2002-05-01 01:13:15 +02:00
#!/bin/sh
#
2006-01-16 16:15:43 +01:00
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
2002-05-01 01:13:15 +02:00
#
2003-02-23 15:10:37 +01:00
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
2002-05-01 01:13:15 +02:00
#
2006-01-15 20:27:57 +01:00
# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
2005-10-07 00:46:17 +02:00
#
2005-10-06 00:51:29 +02:00
# tcstart from tc4shorewall Version 0.5
# (c) 2005 Arne Bernin <arne@ucbering.de>
# Modified by Tom Eastep for integration into the Shorewall distribution
# published under GPL Version 2#
2002-05-01 01:13:15 +02:00
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
2003-02-23 15:10:37 +01:00
# it under the terms of Version 2 of the GNU General Public License
2002-05-01 01:13:15 +02:00
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
2003-02-23 15:10:37 +01:00
# shorewall start Starts the firewall
2002-05-01 01:13:15 +02:00
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
2005-07-09 07:45:05 +02:00
# shorewall reset Resets iptables packet and
2002-05-01 01:13:15 +02:00
# byte counts
2003-02-23 15:10:37 +01:00
# shorewall clear Remove all Shorewall chains
2002-05-01 01:13:15 +02:00
# and rules/policies.
# shorewall refresh . Rebuild the common chain
2002-10-23 18:48:40 +02:00
#
# Mutual exclusion -- These functions are jackets for the mutual exclusion
2003-01-07 00:01:23 +01:00
# routines in $FUNCTIONS. They invoke
2002-10-23 18:48:40 +02:00
# the corresponding function in that file if the user did
# not specify "nolock" on the runline.
#
2006-01-16 22:29:00 +01:00
my_mutex_on() {
2006-01-17 18:34:34 +01:00
[ -n "$NOLOCK" ] || { mutex_on; HAVE_MUTEX=Yes; }
2006-01-16 22:29:00 +01:00
}
my_mutex_off() {
[ -n "$HAVE_MUTEX" ] && { mutex_off; HAVE_MUTEX=; }
}
2002-10-23 18:48:40 +02:00
#
# Fatal error -- stops the firewall after issuing the error message
#
2002-05-01 01:13:15 +02:00
fatal_error() # $* = Error Message
{
2005-07-26 01:08:09 +02:00
echo " ERROR: $@" >&2
2006-01-23 00:41:56 +01:00
stop_firewall
2002-05-01 01:13:15 +02:00
exit 2
}
2002-10-23 18:48:40 +02:00
#
2005-07-09 07:45:05 +02:00
# Fatal error during startup -- generate an error message and abend without
2002-10-23 18:48:40 +02:00
# altering the state of the firewall
#
2002-05-01 01:13:15 +02:00
startup_error() # $* = Error Message
{
2005-07-26 01:08:09 +02:00
echo " ERROR: $@" >&2
2002-05-01 01:13:15 +02:00
my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
2005-07-09 06:45:32 +02:00
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
2002-05-01 01:13:15 +02:00
kill $$
exit 2
}
2002-10-23 18:48:40 +02:00
#
# Send a message to STDOUT and the System Log
#
2002-05-03 00:56:27 +02:00
report () { # $* = message
2006-01-25 01:13:45 +01:00
progress_message3 "$@"
2002-05-03 00:56:27 +02:00
logger "$@"
}
2002-10-23 18:48:40 +02:00
#
# Run iptables and if an error occurs, stop the firewall and quit
#
2002-05-01 01:13:15 +02:00
run_iptables() {
2005-09-27 16:30:11 +02:00
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
2005-07-09 07:45:05 +02:00
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
2005-07-09 06:45:32 +02:00
2005-07-09 07:45:05 +02:00
if ! $IPTABLES $@ ; then
2005-09-08 22:57:29 +02:00
if [ -z "$STOPPING" ]; then
2005-07-09 07:45:05 +02:00
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
2002-12-18 22:26:03 +01:00
fi
}
2002-12-18 22:58:21 +01:00
2002-12-18 22:26:03 +01:00
#
# Version of 'run_iptables' that inserts white space after "!" in the arg list
#
run_iptables2() {
2005-07-09 07:45:05 +02:00
case "$@" in
*!*)
run_iptables $(fix_bang $@)
;;
*)
run_iptables $@
;;
esac
2005-07-09 06:45:32 +02:00
}
2006-01-12 00:30:33 +01:00
#
# Quietly run iptables
#
qt_iptables() {
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
qt $IPTABLES $@
}
2002-10-23 18:48:40 +02:00
#
# Run ip and if an error occurs, stop the firewall and quit
#
2002-05-01 01:13:15 +02:00
run_ip() {
if ! ip $@ ; then
2005-09-08 22:57:29 +02:00
if [ -z "$STOPPING" ]; then
2005-07-09 07:45:05 +02:00
error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall
exit 2
fi
2002-05-01 01:13:15 +02:00
fi
}
2002-10-23 18:48:40 +02:00
#
# Run tc and if an error occurs, stop the firewall and quit
#
2002-05-01 01:13:15 +02:00
run_tc() {
if ! tc $@ ; then
2005-09-08 22:57:29 +02:00
if [ -z "$STOPPING" ]; then
2005-07-09 07:45:05 +02:00
error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall
exit 2
fi
2002-05-01 01:13:15 +02:00
fi
}
2006-01-17 00:15:51 +01:00
#
# Delete a chain if it exists
#
deletechain() # $1 = name of chain
{
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
2002-11-13 01:57:48 +01:00
#
# Determine if a chain is a policy chain
#
is_policy_chain() # $1 = name of chain
{
eval test \"\$${1}_is_policy\" = Yes
2003-02-23 15:10:37 +01:00
}
2002-11-13 01:57:48 +01:00
2002-10-23 18:48:40 +02:00
#
# Set a standard chain's policy
#
2002-05-01 01:13:15 +02:00
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
2002-10-23 18:48:40 +02:00
#
2003-06-11 03:01:48 +02:00
# Set a standard chain to enable established and related connections
2002-10-23 18:48:40 +02:00
#
2002-05-01 01:13:15 +02:00
setcontinue() # $1 = name of chain
{
2003-06-11 03:01:48 +02:00
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
2002-05-01 01:13:15 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Flush one of the NAT table chains
#
2002-05-01 01:13:15 +02:00
flushnat() # $1 = name of chain
{
run_iptables -t nat -F $1
}
2003-02-24 16:24:55 +01:00
#
# Flush one of the Mangle table chains
#
flushmangle() # $1 = name of chain
{
run_iptables -t mangle -F $1
}
2005-07-26 01:08:09 +02:00
#
2005-09-02 22:46:53 +02:00
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
2005-07-26 01:08:09 +02:00
#
2005-09-02 22:46:53 +02:00
determine_zones()
2005-07-26 01:08:09 +02:00
{
2005-09-03 02:48:37 +02:00
local zone parent parents rest new_zone_file= r
2005-09-02 22:46:53 +02:00
merge_zone()
{
local z zones="$ZONES" merged=
2005-09-03 02:48:37 +02:00
if [ -n "$parents" ]; then
ZONES=
for z in $zones; do
if [ -z "$merged" ] && list_search $z $parents; then
ZONES="$ZONES $zone"
merged=Yes
fi
ZONES="$ZONES $z"
done
else
ZONES="$ZONES $zone"
fi
2005-09-03 00:56:35 +02:00
}
2005-09-02 22:46:53 +02:00
strip_file zones
ZONES=
2005-10-04 16:54:56 +02:00
IPV4_ZONES=
IPSEC_ZONES=
2005-09-02 22:46:53 +02:00
2005-10-03 19:59:19 +02:00
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
2005-09-02 22:46:53 +02:00
while read zone type rest; do
expandv zone type
case $zone in
*:*)
parents=${zone#*:}
zone=${zone%:*}
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
;;
*)
parents=
;;
esac
for parent in $parents; do
2005-09-19 16:43:22 +02:00
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
2005-09-02 22:46:53 +02:00
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
2005-09-19 16:43:22 +02:00
done
2005-07-26 01:08:09 +02:00
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
case "$zone" in
[0-9*])
startup_error "Illegal zone name \"$zone\" in zones file"
;;
2005-09-02 22:46:53 +02:00
all|none)
startup_error "Reserved zone name \"$zone\" in zones file"
2005-07-26 01:08:09 +02:00
;;
esac
2005-09-02 22:46:53 +02:00
if [ -n "$new_zone_file" ]; then
2005-09-30 19:16:22 +02:00
case ${type:=ipv4} in
2005-09-30 20:22:57 +02:00
ipv4|IPv4|IPV4|plain|-)
2005-09-02 22:46:53 +02:00
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
merge_zone
2005-10-04 16:54:56 +02:00
IPV4_ZONES="$IPV4_ZONES $zone"
2005-09-02 22:46:53 +02:00
;;
2005-09-30 20:22:57 +02:00
ipsec|IPSEC|ipsec4|IPSEC4)
2005-09-02 22:46:53 +02:00
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
merge_zone
2005-10-04 16:54:56 +02:00
IPSEC_ZONES="$IPSEC_ZONES $zone"
2005-09-02 22:46:53 +02:00
;;
firewall)
2005-10-03 19:39:36 +02:00
[ -n "$FW" ] && startup_error "Only one firewall zone may be defined"
2005-09-02 22:46:53 +02:00
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
2005-09-03 02:48:37 +02:00
for r in $rest; do
[ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone"
done
2005-09-02 22:46:53 +02:00
FW=$zone
;;
*)
2005-09-03 02:48:37 +02:00
startup_error "Invalid Zone Type: $type"
2005-09-02 22:46:53 +02:00
;;
esac
2005-10-04 16:54:56 +02:00
eval ${zone}_type=$type
2005-09-02 22:46:53 +02:00
else
2005-09-03 02:48:37 +02:00
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
2005-09-02 22:46:53 +02:00
ZONES="$ZONES $zone"
2005-10-04 16:54:56 +02:00
IPV4_ZONES="$IPV4_ZONES $zone"
eval ${zone}_type=ipv4
2005-09-02 22:46:53 +02:00
fi
done < $TMP_DIR/zones
2005-07-26 01:08:09 +02:00
2005-09-30 21:20:27 +02:00
[ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined"
2005-07-26 01:08:09 +02:00
2005-09-02 22:46:53 +02:00
[ -z "$FW" ] && startup_error "No Firewall Zone Defined"
2005-07-26 01:08:09 +02:00
}
2002-10-23 18:48:40 +02:00
#
2002-12-07 04:21:32 +01:00
# Find interfaces to a given zone
2002-10-23 18:48:40 +02:00
#
2002-12-07 04:21:32 +01:00
# Search the variables representing the contents of the interfaces file and
2003-02-23 15:10:37 +01:00
# for each record matching the passed ZONE, echo the expanded contents of
2002-12-07 04:21:32 +01:00
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
2002-05-18 15:45:23 +02:00
{
2002-12-07 04:21:32 +01:00
local zne=$1
local z
local interface
2002-05-18 15:45:23 +02:00
2005-07-09 07:45:05 +02:00
for interface in $ALL_INTERFACES; do
2005-07-09 06:45:32 +02:00
eval z=\$$(chain_base $interface)_zone
2002-12-07 04:21:32 +01:00
[ "x${z}" = x${zne} ] && echo $interface
done
2002-05-18 15:45:23 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Forward Chain for an interface
#
2002-05-18 15:45:23 +02:00
forward_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_fwd
2002-05-18 15:45:23 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Input Chain for an interface
#
2002-05-18 15:45:23 +02:00
input_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_in
2002-05-18 15:45:23 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Output Chain for an interface
#
2002-07-05 17:56:02 +02:00
output_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_out
2002-07-05 17:56:02 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Masquerade Chain for an interface
#
2002-07-05 23:57:37 +02:00
masq_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_masq
2002-07-05 23:57:37 +02:00
}
2002-10-23 18:48:40 +02:00
#
# MAC Verification Chain for an interface
#
2002-10-23 17:58:53 +02:00
mac_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_mac
}
2005-07-26 01:08:09 +02:00
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
2006-01-12 00:30:33 +01:00
#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
echo $(chain_base $1)_dynf
}
dynamic_in() # $1 = interface
{
echo $(chain_base $1)_dyni
}
dynamic_out() # $1 = interface
{
echo $(chain_base $1)_dyno
}
dynamic_chains() #$1 = interface
{
local c=$(chain_base $1)
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
2002-10-23 18:48:40 +02:00
#
# DNAT Chain from a zone
#
2002-07-05 23:57:37 +02:00
dnat_chain() # $1 = zone
{
echo ${1}_dnat
}
2002-10-23 18:48:40 +02:00
#
2005-08-02 23:06:05 +02:00
# SNAT Chain to an interface
2002-10-23 18:48:40 +02:00
#
2005-08-02 23:06:05 +02:00
snat_chain() # $1 = interface
2002-07-05 23:57:37 +02:00
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_snat
2003-02-24 16:24:55 +01:00
}
#
# ECN Chain to an interface
#
ecn_chain() # $1 = interface
{
2005-07-09 06:45:32 +02:00
echo $(chain_base $1)_ecn
2002-07-05 23:57:37 +02:00
}
2002-10-23 18:48:40 +02:00
#
# First chains for an interface
#
2002-05-18 15:45:23 +02:00
first_chains() #$1 = interface
{
2005-07-09 06:45:32 +02:00
local c=$(chain_base $1)
2002-05-18 15:45:23 +02:00
echo ${c}_fwd ${c}_in
}
2003-08-21 15:18:51 +02:00
#
2005-07-09 07:45:05 +02:00
# Horrible hack to work around an iptables limitation
#
2005-08-02 18:46:30 +02:00
iprange_echo()
2005-07-09 07:45:05 +02:00
{
if [ -f $TMP_DIR/iprange ]; then
echo $@
else
echo "-m iprange $@"
> $TMP_DIR/iprange
fi
}
2005-07-09 07:55:29 +02:00
#
# Get set flags (ipsets).
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
local temp setname=$1 options=$2
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
case $1 in
*\[[1-6]\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
while [ $temp -gt 1 ]; do
options="$options,$2"
temp=$(($temp - 1))
2005-09-19 16:43:22 +02:00
done
2005-07-09 07:55:29 +02:00
;;
*\[*\])
options=${1#*\[}
options=${options%\]}
setname=${1%\[*}
;;
*)
;;
esac
2005-08-02 18:46:30 +02:00
2005-07-09 07:55:29 +02:00
echo "--set ${setname#+} $options"
2005-08-02 18:46:30 +02:00
}
2005-07-09 07:45:05 +02:00
#
# Horrible hack to work around an iptables limitation
2003-08-21 15:18:51 +02:00
#
2005-08-02 18:46:30 +02:00
physdev_echo()
2003-08-21 15:18:51 +02:00
{
2005-07-09 06:45:32 +02:00
if [ -f $TMP_DIR/physdev ]; then
echo $@
else
echo -m physdev $@
> $TMP_DIR/physdev
fi
2003-08-21 15:18:51 +02:00
}
#
2005-07-09 06:45:32 +02:00
# We allow hosts to be specified by IP address or by physdev. These two functions
# are used to produce the proper match in a netfilter rule.
2003-08-21 15:18:51 +02:00
#
2005-07-09 06:45:32 +02:00
match_source_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
2005-07-09 07:45:05 +02:00
physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
2005-07-09 06:45:32 +02:00
;;
2005-07-09 07:55:29 +02:00
*.*.*.*|+*|!+*)
2005-07-09 07:45:05 +02:00
echo $(source_ip_range $1)
2005-07-09 06:45:32 +02:00
;;
*)
physdev_echo "--physdev-in $1"
;;
esac
else
2005-07-09 07:45:05 +02:00
echo $(source_ip_range $1)
2005-07-09 06:45:32 +02:00
fi
}
match_dest_hosts()
2003-08-21 15:18:51 +02:00
{
2005-07-09 06:45:32 +02:00
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
2005-07-09 07:45:05 +02:00
physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
2005-07-09 06:45:32 +02:00
;;
2005-07-09 07:55:29 +02:00
*.*.*.*|+*|!+*)
2005-07-09 07:45:05 +02:00
echo $(dest_ip_range $1)
2005-07-09 06:45:32 +02:00
;;
*)
physdev_echo "--physdev-out $1"
;;
esac
else
2005-07-09 07:45:05 +02:00
echo $(dest_ip_range $1)
2005-07-09 06:45:32 +02:00
fi
2003-08-21 15:18:51 +02:00
}
2005-07-09 06:45:32 +02:00
#
2005-08-02 18:46:30 +02:00
# Similarly, the source or destination in a rule can be qualified by a device name. If
2005-07-09 06:45:32 +02:00
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated.
#-------------------------------------------------------------------------------------
2003-08-21 15:18:51 +02:00
#
2005-07-09 06:45:32 +02:00
# loosely match the passed interface with those in /etc/shorewall/interfaces.
2003-08-21 15:18:51 +02:00
#
2005-07-09 06:45:32 +02:00
known_interface() # $1 = interface name
{
local iface
2005-07-09 07:45:05 +02:00
for iface in $ALL_INTERFACES ; do
2005-07-09 06:45:32 +02:00
if if_match $iface $1 ; then
return 0
fi
done
return 1
}
2005-12-21 05:20:16 +01:00
known_port() # $1 = port name
{
local port
for port in $ALL_PORTS ; do
if if_match $port $1 ; then
return 0
fi
done
return 1
}
2005-07-09 06:45:32 +02:00
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
2005-12-21 05:20:16 +01:00
known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
2005-07-09 06:45:32 +02:00
else
echo -i $1
fi
}
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
2005-12-21 05:20:16 +01:00
known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
2005-07-09 06:45:32 +02:00
else
echo -o $1
fi
}
verify_interface()
2003-08-21 15:18:51 +02:00
{
2005-12-21 05:20:16 +01:00
known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
2005-07-09 07:45:05 +02:00
}
#
# Determine if communication to/from a host is encrypted using IPSEC
#
is_ipsec_host() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
test -n "$is_ipsec" || list_search $2 $hosts
}
#
# Generate a match for decrypted packets
#
match_ipsec_in() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
fi
}
#
# Generate a match for packets that will be encrypted
#
match_ipsec_out() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out"
fi
}
#
# Jacket for ip_range() that takes care of iprange match
#
firewall_ip_range() # $1 = IP address or range
{
[ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
2003-08-21 15:18:51 +02:00
}
2005-07-09 06:45:32 +02:00
#
2002-10-23 18:48:40 +02:00
#
# Find hosts in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo the expanded contents of the "HOST(S)" column
#
2002-05-01 01:13:15 +02:00
find_hosts() # $1 = host zone
{
2003-07-06 17:31:26 +02:00
local hosts interface address addresses
2002-05-01 01:13:15 +02:00
while read z hosts options; do
2005-07-09 06:45:32 +02:00
if [ "x$(expand $z)" = "x$1" ]; then
2003-07-06 17:31:26 +02:00
expandv hosts
2005-07-09 06:45:32 +02:00
interface=${hosts%%:*}
2003-07-06 17:31:26 +02:00
addresses=${hosts#*:}
2005-08-02 18:46:30 +02:00
for address in $(separate_list $addresses); do
2003-07-06 17:31:26 +02:00
echo $interface:$address
done
fi
2002-05-01 01:13:15 +02:00
done < $TMP_DIR/hosts
}
2002-10-23 18:48:40 +02:00
#
# Determine the interfaces on the firewall
#
# For each zone, create a variable called ${zone}_interfaces. This
# variable contains a space-separated list of interfaces to the zone
#
2002-05-01 01:13:15 +02:00
determine_interfaces() {
2005-07-26 01:08:09 +02:00
for zone in $ZONES; do
2005-07-09 06:45:32 +02:00
interfaces=$(find_interfaces $zone)
interfaces=$(echo $interfaces) # Remove extra trash
2003-02-20 00:52:03 +01:00
eval ${zone}_interfaces=\"\$interfaces\"
2002-05-01 01:13:15 +02:00
done
}
2003-02-23 15:10:37 +01:00
2005-07-09 06:45:32 +02:00
#
# Determine if an interface has a given option
#
interface_has_option() # $1 = interface, #2 = option
{
local options
eval options=\$$(chain_base $1)_options
list_search $2 $options
}
2002-10-23 18:48:40 +02:00
#
# Determine the defined hosts in each zone and generate report
#
2002-05-01 01:13:15 +02:00
determine_hosts() {
2005-07-26 01:08:09 +02:00
for zone in $ZONES; do
2005-07-09 06:45:32 +02:00
hosts=$(find_hosts $zone)
hosts=$(echo $hosts) # Remove extra trash
2003-02-08 21:58:44 +01:00
2002-07-06 00:24:40 +02:00
eval interfaces=\$${zone}_interfaces
2002-05-01 01:13:15 +02:00
for interface in $interfaces; do
2005-07-09 06:45:32 +02:00
if interface_has_option $interface detectnets; then
networks=$(get_routed_networks $interface)
2002-05-01 01:13:15 +02:00
else
2005-07-09 06:45:32 +02:00
networks=0.0.0.0/0
2002-05-01 01:13:15 +02:00
fi
2004-01-24 00:48:30 +01:00
2005-07-09 07:55:29 +02:00
for network in $networks; do
2004-01-24 00:48:30 +01:00
if [ -z "$hosts" ]; then
2005-07-09 07:55:29 +02:00
hosts=$interface:$network
2004-01-24 00:48:30 +01:00
else
2005-07-09 07:55:29 +02:00
hosts="$hosts $interface:$network"
2005-07-09 06:45:32 +02:00
fi
if interface_has_option $interface routeback; then
2005-07-09 07:55:29 +02:00
eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
2004-01-24 00:48:30 +01:00
fi
done
2002-05-01 01:13:15 +02:00
done
2002-07-09 17:44:49 +02:00
interfaces=
2003-02-23 15:10:37 +01:00
2002-07-09 17:44:49 +02:00
for host in $hosts; do
interface=${host%:*}
2005-07-09 06:45:32 +02:00
if list_search $interface $interfaces; then
list_search $interface:0.0.0.0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
list_search $interface:0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
eval ${zone}_is_complex=Yes
else
2002-07-09 17:44:49 +02:00
if [ -z "$interfaces" ]; then
interfaces=$interface
else
interfaces="$interfaces $interface"
fi
fi
done
eval ${zone}_interfaces="\$interfaces"
2002-05-01 01:13:15 +02:00
eval ${zone}_hosts="\$hosts"
if [ -n "$hosts" ]; then
2006-01-23 02:41:24 +01:00
[ $VERBOSE -ge 1 ] && display_list "$zone Zone:" $hosts
2002-05-18 21:04:45 +02:00
else
2005-07-26 01:08:09 +02:00
error_message "WARNING: Zone $zone is empty"
2003-02-23 15:10:37 +01:00
fi
2002-05-01 01:13:15 +02:00
done
}
2002-10-23 18:48:40 +02:00
#
# Ensure that the passed zone is defined in the zones file or is the firewall
#
2002-05-01 01:13:15 +02:00
validate_zone() # $1 = zone
{
2005-07-26 01:08:09 +02:00
list_search $1 $ZONES $FW
2002-05-01 01:13:15 +02:00
}
2005-07-09 06:45:32 +02:00
#
# Ensure that the passed zone is defined in the zones file.
#
validate_zone1() # $1 = zone
{
2005-07-26 01:08:09 +02:00
list_search $1 $ZONES
2005-07-09 06:45:32 +02:00
}
2002-05-01 01:13:15 +02:00
2002-10-23 18:48:40 +02:00
#
# Validate the zone names and options in the interfaces file
#
2002-05-01 01:13:15 +02:00
validate_interfaces_file() {
2004-01-24 00:48:30 +01:00
local wildcard
2005-07-09 06:45:32 +02:00
local found_obsolete_option=
local z interface networks options r iface option
2004-01-24 00:48:30 +01:00
2005-07-09 08:13:05 +02:00
while read z interface networks options; do
2005-07-09 06:45:32 +02:00
expandv z interface networks options
r="$z $interface $networks $options"
2002-12-07 04:21:32 +01:00
[ "x$z" = "x-" ] && z=
2003-02-23 15:10:37 +01:00
if [ -n "$z" ]; then
2002-12-07 04:21:32 +01:00
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi
2002-05-01 01:13:15 +02:00
2005-07-09 07:45:05 +02:00
list_search $interface $ALL_INTERFACES && \
2003-02-08 21:58:44 +01:00
startup_error "Duplicate Interface $interface"
2004-01-24 00:48:30 +01:00
wildcard=
2003-02-08 21:58:44 +01:00
case $interface in
2005-07-09 06:45:32 +02:00
*:*|+)
2003-02-08 21:58:44 +01:00
startup_error "Invalid Interface Name: $interface"
;;
2005-07-09 06:45:32 +02:00
*+)
2004-01-24 00:48:30 +01:00
wildcard=Yes
;;
2003-02-08 21:58:44 +01:00
esac
2003-02-23 15:10:37 +01:00
2005-07-09 07:45:05 +02:00
ALL_INTERFACES="$ALL_INTERFACES $interface"
2005-07-09 06:45:32 +02:00
options=$(separate_list $options)
iface=$(chain_base $interface)
2003-02-23 15:10:37 +01:00
2005-07-09 06:45:32 +02:00
eval ${iface}_broadcast="$networks"
2003-11-08 03:38:30 +01:00
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
2002-05-18 15:45:23 +02:00
2002-12-19 22:30:58 +01:00
for option in $options; do
2002-05-01 01:13:15 +02:00
case $option in
2005-07-09 07:55:29 +02:00
-)
;;
2006-01-13 20:29:23 +01:00
dhcp|tcpflags|arp_filter|routefilter|maclist|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
2005-08-14 18:45:48 +02:00
;;
norfc1918)
2006-01-23 00:41:56 +01:00
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
if [ -n "$addr" ]; then
addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
if in_network $addr $network; then
startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface"
fi
done
2005-08-14 18:45:48 +02:00
fi
2005-07-26 01:08:09 +02:00
;;
arp_ignore=*)
eval ${iface}_arp_ignore=${option#*=}
;;
arp_ignore)
eval ${iface}_arp_ignore=1
2003-01-21 01:34:00 +01:00
;;
2004-01-24 00:48:30 +01:00
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
2006-01-13 00:26:37 +01:00
[ -n $EXPORT ] && \
2006-01-13 00:29:45 +01:00
startup_error "'detectnets' not permitted with the -e run-line option"
2004-01-24 00:48:30 +01:00
;;
2003-04-01 04:00:37 +02:00
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
;;
2003-01-21 01:34:00 +01:00
*)
2005-07-26 01:08:09 +02:00
error_message "WARNING: Invalid option ($option) in record \"$r\""
2003-01-27 03:54:43 +01:00
;;
2002-05-01 01:13:15 +02:00
esac
done
done < $TMP_DIR/interfaces
2005-08-02 18:46:30 +02:00
2005-07-09 07:55:29 +02:00
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
}
#
# Check that a mark value or mask is less that 256
#
verify_mark() # $1 = value to test
{
2005-08-02 18:46:30 +02:00
verify_mark1()
2005-07-09 07:55:29 +02:00
{
[ $1 -lt 256 ]
}
2005-08-02 18:46:30 +02:00
2005-07-09 07:55:29 +02:00
verify_mark2()
{
verify_mark1 $1 2> /dev/null
}
2005-08-02 18:46:30 +02:00
2005-07-09 07:55:29 +02:00
verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1"
2002-05-01 01:13:15 +02:00
}
2005-07-09 07:55:29 +02:00
#
2006-01-25 01:13:45 +01:00
# Format a match by the passed MAC address
# The passed address begins with "~" and uses "-" as a separator between bytes
# Example: ~01-02-03-04-05-06
2005-07-09 07:55:29 +02:00
#
2006-01-25 01:13:45 +01:00
mac_match() # $1 = MAC address formated as described above
2005-07-09 07:55:29 +02:00
{
2006-01-25 01:13:45 +01:00
echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
}
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
#
# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface
# the function returns nothing for that interface
#
find_broadcasts() {
for interface in $ALL_INTERFACES; do
eval bcast=\$$(chain_base $interface)_broadcast
if [ "x$bcast" = "xdetect" ]; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
elif [ "x${bcast}" != "x-" ]; then
echo $(separate_list $bcast)
fi
done
}
2005-10-06 18:35:20 +02:00
2006-01-25 01:13:45 +01:00
#
# Find interfaces that have the passed option specified
#
find_interfaces_by_option() # $1 = option
{
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
list_search $1 $options && echo $interface
done
}
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
#
# This slightly slower version is used to find both the option and option followed
# by equal sign ("=") and a value
#
find_interfaces_by_option1() # $1 = option
{
local options option
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
for option in $options; do
if [ "${option%=*}" = "$1" ]; then
echo $interface
break
2005-07-09 07:55:29 +02:00
fi
done
2006-01-25 01:13:45 +01:00
done
}
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
#
# Find hosts with the passed option
#
find_hosts_by_option() # $1 = option
{
local ignore hosts interface address addresses options ipsec= list
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
while read ignore hosts options; do
expandv options
list=$(separate_list $options)
if list_search $1 $list; then
list_search ipsec $list && ipsec=ipsec || ipsec=none
expandv hosts
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo ${ipsec}^$interface:$address
done
2005-07-09 07:55:29 +02:00
fi
2006-01-25 01:13:45 +01:00
done < $TMP_DIR/hosts
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
for interface in $ALL_INTERFACES; do
interface_has_option $interface $1 && \
echo none^${interface}:0.0.0.0/0
done
}
2005-08-30 22:29:42 +02:00
2006-01-25 01:13:45 +01:00
#
# Flush and delete all user-defined chains in the filter table
#
deleteallchains() {
run_iptables -F
run_iptables -X
}
2003-11-27 19:24:57 +01:00
2005-07-09 07:45:05 +02:00
#
# Process the routestopped file either adding or deleting rules
#
process_routestopped() # $1 = command
{
2005-07-09 07:55:29 +02:00
local hosts= interface host host1 options networks source= dest= matched
2005-07-09 07:45:05 +02:00
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
2005-07-26 01:08:09 +02:00
error_message "WARNING: Duplicate routestopped option ignored: routeback"
2005-07-09 07:45:05 +02:00
else
routeback=Yes
for h in $(separate_list $host); do
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
2005-07-09 07:55:29 +02:00
source)
for h in $(separate_list $host); do
source="$source $interface:$h"
done
;;
dest)
for h in $(separate_list $host); do
dest="$dest $interface:$h"
done
;;
2005-07-26 01:08:09 +02:00
critical)
;;
2005-07-09 07:45:05 +02:00
*)
2005-07-26 01:08:09 +02:00
error_message "WARNING: Unknown routestopped option ignored: $option"
2005-07-09 07:45:05 +02:00
;;
esac
done
fi
2005-09-19 16:43:22 +02:00
2005-07-09 07:45:05 +02:00
done < $TMP_DIR/routestopped
2005-07-09 07:55:29 +02:00
2005-07-09 07:45:05 +02:00
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
2006-01-14 19:35:50 +01:00
run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
2005-09-15 18:11:54 +02:00
[ -z "$ADMINISABSENTMINDED" -o $COMMAND != stop ] && \
2005-07-09 07:45:05 +02:00
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
2005-07-09 07:55:29 +02:00
matched=
if list_search $host $source ; then
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
matched=Yes
fi
if list_search $host $dest ; then
run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
matched=Yes
fi
2005-09-19 16:43:22 +02:00
2005-07-09 07:55:29 +02:00
if [ -z "$matched" ]; then
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
fi
2005-07-09 07:45:05 +02:00
done
}
2005-07-26 01:08:09 +02:00
process_criticalhosts()
{
local hosts= interface host h options networks criticalhosts=
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback|source|dest)
;;
critical)
for h in $host; do
criticalhosts="$criticalhosts $interface:$h"
done
;;
*)
error_message "WARNING: Unknown routestopped option ignored: $option"
;;
esac
done
2005-09-19 16:43:22 +02:00
fi
2005-07-26 01:08:09 +02:00
done < $TMP_DIR/routestopped
if [ -n "$criticalhosts" ]; then
CRITICALHOSTS=$criticalhosts
progress_message "Critical Hosts are:$CRITICALHOSTS"
fi
}
2005-08-02 18:46:30 +02:00
2005-07-26 01:08:09 +02:00
#
# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to
# enable traffic to/from those hosts.
#
2005-08-02 18:46:30 +02:00
enable_critical_hosts()
2005-07-26 01:08:09 +02:00
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
2006-01-25 01:13:45 +01:00
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
2005-07-26 01:08:09 +02:00
done
}
#
# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that
# enable traffic to/from those hosts.
#
2005-08-02 18:46:30 +02:00
disable_critical_hosts()
2005-07-26 01:08:09 +02:00
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
2006-01-25 01:13:45 +01:00
$IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
2005-07-26 01:08:09 +02:00
done
}
2006-01-17 00:15:51 +01:00
#
# Stop the Firewall
#
stop_firewall() {
#
# Turn off trace unless we were tracing "stop" or "clear"
#
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
case $COMMAND in
stop|clear)
;;
*)
set +x
[ -n "${RESTOREFILE:=restore}" ]
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
iptables -t $table -F
iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
if $RESTOREPATH; then
echo "Shorewall restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
my_mutex_off
kill $$
exit 2
fi
;;
esac
set_state "Stopping"
STOPPING="Yes"
TERMINATOR=
deletechain shorewall
run_user_exit stop
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
fi
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
fi
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc1
[ -n "$DISABLE_IPV6" ] && disable_ipv6
process_criticalhosts
if [ -n "$CRITICALHOSTS" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
for chain in INPUT OUTPUT; do
setpolicy $chain DROP
done
else
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
elif [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
process_routestopped -A
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
[Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Enabled"
;;
[Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Disabled!"
;;
esac
run_user_exit stopped
set_state "Stopped"
logger "Shorewall Stopped"
rm -rf $TMP_DIR
case $COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
my_mutex_off
kill $$
;;
esac
}
#
# Remove all rules and remove all user-defined chains
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
2006-01-18 02:42:24 +01:00
if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then
2006-01-17 00:15:51 +01:00
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
run_user_exit clear
set_state "Cleared"
logger "Shorewall Cleared"
}
2002-10-23 18:48:40 +02:00
#
2006-01-25 01:13:45 +01:00
# Process the ipsec information in the zones file
2002-10-23 18:48:40 +02:00
#
2006-01-25 01:13:45 +01:00
setup_ipsec() {
local zone using_ipsec=
2005-07-09 07:45:05 +02:00
2006-01-25 01:13:45 +01:00
do_options() # $1 = _in, _out or "" - $2 = option list
2002-05-01 01:13:15 +02:00
{
2006-01-25 01:13:45 +01:00
local option opts newoptions= val
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
[ x${2} = x- ] && return
opts=$(separate_list $2)
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
for option in $opts; do
val=${option#*=}
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
case $option in
mss=[0-9]*) ;;
strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac
done
2005-07-09 07:45:05 +02:00
2006-01-25 01:13:45 +01:00
if [ -n "$newoptions" ]; then
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
2005-07-09 06:45:32 +02:00
fi
2006-01-25 01:13:45 +01:00
}
case $IPSECFILE in
zones)
f=zones
progress_message "Setting up IPSEC..."
;;
*)
f=$IPSECFILE
strip_file $f
progress_message "Processing $f..."
using_ipsec=Yes
;;
esac
2002-06-21 17:57:01 +02:00
2006-01-25 01:13:45 +01:00
while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
2003-02-23 15:10:37 +01:00
2006-01-25 01:13:45 +01:00
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
2005-07-26 01:08:09 +02:00
fi
2005-07-09 07:45:05 +02:00
2005-09-02 22:46:53 +02:00
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
2005-10-04 16:54:56 +02:00
eval ${zone}_type=ipsec4
2005-09-02 22:46:53 +02:00
;;
*)
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
2005-09-19 16:43:22 +02:00
2005-07-26 01:08:09 +02:00
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
fi
done < $TMP_DIR/$f
2005-09-17 06:05:57 +02:00
}
2005-07-09 07:45:05 +02:00
2002-10-23 18:48:40 +02:00
#
2006-01-25 01:13:45 +01:00
# Delete existing Proxy ARP
#
delete_proxy_arp() {
if [ -f /var/lib/shorewall/proxyarp ]; then
while read address interface external haveroute; do
case $COMMAND in
stop|clear)
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
;;
*)
if [ -n "$STOPPING" ]; then
qt arp -i $external -d $address pub
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
else
qt arp -i $external -d $address pub
if [ -z "$haveroute" ];then
[ -n "$NOROUTE" ] || qt ip route del $address dev $interface
fi
fi
;;
esac
done < /var/lib/shorewall/proxyarp
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
rm -f /var/lib/shorewall/proxyarp
fi
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
case $COMMAND in
stop|clear)
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
2002-05-01 01:13:15 +02:00
;;
2002-07-06 00:24:40 +02:00
*)
2006-01-25 01:13:45 +01:00
if [ -n "$STOPPING" ]; then
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
else
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
2002-07-06 00:24:40 +02:00
fi
2002-05-01 01:13:15 +02:00
;;
2006-01-25 01:13:45 +01:00
esac
}
2002-05-01 01:13:15 +02:00
2006-01-25 01:13:45 +01:00
#
# Delete existing Static NAT
#
delete_nat() {
run_iptables -t nat -F
run_iptables -t nat -X
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
2006-01-14 21:40:15 +01:00
2006-01-25 01:13:45 +01:00
rm -f {/var/lib/shorewall}/nat
fi
2006-01-14 21:40:15 +01:00
2006-01-25 01:13:45 +01:00
[ -d $STATEDIR ] && touch $STATEDIR/nat
}
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
#
# Setup Network Mapping (NETMAP)
#
setup_netmap() {
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
while read type net1 interface net2 ; do
expandv type net1 interface net2
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
2002-05-01 01:13:15 +02:00
2006-01-25 01:13:45 +01:00
case $type in
DNAT)
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
;;
SNAT)
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
;;
*)
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
;;
esac
2005-07-09 06:45:32 +02:00
progress_message " Network $net1 on $interface mapped to $net2 ($type)"
done < $TMP_DIR/netmap
}
2003-02-24 16:24:55 +01:00
#
# Setup ECN disabling rules
#
setup_ecn() # $1 = file name
{
2003-03-21 20:23:03 +01:00
local interfaces=""
2005-07-09 07:45:05 +02:00
local hosts=
2003-02-24 16:24:55 +01:00
local h
strip_file ecn $1
2006-01-09 18:11:30 +01:00
progress_message2 "Processing $1..."
2003-02-26 00:35:22 +01:00
2003-02-24 16:24:55 +01:00
while read interface host; do
expandv interface host
2005-07-09 07:45:05 +02:00
list_search $interface $ALL_INTERFACES || \
2003-03-24 22:56:31 +01:00
startup_error "Unknown interface $interface"
2003-02-24 16:24:55 +01:00
list_search $interface $interfaces || \
interfaces="$interfaces $interface"
2003-02-24 16:35:50 +01:00
[ "x$host" = "x-" ] && host=
2005-07-09 06:45:32 +02:00
for h in $(separate_list ${host:-0.0.0.0/0}); do
2003-02-24 16:24:55 +01:00
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/ecn
if [ -n "$interfaces" ]; then
2005-07-09 06:45:32 +02:00
progress_message "Setting up ECN control on${interfaces}..."
2003-03-24 22:56:31 +01:00
2003-02-24 16:24:55 +01:00
for interface in $interfaces; do
2005-07-09 06:45:32 +02:00
chain=$(ecn_chain $interface)
2006-01-07 00:02:55 +01:00
if havemanglechain $chain; then
2003-02-24 16:24:55 +01:00
flushmangle $chain
else
2006-01-07 00:02:55 +01:00
createmanglechain $chain
2003-02-24 16:24:55 +01:00
run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
fi
done
2003-03-24 22:56:31 +01:00
2003-02-24 16:24:55 +01:00
for host in $hosts; do
interface=${host%:*}
h=${host#*:}
2005-07-09 07:45:05 +02:00
run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
2005-07-09 06:45:32 +02:00
progress_message " ECN Disabled to $h through $interface"
2003-02-24 16:24:55 +01:00
done
fi
}
2005-08-05 17:52:03 +02:00
#
2005-08-13 23:39:34 +02:00
# Set up an exclusion chain
2005-08-05 17:52:03 +02:00
#
2005-08-14 18:45:48 +02:00
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
2005-08-05 17:52:03 +02:00
{
2005-08-13 23:39:34 +02:00
local c=excl_${EXCLUSION_SEQ} net
2005-08-05 17:52:03 +02:00
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
2005-08-13 23:39:34 +02:00
run_iptables -t $2 -N $c
2005-08-05 17:52:03 +02:00
2005-08-13 23:39:34 +02:00
for net in $(separate_list $3); do
run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN
2005-08-05 17:52:03 +02:00
done
2005-08-13 23:39:34 +02:00
for net in $(separate_list $4); do
run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN
2005-08-05 17:52:03 +02:00
done
2005-08-13 23:39:34 +02:00
case $2 in
filter)
eval exists_${c}=Yes
;;
nat)
eval exists_nat_${c}=Yes
;;
esac
eval $1=$c
2005-08-05 17:52:03 +02:00
}
2005-07-09 07:55:29 +02:00
2005-10-07 00:46:17 +02:00
#
# Arne Bernin's 'tc4shorewall'
#
2005-10-06 00:51:29 +02:00
setup_traffic_shaping()
{
2005-10-07 00:46:17 +02:00
local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1
2005-10-06 00:51:29 +02:00
mtu=1500
r2q=10
rate_to_kbit() {
local rateunit rate
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
rate=$( echo $rate | sed -e 's/[a-z]*//g')
case $rateunit in
kbit)
rate=$rate
;;
mbit)
rate=$(expr $rate \* 1024)
;;
mbps)
rate=$(expr $rate \* 8192)
;;
kbps)
rate=$(expr $rate \* 8)
;;
*)
rate=$(expr $rate / 128)
;;
esac
echo $rate
}
calculate_quantum() {
local rate
rate=$1
rate=$(rate_to_kbit $rate)
rate=$(expr $rate \* 128 / $r2q )
if [ $rate -lt $mtu ] ; then
echo $mtu
else
echo $rate
fi
}
# get given outbandwidth for device
get_outband_for_dev() {
local device inband outband
while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband"
if [ "$1" = "$device" ] ; then
echo $outband
return
fi
done < $TMP_DIR/tcdevices
}
check_tcclasses_options() {
while [ $# -gt 1 ]; do
shift
case $1 in
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
;;
*)
echo $1
return 1
;;
esac
done
return 0
}
get_defmark_for_dev() {
local searchdev searchmark device ceil prio options
searchdev=$1
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
tcdev="$device $mark $rate $ceil $prio $options"
if [ "$searchdev" = "$device" ] ; then
list_search "default" $options && echo $mark &&return 0
fi
done < $TMP_DIR/tcclasses
return 1
}
check_defmark_for_dev() {
get_defmark_for_dev $1 >/dev/null
}
validate_tcdevices_file() {
2006-01-09 18:11:30 +01:00
progress_message2 "Validating $devfile..."
2005-10-06 00:51:29 +02:00
local device local device inband outband
while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband"
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
case $interface in
*:*|+)
fatal_error "Invalid Interface Name: $interface"
;;
esac
list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
tc_all_devices="$tc_all_devices $device"
done < $TMP_DIR/tcdevices
}
validate_tcclasses_file() {
2006-01-09 18:11:30 +01:00
progress_message2 "Validating $classfile..."
2005-10-06 00:51:29 +02:00
local classlist device mark rate ceil prio bandw wrongopt allopts opt
allopts=""
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options"
ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
for opt in $options; do
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
allopts="$allopts $device-$opt"
done
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
if [ -z "$ratew" ] ; then
fatal_error "device $device seems not to be configured in tcdevices"
fi
list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses"
classlist="$classlist $device-$mark"
done < $TMP_DIR/tcclasses
}
add_root_tc() {
local defmark
defmark=$(get_defmark_for_dev $device)
2006-01-25 01:13:45 +01:00
qt tc qdisc del dev $device root
qt tc qdisc del dev $device ingress
run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark
run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband
run_tc qdisc add dev $device handle ffff: ingress
run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
2005-10-07 00:46:17 +02:00
eval $(chain_base $device)_devnum=$devnum
devnum=$(($devnum + 1))
2005-10-06 00:51:29 +02:00
}
add_tc_class() {
2005-10-07 00:46:17 +02:00
local full classid
2005-10-06 00:51:29 +02:00
full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full)
if [ -z "$prio" ] ; then
prio=1
fi
case $rate in
*full*)
rate=$(echo $rate | sed -e "s/full/$full/")
rate="$(($rate))kbit"
;;
esac
case $ceil in
*full*)
ceil=$(echo $ceil | sed -e "s/full/$full/")
ceil="$(($ceil))kbit"
;;
esac
2005-10-07 00:46:17 +02:00
eval devnum=\$$(chain_base $device)_devnum
classid=$devnum:1$mark
[ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile"
2006-01-25 01:13:45 +01:00
run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio quantum $(calculate_quantum $rate)
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
2005-10-06 00:51:29 +02:00
# add filters
2005-10-06 02:07:06 +02:00
if [ -n "$CLASSIFY_TARGET" ]; then
2005-10-07 00:46:17 +02:00
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid
2005-10-06 02:07:06 +02:00
else
2006-01-25 01:13:45 +01:00
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
2005-10-06 02:07:06 +02:00
fi
2005-10-06 16:21:04 +02:00
#options
2006-01-25 01:13:45 +01:00
list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
list_search "tos-minimize-delay" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid $classid
list_search "tos-minimize-cost" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x02 0xff flowid $classid
list_search "tos-maximize-troughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0xff flowid $classid
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0xff flowid $classid
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0xff flowid $classid
2005-10-06 00:51:29 +02:00
# tcp
}
2005-10-06 02:41:24 +02:00
strip_file tcdevices $devfile
strip_file tcclasses $classfile
2005-10-06 00:51:29 +02:00
validate_tcdevices_file
validate_tcclasses_file
2006-01-23 00:41:56 +01:00
if [ -s $TMP_DIR/tcdevices ]; then
progress_message2 "Processing $devfile..."
2005-10-06 00:51:29 +02:00
2006-01-23 00:41:56 +01:00
while read device inband outband defmark ackmark; do
expandv device inband outband defmark ackmark
tcdev="$device $inband $outband"
add_root_tc
progress_message " TC Device $tcdev Added."
done < $TMP_DIR/tcdevices
fi
if [ -s $TMP_DIR/tcclasses ]; then
progress_message2 "Processing $classfile..."
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options"
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
add_tc_class
progress_message " TC Class \"$tcdev\" Added."
done < $TMP_DIR/tcclasses
2005-10-06 00:51:29 +02:00
fi
2006-01-23 00:41:56 +01:00
2005-10-06 00:51:29 +02:00
}
2002-10-23 18:48:40 +02:00
#
2005-07-09 07:45:05 +02:00
# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
2003-01-24 00:18:40 +01:00
# default marking chain
2002-10-23 18:48:40 +02:00
#
2002-05-01 01:13:15 +02:00
process_tc_rule()
{
2005-07-09 07:55:29 +02:00
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
2005-07-09 07:45:05 +02:00
verify_designator() {
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
chain=$1
mark="${mark%:*}"
}
2005-10-04 20:20:28 +02:00
do_ipp2p()
{
2005-10-04 20:46:35 +02:00
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
2005-10-05 18:45:50 +02:00
[ "x$port" = "x-" ] && port="ipp2p"
2005-10-04 20:46:35 +02:00
2005-10-04 20:20:28 +02:00
case $proto in
2005-10-05 18:45:50 +02:00
*:*)
proto=${proto#*:}
2005-10-04 20:20:28 +02:00
;;
*)
2005-10-05 18:45:50 +02:00
proto=tcp
2005-10-04 20:20:28 +02:00
;;
esac
2005-10-05 18:45:50 +02:00
r="${r}-p $proto -m ipp2p --${port} "
2005-10-04 20:20:28 +02:00
}
2002-05-01 01:13:15 +02:00
add_a_tc_rule() {
r=
2002-07-06 00:24:40 +02:00
if [ "x$source" != "x-" ]; then
2002-05-01 01:13:15 +02:00
case $source in
2005-07-09 07:55:29 +02:00
$FW:*)
2005-08-16 20:54:11 +02:00
[ $chain = tcpost ] || chain=tcout
2005-08-02 18:46:30 +02:00
r="$(source_ip_range ${source#*:}) "
2005-07-09 07:55:29 +02:00
;;
*.*.*|+*|!+*)
2005-07-09 07:45:05 +02:00
r="$(source_ip_range $source) "
2002-11-09 16:56:29 +01:00
;;
~*)
2005-07-09 06:45:32 +02:00
r="$(mac_match $source) "
2002-11-09 16:56:29 +01:00
;;
$FW)
2005-08-16 20:54:11 +02:00
[ $chain = tcpost ] || chain=tcout
2002-11-09 16:56:29 +01:00
;;
2005-09-19 16:43:22 +02:00
*)
2005-07-09 06:45:32 +02:00
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
2005-12-12 19:52:40 +01:00
r="$(match_source_dev $source) "
2002-11-09 16:56:29 +01:00
;;
2002-05-01 01:13:15 +02:00
esac
fi
2003-01-24 00:18:40 +01:00
2004-03-04 16:24:59 +01:00
if [ "x${user:--}" != "x-" ]; then
2004-01-22 21:24:56 +01:00
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
2005-07-09 07:55:29 +02:00
r="$r-m owner"
2005-09-19 16:43:22 +02:00
2005-07-09 07:55:29 +02:00
case "$user" in
*+*)
r="$r --cmd-owner ${user#*+} "
user=${user%+*}
;;
esac
2004-01-22 21:24:56 +01:00
case "$user" in
*:*)
temp="${user%:*}"
2005-08-02 18:46:30 +02:00
[ -n "$temp" ] && r="$r --uid-owner $temp "
2004-01-22 21:24:56 +01:00
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
2005-07-09 07:55:29 +02:00
[ -n "$user" ] && r="$r --uid-owner $user "
2004-01-22 21:24:56 +01:00
;;
esac
fi
2005-07-09 07:45:05 +02:00
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
if [ "x$dest" != "x-" ]; then
case $dest in
2005-07-09 07:55:29 +02:00
*.*.*|+*|!+*)
2005-07-09 07:45:05 +02:00
r="${r}$(dest_ip_range $dest) "
;;
*)
2005-07-10 01:23:45 +02:00
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain"
2005-07-09 07:45:05 +02:00
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
;;
esac
fi
2006-01-17 18:08:41 +01:00
if [ "x${length:=-}" != "x-" ]; then
2006-01-17 00:15:51 +01:00
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
r="${r}-m length --length ${length} "
2006-01-15 23:54:12 +01:00
fi
2005-08-13 00:11:30 +02:00
multiport=
2005-09-19 16:43:22 +02:00
case $proto in
2005-10-04 20:46:35 +02:00
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
2005-10-04 20:20:28 +02:00
do_ipp2p
2005-10-04 20:00:55 +02:00
;;
2005-09-19 16:43:22 +02:00
icmp|ICMP|1)
r="${r}-p icmp "
2005-09-21 21:10:01 +02:00
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
2005-09-19 16:43:22 +02:00
;;
*)
2005-09-21 21:05:01 +02:00
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
2005-09-19 16:43:22 +02:00
;;
esac
2005-07-09 07:45:05 +02:00
2005-08-13 01:57:35 +02:00
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
2002-05-01 01:13:15 +02:00
2005-08-16 20:54:11 +02:00
if [ -n "${excludesources}${excludedests}" ]; then
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
run_iptables2 -t mangle -A $chain $r -j $chain1
run_iptables -t mangle -A $chain1 -j $target $mark
else
run_iptables2 -t mangle -A $chain $r -j $target $mark
fi
2002-05-01 01:13:15 +02:00
}
2003-10-25 02:54:01 +02:00
if [ "$mark" != "${mark%:*}" ]; then
case "${mark#*:}" in
p|P)
2005-07-09 07:45:05 +02:00
verify_designator tcpre
;;
cp|CP)
verify_designator tcpre
target="CONNMARK --set-mark"
2003-10-25 02:54:01 +02:00
;;
f|F)
2005-07-09 07:45:05 +02:00
verify_designator tcfor
;;
cf|CF)
verify_designator tcfor
target="CONNMARK --set-mark"
;;
c|C)
target="CONNMARK --set-mark"
mark=${mark%:*}
2003-10-25 02:54:01 +02:00
;;
*)
2005-07-09 07:45:05 +02:00
chain=tcpost
2005-09-19 16:43:22 +02:00
target="CLASSIFY --set-class"
2003-10-25 02:54:01 +02:00
;;
esac
2005-09-19 16:43:22 +02:00
2003-10-25 02:54:01 +02:00
fi
2005-07-09 07:45:05 +02:00
case $mark in
SAVE)
2005-07-09 07:55:29 +02:00
target="CONNMARK --save-mark --mask 255"
2005-07-09 07:45:05 +02:00
mark=
;;
SAVE/*)
target="CONNMARK --save-mark --mask"
mark=${mark#*/}
2005-07-09 07:55:29 +02:00
verify_mark $mark
2005-07-09 07:45:05 +02:00
;;
RESTORE)
2005-07-09 07:55:29 +02:00
target="CONNMARK --restore-mark --mask 255"
2005-07-09 07:45:05 +02:00
mark=
;;
RESTORE/*)
target="CONNMARK --restore-mark --mask"
mark=${mark#*/}
2005-07-09 07:55:29 +02:00
verify_mark $mark
2005-07-09 07:45:05 +02:00
;;
CONTINUE)
target=RETURN
mark=
;;
2005-07-09 07:55:29 +02:00
*)
if [ "$chain" != tcpost ]; then
verify_mark $mark
fi
;;
2005-09-19 16:43:22 +02:00
esac
2005-07-09 07:45:05 +02:00
case $testval in
-)
;;
!*:C)
marktest="connmark ! "
testval=${testval%:*}
testval=${testval#!}
;;
*:C)
marktest="connmark "
testval=${testval%:*}
;;
!*)
marktest="mark ! "
testval=${testval#!}
;;
*)
[ -n "$testval" ] && marktest="mark "
;;
esac
2005-07-09 07:55:29 +02:00
if [ -n "$marktest" ] ; then
case $testval in
*/*)
verify_mark ${testval%/*}
verify_mark ${testval#*/}
;;
*)
verify_mark $testval
testval=$testval/255
;;
esac
fi
2005-08-16 20:54:11 +02:00
excludesources=
case ${sources:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $sourcess) -gt 1 ]; then
excludesources=${sources#!}
sources=-
fi
;;
*!*)
excludesources=${sources#*!}
sources=${sources%!*}
;;
esac
excludedests=
case ${dests:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $dests) -gt 1 ]; then
excludedests=${dests#*!}
dests=-
fi
;;
*!*)
excludedests=${dests#*!}
dests=${dests%!*}
;;
esac
2005-09-17 06:05:57 +02:00
2005-08-16 20:54:11 +02:00
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
2005-07-09 06:45:32 +02:00
for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do
2002-05-01 01:13:15 +02:00
add_a_tc_rule
done
done
2002-07-06 00:24:40 +02:00
done
2002-05-01 01:13:15 +02:00
done
2006-01-23 00:41:56 +01:00
progress_message " TC Rule \"$rule\" added"
2002-05-01 01:13:15 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Setup queuing and classes
#
2002-12-04 22:17:14 +01:00
setup_tc1() {
2002-05-01 01:13:15 +02:00
#
# Create the TC mangle chains
#
2003-02-23 15:10:37 +01:00
2006-01-07 00:02:55 +01:00
createmanglechain tcpre
createmanglechain tcfor
createmanglechain tcout
createmanglechain tcpost
2002-05-01 01:13:15 +02:00
#
# Process the TC Rules File
#
strip_file tcrules
2006-01-15 23:54:12 +01:00
while read mark sources dests proto ports sports user testval length; do
expandv mark sources dests proto ports sports user testval length
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
2002-05-01 01:13:15 +02:00
process_tc_rule
done < $TMP_DIR/tcrules
#
# Link to the TC mangle chains from the main chains
#
2003-02-23 15:10:37 +01:00
2005-08-01 19:17:24 +02:00
if [ -n "$ROUTEMARK_INTERFACES" ]; then
#
2005-09-19 16:43:22 +02:00
# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
2005-08-01 19:17:24 +02:00
# packets that are not part of a marked connection to the 'tcpre/tcout' chains
#
run_iptables -t mangle -A PREROUTING -m mark --mark 0 -j tcpre
run_iptables -t mangle -A OUTPUT -m mark --mark 0 -j tcout
else
run_iptables -t mangle -A PREROUTING -j tcpre
run_iptables -t mangle -A OUTPUT -j tcout
fi
2005-07-09 07:45:05 +02:00
run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A POSTROUTING -j tcpost
2002-05-01 01:13:15 +02:00
2005-10-09 18:21:15 +02:00
if [ -n "$TC_SCRIPT" ]; then
2005-10-08 00:16:03 +02:00
run_user_exit $TC_SCRIPT
2005-10-09 17:47:47 +02:00
elif [ -n "$TC_ENABLED" ]; then
2005-10-06 00:51:29 +02:00
setup_traffic_shaping
2005-07-09 07:45:05 +02:00
fi
2002-05-01 01:13:15 +02:00
}
2002-12-04 22:17:14 +01:00
setup_tc() {
2006-01-09 18:11:30 +01:00
progress_message2 "Setting up Traffic Control Rules..."
2002-12-04 22:17:14 +01:00
setup_tc1
}
2002-10-23 18:48:40 +02:00
#
# Clear Traffic Shaping
#
2002-05-01 01:13:15 +02:00
delete_tc()
{
clear_one_tc() {
2006-01-25 01:13:45 +01:00
tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null
2005-07-09 06:45:32 +02:00
}
run_user_exit tcclear
2006-01-23 00:41:56 +01:00
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
2005-07-09 06:45:32 +02:00
}
2003-02-27 23:28:06 +01:00
#
2006-01-25 01:13:45 +01:00
# Refresh queuing and classes
2003-08-10 03:11:50 +02:00
#
2006-01-25 01:13:45 +01:00
refresh_tc() {
2005-09-19 16:43:22 +02:00
2006-01-25 01:13:45 +01:00
progress_message2 "Refreshing Traffic Control Rules..."
2003-08-10 18:01:21 +02:00
2006-01-25 01:13:45 +01:00
[ -n "$CLEAR_TC" ] && delete_tc1
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
2003-02-23 15:10:37 +01:00
2006-01-07 00:02:55 +01:00
if qt $IPTABLES -t mangle -L $chain -n ; then
2002-12-04 22:17:14 +01:00
#
# Flush the TC mangle chains
#
2005-10-05 18:45:50 +02:00
run_iptables -t mangle -F tcfor
run_iptables -t mangle -F tcpre
2002-12-04 22:17:14 +01:00
run_iptables -t mangle -F tcout
2005-10-04 19:04:19 +02:00
run_iptables -t mangle -F tcpost
2002-12-04 22:17:14 +01:00
#
# Process the TC Rules File
#
strip_file tcrules
2006-01-15 23:54:12 +01:00
while read mark sources dests proto ports sports user testval length; do
expandv mark sources dests proto ports sports user testval length
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
2003-02-23 15:10:37 +01:00
process_tc_rule
2002-12-04 22:17:14 +01:00
done < $TMP_DIR/tcrules
else
setup_tc1
2005-09-28 20:29:11 +02:00
fi
2005-09-02 01:00:30 +02:00
2005-10-08 00:16:03 +02:00
if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT
2005-10-09 17:47:47 +02:00
elif [ -n "$TC_ENABLED" ]; then
2005-10-06 00:51:29 +02:00
setup_traffic_shaping
2002-12-04 22:17:14 +01:00
fi
}
2003-12-04 03:01:08 +01:00
#
2006-01-25 01:13:45 +01:00
# Display elements of a list with leading white space
2003-12-04 03:01:08 +01:00
#
2006-01-25 01:13:45 +01:00
display_list() # $1 = List Title, rest of $* = list to display
2003-12-04 03:01:08 +01:00
{
2006-01-25 01:13:45 +01:00
[ $# -gt 1 ] && echo " $*"
2003-12-04 03:01:08 +01:00
}
2006-01-25 01:13:45 +01:00
policy_rules() # $1 = chain to add rules to
# $2 = policy
# $3 = loglevel
2003-12-04 03:01:08 +01:00
{
2006-01-25 01:13:45 +01:00
local target="$2"
2003-12-04 03:01:08 +01:00
2006-01-25 01:13:45 +01:00
case "$target" in
ACCEPT)
[ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
;;
DROP)
[ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common
;;
2003-12-04 03:01:08 +01:00
REJECT)
2006-01-25 01:13:45 +01:00
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
2003-12-04 03:01:08 +01:00
target=reject
;;
2006-01-25 01:13:45 +01:00
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
2005-07-09 06:45:32 +02:00
CONTINUE)
2006-01-25 01:13:45 +01:00
target=
2005-07-09 06:45:32 +02:00
;;
2003-12-04 03:01:08 +01:00
*)
2006-01-25 01:13:45 +01:00
fatal_error "Invalid policy ($policy) for $1"
2005-11-15 19:44:02 +01:00
;;
esac
2005-07-26 01:08:09 +02:00
2006-01-25 01:13:45 +01:00
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
log_rule $3 $1 $2
fi
2006-01-12 00:30:33 +01:00
2006-01-25 01:13:45 +01:00
[ -n "$target" ] && run_iptables -A $1 -j $target
}
2004-01-24 00:48:30 +01:00
2006-01-25 01:13:45 +01:00
#
# Add a record to the blacklst chain
#
# $source = address match
# $proto = protocol selector
# $dport = destination port selector
#
add_blacklist_rule() {
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
fi
2002-05-01 01:13:15 +02:00
2006-01-25 01:13:45 +01:00
run_iptables2 -A blacklst $source $proto $dport -j $disposition
}
2002-10-01 22:54:42 +02:00
2006-01-25 01:13:45 +01:00
#
# Process a record from the blacklist file
#
# $networks = address/networks
# $protocol = Protocol Number/Name
# $port = Port Number/Name
#
process_blacklist_rec() {
local source
local addr
local proto
local dport
local temp
local setname
2002-05-18 21:04:45 +02:00
2006-01-25 01:13:45 +01:00
for addr in $(separate_list $networks); do
case $addr in
-)
source=
;;
~*)
addr=$(echo $addr | sed 's/~//;s/-/:/g')
source="--match mac --mac-source $addr"
;;
*)
source="$(source_ip_range $addr)"
;;
esac
2003-10-15 20:34:05 +02:00
2006-01-25 01:13:45 +01:00
if [ -n "$protocol" ]; then
proto=" -p $protocol "
2003-10-15 20:34:05 +02:00
2006-01-25 01:13:45 +01:00
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
$(list_count $ports) -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in $(separate_list $ports); do
dport="--dport $dport"
add_blacklist_rule
done
2005-07-09 06:45:32 +02:00
fi
2006-01-25 01:13:45 +01:00
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in $(separate_list $ports); do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
2005-07-09 06:45:32 +02:00
fi
;;
2006-01-25 01:13:45 +01:00
*)
add_blacklist_rule
;;
2005-07-09 06:45:32 +02:00
esac
2006-01-25 01:13:45 +01:00
else
add_blacklist_rule
2005-07-26 01:08:09 +02:00
fi
2006-01-25 01:13:45 +01:00
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
2002-09-15 00:00:52 +02:00
2006-01-25 01:13:45 +01:00
progress_message " $addr added to Black List"
done
}
2005-07-26 01:08:09 +02:00
2006-01-25 01:13:45 +01:00
#
# Refresh the Black List
#
refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
2006-01-12 00:30:33 +01:00
2006-01-25 01:13:45 +01:00
if qt $IPTABLES -L blacklst -n ; then
progress_message2 "Loading Black List..."
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
strip_file blacklist $f
2005-09-18 00:37:32 +02:00
2006-01-25 01:13:45 +01:00
[ "$disposition" = REJECT ] && disposition=reject
2005-09-19 16:43:22 +02:00
2006-01-25 01:13:45 +01:00
run_iptables -F blacklst
2005-09-18 00:37:32 +02:00
2006-01-25 01:13:45 +01:00
while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
fi
}
2003-10-15 20:34:05 +02:00
2006-01-25 01:13:45 +01:00
#
# Verify the Black List
#
validate_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
2005-07-09 07:55:29 +02:00
2006-01-25 01:13:45 +01:00
progress_message2 "Checking Black List..."
2002-05-01 01:13:15 +02:00
2006-01-25 01:13:45 +01:00
strip_file blacklist $f
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
[ "$disposition" = REJECT ] && disposition=reject
2005-07-09 06:45:32 +02:00
2006-01-25 01:13:45 +01:00
while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
}
2005-07-26 01:08:09 +02:00
2006-01-25 01:13:45 +01:00
#
# Verify that kernel has netfilter support
#
verify_os_version() {
2005-08-02 18:46:30 +02:00
2006-01-25 01:13:45 +01:00
osversion=$(uname -r)
2005-07-09 07:45:05 +02:00
2006-01-25 01:13:45 +01:00
case $osversion in
2.4.*|2.5.*|2.6.*)
;;
*)
startup_error "Shorewall version $VERSION does not work with kernel version $osversion"
;;
esac
2005-07-09 07:45:05 +02:00
2006-01-25 01:13:45 +01:00
[ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \
startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8"
2002-05-01 01:13:15 +02:00
}
2002-10-23 18:48:40 +02:00
#
2003-07-28 19:32:41 +02:00
# Check for disabled startup
2002-10-23 18:48:40 +02:00
#
2003-07-28 19:32:41 +02:00
check_disabled_startup() {
2005-07-09 07:45:05 +02:00
if [ -z "$STARTUP_ENABLED" ]; then
2002-09-19 22:40:10 +02:00
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
2005-07-09 07:45:05 +02:00
echo " change the setting of STARTUP_ENABLED to Yes in"
echo " /etc/shorewall/shorewall.conf"
2002-09-19 22:40:10 +02:00
2002-09-29 23:28:44 +02:00
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
2002-09-19 22:40:10 +02:00
my_mutex_off
exit 2
fi
2003-07-28 19:32:41 +02:00
}
2006-01-17 21:03:00 +01:00
#
2006-01-23 00:41:56 +01:00
# Refresh the firewall
2006-01-17 21:03:00 +01:00
#
2006-01-23 00:41:56 +01:00
refresh_firewall()
{
#
2006-01-17 21:03:00 +01:00
2006-01-25 01:13:45 +01:00
progress_message3 "Refreshing Shorewall..."
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
progress_message2 "Determining Zones and Interfaces..."
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
determine_zones
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
validate_interfaces_file
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
determine_interfaces
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
run_user_exit refresh
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
#
# Blacklist
#
refresh_blacklist
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
ecn=$(find_file ecn)
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
#
# Refresh Traffic Control
#
[ -n "$MANGLE_ENABLED" ] && refresh_tc
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
report "Shorewall Refreshed"
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
rm -rf $TMP_DIR
}
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
#
# Add a host or networks to a zone
#
add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
{
local interface host zone z h z1 z2 chain
local dhcp_interfaces blacklist_interfaces maclist_interfaces
local tcpflags_interfaces newhostlist=
local rulenum source_chain dest_hosts iface hosts hostlist=
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
nat_chain_exists() # $1 = chain name
{
qt $IPTABLES -t nat -L $1 -n
}
2006-01-17 21:03:00 +01:00
2006-01-23 00:41:56 +01:00
do_iptables() # $@ = command
{
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
2006-01-12 00:30:33 +01:00
if ! $IPTABLES $@ ; then
2006-01-15 03:19:04 +01:00
error_message "ERROR: Can't add $newhost to zone $zone"
2006-01-12 00:30:33 +01:00
fi
}
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
2006-01-12 00:42:06 +01:00
f=$(find_file $IPSECFILE)
2006-01-12 00:30:33 +01:00
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
#
# Check for duplicates and create a new zone state file
#
> /var/lib/shorewall/zones_$$
while read z type hosts; do
if [ "$z" = "$zone" ]; then
for h in $hostlist; do
list_search $h $hosts
if [ "$?" -gt 0 ]; then
newhostlist="$newhostlist $h"
else
error_message "$h already in zone $zone"
fi
done
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$
done < /var/lib/shorewall/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
TERMINATOR=fatal_error
#
# Create a new Zone state file
#
for newhost in $newhostlist; do
#
# Isolate interface and host parts
#
interface=${newhost%%:*}
host=${newhost#*:}
#
# If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s)#
#
chain=${zone}_dnat
if nat_chain_exists $chain; then
do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
fi
#
# Insert new rules into the filter table for the passed interface
#
while read z1 z2 chain; do
[ "$z1" = "$z2" ] && op="-I" || op="-A"
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $newhost ; then
do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
#
# Add a rule to the dynamic out chain for the interface
#
do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
fi
fi
done
fi
fi
done < /var/lib/shorewall/chains
progress_message "$newhost added to zone $zone"
done
rm -rf $TMP_DIR
}
#
# Delete a host or networks from a zone
#
delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
{
local interface host zone z h z1 z2 chain delhost
local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
local rulenum source_chain dest_hosts iface hosts hostlist=
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file ipsec)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
#
# Delete the passed hosts from the zone state file
#
> /var/lib/shorewall/zones_$$
while read z hosts; do
if [ "$z" = "$zone" ]; then
temp=$hosts
hosts=
for host in $hostlist; do
found=
for h in $temp; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
2006-01-15 03:19:04 +01:00
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
2006-01-12 00:30:33 +01:00
done
for h in $temp; do
found=
for host in $hostlist; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || hosts="$hosts $h"
done
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> /var/lib/shorewall/zones_$$
done < /var/lib/shorewall/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
TERMINATOR=fatal_error
for delhost in $hostlist; do
interface=${delhost%%:*}
host=${delhost#*:}
#
# Delete any nat table entries for the host(s)
#
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $delhost ; then
qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
fi
fi
done
fi
fi
done < /var/lib/shorewall/chains
progress_message "$delhost removed from zone $zone"
done
rm -rf $TMP_DIR
}
2002-10-23 18:48:40 +02:00
#
# Determine the value for a parameter that defaults to Yes
#
2002-05-01 01:13:15 +02:00
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
2002-07-06 00:24:40 +02:00
[Yy][Ee][Ss])
2002-05-01 01:13:15 +02:00
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
2002-10-23 18:48:40 +02:00
#
# Determine the value for a parameter that defaults to No
#
2002-05-01 01:13:15 +02:00
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
2002-07-06 00:24:40 +02:00
[Yy][Ee][Ss])
2002-05-01 01:13:15 +02:00
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
2002-10-23 18:48:40 +02:00
#
# Initialize this program
#
2002-05-01 01:13:15 +02:00
do_initialize() {
2005-08-02 18:46:30 +02:00
2002-05-01 01:13:15 +02:00
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
2005-07-09 07:45:05 +02:00
# Make sure umask is sane
2006-01-21 00:34:19 +01:00
umask 077
2005-07-09 07:45:05 +02:00
2002-05-01 01:13:15 +02:00
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
2002-10-23 18:48:40 +02:00
#
2003-02-23 15:10:37 +01:00
# Establish termination function
#
2005-08-01 19:17:24 +02:00
TERMINATOR=startup_error
2003-02-23 15:10:37 +01:00
#
2002-05-01 01:13:15 +02:00
# Clear all configuration variables
#
2006-01-13 00:45:33 +01:00
VERSION=
2005-07-09 07:45:05 +02:00
IPTABLES=
2002-05-01 01:13:15 +02:00
FW=
SUBSYSLOCK=
2003-02-08 21:58:44 +01:00
ALLOWRELATED=Yes
2002-05-01 01:13:15 +02:00
LOGRATE=
LOGBURST=
LOGPARMS=
2003-08-22 17:27:08 +02:00
LOGLIMIT=
2002-05-01 01:13:15 +02:00
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
2005-10-09 17:47:47 +02:00
TC_ENABLED=
2002-05-01 01:13:15 +02:00
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
2005-07-09 07:45:05 +02:00
LOG_MARTIANS=
2002-07-09 23:21:28 +02:00
DETECT_DNAT_IPADDRS=
2002-07-24 05:47:34 +02:00
MUTEX_TIMEOUT=
2002-08-12 19:33:05 +02:00
FORWARDPING=
2002-10-22 20:07:52 +02:00
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
2002-11-10 22:34:20 +01:00
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
2002-12-13 04:23:46 +01:00
RFC1918_LOG_LEVEL=
2002-12-16 20:25:20 +01:00
MARK_IN_FORWARD_CHAIN=
2003-02-08 21:58:44 +01:00
SHARED_DIR=/usr/share/shorewall
2003-01-07 00:01:23 +01:00
FUNCTIONS=
VERSION_FILE=
2003-05-21 23:36:05 +02:00
LOGFORMAT=
2003-05-27 19:42:12 +02:00
LOGRULENUMBERS=
2003-07-30 01:04:04 +02:00
ADMINISABSENTMINDED=
2003-10-11 18:06:00 +02:00
BLACKLISTNEWONLY=
2003-12-01 17:10:08 +01:00
MODULE_SUFFIX=
2003-12-04 03:01:08 +01:00
ACTIONS=
2005-07-09 06:45:32 +02:00
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
2006-01-12 00:30:33 +01:00
DYNAMIC_ZONES=
2005-07-09 06:45:32 +02:00
PKTTYPE=
2005-08-14 21:26:17 +02:00
USEPKTYPE=
2005-07-09 07:45:05 +02:00
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
2005-07-09 07:55:29 +02:00
SAVE_IPSETS=
RESTOREFILE=
2005-07-26 01:08:09 +02:00
MAPOLDACTIONS=
2005-07-09 07:45:05 +02:00
2005-07-09 06:45:32 +02:00
RESTOREBASE=
TMP_DIR=
2005-07-09 07:45:05 +02:00
ALL_INTERFACES=
2005-07-09 07:55:29 +02:00
ROUTEMARK_INTERFACES=
2005-08-01 22:35:28 +02:00
IPSECMARK=256
2005-07-09 07:55:29 +02:00
PROVIDERS=
2005-07-26 01:08:09 +02:00
CRITICALHOSTS=
IPSECFILE=
2005-08-05 17:52:03 +02:00
EXCLUSION_SEQ=1
2005-08-23 22:41:18 +02:00
STOPPING=
HAVE_MUTEX=
ALIASES_TO_ADD=
2005-08-27 16:39:43 +02:00
SECTION=ESTABLISHED
2005-08-26 19:16:09 +02:00
SECTIONS=
2005-12-21 05:05:27 +01:00
ALL_PORTS=
2002-05-01 01:13:15 +02:00
2003-03-08 18:55:34 +01:00
FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then
2006-01-23 02:41:24 +01:00
[ $VERBOSE -gt 1 ] && echo "Loading $FUNCTIONS..."
2003-03-08 18:55:34 +01:00
. $FUNCTIONS
2003-03-07 00:21:25 +01:00
else
2003-03-08 18:55:34 +01:00
startup_error "$FUNCTIONS does not exist!"
2003-03-07 00:21:25 +01:00
fi
2005-07-09 06:45:32 +02:00
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
startup_error "Can't create a temporary directory"
2006-01-17 18:00:54 +01:00
trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
2005-07-09 06:45:32 +02:00
ensure_config_path
2003-03-08 19:01:32 +01:00
VERSION_FILE=$SHARED_DIR/version
2006-01-13 00:45:33 +01:00
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
2003-03-08 19:01:32 +01:00
2003-03-08 18:55:34 +01:00
run_user_exit params
2003-03-07 00:21:25 +01:00
2005-07-09 06:45:32 +02:00
config=$(find_file shorewall.conf)
2003-02-23 15:10:37 +01:00
2003-01-07 00:01:23 +01:00
if [ -f $config ]; then
2005-07-09 06:45:32 +02:00
if [ -r $config ]; then
2006-01-09 18:11:30 +01:00
progress_message "Processing $config..."
2005-07-09 06:45:32 +02:00
. $config
else
2005-09-18 00:37:32 +02:00
startup_error "Cannot read $config (Hint: Are you root?)"
2005-07-09 06:45:32 +02:00
fi
2003-01-07 00:01:23 +01:00
else
2005-09-18 00:37:32 +02:00
startup_error "$config does not exist!"
2002-05-01 01:13:15 +02:00
fi
2003-07-22 16:25:36 +02:00
#
2005-07-09 06:45:32 +02:00
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
2003-07-22 16:25:36 +02:00
# Determine the capabilities of the installed iptables/netfilter
2005-08-02 18:46:30 +02:00
# We load the kernel modules here to accurately determine
2005-07-09 06:45:32 +02:00
# capabilities when module autoloading isn't enabled.
2003-07-22 16:25:36 +02:00
#
2006-01-20 22:41:03 +01:00
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
2005-07-09 06:45:32 +02:00
2005-09-28 22:28:01 +02:00
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
2006-01-21 00:34:19 +01:00
if [ -z "$EXPORT" ]; then
2006-01-20 22:41:03 +01:00
2006-01-21 00:34:19 +01:00
load_kernel_modules
2005-07-09 07:45:05 +02:00
2006-01-20 22:41:03 +01:00
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
2005-07-09 07:45:05 +02:00
2006-01-20 22:41:03 +01:00
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
2006-01-21 00:34:19 +01:00
determine_capabilities
2005-07-09 07:45:05 +02:00
2006-01-21 00:34:19 +01:00
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
2002-05-01 01:13:15 +02:00
2006-01-21 00:34:19 +01:00
else
f=$(find_file capabilities)
[ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
fi
2002-05-01 01:13:15 +02:00
2005-07-09 06:45:32 +02:00
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
2003-02-08 21:58:44 +01:00
[ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported"
2005-07-09 06:45:32 +02:00
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
2002-05-01 01:13:15 +02:00
if [ -n "${LOGRATE}${LOGBURST}" ]; then
2003-08-22 17:27:08 +02:00
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
2002-05-01 01:13:15 +02:00
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
2002-07-06 00:24:40 +02:00
;;
*)
2002-05-01 01:13:15 +02:00
startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
2005-10-06 00:51:29 +02:00
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
2005-08-02 18:46:30 +02:00
2005-07-09 07:45:05 +02:00
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
2005-08-02 18:46:30 +02:00
2005-07-09 06:45:32 +02:00
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
2005-07-09 07:45:05 +02:00
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
2005-07-09 06:45:32 +02:00
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
2003-02-08 21:58:44 +01:00
[ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported"
2003-06-12 01:57:35 +02:00
maclist_target=reject
2003-02-23 15:10:37 +01:00
2002-10-22 20:07:52 +02:00
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
2005-07-18 00:08:15 +02:00
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
2002-10-22 20:07:52 +02:00
;;
*)
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
2003-06-12 01:57:35 +02:00
MACLIST_DISPOSITION=REJECT
2002-10-22 20:07:52 +02:00
fi
2002-11-10 22:34:20 +01:00
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
2005-09-28 22:28:01 +02:00
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
2005-07-09 06:45:32 +02:00
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
2005-07-09 07:45:05 +02:00
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
2005-10-06 00:51:29 +02:00
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
2005-08-02 18:46:30 +02:00
2003-05-22 22:37:24 +02:00
if [ -n "$LOGFORMAT" ]; then
2005-07-09 06:45:32 +02:00
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
2003-05-27 19:49:13 +02:00
LOGRULENUMBERS=Yes
2005-07-09 06:45:32 +02:00
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
2003-05-28 21:20:23 +02:00
if [ $? -ne 0 ]; then
2003-05-27 19:49:13 +02:00
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
2005-07-09 06:45:32 +02:00
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
2003-05-28 21:20:23 +02:00
if [ $? -ne 0 ]; then
2003-05-27 19:49:13 +02:00
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
2003-05-22 22:37:24 +02:00
fi
2003-05-28 21:20:23 +02:00
2005-07-09 07:45:05 +02:00
[ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
2003-05-22 22:37:24 +02:00
else
2003-05-27 19:42:12 +02:00
LOGFORMAT="Shorewall:%s:%s:"
2003-05-22 22:37:24 +02:00
fi
2005-07-09 06:45:32 +02:00
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
2006-01-12 00:30:33 +01:00
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
2005-07-09 07:45:05 +02:00
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
2006-01-07 06:34:24 +01:00
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
2005-07-09 07:45:05 +02:00
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
2005-07-26 01:08:09 +02:00
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
2005-08-02 18:46:30 +02:00
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
2005-08-11 21:53:07 +02:00
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
2005-07-26 01:08:09 +02:00
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
2005-10-06 22:01:51 +02:00
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
2005-10-09 17:47:47 +02:00
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
2005-10-08 00:16:03 +02:00
fi
2005-07-26 01:08:09 +02:00
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
2003-01-07 00:01:23 +01:00
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
2003-06-27 23:02:52 +02:00
#
2003-07-01 22:29:01 +02:00
# Check out the user's shell
#
2005-09-28 22:28:01 +02:00
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
2003-06-27 23:02:52 +02:00
2005-08-02 18:46:30 +02:00
temp=$(decodeaddr 192.168.1.1)
2005-07-09 06:45:32 +02:00
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
2003-07-01 22:29:01 +02:00
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
2005-07-09 06:45:32 +02:00
rm -f $TMP_DIR/physdev
2005-07-09 07:45:05 +02:00
rm -f $TMP_DIR/iprange
2002-05-01 01:13:15 +02:00
}
2002-10-23 18:48:40 +02:00
#
# Give Usage Information
#
2002-05-01 01:13:15 +02:00
usage() {
2006-01-23 00:41:56 +01:00
echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear}"
2002-05-01 01:13:15 +02:00
exit 1
}
2002-10-23 18:48:40 +02:00
#
# E X E C U T I O N B E G I N S H E R E
#
2002-05-01 01:13:15 +02:00
#
# Start trace if first arg is "debug"
#
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
2006-01-17 18:34:34 +01:00
NOLOCK=
2002-05-01 01:13:15 +02:00
2006-01-17 18:34:34 +01:00
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
2002-05-01 01:13:15 +02:00
2002-07-30 01:53:26 +02:00
trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9
2005-07-09 06:45:32 +02:00
COMMAND="$1"
2002-05-01 01:13:15 +02:00
2005-07-09 06:45:32 +02:00
case "$COMMAND" in
2002-05-01 01:13:15 +02:00
stop)
2002-10-01 22:54:42 +02:00
[ $# -ne 1 ] && usage
2002-05-01 01:13:15 +02:00
do_initialize
my_mutex_on
2003-07-28 19:32:41 +02:00
#
# Don't want to do a 'stop' when startup is disabled
#
2005-08-02 18:46:30 +02:00
check_disabled_startup
2006-01-25 01:13:45 +01:00
progress_message3 "Stopping Shorewall..."
2002-05-01 01:13:15 +02:00
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
2006-01-25 01:13:45 +01:00
progress_message3 "done."
2002-05-01 01:13:15 +02:00
my_mutex_off
;;
2002-05-30 14:55:47 +02:00
2002-05-01 01:13:15 +02:00
reset)
2002-10-01 22:54:42 +02:00
[ $# -ne 1 ] && usage
2002-10-30 16:56:46 +01:00
do_initialize
my_mutex_on
2005-08-01 22:35:28 +02:00
if ! shorewall_is_started ; then
2002-10-30 16:56:46 +01:00
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
2005-07-09 07:45:05 +02:00
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
2002-05-03 00:56:27 +02:00
report "Shorewall Counters Reset"
2005-07-26 01:08:09 +02:00
date > /var/lib/shorewall/restarted
2002-10-30 16:56:46 +01:00
my_mutex_off
2002-05-01 01:13:15 +02:00
;;
2002-05-30 14:55:47 +02:00
2002-05-01 01:13:15 +02:00
refresh)
2002-10-01 22:54:42 +02:00
[ $# -ne 1 ] && usage
2002-05-01 01:13:15 +02:00
do_initialize
my_mutex_on
2005-08-01 22:35:28 +02:00
if ! shorewall_is_started ; then
2006-01-25 01:13:45 +01:00
echo "Shorewall Not Started" >&2
2002-09-29 23:28:44 +02:00
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
2002-05-01 01:13:15 +02:00
my_mutex_off
exit 2;
2002-07-06 00:24:40 +02:00
fi
2002-05-01 01:13:15 +02:00
refresh_firewall;
my_mutex_off
;;
2002-05-30 14:55:47 +02:00
2002-05-01 01:13:15 +02:00
clear)
2002-10-01 22:54:42 +02:00
[ $# -ne 1 ] && usage
2002-05-01 01:13:15 +02:00
do_initialize
my_mutex_on
2006-01-25 01:13:45 +01:00
progress_message3 "Clearing Shorewall..."
2002-05-01 01:13:15 +02:00
clear_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
2006-01-25 01:13:45 +01:00
progress_message3 "done."
2002-05-01 01:13:15 +02:00
my_mutex_off
;;
2002-05-30 14:55:47 +02:00
2006-01-12 00:30:33 +01:00
add)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
add_to_zone $@
my_mutex_off
;;
delete)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
delete_from_zone $@
my_mutex_off
;;
call)
2003-07-05 19:55:43 +02:00
#
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
#
2006-01-05 00:34:07 +01:00
shift
2003-07-05 19:55:43 +02:00
do_initialize
2003-07-05 21:52:34 +02:00
EMPTY=
2003-07-05 19:55:43 +02:00
$@
;;
2005-07-09 07:55:29 +02:00
2002-05-01 01:13:15 +02:00
*)
usage
;;
2002-05-30 14:55:47 +02:00
2002-05-01 01:13:15 +02:00
esac