From f822afef9999326f6ab6af41b41582c78ca7acf4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Oct 2015 13:07:28 -0700 Subject: [PATCH 01/27] Issue warning if a persistent provider isn't optional Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index c777992db..d7f2dbc92 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -661,6 +661,10 @@ sub process_a_provider( $ ) { fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none'; } + if ( $persistent ) { + warning_message( "Provider $table is not optional -- the 'persistent' option is ignored" ), $persistent = 0 unless $optional; + } + $providers{$table} = { provider => $table, number => $number , id => $config{USE_RT_NAMES} ? $table : $number, From 4f4358d4dbc99379a3754f601c051c6d6b10900a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Oct 2015 13:07:40 -0700 Subject: [PATCH 02/27] Correct error message Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index d7f2dbc92..68a86bf96 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
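Review bot: The new `if ( $persistent )` block joins two statements with the comma operator under one trailing `unless $optional`, which reads at a glance like a warning_message call with a second argument and hides that `$persistent` is also reset. An explicit conditional is clearer and avoids the comma-operator idiom: `if ( $persistent && ! $optional ) { warning_message( "Provider $table is not optional -- the 'persistent' option is ignored" ); $persistent = 0; }`. process_a_provider begins outside this hunk.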
@@ -706,7 +706,7 @@ sub process_a_provider( $ ) { if ( $track ) { if ( $routemarked_interfaces{$interface} ) { fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED; - fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared; + fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared; } else { $routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED; push @routemarked_interfaces, $interface; From c2768a2d64ca7301e2aebb8872e58272ea7ebdf1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Oct 2015 13:07:40 -0700 Subject: [PATCH 03/27] Correct error message Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 80263fcc5..7ead6068c 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -695,7 +695,7 @@ sub process_a_provider( $ ) { if ( $track ) { if ( $routemarked_interfaces{$interface} ) { fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED; - fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared; + fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared; } else { $routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED; push @routemarked_interfaces, $interface; From 38049fd0df681fa11c87c8ba99c735f255060f4d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Oct 2015 20:06:10 -0700 Subject: [PATCH 04/27] Correct "remote-" commands 
Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 7 +++++++ Shorewall/lib.cli-std | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 1c8f12f18..76ea839b6 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3885,6 +3885,13 @@ usage() # $1 = exit status ecko " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." ecko " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + + if [ -z "$g_lite" ]; then + echo " remote-reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + echo " remote-restart [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + echo " remote-start [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + fi + echo " reset [ ... ]" if [ -n "$g_lite" ]; then diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index cfc0a7d0e..ba46c81cf 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -1645,7 +1645,7 @@ compiler_command() { shift update_command $@ ;; - remote-start|remote-reload-reload|remote-restart) + remote-start|remote-reload|remote-restart) shift remote_reload_command $@ ;; From 79a145bf83ac8d31c2ba06ba86fd71cff8d37f6a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Oct 2015 20:06:10 -0700 Subject: [PATCH 05/27] Correct "remote-" commands Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 7 +++++++ Shorewall/lib.cli-std | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 62685ab39..c3cb7c287 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3879,6 +3879,13 @@ usage() # $1 = exit status ecko " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." ecko " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + + if [ -z "$g_lite" ]; then + echo " remote-reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + echo " remote-restart [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + echo " remote-start [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " + fi + echo " reset [ ... ]" if [ -n "$g_lite" ]; then diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index cfc0a7d0e..ba46c81cf 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -1645,7 +1645,7 @@ compiler_command() { shift update_command $@ ;; - remote-start|remote-reload-reload|remote-restart) + remote-start|remote-reload|remote-restart) shift remote_reload_command $@ ;; From 35b90c270928b527095626b7311d5f12a070107a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 27 Oct 2015 08:16:06 -0700 Subject: [PATCH 06/27] Update documentation for 'remote-' vs. 'remote_' Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall.xml | 14 +++++++------- Shorewall6/manpages/shorewall6.xml | 14 +++++++------- docs/Shorewall-5.xml | 4 ++-- docs/upgrade_issues.xml | 19 +++++++++++++------ 4 files changed, 29 insertions(+), 22 deletions(-) diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 570c46985..d808a5ce6 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -424,7 +424,7 @@ -options - + @@ -448,7 +448,7 @@ -options - + @@ -472,7 +472,7 @@ -options - + @@ -1522,7 +1522,7 @@ This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0 reload command is now called - remote_restart (see below). + remote-restart (see below). Reload is similar to shorewall start except that it assumes that the firewall is already @@ -1575,7 +1575,7 @@ - remote_start + remote-start [-] [-] [- root-user-name] [-] [-] [ directory ] @@ -1637,7 +1637,7 @@ - remote_reload + remote-reload [-] [-] [- root-user-name] [-] [-] [ @@ -1699,7 +1699,7 @@ - remote_restart + remote-restart [-] [-] [- root-user-name] [-] [-] [ 
diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 16fa452b2..9ec51fa37 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -378,7 +378,7 @@ -options - + @@ -402,7 +402,7 @@ -options - + @@ -426,7 +426,7 @@ -options - + @@ -1457,7 +1457,7 @@ This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0 reload command is now called - remote_restart (see below). + remote-restart (see below). Reload is similar to shorewall6 start except that it assumes that the firewall is already started. @@ -1511,7 +1511,7 @@ - remote_reload + remote-reload [-] [-] [- root-user-name] [-] [-] [ @@ -1573,7 +1573,7 @@ - remote_ restart + remote- restart [-] [-] [- root-user-name] [-] [-] [ @@ -1636,7 +1636,7 @@ - remote_start + remote-start [-] [-] [- root-user-name] [-] [-] [ directory ] diff --git a/docs/Shorewall-5.xml b/docs/Shorewall-5.xml index 2b50eeb3a..5b27dc171 100644 --- a/docs/Shorewall-5.xml +++ b/docs/Shorewall-5.xml @@ -323,7 +323,7 @@ load The function performed by the Shorewall-4 load - command is now performed by the remote_start + command is now performed by the remote-start command. @@ -334,7 +334,7 @@ the same function as the restart command did in Shorewall 4. The action taken by the Shorewall-4 reload command is now performed by the - remote_restart command. + remote-restart command. For those that can't get used to the idea of using reload in place of restart, a diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 91c00e3e6..7241bd244 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -37,7 +37,7 @@ Thomas M. Eastep - + @@ -78,6 +78,13 @@ zones. +
+ Version >= 5.0.0 + + See the Shorewall 5 + documentation. +
+
Version >= 4.6.0 @@ -85,7 +92,7 @@ Beginning with Shorewall 4.6.0, ection headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare - 'SECTION' entries, the following warning is issued: + 'SECTION' entries, the following warning is issued: WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ... @@ -111,7 +118,7 @@ - Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are + Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action or macro found. @@ -119,8 +126,8 @@ WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release. - To eliminate these warnings, add the following line before the - first rule in the action or macro: + To eliminate these warnings, add the following line before the + first rule in the action or macro: ?FORMAT 2 @@ -325,7 +332,7 @@ ?ENDIF. - + From 081cf30447908206dfcdc5187f057b6b72f5e640 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 27 Oct 2015 17:45:22 -0700 Subject: [PATCH 07/27] Don't export variables with parentheses in their names Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 56 +++++++++++++++++------------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index f0acfd644..59f82e0bf 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -5188,19 +5188,23 @@ sub get_params( $ ) { $shell = BASH; for ( @params ) { - if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { - $params{$1} = $2 unless $1 eq '_'; - } elsif ( /^declare -x (.*?)="(.*)$/ ) { - $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; - } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { - $params{$1} = ''; - } else { - chomp; - if ($variable) { - s/"$//; - $params{$variable} .= $_; + my $var = $1; + + unless ( $var =~ /\(/ ) { + if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { + $params{$var} = $2 unless $1 eq '_'; + } elsif ( /^declare -x (.*?)="(.*)$/ ) { + $params{$variable=$var} = $2 eq '"' ? '' : "${2}\n"; + } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { + $params{$var} = ''; } else { - warning_message "Param line ($_) ignored" unless $bug++; + chomp; + if ($variable) { + s/"$//; + $params{$variable} .= $_; + } else { + warning_message "Param line ($_) ignored" unless $bug++; + } } } } @@ -5216,19 +5220,23 @@ sub get_params( $ ) { $shell = OLDBASH; for ( @params ) { - if ( /^export (.*?)="(.*[^\\])"$/ ) { - $params{$1} = $2 unless $1 eq '_'; - } elsif ( /^export (.*?)="(.*)$/ ) { - $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; - } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { - $params{$1} = ''; - } else { - chomp; - if ($variable) { - s/"$//; - $params{$variable} .= $_; + my $var = $1; + + unless ( $var =~ /\(/ ) { + if ( /^export (.*?)="(.*[^\\])"$/ ) { + $params{$var} = $2 unless $1 eq '_'; + } elsif ( /^export (.*?)="(.*)$/ ) { + $params{$variable=$var} = $2 eq '"' ? '' : "${2}\n"; + } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { + $params{$var} = ''; } else { - warning_message "Param line ($_) ignored" unless $bug++; + chomp; + if ($variable) { + s/"$//; + $params{$variable} .= $_; + } else { + warning_message "Param line ($_) ignored" unless $bug++; + } } } } From 3873ebe06aa78b0889e3ed1daadd3e417f3b0701 Mon Sep 17 00:00:00 2001 
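Review bot: `my $var = $1;` at the top of each `for ( @params )` body is evaluated before any match is attempted on the current line, so it holds the previous iteration's capture (undef on the first pass, which warns under `use warnings`), and the `unless ( $var =~ /\(/ )` guard therefore filters on the wrong variable name; the OLDBASH hunk in this same patch has the identical problem. If the goal is to skip `declare -x` entries whose name contains a parenthesis, test the line itself first, e.g. `next if /^declare -x [^=]*\(/;` (and the `export` form in the second loop), then keep the original `$1`-based branches. The following patch in this series drops this guard in favour of filtering `keys %params` afterwards, which sidesteps the stale-capture issue. get_params begins outside this hunk.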
From: Tom Eastep Date: Wed, 28 Oct 2015 09:37:52 -0700 Subject: [PATCH 08/27] More param handling fixes Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 76 +++++++++++++++--------------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 59f82e0bf..f2c3db25f 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5188,23 +5188,19 @@ sub get_params( $ ) { $shell = BASH; for ( @params ) { - my $var = $1; - - unless ( $var =~ /\(/ ) { - if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { - $params{$var} = $2 unless $1 eq '_'; - } elsif ( /^declare -x (.*?)="(.*)$/ ) { - $params{$variable=$var} = $2 eq '"' ? '' : "${2}\n"; - } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { - $params{$var} = ''; + chomp; + if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { + $params{$1} = $2 unless $1 eq '_'; + } elsif ( /^declare -x (.*?)="(.*)$/ ) { + $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; + } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { + $params{$1} = ''; + } else { + if ($variable) { + s/"$//; + $params{$variable} .= $_; } else { - chomp; - if ($variable) { - s/"$//; - $params{$variable} .= $_; - } else { - warning_message "Param line ($_) ignored" unless $bug++; - } + warning_message "Param line ($_) ignored" unless $bug++; } } } 
@@ -5220,23 +5216,19 @@ sub get_params( $ ) { $shell = OLDBASH; for ( @params ) { - my $var = $1; - - unless ( $var =~ /\(/ ) { - if ( /^export (.*?)="(.*[^\\])"$/ ) { - $params{$var} = $2 unless $1 eq '_'; - } elsif ( /^export (.*?)="(.*)$/ ) { - $params{$variable=$var} = $2 eq '"' ? '' : "${2}\n"; - } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { - $params{$var} = ''; + chomp; + if ( /^export (.*?)="(.*[^\\])"$/ ) { + $params{$1} = $2 unless $1 eq '_'; + } elsif ( /^export (.*?)="(.*)$/ ) { + $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; + } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { + $params{$1} = ''; + } else { + if ($variable) { + s/"$//; + $params{$variable} .= $_; } else { - chomp; - if ($variable) { - s/"$//; - $params{$variable} .= $_; - } else { - warning_message "Param line ($_) ignored" unless $bug++; - } + warning_message "Param line ($_) ignored" unless $bug++; } } } @@ -5251,6 +5243,7 @@ sub get_params( $ ) { $shell = ASH; for ( @params ) { + chomp; if ( /^export (.*?)='(.*'"'"')$/ ) { $params{$variable=$1}="${2}\n"; } elsif ( /^export (.*?)='(.*)'$/ ) { @@ -5258,7 +5251,6 @@ sub get_params( $ ) { } elsif ( /^export (.*?)='(.*)$/ ) { $params{$variable=$1}="${2}\n"; } else { - chomp; if ($variable) { s/'$//; $params{$variable} .= $_; @@ -5270,9 +5262,13 @@ sub get_params( $ ) { } for ( keys %params ) { - unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) { - fatal_error "The variable name $_ is reserved and may not be set in the params file" - if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_}; + if ( /[^\w]/ ) { + delete $params{$_} + } else { + unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) { + fatal_error "The variable name $_ is reserved and may not be set in the params file" + if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_}; + } } } 
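Review bot: In the `for ( keys %params )` loop, `if ( /[^\w]/ )` discards names with punctuation but still accepts names that start with a digit, which are not valid shell identifiers, so export_params would later emit `$param=...` for them and the generated script would treat that as a command rather than an assignment. An anchored identifier test is the usual fix and also replaces the `[^\w]` spelling of `\W`: `if ( ! /\A[A-Za-z_]\w*\z/ ) {`. The two later patches in this series that revise this loop (their `@@ -5268` hunks) carry the same `/[^\w]/` test unchanged.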
@@ -5322,6 +5318,8 @@ sub export_params() { next if exists $compiler_params{$param}; my $value = $params{$param}; + + chomp $value; # # Values in %params are generated from the output of 'export -p'. # The different shells have different conventions for delimiting @@ -5332,6 +5330,8 @@ sub export_params() { $value =~ s/\\"/"/g; } elsif ( $shell == OLDBASH ) { $value =~ s/\\'/'/g; + $value =~ s/\\"/"/g; + $value =~ s/\\\\/\\/g; } else { $value =~ s/'"'"'/'/g; } @@ -5344,7 +5344,9 @@ sub export_params() { # # We will use double quotes and escape embedded quotes with \. # - if ( $value =~ /[\s()['"]/ ) { + if ( $value =~ /^"[^"]*"$/ ) { + emit "$param=$value"; + } elsif ( $value =~ /[\s()['"]/ ) { $value =~ s/"/\\"/g; emit "$param='$value'"; } else { From 239560be8d93f6259a8560de7c4d9a5ae102d13e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 28 Oct 2015 13:47:40 -0700 Subject: [PATCH 09/27] Add Cygwin-specific code in get_params() Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index f2c3db25f..32a2610bf 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5147,6 +5147,7 @@ sub unsupported_yes_no_warning( $ ) { # sub get_params( $ ) { my $export = $_[0]; + my $cygwin = ( $shorewallrc{HOST} eq 'cygwin' ); my $fn = find_file 'params'; @@ -5189,7 +5190,9 @@ sub get_params( $ ) { for ( @params ) { chomp; - if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { + if ( $cygwin && /^declare -x (.*?)="(.*)"$/ ) { + $params{$1} = $2 unless $1 eq '_'; + } elsif ( /^declare -x (.*?)="(.*[^\\])"$/ ) { $params{$1} = $2 unless $1 eq '_'; } elsif ( /^declare -x (.*?)="(.*)$/ ) { $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; 
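Review bot: The new first branch `if ( $value =~ /^"[^"]*"$/ ) { emit "$param=$value"; }` writes the value into the generated script inside double quotes with no escaping, so any `$`, backquote or backslash inside it is expanded again when the script runs instead of being reproduced literally (a constructed value such as `"$(uname)"` would be re-evaluated at run time). If the intent is to pass through values that already carry their own quotes, the pattern should at least exclude `$`, the backquote character and backslash from the quoted body, or the value should go through the same escaping path as the other branches. The adjacent `elsif` branch escapes `"` as `\"` and then wraps the result in single quotes, where the backslash is literal, so the `# We will use double quotes and escape embedded quotes with \.` comment above no longer describes what is emitted and should be reworded to match the code. export_params continues outside this hunk.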
@@ -5217,7 +5220,9 @@ sub get_params( $ ) { for ( @params ) { chomp; - if ( /^export (.*?)="(.*[^\\])"$/ ) { + if ( $cygwin && /^export (.*?)="(.*)"$/ ) { + $params{$1} = $2 unless $1 eq '_'; + } elsif ( /^export (.*?)="(.*[^\\])"$/ ) { $params{$1} = $2 unless $1 eq '_'; } elsif ( /^export (.*?)="(.*)$/ ) { $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; From e39d405e8658d732fc39b917129c46a59f7f160e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 28 Oct 2015 14:33:55 -0700 Subject: [PATCH 10/27] More tweaks to params processing and exporting Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 32a2610bf..c2dadd370 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5268,12 +5268,16 @@ sub get_params( $ ) { for ( keys %params ) { if ( /[^\w]/ ) { - delete $params{$_} + delete $params{$_}; + } elsif ( /^(?:SHLVL|OLDPWD)$/ ) { + delete $params{$_}; } else { unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) { fatal_error "The variable name $_ is reserved and may not be set in the params file" if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_}; } + + $params{$_} = '' unless defined $params{$_}; } } @@ -5343,7 +5347,11 @@ sub export_params() { # # Don't export pairs from %ENV # - next if defined $ENV{$param} && $value eq $ENV{$param}; + if ( defined $ENV{$param} ) { + next if $value eq $ENV{$param}; + } elsif ( exists $ENV{$param} ) { + next unless supplied $value; + } emit "#\n# From the params file\n#" unless $count++; # From 5a3589b9a60f51e0ae80ee162199d67fb9bc2320 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 30 Oct 2015 08:18:45 -0700 Subject: [PATCH 11/27] Add some comments in get_params() Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index c2dadd370..533eea50d 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5268,8 +5268,14 @@ sub get_params( $ ) { for ( keys %params ) { if ( /[^\w]/ ) { + # + # Useless variable with special characters in its name + # delete $params{$_}; } elsif ( /^(?:SHLVL|OLDPWD)$/ ) { + # + # The shell running getparams generates those + # delete $params{$_}; } else { unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) { From 1848c3fa458cf883071953130b81f47504ec06b6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 30 Oct 2015 08:47:01 -0700 Subject: [PATCH 12/27] Add lib.cli-user support to the -lite products Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 76ea839b6..11b221347 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3496,9 +3496,12 @@ noiptrace_command() { fi } # -# Set the configuration variables from shorewall-lite.conf +# Set the configuration variables from shorewall[6]-lite.conf. +# This function is overloaded by lib.cli-std in the full products # get_config() { + local config + local lib ensure_config_path @@ -3636,6 +3639,10 @@ get_config() { g_loopback=$(find_loopback_interfaces) + lib=$(find_file lib.cli-user) + + [ -f $lib ] && . $lib + } # From 6209616766b220d8b5ce520e9256cf55ace9c4d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 30 Oct 2015 08:47:16 -0700 Subject: [PATCH 13/27] Add lib.cli-user support to the full products Signed-off-by: Tom Eastep --- Shorewall/lib.cli-std | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index ba46c81cf..f18f9ea3f 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -31,6 +31,7 @@ # get_config() { local prog + local lib ensure_config_path 
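Review bot: `[ -f $lib ] && . $lib` is the last command in get_config, so whenever no lib.cli-user is found the function's exit status becomes 1; that only matters if a caller tests get_config's status, which is not visible here, but `if [ -f "$lib" ]; then . "$lib"; fi` avoids the question and also quotes the path that find_file returns. The lib.cli-std hunk in the next patch adds the same two lines and would benefit from the same shape. Since the sourced file runs with the privileges of the CLI invoking it, a one-line comment above the `find_file lib.cli-user` call stating that it is located through CONFIG_PATH like the other extension scripts would make that trust relationship explicit for readers. get_config begins outside this hunk.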
@@ -322,6 +323,10 @@ get_config() { fi g_loopback=$(find_loopback_interfaces) + + lib=$(find_file lib.cli-user) + + [ -f $lib ] && . $lib } # From c83536767e411f27421d21919c825f2bf1ddb0a8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 30 Oct 2015 08:54:07 -0700 Subject: [PATCH 14/27] Move get_config() into the overloadable part of the file Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 45 +++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 11b221347..b17d68d9f 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3495,9 +3495,30 @@ noiptrace_command() { fatal_error "$g_product is not started" fi } + +# +# Verify that we have a compiled firewall script +# +verify_firewall_script() { + if [ ! -f $g_firewall ]; then + echo " ERROR: $g_product is not properly installed" >&2 + if [ -L $g_firewall ]; then + echo " $g_firewall is a symbolic link to a" >&2 + echo " non-existant file" >&2 + else + echo " The file $g_firewall does not exist" >&2 + fi + + exit 2 + fi +} + +################################################################################ +# The remaining functions are used by the Lite cli - they are overloaded by +# the Standard CLI by loading lib.cli-std +################################################################################ # # Set the configuration variables from shorewall[6]-lite.conf. -# This function is overloaded by lib.cli-std in the full products # get_config() { local config 
@@ -3644,28 +3665,6 @@ get_config() { [ -f $lib ] && . $lib } - -# -# Verify that we have a compiled firewall script -# -verify_firewall_script() { - if [ ! -f $g_firewall ]; then - echo " ERROR: $g_product is not properly installed" >&2 - if [ -L $g_firewall ]; then - echo " $g_firewall is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $g_firewall does not exist" >&2 - fi - - exit 2 - fi -} - -################################################################################ -# The remaining functions are used by the Lite cli - they are overloaded by -# the Standard CLI by loading lib.cli-std -################################################################################ # # Start Command Executor # From 74a839b12e81c444aac2212c50b7549ef394ec97 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 30 Oct 2015 09:09:53 -0700 Subject: [PATCH 15/27] Mention lib.cli-user in the extension script article. Signed-off-by: Tom Eastep --- docs/shorewall_extension_scripts.xml | 35 +++++++++++++++++----------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 7ffbe4620..2947ee246 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -175,7 +175,7 @@ esac url="manpages/shorewall.conf.html">shorewall.conf(8) and output on an interface is not allowed by stoppedrules(8) - then the isuasable script must blow it's own holes in the firewall + then the isuasable script must blow it's own holes in the firewall before probing. @@ -227,6 +227,13 @@ cat - /sbin/shorewall after a script has been compiled. $1 is the path name of the compiled script. + + + lib.cli-user -- Added in Shorewall 5.0.2. + This is actually a shell library (set of function declarations) that + can be used to augment or replace functions in the standard CLI + libraries. + If your version of Shorewall doesn't have the 
@@ -264,7 +271,7 @@ cat - continue - + @@ -459,10 +466,10 @@ cat - VARDIR - The product state directory. Defaults /var/lib/shorewall, /var/lib/shorewall6/, /var/lib/shorewall-lite, or - /var/lib/shorewall6-lite - depending on which product is running, but may be overridden by an - entry in ${CONFDIR}/vardir. + class="directory">/var/lib/shorewall-lite, or /var/lib/shorewall6-lite depending on + which product is running, but may be overridden by an entry in + ${CONFDIR}/vardir. @@ -474,7 +481,7 @@ cat - - +
Compile-time vs Run-time Scripts @@ -524,43 +531,43 @@ cat - - + stop - + stopped - + tcclear - + refresh - + refreshed - + restored - + scfilter From f90567abf102f301f997572c5caa6a7083e2944a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 31 Oct 2015 08:08:17 -0700 Subject: [PATCH 16/27] Add support for OpenWRT BB and later Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 140 +++++++++++++++++++++++------------------ Shorewall/lib.cli-std | 10 +-- 2 files changed, 80 insertions(+), 70 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index b17d68d9f..a1abfb5de 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -149,23 +149,51 @@ syslog_circular_buffer() { local pid local tty local flags - local cputime + local time local path local args local arg - ps ax 2> /dev/null | while read pid tty flags cputime path args; do + ps w 2> /dev/null | while read pid tty stat time path args; do case $path in syslogd|*/syslogd) for arg in $args; do if [ x$arg = x-C ]; then - echo Yes - return + return 0 + fi + done + ;; + logd|*/logd) + for arg in $args; do + if [ x$arg = x-S ]; then + return 0 fi done ;; esac done + + return 1 +} + +setup_logread() { + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if syslog_circular_buffer; then + if qt mywhich tac; then + g_logread="logread | tac" + else + g_logread="logread" + fi + elif [ -r $LOGFILE ]; then + if qt mywhich tac; then + g_logread="tac $LOGFILE" + else + g_logread="cat $LOGFILE" + fi + else + fatal_error "LOGFILE ($LOGFILE) does not exist or is not readable!" + fi } # 
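Review bot: In syslog_circular_buffer the `return 0` statements sit inside a `while read` loop that is the last stage of the `ps w 2> /dev/null | ...` pipeline, and in shells that run that stage in a subshell (ash/dash, which OpenWRT uses, and bash by default) `return 0` only ends the subshell, after which the function falls through to `return 1`; setup_logread's `if syslog_circular_buffer; then` would then never take the logread path. Making the pipeline the function's last statement with the loop and the failure return inside one brace group gives the intended status under both behaviours: `ps w 2> /dev/null | { while read pid tty stat time path args; do ... done; return 1; }` and drop the trailing `return 1`. The later patch in this series that switches the argument tests to `case $arg in -C*)` keeps the same structure and has the same problem. `stat` is read into but not declared `local` alongside `pid`, `tty` and `time`. syslog_circular_buffer's opening line is outside this hunk.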
@@ -173,31 +201,59 @@ syslog_circular_buffer() { # packet_log() # $1 = number of messages { - if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - if [ $g_family -eq 4 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + if qt mywhich tac; then + if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ else - $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ fi - elif [ $g_family -eq 4 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ else - $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ - fi + if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; 
s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + fi } search_log() # $1 = IP address to search for { - if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - if [ $g_family -eq 4 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + if qt mywhich tac; then + if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ else - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ fi - elif [ $g_family -eq 4 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ else - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | 
sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi fi } @@ -280,17 +336,7 @@ show_bl() { logwatch() # $1 = timeout -- if negative, prompt each time that # an 'interesting' packet count changes { - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - fatal_error "LOGFILE ($LOGFILE) does not exist!" - fi - fi + setup_logread host=$(echo $g_hostname | sed 's/\..*$//') oldrejects=$($g_tool -L -v -n | grep 'LOG') @@ -1038,17 +1084,7 @@ show_command() { log) [ $# -gt 2 ] && usage 1 - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - fatal_error "LOGFILE ($LOGFILE) does not exist!" - fi - fi + setup_logread echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)" echo 
@@ -1427,17 +1463,7 @@ do_dump_command() { esac done - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" - fi - fi + setup_logread g_ipt_options="$g_ipt_options $g_ipt_options1" @@ -3544,15 +3570,7 @@ get_config() { [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - fatal_error "LOGFILE ($LOGFILE) does not exist!" - fi + setup_logread # # See if we have a real version of "tail" -- use separate redirection so # that ash (aka /bin/sh on LRP) doesn't crap diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index f18f9ea3f..7ee768549 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -71,15 +71,7 @@ get_config() { # This block is avoided for compile for export and when the user isn't root # if [ "$3" = Yes ]; then - if [ -n "$LOGFILE" ]; then - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - fatal_error "LOGFILE ($LOGFILE) does not exist!" - fi - fi + setup_logread fi if [ $g_family -eq 4 ]; then From 460f4bc5b7355b2cc2d81b7e3f1f8db7ecfa0657 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 31 Oct 2015 08:15:10 -0700 Subject: [PATCH 17/27] Correct defect in processing the 'persistent' route option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 68a86bf96..3aea167c7 100644 
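Review bot: In the Shorewall/lib.cli-std hunk the replaced block only configured log reading when `LOGFILE` was already non-empty (`if [ -n "$LOGFILE" ]`), whereas `setup_logread`, as shown in the PATCH 26 hunk later on this page, starts with `[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages`; the root-only branch of get_config therefore now always sets up `g_logread`, which is a behaviour change rather than a pure refactor. If setup_logread still calls `fatal_error` for an unreadable LOGFILE (its full body is not visible here), hosts without /var/log/messages that previously passed through this branch silently will now abort. The old do_dump_command block also pointed at a documentation URL in its error text; worth confirming the shared helper keeps that hint. If the new behaviour is intended, a one-line comment at the call, `# setup_logread also defaults LOGFILE; this branch used to be skipped when LOGFILE was unset`, would record it.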
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1350,7 +1350,7 @@ sub add_a_route( ) {
 my $persistent;
- if ( $options != '-' ) {
+ if ( $options ne '-' ) {
 for ( split_list1( 'option', $options ) ) {
 my ( $option, $value ) = split /=/, $options;
From 27d94c8921e90c92d42fd2c2e4d2c94390b897ff Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 08:31:46 -0700
Subject: [PATCH 18/27] Improve check for circular log buffer
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index a1abfb5de..1af8eb398 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -158,16 +158,20 @@ syslog_circular_buffer() {
 case $path in
 syslogd|*/syslogd)
 for arg in $args; do
- if [ x$arg = x-C ]; then
- return 0
- fi
+ case $arg in
+ -C*)
+ return 0
+ ;;
+ esac
 done
 ;;
 logd|*/logd)
 for arg in $args; do
- if [ x$arg = x-S ]; then
- return 0
- fi
+ case $arg in
+ -S*)
+ return 0
+ ;;
+ esac
 done
 ;;
 esac
From 073b2992cc96f8258774bfd3cccabcab79100884 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 12:43:01 -0700
Subject: [PATCH 19/27] Require the 'install' utility in the installers
Signed-off-by: Tom Eastep
---
 Shorewall-core/install.sh | 2 ++
 Shorewall-lite/install.sh | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall-core/install.sh b/Shorewall-core/install.sh
index e9643850c..253af810b 100755
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -133,6 +133,8 @@ while [ $finished -eq 0 ]; do
 esac
 done
+[ -n $(mywhich install) ] || { fatal_error "This installer requires the 'install' utility"
+
 #
 # Read the RC file
 #
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 0c6d8cc0e..6f5f3fb1d 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
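Review bot: The context line `my ( $option, $value ) = split /=/, $options;` splits the whole option string rather than the element the `for` loop is iterating in `$_`, so with more than one option (say `a,b=1`) `$option` becomes `a,b` on every pass instead of each item in turn; a single option happens to work, which is likely why it went unnoticed, and the `ne` correction on the line above does not touch it. It should read `my ( $option, $value ) = split /=/, $_;`, or better give the loop a name, `for my $item ( split_list1( 'option', $options ) )`, and split `$item`. The rest of add_a_route's body, including what is done with `$option` and `$value`, lies outside the hunk.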
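Review bot: `[ -n $(mywhich install) ]` leaves the command substitution unquoted, so when mywhich prints nothing the test collapses to `[ -n ]`, which is true (a one-argument test of the non-empty string `-n`), and the new guard never fires in exactly the case it is meant to catch. Quote the substitution: `[ -n "$(mywhich install)" ] || fatal_error "This installer requires the 'install' utility"`. The same line is added to Shorewall-lite/install.sh in the next hunk, and the two PATCH 25 hunks later on this page remove the stray `{` but keep the substitution unquoted, so the fix is needed in both installers.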
@@ -151,6 +151,8 @@ while [ $finished -eq 0 ] ; do
 esac
 done
+[ -n $(mywhich install) ] || { fatal_error "This installer requires the 'install' utility"
+
 #
 # Read the RC file
 #
@@ -187,7 +189,7 @@ elif [ -z "${VARDIR}" ]; then
 VARDIR=${VARLIB}/${PRODUCT}
 fi
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
 require $var
 done
From 3d06a7576809abbd7cceb49ea30f483568423cbf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 12:43:22 -0700
Subject: [PATCH 20/27] Remove more %_b instances
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.common | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 5814189fd..917338aa2 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -33,7 +33,7 @@ startup_error() # $* = Error Message
 echo " ERROR: $@: Firewall state not changed" >&2
 if [ $LOG_VERBOSITY -ge 0 ]; then
- timestamp="$(date +'%_b %d %T') "
+ timestamp="$(date +'%b %d %T') "
 echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
 fi
@@ -50,7 +50,7 @@ startup_error() # $* = Error Message
 esac
 if [ $LOG_VERBOSITY -ge 0 ]; then
- timestamp="$(date +'%_b %d %T') "
+ timestamp="$(date +'%b %d %T') "
 case $COMMAND in
 start)
From aa680d8472c79fb53188acbb5a8a2f7aabacd531 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 12:57:33 -0700
Subject: [PATCH 21/27] Avoid double slashes in pathnames within the installers
Signed-off-by: Tom Eastep
---
 Shorewall-core/install.sh | 4 ++--
 Shorewall-lite/install.sh | 14 +++++++-------
 Shorewall/install.sh | 24 ++++++++++++------------
 3 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/Shorewall-core/install.sh b/Shorewall-core/install.sh
index 253af810b..4a2830671 100755
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -409,9 +409,9 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
 for f in lib.*; do
 if [ $BUILD != apple ]; then
- eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+ eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 else
- eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+ eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 fi
 done
 fi
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 6f5f3fb1d..b0bd09d61 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -318,7 +318,7 @@ if [ -n "$DESTDIR" ]; then
 OWNERSHIP=""
 fi
- install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
+ install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
 install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 else
 if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -424,8 +424,8 @@ fi
 # Install the Makefile
 #
 run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
@@ -440,7 +440,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 for f in lib.* ; do
 if [ -f $f ]; then
 install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
- echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+ echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 fi
 done
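Review bot: Dropping the `/` between `${DESTDIR}` and `${SHAREDIR}` (and the other *DIR variables in this and the following hunks of this patch, through the delete_file block in Shorewall/install.sh) makes every install path depend on those variables being absolute; the `require $var` loop in the earlier Shorewall-lite hunk only checks that they are set, so a relative value such as `SHAREDIR=usr/share` coming from the rc file would now be silently glued onto DESTDIR as `${DESTDIR}usr/share/...`. Consider validating once after the rc file is read, e.g. `case $SHAREDIR in /*) ;; *) fatal_error "SHAREDIR must be an absolute path" ;; esac` for each directory variable, so a bad rc value fails early instead of installing into the wrong tree.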
@@ -453,7 +453,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -540,8 +540,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
- eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
- eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
+ eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+ eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index db359d185..14923eeb5 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -389,7 +389,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
 fi
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/${PRODUCT}
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
 echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
@@ -468,16 +468,16 @@ if [ -z "$first_install" ]; then
 #
 # Delete obsolete config files and manpages
 #
- delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tos
- delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tcrules
- delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/stoppedrules
- delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/notrack
- delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/blacklist
- delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos
- delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules
- delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
- delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
- delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
+ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tos
+ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tcrules
+ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/stoppedrules
+ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/notrack
+ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/blacklist
+ delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos
+ delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules
+ delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
+ delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
+ delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
 fi
 #
@@ -1082,7 +1082,7 @@ if [ $PRODUCT = shorewall6 ]; then
 # Symbolically link 'functions' to lib.base
 #
 ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
- [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
+ [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi
 if [ -d Perl ]; then
From 209d5d076638ef979d1cce3cf747531b162dd0f6 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 13:23:19 -0700
Subject: [PATCH 22/27] Make the -lite uninstallers work on OpenWRT
Signed-off-by: Tom Eastep
---
 Shorewall-lite/uninstall.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index ebcf8da04..54b52fb63 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -168,7 +168,11 @@ if [ $configure -eq 1 ]; then
 fi
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
- FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+ if [ $HOST = "linux" ] && [ -f /etc/openwrt_release -o -f /etc/openwrt_version ]; then
+ FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+ else
+ FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+ fi
 elif [ -n "$INITFILE" ]; then
 FIREWALL=${INITDIR}/${INITFILE}
 fi
From 5807d44733160611c203f0ee0a30424d1bfa3a29 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 13:29:02 -0700
Subject: [PATCH 23/27] Allow HOST=default in the configure scripts
Signed-off-by: Tom Eastep
---
 Shorewall-core/configure | 3 +++
 Shorewall-core/configure.pl | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Shorewall-core/configure b/Shorewall-core/configure
index 522cb443b..e40a09c44 100755
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -158,6 +158,9 @@ else
 if [ ! -f $rcfile ]; then
 echo "ERROR: $vendor is not a recognized host type" >&2
 exit 1
+ elif [ $vendor = default ]; then
+ params[HOST]=linux
+ vendor=linux
 fi
 fi
diff --git a/Shorewall-core/configure.pl b/Shorewall-core/configure.pl
index 25e7505d4..466f35a93 100755
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
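Review bot: `[ $HOST = "linux" ]` in the new condition leaves `$HOST` unquoted, so if HOST is empty at this point the test degenerates to `[ = linux ]` and the shell aborts the whole `if` with a syntax error rather than falling through to the `readlink -m` branch; `[ "$HOST" = linux ]` is the safe form and matches how the existing `[ -n "$INITFILE" ]` test just below is written. Whether HOST is guaranteed non-empty here from the rc file is not visible in this hunk. Separately, the OpenWRT branch calls `readlink` without `-m`, so FIREWALL receives the link's literal target; if that target can be relative, the later use of FIREWALL would need it resolved against the directory of ${SHAREDIR}/shorewall-lite/init, which is worth a comment at the assignment.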
@@ -82,7 +82,11 @@ unless ( defined $vendor ) {
 if ( defined $vendor ) {
 $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
- die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
+ unless ( -f $rcfilename ) {
+ die qq("ERROR: $vendor" is not a recognized host type);
+ } elsif ( $vendor eq 'default' ) {
+ $params{HOST} = $vendor = 'linux';
+ }
 } else {
 if ( -f '/etc/debian_version' ) {
 $vendor = 'debian';
From 1358ec2d8759ec9fbd4dc8cc5438a49a8f1d78db Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 13:37:08 -0700
Subject: [PATCH 24/27] Remove ${SYSCONFDIR}/$PRODUCT in the -lite uninstallers
Signed-off-by: Tom Eastep
---
 Shorewall-lite/uninstall.sh | 1 +
 Shorewall6-lite/uninstall.sh | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index 54b52fb63..dca03e770 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -203,6 +203,7 @@ rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f ${SYSCONFDIR}/shorewall-lite
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index 495cf4da3..b245811cf 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -196,6 +196,7 @@ rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
+rm -f ${SYSCONFDIR}/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
 rm -f ${MANDIR}/man5/shorewall6-lite*
From d1bad364e996668c81625b28956a1e2851f30560 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Oct 2015 17:54:20 -0700
Subject: [PATCH 25/27] Correct syntax error in installers
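Review bot: `unless ( -f $rcfilename ) { ... } elsif ( ... )` is the unless/elsif form that Perl::Critic's ControlStructures::ProhibitUnlessBlocks and Perl Best Practices discourage, because a reader has to negate the first condition mentally to see when the elsif branch is reached. `if ( ! -f $rcfilename ) {` with the same `die` and `elsif` bodies says the same thing directly. The chained `$params{HOST} = $vendor = 'linux';` would also benefit from a short why-comment, e.g. `# 'default' is an alias for the linux rc file, which must exist to reach this branch`, since the reason the alias check sits after the existence test is not obvious from the code.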
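Review bot: The added `rm -f ${SYSCONFDIR}/shorewall-lite` runs unconditionally, so if SYSCONFDIR is unset or empty when the uninstaller runs it removes `/shorewall-lite` instead; the Shorewall6-lite/uninstall.sh hunk adds the same line, and its neighbouring `[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service` shows the guard convention this file already uses for optional directories. Suggest `[ -n "$SYSCONFDIR" ] && rm -f ${SYSCONFDIR}/shorewall-lite` in both uninstallers. Whether SYSCONFDIR is always populated from the rc file by this point is not visible in these hunks.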
Signed-off-by: Tom Eastep
---
 Shorewall-core/install.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall-core/install.sh b/Shorewall-core/install.sh
index 4a2830671..c40b8a2f8 100755
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -133,7 +133,7 @@ while [ $finished -eq 0 ]; do
 esac
 done
-[ -n $(mywhich install) ] || { fatal_error "This installer requires the 'install' utility"
+[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
 #
 # Read the RC file
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index b0bd09d61..239a2be0e 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -151,7 +151,7 @@ while [ $finished -eq 0 ] ; do
 esac
 done
-[ -n $(mywhich install) ] || { fatal_error "This installer requires the 'install' utility"
+[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
 #
 # Read the RC file
From 332f636d29064ddc74d89587fb73d118f2514a3e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 1 Nov 2015 07:25:34 -0800
Subject: [PATCH 26/27] Adjust LOGFILE if circular log buffer
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 1af8eb398..ce3a262a3 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -184,6 +184,7 @@ setup_logread() {
 [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 if syslog_circular_buffer; then
+ LOGFILE=logread
 if qt mywhich tac; then
 g_logread="logread | tac"
 else
From 2b733b610c212508ce20e84773a1ab6ae23c9b64 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 1 Nov 2015 07:53:31 -0800
Subject: [PATCH 27/27] Return proper exit status from the remote-* commands
Signed-off-by: Tom Eastep
---
 Shorewall/lib.cli-std | 69 ++++++++++++++++++++++++++++++-------------
 1 file changed, 49 insertions(+), 20 deletions(-)
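Review bot: After `LOGFILE=logread` the variable no longer names a file, so any later `-r $LOGFILE` or `tail $LOGFILE` style use in the CLI would fail; the callers visible on this page (show_command's `Log ($LOGFILE)` banner) only display it, but that invariant is not stated anywhere and is easy to break in a future edit. A comment at the assignment would pin it: `# Circular buffer: LOGFILE is display-only from here on (logread is a command, not a path)`. setup_logread's body, including the `else` branch that follows, continues outside the hunk.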
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 7ee768549..ffafebc35 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1391,6 +1391,7 @@ remote_reload_command() # $* = original arguments less the command.
 local sharedir
 sharedir=${SHAREDIR}
 local litedir
+ local exitstatus
 while [ $finished -eq 0 -a $# -gt 0 ]; do
 option=$1
@@ -1507,32 +1508,60 @@ remote_reload_command() # $* = original arguments less the command. g_file="$g_shorewalldir/firewall" - if compiler $g_debugging compiler "$g_file" && \ - progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \ - rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir} - then - save=$(find_file save); + exitstatus=0 - [ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/ + if compiler $g_debugging compiler "$g_file"; then + progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." + if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then + save=$(find_file save); - progress_message3 "Copy complete" + if [ -f $save ]; then + progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" + rcp_command $save ${confdir}/shorewall-lite/ + exitstatus=$? + fi - if [ $COMMAND = remote-reload ]; then - rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \ - progress_message3 "System $system reloaded" || saveit= - elif [ $COMMAND = remote-restart ]; then - rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ - progress_message3 "System $system restarted" || saveit= + if [ $exitstatus -eq 0 ]; then + + progress_message3 "Copy complete" + + if [ $COMMAND = remote-reload ]; then + if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then + progress_message3 "System $system reloaded" + else + exitstatus=$? + savit= + fi + elif [ $COMMAND = remote-restart ]; then + if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then + progress_message3 "System $system restarted" + else + exitstatus=$? 
+ saveit= + fi + elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then + progress_message3 "System $system started" + else + exitstatus=$? + saveit= + fi + + if [ -n "$saveit" ]; then + if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then + progress_message3 "Configuration on system $system saved" + else + exitstatus=$? + fi + fi + fi else - rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \ - progress_message3 "System $system started" || saveit= - fi - - if [ -n "$saveit" ]; then - rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \ - progress_message3 "Configuration on system $system saved" + exitstatus=$? fi + else + exitstatus=$? fi + + return $exitstatus } #
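Review bot: In the `remote-reload` failure branch the line after `exitstatus=$?` reads `savit=` instead of `saveit=`, so when the remote reload fails `saveit` is left set and the following `if [ -n "$saveit" ]` still runs the `save` command on the remote system, which is the opposite of the old `|| saveit=` behaviour this rewrite is meant to preserve; the restart and start branches spell it correctly. Change that line to `saveit=`. Two smaller points: `exitstatus=$?` at the top of an `else` branch does capture the status of the failed `if` condition in POSIX sh, which is correct but non-obvious enough to deserve a comment such as `# $? is still the rsh_command status here`; and a failed copy of the `save` file now aborts the reload and is reported in the exit status, where the old `[ -f $save ] && ... && rcp_command` chain ignored it, which is a behaviour change worth noting in the commit message. remote_reload_command begins in the earlier hunk on this page.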