Re-add 'check' -- delete trailing white space

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -51,3 +51,4 @@ Changes since 1.3.14
 
 23. Add TCP ports 445 and 139 to the common silent list.
 
+24. Remove 'check' command support.

Shorewall/firewall

@@ -94,7 +94,7 @@ error_message() # $* = Error Message
 fatal_error() # $* = Error Message
 {
     echo "   Error: $@" >&2
-    stop_firewall
+    [ $command = check ] || stop_firewall
     exit 2
 }
 
@@ -668,6 +668,14 @@ validate_policy()
     local loglevel
     local synparams
 
+    print_policy() # $1 = source zone, $2 = destination zone
+    {
+	[ $command != check ] || \
+	    [ $1 = all ] || \
+	    [ $2 = all ] || \
+	    echo "   Policy for $1 to $2 is $policy"
+    }
+
     all_policy_chains=
 
     strip_file policy
@@ -734,6 +742,7 @@ validate_policy()
 
 			if [ -z "$pc" ]; then
 			    eval ${zone}2${zone1}_policychain=$chain
+			    print_policy $zone $zone1
 			fi
 		    done
 		done
@@ -743,6 +752,7 @@ validate_policy()
 
 		    if [ -z "$pc" ]; then
 			eval ${zone}2${server}_policychain=$chain
+			print_policy $zone $server
 		    fi
 		done
 	    fi
@@ -752,10 +762,12 @@ validate_policy()
 
 		    if [ -z "$pc" ]; then
 			eval ${client}2${zone}_policychain=$chain
+			print_policy $client $zone
 		    fi
 	    done
 	else
 	    eval ${chain}_policychain=${chain}
+	    print_policy $client $server
 	fi
 
     done < $TMP_DIR/policy
@@ -903,6 +915,10 @@ stop_firewall() {
     case $command in
 	stop|clear)
 	    ;;
+	check)
+	    kill $$
+	    exit 2
+	    ;;
 	*)
 	    set +x
 	    ;;
@@ -1622,6 +1638,66 @@ delete_tc()
     done
 }
 
+#
+# Check the configuration
+#
+check_config() {
+
+    disclaimer() {
+	echo
+	echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
+	echo "         REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
+	echo "         WILL NOT BE ACCEPTED"
+	echo
+    }
+
+    disclaimer
+    
+    echo "Verifying Configuration..."
+
+    verify_os_version
+	
+    load_kernel_modules
+    
+    echo "Determining Zones..."
+	
+    determine_zones
+	
+    [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+	
+    display_list "Zones:" $zones
+	
+    echo "Validating interfaces file..."
+	
+    validate_interfaces_file
+	
+    echo "Validating hosts file..."
+	
+    validate_hosts_file
+		
+    echo "Determining Hosts in Zones..."
+
+    determine_interfaces
+    determine_hosts
+
+    echo "Validating rules file..."
+
+    rules=`find_file rules`
+    strip_file rules $rules
+    process_rules
+	
+    echo "Validating policy file..."
+	
+    validate_policy	
+	
+    rm -rf $TMP_DIR
+
+    echo "Configuration Validated"
+
+    disclaimer
+
+}
+
 #
 # Refresh queuing and classes
 #
@@ -1662,6 +1738,8 @@ refresh_tc() {
 # Add a NAT rule - Helper function for the rules file processor
 #
 # The caller has established the following variables:
+#    command        = The current command -- if 'check', we just go through
+#                     the motions.
 #    cli	    = Source IP, interface or MAC Specification
 #    serv	    = Destination IP Specification
 #    servport	    = Port the server is listening on
@@ -1728,32 +1806,34 @@ add_nat_rule() {
 
     # Generate nat table rules
 
-    if [ "$source" = "$FW" ]; then
+    if [ $command != check ]; then
-	run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
+	if [ "$source" = "$FW" ]; then
-	    $multiport $dports -j $target1
+	    run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
-    else
+		$multiport $dports -j $target1
-	chain=`dnat_chain $source`
+	else
+	    chain=`dnat_chain $source`
 
-	if [ -n "$excludezones" ]; then
+	    if [ -n "$excludezones" ]; then
-	    chain=nonat${nonat_seq}
+		chain=nonat${nonat_seq}
-	    nonat_seq=$(($nonat_seq + 1))
+		nonat_seq=$(($nonat_seq + 1))
-	    createnatchain $chain
+		createnatchain $chain
-	    addnatrule `dnat_chain $source` -j $chain
+		addnatrule `dnat_chain $source` -j $chain
-	    for z in $excludezones; do
+		for z in $excludezones; do
-		eval hosts=\$${z}_hosts
+		    eval hosts=\$${z}_hosts
-		for host in $hosts; do
+		    for host in $hosts; do
-		    for adr in $addr; do
+			for adr in $addr; do
-			addnatrule $chain $proto -s ${host#*:} \
+			    addnatrule $chain $proto -s ${host#*:} \
-			    $multiport $sports -d $adr $dports -j RETURN
+				$multiport $sports -d $adr $dports -j RETURN
+			done
 		    done
 		done
+	    fi
+
+	    for adr in $addr; do
+		addnatrule $chain $proto $cli $sports \
+		    -d $adr $multiport $dports -j $target1
 	    done
 	fi
-
-	for adr in $addr; do
-	    addnatrule $chain $proto $cli $sports \
-		-d $adr $multiport $dports -j $target1
-	done
     fi
 
     # Replace destination port by the new destination port
@@ -1770,14 +1850,14 @@ add_nat_rule() {
 
     if [ -n "$snat" ]; then
 	if [ -n "$cli" ]; then
-	    addnatrule `snat_chain $dest` $proto $cli $multiport \
+	    [ $command = check ] || addnatrule `snat_chain $dest` $proto $cli $multiport \
 		$sports -d $serv $dports -j SNAT --to-source $snat
 	else
 	    for source_host in $source_hosts; do
 		[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
 		    error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
 
-		addnatrule `snat_chain $dest` \
+		[ $command = check ] || addnatrule `snat_chain $dest` \
 		    -s ${source_host#*:} $proto $sports $multiport \
 		    -d $serv $dports -j SNAT --to-source $snat
 	    done
@@ -1789,6 +1869,8 @@ add_nat_rule() {
 # Add one Filter Rule -- Helper function for the rules file processor
 #
 # The caller has established the following variables:
+#    check       = current command. If 'check', we're executing a 'check'
+#                  which only goes through the motions.
 #    client	 = SOURCE IP or MAC
 #    server	 = DESTINATION IP or interface
 #    protocol	 = Protocol
@@ -1921,34 +2003,36 @@ add_a_rule()
     fi
 
     if [ -n "${serv}${servport}" ]; then
+	if [ $command != check ]; then
 
-	# A specific server or server port given
+	    # A specific server or server port given
 
-	if [ -n "$addr" -a "$addr" != "$serv" ]; then
+	    if [ -n "$addr" -a "$addr" != "$serv" ]; then
-	    add_nat_rule
+		add_nat_rule
-	elif [ -n "$servport" -a "$servport" != "$port" ]; then
+	    elif [ -n "$servport" -a "$servport" != "$port" ]; then
-	    add_nat_rule
+		add_nat_rule
-	fi
-
-	if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
-	    serv="${serv:+-d $serv}"
-
-	    if [ -n "$loglevel" ]; then
-		if [ "$loglevel" = ULOG ]; then
-		    run_iptables2 -A $chain $proto $multiport \
-			$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
-			--ulog-prefix "Shorewall:$chain:$logtarget:"
-		else
-		    run_iptables2 -A $chain $proto $multiport \
-			$state $cli $sports $serv $dports -j LOG $LOGPARMS \
-			--log-prefix "Shorewall:$chain:$logtarget:" \
-			--log-level $loglevel
-		fi
 	    fi
 	    
+	    if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
+		serv="${serv:+-d $serv}"
 		
-	    run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+		if [ -n "$loglevel" ]; then
-		$serv $dports -j $target
+		    if [ "$loglevel" = ULOG ]; then
+			run_iptables2 -A $chain $proto $multiport \
+			    $state $cli $sports $serv $dports -j ULOG $LOGPARMS \
+			    --ulog-prefix "Shorewall:$chain:$logtarget:"
+		    else
+			run_iptables2 -A $chain $proto $multiport \
+			    $state $cli $sports $serv $dports -j LOG $LOGPARMS \
+			    --log-prefix "Shorewall:$chain:$logtarget:" \
+			    --log-level $loglevel
+		    fi
+		fi
+		
+
+		run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+		    $serv $dports -j $target
+	    fi
 	fi
     else
 
@@ -1958,28 +2042,30 @@ add_a_rule()
 	    "An ORIGINAL DESTINATION ($addr) is only allowed in" \
 	    " a DNAT or REDIRECT: \"$rule\""
 
-	if [ -n "$loglevel" ]; then
+	if [ $command != check ]; then
-	    if [ "$loglevel" = ULOG ]; then
+	    if [ -n "$loglevel" ]; then
-		run_iptables2 -A $chain $proto $multiport \
+		if [ "$loglevel" = ULOG ]; then
-		    $dest_interface $state $cli $sports $dports -j ULOG \
+		    run_iptables2 -A $chain $proto $multiport \
-		    $LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
+			$dest_interface $state $cli $sports $dports -j ULOG \
-	    else
+			$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
-		run_iptables2 -A $chain $proto $multiport \
+		else
-		    $dest_interface $state $cli $sports $dports -j LOG \
+		    run_iptables2 -A $chain $proto $multiport \
-		    $LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
+			$dest_interface $state $cli $sports $dports -j LOG \
-		    --log-level $loglevel
+			$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
+			--log-level $loglevel
+		fi
 	    fi
-	fi
 
-	if [ $logtarget != LOG ]; then
+	    if [ $logtarget != LOG ]; then
-	    run_iptables2 -A $chain $proto $multiport $dest_interface $state \
+		run_iptables2 -A $chain $proto $multiport $dest_interface $state \
-		$cli $sports $dports -j $target
+		    $cli $sports $dports -j $target
+	    fi
 	fi
     fi
 }
 
 #
-# Process a record from the rules file
+# Process a record from the rules file for the 'start', 'restart' or 'check' commands
 #
 process_rule() # $1 = target
                # $2 = clients
@@ -2098,7 +2184,7 @@ process_rule() # $1 = target
 
     chain=${source}2${dest}
 
-    ensurechain $chain
+    [ $command = check ] || ensurechain $chain
 
     if [ "x$chain" = x${FW}2${FW} ]; then
 	case $logtarget in
@@ -2110,7 +2196,7 @@ process_rule() # $1 = target
 		;;
 	esac
     else
-	ensurechain $chain
+	[ $command = check ] || ensurechain $chain
     fi
 
     # Generate Netfilter rule(s)
@@ -2142,11 +2228,15 @@ process_rule() # $1 = target
 	done
     fi
 
-    echo "   Rule \"$rule\" added."
+    if [ $command = check ]; then
+	echo "   Rule \"$rule\" checked."
+    else
+	echo "   Rule \"$rule\" added."
+    fi
 }
 
 #
-# Process the rules file
+# Process the rules file for the 'start', 'restart' or 'check' command.
 #
 process_rules() # $1 = name of rules file
 {
@@ -4476,6 +4566,12 @@ case "$command" in
 	my_mutex_off
 	;;
 
+    check)
+	[ $# -ne 1 ] && usage
+	do_initialize
+	check_config
+	;;
+    
     add)
 	[ $# -ne 3 ] && usage
 	do_initialize

Shorewall/releasenotes.txt

@@ -2,30 +2,32 @@ This is a major release of Shorewall.
 
 Function from 1.3 that has been omitted from this version includes:
 
-1) The MERGE_HOSTS variable in shorewall.conf is no longer
+1) The 'check' command is no longer supported.
+
+2) The MERGE_HOSTS variable in shorewall.conf is no longer
    supported. Shorewall 1.4 behavior is the same as 1.3 with
    MERGE_HOSTS=Yes.
 
-2. Interface names of the form <device>:<integer> in
+3) Interface names of the form <device>:<integer> in
    /etc/shorewall/interfaces now generate an error.
 
-3. Shorewall 1.4 implements behavior consistent with
+4) Shorewall 1.4 implements behavior consistent with
    OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
    at startup as will specification of the 'noping' or 'filterping'
    interface options.
 
-4. The 'routestopped' option in the /etc/shorewall/interfaces and
+5) The 'routestopped' option in the /etc/shorewall/interfaces and
    /etc/shorewall/hosts files is no longer supported and will generate
    an error at startup if specified.
 
-5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
+6) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
    accepted.
 
-6. The ALLOWRELATED variable in shorewall.conf is no longer
+7) The ALLOWRELATED variable in shorewall.conf is no longer
    supported. Shorewall 1.4 behavior is the same as 1.3 with
    ALLOWRELATED=Yes.
 
-7. The 'multi' interface option is no longer supported. Shorewall will
+8) The 'multi' interface option is no longer supported. Shorewall will
    generate rules for sending packets back out the same interface
    that they arrived on in two cases:
 
@@ -41,31 +43,31 @@ Function from 1.3 that has been omitted from this version includes:
 
 Changes for 1.4 include:
 
-1. shorewall.conf has been completely reorganized into logical
+1) shorewall.conf has been completely reorganized into logical
    sections.
 
-2. LOG is now a valid action for a rule (/etc/shorewall/rules).
+2) LOG is now a valid action for a rule (/etc/shorewall/rules).
 
-3. The firewall script and version file are now installed in
+3) The firewall script and version file are now installed in
    /usr/share/shorewall.
 
 4. Late arriving DNS replies are now silently dropped in the common
    chain by default.
 
-5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
+5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
    longer unconditionally accepts outbound ICMP packets. So if you want
    to 'ping' from the firewall, you will need the appropriate rule or
    policy.
 
-6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
 
-7. 802.11b devices with names of the form wlan<n> now support the
+7) 802.11b devices with names of the form wlan<n> now support the
    'maclist' option.
 
-8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
+8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
    utility).
 
-9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned
+9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
    off on a host or network basis using the new /etc/shorewall/ecn
    file. To use this facility:
 

Shorewall/shorewall

@@ -60,6 +60,8 @@
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #	   shorewall version			   Display the installed version id
+#	   shorewall check			   Verify the more heavily-used
+#						   configuration files.
 #	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
 #						   it doesn't work, revert to the
 #						   standard one. If a timeout is supplied
@@ -499,6 +501,7 @@ usage() # $1 = exit status
     echo "   hits"
     echo "   monitor [<refresh interval>]"
     echo "   version"
+    echo "   check"
     echo "   try <directory> [ <timeout> ]"
     echo "   logwatch [<refresh interval>]"
     echo "   drop <address> ..."
@@ -639,7 +642,7 @@ case `echo -n "Testing"` in
 esac
 
 case "$1" in
-    start|stop|restart|reset|clear|refresh)
+    start|stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
 	exec $FIREWALL $debugging $nolock $1
 	;;