Some headway on safe/restore

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3374 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-25 00:13:45 +00:00
parent c137f1992a
commit 0c084c3055
5 changed files with 140 additions and 6065 deletions


@ -46,62 +46,62 @@
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
{ echo " ERROR: $@" >&2 { echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE [ -n "$OUTPUT" ] && rm -f $OUTPUT
exit 2 exit 2
} }
# #
# Write the passed args to $RESTOREBASE -- We need all of these varieties to support # Write the passed args to $OUTPUT -- We need all of these varieties to support
# extension scripts. # extension scripts.
# #
save_command() save_command()
{ {
echo "${INDENT}${@}" >> $RESTOREBASE echo "${INDENT}${@}" >> $OUTPUT
} }
run_and_save_command() run_and_save_command()
{ {
echo "${INDENT}${@}" >> $RESTOREBASE echo "${INDENT}${@}" >> $OUTPUT
} }
ensure_and_save_command() ensure_and_save_command()
{ {
echo "${INDENT}${@}" >> $RESTOREBASE echo "${INDENT}${@}" >> $OUTPUT
} }
save_command_unindented() save_command_unindented()
{ {
echo "${@}" >> $RESTOREBASE echo "${@}" >> $OUTPUT
} }
# #
# Write a progress_message2 command to $RESTOREBASE # Write a progress_message2 command to $OUTPUT
# #
save_progress_message() save_progress_message()
{ {
echo >> $RESTOREBASE echo >> $OUTPUT
echo "${INDENT}progress_message2 \"$@\"" >> $RESTOREBASE echo "${INDENT}progress_message2 \"$@\"" >> $OUTPUT
echo >> $RESTOREBASE echo >> $OUTPUT
} }
save_progress_message_short() save_progress_message_short()
{ {
echo "${INDENT}progress_message \"$@\"" >> $RESTOREBASE echo "${INDENT}progress_message \"$@\"" >> $OUTPUT
} }
progress_message_and_save() progress_message_and_save()
{ {
[ $VERBOSE -gt 1 ] && echo "$@" [ $VERBOSE -gt 1 ] && echo "$@"
echo "${INDENT}progress_message \"$@\"" >> $RESTOREBASE echo "${INDENT}progress_message \"$@\"" >> $OUTPUT
} }
# #
# Append a file in /var/lib/shorewall to $RESTOREBASE # Append a file in /var/lib/shorewall to $OUTPUT
# #
append_file() # $1 = File Name append_file() # $1 = File Name
{ {
save_command "cat > /var/lib/shorewall/$1 << __EOF__" save_command "cat > /var/lib/shorewall/$1 << __EOF__"
cat $STATEDIR/$1 >> $RESTOREBASE cat $STATEDIR/$1 >> $OUTPUT
save_command_unindented __EOF__ save_command_unindented __EOF__
} }
@ -1027,7 +1027,7 @@ validate_interfaces_file() {
dhcp|tcpflags|arp_filter|routefilter|maclist|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-) dhcp|tcpflags|arp_filter|routefilter|maclist|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
;; ;;
norfc1918) norfc1918)
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) ${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
${INDENT}if [ -n "\$addr" ]; then ${INDENT}if [ -n "\$addr" ]; then
@ -1092,7 +1092,7 @@ setup_providers()
local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum pref echobin=$(mywhich echo) balance local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum pref echobin=$(mywhich echo) balance
copy_table() { copy_table() {
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
${INDENT} case \$net in ${INDENT} case \$net in
${INDENT} default|nexthop) ${INDENT} default|nexthop)
@ -1106,7 +1106,7 @@ __EOF__
} }
copy_and_edit_table() { copy_and_edit_table() {
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
${INDENT} case \$net in ${INDENT} case \$net in
${INDENT} default|nexthop) ${INDENT} default|nexthop)
@ -1159,7 +1159,7 @@ __EOF__
fi fi
if [ "x$gateway" = xdetect ] ; then if [ "x$gateway" = xdetect ] ; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} gateway=\$(detect_gateway $interface) ${INDENT} gateway=\$(detect_gateway $interface)
${INDENT} if [ -n "\$gateway" ]; then ${INDENT} if [ -n "\$gateway" ]; then
@ -1215,7 +1215,7 @@ __EOF__
rulenum=0 rulenum=0
if [ -z "$loose" ]; then if [ -z "$loose" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} rulenum=0 ${INDENT} rulenum=0
@ -1228,7 +1228,7 @@ ${INDENT} done
__EOF__ __EOF__
else else
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} find_interface_addresses $interface | while read address; do ${INDENT} find_interface_addresses $interface | while read address; do
${INDENT} qt ip rule del from \$address ${INDENT} qt ip rule del from \$address
@ -1263,7 +1263,7 @@ __EOF__
save_command " progress_message Default route \$DEFAULT_ROUTE Added" save_command " progress_message Default route \$DEFAULT_ROUTE Added"
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} cat > /etc/iproute2/rt_tables <<EOF ${INDENT} cat > /etc/iproute2/rt_tables <<EOF
# #
# reserved values # reserved values
@ -1279,7 +1279,7 @@ EOF
__EOF__ __EOF__
for table in $PROVIDERS; do for table in $PROVIDERS; do
eval number=\$${table}_number eval number=\$${table}_number
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables ${INDENT} \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__ __EOF__
done done
@ -2202,7 +2202,7 @@ setup_proxy_arp() {
[ -n "$persistent" ] && haveroute=yes [ -n "$persistent" ] && haveroute=yes
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if ! arp -i $external -Ds $address $external pub; then ${INDENT}if ! arp -i $external -Ds $address $external pub; then
${INDENT} fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed" ${INDENT} fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed"
${INDENT}fi ${INDENT}fi
@ -2424,7 +2424,7 @@ setup_mac_lists() {
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}blob=\$(ip link show $interface 2> /dev/null) ${INDENT}blob=\$(ip link show $interface 2> /dev/null)
@ -2510,7 +2510,7 @@ setup_syn_flood_chains()
# Delete existing Proxy ARP # Delete existing Proxy ARP
# #
delete_proxy_arp() { delete_proxy_arp() {
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f /var/lib/shorewall/proxyarp ]; then ${INDENT}if [ -f /var/lib/shorewall/proxyarp ]; then
${INDENT} while read address interface external haveroute; do ${INDENT} while read address interface external haveroute; do
${INDENT} qt arp -i \$external -d \$address pub ${INDENT} qt arp -i \$external -d \$address pub
@ -2523,7 +2523,7 @@ __EOF__
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp [ -d $STATEDIR ] && touch $STATEDIR/proxyarp
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
${INDENT} [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp ${INDENT} [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
@ -2619,7 +2619,7 @@ delete_nat() {
[ -d $STATEDIR ] && touch $STATEDIR/nat [ -d $STATEDIR ] && touch $STATEDIR/nat
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f /var/lib/shorewall/nat ]; then ${INDENT}if [ -f /var/lib/shorewall/nat ]; then
${INDENT} while read external interface; do ${INDENT} while read external interface; do
@ -2950,7 +2950,7 @@ setup_traffic_shaping()
expandv device inband outband defmark ackmark expandv device inband outband defmark ackmark
tcdev="$device $inband $outband" tcdev="$device $inband $outband"
add_root_tc add_root_tc
progress_message_and_save " TC Device $tcdev $DONE." progress_message_and_save " TC Device $tcdev defined."
done < $TMP_DIR/tcdevices done < $TMP_DIR/tcdevices
fi fi
@ -2962,7 +2962,7 @@ setup_traffic_shaping()
tcdev="$device $mark $rate $ceil $prio $options" tcdev="$device $mark $rate $ceil $prio $options"
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')
add_tc_class add_tc_class
progress_message_and_save " TC Class $tcdev $DONE." progress_message_and_save " TC Class $tcdev defined."
done < $TMP_DIR/tcclasses done < $TMP_DIR/tcclasses
fi fi
} }
@ -3318,7 +3318,7 @@ delete_tc()
run_user_exit tcclear run_user_exit tcclear
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}ip link list | while read inx interface details; do ${INDENT}ip link list | while read inx interface details; do
${INDENT} case \$inx in ${INDENT} case \$inx in
${INDENT} [0-9]*) ${INDENT} [0-9]*)
@ -4499,7 +4499,7 @@ process_actions3() {
run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
else else
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
@ -4508,13 +4508,13 @@ __EOF__
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address ${INDENT} log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
__EOF__ __EOF__
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -A $xchain -d \$address -j DROP ${INDENT} run_iptables -A $xchain -d \$address -j DROP
${INDENT}done ${INDENT}done
@ -4552,7 +4552,7 @@ __EOF__
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
else else
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
@ -4561,13 +4561,13 @@ __EOF__
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address ${INDENT} log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
__EOF__ __EOF__
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -A $xchain -d \$address -j ${INDENT} run_iptables -A $xchain -d \$address -j
${INDENT}done ${INDENT}done
@ -4791,7 +4791,7 @@ add_nat_rule() {
else else
savecomment "addr=" savecomment "addr="
for interface in $interfaces; do for interface in $interfaces; do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}addr="\$addr \$(find_first_interface_address $interface)" ${INDENT}addr="\$addr \$(find_first_interface_address $interface)"
__EOF__ __EOF__
done done
@ -4864,7 +4864,7 @@ __EOF__
if [ $addr = detect ]; then if [ $addr = detect ]; then
ensurenatchain $(dnat_chain $source) ensurenatchain $(dnat_chain $source)
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for adr in \$addr; do ${INDENT}for adr in \$addr; do
${INDENT} run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain ${INDENT} run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain
@ -4893,17 +4893,17 @@ __EOF__
if [ $addr = detect ]; then if [ $addr = detect ]; then
ensurenatchain $chain ensurenatchain $chain
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for adr in \$addr; do ${INDENT}for adr in \$addr; do
__EOF__ __EOF__
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr ${INDENT} log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1 ${INDENT} run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1
__EOF__ __EOF__
else else
@ -5216,7 +5216,7 @@ process_rule() # $1 = target
for srv in $(firewall_ip_range $serv1); do for srv in $(firewall_ip_range $serv1); do
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
if [ "$addr" = detect ]; then if [ "$addr" = detect ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target ${INDENT} run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
${INDENT}done ${INDENT}done
@ -6615,7 +6615,7 @@ setup_masq()
done done
networks= networks=
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
@ -6649,7 +6649,7 @@ __EOF__
done done
done done
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
@ -6658,11 +6658,11 @@ ${INDENT}[ -z "\$networks" ] && fatal_error "Unable to determine the routes thro
${INDENT}for network in \$networks; do ${INDENT}for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain ${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain
__EOF__ __EOF__
done done
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}done ${INDENT}done
__EOF__ __EOF__
@ -6732,7 +6732,7 @@ __EOF__
fi fi
done done
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
@ -6741,7 +6741,7 @@ ${INDENT}[ -z "\$networks" ] && fatal_error "Unable to determine the routes thro
${INDENT}for network in \$networks; do ${INDENT}for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist ${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
__EOF__ __EOF__
done done
@ -6752,7 +6752,7 @@ __EOF__
message=" To $destination $displayproto from \$network through ${interface}" message=" To $destination $displayproto from \$network through ${interface}"
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} progress_message "$message" ${INDENT} progress_message "$message"
${INDENT}done ${INDENT}done
@ -7178,7 +7178,7 @@ initialize_netfilter () {
createchain dynamic no createchain dynamic no
createchain smurfs no createchain smurfs no
echo >> $RESTOREBASE << __EOF__ echo >> $OUTPUT << __EOF__
${INDENT}if [ -f /var/lib/shorewall/save ]; then ${INDENT}if [ -f /var/lib/shorewall/save ]; then
${INDENT} progress_message2 "Setting up dynamic rules..." ${INDENT} progress_message2 "Setting up dynamic rules..."
${INDENT} while read target ignore1 ignore2 address rest; do ${INDENT} while read target ignore1 ignore2 address rest; do
@ -7214,7 +7214,7 @@ add_common_rules() {
drop_broadcasts() { drop_broadcasts() {
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
${INDENT} run_iptables -A reject -d \$address -j DROP ${INDENT} run_iptables -A reject -d \$address -j DROP
@ -7233,15 +7233,15 @@ __EOF__
save_progress_message "Setting up SMURF control..." save_progress_message "Setting up SMURF control..."
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
[ -n "$SMURF_LOG_LEVEL" ] && \ [ -n "$SMURF_LOG_LEVEL" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address ${INDENT} log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address
__EOF__ __EOF__
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT} run_iptables -A smurfs -s \$address -j DROP ${INDENT} run_iptables -A smurfs -s \$address -j DROP
${INDENT}done ${INDENT}done
@ -7499,7 +7499,7 @@ __EOF__
# #
save_progress_message "Setting up ARP filtering..." save_progress_message "Setting up ARP filtering..."
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
${INDENT} [ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter ${INDENT} [ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter
${INDENT} [ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore ${INDENT} [ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore
@ -7515,7 +7515,7 @@ __EOF__
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter file=/proc/sys/net/ipv4/conf/$interface/arp_filter
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f $file ]; then ${INDENT}if [ -f $file ]; then
${INDENT} echo 1 > $file ${INDENT} echo 1 > $file
${INDENT}else ${INDENT}else
@ -7527,7 +7527,7 @@ __EOF__
for interface in $interfaces1; do for interface in $interfaces1; do
file=/proc/sys/net/ipv4/conf/$interface/arp_ignore file=/proc/sys/net/ipv4/conf/$interface/arp_ignore
eval value="\$$(chain_base $interface)_arp_ignore" eval value="\$$(chain_base $interface)_arp_ignore"
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f $file ]; then ${INDENT}if [ -f $file ]; then
${INDENT} echo $value > $file ${INDENT} echo $value > $file
${INDENT}else ${INDENT}else
@ -7546,7 +7546,7 @@ __EOF__
save_progress_message "Setting up Route Filtering..." save_progress_message "Setting up Route Filtering..."
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter ${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter
@ -7556,7 +7556,7 @@ __EOF__
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter file=/proc/sys/net/ipv4/conf/$interface/rp_filter
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f $file ]; then ${INDENT}if [ -f $file ]; then
${INDENT} echo 1 > $file ${INDENT} echo 1 > $file
${INDENT}else ${INDENT}else
@ -7585,7 +7585,7 @@ __EOF__
save_progress_message "Setting up Martian Logging..." save_progress_message "Setting up Martian Logging..."
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/log_martians ${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/log_martians
@ -7595,7 +7595,7 @@ __EOF__
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/log_martians file=/proc/sys/net/ipv4/conf/$interface/log_martians
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f $file ]; then ${INDENT}if [ -f $file ]; then
${INDENT} echo 1 > $file ${INDENT} echo 1 > $file
${INDENT}else ${INDENT}else
@ -7616,7 +7616,7 @@ __EOF__
# #
save_progress_message "Setting up Accept Source Routing..." save_progress_message "Setting up Accept Source Routing..."
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
${INDENT} [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route ${INDENT} [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route
${INDENT}done ${INDENT}done
@ -7633,7 +7633,7 @@ __EOF__
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/accept_source_route file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
${INDENT}if [ -f $file ]; then ${INDENT}if [ -f $file ]; then
${INDENT} echo 1 > $file ${INDENT} echo 1 > $file
${INDENT}else ${INDENT}else
@ -8032,7 +8032,7 @@ compile_stop_firewall() {
local IPTABLES_COMMAND="\$IPTABLES" local IPTABLES_COMMAND="\$IPTABLES"
local INDENT=" " local INDENT=" "
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
stop_firewall() { stop_firewall() {
@ -8145,7 +8145,7 @@ __EOF__
if [ -n "$CRITICALHOSTS" ]; then if [ -n "$CRITICALHOSTS" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then if [ -z "$ADMINISABSENTMINDED" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
for chain in INPUT OUTPUT; do for chain in INPUT OUTPUT; do
setpolicy \$chain ACCEPT setpolicy \$chain ACCEPT
@ -8168,7 +8168,7 @@ __EOF__
__EOF__ __EOF__
else else
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
for chain in INPUT OUTPUT; do for chain in INPUT OUTPUT; do
setpolicy \$chain ACCEPT setpolicy \$chain ACCEPT
@ -8194,7 +8194,7 @@ __EOF__
__EOF__ __EOF__
fi fi
elif [ -z "$ADMINISABSENTMINDED" ]; then elif [ -z "$ADMINISABSENTMINDED" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
setpolicy \$chain DROP setpolicy \$chain DROP
@ -8204,7 +8204,7 @@ __EOF__
__EOF__ __EOF__
else else
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
for chain in INPUT FORWARD; do for chain in INPUT FORWARD; do
setpolicy \$chain DROP setpolicy \$chain DROP
@ -8251,7 +8251,7 @@ __EOF__
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
run_user_exit stopped run_user_exit stopped
@ -8314,24 +8314,22 @@ compile_firewall() # $1 = File Name
DONE=checked DONE=checked
fi fi
RESTOREBASE=$(mktempfile /tmp)
STATEDIR=$(mktempdir) STATEDIR=$(mktempdir)
[ -n "$RESTOREBASE" ] || fatal_error "Cannot create temporary file in /tmp" OUTPUT=$(mktempfile $STATEDIR)
[ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --" [ -n "$OUTPUT" ] || fatal_error "Cannot create temporary file in /tmp"
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
# #
# Compiled startup file generated by Shorewall $VERSION - $(date)" # Compiled startup file generated by Shorewall $VERSION - $(date)"
# #
__EOF__ __EOF__
if [ -n "$EXPORT" ]; then if [ -n "$EXPORT" ]; then
cat /usr/share/shorewall/functions >> $RESTOREBASE cat /usr/share/shorewall/functions >> $OUTPUT
else else
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
. /usr/share/shorewall/functions . /usr/share/shorewall/functions
__EOF__ __EOF__
@ -8340,7 +8338,7 @@ __EOF__
compile_stop_firewall compile_stop_firewall
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
setpolicy() { setpolicy() {
\$IPTABLES -P \$1 \$2 \$IPTABLES -P \$1 \$2
@ -8359,7 +8357,7 @@ clear_firewall() {
__EOF__ __EOF__
if [ -n "$DISABLE_IPV6" ]; then if [ -n "$DISABLE_IPV6" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
if qt mywhich ip6tables; then if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null ip6tables -P OUTPUT ACCEPT 2> /dev/null
@ -8369,7 +8367,7 @@ __EOF__
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
run_user_exit clear run_user_exit clear
set_state "Cleared" set_state "Cleared"
@ -8420,7 +8418,7 @@ run_tc() {
initialize() { initialize() {
__EOF__ __EOF__
if [ -z "$EXPORT" ]; then if [ -z "$EXPORT" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
startup_error "This script requires Shorewall version $VERSION" startup_error "This script requires Shorewall version $VERSION"
fi fi
@ -8428,7 +8426,7 @@ __EOF__
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
# #
# These variables are required by the library functions called in this script # These variables are required by the library functions called in this script
# #
@ -8447,20 +8445,20 @@ __EOF__
__EOF__ __EOF__
if [ -n "$IPTABLES" ]; then if [ -n "$IPTABLES" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
IPTABLES="$IPTABLES" IPTABLES="$IPTABLES"
[ -e "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable" [ -e "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"
__EOF__ __EOF__
else else
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
IPTABLES=\$(mywhich iptables 2> /dev/null) IPTABLES=\$(mywhich iptables 2> /dev/null)
[ -z "\$IPTABLES" ] && startup_error "Can't find iptables executable" [ -z "\$IPTABLES" ] && startup_error "Can't find iptables executable"
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
STOPPING= STOPPING=
# #
@ -8473,7 +8471,7 @@ __EOF__
save_command "define_firewall() {" save_command "define_firewall() {"
INDENT=" " INDENT=" "
cat >> $RESTOREBASE << __EOF__ cat >> $OUTPUT << __EOF__
load_kernel_modules load_kernel_modules
@ -8564,6 +8562,13 @@ __EOF__
append_file $file append_file $file
done done
# Logical break between restore-base and restore-tail
if [ $COMMAND = compile ]; then
mv -f $OUTPUT $STATEDIR/restore-base
OUTPUT=$(mktempfile $STATEDIR)
fi
save_command "date > /var/lib/shorewall/restarted" save_command "date > /var/lib/shorewall/restarted"
run_user_exit start run_user_exit start
@ -8576,28 +8581,21 @@ __EOF__
run_user_exit started run_user_exit started
INDENT=
save_command "}"
save_command ""
if [ -n "$PROGRAM" ]; then
cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile
rm $RESTOREBASE
elif [ $COMMAND = compile ]; then
save_command "initialize"
save_command "define_firewall"
mv -f $RESTOREBASE $outfile
fi
if [ $COMMAND = check ]; then if [ $COMMAND = check ]; then
rm -f $RESTOREBASE
echo "Shorewall configuration verified" echo "Shorewall configuration verified"
else else
cp $OUTPUT $STATEDIR/restore-tail
append_file restore-base
append_file restore-tail
INDENT=
save_command "}"
cat $(find_file prog.header) $STATEDIR/restore-base $OUTPUT $(find_file prog.footer) > $outfile
chmod 700 $outfile chmod 700 $outfile
rm -f $STATEDIR/restore-base rm -f $STATEDIR/restore-tail
progress_message2 "Shorewall configuration compiled to $outfile" progress_message2 "Shorewall configuration compiled to $outfile"
fi fi
rm -f $OUTPUT
rm -rf $TMP_DIR rm -rf $TMP_DIR
rm -rf $STATEDIR rm -rf $STATEDIR
@ -8723,7 +8721,7 @@ do_initialize() {
RESTOREFILE= RESTOREFILE=
MAPOLDACTIONS= MAPOLDACTIONS=
RESTOREBASE= OUTPUT=
TMP_DIR= TMP_DIR=
ALL_INTERFACES= ALL_INTERFACES=
ROUTEMARK_INTERFACES= ROUTEMARK_INTERFACES=
@ -8754,7 +8752,7 @@ do_initialize() {
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
fatal_error "Can't create a temporary directory" fatal_error "Can't create a temporary directory"
trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
ensure_config_path ensure_config_path
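Review bot: The second `OUTPUT=$(mktempfile $STATEDIR)` in the new restore-base/restore-tail split (right after `mv -f $OUTPUT $STATEDIR/restore-base`) is unchecked, unlike the first one in compile_firewall; if it fails, OUTPUT is empty, every later `>> $OUTPUT` becomes an ambiguous redirect, and the final `cat $(find_file prog.header) $STATEDIR/restore-base $OUTPUT $(find_file prog.footer) > $outfile` still writes and chmods a truncated firewall script while reporting it as compiled. Add `[ -n "$OUTPUT" ] || fatal_error "Cannot create temporary file in $STATEDIR"` after it, and note that the surviving check's message still says `in /tmp` although the file is now created in $STATEDIR. Because $OUTPUT and restore-base now live under $STATEDIR, fatal_error only removing $TMP_DIR and $OUTPUT leaves a partially compiled script in the state directory on error — presumably STATEDIR should be removed there too, but its error-path cleanup is not visible in this view. The `cp $OUTPUT $STATEDIR/restore-tail` result is likewise unchecked; compile_firewall's body extends beyond the shown hunks.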



@ -88,7 +88,7 @@ clear)
;; ;;
compile) compile)
echo "compile: compile [ -e ] [ -p ] [ <directory name> ] <path name> echo "compile: compile [ -e ] [ <directory name> ] <path name>
Compiles the current configuration into the executable file Compiles the current configuration into the executable file
<path name>. If <path name> names a file in /var/lib/shorewall then <path name>. If <path name> names a file in /var/lib/shorewall then
the file may be executed using the \"restore\" command. the file may be executed using the \"restore\" command.
@ -98,11 +98,6 @@ compile)
certain configuration options that require the script to be compiled certain configuration options that require the script to be compiled
where it is to be run. where it is to be run.
When -p is specified, a complete program is produced that supports
the 'start', 'stop', 'restart', etc. commands. That program is suitable
for placing in /etc/init.d/ and can provide a firewall on a system
without Shorewall installed.
'generate' is a synonym for 'compile'." 'generate' is a synonym for 'compile'."
;; ;;
@ -175,7 +170,7 @@ forget)
;; ;;
generate) generate)
echo "generate: generate [ <directory name> ] <file name> echo "generate: generate [ -e ] [ <directory name> ] <file name>
Compiles the current configuration into the executable file Compiles the current configuration into the executable file
/var/lib/shorewall/<file name> /var/lib/shorewall/<file name>


@ -2,7 +2,7 @@
# Give Usage Information # # Give Usage Information #
################################################################################ ################################################################################
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|restore|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -138,6 +138,9 @@ case "$COMMAND" in
help) help)
usage 0 usage 0
;; ;;
restore)
restore_command
;;
*) *)
usage 2 usage 2
;; ;;
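Review bot: The new `restore)` arm dispatches to `restore_command`, but nothing in this hunk defines it, and the usage string now advertises `restore` to users of the standalone program; if it is supplied by the compiled body or a sourced library, a one-line comment on the arm would save the next reader a search, e.g. `# restore_command is provided by the compiled firewall body (not defined in this footer)`. If it is not yet defined, the new command will fail with a command-not-found error rather than a usage message. The enclosing `case "$COMMAND"` starts outside this hunk.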


@ -578,7 +578,6 @@ start_command() {
esac esac
export NOROUTES export NOROUTES
export PROGRAM=Yes
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
if qt mywhich make; then if qt mywhich make; then
@ -644,10 +643,6 @@ compile_command() {
VERBOSE=$(($VERBOSE + 1 )) VERBOSE=$(($VERBOSE + 1 ))
option=${option#v} option=${option#v}
;; ;;
p*)
export PROGRAM=Yes
option=${option#p}
;;
-) -)
finished=1 finished=1
option= option=
@ -827,7 +822,6 @@ reload_command() {
esac esac
export NOROUTES export NOROUTES
export PROGRAM=Yes
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
@ -906,7 +900,6 @@ restart_command() {
esac esac
export NOROUTES export NOROUTES
export PROGRAM=Yes
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
@ -1221,8 +1214,6 @@ safe_commands() {
[ $# -eq 0 ] || usage 2 [ $# -eq 0 ] || usage 2
export PROGRAM=Yes
mutex_on mutex_on
if shorewall_is_started; then if shorewall_is_started; then
@ -1376,12 +1367,12 @@ usage() # $1 = exit status
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -q ] [ <directory> ]" echo " check [ -q ] [ <directory> ]"
echo " clear" echo " clear"
echo " compile [ -e ] [ -p ] [ <directory name> ] <path name>" echo " compile [ -e ] [ -v ] [ -q ] [ <directory name> ] <path name>"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -q ] [ -v ]" echo " dump [ -q ] [ -v ]"
echo " forget [ <file name> ]" echo " forget [ <file name> ]"
echo " generate [ -e ] [-p ] [ <directory name> ] <path name>" echo " generate [ -e ] [-v ] [ -q ] [ <directory name> ] <path name>"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }" echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
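Review bot: The rewritten usage lines for `compile` and `generate` advertise `-v` and `-q`, but the help text changed in the same commit still lists only `compile [ -e ] [ <directory name> ] <path name>`, so the two documented option sets now disagree; one of them should be brought in line. The `generate` line also keeps the `[-v ]` spacing where every other entry uses `[ -v ]`: `echo " generate [ -e ] [ -v ] [ -q ] [ <directory name> ] <path name>"`. compile_command's visible option parsing handles `v*` and `-`; whether `q*` is handled is outside this hunk.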