First release of 'shorewall generate'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3237 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d145351222
commit
d81f2ca29e
@ -147,7 +147,7 @@ ensure_and_save_command()
|
|||||||
append_file() # $1 = File Name
|
append_file() # $1 = File Name
|
||||||
{
|
{
|
||||||
save_command "cat > /var/lib/shorewall/$1 << __EOF__"
|
save_command "cat > /var/lib/shorewall/$1 << __EOF__"
|
||||||
cat /var/lib/shorewall/$1 >> $RESTOREBASE
|
cat $STATEDIR/$1 >> $RESTOREBASE
|
||||||
save_command __EOF__
|
save_command __EOF__
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1400,14 +1400,28 @@ setup_providers()
|
|||||||
provider="$table $number $mark $duplicate $interface $gateway $options $copy"
|
provider="$table $number $mark $duplicate $interface $gateway $options $copy"
|
||||||
add_a_provider
|
add_a_provider
|
||||||
PROVIDERS="$PROVIDERS $table"
|
PROVIDERS="$PROVIDERS $table"
|
||||||
progress_message " Provider $provider Added"
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " Provider $provider comipled"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " Provider $provider Added"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
done < $TMP_DIR/providers
|
done < $TMP_DIR/providers
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$PROVIDERS" ]; then
|
if [ -n "$PROVIDERS" ]; then
|
||||||
if [ -n "$DEFAULT_ROUTE" ]; then
|
if [ -n "$DEFAULT_ROUTE" ]; then
|
||||||
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace default scope global $DEFAULT_ROUTE"
|
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace default scope global $DEFAULT_ROUTE"
|
||||||
progress_message " Default route $DEFAULT_ROUTE Added."
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " Default route $DEFAULT_ROUTE Compiled."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " Default route $DEFAULT_ROUTE Added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat > /etc/iproute2/rt_tables <<EOF
|
cat > /etc/iproute2/rt_tables <<EOF
|
||||||
@ -2724,14 +2738,14 @@ setup_proxy_arp() {
|
|||||||
|
|
||||||
ensure_and_save_command arp -i $external -Ds $address $external pub
|
ensure_and_save_command arp -i $external -Ds $address $external pub
|
||||||
|
|
||||||
echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp
|
echo $address $interface $external $haveroute >> $STATEDIR/proxyarp
|
||||||
fi
|
fi
|
||||||
|
|
||||||
progress_message " Host $address connected to $interface added to ARP on $external"
|
progress_message " Host $address connected to $interface added to ARP on $external"
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
> /var/lib/shorewall/proxyarp
|
> $STATEDIR/proxyarp
|
||||||
|
|
||||||
save_progress_message "Restoring Proxy ARP..."
|
save_progress_message "Restoring Proxy ARP..."
|
||||||
fi
|
fi
|
||||||
@ -2756,9 +2770,9 @@ setup_proxy_arp() {
|
|||||||
interfaces=$(find_interfaces_by_option proxyarp)
|
interfaces=$(find_interfaces_by_option proxyarp)
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
|
if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then
|
||||||
|
run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
|
||||||
progress_message " Enabled proxy ARP on $interface"
|
progress_message " Enabled proxy ARP on $interface"
|
||||||
save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
|
|
||||||
else
|
else
|
||||||
error_message "WARNING: Unable to enable proxy ARP on $interface"
|
error_message "WARNING: Unable to enable proxy ARP on $interface"
|
||||||
fi
|
fi
|
||||||
@ -2977,16 +2991,16 @@ setup_syn_flood_chains()
|
|||||||
delete_proxy_arp() {
|
delete_proxy_arp() {
|
||||||
if [ -f /var/lib/shorewall/proxyarp ]; then
|
if [ -f /var/lib/shorewall/proxyarp ]; then
|
||||||
while read address interface external haveroute; do
|
while read address interface external haveroute; do
|
||||||
qt arp -i $external -d $address pub
|
[ $COMMAND = generate ] || qt arp -i $external -d $address pub
|
||||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||||
done < /var/lib/shorewall/proxyarp
|
done < /var/lib/shorewall/proxyarp
|
||||||
|
|
||||||
rm -f /var/lib/shorewall/proxyarp
|
[ $COMMAND = generate ] || rm -f /var/lib/shorewall/proxyarp
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -d /var/lib/shorewall ] && touch /var/lib/shorewall/proxyarp
|
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
|
||||||
|
|
||||||
for f in /proc/sys/net/ipv4/conf/*; do
|
[ $COMMAND = generate ] || for f in /proc/sys/net/ipv4/conf/*; do
|
||||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
@ -3053,7 +3067,7 @@ setup_nat() {
|
|||||||
#
|
#
|
||||||
# At this point, we're just interested in the network translation
|
# At this point, we're just interested in the network translation
|
||||||
#
|
#
|
||||||
[ $COMMAND = check ] || > /var/lib/shorewall/nat
|
[ $COMMAND = check ] || > $STATEDIR/nat
|
||||||
|
|
||||||
if [ -n "$POLICY_MATCH" ]; then
|
if [ -n "$POLICY_MATCH" ]; then
|
||||||
policyin="-m policy --pol none --dir in"
|
policyin="-m policy --pol none --dir in"
|
||||||
@ -3083,10 +3097,10 @@ delete_nat() {
|
|||||||
qt ip addr del $external dev $interface
|
qt ip addr del $external dev $interface
|
||||||
done < /var/lib/shorewall/nat
|
done < /var/lib/shorewall/nat
|
||||||
|
|
||||||
rm -f {/var/lib/shorewall}/nat
|
[ $COMMAND = generate ] || rm -f {/var/lib/shorewall}/nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -d /var/lib/shorewall ] && touch /var/lib/shorewall/nat
|
[ -d $STATEDIR ] && touch $STATEDIR/nat
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -3404,7 +3418,14 @@ setup_traffic_shaping()
|
|||||||
expandv device inband outband defmark ackmark
|
expandv device inband outband defmark ackmark
|
||||||
tcdev="$device $inband $outband"
|
tcdev="$device $inband $outband"
|
||||||
add_root_tc
|
add_root_tc
|
||||||
progress_message " TC Device $tcdev Added."
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " TC Device $tcdev Compiled."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " TC Device $tcdev Added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
done < $TMP_DIR/tcdevices
|
done < $TMP_DIR/tcdevices
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3416,7 +3437,14 @@ setup_traffic_shaping()
|
|||||||
tcdev="$device $mark $rate $ceil $prio $options"
|
tcdev="$device $mark $rate $ceil $prio $options"
|
||||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||||
add_tc_class
|
add_tc_class
|
||||||
progress_message " TC Class \"$tcdev\" Added."
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " TC Class $tcdev Compiled."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " TC Class \"$tcdev\" Added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
done < $TMP_DIR/tcclasses
|
done < $TMP_DIR/tcclasses
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -3691,7 +3719,14 @@ process_tc_rule()
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
progress_message " TC Rule \"$rule\" added"
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " TC Rule \"$rule\" compiled"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " TC Rule \"$rule\" added"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -4602,11 +4637,17 @@ process_action() # $1 = chain (Chain to add the rules to)
|
|||||||
#
|
#
|
||||||
# Report Result
|
# Report Result
|
||||||
#
|
#
|
||||||
if [ $COMMAND = check ]; then
|
case $COMMAND in
|
||||||
progress_message " Rule \"$rule\" checked."
|
check)
|
||||||
else
|
progress_message " Rule \"$rule\" checked."
|
||||||
progress_message " Rule \"$rule\" added."
|
;;
|
||||||
fi
|
generate)
|
||||||
|
progress_message " Rule \"$rule\" compiled."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " Rule \"$rule\" added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -6259,11 +6300,18 @@ process_rule() # $1 = target
|
|||||||
#
|
#
|
||||||
# Report Result
|
# Report Result
|
||||||
#
|
#
|
||||||
if [ $COMMAND = check ]; then
|
case $COMMAND in
|
||||||
progress_message " Rule \"$rule\" checked."
|
check)
|
||||||
else
|
progress_message " Rule \"$rule\" checked."
|
||||||
progress_message " Rule \"$rule\" added."
|
;;
|
||||||
fi
|
generate)
|
||||||
|
progress_message " Rule \"$rule\" compiled."
|
||||||
|
save_command "progress_message ' Rule \"'$rule'\" added.'"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " Rule \"$rule\" added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -6700,7 +6748,14 @@ process_tos_rule() {
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
progress_message " Rule \"$rule\" added."
|
case $COMMAND in
|
||||||
|
generate)
|
||||||
|
progress_message " Rule \"$rule\" compiled."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
progress_message " Rule \"$rule\" added."
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7546,7 +7601,7 @@ add_ip_aliases()
|
|||||||
val=$(address_details)
|
val=$(address_details)
|
||||||
|
|
||||||
if [ -n "$RETAIN_ALIASES" ]; then
|
if [ -n "$RETAIN_ALIASES" ]; then
|
||||||
run_ip addr add ${external}${val} dev $interface $label
|
[ "$COMMAND" = generate ] || run_ip addr add ${external}${val} dev $interface $label
|
||||||
save_command qt ip addr add ${external}${val} dev $interface $label
|
save_command qt ip addr add ${external}${val} dev $interface $label
|
||||||
else
|
else
|
||||||
ensure_and_save_command ip addr add ${external}${val} dev $interface $label
|
ensure_and_save_command ip addr add ${external}${val} dev $interface $label
|
||||||
@ -7554,7 +7609,7 @@ add_ip_aliases()
|
|||||||
|
|
||||||
[ -n "$arping" ] && run_and_save_command qt $arping -U -c 2 -I $interface $external
|
[ -n "$arping" ] && run_and_save_command qt $arping -U -c 2 -I $interface $external
|
||||||
|
|
||||||
echo "$external $interface" >> /var/lib/shorewall/nat
|
echo "$external $interface" >> $STATEDIR/nat
|
||||||
[ -n "$label" ] && label="with $label"
|
[ -n "$label" ] && label="with $label"
|
||||||
progress_message " IP Address $external added to interface $interface $label"
|
progress_message " IP Address $external added to interface $interface $label"
|
||||||
}
|
}
|
||||||
@ -7883,7 +7938,7 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
if [ -n "$USEPKTTYPE" ]; then
|
if [ -n "$USEPKTTYPE" ]; then
|
||||||
run_iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
run_iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||||
run_iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
run_iptables -A reject -m pkttype --pkt-type multicast -j DROP
|
||||||
else
|
else
|
||||||
drop_broadcasts
|
drop_broadcasts
|
||||||
fi
|
fi
|
||||||
@ -7899,7 +7954,7 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Not all versions of iptables support these so don't complain if they don't work
|
# Not all versions of iptables support these so don't complain if they don't work
|
||||||
#
|
#
|
||||||
if [ -n "$ENHANCED_REJECT" ]; THEN
|
if [ -n "$ENHANCED_REJECT" ]; then
|
||||||
run_iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
run_iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||||
run_iptables -A reject -j REJECT --reject-with icmp-host-prohibited
|
run_iptables -A reject -j REJECT --reject-with icmp-host-prohibited
|
||||||
else
|
else
|
||||||
@ -8374,8 +8429,8 @@ activate_rules()
|
|||||||
addnatjump POSTROUTING $(output_chain $interface) -o $interface
|
addnatjump POSTROUTING $(output_chain $interface) -o $interface
|
||||||
done
|
done
|
||||||
|
|
||||||
> /var/lib/shorewall/chains
|
> $STATEDIR/chains
|
||||||
echo "$FW firewall" > /var/lib/shorewall/zones
|
echo "$FW firewall" > $STATEDIR/zones
|
||||||
#
|
#
|
||||||
# Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
|
# Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
|
||||||
#
|
#
|
||||||
@ -8419,7 +8474,7 @@ activate_rules()
|
|||||||
|
|
||||||
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
||||||
|
|
||||||
echo $zone $type $source_hosts >> /var/lib/shorewall/zones
|
echo $zone $type $source_hosts >> $STATEDIR/zones
|
||||||
|
|
||||||
need_broadcast=
|
need_broadcast=
|
||||||
|
|
||||||
@ -8616,6 +8671,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
[ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; }
|
[ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; }
|
||||||
|
|
||||||
|
STATEDIR=/var/lib/shorewall
|
||||||
|
|
||||||
RESTOREBASE=$(mktempfile /var/lib/shorewall)
|
RESTOREBASE=$(mktempfile /var/lib/shorewall)
|
||||||
|
|
||||||
[ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
|
[ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
|
||||||
@ -8724,6 +8781,180 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Compile a Restore Script
|
||||||
|
#
|
||||||
|
generate_firewall() # $1 = File Name
|
||||||
|
{
|
||||||
|
ensure_and_save_command()
|
||||||
|
{
|
||||||
|
echo "$@" >> $RESTOREBASE
|
||||||
|
}
|
||||||
|
|
||||||
|
run_and_save_command()
|
||||||
|
{
|
||||||
|
echo "$@" >> $RESTOREBASE
|
||||||
|
}
|
||||||
|
|
||||||
|
do_iptables() {
|
||||||
|
save_command $IPTABLES $@
|
||||||
|
}
|
||||||
|
|
||||||
|
qt_iptables() {
|
||||||
|
save_command qt $IPTABLES $@
|
||||||
|
}
|
||||||
|
|
||||||
|
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||||
|
{
|
||||||
|
local c=$(chain_base $1)
|
||||||
|
|
||||||
|
ensurechain $1
|
||||||
|
|
||||||
|
if [ $2 = yes ]; then
|
||||||
|
case $SECTION in
|
||||||
|
NEW|DONE)
|
||||||
|
finish_chain_section $1 ESTABLISHED,RELATED
|
||||||
|
;;
|
||||||
|
RELATED)
|
||||||
|
finish_chain_section $1 ESTABLISHED
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
eval exists_${c}=Yes
|
||||||
|
}
|
||||||
|
|
||||||
|
run_iptables() {
|
||||||
|
#
|
||||||
|
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
||||||
|
#
|
||||||
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
|
save_command $IPTABLES $@
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
run_ip() {
|
||||||
|
if ! ip $@ ; then
|
||||||
|
error_message "ERROR: Command \"ip $@\" Failed"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
run_tc() {
|
||||||
|
save_command tc $@
|
||||||
|
}
|
||||||
|
|
||||||
|
run_ipset() {
|
||||||
|
save_command ipset $@
|
||||||
|
}
|
||||||
|
|
||||||
|
deletechain() # $1 = name of chain
|
||||||
|
{
|
||||||
|
save_command "qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1"
|
||||||
|
}
|
||||||
|
|
||||||
|
verify_os_version
|
||||||
|
verify_ip
|
||||||
|
|
||||||
|
[ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; }
|
||||||
|
|
||||||
|
RESTOREBASE=$(mktempfile /var/lib/shorewall)
|
||||||
|
|
||||||
|
STATEDIR=$TMP_DIR
|
||||||
|
|
||||||
|
[ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
|
||||||
|
|
||||||
|
echo '#bin/sh' >> $RESTOREBASE
|
||||||
|
save_command "#"
|
||||||
|
save_command "# Compiled startup file generated by Shorewall $version - $(date)"
|
||||||
|
save_command "#"
|
||||||
|
save_command ". /usr/share/shorewall/functions"
|
||||||
|
|
||||||
|
f=$(find_file params)
|
||||||
|
|
||||||
|
[ -f $f ] && \
|
||||||
|
save_command ". $(resolve_file $f)"
|
||||||
|
|
||||||
|
save_command "#"
|
||||||
|
save_command "COMMAND=restore"
|
||||||
|
save_command "MODULESDIR=\"$MODULESDIR\""
|
||||||
|
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
|
||||||
|
|
||||||
|
save_load_kernel_modules
|
||||||
|
|
||||||
|
echo "Initializing..."; initialize_netfilter
|
||||||
|
|
||||||
|
echo "Compiling Proxy ARP"; setup_proxy_arp
|
||||||
|
#
|
||||||
|
# [re]-Establish routing
|
||||||
|
#
|
||||||
|
setup_providers $(find_file providers)
|
||||||
|
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
|
||||||
|
|
||||||
|
|
||||||
|
echo "Compiling NAT..."; setup_nat
|
||||||
|
echo "Compiling NETMAP..."; setup_netmap
|
||||||
|
echo "Compiling Common Rules"; add_common_rules
|
||||||
|
|
||||||
|
setup_syn_flood_chains
|
||||||
|
|
||||||
|
setup_ipsec
|
||||||
|
|
||||||
|
maclist_hosts=$(find_hosts_by_option maclist)
|
||||||
|
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||||
|
|
||||||
|
echo "Compiling $(find_file rules)..."; process_rules
|
||||||
|
|
||||||
|
tunnels=$(find_file tunnels)
|
||||||
|
[ -f $tunnels ] && \
|
||||||
|
echo "Compiling $tunnels..." && setup_tunnels $tunnels
|
||||||
|
|
||||||
|
echo "Compiling Actions..."; process_actions2
|
||||||
|
process_actions3
|
||||||
|
echo "Compiling $(find_file policy)..."; apply_policy_rules
|
||||||
|
|
||||||
|
masq=$(find_file masq)
|
||||||
|
[ -f $masq ] && setup_masq $masq
|
||||||
|
|
||||||
|
tos=$(find_file tos)
|
||||||
|
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
||||||
|
|
||||||
|
ecn=$(find_file ecn)
|
||||||
|
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
||||||
|
|
||||||
|
[ -n "$MANGLE_ENABLED" ] && setup_tc
|
||||||
|
|
||||||
|
echo "Compiling Rule Activation..."; activate_rules
|
||||||
|
|
||||||
|
[ -n "$ALIASES_TO_ADD" ] && \
|
||||||
|
echo "Adding IP Addresses..." && add_ip_aliases
|
||||||
|
|
||||||
|
for file in chains nat proxyarp zones; do
|
||||||
|
append_file $file
|
||||||
|
done
|
||||||
|
|
||||||
|
save_command "date > /var/lib/shorewall/restarted"
|
||||||
|
|
||||||
|
run_user_exit start
|
||||||
|
|
||||||
|
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
||||||
|
|
||||||
|
createchain shorewall no
|
||||||
|
|
||||||
|
save_command set_state "Started"
|
||||||
|
|
||||||
|
run_user_exit started
|
||||||
|
|
||||||
|
mv -f $RESTOREBASE /var/lib/shorewall/$1
|
||||||
|
|
||||||
|
chmod 700 /var/lib/shorewall/$1
|
||||||
|
|
||||||
|
rm -rf $TMP_DIR
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Refresh the firewall
|
# Refresh the firewall
|
||||||
#
|
#
|
||||||
@ -9271,8 +9502,8 @@ case "$COMMAND" in
|
|||||||
|
|
||||||
generate)
|
generate)
|
||||||
[ $# -ne 2 ] && usage
|
[ $# -ne 2 ] && usage
|
||||||
. /usr/share/shorewall/compiler
|
do_initialize
|
||||||
compile $2
|
generate_firewall $2
|
||||||
;;
|
;;
|
||||||
|
|
||||||
call)
|
call)
|
||||||
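Review bot: In the delete_proxy_arp hunk the `arp -d` and `rm -f` calls are now skipped when COMMAND is generate, but the `[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface` line between them is not, so a compile-only `shorewall generate` still deletes live host routes; the same gap exists at the top of the delete_nat hunk, where `qt ip addr del $external dev $interface` stays unguarded while the `rm -f` below it is guarded (that loop begins outside the hunk). Guard both the same way: `[ $COMMAND = generate ] || [ -n "${haveroute}${NOROUTES}" ] || qt ip route del $address dev $interface` and `[ $COMMAND = generate ] || qt ip addr del $external dev $interface`. Both functions also still read /var/lib/shorewall/proxyarp and /var/lib/shorewall/nat while the files they touch afterwards moved to $STATEDIR, so in generate mode they iterate the running firewall's state rather than the compile-time copy under $TMP_DIR. Separately, generate_firewall starts the compiled script with `echo '#bin/sh' >> $RESTOREBASE`, which is not a valid interpreter line for a file that is then made mode 700; it should be `echo '#!/bin/sh' >> $RESTOREBASE`.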
|
@ -967,7 +967,7 @@ report_capabilities() {
|
|||||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||||
report_capability "Raw Table" $RAW_TABLE
|
report_capability "Raw Table" $RAW_TABLE
|
||||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||||
report_capability "Enhanced REJECT" $ENHANCED_REJECT
|
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -111,6 +111,12 @@ forget)
|
|||||||
See also \"help save\""
|
See also \"help save\""
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
generate)
|
||||||
|
echo "generate: generate [ -d <directory name> ] <file name>
|
||||||
|
Compiles the current configuration into the executable file
|
||||||
|
/var/lib/shorewall/<file name>"
|
||||||
|
;;
|
||||||
|
|
||||||
help)
|
help)
|
||||||
echo "help: help [<command> | host | address ]
|
echo "help: help [<command> | host | address ]
|
||||||
Display helpful information about the shorewall commands."
|
Display helpful information about the shorewall commands."
|
||||||
|
@ -108,6 +108,8 @@
|
|||||||
# confirmation to accept or reject the new
|
# confirmation to accept or reject the new
|
||||||
# configuration
|
# configuration
|
||||||
#
|
#
|
||||||
|
# shorewall generate <filename> Compile a pseudo restore file.
|
||||||
|
#
|
||||||
# Fatal Error
|
# Fatal Error
|
||||||
#
|
#
|
||||||
fatal_error() # $@ = Message
|
fatal_error() # $@ = Message
|
||||||
@ -503,6 +505,7 @@ usage() # $1 = exit status
|
|||||||
echo " drop <address> ..."
|
echo " drop <address> ..."
|
||||||
echo " dump"
|
echo " dump"
|
||||||
echo " forget [ <file name> ]"
|
echo " forget [ <file name> ]"
|
||||||
|
echo " generate [ <file name> ]"
|
||||||
echo " help [ <command > | host | address ]"
|
echo " help [ <command > | host | address ]"
|
||||||
echo " hits"
|
echo " hits"
|
||||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||||
@ -811,6 +814,10 @@ case "$1" in
|
|||||||
export NOROUTES
|
export NOROUTES
|
||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||||
;;
|
;;
|
||||||
|
generate)
|
||||||
|
[ $# -ne 2 ] && usage 1
|
||||||
|
exec $SHOREWALL_SHELL $FIREWALL $debugging generate $2
|
||||||
|
;;
|
||||||
check|restart)
|
check|restart)
|
||||||
case $# in
|
case $# in
|
||||||
1)
|
1)
|
||||||
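Review bot: The new generate arm forwards `$2` to the firewall script unvalidated, and generate_firewall uses it as a path component in `mv -f $RESTOREBASE /var/lib/shorewall/$1` and `chmod 700 /var/lib/shorewall/$1`, so a name containing a slash (for example one with `..` components) places the mode-700 script outside /var/lib/shorewall. Reject such names at the dispatcher before the exec, e.g. `case $2 in */*|.|..) usage 1 ;; esac`. The usage line added in the earlier hunk, `echo " generate [ <file name> ]"`, also marks the file name optional while `[ $# -ne 2 ] && usage 1` requires it; make it `echo " generate <file name>"` to match the header comment `# shorewall generate <filename>` and the help text.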
|