From 018ba394e3b96c4d55db23d399cb2d960af11a6d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 2 Jan 2012 14:13:19 -0800
Subject: [PATCH] Move common code from prog.header[6] to lib.common

---
Shorewall-core/lib.common | 508 +++++++++++++++++++++++++++++++++-
Shorewall/Perl/prog.header | 464 -------------------------------
Shorewall/Perl/prog.header6 | 529 ++----------------------------------
3 files changed, 526 insertions(+), 975 deletions(-)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 71ad15042..d2c805f48 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2010 - Tom Eastep (teastep@shorewall.net)
+# (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,509 @@ # generated firewall scripts. To avoid versioning issues, it is copied into generated # scripts rather than loaded at run-time. # +######################################################################################### +# +# Conditionally produce message +# +progress_message() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSITY -gt 1 ]; then + [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi + + if [ $LOG_VERBOSITY -gt 1 ]; then + timestamp="$(date +'%b %_d %T') " + echo "${timestamp}$@" >> $STARTUP_LOG + fi +} + +progress_message2() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSITY -gt 0 ]; then + [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi + + if [ $LOG_VERBOSITY -gt 0 ]; then + timestamp="$(date +'%b %_d %T') " + echo "${timestamp}$@" >> $STARTUP_LOG + fi +} + +progress_message3() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSITY -ge 0 ]; then + [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi + + if [ $LOG_VERBOSITY -ge 0 ]; then + timestamp="$(date +'%b %_d %T') " + echo "${timestamp}$@" >> $STARTUP_LOG + fi +} + +# +# Set a standard chain's policy +# +setpolicy() # $1 = name of chain, $2 = policy +{ + run_iptables -P $1 $2 +} + +# +# Generate a list of all network interfaces on the system +# +find_all_interfaces() { + ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' +} + +# +# Generate a list of all network interfaces on the system that have an ipv4 address +# +find_all_interfaces1() { + ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' +} + +# +# Find the value 'dev' in the passed arguments then echo the next value +# + +find_device() { + while [ $# -gt 1 ]; do + [ "x$1" = xdev ] && echo $2 && return + shift + done +} + +# +# Find the value 'via' in the passed arguments then echo the next 
value +# + +find_gateway() { + while [ $# -gt 1 ]; do + [ "x$1" = xvia ] && echo $2 && return + shift + done +} + +# +# Find the value 'mtu' in the passed arguments then echo the next value +# + +find_mtu() { + while [ $# -gt 1 ]; do + [ "x$1" = xmtu ] && echo $2 && return + shift + done +} + +# +# Find the value 'peer' in the passed arguments then echo the next value up to +# "/" +# + +find_peer() { + while [ $# -gt 1 ]; do + [ "x$1" = xpeer ] && echo ${2%/*} && return + shift + done +} + +# +# Try to find the gateway through an interface looking for 'nexthop' + +find_nexthop() # $1 = interface +{ + echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`) +} + +# +# Find the default route's interface +# +find_default_interface() { + $IP -$g_family route list | while read first rest; do + [ "$first" = default ] && echo $(find_device $rest) && return + done +} + +# +# Determine if Interface is up +# +interface_is_up() { + [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] +} + +# +# Determine if interface is usable from a Netfilter prespective +# +interface_is_usable() # $1 = interface +{ + [ "$1" = lo ] && return 0 + interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1 +} + +# +# Find interface addresses--returns the set of addresses assigned to the passed +# device +# +find_interface_addresses() # $1 = interface +{ + if [ $g_family -eq 4 ]; then + $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + else + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' + fi +} + +# +# echo the list of networks routed out of a given interface +# +get_routed_networks() # $1 = interface name, $2-n = Fatal error message +{ + local address + local rest + + $IP -$g_family route show dev $1 2> /dev/null | + while read address rest; do + case "$address" in + default) + if [ $# -gt 1 ]; then + 
shift + fatal_error "$@" + else + echo "WARNING: default route ignored on interface $1" >&2 + fi + ;; + multicast|broadcast|prohibit|nat|throw|nexthop) + ;; + [2-9]*) + [ "$address" = "${address%/*}" ] && address="${address}/128" + echo $address + ;; + *) + if [ $g_family -eq 4 ]; then + [ "$address" = "${address%/*}" ] && address="${address}/128" + echo $address + fi + ;; + esac + done +} + +# +# Clear the current traffic shaping configuration +# + +delete_tc1() +{ + clear_one_tc() { + $TC qdisc del dev $1 root 2> /dev/null + $TC qdisc del dev $1 ingress 2> /dev/null + + } + + run_tcclear_exit + + run_ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; + esac + done +} + +# +# Detect a device's MTU -- echos the passed device's MTU +# +get_device_mtu() # $1 = device +{ + local output + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash + + if [ -n "$output" ]; then + echo $(find_mtu $output) + else + echo 1500 + fi +} + +# +# Version of the above that doesn't generate any output for MTU 1500. 
+# Generates 'mtu ' otherwise, where is the device's MTU + 100 +# +get_device_mtu1() # $1 = device +{ + local output + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash + local mtu + + if [ -n "$output" ]; then + mtu=$(find_mtu $output) + if [ -n "$mtu" ]; then + [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) + fi + fi + +} + +# +# Undo changes to routing +# +undo_routing() { + local undofiles + local f + + if [ -z "$g_noroutes" ]; then + # + # Restore rt_tables database + # + if [ -f ${VARDIR}/rt_tables ]; then + [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + rm -f ${VARDIR}/rt_tables + fi + # + # Restore the rest of the routing table + # + undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)" + + if [ -n "$undofiles" ]; then + for f in $undofiles; do + . $f + done + + rm -f $undofiles + + progress_message "Shorewall-generated routing tables and routing rules removed" + fi + fi + +} + +# +# Save the default route +# +save_default_route() { + awk \ + 'BEGIN {defroute=0;}; + /^default / {defroute=1; print; next}; + /nexthop/ {if (defroute == 1 ) {print ; next} }; + { defroute=0; };' +} + +# +# Restore the default route that was in place before the initial 'shorewall start' +# +replace_default_route() # $1 = USE_DEFAULT_RT +{ + # + # default_route and result are inherited from the caller + # + if [ -n "$default_route" ]; then + case "$default_route" in + *metric*) + # + # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. 
Otherwise, we only replace the one with metric 0 + # + [ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored" + default_route= + ;; + *) + qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored" + result=0 + default_route= + ;; + esac + fi +} + +restore_default_route() # $1 = USE_DEFAULT_RT +{ + local result + result=1 + + if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then + local default_route + default_route= + local route + + while read route ; do + case $route in + default*) + replace_default_route $1 + default_route="$default_route $route" + ;; + *) + default_route="$default_route $route" + ;; + esac + done < ${VARDIR}/default_route + + replace_default_route $1 + + if [ $result = 1 ]; then + # + # We didn't restore a default route with metric 0 + # + if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then + # + # But we added a default route with metric 0 + # + qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted" + fi + fi + + rm -f ${VARDIR}/default_route + fi + + return $result +} + +# +# Flush the conntrack table if $g_purge is non-empty +# +conditionally_flush_conntrack() { + + if [ -n "$g_purge" ]; then + if [ -n $(mywhich conntrack) ]; then + conntrack -f ipv$_family -F + else + error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system" + fi + fi +} + +# +# Issue a message and stop/restore the firewall +# +fatal_error() +{ + echo " ERROR: $@" >&2 + + if [ $LOG_VERBOSITY -ge 0 ]; then + timestamp="$(date +'%_b %d %T') " + echo "${timestamp} ERROR: $@" >> $STARTUP_LOG + fi + + stop_firewall + [ -n "$TEMPFILE" ] && rm -f $TEMPFILE + exit 2 +} + +# +# Issue a message and stop +# +startup_error() # $* = Error Message +{ + echo " ERROR: $@: Firewall state not changed" >&2 + + if [ 
$LOG_VERBOSITY -ge 0 ]; then + timestamp="$(date +'%_b %d %T') " + echo "${timestamp} ERROR: $@" >> $STARTUP_LOG + fi + + case $COMMAND in + start) + logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed" + ;; + restart) + logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed" + ;; + restore) + logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed" + ;; + esac + + if [ $LOG_VERBOSITY -ge 0 ]; then + timestamp="$(date +'%_b %d %T') " + + case $COMMAND in + start) + echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG + ;; + restart) + echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG + ;; + restore) + echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG + ;; + esac + fi + + kill $$ + exit 2 +} + +# +# Run iptables and if an error occurs, stop/restore the firewall +# +run_iptables() +{ + local status + + while [ 1 ]; do + $g_tool $@ + status=$? + [ $status -ne 4 ] && break + done + + if [ $status -ne 0 ]; then + error_message "ERROR: Command \"$g_tool $@\" Failed" + stop_firewall + exit 2 + fi +} + +# +# Run iptables retrying exit status 4 +# +do_iptables() +{ + local status + + while [ 1 ]; do + $g_tool $@ + status=$? + [ $status -ne 4 ] && return $status; + done +} + +# +# Run iptables and if an error occurs, stop/restore the firewall +# +run_ip() +{ + if ! $IP -$g_family $@; then + error_message "ERROR: Command \"$IP -$g_family $@\" Failed" + stop_firewall + exit 2 + fi +} + +# +# Run tc and if an error occurs, stop/restore the firewall +# +run_tc() { + if ! $TC $@ ; then + error_message "ERROR: Command \"$TC $@\" Failed" + stop_firewall + exit 2 + fi +} # # Get the Shorewall version of the passed script @@ -673,3 +1176,4 @@ truncate() # $1 = length { cut -b -${1} } + 
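Review bot: `conditionally_flush_conntrack` now calls `conntrack -f ipv$_family -F`, but the family variable used by every other function in this hunk is `$g_family`, so `$_family` expands to nothing and the flush runs as `conntrack -f ipv -F`. The test on the line above is unquoted, so when `mywhich conntrack` prints nothing `[ -n ]` is still true and the "conntrack utility … not installed" warning can never fire; the two lines should read `if [ -n "$(mywhich conntrack)" ]; then` and `conntrack -f ipv$g_family -F`. In `interface_is_usable` the merged check compares only against `::`, whereas the prog.header copy removed in this commit compared against `0.0.0.0`; if `find_first_interface_address_if_any` still returns `0.0.0.0` for an address-less IPv4 interface, such interfaces now pass as usable. In `undo_routing` the writability test names `/etc/iproute2/rt_table` while the copy targets `/etc/iproute2/rt_tables`, so the database restore is skipped whenever the singular path does not exist (carried over from the removed copies, but this is now the only definition). In `get_routed_networks` both the `[2-9]*)` arm and the `g_family -eq 4` arm append `/128` to host routes, which is not a valid IPv4 prefix length — the IPv4 path presumably wants `/32`, unless prog.header's own `get_routed_networks` (whose header comment survives as context in that file's hunk) still overrides this one.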
diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
index 8f9ed401b..feb574d17 100644
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -27,90 +27,6 @@ ################################################################################ # Functions imported from /usr/share/shorewall/prog.header ################################################################################ -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 1 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -gt 1 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -progress_message2() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -gt 0 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -progress_message3() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -ge 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Generate a list of all network interfaces on the system -# -find_all_interfaces() { - ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' -} - -# -# Generate a list of all network interfaces on the system that have an ipv4 address -# -find_all_interfaces1() { - ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' -} - -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - # # Find the value 'weight' in the passed arguments then echo the next value # 
@@ -122,40 +38,6 @@ find_weight() { done } -# -# Find the value 'via' in the passed arguments then echo the next value -# - -find_gateway() { - while [ $# -gt 1 ]; do - [ "x$1" = xvia ] && echo $2 && return - shift - done -} - -# -# Find the value 'mtu' in the passed arguments then echo the next value -# - -find_mtu() { - while [ $# -gt 1 ]; do - [ "x$1" = xmtu ] && echo $2 && return - shift - done -} - -# -# Find the value 'peer' in the passed arguments then echo the next value up to -# "/" -# - -find_peer() { - while [ $# -gt 1 ]; do - [ "x$1" = xpeer ] && echo ${2%/*} && return - shift - done -} - # # Find the interfaces that have a route to the passed address - the default # route is not used. @@ -178,23 +60,6 @@ find_rt_interface() { done } -# -# Try to find the gateway through an interface looking for 'nexthop' - -find_nexthop() # $1 = interface -{ - echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`) -} - -# -# Find the default route's interface -# -find_default_interface() { - $IP -4 route list | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - # # Echo the name of the interface(s) that will be used to send to the # passed address 
@@ -211,31 +76,6 @@ find_interface_by_address() { [ -n "$dev" ] && echo $dev } -# -# Determine if Interface is up -# -interface_is_up() { - [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] -} - -# -# Determine if interface is usable from a Netfilter prespective -# -interface_is_usable() # $1 = interface -{ - [ "$1" = lo ] && return 0 - interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1 -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' -} - # # echo the list of networks routed out of a given interface # 
@@ -428,178 +268,6 @@ disable_ipv6() { fi } -# -# Clear the current traffic shaping configuration -# - -delete_tc1() -{ - clear_one_tc() { - $TC qdisc del dev $1 root 2> /dev/null - $TC qdisc del dev $1 ingress 2> /dev/null - - } - - run_tcclear_exit - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Detect a device's MTU -- echos the passed device's MTU -# -get_device_mtu() # $1 = device -{ - local output - output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash - - if [ -n "$output" ]; then - echo $(find_mtu $output) - else - echo 1500 - fi -} - -# -# Version of the above that doesn't generate any output for MTU 1500. -# Generates 'mtu ' otherwise, where is the device's MTU + 100 -# -get_device_mtu1() # $1 = device -{ - local output - output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash - local mtu - - if [ -n "$output" ]; then - mtu=$(find_mtu $output) - if [ -n "$mtu" ]; then - [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) - fi - fi - -} - -# -# Undo changes to routing -# -undo_routing() { - local undofiles - local f - - if [ -z "$g_noroutes" ]; then - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the rest of the routing table - # - undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)" - - if [ -n "$undofiles" ]; then - for f in $undofiles; do - . 
$f - done - - rm -f $undofiles - - progress_message "Shorewall-generated routing tables and routing rules removed" - fi - fi - -} - -# -# Save the default route -# -save_default_route() { - awk \ - 'BEGIN {defroute=0;}; - /^default / {deroute=1; print; next}; - /nexthop/ {if (defroute == 1 ) {print ; next} }; - { defroute=0; };' -} - -# -# Restore the default route that was in place before the initial 'shorewall start' -# -replace_default_route() # $1 = USE_DEFAULT_RT -{ - # - # default_route and result are inherited from the caller - # - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0 - # - [ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored" - default_route= - ;; - *) - qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored" - result=0 - default_route= - ;; - esac - fi -} - -restore_default_route() # $1 = USE_DEFAULT_RT -{ - local result - result=1 - - if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then - local default_route - default_route= - local route - - while read route ; do - case $route in - default*) - replace_default_route $1 - default_route="$default_route $route" - ;; - *) - default_route="$default_route $route" - ;; - esac - done < ${VARDIR}/default_route - - replace_default_route $1 - - if [ $result = 1 ]; then - # - # We didn't restore a default route with metric 0 - # - if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then - # - # But we added a default route with metric 0 - # - qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted" - fi - fi - - rm -f ${VARDIR}/default_route - fi - - return $result -} - # # Add an additional gateway to the default route # 
@@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface fi } -# -# Flush the conntrack table if $g_purge is non-empty -# -conditionally_flush_conntrack() { - - if [ -n "$g_purge" ]; then - if [ -n $(mywhich conntrack) ]; then - conntrack -F - else - error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system" - fi - fi -} - # # Clear Proxy Arp # 
@@ -735,124 +389,6 @@ clear_firewall() { logger -p kern.info "$g_product Cleared" } -# -# Issue a message and stop/restore the firewall -# -fatal_error() -{ - echo " ERROR: $@" >&2 - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%_b %d %T') " - echo "${timestamp} ERROR: $@" >> $STARTUP_LOG - fi - - stop_firewall - [ -n "$TEMPFILE" ] && rm -f $TEMPFILE - exit 2 -} - -# -# Issue a message and stop -# -startup_error() # $* = Error Message -{ - echo " ERROR: $@: Firewall state not changed" >&2 - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%_b %d %T') " - echo "${timestamp} ERROR: $@" >> $STARTUP_LOG - fi - - case $COMMAND in - start) - logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed" - ;; - restart) - logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed" - ;; - restore) - logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed" - ;; - esac - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%_b %d %T') " - - case $COMMAND in - start) - echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG - ;; - restart) - echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG - ;; - restore) - echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG - ;; - esac - fi - - kill $$ - exit 2 -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_iptables() -{ - local status - - while [ 1 ]; do - $IPTABLES $@ - status=$? - [ $status -ne 4 ] && break - done - - if [ $status -ne 0 ]; then - error_message "ERROR: Command \"$IPTABLES $@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Run iptables retrying exit status 4 -# -do_iptables() -{ - local status - - while [ 1 ]; do - $IPTABLES $@ - status=$? - [ $status -ne 4 ] && return $status; - done -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_ip() -{ - if ! 
$IP -4 $@; then
- error_message "ERROR: Command \"$IP -4 $@\" Failed"
- stop_firewall
- exit 2
- fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
- if ! $TC $@ ; then
- error_message "ERROR: Command \"$TC $@\" Failed"
- stop_firewall
- exit 2
- fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6
index 49ca7bdbf..8ad3c3a81 100644
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -27,166 +27,6 @@ ################################################################################ # Functions imported from /usr/share/shorewall/prog.header6 ################################################################################ -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 1 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -gt 1 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -progress_message2() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -gt 0 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -progress_message3() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -ge 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%b %_d %T') " - echo "${timestamp}$@" >> $STARTUP_LOG - fi -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Generate a list of all network interfaces on the system -# -find_all_interfaces() { - ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' -} - -# -# Generate a list of all network interfaces on the system that have an ipv6 address -# -find_all_interfaces1() { - ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' -} - -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the value 'via' in the passed arguments then echo the next value 
-# - -find_gateway() { - while [ $# -gt 1 ]; do - [ "x$1" = xvia ] && echo $2 && return - shift - done -} - -# -# Find the value 'mtu' in the passed arguments then echo the next value -# - -find_mtu() { - while [ $# -gt 1 ]; do - [ "x$1" = xmtu ] && echo $2 && return - shift - done -} - -# -# Find the value 'peer' in the passed arguments then echo the next value up to -# "/" -# - -find_peer() { - while [ $# -gt 1 ]; do - [ "x$1" = xpeer ] && echo ${2%/*} && return - shift - done -} - -# -# Try to find the gateway through an interface looking for 'nexthop' - -find_nexthop() # $1 = interface -{ - echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`) -} - -# -# Find the default route's interface -# -find_default_interface() { - $IP -6 route list | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Determine if Interface is up -# -interface_is_up() { - [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] -} - -# -# Determine if interface is usable from a Netfilter prespective -# -interface_is_usable() # $1 = interface -{ - [ "$1" = lo ] && return 0 - interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1 -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' -} - # # Get all interface addresses with VLSMs # 
@@ -196,64 +36,6 @@ find_interface_full_addresses() # $1 = interface $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' } -# -# Add an additional gateway to the default route -# -add_gateway() # $1 = Delta $2 = Table Number -{ - local route - local weight - local delta - local dev - - run_ip route add default scope global table $2 $1 -} - -# -# Remove a gateway from the default route -# -delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device -{ - local route - local gateway - local dev - - route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'` - gateway=$1 - - dev=$(find_device $route) - [ "$dev" = "$3" ] && run_ip route delete default table $2 -} - -# -# echo the list of networks routed out of a given interface -# -get_routed_networks() # $1 = interface name, $2-n = Fatal error message -{ - local address - local rest - - $IP -6 route show dev $1 2> /dev/null | - while read address rest; do - case "$address" in - default) - if [ $# -gt 1 ]; then - shift - fatal_error "$@" - else - echo "WARNING: default route ignored on interface $1" >&2 - fi - ;; - multicast|broadcast|prohibit|nat|throw|nexthop) - ;; - 2*) - [ "$address" = "${address%/*}" ] && address="${address}/128" - echo $address - ;; - esac - done -} - # # Normalize an IPv6 Address by compressing out consecutive zero elements # 
@@ -438,172 +220,33 @@ detect_gateway() # $1 = interface [ -n "$gateway" ] && echo $gateway } -delete_tc1() +# +# Add an additional gateway to the default route +# +add_gateway() # $1 = Delta $2 = Table Number { - clear_one_tc() { - $TC qdisc del dev $1 root 2> /dev/null - $TC qdisc del dev $1 ingress 2> /dev/null - - } - - run_tcclear_exit - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done + local route + local weight + local delta + local dev + + run_ip route add default scope global table $2 $1 } # -# Detect a device's MTU -- echos the passed device's MTU +# Remove a gateway from the default route # -get_device_mtu() # $1 = device +delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device { - local output - output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash + local route + local gateway + local dev - if [ -n "$output" ]; then - echo $(find_mtu $output) - else - echo 1500 - fi -} - -# -# Version of the above that doesn't generate any output for MTU 1500. 
-# Generates 'mtu ' otherwise, where is the device's MTU + 100 -# -get_device_mtu1() # $1 = device -{ - local output - output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash - local mtu - - if [ -n "$output" ]; then - mtu=$(find_mtu $output) - if [ -n "$mtu" ]; then - [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) - fi - fi - -} - -# -# Undo changes to routing -# -undo_routing() { - local undofiles - local f - - if [ -z "$g_noroutes" ]; then - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the rest of the routing table - # - undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)" - - if [ -n "$undofiles" ]; then - for f in $undofiles; do - . $f - done - - rm -f $undofiles - - progress_message "Shorewall6-generated routing tables and routing rules removed" - fi - fi - -} - -# -# Save the default route -# -save_default_route() { - awk \ - 'BEGIN {defroute=0;}; - /^default / {defroute=1; print; next}; - /nexthop/ {if (defroute == 1 ) {print ; next} }; - { defroute=0; };' -} - -# -# Restore the default route that was in place before the initial 'shorewall start' -# -replace_default_route() # $1 = USE_DEFAULT_RT -{ - # - # default_route and result are inherited from the caller - # - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. 
Otherwise, we only replace the one with metric 0 - # - [ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored" - default_route= - ;; - *) - qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored" - result=0 - default_route= - ;; - esac - fi -} - -restore_default_route() # $1 = USE_DEFAULT_RT -{ - local result - result=1 - - if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then - local default_route - default_route= - local route - - while read route ; do - case $route in - default*) - replace_default_route $1 - default_route="$default_route $route" - ;; - *) - default_route="$default_route $route" - ;; - esac - done < ${VARDIR}/default_route - - replace_default_route $1 - - if [ $result = 1 ]; then - # - # We didn't restore a default route with metric 0 - # - if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then - # - # But we added a default route with metric 0 - # - qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted" - fi - fi - - rm -f ${VARDIR}/default_route - fi - - return $result + route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'` + gateway=$1 + + dev=$(find_device $route) + [ "$dev" = "$3" ] && run_ip route delete default table $2 } # @@ -625,20 +268,6 @@ find_echo() { echo echo } -# -# Flush the conntrack table if $g_purge is non-empty -# -conditionally_flush_conntrack() { - - if [ -n "$g_purge" ]; then - if [ -n $(which conntrack) ]; then - conntrack -F - else - error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system" - fi - fi -} - # # Clear Proxy NDP # 
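Review bot: The relocated `add_gateway` declares `local route`, `local weight`, `local delta` and `local dev` and uses none of them, and `delete_gateway` assigns `gateway=$1` without ever reading it; since this hunk only moves the two functions it is a good moment to drop the dead declarations, leaving `add_gateway` as the single `run_ip route add default scope global table $2 $1` line. The `$! = Description of the Gateway` in delete_gateway's signature comment is presumably a typo for `$1`. The `grep ^default` in delete_gateway is unanchored at the end, so it also matches lines such as `default_…` should `ip -o route ls` ever print one; `grep '^default '` would pin it to the default route.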
@@ -677,124 +306,6 @@ clear_firewall() { logger -p kern.info "$g_product Cleared" } -# -# Issue a message and stop/restore the firewall -# -fatal_error() -{ - echo " ERROR: $@" >&2 - - if [ $LOG_VERBOSITY -gt 1 ]; then - timestamp="$(date +'%_b %d %T') " - echo "${timestamp} ERROR: $@" >> $STARTUP_LOG - fi - - stop_firewall - [ -n "$TEMPFILE" ] && rm -f $TEMPFILE - exit 2 -} - -# -# Issue a message and stop -# -startup_error() # $* = Error Message -{ - echo " ERROR: $@: Firewall state not changed" >&2 - - if [ $LOG_VERBOSITY -ge 0 ]; then - timestamp="$(date +'%_b %d %T') " - echo "${timestamp} ERROR: $@" >> $STARTUP_LOG - fi - - case $COMMAND in - start) - logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed" - ;; - restart) - logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed" - ;; - restore) - logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed" - ;; - esac - - if [ $LOG_VERBOSITY -gt 1 ]; then - timestamp="$(date +'%_b %d %T') " - - case $COMMAND in - start) - echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG - ;; - restart) - echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG - ;; - restore) - echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG - ;; - esac - fi - - kill $$ - exit 2 -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_iptables() -{ - local status - - while [ 1 ]; do - $IP6TABLES $@ - status=$? - [ $status -ne 4 ] && break - done - - if [ $status -ne 0 ]; then - error_message "ERROR: Command \"$IP6TABLES $@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Run iptables retrying exit status 4 -# -do_iptables() -{ - local status - - while [ 1 ]; do - $IP6TABLES $@ - status=$? 
- [ $status -ne 4 ] && return $status; - done -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_ip() -{ - if ! $IP -6 $@; then - error_message "ERROR: Command \"$IP -6 $@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Run tc and if an error occurs, stop/restore the firewall -# -run_tc() { - if ! $TC $@ ; then - error_message "ERROR: Command \"$TC $@\" Failed" - stop_firewall - exit 2 - fi -} - # # Run the .iptables_restore_input as a set of discrete iptables commands #