More code generation changes; remove trailing whitespace

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-31 19:01:23 +00:00
parent 058bb60e26
commit 2e949f5aa8
25 changed files with 229 additions and 223 deletions


@ -39,7 +39,7 @@
# Fatal error -- stops the compiler after issuing the error message # Fatal error -- stops the compiler after issuing the error message
# #
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
{ {
echo " ERROR: $@" >&2 echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
[ -n "$OUTPUT" ] && rm -f $OUTPUT [ -n "$OUTPUT" ] && rm -f $OUTPUT
@ -49,10 +49,10 @@ fatal_error() # $* = Error Message
# #
# We include this for compatibility with the 'firewall' script. It distinguishes between # We include this for compatibility with the 'firewall' script. It distinguishes between
# Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall # Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall
# state has been changed. This allows us to use common parsing routines in both programs. # state has been changed. This allows us to use common parsing routines in both programs.
# #
startup_error() startup_error()
{ {
echo " ERROR: $@" >&2 echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@ -508,7 +508,7 @@ validate_policy()
esac esac
default= default=
case $policy in case $policy in
*:None|*:none) *:None|*:none)
default=none default=none
@ -546,7 +546,7 @@ validate_policy()
NONE) NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \ [ "$client" = "$FW" -o "$server" = "$FW" ] && \
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \ [ -n "$clientwild" -o -n "$serverwild" ] && \
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;; ;;
@ -569,7 +569,7 @@ validate_policy()
[ "x$synparams" = "x-" ] && synparams= [ "x$synparams" = "x-" ] && synparams=
policy=${policy%:*} policy=${policy%:*}
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
@ -802,7 +802,7 @@ setup_ecn() # $1 = file name
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
progress_message "$DOING ECN control on${interfaces}..." progress_message "$DOING ECN control on${interfaces}..."
for interface in $interfaces; do for interface in $interfaces; do
chain=$(ecn_chain $interface) chain=$(ecn_chain $interface)
if havemanglechain $chain; then if havemanglechain $chain; then
@ -813,7 +813,7 @@ setup_ecn() # $1 = file name
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
fi fi
done done
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
h=${host#*:} h=${host#*:}
@ -897,7 +897,7 @@ setup_tc1() {
# Just in case the file ended with a comment # Just in case the file ended with a comment
# #
[ -n "$COMMENTS" ] && save_command COMMENT= [ -n "$COMMENTS" ] && save_command COMMENT=
# #
# Link to the TC mangle chains from the main chains # Link to the TC mangle chains from the main chains
# #
@ -1371,7 +1371,7 @@ substitute_action() # $1 = parameter, $2 = action
# it handles builtin actions. # it handles builtin actions.
# #
process_actions3() process_actions3()
{ {
for xaction in $USEDACTIONS; do for xaction in $USEDACTIONS; do
# #
# Find the chain associated with this action:level:tag # Find the chain associated with this action:level:tag
@ -1538,7 +1538,7 @@ __EOF__
set -- $(separate_list $xtag) set -- $(separate_list $xtag)
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag" [ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
run_iptables -A $xchain -m recent --name $1 --set run_iptables -A $xchain -m recent --name $1 --set
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
@ -1796,12 +1796,12 @@ add_a_rule() {
{ {
fatal_error "Unknown interface $1 in rule: \"$rule\"" fatal_error "Unknown interface $1 in rule: \"$rule\""
} }
rule_interface_verify() rule_interface_verify()
{ {
verify_interface $1 || interface_error $1 verify_interface $1 || interface_error $1
} }
handle_exclusion() handle_exclusion()
{ {
build_exclusion_chain chain filter "$excludesource" "$excludedest" build_exclusion_chain chain filter "$excludesource" "$excludedest"
@ -1826,7 +1826,7 @@ add_a_rule() {
do_ipp2p() { do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
case $proto in case $proto in
@ -1879,7 +1879,7 @@ add_a_rule() {
dest_interface= dest_interface=
serv= serv=
case "$server" in case "$server" in
-) -)
;; ;;
@ -1907,7 +1907,7 @@ add_a_rule() {
servport=$serverport servport=$serverport
multiport= multiport=
user="$userandgroup" user="$userandgroup"
# Restore $chain to the canonical chain. # Restore $chain to the canonical chain.
chain=$logchain chain=$logchain
@ -1958,7 +1958,7 @@ add_a_rule() {
;; ;;
REDIRECT) REDIRECT)
[ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\""
[ -n "$serv" ] && \ [ -n "$serv" ] && \
fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
@ -1966,7 +1966,7 @@ add_a_rule() {
;; ;;
DNAT|SAME) DNAT|SAME)
[ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\""
[ -n "$serv" ] || \ [ -n "$serv" ] || \
fatal_error "$logtarget rules require a server address; rule: \"$rule\"" fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes natrule=Yes
@ -1986,7 +1986,7 @@ add_a_rule() {
state= state=
;; ;;
esac esac
if [ -n "${serv}${servport}" ]; then if [ -n "${serv}${servport}" ]; then
# A specific server or server port given # A specific server or server port given
@ -1997,11 +1997,11 @@ add_a_rule() {
elif [ -n "$servport" -a "$servport" != "$port" ]; then elif [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\"" fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
fi fi
if [ -n "${excludesource}${excludedest}" ]; then if [ -n "${excludesource}${excludedest}" ]; then
handle_exclusion handle_exclusion
fi fi
if [ -z "$dnat_only" ]; then if [ -z "$dnat_only" ]; then
if [ -n "$serv" ]; then if [ -n "$serv" ]; then
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
@ -2019,7 +2019,7 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
done done
@ -2029,12 +2029,12 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target $(dest_ip_range $srv) $dports $ratelimit $user -j $target
@ -2047,11 +2047,11 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $sports $multiport $cli $dports) $state $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
[ -n "$nonat" ] && \ [ -n "$nonat" ] && \
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN $cli $sports $dports $ratelimit $user -j RETURN
[ "$logtarget" != NONAT ] && \ [ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $state $proto $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$dports $ratelimit $user -j $target $dports $ratelimit $user -j $target
@ -2071,13 +2071,13 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN $cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
@ -2089,13 +2089,13 @@ __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN $cli $sports $dports $ratelimit $user -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -j $target $sports $dports $ratelimit $user -j $target
@ -2923,13 +2923,13 @@ process_default_macro() # $1 = macro name
add_a_rule add_a_rule
progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE" progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE"
done < $TMP_DIR/macro.$macro done < $TMP_DIR/macro.$macro
progress_message "..End Macro" progress_message "..End Macro"
} }
# #
# Process a record from the tos file # Process a record from the tos file
# #
@ -3118,11 +3118,11 @@ process_tos() # $1 = name of tos file
chain=fortos chain=fortos
stdchain=FORWARD stdchain=FORWARD
fi fi
strip_file tos $1 strip_file tos $1
if [ -s $TMP_DIR/tos ] ; then if [ -s $TMP_DIR/tos ] ; then
save_progress_message "Setting up TOS..." save_progress_message "Setting up TOS..."
progress_message2 "$DOING $1..." progress_message2 "$DOING $1..."
@ -3496,7 +3496,7 @@ refresh_blacklist() {
expandv networks protocol ports expandv networks protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
INDENT="$indent" INDENT="$indent"
save_command "fi" save_command "fi"
} }
@ -4234,7 +4234,7 @@ activate_rules()
fi fi
need_broadcast= need_broadcast=
if [ -n "$complex" ]; then if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd frwd_chain=${zone}_frwd
chain=$(dnat_chain $zone) chain=$(dnat_chain $zone)
@ -4266,7 +4266,7 @@ activate_rules()
if [ -n "$exclusions" ]; then if [ -n "$exclusions" ]; then
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j ${zone}_input run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j ${zone}_input
run_iptables -A ${zone}_input -j $chain2 run_iptables -A ${zone}_input -j $chain2
else else
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
fi fi
fi fi
@ -4302,20 +4302,20 @@ activate_rules()
dest_zones= dest_zones=
# #
# The following loop attempts to eliminate redundant sequences of jumps to # The following loop attempts to eliminate redundant sequences of jumps to
# all2all or <source zone>2all. It does so by combining all trailing # all2all or <source zone>2all. It does so by combining all trailing
# jumps to the same policy-only chain. # jumps to the same policy-only chain.
# #
for zone1 in $ZONES; do for zone1 in $ZONES; do
eval policy=\$${zone}2${zone1}_policy eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue [ "$policy" = NONE ] && continue
chain="$(rules_chain $zone $zone1)" chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
if [ $zone = $zone1 ]; then if [ $zone = $zone1 ]; then
# #
# Try not to generate superfluous intra-zone rules # Try not to generate superfluous intra-zone rules
@ -4323,7 +4323,7 @@ activate_rules()
eval routeback=\"\$${zone}_routeback\" eval routeback=\"\$${zone}_routeback\"
eval interfaces=\"\$${zone}_interfaces\" eval interfaces=\"\$${zone}_interfaces\"
eval ports="\$${zone}_ports" eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces) num_ifaces=$(list_count1 $interfaces)
# #
# If the zone has a single interface then what matters is how many ports it has # If the zone has a single interface then what matters is how many ports it has
@ -4335,8 +4335,8 @@ activate_rules()
# #
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue continue
fi fi
fi fi
case $chain in case $chain in
*2all) *2all)
@ -4402,7 +4402,7 @@ activate_rules()
for zone1 in $dest_zones; do for zone1 in $dest_zones; do
eval policy=\$${zone}2${zone1}_policy eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue [ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts eval dest_hosts=\$${zone1}_hosts
@ -4411,7 +4411,7 @@ activate_rules()
chain="$(rules_chain $zone $zone1)" chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
if [ $zone = $zone1 ]; then if [ $zone = $zone1 ]; then
@ -4420,12 +4420,12 @@ activate_rules()
eval ports="\$${zone}_ports" eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces) num_ifaces=$(list_count1 $interfaces)
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue continue
fi fi
else else
routeback= routeback=
num_ifaces=0 num_ifaces=0
@ -4473,8 +4473,8 @@ activate_rules()
*) *)
insert_exclusions filter $chain $exclusions1 insert_exclusions filter $chain $exclusions1
;; ;;
esac esac
fi fi
if [ -n "$complex" ]; then if [ -n "$complex" ]; then
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
@ -4519,9 +4519,9 @@ activate_rules()
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
chain=$(forward_chain $interface) chain=$(forward_chain $interface)
run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain
done done
fi fi
@ -4880,7 +4880,7 @@ conditionally_add_option() { # $1 = option name
[ -n "\${$1:=$value}" ] [ -n "\${$1:=$value}" ]
__EOF__ __EOF__
fi fi
} }
conditionally_add_option1() { # $1 = option name conditionally_add_option1() { # $1 = option name
local value local value
@ -4892,7 +4892,7 @@ conditionally_add_option1() { # $1 = option name
$1="$value" $1="$value"
__EOF__ __EOF__
fi fi
} }
# #
# Compile a Firewall Script # Compile a Firewall Script
@ -5054,7 +5054,7 @@ run_iptables()
else else
\$IPTABLES \$@ \$IPTABLES \$@
fi fi
if [ \$? -ne 0 ]; then if [ \$? -ne 0 ]; then
error_message "ERROR: Command \"\$IPTABLES \$@\" Failed" error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
stop_firewall stop_firewall
@ -5377,7 +5377,7 @@ __EOF__
done done
strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting) strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
createchain logdrop no createchain logdrop no
@ -5431,8 +5431,9 @@ __EOF__
# #
if strip_file_and_lib_load providers providers; then if strip_file_and_lib_load providers providers; then
setup_providers $(find_file providers) setup_providers $(find_file providers)
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes [ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking
else else
save_command
save_command undo_routing save_command undo_routing
save_command restore_default_route save_command restore_default_route
fi fi
@ -5624,10 +5625,10 @@ __EOF__
for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do
conditionally_add_option $option conditionally_add_option $option
done done
conditionally_add_option1 TC_ENABLED conditionally_add_option1 TC_ENABLED
exec 3>&- exec 3>&-
fi fi
progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)" progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)"
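Review bot: The only functional edits in this section are buried among whitespace-only hunks: the hunk at `@ -5431,8 +5431,9` renames the call to `setup_route_marking` and adds a bare `save_command` line before `save_command undo_routing`. Neither `setup_route_marking` nor a definition of `save_command` is visible on this page, so I can only infer that the new name must be defined in the providers library loaded by `strip_file_and_lib_load providers providers`; a typo there would only surface at compile time for configurations that actually have a providers file, so it is worth confirming. The argument-less `save_command` presumably emits an empty line into the generated script; if that is intentional a one-word comment would save the next reader a lookup, e.g. `save_command   # blank line in the generated script`. Separating the rename from the trailing-whitespace cleanup would also make the change far easier to audit. The enclosing block of that hunk (the `if strip_file_and_lib_load providers` chain) starts and ends outside the hunk.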


@ -6,8 +6,8 @@
# Note to maintainers. # Note to maintainers.
# #
# The CONFDIR variable is normally set to /etc/shorewall but when # The CONFDIR variable is normally set to /etc/shorewall but when
# the command is "compile -e" then CONFDIR is set to # the command is "compile -e" then CONFDIR is set to
# /usr/share/shorewall/configfiles/. This prevents 'compile -e' # /usr/share/shorewall/configfiles/. This prevents 'compile -e'
# from trying to use configuration information from /etc/shorewall. # from trying to use configuration information from /etc/shorewall.
CONFIG_PATH=${CONFDIR}:/usr/share/shorewall CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
@ -15,8 +15,8 @@ CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
# #
# SHOREWALL LITE'S FIREWALL SCRIPT DIRECTORY # SHOREWALL LITE'S FIREWALL SCRIPT DIRECTORY
# #
# There is lack of agreement about where exactly in the file hierarchy the # There is lack of agreement about where exactly in the file hierarchy the
# firewall script in Shorewall Lite systems should be stored. To allow # firewall script in Shorewall Lite systems should be stored. To allow
# everyone's opinion to prevail (and to prevent the Shorewall author from # everyone's opinion to prevail (and to prevent the Shorewall author from
# going crazy), the LITEDIR option allows you to decide where the file will # going crazy), the LITEDIR option allows you to decide where the file will
# be stored on Shorewall Lite systems under your distribution. # be stored on Shorewall Lite systems under your distribution.


@ -175,7 +175,7 @@ export)
the '<directory1>/firewall' script is copied via scp to the specified the '<directory1>/firewall' script is copied via scp to the specified
<target> <target>
<target> is of the form [user@]<system>:[<directory1>] <target> is of the form [user@]<system>:[<directory1>]
Example: Example:


@ -773,7 +773,7 @@ process_action3() {
if [ -n "$is_macro" ]; then if [ -n "$is_macro" ]; then
xtarget1=$(map_old_action $xtarget1) xtarget1=$(map_old_action $xtarget1)
case $xtarget1 in case $xtarget1 in
*/*) */*)
param=${xtarget1#*/} param=${xtarget1#*/}
@ -784,15 +784,15 @@ process_action3() {
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $xaction2 $mtarget) mtarget=$(merge_levels $xaction2 $mtarget)
case $mtarget in case $mtarget in
PARAM|PARAM:*) PARAM|PARAM:*)
[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
;; ;;
esac esac
if [ -n "$mclients" ]; then if [ -n "$mclients" ]; then
case $mclients in case $mclients in
-|SOURCE) -|SOURCE)
@ -808,7 +808,7 @@ process_action3() {
else else
mclients=${xclients} mclients=${xclients}
fi fi
if [ -n "$mservers" ]; then if [ -n "$mservers" ]; then
case $mservers in case $mservers in
-|DEST) -|DEST)
@ -824,13 +824,13 @@ process_action3() {
else else
mservers=${xserverss} mservers=${xserverss}
fi fi
[ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol [ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol
[ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports [ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports
[ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports [ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}"
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec
done < $TMP_DIR/macro.$xtarget1 done < $TMP_DIR/macro.$xtarget1
@ -840,7 +840,7 @@ process_action3() {
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
fi fi
done < $TMP_DIR/$f done < $TMP_DIR/$f
[ -n "$COMMENTS" ] && save_command COMMENT= [ -n "$COMMENTS" ] && save_command COMMENT=
} }


@ -22,9 +22,9 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# This library contains the code common to all Shorewall components. It is copied into # This library contains the code common to all Shorewall components. It is copied into
# the compiled script with the -e compiler flag is specified and is loaded by # the compiled script with the -e compiler flag is specified and is loaded by
# /sbin/shorewall, /usr/share/shorewall/compiler and /usr/share/shorewall/firewall. It # /sbin/shorewall, /usr/share/shorewall/compiler and /usr/share/shorewall/firewall. It
# is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite # is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
# and /usr/share/shorewall-lite/shorecap. # and /usr/share/shorewall-lite/shorecap.
# #
@ -179,9 +179,9 @@ deleteallchains() {
} }
# #
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains # Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
# a space-separated list of directories to search for # a space-separated list of directories to search for
# the module and that 'moduleloader' contains the # the module and that 'moduleloader' contains the
# module loader command. # module loader command.
# #
loadmodule() # $1 = module name, $2 - * arguments loadmodule() # $1 = module name, $2 - * arguments
@ -346,7 +346,7 @@ lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library
lib_avail() # $1 = Name of the Library lib_avail() # $1 = Name of the Library
{ {
[ -f ${SHAREDIR}/lib.$1 ] [ -f ${SHAREDIR}/lib.$1 ]
} }
# #
# Note: The following set of IP address manipulation functions have anomalous # Note: The following set of IP address manipulation functions have anomalous
@ -758,6 +758,14 @@ find_first_interface_address_if_any() # $1 = interface
[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
} }
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
interface_is_up $1 && [ "\$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]
}
# #
# Find interface addresses--returns the set of addresses assigned to the passed # Find interface addresses--returns the set of addresses assigned to the passed
# device # device
@ -990,9 +998,9 @@ report_capabilities() {
report_capability() # $1 = Capability Description , $2 Capability Setting (if any) report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{ {
local setting= local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available" [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting echo " " $1: $setting
} }
@ -1286,7 +1294,7 @@ get_device_mtu() # $1 = device
# Undo changes to routing # Undo changes to routing
# #
undo_routing() { undo_routing() {
if [ -z "$NOROUTES" ]; then if [ -z "$NOROUTES" ]; then
# #
# Restore rt_tables database # Restore rt_tables database
@ -1308,7 +1316,7 @@ undo_routing() {
} }
restore_default_route() { restore_default_route() {
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
local default_route= route local default_route= route
@ -1329,10 +1337,10 @@ restore_default_route() {
progress_message "Default Route (${default_route# }) restored" progress_message "Default Route (${default_route# }) restored"
;; ;;
esac esac
break break
fi fi
default_route="$default_route $route" default_route="$default_route $route"
;; ;;
*) *)
@ -1340,7 +1348,7 @@ restore_default_route() {
;; ;;
esac esac
done < ${VARDIR}/default_route done < ${VARDIR}/default_route
rm -f ${VARDIR}/default_route rm -f ${VARDIR}/default_route
fi fi
} }
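Review bot: In the new `interface_is_usable()` (hunk `@ -758,6 +758,14`), the test `[ "\$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]` escapes the `$`, so inside double quotes the shell compares the literal string `$(find_first_interface_address_if_any eth0)` against `0.0.0.0`; that is never equal, the test is always true, and the function reduces to `interface_is_up $1`, meaning an up interface with no address is still reported usable. The escape looks like a copy from the compiler's here-doc-emitted code, but this library is copied into the compiled script rather than expanded, and the adjacent `find_first_interface_address_if_any` body uses `$addr` unescaped, so the backslash appears to be a mistake rather than intent — worth confirming before changing. The fix is one line: `interface_is_up "$1" && [ "$(find_first_interface_address_if_any "$1")" != 0.0.0.0 ]`. The header comment also misspells "perspective" as "prespective"; `# Determine if interface is usable from a Netfilter perspective` would read cleanly.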


@ -102,13 +102,13 @@ separate_list() {
# Undo the effect of 'separate_list()' # Undo the effect of 'separate_list()'
# #
combine_list() combine_list()
{ {
local f o= local f o=
for f in $* ; do for f in $* ; do
o="${o:+$o,}$f" o="${o:+$o,}$f"
done done
echo $o echo $o
} }
@ -448,7 +448,7 @@ setup_ipsec() {
# Set up rules to set MSS to and/or from zone "$zone" # Set up rules to set MSS to and/or from zone "$zone"
# #
set_mss() # $1 = MSS value, $2 = _in, _out or "" set_mss() # $1 = MSS value, $2 = _in, _out or ""
{ {
for z in $ZONES $FW; do for z in $ZONES $FW; do
case $2 in case $2 in
_in) _in)
@ -599,7 +599,7 @@ validate_hosts_file() {
eval ${z}_is_complex=Yes eval ${z}_is_complex=Yes
;; ;;
esac esac
fi fi
for host in $(separate_list $hosts); do for host in $(separate_list $hosts); do
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
@ -632,7 +632,7 @@ validate_hosts_file() {
;; ;;
esac esac
fi fi
for option in $(separate_list $options) ; do for option in $(separate_list $options) ; do
case $option in case $option in
norfc1918|blacklist|tcpflags|nosmurfs|-) norfc1918|blacklist|tcpflags|nosmurfs|-)
@ -998,7 +998,7 @@ match_dest_hosts()
# #
# Matches for either <address-range> or <interface>:<address range> # Matches for either <address-range> or <interface>:<address range>
# #
match_source() match_source()
{ {
case "$1" in case "$1" in
*:*) *:*)
@ -1273,7 +1273,7 @@ determine_hosts() {
if [ -n "$hosts" ]; then if [ -n "$hosts" ]; then
if [ $VERBOSE -ge 1 ]; then if [ $VERBOSE -ge 1 ]; then
[ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
fi fi
else else
error_message "WARNING: Zone $zone is empty" error_message "WARNING: Zone $zone is empty"
@ -1635,7 +1635,7 @@ strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the
lib_load $2 "A non-empty $1 file ($f)" lib_load $2 "A non-empty $1 file ($f)"
return 0 return 0
fi fi
eval test -n \"\$LIB_${2}_LOADED\" eval test -n \"\$LIB_${2}_LOADED\"
} }
@ -2013,7 +2013,7 @@ do_initialize() {
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
[ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK=


@ -42,7 +42,7 @@ setup_mac_lists() # $1 = Phase Number
local ipsec local ipsec
local policy= local policy=
create_mac_chain() create_mac_chain()
{ {
case $MACLIST_TABLE in case $MACLIST_TABLE in
filter) filter)
@ -100,7 +100,7 @@ setup_mac_lists() # $1 = Phase Number
if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
fi fi
if [ -n "$MACLIST_TTL" ]; then if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface) chain1=$(macrecent_target $interface)
create_mac_chain $chain1 create_mac_chain $chain1
@ -117,7 +117,7 @@ setup_mac_lists() # $1 = Phase Number
expandv disposition interface mac addresses expandv disposition interface mac addresses
level= level=
case $disposition in case $disposition in
ACCEPT:*) ACCEPT:*)
level=${disposition#*:} level=${disposition#*:}
@ -165,11 +165,11 @@ setup_mac_lists() # $1 = Phase Number
fi fi
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if ! have_mac_chain $chain ; then if ! have_mac_chain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified" fatal_error "No hosts on $interface have the maclist option specified"
fi fi
if [ x${mac:=-} = x- ]; then if [ x${mac:=-} = x- ]; then
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
fatal_error "You must specify a MAC address or an IP address" fatal_error "You must specify a MAC address or an IP address"
@ -196,7 +196,7 @@ setup_mac_lists() # $1 = Phase Number
# Generate jumps from the input and forward chains # Generate jumps from the input and forward chains
# #
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
for hosts in $maclist_hosts; do for hosts in $maclist_hosts; do
ipsec=${hosts%^*} ipsec=${hosts%^*}
hosts=${hosts#*^} hosts=${hosts#*^}
@ -223,11 +223,11 @@ setup_mac_lists() # $1 = Phase Number
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
indent >&3 << __EOF__ indent >&3 << __EOF__
if interface_is_up $interface && [ "\$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]; then if interface_is_usable $interface; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=\${address%/*} address=\${address%/*}
if [ -n "\$broadcast" ]; then if [ -n "\$broadcast" ]; then
@ -247,11 +247,11 @@ __EOF__
CHAIN=$chain CHAIN=$chain
append_file maclog append_file maclog
if [ -n "$MACLIST_LOG_LEVEL" ]; then if [ -n "$MACLIST_LOG_LEVEL" ]; then
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
fi fi
if [ $MACLIST_DISPOSITION != ACCEPT ]; then if [ $MACLIST_DISPOSITION != ACCEPT ]; then
run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
fi fi
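Review bot: The generated `if interface_is_usable $interface; then` in the maclist heredoc replaces the explicit `interface_is_up $interface && [ "$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]` test, so the compiled firewall script now requires `interface_is_usable` to exist in the runtime library it sources at start time; that definition is not part of this change, and a script compiled against this version but run with an older library would fail inside the generated `if` with a command-not-found. The same substitution appears in the providers section (`save_command "if interface_is_usable $interface; then"`) and in the tc section (`save_command "if interface_is_usable $device; then"`), so all three depend on the same helper. If `interface_is_usable` is meant to be exactly the old condition (up and a non-0.0.0.0 address), a one-line comment at its definition saying so, plus a mention in the release notes that the library must be upgraded together with the compiler, would make the coupling visible. The enclosing setup_mac_lists body continues outside the hunk.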


@ -526,7 +526,7 @@ setup_nat() {
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
if [ "x$external" = xCOMMENT ]; then if [ "x$external" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
comment=$(echo $interface $internal $allints $localnat) comment=$(echo $interface $internal $allints $localnat)
@ -539,10 +539,10 @@ setup_nat() {
fi fi
progress_message_and_save " Host $internal NAT $external on $interface" progress_message_and_save " Host $internal NAT $external on $interface"
done < $TMP_DIR/nat done < $TMP_DIR/nat
[ -n "$COMMENTS" ] && save_command COMMENT= [ -n "$COMMENTS" ] && save_command COMMENT=
fi fi
} }
# #


@ -113,14 +113,14 @@ __EOF__
# Add Provider $table ($number) # Add Provider $table ($number)
# #
__EOF__ __EOF__
save_command "if interface_is_up $interface && [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then" save_command "if interface_is_usable $interface; then"
save_indent1="$INDENT" save_indent1="$INDENT"
INDENT="$INDENT " INDENT="$INDENT "
iface=$(chain_base $interface) iface=$(chain_base $interface)
save_command "${iface}_up=Yes" save_command "${iface}_up=Yes"
save_command "qt ip route flush table $number" save_command "qt ip route flush table $number"
indent >&3 << __EOF__ indent >&3 << __EOF__
@ -246,7 +246,7 @@ __EOF__
INDENT="$save_indent1" INDENT="$save_indent1"
save_command else save_command else
if [ -n "$optional" ]; then if [ -n "$optional" ]; then
save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
save_command " ${iface}_up=" save_command " ${iface}_up="
@ -386,19 +386,19 @@ __EOF__
for table in $PROVIDERS; do for table in $PROVIDERS; do
eval number=\$${table}_number eval number=\$${table}_number
indent >&3 << __EOF__ indent >&3 << __EOF__
echobin=\$(mywhich echo) echobin=\$(mywhich echo)
\${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__ __EOF__
done done
f=$(find_file route_rules) f=$(find_file route_rules)
if [ -f $f ]; then if [ -f $f ]; then
strip_file route_rules $f strip_file route_rules $f
if [ -s $TMP_DIR/route_rules ]; then if [ -s $TMP_DIR/route_rules ]; then
progress_message2 "$DOING $f..." progress_message2 "$DOING $f..."
save_command save_command
while read source dest provider priority; do while read source dest provider priority; do
@ -417,9 +417,9 @@ __EOF__
} }
# #
# Set up Routing # Set up Route marking (Only called if $ROUTEMARK_INTERFACES is non-empty)
# #
setup_routes() setup_route_marking()
{ {
local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"
@ -429,22 +429,20 @@ setup_routes()
run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
createmanglechain routemark createmanglechain routemark
if [ -n "$ROUTEMARK_INTERFACES" ]; then for interface in $ROUTEMARK_INTERFACES ; do
for interface in $ROUTEMARK_INTERFACES ; do iface=$(chain_base $interface)
iface=$(chain_base $interface) eval mark_value=\$${iface}_routemark
eval mark_value=\$${iface}_routemark
save_command
save_command "if [ -n \"\$${iface}_up\" ]; then"
INDENT="$INDENT "
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value
INDENT="$save_indent"
save_command "fi"
done
save_command save_command
fi save_command "if [ -n \"\$${iface}_up\" ]; then"
INDENT="$INDENT "
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value
INDENT="$save_indent"
save_command "fi"
done
save_command
run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask
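Review bot: The `if [ -n "$ROUTEMARK_INTERFACES" ]` guard around the interface loop was dropped and its precondition moved into the header comment `(Only called if $ROUTEMARK_INTERFACES is non-empty)`, but the call site that must now perform that test, and that must also use the new name setup_route_marking instead of setup_routes, is not in this section, so neither can be verified here. As far as the visible lines show, an empty list is still harmless (the `for` simply runs zero times after the OUTPUT restore-mark rule and `createmanglechain routemark`, which sat outside the old guard as well), so the comment overstates the requirement; phrasing it as `# Set up Route marking (the caller invokes this only when $ROUTEMARK_INTERFACES is non-empty; an empty list is tolerated)` would describe the actual contract. setup_route_marking's body continues past the end of the hunk.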


@ -26,7 +26,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal # This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal
# and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under # and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under
# the same circumstances by the compiled firewall script when processing the # the same circumstances by the compiled firewall script when processing the
# 'refresh' command. # 'refresh' command.
@ -179,7 +179,7 @@ setup_traffic_shaping()
dev=$(chain_base $device) dev=$(chain_base $device)
save_command "if qt ip link ls dev $device; then" save_command "if interface_is_usable $device; then"
indent="$INDENT" indent="$INDENT"
INDENT="$INDENT " INDENT="$INDENT "
save_command ${dev}_exists=Yes save_command ${dev}_exists=Yes
@ -202,7 +202,7 @@ setup_traffic_shaping()
INDENT="$indent" INDENT="$indent"
save_command else save_command else
INDENT="$INDENT " INDENT="$INDENT "
save_command error_message "\"WARNING: Device $device not found -- traffic-shaping configuration skipped\"" save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
save_command "${dev}_exists=" save_command "${dev}_exists="
INDENT="$indent" INDENT="$indent"
save_command "fi" save_command "fi"
@ -282,6 +282,12 @@ setup_traffic_shaping()
return 0 return 0
} }
finish_device() {
INDENT="$indent"
save_command fi
save_command
}
validate_tcdevices_file validate_tcdevices_file
validate_tcclasses_file validate_tcclasses_file
@ -309,12 +315,9 @@ setup_traffic_shaping()
dev=$(chain_base $device) dev=$(chain_base $device)
if [ "$device" != "$last_device" ]; then if [ "$device" != "$last_device" ]; then
if [ -n "$last_device" ]; then
INDENT="$indent" [ -n "$last_device" ] && finish_device
save_command fi
save_command
fi
save_command "if [ -n \"\$${dev}_exists\" ] ; then" save_command "if [ -n \"\$${dev}_exists\" ] ; then"
indent="$INDENT" indent="$INDENT"
INDENT="$INDENT " INDENT="$INDENT "
@ -326,10 +329,6 @@ setup_traffic_shaping()
add_tc_class && progress_message " TC Class $tcdev defined." add_tc_class && progress_message " TC Class $tcdev defined."
done < $TMP_DIR/tcclasses done < $TMP_DIR/tcclasses
if [ -n "$last_device" ]; then [ -n "$last_device" ] && finish_device
INDENT="$indent"
save_command fi
save_command
fi
fi fi
} }
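Review bot: `[ -n "$last_device" ] && finish_device` is now the last command of the `if` that the closing `fi` and `}` end setup_traffic_shaping with, so when that branch is taken and `last_device` is empty the function returns status 1 where the old `if … fi` form returned 0; a caller that tests the result, or one running under `set -e`, would see a failure that is not one. Writing it as `[ -z "$last_device" ] || finish_device` keeps the one-line form and returns 0 in both cases; the same pattern in the earlier hunk (`[ -n "$last_device" ] && finish_device` at the top of the `if [ "$device" != "$last_device" ]` block) is harmless because further commands follow it. finish_device is also defined inside setup_traffic_shaping and reads the enclosing function's `indent` through shell dynamic scoping; a header such as `# Close the "if ${dev}_exists" block opened for the previous device; relies on $indent set by the caller` would make that dependency explicit.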


@ -85,7 +85,7 @@ process_tc_rule()
mark=$mark/0xff mark=$mark/0xff
did_connmark=Yes did_connmark=Yes
} }
validate_mark() validate_mark()
{ {
case $1 in case $1 in


@ -21,7 +21,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is # This library is loaded by /usr/share/shorewall/compiler when the tunnels file is
# non-empty. # non-empty.
# #


@ -8,7 +8,7 @@
# #
# Example: # Example:
# #
# Drop net all # Drop net all
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/


@ -8,7 +8,7 @@
# #
# Example: # Example:
# #
# Reject loc fw # Reject loc fw
# #
# #
############################################################################### ###############################################################################


@ -87,7 +87,7 @@
# Example: 206.124.146.177-206.124.146.180 # Example: 206.124.146.177-206.124.146.180
# #
# You may also use the special value "detect" # You may also use the special value "detect"
# which causes Shorewall to determine the # which causes Shorewall to determine the
# IP addresses configured on the interface named # IP addresses configured on the interface named
# in the INTERFACES column and substitute them # in the INTERFACES column and substitute them
# in this column. # in this column.


@ -20,7 +20,7 @@
# If SNAT, traffic leaving INTERFACE with a source # If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to # address in NET1 has it's source address rewritten to
# the corresponding address in NET2. # the corresponding address in NET2.
# #
# NET1 Network in CIDR format (e.g., 192.168.1.0/24) # NET1 Network in CIDR format (e.g., 192.168.1.0/24)
# #
# INTERFACE The name of a network interface. The interface must # INTERFACE The name of a network interface. The interface must


@ -61,12 +61,12 @@
# #
# If the policy is DROP or REJECT then the policy should # If the policy is DROP or REJECT then the policy should
# be followed by ":" and one of the following: # be followed by ":" and one of the following:
# #
# a) The word "None" or "none". This causes any default # a) The word "None" or "none". This causes any default
# action defined in /etc/shorewall/shorewall.conf to # action defined in /etc/shorewall/shorewall.conf to
# be omitted for this policy. # be omitted for this policy.
# b) The name of an action (requires that USE_ACTIONS=Yes # b) The name of an action (requires that USE_ACTIONS=Yes
# in shorewall.conf). That action will be invoked # in shorewall.conf). That action will be invoked
# before the policy is enforced. # before the policy is enforced.
# c) The name of a macro. The rules in that macro will # c) The name of a macro. The rules in that macro will
# be applied before the policy is enforced. This # be applied before the policy is enforced. This


@ -14,7 +14,7 @@ initialize
# Start trace if first arg is "debug" or "trace" # Start trace if first arg is "debug" or "trace"
# #
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
set -x set -x
shift shift
fi fi
@ -95,7 +95,7 @@ case "$COMMAND" in
status=0 status=0
progress_message3 "$PRODUCT Counters Reset" progress_message3 "$PRODUCT Counters Reset"
fi fi
;; ;;
restart) restart)
if shorewall_is_started; then if shorewall_is_started; then
progress_message3 "Restarting $PRODUCT...." progress_message3 "Restarting $PRODUCT...."
@ -108,7 +108,7 @@ case "$COMMAND" in
status=$? status=$?
if [ -n "$SUBSYSLOCK" ]; then if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi fi
progress_message3 "done." progress_message3 "done."
;; ;;
refresh) refresh)
@ -127,7 +127,7 @@ case "$COMMAND" in
status=$? status=$?
if [ -n "$SUBSYSLOCK" ]; then if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi fi
;; ;;
clear) clear)
progress_message3 "Clearing $PRODUCT...." progress_message3 "Clearing $PRODUCT...."


@ -1,36 +1,36 @@
Shorewall 3.3.5 Shorewall 3.3.5
Note to users upgrading from Shorewall 3.0 or 3.3 Note to users upgrading from Shorewall 3.0 or 3.3
Most problems associated with upgrades come from two causes: Most problems associated with upgrades come from two causes:
- The user didn't read and follow the migration considerations in these - The user didn't read and follow the migration considerations in these
release notes. release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during - The user mis-handled the /etc/shorewall/shorewall.conf file during
upgrade. Shorewall is designed to allow the default behavior of upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design the product to evolve over time. To make this possible, the design
assumes that you will not replace your current shorewall.conf file assumes that you will not replace your current shorewall.conf file
during upgrades. If you feel absolutely compelled to have the latest during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed comments and options in your shorewall.conf then you must proceed
carefully. carefully.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then While you are at it, if you have a file named /etc/shorewall/rfc1918 then
please check that file. If it has addresses listed that are NOT in one of please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to these three ranges, then please rename the file to
/etc/shorewall/rfc1918.old. /etc/shorewall/rfc1918.old.
10.0.0.0 - 10.255.255.255 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255 172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255 192.168.0.0 - 192.168.255.255
If you have a file named /etc/shorewall/modules, please remove If you have a file named /etc/shorewall/modules, please remove
it. The default modules file is now located in /usr/share/shorewall/ it. The default modules file is now located in /usr/share/shorewall/
(see the "Migration Considerations" below). (see the "Migration Considerations" below).
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.3.5 Problems Corrected in 3.3.5
1) Previously, if the last 'balance' provider was removed from 1) Previously, if the last 'balance' provider was removed from
@ -98,7 +98,7 @@ New Features:
- lib.accounting. Must be available if you include entries in - lib.accounting. Must be available if you include entries in
/etc/shorewall/accounting. /etc/shorewall/accounting.
- lib.actions. Must be available if you do not specify - lib.actions. Must be available if you do not specify
USE_ACTIONS=No in /etc/shorewall/shorewall.conf. USE_ACTIONS=No in /etc/shorewall/shorewall.conf.
- lib.dynamiczones. Must be available if you specify - lib.dynamiczones. Must be available if you specify
@ -179,7 +179,7 @@ New Features:
The value assigned to these may be: The value assigned to these may be:
a) The name of an action. a) The name of an action.
b) The name of a macro b) The name of a macro
c) 'None' or 'none' c) 'None' or 'none'
@ -203,12 +203,12 @@ New Features:
In /etc/shorewall/policy, when the POLICY is DROP, REJECT, In /etc/shorewall/policy, when the POLICY is DROP, REJECT,
ACCEPT or QUEUE then the policy may be followed by ":" and one ACCEPT or QUEUE then the policy may be followed by ":" and one
of the following: of the following:
a) The word "None" or "none". This causes any default a) The word "None" or "none". This causes any default
action defined in /etc/shorewall/shorewall.conf action defined in /etc/shorewall/shorewall.conf
to be omitted for this policy. to be omitted for this policy.
b) The name of an action (requires that USE_ACTIONS=Yes b) The name of an action (requires that USE_ACTIONS=Yes
in shorewall.conf). That action will be invoked in shorewall.conf). That action will be invoked
before the policy is enforced. before the policy is enforced.
c) The name of a macro. The rules in that macro will c) The name of a macro. The rules in that macro will
be applied before the policy is enforced. This be applied before the policy is enforced. This
@ -248,8 +248,8 @@ New Features:
than 5 but it may be greater than 5). For example, setting than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
6) Netfilter provides support for attaching comments to Netfilter 6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat", visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are "shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output. delimited by '/* ... */" in the output.
@ -280,12 +280,12 @@ New Features:
Example from my rules file: Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S) #SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Noise COMMENT Stop Microsoft Noise
REJECT loc net tcp 137,445 REJECT loc net tcp 137,445
REJECT loc net udp 137:139 REJECT loc net udp 137:139
COMMENT # Stop comment from being attached to rules below COMMENT # Stop comment from being attached to rules below
The output of "shorewall show loc2net" includes (folded): The output of "shorewall show loc2net" includes (folded):
@ -348,7 +348,7 @@ New Features:
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ # gateway:~ #
This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf. This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
@ -362,7 +362,7 @@ New Features:
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ # gateway:~ #
Note that with OPTIMIZE=1, traffic destined for an Note that with OPTIMIZE=1, traffic destined for an
interface/Address that falls outside of all defined zones may now interface/Address that falls outside of all defined zones may now
be logged out of a '2all' chain rather than out of the FORWARD be logged out of a '2all' chain rather than out of the FORWARD
@ -395,26 +395,26 @@ New Features:
Counters reset Thu Oct 26 07:54:58 PDT 2006 Counters reset Thu Oct 26 07:54:58 PDT 2006
Chain loc2net (1 references) Chain loc2net (1 references)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
... ...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ gateway:~
OPTIMIZE=1 OPTIMIZE=1
gateway:~ # shorewall show loc2net gateway:~ # shorewall show loc2net
Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006 Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
Counters reset Thu Oct 26 07:56:38 PDT 2006 Counters reset Thu Oct 26 07:56:38 PDT 2006
Chain loc2net (1 references) Chain loc2net (1 references)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
... ...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ gateway:~


@ -116,7 +116,7 @@
# COMMENT -- the rest of the line will be attached # COMMENT -- the rest of the line will be attached
# as a comment to the Netfilter rule(s) # as a comment to the Netfilter rule(s)
# generated by the following entres. # generated by the following entres.
# The comment will appear delimited by # The comment will appear delimited by
# "/* ... */" in the output of # "/* ... */" in the output of
# "shorewall show <chain>". To stop # "shorewall show <chain>". To stop
# the comment from being attached to # the comment from being attached to


@ -911,7 +911,7 @@ usage() # $1 = exit status
} }
# #
# Execution begins here # Execution begins here
# #
debugging= debugging=


@ -150,7 +150,7 @@ LOGFILE=/var/log/messages
# longer than 29 bytes when passed the chain name, [rule number], and 'ACCEPT'. # longer than 29 bytes when passed the chain name, [rule number], and 'ACCEPT'.
# Using the default LOGFORMAT, the name of a chain must be 11 characters or # Using the default LOGFORMAT, the name of a chain must be 11 characters or
# less; since chain names are often of the form <zone1>2<zone2>, zone names are # less; since chain names are often of the form <zone1>2<zone2>, zone names are
# limited to 5 characters using the default LOGFORMAT. In contrast, if # limited to 5 characters using the default LOGFORMAT. In contrast, if
# LOGFORMAT="FW:%s:%s:", then zone names can be as long as 8 characters. # LOGFORMAT="FW:%s:%s:", then zone names can be as long as 8 characters.
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
@ -227,7 +227,7 @@ BLACKLIST_LOGLEVEL=
# Specifies the logging level for connection requests that fail MAC # Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged. # such connection requests will not be logged.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
# If you wish to filter messages logged under this option, then supply # If you wish to filter messages logged under this option, then supply
@ -240,7 +240,7 @@ BLACKLIST_LOGLEVEL=
# If you set MACLIST_TABLE=mangle later in this file, be sure that your # If you set MACLIST_TABLE=mangle later in this file, be sure that your
# 'run_iptables' commands include '-t mangle'. # 'run_iptables' commands include '-t mangle'.
# #
# See http://www.shorewall.net/shorewall_extension_scripts.htm for more # See http://www.shorewall.net/shorewall_extension_scripts.htm for more
# information about extension scripts. # information about extension scripts.
# #
@ -409,7 +409,7 @@ IPSECFILE=zones
# #
# The value applied to these may be: # The value applied to these may be:
# #
# a) The name of an action. # a) The name of an action.
# b) The name of a macro # b) The name of a macro
# c) 'None' or 'none' # c) 'None' or 'none'
# #
@ -517,7 +517,7 @@ RETAIN_ALIASES=No
# See http://shorewall.net/traffic_shaping.htm for more information. # See http://shorewall.net/traffic_shaping.htm for more information.
TC_ENABLED=Internal TC_ENABLED=Internal
# #
# TRAFFIC SHAPING EXPERT # TRAFFIC SHAPING EXPERT
# #
@ -953,10 +953,10 @@ USE_ACTIONS=Yes
# #
# Optimize Ruleset # Optimize Ruleset
# #
# Traditionally, Shorewall has created rules for the complete matrix of # Traditionally, Shorewall has created rules for the complete matrix of
# Networks defined by the zones, interfaces and hosts files. Any traffic that # Networks defined by the zones, interfaces and hosts files. Any traffic that
# didn't correspond to an element of that matrix was rejected in one of the # didn't correspond to an element of that matrix was rejected in one of the
# built-in changes. When the matrix is sparse, this results in lots of # built-in changes. When the matrix is sparse, this results in lots of
# largely useless rules. # largely useless rules.
# #
# These extra rules can be eliminated by setting OPTIMIZE=1 # These extra rules can be eliminated by setting OPTIMIZE=1


@ -19,7 +19,7 @@
# once in this file. You may NOT specify the name of # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# You man NOT specify wildcards here, e.g. if you # You man NOT specify wildcards here, e.g. if you
# have multiple ppp interfaces, you need to put # have multiple ppp interfaces, you need to put
# them all in here! # them all in here!
@ -46,10 +46,10 @@
# speed, and make sure there is NO space between the # speed, and make sure there is NO space between the
# number and the unit. # number and the unit.
# #
# OUT-BANDWIDTH The outgoing Bandwidth of that interface. # OUT-BANDWIDTH The outgoing Bandwidth of that interface.
# This is the maximum speed you connection can handle. # This is the maximum speed you connection can handle.
# It is also the speed you can refer as "full" if # It is also the speed you can refer as "full" if
# you define the tc classes. # you define the tc classes.
# Outgoing traffic above this rate will be dropped. # Outgoing traffic above this rate will be dropped.
# #
# Use kbit or kbps(for Kilobytes per second) for # Use kbit or kbps(for Kilobytes per second) for


@ -29,7 +29,7 @@
# ampersand ("&"), will be logically ANDed with the # ampersand ("&"), will be logically ANDed with the
# current mark value to produce a new mark value. # current mark value to produce a new mark value.
# #
# Both "|" and "&" require Extended MARK Target # Both "|" and "&" require Extended MARK Target
# support in your kernel and iptables; neither may # support in your kernel and iptables; neither may
# be used with connection marks (see below). # be used with connection marks (see below).
# #


@ -22,7 +22,7 @@
# #
# ZONE Short name of the zone. The names "all" and "none" are reserved # ZONE Short name of the zone. The names "all" and "none" are reserved
# and may not be used as zone names. The maximum length of a # and may not be used as zone names. The maximum length of a
# zone name is determined by the setting of the LOGFORMAT option # zone name is determined by the setting of the LOGFORMAT option
# in shorewall.conf. With the default LOGFORMAT, zone names can # in shorewall.conf. With the default LOGFORMAT, zone names can
# be at most 5 characters long. # be at most 5 characters long.
# #