Bring forward 3.2.2 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-08-09 16:18:32 +00:00
parent 5f7af88022
commit aaa06b41c2
5 changed files with 91 additions and 92 deletions

View File

@ -44,7 +44,7 @@ allow)
Re-enables receipt of packets from hosts previously blacklisted Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command. by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting. shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
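Review bot: the typo "rejct" in the dynamic-blacklisting sentence survives the rename, and this copy of the sentence lists only allow, drop, rejct and save while the drop, logdrop, logreject, reject and save entries later in the same file list all six commands; suggest "shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting." here so every entry agrees.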
@ -66,7 +66,7 @@ debug)
then a shell trace of the command is produced. For example: then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace shorewall-lite debug start 2> /tmp/trace
The above command would trace the 'start' command and The above command would trace the 'start' command and
place the trace information in the file /tmp/trace. place the trace information in the file /tmp/trace.
@ -78,7 +78,7 @@ drop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored Causes packets from the specified <address> to be ignored
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -86,7 +86,7 @@ drop)
dump) dump)
echo "dump: dump echo "dump: dump
shorewall [-x] dump shorewall-lite [-x] dump
Produce a verbose report about the firewall for problem analysis. Produce a verbose report about the firewall for problem analysis.
@ -105,7 +105,7 @@ forget)
help) help)
echo "help: help [<command> | host | address ] echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands." Display helpful information about the shorewall-lite commands."
;; ;;
hits) hits)
@ -136,7 +136,7 @@ logdrop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged. Causes packets from the specified <address> to be ignored and loged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
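Review bot: "loged" in the logdrop description should be "logged" (the logreject entry in the next hunk spells it correctly); while this help text is being edited for the rename, fix the typo as well.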
@ -152,7 +152,7 @@ logreject)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged. Causes packets from the specified <address> to be rejected and logged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -161,7 +161,7 @@ reject)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected Causes packets from the specified <address> to be rejected
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -173,7 +173,7 @@ reset)
restart) restart)
echo "restart: restart [ -n ] [ <configuration-directory> ] echo "restart: restart [ -n ] [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start. Restart is the same as a shorewall-lite stop && shorewall-lite start.
Existing connections are maintained. Existing connections are maintained.
If \"-n\" is specified, no changes to routing will be made" If \"-n\" is specified, no changes to routing will be made"
@ -183,9 +183,9 @@ restore)
echo "restore: restore [ -n ] [ <file name> ] echo "restore: restore [ -n ] [ <file name> ]
Restore Shorewall to a state saved using the 'save' command Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall-lite created using \"shorewall save\"; if no <file name> is given /var/lib/shorewall-lite created using \"shorewall-lite save\"; if no
then Shorewall will be restored from the file specified by the RESTOREFILE <file name> is given then Shorewall Lite will be restored from the file
option in shorewall.conf. specified by the RESTOREFILE option in shorewall.conf.
If \"-n\" is specified, no changes to routing will be made. If \"-n\" is specified, no changes to routing will be made.
@ -195,50 +195,53 @@ restore)
save) save)
echo "save: save [ <file name> ] echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall restore' firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall-lite restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved and 'shorewall-lite -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf. in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\"" See also \"help restore\" and \"help forget\""
;; ;;
show) show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones] echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s). shorewall-lite [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v) (iptables -L chain -n -v)
shorewall [-x] show mangle - produce a verbose report about the mangle table. shorewall-lite [-x] show mangle - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v) (iptables -t mangle -L -n -v)
shorewall [-x] show nat - produce a verbose report about the nat table. shorewall-lite [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v) (iptables -t nat -L -n -v)
shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
MAC addresses in the log entries (if any) are displayed. MAC addresses in the log entries (if any) are displayed.
shorewall show connections - displays the IP connections currently shorewall-lite show connections - displays the IP connections currently
being tracked by the firewall. being tracked by the firewall.
shorewall show tc - displays information about the traffic shorewall-lite show tc - displays information about the traffic
control/shaping configuration. control/shaping configuration.
shorewall show zones - displays the contents of all zones. shorewall-lite show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative
system.
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;
start) start)
echo "start: start [ -f ] [ -n ] [ <configuration-directory> ] echo "start: start [ -f ] [ -n ] [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed Start Shorewall Lite. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists. In that in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified. case, a <configuration-directory> may not be specified.
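Review bot: the new capabilities line has a stray "- " before the option: "shorewall-lite show - [ -f ] capabilities" should read "shorewall-lite show [ -f ] capabilities", matching the usage() string "show [ -x ] [ -m ] [ -f ] [...]" added to the main script in this commit. "IPtable chain(s)" would also read better as "iptables chain(s)".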
@ -256,7 +259,7 @@ stop)
status) status)
echo "status: status echo "status: status
shorewall status shorewall-lite status
Displays the Shorewall Lite status (running/not-running). Displays the Shorewall Lite status (running/not-running).
@ -270,11 +273,11 @@ trace)
If you include the keyword trace as the first argument to any If you include the keyword trace as the first argument to any
of these commands: of these commands:
start|stop|restart|reset|clear|check|add|delete start|stop|restart|reset|clear
then a shell trace of the command is produced. For example: then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace shorewall-lite trace start 2> /tmp/trace
The above command would trace the 'start' command and The above command would trace the 'start' command and
place the trace information in the file /tmp/trace. place the trace information in the file /tmp/trace.

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=3.2.0 VERSION=3.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -30,6 +30,7 @@ usage() # $1 = exit status
echo "usage: $ME" echo "usage: $ME"
echo " $ME -v" echo " $ME -v"
echo " $ME -h" echo " $ME -h"
echo " $ME -n"
exit $1 exit $1
} }
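Review bot: the new "$ME -n" usage line gives no hint of what -n does; usage() is the only documentation the installer has, so add a short description (no backup of the existing installation) either on that line or as a comment beside the NOBACKUP handling.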
@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
{ {
if [ -z "$PREFIX" ]; then if [ -z "${PREFIX}${NOBACKUP}" ]; then
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if [ -n "$2" ]; then if [ -n "$2" ]; then
if [ -d $2 ]; then if [ -d $2 ]; then
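Review bot: `[ -z "${PREFIX}${NOBACKUP}" ]` works only because both variables are either empty or non-empty, and the concatenation hides the intent; `[ -z "$PREFIX" -a -z "$NOBACKUP" ]` states directly that backups are skipped when installing under a prefix or when -n was given. The inner test still expands $1 unquoted, so a path containing whitespace breaks the -f/-a expression; quote it as "$1" and "${1}-${VERSION}.bkout".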
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
GROUP=root GROUP=root
fi fi
NOBACKUP=
while [ $# -gt 0 ] ; do while [ $# -gt 0 ] ; do
case "$1" in case "$1" in
-h|help|?) -h|help|?)
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
echo "Shorewall Lite Firewall Installer Version $VERSION" echo "Shorewall Lite Firewall Installer Version $VERSION"
exit 0 exit 0
;; ;;
-n)
NOBACKUP=Yes
;;
*) *)
usage 1 usage 1
;; ;;
@ -216,9 +222,11 @@ echo "Installing Shorewall Lite Version $VERSION"
# #
if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
first_install="" first_install=""
backup_directory /etc/shorewall-lite if [ -z "$NOBACKUP" ]; then
backup_directory /usr/share/shorewall-lite backup_directory /etc/shorewall-lite
backup_directory /var/lib/shorewall-lite backup_directory /usr/share/shorewall-lite
backup_directory /var/lib/shorewall-lite
fi
else else
first_install="Yes" first_install="Yes"
rm -rf ${PREFIX}/etc/shorewall-lite rm -rf ${PREFIX}/etc/shorewall-lite
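Review bot: the NOBACKUP guard is applied at the call site here, whereas backup_file checks NOBACKUP internally; moving the check into backup_directory keeps the two helpers symmetric and prevents a later caller from forgetting the guard. Note also that with -n and an existing /etc/shorewall-lite the installer now proceeds with no .bkout copies at all, which is the case the backup was protecting against, so usage() should say so explicitly.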

View File

@ -44,50 +44,18 @@
# used during firewall compilation, then the generated firewall program will likewise not # used during firewall compilation, then the generated firewall program will likewise not
# require Shorewall to be installed. # require Shorewall to be installed.
PRODUCT="Shorewall Lite"
. /usr/share/shorewall-lite/functions . /usr/share/shorewall-lite/functions
. /usr/share/shorewall-lite/configpath . /usr/share/shorewall-lite/configpath
. /etc/shorewall-lite/shorewall.conf
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
VERSION=$(cat /usr/share/shorewall-lite/version) VERSION=$(cat /usr/share/shorewall-lite/version)
report_capability() # $1 = Capability
{
eval echo $1=\$$1
}
report_capabilities() {
echo "#"
echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
echo "#"
report_capability NAT_ENABLED
report_capability MANGLE_ENABLED
report_capability MULTIPORT
report_capability XMULTIPORT
report_capability CONNTRACK_MATCH
report_capability USEPKTTYPE
report_capability POLICY_MATCH
report_capability PHYSDEV_MATCH
report_capability LENGTH_MATCH
report_capability IPRANGE_MATCH
report_capability RECENT_MATCH
report_capability OWNER_MATCH
report_capability IPSET_MATCH
report_capability CONNMARK
report_capability XCONNMARK
report_capability CONNMARK_MATCH
report_capability XCONNMARK_MATCH
report_capability RAW_TABLE
report_capability IPP2P_MATCH
report_capability CLASSIFY_TARGET
report_capability ENHANCED_REJECT
report_capability KLUDGEFREE
report_capability MARK
report_capability XMARK
report_capability MANGLE_FORWARD
}
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
VERBOSE=0 VERBOSE=0
load_kernel_modules load_kernel_modules
determine_capabilities determine_capabilities
report_capabilities report_capabilities1
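Review bot: ". /etc/shorewall-lite/shorewall.conf" is sourced unconditionally, before the PATH fallback and before VERSION is read; if the file is absent the script aborts with a raw sourcing error, so test for it first and print a clear message. Because sourcing executes the file as shell code with the caller's (root) privileges, the file's ownership and mode should be checked before it is sourced. The replacement report_capabilities1 lives in /usr/share/shorewall-lite/functions, which is not part of this diff; confirm it produces the same header and VAR=value format as the local report_capabilities being removed here, since the help text in this commit says the output is meant to be copied to /etc/shorewall/capabilities on the administrative system.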

View File

@ -162,6 +162,8 @@ validate_restorefile() # $* = label
# #
get_config() { get_config() {
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ ! -f $LOGFILE ]; then if [ ! -f $LOGFILE ]; then
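Review bot: the PATH fallback only fires when PATH is empty; an inherited but unsafe PATH (one containing "." or a user-writable directory) is kept as-is, and a script run as root that invokes iptables, cat and friends by bare name should set a fixed PATH and export it rather than trust the environment. The identical line is added to the capabilities script in this commit, so a shared helper in functions would keep the two in step.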
@ -376,10 +378,29 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done done
} }
#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $FIREWALL ]; then
echo " ERROR: Shorewall Lite is not properly installed" >&2
if [ -L $FIREWALL ]; then
echo " $FIREWALL is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $FIREWALL does not exist" >&2
fi
exit 2
fi
}
# #
# Save currently running configuration # Save currently running configuration
# #
save_config() { save_config() {
verify_firewall_script
if shorewall_is_started ; then if shorewall_is_started ; then
[ -d ${VARDIR} ] || mkdir -p ${VARDIR} [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
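Review bot: verify_firewall_script carries over the "non-existant" misspelling from the block it replaces ("non-existent"), and $FIREWALL is unquoted in both tests; quote it as "$FIREWALL" so a path containing whitespace does not turn `[ ! -f $FIREWALL ]` into a test syntax error. The -L check inside the failed -f branch is correct for distinguishing a dangling symlink from a missing file, since -f follows links.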
@ -471,6 +492,8 @@ start_command() {
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
} }
verify_firewall_script
if shorewall_is_started; then if shorewall_is_started; then
error_message "Shorewall is already running" error_message "Shorewall is already running"
exit 1 exit 1
@ -574,6 +597,8 @@ start_command() {
restart_command() { restart_command() {
local finished=0 local finished=0
verify_firewall_script
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
case $option in case $option in
@ -668,6 +693,10 @@ show_command() {
SHOWMACS=Yes SHOWMACS=Yes
option=${option#m} option=${option#m}
;; ;;
f*)
FILEMODE=Yes
option=${option#f}
;;
*) *)
usage 1 usage 1
;; ;;
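Review bot: FILEMODE is set here but nothing in this hunk initialises it; unless show_command clears it before parsing options, a FILEMODE value inherited from the environment would silently switch "show capabilities" to file-format output. Initialise it with the other option flags, and consider rejecting -f when it is combined with anything other than capabilities, since the remaining show subcommands ignore it.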
@ -744,7 +773,11 @@ show_command() {
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
determine_capabilities determine_capabilities
VERBOSE=2 VERBOSE=2
report_capabilities if [ -n "$FILEMODE" ]; then
report_capabilities1
else
report_capabilities
fi
;; ;;
config) config)
. ${SHAREDIR}/configpath . ${SHAREDIR}/configpath
@ -964,7 +997,6 @@ usage() # $1 = exit status
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]"
echo " clear" echo " clear"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -x ]" echo " dump [ -x ]"
@ -982,7 +1014,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]" echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]" echo " show [ -x ] [ -m ] [ -f ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]" echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
@ -1214,18 +1246,6 @@ get_config
FIREWALL=$LITEDIR/firewall FIREWALL=$LITEDIR/firewall
if [ ! -f $FIREWALL ]; then
echo " ERROR: Shorewall Lite is not properly installed" >&2
if [ -L $FIREWALL ]; then
echo " $FIREWALL is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $FIREWALL does not exist" >&2
fi
exit 2
fi
if [ -f $VERSION_FILE ]; then if [ -f $VERSION_FILE ]; then
version=$(cat $VERSION_FILE) version=$(cat $VERSION_FILE)
else else
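Review bot: removing this unconditional check means the "not properly installed" diagnostic now depends on each command path calling verify_firewall_script; this commit adds the call to save, start, restart and stop|reset|clear, but any other command path that execs $FIREWALL will instead fail with a shell "not found" error. If the intent is to let commands such as "show config" and "help" work without a compiled script, confirm every path that runs $FIREWALL has the call.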
@ -1263,6 +1283,7 @@ case "$COMMAND" in
;; ;;
stop|reset|clear) stop|reset|clear)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
verify_firewall_script
export NOROUTES export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
;; ;;
@ -1270,10 +1291,6 @@ case "$COMMAND" in
shift shift
restart_command $@ restart_command $@
;; ;;
check)
shift
check_command $@
;;
show|list) show|list)
shift shift
show_command $@ show_command $@
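Review bot: with the check command removed here and from usage(), check_command is dead code unless its definition is deleted in the same change; confirm it is removed, and that the help script (first file in this commit) no longer documents check, so that "help check" does not describe a command that no longer exists.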

View File

@ -12,8 +12,11 @@
# N 0 T E # N 0 T E
############################################################################### ###############################################################################
# Entries in this file override entries in the shorewall.conf file in the # Entries in this file override entries in the shorewall.conf file in the
# configuration directory when the firewall script was compiled. Any variable # export directory when the firewall script was compiled. Any variable
# not set here assumes the value defined at firewall compilation time. # not set here assumes the value defined at firewall compilation time.
#
# PROVIDED THAT shorewall.conf IN THE EXPORT DIRECTORY IS CORRECT, YOU DO NOT
# NEED TO MODIFY THIS FILE IN ANY WAY
############################################################################### ###############################################################################
# V E R B O S I T Y # V E R B O S I T Y
############################################################################### ###############################################################################