Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

Tuomo Soini 2015-11-02 00:02:56 +02:00
commit 85df53841b
17 changed files with 316 additions and 190 deletions


@ -158,6 +158,9 @@ else
if [ ! -f $rcfile ]; then if [ ! -f $rcfile ]; then
echo "ERROR: $vendor is not a recognized host type" >&2 echo "ERROR: $vendor is not a recognized host type" >&2
exit 1 exit 1
elif [ $vendor = default ]; then
params[HOST]=linux
vendor=linux
fi fi
fi fi


@ -82,7 +82,11 @@ unless ( defined $vendor ) {
if ( defined $vendor ) { if ( defined $vendor ) {
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor; $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename; unless ( -f $rcfilename ) {
die qq("ERROR: $vendor" is not a recognized host type);
} elsif ( $vendor eq 'default' ) {
$params{HOST} = $vendor = 'linux';
}
} else { } else {
if ( -f '/etc/debian_version' ) { if ( -f '/etc/debian_version' ) {
$vendor = 'debian'; $vendor = 'debian';
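Review bot: The new `unless ( -f $rcfilename ) { ... } elsif ( $vendor eq 'default' ) { ... }` chain is legal Perl but reads as a double negative once an `elsif` hangs off it. Writing it as `if ( ! -f $rcfilename ) { die ...; } elsif ( $vendor eq 'default' ) { ... }` states the same logic directly. If the intent is that `default` is an alias for the generic `linux` host type, a one-line comment such as `# 'default' is accepted as an alias for 'linux'` above `$params{HOST} = $vendor = 'linux';` would explain why both variables are rewritten. The enclosing `if ( defined $vendor )` block continues past the end of the hunk.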


@ -133,6 +133,8 @@ while [ $finished -eq 0 ]; do
esac esac
done done
[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
# #
# Read the RC file # Read the RC file
# #
@ -407,9 +409,9 @@ fi
if [ ${SHAREDIR} != /usr/share ]; then if [ ${SHAREDIR} != /usr/share ]; then
for f in lib.*; do for f in lib.*; do
if [ $BUILD != apple ]; then if [ $BUILD != apple ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
else else
eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
fi fi
done done
fi fi
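Review bot: The guard added in the `@ -133,6 +133,8 @` hunk, `[ -n $(mywhich install) ]`, can never fail because the command substitution is unquoted. When `mywhich` prints nothing the test collapses to `[ -n ]`, which is true, so `fatal_error` is never reached on a system that lacks `install`. Quote the substitution: `[ -n "$(mywhich install)" ] || fatal_error "This installer requires the 'install' utility"`. The identical line is added in the later installer section at hunk `@ -151,6 +151,8 @` and needs the same change.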


@ -149,23 +149,56 @@ syslog_circular_buffer() {
local pid local pid
local tty local tty
local flags local flags
local cputime local time
local path local path
local args local args
local arg local arg
ps ax 2> /dev/null | while read pid tty flags cputime path args; do ps w 2> /dev/null | while read pid tty stat time path args; do
case $path in case $path in
syslogd|*/syslogd) syslogd|*/syslogd)
for arg in $args; do for arg in $args; do
if [ x$arg = x-C ]; then case $arg in
echo Yes -C*)
return return 0
fi ;;
esac
done
;;
logd|*/logd)
for arg in $args; do
case $arg in
-S*)
return 0
;;
esac
done done
;; ;;
esac esac
done done
return 1
}
setup_logread() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if syslog_circular_buffer; then
LOGFILE=logread
if qt mywhich tac; then
g_logread="logread | tac"
else
g_logread="logread"
fi
elif [ -r $LOGFILE ]; then
if qt mywhich tac; then
g_logread="tac $LOGFILE"
else
g_logread="cat $LOGFILE"
fi
else
fatal_error "LOGFILE ($LOGFILE) does not exist or is not readable!"
fi
} }
# #
@ -173,31 +206,59 @@ syslog_circular_buffer() {
# #
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then if qt mywhich tac; then
if [ $g_family -eq 4 ]; then if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
fi if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
fi
} }
search_log() # $1 = IP address to search for search_log() # $1 = IP address to search for
{ {
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then if qt mywhich tac; then
if [ $g_family -eq 4 ]; then if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
fi fi
} }
@ -280,17 +341,7 @@ show_bl() {
logwatch() # $1 = timeout -- if negative, prompt each time that logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
if [ -z "$LOGFILE" ]; then setup_logread
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
host=$(echo $g_hostname | sed 's/\..*$//') host=$(echo $g_hostname | sed 's/\..*$//')
oldrejects=$($g_tool -L -v -n | grep 'LOG') oldrejects=$($g_tool -L -v -n | grep 'LOG')
@ -1038,17 +1089,7 @@ show_command() {
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
if [ -z "$LOGFILE" ]; then setup_logread
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo echo
@ -1427,17 +1468,7 @@ do_dump_command() {
esac esac
done done
if [ -z "$LOGFILE" ]; then setup_logread
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html"
fi
fi
g_ipt_options="$g_ipt_options $g_ipt_options1" g_ipt_options="$g_ipt_options $g_ipt_options1"
@ -3495,10 +3526,34 @@ noiptrace_command() {
fatal_error "$g_product is not started" fatal_error "$g_product is not started"
fi fi
} }
# #
# Set the configuration variables from shorewall-lite.conf # Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $g_firewall ]; then
echo " ERROR: $g_product is not properly installed" >&2
if [ -L $g_firewall ]; then
echo " $g_firewall is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $g_firewall does not exist" >&2
fi
exit 2
fi
}
################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
#
# Set the configuration variables from shorewall[6]-lite.conf.
# #
get_config() { get_config() {
local config
local lib
ensure_config_path ensure_config_path
@ -3520,15 +3575,7 @@ get_config() {
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages setup_logread
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
# #
# See if we have a real version of "tail" -- use separate redirection so # See if we have a real version of "tail" -- use separate redirection so
# that ash (aka /bin/sh on LRP) doesn't crap # that ash (aka /bin/sh on LRP) doesn't crap
@ -3636,29 +3683,11 @@ get_config() {
g_loopback=$(find_loopback_interfaces) g_loopback=$(find_loopback_interfaces)
lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib
} }
#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $g_firewall ]; then
echo " ERROR: $g_product is not properly installed" >&2
if [ -L $g_firewall ]; then
echo " $g_firewall is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $g_firewall does not exist" >&2
fi
exit 2
fi
}
################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
# #
# Start Command Executor # Start Command Executor
# #
@ -3885,6 +3914,13 @@ usage() # $1 = exit status
ecko " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" ecko " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..." echo " reject <address> ..."
ecko " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" ecko " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
if [ -z "$g_lite" ]; then
echo " remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
fi
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
if [ -n "$g_lite" ]; then if [ -n "$g_lite" ]; then
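Review bot: In the rewritten `syslog_circular_buffer` (hunk `@ -149,23 +149,56 @`), both `return 0` statements sit inside the `ps w ... | while read ...` loop, which bash, dash and busybox ash run in a subshell. There `return 0` only ends the subshell, so the function always falls through to `return 1`. `setup_logread` will therefore never select `logread`, and on a host that logs only to a circular buffer it reaches the `fatal_error` branch whenever `$LOGFILE` is not readable. The removed echo-and-capture form (`echo Yes` tested with `[ -n "$(syslog_circular_buffer)" ]`) did not depend on the subshell's control flow. Either keep that form, or make the right-hand side of the pipe a group that uses `exit 0` on a match and ends with an explicit failure, then return the pipeline's status.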


@ -33,7 +33,7 @@ startup_error() # $* = Error Message
echo " ERROR: $@: Firewall state not changed" >&2 echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') " timestamp="$(date +'%b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi fi
@ -50,7 +50,7 @@ startup_error() # $* = Error Message
esac esac
if [ $LOG_VERBOSITY -ge 0 ]; then if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') " timestamp="$(date +'%b %d %T') "
case $COMMAND in case $COMMAND in
start) start)


@ -151,6 +151,8 @@ while [ $finished -eq 0 ] ; do
esac esac
done done
[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
# #
# Read the RC file # Read the RC file
# #
@ -187,7 +189,7 @@ elif [ -z "${VARDIR}" ]; then
VARDIR=${VARLIB}/${PRODUCT} VARDIR=${VARLIB}/${PRODUCT}
fi fi
for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
require $var require $var
done done
@ -316,7 +318,7 @@ if [ -n "$DESTDIR" ]; then
OWNERSHIP="" OWNERSHIP=""
fi fi
install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR} install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR} install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
else else
if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@ -422,8 +424,8 @@ fi
# Install the Makefile # Install the Makefile
# #
run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile [ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile" echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
# #
@ -438,7 +440,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
for f in lib.* ; do for f in lib.* ; do
if [ -f $f ]; then if [ -f $f ]; then
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644 install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f" echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
fi fi
done done
@ -451,7 +453,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
# #
install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap
echo echo
echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap" echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@ -538,8 +540,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
fi fi
if [ ${SHAREDIR} != /usr/share ]; then if [ ${SHAREDIR} != /usr/share ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
fi fi
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then


@ -168,7 +168,11 @@ if [ $configure -eq 1 ]; then
fi fi
if [ -L ${SHAREDIR}/shorewall-lite/init ]; then if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init) if [ $HOST = "linux" ] && [ -f /etc/openwrt_release -o -f /etc/openwrt_version ]; then
FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
else
FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
fi
elif [ -n "$INITFILE" ]; then elif [ -n "$INITFILE" ]; then
FIREWALL=${INITDIR}/${INITFILE} FIREWALL=${INITDIR}/${INITFILE}
fi fi
@ -199,6 +203,7 @@ rm -rf ${VARDIR}/shorewall-lite
rm -rf ${SHAREDIR}/shorewall-lite rm -rf ${SHAREDIR}/shorewall-lite
rm -rf ${LIBEXECDIR}/shorewall-lite rm -rf ${LIBEXECDIR}/shorewall-lite
rm -f ${CONFDIR}/logrotate.d/shorewall-lite rm -f ${CONFDIR}/logrotate.d/shorewall-lite
rm -f ${SYSCONFDIR}/shorewall-lite
rm -f ${MANDIR}/man5/shorewall-lite* rm -f ${MANDIR}/man5/shorewall-lite*
rm -f ${MANDIR}/man8/shorewall-lite* rm -f ${MANDIR}/man8/shorewall-lite*
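Review bot: The new OpenWrt test `[ $HOST = "linux" ]` leaves `$HOST` unquoted, so an empty or unset value turns it into `[ = "linux" ]`. That prints a test error and drops into the `readlink -m -q` branch, which this change appears intended to avoid on OpenWrt. Quoting keeps the check well-formed: `if [ "$HOST" = linux ] && [ -f /etc/openwrt_release -o -f /etc/openwrt_version ]; then`. Separately, the added `rm -f ${SYSCONFDIR}/shorewall-lite` in the next hunk expands to `rm -f /shorewall-lite` when `SYSCONFDIR` is empty; whether that variable is guaranteed to be set is not visible here.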


@ -5147,6 +5147,7 @@ sub unsupported_yes_no_warning( $ ) {
# #
sub get_params( $ ) { sub get_params( $ ) {
my $export = $_[0]; my $export = $_[0];
my $cygwin = ( $shorewallrc{HOST} eq 'cygwin' );
my $fn = find_file 'params'; my $fn = find_file 'params';
@ -5188,14 +5189,16 @@ sub get_params( $ ) {
$shell = BASH; $shell = BASH;
for ( @params ) { for ( @params ) {
if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { chomp;
if ( $cygwin && /^declare -x (.*?)="(.*)"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_'; $params{$1} = $2 unless $1 eq '_';
} elsif ( /^declare -x (.*?)="(.*)$/ ) { } elsif ( /^declare -x (.*?)="(.*)$/ ) {
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
$params{$1} = ''; $params{$1} = '';
} else { } else {
chomp;
if ($variable) { if ($variable) {
s/"$//; s/"$//;
$params{$variable} .= $_; $params{$variable} .= $_;
@ -5216,14 +5219,16 @@ sub get_params( $ ) {
$shell = OLDBASH; $shell = OLDBASH;
for ( @params ) { for ( @params ) {
if ( /^export (.*?)="(.*[^\\])"$/ ) { chomp;
if ( $cygwin && /^export (.*?)="(.*)"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_'; $params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)="(.*)$/ ) { } elsif ( /^export (.*?)="(.*)$/ ) {
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n"; $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
$params{$1} = ''; $params{$1} = '';
} else { } else {
chomp;
if ($variable) { if ($variable) {
s/"$//; s/"$//;
$params{$variable} .= $_; $params{$variable} .= $_;
@ -5243,6 +5248,7 @@ sub get_params( $ ) {
$shell = ASH; $shell = ASH;
for ( @params ) { for ( @params ) {
chomp;
if ( /^export (.*?)='(.*'"'"')$/ ) { if ( /^export (.*?)='(.*'"'"')$/ ) {
$params{$variable=$1}="${2}\n"; $params{$variable=$1}="${2}\n";
} elsif ( /^export (.*?)='(.*)'$/ ) { } elsif ( /^export (.*?)='(.*)'$/ ) {
@ -5250,7 +5256,6 @@ sub get_params( $ ) {
} elsif ( /^export (.*?)='(.*)$/ ) { } elsif ( /^export (.*?)='(.*)$/ ) {
$params{$variable=$1}="${2}\n"; $params{$variable=$1}="${2}\n";
} else { } else {
chomp;
if ($variable) { if ($variable) {
s/'$//; s/'$//;
$params{$variable} .= $_; $params{$variable} .= $_;
@ -5262,9 +5267,23 @@ sub get_params( $ ) {
} }
for ( keys %params ) { for ( keys %params ) {
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) { if ( /[^\w]/ ) {
fatal_error "The variable name $_ is reserved and may not be set in the params file" #
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_}; # Useless variable with special characters in its name
#
delete $params{$_};
} elsif ( /^(?:SHLVL|OLDPWD)$/ ) {
#
# The shell running getparams generates those
#
delete $params{$_};
} else {
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
fatal_error "The variable name $_ is reserved and may not be set in the params file"
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
}
$params{$_} = '' unless defined $params{$_};
} }
} }
@ -5314,6 +5333,8 @@ sub export_params() {
next if exists $compiler_params{$param}; next if exists $compiler_params{$param};
my $value = $params{$param}; my $value = $params{$param};
chomp $value;
# #
# Values in %params are generated from the output of 'export -p'. # Values in %params are generated from the output of 'export -p'.
# The different shells have different conventions for delimiting # The different shells have different conventions for delimiting
@ -5324,19 +5345,27 @@ sub export_params() {
$value =~ s/\\"/"/g; $value =~ s/\\"/"/g;
} elsif ( $shell == OLDBASH ) { } elsif ( $shell == OLDBASH ) {
$value =~ s/\\'/'/g; $value =~ s/\\'/'/g;
$value =~ s/\\"/"/g;
$value =~ s/\\\\/\\/g;
} else { } else {
$value =~ s/'"'"'/'/g; $value =~ s/'"'"'/'/g;
} }
# #
# Don't export pairs from %ENV # Don't export pairs from %ENV
# #
next if defined $ENV{$param} && $value eq $ENV{$param}; if ( defined $ENV{$param} ) {
next if $value eq $ENV{$param};
} elsif ( exists $ENV{$param} ) {
next unless supplied $value;
}
emit "#\n# From the params file\n#" unless $count++; emit "#\n# From the params file\n#" unless $count++;
# #
# We will use double quotes and escape embedded quotes with \. # We will use double quotes and escape embedded quotes with \.
# #
if ( $value =~ /[\s()['"]/ ) { if ( $value =~ /^"[^"]*"$/ ) {
emit "$param=$value";
} elsif ( $value =~ /[\s()['"]/ ) {
$value =~ s/"/\\"/g; $value =~ s/"/\\"/g;
emit "$param='$value'"; emit "$param='$value'";
} else { } else {
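Review bot: The new first branch of the quoting chain in `export_params`, `if ( $value =~ /^"[^"]*"$/ ) { emit "$param=$value"; }`, writes an already double-quoted value into the generated script unchanged. Any `$`, backquote or backslash inside it will then be interpreted by the shell that later runs the script, whereas the branch that follows wraps the value in single quotes. If params values are meant to be carried over literally, the character class should also exclude `$`, the backquote and `\`, so that such values take the single-quote path. If run-time expansion is intended, a comment on the branch saying so (for example `# already double-quoted: emitted verbatim, shell expansion applies at run time`) would make the choice explicit. The hunk ends inside this `if` chain, so the final `else` branch is not visible.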


@ -661,6 +661,10 @@ sub process_a_provider( $ ) {
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none'; fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
} }
if ( $persistent ) {
warning_message( "Provider $table is not optional -- the 'persistent' option is ignored" ), $persistent = 0 unless $optional;
}
$providers{$table} = { provider => $table, $providers{$table} = { provider => $table,
number => $number , number => $number ,
id => $config{USE_RT_NAMES} ? $table : $number, id => $config{USE_RT_NAMES} ? $table : $number,
@ -702,7 +706,7 @@ sub process_a_provider( $ ) {
if ( $track ) { if ( $track ) {
if ( $routemarked_interfaces{$interface} ) { if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED; fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared; fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared;
} else { } else {
$routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED; $routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED;
push @routemarked_interfaces, $interface; push @routemarked_interfaces, $interface;
@ -1346,7 +1350,7 @@ sub add_a_route( ) {
my $persistent; my $persistent;
if ( $options != '-' ) { if ( $options ne '-' ) {
for ( split_list1( 'option', $options ) ) { for ( split_list1( 'option', $options ) ) {
my ( $option, $value ) = split /=/, $options; my ( $option, $value ) = split /=/, $options;
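Review bot: In the `add_a_route` loop that this hunk touches, `my ( $option, $value ) = split /=/, $options;` splits the whole `$options` string on every pass rather than the current element. Assuming `split_list1` returns the individual options, a list with more than one entry would make every iteration see the same first option name. The line should operate on the loop variable: `my ( $option, $value ) = split /=/, $_, 2;`. The commit corrects the `!=` to `ne` on the line above but leaves this one unchanged, and the loop body continues outside the hunk.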


@ -389,7 +389,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
fi fi
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/${PRODUCT} [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
# #
@ -468,16 +468,16 @@ if [ -z "$first_install" ]; then
# #
# Delete obsolete config files and manpages # Delete obsolete config files and manpages
# #
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tos delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tos
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tcrules delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tcrules
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/stoppedrules delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/stoppedrules
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/notrack delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/notrack
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/blacklist delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/blacklist
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
fi fi
# #
@ -1082,7 +1082,7 @@ if [ $PRODUCT = shorewall6 ]; then
# Symbolically link 'functions' to lib.base # Symbolically link 'functions' to lib.base
# #
ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
fi fi
if [ -d Perl ]; then if [ -d Perl ]; then


@ -31,6 +31,7 @@
# #
get_config() { get_config() {
local prog local prog
local lib
ensure_config_path ensure_config_path
@ -70,15 +71,7 @@ get_config() {
# This block is avoided for compile for export and when the user isn't root # This block is avoided for compile for export and when the user isn't root
# #
if [ "$3" = Yes ]; then if [ "$3" = Yes ]; then
if [ -n "$LOGFILE" ]; then setup_logread
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
fi fi
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
@ -322,6 +315,10 @@ get_config() {
fi fi
g_loopback=$(find_loopback_interfaces) g_loopback=$(find_loopback_interfaces)
lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib
} }
# #
@ -1394,6 +1391,7 @@ remote_reload_command() # $* = original arguments less the command.
local sharedir local sharedir
sharedir=${SHAREDIR} sharedir=${SHAREDIR}
local litedir local litedir
local exitstatus
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@ -1510,32 +1508,60 @@ remote_reload_command() # $* = original arguments less the command.
g_file="$g_shorewalldir/firewall" g_file="$g_shorewalldir/firewall"
if compiler $g_debugging compiler "$g_file" && \ exitstatus=0
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
then
save=$(find_file save);
[ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/ if compiler $g_debugging compiler "$g_file"; then
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..."
if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then
save=$(find_file save);
progress_message3 "Copy complete" if [ -f $save ]; then
progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
rcp_command $save ${confdir}/shorewall-lite/
exitstatus=$?
fi
if [ $COMMAND = remote-reload ]; then if [ $exitstatus -eq 0 ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \
progress_message3 "System $system reloaded" || saveit= progress_message3 "Copy complete"
elif [ $COMMAND = remote-restart ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ if [ $COMMAND = remote-reload ]; then
progress_message3 "System $system restarted" || saveit= if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
progress_message3 "System $system reloaded"
else
exitstatus=$?
savit=
fi
elif [ $COMMAND = remote-restart ]; then
if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
progress_message3 "System $system restarted"
else
exitstatus=$?
saveit=
fi
elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
progress_message3 "System $system started"
else
exitstatus=$?
saveit=
fi
if [ -n "$saveit" ]; then
if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
progress_message3 "Configuration on system $system saved"
else
exitstatus=$?
fi
fi
fi
else else
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \ exitstatus=$?
progress_message3 "System $system started" || saveit=
fi
if [ -n "$saveit" ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
progress_message3 "Configuration on system $system saved"
fi fi
else
exitstatus=$?
fi fi
return $exitstatus
} }
# #
@ -1645,7 +1671,7 @@ compiler_command() {
shift shift
update_command $@ update_command $@
;; ;;
remote-start|remote-reload-reload|remote-restart) remote-start|remote-reload|remote-restart)
shift shift
remote_reload_command $@ remote_reload_command $@
;; ;;
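Review bot: In the `remote-reload` failure branch of the restructured `remote_reload_command` (hunk `@ -1510,32 +1508,60 @`), the assignment is spelled `savit=` instead of `saveit=`. `saveit` is therefore not cleared, and the later `if [ -n "$saveit" ]` still runs `save` on the remote system after a failed reload. The `remote-restart` and `start` branches spell it correctly. Change the line to `saveit=`. Because a successful `save` leaves `exitstatus` untouched, the function still returns the reload's failure status, but the remote firewall's saved state would already have been overwritten.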


@ -424,7 +424,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_start</option></arg> <arg choice="plain"><option>remote-start</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -448,7 +448,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg> <arg choice="plain"><option>remote-reload</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -472,7 +472,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg> <arg choice="plain"><option>remote-restart</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -1522,7 +1522,7 @@
<listitem> <listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The <para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para> <command>remote-restart</command> (see below).</para>
<para>Reload is similar to <emphasis role="bold">shorewall <para>Reload is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already start</emphasis> except that it assumes that the firewall is already
@ -1575,7 +1575,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_start</emphasis> <term><emphasis role="bold">remote-start</emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option> [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>] <replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ] [-<option>i</option>] [ <replaceable>directory</replaceable> ]
@ -1637,7 +1637,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_reload <term><emphasis role="bold">remote-reload
</emphasis>[-<option>s</option>] [-<option>c</option>] </emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>] [-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [ [-<option>T</option>] [-<option>i</option>] [
@ -1699,7 +1699,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_restart <term><emphasis role="bold">remote-restart
</emphasis>[-<option>s</option>] [-<option>c</option>] </emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>] [-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [ [-<option>T</option>] [-<option>i</option>] [


@ -196,6 +196,7 @@ rm -rf ${VARDIR}/shorewall6-lite
rm -rf ${SHAREDIR}/shorewall6-lite rm -rf ${SHAREDIR}/shorewall6-lite
rm -rf ${LIBEXECDIR}/shorewall6-lite rm -rf ${LIBEXECDIR}/shorewall6-lite
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
rm -f ${SYSCONFDIR}/shorewall6-lite
[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service [ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
rm -f ${MANDIR}/man5/shorewall6-lite* rm -f ${MANDIR}/man5/shorewall6-lite*
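Review bot: The added `rm -f ${SYSCONFDIR}/shorewall6-lite` is unquoted and unguarded, so an empty or unset SYSCONFDIR makes the uninstaller target `/shorewall6-lite` at the filesystem root instead of skipping the step. Whether SYSCONFDIR can be empty depends on the shorewallrc in use, which is not visible in this hunk, so that should be confirmed. The following line already protects its variable with `[ -n "$SYSTEMD" ] &&`, and the same pattern fits here: `[ -n "$SYSCONFDIR" ] && rm -f "${SYSCONFDIR}/shorewall6-lite"`. The neighbouring `rm -rf ${VARDIR}/...` and `${SHAREDIR}/...` context lines use the same unquoted style and would benefit from the same quoting, since this script presumably runs with root privileges.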


@ -378,7 +378,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_start</option></arg> <arg choice="plain"><option>remote-start</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -402,7 +402,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg> <arg choice="plain"><option>remote-reload</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -426,7 +426,7 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg> <arg choice="plain"><option>remote-restart</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -1457,7 +1457,7 @@
<listitem> <listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The <para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para> <command>remote-restart</command> (see below).</para>
<para>Reload is similar to <command>shorewall6 start</command> <para>Reload is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started. except that it assumes that the firewall is already started.
@ -1511,7 +1511,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_reload <term><emphasis role="bold">remote-reload
</emphasis>[-<option>s</option>] [-<option>c</option>] </emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>] [-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [ [-<option>T</option>] [-<option>i</option>] [
@ -1573,7 +1573,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_ restart <term><emphasis role="bold">remote- restart
</emphasis>[-<option>s</option>] [-<option>c</option>] </emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>] [-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [ [-<option>T</option>] [-<option>i</option>] [
@ -1636,7 +1636,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">remote_start </emphasis> <term><emphasis role="bold">remote-start </emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option> [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>] <replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ] [-<option>i</option>] [ <replaceable>directory</replaceable> ]


@ -323,7 +323,7 @@
<title>load</title> <title>load</title>
<para>The function performed by the Shorewall-4 <command>load</command> <para>The function performed by the Shorewall-4 <command>load</command>
command is now performed by the <command>remote_start</command> command is now performed by the <command>remote-start</command>
command.</para> command.</para>
</section> </section>
@ -334,7 +334,7 @@
the same function as the <command>restart</command> command did in the same function as the <command>restart</command> command did in
Shorewall 4. The action taken by the Shorewall-4 Shorewall 4. The action taken by the Shorewall-4
<command>reload</command> command is now performed by the <command>reload</command> command is now performed by the
<command>remote_restart</command> command.</para> <command>remote-restart</command> command.</para>
<para>For those that can't get used to the idea of using <para>For those that can't get used to the idea of using
<command>reload</command> in place of <command>restart</command>, a <command>reload</command> in place of <command>restart</command>, a


@ -175,7 +175,7 @@ esac</programlisting><caution>
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink output on an interface is not allowed by <ulink
url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8) url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8)
then the isuasable script must blow it's own holes in the firewall then the isuasable script must blow it's own holes in the firewall
before probing.</para> before probing.</para>
</caution></para> </caution></para>
</listitem> </listitem>
@ -227,6 +227,13 @@ cat -</programlisting>
/sbin/shorewall</emphasis> after a script has been compiled. $1 is the /sbin/shorewall</emphasis> after a script has been compiled. $1 is the
path name of the compiled script.</para> path name of the compiled script.</para>
</listitem> </listitem>
<listitem>
<para><filename>lib.cli-user</filename> -- Added in Shorewall 5.0.2.
This is actually a shell library (set of function declarations) that
can be used to augment or replace functions in the standard CLI
libraries.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the <para><emphasis role="bold">If your version of Shorewall doesn't have the
@ -264,7 +271,7 @@ cat -</programlisting>
<row> <row>
<entry>continue</entry> <entry>continue</entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -459,10 +466,10 @@ cat -</programlisting>
<para>VARDIR - The product state directory. Defaults <filename <para>VARDIR - The product state directory. Defaults <filename
class="directory">/var/lib/shorewall</filename>, <filename class="directory">/var/lib/shorewall</filename>, <filename
class="directory">/var/lib/shorewall6/</filename>, <filename class="directory">/var/lib/shorewall6/</filename>, <filename
class="directory">/var/lib/shorewall-lite</filename>, or class="directory">/var/lib/shorewall-lite</filename>, or <filename
<filename class="directory">/var/lib/shorewall6-lite</filename> class="directory">/var/lib/shorewall6-lite</filename> depending on
depending on which product is running, but may be overridden by an which product is running, but may be overridden by an entry in
entry in ${CONFDIR}/vardir.</para> ${CONFDIR}/vardir.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
@ -474,7 +481,7 @@ cat -</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<section id="Perl"> <section id="Perl">
<title>Compile-time vs Run-time Scripts</title> <title>Compile-time vs Run-time Scripts</title>
@ -524,43 +531,43 @@ cat -</programlisting>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>stop</entry> <entry>stop</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>stopped</entry> <entry>stopped</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>tcclear</entry> <entry>tcclear</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>refresh</entry> <entry>refresh</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>refreshed</entry> <entry>refreshed</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>restored</entry> <entry>restored</entry>
</row> </row>
<row> <row>
<entry></entry> <entry/>
<entry>scfilter</entry> <entry>scfilter</entry>
</row> </row>


@ -37,7 +37,7 @@
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
<holder></holder> <holder/>
</copyright> </copyright>
<legalnotice> <legalnotice>
@ -78,6 +78,13 @@
zones.</para> zones.</para>
</section> </section>
<section>
<title>Version &gt;= 5.0.0</title>
<para>See the <ulink url="Shorewall-5.html">Shorewall 5
documentation</ulink>.</para>
</section>
<section> <section>
<title>Version &gt;= 4.6.0</title> <title>Version &gt;= 4.6.0</title>
@ -85,7 +92,7 @@
<listitem> <listitem>
<para>Beginning with Shorewall 4.6.0, ection headers are now preceded <para>Beginning with Shorewall 4.6.0, ection headers are now preceded
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
'SECTION' entries, the following warning is issued: </para> 'SECTION' entries, the following warning is issued:</para>
<programlisting>WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...</programlisting> <programlisting>WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...</programlisting>
@ -111,7 +118,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para> Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are <para>Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action or deprecated and a warning will be issued for each FORMAT-1 action or
macro found.</para> macro found.</para>
@ -119,8 +126,8 @@
<programlisting>WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.</programlisting> <programlisting>WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.</programlisting>
<para> To eliminate these warnings, add the following line before the <para>To eliminate these warnings, add the following line before the
first rule in the action or macro: </para> first rule in the action or macro:</para>
<programlisting>?FORMAT 2</programlisting> <programlisting>?FORMAT 2</programlisting>
@ -325,7 +332,7 @@
<para>?ENDIF.</para> <para>?ENDIF.</para>
</blockquote> </blockquote>
<para></para> <para/>
</listitem> </listitem>
<listitem> <listitem>