Allow users to preview the generated ruleset.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
271e472d3d
commit
4420eed8d7
@ -157,6 +157,7 @@ our %EXPORT_TAGS = (
|
|||||||
have_global_variables
|
have_global_variables
|
||||||
set_global_variables
|
set_global_variables
|
||||||
create_netfilter_load
|
create_netfilter_load
|
||||||
|
preview_netfilter_load
|
||||||
create_chainlist_reload
|
create_chainlist_reload
|
||||||
create_stop_load
|
create_stop_load
|
||||||
$section
|
$section
|
||||||
@ -2853,6 +2854,20 @@ sub enter_cmd_mode() {
|
|||||||
$mode = CMD_MODE;
|
$mode = CMD_MODE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# These versions are used by 'preview'
|
||||||
|
#
|
||||||
|
sub enter_cat_mode1() {
|
||||||
|
print "\n";
|
||||||
|
emitstd "cat << __EOF__";
|
||||||
|
$mode = CAT_MODE;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub enter_cmd_mode1() {
|
||||||
|
print "__EOF__\n\n" if $mode == CAT_MODE;
|
||||||
|
$mode = CMD_MODE;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Emits the passed rule (input to iptables-restore) or command
|
# Emits the passed rule (input to iptables-restore) or command
|
||||||
#
|
#
|
||||||
@ -2874,6 +2889,25 @@ sub emitr( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub emitr1( $ ) {
|
||||||
|
if ( my $rule = $_[0] ) {
|
||||||
|
if ( substr( $rule, 0, 2 ) eq '-A' ) {
|
||||||
|
#
|
||||||
|
# A rule
|
||||||
|
#
|
||||||
|
enter_cat_mode1 unless $mode == CAT_MODE;
|
||||||
|
print "$rule\n";
|
||||||
|
} else {
|
||||||
|
#
|
||||||
|
# A command
|
||||||
|
#
|
||||||
|
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||||
|
$rule =~ s/ >&3//;
|
||||||
|
emitstd $rule;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate the netfilter input
|
# Generate the netfilter input
|
||||||
#
|
#
|
||||||
@ -2977,6 +3011,74 @@ sub create_netfilter_load( $ ) {
|
|||||||
emit "}\n";
|
emit "}\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preview netfilter input
|
||||||
|
#
|
||||||
|
sub preview_netfilter_load() {
|
||||||
|
|
||||||
|
my @table_list;
|
||||||
|
|
||||||
|
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||||
|
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||||
|
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||||
|
push @table_list, 'filter';
|
||||||
|
|
||||||
|
$mode = NULL_MODE;
|
||||||
|
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
enter_cat_mode1;
|
||||||
|
|
||||||
|
my $date = localtime;
|
||||||
|
|
||||||
|
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||||
|
|
||||||
|
for my $table ( @table_list ) {
|
||||||
|
print "*$table\n";
|
||||||
|
|
||||||
|
my @chains;
|
||||||
|
#
|
||||||
|
# iptables-restore seems to be quite picky about the order of the builtin chains
|
||||||
|
#
|
||||||
|
for my $chain ( @builtins ) {
|
||||||
|
my $chainref = $chain_table{$table}{$chain};
|
||||||
|
if ( $chainref ) {
|
||||||
|
assert( $chainref->{cmdlevel} == 0 );
|
||||||
|
print ":$chain $chainref->{policy} [0:0]\n";
|
||||||
|
push @chains, $chainref;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# First create the chains in the current table
|
||||||
|
#
|
||||||
|
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||||
|
my $chainref = $chain_table{$table}{$chain};
|
||||||
|
unless ( $chainref->{builtin} ) {
|
||||||
|
assert( $chainref->{cmdlevel} == 0 );
|
||||||
|
print ":$chainref->{name} - [0:0]\n";
|
||||||
|
push @chains, $chainref;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Then emit the rules
|
||||||
|
#
|
||||||
|
for my $chainref ( @chains ) {
|
||||||
|
emitr1 $_ for ( grep defined $_, @{$chainref->{rules}} );
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Commit the changes to the table
|
||||||
|
#
|
||||||
|
enter_cat_mode1 unless $mode == CAT_MODE;
|
||||||
|
print "COMMIT\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
enter_cmd_mode1;
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
|
print "\n";
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate the netfilter input for refreshing a list of chains
|
# Generate the netfilter input for refreshing a list of chains
|
||||||
#
|
#
|
||||||
|
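Review bot: preview_netfilter_load rebuilds the table list (`push @table_list, 'raw' if $capabilities{RAW_TABLE}` … `push @table_list, 'filter'`) and the builtin/referenced chain walk by hand instead of sharing them with create_netfilter_load, whose body ends just above this hunk; `check -r` is only worth trusting if the preview is exactly what `start` feeds to iptables-restore, and two hand-synchronised copies of that walk will diverge the first time one of them gains a table or a chain filter. Extracting at least the table selection into a helper both paths call removes the easiest divergence, and the chain walk could follow the same pattern with the emit routine passed as an argument (I cannot see create_netfilter_load's own table selection, so confirm it matches before sharing it). Separately, emitr1 writes rules with bare `print` while commands go through `emitstd`, and enter_cat_mode1/enter_cmd_mode1 emit the `cat << __EOF__` / `__EOF__` framing with a mix of both; if `emitstd` and the currently selected handle are not the same stream (not visible here) the heredoc delimiters and their body can end up in different places, so a comment such as `# preview assumes STDOUT is the selected handle; emitstd and print must go to the same stream` above enter_cat_mode1 would pin that assumption. The `$rule =~ s/ >&3//;` in emitr1 also deserves a one-line comment saying why the descriptor-3 redirection is dropped for the preview.
```perl
#
# Tables that go into the iptables-restore input, in load order.
# Shared by create_netfilter_load() and preview_netfilter_load() so the
# preview can never list a different set of tables than the real load.
#
sub netfilter_table_list() {
    my @table_list;

    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
    push @table_list, 'filter';

    @table_list;
}

sub preview_netfilter_load() {
    my @table_list = netfilter_table_list;
    # … unchanged: mode setup, header line, per-table chain walk, COMMIT …
}
```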
@ -562,8 +562,8 @@ EOF
|
|||||||
#
|
#
|
||||||
sub compiler {
|
sub compiler {
|
||||||
|
|
||||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
|
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
|
||||||
( '', '', -1, '', 0, '', '', -1 );
|
( '', '', -1, '', 0, '', '', -1, 0 );
|
||||||
|
|
||||||
$export = 0;
|
$export = 0;
|
||||||
$test = 0;
|
$test = 0;
|
||||||
@ -595,6 +595,7 @@ sub compiler {
|
|||||||
log => { store => \$log },
|
log => { store => \$log },
|
||||||
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
|
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
|
||||||
test => { store => \$test },
|
test => { store => \$test },
|
||||||
|
preview => { store => \$preview },
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# P A R A M E T E R P R O C E S S I N G
|
# P A R A M E T E R P R O C E S S I N G
|
||||||
@ -866,6 +867,23 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
enable_script, generate_aux_config if $export;
|
enable_script, generate_aux_config if $export;
|
||||||
} else {
|
} else {
|
||||||
|
if ( $preview ) {
|
||||||
|
generate_matrix;
|
||||||
|
|
||||||
|
if ( $config{OPTIMIZE} & 6 ) {
|
||||||
|
progress_message2 'Optimizing Ruleset...';
|
||||||
|
#
|
||||||
|
# Optimize Policy Chains
|
||||||
|
#
|
||||||
|
optimize_policy_chains if $config{OPTIMIZE} & 2;
|
||||||
|
#
|
||||||
|
# More Optimization
|
||||||
|
#
|
||||||
|
optimize_ruleset if $config{OPTIMIZE} & 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
preview_netfilter_load;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Re-initialize the chain table so that process_routestopped() has the same
|
# Re-initialize the chain table so that process_routestopped() has the same
|
||||||
# environment that it would when called by compile_stop_firewall().
|
# environment that it would when called by compile_stop_firewall().
|
||||||
|
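Review bot: The `if ( $preview )` branch copies the OPTIMIZE handling (`progress_message2 'Optimizing Ruleset...'`, `optimize_policy_chains if $config{OPTIMIZE} & 2`, `optimize_ruleset if $config{OPTIMIZE} & 4`) that the normal compile path presumably runs elsewhere in compiler(), so the ruleset shown by `check -r` is produced by a second, hand-maintained copy of that sequence and will stop matching what `start` loads as soon as one copy changes. Pulling the optimisation steps into one helper that both paths call keeps the preview honest about what the firewall will actually install. The branch also sits in the `else` of a test whose condition is outside this hunk; if that `if` is the script-file case, `--preview` is silently ignored whenever a script path is given, which deserves either a warning or a comment at the `if ( $preview )` line. compiler() starts at `sub compiler {` in the first hunk and continues past the end of the last one.
```perl
#
# Apply the OPTIMIZE levels that rewrite the generated chains. Used by the
# normal compile path and by 'check -r' so the two can not drift apart.
#
sub optimize_generated_ruleset() {
    if ( $config{OPTIMIZE} & 6 ) {
        progress_message2 'Optimizing Ruleset...';
        optimize_policy_chains if $config{OPTIMIZE} & 2;
        optimize_ruleset       if $config{OPTIMIZE} & 4;
    }
}

# … in compiler(), unchanged: export handling …
if ( $preview ) {
    generate_matrix;
    optimize_generated_ruleset;
    preview_netfilter_load;
}
```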
@ -36,6 +36,7 @@
|
|||||||
# --log=<filename> # Log file
|
# --log=<filename> # Log file
|
||||||
# --log_verbosity=<number> # Log Verbosity range -1 to 2
|
# --log_verbosity=<number> # Log Verbosity range -1 to 2
|
||||||
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
|
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
|
||||||
|
# --preview # Preview the ruleset.
|
||||||
#
|
#
|
||||||
use strict;
|
use strict;
|
||||||
use FindBin;
|
use FindBin;
|
||||||
@ -58,6 +59,7 @@ sub usage( $ ) {
|
|||||||
[ --log=<filename> ]
|
[ --log=<filename> ]
|
||||||
[ --log-verbose={-1|0-2} ]
|
[ --log-verbose={-1|0-2} ]
|
||||||
[ --test ]
|
[ --test ]
|
||||||
|
[ --preview ]
|
||||||
[ --family={4|6} ]
|
[ --family={4|6} ]
|
||||||
';
|
';
|
||||||
|
|
||||||
@ -78,6 +80,7 @@ my $log_verbose = 0;
|
|||||||
my $help = 0;
|
my $help = 0;
|
||||||
my $test = 0;
|
my $test = 0;
|
||||||
my $family = 4; # F_IPV4
|
my $family = 4; # F_IPV4
|
||||||
|
my $preview = 0;
|
||||||
|
|
||||||
Getopt::Long::Configure ('bundling');
|
Getopt::Long::Configure ('bundling');
|
||||||
|
|
||||||
@ -98,6 +101,7 @@ my $result = GetOptions('h' => \$help,
|
|||||||
'l=s' => \$log,
|
'l=s' => \$log,
|
||||||
'log_verbosity=i' => \$log_verbose,
|
'log_verbosity=i' => \$log_verbose,
|
||||||
'test' => \$test,
|
'test' => \$test,
|
||||||
|
'preview' => \$preview,
|
||||||
'f=i' => \$family,
|
'f=i' => \$family,
|
||||||
'family=i' => \$family,
|
'family=i' => \$family,
|
||||||
);
|
);
|
||||||
@ -115,4 +119,5 @@ compiler( script => defined $ARGV[0] ? $ARGV[0] : '',
|
|||||||
log => $log,
|
log => $log,
|
||||||
log_verbosity => $log_verbose,
|
log_verbosity => $log_verbose,
|
||||||
test => $test,
|
test => $test,
|
||||||
|
preview => $preview,
|
||||||
family => $family );
|
family => $family );
|
||||||
|
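Review bot: The new help text `# --preview # Preview the ruleset.` and the `[ --preview ]` usage entry say nothing about what the flag does or when it applies: per the Compiler.pm change in this commit the preview is only produced in the branch that does not write a script, so — if I read that surrounding `if`/`else` correctly, its condition is not in the hunk — `compiler.pl --preview <script>` silently does nothing special. Suggest `# --preview # Print the generated iptables-restore input to stdout (check mode only; ignored when a script file is given)` and, better, a `usage 1` or warning when `$preview` is set together with `$ARGV[0]`, so the user is told rather than left with no output. Since the preview is written to stdout, the comment should also say that progress output belongs in `--log` when the result is meant to be piped elsewhere, assuming progress messages share stdout (not visible here). The pre-existing `[ --log-verbose={-1|0-2} ]` usage line also still disagrees with the `log_verbosity=i` option name two hunks down.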
@ -14,6 +14,8 @@ Changes in Shorewall 4.4.6
|
|||||||
|
|
||||||
7) Add 'show macro' command.
|
7) Add 'show macro' command.
|
||||||
|
|
||||||
|
8) Add -p option to check.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.5
|
Changes in Shorewall 4.4.5
|
||||||
|
|
||||||
1) Fix 15-port limit removal change.
|
1) Fix 15-port limit removal change.
|
||||||
|
@ -49,6 +49,9 @@ Shorewall 4.4.6
|
|||||||
you to trace selected packets through Netfilter, including marking
|
you to trace selected packets through Netfilter, including marking
|
||||||
by tcrules.
|
by tcrules.
|
||||||
|
|
||||||
|
12) You may now preview the generated ruleset by using the '-r' option
|
||||||
|
to the 'check' command (e.g., "shorewall check -r").
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
M I G R A T I O N I S S U E S
|
M I G R A T I O N I S S U E S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -265,6 +268,12 @@ None.
|
|||||||
|
|
||||||
The command displays the contents of the macro.<macro> file.
|
The command displays the contents of the macro.<macro> file.
|
||||||
|
|
||||||
|
6) You may now preview the generated ruleset by using the '-r' option
|
||||||
|
to the 'check' command (e.g., "shorewall check -r").
|
||||||
|
|
||||||
|
The output is a shell script fragment, similar to the way it
|
||||||
|
appears in the generated script.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
N E W F E A T U R E S I N 4 . 4 . 0
|
N E W F E A T U R E S I N 4 . 4 . 0
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -362,6 +362,7 @@ compiler() {
|
|||||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
||||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
||||||
[ -n "$TEST" ] && options="$options --test"
|
[ -n "$TEST" ] && options="$options --test"
|
||||||
|
[ -n "$PREVIEW" ] && options="$options --preview"
|
||||||
[ "$debugging" = trace ] && options="$options --debug"
|
[ "$debugging" = trace ] && options="$options --debug"
|
||||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
||||||
#
|
#
|
||||||
@ -642,6 +643,10 @@ check_command() {
|
|||||||
DEBUG=Yes;
|
DEBUG=Yes;
|
||||||
option=${option#d}
|
option=${option#d}
|
||||||
;;
|
;;
|
||||||
|
r*)
|
||||||
|
PREVIEW=Yes;
|
||||||
|
option=${option#r}
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
usage 1
|
usage 1
|
||||||
;;
|
;;
|
||||||
@ -1351,7 +1356,7 @@ usage() # $1 = exit status
|
|||||||
echo "where <command> is one of:"
|
echo "where <command> is one of:"
|
||||||
echo " add <interface>[:<host-list>] ... <zone>"
|
echo " add <interface>[:<host-list>] ... <zone>"
|
||||||
echo " allow <address> ..."
|
echo " allow <address> ..."
|
||||||
echo " check [ -e ] [ <directory> ]"
|
echo " check [ -e ] [ -r ] [ <directory> ]"
|
||||||
echo " clear [ -f ]"
|
echo " clear [ -f ]"
|
||||||
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
||||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||||
|
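Review bot: `PREVIEW` is only ever assigned in `r*) PREVIEW=Yes;` and tested with `[ -n "$PREVIEW" ] && options="$options --preview"`; neither hunk clears it first, so unless it is initialised alongside TEST/TIMESTAMP elsewhere in the script (not visible here) a `PREVIEW` variable exported in the caller's environment would silently add `--preview` to the compiler invocation. Setting `PREVIEW=` with the other defaults, or testing `[ "$PREVIEW" = Yes ]` instead of `-n`, closes that. The manpage hunks in this same commit state the option "was added in Shorewall 4.5.2" while the changelog files it under 4.4.6; one of the two should be corrected before release. compiler(), check_command() and usage() all start and end outside these hunks.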
@ -279,6 +279,7 @@ compiler() {
|
|||||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
|
||||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
[ -n "$TIMESTAMP" ] && options="$options --timestamp"
|
||||||
[ -n "$TEST" ] && options="$options --test"
|
[ -n "$TEST" ] && options="$options --test"
|
||||||
|
[ -n "$PREVIEW" ] && options="$options --preview"
|
||||||
[ "$debugging" = trace ] && options="$options --debug"
|
[ "$debugging" = trace ] && options="$options --debug"
|
||||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
|
||||||
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
||||||
@ -552,6 +553,10 @@ check_command() {
|
|||||||
PROFILE=Yes
|
PROFILE=Yes
|
||||||
option=${option#p}
|
option=${option#p}
|
||||||
;;
|
;;
|
||||||
|
r*)
|
||||||
|
PREVIEW=Yes;
|
||||||
|
option=${option#r}
|
||||||
|
;;
|
||||||
d*)
|
d*)
|
||||||
DEBUG=Yes;
|
DEBUG=Yes;
|
||||||
option=${option#d}
|
option=${option#d}
|
||||||
@ -1267,7 +1272,7 @@ usage() # $1 = exit status
|
|||||||
echo "where <command> is one of:"
|
echo "where <command> is one of:"
|
||||||
echo " add <interface>[:<host-list>] ... <zone>"
|
echo " add <interface>[:<host-list>] ... <zone>"
|
||||||
echo " allow <address> ..."
|
echo " allow <address> ..."
|
||||||
echo " check [ -e ] [ <directory> ]"
|
echo " check [ -e ] [ -r ] [ <directory> ]"
|
||||||
echo " clear [ -f ]"
|
echo " clear [ -f ]"
|
||||||
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
||||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||||
|
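Review bot: check_command now has both `p*) PROFILE=Yes` and the new `r*) PREVIEW=Yes;`, yet the changelog entry this commit adds reads `8) Add -p option to check.` — `-p` is the existing profiling switch, the option wired to `--preview` here is `-r`, so the changelog line should say `-r`. The `DEBUG=Yes;` / `PREVIEW=Yes;` trailing semicolons are harmless but inconsistent with `PROFILE=Yes` two lines up; pick one form. The new usage line `check [ -e ] [ -r ] [ <directory> ]` still omits `-p` and `-d`, which the manpage synopsis in this commit lists side by side with `-r`; `check [ -e ] [ -d ] [ -p ] [ -r ] [ <directory> ]` would match it. check_command() and usage() start and end outside these hunks.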
@ -60,6 +60,8 @@
|
|||||||
|
|
||||||
<arg><option>-p</option></arg>
|
<arg><option>-p</option></arg>
|
||||||
|
|
||||||
|
<arg><option>-r</option></arg>
|
||||||
|
|
||||||
<arg><replaceable>directory</replaceable></arg>
|
<arg><replaceable>directory</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
@ -720,6 +722,10 @@
|
|||||||
<para>The <option>-p</option> option causes the compiler to be
|
<para>The <option>-p</option> option causes the compiler to be
|
||||||
profiled via the Perl <option>-wd:DProf</option> command-line
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
||||||
option.</para>
|
option.</para>
|
||||||
|
|
||||||
|
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
||||||
|
and causes the compiler to print the generated ruleset to standard
|
||||||
|
out.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -44,6 +44,8 @@
|
|||||||
|
|
||||||
<arg><option>-p</option></arg>
|
<arg><option>-p</option></arg>
|
||||||
|
|
||||||
|
<arg><option>-r</option></arg>
|
||||||
|
|
||||||
<arg><replaceable>directory</replaceable></arg>
|
<arg><replaceable>directory</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
@ -584,6 +586,10 @@
|
|||||||
<para>The <option>-p</option> option causes the compiler to be
|
<para>The <option>-p</option> option causes the compiler to be
|
||||||
profiled via the Perl <option>-wd:DProf</option> command-line
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
||||||
option.</para>
|
option.</para>
|
||||||
|
|
||||||
|
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
||||||
|
and causes the compiler to print the generated ruleset to standard
|
||||||
|
out.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|