Add IP, TC and IPSET configuration options
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9932 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
24d94621cb
commit
985c551d26
@ -2064,6 +2064,30 @@ sub set_chain_variables() {
|
|||||||
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
|
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
|
||||||
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
|
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $config{IP} ) {
|
||||||
|
emit( qq(IP="$config{IP}") ,
|
||||||
|
'[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
emit 'IP=ip';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $config{TC} ) {
|
||||||
|
emit( qq(TC="$config{TC}") ,
|
||||||
|
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
emit 'TC=tc';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $config{IPSET} ) {
|
||||||
|
emit( qq(IPSET="$config{IPSET}") ,
|
||||||
|
'[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"'
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
emit 'IPSET=ipset';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
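Review bot: A configured IP or TC value that is a bare command name rather than a path — the same form the defaults `IP=ip` and `TC=tc` take — fails the new `[ -x "$IP" ]` / `[ -x "$TC" ]` test and aborts startup, because `-x` tests a file path and does no PATH lookup; the IPSET handling added to generate_script_3 in this same commit already separates the two forms with `case $IPSET in */*)`, and these checks should do the same or emit the `-x` test only when the value contains a slash. The value is also interpolated into the generated script inside double quotes with no escaping, so a value containing `"` or `$` breaks the script — presumably the config reader rejects such values, worth confirming. Separately, the three blocks are identical apart from the option name and could be a single loop, sketched below. set_chain_variables starts before this hunk.
```perl
    # … unchanged: IP6TABLES_RESTORE emit …
    for my $tool ( qw( IP TC IPSET ) ) {
        if ( $config{$tool} ) {
            emit( qq($tool="$config{$tool}"),
                  qq([ -x "\$$tool" ] || startup_error "$tool=\$$tool does not exist or is not executable") );
        } else {
            emit "$tool=" . lc $tool;
        }
    }
```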
@ -329,7 +329,7 @@ sub generate_script_3($) {
|
|||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||||
'if [ -n "$addr" ]; then',
|
'if [ -n "$addr" ]; then',
|
||||||
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
||||||
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
||||||
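Review bot: The network list that the rewritten `addr=$(\$IP -f inet addr show ...)` line feeds, on the context line two rows below it, reads `176.16.0.0/12`, which is not an RFC 1918 block — the private range is `172.16.0.0/12` — so the norfc1918 check emitted here never flags an interface address in 172.16/12 and, as far as the loop is visible, would flag a public 176.16/12 address instead. Since the commit is already rewriting this emit block it is the natural place to correct it: `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. generate_script_3 continues on both sides of this hunk.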
@ -343,28 +343,36 @@ sub generate_script_3($) {
|
|||||||
my @ipsets = all_ipsets;
|
my @ipsets = all_ipsets;
|
||||||
|
|
||||||
if ( @ipsets ) {
|
if ( @ipsets ) {
|
||||||
emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' ,
|
emit ( 'case $IPSET in',
|
||||||
|
' */*)',
|
||||||
|
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
|
||||||
|
' ;;',
|
||||||
|
' *)',
|
||||||
|
' IPSET="$(which ipset)"',
|
||||||
|
' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
|
||||||
|
' ;;',
|
||||||
|
'esac',
|
||||||
'',
|
'',
|
||||||
'if [ "$COMMAND" = start ]; then' ,
|
'if [ "$COMMAND" = start ]; then' ,
|
||||||
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||||
' ipset -U :all: :all:' ,
|
' $IPSET -U :all: :all:' ,
|
||||||
' ipset -U :all: :default:' ,
|
' $IPSET -U :all: :default:' ,
|
||||||
' ipset -F' ,
|
' $IPSET -F' ,
|
||||||
' ipset -X' ,
|
' $IPSET -X' ,
|
||||||
' ipset -R < ${VARDIR}/ipsets.save' ,
|
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
||||||
' fi' ,
|
' fi' ,
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
emit ( '' ,
|
emit ( '' ,
|
||||||
'elif [ "$COMMAND" = restart ]; then' ,
|
'elif [ "$COMMAND" = restart ]; then' ,
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
emit ( '' ,
|
emit ( '' ,
|
||||||
' if ipset -S > ${VARDIR}/ipsets.tmp; then' ,
|
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||||
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
||||||
' fi' );
|
' fi' );
|
||||||
emit ( 'fi',
|
emit ( 'fi',
|
||||||
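Review bot: In the `*)` branch of the new `case $IPSET`, `IPSET="$(which ipset)"` discards a configured value that is a bare command name — any IPSET setting without a slash other than `ipset` itself is silently replaced by whatever `ipset` is on PATH — so the lookup should use the variable, `' IPSET="$(which $IPSET)"',`. The line it replaces used `mywhich`, and the heredoc later in this commit still guards on `mywhich ipset`, so the switch to plain `which` at this one site looks unintended; `mywhich` is presumably the portability wrapper the rest of the generated script relies on, worth restoring. generate_script_3 continues beyond this hunk.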
@ -374,7 +382,7 @@ sub generate_script_3($) {
|
|||||||
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
||||||
' run_refresh_exit' );
|
' run_refresh_exit' );
|
||||||
|
|
||||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
emit ( 'else' ,
|
emit ( 'else' ,
|
||||||
' run_init_exit',
|
' run_init_exit',
|
||||||
|
@ -356,6 +356,9 @@ sub initialize( $ ) {
|
|||||||
# Location of Files
|
# Location of Files
|
||||||
#
|
#
|
||||||
IPTABLES => undef,
|
IPTABLES => undef,
|
||||||
|
IP => undef,
|
||||||
|
TC => undef,
|
||||||
|
IPSEC => undef,
|
||||||
#
|
#
|
||||||
#PATH is inherited
|
#PATH is inherited
|
||||||
#
|
#
|
||||||
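Review bot: The third added option is spelled `IPSEC => undef`, but the option the rest of this commit reads is `IPSET` (`$config{IPSET}` in set_chain_variables and determine_capabilities, and `IPSET` in generate_aux_config's option list), so this looks like a typo for `IPSET => undef,`. If this hash is the registry of accepted shorewall.conf options, as its `IPTABLES => undef` neighbour suggests, an `IPSET=` setting would presumably be rejected as unknown and none of the new `$config{IPSET}` paths would ever see it — worth confirming against the option parser. initialize starts and ends outside this hunk.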
@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) {
|
|||||||
|
|
||||||
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
|
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
|
||||||
|
|
||||||
if ( which 'ipset' ) {
|
my $ipset = $config{IPSET} || 'tc';
|
||||||
qt( "ipset -X $sillyname" );
|
|
||||||
|
|
||||||
if ( qt( "ipset -N $sillyname iphash" ) ) {
|
$ipset = which 'ipset' unless $ipset =~ '//';
|
||||||
|
|
||||||
|
if ( $ipset && -x $ipset ) {
|
||||||
|
qt( "$ipset -X $sillyname" );
|
||||||
|
|
||||||
|
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||||
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||||
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||||
$capabilities{IPSET_MATCH} = 1;
|
$capabilities{IPSET_MATCH} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
qt( "ipset -X $sillyname" );
|
qt( "$ipset -X $sillyname" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
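Review bot: `my $ipset = $config{IPSET} || 'tc';` defaults to the traffic-control binary rather than `ipset`, and the following `$ipset = which 'ipset' unless $ipset =~ '//';` keeps the configured value only when it contains two consecutive slashes, because `'//'` is used as the pattern — so a configured `/usr/sbin/ipset` is replaced by the PATH lookup and a configured bare name is ignored in favour of `ipset`. The intent, mirroring the `*/*` case in generate_script_3, is presumably `my $ipset = $config{IPSET} || 'ipset';` followed by `$ipset = which $ipset unless $ipset =~ m{/};`. The `'tc'` default only works by accident: it contains no slash and is therefore immediately overwritten by `which 'ipset'`. determine_capabilities continues outside this hunk.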
@ -2544,7 +2551,7 @@ sub generate_aux_config() {
|
|||||||
|
|
||||||
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
|
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
|
||||||
|
|
||||||
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
||||||
conditionally_add_option $option;
|
conditionally_add_option $option;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -124,7 +124,7 @@ sub setup_route_filtering() {
|
|||||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
|
emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -137,9 +137,9 @@ sub copy_table( $$$ ) {
|
|||||||
my ( $duplicate, $number, $realm ) = @_;
|
my ( $duplicate, $number, $realm ) = @_;
|
||||||
|
|
||||||
if ( $realm ) {
|
if ( $realm ) {
|
||||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||||
} else {
|
} else {
|
||||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
|
||||||
}
|
}
|
||||||
|
|
||||||
emit ( ' case $net in',
|
emit ( ' case $net in',
|
||||||
@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) {
|
|||||||
my ( $duplicate, $number, $copy, $realm) = @_;
|
my ( $duplicate, $number, $copy, $realm) = @_;
|
||||||
|
|
||||||
if ( $realm ) {
|
if ( $realm ) {
|
||||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||||
} else {
|
} else {
|
||||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
|
||||||
}
|
}
|
||||||
|
|
||||||
emit ( ' case $net in',
|
emit ( ' case $net in',
|
||||||
@ -233,7 +233,7 @@ sub start_provider( $$$ ) {
|
|||||||
emit "#\n# Add Provider $table ($number)\n#";
|
emit "#\n# Add Provider $table ($number)\n#";
|
||||||
|
|
||||||
emit "qt ip -$family route flush table $number";
|
emit "qt ip -$family route flush table $number";
|
||||||
emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_a_provider( $$$$$$$$ ) {
|
sub add_a_provider( $$$$$$$$ ) {
|
||||||
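Review bot: The undo line is switched to `\$IP`, but the command it undoes, two rows above it, `emit "qt ip -$family route flush table $number";`, still hard-codes `ip`, so a configured IP path is used for the undo but not for the flush itself; it should read `emit "qt \$IP -$family route flush table $number";`. start_provider starts before this hunk.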
@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
|
|
||||||
my $pref = 10000 + $number - 1;
|
my $pref = 10000 + $number - 1;
|
||||||
|
|
||||||
emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||||
|
|
||||||
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
||||||
"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
emit '';
|
emit '';
|
||||||
if ( $gateway ) {
|
if ( $gateway ) {
|
||||||
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||||
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||||
} else {
|
} else {
|
||||||
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||||
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $loose ) {
|
if ( $loose ) {
|
||||||
if ( $config{DELETE_THEN_ADD} ) {
|
if ( $config{DELETE_THEN_ADD} ) {
|
||||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||||
" qt ip -$family rule del from \$address",
|
" qt \$IP -$family rule del from \$address",
|
||||||
'done'
|
'done'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
} elsif ( $shared ) {
|
} elsif ( $shared ) {
|
||||||
emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||||
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
"echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||||
} else {
|
} else {
|
||||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||||
|
|
||||||
emit "\nrulenum=0\n";
|
emit "\nrulenum=0\n";
|
||||||
|
|
||||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||||
emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
||||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||||
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||||
' rulenum=$(($rulenum + 1))',
|
' rulenum=$(($rulenum + 1))',
|
||||||
'done'
|
'done'
|
||||||
);
|
);
|
||||||
@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) {
|
|||||||
|
|
||||||
$priority = "priority $priority";
|
$priority = "priority $priority";
|
||||||
|
|
||||||
emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||||
|
|
||||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||||
|
|
||||||
@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
emit ( "run_ip rule add $source $dest $priority table $number",
|
emit ( "run_ip rule add $source $dest $priority table $number",
|
||||||
"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
"echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||||
|
|
||||||
pop_indent, emit ( "fi\n" ) if $optional;
|
pop_indent, emit ( "fi\n" ) if $optional;
|
||||||
|
|
||||||
@ -555,7 +555,7 @@ sub setup_null_routing() {
|
|||||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||||
for ( rfc1918_networks ) {
|
for ( rfc1918_networks ) {
|
||||||
emit( "run_ip route replace unreachable $_" );
|
emit( "run_ip route replace unreachable $_" );
|
||||||
emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -593,7 +593,7 @@ sub setup_providers() {
|
|||||||
emit ( '#',
|
emit ( '#',
|
||||||
'# Capture the default route(s) if we don\'t have it (them) already.',
|
'# Capture the default route(s) if we don\'t have it (them) already.',
|
||||||
'#',
|
'#',
|
||||||
'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
'[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||||
'#',
|
'#',
|
||||||
'# Initialize the file that holds \'undo\' commands',
|
'# Initialize the file that holds \'undo\' commands',
|
||||||
'#',
|
'#',
|
||||||
@ -624,16 +624,16 @@ sub setup_providers() {
|
|||||||
|
|
||||||
if ( $config{USE_DEFAULT_RT} ) {
|
if ( $config{USE_DEFAULT_RT} ) {
|
||||||
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
|
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
|
||||||
"ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
|
"\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
|
||||||
qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||||
qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||||
'' );
|
'' );
|
||||||
$table = DEFAULT_TABLE;
|
$table = DEFAULT_TABLE;
|
||||||
}
|
}
|
||||||
|
|
||||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||||
emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||||
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||||
'else',
|
'else',
|
||||||
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
|
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
|
||||||
@ -641,7 +641,7 @@ sub setup_providers() {
|
|||||||
if ( $config{RESTORE_DEFAULT_ROUTE} ) {
|
if ( $config{RESTORE_DEFAULT_ROUTE} ) {
|
||||||
emit ' restore_default_route && error_message "NOTICE: Default route restored"'
|
emit ' restore_default_route && error_message "NOTICE: Default route restored"'
|
||||||
} else {
|
} else {
|
||||||
emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
|
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
|
||||||
}
|
}
|
||||||
|
|
||||||
emit( 'fi',
|
emit( 'fi',
|
||||||
|
@ -2158,7 +2158,7 @@ EOF
|
|||||||
if [ -f ${VARDIR}/proxyarp ]; then
|
if [ -f ${VARDIR}/proxyarp ]; then
|
||||||
while read address interface external haveroute; do
|
while read address interface external haveroute; do
|
||||||
qt arp -i $external -d $address pub
|
qt arp -i $external -d $address pub
|
||||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
|
||||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||||
[ -f $f ] && echo 0 > $f
|
[ -f $f ] && echo 0 > $f
|
||||||
done < ${VARDIR}/proxyarp
|
done < ${VARDIR}/proxyarp
|
||||||
@ -2253,7 +2253,7 @@ EOF
|
|||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
|
|
||||||
if [ -n "$(mywhich ipset)" ]; then
|
if [ -n "$(mywhich ipset)" ]; then
|
||||||
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
if $IPSET -S > ${VARDIR}/ipsets.tmp; then
|
||||||
#
|
#
|
||||||
# Don't save an 'empty' file
|
# Don't save an 'empty' file
|
||||||
#
|
#
|
||||||
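Review bot: The guard kept on the context line, `if [ -n "$(mywhich ipset)" ]; then`, tests for `ipset` on PATH while the command it protects now runs `$IPSET`, so with a configured IPSET path the two can disagree in either direction (no `ipset` on PATH but a valid `$IPSET`, or the reverse). Since set_chain_variables already verifies a configured value with `-x` at startup, the guard could test the variable instead, e.g. `if [ -n "$(mywhich $IPSET)" ]; then` if `mywhich` accepts a path, or branch on `*/*` as generate_script_3 does. The `emit <<'EOF';` at the top of the hunk is single-quoted, so `$IPSET` is correctly left for the shell; the heredoc itself ends outside the hunk.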
|
@ -813,8 +813,8 @@ sub setup_traffic_shaping() {
|
|||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
emit ( "${dev}_exists=Yes",
|
emit ( "${dev}_exists=Yes",
|
||||||
"qt tc qdisc del dev $device root",
|
"qt \$TC qdisc del dev $device root",
|
||||||
"qt tc qdisc del dev $device ingress",
|
"qt \$TC qdisc del dev $device ingress",
|
||||||
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
|
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
|
||||||
"${dev}_mtu=\$(get_device_mtu $device)",
|
"${dev}_mtu=\$(get_device_mtu $device)",
|
||||||
"${dev}_mtu1=\$(get_device_mtu1 $device)",
|
"${dev}_mtu1=\$(get_device_mtu1 $device)",
|
||||||
|
@ -8,7 +8,7 @@ delete_proxyarp() {
|
|||||||
if [ -f ${VARDIR}/proxyarp ]; then
|
if [ -f ${VARDIR}/proxyarp ]; then
|
||||||
while read address interface external haveroute; do
|
while read address interface external haveroute; do
|
||||||
qt arp -i $external -d $address pub
|
qt arp -i $external -d $address pub
|
||||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface
|
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
|
||||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||||
[ -f $f ] && echo 0 > $f
|
[ -f $f ] && echo 0 > $f
|
||||||
done < ${VARDIR}/proxyarp
|
done < ${VARDIR}/proxyarp
|
||||||
@ -140,8 +140,8 @@ do_iptables()
|
|||||||
#
|
#
|
||||||
run_ip()
|
run_ip()
|
||||||
{
|
{
|
||||||
if ! ip -4 $@; then
|
if ! $IP -4 $@; then
|
||||||
error_message "ERROR: Command \"ip -4 $@\" Failed"
|
error_message "ERROR: Command \"$IP -4 $@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
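Review bot: `if ! $IP -4 $@; then` in run_ip assumes `$IP` has been set by whoever sources this library; if the function is reached from a context where the compiler-emitted `IP=` assignment has not run (the CLI's own use of these library functions, for instance — inferred, not visible here), the expansion becomes `-4 $@` and the command fails with a misleading "Command ... Failed" message. A defaulted expansion, `${IP:-ip}`, or a single `IP=${IP:-ip}` near the top of the library (outside this hunk) preserves the old behaviour in that case; the same applies to `$TC` in run_tc and to every `$IP`/`$TC` substitution in the library hunks that follow (get_all_bcasts through find_mac, and the IPv6 run_ip/run_tc/find_nexthop/find_default_interface copies). The unquoted `$@` is pre-existing and unchanged.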
@ -151,8 +151,8 @@ run_ip()
|
|||||||
# Run tc and if an error occurs, stop/restore the firewall
|
# Run tc and if an error occurs, stop/restore the firewall
|
||||||
#
|
#
|
||||||
run_tc() {
|
run_tc() {
|
||||||
if ! tc $@ ; then
|
if ! $TC $@ ; then
|
||||||
error_message "ERROR: Command \"tc $@\" Failed"
|
error_message "ERROR: Command \"$TC $@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
@ -191,7 +191,7 @@ restore_dynamic_rules() {
|
|||||||
#
|
#
|
||||||
get_all_bcasts()
|
get_all_bcasts()
|
||||||
{
|
{
|
||||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -116,8 +116,8 @@ do_iptables()
|
|||||||
#
|
#
|
||||||
run_ip()
|
run_ip()
|
||||||
{
|
{
|
||||||
if ! ip -6 $@; then
|
if ! $IP -6 $@; then
|
||||||
error_message "ERROR: Command \"ip -6 $@\" Failed"
|
error_message "ERROR: Command \"$IP -6 $@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
@ -127,8 +127,8 @@ run_ip()
|
|||||||
# Run tc and if an error occurs, stop/restore the firewall
|
# Run tc and if an error occurs, stop/restore the firewall
|
||||||
#
|
#
|
||||||
run_tc() {
|
run_tc() {
|
||||||
if ! tc $@ ; then
|
if ! $TC $@ ; then
|
||||||
error_message "ERROR: Command \"tc $@\" Failed"
|
error_message "ERROR: Command \"$TC $@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
@ -485,7 +485,7 @@ find_peer() {
|
|||||||
#
|
#
|
||||||
|
|
||||||
find_rt_interface() {
|
find_rt_interface() {
|
||||||
ip -4 route list | while read addr rest; do
|
$IP -4 route list | while read addr rest; do
|
||||||
case $addr in
|
case $addr in
|
||||||
*/*)
|
*/*)
|
||||||
in_network ${1%/*} $addr && echo $(find_device $rest)
|
in_network ${1%/*} $addr && echo $(find_device $rest)
|
||||||
@ -506,14 +506,14 @@ find_rt_interface() {
|
|||||||
|
|
||||||
find_nexthop() # $1 = interface
|
find_nexthop() # $1 = interface
|
||||||
{
|
{
|
||||||
echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`)
|
echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Find the default route's interface
|
# Find the default route's interface
|
||||||
#
|
#
|
||||||
find_default_interface() {
|
find_default_interface() {
|
||||||
ip -4 route list | while read first rest; do
|
$IP -4 route list | while read first rest; do
|
||||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
@ -546,7 +546,7 @@ find_interface_by_mac() {
|
|||||||
local rest
|
local rest
|
||||||
local dev
|
local dev
|
||||||
|
|
||||||
ip link list | while read first second rest; do
|
$IP link list | while read first second rest; do
|
||||||
case $first in
|
case $first in
|
||||||
*:)
|
*:)
|
||||||
dev=$second
|
dev=$second
|
||||||
@ -564,7 +564,7 @@ find_interface_by_mac() {
|
|||||||
# Determine if Interface is up
|
# Determine if Interface is up
|
||||||
#
|
#
|
||||||
interface_is_up() {
|
interface_is_up() {
|
||||||
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface
|
|||||||
#
|
#
|
||||||
# get the line of output containing the first IP address
|
# get the line of output containing the first IP address
|
||||||
#
|
#
|
||||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||||
#
|
#
|
||||||
# If there wasn't one, bail out now
|
# If there wasn't one, bail out now
|
||||||
#
|
#
|
||||||
@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface
|
|||||||
#
|
#
|
||||||
# get the line of output containing the first IP address
|
# get the line of output containing the first IP address
|
||||||
#
|
#
|
||||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||||
#
|
#
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||||
# along with everything else on the line
|
# along with everything else on the line
|
||||||
@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface
|
|||||||
#
|
#
|
||||||
find_interface_addresses() # $1 = interface
|
find_interface_addresses() # $1 = interface
|
||||||
{
|
{
|
||||||
ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
$IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
|||||||
local address
|
local address
|
||||||
local rest
|
local rest
|
||||||
|
|
||||||
ip -4 route show dev $1 2> /dev/null |
|
$IP -4 route show dev $1 2> /dev/null |
|
||||||
while read address rest; do
|
while read address rest; do
|
||||||
case "$address" in
|
case "$address" in
|
||||||
default)
|
default)
|
||||||
@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface
|
|||||||
local addresses
|
local addresses
|
||||||
addresses=
|
addresses=
|
||||||
|
|
||||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
$IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -728,7 +728,7 @@ INCLUDE() {
|
|||||||
#
|
#
|
||||||
del_ip_addr() # $1 = address, $2 = interface
|
del_ip_addr() # $1 = address, $2 = interface
|
||||||
{
|
{
|
||||||
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
|
[ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
|
||||||
}
|
}
|
||||||
|
|
||||||
# Add IP Aliases
|
# Add IP Aliases
|
||||||
@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses
|
|||||||
#
|
#
|
||||||
# Get all of the lines that contain inet addresses with broadcast
|
# Get all of the lines that contain inet addresses with broadcast
|
||||||
#
|
#
|
||||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
|
$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
|
||||||
case $cidr in
|
case $cidr in
|
||||||
*/*)
|
*/*)
|
||||||
if in_network $external $cidr; then
|
if in_network $external $cidr; then
|
||||||
@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses
|
|||||||
{
|
{
|
||||||
val=$(address_details)
|
val=$(address_details)
|
||||||
|
|
||||||
ip addr add ${external}${val} dev $interface $label
|
$IP addr add ${external}${val} dev $interface $label
|
||||||
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
|
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
|
||||||
echo "$external $interface" >> $VARDIR/nat
|
echo "$external $interface" >> $VARDIR/nat
|
||||||
[ -n "$label" ] && label="with $label"
|
[ -n "$label" ] && label="with $label"
|
||||||
@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface
|
|||||||
#
|
#
|
||||||
# First assume that this is some sort of point-to-point interface
|
# First assume that this is some sort of point-to-point interface
|
||||||
#
|
#
|
||||||
gateway=$( find_peer $(ip addr list $interface ) )
|
gateway=$( find_peer $($IP addr list $interface ) )
|
||||||
#
|
#
|
||||||
# If that didn't work, then try DHCP
|
# If that didn't work, then try DHCP
|
||||||
#
|
#
|
||||||
@ -842,7 +842,7 @@ detect_gateway() # $1 = interface
|
|||||||
#
|
#
|
||||||
# Maybe there's a default route through this gateway already
|
# Maybe there's a default route through this gateway already
|
||||||
#
|
#
|
||||||
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default))
|
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
|
||||||
#
|
#
|
||||||
# Last hope -- is there a load-balancing route through the interface?
|
# Last hope -- is there a load-balancing route through the interface?
|
||||||
#
|
#
|
||||||
@ -858,7 +858,7 @@ detect_gateway() # $1 = interface
|
|||||||
#
|
#
|
||||||
disable_ipv6() {
|
disable_ipv6() {
|
||||||
local foo
|
local foo
|
||||||
foo="$(ip -f inet6 addr list 2> /dev/null)"
|
foo="$($IP -f inet6 addr list 2> /dev/null)"
|
||||||
|
|
||||||
if [ -n "$foo" ]; then
|
if [ -n "$foo" ]; then
|
||||||
if qt mywhich ip6tables; then
|
if qt mywhich ip6tables; then
|
||||||
@ -892,8 +892,8 @@ truncate() # $1 = length
|
|||||||
delete_tc1()
|
delete_tc1()
|
||||||
{
|
{
|
||||||
clear_one_tc() {
|
clear_one_tc() {
|
||||||
tc qdisc del dev $1 root 2> /dev/null
|
$TC qdisc del dev $1 root 2> /dev/null
|
||||||
tc qdisc del dev $1 ingress 2> /dev/null
|
$TC qdisc del dev $1 ingress 2> /dev/null
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -917,7 +917,7 @@ delete_tc1()
|
|||||||
get_device_mtu() # $1 = device
|
get_device_mtu() # $1 = device
|
||||||
{
|
{
|
||||||
local output
|
local output
|
||||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||||
|
|
||||||
if [ -n "$output" ]; then
|
if [ -n "$output" ]; then
|
||||||
echo $(find_mtu $output)
|
echo $(find_mtu $output)
|
||||||
@ -933,7 +933,7 @@ get_device_mtu() # $1 = device
|
|||||||
get_device_mtu1() # $1 = device
|
get_device_mtu1() # $1 = device
|
||||||
{
|
{
|
||||||
local output
|
local output
|
||||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||||
local mtu
|
local mtu
|
||||||
|
|
||||||
if [ -n "$output" ]; then
|
if [ -n "$output" ]; then
|
||||||
@ -990,11 +990,11 @@ restore_default_route() {
|
|||||||
#
|
#
|
||||||
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||||
#
|
#
|
||||||
qt ip -4 route delete default metric 0 && \
|
qt $IP -4 route delete default metric 0 && \
|
||||||
progress_message "Default Route with metric 0 deleted"
|
progress_message "Default Route with metric 0 deleted"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
qt ip -4 route replace $default_route && \
|
qt $IP -4 route replace $default_route && \
|
||||||
result=0 && \
|
result=0 && \
|
||||||
progress_message "Default Route (${default_route# }) restored"
|
progress_message "Default Route (${default_route# }) restored"
|
||||||
;;
|
;;
|
||||||
@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface
|
|||||||
qt ping -nc 1 -t 2 -I $2 $1
|
qt ping -nc 1 -t 2 -I $2 $1
|
||||||
|
|
||||||
local result
|
local result
|
||||||
result=$(ip neigh list | awk "/^$1 / {print \$5}")
|
result=$($IP neigh list | awk "/^$1 / {print \$5}")
|
||||||
|
|
||||||
case $result in
|
case $result in
|
||||||
\<*\>)
|
\<*\>)
|
||||||
|
@ -388,14 +388,14 @@ find_peer() {
|
|||||||
|
|
||||||
find_nexthop() # $1 = interface
|
find_nexthop() # $1 = interface
|
||||||
{
|
{
|
||||||
echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`)
|
echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Find the default route's interface
|
# Find the default route's interface
|
||||||
#
|
#
|
||||||
find_default_interface() {
|
find_default_interface() {
|
||||||
ip -6 route list | while read first rest; do
|
$IP -6 route list | while read first rest; do
|
||||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
@ -412,7 +412,7 @@ find_interface_by_mac() {
|
|||||||
local rest
|
local rest
|
||||||
local dev
|
local dev
|
||||||
|
|
||||||
ip link list | while read first second rest; do
|
$IP link list | while read first second rest; do
|
||||||
case $first in
|
case $first in
|
||||||
*:)
|
*:)
|
||||||
dev=$second
|
dev=$second
|
||||||
@ -430,7 +430,7 @@ find_interface_by_mac() {
|
|||||||
# Determine if Interface is up
|
# Determine if Interface is up
|
||||||
#
|
#
|
||||||
interface_is_up() {
|
interface_is_up() {
|
||||||
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface
|
|||||||
#
|
#
|
||||||
# get the line of output containing the first IP address
|
# get the line of output containing the first IP address
|
||||||
#
|
#
|
||||||
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
|
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
|
||||||
#
|
#
|
||||||
# If there wasn't one, bail out now
|
# If there wasn't one, bail out now
|
||||||
#
|
#
|
||||||
@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface
|
|||||||
#
|
#
|
||||||
# get the line of output containing the first IP address
|
# get the line of output containing the first IP address
|
||||||
#
|
#
|
||||||
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
|
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
|
||||||
#
|
#
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||||
# along with everything else on the line
|
# along with everything else on the line
|
||||||
@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface
|
|||||||
#
|
#
|
||||||
find_interface_addresses() # $1 = interface
|
find_interface_addresses() # $1 = interface
|
||||||
{
|
{
|
||||||
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface
|
|||||||
|
|
||||||
find_interface_full_addresses() # $1 = interface
|
find_interface_full_addresses() # $1 = interface
|
||||||
{
|
{
|
||||||
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
|||||||
local address
|
local address
|
||||||
local rest
|
local rest
|
||||||
|
|
||||||
ip -6 route show dev $1 2> /dev/null |
|
$IP -6 route show dev $1 2> /dev/null |
|
||||||
while read address rest; do
|
while read address rest; do
|
||||||
case "$address" in
|
case "$address" in
|
||||||
default)
|
default)
|
||||||
@ -756,11 +756,11 @@ detect_gateway() # $1 = interface
|
|||||||
#
|
#
|
||||||
# First assume that this is some sort of point-to-point interface
|
# First assume that this is some sort of point-to-point interface
|
||||||
#
|
#
|
||||||
gateway=$( find_peer $(ip -6 addr list $interface ) )
|
gateway=$( find_peer $($IP -6 addr list $interface ) )
|
||||||
#
|
#
|
||||||
# Maybe there's a default route through this gateway already
|
# Maybe there's a default route through this gateway already
|
||||||
#
|
#
|
||||||
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default'))
|
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
|
||||||
#
|
#
|
||||||
# Last hope -- is there a load-balancing route through the interface?
|
# Last hope -- is there a load-balancing route through the interface?
|
||||||
#
|
#
|
||||||
@ -788,8 +788,8 @@ truncate() # $1 = length
|
|||||||
delete_tc1()
|
delete_tc1()
|
||||||
{
|
{
|
||||||
clear_one_tc() {
|
clear_one_tc() {
|
||||||
tc qdisc del dev $1 root 2> /dev/null
|
$TC qdisc del dev $1 root 2> /dev/null
|
||||||
tc qdisc del dev $1 ingress 2> /dev/null
|
$TC qdisc del dev $1 ingress 2> /dev/null
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -813,7 +813,7 @@ delete_tc1()
|
|||||||
get_device_mtu() # $1 = device
|
get_device_mtu() # $1 = device
|
||||||
{
|
{
|
||||||
local output
|
local output
|
||||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||||
|
|
||||||
if [ -n "$output" ]; then
|
if [ -n "$output" ]; then
|
||||||
echo $(find_mtu $output)
|
echo $(find_mtu $output)
|
||||||
@ -829,7 +829,7 @@ get_device_mtu() # $1 = device
|
|||||||
get_device_mtu1() # $1 = device
|
get_device_mtu1() # $1 = device
|
||||||
{
|
{
|
||||||
local output
|
local output
|
||||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||||
local mtu
|
local mtu
|
||||||
|
|
||||||
if [ -n "$output" ]; then
|
if [ -n "$output" ]; then
|
||||||
@ -886,11 +886,11 @@ restore_default_route() {
|
|||||||
#
|
#
|
||||||
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||||
#
|
#
|
||||||
qt ip -6 route delete default metric 0 && \
|
qt $IP -6 route delete default metric 0 && \
|
||||||
progress_message "Default Route with metric 0 deleted"
|
progress_message "Default Route with metric 0 deleted"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
qt ip -6 route replace $default_route && \
|
qt $IP -6 route replace $default_route && \
|
||||||
result=0 && \
|
result=0 && \
|
||||||
progress_message "Default Route (${default_route# }) restored"
|
progress_message "Default Route (${default_route# }) restored"
|
||||||
;;
|
;;
|
||||||
@ -932,27 +932,6 @@ find_echo() {
|
|||||||
echo echo
|
echo echo
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Determine the MAC address of the passed IP through the passed interface
|
|
||||||
#
|
|
||||||
find_mac() # $1 = IP address, $2 = interface
|
|
||||||
{
|
|
||||||
if interface_is_usable $2 ; then
|
|
||||||
qt ping -nc 1 -t 2 -I $2 $1
|
|
||||||
|
|
||||||
local result
|
|
||||||
result=$(ip neigh list | awk "/^$1 / {print \$5}")
|
|
||||||
|
|
||||||
case $result in
|
|
||||||
\<*\>)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
[ -n "$result" ] && echo $result
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Flush the conntrack table if $PURGE is non-empty
|
# Flush the conntrack table if $PURGE is non-empty
|
||||||
#
|
#
|
||||||
|
@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9
|
|||||||
|
|
||||||
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
|
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
|
||||||
|
|
||||||
|
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
|
||||||
|
|
||||||
Changes in Shorewall 4.3.8
|
Changes in Shorewall 4.3.8
|
||||||
|
|
||||||
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
|
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
|
||||||
|
@ -70,6 +70,12 @@ LOG_MARTIANS=Yes
|
|||||||
|
|
||||||
IPTABLES=
|
IPTABLES=
|
||||||
|
|
||||||
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
|
IPSET=
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
@ -117,6 +117,20 @@ None.
|
|||||||
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
||||||
hence will now start successfully when running on that kernel.
|
hence will now start successfully when running on that kernel.
|
||||||
|
|
||||||
|
3) Three new options (IP, TC and IPSET) have been added to
|
||||||
|
shorewall.conf and shorwall6.conf. These options specify the name
|
||||||
|
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||||
|
respectively.
|
||||||
|
|
||||||
|
If not specified, the default values are:
|
||||||
|
|
||||||
|
IP=ip
|
||||||
|
TC=tc
|
||||||
|
IPSET=ipset
|
||||||
|
|
||||||
|
In other words, the utilities will be located via the current PATH
|
||||||
|
setting.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
N E W F E A T U R E S IN 4 . 3
|
N E W F E A T U R E S IN 4 . 3
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info
|
|||||||
|
|
||||||
IP6TABLES=
|
IP6TABLES=
|
||||||
|
|
||||||
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
|
IPSET=
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
@ -661,6 +661,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If specified, gives the pathname of the 'ip' executable. If
|
||||||
|
not specified, 'ip' is assumed and the utility will be located using
|
||||||
|
the current PATH setting.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
||||||
role="bold">On</emphasis>|<emphasis
|
role="bold">On</emphasis>|<emphasis
|
||||||
@ -712,14 +723,13 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis
|
<term><emphasis
|
||||||
role="bold">zones</emphasis>|<emphasis
|
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
role="bold">ipsec</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This should be set to <emphasis role="bold">zones</emphasis>
|
<para>If specified, gives the pathname of the 'ipset' executable. If
|
||||||
for all new Shorewall installations. IPSECFILE=ipsec is only used
|
not specified, 'ipset' is assumed and the utility will be located
|
||||||
for compatibility with pre-Shorewall-3.0 configurations.</para>
|
using the current PATH setting.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
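Review bot: The IPSET entry appears to replace the existing IPSECFILE varlistentry rather than being inserted beside it: the old side of this hunk drops the `IPSECFILE={zones|ipsec}` term and its paragraph, and the hunk header shows 14 lines becoming 13, so IPSECFILE loses its documentation in this file. Unless the option is being retired in this release (the changelog and release-notes hunks above mention only the three new options), the IPSECFILE `<varlistentry>` should be restored ahead of the new IPSET one, the way the IP and TC entries were added without displacing IP_FORWARDING and TC_ENABLED, and the way the shorewall6.conf.xml IPSET entry below is inserted before KEEP_RT_TABLES.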
@ -1504,6 +1514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If specified, gives the pathname of the 'tc' executable. If
|
||||||
|
not specified, 'tc' is assumed and the utility will be located using
|
||||||
|
the current PATH setting.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|
@ -514,6 +514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If specified, gives the pathname of the 'ip' executable. If
|
||||||
|
not specified, 'ip' is assumed and the utility will be located using
|
||||||
|
the current PATH setting.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
||||||
role="bold">On</emphasis>|<emphasis
|
role="bold">On</emphasis>|<emphasis
|
||||||
@ -550,13 +561,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Shorewall6 will neither enable nor disable packet
|
<para>Shorewall6 will neither enable nor disable packet
|
||||||
forwarding.</para>
|
forwarding</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para></para>
|
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>If this variable is not set or is given an empty value
|
<para>If this variable is not set or is given an empty value
|
||||||
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
||||||
@ -581,6 +590,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If specified, gives the pathname of the 'ipset' executable. If
|
||||||
|
not specified, 'ipset' is assumed and the utility will be located
|
||||||
|
using the current PATH setting.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -1056,6 +1076,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If specified, gives the pathname of the 'tc' executable. If
|
||||||
|
not specified, 'tc' is assumed and the utility will be located using
|
||||||
|
the current PATH setting.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|