mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-13 17:18:12 +01:00
Defer determining iptables executable until runtime when compiling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3335 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
31eac676fd
commit
befcecf5fb
@ -8945,7 +8945,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
# from that script are available here
|
# from that script are available here
|
||||||
#
|
#
|
||||||
compile_stop_firewall() {
|
compile_stop_firewall() {
|
||||||
local IPTABLES_COMMAND="$IPTABLES"
|
local IPTABLES_COMMAND="\$IPTABLES"
|
||||||
local INDENT=" "
|
local INDENT=" "
|
||||||
|
|
||||||
cat >> $RESTOREBASE << __EOF__
|
cat >> $RESTOREBASE << __EOF__
|
||||||
@ -8953,16 +8953,16 @@ compile_stop_firewall() {
|
|||||||
stop_firewall() {
|
stop_firewall() {
|
||||||
|
|
||||||
deletechain() {
|
deletechain() {
|
||||||
qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1
|
qt \$IPTABLES -L \$1 -n && qt \$IPTABLES -F \$1 && qt \$IPTABLES -X \$1
|
||||||
}
|
}
|
||||||
|
|
||||||
deleteallchains() {
|
deleteallchains() {
|
||||||
$IPTABLES -F
|
\$IPTABLES -F
|
||||||
$IPTABLES -X
|
\$IPTABLES -X
|
||||||
}
|
}
|
||||||
|
|
||||||
setcontinue() {
|
setcontinue() {
|
||||||
$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
\$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
case \$COMMAND in
|
case \$COMMAND in
|
||||||
@ -8984,8 +8984,8 @@ stop_firewall() {
|
|||||||
# references to ipsets
|
# references to ipsets
|
||||||
#
|
#
|
||||||
for table in mangle nat filter; do
|
for table in mangle nat filter; do
|
||||||
$IPTABLES -t \$table -F
|
\$IPTABLES -t \$table -F
|
||||||
$IPTABLES -t \$table -X
|
\$IPTABLES -t \$table -X
|
||||||
done
|
done
|
||||||
|
|
||||||
\${RESTOREPATH}-ipsets
|
\${RESTOREPATH}-ipsets
|
||||||
@ -9023,7 +9023,7 @@ stop_firewall() {
|
|||||||
run_iptables -t mangle -F
|
run_iptables -t mangle -F
|
||||||
run_iptables -t mangle -X
|
run_iptables -t mangle -X
|
||||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||||
qt $IPTABLES -t mangle -P \$chain ACCEPT
|
qt \$IPTABLES -t mangle -P \$chain ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -9031,14 +9031,14 @@ stop_firewall() {
|
|||||||
run_iptables -t raw -F
|
run_iptables -t raw -F
|
||||||
run_iptables -t raw -X
|
run_iptables -t raw -X
|
||||||
for chain in PREROUTING OUTPUT; do
|
for chain in PREROUTING OUTPUT; do
|
||||||
qt $IPTABLES -t raw -P \$chain ACCEPT
|
qt \$IPTABLES -t raw -P \$chain ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "\$NAT_ENABLED" ]; then
|
if [ -n "\$NAT_ENABLED" ]; then
|
||||||
delete_nat
|
delete_nat
|
||||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||||
qt $IPTABLES -t nat -P \$chain ACCEPT
|
qt \$IPTABLES -t nat -P \$chain ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -9075,8 +9075,8 @@ __EOF__
|
|||||||
for host in $CRITICALHOSTS; do
|
for host in $CRITICALHOSTS; do
|
||||||
interface=\${host%:*}
|
interface=\${host%:*}
|
||||||
networks=\${host#*:}
|
networks=\${host#*:}
|
||||||
$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
||||||
$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
for chain in INPUT OUTPUT; do
|
for chain in INPUT OUTPUT; do
|
||||||
@ -9098,8 +9098,8 @@ __EOF__
|
|||||||
for host in $CRITICALHOSTS; do
|
for host in $CRITICALHOSTS; do
|
||||||
interface=\${host%:*}
|
interface=\${host%:*}
|
||||||
networks=\${host#*:}
|
networks=\${host#*:}
|
||||||
$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
||||||
$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
setpolicy INPUT DROP
|
setpolicy INPUT DROP
|
||||||
@ -9140,19 +9140,19 @@ __EOF__
|
|||||||
|
|
||||||
process_routestopped -A
|
process_routestopped -A
|
||||||
|
|
||||||
save_command "$IPTABLES -A INPUT -i lo -j ACCEPT"
|
save_command "\$IPTABLES -A INPUT -i lo -j ACCEPT"
|
||||||
|
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
|
save_command "\$IPTABLES -A OUTPUT -o lo -j ACCEPT"
|
||||||
|
|
||||||
for interface in $(find_interfaces_by_option dhcp); do
|
for interface in $(find_interfaces_by_option dhcp); do
|
||||||
save_command "$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"
|
save_command "\$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
save_command "$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT"
|
save_command "\$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT"
|
||||||
#
|
#
|
||||||
# This might be a bridge
|
# This might be a bridge
|
||||||
#
|
#
|
||||||
save_command "$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"
|
save_command "\$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"
|
||||||
done
|
done
|
||||||
|
|
||||||
save_command
|
save_command
|
||||||
@ -9215,7 +9215,7 @@ compile_firewall() # $1 = File Name
|
|||||||
}
|
}
|
||||||
|
|
||||||
do_iptables() {
|
do_iptables() {
|
||||||
save_command $IPTABLES $@
|
save_command \$IPTABLES $@
|
||||||
}
|
}
|
||||||
|
|
||||||
qt_iptables() {
|
qt_iptables() {
|
||||||
@ -9225,7 +9225,7 @@ compile_firewall() # $1 = File Name
|
|||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
save_command qt $IPTABLES $@
|
save_command qt \$IPTABLES $@
|
||||||
}
|
}
|
||||||
|
|
||||||
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||||
@ -9278,7 +9278,7 @@ compile_firewall() # $1 = File Name
|
|||||||
|
|
||||||
deletechain() # $1 = name of chain
|
deletechain() # $1 = name of chain
|
||||||
{
|
{
|
||||||
save_command "qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1"
|
save_command "qt \$IPTABLES -L $1 -n && qt \$IPTABLES -F $1 && qt \$IPTABLES -X $1"
|
||||||
}
|
}
|
||||||
|
|
||||||
fix_bang() {
|
fix_bang() {
|
||||||
@ -9330,7 +9330,7 @@ __EOF__
|
|||||||
cat >> $RESTOREBASE << __EOF__
|
cat >> $RESTOREBASE << __EOF__
|
||||||
|
|
||||||
setpolicy() {
|
setpolicy() {
|
||||||
$IPTABLES -P \$1 \$2
|
\$IPTABLES -P \$1 \$2
|
||||||
}
|
}
|
||||||
|
|
||||||
clear_firewall() {
|
clear_firewall() {
|
||||||
@ -9373,8 +9373,8 @@ fatal_error()
|
|||||||
|
|
||||||
run_iptables()
|
run_iptables()
|
||||||
{
|
{
|
||||||
if ! $IPTABLES \$@; then
|
if ! \$IPTABLES \$@; then
|
||||||
error_message "ERROR: Command \"$IPTABLES \$@\" Failed"
|
error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
@ -9423,9 +9423,25 @@ __EOF__
|
|||||||
LOGFORMAT="$LOGFORMAT"
|
LOGFORMAT="$LOGFORMAT"
|
||||||
RESTOREFILE="$RESTOREFILE"
|
RESTOREFILE="$RESTOREFILE"
|
||||||
VERSION="$VERSION"
|
VERSION="$VERSION"
|
||||||
IPTABLES="$IPTABLES"
|
|
||||||
CONFIG_PATH="$CONFIG_PATH"
|
CONFIG_PATH="$CONFIG_PATH"
|
||||||
|
|
||||||
|
__EOF__
|
||||||
|
if [ -n "$IPTABLES" ]; then
|
||||||
|
cat >> $RESTOREBASE << __EOF__
|
||||||
|
IPTABLES="$IPTABLES"
|
||||||
|
|
||||||
|
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||||
|
__EOF__
|
||||||
|
else
|
||||||
|
cat >> $RESTOREBASE << __EOF__
|
||||||
|
IPTABLES=\$(mywhich iptables 2> /dev/null)
|
||||||
|
|
||||||
|
[ -z "\$IPTABLES" ] && startup_error "Can't find iptables executable"
|
||||||
|
__EOF__
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >> $RESTOREBASE << __EOF__
|
||||||
|
|
||||||
STOPPING=
|
STOPPING=
|
||||||
#
|
#
|
||||||
# The library requires that /var/lib/shorewall exist
|
# The library requires that /var/lib/shorewall exist
|
||||||
@ -10158,20 +10174,22 @@ do_initialize() {
|
|||||||
# We load the kernel modules here to accurately determine
|
# We load the kernel modules here to accurately determine
|
||||||
# capabilities when module autoloading isn't enabled.
|
# capabilities when module autoloading isn't enabled.
|
||||||
#
|
#
|
||||||
|
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||||
|
|
||||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||||
|
|
||||||
load_kernel_modules
|
load_kernel_modules
|
||||||
|
|
||||||
if [ -z "$IPTABLES" ]; then
|
if [ -z "$EXPORT" ]; then
|
||||||
IPTABLES=$(mywhich iptables 2> /dev/null)
|
if [ -z "$IPTABLES" ]; then
|
||||||
|
IPTABLES=$(mywhich iptables 2> /dev/null)
|
||||||
|
|
||||||
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
|
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
|
||||||
else
|
else
|
||||||
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
|
||||||
|
|
||||||
determine_capabilities
|
determine_capabilities
|
||||||
|
|
||||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user