mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 22:58:52 +01:00
Remove 'check' command
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@470 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
99bcc9cc39
commit
5f0d26d1b9
@ -38,8 +38,6 @@
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# and rules/policies.
|
||||
# shorewall refresh . Rebuild the common chain
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
@ -655,338 +653,6 @@ mac_match() # $1 = MAC address formated as described above
|
||||
echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`"
|
||||
}
|
||||
|
||||
#
|
||||
# validate a record from the rules file
|
||||
#
|
||||
# The caller has loaded the column contents from the record into the following
|
||||
# variables:
|
||||
#
|
||||
# target clients servers protocol ports cports address
|
||||
#
|
||||
# and has loaded a space-separated list of their values in "rule".
|
||||
#
|
||||
validate_rule() {
|
||||
#
|
||||
# Ensure that the passed comma-separated list has 15 or fewer elements
|
||||
#
|
||||
validate_list() {
|
||||
local temp="`separate_list $1`"
|
||||
|
||||
[ `echo $temp | wc -w` -le 15 ]
|
||||
}
|
||||
|
||||
#
|
||||
# validate one rule
|
||||
#
|
||||
validate_a_rule() {
|
||||
#
|
||||
# Determine the format of the client
|
||||
#
|
||||
cli=
|
||||
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address, address or subnet
|
||||
#
|
||||
cli="-s $client"
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# Assume that this is a device name
|
||||
#
|
||||
cli="-i $client"
|
||||
;;
|
||||
esac
|
||||
|
||||
dest_interface=
|
||||
|
||||
[ -n "$server" ] && case "$server" in
|
||||
-)
|
||||
serv=
|
||||
;;
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
~*)
|
||||
startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||
;;
|
||||
*)
|
||||
dest_interface="-o $server"
|
||||
serv=
|
||||
;;
|
||||
esac
|
||||
#
|
||||
# Setup PROTOCOL, PORT and STATE variables
|
||||
#
|
||||
sports=""
|
||||
dports=""
|
||||
state="-m state --state NEW"
|
||||
proto=$protocol
|
||||
addr=$address
|
||||
servport=$serverport
|
||||
|
||||
case $proto in
|
||||
tcp|udp|TCP|UDP|6|17)
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
dports="--dport $port"
|
||||
[ -n "$cport" ] && [ "x${cport}" != "x-" ] && \
|
||||
sports="--sport $cport"
|
||||
;;
|
||||
icmp|ICMP|0)
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
|
||||
state=""
|
||||
;;
|
||||
*)
|
||||
state=
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
startup_error "Port number not allowed with protocol " \
|
||||
"\"$proto\"; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
proto="${proto:+-p $proto}"
|
||||
|
||||
case "$logtarget" in
|
||||
REJECT)
|
||||
target=reject
|
||||
[ -n "$servport" ] && \
|
||||
startup_error "Server port may not be specified in a REJECT rule;"\
|
||||
"rule: \"$rule\""
|
||||
;;
|
||||
ACCEPT)
|
||||
[ -n "$servport" ] && \
|
||||
startup_error "Server port may not be specified in an ACCEPT rule;"\
|
||||
"rule: \"$rule\""
|
||||
;;
|
||||
CONTINUE)
|
||||
target=RETURN
|
||||
[ -n "$servport" ] && \
|
||||
startup_error "Server port may not be specified in a CONTINUE rule;"\
|
||||
"rule: \"$rule\""
|
||||
;;
|
||||
LOG)
|
||||
[ -n "$servport" ] && \
|
||||
startup_error "Server port may not be specified in an LOG rule;"\
|
||||
"rule: \"$rule\""
|
||||
|
||||
[ -n "$loglevel" ] || \
|
||||
startup_error "LOG target requires a log level"
|
||||
;;
|
||||
REDIRECT)
|
||||
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
|
||||
" specify a server IP; rule: \"$rule\""
|
||||
servport=${servport:=$port}
|
||||
;;
|
||||
DNAT)
|
||||
[ -n "$serv" ] || startup_error "DNAT rules require a" \
|
||||
" server address; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
|
||||
if [ -n "${serv}${servport}" ]; then
|
||||
#
|
||||
# Destination is a Specific Server or we're redirecting a port
|
||||
#
|
||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||
#
|
||||
# Must use Prerouting DNAT
|
||||
#
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
startup_error \
|
||||
"Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
startup_error "Only ACCEPT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
else
|
||||
[ -n "$addr" ] && startup_error \
|
||||
"An ADDRESS ($addr) is only allowed in" \
|
||||
" a DNAT or REDIRECT rule: \"$rule\""
|
||||
fi
|
||||
}
|
||||
#
|
||||
# V a l i d a t e _ R u l e S t a r t s H e r e
|
||||
#
|
||||
# Parse the Target and Clients columns
|
||||
#
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
loglevel=
|
||||
else
|
||||
loglevel="${target#*:}"
|
||||
target="${target%:*}"
|
||||
expandv loglevel
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
#
|
||||
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
|
||||
# an older syntax. We simply map the new syntax into the old and proceed.
|
||||
#
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
if [ "x-" = "x$servers" ]; then
|
||||
servers=$FW
|
||||
else
|
||||
servers="fw::$servers"
|
||||
fi
|
||||
;;
|
||||
ACCEPT|DROP|REJECT|LOG)
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid target; rule: \"$rule\""
|
||||
|
||||
esac
|
||||
|
||||
if [ "$clients" = "${clients%:*}" ]; then
|
||||
clientzone="$clients"
|
||||
clients=
|
||||
else
|
||||
clientzone="${clients%%:*}"
|
||||
clients="${clients#*:}"
|
||||
[ -z "$clientzone" -o -z "$clients" ] && \
|
||||
startup_error "Empty source zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
|
||||
if [ "$clientzone" = "${clientzone%\!*}" ]; then
|
||||
excludezones=
|
||||
else
|
||||
excludezones="${clientzone#*\!}"
|
||||
clientzone="${clientzone%\!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
startup_error "Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
#
|
||||
# Validate the Source Zone
|
||||
#
|
||||
if ! validate_zone $clientzone; then
|
||||
[ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
source=$clientzone
|
||||
|
||||
[ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\"
|
||||
|
||||
#
|
||||
# Parse the servers column
|
||||
#
|
||||
if [ "$servers" = "${servers%:*}" ] ; then
|
||||
serverzone="$servers"
|
||||
servers=
|
||||
serverport=
|
||||
else
|
||||
serverzone="${servers%%:*}"
|
||||
servers="${servers#*:}"
|
||||
if [ "$servers" != "${servers%:*}" ] ; then
|
||||
serverport="${servers#*:}"
|
||||
servers="${servers%:*}"
|
||||
[ -z "$serverzone" -o -z "$serverport" ] && \
|
||||
startup_error "Empty destination zone or server port: rule \"$rule\""
|
||||
else
|
||||
serverport=
|
||||
[ -z "$serverzone" -o -z "$servers" ] && \
|
||||
startup_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Validate the destination zone
|
||||
#
|
||||
if ! validate_zone $serverzone; then
|
||||
[ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
dest=$serverzone
|
||||
|
||||
chain=${source}2${dest}
|
||||
|
||||
if [ "x$chain" = x${FW}2${FW} ]; then
|
||||
case $logtarget in
|
||||
REDIRECT)
|
||||
;;
|
||||
*)
|
||||
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
|
||||
return
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
#
|
||||
# Check length of port lists if MULTIPORT set
|
||||
#
|
||||
if [ -n "$MULTIPORT" ]; then
|
||||
validate_list $ports ||
|
||||
error_message "Warning: Too many destination ports: Rule \"$rule\""
|
||||
validate_list $cports ||
|
||||
error_message "Warning: Too many source ports: Rule \"$rule\""
|
||||
fi
|
||||
|
||||
#
|
||||
# Iterate through the various lists validating individual rules
|
||||
#
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
validate_a_rule
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
echo " Rule \"$rule\" validated."
|
||||
}
|
||||
|
||||
#
|
||||
# validate the rules file
|
||||
#
|
||||
validate_rules() # $1 = name of rules file
|
||||
{
|
||||
strip_file rules
|
||||
|
||||
while read target clients servers protocol ports cports address; do
|
||||
expandv clients servers protocol ports cports address
|
||||
case "$target" in
|
||||
|
||||
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*)
|
||||
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
|
||||
validate_rule
|
||||
;;
|
||||
*)
|
||||
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
|
||||
startup_error "Invalid Target - rule \"$rule\" ignored"
|
||||
;;
|
||||
esac
|
||||
done < $TMP_DIR/rules
|
||||
}
|
||||
|
||||
#
|
||||
# validate the policy file
|
||||
#
|
||||
@ -1002,14 +668,6 @@ validate_policy()
|
||||
local loglevel
|
||||
local synparams
|
||||
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
}
|
||||
|
||||
all_policy_chains=
|
||||
|
||||
strip_file policy
|
||||
@ -1076,7 +734,6 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -1086,7 +743,6 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -1096,12 +752,10 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
else
|
||||
eval ${chain}_policychain=${chain}
|
||||
print_policy $client $server
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
@ -4091,50 +3745,6 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
rm -rf $TMP_DIR
|
||||
}
|
||||
|
||||
#
|
||||
# Check the configuration
|
||||
#
|
||||
check_config() {
|
||||
echo "Verifying Configuration..."
|
||||
|
||||
verify_os_version
|
||||
|
||||
load_kernel_modules
|
||||
|
||||
echo "Determining Zones..."
|
||||
|
||||
determine_zones
|
||||
|
||||
[ -z "$zones" ] && startup_error "No Zones Defined"
|
||||
|
||||
display_list "Zones:" $zones
|
||||
|
||||
echo "Validating interfaces file..."
|
||||
|
||||
validate_interfaces_file
|
||||
|
||||
echo "Validating hosts file..."
|
||||
|
||||
validate_hosts_file
|
||||
|
||||
echo "Determining Hosts in Zones..."
|
||||
|
||||
determine_interfaces
|
||||
determine_hosts
|
||||
|
||||
echo "Validating rules file..."
|
||||
|
||||
validate_rules
|
||||
|
||||
echo "Validating policy file..."
|
||||
|
||||
validate_policy
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
echo "Configuration Validated"
|
||||
}
|
||||
|
||||
#
|
||||
# Rebuild the common chain
|
||||
#
|
||||
@ -4864,12 +4474,6 @@ case "$command" in
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
check)
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
check_config
|
||||
;;
|
||||
|
||||
add)
|
||||
[ $# -ne 3 ] && usage
|
||||
do_initialize
|
||||
|
@ -60,8 +60,6 @@
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall show classifiers Display classifiers
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
|
||||
# it doesn't work, revert to the
|
||||
# standard one. If a timeout is supplied
|
||||
@ -84,6 +82,7 @@
|
||||
#
|
||||
# Display a chain if it exists
|
||||
#
|
||||
|
||||
showfirstchain() # $1 = name of chain
|
||||
{
|
||||
awk \
|
||||
@ -500,7 +499,6 @@ usage() # $1 = exit status
|
||||
echo " hits"
|
||||
echo " monitor [<refresh interval>]"
|
||||
echo " version"
|
||||
echo " check"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " drop <address> ..."
|
||||
@ -641,7 +639,7 @@ case `echo -n "Testing"` in
|
||||
esac
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
start|stop|restart|reset|clear|refresh)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
exec $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
|
Loading…
Reference in New Issue
Block a user