Lay the groundwork for rewriting the compiler in Perl

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4223 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-07-15 16:22:55 +00:00
parent b6ab74f737
commit e0d934e62a
3 changed files with 495 additions and 362 deletions


@ -1,3 +1,5 @@
Changes in 3.3.1
1) Once again, remove dynamic zones.
2) Lay the groundwork for rewriting the compiler in Perl


@ -8488,126 +8488,13 @@ __EOF__
}
#
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Initialize this program
#
do_initialize() {
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
# Establish termination function
#
TERMINATOR=fatal_error
#
# Clear all configuration variables
#
VERSION=
IPTABLES=
FW=
SUBSYSLOCK=
ALLOWRELATED=Yes
LOGRATE=
LOGBURST=
LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
FUNCTIONS=
VERSION_FILE=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
ACTIONS=
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
PKTTYPE=
USEPKTYPE=
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
OUTPUT=
TMP_DIR=
ALL_INTERFACES=
@ -8615,7 +8502,6 @@ do_initialize() {
IPSECMARK=256
PROVIDERS=
CRITICALHOSTS=
IPSECFILE=
EXCLUSION_SEQ=1
STOPPING=
HAVE_MUTEX=
@ -8623,6 +8509,8 @@ do_initialize() {
SECTION=ESTABLISHED
SECTIONS=
ALL_PORTS=
ACTIONS=
USEDACTIONS=
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
@ -8646,234 +8534,11 @@ do_initialize() {
trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
ensure_config_path
VERSION_FILE=$SHAREDIR/version
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
run_user_exit params
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
fatal_error "Cannot read $config (Hint: Are you root?)"
fi
else
fatal_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
load_kernel_modules
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
determine_capabilities
else
f=$(find_file capabilities)
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
fi
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
[ -n "$ALLOWRELATED" ] || \
fatal_error "ALLOWRELATED=No is not supported"
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
;;
*)
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \
fatal_error "FORWARDPING=Yes is no longer supported"
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
if [ -z "$KLUDGEFREE" ]; then
rm -f $TMP_DIR/physdev
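Review bot: With the shorewall.conf sourcing and the parameter validation stripped out of the compiler's do_initialize, the compiler now takes IPTABLES, SHOREWALL_SHELL, CONFIG_PATH and every other setting from its environment, and nothing left visible in this hunk verifies that the front end actually populated them. Anyone who runs `$SHAREDIR/compiler` directly, or from an init script with a sanitized or unrelated environment, would get empty or caller-supplied values for paths that the generated script later executes as root. I would have the remaining do_initialize fail closed on the settings it cannot work without, e.g. `: "${IPTABLES:?compiler must be run via the shorewall front end}"` and the same for CONFIG_PATH and SHOREWALL_SHELL, or have the front end export a sentinel and `fatal_error` when it is missing. The rendered page has lost the +/- markers, so whether the `PATH=/sbin:...` assignment and the `trap` survive in the compiler cannot be confirmed here; if PATH went with the rest it should be restored, since the compiler presumably still spawns external utilities. do_initialize continues past the end of this hunk.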


@ -283,6 +283,464 @@ get_config() {
}
#
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Process the shell-style configuration files that set variables needed by the compiler
# To allow the compiler to be rewritten in a language other than Bourne Shell, we need
# to pass all of those setting to the compiler in environmental variables
#
do_initialize() {
#
# Generate a sequence of 'export' commands corresponding to the variables set in
# the user's params file.
#
export_params() {
f=$(find_file params)
if [ -f $f ]; then
read_file $f 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | while read line; do
case $line in
*=*)
echo export ${line%=*}
;;
esac
done
fi
}
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
#
# Establish termination function
#
TERMINATOR=fatal_error
#
# Clear all configuration variables
#
IPTABLES=
FW=
SUBSYSLOCK=
LOGRATE=
LOGBURST=
LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
PKTTYPE=
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
IPSECFILE=
CLEAR_TC=
FASTACCEPT=
run_user_exit params
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
fatal_error "Cannot read $config (Hint: Are you root?)"
fi
else
fatal_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
load_kernel_modules
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
determine_capabilities
else
f=$(find_file capabilities)
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
fi
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
;;
*)
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
#
# Export variables set in shorewall.conf
#
# Logging
export LOGFORMAT
export LOGTAGONLY
export LOGRATE
export LOGBURST
export LOGALLNEW
export BLACKLIST_LOGLEVEL
export MACLIST_LOG_LEVEL
export TCP_FLAGS_LOG_LEVEL
export RFC1918_LOG_LEVEL
export SMURF_LOG_LEVEL
export LOG_MARTIANS
# Files and directories
export IPTABLES
export SHOREWALL_SHELL
export SUBSYSLOCK
export MODULESDIR
export CONFIG_PATH
export RESTOREFILE
export IPSECFILE
# Firewall options
export FW
export IP_FORWARDING
export ADD_IP_ALIASES
export ADD_SNAT_ALIASES
export RETAIN_ALIASES
export TC_ENABLED
export CLEAR_TC
export MARK_IN_FORWARD_CHAIN
export CLAMPMSS
export ROUTE_FILTER
export DETECT_DNAT_IPADDRS
export MUTEX_TIMEOUT
export ADMINISABSENTMINDED
export BLACKLISTNEWONLY
export DELAYBLACKLISTLOAD
export MODULE_SUFFIX
export DISABLE_IPV6
export BRIDGING
export PKTTYPE
export RFC1918_STRICT
export MACLIST_TABLE
export MACLIST_TTL
export SAVE_IPSETS
export MAPOLDACTIONS
export FASTACCEPT
export IMPLICIT_CONTINUE
export HIGH_ROUTE_MARKS
# Packet Disposition
export BLACKLIST_DISPOSITION
export MACLIST_DISPOSITION
export TCP_FLAGS_DISPOSITION
# Generated values
export LOGPARMS
export LOGLIMIT
export LOGRULENUMBERS
export VERSION
#
# Export capabilities
#
export NAT_ENABLED
export MANGLE_ENABLED
export CONNTRACK_MATCH
export MULTIPORT
export XMULTIPORT
export POLICY_MATCH
export PHYSDEV_MATCH
export IPRANGE_MATCH
export RECENT_MATCH
export OWNER_MATCH
export IPSET_MATCH
export CONNMARK
export XCONNMARK
export CONNMARK_MATCH
export XCONNMARK_MATCH
export RAW_TABLE
export IPP2P_MATCH
export LENGTH_MATCH
export CLASSIFY_TARGET
export ENHANCED_REJECT
export USEPKTTYPE
export KLUDGEFREE
export MARK
export XMARK
export MANGLE_FORWARD
#
# Export user's params
#
$(export_params)
}
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [debug] check|compile <filename>}"
exit 1
}
#
# Clear descriptor 1 if it is a terminal
#
@ -470,7 +928,7 @@ save_config() {
f=${VARDIR}/restore-$$
echo "#!/bin/sh" > $f
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
echo "#This ipset restore file generated $(date) by Shorewall $VERSION" >> $f
echo >> $f
echo ". ${SHAREDIR}/functions" >> $f
echo >> $f
@ -518,15 +976,17 @@ save_config() {
# Start Command Executor
#
start_command() {
local finished=0
local finished=0 shell=$SHOREWALL_SHELL
do_it() {
[ -n "$nolock" ] || mutex_on
progress_message3 "Compiling..."
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
${VARDIR}/.start $debugging start
do_initialize
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
$SHOREWALL_SHELL ${VARDIR}/.start $debugging start
fi
[ -n "$nolock" ] || mutex_off
@ -637,7 +1097,7 @@ start_command() {
# Compile Command Executor
#
compile_command() {
local finished=0
local finished=0 shell=$SHOREWALL_SHELL
while [ $finished -eq 0 ]; do
[ $# -eq 0 ] && usage 1
@ -701,13 +1161,15 @@ compile_command() {
progress_message3 "Compiling..."
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file
do_initialize
exec $shell ${SHAREDIR}/compiler $debugging compile $file
}
#
# Check Command Executor
#
check_command() {
local finished=0
local finished=0 shell=$SHOREWALL_SHELL
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -764,14 +1226,16 @@ check_command() {
progress_message3 "Checking..."
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
do_initialize
exec $shell ${SHAREDIR}/compiler $debugging $nolock check
}
#
# Restart Command Executor
#
restart_command() {
local finished=0
local finished=0 shell=$SHOREWALL_SHELL
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -835,7 +1299,9 @@ restart_command() {
progress_message3 "Compiling..."
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
do_initialize
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
fi
@ -889,27 +1355,27 @@ show_command() {
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
@ -917,20 +1383,20 @@ show_command() {
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Zones at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
@ -980,7 +1446,7 @@ show_command() {
echo "LITEDIR is $LITEDIR"
;;
*)
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
@ -1031,7 +1497,7 @@ dump_command() {
[ -n "$debugging" ] && set -x
[ $# -eq 0 ] || usage 1
clear_term
echo "Shorewall-$version Dump at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Dump at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
@ -1324,7 +1790,7 @@ reload_command()
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
[ -x $HELP ] && { export version=$VERSION; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
@ -1600,7 +2066,7 @@ if [ ! -f $FIREWALL ]; then
fi
if [ -f $VERSION_FILE ]; then
version=$(cat $VERSION_FILE)
VERSION=$(cat $VERSION_FILE)
else
echo " ERROR: Shorewall is not properly installed" >&2
echo " The file $VERSION_FILE does not exist" >&2
@ -1675,7 +2141,7 @@ case "$COMMAND" in
;;
status)
[ $# -eq 1 ] || usage 1
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Status at $HOSTNAME - $(date)"
echo
if shorewall_is_started ; then
echo "Shorewall is running"
@ -1707,7 +2173,7 @@ case "$COMMAND" in
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo "Shorewall-$VERSION Hits at $HOSTNAME - $(date)"
echo
timeout=30
@ -1747,7 +2213,7 @@ case "$COMMAND" in
fi
;;
version)
echo $version
echo $VERSION
;;
try)
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""