INCLUDE directive; make 'traceroute -I' work again

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@528 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-03-29 14:37:50 +00:00 · 2003-03-29 14:37:50 +00:00 · 02a42e2fb0
commit 02a42e2fb0
parent e7d83205db
4 changed files with 83 additions and 1 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -7,3 +7,7 @@ Changes since 1.4.1
   of specific hosts or networks.

 3. Fixed common.def to use 'reject' rather than 'REJECT'.
+
+4. Added support for INCLUDE directive in all files.
+
+5. Made traceroute -I work.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -3188,6 +3188,12 @@ initialize_netfilter () {
    setcontinue FORWARD
    setcontinue INPUT
    setcontinue OUTPUT
+
+    #
+    # Make 'traceroute -I' work
+    #
+    run_iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
    #
    # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
    #
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -181,6 +181,30 @@ mutex_off()
    rm -f $STATEDIR/lock
 }

+#
+# Read a file and handle "INCLUDE" directives
+#
+
+read_file() # $1 = file name
+{
+    local first rest
+
+    while read first rest; do
+	if [ "x$first"  = "xINCLUDE" ]; then
+	    read_file `find_file ${rest%#*}`
+	else
+	    echo "$first $rest"
+	fi
+    done < $1
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . `find_file $@`
+}
+
 #
 # Strip comments and blank lines from a file and place the result in the
 # temporary directory
@ -192,7 +216,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
    [ $# = 1 ] && fname=`find_file $1` || fname=$2

    if [ -f $fname ]; then
-	cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
+	read_file $fname | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
    else
 	> $TMP_DIR/$1
    fi
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -6,6 +6,9 @@ Problems Corrected:
   properly rejected with TCP RST; previously, some of these requests
   were rejeced with an ICMP port-unreachable response.

+2) 'traceroute -I' from behind the firewall previously timed out on the
+   first hop (e.g., to the firewall). This has been worked around.
+
 New Features:

 1) Where an entry in the/etc/shorewall/hosts file specifies a
@ -14,4 +17,49 @@ New Features:
   substantially reduce the number of rules traversed by connections
   requests from such zones.

+2) Any file may include an INCLUDE directive. An INCLUDE directive
+   consists of the word INCLUDE followed by a file name and causes the
+   contents of the named file to be logically included into the file
+   containing the INCLUDE. File names given in an INCLUDE directive
+   are assumed to reside in /etc/shorewall or in an alternate
+   configuration directory if one has been specified for the command. 
+
+   Examples:
+  shorewall/params.mgmt:
+  MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+  TIME_SERVERS=4.4.4.4
+  BACKUP_SERVERS=5.5.5.5
+  ----- end params.mgmt -----
+
+
+  shorewall/params:
+  # Shorewall 1.3 /etc/shorewall/params
+  [..]
+  #######################################
+
+  INCLUDE params.mgmt    
+  
+  # params unique to this host here
+  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+  ----- end params -----
+
+
+  shorewall/rules.mgmt:
+  ACCEPT net:$MGMT_SERVERS          $FW    tcp    22
+  ACCEPT $FW          net:$TIME_SERVERS    udp    123
+  ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22
+  ----- end rules.mgmt -----
+
+  shorewall/rules:
+  # Shorewall version 1.3 - Rules File
+  [..]
+  #######################################
+
+  INCLUDE rules.mgmt     
+  
+  # rules unique to this host here
+  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+  ----- end rules -----
+
+