extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-05 13:08:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move common code from prog.header[6] to lib.common

Browse Source
This commit is contained in:
Tom Eastep 2012-01-02 14:13:19 -08:00
parent 4912199396
commit 018ba394e3
3 changed files with 526 additions and 975 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

508
Shorewall-core/lib.common
View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/lib.common. # Shorewall 4.5 -- /usr/share/shorewall/lib.common.
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2010 - Tom Eastep (teastep@shorewall.net) # (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -24,6 +24,509 @@
# generated firewall scripts. To avoid versioning issues, it is copied into generated # generated firewall scripts. To avoid versioning issues, it is copied into generated
# scripts rather than loaded at run-time. # scripts rather than loaded at run-time.
# #
#########################################################################################
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Generate a list of all network interfaces on the system that have an ipv4 address
#
find_all_interfaces1() {
${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'mtu' in the passed arguments then echo the next value
#
find_mtu() {
while [ $# -gt 1 ]; do
[ "x$1" = xmtu ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
$IP -$g_family route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
#
# Determine if Interface is up
#
interface_is_up() {
[ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
[ "$1" = lo ] && return 0
interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
if [ $g_family -eq 4 ]; then
$IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
else
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
fi
}
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
local address
local rest
$IP -$g_family route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
if [ $# -gt 1 ]; then
shift
fatal_error "$@"
else
echo "WARNING: default route ignored on interface $1" >&2
fi
;;
multicast|broadcast|prohibit|nat|throw|nexthop)
;;
[2-9]*)
[ "$address" = "${address%/*}" ] && address="${address}/128"
echo $address
;;
*)
if [ $g_family -eq 4 ]; then
[ "$address" = "${address%/*}" ] && address="${address}/128"
echo $address
fi
;;
esac
done
}
#
# Clear the current traffic shaping configuration
#
delete_tc1()
{
clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
run_tcclear_exit
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#
# Detect a device's MTU -- echos the passed device's MTU
#
get_device_mtu() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
else
echo 1500
fi
}
#
# Version of the above that doesn't generate any output for MTU 1500.
# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
#
get_device_mtu1() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(find_mtu $output)
if [ -n "$mtu" ]; then
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
fi
fi
}
#
# Undo changes to routing
#
undo_routing() {
local undofiles
local f
if [ -z "$g_noroutes" ]; then
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
if [ -n "$undofiles" ]; then
for f in $undofiles; do
. $f
done
rm -f $undofiles
progress_message "Shorewall-generated routing tables and routing rules removed"
fi
fi
}
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {defroute=0;};
/^default / {defroute=1; print; next};
/nexthop/ {if (defroute == 1 ) {print ; next} };
{ defroute=0; };'
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
while read route ; do
case $route in
default*)
replace_default_route $1
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route
fi
return $result
}
#
# Flush the conntrack table if $g_purge is non-empty
#
conditionally_flush_conntrack() {
if [ -n "$g_purge" ]; then
if [ -n $(mywhich conntrack) ]; then
conntrack -f ipv$_family -F
else
error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
fi
fi
}
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
case $COMMAND in
start)
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$g_tool $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$g_tool $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$g_tool $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -$g_family $@; then
error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
# #
# Get the Shorewall version of the passed script # Get the Shorewall version of the passed script
@ -673,3 +1176,4 @@ truncate() # $1 = length
{ {
cut -b -${1} cut -b -${1}
} }

464
Shorewall/Perl/prog.header
View File

@ -27,90 +27,6 @@
################################################################################ ################################################################################
# Functions imported from /usr/share/shorewall/prog.header # Functions imported from /usr/share/shorewall/prog.header
################################################################################ ################################################################################
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Generate a list of all network interfaces on the system that have an ipv4 address
#
find_all_interfaces1() {
${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
# #
# Find the value 'weight' in the passed arguments then echo the next value # Find the value 'weight' in the passed arguments then echo the next value
# #
@ -122,40 +38,6 @@ find_weight() {
done done
} }
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'mtu' in the passed arguments then echo the next value
#
find_mtu() {
while [ $# -gt 1 ]; do
[ "x$1" = xmtu ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
# #
# Find the interfaces that have a route to the passed address - the default # Find the interfaces that have a route to the passed address - the default
# route is not used. # route is not used.
@ -178,23 +60,6 @@ find_rt_interface() {
done done
} }
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
$IP -4 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
# #
# Echo the name of the interface(s) that will be used to send to the # Echo the name of the interface(s) that will be used to send to the
# passed address # passed address
@ -211,31 +76,6 @@ find_interface_by_address() {
[ -n "$dev" ] && echo $dev [ -n "$dev" ] && echo $dev
} }
#
# Determine if Interface is up
#
interface_is_up() {
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
[ "$1" = lo ] && return 0
interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
$IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
}
# #
# echo the list of networks routed out of a given interface # echo the list of networks routed out of a given interface
# #
@ -428,178 +268,6 @@ disable_ipv6() {
fi fi
} }
#
# Clear the current traffic shaping configuration
#
delete_tc1()
{
clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
run_tcclear_exit
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#
# Detect a device's MTU -- echos the passed device's MTU
#
get_device_mtu() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
else
echo 1500
fi
}
#
# Version of the above that doesn't generate any output for MTU 1500.
# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
#
get_device_mtu1() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(find_mtu $output)
if [ -n "$mtu" ]; then
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
fi
fi
}
#
# Undo changes to routing
#
undo_routing() {
local undofiles
local f
if [ -z "$g_noroutes" ]; then
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
if [ -n "$undofiles" ]; then
for f in $undofiles; do
. $f
done
rm -f $undofiles
progress_message "Shorewall-generated routing tables and routing rules removed"
fi
fi
}
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {defroute=0;};
/^default / {deroute=1; print; next};
/nexthop/ {if (defroute == 1 ) {print ; next} };
{ defroute=0; };'
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
while read route ; do
case $route in
default*)
replace_default_route $1
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route
fi
return $result
}
# #
# Add an additional gateway to the default route # Add an additional gateway to the default route
# #
@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface
fi fi
} }
#
# Flush the conntrack table if $g_purge is non-empty
#
conditionally_flush_conntrack() {
if [ -n "$g_purge" ]; then
if [ -n $(mywhich conntrack) ]; then
conntrack -F
else
error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
fi
fi
}
# #
# Clear Proxy Arp # Clear Proxy Arp
# #
@ -735,124 +389,6 @@ clear_firewall() {
logger -p kern.info "$g_product Cleared" logger -p kern.info "$g_product Cleared"
} }
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
case $COMMAND in
start)
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -4 $@; then
error_message "ERROR: Command \"$IP -4 $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
# #
# Get a list of all configured broadcast addresses on the system # Get a list of all configured broadcast addresses on the system
# #

531
Shorewall/Perl/prog.header6
View File

@ -27,166 +27,6 @@
################################################################################ ################################################################################
# Functions imported from /usr/share/shorewall/prog.header6 # Functions imported from /usr/share/shorewall/prog.header6
################################################################################ ################################################################################
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Generate a list of all network interfaces on the system that have an ipv6 address
#
find_all_interfaces1() {
${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'mtu' in the passed arguments then echo the next value
#
find_mtu() {
while [ $# -gt 1 ]; do
[ "x$1" = xmtu ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
$IP -6 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
#
# Determine if Interface is up
#
interface_is_up() {
[ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
[ "$1" = lo ] && return 0
interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
}
# #
# Get all interface addresses with VLSMs # Get all interface addresses with VLSMs
# #
@ -196,64 +36,6 @@ find_interface_full_addresses() # $1 = interface
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
} }
#
# Add an additional gateway to the default route
#
add_gateway() # $1 = Delta $2 = Table Number
{
local route
local weight
local delta
local dev
run_ip route add default scope global table $2 $1
}
#
# Remove a gateway from the default route
#
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
{
local route
local gateway
local dev
route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1
dev=$(find_device $route)
[ "$dev" = "$3" ] && run_ip route delete default table $2
}
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
local address
local rest
$IP -6 route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
if [ $# -gt 1 ]; then
shift
fatal_error "$@"
else
echo "WARNING: default route ignored on interface $1" >&2
fi
;;
multicast|broadcast|prohibit|nat|throw|nexthop)
;;
2*)
[ "$address" = "${address%/*}" ] && address="${address}/128"
echo $address
;;
esac
done
}
# #
# Normalize an IPv6 Address by compressing out consecutive zero elements # Normalize an IPv6 Address by compressing out consecutive zero elements
# #
@ -438,172 +220,33 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway [ -n "$gateway" ] && echo $gateway
} }
delete_tc1() #
# Add an additional gateway to the default route
#
add_gateway() # $1 = Delta $2 = Table Number
{ {
clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
run_tcclear_exit
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#
# Detect a device's MTU -- echos the passed device's MTU
#
get_device_mtu() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
else
echo 1500
fi
}
#
# Version of the above that doesn't generate any output for MTU 1500.
# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
#
get_device_mtu1() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(find_mtu $output)
if [ -n "$mtu" ]; then
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
fi
fi
}
#
# Undo changes to routing
#
undo_routing() {
local undofiles
local f
if [ -z "$g_noroutes" ]; then
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
if [ -n "$undofiles" ]; then
for f in $undofiles; do
. $f
done
rm -f $undofiles
progress_message "Shorewall6-generated routing tables and routing rules removed"
fi
fi
}
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {defroute=0;};
/^default / {defroute=1; print; next};
/nexthop/ {if (defroute == 1 ) {print ; next} };
{ defroute=0; };'
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route local route
local weight
local delta
local dev
while read route ; do run_ip route add default scope global table $2 $1
case $route in }
default*)
replace_default_route $1
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
replace_default_route $1 #
# Remove a gateway from the default route
#
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
{
local route
local gateway
local dev
if [ $result = 1 ]; then route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
# gateway=$1
# We didn't restore a default route with metric 0
#
if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route dev=$(find_device $route)
fi [ "$dev" = "$3" ] && run_ip route delete default table $2
return $result
} }
# #
@ -625,20 +268,6 @@ find_echo() {
echo echo echo echo
} }
#
# Flush the conntrack table if $g_purge is non-empty
#
conditionally_flush_conntrack() {
if [ -n "$g_purge" ]; then
if [ -n $(which conntrack) ]; then
conntrack -F
else
error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
fi
fi
}
# #
# Clear Proxy NDP # Clear Proxy NDP
# #
@ -677,124 +306,6 @@ clear_firewall() {
logger -p kern.info "$g_product Cleared" logger -p kern.info "$g_product Cleared"
} }
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
case $COMMAND in
start)
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$IP6TABLES $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$IP6TABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -6 $@; then
error_message "ERROR: Command \"$IP -6 $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
# #
# Run the .iptables_restore_input as a set of discrete iptables commands # Run the .iptables_restore_input as a set of discrete iptables commands
# #