#!/bin/sh # # Shorewall 4.1 -- /usr/share/shorewall/lib.config # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # This library contains the configuration file parsing code common to # /usr/share/shorewall/compiler and /usr/share/shorewall/firewall # SHOREWALL_CONFIGVERSION=40000 # # Replace commas with spaces and echo the result # separate_list() { local list list="$@" local part local newlist local firstpart local lastpart local enclosure case "$list" in *,|,*|*,,*|*[[:space:]]*) # # There's been whining about us not catching embedded white space in # comma-separated lists. This is an attempt to snag some of the cases. # # The 'TERMINATOR' function will be set by the 'firewall' script to # either 'startup_error' or 'fatal_error' depending on the command and # command phase # [ -n "$TERMINATOR" ] && \ $TERMINATOR "Invalid comma-separated list \"$@\"" echo "WARNING -- invalid comma-separated list \"$@\"" >&2 ;; *\[*\]*) # # Where we need to embed comma-separated lists within lists, we enclose them # within square brackets. # firstpart=${list%%\[*} lastpart=${list#*\[} enclosure=${lastpart%%\]*} lastpart=${lastpart#*\]} case $lastpart in \,*) case $firstpart in *\,) echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" ;; *) echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" ;; esac ;; *) case $firstpart in *\,) echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" ;; *) echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" ;; esac ;; esac return ;; esac list="$@" part="${list%%,*}" newlist="$part" while [ "x$part" != "x$list" ]; do list="${list#*,}"; part="${list%%,*}"; newlist="$newlist $part"; done echo "$newlist" } # # Display elements of a list with leading white space # display_list() # $1 = List Title, rest of $* = list to display { [ $# -gt 1 ] && echo " $*" } # # Determine if a chain is a policy chain # is_policy_chain() # $1 = name of chain { eval test \"\$${1}_is_policy\" = Yes } # # Return a space separated list of values matching # list_walk() # $1 = element to search for, $2-$n = list { local e e=$1 local result result= while [ $# -gt 1 ]; do shift case $1 in $e*) result="$result ${1##$e}" ;; esac done echo $result } # # Functions to count list elements # - - - - - - - - - - - - - - - - # Whitespace-separated list # list_count1() { echo $# } # # Comma-separated list # list_count() { list_count1 $(separate_list $1) } # # Filter that expands variables # expand_line() { local line while read line; do echo $(expand $line) done } # # Add whitespace after leading "!" # fix_bang() { local result result= while [ $# -gt 0 ]; do case $1 in !*) result="$result ! ${1#!}" ;; *) result="$result $1" ;; esac shift done echo $result } # # Read the zones file and find the firewall zone # get_firewall_zone() { local zone local type local rest local comment comment='#*' local f f=$(find_file zones) [ -f $f ] || startup_error "Unable to find zones file" while read zone type rest; do case $zone in $comment) ;; *) if [ "x$type" = xfirewall ]; then FW=$zone return fi ;; esac done < $f startup_error "No firewall zone defined in $f" } # # This function assumes that the TMP_DIR variable is set and that # its value names an existing directory. # determine_zones() { local zone local parent local parents local rest local new_zone_file new_zone_file= local r merge_zone() { local z local zones zones="$ZONES" local merged merged= if [ -n "$parents" ]; then ZONES= for z in $zones; do if [ -z "$merged" ] && list_search $z $parents; then ZONES="$ZONES $zone" merged=Yes fi ZONES="$ZONES $z" done else ZONES="$ZONES $zone" fi } ZONES= IPV4_ZONES= IPSEC_ZONES= [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" while read zone type rest; do case $zone in *:*) parents=${zone#*:} zone=${zone%:*} [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents" parents=$(separate_list $parents) eval ${zone}_parents=\"$parents\" ;; *) parents= eval ${zone}_parents= ;; esac for parent in $parents; do [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" done [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" case "$zone" in [0-9*]) startup_error "Illegal zone name \"$zone\" in zones file" ;; all|none|SOURCE|DEST) startup_error "Reserved zone name \"$zone\" in zones file" ;; esac if [ -n "$new_zone_file" ]; then case ${type:=ipv4} in ipv4|IPv4|IPV4|plain|-) list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" merge_zone IPV4_ZONES="$IPV4_ZONES $zone" ;; ipsec|IPSEC|ipsec4|IPSEC4) list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match" eval ${zone}_is_ipsec=Yes eval ${zone}_is_complex=Yes merge_zone IPSEC_ZONES="$IPSEC_ZONES $zone" ;; firewall) [ -n "$FW" ] && startup_error "Only one firewall zone may be defined" list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" [ -n "$parents" ] && startup_error "The firewall zone may not be nested" for r in $rest; do [ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone" done FW=$zone ;; bport|bport4) [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type" list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" merge_zone BRIDGING=Yes ;; *) startup_error "Invalid Zone Type: $type" ;; esac eval ${zone}_type=$type else list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" ZONES="$ZONES $zone" IPV4_ZONES="$IPV4_ZONES $zone" eval ${zone}_type=ipv4 fi done < $TMP_DIR/zones [ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined" [ -z "$FW" ] && startup_error "No Firewall Zone Defined" } # # Validate the zone names and options in the interfaces file # validate_interfaces_file() { local wildcard local found_obsolete_option found_obsolete_option= local z local interface local networks local options local r local iface local option while read z interface networks options; do r="$z $interface $networks $options" [ "x$z" = "x-" ] && z= if [ -n "$z" ]; then validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" fi list_search $interface $ALL_INTERFACES && \ startup_error "Duplicate Interface $interface" wildcard= case $interface in *:*) if [ "$PROGRAM" != compiler ]; then # # Assume that this is 4.0 syntax for a bridge # local bridge bridge=${interface%:*} list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge" interface=${interface#*:} else startup_error "Invalid Interface Name: $interface" fi ;; +) startup_error "Invalid Interface Name: +" ;; *+) wildcard=Yes ;; esac ALL_INTERFACES="$ALL_INTERFACES $interface" options=$(separate_list $options) iface=$(chain_base $interface) eval ${iface}_broadcast="$networks" eval ${iface}_zone="$z" eval ${iface}_options=\"$options\" for option in $options; do case $option in -) ;; dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-) ;; proxyarp) [ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface" ;; maclist) [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" ;; norfc1918) if [ "$PROGRAM" != compiler ]; then addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) if [ -n "$addr" ]; then addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//') for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do if in_network $addr $network; then startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface" fi done fi fi ;; arp_ignore=*) eval ${iface}_arp_ignore=${option#*=} ;; arp_ignore) eval ${iface}_arp_ignore=1 ;; detectnets) [ -n "$wildcard" ] && \ startup_error "The \"detectnets\" option may not be used with a wild-card interface" [ -n "$EXPORT" ] && \ startup_error "'detectnets' not permitted with the -e run-line option" ;; routeback) [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" ;; *) [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done done < $TMP_DIR/interfaces [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" } # # Process the ipsec information in the zones file # setup_ipsec() { local zone local using_ipsec using_ipsec= # # Add a --set-mss rule to the passed chain # set_mss1() # $1 = chain, $2 = MSS { local policy eval policy=\$${1}_policy if [ "$policy" != NONE ]; then ensurechain $1 local match match= [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: " run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2 fi } # # Set up rules to set MSS to and/or from zone "$zone" # set_mss() # $1 = MSS value, $2 = _in, _out or "" { for z in $ZONES $FW; do case $2 in _in) set_mss1 ${zone}2${z} $1 ;; _out) set_mss1 ${z}2${zone} $1 ;; *) set_mss1 ${z}2${zone} $1 set_mss1 ${zone}2${z} $1 ;; esac done } do_options() # $1 = _in, _out or "" - $2 = option list { local option local newoptions newoptions= local val [ x${2} = x- ] && return for option in $(separate_list $2); do val=${option#*=} case $option in mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;; strict) newoptions="$newoptions --strict" ;; next) newoptions="$newoptions --next" ;; reqid=*) newoptions="$newoptions --reqid $val" ;; spi=*) newoptions="$newoptions --spi $val" ;; proto=*) newoptions="$newoptions --proto $val" ;; mode=*) newoptions="$newoptions --mode $val" ;; tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; reqid!=*) newoptions="$newoptions ! --reqid $val" ;; spi!=*) newoptions="$newoptions ! --spi $val" ;; proto!=*) newoptions="$newoptions ! --proto $val" ;; mode!=*) newoptions="$newoptions ! --mode $val" ;; tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; *) fatal_error "Invalid option \"$option\" for zone $zone" ;; esac done if [ -n "$newoptions" ]; then [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" eval ${zone}_is_complex=Yes eval ${zone}_ipsec${1}_options=\"${newoptions# }\" fi } case $IPSECFILE in zones) f=zones progress_message "$DOING IPSEC..." [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." ;; ipsec) using_ipsec=Yes if [ -s ${TMP_DIR}/ipsec ]; then progress_message "$DOING ipsec..." [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." f=ipsec else return fi ;; esac while read zone type options in_options out_options mss; do if [ -n "$using_ipsec" ]; then validate_zone1 $zone || fatal_error "Unknown zone: $zone" fi if [ -n "$type" ]; then if [ -n "$using_ipsec" ]; then case $type in No|no) ;; Yes|yes) [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" eval ${zone}_is_ipsec=Yes eval ${zone}_is_complex=Yes eval ${zone}_type=ipsec4 ;; *) fatal_error "Invalid IPSEC column contents" ;; esac fi do_options "" $options do_options "_in" $in_options do_options "_out" $out_options fi done < $TMP_DIR/$f } # # Validate the zone names and options in the hosts file # validate_hosts_file() { local z local hosts local options local r local interface local host local option local zports local ipsec ipsec= check_bridge_port() { list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1" } while read z hosts options; do r="$z $hosts $options" validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" case $hosts in *:*) interface=${hosts%%:*} iface=$(chain_base $interface) list_search $interface $ALL_INTERFACES || \ startup_error "Unknown interface ($interface) in record \"$r\"" hosts=${hosts#*:} ;; *) startup_error "Invalid HOST(S) column contents: $hosts" ;; esac eval zports=\$${z}_ports if [ -z "$BRIDGING" ]; then case $hosts in *!*!*) startup_error "Invalid hosts file entry: \"$r\"" ;; !*) hosts=0.0.0.0/0 eval ${z}_is_complex=Yes ;; *!*) hosts=${hosts%%!*} eval ${z}_is_complex=Yes ;; esac fi for host in $(separate_list $hosts); do if [ -n "$BRIDGING" ]; then case $host in *:*) known_interface ${host%:*} && \ startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" check_bridge_port ${host%%:*} ;; *.*.*) ;; *+|+*|*!*) eval ${z}_is_complex=Yes ;; *) known_interface $host && \ startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" check_bridge_port $host ;; esac else case $host in *.*.*) ;; +*) eval ${z}_is_complex=Yes ;; *) startup_error "BRIDGING=Yes is needed for this zone definition: $r" ;; esac fi for option in $(separate_list $options) ; do case $option in norfc1918|blacklist|tcpflags|nosmurfs|-) ;; maclist) [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" ;; ipsec) [ -n "$POLICY_MATCH" ] || \ startup_error "Your kernel and/or iptables does not support policy match: ipsec" eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" eval ${z}_is_complex=Yes ipsec=Yes ;; routeback) eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" ;; *) error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done done [ -n "$zports" ] && eval ${z}_ports=\"$zports\" done < $TMP_DIR/hosts [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS" [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH= } # # Find interfaces to a given zone # # Search the variables representing the contents of the interfaces file and # for each record matching the passed ZONE, echo the expanded contents of # the "INTERFACE" column # find_interfaces() # $1 = interface zone { local zne zne=$1 local z local interface for interface in $ALL_INTERFACES; do eval z=\$$(chain_base $interface)_zone [ "x${z}" = x${zne} ] && echo $interface done } # # Forward Chain for an interface # forward_chain() # $1 = interface { echo $(chain_base $1)_fwd } # # Input Chain for an interface # input_chain() # $1 = interface { echo $(chain_base $1)_in } # # Output Chain for an interface # output_chain() # $1 = interface { echo $(chain_base $1)_out } # # Masquerade Chain for an interface # masq_chain() # $1 = interface { echo $(chain_base $1)_masq } # # MAC Verification Chain for an interface # mac_chain() # $1 = interface { echo $(chain_base $1)_mac } macrecent_target() # $1 - interface { [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN } # # Functions for creating dynamic zone rules # dynamic_fwd() # $1 = interface { echo $(chain_base $1)_dynf } dynamic_in() # $1 = interface { echo $(chain_base $1)_dyni } dynamic_out() # $1 = interface { echo $(chain_base $1)_dyno } dynamic_chains() #$1 = interface { local c c=$(chain_base $1) echo ${c}_dyni ${c}_dynf ${c}_dyno } # # DNAT Chain from a zone # dnat_chain() # $1 = zone { echo ${1}_dnat } # # SNAT Chain to an interface # snat_chain() # $1 = interface { echo $(chain_base $1)_snat } # # ECN Chain to an interface # ecn_chain() # $1 = interface { echo $(chain_base $1)_ecn } # # First chains for an interface # first_chains() #$1 = interface { local c c=$(chain_base $1) echo ${c}_fwd ${c}_in } # # Out Chain to an interface # out_chain() # $1 = interface { echo $(chain_base $1)_out } # # Horrible hack to work around an iptables limitation # iprange_echo() { if [ -n "$KLUDGEFREE" ]; then echo "-m iprange $@" elif [ -f $TMP_DIR/iprange ]; then echo $@ else echo "-m iprange $@" > $TMP_DIR/iprange fi } # # Get set flags (ipsets). # get_set_flags() # $1 = set name and optional [levels], $2 = src or dst { local temp local setname setname=$1 local options options=$2 [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" case $1 in *\[[1-6]\]) temp=${1#*\[} temp=${temp%\]} setname=${1%\[*} while [ $temp -gt 1 ]; do options="$options,$2" temp=$(($temp - 1)) done ;; *\[*\]) options=${1#*\[} options=${options%\]} setname=${1%\[*} ;; *) ;; esac echo "--set ${setname#+} $options" } # # Horrible hack to work around an iptables limitation # physdev_echo() { if [ -n "$KLUDGEFREE" ]; then echo -m physdev $@ elif [ -f $TMP_DIR/physdev ]; then echo $@ else echo -m physdev $@ > $TMP_DIR/physdev fi } # # Source IP range # source_ip_range() # $1 = Address or Address Range { [ $# -gt 0 ] && case $1 in *.*.*.*-*.*.*.*) case $1 in !*) iprange_echo "! --src-range ${1#!}" ;; *) iprange_echo "--src-range $1" ;; esac ;; !+*) echo "-m set ! $(get_set_flags ${1#!} src)" ;; +*) echo "-m set $(get_set_flags $1 src)" ;; *) echo "-s $1" ;; esac } # # Destination IP range # dest_ip_range() # $1 = Address or Address Range { [ $# -gt 0 ] && case $1 in *.*.*.*-*.*.*.*) case $1 in !*) iprange_echo "! --dst-range ${1#!}" ;; *) iprange_echo "--dst-range $1" ;; esac ;; !+*) echo "-m set ! $(get_set_flags ${1#!} dst)" ;; +*) echo "-m set $(get_set_flags $1 dst)" ;; *) echo "-d $1" ;; esac } both_ip_ranges() # $1 = Source address or range, $2 = dest address or range { local rangeprefix rangeprefix= local setprefix setprefix= local rangematch rangematch= local setmatch setmatch= case $1 in *.*.*.*-*.*.*.*) rangeprefix="-m iprange" rangematch="--src-range $1" ;; !+*) setprefix="-m set" setmatch="! $(get_set_flags ${1#!} src)" ;; +*) setprefix="-m set" setmatch="$(get_set_flags $1 src)" ;; *) rangematch="-s $1" ;; esac case $2 in *.*.*.*-*.*.*.*) rangeprefix="-m iprange" rangematch="$rangematch --dst-range $2" ;; !+*) setprefix="-m set" match="$setmatch ! $(get_set_flags ${2#!} dst)" ;; +*) setprefix="-m set" setmatch="$setmatch $(get_set_flags $2 dst)" ;; *) rangematch="$rangematch -d $2" ;; esac echo "$rangeprefix $rangematch $setprefix $setmatch" } # # Loosly Match the name of an interface # if_match() # $1 = Name in interfaces file - may end in "+" # $2 = Full interface name - may also end in "+" { local pattern pattern=${1%+} case $1 in *+) test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" ;; *) test "x$1" = "x$2" ;; esac } # # We allow hosts to be specified by IP address or by physdev. These two functions # are used to produce the proper match in a netfilter rule. # match_source_hosts() { if [ -n "$BRIDGING" ]; then case $1 in *:*) physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" ;; *.*.*.*|+*|!+*) echo $(source_ip_range $1) ;; *) physdev_echo "--physdev-in $1" ;; esac else echo $(source_ip_range $1) fi } match_dest_hosts() { if [ -n "$BRIDGING" ]; then case $1 in *:*) physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" ;; *.*.*.*|+*|!+*) echo $(dest_ip_range $1) ;; *) physdev_echo "--physdev-out $1" ;; esac else echo $(dest_ip_range $1) fi } # # Matches for either or :
# match_source() { case "$1" in *:*) echo "-i ${1%%:*} $(match_source_hosts ${1#*:})" ;; *) echo $(dest_ip_range $1) ;; esac } match_dest() { case "$1" in *:*) echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})" ;; *) echo $(dest_ip_range $1) ;; esac } # # Similarly, the source or destination in a rule can be qualified by a device name. If # the device is defined in ${CONFDIR}/interfaces then a normal interface match is # generated (-i or -o); otherwise, a physdev match is generated. #------------------------------------------------------------------------------------- # # loosely match the passed interface with those in ${CONFDIR}/interfaces. # known_interface() # $1 = interface name { local iface for iface in $ALL_INTERFACES ; do if if_match $iface $1 ; then return 0 fi done return 1 } known_port() # $1 = port name { local port for port in $ALL_PORTS ; do if if_match $port $1 ; then return 0 fi done return 1 } match_source_dev() { if [ -n "$BRIDGING" ]; then known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1 elif known_interface $1; then echo -i $1 elif [ -n "$PHYSDEV_MATCH" ]; then physdev_echo "--physdev-in $1" else echo -i $1 fi } match_dest_dev() { if [ -n "$BRIDGING" ]; then known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1 elif known_interface $1; then echo -o $1 elif [ -n "$PHYSDEV_MATCH" ]; then physdev_echo "--physdev-out $1" else echo -o $1 fi } verify_interface() { known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } } # # Determine if communication to/from a host is encrypted using IPSEC # is_ipsec_host() # $1 = zone, $2 = host { local is_ipsec eval is_ipsec=\$${1}_is_ipsec local hosts eval hosts=\"\$${1}_ipsec_hosts\" test -n "$is_ipsec" || list_search $2 $hosts } # # Generate a match for decrypted packets # match_ipsec_in() # $1 = zone, $2 = host { if is_ipsec_host $1 $2 ; then local options eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" echo "-m policy --pol ipsec --dir in $options" elif [ -n "$POLICY_MATCH" ]; then echo "-m policy --pol none --dir in" fi } # # Generate a match for packets that will be encrypted # match_ipsec_out() # $1 = zone, $2 = host { if is_ipsec_host $1 $2 ; then local options eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" echo "-m policy --pol ipsec --dir out $options" elif [ -n "$POLICY_MATCH" ]; then echo "-m policy --pol none --dir out" fi } # # Jacket for ip_range() that takes care of iprange match # firewall_ip_range() # $1 = IP address or range { [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 } # # # Find hosts in a given zone # # Read hosts file and for each record matching the passed ZONE, # echo the expanded contents of the "HOST(S)" column # find_hosts() # $1 = host zone { local hosts local interface local address local addresses while read z hosts options; do if [ "x$(expand $z)" = "x$1" ]; then interface=${hosts%%:*} addresses=${hosts#*:} case $addresses in !*) echo $interface:0.0.0.0/0 ;; *) for address in $(separate_list ${addresses%%!*}); do echo $interface:$address done ;; esac fi done < $TMP_DIR/hosts } # # # Find exclusions in a given zone # # Read hosts file and for each record matching the passed ZONE, # echo any exclusions # find_exclusions() # $1 = host zone { local hosts local interface local address local addresses while read z hosts options; do if [ "x$z" = "x$1" ]; then interface=${hosts%%:*} addresses=${hosts#*:} case $addresses in *!*) for address in $(separate_list ${addresses#*!}); do echo $interface:$address done ;; esac fi done < $TMP_DIR/hosts } # # Determine the interfaces on the firewall # # For each zone, create a variable called ${zone}_interfaces. This # variable contains a space-separated list of interfaces to the zone # determine_interfaces() { for zone in $ZONES; do interfaces=$(find_interfaces $zone) interfaces=$(echo $interfaces) # Remove extra trash eval ${zone}_interfaces=\"\$interfaces\" done } # # Determine if an interface has a given option # interface_has_option() # $1 = interface, #2 = option { local options eval options=\$$(chain_base $1)_options list_search $2 $options } # # Determine the defined hosts in each zone # determine_hosts() { for zone in $ZONES; do hosts=$(find_hosts $zone) hosts=$(echo $hosts) # Remove extra trash exclusions=$(find_exclusions $zone) exclusions=$(echo $exclusions) # Remove extra trash eval interfaces=\$${zone}_interfaces for interface in $interfaces; do if interface_has_option $interface detectnets; then networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" ) else networks=0.0.0.0/0 fi for network in $networks; do if [ -z "$hosts" ]; then hosts=$interface:$network else hosts="$hosts $interface:$network" fi if interface_has_option $interface routeback; then eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" fi done done interfaces= for host in $hosts; do interface=${host%:*} if list_search $interface $interfaces; then list_search $interface:0.0.0.0/0 $hosts && \ startup_error "Invalid zone definition for zone $zone" list_search $interface:0/0 $hosts && \ startup_error "Invalid zone definition for zone $zone" eval ${zone}_is_complex=Yes else if [ -z "$interfaces" ]; then interfaces=$interface else interfaces="$interfaces $interface" fi fi done eval ${zone}_exclusions="\$exclusions" eval ${zone}_interfaces="\$interfaces" eval ${zone}_hosts="\$hosts" if [ -n "$hosts" ]; then if [ $VERBOSE -ge 1 ]; then [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts fi else error_message "WARNING: Zone $zone is empty" fi done } # # Ensure that the passed zone is defined in the zones file or is the firewall # validate_zone() # $1 = zone { list_search $1 $ZONES $FW } # # Ensure that the passed zone is defined in the zones file. # validate_zone1() # $1 = zone { list_search $1 $ZONES } # # Format a match by the passed MAC address # The passed address begins with "~" and uses "-" as a separator between bytes # Example: ~01-02-03-04-05-06 # mac_match() # $1 = MAC address formated as described above { echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" } # # Find interfaces that have the passed option specified # find_interfaces_by_option() # $1 = option { for interface in $ALL_INTERFACES; do eval options=\$$(chain_base $interface)_options list_search $1 $options && echo $interface done } # # This slightly slower version is used to find both the option and option followed # by equal sign ("=") and a value # find_interfaces_by_option1() # $1 = option { local options local option for interface in $ALL_INTERFACES; do eval options=\$$(chain_base $interface)_options for option in $options; do if [ "${option%=*}" = "$1" ]; then echo $interface break fi done done } # # Find hosts with the passed option # find_hosts_by_option() # $1 = option { local ignore local hosts local interface local address local addresses local options local ipsec ipsec= local list while read ignore hosts options; do list=$(separate_list $options) if list_search $1 $list; then list_search ipsec $list && ipsec=ipsec || ipsec=none interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do echo ${ipsec}^$interface:$address done fi done < $TMP_DIR/hosts for interface in $ALL_INTERFACES; do interface_has_option $interface $1 && \ echo none^${interface}:0.0.0.0/0 done } # # Process the routestopped file either adding or deleting rules # process_routestopped() # $1 = command { local hosts hosts= local interface local host local host1 local options local networks local source source= local dest dest= local matched while read interface host options; do [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 for h in $(separate_list $host); do hosts="$hosts $interface:$h" done routeback= if [ -n "$options" ]; then for option in $(separate_list $options); do case $option in routeback) if [ -n "$routeback" ]; then error_message "WARNING: Duplicate routestopped option ignored: routeback" else routeback=Yes for h in $(separate_list $host); do run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT done fi ;; source) for h in $(separate_list $host); do source="$source $interface:$h" done ;; dest) for h in $(separate_list $host); do dest="$dest $interface:$h" done ;; critical) ;; *) error_message "WARNING: Unknown routestopped option ignored: $option" ;; esac done fi done < $TMP_DIR/routestopped for host in $hosts; do interface=${host%:*} networks=${host#*:} source_range=$(source_ip_range $networks) dest_range=$(dest_ip_range $networks) run_iptables $1 INPUT -i $interface $source_range -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT matched= if list_search $host $source ; then run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT matched=Yes fi if list_search $host $dest ; then run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT matched=Yes fi if [ -z "$matched" ]; then for host1 in $hosts; do [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT done fi done } process_criticalhosts() { local hosts hosts= local interface local host local h local options local networks local criticalhosts criticalhosts= while read interface host options; do [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) if [ -n "$options" ]; then for option in $(separate_list $options); do case $option in routeback|source|dest) ;; critical) for h in $host; do criticalhosts="$criticalhosts $interface:$h" done ;; *) error_message "WARNING: Unknown routestopped option ignored: $option" ;; esac done fi done < $TMP_DIR/routestopped if [ -n "$criticalhosts" ]; then CRITICALHOSTS=$criticalhosts progress_message "Critical Hosts are:$CRITICALHOSTS" fi } # # create a temporary directory # mktempdir() { [ -z "$MKTEMP" ] && find_mktemp case "$MKTEMP" in STD) mktemp -td shorewall.XXXXXX ;; None|BSD) # # Not all versions of the BSD mktemp support the -d option under Linux # qt rm -rf /tmp/shorewall-$$ mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ ;; *) error_message "ERROR:Internal error in mktempdir" ;; esac } # # Read a file and handle "INCLUDE" directives # read_file() # $1 = file name, $2 = nest count { local first local rest if [ -f $1 ]; then while read first rest; do if [ "x$first" = "xINCLUDE" ]; then if [ $2 -lt 4 ]; then read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) else error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" fi else echo "$first $rest" fi done < $1 else [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1" echo "WARNING -- No such file: $1" fi } # # Strip comments and blank lines from a file and place the result in the # temporary directory # strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) { local fname if [ ! -f $TMP_DIR/$1 ]; then [ $# = 1 ] && fname=$(find_file $1) || fname=$2 if [ -f $fname ]; then read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 else > $TMP_DIR/$1 fi fi } # # Strip the passed file. # # Return success if # a) the stripped file is non-empty and the library was successfully loaded; or # b) the stripped file is empty but the library had been loaded previously # strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty { local f f=$(find_file $1) strip_file $1 $f if [ -s $TMP_DIR/$1 ]; then lib_load $2 "A non-empty $1 file ($f)" return 0 fi eval test -n \"\$LIB_${2}_LOADED\" } # # Check that a mark value or mask is less that 256 or that it is less than 65536 and # that it's lower 8 bits are zero. # verify_mark() # $1 = value to test { verify_mark2() { case $1 in 0*) [ $(($1)) -lt 256 ] && return 0 [ -n "$HIGH_ROUTE_MARKS" ] || return 1 [ $(($1)) -gt 65535 ] && return 1 return $(($1 & 0xFF)) ;; [1-9]*) [ $1 -lt 256 ] && return 0 [ -n "$HIGH_ROUTE_MARKS" ] || return 1 [ $1 -gt 65535 ] && return 1 return $(($1 & 0xFF)) ;; *) return 2 ;; esac } verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" } # # Determine the value for a parameter that defaults to Yes # added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value { local val val="$2" if [ -z "$val" ]; then echo "Yes" else case $val in [Yy][Ee][Ss]) echo "Yes" ;; [Nn][Oo]) echo "" ;; *) startup_error "Invalid value ($val) for $1" ;; esac fi } # # Determine the value for a parameter that defaults to No # added_param_value_no() # $1 = Parameter Name, $2 = Parameter value { local val val="$2" if [ -z "$val" ]; then echo "" else case $val in [Yy][Ee][Ss]) echo "Yes" ;; [Nn][Oo]) echo "" ;; *) startup_error "Invalid value ($val) for $1" ;; esac fi } # # Initialize this program # do_initialize() { # Run all utility programs using the C locale # # Thanks to Vincent Planchenault for this tip # export LC_ALL=C # Make sure umask is sane umask 077 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin # # Establish termination function # TERMINATOR=fatal_error # # Clear all configuration variables (shorewall.conf) # STARTUP_ENABLED= # #VERBOSE is inherited -- VERBOSITY is only used in the CIs # # # Logging # LOGFILE= LOGFORMAT= LOGTAGONLY= LOGRATE= LOGBURST= LOGALLNEW= BLACKLIST_LOGLEVEL= MACLIST_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= SMURF_LOG_LEVEL= LOG_MARTIANS= # # Location of files # IPTABLES= #PATH is inherited SHOREWALL_SHELL= SUBSYSLOCK= MODULESDIR= #CONFIG_PATH is inherited RESTOREFILE= IPSECFILE= LOCKFILE= # # Default Actions/Macros # DROP_DEFAULT= REJECT_DEFAULT= ACCEPT_DEFAULT= QUEUE_DEFAULT= # # Firewall Options # IP_FORWARDING= ADD_IP_ALIASES= ADD_SNAT_ALIASES= RETAIN_ALIASES= TC_ENABLED= TC_EXPERT= CLEAR_TC= MARK_IN_FORWARD_CHAIN= CLAMPMSS= ROUTE_FILTER= DETECT_DNAT_IPADDRS= MUTEX_TIMEOUT= ADMINISABSENTMINDED= BLACKLISTNEWONLY= DELAYBLACKLISTLOAD= MODULE_SUFFIX= DISABLE_IPV6= BRIDGING= DYNAMIC_ZONES= PKTTYPE= RFC1918_STRICT= MACLIST_TABLE= MACLIST_TTL= SAVE_IPSETS= MAPOLDACTIONS= FASTACCEPT= IMPLICIT_CONTINUE= HIGH_ROUTE_MARKS= USE_ACTIONS= OPTIMIZE= EXPORTPARAMS= KEEP_TC_RULES= DELETE_THEN_ADD= DONT_LOAD= # # Packet Disposition # MACLIST_DISPOSITION= TCP_FLAGS_DISPOSITION= BLACKLIST_DISPOSITION= # # Other Globals # VERSION= FW= USEPKTYPE= LOGLIMIT= LOGPARMS= OUTPUT= ALL_INTERFACES= ROUTEMARK_INTERFACES= PROVIDERS= CRITICALHOSTS= EXCLUSION_SEQ=1 STOPPING= HAVE_MUTEX= ALIASES_TO_ADD= SECTION=ESTABLISHED SECTIONS= ALL_PORTS= ACTIONS= USEDACTIONS= DEFAULT_MACROS= COMMENT= VERSION_FILE= LOGRULENUMBERS= ORIGINAL_POLICY_MATCH= ORIGINAL_MANGLE_ENABLED= ensure_config_path VERSION_FILE=$SHAREDIR/version [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) [ -d /usr/share/shorewall-perl ] && set -a; run_user_exit params set +a config=$(find_file shorewall.conf) if [ -f $config ]; then if [ -r $config ]; then progress_message "Processing $config..." . $config else startup_error "Cannot read $config (Hint: Are you root?)" fi else startup_error "$config does not exist!" fi # # Restore CONFIG_PATH if the shorewall.conf file cleared it # ensure_config_path TMP_DIR=$(mktempdir) [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ startup_error "Can't create a temporary directory" case $PROGRAM in compiler) trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 ;; firewall) trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 ;; esac # # Determine the capabilities of the installed iptables/netfilter # We load the kernel modules here to accurately determine # capabilities when module autoloading isn't enabled. # PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )" [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then load_kernel_modules Yes if [ -z "$IPTABLES" ]; then IPTABLES=$(mywhich iptables 2> /dev/null) [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" else [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" fi f=$(find_file capabilities) [ -f $f ] && . $f || determine_capabilities else f=$(find_file capabilities) [ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file" fi if [ -n "$CAPVERSION" ]; then [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION" else error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION" fi ORIGINAL_POLICY_MATCH=$POLICY_MATCH ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" if [ -n "${LOGRATE}${LOGBURST}" ]; then LOGLIMIT="--match limit" [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" fi if [ -n "$IP_FORWARDING" ]; then case "$IP_FORWARDING" in On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP) ;; *) startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" ;; esac else IP_FORWARDING=On fi if [ -n "$ROUTE_FILTER" ]; then case "$ROUTE_FILTER" in Yes|yes|YES) ROUTE_FILTER=yes ;; No|no|NO) ROUTE_FILTER=no ;; Keep|keep|KEEP) ROUTE_FILTER= ;; *) startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER" ;; esac else ROUTE_FILTER= fi if [ -n "$LOG_MARTIANS" ]; then case "$LOG_MARTIANS" in Yes|yes|YES) LOG_MARTIANS=yes ;; No|no|NO) LOG_MARTIANS=no ;; Keep|keep|KEEP) LOG_MARTIANS= ;; *) startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS" ;; esac else LOG_MARTIANS=yes fi [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] case "$CLAMPMSS" in [0-9]*) ;; *) CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) ;; esac ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) MACLIST_TARGET=reject if [ -n "$MACLIST_DISPOSITION" ] ; then case $MACLIST_DISPOSITION in REJECT) ;; DROP) MACLIST_TARGET=DROP ;; ACCEPT) MACLIST_TARGET=RETURN ;; *) startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" ;; esac else MACLIST_DISPOSITION=REJECT fi if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then case $TCP_FLAGS_DISPOSITION in REJECT|ACCEPT|DROP) ;; *) startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" ;; esac else TCP_FLAGS_DISPOSITION=DROP fi [ -n "${RFC1918_LOG_LEVEL:=info}" ] MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) if [ -n "$LOGFORMAT" ]; then if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then LOGRULENUMBERS=Yes temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null) if [ $? -ne 0 ]; then startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fi else temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null) if [ $? -ne 0 ]; then startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fi fi [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) )) MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*} else LOGFORMAT="Shorewall:%s:%s:" MAXZONENAMELENGTH=5 fi ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) if [ -n "$DYNAMIC_ZONES" ]; then [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" fi STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes" IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS) KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) if [ -n "$MANGLE_ENABLED" ] ; then case $MANGLE_ENABLED in Yes|yes) ;; No|no) MANGLE_ENABLED= ;; *) startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; ;; esac fi [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK= [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" case ${MACLIST_TABLE:=filter} in filter) ;; mangle) [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" ;; *) startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" ;; esac TC_SCRIPT= if [ -n "$TC_ENABLED" ] ; then case "$TC_ENABLED" in [Yy][Ee][Ss]) TC_ENABLED=Yes TC_SCRIPT=$(find_file tcstart) [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file" ;; [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) TC_ENABLED=Internal ;; [Nn][Oo]) TC_ENABLED= ;; esac else TC_ENABLED=Yes fi if [ -n "$TC_ENABLED" ];then [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf" fi [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" [ -n "${RESTOREFILE:=restore}" ] case "${DROP_DEFAULT:=Drop}" in None) DROP_DEFAULT=none ;; esac case "${REJECT_DEFAULT:=Reject}" in None) REJECT_DEFAULT=none ;; esac case "${QUEUE_DEFAULT:=none}" in None) QUEUE_DEFAULT=none ;; esac case "${ACCEPT_DEFAULT:=none}" in None) ACCEPT_DEFAULT=none ;; esac case "${OPTIMIZE:=0}" in 0|1) ;; *) startup_error "Invalid OPTIMIZE value ($OPTIMIZE)" ;; esac if [ -n "$LOCKFILE" ]; then [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist" fi # # Check out the user's shell # [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] temp=$(decodeaddr 192.168.1.1) if [ $(encodeaddr $temp) != 192.168.1.1 ]; then startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fi if [ -z "$KLUDGEFREE" ]; then rm -f $TMP_DIR/physdev rm -f $TMP_DIR/iprange fi qt mywhich awk && HAVEAWK=Yes || HAVEAWK= # # Pre-process all of the standard files # # Because 'strip_file()' does shell variable expansion, we must first determine the # setting of $FW # case ${IPSECFILE:=ipsec} in ipsec) [ -n "${FW:=fw}" ] strip_file ipsec ;; zones) get_firewall_zone ;; *) startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" ;; esac strip_file zones strip_file routestopped strip_file interfaces strip_file hosts if [ $PROGRAM = compiler ]; then strip_file_and_lib_load accounting accounting if [ -n "$USE_ACTIONS" ]; then strip_file actions strip_file actions.std ${SHAREDIR}/actions.std fi strip_file blacklist strip_file ecn strip_file maclist strip_file_and_lib_load masq nat strip_file_and_lib_load nat nat strip_file_and_lib_load netmap nat strip_file policy strip_file_and_lib_load providers providers && strip_file route_rules strip_file_and_lib_load proxyarp proxyarp strip_file rfc1918 strip_file routestopped strip_file rules if [ "$TC_ENABLED" = Internal ]; then strip_file_and_lib_load tcdevices tc strip_file_and_lib_load tcclasses tc fi strip_file_and_lib_load tcrules tcrules strip_file tos strip_file_and_lib_load tunnels tunnels fi [ "$IPSECFILE" = zones ] && FW= }