Enhance status IP/routing output

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1490 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-22 21:48:39 +01:00 · 2004-07-21 18:57:45 +00:00 · 2004-07-21 18:57:45 +00:00 · 5fa329c658
commit 5fa329c658
parent d49f474ff5
6 changed files with 98 additions and 19 deletions
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@ -38,3 +38,5 @@ Changes in 2.0.7
   status".
 2) Consult PKTTYPE when generating 'REJECT' rules.
 3) Enhance IP/Routing output in "shorewall status".
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@ -41,16 +41,72 @@ Problems Corrected in version 2.0.6
 -----------------------------------------------------------------------
 Problems Corrected in version 2.0.7
-1) To improve supportability, the "shorewall status" command now
+1) The PKTTYPE option introduced in version 2.0.6 is now used when
   includes the output from "ip rule ls", "ip route ls" and 
   "ip addr ls".
 2) The PKTTYPE option introduced in version 2.0.6 is now used when
   generating rules to REJECT packets. Broadcast packets are silently
   dropped rather than being rejected with an ICMP (which is a protocol
   violation) and users whose kernels have broken packet type match
   support are likely to see messages reporting this violation.
   Setting PKTTYPE=No should cause these messages to cease. 
 New Features in version 2.0.7
 1) To improve supportability, the "shorewall status" command now
   includes IP and Route configuration information.
   Example:
   IP Configuration
   1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
      inet6 ::1/128 scope host
   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
      inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
   5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
      link/sit 0.0.0.0 brd 0.0.0.0
   6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
      link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
      inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
      inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   Routing Rules
   0:      from all lookup local	
   32765:  from all fwmark       ca lookup www.out
   32766:  from all lookup main
   32767:  from all lookup default
   Table local:
   broadcast 192.168.1.0 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
   local 192.168.1.3 dev br0  proto kernel  scope host  src 192.168.1.3
   broadcast 192.168.1.255 dev br0  proto kernel  scope link  src 192.168.1.3
   broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
   local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
   local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
   Table www.out:
   default via 192.168.1.3 dev br0
   Table main:
   192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.3
   default via 192.168.1.254 dev br0
   Table default:
--- a/STABLE2/shorewall
+++ b/STABLE2/shorewall
@ -886,11 +886,16 @@ case "$1" in
 	echo
 	ip addr ls
 	echo
-	echo "Routing"
+	echo "Routing Rules"
 	echo
 	ip rule ls
-	echo
+	ip rule ls | while read rule; do
-	ip route ls
+	    table=${rule##* }
 	    echo
 	    echo "Table $table:"
 	    echo
 	    ip route ls table $table
 	done
 	;;
    hits)
    	[ -n "$debugging" ] && set -x
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -31,3 +31,5 @@ Changes since 2.0.3
 9) Fix syntax error in setup_nat()
       firewall
 10) Port "shorewall status" changes from 2.0.7.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -4979,6 +4979,13 @@ initialize_netfilter () {
 add_common_rules() {
    local savelogparms="$LOGPARMS"
    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
    drop_broadcasts() {
 	for address in $broadcasts ; do
 	    run_iptables -A reject -d $address -j DROP
 	done
    }
    #
    # Populate the smurf chain
    #
@ -4989,14 +4996,16 @@ add_common_rules() {
    #
    # Reject Rules -- Don't respond to broadcasts with an ICMP
    #
-    qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+    if [ -n "$PKTTYPE" ]; then
-    if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+	qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
-	#
+	if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
-	# No pkttype support -- do it the hard way
+            #
-	#
+	    # No pkttype support -- do it the hard way
-	for address in $broadcasts ; do
+	    #
-	    run_iptables -A reject -d $address -j DROP
+	    drop_broadcasts
-	done
+	fi
    else
 	drop_broadcasts
    fi
    #
    # Don't feed the smurfs
--- a/Shorewall2/shorewall
+++ b/Shorewall2/shorewall
@ -886,11 +886,16 @@ case "$1" in
 	echo
 	ip addr ls
 	echo
-	echo "Routing"
+	echo "Routing Rules"
 	echo
 	ip rule ls
-	echo
+	ip rule ls | while read rule; do
-	ip route ls
+	    table=${rule##* }
 	    echo
 	    echo "Table $table:"
 	    echo
 	    ip route ls table $table
 	done
 	;;
    hits)
    	[ -n "$debugging" ] && set -x