diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 1e1394283..a99905e4f 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -18,3 +18,5 @@ Changes in 3.1.x. 8) Add error checking to generated script. 9) Merge Fabio Longerai's 'length' patch. + +10) Add the "-p" option to the compile command. diff --git a/Shorewall/firewall b/Shorewall/firewall index 879094eaf..b671184e2 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -100,6 +100,11 @@ save_command() echo "${INDENT}${@}" >> $RESTOREBASE } +save_command_unindented() +{ + echo "${@}" >> $RESTOREBASE +} + # # Write a progress_message command to $RESTOREBASE # @@ -146,7 +151,7 @@ append_file() # $1 = File Name { save_command "cat > /var/lib/shorewall/$1 << __EOF__" cat $STATEDIR/$1 >> $RESTOREBASE - save_command __EOF__ + save_command_unindented __EOF__ } # @@ -1190,13 +1195,13 @@ setup_providers() if [ $COMMAND = compile ]; then cat >> $RESTOREBASE << __EOF__ ${INDENT} ip route show table $duplicate | while read net route; do -${INDENT} case \$net in -${INDENT} default|nexthop) -${INDENT} ;; -${INDENT} *) -${INDENT} run_ip route add table $number \$net \$route" -${INDENT} ;; -${INDENT} esac +${INDENT} case \$net in +${INDENT} default|nexthop) +${INDENT} ;; +${INDENT} *) +${INDENT} run_ip route add table $number \$net \$route" +${INDENT} ;; +${INDENT} esac ${INDENT} done __EOF__ else 
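Review bot: `save_command_unindented` is added without the header comment its neighbours carry (the `# Write a progress_message command to $RESTOREBASE` block right after it), so nothing states why an unindented variant exists. Propose above it: `# Write a command to $RESTOREBASE at column 0, bypassing $INDENT (for here-document terminators, which must start the line)`. Like `save_command`, it relies on `echo "${@}"`, which on some shells interprets a first argument such as `-n` or `-e`; `printf '%s\n' "$*" >> $RESTOREBASE` writes the text verbatim and is a one-line change.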
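Review bot: The terminator is now at column 0, but the here-document it closes, `cat > /var/lib/shorewall/$1 << __EOF__`, uses an unquoted delimiter, so when the compiled script runs any `$`, backtick or backslash in the copied `$STATEDIR/$1` content is expanded by the shell instead of being written verbatim, and a line reading `__EOF__` inside that file would end the here-document early. Quoting the delimiter, `save_command "cat > /var/lib/shorewall/$1 << '__EOF__'"`, makes the copy literal. The same applies to the rt_tables copy in the hunk at -1476.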
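Review bot: The re-indented line `run_ip route add table $number \$net \$route"` keeps a stray trailing double quote, so the generated script contains an unbalanced `"` inside the `while read` loop; the parallel block in the hunk at -1216 has no such quote. Dropping it, `${INDENT} run_ip route add table $number \$net \$route`, makes the two blocks consistent. The hunk only changes whitespace, so this predates the commit, but the line is being touched anyway. setup_providers continues outside the hunk.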
@@ -1216,17 +1221,17 @@ __EOF__ if [ $COMMAND = compile ]; then cat >> $RESTOREBASE << __EOF__ ${INDENT} ip route show table $duplicate | while read net route; do -${INDENT} case \$net in -${INDENT} default|nexthop) -${INDENT} ;; -${INDENT} *) -${INDENT} case \$(find_device \$route) in -${INDENT} `echo $copy\) | sed 's/ /|/g'` -${INDENT} run_ip route add table $number \$net \$route -${INDENT} ;; -${INDENT} esac -${INDENT} ;; -${INDENT} esac +${INDENT} case \$net in +${INDENT} default|nexthop) +${INDENT} ;; +${INDENT} *) +${INDENT} case \$(find_device \$route) in +${INDENT} `echo $copy\) | sed 's/ /|/g'` +${INDENT} run_ip route add table $number \$net \$route +${INDENT} ;; +${INDENT} esac +${INDENT} ;; +${INDENT} esac ${INDENT} done __EOF__ @@ -1287,10 +1292,10 @@ __EOF__ ${INDENT} gateway=\$(detect_gateway $interface) ${INDENT} if [ -n "\$gateway" ]; then -${INDENT} run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number -${INDENT} run_ip route add default via \$gateway dev $interface table $number +${INDENT} run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number +${INDENT} run_ip route add default via \$gateway dev $interface table $number ${INDENT} else -${INDENT} fatal_error "Unable to detect the gateway through interface $interface" +${INDENT} fatal_error "Unable to detect the gateway through interface $interface" ${INDENT} fi __EOF__ @@ -1476,7 +1481,7 @@ EOF save_command " cat > /etc/iproute2/rt_tables << __EOF__" cat /etc/iproute2/rt_tables >> $RESTOREBASE - save_command __EOF__ + save_command_unindented __EOF__ fi 
@@ -2852,7 +2857,7 @@ ${INDENT} fatal_error "Interface $interface must be up before Shorewall can s ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ${INDENT} address=\${address%/*} ${INDENT} if [ -n "\$broadcast" ]; then -${INDENT} run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN +${INDENT} run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN ${INDENT} fi ${INDENT}done @@ -3068,7 +3073,7 @@ delete_nat() { ${INDENT}if [ -f /var/lib/shorewall/nat ]; then ${INDENT} while read external interface; do -${INDENT} qt ip addr del \$external dev \$interface +${INDENT} qt ip addr del \$external dev \$interface ${INDENT} done < /var/lib/shorewall/nat ${INDENT} ${INDENT} rm -f {/var/lib/shorewall}/nat @@ -3807,12 +3812,12 @@ delete_tc() cat >> $RESTOREBASE << __EOF__ ${INDENT}ip link list | while read inx interface details; do ${INDENT} case \$inx in -${INDENT} [0-9]*) -${INDENT} qt tc qdisc del dev \${interface%:} root -${INDENT} qt tc qdisc del dev \${interface%:} ingress -${INDENT} ;; -${INDENT} *) -${INDENT} ;; +${INDENT} [0-9]*) +${INDENT} qt tc qdisc del dev \${interface%:} root +${INDENT} qt tc qdisc del dev \${interface%:} ingress +${INDENT} ;; +${INDENT} *) +${INDENT} ;; ${INDENT} esac ${INDENT}done __EOF__ @@ -8926,7 +8931,7 @@ compile_stop_firewall() { stop_firewall() { - detetechain() { + deletechain() { qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1 } @@ -8936,7 +8941,11 @@ stop_firewall() { } setpolicy() { - $IPTABLES -P $1 $2 + $IPTABLES -P \$1 \$2 + } + + setcontinue() { + $IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT } case \$COMMAND in @@ -9261,6 +9270,7 @@ compile_firewall() # $1 = File Name # # END OVERLOADED FUNCTIONS # + verify_os_version verify_ip 
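Review bot: `setcontinue` is added without a comment saying what it is for or which chains it targets, and no caller is visible in this hunk, so a reader cannot tell whether the ESTABLISHED,RELATED ACCEPT it appends is the intended stopped-state behaviour. Propose above it: `# Append an ACCEPT for established/related traffic to chain $1 (presumably used while stopped - confirm against caller)`. It is also worth a comment that `$IPTABLES` is expanded at compile time while `\$1` is expanded when the compiled script runs, since the `setpolicy` fix in the same hunk was exactly that distinction. stop_firewall continues outside the hunk.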
@@ -9280,8 +9290,9 @@ compile_firewall() # $1 = File Name [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" + [ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --" + cat >> $RESTOREBASE << __EOF__ -#! $SHOREWALL_SHELL # # Compiled startup file generated by Shorewall $VERSION - $(date)" # @@ -9336,36 +9347,36 @@ run_tc() { fi } -__EOF__ - f=$(find_file params) +initialize() { + # + # These variables are required by the library functions called in this script + # + [ -n \${COMMAND:=restart} ] + [ -n \${QUIET:=0} ] + MODULESDIR="$MODULESDIR" + MODULE_SUFFIX="$MODULE_SUFFIX" + LOGLIMIT="$LOGLIMIT" + LOGTAGONLY="$LOGTAGONLY" + LOGRULENUMBERS="$LOGRULENUMBERS" + LOGFORMAT="$LOGFORMAT" + RESTOREFILE="$RESTOREFILE" - [ -f $f ] && \ - save_command ". $(resolve_file $f)" - cat >> $RESTOREBASE << __EOF__ -# -# These variables are required by the library functions called in this script -# -[ -n \${COMMAND:=restart} ]; -[ -n \${QUIET:=0} ] -MODULESDIR="$MODULESDIR" -MODULE_SUFFIX="$MODULE_SUFFIX" -LOGLIMIT="$LOGLIMIT" -LOGTAGONLY="$LOGTAGONLY" -LOGRULENUMBERS="$LOGRULENUMBERS" -LOGFORMAT="$LOGFORMAT" -RESTOREFILE="$RESTOREFILE" - -STOPPING= + STOPPING= + # + # The library requires that /var/lib/shorewall exist + # + mkdir -p /var/lib/shorewall +} __EOF__ - if [ -n "$PROGRAM" ]; then save_command "define_firewall() {" INDENT=" " - fi + fi if [ -z "$EXPORT" ]; then cat >> $RESTOREBASE << __EOF__ + ${INDENT}if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then ${INDENT} error_message "ERROR: This script requires Shorewall version $VERSION" ${INDENT} exit 2 @@ -9381,6 +9392,7 @@ __EOF__ progress_message2 "Initializing..." save_progress_message "Initializing..." + initialize_netfilter progress_message2 "Compiling Proxy ARP"; setup_proxy_arp 
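Review bot: The variables formerly set at the top level of the compiled script (`COMMAND`, `QUIET`, `MODULESDIR` … `STOPPING=`) are now set only inside `initialize()`, and nothing in this hunk calls it; `prog.footer` does, but that file is only appended when `$PROGRAM` is set, so the non-`-p` script would start with those variables unset unless a call exists outside the hunk. The removed `[ -f $f ] && save_command ". $(resolve_file $f)"` sourcing of the params file is not re-added here either; if it moved into `write_globals`, a comment at `initialize()` saying so would help the next reader. In the hunk at -9280, `[ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --"` leaves a non-zero status whenever `$PROGRAM` is set; an `if` form avoids that if `set -e` is ever enabled in this file. compile_firewall continues outside the hunk.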
@@ -9478,11 +9490,14 @@ __EOF__ if [ -n "$PROGRAM" ]; then INDENT= save_command "}" + write_globals save_command "" + cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile + rm $RESTOREBASE + else + mv -f $RESTOREBASE $outfile fi - mv -f $RESTOREBASE $outfile - chmod 700 $outfile echo "Shorewall configuration compiled to $outfile" diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 880dc6eb3..9a1b40ee8 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -588,7 +588,14 @@ for f in macro.* ; do echo echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" done - +# +# Install the program skeleton files +# +for f in prog.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0600 + echo + echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f" +done # # Create the version file # diff --git a/Shorewall/prog.footer b/Shorewall/prog.footer new file mode 100644 index 000000000..e53841eaa --- /dev/null +++ b/Shorewall/prog.footer 
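Review bot: `cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile` creates `$outfile` under the process umask and only the later `chmod 700 $outfile` tightens it, so the generated firewall program is briefly readable by other users, whereas the previous `mv -f $RESTOREBASE` kept the temporary file's mode; if `$outfile` already exists as a symlink, `>` also writes through it. Creating the file under a restrictive umask, `( umask 077; cat "$(find_file prog.header)" "$RESTOREBASE" "$(find_file prog.footer)" > "$outfile" )`, closes the window. If `find_file` returns nothing for a missing skeleton, `cat` silently receives fewer arguments and produces a truncated program; a `[ -n "$header" ] || fatal_error` style guard would surface it. compile_firewall continues outside the hunk.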
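Review bot: The new `for f in prog.*` loop mirrors the `macro.*` loop above it, so if no `prog.*` file is present in the source tree the loop runs once with the literal pattern and `install_file` is asked to install a file named `prog.*`; a `[ -f "$f" ] || continue` at the top of the loop avoids that. As in the existing loop, `$f` and `${PREFIX}` are unquoted, so an install prefix containing a space would break the command.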
@@ -0,0 +1,70 @@
+################################################################################
+# Give Usage Information #
+################################################################################
+usage() {
+ echo "Usage: $0 start|stop|reload|restart|status"
+ exit 1
+}
+################################################################################
+# E X E C U T I O N B E G I N S H E R E #
+################################################################################
+initialize
+
+COMMAND="$1"
+
+case "$COMMAND" in
+ start)
+ echo "Starting Shorewall...."
+ define_firewall
+ status=$?
+ echo "done."
+ ;;
+ stop)
+ echo "Stopping Shorewall...."
+ stop_firewall
+ status=0
+ echo "done."
+ ;;
+ restart)
+ echo "Restarting Shorewall...."
+ define_firewall
+ status=$?
+ echo "done."
+ ;;
+ clear)
+ echo "Clearing Shorewall...."
+ clear_firewall
+ status=0
+ echo "done."
+ ;;
+ status)
+ echo "Shorewall Status at $HOSTNAME - $(date)"
+ echo
+ if iptables -L shorewall -n > /dev/null 2>&1; then
+ echo "Shorewall is running"
+ status=0
+ else
+ echo "Shorewall is stopped"
+ status=4
+ fi
+
+ if [ -f /var/lib/shorewall/state ]; then
+ state="$(cat /var/lib/shorewall/state)"
+ case $state in
+ Stopped*|Clear*)
+ status=3
+ ;;
+ esac
+ else
+ state=Unknown
+ fi
+ echo "State:$state"
+ echo
+ ;;
+ *)
+ usage
+ status=2
+ ;;
+esac
+
+exit $status
diff --git a/Shorewall/prog.header b/Shorewall/prog.header
new file mode 100644
index 000000000..e10378271
--- /dev/null
+++ b/Shorewall/prog.header
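Review bot: `usage()` advertises `start|stop|reload|restart|status`, yet the `case` has no `reload` arm (it falls to `*)` and exits 2) while the `clear` arm it does handle is not advertised; the command list in prog.header names both. Changing the arm to `restart|reload)` and the message to `echo "Usage: $0 start|stop|reload|restart|clear|status"` makes the three agree. The `status` arm calls bare `iptables` from PATH, whereas the compiled body embeds the path held in `$IPTABLES` at compile time, and `start`/`restart` print `done.` even when `define_firewall` returned non-zero; both are worth a look.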
@@ -0,0 +1,54 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
+#
+# Generated $(date) by $USER
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+# On most distributions, this file should be called /etc/init.d/shorewall.
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# start Starts the firewall
+# restart Restarts the firewall
+# reload Reload the firewall
+# clear Removes all firewall rules
+# stop Stops the firewall
+# status Displays firewall status
+#
+
+# chkconfig: 2345 25 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: firewall
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops the shorewall-generated firewall
+### END INIT INFO
+
+
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 18c399286..b1085b817 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
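Review bot: `# Generated $(date) by $USER` is copied into the output verbatim — the firewall hunk at -9478 concatenates prog.header with `cat` — so as far as this commit shows neither `$(date)` nor `$USER` is ever expanded and the installed script will literally read `Generated $(date) by $USER`; the compiled body already carries its own `Compiled startup file generated by Shorewall $VERSION - $(date)` line, so either drop this line or substitute the values before concatenation. The hard-coded `#!/bin/sh` also bypasses `$SHOREWALL_SHELL`, which the non-program path honours via `#! $SHOREWALL_SHELL --`; if the compiled body relies on features beyond POSIX sh, the `-p` program runs under a different interpreter than the plain script does.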
@@ -34,6 +34,11 @@ New Features in 3.1.3 2) When a compiled script encounters an error, the firewall is now put in the "stopped" state without the need for running "/sbin/shorewall stop". +3) The -p option now generates a complete firewall program that can be installed + in /etc/init.d (on SuSE) and installed using "insserv". If the system where + you install the program does not have Shorewall installed, you will need to + generate the program with the "-e" option. + Migration Considerations: None. @@ -54,6 +59,8 @@ New Features: additional consideration a) below). Also allows the generated script to run on a system without Shorewall installed. + -p Generate a complete program that can start, + stop, restart, clear and status the firewall Is an optional directory to be searched for configuration files prior to those listed in CONFIG_DIR in /etc/shorewall/shorewall.conf. @@ -132,6 +139,11 @@ New Features: "iptables-restore" and multiple executions of "iptables". The system is a 1.4Ghz Celeron with 512MB RAM. + The "-p' option creates a complete program. This program is suitable for + installation into /etc/init.d and, when generated with the "-e" option + can serve as your firewall on a system that doesn't even have Shorewall + installed. + 2) You may now repeat the -q option to cause Shorewall to be extra quiet. Example: diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 29805965e..876125e73 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec 
@@ -154,12 +154,16 @@ fi %attr(0600,root,root) /usr/share/shorewall/macro.VNCL %attr(0600,root,root) /usr/share/shorewall/macro.Web %attr(0600,root,root) /usr/share/shorewall/macro.Webmin +%attr(0600,root,root) /usr/share/shorewall/prog.footer +%attr(0600,root,root) /usr/share/shorewall/prog.header %attr(0600,root,root) /usr/share/shorewall/rfc1918 %attr(0600,root,root) /usr/share/shorewall/configpath %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Sun Tue 17 2006 Tom Eastep tom@shorewall.net +- Added program skeleton Files * Sun Jan 15 2006 Tom Eastep tom@shorewall.net - Updated to 3.1.2-1 * Thu Jan 12 2006 Tom Eastep tom@shorewall.net
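Review bot: The new `%changelog` entry `* Sun Tue 17 2006 Tom Eastep tom@shorewall.net` has a malformed date: the field is `weekday month day year`, and here the month position holds `Tue` while the weekday and day do not agree with the entries below it. rpmbuild warns or fails on such entries; `* Tue Jan 17 2006 Tom Eastep tom@shorewall.net` follows the format of the neighbouring lines (verify the intended date).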