More periodic removal of trailing white space

Tom Eastep 2010-06-07 09:16:56 -07:00
parent 3467969c26
commit 0978f3d41a
15 changed files with 135 additions and 135 deletions


@ -23,10 +23,10 @@
# to the name of the remote firewall corresponding to the directory. # to the name of the remote firewall corresponding to the directory.
# #
# To make the 'firewall' script, type "make". # To make the 'firewall' script, type "make".
# #
# Once the script is compiling correctly, you can install it by # Once the script is compiling correctly, you can install it by
# typing "make install". # typing "make install".
# #
################################################################################ ################################################################################
# V A R I A B L E S # V A R I A B L E S
# #
@ -55,7 +55,7 @@ all: firewall
# #
# Only generate the capabilities file if it doesn't already exist # Only generate the capabilities file if it doesn't already exist
# #
capabilities: capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities" ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities . scp root@$(HOST):$(LITEDIR)/capabilities .
# #
@ -78,5 +78,5 @@ save:
# #
# Remove generated files # Remove generated files
# #
clean: clean:
rm -f capabilities firewall firewall.conf reload rm -f capabilities firewall firewall.conf reload


@ -6,7 +6,7 @@
# #
usage() { usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo echo
echo "Options are:" echo "Options are:"
echo echo
echo " -v and -q Standard Shorewall verbosity controls" echo " -v and -q Standard Shorewall verbosity controls"
@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*) t*)
g_timestamp=Yes g_timestamp=Yes
option=${option#t} option=${option#t}
;; ;;
p*) p*)
g_purge=Yes g_purge=Yes
option=${option#p} option=${option#p}
@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then if [ -n "$option" ]; then
case $option in case $option in
*/*) */*)
startup_error "-R must specify a simple file name: $option" startup_error "-R must specify a simple file name: $option"
;; ;;
.safe|.try|NONE) .safe|.try|NONE)


@ -6,7 +6,7 @@
# #
usage() { usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo echo
echo "Options are:" echo "Options are:"
echo echo
echo " -v and -q Standard Shorewall verbosity controls" echo " -v and -q Standard Shorewall verbosity controls"
@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*) t*)
g_timestamp=Yes g_timestamp=Yes
option=${option#t} option=${option#t}
;; ;;
p*) p*)
g_purge=Yes g_purge=Yes
option=${option#p} option=${option#p}
@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then if [ -n "$option" ]; then
case $option in case $option in
*/*) */*)
startup_error "-R must specify a simple file name: $option" startup_error "-R must specify a simple file name: $option"
;; ;;
.safe|.try|NONE) .safe|.try|NONE)


@ -124,7 +124,7 @@ deleteallchains() {
# Generate a list of all network interfaces on the system # Generate a list of all network interfaces on the system
# #
find_all_interfaces() { find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
} }
# #


@ -116,7 +116,7 @@ deleteallchains() {
# Generate a list of all network interfaces on the system # Generate a list of all network interfaces on the system
# #
find_all_interfaces() { find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
} }
# #


@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@ -32,9 +32,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done." echo "not done."
else else
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
@ -71,7 +71,7 @@ fi
export SHOREWALL_INIT_SCRIPT export SHOREWALL_INIT_SCRIPT
# wait for an unconfigured interface # wait for an unconfigured interface
wait_for_pppd () { wait_for_pppd () {
if [ "$wait_interface" != "" ] if [ "$wait_interface" != "" ]
then then


@ -45,7 +45,7 @@ status() {
export SHOREWALL_INIT_SCRIPT=1 export SHOREWALL_INIT_SCRIPT=1
case $1 in case $1 in
'start') 'start')
start start
;; ;;


@ -133,7 +133,7 @@ case $(uname) in
MAC=Yes MAC=Yes
INSTALLD= INSTALLD=
T= T=
;; ;;
*) *)
[ -z "$OWNER" ] && OWNER=root [ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root [ -z "$GROUP" ] && GROUP=root
@ -178,7 +178,7 @@ if [ -n "$DESTDIR" ]; then
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST} install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
CYGWIN= CYGWIN=
MAC= MAC=
else else
@ -194,7 +194,7 @@ else
if [ -n "$CYGWIN" ]; then if [ -n "$CYGWIN" ]; then
echo "Installing Cygwin-specific configuration..." echo "Installing Cygwin-specific configuration..."
elif [ -n "$MAC" ]; then elif [ -n "$MAC" ]; then
echo "Installing Mac-specific configuration..." echo "Installing Mac-specific configuration..."
else else
if [ -f /etc/debian_version ]; then if [ -f /etc/debian_version ]; then
echo "Installing Debian-specific configuration..." echo "Installing Debian-specific configuration..."
@ -270,7 +270,7 @@ if [ -n "$DESTDIR" ]; then
mkdir -p ${DESTDIR}/etc/logrotate.d mkdir -p ${DESTDIR}/etc/logrotate.d
chmod 755 ${DESTDIR}/etc/logrotate.d chmod 755 ${DESTDIR}/etc/logrotate.d
fi fi
# #
# Install the config file # Install the config file
# #


@ -185,7 +185,7 @@ valid_address() {
;; ;;
esac esac
done done
IFS=$ifs IFS=$ifs
return 0 return 0
@ -381,7 +381,7 @@ find_echo() {
result=$(which echo) result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; } [ -n "$result" ] && { echo "$result -e"; return; }
echo echo echo echo
} }
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:


@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi fi
} }
# #
# Show traffic control information # Show traffic control information
@ -298,7 +298,7 @@ do_save() {
status=1 status=1
fi fi
case ${SAVE_IPSETS:=No} in case ${SAVE_IPSETS:=No} in
[Yy]es) [Yy]es)
case ${IPSET:=ipset} in case ${IPSET:=ipset} in
*/*) */*)
@ -345,7 +345,7 @@ save_config() {
local result local result
result=1 result=1
iptables_save=${IPTABLES}-save iptables_save=${IPTABLES}-save
[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@ -495,7 +495,7 @@ show_command() {
fatal_error "Invalid table name ($s)" fatal_error "Invalid table name ($s)"
;; ;;
esac esac
option= option=
shift shift
;; ;;
@ -713,7 +713,7 @@ show_command() {
;; ;;
esac esac
fi fi
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
if [ $1 = dynamic -a $# -gt 1 ]; then if [ $1 = dynamic -a $# -gt 1 ]; then
@ -729,7 +729,7 @@ show_command() {
exit 1 exit 1
fi fi
done done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo echo
show_reset show_reset
@ -800,7 +800,7 @@ dump_command() {
clear_term clear_term
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
echo echo
show_reset show_reset
host=$(echo $g_hostname | sed 's/\..*$//') host=$(echo $g_hostname | sed 's/\..*$//')
$IPTABLES -L $g_ipt_options $IPTABLES -L $g_ipt_options
@ -844,7 +844,7 @@ dump_command() {
heading "PFKEY SPD" heading "PFKEY SPD"
setkey -DP setkey -DP
heading "PFKEY SAD" heading "PFKEY SAD"
setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys
fi fi
heading "/proc" heading "/proc"
@ -1183,7 +1183,7 @@ add_command() {
if ! qt $IPSET -L $ipset -n; then if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi fi
host=${host#*:} host=${host#*:}
if $IPSET -A $ipset $host; then if $IPSET -A $ipset $host; then
@ -1192,7 +1192,7 @@ add_command() {
fatal_error "Unable to add $interface:$host to zone $zone" fatal_error "Unable to add $interface:$host to zone $zone"
fi fi
done done
} }
# #
@ -1242,7 +1242,7 @@ delete_command() {
if ! qt $IPSET -L $ipset -n; then if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi fi
host=${hostent#*:} host=${hostent#*:}
if $IPSET -D $ipset $host; then if $IPSET -D $ipset $host; then
@ -1251,7 +1251,7 @@ delete_command() {
echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
fi fi
done done
} }
# #
@ -1403,9 +1403,9 @@ logwatch_command() {
case $option in case $option in
-*) -*)
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1 [ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
v*) v*)
@ -1436,7 +1436,7 @@ logwatch_command() {
;; ;;
esac esac
done done
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
@ -1634,7 +1634,7 @@ determine_capabilities() {
if [ -z "$HASHLIMIT_MATCH" ]; then if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH HASHLIMIT_MATCH=$OLD_HL_MATCH
fi fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -1779,7 +1779,7 @@ report_capabilities1() {
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
} }


@ -45,17 +45,17 @@ get_script_version() { # $1 = script
temp=$(echo $temp) temp=$(echo $temp)
IFS=$ifs IFS=$ifs
digits=0 digits=0
for temp in $temp; do for temp in $temp; do
version=${version}$(printf '%02d' $temp) version=${version}$(printf '%02d' $temp)
digits=$(($digits + 1)) digits=$(($digits + 1))
[ $digits -eq 3 ] && break [ $digits -eq 3 ] && break
done done
fi fi
echo $version echo $version
} }
# #
# Do required exports or create the required option string and run the passed script using # Do required exports or create the required option string and run the passed script using
# $SHOREWALL_SHELL # $SHOREWALL_SHELL
@ -66,7 +66,7 @@ run_it() {
local version local version
export VARDIR export VARDIR
script=$1 script=$1
shift shift
@ -82,7 +82,7 @@ run_it() {
export PURGE=$g_purge export PURGE=$g_purge
export TIMESTAMP=$g_timestamp export TIMESTAMP=$g_timestamp
export RECOVERING=$g_recovering export RECOVERING=$g_recovering
if [ "$g_product" != Shorewall ]; then if [ "$g_product" != Shorewall ]; then
# #
# Shorewall Lite # Shorewall Lite
@ -105,7 +105,7 @@ run_it() {
[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
fi fi
$SHOREWALL_SHELL $script $options $@ $SHOREWALL_SHELL $script $options $@
} }


@ -7,7 +7,7 @@ II. MIGRATION ISSUES
III. PROBLEMS CORRECTED IN THIS RELEASE III. PROBLEMS CORRECTED IN THIS RELEASE
IV. KNOWN PROBLEMS REMAINING IV. KNOWN PROBLEMS REMAINING
V. NEW FEATURES IN THIS RELEASE V. NEW FEATURES IN THIS RELEASE
VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. R E L E A S E 4 . 4 H I G H L I G H T S I. R E L E A S E 4 . 4 H I G H L I G H T S
@ -56,7 +56,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
11) Support for netfilter's TRACE facility has been added. TRACE allows 11) Support for netfilter's TRACE facility has been added. TRACE allows
you to trace selected packets through Netfilter, including marking you to trace selected packets through Netfilter, including marking
by tcrules. by tcrules.
12) You may now preview the generated ruleset by using the '-r' option 12) You may now preview the generated ruleset by using the '-r' option
to the 'check' command (e.g., "shorewall check -r"). to the 'check' command (e.g., "shorewall check -r").
@ -155,7 +155,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
8) The install.sh scripts in the Shorewall and Shorewall6 packages no 8) The install.sh scripts in the Shorewall and Shorewall6 packages no
longer create a backup copy of the existing configuration. If you longer create a backup copy of the existing configuration. If you
want your configuration backed up prior to upgrading, you will want your configuration backed up prior to upgrading, you will
need to do that yourself. need to do that yourself.
As part of this change, the fallback.sh scripts are no longer As part of this change, the fallback.sh scripts are no longer
released. released.
@ -182,7 +182,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
explicitly call the module's 'initialize' function after the module explicitly call the module's 'initialize' function after the module
has been loaded. has been loaded.
12) Checking for zone membership has been tighened up. Previously, 12) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts; a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts. then it may have no additional members in /etc/shorewall/hosts.
@ -208,12 +208,12 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
iface_ADDRESSES SW_iface_ADDRESSES iface_ADDRESSES SW_iface_ADDRESSES
iface_NETWORKS SW_iface_NETWORKS iface_NETWORKS SW_iface_NETWORKS
iface_MAC SW_iface_MAC iface_MAC SW_iface_MAC
provider_IS_USABLE SW_provider_IS_USABLE provider_IS_USABLE SW_provider_IS_USABLE
where 'iface' is a capitalized interface name (e.g., ETH0) and where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider. 'provider' is the capitalized name of a provider.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -231,7 +231,7 @@ None.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Beginning with this release, UPnP state and the dynamic blacklist 1) Beginning with this release, UPnP state and the dynamic blacklist
are preserved across 'restart'. are preserved across 'restart'.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
@ -256,7 +256,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
3) Under rare circumstances involving a complex configuration, 3) Under rare circumstances involving a complex configuration,
OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
input to be generated. input to be generated.
Sample error message: Sample error message:
@ -324,7 +324,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) be sure that your current firewall script(s) (normally in b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10 /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler. compiler.
Shorewall and Shorewall6 users can execute these commands: Shorewall and Shorewall6 users can execute these commands:
@ -361,8 +361,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
On Debian-based systems, set startup=0 in /etc/default/<product>. On Debian-based systems, set startup=0 in /etc/default/<product>.
On other systems, use your service startup configuration tool On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup. (chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up: The following actions occur when an interface comes up:
FIREWALL INTERFACE ACTION FIREWALL INTERFACE ACTION
@ -423,7 +423,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
shorewall-lite: 4.4.10-RC1 shorewall-lite: 4.4.10-RC1
shorewall6-lite: 4.4.10-RC1 shorewall6-lite: 4.4.10-RC1
shorewall-init: 4.4.10-RC1 shorewall-init: 4.4.10-RC1
gateway:~# gateway:~#
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
@ -498,7 +498,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/masq: /etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT #INTERFACE SOURCE ADDRESS PROTO PORT
tun0 192.168.1.0/24 tun0 192.168.1.0/24
Use of tunN in the nat and netmap files also produced invalid Use of tunN in the nat and netmap files also produced invalid
iptables-restore input. iptables-restore input.
@ -540,7 +540,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I - Inserted a rule into a chain. I - Inserted a rule into a chain.
T - Shell source text appended/inserted into a chain -- T - Shell source text appended/inserted into a chain --
converted into rules at run-time. converted into rules at run-time.
D - Deleted Rule from a chain; note that this causes the D - Deleted Rule from a chain; note that this causes the
following rules to be renumbered. following rules to be renumbered.
X - Deleted a chain X - Deleted a chain
P - Change a built-in chains policy. Chains in the filter table P - Change a built-in chains policy. Chains in the filter table
@ -555,7 +555,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Netfilter trace records indicate the table and chain being Netfilter trace records indicate the table and chain being
changed. If the change involves a particular rule, then the rule changed. If the change involves a particular rule, then the rule
number is also included. number is also included.
Example (append the first rule to the filter FORWARD chain): Example (append the first rule to the filter FORWARD chain):
@ -585,7 +585,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/interfaces: /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
dummy br0 - routeback dummy br0 - routeback
/etc/shorewall/policy: /etc/shorewall/policy:
#SOURCE DEST POLICY #SOURCE DEST POLICY
dummy all DROP dummy all DROP
@ -611,7 +611,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to 1) A CONTINUE rule specifying a log level would cause the compiler to
generate an incorrect rule sequence. The packet would be logged generate an incorrect rule sequence. The packet would be logged
but the CONTINUE action would not occur. but the CONTINUE action would not occur.
@ -643,7 +643,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1/2 of the values given in the rule. 1/2 of the values given in the rule.
5) Detection of the 'Old hashlimit match' capability was broken in 5) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap. shorecap.
6) On older distributions such as RHEL5 and derivatives, Shorewall 6) On older distributions such as RHEL5 and derivatives, Shorewall
@ -651,7 +651,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
specified in /etc/shorewall/shorewall.conf. specified in /etc/shorewall/shorewall.conf.
7) The Debian init scripts are modified to include $remote_fs in the 7) The Debian init scripts are modified to include $remote_fs in the
Required-start and Required-stop specifications. Required-start and Required-stop specifications.
8) Previously, when a supported command failed, the Debian Shorewall 8) Previously, when a supported command failed, the Debian Shorewall
@ -715,7 +715,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
VERBOSE VERBOSE
VERBOSE_OFFSET VERBOSE_OFFSET
VERSION VERSION
See Migration Issue 14 above for additional information. See Migration Issue 14 above for additional information.
2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse) 2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
@ -739,7 +739,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Resulting error message Resulting error message
ERROR: The separator for a port range is ':', not '-' (21-22) : ERROR: The separator for a port range is ':', not '-' (21-22) :
/etc/shorewall/rules (line 3) /etc/shorewall/rules (line 3)
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S) 5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
@ -750,7 +750,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
'status' command now gives the detailed status as 'Restored from 'status' command now gives the detailed status as 'Restored from
<filename>' rather than 'Started'; <filename> is the saved script <filename>' rather than 'Started'; <filename> is the saved script
used to restore the configuration. used to restore the configuration.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -759,7 +759,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
installer and are included in the rpm. installer and are included in the rpm.
2) An invalid octal number (e.g., 080) appearing in a port list 2) An invalid octal number (e.g., 080) appearing in a port list
resulted in a perl error message. resulted in a perl error message.
As part of this fix, both hex and octal numbers are now accepted As part of this fix, both hex and octal numbers are now accepted
for protocol and port numbers. for protocol and port numbers.
@ -824,7 +824,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
f) If a chain ends with an unconditional branch to a second chain f) If a chain ends with an unconditional branch to a second chain
(other than to 'reject'), then the branch is deleted from the (other than to 'reject'), then the branch is deleted from the
first chain and the rules from the second chain are appended first chain and the rules from the second chain are appended
to it. to it.
The following chains are exempted from optimization 4: The following chains are exempted from optimization 4:
@ -881,7 +881,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
helpers. These cannot be autoloaded. helpers. These cannot be autoloaded.
In addition, the nf_conntrack_sip module is loaded with In addition, the nf_conntrack_sip module is loaded with
sip_direct_media=0. This setting is slightly less secure than sip_direct_media=0. This setting is slightly less secure than
sip_direct_media=1, but it solves many VOIP problems that users sip_direct_media=1, but it solves many VOIP problems that users
@ -914,7 +914,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
the setting of net.ipv4.config.all.rp_filter. the setting of net.ipv4.config.all.rp_filter.
Beginning with kernel 2.6.31, the value is the arithmetic MAX of Beginning with kernel 2.6.31, the value is the arithmetic MAX of
those two values. those two values.
Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
there are any interfaces specifying 'routefilter', specifying there are any interfaces specifying 'routefilter', specifying
@ -946,7 +946,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Keep - Shorewall does not change the setting of Keep - Shorewall does not change the setting of
net.ipv4.config.all.rp_filter if the kernel version net.ipv4.config.all.rp_filter if the kernel version
is 2.6.31 or later. is 2.6.31 or later.
The default remains Keep. The default remains Keep.
e) The 'routefilter' interface option can have values 0,1 or 2. If e) The 'routefilter' interface option can have values 0,1 or 2. If
@ -1021,7 +1021,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
2) If any interfaces had the 'bridge' option specified, compilation 2) If any interfaces had the 'bridge' option specified, compilation
failed with the error: failed with the error:
Undefined subroutine &Shorewall::Rules::match_source_interface called Undefined subroutine &Shorewall::Rules::match_source_interface called
at /usr/share/shorewall/Shorewall/Rules.pm line 2319. at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
3) The compiler now flags port number 0 as an error in all 3) The compiler now flags port number 0 as an error in all
@ -1049,7 +1049,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
9) The 'reload -c' command would ignore the setting of DONT_LOAD in 9) The 'reload -c' command would ignore the setting of DONT_LOAD in
shorewall.conf. The 'reload' command without '-c' worked as shorewall.conf. The 'reload' command without '-c' worked as
expected. expected.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 5 N E W F E A T U R E S I N 4 . 4 . 5
@ -1135,7 +1135,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/zones: /etc/shorewall/zones:
#ZONE TYPE #ZONE TYPE
fw firewall fw firewall
world ipv4 world ipv4
z1:world bport4 z1:world bport4
@ -1268,7 +1268,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2 LOG_VERBOSITY=2
The effect is much the same as the old defaults, with the exception The effect is much the same as the old defaults, with the exception
that: that:
a) Start, stop, etc. commands issued through /sbin/shorewall a) Start, stop, etc. commands issued through /sbin/shorewall
@ -1276,7 +1276,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) Logging will occur at maximum verbosity. b) Logging will occur at maximum verbosity.
c) Log entries will be date/time stamped. c) Log entries will be date/time stamped.
On non-Debian systems, new installs will now log all Shorewall On non-Debian systems, new installs will now log all Shorewall
commands to /var/log/shorewall-init.log. commands to /var/log/shorewall-init.log.
2) A new TRACK_PROVIDERS option has been added in shorewall.conf. 2) A new TRACK_PROVIDERS option has been added in shorewall.conf.
@ -1294,9 +1294,9 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 P R O B L E M S C O R R E C T E D I N 4 . 4 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Detection of Persistent SNAT was broken in the rules compiler. 1) Detection of Persistent SNAT was broken in the rules compiler.
2) Initialization of the compiler's chain table was occurring before 2) Initialization of the compiler's chain table was occurring before
shorewall.conf had been read and before the capabilities had been shorewall.conf had been read and before the capabilities had been
determined. This could lead to incorrect rules and Perl runtime determined. This could lead to incorrect rules and Perl runtime
errors. errors.
@ -1348,14 +1348,14 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
N E W F E A T U R E S I N 4 . 4 . 2 N E W F E A T U R E S I N 4 . 4 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Prior to this release, line continuation has taken precedence over 1) Prior to this release, line continuation has taken precedence over
#-style comments. This prevented us from doing the following: #-style comments. This prevented us from doing the following:
ACCEPT net:206.124.146.176,\ #Gateway ACCEPT net:206.124.146.176,\ #Gateway
206.124.146.177,\ #Mail 206.124.146.177,\ #Mail
206.124.146.178\ #Server 206.124.146.178\ #Server
... ...
Now, unless a line ends with '\', any trailing comment is stripped Now, unless a line ends with '\', any trailing comment is stripped
off (including any white-space preceding the '#'). Then if the line off (including any white-space preceding the '#'). Then if the line
ends with '\', it is treated as a continuation line as normal. ends with '\', it is treated as a continuation line as normal.
@ -1407,7 +1407,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
7) MULTICAST=Yes generates an incorrect rule that limits its 7) MULTICAST=Yes generates an incorrect rule that limits its
effectiveness to a small part of the multicast address space. effectiveness to a small part of the multicast address space.
8) Checking for zone membership has been tighened up. Previously, 8) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts; a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts. then it may have no additional members in /etc/shorewall/hosts.
@ -1431,7 +1431,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent
This feature requires Persistent SNAT support in your kernel and This feature requires Persistent SNAT support in your kernel and
iptables. iptables.
If you use a capabilities file, you will need to create a new one If you use a capabilities file, you will need to create a new one
as a result of this feature. as a result of this feature.
@ -1444,7 +1444,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
iptables when asked. iptables when asked.
2) A 'clean' target has been added to the Makefiles. It removes backup 2) A 'clean' target has been added to the Makefiles. It removes backup
files (*~ and .*~). files (*~ and .*~).
3) The meaning of 'full' has been redefined when used in the context 3) The meaning of 'full' has been redefined when used in the context
of a traffic shaping sub-class. Previously, 'full' always meant the of a traffic shaping sub-class. Previously, 'full' always meant the
@ -1580,7 +1580,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
As always, /var/lib/shorewall[6] is the default directory which may As always, /var/lib/shorewall[6] is the default directory which may
be overridden using the /etc/shorewall[6]/vardir file. be overridden using the /etc/shorewall[6]/vardir file.
5) Dynamic zone support is once again available for IPv4. This support 5) Dynamic zone support is once again available for IPv4. This support
is built on top of ipsets so you must have the xtables-addons is built on top of ipsets so you must have the xtables-addons
installed on the firewall system. installed on the firewall system.
@ -1598,7 +1598,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
- By specifying <interface>:dynamic in the HOST(S) column of an - By specifying <interface>:dynamic in the HOST(S) column of an
entry for the zone in /etc/shorewall/hosts. entry for the zone in /etc/shorewall/hosts.
When there are any dynamic zones present in your configuration, When there are any dynamic zones present in your configuration,
Shorewall (Shorewall-lite) will: Shorewall (Shorewall-lite) will:
a) Execute the following commands during 'shorewall start' or a) Execute the following commands during 'shorewall start' or
@ -1607,7 +1607,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
ipset -U :all: :all: ipset -U :all: :all:
ipset -U :all: :default: ipset -U :all: :default:
ipset -F ipset -F
ipset -X ipset -X
ipset -R < ${VARDIR}/ipsets.save ipset -R < ${VARDIR}/ipsets.save
where $VARDIR normally contains /var/lib/shorewall where $VARDIR normally contains /var/lib/shorewall
@ -1700,7 +1700,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
gateway:~ # shorewall restart gateway:~ # shorewall restart
Restarting Shorewall.... Restarting Shorewall....
done. done.
gateway:~ # gateway:~ #
In other words, you can compile the current configuration then In other words, you can compile the current configuration then
install it at a later time. install it at a later time.
@ -1750,8 +1750,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
This previously generated these two rules (long rules folded): This previously generated these two rules (long rules folded):
-A loc2net -p 6 --dport 25 -j LOG --log-level 6 -A loc2net -p 6 --dport 25 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:reject:" --log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject -A loc2net -p 6 --dport 25 -j reject
It now generates these rules: It now generates these rules:
@ -1760,8 +1760,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
-A loc2net -p 6 --dport 25 -g log0 -A loc2net -p 6 --dport 25 -g log0
... ...
-A log0 -j LOG --log-level 6 -A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:" --log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -j reject -A log0 -j reject
Notice that now there is only a single rule generated in the Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than 'loc2net' chain where before there were two. Packets for other than
@ -1861,7 +1861,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
It is important to realize that, while class IDs are composed of a It is important to realize that, while class IDs are composed of a
<major> and a <minor> value, the set of <minor> values must be <major> and a <minor> value, the set of <minor> values must be
unique. You must keep this in mind when deciding how to map IP unique. You must keep this in mind when deciding how to map IP
addresses to class IDs. addresses to class IDs.
For example, suppose that your internal network is 192.168.1.0/29 For example, suppose that your internal network is 192.168.1.0/29
(host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
@ -1974,7 +1974,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1:100 - 16mbit 20mbit 2 1:100 - 16mbit 20mbit 2
1:100:101 - 8mbit 20mbit 3 default 1:100:101 - 8mbit 20mbit 3 default
1:100:102 - 8mbit 20mbit 3 1:100:102 - 8mbit 20mbit 3
/etc/shorewall/tcrules /etc/shorewall/tcrules
#MARK SOURCE DEST #MARK SOURCE DEST
@ -1990,7 +1990,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Local traffic (that coming from the firewall and from the DMZ Local traffic (that coming from the firewall and from the DMZ
server) is placed in the effectively unrestricted class 1:10. The server) is placed in the effectively unrestricted class 1:10. The
default class is guaranteed half of the download capacity and my default class is guaranteed half of the download capacity and my
work system (172.20.1.107) is guarandeed the other half. work system (172.20.1.107) is guarandeed the other half.
19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is claimed to be superior to the discipline has been added. HFSC is claimed to be superior to the
@ -2018,7 +2018,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
in the class should experience. The delay is expressed in the class should experience. The delay is expressed
in milliseconds and may be followed by 'ms' (e.g., in milliseconds and may be followed by 'ms' (e.g.,
10ms. Note that there may be no white space between the 10ms. Note that there may be no white space between the
number and 'ms'). number and 'ms').
3. The maximum transmission unit (UMAX) for this class of 3. The maximum transmission unit (UMAX) for this class of
traffic. If not specified, the MTU of the interface is traffic. If not specified, the MTU of the interface is
used. The length is specified in bytes and may be used. The length is specified in bytes and may be
@ -2101,7 +2101,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
25) A new extension script, 'lib.private' has been added. This file is 25) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be intended to include declarations of shell functions that will be
called by the other run-time extension scripts. called by the other run-time extension scripts.
26) Paul Gear has contributed the following macros: 26) Paul Gear has contributed the following macros:
@ -2178,7 +2178,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If flow is not supported, you will see: If flow is not supported, you will see:
Unknown filter "flow", hence option "help" is unparsable Unknown filter "flow", hence option "help" is unparsable
If your kernel supports module autoloading, just type (as root): If your kernel supports module autoloading, just type (as root):
modprobe cls_flow modprobe cls_flow
@ -2187,7 +2187,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
see: see:
FATAL: Module cls_flow not found. FATAL: Module cls_flow not found.
If your kernel is not modularized or does not support module If your kernel is not modularized or does not support module
autoloading, look at your kernel configuration (either autoloading, look at your kernel configuration (either
/proc/config.gz or the .config file in /proc/config.gz or the .config file in
@ -2195,7 +2195,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If 'flow' is supported, you will see: If 'flow' is supported, you will see:
NET_CLS_FLOW=m NET_CLS_FLOW=m
or or
@ -2203,4 +2203,4 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
For modularized kernels, Shorewall will attempt to load For modularized kernels, Shorewall will attempt to load
/lib/modules/<kernel-version>/net/sched/cls_flow.ko by default. /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.


@ -32,7 +32,7 @@
# $1 = Yes: read the params file # $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED # $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE # $3 = Yes: Check for LOGFILE
# #
get_config() { get_config() {
local prog local prog
@ -47,7 +47,7 @@ get_config() {
fi fi
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
if [ -r $config ]; then if [ -r $config ]; then
. $config . $config
@ -61,7 +61,7 @@ get_config() {
fi fi
ensure_config_path ensure_config_path
if [ -z "$g_export" -a "$(id -u)" = 0 ]; then if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
# #
# This block is avoided for compile for export and when the user isn't root # This block is avoided for compile for export and when the user isn't root
@ -109,7 +109,7 @@ get_config() {
IP=$prog IP=$prog
;; ;;
esac esac
else else
IP='ip' IP='ip'
fi fi
@ -130,7 +130,7 @@ get_config() {
IPSET=$prog IPSET=$prog
;; ;;
esac esac
else else
IPSET='ipset' IPSET='ipset'
fi fi
@ -151,7 +151,7 @@ get_config() {
TC=$prog TC=$prog
;; ;;
esac esac
else else
TC='tc' TC='tc'
fi fi
# #
@ -196,7 +196,7 @@ get_config() {
;; ;;
esac esac
[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
@ -222,7 +222,7 @@ get_config() {
else else
STARTUP_LOG= STARTUP_LOG=
LOG_VERBOSITY=-1 LOG_VERBOSITY=-1
fi fi
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -x "$SHOREWALL_SHELL" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then
@ -313,7 +313,7 @@ startup_error() {
# Run the compiler # Run the compiler
# #
compiler() { compiler() {
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then
if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
startup_error "Ordinary users may not compile the /etc/shorewall configuration" startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@ -338,10 +338,10 @@ compiler() {
[ -n "$g_profile" ] && debugflags='-wd:DProf' [ -n "$g_profile" ] && debugflags='-wd:DProf'
# Perl compiler only takes the output file as a argument # Perl compiler only takes the output file as a argument
[ "$1" = debug -o "$1" = trace ] && shift; [ "$1" = debug -o "$1" = trace ] && shift;
[ "$1" = nolock ] && shift; [ "$1" = nolock ] && shift;
shift shift
options="--verbose=$VERBOSITY" options="--verbose=$VERBOSITY"
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@ -356,7 +356,7 @@ compiler() {
# #
# Run the appropriate params file # Run the appropriate params file
# #
set -a; set -a;
run_user_exit params run_user_exit params
set +a set +a
@ -537,7 +537,7 @@ compile_command() {
t*) t*)
g_test=Yes g_test=Yes
option=${option#t} option=${option#t}
;; ;;
d*) d*)
g_debug=Yes; g_debug=Yes;
option=${option#d} option=${option#d}
@ -755,7 +755,7 @@ restart_command() {
fi fi
fi fi
if [ -z "$g_fast" ]; then if [ -z "$g_fast" ]; then
progress_message3 "Compiling..." progress_message3 "Compiling..."
if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@ -774,7 +774,7 @@ restart_command() {
rc=$? rc=$?
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
fi fi
return $rc return $rc
} }
@ -958,7 +958,7 @@ safe_commands() {
else else
${VARDIR}/.$command clear ${VARDIR}/.$command clear
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
echo "New configuration has been rejected and the old one restored" echo "New configuration has been rejected and the old one restored"
@ -989,7 +989,7 @@ try_command() {
echo "Directory $1 does not exist" >&2 && exit 2 echo "Directory $1 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$(resolve_file $1) SHOREWALL_DIR=$(resolve_file $1)
} }
@ -1032,7 +1032,7 @@ try_command() {
2) 2)
handle_directory $1 handle_directory $1
timeout=$2 timeout=$2
case $timeout in case $timeout in
*[!0-9]*) *[!0-9]*)
echo " ERROR: Invalid timeout ($timeout)" >&2; echo " ERROR: Invalid timeout ($timeout)" >&2;
exit 1 exit 1
@ -1084,12 +1084,12 @@ try_command() {
if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
sleep $timeout sleep $timeout
if [ "$command" = "restart" ]; then if [ "$command" = "restart" ]; then
${VARDIR}/.try restore ${VARDIR}/.try restore
else else
${VARDIR}/.$command clear ${VARDIR}/.$command clear
fi fi
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -1106,7 +1106,7 @@ rsh_command() {
rcp_command() { rcp_command() {
files="$1" files="$1"
destination=$2 destination=$2
eval $RCP_COMMAND eval $RCP_COMMAND
} }
@ -1247,12 +1247,12 @@ reload_command() # $* = original arguments less the command.
export_command() # $* = original arguments less the command. export_command() # $* = original arguments less the command.
{ {
local verbose local verbose
verbose=$(make_verbose) verbose=$(make_verbose)
local file local file
file= file=
local finished local finished
finished=0 finished=0
local directory local directory
local target local target
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -1455,7 +1455,7 @@ while [ $finished -eq 0 ]; do
;; ;;
v*) v*)
option=${option#v} option=${option#v}
case $option in case $option in
-1*) -1*)
g_use_verbosity=-1 g_use_verbosity=-1
option=${option#-1} option=${option#-1}
@ -1542,7 +1542,7 @@ version_command() {
[ $# -gt 0 ] && usage 1 [ $# -gt 0 ] && usage 1
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION
if [ -n "$all" ]; then if [ -n "$all" ]; then
for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
if [ -f /usr/share/$product/version ]; then if [ -f /usr/share/$product/version ]; then
@ -1570,7 +1570,7 @@ g_timestamp=
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
if [ ! -f ${VARDIR}/firewall ]; then if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
fi fi
g_firewall=${VARDIR}/firewall g_firewall=${VARDIR}/firewall
@ -1920,7 +1920,7 @@ case "$COMMAND" in
else else
fatal_error "Shorewall is not started" fatal_error "Shorewall is not started"
fi fi
;; ;;
noiptrace) noiptrace)
get_config get_config
shift shift
@ -1930,7 +1930,7 @@ case "$COMMAND" in
else else
fatal_error "Shorewall is not started" fatal_error "Shorewall is not started"
fi fi
;; ;;
*) *)
usage 1 usage 1
;; ;;


@ -105,7 +105,7 @@ fi
%attr(0644,root,root) %{_mandir}/man5/* %attr(0644,root,root) %{_mandir}/man5/*
%attr(0644,root,root) %{_mandir}/man8/* %attr(0644,root,root) %{_mandir}/man8/*
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net * Sun Jun 06 2010 Tom Eastep tom@shorewall.net


@ -33,7 +33,7 @@
# #
interface_is_up() { interface_is_up() {
[ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
} }
case $# in case $# in
@ -57,4 +57,4 @@ done
exit 1 exit 1