'shorewall check' now checks the nat and providers files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2594 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-30 20:29:42 +00:00
parent e949e18749
commit 6a47756293
4 changed files with 79 additions and 53 deletions


@ -8,6 +8,10 @@ Changes in 2.5.4
4) "shorewall check" now checks the proxyarp file.
5) "shorewall check" now checks the nat file.
6) "shorewall check" now checks the providers file.
Changes in 2.5.3
1) Allow exclusion lists in /etc/shorewall/tcrules.


@ -1216,6 +1216,7 @@ setup_providers()
eval ${table}_number=$number
if [ $COMMAND != check ]; then
run_and_save_command qt ip route flush table $number
if [ "x${duplicate:=-}" != x- ]; then
@ -1226,6 +1227,7 @@ setup_providers()
copy_table
fi
fi
fi
if [ "x$gateway" = xdetect ] ; then
#
@ -1246,16 +1248,19 @@ setup_providers()
[ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
fi
if [ $COMMAND != check ]; then
ensure_and_save_command ip route replace $gateway dev $interface table $number
ensure_and_save_command ip route add default via $gateway dev $interface table $number
fi
verify_mark $mark
eval ${table}_mark=$mark
if [ $COMMAND != check ]; then
run_and_save_command qt ip rule del fwmark $mark
ensure_and_save_command ip rule add fwmark $mark pref $((10000 + $mark)) table $number
fi
loose=
@ -1287,6 +1292,7 @@ setup_providers()
rulenum=0
if [ $COMMAND != check ]; then
find_interface_addresses $interface | while read address; do
run_and_save_command qt ip rule del from $address
if [ -z "$loose" ]; then
@ -1295,14 +1301,19 @@ setup_providers()
ensure_and_save_command ip rule add from $address pref $pref table $number
fi
done
fi
}
strip_file providers $1
if [ -s $TMP_DIR/providers ]; then
if [ $COMMAND != check ]; then
echo "Processing $1..."
save_progress_message "Restoring Providers..."
else
echo "Validating $1..."
fi
while read table number mark duplicate interface gateway options copy; do
expandv table number mark duplicate interface gateway options copy
@ -1312,6 +1323,7 @@ setup_providers()
progress_message " Provider $provider Added"
done < $TMP_DIR/providers
if [ $COMMAND != check ]; then
if [ -n "$PROVIDERS" ]; then
if [ -n "$DEFAULT_ROUTE" ]; then
ensure_and_save_command ip route replace default scope global $DEFAULT_ROUTE
@ -1344,6 +1356,7 @@ EOF
ensure_and_save_command ip route flush cache
fi
fi
}
#
@ -2878,6 +2891,7 @@ setup_nat() {
validate_one allints "ALL INTERFACES" $allints
validate_one localnat "LOCAL" $localnat
if [ $COMMAND != check ]; then
if [ -n "$allints" ]; then
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
@ -2888,6 +2902,7 @@ setup_nat() {
[ -n "$localnat" ] && \
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
fi
if [ -n "$add_ip_aliases" ]; then
list_search $external $ALIASES_TO_ADD || \
@ -2897,14 +2912,14 @@ setup_nat() {
#
# At this point, we're just interested in the network translation
#
> /var/lib/shorewall/nat
[ $COMMAND = check ] || > /var/lib/shorewall/nat
if [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out"
fi
[ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..."
[ -n "$RETAIN_ALIASES" -o $COMMAND = check ] || save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
@ -3670,12 +3685,18 @@ check_config() {
validate_policy
setup_providers $(find_file providers)
validate_blacklist
echo "Validating Proxy ARP"
strip_file proxyarp
setup_proxy_arp
echo "Validating NAT..."
strip_file nat
setup_nat
echo "Pre-validating Actions..."
process_actions1
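Review bot: Every guard this commit adds tests `$COMMAND` unquoted inside single-bracket `[ ]` — the `[ $COMMAND != check ]` lines throughout setup_providers and setup_nat, plus the `[ $COMMAND = check ]` test in front of the `> /var/lib/shorewall/nat` truncation — so an unset or empty COMMAND yields a test syntax error (`[ != check ]`) rather than a false result; the surrounding code already uses the `[ "x$gateway" = xdetect ]` form, so `[ "x$COMMAND" != xcheck ]` would match the file's own idiom. The guard in front of `save_progress_message "Restoring one-to-one NAT..."` also relies on the deprecated `-o` connective; `[ -n "$RETAIN_ALIASES" ] || [ "x$COMMAND" = xcheck ] || save_progress_message "Restoring one-to-one NAT..."` is equivalent and unambiguous. Separately, the `xdetect` gateway branch and its `fatal_error "Unable to detect the gateway through interface $interface"` are left outside the new check-mode guards, so if detection reads live interface state (its body lies outside the hunk) a valid configuration can fail `shorewall check` merely because the interface is currently down; a comment stating that check mode requires the interface to be up, or a warning-only path there, would make that explicit. setup_providers and setup_nat both begin before their first hunk, and check_config ends after its last.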


@ -74,9 +74,9 @@ allow)
check)
echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules, policy, masq, blacklist and proxyarp files. Use this if you are
unsure of any edits you have made to the shorewall configuration. See the
try command examples for a recommended way to make changes."
rules, policy, masq, blacklist, proxyarp, nat and provider files. Use this
if you are unsure of any edits you have made to the shorewall configuration.
See the try command examples for a recommended way to make changes."
;;
clear)


@ -30,7 +30,8 @@ New Features in Shorewall 2.5.4
Now, $1 = these, $2 = are and $3 = parameters
2) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist and /etc/shorewall/proxyarp files.
/etc/shorewall/blacklist, /etc/shorewall/proxyarp files,
/etc/shorewall/nat and /etc/shorewall/providers.
Problems Corrected in 2.5.3: