2006-09-07 01:07:29 +02:00
#!/bin/sh
#
2007-12-01 18:45:43 +01:00
# Shorewall 4.1 -- /usr/share/shorewall/lib.config
2006-09-07 01:07:29 +02:00
#
2007-09-08 18:09:51 +02:00
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
2006-09-07 01:07:29 +02:00
#
2007-01-12 23:06:29 +01:00
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
2006-09-07 01:07:29 +02:00
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
2007-09-08 18:09:51 +02:00
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
2006-09-09 17:03:44 +02:00
#
2006-09-09 18:16:41 +02:00
# This library contains the configuration file parsing code common to
# /usr/share/shorewall/compiler and /usr/share/shorewall/firewall
2006-09-09 17:03:44 +02:00
#
2006-09-07 01:07:29 +02:00
2007-07-02 23:32:48 +02:00
SHOREWALL_CONFIGVERSION=40000
2006-09-07 01:07:29 +02:00
#
# Replace commas with spaces and echo the result
#
separate_list() {
2008-03-14 03:07:28 +01:00
local list
list="$@"
2006-09-07 01:07:29 +02:00
local part
local newlist
local firstpart
local lastpart
local enclosure
case "$list" in
*,|,*|*,,*|*[[:space:]]*)
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'TERMINATOR' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
[ -n "$TERMINATOR" ] && \
$TERMINATOR "Invalid comma-separated list \"$@\""
echo "WARNING -- invalid comma-separated list \"$@\"" >&2
;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets.
#
firstpart=${list%%\[*}
lastpart=${list#*\[}
enclosure=${lastpart%%\]*}
lastpart=${lastpart#*\]}
case $lastpart in
\,*)
case $firstpart in
*\,)
echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
esac
;;
*)
case $firstpart in
*\,)
echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
;;
esac
return
;;
esac
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
# Display elements of a list with leading white space
#
display_list() # $1 = List Title, rest of $* = list to display
{
[ $# -gt 1 ] && echo " $*"
}
#
# Determine if a chain is a policy chain
#
is_policy_chain() # $1 = name of chain
{
eval test \"\$${1}_is_policy\" = Yes
}
#
# Return a space separated list of values matching
#
list_walk() # $1 = element to search for, $2-$n = list
{
2008-03-14 03:07:28 +01:00
local e
e=$1
local result
result=
2006-09-07 01:07:29 +02:00
while [ $# -gt 1 ]; do
shift
case $1 in
$e*)
result="$result ${1##$e}"
;;
esac
done
echo $result
}
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}
2006-12-10 04:01:24 +01:00
#
# Filter that expands variables
#
expand_line() {
local line
while read line; do
echo $(expand $line)
done
}
2006-12-10 05:05:06 +01:00
2006-09-07 01:07:29 +02:00
#
2006-09-13 17:09:07 +02:00
# Add whitespace after leading "!"
2006-09-07 01:07:29 +02:00
#
fix_bang()
{
2008-03-14 03:07:28 +01:00
local result
result=
2006-09-07 01:07:29 +02:00
while [ $# -gt 0 ]; do
case $1 in
!*)
result="$result ! ${1#!}"
;;
*)
result="$result $1"
;;
esac
shift
done
echo $result
}
2006-12-09 20:01:42 +01:00
#
# Read the zones file and find the firewall zone
#
get_firewall_zone() {
2008-03-14 03:07:28 +01:00
local zone
local type
local rest
local comment
comment='#*'
local f
f=$(find_file zones)
2006-12-09 20:01:42 +01:00
[ -f $f ] || startup_error "Unable to find zones file"
while read zone type rest; do
case $zone in
$comment)
;;
*)
if [ "x$type" = xfirewall ]; then
FW=$zone
return
fi
;;
esac
done < $f
2006-12-09 20:31:23 +01:00
startup_error "No firewall zone defined in $f"
2006-12-09 20:01:42 +01:00
}
2006-09-07 01:07:29 +02:00
#
# This function assumes that the TMP_DIR variable is set and that
# its value names an existing directory.
#
determine_zones()
{
2008-03-14 03:07:28 +01:00
local zone
local parent
local parents
local rest
local new_zone_file
new_zone_file=
local r
2006-09-07 01:07:29 +02:00
merge_zone()
{
2008-03-14 03:07:28 +01:00
local z
local zones
zones="$ZONES"
local merged
merged=
2006-09-07 01:07:29 +02:00
if [ -n "$parents" ]; then
ZONES=
for z in $zones; do
if [ -z "$merged" ] && list_search $z $parents; then
ZONES="$ZONES $zone"
merged=Yes
fi
ZONES="$ZONES $z"
done
else
ZONES="$ZONES $zone"
fi
}
ZONES=
IPV4_ZONES=
IPSEC_ZONES=
2006-12-09 20:31:23 +01:00
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
2006-09-07 01:07:29 +02:00
while read zone type rest; do
case $zone in
*:*)
parents=${zone#*:}
zone=${zone%:*}
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
eval ${zone}_parents=\"$parents\"
;;
*)
parents=
eval ${zone}_parents=
;;
esac
for parent in $parents; do
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done
2006-10-05 00:40:34 +02:00
[ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone"
2006-09-07 01:07:29 +02:00
case "$zone" in
[0-9*])
startup_error "Illegal zone name \"$zone\" in zones file"
;;
2007-05-02 21:43:25 +02:00
all|none|SOURCE|DEST)
2006-09-07 01:07:29 +02:00
startup_error "Reserved zone name \"$zone\" in zones file"
;;
esac
if [ -n "$new_zone_file" ]; then
case ${type:=ipv4} in
ipv4|IPv4|IPV4|plain|-)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
merge_zone
IPV4_ZONES="$IPV4_ZONES $zone"
;;
ipsec|IPSEC|ipsec4|IPSEC4)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
merge_zone
IPSEC_ZONES="$IPSEC_ZONES $zone"
;;
firewall)
[ -n "$FW" ] && startup_error "Only one firewall zone may be defined"
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
for r in $rest; do
[ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone"
done
FW=$zone
;;
2007-06-19 17:45:39 +02:00
bport|bport4)
[ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type"
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
merge_zone
2007-06-19 21:42:49 +02:00
BRIDGING=Yes
2007-06-19 17:45:39 +02:00
;;
2006-09-07 01:07:29 +02:00
*)
startup_error "Invalid Zone Type: $type"
;;
esac
eval ${zone}_type=$type
else
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
ZONES="$ZONES $zone"
IPV4_ZONES="$IPV4_ZONES $zone"
eval ${zone}_type=ipv4
fi
done < $TMP_DIR/zones
[ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined"
[ -z "$FW" ] && startup_error "No Firewall Zone Defined"
}
#
# Validate the zone names and options in the interfaces file
#
validate_interfaces_file() {
local wildcard
2008-03-14 03:07:28 +01:00
local found_obsolete_option
found_obsolete_option=
local z
local interface
local networks
local options
local r
local iface
local option
2006-09-07 01:07:29 +02:00
while read z interface networks options; do
r="$z $interface $networks $options"
[ "x$z" = "x-" ] && z=
if [ -n "$z" ]; then
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi
list_search $interface $ALL_INTERFACES && \
startup_error "Duplicate Interface $interface"
wildcard=
case $interface in
2007-06-19 17:45:39 +02:00
*:*)
if [ "$PROGRAM" != compiler ]; then
#
# Assume that this is 4.0 syntax for a bridge
#
2008-03-14 03:07:28 +01:00
local bridge
bridge=${interface%:*}
2007-06-19 17:45:39 +02:00
list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"
interface=${interface#*:}
else
startup_error "Invalid Interface Name: $interface"
fi
;;
+)
startup_error "Invalid Interface Name: +"
2006-09-07 01:07:29 +02:00
;;
*+)
wildcard=Yes
;;
esac
ALL_INTERFACES="$ALL_INTERFACES $interface"
options=$(separate_list $options)
iface=$(chain_base $interface)
eval ${iface}_broadcast="$networks"
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
for option in $options; do
case $option in
-)
;;
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-)
;;
proxyarp)
2007-08-04 00:58:56 +02:00
[ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface"
2006-09-07 01:07:29 +02:00
;;
maclist)
2007-08-04 00:58:56 +02:00
[ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option"
2006-09-07 01:07:29 +02:00
;;
norfc1918)
2006-11-01 22:56:33 +01:00
if [ "$PROGRAM" != compiler ]; then
2006-09-07 01:07:29 +02:00
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
if [ -n "$addr" ]; then
addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
if in_network $addr $network; then
startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface"
fi
done
fi
fi
;;
arp_ignore=*)
eval ${iface}_arp_ignore=${option#*=}
;;
arp_ignore)
eval ${iface}_arp_ignore=1
;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
[ -n "$EXPORT" ] && \
startup_error "'detectnets' not permitted with the -e run-line option"
;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
;;
*)
2007-05-14 16:51:27 +02:00
[ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\""
2006-09-07 01:07:29 +02:00
;;
esac
done
done < $TMP_DIR/interfaces
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
}
#
# Process the ipsec information in the zones file
#
setup_ipsec() {
2008-03-14 03:07:28 +01:00
local zone
local using_ipsec
using_ipsec=
2006-09-07 01:07:29 +02:00
#
# Add a --set-mss rule to the passed chain
#
set_mss1() # $1 = chain, $2 = MSS
{
2008-03-14 03:07:28 +01:00
local policy
eval policy=\$${1}_policy
2006-09-07 01:07:29 +02:00
if [ "$policy" != NONE ]; then
ensurechain $1
2008-03-14 03:07:28 +01:00
local match
match=
2007-06-16 17:24:17 +02:00
[ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: "
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2
2006-09-07 01:07:29 +02:00
fi
}
#
# Set up rules to set MSS to and/or from zone "$zone"
#
set_mss() # $1 = MSS value, $2 = _in, _out or ""
2006-10-31 20:01:23 +01:00
{
2006-09-07 01:07:29 +02:00
for z in $ZONES $FW; do
case $2 in
_in)
set_mss1 ${zone}2${z} $1
;;
_out)
set_mss1 ${z}2${zone} $1
;;
*)
set_mss1 ${z}2${zone} $1
set_mss1 ${zone}2${z} $1
;;
esac
done
}
do_options() # $1 = _in, _out or "" - $2 = option list
{
2008-03-14 03:07:28 +01:00
local option
local newoptions
newoptions=
local val
2006-09-07 01:07:29 +02:00
[ x${2} = x- ] && return
for option in $(separate_list $2); do
val=${option#*=}
case $option in
mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;;
strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac
done
if [ -n "$newoptions" ]; then
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi
}
case $IPSECFILE in
zones)
f=zones
2006-11-14 19:24:09 +01:00
progress_message "$DOING IPSEC..."
2006-11-19 04:26:50 +01:00
[ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..."
2006-09-07 01:07:29 +02:00
;;
2006-12-09 20:01:42 +01:00
ipsec)
2006-09-07 01:07:29 +02:00
using_ipsec=Yes
2006-12-09 20:01:42 +01:00
if [ -s ${TMP_DIR}/ipsec ]; then
progress_message "$DOING ipsec..."
2006-11-14 19:24:09 +01:00
[ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..."
2007-08-26 17:09:27 +02:00
f=ipsec
else
return
2006-10-31 01:41:32 +01:00
fi
2006-09-07 01:07:29 +02:00
;;
esac
while read zone type options in_options out_options mss; do
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
eval ${zone}_type=ipsec4
;;
*)
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
fi
done < $TMP_DIR/$f
}
#
# Validate the zone names and options in the hosts file
#
validate_hosts_file() {
2008-03-14 03:07:28 +01:00
local z
local hosts
local options
local r
local interface
local host
local option
local zports
local ipsec
ipsec=
2006-09-07 01:07:29 +02:00
check_bridge_port()
{
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1"
}
while read z hosts options; do
r="$z $hosts $options"
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
case $hosts in
*:*)
interface=${hosts%%:*}
iface=$(chain_base $interface)
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
;;
*)
startup_error "Invalid HOST(S) column contents: $hosts"
;;
esac
eval zports=\$${z}_ports
2006-10-18 21:56:22 +02:00
if [ -z "$BRIDGING" ]; then
case $hosts in
*!*!*)
startup_error "Invalid hosts file entry: \"$r\""
;;
!*)
hosts=0.0.0.0/0
eval ${z}_is_complex=Yes
;;
*!*)
hosts=${hosts%%!*}
eval ${z}_is_complex=Yes
;;
esac
2006-10-31 20:01:23 +01:00
fi
2006-10-18 21:56:22 +02:00
2006-09-07 01:07:29 +02:00
for host in $(separate_list $hosts); do
if [ -n "$BRIDGING" ]; then
case $host in
*:*)
known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
check_bridge_port ${host%%:*}
;;
*.*.*)
;;
2006-09-10 19:22:02 +02:00
*+|+*|*!*)
2006-09-07 01:07:29 +02:00
eval ${z}_is_complex=Yes
;;
*)
known_interface $host && \
startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
check_bridge_port $host
;;
esac
else
2006-10-18 21:56:22 +02:00
case $host in
*.*.*)
;;
2006-11-19 00:52:06 +01:00
+*)
2006-10-18 21:56:22 +02:00
eval ${z}_is_complex=Yes
;;
*)
startup_error "BRIDGING=Yes is needed for this zone definition: $r"
;;
esac
fi
2006-10-31 20:01:23 +01:00
2006-10-18 21:56:22 +02:00
for option in $(separate_list $options) ; do
case $option in
norfc1918|blacklist|tcpflags|nosmurfs|-)
;;
maclist)
2007-08-04 00:58:56 +02:00
[ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option"
2006-09-07 01:07:29 +02:00
;;
2006-10-18 21:56:22 +02:00
ipsec)
2006-09-07 01:07:29 +02:00
[ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not support policy match: ipsec"
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
eval ${z}_is_complex=Yes
2006-11-01 18:15:23 +01:00
ipsec=Yes
2006-09-07 01:07:29 +02:00
;;
routeback)
eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
;;
*)
error_message "WARNING: Invalid option ($option) in record \"$r\""
;;
esac
done
done
[ -n "$zports" ] && eval ${z}_ports=\"$zports\"
done < $TMP_DIR/hosts
[ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS"
2006-11-01 18:15:23 +01:00
[ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=
2006-09-07 01:07:29 +02:00
}
#
# Find interfaces to a given zone
#
# Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
{
2008-03-14 03:07:28 +01:00
local zne
zne=$1
2006-09-07 01:07:29 +02:00
local z
local interface
for interface in $ALL_INTERFACES; do
eval z=\$$(chain_base $interface)_zone
[ "x${z}" = x${zne} ] && echo $interface
done
}
#
# Forward Chain for an interface
#
forward_chain() # $1 = interface
{
echo $(chain_base $1)_fwd
}
#
# Input Chain for an interface
#
input_chain() # $1 = interface
{
echo $(chain_base $1)_in
}
#
# Output Chain for an interface
#
output_chain() # $1 = interface
{
echo $(chain_base $1)_out
}
#
# Masquerade Chain for an interface
#
masq_chain() # $1 = interface
{
echo $(chain_base $1)_masq
}
#
# MAC Verification Chain for an interface
#
mac_chain() # $1 = interface
{
echo $(chain_base $1)_mac
}
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
echo $(chain_base $1)_dynf
}
dynamic_in() # $1 = interface
{
echo $(chain_base $1)_dyni
}
dynamic_out() # $1 = interface
{
echo $(chain_base $1)_dyno
}
dynamic_chains() #$1 = interface
{
2008-03-14 03:07:28 +01:00
local c
c=$(chain_base $1)
2006-09-07 01:07:29 +02:00
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
#
# DNAT Chain from a zone
#
dnat_chain() # $1 = zone
{
echo ${1}_dnat
}
#
# SNAT Chain to an interface
#
snat_chain() # $1 = interface
{
echo $(chain_base $1)_snat
}
#
# ECN Chain to an interface
#
ecn_chain() # $1 = interface
{
echo $(chain_base $1)_ecn
}
#
# First chains for an interface
#
first_chains() #$1 = interface
{
2008-03-14 03:07:28 +01:00
local c
c=$(chain_base $1)
2006-09-07 01:07:29 +02:00
echo ${c}_fwd ${c}_in
}
2006-10-24 17:07:18 +02:00
#
# Out Chain to an interface
#
out_chain() # $1 = interface
{
echo $(chain_base $1)_out
}
2006-09-07 01:07:29 +02:00
#
# Horrible hack to work around an iptables limitation
#
iprange_echo()
{
if [ -n "$KLUDGEFREE" ]; then
echo "-m iprange $@"
elif [ -f $TMP_DIR/iprange ]; then
echo $@
else
echo "-m iprange $@"
> $TMP_DIR/iprange
fi
}
#
# Get set flags (ipsets).
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
2008-03-14 03:07:28 +01:00
local temp
local setname
setname=$1
local options
options=$2
2006-09-07 01:07:29 +02:00
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
case $1 in
*\[[1-6]\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
while [ $temp -gt 1 ]; do
options="$options,$2"
temp=$(($temp - 1))
done
;;
*\[*\])
options=${1#*\[}
options=${options%\]}
setname=${1%\[*}
;;
*)
;;
esac
echo "--set ${setname#+} $options"
}
#
# Horrible hack to work around an iptables limitation
#
physdev_echo()
{
if [ -n "$KLUDGEFREE" ]; then
echo -m physdev $@
elif [ -f $TMP_DIR/physdev ]; then
echo $@
else
echo -m physdev $@
> $TMP_DIR/physdev
fi
}
2006-09-10 19:22:02 +02:00
#
# Source IP range
#
source_ip_range() # $1 = Address or Address Range
{
[ $# -gt 0 ] && case $1 in
*.*.*.*-*.*.*.*)
case $1 in
!*)
iprange_echo "! --src-range ${1#!}"
;;
*)
iprange_echo "--src-range $1"
;;
esac
;;
!+*)
echo "-m set ! $(get_set_flags ${1#!} src)"
;;
+*)
echo "-m set $(get_set_flags $1 src)"
;;
*)
echo "-s $1"
;;
esac
}
#
# Destination IP range
#
dest_ip_range() # $1 = Address or Address Range
{
[ $# -gt 0 ] && case $1 in
*.*.*.*-*.*.*.*)
case $1 in
!*)
iprange_echo "! --dst-range ${1#!}"
;;
*)
iprange_echo "--dst-range $1"
;;
esac
;;
!+*)
echo "-m set ! $(get_set_flags ${1#!} dst)"
;;
+*)
echo "-m set $(get_set_flags $1 dst)"
;;
*)
echo "-d $1"
;;
esac
}
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
{
2008-03-14 03:07:28 +01:00
local rangeprefix
rangeprefix=
local setprefix
setprefix=
local rangematch
rangematch=
local setmatch
setmatch=
2006-09-10 19:22:02 +02:00
case $1 in
*.*.*.*-*.*.*.*)
rangeprefix="-m iprange"
rangematch="--src-range $1"
;;
!+*)
setprefix="-m set"
setmatch="! $(get_set_flags ${1#!} src)"
;;
+*)
setprefix="-m set"
setmatch="$(get_set_flags $1 src)"
;;
*)
rangematch="-s $1"
;;
esac
case $2 in
*.*.*.*-*.*.*.*)
rangeprefix="-m iprange"
rangematch="$rangematch --dst-range $2"
;;
!+*)
setprefix="-m set"
match="$setmatch ! $(get_set_flags ${2#!} dst)"
;;
+*)
setprefix="-m set"
setmatch="$setmatch $(get_set_flags $2 dst)"
;;
*)
rangematch="$rangematch -d $2"
;;
esac
echo "$rangeprefix $rangematch $setprefix $setmatch"
}
2007-01-03 19:49:02 +01:00
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
2008-03-14 03:07:28 +01:00
local pattern
pattern=${1%+}
2007-01-03 19:49:02 +01:00
case $1 in
*+)
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
;;
*)
test "x$1" = "x$2"
;;
esac
}
2006-09-07 01:07:29 +02:00
#
# We allow hosts to be specified by IP address or by physdev. These two functions
# are used to produce the proper match in a netfilter rule.
#
match_source_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
;;
*.*.*.*|+*|!+*)
echo $(source_ip_range $1)
;;
*)
physdev_echo "--physdev-in $1"
;;
esac
else
echo $(source_ip_range $1)
fi
}
match_dest_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
;;
*.*.*.*|+*|!+*)
echo $(dest_ip_range $1)
;;
*)
physdev_echo "--physdev-out $1"
;;
esac
else
echo $(dest_ip_range $1)
fi
}
2006-09-10 19:22:02 +02:00
#
# Matches for either <address-range> or <interface>:<address range>
#
2006-10-31 20:01:23 +01:00
match_source()
2006-09-10 19:22:02 +02:00
{
case "$1" in
*:*)
echo "-i ${1%%:*} $(match_source_hosts ${1#*:})"
;;
*)
echo $(dest_ip_range $1)
;;
esac
}
match_dest()
{
case "$1" in
*:*)
echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})"
;;
*)
echo $(dest_ip_range $1)
;;
esac
}
2006-09-07 01:07:29 +02:00
#
# Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in ${CONFDIR}/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated.
#-------------------------------------------------------------------------------------
#
# loosely match the passed interface with those in ${CONFDIR}/interfaces.
#
known_interface() # $1 = interface name
{
local iface
for iface in $ALL_INTERFACES ; do
if if_match $iface $1 ; then
return 0
fi
done
return 1
}
known_port() # $1 = port name
{
local port
for port in $ALL_PORTS ; do
if if_match $port $1 ; then
return 0
fi
done
return 1
}
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
elif known_interface $1; then
echo -i $1
elif [ -n "$PHYSDEV_MATCH" ]; then
physdev_echo "--physdev-in $1"
else
echo -i $1
fi
}
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
elif known_interface $1; then
echo -o $1
elif [ -n "$PHYSDEV_MATCH" ]; then
physdev_echo "--physdev-out $1"
else
echo -o $1
fi
}
verify_interface()
{
known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
}
#
# Determine if communication to/from a host is encrypted using IPSEC
#
is_ipsec_host() # $1 = zone, $2 = host
{
2008-03-14 03:07:28 +01:00
local is_ipsec
eval is_ipsec=\$${1}_is_ipsec
local hosts
eval hosts=\"\$${1}_ipsec_hosts\"
2006-09-07 01:07:29 +02:00
test -n "$is_ipsec" || list_search $2 $hosts
}
#
# Generate a match for decrypted packets
#
match_ipsec_in() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
2008-03-14 03:07:28 +01:00
local options
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
2006-09-07 01:07:29 +02:00
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
fi
}
#
# Generate a match for packets that will be encrypted
#
match_ipsec_out() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
2008-03-14 03:07:28 +01:00
local options
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
2006-09-07 01:07:29 +02:00
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out"
fi
}
#
# Jacket for ip_range() that takes care of iprange match
#
firewall_ip_range() # $1 = IP address or range
{
[ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
}
#
#
# Find hosts in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo the expanded contents of the "HOST(S)" column
#
find_hosts() # $1 = host zone
{
2008-03-14 03:07:28 +01:00
local hosts
local interface
local address
local addresses
2006-09-07 01:07:29 +02:00
while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then
interface=${hosts%%:*}
addresses=${hosts#*:}
2006-10-18 21:56:22 +02:00
case $addresses in
!*)
echo $interface:0.0.0.0/0
;;
*)
for address in $(separate_list ${addresses%%!*}); do
echo $interface:$address
done
;;
esac
fi
done < $TMP_DIR/hosts
}
#
#
# Find exclusions in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo any exclusions
#
find_exclusions() # $1 = host zone
{
2008-03-14 03:07:28 +01:00
local hosts
local interface
local address
local addresses
2006-10-18 21:56:22 +02:00
while read z hosts options; do
2006-12-09 20:01:42 +01:00
if [ "x$z" = "x$1" ]; then
2006-10-18 21:56:22 +02:00
interface=${hosts%%:*}
addresses=${hosts#*:}
case $addresses in
*!*)
for address in $(separate_list ${addresses#*!}); do
echo $interface:$address
done
;;
esac
2006-09-07 01:07:29 +02:00
fi
done < $TMP_DIR/hosts
}
#
# Determine the interfaces on the firewall
#
# For each zone, create a variable called ${zone}_interfaces. This
# variable contains a space-separated list of interfaces to the zone
#
determine_interfaces() {
for zone in $ZONES; do
interfaces=$(find_interfaces $zone)
interfaces=$(echo $interfaces) # Remove extra trash
eval ${zone}_interfaces=\"\$interfaces\"
done
}
#
# Determine if an interface has a given option
#
interface_has_option() # $1 = interface, #2 = option
{
local options
eval options=\$$(chain_base $1)_options
list_search $2 $options
}
#
# Determine the defined hosts in each zone
#
determine_hosts() {
for zone in $ZONES; do
hosts=$(find_hosts $zone)
hosts=$(echo $hosts) # Remove extra trash
2006-10-18 21:56:22 +02:00
exclusions=$(find_exclusions $zone)
exclusions=$(echo $exclusions) # Remove extra trash
2006-09-07 01:07:29 +02:00
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
if interface_has_option $interface detectnets; then
networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" )
else
networks=0.0.0.0/0
fi
for network in $networks; do
if [ -z "$hosts" ]; then
hosts=$interface:$network
else
hosts="$hosts $interface:$network"
fi
if interface_has_option $interface routeback; then
eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
fi
done
done
interfaces=
for host in $hosts; do
interface=${host%:*}
if list_search $interface $interfaces; then
list_search $interface:0.0.0.0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
list_search $interface:0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
eval ${zone}_is_complex=Yes
else
if [ -z "$interfaces" ]; then
interfaces=$interface
else
interfaces="$interfaces $interface"
fi
fi
done
2006-10-18 21:56:22 +02:00
eval ${zone}_exclusions="\$exclusions"
2006-09-07 01:07:29 +02:00
eval ${zone}_interfaces="\$interfaces"
eval ${zone}_hosts="\$hosts"
if [ -n "$hosts" ]; then
2006-10-18 21:56:22 +02:00
if [ $VERBOSE -ge 1 ]; then
2006-10-31 20:01:23 +01:00
[ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
2006-10-18 21:56:22 +02:00
fi
2006-09-07 01:07:29 +02:00
else
error_message "WARNING: Zone $zone is empty"
fi
done
}
#
# Ensure that the passed zone is defined in the zones file or is the firewall
#
validate_zone() # $1 = zone
{
list_search $1 $ZONES $FW
}
#
# Ensure that the passed zone is defined in the zones file.
#
validate_zone1() # $1 = zone
{
list_search $1 $ZONES
}
#
# Format a match by the passed MAC address
# The passed address begins with "~" and uses "-" as a separator between bytes
# Example: ~01-02-03-04-05-06
#
mac_match() # $1 = MAC address formated as described above
{
echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
}
#
# Find interfaces that have the passed option specified
#
find_interfaces_by_option() # $1 = option
{
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
list_search $1 $options && echo $interface
done
}
#
# This slightly slower version is used to find both the option and option followed
# by equal sign ("=") and a value
#
find_interfaces_by_option1() # $1 = option
{
2008-03-14 03:07:28 +01:00
local options
local option
2006-09-07 01:07:29 +02:00
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
for option in $options; do
if [ "${option%=*}" = "$1" ]; then
echo $interface
break
fi
done
done
}
#
# Find hosts with the passed option
#
find_hosts_by_option() # $1 = option
{
2008-03-14 03:07:28 +01:00
local ignore
local hosts
local interface
local address
local addresses
local options
local ipsec
ipsec=
local list
2006-09-07 01:07:29 +02:00
while read ignore hosts options; do
list=$(separate_list $options)
if list_search $1 $list; then
list_search ipsec $list && ipsec=ipsec || ipsec=none
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo ${ipsec}^$interface:$address
done
fi
done < $TMP_DIR/hosts
for interface in $ALL_INTERFACES; do
interface_has_option $interface $1 && \
echo none^${interface}:0.0.0.0/0
done
}
#
# Process the routestopped file either adding or deleting rules
#
process_routestopped() # $1 = command
{
2008-03-14 03:07:28 +01:00
local hosts
hosts=
local interface
local host
local host1
local options
local networks
local source
source=
local dest
dest=
local matched
2006-09-07 01:07:29 +02:00
while read interface host options; do
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "WARNING: Duplicate routestopped option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
source)
for h in $(separate_list $host); do
source="$source $interface:$h"
done
;;
dest)
for h in $(separate_list $host); do
dest="$dest $interface:$h"
done
;;
critical)
;;
*)
error_message "WARNING: Unknown routestopped option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
source_range=$(source_ip_range $networks)
dest_range=$(dest_ip_range $networks)
run_iptables $1 INPUT -i $interface $source_range -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT
matched=
if list_search $host $source ; then
run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT
matched=Yes
fi
if list_search $host $dest ; then
run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT
matched=Yes
fi
if [ -z "$matched" ]; then
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
fi
done
}
process_criticalhosts()
{
2008-03-14 03:07:28 +01:00
local hosts
hosts=
local interface
local host
local h
local options
local networks
local criticalhosts
criticalhosts=
2006-09-07 01:07:29 +02:00
while read interface host options; do
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback|source|dest)
;;
critical)
for h in $host; do
criticalhosts="$criticalhosts $interface:$h"
done
;;
*)
error_message "WARNING: Unknown routestopped option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
if [ -n "$criticalhosts" ]; then
CRITICALHOSTS=$criticalhosts
progress_message "Critical Hosts are:$CRITICALHOSTS"
fi
}
#
# create a temporary directory
#
mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
STD)
mktemp -td shorewall.XXXXXX
;;
None|BSD)
#
# Not all versions of the BSD mktemp support the -d option under Linux
#
qt rm -rf /tmp/shorewall-$$
mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
error_message "ERROR:Internal error in mktempdir"
;;
esac
}
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
2008-03-14 03:07:28 +01:00
local first
local rest
2006-09-07 01:07:29 +02:00
2007-01-30 21:41:42 +01:00
if [ -f $1 ]; then
2006-09-07 01:07:29 +02:00
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)"
fi
else
2006-12-10 04:01:24 +01:00
echo "$first $rest"
2006-09-07 01:07:29 +02:00
fi
done < $1
else
[ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1"
echo "WARNING -- No such file: $1"
fi
}
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
if [ ! -f $TMP_DIR/$1 ]; then
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
if [ -f $fname ]; then
2006-12-10 04:01:24 +01:00
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1
2006-09-07 01:07:29 +02:00
else
> $TMP_DIR/$1
fi
fi
}
#
# Strip the passed file.
#
# Return success if
# a) the stripped file is non-empty and the library was successfully loaded; or
# b) the stripped file is empty but the library had been loaded previously
#
strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
{
2008-03-14 03:07:28 +01:00
local f
f=$(find_file $1)
2006-09-07 01:07:29 +02:00
strip_file $1 $f
if [ -s $TMP_DIR/$1 ]; then
lib_load $2 "A non-empty $1 file ($f)"
return 0
fi
2006-10-31 20:01:23 +01:00
2006-09-07 01:07:29 +02:00
eval test -n \"\$LIB_${2}_LOADED\"
}
#
# Check that a mark value or mask is less that 256 or that it is less than 65536 and
# that it's lower 8 bits are zero.
#
verify_mark() # $1 = value to test
{
verify_mark2()
{
case $1 in
0*)
[ $(($1)) -lt 256 ] && return 0
[ -n "$HIGH_ROUTE_MARKS" ] || return 1
[ $(($1)) -gt 65535 ] && return 1
return $(($1 & 0xFF))
;;
[1-9]*)
[ $1 -lt 256 ] && return 0
[ -n "$HIGH_ROUTE_MARKS" ] || return 1
[ $1 -gt 65535 ] && return 1
return $(($1 & 0xFF))
;;
*)
return 2
;;
esac
}
verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1"
}
#
2006-09-07 17:17:42 +02:00
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
2008-03-14 03:07:28 +01:00
local val
val="$2"
2006-09-07 17:17:42 +02:00
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
2006-09-07 01:07:29 +02:00
#
2006-09-07 17:17:42 +02:00
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
2006-09-07 01:07:29 +02:00
{
2008-03-14 03:07:28 +01:00
local val
val="$2"
2006-09-07 17:17:42 +02:00
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Initialize this program
#
do_initialize() {
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
# Establish termination function
#
TERMINATOR=fatal_error
#
2006-12-09 20:31:23 +01:00
# Clear all configuration variables (shorewall.conf)
2006-09-07 17:17:42 +02:00
#
2006-12-09 20:31:23 +01:00
STARTUP_ENABLED=
#
#VERBOSE is inherited -- VERBOSITY is only used in the CIs
#
2006-12-09 19:12:19 +01:00
#
# Logging
#
LOGFILE=
LOGFORMAT=
LOGTAGONLY=
2006-09-07 17:17:42 +02:00
LOGRATE=
LOGBURST=
2006-12-09 19:12:19 +01:00
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
SMURF_LOG_LEVEL=
LOG_MARTIANS=
#
# Location of files
#
IPTABLES=
#PATH is inherited
SHOREWALL_SHELL=
SUBSYSLOCK=
MODULESDIR=
#CONFIG_PATH is inherited
RESTOREFILE=
IPSECFILE=
2007-04-16 01:41:13 +02:00
LOCKFILE=
2006-12-09 19:12:19 +01:00
#
# Default Actions/Macros
#
DROP_DEFAULT=
REJECT_DEFAULT=
ACCEPT_DEFAULT=
QUEUE_DEFAULT=
#
# Firewall Options
#
IP_FORWARDING=
2006-09-07 17:17:42 +02:00
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
2006-12-09 19:12:19 +01:00
RETAIN_ALIASES=
2006-09-07 17:17:42 +02:00
TC_ENABLED=
2006-12-09 19:12:19 +01:00
TC_EXPERT=
CLEAR_TC=
MARK_IN_FORWARD_CHAIN=
2006-09-07 17:17:42 +02:00
CLAMPMSS=
ROUTE_FILTER=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
2006-12-09 19:12:19 +01:00
DELAYBLACKLISTLOAD=
2006-09-07 17:17:42 +02:00
MODULE_SUFFIX=
DISABLE_IPV6=
BRIDGING=
DYNAMIC_ZONES=
PKTTYPE=
RFC1918_STRICT=
2006-12-09 19:12:19 +01:00
MACLIST_TABLE=
2006-09-07 17:17:42 +02:00
MACLIST_TTL=
SAVE_IPSETS=
MAPOLDACTIONS=
2006-12-09 19:12:19 +01:00
FASTACCEPT=
2006-09-07 17:17:42 +02:00
IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
USE_ACTIONS=
2006-10-25 17:13:49 +02:00
OPTIMIZE=
2007-02-09 17:15:08 +01:00
EXPORTPARAMS=
2007-08-16 18:08:53 +02:00
KEEP_TC_RULES=
2007-09-21 18:55:28 +02:00
DELETE_THEN_ADD=
2007-11-16 00:24:54 +01:00
DONT_LOAD=
2006-12-09 19:12:19 +01:00
#
# Packet Disposition
#
MACLIST_DISPOSITION=
TCP_FLAGS_DISPOSITION=
BLACKLIST_DISPOSITION=
#
# Other Globals
#
2006-12-09 20:31:23 +01:00
VERSION=
2006-12-09 19:12:19 +01:00
FW=
USEPKTYPE=
2006-09-07 17:17:42 +02:00
LOGLIMIT=
LOGPARMS=
OUTPUT=
ALL_INTERFACES=
ROUTEMARK_INTERFACES=
PROVIDERS=
CRITICALHOSTS=
EXCLUSION_SEQ=1
STOPPING=
HAVE_MUTEX=
ALIASES_TO_ADD=
SECTION=ESTABLISHED
SECTIONS=
ALL_PORTS=
2006-12-09 19:12:19 +01:00
ACTIONS=
USEDACTIONS=
2006-09-07 17:17:42 +02:00
DEFAULT_MACROS=
2006-10-09 19:10:24 +02:00
COMMENT=
2006-12-09 19:12:19 +01:00
VERSION_FILE=
LOGRULENUMBERS=
2006-12-18 19:44:48 +01:00
ORIGINAL_POLICY_MATCH=
2006-09-07 17:17:42 +02:00
ensure_config_path
VERSION_FILE=$SHAREDIR/version
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
2007-03-28 18:16:12 +02:00
[ -d /usr/share/shorewall-perl ] && set -a;
2007-03-22 18:58:25 +01:00
2006-09-07 17:17:42 +02:00
run_user_exit params
2007-04-02 01:46:27 +02:00
set +a
2007-03-22 18:58:25 +01:00
2006-09-07 17:17:42 +02:00
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
2006-12-09 20:31:23 +01:00
startup_error "Cannot read $config (Hint: Are you root?)"
2006-09-07 17:17:42 +02:00
fi
else
2006-12-09 20:31:23 +01:00
startup_error "$config does not exist!"
2006-09-07 17:17:42 +02:00
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
2007-04-02 01:46:27 +02:00
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
startup_error "Can't create a temporary directory"
case $PROGRAM in
compiler)
trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
;;
firewall)
2007-08-04 04:50:06 +02:00
trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
2007-04-02 01:46:27 +02:00
;;
esac
2007-04-09 20:09:03 +02:00
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
2007-11-16 00:24:54 +01:00
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
2007-04-09 20:09:03 +02:00
2006-09-07 17:17:42 +02:00
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
2007-01-27 00:35:05 +01:00
if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then
2006-09-07 17:17:42 +02:00
2007-01-25 19:56:24 +01:00
load_kernel_modules Yes
2006-09-07 17:17:42 +02:00
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
2006-12-09 20:31:23 +01:00
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
2006-09-07 17:17:42 +02:00
else
2006-12-09 20:31:23 +01:00
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
2006-09-07 17:17:42 +02:00
fi
2006-12-04 17:31:48 +01:00
2007-04-01 19:50:51 +02:00
f=$(find_file capabilities)
2006-09-07 17:17:42 +02:00
2007-04-01 19:50:51 +02:00
[ -f $f ] && . $f || determine_capabilities
2007-04-02 01:46:27 +02:00
else
2006-09-07 17:17:42 +02:00
f=$(find_file capabilities)
2006-12-09 20:31:23 +01:00
[ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
2006-09-07 17:17:42 +02:00
fi
2007-06-17 23:39:01 +02:00
if [ -n "$CAPVERSION" ]; then
[ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION"
else
2007-06-18 00:13:00 +02:00
error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION"
2007-06-17 23:39:01 +02:00
fi
2006-12-18 19:44:48 +01:00
ORIGINAL_POLICY_MATCH=$POLICY_MATCH
2006-12-09 20:01:42 +01:00
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
2006-09-07 17:17:42 +02:00
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
2007-04-24 20:26:38 +02:00
On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP)
2007-01-27 00:55:06 +01:00
;;
*)
startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
2006-09-07 17:17:42 +02:00
esac
else
IP_FORWARDING=On
fi
2007-04-21 23:24:38 +02:00
if [ -n "$ROUTE_FILTER" ]; then
case "$ROUTE_FILTER" in
Yes|yes|YES)
ROUTE_FILTER=yes
;;
No|no|NO)
ROUTE_FILTER=no
;;
Keep|keep|KEEP)
ROUTE_FILTER=
;;
*)
startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER"
;;
esac
else
2007-04-22 05:11:34 +02:00
ROUTE_FILTER=
2007-04-21 23:24:38 +02:00
fi
if [ -n "$LOG_MARTIANS" ]; then
case "$LOG_MARTIANS" in
Yes|yes|YES)
LOG_MARTIANS=yes
;;
No|no|NO)
LOG_MARTIANS=no
;;
Keep|keep|KEEP)
LOG_MARTIANS=
;;
*)
startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS"
;;
esac
else
2008-02-13 21:05:18 +01:00
LOG_MARTIANS=yes
2007-04-21 23:24:38 +02:00
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
2006-09-07 17:17:42 +02:00
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
2006-10-12 23:56:16 +02:00
MACLIST_TARGET=reject
2006-09-07 17:17:42 +02:00
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
2006-10-12 23:56:16 +02:00
MACLIST_TARGET=DROP
2006-09-07 17:17:42 +02:00
;;
ACCEPT)
2006-10-12 23:56:16 +02:00
MACLIST_TARGET=RETURN
2006-09-07 17:17:42 +02:00
;;
*)
2006-12-09 20:31:23 +01:00
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
2006-09-07 17:17:42 +02:00
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
2006-12-09 20:31:23 +01:00
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
2006-09-07 17:17:42 +02:00
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
2006-09-07 01:07:29 +02:00
2006-09-07 17:17:42 +02:00
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
2006-10-05 00:40:34 +02:00
temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
2006-09-07 17:17:42 +02:00
if [ $? -ne 0 ]; then
2006-12-09 20:31:23 +01:00
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
2006-09-07 17:17:42 +02:00
fi
else
2006-10-05 00:40:34 +02:00
temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
2006-09-07 17:17:42 +02:00
if [ $? -ne 0 ]; then
2006-12-09 20:31:23 +01:00
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
2006-09-07 17:17:42 +02:00
fi
fi
2006-12-09 20:31:23 +01:00
[ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
2006-10-05 00:40:34 +02:00
MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
2006-09-07 01:07:29 +02:00
else
2006-09-07 17:17:42 +02:00
LOGFORMAT="Shorewall:%s:%s:"
2006-10-05 00:40:34 +02:00
MAXZONENAMELENGTH=5
2006-09-07 01:07:29 +02:00
fi
2006-09-07 17:17:42 +02:00
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
if [ -n "$DYNAMIC_ZONES" ]; then
2006-12-09 20:31:23 +01:00
[ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
2006-09-07 17:17:42 +02:00
lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
fi
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
2007-04-22 23:50:33 +02:00
[ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes"
2006-09-07 17:17:42 +02:00
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
2007-02-09 17:15:08 +01:00
EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS)
2007-08-16 18:08:53 +02:00
KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
2007-09-21 18:55:28 +02:00
DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
2007-03-28 18:56:09 +02:00
2007-04-16 23:21:16 +02:00
[ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
2006-10-31 20:01:23 +01:00
2006-09-07 17:17:42 +02:00
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
2006-12-09 20:31:23 +01:00
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
2006-09-07 17:17:42 +02:00
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
2006-12-09 20:31:23 +01:00
[ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
2006-09-07 17:17:42 +02:00
;; *)
2006-12-09 20:31:23 +01:00
startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
2006-09-07 17:17:42 +02:00
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
2006-09-10 23:19:05 +02:00
TC_ENABLED=Yes
2006-09-07 17:17:42 +02:00
TC_SCRIPT=$(find_file tcstart)
2006-12-09 20:31:23 +01:00
[ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
2006-09-07 17:17:42 +02:00
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
2006-09-10 23:19:05 +02:00
TC_ENABLED=Internal
2006-09-07 17:17:42 +02:00
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
2006-12-09 20:31:23 +01:00
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
2006-09-07 17:17:42 +02:00
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
[ -n "${RESTOREFILE:=restore}" ]
case "${DROP_DEFAULT:=Drop}" in
None)
DROP_DEFAULT=none
;;
esac
case "${REJECT_DEFAULT:=Reject}" in
None)
REJECT_DEFAULT=none
;;
esac
case "${QUEUE_DEFAULT:=none}" in
None)
QUEUE_DEFAULT=none
;;
esac
case "${ACCEPT_DEFAULT:=none}" in
None)
ACCEPT_DEFAULT=none
;;
esac
2006-10-25 17:13:49 +02:00
case "${OPTIMIZE:=0}" in
0|1)
;;
*)
2006-12-09 20:31:23 +01:00
startup_error "Invalid OPTIMIZE value ($OPTIMIZE)"
2006-10-25 17:13:49 +02:00
;;
esac
2007-04-16 01:41:13 +02:00
if [ -n "$LOCKFILE" ]; then
[ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist"
fi
2006-09-07 17:17:42 +02:00
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
2006-12-09 20:31:23 +01:00
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
2006-09-07 17:17:42 +02:00
fi
if [ -z "$KLUDGEFREE" ]; then
rm -f $TMP_DIR/physdev
rm -f $TMP_DIR/iprange
fi
qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
2006-12-09 20:31:23 +01:00
#
# Pre-process all of the standard files
#
# Because 'strip_file()' does shell variable expansion, we must first determine the
# setting of $FW
#
2006-12-09 20:01:42 +01:00
case ${IPSECFILE:=ipsec} in
ipsec)
[ -n "${FW:=fw}" ]
strip_file ipsec
;;
zones)
get_firewall_zone
;;
*)
2006-12-09 20:31:23 +01:00
startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
2006-12-09 20:01:42 +01:00
;;
esac
2007-04-09 05:51:25 +02:00
strip_file zones
strip_file routestopped
strip_file interfaces
strip_file hosts
2006-12-09 20:01:42 +01:00
if [ $PROGRAM = compiler ]; then
2007-04-02 01:46:27 +02:00
strip_file_and_lib_load accounting accounting
2006-12-09 20:31:23 +01:00
2007-04-02 01:46:27 +02:00
if [ -n "$USE_ACTIONS" ]; then
strip_file actions
strip_file actions.std ${SHAREDIR}/actions.std
fi
2007-03-29 19:02:34 +02:00
2007-04-02 01:46:27 +02:00
strip_file blacklist
strip_file ecn
strip_file maclist
strip_file_and_lib_load masq nat
strip_file_and_lib_load nat nat
strip_file_and_lib_load netmap nat
strip_file policy
strip_file_and_lib_load providers providers && strip_file route_rules
strip_file_and_lib_load proxyarp proxyarp
strip_file rfc1918
strip_file routestopped
strip_file rules
if [ "$TC_ENABLED" = Internal ]; then
strip_file_and_lib_load tcdevices tc
strip_file_and_lib_load tcclasses tc
2007-03-11 22:20:31 +01:00
fi
2007-04-02 01:46:27 +02:00
strip_file_and_lib_load tcrules tcrules
strip_file tos
strip_file_and_lib_load tunnels tunnels
2006-12-09 20:01:42 +01:00
fi
2007-04-17 00:39:29 +02:00
2007-05-30 00:24:37 +02:00
[ "$IPSECFILE" = zones ] && FW=
2006-09-07 01:07:29 +02:00
}