Add capabilities report to 'shorewall dump' output

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-30 16:54:24 +00:00
parent 9c956521d8
commit 84af786df4
5 changed files with 157 additions and 217 deletions


@ -2,6 +2,10 @@ Changes in 2.5.7
1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.
2) Fix traffic shaping and "shorewall refresh"
3) Add capabilities report to "shorewall dump".
Changes in 2.5.6
1) Finish install/fallback cleanup.


@ -7234,97 +7234,6 @@ verify_ip() {
startup_error "Shorewall $version requires the iproute package ('ip' utility)"
}
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
#
# Perform Initialization
# - Delete all old rules
@ -9372,12 +9281,6 @@ case "$COMMAND" in
$@
;;
capabilities)
[ $# -ne 1 ] && usage
do_initialize
report_capabilities
;;
*)
usage
;;


@ -153,9 +153,9 @@ find_file()
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1
fi
;;
@ -185,7 +185,7 @@ resolve_file() # $1 = file name
echo $pwd/$1
;;
esac
}
}
#
# Replace commas with spaces and echo the result
@ -234,7 +234,7 @@ separate_list() {
;;
*)
case $firstpart in
*\,)
*\,)
echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
;;
*)
@ -276,7 +276,7 @@ loadmodule() # $1 = module name, $2 - * arguments
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
@ -439,7 +439,7 @@ mktempdir() {
echo " ERROR:Internal error in mktempdir" >&2
;;
esac
}
}
#
# Read a file and handle "INCLUDE" directives
@ -877,4 +877,96 @@ set_state () # $1 = state
echo "$1 ($(date))" > /var/lib/shorewall/state
}
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
SHOREWALL_LIBRARY=Loaded
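Review bot: `USEPKTTYPE` is the only capability flag that the moved `determine_capabilities` does not clear before probing — the reset list at the top of the function (`CONNTRACK_MATCH=` through `RAW_TABLE=`) covers the others, so when the `-m pkttype` probe fails the variable keeps whatever value it already had, including one inherited from the caller's environment, and `report_capabilities` then prints "Packet Type Match: Available" for a match that is absent; add `USEPKTTYPE=` to the reset list next to `RAW_TABLE=`. Relatedly, `[ -n "$PKTTYPE" ] || USEPKTTYPE=` in `report_capabilities` runs only after the value has been printed, so it cannot influence the report and leaves a reporting function with a hidden side effect on a global; it looks like it belongs at the end of `determine_capabilities` instead (PKTTYPE is presumably the shorewall.conf setting, which is not visible in this hunk). Every probe also depends on `$IPTABLES` being non-empty — with it unset each `qt $IPTABLES ...` line degrades to running `-t`/`-N`/`-A` as the command, fails quietly, and the whole report reads "Not available" — and now that the function lives in the library and is also invoked directly from /sbin/shorewall (hunks at 898 and 1012 of that file), a guard at the top such as `[ -n "$IPTABLES" ] || { echo "   ERROR: IPTABLES is not set" >&2; return 1; }` would make that misconfiguration visible rather than silently misreported. A header comment should also note that the probes create, populate and delete the `fooX1234` chain in the live filter and mangle tables (and an ipset of the same name), so otherwise read-only commands such as `dump` now briefly modify ruleset state and require the same privileges as a ruleset change.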


@ -11,94 +11,10 @@ Problems Corrected in 2.5.7:
2) The "shorewall refresh" command was clearing traffic shaping but not
reconfiguring it.
Problems Corrected in 2.5.6:
New Features in 2.5.7:
1) The following fatal error could occur at startup:
ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level NONE
--log-prefix "Shorewall:INPUT:ACCEPT:"" Failed
That problem has been corrected.
2) The Makefile is now unconditionally installed in /etc/shorewall
during an upgrade (the prior copy has been saved in
/etc/shorewall-<version>.bkout/Makefile).
New Features in 2.5.6:
1) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
2) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.
Problems Corrected in 2.5.5:
1) The install script now installs the correct Makefile. Previously,
the /etc/shorewall/actions file was identical to the Makefile.
2) Error Handling was completely broken; operations such as
"shorewall start" would continue after what should have been fatal
errors.
Problems Corrected in 2.5.4:
1) Several serious problems associated with macros have been corrected.
Problems Corrected in 2.5.3:
1) The Netfilter 'raw' table is now cleared during "shorewall stop",
"shorewall [re]start" and "shorewall clear".
Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting
file.
2) The packet type match capability is now correctly reported when
PKTTYPE=No in /etc/shorewall/shorewall.conf.
Problems Corrected in 2.5.1:
1) Shorewall is no longer dependent on the 'which' utility.
2) "shorewall add" no longer fails when the 'ipsec' option has appeared
in /etc/shorewall/hosts.
3) The Makefile has been changed to compare the modification times of
the files in /etc/shorewall with
/var/lib/shorewall/restore-base. That file is modified each time
that Shorewall is [re]started whereas /var/lib/shorewall/restarted
is also modified by "shorewall reset" and "shorewall refresh".
4) The handling of log levels passed to macros has been
corrected. Previously, passing a log level to a macro resulted in a
[re]start error.
Problems Corrected in 2.5.0:
1) The behavior of CONTINUE policies has been improved. Shorewall no
longer generates a useless policy chain corresponding to these
policies.
2) The combining of the zones and ipsec files has now been made upward
compatible provided that the user doesn't do something idiotic such
as install the new shorewall.conf file then manually update it
with exactly the changes that had been applied to the old file.
1) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".
Migration Considerations:
@ -165,13 +81,13 @@ Migration Considerations:
Your kernel and iptables must include policy
match support.
firewall
- Designates the firewall itself. You must have
- Designates the firewall itself. You must have
exactly one 'firewall' zone. No options are
permitted with a 'firewall' zone.
OPTIONS, A comma-separated list of options as
IN OPTIONS, follows:
OUT OPTIONS
OUT OPTIONS
reqid=<number> where <number> is
specified using setkey(8) using the
'unique:<number> option for the SPD
@ -414,10 +330,10 @@ New Features in Shorewall 2.5.*
ACCEPT loc all+ tcp 22
would allow SSH traffic from loc->loc whereas
would allow SSH traffic from loc->loc whereas
ACCEPT loc all tcp 22
does not.
7) A new FASTACCEPT option has been added to shorewall.conf.
@ -437,7 +353,7 @@ New Features in Shorewall 2.5.*
specified for an interface with an RFC 1918 address.
9) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules,
SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect.
@ -493,7 +409,7 @@ New Features in Shorewall 2.5.*
14) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and
RELATED states.
RELATED states.
The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with
@ -558,7 +474,7 @@ New Features in Shorewall 2.5.*
Now, $1 = these, $2 = are and $3 = parameters
17) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/nat and /etc/shorewall/providers files.
18) Arne Bernin's "tc4shorewall" package has been integrated into
@ -575,3 +491,23 @@ New Features in Shorewall 2.5.*
variable to determine if the library has been loaded into the
current shell process.
20) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
21) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.


@ -401,7 +401,7 @@ save_config() {
if shorewall_is_started ; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
@ -421,9 +421,9 @@ save_config() {
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets
@ -604,7 +604,7 @@ while [ $done -eq 0 ]; do
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
c)
@ -617,7 +617,7 @@ while [ $done -eq 0 ]; do
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
option=
shift
@ -641,7 +641,7 @@ while [ $done -eq 0 ]; do
n*)
NOROUTES=Yes
option=${option#n}
;;
;;
*)
usage 1
;;
@ -755,7 +755,7 @@ case "$1" in
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
@ -765,14 +765,14 @@ case "$1" in
esac
export NOROUTES
if [ -n "$FAST" ]; then
if qt mywhich make; then
make -qf /etc/shorewall/Makefile || FAST=
fi
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
@ -820,7 +820,7 @@ case "$1" in
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
@ -830,7 +830,7 @@ case "$1" in
esac
export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;;
add|delete)
@ -898,7 +898,8 @@ case "$1" in
fi
;;
capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
determine_capabilities
report_capabilities
;;
actions)
echo "allowBcast #Silently Allow Broadcast/multicast"
@ -914,7 +915,7 @@ case "$1" in
;;
*)
shift
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
@ -979,7 +980,7 @@ case "$1" in
heading "IP Stats"
ip -stat link ls
if qt mywhich brctl; then
heading "Bridges"
brctl show
@ -1012,11 +1013,15 @@ case "$1" in
heading "ARP"
arp -na
if qt mywhich lsmod; then
heading "Modules"
lsmod | grep -E '^ip_|^ipt_|^iptable_'
fi
determine_capabilities
echo
report_capabilities
;;
hits)
[ -n "$debugging" ] && set -x
@ -1191,7 +1196,7 @@ case "$1" in
else
usage 1
fi
[ -z "$vlsm" ] && exit 2
[ "x$address" = "x$vlsm" ] && usage 2
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
@ -1290,7 +1295,7 @@ case "$1" in
mutex_off
exit 0
fi
if [ "$1" = "safe-start" -o $running -ne 0 ]
then
# the command is safe-start or shorewall is not started yet
@ -1318,15 +1323,15 @@ case "$1" in
# removed previous configuration
rm /var/lib/shorewall/safe-start-restart
fi
else
else
if [ "$command" = "restart" ]
then
$0 nolock $debugging restore "safe-start-restart"
rm /var/lib/shorewall/safe-start-restart
else
else
$0 nolock $debugging clear
fi
mutex_off
echo "New configuration has been rejected and the old one restored"
exit 2