forked from extern/shorewall_code
Changes for 2.2.0 Beta 7
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1803 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
884e405222
commit
594884732a
@ -609,7 +609,7 @@ usage() # $1 = exit status
|
|||||||
echo " restart [ <directory> ]"
|
echo " restart [ <directory> ]"
|
||||||
echo " restore [ <file name> ]"
|
echo " restore [ <file name> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||||
echo " start [ <directory> ]"
|
echo " start [ <directory> ]"
|
||||||
echo " stop"
|
echo " stop"
|
||||||
echo " status"
|
echo " status"
|
||||||
@ -913,6 +913,24 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
show_classifiers
|
show_classifiers
|
||||||
;;
|
;;
|
||||||
|
zones)
|
||||||
|
[ $# -gt 2 ] && usage 1
|
||||||
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
if [ -f $STATEDIR/zones ]; then
|
||||||
|
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||||
|
echo
|
||||||
|
while read zone hosts; do
|
||||||
|
echo $zone
|
||||||
|
for host in $hosts; do
|
||||||
|
echo " $host"
|
||||||
|
done
|
||||||
|
done < $STATEDIR/zones
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
echo " ERROR: $STATEDIR/zones does not exist" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
shift
|
shift
|
||||||
|
|
||||||
@ -964,6 +982,10 @@ case "$1" in
|
|||||||
echo "IP Configuration"
|
echo "IP Configuration"
|
||||||
echo
|
echo
|
||||||
ip addr ls
|
ip addr ls
|
||||||
|
echo
|
||||||
|
echo "IP Stats"
|
||||||
|
echo
|
||||||
|
ip -stat link ls
|
||||||
|
|
||||||
if qt which brctl; then
|
if qt which brctl; then
|
||||||
echo
|
echo
|
||||||
@ -1143,6 +1165,8 @@ case "$1" in
|
|||||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||||
|
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||||
|
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||||
chmod +x $RESTOREPATH
|
chmod +x $RESTOREPATH
|
||||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||||
|
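Review bot: The new `zones)` case reads `$STATEDIR/zones` with `while read zone hosts; do` and prints with `echo $zone`, so backslashes in the file are interpreted and the zone name is re-split and glob-expanded before it is printed; the file is written by the firewall script, so this is a robustness point rather than an exposure, but the rest of the command output is what an operator audits zone membership against. I would use `while read -r zone hosts; do` and `echo "$zone"`, and quote the path test as `[ -f "$STATEDIR/zones" ]`. The `for host in $hosts` split is intentional and can stay as written. The enclosing `case "$1" in` starts and ends outside the hunk.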
@ -181,6 +181,17 @@ run_iptables2() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Quietly run iptables
|
||||||
|
#
|
||||||
|
qt_iptables() {
|
||||||
|
|
||||||
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
|
qt $IPTABLES $@
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Run ip and if an error occurs, stop the firewall and quit
|
# Run ip and if an error occurs, stop the firewall and quit
|
||||||
#
|
#
|
||||||
@ -1756,9 +1767,14 @@ setup_ipsec() {
|
|||||||
set_mss1() # $1 = chain, $2 = MSS
|
set_mss1() # $1 = chain, $2 = MSS
|
||||||
{
|
{
|
||||||
eval local policy=\$${1}_policy
|
eval local policy=\$${1}_policy
|
||||||
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
|
|
||||||
ensurechain $1
|
if [ "$policy" != NONE ]; then
|
||||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
case $COMMAND in
|
||||||
|
start|restart)
|
||||||
|
ensurechain $1
|
||||||
|
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -2066,8 +2082,9 @@ setup_mac_lists() {
|
|||||||
setup_syn_flood_chain ()
|
setup_syn_flood_chain ()
|
||||||
# $1 = policy chain
|
# $1 = policy chain
|
||||||
# $2 = synparams
|
# $2 = synparams
|
||||||
|
# $3 = loglevel
|
||||||
{
|
{
|
||||||
local chain=$1
|
local chain=@$1
|
||||||
local limit=$2
|
local limit=$2
|
||||||
local limit_burst=
|
local limit_burst=
|
||||||
|
|
||||||
@ -2078,9 +2095,11 @@ setup_syn_flood_chain ()
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
run_iptables -N @$chain
|
run_iptables -N $chain
|
||||||
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
|
run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
|
||||||
run_iptables -A @$chain -j DROP
|
[ -n "$3" ] && \
|
||||||
|
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
|
||||||
|
run_iptables -A $chain -j DROP
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5465,21 +5484,20 @@ determine_capabilities() {
|
|||||||
PHYSDEV_MATCH=
|
PHYSDEV_MATCH=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
|
|
||||||
if qt $IPTABLES -N fooX1234 ; then
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
fi
|
|
||||||
|
|
||||||
qt $IPTABLES -F fooX1234
|
|
||||||
qt $IPTABLES -X fooX1234
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
qt $IPTABLES -F fooX1234
|
||||||
|
qt $IPTABLES -X fooX1234
|
||||||
}
|
}
|
||||||
|
|
||||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||||
@ -6106,7 +6124,7 @@ add_common_rules() {
|
|||||||
|
|
||||||
run_iptables -A $(input_chain $interface) -j $chain
|
run_iptables -A $(input_chain $interface) -j $chain
|
||||||
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
||||||
run_iptables -A OUTPUT -j $(dynamic_out $interface)
|
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -6126,7 +6144,7 @@ apply_policy_rules() {
|
|||||||
eval loglevel=\$${chain}_loglevel
|
eval loglevel=\$${chain}_loglevel
|
||||||
eval synparams=\$${chain}_synparams
|
eval synparams=\$${chain}_synparams
|
||||||
|
|
||||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||||
|
|
||||||
if havechain $chain; then
|
if havechain $chain; then
|
||||||
[ -n "$synparams" ] && \
|
[ -n "$synparams" ] && \
|
||||||
@ -6280,8 +6298,9 @@ activate_rules()
|
|||||||
|
|
||||||
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
||||||
|
|
||||||
|
echo $zone $source_hosts >> ${STATEDIR}/zones
|
||||||
|
|
||||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||||
echo $zone $source_hosts >> ${STATEDIR}/zones
|
|
||||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||||
fi
|
fi
|
||||||
@ -6541,9 +6560,28 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
[ -n "$aliases_to_add" ] && \
|
[ -n "$aliases_to_add" ] && \
|
||||||
echo "Adding IP Addresses..." && add_ip_aliases
|
echo "Adding IP Addresses..." && add_ip_aliases
|
||||||
|
|
||||||
|
for file in chains nat proxyarp zones; do
|
||||||
|
append_file $file
|
||||||
|
done
|
||||||
|
|
||||||
|
save_progress_message "Restoring Netfilter Configuration..."
|
||||||
|
|
||||||
|
save_command 'iptables-restore << __EOF__'
|
||||||
|
|
||||||
|
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||||
|
|
||||||
|
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
|
||||||
|
|
||||||
|
> $RESTOREBASE
|
||||||
|
|
||||||
|
save_command "#"
|
||||||
|
save_command "# Restore tail file generated by Shorewall $version - $(date)"
|
||||||
|
save_command "#"
|
||||||
|
save_command "date > $STATEDIR/restarted"
|
||||||
|
|
||||||
run_user_exit start
|
run_user_exit start
|
||||||
|
|
||||||
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
||||||
|
|
||||||
createchain shorewall no
|
createchain shorewall no
|
||||||
|
|
||||||
@ -6553,19 +6591,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
rm -rf $TMP_DIR
|
rm -rf $TMP_DIR
|
||||||
|
|
||||||
for file in chains nat proxyarp zones; do
|
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||||
append_file $file
|
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||||
done
|
|
||||||
|
|
||||||
save_command "date > $STATEDIR/restarted"
|
|
||||||
|
|
||||||
save_progress_message "Restoring Netfilter Configuration..."
|
|
||||||
|
|
||||||
save_command 'iptables-restore << __EOF__'
|
|
||||||
|
|
||||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
|
||||||
|
|
||||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -6622,6 +6649,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
|
|
||||||
do_iptables() # $@ = command
|
do_iptables() # $@ = command
|
||||||
{
|
{
|
||||||
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
if ! $IPTABLES $@ ; then
|
if ! $IPTABLES $@ ; then
|
||||||
startup_error "Can't add $1 to zone $2"
|
startup_error "Can't add $1 to zone $2"
|
||||||
fi
|
fi
|
||||||
@ -6630,7 +6660,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Isolate interface and host parts
|
# Isolate interface and host parts
|
||||||
#
|
#
|
||||||
interface=${1%:*}
|
interface=${1%%:*}
|
||||||
host=${1#*:}
|
host=${1#*:}
|
||||||
|
|
||||||
[ -z "$host" ] && host="0.0.0.0/0"
|
[ -z "$host" ] && host="0.0.0.0/0"
|
||||||
@ -6735,7 +6765,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
while read z1 z2 chain; do
|
while read z1 z2 chain; do
|
||||||
if [ "$z1" = "$zone" ]; then
|
if [ "$z1" = "$zone" ]; then
|
||||||
if [ "$z2" = "$FW" ]; then
|
if [ "$z2" = "$FW" ]; then
|
||||||
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
|
||||||
else
|
else
|
||||||
source_chain=$(dynamic_fwd $interface)
|
source_chain=$(dynamic_fwd $interface)
|
||||||
eval dest_hosts=\"\$${z2}_hosts\"
|
eval dest_hosts=\"\$${z2}_hosts\"
|
||||||
@ -6745,7 +6775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6754,7 +6784,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Add a rule to the dynamic out chain for the interface
|
# Add a rule to the dynamic out chain for the interface
|
||||||
#
|
#
|
||||||
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
|
||||||
else
|
else
|
||||||
eval source_hosts=\"\$${z1}_hosts\"
|
eval source_hosts=\"\$${z1}_hosts\"
|
||||||
|
|
||||||
@ -6763,7 +6793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6809,7 +6839,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Isolate interface and host parts
|
# Isolate interface and host parts
|
||||||
#
|
#
|
||||||
interface=${1%:*}
|
interface=${1%%:*}
|
||||||
host=${1#*:}
|
host=${1#*:}
|
||||||
|
|
||||||
[ -z "$host" ] && host="0.0.0.0/0"
|
[ -z "$host" ] && host="0.0.0.0/0"
|
||||||
@ -6878,14 +6908,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Delete any nat table entries for the host(s)
|
# Delete any nat table entries for the host(s)
|
||||||
#
|
#
|
||||||
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat
|
||||||
#
|
#
|
||||||
# Delete rules rules the input chains for the passed interface
|
# Delete rules rules the input chains for the passed interface
|
||||||
#
|
#
|
||||||
while read z1 z2 chain; do
|
while read z1 z2 chain; do
|
||||||
if [ "$z1" = "$zone" ]; then
|
if [ "$z1" = "$zone" ]; then
|
||||||
if [ "$z2" = "$FW" ]; then
|
if [ "$z2" = "$FW" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
|
||||||
else
|
else
|
||||||
source_chain=$(dynamic_fwd $interface)
|
source_chain=$(dynamic_fwd $interface)
|
||||||
eval dest_hosts=\"\$${z2}_hosts\"
|
eval dest_hosts=\"\$${z2}_hosts\"
|
||||||
@ -6895,13 +6925,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [ "$z2" = "$zone" ]; then
|
elif [ "$z2" = "$zone" ]; then
|
||||||
if [ "$z1" = "$FW" ]; then
|
if [ "$z1" = "$FW" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
|
||||||
else
|
else
|
||||||
eval source_hosts=\"\$${z1}_hosts\"
|
eval source_hosts=\"\$${z1}_hosts\"
|
||||||
|
|
||||||
@ -6910,7 +6940,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
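Review bot: `echo $zone $source_hosts >> ${STATEDIR}/zones` in activate_rules now runs for every zone on every start/restart, not only when `DYNAMIC_ZONES` is set, and it appends; unless something outside these hunks truncates `${STATEDIR}/zones` before activate_rules runs, the file grows across restarts and `shorewall show zones`, which reads it line by line, will keep reporting hosts that were removed from the configuration. If no such reset exists, I would add `> ${STATEDIR}/zones` alongside wherever `${STATEDIR}/chains` is reset, so that the file always reflects the currently loaded ruleset. A stale membership listing is worse than none for someone checking which hosts a policy applies to. activate_rules starts and ends outside the hunk.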
@ -1,6 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall 2.1 -- /usr/share/shorewall/functions
|
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||||
|
|
||||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||||
# rather than ${v:first:last} because light-weight shells like ash and
|
# rather than ${v:first:last} because light-weight shells like ash and
|
||||||
@ -73,9 +73,9 @@ qt()
|
|||||||
#
|
#
|
||||||
# Perform variable substitution on the passed argument and echo the result
|
# Perform variable substitution on the passed argument and echo the result
|
||||||
#
|
#
|
||||||
expand() # $1 = contents of variable which may be the name of another variable
|
expand() # $@ = contents of variable which may be the name of another variable
|
||||||
{
|
{
|
||||||
eval echo \"$1\"
|
eval echo \"$@\"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -459,7 +459,7 @@ read_file() # $1 = file name, $2 = nest count
|
|||||||
while read first rest; do
|
while read first rest; do
|
||||||
if [ "x$first" = "xINCLUDE" ]; then
|
if [ "x$first" = "xINCLUDE" ]; then
|
||||||
if [ $2 -lt 4 ]; then
|
if [ $2 -lt 4 ]; then
|
||||||
read_file $(find_file ${rest%#*}) $(($2 + 1))
|
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
|
||||||
else
|
else
|
||||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||||
fi
|
fi
|
||||||
@ -477,7 +477,7 @@ read_file() # $1 = file name, $2 = nest count
|
|||||||
# Function for including one file into another
|
# Function for including one file into another
|
||||||
#
|
#
|
||||||
INCLUDE() {
|
INCLUDE() {
|
||||||
. $(find_file $@)
|
. $(find_file $(expand $@))
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
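Review bot: `expand()` now runs `eval echo \"$@\"` over the argument of every `INCLUDE` line (both in read_file and in the INCLUDE function), so the file name is shell-interpreted before `find_file` sees it: `INCLUDE $(cmd)` or a backquoted string in a configuration file executes `cmd` with the firewall's privileges. The included file is afterwards sourced with `.`, so configuration files were already a code-execution surface, but this extends it to the INCLUDE argument itself, and the header comment should say so, e.g. `# Uses eval: the argument is shell-interpreted, so configuration files must be root-owned and not writable by others`. Note also that with several arguments `eval echo \"$@\"` joins them into one quoted word, and an unbalanced quote in the argument makes `eval` fail with an unrelated shell error rather than a clear INCLUDE message; if only variable expansion is intended, rejecting `` ` `` and `$(` explicitly with a `case` before the `eval` would keep the feature without the command substitution. read_file starts outside the hunk.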
@ -29,11 +29,11 @@
|
|||||||
case $1 in
|
case $1 in
|
||||||
|
|
||||||
add)
|
add)
|
||||||
echo "add: add <interface>[:<host>] <zone>
|
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||||
|
|
||||||
shorewall add interface[:host] zone - Adds the specified interface
|
shorewall add interface[:host] zone - Adds the specified interface
|
||||||
(and host if included) to the specified zone.
|
(and bridge port/host if included) to the specified zone.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
@ -95,11 +95,11 @@ debug)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
delete)
|
delete)
|
||||||
echo "delete: delete <interface>[:<host>] <zone>
|
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||||
|
|
||||||
shorewall delete interface[:host] zone - Deletes the specified
|
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||||
interface (and host if included) from the specified zone.
|
interface (and bridge port/host if included) from the specified zone.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
@ -219,7 +219,7 @@ save)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
show)
|
show)
|
||||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
|
||||||
|
|
||||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||||
(iptables -L chain -n -v)
|
(iptables -L chain -n -v)
|
||||||
@ -238,6 +238,8 @@ show)
|
|||||||
shorewall show tc - displays information about the traffic
|
shorewall show tc - displays information about the traffic
|
||||||
control/shaping configuration.
|
control/shaping configuration.
|
||||||
|
|
||||||
|
shorewall show zones - displays the contents of all zones.
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
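Review bot: The `add)` text updates the synopsis to `add <interface>[:<bridge-port>][:<host>] <zone>` but the explanatory line two lines below still reads `shorewall add interface[:host] zone`, while the `delete)` case was changed to `interface[:port][:host]`; the two help entries now describe the same syntax differently. Change the add line to `shorewall add interface[:port][:host] zone - Adds the specified interface` so both match the synopsis.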
@ -1 +1 @@
|
|||||||
2.2.0-Beta6
|
2.2.0-Beta7
|
||||||
|
@ -1635,7 +1635,7 @@ alias ipt_pkttype off</programlisting>
|
|||||||
url="http://www.cityofshoreline.com">the city where I live</ulink>) and
|
url="http://www.cityofshoreline.com">the city where I live</ulink>) and
|
||||||
<quote>Fire<emphasis>wall</emphasis></quote>. The full name of the
|
<quote>Fire<emphasis>wall</emphasis></quote>. The full name of the
|
||||||
product is actually <quote>Shoreline Firewall</quote> but
|
product is actually <quote>Shoreline Firewall</quote> but
|
||||||
<quote>Shorewall</quote> is must more commonly used.</para>
|
<quote>Shorewall</quote> is much more commonly used.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq23">
|
<section id="faq23">
|
||||||
@ -1740,8 +1740,9 @@ alias ipt_pkttype off</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Netfilter/iptables doesn't fully support IPSEC in the 2.6
|
<para>Netfilter/iptables doesn't fully support IPSEC in the 2.6
|
||||||
Kernels -- there are interim instructions linked from the <ulink
|
Kernels -- kernel and iptables patches are available and the details
|
||||||
url="IPSEC.htm">Shorewall IPSEC page</ulink>.</para>
|
may be found at the <ulink url="IPSEC-2.6.htm">Shorewall IPSEC-2.6
|
||||||
|
page</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|