More periodic removal of trailing white space

Tom Eastep 2010-06-07 09:16:56 -07:00
parent 3467969c26
commit 0978f3d41a
15 changed files with 135 additions and 135 deletions


@ -23,10 +23,10 @@
# to the name of the remote firewall corresponding to the directory.
#
# To make the 'firewall' script, type "make".
#
#
# Once the script is compiling correctly, you can install it by
# typing "make install".
#
#
################################################################################
# V A R I A B L E S
#
@ -55,7 +55,7 @@ all: firewall
#
# Only generate the capabilities file if it doesn't already exist
#
capabilities:
capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities .
#
@ -78,5 +78,5 @@ save:
#
# Remove generated files
#
clean:
clean:
rm -f capabilities firewall firewall.conf reload


@ -6,7 +6,7 @@
#
usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo
echo
echo "Options are:"
echo
echo " -v and -q Standard Shorewall verbosity controls"
@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*)
g_timestamp=Yes
option=${option#t}
;;
;;
p*)
g_purge=Yes
option=${option#p}
@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then
case $option in
*/*)
*/*)
startup_error "-R must specify a simple file name: $option"
;;
.safe|.try|NONE)


@ -6,7 +6,7 @@
#
usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo
echo
echo "Options are:"
echo
echo " -v and -q Standard Shorewall verbosity controls"
@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*)
g_timestamp=Yes
option=${option#t}
;;
;;
p*)
g_purge=Yes
option=${option#p}
@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then
case $option in
*/*)
*/*)
startup_error "-R must specify a simple file name: $option"
;;
.safe|.try|NONE)


@ -124,7 +124,7 @@ deleteallchains() {
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
}
#


@ -116,7 +116,7 @@ deleteallchains() {
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
}
#


@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ;
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
@ -32,9 +32,9 @@ fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
else
echo "not done (check $INITLOG)."
fi
@ -71,7 +71,7 @@ fi
export SHOREWALL_INIT_SCRIPT
# wait for an unconfigured interface
# wait for an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then


@ -45,7 +45,7 @@ status() {
export SHOREWALL_INIT_SCRIPT=1
case $1 in
case $1 in
'start')
start
;;


@ -133,7 +133,7 @@ case $(uname) in
MAC=Yes
INSTALLD=
T=
;;
;;
*)
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root
@ -178,7 +178,7 @@ if [ -n "$DESTDIR" ]; then
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
CYGWIN=
MAC=
else
@ -194,7 +194,7 @@ else
if [ -n "$CYGWIN" ]; then
echo "Installing Cygwin-specific configuration..."
elif [ -n "$MAC" ]; then
echo "Installing Mac-specific configuration..."
echo "Installing Mac-specific configuration..."
else
if [ -f /etc/debian_version ]; then
echo "Installing Debian-specific configuration..."
@ -270,7 +270,7 @@ if [ -n "$DESTDIR" ]; then
mkdir -p ${DESTDIR}/etc/logrotate.d
chmod 755 ${DESTDIR}/etc/logrotate.d
fi
#
# Install the config file
#


@ -185,7 +185,7 @@ valid_address() {
;;
esac
done
IFS=$ifs
return 0
@ -381,7 +381,7 @@ find_echo() {
result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; }
echo echo
echo echo
}
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:


@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi
}
}
#
# Show traffic control information
@ -298,7 +298,7 @@ do_save() {
status=1
fi
case ${SAVE_IPSETS:=No} in
case ${SAVE_IPSETS:=No} in
[Yy]es)
case ${IPSET:=ipset} in
*/*)
@ -345,7 +345,7 @@ save_config() {
local result
result=1
iptables_save=${IPTABLES}-save
[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@ -495,7 +495,7 @@ show_command() {
fatal_error "Invalid table name ($s)"
;;
esac
option=
shift
;;
@ -713,7 +713,7 @@ show_command() {
;;
esac
fi
if [ $# -gt 0 ]; then
if [ $1 = dynamic -a $# -gt 1 ]; then
@ -729,7 +729,7 @@ show_command() {
exit 1
fi
done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo
show_reset
@ -800,7 +800,7 @@ dump_command() {
clear_term
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
echo
show_reset
host=$(echo $g_hostname | sed 's/\..*$//')
$IPTABLES -L $g_ipt_options
@ -844,7 +844,7 @@ dump_command() {
heading "PFKEY SPD"
setkey -DP
heading "PFKEY SAD"
setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys
setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys
fi
heading "/proc"
@ -1183,7 +1183,7 @@ add_command() {
if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi
host=${host#*:}
if $IPSET -A $ipset $host; then
@ -1192,7 +1192,7 @@ add_command() {
fatal_error "Unable to add $interface:$host to zone $zone"
fi
done
}
#
@ -1242,7 +1242,7 @@ delete_command() {
if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi
host=${hostent#*:}
if $IPSET -D $ipset $host; then
@ -1251,7 +1251,7 @@ delete_command() {
echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
fi
done
}
#
@ -1403,9 +1403,9 @@ logwatch_command() {
case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
v*)
@ -1436,7 +1436,7 @@ logwatch_command() {
;;
esac
done
[ -n "$g_debugging" ] && set -x
if [ $# -eq 1 ]; then
@ -1634,7 +1634,7 @@ determine_capabilities() {
if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH
fi
fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -1779,7 +1779,7 @@ report_capabilities1() {
report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
}


@ -45,17 +45,17 @@ get_script_version() { # $1 = script
temp=$(echo $temp)
IFS=$ifs
digits=0
for temp in $temp; do
version=${version}$(printf '%02d' $temp)
digits=$(($digits + 1))
[ $digits -eq 3 ] && break
done
fi
echo $version
}
#
# Do required exports or create the required option string and run the passed script using
# $SHOREWALL_SHELL
@ -66,7 +66,7 @@ run_it() {
local version
export VARDIR
script=$1
shift
@ -82,7 +82,7 @@ run_it() {
export PURGE=$g_purge
export TIMESTAMP=$g_timestamp
export RECOVERING=$g_recovering
if [ "$g_product" != Shorewall ]; then
#
# Shorewall Lite
@ -105,7 +105,7 @@ run_it() {
[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
fi
$SHOREWALL_SHELL $script $options $@
}


@ -7,7 +7,7 @@ II. MIGRATION ISSUES
III. PROBLEMS CORRECTED IN THIS RELEASE
IV. KNOWN PROBLEMS REMAINING
V. NEW FEATURES IN THIS RELEASE
VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
I. R E L E A S E 4 . 4 H I G H L I G H T S
@ -56,7 +56,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
11) Support for netfilter's TRACE facility has been added. TRACE allows
you to trace selected packets through Netfilter, including marking
by tcrules.
by tcrules.
12) You may now preview the generated ruleset by using the '-r' option
to the 'check' command (e.g., "shorewall check -r").
@ -155,7 +155,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
8) The install.sh scripts in the Shorewall and Shorewall6 packages no
longer create a backup copy of the existing configuration. If you
want your configuration backed up prior to upgrading, you will
need to do that yourself.
need to do that yourself.
As part of this change, the fallback.sh scripts are no longer
released.
@ -182,7 +182,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
explicitly call the module's 'initialize' function after the module
has been loaded.
12) Checking for zone membership has been tighened up. Previously,
12) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts.
@ -208,12 +208,12 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
iface_ADDRESSES SW_iface_ADDRESSES
iface_NETWORKS SW_iface_NETWORKS
iface_MAC SW_iface_MAC
provider_IS_USABLE SW_provider_IS_USABLE
where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider.
----------------------------------------------------------------------------
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
@ -231,7 +231,7 @@ None.
----------------------------------------------------------------------------
1) Beginning with this release, UPnP state and the dynamic blacklist
are preserved across 'restart'.
are preserved across 'restart'.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
@ -256,7 +256,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
3) Under rare circumstances involving a complex configuration,
OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
input to be generated.
input to be generated.
Sample error message:
@ -324,7 +324,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler.
compiler.
Shorewall and Shorewall6 users can execute these commands:
@ -361,8 +361,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
On Debian-based systems, set startup=0 in /etc/default/<product>.
On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup.
(chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up:
FIREWALL INTERFACE ACTION
@ -423,7 +423,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
shorewall-lite: 4.4.10-RC1
shorewall6-lite: 4.4.10-RC1
shorewall-init: 4.4.10-RC1
gateway:~#
gateway:~#
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
@ -498,7 +498,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT
tun0 192.168.1.0/24
tun0 192.168.1.0/24
Use of tunN in the nat and netmap files also produced invalid
iptables-restore input.
@ -540,7 +540,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I - Inserted a rule into a chain.
T - Shell source text appended/inserted into a chain --
converted into rules at run-time.
D - Deleted Rule from a chain; note that this causes the
D - Deleted Rule from a chain; note that this causes the
following rules to be renumbered.
X - Deleted a chain
P - Change a built-in chains policy. Chains in the filter table
@ -555,7 +555,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Netfilter trace records indicate the table and chain being
changed. If the change involves a particular rule, then the rule
number is also included.
number is also included.
Example (append the first rule to the filter FORWARD chain):
@ -585,7 +585,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
dummy br0 - routeback
/etc/shorewall/policy:
#SOURCE DEST POLICY
dummy all DROP
@ -611,7 +611,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to
1) A CONTINUE rule specifying a log level would cause the compiler to
generate an incorrect rule sequence. The packet would be logged
but the CONTINUE action would not occur.
@ -643,7 +643,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1/2 of the values given in the rule.
5) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap.
6) On older distributions such as RHEL5 and derivatives, Shorewall
@ -651,7 +651,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
specified in /etc/shorewall/shorewall.conf.
7) The Debian init scripts are modified to include $remote_fs in the
7) The Debian init scripts are modified to include $remote_fs in the
Required-start and Required-stop specifications.
8) Previously, when a supported command failed, the Debian Shorewall
@ -715,7 +715,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
VERBOSE
VERBOSE_OFFSET
VERSION
See Migration Issue 14 above for additional information.
2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
@ -739,7 +739,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Resulting error message
ERROR: The separator for a port range is ':', not '-' (21-22) :
ERROR: The separator for a port range is ':', not '-' (21-22) :
/etc/shorewall/rules (line 3)
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
@ -750,7 +750,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
'status' command now gives the detailed status as 'Restored from
<filename>' rather than 'Started'; <filename> is the saved script
used to restore the configuration.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
----------------------------------------------------------------------------
@ -759,7 +759,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
installer and are included in the rpm.
2) An invalid octal number (e.g., 080) appearing in a port list
resulted in a perl error message.
resulted in a perl error message.
As part of this fix, both hex and octal numbers are now accepted
for protocol and port numbers.
@ -824,7 +824,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
f) If a chain ends with an unconditional branch to a second chain
(other than to 'reject'), then the branch is deleted from the
first chain and the rules from the second chain are appended
to it.
to it.
The following chains are exempted from optimization 4:
@ -881,7 +881,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
helpers. These cannot be autoloaded.
In addition, the nf_conntrack_sip module is loaded with
sip_direct_media=0. This setting is slightly less secure than
sip_direct_media=1, but it solves many VOIP problems that users
@ -914,7 +914,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
the setting of net.ipv4.config.all.rp_filter.
Beginning with kernel 2.6.31, the value is the arithmetic MAX of
those two values.
those two values.
Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
there are any interfaces specifying 'routefilter', specifying
@ -946,7 +946,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Keep - Shorewall does not change the setting of
net.ipv4.config.all.rp_filter if the kernel version
is 2.6.31 or later.
The default remains Keep.
e) The 'routefilter' interface option can have values 0,1 or 2. If
@ -1021,7 +1021,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
2) If any interfaces had the 'bridge' option specified, compilation
failed with the error:
Undefined subroutine &Shorewall::Rules::match_source_interface called
Undefined subroutine &Shorewall::Rules::match_source_interface called
at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
3) The compiler now flags port number 0 as an error in all
@ -1049,7 +1049,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
9) The 'reload -c' command would ignore the setting of DONT_LOAD in
shorewall.conf. The 'reload' command without '-c' worked as
expected.
expected.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 5
@ -1135,7 +1135,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/zones:
#ZONE TYPE
#ZONE TYPE
fw firewall
world ipv4
z1:world bport4
@ -1268,7 +1268,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
The effect is much the same as the old defaults, with the exception
The effect is much the same as the old defaults, with the exception
that:
a) Start, stop, etc. commands issued through /sbin/shorewall
@ -1276,7 +1276,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) Logging will occur at maximum verbosity.
c) Log entries will be date/time stamped.
On non-Debian systems, new installs will now log all Shorewall
On non-Debian systems, new installs will now log all Shorewall
commands to /var/log/shorewall-init.log.
2) A new TRACK_PROVIDERS option has been added in shorewall.conf.
@ -1294,9 +1294,9 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2
----------------------------------------------------------------------------
1) Detection of Persistent SNAT was broken in the rules compiler.
1) Detection of Persistent SNAT was broken in the rules compiler.
2) Initialization of the compiler's chain table was occurring before
2) Initialization of the compiler's chain table was occurring before
shorewall.conf had been read and before the capabilities had been
determined. This could lead to incorrect rules and Perl runtime
errors.
@ -1348,14 +1348,14 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
N E W F E A T U R E S I N 4 . 4 . 2
----------------------------------------------------------------------------
1) Prior to this release, line continuation has taken precedence over
1) Prior to this release, line continuation has taken precedence over
#-style comments. This prevented us from doing the following:
ACCEPT net:206.124.146.176,\ #Gateway
206.124.146.177,\ #Mail
206.124.146.178\ #Server
...
Now, unless a line ends with '\', any trailing comment is stripped
off (including any white-space preceding the '#'). Then if the line
ends with '\', it is treated as a continuation line as normal.
@ -1407,7 +1407,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
7) MULTICAST=Yes generates an incorrect rule that limits its
effectiveness to a small part of the multicast address space.
8) Checking for zone membership has been tighened up. Previously,
8) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts.
@ -1431,7 +1431,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent
This feature requires Persistent SNAT support in your kernel and
iptables.
iptables.
If you use a capabilities file, you will need to create a new one
as a result of this feature.
@ -1444,7 +1444,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
iptables when asked.
2) A 'clean' target has been added to the Makefiles. It removes backup
files (*~ and .*~).
files (*~ and .*~).
3) The meaning of 'full' has been redefined when used in the context
of a traffic shaping sub-class. Previously, 'full' always meant the
@ -1580,7 +1580,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
As always, /var/lib/shorewall[6] is the default directory which may
be overridden using the /etc/shorewall[6]/vardir file.
5) Dynamic zone support is once again available for IPv4. This support
5) Dynamic zone support is once again available for IPv4. This support
is built on top of ipsets so you must have the xtables-addons
installed on the firewall system.
@ -1598,7 +1598,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
- By specifying <interface>:dynamic in the HOST(S) column of an
entry for the zone in /etc/shorewall/hosts.
When there are any dynamic zones present in your configuration,
When there are any dynamic zones present in your configuration,
Shorewall (Shorewall-lite) will:
a) Execute the following commands during 'shorewall start' or
@ -1607,7 +1607,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -X
ipset -R < ${VARDIR}/ipsets.save
where $VARDIR normally contains /var/lib/shorewall
@ -1700,7 +1700,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
gateway:~ # shorewall restart
Restarting Shorewall....
done.
gateway:~ #
gateway:~ #
In other words, you can compile the current configuration then
install it at a later time.
@ -1750,8 +1750,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
This previously generated these two rules (long rules folded):
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject
--log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject
It now generates these rules:
@ -1760,8 +1760,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
-A loc2net -p 6 --dport 25 -g log0
...
-A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -j reject
--log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -j reject
Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than
@ -1861,7 +1861,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
It is important to realize that, while class IDs are composed of a
<major> and a <minor> value, the set of <minor> values must be
unique. You must keep this in mind when deciding how to map IP
addresses to class IDs.
addresses to class IDs.
For example, suppose that your internal network is 192.168.1.0/29
(host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
@ -1974,7 +1974,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1:100 - 16mbit 20mbit 2
1:100:101 - 8mbit 20mbit 3 default
1:100:102 - 8mbit 20mbit 3
/etc/shorewall/tcrules
#MARK SOURCE DEST
@ -1990,7 +1990,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Local traffic (that coming from the firewall and from the DMZ
server) is placed in the effectively unrestricted class 1:10. The
default class is guaranteed half of the download capacity and my
work system (172.20.1.107) is guarandeed the other half.
work system (172.20.1.107) is guarandeed the other half.
19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is claimed to be superior to the
@ -2018,7 +2018,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
in the class should experience. The delay is expressed
in milliseconds and may be followed by 'ms' (e.g.,
10ms. Note that there may be no white space between the
number and 'ms').
number and 'ms').
3. The maximum transmission unit (UMAX) for this class of
traffic. If not specified, the MTU of the interface is
used. The length is specified in bytes and may be
@ -2101,7 +2101,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
25) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be
called by the other run-time extension scripts.
called by the other run-time extension scripts.
26) Paul Gear has contributed the following macros:
@ -2178,7 +2178,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If flow is not supported, you will see:
Unknown filter "flow", hence option "help" is unparsable
If your kernel supports module autoloading, just type (as root):
modprobe cls_flow
@ -2187,7 +2187,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
see:
FATAL: Module cls_flow not found.
If your kernel is not modularized or does not support module
autoloading, look at your kernel configuration (either
/proc/config.gz or the .config file in
@ -2195,7 +2195,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If 'flow' is supported, you will see:
NET_CLS_FLOW=m
NET_CLS_FLOW=m
or
@ -2203,4 +2203,4 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
For modularized kernels, Shorewall will attempt to load
/lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.


@ -32,7 +32,7 @@
# $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE
#
#
get_config() {
local prog
@ -47,7 +47,7 @@ get_config() {
fi
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
. $config
@ -61,7 +61,7 @@ get_config() {
fi
ensure_config_path
if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
#
# This block is avoided for compile for export and when the user isn't root
@ -109,7 +109,7 @@ get_config() {
IP=$prog
;;
esac
else
else
IP='ip'
fi
@ -130,7 +130,7 @@ get_config() {
IPSET=$prog
;;
esac
else
else
IPSET='ipset'
fi
@ -151,7 +151,7 @@ get_config() {
TC=$prog
;;
esac
else
else
TC='tc'
fi
#
@ -196,7 +196,7 @@ get_config() {
;;
esac
[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
@ -222,7 +222,7 @@ get_config() {
else
STARTUP_LOG=
LOG_VERBOSITY=-1
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -x "$SHOREWALL_SHELL" ]; then
@ -313,7 +313,7 @@ startup_error() {
# Run the compiler
#
compiler() {
if [ $(id -u) -ne 0 ]; then
if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@ -338,10 +338,10 @@ compiler() {
[ -n "$g_profile" ] && debugflags='-wd:DProf'
# Perl compiler only takes the output file as a argument
[ "$1" = debug -o "$1" = trace ] && shift;
[ "$1" = nolock ] && shift;
shift
shift
options="--verbose=$VERBOSITY"
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@ -356,7 +356,7 @@ compiler() {
#
# Run the appropriate params file
#
set -a;
set -a;
run_user_exit params
set +a
@ -537,7 +537,7 @@ compile_command() {
t*)
g_test=Yes
option=${option#t}
;;
;;
d*)
g_debug=Yes;
option=${option#d}
@ -755,7 +755,7 @@ restart_command() {
fi
fi
if [ -z "$g_fast" ]; then
if [ -z "$g_fast" ]; then
progress_message3 "Compiling..."
if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@ -774,7 +774,7 @@ restart_command() {
rc=$?
[ -n "$nolock" ] || mutex_off
fi
return $rc
}
@ -958,7 +958,7 @@ safe_commands() {
else
${VARDIR}/.$command clear
fi
[ -n "$nolock" ] || mutex_off
echo "New configuration has been rejected and the old one restored"
@ -989,7 +989,7 @@ try_command() {
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$(resolve_file $1)
}
@ -1032,7 +1032,7 @@ try_command() {
2)
handle_directory $1
timeout=$2
case $timeout in
case $timeout in
*[!0-9]*)
echo " ERROR: Invalid timeout ($timeout)" >&2;
exit 1
@ -1084,12 +1084,12 @@ try_command() {
if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
sleep $timeout
if [ "$command" = "restart" ]; then
${VARDIR}/.try restore
else
${VARDIR}/.$command clear
fi
fi
fi
[ -n "$nolock" ] || mutex_off
@ -1106,7 +1106,7 @@ rsh_command() {
rcp_command() {
files="$1"
destination=$2
eval $RCP_COMMAND
}
@ -1247,12 +1247,12 @@ reload_command() # $* = original arguments less the command.
export_command() # $* = original arguments less the command.
{
local verbose
verbose=$(make_verbose)
verbose=$(make_verbose)
local file
file=
file=
local finished
finished=0
local directory
finished=0
local directory
local target
while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -1455,7 +1455,7 @@ while [ $finished -eq 0 ]; do
;;
v*)
option=${option#v}
case $option in
case $option in
-1*)
g_use_verbosity=-1
option=${option#-1}
@ -1542,7 +1542,7 @@ version_command() {
[ $# -gt 0 ] && usage 1
echo $SHOREWALL_VERSION
if [ -n "$all" ]; then
for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
if [ -f /usr/share/$product/version ]; then
@ -1570,7 +1570,7 @@ g_timestamp=
[ -n "${VARDIR:=/var/lib/shorewall}" ]
if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
fi
g_firewall=${VARDIR}/firewall
@ -1920,7 +1920,7 @@ case "$COMMAND" in
else
fatal_error "Shorewall is not started"
fi
;;
;;
noiptrace)
get_config
shift
@ -1930,7 +1930,7 @@ case "$COMMAND" in
else
fatal_error "Shorewall is not started"
fi
;;
;;
*)
usage 1
;;


@ -105,7 +105,7 @@ fi
%attr(0644,root,root) %{_mandir}/man5/*
%attr(0644,root,root) %{_mandir}/man8/*
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net


@ -33,7 +33,7 @@
#
interface_is_up() {
[ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
[ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
}
case $# in
@ -57,4 +57,4 @@ done
exit 1