diff --git a/Shorewall/compiler b/Shorewall/compiler index e3bedcb03..bd297723c 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -4633,8 +4633,9 @@ SHAREDIR=/usr/share/shorewall-lite CONFDIR=/etc/shorewall-lite VARDIR=/var/lib/shorewall-lite -. \${SHAREDIR}/functions __EOF__ + + cat ${SHAREDIR}/lib.base >&3 else cat >&3 << __EOF__ SHAREDIR=/usr/share/shorewall @@ -4771,15 +4772,6 @@ __EOF__ if [ -n "$EXPORT" ]; then cat >&3 << __EOF__ - if [ ! -f \${SHAREDIR}/version ]; then - fatal_error "This script requires Shorewall Lite which do not appear to be installed on this system" - fi - - local version=\$(cat \${SHAREDIR}/version) - - if [ \${LIBVERSION:-0} -lt 30200 ]; then - fatal_error "This script requires Shorewall Lite version 3.2.3 or later; current version is \$version" - fi # # These variables are required by the library functions called in this script # diff --git a/Shorewall/lib.base b/Shorewall/lib.base index f92612dc3..b5bd296b6 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 3.2 -- /usr/share/shorewall/lib.common +# Shorewall 3.2 -- /usr/share/shorewall/lib.base # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -79,6 +79,22 @@ split() { IFS=$ifs } +# +# Search a list looking for a match -- returns zero if a match found +# 1 otherwise +# +list_search() # $1 = element to search for , $2-$n = list +{ + local e=$1 + + while [ $# -gt 1 ]; do + shift + [ "x$e" = "x$1" ] && return 0 + done + + return 1 +} + # # Suppress all output for a command # @@ -806,6 +822,31 @@ find_file() esac } +# +# Get fully-qualified name of file +# +resolve_file() # $1 = file name +{ + local pwd=$PWD + + case $1 in + /*) + echo $1 + ;; + ./*) + echo ${pwd}${1#.} + ;; + ../*) + cd .. + resolve_file ${1#../} + cd $pwd + ;; + *) + echo $pwd/$1 + ;; + esac +} + # # Set the Shorewall state # @@ -1194,439 +1235,17 @@ delete_tc1() } # -# Determine the value for a parameter that defaults to Yes +# Detect a device's MTU # -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value +get_device_mtu() # $1 = device { - local val="$2" + local output="$(ip link ls dev $1 2> /dev/null)" # quotes required for /bin/ash - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - # Make sure umask is sane - umask 077 - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - TERMINATOR=fatal_error - # - # Clear all configuration variables - # - VERSION= - IPTABLES= - FW= - SUBSYSLOCK= - ALLOWRELATED=Yes - LOGRATE= - LOGBURST= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - TC_ENABLED= - BLACKLIST_DISPOSITION= - BLACKLIST_LOGLEVEL= - CLAMPMSS= - ROUTE_FILTER= - LOG_MARTIANS= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - FORWARDPING= - MACLIST_DISPOSITION= - MACLIST_LOG_LEVEL= - TCP_FLAGS_DISPOSITION= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - MARK_IN_FORWARD_CHAIN= - VERSION_FILE= - LOGFORMAT= - LOGRULENUMBERS= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - MODULE_SUFFIX= - ACTIONS= - USEDACTIONS= - SMURF_LOG_LEVEL= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - USEPKTYPE= - RETAIN_ALIASES= - DELAYBLACKLISTLOAD= - LOGTAGONLY= - LOGALLNEW= - RFC1918_STRICT= - MACLIST_TTL= - SAVE_IPSETS= - RESTOREFILE= - MAPOLDACTIONS= - IMPLICIT_CONTINUE= - HIGH_ROUTE_MARKS= - TC_EXPERT= - MODULESDIR= - IPSECFILE= - IP_FORWARDING= - CLEAR_TC= - MACLIST_TABLE= - FASTACCEPT= - USE_ACTIONS= - DROP_DEFAULT= - REJECT_DEFAULT= - ACCEPT_DEFAULT= - QUEUE_DEFAULT= - - LOGLIMIT= - LOGPARMS= - OUTPUT= - TMP_DIR= - ALL_INTERFACES= - ROUTEMARK_INTERFACES= - IPSECMARK=256 - PROVIDERS= - CRITICALHOSTS= - EXCLUSION_SEQ=1 - STOPPING= - HAVE_MUTEX= - ALIASES_TO_ADD= - SECTION=ESTABLISHED - SECTIONS= - ALL_PORTS= - DEFAULT_MACROS= - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - fatal_error "Can't create a temporary directory" - - case $PROGRAM in - compiler) - trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - firewall) - trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - ;; - esac - - ensure_config_path - - VERSION_FILE=$SHAREDIR/version - - [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) - - run_user_exit params - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config - else - fatal_error "Cannot read $config (Hint: Are you root?)" - fi + if [ -n "$output" ]; then + echo $(find_mtu $output) else - fatal_error "$config does not exist!" + echo 1500 fi - - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to accurately determine - # capabilities when module autoloading isn't enabled. - # - PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) - - [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - if [ -z "$EXPORT" -a "$(whoami)" = root ]; then - - load_kernel_modules - - if [ -z "$IPTABLES" ]; then - IPTABLES=$(mywhich iptables 2> /dev/null) - - [ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable" - else - [ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable" - fi - determine_capabilities - - else - f=$(find_file capabilities) - - [ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file" - fi - - ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" - [ -n "$ALLOWRELATED" ] || \ - fatal_error "ALLOWRELATED=No is not supported" - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) - ;; - *) - fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] - - case "$CLAMPMSS" in - [0-9]*) - ;; - *) - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ;; - esac - - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) - LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) - [ -n "$FORWARDPING" ] && \ - fatal_error "FORWARDPING=Yes is no longer supported" - - maclist_target=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case $MACLIST_DISPOSITION in - REJECT) - ;; - DROP) - maclist_target=DROP - ;; - ACCEPT) - maclist_target=RETURN - ;; - *) - fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -n "${RFC1918_LOG_LEVEL:=info}" ] - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) - if [ $? -ne 0 ]; then - fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) - if [ $? -ne 0 ]; then - fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - [ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" - else - LOGFORMAT="Shorewall:%s:%s:" - fi - - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - if [ -n "$DYNAMIC_ZONES" ]; then - [ -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" - lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" - fi - - STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) - RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) - [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= - DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) - LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) - MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) - FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) - IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) - HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) - TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) - USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) - [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - - [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= - [ -n "$XMARK" ] || XCONNMARK= - - [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" - - case ${IPSECFILE:=ipsec} in - ipsec|zones) - ;; - *) - fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option" - ;; - esac - - case ${MACLIST_TABLE:=filter} in - filter) - ;; - mangle) - [ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" - ;; *) - fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" - ;; - esac - - TC_SCRIPT= - - if [ -n "$TC_ENABLED" ] ; then - case "$TC_ENABLED" in - [Yy][Ee][Ss]) - TC_ENABLED= - TC_SCRIPT=$(find_file tcstart) - [ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file" - ;; - [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) - TC_ENABLED=Yes - ;; - [Nn][Oo]) - TC_ENABLED= - ;; - esac - else - TC_ENABLED=Yes - fi - - if [ -n "$TC_ENABLED" ];then - [ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables" - fi - - [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" - [ -n "${RESTOREFILE:=restore}" ] - - case "${DROP_DEFAULT:=Drop}" in - None) - DROP_DEFAULT=none - ;; - esac - - case "${REJECT_DEFAULT:=Reject}" in - None) - REJECT_DEFAULT=none - ;; - esac - - case "${QUEUE_DEFAULT:=none}" in - None) - QUEUE_DEFAULT=none - ;; - esac - - case "${ACCEPT_DEFAULT:=none}" in - None) - ACCEPT_DEFAULT=none - ;; - esac - - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts - # - # Check out the user's shell - # - [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - if [ -z "$KLUDGEFREE" ]; then - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange - fi - - qt mywhich awk && HAVEAWK=Yes || HAVEAWK= } SHOREWALL_LIBRARY=Loaded diff --git a/Shorewall/lib.common b/Shorewall/lib.common index f35345e36..ca4efa7aa 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -134,22 +134,6 @@ truncate() # $1 = length cut -b -${1} } -# -# Search a list looking for a match -- returns zero if a match found -# 1 otherwise -# -list_search() # $1 = element to search for , $2-$n = list -{ - local e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - # # Return a space separated list of values matching # @@ -227,31 +211,6 @@ fix_bang() echo $result } -# -# Get fully-qualified name of file -# -resolve_file() # $1 = file name -{ - local pwd=$PWD - - case $1 in - /*) - echo $1 - ;; - ./*) - echo ${pwd}${1#.} - ;; - ../*) - cd .. - resolve_file ${1#../} - cd $pwd - ;; - *) - echo $pwd/$1 - ;; - esac -} - # # This function assumes that the TMP_DIR variable is set and that # its value names an existing directory. @@ -1614,15 +1573,437 @@ verify_mark() # $1 = value to test } # -# Detect a device's MTU +# Determine the value for a parameter that defaults to Yes # -get_device_mtu() # $1 = device +added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value { - local output="$(ip link ls dev $1 2> /dev/null)" # quotes required for /bin/ash + local val="$2" - if [ -n "$output" ]; then - echo $(find_mtu $output) - else - echo 1500 + if [ -z "$val" ]; then + echo "Yes" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + startup_error "Invalid value ($val) for $1" + ;; + esac fi } + +# +# Determine the value for a parameter that defaults to No +# +added_param_value_no() # $1 = Parameter Name, $2 = Parameter value +{ + local val="$2" + + if [ -z "$val" ]; then + echo "" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + startup_error "Invalid value ($val) for $1" + ;; + esac + fi +} + +# +# Initialize this program +# +do_initialize() { + + # Run all utility programs using the C locale + # + # Thanks to Vincent Planchenault for this tip # + + export LC_ALL=C + + # Make sure umask is sane + umask 077 + + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + # + # Establish termination function + # + TERMINATOR=fatal_error + # + # Clear all configuration variables + # + VERSION= + IPTABLES= + FW= + SUBSYSLOCK= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + LOG_MARTIANS= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + VERSION_FILE= + LOGFORMAT= + LOGRULENUMBERS= + ADMINISABSENTMINDED= + BLACKLISTNEWONLY= + MODULE_SUFFIX= + ACTIONS= + USEDACTIONS= + SMURF_LOG_LEVEL= + DISABLE_IPV6= + BRIDGING= + DYNAMIC_ZONES= + PKTTYPE= + USEPKTYPE= + RETAIN_ALIASES= + DELAYBLACKLISTLOAD= + LOGTAGONLY= + LOGALLNEW= + RFC1918_STRICT= + MACLIST_TTL= + SAVE_IPSETS= + RESTOREFILE= + MAPOLDACTIONS= + IMPLICIT_CONTINUE= + HIGH_ROUTE_MARKS= + TC_EXPERT= + MODULESDIR= + IPSECFILE= + IP_FORWARDING= + CLEAR_TC= + MACLIST_TABLE= + FASTACCEPT= + USE_ACTIONS= + DROP_DEFAULT= + REJECT_DEFAULT= + ACCEPT_DEFAULT= + QUEUE_DEFAULT= + + LOGLIMIT= + LOGPARMS= + OUTPUT= + TMP_DIR= + ALL_INTERFACES= + ROUTEMARK_INTERFACES= + IPSECMARK=256 + PROVIDERS= + CRITICALHOSTS= + EXCLUSION_SEQ=1 + STOPPING= + HAVE_MUTEX= + ALIASES_TO_ADD= + SECTION=ESTABLISHED + SECTIONS= + ALL_PORTS= + DEFAULT_MACROS= + + TMP_DIR=$(mktempdir) + + [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ + fatal_error "Can't create a temporary directory" + + case $PROGRAM in + compiler) + trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 + ;; + firewall) + trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 + ;; + esac + + ensure_config_path + + VERSION_FILE=$SHAREDIR/version + + [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) + + run_user_exit params + + config=$(find_file shorewall.conf) + + if [ -f $config ]; then + if [ -r $config ]; then + progress_message "Processing $config..." + . $config + else + fatal_error "Cannot read $config (Hint: Are you root?)" + fi + else + fatal_error "$config does not exist!" + fi + + # + # Restore CONFIG_PATH if the shorewall.conf file cleared it + # + ensure_config_path + # + # Determine the capabilities of the installed iptables/netfilter + # We load the kernel modules here to accurately determine + # capabilities when module autoloading isn't enabled. + # + PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) + + [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] + + if [ -z "$EXPORT" -a "$(whoami)" = root ]; then + + load_kernel_modules + + if [ -z "$IPTABLES" ]; then + IPTABLES=$(mywhich iptables 2> /dev/null) + + [ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable" + else + [ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable" + fi + determine_capabilities + + else + f=$(find_file capabilities) + + [ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file" + fi + + ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" + [ -n "$ALLOWRELATED" ] || \ + fatal_error "ALLOWRELATED=No is not supported" + ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" + + if [ -n "${LOGRATE}${LOGBURST}" ]; then + LOGLIMIT="--match limit" + [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" + [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" + fi + + if [ -n "$IP_FORWARDING" ]; then + case "$IP_FORWARDING" in + [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) + ;; + *) + fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" + ;; + esac + else + IP_FORWARDING=On + fi + + [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] + + case "$CLAMPMSS" in + [0-9]*) + ;; + *) + CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) + ;; + esac + + ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) + ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) + LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) + DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) + FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) + [ -n "$FORWARDPING" ] && \ + fatal_error "FORWARDPING=Yes is no longer supported" + + maclist_target=reject + + if [ -n "$MACLIST_DISPOSITION" ] ; then + case $MACLIST_DISPOSITION in + REJECT) + ;; + DROP) + maclist_target=DROP + ;; + ACCEPT) + maclist_target=RETURN + ;; + *) + fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" + ;; + esac + else + MACLIST_DISPOSITION=REJECT + fi + + if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then + case $TCP_FLAGS_DISPOSITION in + REJECT|ACCEPT|DROP) + ;; + *) + fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" + ;; + esac + else + TCP_FLAGS_DISPOSITION=DROP + fi + + [ -n "${RFC1918_LOG_LEVEL:=info}" ] + + MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) + [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre + CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) + + if [ -n "$LOGFORMAT" ]; then + if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then + LOGRULENUMBERS=Yes + temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) + if [ $? -ne 0 ]; then + fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + else + temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) + if [ $? -ne 0 ]; then + fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + fi + + [ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" + else + LOGFORMAT="Shorewall:%s:%s:" + fi + + ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) + BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) + DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) + BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) + + DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + if [ -n "$DYNAMIC_ZONES" ]; then + [ -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" + lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" + fi + + STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) + RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) + [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= + DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) + LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) + RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) + SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) + FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) + IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) + HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) + TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) + USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) + [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" + + [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= + [ -n "$XMARK" ] || XCONNMARK= + + [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" + + case ${IPSECFILE:=ipsec} in + ipsec|zones) + ;; + *) + fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option" + ;; + esac + + case ${MACLIST_TABLE:=filter} in + filter) + ;; + mangle) + [ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" + ;; *) + fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" + ;; + esac + + TC_SCRIPT= + + if [ -n "$TC_ENABLED" ] ; then + case "$TC_ENABLED" in + [Yy][Ee][Ss]) + TC_ENABLED= + TC_SCRIPT=$(find_file tcstart) + [ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file" + ;; + [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) + TC_ENABLED=Yes + ;; + [Nn][Oo]) + TC_ENABLED= + ;; + esac + else + TC_ENABLED=Yes + fi + + if [ -n "$TC_ENABLED" ];then + [ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables" + fi + + [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" + [ -n "${RESTOREFILE:=restore}" ] + + case "${DROP_DEFAULT:=Drop}" in + None) + DROP_DEFAULT=none + ;; + esac + + case "${REJECT_DEFAULT:=Reject}" in + None) + REJECT_DEFAULT=none + ;; + esac + + case "${QUEUE_DEFAULT:=none}" in + None) + QUEUE_DEFAULT=none + ;; + esac + + case "${ACCEPT_DEFAULT:=none}" in + None) + ACCEPT_DEFAULT=none + ;; + esac + + # + # Strip the files that we use often + # + strip_file interfaces + strip_file hosts + # + # Check out the user's shell + # + [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] + + temp=$(decodeaddr 192.168.1.1) + if [ $(encodeaddr $temp) != 192.168.1.1 ]; then + fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" + fi + + if [ -z "$KLUDGEFREE" ]; then + rm -f $TMP_DIR/physdev + rm -f $TMP_DIR/iprange + fi + + qt mywhich awk && HAVEAWK=Yes || HAVEAWK= +}