From 112dca90674f1ceb24306b50dcdf024a138d5fd2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 27 Oct 2006 22:42:05 +0000
Subject: [PATCH] Add lib.commands
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4743 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 +
 Shorewall/lib.command | 826 +++++++++++++++++++++++++++++++++++++
 Shorewall/releasenotes.txt | 5 +
 Shorewall/shorewall | 811 +-----------------------------------
 4 files changed, 842 insertions(+), 802 deletions(-)
 create mode 100644 Shorewall/lib.command
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 97b090d13..669d2f5d0 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,8 @@ Changes in 3.3.4
 7) Support ip ranges in the drop, logdrop, reject, and allow commands.
+8) Add lib.commands.
+
 Changes in 3.3.3
 1) Fix excluding in SUBNET column.
diff --git a/Shorewall/lib.command b/Shorewall/lib.command
new file mode 100644
index 000000000..85cd5a813
--- /dev/null
+++ b/Shorewall/lib.command
@@ -0,0 +1,826 @@ +#!/bin/sh +# +# Shorewall 3.3 -- /usr/share/shorewall/lib.command +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# This library contains the command processing code common to /sbin/shorewall and +# /sbin/shorewall-lite. +# + +# +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " $@" >&2 + exit 2 +} + +# Display a chain if it exists +# + +showfirstchain() # $1 = name of chain +{ + awk \ + 'BEGIN {prnt=0; rslt=1; }; \ + /^$/ { next; };\ + /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ + /Chain '$1'/ { prnt=1; }; \ + { if (prnt == 1) print; };\ + END { exit rslt; }' $TMPFILE +} + +showchain() # $1 = name of chain +{ + if [ "$firstchain" = "Yes" ]; then + if showfirstchain $1; then + firstchain= + fi + else + awk \ + 'BEGIN {prnt=0;};\ + /^$|^ pkts/ { next; };\ + /^Chain/ {if ( prnt == 1 ) exit; };\ + /Chain '$1'/ { prnt=1; };\ + { if (prnt == 1) print; }' $TMPFILE + fi +} + +# +# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). 
+# + +iptablesbug() +{ + if qt mywhich awk ; then + awk 'BEGIN { sline=""; };\ + /^-j/ { print sline $0; next };\ + /-m policy.*-j/ { print $0; next };\ + /-m policy/ { sline=$0; next };\ + /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ + { print ; sline="" }' + else + echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 + cat + fi +} + +# +# Validate the value of RESTOREFILE +# +validate_restorefile() # $* = label +{ + case $RESTOREFILE in + */*) + error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE" + exit 2 + ;; + .*) + error_message "ERROR: Reserved File Name: $RESTOREFILE" + exit 2 + ;; + esac +} + +# +# Clear descriptor 1 if it is a terminal +# +clear_term() { + [ -t 1 ] && clear +} + +# +# Delay $timeout seconds -- if we're running on a recent bash2 then allow +# to terminate the delay +# +timed_read () +{ + read -t $timeout foo 2> /dev/null + + test $? -eq 2 && sleep $timeout +} + +# +# Display the last $1 packets logged +# +packet_log() # $1 = number of messages +{ + local options + + [ -n "$realtail" ] && options="-n$1" + + if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then + grep 'IN=.* OUT=' $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + tail $options + else + grep 'IN=.* OUT=' $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + sed 's/MAC=.* SRC=/SRC=/' | \ + tail $options + fi +} + +# +# Show traffic control information +# +show_tc() { + + show_one_tc() { + local device=${1%@*} + qdisc=$(tc qdisc list dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s -d qdisc show dev $device + tc -s -d class show dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_tc ${interface%:} + ;; + *) + ;; + esac + done + +} + +# +# Show classifier information +# +show_classifiers() { + + show_one_classifier() { + local device=${1%@*} + qdisc=$(tc qdisc list 
dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s filter ls dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_classifier ${interface%:} + ;; + *) + ;; + esac + done + +} + +# +# Watch the Firewall Log +# +logwatch() # $1 = timeout -- if negative, prompt each time that + # an 'interesting' packet count changes +{ + + host=$(echo $HOSTNAME | sed 's/\..*$//') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') + + if [ $1 -lt 0 ]; then + timeout=$((- $1)) + pause="Yes" + else + pause="No" + timeout=$1 + fi + + qt mywhich awk && haveawk=Yes || haveawk= + + while true; do + clear_term + echo "$banner $(date)" + echo + + echo "Dropped/Rejected Packet Log ($LOGFILE)" + echo + + show_reset + + rejects=$($IPTABLES -L -v -n | grep 'LOG') + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + + $RING_BELL + + packet_log 40 + + if [ "$pause" = "Yes" ]; then + echo + echo $ECHO_N 'Enter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 40 + timed_read + fi + done +} + +# +# Save currently running configuration +# +save_config() { + if shorewall_is_started ; then + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} + + if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then + echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" + else + case $RESTOREFILE in + save|restore-base) + echo " ERROR: Reserved file name: $RESTOREFILE" + ;; + *) + if $IPTABLES -L dynamic -n > ${VARDIR}/save; then + echo " Dynamic Rules Saved" + if [ -f ${VARDIR}/.restore ]; then + if iptables-save | iptablesbug > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/.restore $RESTOREPATH + mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables + chmod +x $RESTOREPATH + echo " Currently-running Configuration Saved to $RESTOREPATH" + + rm -f ${RESTOREPATH}-ipsets + + case ${SAVE_IPSETS:-No} in + [Yy][Ee][Ss]) + RESTOREPATH=${RESTOREPATH}-ipsets + + f=${VARDIR}/restore-$$ + + echo "#!/bin/sh" > $f + echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f + echo >> $f + echo ". ${SHAREDIR}/lib.base" >> $f + echo >> $f + grep '^MODULE' ${VARDIR}/restore-base >> $f + echo "reload_kernel_modules << __EOF__" >> $f + grep 'loadmodule ip_set' ${VARDIR}/restore-base >> $f + echo "__EOF__" >> $f + echo >> $f + echo "ipset -U :all: :all:" >> $f + echo "ipset -F" >> $f + echo "ipset -X" >> $f + echo "ipset -R << __EOF__" >> $f + ipset -S >> $f + echo "__EOF__" >> $f + mv -f $f $RESTOREPATH + chmod +x $RESTOREPATH + echo " Current Ipset Contents Saved to $RESTOREPATH" + ;; + [Nn][Oo]) + ;; + *) + echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. 
Ipset contents not saved" + ;; + esac + else + rm -f ${VARDIR}/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" + fi + else + echo " ERROR: ${VARDIR}/.restore does not exist" + fi + else + echo "Error Saving the Dynamic Rules" + fi + ;; + esac + fi + else + echo "Shorewall isn't started" + fi + +} + +# +# Show routing configuration +# +show_routing() { + if [ -n "$(ip rule ls)" ]; then + heading "Routing Rules" + ip rule ls + ip rule ls | while read rule; do + echo ${rule##* } + done | sort -u | while read table; do + heading "Table $table:" + ip route ls table $table + done + else + heading "Routing Table" + ip route ls + fi +} + +# +# Show Command Executor +# +show_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + f*) + FILEMODE=Yes + option=${option#f} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + case "$1" in + connections) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" + echo + cat /proc/net/ip_conntrack + ;; + nat) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t nat -L $IPT_OPTIONS + ;; + tos|mangle) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t mangle -L $IPT_OPTIONS + ;; + log) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + packet_log 20 + ;; + tc) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)" + 
echo + show_tc + ;; + classifiers) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)" + echo + show_classifiers + ;; + zones) + [ $# -gt 1 ] && usage 1 + if [ -f ${VARDIR}/zones ]; then + echo "$PRODUCT $version Zones at $HOSTNAME - $(date)" + echo + while read zone type hosts; do + echo "$zone ($type)" + for host in $hosts; do + case $host in + exclude) + echo " exclude:" + ;; + *) + echo " $host" + ;; + esac + done + done < ${VARDIR}/zones + echo + else + echo " ERROR: ${VARDIR}/zones does not exist" >&2 + exit 1 + fi + ;; + capabilities) + [ $# -gt 1 ] && usage 1 + determine_capabilities + VERBOSE=2 + if [ -n "$FILEMODE" ]; then + report_capabilities1 + else + report_capabilities + fi + ;; + ip) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version IP at $HOSTNAME - $(date)" + echo + ip addr ls + ;; + routing) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Routing at $HOSTNAME - $(date)" + echo + show_routing + ;; + config) + . ${SHAREDIR}/configpath + echo "Default CONFIG_PATH is $CONFIG_PATH" + echo "LITEDIR is $LITEDIR" + ;; + *) + if [ "$PRODUCT" = Shorewall ]; then + case $1 in + actions) + [ $# -gt 1 ] && usage 1 + echo "allowBcast # Silently Allow Broadcast/multicast" + echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." 
+ echo "allowoutUPnP # Allow traffic from local command 'upnpd'" + echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" + cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' + return + ;; + macros) + [ $# -gt 1 ] && usage 1 + for macro in ${SHAREDIR}/macro.*; do + foo=`grep 'This macro' $macro | sed 's/This macro //'` + if [ -n "$foo" ]; then + macro=${macro#*.} + foo=${foo%.*} + echo " $macro ${foo#\#}" + fi + done + return + ;; + esac + fi + + echo "$PRODUCT $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -L $chain $IPT_OPTIONS + done + else + $IPTABLES -L $IPT_OPTIONS + fi + ;; + esac +} + +# +# Dump Command Executor +# +dump_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $VERBOSE -lt 2 ] && VERBOSE=2 + + [ -n "$debugging" ] && set -x + [ $# -eq 0 ] || usage 1 + clear_term + echo "$PRODUCT $version Dump at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + $IPTABLES -L $IPT_OPTIONS + + heading "Log ($LOGFILE)" + packet_log 20 + + heading "NAT Table" + $IPTABLES -t nat -L $IPT_OPTIONS + + heading "Mangle Table" + $IPTABLES -t mangle -L $IPT_OPTIONS + + heading "Conntrack Table" + cat /proc/net/ip_conntrack + + heading "IP Configuration" + ip addr ls + + heading "IP Stats" + ip -stat link ls + + if qt mywhich brctl; then + heading "Bridges" + brctl show + fi + + heading "/proc" + show_proc /proc/version + show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all + + for directory in 
/proc/sys/net/ipv4/conf/*; do + for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do + show_proc $directory/$file + done + done + + show_routing + + heading "ARP" + arp -na + + if qt mywhich lsmod; then + heading "Modules" + lsmod | grep -E '^ip_|^ipt_|^iptable_' + fi + + determine_capabilities + echo + report_capabilities + + if [ -n "$TC_ENABLED" ]; then + heading "Traffic Control" + show_tc + heading "TC Filters" + show_classifiers + fi +} + +# +# Restore Comand Executor +# +restore_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + RESTOREFILE="$1" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + if [ -z "$STARTUP_ENABLED" ]; then + error_message "ERROR: Startup is disabled" + exit 2 + fi + + RESTOREPATH=${VARDIR}/$RESTOREFILE + + export NOROUTES + + [ -n "$nolock" ] || mutex_on + + if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ] ; then + echo Restoring Ipsets... + iptables -F + iptables -X + $SHOREWALL_SHELL ${RESTOREPATH}-ipsets + fi + + progress_message3 "Restoring Shorewall..." 
+ $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE" + [ -n "$nolock" ] || mutex_off + else + echo "File ${VARDIR}/$RESTOREFILE: file not found" + [ -n "$nolock" ] || mutex_off + exit 2 + fi +} + +# +# Help information +# +help() +{ + [ -x $HELP ] && { export version; exec $HELP $*; } + echo "Help subsystem is not installed at $HELP" +} + +# +# Display the time that the counters were last reset +# +show_reset() { + [ -f ${VARDIR}/restarted ] && \ + echo "Counters reset $(cat ${VARDIR}/restarted)" && \ + echo +} + +# +# Display's the passed file name followed by "=" and the file's contents. +# +show_proc() # $1 = name of a file +{ + [ -f $1 ] && echo " $1 = $(cat $1)" +} + +read_yesno_with_timeout() { + read -t 60 yn 2> /dev/null + if [ $? -eq 2 ] + then + # read doesn't support timeout + test -x /bin/bash || return 2 # bash is not installed so the feature is not available + /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read + return $? + else + # read supports timeout + case "$yn" in + y|Y) + return 0 + ;; + *) + return 1 + ;; + esac + fi +} + +# +# Print a heading with leading and trailing black lines +# +heading() { + echo + echo "$@" + echo +} + +# +# Create the appropriate -q option to pass onward +# +make_verbose() { + local v=$VERBOSE_OFFSET option=- + + if [ $VERBOSE_OFFSET -gt 0 ]; then + while [ $v -gt 0 ]; do + option="${option}v" + v=$(($v - 1)) + done + + echo $option + elif [ $VERBOSE_OFFSET -lt 0 ]; then + while [ $v -lt 0 ]; do + option="${option}q" + v=$(($v + 1)) + done + + echo $option + fi +} + +# +# Executor for drop,reject,... 
commands +# +block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses +{ + local chain=$1 finished=$2 + + shift 3 + + while [ $# -gt 0 ]; do + case $1 in + *-*) + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop + $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 + ;; + *) + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j $chain || break 1 + ;; + esac + + echo "$1 $finished" + shift + done +} diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e524f83ec..1293cc633 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -145,6 +145,11 @@ Other Changes in 3.3.4. 4) IP Address ranges are now allowed in the drop, reject, allow and logdrop shorewall[-lite] commands. +5) The lib.commands library has been added. It is distributed with + both Shorewall and Shorewall Lite and contains the + command-processing code that is common to both /sbin/shorewall and + /sbin/shorewall-lite. + Migration Considerations: 1) Shorewall supports the notion of "default actions". A default diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 890c56bc6..b515df1ac 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
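Review bot: In restore_command the rule set is emptied with bare `iptables -F` / `iptables -X` before `${RESTOREPATH}-ipsets` is run, while every other call in this library goes through `$IPTABLES`, and the exit status of the ipset restore script is never checked, so a failing ipset restore leaves the host with no rules loaded and the function carries on to the main restore as if nothing had gone wrong. I would switch both calls to `$IPTABLES -F` and `$IPTABLES -X` and test the script's result, e.g. `$SHOREWALL_SHELL ${RESTOREPATH}-ipsets || { [ -n "$nolock" ] || mutex_off; exit 2; }`, matching the file-not-found branch just below it. The same silent-failure shape appears in block(): `|| break 1` stops the loop after a failed `$IPTABLES -A dynamic ...`, but the function then returns 0, so a drop/reject/allow command can report success for the addresses it processed and give the caller no signal that the remaining ones were skipped; `|| return 1` in both arms would surface it.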
@@ -114,81 +114,6 @@ # # shorewall compile [ -e ] [ ] # Compile a firewall program file. -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " $@" >&2 - exit 2 -} - -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). -# - -iptablesbug() -{ - if qt mywhich awk ; then - awk 'BEGIN { sline=""; };\ - /^-j/ { print sline $0; next };\ - /-m policy.*-j/ { print $0; next };\ - /-m policy/ { sline=$0; next };\ - /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ - { print ; sline="" }' - else - echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 - cat - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE" - exit 2 - ;; - .*) - error_message "ERROR: Reserved File Name: $RESTOREFILE" - exit 2 - ;; - esac -} - # # Set the configuration variables from shorewall.conf # 
@@ -284,237 +209,6 @@ get_config() { } -# -# Clear descriptor 1 if it is a terminal -# -clear_term() { - [ -t 1 ] && clear -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? -eq 2 && sleep $timeout -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - local options - - [ -n "$realtail" ] && options="-n$1" - - if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then - grep 'IN=.* OUT=' $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - tail $options - else - grep 'IN=.* OUT=' $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - sed 's/MAC=.* SRC=/SRC=/' | \ - tail $options - fi -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s -d qdisc show dev $device - tc -s -d class show dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_tc ${interface%:} - ;; - *) - ;; - esac - done - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_classifier ${interface%:} - ;; - *) - ;; - esac - done - -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt mywhich awk && haveawk=Yes || haveawk= - 
- while true; do - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log ($LOGFILE)" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Save currently running configuration -# -save_config() { - if shorewall_is_started ; then - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - - if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" - else - case $RESTOREFILE in - save|restore-base) - echo " ERROR: Reserved file name: $RESTOREFILE" - ;; - *) - if $IPTABLES -L dynamic -n > ${VARDIR}/save; then - echo " Dynamic Rules Saved" - if [ -f ${VARDIR}/.restore ]; then - if iptables-save | iptablesbug > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/.restore $RESTOREPATH - mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables - chmod +x $RESTOREPATH - echo " Currently-running Configuration Saved to $RESTOREPATH" - - rm -f ${RESTOREPATH}-ipsets - - case ${SAVE_IPSETS:-No} in - [Yy][Ee][Ss]) - RESTOREPATH=${RESTOREPATH}-ipsets - - f=${VARDIR}/restore-$$ - - echo "#!/bin/sh" > $f - echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f - echo >> $f - echo ". 
${SHAREDIR}/lib.base" >> $f - echo >> $f - grep '^MODULE' ${VARDIR}/restore-base >> $f - echo "reload_kernel_modules << __EOF__" >> $f - grep 'loadmodule ip_set' ${VARDIR}/restore-base >> $f - echo "__EOF__" >> $f - echo >> $f - echo "ipset -U :all: :all:" >> $f - echo "ipset -F" >> $f - echo "ipset -X" >> $f - echo "ipset -R << __EOF__" >> $f - ipset -S >> $f - echo "__EOF__" >> $f - mv -f $f $RESTOREPATH - chmod +x $RESTOREPATH - echo " Current Ipset Contents Saved to $RESTOREPATH" - ;; - [Nn][Oo]) - ;; - *) - echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" - ;; - esac - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" - fi - else - echo " ERROR: ${VARDIR}/.restore does not exist" - fi - else - echo "Error Saving the Dynamic Rules" - fi - ;; - esac - fi - else - echo "Shorewall isn't started" - fi - -} - # # Start Command Executor # 
@@ -917,305 +611,6 @@ refresh_command() { [ -n "$nolock" ] || mutex_off } -# -# Show routing configuration -# -show_routing() { - if [ -n "$(ip rule ls)" ]; then - heading "Routing Rules" - ip rule ls - ip rule ls | while read rule; do - echo ${rule##* } - done | sort -u | while read table; do - heading "Table $table:" - ip route ls table $table - done - else - heading "Routing Table" - ip route ls - fi -} - -# -# Show Command Executor -# -show_command() { - local finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - v*) - VERBOSE=$(($VERBOSE + 1 )) - option=${option#v} - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - m*) - SHOWMACS=Yes - option=${option#m} - ;; - f*) - FILEMODE=Yes - option=${option#f} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ -n "$debugging" ] && set -x - case "$1" in - connections) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Log ($LOGFILE) at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 1 ] && usage 1 - if [ -f ${VARDIR}/zones ]; then - echo 
"Shorewall-$version Zones at $HOSTNAME - $(date)" - echo - while read zone type hosts; do - echo "$zone ($type)" - for host in $hosts; do - case $host in - exclude) - echo " exclude:" - ;; - *) - echo " $host" - ;; - esac - done - done < ${VARDIR}/zones - echo - else - echo " ERROR: ${VARDIR}/zones does not exist" >&2 - exit 1 - fi - ;; - capabilities) - [ $# -gt 1 ] && usage 1 - determine_capabilities - VERBOSE=2 - if [ -n "$FILEMODE" ]; then - report_capabilities1 - else - report_capabilities - fi - ;; - actions) - [ $# -gt 1 ] && usage 1 - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowoutUPnP # Allow traffic from local command 'upnpd'" - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" - cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' - ;; - macros) - [ $# -gt 1 ] && usage 1 - for macro in ${SHAREDIR}/macro.*; do - foo=`grep 'This macro' $macro | sed 's/This macro //'` - if [ -n "$foo" ]; then - macro=${macro#*.} - foo=${foo%.*} - echo " $macro ${foo#\#}" - fi - done - ;; - ip) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version IP at $HOSTNAME - $(date)" - echo - ip addr ls - ;; - routing) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Routing at $HOSTNAME - $(date)" - echo - show_routing - ;; - config) - . 
${SHAREDIR}/configpath - echo "Default CONFIG_PATH is $CONFIG_PATH" - echo "LITEDIR is $LITEDIR" - ;; - *) - echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -L $chain $IPT_OPTIONS - done - else - $IPTABLES -L $IPT_OPTIONS - fi - ;; - esac -} -# -# Dump Command Executor -# -dump_command() { - local finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $VERBOSE -lt 2 ] && VERBOSE=2 - - [ -n "$debugging" ] && set -x - [ $# -eq 0 ] || usage 1 - clear_term - echo "Shorewall-$version Dump at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - $IPTABLES -L $IPT_OPTIONS - - heading "Log ($LOGFILE)" - packet_log 20 - - heading "NAT Table" - $IPTABLES -t nat -L $IPT_OPTIONS - - heading "Mangle Table" - $IPTABLES -t mangle -L $IPT_OPTIONS - - heading "Conntrack Table" - cat /proc/net/ip_conntrack - - heading "IP Configuration" - ip addr ls - - heading "IP Stats" - ip -stat link ls - - if qt mywhich brctl; then - heading "Bridges" - brctl show - fi - - heading "/proc" - show_proc /proc/version - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do - show_proc $directory/$file - done - done - - show_routing - - heading "ARP" - arp -na - - if qt mywhich lsmod; then - heading "Modules" - lsmod | grep -E '^ip_|^ipt_|^iptable_' - fi - - determine_capabilities - echo - report_capabilities - - if [ -n "$TC_ENABLED" ]; then - heading "Traffic Control" - show_tc - heading "TC Filters" - 
show_classifiers - fi -} - # # Safe-start/safe-restart Command Executor # @@ -1331,81 +726,6 @@ safe_commands() { mutex_off } -# -# Restore Comand Executor -# -restore_command() { - local finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - RESTOREFILE="$1" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - if [ -z "$STARTUP_ENABLED" ]; then - error_message "ERROR: Startup is disabled" - exit 2 - fi - - RESTOREPATH=${VARDIR}/$RESTOREFILE - - export NOROUTES - - [ -n "$nolock" ] || mutex_on - - if [ -x $RESTOREPATH ]; then - if [ -x ${RESTOREPATH}-ipsets ] ; then - echo Restoring Ipsets... - iptables -F - iptables -X - $SHOREWALL_SHELL ${RESTOREPATH}-ipsets - fi - - progress_message3 "Restoring Shorewall..." - $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from ${VARDIR}/$RESTOREFILE" - [ -n "$nolock" ] || mutex_off - else - echo "File ${VARDIR}/$RESTOREFILE: file not found" - [ -n "$nolock" ] || mutex_off - exit 2 - fi -} # # [Re]load command executor # @@ -1544,15 +864,6 @@ export_command() # $* = original arguments less the command. fi } -# -# Help information -# -help() -{ - [ -x $HELP ] && { export version; exec $HELP $*; } - echo "Help subsystem is not installed at $HELP" -} - # # Give Usage Information # 
@@ -1598,109 +909,6 @@ usage() # $1 = exit status exit $1 } -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f ${VARDIR}/restarted ] && \ - echo "Counters reset $(cat ${VARDIR}/restarted)" && \ - echo -} - -# -# Display's the passed file name followed by "=" and the file's contents. -# -show_proc() # $1 = name of a file -{ - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -read_yesno_with_timeout() { - read -t 60 yn 2> /dev/null - if [ $? -eq 2 ] - then - # read doesn't support timeout - test -x /bin/bash || return 2 # bash is not installed so the feature is not available - /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read - return $? - else - # read supports timeout - case "$yn" in - y|Y) - return 0 - ;; - *) - return 1 - ;; - esac - fi -} - -# -# Print a heading with leading and trailing black lines -# -heading() { - echo - echo "$@" - echo -} - -# -# Create the appropriate -q option to pass onward -# -make_verbose() { - local v=$VERBOSE_OFFSET option=- - - if [ $VERBOSE_OFFSET -gt 0 ]; then - while [ $v -gt 0 ]; do - option="${option}v" - v=$(($v - 1)) - done - - echo $option - elif [ $VERBOSE_OFFSET -lt 0 ]; then - while [ $v -lt 0 ]; do - option="${option}q" - v=$(($v + 1)) - done - - echo $option - fi -} - -# -# Executor for drop,reject,... 
commands -# -block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses -{ - local chain=$1 finished=$2 - - shift 3 - - while [ $# -gt 0 ]; do - case $1 in - *-*) - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop - $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 - ;; - *) - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - qt $IPTABLES -D dynamic -s $1 -j logreject - qt $IPTABLES -D dynamic -s $1 -j logdrop - $IPTABLES -A dynamic -s $1 -j $chain || break 1 - ;; - esac - - echo "$1 $finished" - shift - done -} - - # # Execution begins here # @@ -1818,6 +1026,7 @@ export PRODUCT="Shorewall" FIREWALL=$SHAREDIR/firewall FUNCTIONS=$SHAREDIR/lib.base +FUNCTIONS1=$SHAREDIR/lib.commands VERSION_FILE=$SHAREDIR/version HELP=$SHAREDIR/help @@ -1828,6 +1037,13 @@ else exit 2 fi +if [ -f $FUNCTIONS1 ]; then + . $FUNCTIONS1 +else + echo "$FUNCTIONS1 does not exist!" >&2 + exit 2 +fi + ensure_config_path config=$(find_file shorewall.conf) @@ -2073,16 +1289,7 @@ case "$COMMAND" in ;; esac done - shift while [ $# -gt 1 ]; do - shift - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - qt $IPTABLES -D dynamic -s $1 -j logreject - qt $IPTABLES -D dynamic -s $1 -j logdrop - $IPTABLES -A dynamic -s $1 -j DROP || break 1 - echo "$1 Dropped" - done - + shift ;; *) finished=1
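Review bot: `FUNCTIONS1=$SHAREDIR/lib.commands` does not match the file this patch creates, which is `Shorewall/lib.command` (diffstat line `create mode 100644 Shorewall/lib.command`, and the library's own header names it `/usr/share/shorewall/lib.command`). Unless the installer renames it on copy — the install script is not part of this patch, so I cannot tell — the guard added in the following hunk, `if [ -f $FUNCTIONS1 ]`, fails on every invocation and /sbin/shorewall exits 2 with the `does not exist!` message before any command runs. The changelog and release notes both say lib.commands, so the new file's name is probably the odd one out; either rename the file or point this line at `$SHAREDIR/lib.command` so the two agree.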