From 5c8c4d1306d56090892b0bc777771914f0a0fbd2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 08:49:26 -0700 Subject: [PATCH 01/38] Update the Download page to mention the Git repository Signed-off-by: Tom Eastep --- web/download.htm | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/web/download.htm b/web/download.htm index 504f4676e..8e70020db 100644 --- a/web/download.htm +++ b/web/download.htm @@ -28,11 +28,14 @@ SVN
+ Git
+

-
2009-03-02 +
2009-04-12

Package Information

Before trying to install, we strongly urge you to read and print a @@ -508,6 +511,17 @@ Shorewall version 4.2.4. +

Git

+Beginning with Shorewall 4.3, the Shorewall project is migrating from +SVN to Git. You may browse the Shorewall +Git repository at Sourceforge.
+
+To create your own copy of the repository, use this command:
+
+
git clone git://shorewall.git.sourceforge.net/gitroot/shorewall
+
+

Copyright ©  2001-2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this From e7c71eecb80446fd2a55c1b322cea415b71d5d1a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:19:32 -0700 Subject: [PATCH 02/38] Update download page to include Ben Montgomery's Ubuntu Repository Signed-off-by: Tom Eastep --- web/download.htm | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/web/download.htm b/web/download.htm index 8e70020db..a9e74fc98 100644 --- a/web/download.htm +++ b/web/download.htm @@ -16,11 +16,14 @@ cellspacing="0"> - Package Information
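Review bot: on the PATCH 01/38 download.htm hunk, the suggested `git clone git://shorewall.git.sourceforge.net/gitroot/shorewall` uses the git:// transport, which provides no authentication or integrity protection, so a reader following the page has no way to confirm that the repository they received is the genuine one; if Sourceforge also serves the repository over http(s), listing that URL alongside gives readers a verifiable path, and the page already documents the project's public key for downloads, which could be referenced here for anything a reader intends to install from the clone.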
- + Package Information
+
+ Distribution-specific Download Sites
+
Download Sites
+ style="font-weight: bold;">Standard Download Sites
Finding Updates that Correct Known Problems
@@ -118,6 +121,7 @@ single execution of the rpm utility.

Here are the installation instructions.

+

Distribution-specific Download Sites

Once you've printed the appropriate QuickStart Guide, download the appropriate modules:

You will probably also want to download the HTML version of the documentation for easy reference.

-

Download Sites

+

Standard Download Sites

Use the sites below to download the tarball, the documentation and the standard RPM for @@ -353,21 +365,6 @@ using our public key -

Redhat and Fedora RPMS -provided -by Simon Matter: http://www.invoca.ch/pub/packages/shorewall/
-
-Slackware SlackBuild scripts are -at http://slackbuilds.org/result/?search=shorewall&sv=.
-
-OpenWRT package provided by Marc Zonzon: http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&section=WRTMemo&subsec=shorewall
-
-Leaf/Bering package is available at http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:3
-

Finding Updates that Correct Known Problems

Beginning with Shorewall 4.0.6, updated packages that include fixes to From ebd7a139fad97b14f73a8eb820714e82c4cc93c9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:24:19 -0700 Subject: [PATCH 03/38] Add a link in the download page. Improve readability of the LEAF/Bering bullet Signed-off-by: Tom Eastep --- web/download.htm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/web/download.htm b/web/download.htm index a9e74fc98..e1777f5d5 100644 --- a/web/download.htm +++ b/web/download.htm @@ -150,7 +150,8 @@ it from the Arch Linux site.

  • If you run a SUSE, Linux PPC, Trustix or TurboLinux distribution with a 2.4 -or 2.6 kernel, you can use the standard RPM version (note: the RPM +or 2.6 kernel, you can use the standard RPM version +(note: the RPM should also work with other distributions that store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me @@ -184,7 +185,10 @@ Hardy Heron.
    or one if it's derivatives, you can download a .lrp file from the Leaf site.

    -From the LEAF Bering-uClibc Team: We try to provide the latest stable +From the LEAF Bering-uClibc Team:
    +
    +

    +
    We try to provide the latest stable version shortly after release, but we also want to do some internal tests before making it available. So we may be behind sometimes. But better be sure that the new version is running on LEAF, than being too @@ -200,9 +204,9 @@ shorewall.lrp is part of the packages page:
    which itself links to cvs:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream
    + href="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream">http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream


    -

    +
  • Shorewall packages for Slackware From 52546657f19ac63e78aa28d3068728e697751a25 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 14:38:33 -0700 Subject: [PATCH 04/38] Add a connection rate limiting doc Signed-off-by: Tom Eastep --- docs/ConnectionRate.xml | 99 ++++++++++++++++++++++++++++++++++++ docs/Documentation_Index.xml | 11 +++- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 docs/ConnectionRate.xml diff --git a/docs/ConnectionRate.xml b/docs/ConnectionRate.xml new file mode 100644 index 000000000..fe4c2e745 --- /dev/null +++ b/docs/ConnectionRate.xml @@ -0,0 +1,99 @@ + + +
    + + + + Connection Rate Limiting + + + + Tom + + Eastep + + + + + + + 2008 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
    + Introduction + + Shorewall supports several mechanisms for limiting connection rates. + These are described in the following sections. + + Rates are expressed in terms of a connections per unit + time and a burst. An + interval is calculated by dividing the unit of time + by the number of connections allowed in that unit of time + (connections/{||||week|month}[:burst] + + Example: 4/min:5 + + + Connections = 4 + + Unit of time = 1 minute + + Interval = 1 minute/4 = 15 seconds. + + Burst = 5 + + + As each connection arrives,if the burst count is > 0 the + burst count is reduced by one and the connection is + accepted. After each interval (15 seconds) that passes without a + connection arriving, the burst count is incremented + by 1 but is not allowed to exceed its initial setting (5). + + By default, the aggregate connection rate is limited. If the + specification is preceeded by "" or + "", then the rate is limited per SOURCE or per + DESTINATION IP address respectively. + +
    + Policy Rate Limiting + + The LIMIT:BURST column in the + /etc/shorewall/policy file applies to TCP + connections that are subject to the policy. The limiting is applied + BEFORE the connection request is passed through the rules generated by + entries in /etc/shorewall/rules. Those connections + in excess of the limit are logged and dropped. +
    + +
    + Rules Rate Limiting + + The RATE LIMIT column in the + /etc/shorewall/rules file allows limiting of + ACCEPT, DNAT and Action rules. +
    + +
    + Limit Action + + The Limit Action is a + legacy mechanism that limits connections per source IP. It does not + support the notion of a burst size. +
    +
    +
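Review bot: the new docs/ConnectionRate.xml carries a copyright year of 2008 although the commit is dated 12 Apr 2009, and the Introduction has two wording slips worth fixing before it ships: "a connections per unit time" (drop "a") and "preceeded" (should be "preceded"). The rate syntax line also shows the alternatives before `week` as empty in this rendering (`connections/{||||week|month}[:burst]`), so the rendered output should be checked to confirm that the shorter units, such as the `min` used in the 4/min:5 example, actually appear.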
    diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index ac73a6945..3f304b3fb 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -55,11 +55,20 @@ - 6to4 Tunnels + KVM (Kernel-mode Virtual Machine) + + + + + 6to4 Tunnels + + Limiting Connection + Rates + Shorewall Setup Guide From 271c339903458e859cda294ef77184292c878822 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 18:50:33 -0700 Subject: [PATCH 05/38] Make the mss interface option clear Signed-off-by: Tom Eastep --- manpages/shorewall-interfaces.xml | 2 +- manpages6/shorewall6-interfaces.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index c09355a2a..256e2e953 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -349,7 +349,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Added in Shorewall 4.0.3. Causes forwarded TCP SYN diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index d0f59b07f..7989ff702 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -133,7 +133,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Causes forwarded TCP SYN packets entering or leaving on From 516d361d09b739864d2966dbb480c0de83fa7e95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 13 Apr 2009 07:26:01 -0700 Subject: [PATCH 06/38] Clarify the usage of the GATEWAY column when USE_DEFAULT_RT = Yes Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index ae17297c3..09429aa30 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml 
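Review bot: in the PATCH 04/38 docs/Documentation_Index.xml hunk, the new index entry expands KVM as "Kernel-mode Virtual Machine"; the project's name is Kernel-based Virtual Machine, so the link text should use that expansion, and the docs/KVM.xml page it points at is worth checking for the same wording.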
@@ -1042,16 +1042,6 @@ gateway:~ #Note that because we used a priority of 1000, the for inserting rules that bypass the main table. - - All provider gateways must be specified explicitly in the - GATEWAY column. 'detect' may not be specified. Note that for ppp - interfaces, the GATEWAY may remain unspecified ("-"). - 'detect' may be specified for interfaces whose - configuration is managed by dhcpcd. Shorewall will use dhcpcd's - database to determine the gateway IP address. - - - You should disable all default route management outside of Shorewall. If a default route is inadvertently added to the main @@ -1059,6 +1049,14 @@ gateway:~ #Note that because we used a priority of 1000, the working except for those routing rules in the priority range 1-998. + + + For ppp interfaces, the GATEWAY may remain unspecified ("-"). + For those interfaces managed by dhcpcd or dhclient, you may specify + 'detect' in the GATEWAY column; Shorewall will use the dhcp client's + database to determine the gateway IP address. All other interfaces + must have a GATEWAY specified explicitly. + Although 'balance' is automatically assumed when From eafad3389eaf5b24ee23e7640b7ce6816efeeede Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 14 Apr 2009 15:20:03 -0700 Subject: [PATCH 07/38] Fix Typo in FTP doc Signed-off-by: Tom Eastep --- docs/FTP.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/FTP.xml b/docs/FTP.xml index 6e81ff89d..abba2bd82 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -196,7 +196,7 @@ ftp> uname -r - Note: If you are running kernel 3.6.19 or earlier, then the module + Note: If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp and they are normally loaded from From 078a639213b25fee1e29189c40f28d064ae24b5a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 11:57:27 -0700 Subject: [PATCH 08/38] Update web site for 4.2.8; fix broken link 
Signed-off-by: Tom Eastep --- docs/KVM.xml | 9 +++++---- web/shorewall_index.htm | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/KVM.xml b/docs/KVM.xml index 79d1f8e25..3d9414ce8 100644 --- a/docs/KVM.xml +++ b/docs/KVM.xml @@ -82,10 +82,11 @@ With this configuration, and with only a single network interface on the laptop, this is just a simple two-interface masquerading setup where the - local network interface is br0. As - with all bridges, br0 must be - configured with the option in two-interface masquerading setup where + the local network interface is br0. As with all bridges, br0 must be configured with the + option in shorewall-interfaces(5). For additional information about this setup, including the Shorewall diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 8bb2fe520..746e1b61a 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@ -
    2009-03-29
    +
    2009-04-16

    Important Notice to Shorewall-perl 4.2 Users

    @@ -67,13 +67,13 @@ Shorewall team members Tom and Roberto will be there!
    Stable Release

    - 4.2.7 + 4.2.8 (includes IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.8/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.8/known_problems.txt">Known Problems From f09b15b2bde746b5bdf956510f4792ee50e567f8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 12:42:36 -0700 Subject: [PATCH 09/38] Add 'FORMAT 2' to the macro template file --- Shorewall/Macros/macro.template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index ae357d1bd..81aab0abf 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,4 +365,7 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST +# Don't delete the next line +FORMAT 2 +# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 1ea375c4e3aea9ade7332fc55eb35dca2316b5c8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 13:19:16 -0700 Subject: [PATCH 10/38] Document FORMAT 2 and the ORIGINAL DEST column --- docs/Macros.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/Macros.xml b/docs/Macros.xml index 9bfed0ae2..37a8e722f 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -426,6 +426,45 @@ ACCEPT fw loc tcp 135,139,445 port.
    + + ORIGINAL DEST (Shorewall-perl 4.2.0 and later) + + To use this column, you must include 'FORMAT 2' as the first + non-comment line in your macro file. + + If ACTION is DNAT[-] or REDIRECT[-] then if this column is + included and is different from the IP address given in the SERVER + column, then connections destined for that address will be forwarded + to the IP and port specified in the DEST column. + + A comma-separated list of addresses may also be used. This is + most useful with the REDIRECT target where you want to redirect + traffic destined for particular set of hosts. Finally, if the list of + addresses begins with "!" (exclusion) then the rule will be followed + only if the original destination address in the connection request + does not match any of the addresses listed. + + For other actions, this column may be included and may contain + one or more addresses (host or network) separated by commas. Address + ranges are not allowed. When this column is supplied, rules are + generated that require that the original destination address matches + one of the listed addresses. This feature is most useful when you want + to generate a filter rule that corresponds to a DNAT- or REDIRECT- + rule. In this usage, the list of addresses should not begin with + "!". + + It is also possible to specify a set of addresses then exclude + part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 + specifies the addresses 192.168.1.0-182.168.1.15 and + 192.168.1.32-192.168.1.255. See shorewall-exclusion(5). + + See http://shorewall.net/PortKnocking.html + for an example of using an entry in this column with a user-defined + action rule. + + RATE LIMIT - You may rate-limit the rule by placing a value in this column: From dea3f3bc29011a3b794f15935cd04057f5baad40 Mon Sep 17 00:00:00 2001 
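Review bot: in the PATCH 10/38 docs/Macros.xml hunk, the exclusion example gives the first range as `192.168.1.0-182.168.1.15`; for 192.168.1.0/24!192.168.1.16/28 the upper bound is 192.168.1.15, so the "182" is a typo that will mislead anyone copying the example. In the same block, "traffic destined for particular set of hosts" wants "a particular set".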
From: Tom Eastep Date: Thu, 16 Apr 2009 13:21:26 -0700 Subject: [PATCH 11/38] Fix bug in manpage6 generation --- tools/build/buildshorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/build/buildshorewall b/tools/build/buildshorewall index 8d5b25023..a5f050ee3 100755 --- a/tools/build/buildshorewall +++ b/tools/build/buildshorewall @@ -889,7 +889,7 @@ if [ -n "${BUILDXML}${BUILDHTML}" ]; then if [ -n "$MANPAGE6TAG" ]; then progress_message "Exporting $MANPAGE6TAG from SVN..." do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGE6TAG manpages >> $LOGFILE 2>&1" - do_or_die mv manpages/* manpages6.save/ + do_or_die mv manpages manpages6.save/ fi progress_message "Exporting $LITEMANPAGETAG from SVN..." From a1e642c4c155d637a3f7db1d11cffee7f0e17a68 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 16:53:59 -0700 Subject: [PATCH 12/38] Another go-around with the macro.template file --- Shorewall/Macros/macro.template | 3 --- 1 file changed, 3 deletions(-) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index 81aab0abf..ae357d1bd 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,7 +365,4 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST -# Don't delete the next line -FORMAT 2 -# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 8b6fe58264b53a44e7d39b2680e6aebf92211d3e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 18:40:11 -0700 Subject: [PATCH 13/38] Update for 4.3.8 --- web/shorewall_index.htm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 746e1b61a..9965b8631 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm 
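Review bot: in the PATCH 11/38 tools/build/buildshorewall hunk, replacing `mv manpages/* manpages6.save/` with `mv manpages manpages6.save/` gives a different result depending on whether manpages6.save already exists at that point: if it does, the whole manpages directory is moved inside it (manpages6.save/manpages) rather than its contents; if it does not, manpages is simply renamed to manpages6.save. Whichever layout the later build steps expect, spelling it out, for example `rm -rf manpages6.save && mv manpages manpages6.save`, stops the build from silently producing the other layout on a rerun.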
@@ -99,14 +99,14 @@ Problems
    Release
    - 4.3.7
    + 4.3.8
    Release + href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/releasenotes.txt">Release Notes
    Known + href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/known_problems.txt">Known Problems From 061ba856242b7c65c98d3f46cbf075ce8ef35a7a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 08:31:45 -0700 Subject: [PATCH 14/38] Update web site for 4.2.8 -perl fiasco Signed-off-by: Tom Eastep --- web/Notices.html | 14 +++++++++++++- web/shorewall_index.htm | 7 ++++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/web/Notices.html b/web/Notices.html index 014d60edf..6ba068889 100644 --- a/web/Notices.html +++ b/web/Notices.html @@ -33,7 +33,7 @@ Users of Shorewall's Multi-ISP Feature
    -
    2009-03-29
    +
    2009-04-17

    End-of-life for Shorewall-shell in Shorewall 4.4
    @@ -52,6 +52,18 @@ with Shorewall-perl installed on an administrative system (may be a Windows[tm] system running Cygwin[tm]).

    Attention Shorewall-perl 4.2 Users

    +

    Shorewall-perl 4.2.8

    +Shorewall-perl 4.2.8 was dead on arrival. The compiler did not rename +the generated script file with the result that it was removed when the +compiler terminated. This lead to:
    +
      +
    1. It was not possible to start Shorewall or Shorewall6 for the +first time after installing 4.2.8
    2. +
    3. Changes to the configuration were apparently ignored.
    4. +
    +This problem was corrected in Shorewall-perl-4.2.8.1.
    +

    Shorewall-perl 4.2.6 and Earlier
    +

    On February 28, Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 versions prior to 4.2.6.1.
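Review bot: in the new web/Notices.html paragraph of PATCH 14/38, "This lead to:" should read "This led to:", and the numbered list that follows shows items 2 and 4 as empty in this rendering while the two real points are items 1 and 3, so the list markup is worth checking in the rendered page.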
    diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 9965b8631..0de147214 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,10 +47,11 @@ -
    2009-04-16
    +
    2009-04-17
    -

    Important -Notice to Shorewall-perl 4.2 Users

    +

    Attention +re: Shorewall-perl 4.2.8
    +

    LFNW LogoPlan to Attend From b8828d6ee1ed12fc47568b803850f5f890b85ae5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 09:00:14 -0700 Subject: [PATCH 15/38] Allow Shorewall6 on kernel 4.2.24 Signed-off-by: Tom Eastep --- Shorewall/Perl/prog.footer6 | 4 ++-- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/prog.footer6 b/Shorewall/Perl/prog.footer6 index 6f03e47de..7513b9696 100644 --- a/Shorewall/Perl/prog.footer6 +++ b/Shorewall/Perl/prog.footer6 @@ -68,8 +68,8 @@ COMMAND="$1" [ -n "${PRODUCT:=Shorewall6}" ] kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) -if [ $kernel -lt 20625 ]; then - error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" +if [ $kernel -lt 20624 ]; then + error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 else case "$COMMAND" in diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 262df7fe0..a65b5fcdd 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in Shorewall 4.3.9 2) Fix netmask genereation in tcfilters. +3) Allow Shorewall6 with kernel 2.6.24 + Changes in Shorewall 4.3.8 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c247b39dd..b8d9b3231 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -110,6 +110,9 @@ None. Notice also that the new LOG rule reflects the original action ("REJECT") rather than what Shorewall maps that to ("reject"). +2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and + hence will now start successfully when running on that kernel. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- 
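Review bot: the PATCH 15/38 subject says "kernel 4.2.24" while the Shorewall/Perl/prog.footer6 hunk lowers the test from 20625 to 20624, that is 2.6.24, and the changelog and releasenotes hunks in the same patch both say 2.6.24; the subject should be corrected before the series is published so `git log` does not advertise a kernel version that does not exist.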
From c3616bdc7183b4a7e8a7b5b5999460abc1c4d5a1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 09:08:25 -0700 Subject: [PATCH 16/38] Document Shorewall6 support on kernel 2.6.24 Signed-off-by: Tom Eastep --- docs/FAQ.xml | 19 ++++++++++--------- docs/IPv6Support.xml | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index e2b936acf..91cf4687b 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -2176,7 +2176,7 @@ We have an error talking to the kernel later.
    - (FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.25 + <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24 or later? Answer: Shorewall implements a @@ -2187,16 +2187,17 @@ We have an error talking to the kernel problems with the facility until at least kernel 2.6.23. When distributions began offering IPv6 connection tracking support, it was with kernel 2.6.25. So that is what we developed IPv6 support on and - that's all that it has been tested on. If you are running 2.6.20 or - later, you can try to run Shorewall6 - by hacking /usr/share/shorewall/prog.footer6 and - changing the kernel version test to check for your kernel version - rather than 2.6.25 (20625). But after that, you are on your - own. + that's all that we initially tested on. Subsequently, we have tested + Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running + 2.6.20 or later, you can try to run + Shorewall6 by hacking + /usr/share/shorewall/prog.footer6 and changing the kernel + version test to check for your kernel version rather than 2.6.24 + (20624). But after that, you are on your own. kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) -if [ $kernel -lt 20625 ]; then - error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" +if [ $kernel -lt 20624 ]; then + error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 else diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml index 7a50c892b..115cb74fe 100644 --- a/docs/IPv6Support.xml +++ b/docs/IPv6Support.xml @@ -57,7 +57,7 @@ - Kernel 2.6.25 or + Kernel 2.6.24 or later. From bd4bbd57ea21c6b26064823bdba08e676711ef96 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 11:20:58 -0700 Subject: [PATCH 17/38] Remove extraneous character from sample rules file Signed-off-by: Tom Eastep --- Samples/one-interface/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
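Review bot: in the PATCH 16/38 docs/FAQ.xml hunk, the retitled FAQ 80a still appears as "Shorewall lPv6 Support" with a lowercase L in "IPv6" on both the removed and the added line; since the title line is being rewritten anyway, correct it to "IPv6" here rather than carrying the typo forward.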
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules index a3ac5175e..58dca3254 100644 --- a/Samples/one-interface/rules +++ b/Samples/one-interface/rules @@ -1,4 +1,4 @@ -L# +# # Shorewall version 4.0 - Sample Rules File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # From fdea4a4020457c03cc99721cbd3179f02602607b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 11:27:00 -0700 Subject: [PATCH 18/38] Remove SUBSYSLOCK value from sample config files Signed-off-by: Tom Eastep --- Samples6/one-interface/shorewall6.conf | 2 +- Samples6/three-interfaces/shorewall6.conf | 2 +- Samples6/two-interfaces/shorewall6.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index b02d9fe09..789be9c3f 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index fd2e7fabd..f07e36e71 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index ea51755c4..ecf9d18dd 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= From 2f053ed7b6643de5756fc137560b88f464aba5a5 Mon Sep 17 00:00:00 2001 
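Review bot: in the PATCH 18/38 Samples6 hunks, the value being cleared, `/var/lock/subsys/shorewall`, is the IPv4 product's lock file, so any shorewall6.conf copied from these samples shared a subsystem lock with Shorewall and stopping one product could remove the other's lock; blanking SUBSYSLOCK fixes the collision, but on distributions whose init system consults /var/lock/subsys, a shorewall6-specific path would keep that integration instead of dropping it.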
From: Tom Eastep Date: Fri, 17 Apr 2009 17:56:11 -0700 Subject: [PATCH 19/38] Handle empty setup_common() --- Shorewall/Perl/Shorewall/Compiler.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index f6870fcc4..004cee6bc 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -682,6 +682,7 @@ sub compiler { setup_zone_mss; unless ( $command eq 'check' ) { + emit 'return 0'; pop_indent; emit '}'; } From 3e03e5d8ad5833ff0f0b963fe383daafb2a9756b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 06:31:42 -0700 Subject: [PATCH 20/38] Update Notices to correctly refer to the next Debian release. --- web/Notices.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/Notices.html b/web/Notices.html index 6ba068889..15bb3c58d 100644 --- a/web/Notices.html +++ b/web/Notices.html @@ -33,7 +33,7 @@ Users of Shorewall's Multi-ISP Feature
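Review bot: in the PATCH 19/38 Shorewall/Perl/Shorewall/Compiler.pm hunk, `emit 'return 0'` is emitted unconditionally before the closing brace, so besides giving an otherwise empty setup_common() a body (an empty shell function body is a syntax error, which is what the subject addresses), it also discards the exit status of whatever the last command emitted into that function was; that is harmless only if every such command already aborts on failure, so either a comment stating that assumption or emitting the `return 0` only when nothing else was emitted would make the intent clear.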
    -
    2009-04-17
    +
    2009-04-18

    End-of-life for Shorewall-shell in Shorewall 4.4
    @@ -41,7 +41,7 @@ Shorewall 4.4
    The Shorewall 4.4 release in late 2009 will not include Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the 4.0 release of Shorewall-shell will continue to be supported until -Debian Sid is released. The 4.2 release of Shorewall-shell will +Debian Squeeze is released. The 4.2 release of Shorewall-shell will continue to be supported until Shorewall 4.6 is released in 2010.

    Shorewall-shell users are encouraged to From 2e516f7518b264c57b200f2525601988879c0a1c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 11:57:27 -0700 Subject: [PATCH 21/38] Update web site for 4.2.8; fix broken link Signed-off-by: Tom Eastep --- web/shorewall_index.htm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 0de147214..94dbfc10f 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@ -
    2009-04-17
    +
    2009-04-16

    Attention re: Shorewall-perl 4.2.8
    From 2e5c5264bb016c0bc51889051f2d661ebbafd440 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 12:42:36 -0700 Subject: [PATCH 22/38] Add 'FORMAT 2' to the macro template file --- Shorewall/Macros/macro.template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index ae357d1bd..81aab0abf 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,4 +365,7 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST +# Don't delete the next line +FORMAT 2 +# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 910c260cb386e1cb09a919814f5cc4ed7992ab95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 13:19:16 -0700 Subject: [PATCH 23/38] Document FORMAT 2 and the ORIGINAL DEST column --- docs/Macros.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/Macros.xml b/docs/Macros.xml index 37a8e722f..f32323fa8 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml 
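Review bot: PATCH 21/38 repeats the subject and author date of PATCH 08/38 but is applied on top of PATCH 14/38, so this web/shorewall_index.htm hunk moves the site date backwards from 2009-04-17 to 2009-04-16, and PATCH 25/38 then has to move it forward again; patches 21 through 28 replay commits 08 through 20 and look like the residue of a rebase, so the series should be rebuilt without them.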
@@ -465,6 +465,45 @@ ACCEPT fw loc tcp 135,139,445 action rule. + + ORIGINAL DEST (Shorewall-perl 4.2.0 and later) + + To use this column, you must include 'FORMAT 2' as the first + non-comment line in your macro file. + + If ACTION is DNAT[-] or REDIRECT[-] then if this column is + included and is different from the IP address given in the SERVER + column, then connections destined for that address will be forwarded + to the IP and port specified in the DEST column. + + A comma-separated list of addresses may also be used. This is + most useful with the REDIRECT target where you want to redirect + traffic destined for particular set of hosts. Finally, if the list of + addresses begins with "!" (exclusion) then the rule will be followed + only if the original destination address in the connection request + does not match any of the addresses listed. + + For other actions, this column may be included and may contain + one or more addresses (host or network) separated by commas. Address + ranges are not allowed. When this column is supplied, rules are + generated that require that the original destination address matches + one of the listed addresses. This feature is most useful when you want + to generate a filter rule that corresponds to a DNAT- or REDIRECT- + rule. In this usage, the list of addresses should not begin with + "!". + + It is also possible to specify a set of addresses then exclude + part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 + specifies the addresses 192.168.1.0-182.168.1.15 and + 192.168.1.32-192.168.1.255. See shorewall-exclusion(5). + + See http://shorewall.net/PortKnocking.html + for an example of using an entry in this column with a user-defined + action rule. + + RATE LIMIT - You may rate-limit the rule by placing a value in this column: From c20bc85dcf1fe5993eed2c1490e29e46470507c3 Mon Sep 17 00:00:00 2001 
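Review bot: duplication in the PATCH 23/38 docs/Macros.xml hunk: the ORIGINAL DEST section inserted here at line 465 is the same text PATCH 10/38 already inserted at line 426 (this hunk's pre-image blob 37a8e722f is PATCH 10's post-image), so the macros documentation ends up describing the column twice, the 182.168.1.15 typo included; drop this patch.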
From: Tom Eastep Date: Thu, 16 Apr 2009 16:53:59 -0700 Subject: [PATCH 24/38] Another go-around with the macro.template file --- Shorewall/Macros/macro.template | 3 --- 1 file changed, 3 deletions(-) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index 81aab0abf..ae357d1bd 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,7 +365,4 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST -# Don't delete the next line -FORMAT 2 -# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 01fa627e13d9c12f596feefb6b01b3b3456385f4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 08:31:45 -0700 Subject: [PATCH 25/38] Update web site for 4.2.8 -perl fiasco Signed-off-by: Tom Eastep --- web/shorewall_index.htm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 94dbfc10f..0de147214 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@ -
    2009-04-16
    +
    2009-04-17

    Attention re: Shorewall-perl 4.2.8
    From 26c8058069b4b21dddbee2f62e30fb9710f9ae8a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 09:00:14 -0700 Subject: [PATCH 26/38] Allow Shorewall6 on kernel 4.2.24 Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3484d7669..e7eb72975 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -8,6 +8,8 @@ Changes in Shorewall 4.3.9 4) Avoid 'Invalid BROADCAST address' errors. +5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt + Changes in Shorewall 4.3.8 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. From 1ee8835a73822584f41cda128ac402e66c2e8cb4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 17:56:11 -0700 Subject: [PATCH 27/38] Handle empty setup_common() --- Shorewall/Perl/Shorewall/Compiler.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index f6870fcc4..004cee6bc 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -682,6 +682,7 @@ sub compiler { setup_zone_mss; unless ( $command eq 'check' ) { + emit 'return 0'; pop_indent; emit '}'; } From 677245a59c9689796d0e1d938d8cdcb2b8d8584c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 06:31:42 -0700 Subject: [PATCH 28/38] Update Notices to correctly refer to the next Debian release. --- web/Notices.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/Notices.html b/web/Notices.html index 6ba068889..15bb3c58d 100644 --- a/web/Notices.html +++ b/web/Notices.html @@ -33,7 +33,7 @@ Users of Shorewall's Multi-ISP Feature
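Review bot: in [PATCH 26/38] the new changelog line '5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt' looks like a paste accident: the trailing ':Shorewall/changelog.txt' does not belong in the entry, and 'kernel 4.2.24' does not match the 2.6.24 kernel named in the release notes later in this series ('Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy)'). Suggest '5) Allow Shorewall6 on kernel 2.6.24.'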
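Review bot: in [PATCH 27/38] the added `emit 'return 0';` in Compiler.pm deserves a comment saying why it is there: a shell function whose body is empty ('setup_common() { }') is a syntax error in the generated script, so this line is what keeps an otherwise empty setup_common() valid, which is what the subject 'Handle empty setup_common()' refers to. Without the comment the line reads as redundant and is likely to be removed again.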

    -
    2009-04-17
    +
    2009-04-18

    End-of-life for Shorewall-shell in Shorewall 4.4
    @@ -41,7 +41,7 @@ Shorewall 4.4
    The Shorewall 4.4 release in late 2009 will not include Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the 4.0 release of Shorewall-shell will continue to be supported until -Debian Sid is released. The 4.2 release of Shorewall-shell will +Debian Squeeze is released. The 4.2 release of Shorewall-shell will continue to be supported until Shorewall 4.6 is released in 2010.

    Shorewall-shell users are encouraged to From 990fda9f19e98d4f6d6fd24cd6ad3e6ef466ba4d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 09:06:35 -0700 Subject: [PATCH 29/38] Add IP, Tc and IPSET configuration options Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 24 ++++++++++++ Shorewall/Perl/Shorewall/Compiler.pm | 30 +++++++++------ Shorewall/Perl/Shorewall/Config.pm | 17 ++++++--- Shorewall/Perl/Shorewall/Proc.pm | 2 +- Shorewall/Perl/Shorewall/Providers.pm | 46 +++++++++++----------- Shorewall/Perl/Shorewall/Rules.pm | 4 +- Shorewall/Perl/Shorewall/Tc.pm | 4 +- Shorewall/Perl/prog.functions | 12 +++--- Shorewall/Perl/prog.functions6 | 8 ++-- Shorewall/Perl/prog.header | 46 +++++++++++----------- Shorewall/Perl/prog.header6 | 55 +++++++++------------------ Shorewall/changelog.txt | 2 + Shorewall/configfiles/shorewall.conf | 6 +++ Shorewall/releasenotes.txt | 14 +++++++ Shorewall6/shorewall6.conf | 6 +++ 15 files changed, 161 insertions(+), 115 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index a6adc1f2c..4e23a88fb 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2064,6 +2064,30 @@ sub set_chain_variables() { emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); } + + if ( $config{IP} ) { + emit( qq(IP="$config{IP}") , + '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"' + ); + } else { + emit 'IP=ip'; + } + + if ( $config{TC} ) { + emit( qq(TC="$config{TC}") , + '[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"' + ); + } else { + emit 'TC=tc'; + } + + if ( $config{IPSET} ) { + emit( qq(IPSET="$config{IPSET}") , + '[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"' + ); + } else { + emit 'IPSET=ipset'; + } } # 
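Review bot: in the set_chain_variables() hunk of Chains.pm, the new `[ -x "$IP" ]`, `[ -x "$TC" ]` and `[ -x "$IPSET" ]` checks only make sense when the configured value is a pathname; a bare command name such as IP=ip2 (the same form the emitted defaults 'IP=ip', 'TC=tc' and 'IPSET=ipset' use) fails the -x test in the generated script unless the file happens to sit in the current directory, so a user who sets a bare name gets 'does not exist or is not executable' at startup. Suggest the same `case $X in */*) ... *) ... esac` split that the Compiler.pm ipset hunk in this patch uses, resolving bare names through the PATH, or else document in shorewall.conf that these three options must be absolute pathnames.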
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 004cee6bc..571494e53 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -329,7 +329,7 @@ sub generate_script_3($) { if ( $family == F_IPV4 ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", + emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", 'if [ -n "$addr" ]; then', ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', 
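Review bot: the unchanged context line ` for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do` in the norfc1918 hunk of generate_script_3 lists 176.16.0.0/12, but the RFC 1918 block is 172.16.0.0/12; as written the loop never matches an interface address in 172.16/12. Pre-existing, but worth correcting while this code is being touched, since the check exists precisely to recognise RFC 1918 addresses on the interface.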
@@ -343,28 +343,36 @@ sub generate_script_3($) { my @ipsets = all_ipsets; if ( @ipsets ) { - emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' , + emit ( 'case $IPSET in', + ' */*)', + ' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"', + ' ;;', + ' *)', + ' IPSET="$(which ipset)"', + ' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' , + ' ;;', + 'esac', '', 'if [ "$COMMAND" = start ]; then' , ' if [ -f ${VARDIR}/ipsets.save ]; then' , - ' ipset -U :all: :all:' , - ' ipset -U :all: :default:' , - ' ipset -F' , - ' ipset -X' , - ' ipset -R < ${VARDIR}/ipsets.save' , + ' $IPSET -U :all: :all:' , + ' $IPSET -U :all: :default:' , + ' $IPSET -F' , + ' $IPSET -X' , + ' $IPSET -R < ${VARDIR}/ipsets.save' , ' fi' , '' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( '' , 'elif [ "$COMMAND" = restart ]; then' , '' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( '' , - ' if ipset -S > ${VARDIR}/ipsets.tmp; then' , + ' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' fi' ); emit ( 'fi', @@ -374,7 +382,7 @@ sub generate_script_3($) { emit ( 'if [ "$COMMAND" = refresh ]; then' , ' run_refresh_exit' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( 'else' , ' run_init_exit', diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9d25fd076..564f9ad1e 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
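Review bot: in the all_ipsets hunk of generate_script_3, the `*)` branch of the new case statement runs `IPSET="$(which ipset)"` regardless of what $IPSET holds, so a configured bare name other than 'ipset' is silently replaced by whichever 'ipset' is on the PATH; it should be `$(which $IPSET)` (this is what [PATCH 31/38] later corrects). The branch also switches from the `mywhich` helper used by the removed line to the external `which`, which behaves differently across distributions in what it prints and returns; keeping `mywhich` avoids that variation.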
@@ -356,6 +356,9 @@ sub initialize( $ ) { # Location of Files # IPTABLES => undef, + IP => undef, + TC => undef, + IPSEC => undef, # #PATH is inherited # @@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) { $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" ); - if ( which 'ipset' ) { - qt( "ipset -X $sillyname" ); + my $ipset = $config{IPSET} || 'tc'; - if ( qt( "ipset -N $sillyname iphash" ) ) { + $ipset = which 'ipset' unless $ipset =~ '//'; + + if ( $ipset && -x $ipset ) { + qt( "$ipset -X $sillyname" ); + + if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); $capabilities{IPSET_MATCH} = 1; } - qt( "ipset -X $sillyname" ); + qt( "$ipset -X $sillyname" ); } } @@ -2544,7 +2551,7 @@ sub generate_aux_config() { emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { + for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { conditionally_add_option $option; } diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm index 06941015f..8c2246c85 100644 --- a/Shorewall/Perl/Shorewall/Proc.pm +++ b/Shorewall/Perl/Shorewall/Proc.pm @@ -124,7 +124,7 @@ sub setup_route_filtering() { emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; } - emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; + emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache"; } } diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 3dafa5896..ae9dda2f0 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
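Review bot: in the initialize() hunk of Config.pm the new configuration key is spelled `IPSEC => undef` while every other reader in this patch (`$config{IPSET}` in determine_capabilities, the `IP TC IPSET` added to the qw() list in generate_aux_config, and the `IPSET=` lines added to shorewall.conf and shorewall6.conf) uses IPSET. As written, `$config{IPSET}` is never set from the configuration file, so the option is a no-op; change it to `IPSET => undef`.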
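Review bot: in the determine_capabilities() hunk of Config.pm, `my $ipset = $config{IPSET} || 'tc';` defaults to the wrong utility ('ipset' is clearly intended), and `$ipset = which 'ipset' unless $ipset =~ '//';` has two problems: the pattern '//' only matches a literal double slash, so an ordinary pathname such as /usr/sbin/ipset still falls through to the `which` call, and that call looks up the literal 'ipset' rather than the configured name. Suggest `my $ipset = $config{IPSET} || 'ipset';` and `$ipset = which $ipset unless $ipset =~ m|/|;`, which also mirrors the `*/*` case used in Compiler.pm.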
@@ -137,9 +137,9 @@ sub copy_table( $$$ ) { my ( $duplicate, $number, $realm ) = @_; if ( $realm ) { - emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) } else { - emit ( "ip -$family route show table $duplicate | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | while read net route; do" ) } emit ( ' case $net in', @@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) { my ( $duplicate, $number, $copy, $realm) = @_; if ( $realm ) { - emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) } else { - emit ( "ip -$family route show table $duplicate | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | while read net route; do" ) } emit ( ' case $net in', @@ -233,7 +233,7 @@ sub start_provider( $$$ ) { emit "#\n# Add Provider $table ($number)\n#"; emit "qt ip -$family route flush table $number"; - emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing"; + emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing"; } sub add_a_provider( $$$$$$$$ ) { @@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) { my $pref = 10000 + $number - 1; - emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; + emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; emit ( "run_ip rule add fwmark $mark pref $pref table $number", - "echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing" + "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing" ); } 
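Review bot: in the start_provider() hunk of Providers.pm, the undo line was changed to `qt \$IP -$family route flush table $number` but the unchanged context line just above it, `emit "qt ip -$family route flush table $number";`, still invokes a bare `ip`; both should use $IP, otherwise a configured IP= pathname is honoured in the undo script but not for the flush itself.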
@@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) { emit ''; if ( $gateway ) { emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number); - emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); } else { emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number); - emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); } } if ( $loose ) { if ( $config{DELETE_THEN_ADD} ) { emit ( "\nfind_interface_addresses $interface | while read address; do", - " qt ip -$family rule del from \$address", + " qt \$IP -$family rule del from \$address", 'done' ); } } elsif ( $shared ) { - emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD}; + emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; emit( "run_ip rule add from $address pref 20000 table $number" , - "echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); + "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); } else { my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); emit "\nrulenum=0\n"; emit ( "find_interface_addresses $interface | while read address; do" ); - emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; + emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", - " echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing", + " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing", ' 
rulenum=$(($rulenum + 1))', 'done' ); @@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) { $priority = "priority $priority"; - emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; + emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); @@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) { } emit ( "run_ip rule add $source $dest $priority table $number", - "echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); + "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); pop_indent, emit ( "fi\n" ) if $optional; @@ -555,7 +555,7 @@ sub setup_null_routing() { save_progress_message "Null Routing the RFC 1918 subnets"; for ( rfc1918_networks ) { emit( "run_ip route replace unreachable $_" ); - emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" ); + emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" ); } } @@ -593,7 +593,7 @@ sub setup_providers() { emit ( '#', '# Capture the default route(s) if we don\'t have it (them) already.', '#', - '[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', + '[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', '#', '# Initialize the file that holds \'undo\' commands', '#', 
@@ -624,16 +624,16 @@ sub setup_providers() { if ( $config{USE_DEFAULT_RT} ) { emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999', - "ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766', - qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', - qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', + "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766', + qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', + qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', '' ); $table = DEFAULT_TABLE; } emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); - emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; + emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", 'else', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); @@ -641,7 +641,7 @@ sub setup_providers() { if ( $config{RESTORE_DEFAULT_ROUTE} ) { emit ' restore_default_route && error_message "NOTICE: Default route restored"' } else { - emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); + emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); } emit( 'fi', diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7094b8756..dc0ad1b6d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -2158,7 +2158,7 @@ EOF if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp @@ -2253,7 +2253,7 @@ EOF emit <<'EOF'; if [ -n "$(mywhich ipset)" ]; then - if ipset -S > ${VARDIR}/ipsets.tmp; then + if $IPSET -S > ${VARDIR}/ipsets.tmp; then # # Don't save an 'empty' file # diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 8c8bcef38..c5ac46065 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -813,8 +813,8 @@ sub setup_traffic_shaping() { push_indent; emit ( "${dev}_exists=Yes", - "qt tc qdisc del dev $device root", - "qt tc qdisc del dev $device ingress", + "qt \$TC qdisc del dev $device root", + "qt \$TC qdisc del dev $device ingress", "run_tc qdisc add dev $device root handle $devnum: htb default $defmark", "${dev}_mtu=\$(get_device_mtu $device)", "${dev}_mtu1=\$(get_device_mtu1 $device)", diff --git a/Shorewall/Perl/prog.functions b/Shorewall/Perl/prog.functions index 8941cc679..e53dea6f1 100644 --- a/Shorewall/Perl/prog.functions +++ b/Shorewall/Perl/prog.functions @@ -8,7 +8,7 @@ delete_proxyarp() { if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface + [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp 
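Review bot: in the Rules.pm ipset-save hunk, the guard `if [ -n "$(mywhich ipset)" ]; then` remains hard-coded to 'ipset' while the body now runs `$IPSET -S`; when IPSET= names a utility that is not on the PATH the save is skipped even though $IPSET is usable, and when some other 'ipset' is on the PATH the guard passes for the wrong binary. Test the configured value instead, for example `[ -x "$IPSET" ] || [ -n "$(mywhich $IPSET)" ]`, consistent with the case logic added in Compiler.pm.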
@@ -140,8 +140,8 @@ do_iptables() # run_ip() { - if ! ip -4 $@; then - error_message "ERROR: Command \"ip -4 $@\" Failed" + if ! $IP -4 $@; then + error_message "ERROR: Command \"$IP -4 $@\" Failed" stop_firewall exit 2 fi @@ -151,8 +151,8 @@ run_ip() # Run tc and if an error occurs, stop/restore the firewall # run_tc() { - if ! tc $@ ; then - error_message "ERROR: Command \"tc $@\" Failed" + if ! $TC $@ ; then + error_message "ERROR: Command \"$TC $@\" Failed" stop_firewall exit 2 fi @@ -191,7 +191,7 @@ restore_dynamic_rules() { # get_all_bcasts() { - ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u + $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } # diff --git a/Shorewall/Perl/prog.functions6 b/Shorewall/Perl/prog.functions6 index 7a544a967..d98462600 100644 --- a/Shorewall/Perl/prog.functions6 +++ b/Shorewall/Perl/prog.functions6 @@ -116,8 +116,8 @@ do_iptables() # run_ip() { - if ! ip -6 $@; then - error_message "ERROR: Command \"ip -6 $@\" Failed" + if ! $IP -6 $@; then + error_message "ERROR: Command \"$IP -6 $@\" Failed" stop_firewall exit 2 fi @@ -127,8 +127,8 @@ run_ip() # Run tc and if an error occurs, stop/restore the firewall # run_tc() { - if ! tc $@ ; then - error_message "ERROR: Command \"tc $@\" Failed" + if ! $TC $@ ; then + error_message "ERROR: Command \"$TC $@\" Failed" stop_firewall exit 2 fi diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index c8da161cf..1c95cdcab 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header @@ -485,7 +485,7 @@ find_peer() { # find_rt_interface() { - ip -4 route list | while read addr rest; do + $IP -4 route list | while read addr rest; do case $addr in */*) in_network ${1%/*} $addr && echo $(find_device $rest) 
@@ -506,14 +506,14 @@ find_rt_interface() { find_nexthop() # $1 = interface { - echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`) + echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { - ip -4 route list | while read first rest; do + $IP -4 route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } @@ -546,7 +546,7 @@ find_interface_by_mac() { local rest local dev - ip link list | while read first second rest; do + $IP link list | while read first second rest; do case $first in *:) dev=$second @@ -564,7 +564,7 @@ find_interface_by_mac() { # Determine if Interface is up # interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] + [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] } # @@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) # # If there wasn't one, bail out now # @@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line @@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface # find_interface_addresses() # $1 = interface { - ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' } # 
@@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message local address local rest - ip -4 route show dev $1 2> /dev/null | + $IP -4 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) @@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface local addresses addresses= - ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u + $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } # @@ -728,7 +728,7 @@ INCLUDE() { # del_ip_addr() # $1 = address, $2 = interface { - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 + [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2 } # Add IP Aliases @@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses # # Get all of the lines that contain inet addresses with broadcast # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do + $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in */*) if in_network $external $cidr; then @@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses { val=$(address_details) - ip addr add ${external}${val} dev $interface $label + $IP addr add ${external}${val} dev $interface $label [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external echo "$external $interface" >> $VARDIR/nat [ -n "$label" ] && label="with $label" @@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface # # First assume that this is some sort of point-to-point interface # - gateway=$( find_peer $(ip addr list $interface ) ) + gateway=$( find_peer $($IP addr list $interface ) ) # # If that didn't work, then try DHCP # 
@@ -842,7 +842,7 @@ detect_gateway() # $1 = interface # # Maybe there's a default route through this gateway already # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default)) + [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default)) # # Last hope -- is there a load-balancing route through the interface? # @@ -858,7 +858,7 @@ detect_gateway() # $1 = interface # disable_ipv6() { local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" + foo="$($IP -f inet6 addr list 2> /dev/null)" if [ -n "$foo" ]; then if qt mywhich ip6tables; then @@ -892,8 +892,8 @@ truncate() # $1 = length delete_tc1() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + $TC qdisc del dev $1 root 2> /dev/null + $TC qdisc del dev $1 ingress 2> /dev/null } @@ -917,7 +917,7 @@ delete_tc1() get_device_mtu() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) @@ -933,7 +933,7 @@ get_device_mtu() # $1 = device get_device_mtu1() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then @@ -990,11 +990,11 @@ restore_default_route() { # # Don't restore a route with a metric -- we only replace the one with metric == 0 # - qt ip -4 route delete default metric 0 && \ + qt $IP -4 route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) - qt ip -4 route replace $default_route && \ + qt $IP -4 route replace $default_route && \ result=0 && \ progress_message "Default Route (${default_route# }) restored" ;; 
@@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface qt ping -nc 1 -t 2 -I $2 $1 local result - result=$(ip neigh list | awk "/^$1 / {print \$5}") + result=$($IP neigh list | awk "/^$1 / {print \$5}") case $result in \<*\>) diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 1432c3d95..6155336bc 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -388,14 +388,14 @@ find_peer() { find_nexthop() # $1 = interface { - echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`) + echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { - ip -6 route list | while read first rest; do + $IP -6 route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } @@ -412,7 +412,7 @@ find_interface_by_mac() { local rest local dev - ip link list | while read first second rest; do + $IP link list | while read first second rest; do case $first in *:) dev=$second @@ -430,7 +430,7 @@ find_interface_by_mac() { # Determine if Interface is up # interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] + [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] } # @@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) + addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) # # If there wasn't one, bail out now # 
@@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1) + addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1) # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line @@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface # find_interface_addresses() # $1 = interface { - ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' } # @@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface find_interface_full_addresses() # $1 = interface { - ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' } # @@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message local address local rest - ip -6 route show dev $1 2> /dev/null | + $IP -6 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) @@ -756,11 +756,11 @@ detect_gateway() # $1 = interface # # First assume that this is some sort of point-to-point interface # - gateway=$( find_peer $(ip -6 addr list $interface ) ) + gateway=$( find_peer $($IP -6 addr list $interface ) ) # # Maybe there's a default route through this gateway already # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default')) + [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default')) # # Last hope -- is there a load-balancing route through the interface? # 
@@ -788,8 +788,8 @@ truncate() # $1 = length delete_tc1() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + $TC qdisc del dev $1 root 2> /dev/null + $TC qdisc del dev $1 ingress 2> /dev/null } @@ -813,7 +813,7 @@ delete_tc1() get_device_mtu() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) @@ -829,7 +829,7 @@ get_device_mtu() # $1 = device get_device_mtu1() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then @@ -886,11 +886,11 @@ restore_default_route() { # # Don't restore a route with a metric -- we only replace the one with metric == 0 # - qt ip -6 route delete default metric 0 && \ + qt $IP -6 route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) - qt ip -6 route replace $default_route && \ + qt $IP -6 route replace $default_route && \ result=0 && \ progress_message "Default Route (${default_route# }) restored" ;; @@ -932,27 +932,6 @@ find_echo() { echo echo } -# -# Determine the MAC address of the passed IP through the passed interface -# -find_mac() # $1 = IP address, $2 = interface -{ - if interface_is_usable $2 ; then - qt ping -nc 1 -t 2 -I $2 $1 - - local result - result=$(ip neigh list | awk "/^$1 / {print \$5}") - - case $result in - \<*\>) - ;; - *) - [ -n "$result" ] && echo $result - ;; - esac - fi -} - # # Flush the conntrack table if $PURGE is non-empty # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index e7eb72975..d3af28524 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
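Review bot: the prog.header6 hunk at @@ -932,27 +932,6 @@ deletes the whole find_mac() function, which is unrelated to the IP, TC and IPSET options this patch adds and is not mentioned in the commit message ('Add IP, Tc and IPSET configuration options'); the IPv4 copy in prog.header is kept and converted to `$IP neigh list` in the same patch. Either state the removal in the message or split it into its own commit so it can be reviewed and reverted independently.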
@@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9 5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt +6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf. + Changes in Shorewall 4.3.8 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 70ca42791..558184d3d 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -70,6 +70,12 @@ LOG_MARTIANS=Yes IPTABLES= +IP= + +TC= + +IPSET= + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c09f6aa86..a8d4b8785 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -117,6 +117,20 @@ None. 2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and hence will now start successfully when running on that kernel. +3) Three new options (IP, TC and IPSET) have been added to + shorewall.conf and shorwall6.conf. These options specify the name + of the executable for the 'ip', 'tc' and 'ipset' utilities + respectively. + + If not specified, the default values are: + + IP=ip + TC=tc + IPSET=ipset + + In other words, the utilities will be located via the current PATH + setting. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index 7ac94debc..238b92d4e 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf @@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info IP6TABLES= +IP= + +TC= + +IPSET= + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh From 11018b072bcac5ced3cf5fe64ad63d5f7332c9c6 Mon Sep 17 00:00:00 2001 
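Review bot: the releasenotes.txt hunk spells the file as 'shorwall6.conf'; it should be 'shorewall6.conf'. The same entry says the options 'specify the name of the executable', while the Chains.pm `[ -x "$IP" ]` checks in this patch only succeed for a pathname; the release notes and the code should agree on whether a bare name is accepted.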
From: Tom Eastep Date: Sat, 18 Apr 2009 09:16:27 -0700 Subject: [PATCH 30/38] Document new options (IP, IPSET and TC) Signed-off-by: Tom Eastep --- manpages/shorewall.conf.xml | 33 +++++++++++++++++++++++++------ manpages6/shorewall6.conf.xml | 37 ++++++++++++++++++++++++++++++++--- 2 files changed, 61 insertions(+), 9 deletions(-) diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 5b02e9212..ffa69d22f 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -661,6 +661,17 @@ net all DROP infothen the chain name is 'net2all' + + IP=[pathname] + + + If specified, gives the pathname of the 'ip' executable. If + not specified, 'ip' is assumed and the utility will be located using + the current PATH setting. + + + IP_FORWARDING=[On|then the chain name is 'net2all' - IPSECFILE={zones|ipsec} + IPSET=[pathname] - This should be set to zones - for all new Shorewall installations. IPSECFILE=ipsec is only used - for compatibility with pre-Shorewall-3.0 configurations. + If specified, gives the pathname of the 'ipset' executable. If + not specified, 'ipset' is assumed and the utility will be located + using the current PATH setting. @@ -1504,6 +1514,17 @@ net all DROP infothen the chain name is 'net2all' + + TC=[pathname] + + + If specified, gives the pathname of the 'tc' executable. If + not specified, 'tc' is assumed and the utility will be located using + the current PATH setting. + + + TC_ENABLED=[Yes|then the chain name is 'net2all' + + IP=[pathname] + + + If specified, gives the pathname of the 'ip' executable. If + not specified, 'ip' is assumed and the utility will be located using + the current PATH setting. + + + IP_FORWARDING=[On|then the chain name is 'net2all' Shorewall6 will neither enable nor disable packet - forwarding. + forwarding - -
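Review bot: in the manpages/shorewall.conf.xml hunk the new IPSET entry replaces the IPSECFILE={zones|ipsec} entry instead of being added next to it, so the man page loses the IPSECFILE documentation (which the removed text itself says is still used for pre-Shorewall-3.0 compatibility). The manpages6/shorewall6.conf.xml hunk in the same commit does this the right way, inserting IPSET as a pure addition ahead of KEEP_RT_TABLES; the IPv4 page should do the same and keep the IPSECFILE paragraph intact.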
    If this variable is not set or is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed. @@ -581,6 +590,17 @@ net all DROP infothen the chain name is 'net2all' + + IPSET=[pathname] + + + If specified, gives the pathname of the 'ipset' executable. If + not specified, 'ipset' is assumed and the utility will be located + using the current PATH setting. + + + KEEP_RT_TABLES={Yes|No} @@ -1056,6 +1076,17 @@ net all DROP infothen the chain name is 'net2all' + + TC=[pathname] + + + If specified, gives the pathname of the 'tc' executable. If + not specified, 'tc' is assumed and the utility will be located using + the current PATH setting. + + + TC_ENABLED=[Yes| Date: Sat, 18 Apr 2009 10:16:57 -0700 Subject: [PATCH 31/38] Correct IPSET expansion --- Shorewall/Perl/Shorewall/Compiler.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 52d4e1abe..49771ef3d 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -349,7 +349,7 @@ sub generate_script_3($) { ' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"', ' ;;', ' *)', - ' IPSET="$(which ipset)"', + ' IPSET="$(which $IPSET)"', ' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' , ' ;;', 'esac', From f53a2f87c6b9d6f4b5d7028df2f5ff6e3615e1df Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 10:26:12 -0700 Subject: [PATCH 32/38] More IP, IPSET and TC integration Fix 'shorewall del' command --- Shorewall/lib.base | 652 -------------------------------------------- Shorewall/lib.cli | 25 +- Shorewall/shorewall | 72 ++++- 3 files changed, 89 insertions(+), 660 deletions(-) diff --git a/Shorewall/lib.base b/Shorewall/lib.base index e045d2e7b..c7a3f57f6 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
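Review bot: the generated fallback `IPSET="$(which $IPSET)"` in Compiler.pm now honours a configured command name, but the error on the next generated line still reads "The ipset utility cannot be located", so when IPSET names some other binary the message reports the wrong name; and because the failed `which` has already overwritten the variable with an empty string, simply interpolating `$IPSET` into the message would print "The  utility". Capture the configured name in a temporary before the reassignment and use it in the fatal_error text, and quote the expansion (`$(which "$IPSET")`) so a value containing whitespace does not split.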
@@ -161,46 +161,6 @@ run_user_exit() # $1 = file name fi } -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established and related connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Flush one of the Mangle table chains -# -flushmangle() # $1 = name of chain -{ - run_iptables -t mangle -F $1 -} - -# -# Flush and delete all user-defined chains in the filter table -# -deleteallchains() { - run_iptables -F - run_iptables -X -} - # # Load a Kernel Module -- assumes that the variable 'moduledirectories' contains # a space-separated list of directories to search for @@ -373,38 +333,6 @@ mutex_off() rm -f ${LOCKFILE:=${VARDIR}/lock} } -# -# Load an optional library -# -lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found -{ - local lib - lib=${SHAREDIR}/lib.$1 - local loaded - - eval loaded=\$LIB_${1}_LOADED - - if [ -z "$loaded" ]; then - [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1 - - if [ -f $lib ]; then - progress_message "Loading library $lib..." - . $lib - eval LIB_${1}_LOADED=Yes - else - startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed" - fi - fi -} - -# -# Determine if an optional library is available -# -lib_avail() # $1 = Name of the Library -{ - [ -f ${SHAREDIR}/lib.$1 ] -} - # # Note: The following set of IP address manipulation functions have anomalous # behavior when the shell only supports 32-bit signed arithmetic and 
@@ -662,41 +590,6 @@ ip_vlsm() { fi } - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). -# -chain_base() #$1 = interface -{ - local c - c=${1%%+} - - while true; do - case $c in - @*) - c=at_${c#@} - ;; - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *%*) - c="${c%\%*}_${c##*%}" - ;; - *@*) - c="${c%@*}_${c##*@}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - # # Query NetFilter about the existence of a filter chain # 
@@ -705,224 +598,6 @@ chain_exists() # $1 = chain name qt $IPTABLES -L $1 -n } -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the value 'via' in the passed arguments then echo the next value -# - -find_gateway() { - while [ $# -gt 1 ]; do - [ "x$1" = xvia ] && echo $2 && return - shift - done -} - -# -# Find the value 'mtu' in the passed arguments then echo the next value -# - -find_mtu() { - while [ $# -gt 1 ]; do - [ "x$1" = xmtu ] && echo $2 && return - shift - done -} - -# -# Find the value 'peer' in the passed arguments then echo the next value up to -# "/" -# - -find_peer() { - while [ $# -gt 1 ]; do - [ "x$1" = xpeer ] && echo ${2%/*} && return - shift - done -} - -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route list | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - -# -# Try to find the gateway through an interface looking for 'nexthop' - -find_nexthop() # $1 = interface -{ - echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`) -} - -# -# Find the default route's interface -# -find_default_interface() { - ip route list | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev - dev="$(find_rt_interface $1)" - local first - local rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - -# -# Find the interface with the passed MAC address -# - -find_interface_by_mac() { - local mac - mac=$1 - local first - 
local second - local rest - local dev - - ip link list | while read first second rest; do - case $first in - *:) - dev=$second - ;; - *) - if [ "$second" = $mac ]; then - echo ${dev%:} - return - fi - esac - done -} - -# -# Determine if Interface is up -# -interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] -} - -# -# Find interface address--returns the first IP address assigned to the passed -# device -# -find_first_interface_address() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' -} - -find_first_interface_address_if_any() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 -} - -# -# Determine if interface is usable from a Netfilter prespective -# -interface_is_usable() # $1 = interface -{ - interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' -} - -# -# echo the list of networks routed out of a given interface -# -get_routed_networks() # $1 = interface name, $2-n = Fatal error message -{ - local address - local 
rest - - ip route show dev $1 2> /dev/null | - while read address rest; do - case "$address" in - default) - if [ $# -gt 1 ]; then - shift - fatal_error "$@" - else - echo "WARNING: default route ignored on interface $1" >&2 - fi - ;; - multicast|broadcast|prohibit|nat|throw|nexthop) - ;; - *) - [ "$address" = "${address%/*}" ] && address="${address}/32" - echo $address - ;; - esac - done -} - -get_interface_bcasts() # $1 = interface -{ - ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u -} - # # Internal version of 'which' # 
@@ -1329,125 +1004,6 @@ report_capabilities1() { echo CAPVERSION=$SHOREWALL_CAPVERSION } -# -# Delete IP address -# -del_ip_addr() # $1 = address, $2 = interface -{ - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 -} - -# Add IP Aliases -# -add_ip_aliases() # $* = List of addresses -{ - local addresses - local external - local interface - local inet - local cidr - local rest - local val1 - local arping - arping=$(mywhich arping) - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - - ip addr add ${external}${val} dev $interface $label - [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external - echo "$external $interface" >> $VARDIR/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - progress_message "Adding IP Addresses..." 
- - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift 2 - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - -detect_gateway() # $1 = interface -{ - local interface - interface=$1 - # - # First assume that this is some sort of point-to-point interface - # - gateway=$( find_peer $(ip addr list $interface ) ) - # - # Maybe there's a default route through this gateway already - # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface)) - # - # Last hope -- is there a load-balancing route through the interface? - # - [ -n "$gateway" ] || gateway=$(find_nexthop $interface) - # - # Be sure we found one - # - [ -n "$gateway" ] && echo $gateway -} - -# -# Disable IPV6 -# -disable_ipv6() { - local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt mywhich ip6tables; then - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - ip6tables -F - ip6tables -X - ip6tables -A OUTPUT -o lo -j ACCEPT - ip6tables -A INPUT -i lo -j ACCEPT - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and # dash do not support that form of expansion. 
@@ -1458,214 +1014,6 @@ truncate() # $1 = length cut -b -${1} } -# -# Add a logging rule. -# -do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local displayChain - displayChain=$3 - local disposition - disposition=$4 - local rulenum - rulenum= - local limit - limit= - local tag - tag= - local command - command= - local prefix - local base - base=$(chain_base $displayChain) - local pf - - limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. - tag=${6:+$6 } - command=${7:--A} - - shift 7 - - if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then - displayChain=$tag - tag= - fi - - if [ -n "$LOGRULENUMBERS" ]; then - # - # Hack for broken printf on some lightweight shells - # - [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) - - eval rulenum=\$${base}_logrules - - rulenum=${rulenum:-1} - - prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" - - rulenum=$(($rulenum + 1)) - eval ${base}_logrules=$rulenum - else - prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" - fi - - if [ ${#prefix} -gt 29 ]; then - prefix="`echo "$prefix" | truncate 28` " - error_message "WARNING: Log Prefix shortened to \"$prefix\"" - fi - - case $level in - ULOG) - $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" - ;; - *) - $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$STOPPING" ] && { stop_firewall; exit 2; } - fi -} - -do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local disposition - disposition=$3 - - shift 3 - - do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ -} - -delete_tc1() -{ - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Detect a device's MTU -- echos the passed device's MTU -# -get_device_mtu() # $1 = device -{ - local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash - - if [ -n "$output" ]; then - echo $(find_mtu $output) - else - echo 1500 - fi -} - -# -# Version of the above that doesn't generate any output for MTU 1500. -# Generates 'mtu ' otherwise, where is the device's MTU + 100 -# -get_device_mtu1() # $1 = device -{ - local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash - local mtu - - if [ -n "$output" ]; then - mtu=$(find_mtu $output) - if [ -n "$mtu" ]; then - [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) - fi - fi - -} - -# -# Undo changes to routing -# -undo_routing() { - - if [ -z "$NOROUTES" ]; then - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the rest of the routing table - # - if [ -f ${VARDIR}/undo_routing ]; then - . 
${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing - fi - fi - -} - -restore_default_route() { - if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then - local default_route - default_route= - local route - - while read route ; do - case $route in - default*) - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a route with a metric -- we only replace the one with metric == 0 - # - qt ip route delete default metric 0 && \ - progress_message "Default Route with metric 0 deleted" - ;; - *) - qt ip route replace $default_route && \ - progress_message "Default Route (${default_route# }) restored" - ;; - esac - - break - fi - - default_route="$default_route $route" - ;; - *) - default_route="$default_route $route" - ;; - esac - done < ${VARDIR}/default_route - - rm -f ${VARDIR}/default_route - fi -} - # # Determine how to do "echo -e" # diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 266c92501..dbe2339b1 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1062,8 +1062,13 @@ add_command() { exit 2; fi - [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" - + case "$IPSET" in + */*) + ;; + *) + [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" + ;; + esac # # Normalize host list # @@ -1090,13 +1095,13 @@ add_command() { ipset=${zone}_${interface}; - if ! qt ipset -L $ipset -n; then + if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi host=${host#*:} - if ipset -A $ipset $host; then + if $IPSET -A $ipset $host; then echo "Host $interface:$host added to zone $zone" else fatal_error "Unable to add $interface:$host to zone $zone" 
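Review bot: the commit message ("More IP, IPSET and TC integration / Fix 'shorewall del' command") says nothing about the roughly 650 lines removed from Shorewall/lib.base in the hunks above (setpolicy through restore_default_route, taking chain_base, the find_* helpers, add_ip_aliases, disable_ipv6, do_log_rule_limit, delete_tc1 and get_device_mtu with them). Several of the deleted functions (delete_tc1, get_device_mtu, get_device_mtu1, restore_default_route) are exactly the ones edited in the first hunks of this series, which reads as a relocation to another library; the message should state where they went, and a deletion of this size would review more safely as its own commit separate from the IPSET plumbing.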
@@ -1115,7 +1120,13 @@ delete_command() { exit 2; fi - [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" + case "$IPSET" in + */*) + ;; + *) + [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" + ;; + esac # # Normalize host list @@ -1143,13 +1154,13 @@ delete_command() { ipset=${zone}_${interface}; - if ! qt ipset -L $ipset -n; then + if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi host=${hostent#*:} - if ipset -D $ipset $host; then + if $IPSET -D $ipset $host; then echo "Host $hostend deleted from zone $zone" else echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 80c6b82c9..ed1d0b3a7 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -125,6 +125,7 @@ # # get_config() { + local prog ensure_config_path 
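Review bot: in the lib.cli add_command hunk and the matching delete_command hunk above, the `*/*)` branch accepts any IPSET value containing a slash without checking that the file exists or is executable, so a mistyped path is only reported later by the less specific "Unable to add ..." failure; either mirror the `[ -x "$IPSET" ]` test that get_config performs, or, if get_config is guaranteed to have run first, drop the case statement here entirely rather than keeping a half check. Quote the expansion in the remaining branch as well: `$(mywhich "$IPSET")`.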
@@ -186,6 +187,75 @@ get_config() { export IPTABLES + if [ -n "$IP" ]; then + case "$IP" in + */*) + if [ ! -x "$IP" ] ; then + echo " ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $IP 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $IP executable" >&2 + exit 2 + fi + IP=$prog + ;; + esac + else + IP='ip' + fi + + export IP + + if [ -n "$IPSET" ]; then + case "$IPSET" in + */*) + if [ ! -x "$IPSET" ] ; then + echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $IPSET 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $IPSET executable" >&2 + exit 2 + fi + IPSET=$prog + ;; + esac + else + IPSET='ipset' + fi + + export IPSET + + if [ -n "$TC" ]; then + case "$TC" in + */*) + if [ ! -x "$TC" ] ; then + echo " ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $IP 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $IP executable" >&2 + exit 2 + fi + TC=$prog + ;; + esac + else + TC='tc' + fi + + export TC + # # Compile by non-root needs no restore file # @@ -1808,7 +1878,7 @@ case "$COMMAND" in delete) get_config shift - add_command $@ + delete_command $@ ;; save) get_config From 1ea8beb47ac52d63660be7c3bb90d440c65ffab2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 11:44:57 -0700 Subject: [PATCH 33/38] Fix a couple of bugs in IP, IPSET and TC implementation --- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/shorewall | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 564f9ad1e..3fc3d9df3 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
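Review bot: copy-paste error in the TC block of the get_config hunk: its `*)` branch runs `prog="$(mywhich $IP 2> /dev/null)"` and reports "Can't find $IP executable", so a bare `TC=tc` is resolved by looking up the ip binary and TC ends up pointing at it; both lines must reference `$TC`. The three blocks are otherwise identical, so a small helper that takes the variable name and its default would have prevented this and would shrink the hunk to a few lines. The `add_command` to `delete_command` correction in the `delete)` case at the end of the hunk is right and fixes the advertised 'shorewall del' bug.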
@@ -358,7 +358,7 @@ sub initialize( $ ) { IPTABLES => undef, IP => undef, TC => undef, - IPSEC => undef, + IPSET => undef, # #PATH is inherited # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index ed1d0b3a7..f02fdf17d 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -242,9 +242,9 @@ get_config() { fi ;; *) - prog="$(mywhich $IP 2> /dev/null)" + prog="$(mywhich $TC 2> /dev/null)" if [ -z "$prog" ] ; then - echo " ERROR: Can't find $IP executable" >&2 + echo " ERROR: Can't find $TC executable" >&2 exit 2 fi TC=$prog From 7b3935089013fe943f2d27826dc9e2c408b7c334 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 18 Apr 2009 11:46:22 -0700 Subject: [PATCH 34/38] Recommit lost commit --- Shorewall/Perl/Shorewall/Compiler.pm | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/lib.base | 652 --------------------------- Shorewall/lib.cli | 25 +- Shorewall/shorewall | 72 ++- 5 files changed, 91 insertions(+), 662 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 52d4e1abe..49771ef3d 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -349,7 +349,7 @@ sub generate_script_3($) { ' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"', ' ;;', ' *)', - ' IPSET="$(which ipset)"', + ' IPSET="$(which $IPSET)"', ' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' , ' ;;', 'esac', diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 564f9ad1e..3fc3d9df3 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -358,7 +358,7 @@ sub initialize( $ ) { IPTABLES => undef, IP => undef, TC => undef, - IPSEC => undef, + IPSET => undef, # #PATH is inherited # diff --git a/Shorewall/lib.base b/Shorewall/lib.base index e045d2e7b..c7a3f57f6 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
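Review bot: both hunks in PATCH 33 correct defects introduced earlier in this same series (the `IPSEC => undef` key in Config.pm's initialize() hash, which sits beside IPTABLES, IP and TC and so was clearly meant to be `IPSET`, and the `$IP` lookup in the TC block of get_config), so the series would be cleaner with these fix-ups squashed into the commits that introduced them rather than landing the bug and its repair as separate history. The Config.pm key is more than cosmetic: with the hash keyed `IPSEC`, the configuration layer carries no IPSET entry at all even though PATCH 30 documents the option.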
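Review bot: PATCH 34 "Recommit lost commit" re-applies hunks that already appear earlier in this series with identical index lines (Compiler.pm 52d4e1abe..49771ef3d from PATCH 31, Config.pm 564f9ad1e..3fc3d9df3 from PATCH 33, lib.base e045d2e7b..c7a3f57f6 from PATCH 32), so applied in order the series either stops on already-applied hunks or records the same change twice. The message should explain what was lost and from where, and either this commit or the earlier duplicates should be dropped before the series is merged.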
@@ -161,46 +161,6 @@ run_user_exit() # $1 = file name fi } -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established and related connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Flush one of the Mangle table chains -# -flushmangle() # $1 = name of chain -{ - run_iptables -t mangle -F $1 -} - -# -# Flush and delete all user-defined chains in the filter table -# -deleteallchains() { - run_iptables -F - run_iptables -X -} - # # Load a Kernel Module -- assumes that the variable 'moduledirectories' contains # a space-separated list of directories to search for @@ -373,38 +333,6 @@ mutex_off() rm -f ${LOCKFILE:=${VARDIR}/lock} } -# -# Load an optional library -# -lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found -{ - local lib - lib=${SHAREDIR}/lib.$1 - local loaded - - eval loaded=\$LIB_${1}_LOADED - - if [ -z "$loaded" ]; then - [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1 - - if [ -f $lib ]; then - progress_message "Loading library $lib..." - . $lib - eval LIB_${1}_LOADED=Yes - else - startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed" - fi - fi -} - -# -# Determine if an optional library is available -# -lib_avail() # $1 = Name of the Library -{ - [ -f ${SHAREDIR}/lib.$1 ] -} - # # Note: The following set of IP address manipulation functions have anomalous # behavior when the shell only supports 32-bit signed arithmetic and 
@@ -662,41 +590,6 @@ ip_vlsm() { fi } - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). -# -chain_base() #$1 = interface -{ - local c - c=${1%%+} - - while true; do - case $c in - @*) - c=at_${c#@} - ;; - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *%*) - c="${c%\%*}_${c##*%}" - ;; - *@*) - c="${c%@*}_${c##*@}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - # # Query NetFilter about the existence of a filter chain # 
@@ -705,224 +598,6 @@ chain_exists() # $1 = chain name qt $IPTABLES -L $1 -n } -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the value 'via' in the passed arguments then echo the next value -# - -find_gateway() { - while [ $# -gt 1 ]; do - [ "x$1" = xvia ] && echo $2 && return - shift - done -} - -# -# Find the value 'mtu' in the passed arguments then echo the next value -# - -find_mtu() { - while [ $# -gt 1 ]; do - [ "x$1" = xmtu ] && echo $2 && return - shift - done -} - -# -# Find the value 'peer' in the passed arguments then echo the next value up to -# "/" -# - -find_peer() { - while [ $# -gt 1 ]; do - [ "x$1" = xpeer ] && echo ${2%/*} && return - shift - done -} - -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route list | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - -# -# Try to find the gateway through an interface looking for 'nexthop' - -find_nexthop() # $1 = interface -{ - echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`) -} - -# -# Find the default route's interface -# -find_default_interface() { - ip route list | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev - dev="$(find_rt_interface $1)" - local first - local rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - -# -# Find the interface with the passed MAC address -# - -find_interface_by_mac() { - local mac - mac=$1 - local first - 
local second - local rest - local dev - - ip link list | while read first second rest; do - case $first in - *:) - dev=$second - ;; - *) - if [ "$second" = $mac ]; then - echo ${dev%:} - return - fi - esac - done -} - -# -# Determine if Interface is up -# -interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] -} - -# -# Find interface address--returns the first IP address assigned to the passed -# device -# -find_first_interface_address() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' -} - -find_first_interface_address_if_any() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 -} - -# -# Determine if interface is usable from a Netfilter prespective -# -interface_is_usable() # $1 = interface -{ - interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' -} - -# -# echo the list of networks routed out of a given interface -# -get_routed_networks() # $1 = interface name, $2-n = Fatal error message -{ - local address - local 
rest - - ip route show dev $1 2> /dev/null | - while read address rest; do - case "$address" in - default) - if [ $# -gt 1 ]; then - shift - fatal_error "$@" - else - echo "WARNING: default route ignored on interface $1" >&2 - fi - ;; - multicast|broadcast|prohibit|nat|throw|nexthop) - ;; - *) - [ "$address" = "${address%/*}" ] && address="${address}/32" - echo $address - ;; - esac - done -} - -get_interface_bcasts() # $1 = interface -{ - ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u -} - # # Internal version of 'which' # 
@@ -1329,125 +1004,6 @@ report_capabilities1() { echo CAPVERSION=$SHOREWALL_CAPVERSION } -# -# Delete IP address -# -del_ip_addr() # $1 = address, $2 = interface -{ - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 -} - -# Add IP Aliases -# -add_ip_aliases() # $* = List of addresses -{ - local addresses - local external - local interface - local inet - local cidr - local rest - local val1 - local arping - arping=$(mywhich arping) - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - - ip addr add ${external}${val} dev $interface $label - [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external - echo "$external $interface" >> $VARDIR/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - progress_message "Adding IP Addresses..." 
- - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift 2 - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - -detect_gateway() # $1 = interface -{ - local interface - interface=$1 - # - # First assume that this is some sort of point-to-point interface - # - gateway=$( find_peer $(ip addr list $interface ) ) - # - # Maybe there's a default route through this gateway already - # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface)) - # - # Last hope -- is there a load-balancing route through the interface? - # - [ -n "$gateway" ] || gateway=$(find_nexthop $interface) - # - # Be sure we found one - # - [ -n "$gateway" ] && echo $gateway -} - -# -# Disable IPV6 -# -disable_ipv6() { - local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt mywhich ip6tables; then - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - ip6tables -F - ip6tables -X - ip6tables -A OUTPUT -o lo -j ACCEPT - ip6tables -A INPUT -i lo -j ACCEPT - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and # dash do not support that form of expansion. 
@@ -1458,214 +1014,6 @@ truncate() # $1 = length cut -b -${1} } -# -# Add a logging rule. -# -do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local displayChain - displayChain=$3 - local disposition - disposition=$4 - local rulenum - rulenum= - local limit - limit= - local tag - tag= - local command - command= - local prefix - local base - base=$(chain_base $displayChain) - local pf - - limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. - tag=${6:+$6 } - command=${7:--A} - - shift 7 - - if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then - displayChain=$tag - tag= - fi - - if [ -n "$LOGRULENUMBERS" ]; then - # - # Hack for broken printf on some lightweight shells - # - [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) - - eval rulenum=\$${base}_logrules - - rulenum=${rulenum:-1} - - prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" - - rulenum=$(($rulenum + 1)) - eval ${base}_logrules=$rulenum - else - prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" - fi - - if [ ${#prefix} -gt 29 ]; then - prefix="`echo "$prefix" | truncate 28` " - error_message "WARNING: Log Prefix shortened to \"$prefix\"" - fi - - case $level in - ULOG) - $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" - ;; - *) - $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$STOPPING" ] && { stop_firewall; exit 2; } - fi -} - -do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local disposition - disposition=$3 - - shift 3 - - do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ -} - -delete_tc1() -{ - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Detect a device's MTU -- echos the passed device's MTU -# -get_device_mtu() # $1 = device -{ - local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash - - if [ -n "$output" ]; then - echo $(find_mtu $output) - else - echo 1500 - fi -} - -# -# Version of the above that doesn't generate any output for MTU 1500. -# Generates 'mtu ' otherwise, where is the device's MTU + 100 -# -get_device_mtu1() # $1 = device -{ - local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash - local mtu - - if [ -n "$output" ]; then - mtu=$(find_mtu $output) - if [ -n "$mtu" ]; then - [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) - fi - fi - -} - -# -# Undo changes to routing -# -undo_routing() { - - if [ -z "$NOROUTES" ]; then - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the rest of the routing table - # - if [ -f ${VARDIR}/undo_routing ]; then - . 
${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing - fi - fi - -} - -restore_default_route() { - if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then - local default_route - default_route= - local route - - while read route ; do - case $route in - default*) - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a route with a metric -- we only replace the one with metric == 0 - # - qt ip route delete default metric 0 && \ - progress_message "Default Route with metric 0 deleted" - ;; - *) - qt ip route replace $default_route && \ - progress_message "Default Route (${default_route# }) restored" - ;; - esac - - break - fi - - default_route="$default_route $route" - ;; - *) - default_route="$default_route $route" - ;; - esac - done < ${VARDIR}/default_route - - rm -f ${VARDIR}/default_route - fi -} - # # Determine how to do "echo -e" # diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 266c92501..dbe2339b1 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1062,8 +1062,13 @@ add_command() { exit 2; fi - [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" - + case "$IPSET" in + */*) + ;; + *) + [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" + ;; + esac # # Normalize host list # @@ -1090,13 +1095,13 @@ add_command() { ipset=${zone}_${interface}; - if ! qt ipset -L $ipset -n; then + if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi host=${host#*:} - if ipset -A $ipset $host; then + if $IPSET -A $ipset $host; then echo "Host $interface:$host added to zone $zone" else fatal_error "Unable to add $interface:$host to zone $zone" 
@@ -1115,7 +1120,13 @@ delete_command() { exit 2; fi - [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" + case "$IPSET" in + */*) + ;; + *) + [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" + ;; + esac # # Normalize host list @@ -1143,13 +1154,13 @@ delete_command() { ipset=${zone}_${interface}; - if ! qt ipset -L $ipset -n; then + if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi host=${hostent#*:} - if ipset -D $ipset $host; then + if $IPSET -D $ipset $host; then echo "Host $hostend deleted from zone $zone" else echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 80c6b82c9..f02fdf17d 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -125,6 +125,7 @@ # # get_config() { + local prog ensure_config_path 
@@ -186,6 +187,75 @@ get_config() { export IPTABLES + if [ -n "$IP" ]; then + case "$IP" in + */*) + if [ ! -x "$IP" ] ; then + echo " ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $IP 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $IP executable" >&2 + exit 2 + fi + IP=$prog + ;; + esac + else + IP='ip' + fi + + export IP + + if [ -n "$IPSET" ]; then + case "$IPSET" in + */*) + if [ ! -x "$IPSET" ] ; then + echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $IPSET 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $IPSET executable" >&2 + exit 2 + fi + IPSET=$prog + ;; + esac + else + IPSET='ipset' + fi + + export IPSET + + if [ -n "$TC" ]; then + case "$TC" in + */*) + if [ ! -x "$TC" ] ; then + echo " ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2 + exit 2 + fi + ;; + *) + prog="$(mywhich $TC 2> /dev/null)" + if [ -z "$prog" ] ; then + echo " ERROR: Can't find $TC executable" >&2 + exit 2 + fi + TC=$prog + ;; + esac + else + TC='tc' + fi + + export TC + # # Compile by non-root needs no restore file # @@ -1808,7 +1878,7 @@ case "$COMMAND" in delete) get_config shift - add_command $@ + delete_command $@ ;; save) get_config From 50b2f5ffae1d966a01642f651a5ba8327559efed Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 19 Apr 2009 07:17:56 -0700 Subject: [PATCH 35/38] Modify regression test to ensure that modification timestamp of the output file changes --- Shorewall/Perl/compiler.pl | 5 ++++- tools/testing/regression | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index f47e5becf..766219b95 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl 
@@ -44,6 +44,8 @@ use Shorewall::Compiler; use Getopt::Long; sub usage( $ ) { + my $returnval = shift @_; + print STDERR 'usage: compiler.pl [
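Review bot: The bulk removal in the hunks before `report_capabilities1()` and `truncate()` drops `disable_ipv6()`, which is the code that installs `ip6tables -P FORWARD DROP` / `-P INPUT DROP` / `-P OUTPUT DROP` behind `DISABLE_IPV6=Yes` in shorewall.conf; unless that function now lives in another file, the option silently stops enforcing anything. The same question applies to `do_log_rule_limit()`'s fail-closed path (`[ -z "$STOPPING" ] && { stop_firewall; exit 2; }`), `undo_routing()`, `restore_default_route()`, `add_ip_aliases()` and `delete_tc1()`. The commit message should say where each of these moved, and a grep for remaining callers is worth doing before merging.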
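Review bot: In the `add_command()` hunk at `@@ -1062,8 +1062,13 @@`, the new `case "$IPSET"` is not self-sufficient: the `*/*)` branch accepts any path without checking that it exists or is executable, and when `$IPSET` is empty the `*)` branch runs `mywhich` with no argument. It only works because `get_config()` in the `shorewall` script has already validated and expanded `IPSET` to an absolute path, which also means the `*)` branch never runs in practice. Either drop the check here or start it with `IPSET=${IPSET:-ipset}`; the identical block is pasted again in `delete_command()`, so a small helper would keep the two in step.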
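Review bot: The unchanged context line in the `add_command()` hunk at `@@ -1090,13 +1095,13 @@` carries a pre-existing typo, `"Zone $zone, interface $interface is does not have a dynamic host list"`; since the adjacent lines are being touched anyway, dropping the stray "is" here (and in the same message in `delete_command()`) would be cheap.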
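Review bot: In the `delete_command()` hunk at `@@ -1143,13 +1154,13 @@`, the context line `echo "Host $hostend deleted from zone $zone"` references `$hostend` while the variable set two lines above is `$hostent`, so the success message prints an empty host name; the failure message `"Unable to delete host $hostent to zone $zone"` should read "from zone". Both sit right next to the changed `$IPSET -D` line and could be fixed in the same commit.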
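Review bot: The `get_config()` hunk at `@@ -186,6 +187,75 @@` repeats the same 20-line validate-or-resolve block three times for `IP`, `IPSET` and `TC`; a single function taking the variable name and its default (`resolve_prog IP ip`, for instance) would cut the hunk to a few lines and make the next such variable a one-liner. On the security side, a bare name is resolved through `mywhich` using whatever search path the invoking shell has, and the result is then exported and used by a root-run firewall script, so the documentation for these new shorewall.conf settings should recommend absolute paths; the `*/*)` branch already handles that form with the `-x` check.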
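Review bot: The hunk at `@@ -1808,7 +1878,7 @@` replaces `add_command $@` with `delete_command $@` under `delete)`, which means the `delete` command was previously adding hosts to dynamic zones instead of removing them. That is a behavioural bug fix unrelated to the `IP`/`IPSET`/`TC` settings and deserves its own commit and a changelog entry so users of dynamic zones know to update. While here, `$@` should be quoted as `"$@"` so arguments are passed through unchanged.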
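Review bot: The compiler.pl hunk at `@@ -44,6 +44,8 @@` is cut off on this page after `my $returnval = shift @_;`, so only the intent is visible: `usage()` now takes an exit status from its caller. With the `sub usage( $ )` prototype every call site must pass exactly one argument or the script fails at compile time, so all existing `usage` calls in compiler.pl need to be updated in the same commit; the diffstat's 5 changed lines suggest they are, but the visible part does not show it.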