diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 3f6a91b0a..fc6ffcd4d 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -25,65 +25,6 @@ # # If an error occurs while starting or restarting the firewall, the # firewall is automatically stopped. -# -# Commands are: -# -# shorewall-lite dump Dumps all Shorewall-related information -# for problem analysis -# shorewall-lite start Starts the firewall -# shorewall-lite restart Restarts the firewall -# shorewall-lite stop Stops the firewall -# shorewall-lite status Displays firewall status -# shorewall-lite reset Resets iptables packet and -# byte counts -# shorewall-lite clear Open the floodgates by -# removing all iptables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall-lite show [ ... ] Display the rules in each listed -# shorewall-lite show log Print the last 20 log messages -# shorewall-lite show connections Show the kernel's connection -# tracking table -# shorewall-lite show nat Display the rules in the nat table -# shorewall-lite show {mangle|tos} Display the rules in the mangle table -# shorewall-lite show tc Display traffic control info -# shorewall-lite show classifiers Display classifiers -# shorewall-lite show capabilities Display iptables/kernel capabilities -# shorewall-lite show vardir Display VARDIR setting -# shorewall-lite version Display the installed version id -# shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall-lite drop
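Review bot: In the new IPv4 branch of get_config, `g_tool=#$IPTABLES` does not comment anything out — a `#` only begins a comment at the start of a word, so g_tool receives the iptables path with a literal `#` prefixed and every later `$g_tool -L ...` invocation fails as command-not-found. The IPv6 branch has the intended form, `g_tool=$IP6TABLES`; the IPv4 line should read `g_tool=$IPTABLES`. get_config starts before and continues after this hunk.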
... Temporarily drop all packets from the -# listed address(es) -# shorewall-lite reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall-lite allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall-lite save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall -# restore' can be used. -# -# shorewall-lite forget [ ] Discard the data saved by 'shorewall save' -# -# shorewall-lite restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall-lite ipaddr {
/ |
} -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall-lite iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# shorewall-lite ipdecimal {
| } -# -# Displays the decimal equivalent of an IP -# address and vice versa. - # # Set the configuration variables from shorewall-lite.conf # @@ -113,17 +54,36 @@ get_config() { [ -n "$FW" ] || FW=fw - if [ -n "$IPTABLES" ]; then - if [ ! -x "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 + if [ $g_family -eq 4 ]; then + if [ -n "$IPTABLES" ]; then + if [ ! -x "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(mywhich iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi fi + + g_tool=#$IPTABLES else - IPTABLES=$(mywhich iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 + if [ -n "$IP6TABLES" ]; then + if [ ! -x "$IP6TABLES" ]; then + echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IP6TABLES=$(mywhich ip6tables 2> /dev/null) + if [ -z "$IP6TABLES" ] ; then + echo " ERROR: Can't find ip6tables executable" >&2 + exit 2 + fi fi + + g_tool=$IP6TABLES fi if [ -n "$SHOREWALL_SHELL" ]; then @@ -165,7 +125,7 @@ get_config() { # verify_firewall_script() { if [ ! -f $g_firewall ]; then - echo " ERROR: Shorewall Lite is not properly installed" >&2 + echo " ERROR: $g_product is not properly installed" >&2 if [ -L $g_firewall ]; then echo " $g_firewall is a symbolic link to a" >&2 echo " non-existant file" >&2 @@ -203,7 +163,7 @@ start_command() { rc=$? else error_message "${LITEDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:Shorewall Lite start failed" + logger -p kern.err "ERROR:$g_product start failed" rc=2 fi 
@@ -213,8 +173,13 @@ start_command() { verify_firewall_script - if shorewall_is_started; then - error_message "Shorewall is already running" + if product_is_started; then + if [ $g_family -eq 4 ]; then + error_message "Shorewall is already running" + else + error_message "Shorewall6 is already running" + fi + exit 0 fi @@ -271,10 +236,10 @@ start_command() { g_restorepath=${VARDIR}/$RESTOREFILE if [ -x $g_restorepath ]; then - echo Restoring Shorewall Lite... + echo Restoring $g_product... run_it $g_restorepath restore date > ${VARDIR}/restarted - progress_message3 Shorewall Lite restored from $g_restorepath + progress_message3 $g_product restored from $g_restorepath else do_it fi @@ -346,7 +311,7 @@ restart_command() { rc=$? else error_message "${LITEDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:Shorewall Lite restart failed" + logger -p kern.err "ERROR:$g_product restart failed" rc=2 fi @@ -371,9 +336,13 @@ usage() # $1 = exit status echo " enable " echo " forget [ ]" echo " help" - echo " ipcalc {
/ |
}" - echo " ipdecimal {
| }" - echo " iprange
-
" + + if [ $g_family -eq 4 ]; then + echo " ipcalc {
/ |
}" + echo " ipdecimal {
| }" + echo " iprange
-
" + fi + echo " logdrop
..." echo " logreject
..." echo " logwatch []" @@ -390,7 +359,7 @@ usage() # $1 = exit status echo " show filters" echo " show ip" echo " show [ -m ] log []" - echo " show [ -x ] mangle|nat|raw|routing" + echo " show [ -x ] mangle|nat|raw|rawpost|routing" echo " show policies" echo " show tc [ device ]" echo " show vardir" @@ -444,8 +413,8 @@ version_command() { echo $SHOREWALL_VERSION if [ -n "$all" ]; then - for product in shorewall shorewall6 shorewall6-lite shorewall-init; do - if [ -f /usr/share/$product/version ]; then + for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do + if [ $product ~= $g_program] && [ -f /usr/share/$product/version ]; then echo "$product: $(cat /usr/share/$product/version)" fi done @@ -476,6 +445,7 @@ g_use_verbosity= g_noroutes= g_timestamp= g_recovering= +g_purge= g_logread= # @@ -569,14 +539,30 @@ fi PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= -SHAREDIR=/usr/share/shorewall-lite -CONFDIR=/etc/shorewall-lite -g_product="Shorewall Lite" +g_program=$(basename $0) + +if [ $g_program = shorewall6-lite ]; then + SHAREDIR=/usr/share/shorewall6-lite + CONFDIR=/etc/shorewall6-lite + g_product="Shorewall6 Lite" + g_family=6 + g_base=shorewall6 + g_tool=ip6tables +else + g_program=shorewall-lite + SHAREDIR=/usr/share/shorewall-lite + CONFDIR=/etc/shorewall-lite + g_product="Shorewall Lite" + g_family=4 + g_base=shorewall + g_tool=iptables +fi + g_libexec=share [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] -[ -n "${VARDIR:=/var/lib/shorewall-lite}" ] +[ -n "${VARDIR:=/var/lib/${g_base}-lite}" ] [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR" @@ -588,7 +574,7 @@ done ensure_config_path -config=$(find_file shorewall-lite.conf) +config=$(find_file ${g_base}-lite.conf) if [ -f $config ]; then if [ -r $config ]; then 
@@ -615,12 +601,12 @@ g_firewall=$LITEDIR/firewall if [ -f $version_file ]; then SHOREWALL_VERSION=$(cat $version_file) else - echo " ERROR: Shorewall Lite is not properly installed" >&2 + echo " ERROR: $g_product is not properly installed" >&2 echo " The file $version_file does not exist" >&2 exit 1 fi -banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -" +banner="$g_product $SHOREWALL_VERSION Status at $g_hostname -" case $(echo -e) in -e*) @@ -658,7 +644,7 @@ case "$COMMAND" in ;; restart) shift - restart_command + restart_command @ ;; show|list) shift @@ -667,13 +653,13 @@ case "$COMMAND" in status) [ $# -eq 1 ] || usage 1 [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" - echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)" + echo "$g_product $SHOREWALL_VERSION Status at $g_hostname - $(date)" echo - if shorewall_is_started ; then - echo "Shorewall Lite is running" + if product_is_started ; then + echo "$g_product is running" status=0 else - echo "Shorewall Lite is stopped" + echo "$g_product is stopped" status=4 fi 
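Review bot: The `restart)` arm now calls `restart_command @`, which passes a literal `@` as the first argument; presumably `$@` was intended, as in the `disable|enable` arm's `run_it ${VARDIR}/firewall $g_debugging $@`. Unless restart_command ignores its arguments, this changes behaviour; the line should be `restart_command $@`.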
@@ -710,36 +696,36 @@ case "$COMMAND" in drop) [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then [ -n "$nolock" ] || mutex_on block DROP Dropped $* [ -n "$nolock" ] || mutex_off else - error_message "ERROR: Shorewall Lite is not started" + error_message "ERROR: $g_product is not started" exit 2 fi ;; logdrop) [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then [ -n "$nolock" ] || mutex_on block logdrop Dropped $* [ -n "$nolock" ] || mutex_off else - error_message "ERROR: Shorewall Lite is not started" + error_message "ERROR: $g_product is not started" exit 2 fi ;; reject|logreject) [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then [ -n "$nolock" ] || mutex_on block $COMMAND Rejected $* [ -n "$nolock" ] || mutex_off else - error_message "ERROR: Shorewall Lite is not started" + error_message "ERROR: $g_product is not started" exit 2 fi ;; @@ -758,7 +744,7 @@ case "$COMMAND" in ;; disable|enable) get_config Yes - if shorewall_is_started; then + if product_is_started; then run_it ${VARDIR}/firewall $g_debugging $@ else fatal_error "Shorewall is not running" diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 893077345..eff439e95 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
@@ -23,16 +23,17 @@ # This library contains the code common to all Shorewall components. # # - It is loaded by /sbin/shorewall. -# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite -# and /usr/share/shorewall-lite/shorecap. +# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite +# and /usr/share/shorewall[6]-lite/shorecap. # SHOREWALL_LIBVERSION=40407 SHOREWALL_CAPVERSION=40426 -[ -n "${VARDIR:=/var/lib/shorewall}" ] -[ -n "${SHAREDIR:=/usr/share/shorewall}" ] -[ -n "${CONFDIR:=/etc/shorewall}" ] +[ -n "${g_program:=shorewall}" ] +[ -n "${VARDIR:=/var/lib/$g_program}" ] +[ -n "${SHAREDIR:=/usr/share/g_program}" ] +[ -n "${CONFDIR:=/etc/$g_program}" ] # # Conditionally produce message @@ -378,9 +379,8 @@ resolve_file() # $1 = file name esac } -# Function to truncate a string -- It uses 'cut -b -' -# rather than ${v:first:last} because light-weight shells like ash and -# dash do not support that form of expansion. +# +# Determine how to do "echo -e" # find_echo() { diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 230ae6ffd..2a822de0e 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -3,7 +3,7 @@ # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net) +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -20,8 +20,8 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# This library contains the command processing code common to /sbin/shorewall and -# /sbin/shorewall-lite. +# This library contains the command processing code common to /sbin/shorewall[6] and +# /sbin/shorewall[6]-lite. # # 
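Review bot: The new default `[ -n "${SHAREDIR:=/usr/share/g_program}" ]` is missing the `$`, so when SHAREDIR is unset it becomes the literal path `/usr/share/g_program` instead of following g_program as the VARDIR and CONFDIR lines do. It should be `[ -n "${SHAREDIR:=/usr/share/$g_program}" ]`.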
@@ -70,15 +70,18 @@ showchain() # $1 = name of chain iptablesbug() { - if qt mywhich awk ; then - awk 'BEGIN { sline=""; };\ + if [ $g_family -eq 4 ]; then + if qt mywhich awk ; then + awk 'BEGIN { sline=""; };\ /^-j/ { print sline $0; next };\ /-m policy.*-j/ { print $0; next };\ /-m policy/ { sline=$0; next };\ /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ { print ; sline="" }' + else + echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 + cat else - echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 cat fi } 
@@ -152,18 +155,30 @@ syslog_circular_buffer() { packet_log() # $1 = number of messages { if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ - else + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $family -eq 4 ]; then $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ fi } search_log() # $1 = IP address to search for { if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ - else + if [ $g_family -eq 4 ]; then + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ + fi + elif [ $g_family -eq 4 ]; then $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ + else + $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ 
fi } @@ -239,7 +254,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that fi host=$(echo $g_hostname | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') + oldrejects=$($g_tool -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then timeout=$((- $1)) @@ -261,7 +276,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$($IPTABLES -L -v -n | grep 'LOG') + rejects=$($g_tool -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" @@ -357,11 +372,11 @@ save_config() { local result result=1 - iptables_save=${IPTABLES}-save + iptables_save=${g_tool}-save [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 - if shorewall_is_started ; then + if product_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if [ -f $g_restorepath -a ! -x $g_restorepath ]; then @@ -378,7 +393,7 @@ save_config() { esac fi else - echo "Shorewall isn't started" >&2 + echo "$g_product isn't started" >&2 fi return 0 @@ -389,23 +404,23 @@ save_config() { # Show routing configuration # show_routing() { - if [ -n "$(ip rule list)" ]; then + if [ -n "$(ip -$g_family rule list)" ]; then heading "Routing Rules" - ip rule list - ip rule list | while read rule; do + ip -$g_family rule list + ip -$g_family rule list | while read rule; do echo ${rule##* } done | sort -u | while read table; do heading "Table $table:" - ip route list table $table + ip -$g_family route list table $table done if [ -n "$g_routecache" ]; then heading "Route Cache" - ip -4 route list cache + ip -$g_family route list cache fi else heading "Routing Table" - ip route list + ip -$g_family route list fi } @@ -426,7 +441,11 @@ list_zone() { [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" - sets=$(ipset -L -n | grep '^$1_'); + if [ $g_family -eq 4 ]; then + sets=$(ipset -L -n | grep '^$1_'); + else + sets=$(ipset -L -n | grep "^6_$1_") + fi [ -n "$sets" ] || sets=$(find_sets $1) 
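Review bot: In packet_log the new `elif [ $family -eq 4 ]; then` references `$family`, which is never set — every other branch in this hunk tests `$g_family` — so with g_showmacs unset and VERBOSITY at or below 2 the test becomes `[ -eq 4 ]` and errors out; it should be `elif [ $g_family -eq 4 ]; then`. The two IPv6 branches added to search_log also still grep for `SRC=.*\..*DST=` (a dotted address), whereas packet_log's IPv6 branches use `SRC=.*:.*DST=`; the search_log patterns look like they were copied without that adjustment.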
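Review bot: In list_zone the IPv4 branch re-added by this hunk, `sets=$(ipset -L -n | grep '^$1_');`, single-quotes the pattern, so `$1` is never expanded and grep searches for the literal text `^$1_`; the new IPv6 branch correctly uses double quotes, `grep "^6_$1_"`. The IPv4 line should read `sets=$(ipset -L -n | grep "^$1_")`. list_zone starts before and continues after this hunk.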
@@ -440,7 +459,7 @@ list_zone() { } # -# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time, +# Show Filter - For Shorewall[6]-lite, if there was an scfilter file at compile-time, # then the compiler generated another version of this function and # embedded it in the firewall.conf file. That version supersedes this # one. 
@@ -566,26 +585,38 @@ show_command() { connections) [ $# -gt 1 ] && usage 1 - if [ -d /proc/sys/net/netfilter/ ]; then - local count - local max - count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) - echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)" - else - echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)" - fi - - echo - - if qt mywhich conntrack ; then - conntrack -f ipv4 -L | show_connections_filter - else - if [ -f /proc/net/ip_conntrack ]; then - cat /proc/net/ip_conntrack | show_connections_filter + if [ $g_family -eq 4 ]; then + if [ -d /proc/sys/net/netfilter/ ]; then + local count + local max + count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)" else - grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter + echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)" fi + + echo + + if qt mywhich conntrack ; then + conntrack -f ipv${g_family} -L | show_connections_filter + else + if [ -f /proc/net/ip_conntrack ]; then + cat /proc/net/ip_conntrack | show_connections_filter + else + grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter + fi + fi + elif qt mywhich conntrack ; then + echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)" + echo + conntrack -f ipv6 -L | show_connections_filter + else + local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)" + echo + grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter fi ;; nat) 
@@ -593,28 +624,28 @@ show_command() { echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)" echo show_reset - $IPTABLES -t nat -L $g_ipt_options + $g_tool -t nat -L $g_ipt_options ;; raw) [ $# -gt 1 ] && usage 1 echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)" echo show_reset - $IPTABLES -t raw -L $g_ipt_options + $g_tool-t raw -L $g_ipt_options ;; rawpost) [ $# -gt 1 ] && usage 1 echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" echo show_reset - $IPTABLES -t rawpost -L $g_ipt_options + $g_tool -t rawpost -L $g_ipt_options ;; tos|mangle) [ $# -gt 1 ] && usage 1 echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" echo show_reset - $IPTABLES -t mangle -L $g_ipt_options + $g_tool -t mangle -L $g_ipt_options ;; log) [ $# -gt 2 ] && usage 1 @@ -650,7 +681,7 @@ show_command() { shift if [ -z "$1" ]; then - $IPTABLES -t mangle -L -n -v + $g_tool -t mangle -L -n -v echo fi @@ -700,7 +731,7 @@ show_command() { [ $# -gt 1 ] && usage 1 echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" echo - ip -4 addr list + ip -$g_family addr list ;; routing) [ $# -gt 1 ] && usage 1 @@ -729,11 +760,11 @@ show_command() { show_reset if [ $# -gt 0 ]; then for chain in $*; do - $IPTABLES -t $table -L $chain $g_ipt_options + $g_tool -t $table -L $chain $g_ipt_options echo done else - $IPTABLES -t $table -L $g_ipt_options + $g_tool -t $table -L $g_ipt_options fi ;; vardir) @@ -746,6 +777,7 @@ show_command() { [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies; ;; ipa) + [ $g_family -eq 4 ] && usage 1 echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)" echo [ $# -gt 1 ] && usage 1 
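Review bot: In the `raw)` arm of show_command the replacement line `$g_tool-t raw -L $g_ipt_options` lacks the space between the tool and its option, so the shell tries to execute a program named like `/sbin/iptables-t`. The sibling `nat)`, `rawpost)` and `mangle)` arms have the correct form; the line should be `$g_tool -t raw -L $g_ipt_options`.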
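Review bot: The guard added to the `ipa)` arm, `[ $g_family -eq 4 ] && usage 1`, looks inverted: the do_dump_command change in this same commit only runs `perip_accounting` when `$g_family -eq 4`, which suggests per-IP accounting is an IPv4-only feature, yet this line rejects the command precisely for IPv4. If that reading is right it should be `[ $g_family -eq 6 ] && usage 1`; please confirm against perip_accounting, which is outside this hunk.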
@@ -758,69 +790,72 @@ show_command() { [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; ;; *) - if [ "$g_product" = Shorewall ]; then - case $1 in - actions) - [ $# -gt 1 ] && usage 1 - echo "A_ACCEPT # Audit and accept the connection" - echo "A_DROP # Audit and drop the connection" - echo "A_REJECT # Audit and reject the connection " - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" + case "$g_product" in + *lite) + ;; + *) + case $1 in + actions) + [ $# -gt 1 ] && usage 1 + echo "A_ACCEPT # Audit and accept the connection" + echo "A_DROP # Audit and drop the connection" + echo "A_REJECT # Audit and reject the connection " + echo "allowBcast # Silently Allow Broadcast/multicast" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." 
+ echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" + echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" - if [ -f ${CONFDIR}/actions ]; then - cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' - else - grep -Ev '^\#|^$' ${SHAREDIR}/actions.std - fi - - return - ;; - macro) - [ $# -ne 2 ] && usage 1 - for directory in $(split $CONFIG_PATH); do - if [ -f ${directory}/macro.$2 ]; then - echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)" - cat ${directory}/macro.$2 - return + if [ -f ${CONFDIR}/actions ]; then + cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' + else + grep -Ev '^\#|^$' ${SHAREDIR}/actions.std fi - done - echo " WARNING: Macro $2 not found" >&2 - return - ;; - macros) - [ $# -gt 1 ] && usage 1 - for directory in $(split $CONFIG_PATH); do - temp= - for macro in ${directory}/macro.*; do - case $macro in - *\*) - ;; - *) - if [ -z "$temp" ]; then - echo - echo "Macros in $directory:" - echo - temp=Yes - fi - show_macro - ;; - esac + return + ;; + macro) + [ $# -ne 2 ] && usage 1 + for directory in $(split $CONFIG_PATH); do + if [ -f ${directory}/macro.$2 ]; then + echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)" + cat ${directory}/macro.$2 + return + fi done - done - return - ;; - esac - fi + echo " WARNING: Macro $2 not found" >&2 + return + ;; + macros) + [ $# -gt 1 ] && usage 1 + for directory in $(split $CONFIG_PATH); do + temp= + for macro in ${directory}/macro.*; do + case $macro in + *\*) + ;; + *) + if [ -z "$temp" ]; then + echo + echo "Macros in $directory:" + echo + temp=Yes + fi + 
show_macro + ;; + esac + done + done + return + ;; + esac + ;; + esac if [ $# -gt 0 ]; then if [ $1 = dynamic -a $# -gt 1 ]; then @@ -831,8 +866,8 @@ show_command() { fi [ -n "$table_given" ] || for chain in $*; do - if ! qt $IPTABLES -t $table -L $chain $g_ipt_options; then - error_message "ERROR: Chain '$chain' is not recognized by $IPTABLES." + if ! qt $g_tool -t $table -L $chain $g_ipt_options; then + error_message "ERROR: Chain '$chain' is not recognized by $g_tool." exit 1 fi done @@ -841,14 +876,14 @@ show_command() { echo show_reset for chain in $*; do - $IPTABLES -t $table -L $chain $g_ipt_options + $g_tool -t $table -L $chain $g_ipt_options echo done else echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" echo show_reset - $IPTABLES -t $table -L $g_ipt_options + $g_tool -t $table -L $g_ipt_options fi ;; esac 
@@ -976,41 +1011,51 @@ do_dump_command() { echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" echo + if [ $g_family -eq 6 ] && [ -f /usr/share/shorewall/version ]; then + echo " Shorewall $(cat /usr/share/shorewall/version)" + echo + fi + show_reset host=$(echo $g_hostname | sed 's/\..*$//') - $IPTABLES -L $g_ipt_options + $g_tool -L $g_ipt_options heading "Log ($LOGFILE)" packet_log 20 - if qt $IPTABLES -t nat -L -n; then + if qt $g_tool -t nat -L -n; then heading "NAT Table" - $IPTABLES -t nat -L $g_ipt_options + $g_tool -t nat -L $g_ipt_options fi - if qt $IPTABLES -t mangle -L -n; then + if qt $g_tool -t mangle -L -n; then heading "Mangle Table" - $IPTABLES -t mangle -L $g_ipt_options + $g_tool -t mangle -L $g_ipt_options fi - if qt $IPTABLES -t raw -L -n; then + if qt $g_tool -t raw -L -n; then heading "Raw Table" - $IPTABLES -t raw -L $g_ipt_options + $g_tool -t raw -L $g_ipt_options fi - if qt $IPTABLES -t rawpost -L -n; then + if qt $g_tool -t rawpost -L -n; then heading "Rawpost Table" - $IPTABLES -t rawpost -L $g_ipt_options + $g_tool -t rawpost -L $g_ipt_options fi local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) heading "Conntrack Table ($count out of $max)" - [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack + + if [ $g_family -eq 4 ]; then + [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack + else + grep '^ipv6' /proc/net/nf_conntrack + fi heading "IP Configuration" - ip -4 addr list + ip -$g_family addr list heading "IP Stats" ip -stat link list @@ -1020,9 +1065,11 @@ do_dump_command() { brctl show fi - heading "Per-IP Counters" + if [ $g_family -eq 4 ]; then + heading "Per-IP Counters" - perip_accounting + perip_accounting + fi if qt mywhich setkey; then heading "PFKEY SPD" 
@@ -1033,23 +1080,42 @@ do_dump_command() { heading "/proc" show_proc /proc/version - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do - show_proc $directory/$file + if [ $g_family -eq 4 ]; then + show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all + + for directory in /proc/sys/net/ipv4/conf/*; do + for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do + show_proc $directory/$file + done done - done + else + for directory in /proc/sys/net/ipv6/conf/*; do + for file in forwarding proxy_ra proxy_ndp; do + show_proc $directory/$file + done + done + fi show_routing - heading "ARP" - arp -na + if [ $g_family -eq 4 ]; then + heading "ARP" + arp -na + else + heading "Neighbors" + ip -6 neigh ls + fi if qt mywhich lsmod; then heading "Modules" - lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort + + if [ $g_family -eq 4 ]; then + lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort + else + lsmod | grep -E '^(x_|ip6|nf_|xt_)' | sort + fi fi determine_capabilities @@ -1057,7 +1123,7 @@ do_dump_command() { report_capabilities echo - netstat -tunap + netstat -${g_family}tunap if [ -n "$TC_ENABLED" ]; then heading "Traffic Control" @@ -1129,7 +1195,7 @@ restore_command() { [ -n "$nolock" ] || mutex_on if [ -x $g_restorepath ]; then - progress_message3 "Restoring Shorewall..." + progress_message3 "Restoring $g_product..." run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE" 
@@ -1253,18 +1319,18 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses continue ;; *-*) - qt $IPTABLES -D dynamic -m iprange $range $1 -j reject - qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP - qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject - qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop - $IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1 + qt $g_tool -D dynamic -m iprange $range $1 -j reject + qt $g_tool -D dynamic -m iprange $range $1 -j DROP + qt $g_tool -D dynamic -m iprange $range $1 -j logreject + qt $g_tool -D dynamic -m iprange $range $1 -j logdrop + $g_tool -A dynamic -m iprange $range $1 -j $chain || break 1 ;; *) - qt $IPTABLES -D dynamic $which $1 -j reject - qt $IPTABLES -D dynamic $which $1 -j DROP - qt $IPTABLES -D dynamic $which $1 -j logreject - qt $IPTABLES -D dynamic $which $1 -j logdrop - $IPTABLES -A dynamic $which $1 -j $chain || break 1 + qt $g_tool -D dynamic $which $1 -j reject + qt $g_tool -D dynamic $which $1 -j DROP + qt $g_tool -D dynamic $which $1 -j logreject + qt $g_tool -D dynamic $which $1 -j logdrop + $g_tool -A dynamic $which $1 -j $chain || break 1 ;; esac @@ -1346,8 +1412,8 @@ separate_list() { # add_command() { local interface host hostlist zone ipset - if ! shorewall_is_started ; then - echo "Shorewall Not Started" >&2 + if ! product_is_started ; then + echo "$g_product Not Started" >&2 exit 2 fi @@ -1367,7 +1433,11 @@ add_command() { [ "$host" = "$1" ] && host= if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" + if [ $g_family -eq 4 ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + hostlist="$hostlist $interface:::/0" + fi else for h in $(separate_list $host); do hostlist="$hostlist $interface:$h" 
@@ -1380,9 +1450,13 @@ add_command() { zone=$1 for host in $hostlist; do - interface=${host%:*} - - ipset=${zone}_${interface}; + if [ $g_family -eq 4 ]; then + interface=${host%:*} + ipset=${zone}_${interface}; + else + interface=${host%%:*} + ipset=6_${zone}_${interface}; + fi if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" @@ -1404,8 +1478,8 @@ add_command() { # delete_command() { local interface host hostent hostlist zone ipset - if ! shorewall_is_started ; then - echo "Shorewall Not Started" >&2 + if ! product_is_started ; then + echo "$g_product Not Started" >&2 exit 2; fi @@ -1426,7 +1500,11 @@ delete_command() { [ "$host" = "$1" ] && host= if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" + if [ $g_family -eq 4 ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + hostlist="$hostlist $interface:::/0" + fi else for h in $(separate_list $host); do hostlist="$hostlist $interface:$h" @@ -1439,9 +1517,13 @@ delete_command() { zone=$1 for hostent in $hostlist; do - interface=${hostent%:*} - - ipset=${zone}_${interface}; + if [ $g_family -eq 4 ]; then + interface=${hostent%:*} + ipset=${zone}_${interface}; + else + interface=${hostent%%:*} + ipset=6_${zone}_${interface}; + fi if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" @@ -1450,7 +1532,7 @@ delete_command() { host=${hostent#*:} if $IPSET -D $ipset $host; then - echo "Host $hostend deleted from zone $zone" + echo "Host $hostent deleted from zone $zone" else echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 fi @@ -1554,7 +1636,7 @@ hits_command() { allow_command() { [ -n "$g_debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then local which which='-s' local range 
@@ -1580,10 +1662,10 @@ allow_command() { continue ;; *-*) - if qt $IPTABLES -D dynamic -m iprange $range $1 -j reject ||\ - qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP ||\ - qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop ||\ - qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject + if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\ + qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\ + qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\ + qt $g_tool -D dynamic -m iprange $range $1 -j logreject then echo "$1 Allowed" else @@ -1591,10 +1673,10 @@ allow_command() { fi ;; *) - if qt $IPTABLES -D dynamic $which $1 -j reject ||\ - qt $IPTABLES -D dynamic $which $1 -j DROP ||\ - qt $IPTABLES -D dynamic $which $1 -j logdrop ||\ - qt $IPTABLES -D dynamic $which $1 -j logreject + if qt $g_tool -D dynamic $which $1 -j reject ||\ + qt $g_tool -D dynamic $which $1 -j DROP ||\ + qt $g_tool -D dynamic $which $1 -j logdrop ||\ + qt $g_tool -D dynamic $which $1 -j logreject then echo "$1 Allowed" else @@ -1671,7 +1753,7 @@ logwatch_command() { # # Determine which optional facilities are supported by iptables/netfilter # -determine_capabilities() { +determine_4_capabilities() { [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) if [ -z "$IPTABLES" ]; then 
@@ -1924,6 +2006,253 @@ determine_capabilities() { esac } +determine_6_capabilities() { + CONNTRACK_MATCH= + NEW_CONNTRACK_MATCH= + OLD_CONNTRACK_MATCH= + MULTIPORT= + XMULTIPORT= + POLICY_MATCH= + PHYSDEV_MATCH= + PHYSDEV_BRIDGE= + IPRANGE_MATCH= + RECENT_MATCH= + OWNER_MATCH= + IPSET_MATCH= + OLD_IPSET_MATCH= + IPSET_V5= + CONNMARK= + XCONNMARK= + CONNMARK_MATCH= + XCONNMARK_MATCH= + RAW_TABLE= + RAWPOST_TABLE= + IPP2P_MATCH= + OLD_IPP2P_MATCH= + LENGTH_MATCH= + CLASSIFY_TARGET= + ENHANCED_REJECT= + USEPKTTYPE= + KLUDGEFREE= + MARK= + XMARK= + EXMARK= + TPROXY_TARGET= + MANGLE_FORWARD= + COMMENTS= + ADDRTYPE= + TCPMSS_MATCH= + HASHLIMIT_MATCH= + NFQUEUE_TARGET= + REALM_MATCH= + HELPER_MATCH= + CONNLIMIT_MATCH= + TIME_MATCH= + GOTO_TARGET= + IPMARK_TARGET= + LOG_TARGET=Yes + ULOG_TARGET= + NFLOG_TARGET= + LOGMARK_TARGET= + FLOW_FILTER= + FWMARK_RT_MASK= + MARK_ANYWHERE= + HEADER_MATCH= + ACCOUNT_TARGET= + AUDIT_TARGET= + IPSET_V5= + CONDITION_MATCH= + IPTABLES_S= + BASIC_FILTER= + + chain=fooX$$ + + [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables) + + if [ -z "$IP6TABLES" ]; then + echo " ERROR: No executable iptables binary can be found on your PATH" >&2 + exit 1 + fi + + [ -n "$IP" ] || IP=$(which ip) + + [ -n "$IP" -a -x "$IP" ] || IP= + + [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) + + [ -n "$TC" -a -x "$TC" ] || TC= + + qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + + qt $IP6TABLES -F $chain + qt $IP6TABLES -X $chain + if ! $IP6TABLES -N $chain; then + echo " ERROR: The command \"$IP6TABLES -N $chain\" failed" >&2 + exit 1 + fi + + chain1=${chain}1 + + qt $IP6TABLES -F $chain1 + qt $IP6TABLES -X $chain1 + if ! $IP6TABLES -N $chain1; then + echo " ERROR: The command \"$IP6TABLES -N $chain1\" failed" >&2 + exit 1 + fi + + if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT && + ! 
qt $IP6TABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then + echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2 + exit 1 + fi + + qt $IP6TABLES -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes + + if [ -n "$CONNTRACK_MATCH" ]; then + qt $IP6TABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes + qt $IP6TABLES -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes + fi + + if qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then + MULTIPORT=Yes + qt $IP6TABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes + fi + + qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes + qt $IP6TABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes + + if qt $IP6TABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then + PHYSDEV_MATCH=Yes + qt $IP6TABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes + if [ -z "${KLUDGEFREE}" ]; then + qt $IP6TABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes + fi + fi + + if qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then + IPRANGE_MATCH=Yes + if [ -z "${KLUDGEFREE}" ]; then + qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes + fi + fi + + qt $IP6TABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IP6TABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes + + if qt $IP6TABLES -A $chain -m connmark --mark 2 -j ACCEPT; then + CONNMARK_MATCH=Yes + qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes + fi + + qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes + 
if [ -n "$IPP2P_MATCH" ]; then + qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes + fi + + qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes + qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes + + qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes + + if [ -n "$MANGLE_ENABLED" ]; then + qt $IP6TABLES -t mangle -N $chain + + if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then + MARK=Yes + qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes + qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes + fi + + if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then + CONNMARK=Yes + qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes + fi + + qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes + qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes + qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes + qt $IP6TABLES -t mangle -F $chain + qt $IP6TABLES -t mangle -X $chain + qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes + fi + + qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes + qt $IP6TABLES -t rawpost -L -n && RAWPOST_TABLE=Yes + + if qt mywhich ipset; then + qt ipset -X $chain # Just in case something went wrong the last time + + if qt ipset -N $chain hash:ip family inet6; then + IPSET_V5=Yes + if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then + qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT + IPSET_MATCH=Yes + elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then + qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT + IPSET_MATCH=Yes + OLD_IPSET_MATCH=Yes + fi + qt ipset -X $chain + fi + fi + + qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && 
USEPKTTYPE=Yes + qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes + qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes + qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + if [ -z "$HASHLIMIT_MATCH" ]; then + qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes + HASHLIMIT_MATCH=$OLD_HL_MATCH + fi + qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes + qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes + qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes + qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes + qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes + qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes + qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes + qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= + qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes + qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes + qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes + qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes + qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes + qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes + qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes + qt $IP6TABLES -S INPUT && IPTABLES_S=Yes + + + qt $IP6TABLES -F $chain + qt $IP6TABLES -X $chain + qt $IP6TABLES -F $chain1 + qt $IP6TABLES -X $chain1 + + [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes + [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes + [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK 
&& FWMARK_RT_MASK=Yes + + CAPVERSION=$SHOREWALL_CAPVERSION + + KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//') + + case "$KERNELVERSION" in + *.*.*) + KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) + ;; + *) + KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g')) + ;; + esac +} + +determine_capabilities() { + if [ $g_family -eq 4 ]; then + determine_4_capabilities + else + determine_6_capabilities; + fi +} + report_capabilities() { report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { @@ -1936,7 +2265,7 @@ report_capabilities() { } if [ $VERBOSITY -gt 1 ]; then - echo "Shorewall has detected the following iptables/netfilter capabilities:" + echo "$g_product has detected the following iptables/netfilter capabilities:" report_capability "NAT" $NAT_ENABLED report_capability "Packet Mangling" $MANGLE_ENABLED report_capability "Multi-port Match" $MULTIPORT @@ -1999,7 +2328,13 @@ report_capabilities() { report_capability "AUDIT Target" $AUDIT_TARGET report_capability "ipset V5" $IPSET_V5 report_capability "Condition Match" $CONDITION_MATCH - report_capability "iptables -S" $IPTABLES_S + + if [ $g_family -eq 4 ]; then + report_capability "iptables -S" $IPTABLES_S + else + report_capability "ip6tables -S" $IPTABLES_S + fi + report_capability "Basic Filter" $BASIC_FILTER fi @@ -2014,7 +2349,7 @@ report_capabilities1() { } echo "#" - echo "# Shorewall $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)" + echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)" echo "#" report_capability1 NAT_ENABLED report_capability1 MANGLE_ENABLED diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 1dd369f02..47e098625 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
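Review bot: `KLUDEFREE=Yes` in the multiport probe of determine_6_capabilities is a typo for `KLUDGEFREE`, so that probe never records a result and kludge-free support is only detected when the later physdev or iprange probes happen to succeed; the line should read `qt $IP6TABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDGEFREE=Yes`. The missing-binary message in the same function says `No executable iptables binary can be found on your PATH` although it searched for ip6tables, and `OLD_HL_MATCH` is copied into `HASHLIMIT_MATCH` without being cleared in the initialisation list, so a stale value from the environment can leak in; `OLD_HL_MATCH=` belongs with the other resets. The `exit 1` paths after the `-N $chain` and `-N $chain1` calls also leave the `fooX$$` probe chains behind in the live filter table, which looks inherited from the IPv4 version but is worth a flush/delete before exiting.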
@@ -24,11 +24,11 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# For a list of supported commands, type 'shorewall help' +# For a list of supported commands, type 'shorewall help' or 'shorewall6 help' # ################################################################################################ # -# Set the configuration variables from shorewall.conf +# Set the configuration variables from the .conf file # # $1 = Yes: read the params file # $2 = Yes: check for STARTUP_ENABLED @@ -47,7 +47,7 @@ get_config() { fi fi - config=$(find_file shorewall.conf) + config=$(find_file $g_program.conf) if [ -f $config ]; then if [ -r $config ]; then @@ -80,17 +80,36 @@ get_config() { fi fi - if [ -n "$IPTABLES" ]; then - if [ ! -x "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 + if [ $g_family -eq 4 ]; then + if [ -n "$IPTABLES" ]; then + if [ ! -x "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(mywhich iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi fi + + g_tool=$IPTABLES else - IPTABLES=$(mywhich iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 + if [ -n "$IP6TABLES" ]; then + if [ ! -x "$IP6TABLES" ]; then + echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IP6TABLES=$(mywhich ip6tables 2> /dev/null) + if [ -z "$IP6TABLES" ] ; then + echo " ERROR: Can't find ip6tables executable" >&2 + exit 2 + fi fi + + g_tool=$IP6TABLES fi if [ -n "$IP" ]; then 
@@ -165,7 +184,7 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2 + echo " ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2 exit 2 ;; Yes|yes|YES) @@ -358,8 +377,8 @@ compiler() { pc=$g_libexec/shorewall/compiler.pl if [ $(id -u) -ne 0 ]; then - if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then - startup_error "Ordinary users may not compile the /etc/shorewall configuration" + if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/$g_program ]; then + startup_error "Ordinary users may not compile the /etc/$g_program configuration" fi fi # @@ -369,7 +388,7 @@ compiler() { # # Get the config from $SHOREWALL_DIR # - [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/shorewall ] && get_config + [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/$g_program ] && get_config case $COMMAND in *start|try|refresh) @@ -390,7 +409,7 @@ compiler() { [ "$1" = nolock ] && shift; shift - options="--verbose=$VERBOSITY --config_path=$CONFIG_PATH" + options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; [ -n "$g_export" ] && options="$options --export" @@ -423,6 +442,17 @@ compiler() { fi } +# +# Determine if the current product is in the started state +# +product_is_started() { + if [ $g_family -eq 4 ]; then + shorewall_is_started + else + shorewall6_is_started + fi +} + # # Start Command Executor # 
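Review bot: product_is_started dispatches to `shorewall6_is_started` for the IPv6 family, and that function is not defined anywhere in this diff; confirm the shared library sourced by both products provides it, otherwise every state check under shorewall6 fails with an unknown command. The header comment could also state the contract, e.g. `# Returns 0 when the $g_family firewall is running; delegates to shorewall_is_started / shorewall6_is_started`.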
@@ -449,14 +479,14 @@ start_command() { [ -n "$nolock" ] || mutex_off else rc=$? - logger -p kern.err "ERROR:Shorewall start failed" + logger -p kern.err "ERROR:$g_product start failed" fi fi exit $rc } - if shorewall_is_started; then + if product_is_started; then error_message "Shorewall is already running" exit 0 fi @@ -552,7 +582,7 @@ start_command() { run_it $g_restorepath restore rc=$? [ -n "$nolock" ] || mutex_off - [ $rc -eq 0 ] && progress_message3 "Shorewall restored from $g_restorepath" + [ $rc -eq 0 ] && progress_message3 "$g_product restored from $g_restorepath" exit $rc else do_it @@ -916,7 +946,7 @@ restart_command() { [ -n "$nolock" ] || mutex_off else rc=$? - logger -p kern.err "ERROR:Shorewall restart failed" + logger -p kern.err "ERROR:$g_product restart failed" fi else [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" @@ -973,7 +1003,7 @@ refresh_command() { g_refreshchains=:refresh: fi - shorewall_is_started || fatal_error "Shorewall is not running" + product_is_started || fatal_error "$g_product is not running" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" @@ -1058,7 +1088,7 @@ safe_commands() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - if shorewall_is_started; then + if product_is_started; then running=Yes else running= @@ -1071,7 +1101,7 @@ safe_commands() { fi if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then - # the command is safe-start or shorewall is not started yet + # the command is safe-start or shorewall[6] is not started yet command="start" else # the command is safe-restart and the firewall is already running @@ -1200,14 +1230,14 @@ try_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - if shorewall_is_started; then + if product_is_started; then running=Yes else running= fi if [ -z "$running" ]; then - # shorewall is not started yet + # shorewall[6] is not started yet command="start" else # the firewall is already running 
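Review bot: The `error_message "Shorewall is already running"` line in start_command keeps the hard-coded product name while the surrounding messages in this hunk switch to `$g_product`, so the shorewall6 invocation reports the wrong product here; it should read `error_message "$g_product is already running"`. The same leftover appears in the disable|enable arm at `@@ -1852` (`fatal_error "Shorewall is not running"`). start_command begins before this hunk.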
@@ -1289,7 +1319,7 @@ reload_command() # $* = original arguments less the command. local libexec libexec=/usr/share - litedir=/var/lib/shorewall-lite + litedir=/var/lib/${g_program}-lite while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -1344,11 +1374,11 @@ reload_command() # $* = original arguments less the command. ;; esac - temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') + temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') [ -n "$temp" ] && litedir="$temp" - temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') + temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') if [ -n "$temp" ]; then case $temp in @@ -1368,12 +1398,12 @@ reload_command() # $* = original arguments less the command. [ -f $capabilities ] || getcaps=Yes fi - if [ -f $directory/shorewall.conf ]; then + if [ -f $directory/${g_program}.conf ]; then if [ -f $directory/params ]; then . $directory/params fi - . $directory/shorewall.conf + . $directory/$g_program.conf ensure_config_path fi 
@@ -1382,7 +1412,11 @@ reload_command() # $* = original arguments less the command. [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')" progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then + if [ $g_family -eq 4 ]; then + if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then + fatal_error "Capturing capabilities on system $system failed" + fi + elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then fatal_error "Capturing capabilities on system $system failed" fi fi 
@@ -1391,25 +1425,25 @@ reload_command() # $* = original arguments less the command. [ -n "$g_timestamp" ] && timestamp='-t' || timestamp= - if shorewall $g_debugging $verbose $timestamp compile -e $directory $directory/firewall && \ + if $g_program $g_debugging $verbose $timestamp compile -e $directory $directory/firewall && \ progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \ rcp_command "$directory/firewall $directory/firewall.conf" ${litedir} then save=$(find_file save); - [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall-lite/" && rcp_command $save /etc/shorewall-lite/ + [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/${g_program}-lite/" && rcp_command $save /etc/shorewall-lite/ progress_message3 "Copy complete" if [ $COMMAND = reload ]; then - rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp restart" && \ + rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ progress_message3 "System $system reloaded" || saveit= else - rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp start" && \ + rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp start" && \ progress_message3 "System $system loaded" || saveit= fi if [ -n "$saveit" ]; then - rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp save" && \ + rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp save" && \ progress_message3 "Configuration on system $system saved" fi fi @@ -1464,7 +1498,7 @@ export_command() # $* = original arguments less the command. target=$2 ;; *) - fatal_error "Invalid command syntax (\"man shorewall\" for help)" + fatal_error "Invalid command syntax (\"man $g_program\" for help)" ;; esac 
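Review bot: The save-file copy in reload_command now prints `Copying $save to ${system}:/etc/${g_program}-lite/` but the actual transfer still goes to the literal `/etc/shorewall-lite/`, so under shorewall6 the file lands in the IPv4 product's directory while the log claims otherwise; the call should be `rcp_command $save /etc/${g_program}-lite/`. reload_command begins before this hunk.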
@@ -1478,7 +1512,7 @@ export_command() # $* = original arguments less the command. file=$(resolve_file $directory/firewall) - if shorewall $g_debugging $verbose compile -e $directory $directory/firewall && \ + if $g_program $g_debugging $verbose compile -e $directory $directory/firewall && \ echo "Copying $file and ${file}.conf to ${target#*@}..." && \ scp $directory/firewall $directory/firewall.conf $target then @@ -1510,16 +1544,26 @@ usage() # $1 = exit status echo " export [ ] [@][:]" echo " forget [ ]" echo " help" - echo " hits [ -t ]" - echo " ipcalc {
/ |
}" - echo " ipdecimal {
| }" - echo " iprange
-
" + + if [ $g_family -eq 4 ]; then + echo " hits [ -t ]" + echo " ipcalc {
/ |
}" + echo " ipdecimal {
| }" + echo " iprange
-
" + fi + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" - echo " noiptrace " + + if [ $g_family -eq 4 ]; then + echo " noiptrace " + else + echo " noiptrace " + fi + echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -1538,7 +1582,7 @@ usage() # $1 = exit status echo " show dynamic " echo " show filters" echo " show ip" - echo " show ipa" + [ $g_family -eq 4 ] && echo " show ipa" echo " show [ -m ] log []" echo " show macro " echo " show macros" @@ -1599,8 +1643,8 @@ version_command() { echo $SHOREWALL_VERSION if [ -n "$all" ]; then - for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do - if [ -f /usr/share/$product/version ]; then + for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do + if [ $product != $g_program -a -f /usr/share/$product/version ]; then echo "$product: $(cat /usr/share/$product/version)" fi done @@ -1748,9 +1792,22 @@ fi PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= -SHAREDIR=/usr/share/shorewall -CONFDIR=/etc/shorewall -g_product="Shorewall" +g_program=$(basename $0) + +if [ $g_program = shorewall6 ]; then + SHAREDIR=/usr/share/shorewall6 + CONFDIR=/etc/shorewall6 + g_product="Shorewall6" + g_family=6 + g_tool= +else + g_program=shorewall + SHAREDIR=/usr/share/shorewall + CONFDIR=/etc/shorewall + g_product="Shorewall" + g_family=4 +fi + g_recovering= g_timestamp= g_libexec=/usr/share @@ -1758,7 +1815,7 @@ g_perllib=/usr/share/shorewall [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir -[ -n "${VARDIR:=/var/lib/shorewall}" ] +[ -n "${VARDIR:=/var/lib/$g_program}" ] if [ ! -f ${VARDIR}/firewall ]; then [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall @@ -1774,12 +1831,12 @@ version_file=$SHAREDIR/version if [ -f $version_file ]; then SHOREWALL_VERSION=$(cat $version_file) else - echo " ERROR: Shorewall is not properly installed" >&2 + echo " ERROR: $g_product is not properly installed" >&2 echo " The file $version_file does not exist" >&2 exit 1 fi -banner="Shorewall-$SHOREWALL_VERSION Status at $g_hostname -" +banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -" case $(echo -e) in -e*) 
@@ -1812,7 +1869,7 @@ case "$COMMAND" in stop|clear) [ $# -ne 1 ] && usage 1 get_config - [ -x $g_firewall ] || fatal_error "Shorewall has never been started" + [ -x $g_firewall ] || fatal_error "$g_product has never been started" [ -n "$nolock" ] || mutex_on run_it $g_firewall $g_debugging $COMMAND [ -n "$nolock" ] || mutex_off @@ -1821,7 +1878,7 @@ case "$COMMAND" in get_config shift [ -n "$nolock" ] || mutex_on - [ -x $g_firewall ] || fatal_error "Shorewall has never been started" + [ -x $g_firewall ] || fatal_error "$g_product has never been started" run_it $g_firewall $g_debugging reset $@ [ -n "$nolock" ] || mutex_off ;; @@ -1852,7 +1909,7 @@ case "$COMMAND" in ;; disable|enable) get_config Yes - if shorewall_is_started; then + if product_is_started; then run_it ${VARDIR}/firewall $g_debugging $@ else fatal_error "Shorewall is not running" @@ -1877,13 +1934,13 @@ case "$COMMAND" in [ $# -eq 1 ] || usage 1 [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" get_config - echo "Shorewall-$SHOREWALL_VERSION Status at $g_hostname - $(date)" + echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" echo - if shorewall_is_started ; then - echo "Shorewall is running" + if product_is_started ; then + echo "$g_product is running" status=0 else - echo "Shorewall is stopped" + echo "$g_product is stopped" status=4 fi @@ -1907,6 +1964,7 @@ case "$COMMAND" in dump_command $@ ;; hits) + [ $g_family -eq 6 ] && usage 1 get_config Yes No Yes [ -n "$g_debugging" ] && set -x shift 
@@ -1923,14 +1981,14 @@ case "$COMMAND" in ;; logwatch) get_config Yes Yes Yes - banner="Shorewall-$SHOREWALL_VERSION Logwatch at $g_hostname -" + banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -" logwatch_command $@ ;; drop) get_config [ -n "$g_debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then if ! chain_exists dynamic; then echo "Dynamic blacklisting is not supported in the current $g_product configuration" exit 2 @@ -1940,14 +1998,14 @@ case "$COMMAND" in block DROP Dropped $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "$g_product is not started" fi ;; logdrop) get_config [ -n "$g_debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then if ! chain_exists dynamic; then echo "Dynamic blacklisting is not supported in the current $g_product configuration" exit 2 @@ -1957,19 +2015,19 @@ case "$COMMAND" in block logdrop Dropped $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "$g_product is not started" fi ;; reject|logreject) get_config [ -n "$g_debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if product_is_started ; then [ -n "$nolock" ] || mutex_on block $COMMAND Rejected $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "$g_product is not started" fi ;; allow) @@ -2036,11 +2094,12 @@ case "$COMMAND" in rm -f ${g_restorepath}-ipsets echo " $g_restorepath removed" elif [ -f $g_restorepath ]; then - echo " $g_restorepath exists and is not a saved Shorewall configuration" + echo " $g_restorepath exists and is not a saved $g_product configuration" fi rm -f ${VARDIR}/save ;; ipcalc) + [ $g_family -eq 6 ] && usage 1 [ -n "$g_debugging" ] && set -x if [ $# -eq 2 ]; then address=${2%/*} 
@@ -2120,20 +2179,20 @@ case "$COMMAND" in get_config shift if shorewall_is_started ; then - $IPTABLES -t raw -A PREROUTING $@ -j TRACE - $IPTABLES -t raw -A OUTPUT $@ -j TRACE + $g_tool -t raw -A PREROUTING $@ -j TRACE + $g_tool -t raw -A OUTPUT $@ -j TRACE else - fatal_error "Shorewall is not started" + fatal_error "$g_product is not started" fi ;; noiptrace) get_config shift if shorewall_is_started ; then - $IPTABLES -t raw -D PREROUTING $@ -j TRACE - $IPTABLES -t raw -D OUTPUT $@ -j TRACE + $g_tool -t raw -D PREROUTING $@ -j TRACE + $g_tool -t raw -D OUTPUT $@ -j TRACE else - fatal_error "Shorewall is not started" + fatal_error "$g_product is not started" fi ;; *)
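Review bot: The iptrace and noiptrace arms switch to `$g_tool` but still guard on `shorewall_is_started`, so under shorewall6 the IPv4 firewall state decides whether TRACE rules are added to or removed from the ip6tables raw table, and the removal can be skipped while the rules stay in place. Both checks should use the dispatcher this commit introduces: `if product_is_started ; then`.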