Allow users to preview the generated ruleset.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-01-12 15:32:50 -08:00
parent 271e472d3d
commit 4420eed8d7
9 changed files with 162 additions and 4 deletions


@ -157,6 +157,7 @@ our %EXPORT_TAGS = (
have_global_variables have_global_variables
set_global_variables set_global_variables
create_netfilter_load create_netfilter_load
preview_netfilter_load
create_chainlist_reload create_chainlist_reload
create_stop_load create_stop_load
$section $section
@ -2853,6 +2854,20 @@ sub enter_cmd_mode() {
$mode = CMD_MODE; $mode = CMD_MODE;
} }
#
# These versions are used by 'preview'
#
sub enter_cat_mode1() {
print "\n";
emitstd "cat << __EOF__";
$mode = CAT_MODE;
}
sub enter_cmd_mode1() {
print "__EOF__\n\n" if $mode == CAT_MODE;
$mode = CMD_MODE;
}
# #
# Emits the passed rule (input to iptables-restore) or command # Emits the passed rule (input to iptables-restore) or command
# #
@ -2874,6 +2889,25 @@ sub emitr( $ ) {
} }
} }
sub emitr1( $ ) {
if ( my $rule = $_[0] ) {
if ( substr( $rule, 0, 2 ) eq '-A' ) {
#
# A rule
#
enter_cat_mode1 unless $mode == CAT_MODE;
print "$rule\n";
} else {
#
# A command
#
enter_cmd_mode1 unless $mode == CMD_MODE;
$rule =~ s/ >&3//;
emitstd $rule;
}
}
}
# #
# Generate the netfilter input # Generate the netfilter input
# #
@ -2977,6 +3011,74 @@ sub create_netfilter_load( $ ) {
emit "}\n"; emit "}\n";
} }
#
# Preview netfilter input
#
sub preview_netfilter_load() {
my @table_list;
push @table_list, 'raw' if $capabilities{RAW_TABLE};
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
push @table_list, 'filter';
$mode = NULL_MODE;
push_indent;
enter_cat_mode1;
my $date = localtime;
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
for my $table ( @table_list ) {
print "*$table\n";
my @chains;
#
# iptables-restore seems to be quite picky about the order of the builtin chains
#
for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain};
if ( $chainref ) {
assert( $chainref->{cmdlevel} == 0 );
print ":$chain $chainref->{policy} [0:0]\n";
push @chains, $chainref;
}
}
#
# First create the chains in the current table
#
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 );
print ":$chainref->{name} - [0:0]\n";
push @chains, $chainref;
}
}
#
# Then emit the rules
#
for my $chainref ( @chains ) {
emitr1 $_ for ( grep defined $_, @{$chainref->{rules}} );
}
#
# Commit the changes to the table
#
enter_cat_mode1 unless $mode == CAT_MODE;
print "COMMIT\n";
}
enter_cmd_mode1;
pop_indent;
print "\n";
}
# #
# Generate the netfilter input for refreshing a list of chains # Generate the netfilter input for refreshing a list of chains
# #
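Review bot: preview_netfilter_load appears to duplicate the whole walk that create_netfilter_load performs (table selection from %capabilities/%config, builtin-chain ordering, the `referenced` filter over sorted chain names, per-chain rule emission, COMMIT), differing only in going through print/emitr1 instead of emit/emitr; the original's body is not visible here, but if that is so, any later change to chain ordering or filtering applied to one copy and not the other will make the previewed ruleset differ from the one actually loaded, and the preview is precisely what an administrator uses to check a ruleset before activating it. Consider factoring the shared walk into one routine taking an emitter callback, or at minimum put `# NOTE: keep in step with create_netfilter_load(); the preview must show exactly what gets loaded` above the sub. In emitr1 the `$rule =~ s/ >&3//;` has no comment; I would add `# strip the '>&3' redirection carried by generated commands; preview output goes to STDOUT` (that fd 3 is the generated script's output channel is inferred, not visible in the hunk). enter_cat_mode1 uses the fixed heredoc delimiter `__EOF__`; a rule or command line consisting of exactly that token would terminate the cat block early, which is improbable but worth a sentence in the comment above these helpers.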


@ -562,8 +562,8 @@ EOF
# #
sub compiler { sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
( '', '', -1, '', 0, '', '', -1 ); ( '', '', -1, '', 0, '', '', -1, 0 );
$export = 0; $export = 0;
$test = 0; $test = 0;
@ -595,6 +595,7 @@ sub compiler {
log => { store => \$log }, log => { store => \$log },
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } , log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
test => { store => \$test }, test => { store => \$test },
preview => { store => \$preview },
); );
# #
# P A R A M E T E R P R O C E S S I N G # P A R A M E T E R P R O C E S S I N G
@ -866,6 +867,23 @@ sub compiler {
# #
enable_script, generate_aux_config if $export; enable_script, generate_aux_config if $export;
} else { } else {
if ( $preview ) {
generate_matrix;
if ( $config{OPTIMIZE} & 6 ) {
progress_message2 'Optimizing Ruleset...';
#
# Optimize Policy Chains
#
optimize_policy_chains if $config{OPTIMIZE} & 2;
#
# More Optimization
#
optimize_ruleset if $config{OPTIMIZE} & 4;
}
preview_netfilter_load;
}
# #
# Re-initialize the chain table so that process_routestopped() has the same # Re-initialize the chain table so that process_routestopped() has the same
# environment that it would when called by compile_stop_firewall(). # environment that it would when called by compile_stop_firewall().
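Review bot: The preview branch prints the ruleset to STDOUT while `progress_message2 'Optimizing Ruleset...'` runs in the middle of it; unless progress messages go to STDERR or the log, the shell fragment an administrator captures from `check -r` will have progress text interleaved with it — nothing in the hunk redirects either stream, so confirm where progress_message2 writes. The `$config{OPTIMIZE} & 6` / `& 2` / `& 4` sequence is presumably a copy of the one on the normal compile path (not visible in this hunk); if so, a small shared helper such as `_optimize_chains()` would guarantee preview and real compile apply the same optimisation steps. sub compiler begins and ends outside this hunk.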


@ -36,6 +36,7 @@
# --log=<filename> # Log file # --log=<filename> # Log file
# --log_verbosity=<number> # Log Verbosity range -1 to 2 # --log_verbosity=<number> # Log Verbosity range -1 to 2
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6 # --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
# --preview # Preview the ruleset.
# #
use strict; use strict;
use FindBin; use FindBin;
@ -58,6 +59,7 @@ sub usage( $ ) {
[ --log=<filename> ] [ --log=<filename> ]
[ --log-verbose={-1|0-2} ] [ --log-verbose={-1|0-2} ]
[ --test ] [ --test ]
[ --preview ]
[ --family={4|6} ] [ --family={4|6} ]
'; ';
@ -78,6 +80,7 @@ my $log_verbose = 0;
my $help = 0; my $help = 0;
my $test = 0; my $test = 0;
my $family = 4; # F_IPV4 my $family = 4; # F_IPV4
my $preview = 0;
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
@ -98,6 +101,7 @@ my $result = GetOptions('h' => \$help,
'l=s' => \$log, 'l=s' => \$log,
'log_verbosity=i' => \$log_verbose, 'log_verbosity=i' => \$log_verbose,
'test' => \$test, 'test' => \$test,
'preview' => \$preview,
'f=i' => \$family, 'f=i' => \$family,
'family=i' => \$family, 'family=i' => \$family,
); );
@ -115,4 +119,5 @@ compiler( script => defined $ARGV[0] ? $ARGV[0] : '',
log => $log, log => $log,
log_verbosity => $log_verbose, log_verbosity => $log_verbose,
test => $test, test => $test,
preview => $preview,
family => $family ); family => $family );


@ -14,6 +14,8 @@ Changes in Shorewall 4.4.6
7) Add 'show macro' command. 7) Add 'show macro' command.
8) Add -p option to check.
Changes in Shorewall 4.4.5 Changes in Shorewall 4.4.5
1) Fix 15-port limit removal change. 1) Fix 15-port limit removal change.


@ -49,6 +49,9 @@ Shorewall 4.4.6
you to trace selected packets through Netfilter, including marking you to trace selected packets through Netfilter, including marking
by tcrules. by tcrules.
12) You may now preview the generated ruleset by using the '-r' option
to the 'check' command (e.g., "shorewall check -r").
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
M I G R A T I O N I S S U E S M I G R A T I O N I S S U E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -265,6 +268,12 @@ None.
The command displays the contents of the macro.<macro> file. The command displays the contents of the macro.<macro> file.
6) You may now preview the generated ruleset by using the '-r' option
to the 'check' command (e.g., "shorewall check -r").
The output is a shell script fragment, similar to the way it
appears in the generated script.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -362,6 +362,7 @@ compiler() {
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
[ -n "$TIMESTAMP" ] && options="$options --timestamp" [ -n "$TIMESTAMP" ] && options="$options --timestamp"
[ -n "$TEST" ] && options="$options --test" [ -n "$TEST" ] && options="$options --test"
[ -n "$PREVIEW" ] && options="$options --preview"
[ "$debugging" = trace ] && options="$options --debug" [ "$debugging" = trace ] && options="$options --debug"
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
# #
@ -642,6 +643,10 @@ check_command() {
DEBUG=Yes; DEBUG=Yes;
option=${option#d} option=${option#d}
;; ;;
r*)
PREVIEW=Yes;
option=${option#r}
;;
*) *)
usage 1 usage 1
;; ;;
@ -1351,7 +1356,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]" echo " check [ -e ] [ -r ] [ <directory> ]"
echo " clear [ -f ]" echo " clear [ -f ]"
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]" echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
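Review bot: `PREVIEW` is tested in compiler() with `[ -n "$PREVIEW" ]` but the hunks do not show it being initialised before option parsing; if the neighbouring flags (TEST, TIMESTAMP, DEBUG) are cleared at script start and PREVIEW is not, a PREVIEW value inherited from the caller's environment would add `--preview` on every compiler invocation rather than only on `check -r` — confirm, and add `PREVIEW=` next to those initialisations. The same applies to the shorewall6 script in this commit, whose compiler() and check_command() hunks mirror these. Minor style: the new `r*)` case is placed after `d*)` here but before it in shorewall6; keeping the option cases in the same order in both scripts makes them easier to diff against each other.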


@ -279,6 +279,7 @@ compiler() {
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
[ -n "$TIMESTAMP" ] && options="$options --timestamp" [ -n "$TIMESTAMP" ] && options="$options --timestamp"
[ -n "$TEST" ] && options="$options --test" [ -n "$TEST" ] && options="$options --test"
[ -n "$PREVIEW" ] && options="$options --preview"
[ "$debugging" = trace ] && options="$options --debug" [ "$debugging" = trace ] && options="$options --debug"
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed" [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@ -552,6 +553,10 @@ check_command() {
PROFILE=Yes PROFILE=Yes
option=${option#p} option=${option#p}
;; ;;
r*)
PREVIEW=Yes;
option=${option#r}
;;
d*) d*)
DEBUG=Yes; DEBUG=Yes;
option=${option#d} option=${option#d}
@ -1267,7 +1272,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]" echo " check [ -e ] [ -r ] [ <directory> ]"
echo " clear [ -f ]" echo " clear [ -f ]"
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]" echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"


@ -60,6 +60,8 @@
<arg><option>-p</option></arg> <arg><option>-p</option></arg>
<arg><option>-r</option></arg>
<arg><replaceable>directory</replaceable></arg> <arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
@ -720,6 +722,10 @@
<para>The <option>-p</option> option causes the compiler to be <para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line profiled via the Perl <option>-wd:DProf</option> command-line
option.</para> option.</para>
<para>The <option>-r</option> option was added in Shorewall 4.5.2
and causes the compiler to print the generated ruleset to standard
out.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -44,6 +44,8 @@
<arg><option>-p</option></arg> <arg><option>-p</option></arg>
<arg><option>-r</option></arg>
<arg><replaceable>directory</replaceable></arg> <arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
@ -584,6 +586,10 @@
<para>The <option>-p</option> option causes the compiler to be <para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line profiled via the Perl <option>-wd:DProf</option> command-line
option.</para> option.</para>
<para>The <option>-r</option> option was added in Shorewall 4.5.2
and causes the compiler to print the generated ruleset to standard
out.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>