#! /usr/bin/perl -w
#
# The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
package Shorewall::Compiler;

require Exporter;

use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Nat;
use Shorewall::Providers;
use Shorewall::Tc;
use Shorewall::Tunnels;
use Shorewall::Accounting;
use Shorewall::Rules;
use Shorewall::Proc;
use Shorewall::Proxyarp;
use Shorewall::Raw;
use Shorewall::Misc;
use Shorewall::ARP;

#
# NOTE(review): only 'use strict' is enabled in this module. The '-w' on the
# shebang line takes effect when the file is executed directly, not when it is
# loaded with 'use'/'require', so warnings inside this module require an
# explicit 'use warnings;'.
#
use strict;

our @ISA = qw(Exporter);
our @EXPORT = qw( compiler );
our @EXPORT_OK = qw( $export );
our $VERSION = 'MODULEVERSION';

#
# Package globals shared by the script-generation stages below.
#
# $export, $test and $have_arptables are reset to 0 at the top of compiler();
# $export, $test and $family are then set from compiler()'s named parameters.
#
# $export         - true when compiling for Shorewall[6] Lite on another system;
#                   selects the '-lite' directories and product names that are
#                   written into the generated script.
# $test           - true suppresses the version and date stamps in the output
#                   (keeps generated scripts reproducible).
# $family         - F_IPV4 or F_IPV6; passed to each module's initialize().
# $have_arptables - gates emission of the arptables load/setup code; presumably
#                   set while arptables rules are processed (not visible here).
#
our $export;
our $test;
our $family;
our $have_arptables;

#
# Initialize the package-globals in the other modules
#
sub initialize_package_globals( $$$ ) {
    #
    # The first argument is handed to Shorewall::Zones::initialize, the second
    # and third to Shorewall::Config::initialize; their meaning is fixed by the
    # caller in compiler() (not visible here). $family and $export must already
    # have been set.
    #
    my ( $zones_arg, $config_arg1, $config_arg2 ) = @_;

    #
    # Config, Chains and Zones take extra arguments; they are initialized first,
    # in the same order as before.
    #
    Shorewall::Config::initialize( $family, $config_arg1, $config_arg2 );
    Shorewall::Chains::initialize( $family, 1, $export );
    Shorewall::Zones::initialize( $family, $zones_arg );

    #
    # The remaining modules are initialized in this fixed order; all but
    # Accounting receive the address family.
    #
    my @initializers = (
	[ \&Shorewall::Nat::initialize,        $family ],
	[ \&Shorewall::Providers::initialize,  $family ],
	[ \&Shorewall::Tc::initialize,         $family ],
	[ \&Shorewall::Accounting::initialize          ],
	[ \&Shorewall::Rules::initialize,      $family ],
	[ \&Shorewall::Proxyarp::initialize,   $family ],
	[ \&Shorewall::IPAddrs::initialize,    $family ],
	[ \&Shorewall::Misc::initialize,       $family ],
	[ \&Shorewall::Raw::initialize,        $family ],
    );

    for my $entry ( @initializers ) {
	my ( $init, @args ) = @$entry;
	$init->( @args );
    }
}

#
# First stage of script generation.
#
# Copy lib.core and lib.common to the generated script.
# Generate the various user-exit jacket functions.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the output script file.
#
sub generate_script_1( $ ) {
    my $script = shift;

    #
    # Script header followed by the shipped shell libraries. With $test set the
    # header carries no version or date (reproducible output) and the library
    # copies are skipped.
    #
    if ( $script ) {
	unless ( $test ) {
	    my $date = localtime;

	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

	    copy $globals{SHAREDIRPL} . '/lib.core', 0;
	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
	} else {
	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
	}
    }

    #
    # Optional administrator-supplied shell library, copied verbatim into the
    # script. The generated script is run with root privileges (it drives
    # iptables-restore), so this file -- like the extension scripts below --
    # becomes part of the privileged code path; nothing here checks its
    # ownership or mode.
    #
    my $private_lib = find_file 'lib.private';

    copy2( $private_lib, $debug ) if -f $private_lib;

    emit <<'EOF';
################################################################################
# Functions to execute the various user exits (extension scripts)
################################################################################
EOF

    #
    # Every extension script becomes a run_<name>_exit() jacket whose body is
    # the script's contents, or 'true' when append_file() reports nothing was
    # appended. The extra flag is passed to append_file() only for the
    # 'isusable' and 'findgw' exits, as before.
    #
    my $emit_jacket = sub {
	my ( $exit, $flagged ) = @_;

	emit "\nrun_${exit}_exit() {";
	push_indent;
	( $flagged ? append_file( $exit, 1 ) : append_file( $exit ) ) or emit 'true';
	pop_indent;
	emit '}';
    };

    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
	$emit_jacket->( $exit, 0 );
    }

    for my $exit ( qw/isusable findgw/ ) {
	$emit_jacket->( $exit, 1 );
    }

    emit <<'EOF';
################################################################################
# End user exit functions
################################################################################
EOF

}

#
# Second stage of script generation.
#
# Generate the 'initialize()' function.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the output script file.
#
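sub generate_script_2() {

    #
    # Emit the shell initialize() function. 'umask 077' is the first statement
    # so that every file the script later creates under ${VARDIR} is private
    # to its owner.
    #
    emit ( '',
	   '#',
	   '# This function initializes the global variables used by the program',
	   '#',
	   'initialize()',
	   '{',
	   '    #',
	   '    # Be sure that umask is sane',
	   '    #',
	   '    umask 077' );

    emit ( '',
	   '    #',
	   '    # These variables are required by the library functions called in this script',
	   '    #'
	 );

    push_indent;

    #
    # Everything written into the script that describes the *target* system
    # comes from %shorewallrc1 (VARDIR, VARLIB, CONFDIR, SHAREDIR below). The
    # TEMPDIR test and the emitted TMPDIR value must therefore use the same
    # hash; previously the value was taken from %shorewallrc, so a target with
    # TEMPDIR set but a compile host without it produced an empty exported
    # TMPDIR.
    #
    if ( $shorewallrc1{TEMPDIR} ) {
	emit( '',
	      qq(TMPDIR="$shorewallrc1{TEMPDIR}") ,
	      q(export TMPDIR) );
    }

    if ( $family == F_IPV4 ) {
	emit( 'g_family=4' );

	if ( $export ) {
	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
		   'g_product="Shorewall Lite"',
		   'g_program=shorewall-lite',
		   'g_basedir=/usr/share/shorewall-lite',
		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
		 );
	} else {
	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
		   'g_product=Shorewall',
		   'g_program=shorewall',
		   'g_basedir=/usr/share/shorewall',
		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
		 );
	}
    } else {
	emit( 'g_family=6' );

	if ( $export ) {
	    #
	    # SHAREDIR now comes from %shorewallrc1, matching the IPv4 Lite
	    # branch above (it previously used %shorewallrc, i.e. the compile
	    # host's share directory).
	    #
	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
		   'g_product="Shorewall6 Lite"',
		   'g_program=shorewall6-lite',
		   'g_basedir=/usr/share/shorewall6',
		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc1{SHAREDIR}/shorewall6-lite") ,
		 );
	} else {
	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
		   'g_product=Shorewall6',
		   'g_program=shorewall6',
		   'g_basedir=/usr/share/shorewall',
		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
		 );
	}
    }

    #
    # ${g_confdir}/vardir is *sourced* by the generated script (arbitrary shell
    # executed as root), so it must be trusted to the same degree as the rest
    # of the configuration directory. VARDIR/VARLIB fall back to the target's
    # shorewallrc values when the file does not set them.
    #
    emit ( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );

    emit 'TEMPFILE=';

    propagateconfig;

    my @dont_load = split_list $config{DONT_LOAD}, 'module';

    emit ( '[ -n "${COMMAND:=restart}" ]',
	   '[ -n "${VERBOSITY:=0}" ]',
	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );

    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;

    emit ( qq(PATH="$config{PATH}") ,
	   'TERMINATOR=fatal_error' ,
	   qq(DONT_LOAD="@dont_load") ,
	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
	   ''
	 );

    set_chain_variables;

    #
    # arptables is needed when arptables rules were compiled in or when the
    # script must save/restore the ARP tables. An explicit ARPTABLES setting is
    # validated for executability; otherwise the binary is located at runtime.
    #
    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};

    if ( my $arptables = $config{ARPTABLES} ) {
	emit( qq(ARPTABLES="$arptables"),
	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
	    );
    } elsif ( $need_arptables ) {
	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
    }

    if ( $need_arptables ) {
	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
    }

    #
    # EXPORTPARAMS copies the params file into the script verbatim (it is then
    # evaluated as shell on the target); otherwise the parameter values are
    # exported by the compiler.
    #
    if ( $config{EXPORTPARAMS} ) {
	append_file 'params';
    } else {
	export_params;
    }

    emit ( '',
	   "g_stopping=",
	   '',
	   '#',
	   '# The library requires that ${VARDIR} exist',
	   '#',
	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
	 );

    pop_indent;

    emit "\n}\n"; # End of initialize()

    #
    # detect_configuration(): when address variables are used, their values are
    # detected at run time. NOT_RESTORE variables get a 'case $COMMAND' with a
    # separate 'restore)' arm; ALL_COMMANDS variables are detected in both arms.
    #
    emit( '' ,
	  '#' ,
	  '# Set global variables holding detected IP information' ,
	  '#' ,
	  'detect_configuration()',
	  '{' );

    my $global_variables = have_global_variables;

    push_indent;

    if ( $global_variables ) {
	if ( $global_variables & NOT_RESTORE ) {
	    emit( 'case $COMMAND in' );
	    push_indent;
	    emit 'restore)';
	    push_indent;

	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
		set_global_variables(0);
		handle_optional_interfaces(0);
	    }

	    emit ';;';
	    pop_indent;
	    emit '*)';
	    push_indent;
	}

	set_global_variables(1);

	if ( $global_variables & NOT_RESTORE ) {
	    handle_optional_interfaces(0);
	    emit ';;';
	    pop_indent;
	    pop_indent;
	    emit ( 'esac' );
	} else {
	    handle_optional_interfaces(1);
	}
    } else {
	#
	# A shell function body may not be empty.
	#
	emit( 'true' ) unless handle_optional_interfaces(1);
    }

    pop_indent;

    emit "\n}\n"; # End of detect_configuration()

}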

#
# Final stage of script generation.
#
# Generate code for loading the various files in /var/lib/shorewall[6][-lite]
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
# Generate the 'setup_netfilter()' function that runs iptables-restore.
# Generate the 'define_firewall()' function.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the output script file.
#
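sub generate_script_3($) {

    if ( $family == F_IPV4 ) {
	progress_message2 "Creating iptables-restore input...";
    } else {
	progress_message2 "Creating ip6tables-restore input...";
    }

    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );

    emit "#\n# Start/Restart the Firewall\n#";

    emit 'define_firewall() {';

    push_indent;

    save_progress_message 'Initializing...';

    if ( $export || $config{EXPORTMODULES} ) {
	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );

	#
	# Inline the modules/helpers file when EXPORTMODULES is set, or when
	# exporting and the file found is not the stock one under
	# $globals{SHAREDIR}. The test now uses '!~' against a \Q..\E-quoted
	# prefix: the earlier form '! $fn =~ "^$globals{SHAREDIR}/"' applied
	# the negation to $fn *before* matching (unary '!' binds tighter than
	# '=~'), so the export branch was never taken, and an unquoted
	# SHAREDIR would be interpreted as a regex.
	#
	# Note that the file is written with an unquoted '<< EOF' delimiter,
	# so its contents are subject to shell parameter/command expansion
	# when the generated script runs.
	#
	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && $fn !~ m{^\Q$globals{SHAREDIR}\E/} ) ) ) {
	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
	    emit 'cat > ${VARDIR}/.modules << EOF';
	    open_file $fn;

	    emit_unindented $currentline while read_a_line( NORMAL_READ );

	    emit_unindented 'EOF';
	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
	} else {
	    emit 'load_kernel_modules Yes';
	}
    } else {
	emit 'load_kernel_modules Yes';
    }

    emit '';

    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
	   '    run_refresh_exit' ,
	   'else' ,
	   '    run_init_exit',
	   'fi',
	   '' );

    load_ipsets;
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
    mark_firewall_not_started;

    #
    # Undo address state left by the previous run: proxy ARP/NDP entries and
    # the aliases recorded in ${VARDIR}/nat.
    #
    if ( $family == F_IPV4 ) {
	emit ( '',
	       'delete_proxyarp',
	       ''
	     );

	if ( have_capability( 'NAT_ENABLED' ) ) {
	    emit( 'if [ -f ${VARDIR}/nat ]; then',
		  '    while read external interface; do',
		  '        del_ip_addr $external $interface',
		  '    done < ${VARDIR}/nat',
		  '',
		  '    rm -f ${VARDIR}/nat',
		  "fi\n" );
	}

	emit "disable_ipv6\n" if $config{DISABLE_IPV6};

    } else {
	if ( have_capability( 'NAT_ENABLED' ) ) {
	    emit( 'if [ -f ${VARDIR}/nat ]; then',
		  '    while read external interface; do',
		  '        del_ip_addr $external $interface',
		  '    done < ${VARDIR}/nat',
		  '',
		  '    rm -f ${VARDIR}/nat',
		  "fi\n" );
	}

	emit ('',
	      'delete_proxyndp',
	      ''
	     );
    }

    emit qq(delete_tc1\n) if $config{CLEAR_TC};

    emit( 'setup_common_rules', '' );

    emit( 'setup_routing_and_traffic_shaping', '' );

    if ( $family == F_IPV4 ) {
	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    } else {
	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
    }

    dump_proxy_arp;
    emit_unindented '__EOF__';

    #
    # Zone, policy and mark layouts are only rewritten on a full (re)start.
    #
    emit( '',
	  'if [ "$COMMAND" != refresh ]; then' );

    push_indent;

    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';

    emit 'cat > ${VARDIR}/policies << __EOF__';
    save_policies;
    emit_unindented '__EOF__';

    emit 'cat > ${VARDIR}/marks << __EOF__';
    dump_mark_layout;
    emit_unindented '__EOF__';

    pop_indent;

    emit "fi\n";

    emit '> ${VARDIR}/nat';

    add_addresses;

    #
    # restore: feed the saved ruleset to iptables-restore (and arptables-restore
    # when SAVE_ARPTABLES is set).
    #
    emit( '',
	  'if [ $COMMAND = restore ]; then',
	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
	  '    if [ -f $iptables_save_file ]; then' );

    if ( $family == F_IPV4 ) {
	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );

	emit( '',
	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
	      '        if [ -f $arptables_save_file ]; then',
	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
	      '        fi')
	    if $config{SAVE_ARPTABLES};

    } else {
	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux';
    }

    emit( '    else',
	  '        fatal_error "$iptables_save_file does not exist"',
	  '    fi',
	  ''
	);

    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
    pop_indent;

    my $config_dir = $globals{CONFIGDIR};

    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
elif [ \$COMMAND = refresh ]; then
    chainlist_reload
EOF

    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
    pop_indent;
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
    emit(
	  '    run_refreshed_exit',
	  '    do_iptables -N shorewall' );

    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

    #
    # Same my_pathname() comparison as the start branch below: the earlier
    # form compared $0 but copied $(my_pathname), so the two could disagree.
    #
    emit(
	  "    set_state Started $config_dir",
	  '    my_pathname=$(my_pathname)',
	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
	  'else',
	  '    setup_netfilter'
	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;

    emit<<'EOF';
    conditionally_flush_conntrack
EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;

    emit<<"EOF";
    run_start_exit
    do_iptables -N shorewall
EOF

    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

    emit<<"EOF";
    set_state Started $config_dir
    my_pathname=\$(my_pathname)
    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
    run_started_exit
fi
EOF

    emit<<'EOF';
date > ${VARDIR}/restarted

case $COMMAND in
    start)
        logger -p kern.info "$g_product started"
        ;;
    restart)
        logger -p kern.info "$g_product restarted"
        ;;
    refresh)
        logger -p kern.info "$g_product refreshed"
        ;;
    restore)
        logger -p kern.info "$g_product restored"
        ;;
esac
EOF

    pop_indent;

    emit "}\n";

}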

#
# The Compiler.
#
# Arguments are named -- see %parms below.
#
sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules ) =
|
|
|
|
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 );
$export = 0;
$test = 0;
$have_arptables = 0;
#
# Parameter validator: accepts 0 or 1 (anything numeric_value() parses to a
# number in [0,2)). Although written inside compiler(), a named sub is
# package-level in Perl; it closes over nothing, so that is harmless.
#
sub validate_boolean( $ ) {
    my $parsed = numeric_value( shift );

    return defined $parsed && $parsed >= 0 && $parsed < 2;
}
#
# Parameter validator: a numeric verbosity level within
# [MIN_VERBOSITY, MAX_VERBOSITY] inclusive.
#
sub validate_verbosity( $ ) {
    my $level = numeric_value( shift );

    return defined $level && $level >= MIN_VERBOSITY && $level <= MAX_VERBOSITY;
}
#
# Parameter validator: the address family must be exactly F_IPV4 or F_IPV6.
#
sub validate_family( $ ) {
    my $fam = numeric_value( shift );

    return 0 unless defined $fam;

    return $fam == F_IPV4 || $fam == F_IPV6;
}
my %parms = ( object => { store => \$scriptfilename }, #Deprecated
|
|
|
|
script => { store => \$scriptfilename },
|
2009-02-22 18:30:14 +01:00
|
|
|
directory => { store => \$directory },
|
2009-07-22 19:43:53 +02:00
|
|
|
family => { store => \$family , validate => \&validate_family } ,
|
|
|
|
verbosity => { store => \$verbosity , validate => \&validate_verbosity } ,
|
|
|
|
timestamp => { store => \$timestamp, validate => \&validate_boolean } ,
|
|
|
|
debug => { store => \$debug, validate => \&validate_boolean } ,
|
|
|
|
export => { store => \$export , validate => \&validate_boolean } ,
|
2009-02-22 18:30:14 +01:00
|
|
|
chains => { store => \$chains },
|
|
|
|
log => { store => \$log },
|
2009-07-22 19:43:53 +02:00
|
|
|
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
|
2009-02-22 18:30:14 +01:00
|
|
|
test => { store => \$test },
|
2012-04-24 23:52:57 +02:00
|
|
|
preview => { store => \$preview, validate=> \&validate_boolean } ,
|
2011-06-18 22:03:55 +02:00
|
|
|
confess => { store => \$confess, validate=> \&validate_boolean } ,
|
2011-06-19 16:14:27 +02:00
|
|
|
update => { store => \$update, validate=> \&validate_boolean } ,
|
2011-11-08 21:59:40 +01:00
|
|
|
convert => { store => \$convert, validate=> \&validate_boolean } ,
|
2011-12-02 16:36:23 +01:00
|
|
|
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
|
2013-12-15 02:54:10 +01:00
|
|
|
inline => { store => \$inline, validate=> \&validate_boolean } ,
|
2012-12-23 19:50:31 +01:00
|
|
|
directives => { store => \$directives, validate=> \&validate_boolean } ,
|
2014-02-15 18:36:13 +01:00
|
|
|
tcrules => { store => \$tcrules, validate=> \&validate_boolean } ,
|
2011-12-02 16:36:23 +01:00
|
|
|
config_path => { store => \$config_path } ,
|
2012-04-01 19:47:24 +02:00
|
|
|
shorewallrc => { store => \$shorewallrc } ,
|
2012-09-04 00:07:50 +02:00
|
|
|
shorewallrc1 => { store => \$shorewallrc1 } ,
|
2009-02-22 18:30:14 +01:00
|
|
|
);
|
|
|
|
#
|
|
|
|
# P A R A M E T E R P R O C E S S I N G
|
|
|
|
#
|
|
|
|
while ( defined ( my $name = shift ) ) {
|
|
|
|
fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name};
|
|
|
|
fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ;
|
2009-07-22 19:43:53 +02:00
|
|
|
if ( $ref->{validate} ) {
|
|
|
|
fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{validate}->($val);
|
2009-02-22 18:30:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
${$ref->{store}} = $val;
|
|
|
|
}
|
|
|
|
|
2009-08-16 18:24:51 +02:00
|
|
|
#
|
2009-08-17 21:58:50 +02:00
|
|
|
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
|
2009-08-16 18:24:51 +02:00
|
|
|
#
|
2012-09-04 00:07:50 +02:00
|
|
|
initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
|
2009-02-22 18:30:14 +01:00
|
|
|
|
2011-12-02 16:36:23 +01:00
|
|
|
set_config_path( $config_path ) if $config_path;
|
|
|
|
|
2009-02-22 18:30:14 +01:00
|
|
|
if ( $directory ne '' ) {
|
|
|
|
fatal_error "$directory is not an existing directory" unless -d $directory;
|
|
|
|
set_shorewall_dir( $directory );
|
|
|
|
}
|
|
|
|
|
2010-03-29 18:48:23 +02:00
|
|
|
$verbosity = 1 if $debug && $verbosity < 1;
|
|
|
|
|
2009-08-22 16:57:55 +02:00
|
|
|
set_verbosity( $verbosity );
|
2009-02-22 18:30:14 +01:00
|
|
|
set_log($log, $log_verbosity) if $log;
|
|
|
|
set_timestamp( $timestamp );
|
2011-05-24 19:21:49 +02:00
|
|
|
set_debug( $debug , $confess );
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# S H O R E W A L L . C O N F A N D C A P A B I L I T I E S
|
|
|
|
#
|
2013-12-15 02:54:10 +01:00
|
|
|
get_configuration( $export , $update , $annotate , $directives , $inline );
|
2012-01-17 16:24:12 +01:00
|
|
|
#
|
|
|
|
# Create a temp file to hold the script
|
|
|
|
#
|
2009-10-08 18:48:15 +02:00
|
|
|
if ( $scriptfilename ) {
|
2009-08-22 18:39:15 +02:00
|
|
|
set_command( 'compile', 'Compiling', 'Compiled' );
|
2009-10-08 18:48:15 +02:00
|
|
|
create_temp_script( $scriptfilename , $export );
|
2009-08-17 20:22:03 +02:00
|
|
|
} else {
|
|
|
|
set_command( 'check', 'Checking', 'Checked' );
|
2009-02-22 18:30:14 +01:00
|
|
|
}
|
2009-09-04 00:24:19 +02:00
|
|
|
#
|
|
|
|
# Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
|
2012-01-17 16:24:12 +01:00
|
|
|
# now when shorewall.conf has been processed and the capabilities have been determined.
|
2009-09-04 00:24:19 +02:00
|
|
|
#
|
2011-05-26 23:11:36 +02:00
|
|
|
initialize_chain_table(1);
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# Allow user to load Perl modules
|
|
|
|
#
|
|
|
|
run_user_exit1 'compile';
|
|
|
|
#
|
|
|
|
# Z O N E D E F I N I T I O N
|
|
|
|
# (Produces no output to the compiled script)
|
|
|
|
#
|
|
|
|
determine_zones;
|
|
|
|
#
|
|
|
|
# Process the interfaces file.
|
|
|
|
#
|
|
|
|
validate_interfaces_file ( $export );
|
|
|
|
#
|
|
|
|
# Process the hosts file.
|
2009-09-13 18:13:50 +02:00
|
|
|
#
|
2009-02-22 18:30:14 +01:00
|
|
|
validate_hosts_file;
|
|
|
|
#
|
|
|
|
# Report zone contents
|
|
|
|
#
|
|
|
|
zone_report;
|
|
|
|
#
|
|
|
|
# Do action pre-processing.
|
|
|
|
#
|
2011-05-20 19:46:18 +02:00
|
|
|
process_actions;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# P O L I C Y
|
|
|
|
# (Produces no output to the compiled script)
|
|
|
|
#
|
2011-02-21 17:13:46 +01:00
|
|
|
process_policies;
|
2009-03-21 17:45:27 +01:00
|
|
|
|
2009-10-06 00:43:29 +02:00
|
|
|
enable_script;
|
2009-08-20 23:32:15 +02:00
|
|
|
|
2010-03-29 18:48:23 +02:00
|
|
|
if ( $scriptfilename || $debug ) {
|
2009-03-21 17:45:27 +01:00
|
|
|
#
|
2009-10-06 00:43:29 +02:00
|
|
|
# Place Header in the script
|
2009-03-21 17:45:27 +01:00
|
|
|
#
|
2010-03-29 18:48:23 +02:00
|
|
|
generate_script_1( $scriptfilename );
|
2009-03-03 05:07:33 +01:00
|
|
|
#
|
|
|
|
# C O M M O N _ R U L E S
|
|
|
|
# (Writes the setup_common_rules() function to the compiled script)
|
|
|
|
#
|
2009-02-22 18:30:14 +01:00
|
|
|
emit( "\n#",
|
|
|
|
'# Setup Common Rules (/proc)',
|
|
|
|
'#',
|
|
|
|
'setup_common_rules() {'
|
|
|
|
);
|
|
|
|
|
|
|
|
push_indent;
|
2009-08-20 23:32:15 +02:00
|
|
|
}
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2010-02-15 23:07:35 +01:00
|
|
|
# Do all of the zone-independent stuff (mostly /proc)
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2014-05-16 23:46:15 +02:00
|
|
|
add_common_rules( $convert, $tcrules );
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2010-02-15 23:07:35 +01:00
|
|
|
# More /proc
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
if ( $family == F_IPV4 ) {
|
|
|
|
setup_arp_filtering;
|
|
|
|
setup_route_filtering;
|
|
|
|
setup_martian_logging;
|
|
|
|
}
|
|
|
|
|
|
|
|
setup_source_routing($family);
|
|
|
|
#
|
|
|
|
# Proxy Arp/Ndp
|
|
|
|
#
|
|
|
|
setup_proxy_arp;
|
|
|
|
|
2012-08-12 17:43:28 +02:00
|
|
|
emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
|
2012-08-04 04:26:02 +02:00
|
|
|
'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
|
2012-08-12 17:43:28 +02:00
|
|
|
' progress_message "Disabling Kernel Automatic Helper Association"',
|
|
|
|
" echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
|
2012-08-04 04:26:02 +02:00
|
|
|
'fi',
|
|
|
|
''
|
|
|
|
);
|
|
|
|
|
2013-03-31 00:44:18 +01:00
|
|
|
setup_accept_ra if $family == F_IPV6;
|
|
|
|
|
2010-03-29 18:48:23 +02:00
|
|
|
if ( $scriptfilename || $debug ) {
|
2009-04-18 18:20:06 +02:00
|
|
|
emit 'return 0';
|
2009-02-22 18:30:14 +01:00
|
|
|
pop_indent;
|
2011-09-03 17:44:15 +02:00
|
|
|
emit '}'; # End of setup_common_rules()
|
2009-02-22 18:30:14 +01:00
|
|
|
}
|
|
|
|
|
2009-10-06 00:43:29 +02:00
|
|
|
disable_script;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
|
|
|
|
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
|
|
|
|
#
|
2013-04-02 00:23:16 +02:00
|
|
|
enable_script;
|
|
|
|
#
|
2011-08-27 17:29:55 +02:00
|
|
|
# Validate the TC files so that the providers will know what interfaces have TC
|
|
|
|
#
|
|
|
|
my $tcinterfaces = process_tc;
|
|
|
|
#
|
2011-08-25 02:37:39 +02:00
|
|
|
# Generate a function to bring up each provider
|
|
|
|
#
|
2011-08-27 17:29:55 +02:00
|
|
|
process_providers( $tcinterfaces );
|
2011-08-25 02:37:39 +02:00
|
|
|
#
|
|
|
|
# [Re-]establish Routing
|
|
|
|
#
|
2010-03-29 18:48:23 +02:00
|
|
|
if ( $scriptfilename || $debug ) {
|
2009-02-22 18:30:14 +01:00
|
|
|
emit( "\n#",
|
|
|
|
'# Setup routing and traffic shaping',
|
|
|
|
'#',
|
|
|
|
'setup_routing_and_traffic_shaping() {'
|
|
|
|
);
|
|
|
|
|
|
|
|
push_indent;
|
|
|
|
}
|
2011-08-26 01:00:27 +02:00
|
|
|
|
|
|
|
setup_providers;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# TCRules and Traffic Shaping
|
|
|
|
#
|
2014-02-15 18:36:13 +01:00
|
|
|
setup_tc( $tcrules );
|
2009-02-22 18:30:14 +01:00
|
|
|
|
2010-03-29 18:48:23 +02:00
|
|
|
if ( $scriptfilename || $debug ) {
|
2009-02-22 18:30:14 +01:00
|
|
|
pop_indent;
|
2011-09-03 17:44:15 +02:00
|
|
|
emit "}\n"; # End of setup_routing_and_traffic_shaping()
|
2009-02-22 18:30:14 +01:00
|
|
|
}
|
|
|
|
|
2013-01-04 18:17:57 +01:00
|
|
|
$have_arptables = process_arprules if $family == F_IPV4;
|
|
|
|
|
2009-10-06 00:43:29 +02:00
|
|
|
disable_script;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2009-03-05 05:02:03 +01:00
|
|
|
# N E T F I L T E R
|
|
|
|
# (Produces no output to the compiled script -- rules are stored in the chain table)
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
process_tos;
|
2013-02-19 20:59:57 +01:00
|
|
|
#
|
|
|
|
# ECN
|
|
|
|
#
|
|
|
|
setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
2013-02-19 00:15:26 +01:00
|
|
|
#
|
|
|
|
# Setup Masquerading/SNAT
|
|
|
|
#
|
|
|
|
setup_masq;
|
|
|
|
#
|
|
|
|
# Setup Nat
|
|
|
|
#
|
2014-05-25 17:57:01 +02:00
|
|
|
setup_nat;
|
2011-09-17 16:31:18 +02:00
|
|
|
#
|
|
|
|
# Setup NETMAP
|
|
|
|
#
|
|
|
|
setup_netmap;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# MACLIST Filtration
|
|
|
|
#
|
|
|
|
setup_mac_lists 1;
|
|
|
|
#
|
|
|
|
# Process the rules file.
|
|
|
|
#
|
2012-02-07 16:38:07 +01:00
|
|
|
process_rules( $convert );
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2012-08-08 16:23:20 +02:00
|
|
|
# Process the conntrack file
|
|
|
|
#
|
|
|
|
setup_conntrack;
|
|
|
|
#
|
2009-02-22 18:30:14 +01:00
|
|
|
# Add Tunnel rules.
|
|
|
|
#
|
|
|
|
setup_tunnels;
|
|
|
|
#
|
2013-06-01 22:03:10 +02:00
|
|
|
# Clear the current filename
|
|
|
|
#
|
|
|
|
clear_currentfilename;
|
|
|
|
#
|
2009-02-22 18:30:14 +01:00
|
|
|
# MACLIST Filtration again
|
|
|
|
#
|
|
|
|
setup_mac_lists 2;
|
|
|
|
#
|
|
|
|
# Apply Policies
|
|
|
|
#
|
|
|
|
apply_policy_rules;
|
|
|
|
#
|
2013-09-01 18:14:10 +02:00
|
|
|
# Reject Action
|
|
|
|
#
|
|
|
|
process_reject_action if $config{REJECT_ACTION};
|
|
|
|
#
|
2009-02-22 18:30:14 +01:00
|
|
|
# Accounting.
|
|
|
|
#
|
2010-01-16 18:53:53 +01:00
|
|
|
setup_accounting if $config{ACCOUNTING};
|
2009-02-22 18:30:14 +01:00
|
|
|
|
2009-10-08 18:48:15 +02:00
|
|
|
if ( $scriptfilename ) {
|
2009-07-21 23:13:26 +02:00
|
|
|
#
|
2010-01-13 17:12:00 +01:00
|
|
|
# Compiling a script - generate the zone by zone matrix
|
2009-07-21 23:13:26 +02:00
|
|
|
#
|
|
|
|
generate_matrix;
|
|
|
|
|
2011-12-29 01:22:11 +01:00
|
|
|
optimize_level0;
|
|
|
|
|
2012-05-19 17:15:20 +02:00
|
|
|
if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
|
2010-01-16 18:53:53 +01:00
|
|
|
progress_message2 'Optimizing Ruleset...';
|
|
|
|
#
|
|
|
|
# Optimize Policy Chains
|
|
|
|
#
|
2012-06-05 21:51:52 +02:00
|
|
|
optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
|
2010-01-16 18:53:53 +01:00
|
|
|
#
|
|
|
|
# More Optimization
|
|
|
|
#
|
2012-06-04 17:00:07 +02:00
|
|
|
optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
|
2010-01-16 18:53:53 +01:00
|
|
|
}
|
|
|
|
|
2009-10-06 00:43:29 +02:00
|
|
|
enable_script;
|
2009-03-21 17:45:27 +01:00
|
|
|
#
|
2009-09-08 22:04:34 +02:00
|
|
|
# I N I T I A L I Z E
|
|
|
|
# (Writes the initialize() function to the compiled script)
|
2009-03-21 17:45:27 +01:00
|
|
|
#
|
|
|
|
generate_script_2;
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2009-02-23 17:08:10 +01:00
|
|
|
# N E T F I L T E R L O A D
|
2013-01-04 18:17:57 +01:00
|
|
|
# (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
2009-03-21 17:45:27 +01:00
|
|
|
generate_script_3( $chains );
|
2009-09-09 01:00:40 +02:00
|
|
|
#
|
|
|
|
# We must reinitialize Shorewall::Chains before generating the iptables-restore input
|
|
|
|
# for stopping the firewall
|
|
|
|
#
|
2011-05-15 20:48:34 +02:00
|
|
|
Shorewall::Chains::initialize( $family, 0 , $export );
|
2011-05-26 23:11:36 +02:00
|
|
|
initialize_chain_table(0);
|
2009-09-09 01:00:40 +02:00
|
|
|
#
|
2009-09-08 22:04:34 +02:00
|
|
|
# S T O P _ F I R E W A L L
|
|
|
|
# (Writes the stop_firewall() function to the compiled script)
|
|
|
|
#
|
2013-01-04 18:17:57 +01:00
|
|
|
compile_stop_firewall( $test, $export , $have_arptables );
|
2009-03-30 02:49:00 +02:00
|
|
|
#
|
2010-05-15 21:48:04 +02:00
|
|
|
# U P D O W N
|
|
|
|
# (Writes the updown() function to the compiled script)
|
|
|
|
#
|
|
|
|
compile_updown;
|
|
|
|
#
|
2009-10-06 00:43:29 +02:00
|
|
|
# Copy the footer to the script
|
2009-03-30 02:49:00 +02:00
|
|
|
#
|
2012-01-07 22:53:41 +01:00
|
|
|
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
2009-08-20 23:32:15 +02:00
|
|
|
|
2009-10-06 00:43:29 +02:00
|
|
|
disable_script;
|
2009-02-23 17:08:10 +01:00
|
|
|
#
|
2009-10-06 00:43:29 +02:00
|
|
|
# Close, rename and secure the script
|
2009-02-23 17:08:10 +01:00
|
|
|
#
|
2009-10-06 00:43:29 +02:00
|
|
|
finalize_script ( $export );
|
2009-02-22 18:30:14 +01:00
|
|
|
#
|
|
|
|
# And generate the auxilary config file
|
|
|
|
#
|
2009-10-06 00:43:29 +02:00
|
|
|
enable_script, generate_aux_config if $export;
|
2013-02-18 17:48:18 +01:00
|
|
|
#
|
|
|
|
# Report used/required capabilities
|
|
|
|
#
|
|
|
|
report_used_capabilities;
|
2009-08-17 20:22:03 +02:00
|
|
|
} else {
|
2010-01-13 17:12:00 +01:00
|
|
|
#
|
2010-01-16 18:53:53 +01:00
|
|
|
# Just checking the configuration
|
2010-01-13 17:12:00 +01:00
|
|
|
#
|
2010-03-28 22:09:04 +02:00
|
|
|
if ( $preview || $debug ) {
|
2010-01-16 18:53:53 +01:00
|
|
|
#
|
2010-03-28 22:09:04 +02:00
|
|
|
# User wishes to preview the ruleset or we are tracing -- generate the rule matrix
|
2010-01-16 18:53:53 +01:00
|
|
|
#
|
2010-01-13 00:32:50 +01:00
|
|
|
generate_matrix;
|
2010-01-16 18:53:53 +01:00
|
|
|
|
2011-12-29 01:22:11 +01:00
|
|
|
optimize_level0;
|
|
|
|
|
2013-01-08 18:51:32 +01:00
|
|
|
if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
|
2010-01-16 18:53:53 +01:00
|
|
|
progress_message2 'Optimizing Ruleset...';
|
|
|
|
#
|
|
|
|
# Optimize Policy Chains
|
|
|
|
#
|
2012-06-05 21:51:52 +02:00
|
|
|
optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
|
2010-01-16 18:53:53 +01:00
|
|
|
#
|
|
|
|
# Ruleset Optimization
|
|
|
|
#
|
2012-06-04 00:15:11 +02:00
|
|
|
optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
|
2010-01-16 18:53:53 +01:00
|
|
|
}
|
|
|
|
|
2010-03-29 18:48:23 +02:00
|
|
|
enable_script if $debug;
|
|
|
|
|
|
|
|
generate_script_2 if $debug;
|
|
|
|
|
2013-01-04 18:17:57 +01:00
|
|
|
if ( $preview ) {
|
|
|
|
preview_netfilter_load;
|
|
|
|
preview_arptables_load if $have_arptables;
|
|
|
|
}
|
2010-01-13 00:32:50 +01:00
|
|
|
}
|
2009-09-09 01:00:40 +02:00
|
|
|
#
|
|
|
|
# Re-initialize the chain table so that process_routestopped() has the same
|
|
|
|
# environment that it would when called by compile_stop_firewall().
|
|
|
|
#
|
2011-05-15 20:48:34 +02:00
|
|
|
Shorewall::Chains::initialize( $family , 0 , $export );
|
2011-05-26 23:11:36 +02:00
|
|
|
initialize_chain_table(0);
|
2010-03-29 18:48:23 +02:00
|
|
|
|
|
|
|
if ( $debug ) {
|
2013-01-04 18:17:57 +01:00
|
|
|
compile_stop_firewall( $test, $export, $have_arptables );
|
2010-03-29 18:48:23 +02:00
|
|
|
disable_script;
|
|
|
|
} else {
|
|
|
|
#
|
|
|
|
# compile_stop_firewall() also validates the routestopped file. Since we don't
|
|
|
|
# call that function during normal 'check', we must validate routestopped here.
|
|
|
|
#
|
|
|
|
process_routestopped;
|
2012-09-03 17:44:03 +02:00
|
|
|
process_stoppedrules;
|
2010-03-29 18:48:23 +02:00
|
|
|
}
|
2013-02-18 17:48:18 +01:00
|
|
|
#
|
|
|
|
# Report used/required capabilities
|
|
|
|
#
|
|
|
|
report_used_capabilities;
|
2009-09-08 21:54:23 +02:00
|
|
|
|
2009-08-17 20:22:03 +02:00
|
|
|
if ( $family == F_IPV4 ) {
|
|
|
|
progress_message3 "Shorewall configuration verified";
|
|
|
|
} else {
|
|
|
|
progress_message3 "Shorewall6 configuration verified";
|
|
|
|
}
|
2009-02-22 18:30:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
close_log if $log;
|
|
|
|
|
|
|
|
1;
|
|
|
|
}
1;