bash

2024-01-09 15:35:38 +00:00 · 2024-01-09 15:35:38 +00:00 · a354df3d40
commit a354df3d40
parent d29b1e4542
63 changed files with 26542 additions and 453 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,8 @@
 This role builds on, and requires, ../base_role and lays down the
 basics for cntlm and socks and http and https proxies.  It is required
-to be run after ../base_role
+to be run after ../base_role. Run this role even if you do not run
 behind a proxy as it sets up the proxy variables for that case.
 Look at the variables in defaults/main.yml to customize the role, and
 double-check the settings in vars/*.yml.
@ -11,3 +12,17 @@ athough only tested on Gentoo. To bring it up to date, just copy the
 existing files in vars and maybe tasks to the new name and edit to suit,
 but be advised that it is systemd-challenged, like its author.
 It should support a number of different proxy situations on a host:
 1) http_proxy and https_proxy
 2) socks_proxy and tor proxy
 3) CNTLM proxy
 4) Whonix gateway
 It should also support these different proxy situations in a container.
 It has 2 test scripts proxy_daily.bash and proxy_daily.bash than
 run quick status checks and indepth testing respectively.
--- a/overlay/Gentoo/usr/local/sbin/gentoo_check_manifest.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_check_manifest.bash
@ -27,7 +27,7 @@ gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest >/tmp/K$$.log 2>&1 || exit
 grep 'using RSA key' /tmp/K$$.log || exit 4
 grep 'Primary key fingerprint:' /tmp/K$$.log | sed -e 's/.*: //' -e 's/ //g' > /tmp/K$$.key || exit 5
-if route | grep -q ^default ; then
+if grep -q "^wlan[1-9][ 	]00000000" /proc/net/route ; then
    . /root/bin/tor.sh
    wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0
    grep "`cat /tmp/K$$.key`" /tmp/K$$.html || {
--- a/overlay/Linux/usr/local/bin/curl.bash
+++ b/overlay/Linux/usr/local/bin/curl.bash
@ -2,16 +2,36 @@
 # -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
 ROLE=proxy
 PREFIX=/usr/local
 . /usr/local/bin/usr_local_tput.bash || exit 2
 ip route | grep -q ^def || {
-    WARN we are not connected
+    WARN we are not connected >&2
    exit 1
 }
 [ -f $HOME/.curlrc ] || touch $HOME/.curlrc
 declare -a CURL_OPTS
 # --silent  --show-error
 CURL_OPTS=( --fail-early --fail )
 [[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
  [[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] ||  CURL_OPTS+=( --http0.9 )
 [[ ! "$*" =~ --retry ]] &&  CURL_OPTS+=( --retry 3 )
 [[ ! "$*" =~ -4 ]] &&  CURL_OPTS+=( -4 )
 # [[ ! "$*" =~ --http2 ]] &&  CURL_OPTS+=(  --http2 )
 [[ ! "$*" =~  --max-redirs ]] &&  CURL_OPTS+=( --max-redirs 10 )
 [[ ! "$*" =~ --location ]] &&  CURL_OPTS+=( --location )
 [[ ! "$*" =~ --remote-time ]] &&  CURL_OPTS+=( --remote-time )
 [[ ! "$*" =~ --create-dirs ]] &&  CURL_OPTS+=( --create-dirs )
 if [[ "$socks_proxy" =~ socks5://.* ]] ; then
    export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
 fi
 if [[ ! "$*" =~  --proxy ]] && [ -n "$socks_proxy" ] ; then
    CURL_OPTS+=( --proxy $socks_proxy )
    [ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
    [ -n "$http_proxy" ]  && export http_proxy=  && unset http_proxy
@ -21,8 +41,14 @@ if [[ "$socks_proxy" =~ socks5://.* ]] ; then
  elif [ -n "$http_proxy" ] ; then
    CURL_OPTS+=( --proxy $http_proxy )
 fi
 export CURL_OPTS+=( -L )
 if [ -d  $HOME/.local/ ] ; then
    [ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
    [[ ! "$*" =~ --cookie-jar ]] && \
        CURL_OPTS+=(  --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
 fi
 export CURL_OPTS+=( -L --remote-time )
 if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
    export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
    # #define CURLALTSVC_H2           (1<<4)
@ -41,5 +67,6 @@ if [[ ! "$*" =~ --capath ]] && \
  export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
 fi
-echo INFO: curl $CURL_OPTS "$@"
+export CURL_OPTS
-exec       curl $CURL_OPTS "$@"
+DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
 exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"
--- a/overlay/Linux/usr/local/bin/dirmngr.bash
+++ b/overlay/Linux/usr/local/bin/dirmngr.bash
@ -31,7 +31,7 @@ if [ -n "$PROXY_WLAN" ] ; then
 	echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
 fi
-route | grep -q ^default || { ERROR no route ; exit 1; }
+grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || { ERROR no route ; exit 1; }
 [ ! -x /usr/bin/netstat ] || \
  netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
--- a/overlay/Linux/usr/local/bin/proxy_daily.bash
+++ b/overlay/Linux/usr/local/bin/proxy_daily.bash
@ -13,7 +13,8 @@ ROLE=proxy
 # It is also run at the end of ansible_local.bash --tags daily to raise the issues.
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-[ -f /usr/local/etc/testforge/testforge.bash ] && .  /usr/local/etc/testforge/testforge.bash
+[ -f /usr/local/etc/testforge/testforge.bash ] && \
    .  /usr/local/etc/testforge/testforge.bash
 MYID=$( id -u )
 [ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ;  exit 1 ; }
@ -34,8 +35,8 @@ rm -f $LOG_DIR/*${prog}_${ly}*.log
 elt=doctest3
 if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
-    /var/local/bin/testforge_python_doctest3.bash \
+    $PREFIX/bin/testforge_python_doctest3.bash \
-	/var/local/share/doc/txt/proxy3.txt \
+	/usr/local/share/doc/txt/proxy3.txt \
 	> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
 fi
--- a/overlay/Linux/usr/local/bin/proxy_dirmngr.bash
+++ b/overlay/Linux/usr/local/bin/proxy_dirmngr.bash
@ -28,7 +28,7 @@ if [ -n "$PROXY_WLAN" ] ; then
 	echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
 fi
-route | grep -q ^default || { ERROR no route ; exit 1; }
+grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || { ERROR no route ; exit 1; }
 [ -z "$USER" ] && USER=$(id -un )
 if [ $USER = root ] ; then
--- a/overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
@ -41,17 +41,21 @@ if [ -d /etc/pacman.d/gnupg ] ; then
    fi
  fi
 if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
       grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
    echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
    exit 1
 fi
 GPG="gpg --verbose --home $HOMEDIR"
 [ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
 $GPG --refresh-keys --verbose
 ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
-grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
+grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
    sed -e 's@keyserver hkp://@@' | \
-    while read elt;do
+    while read elt ; do
 	for proxy in $PROXIES; do
            echo 1 | http_proxy=$proxy $GPG --yes \
 			       --debug-level guru \
@ -61,3 +65,4 @@ grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
 	done
    done
 /usr/local/bin/proxy_ping_test.bash dirmngr
--- a/overlay/Linux/usr/local/bin/proxy_hourly.bash
+++ b/overlay/Linux/usr/local/bin/proxy_hourly.bash
@ -12,15 +12,25 @@ DEBUG=1
 # It is also run at the end of ansible_local.bash --tags daily to raise the issues.
 prog=$( basename $0 .bash )
 . /usr/local/bin/usr_local_tput.bash || exit 2
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 [ -f /usr/local/etc/testforge/testforge.bash ] && \
    .  /usr/local/etc/testforge/testforge.bash >/dev/null
 . /usr/local/bin/proxy_export.bash
 PL=/usr/local/bin/proxy_ping_lib.bash
 . $PL
 PL=
 PLL=/usr/local/bin/proxy_libvirt_lib.bash
 . $PLL
 PLL=
 DEBUG=1
 declare -a BOX_NBD_OVERLAY_EXTERNAL
 # fill this in with the ansible hosts.yml
 BOX_NBD_OVERLAY_EXTERNALS=(
    /o/var/local/src/play_tox/hosts.yml
    /o/data/TestForge/src/ansible/hosts.yml
    )
 [ -z "$USER" ] && USER=$(id -un )
 MYID=$( id -u )
 [ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ;  exit 1 ; }
@ -40,48 +50,113 @@ ELOG=$LOG_DIR/E${prog}_${ly}$$.log
 WLOG=$LOG_DIR/W${prog}_${ly}$$.log
 OUT=$LOG_DIR/O${prog}_${ly}$$.log
 [ -f /usr/local/etc/testforge/testforge.bash ] && \
 	. /usr/local/etc/testforge/testforge.bash
 export PATH=$PATH:/usr/local/bin
-
+[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
 [ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
 [ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
 [ -z "$MODE" ] && exit 2
 [ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
 find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
 elt=proxy_export
 DBUG elt=$elt
 . /usr/local/bin/$elt.bash || exit 2
 DBUG http_proxy=$http_proxy
 DBUG https_proxy=$https_proxy
 DBUG socks_proxy=$socks_proxy
 IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
 DBUG external=$IP
 GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
 DBUG gw=$GW
 grep -q "^wlan[1-9][ 	]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
 if [ $ZERO_CONNECTED == 0 ] ; then
    /usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
    [ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
 fi
 elt=/etc/ssl/certs
 DBUG elt=$elt
 if [ -d  /etc/ssl/certs/ ] ; then
    find -L /etc/ssl/certs/ -type l | tee -a $ELOG
    find -L /etc/ssl/certs/ -type l -delete
 else
    WARN /etc/ssl/certs/ missing
 fi
 elt=route
 DBUG elt=$elt
 # ubuntu / devuan oddball
 route | grep -q 'lo$' || \
   ip route add 127.0.0.0/8 dev lo scope host
-/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
+if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor  ] ; then
    NS=127.0.0.1
 elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws  ] ; then
    NS=10.0.2.2
 else
    NS=
 fi
 if [ -n "$NS" ] ; then
    elt=/etc/resolv.conf
    DBUG elt=$elt
    a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
    if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
 	/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
 	echo "nameserver $IP" > /etc/resolv.conf
    fi
 fi
-if [ $ONE_GUEST -eq 0 ] ; then
+if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor  ] ; then
    IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
    # 10.24.216.64
    elt=/etc/hosts
    DBUG elt=$elt
    if [ -n "$IP" ] ; then
 	grep -q " external" /etc/hosts && \
 	    sed -e "s/.* external/$IP external/" -i /etc/hosts  || \
 		echo "$IP external" >>  /etc/hosts
 	for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
 	    [ -f $file ] || continue
 	    grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
 	    sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
 	done
    fi
-    a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
+    elt=/etc/firewall.conf
-    if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
+    DBUG elt=$elt
-	/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
+    [ -f /etc/firewall.conf ] || {
-	echo 'nameserver 127.0.0.1' > /etc/resolv.conf
+	ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
 	    xargs /usr/local/bin/base_wall.bash
    }
    elt=iptables
    DBUG elt=$elt
    $PL proxy_iptables_save >$OUT 2>&1
    if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
 	ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
 	/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
 	#?	    /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
    fi
-    [ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
+elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws  ] && [ $ONE_GUEST -eq 1 ]; then
-    find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
+    elt=/etc/resolv.conf
-    if [ -d /etc/ssl/certs/ ] ; then
+    DBUG elt=$elt
-	find -L /etc/ssl/certs/ -type l >> $WLOG
+    if [ $? -eq 0 -a -n "$GW" ] ; then
-	find -L /etc/ssl/certs/ -type l -delete
+	if ! grep  -q "$GW" /etc/resolv.conf ; then
-    else
+	    /usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
-	WARN /etc/ssl/certs/ missing
+	    echo "nameserver $GW" >> /etc/resolv.conf
 	fi
 	$PL proxy_ping_firewall_check  || \
 	    /usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
    fi
 fi
 if [ $ONE_GUEST -eq 0 ] ; then
    if [ "$MODE" = whonix ] ; then
 	[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
 	BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
 	if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
 	       which virsh 2>/dev/null >/dev/null && \
@ -89,18 +164,14 @@ if [ $ONE_GUEST -eq 0 ] ; then
 	    # sh proxy_whonix_host_tor.bash whonix
 	    /usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
 	fi
-	$PL proxy_libvirt_test >$OUT 2>&1
+	$PLL proxy_libvirt_test >$OUT 2>&1
 	retval=$?
-	[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
+	[ $retval -gt 1 ] && \
-fi
+	    ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
    fi
    [ -f /etc/firewall.conf ] || {
 	ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
 	    xargs /usr/local/bin/base_wall.bash
    }
    ifconfig | grep -q ^wlan
    if [ $? -eq 0 ] ; then
    wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
    if [ -n "$wlan7" ] ; then
 	grep -q $wlan7 /etc/firewall.conf  || {
 	    ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
 		xargs /usr/local/bin/base_wall.bash
@ -109,43 +180,37 @@ fi
    fi
    [ -f /var/log/privoxy/logfile ] && \
-	grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
+	grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
-	echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
+	ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
-if route | grep -q ^def ; then
+    if grep -q "^wlan[1-9][ 	]00000000" /proc/net/route ; then
 	$PL proxy_ping_gw_check || {
-	ERROR  proxy_ping_gw_check >> $ELOG
+	    ERROR  proxy_ping_gw_check | tee -a $ELOG
 	}
-    $PL proxy_ping_dnsmasq_check || {
+	$PL proxy_ping_dnsmasq_check && \
-x	ERROR  proxy_ping_dnsmasq_check >> $ELOG
+	    ERROR  proxy_ping_dnsmasq_check || {
 	    ERROR  proxy_ping_dnsmasq_check | tee -a $ELOG
 	}
-    $PL proxy_ping_firewall_check || {
+	$PL proxy_ping_firewall_check && \
-	ERROR proxy_ping_firewall_check >> $ELOG
+	    INFO proxy_ping_firewall_check  || {
 	    ERROR proxy_ping_firewall_check | tee -a $ELOG
 	}
-    $PL proxy_iptables_save >$OUT 2>&1
+	$PL proxy_test_dirmngr $OUT && \
-    if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
+	    INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
-	ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
+		retval=$?
-	/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
+		ERROR proxy_test_dirmngr $retval | tee -a $ELOG
-#?	    /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
+	}
    fi
    $PL proxy_test_dirmngr $OUT || \
 	    { retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
 	if dmesg | grep --text -A 1 'martian' ; then
 	    dmesg | grep --text -A 1 'martian' | \
-		     xargs echo WARN: martians >> $WLOG
+		xargs echo WARN: martians | tee -a $ELOG
            dmesg | grep --text -A 1 'martian' | \
-	    sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
+		sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
 	else
 	    INFO proxy_test_dirmngr no martians
 	fi
    /usr/local/bin/proxy_ping_test.bash dns || {
 	ERROR $prog no dns >> $ELOG ;
    }
    /usr/local/bin/proxy_ping_test.bash 3128 || {
 	# can be false
 	WARN $prog no 3128 >> $WLOG
    }
 	PROXY_WLAN=$( $PL proxy_get_if )
 	[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
 	    ps ax | grep -q wpa_supplicant && \
@ -155,20 +220,16 @@ x	ERROR  proxy_ping_dnsmasq_check >> $ELOG
 	            wpa_cli -i "$PROXY_WLAN" blacklist $elt
 		done
-    $PL proxy_ping_firewall_check  || \
+    fi
 	/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
 fi
 fi
-[ -s $OUT ] && grep WARN: $OUT >> $WLOG
+# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
 if [ -s $ELOG ] ; then
    errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
    if [ $? -eq 0 -a $errs -ne 0 ] ; then
 	ERROR $prog $errs $ly $prog errors in $ELOG
 	cat $ELOG
 	/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG" 
 	exit $errs
      fi
 fi
@ -177,15 +238,7 @@ fi
 [ $? -eq 0 -a $warns -ne 0 ] && \
  WARN "$warns $ly $prog warnings in $WLOG"
 [ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
 if [ $? -eq 0 -a $errs -ne 0 ] ; then
    ERROR "$errs $ly $prog errors in $ELOG"
    cat $ELOG
    exit $errs
 fi
 [ $errs -eq 0 ] && \
  ols_clean_testforge_logs $HARDEN_LOG_DIR && \
  [ $warns -eq 0 ] && \
  INFO  "$prog No $ly errors in $HARDEN_LOG_DIR"
--- a/overlay/Linux/usr/local/bin/proxy_jnettop.bash
+++ b/overlay/Linux/usr/local/bin/proxy_jnettop.bash
@ -6,7 +6,7 @@ prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
-route | grep -q ^default || exit 0
+grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || exit 0
 [ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
 	|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
--- a/overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
@ -5,9 +5,11 @@
 # so must be idempotemt - as its called by things it calls?
 prog=$( basename $0 .bash )
 [ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
 PREFIX=/usr/local
 ROLE=proxy
 [ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
 [ -z "$USER" ] && USER=$(id -un )
 [ -n "$USER" -a "$USER" = root ] && \
--- a/overlay/Linux/usr/local/bin/proxy_ping_lib.bash
+++ b/overlay/Linux/usr/local/bin/proxy_ping_lib.bash
@ -12,7 +12,11 @@ base=proxy_ping_lib
 [ -z "$USER" ] && USER=$(id -un )
 # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
 BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
-PROXY_GPG_KEYSERVER=keys.openpgp.org
+
 # shellcheck disable=SC2154
 [ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
 # shellcheck disable=SC2154
 [ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
 PROXY_IFCONFIG=/sbin/ifconfig
 [ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig
@ -36,11 +40,6 @@ proxy_ifconfig () {
    $PROXY_IFCONFIG $*
 }
    # shellcheck disable=SC2154
 [ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
    # shellcheck disable=SC2154
 [ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
    # shellcheck disable=SC2154
 [ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
    # shellcheck disable=SC2154
@ -136,90 +135,6 @@ proxy_whonix_get_gateway_dom_bad () {
    return 0
 }
 proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ;
    [ $# -eq 0 ] && set -- \
 			hkp://$PROXY_GPG_KEYSERVER \
 			hkp://gpg.mit.edu hkp://keys.gnupg.net
    # shellcheck disable=SC2154
    [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
    # shellcheck disable=SC2154
    [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
    [ -h /usr/bin/dirmngr ] || {
 	ERROR /usr/bin/dirmngr not a symlink
 	return 2
    }
    grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
 	[ -f $b ] || WARN file not found $b
    done
    /usr/bin/dirmngr --version </dev/null || {
 	ERROR /usr/bin/dirmngr not working --version
 	return 3
    }
    # grep ^OK
    DBUG /usr/bin/dirmngr working --version
    /etc/init.d/privoxy status || /etc/init.d/privoxy start
    /etc/init.d/privoxy status || {
 	WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
    }
    # /usr/local/bin/proxy_ping_test.bash 3128
    netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
 	ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
 	return 4
    }
    DBUG /etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
    route | grep -q ^default || return 0
    gpg-connect-agent --dirmngr 'loadswdb --force' /bye </dev/null >/tmp/GpgL$$.tmp 2>&1
    retval=$?
    [ $retval -ne 0 ] && \
 	ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \
 	cat /tmp/GpgL$$.tmp && \
 	return 5$retval
    ! grep -q OK /tmp/GpgL$$.tmp && \
 	ERROR gpg-connect-agent 'loadswdb --force' not OK  `cat /tmp/GpgL$$.tmp` && \
 	rm -f /tmp/GpgL$$.tmp && \
 	return 6$retval
    DBUG gpg-connect-agent OK  `cat /tmp/GpgL$$.tmp`
    rm -f /tmp/GpgL$$.tmp
    gpg-connect-agent </dev/null --dirmngr 'keyserver' /bye >/tmp/GpgG$$.tmp 2>&1
    retval=$?
    [ $retval -ne 0 ] && \
 	ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \
 	rm -f /tmp/GpgG$$.tmp && \
 	return 7$retval
    grep -q ^S /tmp/GpgG$$.tmp || { \
 	ERROR gpg-connect-agent 'keyserver' no S  `cat /tmp/GpgG$$.tmp` && \
 	rm -f /tmp/GpgG$$.tmp && \
 	return 8$retval
    }
    DBUG gpg-connect-agent 'keyserver' S  `cat /tmp/GpgG$$.tmp`
    if [ -d /root/.emacs.d/elpa/gnupg ] && \
 	   ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
 	for elt in "$@" ; do
 	    echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp
 	    gpg-connect-agent </dev/null --dirmngr --homedir /root/.emacs.d/elpa/gnupg \
 		      -r /tmp/GpgR$$.tmp >/tmp/GpgC$$.tmp 2>&1
            retval=$?
 	    [ $retval -ne 0 ] && \
 		ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \
 		rm -f /tmp/GpgC$$.tmp && \
 		return 9$retval
 	    grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \
 		ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
 		rm -f /tmp/GpgC$$.tmp && \
  		return 10
 	    INFO gpg-connect-agent $elt
 	done
 	rm -f /tmp/GpgC$$.tmp
    fi
    return  0
 }
 ## proxy_whonix_get_gateway_dom
 proxy_whonix_get_gateway_dom () {
    # shellcheck disable=SC2154
@ -262,7 +177,7 @@ proxy_ping_mode () { #
    # shellcheck disable=SC2154
    [ -n "$MODE" ] && echo "$MODE" && return 0
-	proxy_ifconfig -a > /tmp/ipconfig-a.$$
+    proxy_ifconfig -a >/tmp/ipconfig-a.$$
    if grep -q /dev/vda /proc/cmdline ; then
 	MODE=vda
    elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
@ -283,7 +198,7 @@ proxy_ping_mode () { #
 	    MODE=$mode
 	else
 	    host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
-	    [ -n "$host" ] && MODE=whonix
+	    [ -n "$host" ] && MODE=$host # whonix
 	fi
    fi
@ -851,6 +766,7 @@ proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN
 ## proxy_ping_firewall_check
 proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
    [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
    if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then
        :
    elif [ "$MODE" = nat -o "$MODE" = gateway -o "$MODE" = host ] ; then
@ -1473,10 +1389,10 @@ starbucks_pdnsd () {
    [ -z "$pdnsd" ] && return 0
    if [ "$pdnsd" = "dnscrypt" ] && \
 	   ! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
-	cp /dev/null /var/local/var/log/dnscrypt-proxy.log
+	cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log
 	$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
 	sleep $DELAY
-	[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
+	[ ! -s $PREFIX/var/log/dnscrypt-proxy.log ] || \
            ! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
        ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
    elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
--- a/overlay/Linux/usr/local/bin/proxy_ping_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_ping_test.bash
@ -11,7 +11,10 @@ PYVER=3
 . /usr/local/bin/proxy_ping_lib.bash || \
    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
 [ -f $PREFIX/etc/testforge/testforge.bash ] && \
    . /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
 PL=/usr/local/bin/proxy_libvirt_lib.bash
 declare -a tests
 which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
@ -20,22 +23,19 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
 which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
 [ -z "$prog" ] || prog=proxy_ping_test
-proxy_ping_get_socks >/dev/null
+SOCKS_PAIR=`proxy_ping_get_socks`
-[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
+[ -z "$SOCKS_HOST" ] && SOCKS_HOST=`echo $SOCKS_PAIR|sed -e 's/:.*//'`
-[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
+[ -z "$SOCKS_PORT" ] && SOCKS_PORT=`echo $SOCKS_PAIR|sed -e 's/.*://'`
 [ -z "$SOCKS_DNS" ]  && SOCKS_DNS=9053
-HTTPS_PORT=9128
+HTTPS_PORT=`echo $HTTPS_PAIR|sed -e 's/.*://'`
-HTTPS_HOST=127.0.0.1
+HTTPS_HOST=`echo $HTTPS_PAIR|sed -e 's/:.*//'`
-proxy_ping_get_https >/dev/null
+HTTPS_PAIR=`proxy_ping_get_https`
 [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
-HTTP_PORT=3128
+HTTP_PAIR=`proxy_ping_get_http`
-HTTP_PROXY_HOST=127.0.0.1
+HTTP_PORT=`echo $HTTP_PAIR|sed -e 's/.*://'`
-proxy_ping_get_http >/dev/null
+HTTP_HOST=`echo $HTTP_PAIR|sed -e 's/:.*//'`
 [ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
 [ -f $PREFIX/etc/testforge/testforge.bash ] && \
    . /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
 P="BASE_PYTHON${PYVER}_MINOR"
 PYTHON_MINOR="$(eval echo \$$P)"
 [ -n "$PYTHON_MINOR" ] || \
@ -65,14 +65,14 @@ TIMEOUT=30
 [ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
 DNS_HOST1="208.67.220.220"
-DNS_HOST2="8.8.8.8"ggggg
+DNS_HOST2="1.1.1.1"
 [ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
 [ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
 HTTP_TARGET=www.whatismypublicip.com
 # time.nist.gov 132.163.97.3
 NTP_HOST1=132.163.97.3
-# pool.ntp.org 78.46.53.2
+# pool.ntp.org 78.46.53.2 205.206.70.7
 NTP_HOST2=78.46.53.2
 #  --no-check-certificate
 WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
@ -103,6 +103,113 @@ DNS_HOST=$SOCKS_HOST
 [ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
 [ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
 PROXY_GPG_KEYSERVER=keys.openpgp.org
 declare -a GPG_KEYSERVERS=(
    hkp://$PROXY_GPG_KEYSERVER
    hkp://gpg.mit.edu
    hkp://keys.gnupg.net
 )
 ## proxy_test_dirmngr
 proxy_test_dirmngr () {
    [ $# -eq 0 ] && set -- "${GPG_KEYSERVERS[@]}"
    DBUG proxy_test_dirmngr MODE=$MODE $* ;
    # shellcheck disable=SC2154
    [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
    # shellcheck disable=SC2154
    [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
    [ -h /usr/bin/dirmngr ] || {
 	WARN /usr/bin/dirmngr not a symlink
 	#fixed? return 2
    }
    grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
 	[ -f $b ] || WARN file not found $b in /etc/dirmngr/dirmngr.conf
    done
    /usr/bin/dirmngr --version  </dev/null >/dev/null && \
 	INFO /usr/bin/dirmngr working  --version || {
 	ERROR /usr/bin/dirmngr not working --version
 	return 3
    }
    # grep ^OK
    DM=`grep ' keyserver ' /etc/dirmngr/dirmngr.conf | head -1 | sed -e 's/.* //'`
    grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || {
 	DBUG not connected
 	return 0
    }
    echo 'loadswdb --force' /bye | \
 	gpg-connect-agent --dirmngr  \
 			  >/tmp/GpgL$$.tmp 2>&1
    retval=$?
    [ $retval -ne 0 ] && \
 	WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye /tmp/GpgL$$.tmp && \
 	cat /tmp/GpgL$$.tmp && \
 	# return 5$retval
    ! grep -q OK /tmp/GpgL$$.tmp && \
 	WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye OK not found /tmp/GpgL$$.tmp && \
 	# return 6$retval
    INFO elt=gpg-connect-agent --dirmngr 'loadswdb --force' OK
    rm -f /tmp/GpgL$$.tmp
    # gpg-connect-agent --dirmngr 'help keyserver' /bye
    echo 'keyserver --resolve' /bye | \
 	gpg-connect-agent --dirmngr  \
 			  >/tmp/GpgG$$.tmp 2>&1
    retval=$?
    grep  'ERR\|failed:' /tmp/GpgG$$.tmp >> $ELOG && \
 	ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
  	return 10
    grep -q ^S /tmp/GpgG$$.tmp || { \
 	WARN gpg-connect-agent 'keyserver' no S /tmp/GpgG$$.tmp && \
 	return 8$retval
    }
    INFO elt=gpg-connect-agent 'keyserver --resolve' S 
    cat /tmp/GpgG$$.tmp
    rm -f /tmp/GpgG$$.tmp
    if [ ! -d /root/.emacs.d/elpa/gnupg ] || \
 	   ! ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
 	WARN no running /root/.emacs.d/elpa/gnupg agent
    else
 	INFO running /root/.emacs.d/elpa/gnupg agent
 	echo keyserver --resolve | \
 	    gpg-connect-agent --dirmngr \
 			      --homedir /root/.emacs.d/elpa/gnupg \
 			      >/tmp/GpgC$$.tmp 2>&1
        retval=$?
 	if grep 'ERR\|failed:' /tmp/GpgC$$.tmp >> $ELOG ; then
 	    WARN /root/.emacs.d/elpa/gnupg gpg-connect-agent `tail -1 $ELOG` && \
 	    cat /tmp/GpgC$$.tmp
 	else
 	    INFO elt=gpg-connect-agent
 	    cat /tmp/GpgC$$.tmp
 	    rm -f /tmp/GpgC$$.tmp
 	fi
    fi
    return  0
 }
 ## proxy_test_privoxy_test
 proxy_test_privoxy_test () { DBUG proxy_test_privoxy_test $* ;
    return  0
    /etc/init.d/privoxy status || /etc/init.d/privoxy start
    /etc/init.d/privoxy status && \
 	DBUG /etc/init.d/privoxy running || {
 	WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
    }
    # /usr/local/bin/proxy_ping_test.bash 3128
    netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
 	ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
 	return 4
    }
    INFO elt=/etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
    return 0
 }
 ## proxy_test_netstat_dns
 proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
    $NETS | grep -q ":53"
@ -119,7 +226,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
-    [ -z "$ALL" ] && exit $ARG$retval || return 1
+    [ -z "$ALL" ] && exit "$ARG$retval" || return 1
    # works
    GREP="-i icmp"
    return 0
@ -128,7 +235,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
 ## proxy_test_dig_direct
 proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
-    dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
+    dig @$DNS_HOST1 $NTP_HOST2 +timeout=$TIMEOUT >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
@ -140,8 +247,8 @@ proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
    return 0
 }
-## proxy_test_curl_firewall_bin
+## proxy_test_curl_firewall_asbin
-proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
+proxy_test_curl_firewall_asbin () { DBUG proxy_test_curl_firewall_asbin $* ;
    su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
@ -164,7 +271,7 @@ proxy_ping_curl () { DBUG proxy_ping_curl $* ;
 ## proxy_ping_make_help
 proxy_ping_make_help () {
    grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
-	 > /tmp/proxy_ping_test.hlp
+	 > /tmp/proxy_ping_test-$USER.hlp
    return 0
 }
@ -260,7 +367,7 @@ proxy_test_pretest_exit () {
 	    { WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
 	proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
    elif [ "$1" = nat ] ; then
-	: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
+	proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
    else
 	proxy_do_ping || exit 4$?
 	proxy_ping_test_resolv $MODE || \
@ -276,19 +383,19 @@ proxy_test_help_args () {
    declare -a elts=()
    declare -a ret=()
    local elt
-    if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
+    if [ "$1" = selektor -o "$1" = torhost ] ; then
-	elts=($1 socks http dns https tordns firefail)
+	elts=($1 socks dns http https dirmngr tordns firefail)
-    elif [ "$1" = torlibvirthost ] ; then
+    elif [ "$1" = torlibvirthost -o "$1" = whonix ] ; then
-	elts=($1 libvirthost socks http https tordns firefail)
+	elts=(libvirthost socks http https dirmngr tordns firefail)
 	elts+=($MODE)
-    elif [ "$1" = gateway ] ; then
+    elif [ "$1" = gateway -o "$1" = nat ] ; then
-	elts=($1 libvirtguest socks dns http https firefail)
+	elts=($1 libvirtguest socks dns http https dirmngr firefail)
    else
 	elts=($1)
    fi
    for elt in "${elts[@]}" ; do
 #	DBUG proxy_test_help_args $elt $1 >&2
-	ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
+	ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test-$USER.hlp | \
 		     sed -e 's/.=.*//' -e 's/.*tests.//') )
    done
    DBUG proxy_test_help_args "${ret[@]}" >&2
@ -302,66 +409,88 @@ proxy_ping_test_set_args () {
    local args="$@"
    local val="$@"
    declare -a aret=()
-    rm -f /tmp/proxy_ping_test.hlp
+    rm -f /tmp/proxy_ping_test-$USER.hlp
-    [ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
+    [ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
-## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
+    
 ## to_tor - tor with the firewall host side client setup tor server - gateway
 [ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
 	aret=(  6 13 16 ) && \
 	! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
 ## vda - through the Gateway with the firewall - also polipo,panic - uses env
 [ "$1" = vda ] &&
 	aret=(  35  3 20  ) #
 ## kick - open firewall with tor running - call dns,polipo +tor in addition
 [ "$1" = kick -o "$1" = host ] &&
 	aret=(  24 31 13 16 6  )# 30 24 31 6 13 16
 ## gateway - on the Gateway, trans firewall with tor running - call dns in addition
 [ "$1" = gateway ] &&
 	aret=(  23 25 4 5 30 24 17 3 21  ) # 31 6 16
-# aliases
+    # aliases
-# socks defines http as the target of a user using socks
+    # socks defines http as the target of a user using socks
-[ "$1" = "$SOCKS_PORT"  ] && set -- socks
+    [ "$1" = "$SOCKS_PORT"  ] && set -- socks
-# http defines http as the target of a user using http
+    # http defines http as the target of a user using http
-[ "$1" = "$HTTP_PORT"  ] && set -- http
+    [ "$1" = "$HTTP_PORT"  ] && set -- http
-# https defines http as the target of a user using https
+    # https defines http as the target of a user using https
-[ "$1" = "$HTTPS_PORT"  ] && set -- https
+    [ "$1" = "$HTTPS_PORT"  ] && set -- https
-# dns defines http as the target of a user using dns
+    # dns defines http as the target of a user using dns
-[ "$1" = "53"  ] && set -- dns
+    [ "$1" = "53"  ] && set -- dns
-# tordns defines http as the target of a user using tordns
+    # tordns defines http as the target of a user using tordns
-[ "$1" = "9053"  ] && set -- tordns
+    [ "$1" = "9053"  ] && set -- tordns
-[ "$1" = scan ] && set -- iwlist
+    # old aliases
-[ "$1" = panic ] && set -- firewall
+    [ "$1" = scan ] && set -- iwlist
-[ "$1" = to_gateway ] && set -- whonix
+    [ "$1" = panic ] && set -- firewall
-[ "$1" = from_tor ] && set -- whonix
+    [ "$1" = asbin ] && set -- firewall
 [ "$1" = from_gateway ] && set -- gateway
 [ "$1" = traceroute ] && set -- = trace
 [ "$1" = connected ] && set -- wifi
 [ "$1" = clear ] && set -- direct 
-# scenarios - modes: nat selektor
+    [ "$1" = to_gateway ] && set -- whonix
    [ "$1" = from_tor ] && set -- whonix
    [ "$1" = from_gateway ] && set -- gateway
    [ "$1" = to_tor ] && set -- gateway
    [ "$1" = workstation ] && set -- ws
    [ "$1" = traceroute ] && set -- = trace
    [ "$1" = connected ] && set -- wifi
    [ "$1" = clear ] && set -- direct 
    [ "$1" = tor ] && set -- torhost
    # scenarios - modes: nat selektor
    # wifi?
 ## nat - through the Gateway via the nat
-[ "$1" = nat ] && \
+    if [ "$1" = nat ] ; then
-    set -- ping dns socks http https tordns firefail libvirtguest
+        set -- $1 ping dns socks http https dirmngr tordns firefail libvirtguest
-# wifi?
+	[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT" 
-[ "$1" = whonix ] && \
+## vda - through the Gateway with the firewall - also polipo,panic - uses env
-    set -- ping tordns dns socks http https torhost tordns firefail gw
+## ws - through the Gateway with the firewall - it is a vda
-[ "$1" = tor -o "$1" = selektor ] && \
+	[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT" 
-    set -- ping tordns dns trace torhost nmap gw
+    elif [ "$1" = vda -o "$1" = ws ] ; then
-## torhost implies  -
+	# Fixme - guessing
-#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
+	# was aret=(  35  3 20  )
-[ "$1" = direct -o "$1" = '' ] && \
+        set -- ping dns socks http https dirmngr tordns firefail libvirtguest
 ## gateway - ssh to the whonix gateway from the torhost
    elif [ "$1" = gateway ] ; then
 	## gateway - on the Gateway, trans firewall with tor running -
 	#? looks like it had direct in gateway;
 	#? aret=(  23 25 4 5 30 24 17 3 21  ) # 31 6 16
        set -- ping dns socks http https dirmngr tordns firefail libvirtguest
 	[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT" 
 ## whonix - whonix torhost with libvirt container running gateway behind firewa
    elif [ "$1" = whonix ] ; then
        set -- ping libvirtguest tordns dns socks http https dirmngr torhost tordns firefail gw
 	[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT" 
 ## torhost - running tor with the firewall
    [ "$1" = torhost -o "$1" = selektor ] && \
        set -- ping torhost tordns dns trace nmap gw
 	[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT" 
    #? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
 ## direct - assume no firewall and no proxy - but may work depend on env
    elif [ "$1" = direct -o "$1" = '' ] ; then
    	set -- ping dns trace nmap gw 
-## all - all tests not stopping on the first error
+    ## all - all tests not stopping on the first error
-[ "$1" = all ] && ALL=1 
+    elif [ "$1" = all ] ; then
-# aret="${#tests[@]}"
+        ALL=1 
 	# aret="${#tests[@]}"
    fi
 ## gw - test if we are connected to the gateway
 ## env - from the cmdline with a properly setup env
 ## firefail - test the proxy without env vars to expect failure
 ## torhost - running tor with the firewall
 ## http - assumes torhost or whonix and env setup
 ## https - assumes torhost or whonix and env setup
 ## socks - assumes torhost or whonix and env setup
@ -373,23 +502,21 @@ proxy_ping_test_set_args () {
 ## iwlist - wlan scan of a wifi host
 ## firewall - test that the firewall blocks
 ## virbr1 - looks for virbr1 on a libvirt host  torhost or whonix
 ## gateway - ssh to the whonix gateway from the torhost
 ## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
 ## wifi - test if we are connected - call scan in addition
 ## libvirthost - hosting a libvirt container
 ## libvirtguest - in a libvirt container
 ## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
 ## direct - assume no firewall and no proxy - but may work depend on env
    for elt in "$@" ; do
-	if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
+	if [ "$elt" = gw -o "$elt" = env -o \
       "$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
-       "$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
+       "$elt" = torhost -o "$elt" = 'nat' -o "$elt" = whonix -o  "$elt" = selektor -o  \
       "$elt" = tordns -o \
       "$elt" = libvirthost -o "$elt" =  torlibvirthost -o \
       "$elt" = libvirtguest -o "$elt" = virbr1 -o \
       "$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
       "$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
-       "$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
+       "$elt" = trace -o "$elt" = wifi -o "$elt" = 'dirmngr' -o "$elt" = 'test' \
    ] ; then
 	    aret+=(  `proxy_test_help_args $elt` )
 	else
@ -407,21 +534,23 @@ if [ "$#" = 0 ] ; then
    # default to mode
    set --  $MODE
  fi
-if [ $1 = '-h' -o $1 = '--help' ] ; then
+if [ "$1" = '-h' -o $1 = '--help' ] ; then
    echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
    grep '^## [a-oq-z]' $0 | sed -e 's/^## /  /'
    exit 0
  elif [ "$1" = 0 ] ; then
    INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
-    echo 0 help /tmp/proxy_ping_test.hlp
+    echo 0 help /tmp/proxy_ping_test-$USER.hlp
-    [ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
+    [ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
-    . /tmp/proxy_ping_test.hlp
+    . /tmp/proxy_ping_test-$USER.hlp
    for elt in "${!tests[@]}" ; do
 	echo $elt "${tests[$elt]}"
    done
    exit 0
  elif [[ $1 =~ ^[0-9] ]] ; then
    : passthrough
  elif [ $1 = 'test' -o $1 = '--test' ] ; then
    set -- 99
  else
      set -- `proxy_ping_test_set_args "$@"`
      DBUG running tests numbered "$@"
@ -459,7 +588,7 @@ while [ "$#" -gt 0 ] ; do
 	tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
 	[ -n "$https_proxy" ]  && LARGS="" || \
 		LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
-	$LARGS $WGET https://$HTTP_TARGET
+	$LARGS $WGET https://$HTTP_TARGET 2>/dev/null
 	retval=$?
 	if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO  $prog test=$ARG "${tests[$ARG]}"
@ -547,9 +676,9 @@ while [ "$#" -gt 0 ] ; do
 	GREP="$SOCKS_DNS"
    elif [ $ARG -eq  6 ] ; then
 	tests[6]="curl_https_as_user - https "
 	proxy=`proxy_ping_get_https`
        desc="curl --proxy http://${proxy}"
 	tests[6]="curl_https_as_user - https "
 	proxy_ping_curl --proxy http://${proxy} \
 	    --proxy-insecure https://$HTTP_TARGET || { \
 	    retval=$?
@ -630,7 +759,6 @@ while [ "$#" -gt 0 ] ; do
 	tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
 	[ $USER = root ] || continue
 	which nmap 2>/dev/null >/dev/null || continue
 	[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
        nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
 	     retval=$?
 	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
@ -641,9 +769,9 @@ while [ "$#" -gt 0 ] ; do
 	GREP="53"
    elif [ $ARG -eq  13 ] ; then
-	tests[13]="curl_firewall_bin - wifi "
+	tests[13]="curl_firewall_bin - firewall "
 	[ $USER = root ] || continue
-	proxy_test_curl_firewall_bin || continue
+	proxy_test_curl_firewall_asbin || continue
        INFO  $prog test=$ARG "${tests[$ARG]}" curl bin
 	# works
 	GREP="443"
@ -664,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
        INFO  $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
    elif [ $ARG -eq  16 ] ; then
-	tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
+	tests[16]="nslookup_as_root nslookup ${DNS_HOST1} $PRIV_BIN_OWNER - firewall "
 	[ $USER = root ] || continue
 	[ $HAVE_NSLOOKUP = 1 ] || continue	  
        su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
@ -705,7 +833,8 @@ while [ "$#" -gt 0 ] ; do
 	GREP="123"
    elif [ $ARG -eq  19 ] ; then
 	tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
-	proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
+	timeout -k $TIMEOUT $TIMEOUT env - $CURL  \
 		--noproxy "'*.*'" --connect-timeout $TIMEOUT \
 			http://$HTTP_TARGET >/dev/null && {
 	    retval=$?
 	    ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
@ -782,7 +911,7 @@ while [ "$#" -gt 0 ] ; do
 	[ $HAVE_NSLOOKUP = 1 ] || continue	  
 	# noenv with or without proxy
 	# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
-	$NSL >/dev/null $DNS_TARGET || { \
+	$NSL >/dev/null $DNS_TARGET  ${DNS_HOST} || { \
 	     retval=$?
 	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
@ -832,7 +961,7 @@ while [ "$#" -gt 0 ] ; do
    elif [ $ARG -eq 30 ] ; then
 	tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
-	[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
+	[ $MODE = tor -o $MODE = whonix -o $MODE = gateway -o $MODE = selektor ] || {
 	    # are there other roles that run tor?
 	    WARN $prog MODE != tor test=$ARG
 	}
@ -856,9 +985,10 @@ while [ "$#" -gt 0 ] ; do
    elif [ $ARG -eq 31 ] ; then
 	tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
- 	proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
+	timeout -k $TIMEOUT $TIMEOUT  env - $CURL \
 		--noproxy '*' http://${HTTP_TARGET} && { \
 	     retval=$?
-	    ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
+	    ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval $HTTP_TARGET
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
 	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
@ -908,9 +1038,9 @@ while [ "$#" -gt 0 ] ; do
 	[ $USER = root ] || continue
 	[ $HAVE_DIG = 1 ] || continue
 	# @$DNS_HOST1
-        su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
+        su -c "dig $NTP_HOST2 +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
 	     retval=$?
-	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
+	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig $NTP_HOST2 $PRIV_BIN_OWNER
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
 	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
@ -918,12 +1048,12 @@ while [ "$#" -gt 0 ] ; do
 	GREP="53"
    elif [ $ARG -eq  36 ] ; then
-	tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
+	tests[36]="tor_resolve_as_user tor-resolve $NTP_HOST2 - tordns "
 	[ $HAVE_TOR_RESOLVE = 1 ] || continue
-        tor-resolve  pool.ntp.org >/dev/null || { \
+        tor-resolve  $NTP_HOST2 >/dev/null || { \
 	    retval=$?
 	    # dunno Failed parsing SOCKS5 response conf?
-	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
+	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve $NTP_HOST2
 	    continue
 	}
        INFO  $prog test=$ARG "${tests[$ARG]}" 
@ -931,7 +1061,7 @@ while [ "$#" -gt 0 ] ; do
 	GREP="9053"
    elif [ $ARG -eq  37 ] ; then
-	tests[37]="qemu-guest-agent and ports - libvirtguest "
+	tests[37]="qemu_guest_agent_ports - libvirtguest "
 	ser=qemu-guest-agent
 	proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
 	proxy_rc_service $ser status >/dev/null ||  { \
@ -946,8 +1076,9 @@ while [ "$#" -gt 0 ] ; do
 	}
        INFO  $prog test=$ARG "${tests[$ARG]}" 
 	GREP=""
    elif [ $ARG -eq  38 ] ; then
-	tests[38]="qemu-guest-agent and ports - libvirthost "
+	tests[38]="check_libvirt_running - libvirthost "
 	[ $USER = root ] || continue
 	$PL proxy_libvirt_list
 	aret=$?
@ -957,12 +1088,42 @@ while [ "$#" -gt 0 ] ; do
            DBUG proxy_libvirt_status aret=$aret
 	else
 	    # was $GATEW_DOM but now can be gentoo_vm-2 etc
-            $PL proxy_libvirt_list 2>&1 | grep -q "running" || {
+            $PL proxy_libvirt_list 2>&1| grep -q "running" || {
-		WARN MODE=$MODE and nothing libvirt running ;
+		WARN MODE=$MODE and nothing libvirt running
 		continue
 	    }
            INFO  $prog test=$ARG "${tests[$ARG]}" 
 	fi
    elif [ $ARG -eq  39 ] ; then
 	tests[39]="proxy_test_dirmngr - dirmngr "
 	[ $USER = root ] || continue
 	proxy_test_dirmngr
    elif [ $ARG -eq  99 ] ; then
 	tests[99]="test_all_modes unfinished not sure"
 	[ $USER = root ] || continue
 	for elt in vda selektor ws gateway nat tor whonix; do
 	    INFO testing $elt
 	    if [ "$MODE" = vda ] ; then
 	        : vda
 	    elif [ "$MODE" = selektor ] ; then
 	        : selektor
 	    elif [ "$MODE" = ws ] ; then
 	        : ws
 	    elif [ "$MODE" = gateway ] ; then
 	        : gateway
 	    elif [ "$MODE" = nat ] ; then
 	        : nat
 	    elif [ "$MODE" = tor ] ; then
 	        : tor
 	    elif [ "$MODE" = whonix ] ; then
 	        : whonix
 	    else
 	        WARN unrecognized mode MODE=$elt
 	    fi
 	done
    elif false ; then
 	if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
 	    $NETS | grep -q :53 || {
@ -977,21 +1138,3 @@ while [ "$#" -gt 0 ] ; do
  done
 exit 0
 1)
        env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
 2)
        curl $D -k --proxy
 3)
        curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
 6)
        curl -k --proxy $HTTP_PORT
 16)
        nslookup $PRIV_BIN_OWNER
 18)
        ntpdate as sroot
 19)
        curl raw noproxy
 0)
        usage
--- a/overlay/Linux/usr/local/bin/proxy_test_ssl.bash
+++ b/overlay/Linux/usr/local/bin/proxy_test_ssl.bash
@ -161,8 +161,8 @@ else
 fi
 CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
-if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
+if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
-    analyze=/var/local/bin/analyze-ssl.pl.bash
+    analyze=$PREFIX/bin/analyze-ssl.pl.bash
    ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
 else
    analyze=""
--- a/overlay/Linux/usr/local/bin/scurl.bash
+++ b/overlay/Linux/usr/local/bin/scurl.bash
@ -15,7 +15,7 @@ SSL_VER=3
 . /usr/local/bin/proxy_ping_lib.bash
 [ -f /usr/local/bin/proxy_curl_lib.bash ] && \
   . /usr/local/bin/proxy_curl_lib.bash
-if ! route | grep -q ^def ; then
+if ! grep -q "^wlan[1-9][ 	]00000000" /proc/net/route ; then
    WARN $prog we are not connected >&2
    exit -1
 fi
@ -51,8 +51,8 @@ LARGS+=( --proto-redir https --proto-default https --proto =https )
 [ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
 SSL_LIB=openssl # nss
-if [ -x /var/local/bin/curl.bash ] ; then
+if [ -x $PREFIX/bin/curl.bash ] ; then
-    EXE=/var/local/bin/curl.bash
+    EXE=$PREFIX/bin/curl.bash
 elif which scurl ; then
    EXE=`which scurl`
 else
--- a/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
@ -3,25 +3,21 @@
 set -o pipefail || exit 1
 # was in /usr/lib/whonix-libvirt/install
 # unlike that one, this should be idempotent
 # [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=base
 . /usr/local/bin/usr_local_tput.bash
 . /usr/local/sbin/proxy-libvirt-install.bash
 # was in /usr/lib/whonix-libvirt/install
 # unlike that one, this should be idempotent
 # [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
 GATEW=1
 # for testforge use we only need the Gateway
 WORKS=
 [ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
 . /usr/local/bin/proxy_ping_lib.bash || \
    { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
 . /usr/local/bin/usr_local_base.bash || exit 2
 MODE=`proxy_ping_mode`
 [ $MODE = whonix ] || exit 0
 #? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
@ -29,9 +25,6 @@ MODE=`proxy_ping_mode`
 [ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
 /usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
 [ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
 chmod 1777 /usr/local/var/log
 [ -f /etc/firewall.conf.whonix ] || \
  cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
@ -49,36 +42,14 @@ EOF
 [ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
 /etc/libvirt/hooks/network || exit 16
 ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 set -e
 ## {{ Taken from qemu-system-common.postinst.
 # Add the kvm group unless it's already there
 if ! getent group kvm >/dev/null; then
   addgroup --quiet --system kvm || true
 fi
 ## }} Taken from qemu-system-common.postinst.
 ## {{ Taken from libvirt-bin.postinst.
 if ! getent group libvirt >/dev/null; then
   addgroup --system libvirt
 fi
 ## }} Taken from libvirt-bin.postinst.
 ## Existence of user "user" is not guaranteed at this point.
 if grep -q ^user /etc/passwd ; then
    grep -q ^kvm /etc/group || addgroup user kvm
    grep -q ^libvirt /etc/group || addgroup user libvirt
 fi
 ## Create shared directory and adjust permissions
 [ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
 [ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
 chmod 1777 /mnt/gateway-shared
 [ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
 ## networks
 proxy_virsh net-list --all | grep -q default || \
  virsh -c qemu:///system net-autostart "default" || exit 1$?
@ -97,7 +68,6 @@ proxy_virsh net-list | grep -q Whonix-External || \
 proxy_virsh net-list | grep -q Whonix-Internal || \
  virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
 lsmod | grep -q kvm||modprobe kvm || exit 7
 temp_dir=/usr/local/etc/libvirt/qemu
 if virsh capabilities | grep -q "<domain type='kvm'" ; then
--- a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash
@ -111,7 +111,7 @@ proxy_vda_start () {
 	ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
 	#? inet $IP  netmask 255.0.0.0  broadcast 10.255.255.255
    fi
-    ip route | grep -q ^default || \
+    ip grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || \
 	route add default gw $PROXY_WLAN_GW
    # dnsmasq
--- a/overlay/Linux/usr/local/src/curl.bash
+++ b/overlay/Linux/usr/local/src/curl.bash
@ -0,0 +1,72 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
 ROLE=proxy
 PREFIX=/usr/local
 . /usr/local/bin/usr_local_tput.bash || exit 2
 ip route | grep -q ^def || {
    WARN we are not connected >&2
    exit 1
 }
 [ -f $HOME/.curlrc ] || touch $HOME/.curlrc
 declare -a CURL_OPTS
 # --silent  --show-error
 CURL_OPTS=( --fail-early --fail )
 [[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
  [[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] ||  CURL_OPTS+=( --http0.9 )
 [[ ! "$*" =~ --retry ]] &&  CURL_OPTS+=( --retry 3 )
 [[ ! "$*" =~ -4 ]] &&  CURL_OPTS+=( -4 )
 # [[ ! "$*" =~ --http2 ]] &&  CURL_OPTS+=(  --http2 )
 [[ ! "$*" =~  --max-redirs ]] &&  CURL_OPTS+=( --max-redirs 10 )
 [[ ! "$*" =~ --location ]] &&  CURL_OPTS+=( --location )
 [[ ! "$*" =~ --remote-time ]] &&  CURL_OPTS+=( --remote-time )
 [[ ! "$*" =~ --create-dirs ]] &&  CURL_OPTS+=( --create-dirs )
 if [[ "$socks_proxy" =~ socks5://.* ]] ; then
    export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
 fi
 if [[ ! "$*" =~  --proxy ]] && [ -n "$socks_proxy" ] ; then
    CURL_OPTS+=( --proxy $socks_proxy )
    [ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
    [ -n "$http_proxy" ]  && export http_proxy=  && unset http_proxy
  elif [ -n "$https_proxy" ] ; then
    CURL_OPTS+=( --proxy $https_proxy )
    [ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
  elif [ -n "$http_proxy" ] ; then
    CURL_OPTS+=( --proxy $http_proxy )
 fi
 export CURL_OPTS+=( -L )
 if [ -d  $HOME/.local/ ] ; then
    [ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
    [[ ! "$*" =~ --cookie-jar ]] && \
        CURL_OPTS+=(  --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
 fi
 if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
    export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
    # #define CURLALTSVC_H2           (1<<4)
    export CURLOPT_ALTSVC_CTRL=16
 fi
 [[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
    export CURL_OPTS+=( --config $HOME/.curlrc )
 [[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
  export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
 if [[ ! "$*" =~ --capath ]] && \
       [[ ! "$*" =~ --cacert  ]] && \
       [ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
    # --capath /usr/local/etc/:/etc/ssl/certs
  export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
  export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
 fi
 export CURL_OPTS
 DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
 exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"
--- a/overlay/Linux/usr/local/src/dirmngr.bash
+++ b/overlay/Linux/usr/local/src/dirmngr.bash
@ -0,0 +1,63 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/usr_local_base.bash || exit 2
 if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
    exec /usr/bin/dirmngr.bin --version
    return 0
 fi
 # echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
 PROXY_GPG_KEYSERVER=keys.openpgp.org
 [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
 [ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
 # ONLY disabling  on  the command line or
 [ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
  [ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
  echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
 PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
 if [ -n "$PROXY_WLAN" ] ; then
    wlan7=$PROXY_WLAN
    [ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
 	[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
 	echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
 fi
 grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || { ERROR no route ; exit 1; }
 [ ! -x /usr/bin/netstat ] || \
  netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
 [ -z "$USER" ] && USER=$(id -un )
 if [ $USER = root ] ; then
    [ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
 	mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
    [ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
 	ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
 fi
 [ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
 [ -f /etc/dirmngr/dirmngr.conf ] || exit 3
 # This is not enough: --disable-ipv6
 # --keyserver hkps://keys.gentoo.org is required
 # --http-proxy http://127.0.0.1:3128
 # --keyserver $PROXY_GPG_KEYERVER_URL
 # --no-use-tor is REQUIRED if you are running tor
 # EVEN IF YOU DOT USE use-tor - silent dns failure
 exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
 	--options /etc/dirmngr/dirmngr.conf \
       --nameserver 127.0.0.1 \
       --disable-ipv6 \
       --disable-ldap \
 	--no-use-tor \
 	--log-file /var/log/dirmngr.log --debug-level 4 \
 	"$@"
--- a/overlay/Linux/usr/local/src/gentoo_lis_to_urls.bash
+++ b/overlay/Linux/usr/local/src/gentoo_lis_to_urls.bash
@ -0,0 +1,17 @@
 #!/bin/sh
 # filter
 ROLE=proxy
 CACHE=/mnt/i/net/Http
 grep --text ^http:// | \
  sed -e 's@ftp://[^ ]*@@g' | \
  while read line ; do
    for url in $line ; do 
        base=`basename "$url"`
 	[ -e /usr/portage/distfiles/$base ] && break
        pre=`sed -e "s@http://@${CACHE}@" <<< $url`
        [ -e $pre ] && break
        echo $line
        break
      done
  done
 exit 0
--- a/overlay/Linux/usr/local/src/gentoo_swget_urls.sh
+++ b/overlay/Linux/usr/local/src/gentoo_swget_urls.sh
@ -0,0 +1,29 @@
 #!/bin/sh
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 ROLE=proxy
 # filter - arguments are to wget - quoted?
 if [ "$#" -eq 0 ] ; then
    WARGS="-xc -P /i/net/Http --tries=1 --no-hsts"
    export CURL_OPTS="-C - --retry 3 --remote-name --create-dirs"
  else
    WARGS="$@"
    export CURL_OPTS="$@"
  fi
 grep ^http | \
    sed -e 's@ftp://[^ ]*@@' \
 	-e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' \
 	-e 's/http:/https:/' \
 	-e 's@distfiles.gentoo.org/@mirror.leaseweb.com/gentoo/@g' | \
    while read urls ; do
        url=`echo $urls|sed -e 's@ .*@@'`
        base=`basename "$url"`
 	[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
 	for url in $urls ; do
            # wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
 	    scurl.bash  --directory-prefix /i/net/Http  --force-directories \
 			-- $CURL_OPTS $url || continue
            break
 	  done
      done
--- a/overlay/Linux/usr/local/src/gitproxy.bash
+++ b/overlay/Linux/usr/local/src/gitproxy.bash
@ -0,0 +1,10 @@
 # -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 # BEGIN ANSIBLE MANAGED BLOCK proxy
 exec corkscrew   $1 $2
 # $1 %h $2 %p
 #? exec connect -4 -S : $(tor-resolve $1 :) $2
 # END ANSIBLE MANAGED BLOCK proxy
--- a/overlay/Linux/usr/local/src/proxy_ansible.bash
+++ b/overlay/Linux/usr/local/src/proxy_ansible.bash
@ -0,0 +1,12 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 . /usr/local/etc/testforge/testforge.bash
 PREFIX=$PROXY_VAR_LOCAL
 [ "$#" -eq 0 ] && set --  proxy
 exec bash $PREFIX/bin/testforge_ansible.bash "$@"
 ROLE=proxy
--- a/overlay/Linux/usr/local/src/proxy_curl_lib.bash
+++ b/overlay/Linux/usr/local/src/proxy_curl_lib.bash
@ -0,0 +1,401 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 ROLE=proxy
 . /usr/local/bin/usr_local_tput.bash || exit 2
 ## proxy_ami_cloudflared
 proxy_ami_cloudflared() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    for no in "${CLOUDFN[@]}" ; do
 	nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
 	[[ $ip =~ ${nopat}.* ]] && {
 	    # WARN $url cloudflared $ip $no
 	    echo True
 	    return 0
 	    }
    done
    echo False
    return 0
 }
 ## proxy_ami_cloudflared_py
 proxy_ami_cloudflared_py() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    a=`proxy_ami_cloudflared $ip`
    if [ $? -eq 0 -a "$a" = True ] ; then
 	echo $a
 	return 0
    fi
    # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
    # a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
    # https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
    for no in "${CLOUDFN[@]}" ; do
 	a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
 	if [ $? -eq 0 -a "$a" = True ] ; then
 	    echo $a
 	    return 0
 	fi
    done
    echo False
    return 0
 }
 ## proxy_ami_nottlsv3
 proxy_ami_nottlsv3() {
    [ $# -gt 0 ] || return 1
    local site=$1
    for no in "${NOTLSV3[@]}" ; do
 	[[ $site =~ $no ]] && echo True && return 0
    done
    echo False
    return 0
 }
 declare -a NOTLSV3
 NOTLSV3=(
    # connection refused
    www.mirrorservice.org
    # no ipv3
    files.pythonhosted.org
    # forbidden
    download.nvidia.com
    # 500
    www.x.org
 )
 #     https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
 declare -a CLOUDFN
 CLOUDFN=(
    173.245.48.0/20
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    104.16.0.0/13
    104.24.0.0/14
    108.162.192.0/18
    131.0.72.0/22
    141.101.64.0/18
    162.158.0.0/15
    172.64.0.0/13
    188.114.96.0/20
    190.93.240.0/20
    197.234.240.0/22
    198.41.128.0/17
 )
 #for no in "${CLOUDFN[@]}" ; do
 #  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
 #  a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
 #done
 # /usr/include/openssl/x509_vfy.h
 declare -A OPENSSL_X509_V
 OPENSSL_X509_V=(
 	[0]=OK
 	[1]=ERR_UNSPECIFIED
 	[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
 	[3]=ERR_UNABLE_TO_GET_CRL
 	[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
 	[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
 	[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
 	[7]=ERR_CERT_SIGNATURE_FAILURE
 	[8]=ERR_CRL_SIGNATURE_FAILURE
 	[9]=ERR_CERT_NOT_YET_VALID
 	[10]=ERR_CERT_HAS_EXPIRED
 	[11]=ERR_CRL_NOT_YET_VALID
 	[12]=ERR_CRL_HAS_EXPIRED
 	[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
 	[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
 	[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
 	[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
 	[17]=ERR_OUT_OF_MEM
 	[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
 	[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
 	[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
 	[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
 	[22]=ERR_CERT_CHAIN_TOO_LONG
 	[23]=ERR_CERT_REVOKED
 	[24]=ERR_INVALID_CA
 	[25]=ERR_PATH_LENGTH_EXCEEDED
 	[26]=ERR_INVALID_PURPOSE
 	[27]=ERR_CERT_UNTRUSTED
 	[28]=ERR_CERT_REJECTED
 	# These are 'informational' when looking for issuer cert
 	[29]=ERR_SUBJECT_ISSUER_MISMATCH
 	[30]=ERR_AKID_SKID_MISMATCH
 	[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
 	[32]=ERR_KEYUSAGE_NO_CERTSIGN
 	[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
 	[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
 	[35]=ERR_KEYUSAGE_NO_CRL_SIGN
 	[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
 	[37]=ERR_INVALID_NON_CA
 	[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
 	[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
 	[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
 	[41]=ERR_INVALID_EXTENSION
 	[42]=ERR_INVALID_POLICY_EXTENSION
 	[43]=ERR_NO_EXPLICIT_POLICY
 	[44]=ERR_DIFFERENT_CRL_SCOPE
 	[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
 	[46]=ERR_UNNESTED_RESOURCE
 	[47]=ERR_PERMITTED_VIOLATION
 	[48]=ERR_EXCLUDED_VIOLATION
 	[49]=ERR_SUBTREE_MINMAX
 	# The application is not happy
 	[50]=ERR_APPLICATION_VERIFICATION
 	[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
 	[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
 	[53]=ERR_UNSUPPORTED_NAME_SYNTAX
 	[54]=ERR_CRL_PATH_VALIDATION_ERROR
 	# Another issuer check debug option
 	[55]=ERR_PATH_LOOP
 	# Suite B mode algorithm violation
 	[56]=ERR_SUITE_B_INVALID_VERSION
 	[57]=ERR_SUITE_B_INVALID_ALGORITHM
 	[58]=ERR_SUITE_B_INVALID_CURVE
 	[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
 	[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
 	[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
 	# Host, email and IP check errors
 	[62]=ERR_HOSTNAME_MISMATCH
 	[63]=ERR_EMAIL_MISMATCH
 	[64]=ERR_IP_ADDRESS_MISMATCH
 	# DANE TLSA errors
 	[65]=ERR_DANE_NO_MATCH
 	# security level errors
 	[66]=ERR_EE_KEY_TOO_SMALL
 	[67]=ERR_CA_KEY_TOO_SMALL
 	[68]=ERR_CA_MD_TOO_WEAK
 	# Caller error
 	[69]=ERR_INVALID_CALL
 	# Issuer lookup error
 	[70]=ERR_STORE_LOOKUP
 	# Certificate transparency
 	[71]=ERR_NO_VALID_SCTS
 	[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
 	# OCSP status errors
 	[73]=ERR_OCSP_VERIFY_NEEDED  	# Need OCSP verification
 	[74]=ERR_OCSP_VERIFY_FAILED  	# Couldn't verify cert through OCSP
 	[75]=ERR_OCSP_CERT_UNKNOWN  	# Certificate wasn't recognized by the OCSP responder
 	[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
 	[77]=ERR_NO_ISSUER_PUBLIC_KEY
 	[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
 	[79]=ERR_EC_KEY_EXPLICIT_PARAMS
 	)
 # man 3 libcurl-errors
 declare -A CURLE
 CURLE=(
 	[0]=CURLE_OK
 	[1]=CURLE_UNSUPPORTED_PROTOCOL
 	[2]=CURLE_FAILED_INIT
 	[3]=CURLE_URL_MALFORMAT
 	[4]=CURLE_NOT_BUILT_IN
 	[5]=CURLE_COULDNT_RESOLVE_PROXY
 	[6]=CURLE_COULDNT_RESOLVE_HOST
 	[7]=CURLE_COULDNT_CONNECT
 	[8]=CURLE_WEIRD_SERVER_REPLY
 	[9]=CURLE_REMOTE_ACCESS_DENIED
 	[10]=CURLE_FTP_ACCEPT_FAILED
 	[11]=CURLE_FTP_WEIRD_PASS_REPLY
 	[12]=CURLE_FTP_ACCEPT_TIMEOUT
 	[13]=CURLE_FTP_WEIRD_PASV_REPLY
 	[14]=CURLE_FTP_WEIRD_227_FORMAT
 	[15]=CURLE_FTP_CANT_GET_HOST
 	[16]=CURLE_HTTP2
 	[17]=CURLE_FTP_COULDNT_SET_TYPE
 	[18]=CURLE_PARTIAL_FILE
 	[19]=CURLE_FTP_COULDNT_RETR_FILE
 	[21]=CURLE_QUOTE_ERROR
 	[22]=CURLE_HTTP_RETURNED_ERROR
 	[23]=CURLE_WRITE_ERROR
 	[25]=CURLE_UPLOAD_FAILED
 	[26]=CURLE_READ_ERROR
 	[27]=CURLE_OUT_OF_MEMORY
 	[28]=CURLE_OPERATION_TIMEDOUT
 	[30]=CURLE_FTP_PORT_FAILED
 	[31]=CURLE_FTP_COULDNT_USE_REST
 	[33]=CURLE_RANGE_ERROR
 	[34]=CURLE_HTTP_POST_ERROR
 	[35]=CURLE_SSL_CONNECT_ERROR
 	[36]=CURLE_BAD_DOWNLOAD_RESUME
 	[37]=CURLE_FILE_COULDNT_READ_FILE
 	[38]=CURLE_LDAP_CANNOT_BIND
 	[39]=CURLE_LDAP_SEARCH_FAILED
 	[41]=CURLE_FUNCTION_NOT_FOUND
 	[42]=CURLE_ABORTED_BY_CALLBACK
 	[43]=CURLE_BAD_FUNCTION_ARGUMENT
 	[45]=CURLE_INTERFACE_FAILED
 	[47]=CURLE_TOO_MANY_REDIRECTS
 	[48]=CURLE_UNKNOWN_OPTION
 	[49]=CURLE_SETOPT_OPTION_SYNTAX
 	[52]=CURLE_GOT_NOTHING
 	[53]=CURLE_SSL_ENGINE_NOTFOUND
 	[54]=CURLE_SSL_ENGINE_SETFAILED
 	[55]=CURLE_SEND_ERROR
 	[56]=CURLE_RECV_ERROR
 	[58]=CURLE_SSL_CERTPROBLEM
 	[59]=CURLE_SSL_CIPHER
 	[60]=CURLE_PEER_FAILED_VERIFICATION
 	[61]=CURLE_BAD_CONTENT_ENCODING
 	[62]=CURLE_LDAP_INVALID_URL
 	[63]=CURLE_FILESIZE_EXCEEDED
 	[64]=CURLE_USE_SSL_FAILED
 	[65]=CURLE_SEND_FAIL_REWIND
 	[66]=CURLE_SSL_ENGINE_INITFAILED
 	[67]=CURLE_LOGIN_DENIED
 	[68]=CURLE_TFTP_NOTFOUND
 	[69]=CURLE_TFTP_PERM
 	[70]=CURLE_REMOTE_DISK_FULL
 	[71]=CURLE_TFTP_ILLEGAL
 	[72]=CURLE_TFTP_UNKNOWNID
 	[73]=CURLE_REMOTE_FILE_EXISTS
 	[74]=CURLE_TFTP_NOSUCHUSER
 	[75]=CURLE_CONV_FAILED
 	[76]=CURLE_CONV_REQD
 	[77]=CURLE_SSL_CACERT_BADFILE
 	[78]=CURLE_REMOTE_FILE_NOT_FOUND
 	[79]=CURLE_SSH
 	[80]=CURLE_SSL_SHUTDOWN_FAILED
 	[81]=CURLE_AGAIN
 	[82]=CURLE_SSL_CRL_BADFILE
 	[83]=CURLE_SSL_ISSUER_ERROR
 	[84]=CURLE_FTP_PRET_FAILED
 	[85]=CURLE_RTSP_CSEQ_ERROR
 	[86]=CURLE_RTSP_SESSION_ERROR
 	[87]=CURLE_FTP_BAD_FILE_LIST
 	[88]=CURLE_CHUNK_FAILED
 	[89]=CURLE_NO_CONNECTION_AVAILABLE
 	[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
 	[91]=CURLE_SSL_INVALIDCERTSTATUS
 	[92]=CURLE_HTTP2_STREAM
 	[93]=CURLE_RECURSIVE_API_CALL
 	[94]=CURLE_AUTH_ERROR
 	[95]=CURLE_HTTP3
 	[96]=CURLE_QUIC_CONNECT_ERROR
 	[98]=CURLE_SSL_CLIENTCERT
 	[99]=CURLE_UNRECOVERABLE_POLL
 )
 #    20 HTTP response status codes
 declare -A HTTP_RESPONSE
 HTTP_RESPONSE=(
 	[100]="Continue"
 	[101]="Switching Protocols"
 	[103]="Early Hints"
 	[200]="OK"
 	[201]="Created"
 	[202]="Accepted"
 	[203]="Non-Authoritative Information"
 	[204]="No Content"
 	[205]="Reset Content"
 	[206]="Partial Content"
 	[300]="Multiple Choices"
 	[301]="Moved Permanently"
 	[302]="Found"
 	[303]="See Other"
 	[304]="Not Modified"
 	[307]="Temporary Redirect"
 	[308]="Permanent Redirect"
 	[400]="Bad Request"
 	[401]="Unauthorized"
 	[402]="Payment Required"
 	[403]="Forbidden"
 	[404]="Not Found"
 	[405]="Method Not Allowed"
 	[406]="Not Acceptable"
 	[407]="Proxy Authentication Required"
 	[408]="Request Timeout"
 	[409]="Conflict"
 	[410]="Gone"
 	[411]="Length Required"
 	[412]="Precondition Failed"
 	[413]="Payload Too Large"
 	[414]="URI Too Long"
 	[415]="Unsupported Media Type"
 	[416]="Range Not Satisfiable"
 	[417]="Expectation Failed"
 	[418]="Im a teapot"
 	[422]="Unprocessable Entity"
 	[425]="Too Early"
 	[426]="Upgrade Required"
 	[428]="Precondition Required"
 	[429]="Too Many Requests"
 	[431]="Request Header Fields Too Large"
 	[451]="Unavailable For Legal Reasons"
 	[500]="Internal Server Error"
 	[501]="Not Implemented"
 	[502]="Bad Gateway"
 	[503]="Service Unavailable"
 	[504]="Gateway Timeout"
 	[505]="HTTP Version Not Supported"
 	[506]="Variant Also Negotiates"
 	[507]="Insufficient Storage"
 	[508]="Loop Detected"
 	[510]="Not Extended"
 	[511]="Network Authentication Required"
 )
 # https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
 declare -a SSL_ALERT_CODES
 # B.2.  Alert Messages
 SSL_ALERT_CODES=(
 	[0]="close_notify"
 	[10]="unexpected_message"
 	[20]="bad_record_mac"
 	[21]="decryption_failed_RESERVED"
 	[22]="record_overflow"
 	[30]="decompression_failure_RESERVED"
 	[40]="handshake_failure"
 	[41]="no_certificate_RESERVED"
 	[42]="bad_certificate"
 	[43]="unsupported_certificate"
 	[44]="certificate_revoked"
 	[45]="certificate_expired"
 	[46]="certificate_unknown"
 	[47]="illegal_parameter"
 	[48]="unknown_ca"
 	[49]="access_denied"
 	[50]="decode_error"
 	[51]="decrypt_error"
 	[60]="export_restriction_RESERVED"
 	[70]="protocol_version"
 	[71]="insufficient_security"
 	[80]="internal_error"
 	[86]="inappropriate_fallback"
 	[90]="user_canceled"
 	[100]="no_renegotiation_RESERVED"
 	[109]="missing_extension"
 	[110]="unsupported_extension"
 	[111]="certificate_unobtainable_RESERVED"
 	[112]="unrecognized_name"
 	[113]="bad_certificate_status_response"
 	[114]="bad_certificate_hash_value_RESERVED"
 	[115]="unknown_psk_identity"
 	[116]="certificate_required"
 	[120]="no_application_protocol"
 )
 # https://curl.se/docs/ssl-ciphers.html
 # openssl
 # https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
 # https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
 openssl=openssl
 # CURLOPT_TLS13_CIPHERS --tls13-ciphers
 if [ $openssl = openssl ] ; then
    export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
 elif [ $openssl = nss ] ; then
    export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
 fi
--- a/overlay/Linux/usr/local/src/proxy_daily.bash
+++ b/overlay/Linux/usr/local/src/proxy_daily.bash
@ -0,0 +1,56 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 prog=$( basename $0 .bash )
 . /usr/local/bin/usr_local_tput.bash || exit 2
 PREFIX=/usr/local
 ROLE=proxy
 # The idea here is to run ansible_local.bash --tags daily
 # and then use this to do the parsing and throwing errors based on the output.
 # This was the ansible run can be free from erroring and this can be
 # run repeatedly anytime outside of ansible to deal with the issues raised.
 # It is also run at the end of ansible_local.bash --tags daily to raise the issues.
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 [ -f /usr/local/etc/testforge/testforge.bash ] && \
    .  /usr/local/etc/testforge/testforge.bash
 MYID=$( id -u )
 [ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ;  exit 1 ; }
 # . $PREFIX/src/var_local_src.bash
 which ansifilter >/dev/null 2>&1  && ansifilter=ansifilter || ansifilter=cat
 ly=daily
 errs=0
 warns=0
 elt=proxy
 LOG_DIR=/usr/local/tmp
 ELOG=$LOG_DIR/E${prog}_${ly}$$.log
 WLOG=$LOG_DIR/W${prog}_${ly}$$.log
 OUT=$LOG_DIR/O${prog}_${ly}$$.log
 rm -f $LOG_DIR/*${prog}_${ly}*.log
 elt=doctest3
 if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
    $PREFIX/bin/testforge_python_doctest3.bash \
 	/usr/local/share/doc/txt/proxy3.txt \
 	> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
 fi
 [ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
 [ $? -eq 0 -a $warns -ne 0 ] && \
  WARN "$prog $warns $ly $prog warnings in $WLOG"
 [ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
 [ $? -eq 0 -a $errs -ne 0 ] && \
  ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
 [ $errs -eq 0 ] && \
  [ $warns -eq 0 ] && \
  INFO "$prog No $ly errors" && \
  rm -f $WLOG $ELOG $OUT
 exit $errs
--- a/overlay/Linux/usr/local/src/proxy_dirmngr.bash
+++ b/overlay/Linux/usr/local/src/proxy_dirmngr.bash
@ -0,0 +1,64 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/usr_local_base.bash || exit 2
 # NO allow-version-check CALLS ANYWAY versions.gnupg.org
 # echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
 PROXY_GPG_KEYSERVER=keys.openpgp.org
 [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
 [ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
 # ONLY disabling  on  the command line or
 [ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
 [ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
  echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
 PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
 if [ -n "$PROXY_WLAN" ] ; then
    wlan7=$PROXY_WLAN
    [ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
 	[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
 	echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
 fi
 grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || { ERROR no route ; exit 1; }
 [ -z "$USER" ] && USER=$(id -un )
 if [ $USER = root ] ; then
  [ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
    mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
  [ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
      ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
 fi
 [ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
 [ -f /etc/dirmngr/dirmngr.conf ] || exit 3
 [ -x /usr/bin/dirmngr.bin ] || exit 4
 [ ! -x /usr/bin/netstat ] || \
  netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
 [ ! -x /usr/bin/netstat ] || \
  netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
 # This is not enough: --disable-ipv6
 # --keyserver hkps://keys.gentoo.org is required
 # --http-proxy http://127.0.0.1:3128
 # --keyserver $PROXY_GPG_KEYERVER_URL
 # --no-use-tor is REQUIRED if you are running tor
 # EVEN IF YOU DOT USE use-tor - silent dns failure
 exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
 	--options /etc/dirmngr/dirmngr.conf \
       --nameserver 127.0.0.1 \
       --disable-ipv6 \
       --disable-ldap \
 	--no-use-tor \
 	--log-file /var/log/dirmngr.log --debug-level 4 \
 	"$@"
--- a/overlay/Linux/usr/local/src/proxy_dirmngr_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_dirmngr_test.bash
@ -0,0 +1,68 @@
 #!/bin/sh
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 # Dual Linux or msys64
 prog=$( basename $0 .bash )
 ROLE=proxy
 PREFIX=/usr/local
 [ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
 [ -f $PREFIX/etc/testforge/testforge.bash ] \
    && . /usr/local/etc/testforge/testforge.bash
 # Dual Linux or msys64
 PROXIES=""
 if [ -d /etc/pacman.d/gnupg ] ; then
    ROLE=msys64
    HOMEDIR=/etc/pacman.d/gnupg
    # proxy or striaght through
    PROXIES="10.152.152.12"
  elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
    ROLE=q
    HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
    ppl=/usr/local/bin/proxy_ping_lib.bash
    # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
    [ "$USER" != root ] && export PATH=/sbin:$PATH
    [ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
    if [ "$MODE" = tor ] ; then
 	PROXIES="127.0.0.1:3128"
      elif [ "$MODE" = whonix ] ; then
 	PROXIES="10.0.2.15:9128"
      elif [ "$MODE" = gateway ] ; then
 	PROXIES="10.0.2.15:9128"
      elif ps ax | grep -q polipo ; then
 	PROXIES="127.0.0.1:3128"
    else
 	echo ERROR: unknown proxy
 	exit 2
    fi
  fi
 if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
       grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
    echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
    exit 1
 fi
 GPG="gpg --verbose --home $HOMEDIR"
 $GPG --refresh-keys --verbose
 ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
 grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
    sed -e 's@keyserver hkp://@@' | \
    while read elt ; do
 	for proxy in $PROXIES; do
            echo 1 | http_proxy=$proxy $GPG --yes \
 			       --debug-level guru \
 			       --keyserver hkp://$elt \
 			       --search-keys abcdefghij  || exit 3$?
 	    echo INFO: $proxy $elt
 	done
    done
 /usr/local/bin/proxy_ping_test.bash dirmngr
--- a/overlay/Linux/usr/local/src/proxy_dns_forward.bash
+++ b/overlay/Linux/usr/local/src/proxy_dns_forward.bash
@ -0,0 +1,22 @@
 #!/bin/sh
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 # https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/usr_local_tput.bash || exit 2
 netstat -nlpe4 | grep -q 127.0.0.1:53 && {
    ERROR 127.0.0.1:53 already bound
    exit 1
 }
 MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
 if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
    socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
 elif a[ "$MODE" = whonix  ] ; then
    socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
 fi
--- a/overlay/Linux/usr/local/src/proxy_export.bash
+++ b/overlay/Linux/usr/local/src/proxy_export.bash
@ -0,0 +1,166 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 ROLE=proxy
 #NO prog=proxy_export
 . /usr/local/bin/usr_local_tput.bash || exit 2
 [ -f /usr/local/bin/proxy_ping_lib.bash ] || \
    { ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
 # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
 # [ "$USER" != root ] && export PATH=/sbin:$PATH
 ## proxy_to_virbr1_15
 proxy_to_virbr1_15 () {
   if ifconfig | grep -q virbr1 ; then
 	PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
 	[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
 	    PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
            [ -n "$PROXY_VIREXT_HOST" ] && \
 	    export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
 	    export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
 	    export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
 		export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
 		export TOR_SOCKS_PORT=9050
   fi
   return 0
 }
 ## proxy_http_host_httpproxy
 proxy_http_host_httpproxy () {
    if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
        export http_proxy=http://127.0.0.1:3128
 	export https_proxy=http://127.0.0.1:3128
 	export RSYNC_PROXY=127.0.0.1:3128
      fi
    return 0
 }
 proxy_https_host_selektor () { proxy_https_host_tor $* ; }
 proxy_https_host_tor () {
    if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
        export https_proxy=http://127.0.0.1:9128
      fi
    return 0
 }
 proxy_socks_host_tor () {
    local file=/etc/tor/torrc
    if [ -f $file ] ; then
 	port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
        [ -z "$port" ] && port=9050
        export socks_proxy=socks5://127.0.0.1:$port
 	return 0
    else
 	[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
 	    echo >&2 WARN: $prog $file not found
        return 1
    fi
    if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
        export socks_proxy=socks5://127.0.0.1:$port
      fi
    return 0
 }
 proxy_socks_host_selektor () {
    local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
    if [ -f $file ] ; then
 	port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
        [ -z "$port" ] && port=9050
        export socks_proxy=socks5://127.0.0.1:$port
 	return 0
    else
 	[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
 	    echo >&2 WARN: $prog $file not found
    fi
    return 0
 }
 # proxy_export_mode
 proxy_export_mode () {
    ppl=/usr/local/bin/proxy_ping_lib.bash
    [ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
    [ -z "$MODE" ] && MODE=host
    # $0=bash
    [ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
 	debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
    if [ "$MODE" = from -o "$MODE" = whonix ] ; then
 	export no_proxy="localhost,127.0.0.1,10.0.2.15"
 	proxy_http_host_httpproxy
 	proxy_to_virbr1_15
    elif [ "$MODE" = client ] ; then
 	# inherit the environment
 	proxy_http_host_httpproxy
 	proxy_https_host_tor
 	proxy_socks_host_tor
    elif [ "$MODE" = nat ] ; then
 	export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
 	# get external
 	external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
 	if [ $? -eq 0 ] && [ -n "$external" ] ; then
 	    # get the ports and PROXY_MODE of the host
 	    export socks_proxy=socks5://$external:9050
 	    export http_proxy=http://$external:3128
 	    export https_proxy=http://$external:9128
 	fi
    elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
 	export no_proxy="localhost,127.0.0.1,10.152.152.10"
 	export socks_proxy=socks5://10.152.152.10:9050
 	proxy_http_host_httpproxy
 	export https_proxy=http://10.152.152.10:9128
    elif [ "$MODE" = gateway ] ; then
 	export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
 	export socks_proxy=socks5://10.0.2.15:9050
 	proxy_http_host_httpproxy
 	export https_proxy=http://10.0.2.15:9128
    elif [ "$MODE" = selektor ] ; then
        export http_proxy=http://127.0.0.1:3128
 	export https_proxy=http://127.0.0.1:9128
 	export no_proxy="localhost,127.0.0.1"
 	proxy_http_host_httpproxy
 	proxy_https_host_selektor
 	proxy_socks_host_selektor
    elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
        export http_proxy=http://127.0.0.1:3128
 	export https_proxy=http://127.0.0.1:9128
 	export socks_proxy=http://127.0.0.1:9050
 	export no_proxy="localhost,127.0.0.1"
 	proxy_http_host_httpproxy
 	proxy_https_host_tor
 	proxy_socks_host_tor
    fi
 }
 # echo $0 $* "$0" = 'tostop' -o
 if [ "$0" = '-bash' -o "$0" = '/bin/bash'  -o "$0" = 'bash' ] ; then
       proxy_export_mode
       [ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
 	   env | grep proxy | while read line ; do debug $line ; done
  elif [ -x /usr/bin/basename ] && \
       [ `basename -- "$0"` = 'proxy_export.bash' -o \
  	   "$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
    if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
 	echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
    elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
 	set -- proxy_export_mode
    fi
    eval "$@"
    exit $?
 fi
--- a/overlay/Linux/usr/local/src/proxy_firewall_start.bash
+++ b/overlay/Linux/usr/local/src/proxy_firewall_start.bash
@ -0,0 +1,8 @@
 #!/bin/bash
 # -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
 proxy_ping_firewall_restart $*
--- a/overlay/Linux/usr/local/src/proxy_fw_laptop.bash
+++ b/overlay/Linux/usr/local/src/proxy_fw_laptop.bash
@ -0,0 +1,572 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/usr_local_tput.bash || exit 2
 # https://www.hermann-uwe.de/files/fw_laptop
 #------------------------------------------------------------------------------
 # File: fw_laptop
 # Author: Uwe Hermann <uwe@hermann-uwe.de>
 # URL: http://www.hermann-uwe.de/files/fw_laptop
 # License: GNU GPL (version 2, or any later version).
 # $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
 #------------------------------------------------------------------------------
 # A firewall script intended to be used on workstations / laptops. It basically
 # blocks all incoming traffic and only allows minimal outgoing traffic.
 # It helps to mitigate certains attacks, misconfigurations of local daemons,
 # misbehaving local users or applications, and can prevent untrusted
 # applications from "phoning home", among other things.
 # Note: This is work in progress! Any comments and suggestions are welcome!
 # Thanks for comments and suggestions:
 #   * Jean Christophe André <jean-christophe.andre@auf.org>
 #   * Ryan Giobbi <rgiobbi@gmail.com>
 #   * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
 #------------------------------------------------------------------------------
 # Configuration.
 #------------------------------------------------------------------------------
 # For debugging use iptables -v.
 IPTABLES="/sbin/iptables"
 IP6TABLES="/sbin/ip6tables"
 MODPROBE="/sbin/modprobe"
 RMMOD="/sbin/rmmod"
 ARP="/usr/sbin/arp"
 # Logging options.
 # Note: We use --log-level debug, so that the messages are not output
 # to all virtual consoles (which would be quite annoying).
 # Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
 # /etc/init.d/klogd startup-script.
 LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
 LOG="$LOG --log-ip-options"
 # Defaults for rate limiting (to prevent DoS attacks and excessive logging).
 # TODO: What is a good value for --limit and --limit-burst?
 # TODO: Test rate limiting.
 RLIMIT="-m limit --limit 3/s --limit-burst 8"
 # Unprivileged ports.
 PHIGH="1024:65535"
 # Common SSH source ports.
 PSSH="1000:1023"
 # Load required kernel modules (if automatic module loading is disabled).
 #$MODPROBE ip_conntrack_ftp
 #$MODPROBE ip_conntrack_irc
 #------------------------------------------------------------------------------
 # Mitigate ARP spoofing/poisoning and similar attacks.
 # For details see:
 #   * http://en.wikipedia.org/wiki/ARP_spoofing
 #   * http://www.grc.com/nat/arp.htm
 #------------------------------------------------------------------------------
 # Hardcode static ARP cache entries here (e.g. for the network gateway).
 # $ARP -s IP-ADDRESS MAC-ADDRESS
 #------------------------------------------------------------------------------
 # Kernel configuration.
 # For details see:
 #   * http://www.securityfocus.com/infocus/1711
 #   * http://www.linuxgazette.com/issue77/lechnyr.html
 #   * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
 #   * /usr/src/linux/Documentation/filesystems/proc.txt
 #   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
 #------------------------------------------------------------------------------
 # Disable IP forwarding.
 # Note: We turn this on and off to reset all settings to their defaults.
 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo 0 > /proc/sys/net/ipv4/ip_forward
 # Enable IP spoofing protection (i.e. source address verification).
 # Note: This is special, as it seems to only be enabled if you set
 # */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
 # */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
 for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
 # Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 # Ignore all incoming ICMP echo requests (i.e. disable ping).
 # Usually not a good idea, as some protocols and users need/want this.
 # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 # Ignore ICMP echo requests to broadcast/multicast addresses. We do not
 # want to participate in smurf (and similar) DoS attacks.
 # For details see: http://en.wikipedia.org/wiki/Smurf_attack.
 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 # Log packets with impossible addresses.
 for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
 # Don't log invalid responses to broadcast frames, they just clutter the logs.
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 # Don't accept or send ICMP redirects.
 for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
 for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
 # Don't accept source routed packets.
 for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
 # Disable multicast routing. Should not be needed, usually.
 # TODO: This throws an "Operation not permitted" error. Why?
 # for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
 # Disable proxy_arp. Should not be needed, usually.
 for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
 # Enable secure redirects, i.e. only accept ICMP redirects for gateways
 # listed in the default gateway list. Helps against MITM attacks.
 for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
 # Disable bootp_relay. Should not be needed, usually.
 for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
 # TODO: These may mitigate ARP poisoning attacks?
 # /proc/sys/net/ipv4/neigh/*/locktime
 # /proc/sys/net/ipv4/neigh/*/gc_stale_time
 # TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
 # Are there any security-relevant options I missed? Check especially:
 # icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
 exit 0
 #------------------------------------------------------------------------------
 # Default policies.
 #------------------------------------------------------------------------------
 # Drop everything by default.
 # Note: The default policies are set _before_ flushing the chains, to prevent
 # a short timespan between flushing the chains and setting policies where
 # any traffic would be allowed.
 $IPTABLES -P INPUT DROP
 $IPTABLES -P FORWARD DROP
 $IPTABLES -P OUTPUT DROP
 # Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
 # Packets will simply pass through these tables unchanged.
 # TODO: What happens if the modules aren't loaded?
 $IPTABLES -t nat -P PREROUTING ACCEPT
 $IPTABLES -t nat -P OUTPUT ACCEPT
 $IPTABLES -t nat -P POSTROUTING ACCEPT
 $IPTABLES -t mangle -P PREROUTING ACCEPT
 $IPTABLES -t mangle -P INPUT ACCEPT
 $IPTABLES -t mangle -P FORWARD ACCEPT
 $IPTABLES -t mangle -P OUTPUT ACCEPT
 $IPTABLES -t mangle -P POSTROUTING ACCEPT
 # TODO: Correct? Remove this?
 # $IPTABLES -t raw -P PREROUTING ACCEPT
 # $IPTABLES -t raw -P OUTPUT ACCEPT
 #------------------------------------------------------------------------------
 # Cleanup.
 #------------------------------------------------------------------------------
 # Delete all rules.
 $IPTABLES -F
 $IPTABLES -t nat -F
 $IPTABLES -t mangle -F
 # Delete all (non-builtin) user-defined chains.
 $IPTABLES -X
 $IPTABLES -t nat -X
 $IPTABLES -t mangle -X
 # Zero all packet and byte counters.
 $IPTABLES -Z
 $IPTABLES -t nat -Z
 $IPTABLES -t mangle -Z
 #------------------------------------------------------------------------------
 # Completely disable IPv6.
 #------------------------------------------------------------------------------
 # Block all IPv6 traffic, otherwise the firewall might be circumvented by an
 # attacker who simply sends IPv6 traffic instead of IPv4 traffic.
 # Note: The safest way to prevent IPv6 traffic is to not enable support for
 # IPv6 in the kernel in the first place (neither built-in nor as a module).
 # If the ip6tables command is available, try to block all IPv6 traffic.
 if test -x $IP6TABLES; then
  # Set the default policies (drop everything).
  $IP6TABLES -P INPUT DROP 2>/dev/null
  $IP6TABLES -P FORWARD DROP 2>/dev/null
  $IP6TABLES -P OUTPUT DROP 2>/dev/null
  # The mangle table can pass everything through unaltered (we don't use it).
  $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
  # Delete all rules.
  $IP6TABLES -F 2>/dev/null
  $IP6TABLES -t mangle -F 2>/dev/null
  # Delete all (non-builtin) user-defined chains.
  $IP6TABLES -X 2>/dev/null
  $IP6TABLES -t mangle -X 2>/dev/null
  # Zero all packet and byte counters.
  $IP6TABLES -Z 2>/dev/null
  $IP6TABLES -t mangle -Z 2>/dev/null
 fi
 #------------------------------------------------------------------------------
 # Custom user-defined chains.
 #------------------------------------------------------------------------------
 # LOG packets, then ACCEPT them.
 $IPTABLES -N ACCEPTLOG
 $IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
 $IPTABLES -A ACCEPTLOG -j ACCEPT
 # LOG packets, then DROP them.
 $IPTABLES -N DROPLOG
 $IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
 $IPTABLES -A DROPLOG -j DROP
 # LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
 $IPTABLES -N REJECTLOG
 $IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
 $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
 $IPTABLES -A REJECTLOG -j REJECT
 # A custom chain which only allows minimal (RELATED) ICMP types
 # (destination-unreachable, time-exceeded, and parameter-problem).
 # TODO: Rate-limit this traffic?
 # TODO: Allow fragmentation-needed?
 # TODO: Test.
 $IPTABLES -N RELATED_ICMP
 $IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
 $IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
 $IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
 $IPTABLES -A RELATED_ICMP -j DROPLOG
 #------------------------------------------------------------------------------
 # Only allow the minimally required/recommended parts of ICMP. Block the rest.
 # For details see:
 #   * http://tools.ietf.org/html/792
 #   * http://tools.ietf.org/html/1122
 #   * http://www.iana.org/assignments/icmp-parameters
 #   * http://www.daemon.be/maarten/icmpfilter.html
 #------------------------------------------------------------------------------
 # Note: Be careful if you're using kernels older than 2.4.29. Some locally
 # generated ICMP error types (going through OUTPUT) are erroneously tagged
 # as INVALID (instead of RELATED).
 # Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.
 # TODO: This section needs a lot of testing!
 # First, drop all fragmented ICMP packets (almost always malicious).
 $IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
 $IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
 $IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
 # Allow all ESTABLISHED ICMP traffic.
 # TODO: Tighten this some more?
 $IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
 $IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
 # Allow some parts of the RELATED ICMP traffic, block the rest.
 # TODO: FORWARD?
 $IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
 $IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
 # Allow incoming ICMP echo requests (ping), but only rate-limited.
 $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
 # Allow outgoing ICMP echo requests (ping), but only rate-limited.
 # TODO: Really do rate limiting here?
 $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
 # Drop any other ICMP traffic.
 $IPTABLES -A INPUT -p icmp -j DROPLOG
 $IPTABLES -A OUTPUT -p icmp -j DROPLOG
 $IPTABLES -A FORWARD -p icmp -j DROPLOG
 #------------------------------------------------------------------------------
 # Selectively allow certain special types of traffic.
 #------------------------------------------------------------------------------
 # Allow all incoming and outgoing connections on the loopback interface.
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 # Allow incoming connections related to existing allowed connections.
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Allow outgoing connections related to existing allowed connections.
 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Uncomment this (and comment the above line) to allow all outgoing
 # connections (except for INVALID ones).
 # $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
 # For details see:
 #   * http://www.debian.org/doc/manuals/securing-debian-howto/
 #   * ftp://ftp.isi.edu/in-notes/rfc1122.txt
 # TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?
 #------------------------------------------------------------------------------
 # Miscellaneous.
 #------------------------------------------------------------------------------
 # Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
 # TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
 $IPTABLES -A INPUT -p tcp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP
 $IPTABLES -A INPUT -p udp -m multiport \
          --dports 135,137,138,139,445,1433,1434 -j DROP
 # Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
 $IPTABLES -A INPUT -m state --state INVALID -j DROP
 # Drop invalid outgoing traffic, too.
 # Note: This may prevent you from performing certain scans. Also, see above
 # comment about ICMP packets being erroneously marked as INVALID instead of
 # RELATED in kernels older than 2.4.29. Remove this rule if needed.
 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 # This is not needed, as we use policy DROP for FORWARD, and we disabled
 # ip_forward anyways. However, if we would use NAT, INVALID packets would
 # bypass our rules, so we block them explicitly here, just in case.
 $IPTABLES -A FORWARD -m state --state INVALID -j DROP
 # Hinder portscanners a bit.
 $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
 $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
 # TODO: Some more anti-spoofing rules? For example:
 # TODO: Test.
 # $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 # TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
 # $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
 #------------------------------------------------------------------------------
 # Drop any traffic from IANA-reserved IPs.
 # Note: You could easily block valid traffic, e.g. if your ISP uses private
 # addresses (see RFC 1918) in their network. If in doubt, remove these rules.
 # For details see:
 #   * ftp://ftp.iana.org/assignments/ipv4-address-space
 #   * http://www.cymru.com/Documents/bogon-bn-agg.txt
 #------------------------------------------------------------------------------
 $IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
 $IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
 $IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
 $IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
 $IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
 $IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
 $IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
 # $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
 $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
 $IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
 $IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
 $IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
 $IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
 # $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
 $IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
 $IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
 $IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
 #------------------------------------------------------------------------------
 # Selectively allow certain outbound connections, block the rest.
 # TODO: This could be tightened a bit more (limit source/dest port ranges).
 #------------------------------------------------------------------------------
 # Allow outgoing DNS requests. Few things will work without this.
 $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 # Allow outgoing HTTP requests. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 # Allow outgoing HTTPS requests.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 # Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
 # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
 # Allow outgoing "submission" requests.
 # Submission (RFC 2476) is used for sending email, and uses port 587.
 # This can be encrypted or unencrypted, depending on the server (I think).
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
 # Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
 # Allow outgoing SSH requests.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # Allow outgoing FTP requests. Unencrypted, use with care.
 # Note: This usually needs the ip_conntrack_ftp kernel module.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
 # Allow outgoing NNTP requests. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
 # Allow outgoing NTP requests. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
 # Allow outgoing IRC requests. Unencrypted, use with care.
 # Note: This usually needs the ip_conntrack_irc kernel module.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
 # Allow outgoing requests to various proxies. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
 # Allow outgoing DHCP requests. Unencrypted, use with care.
 # TODO: This is completely untested, I have no idea whether it works!
 # TODO: I think this can be tightened a bit more.
 $IPTABLES -A OUTPUT -m state --state NEW -p udp \
          --sport 67:68 --dport 67:68 -j ACCEPT
 # Allow outgoing CVS requests. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
 # Allow outgoing SVN requests. Unencrypted, use with care.
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
 # Allow outgoing Tor (http://tor.eff.org) requests.
 # Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
 # Allow outgoing Bacula (http://www.bacula.org) requests.
 # Unencrypted (usually), use with care.
 # Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
 $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
 # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
 # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT
 # Allow outgoing OpenVPN requests.
 $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
 # TODO: ICQ, ...
 #------------------------------------------------------------------------------
 # Selectively allow certain inbound connections, block the rest.
 # TODO: This could be tightened a bit more (limit source/dest port ranges).
 #------------------------------------------------------------------------------
 # Allow incoming DNS requests.
 # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 # Allow incoming HTTP requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 # Allow incoming HTTPS requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 # Allow incoming POP3 requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 # Allow incoming POP3S requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
 # Allow incoming SMTP requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 # Allow incoming SSH requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # Allow incoming FTP requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
 # Allow incoming NNTP requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
 # Allow incoming BitTorrent requests.
 # TODO: Are these already handled by ACCEPTing established/related traffic?
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
 # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
 # Allow incoming nc requests.
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
 # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
 # Allow incoming Bacula (http://www.bacula.org) requests.
 # Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
 # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT
 #------------------------------------------------------------------------------
 # Explicitly log and reject everything else.
 #------------------------------------------------------------------------------
 # Use REJECT instead of REJECTLOG if you don't need/want logging.
 $IPTABLES -A INPUT -j REJECTLOG
 $IPTABLES -A OUTPUT -j REJECTLOG
 $IPTABLES -A FORWARD -j REJECTLOG
 #------------------------------------------------------------------------------
 # Testing the firewall.
 #------------------------------------------------------------------------------
 # You should check/test that the firewall really works, using for example
 # iptables -vnL, nmap, ping, telnet, ...
 #------------------------------------------------------------------------------
 # Exit gracefully.
 #------------------------------------------------------------------------------
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_get_if.bash
+++ b/overlay/Linux/usr/local/src/proxy_get_if.bash
@ -0,0 +1,16 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
 # on stdout - messages on stderr
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 export PATH=$PATH:/usr/local/bin
 PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
 retval=$?
 echo -n $PROXY_WLAN
 exit $retval
--- a/overlay/Linux/usr/local/src/proxy_hosts_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_hosts_test.bash
@ -0,0 +1,25 @@
 #!/bin/sh
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 # Dual Linux or msys64
 prog=$( basename $0 .bash )
 ROLE=proxy
 PREFIX=/usr/local
 [ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
 . /usr/local/bin/usr_local_tput.bash
 [ -f $PREFIX/etc/testforge/testforge.bash ] \
    && . /usr/local/etc/testforge/testforge.bash
 grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
 	[ -z "$ip" ] && continue
 	[ -z "$b" ] && continue
 	dig -x $ip | grep "$b" && \
 		INFO $ip $b || \
 		WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
 	dig $b | grep 'IN.*\.'
 	dig @8.8.8.8 $b | grep 'IN.*\.'
 done
--- a/overlay/Linux/usr/local/src/proxy_hourly.bash
+++ b/overlay/Linux/usr/local/src/proxy_hourly.bash
@ -0,0 +1,245 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 DEBUG=1
 # The idea here is to run ansible_local.bash --tags daily
 # and then use this to do the parsing and throwing errors based on the output.
 # This was the ansible run can be free from erroring and this can be
 # run repeatedly anytime outside of ansible to deal with the issues raised.
 # It is also run at the end of ansible_local.bash --tags daily to raise the issues.
 prog=$( basename $0 .bash )
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 [ -f /usr/local/etc/testforge/testforge.bash ] && \
    .  /usr/local/etc/testforge/testforge.bash >/dev/null
 . /usr/local/bin/proxy_export.bash
 PL=/usr/local/bin/proxy_ping_lib.bash
 . $PL
 PL=
 PLL=/usr/local/bin/proxy_libvirt_lib.bash
 . $PLL
 PLL=
 DEBUG=1
 declare -a BOX_NBD_OVERLAY_EXTERNAL
 # fill this in with the ansible hosts.yml
 BOX_NBD_OVERLAY_EXTERNALS=(
    /o/var/local/src/play_tox/hosts.yml
    /o/data/TestForge/src/ansible/hosts.yml
    )
 [ -z "$USER" ] && USER=$(id -un )
 MYID=$( id -u )
 [ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ;  exit 1 ; }
 # . $PREFIX/src/var_local_src.bash
 which ansifilter >/dev/null 2>&1  && ansifilter=ansifilter || ansifilter=cat
 [ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
 ly=hourly
 errs=0
 warns=0
 elt=proxy
 LOG_DIR=/usr/local/tmp
 ELOG=$LOG_DIR/E${prog}_${ly}$$.log
 WLOG=$LOG_DIR/W${prog}_${ly}$$.log
 OUT=$LOG_DIR/O${prog}_${ly}$$.log
 export PATH=$PATH:/usr/local/bin
 [ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
 [ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
 [ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
 [ -z "$MODE" ] && exit 2
 [ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
 find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
 elt=proxy_export
 DBUG elt=$elt
 . /usr/local/bin/$elt.bash || exit 2
 DBUG http_proxy=$http_proxy
 DBUG https_proxy=$https_proxy
 DBUG socks_proxy=$socks_proxy
 IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
 DBUG external=$IP
 GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
 DBUG gw=$GW
 grep -q "^wlan[1-9][ 	]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
 if [ $ZERO_CONNECTED == 0 ] ; then
    /usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
    [ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
 fi
 elt=/etc/ssl/certs
 DBUG elt=$elt
 if [ -d  /etc/ssl/certs/ ] ; then
    find -L /etc/ssl/certs/ -type l | tee -a $ELOG
    find -L /etc/ssl/certs/ -type l -delete
 else
    WARN /etc/ssl/certs/ missing
 fi
 elt=route
 DBUG elt=$elt
 # ubuntu / devuan oddball
 route | grep -q 'lo$' || \
   ip route add 127.0.0.0/8 dev lo scope host
 if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor  ] ; then
    NS=127.0.0.1
 elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws  ] ; then
    NS=10.0.2.2
 else
    NS=
 fi
 if [ -n "$NS" ] ; then
    elt=/etc/resolv.conf
    DBUG elt=$elt
    a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
    if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
 	/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
 	echo "nameserver $IP" > /etc/resolv.conf
    fi
 fi
 if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor  ] ; then
    # 10.24.216.64
    elt=/etc/hosts
    DBUG elt=$elt
    if [ -n "$IP" ] ; then
 	grep -q " external" /etc/hosts && \
 	    sed -e "s/.* external/$IP external/" -i /etc/hosts  || \
 		echo "$IP external" >>  /etc/hosts
 	for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
 	    [ -f $file ] || continue
 	    grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
 	    sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
 	done
    fi
    elt=/etc/firewall.conf
    DBUG elt=$elt
    [ -f /etc/firewall.conf ] || {
 	ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
 	    xargs /usr/local/bin/base_wall.bash
    }
    elt=iptables
    DBUG elt=$elt
    $PL proxy_iptables_save >$OUT 2>&1
    if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
 	ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
 	/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
 	#?	    /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
    fi
 elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws  ] && [ $ONE_GUEST -eq 1 ]; then
    elt=/etc/resolv.conf
    DBUG elt=$elt
    if [ $? -eq 0 -a -n "$GW" ] ; then
 	if ! grep  -q "$GW" /etc/resolv.conf ; then
 	    /usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
 	    echo "nameserver $GW" >> /etc/resolv.conf
 	fi
 	$PL proxy_ping_firewall_check  || \
 	    /usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
    fi
 fi
 if [ $ONE_GUEST -eq 0 ] ; then
    if [ "$MODE" = whonix ] ; then
 	BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
 	if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
 	       which virsh 2>/dev/null >/dev/null && \
 	       virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
 	    # sh proxy_whonix_host_tor.bash whonix
 	    /usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
 	fi
 	$PLL proxy_libvirt_test >$OUT 2>&1
 	retval=$?
 	[ $retval -gt 1 ] && \
 	    ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
    fi
    wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
    if [ -n "$wlan7" ] ; then
 	grep -q $wlan7 /etc/firewall.conf  || {
 	    ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
 		xargs /usr/local/bin/base_wall.bash
 	    /usr/local/bin/firewall.bash
 	}
    fi
    [ -f /var/log/privoxy/logfile ] && \
 	grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
 	ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
    if grep -q "^wlan[1-9][ 	]00000000" /proc/net/route ; then
 	$PL proxy_ping_gw_check || {
 	    ERROR  proxy_ping_gw_check | tee -a $ELOG
 	}
 	$PL proxy_ping_dnsmasq_check && \
 	    ERROR  proxy_ping_dnsmasq_check || {
 	    ERROR  proxy_ping_dnsmasq_check | tee -a $ELOG
 	}
 	$PL proxy_ping_firewall_check && \
 	    INFO proxy_ping_firewall_check  || {
 	    ERROR proxy_ping_firewall_check | tee -a $ELOG
 	}
 	$PL proxy_test_dirmngr $OUT && \
 	    INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
 		retval=$?
 		ERROR proxy_test_dirmngr $retval | tee -a $ELOG
 	}
 	if dmesg | grep --text -A 1 'martian' ; then
 	    dmesg | grep --text -A 1 'martian' | \
 		xargs echo WARN: martians | tee -a $ELOG
            dmesg | grep --text -A 1 'martian' | \
 		sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
 	else
 	    INFO proxy_test_dirmngr no martians
 	fi
 	PROXY_WLAN=$( $PL proxy_get_if )
 	[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
 	    ps ax | grep -q wpa_supplicant && \
 	    grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
 		grep bssid | sed -e 's/.*= //' | \
 		while read elt ; do \
 	            wpa_cli -i "$PROXY_WLAN" blacklist $elt
 		done
    fi
 fi
 # [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
 if [ -s $ELOG ] ; then
    errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
    if [ $? -eq 0 -a $errs -ne 0 ] ; then
 	ERROR $prog $errs $ly $prog errors in $ELOG
 	cat $ELOG
 	exit $errs
      fi
 fi
 [ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
 [ $? -eq 0 -a $warns -ne 0 ] && \
  WARN "$warns $ly $prog warnings in $WLOG"
 [ $errs -eq 0 ] && \
  [ $warns -eq 0 ] && \
  INFO  "$prog No $ly errors in $HARDEN_LOG_DIR"
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_jnettop.bash
+++ b/overlay/Linux/usr/local/src/proxy_jnettop.bash
@ -0,0 +1,35 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
 prog=$( basename $0 .bash )
 . /usr/local/bin/usr_local_tput.bash || exit 2
 PREFIX=/usr/local
 ROLE=proxy
 grep -q "^wlan[1-9][ 	]00000000" /proc/net/route || exit 0
 [ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
 	|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
 error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
 warn () { WARN "$prog " $* ; }
 info () { echo "INFO: $prog " $* ; }
 usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
 # must be run as root
 [ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
 PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
 [ $? -eq 0 ] || error 2 " error getting device $?"
 PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
 LARGS="-i $PROXY_WLAN"
 CONF=/usr/local/etc/jnettop.conf
 if [ -f $CONF ] ; then
    LARGS="$LARGS --config-file $CONF"
    # sed -e 's/^#* *interface.*/interface	"'$PROXY_WLAN'"/' -i $CONF
    [ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me"		"net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
  fi
 exec jnettop $LARGS $* # 2>/dev/null
--- a/overlay/Linux/usr/local/src/proxy_libvirt_forward.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_forward.bash
@ -0,0 +1,35 @@
 #!/bin/sh
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 # https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/usr_local_tput.bash || exit 2
 if [ ! -d /run/tmp ] ; then
    sudo mkdir /run/tmp
    sudo chown 1777 /run/tmp
 fi
 [ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
 IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
 retval=$?
 if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
    exit $retval
 fi
 if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
     socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
 	 WARN 53,bind=$IP in use
    for elt in 9050 9128 ; do
 	netstat -nle4 | grep -q $IP:$elt && {
 	    ERROR $IP:$elt already bound
 	    continue # exit 1
 	}
 	DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
 	socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
    done
 #else
 #    WARN $MODE
 #fi
--- a/overlay/Linux/usr/local/src/proxy_libvirt_ga_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_ga_test.bash
@ -0,0 +1,62 @@
 #!/bin/bash
 ROLE=proxy
 #[ $# -eq 0 ] && set --  Whonix-Gateway /bin/cat /proc/cmdline
 [ $# -lt 2 ] && echo USAGE: $0 domain command arguments
 HOST=$1
 shift
 CMD=$1
 shift
 # FixMe
 if [ $? -gt 1 ]  ; then
    ARGS=""
  elif [ $? -gt 1 ] ; then
    ARGS=`sed -e 's/ /","/g' <<< $@`
  else
    ARGS="$1"
 fi
 [ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
 [ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
 echo INFO: $0 $HOST $CMD $ARGS
 false && echo DEBUG: virsh qemu-agent-command $HOST \
  '{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
 virsh qemu-agent-command $HOST \
  '{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
  >/tmp/Q$$.out || exit 1$?
 grep -q return /tmp/Q$$.out || exit 2
 pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
 [ $? -eq 0 ] || exit 3
 # echo DEBUG: virsh qemu-agent-command $HOST \
 #  '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
 virsh qemu-agent-command $HOST \
  '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
  >/tmp/R$$.out || exit 4$?
 TRIES=10
 i=0
 while [ $i -lt $TRIES ] ; do
    i=`expr $i + 1`
    virsh qemu-agent-command $HOST \
 	  '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
 	  >/tmp/R$$.out || exit 4$i$?
    grep -q '"exitcode":0' /tmp/R$$.out && break
    sleep 5
    echo DEBUG: $i
 done
 [ $i -lt $TRIES ] || \
    { echo ERROR: $i no exitcode in  /tmp/R$$.out; exit 5 ; }
 b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
 [ $? -eq 0 ] || exit 6
 [ -n "$b64" ] || exit 7
 echo $b64 | base64 -d -
 rm -f /tmp/{Q,R}$$.out
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_libvirt_hook_network.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_hook_network.bash
@ -0,0 +1,44 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 # Aruments ignored: dom plugged begin
 # so must be idempotemt - as its called by things it calls?
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 [ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
 [ -z "$USER" ] && USER=$(id -un )
 [ -n "$USER" -a "$USER" = root ] && \
 for file in /usr/local/etc/modules-load.d/vda*.conf ; do
    base=$( basename $file )
    [ -e /etc/modules-load.d/$base ] && continue
    cp -p $file  /etc/modules-load.d/$base
  done
 /etc/init.d/virtlogd status || /etc/init.d/virtlogd start
 /etc/init.d/libvirtd status
 retval=$?
 [ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
 [ $retval -eq 0 ]  || /etc/init.d/libvirtd start
 grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
 . /usr/local/bin/proxy_ping_lib.bash
 proxy_ping_firewall_restart
 retval=$?
 if [ $retval -eq 0 ] ; then
    [ "$DEBUG" = 1 ] && logger INFO: $prog  proxy_ping_firewall_restart $*
  else
    logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
    exit $retval
 fi
 [ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
 /etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
 /etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
 # clean
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_libvirt_hook_qemu.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_hook_qemu.bash
@ -0,0 +1,11 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 logger INFO: $0 $PWD $*
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_libvirt_lib.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_lib.bash
@ -0,0 +1,285 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 base=proxy_libvirt_lib
 # shellcheck disable=SC2154
 [ -z "$USER" ] && USER=$(id -un )
 # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
 . /usr/local/bin/usr_local_tput.bash || exit 2
 . /usr/local/bin/proxy_ping_lib.bash || exit 2
 ## proxy_libvirt_test_dnsmasq
 proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
    proxy_rc_service libvirtd status </dev/null >/dev/null || {
 	DBUG $prog libvirtd not running ; return 0
    }
    if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
 	dbug $prog checking libvirtd dnsmasq conf
 	PROXY_WLAN=$( proxy_get_if )
 	retval=$?
 	[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
 	    ERROR proxy_get_if empty wlan7 retval=$retval
 	    return 2$retval
 	}
 	for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
 	  for file in /var/lib/libvirt/dnsmasq/*conf ; do
 	    if ! grep -q $elt $file ; then
 		[ -f $file.$$ ] || cp -p $file $file.$$
 		echo $elt >> $file
 	      fi
 	    done
 	  done
 	if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
 	    dbug $prog restarting libvirtd dnsmasq conf
 	    # FixMe: use virsh net-update net-edit
 	    # ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
 	    for file in  /var/lib/libvirt/dnsmasq/*conf.$$ ; do
 		pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
 		[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
 		[ -f $pid ] || dbug $prog no pid-file in $file && continue
 		pid=$( cat $pid )
 		dbug $prog HUPing libvirtd dnsmasq $pid
 		kill -HUP $pid ||  WARN $prog error killing $file $pid && continue
 	    done
 	  fi
 	fi
    return 0
 }
 ## proxy_libvirt_clean_virbr1_rules
 proxy_libvirt_clean_virbr1_rules () {
    local line
    proxy_iptables_save | \
 	grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
 	sed -e 's/-A/-D/' | while read line ; do
 	proxy_iptables $line
 	done
    return 0
 }
 ## proxy_libvirt_no_autostart
 proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
    proxy_libvirt_hung || return 1
    proxy_virsh net-list --autostart | while read n s a p ; do
 	[ "$a" = yes ] || continue
 	virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
 	dbug $prog net-autostart $n --disable
 	[ "$s" = active ] || continue
 	virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
 	dbug $prog net-destroy $n
      done
    return 0
 }
 ## proxy_libvirt_status tests and checks logs - noisy
 proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
 proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
    /etc/init.d/virtlogd status  >/dev/null || /etc/init.d/virtlogd start || return 1$?
    /etc/init.d/libvirtd status  >/dev/null || /etc/init.d/libvirtd start || return 2$?
    if ! proxy_rc_service libvirtd status >/dev/null ; then
 	DBUG proxy_libvirt_status proxy_rc_service libvirtd start
 	proxy_rc_service libvirtd start || return 3$?
    fi
    if ! proxy_rc_service libvirtd status >/dev/null ; then
 	ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
        return 4
    fi
    if [ ! -e /run/libvirt/libvirt-sock ] ; then
 	WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
    fi
    if [ ! -e /run/libvirt/virtlogd-sock ] ; then
 	WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
    fi
    # virtlockd-sock
    # shellcheck disable=SC2154
    [ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
    if [ -n "$GATEW_DOM" ] ; then
 	proxy_libvirt_list | grep -q $GATEW_DOM
 	[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
 	#? && return 3
    else
 	WARN proxy_libvirt_status null GATEW_DOM
    fi
    return 0
 }
 ## proxy_libvirt_restart
 proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
    # tests restarts
    proxy_libvirt_start || return 3$?
    proxy_libvirt_test || return 4$?
    [ -x /etc/libvirt/hooks/network ] || return 7$?
    /etc/libvirt/hooks/network || return 8$?
    proxy_ping_firewall_restart
    # /etc/modules-load.d/firewall.conf
    return 0
 }
 ## proxy_libvirt_start_guest
 proxy_libvirt_start_guest () {
    local dire=$1
    [ ! -f /etc/init.d/qemu-guest-agent ] && return 0
    proxy_rc_service qemu-guest-agent status >/dev/null \
 	|| proxy_rc_service qemu-guest-agent start || return 2$?
    return $?
 }
 # proxy_libvirt_test_host
 proxy_libvirt_test_host () {
    local dire=$1
    [ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
    [ -n "$MODE" ] || MODE=host
    if [ $MODE = tor ] ; then
 	proxy_rc_service tor status >/dev/null || \
 	    { echo ERROR: $prog tor is not running ; return 2 ; }
 	# different for selector
    fi
    $PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
    return $?
 }
 # proxy_libvirt_test_guest
 proxy_libvirt_test_guest () {
    [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
 	echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
    proxy_rc_service qemu-guest-agent status
    return $?
 }
 ## proxy_libvirt_status tests and checks logs - noisy
 proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
    [ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
 	    proxy_libvirt_test_host
    return $?
 }
 ## proxy_libvirt_status tests and checks logs - noisy
 proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
    proxy_libvirt_status || return 1$?
    [ -f /var/log/libvirt/libvirtd.log ] && \
 	INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
 	tail /var/log/libvirt/libvirtd.log
    # shellcheck disable=SC2154
    [ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
    if [ -n "$GATEW_DOM" ] ; then
 	if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
 	    INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
 	    tail /var/log/libvirt/qemu/$GATEW_DOM.log
 	else
 	    WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
 	fi
    else
 	WARN proxy_libvirt_test null GATEW_DOM
    fi
    proxy_libvirt_test_dnsmasq || return 6$?
    return 0
 }
 ## proxy_libvirt_start
 proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
    proxy_ping_firewall_modules
    proxy_libvirt_hung || return 2
    proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
        proxy_rc_service libvirtd start || return 3$?
    return 0
 }
 ## proxy_libvirt_hung
 proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
    # 1 means hung
    [ -f /etc/init.d/libvirtd ] || return 0
    if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
 	INFO proxy_libvirt_hung proxy_rc_service libvirtd start
 	proxy_rc_service libvirtd start || return 1
 	sleep $DELAY
    fi
    /etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
    a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
    # hung processes will hang proxy_virsh list
    [ $? -eq 0 -a $a -gt 1 ] && {
 	WARN proxy_libvirt_hung - too many subprocesses $a
 	return 1
    }
    # ├─  820 /usr/sbin/libvirtd
    # ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
    # ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
    # ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
    return 0
 }
 ## proxy_libvirt_list
 proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
    local a
    proxy_libvirt_hung || return 10
    proxy_virsh list
    return $?
 }
 ## proxy_libvirt_clean_iptables
 proxy_libvirt_clean_iptables () {
    local i int dir dcp prot port
    for dir in i ; do
 	for int in virbr2 virbr1; do
 	    dcp=67
 	    [ $dir = i ] || dcp=68
 	    for port in 53 $dcp ; do
 		[ $dir = i ] && table=INP || table=OUT
 		for prot in udp tcp; do
 		    proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
 		    iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
 			echo WARN: $?  -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
 		done
 	    done
 	done
    done
    for dir in o ; do
 	for int in virbr2 virbr1; do
 	    dcp=68
 	    [ $dir = o ] || dcp=67
 	    for port in 53 68 ; do
 		table=OUT
 		[ $dir = i ] && table=INP
 		for prot in udp tcp; do
 		    proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
 		    iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
 			echo WARN: $?  -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
 		done
 	    done
 	done
    done
    return 0
 }
 # DBUG 0=$0
 base=proxy_libvirt_lib
 if [ -x /usr/bin/basename ] && \
       [  $( basename -- "$0" .bash ) = $base \
 	 -o $( basename -- "$0" .sh ) = $base ] ; then
    [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
 	echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
    "$@"
    exit $?
  fi
--- a/overlay/Linux/usr/local/src/proxy_nm_wireless_clean.bash
+++ b/overlay/Linux/usr/local/src/proxy_nm_wireless_clean.bash
@ -0,0 +1,51 @@
 #!/bin/bash
 # -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
 ROLE=proxy
 prog=$( basename $0 .bash )
 . /usr/local/bin/usr_local_tput.bash
 PREFIX=/usr/local
 [ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
 LOG=/tmp/I$$.log
 JSON=/tmp/I$$.json
 . /usr/local/bin/proxy_ping_lib.bash || \
    { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
 . /usr/local/bin/usr_local_base.bash || exit 2
 PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
 if [ -z "$PROXY_WLAN" ] ; then
 PROXY_WLAN=$( proxy_get_if )
 [ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
 fi
 [ -d /etc/NetworkManager/system-connections ] || exit 0
 cd /etc/NetworkManager/system-connections/ || exit 6
 pgrep NetworkManager >/dev/null || \
  /etc/init.d/network-manager start # || exit 7
 iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
 which yq 2>/dev/null >/dev/null && \
 for file in *.nmconnection; do
    elt=$( basename "$file" .nmconnection )
    grep -q "$elt" "$LOG" || continue
    L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^   */  /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
    [ -z "$L" ] && continue
    sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
    grep -q lldp=0 "$file"  || echo WARN:   nmcli con modify $elt connection.lldp 0
    grep -q llmnr=0 "$file" || echo WARN:   nmcli con modify $elt connection.llmnr 0
    grep -q mdns=0 "$file"  || echo WARN:   nmcli con modify $elt connection.mdns 0
    INFO $prog $PWD/$file
  done
 rm -f /tmp/I$$.log
 [ "$#" -eq 0 ] && exit 0
 [ $1 = connect ] && nmtui-connect
 [ $1 = edit ] && nmtui-edit
--- a/overlay/Linux/usr/local/src/proxy_pacman_gpg_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_pacman_gpg_test.bash
@ -0,0 +1,55 @@
 #!/bin/sh
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 # Dual Linux or msys64
 prog=$( basename $0 .bash )
 ROLE=proxy
 PREFIX=/usr/local
 [ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
 [ -f $PREFIX/etc/testforge/testforge.bash ] \
    && . /usr/local/etc/testforge/testforge.bash
 . /usr/local/bin/usr_local_tput.bash || exit 2
 PROXIES=""
 if [ -d /etc/pacman.d/gnupg ] ; then
    ROLE=msys64
    HOMEDIR=/etc/pacman.d/gnupg
    # proxy or striaght through
    PROXIES="10.152.152.12"
  elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
    ROLE=q
    HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
    ppl=/usr/local/bin/proxy_ping_lib.bash
    # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
    [ "$USER" != root ] && export PATH=/sbin:$PATH
    [ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
    if [ "$MODE" = tor ] ; then
 	PROXIES="127.0.0.1:3128"
      elif [ "$MODE" = whonix ] ; then
 	PROXIES="10.0.2.15:9128"
      elif [ "$MODE" = gateway ] ; then
 	PROXIES="10.0.2.15:9128"
      elif ps ax | grep -q polipo ; then
 	PROXIES="127.0.0.1:3128"
    else
 	echo ERROR: unknown proxy
 	exit 2
    fi
  fi
 GPG="gpg --verbose --home $HOMEDIR"
 a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
 if [ $? -ne 0 -o "$a" -eq 0 ] ; then
    ERROR you need a private kepair with $GPG --quick-gen-key
    exit 3
 fi
 # shellcheck disable=SC2154
 $GPG --list-keys  | grep -B 1 unknown && \
    WARN un-signed keys in pacman && \
    DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"
--- a/overlay/Linux/usr/local/src/proxy_ping_lib.bash
+++ b/overlay/Linux/usr/local/src/proxy_ping_lib.bash
--- a/overlay/Linux/usr/local/src/proxy_ping_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_ping_test.bash
--- a/overlay/Linux/usr/local/src/proxy_sdwdate.bash
+++ b/overlay/Linux/usr/local/src/proxy_sdwdate.bash
@ -0,0 +1,10 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
 PREFIX=/usr/local
 ROLE=proxy
 sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
 sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
 exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"
--- a/overlay/Linux/usr/local/src/proxy_ssl_certs.bash
+++ b/overlay/Linux/usr/local/src/proxy_ssl_certs.bash
@ -0,0 +1,69 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 # https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 . /usr/local/bin/proxy_ping_lib.bash || \
    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
 . /usr/local/bin/usr_local_base.bash || exit 2
 proxy_ping_mode
 #? . /usr/local/bin/proxy_export.bash $MODE
 . /usr/local/bin/usr_local_base.bash || exit 2
 CERT=$( proxy_ping_update_cacert )
 [ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
 	CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
 openssl=openssl
 OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
 if [ -n "$https_proxy" ] ; then
    HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
    HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
    OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
 elif [ -n "$socks_proxy" ] ; then
    SOCKS_HOST=$( echo $socks_proxy|sed  -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //'  -e 's/ .*//' )
    SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
    # check /etc/tor/torsocks.conf
    openssl='torsocks openssl'
 fi
 OUTR=/tmp/$prog$$
 for item in "$@" ; do
    i=0
    OUTRF=$OUTR.$item
    INFO openssl s_client -connect ${item}:443 -servername $item  $OPENSSL_ARGS
    $openssl s_client -connect ${item}:443 -servername $item  $OPENSSL_ARGS \
 	     </dev/null 2>$OUTRF.err >$OUTRF.out
    [ $? -eq 0 ] || {
 	retval=$?
 	ERROR $prog $retval see $OUTRF.err
 	cat $OUTRF.err
 	exit 1$retval
    }
    [ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
    sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
    DBUG $prog Certificate chain:
    grep '^ [0-9][0-9]* ' $OUTRF.chain
    INFO $prog Base64 Certificate sha256 digests:
    rest=$( cat $OUTRF.chain )
    while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
 	cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
 	rest=${rest#*-----END CERTIFICATE-----}
 	echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
 	    openssl x509 -pubkey -noout |
 	    openssl rsa -pubin -outform der 2>/dev/null |
 	    openssl dgst -sha256 -binary | openssl enc -base64
    done
    # rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
 done
 exit 0
--- a/overlay/Linux/usr/local/src/proxy_test_ssl.bash
+++ b/overlay/Linux/usr/local/src/proxy_test_ssl.bash
@ -0,0 +1,351 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 . /usr/local/bin/usr_local_tput.bash || exit 2
 PREFIX=/usr/local
 ROLE=proxy
 NOW=$( date -u +%y-%m-%d_%H%m )
 DEBUG=1
 PROXY_WLAN=wlan4
 prog=$( basename $0 .bash )
 # SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
 ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
 PATH=$PATH:/sbin
 BADSSL_SITES=(
    self-signed.badssl.com
    expired.badssl.com
    mixed.badssl.com
    rc4.badssl.com
    hsts.badssl.com
 )
 badssl=0
 [ "$#" -eq 0 ] && badssl=1
 # tests="$MODE"
 tests=""
 nodig=1
 verbosity=2
 outdir=/tmp
 timeout=20
 #[ -f /usr/local/etc/testforge/testforge.bash ] && \
 #    . /usr/local/etc/testforge/testforge.bash
 . /usr/local/bin/proxy_ping_lib.bash || \
    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
 if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
    CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
 else
    CERT=$( proxy_ping_update_cacert )
    [ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
 	    CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
 fi
 [ -z "$MODE" ] || MODE=`proxy_ping_mode`
 if [ "$MODE" = tor ] ; then
    [ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
    [ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
    if ip route | grep ^def ; then
 	PROXY_WLAN_IP=$( proxy_get_wlan_ip )
 	[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
    fi
 fi
 usage() {
    echo "Usage: $0 [OPTIONS] dirs-or-files"
    echo
    echo " -B | --badssl                 - test badssl.org sites"
    echo " -D | --nodig                  - no dig sites"
    echo " -T | --tests                  - ping tests to run first"
    echo " -o | --outdir=/tmp            - output directory"
    echo " -v | --verbosity=$verbosity   - verbosity 0 least 5 most"
    echo
    echo " -V | --version                - print version of this script"
    echo " -h | --help                   - print this help"
 }
 SHORTOPTS="hVBDT:v:"
 LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
 HOSTS=
 ARGS=$(getopt --options $SHORTOPTS  --longoptions $LONGOPTS -- "$@")
 [ $? != 0 ] &&  { ERROR "error parsing getopt" ; exit 5 ; }
 eval set -- "$ARGS"
 while true; do
    case "$1" in
 	# -t --tests
        -o|--outdir)
            shift
            outdir="$1"
            ;;
        -v|--verbosity)
            shift
            verbosity="$1"
            ;;
        -B|--badssl)
 	    badssl=1
 	    ;;
        -D|--nodig)
 	    nodig=1
 	    ;;
        -T|--tests)
            shift
            tests="$1"
            ;;
        -V|--version)
            usage
            exit 0
            ;;
        -h|--help)
            usage
            exit 0
            ;;
        '--')
            shift
            HOSTS="$*"
            break
            ;;
        *)
 	    { ERROR "unrecognized arguments $*" ; exit 6 ; }
            break
            ;;
    esac
    shift
 done
 [ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
 [ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
 [ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
 kill_time=$( expr $timeout + 10 )
 [ -z "$tests" ] || \
 for elt in $tests ; do
    /usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
 done
 if which sslscan 2>/dev/null ; then
    sslscan='sslscan'
    SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
 else
    # no proxy support
    sslscan=''
 fi
 # sslscan --show-client-cas - no proxy
 openssl=openssl
 OPENSSL_ARGS="-4 -bugs -showcerts"
 if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
    testssl='testssl.bash'
    TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
    #? --ssl-native
    TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
 else
    # no proxy support
    testssl=''
 fi
 if [ -f /usr/local/bin/scurl.bash ] ; then
    curl="/usr/local/bin/scurl.bash -- -s -S"
 else
    curl='curl -s -S'
 fi
 CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
 if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
    analyze=$PREFIX/bin/analyze-ssl.pl.bash
    ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
 else
    analyze=""
 fi
 warns=0
 OUTR=$outdir/$prog-$NOW
 if [ $nodig -eq 0 ] ; then
    for item in $HOSTS ; do
 	i=0
 	OUTRF=$OUTR.$item
 	if [ $MODE = tor ] ; then
 	    torresolve $item > $OUTRF.dig.out 2>&1
 	    retval=$?
 	    [ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
 	elif false ; then
            nslookup $item > $OUTRF.nslookup.out 2>&1
 	#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
 	    #?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
 	else
 	    dig $item > $OUTRF.dig.out 2>&1
 	    [ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
 	    grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
 	fi
    done
 fi
 # [ -r /etc/tor/torrc ]
 # was https take precedence over socks
 if [ -n "$socks_proxy" ] ; then
    SOCKS_HOST=$( echo $socks_proxy|sed  -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //'  -e 's/ .*//' )
    SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
    openssl='torsocks openssl'
    #  --interface lo --dns-interface lo
    [ -n "$analyze" ] && analyze="torsocks $analyze"
    [ -n "$testssl" ] && testssl="torsocks $testssl"
    [ -n "$sslscan" ] && sslscan="torsocks $sslscan"
    if [  $MODE = tor -o $MODE = selektor ] ; then
 	sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
 	    { WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
    fi
    CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
    if [ ${HTTPS_HOST} = 127.0.0.1 ] ;  then
 	CURL_ARGS="$CURL_ARGS --interface"
    fi
    if netstat -nle4 | grep 127.0.1:53 ; then
 	CURL_ARGS="$CURL_ARGS --dns-interface lo"
      fi
  elif [ -n "$https_proxy" ] ; then
    HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
    HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
    OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
    TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
    CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
    ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
    [ -n "$testssl" ] && testssl="torsocks $testssl"
    [ -n "$sslscan" ] && sslscan="torsocks $sslscan"
 else
    : direct
 fi
 TENVS="DNS_VIA_PROXY=true"
 errs=0
 for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
    [ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
    for item in $HOSTS ; do
 	i=0
 	OUTRF=$OUTR.$item
 	if [ -n "$openssl" ] ; then
 	    INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
 	    echo $openssl s_client \
 		 -connect ${item}:443 -servername $item $OPENSSL_ARGS  --CAfile $CAFILE \
 		 < /dev/null > $OUTRF.s_client.out
 	    timeout ${kill_time}s \
 	      $openssl s_client \
 	      -connect ${item}:443 -servername $item $OPENSSL_ARGS  --CAfile $CAFILE \
 	      < /dev/null >> $OUTRF.s_client.out 2>&1
 	    # :error:\|
 	    if [ $? -eq 124 ] ; then
 		echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
 	    elif [ $? -ne 0 ] ; then
 		WARN "openssl s_client failed $? see $OUTRF.s_client.out"
 		i=$( expr $i + 1 )
 	    elif str='unable to get local issuer certificate' && \
 	    	 grep "$str" $OUTRF.s_client.out; then
 		WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
 		i=$( expr $i + 1 )
 	    elif str='Cipher is (NONE)' && \
 	    	 grep "$str" $OUTRF.s_client.out; then
 		WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
 		i=$( expr $i + 1 )
 	    elif str='SSL handshake has read 0 bytes' && \
 	    	 grep "$str" $OUTRF.s_client.out; then
 		WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
 		i=$( expr $i + 1 )
 	    else
 		echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
 		timeout ${kill_time}s \
 		  $openssl s_client -showcerts \
 		  -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
 		  > $OUTRF.s_client.certs 2>&1
 	    fi
 	fi
 	if [ -n "$sslscan" ] ; then
 	    echo $sslscan $SSLSCAN_ARGS  --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
 	    timeout ${kill_time}s \
 	      $sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
 	    if [ $? -eq 124 ] ; then
 		echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
 	    elif [ $? -ne 0 ] ; then
 		WARN "sslscan failed $? see $OUTRF.sslscan.out "
 		i=$( expr $i + 1 )
 	    elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
 		WARN "sslscan failed see $OUTRF.sslscan.out "
 		i=$( expr $i + 1 )
 	    elif grep 'Connection failed' $OUTRF.sslscan.out ; then
 		# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
 		WARN "sslscan failed see $OUTRF.sslscan.out "
 		i=$( expr $i + 1 )
 	    else
 		INFO "$sslscan $SSLSCAN_ARGS $item"
 	    fi
 	fi
 	if [ -n "$testssl" -a -n "$https_proxy" ] ; then
 	    # rDNS (140.82.114.3):    lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
 	    echo $TENVS $testssl $TESTSSL_ARGS $item >  $OUTRF.testssl.out
 	    env  $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
 	    if [ $? -ne 0 ] ; then
 		WARN "testssl failed $? see $OUTRF.testssl.out"
 		i=$( expr $i + 1 )
 	    elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
 		WARN "testssl failure see $OUTRF.testssl.out"
 		i=$( expr $i + 1 )
 	    else
 		INFO "$testssl $TESTSSL_ARGS $item"
 		echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty  $OUTRF.testssl.json $item"
 		env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty  $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
 	    fi
 	fi
 	if [ -n "$curl" ] ; then
 	    DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
 	    env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
 	    if [ $? -eq 0 ] ; then
 		grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
 		    { WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
 			i=$( expr $i + 1 ) ; } || \
 		    INFO $curl $CURL_ARGS $item
 	    else
 		INFO $curl $CURL_ARGS $item
 	    fi
 	fi
 	if [ -n "$analyze" ] ; then
 	    timeout ${kill_time}s \
 	      $analyze $ANALYZE_ARGS --name $item ${item}:443 \
 		    > $OUTRF.analyze-ssl.out 2>&1
 	    # certificate verified : ok
 	    if [ $? -eq 124 ] ; then
 		echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
 	    elif [ $? -eq 0 ] ; then
 		INFO "$analyze $ANALYZE_ARGS $item"
 	    else
 		WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
 		i=$( expr $i + 1 )
 	    fi
 	fi
 	[ $i -eq 0 ] && continue
 	WARN "$i failures for $item"
 	errs=$(expr $errs + $i )
 	DBUG $OUTRF.*.out
    done
 done
 find $OUTRF.* -type f -empty -delete
 exit $errs
--- a/overlay/Linux/usr/local/src/proxy_testssl_lib.bash
+++ b/overlay/Linux/usr/local/src/proxy_testssl_lib.bash
--- a/overlay/Linux/usr/local/src/proxy_whonix.bash
+++ b/overlay/Linux/usr/local/src/proxy_whonix.bash
@ -0,0 +1,137 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
 [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
 [ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
 . /usr/local/sbin/proxy_whonix_lib.bash || \
    { ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
 #. /usr/local/bin/proxy_ping_lib.bash || \
 #    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
 . /usr/local/bin/usr_local_base.bash || exit 2
 proxy_whonix_mode
 ## proxy_whonix_test_mode - proxy_whonix_host.bash test
 proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
    if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
 	/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
    fi
    return 0
 }
 ## proxy_whonix_status - proxy_ping_test.bash "$MODE"
 proxy_whonix_status () { DBUG proxy_whonix_status $* ;
    $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
    return 0
 }
 ## proxy_whonix_refresh
 proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
    local USAGE="python|pip"
    if [ "$#" -eq 0 ] ; then
 	echo USAGE: $prog $USAGE
    elif [ "$1" = '-h'  ] || [ "$1" = '--help' ] ; then
 	echo USAGE: $prog $USAGE or:
    elif [ "$1" = 'python' ] ; then
 	/usr/local/bin/testforge_clean_usr_local_lib.bash
    elif [ "$1" = 'pip' ] ; then
 	/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
 	/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
 	base_sheebang_after_pip.bash
    else
 	:
    fi
 }
 UPGRADE_USAGE="python|pip"
 ## proxy_whonix_update - $UPGRADE_USAGE
 proxy_whonix_update() {
    if [ "$#" -eq 0 ] ; then
 	echo USAGE: $prog $UPGRADE_USAGE
    elif [ "$1" = '-h'  ] || [ "$1" = '--help' ] ; then
 	echo USAGE: $prog $USAGE or:
    elif [ "$1" = 'python' ] ; then
 	:
    elif [ "$1" = 'pip' ] ; then
 	:
    else
 	:
    fi
 }
 TEST_USAGE="ssl|ping|mode|libvirt|ga"
 ## proxy_whonix_test - test $TEST_USAGE
 proxy_whonix_test () { DBUG proxy_whonix_test $* ;
    if [ "$#" -eq 0 ] ; then
 	echo USAGE: $prog $TEST_USAGE
    elif [ "$1" = '-h'  ] || [ "$1" = '--help' ] ; then
 	echo USAGE: $prog $USAGE or:
    elif [ "$1" = 'ssl' ] ; then
 	$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
    elif [ "$1" = 'mode' ] ; then
 	proxy_whonix_test_mode || exit 4$?
    elif [ "$1" = 'ping' ] ; then
 	$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
    elif [ "$1" = 'libvirt' ] ; then
 	$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
    elif [ "$1" = 'ga' ] ; then
 	$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
    else
 	:
    fi
    return 0
 }
 WD=$PWD
 if [ "$#" -eq 0 ] ; then
    echo USAGE: $prog $USAGE
    exit 0
  elif [ "$1" = '-h'  ] || [ "$1" = '--help' ] ; then
    echo USAGE: $prog $USAGE or:
    grep '^## ' $0 | sed -e 's/^## //'
    exit 0
  elif [ "$1" = client ] ; then
    shift
  elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
    [ $1 = ws ] && arg=workstation || arg=$1
    shift
    $PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
  elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
    $PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
  elif [ "$1" = host ] ; then
    shift
    $PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
  elif [ "$1" = refresh -o  "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
    arg=$1;shift
    proxy_whonix_$arg "$@"
  elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
    arg=$1;shift
    proxy_whonix_$arg "$@"
  elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
    :
  else
    DBUG $prog $*
    eval "$@"
    exit $?
  fi
 exit 0
--- a/overlay/Linux/usr/local/src/scurl.bash
+++ b/overlay/Linux/usr/local/src/scurl.bash
@ -0,0 +1,254 @@
 #!/bin/bash
 # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
 # must not use stdout
 prog=$( basename $0 .bash )
 PREFIX=/usr/local
 ROLE=proxy
 prog=scurl
 umask 022
 RETRIES=2
 SSL_VER=3
 . /usr/local/bin/proxy_ping_lib.bash
 [ -f /usr/local/bin/proxy_curl_lib.bash ] && \
   . /usr/local/bin/proxy_curl_lib.bash
 if ! grep -q "^wlan[1-9][ 	]00000000" /proc/net/route ; then
    WARN $prog we are not connected >&2
    exit -1
 fi
 usage="curls with some wget options
 Usage: $prog options -- curl-options
 Options:
 -P, --directory-prefix
 -X, --force-directories create directories to download to
 -C, --cacert            CA certs in .pem
 -M, --mode              proxy_ping_mode
 -S, --ssl               ssl version 2=tls1.2 3=tls1.3
 -Y, --ciphers           comma sep list of ciphers
 -Q, --quiet             --silent --show-error
 -h, --help              display this help and exit
 "
 if [[ $? -ne 0 ]]; then
    echo "$usage"
    exit 2
 fi
 declare -a LARGS
 # --location is required to follow redirects
 # im not sure about  --http2
 LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
 LARGS+=( --retry-delay 10 --show-error --fail )
 # --proto-redir https --proto =https is required to prevent protocol downgrades
 LARGS+=( --proto-redir https --proto-default https --proto =https )
 [ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
 [ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
 SSL_LIB=openssl # nss
 if [ -x $PREFIX/bin/curl.bash ] ; then
    EXE=$PREFIX/bin/curl.bash
 elif which scurl ; then
    EXE=`which scurl`
 else
    EXE=curl
 fi
 SHORT=M:QP:XC:F:hS:
 LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
 #? export POSIXLY_CORRECT=1
 PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
 eval set -- "$PARSED"
 P="$PWD"
 X="0"
 # echo DEBUG: WD=$WD rest=$*
 LOGF=/tmp/$prog$$.err
 SSL_CIPHERS=""
 while true; do
    case "$1" in
        -P|--directory-prefix)
 	    shift
            P="$1"
            shift
 	    # echo DEBUG: P=$WD rest=$*
            ;;
        -X|--force-directories)
            X=1
            shift
            ;;
        -S|--ssl)
            shift
            SSL_VER="$1"
            shift
            ;;
        -Y|--ciphers)
            shift
            SSL_CIPHERS="$1"
            shift
            ;;
        -C|--cacert|-Z|--ca-cert)
            shift
            CA_CERT="$1"
            shift
            ;;
        -M|--mode)
            shift
            MODE="$1"
            shift
            ;;
        -Q|--quiet)
            shift
 	    LARGS="$LARGS --silent  --show-error"
            ;;
        -h|--help)
            echo USAGE: "$usage"
            exit 0
            ;;
        --)
            shift
            break
            ;;
        *)
 	    # echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
 	    break
            ;;
    esac
 done
 [ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
 LARGS+=( --tlsv1.$SSL_VER )
 if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
    [ $SSL_LIB = openssl ] && \
      SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
    [ $SSL_LIB = nss ] && \
 	SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
 fi
 if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
    [ $SSL_LIB = openssl ] && \
      SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
    [ $SSL_LIB = nss ] && \
      SSL_CIPHERS="aes_256_gcm_sha_384"
 fi
 [ -n "$SSL_CIPHERS" ] && LARGS+=(  --ciphers "$SSL_CIPHERS" )
 if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
       netstat -nle4 | grep -q 127.0.0.1:53 ; then
    LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
 elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
    LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
 else
    debug 127.0.0.1:53 not running MODE=$MODE
 fi
 if ! uname -a | grep -q 'Devuan\|Debian' ; then
    if [ -f $HOME/.local/ ] ; then
 	[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
 	LARGS+=(  --alt-svc $HOME/.local/alt.svc )
 	# #define CURLALTSVC_H2           (1<<4)
    fi
    export CURLOPT_ALTSVC_CTRL=16
 fi
 declare -a RARGS
 RARGS=("$@")
 DBUG "$#" "${RARGS[*]}" >&2
 i=0
 while [ $i -le $RETRIES ] ; do
    # assumes one URL
    if [ "${#RARGS[@]}" -eq 1 ] ; then
 	the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
    else
 	the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
    fi
    RARGS[-1]="$the_url"
    site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
    i=`expr $i + 1`
    if [ "$X" = 1 ] ; then
 	rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
 	rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
 	rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
 	[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
 	output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
 	LARGS+=( --output "$output" --create-dirs )
    fi
    DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
    echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
         $EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
    retval=$?
    if [ "$retval" -eq 22 ] || \
 	   tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
 	# on 22 - change to HTTP code
 	code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
 	if [ "$code" = 416 ] ; then
    	    INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
 	    retval=$code
 	elif [ "$code" = 429 ] ; then
    	    ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
 	    retval=$code
 	    exit $retval
 	elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
 	    # 403 Cloudflare
    	    ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
 	    retval=$code
 	elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
    	    INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
 	else
    	    WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
 	fi
    elif [ "$retval" = 35 ] ; then
 	# 35 CURLE_SSL_CONNECT_ERROR
 	ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
 	# feedback to scurl_urls.sh
 	NOTLSV3+=( $site )
    elif [ "$retval" = 1 ] ; then
 	# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
 	WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
 	continue
    elif [ "$retval" = 92 ] ; then
 	# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
 	WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
 	continue
    elif [ "$retval" -ne 0 ] ; then
 	# curl: (3) URL using bad/illegal format or missing URL - worked
 	WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
    elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
 	WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
 	continue
    elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
 	WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
 	continue
    else
 	INFO  "$prog $output = $LOGF" >&2
 #	rm -f $LOGF
    fi
    break
    #  "$P/$rel_file"
    # if [ $retval -gt 0 ] ; then
    # The requested URL returned error: 416
    # if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
    # fi
 done
 exit $retval
--- a/overlay/Linux/usr/local/src/sdwdate.bash
+++ b/overlay/Linux/usr/local/src/sdwdate.bash
@ -0,0 +1,18 @@
 #!/bin/sh
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 PREFIX=/usr/local
 PREFIX=/usr/local
 ROLE=proxy
 if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
    if virsh|grep Whonix-Gateway ; then
    sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
    else
    sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
    sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
    fi
  fi
 export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
 exec python3.sh $PREFIX/bin/sdwdate_.py "$@"
--- a/overlay/Linux/usr/local/src/usr_local_proxy.bash
+++ b/overlay/Linux/usr/local/src/usr_local_proxy.bash
@ -0,0 +1,19 @@
 #!/bin/bash
 # -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
 [ -z "$prog" ] && prog=`basename $0 .bash`
 [ -z "$USER" ] && USER=$( id -un )
 ROLE=proxy
 [ -f /usr/local/bin/usr_local_tput.bash ] && \
 . /usr/local/bin/usr_local_tput.bash
 . /usr/local/src/usr_local_src.bash
 base=usr_local_proxy
 # DBUG 0=$0
 if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
    [ "$#" -eq 0 ] && exit 0
    [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
 	echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
    eval "$@"
    exit $?
 fi
--- a/tasks/Gentoo.yml
+++ b/tasks/Gentoo.yml
@ -19,8 +19,8 @@
    cd {{ BASE_ROOT_LOG_DIR }} || exit 2
    retval=0
    /usr/local/bin/usr_local_base.bash box_gentoo_emerge \
-        {{proxy_pkgs_bootstrap}} \
+        {{' '.join(proxy_pkgs_bootstrap)}} \
-        {{proxy_pkgs_inst}} \
+        {{' '.join(proxy_pkgs_inst)}} \
      && exit 0
    retval=$?
    echo WARN: $retval
@ -35,8 +35,8 @@
  shell:  |
    cd {{ BASE_ROOT_LOG_DIR }} || exit 2
    /usr/local/bin/usr_local_base.bash box_gentoo_emerge \
-        {{ proxy_pkgs_bootstrap }} \
+        {{ ' '.join(proxy_pkgs_bootstrap) }} \
-       {{ proxy_pkgs_inst_guest }} \
+       {{ ' '.join(proxy_pkgs_inst_guest) }} \
    || exit $?
  ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
  when:
--- a/tasks/Gentoo/Gentoo/main.yml
+++ b/tasks/Gentoo/Gentoo/main.yml
@ -13,4 +13,4 @@
 #- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml
+#- include_tasks: Gentoo/Pentoo/accept_keywords.yml
--- a/tasks/Gentoo/Pentoo/use.yml
+++ b/tasks/Gentoo/Pentoo/use.yml
@ -13,6 +13,14 @@
    block: |
      net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls 
 - name: "/etc/portage/package.use/2023-01-01_world.txt"
  blockinfile:
    dest: /etc/portage/package.use/2023-01-01_world.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy curl"
    block: |
      net-misc/curl static-libs
 - name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
  blockinfile:
    dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
@ -21,22 +29,6 @@
    block: |
      app-arch/unzip natspec
 - name: "/etc/portage/package.use/2020-00_ipv6.txt"
  blockinfile:
    dest: /etc/portage/package.use/2020-00_ipv6.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy nmap"
    block: |
      net-analyzer/nmap -ipv6
 - name: "/etc/portage/package.use/2021-00_verify-sig.txt"
  blockinfile:
    dest: /etc/portage/package.use/2021-00_verify-sig.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy nmap"
    block: |
      net-analyzer/nmap verify-sig
 - name: "/etc/portage/package.use/2019-02_rkhunter.txt"
  blockinfile:
    dest: /etc/portage/package.use/2019-02_rkhunter.txt
@ -53,3 +45,51 @@
    block: |
      sys-process/lsof -ipv6
 - name: "/etc/portage/package.use/2020-01_sqlite.txt"
  blockinfile:
    dest: /etc/portage/package.use/2020-01_sqlite.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy eix"
    block: |
      app-portage/eix sqlite
 - name: "/etc/portage/package.use/2020-00_ipv6.txt"
  blockinfile:
    dest: /etc/portage/package.use/2020-00_ipv6.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy socat"
    block: |
      net-misc/socat -ipv6
 - name: "/etc/portage/package.use/2020-00_ipv6.txt"
  blockinfile:
    dest: /etc/portage/package.use/2020-00_ipv6.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy privoxy"
    block: |
      net-proxy/privoxy -ipv6
 - name: "/etc/portage/package.use/2021-07_privoxy.txt"
  blockinfile:
    dest: /etc/portage/package.use/2021-07_privoxy.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy privoxy"
    block: |
      net-proxy/privoxy brotli whitelists -mbedtls openssl zlib external-filters
 - name: "/etc/portage/package.use/2020-00_ipv6.txt"
  blockinfile:
    dest: /etc/portage/package.use/2020-00_ipv6.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy nmap"
    block: |
      net-analyzer/nmap -ipv6
 - name: "/etc/portage/package.use/2021-00_verify-sig.txt"
  blockinfile:
    dest: /etc/portage/package.use/2021-00_verify-sig.txt
    create: true
    marker: "# {mark} Ansible Managed Block proxy nmap"
    block: |
      net-analyzer/nmap verify-sig
--- a/tasks/dns.yml
+++ b/tasks/dns.yml
@ -67,11 +67,22 @@
      nameserver 127.0.0.1
  when:
    - PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
-
+    - PROXY_MODE in ['tor', 'selektor', 'whonix']
 # stop dhclient from overwriting resolv.conf
 # with scripts in /lib/dhcpcd/dhcpcd-hooks/
 # FixMe: /etc/dhcp/dhcp-client.conf?
 - name: "/etc/resolv.conf"
  blockinfile:
    dest: /etc/resolv.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    create: yes
    block: |
      nameserver 10.0.2.2
  when:
    - PROXY_MODE in ['nat']
    - "'{{BOX_NBD_OVERLAY_BR}}' == 'virbr1'"
 # dnscrypt is not a system service
 - name: "service disable not {{PROXY_DNS_PROXY}}"
  service:
--- a/tasks/hourly.yml
+++ b/tasks/hourly.yml
@ -86,6 +86,8 @@
    umask 0027
    echo "INFO: proxy_log_hourly"
    cd {{USR_LOCAL}}/bin
    export MODE={{PROXY_MODE}}
    . proxy_export.bash
    [ -x proxy_hourly.bash ] || exit 0
    bash proxy_hourly.bash
  register: proxy_log_hourly
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -113,7 +113,7 @@
      /usr/local/sbin/base_patch_from_diff.bash *
  when:
-    - true or ansible_distribution == 'Gentoo'
+    - false and ansible_distribution == 'Gentoo'
 - name: install proxy pips 2
  changed_when: false
@ -168,7 +168,6 @@
  environment: "{{ shell_proxy_env }}"
  shell: |
    umask 0002
    #?    usr_local_python.bash
    [ ! -f  usr_local_proxy.bash ] && exit 1
    bash usr_local_python.bash \
      {{ 'check' if ansible_check_mode }}
@ -248,17 +247,6 @@
  loop_control:
    loop_var: LOOP_USER
 - name: "/usr/local/etc/testforge/testforge.ini BOF"
  lineinfile:
    dest: "/usr/local/etc/testforge/testforge.ini"
    insertbefore: BOF
    mode:  0755
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: yes
    regexp: "# -.- mode: sh; tab-width: 0; coding: utf-8-unix -.-"
    line: "# -*- mode: sh; tab-width: 0; coding: utf-8-unix -*-"
 - name: /usr/local/etc/testforge/testforge.ini proxy
  blockinfile:
    dest: /usr/local/etc/testforge/testforge.ini
@ -306,6 +294,25 @@
    - true or CORP_NTLM_PROXY|default('') != ''
  notify: update facts
 - block:
  - name: external
    delegate_to: localhost
    shell: |
      grep ' external$' /etc/hosts | sed -e 's/ .*//'
    register: external_out
    check_mode: false
  - name: BASE_EXTERNAL_IP
    set_fact:
      BASE_EXTERNAL_IP: "{{external_out.stdout}}"
    when: external_out.rc|default(1) == 0
    check_mode: false
  when:
    - "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
    - BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
 - name: "include dns.yml tasks"
  include_tasks: "dns.yml"
  when:
--- a/tasks/proxy_mode.yml
+++ b/tasks/proxy_mode.yml
@ -147,4 +147,4 @@
  check_mode: false
  rescue:
    - debug:
-        msg: "WARN: error including proxy_export.txt"
+        msg: "WARN: RESCUE error including proxy_export.txt"
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -40,44 +40,11 @@
 - block:
  # dont change the environment for everyone with env.d/70proxy
  # manually include tor.sh
  - name: "/usr/local/share/scripts/box_proxy_tor.bash no_proxy /bin/sh"
    lineinfile:
      path: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
      create: yes
      owner: "{{ item.owner }}"
      mode: "{{ item.mode }}"
      insertafter: BOF
      line: "#!/bin/sh"
      regexp: "#./bin/sh"
    with_items:
      - dest: "~{{LOOP_USER}}/bin"
        owner: "{{ LOOP_USER }}"
        mode: "0755"
  # unused?
  - name: ~/bin/box_proxy_tor.bash no_proxy
    blockinfile:
      dest: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
      create: yes
      marker: "# {mark} ANSIBLE MANAGED BLOCK proxy noproxy"
      insertafter: "#./bin/sh"
      mode: "{{ item.mode }}"
      block: |
         [ -f {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash ] && . {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash
         [ -n "$no_proxy" ] && export no_proxy=$no_proxy || export no_proxy={{ NO_PROXY }}
    when:
      - "LOOP_USER != 'portage'"
    with_items:
      - dest: "~{{LOOP_USER}}/bin"
        owner: "{{ LOOP_USER }}"
        mode: "0755"
  - name: /etc/dirmngr/dirmngr.conf
    shell: |
      [ -e "/etc/dirmngr/dirmngr.conf" ] || exit 0
      [ -e "{{ item|expanduser }}" ] && exit 0
      [ -d "`dirname {{ item|expanduser }}`" ] || exit 0
      ln -s "/etc/dirmngr/dirmngr.conf" "{{ item|expanduser }}"
    with_items:
      - "~{{LOOP_USER}}/.gpg/dirmngr.conf"
--- a/tasks/whonix_guest.yml
+++ b/tasks/whonix_guest.yml
@ -28,19 +28,6 @@
    shell: |
      [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]
  - name: external
    delegate_to: localhost
    shell: |
      grep ' external$' /etc/hosts | sed -e 's/ .*//'
    register: external_out
    check_mode: false
  - name: BASE_EXTERNAL_IP
    set_fact:
      BASE_EXTERNAL_IP: "{{external_out.stdout}}"
    when: external_out.rc|default(1) == 0
    check_mode: false
  when:
    - "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
    - BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
--- a/tasks/whonix_host.yml
+++ b/tasks/whonix_host.yml
@ -233,7 +233,7 @@
  - name: /usr/local/src/secbrowser.bash
    shell: |
      [ -f /usr/local/src/secbrowser.bash ] && exit 0
-      /local/src/secbrowser.bash
+      /usr/local/local/src/secbrowser.bash
    when:
      - BOX_OS_FLAVOR|default('') == 'KickSecure'
  when:
--- a/templates/etc/firewall.sh
+++ b/templates/etc/firewall.sh
@ -0,0 +1,4 @@
 #!/bin/sh
 for file in * ; do mv $file $file.bak ; cp -p /etc/$file . ; done
--- a/vars/Gentoo2.yml
+++ b/vars/Gentoo2.yml
@ -26,6 +26,7 @@ proxy_pkgs_bootstrap:
  - linux-firmware
  - net-dns/bind-tools
  - net-misc/socat
  - app-portage/gentoolkit
 proxy_pkgs_inst:
 # move these to testforge - epecially gnupg for static
`@ -13,4 +13,4 @@`

	`#- include_tasks: Gentoo/Pentoo/mask.yml`	`#- include_tasks: Gentoo/Pentoo/mask.yml`

	`- include_tasks: Gentoo/Pentoo/accept_keywords.yml`	`#- include_tasks: Gentoo/Pentoo/accept_keywords.yml`
		`@ -0,0 +1,4 @@`
							`#!/bin/sh`

							`for file in * ; do mv $file $file.bak ; cp -p /etc/$file . ; done`