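# Print the names of the running kernel's ipv4 netfilter modules whose file
# name starts with $1 (e.g. "ip_conntrack_"), one per line, skipping any
# whose name contains one of the remaining arguments. Prints nothing when
# no such module file exists: an unmatched glob is NOT turned into a bogus
# module name, which is what the old awk pipeline did with the literal
# pattern the shell leaves behind.
_ipv4_netfilter_modules()
{
	local prefix="$1" path name skip wanted
	shift

	for path in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${prefix}*.o ; do
		[ -f "$path" ] || continue
		name=${path##*/}
		name=${name%.o}
		wanted=1
		for skip in "$@" ; do
			case "$name" in
			*"$skip"*) wanted=0 ;;
			esac
		done
		if [ "$wanted" = 1 ]; then
			printf '%s\n' "$name"
		fi
	done
	return 0
}

# Load the ipv4 netfilter stack: ip_tables, connection tracking with its
# helpers and - when "nat" appears in $ipv4_TABLES - the NAT helpers.
# Module options come from CONNTRACK_HASHSIZE, FTP_PORTS, FTP_FXP, IRC_PORTS
# and EGGDROP_PORTS; an empty variable passes no option (kernel default).
# _modprobe is defined elsewhere in the rc framework; "die -k -a" is handed
# to it unchanged (presumably: abort the script if a module fails to load).
ipv4_load_modules()
{
	local hash_opt ftp_ports_opt ftp_fxp_opt irc_opt egg_opt helpers

	_modprobe die -k -a ip_tables

	# Each helper takes the option built from ITS OWN ports variable. The
	# old code tested FTP_PORTS for the irc and eggdrop helpers as well, so
	# IRC_PORTS/EGGDROP_PORTS were ignored unless FTP_PORTS happened to be
	# set, and a bare "ports=" was passed when it was set but theirs was not.
	hash_opt=""; ftp_ports_opt=""; ftp_fxp_opt=""; irc_opt=""; egg_opt=""
	[ -n "$CONNTRACK_HASHSIZE" ] && hash_opt="hashsize=$CONNTRACK_HASHSIZE"
	[ -n "$FTP_PORTS" ] && ftp_ports_opt="ports=$FTP_PORTS"
	[ -n "$FTP_FXP" ] && ftp_fxp_opt="fxp=1"
	[ -n "$IRC_PORTS" ] && irc_opt="ports=$IRC_PORTS"
	[ -n "$EGGDROP_PORTS" ] && egg_opt="ports=$EGGDROP_PORTS"

	# The option variables are deliberately unquoted: an empty one must
	# contribute no argument at all.
	_modprobe die -k -a ip_conntrack $hash_opt
	_modprobe die -k -a ip_conntrack_ftp $ftp_ports_opt $ftp_fxp_opt
	_modprobe die -k -a ip_conntrack_irc $irc_opt
	_modprobe die -k -a ip_conntrack_egg $egg_opt

	# Any other conntrack helper shipped with the kernel, without options.
	helpers=$(_ipv4_netfilter_modules ip_conntrack_ ftp irc egg)
	if [ -n "$helpers" ]; then
		_modprobe die -k -a $helpers
	fi

	# NAT helpers are only needed when a nat table is configured.
	case "$ipv4_TABLES" in
	*nat*)
		_modprobe die -k -a ip_nat_ftp $ftp_ports_opt
		_modprobe die -k -a ip_nat_irc $irc_opt
		helpers=$(_ipv4_netfilter_modules ip_nat_ ftp irc)
		if [ -n "$helpers" ]; then
			_modprobe die -k -a $helpers
		fi
		;;
	esac
}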

# Load the ipv6 netfilter core. Unlike the ipv4 side, no connection-tracking
# or NAT helper modules are loaded here - only ip6_tables itself.
ipv6_load_modules()
{
	local core

	core=ip6_tables
	_modprobe die -k -a "$core"
}

# Unload every ipv4 netfilter module, by name prefix: match/target modules
# (ipt_*), NAT helpers (ip_nat_*), connection tracking (ip_conntrack*),
# the per-table modules (iptable_*) and finally the ip_tables core.
# Each group is handed to a single rmmod; failures are not checked.
ipv4_remove_modules()
{
	local prefix loaded

	for prefix in ipt_ ip_nat_ ip_conntrack iptable_ ; do
		loaded=$(lsmod | awk -v p="$prefix" 'index($1, p) == 1 { print $1 }')
		[ -n "$loaded" ] && rmmod $loaded
	done
	rmmod ip_tables
}

# Unload every ipv6 netfilter module: match/target modules (ip6t_*), then
# the per-table modules (ip6table_*), then the ip6_tables core. Each group
# is handed to a single rmmod; failures are not checked.
ipv6_remove_modules()
{
	local prefix loaded

	for prefix in ip6t_ ip6table_ ; do
		loaded=$(lsmod | awk -v p="$prefix" 'index($1, p) == 1 { print $1 }')
		[ -n "$loaded" ] && rmmod $loaded
	done
	rmmod ip6_tables
}

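# Install the rule set for one protocol family. $1 is "ipv4" or "ipv6";
# anything else is ignored. For every table listed in ${proto}_TABLES the
# file $FIREWALL_DIR/$proto/$table is sourced; it is expected to set CHAINS
# and, for each chain in it, a ${proto}_${table}_${chain} policy variable
# and a ${proto}_${table}_${chain}_rules function. The rules function is
# run first and the chain policy is set last, so the policy that was in
# place beforehand stays in effect while the rules are being appended.
setup_rules()
{
	local table TABLES chain policy CHAINS proto ipt

	case "$1" in
	ipv4)
		proto="ipv4"
		TABLES="$ipv4_TABLES"
		ipt="$iptables"
		;;
	ipv6)
		proto="ipv6"
		TABLES="$ipv6_TABLES"
		ipt="$ip6tables"
		;;
	*)
		return
		;;
	esac
	[ -z "$TABLES" ] && return
	for table in $TABLES; do
		# Reset CHAINS before sourcing: a table file that does not set it
		# must not inherit the previous table's chain list (which would
		# call non-existent rules functions and set policies on the wrong
		# table).
		CHAINS=""
		. "$FIREWALL_DIR/$proto/$table"
		[ -z "$CHAINS" ] && continue
		for chain in $CHAINS ; do
			"${proto}_${table}_${chain}_rules"
			eval "policy=\$${proto}_${table}_${chain}"
			if [ -z "$policy" ]; then
				# The old code ran "-P $chain" with no policy, which
				# iptables rejects; say so instead of failing silently.
				echo "setup_rules: no policy configured for $proto/$table/$chain, leaving it as is" >&2
				continue
			fi
			# $ipt stays unquoted on purpose: it may carry options.
			$ipt -t "$table" -P "$chain" "$policy"
		done
	done
}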

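# Tear down the rule set for one protocol family. $1 is "ipv4" or "ipv6";
# anything else is ignored. Every table in ${proto}_TABLES (default: filter)
# is flushed, every chain named in CHAINS by $FIREWALL_DIR/$proto/$table gets
# policy ACCEPT, and user-defined chains are deleted in a second pass.
# NOTE(review): once this returns the host accepts everything on the cleaned
# tables until *_pre_init_block / setup_rules run again.
clean_rules()
{
	local table TABLES chain CHAINS proto ipt

	case "$1" in
	ipv4)
		proto="ipv4"
		TABLES="$ipv4_TABLES"
		ipt="$iptables"
		;;
	ipv6)
		proto="ipv6"
		TABLES="$ipv6_TABLES"
		ipt="$ip6tables"
		;;
	*)
		return
		;;
	esac
	[ -z "$TABLES" ] && TABLES=filter
	for table in $TABLES ; do
		# $ipt stays unquoted on purpose: it may carry options.
		$ipt -t "$table" -F
		# Reset CHAINS before sourcing so a table file that does not set
		# it cannot inherit the previous table's chain list.
		CHAINS=""
		. "$FIREWALL_DIR/$proto/$table"
		[ -z "$CHAINS" ] && continue
		for chain in $CHAINS ; do
			$ipt -t "$table" -P "$chain" ACCEPT
		done
	done

	# 2nd step because of dependencies: user chains can only be deleted
	# once no table still references them.
	for table in $TABLES ; do
		$ipt -t "$table" -X
	done
}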

# Bootstrap ipv4 state before the real rule set is installed: default-deny
# on INPUT/OUTPUT/FORWARD, then allow UDP/53 to and from each IPv4
# nameserver in /etc/resolv.conf and loopback traffic to 127.0.0.1.
# The resolver rules match on address and port only - there is no
# connection-state matching in this block.
ipv4_pre_init_block()
{
	local resolver resolvers

	$iptables -P INPUT DROP
	$iptables -P OUTPUT DROP
	$iptables -P FORWARD DROP

	# IPv4 resolvers only: nameserver lines containing ':' are IPv6 and
	# are handled by ipv6_pre_init_block.
	resolvers=$(awk '/^nameserver/ && !/:/ { print $2 }' < /etc/resolv.conf)
	for resolver in $resolvers ; do
		[ -n "$resolver" ] || continue
		$iptables -A INPUT -p udp -s "$resolver" --sport 53 -j ACCEPT
		$iptables -A OUTPUT -p udp -d "$resolver" --dport 53 -j ACCEPT
	done

	$iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
	$iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
}

# Bootstrap ipv6 state before the real rule set is installed: default-deny
# on INPUT/OUTPUT/FORWARD, then allow UDP/53 to and from each IPv6
# nameserver in /etc/resolv.conf and loopback traffic to ::1.
# The resolver rules match on address and port only - there is no
# connection-state matching in this block.
ipv6_pre_init_block()
{
	local resolver resolvers

	$ip6tables -P INPUT DROP
	$ip6tables -P OUTPUT DROP
	$ip6tables -P FORWARD DROP

	# IPv6 resolvers only: a nameserver line containing ':' is taken as
	# an IPv6 address; the rest belong to ipv4_pre_init_block.
	resolvers=$(awk '/^nameserver/ && /:/ { print $2 }' < /etc/resolv.conf)
	for resolver in $resolvers ; do
		[ -n "$resolver" ] || continue
		$ip6tables -A INPUT -p udp -s "$resolver" --sport 53 -j ACCEPT
		$ip6tables -A OUTPUT -p udp -d "$resolver" --dport 53 -j ACCEPT
	done

	$ip6tables -A INPUT -i lo -s ::1 -j ACCEPT
	$ip6tables -A OUTPUT -o lo -d ::1 -j ACCEPT
}

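# Enable ($1 = 1) or disable (any other or missing $1) IPv4 forwarding via
# /proc/sys/net/ipv4/ip_forward. Does nothing when /proc/sys/net/ipv4 is
# absent; exits the whole script with status 1 when the directory exists
# but ip_forward does not. show/busy/deltext/ok/fail are the rc-scripts
# progress helpers defined elsewhere.
ipv4_forward_set()
{
	local value message

	# Turn IP forwarding on or off. We do this before bringing up the
	# interfaces to make sure we don't forward when we shouldn't, and
	# we do it even if networking isn't configured (why not?).
	[ -d /proc/sys/net/ipv4 ] || return 0

	# Compare quoted. The old unquoted `[ $value != 1 ]` turned an empty
	# argument into `[ != 1 ]`, a test syntax error whose non-zero status
	# selected the ELSE branch - i.e. a missing argument ENABLED forwarding.
	if [ "$1" = 1 ]; then
		value=1
		message="Enabling IPv4 packet forwarding"
	else
		value=0
		message="Disabling IPv4 packet forwarding"
	fi
	show "$message"
	busy
	if [ ! -f /proc/sys/net/ipv4/ip_forward ] ; then
		deltext
		fail
		# Original behaviour kept: a kernel without ip_forward aborts the
		# whole script.
		exit 1
	fi
	echo "$value" > /proc/sys/net/ipv4/ip_forward
	deltext
	ok
}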

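# Write 1 into every /proc/sys/net/ipv4/conf/*/rp_filter so the kernel
# drops packets whose source address is not routable back over the
# interface they arrived on. Reports failure (and prints a warning) when
# the rp_filter knob does not exist. show/busy/deltext/ok/fail are the
# rc-scripts progress helpers defined elsewhere.
# NOTE(review): 1 is the strict mode of reverse-path filtering per the
# kernel's ip-sysctl documentation; hosts with asymmetric routing may need
# the looser setting instead.
ipv4_spoof_protection()
{
	local f

	# This is the best method: turn on Source Address Verification and get
	# spoof protection on all current and future interfaces.
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
		show "Setting up IP spoofing protection"
		busy
		for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
			echo 1 > "$f"
		done
		deltext
		ok
	else
		deltext
		fail
		echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED!"
	fi
}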

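# Enable ($1 = 1) or disable (any other or missing $1) IPv6 forwarding by
# writing to every /proc/sys/net/ipv6/conf/*/forwarding. Does nothing when
# the "all" knob is absent. show/busy/deltext/ok are the rc-scripts
# progress helpers defined elsewhere.
ipv6_forward_set()
{
	local value message f

	[ -e /proc/sys/net/ipv6/conf/all/forwarding ] || return 0

	# Compare quoted. The old unquoted `[ $value != 1 ]` turned an empty
	# argument into `[ != 1 ]`, a test syntax error whose non-zero status
	# selected the ELSE branch - i.e. a missing argument ENABLED forwarding.
	if [ "$1" = 1 ]; then
		value=1
		message="Enabling IPv6 packet forwarding"
	else
		value=0
		message="Disabling IPv6 packet forwarding"
	fi
	show "$message"
	busy
	for f in /proc/sys/net/ipv6/conf/*/forwarding; do
		echo "$value" > "$f"
	done
	deltext
	ok
}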

# This must be last line !
# vi:syntax=sh:tw=78:ts=8:sw=4
