#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V4.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# The firewall uses configuration files in /etc/shorewall/ - skeleton
# files are included with the firewall.
#
# Commands are:
#
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall dump Dumps all Shorewall-related information
# for problem analysis
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Open the floodgates by
# removing all iptables rules
# and setting the three permanent
# chain policies to ACCEPT
# shorewall refresh Rebuild the common chain to
# compensate for a change of
# broadcast address on any "detect"
# interface.
# shorewall [re]load [ <directory> ] <system>
# Compile a script and install it on a
# remote Shorewall Lite system.
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show actions Displays the available actions
# shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection
# tracking table
# shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall show vardir Display the VARDIR setting.
# shorewall version Display the installed version id
# shorewall check [ -e ] [ <directory> ] Dry-run compilation.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the
# standard one. If a timeout is supplied
# the command reverts back to the
# standard configuration after that many
# seconds have elapsed after successfully
# starting the new configuration.
# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
# messages.
# shorewall drop <address> ... Temporarily drop all packets from the
# listed address(es)
# shorewall reject <address> ... Temporarily reject all packets from the
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will
# be automatically reinstated the
# next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
#
# shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
#
# Displays information about the network
# defined by the argument[s]
#
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
# a list of network/host addresses.
#
# shorewall ipdecimal { <address> | <integer> }
#
# Displays the decimal equivalent of an IP
# address and vice versa.
#
# shorewall safe-start [ <directory> ] Starts the firewall and prompts for a
# confirmation to accept or reject the new
# configuration
#
# shorewall safe-restart [ <directory> ] Restarts the firewall and prompts for a
# confirmation to accept or reject the new
# configuration
#
# shorewall compile [ -e ] [ <directory> ] <filename>
# Compile a firewall program file.
#
# Set the configuration variables from shorewall.conf
#
# $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE
#
#
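get_config() {
    #
    # Globals written: params, config, LOGFILE, LOGREAD, IPTABLES, RESTOREFILE,
    #   TC_ENABLED, LOGFORMAT, VERBOSE, VERBOSITY, HOSTNAME, RSH_COMMAND,
    #   RCP_COMMAND -- plus whatever the params file and shorewall.conf assign.
    # Exits: 1 when shorewall.conf exists but cannot be read, 2 for a missing
    #   file, a missing LOGFILE or iptables binary, or an invalid setting.
    #
    ensure_config_path
    #
    # Both files are *sourced*, i.e. executed as shell code with this
    # process's privileges, so they must only ever be writable by root.
    # Paths are quoted: find_file may return an empty string, and an unquoted
    # "[ -f $params ]" is then true, which would hand "." no argument at all.
    #
    if [ "$1" = Yes ]; then
        params=$(find_file params)

        if [ -f "$params" ]; then
            . "$params"
        fi
    fi

    config=$(find_file shorewall.conf)

    if [ -f "$config" ]; then
        if [ -r "$config" ]; then
            . "$config"
        else
            echo "Cannot read $config! (Hint: Are you root?)" >&2
            exit 1
        fi
    else
        echo "$config does not exist!" >&2
        exit 2
    fi
    #
    # shorewall.conf may have changed CONFIG_PATH -- recompute it
    #
    ensure_config_path

    if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then
        #
        # This block is avoided for compile for export and when the user isn't root
        #
        export CONFIG_PATH

        if [ "$3" = Yes ]; then
            [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
            #
            # LOGREAD is a command string that prints the log newest-first
            #
            if [ -n "$(syslog_circular_buffer)" ]; then
                LOGREAD="logread | tac"
            elif [ -f "$LOGFILE" ]; then
                LOGREAD="tac $LOGFILE"
            else
                echo "LOGFILE ($LOGFILE) does not exist!" >&2
                exit 2
            fi
        fi
        #
        # Resolve and validate the iptables binary once here; the rest of the
        # script is expected to use $IPTABLES rather than a bare 'iptables'.
        #
        if [ -n "$IPTABLES" ]; then
            if [ ! -x "$IPTABLES" ]; then
                echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
                exit 2
            fi
        else
            IPTABLES=$(mywhich iptables 2> /dev/null)

            if [ -z "$IPTABLES" ] ; then
                echo " ERROR: Can't find iptables executable" >&2
                exit 2
            fi
        fi

        export IPTABLES
        #
        # Compile by non-root needs no restore file.
        # validate_restorefile is given the variable *name*, not its value.
        #
        [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
        validate_restorefile RESTOREFILE
        export RESTOREFILE

        if [ "$2" = Yes ]; then
            case $STARTUP_ENABLED in
                No|no|NO)
                    echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
                    exit 2
                    ;;
                Yes|yes|YES)
                    ;;
                *)
                    #
                    # An unset/empty value is tolerated; anything else is an error
                    # (the message used to name the setting as STARTUP_ENABLE).
                    #
                    if [ -n "$STARTUP_ENABLED" ]; then
                        echo " ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
                        exit 2
                    fi
                    ;;
            esac
        fi

        case ${TC_ENABLED:=Internal} in
            No|NO|no)
                TC_ENABLED=
                ;;
        esac
        #
        # Everything from the first '%' onward is dropped from LOGFORMAT
        # (presumably its format placeholders, leaving only the literal prefix
        # used to recognise log lines -- confirm against shorewall.conf).
        # The original tested the literal string "LOGFORMAT", which is always
        # non-empty; the variable is what should be tested.
        #
        [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"

        [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
        export LOGFORMAT
    fi

    if [ -n "$SHOREWALL_SHELL" ]; then
        if [ ! -x "$SHOREWALL_SHELL" ]; then
            echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
            exit 2
        fi
    fi
    #
    # VERBOSE = VERBOSITY from shorewall.conf (default 2) adjusted by the
    # command-line offset; an unset offset counts as 0.
    #
    : "${VERBOSITY:=2}"
    VERBOSE=$((${VERBOSE_OFFSET:-0} + $VERBOSITY))
    export VERBOSE

    : "${HOSTNAME:=$(hostname)}"
    #
    # Templates expanded with eval by rsh_command()/rcp_command(); ${root},
    # ${system}, ${command}, ${files} and ${destination} are filled in there.
    #
    [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
    [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
}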
#
# Run the appropriate compiler
#
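compiler() {
    #
    # $1 = exec: replace this process with the compiler
    #      run:  run the compiler as a child and return its status
    # $2... = compiler arguments: [debug|trace] [nolock] compile|check [<file>]
    #
    # Globals read: SHELLSHAREDIR, PERLSHAREDIR, SHOREWALL_DIR, SHOREWALL_COMPILER,
    #   SHOREWALL_SHELL, DEBUG, PROFILE, VERBOSE, EXPORT, TIMESTAMP, debugging,
    #   REFRESHCHAINS
    # Globals written: compiler, haveparams, shell, debugflags, options
    #
    local sc=${SHELLSHAREDIR}/compiler
    local pc=${PERLSHAREDIR}/compiler.pl
    local command=$1
    #
    # Nested function definitions are global in POSIX sh, so startup_error
    # remains callable after compiler() has run.
    #
    startup_error() {
        echo " ERROR: $*" >&2
        exit 1
    }

    shift

    if [ "$(id -u)" -ne 0 ]; then
        if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
            startup_error "Ordinary users may not compile the /etc/shorewall configuration"
        fi
    fi
    #
    # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH
    #
    ensure_config_path

    compiler=
    haveparams=

    if [ -n "$SHOREWALL_COMPILER" ]; then
        compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line
    elif [ -x "$sc" ]; then
        #
        # Shell compiler present. Leave 'compiler' empty when the Perl one is
        # installed as well so that shorewall.conf can decide below.
        #
        [ -x "$pc" ] || compiler=shell
    elif [ -x "$pc" ]; then
        compiler=perl
    else
        fatal_error "No shorewall compiler installed"
    fi

    if [ -z "$compiler" ]; then
        #
        # Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER
        #
        if [ -n "$SHOREWALL_DIR" ]; then
            #
            # get_config may overwrite SHOREWALL_SHELL from the alternate
            # shorewall.conf; keep the one already in effect.
            # 'set -a' exports what the params file assigns (only when the
            # Perl compiler is present -- presumably it reads them from the
            # environment; confirm).
            #
            shell=$SHOREWALL_SHELL
            [ -x "$pc" ] && set -a
            run_user_exit params
            set +a
            haveparams=Yes
            get_config No No No
            SHOREWALL_SHELL=$shell
        fi
        #
        # And initiate the appropriate compiler
        #
        if [ -n "$SHOREWALL_COMPILER" ]; then
            compiler="$SHOREWALL_COMPILER"
        elif [ -x "$sc" ]; then
            compiler=shell
        else
            compiler=perl
        fi
    fi
    #
    # 'command' is either "exec" or empty; it stays unquoted in the command
    # lines below so that an empty value expands to nothing.
    #
    [ "$command" = exec ] || command=

    case "$compiler" in
        perl)
            debugflags="-w"
            [ -n "$DEBUG" ] && debugflags='-wd'
            [ -n "$PROFILE" ] && debugflags='-wd:DProf'
            #
            # Perl compiler only takes the output file as a argument:
            # drop the optional debug/trace and nolock words and the
            # compile/check verb.
            #
            [ "$1" = debug -o "$1" = trace ] && shift
            [ "$1" = nolock ] && shift
            shift

            options="--verbose $VERBOSE "
            [ -n "$EXPORT" ] && options="$options --export "
            [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
            [ -n "$TIMESTAMP" ] && options="$options --timestamp "
            [ "$debugging" = trace ] && options="$options --debug "
            [ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"

            [ -x "$pc" ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
            #
            # Run the appropriate params file (unless already done above)
            #
            if [ -z "$haveparams" ]; then
                set -a
                run_user_exit params
                set +a
            fi
            #
            # $options is a space-separated option string and must be
            # word-split; the remaining arguments are passed through intact.
            #
            $command perl $debugflags "$pc" $options "$@"
            ;;
        shell)
            [ -x "$sc" ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
            [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
            $command $SHOREWALL_SHELL "$sc" "$@"
            ;;
        *)
            startup_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER"
            ;;
    esac
}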
#
# Start Command Executor
#
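start_command() {
    #
    # $* = original arguments less the command: [-f] [-C <compiler>] [--] [<directory>]
    # Globals read: STARTUP_ENABLED, SHOREWALL_DIR, FAST, VARDIR, CONFDIR,
    #   RESTOREFILE, IPTABLES, SHOREWALL_SHELL, debugging, nolock
    # Globals written: SHOREWALL_COMPILER, FAST, SHOREWALL_DIR, RESTOREPATH
    # Returns only after a successful fast restore; every other path exits.
    #
    local finished=0
    #
    # Compile the start script and run it. Exits with the compiler's or the
    # script's status -- control never comes back from do_it.
    #
    do_it() {
        local rc=0

        progress_message3 "Compiling..."
        #
        # $debugging and $nolock are optional single words; left unquoted so
        # that an empty value contributes no argument.
        #
        if compiler run $debugging $nolock compile "${VARDIR}/.start"; then
            [ -n "$nolock" ] || mutex_on
            "${VARDIR}/.start" $debugging start
            rc=$?
            [ -n "$nolock" ] || mutex_off
        else
            rc=$?
            logger -p kern.err "ERROR:Shorewall start failed"
        fi

        exit $rc
    }

    if shorewall_is_started; then
        error_message "Shorewall is already running"
        exit 0
    fi

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        C)
                            #
                            # The option word is still $1 here, so the compiler
                            # name is $2 and two arguments must remain.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        f*)
                            FAST=Yes
                            option=${option#f}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2
                else
                    echo "Directory $1 does not exist" >&2
                fi

                exit 2
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            ;;
        *)
            usage 1
            ;;
    esac

    export NOROUTES
    #
    # A fast start is only attempted when 'make' reports the saved restore
    # script to be up to date with respect to the configuration.
    # RESTOREFILE is exported by get_config().
    #
    if [ -n "$FAST" ] && qt mywhich make; then
        make -qf "${CONFDIR}/Makefile" || FAST=
    fi

    [ -n "$FAST" ] || do_it

    RESTOREPATH=${VARDIR}/$RESTOREFILE

    [ -x "$RESTOREPATH" ] || do_it

    if [ -x "${RESTOREPATH}-ipsets" ]; then
        echo Restoring Ipsets...
        #
        # We must purge iptables to be sure that there are no
        # references to ipsets. Use the binary that get_config() validated
        # and exported in IPTABLES rather than whatever 'iptables' resolves
        # to on PATH; fall back to the bare name only when IPTABLES is unset.
        #
        ${IPTABLES:-iptables} -F
        ${IPTABLES:-iptables} -X
        $SHOREWALL_SHELL "${RESTOREPATH}-ipsets"
    fi

    echo Restoring Shorewall...
    $SHOREWALL_SHELL "$RESTOREPATH" restore
    date > "${VARDIR}/restarted"
    progress_message3 Shorewall restored from $RESTOREPATH
}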
#
# Compile Command Executor
#
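compile_command() {
    #
    # $* = original arguments less the command:
    #      [-e] [-p] [-d] [-C <compiler>] [--] [<directory>] <filename>
    # Globals written: EXPORT, PROFILE, DEBUG, SHOREWALL_COMPILER, SHOREWALL_DIR, file
    # Does not return: the compiler is exec'ed.
    #
    local finished=0

    while [ $finished -eq 0 ]; do
        [ $# -eq 0 ] && usage 1
        option=$1
        case $option in
            -*)
                #
                # Unlike the other command executors, the option word is shifted
                # off before it is parsed, so an option argument (-C) is $1 here.
                #
                shift
                option=${option#-}
                [ -z "$option" ] && usage 1

                while [ -n "$option" ]; do
                    case $option in
                        e*)
                            EXPORT=Yes
                            option=${option#e}
                            ;;
                        p*)
                            PROFILE=Yes
                            option=${option#p}
                            ;;
                        C)
                            [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$1
                            option=
                            shift
                            ;;
                        d*)
                            DEBUG=Yes
                            option=${option#d}
                            ;;
                        -)
                            finished=1
                            option=
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                ;;
            *)
                finished=1
                ;;
        esac
    done

    file=

    case $# in
        1)
            file=$1

            if [ -d "$file" ]; then
                echo " ERROR: $file is a directory" >&2
                exit 2
            fi
            ;;
        2)
            [ -n "$SHOREWALL_DIR" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2
                else
                    echo "Directory $1 does not exist" >&2
                fi

                exit 2
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            file=$2
            ;;
        *)
            usage 1
            ;;
    esac

    export EXPORT

    progress_message3 "Compiling..."
    #
    # The output file name is passed as one argument even if it contains
    # whitespace; $debugging stays unquoted (optional single word).
    #
    compiler exec $debugging compile "$file"
}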
#
# Check Command Executor
#
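check_command() {
    #
    # $* = original arguments less the command:
    #      [-e] [-p] [-d] [-C <compiler>] [--] [<directory>]
    # Globals written: EXPORT, PROFILE, DEBUG, SHOREWALL_COMPILER, SHOREWALL_DIR
    # Does not return: the compiler is exec'ed.
    #
    local finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        e*)
                            EXPORT=Yes
                            option=${option#e}
                            ;;
                        p*)
                            PROFILE=Yes
                            option=${option#p}
                            ;;
                        d*)
                            DEBUG=Yes
                            option=${option#d}
                            ;;
                        C)
                            #
                            # The option word has not been shifted off yet, so
                            # the compiler name is $2 and two arguments must
                            # remain. The original tested "$# -gt 0", which let
                            # a bare "-C" through with an empty SHOREWALL_COMPILER.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            [ -n "$SHOREWALL_DIR" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2
                else
                    echo "Directory $1 does not exist" >&2
                fi

                exit 2
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            ;;
        *)
            usage 1
            ;;
    esac

    export EXPORT

    progress_message3 "Checking..."

    compiler exec $debugging $nolock check
}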
#
# Restart Command Executor
#
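restart_command() {
    #
    # $* = original arguments less the command: [-n] [-C <compiler>] [--] [<directory>]
    # Globals written: NOROUTES, SHOREWALL_COMPILER, SHOREWALL_DIR
    # Returns: the status of the compiled restart script, or the compiler's
    #   status when compilation fails.
    #
    local finished=0 rc=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        n*)
                            NOROUTES=Yes
                            option=${option#n}
                            ;;
                        C)
                            #
                            # Option word is still $1; the compiler name is $2.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            [ -n "$SHOREWALL_DIR" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2
                else
                    echo "Directory $1 does not exist" >&2
                fi

                exit 2
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            ;;
        *)
            usage 1
            ;;
    esac

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    export NOROUTES

    progress_message3 "Compiling..."
    #
    # $debugging and $nolock are optional single words and stay unquoted
    #
    if compiler run $debugging $nolock compile "${VARDIR}/.restart"; then
        [ -n "$nolock" ] || mutex_on
        $SHOREWALL_SHELL "${VARDIR}/.restart" $debugging restart
        rc=$?
        [ -n "$nolock" ] || mutex_off
    else
        rc=$?
        logger -p kern.err "ERROR:Shorewall restart failed"
    fi

    return $rc
}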
#
# Refresh Command Executor
#
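refresh_command() {
    #
    # $* = original arguments less the command: [-C <compiler>] [--] [<chain> ...]
    # Globals written: SHOREWALL_COMPILER, REFRESHCHAINS (comma-separated list
    #   of the chain arguments), NOROUTES (exported)
    # Returns: the status of the compiled refresh script, or the compiler's
    #   status when compilation fails.
    #
    local finished=0 rc=0 chain

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        C)
                            #
                            # Option word is still $1; the compiler name is $2.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done
    #
    # Any remaining arguments are chain names; join them with commas
    #
    if [ $# -gt 0 ]; then
        REFRESHCHAINS=$1
        shift

        for chain in "$@"; do
            REFRESHCHAINS="$REFRESHCHAINS,$chain"
        done
    fi

    shorewall_is_started || fatal_error "Shorewall is not running"

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    export NOROUTES

    progress_message3 "Compiling..."
    #
    # $debugging and $nolock are optional single words and stay unquoted
    #
    if compiler run $debugging $nolock compile "${VARDIR}/.refresh"; then
        [ -n "$nolock" ] || mutex_on
        $SHOREWALL_SHELL "${VARDIR}/.refresh" $debugging refresh
        rc=$?
        [ -n "$nolock" ] || mutex_off
    else
        rc=$?
    fi

    return $rc
}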
#
# Safe-start/safe-restart Command Executor
#
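safe_commands() {
    #
    # Executor for 'safe-start' and 'safe-restart' (selected by $COMMAND).
    # $* = original arguments less the command: [-n] [-C <compiler>] [--] [<directory>]
    # Globals written: NOROUTES, SHOREWALL_COMPILER, SHOREWALL_DIR, running,
    #   command, RESTOREFILE, RESTOREPATH
    # Exits 2 when the new configuration is rejected (after restoring the old
    #   one) or when compilation fails; returns 0 when it is accepted.
    #
    local finished=0
    #
    # test if the shell supports timed read (needed by read_yesno_with_timeout):
    # a shell that rejects "read -t" returns 2. The absence of /bin/bash is
    # part of the test -- presumably the command is re-run under bash when it
    # is present; confirm against the dispatcher.
    #
    read -t 0 junk 2> /dev/null

    if [ $? -eq 2 -a ! -x /bin/bash ]; then
        echo "Your shell does not support a feature required to execute this command." >&2
        exit 2
    fi

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        n*)
                            NOROUTES=Yes
                            option=${option#n}
                            ;;
                        C)
                            #
                            # Option word is still $1; the compiler name is $2.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            [ -n "$SHOREWALL_DIR" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2
                else
                    echo "Directory $1 does not exist" >&2
                fi

                exit 2
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            ;;
        *)
            usage 1
            ;;
    esac

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if shorewall_is_started; then
        running=Yes
    else
        running=
    fi

    if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then
        # the command is safe-start but the firewall is already running
        error_message "Shorewall is already started"
        exit 0
    fi

    if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then
        # the command is safe-start or shorewall is not started yet
        command="start"
    else
        # the command is safe-restart and the firewall is already running
        command="restart"
    fi

    progress_message3 "Compiling..."
    #
    # Propagate the compiler's own status: inside "if ! cmd; then", $? is the
    # negated (zero) status, so the original "status=$?; exit $status" exited
    # 0 on a failed compilation.
    # NOTE(review): the literal word "nolock" is passed to the compiler here
    # whereas try_command() passes "$nolock"; the mutex is then taken below
    # unless $nolock is set. Left as is -- looks deliberate, confirm.
    #
    compiler run $debugging nolock compile "${VARDIR}/.$command" || exit $?

    case $command in
        start)
            export RESTOREFILE=NONE
            progress_message3 "Starting..."
            ;;
        restart)
            #
            # Snapshot the running configuration so a rejected restart can be
            # rolled back with ".safe restore"
            #
            export RESTOREFILE=.safe
            RESTOREPATH=${VARDIR}/.safe
            save_config
            progress_message3 "Restarting..."
            ;;
    esac

    [ -n "$nolock" ] || mutex_on

    if "${VARDIR}/.$command" $command; then
        #
        # printf rather than "echo -n": the -n flag is not portable under #!/bin/sh
        #
        printf '%s' "Do you want to accept the new firewall configuration? [y/n] "

        if read_yesno_with_timeout; then
            echo "New configuration has been accepted"
        else
            if [ "$command" = "restart" ]; then
                "${VARDIR}/.safe" restore
            else
                "${VARDIR}/.$command" clear
            fi

            [ -n "$nolock" ] || mutex_off

            echo "New configuration has been rejected and the old one restored"
            exit 2
        fi
    fi

    [ -n "$nolock" ] || mutex_off
}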
#
# 'try' Command Executor
#
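try_command() {
    #
    # $* = original arguments less the command:
    #      [-n] [-C <compiler>] [--] <directory> [<timeout>]
    # Globals written: NOROUTES, SHOREWALL_COMPILER, SHOREWALL_DIR, running,
    #   command, RESTOREFILE, RESTOREPATH
    # Exits with the compiler's status when compilation fails, 1 on a bad
    #   timeout; otherwise returns 0.
    #
    local finished=0 timeout=
    #
    # Validate $1 as the alternate configuration directory and export it as
    # SHOREWALL_DIR; exits on error. Nested functions are global in POSIX sh.
    #
    handle_directory() {
        [ -n "$SHOREWALL_DIR" ] && usage 2

        if [ ! -d "$1" ]; then
            if [ -e "$1" ]; then
                echo "$1 is not a directory" >&2
            else
                echo "Directory $1 does not exist" >&2
            fi

            exit 2
        fi

        SHOREWALL_DIR=$(resolve_file "$1")
        export SHOREWALL_DIR
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        n*)
                            NOROUTES=Yes
                            option=${option#n}
                            ;;
                        C)
                            #
                            # Option word is still $1; the compiler name is $2.
                            #
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            usage 1
            ;;
        1)
            handle_directory "$1"
            ;;
        2)
            handle_directory "$1"
            timeout=$2
            #
            # Accept only a non-empty string of decimal digits; the original
            # pattern let an empty argument through to "sleep".
            #
            case $timeout in
                ''|*[!0-9]*)
                    echo " ERROR: Invalid timeout ($timeout)" >&2
                    exit 1
                    ;;
            esac
            ;;
        *)
            usage 1
            ;;
    esac

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if shorewall_is_started; then
        running=Yes
    else
        running=
    fi

    if [ -z "$running" ]; then
        # shorewall is not started yet
        command="start"
    else
        # the firewall is already running
        command="restart"
    fi

    progress_message3 "Compiling..."
    #
    # Propagate the compiler's own status: inside "if ! cmd; then", $? is the
    # negated (zero) status, so the original "status=$?; exit $status" exited
    # 0 on a failed compilation.
    #
    compiler run $debugging $nolock compile "${VARDIR}/.$command" || exit $?

    case $command in
        start)
            export RESTOREFILE=NONE
            progress_message3 "Starting..."
            ;;
        restart)
            #
            # Snapshot the running configuration so that it can be put back
            # with ".try restore" once the timeout expires
            #
            export RESTOREFILE=.try
            RESTOREPATH=${VARDIR}/.try
            save_config
            progress_message3 "Restarting..."
            ;;
    esac

    [ -n "$nolock" ] || mutex_on
    #
    # Without a timeout the new configuration simply stays in place
    #
    if "${VARDIR}/.$command" $command && [ -n "$timeout" ]; then
        sleep "$timeout"

        if [ "$command" = "restart" ]; then
            "${VARDIR}/.try" restore
        else
            "${VARDIR}/.$command" clear
        fi
    fi

    [ -n "$nolock" ] || mutex_off
    #
    # NOTE(review): the status of the start/restart script is not propagated;
    # callers always see 0. Kept as is.
    #
    return 0
}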
rsh_command() {
    #
    # Run "$*" on the remote system by eval'ing RSH_COMMAND.  The string
    # is expected to reference $command (and presumably $root / $system,
    # which the callers set -- confirm against the RSH_COMMAND setting in
    # shorewall.conf).
    #
    # Because the whole thing goes through eval, nothing is re-quoted:
    # $command is word-split and expanded a second time locally and then
    # once more by the remote shell.  Callers must pass only strings they
    # themselves assembled from trusted values.
    #
    command="$*"
    eval $RSH_COMMAND
}
rcp_command() {
    #
    # Copy the space-separated list of local files "$1" to directory "$2"
    # on the remote system by eval'ing RCP_COMMAND, which is expected to
    # reference $files and $destination.
    #
    # Same caveat as rsh_command: the command line is built by eval with
    # no quoting, so $destination must be a plain path.  In reload_command
    # it is the LITEDIR value the remote system reported back, i.e. data
    # that did not originate on this host.
    #
    files="$1"
    destination=$2

    eval $RCP_COMMAND

}
#
# [Re]load command executor
#
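reload_command() # $* = original arguments less the command.
{
    #
    # 'load' / 'reload' command executor.
    #
    #   load|reload [ -s ] [ -c ] [ -r <root user> ] [ -C <compiler> ] [ <directory> ] <system>
    #
    # Compiles the configuration in <directory> (default ".") with
    # 'shorewall compile -e', copies the resulting 'firewall' script and
    # 'firewall.conf' to the remote Shorewall-lite system's LITEDIR and
    # starts ('load') or restarts ('reload', decided by $COMMAND) it.
    #
    #   -s   afterwards run 'shorewall-lite save' on the remote system
    #   -c   capture the remote system's capabilities first (also done
    #        automatically when no 'capabilities' file can be found)
    #   -r   remote user name, default 'root'.  Nothing here reads $root;
    #        presumably RSH_COMMAND/RCP_COMMAND do -- confirm.
    #   -C   compiler, passed on to 'shorewall compile'
    #
    # Returns 1 when compiling, copying or the remote (re)start fails.
    # A failed -s save is not treated as an error.
    #
    local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result=0 directory system getcaps= root=root compiler= litedir=

    LITEDIR=/var/lib/shorewall-lite

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}
                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        s*)
                            saveit=Yes
                            option=${option#s}
                            ;;
                        c*)
                            getcaps=Yes
                            option=${option#c}
                            ;;
                        r)
                            [ $# -gt 1 ] || fatal_error "Missing Root User name"
                            root=$2
                            option=
                            shift
                            ;;
                        C)
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            compiler="-C $2"
                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        1)
            directory="."
            system=$1
            ;;
        2)
            directory=$1
            system=$2
            ;;
        *)
            usage 1
            ;;
    esac

    #
    # Ask the remote system where its state directory is.  The answer
    # arrives over the rsh channel and is later substituted into the
    # eval'ed RCP_COMMAND (see rcp_command), so it is only accepted when
    # it is a plain absolute path; anything else is reported and the
    # default is kept.
    #
    litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

    case $litedir in
        "")
            ;;
        *[!A-Za-z0-9_./-]*|[!/]*)
            echo " WARNING: Ignoring unexpected LITEDIR \"$litedir\" reported by $system" >&2
            ;;
        *)
            LITEDIR=$litedir
            ;;
    esac

    if [ -z "$getcaps" ]; then
        SHOREWALL_DIR=$(resolve_file "$directory")
        ensure_config_path
        capabilities=$(find_file capabilities)
        #
        # Quoted on purpose: unquoted, an empty result becomes '[ -f ]',
        # which is true, and the capture below would be skipped.
        #
        [ -f "$capabilities" ] || getcaps=Yes
    fi

    if [ -n "$getcaps" ]; then
        #
        # shorewall.conf in the export directory supplies MODULESDIR,
        # MODULE_SUFFIX and IPTABLES for the remote shorecap run.  It is
        # sourced as shell code, so it is trusted exactly like the rest
        # of the configuration about to be compiled.
        #
        if [ -f "$directory/shorewall.conf" ]; then
            . "$directory/shorewall.conf"
            ensure_config_path
        fi

        progress_message "Getting Capabilities on system $system..."

        if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > "$directory/capabilities"; then
            fatal_error "ERROR: Capturing capabilities on system $system failed"
        fi
    fi

    file=$(resolve_file "$directory/firewall")

    #
    # $compiler ("-C <name>") and $verbose ("-v -v ...") must stay
    # unquoted so that they split into separate arguments.
    #
    if shorewall $debugging $verbose compile -e $compiler "$directory" "$directory/firewall" && \
       progress_message "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
       rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR}
    then
        echo "Copy complete"

        if [ "$COMMAND" = reload ]; then
            if rsh_command "/sbin/shorewall-lite $debugging $verbose restart"; then
                progress_message3 "System $system reloaded"
            else
                saveit=
                result=1
            fi
        else
            if rsh_command "/sbin/shorewall-lite $debugging $verbose start"; then
                progress_message3 "System $system loaded"
            else
                saveit=
                result=1
            fi
        fi

        if [ -n "$saveit" ]; then
            rsh_command "/sbin/shorewall-lite $debugging $verbose save" && \
                progress_message3 "Configuration on system $system saved"
        fi
    else
        #
        # Previously the function simply fell off the end here and
        # reported success (status 0) although nothing was loaded.
        #
        result=1
    fi

    return $result
}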
#
# Export command executor
#
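export_command() # $* = original arguments less the command.
{
    #
    # 'export' command executor.
    #
    #   export [ -C <compiler> ] [ <directory1> ] [<user>@]<system>[:<directory2>]
    #
    # Compiles the configuration in <directory1> (default ".") with
    # 'shorewall compile -e' and copies the resulting 'firewall' script
    # and 'firewall.conf' to the target with scp.  A target without ':'
    # gets one appended so that scp treats it as a remote host.
    #
    # -C is passed on to 'shorewall compile'.
    #
    # Returns 1 when the compile or the copy fails.
    #
    local verbose=$(make_verbose) file= finished=0 directory target compiler=

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}
                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        C)
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            compiler="-C $2"
                            option=
                            shift
                            ;;
                        *)
                            fatal_error "Unrecognized option \"$option\""
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        1)
            directory="."
            target=$1
            ;;
        2)
            directory=$1
            target=$2
            ;;
        *)
            fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)"
            ;;
    esac

    case $target in
        *:*)
            ;;
        *)
            target=$target:
            ;;
    esac

    file=$(resolve_file "$directory/firewall")

    #
    # ${target#*@} only trims the user name from the message; scp gets
    # the full target.  $compiler and $verbose stay unquoted so that they
    # split into separate arguments.
    #
    if shorewall $debugging $verbose compile -e $compiler "$directory" "$directory/firewall" && \
       echo "Copying $file and ${file}.conf to ${target#*@}..." && \
       scp "$directory/firewall" "$directory/firewall.conf" "$target"
    then
        progress_message3 "Copy complete"
    else
        #
        # Previously the function returned 0 here, hiding a failed
        # compile or copy from callers that check the exit status.
        #
        return 1
    fi
}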
#
# Give Usage Information
#
usage() # $1 = exit status
{
    #
    # Print the command summary on stdout, then exit with status $1.
    # Called without an argument (the 'help' command) the plain 'exit'
    # uses the status of the preceding command, i.e. 0 after a successful
    # write.
    #
    cat <<EOF
Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>
where <command> is one of:
 add <interface>[:<host-list>] ... <zone>
 allow <address> ...
 check [ -e ] [ -C {shell|perl} ] [ <directory> ]
 clear [ -f ]
 compile [ -e ] [ -C {shell|perl} ] [ <directory name> ] <path name>
 delete <interface>[:<host-list>] ... <zone>
 drop <address> ...
 dump [ -x ]
 export [ -C {shell|perl} ] [ <directory1> ] [<user>@]<system>[:<directory2>]
 forget [ <file name> ]
 help
 hits [ -t ]
 ipcalc { <address>/<vlsm> | <address> <netmask> }
 ipdecimal { <address> | <integer> }
 iprange <address>-<address>
 load [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>
 logdrop <address> ...
 logreject <address> ...
 logwatch [<refresh interval>]
 refresh [ -C {shell|perl} ] [ <chain>... ]
 reject <address> ...
 reload [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>
 reset
 restart [ -n ] [ -C {shell|perl} ] [ <directory> ]
 restore [ -n ] [ <file name> ]
 save [ <file name> ]
 show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]
 start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]
 stop [ -f ]
 status
 try [ -C {shell|perl} ] <directory> [ <timeout> ]
 version [ -a ]
 safe-start [ -C {shell|perl} ] [ <directory> ]
 safe-restart [ -C {shell|perl} ] [ <directory> ]

EOF
    exit $1
}
#
# Execution begins here
#
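debugging=

#
# Leading keywords, in this order: 'debug' or 'trace' is kept in
# $debugging and passed on to the compiled scripts; 'nolock' skips the
# mutex around commands that change firewall state.
#
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
    debugging=$1
    shift
fi

nolock=

if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    nolock=nolock
    shift
fi

#
# Defaults for the global options parsed below.
#
SHOREWALL_DIR=
IPT_OPTIONS="-nv"
FAST=
VERBOSE_OFFSET=0
NOROUTES=
EXPORT=
export TIMESTAMP=
noroutes=

finished=0

#
# Global options precede the command and may be bundled ("-qv").
# "--" ends option processing; a bare "-" also ends it but is left in
# place and so falls through to the command dispatcher.
#
while [ $finished -eq 0 ]; do
    [ $# -eq 0 ] && usage 1

    option=$1

    case $option in
        -)
            finished=1
            ;;
        -*)
            option=${option#-}

            while [ -n "$option" ]; do
                case $option in
                    c)
                        #
                        # -c <directory>: alternate configuration directory.
                        # $2 is quoted so that an empty or space-containing
                        # argument is rejected here.  Unquoted, an empty $2
                        # turned the test into '[ ! -d ]', which is false
                        # (it negates the test of the non-empty string
                        # "-d"), and the check was silently skipped.
                        #
                        [ $# -eq 1 ] && usage 1

                        if [ ! -d "$2" ]; then
                            if [ -e "$2" ]; then
                                echo "$2 is not a directory" >&2
                            else
                                echo "Directory $2 does not exist" >&2
                            fi
                            exit 2
                        fi

                        SHOREWALL_DIR=$(resolve_file "$2")
                        option=
                        shift
                        ;;
                    e*)
                        EXPORT=Yes
                        option=${option#e}
                        ;;
                    x*)
                        # iptables -x: exact (unabbreviated) counters
                        IPT_OPTIONS="-xnv"
                        option=${option#x}
                        ;;
                    q*)
                        VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
                        option=${option#q}
                        ;;
                    f*)
                        FAST=Yes
                        option=${option#f}
                        ;;
                    v*)
                        VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
                        option=${option#v}
                        ;;
                    n*)
                        NOROUTES=Yes
                        option=${option#n}
                        ;;
                    t*)
                        TIMESTAMP=Yes
                        option=${option#t}
                        ;;
                    -)
                        finished=1
                        option=
                        ;;
                    *)
                        usage 1
                        ;;
                esac
            done

            shift
            ;;
        *)
            finished=1
            ;;
    esac
done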
version_command() {
    #
    # 'version' command executor: print $version (read from
    # $SHAREDIR/version at startup).  With -a, also list the versions of
    # whichever of shorewall-shell and shorewall-perl is installed under
    # /usr/share.  Any other option or a trailing argument is a usage
    # error.
    #
    local finished=0 all= arg compiler_dir

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        arg=$1
        case $arg in
            -*)
                arg=${arg#-}
                while [ -n "$arg" ]; do
                    case $arg in
                        -)
                            finished=1
                            arg=
                            ;;
                        a*)
                            all=Yes
                            arg=${arg#a}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ $# -gt 0 ] && usage 1

    echo $version

    [ -n "$all" ] || return 0

    for compiler_dir in shorewall-shell shorewall-perl; do
        if [ -f /usr/share/$compiler_dir/version ]; then
            echo "Shorewall-${compiler_dir#shorewall-} $(cat /usr/share/$compiler_dir/version)"
        fi
    done
}
[ $# -gt 0 ] || usage 1

[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR

#
# Everything below (iptables, ip, the libraries, the compiled scripts) is
# located through PATH, so it is pinned to the system directories rather
# than inherited from the caller's environment.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=

SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
export PRODUCT="Shorewall"

#
# ${CONFDIR}/vardir may relocate VARDIR.  It is sourced as shell code and
# so carries the same trust as the rest of /etc/shorewall.
#
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
: "${VARDIR:=/var/lib/shorewall}"

FIREWALL=$SHAREDIR/firewall
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
VERSION_FILE=$SHAREDIR/version
REFRESHCHAINS=

#
# Pull in the shell libraries; a missing one is fatal.
#
for library in $LIBRARIES; do
    [ -f $library ] || { echo "$library does not exist!" >&2; exit 2; }
    . $library
done

if [ ! -f $FIREWALL ]; then
    echo " ERROR: Shorewall is not properly installed" >&2
    if [ -L $FIREWALL ]; then
        echo " $FIREWALL is a symbolic link to a" >&2
        echo " non-existant file" >&2
    else
        echo " The file $FIREWALL does not exist" >&2
    fi
    exit 2
fi

[ -f $VERSION_FILE ] || {
    echo " ERROR: Shorewall is not properly installed" >&2
    echo " The file $VERSION_FILE does not exist" >&2
    exit 1
}

version=$(cat $VERSION_FILE)
banner="Shorewall-$version Status at $HOSTNAME -"

#
# Work out how this shell's echo treats -e and -n: an echo that prints
# them literally does not need (or accept) them.
#
RING_BELL="echo -e \a"
case $(echo -e) in
    -e*)
        RING_BELL="echo \a"
        ;;
esac

ECHO_N=-n
case $(echo -n "Testing") in
    -n*)
        ECHO_N=
        ;;
esac
COMMAND=$1

#
# Command dispatcher.  $1 is the command word; most executors receive the
# remaining arguments after a shift.  get_config is called first with a
# varying set of Yes/No flags whose meaning is defined in lib.cli and is
# not visible here.  State-changing commands run the firewall script
# under mutex_on/mutex_off; the 'nolock' keyword suppresses the lock
# only where the code checks $nolock.
#
case "$COMMAND" in
    start)
        get_config Yes Yes
        shift
        start_command $@
        ;;
    stop|clear)
        #
        # -f: if an executable ${VARDIR}/.restore exists, run that saved
        # script instead of $FIREWALL.
        #
        if [ "x$2" = x-f ]; then
            [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
            shift;
        fi
        [ $# -ne 1 ] && usage 1
        get_config
        export NOROUTES
        mutex_on
        $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
        mutex_off
        ;;
    reset)
        [ $# -ne 1 ] && usage 1
        get_config
        export NOROUTES
        mutex_on
        $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset
        mutex_off
        ;;
    compile)
        get_config Yes
        shift
        compile_command $@
        ;;
    restart)
        get_config Yes Yes
        shift
        restart_command $@
        ;;
    refresh)
        get_config Yes Yes
        shift
        refresh_command $@
        ;;
    check)
        get_config Yes
        shift
        check_command $@
        ;;
    add|delete)
        #
        # Handed to the firewall script unchanged, command word included
        # (no shift): add|delete <interface>[:<host-list>] ... <zone>.
        #
        [ $# -lt 3 ] && usage 1
        get_config
        mutex_on
        $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
        mutex_off
        ;;
    show|list)
        get_config Yes No Yes
        shift
        show_command $@
        ;;
    load|reload)
        get_config Yes
        shift
        reload_command $@
        ;;
    export)
        get_config Yes
        shift
        export_command $@
        ;;
    status)
        #
        # Exit status: 0 running, 4 stopped; 3 when ${VARDIR}/state
        # records Stopped or Clear (this overrides the previous value).
        #
        [ $# -eq 1 ] || usage 1
        get_config
        echo "Shorewall-$version Status at $HOSTNAME - $(date)"
        echo
        if shorewall_is_started ; then
            echo "Shorewall is running"
            status=0
        else
            echo "Shorewall is stopped"
            status=4
        fi
        if [ -f ${VARDIR}/state ]; then
            state="$(cat ${VARDIR}/state)"
            case $state in
                Stopped*|Clear*)
                    status=3
                    ;;
            esac
        else
            state=Unknown
        fi
        echo "State:$state"
        echo
        exit $status
        ;;
    dump)
        get_config Yes No Yes
        shift
        dump_command $@
        ;;
    hits)
        get_config Yes No Yes
        [ -n "$debugging" ] && set -x
        shift
        hits_command $@
        ;;
    version)
        shift
        version_command $@
        ;;
    try)
        get_config Yes
        shift
        try_command $@
        ;;
    logwatch)
        #
        # No shift: logwatch_command sees the command word as $1.
        #
        get_config Yes Yes Yes
        banner="Shorewall-$version Logwatch at $HOSTNAME -"
        logwatch_command $@
        ;;
    drop)
        #
        # drop/logdrop/reject/logreject: block the listed addresses on the
        # running firewall.  $* still contains the command word; 'block'
        # (lib.cli, not visible here) is expected to skip it.
        #
        get_config
        [ -n "$debugging" ] && set -x
        [ $# -eq 1 ] && usage 1
        if shorewall_is_started ; then
            [ -n "$nolock" ] || mutex_on
            block DROP Dropped $*
            [ -n "$nolock" ] || mutex_off
        else
            fatal_error "Shorewall is not started"
        fi
        ;;
    logdrop)
        get_config
        [ -n "$debugging" ] && set -x
        [ $# -eq 1 ] && usage 1
        if shorewall_is_started ; then
            [ -n "$nolock" ] || mutex_on
            block logdrop Dropped $*
            [ -n "$nolock" ] || mutex_off
        else
            fatal_error "Shorewall is not started"
        fi
        ;;
    reject|logreject)
        get_config
        [ -n "$debugging" ] && set -x
        [ $# -eq 1 ] && usage 1
        if shorewall_is_started ; then
            [ -n "$nolock" ] || mutex_on
            block $COMMAND Rejected $*
            [ -n "$nolock" ] || mutex_off
        else
            fatal_error "Shorewall is not started"
        fi
        ;;
    allow)
        get_config
        allow_command $@
        ;;
    save)
        #
        # Save the running configuration to ${VARDIR}/<file name>
        # (RESTOREFILE's default comes from get_config).  The user-
        # supplied name goes through validate_restorefile before it is
        # joined to VARDIR; the exit status is that of save_config.
        #
        get_config
        [ -n "$debugging" ] && set -x
        case $# in
            1)
                ;;
            2)
                RESTOREFILE="$2"
                validate_restorefile '<restore file>'
                ;;
            *)
                usage 1
                ;;
        esac
        RESTOREPATH=${VARDIR}/$RESTOREFILE
        [ -n "$nolock" ] || mutex_on
        save_config
        result=$?
        [ -n "$nolock" ] || mutex_off
        exit $result
        ;;
    forget)
        #
        # Remove a saved configuration: the restore script, its -ipsets
        # and -iptables companions, and ${VARDIR}/save.  Only an
        # executable RESTOREPATH is treated as a saved configuration.
        #
        get_config
        case $# in
            1)
                ;;
            2)
                RESTOREFILE="$2"
                validate_restorefile '<restore file>'
                ;;
            *)
                usage 1
                ;;
        esac
        RESTOREPATH=${VARDIR}/$RESTOREFILE
        if [ -x $RESTOREPATH ]; then
            if [ -x ${RESTOREPATH}-ipsets ]; then
                rm -f ${RESTOREPATH}-ipsets
                echo " ${RESTOREPATH}-ipsets removed"
            fi
            rm -f $RESTOREPATH
            rm -f ${RESTOREPATH}-iptables
            echo " $RESTOREPATH removed"
        elif [ -f $RESTOREPATH ]; then
            echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
        fi
        rm -f ${VARDIR}/save
        ;;
    ipcalc)
        #
        # ipcalc <address>/<vlsm> | <address> <netmask>.  With a single
        # argument lacking '/', address and vlsm come out identical and
        # that is reported as a usage error.  Note that vlsm is only
        # range-checked, not checked to be numeric: a non-numeric value
        # makes the '-gt' test itself fail.
        #
        [ -n "$debugging" ] && set -x
        if [ $# -eq 2 ]; then
            address=${2%/*}
            vlsm=${2#*/}
        elif [ $# -eq 3 ]; then
            address=$2
            vlsm=$(ip_vlsm $3)
        else
            usage 1
        fi
        valid_address $address || fatal_error "Invalid IP address: $address"
        [ -z "$vlsm" ] && exit 2
        [ "x$address" = "x$vlsm" ] && usage 2
        [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
        address=$address/$vlsm
        echo " CIDR=$address"
        temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
        temp=$(ip_network $address); echo " NETWORK=$temp"
        temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
        ;;
    iprange)
        #
        # iprange <address>-<address>: both ends are validated before
        # ip_range is called.
        #
        [ -n "$debugging" ] && set -x
        case $2 in
            *.*.*.*-*.*.*.*)
                for address in ${2%-*} ${2#*-}; do
                    valid_address $address || fatal_error "Invalid IP address: $address"
                done
                ip_range $2
                ;;
            *)
                usage 1
                ;;
        esac
        ;;
    ipdecimal)
        #
        # Dotted quad -> integer, anything else -> dotted quad.
        #
        [ -n "$debugging" ] && set -x
        [ $# -eq 2 ] || usage 1
        case $2 in
            *.*.*.*)
                valid_address $2 || fatal_error "Invalid IP address: $2"
                echo " $(decodeaddr $2)"
                ;;
            *)
                echo " $(encodeaddr $2)"
                ;;
        esac
        ;;
    restore)
        get_config
        shift
        restore_command $@
        ;;
    call)
        get_config
        [ -n "$debugging" ] && set -x
        #
        # Undocumented way to call functions in ${SHAREDIR}/functions
        # directly.  Note that this executes whatever follows 'call' as a
        # command, with this program's privileges.  That is no escalation
        # for root, but any arrangement that lets other users run
        # /sbin/shorewall (sudo rules, wrappers) thereby grants them
        # arbitrary command execution unless the command word is
        # restricted.
        #
        shift
        $@
        ;;
    help)
        #
        # usage without a status exits 0 (status of the last echo).
        #
        shift
        usage
        ;;
    safe-restart|safe-start)
        get_config Yes
        shift
        safe_commands $@
        ;;
    *)
        usage 1
        ;;

esac