holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add proper indentation for -p

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3310 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-17 21:34:18 +00:00
parent 4bebbdad3b
commit 2b96059e7d
1 changed files with 168 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

318
Shorewall/firewall
View File

@ -97,7 +97,7 @@ report () { # $* = message
# #
save_command() save_command()
{ {
echo "$@" >> $RESTOREBASE echo "${INDENT}${@}" >> $RESTOREBASE
} }
# #
@ -106,13 +106,13 @@ save_command()
save_progress_message() save_progress_message()
{ {
echo >> $RESTOREBASE echo >> $RESTOREBASE
echo "progress_message \"$@\"" >> $RESTOREBASE echo "${INDENT}progress_message \"$@\"" >> $RESTOREBASE
echo >> $RESTOREBASE echo >> $RESTOREBASE
} }
save_progress_message_short() save_progress_message_short()
{ {
echo "progress_message \"$@\"" >> $RESTOREBASE echo "${INDENT}progress_message \"$@\"" >> $RESTOREBASE
} }
# #
@ -1113,15 +1113,15 @@ validate_interfaces_file() {
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) ${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
if [ -n "\$addr" ]; then ${INDENT}if [ -n "\$addr" ]; then
addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//') ${INDENT} addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do ${INDENT} for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
if in_network \$addr \$network; then ${INDENT} if in_network \$addr \$network; then
fatal_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface" ${INDENT} fatal_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface"
fi ${INDENT} fi
done ${INDENT} done
fi ${INDENT}fi
__EOF__ __EOF__
else else
@ -1189,15 +1189,15 @@ setup_providers()
copy_table() { copy_table() {
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
case \$net in ${INDENT} case \$net in
default|nexthop) ${INDENT} default|nexthop)
;; ${INDENT} ;;
*) ${INDENT} *)
run_ip route add table $number \$net \$route" ${INDENT} run_ip route add table $number \$net \$route"
;; ${INDENT} ;;
esac ${INDENT} esac
done ${INDENT} done
__EOF__ __EOF__
else else
run_ip route show table $duplicate | while read net route; do run_ip route show table $duplicate | while read net route; do
@ -1215,19 +1215,19 @@ __EOF__
copy_and_edit_table() { copy_and_edit_table() {
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
case \$net in ${INDENT} case \$net in
default|nexthop) ${INDENT} default|nexthop)
;; ${INDENT} ;;
*) ${INDENT} *)
case \$(find_device \$route) in ${INDENT} case \$(find_device \$route) in
`echo $copy\) | sed 's/ /|/g'` ${INDENT} `echo $copy\) | sed 's/ /|/g'`
run_ip route add table $number \$net \$route ${INDENT} run_ip route add table $number \$net \$route
;; ${INDENT} ;;
esac ${INDENT} esac
;; ${INDENT} ;;
esac ${INDENT} esac
done ${INDENT} done
__EOF__ __EOF__
else else
@ -1284,14 +1284,14 @@ __EOF__
if [ "x$gateway" = xdetect ] ; then if [ "x$gateway" = xdetect ] ; then
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
gateway=\$(detect_gateway $interface) ${INDENT} gateway=\$(detect_gateway $interface)
if [ -n "\$gateway" ]; then ${INDENT} if [ -n "\$gateway" ]; then
run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number ${INDENT} run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
run_ip route add default via \$gateway dev $interface table $number ${INDENT} run_ip route add default via \$gateway dev $interface table $number
else ${INDENT} else
fatal_error "Unable to detect the gateway through interface $interface" ${INDENT} fatal_error "Unable to detect the gateway through interface $interface"
fi ${INDENT} fi
__EOF__ __EOF__
else else
@ -1376,22 +1376,22 @@ __EOF__
if [ -z "$loose" ]; then if [ -z "$loose" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
rulenum=0 ${INDENT} rulenum=0
find_interface_addresses $interface | while read address; do ${INDENT} find_interface_addresses $interface | while read address; do
qt ip rule del from \$address ${INDENT} qt ip rule del from \$address
pref=\$((20000 + \$rulenum * 1000 + $number )) ${INDENT} pref=\$((20000 + \$rulenum * 1000 + $number ))
rulenum=\$((\$rulenum + 1)) ${INDENT} rulenum=\$((\$rulenum + 1))
run_ip rule add from \$address pref \$pref table $number ${INDENT} run_ip rule add from \$address pref \$pref table $number
done ${INDENT} done
__EOF__ __EOF__
else else
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
find_interface_addresses $interface | while read address; do ${INDENT} find_interface_addresses $interface | while read address; do
qt ip rule del from \$address ${INDENT} qt ip rule del from \$address
done ${INDENT} done
__EOF__ __EOF__
fi fi
@ -2654,11 +2654,11 @@ setup_proxy_arp() {
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
if ! arp -i $external -Ds $address $external pub; then ${INDENT}if ! arp -i $external -Ds $address $external pub; then
fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed" ${INDENT} fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed"
fi ${INDENT}fi
progress_message " Host $address connected to $interface added to ARP on $external" ${INDENT}progress_message " Host $address connected to $interface added to ARP on $external"
__EOF__ __EOF__
echo $address $interface $external $haveroute >> $STATEDIR/proxyarp echo $address $interface $external $haveroute >> $STATEDIR/proxyarp
@ -2844,17 +2844,17 @@ setup_mac_lists() {
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
blob=\$(ip link show $interface 2> /dev/null) ${INDENT}blob=\$(ip link show $interface 2> /dev/null)
[ -z "\$blob" ] && \ ${INDENT}[ -z "\$blob" ] && \
fatal_error "Interface $interface must be up before Shorewall can start" ${INDENT} fatal_error "Interface $interface must be up before Shorewall can start"
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=\${address%/*} ${INDENT} address=\${address%/*}
if [ -n "\$broadcast" ]; then ${INDENT} if [ -n "\$broadcast" ]; then
run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN ${INDENT} run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
fi ${INDENT} fi
done ${INDENT}done
__EOF__ __EOF__
else else
@ -2962,10 +2962,10 @@ delete_proxy_arp() {
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do ${INDENT}for f in /proc/sys/net/ipv4/conf/*; do
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp ${INDENT} [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
done ${INDENT}done
${INDENT}
__EOF__ __EOF__
else else
for f in /proc/sys/net/ipv4/conf/*; do for f in /proc/sys/net/ipv4/conf/*; do
@ -3066,13 +3066,13 @@ delete_nat() {
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
if [ -f /var/lib/shorewall/nat ]; then ${INDENT}if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do ${INDENT} while read external interface; do
qt ip addr del \$external dev \$interface ${INDENT} qt ip addr del \$external dev \$interface
done < /var/lib/shorewall/nat ${INDENT} done < /var/lib/shorewall/nat
${INDENT}
rm -f {/var/lib/shorewall}/nat ${INDENT} rm -f {/var/lib/shorewall}/nat
fi ${INDENT}fi
__EOF__ __EOF__
else else
@ -3805,16 +3805,16 @@ delete_tc()
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip link list | while read inx interface details; do ${INDENT}ip link list | while read inx interface details; do
case \$inx in ${INDENT} case \$inx in
[0-9]*) ${INDENT} [0-9]*)
qt tc qdisc del dev \${interface%:} root ${INDENT} qt tc qdisc del dev \${interface%:} root
qt tc qdisc del dev \${interface%:} ingress ${INDENT} qt tc qdisc del dev \${interface%:} ingress
;; ${INDENT} ;;
*) ${INDENT} *)
;; ${INDENT} ;;
esac ${INDENT} esac
done ${INDENT}done
__EOF__ __EOF__
else else
run_ip link list | \ run_ip link list | \
@ -5171,7 +5171,7 @@ process_actions3() {
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
case $xlevel in case $xlevel in
none*) none*)
@ -5179,14 +5179,14 @@ __EOF__
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address ${INDENT} log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
__EOF__ __EOF__
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -A $xchain -d \$address -j DROP ${INDENT} run_iptables -A $xchain -d \$address -j DROP
done ${INDENT}done
__EOF__ __EOF__
done done
@ -5226,7 +5226,7 @@ __EOF__
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
case $xlevel in case $xlevel in
none*) none*)
@ -5234,14 +5234,14 @@ __EOF__
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address ${INDENT} log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
__EOF__ __EOF__
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -A $xchain -d \$address -j ${INDENT} run_iptables -A $xchain -d \$address -j
done ${INDENT}done
__EOF__ __EOF__
done done
@ -5478,7 +5478,7 @@ add_nat_rule() {
savecomment "addr=" savecomment "addr="
for interface in $interfaces; do for interface in $interfaces; do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
addr="\$addr \$(find_first_interface_address $interface)" ${INDENT}addr="\$addr \$(find_first_interface_address $interface)"
__EOF__ __EOF__
done done
fi fi
@ -5559,8 +5559,8 @@ __EOF__
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
for adr in \$addr; do ${INDENT}for adr in \$addr; do
run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain ${INDENT} run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain
__EOF__ __EOF__
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
@ -5588,16 +5588,16 @@ __EOF__
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
for adr in \$addr; do ${INDENT}for adr in \$addr; do
__EOF__ __EOF__
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr ${INDENT} log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1 ${INDENT} run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1
__EOF__ __EOF__
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
@ -5912,8 +5912,8 @@ process_rule() # $1 = target
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
if [ "$addr" = detect ]; then if [ "$addr" = detect ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target ${INDENT} run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
done ${INDENT}done
__EOF__ __EOF__
else else
@ -7337,13 +7337,13 @@ setup_masq()
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" ${INDENT}[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do ${INDENT}for network in \$networks; do
run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain ${INDENT} run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain
done ${INDENT}done
__EOF__ __EOF__
else else
@ -7375,20 +7375,20 @@ __EOF__
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" ${INDENT}[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do ${INDENT}for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain ${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain
__EOF__ __EOF__
done done
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
done ${INDENT}done
__EOF__ __EOF__
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
@ -7460,15 +7460,15 @@ __EOF__
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks="\$(get_routed_networks $detectinterface)" ${INDENT}networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" ${INDENT}[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do ${INDENT}for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist ${INDENT} run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
__EOF__ __EOF__
done done
@ -7479,8 +7479,8 @@ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
progress_message "$message" ${INDENT} progress_message "$message"
done ${INDENT}done
__EOF__ __EOF__
@ -7982,9 +7982,9 @@ add_common_rules() {
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
run_iptables -A reject -d \$address -j DROP ${INDENT} run_iptables -A reject -d \$address -j DROP
done ${INDENT}done
__EOF__ __EOF__
done done
@ -8001,15 +8001,15 @@ __EOF__
for interface in $(find_bcastdetect_interfaces); do for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
[ -n "$SMURF_LOG_LEVEL" ] && \ [ -n "$SMURF_LOG_LEVEL" ] && \
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address ${INDENT} log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address
__EOF__ __EOF__
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_iptables -A smurfs -s \$address -j DROP ${INDENT} run_iptables -A smurfs -s \$address -j DROP
done ${INDENT}done
__EOF__ __EOF__
done done
@ -8919,17 +8919,8 @@ define_firewall() # $1 = Command (Start or Restart)
# from that script are available here # from that script are available here
# #
compile_stop_firewall() { compile_stop_firewall() {
local IPTABLES_COMMAND="$IPTABLES"
run_iptables() { local INDENT=" "
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
save_command " $IPTABLES $@"
}
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
@ -9035,12 +9026,11 @@ stop_firewall() {
for f in /proc/sys/net/ipv4/conf/*; do for f in /proc/sys/net/ipv4/conf/*; do
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
done done
fi
__EOF__ __EOF__
[ -n "$CLEAR_TC" ] && save_command " delete_tc1" [ -n "$CLEAR_TC" ] && save_command "delete_tc1"
[ -n "$DISABLE_IPV6" ] && save_command " disable_ipv6" [ -n "$DISABLE_IPV6" ] && save_command "disable_ipv6"
process_criticalhosts process_criticalhosts
@ -9124,7 +9114,8 @@ __EOF__
process_routestopped -A process_routestopped -A
$IPTABLES -A INPUT -i lo -j ACCEPT save_command "$IPTABLES -A INPUT -i lo -j ACCEPT"
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT" save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
@ -9138,18 +9129,21 @@ __EOF__
save_command "$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT" save_command "$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"
done done
save_command
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
save_command " echo 1 > /proc/sys/net/ipv4/ip_forward" save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
save_command " progress_message2 IP Forwarding Enabled" save_command "progress_message2 IP Forwarding Enabled"
;; ;;
[Oo][Ff][Ff]) [Oo][Ff][Ff])
save_command " echo 0 > /proc/sys/net/ipv4/ip_forward" save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
save_command " progress_message2 IP Forwarding Disabled!" save_command "progress_message2 IP Forwarding Disabled!"
;; ;;
esac esac
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
run_user_exit stopped run_user_exit stopped
set_state "Stopped" set_state "Stopped"
@ -9177,18 +9171,21 @@ __EOF__
# #
compile_firewall() # $1 = File Name compile_firewall() # $1 = File Name
{ {
local IPTABLES_COMMAND=run_iptables
local INDENT=""
outfile=$1 dir=$(dirname $1) outfile=$1 dir=$(dirname $1)
# #
# We overload a number of functions when compiling. # We overload a number of functions when compiling.
# #
ensure_and_save_command() ensure_and_save_command()
{ {
echo $@ >> $RESTOREBASE echo "${INDENT}${@} >> $RESTOREBASE"
} }
run_and_save_command() run_and_save_command()
{ {
echo "$@" >> $RESTOREBASE echo "${INDENT}${@}" >> $RESTOREBASE
} }
do_iptables() { do_iptables() {
@ -9233,7 +9230,7 @@ compile_firewall() # $1 = File Name
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
save_command run_iptables $@ save_command "$IPTABLES_COMMAND $@"
} }
@ -9284,6 +9281,7 @@ compile_firewall() # $1 = File Name
[ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
#! $SHOREWALL_SHELL
# #
# Compiled startup file generated by Shorewall $VERSION - $(date)" # Compiled startup file generated by Shorewall $VERSION - $(date)"
# #
@ -9347,7 +9345,7 @@ __EOF__
# #
# These variables are required by the library functions called in this script # These variables are required by the library functions called in this script
# #
COMMAND=restore [ -n \${COMMAND:=restart} ];
[ -n \${QUIET:=0} ] [ -n \${QUIET:=0} ]
MODULESDIR="$MODULESDIR" MODULESDIR="$MODULESDIR"
MODULE_SUFFIX="$MODULE_SUFFIX" MODULE_SUFFIX="$MODULE_SUFFIX"
@ -9361,17 +9359,23 @@ STOPPING=
__EOF__ __EOF__
if [ -z "$EXPORT" ]; then if [ -n "$PROGRAM" ]; then
save_command "define_firewall() {"
INDENT=" "
fi
if [ -z "$EXPORT" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then ${INDENT}if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
error_message "ERROR: This script requires Shorewall version $VERSION" ${INDENT} error_message "ERROR: This script requires Shorewall version $VERSION"
exit 2 ${INDENT} exit 2
fi ${INDENT}fi
__EOF__ __EOF__
fi fi
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
load_kernel_modules ${INDENT}load_kernel_modules
__EOF__ __EOF__
@ -9471,6 +9475,12 @@ __EOF__
run_user_exit started run_user_exit started
if [ -n "$PROGRAM" ]; then
INDENT=
save_command "}"
save_command ""
fi
mv -f $RESTOREBASE $outfile mv -f $RESTOREBASE $outfile
chmod 700 $outfile chmod 700 $outfile