More shorewall/shorewall6 unification

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-23 16:17:09 -07:00
parent a64d882a36
commit 552ab52f92


@ -33,9 +33,9 @@
# $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE
#
#
get_config() {
local prog
ensure_config_path
@ -93,6 +93,68 @@ get_config() {
fi
fi
if [ -n "$IP" ]; then
case "$IP" in
*/*)
if [ ! -x "$IP" ] ; then
echo " ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $IP 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $IP executable" >&2
exit 2
fi
IP=$prog
;;
esac
else
IP='ip'
fi
if [ -n "$IPSET" ]; then
case "$IPSET" in
*/*)
if [ ! -x "$IPSET" ] ; then
echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $IPSET 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $IPSET executable" >&2
exit 2
fi
IPSET=$prog
;;
esac
else
IPSET='ipset'
fi
if [ -n "$TC" ]; then
case "$TC" in
*/*)
if [ ! -x "$TC" ] ; then
echo " ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $TC 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $TC executable" >&2
exit 2
fi
TC=$prog
;;
esac
else
TC='tc'
fi
#
# Compile by non-root needs no restore file
#
@ -117,6 +179,18 @@ get_config() {
esac
fi
case ${SHOREWALL_COMPILER:=perl} in
perl|Perl)
;;
shell|Shell)
echo " WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release" >&2
;;
*)
echo " ERROR: Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" >&2
exit 2
;;
esac
case ${TC_ENABLED:=Internal} in
No|NO|no)
TC_ENABLED=
@ -263,13 +337,9 @@ uptodate() {
# Run the compiler
#
compiler() {
local pc
pc=$g_libexec/shorewall/compiler.pl
local command
command=$1
shift
if [ $(id -u) -ne 0 ]; then
if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall6 ]; then
startup_error "Ordinary users may not compile the /etc/shorewall6 configuration"
@ -280,8 +350,6 @@ compiler() {
#
ensure_config_path
haveparams=
case $COMMAND in
*start|try|refresh)
;;
@ -291,8 +359,6 @@ compiler() {
;;
esac
[ $command = exec ] || command=
debugflags="-w"
[ -n "$g_debug" ] && debugflags='-wd'
[ -n "$g_profile" ] && debugflags='-wd:DProf'
@ -325,11 +391,11 @@ compiler() {
fi
if [ $g_perllib = ${g_libexec}/shorewall ]; then
$command $PERL $debugflags $pc $options $@
$PERL $debugflags $pc $options $@
else
PERL5LIB=$g_perllib
export PERL5LIB
$command $PERL $debugflags $pc $options $@
$PERL $debugflags $pc $options $@
fi
}
@ -353,7 +419,7 @@ start_command() {
else
progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.start; then
if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
[ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.start $g_debugging start
rc=$?
@ -394,6 +460,11 @@ start_command() {
g_fast=Yes
option=${option#f}
;;
p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
g_purge=Yes
option=${option%p}
;;
*)
usage 1
;;
@ -548,7 +619,7 @@ compile_command() {
[ "x$file" = x- ] || progress_message3 "Compiling..."
compiler exec $g_debugging compile $file
compiler $g_debugging compile $file
}
#
@ -622,7 +693,7 @@ check_command() {
progress_message3 "Checking..."
compiler exec $g_debugging $nolock check
compiler $g_debugging $nolock check
}
#
@ -710,10 +781,10 @@ restart_command() {
uptodate ${VARDIR}/firewall && g_fast=Yes
fi
if [ -z "$g_fast" ]; then
if [ -z "$g_fast" ]; then
progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.restart; then
if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
[ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.restart $g_debugging restart
rc=$?
@ -783,7 +854,7 @@ refresh_command() {
progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.refresh; then
if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
[ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.refresh $g_debugging refresh
rc=$?
@ -801,6 +872,7 @@ refresh_command() {
safe_commands() {
local finished
finished=0
local command
# test is the shell supports timed read
read -t 0 junk 2> /dev/null
@ -883,7 +955,7 @@ safe_commands() {
progress_message3 "Compiling..."
if ! compiler run $g_debugging nolock compile ${VARDIR}/.$command; then
if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
status=$?
exit $status
fi
@ -903,7 +975,7 @@ safe_commands() {
[ -n "$nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $command; then
if run_it ${VARDIR}/.$command $g_debugging $command; then
echo -n "Do you want to accept the new firewall configuration? [y/n] "
@ -1019,7 +1091,7 @@ try_command() {
progress_message3 "Compiling..."
if ! compiler run $g_debugging $nolock compile ${VARDIR}/.$command; then
if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
status=$?
exit $status
fi
@ -1089,8 +1161,6 @@ reload_command() # $* = original arguments less the command.
getcaps=
local root
root=root
local compiler
compiler=
local libexec
libexec=/usr/share
@ -1179,8 +1249,10 @@ reload_command() # $* = original arguments less the command.
ensure_config_path
fi
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
progress_message "Getting Capabilities on system $system..."
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
fatal_error "ERROR: Capturing capabilities on system $system failed"
fi
fi
@ -1226,8 +1298,6 @@ export_command() # $* = original arguments less the command.
finished=0
local directory
local target
local compiler
compiler=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -1338,6 +1408,7 @@ version_command() {
finished=0
local all
all=
local product
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -1682,6 +1753,11 @@ case "$COMMAND" in
[ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not supported in the current $g_product configuration"
exit 2
fi
[ -n "$nolock" ] || mutex_on
block DROP Dropped $*
[ -n "$nolock" ] || mutex_off
@ -1694,6 +1770,11 @@ case "$COMMAND" in
[ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not supported in the current $g_product configuration"
exit 2
fi
[ -n "$nolock" ] || mutex_on
block logdrop Dropped $*
[ -n "$nolock" ] || mutex_off
@ -1762,14 +1843,9 @@ case "$COMMAND" in
g_restorepath=${VARDIR}/$RESTOREFILE
if [ -x $g_restorepath ]; then
if [ -x ${g_restorepath}-ipsets ]; then
rm -f ${g_restorepath}-ipsets
echo " ${g_restorepath}-ipsets removed"
fi
rm -f $g_restorepath
rm -f ${g_restorepath}-iptables
rm -f ${g_restorepath}-ipsets
echo " $g_restorepath removed"
elif [ -f $g_restorepath ]; then
echo " $g_restorepath exists and is not a saved Shorewall6 configuration"