#
# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
#
#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
#
#	Complete documentation is available at http://shorewall.net
#
#       This program is part of Shorewall.
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of the GNU General Public License as published by the
#       Free Software Foundation, either version 2 of the license or, at your
#       option, any later version.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# This library contains the command processing code common to /sbin/shorewall[6] and
# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
# loaded after this one and replaces some of the functions declared here.
#

SHOREWALL_CAPVERSION=50004

[ -n "${g_program:=shorewall}" ]

if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

    g_sharedir="$SHAREDIR"/$g_program
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
fi

. ${SHAREDIR}/shorewall/lib.base

#
# Issue an error message and die
#
startup_error() {
    echo "   ERROR: $@" >&2
    kill $$
    exit 1
}

#
# Display a chain if it exists
#

showfirstchain() # $1 = name of chain
{
    awk \
    'BEGIN	 {prnt=0; rslt=1; }; \
    /^$/	 { next; };\
    /^Chain/	 {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
    /Chain '$1'/ { prnt=1; }; \
		 { if (prnt == 1)  print; };\
    END		 { exit rslt; }' $TMPFILE
}

showchain() # $1 = name of chain
{
    if [ "$firstchain" = "Yes" ]; then
	if showfirstchain $1; then
	    firstchain=
	fi
    else
	awk \
	'BEGIN	     {prnt=0;};\
	/^$|^ pkts/  { next; };\
	/^Chain/     {if ( prnt == 1 ) exit; };\
	/Chain '$1'/ { prnt=1; };\
		     { if (prnt == 1)  print; }' $TMPFILE
    fi
}

#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#

iptablesbug()
{
    if [ $g_family -eq 4 ]; then
	if qt mywhich awk ; then
	    awk 'BEGIN           { sline=""; };\
             /^-[jg]/            { print sline $0; next };\
             /-m policy.*-[jg] / { print $0; next };\
             /-m policy/         { sline=$0; next };\
             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
                                 { print ; sline="" }'
        else
	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
	    cat
	fi
    else
	cat
    fi
}

#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
    case $RESTOREFILE in
	*/*)
	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
	    exit 2
	    ;;
	.safe|.try)
	    ;;
	.*|NONE)
	    error_message "ERROR: Reserved File Name: $RESTOREFILE"
	    exit 2
	    ;;
    esac
}

#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
    [ -t 1 ] && clear
}

#
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
#
timed_read ()
{
    read -t $timeout foo 2> /dev/null

    test $? -eq 2 && sleep $timeout
}

#
# Determine if 'syslogd -C' or logd -S is running
#
syslog_circular_buffer() {
    local pid
    local tty
    local flags
    local time
    local path
    local args
    local arg

    ps w 2> /dev/null | (
	while read pid tty stat time path args; do
	    case $path in
		syslogd|*/syslogd)
		    for arg in $args; do
			case $arg in
			    -C*)
				return 0
				;;
			esac
		    done
		    ;;
		logd|*/logd)
		    for arg in $args; do
			case $arg in
			    -S*)
				return 0
				;;
			esac
		    done
		    ;;
	    esac
	done

	return 1 )
}

setup_logread() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if syslog_circular_buffer; then
	LOGFILE=logread
	if qt mywhich tac; then
	    g_logread="logread | tac"
	else
	    g_logread="logread"
	fi
    elif [ -r $LOGFILE ]; then
	if qt mywhich tac; then
	    g_logread="tac $LOGFILE"
	else
	    g_logread="cat $LOGFILE"
	fi
    else
	fatal_error "LOGFILE ($LOGFILE) does not exist or is not readable!"
    fi
}

#
# Display the last $1 packets logged
#
packet_log() # $1 = number of messages
{
    if qt mywhich tac; then
	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
	    if [ $g_family -eq 4 ]; then
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	    else
		$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	    fi
	elif [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    else
	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
	    if [ $g_family -eq 4 ]; then
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	    else
		$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	    fi
	elif [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  tail -n$1 | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  tail -n$1 | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    fi	
}

search_log() # $1 = IP address to search for
{
    if qt mywhich tac; then
	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
            if [ $g_family -eq 4 ]; then
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	    else
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	    fi
	elif [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    else
	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
            if [ $g_family -eq 4 ]; then
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	    else
		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	    fi
	elif [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    fi
}

#
# Show traffic control information
#
show_tc1() {

    show_one_tc() {
	local device
	device=${1%@*}
	qdisc=$(tc qdisc list dev $device)

	if [ -n "$qdisc" ]; then
	    echo Device $device:
	    tc -s -d qdisc show dev $device
	    echo
	    tc -s -d class show dev $device
	    echo
	fi
    }

    if [ $# -gt 0 ]; then
	show_one_tc $1
    else
	ip -o link list | while read inx interface details; do
	    show_one_tc ${interface%:}
	done
    fi

}

show_tc() {
    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
    echo
    shift

    if [ -z "$1" ]; then
	$g_tool -t mangle -L -n -v | $output_filter
	echo
    fi

    show_tc1 $1
}

#
# Show classifier information
#
show_classifiers() {

    show_one_classifier() {
	local device
	device=${1%@*}
	qdisc=$(tc qdisc list dev $device)

	if [ -n "$qdisc" ]; then
	    echo Device $device:
	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
	    tc filter show dev $device
	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
		if [ -n "$class" ]; then
		    echo
		    echo Node $class
		    tc filter show dev $device parent $class
		fi
	    done
	    echo
	fi
    }

    ip -o link list | while read inx interface details; do
	show_one_classifier ${interface%:}
    done

}

#
# Display blacklist chains
#
show_bl() {
    $g_tool -L $g_ipt_options | \
	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
}

#
# Watch the Firewall Log
#
logwatch() # $1 = timeout -- if negative, prompt each time that
	   #		     an 'interesting' packet count changes
{
    setup_logread

    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($g_tool -L -v -n | grep 'LOG')

    if [ $1 -lt 0 ]; then
	timeout=$((- $1))
	pause="Yes"
    else
	pause="No"
	timeout=$1
    fi

    qt mywhich awk && haveawk=Yes || haveawk=

    while true; do
	clear_term
	echo "$banner $(date)"
	echo

	echo "Dropped/Rejected Packet Log ($LOGFILE)"
	echo

	show_reset

	rejects=$($g_tool -L -v -n | grep 'LOG')

	if [ "$rejects" != "$oldrejects" ]; then
	    oldrejects="$rejects"

	    $g_ring_bell

	    packet_log 40

	    if [ "$pause" = "Yes" ]; then
		echo
		echo $g_echo_n 'Enter any character to continue: '
		read foo
	    else
		timed_read
	    fi
	else
	    echo
	    packet_log 40
	    timed_read
	fi
    done
}


#
# Try to find the arptables binary -- sets the variable 'arptables'
#
resolve_arptables() {
    arptables="$ARPTABLES"

    [ -n "${arptables:=arptables}" ]

    case $arptables in
	*/*)
	    ;;
	*)
	    arptables=$(mywhich "$arptables")
	    ;;
    esac
}

#
# Try to run the 'savesets' command
#
savesets() {
    local supported

    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )

    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
}

#
# Proactive save of the current ipset contents
#
savesets1() {
    local supported

    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )

    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
}

#
# Save currently running configuration
#
do_save() {
    local status
    local arptables
    status=0

    if [ -f ${VARDIR}/firewall ]; then
	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
	    cp -f ${VARDIR}/firewall $g_restorepath
	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
	    chmod +x $g_restorepath
	    echo "   Currently-running Configuration Saved to $g_restorepath"
	    run_user_exit save
	else
	    rm -f ${VARDIR}/restore-$$
	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
	    status=1
	fi
    else
	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
	status=1
    fi

    case ${SAVE_ARPTABLES:=No} in
	[Yy]es)
	    resolve_arptables

	    if [ -n "$arptables" ]; then
		if ${arptables}-save > ${VARDIR}/restore-$$; then
		    if grep -q '^-A' ${VARDIR}/restore-$$; then
			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
		    else
			rm -f ${VARDIR}/restore-$$
		    fi
		fi
	    else
		case "$ARPTABLES" in
		    */*)
			error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved"
			;;
		    *)
			error_message "ERROR: The arptables utility cannot be located - arptables not saved"
		    ;;
		esac

		rm -f ${g_restorepath}-arptables
	    fi
	    ;;
	[Nn]o)
	    rm -f ${g_restorepath}-arptables
	    ;;
	*)
	    error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES"
	    ;;
    esac

    if ! savesets;  then
	case ${SAVE_IPSETS:=No} in
	    [Yy]es)
		case ${IPSET:=ipset} in
		    */*)
			if [ ! -x "$IPSET" ]; then
			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
			    IPSET=
			fi
			;;
		    *)
			IPSET="$(mywhich $IPSET)"
			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
			;;
		esac

		if [ -n "$IPSET" ]; then
		    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
			#
			# Don't save an 'empty' file
			#
			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
		    fi
		fi
		;;
	    [Nn]o|ipv4|ipv6)
		;;
	    *)
		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
		;;
	esac
    fi

    return $status
}

save_config() {

    local result
    result=1

    iptables_save=${g_tool}-save

    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2

    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"

    if product_is_started ; then
	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

	if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
	    echo "   ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
	else
	    case $RESTOREFILE in
		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
		    echo "   ERROR: Reserved file name: $RESTOREFILE" >&2
		    ;;
		*)
		    validate_restorefile RESTOREFILE
		    if do_save; then
			rm -f ${VARDIR}/save
			result=0
		    fi
		    ;;
	    esac
	fi
    else
	echo "$g_product isn't started" >&2
    fi

    return $result

}

#
# Recent Linux systems seem to like to print a randomly-ordered
# view of routing tables. This hack sorts the output into the
# order we all know and love
#
sort_routes() {
    local dest
    local second
    local rest
    local vlsm
    local maxvlsm
    local rule

    if [ $g_family -eq 4 ]; then
	maxvlsm=032
    else
	maxvlsm=128
    fi

    while read dest second rest; do
	if [ -n "$dest" ]; then
	    rule="$dest $second $rest"
	    case "$dest" in
		default)
		    echo "000 $rule"
		    ;;
		blackhole|local)
		    case "$second" in
			*/*)
			    vlsm=${second#*/}
			    printf "%03d %s\n" $vlsm "$rule"
			    ;;
			*)
			    echo "$maxvlsm $rule"
			    ;;
		    esac
		    ;;
		*/*)
		    vlsm=${dest#*/}
		    printf "%03d %s\n" $vlsm "$rule"
		    ;;
		*)
		    echo "$maxvlsm $rule"
		    ;;
	    esac
	fi
    done | sort -r | while read dest rest; do echo $rest; done
}

#
# Isolate the table in the routing rules being read from stdin.
# Piping through sed to remove trailing whitespace works around
# recent 'features' in dash and ip.
#
find_tables() {
    sed -r 's/[[:space:]]+$//' | while read rule; do
	echo ${rule##* }
    done
}

#
# Show routing configuration
#
show_routing() {
    local rule
    local table

    if [ -n "$(ip -$g_family rule list)" ]; then
	heading "Routing Rules"
	ip -$g_family rule list
	ip -$g_family rule list | find_tables | sort -u | while read table; do
	    heading "Table $table:"
	    if [ $g_family -eq 6 ]; then
		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
	    else
		ip -4 -o route list table $table | sort_routes
	    fi
	done

	if [ -n "$g_routecache" ]; then
	    heading "Route Cache"
	    ip -$g_family route list cache
	fi
    else
	heading "Routing Table"
	if [ $g_family -eq 6 ]; then
	    ip -$g_family -o route list | grep -vF cache | sort_routes
	else
	    ip -4 -o route list table $table | sort_routes
	fi
    fi
}

determine_ipset_version() {
    local setname

    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
	IPSET=$(mywhich ipset)
	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
    fi

    setname=fooX$$

    qt ipset -X $setname # Just in case something went wrong the last time

    if qt ipset -N $setname hash:ip family inet; then
	qt ipset -X $setname
	IPSETN="$IPSET"
    else
	IPSETN="$IPSET -n"
    fi
}

#
# 'list dynamic' command executor
#
find_sets() {
    local junk
    local setname

    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
}

list_zone() {

    local sets
    local setname

    determine_ipset_version

    if [ $g_family -eq 4 ]; then
	sets=$($IPSETN -L | egrep "^$1(_.+)?");
     else
	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
    fi

    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
	echo "${setname#${1}_}:"
	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
                                   /^Members:/  {prnt=1; next; }; \
                                   /^Bindings:/ {prnt=0; }; \
                                                { if (prnt == 1) print "   ", $1; };'
    done
}

version_command() {
    local finished
    finished=0
    local all
    all=
    local product

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			a*)
			    all=Yes
			    option=${option#a}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -gt 0 ] && usage 1

    if [ -n "$all" ]; then
	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"

	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
	    if [ -f ${SHAREDIR}/$product/version ]; then
		echo "$product: $(cat ${SHAREDIR}/$product/version)"
	    fi
	done

	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
	    $g_firewall version
	fi
    else
	echo $SHOREWALL_VERSION
    fi
}

#
# Show Filter - For Shorewall[6]-lite, if there was an scfilter file at compile-time,
#               then the compiler generated another version of this function and
#               embedded it in the firewall.conf file. That version supersedes this
#               one.
#
show_connections_filter() {
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}

    filter=$(find_file scfilter)

    if [ -f $filter ]; then
	first=$(head -n1 $filter)

	case $first in
	    \#!*)
		command=${first#\#!}
		;;
	esac

	$command $filter
    else
	cat -
    fi
}

show_nfacct() {
    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
	NFACCT=
    else
	NFACCT=$(mywhich nfacct)
	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
    fi

    if [ -n "$NFACCT" ]; then
	$NFACCT list
	echo
    fi
}

show_event() {
    local address
    local ttl_label
    local ttl
    local last_seen
    local last
    local oldest_pkt
    local oldest
    local intimes
    local outtimes1
    local outtimes2
    local time
    local count

    while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
	case $address in
	    *.*)
		[ $g_family -eq 4 ] || continue
		;;
	    *:*)
		[ $g_family -eq 6 ] || continue
		;;
	    *)
		continue
		;;
	esac

	outtimes1=''
	outtimes2=''
	count=0
	last=$((($currenttime - $last)/1000))
	for time in $intimes; do
	    time=${time%,}
	    time=$(($currenttime - $time))
	    if [ $time -lt 10 ]; then
		time="000$time"
	    elif [ $time -lt 100 ]; then
		time="00$time"
	    elif [ $time -lt 1000 ]; then
		time="0$time"
	    fi

	    if [ $count -lt $oldest ]; then
		outtimes2="$outtimes2 $time"
	    else
		outtimes1="$outtimes1 $time"
	    fi

	    count=$(($count + 1))
	done

	outtimes1="${outtimes1}${outtimes2}"

	[ -n "$outtimes1" ] && outtimes1=$(echo "$outtimes1 " | sed -r 's/([[:digit:]]{3}) /\.\1, /g') && outtimes1=${outtimes1%, }

	echo "   $address : ${outtimes1}"
    done < /proc/net/xt_recent/$1
}

show_events() {
    local file
    local base
    local currenttime

    if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
	echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
	echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
	currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
	# echo Current time: $currenttime
	# echo
    else
	currenttime=0
    fi

    if [ $# -gt 0 ]; then
	for event in $@ ; do
	    if [ -f /proc/net/xt_recent/$event ]; then
		echo $event:
		show_event $event
		echo
	    else
		error_message "WARNING: Event $event not found"
	    fi
	done
    else
	for file in /proc/net/xt_recent/*; do
	    base=$(basename $file)

	    if [ $base != %CURRENTTIME ]; then
		echo $base
		show_event $base
		echo
	    fi
	done
    fi
}

show_actions() {
    echo "A_ACCEPT                        # Audit and accept the connection"
    echo "A_DROP                          # Audit and drop the connection"
    echo "A_REJECT                        # Audit and reject the connection "
    echo "allowBcast                      # Silently Allow Broadcast/multicast"
    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
    echo "dropBcast                       # Silently Drop Broadcast/multicast"
    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"

    if [ -f ${g_confdir}/actions ]; then
	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
    else
	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
    fi
}

show_chain() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
    echo
    show_reset
    if [ $# -gt 0 ]; then
	for chain in $*; do
	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
	    echo
	done
    else
	$g_tool -t $table -L $g_ipt_options | $output_filter
    fi
}

show_chains() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
    echo
    show_reset
    for chain in $*; do
	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
	echo
    done
}

show_table() {
    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t $table -L $g_ipt_options | $output_filter
}

show_nat() {
    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t nat -L $g_ipt_options | $output_filter
}

show_raw() {
    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t raw -L $g_ipt_options | $output_filter
}

show_rawpost() {
    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t rawpost -L $g_ipt_options | $output_filter
}

show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t mangle -L $g_ipt_options | $output_filter
}

show_classifiers_command() {
    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
    echo
    show_classifiers
}

show_ip_addresses() {
    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
    echo
    ip -$g_family addr list
}

show_routing_command() {
    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
    echo
    show_routing
}

show_policies() {
    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
    echo
    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
}

show_ipa() {
    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
    echo
    perip_accounting
}

show_arptables() {
    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
    echo
    $arptables -L -n -v
}

show_log() {
    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
    echo
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')

    if [ $# -eq 2 ]; then
	eval search_log $2
    elif [ -n "$g_pager" ]; then
	packet_log 100
    else
	packet_log 20
    fi
}

show_connections() {
    if [ $g_family -eq 4 ]; then
	if [ -d /proc/sys/net/netfilter/ ]; then
	    local count
	    local max
	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
	else
	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
	fi

	echo

	if qt mywhich conntrack ; then
	    shift
	    conntrack -f ipv4 -L $@ | show_connections_filter
	else
	    [ $# -gt 1 ] && usage 1
	    if [ -f /proc/net/ip_conntrack ]; then
		cat /proc/net/ip_conntrack | show_connections_filter
	    else
		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
	    fi
	fi
    elif qt mywhich conntrack ; then
	shift
	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
	echo
	conntrack -f ipv6 -L $@ | show_connections_filter
    else
	[ $# -gt 1 ] && usage 1
	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
	    echo
	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
	fi
    fi
}

show_nfacct_command() {
    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
    echo
    show_nfacct
}

show_events_command() {
    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
    echo
    show_events
}

show_blacklists() {
    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
    echo
    show_bl;
}

show_actions_sorted() {
    show_actions | sort
}

show_macros() {
    for directory in $(split $CONFIG_PATH); do
	temp=
	for macro in ${directory}/macro.*; do
	    case $macro in
		*\*)
                ;;
		*)
		    if [ -z "$temp" ]; then
			echo
			echo "Macros in $directory:"
			echo
			temp=Yes
		    fi
		    show_macro
		    ;;
	    esac
	done
    done
}

#
# Show Command Executor
#
show_command() {
    local finished
    finished=0
    local table
    table=filter
    local table_given
    table_given=
    local output_filter
    output_filter=cat
    local arptables
    local macro

    show_macro() {
	foo=`grep 'This macro' $macro | sed 's/This macro //'`
	if [ -n "$foo" ]; then
	    macro=${macro#*.}
	    foo=${foo%.*}
	    if [ ${#macro} -gt 10 ]; then
		echo "   $macro  ${foo#\#}"
	    else
		$g_echo_e "   $macro  \t${foo#\#}"
	    fi
	fi
    }

    # eliminates rules which have not been used from ip*tables' output
    brief_output() {
	awk \
	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
         /^ +0 +0 / { next; };
         /^$/       { if ( printed == 1 ) { print $0; }; next; };
                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
	            { print; }';
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			v*)
			    VERBOSITY=$(($VERBOSITY + 1 ))
			    option=${option#v}
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			f*)
			    g_filemode=Yes
			    option=${option#f}
			    ;;
			t)
			    [ $# -eq 1 ] && usage 1

			    case $2 in
				mangle|nat|filter|raw|rawpost)
				    table=$2
				    table_given=Yes
				    ;;
				*)
				    fatal_error "Invalid table name ($s)"
				    ;;
			    esac

			    option=
			    shift
			    ;;
			l*)
			    g_ipt_options1="--line-numbers"
			    option=${option#l}
			    ;;
			c*)
			    g_routecache=Yes
			    option=${option#c}
			    ;;
			b*)
			    output_filter=brief_output
			    option=${option#b}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    g_ipt_options="$g_ipt_options $g_ipt_options1"


    [ -n "$g_debugging" ] && set -x

    case "$1" in
	connections)
	    eval show_connections $@ $g_pager
	    ;;
	nat)
	    [ $# -gt 1 ] && usage 1
	    eval show_nat $g_pager
	    ;;
	raw)
	    [ $# -gt 1 ] && usage 1
	    eval show_raw $g_pager
	    ;;
	rawpost)
	    [ $# -gt 1 ] && usage 1
	    eval show_rawpost $g_pager
	    ;;
	tos|mangle)
	    [ $# -gt 1 ] && usage 1
	    eval show_mangle $g_pager
	    ;;
	log)
	    [ $# -gt 2 ] && usage 1

	    setup_logread
	    eval show_log $g_pager
	    ;;
	tc)
	    [ $# -gt 2 ] && usage 1
	    eval show_tc $@ $g_pager
	    ;;
	classifiers|filters)
	    [ $# -gt 1 ] && usage 1
	    eval show_classifiers_command $g_pager
	    ;;
	zones)
	    [ $# -gt 1 ] && usage 1
	    if [ -f ${VARDIR}/zones ]; then
		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
		echo
		while read zone type hosts; do
		    echo "$zone ($type)"
		    for host in $hosts; do
			case $host in
			    exclude)
				echo "  exclude:"
				;;
			    *)
				echo "   $host"
				;;
			esac
		    done
		done < ${VARDIR}/zones
		echo
	    else
		fatal_error "${VARDIR}/zones does not exist"
	    fi
	    ;;
	capabilities)
	    [ $# -gt 1 ] && usage 1
	    determine_capabilities
	    VERBOSITY=2
	    if [ -n "$g_filemode" ]; then
		eval report_capabilities1 $g_pager
	    else
		eval report_capabilities $g_pager
	    fi
	    ;;
	ip)
	    [ $# -gt 1 ] && usage 1
	    eval show_ip_addresses $g_pager
	    ;;
	routing)
	    [ $# -gt 1 ] && usage 1
	    eval show_routing_command $g_pager
	    ;;
	config)
	    . ${g_sharedir}/configpath
	    if [ -n "$g_filemode" ]; then
		echo "CONFIG_PATH=$CONFIG_PATH"
		echo "VARDIR=$VARDIR"
		echo "LIBEXEC=${LIBEXECDIR}"
		echo "SBINDIR=${SBINDIR}"
		echo "CONFDIR=${CONFDIR}"
		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
	    else
		echo "Default CONFIG_PATH is $CONFIG_PATH"
		echo "Default VARDIR is /var/lib/$g_program"
		echo "LIBEXEC is ${LIBEXECDIR}"
		echo "SBINDIR is ${SBINDIR}"
		echo "CONFDIR is ${CONFDIR}"
		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
	    fi
	    ;;
	chain)
	    shift
	    eval show_chain $@ $g_pager
	    ;;
	vardir)
	    echo $VARDIR;
	    ;;
	policies)
	    [ $# -gt 1 ] && usage 1
	    eval show_policies $g_pager
	    ;;
	ipa)
	    [ $g_family -eq 4 ] || usage 1
	    [ $# -gt 1 ] && usage 1
	    eval show_ipa $g_pager
	    ;;
	marks)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
	    echo
	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
	    ;;
	nfacct)
	    [ $# -gt 1 ] && usage 1
	    eval show_nfacct_command $g_pager
	    ;;
	arptables)
	    [ $# -gt 1 ] && usage 1
	    resolve_arptables
	    if [ -n "$arptables" -a -x $arptables ]; then
		eval show_arptables $g_pager
	    else
		error_message "Cannot locate the arptables executable"
	    fi
	    ;;
	event)
	    [ $# -gt 1 ] || usage 1
	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
	    echo
	    shift
	    show_events $@
	    ;;
	events)
	    [ $# -gt 1 ] && usage 1
	    eval show_events_command $g_pager
	    ;;
	bl|blacklists)
	    [ $# -gt 1 ] && usage 1
	    eval show_blacklists $g_pager
	    ;;
	opens)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"

	    if chain_exists dynamic; then
		g_ipt_options="$g_ipt_options --line-numbers"
		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
	    fi
	    ;;
	*)
	    case "$g_program" in
		*-lite)
		    ;;
	    	*)
		    case $1 in
			actions)
			    [ $# -gt 1 ] && usage 1
			    eval show_actions_sorted $g_pager
			    return
			    ;;
			macro)
			    [ $# -ne 2 ] && usage 1
			    for directory in $(split $CONFIG_PATH); do
				if [ -f ${directory}/macro.$2 ]; then
				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
				    cat ${directory}/macro.$2
				    return
				fi
			    done
			    echo "   WARNING: Macro $2 not found" >&2
			    return
			    ;;
			macros)
			    [ $# -gt 1 ] && usage 1
			    eval show_macros $g_pager
			    return
			    ;;
		    esac
		    ;;
	    esac

	    if [ $# -gt 0 ]; then
		if [ $1 = dynamic -a $# -gt 1 ]; then
		    shift
		    [ $# -eq 1 ] || usage 1
		    list_zone $1
		    return;
                fi

		[ -n "$table_given" ] || for chain in $*; do
		    if ! qt $g_tool -t $table -L $chain $g_ipt_options; then
			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
			exit 1
		    fi
					 done

		eval show_chains $@ $g_pager
	    else
		eval show_table $g_pager
	    fi
	    ;;
    esac
}

perip_accounting() {
    if qt mywhich iptaccount; then
	local hnames
	local hname

	hnames=$(iptaccount -a | grep '^Found table:' | cut -d ' ' -f 3)

	if [ -n "$hnames" ]; then
	    for hname in $hnames; do
		iptaccount -l $hname | egrep '^IP:|^Show'
		echo
	    done
	else
	    echo "   No IP Accounting Tables Defined"
	    echo
	fi
    else
	echo "   iptaccount is not installed"
    fi
}

#
# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
#               then the compiler generated another version of this function and
#               embedded it in the firewall.conf file. That version supersedes this
#               one.
#
dump_filter() {
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}

    filter=$(find_file dumpfilter)

    if [ -f $filter ]; then
	first=$(head -n1 $filter)

	case $first in
	    \#!*)
		command=${first#\#!}
		;;
	esac

	eval $command $filter $g_pager
    else
	cat -
    fi
}

dump_filter_wrapper() {
    eval dump_filter $g_pager
}

#
# Dump Command Executor
#
do_dump_command() {
    local finished
    finished=0
    local arptables

    resolve_arptables

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			l*)
			    g_ipt_options1="--line-numbers"
			    option=${option#l}
			    ;;
			c*)
			    g_routecache=Yes
			    option=${option#c}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    setup_logread

    g_ipt_options="$g_ipt_options $g_ipt_options1"

    [ $VERBOSITY -lt 2 ] && VERBOSITY=2

    [ -n "$g_debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo

    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
	echo "   Shorewall $(cat ${SHAREDIR}/shorewall/version)"
	echo
    fi
    show_status
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options

    if [ -n "$arptables" -a -x "$arptables" ]; then
	heading "ARP rules"
	$arptables -L -n -v
    fi

    heading "Log ($LOGFILE)"
    packet_log 20

    if qt $g_tool -t nat -L -n; then
	heading "NAT Table"
	$g_tool -t nat -L $g_ipt_options
    fi

    if qt $g_tool -t mangle -L -n; then
	heading "Mangle Table"
	$g_tool -t mangle -L $g_ipt_options
    fi

    if qt $g_tool -t raw -L -n; then
	heading "Raw Table"
	$g_tool -t raw -L $g_ipt_options
    fi

    if qt $g_tool -t rawpost -L -n; then
	heading "Rawpost Table"
	$g_tool -t rawpost -L $g_ipt_options
    fi

    local count
    local max

    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

	heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)

	heading "Conntrack Table ($count out of $max)"
    else
	heading "Conntrack Table"
    fi

    if qt mywhich conntrack; then
	conntrack -f ipv${g_family} -L 2> /dev/null
    elif [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
	grep '^ipv6' /proc/net/nf_conntrack
    fi

    heading "IP Configuration"
    ip -$g_family addr list

    heading "IP Stats"
    ip -stat link list

    if qt mywhich brctl; then
	heading "Bridges"
	brctl show
    fi

    show_routing

    if [ $g_family -eq 4 ]; then
	heading "Per-IP Counters"

	perip_accounting
    fi

    heading "NF Accounting"
    show_nfacct

    heading "Events"
    show_events

    if qt mywhich setkey; then
	heading "PFKEY SPD"
	setkey -DP
	heading "PFKEY SAD"
	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
    fi

    heading "/proc"
    show_proc /proc/version

    if [ $g_family -eq 4 ]; then
	show_proc /proc/sys/net/ipv4/ip_forward
	show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all

	for directory in /proc/sys/net/ipv4/conf/*; do
	    for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
		show_proc $directory/$file
	    done
	done
    else
	for directory in /proc/sys/net/ipv6/conf/*; do
	    for file in forwarding proxy_ra proxy_ndp; do
		show_proc $directory/$file
	    done
	done
    fi

    if [ $g_family -eq 4 ]; then
	heading "ARP"
	if qt mywhich arp; then
	    arp -na
	else
	    ip -4 neigh ls
	    ip -4 neigh ls proxy
	fi
    else
	heading "Neighbors"
	ip -6 neigh ls
    fi

    if qt mywhich lsmod; then
	heading "Modules"

	if [ $g_family -eq 4 ]; then
	    lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort
	else
	    lsmod | grep -E '^(x_|ip6|nf_|xt_)' | sort
	fi
    fi

    determine_capabilities
    echo
    report_capabilities

    echo

    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }

    if [ -n "$TC_ENABLED" ]; then
	heading "Traffic Control"
	show_tc1
	heading "TC Filters"
	show_classifiers
	fi
}

dump_command() {
    do_dump_command $@ | dump_filter_wrapper
}

#
# Restore Comand Executor
#
restore_command() {
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			p*)
			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
			    g_purge=Yes
			    option=${option%p}
			    ;;
			C*)
			    g_counters=Yes
			    option=${option#C}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
    0)
	;;
    1)
	RESTOREFILE="$1"
	validate_restorefile '<restore file>'
	;;
    *)
	usage 1
	;;
    esac

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 6
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on

    if [ -x $g_restorepath ]; then
	progress_message3 "Restoring $g_product..."

	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"

	[ -n "$g_nolock" ] || mutex_off
    else
	echo "File $g_restorepath: file not found"
	[ -n "$g_nolock" ] || mutex_off
	exit 2
    fi
}

#
# Display the time that the counters were last reset
#
show_reset() {
    [ -f ${VARDIR}/restarted ] && \
	echo "Counters reset $(cat ${VARDIR}/restarted)" && \
	echo
}

#
# Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
{
    [ -f $1 ] && echo "   $1 = $(cat $1)"
}

read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}

    case $timeout in
	*s)
	    ;;
	*m)
	    timeout=$((${timeout%m} * 60))
	    ;;
	*h)
	    timeout=$((${timeout%h} * 3600))
	    ;;
    esac

    read -t $timeout yn 2> /dev/null
    if [ $? -eq 2 ]
    then
	# read doesn't support timeout
	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
	return $?
    else
	# read supports timeout
	case "$yn" in
	    y|Y)
		return 0
		;;
	    *)
		return 1
		;;
	esac
    fi
}

#
# Print a heading with leading and trailing black lines
#
heading() {
    echo
    echo "$@"
    echo
}

#
# Create the appropriate -q option to pass onward
#
make_verbose() {
    local v
    v=$g_verbose_offset
    local option
    option=-

    if [ -n "$g_use_verbosity" ]; then
	echo "-v$g_use_verbosity"
    elif [ $g_verbose_offset -gt 0 ]; then
	while [ $v -gt 0 ]; do
	    option="${option}v"
	    v=$(($v - 1))
	done

	echo $option
    elif [ $g_verbose_offset -lt 0 ]; then
	while [ $v -lt 0 ]; do
	    option="${option}q"
	    v=$(($v + 1))
	done

	echo $option
    fi
}

#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 - $n addresses
{
    local chain
    chain=$1
    local finished
    finished=$2
    local which
    which='-s'
    local range
    range='--src-range'

    if ! chain_exists dynamic; then
	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
	[ -n "$g_nolock" ] || mutex_off
	exit 2
    fi

    shift 3

    while [ $# -gt 0 ]; do
	case $1 in
	    from)
		which='-s'
		range='--src-range'
		shift
		continue
		;;
	    to)
		which='-d'
		range='--dst-range'
		shift
		continue
		;;
	    *-*)
		qt $g_tool -D dynamic -m iprange $range $1 -j reject
		qt $g_tool -D dynamic -m iprange $range  $1 -j DROP
		qt $g_tool -D dynamic -m iprange $range $1 -j logreject
		qt $g_tool -D dynamic -m iprange $range $1 -j logdrop
		$g_tool -A dynamic -m iprange $range $1 -j $chain || break 1
		;;
	    *)
		qt $g_tool -D dynamic $which $1 -j reject
		qt $g_tool -D dynamic $which $1 -j DROP
		qt $g_tool -D dynamic $which $1 -j logreject
		qt $g_tool -D dynamic $which $1 -j logdrop
		$g_tool -A dynamic $which $1 -j $chain || break 1
		;;
	esac

	echo "$1 $finished"
	shift
    done
}

#
# Replace commas with spaces and echo the result
#
separate_list() {
    local list
    list="$@"
    local part
    local newlist
    local firstpart
    local lastpart
    local enclosure

    case "$list" in
	*,|,*|*,,*|*[[:space:]]*)
	    #
	    # There's been whining about us not catching embedded white space in
	    # comma-separated lists. This is an attempt to snag some of the cases.
	    #
            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
	    ;;
	*\[*\]*)
	    #
	    # Where we need to embed comma-separated lists within lists, we enclose them
	    # within square brackets.
	    #
	    firstpart=${list%%\[*}
	    lastpart=${list#*\[}
	    enclosure=${lastpart%%\]*}
	    lastpart=${lastpart#*\]}
	    case $lastpart in
		\,*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
			    ;;
		    esac
		    ;;
		*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
			    ;;
		    esac
		    ;;
	    esac
	    return
	    ;;
    esac

    list="$@"
    part="${list%%,*}"
    newlist="$part"

    while [ "x$part" != "x$list" ]; do
	list="${list#*,}";
	part="${list%%,*}";
	newlist="$newlist $part";
    done

    echo "$newlist"
}

#
# add command executor
#
add_command() {
    local interface host hostlist zone ipset
    if ! product_is_started ; then
	fatal_error "$g_product Not Started"
    fi

    determine_ipset_version

    case $1 in
	*:*)
	    while [ $# -gt 1 ]; do
		if [ $g_family -eq 4 ]; then
		    interface=${1%%:*}
		    host=${1#*:}
		else
		    interface=${1%%|*}
		    host=${1#*|}
		fi

		[ "$host" = "$1" ] && host=

		if [ -z "$host" ]; then
		    if [ $g_family -eq 4 ]; then
			hostlist="$hostlist $interface:0.0.0.0/0"
		    else
			hostlist="$hostlist $interface:::/0"
		    fi
		else
		    for h in $(separate_list $host); do
			hostlist="$hostlist $interface:$h"
		    done
		fi

		shift
	    done
	    ;;
	*)
	    ipset=$1
	    shift
	    while [ $# -gt 0 ]; do
		for h in $(separate_list $1); do
		    hostlist="$hostlist $h"
		done
		shift
	    done
	    ;;
    esac

    zone=$1

    if [ -n "$zone" ]; then
	for host in $hostlist; do
	    if [ $g_family -eq 4 ]; then
		interface=${host%:*}
		ipset=${zone}_${interface};
	    else
		interface=${host%%:*}
		ipset=6_${zone}_${interface};
	    fi

	    ipset=$(echo $ipset | sed 's/\./_/g');

	    if ! qt $IPSET -L $ipset; then
		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
	    fi

	    host=${host#*:}

	    if $IPSET -A $ipset $host; then
		echo "Host $interface:$host added to zone $zone"
	    else
		fatal_error "Unable to add $interface:$host to zone $zone"
	    fi
	done
    else
	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"

	for host in $hostlist; do
	    if $IPSET -A $ipset $host; then
		echo "Host $host added to zone $ipset"
	    else
		fatal_error "Unable to add $host to zone $ipset"
	    fi
	done
    fi
}

#
# delete command executor
#
delete_command() {
    local interface host hostent hostlist zone ipset
    if ! product_is_started ; then
	fatal_error "$g_product Not Started"
    fi

    determine_ipset_version

    case $1 in
	*:*)
	    while [ $# -gt 1 ]; do
		if [ $g_family -eq 4 ]; then
		    interface=${1%%:*}
		    host=${1#*:}
		else
		    interface=${1%%|*}
		    host=${1#*|}
		fi

		[ "$host" = "$1" ] && host=

		if [ -z "$host" ]; then
		    if [ $g_family -eq 4 ]; then
			hostlist="$hostlist $interface:0.0.0.0/0"
		    else
			hostlist="$hostlist $interface:::/0"
		    fi
		else
		    for h in $(separate_list $host); do
			hostlist="$hostlist $interface:$h"
		    done
		fi

		shift
	    done
	    ;;
	*)
	    ipset=$1
	    shift
	    while [ $# -gt 0 ]; do
		for h in $(separate_list $1); do
		    hostlist="$hostlist $h"
		done
		shift
	    done
	    ;;
    esac

    zone=$1

    if [ -n "$zone" ]; then
	for host in $hostlist; do
	    if [ $g_family -eq 4 ]; then
		interface=${host%:*}
		ipset=${zone}_${interface};
	    else
		interface=${host%%:*}
		ipset=6_${zone}_${interface};
	    fi

	    ipset=$(echo $ipset | sed 's/./_/g');

	    if ! qt $IPSET -L $ipset -n; then
		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
	    fi

	    host=${host#*:}

	    if $IPSET -D $ipset $host; then
		echo "Host $host deleted from zone $zone"
	    else
		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
	    fi
	done
    else
	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"

	for host in $hostlist; do
	    if $IPSET -D $ipset $host; then
		echo "Host $host deleted from to zone $ipset"
	    else
		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
	    fi
	done
    fi
}

open_close_command() {
    local command
    local desc
    local proto
    local icmptype

    open_close_setup() {
	[ -n "$g_nolock" ] || mutex_on

	if ! product_is_started ; then
	    [ -n "$g_nolock" ] || mutex_off
	    fatal_error "The $COMMAND command requires the firewall to be running"
	fi

	if ! chain_exists dynamic; then
	    [ -n "$g_nolock" ] || mutex_off
	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
	fi
    }

    [ $# -le 4 ] || fatal_error "Too many parameters"

    if [ $COMMAND = open ]; then
	[ $# -ge 2 ] || fatal_error "Too few parameters"
    else
	[ $# -ge 1 ] || fatal_error "Too few parameters"
    fi

    if [ $# -eq 1 ]; then
	#
	# close <rule number>
	#
	case $1 in
	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
		;;
	    *)
		fatal_error "$1 is not a valid temporary open number"
		;;
	esac

	open_close_setup #Conditionally acquires mutex

	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
	    if $g_tool -D dynamic $1; then
		[ -n "$g_nolock" ] || mutex_off
		echo "Temporary open #$1 closed"
		return 0
	    fi
	    [ -n "$g_nolock" ] || mutex_off
	    return 2
	else
	    [ -n "$g_nolock" ] || mutex_off
	    fatal_error "$1 is not a valid temporary open number"
	fi
    else
	if [ $1 = all ]; then
	    command=dynamic
	else
	    command="dynamic -s $1"
	fi

	if [ $2 != all ]; then
	    command="$command -d $2"
	fi

	desc="from $1 to $2"

	if [ $# -ge 3 ]; then
	    proto=$3

	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58

	    command="$command -p $proto"

	    case $3 in
		[0-9]*)
		    desc="$desc protocol $3"
		    ;;
		*)
		    desc="$desc $3"
		    ;;
	    esac

	    if [ $g_family -eq 4 ]; then
		if [ $proto = 6 -o $proto = icmp ]; then
		    proto=icmp
		    icmptype='--icmp-type'
		fi
	    else
		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
		    proto=icmp
		    icmptype='--icmpv6-type'
		fi
	    fi
	fi

	if [ $# -eq 4 ]; then
	    if [ $proto = icmp ]; then
		case $4 in
		    *,*)
			fatal_error "Only a single ICMP type may be specified"
			;;
		    [0-9]*)
			desc="$desc type $4"
			;;
		    *)
			desc="$desc $4"
			;;
		esac

		command="$command $icmptype $4"
	    else
		case $4 in
		*,*)
		    command="$command -m multiport --dports $4"
		    ;;
		*)
		    command="$command --dport $4"
		    ;;
		esac

		case $4 in
		    [0-9]*,)
			desc="$desc ports $4"
			;;
		    [0-9]*)
			desc="$desc port $4"
			;;
		    *)
			desc="$desc $4"
			;;
		esac
	    fi
	fi

	command="$command -j ACCEPT"

	open_close_setup #Conditionally acquires mutex

	if [ $COMMAND = open ]; then
	    if $g_tool -I $command ; then
		[ -n "$g_nolock" ] || mutex_off
		echo "Firewall dynamically opened for connections $desc"
		return 0
	    fi
	    [ -n "$g_nolock" ] || mutex_off
	    return 2
	fi

	if $g_tool -D $command 2> /dev/null; then
	    [ -n "$g_nolock" ] || mutex_off
	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
	    return 0
	fi

	[ -n "$g_nolock" ] || mutex_off
	fatal_error "Connections $desc are not currently opened"
    fi
}

#
# 'hits' commmand executor
#
hits_command() {
    local finished
    finished=0
    local today
    today=

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			t*)
			    today=$(date +'^%b %_d.*')
			    option=${option#t}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -eq 0 ] || usage 1

    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
    echo

    timeout=30

    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
	echo "   HITS IP	        DATE"
	echo "   ---- --------------- ------"
	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
	done

	echo ""

	echo "   HITS IP	        PORT"
	echo "   ---- --------------- -----"
	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
						t
						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
	    [ -z "$port" ] && port=0
	    printf '%7d %-15s %d\n' $count $address $port
	done

	echo ""

	echo "   HITS DATE"
	echo "   ---- ------"
	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
	    printf '%7d %3s %2d\n' $count $month $day
	done

	echo ""

	echo "   HITS  PORT SERVICE(S)"
	echo "   ---- ----- ----------"
	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
	    # List all services defined for the given port
	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
	    srv=$(echo $srv | sed 's/ /,/g')

	    if [ -n "$srv" ] ; then
		printf '%7d %5d %s\n' $count $port $srv
	    else
		printf '%7d %5d\n' $count $port
	    fi
	done
    fi
}

#
# 'allow' command executor
#
allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if product_is_started ; then
	local which
	which='-s'
	local range
	range='--src-range'

	if ! chain_exists dynamic; then
	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
	fi

	[ -n "$g_nolock" ] || mutex_on
	while [ $# -gt 1 ]; do
	    shift
	    case $1 in
		from)
		    which='-s'
		    range='--src-range'
		    continue
		    ;;
		to)
		    which='-d'
		    range='--dst-range'
		    continue
		    ;;
		*-*)
		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
		*)
		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
			qt $g_tool -D dynamic $which $1 -j DROP      ||\
			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
			qt $g_tool -D dynamic $which $1 -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
	    esac
	done
	[ -n "$g_nolock" ] || mutex_off
    else
	error_message "ERROR: $g_product is not started"
	exit 2
    fi
}

#
# 'logwatch' command executor
#
logwatch_command() {
    shift

    finished=0

    while [ $finished -eq 0 -a $# -ne 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		[ -z "$option" ] && usage 1

		while [ -n "$option" ]; do
		    case $option in
			v*)
			    VERBOSITY=$(($VERBOSITY + 1 ))
			    option=${option#v}
			    ;;
			q*)
			    VERBOSITY=$(($VERBOSITY - 1 ))
			    option=${option#q}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
	logwatch $1
    elif [ $# -eq 0 ]; then
	logwatch 30
    else
	usage 1
    fi
}

#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {

    local tool
    local chain
    local chain1
    local arptables
    local helper

    if [ -z "$g_tool" ]; then
	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables

	g_tool=$(mywhich $tool)

	if [ -z "$g_tool" ]; then
	    fatal-error "No executable $tool binary can be found on your PATH"
	fi
    fi

    qt $g_tool -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
    qt $g_tool -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)

    [ -n "$IP" -a -x "$IP" ] || IP=

    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)

    [ -n "$TC" -a -x "$TC" ] || TC=

    CONNTRACK_MATCH=
    NEW_CONNTRACK_MATCH=
    OLD_CONNTRACK_MATCH=
    MULTIPORT=
    XMULTIPORT=
    EMULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    PHYSDEV_BRIDGE=
    IPRANGE_MATCH=
    RECENT_MATCH=
    REAP_OPTION=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_MATCH_NOMATCH=
    IPSET_MATCH_COUNTERS=
    IPSET_V5=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
    EXMARK=
    TPROXY_TARGET=
    MANGLE_FORWARD=
    COMMENTS=
    ADDRTYPE=
    TCPMSS_MATCH=
    HASHLIMIT_MATCH=
    NFQUEUE_TARGET=
    REALM_MATCH=
    HELPER_MATCH=
    CONNLIMIT_MATCH=
    TIME_MATCH=
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
    HEADER_MATCH=
    ACCOUNT_TARGET=
    AUDIT_TARGET=
    CONDITION_MATCH=
    IPTABLES_S=
    BASIC_FILTER=
    BASIC_EMATCH=
    CT_TARGET=
    STATISTIC_MATCH=
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=
    GEOIP_MATCH=
    RPFILTER_MATCH=
    NFACCT_MATCH=
    CHECKSUM_TARGET=
    ARPTABLESJF=
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
    TARPIT_TARGET=
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
    IRC_HELPER=
    IRC0_HELPER=
    NETBIOS_NS_HELPER=
    H323_HELPER=
    PPTP_HELPER=
    SANE_HELPER=
    SANE0_HELPER=
    SIP_HELPER=
    SIP0_HELPER=
    SNMP_HELPER=
    TFTP_HELPER=
    TFTP0_HELPER=

    resolve_arptables

    if [ -n "$arptables" -a -x "$arptables" ]; then
	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

    if qt $g_tool --wait -t filter -L INPUT -n -v; then
	WAIT_OPTION=Yes
	tool="$tool --wait"
    fi

    chain=fooX$$

    if [ -n "$NAT_ENABLED" ]; then
	if qt $g_tool -t nat -N $chain; then
	    if [ $g_family -eq 4 ]; then
		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
	    else
		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
	    fi
	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
	    qt $g_tool -t nat -F $chain
	    qt $g_tool -t nat -X $chain
	fi
    fi

    qt $g_tool -F $chain
    qt $g_tool -X $chain
    if ! $g_tool -N $chain; then
	fatal_error "The command \"$g_tool -N $chain\" failed"
    fi

    chain1=${chain}1

    qt $g_tool -F $chain1
    qt $g_tool -X $chain1
    if ! $g_tool -N $chain1; then
	qt $g_tool -X $CHAIN
	fatal_error "The command \"$g_tool -N $chain1\" failed"
    fi

    if ! qt $g_tool -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
       ! qt $g_tool -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
	qt $g_tool -x $chain
	qt $g_tool -x $chain1
	fatal_error "Your kernel lacks connection tracking and/or state matching -- $g_product will not run on this system"
    fi

    if [ $g_family -eq 4 ]; then
	qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
    else
	qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
    fi

    if [ -n "$CONNTRACK_MATCH" ]; then
	qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes

	if [ $g_family -eq 4 ]; then
	    qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
	else
	    qt $g_tool -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes
	fi
    fi

    if qt $g_tool -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
	MULTIPORT=Yes
	qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
    fi

    qt $g_tool -A $chain -p tcp  -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
    qt $g_tool -A $chain -p sctp -m multiport --dports 21,22 -j ACCEPT           && EMULTIPORT=Yes
    qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes

    if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
	PHYSDEV_MATCH=Yes
	qt $g_tool -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
	if [ -z "${KLUDGEFREE}" ]; then
	    qt $g_tool -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
	fi
    fi

    if [ $g_family -eq 4 ]; then
	if qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
	    IPRANGE_MATCH=Yes
	    if [ -z "${KLUDGEFREE}" ]; then
		qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
	    fi
	fi
    elif qt $g_tool -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then
	IPRANGE_MATCH=Yes
	if [ -z "${KLUDGEFREE}" ]; then
	    qt $g_tool -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes
	fi
    fi

    if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
	RECENT_MATCH=Yes
	qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
    fi

    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes

    local name
    name=$(id -un 2> /dev/null)

    [ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes

    if qt $g_tool -A $chain -m connmark --mark 2  -j ACCEPT; then
	CONNMARK_MATCH=Yes
	qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
    fi

    qt $g_tool -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
    if [ -n "$IPP2P_MATCH" ]; then
	qt $g_tool -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
    fi

    qt $g_tool -A $chain -m length --length 10:20 -j ACCEPT    && LENGTH_MATCH=Yes

    if [ $g_family -eq 4 ]; then
        qt $g_tool -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
    else
	qt $g_tool -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
    fi

    qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes

    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
	NFACCT=
    else
	NFACCT=$(mywhich nfacct)
    fi

    if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
	qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
	qt $g_tool -D $chain -m nfacct --nfacct-name $chain
	qt $NFACCT del $chain
    fi

    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes

    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes

    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes

    if [ -n "$MANGLE_ENABLED" ]; then
	qt $g_tool -t mangle -N $chain

	if qt $g_tool -t mangle -A $chain -j MARK --set-mark 1; then
	    MARK=Yes
	    qt $g_tool -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
	    qt $g_tool -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
	fi

	if qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark; then
	    CONNMARK=Yes
	    qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
	fi

	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
	qt $g_tool -t mangle -A $chain -m tos --tos 0x10/0xff && NEW_TOS_MATCH=Yes

	qt $g_tool -t mangle -F $chain
	qt $g_tool -t mangle -X $chain

	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
	qt $g_tool -t raw -F $chain
	qt $g_tool -t raw -X $chain
	qt $g_tool -t raw -N $chain
	
	if qt $g_tool -t raw -A $chain -j CT --notrack; then
	    CT_TARGET=Yes;

	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
		eval ${helper}_ENABLED=''
	    done

	    if [ -n "$HELPERS" ]; then
		for helper in $(split_list "$HELPERS"); do
		    case $helper in
			none)
			    ;;
			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
			    eval ${helper}_ENABLED=Yes
			    ;;
			*)
			    error_message "WARNING: Invalid helper ($helper) ignored"
			    ;;
		    esac
		done
	    else
		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
		    eval ${helper}_ENABLED=Yes
		done
	    fi

	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
	fi

	qt $g_tool -t raw -F $chain
	qt $g_tool -t raw -X $chain	   
    fi

    if qt mywhich ipset; then
	qt ipset -X $chain # Just in case something went wrong the last time

	local have_ipset

	if [ $g_family -eq 4 ]; then
	    if qt ipset -N $chain hash:ip family inet; then
		IPSET_V5=Yes
		have_ipset=Yes
	    elif qt ipset -N $chain iphash ; then
		have_ipset=Yes
	    fi

	    if [ -n "$have_ipset" ]; then
		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
		    qt $g_tool -A $chain -m set --match-set $chain src --return-nomatch  -j ACCEPT && IPSET_MATCH_NOMATCH=Yes
		    qt $g_tool -A $chain -m set --match-set $chain src --packets-lt 100  -j ACCEPT && IPSET_MATCH_COUNTERS=Yes
		    qt $g_tool -F $chain
		    IPSET_MATCH=Yes
		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
		    qt $g_tool -F $chain
		    IPSET_MATCH=Yes
		    OLD_IPSET_MATCH=Yes
		fi
		qt ipset -X $chain
	    fi
	elif qt ipset -N $chain hash:ip family inet6; then
	    IPSET_V5=Yes
	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
		qt $g_tool -F $chain
		IPSET_MATCH=Yes
	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
		qt $g_tool -F $chain
		IPSET_MATCH=Yes
		OLD_IPSET_MATCH=Yes
	    fi
	    qt ipset -X $chain
	fi
    fi

    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
    if [ -z "$HASHLIMIT_MATCH" ]; then
	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes

    #
    # -m helper doesn't verify the existence of the specified helper :-(
    #
    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
	HELPER_MATCH=Yes

	if [ -z "$CT_TARGET" ]; then
	    AMANDA_HELPER=Yes
	    FTP_HELPER=Yes
	    FTP_HELPER=Yes
	    H323_HELPER=Yes
	    IRC_HELPER=Yes
	    NS_HELPER=Yes
	    PPTP_HELPER=Yes
	    SANE_HELPER=Yes
	    SIP_HELPER=Yes
	    SNMP_HELPER=Yes
	    TFTP_HELPER=Yes
	fi
    fi

    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes

    if [ $g_family -eq 4 ]; then
	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
    else
	qt $g_tool -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
	qt $g_tool -A $chain -j ACCOUNT --addr ::1/122 --tname $chain && ACCOUNT_TARGET=Yes
    fi

    qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes

    qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes

    qt $g_tool -S INPUT && IPTABLES_S=Yes
    qt $g_tool -F $chain
    qt $g_tool -X $chain
    qt $g_tool -F $chain1
    qt $g_tool -X $chain1

    if [ -n "$TC" ]; then
	$TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes

	if $TC filter add basic help 2>&1 | grep -q ^Usage; then
	    BASIC_FILTER=Yes
	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
	fi
    fi

    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION

    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')

    case "$KERNELVERSION" in
	*.*.*)
	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
	    ;;
	*)
	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
	    ;;
    esac
}

report_capabilities_unsorted() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
	local setting
	setting=

	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"

	echo "  " $1: $setting
    }

    report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
    report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
    report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
    [ -n "$MULTIPORT" ]  && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
    [ -n "$EMULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULIPORT)" $EMULTIPORT
    report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
    if [ -n "$CONNTRACK_MATCH" ]; then
	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    if [ -n "$IPSET_MATCH" ]; then
	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
    fi
    report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
    [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
    report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
    report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
    report_capability "MARK Target (MARK)" $MARK
    [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
    [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
    report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
    report_capability "Comments (COMMENTS)" $COMMENTS
    report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
    report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
    report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
    [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
    report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
    report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
    report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
    report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
    report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
    report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
    report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
    report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
    report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
    report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
    report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
    report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
    report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
    report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
    report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
    report_capability "Mark in the filter table (MARK_ANYWHERE)" $MARK_ANYWHERE
    report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
    report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
    report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
    report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
    report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
    report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
    report_capability "NFAcct Match" $NFACCT_MATCH
    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
    report_capability "FTP-0 Helper" $FTP0_HELPER
    report_capability "IRC Helper" $IRC_HELPER
    report_capability "IRC-0 Helper" $IRC0_HELPER
    report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
    report_capability "H323 Helper" $H323_HELPER
    report_capability "PPTP Helper" $PPTP_HELPER
    report_capability "SANE Helper" $SANE_HELPER
    report_capability "SANE-0 Helper" $SANE0_HELPER
    report_capability "SIP Helper" $SIP_HELPER
    report_capability "SIP-0 Helper" $SIP0_HELPER
    report_capability "SNMP Helper" $SNMP_HELPER
    report_capability "TFTP Helper" $TFTP_HELPER
    report_capability "TFTP-0 Helper" $TFTP0_HELPER

    if [ $g_family -eq 4 ]; then
	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
    else
	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
}

report_capabilities() {

    if [ $VERBOSITY -gt 1 ]; then
	echo "$g_product has detected the following iptables/netfilter capabilities:"
	report_capabilities_unsorted | sort
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=

}

report_capabilities_unsorted1() {
    report_capability1() # $1 = Capability
    {
	eval echo $1=\$$1
    }

    report_capability1 NAT_ENABLED
    report_capability1 MANGLE_ENABLED
    report_capability1 MULTIPORT
    report_capability1 XMULTIPORT
    report_capability1 EMULTIPORT
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
    report_capability1 LENGTH_MATCH
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 REAP_OPTION
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 IPSET_MATCH_NOMATCH
    report_capability1 IPSET_MATCH_COUNTERS
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
    report_capability1 ENHANCED_REJECT
    report_capability1 KLUDGEFREE
    report_capability1 MARK
    report_capability1 XMARK
    report_capability1 EXMARK
    report_capability1 MANGLE_FORWARD
    report_capability1 COMMENTS
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
    report_capability1 CONNLIMIT_MATCH
    report_capability1 TIME_MATCH
    report_capability1 GOTO_TARGET
    report_capability1 LOGMARK_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
    report_capability1 ULOG_TARGET
    report_capability1 NFLOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
    report_capability1 HEADER_MATCH
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
    report_capability1 CONDITION_MATCH
    report_capability1 IPTABLES_S
    report_capability1 BASIC_FILTER
    report_capability1 BASIC_EMATCH
    report_capability1 CT_TARGET
    report_capability1 STATISTIC_MATCH
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
    report_capability1 CHECKSUM_TARGET
    report_capability1 ARPTABLESJF
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
    report_capability1 FTP0_HELPER
    report_capability1 IRC_HELPER
    report_capability1 IRC0_HELPER
    report_capability1 NETBIOS_NS_HELPER
    report_capability1 H323_HELPER
    report_capability1 PPTP_HELPER
    report_capability1 SANE_HELPER
    report_capability1 SANE0_HELPER
    report_capability1 SIP_HELPER
    report_capability1 SIP0_HELPER
    report_capability1 SNMP_HELPER
    report_capability1 TFTP_HELPER
    report_capability1 TFTP0_HELPER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
}

report_capabilities1() {
    echo "#"
    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
    echo "#"
    report_capabilities_unsorted1 | sort
}

show_status() {
    if product_is_started ; then
	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
	status=0
    else
	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
	status=4
    fi

    if [ -f ${VARDIR}/state ]; then
	state="$(cat ${VARDIR}/state)"
	case $state in
	    Stopped*|Closed*|Clear*)
		status=3
		;;
	esac
    else
	state=Unknown
    fi

    if [ $VERBOSITY -ge 1 ]; then 
	if [ -f $g_firewall ]; then
	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
	fi
	echo "State:$state"
	echo
    fi

}

interface_status() {
    case $(cat $1) in
	0)
	    echo Enabled
	    ;;
	1)
	    echo Disabled
	    ;;
	*)
	    echo Unknown
	    ;;
    esac
}

show_interfaces() {
    local f
    local interface
    local printed

    for f in ${VARDIR}/*.status; do
	if [ -f $f ]; then
	    interface=$(basename $f)
	    echo "   Interface ${interface%.status} is $(interface_status $f)"
	    printed=Yes
	fi
    done

    [ -n "$printed" ] && echo
}

status_command() {
     local finished
    finished=0
    local option
    local interfaces

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			i*)
			    interfaces=Yes
			    option=${option#i}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -eq 0 ] || usage 1

    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
}

drop_command() {
    if product_is_started ; then
	if ! chain_exists dynamic; then
	    echo "Dynamic blacklisting is not supported in the current $g_product configuration"
	    exit 2
	fi

	[ -n "$g_nolock" ] || mutex_on
	block DROP Dropped $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

logdrop_command() {
    if product_is_started ; then
	if ! chain_exists dynamic; then
	    echo "Dynamic blacklisting is not supported in the current $g_product configuration"
	    exit 2
	fi

	[ -n "$g_nolock" ] || mutex_on
	block logdrop Dropped $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

reject_command() {
    if product_is_started ; then
	[ -n "$g_nolock" ] || mutex_on
	block $1 Rejected $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

save_command() {
    local finished
    finished=0

    shift

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			C*)
			    g_counters=Yes
			    option=${option#C}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	1)
	    RESTOREFILE="$1"
	    validate_restorefile '<restore file>'
	    ;;
	*)
	    usage 1
	    ;;
	esac

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on

    save_config

    result=$?

    [ -n "$g_nolock" ] || mutex_off

    exit $result
}

forget_command() {
    case $# in
	1)
	    ;;
	2)
	    RESTOREFILE="$2"
	    validate_restorefile '<restore file>'
	    ;;
	*)
	    usage 1
	    ;;
    esac

    g_restorepath=${VARDIR}/$RESTOREFILE

    if [ -x $g_restorepath ]; then
	rm -f $g_restorepath
	rm -f ${g_restorepath}-iptables
	rm -f ${g_restorepath}-ipsets
	rm -f ${g_restorepath}-arptables
	echo "    $g_restorepath removed"
    elif [ -f $g_restorepath ]; then
	echo "   $g_restorepath exists and is not a saved $g_product configuration"
    fi
    rm -f ${VARDIR}/save
}

ipcalc_command() {
    local address
    local vlsm

    [ $g_family -eq 6 ] && usage 1

    if [ $# -eq 2 ]; then
	address=${2%/*}
	vlsm=${2#*/}
    elif [ $# -eq 3 ]; then
	address=$2
	vlsm=$(ip_vlsm $3)
    else
	usage 1
    fi

    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && usage 2
    [ "x$address" = "x$vlsm" ] && usage 2
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm

    echo "   CIDR=$address"
    temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
    temp=$(ip_network $address);       echo "   NETWORK=$temp"
    temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
}

iprange_command() {
    local range

    [ $g_family -eq 6 ] && usage 1

    range=''

    while [ $# -gt 0 ]; do
	shift
	range="${range}${1}"
    done

    case $range in
	*.*.*.*-*.*.*.*)
	    for address in ${range%-*} ${range#*-}; do
		valid_address $address || fatal_error "Invalid IP address: $address"
	    done

	    ip_range $range
	    ;;
	*)
	    usage 1
	    ;;
    esac
}

ipdecimal_command() {
    [ $# -eq 2 ] || usage 1

    [ $g_family -eq 6 ] && usage 1

    case $2 in
	*.*.*.*)
	    valid_address $2 || fatal_error "Invalid IP address: $2"
	    echo "   $(decodeaddr $2)"
	    ;;
	*)
	    echo "   $(encodeaddr $2)"
	    ;;
    esac
}

iptrace_command() {
    if product_is_started ; then
	$g_tool -t raw -A PREROUTING $@ -j TRACE
	$g_tool -t raw -A OUTPUT $@ -j TRACE
    else
	fatal_error "$g_product is not started"
    fi
}

noiptrace_command() {
    if product_is_started ; then
	$g_tool -t raw -D PREROUTING $@ -j TRACE
	$g_tool -t raw -D OUTPUT $@ -j TRACE
    else
	fatal_error "$g_product is not started"
    fi
}

#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
	echo "   ERROR: $g_product is not properly installed" >&2
	if [ -L $g_firewall ]; then
	    echo "          $g_firewall is a symbolic link to a" >&2
	    echo "          non-existant file" >&2
	else
	    echo "          The file $g_firewall does not exist" >&2
	fi

	exit 2
    fi
}

################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
#
# Set the configuration variables from shorewall[6]-lite.conf.
#
get_config() {
    local config
    local lib

    ensure_config_path

    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
	if [ -r $config ]; then
	    . $config
	else
	    fatal_error "Cannot read $config! (Hint: Are you root?)"
	fi
    else
	fatal_error "$config does not exist!"
    fi

    ensure_config_path

    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

    setup_logread
    #
    # See if we have a real version of "tail" -- use separate redirection so
    # that ash (aka /bin/sh on LRP) doesn't crap
    #
    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
	realtail="Yes"
    else
	realtail=""
    fi

    [ -n "$FW" ] || FW=fw

    if [ $g_family -eq 4 ]; then
	if [ -n "$IPTABLES" ]; then
	    if [ ! -x "$IPTABLES" ]; then
		fatal_error "The program specified in IPTABLES does not exist or is not executable"
	    fi
	else
	    IPTABLES=$(mywhich iptables 2> /dev/null)
	    if [ -z "$IPTABLES" ] ; then
		fatal_error "Can't find iptables executable"
	    fi
	fi

	g_tool=$IPTABLES
    else
	if [ -n "$IP6TABLES" ]; then
	    if [ ! -x "$IP6TABLES" ]; then
		fatal_error "The program specified in IP6TABLES does not exist or is not executable"
	    fi
	else
	    IP6TABLES=$(mywhich ip6tables 2> /dev/null)
	    if [ -z "$IP6TABLES" ] ; then
		fatal_error "Can't find ip6tables executable"
	    fi
	fi

	g_tool=$IP6TABLES
    fi

    if [ -n "$SHOREWALL_SHELL" ]; then
	if [ ! -x "$SHOREWALL_SHELL" ]; then
	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
	    SHOREWALL_SHELL=/bin/sh
	fi
    fi

    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore

    validate_restorefile RESTOREFILE

    [ -n "${VERBOSITY:=2}" ]

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

    if [ $VERBOSITY -lt -1 ]; then
	VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
	VERBOSITY=2
    fi

    if qt mywhich hostname; then
	g_hostname=$(hostname 2> /dev/null)
    elif qt mywhich uname; then
	g_hostname=$(uname -n 2> /dev/null)
    else
	g_hostname=localhost
    fi

    if [ -n "$IPSET" ]; then
	case "$IPSET" in
	    */*)
		if [ ! -x "$IPSET" ] ; then
		    fatal_error "The program specified in IPSET ($IPSET) does not exist or is not executable"
		fi
		;;
	    *)
		prog="$(mywhich $IPSET 2> /dev/null)"
		if [ -z "$prog" ] ; then
		    fatal_error "Can't find $IPSET executable"
		fi
		IPSET=$prog
		;;
	esac
    else
	IPSET=''
    fi

    if [ -n "$WORKAROUNDS" ]; then
	case $WORKAROUNDS in
	    [Yy]es)
	        ;;
	    [Nn]o)
		WORKAROUNDS=''
		;;
	    *)
		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
		;;
	esac
    fi

    TC=tc

    IP=$(mywhich ip 2> /dev/null)

    g_loopback=$(find_loopback_interfaces)

    if [ -n "$PAGER" -a -t 1 ]; then
	case $PAGER in
	    /*)
		g_pager="$PAGER"
		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
		;;
	    *)
		g_pager=$(mywhich pager 2> /dev/null)
		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
		;;
	esac

	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

	g_pager="| $g_pager"
     fi

    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib

}
#
# Start Command Executor
#
start_command() {
    local finished
    finished=0

    do_it() {
	local rc
	rc=0
	[ -n "$g_nolock" ] || mutex_on

	if [ -x ${VARDIR}/firewall ]; then
	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
	    else
		run_it ${VARDIR}/firewall $g_debugging start
	    fi
	    rc=$?
	else
	    error_message "${VARDIR}/firewall is missing or is not executable"
	    logger -p kern.err "ERROR:$g_product start failed"
	    rc=6
	fi

	[ -n "$g_nolock" ] || mutex_off
	exit $rc
    }

    verify_firewall_script

    if product_is_started; then
	if [ $g_family -eq 4 ]; then
	    error_message "Shorewall is already running"
	else
	    error_message "Shorewall6 is already running"
	fi

	exit 0
    fi

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			f*)
			    g_fast=Yes
			    option=${option#f}
			    ;;
			C*)
			    g_counters=Yes
			    option=${option#C}
			    ;;
			p*)
			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
			    g_purge=Yes
			    option=${option%p}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	*)
	    usage 1
	    ;;
    esac

    do_it
}

#
# Reload/Restart Command Executor
#
restart_command() {
    local finished
    finished=0
    local rc
    rc=0

    verify_firewall_script

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			p*)
			    [ -n "$(mywhich conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
			    g_purge=Yes
			    option=${option%p}
			    ;;
			C*)
			    g_counters=Yes
			    option=${option#C}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	*)
	    usage 1
	    ;;
    esac

    [ -n "$g_nolock" ] || mutex_on

    if [ -x ${VARDIR}/firewall ]; then
	run_it ${VARDIR}/firewall $g_debugging $COMMAND
	rc=$?
    else
	error_message "${VARDIR}/firewall is missing or is not executable"
	logger -p kern.err "ERROR:$g_product $COMMAND failed"
	rc=6
    fi

    [ -n "$g_nolock" ] || mutex_off
    return $rc
}

run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
	run_it ${VARDIR}/firewall $g_debugging $@
    else
	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
}

#
# Echo the parameters if product is Shorewall or Shorewall6
#
ecko() {
    [ -z "$g_lite" ] && echo "$@"
}
#
# Give Usage Information
#
usage() # $1 = exit status
{
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ] [ -l ] [ -m ]"
    echo "   enable <interface>"
    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"

    if [ $g_family -eq 4 ]; then
	echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
	echo "   ipdecimal { <address> | <integer> }"
	echo "   iprange <address>-<address>"
    fi

    if [ $g_family -eq 4 ]; then
	echo "   iptrace <iptables match expression>"
    else
	echo "   iptrace <ip6tables match expression>"
    fi

    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"

    if [ $g_family -eq 4 ]; then
	echo "   noiptrace <iptables match expression>"
    else
	echo "   noiptrace <ip6tables match expression>"
    fi

    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"

    if [ -z "$g_lite" ]; then
	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
    fi

    echo "   reset [ <chain> ... ]"

    if [ -n "$g_lite" ]; then
	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    fi

    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ -C ] [ <file name> ]"
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    ecko "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
    echo "   [ show | list | ls ] event [ <event> ...]"
    echo "   [ show | list | ls ] events"
    echo "   [ show | list | ls ] filters"
    echo "   [ show | list | ls ] ip"

    if [ $g_family -eq 4 ]; then
	echo "   [ show | list | ls ] ipa"
    fi

    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
    ecko "   [ show | list | ls ] macro <macro>"
    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"

    if [ -n "$g_lite" ]; then
	echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    else
	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    fi

    echo "   status [ -i ]"
    echo "   stop"
    ecko "   try <directory> [ <timeout> ]"
    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
}

#
# This is the main entry point into the CLI. It directly handles all commands supported
# by both the full and lite versions. Note, however, that functions such as start_command()
# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
# here if that lib is loaded below.
#
shorewall_cli() {
    g_debugging=

    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
	g_debugging=$1
	shift
    fi

    g_nolock=

    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
	g_nolock=nolock
	shift
    fi

    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
    g_fast=
    g_verbose_offset=0
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
    g_recovering=
    g_timestamp=
    g_shorewalldir=
    g_haveconfig=
    g_conditional=
    g_file=
    g_doing="Compiling"
    g_inline=
    g_counters=
    g_loopback=
    g_compiled=
    g_pager=

    VERBOSE=
    VERBOSITY=1

    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

    while [ $finished -eq 0 ]; do
	[ $# -eq 0 ] && usage 1
	option=$1
	case $option in
	    -)
		finished=1
		;;
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			c)
			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1

			    if [ ! -d $2 ]; then
				if [ -e $2 ]; then
				    fatal_error "$2 is not a directory"
				else
				    fatal_error "Directory $2 does not exist"
				fi
			    fi

			    g_shorewalldir=$(resolve_file $2)
			    option=
			    shift
			    ;;
			e*)
			    [ -n "$g_lite" ] && usage 1
			    g_export=Yes
			    option=${option#e}
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			q*)
			    g_verbose_offset=$(($g_verbose_offset - 1 ))
			    option=${option#q}
			    ;;
			f*)
			    g_fast=Yes
			    option=${option#f}
			    ;;
			[vV]*)
			    case $option in
				v*)
				    option=${option#v}
				    ;;
				*)
				    option=${option#V}
				    ;;
			    esac

			    case $option in
				-1*)
				    g_use_verbosity=-1
				    option=${option#-1}
				    ;;
				0*)
				    g_use_verbosity=0
				    option=${option#0}
				    ;;
				1*)
				    g_use_verbosity=1
				    option=${option#1}
				    ;;
				2*)
				    g_use_verbosity=2
				    option=${option#2}
				    ;;
				*)
				    g_verbose_offset=$(($g_verbose_offset + 1 ))
				    g_use_verbosity=
				    ;;
			    esac
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			t*)
			    g_timestamp=Yes
			    option=${option#t}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    if [ $# -eq 0 ]; then
	usage 1
    fi

    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    g_firewall=${VARDIR}/firewall

    version_file=${g_sharedir}/version
    if [ -f $version_file ]; then
	SHOREWALL_VERSION=$(cat $version_file)
    else
	echo "   ERROR: $g_product is not properly installed" >&2
	echo "	 The file $version_file does not exist"  >&2
	exit 1
    fi

    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"

    case $(echo -e) in
	-e*)
	    g_ring_bell="echo \a"
	    g_echo_e="echo"
	    ;;
	*)
	    g_ring_bell="echo -e \a"
	    g_echo_e="echo -e"
	    ;;
    esac

    case $(echo -n "Testing") in
	-n*)
	    g_echo_n=
	    ;;
	*)
	    g_echo_n=-n
	    ;;
    esac

    COMMAND=$1

    case "$COMMAND" in
	start)
	    get_config Yes Yes
	    shift
	    start_command $@
	    ;;
	stop|clear)
	    [ $# -ne 1 ] && usage 1
	    get_config
	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
	    [ -n "$g_nolock" ] || mutex_on
	    run_it $g_firewall $g_debugging $COMMAND
	    [ -n "$g_nolock" ] || mutex_off
	    ;;
	reset)
	    get_config
	    shift
	    [ -n "$g_nolock" ] || mutex_on
	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
	    run_it $g_firewall $g_debugging reset $@
	    [ -n "$g_nolock" ] || mutex_off
	    ;;
	reload|restart)
	    get_config Yes Yes
	    shift
	    restart_command $@
	    ;;
	disable|enable|reenable)
	    get_config Yes
	    if product_is_started; then
		run_it ${VARDIR}/firewall $g_debugging $@
	    else
		fatal_error "$g_product is not running"
	    fi
	    ;;
	run)
	    [ $# -gt 1 ] || fatal_error "Missing function name"
	    get_config Yes
	    run_command $@
	    ;;
	show|list|ls)
	    get_config Yes No Yes
    	    shift
    	    show_command $@
	    ;;
	status)
	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
	    get_config
	    shift
	    status_command $@
	    ;;
	dump)
	    get_config Yes No Yes
    	    shift
    	    dump_command $@
	    ;;
	hits)
	    [ $g_family -eq 6 ] && usage 1
	    get_config Yes No Yes
	    [ -n "$g_debugging" ] && set -x
	    shift
	    hits_command $@
	    ;;
	version)
	    shift
	    version_command $@
	    ;;
	logwatch)
	    get_config Yes Yes Yes
	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
	    logwatch_command $@
	    ;;
	drop)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    drop_command $@
	    ;;
	logdrop)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    logdrop_command $@
	    ;;
	reject|logreject)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    reject_command $@
	    ;;
	open|close)
	    get_config
	    shift
	    open_close_command $@
	    ;;
	allow)
	    get_config
	    allow_command $@
	    ;;
	add)
	    get_config
	    shift
	    add_command $@
	    ;;
	delete)
	    get_config
	    shift
	    delete_command $@
	    ;;
	save)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    save_command $@
	    ;;
	forget)
	    get_config
	    forget_command $@
	    ;;
	ipcalc)
    	    [ -n "$g_debugging" ] && set -x
	    ipcalc_command $@
	    ;;
	iprange)
	    [ -n "$g_debugging" ] && set -x
	    iprange_command $@
	    ;;
	ipdecimal)
	    [ -n "$g_debugging" ] && set -x
	    ipdecimal_command $@
	    ;;
	restore)
	    get_config
	    shift
	    restore_command $@
            ;;
	call)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    #
	    # Way to call functions in the libraries directly
	    #
	    shift

	    if [ $# -gt 0 ]; then
		#
		# First look for it here
		#
		if type $1 2> /dev/null | fgrep -q 'is a function'; then
		    #
		    # It's a shell function -- call it
		    #
		    $@
		else
		    #
		    # It isn't a function visible to this script -- try
		    # the compiled firewall
		    #
		    run_it $g_firewall $g_debugging call $@
		fi
	    else
		usage 1
	    fi
	    ;;
	help)
	    shift
	    usage
	    ;;
	iptrace)
	    get_config
	    shift
	    iptrace_command $@
	    ;;
	noiptrace)
	    get_config
	    shift
	    noiptrace_command $@
	    ;;
	savesets)
	    [ $# -eq 1 ] || usage 1
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    savesets1
	    ;;
	*)
	    if [ -z "$g_lite" ]; then
		compiler_command $@
	    else
		usage 1
	    fi
	    ;;
    esac
}