extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-03 03:19:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Delete Shorewall-shell from trunk

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9481 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-02-22 16:16:17 +00:00
parent 66fa406bcb
commit a3d0f8e222
17 changed files with 0 additions and 11135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

340
Shorewall-shell/COPYING
View File

@ -1,340 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

48
Shorewall-shell/INSTALL
View File

@ -1,48 +0,0 @@
Shoreline Firewall (Shorewall) Version 3.4
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:
o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Type:
./install.sh
o Edit the configuration files in /etc/shorewall/ to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://www.shorewall.net/shorewall_quickstart_guide.htm
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start automatically at boot, you will have to used your
distribution's runlevel editor to configure Shorewall manually.
Upgrade:
o run the install script as described above.
o "shorewall check" and correct any errors found.
o "shorewall restart"

1
Shorewall-shell/README.txt
View File

@ -1 +0,0 @@
This is the Shorewall-shell Stable 4.2 branch of SVN.

6022
Shorewall-shell/compiler
View File

File diff suppressed because it is too large Load Diff

260
Shorewall-shell/install.sh
View File

@ -1,260 +0,0 @@
#!/bin/sh
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.6
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
echo " $ME -n"
exit $1
}
split() {
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
qt()
{
"$@" >/dev/null 2>&1
}
mywhich() {
local dir
for dir in $(split $PATH); do
if [ -x $dir/$1 ]; then
echo $dir/$1
return 0
fi
done
return 2
}
run_install()
{
if ! install $*; then
echo
echo "ERROR: Failed to install $*" >&2
exit 1
fi
}
cant_autostart()
{
echo
echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2
}
backup_directory() # $1 = directory to backup
{
if [ -d $1 ]; then
if cp -a $1 ${1}-${VERSION}.bkout ; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
{
if [ -z "${PREFIX}{NOBACKUP}" ]; then
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if [ -n "$2" ]; then
if [ -d $2 ]; then
if cp -f $1 $2 ; then
echo
echo "$1 saved to $2/$(basename $1)"
else
exit 1
fi
fi
elif cp $1 ${1}-${VERSION}.bkout; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
fi
}
delete_file() # $1 = file to delete
{
rm -f $1
}
install_file() # $1 = source $2 = target $3 = mode
{
run_install $OWNERSHIP -m $3 $1 ${2}
}
install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory
{
backup_file $2 $4
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
# Parse the run line
#
# DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
case $(uname) in
CYGWIN*)
DEST=
INIT=
[ -z "$OWNER" ] && OWNER=$(id -un)
[ -z "$GROUP" ] && GROUP=$(id -gn)
;;
*)
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root
;;
esac
NOBACKUP=
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
usage 0
;;
-v)
echo "Shorewall Firewall Installer Version $VERSION"
exit 0
;;
-n)
NOBACKUP=Yes
;;
*)
usage 1
;;
esac
shift
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
OWNERSHIP="-o $OWNER -g $GROUP"
if [ -n "$PREFIX" ]; then
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
fi
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
echo "Installing Shorewall-shell Version $VERSION"
#
# Check for /usr/share/shorewall-shell
#
if [ -d ${PREFIX}/usr/share/shorewall-shell ]; then
first_install=""
if [ -z "$NOBACKUP" ]; then
backup_directory ${PREFIX}/usr/share/shorewall-shell
fi
else
first_install="Yes"
fi
#
# Create /etc/shorewall, /usr/share/shorewall-shell and /var/shorewall if needed
#
mkdir -p ${PREFIX}/usr/share/shorewall-shell
chmod 755 ${PREFIX}/usr/share/shorewall-shell
#
# Install the Compiler
#
install_file compiler ${PREFIX}/usr/share/shorewall-shell/compiler 0755
echo
echo "Compiler installed in ${PREFIX}/usr/share/shorewall-shell/compiler"
#
#
# Install the libraries
#
for f in lib.* ; do
if [ -f $f ]; then
install_file $f ${PREFIX}/usr/share/shorewall-shell/$f 0644
echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-shell/$f"
fi
done
#
# Install the program skeleton files
#
for f in prog.* ; do
install_file $f ${PREFIX}/usr/share/shorewall-shell/$f 0644
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-shell/$f"
done
echo $VERSION > ${PREFIX}/usr/share/shorewall-shell/version
#
# Report Success
#
echo "shorewall-shell Version $VERSION Installed"

265
Shorewall-shell/lib.accounting
View File

@ -1,265 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.accounting
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the accounting file is
# non-empty.
#
#
# Process a record from the accounting file
#
process_accounting_rule() {
rule=
rule2=
jumpchain=
user1=
accounting_error() {
error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user $mark
}
accounting_interface_error() {
error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user $mark
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() {
if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then
accounting_error
return 2
fi
fi
rule="$rule -j $jumpchain"
}
do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
case $proto in
*:*)
proto=${proto#*:}
;;
*)
proto=tcp
;;
esac
rule="$rule -p $proto -m ipp2p --${port:-ipp2p}"
}
case $source in
*:*)
accounting_interface_verify ${source%:*}
rule="$(source_ip_range ${source#*:}) $(match_source_dev ${source%:*})"
;;
*.*.*.*|+*|!+*)
rule="$(source_ip_range $source)"
;;
-|all|any)
;;
*)
if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;;
esac
[ -n "$dest" ] && case $dest in
*:*)
accounting_interface_verify ${dest%:*}
rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
;;
*.*.*.*|+*|!*)
rule="$rule $(dest_ip_range $dest)"
;;
-|all|any)
;;
*)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)"
;;
esac
[ -n "$proto" ] && case $proto in
-|any|all)
;;
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p
;;
*)
rule="$rule -p $proto"
;;
esac
multiport=
[ -n "$port" ] && case $port in
-|any|all)
;;
*)
if [ -n "$MULTIPORT" ]; then
rule="$rule -m multiport --dports $port"
multiport=Yes
else
rule="$rule --dport $port"
fi
;;
esac
[ -n "$sport" ] && case $sport in
-|any|all)
;;
*)
if [ -n "$MULTIPORT" ]; then
[ -n "$multiport" ] && rule="$rule --sports $sport" || rule="$rule -m multiport --sports $sport"
else
rule="$rule --sport $sport"
fi
;;
esac
[ -n "$user" ] && case $user in
-|any|all)
;;
*)
[ "$chain" != OUTPUT ] && \
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
rule="$rule -m owner"
user1="$user"
case "$user" in
!*+*)
if [ -n "${user#*+}" ]; then
rule="$rule ! --cmd-owner ${user#*+} "
fi
user1=${user%+*}
;;
*+*)
if [ -n "${user#*+}" ]; then
rule="$rule --cmd-owner ${user#*+} "
fi
user1=${user%+*}
;;
esac
case "$user1" in
!*:*)
if [ "$user1" != "!:" ]; then
temp="${user1#!}"
temp="${temp%:*}"
[ -n "$temp" ] && rule="$rule ! --uid-owner $temp "
temp="${user1#*:}"
[ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
fi
;;
*:*)
if [ "$user1" != ":" ]; then
temp="${user1%:*}"
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
temp="${user1#*:}"
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
fi
;;
!*)
[ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
;;
*)
[ -n "$user1" ] && rule="$rule --uid-owner $user1 "
;;
esac
;;
esac
[ -n "$mark" ] && case $mark in
-|any|all)
mark=
;;
!*)
rule="$rule -m mark ! --mark ${mark#*!}"
;;
*)
rule="$rule -m mark --mark $mark"
;;
esac
case $action in
COUNT)
;;
DONE)
rule="$rule -j RETURN"
;;
*:COUNT)
rule2="$rule"
jumpchain=${action%:*}
jump_to_chain || return
;;
JUMP:*)
jumpchain=${action#*:}
jump_to_chain || return
;;
*)
jumpchain=$action
jump_to_chain || return
;;
esac
[ "x${chain:=accounting}" = "x-" ] && chain=accounting
ensurechain1 $chain
if do_iptables -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule \"$action $chain $source $dest $proto $port $sport $user\" $DONE"
save_progress_message_short " Accounting rule \\\"$action $chain $source $dest $proto $port $sport $user\\\" Added"
else
accounting_error
fi
}
#
# Set up Accounting
#
setup_accounting() # $1 = Name of accounting file
{
progress_message2 "$DOING Accounting..."
save_progress_message "Setting up Accounting..."
while read action chain source dest proto port sport user mark ; do
process_accounting_rule
done < $TMP_DIR/accounting
if havechain accounting; then
for chain in INPUT FORWARD OUTPUT; do
run_iptables -I $chain -j accounting
done
fi
}

885
Shorewall-shell/lib.actions
View File

@ -1,885 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.actions
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when USE_ACTIONS=Yes
# (either explicitly specified or defaulted).
#
#
# Add one Filter Rule from an action -- Helper function for the action file processor
#
# The caller has established the following variables:
# COMMAND = current command.
# client = SOURCE IP or MAC
# server = DESTINATION IP or interface
# protocol = Protocol
# address = Original Destination Address
# port = Destination Port
# cport = Source Port
# multioption = String to invoke multiport match if appropriate
# action = The chain for this rule
# ratelimit = Optional rate limiting clause
# userandgroup = owner match clause
# logtag = Log tag
#
add_an_action()
{
local chain1
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
}
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
handle_exclusion()
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1
cli=
proto=
sports=
multiport=
dports=
user=
}
do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}"
case $proto in
ipp2p|IPP2P)
proto=tcp
port=
do_ports
;;
ipp2p:udp|IPP2P:UDP)
proto=udp
port=
do_ports
;;
ipp2p:all|IPP2P:ALL)
proto=all
;;
esac
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
case "$client" in
-)
;;
*:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})"
;;
*.*.*|+*|!+*)
cli="$(source_ip_range $client)"
;;
~*|!~*)
cli=$(mac_match $client)
;;
*)
if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;;
esac
# Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
dest_interface=
serv=
case "$server" in
-)
;;
*:*)
action_interface_verify ${server%:*}
dest_interface=$(match_dest_dev ${server%:*})
serv=${server#*:}
;;
*.*.*|+*|!+*)
serv=$server
;;
~*|!~*)
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;;
esac
# Setup protocol and port variables
sports=
dports=
proto=$protocol
servport=$serverport
multiport=
chain1=$chain
user="$userandgroup"
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
case $proto in
tcp|TCP|6)
do_ports
;;
tcp:syn)
proto="$proto --syn"
do_ports
;;
udp|UDP|17)
do_ports
;;
icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port"
;;
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p
;;
*)
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;;
esac
proto="${proto:+-p $proto}"
# Some misc. setup
case "$logtarget" in
LOG)
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
;;
esac
if [ -n "${excludesource}${excludedest}" ]; then
handle_exclusion
fi
if [ -n "${serv}" ]; then
for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dest_interface $dports $ratelimit $user -j $target
done
done
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $sports $cli $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
$dports $ratelimit $user -j $target
fi
}
#
# Process a record from an action file
#
process_action() # $1 = chain (Chain to add the rules to)
# $2 = action (The action name for logging purposes)
# $3 = target (The (possibly modified) contents of the TARGET column)
# $4 = clients
# $5 = servers
# $6 = protocol
# $7 = ports
# $8 = cports
# $9 = ratelimit
# $10 = userspec
# $11 = mark
{
local chain
chain="$1"
local action
action="$2"
local target
target="$3"
local clients
clients="$4"
local servers
servers="$5"
local protocol
protocol="$6"
local ports
ports="$7"
local cports
cports="$8"
local ratelimit
ratelimit="$9"
local userspec
userspec="${10}"
local mark
mark="${11}"
local userandgroup
userandgroup=
local logtag
logtag=
if [ -n "$ratelimit" ]; then
case $ratelimit in
-)
ratelimit=
;;
*:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;;
*)
ratelimit="-m limit --limit $ratelimit"
;;
esac
fi
[ "x$userspec" = "x-" ] && userspec=
if [ -n "$userspec" ]; then
userandgroup="-m owner"
case "$userspec" in
!*+*)
if [ -n "${userspec#*+}" ]; then
userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}"
fi
userspec=${userspec%+*}
;;
*+*)
if [ -n "${userspec#*+}" ]; then
userandgroup="$userandgroup --cmd-owner ${userspec#*+}"
fi
userspec=${userspec%+*}
;;
esac
case "$userspec" in
!*:*)
if [ "$userspec" != "!:" ]; then
temp="${userspec#!}"
temp="${temp%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
temp="${userspec#*:}"
[ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp"
fi
;;
*:*)
if [ "$userspec" != ":" ]; then
temp="${userspec%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
temp="${userspec#*:}"
[ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp"
fi
;;
!*)
[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
;;
*)
[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
;;
esac
[ "$userandgroup" = "-m owner" ] && userandgroup=
fi
[ "x$mark" = "x-" ] && mark=
if [ -n "$mark" ]; then
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
# Isolate log level
if [ "$target" = "${target%:*}" ]; then
loglevel=
else
loglevel="${target#*:}"
target="${target%%:*}"
if [ "$loglevel" != "${loglevel%:*}" ]; then
logtag="${loglevel#*:}"
loglevel="${loglevel%:*}"
fi
case $loglevel in
none*)
loglevel=
[ $target = LOG ] && return
;;
esac
loglevel=${loglevel%\!}
fi
logtarget="$target"
case $target in
REJECT)
target=reject
;;
CONTINUE)
target=RETURN
;;
COUNT)
return;
;;
*)
;;
esac
excludesource=
case ${clients:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $clients) -gt 1 ]; then
excludesource=${clients#!}
clients=
fi
;;
*!*)
excludesource=${clients#*!}
clients=${clients%!*}
;;
esac
excludedest=
case ${servers:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $servers) -gt 1 ]; then
excludedest=${servers#*!}
servers=
fi
;;
*!*)
excludedest=${servers#*!}
servers=${servers%!*}
;;
esac
# Generate Netfilter rule(s)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
$(list_count $ports) -le 15 -a \
$(list_count $cports) -le 15 ]
then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
for port in $(separate_list ${ports:=-}); do
for cport in $(separate_list ${cports:=-}); do
add_an_action
done
done
done
done
fi
#
# Report Result
#
progress_message " Rule \"$rule\" $DONE."
save_progress_message_short " Rule \\\"$rule\\\" added."
}
#
# This function determines the logging for a subordinate action or a rule within a subordinate action
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
local superior
superior=$1
local subordinate
subordinate=$2
set -- $(split $1)
case $superior in
*:*:*)
case $2 in
'none!')
echo ${subordinate%%:*}:'none!':$3
return
;;
*'!')
echo ${subordinate%%:*}:$2:$3
return
;;
*)
case $subordinate in
*:*:*)
echo $subordinate
return
;;
*:*)
echo $subordinate:$3
return
;;
*)
echo ${subordinate%%:*}:$2:$3
return
;;
esac
;;
esac
;;
*:*)
case $2 in
'none!')
echo ${subordinate%%:*}:'none!'
return
;;
*'!')
echo ${subordinate%%:*}:$2
return
;;
*)
case $subordinate in
*:*)
echo $subordinate
return
;;
*)
echo ${subordinate%%:*}:$2
return
;;
esac
;;
esac
;;
*)
echo $subordinate
;;
esac
}
#
# The next three functions implement the three phases of action processing.
#
# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
# and ${CONFDIR}/actions are scanned (in that order) and for each action:
#
# a) The related action definition file is located and scanned.
# b) Forward and unresolved action references are trapped as errors.
# c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the
# action[:level[:tag]] of each action invoked by <action>.
# d) All actions are listed in the global variable ACTIONS.
#
# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an <action>
# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
# length of the chain name does not exceed 30 characters.
#
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
#
# The final phase (process_actions3) is to traverse the USEDACTIONS list populating each chain appropriately
# by reading the action definition files and creating rules. Note that a given action definition file is
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
#
process_actions1() {
for inputfile in actions.std actions; do
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
case $xaction in
*:*)
error_message "WARNING: Default Actions are now specified in /etc/shorewall/shorewall.conf"
xaction=${xaction%:*}
;;
esac
[ -z "$xaction" ] && continue
[ "$xaction" = "$(chain_base $xaction)" ] || fatal_error "Invalid Action Name: $xaction"
if ! list_search $xaction $ACTIONS; then
f=action.$xaction
fn=$(find_file $f)
eval requiredby_${action}=
if [ -f $fn ]; then
progress_message2 " Pre-processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark; do
temp="${xtarget%%:*}"
case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|COUNT)
;;
COMMENT)
if [ "$temp" != "$xtarget" ]; then
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
*)
if list_search $temp $ACTIONS; then
eval requiredby=\"\$requiredby_${xaction}\"
list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\"
else
temp=$(map_old_action $temp)
case $temp in
*/*)
param=${temp#*/}
case $param in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
;;
*)
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
fatal_error "Invalid Macro Parameter in rule \"$rule\""
;;
esac
temp=${temp%%/*}
;;
esac
f1=macro.${temp}
fn=$(find_file $f1)
if [ ! -f $TMP_DIR/$f1 ]; then
#
# We must only verify macros once to ensure that they don't invoke any non-standard actions
#
if [ -f $fn ]; then
strip_file $f1 $fn
progress_message " ..Expanding Macro $fn..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
[ $mtarget = COMMENT -o $mtarget = COUNT ] && continue
temp="${mtarget%%:*}"
case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
;;
*)
rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec"
fatal_error "Invalid TARGET in rule \"$rule\""
esac
done < $TMP_DIR/$f1
progress_message " ..End Macro"
else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
fi
fi
;;
esac
done < $TMP_DIR/$f
else
fatal_error "Missing Action File: $f"
fi
ACTIONS="$ACTIONS $xaction"
fi
done < $TMP_DIR/$inputfile
done
for action in $DROP_DEFAULT $REJECT_DEFAULT $ACCEPT_DEFAULT $QUEUE_DEFAULT; do
case $action in
none)
;;
*)
if list_search $action $ACTIONS; then
list_search $action $USEDACTIONS || USEDACTIONS="$USEDACTIONS $action"
fi
;;
esac
done
}
process_actions2() {
local interfaces
interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes
while [ -n "$changed" ]; do
changed=
for xaction in $USEDACTIONS; do
eval required=\"\$requiredby_${xaction%%:*}\"
for xaction1 in $required; do
#
# Generate the action that will be passed to process_action by merging the
# logging specified when the action was invoked with the logging in the
# invocation of the subordinate action (usually no logging)
#
xaction2=$(merge_levels $xaction $xaction1)
if ! list_search $xaction2 $USEDACTIONS; then
#
# We haven't seen this one before -- create and record a chain to handle it
#
USEDACTIONS="$USEDACTIONS $xaction2"
createactionchain $xaction2
changed=Yes
fi
done
done
done
}
#
# process_actions3() is in the compiler. What follows is called from that function when the action
# being processed is not a builtin.
process_action3() {
local f
f=action.$xaction1
local comment
comment=
progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do
#
# Generate the target:level:tag to pass to process_action()
#
xaction2=$(merge_levels $xaction $xtarget)
is_macro=
param=
xtarget1=${xaction2%%:*}
case $xtarget1 in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|COUNT)
#
# Builtin target -- Nothing to do
#
;;
COMMENT)
if [ -n "$COMMENTS" ]; then
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark)
save_command COMMENT=\"$comment\"
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
continue
;;
*)
if list_search $xtarget1 $ACTIONS ; then
#
# An Action -- Replace the target from the file
# -- with the one generated above
xtarget=$xaction2
#
# And locate the chain for that action:level:tag
#
xaction2=$(find_logactionchain $xtarget)
else
is_macro=yes
fi
;;
esac
if [ -n "$is_macro" ]; then
xtarget1=$(map_old_action $xtarget1)
case $xtarget1 in
*/*)
param=${xtarget1#*/}
xtarget1=${xtarget1%%/*}
;;
esac
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
[ $mtarget = COMMENT -o $mtarget = COUNT ] && continue
mtarget=$(merge_levels $xaction2 $mtarget)
case $mtarget in
PARAM|PARAM:*)
[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
;;
esac
if [ -n "$mclients" ]; then
case $mclients in
-|SOURCE)
mclients=${xclients}
;;
DEST)
mclients=${xservers}
;;
*)
mclients=$(merge_macro_source_dest $mclients $xclients)
;;
esac
else
mclients=${xclients}
fi
if [ -n "$mservers" ]; then
case $mservers in
-|DEST)
mservers=${xservers}
;;
SOURCE)
mservers=${xclients}
;;
*)
mservers=$(merge_macro_source_dest $mservers $xservers)
;;
esac
else
mservers=${xserverss}
fi
[ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol
[ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports
[ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-} $xmark"
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec $xmark
done < $TMP_DIR/macro.$xtarget1
progress_message "..End Macro"
else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark
fi
done < $TMP_DIR/$f
if [ -n "$COMMENTS" ]; then
save_command
save_command COMMENT=
fi
}

270
Shorewall-shell/lib.maclist
View File

@ -1,270 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.tcrules
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the maclist option
# is specified in an entry in the interfaces file.
#
#
# Set up MAC Verification
#
setup_mac_lists() # $1 = Phase Number
{
local interface
local mac
local addresses
local address
local chain
local chain1
local macpart
local blob
local hosts
local ipsec
local policy
policy=
create_mac_chain()
{
case $MACLIST_TABLE in
filter)
createchain $1 no
;;
*)
createmanglechain $1
;;
esac
}
have_mac_chain()
{
local result
case $MACLIST_TABLE in
filter)
havechain $1 && result=0 || result=1
;;
*)
havemanglechain $1 && result=0 || result=1
;;
esac
return $result
}
#
# Generate the list of interfaces having MAC verification
#
maclist_interfaces=
for hosts in $maclist_hosts; do
hosts=${hosts#*^}
interface=${hosts%%:*}
if ! list_search $interface $maclist_interfaces; then\
if [ -z "$maclist_interfaces" ]; then
maclist_interfaces=$interface
else
maclist_interfaces="$maclist_interfaces $interface"
fi
fi
done
progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..."
#
# Create chains.
#
if [ $1 -eq 1 ]; then
for interface in $maclist_interfaces; do
chain=$(mac_chain $interface)
create_mac_chain $chain
#
# If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
#
if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
fi
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
create_mac_chain $chain1
run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
fi
done
#
# Process the maclist file producing the verification rules
#
while read disposition interface mac addresses; do
level=
case $disposition in
ACCEPT:*)
level=${disposition#*:}
disposition=ACCEPT
target=RETURN
;;
ACCEPT)
target=RETURN
;;
REJECT:*)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
disposition=REJECT
;;
REJECT)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
;;
DROP:*)
level=${disposition#*:}
disposition=DROP
target=DROP
;;
DROP)
target=DROP
;;
*)
case "$interface" in
*:*:*|~*-*-*)
#
# Pre-3.2 record format
#
addresses="$mac"
mac="$interface"
interface="$disposition"
disposition=ACCEPT
target=RETURN
;;
*)
fatal_error "Invalid DISPOSITION ($disposition) in rule \"$disposition $interface $mac $addresses\""
;;
esac
;;
esac
physdev_part=
if [ -n "$BRIDGING" ]; then
case $interface in
*:*)
physdev_part="-m physdev --physdev-in ${interface#*:}"
interface=${interface%:*}
;;
esac
fi
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if ! have_mac_chain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified"
fi
if [ x${mac:=-} = x- ]; then
if [ -z "$addresses" ]; then
fatal_error "You must specify a MAC address or an IP address"
else
macpart=
fi
else
macpart=$(mac_match $mac)
fi
if [ -z "$addresses" ]; then
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
else
for address in $(separate_list $addresses) ; do
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $(match_source_hosts $address) $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart $(match_source_hosts $address) $physdev_part -j $target
done
fi
done < $TMP_DIR/maclist
#
# Generate jumps from the input and forward chains
#
for hosts in $maclist_hosts; do
ipsec=${hosts%^*}
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
hosts=${hosts#*^}
interface=${hosts%%:*}
hosts=${hosts#*:}
case $MACLIST_TABLE in
filter)
for chain in $(first_chains $interface) ; do
run_iptables2 -A $chain $(match_source_hosts $hosts) -m state --state NEW \
$policy -j $(mac_chain $interface)
done
;;
*)
run_iptables2 -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
$policy -j $(mac_chain $interface)
;;
esac
done
else
#
# Must take care of our own broadcasts and multicasts then terminate the verification
# chains
#
for interface in $maclist_interfaces; do
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
indent >&3 << __EOF__
if interface_is_usable $interface; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=\${address%/*}
if [ -n "\$broadcast" ]; then
run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
fi
run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 255.255.255.255 -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 224.0.0.0/4 -j RETURN
done
else
fatal_error "Interface $interface must be up before Shorewall can start"
fi
CHAIN=$chain
__EOF__
fi
append_file maclog
if [ -n "$MACLIST_LOG_LEVEL" ]; then
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
fi
if [ $MACLIST_DISPOSITION != ACCEPT ]; then
run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
fi
done
fi
}

811
Shorewall-shell/lib.nat
View File

@ -1,811 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.nat
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when any of the following
# configuration files are non-empty: masq, nat, netmap; or when there are
# DNAT/REDIRECT rules in the /etc/shorewall/rules file.
#
#
# Set up Source NAT (including masquerading)
#
setup_masq()
{
local comment
comment=
do_ipsec_options() {
local options
options="$(separate_list $ipsec)"
local option
[ -n "$ORIGINAL_POLICY_MATCH" ] || \
fatal_error "IPSEC options require policy match support in your kernel and iptables"
policy="-m policy --pol ipsec --dir out"
for option in $options; do
case $option in
[Yy]es) ;;
strict) policy="$policy --strict" ;;
next) policy="$policy --next" ;;
reqid=*) policy="$policy --reqid ${option#*=}" ;;
spi=*) policy="$policy --spi ${option#*=}" ;;
proto=*) policy="$policy --proto ${option#*=}" ;;
mode=*) policy="$policy --mode ${option#*=}" ;;
tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;;
tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;;
reqid!=*) policy="$policy ! --reqid ${option#*=}" ;;
spi!=*) policy="$policy ! --spi ${option#*=}" ;;
proto!=*) policy="$policy ! --proto ${option#*=}" ;;
mode!=*) policy="$policy ! --mode ${option#*=}" ;;
tunnel-src!=*) policy="$policy ! --tunnel-src ${option#*=}" ;;
tunnel-dst!=*) policy="$policy ! --tunnel-dst ${option#*=}" ;;
*) fatal_error "Invalid IPSEC option \"$option\"" ;;
esac
done
}
setup_one() {
local add_snat_aliases
add_snat_aliases=$ADD_SNAT_ALIASES
local pre_nat
pre_nat=
local policy
policy=
local destnets
destnets=
[ "x$ipsec" = x- ] && ipsec=
case $ipsec in
Yes|yes)
[ -n "$ORIGINAL_POLICY_MATCH" ] || \
fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables"
policy="-m policy --pol ipsec --dir out"
;;
No|no)
[ -n "$ORIGINAL_POLICY_MATCH" ] || \
fatal_error "IPSEC=No requires policy match support in your kernel and iptables"
policy="-m policy --pol none --dir out"
;;
*)
if [ -n "$ipsec" ]; then
do_ipsec_options
elif [ -n "$POLICY_MATCH" ]; then
policy="-m policy --pol none --dir out"
fi
;;
esac
case $fullinterface in
+*)
pre_nat=Yes
fullinterface=${fullinterface#+}
;;
esac
case $fullinterface in
*::*)
add_snat_aliases=
destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}"
;;
*:*:*)
# Both alias name and networks
destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}"
;;
*:)
add_snat_aliases=
fullinterface=${fullinterface%:}
;;
*:*)
# Alias name OR networks
case ${fullinterface#*:} in
*.*)
# It's a networks
destnets="${fullinterface#*:}"
fullinterface="${fullinterface%:*}"
;;
*)
#it's an alias name
;;
esac
;;
*)
;;
esac
interface=${fullinterface%:*}
if ! list_search $interface $ALL_INTERFACES; then
fatal_error "Unknown interface $interface"
fi
if [ "$networks" = "${networks%!*}" ]; then
nomasq=
else
nomasq="${networks#*!}"
networks="${networks%!*}"
fi
source="${networks:=0.0.0.0/0}"
detectinterface=
case $source in
*.*.*|+*|!+*)
;;
*)
detectinterface=$networks
networks=
;;
esac
[ "x$proto" = x- ] && proto=
[ "x$ports" = x- ] && ports=
[ "x$mark" = x- ] && mark=
if [ -n "$proto" ]; then
displayproto="($proto)"
case $proto in
tcp|TCP|udp|UDP|6|17)
if [ -n "$ports" ]; then
displayproto="($proto $ports)"
listcount=$(list_count $ports)
if [ $listcount -gt 1 ]; then
case $ports in
*:*)
if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)"
fi
;;
*)
if [ -n "$MULTIPORT" ]; then
[ $listcount -le 15 ] || fatal_error "More than 15 entries in port list ($ports)"
ports="-m multiport --dports $ports"
else
fatal_error "Port Ranges require multiport match support in your kernel ($ports)"
fi
;;
esac
else
ports="--dport $ports"
fi
fi
;;
*)
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
;;
esac
proto="-p $proto"
else
displayproto="(all)"
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
fi
if [ -n "$mark" ]; then
displaymark="($mark)"
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
destination=${destnets:=0.0.0.0/0}
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
ensurenatchain $chain
case $destnets in
!*)
destnets=${destnets#!}
build_exclusion_chain newchain nat "$nomasq" "$destnets"
if [ -n "$networks" ]; then
for s in $(separate_list $networks); do
addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
done
networks=
elif [ -n "$detectinterface" ]; then
indent >&3 << __EOF__
networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain
done
__EOF__
else
addnatrule $chain -j $newchain
fi
chain=$newchain
destnets=0.0.0.0/0
proto=
ports=
policy=
detectinterface=
[ -n "$nomasq" ] && source="$source except $nomasq"
;;
*)
if [ -n "$nomasq" ]; then
build_exclusion_chain newchain nat $nomasq
if [ -n "$networks" ]; then
for s in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
done
done
elif [ -n "$detectinterface" ]; then
indent >&3 << __EOF__
networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
__EOF__
for destnet in $(separate_list $destnets); do
indent >&3 << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
__EOF__
done
indent >&3 << __EOF__
done
__EOF__
else
for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
done
fi
chain=$newchain
networks=
destnets=0.0.0.0/0
proto=
ports=
policy=
detectinterface=
source="$source except $nomasq"
fi
;;
esac
addrlist=
target=MASQUERADE
[ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" ]; then
case "$addresses" in
SAME:nodst:*)
target="SAME --nodst"
addresses=${addresses#SAME:nodst:}
if [ "$addresses" = detect ]; then
addrlist='$addrlist'
else
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
fi
;;
SAME:*)
target="SAME"
addresses=${addresses#SAME:}
if [ "$addresses" = detect ]; then
addrlist='$addrlist'
else
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
fi
;;
detect)
target=SNAT
addrlist='$addrlist'
;;
*)
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
;;
esac
if [ "$addrlist" = '$addrlist' ]; then
addresses='$(combine_list $addresses)'
indent >&3 << __EOF__
addrlist=
addresses=\$(find_interface_addresses $interface)
if [ -n "\$addresses" ]; then
for address in \$addresses; do
addrlist="$addrlist --to-source \$address"
done
else
fatal_error "Unable to determine the IP address(es) of $interface"
fi
__EOF__
elif [ -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do
address=${address%:)}
if [ -n "$address" ]; then
for addr in $(ip_range_explicit ${address%:*}) ; do
if ! list_search $addr $ALIASES_TO_ADD; then
[ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $addr $interface
ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface"
case $fullinterface in
*:*)
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
;;
esac
fi
done
fi
done
fi
fi
if [ -n "$networks" ]; then
for network in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
done
if [ -n "$addresses" ]; then
progress_message_and_save " To $destination $displayproto from $network through ${interface} using $addresses"
else
progress_message_and_save " To $destination $displayproto from $network through ${interface}"
fi
done
elif [ -n "$detectinterface" ]; then
indent >&3 << __EOF__
networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
__EOF__
for destnet in $(separate_list $destnets); do
indent >&3 << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
__EOF__
done
if [ -n "$addresses" ]; then
message=" To $destination $displayproto from \$network through ${interface} using $addresses"
else
message=" To $destination $displayproto from \$network through ${interface}"
fi
indent >&3 << __EOF__
progress_message "$message"
done
__EOF__
else
for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
done
if [ -n "$addresses" ]; then
progress_message_and_save " To $destination $displayproto from $source through ${interface} using $addresses"
else
progress_message_and_save " To $destination $displayproto from $source through ${interface}"
fi
fi
} #setup_one()
if [ -s $TMP_DIR/masq ]; then
progress_message2 "$DOING Masquerading/SNAT"
save_progress_message "Setting up Masquerading/SNAT..."
while read fullinterface networks addresses proto ports ipsec mark; do
if [ -n "$NAT_ENABLED" ]; then
if [ "x$fullinterface" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
comment=$(echo $networks $addresses $proto $ports $ipsec $mark)
save_command COMMENT=\"$comment\"
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
setup_one
fi
else
error_message "WARNING: NAT disabled; masq rule ignored"
fi
done < $TMP_DIR/masq
#
# Just in case the file ended with a comment
#
if [ -n "$COMMENTS" ]; then
save_command
save_command COMMENT=
save_command
fi
fi
}
#
# Setup Static Network Address Translation (NAT)
#
setup_nat() {
local external
external=
local interface
interface=
local internal
internal=
local allints
allints=
local localnat
localnat=
local policyin
policyin=
local policyout
policyout=
local comment
comment=
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
{
case $3 in
Yes|yes)
;;
No|no)
eval ${1}=
;;
*)
[ -n "$3" ] && \
fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
;;
esac
}
do_one_nat() {
local add_ip_aliases
add_ip_aliases=$ADD_IP_ALIASES
local iface
iface=${interface%:*}
if [ -n "$add_ip_aliases" ]; then
case $interface in
*:)
interface=${interface%:}
add_ip_aliases=
;;
*)
[ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface
;;
esac
else
interface=${interface%:}
fi
validate_one allints "ALL INTERFACES" $allints
validate_one localnat "LOCAL" $localnat
if [ -n "$allints" ]; then
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
else
addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
fi
[ -n "$localnat" ] && \
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
if [ -n "$add_ip_aliases" ]; then
list_search $external $ALIASES_TO_ADD || \
ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface"
fi
}
#
# At this point, we're just interested in the network translation
#
> $STATEDIR/nat
if [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out"
fi
if [ -s $TMP_DIR/nat ]; then
save_progress_message "Setting up one-to-one NAT..."
while read external interface internal allints localnat; do
if [ "x$external" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
comment=$(echo $interface $internal $allints $localnat)
save_command COMMENT=\"$comment\"
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
do_one_nat
fi
progress_message_and_save " Host $internal NAT $external on $interface"
done < $TMP_DIR/nat
if [ -n "$COMMENTS" ]; then
save_command
save_command COMMENT=
save_command
fi
fi
}
#
# Setup Network Mapping (NETMAP)
#
setup_netmap() {
while read type net1 interface net2 ; do
list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
case $type in
DNAT)
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
;;
SNAT)
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
;;
*)
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
;;
esac
progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)"
done < $TMP_DIR/netmap
}
#
# Add a NAT rule - Helper function for the rules file processor
#
# The caller has established the following variables:
# cli = Source IP, interface or MAC Specification
# serv = Destination IP Specification
# servport = Port the server is listening on
# dest_interface = Destination Interface Specification
# proto = Protocol Specification
# addr = Original Destination Address
# dports = Destination Port Specification. 'dports' may be changed
# by this function
# cport = Source Port Specification
# multiport = String to invoke multiport match if appropriate
# ratelimit = Optional rate limiting clause
# userandgroup = -m owner match to limit the rule to a particular user and/or group
# logtag = Log tag
# excludesource = Source Exclusion List
#
add_nat_rule() {
local chain
local excludedests
excludedests=
# Be sure we can NAT
if [ -z "$NAT_ENABLED" ]; then
fatal_error "Rule \"$rule\" requires NAT which is disabled"
fi
# Parse SNAT address if any
if [ "$addr" != "${addr%:*}" ]; then
fatal_error "SNAT may no longer be specified in a DNAT rule; use ${CONFDIR}/masq instead"
fi
# Set original destination address
case $addr in
all)
addr=
;;
detect)
eval interfaces=\$${source}_interfaces
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
save_command
if [ $(list_count1 $interfaces) -eq 1 ]; then
save_command "addr=\$(find_first_interface_address $interfaces)"
else
save_command "addr="
for interface in $interfaces; do
ident >&3 << __EOF__
addr="\$addr \$(find_first_interface_address $interface)"
__EOF__
done
fi
else
addr=
fi
;;
!*)
if [ $(list_count $addr) -gt 1 ]; then
excludedests="${addr#\!}"
addr=
fi
;;
esac
addr=${addr:-0.0.0.0/0}
# Select target
if [ "$logtarget" = SAME ]; then
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to ${srv}"
done
target1="SAME $serv1"
elif [ -n "$serv" ]; then
servport="${servport:+:$servport}"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to-destination ${srv}${servport}"
done
target1="DNAT $serv1"
else
target1="REDIRECT --to-port $servport"
fi
# Generate nat table rules
if [ "$source" = "$FW" ]; then
if [ -n "${excludesource}${excludedests}" ]; then
build_exclusion_chain chain nat "$excludesource" $excludedests
for adr in $(separate_list $addr); do
run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain
done
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
fi
run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1
done
fi
else
if [ -n "${excludesource}${excludedests}" ]; then
build_exclusion_chain chain nat "$excludesource" $excludedests
if [ $addr = detect ]; then
ensurenatchain $(dnat_chain $source)
#
# The 'for loops' begun below are completed in add_a_rule() (in the compiler)
#
indent >&3 << __EOF__
for adr in \$addr; do
run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain
__EOF__
else
for adr in $(separate_list $addr); do
addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
done
fi
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
else
chain=$(dnat_chain $source)
if [ $addr = detect ]; then
ensurenatchain $chain
indent >&3 << __EOF__
for adr in \$addr; do
__EOF__
if [ -n "$loglevel" ]; then
indent >&3 << __EOF__
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr
__EOF__
fi
indent >&3 << __EOF__
run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1
__EOF__
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
fi
addnatrule $chain $proto $ratelimit $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi
fi
fi
# Replace destination port by the new destination port
if [ -n "$servport" ]; then
if [ -z "$multiport" ]; then
dports="--dport ${servport#*:}"
else
dports="--dports ${servport#*:}"
fi
fi
[ "x$addr" = "x0.0.0.0/0" ] && addr=
ratelimit=
}

494
Shorewall-shell/lib.providers
View File

@ -1,494 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.providers
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the providers file is
# non-empty.
#
#
# Process the providers file
#
setup_providers()
{
local table
local number
local mark
local duplicate
local interface
local gateway
local options
local provider
local address
local copy
local route
local loose
local addresses
local rulenum
local rulebase
local balance
local save_indent
save_indent="$INDENT"
local mask
mask=
local first
first=Yes
local save_indent1
save_indent1=
copy_table() {
indent >&3 << __EOF__
ip route show table $duplicate | while read net route; do
case \$net in
default|nexthop)
;;
*)
run_ip route add table $number \$net \$route
;;
esac
done
__EOF__
}
copy_and_edit_table() {
indent >&3 << __EOF__
ip route show table $duplicate | while read net route; do
case \$net in
default|nexthop)
;;
*)
case \$(find_device \$route) in
`echo $copy\) | sed 's/ /|/g'`
run_ip route add table $number \$net \$route
;;
esac
;;
esac
done
__EOF__
}
balance_default_route() # $1 = weight
{
balance=yes
save_command
if [ -n "$first" ]; then
if [ -n "$gateway" ] ; then
save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\""
else
save_command "DEFAULT_ROUTE=\"nexthop dev $interface weight $1\""
fi
first=
else
if [ -n "$gateway" ] ; then
save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $1\""
else
save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $1\""
fi
fi
}
add_a_provider() {
local t
local n
local iface
local option
local optional
optional=
[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
for t in $PROVIDERS local main default unspec; do
if [ "$t" = "$table" ]; then
fatal_error "Duplicate Provider: $table, provider: \"$provider\""
fi
eval n=\$${t}_number
#
# The following is because the %$#@ shell doesn't accept hex numbers in '-eq' tests
#
if [ $(($n)) -eq $(($number)) ]; then
fatal_error "Duplicate Provider number: $number, provider: \"$provider\""
fi
done
eval ${table}_number=$number
indent >&3 << __EOF__
#
# Add Provider $table ($number)
#
__EOF__
save_command "if interface_is_usable $interface; then"
save_indent1="$INDENT"
INDENT="$INDENT "
iface=$(chain_base $interface)
save_command "${iface}_up=Yes"
save_command "qt ip route flush table $number"
indent >&3 << __EOF__
echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing
__EOF__
if [ "x${duplicate:=-}" != x- ]; then
if [ "x${copy:=-}" != "x-" ]; then
if [ "x${copy}" = xnone ]; then
copy=$interface
else
copy="$interface $(separate_list $copy)"
fi
copy_and_edit_table
else
copy_table
fi
elif [ "x${copy:=-}" != x- ]; then
fatal_error "A non-empty COPY column requires that a routing table be specified in the DUPLICATE column"
fi
if [ "x$gateway" = xdetect ] ; then
gateway='$gateway'
indent >&3 << __EOF__
gateway=\$(detect_gateway $interface)
if [ -n "\$gateway" ]; then
run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
run_ip route add default via \$gateway dev $interface table $number
else
fatal_error "Unable to detect the gateway through interface $interface"
fi
__EOF__
elif [ "x$gateway" != "x-" -a -n "$gateway" ]; then
indent >&3 << __EOF__
run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number
run_ip route add default via $gateway dev $interface table $number
__EOF__
else
gateway=
save_command "run_ip route add default dev $interface table $number"
fi
if [ x${mark} != x- ]; then
verify_mark $mark
if [ $(($mark)) -lt 256 ]; then
if [ -n "$HIGH_ROUTE_MARKS" ]; then
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes"
fi
elif [ -z "$HIGH_ROUTE_MARKS" ]; then
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No"
fi
eval ${table}_mark=$mark
[ -n "$DELETE_THEN_ADD" ] && qt ip rule del fwmark $mark
indent >&3 << __EOF__
run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number
echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
__EOF__
fi
loose=
for option in $(separate_list $options); do
case $option in
-)
;;
track)
list_search $interface $ROUTEMARK_INTERFACES && \
fatal_error "Interface $interface is tracked through an earlier provider"
[ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\""
eval ${iface}_routemark=$mark
ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
;;
balance=*)
balance_default_route ${option#*=}
;;
balance)
balance_default_route 1
;;
loose)
loose=Yes
;;
optional)
optional=Yes
;;
*)
error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\""
;;
esac
done
rulenum=0
if [ -z "$loose" ]; then
rulebase=$(( 20000 + ( 256 * ($number-1) ) ))
indent >&3 << __EOF__
rulenum=0
find_interface_addresses $interface | while read address; do
__EOF__
[ -n "$DELETE_THEN_ADD" ] && save_command " qt ip rule del from \$address"
indent >&3 << __EOF__
run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
rulenum=\$((\$rulenum + 1))
done
__EOF__
elif [ -n "$DELETE_THEN_ADD" ]; then
indent >&3 << __EOF__
find_interface_addresses $interface | while read address; do
qt ip rule del from \$address
done
__EOF__
[ -n "$balance" ] && error_message "WARNING: 'balance' and 'loose' should not be specified together - Provider \"$provider\""
fi
indent >&3 << __EOF__
progress_message " Provider $table ($number) Added"
__EOF__
INDENT="$save_indent1"
save_command else
if [ -n "$optional" ]; then
save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
save_command " ${iface}_up="
else
save_command " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""
fi
save_command fi
save_command
}
verify_provider()
{
local p
local n
for p in $PROVIDERS main; do
[ "$p" = "$1" ] && return 0
eval n=\$${p}_number
[ "$n" = "$1" ] && return 0
done
fatal_error "Unknown provider $1 in route rule \"$rule\""
}
add_an_rtrule()
{
verify_provider $provider
[ "x$source" = x- ] && source=
[ "x$dest" = x- ] && dest= || dest="to $dest"
[ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\""
[ -n "${dest:=to 0.0.0.0/0}" ]
if [ -n "$source" ]; then
case $source in
*:*)
source="iif ${source%:*} from ${source#*:}"
;;
*.*.*)
source="from $source"
;;
*)
source="iif $source"
;;
esac
else
source='from 0.0.0.0/0'
fi
case "$priority" in
[0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9])
;;
*)
fatal_error "Invalid priority ($priority) in rule \"$rule\""
;;
esac
priority="priority $priority"
[ -n "$DELETE_THEN_ADD" ] && save_command "qt ip rule del $source $dest $priority"
save_command "run_ip rule add $source $dest $priority table $provider"
indent >&3 << __EOF__
echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
__EOF__
progress_message "Routing rule \"$rule\" $DONE"
}
#
# E x e c u t i o n B e g i n s H e r e
#
local_number=255
main_number=254
default_number=253
unspec_number=0
balance=
progress_message2 "$DOING $1..."
save_command
save_command "if [ -z \"\$NOROUTES\" ]; then"
INDENT="$INDENT "
indent >&3 << __EOF__
#
# Undo any changes made since the last time that we [re]started -- this will not restore the default route
#
undo_routing
#
# Save current routing table database so that it can be restored later
#
cp /etc/iproute2/rt_tables \${VARDIR}/
#
# Capture the default route(s) if we don't have it (them) already.
#
[ -f \${VARDIR}/default_route ] || ip route list | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
#
# Initialize the file that holds 'undo' commands
#
> \${VARDIR}/undo_routing
__EOF__
save_progress_message "Adding Providers..."
save_command "DEFAULT_ROUTE="
while read table number mark duplicate interface gateway options copy; do
provider="$table $number $mark $duplicate $interface $gateway $options $copy"
add_a_provider
PROVIDERS="$PROVIDERS $table"
progress_message "Provider $provider $DONE"
done < $TMP_DIR/providers
if [ -n "$PROVIDERS" ]; then
if [ -n "$balance" ]; then
save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then"
save_command " run_ip route replace default scope global \$DEFAULT_ROUTE"
save_command " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\""
save_command "else"
save_command " error_message \"WARNING: No Default route added (all 'balance' providers are down)\""
save_command " restore_default_route"
save_command "fi"
save_command
else
save_command "#"
save_command "# We don't have any 'balance' providers so we retore any default route that we've saved"
save_command "#"
save_command restore_default_route
fi
save_command "if [ -w /etc/iproute2/rt_tables ]; then"
cat >&3 << __EOF__
${INDENT} cat > /etc/iproute2/rt_tables <<EOF
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
EOF
${INDENT} echocommand=\$(find_echo)
__EOF__
for table in $PROVIDERS; do
eval number=\$${table}_number
indent >&3 << __EOF__
\$echocommand "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__
done
save_command "fi"
save_command
if [ -s $TMP_DIR/route_rules ]; then
progress_message2 "$DOING $(find_file route_rules)..."
save_command
while read source dest provider priority; do
rule="$source $dest $priority $provider"
add_an_rtrule
done < $TMP_DIR/route_rules
fi
fi
save_command
save_command "run_ip route flush cache"
INDENT="$save_indent"
save_command "fi"
save_command
}
#
# Set up Route marking (Only called if $ROUTEMARK_INTERFACES is non-empty)
#
setup_route_marking()
{
local mask
mask=0xFF
local save_indent
save_indent="$INDENT"
[ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00
run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
createmanglechain routemark
for interface in $ROUTEMARK_INTERFACES ; do
iface=$(chain_base $interface)
eval mark_value=\$${iface}_routemark
save_command
save_command "if [ -n \"\$${iface}_up\" ]; then"
INDENT="$INDENT "
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value
INDENT="$save_indent"
save_command "fi"
done
save_command
run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask
}

134
Shorewall-shell/lib.proxyarp
View File

@ -1,134 +0,0 @@
#!/bin/sh
#
# Shorewall 4.0 -- /usr/share/shorewall/lib.proxyarp
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the 'proxyarp' option is
# specified in the interfaces file or when the proxyarp file is non-empty.
#
#
# Setup Proxy ARP
#
setup_proxy_arp() {
local setlist
setlist=
local resetlist
resetlist=
print_error() {
error_message "Invalid value for HAVEROUTE - ($haveroute)"
error_message "Entry \"$address $interface $external $haveroute\" ignored"
}
print_error1() {
error_message "Invalid value for PERSISTENT - ($persistent)"
error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
}
print_warning() {
error_message "PERSISTENT setting ignored - ($persistent)"
error_message "Entry \"$address $interface $external $haveroute $persistent\""
}
setup_one_proxy_arp() {
case $haveroute in
[Nn][Oo])
haveroute=
;;
[Yy][Ee][Ss])
;;
*)
if [ -n "$haveroute" ]; then
print_error
return
fi
;;
esac
case $persistent in
[Nn][Oo])
persistent=
;;
[Yy][Ee][Ss])
[ -z "$haveroute" ] || print_warning
;;
*)
if [ -n "$persistent" ]; then
print_error1
return
fi
;;
esac
if [ -z "$haveroute" ]; then
save_command "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"
[ -n "$persistent" ] && haveroute=yes
fi
indent >&3 << __EOF__
if ! arp -i $external -Ds $address $external pub; then
fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed"
fi
progress_message " Host $address connected to $interface added to ARP on $external"
__EOF__
echo $address $interface $external $haveroute >> $STATEDIR/proxyarp
progress_message " Host $address connected to $interface added to ARP on $external"
}
> $STATEDIR/proxyarp
save_progress_message "Setting up Proxy ARP..."
while read address interface external haveroute persistent; do
list_search $interface $setlist || setlist="$setlist $interface"
list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
setup_one_proxy_arp
done < $TMP_DIR/proxyarp
for interface in $resetlist; do
list_search $interface $setlist || \
save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
done
for interface in $setlist; do
save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
done
interfaces=$(find_interfaces_by_option proxyarp)
for interface in $interfaces; do
indent >&3 << __EOF__
if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
else
error_message "WARNING: Unable to enable proxy ARP on $interface"
fi
__EOF__
done
}

397
Shorewall-shell/lib.tc
View File

@ -1,397 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.tc
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# tcstart from tc4shorewall Version 0.5
# (c) 2005 Arne Bernin <arne@ucbering.de>
# Modified by Tom Eastep for integration into the Shorewall distribution
# published under GPL Version 2#
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal
# and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under
# the same circumstances by the compiled firewall script when processing the
# 'refresh' command.
#
#
# Arne Bernin's 'tc4shorewall'
#
setup_traffic_shaping()
{
local mtu
local r2q
local tc_all_devices
local device
local mark
local rate
local ceil
local prio
local options
local devfile
devfile=$(find_file tcdevices)
local classfile
classfile=$(find_file tcclasses)
local devnum
devnum=1
local last_device
last_device=
r2q=10
indent=
prefix=1
rate_to_kbit() {
local rateunit
local rate
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
case $rateunit in
kbit|Kbit)
rate=$rate
;;
mbit|Mbit)
rate=$(expr $rate \* 1024)
;;
mbps|Mbps)
rate=$(expr $rate \* 8192)
;;
kbps|Kbps)
rate=$(expr $rate \* 8)
;;
*)
[ -n "$rateunit" ] && fatal_error "Invalid Rate ($1)"
rate=$(expr $rate / 128)
;;
esac
echo $rate
}
calculate_quantum() {
local rate
rate=$(rate_to_kbit $1)
echo $(( $rate * ( 128 / $r2q ) ))
}
# get given outbandwidth for device
get_outband_for_dev() {
local device
local inband
local outband
while read device inband outband; do
tcdev="$device $inband $outband"
if [ "$1" = "$device" ] ; then
echo $outband
return
fi
done < $TMP_DIR/tcdevices
}
check_tcclasses_options() {
while [ $# -gt 1 ]; do
shift
case $1 in
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
;;
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
;;
*)
echo $1
return 1
;;
esac
done
return 0
}
get_defmark_for_dev() {
local searchdev
local searchmark
local device
local ceil
local prio
local options
searchdev=$1
while read device mark rate ceil prio options; do
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
tcdev="$device $mark $rate $ceil $prio $options"
if [ "$searchdev" = "$device" ] ; then
list_search "default" $options && echo $mark &&return 0
fi
done < $TMP_DIR/tcclasses
return 1
}
check_defmark_for_dev() {
get_defmark_for_dev $1 >/dev/null
}
validate_tcdevices_file() {
progress_message2 "Validating $devfile..."
local device
local inband
local outband
while read device inband outband; do
tcdev="$device $inband $outband"
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
case $interface in
*:*|+)
fatal_error "Invalid Interface Name: $interface"
;;
esac
list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
inband=$(rate_to_kbit $inband)
outband=$(rate_to_kbit $outband)
tc_all_devices="$tc_all_devices $device"
done < $TMP_DIR/tcdevices
}
validate_tcclasses_file() {
progress_message2 "Validating $classfile..."
local classlist
local device
local mark
local rate
local ceil
local prio
local bandw
local wrongopt
local allopts
local opt
allopts=""
while read device mark rate ceil prio options; do
tcdev="$device $mark $rate $ceil $prio $options"
ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
for opt in $options; do
case $opt in
tos=0x??)
opt="$opt/0xff"
;;
esac
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
allopts="$allopts $device-$opt"
done
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
if [ -z "$ratew" ] ; then
fatal_error "device $device seems not to be configured in tcdevices"
fi
list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses"
#
# Convert HEX/OCTAL mark representation to decimal
#
mark=$(($mark))
verify_mark $mark
[ $mark -lt 256 ] || fatal_error "Invalid Mark Value"
classlist="$classlist $device-$mark"
done < $TMP_DIR/tcclasses
}
add_root_tc() {
local defmark
local dev
dev=$(chain_base $device)
save_command "if interface_is_up $device; then"
indent="$INDENT"
INDENT="$INDENT "
save_command ${dev}_exists=Yes
save_command qt tc qdisc del dev $device root
save_command qt tc qdisc del dev $device ingress
defmark=$(get_defmark_for_dev $device)
run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}
save_command "${dev}_mtu=\$(get_device_mtu $device)"
run_tc "class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu \$${dev}_mtu"
if [ $(rate_to_kbit ${inband}) -gt 0 ]; then
run_tc qdisc add dev $device handle ffff: ingress
run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
fi
eval ${dev}_devnum=$devnum
devnum=$(($devnum + 1))
save_progress_message_short " TC Device $tcdev defined."
INDENT="$indent"
save_command else
INDENT="$INDENT "
save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\""
save_command "${dev}_exists="
INDENT="$indent"
save_command "fi"
save_command
return 0
}
add_tc_class() {
local full
local classid
local tospair
local tosmask
local quantum
full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full)
if [ -z "$prio" ] ; then
prio=1
fi
case $rate in
*full*)
rate=$(echo $rate | sed -e "s/full/$full/")
rate="$(($rate))kbit"
;;
esac
case $ceil in
*full*)
ceil=$(echo $ceil | sed -e "s/full/$full/")
ceil="$(($ceil))kbit"
;;
esac
eval devnum=\$${dev}_devnum
#
# Convert HEX/OCTAL mark representation to decimal
#
mark=$(($mark))
classid=$devnum:${prefix}${mark}
[ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile"
quantum=$(calculate_quantum $rate)
save_command "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum"
run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum"
run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10
#
# add filters
#
if [ -n "$CLASSIFY_TARGET" ] && known_interface $device; then
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid
else
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
fi
#
#options
#
list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10"
list_search "tos-maximize-throughput" $options && options="$options tos=0x08/0x08"
list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04"
list_search "tos-minimize-cost" $options && options="$options tos=0x02/0x02"
list_search "tos-normal-service" $options && options="$options tos=0x00/0x1e"
for tospair in $(list_walk "tos=" $options) ; do
case $tospair in
*/*)
tosmask=${tospair##*/}
;;
*)
tosmask=0xff
;;
esac
run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
done
save_progress_message_short " TC Class $tcdev defined."
return 0
}
finish_device() {
INDENT="$indent"
save_command fi
save_command
}
validate_tcdevices_file
validate_tcclasses_file
cat >&3 << __EOF__
#
# Set up Traffic Shaping
#
setup_traffic_shaping()
{
__EOF__
INDENT=" "
if [ -s $TMP_DIR/tcdevices ]; then
[ $(list_count1 $all_tc_devices) -gt 10 ] && prefix=10
save_progress_message "Setting up Traffic Control..."
progress_message2 "$DOING $devfile..."
while read device inband outband; do
tcdev="$device $inband $outband"
add_root_tc && progress_message " TC Device $tcdev defined."
done < $TMP_DIR/tcdevices
fi
if [ -s $TMP_DIR/tcclasses ]; then
progress_message2 "$DOING $classfile..."
last_device=
while read device mark rate ceil prio options; do
tcdev="$device $mark $rate $ceil $prio $options"
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
dev=$(chain_base $device)
if [ "$device" != "$last_device" ]; then
[ -n "$last_device" ] && finish_device
save_command "if [ -n \"\$${dev}_exists\" ] ; then"
indent="$INDENT"
INDENT="$INDENT "
last_device=$device
else
save_command
fi
add_tc_class && progress_message " TC Class $tcdev defined."
done < $TMP_DIR/tcclasses
[ -n "$last_device" ] && finish_device
fi
INDENT=
save_command "}"
save_command
}

477
Shorewall-shell/lib.tcrules
View File

@ -1,477 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.tcrules
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the tcrules file is
# non-empty. It is also loaded by the compiled firewall script under the same
# condition when the script is processing the 'refresh' command.
#
#
# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
# default marking chain
#
# The caller has established values for the following variables:
#
# mark - MARK column
# sources - SOURCE column
# dests - DEST column
# proto - PROTO column
# ports - PORT(S) column
# sports - CLIENT PORT(S) column
# user - USER column
# testval - TEST column
# length - LENGTH column
# tos - TOS column
#
process_tc_rule()
{
local did_connmark= multiport= classid=
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
handle_designator() {
chain=$1
mark="${mark%:*}"
}
do_ipp2p()
{
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. TC Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p"
case $proto in
*:*)
proto=${proto#*:}
;;
*)
proto=tcp
;;
esac
r="${r}-p $proto -m ipp2p --${port} "
}
verify_small_mark()
{
verify_mark $1
[ $(($1)) -lt 256 ] || fatal_error "Mark Value ($1) too large, rule \"$rule\""
}
do_connmark()
{
target="CONNMARK --set-mark"
mark=$mark/0xff
did_connmark=Yes
}
validate_mark()
{
case $1 in
*/*)
verify_mark ${1%/*}
verify_mark ${1#*/}
;;
*)
verify_mark $1
;;
esac
}
add_a_tc_rule() {
r=
if [ "x$source" != "x-" ]; then
case $source in
$FW:*)
r="$(source_ip_range ${source#*:}) "
;;
*:~*|*:!~*)
interface=${source%:*}
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
r="$(match_source_dev $interface) $(mac_match ${source#*:}) "
;;
*:*)
interface=${source%:*}
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
r="$(match_source_dev $interface) $(source_ip_range ${source#*:}) "
;;
*.*.*|+*|!+*)
r="$(source_ip_range $source) "
;;
~*|!~*)
r="$(mac_match $source) "
;;
$FW)
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev $source) "
;;
esac
fi
if [ "x${user:--}" != "x-" ]; then
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
r="$r-m owner"
case "$user" in
*+*)
r="$r --cmd-owner ${user#*+} "
user=${user%+*}
;;
esac
case "$user" in
*:*)
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
[ -n "$user" ] && r="$r --uid-owner $user "
;;
esac
fi
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
if [ "x$dest" != "x-" ]; then
case $dest in
*:*)
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
interface=${dest%:*}
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
r="$(match_dest_dev $interface) $(dest_ip_range ${dest#*:}) "
;;
*.*.*|+*|!+*)
r="${r}$(dest_ip_range $dest) "
;;
*)
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
;;
esac
fi
if [ "x${length:=-}" != "x-" ]; then
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
r="${r}-m length --length ${length} "
fi
if [ "x${tos:=-}" != "x-" ]; then
r="${r}-m tos --tos ${tos} "
fi
case $proto in
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p
;;
icmp|ICMP|1)
r="${r}-p icmp "
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
;;
*)
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}$multiport $port "
;;
esac
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
if [ -n "${excludesources}${excludedests}" ]; then
[ $target = RETURN ] && \
fatal_error "Exclusion is currently not supported with CONTINUE"
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
run_iptables2 -t mangle -A $chain $r -j $chain1
run_iptables -t mangle -A $chain1 -j $target $mark
else
run_iptables2 -t mangle -A $chain $r -j $target $mark
fi
}
#
# E x e c u t i o n B e g i n s H e r e
#
case $sources in
$FW|$FW:*)
chain=tcout
if [ "x$mark" != "x${mark%:*}" ]; then
case "${mark#*:}" in
t|T)
handle_designator tcpost
;;
ct|CT)
handle_designator tcpost
do_connmark
;;
c|C)
mark=${mark%:*}
do_connmark
;;
p|P|cp|CP|f|F|cf|CF)
fatal_error "Invalid chain designator for source \$FW; rule \"$rule\""
;;
*)
chain=tcpost
target="CLASSIFY --set-class"
classid=Yes
;;
esac
fi
;;
*)
if [ "x$mark" != "x${mark%:*}" ]; then
case "${mark#*:}" in
p|P)
handle_designator tcpre
;;
cp|CP)
handle_designator tcpre
do_connmark
;;
f|F)
handle_designator tcfor
;;
cf|CF)
handle_designator tcfor
do_connmark
;;
t|T)
handle_designator tcpost
;;
ct|CT)
handle_designator tcpost
do_connmark
;;
c|C)
mark=${mark%:*}
do_connmark
;;
*)
chain=tcpost
classid=Yes
target="CLASSIFY --set-class"
;;
esac
fi
;;
esac
mask=0xffff
case $mark in
SAVE)
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
target="CONNMARK --save-mark --mask 0xFF"
mark=
;;
SAVE/*)
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
target="CONNMARK --save-mark --mask"
mark=${mark#*/}
verify_small_mark $mark
;;
RESTORE)
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
target="CONNMARK --restore-mark --mask 0xFF"
mark=
;;
RESTORE/*)
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
target="CONNMARK --restore-mark --mask"
mark=${mark#*/}
verify_small_mark $mark
;;
CONTINUE)
[ -n "$did_connmark" ] && fatal_error "CONTINUE not valid with :C[FP]"
target=RETURN
mark=
;;
\|*)
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]"
target="MARK --or-mark"
mark=${mark#|}
validate_mark $mark
if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
fatal_error "Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
fi
;;
\&*)
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]"
target="MARK --and-mark"
mark=${mark#&}
validate_mark $mark
if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
fi
;;
*)
if [ -z "$classid" ]; then
validate_mark $mark
if [ $((${mark%/*})) -gt 255 ]; then
case $chain in
tcpre|tcout)
;;
*)
fatal_error "Invalid mark value ($mark) in rule \"$rule\""
;;
esac
elif [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
fi
fi
;;
esac
case $testval in
-)
;;
!*:C)
marktest="connmark ! "
testval=${testval%:*}
testval=${testval#!}
;;
*:C)
marktest="connmark "
testval=${testval%:*}
;;
!*)
marktest="mark ! "
testval=${testval#!}
;;
*)
[ -n "$testval" ] && marktest="mark "
;;
esac
if [ -n "$marktest" ] ; then
case $testval in
*/*)
verify_mark ${testval%/*}
verify_mark ${testval#*/}
;;
*)
verify_mark $testval
testval=$testval/$mask
;;
esac
fi
excludesources=
case ${sources:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $sources) -gt 1 ]; then
excludesources=${sources#!}
sources=-
fi
;;
*!*)
excludesources=${sources#*!}
sources=${sources%!*}
;;
esac
excludedests=
case ${dests:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $dests) -gt 1 ]; then
excludedests=${dests#*!}
dests=-
fi
;;
*!*)
excludedests=${dests#*!}
dests=${dests%!*}
;;
esac
multiport=--dport
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule
done
done
done
done
progress_message " TC Rule \"$rule\" $DONE"
save_progress_message_short " TC Rule \\\"$rule\\\" Added"
}
#
# Process the tcrules file
#
process_tc_rules()
{
cat >&3 << __EOF__
#
# Create Marking Rules from the tcrules file
#
setup_tc_rules()
{
__EOF__
INDENT=" "
while read mark sources dests proto ports sports user testval length tos; do
if [ "x$mark" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
comment=$(echo $sources $dests $proto $ports $sports $user $testval $length $tos)
save_command COMMENT=\"$comment\"
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
process_tc_rule
fi
done < $TMP_DIR/tcrules
INDENT=""
save_command "}"
save_command
}

302
Shorewall-shell/lib.tunnels
View File

@ -1,302 +0,0 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.tunnels
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is
# non-empty.
#
#
# Set up ipsec tunnels
#
setup_tunnels() # $1 = name of tunnels file
{
local inchain
local outchain
local source
local dest
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
local kind
kind=$1
local noah
noah=noah
case $kind in
*:*)
noah=${kind#*:}
case $noah in
ah|AH)
noah=
;;
noah|NOAH)
;;
*)
fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
;;
esac
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
addrule2 $outchain -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 $source -j ACCEPT
run_iptables -A $outchain -p 51 $dest -j ACCEPT
fi
run_iptables -A $outchain -p udp $dest --dport 500 $options
if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp $source --dport 500 $options
else
run_iptables -A $inchain -p udp $source --dport 500 $options
run_iptables -A $inchain -p udp $source --dport 4500 $options
run_iptables -A $outchain -p udp $dest --dport 4500 $options
fi
for z in $(separate_list $2); do
if validate_zone $z; then
if [ -z "$POLICY_MATCH" ]; then
addrule ${z}2${FW} -p 50 $source -j ACCEPT
addrule ${FW}2${z} -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
addrule ${z}2${FW} -p 51 $source -j ACCEPT
addrule ${FW}2${z} -p 51 $dest -j ACCEPT
fi
fi
if [ $kind = ipsec ]; then
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
else
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
addrule ${z}2${FW} -p udp $source --dport 4500 $options
addrule ${FW}2${z} -p udp $dest --dport 4500 $options
fi
else
fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
fi
done
progress_message_and_save " IPSEC tunnel to $gateway defined."
}
setup_one_other() # $1 = TYPE, $2 = protocol
{
addrule2 $inchain -p $2 $source -j ACCEPT
addrule2 $outchain -p $2 $dest -j ACCEPT
progress_message_and_save " $1 tunnel to $gateway compiled."
}
setup_pptp_client()
{
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
progress_message_and_save " PPTP tunnel to $gateway defined."
}
setup_pptp_server()
{
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
progress_message_and_save " PPTP server defined."
}
setup_one_openvpn() # $1 = kind[:port]
{
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
}
setup_one_openvpn_server() # $1 = kind[:port]
{
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
}
setup_one_openvpn_client() # $1 = kind[:port]
{
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
}
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
local p
p=
case $1 in
*:*:*)
p=${1##*:}
protocol=${1%:*}
protocol=${protocol#*:}
;;
*:*)
protocol=${1#*:}
;;
*)
protocol=udp
p=5000
;;
esac
p=${p:+--dport $p}
addrule2 $inchain -p $protocol $source $p -j ACCEPT
addrule2 $outchain -p $protocol $dest $p -j ACCEPT
progress_message_and_save " GENERIC tunnel to $1:$p defined."
}
while read kind z gateway z1; do
tunnel="$(echo $kind $z $gateway $z1)"
if validate_zone $z; then
inchain=${z}2${FW}
outchain=${FW}2${z}
gateway=${gateway:-0.0.0.0/0}
source=$(source_ip_range $gateway)
dest=$(dest_ip_range $gateway)
case $kind in
ipsec|IPSEC|ipsec:*|IPSEC:*)
setup_one_ipsec $kind $z1
;;
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
setup_one_ipsec $kind $z1
;;
ipip|IPIP)
setup_one_other IPIP 4
;;
gre|GRE)
setup_one_other GRE 47
;;
6to4|6TO4)
setup_one_other 6to4 41
;;
pptpclient|PPTPCLIENT)
setup_pptp_client
;;
pptpserver|PPTPSERVER)
setup_pptp_server
;;
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
setup_one_openvpn $kind
;;
openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
setup_one_openvpn_client $kind
;;
openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
setup_one_openvpn_server $kind
;;
generic:*|GENERIC:*)
setup_one_generic $kind
;;
*)
error_message "WARNING: Tunnels of type $kind are not supported:" \
"Tunnel \"$tunnel\" Ignored"
;;
esac
save_command
else
error_message "ERROR: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored"
fi
done < $TMP_DIR/tunnels
}

203
Shorewall-shell/prog.footer
View File

@ -1,203 +0,0 @@
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
set -x
shift
fi
initialize
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
v*)
VERBOSE=$(($VERBOSE + 1 ))
option=${option#v}
;;
q*)
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
n*)
NOROUTES=Yes
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
COMMAND="$1"
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if shorewall_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$PURGE" ] && conntrack -F
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
fi
progress_message3 "done."
fi
;;
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if ! shorewall_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
date > ${VARDIR}/restarted
status=0
progress_message3 "$PRODUCT Counters Reset"
else
status=0
for chain in $@; do
if chain_exists $chain; then
if qt $IPTABLES -Z $chain; then
progress_message3 "Filter table $chain Counters Reset"
else
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
else
error_message "WARNING: Filter Chain $chain does not exist"
fi
done
fi
;;
restart)
[ $# -ne 1 ] && usage 2
if shorewall_is_started; then
progress_message3 "Restarting $PRODUCT...."
else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$PURGE" ] && conntrack -F
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
else
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
if shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
refresh_firewall
status=$?
progress_message3 "done."
else
echo "$PRODUCT is not running" >&2
status=2
fi
;;
restore)
[ $# -ne 1 ] && usage 2
restore_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
status)
[ $# -ne 1 ] && usage 2
echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
echo
if shorewall_is_started; then
echo "$PRODUCT is running"
status=0
else
echo "$PRODUCT is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
echo "State:$state"
echo
;;
version)
[ $# -ne 1 ] && usage 2
echo $VERSION
status=0
;;
help)
[ $# -ne 1 ] && usage 2
usage 0
;;
*)
usage 2
;;
esac
exit $status

26
Shorewall-shell/prog.header
View File

@ -1,26 +0,0 @@
#!/bin/sh
#
# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net)
#
#
# Options are:
#
# -n Don't alter Routing
# -v and -q Standard Shorewall Verbosity control
#
# Commands are:
#
# start Starts the firewall
# refresh Refresh the firewall
# restart Restarts the firewall
# reload Reload the firewall
# clear Removes all firewall rules
# stop Stops the firewall
# status Displays firewall status
# version Displays the version of Shorewall that
# generated this program
#

200
Shorewall-shell/shorewall-shell.spec
View File

@ -1,200 +0,0 @@
%define name shorewall-shell
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
License: GPL
Packager: Tom Eastep <teastep@shorewall.net>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables
Requires: iproute
Requires: shorewall-common >= 4.0.0-0RC1
Provides: shorewall_compiler = %{version}-%{release}
Provides: shorewall = %{version}-%{release}
Obsoletes: shorewall < 4.0.0-0Beta7
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
Shorewall-shell is a part of Shorewall that alows running shorewall with
legacy configurations. Shorewall-perl is the preferred compiler, please use
it for new installations.
%prep
%setup
%build
%install
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh -n
%clean
rm -rf $RPM_BUILD_ROOT
%post
%preun
%postun
if [ "$1" -eq 0 -a -f /etc/shorewall/shorewall.conf ]; then
sed -i.rpmsave -e 's/SHOREWALL_COMPILER=shell/SHOREWALL_COMPILER=/' /etc/shorewall/shorewall.conf
if cmp -s /etc/shorewall/shorewall.conf.rpmsave /etc/shorewall/shorewall.conf; then
rm -f /etc/shorewall/shorewall.conf.rpmsave
else
echo "/etc/shorewall/shorewall.conf modified - original saved as /etc/shorewall/shorewall.conf.rpmsave"
fi
fi
%files
%defattr(0644,root,root,0755)
%attr(0755,root,root) %dir /usr/share/shorewall-shell
%attr(0755,root,root) /usr/share/shorewall-shell/compiler
%attr(0644,root,root) /usr/share/shorewall-shell/lib.accounting
%attr(0644,root,root) /usr/share/shorewall-shell/lib.actions
%attr(0644,root,root) /usr/share/shorewall-shell/lib.maclist
%attr(0644,root,root) /usr/share/shorewall-shell/lib.nat
%attr(0644,root,root) /usr/share/shorewall-shell/lib.providers
%attr(0644,root,root) /usr/share/shorewall-shell/lib.proxyarp
%attr(0644,root,root) /usr/share/shorewall-shell/lib.tc
%attr(0644,root,root) /usr/share/shorewall-shell/lib.tcrules
%attr(0644,root,root) /usr/share/shorewall-shell/lib.tunnels
%attr(0644,root,root) /usr/share/shorewall-shell/prog.footer
%attr(0644,root,root) /usr/share/shorewall-shell/prog.header
%attr(0644,root,root) /usr/share/shorewall-shell/version
%doc COPYING INSTALL
%changelog
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC1
* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.4-0base
* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.3-0base
* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.2-0base
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.0-0base
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 2.3.0-0base
* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.1-0base
* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0base
* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC4
* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC3
* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC2
* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC1
* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta3
* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta2
* Wed May 07 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta1
* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.8-0base
* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.7-0base
* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.6-0base
* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.5-0base
* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.4-0base
* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-0base
* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.1-1
* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.0-1
* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
- Modify shorewall.conf on uninstall
- Updated to 4.0.0-1
* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC2
* Fri Jun 29 2007 Tom EAstep tom@shorewall.net
- Updated to 4.0.0-0RC1
* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta7
* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta6
* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta5
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3
* Tue May 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta1
* Fri May 11 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.6-1
* Sat May 05 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.6-1
* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.5-1
* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.4-1
* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.3-1
* Mon Apr 16 2007 Tom Eastep tom@shorewall.net
- Moved lib.dynamiczones to Shorewall-common
* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.2-1
* Tue Apr 03 2007 Tom Eastep tom@shorewall.net
- Initial Version