holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More shorewall/shorewall6 unification

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-05-23 16:17:09 -07:00
parent a64d882a36
commit 552ab52f92
1 changed files with 108 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
Shorewall6/shorewall6
View File

@ -34,8 +34,8 @@
# $2 = Yes: check for STARTUP_ENABLED # $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE # $3 = Yes: Check for LOGFILE
# #
#
get_config() { get_config() {
local prog
ensure_config_path ensure_config_path
@ -93,6 +93,68 @@ get_config() {
fi fi
fi fi
if [ -n "$IP" ]; then
case "$IP" in
*/*)
if [ ! -x "$IP" ] ; then
echo " ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $IP 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $IP executable" >&2
exit 2
fi
IP=$prog
;;
esac
else
IP='ip'
fi
if [ -n "$IPSET" ]; then
case "$IPSET" in
*/*)
if [ ! -x "$IPSET" ] ; then
echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $IPSET 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $IPSET executable" >&2
exit 2
fi
IPSET=$prog
;;
esac
else
IPSET='ipset'
fi
if [ -n "$TC" ]; then
case "$TC" in
*/*)
if [ ! -x "$TC" ] ; then
echo " ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2
exit 2
fi
;;
*)
prog="$(mywhich $TC 2> /dev/null)"
if [ -z "$prog" ] ; then
echo " ERROR: Can't find $TC executable" >&2
exit 2
fi
TC=$prog
;;
esac
else
TC='tc'
fi
# #
# Compile by non-root needs no restore file # Compile by non-root needs no restore file
# #
@ -117,6 +179,18 @@ get_config() {
esac esac
fi fi
case ${SHOREWALL_COMPILER:=perl} in
perl|Perl)
;;
shell|Shell)
echo " WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release" >&2
;;
*)
echo " ERROR: Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" >&2
exit 2
;;
esac
case ${TC_ENABLED:=Internal} in case ${TC_ENABLED:=Internal} in
No|NO|no) No|NO|no)
TC_ENABLED= TC_ENABLED=
@ -263,13 +337,9 @@ uptodate() {
# Run the compiler # Run the compiler
# #
compiler() { compiler() {
local pc
pc=$g_libexec/shorewall/compiler.pl pc=$g_libexec/shorewall/compiler.pl
local command
command=$1
shift
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then
if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall6 ]; then if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall6 ]; then
startup_error "Ordinary users may not compile the /etc/shorewall6 configuration" startup_error "Ordinary users may not compile the /etc/shorewall6 configuration"
@ -280,8 +350,6 @@ compiler() {
# #
ensure_config_path ensure_config_path
haveparams=
case $COMMAND in case $COMMAND in
*start|try|refresh) *start|try|refresh)
;; ;;
@ -291,8 +359,6 @@ compiler() {
;; ;;
esac esac
[ $command = exec ] || command=
debugflags="-w" debugflags="-w"
[ -n "$g_debug" ] && debugflags='-wd' [ -n "$g_debug" ] && debugflags='-wd'
[ -n "$g_profile" ] && debugflags='-wd:DProf' [ -n "$g_profile" ] && debugflags='-wd:DProf'
@ -325,11 +391,11 @@ compiler() {
fi fi
if [ $g_perllib = ${g_libexec}/shorewall ]; then if [ $g_perllib = ${g_libexec}/shorewall ]; then
$command $PERL $debugflags $pc $options $@ $PERL $debugflags $pc $options $@
else else
PERL5LIB=$g_perllib PERL5LIB=$g_perllib
export PERL5LIB export PERL5LIB
$command $PERL $debugflags $pc $options $@ $PERL $debugflags $pc $options $@
fi fi
} }
@ -353,7 +419,7 @@ start_command() {
else else
progress_message3 "Compiling..." progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.start; then if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.start $g_debugging start run_it ${VARDIR}/.start $g_debugging start
rc=$? rc=$?
@ -394,6 +460,11 @@ start_command() {
g_fast=Yes g_fast=Yes
option=${option#f} option=${option#f}
;; ;;
p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
g_purge=Yes
option=${option%p}
;;
*) *)
usage 1 usage 1
;; ;;
@ -548,7 +619,7 @@ compile_command() {
[ "x$file" = x- ] || progress_message3 "Compiling..." [ "x$file" = x- ] || progress_message3 "Compiling..."
compiler exec $g_debugging compile $file compiler $g_debugging compile $file
} }
# #
@ -622,7 +693,7 @@ check_command() {
progress_message3 "Checking..." progress_message3 "Checking..."
compiler exec $g_debugging $nolock check compiler $g_debugging $nolock check
} }
# #
@ -713,7 +784,7 @@ restart_command() {
if [ -z "$g_fast" ]; then if [ -z "$g_fast" ]; then
progress_message3 "Compiling..." progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.restart; then if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.restart $g_debugging restart run_it ${VARDIR}/.restart $g_debugging restart
rc=$? rc=$?
@ -783,7 +854,7 @@ refresh_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if compiler run $g_debugging $nolock compile ${VARDIR}/.refresh; then if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.refresh $g_debugging refresh run_it ${VARDIR}/.refresh $g_debugging refresh
rc=$? rc=$?
@ -801,6 +872,7 @@ refresh_command() {
safe_commands() { safe_commands() {
local finished local finished
finished=0 finished=0
local command
# test is the shell supports timed read # test is the shell supports timed read
read -t 0 junk 2> /dev/null read -t 0 junk 2> /dev/null
@ -883,7 +955,7 @@ safe_commands() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if ! compiler run $g_debugging nolock compile ${VARDIR}/.$command; then if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
status=$? status=$?
exit $status exit $status
fi fi
@ -903,7 +975,7 @@ safe_commands() {
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $command; then if run_it ${VARDIR}/.$command $g_debugging $command; then
echo -n "Do you want to accept the new firewall configuration? [y/n] " echo -n "Do you want to accept the new firewall configuration? [y/n] "
@ -1019,7 +1091,7 @@ try_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if ! compiler run $g_debugging $nolock compile ${VARDIR}/.$command; then if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
status=$? status=$?
exit $status exit $status
fi fi
@ -1089,8 +1161,6 @@ reload_command() # $* = original arguments less the command.
getcaps= getcaps=
local root local root
root=root root=root
local compiler
compiler=
local libexec local libexec
libexec=/usr/share libexec=/usr/share
@ -1179,8 +1249,10 @@ reload_command() # $* = original arguments less the command.
ensure_config_path ensure_config_path
fi fi
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
progress_message "Getting Capabilities on system $system..." progress_message "Getting Capabilities on system $system..."
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
fatal_error "ERROR: Capturing capabilities on system $system failed" fatal_error "ERROR: Capturing capabilities on system $system failed"
fi fi
fi fi
@ -1226,8 +1298,6 @@ export_command() # $* = original arguments less the command.
finished=0 finished=0
local directory local directory
local target local target
local compiler
compiler=
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@ -1338,6 +1408,7 @@ version_command() {
finished=0 finished=0
local all local all
all= all=
local product
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@ -1682,6 +1753,11 @@ case "$COMMAND" in
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then if shorewall6_is_started ; then
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not supported in the current $g_product configuration"
exit 2
fi
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
block DROP Dropped $* block DROP Dropped $*
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -1694,6 +1770,11 @@ case "$COMMAND" in
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then if shorewall6_is_started ; then
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not supported in the current $g_product configuration"
exit 2
fi
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
block logdrop Dropped $* block logdrop Dropped $*
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -1762,14 +1843,9 @@ case "$COMMAND" in
g_restorepath=${VARDIR}/$RESTOREFILE g_restorepath=${VARDIR}/$RESTOREFILE
if [ -x $g_restorepath ]; then if [ -x $g_restorepath ]; then
if [ -x ${g_restorepath}-ipsets ]; then
rm -f ${g_restorepath}-ipsets
echo " ${g_restorepath}-ipsets removed"
fi
rm -f $g_restorepath rm -f $g_restorepath
rm -f ${g_restorepath}-iptables rm -f ${g_restorepath}-iptables
rm -f ${g_restorepath}-ipsets
echo " $g_restorepath removed" echo " $g_restorepath removed"
elif [ -f $g_restorepath ]; then elif [ -f $g_restorepath ]; then
echo " $g_restorepath exists and is not a saved Shorewall6 configuration" echo " $g_restorepath exists and is not a saved Shorewall6 configuration"