Add 'shorewall show config' command to display distribution-specific defaults

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4130 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-17 15:58:48 +00:00
parent 3cd962fc61
commit fb89790044
8 changed files with 255 additions and 185 deletions


@ -205,7 +205,7 @@ save)
;; ;;
show) show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones] echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s). shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v) (iptables -L chain -n -v)
@ -229,6 +229,8 @@ show)
shorewall show capabilities - displays your kernel/iptables capabilities shorewall show capabilities - displays your kernel/iptables capabilities
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;
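Review bot: The edited option list in the `show` help string still omits `capabilities`, although the usage() text changed in this same commit lists it (`show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|...`) and a `shorewall show capabilities` description sits a few lines further down in the same help text. The list should read `show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]`. The help hunk for the full shorewall script later in this commit has the same gap. If this first file is the Shorewall Lite help (the usage() text in the shorewall-lite script lists neither `actions` nor `macros`, and the documentation hunk marks `show macros` as not supported by Shorewall Lite), the `actions` and `macros` entries on this line appear to be out of place as well, which is worth confirming.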


@ -683,81 +683,86 @@ show_command() {
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
case "$1" in case "$1" in
connections) connections)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)" echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)"
echo echo
while read zone type hosts; do cat /proc/net/ip_conntrack
echo "$zone ($type)" ;;
for host in $hosts; do nat)
echo " $host" [ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
done
done < ${VARDIR}/zones
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
config)
. ${SHAREDIR}/configpath
echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "LITEDIR is $LITEDIR"
;;
*)
echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done done
done < ${VARDIR}/zones else
echo $IPTABLES -L $IPT_OPTIONS
else fi
echo " ERROR: ${VARDIR}/zones does not exist" >&2 ;;
exit 1
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
*)
echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac esac
} }
# #
@ -977,7 +982,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]" echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|mangle|nat|tc|zones]" echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]" echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
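Review bot: The new `config)` arm in show_command omits the `[ $# -gt 1 ] && usage 1` argument check that every other arm (connections, nat, zones, capabilities) performs, so extra words after `show config` are silently ignored rather than rejected, and it sources `${SHAREDIR}/configpath` without checking that the file exists, which under a non-interactive shell turns a missing file into an interpreter error instead of a Shorewall diagnostic. Suggested arm body: `[ $# -gt 1 ] && usage 1`, then `[ -f ${SHAREDIR}/configpath ] || { echo "   ERROR: ${SHAREDIR}/configpath does not exist" >&2; exit 1; }`, then the existing `. ${SHAREDIR}/configpath`. Since the dot command executes whatever shell code that file contains, its ownership and permissions need to be as trusted as the script itself, which is worth stating in a comment above the line. The identical `config)` arm with the same omissions is added to show_command in the shorewall script hunk later in this commit. show_command's opening line lies outside the hunk.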


@ -308,7 +308,7 @@ save)
;; ;;
show) show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones] echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s). shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v) (iptables -L chain -n -v)
@ -336,6 +336,8 @@ show)
shorewall show capabilities - displays your kernel/iptables capabilities shorewall show capabilities - displays your kernel/iptables capabilities
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;


@ -889,105 +889,110 @@ show_command() {
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
case "$1" in case "$1" in
connections) connections)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - $(date)" echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo echo
while read zone type hosts; do cat /proc/net/ip_conntrack
echo "$zone ($type)" ;;
for host in $hosts; do nat)
echo " $host" [ $# -gt 1 ] && usage 1
done echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
done < ${VARDIR}/zones
echo echo
else show_reset
echo " ERROR: ${VARDIR}/zones does not exist" >&2 $IPTABLES -t nat -L $IPT_OPTIONS
exit 1 ;;
fi tos|mangle)
;; [ $# -gt 1 ] && usage 1
capabilities) echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
[ $# -gt 1 ] && usage 1 echo
determine_capabilities show_reset
VERBOSE=2 $IPTABLES -t mangle -L $IPT_OPTIONS
report_capabilities ;;
;; log)
actions) [ $# -gt 1 ] && usage 1
[ $# -gt 1 ] && usage 1 echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo "allowBcast # Silently Allow Broadcast/multicast" echo
echo "dropBcast # Silently Drop Broadcast/multicast" show_reset
echo "dropNotSyn # Silently Drop Non-syn TCP packets" host=$(echo $HOSTNAME | sed 's/\..*$//')
echo "rejNotSyn # Silently Reject Non-syn TCP packets" packet_log 20
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" ;;
echo "allowInvalid # Accept packets that are in the INVALID conntrack state." tc)
echo "allowoutUPnP # Allow traffic from local command 'upnpd'" [ $# -gt 1 ] && usage 1
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo "forwardUPnP # Allow traffic that upnpd has redirected from" echo
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' show_tc
;; ;;
macros) classifiers)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
for macro in ${SHAREDIR}/macro.*; do echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
foo=`grep 'This macro' $macro | head -n 1` echo
if [ -n "$foo" ]; then show_classifiers
macro=${macro#*.} ;;
foo=${foo%.*} zones)
echo " $macro ${foo#\#}" | sed 's/This macro //' [ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
done
done < ${VARDIR}/zones
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi fi
done ;;
;; capabilities)
*) [ $# -gt 1 ] && usage 1
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" determine_capabilities
echo VERBOSE=2
show_reset report_capabilities
if [ $# -gt 0 ]; then ;;
for chain in $*; do actions)
$IPTABLES -L $chain $IPT_OPTIONS [ $# -gt 1 ] && usage 1
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
;;
macros)
[ $# -gt 1 ] && usage 1
for macro in ${SHAREDIR}/macro.*; do
foo=`grep 'This macro' $macro | head -n 1`
if [ -n "$foo" ]; then
macro=${macro#*.}
foo=${foo%.*}
echo " $macro ${foo#\#}" | sed 's/This macro //'
fi
done done
else ;;
$IPTABLES -L $IPT_OPTIONS config)
fi . ${SHAREDIR}/configpath
;; echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "LITEDIR is $LITEDIR"
;;
*)
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac esac
} }
# #
@ -1347,7 +1352,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]" echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]" echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]" echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"


@ -339,7 +339,8 @@ MODULESDIR=
# to the front of this list. # to the front of this list.
# #
# If not specified or specified as null ("CONFIG_PATH=""), # If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. # the default is distribution-defined. See the output of "shorewall show
# config" to find the default value on your distribution.
# #
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall:/usr/share/shorewall


@ -247,9 +247,16 @@
class="directory">/var/lib/shorewall-lite</filename> in packages class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script distributions are free to choose the directory where the script
will be stored under their distribution. You can look in your will be stored under their distribution. See the output of
/usr/share/shorewall/configpath file to see what your <command>shorewall[-lite] show config</command> for the value of
distribution defines for the value of LITEDIR.</para> LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note> </note>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -398,6 +405,23 @@
<programlisting><command>cd &lt;configuration directory&gt;</command> <programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall compile -e . firewall</command> <command>/sbin/shorewall compile -e . firewall</command>
<command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting> <command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem> </listitem>
<listitem> <listitem>
@ -433,10 +457,13 @@
<programlisting>teastep@wookie:~$ <command>cd Configs/gateway</command> <programlisting>teastep@wookie:~$ <command>cd Configs/gateway</command>
teastep@wookie:~/Configs/gateway$ <command>/sbin/shorewall reload gateway</command> teastep@wookie:~/Configs/gateway$ <command>/sbin/shorewall reload gateway</command>
Compiling... Compiling...
Shorewall configuration compiled to firewall Shorewall configuration compiled to ./firewall
firewall 100% 29KB 29.3KB/s 00:00 Copying ./firewall to gateway:/var/lib/shorewall-lite...
firewall 100% 67KB 66.7KB/s 00:00
Copy complete
Restarting Shorewall Lite.... Restarting Shorewall Lite....
done. done.
System gateway reloaded
teastep@wookie:~/Configs/gateway$</programlisting> teastep@wookie:~/Configs/gateway$</programlisting>
</blockquote> </blockquote>


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2006-06-12</pubdate> <pubdate>2006-06-17</pubdate>
<copyright> <copyright>
<year>2001-2006</year> <year>2001-2006</year>
@ -3058,8 +3058,9 @@ $FW chld ACCEPT</programlisting>
<filename>/usr/share/shorewall/configpath</filename> are used. As <filename>/usr/share/shorewall/configpath</filename> are used. As
released from shorewall.net, that file sets the CONFIG_PATH to released from shorewall.net, that file sets the CONFIG_PATH to
<emphasis role="bold">/etc/shorewall:/usr/share/shorewall <emphasis role="bold">/etc/shorewall:/usr/share/shorewall
</emphasis>but your particular distribution may set it </emphasis>but your particular distribution may set it differently.
differently.</para> See the output of <command>shorewall show config</command> for the
default on your system.</para>
<para>Note that the setting in <para>Note that the setting in
<filename>/usr/share/shorewall/configpath</filename> is always used <filename>/usr/share/shorewall/configpath</filename> is always used
@ -4085,4 +4086,4 @@ eth1 -</programlisting>
<para>This file is described in the <ulink url="Accounting.html">Traffic <para>This file is described in the <ulink url="Accounting.html">Traffic
Accounting Documentation</ulink>.</para> Accounting Documentation</ulink>.</para>
</section> </section>
</article> </article>


@ -166,6 +166,23 @@
firewall program. The program is generated using the firewall program. The program is generated using the
<command>shorewall compile -e</command> command on a system with the <command>shorewall compile -e</command> command on a system with the
full Shorewall product installed.</para> full Shorewall product installed.</para>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script will
be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem> </listitem>
<listitem> <listitem>
@ -982,9 +999,16 @@
class="directory">/var/lib/shorewall-lite</filename> in packages class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script distributions are free to choose the directory where the script
will be stored under their distribution. You can look in your will be stored under their distribution. See the output of
/usr/share/shorewall/configpath file to see what your distribution <command>shorewall[-lite] show config</command> for the value of
defines for the value of LITEDIR.</para> LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note> </note>
<para>Example: <command>shorewall reload gateway</command></para> <para>Example: <command>shorewall reload gateway</command></para>
@ -1128,6 +1152,9 @@
displays information about the traffic control/shaping displays information about the traffic control/shaping
classifiers.</para> classifiers.</para>
<para><command>shorewall[-lite] show config</command> - displays the
default CONFIG_PATH and LITEDIR for your distribution.</para>
<para><command>shorewall [ -x ] show macros (Not supported by <para><command>shorewall [ -x ] show macros (Not supported by
Shorewall Lite)</command> — produces a list of macros available on Shorewall Lite)</command> — produces a list of macros available on
the system.</para> the system.</para>