diff --git a/New/compiler.pl b/New/compiler.pl index cb358a2ea..3083a6f13 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -142,8 +142,6 @@ my $line; # Current config file line my $object; # Object file Handle Reference -my $indent = ''; - # # Zone Table. # @@ -235,7 +233,7 @@ my $comment = ''; # # Current Indentation # -my %indent; +my $indent; # # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... # @@ -457,7 +455,10 @@ sub save_progress_message_short( $ ) { emit "progress_message $_[0]"; } -sub indent( $ ) { +# +# Functions for copying files into the object +# +sub copy( $ ) { my $file = $_[0]; open IF , $file or fatal_error "Unable to open $file: $!"; @@ -470,7 +471,7 @@ sub indent( $ ) { close IF; } -sub indent1( $ ) { +sub copy1( $ ) { my $file = $_[0]; open IF , $file or fatal_error "Unable to open $file: $!"; @@ -498,7 +499,7 @@ sub append_file( $ ) { unless ( $user_exit =~ /$env{SHAREDIR}/ ) { if ( -f $user_exit ) { save_progress_message "Processing $user_exit ..."; - indent1 $user_exit; + copy1 $user_exit; } } } @@ -5409,9 +5410,6 @@ sub do_initialize() { initialize_chain_table; } -sub compile_stop_firewall() { -} - sub compile_firewall( $ ) { my $objectfile = $_[0]; @@ -5444,8 +5442,9 @@ sub compile_firewall( $ ) { emit 'SHAREDIR=/usr/share/shorewall-lite'; emit 'CONFDIR=/etc/shorewall-lite'; emit 'VARDIR=/var/lib/shorewall-lite'; + emit 'PRODUCT="Shorewall Lite"'; - indent "$env{SHAREDIR}/lib.base"; + copy "$env{SHAREDIR}/lib.base"; emit '################################################################################'; emit '# End of /usr/share/shorewall/lib.base'; 
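Review bot: In the -235,7 hunk `+my $indent;` replaces `-my %indent;`, and the -142,8 hunk removes the initialised `my $indent = '';`, so `$indent` now starts out undefined and is first assigned only inside compile_firewall (the -5453 hunk). The emit calls made before that point — the SHAREDIR/CONFDIR/VARDIR lines in the -5444 hunk, for instance — presumably interpolate `$indent`; if they do, each one raises an uninitialised-value warning under `use warnings`, which is easy to miss in a long compile run. Keep the initialiser on the surviving declaration: `my $indent = '';`. Separately, the -457 and -470 hunks rename the helpers to `copy` and `copy1`; `copy` is also the name File::Copy exports, so confirm the file does not import that module anywhere outside these hunks.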
@@ -5453,14 +5452,36 @@ sub compile_firewall( $ ) { } else { emit 'SHAREDIR=/usr/share/shorewall'; emit 'CONFDIR=/etc/shorewall'; - emit "VARDIR=/var/lib/shorewall\n"; + emit 'VARDIR=/var/lib/shorewall\n'; + emit 'PRODUCT=\'Shorewall\''; emit '. /usr/share/shoreall-lite/lib.base'; } + + emit ''; + + for my $exit qw/init initdone start started stop stopped/ { + emit "run_${exit}_exit() {"; + $indent = ' '; + append_file $exit; + $indent = ''; + emit "}\n"; + } + + emit 'initialize()'; + emit '{'; + + $indent = ' '; + + while ( my ( $option, $value ) = ( each %config ) ) { + emit "${option}=${value}"; + } + + emit '}'; + + $indent = ''; + + copy "$env{SHAREDIR}/prog.functions"; } - # - # Compile the program to stop the firewall - # - compile_stop_firewall; # # Process the zones file. diff --git a/New/prog.footer b/New/prog.footer new file mode 100644 index 000000000..a92846bb1 --- /dev/null +++ b/New/prog.footer 
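Review bot: `+ emit 'VARDIR=/var/lib/shorewall\n';` changes the double quotes of the removed line to single quotes, so Perl no longer interprets `\n` and the generated program receives a literal backslash-n at the end of the VARDIR assignment instead of a newline (the neighbouring `emit 'PRODUCT=\'Shorewall\''` is fine, since it only escapes quotes). Either restore `emit "VARDIR=/var/lib/shorewall\n";` or drop the escape and follow it with `emit '';`, as the Lite branch in the previous hunk does. The new initialize() loop `emit "${option}=${value}";` writes each config value unquoted, so a value containing whitespace or shell metacharacters is re-parsed when the generated program runs; shell-quote it first, e.g. `(my $quoted = $value) =~ s/'/'\\''/g;` followed by `emit "${option}='${quoted}'";`. compile_firewall begins before this hunk and continues after it.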
@@ -0,0 +1,175 @@ +# +# Give Usage Information +# +usage() { + echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" + exit $1 +} +################################################################################ +# E X E C U T I O N B E G I N S H E R E # +################################################################################ +# +# Start trace if first arg is "debug" or "trace" +# +if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then + set -x + shift +fi + +initialize + +finished=0 + +while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + q*) + VERBOSE=$(($VERBOSE - 1 )) + option=${option#q} + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac +done + +if [ $# -ne 1 ]; then + usage 2 +else + COMMAND="$1" +fi + +[ -n "${PRODUCT:=Shorewall}" ] + +case "$COMMAND" in + start) + if shorewall_is_started; then + error_message "$PRODUCT is already Running" + status=0 + else + progress_message3 "Starting $PRODUCT...." + define_firewall + status=$? + [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK + progress_message3 "done." + fi + ;; + stop) + progress_message3 "Stopping $PRODUCT...." + stop_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + ;; + reset) + if ! shorewall_is_started ; then + error_message "$PRODUCT is not running" + status=2 + else + $IPTABLES -Z + $IPTABLES -t nat -Z + $IPTABLES -t mangle -Z + date > ${VARDIR}/restarted + status=0 + progress_message3 "$PRODUCT Counters Reset" + fi + ;; + restart) + if shorewall_is_started; then + progress_message3 "Restarting $PRODUCT...." + else + error_message "$PRODUCT is not running" + progress_message3 "Starting $PRODUCT...." 
+ fi + + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + progress_message3 "done." + ;; + refresh) + if shorewall_is_started; then + progress_message3 "Refreshing $PRODUCT...." + refresh_firewall + status=$? + progress_message3 "done." + else + echo "$PRODUCT is not running" >&2 + status=2 + fi + ;; + restore) + restore_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + ;; + clear) + progress_message3 "Clearing $PRODUCT...." + clear_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + ;; + status) + echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)" + echo + if shorewall_is_started; then + echo "$PRODUCT is running" + status=0 + else + echo "$PRODUCT is stopped" + status=4 + fi + + if [ -f ${VARDIR}/state ]; then + state="$(cat ${VARDIR}/state)" + case $state in + Stopped*|Clear*) + status=3 + ;; + esac + else + state=Unknown + fi + echo "State:$state" + echo + ;; + version) + echo $VERSION + status=0 + ;; + help) + usage 0 + ;; + *) + usage 2 + ;; +esac + +exit $status diff --git a/New/prog.functions b/New/prog.functions new file mode 100644 index 000000000..29761c2c6 --- /dev/null +++ b/New/prog.functions 
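Review bot: `usage()` advertises `start|stop|clear|reset|refresh|restart|status|version`, but the case on `$COMMAND` further down also accepts `restore` and `help`; either list them in the usage string or drop the branches, otherwise the only way to discover restore is to read the generated script. `touch $SUBSYSLOCK` and `rm -f $SUBSYSLOCK` use the variable unquoted in the start, stop, restart, restore and clear branches, so a SUBSYSLOCK value containing whitespace is split into several paths; quote it, e.g. `[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch "$SUBSYSLOCK"`. In the restart and restore branches `[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK` also removes the lock file when touch itself fails; an if/else on `$status` states the intent without that side effect.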
@@ -0,0 +1,387 @@ +#!/bin/sh + +# +# Clear Proxy Arp +# +delete_proxyarp() { + if [ -f ${VARDIR}/proxyarp ]; then + while read address interface external haveroute; do + qt arp -i $external -d $address pub + [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + done < ${VARDIR}/proxyarp + + for f in /proc/sys/net/ipv4/conf/*; do + [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp + done + fi + + rm -f ${VARDIR}/proxyarp +} + +# +# Stop/restore the firewall after an error or because of a "stop" or "clear" command +# +stop_firewall() { + + deletechain() { + qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 + } + + deleteallchains() { + $IPTABLES -F + $IPTABLES -X + } + + setcontinue() { + $IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + } + + delete_nat() { + $IPTABLES -t nat -F + $IPTABLES -t nat -X + + if [ -f ${VARDIR}/nat ]; then + while read external interface; do + del_ip_addr $external $interface + done < ${VARDIR}/nat + + rm -f ${VARDIR}/nat + fi + } + + case $COMMAND in + stop|clear) + ;; + *) + set +x + + case $COMMAND in + start) + logger -p kern.err "ERROR:$PRODUCT start failed" + ;; + restart) + logger -p kern.err "ERROR:$PRODUCT restart failed" + ;; + restore) + logger -p kern.err "ERROR:$PRODUCT restore failed" + ;; + esac + + if [ "$RESTOREFILE" = NONE ]; then + COMMAND=clear + clear_firewall + echo "$PRODUCT Cleared" + + kill $$ + exit 2 + else + RESTOREPATH=${VARDIR}/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + + if [ -x ${RESTOREPATH}-ipsets ]; then + progress_message2 Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + for table in mangle nat filter; do + $IPTABLES -t $table -F + $IPTABLES -t $table -X + done + + ${RESTOREPATH}-ipsets + fi + + echo Restoring ${PRODUCT:=Shorewall}... 
+ + if $RESTOREPATH restore; then + echo "$PRODUCT restored from $RESTOREPATH" + set_state "Started" + else + set_state "Unknown" + fi + + kill $$ + exit 2 + fi + fi + ;; + esac + + set_state "Stopping" + + STOPPING="Yes" + + TERMINATOR= + + deletechain shorewall + + determine_capabilities + + run_stop_exit + + if [ -n "$MANGLE_ENABLED" ]; then + run_iptables -t mangle -F + run_iptables -t mangle -X + for chain in PREROUTING INPUT FORWARD POSTROUTING; do + qt $IPTABLES -t mangle -P $chain ACCEPT + done + fi + + if [ -n "$RAW_TABLE" ]; then + run_iptables -t raw -F + run_iptables -t raw -X + for chain in PREROUTING OUTPUT; do + qt $IPTABLES -t raw -P $chain ACCEPT + done + fi + + if [ -n "$NAT_ENABLED" ]; then + delete_nat + for chain in PREROUTING POSTROUTING OUTPUT; do + qt $IPTABLES -t nat -P $chain ACCEPT + done + fi + + delete_proxyarp + + [ -n "$CLEAR_TC" ] && delete_tc1 + + [ -n "$DISABLE_IPV6" ] && disable_ipv6 + + undo_routing + + restore_default_route + + if [ -n "$CRITICALHOSTS" ]; then + if [ -z "$ADMINISABSENTMINDED" ]; then + + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done + + for chain in INPUT OUTPUT; do + setpolicy $chain DROP + done + else + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done + + setpolicy INPUT DROP + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi + elif [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + 
setpolicy $chain DROP + done + + deleteallchains + else + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi + + $IPTABLES -A INPUT -i lo -j ACCEPT + + [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT + + for interface in $DHCP_INTERFACES; do + $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + # + # This might be a bridge + # + $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT + done + + case "$IP_FORWARDING" in + On|on|ON) + echo 1 > /proc/sys/net/ipv4/ip_forward + progress_message2 IP Forwarding Enabled + ;; + Off|off|OFF) + echo 0 > /proc/sys/net/ipv4/ip_forward + progress_message2 IP Forwarding Disabled! + ;; + esac + + run_stopped_exit + + set_state "Stopped" + + logger -p kern.info "$PRODUCT Stopped" + + case $COMMAND in + stop|clear) + ;; + *) + # + # The firewall is being stopped when we were trying to do something + # else. 
Remove the lock file and Kill the shell in case we're in a + # subshell + # + kill $$ + ;; + esac +} + +# +# Set policy of chain $1 to $2 +# +setpolicy() { + $IPTABLES -P $1 $2 +} +# +# Remove all Shorewall-added rules +# +clear_firewall() { + stop_firewall + + setpolicy INPUT ACCEPT + setpolicy FORWARD ACCEPT + setpolicy OUTPUT ACCEPT + + run_iptables -F + + echo 1 > /proc/sys/net/ipv4/ip_forward + + if [ -n "$DISABLE_IPV6" ]; then + if qt mywhich ip6tables; then + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null + fi + fi + + run_clear_exit + + set_state "Cleared" + + logger -p kern.info "$PRODUCT Cleared" +} + +# +# Issue a message and stop/restore the firewall +# +fatal_error() +{ + echo " ERROR: $@" >&2 + stop_firewall + exit 2 +} + +# +# Issue a message and stop +# +startup_error() # $* = Error Message +{ + echo " ERROR: $@" >&2 + case $COMMAND in + start) + logger -p kern.err "ERROR:$PRODUCT start failed" + ;; + restart) + logger -p kern.err "ERROR:$PRODUCT restart failed" + ;; + restore) + logger -p kern.err "ERROR:$PRODUCT restore failed" + ;; + esac + + kill $$ + exit 2 +} + +# +# Run iptables and if an error occurs, stop/restore the firewall +# +run_iptables() +{ + if [ -n "$COMMENT" ]; then + $IPTABLES $@ -m comment --comment "$COMMENT" + else + $IPTABLES $@ + fi + + if [ $? -ne 0 ]; then + error_message "ERROR: Command \"$IPTABLES $@\" Failed" + stop_firewall + exit 2 + fi +} + +# +# Run iptables and if an error occurs, stop/restore the firewall +# +run_ip() +{ + if ! ip $@; then + error_message "ERROR: Command \"ip $@\" Failed" + stop_firewall + exit 2 + fi +} + +# +# Run tc and if an error occurs, stop/restore the firewall +# +run_tc() { + if ! 
tc $@ ; then + error_message "ERROR: Command \"tc $@\" Failed" + stop_firewall + exit 2 + fi +} + +# +# Functions to appease unconverted extension scripts +# +save_command() +{ + return 0 +} + +run_and_save_command() { + eval $@ +} + +ensure_and_save_command() { + eval $@ || fatal_error "Command \"$@\" failed" +} + diff --git a/New/prog.header b/New/prog.header new file mode 100644 index 000000000..ac887702d --- /dev/null +++ b/New/prog.header @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2006 - Tom Eastep (teastep@shorewall.net) +# +# +# Options are: +# +# -n Don't alter Routing +# -v and -q Standard Shorewall Verbosity control +# +# Commands are: +# +# start Starts the firewall +# refresh Refresh the firewall +# restart Restarts the firewall +# reload Reload the firewall +# clear Removes all firewall rules +# stop Stops the firewall +# status Displays firewall status +# version Displays the version of Shorewall that +# generated this program +#
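Review bot: `run_iptables`, `run_ip` and `run_tc` forward their arguments as an unquoted `$@` (`$IPTABLES $@ -m comment --comment "$COMMENT"`, `ip $@`, `tc $@`), so any argument containing whitespace — an iptables `--log-prefix` or `--comment` value, for instance — is word-split and glob-expanded before it reaches the command, and the error message built from `$@` reports the already-mangled form; use `"$@"` at each of the three call sites. `run_and_save_command` and `ensure_and_save_command` `eval` their arguments as shell text, which is presumably what the unconverted extension scripts rely on, but the "appease" comment should say so explicitly, e.g. `# Arguments are eval'ed as shell text; only extension-script input is expected here`. In `stop_firewall`, `RESTOREPATH=${VARDIR}/$RESTOREFILE` is executed whenever it is `-x`, so the RESTOREFILE setting alone decides which program runs; rejecting a value containing `/` before the path is built (`case $RESTOREFILE in */*) startup_error "RESTOREFILE must be a plain file name";; esac`) keeps the restore script inside VARDIR.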