Re-add 'check' -- delete trailing white space

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-02-27 22:28:06 +00:00
parent a9d201f4f6
commit 2894700fcf
4 changed files with 185 additions and 83 deletions


@ -51,3 +51,4 @@ Changes since 1.3.14
23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.


@ -94,7 +94,7 @@ error_message() # $* = Error Message
fatal_error() # $* = Error Message
{
echo " Error: $@" >&2
stop_firewall
[ $command = check ] || stop_firewall
exit 2
}
@ -668,6 +668,14 @@ validate_policy()
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains=
strip_file policy
@ -734,6 +742,7 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done
done
@ -743,6 +752,7 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done
fi
@ -752,10 +762,12 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done
else
eval ${chain}_policychain=${chain}
print_policy $client $server
fi
done < $TMP_DIR/policy
@ -903,6 +915,10 @@ stop_firewall() {
case $command in
stop|clear)
;;
check)
kill $$
exit 2
;;
*)
set +x
;;
@ -1622,6 +1638,66 @@ delete_tc()
done
}
#
# Check the configuration
#
check_config() {
disclaimer() {
echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
echo " WILL NOT BE ACCEPTED"
echo
}
disclaimer
echo "Verifying Configuration..."
verify_os_version
load_kernel_modules
echo "Determining Zones..."
determine_zones
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
display_list "Zones:" $zones
echo "Validating interfaces file..."
validate_interfaces_file
echo "Validating hosts file..."
validate_hosts_file
echo "Determining Hosts in Zones..."
determine_interfaces
determine_hosts
echo "Validating rules file..."
rules=`find_file rules`
strip_file rules $rules
process_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR
echo "Configuration Validated"
disclaimer
}
#
# Refresh queuing and classes
#
@ -1662,6 +1738,8 @@ refresh_tc() {
# Add a NAT rule - Helper function for the rules file processor
#
# The caller has established the following variables:
# command = The current command -- if 'check', we just go through
# the motions.
# cli = Source IP, interface or MAC Specification
# serv = Destination IP Specification
# servport = Port the server is listening on
@ -1728,32 +1806,34 @@ add_nat_rule() {
# Generate nat table rules
if [ "$source" = "$FW" ]; then
run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
$multiport $dports -j $target1
else
chain=`dnat_chain $source`
if [ $command != check ]; then
if [ "$source" = "$FW" ]; then
run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
$multiport $dports -j $target1
else
chain=`dnat_chain $source`
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule `dnat_chain $source` -j $chain
for z in $excludezones; do
eval hosts=\$${z}_hosts
for host in $hosts; do
for adr in $addr; do
addnatrule $chain $proto -s ${host#*:} \
$multiport $sports -d $adr $dports -j RETURN
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule `dnat_chain $source` -j $chain
for z in $excludezones; do
eval hosts=\$${z}_hosts
for host in $hosts; do
for adr in $addr; do
addnatrule $chain $proto -s ${host#*:} \
$multiport $sports -d $adr $dports -j RETURN
done
done
done
fi
for adr in $addr; do
addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi
for adr in $addr; do
addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi
# Replace destination port by the new destination port
@ -1770,14 +1850,14 @@ add_nat_rule() {
if [ -n "$snat" ]; then
if [ -n "$cli" ]; then
addnatrule `snat_chain $dest` $proto $cli $multiport \
[ $command = check ] || addnatrule `snat_chain $dest` $proto $cli $multiport \
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
addnatrule `snat_chain $dest` \
[ $command = check ] || addnatrule `snat_chain $dest` \
-s ${source_host#*:} $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat
done
@ -1789,6 +1869,8 @@ add_nat_rule() {
# Add one Filter Rule -- Helper function for the rules file processor
#
# The caller has established the following variables:
# check = current command. If 'check', we're executing a 'check'
# which only goes through the motions.
# client = SOURCE IP or MAC
# server = DESTINATION IP or interface
# protocol = Protocol
@ -1921,34 +2003,36 @@ add_a_rule()
fi
if [ -n "${serv}${servport}" ]; then
if [ $command != check ]; then
# A specific server or server port given
# A specific server or server port given
if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
fi
if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
fi
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
fi
fi
else
@ -1958,28 +2042,30 @@ add_a_rule()
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
if [ $command != check ]; then
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
fi
fi
fi
if [ $logtarget != LOG ]; then
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target
if [ $logtarget != LOG ]; then
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target
fi
fi
fi
}
#
# Process a record from the rules file
# Process a record from the rules file for the 'start', 'restart' or 'check' commands
#
process_rule() # $1 = target
# $2 = clients
@ -2098,7 +2184,7 @@ process_rule() # $1 = target
chain=${source}2${dest}
ensurechain $chain
[ $command = check ] || ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in
@ -2110,7 +2196,7 @@ process_rule() # $1 = target
;;
esac
else
ensurechain $chain
[ $command = check ] || ensurechain $chain
fi
# Generate Netfilter rule(s)
@ -2142,11 +2228,15 @@ process_rule() # $1 = target
done
fi
echo " Rule \"$rule\" added."
if [ $command = check ]; then
echo " Rule \"$rule\" checked."
else
echo " Rule \"$rule\" added."
fi
}
#
# Process the rules file
# Process the rules file for the 'start', 'restart' or 'check' command.
#
process_rules() # $1 = name of rules file
{
@ -4476,6 +4566,12 @@ case "$command" in
my_mutex_off
;;
check)
[ $# -ne 1 ] && usage
do_initialize
check_config
;;
add)
[ $# -ne 3 ] && usage
do_initialize
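Review bot: Under the new `check` command, add_a_rule never reaches add_nat_rule: the `if [ $command != check ]; then` wrapper added at the top of the `[ -n "${serv}${servport}" ]` branch encloses both add_nat_rule calls, so the check-mode guards this commit adds inside add_nat_rule (`[ $command != check ]` around the nat-table block and `[ $command = check ] ||` before the two SNAT addnatrule calls) are unreachable from this path, and DNAT/REDIRECT rules are reported as "checked." without the validation that function performs (including the "SNAT will occur on all connections" warning). If add_nat_rule is only called from here, the fix is to drop that wrapper and its matching `fi`, leave the two add_nat_rule calls unconditional, and guard only the rule emission with `if [ $command != check -a -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then`. The new header comment on add_a_rule also names the variable `check = current command` while the code tests `$command`; it should read `# command = current command. If 'check', we only go through the motions.`. add_a_rule's body begins before this hunk, so I cannot confirm there is no other caller.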


@ -2,30 +2,32 @@ This is a major release of Shorewall.
Function from 1.3 that has been omitted from this version includes:
1) The MERGE_HOSTS variable in shorewall.conf is no longer
1) The 'check' command is no longer supported.
2) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
2. Interface names of the form <device>:<integer> in
3) Interface names of the form <device>:<integer> in
/etc/shorewall/interfaces now generate an error.
3. Shorewall 1.4 implements behavior consistent with
4) Shorewall 1.4 implements behavior consistent with
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
at startup as will specification of the 'noping' or 'filterping'
interface options.
4. The 'routestopped' option in the /etc/shorewall/interfaces and
5) The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
6) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
6. The ALLOWRELATED variable in shorewall.conf is no longer
7) The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7. The 'multi' interface option is no longer supported. Shorewall will
8) The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
@ -41,31 +43,31 @@ Function from 1.3 that has been omitted from this version includes:
Changes for 1.4 include:
1. shorewall.conf has been completely reorganized into logical
1) shorewall.conf has been completely reorganized into logical
sections.
2. LOG is now a valid action for a rule (/etc/shorewall/rules).
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
3. The firewall script and version file are now installed in
3) The firewall script and version file are now installed in
/usr/share/shorewall.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7. 802.11b devices with names of the form wlan<n> now support the
7) 802.11b devices with names of the form wlan<n> now support the
'maclist' option.
8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility).
9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:


@ -60,6 +60,8 @@
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the
# standard one. If a timeout is supplied
@ -499,6 +501,7 @@ usage() # $1 = exit status
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
@ -639,7 +642,7 @@ case `echo -n "Testing"` in
esac
case "$1" in
start|stop|restart|reset|clear|refresh)
start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
exec $FIREWALL $debugging $nolock $1
;;
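Review bot: The new help text at the top of the file describes `check` as verifying the more heavily-used configuration files, while the firewall script re-added by this same commit prints a disclaimer that the command is totally unsupported and may miss errors; an operator reading only `shorewall help` could treat a clean `check` as evidence the ruleset is safe to load. Both the header comment and the `echo " check"` line in usage() should carry that caveat, e.g. `# shorewall check Best-effort syntax check of the main configuration files (unsupported; not a substitute for a test 'start')`. The dispatch arm only adds `check` to the existing `exec $FIREWALL $debugging $nolock $1` list, which is consistent with the sibling commands.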