holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Remove 'check' command

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@470 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-25 16:21:41 +00:00
parent 99bcc9cc39
commit 5f0d26d1b9
2 changed files with 2 additions and 400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

396
Shorewall/firewall
View File

@ -38,8 +38,6 @@
# shorewall clear Remove all Shorewall chains # shorewall clear Remove all Shorewall chains
# and rules/policies. # and rules/policies.
# shorewall refresh . Rebuild the common chain # shorewall refresh . Rebuild the common chain
# shorewall check Verify the more heavily-used
# configuration files.
# #
# Search a list looking for a match -- returns zero if a match found # Search a list looking for a match -- returns zero if a match found
@ -655,338 +653,6 @@ mac_match() # $1 = MAC address formated as described above
echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`"
} }
#
# validate a record from the rules file
#
# The caller has loaded the column contents from the record into the following
# variables:
#
# target clients servers protocol ports cports address
#
# and has loaded a space-separated list of their values in "rule".
#
validate_rule() {
#
# Ensure that the passed comma-separated list has 15 or fewer elements
#
validate_list() {
local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ]
}
#
# validate one rule
#
validate_a_rule() {
#
# Determine the format of the client
#
cli=
[ -n "$client" ] && case "$client" in
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*)
cli=`mac_match $client`
;;
*.*.*)
#
# IP Address, address or subnet
#
cli="-s $client"
;;
*)
#
# Assume that this is a device name
#
cli="-i $client"
;;
esac
dest_interface=
[ -n "$server" ] && case "$server" in
-)
serv=
;;
*.*.*)
serv=$server
;;
~*)
startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
dest_interface="-o $server"
serv=
;;
esac
#
# Setup PROTOCOL, PORT and STATE variables
#
sports=""
dports=""
state="-m state --state NEW"
proto=$protocol
addr=$address
servport=$serverport
case $proto in
tcp|udp|TCP|UDP|6|17)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
dports="--dport $port"
[ -n "$cport" ] && [ "x${cport}" != "x-" ] && \
sports="--sport $cport"
;;
icmp|ICMP|0)
[ -n "$port" ] && dports="--icmp-type $port"
state=""
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
;;
esac
proto="${proto:+-p $proto}"
case "$logtarget" in
REJECT)
target=reject
[ -n "$servport" ] && \
startup_error "Server port may not be specified in a REJECT rule;"\
"rule: \"$rule\""
;;
ACCEPT)
[ -n "$servport" ] && \
startup_error "Server port may not be specified in an ACCEPT rule;"\
"rule: \"$rule\""
;;
CONTINUE)
target=RETURN
[ -n "$servport" ] && \
startup_error "Server port may not be specified in a CONTINUE rule;"\
"rule: \"$rule\""
;;
LOG)
[ -n "$servport" ] && \
startup_error "Server port may not be specified in an LOG rule;"\
"rule: \"$rule\""
[ -n "$loglevel" ] || \
startup_error "LOG target requires a log level"
;;
REDIRECT)
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
;;
DNAT)
[ -n "$serv" ] || startup_error "DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
fi
if [ -n "${serv}${servport}" ]; then
#
# Destination is a Specific Server or we're redirecting a port
#
if [ -n "$addr" -a "$addr" != "$serv" ]; then
#
# Must use Prerouting DNAT
#
if [ -z "$NAT_ENABLED" ]; then
startup_error \
"Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
startup_error "Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
fi
else
[ -n "$addr" ] && startup_error \
"An ADDRESS ($addr) is only allowed in" \
" a DNAT or REDIRECT rule: \"$rule\""
fi
}
#
# V a l i d a t e _ R u l e S t a r t s H e r e
#
# Parse the Target and Clients columns
#
if [ "$target" = "${target%:*}" ]; then
loglevel=
else
loglevel="${target#*:}"
target="${target%:*}"
expandv loglevel
fi
logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed.
#
case $target in
DNAT)
target=ACCEPT
address=${address:=detect}
;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="fw::$servers"
fi
;;
ACCEPT|DROP|REJECT|LOG)
;;
*)
startup_error "Invalid target; rule: \"$rule\""
esac
if [ "$clients" = "${clients%:*}" ]; then
clientzone="$clients"
clients=
else
clientzone="${clients%%:*}"
clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Empty source zone or qualifier: rule \"$rule\""
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
excludezones="${clientzone#*\!}"
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error "Exclude list only allowed with DNAT or REDIRECT"
fi
#
# Validate the Source Zone
#
if ! validate_zone $clientzone; then
[ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\""
fi
source=$clientzone
[ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\"
#
# Parse the servers column
#
if [ "$servers" = "${servers%:*}" ] ; then
serverzone="$servers"
servers=
serverport=
else
serverzone="${servers%%:*}"
servers="${servers#*:}"
if [ "$servers" != "${servers%:*}" ] ; then
serverport="${servers#*:}"
servers="${servers%:*}"
[ -z "$serverzone" -o -z "$serverport" ] && \
startup_error "Empty destination zone or server port: rule \"$rule\""
else
serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Empty destination zone or qualifier: rule \"$rule\""
fi
fi
#
# Validate the destination zone
#
if ! validate_zone $serverzone; then
[ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\""
fi
dest=$serverzone
chain=${source}2${dest}
if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in
REDIRECT)
;;
*)
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
;;
esac
fi
#
# Check length of port lists if MULTIPORT set
#
if [ -n "$MULTIPORT" ]; then
validate_list $ports ||
error_message "Warning: Too many destination ports: Rule \"$rule\""
validate_list $cports ||
error_message "Warning: Too many source ports: Rule \"$rule\""
fi
#
# Iterate through the various lists validating individual rules
#
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
validate_a_rule
done
done
done
done
echo " Rule \"$rule\" validated."
}
#
# validate the rules file
#
validate_rules() # $1 = name of rules file
{
strip_file rules
while read target clients servers protocol ports cports address; do
expandv clients servers protocol ports cports address
case "$target" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule
;;
*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
startup_error "Invalid Target - rule \"$rule\" ignored"
;;
esac
done < $TMP_DIR/rules
}
# #
# validate the policy file # validate the policy file
# #
@ -1002,14 +668,6 @@ validate_policy()
local loglevel local loglevel
local synparams local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
strip_file policy strip_file policy
@ -1076,7 +734,6 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi fi
done done
done done
@ -1086,7 +743,6 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi fi
done done
fi fi
@ -1096,12 +752,10 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -4091,50 +3745,6 @@ define_firewall() # $1 = Command (Start or Restart)
rm -rf $TMP_DIR rm -rf $TMP_DIR
} }
#
# Check the configuration
#
check_config() {
echo "Verifying Configuration..."
verify_os_version
load_kernel_modules
echo "Determining Zones..."
determine_zones
[ -z "$zones" ] && startup_error "No Zones Defined"
display_list "Zones:" $zones
echo "Validating interfaces file..."
validate_interfaces_file
echo "Validating hosts file..."
validate_hosts_file
echo "Determining Hosts in Zones..."
determine_interfaces
determine_hosts
echo "Validating rules file..."
validate_rules
echo "Validating policy file..."
validate_policy
rm -rf $TMP_DIR
echo "Configuration Validated"
}
# #
# Rebuild the common chain # Rebuild the common chain
# #
@ -4864,12 +4474,6 @@ case "$command" in
my_mutex_off my_mutex_off
;; ;;
check)
[ $# -ne 1 ] && usage
do_initialize
check_config
;;
add) add)
[ $# -ne 3 ] && usage [ $# -ne 3 ] && usage
do_initialize do_initialize

6
Shorewall/shorewall
View File

@ -60,8 +60,6 @@
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers # shorewall show classifiers Display classifiers
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if # shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the # it doesn't work, revert to the
# standard one. If a timeout is supplied # standard one. If a timeout is supplied
@ -84,6 +82,7 @@
# #
# Display a chain if it exists # Display a chain if it exists
# #
showfirstchain() # $1 = name of chain showfirstchain() # $1 = name of chain
{ {
awk \ awk \
@ -500,7 +499,6 @@ usage() # $1 = exit status
echo " hits" echo " hits"
echo " monitor [<refresh interval>]" echo " monitor [<refresh interval>]"
echo " version" echo " version"
echo " check"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " drop <address> ..." echo " drop <address> ..."
@ -641,7 +639,7 @@ case `echo -n "Testing"` in
esac esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $FIREWALL $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;