extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-10 08:04:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add extra-quiet mode using -qq

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3262 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2006-01-09 17:11:30 +00:00
parent d1bf397545
commit ee3a9a9456
5 changed files with 166 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -3,3 +3,5 @@ Changes in 3.1.0
1) Removal of dynamic zones. 1) Removal of dynamic zones.
2) Implement 'generate' command. 2) Implement 'generate' command.
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).

203
Shorewall/firewall
View File

@ -1122,7 +1122,7 @@ determine_hosts() {
eval ${zone}_hosts="\$hosts" eval ${zone}_hosts="\$hosts"
if [ -n "$hosts" ]; then if [ -n "$hosts" ]; then
display_list "$zone Zone:" $hosts [ $QUIET -lt 2 ] && display_list "$zone Zone:" $hosts
else else
error_message "WARNING: Zone $zone is empty" error_message "WARNING: Zone $zone is empty"
fi fi
@ -1393,11 +1393,11 @@ setup_providers()
if [ -s $TMP_DIR/providers ]; then if [ -s $TMP_DIR/providers ]; then
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
echo "Processing $1..." progress_message2 "Processing $1..."
save_progress_message "Restoring Providers..." save_progress_message "Restoring Providers..."
else else
echo "Validating $1..." progress_message2 "Validating $1..."
fi fi
while read table number mark duplicate interface gateway options copy; do while read table number mark duplicate interface gateway options copy; do
@ -1547,7 +1547,7 @@ validate_hosts_file() {
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
[ -n "$ALL_PORTS" ] && echo " Bridge ports are: $ALL_PORTS" [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS"
} }
# #
@ -1889,11 +1889,11 @@ setup_forwarding() {
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
echo "IP Forwarding Enabled" progress_message2 "IP Forwarding Enabled"
;; ;;
[Oo][Ff][Ff]) [Oo][Ff][Ff])
run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
echo "IP Forwarding Disabled!" progress_message2 "IP Forwarding Disabled!"
;; ;;
esac esac
} }
@ -2108,7 +2108,7 @@ stop_firewall() {
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets... progress_message2 Restoring Ipsets...
# #
# We must purge iptables to be sure that there are no # We must purge iptables to be sure that there are no
# references to ipsets # references to ipsets
@ -2245,11 +2245,11 @@ stop_firewall() {
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Enabled" progress_message2 "IP Forwarding Enabled"
;; ;;
[Oo][Ff][Ff]) [Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Disabled!" progress_message2 "IP Forwarding Disabled!"
;; ;;
esac esac
@ -3147,7 +3147,7 @@ setup_ecn() # $1 = file name
strip_file ecn $1 strip_file ecn $1
echo "Processing $1..." progress_message2 "Processing $1..."
while read interface host; do while read interface host; do
expandv interface host expandv interface host
@ -3311,7 +3311,7 @@ setup_traffic_shaping()
} }
validate_tcdevices_file() { validate_tcdevices_file() {
echo "Validating $devfile..." progress_message2 "Validating $devfile..."
local device local device inband outband local device local device inband outband
while read device inband outband; do while read device inband outband; do
expandv device inband outband expandv device inband outband
@ -3328,7 +3328,7 @@ setup_traffic_shaping()
} }
validate_tcclasses_file() { validate_tcclasses_file() {
echo "Validating $classfile..." progress_message2 "Validating $classfile..."
local classlist device mark rate ceil prio bandw wrongopt allopts opt local classlist device mark rate ceil prio bandw wrongopt allopts opt
allopts="" allopts=""
while read device mark rate ceil prio options; do while read device mark rate ceil prio options; do
@ -3417,7 +3417,7 @@ setup_traffic_shaping()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -s $TMP_DIR/tcdevices ]; then if [ -s $TMP_DIR/tcdevices ]; then
save_progress_message "Restoring Traffic Control..." save_progress_message "Restoring Traffic Control..."
echo "Processing $devfile..." progress_message2 "Processing $devfile..."
while read device inband outband defmark ackmark; do while read device inband outband defmark ackmark; do
expandv device inband outband defmark ackmark expandv device inband outband defmark ackmark
@ -3435,7 +3435,7 @@ setup_traffic_shaping()
fi fi
if [ -s $TMP_DIR/tcclasses ]; then if [ -s $TMP_DIR/tcclasses ]; then
echo "Processing $classfile..." progress_message2 "Processing $classfile..."
while read device mark rate ceil prio options; do while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options expandv device mark rate ceil prio options
@ -3787,7 +3787,7 @@ setup_tc1() {
setup_tc() { setup_tc() {
echo "Setting up Traffic Control Rules..." progress_message2 "Setting up Traffic Control Rules..."
setup_tc1 setup_tc1
} }
@ -4058,7 +4058,7 @@ process_accounting_rule() {
setup_accounting() # $1 = Name of accounting file setup_accounting() # $1 = Name of accounting file
{ {
echo "Setting up Accounting..." progress_message2 "Setting up Accounting..."
[ $COMMAND = generate ] && save_progress_message "Restoring Accounting..." [ $COMMAND = generate ] && save_progress_message "Restoring Accounting..."
@ -4108,31 +4108,33 @@ check_config() {
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi fi
echo "Determining Zones..." progress_message2 "Determining Zones..."
determine_zones determine_zones
display_list "IPv4_Zones:" $IPV4_ZONES if [ $QUIET -lt 2 ]; then
[ -n "$IPSEC_ZONES" ] && \ display_list "IPv4_Zones:" $IPV4_ZONES
display_list "IPSEC Zones:" $IPSEC_ZONES [ -n "$IPSEC_ZONES" ] && \
display_list "Firewall Zone:" $FW display_list "IPSEC Zones:" $IPSEC_ZONES
display_list "Firewall Zone:" $FW
fi
setup_ipsec setup_ipsec
echo "Validating interfaces file..." progress_message2 "Validating interfaces file..."
validate_interfaces_file validate_interfaces_file
echo "Validating hosts file..." progress_message2 "Validating hosts file..."
validate_hosts_file validate_hosts_file
echo "Determining Hosts in Zones..." progress_message2 "Determining Hosts in Zones..."
determine_interfaces determine_interfaces
determine_hosts determine_hosts
echo "Validating policy file..." progress_message2 "Validating policy file..."
validate_policy validate_policy
@ -4140,25 +4142,25 @@ check_config() {
validate_blacklist validate_blacklist
echo "Validating Proxy ARP" progress_message2 "Validating Proxy ARP"
strip_file proxyarp strip_file proxyarp
setup_proxy_arp setup_proxy_arp
echo "Validating NAT..." progress_message2 "Validating NAT..."
strip_file nat strip_file nat
setup_nat setup_nat
echo "Pre-validating Actions..." progress_message2 "Pre-validating Actions..."
process_actions1 process_actions1
echo "Validating rules file..." progress_message2 "Validating rules file..."
rules=$(find_file rules) rules=$(find_file rules)
strip_file rules $rules strip_file rules $rules
process_rules process_rules
echo "Validating Actions..." progress_message2 "Validating Actions..."
process_actions2 process_actions2
process_actions3 process_actions3
@ -4182,7 +4184,7 @@ check_config() {
# #
refresh_tc() { refresh_tc() {
echo "Refreshing Traffic Control Rules..." progress_message2 "Refreshing Traffic Control Rules..."
[ -n "$CLEAR_TC" ] && delete_tc1 [ -n "$CLEAR_TC" ] && delete_tc1
@ -5021,7 +5023,7 @@ process_actions1() {
eval requiredby_${action}= eval requiredby_${action}=
if [ -f $fn ]; then if [ -f $fn ]; then
echo " Pre-processing $fn..." progress_message2 " Pre-processing $fn..."
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget expandv xtarget
@ -5278,7 +5280,7 @@ process_actions3() {
# #
f=action.$xaction1 f=action.$xaction1
echo "Processing $(find_file $f) for Chain $xchain..." progress_message2 "Processing $(find_file $f) for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
expandv xtarget expandv xtarget
@ -6782,7 +6784,7 @@ process_tos_rule() {
# #
process_tos() # $1 = name of tos file process_tos() # $1 = name of tos file
{ {
echo "Processing $1..." progress_message2 "Processing $1..."
strip_file tos $1 strip_file tos $1
@ -7367,14 +7369,17 @@ setup_masq()
strip_file masq $1 strip_file masq $1
if [ -n "$NAT_ENABLED" ]; then if [ -n "$NAT_ENABLED" ]; then
echo "Masqueraded Networks and Hosts:" progress_message2 "Masqueraded Networks and Hosts:"
[ $COMMAND = check ] || save_progress_message "Restoring Masquerading/SNAT..." [ $COMMAND = check ] || save_progress_message "Restoring Masquerading/SNAT..."
fi fi
while read fullinterface networks addresses proto ports ipsec; do while read fullinterface networks addresses proto ports ipsec; do
expandv fullinterface networks addresses proto ports ipsec expandv fullinterface networks addresses proto ports ipsec
[ -n "$NAT_ENABLED" ] && setup_one || \ if [ -n "$NAT_ENABLED" ]; then
setup_one
else
error_message "WARNING: NAT disabled; masq rule ignored" error_message "WARNING: NAT disabled; masq rule ignored"
fi
done < $TMP_DIR/masq done < $TMP_DIR/masq
} }
@ -7489,7 +7494,7 @@ setup_blacklist() {
local ipsec policy local ipsec policy
if [ -n "$hosts" -a -f $f ]; then if [ -n "$hosts" -a -f $f ]; then
echo "Setting up Blacklisting..." progress_message2 "Setting up Blacklisting..."
[ $COMMAND = restore ] && save_progress_message "Restoring Blacklisting..." [ $COMMAND = restore ] && save_progress_message "Restoring Blacklisting..."
@ -7534,7 +7539,7 @@ refresh_blacklist() {
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
if qt $IPTABLES -L blacklst -n ; then if qt $IPTABLES -L blacklst -n ; then
echo "Loading Black List..." progress_message2 "Loading Black List..."
strip_file blacklist $f strip_file blacklist $f
@ -7556,7 +7561,7 @@ validate_blacklist() {
local f=$(find_file blacklist) local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
echo "Checking Black List..." progress_message2 "Checking Black List..."
strip_file blacklist $f strip_file blacklist $f
@ -7746,28 +7751,30 @@ initialize_netfilter () {
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match" startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
echo "Determining Zones..." progress_message2 "Determining Zones..."
determine_zones determine_zones
display_list "IPv4 Zones:" $IPV4_ZONES if [ $QUIET -lt 2 ]; then
[ -n "$IPSEC_ZONES" ] && \ display_list "IPv4 Zones:" $IPV4_ZONES
display_list "IPSEC Zones:" $IPSEC_ZONES [ -n "$IPSEC_ZONES" ] && \
display_list "Firewall Zone:" $FW display_list "IPSEC Zones:" $IPSEC_ZONES
display_list "Firewall Zone:" $FW
fi
echo "Validating interfaces file..." progress_message2 "Validating interfaces file..."
validate_interfaces_file validate_interfaces_file
echo "Validating hosts file..." progress_message2 "Validating hosts file..."
validate_hosts_file validate_hosts_file
echo "Validating Policy file..." progress_message2 "Validating Policy file..."
validate_policy validate_policy
echo "Determining Hosts in Zones..." progress_message2 "Determining Hosts in Zones..."
determine_interfaces determine_interfaces
determine_hosts determine_hosts
@ -7786,7 +7793,7 @@ initialize_netfilter () {
strip_file nat strip_file nat
strip_file netmap strip_file netmap
echo "Pre-processing Actions..." progress_message2 "Pre-processing Actions..."
process_actions1 process_actions1
TERMINATOR=fatal_error TERMINATOR=fatal_error
@ -7820,7 +7827,7 @@ initialize_netfilter () {
[ -n "$CLEAR_TC" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
echo "Deleting user chains..." progress_message2 "Deleting user chains..."
[ $COMMAND = generate ] && save_progress_message "Deleting user chains..." [ $COMMAND = generate ] && save_progress_message "Deleting user chains..."
@ -7866,7 +7873,7 @@ initialize_netfilter () {
f=$(find_file ipsets) f=$(find_file ipsets)
if [ -f $f ]; then if [ -f $f ]; then
echo "Processing $f ..." progress_message2 "Processing $f ..."
save_progress_message "Restoring IPSETS..." save_progress_message "Restoring IPSETS..."
run_and_save_command "ipset -U :all: :all:" run_and_save_command "ipset -U :all: :all:"
run_and_save_command "run_ipset -F" run_and_save_command "run_ipset -F"
@ -7878,7 +7885,7 @@ initialize_netfilter () {
f=$(find_file routestopped) f=$(find_file routestopped)
echo "Processing $f ..." progress_message2 "Processing $f ..."
strip_file routestopped $f strip_file routestopped $f
@ -7911,7 +7918,7 @@ initialize_netfilter () {
createchain smurfs no createchain smurfs no
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..." progress_message2 "Restoring dynamic rules..."
[ $COMMAND = generate ] && save_progress_message "Restoring dynamic rules..." [ $COMMAND = generate ] && save_progress_message "Restoring dynamic rules..."
@ -7930,7 +7937,7 @@ initialize_netfilter () {
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
echo "Creating Interface Chains..." progress_message2 "Creating Interface Chains..."
[ $COMMAND = generate ] && save_progress_message "Creating Interface Chains..." [ $COMMAND = generate ] && save_progress_message "Creating Interface Chains..."
@ -8015,7 +8022,7 @@ add_common_rules() {
if [ -n "$hosts" ]; then if [ -n "$hosts" ]; then
echo "Adding Anti-smurf Rules" progress_message2 "Adding Anti-smurf Rules"
[ $COMMAND = generate ] && save_progress_message "Adding Anti-smurf Jumps..." [ $COMMAND = generate ] && save_progress_message "Adding Anti-smurf Jumps..."
@ -8038,7 +8045,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Adding rules for DHCP" progress_message2 "Adding rules for DHCP"
[ $COMMAND = generate ] && save_progress_message "Restoring rules for DHCP..." [ $COMMAND = generate ] && save_progress_message "Restoring rules for DHCP..."
@ -8058,7 +8065,7 @@ add_common_rules() {
hosts="$(find_hosts_by_option norfc1918)" hosts="$(find_hosts_by_option norfc1918)"
if [ -n "$hosts" ]; then if [ -n "$hosts" ]; then
echo "Enabling RFC1918 Filtering" progress_message2 "Enabling RFC1918 Filtering"
[ $COMMAND = generate ] && save_progress_message "Restoring RFC1918 Filtering..." [ $COMMAND = generate ] && save_progress_message "Restoring RFC1918 Filtering..."
@ -8151,7 +8158,7 @@ add_common_rules() {
hosts=$(find_hosts_by_option tcpflags) hosts=$(find_hosts_by_option tcpflags)
if [ -n "$hosts" ]; then if [ -n "$hosts" ]; then
echo "Setting up TCP Flags checking..." progress_message2 "Setting up TCP Flags checking..."
[ $COMMAND = generate ] && save_progress_message "Restoring TCP Flags checking..." [ $COMMAND = generate ] && save_progress_message "Restoring TCP Flags checking..."
@ -8219,7 +8226,7 @@ add_common_rules() {
interfaces1=$(find_interfaces_by_option1 arp_ignore) interfaces1=$(find_interfaces_by_option1 arp_ignore)
if [ -n "${interfaces}${interfaces1}" ]; then if [ -n "${interfaces}${interfaces1}" ]; then
echo "Setting up ARP Filtering..." progress_message2 "Setting up ARP Filtering..."
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter file=/proc/sys/net/ipv4/conf/$interface/arp_filter
@ -8248,7 +8255,7 @@ add_common_rules() {
interfaces="$(find_interfaces_by_option routefilter)" interfaces="$(find_interfaces_by_option routefilter)"
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." progress_message2 "Setting up Kernel Route Filtering..."
save_progress_message "Restoring Route Filtering..." save_progress_message "Restoring Route Filtering..."
@ -8282,7 +8289,7 @@ add_common_rules() {
interfaces="$(find_interfaces_by_option logmartians)" interfaces="$(find_interfaces_by_option logmartians)"
if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
echo "Setting up Martian Logging..." progress_message2 "Setting up Martian Logging..."
save_progress_message "Restoring Martian Logging..." save_progress_message "Restoring Martian Logging..."
@ -8319,7 +8326,7 @@ add_common_rules() {
interfaces=$(find_interfaces_by_option sourceroute) interfaces=$(find_interfaces_by_option sourceroute)
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Setting up Accept Source Routing..." progress_message2 "Setting up Accept Source Routing..."
save_progress_message "Restoring Source Routing..." save_progress_message "Restoring Source Routing..."
@ -8340,7 +8347,7 @@ add_common_rules() {
interfaces=$(find_interfaces_by_option upnp) interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Setting up UPnP..." progress_message2 "Setting up UPnP..."
[ $COMMAND = generate ] && save_progress_message "Restoring UPnP..." [ $COMMAND = generate ] && save_progress_message "Restoring UPnP..."
@ -8739,52 +8746,52 @@ define_firewall() # $1 = Command (Start or Restart)
save_load_kernel_modules save_load_kernel_modules
echo "Initializing..."; initialize_netfilter progress_message2 "Initializing..."; initialize_netfilter
echo "Configuring Proxy ARP"; setup_proxy_arp progress_message2 "Configuring Proxy ARP"; setup_proxy_arp
# #
# [re]-Establish routing # [re]-Establish routing
# #
setup_providers $(find_file providers) setup_providers $(find_file providers)
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
echo "Setting up NAT..."; setup_nat progress_message2 "Setting up NAT..."; setup_nat
echo "Setting up NETMAP..."; setup_netmap progress_message2 "Setting up NETMAP..."; setup_netmap
echo "Adding Common Rules"; add_common_rules progress_message2 "Adding Common Rules"; add_common_rules
setup_syn_flood_chains setup_syn_flood_chains
setup_ipsec setup_ipsec
maclist_hosts=$(find_hosts_by_option maclist) maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists [ -n "$maclist_hosts" ] && setup_mac_lists
echo "Processing $(find_file rules)..."; process_rules progress_message2 "Processing $(find_file rules)..."; process_rules
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
[ -f $tunnels ] && \ [ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels progress_message2 "Processing $tunnels..." && setup_tunnels $tunnels
echo "Processing Actions..."; process_actions2 progress_message2 "Processing Actions..."; process_actions2
process_actions3 process_actions3
echo "Processing $(find_file policy)..."; apply_policy_rules progress_message2 "Processing $(find_file policy)..."; apply_policy_rules
masq=$(find_file masq) masq=$(find_file masq)
[ -f $masq ] && setup_masq $masq [ -f $masq ] && setup_masq $masq
tos=$(find_file tos) tos=$(find_file tos)
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
ecn=$(find_file ecn) ecn=$(find_file ecn)
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
[ -n "$MANGLE_ENABLED" ] && setup_tc [ -n "$MANGLE_ENABLED" ] && setup_tc
echo "Activating Rules..."; activate_rules progress_message2 "Activating Rules..."; activate_rules
if [ -n "$ALIASES_TO_ADD" ]; then if [ -n "$ALIASES_TO_ADD" ]; then
echo "Adding IP Addresses..." progress_message2 "Adding IP Addresses..."
add_ip_aliases add_ip_aliases
fi fi
@ -8959,20 +8966,20 @@ compile_firewall() # $1 = File Name
save_load_kernel_modules save_load_kernel_modules
echo "Initializing..." progress_message2 "Initializing..."
save_progress_message "Initializing..." save_progress_message "Initializing..."
initialize_netfilter initialize_netfilter
echo "Compiling Proxy ARP"; setup_proxy_arp progress_message2 "Compiling Proxy ARP"; setup_proxy_arp
# #
# [re]-Establish routing # [re]-Establish routing
# #
setup_providers $(find_file providers) setup_providers $(find_file providers)
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
echo "Compiling NAT..."; setup_nat progress_message2 "Compiling NAT..."; setup_nat
echo "Compiling NETMAP..."; setup_netmap progress_message2 "Compiling NETMAP..."; setup_netmap
echo "Compiling Common Rules"; add_common_rules progress_message2 "Compiling Common Rules"; add_common_rules
save_progress_message "Restoring SYN Flood Protection..." save_progress_message "Restoring SYN Flood Protection..."
@ -8989,25 +8996,25 @@ compile_firewall() # $1 = File Name
setup_mac_lists setup_mac_lists
fi fi
echo "Compiling $(find_file rules)..." progress_message2 "Compiling $(find_file rules)..."
save_progress_message "Restoring Rules..." save_progress_message "Restoring Rules..."
process_rules process_rules
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
if [ -f $tunnels ]; then if [ -f $tunnels ]; then
echo "Compiling $tunnels..." progress_message2 "Compiling $tunnels..."
save_progress_message "Restoring Tunnels..." save_progress_message "Restoring Tunnels..."
setup_tunnels $tunnels setup_tunnels $tunnels
fi fi
save_progress_message "Restoring Actions..." save_progress_message "Restoring Actions..."
echo "Compiling Actions..."; process_actions2 progress_message2 "Compiling Actions..."; process_actions2
process_actions3 process_actions3
save_progress_message "Applying Policies..." save_progress_message "Applying Policies..."
echo "Compiling $(find_file policy)..."; apply_policy_rules progress_message2 "Compiling $(find_file policy)..."; apply_policy_rules
masq=$(find_file masq) masq=$(find_file masq)
if [ -f $masq ]; then if [ -f $masq ]; then
@ -9031,12 +9038,12 @@ compile_firewall() # $1 = File Name
setup_tc setup_tc
fi fi
echo "Compiling Rule Activation..." progress_message2 "Compiling Rule Activation..."
save_progress_message "Activating Rules..." save_progress_message "Activating Rules..."
activate_rules activate_rules
[ -n "$ALIASES_TO_ADD" ] && \ [ -n "$ALIASES_TO_ADD" ] && \
echo "Adding IP Addresses..." && add_ip_aliases progress_message2 "Adding IP Addresses..." && add_ip_aliases
for file in chains nat proxyarp zones; do for file in chains nat proxyarp zones; do
append_file $file append_file $file
@ -9046,7 +9053,7 @@ compile_firewall() # $1 = File Name
run_user_exit start run_user_exit start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
createchain shorewall no createchain shorewall no
@ -9090,7 +9097,7 @@ refresh_firewall()
echo "Refreshing Shorewall..." echo "Refreshing Shorewall..."
echo "Determining Zones and Interfaces..." progress_message2 "Determining Zones and Interfaces..."
determine_zones determine_zones
@ -9256,7 +9263,7 @@ do_initialize() {
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
[ -n "$QUIET" ] || echo "Loading $FUNCTIONS..." [ $QUIET -lt 1 ] && echo "Loading $FUNCTIONS..."
. $FUNCTIONS . $FUNCTIONS
else else
startup_error "$FUNCTIONS does not exist!" startup_error "$FUNCTIONS does not exist!"
@ -9281,7 +9288,7 @@ do_initialize() {
if [ -f $config ]; then if [ -f $config ]; then
if [ -r $config ]; then if [ -r $config ]; then
[ -n "$QUIET" ] || echo "Processing $config..." progress_message "Processing $config..."
. $config . $config
else else
startup_error "Cannot read $config (Hint: Are you root?)" startup_error "Cannot read $config (Hint: Are you root?)"

46
Shorewall/functions
View File

@ -59,7 +59,12 @@ list_count() {
# #
progress_message() # $* = Message progress_message() # $* = Message
{ {
[ -n "$QUIET" ] || echo "$@" [ $QUIET -lt 1 ] && echo "$@"
}
progress_message2() # $* = Message
{
[ $QUIET -lt 2 ] && echo "$@"
} }
# #
@ -949,25 +954,28 @@ report_capability() # $1 = Capability Description , $2 Capability Setting (if an
} }
report_capabilities() { report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:" if [ $QUIET -lt 2 ]; then
report_capability "NAT" $NAT_ENABLED echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "Packet Mangling" $MANGLE_ENABLED report_capability "NAT" $NAT_ENABLED
report_capability "Multi-port Match" $MULTIPORT report_capability "Packet Mangling" $MANGLE_ENABLED
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT report_capability "Multi-port Match" $MULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Packet Type Match" $USEPKTTYPE report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT
} }

10
Shorewall/releasenotes.txt
View File

@ -120,3 +120,13 @@ New Features:
The time difference from B to C reflects the difference between The time difference from B to C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The system is a "iptables-restore" and multiple executions of "iptables". The system is a
1.4Ghz Celeron with 512MB RAM. 1.4Ghz Celeron with 512MB RAM.
2) You may now repeat the -q option to cause Shorewall to be extra quiet.
Example:
gateway:~ # shorewall -qq reload
Shorewall configuration compiled to /var/lib/shorewall/.reload
Restoring Shorewall...
Shorewall restored from /var/lib/shorewall/.reload
gateway:~ #

30
Shorewall/shorewall
View File

@ -582,6 +582,23 @@ heading() {
echo echo
} }
#
# Create the appropriate -q option to pass oneward
#
make_quiet() {
local q=$QUIET
if [ $QUIET -gt 0 ]; then
local option=-
while [ $q -gt 0 ]; do
option="${option}q"
q=$(($q - 1))
done
echo $option
fi
}
# #
# Execution begins here # Execution begins here
# #
@ -600,7 +617,7 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
fi fi
SHOREWALL_DIR= SHOREWALL_DIR=
QUIET= export QUIET=0
IPT_OPTIONS="-nv" IPT_OPTIONS="-nv"
FAST= FAST=
VERBOSE= VERBOSE=
@ -640,7 +657,7 @@ while [ $done -eq 0 ]; do
option=${option#x} option=${option#x}
;; ;;
q*) q*)
QUIET=Yes QUIET=$(($QUIET + 1 ))
option=${option#q} option=${option#q}
;; ;;
f*) f*)
@ -673,8 +690,6 @@ if [ $# -eq 0 ]; then
fi fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
[ -n "$QUIET" ] && export QUIET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
@ -903,8 +918,7 @@ case "$1" in
export NOROUTES export NOROUTES
if $SHOREWALL_SHELL $FIREWALL $debugging $nolock compile .reload; then if $SHOREWALL_SHELL $FIREWALL $debugging $nolock compile .reload; then
[ -n "$QUIET" ] && QUIET=-q $0 $(make_quiet) restore .reload
$0 $QUIET restore .reload
fi fi
;; ;;
show|list) show|list)
@ -1162,7 +1176,7 @@ case "$1" in
try) try)
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1 [ $# -lt 2 -o $# -gt 3 ] && usage 1
[ -n "$QUIET" ] && QUIET=-q [ -n "$QUIET" ] && QUIET=$(make_quiet)
[ -n "$NOROUTES" ] && NOROUTES=-n [ -n "$NOROUTES" ] && NOROUTES=-n
if ! $0 $debugging $QUIET -c $2 restart; then if ! $0 $debugging $QUIET -c $2 restart; then
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
@ -1379,7 +1393,7 @@ case "$1" in
exit 2 exit 2
fi fi
[ -n "$QUIET" ] && QUIET=-q [ -n "$QUIET" ] && QUIET=$(make_quiet)
mutex_on mutex_on