From 1e763c24d9f2c3d431dd70b26976cf9334912220 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 20 Jan 2006 23:34:19 +0000 Subject: [PATCH] Many changes to make non-root compile possible git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3336 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/capabilities | 31 +++++ Shorewall/firewall | 289 +++++++++++++++++++++++++++++------------ Shorewall/functions | 2 + 3 files changed, 240 insertions(+), 82 deletions(-) create mode 100644 Shorewall/capabilities diff --git a/Shorewall/capabilities b/Shorewall/capabilities new file mode 100644 index 000000000..36ac2adac --- /dev/null +++ b/Shorewall/capabilities @@ -0,0 +1,31 @@ +# +# Shorewall version 3.2 - Capabilities File +# +# /etc/shorewall/capabilities +# +# This file is used when compiling with the -e flag. It specifies +# the capabilities of the kernel/iptables on the remote system. +# The capabilities are listed in the same order as they appear in +# the output of "shorewall show capabilities". If the capability +# is available, set the corresponding variable to "Yes". Otherwise +# leave it empty. + +NAT_ENABLED=Yes # NAT +MANGLE_ENABLED=Yes # Packet Mangling +CONNTRACK_MATCH=Yes # Connection Tracking Match +USEPKTTYPE= # Packet Type Match +MULTIPORT=Yes # Multi-port Match +XMULTIPORT=Yes # Extended Multi-port Match +POLICY_MATCH=Yes # Policy Match +PHYSDEV_MATCH=Yes # Physdev Match +LENGTH_MATCH=Yes # Packet Length Match +IPRANGE_MATCH=Yes # IP range Match +RECENT_MATCH=Yes # Recent Match +OWNER_MATCH=Yes # Owner match +IPSET_MATCH= # Ipset Match +CONNMARK=Yes # CONNMARK Target +CONNMARK_MATCH=Yes # Connmark Match +RAW_TABLE=Yes # Raw Table +IPP2P_MATCH= # IPP2P Match +CLASSIFY_TARGET=Yes # CLASSIFY Target +ENHANCED_REJECT=Yes # Extended REJECT diff --git a/Shorewall/firewall b/Shorewall/firewall index f462a1bb6..618729985 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall 
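Review bot: The header comment should say that this file is executed, not parsed: do_initialize later sources it with `. $f`, so only variable assignments may appear in it, anything else in it runs with the compiler's privileges, and it must be writable only by trusted users. A misspelled variable name is silently ignored and simply leaves that capability unset, which is worth a sentence in the same place. Suggested addition after "leave it empty.": `# This file is sourced by the shell: it must contain only NAME=value lines.`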
@@ -1461,7 +1461,9 @@ __EOF__ ;; esac - cat > /etc/iproute2/rt_tables <> $RESTOREBASE << __EOF__ +${INDENT} cat > /etc/iproute2/rt_tables <> $RESTOREBASE << __EOF__ +${INDENT} \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables +__EOF__ + done + else + cat > /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables + done - for table in $PROVIDERS; do - eval number=\$${table}_number - ${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables - done - - save_command " cat > /etc/iproute2/rt_tables << __EOF__" - cat /etc/iproute2/rt_tables >> $RESTOREBASE - save_command_unindented __EOF__ - + save_command " cat > /etc/iproute2/rt_tables << __EOF__" + cat /etc/iproute2/rt_tables >> $RESTOREBASE + save_command_unindented __EOF__ + fi fi if [ $COMMAND = compile ]; then @@ -8291,10 +8312,20 @@ __EOF__ # save_progress_message "Setting up ARP filtering..." - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter" - run_and_save_command "[ -f $f/arp_ignore ] && echo 0 > $f/arp_ignore" - done + if [ $COMMAND = compile ]; then + cat >> $RESTOREBASE << __EOF__ +${INDENT}for f in /proc/sys/net/ipv4/conf/*; do +${INDENT} [ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter +${INDENT} [ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore +${INDENT}done + +__EOF__ + else + for f in /proc/sys/net/ipv4/conf/*; do + run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter" + run_and_save_command "[ -f $f/arp_ignore ] && echo 0 > $f/arp_ignore" + done + fi interfaces=$(find_interfaces_by_option arp_filter) interfaces1=$(find_interfaces_by_option1 arp_ignore) 
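Review bot: In the compile branch `$number` and `$table` are expanded at compile time into the `\${echobin:-echo} -e "$number\t$table"` line of the generated script, inside a double-quoted string that script parses later, so a provider name from the providers file containing `"`, `$`, a backtick or a backslash changes the generated script rather than the rt_tables entry; the else branch only ever hands the same values to echo. Unless provider names are validated where the providers file is read, a check before the heredoc such as `case $table in *[!A-Za-z0-9_]*) startup_error "Invalid provider name: $table" ;; esac` keeps the generated script well-formed. The enclosing function starts and ends outside the hunk.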
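Review bot: Each sysctl step is now written twice, as a heredoc for the generated script in the compile branch and as `run_and_save_command` calls in the else branch, and the two copies have to be kept in step by hand; the same pattern repeats in the ARP per-interface, Route Filtering, Martian Logging and both Source Routing hunks, and the Route Filtering copy has already drifted (it tests `log_martians` where the else branch tests `rp_filter`). A one-line comment above each `if [ $COMMAND = compile ]` saying why the loop is emitted rather than run, e.g. `# compile: emit the loop so the conf/* glob expands on the target, not on the compiling host`, would make the intent of the duplication clear. The enclosing function starts and ends outside the hunk.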
@@ -8302,26 +8333,51 @@ __EOF__ if [ -n "${interfaces}${interfaces1}" ]; then progress_message2 "Setting up ARP Filtering..." - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/arp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "WARNING: Cannot set ARP filtering on $interface" - fi - done + if [ $COMMAND = compile ]; then + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/arp_filter + cat >> $RESTOREBASE << __EOF__ +${INDENT}if [ -f $file ]; then +${INDENT} echo 1 > $file +${INDENT}else +${INDENT} error_message "WARNING: Cannot set ARP filtering on $interface" +${INDENT}fi +__EOF__ + done - for interface in $interfaces1; do - file=/proc/sys/net/ipv4/conf/$interface/arp_ignore - if [ -f $file ]; then - eval command="\"echo \$$(chain_base $interface)_arp_ignore > $file\"" - run_and_save_command "$command" - else - error_message \ - "WARNING: Cannot set ARP filtering on $interface" - fi - done + for interface in $interfaces1; do + file=/proc/sys/net/ipv4/conf/$interface/arp_ignore + eval value="\$$(chain_base $interface)_arp_ignore" + cat >> $RESTOREBASE << __EOF__ +${INDENT}if [ -f $file ]; then +${INDENT} echo $value > $file +${INDENT}else +${INDENT} error_message "WARNING: Cannot set ARP filtering on $interface" +${INDENT}fi +__EOF__ + done + else + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/arp_filter + if [ -f $file ]; then + run_and_save_command "echo 1 > $file" + else + error_message \ + "WARNING: Cannot set ARP filtering on $interface" + fi + done + + for interface in $interfaces1; do + file=/proc/sys/net/ipv4/conf/$interface/arp_ignore + if [ -f $file ]; then + eval command="\"echo \$$(chain_base $interface)_arp_ignore > $file\"" + run_and_save_command "$command" + else + error_message \ + "WARNING: Cannot set ARP filtering on $interface" + fi + done + fi fi # # Route Filtering 
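Review bot: The compile branch writes `error_message "WARNING: ..."` into the generated script, so it relies on `error_message` being defined in whatever the generated script sources at run time; the hunk does not show that, and if it is not, the missing-file case on the target ends in a command-not-found instead of a warning. The branch also moves the `[ -f $file ]` check and the warning from compile time to run time on the target, which is the right place for it (the compiling host's /proc says nothing about the target) but is a silent change in when the warning appears and deserves a comment such as `# the /proc test must run on the target, so defer it (and the warning) to the generated script`. `$value` and `$interface` are expanded unquoted into the generated script at compile time; both come from configuration, so a value containing shell metacharacters would alter the script rather than the setting. The enclosing function starts and ends outside the hunk.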
@@ -8333,19 +8389,40 @@ __EOF__ save_progress_message "Setting up Route Filtering..." - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter" - done + if [ $COMMAND = compile ]; then + cat >> $RESTOREBASE << __EOF__ - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "WARNING: Cannot set route filtering on $interface" - fi - done +${INDENT}for f in /proc/sys/net/ipv4/conf/*; do +${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter +${INDENT}done + +__EOF__ + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/rp_filter + + cat >> $RESTOREBASE << __EOF__ +${INDENT}if [ -f $file ]; then +${INDENT} echo 1 > $file +${INDENT}else +${INDENT} error_message "WARNING: Cannot set route filtering on $interface" +${INDENT}fi +__EOF__ + done + else + for f in /proc/sys/net/ipv4/conf/*; do + run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter" + done + + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/rp_filter + if [ -f $file ]; then + run_and_save_command "echo 1 > $file" + else + error_message \ + "WARNING: Cannot set route filtering on $interface" + fi + done + fi run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" 
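Review bot: The generated loop tests the wrong file: `[ -f \$f/log_martians ] && echo 0 > \$f/rp_filter` checks for `log_martians` before writing `rp_filter`, while the else branch and the removed code test `\$f/rp_filter`; on a target where an interface directory has one file but not the other the reset is skipped or fails, so the line should read `${INDENT} [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter`. Separately, `run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"` after the new `fi` is still unconditional, so if run_and_save_command executes the command locally, as its name and the else branch suggest, a non-root `-e` compile still tries to write the compiling host's sysctl; the same applies to `.../default/log_martians` after the Martian Logging hunk. The enclosing function starts and ends outside the hunk.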
@@ -8367,19 +8444,40 @@ __EOF__ save_progress_message "Setting up Martian Logging..." - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians" - done + if [ $COMMAND = compile ]; then + cat >> $RESTOREBASE << __EOF__ - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/log_martians - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "WARNING: Cannot set Martian logging on $interface" - fi - done +${INDENT}for f in /proc/sys/net/ipv4/conf/*; do +${INDENT} [ -f \$f/log_martians ] && echo 0 > \$f/log_martians +${INDENT}done + +__EOF__ + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/log_martians + + cat >> $RESTOREBASE << __EOF__ +${INDENT}if [ -f $file ]; then +${INDENT} echo 1 > $file +${INDENT}else +${INDENT} error_message "WARNING: Cannot set Martian logging on $interface" +${INDENT}fi +__EOF__ + done + else + for f in /proc/sys/net/ipv4/conf/*; do + run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians" + done + + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/log_martians + if [ -f $file ]; then + run_and_save_command "echo 1 > $file" + else + error_message \ + "WARNING: Cannot set Martian logging on $interface" + fi + done + fi if [ -n "$LOG_MARTIANS" ]; then run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" 
@@ -8393,9 +8491,18 @@ __EOF__ # save_progress_message "Setting up Accept Source Routing..." - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route" - done + if [ $COMMAND = compile ]; then + cat >> $RESTOREBASE << __EOF__ +${INDENT}for f in /proc/sys/net/ipv4/conf/*; do +${INDENT} [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route +${INDENT}done + +__EOF__ + else + for f in /proc/sys/net/ipv4/conf/*; do + run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route" + done + fi interfaces=$(find_interfaces_by_option sourceroute) @@ -8404,15 +8511,29 @@ __EOF__ save_progress_message "Setting up Source Routing..." - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/accept_source_route - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "WARNING: Cannot set Accept Source Routing on $interface" - fi - done + if [ $COMMAND = compile ]; then + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/accept_source_route + + cat >> $RESTOREBASE << __EOF__ +${INDENT}if [ -f $file ]; then +${INDENT} echo 1 > $file +${INDENT}else +${INDENT} error_message "WARNING: Cannot set Accept Source Routing on $interface" +${INDENT}fi +__EOF__ + done + else + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/accept_source_route + if [ -f $file ]; then + run_and_save_command "echo 1 > $file" + else + error_message \ + "WARNING: Cannot set Accept Source Routing on $interface" + fi + done + fi fi if [ -n "$DYNAMIC_ZONES" ]; then @@ -8577,7 +8698,7 @@ activate_rules() addnatjump POSTROUTING $(output_chain $interface) -o $interface done - > /var/lib/shorewall/chains + > $STATEDIR/chains echo "$FW firewall" > $STATEDIR/zones # # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. 
@@ -9299,13 +9420,13 @@ compile_firewall() # $1 = File Name [ -h $outfile ] && startup_error "$outfile is a Symbolic Link" [ -f $outfile -a ! -x $outfile ] && startup_error "$outfile exists and is not a restore file" - RESTOREBASE=$(mktempfile /var/lib/shorewall) + RESTOREBASE=$(mktempfile /tmp) - STATEDIR=/var/lib/shorewall/.compiler + STATEDIR=/tmp/$USER/.compiler - [ -d $STATEDIR ] || mkdir $STATEDIR + [ -d $STATEDIR ] || mkdir -p $STATEDIR - [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" + [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /tmp" [ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --" @@ -10051,7 +10172,7 @@ do_initialize() { export LC_ALL=C # Make sure umask is sane - umask 177 + umask 077 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin # @@ -10177,10 +10298,10 @@ do_initialize() { PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - load_kernel_modules - if [ -z "$EXPORT" ]; then + + load_kernel_modules + if [ -z "$IPTABLES" ]; then IPTABLES=$(mywhich iptables 2> /dev/null) @@ -10188,12 +10309,16 @@ do_initialize() { else [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" fi + determine_capabilities + + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + + else + f=$(find_file capabilities) + + [ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file" fi - determine_capabilities - - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" [ -n "$ALLOWRELATED" ] || \ startup_error "ALLOWRELATED=No is not supported" diff --git a/Shorewall/functions b/Shorewall/functions index 5e8bc4527..99825ec62 100755 --- a/Shorewall/functions +++ b/Shorewall/functions 
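Review bot: `STATEDIR=/tmp/$USER/.compiler` with `mkdir -p` is a predictable path in a world-writable directory: `mkdir -p` silently reuses a `/tmp/$USER` that another local user created first, and the later `> $STATEDIR/chains` and `> $STATEDIR/zones` redirects then write through whatever that user placed there, which for a root-run compile means overwriting a file of their choosing. `$USER` is also not guaranteed to be set (cron, `su -c`), in which case every user shares `/tmp//.compiler`. Create the directory unpredictably and fail if that cannot be done, e.g. `STATEDIR=$(mktemp -d /tmp/shorewall.XXXXXX) || startup_error "Cannot create temporary directory in /tmp"`, and remove it when compile_firewall finishes; whether `mktempfile` does the equivalent for `$RESTOREBASE` is not visible here. compile_firewall starts and ends outside the hunk.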
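Review bot: `[ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"` mixes the outcome of two different commands: if the sourced file's last command returns non-zero, the `||` branch reports a missing capabilities file, and when `find_file` returns nothing the one-argument `[ -f ]` is true and `.` runs without a filename, so the user sees the shell's own error before the intended one. Spell it out as `if [ -n "$f" ] && [ -f "$f" ]; then . "$f"; else startup_error "The -e flag requires a capabilities file"; fi`. Sourcing executes the file rather than reading it, so a comment such as `# capabilities is shell syntax and is executed here; it must contain only assignments` belongs above it. do_initialize starts and ends outside the hunk.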
@@ -1085,6 +1085,7 @@ determine_capabilities() {
 LENGTH_MATCH=
 CLASSIFY_TARGET=
 ENHANCED_REJECT=
+ USEPKTTYPE=
 
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@@ -1154,6 +1155,7 @@ report_capabilities() {
 report_capability "CONNMARK Target" $CONNMARK
 report_capability "Connmark Match" $CONNMARK_MATCH
 report_capability "Raw Table" $RAW_TABLE
+ report_capability "IPP2P Match" $IPP2P_MATCH
 report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 report_capability "Extended REJECT" $ENHANCED_REJECT
 fi
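Review bot: The second hunk adds `report_capability "IPP2P Match" $IPP2P_MATCH` to report_capabilities, but the first hunk initialises only `USEPKTTYPE=` and nothing in the patch clears or detects `IPP2P_MATCH` in determine_capabilities; unless that happens in the part of the function outside the hunk, the report shows whatever value the environment happens to carry. If detection is not implemented yet, add `IPP2P_MATCH=` next to the new `USEPKTTYPE=` so the capability is reported consistently with the capabilities file, where it defaults to empty. Both functions start and end outside their hunks.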