Shorewall 1.4.6_20030727

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@679 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -6,3 +6,5 @@ Changes since 1.4.6
    MANGLE_ENABLED is set before it is tested.
 
 3) Fixed MAC address handling in the SOURCE column of tcrules.
+
+4) Merged and corrected Steve Herber's command-specific help patch.

Shorewall/fallback.sh

@@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
 restore_file /usr/lib/shorewall/functions
 restore_file /var/lib/shorewall/functions
 restore_file /usr/lib/shorewall/firewall
+restore_file /usr/lib/shorewall/help
 
 restore_file /etc/shorewall/common.def
 

Shorewall/help

@@ -0,0 +1,260 @@
+#!/bin/sh
+#
+# Shorewall help subsystem - V1.4 - 3/14/2003
+#
+#
+#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+#     (c) 2003 - Tom Eastep (teastep@shorewall.net)
+#                Steve Herber (herber@thing.com)
+#
+#	This file should be placed in /usr/share/shorewall/help
+#
+#	Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+##################################################################################
+
+case $1 in
+
+add)
+	echo "add: add <interface>[:<host>] <zone>
+    Adds a host or subnet to a dynamic zone usually used with VPN's.
+
+    shorewall add interface[:host] zone - Adds the specified interface
+    (and host if included) to the specified zone.
+
+    Example:
+
+    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
+    from interface ipsec0 to the zone vpn1.
+
+    See also \"help host\""
+	;;
+
+address|host)
+        echo "<$1>: 
+    May be either a host IP address such as 192.168.1.4 or a network address in
+    CIDR format like 192.168.1.0/24"
+	;;
+
+allow)
+	echo "allow: allow <address> ...
+    Re-enables receipt of packets from hosts previously blacklisted
+    by a drop, dropall, reject or rejectall command.
+
+    Shorewall allow, drop, dropall, reject, rejectall, and save implement
+    dynamic blacklisting.
+
+    See also \"help address\""
+	;;
+
+check)
+	echo "check: check [ -c <configuration-directory> ]
+   Performs a cursory validation of the zones, interfaces, hosts,
+   rules and policy files.  Use this if you are unsure of any edits
+   you have made to the shorewall configuration.  See the try command
+   examples for a recommended way to make changes."
+	;;
+
+clear)
+	echo "clear: clear
+    Clear will remove all rules and chains installed by Shoreline.
+    The firewall is then wide open and unprotected.  Existing
+    connections are untouched.  Clear is often used to see if the
+    firewall is causing connection problems."
+	;;
+
+debug)
+	echo "debug: debug
+    If you include the keyword debug as the first argument to any
+    of these commands:
+
+	start|stop|restart|reset|clear|refresh|check|add|delete
+
+    then a shell trace of the command is produced.  For example:
+
+	shorewall debug start 2> /tmp/trace
+
+    The above command would trace the 'start' command and
+    place the trace information in the file /tmp/trace."
+	;;
+
+delete)
+	echo "delete: delete <interface>[:<host>] <zone>
+    Deletes a host or subnet from a dynamic zone usually used with VPN's.
+
+    shorewall delete interface[:host] zone - Deletes the specified
+    interface (and host if included) from the specified zone.
+
+    Example:
+
+    shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
+    192.0.2.24 from interface ipsec0 from zone vpn1
+
+    See also \"help host\""
+	;;
+
+drop|dropall)
+	echo "$1: $1 <address> ...
+    Causes packets from the specified <address> to be ignored
+
+    Shorewall allow, drop, dropall, reject, rejectall, and save implement
+    dynamic blacklisting.
+
+    'dropall' causes all interfaces to be monitored for packets from the
+    given address while 'drop' causes only those interfaces with a route
+    to the address to be monitored.
+
+    See also \"help address\""
+	;;
+
+help)
+	echo "help: help [<command> | host | address ]
+    Display helpful information about the shorewall commands."
+	;;
+
+hits)
+    echo "hits: hits
+    Produces several reports about the Shorewall packet log messages
+    in the current /var/log/messages file."
+	;;
+
+ipcalc)
+	echo "ipcalc: ipcalc [ address mask | address/vlsm ]
+    Ipcalc displays the network address, broadcast address,
+    network in CIDR notation and netmask corresponding to the input[s]."
+	;;
+
+iprange)
+	echo "iprange: iprange address1-address2
+    Iprange decomposes the specified range of IP addresses into the
+    equivalent list of network/host addresses."
+	;;
+
+logwatch)
+	echo "logwatch: logwatch [<refresh interval>]
+    Monitors the LOGFILE, $LOGFILE,
+    and produces an audible alarm when new Shorewall messages are logged."
+	;;
+
+monitor)
+	echo "monitor: monitor [<refresh_interval>]
+    Continuously display the firewall status, last 20 log entries and nat.
+    When the log entry display changes, an audible alarm is sounded."
+	;;
+
+refresh)
+	echo "refresh: refresh
+    The rules involving the broadcast addresses of firewall interfaces,
+    the black list, traffic control rules and ECN control rules are recreated
+    to reflect any changes made.  Existing connections are untouched"
+	;;
+
+reject|rejectall)
+	echo "$1: $1 <address> ...
+    Causes packets from the specified <address> to be rejected
+
+    Shorewall allow, drop, dropall, reject, rejectall, and save implement
+    dynamic blacklisting.
+
+    'rejectall' causes all interfaces to be monitored for packets from the
+    given address while 'reject' causes only those interfaces with a route
+    to the address to be monitored.
+
+    See also \"help address\""
+	;;
+
+reset)
+	echo "reset: reset
+    All the packet and byte counters in the firewall are reset."
+	;;
+
+restart)
+	echo "restart: restart [ -c <configuration-directory> ]
+    Restart is the same as a shorewall stop && shorewall start.
+    Existing connections are dropped."
+	;;
+
+save)
+	echo "save: save
+    The dynamic data is stored in /var/lib/shorewall/save
+    Shorewall allow, drop, dropall, reject, rejectall, and save implement
+    dynamic blacklisting."
+	;;
+
+show)
+	echo "show: show [<chain>|classifiers|connections|log|nat|tc|tos]
+    shorewall show chain - produce a verbose report about the IPtable chains.
+    (iptables -L chain -n -v)
+
+    shorewall show nat - produce a verbose report about the nat table.
+    (iptables -t nat -L -n -v)
+
+    shorewall show tos - produce a verbose report about the mangle table.
+    (iptables -t mangle -L -n -v)
+
+    shorewall show log - display the last 20 packet log entries.
+
+    shorewall show connections - displays the IP connections currently
+	being tracked by the firewall.
+
+    shorewall show tc - displays information about the traffic
+	control/shaping configuration."
+	;;
+
+start)
+	echo "start: start [ -c <configuration-directory> ]
+    Start shorewall.  Existing connections through shorewall managed
+    interfaces are untouched.  New connections will be allowed only
+    if they are allowed by the firewall rules or policies."
+	;;
+
+stop)
+	echo "stop: stop
+    Stops the firewall.  All existing connections, except those
+    listed in /etc/shorewall/routestopped, are taken down.
+    The only new traffic permitted through the firewall
+    is from systems listed in /etc/shorewall/routestopped."
+	;;
+
+status)
+	echo "status: status
+    Produce a verbose report about the firewall.
+   
+    (iptables -L -n -v)"
+	;;
+
+try)
+	echo "try: try <configuration-directory> [ <timeout> ]
+    Restart shorewall using the specified configuration.  If an error
+    occurs during the restart, then another shorewall restart is performed
+    using the default configuration.  If a timeout is specified then
+    the restart is always performed after the timeout occurs and uses
+    the default configuration."
+	;;
+
+version)
+	echo "version: version
+    Show the current shorewall version which is: $version"
+	;;
+
+*)
+	echo "$1: $1 is not recognized by the help command"
+	;;
+
+esac
+
+exit 0	# always ok
+

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.6-20030726
+VERSION=1.4.6-20030727
 
 usage() # $1 = exit status
 {
@@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
 
 echo
 echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
+
+#
+# Install the Help file
+#
+install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
+
+echo
+echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
 #
 # Install the common.def file
 #

Shorewall/releasenotes.txt

@@ -9,8 +9,6 @@ Problems Corrected since version 1.4.6:
    tcrules file. Previously, these addresses resulted in an invalid
    iptables command.
 
-None.
-
 Migration Issues:
 
 1) Once you have installed this version of Shorewall, you must 
@@ -32,3 +30,5 @@ New Features:
    that do what 'drop' and 'reject' used to do; namely, when an address
    is blacklisted using these new commands, it will be blacklisted on
    all of your firewall's interfaces.
+2) Thanks to Steve Herber, the help command can now give
+   command-specific help.

Shorewall/shorewall

@@ -555,6 +555,16 @@ save_dynamic_blacklist() {
     fi
 
 }
+
+#
+# Help information
+#
+help()
+{
+    [ -x $HELP ] && { export version; exec $HELP $*; }
+    echo "Help subsystem is not installed at $HELP"
+}
+ 
 #
 # Give Usage Information
 #
@@ -563,27 +573,28 @@ usage() # $1 = exit status
     echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host>] <zone>"
+    echo "   allow <address> ..."
+    echo "   check"
+    echo "   clear"
     echo "   delete <interface>[:<host>] <zone>"
+    echo "   drop|dropall <address> ..."
+    echo "   help [ <command > | host | address ]"
+    echo "   hits"
+    echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
+    echo "   iprange <address>-<address>"
+    echo "   logwatch [<refresh interval>]"
+    echo "   monitor [<refresh interval>]"
+    echo "   refresh"
+    echo "   reject|rejectall <address> ..."
+    echo "   reset"
+    echo "   restart"
+    echo "   save"
     echo "   show [<chain>|classifiers|connections|log|nat|tc|tos]"
     echo "   start"
     echo "   stop"
-    echo "   reset"
-    echo "   restart"
     echo "   status"
-    echo "   clear"
-    echo "   refresh"
-    echo "   hits"
-    echo "   monitor [<refresh interval>]"
-    echo "   version"
-    echo "   check"
     echo "   try <directory> [ <timeout> ]"
-    echo "   logwatch [<refresh interval>]"
+    echo "   version"
-    echo "   drop|dropall <address> ..."
-    echo "   reject|rejectall <address> ..."
-    echo "   allow <address> ..."
-    echo "   save"
-    echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
-    echo "   iprange <address>-<address>"
     exit $1
 }
 
@@ -653,6 +664,7 @@ SHARED_DIR=/usr/share/shorewall
 FIREWALL=$SHARED_DIR/firewall
 FUNCTIONS=$SHARED_DIR/functions
 VERSION_FILE=$SHARED_DIR/version
+HELP=$SHARED_DIR/help
 
 if [ -f $FUNCTIONS ]; then
     . $FUNCTIONS
@@ -1008,6 +1020,11 @@ case "$1" in
 	shift;
 	$@
 	;;
+    help)
+	shift
+	[ $# -ne 1 ] && usage 1
+	help $@
+	;;
     *)
 	usage 1
 	;;

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.6_20030726
+%define version 1.4.6_20030727
 %define release 1
 %define prefix /usr
 
@@ -101,10 +101,14 @@ fi
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
+%attr(0544,root,root) /usr/share/shorewall/help
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
+- Added /usr/share/shorewall/help
+- Changed version to 1.4.6_20030727-1
 * Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030726-1
 * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>