--- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400 +++ compiler 2008-03-09 16:00:16.000000000 -0400 @@ -1,6 +1,6 @@ #!/bin/sh # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0 # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # @@ -35,6 +35,11 @@ # SHOREWALL_DIR A directory name was passed to /sbin/shorewall # VERBOSE Standard Shorewall verbosity control. +BASE_VERSION=40000 +BASE_VERSION_PRINTABLE=4.0.0 +CONFIG_VERSION=40000 +CONFIG_VERSION_PRINTABLE=4.0.0 + # # Fatal error -- stops the compiler after issuing the error message # @@ -128,7 +133,8 @@ # append_file() # $1 = File Name { - local user_exit=$(find_file $1) + local user_exit + user_exit=$(find_file $1) case $user_exit in $SHAREDIR/*) @@ -210,7 +216,8 @@ # finish_chain_section() # $1 = canonical chain $2 = state list { - local policy policychain + local policy + local policychain [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT @@ -241,7 +248,9 @@ finish_section() # $1 = Section(s) { - local zone zone1 chain + local zone + local zone1 + local chain for zone in $ZONES $FW; do for zone1 in $ZONES $FW; do @@ -263,7 +272,8 @@ # createchain() # $1 = chain name, $2 = If "yes", do section-end processing { - local c=$(chain_base $1) + local c + c=$(chain_base $1) run_iptables -N $1 @@ -286,7 +296,8 @@ # createchain2() # $1 = chain name, $2 = If "yes", create default rules { - local c=$(chain_base $1) + local c + c=$(chain_base $1) ensurechain $1 @@ -313,7 +324,8 @@ # havechain() # $1 = name of chain { - local c=$(chain_base $1) + local c + c=$(chain_base $1) eval test \"\$exists_${c}\" = Yes } 
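Review bot: The four version constants added after the `VERBOSE` comment are plain assignments, so nothing prevents a later function or a sourced library from overwriting them before the compatibility check at the end of the file reads them. Under `#!/bin/sh` the `readonly` builtin is POSIX, so `readonly BASE_VERSION=40000` (and likewise for the other three) would pin them. A one-line comment above the group, such as `# lib.base / lib.config versions of Shorewall-common this compiler requires, numeric and printable`, would also tell a reader what the two pairs are for, since their only use is far away from their definition.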
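Review bot: `c=$(chain_base $1)` in havechain() feeds directly into `eval test \"\$exists_${c}\" = Yes`, so the function's safety rests on chain_base() returning something that is a valid variable-name fragment, and that contract is not stated anywhere in the hunk. A comment on the assignment, `# chain_base must yield a name that is safe to splice into the eval'd variable name`, would make the dependency explicit; the same `c=$(chain_base $1)` assignment appears in createchain() and createchain2() earlier on this line, whose bodies continue outside their hunks. Quoting the argument, `c=$(chain_base "$1")`, would additionally keep a chain name containing whitespace from being word-split before it reaches chain_base.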
@@ -675,11 +687,11 @@ progress_message2 "Compiling IP Forwarding..." case "$IP_FORWARDING" in - On|on) + On|on|ON|Yes|yes|YES) save_progress_message "IP Forwarding Enabled" save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" ;; - Off|off) + Off|off|OFF|No|no|NO) save_progress_message "IP Forwarding Disabled!" save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" ;; @@ -719,16 +731,25 @@ # log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule { - local level=$1 - local chain=$2 - local displayChain=$3 - local disposition=$4 - local rulenum= - local limit= - local tag=$6 - local command=${7:--A} + local level + level=$1 + local chain + chain=$2 + local displayChain + displayChain=$3 + local disposition + disposition=$4 + local rulenum + rulenum= + local limit + limit= + local tag + tag=$6 + local command + command=${7:--A} local prefix - local base=$(chain_base $displayChain) + local base + base=$(chain_base $displayChain) limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. @@ -739,9 +760,12 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule { - local level=$1 - local chain=$2 - local disposition=$3 + local level + level=$1 + local chain + chain=$2 + local disposition + disposition=$3 shift 3 @@ -756,9 +780,12 @@ # $2 = synparams # $3 = loglevel { - local chain=@$1 - local limit=$2 - local limit_burst= + local chain + chain=@$1 + local limit + limit=$2 + local limit_burst + limit_burst= case $limit in *:*) @@ -837,8 +864,10 @@ # setup_ecn() # $1 = file name { - local interfaces="" - local hosts= + local interfaces + interfaces="" + local hosts + hosts= local h if [ -s ${TMP_DIR}/ecn ]; then 
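Review bot: The `On|on|ON|Yes|yes|YES)` and `Off|off|OFF|No|no|NO)` arms enumerate spellings by hand, so a value such as `oN` or `yES` still falls through to whatever the `*)` arm (outside the hunk) does. If case-insensitivity is the intent, normalising once is both clearer and complete: `case $(printf '%s' "$IP_FORWARDING" | tr '[:upper:]' '[:lower:]') in` with arms `on|yes)` and `off|no)`. Otherwise a comment stating which spellings are accepted would document the choice.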
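Review bot: The comment `# Do this here rather than in the declaration above to appease /bin/ash.` on `limit="${5:-$LOGLIMIT}"` in log_rule_limit() is now stale: the hunk has already split every `local` from its assignment, so there is no combined declaration left to work around, and `limit` is assigned twice. Either move the initialisation up, `local limit` followed by `limit="${5:-$LOGLIMIT}"`, dropping the empty `limit=` and the comment, or reword the comment to say why the default is still applied after the other locals. log_rule_limit's body continues past the hunk.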
@@ -886,7 +915,8 @@ # build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list { - local c=excl_${EXCLUSION_SEQ} net + local c + c=excl_${EXCLUSION_SEQ} net EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) @@ -916,7 +946,10 @@ # Setup queuing and classes # setup_tc1() { - local mark_part= comment= + local mark_part + mark_part= + local comment + comment= # # Create the TC mangle chains # @@ -1025,7 +1058,8 @@ # refresh_tc() { - local comment= + local comment + comment= if [ -n "$CLEAR_TC" ]; then delete_tc @@ -1089,9 +1123,12 @@ # compile_refresh_firewall() { - local INDENT="" - local DOING="Compiling Refresh of" - local DONE="Compiled" + local INDENT + INDENT="" + local DOING + DOING="Compiling Refresh of" + local DONE + DONE="Compiled" local indent save_command "refresh_firewall()" @@ -1142,7 +1179,8 @@ process_action_file() # $1 = File Name { if ! list_search $1 $BUILTIN_ACTIONS; then - local user_exit=$(find_file $1) + local user_exit + user_exit=$(find_file $1) if [ -f $user_exit ]; then progress_message "Processing $user_exit ..." @@ -1173,7 +1211,12 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] { - local actchain= action=$1 level=$2 + local actchain + actchain= + local action + action=$1 + local level + level=$2 eval actchain=\${${action}_actchain} @@ -1259,7 +1302,14 @@ # find_logactionchain() # $1 = Action, including log level and tag if any { - local fullaction=$1 action=${1%%:*} level= chains= + local fullaction + fullaction=$1 + local action + action=${1%%:*} + local level + level= + local chains + chains= find_simpleaction() { havechain $action || fatal_error "Fatal error in find_logactionchain" @@ -1302,7 +1352,10 @@ # merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called { - local superior=$1 subordinate=$2 + local superior + superior=$1 + local subordinate + subordinate=$2 set -- $(split $1) 
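Review bot: `c=excl_${EXCLUSION_SEQ} net` in build_exclusion_chain() no longer declares two locals: without the `local` keyword it is an invocation of a command named `net` with `c=…` as a temporary environment prefix, so `net` is executed (and fails if absent), `c` is left unset inside the function, and `net` is no longer local. The intended split is `local c` / `c=excl_${EXCLUSION_SEQ}` / `local net`. rules_chain() at `@@ -3267,7 +3388,8 @@` has the same problem with `chain=${1}2${2} local policy`, which runs the `local` builtin with a temporary `chain` binding and, in bash and any other shell that does not treat `local` as a special builtin, leaves `chain` empty for the `havechain $chain` test that follows; it wants `local chain` / `chain=${1}2${2}` / `local policy`. build_exclusion_chain's body continues outside the hunk.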
@@ -1379,7 +1432,9 @@ # map_old_action() # $1 = Potential Old Action { - local macro= aktion + local macro + macro= + local aktion if [ -n "$MAPOLDACTIONS" ]; then case $1 in @@ -1432,7 +1487,8 @@ # substitute_action() # $1 = parameter, $2 = action { - local logpart=${2#*:} + local logpart + logpart=${2#*:} case $2 in *:*) @@ -1630,7 +1686,8 @@ # policy = Applicable Policy # add_a_rule() { - local natrule= + local natrule + natrule= do_ports() { if [ -n "$port" ]; then @@ -2118,19 +2175,32 @@ # $9 = userspec # $10= mark { - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local ratelimit="$8" - local userspec="$9" - local mark="${10}" - local userandgroup= - local logtag= - local nonat= + local target + target="$1" + local clients + clients="$2" + local servers + servers="$3" + local protocol + protocol="$4" + local ports + ports="$5" + local cports + cports="$6" + local address + address="$7" + local ratelimit + ratelimit="$8" + local userspec + userspec="$9" + local mark + mark="${10}" + local userandgroup + userandgroup= + local logtag + logtag= + local nonat + nonat= # # # # # F u n c t i o n B o d y # # # # # 
@@ -2483,21 +2553,35 @@ # $9 = userspec # $10= mark { - local itarget="$1" - local param="$2" - local iclients="$3" - local iservers="$4" - local iprotocol="$5" - local iports="$6" - local icports="$7" - local iaddress="$8" - local iratelimit="$9" - local iuserspec="${10}" - local imark="${11}" + local itarget + itarget="$1" + local param + param="$2" + local iclients + iclients="$3" + local iservers + iservers="$4" + local iprotocol + iprotocol="$5" + local iports + iports="$6" + local icports + icports="$7" + local iaddress + iaddress="$8" + local iratelimit + iratelimit="$9" + local iuserspec + iuserspec="${10}" + local imark + imark="${11}" progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + + [ $mtarget = COMMENT ] && continue + mtarget=$(merge_levels $itarget $mtarget) case $mtarget in @@ -2575,13 +2659,19 @@ # process_rules() { - local comment= optimize + local comment + comment= + local optimize # # Process a rule where the source or destination is "all" # process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic { - local yclients yservers ysourcezone ydestzone ypolicy + local yclients + local yservers + local ysourcezone + local ydestzone + local ypolicy for yclients in $xclients; do for yservers in $xservers; do @@ -2614,7 +2704,8 @@ do_it() # $1 = "Yes" if the target is a macro. { - local intrazone= + local intrazone + intrazone= if [ -z "$SECTIONS" ]; then finish_section ESTABLISHED,RELATED 
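Review bot: The added `[ $mtarget = COMMENT ] && continue` leaves `$mtarget` unquoted, so a blank or whitespace-only line in the macro file gives `read` an empty first field and the test becomes `[ = COMMENT ]`, which `test` reports as an operator error rather than evaluating to false. Quote it, `[ "$mtarget" = COMMENT ] && continue`, or use the `x`-prefix form this file uses elsewhere, `[ "x$mtarget" = xCOMMENT ] && continue`. The while loop runs on past the hunk.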
@@ -2794,17 +2885,35 @@ # process_default_macro() # $1 = macro name { - local macro=$1 - local address= - local multioption= - local servport= - local chain=$1 - local logchain=$1 - local userandgroup= - local logtag= - local excludesource= - local target client server protocol port cport ratelimit userspec rule - local f=$(find_file macro.${macro}) + local macro + macro=$1 + local address + address= + local multioption + multioption= + local servport + servport= + local chain + chain=$1 + local logchain + logchain=$1 + local userandgroup + userandgroup= + local logtag + logtag= + local excludesource + excludesource= + local target + local client + local server + local protocol + local port + local cport + local ratelimit + local userspec + local rule + local f + f=$(find_file macro.${macro}) havechain $macro && fatal_error "Illegal duplicate default macro name: $macro" @@ -3062,7 +3171,10 @@ # process_tos() # $1 = name of tos file { - local chain=pretos stdchain=PREROUTING + local chain + chain=pretos + local stdchain + stdchain=PREROUTING if [ -n "$MANGLE_FORWARD" ]; then chain=fortos @@ -3093,8 +3205,10 @@ # $3 = loglevel # $4 = Default Action/Macro { - local target="$2" - local default="$4" + local target + target="$2" + local default + default="$4" if [ -n "$default" ]; then [ "$default" = none ] || run_iptables -A $1 -j $default @@ -3131,9 +3245,12 @@ # default_policy() # $1 = client $2 = server { - local chain="${1}2${2}" - local policy= - local loglevel= + local chain + chain="${1}2${2}" + local policy + policy= + local loglevel + loglevel= local chain1 jump_to_policy_chain() { 
@@ -3235,14 +3352,18 @@ # complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone { - local policy= - local loglevel= - local policychain= - local default= + local policy + policy= + local loglevel + loglevel= + local policychain + policychain= + local default + default= run_user_exit $1 - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT eval policychain=\$${2}2${3}_policychain @@ -3267,7 +3388,8 @@ # rules_chain() # $1 = source zone, $2 = destination zone { - local chain=${1}2${2} local policy + local chain + chain=${1}2${2} local policy havechain $chain && { echo $chain; return; } @@ -3376,8 +3498,10 @@ process_blacklist() { - local disposition=$BLACKLIST_DISPOSITION - local f=$(find_file blacklist) + local disposition + disposition=$BLACKLIST_DISPOSITION + local f + f=$(find_file blacklist) local target if [ -s $TMP_DIR/blacklist ]; then @@ -3411,8 +3535,10 @@ # Setup the Black List # setup_blacklist() { - local hosts="$(find_hosts_by_option blacklist)" - local ipsec policy + local hosts + hosts="$(find_hosts_by_option blacklist)" + local ipsec + local policy if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then progress_message2 "$DOING Blacklisting..." @@ -3457,8 +3583,10 @@ # Construct zone-independent rules # add_common_rules() { - local savelogparms="$LOGPARMS" - local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" + local savelogparms + savelogparms="$LOGPARMS" + local broadcasts + broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" # # Populate the smurf chain # @@ -3788,7 +3916,7 @@ save_progress_message "Setting up Route Filtering..." - if [ -z "$ROUTE_FILTER" ]; then + if [ "$ROUTE_FILTER" = no ]; then indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do 
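Review bot: Changing `[ -z "$ROUTE_FILTER" ]` to `[ "$ROUTE_FILTER" = no ]` makes the setting three-valued, but only the exact lowercase spellings `yes` and `no` are recognised: any other value, including `Yes`, `No` or a typo, takes the not-`no` path here and then matches neither branch at `@@ -3812,8 +3940,10 @@`, and the `LOG_MARTIANS` hunks at `@@ -3829,7 +3959,7 @@` and `@@ -3852,9 +3982,12 @@` behave the same way. Unless lib.config already canonicalises these settings (not visible here), either reject unknown values before this `if`, `[ -z "$ROUTE_FILTER" ] || [ "$ROUTE_FILTER" = yes ] || [ "$ROUTE_FILTER" = no ] || fatal_error "Invalid ROUTE_FILTER setting ($ROUTE_FILTER)"`, or add a comment at the `if` stating that an empty value deliberately leaves the kernel's current setting untouched. The heredoc body that follows is outside the hunk.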
@@ -3812,8 +3940,10 @@ save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - if [ -n "$ROUTE_FILTER" ]; then + if [ "$ROUTE_FILTER" = yes ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" + elif [ "$ROUTE_FILTER" = no ]; then + save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter" fi save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" @@ -3829,7 +3959,7 @@ save_progress_message "Setting up Martian Logging..." - if [ -z "$LOG_MARTIANS" ]; then + if [ "$LOG_MARTIANS" = no ]; then indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do @@ -3852,9 +3982,12 @@ __EOF__ done - if [ -n "$LOG_MARTIANS" ]; then + if [ "$LOG_MARTIANS" = yes ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" + elif [ "$LOG_MARTIANS" = no ]; then + save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" + save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians" fi fi @@ -3984,14 +4117,19 @@ # activate_rules() { - local PREROUTING_rule=1 - local POSTROUTING_rule=1 + local PREROUTING_rule + PREROUTING_rule=1 + local POSTROUTING_rule + POSTROUTING_rule=1 # # Jump to a NAT chain from one of the builtin nat chains # addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments { - local sourcechain=$1 destchain=$2 + local sourcechain + sourcechain=$1 + local destchain + destchain=$2 shift shift @@ -4009,7 +4147,10 @@ # addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments { - local sourcechain=$1 destchain=$2 + local sourcechain + sourcechain=$1 + local destchain + destchain=$2 shift shift @@ -4037,7 +4178,15 @@ # insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions { - local t=$1 c=$2 num=0 host1 interface1 networks1 + local t + t=$1 + local c + c=$2 + local num + num=0 + local host1 + local interface1 + local networks1 shift 2 
@@ -4053,7 +4202,13 @@ # add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions { - local t=$1 c=$2 host1 interface1 networks1 + local t + t=$1 + local c + c=$2 + local host1 + local interface1 + local networks1 shift 2 @@ -4101,7 +4256,8 @@ eval exclusions=\"\$${zone}_exclusions\" if [ -n "$exclusions" ]; then - local num=1 + local num + num=1 in_chain=${zone}_input out_chain=${zone}_output createchain $in_chain No @@ -4549,8 +4705,10 @@ # from that script are available here # compile_stop_firewall() { - local IPTABLES_COMMAND="\$IPTABLES" - local INDENT=" " + local IPTABLES_COMMAND + IPTABLES_COMMAND="\$IPTABLES" + local INDENT + INDENT=" " cat >&3 << __EOF__ @@ -4894,10 +5052,18 @@ # compile_firewall() # $1 = File Name { - local IPTABLES_COMMAND=run_iptables - local INDENT="" - local checking= outfile=$1 dir= - local match= + local IPTABLES_COMMAND + IPTABLES_COMMAND=run_iptables + local INDENT + INDENT="" + local checking + checking= + local outfile + outfile=$1 + local dir + dir= + local match + match= setup_mss() { @@ -4951,7 +5117,7 @@ cat >&3 << __EOF__ # -# Compiled firewall script generated by Shorewall $VERSION - $(date)" +# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)" # __EOF__ @@ -4959,7 +5125,10 @@ cat >&3 << __EOF__ SHAREDIR=/usr/share/shorewall-lite CONFDIR=/etc/shorewall-lite -VARDIR=/var/lib/shorewall-lite + +[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir + +[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ] __EOF__ @@ -4976,7 +5145,10 @@ cat >&3 << __EOF__ SHAREDIR=/usr/share/shorewall CONFDIR=/etc/shorewall -VARDIR=/var/lib/shorewall + +[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir + +[ -n "\${VARDIR:=/var/lib/shorewall}" ] . \${SHAREDIR}/lib.base __EOF__ 
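Review bot: The rewritten header line `# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)"` carries a trailing `"` that is copied into the generated script's comment. It is harmless inside a comment, but it reads as a leftover from an earlier quoted form; dropping it gives `# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)`.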
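Review bot: `[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir` makes the generated script source the vardir file as shell code, so whatever that file contains runs with the firewall script's privileges rather than being read as a single `VARDIR=` assignment; the same lines are emitted for the non-lite case at `@@ -4976,7 +5145,10 @@`. If sourcing is intended, a comment in the emitted script, `# vardir is executed as shell code: it must be root-owned and contain only VARDIR=...`, documents the trust placed in it; if only the one variable is wanted, extracting that line instead of sourcing the file would be tighter. The following `[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]` is a test used only for its assignment side effect; the conventional form is `: "\${VARDIR:=/var/lib/shorewall-lite}"`.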
@@ -5139,7 +5311,8 @@ fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)" fi - local version=\$(cat \${SHAREDIR}/version) + local version + version=\$(cat \${SHAREDIR}/version) if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version" @@ -5178,6 +5351,7 @@ LOCKFILE="$LOCKFILE" PATH="$PATH" TERMINATOR=fatal_error + DONT_LOAD="$DONT_LOAD" __EOF__ if [ -n "$IPTABLES" ]; then @@ -5278,7 +5452,8 @@ # Start/Restart/Reload the firewall # define_firewall() { - local restore_file=\$1 + local restore_file + restore_file=\$1 __EOF__ INDENT=" " @@ -5727,9 +5902,9 @@ # E X E C U T I O N B E G I N S H E R E # # -# Start trace if first arg is "debug" +# Start trace if first arg is "debug" or "trace" # -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } +[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; } NOLOCK= @@ -5754,6 +5929,11 @@ fi done +VERSION=$(cat $SHELLSHAREDIR/version) + +[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE" +[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE" + PROGRAM=compiler COMMAND="$1"
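Review bot: `DONT_LOAD="$DONT_LOAD"` is expanded at compile time into the emitted script, so the value is pasted verbatim between double quotes and a `"`, `$` or backslash inside it would be re-parsed by the generated script rather than reproduced; the existing `LOCKFILE` and `PATH` lines above it have the same shape. Writing the value in single quotes, `DONT_LOAD='$DONT_LOAD'`, keeps the generated script well-formed for any value that does not itself contain a single quote, which is the same limit the other settings already live with. The heredoc this line belongs to begins outside the hunk.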
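Review bot: `[ "x$1" = xdebug -o "x$1" = xtrace ]` uses the `-o` binary operator inside `test`, which POSIX marks obsolescent and which is ambiguous to parse when an operand looks like an operator; two separate tests are unambiguous, `[ $# -gt 1 ] && { [ "x$1" = xdebug ] || [ "x$1" = xtrace ]; } && { set -x ; shift ; }`. The updated comment says `"debug" or "trace"` but nothing explains how the two differ; if they are synonyms, `# "trace" is accepted as a synonym for "debug"` would say so.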