From a0482132c6b2f9cf5881f5cf6b24d23aea199310 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 19 Oct 2009 07:28:30 -0700
Subject: [PATCH] Move all function declarations from prog.footer6 to prog.header6
---
 Shorewall/Perl/prog.header6 | 238 ++++++++++++++++++++++++++++++++++++
 1 file changed, 238 insertions(+)
diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6
index 66b497c6a..60045b25f 100644
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -946,6 +946,244 @@ conditionally_flush_conntrack() {
 fi
 }
 
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+ stop_firewall
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_iptables -F
+
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+ run_clear_exit
+
+ set_state "Cleared"
+
+ logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+ echo " ERROR: $@" >&2
+
+ if [ $LOG_VERBOSE -gt 1 ]; then
+ timestamp="$(date +'%_b %d %T') "
+ echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
+ fi
+
+ stop_firewall
+ [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+ exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+ echo " ERROR: $@: Firewall state not changed" >&2
+ case $COMMAND in
+ start)
+ logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+ ;;
+ restart)
+ logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+ ;;
+ restore)
+ logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+ ;;
+ esac
+
+ if [ $LOG_VERBOSE -gt 1 ]; then
+ timestamp="$(date +'%_b %d %T') "
+
+ case $COMMAND in
+ start)
+ echo "${timestamp} ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+ ;;
+ restart)
+ echo "${timestamp} ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+ ;;
+ restore)
+ echo "${timestamp} ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+ ;;
+ esac
+ fi
+
+ kill $$
+ exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+ local status
+
+ while [ 1 ]; do
+ $IP6TABLES $@
+ status=$?
+ [ $status -ne 4 ] && break
+ done
+
+ if [ $status -ne 0 ]; then
+ error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+ local status
+
+ while [ 1 ]; do
+ $IP6TABLES $@
+ status=$?
+ [ $status -ne 4 ] && return $status;
+ done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+ if ! $IP -6 $@; then
+ error_message "ERROR: Command \"$IP -6 $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+ if ! $TC $@ ; then
+ error_message "ERROR: Command \"$TC $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+ if [ -f ${VARDIR}/save ]; then
+ progress_message2 "Setting up dynamic rules..."
+ rangematch='source IP range'
+ while read target ignore1 ignore2 address ignore3 rest; do
+ case $target in
+ DROP|reject|logdrop|logreject)
+ case $rest in
+ $rangematch*)
+ run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+ ;;
+ *)
+ if [ -z "$rest" ]; then
+ run_iptables -A dynamic -s $address -j $target
+ else
+ error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+ fi
+ ;;
+ esac
+ ;;
+ esac
+ done < ${VARDIR}/save
+ fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+ local first second rest table chain
+ #
+ # Clear the ruleset
+ #
+ qt1 $IP6TABLES -t mangle -F
+ qt1 $IP6TABLES -t mangle -X
+
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+ done
+
+ qt1 $IP6TABLES -t raw -F
+ qt1 $IP6TABLES -t raw -X
+
+ for chain in PREROUTING OUTPUT; do
+ qt1 $IP6TABLES -t raw -P $chain ACCEPT
+ done
+
+ qt1 $IP6TABLES -t filter -F
+ qt1 $IP6TABLES -t filter -X
+
+ for chain in INPUT FORWARD OUTPUT; do
+ qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+ done
+
+ while read first second rest; do
+ case $first in
+ -*)
+ #
+ # We can't call run_iptables() here because the rules may contain quoted strings
+ #
+ eval $IP6TABLES -t $table $first $second $rest
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ :*)
+ chain=${first#:}
+
+ if [ "x$second" = x- ]; then
+ do_iptables -t $table -N $chain
+ else
+ do_iptables -t $table -P $chain $second
+ fi
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ #
+ # This grotesque hack with the table names works around a bug/feature with ash
+ #
+ '*'raw)
+ table=raw
+ ;;
+ '*'mangle)
+ table=mangle
+ ;;
+ '*'nat)
+ table=nat
+ ;;
+ '*'filter)
+ table=filter
+ ;;
+ esac
+ done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
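Review bot: The wrappers `run_iptables`, `do_iptables`, `run_ip` and `run_tc` expand their arguments as an unquoted `$@` (`$IP6TABLES $@`, `$IP -6 $@`, `$TC $@`), so any argument that contains whitespace or a glob character is re-split and pathname-expanded before it reaches the binary; `$IP6TABLES "$@"` (and likewise `$IP -6 "$@"`, `$TC "$@"`) hands the list over exactly as the caller built it, unless some caller outside this hunk deliberately passes a whole rule as one word, which I cannot see from here. The same unquoted expansion appears on the log and cleanup lines of `fatal_error` and `startup_error` (`>> $STARTUP_LOG`, `rm -f $TEMPFILE`), where a path containing a space would silently go to the wrong target. In `debug_restore_input` the `-*)` branch runs `eval $IP6TABLES -t $table $first $second $rest` on every line read from the restore input, so that file is executed as shell text and the function is only safe while the file is written by the compiler itself; a comment on the `eval` line such as `# restore input is compiler-generated and evaluated as shell text here; must never come from an untrusted source` would make that trust assumption visible to the next maintainer. Note also that `table` is never initialised, so a rule line that precedes the first `*table` marker would be run with an empty `-t` argument and surface only as the generic "Command ... Failed" message. These functions are moved from prog.footer6 rather than newly written, so all of the above is pre-existing behaviour that the move carries along unchanged.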