#!/bin/bash

#
# LRP/Debian network configuration system
#
# Ring a ding ding, my dang a lang dong	   Dave 'Kill a Cop' Cinege   GPL2
# Ding Dong Dell, Pussy's in the well      Matthew 'Network Cowboy' Grant GPL2

# 
# start)
# Depending on the auto config portions in /etc/network.conf, it auto-
# generates hosts, resolv.conf, sets the hostname, starts up interfaces,
# configures the IP filter/firewall and sets up routes (not necessarily
# in that order). 
# 
# stop)
# brings down all interfaces listed in /proc/net/dev, and their associated
# routes. Flushes all rules for iptables.
#

# bail out if we are not root
if [ "`id -un`" != "root" ] ; then
	echo 1>&2
	echo "  `basename $0`: you must be root to run this command." 1>&2
	echo 1>&2
	exit 1
fi

TARGET_KERNEL1="2.4"
TARGET_KERNEL2="2.6"
TARGET_KERNEL3="3"

#DEBUG=1

SP='   '

qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . $1 ; }
basename () { echo "${1##*/}"; }

BANNER="# This file was generated by $0. It may be overwritten!"


#Default safe settings
VERBOSE=YES
IPV6_MODULE=NO
IPV4_FWDING_KERNEL=NO
IPV6_FWDING_KERNEL=NO
IP_FILTER_KERNEL=PACKET
IF_AUTO="eth0"
IPV4_DISABLE=NO
IPV6_DISABLE=NO
BASE_MODPATH="/lib/modules/`uname -r`/kernel"
MODPATH="${BASE_MODPATH}/net"
KERN_VERSION=`uname -r | cut -d . -f 1,2`
if echo "$KERN_VERSION" | grep '^3\..*' -q; then
	KERN_VERSION='3'
fi
[ "$KERN_VERSION" = "$TARGET_KERNEL1" ] && MODEXT="o"
[ "$KERN_VERSION" = "$TARGET_KERNEL2" ] && MODEXT="ko"
[ "$KERN_VERSION" = "$TARGET_KERNEL3" ] && MODEXT="ko"
NETFILTER_CONF="/etc/netscript"
IPTBL_FILE="$NETFILTER_CONF/iptables"
IPTBL_FILE_BACKUP="$IPTBL_FILE.backup"
IP6TBL_FILE="$NETFILTER_CONF/ip6tables"
IP6TBL_FILE_BACKUP="$IP6TBL_FILE.backup"
# test for OpenWRT
if type -f iptables | grep -q '/usr/sbin'; then
	IPTBL_PREFIX="/usr/sbin"
else
	IPTBL_PREFIX="/sbin"
fi
IPTBL="$IPTBL_PREFIX/iptables"
IPTBL_RESTORE="$IPTBL_PREFIX/iptables-restore"
IPTBL_SAVE="$IPTBL_PREFIX/iptables-save"
IP6TBL="$IPTBL_PREFIX/ip6tables"
IP6TBL_RESTORE="$IPTBL_PREFIX/ip6tables-restore"
IP6TBL_SAVE="$IPTBL_PREFIX/ip6tables-save"
IPTBL_V4PROC="/proc/net/ip_tables_names"
IPTBL_V6PROC="/proc/net/ip6_tables_names"
IPV4_PROC="/proc/sys/net/ipv4"
IPV6_PROC="/proc/sys/net/ipv6"
IPFWD_V4PROC="${IPV4_PROC}/ip_forward"
IPFWD_V6PROC="${IPV6_PROC}/conf/all/forwarding"
IPV6_DEFAULT_PREFIX=default
DEFAULT_METRIC=999999999
BACKUP_LEVELS=2
IF_DEFAULT_IPV6_DISABLE="NO"

#==============================================================================#

# Read in configuration files 
# 	- these ones can be changed by users
[ -f $NETFILTER_CONF/network.conf ] \
	&& source $NETFILTER_CONF/network.conf
IPFILTER=0
[ -f $NETFILTER_CONF/ipfilter.conf ] \
	&& source $NETFILTER_CONF/ipfilter.conf && IPFILTER=1
[ -f $NETFILTER_CONF/srvfilter.conf ] \
	&& source $NETFILTER_CONF/srvfilter.conf

[ "$DEBUG" ] && qt () { "$@" ; }
[ "$VERBOSE" = "NO" ] && vb () { qt "$@" ; }


[ -f /proc/net/ip_fwchains ] && IPCHAINS=1
[ -f /proc/net/ip_masq/autofw ] && IPAUTOFW=1
[ -f /proc/net/ip_masq/portfw ] && IPPORTFW=1
[ -f /proc/net/ip_masq/mfw ] && IPMFW=1

# translate old values for compatibility
if [ -n "$IPFWDING_KERNEL" ]; then
	IPV4_FWDING_KERNEL="$IPFWDING_KERNEL"
fi
# Setup stuff for IPv6
IPV6_KRNL=0
[ -d $IPV6_PROC ] && IPV6_KRNL=1

#############################################################################
# Code to set up function lists for filtering
#############################################################################

get_fns () {
	local STR="s/^.* ${1}\([^ ]\+\)$/\1/"
	if [ -n "$BASH_VERSION" ]; then
		declare -F | grep $1 | sed -e "$STR"
	else
		hash | grep "^function $1" | sed -e "$STR"
	fi
}

for FN in `get_fns ipf4_`; do
	if [ -z "$IPF4_FNS" ]; then
		IPF4_FNS="$FN"
	else
		IPF4_FNS="${IPF4_FNS}|$FN"
	fi
done; unset FN

for FN in `get_fns ipf6_`; do
	if [ -z "$IPF6_FNS" ]; then
		IPF6_FNS="$FN"
	else
		IPF6_FNS="${IPF6_FNS}|$FN"
	fi
done; unset FN

###############################################################################
#IP kernel option loading for global kernel switches
###############################################################################
read_sysctl () {
        local PROCFILE PROCVAL COMMENT ANS

	while read PROCFILE PROCVAL COMMENT; do
		if [ -z "$PROCFILE" -o -z "$PROCVAL" ]; then
			continue
		fi
	
		if [ "$PROCFILE"  = "#" -o "$PROCVAL" = "#" ]; then
			continue
		fi
		
		case "$PROCVAL" in
		YES|Yes|yes)
			PROCVAL=1
			;;
		NO|No|no)
			PROCVAL=0
			;;
		esac

		[ ! -f $1/$PROCFILE ] && continue

		echo $PROCVAL > $1/$PROCFILE
	done

}

read_gbl_sysctl () {

	echo "$NET_GLOBAL_SYSCTL" | read_sysctl /proc/sys/net
	
	return 0
}


###############################################################################
#IP Forwarding configuration
###############################################################################
start_auto_ipkrnlswch () {
    	local DIR
    
	# read in the global sysctl settings
	#read_gbl_sysctl

	# Turn on global RP filter switch - this is ANDed with 
	# the per interface ones
	#echo 1 > ${IPV4_PROC}/conf/all/rp_filter
	# Fix the Shared Media Mess
	#echo 0 > ${IPV4_PROC}/conf/all/shared_media
	#echo 0 > ${IPV4_PROC}/conf/default/shared_media


	if [ "$IPV4_FWDING_KERNEL" = "YES" ]; then
		vb echo -n "Enabling IPv4 packet forwarding..."
		echo "1" >$IPFWD_V4PROC && vb echo "done."
	elif [ "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
		vb echo -n "Disabling IPv4 packet forwarding..."
		echo "0" >$IPFWD_V4PROC && vb echo "done."
	fi 

	# IPv6  
	if [ $IPV6_KRNL -lt 1 ]; then
		return 0
	fi
	
	# Most hardened servers and routers need defaults like these
	# for interface host mode
	#for DIR in ${IPV6_PROC}/conf/*; do
	#	# Don't allow ICMP redirect by default
	#
	#echo 0 > $DIR/accept_redirects
	#done

	# This is here just to do the printing when IPv6 IS disabled.
	case "$IPV6_DISABLE" in
	YES|Yes|yes)
		vb echo -n "Disabling IPv6 protocol..." 
		ifv6_setproc all disable_ipv6 "$IPV6_DISABLE" && echo "done."
		;;
	*)
		ifv6_setproc all disable_ipv6 "$IPV6_DISABLE"
		;;
	esac

	# Set this flag as required for creation of dynamic bridged
	# interfaces
	#ifv6_setproc default disable_ipv6 "$IF_DEFAULT_IPV6_DISABLE"

	if [ "$IPV6_FWDING_KERNEL" = "YES" ]; then
		vb echo -n "Enabling IPv6 packet forwarding..." 
		echo "1" >$IPFWD_V6PROC && vb echo "done."
	elif [ "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
		vb echo -n "Disabling IPv6 packet forwarding..." 
		echo "0" >$IPFWD_V6PROC && vb echo "done."
	fi 

}

##############################################################################
# Functions to set 2.4 kernel interface parameters
# ifv4_setproc (<interface> <file> YES|NO
# ifv6_setproc (<interface> <file> YES|NO
##############################################################################
ifv4_setproc () {
	if [ -z "$3" ]; then
		return 0;
	fi

	[ ! -f ${IPV4_PROC}/conf/$1/$2 ] && return 1

	case "$3" in 
	YES|Yes|yes)
		echo 1 > ${IPV4_PROC}/conf/$1/$2
		return 0;
		;;
	NO|No|no)
		echo 0 > ${IPV4_PROC}/conf/$1/$2
		return 0;
		;;
	*)
		if echo $3 | grep -q '^[0-9]\+$'; then
			echo $3 > ${IPV4_PROC}/conf/$1/$2
			return 0
		fi

		return 1;
		;;
	esac
	
	return 0;
	
}

ifv6_setproc () {
	if [ -z "$3" ]; then
		return 0;
	fi

	[ $IPV6_KRNL -lt 1 ] && return 1 
	[ ! -f ${IPV6_PROC}/conf/$1/$2 ] && return 1

	case "$3" in 
	YES|Yes|yes)
		echo 1 > ${IPV6_PROC}/conf/$1/$2
		return 0;
		;;
	NO|No|no)
		echo 0 > ${IPV6_PROC}/conf/$1/$2
		return 0;
		;;
	*)
		if echo $3 | grep -q '^[0-9]\+$'; then
			echo $3 > ${IPV6_PROC}/conf/$1/$2
			return 0
		fi
		
		return 1;
		;;
	esac
	
	return 0;
	
}


##############################################################################
# checkarg() a function to check interface arguments
##############################################################################
checkarg() {
    eval "case \"$*\" in
        $IFLIST)
            ;;
        *)
            echo \"Usage: `basename $0` ifup|ifdown|ifqos|ifreload\" 
	    echo \"       ${SP} {$IFLIST}\"
            exit 1
            ;;
         esac"
}


##############################################################################
# functions to handle filter stuff
##############################################################################

#
# backup_rotate <filename> <maxlevel>
#
backup_rotate () {
        local MAX="$2"
        [ $MAX -lt 2 ] && MAX=2
        local COUNT=$(($MAX - 1))
        local PREV="$MAX"
        while [ $COUNT -gt 0 ]; do
                [ -f "${1}.${COUNT}" ] && mv "${1}.${COUNT}" "${1}.${PREV}"
                PREV=$COUNT
                COUNT=$(( $COUNT - 1 ))
        done
        [ -f "$1" ] && mv "$1" "${1}.1"
	return 0
}

ipv4filter_kernfwd () {
	local OVERRIDE="$2"

	if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
		-a "$OVERRIDE" != "yes" \
		-a  "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
		return 0;
    	fi
    
	case $1 in 
	on)
		vb echo -n "Enabling IPv4 packet forwarding..."
		echo "1" >$IPFWD_V4PROC \
			&& vb echo "done."
		;;
	off)
		vb echo -n "Disabling IPv4 packet forwarding..."
		echo "0" >$IPFWD_V4PROC \
			&& vb echo "done."
	    	;;
	*)
		echo "AAARGGHH - wrong argument given to ipv4filter_kernfwd: $1"
		exit 1
		;;
	esac
}

# Check and see if filtering and mangling are available
ipv4filter_check () {
	local TBL MANGLE FILTER
	MANGLE=0
	FILTER=0

	[ ! -f "$IPTBL_V4PROC" ] && return 1

	for TBL in `cat $IPTBL_V4PROC`; do
		case $TBL in
		mangle)
			MANGLE=1
			;;
		filter)
			FILTER=1
			;;
		esac
	done

	if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
		return 1
	fi

	return 0
}

# A function to flush the filters (for internal use)
ipv4filter_flush  () {
	local TBL

	# Flush the IPV4 filters out, and user defined chains
	[ ! -f $IPTBL_V4PROC ] && return 0
	for TBL in `cat $IPTBL_V4PROC`; do
		if [ "$TBL" = "$1" ]; then
			continue
		fi
		$IPTBL -t $TBL -F
		$IPTBL -t $TBL -X
	done

	return 0
}

ipv4filter_policy () {
	local TBL

	[ ! -f $IPTBL_V4PROC ] && return 0
	for TBL in `cat $IPTBL_V4PROC`; do
		if [ "$TBL" = "$2" ]; then
			continue
		fi

		case $TBL in
		mangle)
			$IPTBL -t $TBL -P PREROUTING $1
			$IPTBL -t $TBL -P OUTPUT $1
			;;
		filter)
			$IPTBL -t $TBL -P INPUT $1
			$IPTBL -t $TBL -P FORWARD $1
			$IPTBL -t $TBL -P OUTPUT $1
			;;
		nat)
			$IPTBL -t $TBL -P PREROUTING $1
			$IPTBL -t $TBL -P POSTROUTING $1
			$IPTBL -t $TBL -P OUTPUT $1
			;;
		rawpost)
			$IPTBL -t $TBL -P POSTROUTING $1
			;;
		raw)	
			$IPTBL -t $TBL -P PREROUTING $1
			$IPTBL -t $TBL -P OUTPUT $1
			;;
		security)
			$IPTBL -t $TBL -P INPUT $1
			$IPTBL -t $TBL -P FORWARD $1
			$IPTBL -t $TBL -P OUTPUT $1
			;;
		esac
	done

	return 0
}
				
# function to set the filter default policies
ipv4filter_clear () { 

	ipv4filter_flush $1

	ipv4filter_policy ACCEPT $1

	return 0	    

}

# Selects basic filter type configuration function
ipv4filter_iptbl_cfg () {
	if ! ipv4filter_check && ! $IPTBL -L &> /dev/null; then
		echo 
		echo "IPv4 filters: netfilter kernel modules not present." 
		echo
		return 1
	fi

	if [ ! -f $1 ] ; then
		echo
		echo "IPv4 filters: no $1 file."
		echo
		return 1
	fi
	echo -n "Loading IPv4 filters..." 
	if $IPTBL_RESTORE < $1; then
		ipf4_laptopfw
		vb echo "done."
		ipv4filter_kernfwd on
	else
		return 1
	fi

	return 0

}


ipv4filter_iptbl_save () {
	local OLD_UMASK
	
	if ! ipv4filter_check; then
		echo 
		echo "IPv4 filters: netfilter kernel modules not loaded." 
		echo
		return 1
	fi
	
	echo -n "Saving IPv4 filters..."
	backup_rotate "$IPTBL_FILE" "$BACKUP_LEVELS"
	OLD_UMASK=`umask`
	umask 0277
	if $IPTBL_SAVE > $IPTBL_FILE; then
		umask $OLD_UMASK
		chmod 0400 $IPTBL_FILE
		vb echo "done."
	else
		umask $OLD_UMASK
		vb echo
		return 1
	fi 

	vb echo
	return 0
}

# Some functions to handle Protocol IP Port tuples

ipfilter_echoParam () {
	local format="$1"
	local IFS='_'
	set -- $2
	eval "echo \"$format\""
}
	
ipfilter_echoIpPort () {
	local format1="$1"
	local format2="$2"
	local testpar="$3"
	local IFS='_'
	set -- $4
	eval "echo -n \"$format1\""
	eval "if [ -n \"$testpar\" ]; then
		echo \" $format2\"
	fi"
}

ipv4filter_exec () {
	local RES
	
	if ! ipv4filter_check && ! $IPTBL -L &> /dev/null; then
		echo 
		echo "IPv4 filters: netfilter kernel modules not present." 
		echo
		return 1
	fi

	local FN="$1"
	shift
	eval "case \"$FN\" in
		$IPF4_FNS)
			case \$1 in 
			-r|remove)
				vb echo -n \"Removing IPv4 filter $FN...\"
				;;
			*)
				vb echo -n \"Loading IPv4 filter $FN...\"
				;;
			esac
			if ipf4_${FN} $*; then 	
				echo \"done.\"
				exit 0
			fi
			exit 1
			;;
		*)
    			echo \"       `basename $0` ipfilter exec $IPF4_FNS\"
			echo \"                              [chain p1 p2 ...]\"
    			exit 1
			;;
		esac"

	return 0
}


ipv4filter_cmd () {
	
	if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
		-a "$KERN_VERSION" != "$TARGET_KERNEL2" \
		-a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
		echo
		echo "IPv4 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
		if [ "$IPV4_FWDING_KERNEL" = "FILTER_ON" ]; then
			# Keep the output pretty..
			echo
		fi
		ipv4filter_kernfwd off
		echo
		return 1
	fi
	if ! [ -x $IPTBL ] ; then
		echo
		echo "IPv4 filters: $IPTBL not found."
		echo
		return 1
	fi
	case $1 in
	load|reload|restart|reset)
		ipv4filter_iptbl_cfg $IPTBL_FILE
    		;;
	usebackup)
		local BKUP_NUM=1
    		[ -n "$2" ] && BKUP_NUM="$2"
		ipv4filter_iptbl_cfg "${IPTBL_FILE}.${BKUP_NUM}"
		;;
	save)
		ipv4filter_iptbl_save
    		;;
	clear|flush)
		ipv4filter_kernfwd off
 		vb echo -n "Flushing IPv4 filters..."
 		ipv4filter_clear
    		vb echo "done."
    		;;
	exec)
		shift
		ipv4filter_exec $*
		;;
	forward|fwd)
		ipv4filter_kernfwd on yes
		;;
	noforward|nofwd)
		ipv4filter_kernfwd off yes
		;;
	
	*)
		echo "Usage: `basename $0` ipfilter load|clear|flush|fwd|nofwd|reload|save"
		echo "                              usebackup [backup-number]"
		echo "       `basename $0` ipfilter exec $IPF4_FNS"
		echo "                              [chain p1 p2 ...]"
		exit 1
		;;
	esac
}

# IPv6 filters

ipv6filter_kernfwd () {
	local OVERRIDE="$2"

	if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
		-a "$OVERRIDE" != "yes" \
		-a  "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
		return 0;
    	fi
    
	case $1 in 
	on)
		vb echo -n "Enabling IPv6 packet forwarding..." 
		echo "1" >$IPFWD_V6PROC \
			&& vb echo "done."
		;;
	off)
		vb echo -n "Disabling IPv6 packet forwarding..."
		echo "0" >$IPFWD_V6PROC \
			&& vb echo "done."
	    	;;
	*)
		echo "AAARGGHH - wrong argument given to ipv6filter_kernfwd: $1"
		exit 1
		;;
	esac
}

# Check and see if filtering and mangling are available
ipv6filter_check () {
	local TBL MANGLE FILTER
	MANGLE=0
	FILTER=0

	[ ! -f "$IPTBL_V6PROC" ] && return 1

	for TBL in `cat $IPTBL_V6PROC`; do
		case $TBL in
		mangle)
			MANGLE=1
			;;
		filter)
			FILTER=1
			;;
		esac
	done

	if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
		return 1
	fi

	return 0
}


# A function to flush the filters (for internal use)
ipv6filter_flush  () {
	local TBL

	# Flush the IPV6 filters out, and user defined chains
	[ ! -f $IPTBL_V6PROC ] && return 0
	for TBL in `cat $IPTBL_V6PROC`; do
		if [ "$TBL" = "$1" ]; then
			continue
		fi
		$IP6TBL -t $TBL -F
		$IP6TBL -t $TBL -X
	done

	return 0
}

ipv6filter_policy () {
	local TBL

	[ ! -f $IPTBL_V6PROC ] && return 0
	for TBL in `cat $IPTBL_V6PROC`; do
		if [ "$TBL" = "$2" ]; then
			continue
		fi

		case $TBL in
		mangle)
			$IP6TBL -t $TBL -P PREROUTING $1
			$IP6TBL -t $TBL -P OUTPUT $1
			;;
		filter)
			$IP6TBL -t $TBL -P INPUT $1
			$IP6TBL -t $TBL -P FORWARD $1
			$IP6TBL -t $TBL -P OUTPUT $1
			;;
		nat)
			$IP6TBL -t $TBL -P PREROUTING $1
			$IP6TBL -t $TBL -P POSTROUTING $1
			$IP6TBL -t $TBL -P OUTPUT $1
			;;
		esac
	done

	return 0
}
				
# function to set the filter default policies
ipv6filter_clear () { 

	ipv6filter_flush $1

	ipv6filter_policy ACCEPT $1

	return 0	    

}

# Selects basic filter type configuration function
ipv6filter_iptbl_cfg () {
	if ! ipv6filter_check && ! $IP6TBL -L &> /dev/null; then
		echo 
		echo "IPv6 filters: netfilter kernel modules not present." 
		echo
		return 1
	fi

	if [ ! -f $1 ] ; then
		echo
		echo "IPv6 filters: no $1 file."
		echo
		return 1
	fi
	echo -n "Loading IPv6 filters..." 
	if $IP6TBL_RESTORE < $1; then
		ipf6_laptopfw
		vb echo "done."
		ipv6filter_kernfwd on
	else
		return 1
	fi

	return 0

}

ipv6filter_iptbl_save () {
	local OLD_UMASK

	if ! ipv6filter_check; then
		echo 
		echo "IPv6 filters: netfilter kernel modules not loaded." 
		echo
		return 1
	fi

	echo -n "Saving IPv6 filters..."
	backup_rotate "$IP6TBL_FILE" "$BACKUP_LEVELS"
	OLD_UMASK=`umask`
	umask 0277
	if $IP6TBL_SAVE > $IP6TBL_FILE; then
		umask $OLD_UMASK
		chmod 0400 $IP6TBL_FILE
		vb echo "done."
	else
		umask $OLD_UMASK
		vb echo
		return 1
	fi 

	vb echo
	return 0
}

ipv6filter_exec () {
	local RES
	
	if ! ipv6filter_check && ! $IP6TBL -L &> /dev/null; then
		echo 
		echo "IPv6 filters: netfilter kernel modules not present." 
		echo
		return 1
	fi

	local FN="$1"
	shift
	eval "case \"$FN\" in
		$IPF6_FNS)
			case \$1 in 
			-r|remove)
				vb echo -n \"Removing IPv6 filter $FN...\"
				;;
			*)
				vb echo -n \"Loading IPv6 filter $FN...\"
				;;
			esac
			if ipf6_${FN} $*; then 	
				echo \"done.\"
				exit 0
			fi
			exit 1
			;;
		*)
    			echo \"       `basename $0` ip6filter exec $IPF6_FNS\"
			echo \"                              [chain p1 p2 ...]\"
    			exit 1
			;;
		esac"


	return 0
}

ipv6filter_cmd () {
	if [ $IPV6_KRNL -lt 1 ]; then
		return 0
	fi

	if [ "$KERN_VERSION" != "$TARGET_KERNEL1"  \
		-a "$KERN_VERSION" != "$TARGET_KERNEL2" \
		-a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
		echo
		echo "IPv6 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
		if [ "$IPV6_FWDING_KERNEL" = "FILTER_ON" ]; then
			# Keep the output pretty..
			echo
		fi
		ipv6filter_kernfwd off
		echo
		return 1
	fi
	if ! [ -x $IP6TBL ] ; then
		echo
		echo "IPv6 filters: $IP6TBL not found."
		echo
		return 1
	fi
	case $1 in
	load|reload|restart|reset)
		ipv6filter_iptbl_cfg $IP6TBL_FILE
    		;;
	usebackup)
		local BKUP_NUM=1
    		[ -n "$2" ] && BKUP_NUM="$2"
		ipv6filter_iptbl_cfg "${IP6TBL_FILE}.${BKUP_NUM}"
		;;
	save)
		ipv6filter_iptbl_save
    		;;
	clear|flush)
		ipv6filter_kernfwd off
 		vb echo -n "Flushing IPv6 filters..."
 		ipv6filter_clear
    		vb echo "done."
    		;;
	exec)
		shift
		ipv6filter_exec $*
		;;
	forward|fwd)
		ipv6filter_kernfwd on yes
		;;
	noforward|nofwd)
		ipv6filter_kernfwd off yes
		;;
	
	*)
		echo "Usage: `basename $0` ip6filter load|clear|flush|fwd|nofwd|reload|save"
		echo "                               usebackup [backup-number]"
		echo "       `basename $0` ip6filter exec $IPF6_FNS"
		echo "                              [chain p1 p2 ...]"
		exit 1
		;;
	esac
}


##############################################################################
# Start and stop
##############################################################################

start () {

	start_auto_ipkrnlswch
	ipv4filter_cmd load
	
	if [ $IPV6_KRNL -ge 1 ]; then
		ipv6filter_cmd load
	fi
	
}	#END start ()

stop () {

	vb echo -n "Disabling IPv4 packet forwarding..."
	echo "0" >$IPFWD_V4PROC \
	    && vb echo "done."
	vb echo -n "Flushing IPv4 filters..."
	ipv4filter_clear && vb echo "done."
	
	if [ $IPV6_KRNL -ge 1 ]; then
		vb echo -n "Disabling IPv6 packet forwarding..."
		echo "0" >$IPFWD_V6PROC \
	    		&& vb echo "done."
		vb echo -n "Flushing IPv6 filters..."
		ipv6filter_clear && vb echo "done."
	fi

}	#END stop ()

#############################################################################
# Main - Down to business
#############################################################################


# Handle symlinked ifup and ifdown commands

if [ "`basename $0`" = "ifup" -o "`basename $0`" = "ifdown" ]; then 
	ifupdown $*
fi

case "$1" in
	start)	start	;;
	stop)	stop	;; 
	reload) start reload ;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
		;;

	ipfilter)
		shift
		if ! ipv4filter_cmd $*; then
		    exit 1
		fi
		;;

	*)
		if [ $IPV6_KRNL -ge 1 -a "$1" = "ip6filter" ]; then
			shift
			if ! ipv6filter_cmd $*; then
		    	exit 1
			fi
			exit 0
		fi
		echo "Usage: `basename $0` start|stop|reload|restart" 
		echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
		echo "                              usebackup [backup-number]"
		echo "       `basename $0` ipfilter exec $IPF4_FNS"
		echo "                              [chain p1 p2 ...]"
		if [ $IPV6_KRNL -ge 1 ]; then 
			echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
			echo "                              usebackup [backup-number]"
			echo "       `basename $0` ip6filter exec $IPF6_FNS"
			echo "                              [chain p1 p2 ...]"
		fi
		exit 1 
        ;;
esac

exit 0


