holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Re-add 'check' -- delete trailing white space

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-27 22:28:06 +00:00
parent a9d201f4f6
commit 2894700fcf
4 changed files with 185 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/changelog.txt
View File

@ -51,3 +51,4 @@ Changes since 1.3.14
23. Add TCP ports 445 and 139 to the common silent list. 23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.

110
Shorewall/firewall
View File

@ -94,7 +94,7 @@ error_message() # $* = Error Message
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
{ {
echo " Error: $@" >&2 echo " Error: $@" >&2
stop_firewall [ $command = check ] || stop_firewall
exit 2 exit 2
} }
@ -668,6 +668,14 @@ validate_policy()
local loglevel local loglevel
local synparams local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
strip_file policy strip_file policy
@ -734,6 +742,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi fi
done done
done done
@ -743,6 +752,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi fi
done done
fi fi
@ -752,10 +762,12 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -903,6 +915,10 @@ stop_firewall() {
case $command in case $command in
stop|clear) stop|clear)
;; ;;
check)
kill $$
exit 2
;;
*) *)
set +x set +x
;; ;;
@ -1622,6 +1638,66 @@ delete_tc()
done done
} }
#
# Check the configuration
#
check_config() {
disclaimer() {
echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
echo " WILL NOT BE ACCEPTED"
echo
}
disclaimer
echo "Verifying Configuration..."
verify_os_version
load_kernel_modules
echo "Determining Zones..."
determine_zones
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
display_list "Zones:" $zones
echo "Validating interfaces file..."
validate_interfaces_file
echo "Validating hosts file..."
validate_hosts_file
echo "Determining Hosts in Zones..."
determine_interfaces
determine_hosts
echo "Validating rules file..."
rules=`find_file rules`
strip_file rules $rules
process_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR
echo "Configuration Validated"
disclaimer
}
# #
# Refresh queuing and classes # Refresh queuing and classes
# #
@ -1662,6 +1738,8 @@ refresh_tc() {
# Add a NAT rule - Helper function for the rules file processor # Add a NAT rule - Helper function for the rules file processor
# #
# The caller has established the following variables: # The caller has established the following variables:
# command = The current command -- if 'check', we just go through
# the motions.
# cli = Source IP, interface or MAC Specification # cli = Source IP, interface or MAC Specification
# serv = Destination IP Specification # serv = Destination IP Specification
# servport = Port the server is listening on # servport = Port the server is listening on
@ -1728,6 +1806,7 @@ add_nat_rule() {
# Generate nat table rules # Generate nat table rules
if [ $command != check ]; then
if [ "$source" = "$FW" ]; then if [ "$source" = "$FW" ]; then
run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \ run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
$multiport $dports -j $target1 $multiport $dports -j $target1
@ -1755,6 +1834,7 @@ add_nat_rule() {
-d $adr $multiport $dports -j $target1 -d $adr $multiport $dports -j $target1
done done
fi fi
fi
# Replace destination port by the new destination port # Replace destination port by the new destination port
@ -1770,14 +1850,14 @@ add_nat_rule() {
if [ -n "$snat" ]; then if [ -n "$snat" ]; then
if [ -n "$cli" ]; then if [ -n "$cli" ]; then
addnatrule `snat_chain $dest` $proto $cli $multiport \ [ $command = check ] || addnatrule `snat_chain $dest` $proto $cli $multiport \
$sports -d $serv $dports -j SNAT --to-source $snat $sports -d $serv $dports -j SNAT --to-source $snat
else else
for source_host in $source_hosts; do for source_host in $source_hosts; do
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \ [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
addnatrule `snat_chain $dest` \ [ $command = check ] || addnatrule `snat_chain $dest` \
-s ${source_host#*:} $proto $sports $multiport \ -s ${source_host#*:} $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat -d $serv $dports -j SNAT --to-source $snat
done done
@ -1789,6 +1869,8 @@ add_nat_rule() {
# Add one Filter Rule -- Helper function for the rules file processor # Add one Filter Rule -- Helper function for the rules file processor
# #
# The caller has established the following variables: # The caller has established the following variables:
# check = current command. If 'check', we're executing a 'check'
# which only goes through the motions.
# client = SOURCE IP or MAC # client = SOURCE IP or MAC
# server = DESTINATION IP or interface # server = DESTINATION IP or interface
# protocol = Protocol # protocol = Protocol
@ -1921,6 +2003,7 @@ add_a_rule()
fi fi
if [ -n "${serv}${servport}" ]; then if [ -n "${serv}${servport}" ]; then
if [ $command != check ]; then
# A specific server or server port given # A specific server or server port given
@ -1950,6 +2033,7 @@ add_a_rule()
run_iptables2 -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target $serv $dports -j $target
fi fi
fi
else else
# Destination is a simple zone # Destination is a simple zone
@ -1958,6 +2042,7 @@ add_a_rule()
"An ORIGINAL DESTINATION ($addr) is only allowed in" \ "An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\"" " a DNAT or REDIRECT: \"$rule\""
if [ $command != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
@ -1976,10 +2061,11 @@ add_a_rule()
$cli $sports $dports -j $target $cli $sports $dports -j $target
fi fi
fi fi
fi
} }
# #
# Process a record from the rules file # Process a record from the rules file for the 'start', 'restart' or 'check' commands
# #
process_rule() # $1 = target process_rule() # $1 = target
# $2 = clients # $2 = clients
@ -2098,7 +2184,7 @@ process_rule() # $1 = target
chain=${source}2${dest} chain=${source}2${dest}
ensurechain $chain [ $command = check ] || ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in case $logtarget in
@ -2110,7 +2196,7 @@ process_rule() # $1 = target
;; ;;
esac esac
else else
ensurechain $chain [ $command = check ] || ensurechain $chain
fi fi
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
@ -2142,11 +2228,15 @@ process_rule() # $1 = target
done done
fi fi
if [ $command = check ]; then
echo " Rule \"$rule\" checked."
else
echo " Rule \"$rule\" added." echo " Rule \"$rule\" added."
fi
} }
# #
# Process the rules file # Process the rules file for the 'start', 'restart' or 'check' command.
# #
process_rules() # $1 = name of rules file process_rules() # $1 = name of rules file
{ {
@ -4476,6 +4566,12 @@ case "$command" in
my_mutex_off my_mutex_off
;; ;;
check)
[ $# -ne 1 ] && usage
do_initialize
check_config
;;
add) add)
[ $# -ne 3 ] && usage [ $# -ne 3 ] && usage
do_initialize do_initialize

32
Shorewall/releasenotes.txt
View File

@ -2,30 +2,32 @@ This is a major release of Shorewall.
Function from 1.3 that has been omitted from this version includes: Function from 1.3 that has been omitted from this version includes:
1) The MERGE_HOSTS variable in shorewall.conf is no longer 1) The 'check' command is no longer supported.
2) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes. MERGE_HOSTS=Yes.
2. Interface names of the form <device>:<integer> in 3) Interface names of the form <device>:<integer> in
/etc/shorewall/interfaces now generate an error. /etc/shorewall/interfaces now generate an error.
3. Shorewall 1.4 implements behavior consistent with 4) Shorewall 1.4 implements behavior consistent with
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
at startup as will specification of the 'noping' or 'filterping' at startup as will specification of the 'noping' or 'filterping'
interface options. interface options.
4. The 'routestopped' option in the /etc/shorewall/interfaces and 5) The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified. an error at startup if specified.
5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer 6) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted. accepted.
6. The ALLOWRELATED variable in shorewall.conf is no longer 7) The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes. ALLOWRELATED=Yes.
7. The 'multi' interface option is no longer supported. Shorewall will 8) The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface generate rules for sending packets back out the same interface
that they arrived on in two cases: that they arrived on in two cases:
@ -41,31 +43,31 @@ Function from 1.3 that has been omitted from this version includes:
Changes for 1.4 include: Changes for 1.4 include:
1. shorewall.conf has been completely reorganized into logical 1) shorewall.conf has been completely reorganized into logical
sections. sections.
2. LOG is now a valid action for a rule (/etc/shorewall/rules). 2) LOG is now a valid action for a rule (/etc/shorewall/rules).
3. The firewall script and version file are now installed in 3) The firewall script and version file are now installed in
/usr/share/shorewall. /usr/share/shorewall.
4. Late arriving DNS replies are now silently dropped in the common 4. Late arriving DNS replies are now silently dropped in the common
chain by default. chain by default.
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no 5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or to 'ping' from the firewall, you will need the appropriate rule or
policy. policy.
6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules). 6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7. 802.11b devices with names of the form wlan<n> now support the 7) 802.11b devices with names of the form wlan<n> now support the
'maclist' option. 'maclist' option.
8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip' 8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility). utility).
9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned 9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility: file. To use this facility:

5
Shorewall/shorewall
View File

@ -60,6 +60,8 @@
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers # shorewall show classifiers Display classifiers
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if # shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the # it doesn't work, revert to the
# standard one. If a timeout is supplied # standard one. If a timeout is supplied
@ -499,6 +501,7 @@ usage() # $1 = exit status
echo " hits" echo " hits"
echo " monitor [<refresh interval>]" echo " monitor [<refresh interval>]"
echo " version" echo " version"
echo " check"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " drop <address> ..." echo " drop <address> ..."
@ -639,7 +642,7 @@ case `echo -n "Testing"` in
esac esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $FIREWALL $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;