Add extra-quiet mode using -qq
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3262 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d1bf397545
commit
ee3a9a9456
@ -3,3 +3,5 @@ Changes in 3.1.0
|
|||||||
1) Removal of dynamic zones.
|
1) Removal of dynamic zones.
|
||||||
|
|
||||||
2) Implement 'generate' command.
|
2) Implement 'generate' command.
|
||||||
|
|
||||||
|
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
|
||||||
|
@ -1122,7 +1122,7 @@ determine_hosts() {
|
|||||||
eval ${zone}_hosts="\$hosts"
|
eval ${zone}_hosts="\$hosts"
|
||||||
|
|
||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
display_list "$zone Zone:" $hosts
|
[ $QUIET -lt 2 ] && display_list "$zone Zone:" $hosts
|
||||||
else
|
else
|
||||||
error_message "WARNING: Zone $zone is empty"
|
error_message "WARNING: Zone $zone is empty"
|
||||||
fi
|
fi
|
||||||
@ -1393,11 +1393,11 @@ setup_providers()
|
|||||||
|
|
||||||
if [ -s $TMP_DIR/providers ]; then
|
if [ -s $TMP_DIR/providers ]; then
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
echo "Processing $1..."
|
progress_message2 "Processing $1..."
|
||||||
|
|
||||||
save_progress_message "Restoring Providers..."
|
save_progress_message "Restoring Providers..."
|
||||||
else
|
else
|
||||||
echo "Validating $1..."
|
progress_message2 "Validating $1..."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
while read table number mark duplicate interface gateway options copy; do
|
while read table number mark duplicate interface gateway options copy; do
|
||||||
@ -1547,7 +1547,7 @@ validate_hosts_file() {
|
|||||||
|
|
||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
|
|
||||||
[ -n "$ALL_PORTS" ] && echo " Bridge ports are: $ALL_PORTS"
|
[ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1889,11 +1889,11 @@ setup_forwarding() {
|
|||||||
case "$IP_FORWARDING" in
|
case "$IP_FORWARDING" in
|
||||||
[Oo][Nn])
|
[Oo][Nn])
|
||||||
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
|
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
|
||||||
echo "IP Forwarding Enabled"
|
progress_message2 "IP Forwarding Enabled"
|
||||||
;;
|
;;
|
||||||
[Oo][Ff][Ff])
|
[Oo][Ff][Ff])
|
||||||
run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
|
run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
|
||||||
echo "IP Forwarding Disabled!"
|
progress_message2 "IP Forwarding Disabled!"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
@ -2108,7 +2108,7 @@ stop_firewall() {
|
|||||||
if [ -x $RESTOREPATH ]; then
|
if [ -x $RESTOREPATH ]; then
|
||||||
|
|
||||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||||
echo Restoring Ipsets...
|
progress_message2 Restoring Ipsets...
|
||||||
#
|
#
|
||||||
# We must purge iptables to be sure that there are no
|
# We must purge iptables to be sure that there are no
|
||||||
# references to ipsets
|
# references to ipsets
|
||||||
@ -2245,11 +2245,11 @@ stop_firewall() {
|
|||||||
case "$IP_FORWARDING" in
|
case "$IP_FORWARDING" in
|
||||||
[Oo][Nn])
|
[Oo][Nn])
|
||||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
echo "IP Forwarding Enabled"
|
progress_message2 "IP Forwarding Enabled"
|
||||||
;;
|
;;
|
||||||
[Oo][Ff][Ff])
|
[Oo][Ff][Ff])
|
||||||
echo 0 > /proc/sys/net/ipv4/ip_forward
|
echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||||
echo "IP Forwarding Disabled!"
|
progress_message2 "IP Forwarding Disabled!"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3147,7 +3147,7 @@ setup_ecn() # $1 = file name
|
|||||||
|
|
||||||
strip_file ecn $1
|
strip_file ecn $1
|
||||||
|
|
||||||
echo "Processing $1..."
|
progress_message2 "Processing $1..."
|
||||||
|
|
||||||
while read interface host; do
|
while read interface host; do
|
||||||
expandv interface host
|
expandv interface host
|
||||||
@ -3311,7 +3311,7 @@ setup_traffic_shaping()
|
|||||||
}
|
}
|
||||||
|
|
||||||
validate_tcdevices_file() {
|
validate_tcdevices_file() {
|
||||||
echo "Validating $devfile..."
|
progress_message2 "Validating $devfile..."
|
||||||
local device local device inband outband
|
local device local device inband outband
|
||||||
while read device inband outband; do
|
while read device inband outband; do
|
||||||
expandv device inband outband
|
expandv device inband outband
|
||||||
@ -3328,7 +3328,7 @@ setup_traffic_shaping()
|
|||||||
}
|
}
|
||||||
|
|
||||||
validate_tcclasses_file() {
|
validate_tcclasses_file() {
|
||||||
echo "Validating $classfile..."
|
progress_message2 "Validating $classfile..."
|
||||||
local classlist device mark rate ceil prio bandw wrongopt allopts opt
|
local classlist device mark rate ceil prio bandw wrongopt allopts opt
|
||||||
allopts=""
|
allopts=""
|
||||||
while read device mark rate ceil prio options; do
|
while read device mark rate ceil prio options; do
|
||||||
@ -3417,7 +3417,7 @@ setup_traffic_shaping()
|
|||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -s $TMP_DIR/tcdevices ]; then
|
if [ -s $TMP_DIR/tcdevices ]; then
|
||||||
save_progress_message "Restoring Traffic Control..."
|
save_progress_message "Restoring Traffic Control..."
|
||||||
echo "Processing $devfile..."
|
progress_message2 "Processing $devfile..."
|
||||||
|
|
||||||
while read device inband outband defmark ackmark; do
|
while read device inband outband defmark ackmark; do
|
||||||
expandv device inband outband defmark ackmark
|
expandv device inband outband defmark ackmark
|
||||||
@ -3435,7 +3435,7 @@ setup_traffic_shaping()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -s $TMP_DIR/tcclasses ]; then
|
if [ -s $TMP_DIR/tcclasses ]; then
|
||||||
echo "Processing $classfile..."
|
progress_message2 "Processing $classfile..."
|
||||||
|
|
||||||
while read device mark rate ceil prio options; do
|
while read device mark rate ceil prio options; do
|
||||||
expandv device mark rate ceil prio options
|
expandv device mark rate ceil prio options
|
||||||
@ -3787,7 +3787,7 @@ setup_tc1() {
|
|||||||
|
|
||||||
setup_tc() {
|
setup_tc() {
|
||||||
|
|
||||||
echo "Setting up Traffic Control Rules..."
|
progress_message2 "Setting up Traffic Control Rules..."
|
||||||
|
|
||||||
setup_tc1
|
setup_tc1
|
||||||
}
|
}
|
||||||
@ -4058,7 +4058,7 @@ process_accounting_rule() {
|
|||||||
setup_accounting() # $1 = Name of accounting file
|
setup_accounting() # $1 = Name of accounting file
|
||||||
{
|
{
|
||||||
|
|
||||||
echo "Setting up Accounting..."
|
progress_message2 "Setting up Accounting..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring Accounting..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring Accounting..."
|
||||||
|
|
||||||
@ -4108,31 +4108,33 @@ check_config() {
|
|||||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Determining Zones..."
|
progress_message2 "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
|
|
||||||
display_list "IPv4_Zones:" $IPV4_ZONES
|
if [ $QUIET -lt 2 ]; then
|
||||||
[ -n "$IPSEC_ZONES" ] && \
|
display_list "IPv4_Zones:" $IPV4_ZONES
|
||||||
display_list "IPSEC Zones:" $IPSEC_ZONES
|
[ -n "$IPSEC_ZONES" ] && \
|
||||||
display_list "Firewall Zone:" $FW
|
display_list "IPSEC Zones:" $IPSEC_ZONES
|
||||||
|
display_list "Firewall Zone:" $FW
|
||||||
|
fi
|
||||||
|
|
||||||
setup_ipsec
|
setup_ipsec
|
||||||
|
|
||||||
echo "Validating interfaces file..."
|
progress_message2 "Validating interfaces file..."
|
||||||
|
|
||||||
validate_interfaces_file
|
validate_interfaces_file
|
||||||
|
|
||||||
echo "Validating hosts file..."
|
progress_message2 "Validating hosts file..."
|
||||||
|
|
||||||
validate_hosts_file
|
validate_hosts_file
|
||||||
|
|
||||||
echo "Determining Hosts in Zones..."
|
progress_message2 "Determining Hosts in Zones..."
|
||||||
|
|
||||||
determine_interfaces
|
determine_interfaces
|
||||||
determine_hosts
|
determine_hosts
|
||||||
|
|
||||||
echo "Validating policy file..."
|
progress_message2 "Validating policy file..."
|
||||||
|
|
||||||
validate_policy
|
validate_policy
|
||||||
|
|
||||||
@ -4140,25 +4142,25 @@ check_config() {
|
|||||||
|
|
||||||
validate_blacklist
|
validate_blacklist
|
||||||
|
|
||||||
echo "Validating Proxy ARP"
|
progress_message2 "Validating Proxy ARP"
|
||||||
strip_file proxyarp
|
strip_file proxyarp
|
||||||
setup_proxy_arp
|
setup_proxy_arp
|
||||||
|
|
||||||
echo "Validating NAT..."
|
progress_message2 "Validating NAT..."
|
||||||
strip_file nat
|
strip_file nat
|
||||||
setup_nat
|
setup_nat
|
||||||
|
|
||||||
echo "Pre-validating Actions..."
|
progress_message2 "Pre-validating Actions..."
|
||||||
|
|
||||||
process_actions1
|
process_actions1
|
||||||
|
|
||||||
echo "Validating rules file..."
|
progress_message2 "Validating rules file..."
|
||||||
|
|
||||||
rules=$(find_file rules)
|
rules=$(find_file rules)
|
||||||
strip_file rules $rules
|
strip_file rules $rules
|
||||||
process_rules
|
process_rules
|
||||||
|
|
||||||
echo "Validating Actions..."
|
progress_message2 "Validating Actions..."
|
||||||
|
|
||||||
process_actions2
|
process_actions2
|
||||||
process_actions3
|
process_actions3
|
||||||
@ -4182,7 +4184,7 @@ check_config() {
|
|||||||
#
|
#
|
||||||
refresh_tc() {
|
refresh_tc() {
|
||||||
|
|
||||||
echo "Refreshing Traffic Control Rules..."
|
progress_message2 "Refreshing Traffic Control Rules..."
|
||||||
|
|
||||||
[ -n "$CLEAR_TC" ] && delete_tc1
|
[ -n "$CLEAR_TC" ] && delete_tc1
|
||||||
|
|
||||||
@ -5021,7 +5023,7 @@ process_actions1() {
|
|||||||
eval requiredby_${action}=
|
eval requiredby_${action}=
|
||||||
|
|
||||||
if [ -f $fn ]; then
|
if [ -f $fn ]; then
|
||||||
echo " Pre-processing $fn..."
|
progress_message2 " Pre-processing $fn..."
|
||||||
strip_file $f $fn
|
strip_file $f $fn
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
||||||
expandv xtarget
|
expandv xtarget
|
||||||
@ -5278,7 +5280,7 @@ process_actions3() {
|
|||||||
#
|
#
|
||||||
f=action.$xaction1
|
f=action.$xaction1
|
||||||
|
|
||||||
echo "Processing $(find_file $f) for Chain $xchain..."
|
progress_message2 "Processing $(find_file $f) for Chain $xchain..."
|
||||||
|
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
||||||
expandv xtarget
|
expandv xtarget
|
||||||
@ -6782,7 +6784,7 @@ process_tos_rule() {
|
|||||||
#
|
#
|
||||||
process_tos() # $1 = name of tos file
|
process_tos() # $1 = name of tos file
|
||||||
{
|
{
|
||||||
echo "Processing $1..."
|
progress_message2 "Processing $1..."
|
||||||
|
|
||||||
strip_file tos $1
|
strip_file tos $1
|
||||||
|
|
||||||
@ -7367,14 +7369,17 @@ setup_masq()
|
|||||||
strip_file masq $1
|
strip_file masq $1
|
||||||
|
|
||||||
if [ -n "$NAT_ENABLED" ]; then
|
if [ -n "$NAT_ENABLED" ]; then
|
||||||
echo "Masqueraded Networks and Hosts:"
|
progress_message2 "Masqueraded Networks and Hosts:"
|
||||||
[ $COMMAND = check ] || save_progress_message "Restoring Masquerading/SNAT..."
|
[ $COMMAND = check ] || save_progress_message "Restoring Masquerading/SNAT..."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
while read fullinterface networks addresses proto ports ipsec; do
|
while read fullinterface networks addresses proto ports ipsec; do
|
||||||
expandv fullinterface networks addresses proto ports ipsec
|
expandv fullinterface networks addresses proto ports ipsec
|
||||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
if [ -n "$NAT_ENABLED" ]; then
|
||||||
|
setup_one
|
||||||
|
else
|
||||||
error_message "WARNING: NAT disabled; masq rule ignored"
|
error_message "WARNING: NAT disabled; masq rule ignored"
|
||||||
|
fi
|
||||||
done < $TMP_DIR/masq
|
done < $TMP_DIR/masq
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7489,7 +7494,7 @@ setup_blacklist() {
|
|||||||
local ipsec policy
|
local ipsec policy
|
||||||
|
|
||||||
if [ -n "$hosts" -a -f $f ]; then
|
if [ -n "$hosts" -a -f $f ]; then
|
||||||
echo "Setting up Blacklisting..."
|
progress_message2 "Setting up Blacklisting..."
|
||||||
|
|
||||||
[ $COMMAND = restore ] && save_progress_message "Restoring Blacklisting..."
|
[ $COMMAND = restore ] && save_progress_message "Restoring Blacklisting..."
|
||||||
|
|
||||||
@ -7534,7 +7539,7 @@ refresh_blacklist() {
|
|||||||
local disposition=$BLACKLIST_DISPOSITION
|
local disposition=$BLACKLIST_DISPOSITION
|
||||||
|
|
||||||
if qt $IPTABLES -L blacklst -n ; then
|
if qt $IPTABLES -L blacklst -n ; then
|
||||||
echo "Loading Black List..."
|
progress_message2 "Loading Black List..."
|
||||||
|
|
||||||
strip_file blacklist $f
|
strip_file blacklist $f
|
||||||
|
|
||||||
@ -7556,7 +7561,7 @@ validate_blacklist() {
|
|||||||
local f=$(find_file blacklist)
|
local f=$(find_file blacklist)
|
||||||
local disposition=$BLACKLIST_DISPOSITION
|
local disposition=$BLACKLIST_DISPOSITION
|
||||||
|
|
||||||
echo "Checking Black List..."
|
progress_message2 "Checking Black List..."
|
||||||
|
|
||||||
strip_file blacklist $f
|
strip_file blacklist $f
|
||||||
|
|
||||||
@ -7746,28 +7751,30 @@ initialize_netfilter () {
|
|||||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
|
|
||||||
echo "Determining Zones..."
|
progress_message2 "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
|
|
||||||
display_list "IPv4 Zones:" $IPV4_ZONES
|
if [ $QUIET -lt 2 ]; then
|
||||||
[ -n "$IPSEC_ZONES" ] && \
|
display_list "IPv4 Zones:" $IPV4_ZONES
|
||||||
display_list "IPSEC Zones:" $IPSEC_ZONES
|
[ -n "$IPSEC_ZONES" ] && \
|
||||||
display_list "Firewall Zone:" $FW
|
display_list "IPSEC Zones:" $IPSEC_ZONES
|
||||||
|
display_list "Firewall Zone:" $FW
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Validating interfaces file..."
|
progress_message2 "Validating interfaces file..."
|
||||||
|
|
||||||
validate_interfaces_file
|
validate_interfaces_file
|
||||||
|
|
||||||
echo "Validating hosts file..."
|
progress_message2 "Validating hosts file..."
|
||||||
|
|
||||||
validate_hosts_file
|
validate_hosts_file
|
||||||
|
|
||||||
echo "Validating Policy file..."
|
progress_message2 "Validating Policy file..."
|
||||||
|
|
||||||
validate_policy
|
validate_policy
|
||||||
|
|
||||||
echo "Determining Hosts in Zones..."
|
progress_message2 "Determining Hosts in Zones..."
|
||||||
|
|
||||||
determine_interfaces
|
determine_interfaces
|
||||||
determine_hosts
|
determine_hosts
|
||||||
@ -7786,7 +7793,7 @@ initialize_netfilter () {
|
|||||||
strip_file nat
|
strip_file nat
|
||||||
strip_file netmap
|
strip_file netmap
|
||||||
|
|
||||||
echo "Pre-processing Actions..."
|
progress_message2 "Pre-processing Actions..."
|
||||||
process_actions1
|
process_actions1
|
||||||
|
|
||||||
TERMINATOR=fatal_error
|
TERMINATOR=fatal_error
|
||||||
@ -7820,7 +7827,7 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
[ -n "$CLEAR_TC" ] && delete_tc
|
[ -n "$CLEAR_TC" ] && delete_tc
|
||||||
|
|
||||||
echo "Deleting user chains..."
|
progress_message2 "Deleting user chains..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Deleting user chains..."
|
[ $COMMAND = generate ] && save_progress_message "Deleting user chains..."
|
||||||
|
|
||||||
@ -7866,7 +7873,7 @@ initialize_netfilter () {
|
|||||||
f=$(find_file ipsets)
|
f=$(find_file ipsets)
|
||||||
|
|
||||||
if [ -f $f ]; then
|
if [ -f $f ]; then
|
||||||
echo "Processing $f ..."
|
progress_message2 "Processing $f ..."
|
||||||
save_progress_message "Restoring IPSETS..."
|
save_progress_message "Restoring IPSETS..."
|
||||||
run_and_save_command "ipset -U :all: :all:"
|
run_and_save_command "ipset -U :all: :all:"
|
||||||
run_and_save_command "run_ipset -F"
|
run_and_save_command "run_ipset -F"
|
||||||
@ -7878,7 +7885,7 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
f=$(find_file routestopped)
|
f=$(find_file routestopped)
|
||||||
|
|
||||||
echo "Processing $f ..."
|
progress_message2 "Processing $f ..."
|
||||||
|
|
||||||
strip_file routestopped $f
|
strip_file routestopped $f
|
||||||
|
|
||||||
@ -7911,7 +7918,7 @@ initialize_netfilter () {
|
|||||||
createchain smurfs no
|
createchain smurfs no
|
||||||
|
|
||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
echo "Restoring dynamic rules..."
|
progress_message2 "Restoring dynamic rules..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring dynamic rules..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring dynamic rules..."
|
||||||
|
|
||||||
@ -7930,7 +7937,7 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
|
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
|
||||||
|
|
||||||
echo "Creating Interface Chains..."
|
progress_message2 "Creating Interface Chains..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Creating Interface Chains..."
|
[ $COMMAND = generate ] && save_progress_message "Creating Interface Chains..."
|
||||||
|
|
||||||
@ -8015,7 +8022,7 @@ add_common_rules() {
|
|||||||
|
|
||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
|
|
||||||
echo "Adding Anti-smurf Rules"
|
progress_message2 "Adding Anti-smurf Rules"
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Adding Anti-smurf Jumps..."
|
[ $COMMAND = generate ] && save_progress_message "Adding Anti-smurf Jumps..."
|
||||||
|
|
||||||
@ -8038,7 +8045,7 @@ add_common_rules() {
|
|||||||
|
|
||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$interfaces" ]; then
|
||||||
|
|
||||||
echo "Adding rules for DHCP"
|
progress_message2 "Adding rules for DHCP"
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring rules for DHCP..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring rules for DHCP..."
|
||||||
|
|
||||||
@ -8058,7 +8065,7 @@ add_common_rules() {
|
|||||||
hosts="$(find_hosts_by_option norfc1918)"
|
hosts="$(find_hosts_by_option norfc1918)"
|
||||||
|
|
||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Enabling RFC1918 Filtering"
|
progress_message2 "Enabling RFC1918 Filtering"
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring RFC1918 Filtering..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring RFC1918 Filtering..."
|
||||||
|
|
||||||
@ -8151,7 +8158,7 @@ add_common_rules() {
|
|||||||
hosts=$(find_hosts_by_option tcpflags)
|
hosts=$(find_hosts_by_option tcpflags)
|
||||||
|
|
||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Setting up TCP Flags checking..."
|
progress_message2 "Setting up TCP Flags checking..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring TCP Flags checking..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring TCP Flags checking..."
|
||||||
|
|
||||||
@ -8219,7 +8226,7 @@ add_common_rules() {
|
|||||||
interfaces1=$(find_interfaces_by_option1 arp_ignore)
|
interfaces1=$(find_interfaces_by_option1 arp_ignore)
|
||||||
|
|
||||||
if [ -n "${interfaces}${interfaces1}" ]; then
|
if [ -n "${interfaces}${interfaces1}" ]; then
|
||||||
echo "Setting up ARP Filtering..."
|
progress_message2 "Setting up ARP Filtering..."
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
|
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
|
||||||
@ -8248,7 +8255,7 @@ add_common_rules() {
|
|||||||
interfaces="$(find_interfaces_by_option routefilter)"
|
interfaces="$(find_interfaces_by_option routefilter)"
|
||||||
|
|
||||||
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
|
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
|
||||||
echo "Setting up Kernel Route Filtering..."
|
progress_message2 "Setting up Kernel Route Filtering..."
|
||||||
|
|
||||||
save_progress_message "Restoring Route Filtering..."
|
save_progress_message "Restoring Route Filtering..."
|
||||||
|
|
||||||
@ -8282,7 +8289,7 @@ add_common_rules() {
|
|||||||
interfaces="$(find_interfaces_by_option logmartians)"
|
interfaces="$(find_interfaces_by_option logmartians)"
|
||||||
|
|
||||||
if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
|
if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
|
||||||
echo "Setting up Martian Logging..."
|
progress_message2 "Setting up Martian Logging..."
|
||||||
|
|
||||||
save_progress_message "Restoring Martian Logging..."
|
save_progress_message "Restoring Martian Logging..."
|
||||||
|
|
||||||
@ -8319,7 +8326,7 @@ add_common_rules() {
|
|||||||
interfaces=$(find_interfaces_by_option sourceroute)
|
interfaces=$(find_interfaces_by_option sourceroute)
|
||||||
|
|
||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$interfaces" ]; then
|
||||||
echo "Setting up Accept Source Routing..."
|
progress_message2 "Setting up Accept Source Routing..."
|
||||||
|
|
||||||
save_progress_message "Restoring Source Routing..."
|
save_progress_message "Restoring Source Routing..."
|
||||||
|
|
||||||
@ -8340,7 +8347,7 @@ add_common_rules() {
|
|||||||
interfaces=$(find_interfaces_by_option upnp)
|
interfaces=$(find_interfaces_by_option upnp)
|
||||||
|
|
||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$interfaces" ]; then
|
||||||
echo "Setting up UPnP..."
|
progress_message2 "Setting up UPnP..."
|
||||||
|
|
||||||
[ $COMMAND = generate ] && save_progress_message "Restoring UPnP..."
|
[ $COMMAND = generate ] && save_progress_message "Restoring UPnP..."
|
||||||
|
|
||||||
@ -8739,52 +8746,52 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
save_load_kernel_modules
|
save_load_kernel_modules
|
||||||
|
|
||||||
echo "Initializing..."; initialize_netfilter
|
progress_message2 "Initializing..."; initialize_netfilter
|
||||||
|
|
||||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
progress_message2 "Configuring Proxy ARP"; setup_proxy_arp
|
||||||
#
|
#
|
||||||
# [re]-Establish routing
|
# [re]-Establish routing
|
||||||
#
|
#
|
||||||
setup_providers $(find_file providers)
|
setup_providers $(find_file providers)
|
||||||
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
|
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
|
||||||
|
|
||||||
|
|
||||||
echo "Setting up NAT..."; setup_nat
|
progress_message2 "Setting up NAT..."; setup_nat
|
||||||
echo "Setting up NETMAP..."; setup_netmap
|
progress_message2 "Setting up NETMAP..."; setup_netmap
|
||||||
echo "Adding Common Rules"; add_common_rules
|
progress_message2 "Adding Common Rules"; add_common_rules
|
||||||
|
|
||||||
setup_syn_flood_chains
|
setup_syn_flood_chains
|
||||||
|
|
||||||
setup_ipsec
|
setup_ipsec
|
||||||
|
|
||||||
maclist_hosts=$(find_hosts_by_option maclist)
|
maclist_hosts=$(find_hosts_by_option maclist)
|
||||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||||
|
|
||||||
echo "Processing $(find_file rules)..."; process_rules
|
progress_message2 "Processing $(find_file rules)..."; process_rules
|
||||||
|
|
||||||
tunnels=$(find_file tunnels)
|
tunnels=$(find_file tunnels)
|
||||||
[ -f $tunnels ] && \
|
[ -f $tunnels ] && \
|
||||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
progress_message2 "Processing $tunnels..." && setup_tunnels $tunnels
|
||||||
|
|
||||||
echo "Processing Actions..."; process_actions2
|
progress_message2 "Processing Actions..."; process_actions2
|
||||||
process_actions3
|
process_actions3
|
||||||
echo "Processing $(find_file policy)..."; apply_policy_rules
|
progress_message2 "Processing $(find_file policy)..."; apply_policy_rules
|
||||||
|
|
||||||
masq=$(find_file masq)
|
masq=$(find_file masq)
|
||||||
[ -f $masq ] && setup_masq $masq
|
[ -f $masq ] && setup_masq $masq
|
||||||
|
|
||||||
tos=$(find_file tos)
|
tos=$(find_file tos)
|
||||||
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
||||||
|
|
||||||
ecn=$(find_file ecn)
|
ecn=$(find_file ecn)
|
||||||
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
||||||
|
|
||||||
[ -n "$MANGLE_ENABLED" ] && setup_tc
|
[ -n "$MANGLE_ENABLED" ] && setup_tc
|
||||||
|
|
||||||
echo "Activating Rules..."; activate_rules
|
progress_message2 "Activating Rules..."; activate_rules
|
||||||
|
|
||||||
if [ -n "$ALIASES_TO_ADD" ]; then
|
if [ -n "$ALIASES_TO_ADD" ]; then
|
||||||
echo "Adding IP Addresses..."
|
progress_message2 "Adding IP Addresses..."
|
||||||
add_ip_aliases
|
add_ip_aliases
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -8959,20 +8966,20 @@ compile_firewall() # $1 = File Name
|
|||||||
|
|
||||||
save_load_kernel_modules
|
save_load_kernel_modules
|
||||||
|
|
||||||
echo "Initializing..."
|
progress_message2 "Initializing..."
|
||||||
save_progress_message "Initializing..."
|
save_progress_message "Initializing..."
|
||||||
initialize_netfilter
|
initialize_netfilter
|
||||||
|
|
||||||
echo "Compiling Proxy ARP"; setup_proxy_arp
|
progress_message2 "Compiling Proxy ARP"; setup_proxy_arp
|
||||||
#
|
#
|
||||||
# [re]-Establish routing
|
# [re]-Establish routing
|
||||||
#
|
#
|
||||||
setup_providers $(find_file providers)
|
setup_providers $(find_file providers)
|
||||||
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
|
[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
|
||||||
|
|
||||||
echo "Compiling NAT..."; setup_nat
|
progress_message2 "Compiling NAT..."; setup_nat
|
||||||
echo "Compiling NETMAP..."; setup_netmap
|
progress_message2 "Compiling NETMAP..."; setup_netmap
|
||||||
echo "Compiling Common Rules"; add_common_rules
|
progress_message2 "Compiling Common Rules"; add_common_rules
|
||||||
|
|
||||||
save_progress_message "Restoring SYN Flood Protection..."
|
save_progress_message "Restoring SYN Flood Protection..."
|
||||||
|
|
||||||
@ -8989,25 +8996,25 @@ compile_firewall() # $1 = File Name
|
|||||||
setup_mac_lists
|
setup_mac_lists
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Compiling $(find_file rules)..."
|
progress_message2 "Compiling $(find_file rules)..."
|
||||||
save_progress_message "Restoring Rules..."
|
save_progress_message "Restoring Rules..."
|
||||||
process_rules
|
process_rules
|
||||||
|
|
||||||
tunnels=$(find_file tunnels)
|
tunnels=$(find_file tunnels)
|
||||||
if [ -f $tunnels ]; then
|
if [ -f $tunnels ]; then
|
||||||
echo "Compiling $tunnels..."
|
progress_message2 "Compiling $tunnels..."
|
||||||
save_progress_message "Restoring Tunnels..."
|
save_progress_message "Restoring Tunnels..."
|
||||||
setup_tunnels $tunnels
|
setup_tunnels $tunnels
|
||||||
fi
|
fi
|
||||||
|
|
||||||
save_progress_message "Restoring Actions..."
|
save_progress_message "Restoring Actions..."
|
||||||
|
|
||||||
echo "Compiling Actions..."; process_actions2
|
progress_message2 "Compiling Actions..."; process_actions2
|
||||||
process_actions3
|
process_actions3
|
||||||
|
|
||||||
save_progress_message "Applying Policies..."
|
save_progress_message "Applying Policies..."
|
||||||
|
|
||||||
echo "Compiling $(find_file policy)..."; apply_policy_rules
|
progress_message2 "Compiling $(find_file policy)..."; apply_policy_rules
|
||||||
|
|
||||||
masq=$(find_file masq)
|
masq=$(find_file masq)
|
||||||
if [ -f $masq ]; then
|
if [ -f $masq ]; then
|
||||||
@ -9031,12 +9038,12 @@ compile_firewall() # $1 = File Name
|
|||||||
setup_tc
|
setup_tc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Compiling Rule Activation..."
|
progress_message2 "Compiling Rule Activation..."
|
||||||
save_progress_message "Activating Rules..."
|
save_progress_message "Activating Rules..."
|
||||||
activate_rules
|
activate_rules
|
||||||
|
|
||||||
[ -n "$ALIASES_TO_ADD" ] && \
|
[ -n "$ALIASES_TO_ADD" ] && \
|
||||||
echo "Adding IP Addresses..." && add_ip_aliases
|
progress_message2 "Adding IP Addresses..." && add_ip_aliases
|
||||||
|
|
||||||
for file in chains nat proxyarp zones; do
|
for file in chains nat proxyarp zones; do
|
||||||
append_file $file
|
append_file $file
|
||||||
@ -9046,7 +9053,7 @@ compile_firewall() # $1 = File Name
|
|||||||
|
|
||||||
run_user_exit start
|
run_user_exit start
|
||||||
|
|
||||||
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
||||||
|
|
||||||
createchain shorewall no
|
createchain shorewall no
|
||||||
|
|
||||||
@ -9090,7 +9097,7 @@ refresh_firewall()
|
|||||||
|
|
||||||
echo "Refreshing Shorewall..."
|
echo "Refreshing Shorewall..."
|
||||||
|
|
||||||
echo "Determining Zones and Interfaces..."
|
progress_message2 "Determining Zones and Interfaces..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
|
|
||||||
@ -9256,7 +9263,7 @@ do_initialize() {
|
|||||||
FUNCTIONS=$SHARED_DIR/functions
|
FUNCTIONS=$SHARED_DIR/functions
|
||||||
|
|
||||||
if [ -f $FUNCTIONS ]; then
|
if [ -f $FUNCTIONS ]; then
|
||||||
[ -n "$QUIET" ] || echo "Loading $FUNCTIONS..."
|
[ $QUIET -lt 1 ] && echo "Loading $FUNCTIONS..."
|
||||||
. $FUNCTIONS
|
. $FUNCTIONS
|
||||||
else
|
else
|
||||||
startup_error "$FUNCTIONS does not exist!"
|
startup_error "$FUNCTIONS does not exist!"
|
||||||
@ -9281,7 +9288,7 @@ do_initialize() {
|
|||||||
|
|
||||||
if [ -f $config ]; then
|
if [ -f $config ]; then
|
||||||
if [ -r $config ]; then
|
if [ -r $config ]; then
|
||||||
[ -n "$QUIET" ] || echo "Processing $config..."
|
progress_message "Processing $config..."
|
||||||
. $config
|
. $config
|
||||||
else
|
else
|
||||||
startup_error "Cannot read $config (Hint: Are you root?)"
|
startup_error "Cannot read $config (Hint: Are you root?)"
|
||||||
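Review bot: In the define_firewall hunk (@ -8739) the new line `progress_message2 "Processing $tunnels..." && setup_tunnels $tunnels`, and in compile_firewall (@ -9031) `progress_message2 "Adding IP Addresses..." && add_ip_aliases`, silently skip setup_tunnels and add_ip_aliases whenever the firewall is started with -qq. progress_message2 is defined as `[ $QUIET -lt 2 ] && echo "$@"`, so with QUIET at 2 or more the test fails, the function returns 1, and the `&&` chain stops before the real work runs; the old `echo` always returned 0, which is why the pattern used to be safe. Replace those two chains with `[ -f $tunnels ] && { progress_message2 "Processing $tunnels..."; setup_tunnels $tunnels; }` and `[ -n "$ALIASES_TO_ADD" ] && { progress_message2 "Adding IP Addresses..."; add_ip_aliases; }`, and consider making progress_message/progress_message2 end with `return 0` so no other caller can trip on this. The same hunk set also swaps `[ -n "$QUIET" ]` for numeric tests, so if any caller can still hand the script an empty QUIET, `[ $QUIET -lt 1 ]` in do_initialize (@ -9256) would fail with a unary-operator error before $FUNCTIONS is even sourced; `[ ${QUIET:-0} -lt 1 ]` would be safer if that cannot be ruled out from where QUIET is set, which is outside these hunks.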
|
@ -59,7 +59,12 @@ list_count() {
|
|||||||
#
|
#
|
||||||
progress_message() # $* = Message
|
progress_message() # $* = Message
|
||||||
{
|
{
|
||||||
[ -n "$QUIET" ] || echo "$@"
|
[ $QUIET -lt 1 ] && echo "$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
progress_message2() # $* = Message
|
||||||
|
{
|
||||||
|
[ $QUIET -lt 2 ] && echo "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -949,25 +954,28 @@ report_capability() # $1 = Capability Description , $2 Capability Setting (if an
|
|||||||
}
|
}
|
||||||
|
|
||||||
report_capabilities() {
|
report_capabilities() {
|
||||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
if [ $QUIET -lt 2 ]; then
|
||||||
report_capability "NAT" $NAT_ENABLED
|
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
report_capability "NAT" $NAT_ENABLED
|
||||||
report_capability "Multi-port Match" $MULTIPORT
|
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
report_capability "Multi-port Match" $MULTIPORT
|
||||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||||
report_capability "Packet Type Match" $USEPKTTYPE
|
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||||
|
report_capability "Packet Type Match" $USEPKTTYPE
|
||||||
|
report_capability "Policy Match" $POLICY_MATCH
|
||||||
|
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||||
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
|
report_capability "CONNMARK Target" $CONNMARK
|
||||||
|
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||||
|
report_capability "Raw Table" $RAW_TABLE
|
||||||
|
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||||
|
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
report_capability "Policy Match" $POLICY_MATCH
|
|
||||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
|
||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
|
||||||
report_capability "Recent Match" $RECENT_MATCH
|
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
|
||||||
report_capability "Ipset Match" $IPSET_MATCH
|
|
||||||
report_capability "CONNMARK Target" $CONNMARK
|
|
||||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
|
||||||
report_capability "Raw Table" $RAW_TABLE
|
|
||||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
|
||||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -120,3 +120,13 @@ New Features:
|
|||||||
The time difference from B to C reflects the difference between
|
The time difference from B to C reflects the difference between
|
||||||
"iptables-restore" and multiple executions of "iptables". The system is a
|
"iptables-restore" and multiple executions of "iptables". The system is a
|
||||||
1.4Ghz Celeron with 512MB RAM.
|
1.4Ghz Celeron with 512MB RAM.
|
||||||
|
|
||||||
|
2) You may now repeat the -q option to cause Shorewall to be extra quiet.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
gateway:~ # shorewall -qq reload
|
||||||
|
Shorewall configuration compiled to /var/lib/shorewall/.reload
|
||||||
|
Restoring Shorewall...
|
||||||
|
Shorewall restored from /var/lib/shorewall/.reload
|
||||||
|
gateway:~ #
|
||||||
|
@ -582,6 +582,23 @@ heading() {
|
|||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create the appropriate -q option to pass oneward
|
||||||
|
#
|
||||||
|
make_quiet() {
|
||||||
|
local q=$QUIET
|
||||||
|
|
||||||
|
if [ $QUIET -gt 0 ]; then
|
||||||
|
local option=-
|
||||||
|
|
||||||
|
while [ $q -gt 0 ]; do
|
||||||
|
option="${option}q"
|
||||||
|
q=$(($q - 1))
|
||||||
|
done
|
||||||
|
|
||||||
|
echo $option
|
||||||
|
fi
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Execution begins here
|
# Execution begins here
|
||||||
#
|
#
|
||||||
@ -600,7 +617,7 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
SHOREWALL_DIR=
|
SHOREWALL_DIR=
|
||||||
QUIET=
|
export QUIET=0
|
||||||
IPT_OPTIONS="-nv"
|
IPT_OPTIONS="-nv"
|
||||||
FAST=
|
FAST=
|
||||||
VERBOSE=
|
VERBOSE=
|
||||||
@ -640,7 +657,7 @@ while [ $done -eq 0 ]; do
|
|||||||
option=${option#x}
|
option=${option#x}
|
||||||
;;
|
;;
|
||||||
q*)
|
q*)
|
||||||
QUIET=Yes
|
QUIET=$(($QUIET + 1 ))
|
||||||
option=${option#q}
|
option=${option#q}
|
||||||
;;
|
;;
|
||||||
f*)
|
f*)
|
||||||
@ -673,8 +690,6 @@ if [ $# -eq 0 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||||
[ -n "$QUIET" ] && export QUIET
|
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
MUTEX_TIMEOUT=
|
MUTEX_TIMEOUT=
|
||||||
|
|
||||||
@ -903,8 +918,7 @@ case "$1" in
|
|||||||
export NOROUTES
|
export NOROUTES
|
||||||
|
|
||||||
if $SHOREWALL_SHELL $FIREWALL $debugging $nolock compile .reload; then
|
if $SHOREWALL_SHELL $FIREWALL $debugging $nolock compile .reload; then
|
||||||
[ -n "$QUIET" ] && QUIET=-q
|
$0 $(make_quiet) restore .reload
|
||||||
$0 $QUIET restore .reload
|
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
show|list)
|
show|list)
|
||||||
@ -1162,7 +1176,7 @@ case "$1" in
|
|||||||
try)
|
try)
|
||||||
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
|
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
|
||||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||||
[ -n "$QUIET" ] && QUIET=-q
|
[ -n "$QUIET" ] && QUIET=$(make_quiet)
|
||||||
[ -n "$NOROUTES" ] && NOROUTES=-n
|
[ -n "$NOROUTES" ] && NOROUTES=-n
|
||||||
if ! $0 $debugging $QUIET -c $2 restart; then
|
if ! $0 $debugging $QUIET -c $2 restart; then
|
||||||
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||||
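Review bot: `[ -n "$QUIET" ] && QUIET=$(make_quiet)` overwrites the exported numeric QUIET (initialized to 0 in this commit) with the option string, so every child started afterwards inherits QUIET as `-q`, `-qq` or empty instead of a count; the re-exec'd `$0` resets it during its own initialization, but the compiler's do_initialize and progress_message compare QUIET with `-lt`, and any child that relies on the inherited value would presumably fail that test. The `-n` guard is also now always true, because QUIET is never empty after initialization, and make_quiet already prints nothing for 0. Keeping the count intact and holding the flags in a separate variable avoids both issues: `quiet_opt=$(make_quiet)` and `if ! $0 $debugging $quiet_opt -c $2 restart; then`. The same assignment appears in the following hunk, and the try case continues outside this hunk.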
@ -1379,7 +1393,7 @@ case "$1" in
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$QUIET" ] && QUIET=-q
|
[ -n "$QUIET" ] && QUIET=$(make_quiet)
|
||||||
|
|
||||||
mutex_on
|
mutex_on
|
||||||
|
|
||||||
|