From e7d2b1d4ed6490075939203d43e4eeb549ad3cc0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 4 Dec 2011 09:19:48 -0800 Subject: [PATCH] Consolidate the lib.common files. Signed-off-by: Tom Eastep --- Shorewall-lite/install.sh | 2 + Shorewall-lite/shorecap | 6 + Shorewall-lite/shorewall-lite | 8 +- Shorewall/Perl/Shorewall/Chains.pm | 4 + Shorewall/Perl/Shorewall/Compiler.pm | 22 +- Shorewall/Perl/getparams | 20 +- Shorewall/lib.base | 3 +- Shorewall/lib.cli | 4 +- Shorewall/lib.common | 170 ++++++--- Shorewall/shorewall | 14 +- Shorewall6-lite/install.sh | 3 + Shorewall6-lite/shorecap | 7 +- Shorewall6/install.sh | 8 +- Shorewall6/lib.base | 34 ++ Shorewall6/lib.common | 523 --------------------------- 15 files changed, 232 insertions(+), 596 deletions(-) create mode 100644 Shorewall6/lib.base delete mode 100644 Shorewall6/lib.common diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 39a949c1e..d3be8eb0a 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -301,6 +301,8 @@ for f in lib.* ; do fi done +eval sed -i \'s\|g_program:=shorewall\|g_program:=shorewall-lite\|\' ${DESTDIR}/usr/share/shorewall-lite/lib.base + ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions" diff --git a/Shorewall-lite/shorecap b/Shorewall-lite/shorecap index 3bd7a7534..f88ccc70d 100755 --- a/Shorewall-lite/shorecap +++ b/Shorewall-lite/shorecap @@ -48,7 +48,11 @@ SHAREDIR=/usr/share/shorewall-lite VARDIR=/var/lib/shorewall-lite CONFDIR=/etc/shorewall-lite +g_program=shorewall-lite g_product="Shorewall Lite" +g_family=4 +g_base=shorewall +g_basedir=/usr/share/shorewall-lite . /usr/share/shorewall-lite/lib.base . /usr/share/shorewall-lite/lib.cli @@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version) [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) +g_tool=$IPTABLES + VERBOSITY=0 load_kernel_modules No determine_capabilities 
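Review bot: The `eval` wrapped around the new `sed -i` call re-parses `${DESTDIR}` a second time, so a destination path containing whitespace or shell metacharacters is word-split or interpreted instead of being used as a file name, and the escaped quotes exist only to survive that extra parse. A plain command with the path quoted does the same job, `sed -i 's|g_program:=shorewall|g_program:=shorewall-lite|' "${DESTDIR}/usr/share/shorewall-lite/lib.base"`; the two `eval sed` lines added to Shorewall6-lite/install.sh have the same shape and should change the same way. Because sed stays silent when the pattern is absent, a following `grep -q 'g_program:=shorewall-lite' "${DESTDIR}/usr/share/shorewall-lite/lib.base" || exit 1` would catch an installed lib.base whose default was never rewritten. The `for f in lib.*` loop whose closing `done` opens this hunk starts outside it.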
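Review bot: `g_tool=$IPTABLES` is assigned right after `[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)`, and mywhich returns 2 with no output when the binary is not on PATH (its `return 2` is visible in the Shorewall/lib.common hunk @@ -515), so g_tool can be empty here; the new `product_is_started` and `chain_exists` helpers in lib.common would then execute `-L` as the command name rather than fail with a clear message. A guard before the assignment, `[ -n "$IPTABLES" ] || { echo "shorecap: iptables not found" >&2; exit 2; }`, makes the failure explicit. The same sequence is added to Shorewall6-lite/shorecap for ip6tables.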
diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index eeb976bd9..b72482496 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -68,7 +68,7 @@ get_config() { fi fi - g_tool=#$IPTABLES + g_tool=$IPTABLES else if [ -n "$IP6TABLES" ]; then if [ ! -x "$IP6TABLES" ]; then @@ -414,7 +414,7 @@ version_command() { if [ -n "$all" ]; then for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do - if [ $product ~= $g_program] && [ -f /usr/share/$product/version ]; then + if [ $product != $g_program ] && [ -f /usr/share/$product/version ]; then echo "$product: $(cat /usr/share/$product/version)" fi done @@ -457,6 +457,7 @@ if [ $g_program = shorewall6-lite ]; then g_family=6 g_base=shorewall6 g_tool=ip6tables + g_basedir=/usr/share/shorewall6-lite else g_program=shorewall-lite SHAREDIR=/usr/share/shorewall-lite @@ -465,6 +466,7 @@ else g_family=4 g_base=shorewall g_tool=iptables + g_basedir=/usr/share/shorewall-lite fi # @@ -644,7 +646,7 @@ case "$COMMAND" in ;; restart) shift - restart_command @ + restart_command $@ ;; show|list) shift diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 5281e1252..93badcd87 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -4796,6 +4796,8 @@ sub set_chain_variables() { emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); + + emit( 'g_tool=$IPTABLES' ); } else { if ( $config{IP6TABLES} ) { emit( qq(IP6TABLES="$config{IP6TABLES}"), @@ -4809,6 +4811,8 @@ sub set_chain_variables() { emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); + + emit( 'g_tool=$IP6TABLES' ); } if ( $config{IP} ) { 
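Review bot: `restart_command $@` hands the remaining arguments over unquoted, so an argument containing whitespace is split before restart_command sees it; the fix from `@` to `$@` was presumably reaching for `restart_command "$@"`. In the earlier hunk, `[ $product != $g_program ]` is only safe because g_program is assigned unconditionally further down in the file; `[ "$product" != "$g_program" ]` costs nothing and survives a later refactor. The enclosing `case "$COMMAND"` starts and ends outside the hunk.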
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index b7734c6f7..7f7768f62 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -95,7 +95,7 @@ sub generate_script_1( $ ) { copy $globals{SHAREDIRPL} . 'prog.header6'; } - copy2 $globals{SHAREDIR} . '/lib.common', 0; + copy2 $globals{SHAREDIRPL} . '/lib.common', 0; } } @@ -162,27 +162,39 @@ sub generate_script_2() { push_indent; if ( $family == F_IPV4 ) { + emit( 'g_family=4' ); + if ( $export ) { emit ( 'SHAREDIR=/usr/share/shorewall-lite', 'CONFDIR=/etc/shorewall-lite', - 'g_product="Shorewall Lite"' + 'g_product="Shorewall Lite"', + 'g_program=shorewall-lite', + 'g_basedir=/usr/share/shorewall-lite', ); } else { emit ( 'SHAREDIR=/usr/share/shorewall', 'CONFDIR=/etc/shorewall', - 'g_product=\'Shorewall\'', + 'g_product=Shorewall', + 'g_program=shorewall', + 'g_basedir=/usr/share/shorewall', ); } } else { + emit( 'g_family=6' ); + if ( $export ) { emit ( 'SHAREDIR=/usr/share/shorewall6-lite', 'CONFDIR=/etc/shorewall6-lite', - 'g_product="Shorewall6 Lite"' + 'g_product="Shorewall6 Lite"', + 'g_program=shorewall6-lite', + 'g_basedir=/usr/share/shorewall6', ); } else { emit ( 'SHAREDIR=/usr/share/shorewall6', 'CONFDIR=/etc/shorewall6', - 'g_product=\'Shorewall6\'', + 'g_product=Shorewall6', + 'g_program=shorewall6', + 'g_basedir=/usr/share/shorewall' ); } } diff --git a/Shorewall/Perl/getparams b/Shorewall/Perl/getparams index ced3ed5dc..99471fcfc 100755 --- a/Shorewall/Perl/getparams +++ b/Shorewall/Perl/getparams 
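Review bot: The exported IPv6 script is given `g_basedir=/usr/share/shorewall6`, while every other place this commit sets the variable for shorewall6-lite (Shorewall-lite/shorewall-lite, Shorewall6-lite/shorecap) uses `/usr/share/shorewall6-lite`, and Shorewall6/install.sh now deletes `/usr/share/shorewall6/lib.common`. If the value is used on the target host the way the new `. ${g_basedir}/lib.common` line in Shorewall/lib.base uses it, the exported script would point at a directory that no longer holds the file; I would expect `'g_basedir=/usr/share/shorewall6-lite',` in that branch. A one-line comment above the `emit` calls stating what g_basedir denotes (the directory whose lib.common a script sources) would make the four values checkable against each other. generate_script_2 starts and ends outside the hunk.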
@@ -28,13 +28,25 @@ # $3 = Address family (4 o4 6) # if [ "$3" = 6 ]; then - . /usr/share/shorewall6/lib.base - . /usr/share/shorewall6/lib.cli + SHAREDIR=/usr/share/shorewall6 + CONFDIR=/etc/shorewall6 + g_product="Shorewall6" + g_family=6 + g_tool= + g_basedir=/usr/share/shorewall else - . /usr/share/shorewall/lib.base - . /usr/share/shorewall/lib.cli + g_program=shorewall + SHAREDIR=/usr/share/shorewall + CONFDIR=/etc/shorewall + g_product="Shorewall" + g_family=4 + g_tool= + g_basedir=/usr/share/shorewall fi +. /usr/share/shorewall/lib.base +. /usr/share/shorewall/lib.cli + CONFIG_PATH="$2" set -a diff --git a/Shorewall/lib.base b/Shorewall/lib.base index eecc442e8..cc422889a 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -34,6 +34,7 @@ SHOREWALL_CAPVERSION=40426 [ -n "${VARDIR:=/var/lib/$g_program}" ] [ -n "${SHAREDIR:=/usr/share/$g_program}" ] [ -n "${CONFDIR:=/etc/$g_program}" ] +[ -n "${g_family:=4}" ] # # Conditionally produce message @@ -176,7 +177,7 @@ find_interface_by_mac() { done } -[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common +[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common # # Validate an IP address diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 064b1fcaf..60a587466 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -791,8 +791,8 @@ show_command() { [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; ;; *) - case "$g_product" in - *lite) + case "$g_program" in + *-lite) ;; *) case $1 in diff --git a/Shorewall/lib.common b/Shorewall/lib.common index 007946bf5..a3722f54d 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -88,13 +88,15 @@ run_it() { export TIMESTAMP=$g_timestamp export RECOVERING=$g_recovering - if [ "$g_product" != Shorewall ]; then - # - # Shorewall Lite - # - export LOGFORMAT - export IPTABLES - fi + case "$g_program" in + *-lite) + # + # Shorewall Lite + # + export LOGFORMAT + export IPTABLES + ;; + esac else # # 4.4.8 or later -- no additional exports required 
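Review bot: The IPv6 branch never assigns `g_program`, whereas the IPv4 branch sets `g_program=shorewall` and the mirror-image block in Shorewall/shorewall (hunk @@ -1698) is keyed on `$g_program = shorewall6`; since Shorewall/lib.base derives the state directory from it (`${VARDIR:=/var/lib/$g_program}`) and presumably defaults it to shorewall (the pattern the install scripts rewrite), an IPv6 run of getparams would use the IPv4 VARDIR. Add `g_program=shorewall6` as the first line of the `then` branch. The `g_tool=` assignments are empty in both branches, presumably because getparams never queries netfilter; a short comment saying so would keep the next reader from "fixing" them.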
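Review bot: `. ${g_basedir}/lib.common` has no fallback when g_basedir is unset, so a caller that sets only SHAREDIR, which the replaced `. ${SHAREDIR}/lib.common` tolerated, now sources `/lib.common` and the shell aborts; the block of `:=` defaults in the first lib.base hunk already covers VARDIR, SHAREDIR, CONFDIR and now g_family. Adding `[ -n "${g_basedir:=$SHAREDIR}" ]` next to `[ -n "${g_family:=4}" ]` preserves the old behaviour for scripts that predate the variable. Separately, the `find_interface_by_mac()` whose closing `done }` sits just above this line is defined a second time by the consolidated lib.common (hunk @@ -465 of Shorewall/lib.common), so the later definition silently wins; one of the two copies should go.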
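Review bot: The `*-lite)` arm exports only `IPTABLES`, but the Shorewall6 copy of run_it that this commit deletes exported `IP6TABLES` at the same point, so a shorewall6-lite host running a script compiled before 4.4.8 no longer receives its tool path. Exporting both, `export IPTABLES IP6TABLES`, or selecting on `$g_family` (which lib.base now defaults) restores the old behaviour. run_it starts and ends outside the hunk.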
@@ -127,6 +129,30 @@ error_message() # $* = Error Message echo " $@" >&2 } +# +# Undo the effect of 'split()' +# +join() +{ + local f + local o + o= + + for f in $* ; do + o="${o:+$o:}$f" + done + + echo $o +} + +# +# Return the number of elements in a list +# +list_count() # $* = list +{ + return $# +} + # # Split a colon-separated list into a space-separated list # @@ -184,12 +210,20 @@ qt1() } # -# Determine if Shorewall is "running" +# Determine if Shorewall[6] is "running" # +product_is_started() { + qt1 $g_tool -L shorewall -n +} + shorewall_is_started() { qt1 $IPTABLES -L shorewall -n } +shorewall6_is_started() { + qt1 $IP6TABLES -L shorewall -n +} + # # Echos the fully-qualified name of the calling shell program # @@ -294,7 +328,7 @@ reload_kernel_modules() { [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) @@ -333,7 +367,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" 
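Review bot: `product_is_started` trusts `$g_tool` to be set, yet Shorewall/shorewall (hunk @@ -1698) initialises it to the empty string for both shorewall and shorewall6, and the only assignment of a real value visible in the CLI side of this commit is shorewall-lite's get_config (`g_tool=$IPTABLES`); if the shorewall CLI does not populate it the same way before calling this function, `qt1 -L shorewall -n` runs `-L` as a command and the product is reported as not started. A guard using the error helper defined in this file, `[ -n "$g_tool" ] || { error_message "g_tool is not set"; return 2; }`, turns that into a visible error. Since shorewall_is_started and shorewall6_is_started remain alongside it, a comment stating which callers are expected to use the generic form would help.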
@@ -465,38 +499,100 @@ in_network() # $1 = IP address, $2 = CIDR network test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask )) } +# +# Query NetFilter about the existence of a filter chain +# +chain_exists() # $1 = chain name +{ + qt1 $IP6TABLES -L $1 -n +} + +# +# Find the interface with the passed MAC address +# + +find_interface_by_mac() { + local mac + mac=$1 + local first + local second + local rest + local dev + + $IP link list | while read first second rest; do + case $first in + *:) + dev=$second + ;; + *) + if [ "$second" = $mac ]; then + echo ${dev%:} + return + fi + esac + done +} + # # Find interface address--returns the first IP address assigned to the passed # device # find_first_interface_address() # $1 = interface { - # - # get the line of output containing the first IP address - # - addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || startup_error "Can't determine the IP address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + if [ $g_family -eq 4 ]; then + # + # get the line of output containing the first IP address + # + addr=$(${IP:-ip} -$g_family addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || startup_error "Can't determine the IP address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + else + # + # get the line of output containing the first IP address + # + addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1) + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || startup_error "Can't 
determine the IPv6 address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' + fi } find_first_interface_address_if_any() # $1 = interface { - # - # get the line of output containing the first IP address - # - addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 + if [ $g_family -eq 4 ]; then + # + # get the line of output containing the first IP address + # + addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 + else + # + # get the line of output containing the first IP address + # + addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1) + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo :: + fi } # @@ -515,14 +611,6 @@ mywhich() { return 2 } -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt1 $IPTABLES -L $1 -n -} - # # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR} # @@ -552,7 +640,7 @@ find_file() # # Set the Shorewall state # -set_state () # $1 = state $2 +set_state () # $1 = state { if [ $# -gt 1 ]; then echo "$1 ($(date)) from $2" > ${VARDIR}/state 
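Review bot: `chain_exists()` as moved into the shared file queries `$IP6TABLES`, while the IPv4 version it replaces (deleted in hunk @@ -515 below) used `$IPTABLES`; on shorewall, shorewall-lite and shorecap IP6TABLES is normally unset, so every chain_exists call on an IPv4 product would run `qt1 -L <chain> -n` and answer that no chain exists. The body should follow product_is_started and use the per-product tool, `qt1 $g_tool -L $1 -n`. Also, find_first_interface_address's IPv4 branch now passes `-$g_family` to ip while find_first_interface_address_if_any still passes `-f inet`; the two are equivalent, but using one form in both keeps the pair reviewable side by side.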
diff --git a/Shorewall/shorewall b/Shorewall/shorewall index dd0c74f62..1edb79e33 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -442,17 +442,6 @@ compiler() { fi } -# -# Determine if the current product is in the started state -# -product_is_started() { - if [ $g_family -eq 4 ]; then - shorewall_is_started - else - shorewall6_is_started - fi -} - # # Start Command Executor # @@ -1698,12 +1687,15 @@ if [ $g_program = shorewall6 ]; then g_product="Shorewall6" g_family=6 g_tool= + g_basedir=/usr/share/shorewall else g_program=shorewall SHAREDIR=/usr/share/shorewall CONFDIR=/etc/shorewall g_product="Shorewall" g_family=4 + g_tool= + g_basedir=/usr/share/shorewall fi finished=0 diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index e02de234c..face770d1 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -301,6 +301,9 @@ for f in lib.* ; do fi done +eval sed -i \'s\|g_program:=shorewall\|g_program:=shorewall6-lite\|\' ${DESTDIR}/usr/share/shorewall6-lite/lib.base +eval sed -i \'s\|g_family:=4\|g_family:=6\|\' ${DESTDIR}/usr/share/shorewall6-lite/lib.base + ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions" diff --git a/Shorewall6-lite/shorecap b/Shorewall6-lite/shorecap index cd068e4e8..cc1c07428 100755 --- a/Shorewall6-lite/shorecap +++ b/Shorewall6-lite/shorecap @@ -48,7 +48,10 @@ SHAREDIR=/usr/share/shorewall6-lite VARDIR=/var/lib/shorewall6-lite CONFDIR=/etc/shorewall6-lite -g_product="Shorewall Lite" +g_product="Shorewall6 Lite" +g_family=6 +g_base=shorewall6 +g_basedir=/usr/share/shorewall6-lite . /usr/share/shorewall6-lite/lib.base . /usr/share/shorewall6-lite/lib.cli @@ -60,6 +63,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version) [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables) +g_tool=$IP6TABLES + VERBOSITY=0 load_kernel_modules No determine_capabilities 
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 4400c38fd..81b8025d1 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -354,8 +354,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels -delete_file ${DESTDIR}/usr/share/shorewall6/lib.base delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli +delete_file ${DESTDIR}/usr/share/shorewall6/lib.common delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6 delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6 @@ -838,10 +838,8 @@ done # Install the libraries # for f in lib.* ; do - if [ -f $f ]; then - install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644 - echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f" - fi + install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644 + echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f" done # # Symbolically link 'functions' to lib.base diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base new file mode 100644 index 000000000..7c49ea29d --- /dev/null +++ b/Shorewall6/lib.base 
@@ -0,0 +1,34 @@ +# +# Shorewall 4.4 -- /usr/share/shorewall6/lib.base +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2011 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# This library contains the code common to all Shorewall components. + +g_program=shorewall6 +g_family=6 +g_basedir=/usr/share/shorewall + +[ -n "${VARDIR:=/var/lib/$g_program}" ] +[ -n "${SHAREDIR:=/usr/share/$g_program}" ] +[ -n "${CONFDIR:=/etc/$g_program}" ] + +. /usr/share/shorewall/lib.base + diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common deleted file mode 100644 index dac6d32ea..000000000 --- a/Shorewall6/lib.common +++ /dev/null 
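Review bot: The header comment says this library "contains the code common to all Shorewall components", but the file is now a shim that fixes three variables and sources Shorewall's copy; `# This library sets the shorewall6 defaults and then sources the common Shorewall library.` describes it. The shim makes Shorewall6 depend at runtime on the Shorewall package's lib.base and, through g_basedir, its lib.common, and `. /usr/share/shorewall/lib.base` fails with a bare shell error when that package is absent; a check such as `[ -f /usr/share/shorewall/lib.base ] || { echo "shorewall6: /usr/share/shorewall/lib.base not found -- is Shorewall installed?" >&2; exit 2; }` names the cause. The three `[ -n "${VARDIR:=...}" ]` lines repeat defaults that Shorewall/lib.base applies with the same `:=` form (its hunk @@ -34), so they are harmless but redundant.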
@@ -1,523 +0,0 @@ -# -# Shorewall 4.4 -- /usr/share/shorewall6/lib.common. -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2010 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the wrapper code for running a generated script. -# - -# -# Get the Shorewall version of the passed script -# -get_script_version() { # $1 = script - local temp - local version - local ifs - local digits - local verbosity - - verbosity="$VERBOSITY" - VERBOSITY=0 - - temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' ) - - if [ -z "$temp" ]; then - version=0 - else - ifs=$IFS - IFS=. 
- temp=$(echo $temp) - IFS=$ifs - digits=0 - - for temp in $temp; do - version=${version}$(printf '%02d' $temp) - digits=$(($digits + 1)) - [ $digits -eq 3 ] && break - done - fi - - echo $version - - VERBOSITY="$verbosity" -} - -# -# Do required exports and create the required option string and run the passed script using -# $SHOREWALL_SHELL -# -run_it() { - local script - local options - local version - - export VARDIR - - script=$1 - shift - - version=$(get_script_version $script) - - if [ $version -lt 040408 ]; then - # - # Old script that doesn't understand 4.4.8 script options - # - export RESTOREFILE= - export VERBOSITY - export NOROUTES=$g_noroutes - export PURGE=$g_purge - export TIMESTAMP=$g_timestamp - export RECOVERING=$g_recovering - - if [ "$g_product" != Shorewall6 ]; then - # - # Shorewall6 Lite - # - export LOGFORMAT - export IP6TABLES - fi - else - # - # 4.4.8 or later -- no additional exports required - # - if [ x$1 = xtrace -o x$1 = xdebug ]; then - options="$1 -" - shift; - else - options='-' - fi - - [ -n "$g_noroutes" ] && options=${options}n - [ -n "$g_timestamp" ] && options=${options}t - [ -n "$g_purge" ] && options=${options}p - [ -n "$g_recovering" ] && options=${options}r - - options="${options}V $VERBOSITY" - - [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" - fi - - $SHOREWALL_SHELL $script $options $@ -} - -# -# Message to stderr -# -error_message() # $* = Error Message -{ - echo " $@" >&2 -} - -# -# Split a colon-separated list into a space-separated list -# -split() { - local ifs - ifs=$IFS - IFS=: - echo $* - IFS=$ifs -} - -# -# Undo the effect of 'split()' -# -join() -{ - local f - local o - o= - - for f in $* ; do - o="${o:+$o:}$f" - done - - echo $o -} - -# -# Return the number of elements in a list -# -list_count() # $* = list -{ - return $# -} - -# -# Search a list looking for a match -- returns zero if a match found -# 1 otherwise -# -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 
- - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# Suppress all output for a command -# -qt() -{ - "$@" >/dev/null 2>&1 -} - -# -# Suppress all output and input - mainly for preventing leaked file descriptors -# to avoid SELinux denials -# -qtnoin() -{ - "$@" /dev/null 2>&1 -} - -qt1() -{ - local status - - while [ 1 ]; do - "$@" /dev/null 2>&1 - status=$? - [ $status -ne 4 ] && return $status - done -} - -# -# Determine if Shorewall is "running" -# -shorewall6_is_started() { - qt1 $IP6TABLES -L shorewall -n -} - -# -# Echos the fully-qualified name of the calling shell program -# -my_pathname() { - cd $(dirname $0) - echo $PWD/$(basename $0) -} - -# -# Source a user exit file if it exists -# -run_user_exit() # $1 = file name -{ - local user_exit - user_exit=$(find_file $1) - - if [ -f $user_exit ]; then - progress_message "Processing $user_exit ..." - . $user_exit - fi -} - -# -# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains -# a space-separated list of directories to search for -# the module and that 'moduleloader' contains the -# module loader command. -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename - modulename=$1 - local modulefile - local suffix - - if [ -d /sys/module/ ]; then - if ! list_search $modulename $DONT_LOAD; then - if [ ! -d /sys/module/$modulename ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - for directory in $moduledirectories; do - modulefile=$directory/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - break 2 - fi - done - done - fi - fi - elif ! 
list_search $modulename $MODULES $DONT_LOAD ; then - shift - - for suffix in $MODULE_SUFFIX ; do - for directory in $moduledirectories; do - modulefile=$directory/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - break 2 - fi - done - done - fi -} - -# -# Reload the Modules -# -reload_kernel_modules() { - - local save_modules_dir - save_modules_dir=$MODULESDIR - local directory - local moduledirectories - moduledirectories= - local moduleloader - moduleloader=modprobe - - if ! qt mywhich modprobe; then - moduleloader=insmod - fi - - [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ] - - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched - [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) - - for directory in $(split $MODULESDIR); do - [ -d $directory ] && moduledirectories="$moduledirectories $directory" - done - - [ -n "$moduledirectories" ] && while read command; do - eval $command - done - - MODULESDIR=$save_modules_dir -} - -# -# Load kernel modules required for Shorewall -# -load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR -{ - local save_modules_dir - save_modules_dir=$MODULESDIR - local directory - local moduledirectories - moduledirectories= - local moduleloader - moduleloader=modprobe - local savemoduleinfo - savemoduleinfo=${1:-Yes} # So old compiled scripts still work - - if ! 
qt mywhich modprobe; then - moduleloader=insmod - fi - - [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched - - for directory in $(split $MODULESDIR); do - [ -d $directory ] && moduledirectories="$moduledirectories $directory" - done - - [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) - - if [ -f $modules -a -n "$moduledirectories" ]; then - [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) - progress_message "Loading Modules..." - . $modules - if [ $savemoduleinfo = Yes ]; then - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir - cp -f $modules ${VARDIR}/.modules - fi - elif [ $savemoduleinfo = Yes ]; then - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - > ${VARDIR}/.modulesdir - > ${VARDIR}/.modules - fi - - MODULESDIR=$save_modules_dir -} - -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt1 $IP6TABLES -L $1 -n -} - -# -# Find the interface with the passed MAC address -# - -find_interface_by_mac() { - local mac - mac=$1 - local first - local second - local rest - local dev - - $IP link list | while read first second rest; do - case $first in - *:) - dev=$second - ;; - *) - if [ "$second" = $mac ]; then - echo ${dev%:} - return - fi - esac - done -} - -# -# Find interface address--returns the first IP address assigned to the passed -# device -# -find_first_interface_address() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1) - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in 
case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' -} - -find_first_interface_address_if_any() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1) - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo :: -} - -# -# Internal version of 'which' -# -mywhich() { - local dir - - for dir in $(split $PATH); do - if [ -x $dir/$1 ]; then - echo $dir/$1 - return 0 - fi - done - - return 2 -} - -# -# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR} -# -find_file() -{ - local saveifs - saveifs= - local directory - - case $1 in - /*) - echo $1 - ;; - *) - for directory in $(split $CONFIG_PATH); do - if [ -f $directory/$1 ]; then - echo $directory/$1 - return - fi - done - - echo ${CONFDIR}/$1 - ;; - esac -} - -# -# Set the Shorewall state -# -set_state () # $1 = state -{ - if [ $# -gt 1 ]; then - echo "$1 ($(date)) from $2" > ${VARDIR}/state - else - echo "$1 ($(date))" > ${VARDIR}/state - fi -} - -# -# Perform variable substitution on the passed argument and echo the result -# -expand() # $@ = contents of variable which may be the name of another variable -{ - eval echo \"$@\" -} - -# -# Function for including one file into another -# -INCLUDE() { - . $(find_file $(expand $@)) -} - -# Function to truncate a string -- It uses 'cut -b -' -# rather than ${v:first:last} because light-weight shells like ash and -# dash do not support that form of expansion. -# - -truncate() # $1 = length -{ - cut -b -${1} -}