forked from extern/shorewall_code
Allow users to preview the generated ruleset.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
271e472d3d
commit
4420eed8d7
@ -157,6 +157,7 @@ our %EXPORT_TAGS = (
|
||||
have_global_variables
|
||||
set_global_variables
|
||||
create_netfilter_load
|
||||
preview_netfilter_load
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
$section
|
||||
@ -2853,6 +2854,20 @@ sub enter_cmd_mode() {
|
||||
$mode = CMD_MODE;
|
||||
}
|
||||
|
||||
#
|
||||
# These versions are used by 'preview'
|
||||
#
|
||||
sub enter_cat_mode1() {
|
||||
print "\n";
|
||||
emitstd "cat << __EOF__";
|
||||
$mode = CAT_MODE;
|
||||
}
|
||||
|
||||
sub enter_cmd_mode1() {
|
||||
print "__EOF__\n\n" if $mode == CAT_MODE;
|
||||
$mode = CMD_MODE;
|
||||
}
|
||||
|
||||
#
|
||||
# Emits the passed rule (input to iptables-restore) or command
|
||||
#
|
||||
@ -2874,6 +2889,25 @@ sub emitr( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub emitr1( $ ) {
|
||||
if ( my $rule = $_[0] ) {
|
||||
if ( substr( $rule, 0, 2 ) eq '-A' ) {
|
||||
#
|
||||
# A rule
|
||||
#
|
||||
enter_cat_mode1 unless $mode == CAT_MODE;
|
||||
print "$rule\n";
|
||||
} else {
|
||||
#
|
||||
# A command
|
||||
#
|
||||
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||
$rule =~ s/ >&3//;
|
||||
emitstd $rule;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the netfilter input
|
||||
#
|
||||
@ -2977,6 +3011,74 @@ sub create_netfilter_load( $ ) {
|
||||
emit "}\n";
|
||||
}
|
||||
|
||||
#
|
||||
# Preview netfilter input
|
||||
#
|
||||
sub preview_netfilter_load() {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
|
||||
push_indent;
|
||||
|
||||
enter_cat_mode1;
|
||||
|
||||
my $date = localtime;
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
print "*$table\n";
|
||||
|
||||
my @chains;
|
||||
#
|
||||
# iptables-restore seems to be quite picky about the order of the builtin chains
|
||||
#
|
||||
for my $chain ( @builtins ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
if ( $chainref ) {
|
||||
assert( $chainref->{cmdlevel} == 0 );
|
||||
print ":$chain $chainref->{policy} [0:0]\n";
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
#
|
||||
# First create the chains in the current table
|
||||
#
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0 );
|
||||
print ":$chainref->{name} - [0:0]\n";
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
#
|
||||
# Then emit the rules
|
||||
#
|
||||
for my $chainref ( @chains ) {
|
||||
emitr1 $_ for ( grep defined $_, @{$chainref->{rules}} );
|
||||
}
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode1 unless $mode == CAT_MODE;
|
||||
print "COMMIT\n";
|
||||
}
|
||||
|
||||
enter_cmd_mode1;
|
||||
|
||||
pop_indent;
|
||||
|
||||
print "\n";
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the netfilter input for refreshing a list of chains
|
||||
#
|
||||
|
||||
@ -562,8 +562,8 @@ EOF
|
||||
#
|
||||
sub compiler {
|
||||
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
|
||||
( '', '', -1, '', 0, '', '', -1 );
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
|
||||
( '', '', -1, '', 0, '', '', -1, 0 );
|
||||
|
||||
$export = 0;
|
||||
$test = 0;
|
||||
@ -595,6 +595,7 @@ sub compiler {
|
||||
log => { store => \$log },
|
||||
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
|
||||
test => { store => \$test },
|
||||
preview => { store => \$preview },
|
||||
);
|
||||
#
|
||||
# P A R A M E T E R P R O C E S S I N G
|
||||
@ -866,6 +867,23 @@ sub compiler {
|
||||
#
|
||||
enable_script, generate_aux_config if $export;
|
||||
} else {
|
||||
if ( $preview ) {
|
||||
generate_matrix;
|
||||
|
||||
if ( $config{OPTIMIZE} & 6 ) {
|
||||
progress_message2 'Optimizing Ruleset...';
|
||||
#
|
||||
# Optimize Policy Chains
|
||||
#
|
||||
optimize_policy_chains if $config{OPTIMIZE} & 2;
|
||||
#
|
||||
# More Optimization
|
||||
#
|
||||
optimize_ruleset if $config{OPTIMIZE} & 4;
|
||||
}
|
||||
|
||||
preview_netfilter_load;
|
||||
}
|
||||
#
|
||||
# Re-initialize the chain table so that process_routestopped() has the same
|
||||
# environment that it would when called by compile_stop_firewall().
|
||||
|
||||
@ -36,6 +36,7 @@
|
||||
# --log=<filename> # Log file
|
||||
# --log_verbosity=<number> # Log Verbosity range -1 to 2
|
||||
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
|
||||
# --preview # Preview the ruleset.
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
@ -58,6 +59,7 @@ sub usage( $ ) {
|
||||
[ --log=<filename> ]
|
||||
[ --log-verbose={-1|0-2} ]
|
||||
[ --test ]
|
||||
[ --preview ]
|
||||
[ --family={4|6} ]
|
||||
';
|
||||
|
||||
@ -78,6 +80,7 @@ my $log_verbose = 0;
|
||||
my $help = 0;
|
||||
my $test = 0;
|
||||
my $family = 4; # F_IPV4
|
||||
my $preview = 0;
|
||||
|
||||
Getopt::Long::Configure ('bundling');
|
||||
|
||||
@ -98,6 +101,7 @@ my $result = GetOptions('h' => \$help,
|
||||
'l=s' => \$log,
|
||||
'log_verbosity=i' => \$log_verbose,
|
||||
'test' => \$test,
|
||||
'preview' => \$preview,
|
||||
'f=i' => \$family,
|
||||
'family=i' => \$family,
|
||||
);
|
||||
@ -115,4 +119,5 @@ compiler( script => defined $ARGV[0] ? $ARGV[0] : '',
|
||||
log => $log,
|
||||
log_verbosity => $log_verbose,
|
||||
test => $test,
|
||||
preview => $preview,
|
||||
family => $family );
|
||||
|
||||
@ -14,6 +14,8 @@ Changes in Shorewall 4.4.6
|
||||
|
||||
7) Add 'show macro' command.
|
||||
|
||||
8) Add -p option to check.
|
||||
|
||||
Changes in Shorewall 4.4.5
|
||||
|
||||
1) Fix 15-port limit removal change.
|
||||
|
||||
@ -49,6 +49,9 @@ Shorewall 4.4.6
|
||||
you to trace selected packets through Netfilter, including marking
|
||||
by tcrules.
|
||||
|
||||
12) You may now preview the generated ruleset by using the '-r' option
|
||||
to the 'check' command (e.g., "shorewall check -r").
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
M I G R A T I O N I S S U E S
|
||||
----------------------------------------------------------------------------
|
||||
@ -265,6 +268,12 @@ None.
|
||||
|
||||
The command displays the contents of the macro.<macro> file.
|
||||
|
||||
6) You may now preview the generated ruleset by using the '-r' option
|
||||
to the 'check' command (e.g., "shorewall check -r").
|
||||
|
||||
The output is a shell script fragment, similar to the way it
|
||||
appears in the generated script.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 0
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
@ -362,6 +362,7 @@ compiler() {
|
||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
||||
[ -n "$TEST" ] && options="$options --test"
|
||||
[ -n "$PREVIEW" ] && options="$options --preview"
|
||||
[ "$debugging" = trace ] && options="$options --debug"
|
||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
||||
#
|
||||
@ -642,6 +643,10 @@ check_command() {
|
||||
DEBUG=Yes;
|
||||
option=${option#d}
|
||||
;;
|
||||
r*)
|
||||
PREVIEW=Yes;
|
||||
option=${option#r}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -1351,7 +1356,7 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host-list>] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check [ -e ] [ <directory> ]"
|
||||
echo " check [ -e ] [ -r ] [ <directory> ]"
|
||||
echo " clear [ -f ]"
|
||||
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
|
||||
@ -279,6 +279,7 @@ compiler() {
|
||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
||||
[ -n "$TEST" ] && options="$options --test"
|
||||
[ -n "$PREVIEW" ] && options="$options --preview"
|
||||
[ "$debugging" = trace ] && options="$options --debug"
|
||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
||||
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
||||
@ -552,6 +553,10 @@ check_command() {
|
||||
PROFILE=Yes
|
||||
option=${option#p}
|
||||
;;
|
||||
r*)
|
||||
PREVIEW=Yes;
|
||||
option=${option#r}
|
||||
;;
|
||||
d*)
|
||||
DEBUG=Yes;
|
||||
option=${option#d}
|
||||
@ -1267,7 +1272,7 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host-list>] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check [ -e ] [ <directory> ]"
|
||||
echo " check [ -e ] [ -r ] [ <directory> ]"
|
||||
echo " clear [ -f ]"
|
||||
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
|
||||
@ -60,6 +60,8 @@
|
||||
|
||||
<arg><option>-p</option></arg>
|
||||
|
||||
<arg><option>-r</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
@ -720,6 +722,10 @@
|
||||
<para>The <option>-p</option> option causes the compiler to be
|
||||
profiled via the Perl <option>-wd:DProf</option> command-line
|
||||
option.</para>
|
||||
|
||||
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
||||
and causes the compiler to print the generated ruleset to standard
|
||||
out.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -44,6 +44,8 @@
|
||||
|
||||
<arg><option>-p</option></arg>
|
||||
|
||||
<arg><option>-r</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
@ -584,6 +586,10 @@
|
||||
<para>The <option>-p</option> option causes the compiler to be
|
||||
profiled via the Perl <option>-wd:DProf</option> command-line
|
||||
option.</para>
|
||||
|
||||
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
||||
and causes the compiler to print the generated ruleset to standard
|
||||
out.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user