Add IP, TC and IPSET configuration options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9932 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-04-18 16:28:25 +00:00
parent 24d94621cb
commit 985c551d26
17 changed files with 222 additions and 124 deletions


@ -2064,6 +2064,30 @@ sub set_chain_variables() {
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
} }
if ( $config{IP} ) {
emit( qq(IP="$config{IP}") ,
'[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
);
} else {
emit 'IP=ip';
}
if ( $config{TC} ) {
emit( qq(TC="$config{TC}") ,
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
);
} else {
emit 'TC=tc';
}
if ( $config{IPSET} ) {
emit( qq(IPSET="$config{IPSET}") ,
'[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"'
);
} else {
emit 'IPSET=ipset';
}
} }
# #
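Review bot: The `[ -x "$IP" ]` test emitted at L18 (and `[ -x "$TC" ]` at L25) rejects any configured value that has no directory component, because `-x` on a bare name such as `ip` is evaluated relative to the current directory, so `IP=ip` in shorewall.conf would abort startup even though the `else` branch emits the same bare name unchecked. The ipset handling in generate_script_3 distinguishes `*/*` from bare names with a `case` and resolves the latter through the PATH; giving IP and TC the same treatment, or documenting that only absolute paths are accepted, would make the three options behave alike. The three near-identical blocks could also become one loop over `qw(IP TC IPSET)` with the default taken from `lc $option`. set_chain_variables starts before this hunk.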


@ -329,7 +329,7 @@ sub generate_script_3($) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then', 'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
@ -343,28 +343,36 @@ sub generate_script_3($) {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets ) {
emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' , emit ( 'case $IPSET in',
' */*)',
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
' ;;',
' *)',
' IPSET="$(which ipset)"',
' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
' ;;',
'esac',
'', '',
'if [ "$COMMAND" = start ]; then' , 'if [ "$COMMAND" = start ]; then' ,
' if [ -f ${VARDIR}/ipsets.save ]; then' , ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' ipset -U :all: :all:' , ' $IPSET -U :all: :all:' ,
' ipset -U :all: :default:' , ' $IPSET -U :all: :default:' ,
' ipset -F' , ' $IPSET -F' ,
' ipset -X' , ' $IPSET -X' ,
' ipset -R < ${VARDIR}/ipsets.save' , ' $IPSET -R < ${VARDIR}/ipsets.save' ,
' fi' , ' fi' ,
'' ); '' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' , emit ( '' ,
'elif [ "$COMMAND" = restart ]; then' , 'elif [ "$COMMAND" = restart ]; then' ,
'' ); '' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' , emit ( '' ,
' if ipset -S > ${VARDIR}/ipsets.tmp; then' , ' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' ); ' fi' );
emit ( 'fi', emit ( 'fi',
@ -374,7 +382,7 @@ sub generate_script_3($) {
emit ( 'if [ "$COMMAND" = refresh ]; then' , emit ( 'if [ "$COMMAND" = refresh ]; then' ,
' run_refresh_exit' ); ' run_refresh_exit' );
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( 'else' , emit ( 'else' ,
' run_init_exit', ' run_init_exit',
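Review bot: The bare-name branch at L57 hard-codes `IPSET="$(which ipset)"`, so a configured value without a slash (anything other than the literal `ipset`) is silently replaced by whatever `ipset` the PATH finds; it should resolve the configured name, `IPSET="$(mywhich $IPSET)"`. Using `which` here also departs from the `mywhich` helper that the replaced line and the later `if [ -n "$(mywhich ipset)" ]` heredoc guard still rely on, and the output of `which` on a miss is not uniform across implementations. The `*/*` branch with `[ -x "$IPSET" ]` is fine. generate_script_3 begins and ends outside this hunk.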


@ -356,6 +356,9 @@ sub initialize( $ ) {
# Location of Files # Location of Files
# #
IPTABLES => undef, IPTABLES => undef,
IP => undef,
TC => undef,
IPSEC => undef,
# #
#PATH is inherited #PATH is inherited
# #
@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) {
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" ); $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
if ( which 'ipset' ) { my $ipset = $config{IPSET} || 'tc';
qt( "ipset -X $sillyname" );
if ( qt( "ipset -N $sillyname iphash" ) ) { $ipset = which 'ipset' unless $ipset =~ '//';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
$capabilities{IPSET_MATCH} = 1; $capabilities{IPSET_MATCH} = 1;
} }
qt( "ipset -X $sillyname" ); qt( "$ipset -X $sillyname" );
} }
} }
@ -2544,7 +2551,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option; conditionally_add_option $option;
} }
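Review bot: In the determine_capabilities hunk both the default and the path test are wrong: `my $ipset = $config{IPSET} || 'tc';` falls back to the tc binary rather than ipset, and `unless $ipset =~ '//'` only skips the lookup when the value contains two consecutive slashes, so a configured absolute path such as /usr/sbin/ipset is discarded and replaced by `which 'ipset'`. The two lines should read `my $ipset = $config{IPSET} || 'ipset';` and `$ipset = which $ipset unless $ipset =~ m{/};`, resolving the configured name rather than the literal `ipset`. The initialize hunk above adds `IPSEC => undef,` where the new option is `IPSET` (the aux-config list and `$config{IPSET}` both spell it IPSET); unless the config loader accepts keys that are not in this table, `IPSET=` in shorewall.conf would not be recognised. determine_capabilities continues outside the hunk.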


@ -124,7 +124,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
} }
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
} }
} }


@ -137,9 +137,9 @@ sub copy_table( $$$ ) {
my ( $duplicate, $number, $realm ) = @_; my ( $duplicate, $number, $realm ) = @_;
if ( $realm ) { if ( $realm ) {
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else { } else {
emit ( "ip -$family route show table $duplicate | while read net route; do" ) emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
} }
emit ( ' case $net in', emit ( ' case $net in',
@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) {
my ( $duplicate, $number, $copy, $realm) = @_; my ( $duplicate, $number, $copy, $realm) = @_;
if ( $realm ) { if ( $realm ) {
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else { } else {
emit ( "ip -$family route show table $duplicate | while read net route; do" ) emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
} }
emit ( ' case $net in', emit ( ' case $net in',
@ -233,7 +233,7 @@ sub start_provider( $$$ ) {
emit "#\n# Add Provider $table ($number)\n#"; emit "#\n# Add Provider $table ($number)\n#";
emit "qt ip -$family route flush table $number"; emit "qt ip -$family route flush table $number";
emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing"; emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
} }
sub add_a_provider( $$$$$$$$ ) { sub add_a_provider( $$$$$$$$ ) {
@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) {
my $pref = 10000 + $number - 1; my $pref = 10000 + $number - 1;
emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark $mark pref $pref table $number", emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing" "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
); );
} }
@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) {
emit ''; emit '';
if ( $gateway ) { if ( $gateway ) {
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number); emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} else { } else {
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number); emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} }
} }
if ( $loose ) { if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) { if ( $config{DELETE_THEN_ADD} ) {
emit ( "\nfind_interface_addresses $interface | while read address; do", emit ( "\nfind_interface_addresses $interface | while read address; do",
" qt ip -$family rule del from \$address", " qt \$IP -$family rule del from \$address",
'done' 'done'
); );
} }
} elsif ( $shared ) { } elsif ( $shared ) {
emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD}; emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
emit( "run_ip rule add from $address pref 20000 table $number" , emit( "run_ip rule add from $address pref 20000 table $number" ,
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
} else { } else {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" ); emit ( "find_interface_addresses $interface | while read address; do" );
emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing", " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
'done' 'done'
); );
@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) {
$priority = "priority $priority"; $priority = "priority $priority";
emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) {
} }
emit ( "run_ip rule add $source $dest $priority table $number", emit ( "run_ip rule add $source $dest $priority table $number",
"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
pop_indent, emit ( "fi\n" ) if $optional; pop_indent, emit ( "fi\n" ) if $optional;
@ -555,7 +555,7 @@ sub setup_null_routing() {
save_progress_message "Null Routing the RFC 1918 subnets"; save_progress_message "Null Routing the RFC 1918 subnets";
for ( rfc1918_networks ) { for ( rfc1918_networks ) {
emit( "run_ip route replace unreachable $_" ); emit( "run_ip route replace unreachable $_" );
emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" ); emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
} }
} }
@ -593,7 +593,7 @@ sub setup_providers() {
emit ( '#', emit ( '#',
'# Capture the default route(s) if we don\'t have it (them) already.', '# Capture the default route(s) if we don\'t have it (them) already.',
'#', '#',
'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', '[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
'#', '#',
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
@ -624,16 +624,16 @@ sub setup_providers() {
if ( $config{USE_DEFAULT_RT} ) { if ( $config{USE_DEFAULT_RT} ) {
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999', emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
"ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766', "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
'' ); '' );
$table = DEFAULT_TABLE; $table = DEFAULT_TABLE;
} }
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else', 'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
@ -641,7 +641,7 @@ sub setup_providers() {
if ( $config{RESTORE_DEFAULT_ROUTE} ) { if ( $config{RESTORE_DEFAULT_ROUTE} ) {
emit ' restore_default_route && error_message "NOTICE: Default route restored"' emit ' restore_default_route && error_message "NOTICE: Default route restored"'
} else { } else {
emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
} }
emit( 'fi', emit( 'fi',
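Review bot: The start_provider hunk leaves `emit "qt ip -$family route flush table $number";` on the bare `ip` while the line directly beneath it, and every other direct invocation in this section, now goes through `\$IP`, so a non-default IP setting is ignored for the flush itself but honoured in the recorded undo command. It should become `emit "qt \$IP -$family route flush table $number";`. The `run_ip` calls are correctly left alone, since that shell wrapper now expands `$IP` itself. The enclosing subs start outside their hunks.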


@ -2158,7 +2158,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i $external -d $address pub qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp done < ${VARDIR}/proxyarp
@ -2253,7 +2253,7 @@ EOF
emit <<'EOF'; emit <<'EOF';
if [ -n "$(mywhich ipset)" ]; then if [ -n "$(mywhich ipset)" ]; then
if ipset -S > ${VARDIR}/ipsets.tmp; then if $IPSET -S > ${VARDIR}/ipsets.tmp; then
# #
# Don't save an 'empty' file # Don't save an 'empty' file
# #
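Review bot: The guard at L251 still tests `mywhich ipset` while the body now runs `$IPSET -S`, so when IPSET is configured to a program outside the PATH the save step is skipped silently, and when the configured program differs from the `ipset` the PATH finds, the presence check and the command disagree. As this is a single-quoted heredoc the fix is in the shell text: use the `case $IPSET in */*) [ -x "$IPSET" ] ;; *) [ -n "$(mywhich $IPSET)" ] ;; esac` form from generate_script_3, or at minimum `[ -n "$(mywhich $IPSET)" ]`. Whether `$IPSET` is assigned before this heredoc runs depends on the emitted script order, which this hunk does not show. The `$IP -4 route del` change in the proxyarp hunk is fine.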


@ -813,8 +813,8 @@ sub setup_traffic_shaping() {
push_indent; push_indent;
emit ( "${dev}_exists=Yes", emit ( "${dev}_exists=Yes",
"qt tc qdisc del dev $device root", "qt \$TC qdisc del dev $device root",
"qt tc qdisc del dev $device ingress", "qt \$TC qdisc del dev $device ingress",
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark", "run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
"${dev}_mtu=\$(get_device_mtu $device)", "${dev}_mtu=\$(get_device_mtu $device)",
"${dev}_mtu1=\$(get_device_mtu1 $device)", "${dev}_mtu1=\$(get_device_mtu1 $device)",


@ -8,7 +8,7 @@ delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i $external -d $address pub qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp done < ${VARDIR}/proxyarp
@ -140,8 +140,8 @@ do_iptables()
# #
run_ip() run_ip()
{ {
if ! ip -4 $@; then if ! $IP -4 $@; then
error_message "ERROR: Command \"ip -4 $@\" Failed" error_message "ERROR: Command \"$IP -4 $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -151,8 +151,8 @@ run_ip()
# Run tc and if an error occurs, stop/restore the firewall # Run tc and if an error occurs, stop/restore the firewall
# #
run_tc() { run_tc() {
if ! tc $@ ; then if ! $TC $@ ; then
error_message "ERROR: Command \"tc $@\" Failed" error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -191,7 +191,7 @@ restore_dynamic_rules() {
# #
get_all_bcasts() get_all_bcasts()
{ {
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
} }
# #
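Review bot: `$IP` and `$TC` in run_ip, run_tc and get_all_bcasts are expanded unquoted and without a fallback, so if lib.base is sourced in a context where the compiled script's `IP=`/`TC=` assignments have not run, `$IP -4 $@` degrades to executing `-4` and the error message reports a blank command; the IPv6 lib.base hunks (L306–L323) and both lib.common files (L327–L480, L484–L615) carry the same dependency. A defensive default near the top of each library, `IP=${IP:-ip}` and `TC=${TC:-tc}` (outside these hunks), or `${IP:-ip}` at the call sites, preserves the previous behaviour when the variables are unset. I cannot see from here whether every consumer of these libraries sets the variables first. run_ip starts inside the hunk and ends outside it; run_tc is likewise cut at the hunk edge.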


@ -116,8 +116,8 @@ do_iptables()
# #
run_ip() run_ip()
{ {
if ! ip -6 $@; then if ! $IP -6 $@; then
error_message "ERROR: Command \"ip -6 $@\" Failed" error_message "ERROR: Command \"$IP -6 $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -127,8 +127,8 @@ run_ip()
# Run tc and if an error occurs, stop/restore the firewall # Run tc and if an error occurs, stop/restore the firewall
# #
run_tc() { run_tc() {
if ! tc $@ ; then if ! $TC $@ ; then
error_message "ERROR: Command \"tc $@\" Failed" error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi


@ -485,7 +485,7 @@ find_peer() {
# #
find_rt_interface() { find_rt_interface() {
ip -4 route list | while read addr rest; do $IP -4 route list | while read addr rest; do
case $addr in case $addr in
*/*) */*)
in_network ${1%/*} $addr && echo $(find_device $rest) in_network ${1%/*} $addr && echo $(find_device $rest)
@ -506,14 +506,14 @@ find_rt_interface() {
find_nexthop() # $1 = interface find_nexthop() # $1 = interface
{ {
echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`) echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
} }
# #
# Find the default route's interface # Find the default route's interface
# #
find_default_interface() { find_default_interface() {
ip -4 route list | while read first rest; do $IP -4 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return [ "$first" = default ] && echo $(find_device $rest) && return
done done
} }
@ -546,7 +546,7 @@ find_interface_by_mac() {
local rest local rest
local dev local dev
ip link list | while read first second rest; do $IP link list | while read first second rest; do
case $first in case $first in
*:) *:)
dev=$second dev=$second
@ -564,7 +564,7 @@ find_interface_by_mac() {
# Determine if Interface is up # Determine if Interface is up
# #
interface_is_up() { interface_is_up() {
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
} }
# #
@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
# #
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
# #
# If there wasn't one, bail out now # If there wasn't one, bail out now
# #
@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
# #
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
# #
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line # along with everything else on the line
@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface
# #
find_interface_addresses() # $1 = interface find_interface_addresses() # $1 = interface
{ {
ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
} }
# #
@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local address local address
local rest local rest
ip -4 route show dev $1 2> /dev/null | $IP -4 route show dev $1 2> /dev/null |
while read address rest; do while read address rest; do
case "$address" in case "$address" in
default) default)
@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface
local addresses local addresses
addresses= addresses=
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
} }
# #
@ -728,7 +728,7 @@ INCLUDE() {
# #
del_ip_addr() # $1 = address, $2 = interface del_ip_addr() # $1 = address, $2 = interface
{ {
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
} }
# Add IP Aliases # Add IP Aliases
@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses
# #
# Get all of the lines that contain inet addresses with broadcast # Get all of the lines that contain inet addresses with broadcast
# #
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
case $cidr in case $cidr in
*/*) */*)
if in_network $external $cidr; then if in_network $external $cidr; then
@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses
{ {
val=$(address_details) val=$(address_details)
ip addr add ${external}${val} dev $interface $label $IP addr add ${external}${val} dev $interface $label
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
echo "$external $interface" >> $VARDIR/nat echo "$external $interface" >> $VARDIR/nat
[ -n "$label" ] && label="with $label" [ -n "$label" ] && label="with $label"
@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface
# #
# First assume that this is some sort of point-to-point interface # First assume that this is some sort of point-to-point interface
# #
gateway=$( find_peer $(ip addr list $interface ) ) gateway=$( find_peer $($IP addr list $interface ) )
# #
# If that didn't work, then try DHCP # If that didn't work, then try DHCP
# #
@ -842,7 +842,7 @@ detect_gateway() # $1 = interface
# #
# Maybe there's a default route through this gateway already # Maybe there's a default route through this gateway already
# #
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default)) [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
# #
# Last hope -- is there a load-balancing route through the interface? # Last hope -- is there a load-balancing route through the interface?
# #
@ -858,7 +858,7 @@ detect_gateway() # $1 = interface
# #
disable_ipv6() { disable_ipv6() {
local foo local foo
foo="$(ip -f inet6 addr list 2> /dev/null)" foo="$($IP -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
if qt mywhich ip6tables; then if qt mywhich ip6tables; then
@ -892,8 +892,8 @@ truncate() # $1 = length
delete_tc1() delete_tc1()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null $TC qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null $TC qdisc del dev $1 ingress 2> /dev/null
} }
@ -917,7 +917,7 @@ delete_tc1()
get_device_mtu() # $1 = device get_device_mtu() # $1 = device
{ {
local output local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then if [ -n "$output" ]; then
echo $(find_mtu $output) echo $(find_mtu $output)
@ -933,7 +933,7 @@ get_device_mtu() # $1 = device
get_device_mtu1() # $1 = device get_device_mtu1() # $1 = device
{ {
local output local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu local mtu
if [ -n "$output" ]; then if [ -n "$output" ]; then
@ -990,11 +990,11 @@ restore_default_route() {
# #
# Don't restore a route with a metric -- we only replace the one with metric == 0 # Don't restore a route with a metric -- we only replace the one with metric == 0
# #
qt ip -4 route delete default metric 0 && \ qt $IP -4 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted" progress_message "Default Route with metric 0 deleted"
;; ;;
*) *)
qt ip -4 route replace $default_route && \ qt $IP -4 route replace $default_route && \
result=0 && \ result=0 && \
progress_message "Default Route (${default_route# }) restored" progress_message "Default Route (${default_route# }) restored"
;; ;;
@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface
qt ping -nc 1 -t 2 -I $2 $1 qt ping -nc 1 -t 2 -I $2 $1
local result local result
result=$(ip neigh list | awk "/^$1 / {print \$5}") result=$($IP neigh list | awk "/^$1 / {print \$5}")
case $result in case $result in
\<*\>) \<*\>)


@ -388,14 +388,14 @@ find_peer() {
find_nexthop() # $1 = interface find_nexthop() # $1 = interface
{ {
echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`) echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
} }
# #
# Find the default route's interface # Find the default route's interface
# #
find_default_interface() { find_default_interface() {
ip -6 route list | while read first rest; do $IP -6 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return [ "$first" = default ] && echo $(find_device $rest) && return
done done
} }
@ -412,7 +412,7 @@ find_interface_by_mac() {
local rest local rest
local dev local dev
ip link list | while read first second rest; do $IP link list | while read first second rest; do
case $first in case $first in
*:) *:)
dev=$second dev=$second
@ -430,7 +430,7 @@ find_interface_by_mac() {
# Determine if Interface is up # Determine if Interface is up
# #
interface_is_up() { interface_is_up() {
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
} }
# #
@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
# #
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
# #
# If there wasn't one, bail out now # If there wasn't one, bail out now
# #
@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
# #
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1) addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
# #
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line # along with everything else on the line
@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface
# #
find_interface_addresses() # $1 = interface find_interface_addresses() # $1 = interface
{ {
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
} }
# #
@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface
find_interface_full_addresses() # $1 = interface find_interface_full_addresses() # $1 = interface
{ {
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
} }
# #
@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local address local address
local rest local rest
ip -6 route show dev $1 2> /dev/null | $IP -6 route show dev $1 2> /dev/null |
while read address rest; do while read address rest; do
case "$address" in case "$address" in
default) default)
@ -756,11 +756,11 @@ detect_gateway() # $1 = interface
# #
# First assume that this is some sort of point-to-point interface # First assume that this is some sort of point-to-point interface
# #
gateway=$( find_peer $(ip -6 addr list $interface ) ) gateway=$( find_peer $($IP -6 addr list $interface ) )
# #
# Maybe there's a default route through this gateway already # Maybe there's a default route through this gateway already
# #
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default')) [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
# #
# Last hope -- is there a load-balancing route through the interface? # Last hope -- is there a load-balancing route through the interface?
# #
@ -788,8 +788,8 @@ truncate() # $1 = length
delete_tc1() delete_tc1()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null $TC qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null $TC qdisc del dev $1 ingress 2> /dev/null
} }
@ -813,7 +813,7 @@ delete_tc1()
get_device_mtu() # $1 = device get_device_mtu() # $1 = device
{ {
local output local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then if [ -n "$output" ]; then
echo $(find_mtu $output) echo $(find_mtu $output)
@ -829,7 +829,7 @@ get_device_mtu() # $1 = device
get_device_mtu1() # $1 = device get_device_mtu1() # $1 = device
{ {
local output local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu local mtu
if [ -n "$output" ]; then if [ -n "$output" ]; then
@ -886,11 +886,11 @@ restore_default_route() {
# #
# Don't restore a route with a metric -- we only replace the one with metric == 0 # Don't restore a route with a metric -- we only replace the one with metric == 0
# #
qt ip -6 route delete default metric 0 && \ qt $IP -6 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted" progress_message "Default Route with metric 0 deleted"
;; ;;
*) *)
qt ip -6 route replace $default_route && \ qt $IP -6 route replace $default_route && \
result=0 && \ result=0 && \
progress_message "Default Route (${default_route# }) restored" progress_message "Default Route (${default_route# }) restored"
;; ;;
@ -932,27 +932,6 @@ find_echo() {
echo echo echo echo
} }
#
# Determine the MAC address of the passed IP through the passed interface
#
find_mac() # $1 = IP address, $2 = interface
{
if interface_is_usable $2 ; then
qt ping -nc 1 -t 2 -I $2 $1
local result
result=$(ip neigh list | awk "/^$1 / {print \$5}")
case $result in
\<*\>)
;;
*)
[ -n "$result" ] && echo $result
;;
esac
fi
}
# #
# Flush the conntrack table if $PURGE is non-empty # Flush the conntrack table if $PURGE is non-empty
# #


@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt 5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
Changes in Shorewall 4.3.8 Changes in Shorewall 4.3.8
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.


@ -70,6 +70,12 @@ LOG_MARTIANS=Yes
IPTABLES= IPTABLES=
IP=
TC=
IPSET=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh


@ -117,6 +117,20 @@ None.
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and 2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
hence will now start successfully when running on that kernel. hence will now start successfully when running on that kernel.
3) Three new options (IP, TC and IPSET) have been added to
shorewall.conf and shorwall6.conf. These options specify the name
of the executable for the 'ip', 'tc' and 'ipset' utilities
respectively.
If not specified, the default values are:
IP=ip
TC=tc
IPSET=ipset
In other words, the utilities will be located via the current PATH
setting.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3 N E W F E A T U R E S IN 4 . 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info
IP6TABLES= IP6TABLES=
IP=
TC=
IPSET=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh


@ -661,6 +661,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ip' executable. If
not specified, 'ip' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis <term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
role="bold">On</emphasis>|<emphasis role="bold">On</emphasis>|<emphasis
@ -712,14 +723,13 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis <term><emphasis
role="bold">zones</emphasis>|<emphasis role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
role="bold">ipsec</emphasis>}</term>
<listitem> <listitem>
<para>This should be set to <emphasis role="bold">zones</emphasis> <para>If specified, gives the pathname of the 'ipset' executable. If
for all new Shorewall installations. IPSECFILE=ipsec is only used not specified, 'ipset' is assumed and the utility will be located
for compatibility with pre-Shorewall-3.0 configurations.</para> using the current PATH setting.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1504,6 +1514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'tc' executable. If
not specified, 'tc' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis <term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis


@ -514,6 +514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ip' executable. If
not specified, 'ip' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis <term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
role="bold">On</emphasis>|<emphasis role="bold">On</emphasis>|<emphasis
@ -550,13 +561,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>Shorewall6 will neither enable nor disable packet <para>Shorewall6 will neither enable nor disable packet
forwarding.</para> forwarding</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para></para>
<blockquote> <blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para> (IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
@ -581,6 +590,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'ipset' executable. If
not specified, 'ipset' is assumed and the utility will be located
using the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1056,6 +1076,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>If specified, gives the pathname of the 'tc' executable. If
not specified, 'tc' is assumed and the utility will be located using
the current PATH setting.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis <term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis