diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 3ee10be2b..d53b8a18f 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -157,6 +157,7 @@ our %EXPORT_TAGS = ( have_global_variables set_global_variables create_netfilter_load + preview_netfilter_load create_chainlist_reload create_stop_load $section @@ -2853,6 +2854,20 @@ sub enter_cmd_mode() { $mode = CMD_MODE; } +# +# These versions are used by 'preview' +# +sub enter_cat_mode1() { + print "\n"; + emitstd "cat << __EOF__"; + $mode = CAT_MODE; +} + +sub enter_cmd_mode1() { + print "__EOF__\n\n" if $mode == CAT_MODE; + $mode = CMD_MODE; +} + # # Emits the passed rule (input to iptables-restore) or command # @@ -2874,6 +2889,25 @@ sub emitr( $ ) { } } +sub emitr1( $ ) { + if ( my $rule = $_[0] ) { + if ( substr( $rule, 0, 2 ) eq '-A' ) { + # + # A rule + # + enter_cat_mode1 unless $mode == CAT_MODE; + print "$rule\n"; + } else { + # + # A command + # + enter_cmd_mode1 unless $mode == CMD_MODE; + $rule =~ s/ >&3//; + emitstd $rule; + } + } +} + # # Generate the netfilter input # 
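Review bot: `enter_cat_mode1` does not check the current mode before emitting `cat << __EOF__`, so a call while `$mode` is already CAT_MODE would start a second heredoc inside the one still open; `enter_cmd_mode1` guards itself with `if $mode == CAT_MODE`, and the other callers of `enter_cat_mode1` in this commit (emitr1, the COMMIT path in preview_netfilter_load) each repeat an `unless $mode == CAT_MODE` to compensate. Making the pair symmetric with `return if $mode == CAT_MODE;` as the first statement of `enter_cat_mode1` removes the call-site guards, and the unconditional call in preview_netfilter_load is unaffected because `$mode` is set to NULL_MODE just before it. The header comment only says the subs are "used by 'preview'"; I would extend it to say what differs from `enter_cat_mode`/`enter_cmd_mode`: the fragment is written to standard output via `emitstd`/`print`, and `enter_cmd_mode1` is what terminates the open heredoc by printing `__EOF__`. The heredoc delimiter is unquoted, so the rule text is subject to shell expansion when the fragment is executed — presumably identical to the generated script, but worth one line in that comment.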
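Review bot: `emitr1` has no header comment, and the only things that distinguish it from `emitr` just above — calling the `*_mode1` helpers and the `$rule =~ s/ >&3//;` that drops the file-descriptor-3 redirection — are undocumented; I would add `# Preview variant of emitr(): same rule/command classification, but writes to standard output and strips the ' >&3' redirection that commands carry in the generated script.` above the sub. That substitution is unanchored and removes only the first occurrence, so it would also rewrite a ` >&3` that happens to appear mid-command; if the redirection is always trailing (the code that appends it is not in this hunk), `s/ >&3\z//` both says so and is safer. The rest of the body is a copy of `emitr`, so a flag or emitter argument to a single sub would keep the two from drifting apart as rule classification changes.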
@@ -2977,6 +3011,74 @@ sub create_netfilter_load( $ ) { emit "}\n"; } +# +# Preview netfilter input +# +sub preview_netfilter_load() { + + my @table_list; + + push @table_list, 'raw' if $capabilities{RAW_TABLE}; + push @table_list, 'nat' if $capabilities{NAT_ENABLED}; + push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; + push @table_list, 'filter'; + + $mode = NULL_MODE; + + push_indent; + + enter_cat_mode1; + + my $date = localtime; + + print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n"; + + for my $table ( @table_list ) { + print "*$table\n"; + + my @chains; + # + # iptables-restore seems to be quite picky about the order of the builtin chains + # + for my $chain ( @builtins ) { + my $chainref = $chain_table{$table}{$chain}; + if ( $chainref ) { + assert( $chainref->{cmdlevel} == 0 ); + print ":$chain $chainref->{policy} [0:0]\n"; + push @chains, $chainref; + } + } + # + # First create the chains in the current table + # + for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { + my $chainref = $chain_table{$table}{$chain}; + unless ( $chainref->{builtin} ) { + assert( $chainref->{cmdlevel} == 0 ); + print ":$chainref->{name} - [0:0]\n"; + push @chains, $chainref; + } + } + # + # Then emit the rules + # + for my $chainref ( @chains ) { + emitr1 $_ for ( grep defined $_, @{$chainref->{rules}} ); + } + # + # Commit the changes to the table + # + enter_cat_mode1 unless $mode == CAT_MODE; + print "COMMIT\n"; + } + + enter_cmd_mode1; + + pop_indent; + + print "\n"; +} + # # Generate the netfilter input for refreshing a list of chains # diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index f43278ca2..174289883 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
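Review bot: `preview_netfilter_load` re-implements the body of `create_netfilter_load` (table list, builtin-chain ordering, chain declarations, rule emission, COMMIT) and differs only in the destination and the header it prints, so every later fix to one has to be repeated in the other; at minimum add `# NOTE: mirrors create_netfilter_load() above - keep the two in step` to the header, and preferably pull the shared loop into one helper that takes the rule-emitting sub (`\&emitr` or `\&emitr1`) and the prologue/epilogue as arguments. The header comment "Preview netfilter input" should also state that the output is a `cat << __EOF__` … `__EOF__` fragment on standard output, that the sub resets the package-level `$mode` to NULL_MODE on entry and leaves it in CMD_MODE on exit, and that it brackets its output with push_indent/pop_indent. The rule lines go out with bare `print` (currently selected filehandle) while the heredoc start and the commands go through `emitstd`; if anything in the compiler ever `select`s another handle the two halves of the fragment land in different places, so `print STDOUT ...` would make the intent explicit. The `localtime` stamp in the banner makes two previews of the same configuration differ, which matters to anyone diffing previews; mentioning that in the comment, or making the banner optional, avoids surprise.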
@@ -562,8 +562,8 @@ EOF # sub compiler { - my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = - ( '', '', -1, '', 0, '', '', -1 ); + my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) = + ( '', '', -1, '', 0, '', '', -1, 0 ); $export = 0; $test = 0; @@ -595,6 +595,7 @@ sub compiler { log => { store => \$log }, log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } , test => { store => \$test }, + preview => { store => \$preview }, ); # # P A R A M E T E R P R O C E S S I N G @@ -866,6 +867,23 @@ sub compiler { # enable_script, generate_aux_config if $export; } else { + if ( $preview ) { + generate_matrix; + + if ( $config{OPTIMIZE} & 6 ) { + progress_message2 'Optimizing Ruleset...'; + # + # Optimize Policy Chains + # + optimize_policy_chains if $config{OPTIMIZE} & 2; + # + # More Optimization + # + optimize_ruleset if $config{OPTIMIZE} & 4; + } + + preview_netfilter_load; + } # # Re-initialize the chain table so that process_routestopped() has the same # environment that it would when called by compile_stop_firewall(). diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index 1a8f24e6e..23ba9cbfe 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl @@ -36,6 +36,7 @@ # --log= # Log file # --log_verbosity= # Log Verbosity range -1 to 2 # --family= # IP family; 4 = IPv4 (default), 6 = IPv6 +# --preview # Preview the ruleset. # use strict; use FindBin; @@ -58,6 +59,7 @@ sub usage( $ ) { [ --log= ] [ --log-verbose={-1|0-2} ] [ --test ] + [ --preview ] [ --family={4|6} ] '; @@ -78,6 +80,7 @@ my $log_verbose = 0; my $help = 0; my $test = 0; my $family = 4; # F_IPV4 +my $preview = 0; Getopt::Long::Configure ('bundling'); 
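Review bot: The preview shares standard output with the compiler's progress messages: `progress_message2 'Optimizing Ruleset...'` is issued immediately before `preview_netfilter_load`, so if progress messages go to STDOUT (their sink is not visible in this hunk) a user who captures `shorewall check -r > ruleset` gets a status line ahead of the fragment and anything that consumes the output has to strip it. Either route progress output to STDERR while `$preview` is set, or say in the `--preview` help text that the fragment is preceded by status lines. The `generate_matrix` / `optimize_policy_chains` / `optimize_ruleset` sequence with its `$config{OPTIMIZE} & 2` and `& 4` tests looks like the one the script-generating branch above must also run; if so, a small helper would keep the two flag tests in one place. `sub compiler` starts and ends outside this hunk.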
@@ -98,6 +101,7 @@ my $result = GetOptions('h' => \$help, 'l=s' => \$log, 'log_verbosity=i' => \$log_verbose, 'test' => \$test, + 'preview' => \$preview, 'f=i' => \$family, 'family=i' => \$family, ); @@ -115,4 +119,5 @@ compiler( script => defined $ARGV[0] ? $ARGV[0] : '', log => $log, log_verbosity => $log_verbose, test => $test, + preview => $preview, family => $family ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index edb52c3bd..dc90876a4 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -14,6 +14,8 @@ Changes in Shorewall 4.4.6 7) Add 'show macro' command. +8) Add -p option to check. + Changes in Shorewall 4.4.5 1) Fix 15-port limit removal change. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f37e9319f..55a8a92d5 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -49,6 +49,9 @@ Shorewall 4.4.6 you to trace selected packets through Netfilter, including marking by tcrules. +12) You may now preview the generated ruleset by using the '-r' option + to the 'check' command (e.g., "shorewall check -r"). + ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- @@ -265,6 +268,12 @@ None. The command displays the contents of the macro. file. +6) You may now preview the generated ruleset by using the '-r' option + to the 'check' command (e.g., "shorewall check -r"). + + The output is a shell script fragment, similar to the way it + appears in the generated script. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 4badd2a6d..b135d7dfd 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
@@ -362,6 +362,7 @@ compiler() { [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" [ -n "$TIMESTAMP" ] && options="$options --timestamp" [ -n "$TEST" ] && options="$options --test" + [ -n "$PREVIEW" ] && options="$options --preview" [ "$debugging" = trace ] && options="$options --debug" [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" # @@ -642,6 +643,10 @@ check_command() { DEBUG=Yes; option=${option#d} ;; + r*) + PREVIEW=Yes; + option=${option#r} + ;; *) usage 1 ;; @@ -1351,7 +1356,7 @@ usage() # $1 = exit status echo "where is one of:" echo " add [:] ... " echo " allow
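Review bot: `compiler()` now reads `$PREVIEW` with `[ -n "$PREVIEW" ]`, but this commit adds no place that clears `PREVIEW` before the command line is parsed; the neighbouring `TEST`, `TIMESTAMP` and `REFRESHCHAINS` are presumably reset at script start (not visible here), and if `PREVIEW` is not, a `PREVIEW=...` exported in the caller's environment would switch every compile, not just `check -r`, into preview mode. Adding `PREVIEW=` next to the existing initialisation of `TEST`, or `unset PREVIEW` at the top of the script, makes the flag depend only on the `-r` option. The same applies to the identical hunk in Shorewall6/shorewall6 (`@@ -279,6 +279,7 @@ compiler()`).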
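Review bot: The option letter bound here is `r` (`r*) PREVIEW=Yes`), but the changelog entry in this same commit says "Add -p option to check." and the manpage text says the option was added in Shorewall 4.5.2 while the changelog and release notes list it under 4.4.6; the changelog line should read `-r` (in shorewall6 `-p` is already PROFILE) and the version strings should agree. In the shorewall6 counterpart (`@@ -552,6 +553,10 @@ check_command()`) the new case writes `PREVIEW=Yes;` while the adjacent `PROFILE=Yes` has no trailing semicolon — pick one form for the file. A one-line description of `-r` in the usage text, alongside the `[ -r ]` added to the `check` synopsis, would tell users what the letter does without reading the manpage.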
..." - echo " check [ -e ] [ ]" + echo " check [ -e ] [ -r ] [ ]" echo " clear [ -f ]" echo " compile [ -e ] [ -d ] [ ] [ ]" echo " delete [:] ... " diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index 58dd7cb71..9a89e069e 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -279,6 +279,7 @@ compiler() { [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" [ -n "$TIMESTAMP" ] && options="$options --timestamp" [ -n "$TEST" ] && options="$options --test" + [ -n "$PREVIEW" ] && options="$options --preview" [ "$debugging" = trace ] && options="$options --debug" [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed" @@ -552,6 +553,10 @@ check_command() { PROFILE=Yes option=${option#p} ;; + r*) + PREVIEW=Yes; + option=${option#r} + ;; d*) DEBUG=Yes; option=${option#d} @@ -1267,7 +1272,7 @@ usage() # $1 = exit status echo "where is one of:" echo " add [:] ... " echo " allow
..." - echo " check [ -e ] [ ]" + echo " check [ -e ] [ -r ] [ ]" echo " clear [ -f ]" echo " compile [ -e ] [ -d ] [ ] [ ]" echo " delete [:] ... " diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 236c481e4..940101625 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -60,6 +60,8 @@ + + directory @@ -720,6 +722,10 @@ The option causes the compiler to be profiled via the Perl command-line option. + + The option was added in Shorewall 4.5.2 + and causes the compiler to print the generated ruleset to standard + out. diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 437f67526..197edc2ce 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -44,6 +44,8 @@ + + directory @@ -584,6 +586,10 @@ The option causes the compiler to be profiled via the Perl command-line option. + + The option was added in Shorewall 4.5.2 + and causes the compiler to print the generated ruleset to standard + out.