Add the -p option to the compile command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3311 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-17 23:27:54 +00:00
parent 2b96059e7d
commit 49cb3fa6c6
7 changed files with 222 additions and 58 deletions


@ -18,3 +18,5 @@ Changes in 3.1.x.
8) Add error checking to generated script. 8) Add error checking to generated script.
9) Merge Fabio Longerai's 'length' patch. 9) Merge Fabio Longerai's 'length' patch.
10) Add the "-p" option to the compile command.


@ -100,6 +100,11 @@ save_command()
echo "${INDENT}${@}" >> $RESTOREBASE echo "${INDENT}${@}" >> $RESTOREBASE
} }
save_command_unindented()
{
echo "${@}" >> $RESTOREBASE
}
# #
# Write a progress_message command to $RESTOREBASE # Write a progress_message command to $RESTOREBASE
# #
@ -146,7 +151,7 @@ append_file() # $1 = File Name
{ {
save_command "cat > /var/lib/shorewall/$1 << __EOF__" save_command "cat > /var/lib/shorewall/$1 << __EOF__"
cat $STATEDIR/$1 >> $RESTOREBASE cat $STATEDIR/$1 >> $RESTOREBASE
save_command __EOF__ save_command_unindented __EOF__
} }
# #
@ -1190,13 +1195,13 @@ setup_providers()
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
${INDENT} ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
${INDENT} case \$net in ${INDENT} case \$net in
${INDENT} default|nexthop) ${INDENT} default|nexthop)
${INDENT} ;; ${INDENT} ;;
${INDENT} *) ${INDENT} *)
${INDENT} run_ip route add table $number \$net \$route" ${INDENT} run_ip route add table $number \$net \$route"
${INDENT} ;; ${INDENT} ;;
${INDENT} esac ${INDENT} esac
${INDENT} done ${INDENT} done
__EOF__ __EOF__
else else
@ -1216,17 +1221,17 @@ __EOF__
if [ $COMMAND = compile ]; then if [ $COMMAND = compile ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
${INDENT} ip route show table $duplicate | while read net route; do ${INDENT} ip route show table $duplicate | while read net route; do
${INDENT} case \$net in ${INDENT} case \$net in
${INDENT} default|nexthop) ${INDENT} default|nexthop)
${INDENT} ;; ${INDENT} ;;
${INDENT} *) ${INDENT} *)
${INDENT} case \$(find_device \$route) in ${INDENT} case \$(find_device \$route) in
${INDENT} `echo $copy\) | sed 's/ /|/g'` ${INDENT} `echo $copy\) | sed 's/ /|/g'`
${INDENT} run_ip route add table $number \$net \$route ${INDENT} run_ip route add table $number \$net \$route
${INDENT} ;; ${INDENT} ;;
${INDENT} esac ${INDENT} esac
${INDENT} ;; ${INDENT} ;;
${INDENT} esac ${INDENT} esac
${INDENT} done ${INDENT} done
__EOF__ __EOF__
@ -1287,10 +1292,10 @@ __EOF__
${INDENT} gateway=\$(detect_gateway $interface) ${INDENT} gateway=\$(detect_gateway $interface)
${INDENT} if [ -n "\$gateway" ]; then ${INDENT} if [ -n "\$gateway" ]; then
${INDENT} run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number ${INDENT} run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
${INDENT} run_ip route add default via \$gateway dev $interface table $number ${INDENT} run_ip route add default via \$gateway dev $interface table $number
${INDENT} else ${INDENT} else
${INDENT} fatal_error "Unable to detect the gateway through interface $interface" ${INDENT} fatal_error "Unable to detect the gateway through interface $interface"
${INDENT} fi ${INDENT} fi
__EOF__ __EOF__
@ -1476,7 +1481,7 @@ EOF
save_command " cat > /etc/iproute2/rt_tables << __EOF__" save_command " cat > /etc/iproute2/rt_tables << __EOF__"
cat /etc/iproute2/rt_tables >> $RESTOREBASE cat /etc/iproute2/rt_tables >> $RESTOREBASE
save_command __EOF__ save_command_unindented __EOF__
fi fi
@ -2852,7 +2857,7 @@ ${INDENT} fatal_error "Interface $interface must be up before Shorewall can s
${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ${INDENT}ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
${INDENT} address=\${address%/*} ${INDENT} address=\${address%/*}
${INDENT} if [ -n "\$broadcast" ]; then ${INDENT} if [ -n "\$broadcast" ]; then
${INDENT} run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN ${INDENT} run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
${INDENT} fi ${INDENT} fi
${INDENT}done ${INDENT}done
@ -3068,7 +3073,7 @@ delete_nat() {
${INDENT}if [ -f /var/lib/shorewall/nat ]; then ${INDENT}if [ -f /var/lib/shorewall/nat ]; then
${INDENT} while read external interface; do ${INDENT} while read external interface; do
${INDENT} qt ip addr del \$external dev \$interface ${INDENT} qt ip addr del \$external dev \$interface
${INDENT} done < /var/lib/shorewall/nat ${INDENT} done < /var/lib/shorewall/nat
${INDENT} ${INDENT}
${INDENT} rm -f {/var/lib/shorewall}/nat ${INDENT} rm -f {/var/lib/shorewall}/nat
@ -3807,12 +3812,12 @@ delete_tc()
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
${INDENT}ip link list | while read inx interface details; do ${INDENT}ip link list | while read inx interface details; do
${INDENT} case \$inx in ${INDENT} case \$inx in
${INDENT} [0-9]*) ${INDENT} [0-9]*)
${INDENT} qt tc qdisc del dev \${interface%:} root ${INDENT} qt tc qdisc del dev \${interface%:} root
${INDENT} qt tc qdisc del dev \${interface%:} ingress ${INDENT} qt tc qdisc del dev \${interface%:} ingress
${INDENT} ;; ${INDENT} ;;
${INDENT} *) ${INDENT} *)
${INDENT} ;; ${INDENT} ;;
${INDENT} esac ${INDENT} esac
${INDENT}done ${INDENT}done
__EOF__ __EOF__
@ -8926,7 +8931,7 @@ compile_stop_firewall() {
stop_firewall() { stop_firewall() {
detetechain() { deletechain() {
qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1 qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1
} }
@ -8936,7 +8941,11 @@ stop_firewall() {
} }
setpolicy() { setpolicy() {
$IPTABLES -P $1 $2 $IPTABLES -P \$1 \$2
}
setcontinue() {
$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT
} }
case \$COMMAND in case \$COMMAND in
@ -9261,6 +9270,7 @@ compile_firewall() # $1 = File Name
# #
# END OVERLOADED FUNCTIONS # END OVERLOADED FUNCTIONS
# #
verify_os_version verify_os_version
verify_ip verify_ip
@ -9280,8 +9290,9 @@ compile_firewall() # $1 = File Name
[ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
[ -z "$PROGRAM" ] && save_command "#! $SHOREWALL_SHELL --"
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
#! $SHOREWALL_SHELL
# #
# Compiled startup file generated by Shorewall $VERSION - $(date)" # Compiled startup file generated by Shorewall $VERSION - $(date)"
# #
@ -9336,36 +9347,36 @@ run_tc() {
fi fi
} }
__EOF__ initialize() {
f=$(find_file params) #
# These variables are required by the library functions called in this script
#
[ -n \${COMMAND:=restart} ]
[ -n \${QUIET:=0} ]
MODULESDIR="$MODULESDIR"
MODULE_SUFFIX="$MODULE_SUFFIX"
LOGLIMIT="$LOGLIMIT"
LOGTAGONLY="$LOGTAGONLY"
LOGRULENUMBERS="$LOGRULENUMBERS"
LOGFORMAT="$LOGFORMAT"
RESTOREFILE="$RESTOREFILE"
[ -f $f ] && \ STOPPING=
save_command ". $(resolve_file $f)" #
cat >> $RESTOREBASE << __EOF__ # The library requires that /var/lib/shorewall exist
# #
# These variables are required by the library functions called in this script mkdir -p /var/lib/shorewall
# }
[ -n \${COMMAND:=restart} ];
[ -n \${QUIET:=0} ]
MODULESDIR="$MODULESDIR"
MODULE_SUFFIX="$MODULE_SUFFIX"
LOGLIMIT="$LOGLIMIT"
LOGTAGONLY="$LOGTAGONLY"
LOGRULENUMBERS="$LOGRULENUMBERS"
LOGFORMAT="$LOGFORMAT"
RESTOREFILE="$RESTOREFILE"
STOPPING=
__EOF__ __EOF__
if [ -n "$PROGRAM" ]; then if [ -n "$PROGRAM" ]; then
save_command "define_firewall() {" save_command "define_firewall() {"
INDENT=" " INDENT=" "
fi fi
if [ -z "$EXPORT" ]; then if [ -z "$EXPORT" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
${INDENT}if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then ${INDENT}if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
${INDENT} error_message "ERROR: This script requires Shorewall version $VERSION" ${INDENT} error_message "ERROR: This script requires Shorewall version $VERSION"
${INDENT} exit 2 ${INDENT} exit 2
@ -9381,6 +9392,7 @@ __EOF__
progress_message2 "Initializing..." progress_message2 "Initializing..."
save_progress_message "Initializing..." save_progress_message "Initializing..."
initialize_netfilter initialize_netfilter
progress_message2 "Compiling Proxy ARP"; setup_proxy_arp progress_message2 "Compiling Proxy ARP"; setup_proxy_arp
@ -9478,11 +9490,14 @@ __EOF__
if [ -n "$PROGRAM" ]; then if [ -n "$PROGRAM" ]; then
INDENT= INDENT=
save_command "}" save_command "}"
write_globals
save_command "" save_command ""
cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile
rm $RESTOREBASE
else
mv -f $RESTOREBASE $outfile
fi fi
mv -f $RESTOREBASE $outfile
chmod 700 $outfile chmod 700 $outfile
echo "Shorewall configuration compiled to $outfile" echo "Shorewall configuration compiled to $outfile"
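Review bot: In the new program branch `$outfile` is created by a plain redirection and only made `700` afterwards, so for a moment it carries whatever mode the caller's umask allows, and if the file already exists its old mode (and any symlink it points to) is reused; the `mv -f` path never had that window because the temporary file's mode travels with the rename. The `cat` is also unchecked, so a missing or unreadable prog.header leaves a truncated program while `rm $RESTOREBASE` has already discarded the only other copy. Writing it as `( umask 077; cat $(find_file prog.header) $RESTOREBASE $(find_file prog.footer) > $outfile ) || startup_error "Unable to create $outfile"` closes both gaps, and `startup_error` is already used by compile_firewall a few hunks up. compile_firewall begins well before this hunk and presumably ends just after it.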


@ -588,7 +588,14 @@ for f in macro.* ; do
echo echo
echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done done
#
# Install the program skeleton files
#
for f in prog.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0600
echo
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
done
# #
# Create the version file # Create the version file
# #

70
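--- /dev/null
+++ b/Shorewall/prog.footer
@@ -0,0 +1,70 @@
+################################################################################
+# Give Usage Information #
+################################################################################
+usage() {
+echo "Usage: $0 start|stop|reload|restart|status"
+exit 1
+}
+################################################################################
+# E X E C U T I O N B E G I N S H E R E #
+################################################################################
+initialize
+COMMAND="$1"
+case "$COMMAND" in
+start)
+echo "Starting Shorewall...."
+define_firewall
+status=$?
+echo "done."
+;;
+stop)
+echo "Stopping Shorewall...."
+stop_firewall
+status=0
+echo "done."
+;;
+restart)
+echo "Restarting Shorewall...."
+define_firewall
+status=$?
+echo "done."
+;;
+clear)
+echo "Clearing Shorewall...."
+clear_firewall
+status=0
+echo "done."
+;;
+status)
+echo "Shorewall Status at $HOSTNAME - $(date)"
+echo
+if iptables -L shorewall -n > /dev/null 2>&1; then
+echo "Shorewall is running"
+status=0
+else
+echo "Shorewall is stopped"
+status=4
+fi
+if [ -f /var/lib/shorewall/state ]; then
+state="$(cat /var/lib/shorewall/state)"
+case $state in
+Stopped*|Clear*)
+status=3
+;;
+esac
+else
+state=Unknown
+fi
+echo "State:$state"
+echo
+;;
+*)
+usage
+status=2
+;;
+esac
+exit $status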
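Review bot: `usage` advertises `reload`, but the `case "$COMMAND"` has no `reload)` arm, so `reload` falls through to `*)` and exits 2, while `clear` is accepted but not listed; prog.header's command table documents both. Changing the arm to `restart|reload)` and the message to `echo "Usage: $0 start|stop|reload|restart|clear|status"` brings the three into agreement. The `stop)` and `clear)` arms also hard-code `status=0` whatever `stop_firewall`/`clear_firewall` return, so a failed stop still reports success to init; `status=$?` as in the start arm would surface it. The status check calls bare `iptables` rather than the `$IPTABLES` path the compiled functions use, which makes the result depend on PATH — worth confirming that is intended.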

54
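--- /dev/null
+++ b/Shorewall/prog.header
@@ -0,0 +1,54 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
+#
+# Generated $(date) by $USER
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+# On most distributions, this file should be called /etc/init.d/shorewall.
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# start Starts the firewall
+# restart Restarts the firewall
+# reload Reload the firewall
+# clear Removes all firewall rules
+# stop Stops the firewall
+# status Displays firewall status
+#
+# chkconfig: 2345 25 90
+# description: Packet filtering firewall
+### BEGIN INIT INFO
+# Provides: firewall
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops the shorewall-generated firewall
+### END INIT INFO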
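Review bot: `# Generated $(date) by $USER` will appear literally in every generated program: the compiler concatenates this file with `cat`, which performs no expansion, so neither the date nor the user is filled in. Since the `$RESTOREBASE` body already opens with `# Compiled startup file generated by Shorewall $VERSION - $(date)`, dropping the line is the simplest fix; otherwise the compiler has to emit it itself via `save_command`. The shebang is also fixed at `#!/bin/sh` whereas the non-program path writes `#! $SHOREWALL_SHELL --`, so a configuration whose SHOREWALL_SHELL is bash could have its program run by a different interpreter once installed as an init script — worth confirming the compiled code is POSIX-sh clean or having the compiler emit the shebang. `chkconfig: 2345` and `Default-Start: 2 3 5` disagree on runlevel 4 as well.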


@ -34,6 +34,11 @@ New Features in 3.1.3
2) When a compiled script encounters an error, the firewall is now put in the 2) When a compiled script encounters an error, the firewall is now put in the
"stopped" state without the need for running "/sbin/shorewall stop". "stopped" state without the need for running "/sbin/shorewall stop".
3) The -p option now generates a complete firewall program that can be installed
in /etc/init.d (on SuSE) and installed using "insserv". If the system where
you install the program does not have Shorewall installed, you will need to
generate the program with the "-e" option.
Migration Considerations: Migration Considerations:
None. None.
@ -54,6 +59,8 @@ New Features:
additional consideration a) below). additional consideration a) below).
Also allows the generated script to run Also allows the generated script to run
on a system without Shorewall installed. on a system without Shorewall installed.
-p Generate a complete program that can start,
stop, restart, clear and status the firewall
<config directory> Is an optional directory to be searched for <config directory> Is an optional directory to be searched for
configuration files prior to those listed configuration files prior to those listed
in CONFIG_DIR in /etc/shorewall/shorewall.conf. in CONFIG_DIR in /etc/shorewall/shorewall.conf.
@ -132,6 +139,11 @@ New Features:
"iptables-restore" and multiple executions of "iptables". The system is a "iptables-restore" and multiple executions of "iptables". The system is a
1.4Ghz Celeron with 512MB RAM. 1.4Ghz Celeron with 512MB RAM.
The "-p' option creates a complete program. This program is suitable for
installation into /etc/init.d and, when generated with the "-e" option
can serve as your firewall on a system that doesn't even have Shorewall
installed.
2) You may now repeat the -q option to cause Shorewall to be extra quiet. 2) You may now repeat the -q option to cause Shorewall to be extra quiet.
Example: Example:


@ -154,12 +154,16 @@ fi
%attr(0600,root,root) /usr/share/shorewall/macro.VNCL %attr(0600,root,root) /usr/share/shorewall/macro.VNCL
%attr(0600,root,root) /usr/share/shorewall/macro.Web %attr(0600,root,root) /usr/share/shorewall/macro.Web
%attr(0600,root,root) /usr/share/shorewall/macro.Webmin %attr(0600,root,root) /usr/share/shorewall/macro.Webmin
%attr(0600,root,root) /usr/share/shorewall/prog.footer
%attr(0600,root,root) /usr/share/shorewall/prog.header
%attr(0600,root,root) /usr/share/shorewall/rfc1918 %attr(0600,root,root) /usr/share/shorewall/rfc1918
%attr(0600,root,root) /usr/share/shorewall/configpath %attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog %changelog
* Sun Tue 17 2006 Tom Eastep tom@shorewall.net
- Added program skeleton Files
* Sun Jan 15 2006 Tom Eastep tom@shorewall.net * Sun Jan 15 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.2-1 - Updated to 3.1.2-1
* Thu Jan 12 2006 Tom Eastep tom@shorewall.net * Thu Jan 12 2006 Tom Eastep tom@shorewall.net