More code generation changes; remove trailing whitespace

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-10-31 19:01:23 +00:00
parent 058bb60e26
commit 2e949f5aa8
25 changed files with 229 additions and 223 deletions


@ -39,7 +39,7 @@
# Fatal error -- stops the compiler after issuing the error message
#
fatal_error() # $* = Error Message
{
{
echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
[ -n "$OUTPUT" ] && rm -f $OUTPUT
@ -49,10 +49,10 @@ fatal_error() # $* = Error Message
#
# We include this for compatibility with the 'firewall' script. It distinguishes between
# Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall
# Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall
# state has been changed. This allows us to use common parsing routines in both programs.
#
startup_error()
startup_error()
{
echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@ -508,7 +508,7 @@ validate_policy()
esac
default=
case $policy in
*:None|*:none)
default=none
@ -546,7 +546,7 @@ validate_policy()
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;;
@ -569,7 +569,7 @@ validate_policy()
[ "x$synparams" = "x-" ] && synparams=
policy=${policy%:*}
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
eval ${chain}_is_policy=Yes
@ -802,7 +802,7 @@ setup_ecn() # $1 = file name
if [ -n "$interfaces" ]; then
progress_message "$DOING ECN control on${interfaces}..."
for interface in $interfaces; do
chain=$(ecn_chain $interface)
if havemanglechain $chain; then
@ -813,7 +813,7 @@ setup_ecn() # $1 = file name
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
fi
done
for host in $hosts; do
interface=${host%:*}
h=${host#*:}
@ -897,7 +897,7 @@ setup_tc1() {
# Just in case the file ended with a comment
#
[ -n "$COMMENTS" ] && save_command COMMENT=
#
# Link to the TC mangle chains from the main chains
#
@ -1371,7 +1371,7 @@ substitute_action() # $1 = parameter, $2 = action
# it handles builtin actions.
#
process_actions3()
{
{
for xaction in $USEDACTIONS; do
#
# Find the chain associated with this action:level:tag
@ -1538,7 +1538,7 @@ __EOF__
set -- $(separate_list $xtag)
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
run_iptables -A $xchain -m recent --name $1 --set
if [ -n "$xlevel" ]; then
@ -1796,12 +1796,12 @@ add_a_rule() {
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
handle_exclusion()
{
build_exclusion_chain chain filter "$excludesource" "$excludedest"
@ -1826,7 +1826,7 @@ add_a_rule() {
do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}"
case $proto in
@ -1879,7 +1879,7 @@ add_a_rule() {
dest_interface=
serv=
case "$server" in
-)
;;
@ -1907,7 +1907,7 @@ add_a_rule() {
servport=$serverport
multiport=
user="$userandgroup"
# Restore $chain to the canonical chain.
chain=$logchain
@ -1958,7 +1958,7 @@ add_a_rule() {
;;
REDIRECT)
[ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\""
[ -n "$serv" ] && \
fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
@ -1966,7 +1966,7 @@ add_a_rule() {
;;
DNAT|SAME)
[ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\""
[ -n "$serv" ] || \
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes
@ -1986,7 +1986,7 @@ add_a_rule() {
state=
;;
esac
if [ -n "${serv}${servport}" ]; then
# A specific server or server port given
@ -1997,11 +1997,11 @@ add_a_rule() {
elif [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
fi
if [ -n "${excludesource}${excludedest}" ]; then
handle_exclusion
fi
if [ -z "$dnat_only" ]; then
if [ -n "$serv" ]; then
for serv1 in $(separate_list $serv); do
@ -2019,7 +2019,7 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
done
@ -2029,12 +2029,12 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
@ -2047,11 +2047,11 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $sports $multiport $cli $dports)
fi
[ -n "$nonat" ] && \
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN
[ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$dports $ratelimit $user -j $target
@ -2071,13 +2071,13 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
fi
if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
@ -2089,13 +2089,13 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi
if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -j $target
@ -2923,13 +2923,13 @@ process_default_macro() # $1 = macro name
add_a_rule
progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE"
done < $TMP_DIR/macro.$macro
progress_message "..End Macro"
}
#
# Process a record from the tos file
#
@ -3118,11 +3118,11 @@ process_tos() # $1 = name of tos file
chain=fortos
stdchain=FORWARD
fi
strip_file tos $1
if [ -s $TMP_DIR/tos ] ; then
save_progress_message "Setting up TOS..."
progress_message2 "$DOING $1..."
@ -3496,7 +3496,7 @@ refresh_blacklist() {
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
INDENT="$indent"
save_command "fi"
}
@ -4234,7 +4234,7 @@ activate_rules()
fi
need_broadcast=
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
chain=$(dnat_chain $zone)
@ -4266,7 +4266,7 @@ activate_rules()
if [ -n "$exclusions" ]; then
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j ${zone}_input
run_iptables -A ${zone}_input -j $chain2
else
else
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
fi
fi
@ -4302,20 +4302,20 @@ activate_rules()
dest_zones=
#
# The following loop attempts to eliminate redundant sequences of jumps to
# all2all or <source zone>2all. It does so by combining all trailing
# The following loop attempts to eliminate redundant sequences of jumps to
# all2all or <source zone>2all. It does so by combining all trailing
# jumps to the same policy-only chain.
#
for zone1 in $ZONES; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
if [ $zone = $zone1 ]; then
#
# Try not to generate superfluous intra-zone rules
@ -4323,7 +4323,7 @@ activate_rules()
eval routeback=\"\$${zone}_routeback\"
eval interfaces=\"\$${zone}_interfaces\"
eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces)
#
# If the zone has a single interface then what matters is how many ports it has
@ -4335,8 +4335,8 @@ activate_rules()
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
fi
fi
fi
case $chain in
*2all)
@ -4402,7 +4402,7 @@ activate_rules()
for zone1 in $dest_zones; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts
@ -4411,7 +4411,7 @@ activate_rules()
chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
if [ $zone = $zone1 ]; then
@ -4420,12 +4420,12 @@ activate_rules()
eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces)
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
fi
else
routeback=
num_ifaces=0
@ -4473,8 +4473,8 @@ activate_rules()
*)
insert_exclusions filter $chain $exclusions1
;;
esac
fi
esac
fi
if [ -n "$complex" ]; then
for host1 in $dest_hosts; do
@ -4519,9 +4519,9 @@ activate_rules()
for host in $source_hosts; do
interface=${host%%:*}
networks=${host#*:}
chain=$(forward_chain $interface)
run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain
done
fi
@ -4880,7 +4880,7 @@ conditionally_add_option() { # $1 = option name
[ -n "\${$1:=$value}" ]
__EOF__
fi
}
}
conditionally_add_option1() { # $1 = option name
local value
@ -4892,7 +4892,7 @@ conditionally_add_option1() { # $1 = option name
$1="$value"
__EOF__
fi
}
}
#
# Compile a Firewall Script
@ -5054,7 +5054,7 @@ run_iptables()
else
\$IPTABLES \$@
fi
if [ \$? -ne 0 ]; then
error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
stop_firewall
@ -5377,7 +5377,7 @@ __EOF__
done
strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
createchain reject no
createchain dynamic no
createchain logdrop no
@ -5431,8 +5431,9 @@ __EOF__
#
if strip_file_and_lib_load providers providers; then
setup_providers $(find_file providers)
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
[ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking
else
save_command
save_command undo_routing
save_command restore_default_route
fi
@ -5624,10 +5625,10 @@ __EOF__
for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do
conditionally_add_option $option
done
conditionally_add_option1 TC_ENABLED
exec 3>&-
exec 3>&-
fi
progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)"


@ -6,8 +6,8 @@
# Note to maintainers.
#
# The CONFDIR variable is normally set to /etc/shorewall but when
# the command is "compile -e" then CONFDIR is set to
# /usr/share/shorewall/configfiles/. This prevents 'compile -e'
# the command is "compile -e" then CONFDIR is set to
# /usr/share/shorewall/configfiles/. This prevents 'compile -e'
# from trying to use configuration information from /etc/shorewall.
CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
@ -15,8 +15,8 @@ CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
#
# SHOREWALL LITE'S FIREWALL SCRIPT DIRECTORY
#
# There is lack of agreement about where exactly in the file hierarchy the
# firewall script in Shorewall Lite systems should be stored. To allow
# There is lack of agreement about where exactly in the file hierarchy the
# firewall script in Shorewall Lite systems should be stored. To allow
# everyone's opinion to prevail (and to prevent the Shorewall author from
# going crazy), the LITEDIR option allows you to decide where the file will
# be stored on Shorewall Lite systems under your distribution.


@ -175,7 +175,7 @@ export)
the '<directory1>/firewall' script is copied via scp to the specified
<target>
<target> is of the form [user@]<system>:[<directory1>]
<target> is of the form [user@]<system>:[<directory1>]
Example:


@ -773,7 +773,7 @@ process_action3() {
if [ -n "$is_macro" ]; then
xtarget1=$(map_old_action $xtarget1)
case $xtarget1 in
*/*)
param=${xtarget1#*/}
@ -784,15 +784,15 @@ process_action3() {
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $xaction2 $mtarget)
case $mtarget in
PARAM|PARAM:*)
[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
;;
esac
if [ -n "$mclients" ]; then
case $mclients in
-|SOURCE)
@ -808,7 +808,7 @@ process_action3() {
else
mclients=${xclients}
fi
if [ -n "$mservers" ]; then
case $mservers in
-|DEST)
@ -824,13 +824,13 @@ process_action3() {
else
mservers=${xserverss}
fi
[ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol
[ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports
[ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}"
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec
done < $TMP_DIR/macro.$xtarget1
@ -840,7 +840,7 @@ process_action3() {
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
fi
done < $TMP_DIR/$f
[ -n "$COMMENTS" ] && save_command COMMENT=
}


@ -22,9 +22,9 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This library contains the code common to all Shorewall components. It is copied into
# the compiled script with the -e compiler flag is specified and is loaded by
# the compiled script with the -e compiler flag is specified and is loaded by
# /sbin/shorewall, /usr/share/shorewall/compiler and /usr/share/shorewall/firewall. It
# is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
# is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
# and /usr/share/shorewall-lite/shorecap.
#
@ -179,9 +179,9 @@ deleteallchains() {
}
#
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
# a space-separated list of directories to search for
# the module and that 'moduleloader' contains the
# the module and that 'moduleloader' contains the
# module loader command.
#
loadmodule() # $1 = module name, $2 - * arguments
@ -346,7 +346,7 @@ lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library
lib_avail() # $1 = Name of the Library
{
[ -f ${SHAREDIR}/lib.$1 ]
}
}
#
# Note: The following set of IP address manipulation functions have anomalous
@ -758,6 +758,14 @@ find_first_interface_address_if_any() # $1 = interface
[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
}
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
interface_is_up $1 && [ "\$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
@ -990,9 +998,9 @@ report_capabilities() {
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
@ -1286,7 +1294,7 @@ get_device_mtu() # $1 = device
# Undo changes to routing
#
undo_routing() {
if [ -z "$NOROUTES" ]; then
#
# Restore rt_tables database
@ -1308,7 +1316,7 @@ undo_routing() {
}
restore_default_route() {
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
local default_route= route
@ -1329,10 +1337,10 @@ restore_default_route() {
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route"
;;
*)
@ -1340,7 +1348,7 @@ restore_default_route() {
;;
esac
done < ${VARDIR}/default_route
rm -f ${VARDIR}/default_route
fi
}
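Review bot: The address test in the new `interface_is_usable` is defeated by the backslash: in a plain function body (this is not a here-document) `"\$(find_first_interface_address_if_any $1)"` is the literal string `$(find_first_interface_address_if_any eth0)`, which never equals `0.0.0.0`, so the function reduces to `interface_is_up $1`. The inline checks this helper replaces in lib.maclist and lib.providers needed the escape only because they were being written into the compiled script through a heredoc or a `save_command` string; here the body should read `interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]`. Unless the page rendering added the backslash, every new caller (providers, route marking, traffic shaping, maclist) now treats an interface that is up but has no IPv4 address as usable, and even if lib.base were inlined through an expanding heredoc for `compile -e`, the copy loaded directly by /usr/share/shorewall/firewall would keep the literal. While here, the header comment reads `prespective` for `perspective`.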


@ -102,13 +102,13 @@ separate_list() {
# Undo the effect of 'separate_list()'
#
combine_list()
{
{
local f o=
for f in $* ; do
for f in $* ; do
o="${o:+$o,}$f"
done
echo $o
}
@ -448,7 +448,7 @@ setup_ipsec() {
# Set up rules to set MSS to and/or from zone "$zone"
#
set_mss() # $1 = MSS value, $2 = _in, _out or ""
{
{
for z in $ZONES $FW; do
case $2 in
_in)
@ -599,7 +599,7 @@ validate_hosts_file() {
eval ${z}_is_complex=Yes
;;
esac
fi
fi
for host in $(separate_list $hosts); do
if [ -n "$BRIDGING" ]; then
@ -632,7 +632,7 @@ validate_hosts_file() {
;;
esac
fi
for option in $(separate_list $options) ; do
case $option in
norfc1918|blacklist|tcpflags|nosmurfs|-)
@ -998,7 +998,7 @@ match_dest_hosts()
#
# Matches for either <address-range> or <interface>:<address range>
#
match_source()
match_source()
{
case "$1" in
*:*)
@ -1273,7 +1273,7 @@ determine_hosts() {
if [ -n "$hosts" ]; then
if [ $VERBOSE -ge 1 ]; then
[ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
[ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
fi
else
error_message "WARNING: Zone $zone is empty"
@ -1635,7 +1635,7 @@ strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the
lib_load $2 "A non-empty $1 file ($f)"
return 0
fi
eval test -n \"\$LIB_${2}_LOADED\"
}
@ -2013,7 +2013,7 @@ do_initialize() {
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
[ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=


@ -42,7 +42,7 @@ setup_mac_lists() # $1 = Phase Number
local ipsec
local policy=
create_mac_chain()
create_mac_chain()
{
case $MACLIST_TABLE in
filter)
@ -100,7 +100,7 @@ setup_mac_lists() # $1 = Phase Number
if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
fi
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
create_mac_chain $chain1
@ -117,7 +117,7 @@ setup_mac_lists() # $1 = Phase Number
expandv disposition interface mac addresses
level=
case $disposition in
ACCEPT:*)
level=${disposition#*:}
@ -165,11 +165,11 @@ setup_mac_lists() # $1 = Phase Number
fi
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if ! have_mac_chain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified"
fi
if [ x${mac:=-} = x- ]; then
if [ -z "$addresses" ]; then
fatal_error "You must specify a MAC address or an IP address"
@ -196,7 +196,7 @@ setup_mac_lists() # $1 = Phase Number
# Generate jumps from the input and forward chains
#
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
for hosts in $maclist_hosts; do
ipsec=${hosts%^*}
hosts=${hosts#*^}
@ -223,11 +223,11 @@ setup_mac_lists() # $1 = Phase Number
for interface in $maclist_interfaces; do
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
indent >&3 << __EOF__
if interface_is_up $interface && [ "\$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]; then
if interface_is_usable $interface; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=\${address%/*}
if [ -n "\$broadcast" ]; then
@ -247,11 +247,11 @@ __EOF__
CHAIN=$chain
append_file maclog
if [ -n "$MACLIST_LOG_LEVEL" ]; then
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
fi
if [ $MACLIST_DISPOSITION != ACCEPT ]; then
run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
fi
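Review bot: The generated `if interface_is_usable $interface; then` is only equivalent to the inline test it replaces if the helper in lib.base really performs the address comparison at run time; as added in this same commit that helper's body escapes the `$`, so the branch would be taken for any interface that is merely up and the maclist log/drop rules would be installed for an interface with no IPv4 address. Worth confirming the lib.base definition before merging, or keeping the former inline form `if interface_is_up $interface && [ "\$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]; then` in this heredoc until it is fixed. The enclosing `setup_mac_lists` function begins and ends outside this hunk.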


@ -526,7 +526,7 @@ setup_nat() {
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
if [ "x$external" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
comment=$(echo $interface $internal $allints $localnat)
@ -539,10 +539,10 @@ setup_nat() {
fi
progress_message_and_save " Host $internal NAT $external on $interface"
done < $TMP_DIR/nat
[ -n "$COMMENTS" ] && save_command COMMENT=
fi
}
#


@ -113,14 +113,14 @@ __EOF__
# Add Provider $table ($number)
#
__EOF__
save_command "if interface_is_up $interface && [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then"
save_command "if interface_is_usable $interface; then"
save_indent1="$INDENT"
INDENT="$INDENT "
iface=$(chain_base $interface)
save_command "${iface}_up=Yes"
save_command "qt ip route flush table $number"
indent >&3 << __EOF__
@ -246,7 +246,7 @@ __EOF__
INDENT="$save_indent1"
save_command else
if [ -n "$optional" ]; then
save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
save_command " ${iface}_up="
@ -386,19 +386,19 @@ __EOF__
for table in $PROVIDERS; do
eval number=\$${table}_number
indent >&3 << __EOF__
echobin=\$(mywhich echo)
echobin=\$(mywhich echo)
\${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__
done
f=$(find_file route_rules)
if [ -f $f ]; then
strip_file route_rules $f
if [ -s $TMP_DIR/route_rules ]; then
progress_message2 "$DOING $f..."
save_command
while read source dest provider priority; do
@ -417,9 +417,9 @@ __EOF__
}
#
# Set up Routing
# Set up Route marking (Only called if $ROUTEMARK_INTERFACES is non-empty)
#
setup_routes()
setup_route_marking()
{
local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"
@ -429,22 +429,20 @@ setup_routes()
run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
createmanglechain routemark
if [ -n "$ROUTEMARK_INTERFACES" ]; then
for interface in $ROUTEMARK_INTERFACES ; do
iface=$(chain_base $interface)
eval mark_value=\$${iface}_routemark
for interface in $ROUTEMARK_INTERFACES ; do
iface=$(chain_base $interface)
eval mark_value=\$${iface}_routemark
save_command
save_command "if [ -n \"\$${iface}_up\" ]; then"
INDENT="$INDENT "
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value
INDENT="$save_indent"
save_command "fi"
done
save_command
fi
save_command "if [ -n \"\$${iface}_up\" ]; then"
INDENT="$INDENT "
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value
INDENT="$save_indent"
save_command "fi"
done
save_command
run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask
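Review bot: `setup_route_marking` drops the `[ -n "$ROUTEMARK_INTERFACES" ]` guard and now relies on a header comment plus the single caller in the compiler to enforce it, while the connmark-restore rule and `createmanglechain routemark` above the loop are emitted unconditionally, so a future caller passing an empty list would install mark-restore rules and an empty chain. A one-line guard at the top of the function, `[ -n "$ROUTEMARK_INTERFACES" ] || return 0`, keeps the contract in the code; both the old and new call sites already test the variable, so it changes nothing today. The emitted `if [ -n "$${iface}_up" ]` test presumably depends on `setup_providers` having written `${iface}_up=Yes` for that same interface — if an interface can appear in ROUTEMARK_INTERFACES without a matching provider entry, the PREROUTING jump is silently skipped rather than reported, which is worth a comment on the `save_command` line. The function's body starts before this hunk.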


@ -26,7 +26,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal
# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal
# and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under
# the same circumstances by the compiled firewall script when processing the
# 'refresh' command.
@ -179,7 +179,7 @@ setup_traffic_shaping()
dev=$(chain_base $device)
save_command "if qt ip link ls dev $device; then"
save_command "if interface_is_usable $device; then"
indent="$INDENT"
INDENT="$INDENT "
save_command ${dev}_exists=Yes
@ -202,7 +202,7 @@ setup_traffic_shaping()
INDENT="$indent"
save_command else
INDENT="$INDENT "
save_command error_message "\"WARNING: Device $device not found -- traffic-shaping configuration skipped\""
save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
save_command "${dev}_exists="
INDENT="$indent"
save_command "fi"
@ -282,6 +282,12 @@ setup_traffic_shaping()
return 0
}
finish_device() {
INDENT="$indent"
save_command fi
save_command
}
validate_tcdevices_file
validate_tcclasses_file
@ -309,12 +315,9 @@ setup_traffic_shaping()
dev=$(chain_base $device)
if [ "$device" != "$last_device" ]; then
if [ -n "$last_device" ]; then
INDENT="$indent"
save_command fi
save_command
fi
[ -n "$last_device" ] && finish_device
save_command "if [ -n \"\$${dev}_exists\" ] ; then"
indent="$INDENT"
INDENT="$INDENT "
@ -326,10 +329,6 @@ setup_traffic_shaping()
add_tc_class && progress_message " TC Class $tcdev defined."
done < $TMP_DIR/tcclasses
if [ -n "$last_device" ]; then
INDENT="$indent"
save_command fi
save_command
fi
[ -n "$last_device" ] && finish_device
fi
}
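Review bot: Replacing `qt ip link ls dev $device` with `interface_is_usable $device` changes the condition from "device exists" to "device is up and has an IPv4 address" (per the lib.base helper added in this commit), so a shaping device that deliberately carries no address — presumably an ingress-redirect or bridge-member device, to be confirmed — would now fall into the `else` branch and have its traffic-shaping configuration skipped with the new warning. If the address requirement is intended it deserves a line in the release notes; if not, `save_command "if interface_is_up $device; then"` would keep the up/existence check without the address test. `finish_device` is a nested function that reads the caller's `$indent` and closes a block opened elsewhere; a comment such as `# Close the "if ${dev}_exists" block opened for the previous device in the tcclasses loop` would make that coupling visible. The enclosing `setup_traffic_shaping` begins before this hunk.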


@ -85,7 +85,7 @@ process_tc_rule()
mark=$mark/0xff
did_connmark=Yes
}
validate_mark()
{
case $1 in


@ -21,7 +21,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is
# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is
# non-empty.
#


@ -8,7 +8,7 @@
#
# Example:
#
# Drop net all
# Drop net all
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/


@ -8,7 +8,7 @@
#
# Example:
#
# Reject loc fw
# Reject loc fw
#
#
###############################################################################


@ -87,7 +87,7 @@
# Example: 206.124.146.177-206.124.146.180
#
# You may also use the special value "detect"
# which causes Shorewall to determine the
# which causes Shorewall to determine the
# IP addresses configured on the interface named
# in the INTERFACES column and substitute them
# in this column.


@ -20,7 +20,7 @@
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must


@ -61,12 +61,12 @@
#
# If the policy is DROP or REJECT then the policy should
# be followed by ":" and one of the following:
#
#
# a) The word "None" or "none". This causes any default
# action defined in /etc/shorewall/shorewall.conf to
# be omitted for this policy.
# b) The name of an action (requires that USE_ACTIONS=Yes
# in shorewall.conf). That action will be invoked
# in shorewall.conf). That action will be invoked
# before the policy is enforced.
# c) The name of a macro. The rules in that macro will
# be applied before the policy is enforced. This


@ -14,7 +14,7 @@ initialize
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
set -x
set -x
shift
fi
@ -95,7 +95,7 @@ case "$COMMAND" in
status=0
progress_message3 "$PRODUCT Counters Reset"
fi
;;
;;
restart)
if shorewall_is_started; then
progress_message3 "Restarting $PRODUCT...."
@ -108,7 +108,7 @@ case "$COMMAND" in
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
progress_message3 "done."
;;
refresh)
@ -127,7 +127,7 @@ case "$COMMAND" in
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;;
clear)
progress_message3 "Clearing $PRODUCT...."


@ -1,36 +1,36 @@
Shorewall 3.3.5
Note to users upgrading from Shorewall 3.0 or 3.3
Most problems associated with upgrades come from two causes:
- The user didn't read and follow the migration considerations in these
release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during
upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design
assumes that you will not replace your current shorewall.conf file
during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed
carefully.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to
/etc/shorewall/rfc1918.old.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If you have a file named /etc/shorewall/modules, please remove
it. The default modules file is now located in /usr/share/shorewall/
(see the "Migration Considerations" below).
Please see the "Migration Considerations" below for additional upgrade
information.
Note to users upgrading from Shorewall 3.0 or 3.3
Most problems associated with upgrades come from two causes:
- The user didn't read and follow the migration considerations in these
release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during
upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design
assumes that you will not replace your current shorewall.conf file
during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed
carefully.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to
/etc/shorewall/rfc1918.old.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If you have a file named /etc/shorewall/modules, please remove
it. The default modules file is now located in /usr/share/shorewall/
(see the "Migration Considerations" below).
Please see the "Migration Considerations" below for additional upgrade
information.
Problems Corrected in 3.3.5
1) Previously, if the last 'balance' provider was removed from
@ -98,7 +98,7 @@ New Features:
- lib.accounting. Must be available if you include entries in
/etc/shorewall/accounting.
- lib.actions. Must be available if you do not specify
- lib.actions. Must be available if you do not specify
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.
- lib.dynamiczones. Must be available if you specify
@ -179,7 +179,7 @@ New Features:
The value assigned to these may be:
a) The name of an action.
a) The name of an action.
b) The name of a macro
c) 'None' or 'none'
@ -203,12 +203,12 @@ New Features:
In /etc/shorewall/policy, when the POLICY is DROP, REJECT,
ACCEPT or QUEUE then the policy may be followed by ":" and one
of the following:
a) The word "None" or "none". This causes any default
action defined in /etc/shorewall/shorewall.conf
to be omitted for this policy.
b) The name of an action (requires that USE_ACTIONS=Yes
in shorewall.conf). That action will be invoked
in shorewall.conf). That action will be invoked
before the policy is enforced.
c) The name of a macro. The rules in that macro will
be applied before the policy is enforced. This
@ -248,8 +248,8 @@ New Features:
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.
@ -280,12 +280,12 @@ New Features:
Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
COMMENT # Stop comment from being attached to rules below
The output of "shorewall show loc2net" includes (folded):
@ -348,7 +348,7 @@ New Features:
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #
gateway:~ #
This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
@ -362,7 +362,7 @@ New Features:
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
Note that with OPTIMIZE=1, traffic destined for an
interface/Address that falls outside of all defined zones may now
be logged out of a '2all' chain rather than out of the FORWARD
@ -395,26 +395,26 @@ New Features:
Counters reset Thu Oct 26 07:54:58 PDT 2006
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~
OPTIMIZE=1
gateway:~ # shorewall show loc2net
Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
Counters reset Thu Oct 26 07:56:38 PDT 2006
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~


@ -116,7 +116,7 @@
# COMMENT -- the rest of the line will be attached
# as a comment to the Netfilter rule(s)
# generated by the following entres.
# The comment will appear delimited by
# The comment will appear delimited by
# "/* ... */" in the output of
# "shorewall show <chain>". To stop
# the comment from being attached to


@ -911,7 +911,7 @@ usage() # $1 = exit status
}
#
# Execution begins here
# Execution begins here
#
debugging=


@ -150,7 +150,7 @@ LOGFILE=/var/log/messages
# longer than 29 bytes when passed the chain name, [rule number], and 'ACCEPT'.
# Using the default LOGFORMAT, the name of a chain must be 11 characters or
# less; since chain names are often of the form <zone1>2<zone2>, zone names are
# limited to 5 characters using the default LOGFORMAT. In contrast, if
# limited to 5 characters using the default LOGFORMAT. In contrast, if
# LOGFORMAT="FW:%s:%s:", then zone names can be as long as 8 characters.
LOGFORMAT="Shorewall:%s:%s:"
@ -227,7 +227,7 @@ BLACKLIST_LOGLEVEL=
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
#
# See the comment at the top of this section for a description of log levels
#
# If you wish to filter messages logged under this option, then supply
@ -240,7 +240,7 @@ BLACKLIST_LOGLEVEL=
# If you set MACLIST_TABLE=mangle later in this file, be sure that your
# 'run_iptables' commands include '-t mangle'.
#
# See http://www.shorewall.net/shorewall_extension_scripts.htm for more
# See http://www.shorewall.net/shorewall_extension_scripts.htm for more
# information about extension scripts.
#
@ -409,7 +409,7 @@ IPSECFILE=zones
#
# The value applied to these may be:
#
# a) The name of an action.
# a) The name of an action.
# b) The name of a macro
# c) 'None' or 'none'
#
@ -517,7 +517,7 @@ RETAIN_ALIASES=No
# See http://shorewall.net/traffic_shaping.htm for more information.
TC_ENABLED=Internal
#
# TRAFFIC SHAPING EXPERT
#
@ -953,10 +953,10 @@ USE_ACTIONS=Yes
#
# Optimize Ruleset
#
# Traditionally, Shorewall has created rules for the complete matrix of
# Traditionally, Shorewall has created rules for the complete matrix of
# Networks defined by the zones, interfaces and hosts files. Any traffic that
# didn't correspond to an element of that matrix was rejected in one of the
# built-in changes. When the matrix is sparse, this results in lots of
# built-in changes. When the matrix is sparse, this results in lots of
# largely useless rules.
#
# These extra rules can be eliminated by setting OPTIMIZE=1


@ -19,7 +19,7 @@
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
#
# You man NOT specify wildcards here, e.g. if you
# have multiple ppp interfaces, you need to put
# them all in here!
@ -46,10 +46,10 @@
# speed, and make sure there is NO space between the
# number and the unit.
#
# OUT-BANDWIDTH The outgoing Bandwidth of that interface.
# OUT-BANDWIDTH The outgoing Bandwidth of that interface.
# This is the maximum speed you connection can handle.
# It is also the speed you can refer as "full" if
# you define the tc classes.
# you define the tc classes.
# Outgoing traffic above this rate will be dropped.
#
# Use kbit or kbps(for Kilobytes per second) for


@ -29,7 +29,7 @@
# ampersand ("&"), will be logically ANDed with the
# current mark value to produce a new mark value.
#
# Both "|" and "&" require Extended MARK Target
# Both "|" and "&" require Extended MARK Target
# support in your kernel and iptables; neither may
# be used with connection marks (see below).
#


@ -22,7 +22,7 @@
#
# ZONE Short name of the zone. The names "all" and "none" are reserved
# and may not be used as zone names. The maximum length of a
# zone name is determined by the setting of the LOGFORMAT option
# zone name is determined by the setting of the LOGFORMAT option
# in shorewall.conf. With the default LOGFORMAT, zone names can
# be at most 5 characters long.
#