Bring forward 3.2.2 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-08-09 16:18:32 +00:00
parent 5f7af88022
commit aaa06b41c2
5 changed files with 91 additions and 92 deletions


@ -44,7 +44,7 @@ allow)
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -66,7 +66,7 @@ debug)
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
shorewall-lite debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
@ -78,7 +78,7 @@ drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -86,7 +86,7 @@ drop)
dump)
echo "dump: dump
shorewall [-x] dump
shorewall-lite [-x] dump
Produce a verbose report about the firewall for problem analysis.
@ -105,7 +105,7 @@ forget)
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
Display helpful information about the shorewall-lite commands."
;;
hits)
@ -136,7 +136,7 @@ logdrop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -152,7 +152,7 @@ logreject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -161,7 +161,7 @@ reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -173,7 +173,7 @@ reset)
restart)
echo "restart: restart [ -n ] [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Restart is the same as a shorewall-lite stop && shorewall-lite start.
Existing connections are maintained.
If \"-n\" is specified, no changes to routing will be made"
@ -183,9 +183,9 @@ restore)
echo "restore: restore [ -n ] [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall-lite created using \"shorewall save\"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
/var/lib/shorewall-lite created using \"shorewall-lite save\"; if no
<file name> is given then Shorewall Lite will be restored from the file
specified by the RESTOREFILE option in shorewall.conf.
If \"-n\" is specified, no changes to routing will be made.
@ -195,50 +195,53 @@ restore)
save)
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall-lite restore'
and 'shorewall-lite -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
shorewall-lite [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall [-x] show mangle - produce a verbose report about the mangle table.
shorewall-lite [-x] show mangle - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall [-x] show nat - produce a verbose report about the nat table.
shorewall-lite [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
MAC addresses in the log entries (if any) are displayed.
shorewall show connections - displays the IP connections currently
shorewall-lite show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
shorewall-lite show tc - displays information about the traffic
control/shaping configuration.
shorewall show zones - displays the contents of all zones.
shorewall-lite show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative
system.
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: start [ -f ] [ -n ] [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
Start Shorewall Lite. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified.
@ -256,7 +259,7 @@ stop)
status)
echo "status: status
shorewall status
shorewall-lite status
Displays the Shorewall Lite status (running/not-running).
@ -270,11 +273,11 @@ trace)
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|check|add|delete
start|stop|restart|reset|clear
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
shorewall-lite trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
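Review bot: The rewritten line in the allow hunk, `shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.`, carries the `rejct` typo over from the line it replaces, and the new capabilities line in the show hunk, `shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is`, has a stray `-` before `[ -f ]` that does not match the other usage lines. Suggest `shorewall-lite allow, drop, reject and save implement dynamic blacklisting.` and `shorewall-lite show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is`. The untouched context line `Causes packets from the specified <address> to be ignored and loged.` in the logdrop hunk has the same kind of slip (`logged`), if you are already in the file.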


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=3.2.0
VERSION=3.2.2
usage() # $1 = exit status
{
@ -30,6 +30,7 @@ usage() # $1 = exit status
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
echo " $ME -n"
exit $1
}
@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
{
if [ -z "$PREFIX" ]; then
if [ -z "${PREFIX}${NOBACKUP}" ]; then
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if [ -n "$2" ]; then
if [ -d $2 ]; then
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
GROUP=root
fi
NOBACKUP=
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
echo "Shorewall Lite Firewall Installer Version $VERSION"
exit 0
;;
-n)
NOBACKUP=Yes
;;
*)
usage 1
;;
@ -216,9 +222,11 @@ echo "Installing Shorewall Lite Version $VERSION"
#
if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
first_install=""
backup_directory /etc/shorewall-lite
backup_directory /usr/share/shorewall-lite
backup_directory /var/lib/shorewall-lite
if [ -z "$NOBACKUP" ]; then
backup_directory /etc/shorewall-lite
backup_directory /usr/share/shorewall-lite
backup_directory /var/lib/shorewall-lite
fi
else
first_install="Yes"
rm -rf ${PREFIX}/etc/shorewall-lite
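Review bot: The new `-n` option is listed in usage only as `echo " $ME -n"`, with nothing saying what it does, yet it changes an upgrade from recoverable to destructive: with NOBACKUP set, `backup_file` now returns early through the widened `[ -z "${PREFIX}${NOBACKUP}" ]` and the three `backup_directory` calls in the last hunk are skipped, so the existing /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite contents are overwritten with no `-${VERSION}.bkout` copies to fall back on. Suggest `echo " $ME -n    # install without backing up the existing configuration"` in usage, and a comment on the option arm such as `# -n: skip every backup_file/backup_directory copy; the upgrade cannot be rolled back`. `[ -f $1 -a ! -f ${1}-${VERSION}.bkout ]` still expands `$1` unquoted, but that predates this change; backup_file's body continues past the hunk.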


@ -44,50 +44,18 @@
# used during firewall compilation, then the generated firewall program will likewise not
# require Shorewall to be installed.
PRODUCT="Shorewall Lite"
. /usr/share/shorewall-lite/functions
. /usr/share/shorewall-lite/configpath
. /etc/shorewall-lite/shorewall.conf
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
VERSION=$(cat /usr/share/shorewall-lite/version)
report_capability() # $1 = Capability
{
eval echo $1=\$$1
}
report_capabilities() {
echo "#"
echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
echo "#"
report_capability NAT_ENABLED
report_capability MANGLE_ENABLED
report_capability MULTIPORT
report_capability XMULTIPORT
report_capability CONNTRACK_MATCH
report_capability USEPKTTYPE
report_capability POLICY_MATCH
report_capability PHYSDEV_MATCH
report_capability LENGTH_MATCH
report_capability IPRANGE_MATCH
report_capability RECENT_MATCH
report_capability OWNER_MATCH
report_capability IPSET_MATCH
report_capability CONNMARK
report_capability XCONNMARK
report_capability CONNMARK_MATCH
report_capability XCONNMARK_MATCH
report_capability RAW_TABLE
report_capability IPP2P_MATCH
report_capability CLASSIFY_TARGET
report_capability ENHANCED_REJECT
report_capability KLUDGEFREE
report_capability MARK
report_capability XMARK
report_capability MANGLE_FORWARD
}
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
VERBOSE=0
load_kernel_modules
determine_capabilities
report_capabilities
report_capabilities1
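Review bot: `report_capabilities1` on the last line is called but defined nowhere in this file, and the numeric suffix does not say how it differs from the `report_capabilities` it replaces; judging from the `FILEMODE` branch added to show_command in the shorewall-lite script, it appears to be the variant whose output is meant to be saved as /etc/shorewall/capabilities, presumably now supplied by the sourced /usr/share/shorewall-lite/functions. A one-line comment above the call would spare the next reader the search, e.g. `# report_capabilities1 (sourced from /usr/share/shorewall-lite/functions) prints the capabilities in the format expected by /etc/shorewall/capabilities`. If an older functions file lacks it, the script fails with command-not-found only after `load_kernel_modules` and `determine_capabilities` have run, so a short check before the call would give a clearer error.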


@ -162,6 +162,8 @@ validate_restorefile() # $* = label
#
get_config() {
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ ! -f $LOGFILE ]; then
@ -376,10 +378,29 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $FIREWALL ]; then
echo " ERROR: Shorewall Lite is not properly installed" >&2
if [ -L $FIREWALL ]; then
echo " $FIREWALL is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $FIREWALL does not exist" >&2
fi
exit 2
fi
}
#
# Save currently running configuration
#
save_config() {
verify_firewall_script
if shorewall_is_started ; then
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@ -471,6 +492,8 @@ start_command() {
[ -n "$nolock" ] || mutex_off
}
verify_firewall_script
if shorewall_is_started; then
error_message "Shorewall is already running"
exit 1
@ -574,6 +597,8 @@ start_command() {
restart_command() {
local finished=0
verify_firewall_script
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
@ -668,6 +693,10 @@ show_command() {
SHOWMACS=Yes
option=${option#m}
;;
f*)
FILEMODE=Yes
option=${option#f}
;;
*)
usage 1
;;
@ -744,7 +773,11 @@ show_command() {
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
if [ -n "$FILEMODE" ]; then
report_capabilities1
else
report_capabilities
fi
;;
config)
. ${SHAREDIR}/configpath
@ -964,7 +997,6 @@ usage() # $1 = exit status
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
echo "where <command> is one of:"
echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]"
echo " clear"
echo " drop <address> ..."
echo " dump [ -x ]"
@ -982,7 +1014,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
echo " show [ -x ] [ -m ] [ -f ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop"
echo " status"
@ -1214,18 +1246,6 @@ get_config
FIREWALL=$LITEDIR/firewall
if [ ! -f $FIREWALL ]; then
echo " ERROR: Shorewall Lite is not properly installed" >&2
if [ -L $FIREWALL ]; then
echo " $FIREWALL is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $FIREWALL does not exist" >&2
fi
exit 2
fi
if [ -f $VERSION_FILE ]; then
version=$(cat $VERSION_FILE)
else
@ -1263,6 +1283,7 @@ case "$COMMAND" in
;;
stop|reset|clear)
[ $# -ne 1 ] && usage 1
verify_firewall_script
export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
;;
@ -1270,10 +1291,6 @@ case "$COMMAND" in
shift
restart_command $@
;;
check)
shift
check_command $@
;;
show|list)
shift
show_command $@
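Review bot: In the new `verify_firewall_script`, `$FIREWALL` is expanded unquoted in `if [ ! -f $FIREWALL ]; then` and `if [ -L $FIREWALL ]; then`; a LITEDIR containing whitespace hands `[` extra arguments, and an empty FIREWALL collapses the first test to the two-argument form `[ ! -f ]`, which is false, so the check passes and the stop|reset|clear arm proceeds to `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND` with no script at all. Quote both tests, `if [ ! -f "$FIREWALL" ]; then` and `if [ -L "$FIREWALL" ]; then`, and `"$FIREWALL"` in the exec line. `non-existant` in the moved error text should read `non-existent`. `FILEMODE` is set by the new `f*)` arm of show_command but nowhere visible is it cleared before option parsing, so a value inherited from the environment would silently select the file-format capabilities report; an explicit `FILEMODE=` where SHOWMACS is initialised would close that, if it is not already done outside the hunk (show_command begins before the hunk).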


@ -12,8 +12,11 @@
# N 0 T E
###############################################################################
# Entries in this file override entries in the shorewall.conf file in the
# configuration directory when the firewall script was compiled. Any variable
# export directory when the firewall script was compiled. Any variable
# not set here assumes the value defined at firewall compilation time.
#
# PROVIDED THAT shorewall.conf IN THE EXPORT DIRECTORY IS CORRECT, YOU DO NOT
# NEED TO MODIFY THIS FILE IN ANY WAY
###############################################################################
# V E R B O S I T Y
###############################################################################