More unification of prog.header and prog.header6

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -36,42 +36,6 @@ SHOREWALL_CAPVERSION=40427
 [ -n "${CONFDIR:=/etc/$g_program}" ]
 [ -n "${g_family:=4}" ]
 
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
 #
 # Undo the effect of 'separate_list()'
 #
@@ -151,32 +115,6 @@ mutex_off()
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 [ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
 
 #

Shorewall-core/lib.common

@@ -92,7 +92,7 @@ find_all_interfaces() {
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv4 address
+# Generate a list of all network interfaces on the system that have an ipvX address
 #
 find_all_interfaces1() {
     ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
@@ -168,7 +168,7 @@ interface_is_up() {
 }
 
 #
-# Determine if interface is usable from a Netfilter prespective
+# Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
@@ -210,7 +210,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
-		[2-9]*)
+		[2-3]*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/128"
 		    echo $address
 		    ;;
@@ -403,7 +403,7 @@ conditionally_flush_conntrack() {
 
     if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
-            conntrack -f ipv$_family -F
+            conntrack -f ipv$g_family -F
 	else
             error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 	fi
@@ -411,7 +411,7 @@ conditionally_flush_conntrack() {
 }
 
 #
-# Issue a message and stop/restore the firewall
+# Issue a message and stop/restore the firewall -- In the CLI, this function is overloaded by the one in lib.cli.
 #
 fatal_error()
 {
@@ -472,7 +472,7 @@ startup_error() # $* = Error Message
 }
 
 #
-# Run iptables and if an error occurs, stop/restore the firewall
+# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
 #
 run_iptables()
 {
@@ -492,7 +492,7 @@ run_iptables()
 }
 
 #
-# Run iptables retrying exit status 4
+# Run iptables/ip6tables retrying exit status 4
 #
 do_iptables()
 {
@@ -506,7 +506,7 @@ do_iptables()
 }
 
 #
-# Run iptables and if an error occurs, stop/restore the firewall
+# Run ip and if an error occurs, stop/restore the firewall
 #
 run_ip()
 {
@@ -528,6 +528,86 @@ run_tc() {
     fi
 }
 
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $g_tool -t mangle -F
+    qt1 $g_tool -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $g_tool -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t raw    -F
+    qt1 $g_tool -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $g_tool -t raw -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t filter -F
+    qt1 $g_tool -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $g_tool -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $g_tool -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Get the Shorewall version of the passed script
 #
@@ -1046,7 +1126,7 @@ find_first_interface_address() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -$g_family addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#
@@ -1176,4 +1256,3 @@ truncate() # $1 = length
 {
     cut -b -${1}
 }
-

Shorewall/Perl/prog.header

@@ -397,97 +397,6 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw     -F
-    qt1 $IPTABLES -t raw     -X
-    qt1 $IPTABLES -t rawpost -F
-    qt1 $IPTABLES -t rawpost -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -306,86 +306,6 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################