Make prog.header even smaller

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-07-02 23:52:49 +00:00
parent 079915544c
commit 6bfe25e0e8
3 changed files with 192 additions and 182 deletions


@ -275,33 +275,43 @@ stop_firewall() {
deletechain shorewall
determine_capabilities
run_stop_exit;
if [ -n "$MANGLE_ENABLED" ]; then
EOF
if ( $capabilities{MANGLE_ENABLED} ) {
emit <<'EOF';
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
EOF
}
if ( $capabilities{RAW_TABLE} ) {
emit <<'EOF';
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
fi
if [ -n "$NAT_ENABLED" ]; then
EOF
}
if ( $capabilities{NAT_ENABLED} ) {
emit <<'EOF';
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
fi
EOF
}
emit <<'EOF';
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
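Review bot: The emitted stop path still contains the context line `determine_capabilities` (just before `run_stop_exit;`) while the prog.header section of this same commit deletes the shell definition of `determine_capabilities`, so the generated script will only stop cleanly if that function is still provided at run time by some other sourced library (lib.base, presumably) — worth confirming, or dropping the emitted call now that the table checks are decided at compile time. A consequence of moving the guards from `[ -n "$MANGLE_ENABLED" ]` to `$capabilities{MANGLE_ENABLED}` (and likewise RAW_TABLE, NAT_ENABLED) is that the mangle/raw/nat flush at stop now reflects the capabilities of the host the script was compiled on rather than the kernel it runs against; a script compiled where a table was absent and later run where it exists will leave that table untouched on stop, and the reverse case will run `run_iptables` against a table that is not there. A short comment above the first `if ( $capabilities{MANGLE_ENABLED} )` would make that trade-off explicit for the next maintainer: `# Table teardown is gated on compile-time capabilities; a mismatch with the runtime kernel means that table is left alone (or the flush fails) at stop.` stop_firewall's body starts and ends outside the hunk.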


@ -1,15 +1,15 @@
--- ../Shorewall-common/lib.base 2007-07-02 15:50:32.000000000 -0700
+++ prog.header 2007-07-02 16:27:59.000000000 -0700
+++ prog.header 2007-07-02 16:50:14.000000000 -0700
@@ -1,48 +1,29 @@
#!/bin/sh
#
-# Shorewall 4.0 -- /usr/share/shorewall/lib.base
+# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4
+# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.0
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
-# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+# (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
#
-# Complete documentation is available at http://shorewall.net
#
@ -291,10 +291,163 @@
# Set the Shorewall state
#
set_state () # $1 = state
@@ -1127,46 +920,6 @@
@@ -974,200 +767,6 @@
}
#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
- CONNTRACK_MATCH=
- MULTIPORT=
- XMULTIPORT=
- POLICY_MATCH=
- PHYSDEV_MATCH=
- IPRANGE_MATCH=
- RECENT_MATCH=
- OWNER_MATCH=
- IPSET_MATCH=
- CONNMARK=
- XCONNMARK=
- CONNMARK_MATCH=
- XCONNMARK_MATCH=
- RAW_TABLE=
- IPP2P_MATCH=
- LENGTH_MATCH=
- CLASSIFY_TARGET=
- ENHANCED_REJECT=
- USEPKTTYPE=
- KLUDGEFREE=
- MARK=
- XMARK=
- MANGLE_FORWARD=
- COMMENTS=
- ADDRTYPE=
- TCPMSS_MATCH=
-
- qt $IPTABLES -N fooX1234
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
- PHYSDEV_MATCH=Yes
- fi
-
- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
- IPRANGE_MATCH=Yes
- if [ -z "${KLUDGEFREE}" ]; then
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
- CONNMARK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
- fi
-
- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
- if [ -n "$MANGLE_ENABLED" ]; then
- qt $IPTABLES -t mangle -N fooX1234
-
- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
- MARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
- fi
-
- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
- CONNMARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
- fi
-
- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
- qt $IPTABLES -t mangle -F fooX1234
- qt $IPTABLES -t mangle -X fooX1234
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
- fi
-
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
-
- if qt mywhich ipset; then
- qt ipset -X fooX1234 # Just in case something went wrong the last time
-
- if qt ipset -N fooX1234 iphash ; then
- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
- IPSET_MATCH=Yes
- fi
- qt ipset -X fooX1234
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-
- qt $IPTABLES -F fooX1234
- qt $IPTABLES -X fooX1234
-
- CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-report_capabilities() {
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
- {
- local setting=
-
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
- echo " " $1: $setting
- }
-
- if [ $VERBOSE -gt 1 ]; then
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability "NAT" $NAT_ENABLED
- report_capability "Packet Mangling" $MANGLE_ENABLED
- report_capability "Multi-port Match" $MULTIPORT
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- report_capability "Packet Type Match" $USEPKTTYPE
- report_capability "Policy Match" $POLICY_MATCH
- report_capability "Physdev Match" $PHYSDEV_MATCH
- report_capability "Packet length Match" $LENGTH_MATCH
- report_capability "IP range Match" $IPRANGE_MATCH
- report_capability "Recent Match" $RECENT_MATCH
- report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
- report_capability "CONNMARK Target" $CONNMARK
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
- report_capability "Connmark Match" $CONNMARK_MATCH
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
- report_capability "Raw Table" $RAW_TABLE
- report_capability "IPP2P Match" $IPP2P_MATCH
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
- report_capability "Extended REJECT" $ENHANCED_REJECT
- report_capability "Repeat match" $KLUDGEFREE
- report_capability "MARK Target" $MARK
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
- report_capability "Comments" $COMMENTS
- report_capability "Address Type Match" $ADDRTYPE
- report_capability "TCPMSS Match" $TCPMSS_MATCH
- fi
-
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
- report_capability1() # $1 = Capability
- {
@ -335,10 +488,11 @@
- echo CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
#
-#
# Delete IP address
#
@@ -1286,82 +1039,6 @@
del_ip_addr() # $1 = address, $2 = interface
@@ -1286,82 +885,6 @@
cut -b -${1}
}
@ -421,7 +575,7 @@
delete_tc1()
{
clear_one_tc() {
@@ -1496,65 +1173,3 @@
@@ -1496,65 +1019,3 @@
echo echo
}


@ -1,10 +1,10 @@
#!/bin/sh
#
# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4
# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.0
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
# (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#
# Options are:
@ -766,160 +766,6 @@ set_state () # $1 = state
echo "$1 ($(date))" > ${VARDIR}/state
}
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
CONNMARK=
XCONNMARK=
CONNMARK_MATCH=
XCONNMARK_MATCH=
RAW_TABLE=
IPP2P_MATCH=
LENGTH_MATCH=
CLASSIFY_TARGET=
ENHANCED_REJECT=
USEPKTTYPE=
KLUDGEFREE=
MARK=
XMARK=
MANGLE_FORWARD=
COMMENTS=
ADDRTYPE=
TCPMSS_MATCH=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
PHYSDEV_MATCH=Yes
fi
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}" ]; then
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
fi
fi
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
CONNMARK_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
fi
qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
if [ -n "$MANGLE_ENABLED" ]; then
qt $IPTABLES -t mangle -N fooX1234
if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
MARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
fi
if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
CONNMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
fi
qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
CAPVERSION=$SHOREWALL_CAPVERSION
}
report_capabilities() {
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
if [ $VERBOSE -gt 1 ]; then
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "Packet length Match" $LENGTH_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
report_capability "IPP2P Match" $IPP2P_MATCH
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match" $KLUDGEFREE
report_capability "MARK Target" $MARK
[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
report_capability "Comments" $COMMENTS
report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
}
#
# Delete IP address
#