Bring forward 3.2.2 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-22 15:43:30 +01:00 · 2006-08-09 16:18:32 +00:00 · 2006-08-09 16:18:32 +00:00 · aaa06b41c2
commit aaa06b41c2
parent 5f7af88022
5 changed files with 91 additions and 92 deletions
--- a/Shorewall-lite/help
+++ b/Shorewall-lite/help
@ -44,7 +44,7 @@ allow)
    Re-enables receipt of packets from hosts previously blacklisted
    by a drop or reject command.

-    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.

    See also \"help address\""
 	;;
@ -66,7 +66,7 @@ debug)

    then a shell trace of the command is produced.  For example:

-	shorewall debug start 2> /tmp/trace
+	shorewall-lite debug start 2> /tmp/trace

    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace.
@ -78,7 +78,7 @@ drop)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be ignored

-    Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.

    See also \"help address\""
 	;;
@ -86,7 +86,7 @@ drop)
 dump)
 	echo "dump: dump

-    shorewall [-x] dump
+    shorewall-lite [-x] dump

    Produce a verbose report about the firewall for problem analysis.

@ -105,7 +105,7 @@ forget)

 help)
 	echo "help: help [<command> | host | address ]
-    Display helpful information about the shorewall commands."
+    Display helpful information about the shorewall-lite commands."
 	;;

 hits)
@ -136,7 +136,7 @@ logdrop)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be ignored and loged.

-    Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.

    See also \"help address\""
 	;;
@ -152,7 +152,7 @@ logreject)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be rejected and logged.

-    Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.

    See also \"help address\""
 	;;
@ -161,7 +161,7 @@ reject)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be rejected

-    Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.

    See also \"help address\""
 	;;
@ -173,7 +173,7 @@ reset)

 restart)
 	echo "restart: restart [ -n ] [ <configuration-directory> ]
-    Restart is the same as a shorewall stop && shorewall start.
+    Restart is the same as a shorewall-lite stop && shorewall-lite start.
    Existing connections are maintained.

    If \"-n\" is specified, no changes to routing will be made"
@ -183,9 +183,9 @@ restore)
 	echo "restore: restore [ -n ] [ <file name> ]
    Restore Shorewall to a state saved using the 'save' command
    Existing connections are maintained. The <file name> names a restore file in
-    /var/lib/shorewall-lite created using \"shorewall save\"; if no <file name> is given
-    then Shorewall will be restored from the file specified by the RESTOREFILE
-    option in shorewall.conf.
+    /var/lib/shorewall-lite created using \"shorewall-lite save\"; if no 
+    <file name> is given then Shorewall Lite will be restored from the file
+    specified by the RESTOREFILE option in shorewall.conf.

    If \"-n\" is specified, no changes to routing will be made.

@ -195,50 +195,53 @@ restore)
 save)
 	echo "save: save [ <file name> ]
    The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the
-    firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall restore'
-    and 'shorewall -f start' commands. If <file name> is not given then the state is saved
+    firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall-lite restore'
+    and 'shorewall-lite -f start' commands. If <file name> is not given then the state is saved
    in the file specified by the RESTOREFILE option in shorewall.conf.

-    Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+    shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.

    See also \"help restore\" and \"help forget\""
 	;;

 show)
-	echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
+	echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]

-    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
+    shorewall-lite [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)

-    shorewall [-x] show mangle - produce a verbose report about the mangle table.
+    shorewall-lite [-x] show mangle - produce a verbose report about the mangle table.
    (iptables -t mangle -L -n -v)

-    shorewall [-x] show nat - produce a verbose report about the nat table.
+    shorewall-lite [-x] show nat - produce a verbose report about the nat table.
    (iptables -t nat -L -n -v)

-    shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
+    shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
 	MAC addresses in the log entries (if any) are displayed.

-    shorewall show connections - displays the IP connections currently
+    shorewall-lite show connections - displays the IP connections currently
 	being tracked by the firewall.

-    shorewall show tc - displays information about the traffic
+    shorewall-lite show tc - displays information about the traffic
 	control/shaping configuration.

-    shorewall show zones - displays the contents of all zones.
+    shorewall-lite show zones - displays the contents of all zones.

-    shorewall show capabilities - displays your kernel/iptables capabilities
+    shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities.  When \"-f\" is
+    specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative
+    system.

-    shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
+    shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution

    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;

 start)
 	echo "start: start [ -f ] [ -n ] [ <configuration-directory> ]
-    Start shorewall.  Existing connections through shorewall managed
+    Start Shorewall Lite.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies.
+
    If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
    in shorewall.conf will be restored if that saved configuration exists. In that
    case, a <configuration-directory> may not be specified.
@ -256,7 +259,7 @@ stop)
 status)
 	echo "status: status

-    shorewall status
+    shorewall-lite status

    Displays the Shorewall Lite status (running/not-running).

@ -270,11 +273,11 @@ trace)
    If you include the keyword trace as the first argument to any
    of these commands:

-	start|stop|restart|reset|clear|check|add|delete
+	start|stop|restart|reset|clear

    then a shell trace of the command is produced.  For example:

-	shorewall trace start 2> /tmp/trace
+	shorewall-lite trace start 2> /tmp/trace

    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace.
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #

-VERSION=3.2.0
+VERSION=3.2.2

 usage() # $1 = exit status
 {
@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup

 backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
 {
-    if [ -z "$PREFIX" ]; then
+    if [ -z "${PREFIX}${NOBACKUP}" ]; then
 	if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
 	    if [ -n "$2" ]; then
 		if [ -d $2 ]; then
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
 	GROUP=root
 fi

+NOBACKUP=
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall Lite Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
+	-n)
+	    NOBACKUP=Yes
+	    ;;
 	*)
 	    usage 1
 	    ;;
@ -216,9 +222,11 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
    first_install=""
-    backup_directory /etc/shorewall-lite
-    backup_directory /usr/share/shorewall-lite
-    backup_directory /var/lib/shorewall-lite
+    if [ -z "$NOBACKUP" ]; then
+	backup_directory /etc/shorewall-lite
+	backup_directory /usr/share/shorewall-lite
+	backup_directory /var/lib/shorewall-lite
+    fi
 else
    first_install="Yes"
    rm -rf ${PREFIX}/etc/shorewall-lite
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@ -44,50 +44,18 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

+PRODUCT="Shorewall Lite"
+
 . /usr/share/shorewall-lite/functions
 . /usr/share/shorewall-lite/configpath
-. /etc/shorewall-lite/shorewall.conf
+
+[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 VERSION=$(cat /usr/share/shorewall-lite/version)

-report_capability() # $1 = Capability
-{
-    eval echo $1=\$$1
-}
-
-report_capabilities() {
-    echo "#"
-    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
-    report_capability NAT_ENABLED
-    report_capability MANGLE_ENABLED
-    report_capability MULTIPORT
-    report_capability XMULTIPORT
-    report_capability CONNTRACK_MATCH
-    report_capability USEPKTTYPE
-    report_capability POLICY_MATCH
-    report_capability PHYSDEV_MATCH
-    report_capability LENGTH_MATCH
-    report_capability IPRANGE_MATCH
-    report_capability RECENT_MATCH
-    report_capability OWNER_MATCH
-    report_capability IPSET_MATCH
-    report_capability CONNMARK
-    report_capability XCONNMARK
-    report_capability CONNMARK_MATCH
-    report_capability XCONNMARK_MATCH
-    report_capability RAW_TABLE
-    report_capability IPP2P_MATCH
-    report_capability CLASSIFY_TARGET
-    report_capability ENHANCED_REJECT
-    report_capability KLUDGEFREE
-    report_capability MARK
-    report_capability XMARK
-    report_capability MANGLE_FORWARD
-}
-
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
 VERBOSE=0
 load_kernel_modules
 determine_capabilities
-report_capabilities
+report_capabilities1
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@ -162,6 +162,8 @@ validate_restorefile() # $* = label
 #
 get_config() {

+    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if [ ! -f $LOGFILE ]; then
@ -376,10 +378,29 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    done
 }

+#
+# Verify that we have a compiled firewall script
+#
+verify_firewall_script() {
+    if [ ! -f $FIREWALL ]; then
+	echo "   ERROR: Shorewall Lite is not properly installed" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
+	    echo "          non-existant file" >&2
+	else
+	    echo "          The file $FIREWALL does not exist" >&2
+	fi
+	
+	exit 2
+    fi
+}
+
 #
 # Save currently running configuration
 #
 save_config() {
+    verify_firewall_script
+    
    if shorewall_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

@ -471,6 +492,8 @@ start_command() {
 	[ -n "$nolock" ] || mutex_off
    }

+    verify_firewall_script
+
    if shorewall_is_started; then
 	error_message "Shorewall is already running"
 	exit 1
@ -574,6 +597,8 @@ start_command() {
 restart_command() {
    local finished=0

+    verify_firewall_script
+
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@ -668,6 +693,10 @@ show_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			f*)
+			    FILEMODE=Yes
+			    option=${option#f}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@ -744,7 +773,11 @@ show_command() {
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
 	    VERBOSE=2
-	    report_capabilities
+	    if [ -n "$FILEMODE" ]; then
+		report_capabilities1
+	    else
+		report_capabilities
+	    fi
 	    ;;
 	config)
 	    . ${SHAREDIR}/configpath
@ -964,7 +997,6 @@ usage() # $1 = exit status
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
    echo "   clear"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
@ -982,7 +1014,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
+    echo "   show [ -x ] [ -m ] [ -f ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
    echo "   stop"
    echo "   status"
@ -1214,18 +1246,6 @@ get_config

 FIREWALL=$LITEDIR/firewall

-if [ ! -f $FIREWALL ]; then
-    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    if [ -L $FIREWALL ]; then
-	echo "          $FIREWALL is a symbolic link to a" >&2
-	echo "          non-existant file" >&2
-    else
-	echo "          The file $FIREWALL does not exist" >&2
-    fi
-
-    exit 2
-fi
-
 if [ -f $VERSION_FILE ]; then
    version=$(cat $VERSION_FILE)
 else
@ -1263,6 +1283,7 @@ case "$COMMAND" in
 	;;
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
+	verify_firewall_script
 	export NOROUTES
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	;;
@ -1270,10 +1291,6 @@ case "$COMMAND" in
 	shift
 	restart_command $@
 	;;
-    check)
-	shift
-	check_command $@
-	;;
    show|list)
    	shift
    	show_command $@
--- a/Shorewall-lite/shorewall.conf
+++ b/Shorewall-lite/shorewall.conf
@ -12,8 +12,11 @@
 #                                   N 0 T E
 ###############################################################################
 # Entries in this file override entries in the shorewall.conf file in the
-# configuration directory when the firewall script was compiled. Any variable
+# export directory when the firewall script was compiled. Any variable
 # not set here assumes the value defined at firewall compilation time.
+#
+# PROVIDED THAT shorewall.conf IN THE EXPORT DIRECTORY IS CORRECT, YOU DO NOT
+# NEED TO MODIFY THIS FILE IN ANY WAY
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################