|
|
|
@ -222,7 +222,7 @@ get_firewall_zone() {
|
|
|
|
|
esac
|
|
|
|
|
done < $f
|
|
|
|
|
|
|
|
|
|
startup_error "No firewall zone defined"
|
|
|
|
|
startup_error "No firewall zone defined in $f"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
@ -255,7 +255,7 @@ determine_zones()
|
|
|
|
|
IPV4_ZONES=
|
|
|
|
|
IPSEC_ZONES=
|
|
|
|
|
|
|
|
|
|
[ "$IPSECFILE" = zones ] && new_zone_file=Yes
|
|
|
|
|
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
|
|
|
|
|
|
|
|
|
|
while read zone type rest; do
|
|
|
|
|
case $zone in
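Review bot: The new `[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"` runs a test command purely for the side effect of the `:=` expansion, so a reader sees a condition where only an assignment is meant; the conventional form is the null command on its own line, `[ "$IPSECFILE" = zones ] && new_zone_file=Yes` followed by `[ -n "$new_zone_file" ] || : "${FW:=fw}"`. The same pattern appears on the new side of the @2098 hunk in do_initialize, `[ -n "${FW:=fw}" ]` under `ipsec)`, and would read better as `: "${FW:=fw}"`. The reason FW is defaulted only in the non-zones case is presumably that the zones file supplies it via get_firewall_zone; a one-line comment saying so would save the next reader the inference. determine_zones continues past the end of this hunk.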
|
|
|
|
@ -1717,9 +1717,12 @@ do_initialize() {
|
|
|
|
|
#
|
|
|
|
|
TERMINATOR=fatal_error
|
|
|
|
|
#
|
|
|
|
|
# Clear all configuration variables
|
|
|
|
|
# Clear all configuration variables (shorewall.conf)
|
|
|
|
|
#
|
|
|
|
|
VERSION=
|
|
|
|
|
STARTUP_ENABLED=
|
|
|
|
|
#
|
|
|
|
|
#VERBOSE is inherited -- VERBOSITY is only used in the CIs
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Logging
|
|
|
|
|
#
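Review bot: `TERMINATOR=fatal_error` is kept as context while every direct failure in do_initialize (hunks @1820 through @2108) is switched from fatal_error to startup_error, so if helpers called from this function report fatal conditions through `$TERMINATOR` they will still take the fatal_error path and initialization failures will be handled two different ways. Either the line should become `TERMINATOR=startup_error` as well, or a comment should state why the helpers' terminator is intentionally left as fatal_error, e.g. `# Direct failures below use startup_error; helpers still exit via $TERMINATOR`. The difference between the two error functions is not visible in this change, which is exactly why the intent should be written down here. do_initialize begins above the hunk.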
|
|
|
|
@ -1795,6 +1798,7 @@ do_initialize() {
|
|
|
|
|
#
|
|
|
|
|
# Other Globals
|
|
|
|
|
#
|
|
|
|
|
VERSION=
|
|
|
|
|
FW=
|
|
|
|
|
USEPKTYPE=
|
|
|
|
|
LOGLIMIT=
|
|
|
|
@ -1820,7 +1824,7 @@ do_initialize() {
|
|
|
|
|
TMP_DIR=$(mktempdir)
|
|
|
|
|
|
|
|
|
|
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
|
|
|
|
|
fatal_error "Can't create a temporary directory"
|
|
|
|
|
startup_error "Can't create a temporary directory"
|
|
|
|
|
|
|
|
|
|
case $PROGRAM in
|
|
|
|
|
compiler)
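Review bot: The changed line only swaps the error function; `[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || startup_error ...` still tightens the mode after the directory exists, which leaves a window between creation and chmod unless mktempdir already creates it 0700 (its definition is not in the hunk, so this needs confirming). If it does not, the mode should be set at creation time (for example by narrowing the umask around the mktempdir call) and the chmod kept only as a belt-and-braces step. `$TMP_DIR` should also be quoted in the chmod, `chmod 700 "$TMP_DIR"`, so the test and the chmod operate on the same value. The `&& ... ||` chain additionally reports "Can't create a temporary directory" when chmod itself fails, which is misleading; a separate check with its own message would be clearer.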
|
|
|
|
@ -1846,10 +1850,10 @@ do_initialize() {
|
|
|
|
|
progress_message "Processing $config..."
|
|
|
|
|
. $config
|
|
|
|
|
else
|
|
|
|
|
fatal_error "Cannot read $config (Hint: Are you root?)"
|
|
|
|
|
startup_error "Cannot read $config (Hint: Are you root?)"
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
fatal_error "$config does not exist!"
|
|
|
|
|
startup_error "$config does not exist!"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
#
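Review bot: `. $config` executes shorewall.conf as shell code, and the checks in this hunk (the new startup_error calls only change the failure path) establish that the file exists and is readable, not who is allowed to write it; since the hint text assumes the caller is root, a file writable by another user becomes code run as root. A defensive check before sourcing, e.g. `[ -O "$config" ] || startup_error "$config is not owned by the current user"` together with a permission check rejecting group/world-writable files, would close that gap. The path should also be quoted, `. "$config"`, so an unusual path does not word-split. The enclosing if/else starts above the hunk.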
|
|
|
|
@ -1872,9 +1876,9 @@ do_initialize() {
|
|
|
|
|
if [ -z "$IPTABLES" ]; then
|
|
|
|
|
IPTABLES=$(mywhich iptables 2> /dev/null)
|
|
|
|
|
|
|
|
|
|
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
|
|
|
|
|
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
|
|
|
|
|
else
|
|
|
|
|
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
|
|
|
|
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
f=$(find_file capabilities)
|
|
|
|
@ -1884,7 +1888,7 @@ do_initialize() {
|
|
|
|
|
else
|
|
|
|
|
f=$(find_file capabilities)
|
|
|
|
|
|
|
|
|
|
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
|
|
|
|
|
[ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
|
|
|
|
@ -1900,7 +1904,7 @@ do_initialize() {
|
|
|
|
|
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
|
|
|
|
|
startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
else
|
|
|
|
@ -1935,7 +1939,7 @@ do_initialize() {
|
|
|
|
|
MACLIST_TARGET=RETURN
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
|
|
|
|
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
else
|
|
|
|
@ -1947,7 +1951,7 @@ do_initialize() {
|
|
|
|
|
REJECT|ACCEPT|DROP)
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
|
|
|
|
|
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
else
|
|
|
|
@ -1965,16 +1969,16 @@ do_initialize() {
|
|
|
|
|
LOGRULENUMBERS=Yes
|
|
|
|
|
temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
|
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
|
|
|
|
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
|
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
|
|
|
|
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
|
|
|
|
|
[ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
|
|
|
|
|
|
|
|
|
|
MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
|
|
|
|
|
MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
|
|
|
|
@ -1990,7 +1994,7 @@ do_initialize() {
|
|
|
|
|
|
|
|
|
|
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
|
|
|
|
if [ -n "$DYNAMIC_ZONES" ]; then
|
|
|
|
|
[ -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
|
|
|
|
|
[ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
|
|
|
|
|
lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
@ -2012,15 +2016,15 @@ do_initialize() {
|
|
|
|
|
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
|
|
|
|
[ -n "$XMARK" ] || XCONNMARK=
|
|
|
|
|
|
|
|
|
|
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
|
|
|
|
|
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
|
|
|
|
|
|
|
|
|
|
case ${MACLIST_TABLE:=filter} in
|
|
|
|
|
filter)
|
|
|
|
|
;;
|
|
|
|
|
mangle)
|
|
|
|
|
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
|
|
|
|
|
[ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
|
|
|
|
|
;; *)
|
|
|
|
|
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
|
|
|
|
|
startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
@ -2031,7 +2035,7 @@ do_initialize() {
|
|
|
|
|
[Yy][Ee][Ss])
|
|
|
|
|
TC_ENABLED=Yes
|
|
|
|
|
TC_SCRIPT=$(find_file tcstart)
|
|
|
|
|
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
|
|
|
|
|
[ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
|
|
|
|
|
;;
|
|
|
|
|
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
|
|
|
|
|
TC_ENABLED=Internal
|
|
|
|
@ -2045,7 +2049,7 @@ do_initialize() {
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -n "$TC_ENABLED" ];then
|
|
|
|
|
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
|
|
|
|
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
|
|
|
@ -2079,7 +2083,7 @@ do_initialize() {
|
|
|
|
|
0|1)
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
fatal_error "Invalid OPTIMIZE value ($OPTIMIZE)"
|
|
|
|
|
startup_error "Invalid OPTIMIZE value ($OPTIMIZE)"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
#
|
|
|
|
@ -2089,7 +2093,7 @@ do_initialize() {
|
|
|
|
|
|
|
|
|
|
temp=$(decodeaddr 192.168.1.1)
|
|
|
|
|
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
|
|
|
|
|
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
|
|
|
|
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "$KLUDGEFREE" ]; then
|
|
|
|
@ -2098,7 +2102,12 @@ do_initialize() {
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Pre-process all of the standard files
|
|
|
|
|
#
|
|
|
|
|
# Because 'strip_file()' does shell variable expansion, we must first determine the
|
|
|
|
|
# setting of $FW
|
|
|
|
|
#
|
|
|
|
|
case ${IPSECFILE:=ipsec} in
|
|
|
|
|
ipsec)
|
|
|
|
|
[ -n "${FW:=fw}" ]
|
|
|
|
@ -2108,7 +2117,7 @@ do_initialize() {
|
|
|
|
|
get_firewall_zone
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
|
|
|
|
|
startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
@ -2118,7 +2127,13 @@ do_initialize() {
|
|
|
|
|
strip_file hosts
|
|
|
|
|
|
|
|
|
|
if [ $PROGRAM = compiler ]; then
|
|
|
|
|
strip_file_and_lib_load accounting accounting
|
|
|
|
|
strip_file_and_lib_load accounting accounting
|
|
|
|
|
|
|
|
|
|
if [ -n "$USE_ACTIONS" ]; then
|
|
|
|
|
strip_file actions
|
|
|
|
|
strip_file actions.std ${SHAREDIR}/actions.std
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
strip_file blacklist
|
|
|
|
|
strip_file ecn
|
|
|
|
|
strip_file maclist
|
|
|
|
@ -2141,7 +2156,9 @@ do_initialize() {
|
|
|
|
|
strip_file tos
|
|
|
|
|
strip_file_and_lib_load tunnels tunnels
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Clear $FW
|
|
|
|
|
#
|
|
|
|
|
FW=
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|