Bring 3.2.2 Changes forward

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-08-08 23:03:06 +00:00 · 2006-08-08 23:03:06 +00:00 · 3d81581c01
commit 3d81581c01
parent 5e552654aa
10 changed files with 234 additions and 88 deletions
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -1076,7 +1076,7 @@ __EOF__
 #
 setup_providers()
 {
-    local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes
+    local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes save_indent1=
    copy_table() {
 	    indent >&3 << __EOF__
@ -1115,6 +1115,7 @@ __EOF__
    {
 	balance=yes
 	save_command
 	if [ -n "$first" ]; then
 	    if [ -n "$gateway" ] ; then
 		save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\""
@ -1133,7 +1134,7 @@ __EOF__
    }
    add_a_provider() {
-	local t n iface option
+	local t n iface option optional=
 	[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
@ -1158,6 +1159,14 @@ __EOF__
 # Add Provider $table ($number)
 #
 __EOF__
 	save_command "if [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then"
 	save_indent1="$INDENT"
 	INDENT="$INDENT    "
 	iface=$(chain_base $interface)
 	save_command "${iface}_up=Yes"
 	save_command "qt ip route flush table $number"
 	if [ "x${duplicate:=-}" != x- ]; then
@ -1222,7 +1231,6 @@ __EOF__
 		track)
 		    list_search $interface $ROUTEMARK_INTERFACES && \
 			fatal_error "Interface $interface is tracked through an earlier provider"
 		    iface=$(chain_base $interface)
 		    [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\""
 		    eval ${iface}_routemark=$mark
 		    ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
@ -1236,6 +1244,9 @@ __EOF__
 		loose)
 		    loose=Yes
 		    ;;
 		optional)
 		    optional=Yes
 		    ;;
 		*)
 		    error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\""
 		    ;;
@ -1271,6 +1282,19 @@ progress_message "   Provider $table ($number) Added"
 __EOF__
    INDENT="$save_indent1"
    save_command else
    if [ -n "$optional" ]; then
 	save_command "    error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
 	save_command "    ${iface}_up="
    else
 	save_command "    fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""
    fi
    save_command fi
    save_command
    }
    verify_provider()
@ -1331,7 +1355,6 @@ __EOF__
    strip_file providers $1
    if [ -s $TMP_DIR/providers ]; then
 	DEFAULT_ROUTE=
 	balance=
 	progress_message2 "$DOING $1..."
@ -1351,8 +1374,13 @@ __EOF__
 	if [ -n "$PROVIDERS" ]; then
 	    if [ -n "$balance" ]; then
-		save_command "run_ip route replace default scope global \$DEFAULT_ROUTE"
+		save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then"
-		save_command "progress_message Default route \$DEFAULT_ROUTE Added"
+		save_command "    run_ip route replace default scope global \$DEFAULT_ROUTE"
 		save_command "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\""
 		save_command "else"
 		save_command "    error_message \"WARNING: No Default route added (all 'balance' providers are down)\""
 		save_command "fi"
 		save_command
 	    fi
 	    cat >&3 << __EOF__
@ -6072,7 +6100,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
 #
 setup_routes()
 {
-    local mask=0xFF mark_op="--set-mark"
+    local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"
    [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark"
@ -6080,15 +6108,22 @@ setup_routes()
    run_iptables -t mangle -A OUTPUT     -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
    createmanglechain routemark
-    for interface in $ROUTEMARK_INTERFACES ; do
+    if [ -n "$ROUTEMARK_INTERFACES" ]; then
 	for interface in $ROUTEMARK_INTERFACES ; do
 	    iface=$(chain_base $interface)
 	    eval mark_value=\$${iface}_routemark
-	iface=$(chain_base $interface)
+	    save_command
-	eval mark_value=\$${iface}_routemark
+	    save_command "if [ -n \"\$${iface}_up\" ]; then"
 	    INDENT="$INDENT    "
 	    run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
 	    run_iptables -t mangle -A routemark  -i $interface                        -j MARK $mark_op $mark_value
 	    INDENT="$save_indent"
 	    save_command "fi"
 	done
-	run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
+	save_command
-	run_iptables -t mangle -A routemark  -i $interface                        -j MARK $mark_op $mark_value
+    fi
    done
    run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask
@ -7327,6 +7362,7 @@ if [ -f $file ]; then
 else
    error_message "WARNING: Cannot set Martian logging on $interface"
 fi
 __EOF__
 	    done
@ -7368,7 +7404,6 @@ fi
 __EOF__
 	done
    fi
    #
    # UPnP
    #
@ -7485,14 +7520,6 @@ activate_rules()
 	fi
    }
    #
    # Create a dynamic chain for a zone and jump to it from a second chain
    #
    create_zone_dyn_chain() # $1 = zone, $2 = second chain
    {
 	createchain ${1}_dyn No
 	run_iptables -A $2 -j ${1}_dyn
    }
    #
    # Add jumps to early SNAT chains
    #
@ -7991,6 +8018,21 @@ __EOF__
 __EOF__
 }
 #
 # Conditionally add an option to .conf file (FD 3)
 #
 conditionally_add_option() { # $1 = option name
    local value
    eval value=\"\$$1\"
    if [ -n "$value" ]; then
 	    cat >&3 << __EOF__
 [ -n "\${$1:=$value}" ]
 __EOF__
    fi
 }	
 #
 # Compile a Restore Script
 #
@ -8484,18 +8526,12 @@ __EOF__
 	    exec 3>${outfile}.conf
 	    cat >&3 << __EOF__
 #
-# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date)
+# Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date)
 #
 [ -n "\${VERBOSITY:=$VERBOSITY}" ]
 [ -n "\${LOGFILE:=$LOGFILE}" ]
 [ -n "\${LOGFORMAT:=$LOGFORMAT}" ]
 [ -n "\${IPTABLES:=$IPTABLES}" ]
 [ -n "\${PATH:=$PATH}" ]
 [ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ]
 [ -n "\${LOGFILE:=$LOGFILE}" ]
 [ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ]
 [ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
 __EOF__
 	    for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do
 		conditionally_add_option $option
 	    done
 	    exec 3>&-	    
 	fi
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=3.2.0
+VERSION=3.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -1221,12 +1221,11 @@ determine_capabilities() {
    if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
 	qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
    fi
    if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
 	IPRANGE_MATCH=Yes
-	if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
+	if [ -z "${KLUDGEFREE}" ]; then
 	    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
 	fi
    fi
@ -1282,16 +1281,16 @@ determine_capabilities() {
    qt $IPTABLES -X fooX1234
 }
 report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
 {
    local setting=
    [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
    echo "  " $1: $setting
 }
 report_capabilities() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
 	local setting=
 	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
 	echo "  " $1: $setting
    }
    if [ $VERBOSE -gt 1 ]; then
 	echo "Shorewall has detected the following iptables/netfilter capabilities:"
 	report_capability "NAT" $NAT_ENABLED
@ -1325,6 +1324,41 @@ report_capabilities() {
 }
 report_capabilities1() {
    report_capability1() # $1 = Capability
    {
 	eval echo $1=\$$1
    }
    echo "#"
    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
    echo "#"
    report_capability1 NAT_ENABLED
    report_capability1 MANGLE_ENABLED
    report_capability1 MULTIPORT
    report_capability1 XMULTIPORT
    report_capability1 CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 LENGTH_MATCH
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
    report_capability1 ENHANCED_REJECT
    report_capability1 KLUDGEFREE
    report_capability1 MARK
    report_capability1 XMARK
    report_capability1 MANGLE_FORWARD
 }
 #
 # Delete IP address
--- a/Shorewall/help
+++ b/Shorewall/help
@ -88,7 +88,7 @@ debug)
    If you include the keyword debug as the first argument to any
    of these commands:
-	start|stop|restart|reset|clear|refresh|check|add|delete|compile
+	start|stop|restart|reset|clear|refresh|check|compile
    then a shell trace of the command is produced.  For example:
@ -159,7 +159,7 @@ iprange)
 	;;
 load)
-	echo "load: load [ <directory> ] <system>
+	echo "load: load [ -s ] [ <directory> ] <system>
    If <directory> is omitted, then the current working directory is assumed.
    Requires that Shorewall Lite be installed on the named <system>.
@ -168,7 +168,10 @@ load)
    program called '<directory>/firewall'. If compilation is successful,
    the '<directory>/firewall' script is copied via scp to the
    ${LITEDIR} directory on <system>. If the script is copied
-    successfully, Shorewall Lite on <system> is started via ssh."
+    successfully, Shorewall Lite on <system> is started via ssh.
    If the -s option is given and Shorewall Lite starts successfully then
    ssh is used to execute 'shorewall-lite save' on <system>"
 	;;
 logdrop)
@ -227,7 +230,10 @@ reload)
    program called '<directory>/firewall'. If compilation is successful,
    the '<directory>/firewall' script is copied via scp to the
    ${LITEDIR} directory on <system>. If the script is copied
-    successfully, Shorewall Lite on <system> is restarted via ssh."
+    successfully, Shorewall Lite on <system> is restarted via ssh.
    If the -s option is given and Shorewall Lite restarts successfully then
    ssh is used to execute 'shorewall-lite save' on <system>"
 	;;
 restart)
@ -277,7 +283,7 @@ save)
 	;;
 show)
-	echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
+	echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)
@ -303,7 +309,8 @@ show)
    shorewall show zones - displays the contents of all zones.
-    shorewall show capabilities - displays your kernel/iptables capabilities
+    shorewall show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
    specified, then the output is suitable for use as /etc/shorewall/capabilities.
    shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=3.2.0
+VERSION=3.2.2
 usage() # $1 = exit status
 {
@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup
 backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
 {
-    if [ -z "$PREFIX" ]; then
+    if [ -z "${PREFIX}{NOBACKUP}" ]; then
 	if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
 	    if [ -n "$2" ]; then
 		if [ -d $2 ]; then
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
 	GROUP=root
 fi
 NOBACKUP=
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	-n)
 	    NOBACKUP=Yes
 	    ;;
 	*)
 	    usage 1
 	    ;;
@ -216,9 +222,11 @@ echo "Installing Shorewall Version $VERSION"
 #
 if [ -d ${PREFIX}/etc/shorewall ]; then
    first_install=""
-    backup_directory ${PREFIX}/etc/shorewall
+    if [ -z "$NOBACKUP" ]; then
-    backup_directory ${PREFIX}/usr/share/shorewall
+	backup_directory ${PREFIX}/etc/shorewall
-    backup_directory ${PREFIX}/var/lib/shorewall
+	backup_directory ${PREFIX}/usr/share/shorewall
 	backup_directory ${PREFIX}/var/lib/shorewall
    fi
 else
    first_install="Yes"
 fi
--- a/Shorewall/providers
+++ b/Shorewall/providers
@ -69,6 +69,11 @@
 #			'loose' prevents creation of such rules on this
 #			interface.
 #
 #		optional
 #			If the interface named in the INTERFACE column is not
 #			up and configured with an IPv4 address then ignore
 #			this provider.
 #
 #	COPY		A comma-separated lists of other interfaces on your
 #			firewall. Only makes sense when DUPLICATE is 'main'.
 #			Only copy routes through INTERFACE and through
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -872,6 +872,10 @@ show_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
 			f*)
 			    FILEMODE=Yes
 			    option=${option#f}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@ -948,7 +952,11 @@ show_command() {
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
 	    VERBOSE=2
-	    report_capabilities
+	    if [ -n "$FILEMODE" ]; then
 		report_capabilities1
 	    else
 		report_capabilities
 	    fi
 	    ;;
 	actions)
 	    [ $# -gt 1 ] && usage 1
@ -1299,23 +1307,73 @@ restore_command() {
 #
 # [Re]load command executor
 #
-reload_command()) # $1 = directory, $2 = system
+reload_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file=$(resolve_file $1/firewall)
+    local verbose=$(make_verbose) file= finished=0 saveit= result directory system
    [ -n "$LITEDIR" ] || { echo "   ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; }
-    if shorewall $debugging $verbose compile -e $1 $1/firewall && \
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	echo "Copying $(resolve_file ${1}/firewall) to ${2}:${LITEDIR}..." && \
+	option=$1
-	scp $1/firewall root@${2}:${LITEDIR}
+	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			s*)
 			    saveit=Yes
 			    option=${option#s}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	1)
 	    directory="."
 	    system=$1
 	    ;;
 	2)
 	    directory=$1
 	    system=$2
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac
    file=$(resolve_file $directory/firewall)
    if shorewall $debugging $verbose compile -e $directory $directory/firewall && \
 	echo "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
 	scp $directory/firewall $directory/firewall.conf root@${system}:${LITEDIR}
    then
 	echo "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
-	    progress_message3 "System $2 reloaded"
+	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
-	    progress_message3 "System $2 reloaded"
+	    progress_message3 "System $system reloaded" || saveit=
 	fi
 	if [ -n "$saveit" ]; then
 	    ssh root@${system} "/sbin/shorewall-lite $debugging $verbose save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
 }
@ -1347,18 +1405,18 @@ usage() # $1 = exit status
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
-    echo "   load [ <directory> ] <system>"
+    echo "   load [ -s ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   refresh"
    echo "   reject <address> ..."
-    echo "   reload [ <directory> ] <system>"
+    echo "   reload [ -s ] [ <directory> ] <system>"
    echo "   reset"
    echo "   restart [ -n ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
+    echo "   show [ -x ] [ -m ] [-f] [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
    echo "   stop"
    echo "   status"
@ -1657,21 +1715,7 @@ case "$COMMAND" in
 	;;
    load|reload)
 	shift
-	case $# in
+	reload_command $@
 	    1)
 		directory="."
 		system=$1
 		;;
 	    2)
 		directory=$1
 		system=$2
 		;;
 	    *)
 		usage 1
 		;;
 	esac
 	reload_command $directory $system
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -710,6 +710,14 @@ DISABLE_IPV6=Yes
 BRIDGING=No
 #
 # DYNAMIC ZONES
 #
 # If you need to be able to add and delete hosts from zones dynamically then
 # set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
 DYNAMIC_ZONES=No
 #
 # USE PKTTYPE MATCH
 #
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 3.2.0
+%define version 3.2.2
 %define release 1
 %define prefix /usr
@ -209,6 +209,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 %changelog
 * Wed Aug 02 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.2.2-1
 * Fri Jul 21 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.2.1-1
 * Sat Jul 08 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.2.0-1
 * Thu Jun 29 2006 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=3.2.0
+VERSION=3.2.2
 usage() # $1 = exit status
 {