extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-11 08:08:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move all functions from prog.footer to prog.header; minor tweaks elsewhere

Browse Source
This commit is contained in:
Tom Eastep 2009-10-18 08:47:20 -07:00
parent 0a74320bc2
commit 65e4a5ff66
4 changed files with 292 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -90,14 +90,23 @@ sub generate_script_1() {
}
}
my $lib = find_file 'lib.private';
if ( -f $lib ) {
emit <<'EOF';
################################################################################
# Functions imported from lib.private
################################################################################
EOF
copy1 $lib;
}
emit <<'EOF';
################################################################################
# Functions to execute the various user exits (extension scripts)
################################################################################
EOF
my $lib = find_file 'lib.private';
copy1 $lib, emit "\n" if -f $lib;
for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
emit "\nrun_${exit}_exit() {";

8
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1680,7 +1680,7 @@ sub generate_matrix() {
# Special processing for complex configurations
#
for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex};
@ -1893,7 +1893,6 @@ sub generate_matrix() {
if ( $config{OPTIMIZE} > 0 ) {
my @temp_zones;
ZONE1:
for my $zone1 ( @zones ) {
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
@ -1943,7 +1942,6 @@ sub generate_matrix() {
# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
# @dest_zones is the list of destination zones that we need to handle from this source zone
#
ZONE1:
for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
@ -1957,11 +1955,11 @@ sub generate_matrix() {
my $num_ifaces = 0;
if ( $zone eq $zone1 ) {
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
}
if ( $zone1ref->{type} == BPORT ) {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
next unless $zoneref->{bridge} eq $zone1ref->{bridge};
}
my $chainref = $filter_table->{$chain};

277
Shorewall/Perl/prog.footer
View File

@ -1,283 +1,6 @@
###############################################################################
# Code imported from /usr/share/shorewall/prog.footer
###############################################################################
#
# Clear Proxy Arp
#
delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
fi
rm -f ${VARDIR}/proxyarp
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if [ -x $IPTABLES ]; then
$IP6TABLES -P INPUT ACCEPT 2> /dev/null
$IP6TABLES -P OUTPUT ACCEPT 2> /dev/null
$IP6TABLES -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared"
}
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -4 $@; then
error_message "ERROR: Command \"$IP -4 $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Restore the rules generated by 'drop','reject','logdrop', etc.
#
restore_dynamic_rules() {
if [ -f ${VARDIR}/save ]; then
progress_message2 "Setting up dynamic rules..."
rangematch='source IP range'
while read target ignore1 ignore2 address ignore3 rest; do
case $target in
DROP|reject|logdrop|logreject)
case $rest in
$rangematch*)
run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
;;
*)
if [ -z "$rest" ]; then
run_iptables -A dynamic -s $address -j $target
else
error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
fi
;;
esac
;;
esac
done < ${VARDIR}/save
fi
}
#
# Get a list of all configured broadcast addresses on the system
#
get_all_bcasts()
{
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
# Run the .iptables_restore_input as a set of discrete iptables commands
#
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
#
qt1 $IPTABLES -t mangle -F
qt1 $IPTABLES -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IPTABLES -t mangle -P $chain ACCEPT
done
qt1 $IPTABLES -t raw -F
qt1 $IPTABLES -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
done
qt1 $IPTABLES -t filter -F
qt1 $IPTABLES -t filter -X
for chain in INPUT FORWARD OUTPUT; do
qt1 $IPTABLES -t filter -P $chain -P ACCEPT
done
while read first second rest; do
case $first in
-*)
#
# We can't call run_iptables() here because the rules may contain quoted strings
#
eval $IPTABLES -t $table $first $second $rest
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
:*)
chain=${first#:}
if [ "x$second" = x- ]; then
do_iptables -t $table -N $chain
else
do_iptables -t $table -P $chain $second
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
#
# This grotesque hack with the table names works around a bug/feature with ash
#
'*'raw)
table=raw
;;
'*'mangle)
table=mangle
;;
'*'nat)
table=nat
;;
'*'filter)
table=filter
;;
esac
done
}
#
# Give Usage Information
#

277
Shorewall/Perl/prog.header
View File

@ -1071,6 +1071,283 @@ conditionally_flush_conntrack() {
fi
}
#
# Clear Proxy Arp
#
delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
fi
rm -f ${VARDIR}/proxyarp
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if [ -x $IPTABLES ]; then
$IP6TABLES -P INPUT ACCEPT 2> /dev/null
$IP6TABLES -P OUTPUT ACCEPT 2> /dev/null
$IP6TABLES -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared"
}
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$IPTABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -4 $@; then
error_message "ERROR: Command \"$IP -4 $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Restore the rules generated by 'drop','reject','logdrop', etc.
#
restore_dynamic_rules() {
if [ -f ${VARDIR}/save ]; then
progress_message2 "Setting up dynamic rules..."
rangematch='source IP range'
while read target ignore1 ignore2 address ignore3 rest; do
case $target in
DROP|reject|logdrop|logreject)
case $rest in
$rangematch*)
run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
;;
*)
if [ -z "$rest" ]; then
run_iptables -A dynamic -s $address -j $target
else
error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
fi
;;
esac
;;
esac
done < ${VARDIR}/save
fi
}
#
# Get a list of all configured broadcast addresses on the system
#
get_all_bcasts()
{
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
# Run the .iptables_restore_input as a set of discrete iptables commands
#
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
#
qt1 $IPTABLES -t mangle -F
qt1 $IPTABLES -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IPTABLES -t mangle -P $chain ACCEPT
done
qt1 $IPTABLES -t raw -F
qt1 $IPTABLES -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
done
qt1 $IPTABLES -t filter -F
qt1 $IPTABLES -t filter -X
for chain in INPUT FORWARD OUTPUT; do
qt1 $IPTABLES -t filter -P $chain -P ACCEPT
done
while read first second rest; do
case $first in
-*)
#
# We can't call run_iptables() here because the rules may contain quoted strings
#
eval $IPTABLES -t $table $first $second $rest
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
:*)
chain=${first#:}
if [ "x$second" = x- ]; then
do_iptables -t $table -N $chain
else
do_iptables -t $table -P $chain $second
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
#
# This grotesque hack with the table names works around a bug/feature with ash
#
'*'raw)
table=raw
;;
'*'mangle)
table=mangle
;;
'*'nat)
table=nat
;;
'*'filter)
table=filter
;;
esac
done
}
################################################################################
# End of functions in /usr/share/shorewall/prog.header
################################################################################