# # Shorewall 4.5 -- /usr/share/shorewall/lib.cli-std. # # (c) 1999-2014 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # # This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 2 of the license or, at your # option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see <http://www.gnu.org/licenses/>. # # This library contains the command processing code common to /sbin/shorewall and /sbin/shorewall6. # #################################################################################################### # Set the configuration variables from the .conf file # # $1 = Yes: read the params file # $2 = Yes: check for STARTUP_ENABLED # $3 = Yes: Check for LOGFILE # get_config() { local prog ensure_config_path if [ "$1" = Yes ]; then if [ "$(id -u)" -eq 0 ]; then params=$(find_file params) else params="$g_shorewalldir/params" fi if [ -f $params ]; then . $params fi fi if [ "$(id -u)" -eq 0 ]; then config=$(find_file $g_program.conf) else [ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration" config="$g_shorewalldir/$g_program.conf" fi if [ -f $config ]; then if [ -r $config ]; then . $config else fatal_error "Cannot read $config! (Hint: Are you root?)" fi else fatal_error "$config does not exist!" fi ensure_config_path if [ -z "$g_export" -a "$(id -u)" = 0 ]; then # # This block is avoided for compile for export and when the user isn't root # if [ "$3" = Yes ]; then if [ -n "$LOGFILE" ]; then if [ -n "$(syslog_circular_buffer)" ]; then g_logread="logread | tac" elif [ -r $LOGFILE ]; then g_logread="tac $LOGFILE" else fatal_error "LOGFILE ($LOGFILE) does not exist!" fi fi fi if [ $g_family -eq 4 ]; then if [ -n "$IPTABLES" ]; then if [ ! -x "$IPTABLES" ]; then fatal_error "The program specified in IPTABLES does not exist or is not executable" fi else IPTABLES=$(mywhich iptables 2> /dev/null) if [ -z "$IPTABLES" ] ; then fatal_error "Can't find iptables executable" fi fi g_tool=$IPTABLES else if [ -n "$IP6TABLES" ]; then if [ ! -x "$IP6TABLES" ]; then fatal_error "The program specified in IP6TABLES does not exist or is not executable" fi else IP6TABLES=$(mywhich ip6tables 2> /dev/null) if [ -z "$IP6TABLES" ] ; then fatal_error "Can't find ip6tables executable" fi fi g_tool=$IP6TABLES fi if [ -n "$IP" ]; then case "$IP" in */*) if [ ! -x "$IP" ] ; then fatal_error "The program specified in IP ($IP) does not exist or is not executable" fi ;; *) prog="$(mywhich $IP 2> /dev/null)" if [ -z "$prog" ] ; then fatal_error "Can't find $IP executable" fi IP=$prog ;; esac else IP='ip' fi if [ -n "$IPSET" ]; then case "$IPSET" in */*) if [ ! -x "$IPSET" ] ; then fatal_error "The program specified in IPSET ($IPSET) does not exist or is not executable" fi ;; ipset) # # Old config files had this as default # IPSET='' ;; *) prog="$(mywhich $IPSET 2> /dev/null)" if [ -z "$prog" ] ; then fatal_error "Can't find $IPSET executable" fi IPSET=$prog ;; esac else IPSET='' fi if [ -n "$TC" ]; then case "$TC" in */*) if [ ! -x "$TC" ] ; then fatal_error "The program specified in TC ($TC) does not exist or is not executable" fi ;; *) prog="$(mywhich $TC 2> /dev/null)" if [ -z "$prog" ] ; then fatal_error "Can't find $TC executable" fi TC=$prog ;; esac else TC='tc' fi # # Compile by non-root needs no restore file # [ -n "$RESTOREFILE" ] || RESTOREFILE=restore validate_restorefile RESTOREFILE if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" ;; Yes|yes|YES) ;; *) if [ -n "$STARTUP_ENABLED" ]; then fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" exit 2 fi ;; esac fi case ${SHOREWALL_COMPILER:=perl} in perl|Perl) ;; shell|Shell) echo " WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release" >&2 ;; *) fatal_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" ;; esac case ${TC_ENABLED:=Internal} in No|NO|no) TC_ENABLED= ;; esac [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" if [ -n "$STARTUP_LOG" ]; then if [ -n "$LOG_VERBOSITY" ]; then case $LOG_VERBOSITY in -1) ;; 0|1|2) ;; *) fatal_error "Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" ;; esac else LOG_VERBOSITY=2; fi else LOG_VERBOSITY=-1; fi else STARTUP_LOG= LOG_VERBOSITY=-1 fi if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 SHOREWALL_SHELL=/bin/sh fi fi case $VERBOSITY in -1|0|1|2) ;; *) if [ -n "$VERBOSITY" ]; then fatal_error "Invalid VERBOSITY setting ($VERBOSITY)" else VERBOSITY=2 fi ;; esac [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) if [ $VERBOSITY -lt -1 ]; then VERBOSITY=-1 elif [ $VERBOSITY -gt 2 ]; then VERBOSITY=2 fi g_hostname=$(hostname 2> /dev/null) [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}' [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' case $MANGLE_ENABLED in Yes|yes) ;; No|no) MANGLE_ENABLED= ;; *) if [ -n "$MANGLE_ENABLED" ]; then fatal_error "Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" fi ;; esac case $AUTOMAKE in Yes|yes) ;; No|no) AUTOMAKE= ;; *) if [ -n "$AUTOMAKE" ]; then fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)" fi ;; esac case $LOAD_HELPERS_ONLY in Yes|yes) ;; No|no) LOAD_HELPERS_ONLY= ;; *) if [ -n "$LOAD_HELPERS_ONLY" ]; then fatal_error "Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" fi ;; esac case $LEGACY_FASTSTART in Yes|yes) ;; No|no) LEGACY_FASTSTART= ;; *) if [ -n "$LEGACY_FASTSTART" ]; then fatal_error "Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)" fi LEGACY_FASTSTART=Yes ;; esac } # # Determine if there are config files newer than the passed object # uptodate() { [ -x $1 ] || return 1 local dir local ifs ifs="$IFS" IFS=':' for dir in $g_shorewalldir $CONFIG_PATH; do if [ -n "$(find ${dir} -newer $1)" ]; then IFS="$ifs" return 1; fi done IFS="$ifs" return 0 } # # Run the compiler # compiler() { local pc local shorewallrc local shorewallrc1 pc=${LIBEXECDIR}/shorewall/compiler.pl if [ $(id -u) -ne 0 ]; then if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration" fi fi # # We've now set g_shorewalldir so recalculate CONFIG_PATH # [ -n "$g_haveconfig" ] || ensure_config_path # # Get the config from $g_shorewalldir # get_config Yes [ -n "$g_doing" ] && progress_message3 "$g_doing..." case $COMMAND in *start|try|refresh) ;; *) STARTUP_LOG= LOG_VERBOSITY=-1 ;; esac debugflags="-w" [ -n "$g_debug" ] && debugflags='-wd' [ -n "$g_profile" ] && debugflags='-wd:DProf' # Perl compiler only takes the output file as a argument [ "$1" = debug -o "$1" = trace ] && shift; [ "$1" = nolock ] && shift; shift shorewallrc=${g_basedir}/shorewallrc if [ -n "$g_export" ]; then shorewallrc1=$(find_file shorewallrc) [ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file" fi if [ -n "$g_conditional" ] && uptodate $g_file; then echo "$g_file is up to date -- no compilation required" return 0 fi options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}" [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; [ -n "$g_export" ] && options="$options --export" [ -n "$g_shorewalldir" ] && options="$options --directory=$g_shorewalldir" [ -n "$g_timestamp" ] && options="$options --timestamp" [ -n "$g_test" ] && options="$options --test" [ -n "$g_preview" ] && options="$options --preview" [ "$g_debugging" = trace ] && options="$options --debug" [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" [ -n "$g_confess" ] && options="$options --confess" [ -n "$g_update" ] && options="$options --update" [ -n "$g_convert" ] && options="$options --convert" [ -n "$g_annotate" ] && options="$options --annotate" [ -n "$g_directives" ] && options="$options --directives" [ -n "$g_tcrules" ] && options="$options --tcrules" [ -n "$g_inline" ] && options="$options --inline" if [ -n "$PERL" ]; then if [ ! -x "$PERL" ]; then echo " WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2 PERL=/usr/bin/perl fi else PERL=/usr/bin/perl fi if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then $PERL $debugflags $pc $options $@ else PERL5LIB=${PERLLIBDIR} export PERL5LIB $PERL $debugflags $pc $options $@ fi } # # Run the postcompile user exit # run_postcompile() { # $1 is the compiled script local script script=$(find_file postcompile) if [ -f $script ]; then . $script $1 else return 0 fi } # # Start Command Executor # start_command() { local finished finished=0 local object local rc rc=0 do_it() { if [ -n "$AUTOMAKE" ]; then [ -n "$nolock" ] || mutex_on run_it ${VARDIR}/firewall $g_debugging start rc=$? [ -n "$nolock" ] || mutex_off else if compiler $g_debugging $nolock compile ${VARDIR}/.start; then run_postcompile ${VARDIR}/.start [ -n "$nolock" ] || mutex_on run_it ${VARDIR}/.start $g_debugging start rc=$? [ -n "$nolock" ] || mutex_off else rc=$? logger -p kern.err "ERROR:$g_product start failed" fi fi exit $rc } if product_is_started; then error_message "Shorewall is already running" exit 0 fi [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; d*) g_debug=Yes option=${option#d} ;; f*) g_fast=Yes option=${option#f} ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" g_purge=Yes option=${option%p} ;; c*) AUTOMAKE= option=${option#c} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) ;; 1) [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) AUTOMAKE= ;; *) usage 1 ;; esac if [ -n "${g_fast}${AUTOMAKE}" ]; then if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then # # Automake or LEGACY_FASTSTART=No -- use the last compiled script # object=firewall else # # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration # object=$RESTOREFILE fi if ! uptodate ${VARDIR}/$object; then g_fast= AUTOMAKE= fi if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then g_restorepath=${VARDIR}/$object [ -n "$nolock" ] || mutex_on echo Restoring Shorewall... run_it $g_restorepath restore rc=$? [ -n "$nolock" ] || mutex_off [ $rc -eq 0 ] && progress_message3 "$g_product restored from $g_restorepath" exit $rc else do_it fi else do_it fi } # # Compile Command Executor # compile_command() { local finished finished=0 while [ $finished -eq 0 ]; do [ $# -eq 0 ] && break option=$1 case $option in -*) shift option=${option#-} [ -z "$option" ] && usage 1 while [ -n "$option" ]; do case $option in e*) g_export=Yes g_shorewalldir='.' option=${option#e} ;; p*) g_profile=Yes option=${option#p} ;; t*) g_test=Yes option=${option#t} ;; d*) g_debug=Yes; option=${option#d} ;; c*) g_conditional=Yes; option=${option#c} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; -) finished=1 option= ;; *) usage 1 ;; esac done ;; *) finished=1 ;; esac done g_file= case $# in 0) [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall ;; 1) g_file=$1 [ -d $g_file ] && fatal_error "$g_file is a directory" ;; 2) [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) g_file=$2 ;; *) usage 1 ;; esac [ "x$g_file" = x- ] && g_doing='' compiler $g_debugging compile $g_file && run_postcompile $g_file } # # Check Command Executor # check_command() { local finished finished=0 while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; e*) g_export=Yes g_shorewalldir='.' option=${option#e} ;; p*) g_profile=Yes option=${option#p} ;; d*) g_debug=Yes; option=${option#d} ;; r*) g_preview=Yes option=${option#r} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) ;; 1) [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) ;; *) usage 1 ;; esac g_doing="Checking" compiler $g_debugging $nolock check } # # Update Command Executor # update_command() { local finished finished=0 g_update=Yes while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; e*) g_export=Yes option=${option#e} ;; p*) g_profile=Yes option=${option#p} ;; d*) g_debug=Yes; option=${option#d} ;; r*) g_preview=Yes option=${option#r} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; a*) g_annotate=Yes option=${option#a} ;; b*) g_convert=Yes option=${option#b} ;; D*) g_directives=Yes option=${option#D} ;; t*) g_tcrules=Yes option=${option#t} ;; A*) g_inline=Yes g_convert=Yes g_directives=Yes g_tcrules=Yes option=${option#A} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) ;; 1) [ -n "$g_shorewalldir" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) ;; *) usage 1 ;; esac g_doing="Updating..." compiler $g_debugging $nolock check } # # Restart Command Executor # restart_command() { local finished finished=0 local rc rc=0 local restorefile while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; d*) g_debug=Yes option=${option#d} ;; f*) g_fast=Yes option=${option#f} ;; c*) AUTOMAKE= option=${option#c} ;; n*) g_noroutes=Yes option=${option#n} ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" g_purge=Yes option=${option%p} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) ;; 1) [ -n "$g_shorewalldir" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) [ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option" AUTOMAKE= ;; *) usage 1 ;; esac [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then uptodate ${VARDIR}/firewall && g_fast=Yes fi if [ -z "$g_fast" ]; then if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then run_postcompile ${VARDIR}/.restart [ -n "$nolock" ] || mutex_on run_it ${VARDIR}/.restart $g_debugging restart rc=$? [ -n "$nolock" ] || mutex_off else rc=$? logger -p kern.err "ERROR:$g_product restart failed" fi else [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" [ -n "$nolock" ] || mutex_on run_it ${VARDIR}/firewall $g_debugging restart rc=$? [ -n "$nolock" ] || mutex_off fi return $rc } # # Refresh Command Executor # refresh_command() { local finished finished=0 while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; d*) g_debug=Yes option=${option#d} ;; n*) g_noroutes=Yes option=${option#n} ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; D) if [ $# -gt 1 ]; then g_shorewalldir="$2" option= shift else fatal_error "The -D option requires a directory name" fi ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done if [ $# -gt 0 ]; then g_refreshchains=$1 shift while [ $# -gt 0 ]; do g_refreshchains="$g_refreshchains,$1" shift done else g_refreshchains=:refresh: fi product_is_started || fatal_error "$g_product is not running" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then run_postcompile ${VARDIR}/.refresh [ -n "$nolock" ] || mutex_on run_it ${VARDIR}/.refresh $g_debugging refresh rc=$? [ -n "$nolock" ] || mutex_off else rc=$? fi return $rc } # # Safe-start/safe-restart Command Executor # safe_commands() { local finished finished=0 local command local timeout timeout=60 # test is the shell supports timed read read -t 0 junk 2> /dev/null if [ $? -eq 2 -a ! -x /bin/bash ];then echo "Your shell does not support a feature required to execute this command". exit 2 fi while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; n*) g_noroutes=Yes option=${option#n} ;; t) [ $# -eq 1 ] && fatal_error "The -t option requires a timeout value" echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)" timeout=$2 option= shift; ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) ;; 1) [ -n "$g_shorewalldir" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) ;; *) usage 1 ;; esac [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" if product_is_started; then running=Yes else running= fi if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then # the command is safe-start but the firewall is already running error_message "Shorewall is already started" exit 0 fi if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then # the command is safe-start or shorewall[6] is not started yet command="start" else # the command is safe-restart and the firewall is already running command="restart" fi if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then status=$? exit $status fi run_postcompile ${VARDIR}/.$command case $command in start) RESTOREFILE=NONE progress_message3 "Starting..." ;; restart) RESTOREFILE=.safe g_restorepath=${VARDIR}/.safe save_config progress_message3 "Restarting..." ;; esac [ -n "$nolock" ] || mutex_on if run_it ${VARDIR}/.$command $g_debugging $command; then echo -n "Do you want to accept the new firewall configuration? [y/n] " if read_yesno_with_timeout $timeout ; then echo "New configuration has been accepted" else if [ "$command" = "restart" ]; then run_it ${VARDIR}/.safe restore else run_it ${VARDIR}/.$command clear fi [ -n "$nolock" ] || mutex_off echo "New configuration has been rejected and the old one restored" exit 2 fi fi [ -n "$nolock" ] || mutex_off } # # 'try' Command Executor # try_command() { local finished finished=0 local timeout timeout= handle_directory() { [ -n "$g_shorewalldir" ] && usage 2 if [ ! -d $1 ]; then if [ -e $1 ]; then fatal_error "$1 is not a directory" else fatal_error "Directory $1 does not exist" fi fi g_shorewalldir=$(resolve_file $1) } while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; n*) g_noroutes=Yes option=${option#n} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 0) usage 1 ;; 1) handle_directory $1 ;; 2) handle_directory $1 echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)" timeout=$2 ;; *) usage 1 ;; esac [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" if product_is_started; then running=Yes else running= fi if [ -z "$running" ]; then # shorewall[6] is not started yet command="start" else # the firewall is already running command="restart" fi if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then status=$? exit $status fi run_postcompile ${VARDIR}/.restart case $command in start) RESTOREFILE=NONE progress_message3 "Starting..." ;; restart) RESTOREFILE=.try g_restorepath=${VARDIR}/.try save_config progress_message3 "Restarting..." ;; esac [ -n "$nolock" ] || mutex_on if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then sleep $timeout if [ "$command" = "restart" ]; then run_it ${VARDIR}/.try restore else run_it ${VARDIR}/.$command clear fi fi [ -n "$nolock" ] || mutex_off return 0 } rsh_command() { command="$*" eval $RSH_COMMAND } rcp_command() { files="$1" destination=$2 eval $RCP_COMMAND } # # [Re]load command executor # reload_command() # $* = original arguments less the command. { local verbose verbose=$(make_verbose) local file file= local capabilities capabilities= local finished finished=0 local saveit saveit= local result local system local getcaps getcaps= local root root=root local libexec libexec=${LIBEXECDIR} local confdir confdir=${CONFDIR} local sbindir sbindir=${SBINDIR} local sharedir sharedir=${SHAREDIR} local litedir while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; s*) saveit=Yes option=${option#s} ;; c*) getcaps=Yes option=${option#c} ;; r) [ $# -gt 1 ] || fatal_error "Missing Root User name" root=$2 option= shift ;; T*) g_confess=Yes option=${option#T} ;; i*) g_inline=Yes option=${option#i} ;; *) usage 1 ;; esac done shift ;; *) finished=1 ;; esac done case $# in 1) g_shorewalldir="." system=$1 ;; 2) g_shorewalldir=$1 system=$2 ;; *) usage 1 ;; esac if [ -f $g_shorewalldir/shorewallrc ]; then . $g_shorewalldir/shorewallrc sbindir="$SBINDIR" confdir="$CONFDIR" libexec="$LIBEXECDIR" . $sharedir/shorewall/shorewallrc else error_message " WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2 fi if [ -f $g_shorewalldir/${g_program}.conf ]; then if [ -f $g_shorewalldir/params ]; then . $g_shorewalldir/params fi ensure_config_path get_config No g_haveconfig=Yes else fatal_error "$g_shorewalldir/$g_program.conf does not exist" fi if [ -z "$getcaps" ]; then capabilities=$(find_file capabilities) [ -f $capabilities ] || getcaps=Yes fi if [ -n "$getcaps" ]; then [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')" progress_message "Getting Capabilities on system $system..." if [ $g_family -eq 4 ]; then if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then fatal_error "Capturing capabilities on system $system failed" fi elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then fatal_error "Capturing capabilities on system $system failed" fi fi file=$(resolve_file $g_shorewalldir/firewall) g_export=Yes temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') [ -n "$temp" ] && litedir="$temp" [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite if compiler $g_debugging compiler $g_shorewalldir/firewall && \ progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \ rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir} then save=$(find_file save); [ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/ progress_message3 "Copy complete" if [ $COMMAND = reload ]; then rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ progress_message3 "System $system reloaded" || saveit= else rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \ progress_message3 "System $system loaded" || saveit= fi if [ -n "$saveit" ]; then rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \ progress_message3 "Configuration on system $system saved" fi fi } # # Export command executor # export_command() # $* = original arguments less the command. { local verbose verbose=$(make_verbose) local file file= local finished finished=0 local target while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in -*) option=${option#-} while [ -n "$option" ]; do case $option in -) finished=1 option= ;; *) fatal_error "Unrecognized option \"$option\"" ;; esac done shift ;; *) finished=1 ;; esac done case $# in 1) g_shorewalldir="." target=$1 ;; 2) g_shorewalldir=$1 target=$2 ;; *) fatal_error "Invalid command syntax (\"man $g_program\" for help)" ;; esac case $target in *:*) ;; *) target=$target: ;; esac file=$(resolve_file $g_shorewalldir/firewall) g_export=Yes if compiler $g_debugging compile $g_shorewalldir/firewall && \ echo "Copying $file and ${file}.conf to ${target#*@}..." && \ scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target then save=$(find_file save); [ -f $save ] && progress_message3 "Copying $save to ${target#*}..." && rcp_command $save $target progress_message3 "Copy complete" fi } # # Give Usage Information # usage() # $1 = exit status { echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>" echo "where <command> is one of:" echo " add <interface>[:<host-list>] ... <zone>" echo " allow <address> ..." echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" echo " clear" echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" echo " delete <interface>[:<host-list>] ... <zone>" echo " disable <interface>" echo " drop <address> ..." echo " dump [ -x ] [ -l ] [ -m ]" echo " enable <interface>" echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]" echo " forget [ <file name> ]" echo " help" if [ $g_family -eq 4 ]; then echo " hits [ -t ]" echo " ipcalc { <address>/<vlsm> | <address> <netmask> }" echo " ipdecimal { <address> | <integer> }" echo " iprange <address>-<address>" fi if [ $g_family -eq 4 ]; then echo " iptrace <iptables match expression>" else echo " iptrace <ip6tables match expression>" fi echo " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " logdrop <address> ..." echo " logreject <address> ..." echo " logwatch [<refresh interval>]" if [ $g_family -eq 4 ]; then echo " noiptrace <iptables match expression>" else echo " noiptrace <ip6tables match expression>" fi echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" echo " reject <address> ..." echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " reset [ <chain> ... ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]" echo " restore [ -n ] [ <file name> ]" echo " safe-restart [ -t <timeout> ] [ <directory> ]" echo " safe-start [ -t <timeout> ] [ <directory> ]" echo " save [ <file name> ]" echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] actions" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] classifiers" echo " [ show | list | ls ] config" echo " [ show | list | ls ] connections" echo " [ show | list | ls ] dynamic <zone>" echo " [ show | list | ls ] filters" echo " [ show | list | ls ] ip" if [ $g_family -eq 4 ]; then echo " [ show | list | ls ] ipa" fi echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] macro <macro>" echo " [ show | list | ls ] macros" echo " [ show | list | ls ] marks" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing" echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] policies" echo " [ show | list | ls ] routing" echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]" echo " status" echo " stop" echo " try <directory> [ <timeout> ]" echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" echo " version [ -a ]" echo exit $1 } compiler_command() { case $COMMAND in compile|co) shift compile_command $@ ;; refresh) get_config Yes Yes shift refresh_command $@ ;; check|ck) shift check_command $@ ;; update) shift update_command $@ ;; load|reload) shift reload_command $@ ;; export) shift export_command $@ ;; try) get_config Yes shift try_command $@ ;; safe-restart|safe-start) get_config Yes shift safe_commands $@ ;; *) usage 1 ;; esac }