Add capabilities report to 'shorewall dump' output
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9c956521d8
commit
84af786df4
@ -2,6 +2,10 @@ Changes in 2.5.7
|
||||
|
||||
1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.
|
||||
|
||||
2) Fix traffic shaping and "shorewall refresh"
|
||||
|
||||
3) Add capabilities report to "shorewall dump".
|
||||
|
||||
Changes in 2.5.6
|
||||
|
||||
1) Finish install/fallback cleanup.
|
||||
|
@ -7234,97 +7234,6 @@ verify_ip() {
|
||||
startup_error "Shorewall $version requires the iproute package ('ip' utility)"
|
||||
}
|
||||
|
||||
#
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
determine_capabilities() {
|
||||
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
ROUTE_TARGET=
|
||||
XMARK=
|
||||
CONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
|
||||
qt $IPTABLES -t mangle -F fooX1234
|
||||
qt $IPTABLES -t mangle -X fooX1234
|
||||
|
||||
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N fooX1234 iphash ; then
|
||||
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
|
||||
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
fi
|
||||
qt ipset -X fooX1234
|
||||
fi
|
||||
fi
|
||||
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||
|
||||
qt $IPTABLES -F fooX1234
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
echo " " $1: $setting
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Packet Type Match" $USEPKTTYPE
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
report_capability "ROUTE Target" $ROUTE_TARGET
|
||||
report_capability "Extended MARK Target" $XMARK
|
||||
report_capability "CONNMARK Target" $CONNMARK
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
}
|
||||
|
||||
#
|
||||
# Perform Initialization
|
||||
# - Delete all old rules
|
||||
@ -9372,12 +9281,6 @@ case "$COMMAND" in
|
||||
$@
|
||||
;;
|
||||
|
||||
capabilities)
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
report_capabilities
|
||||
;;
|
||||
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
|
@ -153,9 +153,9 @@ find_file()
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
IFS=$saveifs
|
||||
|
||||
|
||||
echo /etc/shorewall/$1
|
||||
fi
|
||||
;;
|
||||
@ -185,7 +185,7 @@ resolve_file() # $1 = file name
|
||||
echo $pwd/$1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
@ -234,7 +234,7 @@ separate_list() {
|
||||
;;
|
||||
*)
|
||||
case $firstpart in
|
||||
*\,)
|
||||
*\,)
|
||||
echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
|
||||
;;
|
||||
*)
|
||||
@ -276,7 +276,7 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
|
||||
if [ -z "$(lsmod | grep $modulename)" ]; then
|
||||
shift
|
||||
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
modulefile=$MODULESDIR/${modulename}.${suffix}
|
||||
|
||||
@ -439,7 +439,7 @@ mktempdir() {
|
||||
echo " ERROR:Internal error in mktempdir" >&2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Read a file and handle "INCLUDE" directives
|
||||
@ -877,4 +877,96 @@ set_state () # $1 = state
|
||||
echo "$1 ($(date))" > /var/lib/shorewall/state
|
||||
}
|
||||
|
||||
#
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
determine_capabilities() {
|
||||
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
ROUTE_TARGET=
|
||||
XMARK=
|
||||
CONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
|
||||
qt $IPTABLES -t mangle -F fooX1234
|
||||
qt $IPTABLES -t mangle -X fooX1234
|
||||
|
||||
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N fooX1234 iphash ; then
|
||||
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
|
||||
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
fi
|
||||
qt ipset -X fooX1234
|
||||
fi
|
||||
fi
|
||||
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||
|
||||
qt $IPTABLES -F fooX1234
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
echo " " $1: $setting
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Packet Type Match" $USEPKTTYPE
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
report_capability "ROUTE Target" $ROUTE_TARGET
|
||||
report_capability "Extended MARK Target" $XMARK
|
||||
report_capability "CONNMARK Target" $CONNMARK
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
}
|
||||
|
||||
|
||||
SHOREWALL_LIBRARY=Loaded
|
||||
|
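Review bot: `USEPKTTYPE` is the only capability flag that `determine_capabilities` sets (the `-m pkttype` probe near the end of the function) without clearing first, so a value inherited from the environment or from an earlier call survives a failed probe and is reported as Available; adding `USEPKTTYPE=` to the reset list at the top of the function fixes that, unless the caller is guaranteed to initialise it, which I cannot see from here. The filter- and mangle-table probe chains also lack the defensive cleanup the ipset branch has (`qt ipset -X fooX1234 # Just in case ...`): if a previous run was interrupted between `-N fooX1234` and the final `-X`, the leftover chain is reused silently because `qt` hides the `-N` failure, so `qt $IPTABLES -F fooX1234; qt $IPTABLES -X fooX1234` before each `-N` would make the probe self-healing. Note also that `report_capabilities` clears `USEPKTTYPE` when `PKTTYPE` is empty only after printing the "Packet Type Match" line, so a report function carries a configuration side effect; a comment such as `# PKTTYPE=No in shorewall.conf disables use of the match even when it is available` would make that intent explicit for the next maintainer.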
@ -11,94 +11,10 @@ Problems Corrected in 2.5.7:
|
||||
2) The "shorewall refresh" command was clearing traffic shaping but not
|
||||
reconfiguring it.
|
||||
|
||||
Problems Corrected in 2.5.6:
|
||||
New Features in 2.5.7:
|
||||
|
||||
1) The following fatal error could occur at startup:
|
||||
|
||||
ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level NONE
|
||||
--log-prefix "Shorewall:INPUT:ACCEPT:"" Failed
|
||||
|
||||
That problem has been corrected.
|
||||
|
||||
2) The Makefile is now unconditionally installed in /etc/shorewall
|
||||
during an upgrade (the prior copy has been saved in
|
||||
/etc/shorewall-<version>.bkout/Makefile).
|
||||
|
||||
New Features in 2.5.6:
|
||||
|
||||
1) The install.sh script now does a much cleaner job of backing up the
|
||||
current installation. It copies the directories /etc/shorewall,
|
||||
/usr/share/shorewall and /var/lib/shorewall to a directory of the
|
||||
same name with "-$VERSION.bkout" appended. The init script and
|
||||
/sbin/shorewall are backed up to the /usr/share/shorewall and
|
||||
/var/lib/shorewall directories respectively. This makes it very
|
||||
simple to remove the backups:
|
||||
|
||||
rm -rf /etc/shorewall-*.bkout
|
||||
rm -rf /usr/share/shorewall-*.bkout
|
||||
rm -rf /var/lib/shorewall-*.bkout
|
||||
|
||||
2) A new '-n' option has been added to the "start", "restart",
|
||||
"restore", "stop" and "try" commands. This option instructs
|
||||
Shorewall to not alter the routing in any way.
|
||||
|
||||
This option is useful when you have a multi-ISP environment because
|
||||
it prevents the route cache from being flushed which preserves the
|
||||
mapping of end-point address pairs to routes.
|
||||
|
||||
Problems Corrected in 2.5.5:
|
||||
|
||||
1) The install script now installs the correct Makefile. Previously,
|
||||
the /etc/shorewall/actions file was identical to the Makefile.
|
||||
|
||||
2) Error Handling was completely broken; operations such as
|
||||
"shorewall start" would continue after what should have been fatal
|
||||
errors.
|
||||
|
||||
Problems Corrected in 2.5.4:
|
||||
|
||||
1) Several serious problems associated with macros have been corrected.
|
||||
|
||||
Problems Corrected in 2.5.3:
|
||||
|
||||
1) The Netfilter 'raw' table is now cleared during "shorewall stop",
|
||||
"shorewall [re]start" and "shorewall clear".
|
||||
|
||||
Problems Corrected in 2.5.2:
|
||||
|
||||
1) You may now include port lists in in the /etc/shorewall/accounting
|
||||
file.
|
||||
|
||||
2) The packet type match capability is now correctly reported when
|
||||
PKTTYPE=No in /etc/shorewall/shorewall.conf.
|
||||
|
||||
Problems Corrected in 2.5.1:
|
||||
|
||||
1) Shorewall is no longer dependent on the 'which' utility.
|
||||
|
||||
2) "shorewall add" no longer fails when the 'ipsec' option has appeared
|
||||
in /etc/shorewall/hosts.
|
||||
|
||||
3) The Makefile has been changed to compare the modification times of
|
||||
the files in /etc/shorewall with
|
||||
/var/lib/shorewall/restore-base. That file is modified each time
|
||||
that Shorewall is [re]started whereas /var/lib/shorewall/restarted
|
||||
is also modified by "shorewall reset" and "shorewall refresh".
|
||||
|
||||
4) The handling of log levels passed to macros has been
|
||||
corrected. Previously, passing a log level to a macro resulted in a
|
||||
[re]start error.
|
||||
|
||||
Problems Corrected in 2.5.0:
|
||||
|
||||
1) The behavior of CONTINUE policies has been improved. Shorewall no
|
||||
longer generates a useless policy chain corresponding to these
|
||||
policies.
|
||||
|
||||
2) The combining of the zones and ipsec files has now been made upward
|
||||
compatible provided that the user doesn't do something idiotic such
|
||||
as install the new shorewall.conf file then manually update it
|
||||
with exactly the changes that had been applied to the old file.
|
||||
1) The output of "shorewall dump" now includes a capabilities report
|
||||
such as the one produced by "shorewall show capabilities".
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
@ -165,13 +81,13 @@ Migration Considerations:
|
||||
Your kernel and iptables must include policy
|
||||
match support.
|
||||
firewall
|
||||
- Designates the firewall itself. You must have
|
||||
- Designates the firewall itself. You must have
|
||||
exactly one 'firewall' zone. No options are
|
||||
permitted with a 'firewall' zone.
|
||||
|
||||
OPTIONS, A comma-separated list of options as
|
||||
IN OPTIONS, follows:
|
||||
OUT OPTIONS
|
||||
OUT OPTIONS
|
||||
reqid=<number> where <number> is
|
||||
specified using setkey(8) using the
|
||||
'unique:<number> option for the SPD
|
||||
@ -414,10 +330,10 @@ New Features in Shorewall 2.5.*
|
||||
|
||||
ACCEPT loc all+ tcp 22
|
||||
|
||||
would allow SSH traffic from loc->loc whereas
|
||||
would allow SSH traffic from loc->loc whereas
|
||||
|
||||
ACCEPT loc all tcp 22
|
||||
|
||||
|
||||
does not.
|
||||
|
||||
7) A new FASTACCEPT option has been added to shorewall.conf.
|
||||
@ -437,7 +353,7 @@ New Features in Shorewall 2.5.*
|
||||
specified for an interface with an RFC 1918 address.
|
||||
|
||||
9) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/rules,
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/rules,
|
||||
/etc/shorewall/tcrules and in action files and Shorewall will
|
||||
generate the rule that you expect.
|
||||
|
||||
@ -493,7 +409,7 @@ New Features in Shorewall 2.5.*
|
||||
14) Prior to Shorewall 2.5.3, the rules file only controlled packets in
|
||||
the Netfilter states NEW and INVALID. Beginning with this release,
|
||||
the rules file can also deal with packets in the ESTABLISHED and
|
||||
RELATED states.
|
||||
RELATED states.
|
||||
|
||||
The /etc/shorewall/rules file may now be divided into
|
||||
"sections". Each section is introduced by a line that begins with
|
||||
@ -558,7 +474,7 @@ New Features in Shorewall 2.5.*
|
||||
Now, $1 = these, $2 = are and $3 = parameters
|
||||
|
||||
17) The "shorewall check" command now checks the /etc/shorewall/masq,
|
||||
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
|
||||
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
|
||||
/etc/shorewall/nat and /etc/shorewall/providers files.
|
||||
|
||||
18) Arne Bernin's "tc4shorewall" package has been integrated into
|
||||
@ -575,3 +491,23 @@ New Features in Shorewall 2.5.*
|
||||
variable to determine if the library has been loaded into the
|
||||
current shell process.
|
||||
|
||||
20) The install.sh script now does a much cleaner job of backing up the
|
||||
current installation. It copies the directories /etc/shorewall,
|
||||
/usr/share/shorewall and /var/lib/shorewall to a directory of the
|
||||
same name with "-$VERSION.bkout" appended. The init script and
|
||||
/sbin/shorewall are backed up to the /usr/share/shorewall and
|
||||
/var/lib/shorewall directories respectively. This makes it very
|
||||
simple to remove the backups:
|
||||
|
||||
rm -rf /etc/shorewall-*.bkout
|
||||
rm -rf /usr/share/shorewall-*.bkout
|
||||
rm -rf /var/lib/shorewall-*.bkout
|
||||
|
||||
21) A new '-n' option has been added to the "start", "restart",
|
||||
"restore", "stop" and "try" commands. This option instructs
|
||||
Shorewall to not alter the routing in any way.
|
||||
|
||||
This option is useful when you have a multi-ISP environment because
|
||||
it prevents the route cache from being flushed which preserves the
|
||||
mapping of end-point address pairs to routes.
|
||||
|
||||
|
@ -401,7 +401,7 @@ save_config() {
|
||||
|
||||
if shorewall_is_started ; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
else
|
||||
@ -421,9 +421,9 @@ save_config() {
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
|
||||
|
||||
rm -f ${RESTOREPATH}-ipsets
|
||||
|
||||
|
||||
case ${SAVE_IPSETS:-No} in
|
||||
[Yy][Ee][Ss])
|
||||
RESTOREPATH=${RESTOREPATH}-ipsets
|
||||
@ -604,7 +604,7 @@ while [ $done -eq 0 ]; do
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
c)
|
||||
@ -617,7 +617,7 @@ while [ $done -eq 0 ]; do
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
option=
|
||||
shift
|
||||
@ -641,7 +641,7 @@ while [ $done -eq 0 ]; do
|
||||
n*)
|
||||
NOROUTES=Yes
|
||||
option=${option#n}
|
||||
;;
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -755,7 +755,7 @@ case "$1" in
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
@ -765,14 +765,14 @@ case "$1" in
|
||||
esac
|
||||
|
||||
export NOROUTES
|
||||
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
if qt mywhich make; then
|
||||
make -qf /etc/shorewall/Makefile || FAST=
|
||||
fi
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
@ -820,7 +820,7 @@ case "$1" in
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
@ -830,7 +830,7 @@ case "$1" in
|
||||
esac
|
||||
|
||||
export NOROUTES
|
||||
|
||||
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
@ -898,7 +898,8 @@ case "$1" in
|
||||
fi
|
||||
;;
|
||||
capabilities)
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
|
||||
determine_capabilities
|
||||
report_capabilities
|
||||
;;
|
||||
actions)
|
||||
echo "allowBcast #Silently Allow Broadcast/multicast"
|
||||
@ -914,7 +915,7 @@ case "$1" in
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
|
||||
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -979,7 +980,7 @@ case "$1" in
|
||||
|
||||
heading "IP Stats"
|
||||
ip -stat link ls
|
||||
|
||||
|
||||
if qt mywhich brctl; then
|
||||
heading "Bridges"
|
||||
brctl show
|
||||
@ -1012,11 +1013,15 @@ case "$1" in
|
||||
|
||||
heading "ARP"
|
||||
arp -na
|
||||
|
||||
|
||||
if qt mywhich lsmod; then
|
||||
heading "Modules"
|
||||
lsmod | grep -E '^ip_|^ipt_|^iptable_'
|
||||
fi
|
||||
|
||||
determine_capabilities
|
||||
echo
|
||||
report_capabilities
|
||||
;;
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
@ -1191,7 +1196,7 @@ case "$1" in
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
|
||||
|
||||
[ -z "$vlsm" ] && exit 2
|
||||
[ "x$address" = "x$vlsm" ] && usage 2
|
||||
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
|
||||
@ -1290,7 +1295,7 @@ case "$1" in
|
||||
mutex_off
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
||||
if [ "$1" = "safe-start" -o $running -ne 0 ]
|
||||
then
|
||||
# the command is safe-start or shorewall is not started yet
|
||||
@ -1318,15 +1323,15 @@ case "$1" in
|
||||
# removed previous configuration
|
||||
rm /var/lib/shorewall/safe-start-restart
|
||||
fi
|
||||
else
|
||||
else
|
||||
if [ "$command" = "restart" ]
|
||||
then
|
||||
$0 nolock $debugging restore "safe-start-restart"
|
||||
rm /var/lib/shorewall/safe-start-restart
|
||||
else
|
||||
else
|
||||
$0 nolock $debugging clear
|
||||
fi
|
||||
|
||||
|
||||
mutex_off
|
||||
echo "New configuration has been rejected and the old one restored"
|
||||
exit 2
|
||||
|
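Review bot: The `capabilities)` arm and the `dump` code now call `determine_capabilities` inside the /sbin/shorewall process instead of exec-ing the firewall script, so the `do_initialize` that previously ran before the probes (setting up `IPTABLES` and reading `PKTTYPE`, which `report_capabilities` consults) no longer runs; unless /sbin/shorewall sets `IPTABLES` earlier, outside these hunks, every `qt $IPTABLES ...` probe executes with an empty command prefix and every capability is silently reported as "Not available". A guard before the first call, e.g. `[ -n "$IPTABLES" ] || IPTABLES=$(command -v iptables)` followed by a clear error to stderr when it is still empty, would make that failure visible instead of producing a misleading report. Also worth a comment at the `dump` call site: `determine_capabilities` creates and deletes scratch chains in the filter and mangle tables and a scratch ipset, so a command users treat as read-only diagnostics now modifies netfilter state and needs root; `# NOTE: probes create/delete temporary chains and an ipset; requires root` would set expectations.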