From d7d8acc764258f62be92250c7421d11a6ecce926 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 22 Feb 2009 18:28:18 +0000 Subject: [PATCH] Even More product consolidation changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9491 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/Shorewall/Compiler.pm | 12 +- Shorewall/Shorewall/Config.pm | 1 - Shorewall/install.sh | 21 + Shorewall/lib.cli | 33 + Shorewall/lib.config | 2296 ------------------------------- Shorewall/lib.dynamiczones | 427 ------ Shorewall/shorewall | 39 +- Shorewall/shorewall.spec | 3 - 8 files changed, 63 insertions(+), 2769 deletions(-) delete mode 100644 Shorewall/lib.config delete mode 100644 Shorewall/lib.dynamiczones diff --git a/Shorewall/Shorewall/Compiler.pm b/Shorewall/Shorewall/Compiler.pm index 1e32d2572..b1e81a62e 100644 --- a/Shorewall/Shorewall/Compiler.pm +++ b/Shorewall/Shorewall/Compiler.pm @@ -90,9 +90,9 @@ sub generate_script_1() { } else { emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#"; if ( $family == F_IPV4 ) { - copy $globals{SHAREDIRPL} . 'prog.header'; + copy $globals{SHAREDIR} . 'prog.header'; } else { - copy $globals{SHAREDIRPL} . 'prog.header6'; + copy $globals{SHAREDIR} . 'prog.header6'; } } @@ -786,9 +786,9 @@ EOF unless ( $test ) { if ( $family == F_IPV4 ) { - copy $globals{SHAREDIRPL} . 'prog.footer'; + copy $globals{SHAREDIR} . 'prog.footer'; } else { - copy $globals{SHAREDIRPL} . 'prog.footer6'; + copy $globals{SHAREDIR} . 'prog.footer6'; } } } @@ -940,9 +940,9 @@ sub compiler { unless ( $command eq 'check' ) { unless ( $test ) { if ( $family == F_IPV4 ) { - copy $globals{SHAREDIRPL} . 'prog.functions'; + copy $globals{SHAREDIR} . 'prog.functions'; } else { - copy $globals{SHAREDIRPL} . 'prog.functions6'; + copy $globals{SHAREDIR} . 'prog.functions6'; } } diff --git a/Shorewall/Shorewall/Config.pm b/Shorewall/Shorewall/Config.pm index c5bef952d..9d0029533 100644 
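Review bot: The rename drops the path separator: the replacement `$globals{SHAREDIR}` is initialised as `'/usr/share/shorewall'` with no trailing slash (Config.pm hunk below), whereas the removed `SHAREDIRPL` ended in `/`, so `$globals{SHAREDIR} . 'prog.header'` now yields `/usr/share/shorewallprog.header` unless SHAREDIR is reassigned with a trailing slash somewhere outside this diff. The same pattern is repeated in the prog.footer and prog.functions hunks, so all six sites are affected. Either change each concatenation to `copy $globals{SHAREDIR} . '/prog.header';` (and likewise for the other five files) or give SHAREDIR a trailing slash in Config.pm, but not both. Since the copied text is spliced verbatim into the generated firewall script that runs as root, it is also worth confirming that `copy` dies rather than silently emitting nothing when the file is missing; its definition, like the bodies of generate_script_1 and compiler, is outside this hunk.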
--- a/Shorewall/Shorewall/Config.pm +++ b/Shorewall/Shorewall/Config.pm @@ -311,7 +311,6 @@ sub initialize( $ ) { # %globals = ( SHAREDIR => '/usr/share/shorewall' , CONFDIR => '/etc/shorewall', - SHAREDIRPL => '/usr/share/shorewall-perl/', ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 69f084397..c9540d41d 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -664,6 +664,27 @@ done # ln -sf lib.base ${PREFIX}/usr/share/shorewall/functions # +# Install the Compiler +# +install_file compiler.pl ${PREFIX}/usr/share/shorewall/compiler.pl 0755 + +echo +echo "Compiler installed in ${PREFIX}/usr/share/shorewall/compiler.pl" +# +# Install the libraries +# +for f in Shorewall/*.pm ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Module ${f%.*} installed as ${PREFIX}/usr/share/shorewall/$f" +done +# +# Install the program skeleton files +# +for f in prog.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f" +done +# # Create the version file # echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 82a9a5cde..b82cadfb7 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli 
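Review bot: Both new loops in install.sh iterate an unquoted glob with no guard for the no-match case, so if `Shorewall/*.pm` or `prog.*` matches nothing the literal pattern is handed to install_file; add `[ -f "$f" ] || continue` as the first statement of each loop and quote `"$f"` in the install_file and echo lines. Nothing in the hunk creates `${PREFIX}/usr/share/shorewall/Shorewall` before the module loop runs, so unless install_file creates parent directories the first `.pm` install fails — worth confirming against install_file, which is outside this hunk. Because the modules and the prog.* skeleton files end up executed by, or copied into, the firewall script that runs as root, mode 0644 is only adequate if the share directory is root-owned and neither group- nor world-writable; whether install_file sets ownership is not visible here.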
@@ -846,6 +846,39 @@ restore_command() {
 fi
 }
 
+#
+# Reset command executor
+#
+reset_command() {
+ if ! shorewall_is_started ; then
+ echo "Shorewall Not Started"
+ exit 2;
+ fi
+
+ if [ $# -eq 0 ]; then
+ $IPTABLES -Z
+ $IPTABLES -t nat -Z
+ $IPTABLES -t raw -Z
+ $IPTABLES -t mangle -Z
+ report "Shorewall Counters Reset"
+ date > ${VARDIR}/restarted
+ else
+ for chain in $@; do
+ if chain_exists $chain; then
+ if qt $IPTABLES -Z $chain; then
+ progress_message3 "Filter table $chain Counters Reset"
+ else
+ error_message "ERROR: Reset of chain $chain failed"
+ status=2
+ break
+ fi
+ else
+ error_message "WARNING: Filter Chain $chain does not exist"
+ fi
+ done
+ fi
+}
+
 #
 # Display the time that the counters were last reset
 #
diff --git a/Shorewall/lib.config b/Shorewall/lib.config
deleted file mode 100644
index 5bccf9caa..000000000
--- a/Shorewall/lib.config
+++ /dev/null
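Review bot: The no-argument branch of reset_command reports "Shorewall Counters Reset" and rewrites `${VARDIR}/restarted` regardless of whether any of the four `$IPTABLES ... -Z` calls succeeded, whereas the per-chain branch checks `qt $IPTABLES -Z $chain` and sets `status=2` on failure; the four calls should be chained and the report and timestamp placed in the success path, as sketched below. `for chain in $@; do` should be `for chain in "$@"; do` so chain names taken from the command line are not re-split. The two failure paths also disagree on how they signal the error — the not-started check does `exit 2` while the per-chain failure sets `status` and relies on the caller — so it is worth picking one convention for the function. The per-chain branch never touches `${VARDIR}/restarted`, which may be intentional but deserves a one-line comment saying so.
```shell
reset_command() {
    # … unchanged: shorewall_is_started check …
    if [ $# -eq 0 ]; then
        if $IPTABLES -Z && $IPTABLES -t nat -Z && \
           $IPTABLES -t raw -Z && $IPTABLES -t mangle -Z; then
            report "Shorewall Counters Reset"
            date > ${VARDIR}/restarted
        else
            error_message "ERROR: Reset of counters failed"
            status=2
        fi
    else
        for chain in "$@"; do
            # … unchanged: per-chain reset …
        done
    fi
}
```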
@@ -1,2296 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.config -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the configuration file parsing code common to -# /usr/share/shorewall/compiler and /usr/share/shorewall/firewall -# - -SHOREWALL_CONFIGVERSION=40000 - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - list="$@" - local part - local newlist - local firstpart - local lastpart - local enclosure - - case "$list" in - *,|,*|*,,*|*[[:space:]]*) - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'TERMINATOR' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - [ -n "$TERMINATOR" ] && \ - $TERMINATOR "Invalid comma-separated list \"$@\"" - echo "WARNING -- invalid comma-separated list \"$@\"" >&2 - ;; - *\[*\]*) - # - # Where we need to embed comma-separated lists within lists, we enclose them - # within square brackets. 
- # - firstpart=${list%%\[*} - lastpart=${list#*\[} - enclosure=${lastpart%%\]*} - lastpart=${lastpart#*\]} - case $lastpart in - \,*) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" - ;; - esac - ;; - *) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" - ;; - esac - ;; - esac - return - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Return a space separated list of values matching -# -list_walk() # $1 = element to search for, $2-$n = list -{ - local e - e=$1 - local result - result= - - while [ $# -gt 1 ]; do - shift - case $1 in - $e*) - result="$result ${1##$e}" - ;; - esac - done - echo $result -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Filter that expands variables -# -expand_line() { - local line - - while read line; do - echo $(expand $line) - done -} - -# -# Add whitespace after leading "!" -# -fix_bang() -{ - local result - result= - - while [ $# -gt 0 ]; do - case $1 in - !*) - result="$result ! 
${1#!}" - ;; - *) - result="$result $1" - ;; - esac - shift - done - - echo $result -} - -# -# Read the zones file and find the firewall zone -# -get_firewall_zone() { - local zone - local type - local rest - local comment - comment='#*' - local f - f=$(find_file zones) - - [ -f $f ] || startup_error "Unable to find zones file" - - while read zone type rest; do - case $zone in - $comment) - ;; - *) - if [ "x$type" = xfirewall ]; then - FW=$zone - return - fi - ;; - esac - done < $f - - startup_error "No firewall zone defined in $f" -} - -# -# This function assumes that the TMP_DIR variable is set and that -# its value names an existing directory. -# -determine_zones() -{ - local zone - local parent - local parents - local rest - local new_zone_file - new_zone_file= - local r - - merge_zone() - { - local z - local zones - zones="$ZONES" - local merged - merged= - - if [ -n "$parents" ]; then - ZONES= - for z in $zones; do - if [ -z "$merged" ] && list_search $z $parents; then - ZONES="$ZONES $zone" - merged=Yes - fi - ZONES="$ZONES $z" - done - else - ZONES="$ZONES $zone" - fi - } - - ZONES= - IPV4_ZONES= - IPSEC_ZONES= - - [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" - - while read zone type rest; do - case $zone in - *:*) - parents=${zone#*:} - zone=${zone%:*} - [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents" - parents=$(separate_list $parents) - eval ${zone}_parents=\"$parents\" - ;; - *) - parents= - eval ${zone}_parents= - ;; - esac - - for parent in $parents; do - [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" - list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" - done - - [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" - - case "$zone" in - [0-9*]) - startup_error "Illegal zone name \"$zone\" in zones file" - ;; - all|none|SOURCE|DEST) - startup_error "Reserved zone name 
\"$zone\" in zones file" - ;; - esac - - if [ -n "$new_zone_file" ]; then - case ${type:=ipv4} in - ipv4|IPv4|IPV4|plain|-) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - IPV4_ZONES="$IPV4_ZONES $zone" - ;; - ipsec|IPSEC|ipsec4|IPSEC4) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - merge_zone - IPSEC_ZONES="$IPSEC_ZONES $zone" - ;; - firewall) - [ -n "$FW" ] && startup_error "Only one firewall zone may be defined" - list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" - [ -n "$parents" ] && startup_error "The firewall zone may not be nested" - for r in $rest; do - [ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone" - done - FW=$zone - ;; - bport|bport4) - [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type" - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - BRIDGING=Yes - ;; - *) - startup_error "Invalid Zone Type: $type" - ;; - esac - - eval ${zone}_type=$type - else - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - ZONES="$ZONES $zone" - IPV4_ZONES="$IPV4_ZONES $zone" - eval ${zone}_type=ipv4 - fi - done < $TMP_DIR/zones - - [ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined" - - [ -z "$FW" ] && startup_error "No Firewall Zone Defined" -} - -# -# Validate the zone names and options in the interfaces file -# -validate_interfaces_file() { - local wildcard - local found_obsolete_option - found_obsolete_option= - local z - local interface - local networks - local options - local r - local iface - local option - - while read z interface networks options; do - r="$z $interface $networks $options" - - [ "x$z" = "x-" ] && z= - - if [ -n "$z" ]; then 
- validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - fi - - list_search $interface $ALL_INTERFACES && \ - startup_error "Duplicate Interface $interface" - - wildcard= - - case $interface in - *:*) - if [ "$PROGRAM" != compiler ]; then - # - # Assume that this is 4.0 syntax for a bridge - # - local bridge - bridge=${interface%:*} - list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge" - interface=${interface#*:} - else - startup_error "Invalid Interface Name: $interface" - fi - ;; - +) - startup_error "Invalid Interface Name: +" - ;; - *+) - wildcard=Yes - ;; - esac - - ALL_INTERFACES="$ALL_INTERFACES $interface" - options=$(separate_list $options) - iface=$(chain_base $interface) - - eval ${iface}_broadcast="$networks" - eval ${iface}_zone="$z" - eval ${iface}_options=\"$options\" - - for option in $options; do - case $option in - -) - ;; - dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-) - ;; - proxyarp) - [ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface" - ;; - maclist) - [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" - ;; - norfc1918) - if [ "$PROGRAM" != compiler ]; then - addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) - if [ -n "$addr" ]; then - addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//') - for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do - if in_network $addr $network; then - startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. 
Interface:$interface" - fi - done - fi - fi - ;; - arp_ignore=*) - eval ${iface}_arp_ignore=${option#*=} - ;; - arp_ignore) - eval ${iface}_arp_ignore=1 - ;; - detectnets) - [ -n "$wildcard" ] && \ - startup_error "The \"detectnets\" option may not be used with a wild-card interface" - [ -n "$EXPORT" ] && \ - startup_error "'detectnets' not permitted with the -e run-line option" - ;; - routeback) - [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" - ;; - *) - [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done < $TMP_DIR/interfaces - - [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" -} - -# -# Process the ipsec information in the zones file -# -setup_ipsec() { - local zone - local using_ipsec - using_ipsec= - # - # Add a --set-mss rule to the passed chain - # - set_mss1() # $1 = chain, $2 = MSS - { - local policy - eval policy=\$${1}_policy - - if [ "$policy" != NONE ]; then - ensurechain $1 - local match - match= - [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: " - run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2 - fi - } - # - # Set up rules to set MSS to and/or from zone "$zone" - # - set_mss() # $1 = MSS value, $2 = _in, _out or "" - { - for z in $ZONES $FW; do - case $2 in - _in) - set_mss1 ${zone}2${z} $1 - ;; - _out) - set_mss1 ${z}2${zone} $1 - ;; - *) - set_mss1 ${z}2${zone} $1 - set_mss1 ${zone}2${z} $1 - ;; - esac - done - } - - do_options() # $1 = _in, _out or "" - $2 = option list - { - local option - local newoptions - newoptions= - local val - - [ x${2} = x- ] && return - - for option in $(separate_list $2); do - val=${option#*=} - - case $option in - mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;; - strict) newoptions="$newoptions --strict" ;; - next) newoptions="$newoptions --next" ;; - reqid=*) newoptions="$newoptions --reqid $val" ;; - spi=*) newoptions="$newoptions 
--spi $val" ;; - proto=*) newoptions="$newoptions --proto $val" ;; - mode=*) newoptions="$newoptions --mode $val" ;; - tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; - tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; - reqid!=*) newoptions="$newoptions ! --reqid $val" ;; - spi!=*) newoptions="$newoptions ! --spi $val" ;; - proto!=*) newoptions="$newoptions ! --proto $val" ;; - mode!=*) newoptions="$newoptions ! --mode $val" ;; - tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; - tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; - *) fatal_error "Invalid option \"$option\" for zone $zone" ;; - esac - done - - if [ -n "$newoptions" ]; then - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_complex=Yes - eval ${zone}_ipsec${1}_options=\"${newoptions# }\" - fi - } - - case $IPSECFILE in - zones) - f=zones - progress_message "$DOING IPSEC..." - [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." - ;; - ipsec) - using_ipsec=Yes - if [ -s ${TMP_DIR}/ipsec ]; then - progress_message "$DOING ipsec..." - [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." 
- f=ipsec - else - return - fi - ;; - esac - - while read zone type options in_options out_options mss; do - if [ -n "$using_ipsec" ]; then - validate_zone1 $zone || fatal_error "Unknown zone: $zone" - fi - - if [ -n "$type" ]; then - if [ -n "$using_ipsec" ]; then - case $type in - No|no) - ;; - Yes|yes) - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - eval ${zone}_type=ipsec4 - ;; - *) - fatal_error "Invalid IPSEC column contents" - ;; - esac - fi - - do_options "" $options - do_options "_in" $in_options - do_options "_out" $out_options - fi - - done < $TMP_DIR/$f -} - -# -# Validate the zone names and options in the hosts file -# -validate_hosts_file() { - local z - local hosts - local options - local r - local interface - local host - local option - local zports - local ipsec - ipsec= - - check_bridge_port() - { - list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" - list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1" - } - - while read z hosts options; do - r="$z $hosts $options" - validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - - case $hosts in - *:*) - - interface=${hosts%%:*} - iface=$(chain_base $interface) - - list_search $interface $ALL_INTERFACES || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - - hosts=${hosts#*:} - ;; - *) - startup_error "Invalid HOST(S) column contents: $hosts" - ;; - esac - - eval zports=\$${z}_ports - - if [ -z "$BRIDGING" ]; then - case $hosts in - *!*!*) - startup_error "Invalid hosts file entry: \"$r\"" - ;; - !*) - hosts=0.0.0.0/0 - eval ${z}_is_complex=Yes - ;; - *!*) - hosts=${hosts%%!*} - eval ${z}_is_complex=Yes - ;; - esac - fi - - for host in $(separate_list $hosts); do - if [ -n "$BRIDGING" ]; then - case $host in - *:*) - known_interface ${host%:*} && \ - startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: 
$host" - check_bridge_port ${host%%:*} - ;; - *.*.*) - ;; - *+|+*|*!*) - eval ${z}_is_complex=Yes - ;; - *) - known_interface $host && \ - startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" - check_bridge_port $host - ;; - esac - else - case $host in - *.*.*) - ;; - +*) - eval ${z}_is_complex=Yes - ;; - *) - startup_error "BRIDGING=Yes is needed for this zone definition: $r" - ;; - esac - fi - - for option in $(separate_list $options) ; do - case $option in - norfc1918|blacklist|tcpflags|nosmurfs|-) - ;; - maclist) - [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" - ;; - ipsec) - [ -n "$POLICY_MATCH" ] || \ - startup_error "Your kernel and/or iptables does not support policy match: ipsec" - eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" - eval ${z}_is_complex=Yes - ipsec=Yes - ;; - routeback) - eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" - ;; - *) - error_message "WARNING: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done - - [ -n "$zports" ] && eval ${z}_ports=\"$zports\" - - done < $TMP_DIR/hosts - - [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS" - - [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH= -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne - zne=$1 - local z - local interface - - for interface in $ALL_INTERFACES; do - eval z=\$$(chain_base $interface)_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo $(chain_base $1)_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo $(chain_base $1)_in -} - -# -# Output Chain for an interface -# -output_chain() # $1 = interface -{ - 
echo $(chain_base $1)_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo $(chain_base $1)_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo $(chain_base $1)_mac -} - -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - -# -# Functions for creating dynamic zone rules -# -dynamic_fwd() # $1 = interface -{ - echo $(chain_base $1)_dynf -} - -dynamic_in() # $1 = interface -{ - echo $(chain_base $1)_dyni -} - -dynamic_out() # $1 = interface -{ - echo $(chain_base $1)_dyno -} - -dynamic_chains() #$1 = interface -{ - local c - c=$(chain_base $1) - - echo ${c}_dyni ${c}_dynf ${c}_dyno -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to an interface -# -snat_chain() # $1 = interface -{ - echo $(chain_base $1)_snat -} - -# -# ECN Chain to an interface -# -ecn_chain() # $1 = interface -{ - echo $(chain_base $1)_ecn -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c - c=$(chain_base $1) - - echo ${c}_fwd ${c}_in -} - -# -# Out Chain to an interface -# -out_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Horrible hack to work around an iptables limitation -# -iprange_echo() -{ - if [ -n "$KLUDGEFREE" ]; then - echo "-m iprange $@" - elif [ -f $TMP_DIR/iprange ]; then - echo $@ - else - echo "-m iprange $@" - > $TMP_DIR/iprange - fi -} - -# -# Get set flags (ipsets). 
-# -get_set_flags() # $1 = set name and optional [levels], $2 = src or dst -{ - local temp - local setname - setname=$1 - local options - options=$2 - - [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" - - case $1 in - *\[[1-6]\]) - temp=${1#*\[} - temp=${temp%\]} - setname=${1%\[*} - while [ $temp -gt 1 ]; do - options="$options,$2" - temp=$(($temp - 1)) - done - ;; - *\[*\]) - options=${1#*\[} - options=${options%\]} - setname=${1%\[*} - ;; - *) - ;; - esac - - echo "--set ${setname#+} $options" -} - -# -# Horrible hack to work around an iptables limitation -# -physdev_echo() -{ - if [ -n "$KLUDGEFREE" ]; then - echo -m physdev $@ - elif [ -f $TMP_DIR/physdev ]; then - echo $@ - else - echo -m physdev $@ - > $TMP_DIR/physdev - fi -} - -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --src-range ${1#!}" - ;; - *) - iprange_echo "--src-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} src)" - ;; - +*) - echo "-m set $(get_set_flags $1 src)" - ;; - *) - echo "-s $1" - ;; - esac -} - -# -# Destination IP range -# -dest_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --dst-range ${1#!}" - ;; - *) - iprange_echo "--dst-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} dst)" - ;; - +*) - echo "-m set $(get_set_flags $1 dst)" - ;; - *) - echo "-d $1" - ;; - esac -} - -both_ip_ranges() # $1 = Source address or range, $2 = dest address or range -{ - local rangeprefix - rangeprefix= - local setprefix - setprefix= - local rangematch - rangematch= - local setmatch - setmatch= - - case $1 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="--src-range $1" - ;; - !+*) - setprefix="-m set" - setmatch="! 
$(get_set_flags ${1#!} src)" - ;; - +*) - setprefix="-m set" - setmatch="$(get_set_flags $1 src)" - ;; - *) - rangematch="-s $1" - ;; - esac - - case $2 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="$rangematch --dst-range $2" - ;; - !+*) - setprefix="-m set" - match="$setmatch ! $(get_set_flags ${2#!} dst)" - ;; - +*) - setprefix="-m set" - setmatch="$setmatch $(get_set_flags $2 dst)" - ;; - *) - rangematch="$rangematch -d $2" - ;; - esac - - echo "$rangeprefix $rangematch $setprefix $setmatch" -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern - pattern=${1%+} - - case $1 in - *+) - test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# We allow hosts to be specified by IP address or by physdev. These two functions -# are used to produce the proper match in a netfilter rule. -# -match_source_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(source_ip_range $1) - ;; - *) - physdev_echo "--physdev-in $1" - ;; - esac - else - echo $(source_ip_range $1) - fi -} - -match_dest_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(dest_ip_range $1) - ;; - *) - physdev_echo "--physdev-out $1" - ;; - esac - else - echo $(dest_ip_range $1) - fi -} -# -# Matches for either or :
-# -match_source() -{ - case "$1" in - *:*) - echo "-i ${1%%:*} $(match_source_hosts ${1#*:})" - ;; - *) - echo $(dest_ip_range $1) - ;; - esac -} - -match_dest() -{ - case "$1" in - *:*) - echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})" - ;; - *) - echo $(dest_ip_range $1) - ;; - esac -} - -# -# Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in ${CONFDIR}/interfaces then a normal interface match is -# generated (-i or -o); otherwise, a physdev match is generated. -#------------------------------------------------------------------------------------- -# -# loosely match the passed interface with those in ${CONFDIR}/interfaces. -# -known_interface() # $1 = interface name -{ - local iface - - for iface in $ALL_INTERFACES ; do - if if_match $iface $1 ; then - return 0 - fi - done - - return 1 -} - -known_port() # $1 = port name -{ - local port - - for port in $ALL_PORTS ; do - if if_match $port $1 ; then - return 0 - fi - done - - return 1 -} - -match_source_dev() -{ - if [ -n "$BRIDGING" ]; then - known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1 - elif known_interface $1; then - echo -i $1 - elif [ -n "$PHYSDEV_MATCH" ]; then - physdev_echo "--physdev-in $1" - else - echo -i $1 - fi -} - -match_dest_dev() -{ - if [ -n "$BRIDGING" ]; then - known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1 - elif known_interface $1; then - echo -o $1 - elif [ -n "$PHYSDEV_MATCH" ]; then - physdev_echo "--physdev-out $1" - else - echo -o $1 - fi -} - -verify_interface() -{ - known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } -} - -# -# Determine if communication to/from a host is encrypted using IPSEC -# -is_ipsec_host() # $1 = zone, $2 = host -{ - local is_ipsec - eval is_ipsec=\$${1}_is_ipsec - local hosts - eval hosts=\"\$${1}_ipsec_hosts\" - - test -n "$is_ipsec" || list_search $2 $hosts -} - -# -# Generate a match for decrypted packets -# -match_ipsec_in() # $1 = zone, $2 = host -{ 
- if is_ipsec_host $1 $2 ; then - local options - eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" - echo "-m policy --pol ipsec --dir in $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir in" - fi -} - -# -# Generate a match for packets that will be encrypted -# -match_ipsec_out() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - local options - eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" - echo "-m policy --pol ipsec --dir out $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir out" - fi -} - -# -# Jacket for ip_range() that takes care of iprange match -# - -firewall_ip_range() # $1 = IP address or range -{ - [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts - local interface - local address - local addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - interface=${hosts%%:*} - addresses=${hosts#*:} - case $addresses in - !*) - echo $interface:0.0.0.0/0 - ;; - *) - for address in $(separate_list ${addresses%%!*}); do - echo $interface:$address - done - ;; - esac - fi - done < $TMP_DIR/hosts -} - -# -# -# Find exclusions in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo any exclusions -# -find_exclusions() # $1 = host zone -{ - local hosts - local interface - local address - local addresses - - while read z hosts options; do - if [ "x$z" = "x$1" ]; then - interface=${hosts%%:*} - addresses=${hosts#*:} - case $addresses in - *!*) - for address in $(separate_list ${addresses#*!}); do - echo $interface:$address - done - ;; - esac - fi - done < $TMP_DIR/hosts -} - -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. 
This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $ZONES; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Determine the defined hosts in each zone -# -determine_hosts() { - for zone in $ZONES; do - hosts=$(find_hosts $zone) - hosts=$(echo $hosts) # Remove extra trash - exclusions=$(find_exclusions $zone) - exclusions=$(echo $exclusions) # Remove extra trash - - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if interface_has_option $interface detectnets; then - networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" ) - else - networks=0.0.0.0/0 - fi - - for network in $networks; do - if [ -z "$hosts" ]; then - hosts=$interface:$network - else - hosts="$hosts $interface:$network" - fi - - if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" - fi - done - done - - interfaces= - - for host in $hosts; do - interface=${host%:*} - if list_search $interface $interfaces; then - list_search $interface:0.0.0.0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - list_search $interface:0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - eval ${zone}_is_complex=Yes - else - if [ -z "$interfaces" ]; then - interfaces=$interface - else - interfaces="$interfaces $interface" - fi - fi - done - - eval ${zone}_exclusions="\$exclusions" - eval ${zone}_interfaces="\$interfaces" - eval ${zone}_hosts="\$hosts" - - if [ -n "$hosts" ]; then - if [ $VERBOSE -ge 1 ]; then - [ -n "$exclusions" ] && display_list "$zone Zone:" 
$hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts - fi - else - error_message "WARNING: Zone $zone is empty" - fi - done -} - -# -# Ensure that the passed zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $ZONES $FW -} -# -# Ensure that the passed zone is defined in the zones file. -# -validate_zone1() # $1 = zone -{ - list_search $1 $ZONES -} - -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" -} - -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && echo $interface - done -} - -# -# This slightly slower version is used to find both the option and option followed -# by equal sign ("=") and a value -# -find_interfaces_by_option1() # $1 = option -{ - local options - local option - - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - for option in $options; do - if [ "${option%=*}" = "$1" ]; then - echo $interface - break - fi - done - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - local ignore - local hosts - local interface - local address - local addresses - local options - local ipsec - ipsec= - local list - - while read ignore hosts options; do - list=$(separate_list $options) - if list_search $1 $list; then - list_search ipsec $list && ipsec=ipsec || ipsec=none - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo ${ipsec}^$interface:$address - done - fi - done < $TMP_DIR/hosts - - for interface in $ALL_INTERFACES; do - interface_has_option 
$interface $1 && \ - echo none^${interface}:0.0.0.0/0 - done -} - -# -# Process the routestopped file either adding or deleting rules -# -process_routestopped() # $1 = command -{ - local hosts - hosts= - local interface - local host - local host1 - local options - local networks - local source - source= - local dest - dest= - local matched - - while read interface host options; do - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 - for h in $(separate_list $host); do - hosts="$hosts $interface:$h" - done - - routeback= - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback) - if [ -n "$routeback" ]; then - error_message "WARNING: Duplicate routestopped option ignored: routeback" - else - routeback=Yes - for h in $(separate_list $host); do - run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT - done - fi - ;; - source) - for h in $(separate_list $host); do - source="$source $interface:$h" - done - ;; - dest) - for h in $(separate_list $host); do - dest="$dest $interface:$h" - done - ;; - critical) - ;; - *) - error_message "WARNING: Unknown routestopped option ignored: $option" - ;; - esac - done - fi - - done < $TMP_DIR/routestopped - - - for host in $hosts; do - interface=${host%:*} - networks=${host#*:} - source_range=$(source_ip_range $networks) - dest_range=$(dest_ip_range $networks) - run_iptables $1 INPUT -i $interface $source_range -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT - - matched= - - if list_search $host $source ; then - run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT - matched=Yes - fi - - if list_search $host $dest ; then - run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT - matched=Yes - fi - - if [ -z "$matched" ]; then - for host1 in $hosts; do - [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j 
ACCEPT - done - fi - done -} - -process_criticalhosts() -{ - local hosts - hosts= - local interface - local host - local h - local options - local networks - local criticalhosts - criticalhosts= - - while read interface host options; do - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback|source|dest) - ;; - critical) - for h in $host; do - criticalhosts="$criticalhosts $interface:$h" - done - ;; - *) - error_message "WARNING: Unknown routestopped option ignored: $option" - ;; - esac - done - fi - done < $TMP_DIR/routestopped - - if [ -n "$criticalhosts" ]; then - CRITICALHOSTS=$criticalhosts - progress_message "Critical Hosts are:$CRITICALHOSTS" - fi - -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - qt rm -rf /tmp/shorewall-$$ - mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - error_message "ERROR:Internal error in mktempdir" - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first - local rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1" - echo "WARNING -- No such file: $1" - fi -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - if [ ! 
-f $TMP_DIR/$1 ]; then - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi - fi -} - -# -# Strip the passed file. -# -# Return success if -# a) the stripped file is non-empty and the library was successfully loaded; or -# b) the stripped file is empty but the library had been loaded previously -# -strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty -{ - local f - f=$(find_file $1) - - strip_file $1 $f - - if [ -s $TMP_DIR/$1 ]; then - lib_load $2 "A non-empty $1 file ($f)" - return 0 - fi - - eval test -n \"\$LIB_${2}_LOADED\" -} - -# -# Check that a mark value or mask is less that 256 or that it is less than 65536 and -# that it's lower 8 bits are zero. -# -verify_mark() # $1 = value to test -{ - verify_mark2() - { - case $1 in - 0*) - [ $(($1)) -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $(($1)) -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - [1-9]*) - [ $1 -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $1 -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - *) - return 2 - ;; - esac - } - - verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value 
($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - # Make sure umask is sane - umask 077 - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - TERMINATOR=fatal_error - # - # Clear all configuration variables (shorewall.conf) - # - STARTUP_ENABLED= - # - #VERBOSE is inherited -- VERBOSITY is only used in the CIs - # - # - # Logging - # - LOGFILE= - LOGFORMAT= - LOGTAGONLY= - LOGRATE= - LOGBURST= - LOGALLNEW= - BLACKLIST_LOGLEVEL= - MACLIST_LOG_LEVEL= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - SMURF_LOG_LEVEL= - LOG_MARTIANS= - # - # Location of files - # - IPTABLES= - #PATH is inherited - SHOREWALL_SHELL= - SUBSYSLOCK= - MODULESDIR= - #CONFIG_PATH is inherited - RESTOREFILE= - IPSECFILE= - LOCKFILE= - # - # Default Actions/Macros - # - DROP_DEFAULT= - REJECT_DEFAULT= - ACCEPT_DEFAULT= - QUEUE_DEFAULT= - # - # Firewall Options - # - IP_FORWARDING= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - RETAIN_ALIASES= - TC_ENABLED= - TC_EXPERT= - CLEAR_TC= - MARK_IN_FORWARD_CHAIN= - CLAMPMSS= - ROUTE_FILTER= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - DELAYBLACKLISTLOAD= - MODULE_SUFFIX= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - RFC1918_STRICT= - MACLIST_TABLE= - MACLIST_TTL= - SAVE_IPSETS= - MAPOLDACTIONS= - FASTACCEPT= - IMPLICIT_CONTINUE= - HIGH_ROUTE_MARKS= - USE_ACTIONS= - OPTIMIZE= - EXPORTPARAMS= - KEEP_TC_RULES= - DELETE_THEN_ADD= - DONT_LOAD= - # - # Packet Disposition - # - MACLIST_DISPOSITION= - TCP_FLAGS_DISPOSITION= - BLACKLIST_DISPOSITION= - # - # Other Globals - # - VERSION= - FW= - USEPKTYPE= - LOGLIMIT= - LOGPARMS= - OUTPUT= - ALL_INTERFACES= - ROUTEMARK_INTERFACES= - PROVIDERS= - CRITICALHOSTS= - EXCLUSION_SEQ=1 - STOPPING= - HAVE_MUTEX= - ALIASES_TO_ADD= - SECTION=ESTABLISHED - 
SECTIONS= - ALL_PORTS= - ACTIONS= - USEDACTIONS= - DEFAULT_MACROS= - COMMENT= - VERSION_FILE= - LOGRULENUMBERS= - ORIGINAL_POLICY_MATCH= - ORIGINAL_MANGLE_ENABLED= - - ensure_config_path - - VERSION_FILE=$SHAREDIR/version - - [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) - - set -a; - - run_user_exit params - - set +a - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config - else - startup_error "Cannot read $config (Hint: Are you root?)" - fi - else - startup_error "$config does not exist!" - fi - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - startup_error "Can't create a temporary directory" - - case $PROGRAM in - compiler) - trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - firewall) - trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - esac - - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to accurately determine - # capabilities when module autoloading isn't enabled. - # - PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) - [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )" - - [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then - - load_kernel_modules Yes - - if [ -z "$IPTABLES" ]; then - IPTABLES=$(mywhich iptables 2> /dev/null) - [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" - else - [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" - fi - - f=$(find_file capabilities) - - [ -f $f ] && . $f || determine_capabilities - else - f=$(find_file capabilities) - [ -f $f ] && . 
$f || startup_error "The -e flag requires a capabilities file" - fi - - if [ -n "$CAPVERSION" ]; then - [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION" - else - error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION" - fi - - ORIGINAL_POLICY_MATCH=$POLICY_MATCH - ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED - - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$ROUTE_FILTER" ]; then - case "$ROUTE_FILTER" in - Yes|yes|YES) - ROUTE_FILTER=yes - ;; - No|no|NO) - ROUTE_FILTER=no - ;; - Keep|keep|KEEP) - ROUTE_FILTER= - ;; - *) - startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER" - ;; - esac - else - ROUTE_FILTER= - fi - - if [ -n "$LOG_MARTIANS" ]; then - case "$LOG_MARTIANS" in - Yes|yes|YES) - LOG_MARTIANS=yes - ;; - No|no|NO) - LOG_MARTIANS=no - ;; - Keep|keep|KEEP) - LOG_MARTIANS= - ;; - *) - startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS" - ;; - esac - else - LOG_MARTIANS=yes - fi - - [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] - - case "$CLAMPMSS" in - [0-9]*) - ;; - *) - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ;; - esac - - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - - MACLIST_TARGET=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case 
$MACLIST_DISPOSITION in - REJECT) - ;; - DROP) - MACLIST_TARGET=DROP - ;; - ACCEPT) - MACLIST_TARGET=RETURN - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -n "${RFC1918_LOG_LEVEL:=info}" ] - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null) - if [ $? 
-ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" - - MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) )) - MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*} - else - LOGFORMAT="Shorewall:%s:%s:" - MAXZONENAMELENGTH=5 - fi - - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - if [ -n "$DYNAMIC_ZONES" ]; then - [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" - lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" - fi - - STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) - RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) - [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= - DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) - LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) - MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) - FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) - - [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes" - - IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) - HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) - TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) - 
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) - EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS) - KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) - DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) - - if [ -n "$MANGLE_ENABLED" ] ; then - case $MANGLE_ENABLED in - Yes|yes) - ;; - No|no) - MANGLE_ENABLED= - ;; - *) - startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; - ;; - esac - fi - - [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - - [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= - [ -n "$XMARK" ] || XCONNMARK= - - [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" - - case ${MACLIST_TABLE:=filter} in - filter) - ;; - mangle) - [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" - ;; *) - startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" - ;; - esac - - TC_SCRIPT= - - if [ -n "$TC_ENABLED" ] ; then - case "$TC_ENABLED" in - [Yy][Ee][Ss]) - TC_ENABLED=Yes - TC_SCRIPT=$(find_file tcstart) - [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file" - ;; - [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) - TC_ENABLED=Internal - ;; - [Nn][Oo]) - TC_ENABLED= - ;; - esac - else - TC_ENABLED=Yes - fi - - if [ -n "$TC_ENABLED" ];then - [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" - [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf" - fi - - [ "x${SHOREWALL_DIR}" = "x." 
] && SHOREWALL_DIR="$PWD" - [ -n "${RESTOREFILE:=restore}" ] - - case "${DROP_DEFAULT:=Drop}" in - None) - DROP_DEFAULT=none - ;; - esac - - case "${REJECT_DEFAULT:=Reject}" in - None) - REJECT_DEFAULT=none - ;; - esac - - case "${QUEUE_DEFAULT:=none}" in - None) - QUEUE_DEFAULT=none - ;; - esac - - case "${ACCEPT_DEFAULT:=none}" in - None) - ACCEPT_DEFAULT=none - ;; - esac - - case "${OPTIMIZE:=0}" in - 0|1) - ;; - *) - startup_error "Invalid OPTIMIZE value ($OPTIMIZE)" - ;; - esac - - if [ -n "$LOCKFILE" ]; then - [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist" - fi - # - # Check out the user's shell - # - [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - if [ -z "$KLUDGEFREE" ]; then - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange - fi - - qt mywhich awk && HAVEAWK=Yes || HAVEAWK= - # - # Pre-process all of the standard files - # - # Because 'strip_file()' does shell variable expansion, we must first determine the - # setting of $FW - # - case ${IPSECFILE:=ipsec} in - ipsec) - [ -n "${FW:=fw}" ] - strip_file ipsec - ;; - zones) - get_firewall_zone - ;; - *) - startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" - ;; - esac - - strip_file zones - strip_file routestopped - strip_file interfaces - strip_file hosts - - if [ $PROGRAM = compiler ]; then - strip_file_and_lib_load accounting accounting - - if [ -n "$USE_ACTIONS" ]; then - strip_file actions - strip_file actions.std ${SHAREDIR}/actions.std - fi - - strip_file blacklist - strip_file ecn - strip_file maclist - strip_file_and_lib_load masq nat - strip_file_and_lib_load nat nat - strip_file_and_lib_load netmap nat - strip_file policy - strip_file_and_lib_load providers providers && strip_file route_rules - strip_file_and_lib_load proxyarp proxyarp - strip_file rfc1918 
- strip_file routestopped - strip_file rules - - if [ "$TC_ENABLED" = Internal ]; then - strip_file_and_lib_load tcdevices tc - strip_file_and_lib_load tcclasses tc - fi - - strip_file_and_lib_load tcrules tcrules - strip_file tos - strip_file_and_lib_load tunnels tunnels - fi - - [ "$IPSECFILE" = zones ] && FW= -} diff --git a/Shorewall/lib.dynamiczones b/Shorewall/lib.dynamiczones deleted file mode 100644 index 826da53de..000000000 --- a/Shorewall/lib.dynamiczones +++ /dev/null 
@@ -1,427 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.dynamiczones -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/firewall when processing -# the 'add' and 'delete' commands. -# - -# -# Add a host or networks to a zone -# -add_to_zone() # $1...${n-1} = [:] $n = zone -{ - local interface host zone z h z1 z2 chain - local dhcp_interfaces blacklist_interfaces maclist_interfaces - local tcpflags_interfaces newhostlist= - local rulenum source_chain dest_hosts iface hosts hostlist= - - nat_chain_exists() # $1 = chain name - { - qt $IPTABLES -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! 
$IPTABLES $@ ; then - error_message "ERROR: Can't add $newhost to zone $zone" - fi - } - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file $IPSECFILE) - - [ -f $f ] && setup_ipsec $f - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Check for duplicates and create a new zone state file - # - > ${VARDIR}/zones_$$ - - while read z type hosts; do - if [ "$z" = "$zone" ]; then - case $type in - bport4:*) - rm -f ${VARDIR}/zones_$$ - startup_error "Bridge Port zones may not be dynamically modified" - ;; - esac - - case "$hosts" in - *exclude*) - rm -f ${VARDIR}/zones_$$ - startup_error "Modifying a zone that has an exclude list is not supported" - ;; - *) - for h in $hostlist; do - if ! list_search +$h $hosts; then - if ! 
list_search $h $hosts; then - newhostlist="$newhostlist +$h" - else - error_message "$h is already in zone $zone" - fi - else - error_message "$h is already in zone $zone" - fi - done - - [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" - ;; - esac - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $type $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - # - # Create a new Zone state file - # - for newhost in $newhostlist; do - newhost=${newhost#+} - # - # Isolate interface and host parts - # - interface=${newhost%%:*} - host=${newhost#*:} - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - [ "$z1" = "$z2" ] && op="-I" || op="-A" - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $newhost ; then - do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain 
for the interface - # - do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$newhost added to zone $zone" - - done - - rm -rf $TMP_DIR -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - local interface host zone z h z1 z2 chain delhost - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts hostlist= - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file ipsec) - - [ -f $f ] && setup_ipsec $f - - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! 
chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Delete the passed hosts from the zone state file - # - > ${VARDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for host in $hostlist; do - found= - for h in $temp; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - - if [ "$h" = "$host" ]; then - found=No - break - fi - done - - [ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone" - [ "$found" = No ] && startup_error "$host is a permanent member of zone $zone" - done - - for h in $temp; do - found= - for host in $hostlist; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - done - - [ -n "$found" ] || hosts="$hosts $h" - done - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - - for delhost in $hostlist; do - interface=${delhost%%:*} - host=${delhost#*:} - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" 
]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $delhost ; then - qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$delhost removed from zone $zone" - - done - - rm -rf $TMP_DIR -} diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 38c6ac983..0d4b6d7d4 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1324,12 +1324,10 @@ usage() # $1 = exit status { echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " echo "where is one of:" - echo " add [:] ... " echo " allow
..." echo " check [ -e ] [ ]" echo " clear [ -f ]" echo " compile [ -e ] [ ] " - echo " delete [:] ... " echo " drop
..." echo " dump [ -x ]" echo " export [ ] [@][:]" @@ -1542,7 +1540,7 @@ export PRODUCT="Shorewall" [ -n "${VARDIR:=/var/lib/shorewall}" ] -FIREWALL=$SHAREDIR/firewall +FIREWALL=${VARDIR}/.restore LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli" VERSION_FILE=$SHAREDIR/version REFRESHCHAINS= @@ -1556,18 +1554,6 @@ for library in $LIBRARIES; do fi done -if [ ! -f $FIREWALL ]; then - echo " ERROR: Shorewall is not properly installed" >&2 - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $FIREWALL does not exist" >&2 - fi - - exit 2 -fi - if [ -f $VERSION_FILE ]; then version=$(cat $VERSION_FILE) else @@ -1608,19 +1594,8 @@ case "$COMMAND" in ;; stop|clear) get_config - if [ "x$2" = x-s ]; then - shift - else - if [ "x$2" = x-f -o "$FAST_STOP" ]; then - [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore - - if [ "x$2" = x-f ]; then - shift - fi - fi - fi - [ $# -ne 1 ] && usage 1 + [ -x $FIREWALL ] || fatal_error "Shorewall has never been started" export NOROUTES mutex_on $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND @@ -1628,10 +1603,9 @@ case "$COMMAND" in ;; reset) get_config - export NOROUTES shift mutex_on - $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@ + reset_command $@ mutex_off ;; compile) @@ -1654,13 +1628,6 @@ case "$COMMAND" in shift check_command $@ ;; - add|delete) - [ $# -lt 3 ] && usage 1 - get_config - mutex_on - $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ - mutex_off - ;; show|list) get_config Yes No Yes shift diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 2bc74c8e2..cd4aed053 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec 
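Review bot: `FIREWALL=${VARDIR}/.restore` means every command that runs `$SHOREWALL_SHELL $FIREWALL` now executes a generated script from the state directory as root, whereas before it ran the package-installed `$SHAREDIR/firewall`, which the spec hunk below shows shipped as 0755 root-owned. The only gate visible in this diff is the later `[ -x $FIREWALL ]` test in the stop|clear hunk, which checks neither ownership nor write permission, and `${VARDIR:=/var/lib/shorewall}` keeps an inherited VARDIR, so a `.restore` under a weaker-permissioned directory would be executed without complaint. How `.restore` is written is outside this diff, so this may be covered elsewhere, but a cheap guard at the point of use would be `[ -O "$FIREWALL" ] || fatal_error "$FIREWALL is not owned by the current user"` next to the `-x` test, and quoting `"$FIREWALL"` in that test.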
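Review bot: The usage text still advertises `clear [ -f ]` (a context line in the usage hunk above), but the rewritten stop|clear branch now runs `[ $# -ne 1 ] && usage 1` after dropping the `-s`/`-f` parsing, so `shorewall clear -f` exits with a usage error. Either remove `[ -f ]` from that usage line or keep accepting the flag as a no-op, e.g. `[ "x$2" = x-f ] && shift` before the argument-count check. Separately, `[ -x $FIREWALL ] || fatal_error "Shorewall has never been started"` now blocks both `clear` and `stop` — the safe state — whenever `${VARDIR}/.restore` is absent, where previously they ran the always-present `$SHAREDIR/firewall`; if that is intended, the message should name the missing file, e.g. `fatal_error "$FIREWALL not found -- Shorewall has never been started"`. The enclosing `case "$COMMAND"` starts and ends outside this hunk.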
@@ -118,12 +118,9 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/action.Drop
 %attr(0644,root,root) /usr/share/shorewall/action.Reject
 %attr(0644,root,root) /usr/share/shorewall/action.template
-%attr(0755,root,root) /usr/share/shorewall/firewall
 %attr(- ,root,root) /usr/share/shorewall/functions
 %attr(0644,root,root) /usr/share/shorewall/lib.base
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
-%attr(0644,root,root) /usr/share/shorewall/lib.config
-%attr(0644,root,root) /usr/share/shorewall/lib.dynamiczones
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
 %attr(0644,root,root) /usr/share/shorewall/rfc1918