extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-26 01:23:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Commit after first successful compilation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-09 21:55:39 +00:00
parent 3cf44b9640
commit 5834b574f2
15 changed files with 467 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall-perl/Shorewall/Chains.pm
View File

@ -960,15 +960,10 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
for my $chain qw(OUTPUT PREROUTING) {
@ -1990,6 +1985,8 @@ sub expand_rule( $$$$$$$$$$$ )
} elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ ) {
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /:/ ) {
$inets = $source;
} elsif ( $source =~ /\+|~|\..*\./ ) {
$inets = $source;
} else {
@ -2071,6 +2068,8 @@ sub expand_rule( $$$$$$$$$$$ )
} elsif ( $dest =~ /^(.+?):\[(.+)\]\s+$/ ) {
$diface = $1;
$dnets = $2;
} elsif ( $dest =~ /:/ ) {
$dnets = $dest;
} elsif ( $dest =~ /\+|~|\..*\./ ) {
$dnets = $dest;
} else {

233
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -71,6 +71,7 @@ sub reinitialize() {
Shorewall::Accounting::initialize;
Shorewall::Rules::initialize($family);
Shorewall::Proxyarp::initialize;
Shorewall::IPAddrs::initialize($family);
}
#
@ -162,18 +163,33 @@ sub generate_script_1() {
''
);
if ( $config{IPTABLES} ) {
emit( qq(IPTABLES="$config{IPTABLES}"),
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
);
} else {
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
);
}
if ( $family == F_IPV4 ) {
if ( $config{IPTABLES} ) {
emit( qq(IPTABLES="$config{IPTABLES}"),
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
);
} else {
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
);
}
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
} else {
if ( $config{IP6TABLES} ) {
emit( qq(IP6TABLES="$config{IP6TABLES}"),
'[ -x "$I6PTABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"',
);
} else {
emit( '[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich iptables) # /sbin/shorewall6 exports IP6TABLES',
'[ -n "$IP6TABLES" -a -x "$IP6TABLES" ] || startup_error "Can\'t find ip6tables executable"'
);
}
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
}
append_file 'params' if $config{EXPORTPARAMS};
@ -186,17 +202,31 @@ sub generate_script_1() {
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
);
emit ( '',
'#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IPTABLES -N foox1234',
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IPTABLES -F foox1234',
'qt1 $IPTABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
'' );
if ( $family == F_IPV4 ) {
emit ( '',
'#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IPTABLES -N foox1234',
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IPTABLES -F foox1234',
'qt1 $IPTABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
'' );
} else {
emit ( '',
'#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IP6TABLES -N foox1234',
'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IP6TABLES -F foox1234',
'qt1 $IP6TABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall6 will run on this system"',
'' );
}
pop_indent;
@ -213,7 +243,15 @@ sub compile_stop_firewall() {
stop_firewall() {
deletechain() {
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
EOF
if ( $family == F_IPV4 ) {
emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1';
} else {
emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1';
}
emit <<'EOF';
}
deleteallchains() {
@ -324,9 +362,15 @@ EOF
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
EOF
if ( $family == F_IPV4 ) {
emit ' qt1 $IPTABLES -t raw -P $chain ACCEPT';
} else {
emit ' qt1 $IP6TABLES -t raw -P $chain ACCEPT';
}
emit ' done';
}
if ( $capabilities{NAT_ENABLED} ) {
@ -338,7 +382,8 @@ EOF
EOF
}
emit <<'EOF';
if ( $family == F_IPV4 ) {
emit <<'EOF';
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
@ -350,6 +395,7 @@ EOF
rm -f ${VARDIR}/proxyarp
EOF
}
push_indent;
@ -446,26 +492,34 @@ EOF
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
my $interfaces = find_interfaces_by_option 'dhcp';
if ( $family == F_IPV4 ) {
my $interfaces = find_interfaces_by_option 'dhcp';
for my $interface ( @$interfaces ) {
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
#
# This might be a bridge
#
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
for my $interface ( @$interfaces ) {
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
#
# This might be a bridge
#
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
}
} else {
for my $interface ( all_bridges ) {
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
}
}
emit '';
if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
'progress_message2 IP Forwarding Enabled' );
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
'progress_message2 IP Forwarding Disabled!'
);
if ( $family == F_IPV4 ) {
if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
'progress_message2 IP Forwarding Enabled' );
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
'progress_message2 IP Forwarding Disabled!'
);
}
}
emit 'run_stopped_exit';
@ -556,38 +610,49 @@ sub generate_script_2 () {
emit '';
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' if in_network $addr $network; then',
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
' fi',
' done',
"fi\n" );
}
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
'',
'delete_proxyarp',
''
);
if ( $capabilities{NAT_ENABLED} ) {
emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do',
' del_ip_addr $external $interface',
' done < ${VARDIR}/nat',
if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' if in_network $addr $network; then',
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
' fi',
' done',
"fi\n" );
}
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
' rm -f ${VARDIR}/nat',
"fi\n" );
}
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
'',
'delete_proxyarp',
''
);
emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
if ( $capabilities{NAT_ENABLED} ) {
emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do',
' del_ip_addr $external $interface',
' done < ${VARDIR}/nat',
'',
' rm -f ${VARDIR}/nat',
"fi\n" );
}
emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
''
);
emit "delete_tc1\n" if $config{CLEAR_TC};
}
pop_indent;
@ -643,7 +708,11 @@ sub generate_script_3($) {
emit "}\n";
progress_message2 "Creating iptables-restore input...";
if ( $family == F_IPV4 ) {
progress_message2 "Creating iptables-restore input...";
} else {
progress_message2 "Creating ip6tables-restore input...";
}
create_netfilter_load;
create_chainlist_reload( $_[0] );
@ -669,7 +738,7 @@ if [ $COMMAND = restore ]; then
fi
EOF
pop_indent;
setup_forwarding;
setup_forwarding( $family );
push_indent;
emit<<'EOF';
set_state "Started"
@ -677,7 +746,7 @@ else
if [ $COMMAND = refresh ]; then
chainlist_reload
EOF
setup_forwarding;
setup_forwarding( $family );
emit<<'EOF';
run_refreshed_exit
do_iptables -N shorewall
@ -687,7 +756,7 @@ EOF
restore_dynamic_rules
conditionally_flush_conntrack
EOF
setup_forwarding;
setup_forwarding( $family );
emit<<'EOF';
run_start_exit
do_iptables -N shorewall
@ -720,7 +789,13 @@ EOF
emit "}\n";
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
unless ( $test ) {
if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.footer';
} else {
copy $globals{SHAREDIRPL} . 'prog.footer6';
}
}
}
#
@ -926,7 +1001,11 @@ sub compiler {
generate_matrix;
if ( $command eq 'check' ) {
progress_message3 "Shorewall configuration verified";
if ( $family == F_IPV4 ) {
progress_message3 "Shorewall configuration verified";
} else {
progress_message3 "Shorewall6 configuration verified";
}
} else {
#
# Finish the script.

42
Shorewall-perl/Shorewall/Config.pm
View File

@ -469,7 +469,7 @@ sub initialize( $ ) {
MODULE_SUFFIX => undef,
MACLIST_TABLE => undef,
MACLIST_TTL => undef,
MAPOLDACTIONS => 'Yes',
MAPOLDACTIONS => '',
FASTACCEPT => undef,
IMPLICIT_CONTINUE => undef,
HIGH_ROUTE_MARKS => undef,
@ -1677,14 +1677,19 @@ sub determine_capabilities( $ ) {
my $pid = $$;
my $sillyname = "fooX$pid";
my $sillyname1 = "foo1X$pid";
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" );
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
qt1( "$iptables -N $sillyname" );
qt1( "$iptables -N $sillyname1" );
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
if ( $family == F_IPV4 ) {
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
} else {
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
}
if ( $capabilities{CONNTRACK_MATCH} ) {
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
@ -1707,10 +1712,19 @@ sub determine_capabilities( $ ) {
}
}
if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
$capabilities{IPRANGE_MATCH} = 1;
unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
if ( $family == F_IPV4 ) {
if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
$capabilities{IPRANGE_MATCH} = 1;
unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
}
}
} else {
if ( qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" ) ) {
$capabilities{IPRANGE_MATCH} = 1;
unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
}
}
}
@ -1994,7 +2008,13 @@ sub get_configuration( $ ) {
check_trivalue ( 'IP_FORWARDING', 'on' );
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
check_trivalue ( 'LOG_MARTIANS', 'on' ); fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on' && $family == F_IPV6;
if ( $family == F_IPV4 ) {
check_trivalue ( 'LOG_MARTIANS', 'on' );
} else {
check_trivalue ( 'LOG_MARTIANS', 'ff' );
fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
}
default 'STARTUP_LOG' , '';
@ -2338,7 +2358,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option;
}

1
Shorewall-perl/Shorewall/IPAddrs.pm
View File

@ -69,6 +69,7 @@ our @EXPORT = qw( ALLIPv4
validate_portpair
validate_port_list
validate_icmp
validate_icmp6
);
our @EXPORT_OK = qw( );
our $VERSION = 4.3.0;

46
Shorewall-perl/Shorewall/Proc.pm
View File

@ -197,16 +197,44 @@ sub setup_source_routing() {
}
}
sub setup_forwarding() {
if ( $config{IP_FORWARDING} eq 'on' ) {
emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
emit ' progress_message2 IP Forwarding Enabled';
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
emit ' progress_message2 IP Forwarding Disabled!';
}
sub setup_forwarding( $ ) {
my $family = shift;
emit '';
if ( $family == F_IPV4 ) {
if ( $config{IP_FORWARDING} eq 'on' ) {
emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
emit ' progress_message2 IP Forwarding Enabled';
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
emit ' progress_message2 IP Forwarding Disabled!';
emit '';
}
} else {
my $interfaces = find_interfaces_by_option 'forward';
if ( @$interfaces ) {
progress_message2 "$doing Interface forwarding...";
push_indent;
push_indent;
save_progress_message 'Setting up IPv6 Interface Forwarding...';
for my $interface ( @$interfaces ) {
my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
my $value = get_interface_option $interface, 'forward';
emit ( "if [ -f $file ]; then" ,
" echo $value > $file" );
emit ( 'else' ,
" error_message \"WARNING: Cannot set IPv4 forwarding on $interface\"" ) unless interface_is_optional( $interface);
emit "fi\n";
}
pop_indent;
pop_indent;
}
}
}
1;

2
Shorewall-perl/Shorewall/Rules.pm
View File

@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
setup_mss
);
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = 4.1.5;
our $VERSION = 4.3.0;
#
# Set to one if we find a SECTION

14
Shorewall-perl/Shorewall/Zones.pm
View File

@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
single_interface
validate_interfaces_file
all_interfaces
all_bridges
interface_number
find_interface
known_interface
@ -618,7 +619,7 @@ sub validate_interfaces_file( $ )
} else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION,
@ -864,6 +865,13 @@ sub all_interfaces() {
@interfaces;
}
#
# Return a list of bridges
#
sub all_bridges() {
grep ( $interfaces{$_}{options}{bridge} , @interfaces );
}
#
# Return a reference to the interfaces table entry for an interface
#
@ -966,13 +974,9 @@ sub validate_hosts_file()
} else {
%validoptions = (
blacklist => 1,
maclist => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
}

200
Shorewall-perl/prog.footer6 Normal file
View File

@ -0,0 +1,200 @@
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift
elif [ "x$1" = "xdebug" ]; then
DEBUG=Yes
shift
fi
fi
initialize
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
v*)
VERBOSE=$(($VERBOSE + 1 ))
option=${option#v}
;;
q*)
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
n*)
NOROUTES=Yes
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
COMMAND="$1"
[ -n "${PRODUCT:=Shorewall6}" ]
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
;;
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if ! shorewall6_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
$IP6TABLES -Z
$IP6TABLES -t mangle -Z
date > ${VARDIR}/restarted
status=0
progress_message3 "$PRODUCT Counters Reset"
else
shift
status=0
for chain in $@; do
if chain_exists $chain; then
if qt $IP6TABLES -Z $chain; then
progress_message3 "Filter $chain Counters Reset"
else
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
else
error_message "WARNING: Filter Chain $chain does not exist"
fi
done
fi
;;
restart)
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
progress_message3 "Restarting $PRODUCT...."
else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
else
echo "$PRODUCT is not running" >&2
status=2
fi
;;
restore)
[ $# -ne 1 ] && usage 2
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
status)
[ $# -ne 1 ] && usage 2
echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
echo
if shorewall6_is_started; then
echo "$PRODUCT is running"
status=0
else
echo "$PRODUCT is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
echo "State:$state"
echo
;;
version)
[ $# -ne 1 ] && usage 2
echo $VERSION
status=0
;;
help)
[ $# -ne 1 ] && usage 2
usage 0
;;
*)
usage 2
;;
esac
exit $status

28
Shorewall-perl/prog.functions6
View File

@ -110,7 +110,7 @@ do_iptables()
local status
while [ 1 ]; do
$IPTABLES $@
$IP6TABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
@ -180,32 +180,32 @@ debug_restore_input() {
#
# Clear the ruleset
#
qt1 $IPTABLES -t mangle -F
qt1 $IPTABLES -t mangle -X
qt1 $IP6TABLES -t mangle -F
qt1 $IP6TABLES -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IPTABLES -t mangle -P $chain ACCEPT
qt1 $IP6TABLES -t mangle -P $chain ACCEPT
done
qt1 $IPTABLES -t raw -F
qt1 $IPTABLES -t raw -X
qt1 $IP6TABLES -t raw -F
qt1 $IP6TABLES -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
qt1 $IP6TABLES -t nat -P $chain ACCEPT
done
qt1 $IPTABLES -t filter -F
qt1 $IPTABLES -t filter -X
qt1 $IP6TABLES -t filter -F
qt1 $IP6TABLES -t filter -X
for chain in INPUT FORWARD OUTPUT; do
qt1 $IPTABLES -t filter -P $chain -P ACCEPT
qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
done
while read first second rest; do
@ -214,10 +214,10 @@ debug_restore_input() {
#
# We can't call run_iptables() here because the rules may contain quoted strings
#
eval $IPTABLES -t $table $first $second $rest
eval $IP6TABLES -t $table $first $second $rest
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
@ -232,7 +232,7 @@ debug_restore_input() {
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi

105
Shorewall-perl/prog.header6
View File

@ -131,7 +131,7 @@ qt1()
#
# Determine if Shorewall is "running"
#
shorewall_is_started() {
shorewall6_is_started() {
qt1 $IP6TABLES -L shorewall -n
}
@ -562,82 +562,6 @@ INCLUDE() {
. $(find_file $(expand $@))
}
#
# Delete IP address
#
del_ip_addr() # $1 = address, $2 = interface
{
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
}
# Add IP Aliases
#
add_ip_aliases() # $* = List of addresses
{
local local
local addresses
local external
local interface
local inet
local cidr
local rest
local val
local arping
arping=$(mywhich arping)
address_details()
{
#
# Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets
# the VLSM and BRD from an existing address in the same networks
#
# Get all of the lines that contain inet addresses with broadcast
#
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
case $cidr in
*/*)
if in_network $external $cidr; then
echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
break
fi
;;
esac
done
}
do_one()
{
val=$(address_details)
ip addr add ${external}${val} dev $interface $label
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
echo "$external $interface" >> $VARDIR/nat
[ -n "$label" ] && label="with $label"
progress_message " IP Address $external added to interface $interface $label"
}
progress_message "Adding IP Addresses..."
while [ $# -gt 0 ]; do
external=$1
interface=$2
label=
if [ "$interface" != "${interface%:*}" ]; then
label="${interface#*:}"
interface="${interface%:*}"
label="label $interface:$label"
fi
shift 2
list_search $external $(find_interface_addresses $interface) || do_one
done
}
detect_gateway() # $1 = interface
{
local interface
@ -660,33 +584,6 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway
}
#
# Disable IPV6
#
disable_ipv6() {
local foo
foo="$(ip -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -F
ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#
truncate() # $1 = length
{
cut -b -${1}

7
Shorewall6/action.Drop
View File

@ -24,13 +24,9 @@
#
Auth/REJECT
#
# Don't log broadcasts
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - ipv6-icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
@ -40,7 +36,6 @@ dropInvalid
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB/DROP
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#

8
Shorewall6/action.Reject
View File

@ -20,14 +20,9 @@
#
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - ipv6-icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
@ -38,7 +33,6 @@ dropInvalid
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB/REJECT
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#

2
Shorewall6/lib.base
View File

@ -696,7 +696,7 @@ set_state () # $1 = state
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
NEW_CONNTRACK_MATCH=

7
Shorewall6/macro.AllowICMPs
View File

@ -11,6 +11,9 @@
COMMENT Needed ICMP types
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
ACCEPT - - ipv6-icmp packet-too-big
ACCEPT - - ipv6-icmp time-exceeded
ACCEPT - - ipv6-icmp router-solicitation
ACCEPT - - ipv6-icmp neighbour-solicitation
ACCEPT - - ipv6-icmp neighbour-advertisement
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall6/macro.Ping
View File

@ -1,12 +1,12 @@
#
# Shorewall version 4 - Ping Macro
# Shorewall6 version 4 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
# /usr/share/shorewall6/macro.Ping
#
# This macro handles 'ping' requests.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - icmp 8
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - ipv6-icmp 128
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE