###############################################################################
# Code imported from /usr/share/shorewall/prog.footer
#
# (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
###############################################################################
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [ options ] "
echo
echo " is one of:"
echo " start"
echo " stop"
echo " clear"
echo " disable "
echo " down "
echo " enable "
echo " reset"
echo " reenable "
echo " refresh"
echo " reload"
echo " restart"
echo " run [ ... ]"
echo " status"
echo " up "
echo " savesets "
echo " call [ ... ]"
echo " help"
echo " version"
echo " info"
echo
echo "Options are:"
echo
echo " -v and -q Standard Shorewall verbosity controls"
echo " -n Don't update routing configuration"
echo " -p Purge Conntrack Table"
echo " -t Timestamp progress Messages"
echo " -c Save/restore iptables counters"
echo " -V Set verbosity explicitly"
echo " -R Override RESTOREFILE setting"
echo " -T Trace execution"
echo " -D Debug iptables"
exit $1
}
start_command() {
if product_is_started; then
error_message "$g_product is already Running"
status=0
else
progress_message3 "Starting $g_product...."
detect_configuration
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
fi
return $status
}
stop_command() {
progress_message3 "Stopping $g_product...."
detect_configuration
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
return 0
}
reload_command() {
if product_is_started; then
progress_message3 "Reloading $g_product...."
else
error_message "$g_product is not running"
progress_message3 "Starting $g_product...."
COMMAND=start
fi
detect_configuration
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
progress_message3 "done."
else
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
fi
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
#
# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
#
[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
#
# Map other old exported variables
#
g_purge=$PURGE
g_noroutes=$NOROUTES
g_timestamp=$TIMESTAMP
g_recovering=$RECOVERING
#
# These two variables contain the high-order and low-order parts respectively of
# an SHA1 digest of this file. The digest is generated before the two following
# lines are updated to contain the value of that digest.
#
g_sha1sum1=
g_sha1sum2=
#
# Other Globals
#
g_counters=
g_compiled=
g_file=
g_docker=
g_dockeringress=
g_dockeriso=
g_dockerisostage=
g_forcereload=
g_fallback=
g_debug_iptables=
[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
initialize
if [ -n "$STARTUP_LOG" ]; then
touch $STARTUP_LOG
chmod 0600 $STARTUP_LOG
if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
#
# We're being run by a startup script that isn't redirecting STDOUT
# Redirect it to the log
#
exec 2>>$STARTUP_LOG
fi
fi
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
v*)
[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
option=${option#v}
;;
q*)
[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
option=${option#q}
;;
n*)
g_noroutes=Yes
option=${option#n}
;;
t*)
g_timestamp=Yes
option=${option#t}
;;
p*)
g_purge=Yes
option=${option#p}
;;
r*)
g_recovering=Yes
option=${option#r}
;;
c*)
g_counters=Yes
option=${option#c}
;;
V*)
option=${option#V}
if [ -z "$option" -a $# -gt 0 ]; then
shift
option=$1
fi
if [ -n "$option" ]; then
case $option in
-1|0|1|2)
VERBOSITY=$option
option=
;;
*)
startup_error "Invalid -V option value ($option)"
;;
esac
else
startup_error "Missing -V option value"
fi
;;
R*)
option=${option#R}
if [ -z "$option" -a $# -gt 0 ]; then
shift
option=$1
fi
if [ -n "$option" ]; then
case $option in
*/*)
startup_error "-R must specify a simple file name: $option"
;;
.safe|.try|NONE)
;;
.*)
error_message "ERROR: Reserved File Name: $RESTOREFILE"
exit 2
;;
esac
else
startup_error "Missing -R option value"
fi
RESTOREFILE=$option
option=
;;
T*)
set -x;
option=${option#T}
;;
D*)
g_debug_iptables=Yes
option=${option#D}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
COMMAND="$1"
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
start_command
;;
stop)
[ $# -ne 1 ] && usage 2
stop_command
;;
reset)
if ! product_is_started ; then
error_message "$g_product is not running"
status=2
elif [ $# -eq 1 ]; then
for table in raw mangle nat filter; do
qt $g_tool -t $table -Z
done
date > ${VARDIR}/restarted
status=0
progress_message3 "$g_product Counters Reset"
else
shift
status=0
table=filter
for chain in $@; do
case $chain in
*:*)
table=${chain%:*}
chain=${chain#*:}
case $table in
raw|nat|mangle|filter)
;;
*)
error_message "ERROR: Invalid table name ($table)"
status=2
;;
esac
;;
*)
;;
esac
if [ $status -eq 0 ]; then
if chain_exists $chain $table; then
if qt $g_tool -t $table -Z $chain; then
progress_message3 "Completed counter reset of $table chain $chain"
else
error_message "ERROR: Reset of $table chain $chain failed"
status=2
break
fi
else
error_message "WARNING: $table chain $chain does not exist"
fi
else
break;
fi
done
fi
;;
reload)
[ $# -ne 1 ] && usage 2
reload_command
;;
restart)
[ $# -ne 1 ] && usage 2
if [ "$RESTART" = restart ]; then
COMMAND=stop stop_command && COMMAND=start start_command
else
COMMAND=reload
reload_command
fi
;;
refresh)
[ $# -ne 1 ] && usage 2
if product_is_started; then
progress_message3 "Refreshing $g_product...."
detect_configuration
define_firewall
status=$?
[ $status -eq 0 ] && progress_message3 "done."
else
echo "$g_product is not running" >&2
status=2
fi
;;
restore)
[ $# -ne 1 ] && usage 2
detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
[ $status -eq 0 ] && progress_message3 "done."
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $g_product...."
detect_configuration
clear_firewall
status=0
if [ -n "$SUBSYSLOCK" ]; then
rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
status)
[ $# -ne 1 ] && usage 2
[ $VERBOSITY -ge 1 ] && echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)" && echo
if product_is_started; then
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
status=0
else
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
[ $VERBOSITY -ge 1 ] && echo "State:$state" && echo
;;
up|down)
[ $# -eq 1 ] && exit 0
shift
[ $# -ne 1 ] && usage 2
mutex_on
( updown $1 )
mutex_off
status=0
;;
enable)
[ $# -eq 1 ] && exit 0
shift
[ $# -ne 1 ] && usage 2
mutex_on
if product_is_started; then
detect_configuration $1
enable_provider $1 Yes
fi
mutex_off
status=0
;;
disable)
[ $# -eq 1 ] && exit 0
shift
[ $# -ne 1 ] && usage 2
mutex_on
if product_is_started; then
detect_configuration $1
disable_provider $1 Yes
fi
mutex_off
status=0
;;
reenable)
[ $# -eq 1 ] && exit 0
shift
[ $# -ne 1 ] && usage 2
mutex_on
if product_is_started; then
COMMAND=disable
detect_configuration $1
disable_provider $1 Yes
COMMAND=enable
detect_configuration $1
enable_provider $1 Yes
fi
mutex_off
status=0
;;
run)
if [ $# -gt 1 ]; then
shift
detect_configuration
run_init_exit
eval $@
status=$?
else
error_message "ERROR: Missing command"
fi
;;
savesets)
if [ $# -eq 2 ]; then
save_ipsets $2
status=$?
else
usage 2
fi
;;
call)
#
# Way to call functions in the generated script directly
#
detect_configuration
shift
if [ $# -gt 0 ]; then
#
# See what it is
#
if type $1 2> /dev/null | fgrep -q 'is a function'; then
#
# It's a shell function -- call it
#
$@
else
fatal_error "$1 is not a known shell function"
fi
else
usage 1
fi
;;
version)
[ $# -ne 1 ] && usage 2
echo $SHOREWALL_VERSION
status=0
;;
info)
[ $# -ne 1 ] && usage 2
info_command
;;
help)
[ $# -ne 1 ] && usage 2
usage 0
;;
*)
usage 2
;;
esac
exit $status