;;
        esac
    fi
}
#
# Determine the value for a parameter that defaults to No.
#
# Arguments: $1 - parameter name (used only in the error message)
#            $2 - parameter value as read from shorewall.conf
# Outputs:   "Yes" on stdout when $2 is yes/YES/Yes (any case mix);
#            the empty string when $2 is empty or no/NO/No.
# Note:      any other value is fatal via startup_error (defined elsewhere).
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
    local val
    val="$2"
    if [ -z "$val" ]; then
        echo ""
    else
        case $val in
            [Yy][Ee][Ss]) echo "Yes" ;;
            [Nn][Oo]) echo "" ;;
            *) startup_error "Invalid value ($val) for $1" ;;
        esac
    fi
}
#
# Initialize this program.
#
# Resets every shorewall.conf setting to empty, sources shorewall.conf,
# determines iptables/netfilter capabilities, validates and normalises the
# settings (Yes/No style options become "Yes" or ""), creates $TMP_DIR and
# pre-processes the standard configuration files with strip_file.
#
# Globals:   reads PROGRAM (expected to be "compiler" or "firewall"),
#            SHAREDIR, EXPORT (set by the -e flag), KLUDGEFREE,
#            CONFIG_PATH/SHOREWALL_DIR; writes essentially every
#            configuration variable listed below plus TMP_DIR, TERMINATOR,
#            MACLIST_TARGET, MARKING_CHAIN, MAXZONENAMELENGTH, HAVEAWK,
#            TC_SCRIPT and LOGLIMIT.
# Side effects: sets LC_ALL, umask and PATH for the whole process, installs a
#            signal trap that removes $TMP_DIR, and may load kernel modules
#            when running as root without -e.
# Returns:   does not return on a configuration error (startup_error);
#            otherwise the status of the final [ ... ] && FW= test (see the
#            note at the end).
#
# Helpers such as startup_error, error_message, progress_message, find_file,
# mywhich, qt, lib_load, strip_file and the *_capabilities functions are
# defined in other Shorewall library files, not here.
#
do_initialize() {
    # Run all utility programs using the C locale so that the output of
    # sed/grep/sort etc. parsed below is not locale dependent.
    #
    # Thanks to Vincent Planchenault for this tip
    #
    export LC_ALL=C
    # Make sure umask is sane -- files created from here on (temporary
    # directory, compiled script) are owner-only.
    umask 077
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
    #
    # Establish termination function
    #
    TERMINATOR=fatal_error
    #
    # Clear all configuration variables (shorewall.conf) so that nothing
    # inherited from the environment survives unless it is set in the file.
    #
    STARTUP_ENABLED=
    #
    #VERBOSE is inherited -- VERBOSITY is only used in the CIs
    #
    #
    # Logging
    #
    LOGFILE=
    LOGFORMAT=
    LOGTAGONLY=
    LOGRATE=
    LOGBURST=
    LOGALLNEW=
    BLACKLIST_LOGLEVEL=
    MACLIST_LOG_LEVEL=
    TCP_FLAGS_LOG_LEVEL=
    RFC1918_LOG_LEVEL=
    SMURF_LOG_LEVEL=
    LOG_MARTIANS=
    #
    # Location of files
    #
    IPTABLES=
    #PATH is inherited
    SHOREWALL_SHELL=
    SUBSYSLOCK=
    MODULESDIR=
    #CONFIG_PATH is inherited
    RESTOREFILE=
    IPSECFILE=
    LOCKFILE=
    #
    # Default Actions/Macros
    #
    DROP_DEFAULT=
    REJECT_DEFAULT=
    ACCEPT_DEFAULT=
    QUEUE_DEFAULT=
    #
    # Firewall Options
    #
    IP_FORWARDING=
    ADD_IP_ALIASES=
    ADD_SNAT_ALIASES=
    RETAIN_ALIASES=
    TC_ENABLED=
    TC_EXPERT=
    CLEAR_TC=
    MARK_IN_FORWARD_CHAIN=
    CLAMPMSS=
    ROUTE_FILTER=
    DETECT_DNAT_IPADDRS=
    MUTEX_TIMEOUT=
    ADMINISABSENTMINDED=
    BLACKLISTNEWONLY=
    DELAYBLACKLISTLOAD=
    MODULE_SUFFIX=
    DISABLE_IPV6=
    BRIDGING=
    DYNAMIC_ZONES=
    PKTTYPE=
    RFC1918_STRICT=
    MACLIST_TABLE=
    MACLIST_TTL=
    SAVE_IPSETS=
    MAPOLDACTIONS=
    FASTACCEPT=
    IMPLICIT_CONTINUE=
    HIGH_ROUTE_MARKS=
    USE_ACTIONS=
    OPTIMIZE=
    EXPORTPARAMS=
    KEEP_TC_RULES=
    DELETE_THEN_ADD=
    DONT_LOAD=
    #
    # Packet Disposition
    #
    MACLIST_DISPOSITION=
    TCP_FLAGS_DISPOSITION=
    BLACKLIST_DISPOSITION=
    #
    # Other Globals
    #
    VERSION=
    FW=
    USEPKTYPE=
    LOGLIMIT=
    LOGPARMS=
    OUTPUT=
    ALL_INTERFACES=
    ROUTEMARK_INTERFACES=
    PROVIDERS=
    CRITICALHOSTS=
    EXCLUSION_SEQ=1
    STOPPING=
    HAVE_MUTEX=
    ALIASES_TO_ADD=
    SECTION=ESTABLISHED
    SECTIONS=
    ALL_PORTS=
    ACTIONS=
    USEDACTIONS=
    DEFAULT_MACROS=
    COMMENT=
    VERSION_FILE=
    LOGRULENUMBERS=
    ORIGINAL_POLICY_MATCH=
    ORIGINAL_MANGLE_ENABLED=
    ensure_config_path
    VERSION_FILE=$SHAREDIR/version
    [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
    # Run the user's 'params' exit; with shorewall-perl installed its
    # variables are auto-exported (set -a) for the duration of the exit.
    [ -d /usr/share/shorewall-perl ] && set -a; run_user_exit params
    set +a
    # shorewall.conf is sourced as shell code, so everything it assigns
    # becomes a variable of this process.
    config=$(find_file shorewall.conf)
    if [ -f $config ]; then
        if [ -r $config ]; then
            progress_message "Processing $config..."
            . $config
        else
            startup_error "Cannot read $config (Hint: Are you root?)"
        fi
    else
        startup_error "$config does not exist!"
    fi
    #
    # Restore CONFIG_PATH if the shorewall.conf file cleared it
    #
    ensure_config_path
    # Private scratch directory (umask 077 above plus an explicit chmod).
    TMP_DIR=$(mktempdir)
    [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
        startup_error "Can't create a temporary directory"
    # Clean up on signals. NOTE(review): the trap action is double-quoted, so
    # $OUTPUT / $RESTOREBASE and $TMP_DIR are expanded now, while the trap is
    # installed, not when a signal arrives -- and OUTPUT was cleared a few
    # lines above, so the compiler's handler is installed with an empty
    # OUTPUT. Single-quoting the action would defer expansion to signal time;
    # confirm that is the intent before changing it.
    case $PROGRAM in
        compiler)
            trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
            ;;
        firewall)
            trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
            ;;
    esac
    #
    # Determine the capabilities of the installed iptables/netfilter
    # We load the kernel modules here to accurately determine
    # capabilities when module autoloading isn't enabled.
    #
    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
    # DONT_LOAD is a comma-separated list in the file; convert to words.
    [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
    # '[ -n "${VAR:=default}" ]' is used throughout as a compact way of
    # assigning a default when the variable is unset or empty.
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
    # Only probe the live system when running as root and not exporting
    # (-e); otherwise a saved capabilities file is mandatory.
    if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then
        load_kernel_modules Yes
        if [ -z "$IPTABLES" ]; then
            IPTABLES=$(mywhich iptables 2> /dev/null)
            [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
        else
            [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
        fi
        # A capabilities file, if present, takes precedence over probing.
        f=$(find_file capabilities)
        [ -f $f ] && . $f || determine_capabilities
    else
        f=$(find_file capabilities)
        [ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
    fi
    # CAPVERSION is recorded in the capabilities file; SHOREWALL_CAPVERSION
    # is the version this code expects (defined outside this function).
    if [ -n "$CAPVERSION" ]; then
        [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION"
    else
        error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION"
    fi
    # Remember the detected values before the settings below may clear them.
    ORIGINAL_POLICY_MATCH=$POLICY_MATCH
    ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED
    ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
    # Build the iptables rate-limit match used on logging rules.
    if [ -n "${LOGRATE}${LOGBURST}" ]; then
        LOGLIMIT="--match limit"
        [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
        [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
    fi
    if [ -n "$IP_FORWARDING" ]; then
        case "$IP_FORWARDING" in
            On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP) ;;
            *) startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" ;;
        esac
    else
        IP_FORWARDING=On
    fi
    # ROUTE_FILTER / LOG_MARTIANS: "Keep" (and, for ROUTE_FILTER, unset)
    # becomes empty, meaning the kernel setting is left alone.
    if [ -n "$ROUTE_FILTER" ]; then
        case "$ROUTE_FILTER" in
            Yes|yes|YES) ROUTE_FILTER=yes ;;
            No|no|NO) ROUTE_FILTER=no ;;
            Keep|keep|KEEP) ROUTE_FILTER= ;;
            *) startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER" ;;
        esac
    else
        ROUTE_FILTER=
    fi
    if [ -n "$LOG_MARTIANS" ]; then
        case "$LOG_MARTIANS" in
            Yes|yes|YES) LOG_MARTIANS=yes ;;
            No|no|NO) LOG_MARTIANS=no ;;
            Keep|keep|KEEP) LOG_MARTIANS= ;;
            *) startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS" ;;
        esac
    else
        LOG_MARTIANS=yes
    fi
    [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
    # CLAMPMSS is either a numeric MSS or a Yes/No switch.
    case "$CLAMPMSS" in
        [0-9]*) ;;
        *) CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) ;;
    esac
    ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
    DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
    # MACLIST_TARGET is the chain target derived from MACLIST_DISPOSITION
    # (lowercase 'reject' presumably names a Shorewall chain, while DROP and
    # RETURN are iptables targets -- confirm against the rule generator).
    MACLIST_TARGET=reject
    if [ -n "$MACLIST_DISPOSITION" ] ; then
        case $MACLIST_DISPOSITION in
            REJECT) ;;
            DROP) MACLIST_TARGET=DROP ;;
            ACCEPT) MACLIST_TARGET=RETURN ;;
            *) startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" ;;
        esac
    else
        MACLIST_DISPOSITION=REJECT
    fi
    if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
        case $TCP_FLAGS_DISPOSITION in
            REJECT|ACCEPT|DROP) ;;
            *) startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" ;;
        esac
    else
        TCP_FLAGS_DISPOSITION=DROP
    fi
    [ -n "${RFC1918_LOG_LEVEL:=info}" ]
    MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
    [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
    CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
    # Validate LOGFORMAT by actually using it as a printf format with sample
    # arguments (chain name, optional rule number, target). LOGFORMAT comes
    # from shorewall.conf, i.e. the administrator, which is why passing it as
    # the format string is acceptable here. A '%d' directive means rule
    # numbers are logged, so one more argument is supplied.
    if [ -n "$LOGFORMAT" ]; then
        if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
            LOGRULENUMBERS=Yes
            temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
            if [ $? -ne 0 ]; then
                startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
            fi
        else
            temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
            if [ $? -ne 0 ]; then
                startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
            fi
        fi
        # 29 is the maximum log prefix length accepted here (presumably the
        # iptables --log-prefix limit); the remaining room, split between
        # the two zone names, bounds MAXZONENAMELENGTH.
        [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
        MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
        MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
    else
        LOGFORMAT="Shorewall:%s:%s:"
        MAXZONENAMELENGTH=5
    fi
    ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
    BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
    DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
    if [ -n "$DYNAMIC_ZONES" ]; then
        [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
        lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
    fi
    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
    RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
    # RETAIN_ALIASES only makes sense when some aliases are being added.
    [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
    SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
    MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
    FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
    [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes"
    IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
    HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
    USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
    EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS)
    KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
    DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
    # MANGLE_ENABLED is a detected capability that the configuration may
    # switch off (No) but not on.
    if [ -n "$MANGLE_ENABLED" ] ; then
        case $MANGLE_ENABLED in
            Yes|yes) ;;
            No|no) MANGLE_ENABLED= ;;
            *) startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; ;;
        esac
    fi
    [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
    # Extended CONNMARK handling needs the extended match and extended MARK
    # capabilities as well; without either, XCONNMARK is cleared.
    [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
    [ -n "$XMARK" ] || XCONNMARK=
    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
    # NOTE(review): the mangle arm compares MACLIST_DISPOSITION with lowercase
    # 'reject', but MACLIST_DISPOSITION was normalised above to REJECT, DROP
    # or ACCEPT (only MACLIST_TARGET holds 'reject'), so this check appears
    # never to fire -- confirm the intended variable before changing.
    case ${MACLIST_TABLE:=filter} in
        filter) ;;
        mangle) [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" ;;
        *) startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" ;;
    esac
    # TC_ENABLED: Yes (external tcstart script), Internal (built-in traffic
    # shaping from tcdevices/tcclasses) or No. Unset defaults to Yes. Any
    # other value falls through the case unchanged.
    TC_SCRIPT=
    if [ -n "$TC_ENABLED" ] ; then
        case "$TC_ENABLED" in
            [Yy][Ee][Ss])
                TC_ENABLED=Yes
                TC_SCRIPT=$(find_file tcstart)
                [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
                ;;
            [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) TC_ENABLED=Internal ;;
            [Nn][Oo]) TC_ENABLED= ;;
        esac
    else
        TC_ENABLED=Yes
    fi
    if [ -n "$TC_ENABLED" ];then
        [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
        [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf"
    fi
    [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
    [ -n "${RESTOREFILE:=restore}" ]
    # Default actions: the literal "None" is canonicalised to "none".
    case "${DROP_DEFAULT:=Drop}" in
        None) DROP_DEFAULT=none ;;
    esac
    case "${REJECT_DEFAULT:=Reject}" in
        None) REJECT_DEFAULT=none ;;
    esac
    case "${QUEUE_DEFAULT:=none}" in
        None) QUEUE_DEFAULT=none ;;
    esac
    case "${ACCEPT_DEFAULT:=none}" in
        None) ACCEPT_DEFAULT=none ;;
    esac
    case "${OPTIMIZE:=0}" in
        0|1) ;;
        *) startup_error "Invalid OPTIMIZE value ($OPTIMIZE)" ;;
    esac
    if [ -n "$LOCKFILE" ]; then
        [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist"
    fi
    #
    # Check out the user's shell: a round trip through decodeaddr/encodeaddr
    # must reproduce the address, otherwise the shell's arithmetic or string
    # handling is unusable for the generated script.
    #
    [ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
    temp=$(decodeaddr 192.168.1.1)
    if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
        startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
    fi
    # Without KLUDGEFREE, stale per-run marker files in $TMP_DIR are removed
    # (their meaning is defined where they are created, outside this file).
    if [ -z "$KLUDGEFREE" ]; then
        rm -f $TMP_DIR/physdev
        rm -f $TMP_DIR/iprange
    fi
    qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
    #
    # Pre-process all of the standard files
    #
    # Because 'strip_file()' does shell variable expansion, we must first determine the
    # setting of $FW
    #
    case ${IPSECFILE:=ipsec} in
        ipsec)
            [ -n "${FW:=fw}" ]
            strip_file ipsec
            ;;
        zones)
            get_firewall_zone
            ;;
        *)
            startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
            ;;
    esac
    strip_file zones
    strip_file routestopped
    strip_file interfaces
    strip_file hosts
    # The remaining files are only needed by the compiler; the firewall
    # program works from the already-compiled script.
    if [ $PROGRAM = compiler ]; then
        strip_file_and_lib_load accounting accounting
        if [ -n "$USE_ACTIONS" ]; then
            strip_file actions
            strip_file actions.std ${SHAREDIR}/actions.std
        fi
        strip_file blacklist
        strip_file ecn
        strip_file maclist
        strip_file_and_lib_load masq nat
        strip_file_and_lib_load nat nat
        strip_file_and_lib_load netmap nat
        strip_file policy
        # route_rules is only relevant when a providers file is present.
        strip_file_and_lib_load providers providers && strip_file route_rules
        strip_file_and_lib_load proxyarp proxyarp
        strip_file rfc1918
        strip_file routestopped
        strip_file rules
        if [ "$TC_ENABLED" = Internal ]; then
            strip_file_and_lib_load tcdevices tc
            strip_file_and_lib_load tcclasses tc
        fi
        strip_file_and_lib_load tcrules tcrules
        strip_file tos
        strip_file_and_lib_load tunnels tunnels
    fi
    # With IPSECFILE=zones the firewall zone name is taken from the zones
    # file later, so the provisional FW is cleared again.
    # NOTE(review): as the last command of the function this also makes
    # do_initialize's return status 1 whenever IPSECFILE is not 'zones';
    # harmless unless a caller checks the status.
    [ "$IPSECFILE" = zones ] && FW=
}