'shorewall check' now checks the nat and providers files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2594 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-30 20:29:42 +00:00
parent e949e18749
commit 6a47756293
4 changed files with 79 additions and 53 deletions


@ -8,6 +8,10 @@ Changes in 2.5.4
4) "shorewall check" now checks the proxyarp file. 4) "shorewall check" now checks the proxyarp file.
5) "shorewall check" now checks the nat file.
6) "shorewall check" now checks the providers file.
Changes in 2.5.3 Changes in 2.5.3
1) Allow exclusion lists in /etc/shorewall/tcrules. 1) Allow exclusion lists in /etc/shorewall/tcrules.


@ -1216,6 +1216,7 @@ setup_providers()
eval ${table}_number=$number eval ${table}_number=$number
if [ $COMMAND != check ]; then
run_and_save_command qt ip route flush table $number run_and_save_command qt ip route flush table $number
if [ "x${duplicate:=-}" != x- ]; then if [ "x${duplicate:=-}" != x- ]; then
@ -1226,6 +1227,7 @@ setup_providers()
copy_table copy_table
fi fi
fi fi
fi
if [ "x$gateway" = xdetect ] ; then if [ "x$gateway" = xdetect ] ; then
# #
@ -1246,16 +1248,19 @@ setup_providers()
[ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface" [ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
fi fi
if [ $COMMAND != check ]; then
ensure_and_save_command ip route replace $gateway dev $interface table $number ensure_and_save_command ip route replace $gateway dev $interface table $number
ensure_and_save_command ip route add default via $gateway dev $interface table $number ensure_and_save_command ip route add default via $gateway dev $interface table $number
fi
verify_mark $mark verify_mark $mark
eval ${table}_mark=$mark eval ${table}_mark=$mark
if [ $COMMAND != check ]; then
run_and_save_command qt ip rule del fwmark $mark run_and_save_command qt ip rule del fwmark $mark
ensure_and_save_command ip rule add fwmark $mark pref $((10000 + $mark)) table $number ensure_and_save_command ip rule add fwmark $mark pref $((10000 + $mark)) table $number
fi
loose= loose=
@ -1287,6 +1292,7 @@ setup_providers()
rulenum=0 rulenum=0
if [ $COMMAND != check ]; then
find_interface_addresses $interface | while read address; do find_interface_addresses $interface | while read address; do
run_and_save_command qt ip rule del from $address run_and_save_command qt ip rule del from $address
if [ -z "$loose" ]; then if [ -z "$loose" ]; then
@ -1295,14 +1301,19 @@ setup_providers()
ensure_and_save_command ip rule add from $address pref $pref table $number ensure_and_save_command ip rule add from $address pref $pref table $number
fi fi
done done
fi
} }
strip_file providers $1 strip_file providers $1
if [ -s $TMP_DIR/providers ]; then if [ -s $TMP_DIR/providers ]; then
if [ $COMMAND != check ]; then
echo "Processing $1..." echo "Processing $1..."
save_progress_message "Restoring Providers..." save_progress_message "Restoring Providers..."
else
echo "Validating $1..."
fi
while read table number mark duplicate interface gateway options copy; do while read table number mark duplicate interface gateway options copy; do
expandv table number mark duplicate interface gateway options copy expandv table number mark duplicate interface gateway options copy
@ -1312,6 +1323,7 @@ setup_providers()
progress_message " Provider $provider Added" progress_message " Provider $provider Added"
done < $TMP_DIR/providers done < $TMP_DIR/providers
if [ $COMMAND != check ]; then
if [ -n "$PROVIDERS" ]; then if [ -n "$PROVIDERS" ]; then
if [ -n "$DEFAULT_ROUTE" ]; then if [ -n "$DEFAULT_ROUTE" ]; then
ensure_and_save_command ip route replace default scope global $DEFAULT_ROUTE ensure_and_save_command ip route replace default scope global $DEFAULT_ROUTE
@ -1344,6 +1356,7 @@ EOF
ensure_and_save_command ip route flush cache ensure_and_save_command ip route flush cache
fi fi
fi
} }
# #
@ -2878,6 +2891,7 @@ setup_nat() {
validate_one allints "ALL INTERFACES" $allints validate_one allints "ALL INTERFACES" $allints
validate_one localnat "LOCAL" $localnat validate_one localnat "LOCAL" $localnat
if [ $COMMAND != check ]; then
if [ -n "$allints" ]; then if [ -n "$allints" ]; then
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
@ -2888,6 +2902,7 @@ setup_nat() {
[ -n "$localnat" ] && \ [ -n "$localnat" ] && \
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
fi
if [ -n "$add_ip_aliases" ]; then if [ -n "$add_ip_aliases" ]; then
list_search $external $ALIASES_TO_ADD || \ list_search $external $ALIASES_TO_ADD || \
@ -2897,14 +2912,14 @@ setup_nat() {
# #
# At this point, we're just interested in the network translation # At this point, we're just interested in the network translation
# #
> /var/lib/shorewall/nat [ $COMMAND = check ] || > /var/lib/shorewall/nat
if [ -n "$POLICY_MATCH" ]; then if [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in" policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out" policyout="-m policy --pol none --dir out"
fi fi
[ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..." [ -n "$RETAIN_ALIASES" -o $COMMAND = check ] || save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
@ -3670,12 +3685,18 @@ check_config() {
validate_policy validate_policy
setup_providers $(find_file providers)
validate_blacklist validate_blacklist
echo "Validating Proxy ARP" echo "Validating Proxy ARP"
strip_file proxyarp strip_file proxyarp
setup_proxy_arp setup_proxy_arp
echo "Validating NAT..."
strip_file nat
setup_nat
echo "Pre-validating Actions..." echo "Pre-validating Actions..."
process_actions1 process_actions1
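Review bot: The rewritten test on the last changed line of the `@ -2897` hunk, `[ -n "$RETAIN_ALIASES" -o $COMMAND = check ]`, combines the deprecated `-o` operator with an unquoted `$COMMAND`; splitting it into `[ -n "$RETAIN_ALIASES" ] || [ "$COMMAND" = check ] || save_progress_message "Restoring one-to-one NAT..."` is unambiguous and still works when COMMAND is empty. The same unquoted `[ $COMMAND != check ]` guard is repeated in every other new hunk of this file (setup_providers at -1216, -1246, -1287, -1295 and -1312, setup_nat at -2878); COMMAND is presumably always set by the caller before these functions run, but quoting it costs nothing and keeps an unset value from turning the check path into a `[` syntax error instead of a clean validation result. In the -1246 hunk, gateway detection for `detect` entries and its fatal_error on failure remain outside the new guard, so `shorewall check <configuration-directory>` appears to validate providers against the live host's interfaces rather than the configuration alone; a comment such as `# detect: still probes the running system under 'check'` at that point would make the dependency visible to the next reader. setup_providers and setup_nat both begin and end outside the visible hunks.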


@ -74,9 +74,9 @@ allow)
check) check)
echo "check: check [ <configuration-directory> ] echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts, Performs a cursory validation of the zones, interfaces, hosts,
rules, policy, masq, blacklist and proxyarp files. Use this if you are rules, policy, masq, blacklist, proxyarp, nat and provider files. Use this
unsure of any edits you have made to the shorewall configuration. See the if you are unsure of any edits you have made to the shorewall configuration.
try command examples for a recommended way to make changes." See the try command examples for a recommended way to make changes."
;; ;;
clear) clear)


@ -30,7 +30,8 @@ New Features in Shorewall 2.5.4
Now, $1 = these, $2 = are and $3 = parameters Now, $1 = these, $2 = are and $3 = parameters
2) The "shorewall check" command now checks the /etc/shorewall/masq, 2) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist and /etc/shorewall/proxyarp files. /etc/shorewall/blacklist, /etc/shorewall/proxyarp files,
/etc/shorewall/nat and /etc/shorewall/providers.
Problems Corrected in 2.5.3: Problems Corrected in 2.5.3: