#
# Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
#
# (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# This library contains the command processing code common to /sbin/shorewall[6] and
# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is
# loaded after this one and replaces some of the functions declared here.
#
#
# Format version of the capabilities data this CLI understands
# (presumably checked against the capabilities file -- confirm in lib.base)
#
SHOREWALL_CAPVERSION=40609
#
# Default the product name; a no-op when the calling script already set it
#
: "${g_program:=shorewall}"

if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

    g_sharedir="$SHAREDIR"/$g_program
    g_confdir="$CONFDIR"/$g_program
    #
    # Remember that shorewallrc has been read so it is not sourced twice
    #
    g_readrc=1
fi

. ${SHAREDIR}/shorewall/lib.base
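#
# Fatal Error -- write the message to stderr and exit with status 2
#
# printf is used instead of echo so that a message containing backslashes
# or beginning with '-' is written verbatim under any shell.
#
fatal_error() # $@ = Message
{
    printf ' ERROR: %s\n' "$*" >&2
    exit 2
}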
#
# Issue an error message and die
#
# Unlike fatal_error, this also signals the shell whose PID is $$ --
# presumably so the error is fatal even when it is raised from a
# subshell (pipeline or $(...)) -- before exiting with status 1.
#
startup_error() {
    echo " ERROR: $*" >&2
    kill $$
    exit 1
}
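#
# Display a chain if it exists
#
# Prints the listing of chain $1 from $TMPFILE (blank lines dropped).
# Returns 0 only when a further 'Chain' header follows the one printed,
# 1 otherwise -- presumably so the caller knows more chains remain.
#
# The chain name is passed to awk with -v rather than spliced into the
# program text, so a name containing quotes or regex metacharacters can
# neither break the script nor widen the match.
#
showfirstchain() # $1 = name of chain
{
    awk -v chain="$1" '
        BEGIN { prnt = 0; rslt = 1 }
        /^$/ { next }
        /^Chain/ { if ( prnt == 1 ) { rslt = 0; exit 0 } }
        index($0, "Chain " chain) { prnt = 1 }
        { if ( prnt == 1 ) print }
        END { exit rslt }' "$TMPFILE"
}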
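#
# Display chain $1 from $TMPFILE.
#
# When the caller has set firstchain=Yes the work is delegated to
# showfirstchain and the flag is cleared once that reports a following
# chain; otherwise the chain is printed here with blank and ' pkts'
# header lines removed. The chain name is passed to awk with -v so that
# it is matched literally rather than spliced into the program text.
#
showchain() # $1 = name of chain
{
    if [ "$firstchain" = "Yes" ]; then
        if showfirstchain "$1"; then
            firstchain=
        fi
    else
        awk -v chain="$1" '
            BEGIN { prnt = 0 }
            /^$|^ pkts/ { next }
            /^Chain/ { if ( prnt == 1 ) exit }
            index($0, "Chain " chain) { prnt = 1 }
            { if ( prnt == 1 ) print }' "$TMPFILE"
    fi
}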
#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#
# Filter from stdin to stdout. For IPv4 it apparently re-joins a
# '-m policy' line with the '-j'/'-g' target line that follows it and
# rewrites '--mask ff' as '--mask 0xff'. IPv6 output, and IPv4 output on
# a system without awk, is copied through unchanged.
#
iptablesbug()
{
    case $g_family in
        4)
            if qt mywhich awk ; then
                awk '
                    BEGIN { sline="" };
                    /^-[jg]/ { print sline $0; next };
                    /-m policy.*-[jg] / { print $0; next };
                    /-m policy/ { sline=$0; next };
                    /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };
                    { print ; sline="" }'
            else
                echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
                cat
            fi
            ;;
        *)
            cat
            ;;
    esac
}
#
# Validate the value of RESTOREFILE
#
# Exits with status 2 when RESTOREFILE contains a '/' or is a reserved
# name (NONE, or any dot-name other than .safe and .try). $* is the
# setting's name, used in the first error message.
#
validate_restorefile() # $* = label
{
    local label

    label="$*"

    case $RESTOREFILE in
        */*)
            error_message "ERROR: $label must specify a simple file name: $RESTOREFILE"
            exit 2
            ;;
        .safe|.try)
            #
            # Presumably the dot-names the product itself writes
            #
            ;;
        .*|NONE)
            error_message "ERROR: Reserved File Name: $RESTOREFILE"
            exit 2
            ;;
    esac
}
#
# Clear descriptor 1 if it is a terminal
#
# Returns the status of 'clear', or 1 when stdout is not a terminal.
#
clear_term() {
    test -t 1 && clear
}
#
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
#
# Reads into the global 'foo'. A 'read' status of 2 is taken to mean
# that the shell does not support '-t' (presumably its usage-error
# status), in which case a plain sleep is used instead.
#
timed_read ()
{
    local rc

    read -t $timeout foo 2> /dev/null
    rc=$?

    [ $rc -eq 2 ] && sleep $timeout
}
#
# Determine if 'syslog -C' is running
#
# Prints 'Yes' when a process whose command is 'syslogd' (bare or by
# path) was started with a '-C' argument; prints nothing otherwise.
#
syslog_circular_buffer() {
    local pid
    local tty
    local flags
    local cputime
    local path
    local args
    local arg
    #
    # Everything after the command path is collected in 'args'. The loop
    # body runs in the pipeline's subshell, so 'return' only leaves the
    # subshell -- sufficient once 'Yes' has been printed.
    #
    ps ax 2> /dev/null | while read pid tty flags cputime path args; do
        case $path in
            syslogd|*/syslogd)
                for arg in $args; do
                    case $arg in
                        -C)
                            echo Yes
                            return
                            ;;
                    esac
                done
                ;;
        esac
    done
}
#
# Display the last $1 packets logged
#
# Reads the log through $g_logread (a command string prepared by the
# caller, newest entry first), keeps only netfilter packet lines, takes
# the first $1 of them and prints them oldest-first with the 'kernel:'
# tag, the bracketed kernel timestamp and the "$host $LOGFORMAT" prefix
# removed. MAC addresses are kept only when g_showmacs is set (-m) or
# VERBOSITY is above 2.
#
packet_log() # $1 = number of messages
{
    local strip

    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
        strip=
    else
        strip='s/MAC=.* SRC=/SRC=/; '
    fi

    if [ $g_family -eq 4 ]; then
        $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | \
            sed "s/ kernel://; ${strip}s/\[.*\] //" | \
            sed s/" $host $LOGFORMAT"/" "/
    else
        #
        # The extra substitutions compress runs of zeros in IPv6 addresses
        #
        $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | \
            sed -r "s/ kernel://; ${strip}s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g" | \
            sed s/" $host $LOGFORMAT"/" "/
    fi
}
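#
# Display the logged packets that mention $1 (normally an IP address),
# oldest first. Same pipeline as packet_log, but the lines are selected
# by 'grep "$1"' instead of being limited to a count.
#
# For IPv6 the packet-line pattern now requires a ':' between SRC= and
# DST=, as packet_log does. The previous pattern required a '.', which
# made every search for a plain IPv6 address come back empty.
#
search_log() # $1 = IP address to search for
{
    local strip

    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
        strip=
    else
        strip='s/MAC=.* SRC=/SRC=/; '
    fi

    if [ $g_family -eq 4 ]; then
        $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | \
            sed "s/ kernel://; ${strip}s/\[.*\] //" | \
            sed s/" $host $LOGFORMAT"/" "/
    else
        #
        # The extra substitutions compress runs of zeros in IPv6 addresses
        #
        $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | grep "$1" | tac | \
            sed -r "s/ kernel://; ${strip}s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g" | \
            sed s/" $host $LOGFORMAT"/" "/
    fi
}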
#
# Show traffic control information
#
# With an argument, shows the qdisc and class statistics of that device;
# without one, of every link reported by 'ip -o link list'.
#
show_tc() {
    #
    # Print the statistics for one device (any '@...' suffix is dropped
    # from the name). Devices without a qdisc are skipped silently.
    # 'qdisc' is not declared local in the original and is left that way.
    #
    show_one_tc() {
        local device

        device=${1%@*}
        qdisc=$(tc qdisc list dev $device)

        [ -n "$qdisc" ] || return 0

        echo Device $device:
        tc -s -d qdisc show dev $device
        echo
        tc -s -d class show dev $device
        echo
    }

    if [ $# -gt 0 ]; then
        show_one_tc $1
    else
        #
        # The interface field of 'ip -o link' output carries a trailing ':'
        #
        ip -o link list | while read inx interface details; do
            show_one_tc ${interface%:}
        done
    fi
}
#
# Show classifier information
#
# For every link reported by 'ip -o link list', prints the filters
# attached to the device root and to each of its leaf classes.
#
show_classifiers() {
    #
    # Print the classifiers of one device (any '@...' suffix is dropped
    # from the name). Devices without a qdisc are skipped silently.
    # 'qdisc' is not declared local in the original and is left that way.
    #
    show_one_classifier() {
        local device

        device=${1%@*}
        qdisc=$(tc qdisc list dev $device)

        [ -n "$qdisc" ] || return 0

        echo Device $device:
        #
        # The root filter listing is only printed when the query succeeds
        #
        qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
        tc filter show dev $device
        #
        # Walk the leaf classes (hfsc classes are skipped, as in the original)
        # and show the filters attached to each
        #
        tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
            if [ -n "$class" ]; then
                echo
                echo Node $class
                tc filter show dev $device parent $class
            fi
        done

        echo
    }

    ip -o link list | while read inx interface details; do
        show_one_classifier ${interface%:}
    done
}
#
# Display blacklist chains
#
# Filters the '-L' listing down to the 'dynamic' chain and the chains
# whose header reads 'Chain <name>~ ', each followed by a blank line.
#
show_bl() {
    $g_tool -L $g_ipt_options | awk '
        BEGIN { prnt = 0 }
        /^$/ { if (prnt == 1) print ""; prnt = 0 }
        /Chain .*~ / { prnt = 1 }
        /Chain dynamic / { prnt = 1 }
        { if (prnt == 1) print }
        END { if (prnt == 1 ) print "" }'
}
#
# Watch the Firewall Log
#
# Loops forever, redisplaying the last 40 logged packets whenever the
# LOG rule counters change. g_logread, host, timeout and pause are
# globals: packet_log reads g_logread and host, timed_read reads timeout.
#
logwatch() # $1 = timeout -- if negative, prompt each time that
           # an 'interesting' packet count changes
{
    #
    # Pick the log source once: 'logread' when syslog keeps a circular
    # buffer, otherwise the readable LOGFILE (default /var/log/messages)
    #
    if [ -z "$LOGFILE" ]; then
        LOGFILE=/var/log/messages

        if [ -n "$(syslog_circular_buffer)" ]; then
            g_logread="logread | tac"
        elif [ -r $LOGFILE ]; then
            g_logread="tac $LOGFILE"
        else
            fatal_error "LOGFILE ($LOGFILE) does not exist!"
        fi
    fi
    #
    # Short host name, as it appears in the log lines
    #
    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($g_tool -L -v -n | grep 'LOG')

    if [ $1 -lt 0 ]; then
        timeout=$((- $1))
        pause="Yes"
    else
        timeout=$1
        pause="No"
    fi

    qt mywhich awk && haveawk=Yes || haveawk=

    while true; do
        clear_term
        echo "$banner $(date)"
        echo
        echo "Dropped/Rejected Packet Log ($LOGFILE)"
        echo
        show_reset

        rejects=$($g_tool -L -v -n | grep 'LOG')

        if [ "$rejects" = "$oldrejects" ]; then
            #
            # Nothing new -- redisplay and wait for the timeout (or <enter>)
            #
            echo
            packet_log 40
            timed_read
            continue
        fi

        oldrejects="$rejects"
        $g_ring_bell
        packet_log 40

        if [ "$pause" = "Yes" ]; then
            echo
            echo $g_echo_n 'Enter any character to continue: '
            read foo
        else
            timed_read
        fi
    done
}
#
# Try to find the arptables binary -- sets the variable 'arptables'
#
# ARPTABLES (from the configuration) takes precedence, defaulting to
# 'arptables'. A bare name is looked up with mywhich; a value containing
# a '/' is used as-is, without checking that it exists. 'arptables' is a
# global unless the caller declared it local.
#
resolve_arptables() {
    arptables="$ARPTABLES"

    : "${arptables:=arptables}"
    #
    # Only a bare name (no '/') needs resolving
    #
    if [ "${arptables#*/}" = "$arptables" ]; then
        arptables=$(mywhich "$arptables")
    fi
}
#
# Try to run the 'savesets' command
#
# Only when the compi	led firewall script lists 'savesets' in its help
# output is it asked to save the ipsets to ${g_restorepath}-ipsets.
# Returns 1 when the command is not supported, otherwise run_it's status.
#
savesets() {
    local supported

    supported=$(run_it ${VARDIR}/firewall help | grep -F savesets )

    [ -z "$supported" ] && return 1

    run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
}
#
# Proactive save of the current ipset contents
#
# Like savesets, but the sets go to ${VARDIR}/ipsets.save and a
# progress message is printed on success. Returns 1 when the compiled
# firewall does not support 'savesets'.
#
savesets1() {
    local supported

    supported=$(run_it ${VARDIR}/firewall help | grep -F savesets )

    [ -z "$supported" ] && return 1

    run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
}
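#
# Save the arptables rules to ${g_restorepath}-arptables when
# SAVE_ARPTABLES=Yes; remove any stale saved file when it is No.
#
# Globals: SAVE_ARPTABLES (defaulted to No), ARPTABLES, VARDIR, g_restorepath
#
do_save_arptables() {
    local arptables

    case ${SAVE_ARPTABLES:=No} in
        [Yy]es)
            #
            # resolve_arptables assigns 'arptables' (local here)
            #
            resolve_arptables

            if [ -n "$arptables" ]; then
                #
                # 'sed' command is a hack to work around broken arptables_jf
                #
                if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
                    #
                    # Keep the file only if it holds at least one rule
                    #
                    if grep -q '^-A' ${VARDIR}/restore-$$; then
                        mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
                    else
                        rm -f ${VARDIR}/restore-$$
                    fi
                else
                    #
                    # Don't leave the scratch file behind when the dump fails
                    #
                    rm -f ${VARDIR}/restore-$$
                fi
            else
                case "$ARPTABLES" in
                    */*)
                        error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved"
                        ;;
                    *)
                        error_message "ERROR: The arptables utility cannot be located - arptables not saved"
                        ;;
                esac

                rm -f ${g_restorepath}-arptables
            fi
            ;;
        [Nn]o)
            rm -f ${g_restorepath}-arptables
            ;;
        *)
            error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES"
            ;;
    esac
}

#
# Save the ipset contents ('ipset -S') to ${g_restorepath}-ipsets when
# SAVE_IPSETS=Yes. Used only when the compiled firewall has no 'savesets'.
#
# Globals: SAVE_IPSETS (defaulted to No), IPSET (defaulted to 'ipset',
# resolved to a path, or cleared when unusable), VARDIR, g_restorepath,
# hack (left global as in the original)
#
do_save_ipsets() {
    case ${SAVE_IPSETS:=No} in
        [Yy]es)
            case ${IPSET:=ipset} in
                */*)
                    if [ ! -x "$IPSET" ]; then
                        error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                        IPSET=
                    fi
                    ;;
                *)
                    IPSET="$(mywhich "$IPSET")"
                    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
                    ;;
            esac

            if [ -n "$IPSET" ]; then
                #
                # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny.
                # The version string is quoted so a multi-word /etc/debian_version cannot break the test.
                #
                if [ -f /etc/debian_version ] && [ "$(cat /etc/debian_version)" = 5.0.3 ]; then
                    hack='| grep -v /31'
                else
                    hack=
                fi
                #
                # 'eval' is needed to apply the optional pipe; $hack is one of
                # the two literals above, never external input.
                # Don't save an 'empty' file, and don't leave the temp file behind.
                #
                if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp && grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp; then
                    mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
                else
                    rm -f ${VARDIR}/ipsets.tmp
                fi
            fi
            ;;
        [Nn]o)
            ;;
        *)
            error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
            ;;
    esac
}

#
# Save currently running configuration
#
# Writes the running ip[6]tables rules to ${g_restorepath}-iptables and a
# copy of ${VARDIR}/firewall to $g_restorepath, then saves arptables and
# ipsets as configured. Returns 0 when the iptables save succeeded and 1
# otherwise; arptables/ipset problems are reported but do not affect the
# status.
#
do_save() {
    local status

    status=0

    if [ -f ${VARDIR}/firewall ]; then
        #
        # NOTE(review): only grep's status is tested here (POSIX sh has no
        # pipefail), so a failing $iptables_save is only noticed when nothing
        # survives the filter.
        #
        if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
            cp -f ${VARDIR}/firewall $g_restorepath
            mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
            chmod +x $g_restorepath
            echo " Currently-running Configuration Saved to $g_restorepath"
            run_user_exit save
        else
            rm -f ${VARDIR}/restore-$$
            echo " ERROR: Currently-running Configuration Not Saved" >&2
            status=1
        fi
    else
        echo " ERROR: ${VARDIR}/firewall does not exist" >&2
        status=1
    fi

    do_save_arptables
    #
    # Prefer the compiled firewall's own 'savesets'; fall back to calling ipset directly
    #
    savesets || do_save_ipsets

    return $status
}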
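#
# Save currently running configuration
#
# Sets up the global 'iptables_save' (used by do_save), refuses reserved
# RESTOREFILE names and an unexecutable existing $g_restorepath, and
# otherwise delegates to do_save. Returns 0 on success, 1 otherwise.
#
save_config() {
    local result

    result=1
    #
    # Only a warning: when the tool is really missing, do_save reports the
    # failed save itself. The message previously referred to the undefined
    # '$iptables' variable instead of $iptables_save.
    #
    iptables_save=${g_tool}-save

    [ -x $iptables_save ] || echo "$iptables_save does not exist or is not executable" >&2

    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"

    if product_is_started ; then
        [ -d ${VARDIR} ] || mkdir -p ${VARDIR}

        if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
            echo " ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
        else
            case $RESTOREFILE in
                capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
                    echo " ERROR: Reserved file name: $RESTOREFILE" >&2
                    ;;
                *)
                    validate_restorefile RESTOREFILE

                    if do_save; then
                        rm -f ${VARDIR}/save
                        result=0
                    fi
                    ;;
            esac
        fi
    else
        echo "$g_product isn't started" >&2
    fi

    return $result
}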
#
# Recent Linux systems seem to like to print a randomly-ordered
# view of routing tables. This hack sorts the output into the
# order we all know and love
#
# Each route read from stdin is prefixed with a three-digit sort key
# (000 for 'default', the prefix length for a CIDR destination --
# taken from the second word for 'blackhole'/'local' routes -- and the
# address length otherwise); the routes are then emitted longest
# prefix first with the key stripped again.
#
sort_routes() {
    local dest
    local second
    local rest
    local vlsm
    local maxvlsm
    local rule
    local prefix

    if [ $g_family -eq 4 ]; then
        maxvlsm=032
    else
        maxvlsm=128
    fi

    while read dest second rest; do
        [ -n "$dest" ] || continue

        rule="$dest $second $rest"
        prefix=$dest

        case "$dest" in
            default)
                echo "000 $rule"
                continue
                ;;
            blackhole|local)
                #
                # The destination is the word after the route type
                #
                prefix=$second
                ;;
        esac

        case "$prefix" in
            */*)
                vlsm=${prefix#*/}
                printf "%03d %s\n" $vlsm "$rule"
                ;;
            *)
                echo "$maxvlsm $rule"
                ;;
        esac
    done | sort -r | while read dest rest; do echo $rest; done
}
#
# Isolate the table in the routing rules being read from stdin.
# Piping through sed to remove trailing whitespace works around
# recent 'features' in dash and ip.
#
# Prints the last space-separated word of each input line (for 'ip rule'
# output, the table named after 'lookup'), one per line.
#
find_tables() {
    local rule
    local table

    sed -r 's/[[:space:]]+$//' | while read rule; do
        table=${rule##* }
        echo $table
    done
}
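#
# Show routing configuration
#
# When policy rules exist, lists them and then every table they refer
# to (plus the route cache when g_routecache is set); otherwise shows
# the main routing table. Routes go through sort_routes.
#
show_routing() {
    local table

    if [ -n "$(ip -$g_family rule list)" ]; then
        heading "Routing Rules"
        ip -$g_family rule list
        #
        # One section per distinct table named by the rules
        #
        ip -$g_family rule list | find_tables | sort -u | while read table; do
            heading "Table $table:"

            if [ $g_family -eq 6 ]; then
                ip -$g_family -o route list table $table | grep -vF cache | sort_routes
            else
                ip -4 -o route list table $table | sort_routes
            fi
        done

        if [ -n "$g_routecache" ]; then
            heading "Route Cache"
            ip -$g_family route list cache
        fi
    else
        heading "Routing Table"
        #
        # 'table' is never assigned on this path (the loop above runs in a
        # subshell and did not run anyway), so the IPv4 command must not
        # pass 'table $table': an empty table argument makes 'ip' reject
        # the command. Both families now list the default table.
        #
        if [ $g_family -eq 6 ]; then
            ip -$g_family -o route list | grep -vF cache | sort_routes
        else
            ip -4 -o route list | sort_routes
        fi
    fi
}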
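#
# Work out how to invoke ipset: sets IPSET (the binary, resolved via
# mywhich when unset or the bare name 'ipset') and IPSETN, which is
# IPSET plus '-n' when a throw-away 'hash:ip' set cannot be created
# without it (presumably older ipset releases).
#
determine_ipset_version() {
    local setname

    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
        IPSET=$(mywhich ipset)
        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
    fi
    #
    # The probe uses $IPSET, the same binary IPSETN is built from. It used
    # to run the bare 'ipset' from PATH, which could differ from a
    # configured IPSET path and so answer for the wrong binary.
    #
    setname=fooX$$

    qt $IPSET -X $setname # Just in case something went wrong the last time

    if qt $IPSET -N $setname hash:ip family inet; then
        qt $IPSET -X $setname
        IPSETN="$IPSET"
    else
        IPSETN="$IPSET -n"
    fi
}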
#
# 'list dynamic' command executor
#
# find_sets prints the names of the ipsets called $1 or "${1}_<suffix>",
# taken from the 'Name: <set>' header lines of the ipset listing.
#
find_sets() {
    local junk
    local setname

    $IPSETN -L | grep -E "^Name: ${1}(_.+)?$" | while read junk setname; do
        echo $setname
    done
}
#
# 'list dynamic' command executor: print the members of every ipset
# belonging to zone $1 (sets named "$1" or "${1}_<suffix>", with a '6_'
# prefix for IPv6), one set per section.
#
list_zone() {
    local sets
    local setname
    local pattern

    determine_ipset_version

    if [ $g_family -eq 4 ]; then
        pattern="^$1(_.+)?"
    else
        pattern="^6_$1(_.+)?"
    fi

    sets=$($IPSETN -L | grep -E "$pattern")
    #
    # Fall back to matching the 'Name:' header lines
    #
    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
        echo "${setname#${1}_}:"
        #
        # Print the first word of each line between 'Members:' and 'Bindings:'
        #
        $IPSETN -L $setname | awk '
            BEGIN {prnt=0;};
            /^Members:/ {prnt=1; next; };
            /^Bindings:/ {prnt=0; };
            { if (prnt == 1) print " ", $1; };'
    done
}
#
# 'version' command executor
#
# Without -a, prints $SHOREWALL_VERSION. With -a, prints the version of
# shorewall-core and of every installed product, plus (when run as root
# and the firewall script exists) the compiler version recorded in it.
# Any non-option argument is a usage error.
#
version_command() {
    local finished
    local all
    local product

    finished=0
    all=
    #
    # Option letters may be bunched; '--' ends option processing.
    # 'option' is not declared local in the original and is left that way.
    #
    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1

        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        a*)
                            all=Yes
                            option=${option#a}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ $# -gt 0 ] && usage 1

    if [ -z "$all" ]; then
        echo $SHOREWALL_VERSION
        return
    fi

    echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"

    for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
        if [ -f ${SHAREDIR}/$product/version ]; then
            echo "$product: $(cat ${SHAREDIR}/$product/version)"
        fi
    done

    if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
        echo $g_echo_n "$g_firewall was compiled by Shorewall version "
        $g_firewall version
    fi
}
#
# Show Filter - For Shorewall[6]-lite, if there was an scfilter file at compile-time,
# then the compiler generated another version of this function and
# embedded it in the firewall.conf file. That version supersedes this
# one.
#
# Reads the connection listing on stdin. When an 'scfilter' file is
# found it is run on that input, using the interpreter named on its
# '#!' line if it has one and ${SHOREWALL_SHELL} otherwise; without a
# filter file the input is copied through unchanged.
#
show_connections_filter() {
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}
    filter=$(find_file scfilter)

    if [ ! -f $filter ]; then
        cat -
        return
    fi

    first=$(head -n1 $filter)

    case $first in
        \#!*)
            command=${first#\#!}
            ;;
    esac

    $command $filter
}
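#
# Show the nfacct counters.
#
# NFACCT (from the configuration) is used when it is executable; an
# unusable NFACCT is reported and cleared, and an unset one is looked
# up on PATH. Previously the executable check and the PATH lookup were
# folded into a single if/else, so a valid configured NFACCT was always
# overwritten by the lookup.
#
show_nfacct() {
    if [ -n "$NFACCT" ]; then
        if [ ! -x "$NFACCT" ]; then
            error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
            NFACCT=
        fi
    else
        NFACCT=$(mywhich nfacct)
        [ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
    fi

    if [ -n "$NFACCT" ]; then
        $NFACCT list
        echo
    fi
}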
#
# Print the xt_recent table $1 in readable form: for each address of the
# family being displayed, the ages of the packets it was seen with,
# relative to $currenttime, oldest first.
#
# Globals: g_family (read); currenttime (read -- declared local in the
# caller, show_events, and visible here by dynamic scoping).
# Reads /proc/net/xt_recent/$1.
#
show_event() {
    local address
    local ttl_label
    local ttl
    local last_seen
    local last
    local oldest_pkt
    local oldest
    local intimes
    local outtimes1
    local outtimes2
    local time
    local count
    # Field layout assumed from the variable names:
    #   <addr> ttl: <n> last_seen: <t> oldest_pkt: <index> <t>, <t>, ...
    # -- NOTE(review): confirm against the xt_recent proc format
    while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
        #
        # Skip addresses of the other family (and anything that is not an address)
        #
        case $address in
            *.*)
                [ $g_family -eq 4 ] || continue
                ;;
            *:*)
                [ $g_family -eq 6 ] || continue
                ;;
            *)
                continue
                ;;
        esac

        outtimes1=''
        outtimes2=''
        count=0
        # Converted to an age (presumably ms -> s) but not used in the output below
        last=$((($currenttime - $last)/1000))

        for time in $intimes; do
            time=${time%,}
            time=$(($currenttime - $time))
            #
            # Left-pad to four digits so the sed below can find the last three
            #
            if [ $time -lt 10 ]; then
                time="000$time"
            elif [ $time -lt 100 ]; then
                time="00$time"
            elif [ $time -lt 1000 ]; then
                time="0$time"
            fi
            #
            # 'oldest' appears to index the oldest slot of a ring of timestamps:
            # entries from that index on are collected first, the earlier ones
            # appended after them, giving oldest-first output
            #
            if [ $count -lt $oldest ]; then
                outtimes2="$outtimes2 $time"
            else
                outtimes1="$outtimes1 $time"
            fi

            count=$(($count + 1))
        done

        outtimes1="${outtimes1}${outtimes2}"
        #
        # Insert a decimal point before the last three digits of each value
        # and separate the values with ', '
        #
        [ -n "$outtimes1" ] && outtimes1=$(echo "$outtimes1 " | sed -r 's/([[:digit:]]{3}) /\.\1, /g') && outtimes1=${outtimes1%, }
        echo " $address : ${outtimes1}"
    done < /proc/net/xt_recent/$1
}
#
# Show the xt_recent event tables: those named in $@, or all of them.
#
# 'currenttime' is local here but read by show_event (dynamic scoping).
# 'event' is not declared local in the original and is left that way.
#
show_events() {
    local file
    local base
    local currenttime
    #
    # Shorewall keeps a %CURRENTTIME table: removing and re-adding an
    # address makes the kernel stamp it with the current time, which is
    # read back from the fifth field. Without the table ages are
    # computed from 0.
    #
    if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
        echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
        echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
        currenttime=$(cut -d ' ' -f 5 - < /proc/net/xt_recent/%CURRENTTIME)
    else
        currenttime=0
    fi

    if [ $# -gt 0 ]; then
        for event in $@ ; do
            if [ -f /proc/net/xt_recent/$event ]; then
                echo $event:
                show_event $event
                echo
            else
                error_message "WARNING: Event $event not found"
            fi
        done
    else
        for file in /proc/net/xt_recent/*; do
            base=${file##*/}

            case $base in
                %CURRENTTIME)
                    ;;
                *)
                    echo $base
                    show_event $base
                    echo
                    ;;
            esac
        done
    fi
}
#
# Show Command Executor
#
show_command() {
local finished
finished=0
local table
table=filter
local table_given
table_given=
2012-10-14 05:37:48 +02:00
local output_filter
output_filter=cat
2013-01-04 18:17:57 +01:00
local arptables
2008-12-07 19:17:26 +01:00
show_macro() {
foo=`grep 'This macro' $macro | sed 's/This macro //'`
if [ -n "$foo" ]; then
macro=${macro#*.}
foo=${foo%.*}
if [ ${#macro} -gt 10 ]; then
echo " $macro ${foo#\#}"
else
2010-02-23 16:52:35 +01:00
$g_echo_e " $macro \t${foo#\#}"
2008-12-07 19:17:26 +01:00
fi
fi
}
2012-10-14 05:37:48 +02:00
# eliminates rules which have not been used from ip*tables' output
brief_output() {
2012-10-22 23:15:37 +02:00
awk \
'/^Chain / { heading1 = $0; getline heading2; printed = 0; next; };
/^ +0 +0 / { next; };
/^$/ { if ( printed == 1 ) { print $0; }; next; };
{ if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
{ print; }';
2012-10-14 05:37:48 +02:00
}
2008-12-07 19:17:26 +01:00
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
v*)
2010-03-01 02:58:01 +01:00
VERBOSITY=$(($VERBOSITY + 1 ))
2008-12-07 19:17:26 +01:00
option=${option#v}
;;
x*)
2010-02-22 17:05:23 +01:00
g_ipt_options="-xnv"
2008-12-07 19:17:26 +01:00
option=${option#x}
;;
m*)
2010-02-22 17:24:29 +01:00
g_showmacs=Yes
2008-12-07 19:17:26 +01:00
option=${option#m}
;;
f*)
2010-02-22 17:24:29 +01:00
g_filemode=Yes
2008-12-07 19:17:26 +01:00
option=${option#f}
;;
t)
[ $# -eq 1 ] && usage 1
case $2 in
2011-08-14 21:01:17 +02:00
mangle|nat|filter|raw|rawpost)
2008-12-07 19:17:26 +01:00
table=$2
table_given=Yes
;;
*)
fatal_error "Invalid table name ($s)"
;;
esac
2010-06-07 18:16:56 +02:00
2008-12-07 19:17:26 +01:00
option=
shift
;;
2009-11-17 00:14:24 +01:00
l*)
2010-02-22 17:05:23 +01:00
g_ipt_options1="--line-numbers"
2009-11-17 00:14:24 +01:00
option=${option#l}
;;
2011-06-29 20:48:23 +02:00
c*)
g_routecache=Yes
option=${option#c}
;;
2012-10-20 06:02:59 +02:00
b*)
2012-10-14 05:37:48 +02:00
output_filter=brief_output
option=${option#b}
;;
2008-12-07 19:17:26 +01:00
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
2010-02-22 17:05:23 +01:00
g_ipt_options="$g_ipt_options $g_ipt_options1"
2009-11-17 00:14:24 +01:00
2010-10-01 02:18:58 +02:00
2010-02-23 01:43:38 +01:00
[ -n "$g_debugging" ] && set -x
2012-10-13 20:16:59 +02:00
2008-12-07 19:17:26 +01:00
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
2010-10-01 02:18:58 +02:00
2011-12-03 19:59:01 +01:00
if [ $g_family -eq 4 ]; then
if [ -d /proc/sys/net/netfilter/ ]; then
local count
local max
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
else
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
fi
2010-10-01 02:18:58 +02:00
2011-12-03 19:59:01 +01:00
echo
2010-10-01 02:18:58 +02:00
2011-12-03 19:59:01 +01:00
if qt mywhich conntrack ; then
conntrack -f ipv${g_family} -L | show_connections_filter
2010-10-01 16:38:14 +02:00
else
2011-12-03 19:59:01 +01:00
if [ -f /proc/net/ip_conntrack ]; then
cat /proc/net/ip_conntrack | show_connections_filter
else
grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
fi
fi
elif qt mywhich conntrack ; then
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
echo
conntrack -f ipv6 -L | show_connections_filter
else
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
echo
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
2010-09-24 04:08:40 +02:00
fi
2008-12-07 19:17:26 +01:00
;;
nat)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
2012-10-14 05:37:48 +02:00
$g_tool -t nat -L $g_ipt_options | $output_filter
2008-12-07 19:17:26 +01:00
;;
2009-02-21 18:21:51 +01:00
raw)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
2009-02-21 18:21:51 +01:00
echo
show_reset
2012-10-14 05:37:48 +02:00
$g_tool -t raw -L $g_ipt_options | $output_filter
2009-02-21 18:21:51 +01:00
;;
2011-08-14 21:01:17 +02:00
rawpost)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
2012-10-14 05:37:48 +02:00
$g_tool -t rawpost -L $g_ipt_options | $output_filter
2011-08-14 21:01:17 +02:00
;;
2008-12-07 19:17:26 +01:00
tos|mangle)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
2012-10-14 05:37:48 +02:00
$g_tool -t mangle -L $g_ipt_options | $output_filter
2008-12-07 19:17:26 +01:00
;;
log)
2010-04-19 19:20:28 +02:00
[ $# -gt 2 ] && usage 1
2010-07-31 21:45:43 +02:00
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
2010-09-27 20:16:18 +02:00
2010-07-31 21:45:43 +02:00
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
2013-02-16 16:32:47 +01:00
fatal_error "LOGFILE ($LOGFILE) does not exist!"
2010-07-31 21:45:43 +02:00
fi
fi
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
2010-03-02 20:59:38 +01:00
host=$(echo $g_hostname | sed 's/\..*$//')
2010-04-19 19:20:28 +02:00
if [ $# -eq 2 ]; then
search_log $2
else
packet_log 20
fi
2008-12-07 19:17:26 +01:00
;;
tc)
2010-01-13 03:57:04 +01:00
[ $# -gt 2 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
2010-01-13 03:57:04 +01:00
shift
2011-04-04 17:19:36 +02:00
if [ -z "$1" ]; then
2012-10-14 05:37:48 +02:00
$g_tool -t mangle -L -n -v | $output_filter
2011-04-04 17:19:36 +02:00
echo
fi
2010-01-13 03:57:04 +01:00
show_tc $1
2008-12-07 19:17:26 +01:00
;;
classifiers|filters)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
case $host in
exclude)
echo " exclude:"
;;
*)
echo " $host"
;;
esac
done
done < ${VARDIR}/zones
echo
else
2013-02-16 16:32:47 +01:00
fatal_error "${VARDIR}/zones does not exist"
2008-12-07 19:17:26 +01:00
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
2010-03-01 02:58:01 +01:00
VERBOSITY=2
2010-02-22 17:24:29 +01:00
if [ -n "$g_filemode" ]; then
2008-12-07 19:17:26 +01:00
report_capabilities1
else
report_capabilities
fi
;;
ip)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
2011-12-03 19:59:01 +01:00
ip -$g_family addr list
2008-12-07 19:17:26 +01:00
;;
routing)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_routing
;;
config)
2012-04-02 21:39:49 +02:00
. ${g_sharedir}/configpath
2011-04-03 18:56:30 +02:00
if [ -n "$g_filemode" ]; then
echo "CONFIG_PATH=$CONFIG_PATH"
echo "VARDIR=$VARDIR"
2012-10-01 15:51:36 +02:00
echo "LIBEXEC=${LIBEXECDIR}"
2012-10-01 15:55:48 +02:00
echo "SBINDIR=${SBINDIR}"
2012-04-04 18:24:48 +02:00
echo "CONFDIR=${CONFDIR}"
2012-04-04 16:08:02 +02:00
[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
2011-04-03 18:56:30 +02:00
else
echo "Default CONFIG_PATH is $CONFIG_PATH"
2011-12-07 00:39:18 +01:00
echo "Default VARDIR is /var/lib/$g_program"
2012-10-01 15:51:36 +02:00
echo "LIBEXEC is ${LIBEXECDIR}"
2012-10-01 15:55:48 +02:00
echo "SBINDIR is ${SBINDIR}"
2012-04-04 18:24:48 +02:00
echo "CONFDIR is ${CONFDIR}"
2011-12-07 00:39:18 +01:00
[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
2011-04-03 18:56:30 +02:00
fi
2008-12-07 19:17:26 +01:00
;;
chain)
shift
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
2012-10-14 05:37:48 +02:00
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
2009-06-25 00:41:15 +02:00
echo
2008-12-07 19:17:26 +01:00
done
else
2012-10-14 05:37:48 +02:00
$g_tool -t $table -L $g_ipt_options | $output_filter
2008-12-07 19:17:26 +01:00
fi
;;
vardir)
echo $VARDIR;
;;
2009-11-15 18:24:56 +01:00
policies)
[ $# -gt 1 ] && usage 1
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
2009-11-15 18:24:56 +01:00
echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
;;
2011-02-02 02:15:49 +01:00
ipa)
2011-12-21 16:25:20 +01:00
[ $g_family -eq 4 ] || usage 1
2011-02-02 01:47:20 +01:00
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo
[ $# -gt 1 ] && usage 1
perip_accounting
;;
2011-11-20 21:29:17 +01:00
marks)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
echo
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
;;
2012-07-28 20:21:16 +02:00
nfacct)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct
;;
2013-01-04 18:17:57 +01:00
arptables)
[ $# -gt 1 ] && usage 1
resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
echo
$arptables -L -n -v
else
error_message "Cannot locate the arptables executable"
fi
;;
2013-07-12 04:21:56 +02:00
event)
[ $# -gt 1 ] || usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
shift
show_events $@
;;
events)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
show_events
2014-06-18 22:27:25 +02:00
;;
bl|blacklists)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
echo
show_bl;
;;
2015-03-06 22:10:23 +01:00
opens)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then
2015-03-14 16:54:30 +01:00
g_ipt_options="$g_ipt_options --line-numbers"
$g_tool -t filter -L dynamic $g_ipt_options | head -n2
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
2015-03-06 22:10:23 +01:00
fi
;;
2008-12-07 19:17:26 +01:00
*)
2011-12-04 18:19:48 +01:00
case "$g_program" in
*-lite)
2011-12-03 19:59:01 +01:00
;;
*)
case $1 in
actions)
[ $# -gt 1 ] && usage 1
2012-12-04 19:54:32 +01:00
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
2011-12-03 19:59:01 +01:00
2012-04-02 21:39:49 +02:00
if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
2011-12-03 19:59:01 +01:00
else
2012-04-02 21:39:49 +02:00
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
2010-01-12 22:12:01 +01:00
fi
2010-06-07 18:16:56 +02:00
2011-12-03 19:59:01 +01:00
return
;;
macro)
[ $# -ne 2 ] && usage 1
for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
cat ${directory}/macro.$2
return
fi
done
echo " WARNING: Macro $2 not found" >&2
return
;;
macros)
[ $# -gt 1 ] && usage 1
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
return
;;
esac
;;
esac
2008-12-07 19:17:26 +01:00
if [ $# -gt 0 ]; then
2009-06-25 00:28:43 +02:00
if [ $1 = dynamic -a $# -gt 1 ]; then
shift
[ $# -eq 1 ] || usage 1
2010-03-05 04:05:47 +01:00
list_zone $1
2009-06-25 00:28:43 +02:00
return;
fi
2008-12-07 19:17:26 +01:00
[ -n "$table_given" ] || for chain in $*; do
2011-12-03 19:59:01 +01:00
if ! qt $g_tool -t $table -L $chain $g_ipt_options; then
error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
2008-12-07 19:17:26 +01:00
exit 1
fi
done
2010-06-07 18:16:56 +02:00
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
for chain in $*; do
2012-10-14 05:37:48 +02:00
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
2009-06-25 00:41:15 +02:00
echo
2008-12-07 19:17:26 +01:00
done
else
2010-03-02 21:34:36 +01:00
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
2008-12-07 19:17:26 +01:00
echo
show_reset
2012-10-14 05:37:48 +02:00
$g_tool -t $table -L $g_ipt_options | $output_filter
2008-12-07 19:17:26 +01:00
fi
;;
esac
}
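perip_accounting() {
    #
    # Report the per-IP accounting tables known to the 'iptaccount'
    # utility. Prints a placeholder line when no tables are defined or the
    # utility is not installed.
    #
    # Globals:  none written
    # Outputs:  one table listing per accounting table on stdout
    # Returns:  status of the last command executed
    #
    local hnames
    local hname

    if qt mywhich iptaccount; then
        #
        # 'iptaccount -a' reports each table as "Found table: <name>";
        # keep only the name column.
        #
        hnames=$(iptaccount -a | grep '^Found table:' | cut -d ' ' -f 3)

        if [ -n "$hnames" ]; then
            for hname in $hnames; do
                #
                # grep -E rather than the deprecated 'egrep' wrapper; the
                # table name is quoted so it is passed as a single argument.
                #
                iptaccount -l "$hname" | grep -E '^IP:|^Show'
                echo
            done
        else
            echo " No IP Accounting Tables Defined"
            echo
        fi
    else
        echo " iptaccount is not installed"
    fi
}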
#
# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
# then the compiler generated another version of this function and
# embedded it in the firewall.conf file. That version supersedes this
# one.
#
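dump_filter() {
    #
    # Filter the dump (read from stdin) through the 'dumpfilter' file
    # located by find_file(), if such a file exists; otherwise copy stdin
    # to stdout unchanged.
    #
    # The filter file is *executed*: when its first line is a '#!' line the
    # interpreter (and any options) named there is used, otherwise it is
    # run by ${SHOREWALL_SHELL}. It therefore deserves the same protection
    # as any other script run by the firewall.
    #
    # Arguments: none (reads stdin)
    # Outputs:   filtered dump on stdout
    #
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}
    filter=$(find_file dumpfilter)

    #
    # "$filter" is quoted so that an empty result from find_file() tests
    # false; unquoted, '[ -f ]' is true, after which 'head' and the
    # interpreter would read the dump itself from stdin.
    #
    if [ -f "$filter" ]; then
        first=$(head -n1 "$filter")

        case $first in
            \#!*)
                command=${first#\#!}
                ;;
        esac
        #
        # $command is intentionally unquoted: a '#!' line may carry
        # interpreter options that must be passed as separate words.
        #
        $command "$filter"
    else
        cat -
    fi
}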
#
# Dump Command Executor
#
do_dump_command() {
    #
    # Produce the 'dump' report: parse the options, then print each
    # netfilter table, the conntrack table, IP/link/bridge configuration,
    # routing, accounting, events, PFKEY SPD/SAD, selected /proc settings,
    # ARP/neighbor tables, netfilter modules, capabilities, sockets and
    # (when TC_ENABLED is set) traffic control. The order of the sections
    # is the report format; do not reorder them.
    #
    # Options:   -x  use "-xnv" for the table listings
    #            -m  set g_showmacs
    #            -l  add --line-numbers to the table listings
    #            -c  set g_routecache
    #            --  end of options
    # Arguments: options only; any further argument is a usage error
    # Globals:   g_ipt_options, g_logread, LOGFILE, VERBOSITY, host
    #            written; g_tool, g_family, g_hostname, g_product,
    #            TC_ENABLED read
    # Outputs:   the dump on stdout (dump_command() pipes it through
    #            dump_filter())
    #
    local finished
    finished=0
    local arptables
    resolve_arptables
    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1    # NOTE(review): not declared local - leaks into the caller's scope
        case $option in
            -*)
                option=${option#-}
                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        x*)
                            g_ipt_options="-xnv"
                            option=${option#x}
                            ;;
                        m*)
                            g_showmacs=Yes
                            option=${option#m}
                            ;;
                        l*)
                            g_ipt_options1="--line-numbers"
                            option=${option#l}
                            ;;
                        c*)
                            g_routecache=Yes
                            option=${option#c}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done
    #
    # Choose how the log is read when LOGFILE was not configured: a
    # circular syslog buffer via logread, else the default file, else fail.
    #
    if [ -z "$LOGFILE" ]; then
        LOGFILE=/var/log/messages
        if [ -n "$(syslog_circular_buffer)" ]; then
            g_logread="logread | tac"
        elif [ -r $LOGFILE ]; then
            g_logread="tac $LOGFILE"
        else
            fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html"
        fi
    fi
    g_ipt_options="$g_ipt_options $g_ipt_options1"
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
    #
    # For Shorewall6, also report the Shorewall version it runs on top of.
    #
    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
        echo " Shorewall $(cat ${SHAREDIR}/shorewall/version)"
        echo
    fi
    show_status
    show_reset
    #
    # Short host name (domain part stripped). Not referenced in this
    # function; it is a global, presumably read by a called helper -
    # TODO confirm before removing.
    #
    host=$(echo $g_hostname | sed 's/\..*$//')
    #
    # No -t: this lists the default (filter) table.
    #
    $g_tool -L $g_ipt_options
    if [ -n "$arptables" -a -x "$arptables" ]; then
        heading "ARP rules"
        $arptables -L -n -v
    fi
    heading "Log ($LOGFILE)"
    packet_log 20
    #
    # Optional tables are listed only when the kernel provides them.
    #
    if qt $g_tool -t nat -L -n; then
        heading "NAT Table"
        $g_tool -t nat -L $g_ipt_options
    fi
    if qt $g_tool -t mangle -L -n; then
        heading "Mangle Table"
        $g_tool -t mangle -L $g_ipt_options
    fi
    if qt $g_tool -t raw -L -n; then
        heading "Raw Table"
        $g_tool -t raw -L $g_ipt_options
    fi
    if qt $g_tool -t rawpost -L -n; then
        heading "Rawpost Table"
        $g_tool -t rawpost -L $g_ipt_options
    fi
    #
    # Conntrack usage: newer kernels expose the counters under
    # net/netfilter, older ones under net/ipv4/netfilter.
    #
    local count
    local max
    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
        count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
        max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
        heading "Conntrack Table ($count out of $max)"
    else
        heading "Conntrack Table"
    fi
    #
    # Only the entries of this product's address family are shown.
    #
    if [ $g_family -eq 4 ]; then
        [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
        grep '^ipv6' /proc/net/nf_conntrack
    fi
    heading "IP Configuration"
    ip -$g_family addr list
    heading "IP Stats"
    ip -stat link list
    if qt mywhich brctl; then
        heading "Bridges"
        brctl show
    fi
    show_routing
    if [ $g_family -eq 4 ]; then
        heading "Per-IP Counters"
        perip_accounting
    fi
    heading "NF Accounting"
    show_nfacct
    heading "Events"
    show_events
    if qt mywhich setkey; then
        heading "PFKEY SPD"
        setkey -DP
        heading "PFKEY SAD"
        #
        # The SAD listing carries the SA keys on the 'A:' and 'E:' lines;
        # they are filtered out so that they never appear in the dump.
        #
        setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys
    fi
    heading "/proc"
    show_proc /proc/version
    if [ $g_family -eq 4 ]; then
        show_proc /proc/sys/net/ipv4/ip_forward
        show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
        for directory in /proc/sys/net/ipv4/conf/*; do
            for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
                show_proc $directory/$file
            done
        done
    else
        for directory in /proc/sys/net/ipv6/conf/*; do
            for file in forwarding proxy_ra proxy_ndp; do
                show_proc $directory/$file
            done
        done
    fi
    if [ $g_family -eq 4 ]; then
        heading "ARP"
        #
        # Fall back to iproute2 when the net-tools 'arp' is absent.
        #
        if qt mywhich arp; then
            arp -na
        else
            ip -4 neigh ls
            ip -4 neigh ls proxy
        fi
    else
        heading "Neighbors"
        ip -6 neigh ls
    fi
    if qt mywhich lsmod; then
        heading "Modules"
        if [ $g_family -eq 4 ]; then
            lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort
        else
            lsmod | grep -E '^(x_|ip6|nf_|xt_)' | sort
        fi
    fi
    determine_capabilities
    echo
    report_capabilities
    echo
    #
    # Listening/connected TCP and UDP sockets with owning processes, for
    # this address family. Printed without a heading.
    #
    ss -${g_family}tunap
    if [ -n "$TC_ENABLED" ]; then
        heading "Traffic Control"
        show_tc
        heading "TC Filters"
        show_classifiers
    fi
}
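dump_command() {
    #
    # Entry point for the 'dump' command: generate the dump and pipe it
    # through dump_filter(). "$@" (rather than the unquoted $@) passes each
    # option through as a single word.
    #
    do_dump_command "$@" | dump_filter
}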
#
# Restore Command Executor
#
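restore_command() {
    #
    # Restore the firewall from a previously saved restore script.
    #
    # Options:   -n  set g_noroutes
    #            -p  set g_purge (requires the 'conntrack' utility)
    #            -C  set g_counters
    #            --  end of options
    # Arguments: [<restore file>] - file name under ${VARDIR}
    # Globals:   RESTOREFILE, g_restorepath written; STARTUP_ENABLED,
    #            VARDIR, g_nolock, g_product read
    # Returns:   exits 6 when startup is disabled, 2 when the restore file
    #            is missing or not executable
    #
    local finished
    local option
    finished=0

    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}
                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        n*)
                            g_noroutes=Yes
                            option=${option#n}
                            ;;
                        p*)
                            command -v conntrack > /dev/null 2>&1 || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
                            g_purge=Yes
                            #
                            # Strip the *leading* 'p'. The previous
                            # '${option%p}' stripped a trailing 'p', so a
                            # combined option such as '-pC' never shrank
                            # and this loop never terminated.
                            #
                            option=${option#p}
                            ;;
                        C*)
                            g_counters=Yes
                            option=${option#C}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            RESTOREFILE="$1"
            validate_restorefile '<restore file>'
            ;;
        *)
            usage 1
            ;;
    esac

    if [ -z "$STARTUP_ENABLED" ]; then
        error_message "ERROR: Startup is disabled"
        exit 6
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on

    #
    # The lock is released on every path out of this block.
    #
    if [ -x "$g_restorepath" ]; then
        progress_message3 "Restoring $g_product..."

        run_it "$g_restorepath" restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"

        [ -n "$g_nolock" ] || mutex_off
    else
        echo "File $g_restorepath: file not found"
        [ -n "$g_nolock" ] || mutex_off
        exit 2
    fi
}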
#
# Display the time that the counters were last reset
#
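show_reset() {
    #
    # Display the time that the counters were last reset, taken from
    # ${VARDIR}/restarted, followed by a blank line.
    #
    # Globals:  VARDIR read
    # Returns:  1 (printing nothing) when ${VARDIR}/restarted is absent
    #
    local stamp

    # "${VARDIR}/restarted" is quoted so the path is used verbatim.
    if [ -f "${VARDIR}/restarted" ]; then
        stamp=$(cat "${VARDIR}/restarted")
        echo "Counters reset $stamp"
        echo
    else
        return 1
    fi
}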
#
# Displays the passed file name followed by "=" and the file's contents.
#
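show_proc() # $1 = name of a file
{
    #
    # Print " <path> = <contents>" for the file named by $1. Prints
    # nothing and returns 1 when $1 is not a regular file. "$1" is quoted
    # so that a path containing spaces or glob characters is tested and
    # read as given.
    #
    [ -f "$1" ] && echo " $1 = $(cat "$1")"
}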
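read_yesno_with_timeout() {
    #
    # Wait up to a timeout for a y/n answer on stdin.
    #
    # Arguments: $1 - timeout (default 60): a number of seconds, optionally
    #                 suffixed with 's', 'm' or 'h'
    # Returns:   0 if 'y' or 'Y' was read, 1 otherwise (including timeout),
    #            2 if neither this shell nor /bin/bash provides 'read -t'
    #
    local timeout
    local yn
    local rc

    timeout=${1:-60}

    case $timeout in
        *s)
            #
            # The suffix must be removed: previously it was left in place
            # and 'read -t 30s' was rejected as an invalid timeout.
            #
            timeout=${timeout%s}
            ;;
        *m)
            timeout=$((${timeout%m} * 60))
            ;;
        *h)
            timeout=$((${timeout%h} * 3600))
            ;;
    esac

    read -t "$timeout" yn 2> /dev/null
    rc=$?

    if [ $rc -eq 2 ]; then
        #
        # This shell's 'read' does not support -t; use bash's if it is
        # installed. The timeout is handed over as a positional parameter
        # rather than being interpolated into the command string.
        #
        test -x /bin/bash || return 2
        /bin/bash -c 'read -t "$1" yn; case $yn in y|Y) exit 0 ;; *) exit 1 ;; esac' _ "$timeout"
        return $?
    fi

    case "$yn" in
        y|Y)
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}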
#
# Print a heading with leading and trailing blank lines
#
heading() {
    #
    # Print "$@" on a line of its own with a blank line before and after.
    # 'echo "$@"' is kept for the title line so that every argument is
    # rendered exactly as before.
    #
    printf '\n'
    echo "$@"
    printf '\n'
}
#
# Create the appropriate -q option to pass onward
#
make_verbose() {
    #
    # Echo the verbosity option to pass to a child command: "-v<N>" when
    # g_use_verbosity is set; otherwise one 'v' per positive unit of
    # g_verbose_offset ("-vv") or one 'q' per negative unit ("-qq").
    # Nothing is echoed when the offset is 0.
    #
    local remaining
    local flag

    remaining=$g_verbose_offset
    flag=-

    if [ -n "$g_use_verbosity" ]; then
        echo "-v$g_use_verbosity"
    elif [ $g_verbose_offset -gt 0 ]; then
        while [ $remaining -gt 0 ]; do
            flag="${flag}v"
            remaining=$((remaining - 1))
        done
        echo "$flag"
    elif [ $g_verbose_offset -lt 0 ]; then
        while [ $remaining -lt 0 ]; do
            flag="${flag}q"
            remaining=$((remaining + 1))
        done
        echo "$flag"
    fi
}
#
# Executor for drop,reject,... commands
#
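block() # $1 = command, $2 = Finished, $3 - $n addresses
{
    #
    # Add each address or range to the 'dynamic' chain with target $1,
    # echoing "<address> $2" as each one is processed. Any existing
    # reject/DROP/logreject/logdrop entry for the address is removed first
    # so that an address is never listed twice.
    #
    # Arguments: $1 - target chain for the new rules
    #            $2 - word echoed after each processed address
    #            $3 - skipped (the code shifts three parameters; presumably
    #                 the command name - TODO confirm at the callers)
    #            $4.. - addresses or ranges ("a-b"); the words 'from'
    #                 (default) and 'to' select the source/destination side
    #                 for the entries that follow
    # Globals:   g_tool, g_nolock, g_product read
    # Returns:   exits 2 when the 'dynamic' chain does not exist; stops at
    #            the first address that cannot be added
    #
    local chain
    local finished
    local side
    local range
    local target

    chain=$1
    finished=$2
    side='-s'
    range='--src-range'

    if ! chain_exists dynamic; then
        echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
        [ -n "$g_nolock" ] || mutex_off
        exit 2
    fi

    shift 3

    while [ $# -gt 0 ]; do
        case $1 in
            from)
                side='-s'
                range='--src-range'
                shift
                continue
                ;;
            to)
                side='-d'
                range='--dst-range'
                shift
                continue
                ;;
            *-*)
                #
                # Address range. "$1" is quoted so that the argument is
                # passed as one word and is never expanded as a glob.
                #
                for target in reject DROP logreject logdrop; do
                    qt $g_tool -D dynamic -m iprange $range "$1" -j $target
                done
                $g_tool -A dynamic -m iprange $range "$1" -j $chain || break
                ;;
            *)
                for target in reject DROP logreject logdrop; do
                    qt $g_tool -D dynamic $side "$1" -j $target
                done
                $g_tool -A dynamic $side "$1" -j $chain || break
                ;;
        esac

        echo "$1 $finished"
        shift
    done
}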
#
# Replace commas with spaces and echo the result
#
separate_list() {
    #
    # Echo the comma-separated list given in "$@" with the commas replaced
    # by spaces. A bracketed sub-list ("[a,b]") is passed through intact
    # and the text before and after it is expanded recursively. A list with
    # a leading, trailing or doubled comma, or embedded white space, gets a
    # warning on stderr but is still expanded.
    #
    local items
    local rest
    local words
    local head
    local tail
    local inner

    items="$@"

    case "$items" in
        *,|,*|*,,*|*[[:space:]]*)
            #
            # There's been whining about us not catching embedded white space in
            # comma-separated lists. This is an attempt to snag some of the cases.
            #
            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
            ;;
        *\[*\]*)
            #
            # Where we need to embed comma-separated lists within lists, we enclose them
            # within square brackets.
            #
            head=${items%%\[*}
            tail=${items#*\[}
            inner=${tail%%\]*}
            tail=${tail#*\]}

            #
            # A separating space is emitted only where a comma adjoined the
            # bracket on that side.
            #
            case $tail in
                \,*)
                    case $head in
                        *\,)
                            echo "$(separate_list ${head%,}) [$inner] $(separate_list ${tail#,})"
                            ;;
                        *)
                            echo "$(separate_list $head)[$inner] $(separate_list ${tail#,})"
                            ;;
                    esac
                    ;;
                *)
                    case $head in
                        *\,)
                            echo "$(separate_list ${head%,}) [$inner]$(separate_list $tail)"
                            ;;
                        *)
                            echo "$(separate_list $head)[$inner]$(separate_list $tail)"
                            ;;
                    esac
                    ;;
            esac
            return
            ;;
    esac

    #
    # Plain list: peel off one comma-delimited element at a time.
    #
    rest="$@"
    words=${rest%%,*}

    while :; do
        case $rest in
            *,*)
                rest=${rest#*,}
                words="$words ${rest%%,*}"
                ;;
            *)
                break
                ;;
        esac
    done

    echo "$words"
}
#
# add command executor
#
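add_command() {
    #
    # Add hosts to a dynamic zone.
    #
    # Argument forms (selected by the case below):
    #   <interface>[:<host-list>] ... <zone>   IPv4; for IPv6 the interface
    #                                          and list are separated by '|'
    #   <ipset> <host-list> ...                add directly to an ipset
    # The dynamic ipset name is derived from the zone and interface
    # (prefixed with '6_' for IPv6) with dots replaced by underscores.
    #
    # Globals:   g_product, g_family, IPSET read
    # Returns:   fatal_error (does not return) when the product is not
    #            running, the ipset does not exist, or an add fails
    #
    local interface host hostlist zone ipset h

    if ! product_is_started ; then
        fatal_error "$g_product Not Started"
    fi

    determine_ipset_version

    case $1 in
        *:*)
            while [ $# -gt 1 ]; do
                if [ $g_family -eq 4 ]; then
                    interface=${1%%:*}
                    host=${1#*:}
                else
                    interface=${1%%|*}
                    host=${1#*|}
                fi
                #
                # No separator present: the whole argument is the interface
                #
                [ "$host" = "$1" ] && host=

                if [ -z "$host" ]; then
                    if [ $g_family -eq 4 ]; then
                        hostlist="$hostlist $interface:0.0.0.0/0"
                    else
                        hostlist="$hostlist $interface:::/0"
                    fi
                else
                    for h in $(separate_list "$host"); do
                        hostlist="$hostlist $interface:$h"
                    done
                fi
                shift
            done
            ;;
        *)
            ipset=$1
            shift
            while [ $# -gt 0 ]; do
                for h in $(separate_list "$1"); do
                    hostlist="$hostlist $h"
                done
                shift
            done
            ;;
    esac

    zone=$1

    if [ -n "$zone" ]; then
        for host in $hostlist; do
            if [ $g_family -eq 4 ]; then
                interface=${host%:*}
                ipset=${zone}_${interface}
            else
                interface=${host%%:*}
                ipset=6_${zone}_${interface}
            fi
            #
            # Dots in the derived name become underscores ('\.' - a
            # literal dot).
            #
            ipset=$(echo "$ipset" | sed 's/\./_/g')

            if ! qt $IPSET -L "$ipset"; then
                fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
            fi

            host=${host#*:}

            if $IPSET -A "$ipset" "$host"; then
                echo "Host $interface:$host added to zone $zone"
            else
                fatal_error "Unable to add $interface:$host to zone $zone"
            fi
        done
    else
        qt $IPSET -L "$ipset" || fatal_error "Zone $ipset is not dynamic"

        for host in $hostlist; do
            if $IPSET -A "$ipset" "$host"; then
                echo "Host $host added to zone $ipset"
            else
                fatal_error "Unable to add $host to zone $ipset"
            fi
        done
    fi
}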
#
# delete command executor
#
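delete_command() {
    #
    # Remove hosts from a dynamic zone. The argument forms mirror
    # add_command():
    #   <interface>[:<host-list>] ... <zone>   IPv4; '|' separates the
    #                                          interface and list for IPv6
    #   <ipset> <host-list> ...                delete directly from an ipset
    #
    # Globals:   g_product, g_family, IPSET read
    # Returns:   fatal_error when the product is not running or the ipset
    #            does not exist; a failed delete is only a warning
    #
    local interface host hostlist zone ipset h

    if ! product_is_started ; then
        fatal_error "$g_product Not Started"
    fi

    determine_ipset_version

    case $1 in
        *:*)
            while [ $# -gt 1 ]; do
                if [ $g_family -eq 4 ]; then
                    interface=${1%%:*}
                    host=${1#*:}
                else
                    interface=${1%%|*}
                    host=${1#*|}
                fi
                #
                # No separator present: the whole argument is the interface
                #
                [ "$host" = "$1" ] && host=

                if [ -z "$host" ]; then
                    if [ $g_family -eq 4 ]; then
                        hostlist="$hostlist $interface:0.0.0.0/0"
                    else
                        hostlist="$hostlist $interface:::/0"
                    fi
                else
                    for h in $(separate_list "$host"); do
                        hostlist="$hostlist $interface:$h"
                    done
                fi
                shift
            done
            ;;
        *)
            ipset=$1
            shift
            while [ $# -gt 0 ]; do
                for h in $(separate_list "$1"); do
                    hostlist="$hostlist $h"
                done
                shift
            done
            ;;
    esac

    zone=$1

    if [ -n "$zone" ]; then
        for host in $hostlist; do
            if [ $g_family -eq 4 ]; then
                interface=${host%:*}
                ipset=${zone}_${interface}
            else
                interface=${host%%:*}
                ipset=6_${zone}_${interface}
            fi
            #
            # Replace dots in the derived name, as add_command() does. The
            # expression must be '\.' (a literal dot): the unescaped
            # 's/./_/g' previously used here matched every character, so
            # the name always became a string of underscores and the
            # lookup below failed.
            #
            ipset=$(echo "$ipset" | sed 's/\./_/g')

            if ! qt $IPSET -L "$ipset" -n; then
                fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
            fi

            host=${host#*:}

            if $IPSET -D "$ipset" "$host"; then
                echo "Host $host deleted from zone $zone"
            else
                echo " WARNING: Unable to delete host $host from zone $zone" >&2
            fi
        done
    else
        qt $IPSET -L "$ipset" -n || fatal_error "Zone $ipset is not dynamic"

        for host in $hostlist; do
            if $IPSET -D "$ipset" "$host"; then
                echo "Host $host deleted from zone $ipset"
            else
                echo " WARNING: Unable to delete host $host from zone $ipset" >&2
            fi
        done
    fi
}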
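open_close_command() {
    #
    # Executor for the 'open' and 'close' commands (selected by $COMMAND).
    # Temporary ACCEPT rules are inserted into / deleted from the 'dynamic'
    # chain.
    #
    # Forms:  close <rule number>
    #         open|close <source>|all <dest>|all [<protocol> [<port(s)>|<icmp type>]]
    #
    # Globals:  COMMAND, g_tool, g_family, g_nolock read
    # Returns:  0 on success, 2 when the rule could not be inserted or
    #           deleted; fatal_error on invalid parameters. The lock taken
    #           by open_close_setup is released on every path.
    #
    local command
    local desc
    local proto
    local icmptype

    open_close_setup() {
        #
        # Take the lock (unless g_nolock is set) and verify that the
        # running firewall has a 'dynamic' chain; the lock is released
        # before failing.
        #
        [ -n "$g_nolock" ] || mutex_on

        if ! product_is_started ; then
            [ -n "$g_nolock" ] || mutex_off
            fatal_error "The $COMMAND command requires the firewall to be running"
        fi

        if ! chain_exists dynamic; then
            [ -n "$g_nolock" ] || mutex_off
            fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
        fi
    }

    [ $# -le 4 ] || fatal_error "Too many parameters"

    if [ "$COMMAND" = open ]; then
        [ $# -ge 2 ] || fatal_error "Too few parameters"
    else
        [ $# -ge 1 ] || fatal_error "Too few parameters"
    fi

    if [ $# -eq 1 ]; then
        #
        # close <rule number>
        #
        # Accept only an unsigned decimal with no leading zero. The
        # previous pattern '[1-9][0-9][0-9]*' used a glob '*', so anything
        # following three digits was accepted and then handed to grep and
        # to '$g_tool -D'.
        #
        case $1 in
            ''|*[!0-9]*|0*)
                fatal_error "$1 is not a valid temporary open number"
                ;;
        esac

        open_close_setup #Conditionally acquires mutex

        #
        # $1 is all digits here, so it is safe inside the grep pattern.
        #
        if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
            if $g_tool -D dynamic "$1"; then
                [ -n "$g_nolock" ] || mutex_off
                echo "Temporary open #$1 closed"
                return 0
            fi

            [ -n "$g_nolock" ] || mutex_off
            return 2
        else
            [ -n "$g_nolock" ] || mutex_off
            fatal_error "$1 is not a valid temporary open number"
        fi
    else
        if [ "$1" = all ]; then
            command=dynamic
        else
            command="dynamic -s $1"
        fi

        if [ "$2" != all ]; then
            command="$command -d $2"
        fi

        desc="from $1 to $2"

        if [ $# -ge 3 ]; then
            proto=$3
            #
            # ip6tables is given the numeric protocol for ICMPv6.
            #
            [ "$proto" = icmp ] && [ $g_family -eq 6 ] && proto=58
            command="$command -p $proto"

            case $3 in
                [0-9]*)
                    desc="$desc protocol $3"
                    ;;
                *)
                    desc="$desc $3"
                    ;;
            esac

            #
            # Normalise the ICMP protocol so that $4 is treated as an ICMP
            # type below. IPv4 ICMP is protocol 1 (the previous check
            # compared against 6, which is TCP, so 'open ... 6 <port>' was
            # mis-handled as ICMP); IPv6-ICMP is 58.
            #
            if [ $g_family -eq 4 ]; then
                if [ "$proto" = 1 ] || [ "$proto" = icmp ]; then
                    proto=icmp
                    icmptype='--icmp-type'
                fi
            else
                if [ "$proto" = 58 ] || [ "$proto" = ipv6-icmp ]; then
                    proto=icmp
                    icmptype='--icmpv6-type'
                fi
            fi
        fi

        if [ $# -eq 4 ]; then
            if [ "$proto" = icmp ]; then
                case $4 in
                    *,*)
                        fatal_error "Only a single ICMP type may be specified"
                        ;;
                    [0-9]*)
                        desc="$desc type $4"
                        ;;
                    *)
                        desc="$desc $4"
                        ;;
                esac

                command="$command $icmptype $4"
            else
                case $4 in
                    *,*)
                        command="$command -m multiport --dports $4"
                        ;;
                    *)
                        command="$command --dport $4"
                        ;;
                esac

                #
                # 'ports' for a comma-separated list, 'port' otherwise.
                #
                case $4 in
                    [0-9]*,*)
                        desc="$desc ports $4"
                        ;;
                    [0-9]*)
                        desc="$desc port $4"
                        ;;
                    *)
                        desc="$desc $4"
                        ;;
                esac
            fi
        fi

        command="$command -j ACCEPT"

        open_close_setup #Conditionally acquires mutex

        #
        # $command is intentionally unquoted below: it is the
        # space-separated argument list assembled above.
        #
        if [ "$COMMAND" = open ]; then
            if $g_tool -I $command ; then
                [ -n "$g_nolock" ] || mutex_off
                echo "Firewall dynamically opened for connections $desc"
                return 0
            fi

            [ -n "$g_nolock" ] || mutex_off
            return 2
        fi

        if $g_tool -D $command 2> /dev/null; then
            [ -n "$g_nolock" ] || mutex_off
            echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
            return 0
        fi

        [ -n "$g_nolock" ] || mutex_off
        fatal_error "Connections $desc are not currently opened"
    fi
}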
#
# 'hits' command executor
#
hits_command() {
    #
    # Summarise logged packets (lines matching "IN=.* OUT=") read via
    # $g_logread: hits per source address and date, per source address and
    # destination port, per date, and per destination port with the
    # service names from /etc/services.
    #
    # Options:   -t  restrict the report to today's entries
    #            --  end of options
    # Arguments: options only; any further argument is a usage error
    # Globals:   g_logread, g_product, g_hostname read; option, timeout,
    #            srv are assigned without 'local' and leak to the caller
    # Outputs:   the report on stdout
    #
    local finished
    finished=0
    local today
    today=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}
                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        t*)
                            #
                            # Anchored regex prefix for today's syslog date, e.g. "^Jan  5.*"
                            #
                            today=$(date +'^%b %_d.*')
                            option=${option#t}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done
    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
    echo
    timeout=30    # NOTE(review): not read in this function - TODO confirm it is needed
    #
    # $g_logread is expanded unquoted and word-split into a command line;
    # NOTE(review): a value containing '|' (see do_dump_command) would not
    # form a pipeline here - confirm how callers set it.
    #
    # Values extracted from the log (count, address, port, date) are only
    # ever passed to printf as arguments; the format strings are literals.
    #
    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
        echo " HITS IP DATE"
        echo " ---- --------------- ------"
        $g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | while read count address month day; do
            printf '%7d %-15s %3s %2d\n' $count $address $month $day
        done
        echo ""
        echo " HITS IP PORT"
        echo " ---- --------------- -----"
        #
        # Two-step sed: emit "SRC DPT" when a DPT= field exists ('t' then
        # ends the script), otherwise fall through and emit SRC alone.
        #
        $g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
            [ -z "$port" ] && port=0
            printf '%7d %-15s %d\n' $count $address $port
        done
        echo ""
        echo " HITS DATE"
        echo " ---- ------"
        $g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
            printf '%7d %3s %2d\n' $count $month $day
        done
        echo ""
        echo " HITS PORT SERVICE(S)"
        echo " ---- ----- ----------"
        $g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
            # List all services defined for the given port
            srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
            srv=$(echo $srv | sed 's/ /,/g')
            if [ -n "$srv" ] ; then
                printf '%7d %5d %s\n' $count $port $srv
            else
                printf '%7d %5d\n' $count $port
            fi
        done
    fi
}
#
# 'allow' command executor
#
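allow_command() {
    #
    # Remove addresses from the dynamic blacklist (the 'dynamic' chain).
    #
    # Arguments: $1   - the command word (not used)
    #            $2.. - addresses or ranges ("a-b"); the words 'from'
    #                   (default) and 'to' select whether source or
    #                   destination entries are removed for the ones that
    #                   follow
    # Globals:   g_debugging, g_product, g_tool, g_nolock read
    # Returns:   usage 1 when no address was given; exits 2 when the
    #            product is not started
    #
    local side
    local range
    local target
    local found

    [ -n "$g_debugging" ] && set -x

    [ $# -eq 1 ] && usage 1

    if product_is_started ; then
        side='-s'
        range='--src-range'

        if ! chain_exists dynamic; then
            fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
        fi

        [ -n "$g_nolock" ] || mutex_on

        while [ $# -gt 1 ]; do
            shift
            case $1 in
                from)
                    side='-s'
                    range='--src-range'
                    continue
                    ;;
                to)
                    side='-d'
                    range='--dst-range'
                    continue
                    ;;
                *-*)
                    #
                    # Delete the first matching entry among the blacklist
                    # targets. "$1" is quoted so the argument is passed as
                    # one word and never expanded as a glob.
                    #
                    found=
                    for target in reject DROP logdrop logreject; do
                        if qt $g_tool -D dynamic -m iprange $range "$1" -j $target; then
                            found=Yes
                            break
                        fi
                    done
                    ;;
                *)
                    found=
                    for target in reject DROP logdrop logreject; do
                        if qt $g_tool -D dynamic $side "$1" -j $target; then
                            found=Yes
                            break
                        fi
                    done
                    ;;
            esac

            if [ -n "$found" ]; then
                echo "$1 Allowed"
            else
                echo "$1 Not Dropped or Rejected"
            fi
        done

        [ -n "$g_nolock" ] || mutex_off
    else
        error_message "ERROR: $g_product is not started"
        exit 2
    fi
}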
#
# 'logwatch' command executor
#
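logwatch_command() {
    #
    # 'logwatch' command executor: parse the -v/-q/-m options, then call
    # logwatch with the remaining argument (default 30; presumably the
    # refresh interval - confirm in logwatch()).
    #
    # Arguments: $1 - the command word (discarded by the initial shift)
    #            -v / -q  raise / lower VERBOSITY by one
    #            -m       set g_showmacs
    #            --       end of options
    #            [<n>]    passed to logwatch
    # Globals:   VERBOSITY, g_showmacs written; g_debugging read
    # Returns:   usage 1 on an unknown option or too many arguments
    #
    local finished
    local option

    shift
    finished=0

    while [ $finished -eq 0 ] && [ $# -ne 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}
                #
                # A bare '-' is not an option
                #
                [ -z "$option" ] && usage 1

                while [ -n "$option" ]; do
                    case $option in
                        v*)
                            VERBOSITY=$(($VERBOSITY + 1 ))
                            option=${option#v}
                            ;;
                        q*)
                            VERBOSITY=$(($VERBOSITY - 1 ))
                            option=${option#q}
                            ;;
                        m*)
                            g_showmacs=Yes
                            option=${option#m}
                            ;;
                        -)
                            finished=1
                            option=
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
        logwatch "$1"
    elif [ $# -eq 0 ]; then
        logwatch 30
    else
        usage 1
    fi
}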
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
2010-03-04 21:38:02 +01:00
2011-12-05 21:00:36 +01:00
local tool
local chain
local chain1
2013-01-04 18:17:57 +01:00
local arptables
2015-05-02 16:54:01 +02:00
local helper
2010-03-04 21:38:02 +01:00
2011-12-12 01:28:40 +01:00
if [ -z "$g_tool" ]; then
[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
2010-03-04 21:38:02 +01:00
2011-12-12 01:28:40 +01:00
g_tool=$(mywhich $tool)
2010-03-04 21:38:02 +01:00
2011-12-12 01:28:40 +01:00
if [ -z "$g_tool" ]; then
2013-02-16 16:32:47 +01:00
fatal-error "No executable $tool binary can be found on your PATH"
2011-12-12 01:28:40 +01:00
fi
2010-03-04 21:38:02 +01:00
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $g_tool -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
2011-06-23 01:43:42 +02:00
2011-12-05 21:00:36 +01:00
[ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
2010-03-04 21:38:02 +01:00
2011-12-05 21:00:36 +01:00
[ -n "$IP" -a -x "$IP" ] || IP=
2010-03-04 21:38:02 +01:00
2011-12-05 21:00:36 +01:00
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
2011-07-28 02:03:27 +02:00
2011-12-05 21:00:36 +01:00
[ -n "$TC" -a -x "$TC" ] || TC=
2010-03-04 21:38:02 +01:00
2011-12-05 21:00:36 +01:00
CONNTRACK_MATCH=
NEW_CONNTRACK_MATCH=
OLD_CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
2013-03-10 17:04:47 +01:00
EMULTIPORT=
2011-12-05 21:00:36 +01:00
POLICY_MATCH=
PHYSDEV_MATCH=
PHYSDEV_BRIDGE=
IPRANGE_MATCH=
RECENT_MATCH=
2013-10-07 16:54:52 +02:00
REAP_OPTION=
2011-12-05 21:00:36 +01:00
OWNER_MATCH=
2012-03-26 05:18:20 +02:00
OWNER_NAME_MATCH=
2011-12-05 21:00:36 +01:00
IPSET_MATCH=
OLD_IPSET_MATCH=
2014-01-02 23:43:55 +01:00
IPSET_MATCH_NOMATCH=
IPSET_MATCH_COUNTERS=
2011-12-05 21:00:36 +01:00
IPSET_V5=
CONNMARK=
XCONNMARK=
CONNMARK_MATCH=
XCONNMARK_MATCH=
RAW_TABLE=
RAWPOST_TABLE=
IPP2P_MATCH=
OLD_IPP2P_MATCH=
LENGTH_MATCH=
CLASSIFY_TARGET=
ENHANCED_REJECT=
USEPKTTYPE=
KLUDGEFREE=
MARK=
XMARK=
EXMARK=
TPROXY_TARGET=
MANGLE_FORWARD=
COMMENTS=
ADDRTYPE=
TCPMSS_MATCH=
HASHLIMIT_MATCH=
NFQUEUE_TARGET=
REALM_MATCH=
HELPER_MATCH=
CONNLIMIT_MATCH=
TIME_MATCH=
GOTO_TARGET=
LOGMARK_TARGET=
IPMARK_TARGET=
LOG_TARGET=Yes
ULOG_TARGET=
NFLOG_TARGET=
PERSISTENT_SNAT=
FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
HEADER_MATCH=
ACCOUNT_TARGET=
AUDIT_TARGET=
CONDITION_MATCH=
IPTABLES_S=
BASIC_FILTER=
2014-02-03 21:03:22 +01:00
BASIC_EMATCH=
2011-12-05 21:00:36 +01:00
CT_TARGET=
2012-01-05 00:46:01 +01:00
STATISTIC_MATCH=
2012-02-02 21:54:00 +01:00
IMQ_TARGET=
2012-02-20 17:47:48 +01:00
DSCP_MATCH=
DSCP_TARGET=
2012-05-15 02:12:46 +02:00
GEOIP_MATCH=
2012-07-15 16:54:46 +02:00
RPFILTER_MATCH=
2012-07-28 17:19:05 +02:00
NFACCT_MATCH=
2012-10-23 00:42:13 +02:00
CHECKSUM_TARGET=
2013-01-04 18:17:57 +01:00
ARPTABLESJF=
2013-02-27 18:25:26 +01:00
MASQUERADE_TGT=
2013-03-10 18:07:52 +01:00
UDPLITEREDIRECT=
2013-04-09 23:04:16 +02:00
NEW_TOS_MATCH=
2014-12-29 00:23:30 +01:00
TARPIT_TARGET=
2015-01-02 18:05:06 +01:00
IFACE_MATCH=
2015-04-01 00:53:05 +02:00
TCPMSS_TARGET=
2013-03-10 18:07:52 +01:00
2012-08-03 00:38:23 +02:00
AMANDA_HELPER=
FTP_HELPER=
2012-08-07 00:54:45 +02:00
FTP0_HELPER=
2012-08-03 00:38:23 +02:00
IRC_HELPER=
2012-08-07 00:54:45 +02:00
IRC0_HELPER=
2012-08-03 00:38:23 +02:00
NETBIOS_NS_HELPER=
2012-08-03 19:53:20 +02:00
H323_HELPER=
2012-08-03 00:38:23 +02:00
PPTP_HELPER=
SANE_HELPER=
2012-08-07 00:54:45 +02:00
SANE0_HELPER=
2012-08-03 00:38:23 +02:00
SIP_HELPER=
2012-08-07 00:54:45 +02:00
SIP0_HELPER=
2012-08-03 00:38:23 +02:00
SNMP_HELPER=
TFTP_HELPER=
2012-08-07 00:54:45 +02:00
TFTP0_HELPER=
2011-12-03 19:59:01 +01:00
2013-01-04 18:17:57 +01:00
resolve_arptables
2013-03-10 17:48:10 +01:00
if [ -n "$arptables" -a -x "$arptables" ]; then
2013-01-04 18:17:57 +01:00
qt $arptables -L OUT && ARPTABLESJF=Yes
fi
2011-12-03 19:59:01 +01:00
chain=fooX$$
2011-12-05 21:00:36 +01:00
if [ -n "$NAT_ENABLED" ]; then
if qt $g_tool -t nat -N $chain; then
2011-12-23 19:55:08 +01:00
if [ $g_family -eq 4 ]; then
qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
2013-02-23 21:59:38 +01:00
else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
2011-12-23 19:55:08 +01:00
fi
2013-02-27 18:25:26 +01:00
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
2013-03-10 18:07:52 +01:00
qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -t nat -F $chain
qt $g_tool -t nat -X $chain
fi
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -F $chain
qt $g_tool -X $chain
if ! $g_tool -N $chain; then
2013-02-16 16:32:47 +01:00
fatal_error "The command \"$g_tool -N $chain\" failed"
2011-12-03 19:59:01 +01:00
fi
chain1=${chain}1
2011-12-05 21:00:36 +01:00
qt $g_tool -F $chain1
qt $g_tool -X $chain1
if ! $g_tool -N $chain1; then
2011-12-23 19:55:08 +01:00
qt $g_tool -X $CHAIN
2013-02-16 16:32:47 +01:00
fatal_error "The command \"$g_tool -N $chain1\" failed"
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
if ! qt $g_tool -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
! qt $g_tool -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
2011-12-23 19:55:08 +01:00
qt $g_tool -x $chain
qt $g_tool -x $chain1
2013-02-16 16:32:47 +01:00
fatal_error "Your kernel lacks connection tracking and/or state matching -- $g_product will not run on this system"
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
else
qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
2012-04-24 23:52:57 +02:00
fi
2011-12-03 19:59:01 +01:00
if [ -n "$CONNTRACK_MATCH" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
2012-04-24 23:52:57 +02:00
2011-12-05 21:00:36 +01:00
if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
else
qt $g_tool -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes
fi
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
if qt $g_tool -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
2011-12-03 19:59:01 +01:00
MULTIPORT=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
2011-12-03 19:59:01 +01:00
fi
2013-03-10 17:04:47 +01:00
qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $g_tool -A $chain -p sctp -m multiport --dports 21,22 -j ACCEPT && EMULTIPORT=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
2011-12-03 19:59:01 +01:00
2011-12-05 21:00:36 +01:00
if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
2011-12-03 19:59:01 +01:00
PHYSDEV_MATCH=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
2011-12-03 19:59:01 +01:00
if [ -z "${KLUDGEFREE}" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
2011-12-03 19:59:01 +01:00
fi
fi
2011-12-05 21:00:36 +01:00
if [ $g_family -eq 4 ]; then
if qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}" ]; then
qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
fi
fi
elif qt $g_tool -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then
2011-12-03 19:59:01 +01:00
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes
2011-12-03 19:59:01 +01:00
fi
fi
2013-10-07 16:54:52 +02:00
if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
RECENT_MATCH=Yes
qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
2011-12-03 19:59:01 +01:00
2012-03-26 05:18:20 +02:00
local name
name=$(id -un 2> /dev/null)
[ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes
2011-12-05 21:00:36 +01:00
if qt $g_tool -A $chain -m connmark --mark 2 -j ACCEPT; then
2011-12-03 19:59:01 +01:00
CONNMARK_MATCH=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
2011-12-03 19:59:01 +01:00
if [ -n "$IPP2P_MATCH" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
2011-12-03 19:59:01 +01:00
2011-12-05 21:00:36 +01:00
if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
else
qt $g_tool -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
fi
qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
2011-12-03 19:59:01 +01:00
2012-07-28 20:21:16 +02:00
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
NFACCT=
else
NFACCT=$(mywhich nfacct)
fi
if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -D $chain -m nfacct --nfacct-name $chain
qt $NFACCT del $chain
fi
2014-12-29 00:23:30 +01:00
qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
2015-01-02 18:05:06 +01:00
qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
2015-04-01 00:53:05 +02:00
qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
2011-12-03 19:59:01 +01:00
if [ -n "$MANGLE_ENABLED" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -N $chain
2011-12-03 19:59:01 +01:00
2011-12-05 21:00:36 +01:00
if qt $g_tool -t mangle -A $chain -j MARK --set-mark 1; then
2011-12-03 19:59:01 +01:00
MARK=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
qt $g_tool -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
if qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark; then
2011-12-03 19:59:01 +01:00
CONNMARK=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
2011-12-03 19:59:01 +01:00
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
2012-02-20 17:47:48 +01:00
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
2012-07-15 16:54:46 +02:00
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
2012-10-23 00:42:13 +02:00
qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
2013-04-09 23:04:16 +02:00
qt $g_tool -t mangle -A $chain -m tos --tos 0x10/0xff && NEW_TOS_MATCH=Yes
2012-02-20 17:47:48 +01:00
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
2012-04-24 23:52:57 +02:00
2011-12-05 21:00:36 +01:00
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
2011-12-03 19:59:01 +01:00
fi
2012-08-03 00:38:23 +02:00
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
2011-12-05 21:00:36 +01:00
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
2011-12-03 19:59:01 +01:00
2011-12-04 23:35:53 +01:00
if [ -n "$RAW_TABLE" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
2012-08-03 00:38:23 +02:00
qt $g_tool -t raw -N $chain
2012-08-04 20:36:03 +02:00
if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes;
2015-05-02 16:54:01 +02:00
for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
eval ${helper}_ENABLED=''
done
if [ -n "$HELPERS" ]; then
for helper in $(split_list "$HELPERS"); do
case $helper in
none)
;;
amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
eval ${helper}_ENABLED=Yes
;;
*)
error_message "WARNING: Invalid helper ($helper) ignored"
;;
esac
done
else
for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
eval ${helper}_ENABLED=Yes
done
fi
[ -n "$amanda_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
[ -n "$ftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
[ -n "$ftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
[ -n "$h323_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
[ -n "$irc_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
[ -n "$irc0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
[ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
[ -n "$pptp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
[ -n "$sane_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
[ -n "$sane0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
[ -n "$sip_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
[ -n "$sip0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
[ -n "$snmp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
[ -n "$tftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
[ -n "$tftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
2012-08-04 20:36:03 +02:00
fi
2012-08-03 00:38:23 +02:00
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
2011-12-04 23:35:53 +01:00
fi
2011-12-03 19:59:01 +01:00
if qt mywhich ipset; then
qt ipset -X $chain # Just in case something went wrong the last time
2011-12-05 21:00:36 +01:00
local have_ipset
if [ $g_family -eq 4 ]; then
if qt ipset -N $chain hash:ip family inet; then
IPSET_V5=Yes
have_ipset=Yes
elif qt ipset -N $chain iphash ; then
have_ipset=Yes
fi
if [ -n "$have_ipset" ]; then
if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
2014-01-02 23:43:55 +01:00
qt $g_tool -A $chain -m set --match-set $chain src --return-nomatch -j ACCEPT && IPSET_MATCH_NOMATCH=Yes
qt $g_tool -A $chain -m set --match-set $chain src --packets-lt 100 -j ACCEPT && IPSET_MATCH_COUNTERS=Yes
2012-08-19 15:43:25 +02:00
qt $g_tool -F $chain
2011-12-05 21:00:36 +01:00
IPSET_MATCH=Yes
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
2012-08-19 15:43:25 +02:00
qt $g_tool -F $chain
2011-12-05 21:00:36 +01:00
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
qt ipset -X $chain
fi
elif qt ipset -N $chain hash:ip family inet6; then
2011-12-03 19:59:01 +01:00
IPSET_V5=Yes
2011-12-05 21:00:36 +01:00
if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
2012-08-19 15:43:25 +02:00
qt $g_tool -F $chain
2011-12-03 19:59:01 +01:00
IPSET_MATCH=Yes
2011-12-05 21:00:36 +01:00
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
2012-08-19 15:43:25 +02:00
qt $g_tool -F $chain
2011-12-03 19:59:01 +01:00
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
qt ipset -X $chain
fi
fi
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
2011-12-03 19:59:01 +01:00
if [ -z "$HASHLIMIT_MATCH" ]; then
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
2011-12-03 19:59:01 +01:00
HASHLIMIT_MATCH=$OLD_HL_MATCH
2011-12-05 21:00:36 +01:00
fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
2012-08-03 19:53:20 +02:00
2012-08-04 20:36:03 +02:00
#
# -m helper doesn't verify the existence of the specified helper :-(
#
if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
HELPER_MATCH=Yes
if [ -z "$CT_TARGET" ]; then
AMANDA_HELPER=Yes
FTP_HELPER=Yes
2012-08-07 00:54:45 +02:00
FTP_HELPER=Yes
2012-08-04 20:36:03 +02:00
H323_HELPER=Yes
IRC_HELPER=Yes
NS_HELPER=Yes
PPTP_HELPER=Yes
SANE_HELPER=Yes
SIP_HELPER=Yes
SNMP_HELPER=Yes
TFTP_HELPER=Yes
fi
fi
2012-08-03 19:53:20 +02:00
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $g_tool -A $chain -j LOG || LOG_TARGET=
qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
2012-01-05 00:46:01 +01:00
qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
2012-05-15 02:12:46 +02:00
qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
2011-12-05 21:00:36 +01:00
if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
else
qt $g_tool -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
2011-12-23 19:55:08 +01:00
qt $g_tool -A $chain -j ACCOUNT --addr ::1/122 --tname $chain && ACCOUNT_TARGET=Yes
2011-12-05 21:00:36 +01:00
fi
2011-12-03 19:59:01 +01:00
2011-12-05 21:00:36 +01:00
qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
2012-11-29 21:15:15 +01:00
2012-11-30 16:31:29 +01:00
qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
2012-11-29 21:15:15 +01:00
2011-12-05 21:00:36 +01:00
qt $g_tool -S INPUT && IPTABLES_S=Yes
qt $g_tool -F $chain
qt $g_tool -X $chain
qt $g_tool -F $chain1
qt $g_tool -X $chain1
2011-12-03 19:59:01 +01:00
2014-02-03 21:03:22 +01:00
if [ -n "$TC" ]; then
$TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
if $TC filter add basic help 2>&1 | grep -q ^Usage; then
BASIC_FILTER=Yes
$TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
fi
fi
2011-12-03 19:59:01 +01:00
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION
2012-04-24 23:52:57 +02:00
2011-12-03 19:59:01 +01:00
KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
2012-04-24 23:52:57 +02:00
case "$KERNELVERSION" in
2011-12-03 19:59:01 +01:00
*.*.*)
KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;;
*)
KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
;;
esac
}
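#
# Print one human-readable "<description>: Available|Not available" line per
# capability, unsorted (report_capabilities pipes the output through sort).
# Capabilities that only make sense on top of another one (XMULTIPORT,
# XCONNMARK, REAP_OPTION, ...) are listed only when the base capability is
# present.
#
# Globals read: g_family, the capability variables set by
#               determine_capabilities, KERNELVERSION, CAPVERSION
#
report_capabilities_unsorted() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
        local setting
        setting=
        [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
        echo "  $1: $setting"
    }

    report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
    report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
    report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
    # (variable names below were misspelled XMULIPORT/EMULIPORT)
    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULTIPORT)" $XMULTIPORT
    [ -n "$EMULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULTIPORT)" $EMULTIPORT
    report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
    if [ -n "$CONNTRACK_MATCH" ]; then
        report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
        [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    if [ -n "$IPSET_MATCH" ]; then
        report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
        [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
        [ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)" $IPSET_MATCH_NOMATCH
        # (was gated on IPSET_MATCH_NOMATCH, so counters support was never reported on its own)
        [ -n "$IPSET_MATCH_COUNTERS" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
    fi
    report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
    [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
    report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
    report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
    report_capability "MARK Target (MARK)" $MARK
    [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
    [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
    report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
    report_capability "Comments (COMMENTS)" $COMMENTS
    report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
    report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
    report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
    [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
    report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
    report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
    report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
    report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
    report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
    report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
    report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
    report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
    report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
    report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
    report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
    report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
    report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
    report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
    report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
    report_capability "Mark in the filter table (MARK_ANYWHERE)" $MARK_ANYWHERE
    report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
    report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
    report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
    report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
    report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
    report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
    report_capability "NFAcct Match (NFACCT_MATCH)" $NFACCT_MATCH
    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
    report_capability "FTP-0 Helper" $FTP0_HELPER
    report_capability "IRC Helper" $IRC_HELPER
    report_capability "IRC-0 Helper" $IRC0_HELPER
    report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
    report_capability "H323 Helper" $H323_HELPER
    report_capability "PPTP Helper" $PPTP_HELPER
    report_capability "SANE Helper" $SANE_HELPER
    report_capability "SANE-0 Helper" $SANE0_HELPER
    report_capability "SIP Helper" $SIP_HELPER
    report_capability "SIP-0 Helper" $SIP0_HELPER
    report_capability "SNMP Helper" $SNMP_HELPER
    report_capability "TFTP Helper" $TFTP_HELPER
    report_capability "TFTP-0 Helper" $TFTP0_HELPER

    if [ $g_family -eq 4 ]; then
        report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
    else
        report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo " Capabilities Version (CAPVERSION): $CAPVERSION"
}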
#
# Print the detected capabilities (sorted) when VERBOSITY is above 1, then
# clear USEPKTTYPE unless PKTTYPE is set in the configuration.
#
report_capabilities() {
    local heading

    heading="$g_product has detected the following iptables/netfilter capabilities:"

    if [ $VERBOSITY -gt 1 ]; then
        printf '%s\n' "$heading"
        report_capabilities_unsorted | sort
    fi

    case $PKTTYPE in
        '')
            USEPKTTYPE=
            ;;
    esac
}
report_capabilities_unsorted1() {
2010-03-04 21:38:02 +01:00
report_capability1() # $1 = Capability
{
eval echo $1=\$$1
}
report_capability1 NAT_ENABLED
report_capability1 MANGLE_ENABLED
report_capability1 MULTIPORT
report_capability1 XMULTIPORT
2013-03-10 17:04:47 +01:00
report_capability1 EMULTIPORT
2010-03-04 21:38:02 +01:00
report_capability1 CONNTRACK_MATCH
report_capability1 NEW_CONNTRACK_MATCH
report_capability1 OLD_CONNTRACK_MATCH
report_capability1 USEPKTTYPE
report_capability1 POLICY_MATCH
report_capability1 PHYSDEV_MATCH
report_capability1 PHYSDEV_BRIDGE
report_capability1 LENGTH_MATCH
report_capability1 IPRANGE_MATCH
report_capability1 RECENT_MATCH
2013-10-07 16:54:52 +02:00
report_capability1 REAP_OPTION
2010-03-04 21:38:02 +01:00
report_capability1 OWNER_MATCH
2012-03-26 05:18:20 +02:00
report_capability1 OWNER_NAME_MATCH
2010-03-04 21:38:02 +01:00
report_capability1 IPSET_MATCH
2010-08-04 06:06:17 +02:00
report_capability1 OLD_IPSET_MATCH
2014-01-02 23:43:55 +01:00
report_capability1 IPSET_MATCH_NOMATCH
report_capability1 IPSET_MATCH_COUNTERS
2010-03-04 21:38:02 +01:00
report_capability1 CONNMARK
report_capability1 XCONNMARK
report_capability1 CONNMARK_MATCH
report_capability1 XCONNMARK_MATCH
report_capability1 RAW_TABLE
2011-08-13 20:14:29 +02:00
report_capability1 RAWPOST_TABLE
2010-03-04 21:38:02 +01:00
report_capability1 IPP2P_MATCH
report_capability1 OLD_IPP2P_MATCH
report_capability1 CLASSIFY_TARGET
report_capability1 ENHANCED_REJECT
report_capability1 KLUDGEFREE
report_capability1 MARK
report_capability1 XMARK
report_capability1 EXMARK
report_capability1 MANGLE_FORWARD
report_capability1 COMMENTS
report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH
report_capability1 OLD_HL_MATCH
report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH
report_capability1 CONNLIMIT_MATCH
report_capability1 TIME_MATCH
report_capability1 GOTO_TARGET
report_capability1 LOGMARK_TARGET
report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET
2011-11-12 23:10:48 +01:00
report_capability1 ULOG_TARGET
report_capability1 NFLOG_TARGET
2010-03-04 21:38:02 +01:00
report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
2010-07-04 18:08:04 +02:00
report_capability1 FWMARK_RT_MASK
2010-08-27 17:35:33 +02:00
report_capability1 MARK_ANYWHERE
2010-11-24 19:46:06 +01:00
report_capability1 HEADER_MATCH
2011-01-29 23:18:53 +01:00
report_capability1 ACCOUNT_TARGET
2011-05-30 20:39:21 +02:00
report_capability1 AUDIT_TARGET
2011-06-23 15:36:35 +02:00
report_capability1 IPSET_V5
2011-09-22 00:20:50 +02:00
report_capability1 CONDITION_MATCH
2011-10-01 22:54:52 +02:00
report_capability1 IPTABLES_S
2011-11-01 14:34:57 +01:00
report_capability1 BASIC_FILTER
2014-02-03 21:03:22 +01:00
report_capability1 BASIC_EMATCH
2011-12-04 23:35:53 +01:00
report_capability1 CT_TARGET
2012-01-05 00:46:01 +01:00
report_capability1 STATISTIC_MATCH
2012-02-02 21:54:00 +01:00
report_capability1 IMQ_TARGET
2012-02-20 17:47:48 +01:00
report_capability1 DSCP_MATCH
report_capability1 DSCP_TARGET
2012-05-15 02:12:46 +02:00
report_capability1 GEOIP_MATCH
2012-07-15 16:54:46 +02:00
report_capability1 RPFILTER_MATCH
2012-07-28 17:19:05 +02:00
report_capability1 NFACCT_MATCH
2012-10-23 00:42:13 +02:00
report_capability1 CHECKSUM_TARGET
2013-01-04 18:17:57 +01:00
report_capability1 ARPTABLESJF
2013-02-27 18:25:26 +01:00
report_capability1 MASQUERADE_TGT
2013-03-10 18:07:52 +01:00
report_capability1 UDPLITEREDIRECT
2013-04-09 23:04:16 +02:00
report_capability1 NEW_TOS_MATCH
2014-12-29 00:23:30 +01:00
report_capability1 TARPIT_TARGET
2015-01-02 18:05:06 +01:00
report_capability1 IFACE_MATCH
2015-04-01 00:53:05 +02:00
report_capability1 TCPMSS_TARGET
2012-10-23 00:42:13 +02:00
2012-08-03 00:38:23 +02:00
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER
2012-08-07 00:54:45 +02:00
report_capability1 FTP0_HELPER
2012-08-03 00:38:23 +02:00
report_capability1 IRC_HELPER
2012-08-07 00:54:45 +02:00
report_capability1 IRC0_HELPER
2012-08-03 00:38:23 +02:00
report_capability1 NETBIOS_NS_HELPER
2012-08-03 19:53:20 +02:00
report_capability1 H323_HELPER
2012-08-03 00:38:23 +02:00
report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER
2012-08-07 00:54:45 +02:00
report_capability1 SANE0_HELPER
report_capability1 SIP_HELPER
report_capability1 SIP0_HELPER
report_capability1 SNMP_HELPER
report_capability1 TFTP_HELPER
report_capability1 TFTP0_HELPER
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
}
#
# Print the capability report: a three-line '#' banner naming the product,
# its version and the current date, followed by the output of
# report_capabilities_unsorted1 in sorted order.
#
report_capabilities1() {
    local banner_text

    banner_text="# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"

    echo "#"
    echo "$banner_text"
    echo "#"

    report_capabilities_unsorted1 | sort
}
#
# Report whether the product is running and what ${VARDIR}/state records.
#
# Sets the global 'status' (status_command exits with it):
#   0 - product_is_started succeeded
#   4 - product_is_started failed
#   3 - ${VARDIR}/state begins with Stopped, Closed or Clear (overrides 0/4)
# Also sets the global 'state' to the file's contents, or "Unknown" when
# the file is absent.
#
# All output is suppressed when VERBOSITY < 1. When the compiled firewall
# script exists, the version it reports ($g_firewall version) is appended
# to the state line.
#
show_status() {
    if product_is_started ; then
        status=0
        [ "$VERBOSITY" -ge 1 ] && echo "$g_product is running"
    else
        status=4
        [ "$VERBOSITY" -ge 1 ] && echo "$g_product is stopped"
    fi

    if [ -f "${VARDIR}/state" ]; then
        state="$(cat "${VARDIR}/state")"

        case $state in
            Stopped*|Closed*|Clear*)
                status=3
                ;;
        esac
    else
        state=Unknown
    fi

    [ "$VERBOSITY" -ge 1 ] || return 0

    if [ -f "$g_firewall" ]; then
        state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
    fi

    echo "State:$state"
    echo
}
#
# Translate the contents of an interface .status file into a word.
#
# Arguments: $1 - path of the .status file
# Outputs:   "Enabled" for "0", "Disabled" for "1", "Unknown" otherwise
#
interface_status() {
    local contents

    contents=$(cat "$1")

    if [ "x$contents" = "x0" ]; then
        echo Enabled
    elif [ "x$contents" = "x1" ]; then
        echo Disabled
    else
        echo Unknown
    fi
}
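#
# List the status of every interface that has a ${VARDIR}/<interface>.status
# file, one " Interface <name> is <Enabled|Disabled|Unknown>" line each,
# followed by a blank line when at least one was listed.
#
# When no .status file exists the shell leaves the glob as the literal
# pattern, so entries that are not regular files are skipped; this avoids
# a spurious "Interface * is Unknown" line and a cat error from
# interface_status.
#
show_interfaces() {
    local f
    local interface
    local printed

    for f in "${VARDIR}"/*.status; do
        [ -f "$f" ] || continue
        interface=${f##*/}
        echo " Interface ${interface%.status} is $(interface_status "$f")"
        printed=Yes
    done

    [ -n "$printed" ] && echo
}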
#
# 'status' command: print a banner (VERBOSITY >= 1), the running/stopped
# state via show_status and, with -i, the per-interface status via
# show_interfaces. Exits with the global 'status' that show_status sets.
#
# Options: -i  list interfaces. '--' ends option processing. Any argument
# left after the options is a usage error.
#
status_command() {
    local finished
    local option
    local interfaces

    finished=0

    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1

        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        i*)
                            interfaces=Yes
                            option=${option#i}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ $# -eq 0 ] || usage 1

    if [ "$VERBOSITY" -ge 1 ]; then
        echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
        echo
    fi

    show_status

    [ -n "$interfaces" ] && show_interfaces

    exit $status
}
#
# 'drop' command: pass the argument list to block with the DROP
# disposition. Requires the product to be running and the 'dynamic'
# chain to exist (otherwise a message is printed and the command exits 2).
# The mutex is held around the update unless 'nolock' was given.
#
drop_command() {
    if product_is_started ; then
        if ! chain_exists dynamic; then
            echo "Dynamic blacklisting is not supported in the current $g_product configuration"
            exit 2
        fi

        [ -n "$g_nolock" ] || mutex_on
        block DROP Dropped "$@"
        [ -n "$g_nolock" ] || mutex_off
    else
        fatal_error "$g_product is not started"
    fi
}
#
# 'logdrop' command: pass the argument list to block with the logdrop
# disposition. Requires the product to be running and the 'dynamic'
# chain to exist (otherwise a message is printed and the command exits 2).
# The mutex is held around the update unless 'nolock' was given.
#
logdrop_command() {
    if product_is_started ; then
        if ! chain_exists dynamic; then
            echo "Dynamic blacklisting is not supported in the current $g_product configuration"
            exit 2
        fi

        [ -n "$g_nolock" ] || mutex_on
        block logdrop Dropped "$@"
        [ -n "$g_nolock" ] || mutex_off
    else
        fatal_error "$g_product is not started"
    fi
}
#
# 'reject' / 'logreject' command: pass the argument list to block. $1 is
# the command word itself (the dispatcher passes its arguments unshifted)
# and is given to block as the disposition, where drop_command passes DROP.
# Requires the product to be running; unlike drop_command, the presence of
# the 'dynamic' chain is not checked here. The mutex is held around the
# update unless 'nolock' was given.
#
reject_command() {
    if product_is_started ; then
        [ -n "$g_nolock" ] || mutex_on
        block $1 Rejected "$@"
        [ -n "$g_nolock" ] || mutex_off
    else
        fatal_error "$g_product is not started"
    fi
}
#
# 'save' command: save the running configuration to ${VARDIR}/<file>.
#
# $1 is the command word and is discarded. Options: -C sets g_counters;
# '--' ends option processing. One optional remaining argument names the
# restore file (checked by validate_restorefile); with none, RESTOREFILE
# from the configuration is used. Exits with the status of save_config,
# which runs under the mutex unless 'nolock' was given.
#
save_command() {
    local finished
    finished=0

    shift

    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1

        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        C*)
                            g_counters=Yes
                            option=${option#C}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    if [ $# -eq 1 ]; then
        RESTOREFILE="$1"
        validate_restorefile '<restore file>'
    elif [ $# -ne 0 ]; then
        usage 1
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on
    save_config
    result=$?
    [ -n "$g_nolock" ] || mutex_off

    exit $result
}
#
# 'forget' command: delete a saved configuration.
#
# $1 is the command word. An optional $2 names the restore file (checked
# by validate_restorefile); with none, RESTOREFILE from the configuration
# is used. Only an executable ${VARDIR}/<file> counts as a saved
# configuration; it is removed together with its -iptables, -ipsets and
# -arptables companions. A non-executable regular file is reported and
# left alone. ${VARDIR}/save is removed in every case.
#
forget_command() {
    local suffix

    if [ $# -eq 2 ]; then
        RESTOREFILE="$2"
        validate_restorefile '<restore file>'
    elif [ $# -ne 1 ]; then
        usage 1
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE

    if [ -x "$g_restorepath" ]; then
        for suffix in '' -iptables -ipsets -arptables; do
            rm -f "${g_restorepath}${suffix}"
        done

        echo " $g_restorepath removed"
    elif [ -f "$g_restorepath" ]; then
        echo " $g_restorepath exists and is not a saved $g_product configuration"
    fi

    rm -f "${VARDIR}/save"
}
#
# 'ipcalc' command (IPv4 only): print the CIDR, netmask, network and
# broadcast address for a network given either as <address>/<vlsm> ($2)
# or as <address> <netmask> ($2 $3; the VLSM is derived with ip_vlsm).
#
# Exits via usage for IPv6, a wrong argument count, or when no VLSM could
# be determined; fatal_error on an invalid address or a VLSM above 32.
#
ipcalc_command() {
    local address
    local vlsm

    [ $g_family -eq 6 ] && usage 1

    case $# in
        2)
            address=${2%/*}
            vlsm=${2#*/}
            ;;
        3)
            address=$2
            vlsm=$(ip_vlsm $3)
            ;;
        *)
            usage 1
            ;;
    esac

    valid_address $address || fatal_error "Invalid IP address: $address"

    [ -z "$vlsm" ] && usage 2
    # A bare "a.b.c.d" with no '/' leaves both expansions equal to $2.
    [ "x$address" = "x$vlsm" ] && usage 2
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm

    echo " CIDR=$address"
    temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
    temp=$(ip_network $address); echo " NETWORK=$temp"
    temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
}
#
# 'iprange' command (IPv4 only): list the addresses in <address>-<address>.
# Everything after the command word ($1) is concatenated without
# separators to form the range, so a range split across arguments is
# accepted. Both endpoints must pass valid_address; anything that does
# not look like a dotted-quad range is a usage error.
#
iprange_command() {
    local range
    local part

    [ $g_family -eq 6 ] && usage 1

    [ $# -gt 0 ] && shift

    range=''
    for part in "$@"; do
        range="${range}${part}"
    done

    case $range in
        *.*.*.*-*.*.*.*)
            for address in ${range%-*} ${range#*-}; do
                valid_address $address || fatal_error "Invalid IP address: $address"
            done

            ip_range $range
            ;;
        *)
            usage 1
            ;;
    esac
}
#
# 'ipdecimal' command (IPv4 only): convert between dotted-quad and
# decimal forms. A dotted-quad $2 is validated and printed via decodeaddr;
# any other $2 is printed via encodeaddr. Exactly two arguments required.
#
ipdecimal_command() {
    local value

    [ $# -eq 2 ] || usage 1
    [ $g_family -eq 6 ] && usage 1

    value=$2

    case $value in
        *.*.*.*)
            valid_address $value || fatal_error "Invalid IP address: $value"
            echo " $(decodeaddr $value)"
            ;;
        *)
            echo " $(encodeaddr $value)"
            ;;
    esac
}
#
# 'iptrace' command: append a TRACE rule with the given match arguments to
# the raw table's PREROUTING and OUTPUT chains using $g_tool. Requires the
# product to be running.
#
iptrace_command() {
    local chain

    if product_is_started ; then
        for chain in PREROUTING OUTPUT; do
            $g_tool -t raw -A "$chain" "$@" -j TRACE
        done
    else
        fatal_error "$g_product is not started"
    fi
}
#
# 'noiptrace' command: delete the TRACE rule with the given match arguments
# from the raw table's PREROUTING and OUTPUT chains using $g_tool (the
# inverse of iptrace_command). Requires the product to be running.
#
noiptrace_command() {
    local chain

    if product_is_started ; then
        for chain in PREROUTING OUTPUT; do
            $g_tool -t raw -D "$chain" "$@" -j TRACE
        done
    else
        fatal_error "$g_product is not started"
    fi
}
#
# Set the configuration variables from ${g_program}.conf (e.g.
# shorewall-lite.conf) and, if present, ${VARDIR}/firewall.conf, then
# resolve the tools and settings the CLI needs:
#   g_logread  - command used to read the log (logread or tac on LOGFILE)
#   realtail   - "Yes" when tail accepts -n
#   g_tool     - iptables or ip6tables path, by g_family
#   VERBOSITY  - clamped to -1..2 after applying -q/-v adjustments
#   g_hostname, IPSET, TC, IP, g_loopback
# Exits via fatal_error when the configuration or a required tool cannot
# be found.
#
# Both configuration files are sourced as shell code, so they run with
# this program's privileges and must be trusted files.
#
get_config() {
    ensure_config_path

    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
        if [ -r $config ]; then
            . $config
        else
            fatal_error "Cannot read $config! (Hint: Are you root?)"
        fi
    else
        fatal_error "$config does not exist!"
    fi

    # Called again after sourcing: presumably the config can change the
    # search path (NOTE(review): confirm against ensure_config_path).
    ensure_config_path

    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    # A running 'syslogd ... -C' (presumably busybox's in-memory log) means
    # the log is read with logread; otherwise LOGFILE must be readable.
    if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
        g_logread="logread | tac"
    elif [ -r $LOGFILE ]; then
        g_logread="tac $LOGFILE"
    else
        fatal_error "LOGFILE ($LOGFILE) does not exist!"
    fi

    #
    # See if we have a real version of "tail" -- use separate redirection so
    # that ash (aka /bin/sh on LRP) doesn't choke
    #
    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
        realtail="Yes"
    else
        realtail=""
    fi

    [ -n "$FW" ] || FW=fw

    # An explicit IPTABLES/IP6TABLES setting must name an executable;
    # otherwise the tool is located on PATH with mywhich.
    if [ $g_family -eq 4 ]; then
        if [ -n "$IPTABLES" ]; then
            if [ ! -x "$IPTABLES" ]; then
                fatal_error "The program specified in IPTABLES does not exist or is not executable"
            fi
        else
            IPTABLES=$(mywhich iptables 2> /dev/null)
            if [ -z "$IPTABLES" ] ; then
                fatal_error "Can't find iptables executable"
            fi
        fi

        g_tool=$IPTABLES
    else
        if [ -n "$IP6TABLES" ]; then
            if [ ! -x "$IP6TABLES" ]; then
                fatal_error "The program specified in IP6TABLES does not exist or is not executable"
            fi
        else
            IP6TABLES=$(mywhich ip6tables 2> /dev/null)
            if [ -z "$IP6TABLES" ] ; then
                fatal_error "Can't find ip6tables executable"
            fi
        fi

        g_tool=$IP6TABLES
    fi

    # A bad SHOREWALL_SHELL is only a warning; /bin/sh is used instead.
    if [ -n "$SHOREWALL_SHELL" ]; then
        if [ ! -x "$SHOREWALL_SHELL" ]; then
            echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
            SHOREWALL_SHELL=/bin/sh
        fi
    fi

    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore

    validate_restorefile RESTOREFILE

    # VERBOSITY defaults to 2. An explicit -v<n> wins; otherwise the
    # accumulated -q/-v offset is applied. Result is clamped to -1..2.
    [ -n "${VERBOSITY:=2}" ]

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

    if [ $VERBOSITY -lt -1 ]; then
        VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
        VERBOSITY=2
    fi

    g_hostname=$(hostname 2> /dev/null)

    # IPSET containing a '/' is taken as a path and must be executable; a
    # bare name is resolved with mywhich; unset leaves IPSET empty.
    if [ -n "$IPSET" ]; then
        case "$IPSET" in
            */*)
                if [ ! -x "$IPSET" ] ; then
                    fatal_error "The program specified in IPSET ($IPSET) does not exist or is not executable"
                fi
                ;;
            *)
                prog="$(mywhich $IPSET 2> /dev/null)"

                if [ -z "$prog" ] ; then
                    fatal_error "Can't find $IPSET executable"
                fi

                IPSET=$prog
                ;;
        esac
    else
        IPSET=''
    fi

    TC=tc

    IP=$(mywhich ip 2> /dev/null)

    g_loopback=$(find_loopback_interfaces)
}
#
# Verify that we have a compiled firewall script
#
# Returns 0 when $g_firewall is a regular file. Otherwise print a
# diagnostic to stderr -- distinguishing a dangling symbolic link from a
# missing file -- and exit 2.
#
verify_firewall_script() {
    [ -f "$g_firewall" ] && return 0

    echo " ERROR: $g_product is not properly installed" >&2

    if [ -L "$g_firewall" ]; then
        echo " $g_firewall is a symbolic link to a" >&2
        echo " non-existant file" >&2
    else
        echo " The file $g_firewall does not exist" >&2
    fi

    exit 2
}
################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
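#
# Start Command Executor
#
# 'start' command (Lite CLI version; lib.cli-std overrides this): run the
# compiled ${VARDIR}/firewall script, or with -f a saved restore file.
#
# Options (single letters, may be combined; '--' ends options):
#   -f  fast start: when ${VARDIR}/${RESTOREFILE} is executable and is not
#       older than ${VARDIR}/firewall, run it with 'restore' instead
#   -C  set g_counters
#   -p  set g_purge; requires the conntrack utility (located with mywhich,
#       as restart_command does)
# Any remaining argument is a usage error.
#
# Exits 0 if the product is already running, 6 if the firewall script is
# missing or not executable, otherwise with the script's exit status.
#
start_command() {
    local finished
    local option
    finished=0

    #
    # Run the firewall (or restore) script under the mutex and exit with
    # its status. $g_debugging is deliberately unquoted: when empty it must
    # vanish rather than be passed as an empty argument.
    #
    do_it() {
        local rc
        rc=0

        [ -n "$g_nolock" ] || mutex_on

        if [ -x "${VARDIR}/firewall" ]; then
            if [ -n "$g_fast" ] && [ -x "${VARDIR}/${RESTOREFILE}" ] && [ ! "${VARDIR}/firewall" -nt "${VARDIR}/${RESTOREFILE}" ]; then
                run_it "${VARDIR}/${RESTOREFILE}" $g_debugging restore
            else
                run_it "${VARDIR}/firewall" $g_debugging start
            fi

            rc=$?
        else
            error_message "${VARDIR}/firewall is missing or is not executable"
            logger -p kern.err "ERROR:$g_product start failed"
            rc=6
        fi

        [ -n "$g_nolock" ] || mutex_off

        exit $rc
    }

    verify_firewall_script

    if product_is_started; then
        if [ $g_family -eq 4 ]; then
            error_message "Shorewall is already running"
        else
            error_message "Shorewall6 is already running"
        fi

        exit 0
    fi

    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1

        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        f*)
                            g_fast=Yes
                            option=${option#f}
                            ;;
                        C*)
                            g_counters=Yes
                            option=${option#C}
                            ;;
                        p*)
                            [ -n "$(mywhich conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
                            g_purge=Yes
                            # Strip the leading 'p' (the other options do
                            # the same); stripping a trailing one left
                            # e.g. "-pC" unchanged and looped forever.
                            option=${option#p}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ $# -eq 0 ] || usage 1

    do_it
}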
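#
# Restart Command Executor
#
# 'restart' command (Lite CLI version; lib.cli-std overrides this): run
# the compiled ${VARDIR}/firewall script with 'restart' under the mutex
# and return its exit status, or 6 if the script is missing or not
# executable.
#
# Options (single letters, may be combined; '--' ends options):
#   -n  set g_noroutes
#   -p  set g_purge; requires the conntrack utility
#   -C  set g_counters
# Any remaining argument is a usage error.
#
restart_command() {
    local finished
    local option
    local rc

    finished=0
    rc=0

    verify_firewall_script

    while [ $finished -eq 0 ] && [ $# -gt 0 ]; do
        option=$1

        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        n*)
                            g_noroutes=Yes
                            option=${option#n}
                            ;;
                        p*)
                            [ -n "$(mywhich conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
                            g_purge=Yes
                            # Strip the leading 'p' like the other options;
                            # stripping a trailing one left e.g. "-pn"
                            # unchanged and looped forever.
                            option=${option#p}
                            ;;
                        C*)
                            g_counters=Yes
                            option=${option#C}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ $# -eq 0 ] || usage 1

    [ -n "$g_nolock" ] || mutex_on

    # $g_debugging is deliberately unquoted: when empty it must vanish.
    if [ -x "${VARDIR}/firewall" ]; then
        run_it "${VARDIR}/firewall" $g_debugging restart
        rc=$?
    else
        error_message "${VARDIR}/firewall is missing or is not executable"
        logger -p kern.err "ERROR:$g_product restart failed"
        rc=6
    fi

    [ -n "$g_nolock" ] || mutex_off

    return $rc
}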
#
# 'run' command: invoke the compiled firewall script with the remaining
# arguments (the function name and its parameters). fatal_error when the
# script is absent or not executable. $g_debugging is deliberately
# unquoted so that an empty value vanishes.
#
run_command() {
    local script
    script=${VARDIR}/firewall

    if [ -x "$script" ] ; then
        run_it "$script" $g_debugging "$@"
    else
        fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
}
#
# Give Usage Information
#
# Print the command synopsis to stdout and exit with $1. The IPv4-only
# commands (ipcalc, ipdecimal, iprange, show ipa) are listed only when
# g_family is 4.
#
usage() # $1 = exit status
{
    cat <<EOF
Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>
where <command> is one of:
 add <interface>[:<host-list>] ... <zone>
 allow <address> ...
 clear
 close <source> <dest> [ <protocol> [ <port> ] ]
 delete <interface>[:<host-list>] ... <zone>
 disable <interface>
 drop <address> ...
 dump [ -x ] [ -l ] [ -m ]
 enable <interface>
 forget [ <file name> ]
 help
EOF

    if [ $g_family -eq 4 ]; then
        cat <<EOF
 ipcalc { <address>/<vlsm> | <address> <netmask> }
 ipdecimal { <address> | <integer> }
 iprange <address>-<address>
EOF
    fi

    cat <<EOF
 logdrop <address> ...
 logreject <address> ...
 logwatch [<refresh interval>]
 open <source> <dest> [ <protocol> [ <port> ] ]
 reject <address> ...
 reenable <interface>
 reset [ <chain> ... ]
 restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]
 restore [ -n ] [ -p ] [ -C ] [ <file name> ]
 run <command> [ <parameter> ... ]
 save [ -C ] [ <file name> ]
 savesets
 [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]
 [ show | list | ls ] [ -f ] capabilities
 [ show | list | ls ] arptables
 [ show | list | ls ] [ -x ] {bl|blacklists}
 [ show | list | ls ] classifiers
 [ show | list | ls ] config
 [ show | list | ls ] connections
 [ show | list | ls ] event [ <event> ...]
 [ show | list | ls ] events
 [ show | list | ls ] filters
 [ show | list | ls ] ip
EOF

    if [ $g_family -eq 4 ]; then
        cat <<EOF
 [ show | list | ls ] ipa
EOF
    fi

    cat <<EOF
 [ show | list | ls ] [ -m ] log [<regex>]
 [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost
 [ show | list | ls ] nfacct
 [ show | list | ls ] opens
 [ show | list | ls ] policies
 [ show | list | ls ] routing
 [ show | list | ls ] tc [ device ]
 [ show | list | ls ] vardir
 [ show | list | ls ] zones
 start [ -f ] [ -p ] [ -C ] [ <directory> ]
 stop
 status [ -i ]
 version [ -a ]

EOF

    exit $1
}
#
# This is the main entry point into the CLI. It directly handles all commands supported
# by both the full and lite versions. Note, however, that functions such as start_command()
# appear in both this library and in lib.cli-std. The ones in cli-std override the ones
# here if that lib is loaded below.
#
#
# Main CLI entry point.
#
# Argument order: an optional leading 'debug' or 'trace' word (g_debugging),
# an optional 'nolock' word (g_nolock, skips mutex_on/mutex_off), then the
# global option letters handled below, then the command word and its
# arguments. Initialises the g_* globals, loads lib.cli-std unless this is
# the Lite product, reads ${g_confdir}/vardir and the version file, then
# dispatches on the command word. Most commands call get_config first.
#
shorewall_cli() {
    g_debugging=

    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
        g_debugging=$1
        shift
    fi

    g_nolock=

    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
        g_nolock=nolock
        shift
    fi

    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
    g_fast=
    g_verbose_offset=0
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_convert=
    g_annotate=
    g_recovering=
    g_timestamp=
    g_shorewalldir=
    g_haveconfig=
    g_conditional=
    g_file=
    g_doing="Compiling"
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    g_loopback=

    VERBOSE=
    VERBOSITY=1

    # The standard (non-Lite) CLI library overrides some functions defined
    # in this file.
    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    #
    # Global options. Letters may be combined in one argument ("-qx").
    #   -c <dir>  configuration directory (not in Lite); must exist
    #   -e        export mode (not in Lite)
    #   -x        expanded (-x) counters in iptables listings
    #   -q / -v   decrease / increase verbosity by one; -v-1, -v0, -v1, -v2
    #             (or -V...) set it absolutely
    #   -f        fast start
    #   -n        g_noroutes
    #   -t        timestamp output
    #   --        end of options
    #
    finished=0

    while [ $finished -eq 0 ]; do
        [ $# -eq 0 ] && usage 1

        option=$1

        case $option in
            -)
                finished=1
                ;;
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        c)
                            [ $# -eq 1 -o -n "$g_lite" ] && usage 1

                            if [ ! -d $2 ]; then
                                if [ -e $2 ]; then
                                    fatal_error "$2 is not a directory"
                                else
                                    fatal_error "Directory $2 does not exist"
                                fi
                            fi

                            g_shorewalldir=$(resolve_file $2)
                            option=
                            shift
                            ;;
                        e*)
                            [ -n "$g_lite" ] && usage 1
                            g_export=Yes
                            option=${option#e}
                            ;;
                        x*)
                            g_ipt_options="-xnv"
                            option=${option#x}
                            ;;
                        q*)
                            g_verbose_offset=$(($g_verbose_offset - 1 ))
                            option=${option#q}
                            ;;
                        f*)
                            g_fast=Yes
                            option=${option#f}
                            ;;
                        [vV]*)
                            case $option in
                                v*)
                                    option=${option#v}
                                    ;;
                                *)
                                    option=${option#V}
                                    ;;
                            esac

                            # A numeric suffix sets the verbosity absolutely;
                            # a bare -v bumps the offset and clears any
                            # earlier absolute setting.
                            case $option in
                                -1*)
                                    g_use_verbosity=-1
                                    option=${option#-1}
                                    ;;
                                0*)
                                    g_use_verbosity=0
                                    option=${option#0}
                                    ;;
                                1*)
                                    g_use_verbosity=1
                                    option=${option#1}
                                    ;;
                                2*)
                                    g_use_verbosity=2
                                    option=${option#2}
                                    ;;
                                *)
                                    g_verbose_offset=$(($g_verbose_offset + 1 ))
                                    g_use_verbosity=
                                    ;;
                            esac
                            ;;
                        n*)
                            g_noroutes=Yes
                            option=${option#n}
                            ;;
                        t*)
                            g_timestamp=Yes
                            option=${option#t}
                            ;;
                        -)
                            finished=1
                            option=
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    if [ $# -eq 0 ]; then
        usage 1
    fi

    # Fixed PATH for everything the CLI runs from here on.
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    # ${g_confdir}/vardir is sourced as shell code (it may set VARDIR);
    # it runs with this program's privileges and must be a trusted file.
    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    g_firewall=${VARDIR}/firewall

    version_file=${g_sharedir}/version

    if [ -f $version_file ]; then
        SHOREWALL_VERSION=$(cat $version_file)
    else
        echo " ERROR: $g_product is not properly installed" >&2
        echo " The file $version_file does not exist" >&2
        exit 1
    fi

    # NOTE(review): g_hostname is only assigned in get_config, which has
    # not run yet, so this banner has an empty hostname; logwatch sets its
    # own banner after get_config, and status_command builds its own.
    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"

    # Probe whether this shell's echo understands -e and -n, and record
    # the forms that work.
    case $(echo -e) in
        -e*)
            g_ring_bell="echo \a"
            g_echo_e="echo"
            ;;
        *)
            g_ring_bell="echo -e \a"
            g_echo_e="echo -e"
            ;;
    esac

    case $(echo -n "Testing") in
        -n*)
            g_echo_n=
            ;;
        *)
            g_echo_n=-n
            ;;
    esac

    #
    # Command dispatch. Commands that pass $@ without a preceding shift
    # hand the command word itself to the *_command function as $1.
    #
    COMMAND=$1

    case "$COMMAND" in
        start)
            get_config Yes Yes
            shift
            start_command $@
            ;;
        stop|clear)
            [ $# -ne 1 ] && usage 1
            get_config
            [ -x $g_firewall ] || fatal_error "$g_product has never been started"
            [ -n "$g_nolock" ] || mutex_on
            run_it $g_firewall $g_debugging $COMMAND
            [ -n "$g_nolock" ] || mutex_off
            ;;
        reset)
            get_config
            shift
            [ -n "$g_nolock" ] || mutex_on
            [ -x $g_firewall ] || fatal_error "$g_product has never been started"
            run_it $g_firewall $g_debugging reset $@
            [ -n "$g_nolock" ] || mutex_off
            ;;
        restart)
            get_config Yes Yes
            shift
            restart_command $@
            ;;
        disable|enable|reenable)
            get_config Yes
            if product_is_started; then
                run_it ${VARDIR}/firewall $g_debugging $@
            else
                fatal_error "$g_product is not running"
            fi
            ;;
        run)
            [ $# -gt 1 ] || fatal_error "Missing function name"
            get_config Yes
            run_command $@
            ;;
        show|list|ls)
            get_config Yes No Yes
            shift
            show_command $@
            ;;
        status)
            # Only root may query status; the other commands rely on the
            # checks inside get_config and the firewall script.
            [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
            get_config
            shift
            status_command $@
            ;;
        dump)
            get_config Yes No Yes
            shift
            dump_command $@
            ;;
        hits)
            # IPv4 only.
            [ $g_family -eq 6 ] && usage 1
            get_config Yes No Yes
            [ -n "$g_debugging" ] && set -x
            shift
            hits_command $@
            ;;
        version)
            shift
            version_command $@
            ;;
        logwatch)
            get_config Yes Yes Yes
            banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
            logwatch_command $@
            ;;
        drop)
            get_config
            [ -n "$g_debugging" ] && set -x
            [ $# -eq 1 ] && usage 1
            drop_command $@
            ;;
        logdrop)
            get_config
            [ -n "$g_debugging" ] && set -x
            [ $# -eq 1 ] && usage 1
            logdrop_command $@
            ;;
        reject|logreject)
            get_config
            [ -n "$g_debugging" ] && set -x
            [ $# -eq 1 ] && usage 1
            reject_command $@
            ;;
        open|close)
            get_config
            shift
            open_close_command $@
            ;;
        allow)
            get_config
            allow_command $@
            ;;
        add)
            get_config
            shift
            add_command $@
            ;;
        delete)
            get_config
            shift
            delete_command $@
            ;;
        save)
            get_config
            [ -n "$g_debugging" ] && set -x
            save_command $@
            ;;
        forget)
            get_config
            forget_command $@
            ;;
        ipcalc)
            [ -n "$g_debugging" ] && set -x
            ipcalc_command $@
            ;;
        iprange)
            [ -n "$g_debugging" ] && set -x
            iprange_command $@
            ;;
        ipdecimal)
            [ -n "$g_debugging" ] && set -x
            ipdecimal_command $@
            ;;
        restore)
            get_config
            shift
            restore_command $@
            ;;
        call)
            get_config
            [ -n "$g_debugging" ] && set -x
            #
            # Undocumented way to call functions in the libraries directly.
            # Whatever follows 'call' is executed as a command line with
            # the invoking user's privileges; nothing restricts it to
            # library functions.
            #
            shift
            $@
            ;;
        help)
            shift
            usage
            ;;
        iptrace)
            get_config
            shift
            iptrace_command $@
            ;;
        noiptrace)
            get_config
            shift
            noiptrace_command $@
            ;;
        savesets)
            [ $# -eq 1 ] || usage 1
            get_config
            [ -n "$g_debugging" ] && set -x
            savesets1
            ;;
        *)
            # Anything else is a compiler command in the full product and
            # a usage error in Lite.
            if [ -z "$g_lite" ]; then
                compiler_command $@
            else
                usage 1
            fi
            ;;
    esac
}