Add 'shorewall show config' command to display distribution-specific defaults

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4130 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-17 15:58:48 +00:00
parent 3cd962fc61
commit fb89790044
8 changed files with 255 additions and 185 deletions


@ -205,7 +205,7 @@ save)
;;
show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones]
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
@ -229,6 +229,8 @@ show)
shorewall show capabilities - displays your kernel/iptables capabilities
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;


@ -683,81 +683,86 @@ show_command() {
[ -n "$debugging" ] && set -x
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)"
connections)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
done
done < ${VARDIR}/zones
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
config)
. ${SHAREDIR}/configpath
echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "LITEDIR is $LITEDIR"
;;
*)
echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done
done < ${VARDIR}/zones
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
*)
echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac
}
#
@ -977,7 +982,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|mangle|nat|tc|zones]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop"
echo " status"
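Review bot: The new `config)` arm of show_command in the shorewall-lite script omits the `[ $# -gt 1 ] && usage 1` argument check that every other arm of the case performs, so `show config extra` is silently accepted rather than rejected; the same omission appears in the `config)` arm added to the shorewall script's show_command further down the page. Adding `[ $# -gt 1 ] && usage 1` as the first line of each arm keeps them consistent with their siblings. Since `.` evaluates ${SHAREDIR}/configpath as shell code, an explicit guard such as `[ -f ${SHAREDIR}/configpath ] || { echo "   ERROR: ${SHAREDIR}/configpath does not exist" >&2; exit 1; }` before sourcing, mirroring the `zones)` arm's handling of a missing file, would give a clear diagnostic instead of whatever the shell does on a missing dot-file. show_command's opening line lies outside the hunk; its closing brace is inside it.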


@ -308,7 +308,7 @@ save)
;;
show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones]
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
@ -336,6 +336,8 @@ show)
shorewall show capabilities - displays your kernel/iptables capabilities
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;


@ -889,105 +889,110 @@ show_command() {
[ -n "$debugging" ] && set -x
case "$1" in
connections)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
connections)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
done
done < ${VARDIR}/zones
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
actions)
[ $# -gt 1 ] && usage 1
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
;;
macros)
[ $# -gt 1 ] && usage 1
for macro in ${SHAREDIR}/macro.*; do
foo=`grep 'This macro' $macro | head -n 1`
if [ -n "$foo" ]; then
macro=${macro#*.}
foo=${foo%.*}
echo " $macro ${foo#\#}" | sed 's/This macro //'
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 1 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
zones)
[ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone type hosts; do
echo "$zone ($type)"
for host in $hosts; do
echo " $host"
done
done < ${VARDIR}/zones
echo
else
echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1
fi
done
;;
*)
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
;;
capabilities)
[ $# -gt 1 ] && usage 1
determine_capabilities
VERBOSE=2
report_capabilities
;;
actions)
[ $# -gt 1 ] && usage 1
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
;;
macros)
[ $# -gt 1 ] && usage 1
for macro in ${SHAREDIR}/macro.*; do
foo=`grep 'This macro' $macro | head -n 1`
if [ -n "$foo" ]; then
macro=${macro#*.}
foo=${foo%.*}
echo " $macro ${foo#\#}" | sed 's/This macro //'
fi
done
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
;;
config)
. ${SHAREDIR}/configpath
echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "LITEDIR is $LITEDIR"
;;
*)
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$IPTABLES -L $chain $IPT_OPTIONS
done
else
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac
}
#
@ -1347,7 +1352,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]"
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
echo " start [ -f ] [ -n ] [ <directory> ]"
echo " stop"
echo " status"


@ -339,7 +339,8 @@ MODULESDIR=
# to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
# the default is distribution-defined. See the output of "shorewall show
# config" to find the default value on your distribution.
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall


@ -247,9 +247,16 @@
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. You can look in your
/usr/share/shorewall/configpath file to see what your
distribution defines for the value of LITEDIR.</para>
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem>
</orderedlist>
@ -398,6 +405,23 @@
<programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall compile -e . firewall</command>
<command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem>
<listitem>
@ -433,10 +457,13 @@
<programlisting>teastep@wookie:~$ <command>cd Configs/gateway</command>
teastep@wookie:~/Configs/gateway$ <command>/sbin/shorewall reload gateway</command>
Compiling...
Shorewall configuration compiled to firewall
firewall 100% 29KB 29.3KB/s 00:00
Shorewall configuration compiled to ./firewall
Copying ./firewall to gateway:/var/lib/shorewall-lite...
firewall 100% 67KB 66.7KB/s 00:00
Copy complete
Restarting Shorewall Lite....
done.
System gateway reloaded
teastep@wookie:~/Configs/gateway$</programlisting>
</blockquote>


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2006-06-12</pubdate>
<pubdate>2006-06-17</pubdate>
<copyright>
<year>2001-2006</year>
@ -3058,8 +3058,9 @@ $FW chld ACCEPT</programlisting>
<filename>/usr/share/shorewall/configpath</filename> are used. As
released from shorewall.net, that file sets the CONFIG_PATH to
<emphasis role="bold">/etc/shorewall:/usr/share/shorewall
</emphasis>but your particular distribution may set it
differently.</para>
</emphasis>but your particular distribution may set it differently.
See the output of <command>shorewall show config</command> for the
default on your system.</para>
<para>Note that the setting in
<filename>/usr/share/shorewall/configpath</filename> is always used


@ -166,6 +166,23 @@
firewall program. The program is generated using the
<command>shorewall compile -e</command> command on a system with the
full Shorewall product installed.</para>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script will
be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem>
<listitem>
@ -982,9 +999,16 @@
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. You can look in your
/usr/share/shorewall/configpath file to see what your distribution
defines for the value of LITEDIR.</para>
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
<para>Example: <command>shorewall reload gateway</command></para>
@ -1128,6 +1152,9 @@
displays information about the traffic control/shaping
classifiers.</para>
<para><command>shorewall[-lite] show config</command> - displays the
default CONFIG_PATH and LITEDIR for your distribution.</para>
<para><command>shorewall [ -x ] show macros (Not supported by
Shorewall Lite)</command> — produces a list of macros available on
the system.</para>