From 3d81581c01f2f0802d91f06b4ce9b933c1fa73c4 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 8 Aug 2006 23:03:06 +0000 Subject: [PATCH] Bring 3.2.2 Changes forward git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 106 ++++++++++++++++++++++++++------------- Shorewall/fallback.sh | 2 +- Shorewall/functions | 56 +++++++++++++++++---- Shorewall/help | 19 ++++--- Shorewall/install.sh | 18 +++++-- Shorewall/providers | 5 ++ Shorewall/shorewall | 100 +++++++++++++++++++++++++----------- Shorewall/shorewall.conf | 8 +++ Shorewall/shorewall.spec | 6 ++- Shorewall/uninstall.sh | 2 +- 10 files changed, 234 insertions(+), 88 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 2596f2b12..09ba8e81b 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -1076,7 +1076,7 @@ __EOF__ # setup_providers() { - local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes + local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes save_indent1= copy_table() { indent >&3 << __EOF__ @@ -1115,6 +1115,7 @@ __EOF__ { balance=yes + save_command if [ -n "$first" ]; then if [ -n "$gateway" ] ; then save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\"" @@ -1133,7 +1134,7 @@ __EOF__ } add_a_provider() { - local t n iface option + local t n iface option optional= [ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables" 
@@ -1158,6 +1159,14 @@ __EOF__ # Add Provider $table ($number) # __EOF__ + save_command "if [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then" + save_indent1="$INDENT" + INDENT="$INDENT " + + iface=$(chain_base $interface) + + save_command "${iface}_up=Yes" + save_command "qt ip route flush table $number" if [ "x${duplicate:=-}" != x- ]; then @@ -1222,7 +1231,6 @@ __EOF__ track) list_search $interface $ROUTEMARK_INTERFACES && \ fatal_error "Interface $interface is tracked through an earlier provider" - iface=$(chain_base $interface) [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\"" eval ${iface}_routemark=$mark ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" @@ -1236,6 +1244,9 @@ __EOF__ loose) loose=Yes ;; + optional) + optional=Yes + ;; *) error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\"" ;; @@ -1271,6 +1282,19 @@ progress_message " Provider $table ($number) Added" __EOF__ + INDENT="$save_indent1" + save_command else + + if [ -n "$optional" ]; then + save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" + save_command " ${iface}_up=" + else + save_command " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" + fi + + save_command fi + save_command + } verify_provider() @@ -1331,7 +1355,6 @@ __EOF__ strip_file providers $1 if [ -s $TMP_DIR/providers ]; then - DEFAULT_ROUTE= balance= progress_message2 "$DOING $1..." 
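Review bot: The `qt ip route flush table $number` emitted here now sits inside the generated `if [ "$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]` test, so when an `optional` provider's interface has no address at (re)start its table is simply left alone rather than emptied; moving `save_command "qt ip route flush table $number"` to just above the `save_command "if [ ..."` line keeps a down provider's table clean regardless. The `!= 0.0.0.0` comparison relies on find_first_interface_address_if_any printing that sentinel for an address-less interface, which is presumably its contract but is not visible in this patch; a one-line comment would help, e.g. `# find_first_interface_address_if_any prints 0.0.0.0 when the interface has no IPv4 address`. Since `${iface}_up` is decided once when the generated script runs, the providers-file text for `optional` should also say that a provider skipped at start stays out of the routing until the next `shorewall restart`. add_a_provider's body continues outside the hunk.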
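Review bot: The generated non-optional branch passes a message already prefixed with `ERROR:` to fatal_error, while every fatal_error call visible in this file (`fatal_error "Providers require mangle support..."`, `fatal_error "Interface $interface is tracked..."`) leaves the prefix to the function; if the runtime fatal_error also adds its own prefix (not visible here) the start-time message reads `ERROR: ERROR: ...`. Dropping the literal prefix, `fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"`, keeps it consistent with the compile-time calls. The error_message call next to it follows the file's existing `WARNING:` convention, so only the fatal branch needs touching. add_a_provider's body continues outside the hunk.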
@@ -1351,8 +1374,13 @@ __EOF__ if [ -n "$PROVIDERS" ]; then if [ -n "$balance" ]; then - save_command "run_ip route replace default scope global \$DEFAULT_ROUTE" - save_command "progress_message Default route \$DEFAULT_ROUTE Added" + save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then" + save_command " run_ip route replace default scope global \$DEFAULT_ROUTE" + save_command " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"" + save_command "else" + save_command " error_message \"WARNING: No Default route added (all 'balance' providers are down)\"" + save_command "fi" + save_command fi cat >&3 << __EOF__ @@ -6072,7 +6100,7 @@ rules_chain() # $1 = source zone, $2 = destination zone # setup_routes() { - local mask=0xFF mark_op="--set-mark" + local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark" @@ -6080,15 +6108,22 @@ setup_routes() run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask createmanglechain routemark - for interface in $ROUTEMARK_INTERFACES ; do + if [ -n "$ROUTEMARK_INTERFACES" ]; then + for interface in $ROUTEMARK_INTERFACES ; do + iface=$(chain_base $interface) + eval mark_value=\$${iface}_routemark - iface=$(chain_base $interface) - eval mark_value=\$${iface}_routemark - - run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value - - done + save_command + save_command "if [ -n \"\$${iface}_up\" ]; then" + INDENT="$INDENT " + run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark + run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value + INDENT="$save_indent" + save_command "fi" + done + + save_command + fi run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask 
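Review bot: `run_ip route replace default scope global $DEFAULT_ROUTE` now guards only on DEFAULT_ROUTE being non-empty, but nothing in this patch emits an initial `DEFAULT_ROUTE=` into the generated script — the compile-time `DEFAULT_ROUTE=` was dropped from setup_providers — and the first balance provider's `DEFAULT_ROUTE="nexthop ..."` assignment now runs inside that provider's interface-is-up test. If the first balance interface is down, later balance providers (presumably appending; that branch is outside the hunk) build on whatever `DEFAULT_ROUTE` the generated script inherited from its environment, and that string becomes arguments to `ip route replace`. Unless the script initializes it elsewhere (not visible here), emit `save_command "DEFAULT_ROUTE="` before the first provider is added. The `[ -n "$DEFAULT_ROUTE" ]` guard itself is the right addition for the all-down case.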
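Review bot: `iface` and `mark_value` are assigned in the rewritten loop but are still not in setup_routes' `local` list (only `save_indent` was added), so they keep leaking into the compiler's global scope; `local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" iface= mark_value=` would contain them. The generated `if [ -n "$<iface>_up" ]` gate also means an interface whose provider was skipped at start gets no PREROUTING routemark rules until the next restart, which deserves a comment on the loop, e.g. `# <iface>_up is set by the generated provider code only when the interface had an address at start`. setup_routes' body continues outside the hunk.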
@@ -7327,6 +7362,7 @@ if [ -f $file ]; then else error_message "WARNING: Cannot set Martian logging on $interface" fi + __EOF__ done @@ -7368,7 +7404,6 @@ fi __EOF__ done fi - # # UPnP # @@ -7485,14 +7520,6 @@ activate_rules() fi } - # - # Create a dynamic chain for a zone and jump to it from a second chain - # - create_zone_dyn_chain() # $1 = zone, $2 = second chain - { - createchain ${1}_dyn No - run_iptables -A $2 -j ${1}_dyn - } # # Add jumps to early SNAT chains # @@ -7991,6 +8018,21 @@ __EOF__ __EOF__ } +# +# Conditionally add an option to .conf file (FD 3) +# +conditionally_add_option() { # $1 = option name + local value + + eval value=\"\$$1\" + + if [ -n "$value" ]; then + cat >&3 << __EOF__ +[ -n "\${$1:=$value}" ] +__EOF__ + fi +} + # # Compile a Restore Script # @@ -8484,19 +8526,13 @@ __EOF__ exec 3>${outfile}.conf cat >&3 << __EOF__ # -# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date) +# Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date) # -[ -n "\${VERBOSITY:=$VERBOSITY}" ] -[ -n "\${LOGFILE:=$LOGFILE}" ] -[ -n "\${LOGFORMAT:=$LOGFORMAT}" ] -[ -n "\${IPTABLES:=$IPTABLES}" ] -[ -n "\${PATH:=$PATH}" ] -[ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ] -[ -n "\${LOGFILE:=$LOGFILE}" ] -[ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ] -[ -n "\${RESTOREFILE:=$RESTOREFILE}" ] __EOF__ - exec 3>&- + for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do + conditionally_add_option $option + done + exec 3>&- fi progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)" diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index bd5f17fab..c1852e9e5 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=3.2.0 +VERSION=3.2.2 usage() # $1 = exit status { 
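Review bot: `conditionally_add_option` interpolates `$value` into the heredoc unescaped, so an option value containing `"`, `$` or a backtick yields a malformed or re-expanded `[ -n "${OPT:=...}" ]` line in `${outfile}.conf`, a file that `reload_command` in this same patch ships to the Shorewall Lite host and that is presumably sourced there as root. The eight option names are fixed and the values come from the administrator's shorewall.conf, so this is a robustness rather than an injection issue, but a guard costs one line before the `cat`: `case $value in *[\"\$\`]*) fatal_error "Invalid characters in $1 ($value)";; esac`. Worth a header comment too that the values (PATH, IPTABLES, SHOREWALL_SHELL) are those of the compile host, not the target.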
diff --git a/Shorewall/functions b/Shorewall/functions index 3c9544fa7..54051140d 100644 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -1221,12 +1221,11 @@ determine_capabilities() { if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes fi if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then IPRANGE_MATCH=Yes - if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then + if [ -z "${KLUDGEFREE}" ]; then qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes fi fi @@ -1282,16 +1281,16 @@ determine_capabilities() { qt $IPTABLES -X fooX1234 } -report_capability() # $1 = Capability Description , $2 Capability Setting (if any) -{ - local setting= - - [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - - echo " " $1: $setting -} - report_capabilities() { + report_capability() # $1 = Capability Description , $2 Capability Setting (if any) + { + local setting= + + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" + + echo " " $1: $setting + } + if [ $VERBOSE -gt 1 ]; then echo "Shorewall has detected the following iptables/netfilter capabilities:" report_capability "NAT" $NAT_ENABLED 
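Review bot: With the physdev double-match probe removed, KLUDGEFREE can only be set by the iprange double-match test in this hunk, so on a kernel/iptables without iprange match it now stays unset even if multiple same-type matches work; if that is the intended conservative fallback, say so next to the probe, e.g. `# KLUDGEFREE is probed only via iprange; without it the kludge is assumed necessary`. Whether any other probe sets it is outside this hunk. determine_capabilities' body continues outside the hunk.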
@@ -1325,6 +1324,41 @@ report_capabilities() { } +report_capabilities1() { + report_capability1() # $1 = Capability + { + eval echo $1=\$$1 + } + + echo "#" + echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" + echo "#" + report_capability1 NAT_ENABLED + report_capability1 MANGLE_ENABLED + report_capability1 MULTIPORT + report_capability1 XMULTIPORT + report_capability1 CONNTRACK_MATCH + report_capability1 USEPKTTYPE + report_capability1 POLICY_MATCH + report_capability1 PHYSDEV_MATCH + report_capability1 LENGTH_MATCH + report_capability1 IPRANGE_MATCH + report_capability1 RECENT_MATCH + report_capability1 OWNER_MATCH + report_capability1 IPSET_MATCH + report_capability1 CONNMARK + report_capability1 XCONNMARK + report_capability1 CONNMARK_MATCH + report_capability1 XCONNMARK_MATCH + report_capability1 RAW_TABLE + report_capability1 IPP2P_MATCH + report_capability1 CLASSIFY_TARGET + report_capability1 ENHANCED_REJECT + report_capability1 KLUDGEFREE + report_capability1 MARK + report_capability1 XMARK + report_capability1 MANGLE_FORWARD +} # # Delete IP address diff --git a/Shorewall/help b/Shorewall/help index 61831ffba..230ecddc3 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -88,7 +88,7 @@ debug) If you include the keyword debug as the first argument to any of these commands: - start|stop|restart|reset|clear|refresh|check|add|delete|compile + start|stop|restart|reset|clear|refresh|check|compile then a shell trace of the command is produced. For example: @@ -159,7 +159,7 @@ iprange) ;; load) - echo "load: load [ ] + echo "load: load [ -s ] [ ] If is omitted, then the current working directory is assumed. Requires that Shorewall Lite be installed on the named . 
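Review bot: report_capabilities1 hard-codes the list of capability variables it prints, and the help text in this patch says the `-f` output is meant to be used as /etc/shorewall/capabilities, so a capability later added to determine_capabilities but not to this list would silently read as undetected on the target; a header comment should state the coupling, e.g. `# Keep this list in sync with the variables set by determine_capabilities`. The `eval echo $1=\$$1` is safe only because every argument is a fixed identifier; saying so in the same comment keeps a future caller from passing user-supplied names.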
@@ -168,7 +168,10 @@ load) program called '/firewall'. If compilation is successful, the '/firewall' script is copied via scp to the ${LITEDIR} directory on . If the script is copied - successfully, Shorewall Lite on is started via ssh." + successfully, Shorewall Lite on is started via ssh. + + If the -s option is given and Shorewall Lite starts successfully then + ssh is used to execute 'shorewall-lite save' on " ;; logdrop) @@ -227,7 +230,10 @@ reload) program called '/firewall'. If compilation is successful, the '/firewall' script is copied via scp to the ${LITEDIR} directory on . If the script is copied - successfully, Shorewall Lite on is restarted via ssh." + successfully, Shorewall Lite on is restarted via ssh. + + If the -s option is given and Shorewall Lite restarts successfully then + ssh is used to execute 'shorewall-lite save' on " ;; restart) @@ -277,7 +283,7 @@ save) ;; show) - echo "show: show [ [ ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones] + echo "show: show [ [ ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones] shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) @@ -303,7 +309,8 @@ show) shorewall show zones - displays the contents of all zones. - shorewall show capabilities - displays your kernel/iptables capabilities + shorewall show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is + specified, then the output is suitable for use as /etc/shorewall/capabilities. shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution diff --git a/Shorewall/install.sh b/Shorewall/install.sh index c0ccc2294..84e11f0f3 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=3.2.0 +VERSION=3.2.2 usage() # $1 = exit status { 
@@ -30,6 +30,7 @@ usage() # $1 = exit status echo "usage: $ME" echo " $ME -v" echo " $ME -h" + echo " $ME -n" exit $1 } @@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup { - if [ -z "$PREFIX" ]; then + if [ -z "${PREFIX}{NOBACKUP}" ]; then if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then if [ -n "$2" ]; then if [ -d $2 ]; then @@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then GROUP=root fi +NOBACKUP= + while [ $# -gt 0 ] ; do case "$1" in -h|help|?) @@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do echo "Shorewall Firewall Installer Version $VERSION" exit 0 ;; + -n) + NOBACKUP=Yes + ;; *) usage 1 ;; @@ -216,9 +222,11 @@ echo "Installing Shorewall Version $VERSION" # if [ -d ${PREFIX}/etc/shorewall ]; then first_install="" - backup_directory ${PREFIX}/etc/shorewall - backup_directory ${PREFIX}/usr/share/shorewall - backup_directory ${PREFIX}/var/lib/shorewall + if [ -z "$NOBACKUP" ]; then + backup_directory ${PREFIX}/etc/shorewall + backup_directory ${PREFIX}/usr/share/shorewall + backup_directory ${PREFIX}/var/lib/shorewall + fi else first_install="Yes" fi diff --git a/Shorewall/providers b/Shorewall/providers index 712fca55e..e42156016 100644 --- a/Shorewall/providers +++ b/Shorewall/providers @@ -69,6 +69,11 @@ # 'loose' prevents creation of such rules on this # interface. # +# optional +# If the interface named in the INTERFACE column is not +# up and configured with an IPv4 address then ignore +# this provider. +# # COPY A comma-separated lists of other interfaces on your # firewall. Only makes sense when DUPLICATE is 'main'. # Only copy routes through INTERFACE and through diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 481ede948..47b1d5506 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -872,6 +872,10 @@ show_command() { SHOWMACS=Yes option=${option#m} ;; + f*) + FILEMODE=Yes + option=${option#f} + ;; *) usage 1 ;; 
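Review bot: The new test `[ -z "${PREFIX}{NOBACKUP}" ]` compares against the literal text `{NOBACKUP}` (the `$` is missing), so the string is never empty and backup_file no longer creates any `-${VERSION}.bkout` backups, with or without `-n`; it should read `if [ -z "${PREFIX}${NOBACKUP}" ]; then`. That silently removes the rollback copies of the existing /etc/shorewall files that fallback.sh presumably restores, so it is worth fixing before 3.2.2 ships. backup_file's body continues outside the hunk.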
@@ -948,7 +952,11 @@ show_command() { [ $# -gt 1 ] && usage 1 determine_capabilities VERBOSE=2 - report_capabilities + if [ -n "$FILEMODE" ]; then + report_capabilities1 + else + report_capabilities + fi ;; actions) [ $# -gt 1 ] && usage 1 
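Review bot: FILEMODE is read here but, as far as this patch shows, never initialized before show_command's option loop (the new `f*` case only sets it to Yes), so a `FILEMODE` value inherited from the caller's environment would select the file-format output without `-f`; add `FILEMODE=` wherever SHOWMACS and the other show options are defaulted. If show_command already clears it outside these hunks, ignore this. show_command's body continues outside the hunk.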
@@ -1299,23 +1307,73 @@ restore_command() { # # [Re]load command executor # -reload_command()) # $1 = directory, $2 = system +reload_command() # $* = original arguments less the command. { - local verbose=$(make_verbose) file=$(resolve_file $1/firewall) + local verbose=$(make_verbose) file= finished=0 saveit= result directory system [ -n "$LITEDIR" ] || { echo " ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; } - if shorewall $debugging $verbose compile -e $1 $1/firewall && \ - echo "Copying $(resolve_file ${1}/firewall) to ${2}:${LITEDIR}..." && \ - scp $1/firewall root@${2}:${LITEDIR} + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + s*) + saveit=Yes + option=${option#s} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 1) + directory="." + system=$1 + ;; + 2) + directory=$1 + system=$2 + ;; + *) + usage 1 + ;; + esac + + file=$(resolve_file $directory/firewall) + + if shorewall $debugging $verbose compile -e $directory $directory/firewall && \ + echo "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." 
&& \ + scp $directory/firewall $directory/firewall.conf root@${system}:${LITEDIR} then echo "Copy complete" if [ $COMMAND = reload ]; then - ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \ - progress_message3 "System $2 reloaded" + ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \ + progress_message3 "System $system reloaded" || saveit= else - ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \ - progress_message3 "System $2 reloaded" + ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \ + progress_message3 "System $system reloaded" || saveit= + fi + + if [ -n "$saveit" ]; then + ssh root@${system} "/sbin/shorewall-lite $debugging $verbose save" && \ + progress_message3 "Configuration on system $system saved" fi fi } @@ -1347,18 +1405,18 @@ usage() # $1 = exit status echo " ipcalc {
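Review bot: Both branches of `if [ $COMMAND = reload ]` still run `/sbin/shorewall-lite ... restart` and report "reloaded", so `load` and `reload` behave identically on the remote system; this was already the case before, but since the lines are rewritten here the `load` branch presumably wants `start` and "loaded". Separately, `$directory` and `$system` are used unquoted in the `scp` and `ssh` commands, so a path with whitespace splits; `scp "$directory/firewall" "$directory/firewall.conf" root@${system}:${LITEDIR}` is cheap. `option` is also assigned without being in the `local` list. reload_command starts on the previous line of the patch.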
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" - echo " load [ ] " + echo " load [ -s ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" echo " refresh" echo " reject
..." - echo " reload [ ] " + echo " reload [ -s ] [ ] " echo " reset" echo " restart [ -n ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [ [ ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]" + echo " show [ -x ] [ -m ] [-f] [ [ ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]" echo " start [ -f ] [ -n ] [ ]" echo " stop" echo " status" @@ -1657,21 +1715,7 @@ case "$COMMAND" in ;; load|reload) shift - case $# in - 1) - directory="." - system=$1 - ;; - 2) - directory=$1 - system=$2 - ;; - *) - usage 1 - ;; - esac - - reload_command $directory $system + reload_command $@ ;; status) [ $# -eq 1 ] || usage 1 diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 867dc0adb..bdc8f7b8c 100644 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -710,6 +710,14 @@ DISABLE_IPV6=Yes BRIDGING=No +# +# DYNAMIC ZONES +# +# If you need to be able to add and delete hosts from zones dynamically then +# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. + +DYNAMIC_ZONES=No + # # USE PKTTYPE MATCH # diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 4f57335b1..bfe49864f 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 3.2.0 +%define version 3.2.2 %define release 1 %define prefix /usr @@ -209,6 +209,10 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Wed Aug 02 2006 Tom Eastep tom@shorewall.net +- Updated to 3.2.2-1 +* Fri Jul 21 2006 Tom Eastep tom@shorewall.net +- Updated to 3.2.1-1 * Sat Jul 08 2006 Tom Eastep tom@shorewall.net - Updated to 3.2.0-1 * Thu Jun 29 2006 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index ff064c9f5..0ed1efef2 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh 
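Review bot: `reload_command $@` re-splits the arguments on whitespace and drops empty ones, so a directory path containing a space reaches reload_command as two arguments and falls into `usage 1`; use `reload_command "$@"`. The argument-count check that used to live here now happens inside reload_command, so nothing else is lost by the removal.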
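Review bot: `DYNAMIC_ZONES=No` is added to shorewall.conf, but no hunk in this patch reads DYNAMIC_ZONES and the only related compiler change is the deletion of create_zone_dyn_chain, so unless the option is consumed by code outside this patch it is documented but inert. The comment should also say what a user loses with No — presumably the `add`/`delete` commands the help text refers to — so the trade-off is clear, e.g. `# With DYNAMIC_ZONES=No the dynamic per-zone chains are not built and 'shorewall add/delete' are unavailable.`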
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=3.2.0 +VERSION=3.2.2 usage() # $1 = exit status {