mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-11 08:51:13 +01:00
01dad7b494
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6782 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
789 lines
20 KiB
Plaintext
789 lines
20 KiB
Plaintext
--- ../Shorewall-common/lib.base 2007-07-02 15:50:32.000000000 -0700
|
|
+++ prog.header 2007-07-04 09:32:31.000000000 -0700
|
|
@@ -1,48 +1,27 @@
|
|
-#!/bin/sh
|
|
-#
|
|
-# Shorewall 4.0 -- /usr/share/shorewall/lib.base
|
|
-#
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
#
|
|
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
-# Complete documentation is available at http://shorewall.net
|
|
+# Options are:
|
|
#
|
|
-# This program is free software; you can redistribute it and/or modify
|
|
-# it under the terms of Version 2 of the GNU General Public License
|
|
-# as published by the Free Software Foundation.
|
|
-#
|
|
-# This program is distributed in the hope that it will be useful,
|
|
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
-# GNU General Public License for more details.
|
|
-#
|
|
-# You should have received a copy of the GNU General Public License
|
|
-# along with this program; if not, write to the Free Software
|
|
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
-#
|
|
-# This library contains the code common to all Shorewall components.
|
|
-#
|
|
-# - It is copied into the compiled script with the -e compiler flag is specified to
|
|
-# shorewall-shell.
|
|
-# - It is loaded by /sbin/shorewall.
|
|
-# - It is loaded by /usr/share/shorewall/firewall.
|
|
-# - It is loaded by /usr/share/shorewall-shell/compiler.
|
|
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
|
|
-# and /usr/share/shorewall-lite/shorecap.
|
|
-# - It is released as part of Shorewall Perl where it is copied into the compiled script
|
|
-# by the compiler.
|
|
-#
|
|
-
|
|
-SHOREWALL_LIBVERSION=40000
|
|
-SHOREWALL_CAPVERSION=30405
|
|
-
|
|
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
|
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
|
-[ -n "${CONFDIR:=/etc/shorewall}" ]
|
|
-SHELLSHAREDIR=/usr/share/shorewall-shell
|
|
-PERLSHAREDIR=/usr/share/shorewall-perl
|
|
-
|
|
+# -n Don't alter Routing
|
|
+# -v and -q Standard Shorewall Verbosity control
|
|
+#
|
|
+# Commands are:
|
|
+#
|
|
+# start Starts the firewall
|
|
+# refresh Refresh the firewall
|
|
+# restart Restarts the firewall
|
|
+# reload Reload the firewall
|
|
+# clear Removes all firewall rules
|
|
+# stop Stops the firewall
|
|
+# status Displays firewall status
|
|
+# version Displays the version of Shorewall that
|
|
+# generated this program
|
|
+#
|
|
+################################################################################
|
|
+# Functions imported from /usr/share/shorewall/lib.base
|
|
+################################################################################
|
|
#
|
|
# Message to stderr
|
|
#
|
|
@@ -111,20 +90,6 @@
|
|
}
|
|
|
|
#
|
|
-# Undo the effect of 'separate_list()'
|
|
-#
|
|
-combine_list()
|
|
-{
|
|
- local f o=
|
|
-
|
|
- for f in $* ; do
|
|
- o="${o:+$o,}$f"
|
|
- done
|
|
-
|
|
- echo $o
|
|
-}
|
|
-
|
|
-#
|
|
# Suppress all output for a command
|
|
#
|
|
qt()
|
|
@@ -310,83 +275,6 @@
|
|
}
|
|
|
|
#
|
|
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
|
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
|
-# the first argument. Example "shorewall nolock refresh"
|
|
-#
|
|
-# This function uses the lockfile utility from procmail if it exists.
|
|
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
|
|
-# behavior of lockfile.
|
|
-#
|
|
-mutex_on()
|
|
-{
|
|
- local try=0
|
|
- local lockf=${LOCKFILE:=${VARDIR}/lock}
|
|
-
|
|
- MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
|
-
|
|
- if [ $MUTEX_TIMEOUT -gt 0 ]; then
|
|
-
|
|
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
-
|
|
- if qt mywhich lockfile; then
|
|
- lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
|
|
- else
|
|
- while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
|
- sleep 1
|
|
- try=$((${try} + 1))
|
|
- done
|
|
-
|
|
- if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
|
|
- # Create the lockfile
|
|
- echo $$ > ${lockf}
|
|
- else
|
|
- echo "Giving up on lock file ${lockf}" >&2
|
|
- fi
|
|
- fi
|
|
- fi
|
|
-}
|
|
-
|
|
-#
|
|
-# Call this function to release mutual exclusion
|
|
-#
|
|
-mutex_off()
|
|
-{
|
|
- rm -f ${LOCKFILE:=${VARDIR}/lock}
|
|
-}
|
|
-
|
|
-#
|
|
-# Load an optional library
|
|
-#
|
|
-lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
|
|
-{
|
|
- local lib=${SHAREDIR}/lib.$1
|
|
- local loaded
|
|
-
|
|
- eval loaded=\$LIB_${1}_LOADED
|
|
-
|
|
- if [ -z "$loaded" ]; then
|
|
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
|
|
-
|
|
- if [ -f $lib ]; then
|
|
- progress_message "Loading library $lib..."
|
|
- . $lib
|
|
- eval LIB_${1}_LOADED=Yes
|
|
- else
|
|
- startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
|
|
- fi
|
|
- fi
|
|
-}
|
|
-
|
|
-#
|
|
-# Determine if an optional library is available
|
|
-#
|
|
-lib_avail() # $1 = Name of the Library
|
|
-{
|
|
- [ -f ${SHAREDIR}/lib.$1 ]
|
|
-}
|
|
-
|
|
-#
|
|
# Note: The following set of IP address manipulation functions have anomalous
|
|
# behavior when the shell only supports 32-bit signed arithmatic and
|
|
# the IP address is 128.0.0.0 or 128.0.0.1.
|
|
@@ -395,32 +283,6 @@
|
|
LEFTSHIFT='<<'
|
|
|
|
#
|
|
-# Validate an IP address
|
|
-#
|
|
-valid_address() {
|
|
- local x y
|
|
- local ifs=$IFS
|
|
-
|
|
- IFS=.
|
|
-
|
|
- for x in $1; do
|
|
- case $x in
|
|
- [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
|
|
- [ $x -lt 256 ] || { IFS=$ifs; return 2; }
|
|
- ;;
|
|
- *)
|
|
- IFS=$ifs
|
|
- return 2
|
|
- ;;
|
|
- esac
|
|
- done
|
|
-
|
|
- IFS=$ifs
|
|
-
|
|
- return 0
|
|
-}
|
|
-
|
|
-#
|
|
# Convert an IP address in dot quad format to an integer
|
|
#
|
|
decodeaddr() {
|
|
@@ -456,88 +318,6 @@
|
|
}
|
|
|
|
#
|
|
-# Enumerate the members of an IP range -- When using a shell supporting only
|
|
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
|
-#
|
|
-# Comes in two flavors:
|
|
-#
|
|
-# ip_range() - produces a mimimal list of network/host addresses that spans
|
|
-# the range.
|
|
-#
|
|
-# ip_range_explicit() - explicitly enumerates the range.
|
|
-#
|
|
-ip_range() {
|
|
- local first last l x y z vlsm
|
|
-
|
|
- case $1 in
|
|
- !*)
|
|
- #
|
|
- # Let iptables complain if it's a range
|
|
- #
|
|
- echo $1
|
|
- return
|
|
- ;;
|
|
- [0-9]*.*.*.*-*.*.*.*)
|
|
- ;;
|
|
- *)
|
|
- echo $1
|
|
- return
|
|
- ;;
|
|
- esac
|
|
-
|
|
- first=$(decodeaddr ${1%-*})
|
|
- last=$(decodeaddr ${1#*-})
|
|
-
|
|
- if [ $first -gt $last ]; then
|
|
- fatal_error "Invalid IP address range: $1"
|
|
- fi
|
|
-
|
|
- l=$(( $last + 1 ))
|
|
-
|
|
- while [ $first -le $last ]; do
|
|
- vlsm=
|
|
- x=31
|
|
- y=2
|
|
- z=1
|
|
-
|
|
- while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
|
|
- vlsm=/$x
|
|
- x=$(( $x - 1 ))
|
|
- z=$y
|
|
- y=$(( $y * 2 ))
|
|
- done
|
|
-
|
|
- echo $(encodeaddr $first)$vlsm
|
|
- first=$(($first + $z))
|
|
- done
|
|
-}
|
|
-
|
|
-ip_range_explicit() {
|
|
- local first last
|
|
-
|
|
- case $1 in
|
|
- [0-9]*.*.*.*-*.*.*.*)
|
|
- ;;
|
|
- *)
|
|
- echo $1
|
|
- return
|
|
- ;;
|
|
- esac
|
|
-
|
|
- first=$(decodeaddr ${1%-*})
|
|
- last=$(decodeaddr ${1#*-})
|
|
-
|
|
- if [ $first -gt $last ]; then
|
|
- fatal_error "Invalid IP address range: $1"
|
|
- fi
|
|
-
|
|
- while [ $first -le $last ]; do
|
|
- echo $(encodeaddr $first)
|
|
- first=$(($first + 1))
|
|
- done
|
|
-}
|
|
-
|
|
-#
|
|
# Netmask from CIDR
|
|
#
|
|
ip_netmask() {
|
|
@@ -588,60 +368,6 @@
|
|
}
|
|
|
|
#
|
|
-# Netmask to VLSM
|
|
-#
|
|
-ip_vlsm() {
|
|
- local mask=$(decodeaddr $1)
|
|
- local vlsm=0
|
|
- local x=$(( 128 << 24 )) # 0x80000000
|
|
-
|
|
- while [ $(( $x & $mask )) -ne 0 ]; do
|
|
- [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
|
|
- vlsm=$(($vlsm + 1))
|
|
- done
|
|
-
|
|
- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
|
|
- echo "Invalid net mask: $1" >&2
|
|
- else
|
|
- echo $vlsm
|
|
- fi
|
|
-}
|
|
-
|
|
-
|
|
-#
|
|
-# Chain name base for an interface -- replace all periods with underscores in the passed name.
|
|
-# The result is echoed (less trailing "+").
|
|
-#
|
|
-chain_base() #$1 = interface
|
|
-{
|
|
- local c=${1%%+}
|
|
-
|
|
- while true; do
|
|
- case $c in
|
|
- @*)
|
|
- c=at_${c#@}
|
|
- ;;
|
|
- *.*)
|
|
- c="${c%.*}_${c##*.}"
|
|
- ;;
|
|
- *-*)
|
|
- c="${c%-*}_${c##*-}"
|
|
- ;;
|
|
- *%*)
|
|
- c="${c%\%*}_${c##*%}"
|
|
- ;;
|
|
- *@*)
|
|
- c="${c%@*}_${c##*@}"
|
|
- ;;
|
|
- *)
|
|
- echo ${c:=common}
|
|
- return
|
|
- ;;
|
|
- esac
|
|
- done
|
|
-}
|
|
-
|
|
-#
|
|
# Query NetFilter about the existence of a filter chain
|
|
#
|
|
chain_exists() # $1 = chain name
|
|
@@ -879,21 +605,6 @@
|
|
}
|
|
|
|
#
|
|
-# Set default config path
|
|
-#
|
|
-ensure_config_path() {
|
|
- local F=${SHAREDIR}/configpath
|
|
- if [ -z "$CONFIG_PATH" ]; then
|
|
- [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
|
|
- . $F
|
|
- fi
|
|
-
|
|
- if [ -n "$SHOREWALL_DIR" ]; then
|
|
- [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
|
|
- fi
|
|
-}
|
|
-
|
|
-#
|
|
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
|
|
#
|
|
find_file()
|
|
@@ -918,54 +629,6 @@
|
|
}
|
|
|
|
#
|
|
-# Get fully-qualified name of file
|
|
-#
|
|
-resolve_file() # $1 = file name
|
|
-{
|
|
- local pwd=$PWD
|
|
-
|
|
- case $1 in
|
|
- /*)
|
|
- echo $1
|
|
- ;;
|
|
- .)
|
|
- echo $pwd
|
|
- ;;
|
|
- ./*)
|
|
- echo ${pwd}${1#.}
|
|
- ;;
|
|
- ..)
|
|
- cd ..
|
|
- echo $PWD
|
|
- cd $pwd
|
|
- ;;
|
|
- ../*)
|
|
- cd ..
|
|
- resolve_file ${1#../}
|
|
- cd $pwd
|
|
- ;;
|
|
- *)
|
|
- echo $pwd/$1
|
|
- ;;
|
|
- esac
|
|
-}
|
|
-
|
|
-#
|
|
-# Perform variable substitution on the passed argument and echo the result
|
|
-#
|
|
-expand() # $@ = contents of variable which may be the name of another variable
|
|
-{
|
|
- eval echo \"$@\"
|
|
-}
|
|
-
|
|
-#
|
|
-# Function for including one file into another
|
|
-#
|
|
-INCLUDE() {
|
|
- . $(find_file $(expand $@))
|
|
-}
|
|
-
|
|
-#
|
|
# Set the Shorewall state
|
|
#
|
|
set_state () # $1 = state
|
|
@@ -974,200 +637,6 @@
|
|
}
|
|
|
|
#
|
|
-# Determine which optional facilities are supported by iptables/netfilter
|
|
-#
|
|
-determine_capabilities() {
|
|
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
|
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
|
-
|
|
- CONNTRACK_MATCH=
|
|
- MULTIPORT=
|
|
- XMULTIPORT=
|
|
- POLICY_MATCH=
|
|
- PHYSDEV_MATCH=
|
|
- IPRANGE_MATCH=
|
|
- RECENT_MATCH=
|
|
- OWNER_MATCH=
|
|
- IPSET_MATCH=
|
|
- CONNMARK=
|
|
- XCONNMARK=
|
|
- CONNMARK_MATCH=
|
|
- XCONNMARK_MATCH=
|
|
- RAW_TABLE=
|
|
- IPP2P_MATCH=
|
|
- LENGTH_MATCH=
|
|
- CLASSIFY_TARGET=
|
|
- ENHANCED_REJECT=
|
|
- USEPKTTYPE=
|
|
- KLUDGEFREE=
|
|
- MARK=
|
|
- XMARK=
|
|
- MANGLE_FORWARD=
|
|
- COMMENTS=
|
|
- ADDRTYPE=
|
|
- TCPMSS_MATCH=
|
|
-
|
|
- qt $IPTABLES -N fooX1234
|
|
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
|
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
|
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
|
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
|
-
|
|
- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
|
|
- PHYSDEV_MATCH=Yes
|
|
- fi
|
|
-
|
|
- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
|
|
- IPRANGE_MATCH=Yes
|
|
- if [ -z "${KLUDGEFREE}" ]; then
|
|
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
|
|
- fi
|
|
- fi
|
|
-
|
|
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
|
- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
|
-
|
|
- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
|
|
- CONNMARK_MATCH=Yes
|
|
- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
|
|
- fi
|
|
-
|
|
- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
|
|
- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
|
- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
|
-
|
|
- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
|
|
-
|
|
- if [ -n "$MANGLE_ENABLED" ]; then
|
|
- qt $IPTABLES -t mangle -N fooX1234
|
|
-
|
|
- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
|
|
- MARK=Yes
|
|
- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
|
|
- fi
|
|
-
|
|
- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
|
|
- CONNMARK=Yes
|
|
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
|
|
- fi
|
|
-
|
|
- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
|
|
- qt $IPTABLES -t mangle -F fooX1234
|
|
- qt $IPTABLES -t mangle -X fooX1234
|
|
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
|
|
- fi
|
|
-
|
|
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
|
-
|
|
- if qt mywhich ipset; then
|
|
- qt ipset -X fooX1234 # Just in case something went wrong the last time
|
|
-
|
|
- if qt ipset -N fooX1234 iphash ; then
|
|
- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
|
|
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
|
|
- IPSET_MATCH=Yes
|
|
- fi
|
|
- qt ipset -X fooX1234
|
|
- fi
|
|
- fi
|
|
-
|
|
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
|
- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
|
- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
|
-
|
|
- qt $IPTABLES -F fooX1234
|
|
- qt $IPTABLES -X fooX1234
|
|
-
|
|
- CAPVERSION=$SHOREWALL_CAPVERSION
|
|
-}
|
|
-
|
|
-report_capabilities() {
|
|
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
|
- {
|
|
- local setting=
|
|
-
|
|
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
|
-
|
|
- echo " " $1: $setting
|
|
- }
|
|
-
|
|
- if [ $VERBOSE -gt 1 ]; then
|
|
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
|
- report_capability "NAT" $NAT_ENABLED
|
|
- report_capability "Packet Mangling" $MANGLE_ENABLED
|
|
- report_capability "Multi-port Match" $MULTIPORT
|
|
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
|
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
|
- report_capability "Packet Type Match" $USEPKTTYPE
|
|
- report_capability "Policy Match" $POLICY_MATCH
|
|
- report_capability "Physdev Match" $PHYSDEV_MATCH
|
|
- report_capability "Packet length Match" $LENGTH_MATCH
|
|
- report_capability "IP range Match" $IPRANGE_MATCH
|
|
- report_capability "Recent Match" $RECENT_MATCH
|
|
- report_capability "Owner Match" $OWNER_MATCH
|
|
- report_capability "Ipset Match" $IPSET_MATCH
|
|
- report_capability "CONNMARK Target" $CONNMARK
|
|
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
|
- report_capability "Connmark Match" $CONNMARK_MATCH
|
|
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
|
- report_capability "Raw Table" $RAW_TABLE
|
|
- report_capability "IPP2P Match" $IPP2P_MATCH
|
|
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
|
- report_capability "Extended REJECT" $ENHANCED_REJECT
|
|
- report_capability "Repeat match" $KLUDGEFREE
|
|
- report_capability "MARK Target" $MARK
|
|
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
|
|
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
|
|
- report_capability "Comments" $COMMENTS
|
|
- report_capability "Address Type Match" $ADDRTYPE
|
|
- report_capability "TCPMSS Match" $TCPMSS_MATCH
|
|
- fi
|
|
-
|
|
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
|
|
-
|
|
-}
|
|
-
|
|
-report_capabilities1() {
|
|
- report_capability1() # $1 = Capability
|
|
- {
|
|
- eval echo $1=\$$1
|
|
- }
|
|
-
|
|
- echo "#"
|
|
- echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
|
|
- echo "#"
|
|
- report_capability1 NAT_ENABLED
|
|
- report_capability1 MANGLE_ENABLED
|
|
- report_capability1 MULTIPORT
|
|
- report_capability1 XMULTIPORT
|
|
- report_capability1 CONNTRACK_MATCH
|
|
- report_capability1 USEPKTTYPE
|
|
- report_capability1 POLICY_MATCH
|
|
- report_capability1 PHYSDEV_MATCH
|
|
- report_capability1 LENGTH_MATCH
|
|
- report_capability1 IPRANGE_MATCH
|
|
- report_capability1 RECENT_MATCH
|
|
- report_capability1 OWNER_MATCH
|
|
- report_capability1 IPSET_MATCH
|
|
- report_capability1 CONNMARK
|
|
- report_capability1 XCONNMARK
|
|
- report_capability1 CONNMARK_MATCH
|
|
- report_capability1 XCONNMARK_MATCH
|
|
- report_capability1 RAW_TABLE
|
|
- report_capability1 IPP2P_MATCH
|
|
- report_capability1 CLASSIFY_TARGET
|
|
- report_capability1 ENHANCED_REJECT
|
|
- report_capability1 KLUDGEFREE
|
|
- report_capability1 MARK
|
|
- report_capability1 XMARK
|
|
- report_capability1 MANGLE_FORWARD
|
|
- report_capability1 COMMENTS
|
|
- report_capability1 ADDRTYPE
|
|
-
|
|
- echo CAPVERSION=$SHOREWALL_CAPVERSION
|
|
-}
|
|
-
|
|
-#
|
|
# Delete IP address
|
|
#
|
|
del_ip_addr() # $1 = address, $2 = interface
|
|
@@ -1286,82 +755,6 @@
|
|
cut -b -${1}
|
|
}
|
|
|
|
-#
|
|
-# Add a logging rule.
|
|
-#
|
|
-do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
|
-{
|
|
- local level=$1
|
|
- local chain=$2
|
|
- local displayChain=$3
|
|
- local disposition=$4
|
|
- local rulenum=
|
|
- local limit=
|
|
- local tag=
|
|
- local command=
|
|
- local prefix
|
|
- local base=$(chain_base $displayChain)
|
|
- local pf
|
|
-
|
|
- limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
|
|
- tag=${6:+$6 }
|
|
- command=${7:--A}
|
|
-
|
|
- shift 7
|
|
-
|
|
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
|
|
- displayChain=$tag
|
|
- tag=
|
|
- fi
|
|
-
|
|
- if [ -n "$LOGRULENUMBERS" ]; then
|
|
- #
|
|
- # Hack for broken printf on some lightweight shells
|
|
- #
|
|
- [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf)
|
|
-
|
|
- eval rulenum=\$${base}_logrules
|
|
-
|
|
- rulenum=${rulenum:-1}
|
|
-
|
|
- prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
|
|
-
|
|
- rulenum=$(($rulenum + 1))
|
|
- eval ${base}_logrules=$rulenum
|
|
- else
|
|
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
|
|
- fi
|
|
-
|
|
- if [ ${#prefix} -gt 29 ]; then
|
|
- prefix=`echo "$prefix" | truncate 29`
|
|
- error_message "WARNING: Log Prefix shortened to \"$prefix\""
|
|
- fi
|
|
-
|
|
- case $level in
|
|
- ULOG)
|
|
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
|
- ;;
|
|
- *)
|
|
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
|
- ;;
|
|
- esac
|
|
-
|
|
- if [ $? -ne 0 ] ; then
|
|
- [ -z "$STOPPING" ] && { stop_firewall; exit 2; }
|
|
- fi
|
|
-}
|
|
-
|
|
-do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
|
|
-{
|
|
- local level=$1
|
|
- local chain=$2
|
|
- local disposition=$3
|
|
-
|
|
- shift 3
|
|
-
|
|
- do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
|
|
-}
|
|
-
|
|
delete_tc1()
|
|
{
|
|
clear_one_tc() {
|
|
@@ -1496,65 +889,6 @@
|
|
|
|
echo echo
|
|
}
|
|
-
|
|
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
|
|
-#
|
|
-# None - No mktemp
|
|
-# BSD - BSD mktemp (Mandrake)
|
|
-# STD - mktemp.org mktemp
|
|
-#
|
|
-find_mktemp() {
|
|
- local mktemp=`mywhich mktemp 2> /dev/null`
|
|
-
|
|
- if [ -n "$mktemp" ]; then
|
|
- if qt mktemp -V ; then
|
|
- MKTEMP=STD
|
|
- else
|
|
- MKTEMP=BSD
|
|
- fi
|
|
- else
|
|
- MKTEMP=None
|
|
- fi
|
|
-}
|
|
-
|
|
-#
|
|
-# create a temporary file. If a directory name is passed, the file will be created in
|
|
-# that directory. Otherwise, it will be created in a temporary directory.
|
|
-#
|
|
-mktempfile() {
|
|
-
|
|
- [ -z "$MKTEMP" ] && find_mktemp
|
|
-
|
|
- if [ $# -gt 0 ]; then
|
|
- case "$MKTEMP" in
|
|
- BSD)
|
|
- mktemp $1/shorewall.XXXXXX
|
|
- ;;
|
|
- STD)
|
|
- mktemp -p $1 shorewall.XXXXXX
|
|
- ;;
|
|
- None)
|
|
- > $1/shorewall-$$ && echo $1/shorewall-$$
|
|
- ;;
|
|
- *)
|
|
- error_message "ERROR:Internal error in mktempfile"
|
|
- ;;
|
|
- esac
|
|
- else
|
|
- case "$MKTEMP" in
|
|
- BSD)
|
|
- mktemp /tmp/shorewall.XXXXXX
|
|
- ;;
|
|
- STD)
|
|
- mktemp -t shorewall.XXXXXX
|
|
- ;;
|
|
- None)
|
|
- rm -f /tmp/shorewall-$$
|
|
- > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
|
- ;;
|
|
- *)
|
|
- error_message "ERROR:Internal error in mktempfile"
|
|
- ;;
|
|
- esac
|
|
- fi
|
|
-}
|
|
+################################################################################
|
|
+# End of functions imported from /usr/share/shorewall/lib.base
|
|
+################################################################################
|