Add the -p option to the compile command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3311 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-01-17 23:27:54 +00:00 · 2006-01-17 23:27:54 +00:00 · 49cb3fa6c6
commit 49cb3fa6c6
parent 2b96059e7d
7 changed files with 222 additions and 58 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -18,3 +18,5 @@ Changes in 3.1.x.
 8) Add error checking to generated script.

 9) Merge Fabio Longerai's 'length' patch.
+
+10) Add the "-p" option to the compile command.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -100,6 +100,11 @@ save_command()
    echo "${INDENT}${@}" >> $RESTOREBASE
 }

+save_command_unindented()
+{
+    echo "${@}" >> $RESTOREBASE
+}
+
 #
 # Write a progress_message command to $RESTOREBASE
 #
@ -146,7 +151,7 @@ append_file() # $1 = File Name
 {
    save_command "cat > /var/lib/shorewall/$1 << __EOF__"
    cat $STATEDIR/$1 >> $RESTOREBASE
-    save_command __EOF__
+    save_command_unindented __EOF__
 }

 #
@ -1190,13 +1195,13 @@ setup_providers()
 	if [ $COMMAND = compile ]; then
 	    cat >> $RESTOREBASE << __EOF__
 ${INDENT}    ip route show table $duplicate | while read net route; do
-${INDENT}	case \$net in
-${INDENT}	    default|nexthop)
-${INDENT}		;;
-${INDENT}	    *)
-${INDENT}		run_ip route add table $number \$net \$route"
-${INDENT}		;;
-${INDENT}	esac
+${INDENT}        case \$net in
+${INDENT}            default|nexthop)
+${INDENT}                ;;
+${INDENT}            *)
+${INDENT}                run_ip route add table $number \$net \$route"
+${INDENT}                ;;
+${INDENT}        esac
 ${INDENT}    done
 __EOF__
 	else
@ -1216,17 +1221,17 @@ __EOF__
 	if [ $COMMAND = compile ]; then
 	    cat >> $RESTOREBASE << __EOF__
 ${INDENT}    ip route show table $duplicate | while read net route; do
-${INDENT}	case \$net in
-${INDENT}	    default|nexthop)
-${INDENT}		;;
-${INDENT}	    *)
-${INDENT}		case \$(find_device \$route) in
-${INDENT}		    `echo $copy\) | sed 's/ /|/g'`
-${INDENT}			run_ip route add table $number \$net \$route
-${INDENT}			;;
-${INDENT}		esac
-${INDENT}		;;
-${INDENT}	esac
+${INDENT}        case \$net in
+${INDENT}            default|nexthop)
+${INDENT}                ;;
+${INDENT}            *)
+${INDENT}                case \$(find_device \$route) in
+${INDENT}                    `echo $copy\) | sed 's/ /|/g'`
+${INDENT}                         run_ip route add table $number \$net \$route
+${INDENT}                         ;;
+${INDENT}                esac
+${INDENT}                ;;
+${INDENT}        esac
 ${INDENT}    done

 __EOF__
@ -1287,10 +1292,10 @@ __EOF__
 ${INDENT}    gateway=\$(detect_gateway $interface)

 ${INDENT}    if [ -n "\$gateway" ]; then
-${INDENT}	run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
-${INDENT}	run_ip route add default via \$gateway dev $interface table $number
+${INDENT}        run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
+${INDENT}        run_ip route add default via \$gateway dev $interface table $number
 ${INDENT}    else
-${INDENT}	fatal_error "Unable to detect the gateway through interface $interface"
+${INDENT}        fatal_error "Unable to detect the gateway through interface $interface"
 ${INDENT}    fi

 __EOF__
@ -1476,7 +1481,7 @@ EOF

 		save_command "    cat > /etc/iproute2/rt_tables << __EOF__"
 		cat /etc/iproute2/rt_tables >> $RESTOREBASE
-		save_command __EOF__
+		save_command_unindented __EOF__

 	    fi

@ -2852,7 +2857,7 @@ ${INDENT}    fatal_error "Interface $interface must be up before Shorewall can s
 ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
 ${INDENT}    address=\${address%/*}
 ${INDENT}    if [ -n "\$broadcast" ]; then
-${INDENT}	run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
+${INDENT}       run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
 ${INDENT}    fi
 ${INDENT}done

@ -3068,7 +3073,7 @@ delete_nat() {

 ${INDENT}if [ -f /var/lib/shorewall/nat ]; then
 ${INDENT}   while read external interface; do
-${INDENT}	qt ip addr del \$external dev \$interface
+${INDENT}       qt ip addr del \$external dev \$interface
 ${INDENT}    done < /var/lib/shorewall/nat
 ${INDENT}
 ${INDENT}    rm -f {/var/lib/shorewall}/nat
@ -3807,12 +3812,12 @@ delete_tc()
 	cat >> $RESTOREBASE << __EOF__
 ${INDENT}ip link list | while read inx interface details; do
 ${INDENT}    case \$inx in
-${INDENT}	[0-9]*)
-${INDENT}	    qt tc qdisc del dev \${interface%:} root
-${INDENT}	    qt tc qdisc del dev \${interface%:} ingress
-${INDENT}	    ;;
-${INDENT}	*)
-${INDENT}	    ;;
+${INDENT}       [0-9]*)
+${INDENT}           qt tc qdisc del dev \${interface%:} root
+${INDENT}           qt tc qdisc del dev \${interface%:} ingress
+${INDENT}           ;;
+${INDENT}       *)
+${INDENT}           ;;
 ${INDENT}    esac
 ${INDENT}done
 __EOF__
@ -8926,7 +8931,7 @@ compile_stop_firewall() {

 stop_firewall() {

-    detetechain() {
+    deletechain() {
 	qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1
    }

@ -8936,7 +8941,11 @@ stop_firewall() {
    }

    setpolicy() {
-	$IPTABLES -P $1 $2
+	$IPTABLES -P \$1 \$2
+    }
+
+    setcontinue() {
+	$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    }

    case \$COMMAND in
@ -9261,6 +9270,7 @@ compile_firewall() # $1 = File Name
    #
    # END OVERLOADED FUNCTIONS
    #
+
    verify_os_version
    verify_ip

@ -9280,8 +9290,9 @@ compile_firewall() # $1 = File Name

    [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"

+    [ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --"
+
    cat >> $RESTOREBASE << __EOF__
-#! $SHOREWALL_SHELL
 #
 # Compiled startup file generated by Shorewall $VERSION - $(date)"
 #
@ -9336,36 +9347,36 @@ run_tc() {
    fi
 }

-__EOF__
-    f=$(find_file params)
+initialize() {
+    #
+    # These variables are required by the library functions called in this script
+    #
+    [ -n \${COMMAND:=restart} ]
+    [ -n \${QUIET:=0} ]
+    MODULESDIR="$MODULESDIR"
+    MODULE_SUFFIX="$MODULE_SUFFIX"
+    LOGLIMIT="$LOGLIMIT"
+    LOGTAGONLY="$LOGTAGONLY"
+    LOGRULENUMBERS="$LOGRULENUMBERS"
+    LOGFORMAT="$LOGFORMAT"
+    RESTOREFILE="$RESTOREFILE"

-    [ -f $f ] && \
-	save_command ". $(resolve_file $f)"
-    cat >> $RESTOREBASE << __EOF__
-#
-# These variables are required by the library functions called in this script
-#
-[ -n \${COMMAND:=restart} ];
-[ -n \${QUIET:=0} ]
-MODULESDIR="$MODULESDIR"
-MODULE_SUFFIX="$MODULE_SUFFIX"
-LOGLIMIT="$LOGLIMIT"
-LOGTAGONLY="$LOGTAGONLY"
-LOGRULENUMBERS="$LOGRULENUMBERS"
-LOGFORMAT="$LOGFORMAT"
-RESTOREFILE="$RESTOREFILE"
-
-STOPPING=
+    STOPPING=
+    #
+    # The library requires that /var/lib/shorewall exist
+    #
+    mkdir -p /var/lib/shorewall
+}

 __EOF__
-
    if [ -n "$PROGRAM" ]; then
 	save_command "define_firewall() {"
 	INDENT="    "
-    fi
+   fi

    if [ -z "$EXPORT" ]; then
 	cat >> $RESTOREBASE << __EOF__
+
 ${INDENT}if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
 ${INDENT}    error_message "ERROR: This script requires Shorewall version $VERSION"
 ${INDENT}    exit 2
@ -9381,6 +9392,7 @@ __EOF__

    progress_message2 "Initializing..."
    save_progress_message "Initializing..."
+
    initialize_netfilter

    progress_message2 "Compiling Proxy ARP";                setup_proxy_arp
@ -9478,11 +9490,14 @@ __EOF__
    if [ -n "$PROGRAM" ]; then
 	INDENT=
 	save_command "}"
+	write_globals
 	save_command ""
+	cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile
+	rm $RESTOREBASE
+    else
+	mv -f $RESTOREBASE $outfile
    fi

-    mv -f $RESTOREBASE $outfile
-
    chmod 700 $outfile

    echo "Shorewall configuration compiled to $outfile"
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -588,7 +588,14 @@ for f in macro.* ; do
    echo
    echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
 done
-
+#
+# Install the program skeleton files
+#
+for f in prog.* ; do
+    install_file $f ${PREFIX}/usr/share/shorewall/$f 0600
+    echo
+    echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
+done
 #
 # Create the version file
 #
--- a/Shorewall/prog.footer
+++ b/Shorewall/prog.footer
@ -0,0 +1,70 @@
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+initialize
+
+COMMAND="$1"
+
+case "$COMMAND" in
+    start)
+	echo "Starting Shorewall...."
+	define_firewall
+	status=$?
+	echo "done."
+	;;
+    stop)
+	echo "Stopping Shorewall...."
+	stop_firewall
+	status=0
+	echo "done."
+	;;
+    restart)
+	echo "Restarting Shorewall...."
+	define_firewall
+	status=$?
+	echo "done."
+	;;
+    clear)
+	echo "Clearing Shorewall...."
+	clear_firewall
+	status=0
+	echo "done."
+	;;
+    status)
+	echo "Shorewall Status at $HOSTNAME - $(date)"
+	echo
+	if iptables -L shorewall -n > /dev/null 2>&1; then
+	    echo "Shorewall is running"
+	    status=0
+	else
+	    echo "Shorewall is stopped"
+	    status=4
+	fi
+
+	if [ -f /var/lib/shorewall/state ]; then
+	    state="$(cat /var/lib/shorewall/state)"
+	    case $state in
+		Stopped*|Clear*)
+		    status=3
+		    ;;
+	    esac
+	else
+	    state=Unknown
+	fi
+	echo "State:$state"
+	echo
+	;;
+    *)
+	usage
+	status=2
+	;;
+esac
+
+exit $status
--- a/Shorewall/prog.header
+++ b/Shorewall/prog.header
@ -0,0 +1,54 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+#     Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
+#
+#     Generated $(date) by $USER
+#
+#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   start			  Starts the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#
+
+# chkconfig: 2345 25 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides:	  firewall
+# Required-Start: $network
+# Required-Stop:
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall-generated firewall
+### END INIT INFO
+
+
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -34,6 +34,11 @@ New Features in 3.1.3
 2)  When a compiled script encounters an error, the firewall is now put in the
    "stopped" state without the need for running "/sbin/shorewall stop".

+3)  The -p option now generates a complete firewall program that can be installed
+    in /etc/init.d (on SuSE) and installed using "insserv". If the system where
+    you install the program does not have Shorewall installed, you will need to
+    generate the program with the "-e" option.
+
 Migration Considerations:

 None.
@ -54,6 +59,8 @@ New Features:
 	                      additional consideration a) below).
 	                      Also allows the generated script to run
 	                      on a system without Shorewall installed.
+	-p                    Generate a complete program that can start,
+	                      stop, restart, clear and status the firewall
 	<config directory>    Is an optional directory to be searched for
 	                      configuration files prior to those listed
 	                      in CONFIG_DIR in /etc/shorewall/shorewall.conf.
@ -132,6 +139,11 @@ New Features:
    "iptables-restore" and multiple executions of "iptables". The system is a
    1.4Ghz Celeron with 512MB RAM.

+    The "-p' option creates a complete program. This program is suitable for
+    installation into /etc/init.d and, when generated with the "-e" option
+    can serve as your firewall on a system that doesn't even have Shorewall
+    installed.
+
 2)  You may now repeat the -q option to cause Shorewall to be extra quiet.

    Example:
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -154,12 +154,16 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/macro.VNCL
 %attr(0600,root,root) /usr/share/shorewall/macro.Web
 %attr(0600,root,root) /usr/share/shorewall/macro.Webmin
+%attr(0600,root,root) /usr/share/shorewall/prog.footer
+%attr(0600,root,root) /usr/share/shorewall/prog.header
 %attr(0600,root,root) /usr/share/shorewall/rfc1918
 %attr(0600,root,root) /usr/share/shorewall/configpath

 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples

 %changelog
+* Sun Tue 17 2006 Tom Eastep tom@shorewall.net
+- Added program skeleton Files
 * Sun Jan 15 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.1.2-1
 * Thu Jan 12 2006 Tom Eastep tom@shorewall.net