Add IP, TC and IPSET configuration options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9932 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-04-18 16:28:25 +00:00
parent 24d94621cb
commit 985c551d26
17 changed files with 222 additions and 124 deletions


@ -2064,6 +2064,30 @@ sub set_chain_variables() {
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
}
if ( $config{IP} ) {
emit( qq(IP="$config{IP}") ,
'[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
);
} else {
emit 'IP=ip';
}
if ( $config{TC} ) {
emit( qq(TC="$config{TC}") ,
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
);
} else {
emit 'TC=tc';
}
if ( $config{IPSET} ) {
emit( qq(IPSET="$config{IPSET}") ,
'[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"'
);
} else {
emit 'IPSET=ipset';
}
}
#
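Review bot: The check emitted for a configured `IP=` value, `[ -x "$IP" ]`, only succeeds for a path, so a bare program name set explicitly in shorewall.conf (e.g. `IP=ip`) aborts the generated script with "does not exist or is not executable"; the `TC` and `IPSET` branches below have the same problem, whereas `generate_script_3` in this commit handles the bare-name case for ipset with a `*/*)` case arm. Suggest applying the executable test only when the value contains a slash, e.g. `'case $IP in */*) [ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable";; esac'`, in all three branches. Note also that the value is interpolated into the generated script unescaped (`qq(IP="$config{IP}")`), so a value containing `"` or `$` produces a broken script; shorewall.conf is an administrator-controlled file, so this is a robustness rather than a trust-boundary issue, but a `#` comment saying so would help the next reader. `set_chain_variables` starts outside the hunk.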


@ -329,7 +329,7 @@ sub generate_script_3($) {
if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
@ -343,28 +343,36 @@ sub generate_script_3($) {
my @ipsets = all_ipsets;
if ( @ipsets ) {
emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' ,
emit ( 'case $IPSET in',
' */*)',
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
' ;;',
' *)',
' IPSET="$(which ipset)"',
' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
' ;;',
'esac',
'',
'if [ "$COMMAND" = start ]; then' ,
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' ipset -U :all: :all:' ,
' ipset -U :all: :default:' ,
' ipset -F' ,
' ipset -X' ,
' ipset -R < ${VARDIR}/ipsets.save' ,
' $IPSET -U :all: :all:' ,
' $IPSET -U :all: :default:' ,
' $IPSET -F' ,
' $IPSET -X' ,
' $IPSET -R < ${VARDIR}/ipsets.save' ,
' fi' ,
'' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' ,
'elif [ "$COMMAND" = restart ]; then' ,
'' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' ,
' if ipset -S > ${VARDIR}/ipsets.tmp; then' ,
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
emit ( 'fi',
@ -374,7 +382,7 @@ sub generate_script_3($) {
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
' run_refresh_exit' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( 'else' ,
' run_init_exit',
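Review bot: In the `*)` arm of the new `case $IPSET in` block, `IPSET="$(which ipset)"` resolves the literal name `ipset` instead of the configured value, so a bare non-default name such as `IPSET=ipset2` is silently replaced by whatever `ipset` is first on the PATH; the emitted line should be `' IPSET="$(which $IPSET)"'` (it is a single-quoted Perl string, so `$IPSET` reaches the shell intact). The replaced line used Shorewall's `mywhich` helper whereas the new code calls plain `which`; if `mywhich` exists for portability across the target shells, keep it here too. The same hard-coded `ipset` remains in the stop-time save guard of the `emit <<'EOF'` section elsewhere in this commit. `generate_script_3` starts and ends outside these hunks.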


@ -356,6 +356,9 @@ sub initialize( $ ) {
# Location of Files
#
IPTABLES => undef,
IP => undef,
TC => undef,
IPSEC => undef,
#
#PATH is inherited
#
@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) {
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
if ( which 'ipset' ) {
qt( "ipset -X $sillyname" );
my $ipset = $config{IPSET} || 'tc';
if ( qt( "ipset -N $sillyname iphash" ) ) {
$ipset = which 'ipset' unless $ipset =~ '//';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
$capabilities{IPSET_MATCH} = 1;
}
qt( "ipset -X $sillyname" );
qt( "$ipset -X $sillyname" );
}
}
@ -2544,7 +2551,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option;
}
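Review bot: `my $ipset = $config{IPSET} || 'tc';` in `determine_capabilities` falls back to the wrong utility name, and the following `$ipset =~ '//'` matches only a doubled slash, so a configured absolute path such as `/usr/local/sbin/ipset` is discarded in favour of `which 'ipset'`; together these mean the configured `IPSET` value is never actually used for capability detection. The hash initialised in `initialize` also adds the key `IPSEC => undef` where `IPSET` is evidently intended (the option is read as `$config{IPSET}` here and listed as `IPSET` in `generate_aux_config`), which, depending on how unknown keys are validated, may cause the new option to be rejected or ignored. Suggested lines: `IPSET => undef,`, `my $ipset = $config{IPSET} || 'ipset';`, `$ipset = which $ipset unless $ipset =~ m{/};`, after which the `-x $ipset` test applies to a resolved path in every case. Both functions start outside their hunks.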


@ -124,7 +124,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
}
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
}
}


@ -137,9 +137,9 @@ sub copy_table( $$$ ) {
my ( $duplicate, $number, $realm ) = @_;
if ( $realm ) {
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else {
emit ( "ip -$family route show table $duplicate | while read net route; do" )
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
}
emit ( ' case $net in',
@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) {
my ( $duplicate, $number, $copy, $realm) = @_;
if ( $realm ) {
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else {
emit ( "ip -$family route show table $duplicate | while read net route; do" )
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
}
emit ( ' case $net in',
@ -233,7 +233,7 @@ sub start_provider( $$$ ) {
emit "#\n# Add Provider $table ($number)\n#";
emit "qt ip -$family route flush table $number";
emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
}
sub add_a_provider( $$$$$$$$ ) {
@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) {
my $pref = 10000 + $number - 1;
emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
);
}
@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) {
emit '';
if ( $gateway ) {
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} else {
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
}
}
if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) {
emit ( "\nfind_interface_addresses $interface | while read address; do",
" qt ip -$family rule del from \$address",
" qt \$IP -$family rule del from \$address",
'done'
);
}
} elsif ( $shared ) {
emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
emit( "run_ip rule add from $address pref 20000 table $number" ,
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
"echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
} else {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" );
emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))',
'done'
);
@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) {
$priority = "priority $priority";
emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) {
}
emit ( "run_ip rule add $source $dest $priority table $number",
"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
"echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
pop_indent, emit ( "fi\n" ) if $optional;
@ -555,7 +555,7 @@ sub setup_null_routing() {
save_progress_message "Null Routing the RFC 1918 subnets";
for ( rfc1918_networks ) {
emit( "run_ip route replace unreachable $_" );
emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
}
}
@ -593,7 +593,7 @@ sub setup_providers() {
emit ( '#',
'# Capture the default route(s) if we don\'t have it (them) already.',
'#',
'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
'[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
'#',
'# Initialize the file that holds \'undo\' commands',
'#',
@ -624,16 +624,16 @@ sub setup_providers() {
if ( $config{USE_DEFAULT_RT} ) {
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
"ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
"\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
'' );
$table = DEFAULT_TABLE;
}
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
@ -641,7 +641,7 @@ sub setup_providers() {
if ( $config{RESTORE_DEFAULT_ROUTE} ) {
emit ' restore_default_route && error_message "NOTICE: Default route restored"'
} else {
emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
}
emit( 'fi',
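Review bot: `emit "qt ip -$family route flush table $number";` in `start_provider` is left as a literal `ip` while the undo line immediately below it was switched to `\$IP`, so a non-default `IP=` setting is ignored for the flush itself; change it to `emit "qt \$IP -$family route flush table $number";`. The other call sites in this file (`copy_table`, `copy_and_edit_table`, `add_a_provider`, `add_an_rtrule`, `setup_null_routing`, `setup_providers`) were converted consistently, and `run_ip` already goes through `$IP` in the shell library. `start_provider` starts outside the hunk.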


@ -2158,7 +2158,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
@ -2253,7 +2253,7 @@ EOF
emit <<'EOF';
if [ -n "$(mywhich ipset)" ]; then
if ipset -S > ${VARDIR}/ipsets.tmp; then
if $IPSET -S > ${VARDIR}/ipsets.tmp; then
#
# Don't save an 'empty' file
#
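Review bot: The guard on the line before the changed one, `if [ -n "$(mywhich ipset)" ]; then`, still tests for the literal `ipset` while the body now runs `$IPSET -S`, so with a non-default `IPSET=` the save is skipped when `ipset` is not on the PATH and attempted with an unchecked name when it is; since this is a `<<'EOF'` heredoc the shell variable can be used directly, e.g. `if [ -n "$(mywhich $IPSET)" ]; then` (assuming `mywhich` accepts a full path — please confirm). The enclosing function starts and ends outside the hunk.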


@ -813,8 +813,8 @@ sub setup_traffic_shaping() {
push_indent;
emit ( "${dev}_exists=Yes",
"qt tc qdisc del dev $device root",
"qt tc qdisc del dev $device ingress",
"qt \$TC qdisc del dev $device root",
"qt \$TC qdisc del dev $device ingress",
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
"${dev}_mtu=\$(get_device_mtu $device)",
"${dev}_mtu1=\$(get_device_mtu1 $device)",


@ -8,7 +8,7 @@ delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
@ -140,8 +140,8 @@ do_iptables()
#
run_ip()
{
if ! ip -4 $@; then
error_message "ERROR: Command \"ip -4 $@\" Failed"
if ! $IP -4 $@; then
error_message "ERROR: Command \"$IP -4 $@\" Failed"
stop_firewall
exit 2
fi
@ -151,8 +151,8 @@ run_ip()
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! tc $@ ; then
error_message "ERROR: Command \"tc $@\" Failed"
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
@ -191,7 +191,7 @@ restore_dynamic_rules() {
#
get_all_bcasts()
{
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
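Review bot: `run_ip`, `run_tc` and `get_all_bcasts` now expand `$IP`/`$TC` with no fallback, so if this library is sourced in a context where `set_chain_variables` has not run (the shell CLI, or a script compiled before this change) `$IP -4 $@` degrades to running `-4 ...` and the error message reads `Command "-4 ..." Failed`; if such a context exists — please confirm — a default such as `${IP:-ip}` / `${TC:-tc}` in these helpers, or a one-time `: "${IP:=ip}"` near the top of the library, keeps them usable. The IPv6 variant of `run_ip`/`run_tc` in this commit and the larger IPv4/IPv6 library sections (`find_rt_interface` through `find_mac`) carry the same dependency. The functions shown here run past the bottom of their hunks.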


@ -116,8 +116,8 @@ do_iptables()
#
run_ip()
{
if ! ip -6 $@; then
error_message "ERROR: Command \"ip -6 $@\" Failed"
if ! $IP -6 $@; then
error_message "ERROR: Command \"$IP -6 $@\" Failed"
stop_firewall
exit 2
fi
@ -127,8 +127,8 @@ run_ip()
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! tc $@ ; then
error_message "ERROR: Command \"tc $@\" Failed"
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi


@ -485,7 +485,7 @@ find_peer() {
#
find_rt_interface() {
ip -4 route list | while read addr rest; do
$IP -4 route list | while read addr rest; do
case $addr in
*/*)
in_network ${1%/*} $addr && echo $(find_device $rest)
@ -506,14 +506,14 @@ find_rt_interface() {
find_nexthop() # $1 = interface
{
echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`)
echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
ip -4 route list | while read first rest; do
$IP -4 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
@ -546,7 +546,7 @@ find_interface_by_mac() {
local rest
local dev
ip link list | while read first second rest; do
$IP link list | while read first second rest; do
case $first in
*:)
dev=$second
@ -564,7 +564,7 @@ find_interface_by_mac() {
# Determine if Interface is up
#
interface_is_up() {
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
#
# If there wasn't one, bail out now
#
@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
$IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
}
#
@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local address
local rest
ip -4 route show dev $1 2> /dev/null |
$IP -4 route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface
local addresses
addresses=
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
$IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
@ -728,7 +728,7 @@ INCLUDE() {
#
del_ip_addr() # $1 = address, $2 = interface
{
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
[ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
}
# Add IP Aliases
@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses
#
# Get all of the lines that contain inet addresses with broadcast
#
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
case $cidr in
*/*)
if in_network $external $cidr; then
@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses
{
val=$(address_details)
ip addr add ${external}${val} dev $interface $label
$IP addr add ${external}${val} dev $interface $label
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
echo "$external $interface" >> $VARDIR/nat
[ -n "$label" ] && label="with $label"
@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface
#
# First assume that this is some sort of point-to-point interface
#
gateway=$( find_peer $(ip addr list $interface ) )
gateway=$( find_peer $($IP addr list $interface ) )
#
# If that didn't work, then try DHCP
#
@ -842,7 +842,7 @@ detect_gateway() # $1 = interface
#
# Maybe there's a default route through this gateway already
#
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default))
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
#
# Last hope -- is there a load-balancing route through the interface?
#
@ -858,7 +858,7 @@ detect_gateway() # $1 = interface
#
disable_ipv6() {
local foo
foo="$(ip -f inet6 addr list 2> /dev/null)"
foo="$($IP -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
@ -892,8 +892,8 @@ truncate() # $1 = length
delete_tc1()
{
clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
@ -917,7 +917,7 @@ delete_tc1()
get_device_mtu() # $1 = device
{
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
@ -933,7 +933,7 @@ get_device_mtu() # $1 = device
get_device_mtu1() # $1 = device
{
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
@ -990,11 +990,11 @@ restore_default_route() {
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt ip -4 route delete default metric 0 && \
qt $IP -4 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt ip -4 route replace $default_route && \
qt $IP -4 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface
qt ping -nc 1 -t 2 -I $2 $1
local result
result=$(ip neigh list | awk "/^$1 / {print \$5}")
result=$($IP neigh list | awk "/^$1 / {print \$5}")
case $result in
\<*\>)


@ -388,14 +388,14 @@ find_peer() {
find_nexthop() # $1 = interface
{
echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`)
echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
ip -6 route list | while read first rest; do
$IP -6 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
@ -412,7 +412,7 @@ find_interface_by_mac() {
local rest
local dev
ip link list | while read first second rest; do
$IP link list | while read first second rest; do
case $first in
*:)
dev=$second
@ -430,7 +430,7 @@ find_interface_by_mac() {
# Determine if Interface is up
#
interface_is_up() {
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
#
# If there wasn't one, bail out now
#
@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface
#
find_interface_addresses() # $1 = interface
{
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
}
#
@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface
find_interface_full_addresses() # $1 = interface
{
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
}
#
@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local address
local rest
ip -6 route show dev $1 2> /dev/null |
$IP -6 route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
@ -756,11 +756,11 @@ detect_gateway() # $1 = interface
#
# First assume that this is some sort of point-to-point interface
#
gateway=$( find_peer $(ip -6 addr list $interface ) )
gateway=$( find_peer $($IP -6 addr list $interface ) )
#
# Maybe there's a default route through this gateway already
#
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default'))
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
#
# Last hope -- is there a load-balancing route through the interface?
#
@ -788,8 +788,8 @@ truncate() # $1 = length
delete_tc1()
{
clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
@ -813,7 +813,7 @@ delete_tc1()
get_device_mtu() # $1 = device
{
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
@ -829,7 +829,7 @@ get_device_mtu() # $1 = device
get_device_mtu1() # $1 = device
{
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
@ -886,11 +886,11 @@ restore_default_route() {
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt ip -6 route delete default metric 0 && \
qt $IP -6 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt ip -6 route replace $default_route && \
qt $IP -6 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
@ -932,27 +932,6 @@ find_echo() {
echo echo
}
#
# Determine the MAC address of the passed IP through the passed interface
#
find_mac() # $1 = IP address, $2 = interface
{
if interface_is_usable $2 ; then
qt ping -nc 1 -t 2 -I $2 $1
local result
result=$(ip neigh list | awk "/^$1 / {print \$5}")
case $result in
\<*\>)
;;
*)
[ -n "$result" ] && echo $result
;;
esac
fi
}
#
# Flush the conntrack table if $PURGE is non-empty
#
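Review bot: The last hunk deletes the IPv6 library's `find_mac` helper outright, which neither the commit title nor the changelog entry mentions; its body used `ping` and `ip neigh list` without a `-6` flag, so the removal looks deliberate, but if any compiled-script output or other library still calls `find_mac` the breakage will surface only at run time. A line in the changelog (e.g. `Remove the IPv4-only find_mac helper from the IPv6 library`) or in the commit message would document the intent. The functions touched by the other hunks start or end outside their hunks.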


@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
Changes in Shorewall 4.3.8
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.


@ -70,6 +70,12 @@ LOG_MARTIANS=Yes
IPTABLES=
IP=
TC=
IPSET=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh


@ -117,6 +117,20 @@ None.
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
hence will now start successfully when running on that kernel.
3) Three new options (IP, TC and IPSET) have been added to
shorewall.conf and shorwall6.conf. These options specify the name
of the executable for the 'ip', 'tc' and 'ipset' utilities
respectively.
If not specified, the default values are:
IP=ip
TC=tc
IPSET=ipset
In other words, the utilities will be located via the current PATH
setting.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------


@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info
IP6TABLES=
IP=
TC=
IPSET=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh


@ -661,6 +661,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ip' executable. If
not specified, 'ip' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
role="bold">On</emphasis>|<emphasis
@ -712,14 +723,13 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis
role="bold">zones</emphasis>|<emphasis
role="bold">ipsec</emphasis>}</term>
<term><emphasis
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This should be set to <emphasis role="bold">zones</emphasis>
for all new Shorewall installations. IPSECFILE=ipsec is only used
for compatibility with pre-Shorewall-3.0 configurations.</para>
<para>If specified, gives the pathname of the 'ipset' executable. If
not specified, 'ipset' is assumed and the utility will be located
using the current PATH setting.</para>
</listitem>
</varlistentry>
@ -1504,6 +1514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'tc' executable. If
not specified, 'tc' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis


@ -514,6 +514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ip' executable. If
not specified, 'ip' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
role="bold">On</emphasis>|<emphasis
@ -550,13 +561,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Shorewall6 will neither enable nor disable packet
forwarding.</para>
forwarding</para>
</listitem>
</varlistentry>
</variablelist>
<para></para>
<blockquote>
<para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
@ -581,6 +590,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ipset' executable. If
not specified, 'ipset' is assumed and the utility will be located
using the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1056,6 +1076,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'tc' executable. If
not specified, 'tc' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis