diff --git a/Shorewall-lite/lib.cli-lite b/Shorewall-lite/lib.cli-lite
deleted file mode 100644
index 2bfb8fe25..000000000
--- a/Shorewall-lite/lib.cli-lite
+++ /dev/null
@@ -1,356 +0,0 @@ -# -# Shorewall 4.4 -- /usr/share/shorewall[6]/lib.cli-lite. -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the command processing code common to /sbin/shorewall-lite and /sbin/shorewall6-lite. -# - -# -# Set the configuration variables from shorewall-lite.conf -# -get_config() { - - ensure_config_path - - config=$(find_file ${g_base}-lite.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi - else - echo "$config does not exist!" >&2 - exit 2 - fi - - ensure_config_path - - [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf - - [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 - exit 2 - fi - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi - - [ -n "$FW" ] || FW=fw - - if [ $g_family -eq 4 ]; then - if [ -n "$IPTABLES" ]; then - if [ ! -x "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IPTABLES=$(mywhich iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 - fi - fi - - g_tool=$IPTABLES - else - if [ -n "$IP6TABLES" ]; then - if [ ! -x "$IP6TABLES" ]; then - echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IP6TABLES=$(mywhich ip6tables 2> /dev/null) - if [ -z "$IP6TABLES" ] ; then - echo " ERROR: Can't find ip6tables executable" >&2 - exit 2 - fi - fi - - g_tool=$IP6TABLES - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! -x "$SHOREWALL_SHELL" ]; then - echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 - SHOREWALL_SHELL=/bin/sh - fi - fi - - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - [ -n "${VERBOSITY:=2}" ] - - [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) - - if [ $VERBOSITY -lt -1 ]; then - VERBOSITY=-1 - elif [ $VERBOSITY -gt 2 ]; then - VERBOSITY=2 - fi - - g_hostname=$(hostname 2> /dev/null) - - IP=$(mywhich ip 2> /dev/null) - if [ -z "$IP" ] ; then - echo " ERROR: Can't find ip executable" >&2 - exit 2 - fi - - IPSET=ipset - TC=tc - -} - -# -# Verify that we have a compiled firewall script -# -verify_firewall_script() { - if [ ! 
-f $g_firewall ]; then - echo " ERROR: $g_product is not properly installed" >&2 - if [ -L $g_firewall ]; then - echo " $g_firewall is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $g_firewall does not exist" >&2 - fi - - exit 2 - fi -} - -# -# Start Command Executor -# -start_command() { - local finished - finished=0 - - do_it() { - local rc - rc=0 - [ -n "$nolock" ] || mutex_on - - if [ -x ${VARDIR}/firewall ]; then - run_it ${VARDIR}/firewall $debugging start - rc=$? - else - error_message "${VARDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:$g_product start failed" - rc=2 - fi - - [ -n "$nolock" ] || mutex_off - exit $rc - } - - verify_firewall_script - - if product_is_started; then - if [ $g_family -eq 4 ]; then - error_message "Shorewall is already running" - else - error_message "Shorewall6 is already running" - fi - - exit 0 - fi - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - *) - usage 1 - ;; - esac - - do_it -} - -# -# Restart Command Executor -# -restart_command() { - local finished - finished=0 - local rc - rc=0 - - verify_firewall_script - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - 
;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - *) - usage 1 - ;; - esac - - [ -n "$nolock" ] || mutex_on - - if [ -x ${VARDIR}/firewall ]; then - run_it ${VARDIR}/firewall $debugging restart - rc=$? - else - error_message "${VARDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:$g_product restart failed" - rc=2 - fi - - [ -n "$nolock" ] || mutex_off - return $rc -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " - echo "where is one of:" - echo " add [:] ... " - echo " allow
..." - echo " clear" - echo " delete [:] ... " - echo " disable " - echo " drop
..." - echo " dump [ -x ]" - echo " enable " - echo " forget [ ]" - echo " help" - - if [ $g_family -eq 4 ]; then - echo " ipcalc {
/ |
}" - echo " ipdecimal {
| }" - echo " iprange
-
" - fi - - echo " logdrop
..." - echo " logreject
..." - echo " logwatch []" - echo " reject
..." - echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [ -f ] [ ]" - echo " restore [ -n ] [ ]" - echo " save [ ]" - echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" - echo " show [ -f ] capabilities" - echo " show classifiers" - echo " show config" - echo " show connections" - echo " show filters" - echo " show ip" - echo " show [ -m ] log []" - echo " show [ -x ] mangle|nat|raw|rawpost|routing" - echo " show policies" - echo " show tc [ device ]" - echo " show vardir" - echo " show zones" - echo " start [ -f ] [ -p ] [ ]" - echo " stop" - echo " status" - echo " version [ -a ]" - echo - exit $1 -} - diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 35b474a6d..196096dc5 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli 
@@ -2493,3 +2493,338 @@ noiptrace_command() { fatal_error "$g_product is not started" fi } +# +# Set the configuration variables from shorewall-lite.conf +# +get_config() { + + ensure_config_path + + config=$(find_file ${g_base}-lite.conf) + + if [ -f $config ]; then + if [ -r $config ]; then + . $config + else + echo "Cannot read $config! (Hint: Are you root?)" >&2 + exit 1 + fi + else + echo "$config does not exist!" >&2 + exit 2 + fi + + ensure_config_path + + [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf + + [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then + g_logread="logread | tac" + elif [ -r $LOGFILE ]; then + g_logread="tac $LOGFILE" + else + echo "LOGFILE ($LOGFILE) does not exist!" >&2 + exit 2 + fi + # + # See if we have a real version of "tail" -- use separate redirection so + # that ash (aka /bin/sh on LRP) doesn't crap + # + if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then + realtail="Yes" + else + realtail="" + fi + + [ -n "$FW" ] || FW=fw + + if [ $g_family -eq 4 ]; then + if [ -n "$IPTABLES" ]; then + if [ ! -x "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(mywhich iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi + fi + + g_tool=$IPTABLES + else + if [ -n "$IP6TABLES" ]; then + if [ ! -x "$IP6TABLES" ]; then + echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IP6TABLES=$(mywhich ip6tables 2> /dev/null) + if [ -z "$IP6TABLES" ] ; then + echo " ERROR: Can't find ip6tables executable" >&2 + exit 2 + fi + fi + + g_tool=$IP6TABLES + fi + + if [ -n "$SHOREWALL_SHELL" ]; then + if [ ! 
-x "$SHOREWALL_SHELL" ]; then + echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 + SHOREWALL_SHELL=/bin/sh + fi + fi + + [ -n "$RESTOREFILE" ] || RESTOREFILE=restore + + validate_restorefile RESTOREFILE + + [ -n "${VERBOSITY:=2}" ] + + [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) + + if [ $VERBOSITY -lt -1 ]; then + VERBOSITY=-1 + elif [ $VERBOSITY -gt 2 ]; then + VERBOSITY=2 + fi + + g_hostname=$(hostname 2> /dev/null) + + IP=$(mywhich ip 2> /dev/null) + if [ -z "$IP" ] ; then + echo " ERROR: Can't find ip executable" >&2 + exit 2 + fi + + IPSET=ipset + TC=tc + +} + +# +# Verify that we have a compiled firewall script +# +verify_firewall_script() { + if [ ! -f $g_firewall ]; then + echo " ERROR: $g_product is not properly installed" >&2 + if [ -L $g_firewall ]; then + echo " $g_firewall is a symbolic link to a" >&2 + echo " non-existant file" >&2 + else + echo " The file $g_firewall does not exist" >&2 + fi + + exit 2 + fi +} + +################################################################################ +# The remaining functions are used by the Lite cli - they are overloaded by +# the Standard CLI by loading lib.cli-std +################################################################################ +# +# Start Command Executor +# +start_command() { + local finished + finished=0 + + do_it() { + local rc + rc=0 + [ -n "$nolock" ] || mutex_on + + if [ -x ${VARDIR}/firewall ]; then + run_it ${VARDIR}/firewall $debugging start + rc=$? 
+ else + error_message "${VARDIR}/firewall is missing or is not executable" + logger -p kern.err "ERROR:$g_product start failed" + rc=2 + fi + + [ -n "$nolock" ] || mutex_off + exit $rc + } + + verify_firewall_script + + if product_is_started; then + if [ $g_family -eq 4 ]; then + error_message "Shorewall is already running" + else + error_message "Shorewall6 is already running" + fi + + exit 0 + fi + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + p*) + [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" + g_purge=Yes + option=${option%p} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + *) + usage 1 + ;; + esac + + do_it +} + +# +# Restart Command Executor +# +restart_command() { + local finished + finished=0 + local rc + rc=0 + + verify_firewall_script + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + g_noroutes=Yes + option=${option#n} + ;; + p*) + [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" + g_purge=Yes + option=${option%p} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + *) + usage 1 + ;; + esac + + [ -n "$nolock" ] || mutex_on + + if [ -x ${VARDIR}/firewall ]; then + run_it ${VARDIR}/firewall $debugging restart + rc=$? 
+ else + error_message "${VARDIR}/firewall is missing or is not executable" + logger -p kern.err "ERROR:$g_product restart failed" + rc=2 + fi + + [ -n "$nolock" ] || mutex_off + return $rc +} + +# +# Give Usage Information +# +usage() # $1 = exit status +{ + echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " + echo "where is one of:" + echo " add [:] ... " + echo " allow
..." + echo " clear" + echo " delete [:] ... " + echo " disable " + echo " drop
..." + echo " dump [ -x ]" + echo " enable " + echo " forget [ ]" + echo " help" + + if [ $g_family -eq 4 ]; then + echo " ipcalc {
/ |
}" + echo " ipdecimal {
| }" + echo " iprange
-
" + fi + + echo " logdrop
..." + echo " logreject
..." + echo " logwatch []" + echo " reject
..."
+ echo " reset [ ... ]"
+ echo " restart [ -n ] [ -p ] [ -f ] [ ]"
+ echo " restore [ -n ] [ ]"
+ echo " save [ ]"
+ echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]"
+ echo " show [ -f ] capabilities"
+ echo " show classifiers"
+ echo " show config"
+ echo " show connections"
+ echo " show filters"
+ echo " show ip"
+ echo " show [ -m ] log []"
+ echo " show [ -x ] mangle|nat|raw|rawpost|routing"
+ echo " show policies"
+ echo " show tc [ device ]"
+ echo " show vardir"
+ echo " show zones"
+ echo " start [ -f ] [ -p ] [ ]"
+ echo " stop"
+ echo " status"
+ echo " version [ -a ]"
+ echo
+ exit $1
+}
+ 
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index 1c8d4d3d8..a2e8f6972 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -224,7 +224,7 @@ if [ -z "$g_lite" ]; then
 . /usr/share/shorewall/lib.$library
 done
 else
- for library in base cli cli-lite; do
+ for library in base cli; do
 . ${SHAREDIR}/lib.$library
 done
 fi
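Review bot: The banner `The remaining functions are used by the Lite cli - they are overloaded by the Standard CLI by loading lib.cli-std` is placed after `get_config` and `verify_firewall_script`, yet `get_config` hard-codes `config=$(find_file ${g_base}-lite.conf)`, so as written the comment implies the standard CLI keeps this lite-only `get_config` and would source the -lite configuration file. If lib.cli-std also redefines `get_config`, move the banner above it or say so in its header, e.g. `# Lite-only default; lib.cli-std redefines this for the standard CLI`; if it does not, the standard load path needs a closer look, since neither lib.cli-std nor the non-lite library list in the `shorewall` hunk is visible from here. Two smaller points in the moved code: `[ -n "$(which conntrack)" ]` in `start_command` and `restart_command` is more portable as `command -v conntrack >/dev/null`, and `$config` is unquoted in `[ -f $config ]`, `[ -r $config ]` and `. $config`, so a configuration path containing whitespace fails the test or sources a truncated path.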