First set of changes to allow compilation on a different system

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3266 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -55,14 +55,6 @@ my_mutex_off() {
     [ -n "$HAVE_MUTEX" ] && { mutex_off; HAVE_MUTEX=; }
 }
 
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Fatal error -- stops the firewall after issuing the error message
 #
@@ -1237,6 +1229,23 @@ validate_interfaces_file() {
 		dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
 		    ;;
 		norfc1918)
+		    if [ $COMMAND = generate ]; then
+			cat >> $RESTOREBASE << __EOF__
+
+progress_message "Verifying 'norfc1918' on $interface"
+
+addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
+if [ -n "\$addr" ]; then
+    addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
+    for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
+	if in_network \$addr \$network; then
+	    fatal_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface"
+	fi
+    done
+fi
+
+__EOF__
+		    else
 			addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
 			if [ -n "$addr" ]; then
 			    addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
@@ -1246,6 +1255,7 @@ validate_interfaces_file() {
 				fi
 			    done
 			fi
+		    fi
 		    ;;
 		arp_ignore=*)
 		    eval ${iface}_arp_ignore=${option#*=}
@@ -1296,6 +1306,19 @@ setup_providers()
     local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum pref echobin=$(mywhich echo)
 
     copy_table() {
+	if [ $COMMAND = generate ]; then
+	    cat >> $RESTOREBASE << __EOF__
+    ip route show table $duplicate | while read net route; do
+	case \$net in
+	    default|nexthop)
+		;;
+	    *)
+		ip route add table $number \$net \$route"
+		;;
+	esac
+    done
+__EOF__
+	else
 	    run_ip route show table $duplicate | while read net route; do
 		case $net in
 		    default|nexthop)
@@ -1305,9 +1328,28 @@ setup_providers()
 			;;
 		esac
 	    done
+	fi
     }
 
     copy_and_edit_table() {
+	if [ $COMMAND = generate ]; then
+	    cat >> $RESTOREBASE << __EOF__
+    ip route show table $duplicate | while read net route; do
+	case \$net in
+	    default|nexthop)
+		;;
+	    *)
+		case \$(find_device \$route) in
+		    `echo $copy\) | sed 's/ /|/g'`
+			ip route add table $number \$net \$route
+			;;
+		esac
+		;;
+	esac
+    done
+
+__EOF__
+	else
 	    run_ip route show table $duplicate | while read net route; do
 		case $net in
 		    default|nexthop)
@@ -1319,6 +1361,7 @@ setup_providers()
 			;;
 		esac
 	    done
+	fi
     }
 
     add_a_provider() {
@@ -1358,28 +1401,32 @@ setup_providers()
 	fi
 
 	if [ "x$gateway" = xdetect ] ; then
-	    #
+	    if [ $COMMAND = generate ]; then
-	    # First assume that this is some sort of point-to-point interface
+		cat >> $RESTOREBASE << __EOF__
-	    #
+    gateway=\$(detect_gateway $interface)
-	    gateway=$( find_peer $(ip addr ls $interface ) )
+
-	    #
+    if [ -z \"\$gateway\" ]; then
-	    # Maybe there's a default route through this gateway already
+	ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
-	    #
+	ip route add default via \$gateway dev $interface table $number
-	    [ -n "$gateway" ] || gateway=$(find_gateway $(ip route ls dev $interface))
+    else
-	    #
+	fatal_error "Unable to detect the gateway through interface $interface"
-	    # Last hope -- is there a load-balancing route through the interface?
-	    #
-	    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
-	    #
-	    # Be sure we found one
-	    #
-	    [ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
     fi
 
-	if [ $COMMAND != check ]; then
+__EOF__
+	    else
+		gateway=$(detect_gateway $interface)
+		[ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
+	    fi
+	fi
+
+	case $COMMAND in
+	    check|generate)
+		;;
+	    *)
 		ensure_and_save_command "    ip route replace $gateway src $(find_first_interface_address $interface) dev $interface table $number"
 		ensure_and_save_command "    ip route add default via $gateway dev $interface table $number"
-	fi
+		;;
+	esac
 
 	if [ x${mark} != x- ]; then
 	    verify_mark $mark
@@ -1407,10 +1454,18 @@ setup_providers()
 		    ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
 		    ;;
 		balance=*)
+		    if [ $COMMAND = generate ]; then
+			save_command "    DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via \$gateway dev $interface weight ${option#*=}\""
+		    else
 			DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight ${option#*=}"
+		    fi
 		    ;;
 		balance)
+		    if [ $COMMAND = generate ]; then
+			save_command "    DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via \$gateway dev $interface weight 1\""
+		    else
 			DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1"
+		    fi
 		    ;;
 		loose)
 		    loose=Yes
@@ -1438,10 +1493,13 @@ setup_providers()
     strip_file providers $1
 
     if [ -s $TMP_DIR/providers ]; then
+	DEFAULT_ROUTE=
+
 	if [ $COMMAND != check ]; then
 	    progress_message2 "Processing $1..."
 	    save_progress_message "Restoring Providers..."
 	    save_command "if [ -z \"\$NOROUTES\" ]; then"
+	    [ $COMMAND = generate ] && save_command "    DEFAULT_ROUTE="
 	else
 	    progress_message2 "Validating $1..."
 	fi
@@ -1463,17 +1521,18 @@ setup_providers()
 
 	if [ $COMMAND != check ]; then
 	    if [ -n "$PROVIDERS" ]; then
-		if [ -n "$DEFAULT_ROUTE" ]; then
-		    ensure_and_save_command "    ip route replace default scope global $DEFAULT_ROUTE"
 		case $COMMAND in
 		    generate)
-			progress_message "   Default route $DEFAULT_ROUTE Compiled."
+			    save_command "    [ -n \"\$DEFAULT_ROUTE\" ] && ip route replace default scope global \$DEFAULT_ROUTE"
+			    save_command "    progress_message Default route \$DEFAULT_ROUTE Added"
 			    ;;
 		    *)
+			if [ -n "$DEFAULT_ROUTE" ]; then
+			    ensure_and_save_command "    ip route replace default scope global $DEFAULT_ROUTE"
 			    progress_message "   Default route $DEFAULT_ROUTE Added."
+			fi
 			;;
 		esac
-		fi
 
 		cat > /etc/iproute2/rt_tables <<EOF
 #
@@ -3856,6 +3915,20 @@ delete_tc()
 
     run_user_exit tcclear
 
+    if [ $COMMAND = generate ]; then
+	cat >> $RESTOREBASE << __EOF__
+ip link list | while read inx interface details; do
+    case \$inx in
+	[0-9]*)
+	    qt tc qdisc del dev \${interface%:} root
+	    qt tc qdisc del dev \${interface%:} ingress
+	    ;;
+	*)
+	    ;;
+    esac
+done
+__EOF__
+    else
 	run_ip link list | \
 	while read inx interface details; do
 	    case $inx in
@@ -3866,6 +3939,7 @@ delete_tc()
 		    ;;
 	    esac
 	done
+    fi
 }
 
 delete_tc1()
@@ -7641,120 +7715,6 @@ verify_os_version() {
 	startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8"
 }
 
-#
-# Add IP Aliases
-#
-add_ip_aliases()
-{
-    local addresses external interface inet cidr rest val arping=$(mywhich arping)
-
-    address_details()
-    {
-	#
-	# Folks feel uneasy if they don't see all of the same
-	# decoration on these IP addresses that they see when their
-	# distro's net config tool adds them. In an attempt to reduce
-	# the anxiety level, we have the following code which sets
-	# the VLSM and BRD from an existing address in the same networks
-	#
-	# Get all of the lines that contain inet addresses with broadcast
-	#
-	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
-	    case $cidr in
-		*/*)
-		    if in_network $external $cidr; then
-			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
-			break
-		    fi
-		    ;;
-	    esac
-	done
-    }
-
-    do_one()
-    {
-	val=$(address_details)
-
-	if [ -n "$RETAIN_ALIASES" ]; then
-	    [ "$COMMAND" = generate ] || run_ip addr add ${external}${val} dev $interface $label
-	    save_command qt ip addr add ${external}${val} dev $interface $label
-	else
-	    ensure_and_save_command ip addr add ${external}${val} dev $interface $label
-	fi
-
-	[ -n "$arping" ] && run_and_save_command qt $arping -U -c 2 -I $interface $external
-
-	echo "$external $interface" >> $STATEDIR/nat
-	[ -n "$label" ] && label="with $label"
-	progress_message "   IP Address $external added to interface $interface $label"
-    }
-
-    set -- $ALIASES_TO_ADD
-
-    save_progress_message "Restoring IP Addresses..."
-
-    while [ $# -gt 0 ]; do
-	external=$1
-	interface=$2
-	label=
-
-	if [ "$interface" != "${interface%:*}" ]; then
-	    label="${interface#*:}"
-	    interface="${interface%:*}"
-	    label="label $interface:$label"
-	fi
-
-	shift 2
-
-	if list_search $external $(find_interface_addresses $interface) ; then
-	    save_command qt ip addr add ${external}$(address_details) dev $interface $label
-	else
-	    do_one
-	fi
-    done
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules()
-{
-    save_modules_dir=$MODULESDIR
-
-    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -d $MODULESDIR ]; then
-	progress_message "Loading Modules..."
-	. $modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-save_load_kernel_modules()
-{
-
-    modules=$(find_file modules)
-
-    save_progress_message "Loading kernel modules..."
-    save_command "reload_kernel_modules <<__EOF__"
-
-    while read command; do
-	case "$command" in
-	    loadmodule*)
-		save_command $command
-		;;
-	esac
-    done < $modules
-
-    save_command __EOF__
-    save_command ""
-
-}
-
 # Verify that the 'ip' program is installed
 
 verify_ip() {
@@ -8726,9 +8686,7 @@ activate_rules()
 	#
 	# There is a fw->fw chain. Send loopback output through that chain
 	#
-	run_ip link ls | grep LOOPBACK | while read ordinal interface rest ; do
+	run_iptables -A OUTPUT -o lo -j $chain
-	    run_iptables -A OUTPUT -o ${interface%:*} -j $chain
-	done
 	#
 	# And delete the unconditional ACCEPT rule
 	#
@@ -8825,7 +8783,7 @@ define_firewall() # $1 = Command (Start or Restart)
     save_command "MODULESDIR=\"$MODULESDIR\""
     save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
 
-    save_load_kernel_modules
+    save_command "load_kernel_modules"
 
     progress_message2 "Initializing...";                    initialize_netfilter
 
@@ -9029,23 +8987,32 @@ compile_firewall() # $1 = File Name
 
     [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
 
-    echo '#bin/sh' >> $RESTOREBASE
+    cat >> $RESTOREBASE << __EOF__
-    save_command "#"
+#
-    save_command "# Compiled startup file generated by Shorewall $version - $(date)"
+# Compiled startup file generated by Shorewall $version - $(date)"
-    save_command "#"
+#
-    save_command ". /usr/share/shorewall/functions"
+. /usr/share/shorewall/functions
-
+__EOF__
     f=$(find_file params)
 
     [ -f $f ] && \
 	save_command ". $(resolve_file $f)"
+    cat >> $RESTOREBASE << __EOF__
+#
+COMMAND=restore
+[ -n \${QUIET:=0} ]
+MODULESDIR="$MODULESDIR"
+MODULE_SUFFIX="$MODULE_SUFFIX"
 
-    save_command "#"
+fatal_error()
-    save_command "COMMAND=restore"
+{
-    save_command "MODULESDIR=\"$MODULESDIR\""
+    echo "   ERROR: \$@" >&2
-    save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
+    exit 2
+}
 
-    save_load_kernel_modules
+load_kernel_modules
+
+__EOF__
 
     progress_message2 "Initializing..."
     save_progress_message "Initializing..."

Shorewall/functions

@@ -2,6 +2,14 @@
 #
 # Shorewall 3.0 -- /usr/share/shorewall/functions
 
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
@@ -314,6 +322,26 @@ reload_kernel_modules() {
 
 }
 
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules()
+{
+    save_modules_dir=$MODULESDIR
+
+    [ -z "$MODULESDIR" ] && \
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -d $MODULESDIR ]; then
+	progress_message "Loading Modules..."
+	. $modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
 #
 # Call this function to assert MUTEX with Shorewall. If you invoke the
 # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
@@ -849,6 +877,27 @@ find_interface_by_mac() {
     done
 }
 
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}
+
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
@@ -979,5 +1028,84 @@ report_capabilities() {
 
 }
 
+# Add IP Aliases
+#
+add_ip_aliases() # $1 = List of addresses
+{
+    local addresses external interface inet cidr rest val arping=$(mywhich arping)
+
+    address_details()
+    {
+	#
+	# Folks feel uneasy if they don't see all of the same
+	# decoration on these IP addresses that they see when their
+	# distro's net config tool adds them. In an attempt to reduce
+	# the anxiety level, we have the following code which sets
+	# the VLSM and BRD from an existing address in the same networks
+	#
+	# Get all of the lines that contain inet addresses with broadcast
+	#
+	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+	    case $cidr in
+		*/*)
+		    if in_network $external $cidr; then
+			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+			break
+		    fi
+		    ;;
+	    esac
+	done
+    }
+
+    do_one()
+    {
+	val=$(address_details)
+
+	ip addr add ${external}${val} dev $interface $label
+	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+	echo "$external $interface" >> $STATEDIR/nat
+	[ -n "$label" ] && label="with $label"
+	progress_message "   IP Address $external added to interface $interface $label"
+    }
+
+    progress_message "Adding IP Addresses..."
+
+    while [ $# -gt 0 ]; do
+	external=$1
+	interface=$2
+	label=
+
+	if [ "$interface" != "${interface%:*}" ]; then
+	    label="${interface#*:}"
+	    interface="${interface%:*}"
+	    label="label $interface:$label"
+	fi
+
+	shift 2
+
+	list_search $external $(find_interface_addresses $interface) || do_one
+    done
+}
+
+detect_gateway() # $1 = interface
+{
+    local interface=$1
+    #
+    # First assume that this is some sort of point-to-point interface
+    #
+    gateway=$( find_peer $(ip addr ls $interface ) )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $(ip route ls dev $interface))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
 
 SHOREWALL_LIBRARY=Loaded