Bring 3.2.2 Changes forward

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-02 02:49:54 +01:00 · 2006-08-08 23:03:06 +00:00 · 2006-08-08 23:03:06 +00:00 · 3d81581c01
commit 3d81581c01
parent 5e552654aa
10 changed files with 234 additions and 88 deletions
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -1076,7 +1076,7 @@ __EOF__
 #
 setup_providers()
 {
-    local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes
+    local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes save_indent1=

    copy_table() {
 	    indent >&3 << __EOF__
@ -1115,6 +1115,7 @@ __EOF__
    {
 	balance=yes

+	save_command
 	if [ -n "$first" ]; then
 	    if [ -n "$gateway" ] ; then
 		save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\""
@ -1133,7 +1134,7 @@ __EOF__
    }

    add_a_provider() {
-	local t n iface option
+	local t n iface option optional=

 	[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"

@ -1158,6 +1159,14 @@ __EOF__
 # Add Provider $table ($number)
 #
 __EOF__
+	save_command "if [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then"
+	save_indent1="$INDENT"
+	INDENT="$INDENT    "
+
+	iface=$(chain_base $interface)
+	
+	save_command "${iface}_up=Yes"
+	
 	save_command "qt ip route flush table $number"

 	if [ "x${duplicate:=-}" != x- ]; then
@ -1222,7 +1231,6 @@ __EOF__
 		track)
 		    list_search $interface $ROUTEMARK_INTERFACES && \
 			fatal_error "Interface $interface is tracked through an earlier provider"
-		    iface=$(chain_base $interface)
 		    [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\""
 		    eval ${iface}_routemark=$mark
 		    ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
@ -1236,6 +1244,9 @@ __EOF__
 		loose)
 		    loose=Yes
 		    ;;
+		optional)
+		    optional=Yes
+		    ;;
 		*)
 		    error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\""
 		    ;;
@ -1271,6 +1282,19 @@ progress_message "   Provider $table ($number) Added"

 __EOF__

+    INDENT="$save_indent1"
+    save_command else
+    
+    if [ -n "$optional" ]; then
+	save_command "    error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
+	save_command "    ${iface}_up="
+    else
+	save_command "    fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""
+    fi
+
+    save_command fi
+    save_command
+
    }

    verify_provider()
@ -1331,7 +1355,6 @@ __EOF__
    strip_file providers $1

    if [ -s $TMP_DIR/providers ]; then
-	DEFAULT_ROUTE=
 	balance=

 	progress_message2 "$DOING $1..."
@ -1351,8 +1374,13 @@ __EOF__

 	if [ -n "$PROVIDERS" ]; then
 	    if [ -n "$balance" ]; then
-		save_command "run_ip route replace default scope global \$DEFAULT_ROUTE"
-		save_command "progress_message Default route \$DEFAULT_ROUTE Added"
+		save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then"
+		save_command "    run_ip route replace default scope global \$DEFAULT_ROUTE"
+		save_command "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\""
+		save_command "else"
+		save_command "    error_message \"WARNING: No Default route added (all 'balance' providers are down)\""
+		save_command "fi"
+		save_command
 	    fi

 	    cat >&3 << __EOF__
@ -6072,7 +6100,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
 #
 setup_routes()
 {
-    local mask=0xFF mark_op="--set-mark"
+    local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"

    [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark"

@ -6080,15 +6108,22 @@ setup_routes()
    run_iptables -t mangle -A OUTPUT     -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
    createmanglechain routemark

-    for interface in $ROUTEMARK_INTERFACES ; do
+    if [ -n "$ROUTEMARK_INTERFACES" ]; then
+	for interface in $ROUTEMARK_INTERFACES ; do
+	    iface=$(chain_base $interface)
+	    eval mark_value=\$${iface}_routemark

-	iface=$(chain_base $interface)
-	eval mark_value=\$${iface}_routemark
-
-	run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
-	run_iptables -t mangle -A routemark  -i $interface                        -j MARK $mark_op $mark_value
-
-    done
+	    save_command
+	    save_command "if [ -n \"\$${iface}_up\" ]; then"
+	    INDENT="$INDENT    "
+	    run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
+	    run_iptables -t mangle -A routemark  -i $interface                        -j MARK $mark_op $mark_value
+	    INDENT="$save_indent"
+	    save_command "fi"
+	done
+	
+	save_command
+    fi

    run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask

@ -7327,6 +7362,7 @@ if [ -f $file ]; then
 else
    error_message "WARNING: Cannot set Martian logging on $interface"
 fi
+
 __EOF__
 	    done

@ -7368,7 +7404,6 @@ fi
 __EOF__
 	done
    fi
-
    #
    # UPnP
    #
@ -7485,14 +7520,6 @@ activate_rules()
 	fi
    }

-    #
-    # Create a dynamic chain for a zone and jump to it from a second chain
-    #
-    create_zone_dyn_chain() # $1 = zone, $2 = second chain
-    {
-	createchain ${1}_dyn No
-	run_iptables -A $2 -j ${1}_dyn
-    }
    #
    # Add jumps to early SNAT chains
    #
@ -7991,6 +8018,21 @@ __EOF__
 __EOF__
 }

+#
+# Conditionally add an option to .conf file (FD 3)
+#
+conditionally_add_option() { # $1 = option name
+    local value
+
+    eval value=\"\$$1\"
+
+    if [ -n "$value" ]; then
+	    cat >&3 << __EOF__
+[ -n "\${$1:=$value}" ]
+__EOF__
+    fi
+}	
+
 #
 # Compile a Restore Script
 #
@ -8484,19 +8526,13 @@ __EOF__
 	    exec 3>${outfile}.conf
 	    cat >&3 << __EOF__
 #
-# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date)
+# Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date)
 #
-[ -n "\${VERBOSITY:=$VERBOSITY}" ]
-[ -n "\${LOGFILE:=$LOGFILE}" ]
-[ -n "\${LOGFORMAT:=$LOGFORMAT}" ]
-[ -n "\${IPTABLES:=$IPTABLES}" ]
-[ -n "\${PATH:=$PATH}" ]
-[ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ]
-[ -n "\${LOGFILE:=$LOGFILE}" ]
-[ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ]
-[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
 __EOF__
-	    exec 3>&-
+	    for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do
+		conditionally_add_option $option
+	    done
+	    exec 3>&-	    
 	fi

 	progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)"
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=3.2.0
+VERSION=3.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -1221,12 +1221,11 @@ determine_capabilities() {

    if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
-	qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
    fi

    if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
 	IPRANGE_MATCH=Yes
-	if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
+	if [ -z "${KLUDGEFREE}" ]; then
 	    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
 	fi
    fi
@ -1282,16 +1281,16 @@ determine_capabilities() {
    qt $IPTABLES -X fooX1234
 }

-report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-{
-    local setting=
-
-    [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
-    echo "  " $1: $setting
-}
-
 report_capabilities() {
+    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+    {
+	local setting=
+	
+	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+	
+	echo "  " $1: $setting
+    }
+
    if [ $VERBOSE -gt 1 ]; then
 	echo "Shorewall has detected the following iptables/netfilter capabilities:"
 	report_capability "NAT" $NAT_ENABLED
@ -1325,6 +1324,41 @@ report_capabilities() {

 }

+report_capabilities1() {
+    report_capability1() # $1 = Capability
+    {
+	eval echo $1=\$$1
+    }
+
+    echo "#"
+    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capability1 NAT_ENABLED
+    report_capability1 MANGLE_ENABLED
+    report_capability1 MULTIPORT
+    report_capability1 XMULTIPORT
+    report_capability1 CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
+    report_capability1 POLICY_MATCH
+    report_capability1 PHYSDEV_MATCH
+    report_capability1 LENGTH_MATCH
+    report_capability1 IPRANGE_MATCH
+    report_capability1 RECENT_MATCH
+    report_capability1 OWNER_MATCH
+    report_capability1 IPSET_MATCH
+    report_capability1 CONNMARK
+    report_capability1 XCONNMARK
+    report_capability1 CONNMARK_MATCH
+    report_capability1 XCONNMARK_MATCH
+    report_capability1 RAW_TABLE
+    report_capability1 IPP2P_MATCH
+    report_capability1 CLASSIFY_TARGET
+    report_capability1 ENHANCED_REJECT
+    report_capability1 KLUDGEFREE
+    report_capability1 MARK
+    report_capability1 XMARK
+    report_capability1 MANGLE_FORWARD
+}

 #
 # Delete IP address
--- a/Shorewall/help
+++ b/Shorewall/help
@ -88,7 +88,7 @@ debug)
    If you include the keyword debug as the first argument to any
    of these commands:

-	start|stop|restart|reset|clear|refresh|check|add|delete|compile
+	start|stop|restart|reset|clear|refresh|check|compile

    then a shell trace of the command is produced.  For example:

@ -159,7 +159,7 @@ iprange)
 	;;

 load)
-	echo "load: load [ <directory> ] <system>
+	echo "load: load [ -s ] [ <directory> ] <system>
    If <directory> is omitted, then the current working directory is assumed.

    Requires that Shorewall Lite be installed on the named <system>.
@ -168,7 +168,10 @@ load)
    program called '<directory>/firewall'. If compilation is successful,
    the '<directory>/firewall' script is copied via scp to the
    ${LITEDIR} directory on <system>. If the script is copied
-    successfully, Shorewall Lite on <system> is started via ssh."
+    successfully, Shorewall Lite on <system> is started via ssh.
+
+    If the -s option is given and Shorewall Lite starts successfully then
+    ssh is used to execute 'shorewall-lite save' on <system>"
 	;;

 logdrop)
@ -227,7 +230,10 @@ reload)
    program called '<directory>/firewall'. If compilation is successful,
    the '<directory>/firewall' script is copied via scp to the
    ${LITEDIR} directory on <system>. If the script is copied
-    successfully, Shorewall Lite on <system> is restarted via ssh."
+    successfully, Shorewall Lite on <system> is restarted via ssh.
+
+    If the -s option is given and Shorewall Lite restarts successfully then
+    ssh is used to execute 'shorewall-lite save' on <system>"
 	;;

 restart)
@ -277,7 +283,7 @@ save)
 	;;

 show)
-	echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
+	echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]

    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)
@ -303,7 +309,8 @@ show)

    shorewall show zones - displays the contents of all zones.

-    shorewall show capabilities - displays your kernel/iptables capabilities
+    shorewall show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
+    specified, then the output is suitable for use as /etc/shorewall/capabilities.

    shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #

-VERSION=3.2.0
+VERSION=3.2.2

 usage() # $1 = exit status
 {
@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup

 backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
 {
-    if [ -z "$PREFIX" ]; then
+    if [ -z "${PREFIX}{NOBACKUP}" ]; then
 	if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
 	    if [ -n "$2" ]; then
 		if [ -d $2 ]; then
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
 	GROUP=root
 fi

+NOBACKUP=
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
+	-n)
+	    NOBACKUP=Yes
+	    ;;
 	*)
 	    usage 1
 	    ;;
@ -216,9 +222,11 @@ echo "Installing Shorewall Version $VERSION"
 #
 if [ -d ${PREFIX}/etc/shorewall ]; then
    first_install=""
-    backup_directory ${PREFIX}/etc/shorewall
-    backup_directory ${PREFIX}/usr/share/shorewall
-    backup_directory ${PREFIX}/var/lib/shorewall
+    if [ -z "$NOBACKUP" ]; then
+	backup_directory ${PREFIX}/etc/shorewall
+	backup_directory ${PREFIX}/usr/share/shorewall
+	backup_directory ${PREFIX}/var/lib/shorewall
+    fi
 else
    first_install="Yes"
 fi
--- a/Shorewall/providers
+++ b/Shorewall/providers
@ -69,6 +69,11 @@
 #			'loose' prevents creation of such rules on this
 #			interface.
 #
+#		optional
+#			If the interface named in the INTERFACE column is not
+#			up and configured with an IPv4 address then ignore
+#			this provider.
+#
 #	COPY		A comma-separated lists of other interfaces on your
 #			firewall. Only makes sense when DUPLICATE is 'main'.
 #			Only copy routes through INTERFACE and through
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -872,6 +872,10 @@ show_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			f*)
+			    FILEMODE=Yes
+			    option=${option#f}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@ -948,7 +952,11 @@ show_command() {
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
 	    VERBOSE=2
-	    report_capabilities
+	    if [ -n "$FILEMODE" ]; then
+		report_capabilities1
+	    else
+		report_capabilities
+	    fi
 	    ;;
 	actions)
 	    [ $# -gt 1 ] && usage 1
@ -1299,23 +1307,73 @@ restore_command() {
 #
 # [Re]load command executor
 #
-reload_command()) # $1 = directory, $2 = system
+reload_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file=$(resolve_file $1/firewall)
+    local verbose=$(make_verbose) file= finished=0 saveit= result directory system

    [ -n "$LITEDIR" ] || { echo "   ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; }

-    if shorewall $debugging $verbose compile -e $1 $1/firewall && \
-	echo "Copying $(resolve_file ${1}/firewall) to ${2}:${LITEDIR}..." && \
-	scp $1/firewall root@${2}:${LITEDIR}
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			s*)
+			    saveit=Yes
+			    option=${option#s}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	1)
+	    directory="."
+	    system=$1
+	    ;;
+	2)
+	    directory=$1
+	    system=$2
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    file=$(resolve_file $directory/firewall)
+
+    if shorewall $debugging $verbose compile -e $directory $directory/firewall && \
+	echo "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
+	scp $directory/firewall $directory/firewall.conf root@${system}:${LITEDIR}
    then
 	echo "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
-	    progress_message3 "System $2 reloaded"
+	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
-	    progress_message3 "System $2 reloaded"
+	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    progress_message3 "System $system reloaded" || saveit=
+	fi
+
+	if [ -n "$saveit" ]; then
+	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose save" && \
+	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
 }
@ -1347,18 +1405,18 @@ usage() # $1 = exit status
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
-    echo "   load [ <directory> ] <system>"
+    echo "   load [ -s ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   refresh"
    echo "   reject <address> ..."
-    echo "   reload [ <directory> ] <system>"
+    echo "   reload [ -s ] [ <directory> ] <system>"
    echo "   reset"
    echo "   restart [ -n ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
+    echo "   show [ -x ] [ -m ] [-f] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
    echo "   stop"
    echo "   status"
@ -1657,21 +1715,7 @@ case "$COMMAND" in
 	;;
    load|reload)
 	shift
-	case $# in
-	    1)
-		directory="."
-		system=$1
-		;;
-	    2)
-		directory=$1
-		system=$2
-		;;
-	    *)
-		usage 1
-		;;
-	esac
-
-	reload_command $directory $system
+	reload_command $@
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -710,6 +710,14 @@ DISABLE_IPV6=Yes

 BRIDGING=No

+#
+# DYNAMIC ZONES
+#
+# If you need to be able to add and delete hosts from zones dynamically then
+# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
+
+DYNAMIC_ZONES=No
+
 #
 # USE PKTTYPE MATCH
 #
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 3.2.0
+%define version 3.2.2
 %define release 1
 %define prefix /usr

@ -209,6 +209,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples

 %changelog
+* Wed Aug 02 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.2-1
+* Fri Jul 21 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.1-1
 * Sat Jul 08 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.2.0-1
 * Thu Jun 29 2006 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=3.2.0
+VERSION=3.2.2

 usage() # $1 = exit status
 {