From f5a019becc11afa26725193fba35dae531ab00c3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 15 Nov 2009 09:24:56 -0800 Subject: [PATCH] Implement 'show policies' command --- Shorewall/Perl/Shorewall/Compiler.pm | 4 ++++ Shorewall/Perl/Shorewall/Policy.pm | 17 ++++++++++++++++- Shorewall/changelog.txt | 2 ++ Shorewall/lib.cli | 6 ++++++ Shorewall/releasenotes.txt | 12 ++++++++++++ Shorewall/shorewall | 1 + Shorewall6/shorewall6 | 2 +- manpages/shorewall.xml | 21 +++++++++++++++++++++ manpages6/shorewall6.xml | 22 +++++++++++++++------- 9 files changed, 78 insertions(+), 9 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index f5c698191..90a3659e3 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -459,6 +459,10 @@ sub generate_script_3($) { dump_zone_contents; emit_unindented '__EOF__'; + emit 'cat > ${VARDIR}/policies << __EOF__'; + save_policies; + emit_unindented '__EOF__'; + pop_indent; emit "fi\n"; diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index cff29e165..411483273 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -32,7 +32,7 @@ use Shorewall::Actions; use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains ); +our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies ); our @EXPORT_OK = qw( ); our $VERSION = '4.4_1'; 
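Review bot: The new `emit 'cat > ${VARDIR}/policies << __EOF__';` opens an unquoted heredoc, so every line save_policies writes is subject to parameter and command substitution when the generated script runs at start/restart; the zone, policy and chain names it emits look like compiler-validated identifiers, so nothing should expand today, but `<< '__EOF__'` would make the block literal no matter what a future field contains. The zone dump immediately above closes with the same `__EOF__` delimiter and presumably uses the same opener, so either quote both or leave a comment saying why the unquoted form is relied on. A one-line comment such as `# Snapshot of the per-zone-pair policies; read back by 'show policies' in lib.cli` would tell a reader where this file is consumed. generate_script_3 starts and ends outside the hunk, so I cannot see which condition guards the enclosing `if ... fi`.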
@@ -273,6 +273,21 @@ sub process_a_policy() { } } +sub save_policies() { + for my $zone1 ( all_zones ) { + for my $zone2 ( all_zones ) { + my $chainref = $filter_table->{ rules_chain( $zone1, $zone2 ) }; + my $policyref = $filter_table->{ $chainref->{policychain} }; + + if ( $policyref->{referenced} ) { + emit_unindented "$zone1 \t=> $zone2 is " . $policyref->{policy} . ' using chain ' . $policyref->{name}; + } else { + emit_unindented "$zone1 \t=> $zone2 is " . $policyref->{policy}; + } + } + } +} + sub validate_policy() { our %validpolicies = ( diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 182fdcf86..c8f826954 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -14,6 +14,8 @@ Changes in Shorewall 4.4.4 7) Suppress duplicate COMMENT warnings. +8) Implement 'show policies' command. + Changes in Shorewall 4.4.3 1) Move Debian INITLOG initialization to /etc/default/shorewall diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index db21cae5a..4cae771c2 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -560,6 +560,12 @@ show_command() { vardir) echo $VARDIR; ;; + policies) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Policies at $HOSTNAME - $(date)" + echo + [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies; + ;; *) if [ "$PRODUCT" = Shorewall ]; then case $1 in diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e0dd69c0f..001607d6e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
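Review bot: save_policies dereferences `$chainref->{policychain}` and then `$policyref->{policy}` without checking that either hash lookup succeeded; if any (zone1, zone2) pair has no `$filter_table` entry under `rules_chain(...)`, or its policy chain is not in the table, the sub emits a line with an undefined policy (plus uninitialized-value warnings) instead of reporting the inconsistency. Whether every pair is guaranteed a chain by the time generate_script_3 calls this is not visible here, so either guard the lookups or add a comment stating that invariant. The two emit_unindented calls also duplicate the line prefix; building the line once and appending the chain suffix when `referenced` is set removes that. A short header comment, `# Emit one 'zone1 => zone2 is POLICY [using chain NAME]' line per zone pair; the caller redirects this into ${VARDIR}/policies for 'show policies'`, would document the contract.
```perl
for my $zone2 ( all_zones ) {
    my $chainref = $filter_table->{ rules_chain( $zone1, $zone2 ) };
    next unless $chainref;    # NOTE(review): confirm whether a pair can lack a rules chain; if not, make this a fatal error instead
    my $policyref = $filter_table->{ $chainref->{policychain} } or next;

    my $line = "$zone1 \t=> $zone2 is $policyref->{policy}";
    $line .= " using chain $policyref->{name}" if $policyref->{referenced};
    emit_unindented $line;
}
```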
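Review bot: In the new `policies)` case, when `${VARDIR}/policies` does not exist the command prints only the header and a blank line, so a user whose firewall has not yet been restarted with a script generated by this version (exactly the situation the release notes describe) gets no indication why nothing is listed; an explicit else branch makes the empty result self-explanatory. The file is also whatever the last start or restart left behind, so after a `stop` it still reflects the previous configuration — worth a comment above the `cat` or a remark in the header line. `${VARDIR}` is unquoted, but that matches the `echo $VARDIR` branch just above, so it is existing project style rather than something this hunk introduces.
```sh
policies)
    # … unchanged: argument-count check and header echo …
    if [ -f ${VARDIR}/policies ]; then
        cat ${VARDIR}/policies
    else
        echo "Policy information is not available until $PRODUCT has been restarted using a script generated by this version"
    fi
    ;;
```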
@@ -275,6 +275,18 @@ None. COMMENTs ignored -- require comment support in iptables/Netfilter +6) The shorewall and shorewall6 utilities now support a 'show + policies' command. Once Shorewall or Shorewall6 has been restarted + using a script generated by this version, the 'show policies' + command will list each pair of zones and give the applicable + policy. If the policy is enforced in a chain, the name of the chain + is given. + + Example: + + net => loc is DROP using chain net2loc + + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall b/Shorewall/shorewall index a93922c2b..5220dcf45 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1387,6 +1387,7 @@ usage() # $1 = exit status echo " show [ -m ] log" echo " show macros" echo " show [ -x ] mangle|nat|raw|routing" + echo " show policies" echo " show tc" echo " show vardir" echo " show zones" diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index b224aac4e..b720cb8f5 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -1289,7 +1289,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ -f ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]" echo " start [ -f ] [ -n ] [ ]" echo " stop [ -f ]" echo " status" diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 565c4b545..98bd2ee78 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml 
@@ -498,6 +498,18 @@ + + shorewall + + | + + -options + + + + + + shorewall @@ -1272,6 +1284,15 @@ + + policies + + + Added in Shorewall 4.4.4. Displays the applicable policy + between each pair of zones. + + + raw diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index c93293117..5d1aca093 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -401,6 +401,18 @@ choice="req"> + + shorewall6 + + | + + -options + + + + + + shorewall6 @@ -1081,15 +1093,11 @@ - nat + policies - Displays the Netfilter nat table using the command - ip6tables -t nat -L -n -v.The - -x option is passed directly - through to ip6tables and causes actual packet and byte counts - to be displayed. Without this option, those counts are - abbreviated. + Added in Shorewall 4.4.4. Displays the applicable policy + between each pair of zones.