extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow remote compiles

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3269 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-12 23:26:37 +00:00
parent 521ec7bd73
commit e9423d9c04
6 changed files with 160 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -7,3 +7,5 @@ Changes in 3.1.0
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq). 3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
4) Add back dynamic zones. 4) Add back dynamic zones.
5) Allow remote compiles.

163
Shorewall/firewall
View File

@ -1218,6 +1218,8 @@ validate_interfaces_file() {
options=$(separate_list $options) options=$(separate_list $options)
iface=$(chain_base $interface) iface=$(chain_base $interface)
[ -n "$EXPORT" -a x$networks = detect ] && startup_error "BROADCAST 'detect' is incompatible with the -e option: Interface \"$interface\""
eval ${iface}_broadcast="$networks" eval ${iface}_broadcast="$networks"
eval ${iface}_zone="$z" eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\" eval ${iface}_options=\"$options\"
@ -1226,7 +1228,10 @@ validate_interfaces_file() {
case $option in case $option in
-) -)
;; ;;
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: Interface \"$interface\""
;; ;;
norfc1918) norfc1918)
if [ $COMMAND = generate ]; then if [ $COMMAND = generate ]; then
@ -1266,6 +1271,8 @@ __EOF__
detectnets) detectnets)
[ -n "$wildcard" ] && \ [ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface" startup_error "The \"detectnets\" option may not be used with a wild-card interface"
[ -n $EXPORT ] && \
startup_error "'detectnets' not permitted with the -e option"
;; ;;
routeback) routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
@ -1478,16 +1485,44 @@ __EOF__
rulenum=0 rulenum=0
if [ $COMMAND != check ]; then case $COMMAND in
find_interface_addresses $interface | while read address; do check)
run_and_save_command " qt ip rule del from $address" ;;
generate)
if [ -z "$loose" ]; then if [ -z "$loose" ]; then
pref=$((20000 + $rulenum * 1000 + $number )) cat >> $RESTOREBASE << __EOF__
rulenum=$(($rulenum + 1))
ensure_and_save_command " ip rule add from $address pref $pref table $number" rulenum=0
find_interface_addresses $interface | while read address; do
qt ip rule del from \$address
pref=\$((20000 + \$rulenum * 1000 + $number ))
rulenum=\$((\$rulenum + 1))
ip rule add from \$address pref \$pref table $number"
done
__EOF__
else
cat >> $RESTOREBASE << __EOF__
find_interface_addresses $interface | while read address; do
qt ip rule del from \$address
done
__EOF__
fi fi
done ;;
fi *)
find_interface_addresses $interface | while read address; do
run_and_save_command " qt ip rule del from $address"
if [ -z "$loose" ]; then
pref=$((20000 + $rulenum * 1000 + $number ))
rulenum=$(($rulenum + 1))
ensure_and_save_command " ip rule add from $address pref $pref table $number"
fi
done
;;
esac
} }
strip_file providers $1 strip_file providers $1
@ -1632,8 +1667,11 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do for option in $(separate_list $options) ; do
case $option in case $option in
maclist|norfc1918|blacklist|tcpflags|nosmurfs|-) norfc1918|blacklist|tcpflags|nosmurfs|-)
;; ;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: \"$host\""
;;
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not support policy match: ipsec" startup_error "Your kernel and/or iptables does not support policy match: ipsec"
@ -1822,27 +1860,6 @@ find_broadcasts() {
done done
} }
#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
#
# If there wasn't one, bail out now
#
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
# #
# Find interfaces that have the passed option specified # Find interfaces that have the passed option specified
# #
@ -2006,28 +2023,6 @@ setup_forwarding() {
esac esac
} }
#
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
ip6tables -F && save_command ip6tables -F
ip6tables -X && save_command ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
disable_ipv6_1() { disable_ipv6_1() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)" local foo="$(ip -f inet6 addr ls 2> /dev/null)"
@ -3015,6 +3010,7 @@ setup_mac_lists() {
# chains # chains
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
blob=$(ip link show $interface 2> /dev/null) blob=$(ip link show $interface 2> /dev/null)
@ -3104,8 +3100,12 @@ setup_syn_flood_chains()
delete_proxy_arp() { delete_proxy_arp() {
if [ -f /var/lib/shorewall/proxyarp ]; then if [ -f /var/lib/shorewall/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
[ $COMMAND = generate ] || qt arp -i $external -d $address pub run_and_save_command "qt arp -i $external -d $address pub"
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface if [ $COMMAND = generate ]; then
[ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
else
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
fi
done < /var/lib/shorewall/proxyarp done < /var/lib/shorewall/proxyarp
[ $COMMAND = generate ] || rm -f /var/lib/shorewall/proxyarp [ $COMMAND = generate ] || rm -f /var/lib/shorewall/proxyarp
@ -3113,9 +3113,19 @@ delete_proxy_arp() {
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp [ -d $STATEDIR ] && touch $STATEDIR/proxyarp
[ $COMMAND = generate ] || for f in /proc/sys/net/ipv4/conf/*; do if [ $COMMAND = generate ]; then
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp cat >> $RESTOREBASE << __EOF__
done
for f in /proc/sys/net/ipv4/conf/*; do
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
done
__EOF__
else
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
} }
# #
@ -3205,15 +3215,31 @@ delete_nat() {
run_iptables -t nat -F run_iptables -t nat -F
run_iptables -t nat -X run_iptables -t nat -X
if [ -f /var/lib/shorewall/nat ]; then if [ $COMMAND = generate ]; then
while read external interface; do [ -d $STATEDIR ] && touch $STATEDIR/nat
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
[ $COMMAND = generate ] || rm -f {/var/lib/shorewall}/nat cat >> $RESTOREBASE << __EOF__
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del \$external dev \$interface
done < /var/lib/shorewall/nat
rm -f {/var/lib/shorewall}/nat
fi
__EOF__
else
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
rm -f {/var/lib/shorewall}/nat
fi
[ -d $STATEDIR ] && touch $STATEDIR/nat
fi fi
[ -d $STATEDIR ] && touch $STATEDIR/nat
} }
# #
@ -7285,6 +7311,7 @@ setup_masq()
*.*.*|+*|!+*) *.*.*|+*|!+*)
;; ;;
*) *)
[ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e option"
networks=$(get_routed_networks $networks) networks=$(get_routed_networks $networks)
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
networks="$networks" networks="$networks"
@ -7900,7 +7927,9 @@ initialize_netfilter () {
process_routestopped -A process_routestopped -A
[ -n "$DISABLE_IPV6" ] && disable_ipv6 if [ -n "$DISABLE_IPV6" ]; then
run_and_save_command disable_ipv6
fi
[ $COMMAND = generate ] && save_progress_message "Enabling Loopback and DNS Lookups" [ $COMMAND = generate ] && save_progress_message "Enabling Loopback and DNS Lookups"
@ -9771,6 +9800,8 @@ do_initialize() {
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
[ -n "$DETECT_DNAT_IPADDRS" -a -n "$EXPORT" ] && \
startup_error "DETECT_DNAT_IPADDRS=Yes not allowed with the -e option"
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported" startup_error "FORWARDPING=Yes is no longer supported"

21
Shorewall/functions
View File

@ -1108,4 +1108,25 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway [ -n "$gateway" ] && echo $gateway
} }
#
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
ip6tables -F && save_command ip6tables -F
ip6tables -X && save_command ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
SHOREWALL_LIBRARY=Loaded SHOREWALL_LIBRARY=Loaded

20
Shorewall/help
View File

@ -88,11 +88,16 @@ clear)
;; ;;
compile) compile)
echo "compile: compile [ <directory name> ] <file name> echo "compile: compile [ -e ] [ <directory name> ] <file name>
Compiles the current configuration into the executable file Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>" /var/lib/shorewall/<file name>
'generate' is a synonym for 'compile'. When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'generate' is a synonym for 'compile'."
;; ;;
debug) debug)
@ -166,9 +171,14 @@ forget)
generate) generate)
echo "generate: generate [ <directory name> ] <file name> echo "generate: generate [ <directory name> ] <file name>
Compiles the current configuration into the executable file Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>" /var/lib/shorewall/<file name>
'compile' is a synonym for 'generate'. When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'compile' is a synonym for 'generate'."
;; ;;
help) help)

24
Shorewall/releasenotes.txt
View File

@ -39,11 +39,16 @@ New Features:
1) A new 'shorewall generate' command has been added. 1) A new 'shorewall generate' command has been added.
shorewall [ -q ] generate [ <config directory> ] <script file> shorewall [ -q ] [ -e ] generate [ <config directory> ] <script file>
where: where:
-q Suppresses many of the progress messages -q Suppresses many of the progress messages
-e Generates an error if the configuration used
an option that would prevent the generated
script from running on a system other than
where the 'generate' command is running (see
additional consideration a) below).
<config directory> Is an optional directory to be searched for <config directory> Is an optional directory to be searched for
configuration files prior to those listed configuration files prior to those listed
in CONFIG_DIR in /etc/shorewall/shorewall.conf. in CONFIG_DIR in /etc/shorewall/shorewall.conf.
@ -57,7 +62,7 @@ New Features:
'compile' is a synonym for 'generate': 'compile' is a synonym for 'generate':
shorewall [ -q ] compile [ <config directory> ] <script file> shorewall [ -q ] [ -e ] compile [ <config directory> ] <script file>
WARNING: The generated script HAS ABSOLUTELY NO ERROR CHECKING so if there WARNING: The generated script HAS ABSOLUTELY NO ERROR CHECKING so if there
are errors in your configuration files that result in errors when are errors in your configuration files that result in errors when
@ -70,9 +75,14 @@ New Features:
Some additional considerations: Some additional considerations:
a) All 'detect' operations are done at the time that the 'generate' command a) It is possible to run 'generate' ('compile') on one system and then
is run. So it is generally not possible to run 'generate' on one system run the generated script on another system but there are certain
then move the generated script to another system. limitation.
1) The same version of Shorewall must be running on the remote system
2) The 'detectnets' interface option is not allowed.
3) 'detect' in the BROADCAST column of /etc/shorewall/ is not allowed.
4) DETECT_DNAT_ADDRS=Yes is not allowed.
b) If you have extension scripts, they may need modification. The scripts b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script will be run at generation time, rather than when the generated script
@ -83,14 +93,14 @@ New Features:
In addition to 'generate', a 'shorewall reload' command has been added. In addition to 'generate', a 'shorewall reload' command has been added.
shorewall [ -q ] reload [ <config directory> shorewall [ -q ] reload [ <config directory> ]
where -q and <config directory> are as above. where -q and <config directory> are as above.
The 'reload' command creates a script using 'generate' and if there are The 'reload' command creates a script using 'generate' and if there are
no errors, it then restores that script. It is equivalent to: no errors, it then restores that script. It is equivalent to:
if shorewall generate <temp file>; then restore <tempfile>; fi if shorewall generate .reload; then restore .reload; fi
The advantage of using reload over restart is that reload results in new The advantage of using reload over restart is that reload results in new
connections being dropped for a much shorter time. Here are the results of connections being dropped for a much shorter time. Here are the results of

9
Shorewall/shorewall
View File

@ -502,7 +502,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] [ -n ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] [ -n ] [ -e ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -626,6 +626,7 @@ IPT_OPTIONS="-nv"
FAST= FAST=
VERBOSE= VERBOSE=
NOROUTES= NOROUTES=
EXPORT=
noroutes= noroutes=
done=0 done=0
@ -656,6 +657,10 @@ while [ $done -eq 0 ]; do
option= option=
shift shift
;; ;;
e*)
EXPORT=Yes
option=${option#e}
;;
x*) x*)
IPT_OPTIONS="-xnv" IPT_OPTIONS="-xnv"
option=${option#x} option=${option#x}
@ -867,6 +872,8 @@ case "$1" in
;; ;;
esac esac
export EXPORT
exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file
;; ;;
check|restart) check|restart)