Retreat

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3305 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-01-16 23:15:51 +00:00 · 2006-01-16 23:15:51 +00:00 · 49fbc960c0
commit 49fbc960c0
parent 9db140bc5e
3 changed files with 293 additions and 397 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -47,7 +47,6 @@
 #		      the corresponding function in that file if the user did
 #		      not specify "nolock" on the runline.
 #
-#
 my_mutex_on() {
    [ -n "$nolock" ] || { mutex_on; HAVE_MUTEX=Yes; }
 }
@ -458,6 +457,14 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
    run_iptables2 -t nat -A $@
 }

+#
+# Delete a chain if it exists
+#
+deletechain() # $1 = name of chain
+{
+    qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+}
+
 #
 # Determine if a chain is a policy chain
 #
@ -1678,7 +1685,7 @@ validate_hosts_file() {
 #
 # Format a match by the passed MAC address
 # The passed address begins with "~" and uses "-" as a separator between bytes
-# Example: ~01-02-03.24-05-06
+# Example: ~01-02-03-04-05-06
 #
 mac_match() # $1 = MAC address formated as described above
 {
@ -2093,6 +2100,231 @@ disable_critical_hosts()
    done
 }

+#
+# Stop the Firewall
+#
+stop_firewall() {
+    #
+    # Turn off trace unless we were tracing "stop" or "clear"
+    #
+
+    [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
+
+    case $COMMAND in
+	stop|clear)
+	    ;;
+	check|compile)
+	    kill $$
+	    exit 2
+	    ;;
+	*)
+	    set +x
+
+	    [ -n "${RESTOREFILE:=restore}" ]
+
+	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    progress_message2 Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    for table in mangle nat filter; do
+			iptables -t $table -F
+			iptables -t $table -X
+		    done
+
+		    ${RESTOREPATH}-ipsets
+		fi
+
+		echo Restoring Shorewall...
+
+		if $RESTOREPATH; then
+		    echo "Shorewall restored from $RESTOREPATH"
+		    set_state "Started"
+		else
+		    set_state "Unknown"
+		fi
+
+		my_mutex_off
+		kill $$
+		exit 2
+	    fi
+	    ;;
+    esac
+
+    set_state "Stopping"
+
+    STOPPING="Yes"
+
+    TERMINATOR=
+
+    deletechain shorewall
+
+    run_user_exit stop
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	run_iptables -t mangle -F
+	run_iptables -t mangle -X
+	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	    qt $IPTABLES -t mangle -P $chain ACCEPT
+	done
+    fi
+
+    if [ -n "$RAW_TABLE" ]; then
+	run_iptables -t raw -F
+	run_iptables -t raw -X
+	for chain in PREROUTING OUTPUT; do
+	    qt $IPTABLES -t raw -P $chain ACCEPT
+	done
+    fi
+
+    if [ -n "$NAT_ENABLED" ]; then
+	delete_nat
+	for chain in PREROUTING POSTROUTING OUTPUT; do
+	    qt $IPTABLES -t nat -P $chain ACCEPT
+	done
+    fi
+
+    delete_proxy_arp
+    [ -n "$CLEAR_TC" ] && delete_tc1
+
+    [ -n "$DISABLE_IPV6" ] && disable_ipv6
+
+    process_criticalhosts
+
+    if [ -n "$CRITICALHOSTS" ]; then
+	if [ -z "$ADMINISABSENTMINDED" ]; then
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain ACCEPT
+	    done
+
+	    setpolicy FORWARD DROP
+
+	    deleteallchains
+
+	    enable_critical_hosts
+
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain DROP
+	    done
+	else
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain ACCEPT
+	    done
+
+	    setpolicy FORWARD DROP
+
+	    deleteallchains
+
+	    enable_critical_hosts
+
+	    setpolicy INPUT DROP
+
+	    for chain in INPUT FORWARD; do
+		setcontinue $chain
+	    done
+	fi
+    elif [ -z "$ADMINISABSENTMINDED" ]; then
+	for chain in INPUT OUTPUT FORWARD; do
+	    setpolicy $chain DROP
+	done
+
+	deleteallchains
+    else
+	for chain in INPUT FORWARD; do
+	    setpolicy $chain DROP
+	done
+
+	setpolicy OUTPUT ACCEPT
+
+	deleteallchains
+
+	for chain in INPUT FORWARD; do
+	    setcontinue $chain
+	done
+    fi
+
+    process_routestopped -A
+
+    $IPTABLES -A INPUT  -i lo -j ACCEPT
+    [ -z "$ADMINISABSENTMINDED" ] && \
+	$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+    for interface in $(find_interfaces_by_option dhcp); do
+	$IPTABLES -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
+	    $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
+	#
+	# This might be a bridge
+	#
+	$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
+    done
+
+    case "$IP_FORWARDING" in
+    [Oo][Nn])
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	progress_message2 "IP Forwarding Enabled"
+	;;
+    [Oo][Ff][Ff])
+	echo 0 > /proc/sys/net/ipv4/ip_forward
+	progress_message2 "IP Forwarding Disabled!"
+	;;
+    esac
+
+    run_user_exit stopped
+
+    set_state "Stopped"
+
+    logger "Shorewall Stopped"
+
+    rm -rf $TMP_DIR
+
+    case $COMMAND in
+    stop|clear)
+	;;
+    *)
+	#
+	# The firewall is being stopped when we were trying to do something
+	# else. Remove the lock file and Kill the shell in case we're in a
+	# subshell
+	#
+	my_mutex_off
+	kill $$
+	;;
+    esac
+}
+
+#
+# Remove all rules and remove all user-defined chains
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if qt mywhich ip6tables; then
+	ip6tables -P INPUT   ACCEPT 2> /dev/null
+	ip6tables -P OUTPUT  ACCEPT 2> /dev/null
+	ip6tables -P FORWARD ACCEPT 2> /dev/null
+    fi
+
+    run_user_exit clear
+
+    set_state "Cleared"
+
+    logger "Shorewall Cleared"
+}
+
 #
 # Set up ipsec tunnels
 #
@ -2825,20 +3057,12 @@ setup_syn_flood_chains()
 delete_proxy_arp() {
    if [ -f /var/lib/shorewall/proxyarp ]; then
 	while read address interface external haveroute; do
-	    case $COMMAND in
-		compile)
-		    save_command "qt arp -i $external -d $address pub"
-		    [ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
-		    ;;
-		stop|clear)
-		    qt arp -i $external -d $address pub
-		    [ -z "$haveroute" ] || qt ip route del $address dev $interface
-		    ;;
-		*)
-		    run_and_save_command qt arp -i $external -d $address pub
-		    [ -z "${haveroute}" ] && run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip route del $address dev $interface"
-		    ;;
-	    esac
+	    run_and_save_command "qt arp -i $external -d $address pub"
+	    if [ $COMMAND = compile ]; then
+		[ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
+	    else
+		[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+	    fi
 	done < /var/lib/shorewall/proxyarp

 	[ $COMMAND = compile ] || rm -f /var/lib/shorewall/proxyarp
@ -3432,9 +3656,9 @@ process_tc_rule()
 	    esac
 	fi

-	if [ "x${length:=-}" != "x-" ]; then
-		[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
-		r="${r}-m length --length ${length} "
+	if [ "x{$length:=-}" != "x-" ]; then
+	    [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
+	    r="${r}-m length --length ${length} "
 	fi

 	multiport=
@ -8952,6 +9176,46 @@ fi

 cat >> $RESTOREBASE << __EOF__

+stop_firewall()
+{
+    set +x
+
+    [ -n "\${RESTOREFILE:=restore}" ]
+
+    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+    if [ -x \$RESTOREPATH ]; then
+
+	if [ -x \${RESTOREPATH}-ipsets ]; then
+	    progress_message2 Restoring Ipsets...
+	    #
+	    # We must purge iptables to be sure that there are no
+	    # references to ipsets
+	    #
+	    for table in nat mangle filter; do
+		iptables -t \$table -F
+		iptables -t \$table -X
+	    done
+
+	    \${RESTOREPATH}-ipsets
+	fi
+
+	echo Restoring Shorewall...
+
+	if \$RESTOREPATH; then
+	    echo "Shorewall restored from \$RESTOREPATH"
+	    set_state "Started"
+	else
+	    set_state "Unknown"
+	fi
+    elif [ -x /sbin/shorewall ]; then
+	/sbin/shorewall stop
+    fi
+
+    kill \$\$
+    exit 2
+}
+
 fatal_error()
 {
    echo "   ERROR: \$@" >&2
@ -8968,11 +9232,6 @@ run_iptables()
    fi
 }

-my_mutex_off()
-{
-    true
-}
-
 run_ip()
 {
    if ! ip \$@; then
@ -8990,54 +9249,16 @@ run_tc() {
    fi
 }

-stop_firewall() {
-
-    [ -n "\${RESTOREFILE:=restore}" ]
-
-    RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE
-
-    if [ -x \$RESTOREPATH ]; then
-	if [ -x \${RESTOREPATH}-ipsets ]; then
-	    progress_message2 Restoring Ipsets...
-	    #
-	    # We must purge iptables to be sure that there are no
-	    # references to ipsets
-	    #
-	    for table in mangle nat filter; do
-		iptables -t \$table -F
-		iptables -t \$table -X
-	    done
-
-	    \${RESTOREPATH}-ipsets
-	fi
-
-	echo Restoring Shorewall...
-
-	if \$RESTOREPATH; then
-	    echo "Shorewall restored from \$RESTOREPATH"
-	    set_state "Started"
-	else
-	    set_state "Unknown"
-	fi
-    elif [ -x /sbin/shorewall ]; then
-	/sbin/shorewall nolock stop
-    fi
-
-    kill \$\$
-    exit 2
-}
-
 __EOF__
    f=$(find_file params)

    [ -f $f ] && \
 	save_command ". $(resolve_file $f)"
-
    cat >> $RESTOREBASE << __EOF__
 #
 # These variables are required by the library functions called in this script
 #
-COMMAND=run
+COMMAND=restore
 [ -n \${QUIET:=0} ]
 MODULESDIR="$MODULESDIR"
 MODULE_SUFFIX="$MODULE_SUFFIX"
@ -9046,42 +9267,24 @@ LOGTAGONLY="$LOGTAGONLY"
 LOGRULENUMBERS="$LOGRULENUMBERS"
 LOGFORMAT="$LOGFORMAT"
 RESTOREFILE="$RESTOREFILE"
-PKTTYPE="$PKTTYPE"
-CLEAR_TC="$CLEAR_TC"
-DISABLE_IPV6="$DISABLE_IPV6"
-CRITICALHOSTS="$CRITICALHOSTS"
-ADMINISABSENTMINDED="$ADMINISABSENTMINDED"
-IP_FORWARDING="$IP_FORWARDING"
-CONFIG_PATH="$CONFIG_PATH"

 STOPPING=
-#
-# The library function require the existence of /var/lib/shorewall
-#
-mkdir -p /var/lib/shorewall
-#
-# And they require knowledge of the capabilities
-#
-determine_capabilities

 __EOF__

-    if [ -z "$EXPORT" ]; then
-	cat >> $RESTOREBASE << __EOF__
+if [ -z "$EXPORT" ]; then
+    cat >> $RESTOREBASE << __EOF__
 if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
    error_message "ERROR: This script requires Shorewall version $VERSION"
    exit 2
 fi
+__EOF__
+fi
+cat >> $RESTOREBASE << __EOF__
+
+load_kernel_modules

 __EOF__
-    fi
-
-    if [ -n "$PROGRAM" ]; then
-	save_command "define_firewall() {"
-	save_command ""
-    fi
-
-    save_command "load_kernel_modules"

    progress_message2 "Initializing..."
    save_progress_message "Initializing..."
@ -9179,80 +9382,6 @@ __EOF__

    run_user_exit started

-    if [ -n "$PROGRAM" ]; then
-	cat >> $RESTOREBASE << __EOF__
-}
-
-usage()
-{
-    echo "Usage: \$0 {start|stop|restart|reload|clear|status}"
-    exit 1
-}
-
-[ \$# -ne 1 ] && usage
-
-
-COMMAND="\$1"
-
-case "\$COMMAND" in
-    stop)
-	echo "Stopping Firewall..."
-	stop_firewall
-	echo "done."
-	;;
-
-    start)
-	echo "Starting Firewall..."
-	define_firewall
-	echo "done."
-	;;
-    restart)
-	echo "Restarting Firewall..."
-	define_firewall
-	echo "done."
-	;;
-    reload)
-	echo "Reloading Firewall..."
-	define_firewall
-	echo "done."
-	;;
-    clear)
-	echo "Clearing Firewall..."
-	clear_firewall
-	echo "done."
-	;;
-    status)
-	echo "Firewall Status at \$HOSTNAME - \$(date)"
-	echo
-	if qt iptables -L shorewall -n ; then
-	    echo "Firewall is running"
-	    status=0
-	else
-	    echo "Firewall is stopped"
-	    status=4
-	fi
-
-	if [ -f /var/lib/shorewall/state ]; then
-	    state="\$(cat /var/lib/shorewall/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:\$state"
-	echo
-	exit \$status
-	;;
-    *)
-	usage
-	;;
-esac
-__EOF__
-    fi
-
    mv -f $RESTOREBASE $outfile

    chmod 700 $outfile
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -1217,237 +1217,4 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
    log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
 }

-#
-# Delete a chain if it exists
-#
-deletechain() # $1 = name of chain
-{
-    qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
-}
-
-#
-# Stop the Firewall
-#
-stop_firewall() {
-    #
-    # Turn off trace unless we were tracing "stop" or "clear"
-    #
-
-    [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
-
-    case $COMMAND in
-	stop|clear)
-	    ;;
-	check|compile)
-	    kill $$
-	    exit 2
-	    ;;
-	*)
-	    set +x
-
-	    [ -n "${RESTOREFILE:=restore}" ]
-
-	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-
-	    if [ -x $RESTOREPATH ]; then
-
-		if [ -x ${RESTOREPATH}-ipsets ]; then
-		    progress_message2 Restoring Ipsets...
-		    #
-		    # We must purge iptables to be sure that there are no
-		    # references to ipsets
-		    #
-		    for table in mangle nat filter; do
-			iptables -t $table -F
-			iptables -t $table -X
-		    done
-
-		    ${RESTOREPATH}-ipsets
-		fi
-
-		echo Restoring Shorewall...
-
-		if $RESTOREPATH; then
-		    echo "Shorewall restored from $RESTOREPATH"
-		    set_state "Started"
-		else
-		    set_state "Unknown"
-		fi
-
-		my_mutex_off
-		kill $$
-		exit 2
-	    fi
-	    ;;
-    esac
-
-    set_state "Stopping"
-
-    STOPPING="Yes"
-
-    TERMINATOR=
-
-    deletechain shorewall
-
-    run_user_exit stop
-
-    if [ -n "$MANGLE_ENABLED" ]; then
-	run_iptables -t mangle -F
-	run_iptables -t mangle -X
-	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	    qt $IPTABLES -t mangle -P $chain ACCEPT
-	done
-    fi
-
-    if [ -n "$RAW_TABLE" ]; then
-	run_iptables -t raw -F
-	run_iptables -t raw -X
-	for chain in PREROUTING OUTPUT; do
-	    qt $IPTABLES -t raw -P $chain ACCEPT
-	done
-    fi
-
-    if [ -n "$NAT_ENABLED" ]; then
-	delete_nat
-	for chain in PREROUTING POSTROUTING OUTPUT; do
-	    qt $IPTABLES -t nat -P $chain ACCEPT
-	done
-    fi
-
-    delete_proxy_arp
-    [ -n "$CLEAR_TC" ] && delete_tc1
-
-    [ -n "$DISABLE_IPV6" ] && disable_ipv6
-
-    process_criticalhosts
-
-    if [ -n "$CRITICALHOSTS" ]; then
-	if [ -z "$ADMINISABSENTMINDED" ]; then
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain ACCEPT
-	    done
-
-	    setpolicy FORWARD DROP
-
-	    deleteallchains
-
-	    enable_critical_hosts
-
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain DROP
-	    done
-	else
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain ACCEPT
-	    done
-
-	    setpolicy FORWARD DROP
-
-	    deleteallchains
-
-	    enable_critical_hosts
-
-	    setpolicy INPUT DROP
-
-	    for chain in INPUT FORWARD; do
-		setcontinue $chain
-	    done
-	fi
-    elif [ -z "$ADMINISABSENTMINDED" ]; then
-	for chain in INPUT OUTPUT FORWARD; do
-	    setpolicy $chain DROP
-	done
-
-	deleteallchains
-    else
-	for chain in INPUT FORWARD; do
-	    setpolicy $chain DROP
-	done
-
-	setpolicy OUTPUT ACCEPT
-
-	deleteallchains
-
-	for chain in INPUT FORWARD; do
-	    setcontinue $chain
-	done
-    fi
-
-    process_routestopped -A
-
-    $IPTABLES -A INPUT  -i lo -j ACCEPT
-    [ -z "$ADMINISABSENTMINDED" ] && \
-	$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-    for interface in $(find_interfaces_by_option dhcp); do
-	$IPTABLES -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
-	[ -z "$ADMINISABSENTMINDED" ] && \
-	    $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
-	#
-	# This might be a bridge
-	#
-	$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
-    done
-
-    case "$IP_FORWARDING" in
-    [Oo][Nn])
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	progress_message2 "IP Forwarding Enabled"
-	;;
-    [Oo][Ff][Ff])
-	echo 0 > /proc/sys/net/ipv4/ip_forward
-	progress_message2 "IP Forwarding Disabled!"
-	;;
-    esac
-
-    run_user_exit stopped
-
-    set_state "Stopped"
-
-    logger "Shorewall Stopped"
-
-    rm -rf $TMP_DIR
-
-    case $COMMAND in
-    stop|clear)
-	;;
-    *)
-	#
-	# The firewall is being stopped when we were trying to do something
-	# else. Remove the lock file and Kill the shell in case we're in a
-	# subshell
-	#
-	my_mutex_off
-	kill $$
-	;;
-    esac
-}
-
-#
-# Remove all rules and remove all user-defined chains
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if qt mywhich ip6tables; then
-	ip6tables -P INPUT   ACCEPT 2> /dev/null
-	ip6tables -P OUTPUT  ACCEPT 2> /dev/null
-	ip6tables -P FORWARD ACCEPT 2> /dev/null
-    fi
-
-    run_user_exit clear
-
-    set_state "Cleared"
-
-    logger "Shorewall Cleared"
-}
-
 SHOREWALL_LIBRARY=Loaded
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@ -164,10 +164,10 @@
 #
 #			If you don't want to define a test but need to specify
 #			anything in the following columns, place a "-" in this
-#			field. 
+#			field.
 #
 #	LENGTH		(Optional) Packet Length. This field, if present
-#			allow you to match the length of a packet against   
+#			allow you to match the length of a packet against
 #			a specific value or range of values. You must have
 #			iptables length support for this to work. If you let
 #			it empy or place an "-" here, no length match will be