Make all references to directories indirect

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4033 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-09 16:35:55 +00:00
parent 1605f6d9bd
commit 6f073f6cfd
4 changed files with 142 additions and 113 deletions


@ -40,6 +40,10 @@
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall # SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control. # VERBOSE Standard Shorewall verbosity control.
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
# Fatal error -- stops the compiler after issuing the error message # Fatal error -- stops the compiler after issuing the error message
# #
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
@ -783,11 +787,11 @@ match_dest_hosts()
# #
# Similarly, the source or destination in a rule can be qualified by a device name. If # Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is # the device is defined in ${CONFDIR}/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated. # generated (-i or -o); otherwise, a physdev match is generated.
#------------------------------------------------------------------------------------- #-------------------------------------------------------------------------------------
# #
# loosely match the passed interface with those in /etc/shorewall/interfaces. # loosely match the passed interface with those in ${CONFDIR}/interfaces.
# #
known_interface() # $1 = interface name known_interface() # $1 = interface name
{ {
@ -1466,7 +1470,7 @@ validate_hosts_file() {
case $host in case $host in
*:*) *:*)
known_interface ${host%:*} && \ known_interface ${host%:*} && \
fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
check_bridge_port ${host%%:*} check_bridge_port ${host%%:*}
;; ;;
*.*.*) *.*.*)
@ -1476,7 +1480,7 @@ validate_hosts_file() {
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
check_bridge_port $host check_bridge_port $host
;; ;;
esac esac
@ -2692,13 +2696,13 @@ setup_syn_flood_chains()
# #
delete_proxy_arp() { delete_proxy_arp() {
indent >&3 << __EOF__ indent >&3 << __EOF__
if [ -f /var/lib/shorewall/proxyarp ]; then if [ -f \${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i \$external -d \$address pub qt arp -i \$external -d \$address pub
[ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface [ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface
done < /var/lib/shorewall/proxyarp done < \${VARDIR}/proxyarp
rm -f {/var/lib/shorewall}/nat rm -f ${VARDIR}/nat
fi fi
for f in /proc/sys/net/ipv4/conf/*; do for f in /proc/sys/net/ipv4/conf/*; do
@ -2800,12 +2804,12 @@ delete_nat() {
indent >&3 << __EOF__ indent >&3 << __EOF__
if [ -f /var/lib/shorewall/nat ]; then if [ -f \${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
ip_addr_del \$external \$interface ip_addr_del \$external \$interface
done < /var/lib/shorewall/nat done < \${VARDIR}/nat
rm -f {/var/lib/shorewall}/nat rm -f \${VARDIR}/nat
fi fi
__EOF__ __EOF__
@ -3689,7 +3693,7 @@ process_action() # $1 = chain (Chain to add the rules to)
} }
# #
# Append a file in /var/lib/shorewall to $OUTPUT # Append a file in ${VARDIR} to $OUTPUT
# #
append_action_file() # $1 = File Name append_action_file() # $1 = File Name
{ {
@ -3987,8 +3991,8 @@ merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest f
# #
# The next three functions implement the three phases of action processing. # The next three functions implement the three phases of action processing.
# #
# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std # The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
# and /etc/shorewall/actions are scanned (in that order) and for each action: # and ${CONFDIR}/actions are scanned (in that order) and for each action:
# #
# a) The related action definition file is located and scanned. # a) The related action definition file is located and scanned.
# b) Forward and unresolved action references are trapped as errors. # b) Forward and unresolved action references are trapped as errors.
@ -4018,7 +4022,7 @@ process_actions1() {
strip_file actions strip_file actions
strip_file actions.std /usr/share/shorewall/actions.std strip_file actions.std ${SHAREDIR}/actions.std
for inputfile in actions.std actions; do for inputfile in actions.std actions; do
while read xaction rest; do while read xaction rest; do
@ -4486,7 +4490,7 @@ add_nat_rule() {
# Parse SNAT address if any # Parse SNAT address if any
if [ "$addr" != "${addr%:*}" ]; then if [ "$addr" != "${addr%:*}" ]; then
fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead" fatal_error "SNAT may no longer be specified in a DNAT rule; use ${CONFDIR}/masq instead"
fi fi
# Set original destination address # Set original destination address
@ -6908,7 +6912,7 @@ initialize_netfilter () {
indent >&3 << __EOF__ indent >&3 << __EOF__
if [ -f /var/lib/shorewall/save ]; then if [ -f \${VARDIR}/save ]; then
progress_message2 "Setting up dynamic rules..." progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do while read target ignore1 ignore2 address rest; do
case \$target in case \$target in
@ -6916,7 +6920,7 @@ if [ -f /var/lib/shorewall/save ]; then
run_iptables -A dynamic -s \$address -j \$target run_iptables -A dynamic -s \$address -j \$target
;; ;;
esac esac
done < /var/lib/shorewall/save done < \${VARDIR}/save
fi fi
__EOF__ __EOF__
@ -7785,12 +7789,12 @@ stop_firewall() {
\$IPTABLES -t nat -F \$IPTABLES -t nat -F
\$IPTABLES -t nat -X \$IPTABLES -t nat -X
if [ -f /var/lib/shorewall/nat ]; then if [ -f \${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
ip_addr_del \$external dev \$interface ip_addr_del \$external dev \$interface
done < /var/lib/shorewall/nat done < \${VARDIR}/nat
rm -f /var/lib/shorewall/nat rm -f \${VARDIR}/nat
fi fi
} }
@ -7802,7 +7806,7 @@ stop_firewall() {
[ -n "\${RESTOREFILE:=restore}" ] [ -n "\${RESTOREFILE:=restore}" ]
RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE RESTOREPATH=\${VARDIR}/\$RESTOREFILE
if [ -x \$RESTOREPATH ]; then if [ -x \$RESTOREPATH ]; then
@ -7874,11 +7878,11 @@ __EOF__
done done
fi fi
if [ -f /var/lib/shorewall/proxyarp ]; then if [ -f \${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i \$external -d \$address pub qt arp -i \$external -d \$address pub
[ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface [ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface
done < /var/lib/shorewall/proxyarp done < \${VARDIR}/proxyarp
fi fi
for f in /proc/sys/net/ipv4/conf/*; do for f in /proc/sys/net/ipv4/conf/*; do
@ -8081,9 +8085,23 @@ compile_firewall() # $1 = File Name
# #
__EOF__ __EOF__
if [ -n "$EXPORT" ]; then
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
VARDIR=/var/lib/shorewall
__EOF__
else
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
VARDIR=/var/lib/shorewall
__EOF__
fi
cat >&3 << __EOF__ cat >&3 << __EOF__
. /usr/share/shorewall/functions . \${SHAREDIR}/functions
__EOF__ __EOF__
compile_stop_firewall compile_stop_firewall
@ -8211,11 +8229,11 @@ __EOF__
INDENT=" " INDENT=" "
cat >&3 << __EOF__ cat >&3 << __EOF__
if [ ! -f /usr/share/shorewall/version ]; then if [ ! -f \${SHAREDIR}/version ]; then
fatal_error "This script requires Shorewall or Shorewall Lite which do not appear to be installed on this system" fatal_error "This script requires Shorewall or Shorewall Lite which do not appear to be installed on this system"
fi fi
local version=\$(cat /usr/share/shorewall/version) local version=\$(cat \${SHAREDIR}/version)
if [ \${LIBVERSION:-0} -lt 30191 ]; then if [ \${LIBVERSION:-0} -lt 30191 ]; then
fatal_error "This script requires Shorewall [Lite] version 3.2.0-Beta7 or later; current version is \$version" fatal_error "This script requires Shorewall [Lite] version 3.2.0-Beta7 or later; current version is \$version"
@ -8275,9 +8293,9 @@ __EOF__
STOPPING= STOPPING=
# #
# The library requires that /var/lib/shorewall exist # The library requires that ${VARDIR} exist
# #
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d \${VARDIR} ] || mkdir -p \${VARDIR}
} }
@ -8378,7 +8396,7 @@ __EOF__
fi fi
for file in chains nat proxyarp zones; do for file in chains nat proxyarp zones; do
save_command "cat > /var/lib/shorewall/$file $LEFTSHIFT __EOF__" save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__"
cat $STATEDIR/$file >&3 cat $STATEDIR/$file >&3
save_command_unindented __EOF__ save_command_unindented __EOF__
done done
@ -8390,7 +8408,7 @@ __EOF__
fi fi
__EOF__ __EOF__
save_command "date > /var/lib/shorewall/restarted" save_command "date > \${VARDIR}/restarted"
append_file start append_file start
@ -8404,7 +8422,7 @@ __EOF__
cat >&3 << __EOF__ cat >&3 << __EOF__
cp -f \$(my_pathname) /var/lib/shorewall/.restore cp -f \$(my_pathname) \${VARDIR}/.restore
case \$COMMAND in case \$COMMAND in
start) start)
@ -8425,7 +8443,7 @@ __EOF__
# #
restore_firewall() restore_firewall()
{ {
iptables_save_file=/var/lib/shorewall/\$(basename \$0)-iptables iptables_save_file=\${VARDIR}/\$(basename \$0)-iptables
fatal_error() fatal_error()
{ {
@ -8565,7 +8583,7 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/share/shorewall SHARED_DIR=${SHAREDIR}
FUNCTIONS= FUNCTIONS=
VERSION_FILE= VERSION_FILE=
LOGFORMAT= LOGFORMAT=
@ -8905,7 +8923,7 @@ case "$COMMAND" in
call) call)
# #
# Undocumented way to call functions in /usr/share/shorewall/compiler directly # Undocumented way to call functions in ${SHAREDIR}/compiler directly
# #
shift shift
do_initialize do_initialize
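Review bot: In the delete_proxy_arp hunk, the new `rm -f ${VARDIR}/nat` is the only line in that heredoc whose `${VARDIR}` is not backslash-escaped, so it is expanded while the compiler runs rather than when the generated script runs, unlike the `\${VARDIR}/proxyarp` reads two lines above it; today both values are the same constant, but an exported script would carry the compiling host's path once they can differ. The file being removed also looks wrong for a proxy-ARP teardown: delete_nat further down already does `rm -f \${VARDIR}/nat`, and the firewall script's delete_proxy_arp in this same commit removes `${VARDIR}/proxyarp`, so here the proxyarp state file is presumably left behind while the nat one is deleted early. Suggested line: `rm -f \${VARDIR}/proxyarp`. delete_proxy_arp's heredoc continues past the end of the hunk.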


@ -40,6 +40,9 @@
# and rules/policies. # and rules/policies.
# shorewall refresh . Rebuild the common chain # shorewall refresh . Rebuild the common chain
# #
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
# Mutual exclusion -- These functions are jackets for the mutual exclusion # Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in $FUNCTIONS. They invoke # routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did # the corresponding function in that file if the user did
@ -551,11 +554,11 @@ match_dest_hosts()
# #
# Similarly, the source or destination in a rule can be qualified by a device name. If # Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is # the device is defined in ${CONFDIR}/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated. # generated (-i or -o); otherwise, a physdev match is generated.
#------------------------------------------------------------------------------------- #-------------------------------------------------------------------------------------
# #
# loosely match the passed interface with those in /etc/shorewall/interfaces. # loosely match the passed interface with those in ${CONFDIR}/interfaces.
# #
known_interface() # $1 = interface name known_interface() # $1 = interface name
{ {
@ -1126,7 +1129,7 @@ stop_firewall() {
[ -n "${RESTOREFILE:=restore}" ] [ -n "${RESTOREFILE:=restore}" ]
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
@ -1422,7 +1425,7 @@ setup_ipsec() {
# Delete existing Proxy ARP # Delete existing Proxy ARP
# #
delete_proxy_arp() { delete_proxy_arp() {
if [ -f /var/lib/shorewall/proxyarp ]; then if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
case $COMMAND in case $COMMAND in
stop|clear) stop|clear)
@ -1442,9 +1445,9 @@ delete_proxy_arp() {
fi fi
;; ;;
esac esac
done < /var/lib/shorewall/proxyarp done < ${VARDIR}/proxyarp
rm -f /var/lib/shorewall/proxyarp rm -f ${VARDIR}/proxyarp
fi fi
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp [ -d $STATEDIR ] && touch $STATEDIR/proxyarp
@ -1476,12 +1479,12 @@ delete_nat() {
run_iptables -t nat -F run_iptables -t nat -F
run_iptables -t nat -X run_iptables -t nat -X
if [ -f /var/lib/shorewall/nat ]; then if [ -f ${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
qt ip addr del $external dev $interface qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat done < ${VARDIR}/nat
rm -f {/var/lib/shorewall}/nat rm -f ${VARDIR}/nat
fi fi
[ -d $STATEDIR ] && touch $STATEDIR/nat [ -d $STATEDIR ] && touch $STATEDIR/nat
@ -1734,7 +1737,7 @@ check_disabled_startup() {
echo " Shorewall Startup is disabled -- to enable startup" echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration," echo " after you have completed Shorewall configuration,"
echo " change the setting of STARTUP_ENABLED to Yes in" echo " change the setting of STARTUP_ENABLED to Yes in"
echo " /etc/shorewall/shorewall.conf" echo " ${CONFDIR}/shorewall.conf"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
@ -1921,12 +1924,12 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
# #
# Be sure that Shorewall has been restarted using a DZ-aware version of the code # Be sure that Shorewall has been restarted using a DZ-aware version of the code
# #
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
# #
# Check for duplicates and create a new zone state file # Check for duplicates and create a new zone state file
# #
> /var/lib/shorewall/zones_$$ > ${VARDIR}/zones_$$
while read z type hosts; do while read z type hosts; do
if [ "$z" = "$zone" ]; then if [ "$z" = "$zone" ]; then
@ -1944,10 +1947,10 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
eval ${z}_hosts=\"$hosts\" eval ${z}_hosts=\"$hosts\"
echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$ echo "$z $type $hosts" >> ${VARDIR}/zones_$$
done < /var/lib/shorewall/zones done < ${VARDIR}/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error TERMINATOR=fatal_error
# #
@ -2017,7 +2020,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
done done
fi fi
fi fi
done < /var/lib/shorewall/chains done < ${VARDIR}/chains
progress_message "$newhost added to zone $zone" progress_message "$newhost added to zone $zone"
@ -2093,12 +2096,12 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Be sure that Shorewall has been restarted using a DZ-aware version of the code # Be sure that Shorewall has been restarted using a DZ-aware version of the code
# #
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
# #
# Delete the passed hosts from the zone state file # Delete the passed hosts from the zone state file
# #
> /var/lib/shorewall/zones_$$ > ${VARDIR}/zones_$$
while read z hosts; do while read z hosts; do
if [ "$z" = "$zone" ]; then if [ "$z" = "$zone" ]; then
@ -2132,10 +2135,10 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval ${z}_hosts=\"$hosts\" eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> /var/lib/shorewall/zones_$$ echo "$z $hosts" >> ${VARDIR}/zones_$$
done < /var/lib/shorewall/zones done < ${VARDIR}/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error TERMINATOR=fatal_error
@ -2192,7 +2195,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
done done
fi fi
fi fi
done < /var/lib/shorewall/chains done < ${VARDIR}/chains
progress_message "$delhost removed from zone $zone" progress_message "$delhost removed from zone $zone"
@ -2295,7 +2298,7 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/share/shorewall SHARED_DIR=${SHAREDIR}
FUNCTIONS= FUNCTIONS=
VERSION_FILE= VERSION_FILE=
LOGFORMAT= LOGFORMAT=
@ -2399,7 +2402,7 @@ do_initialize() {
fi fi
determine_capabilities determine_capabilities
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
else else
f=$(find_file capabilities) f=$(find_file capabilities)
@ -2640,7 +2643,7 @@ case "$COMMAND" in
$IPTABLES -t nat -Z $IPTABLES -t nat -Z
$IPTABLES -t mangle -Z $IPTABLES -t mangle -Z
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
date > /var/lib/shorewall/restarted date > ${VARDIR}/restarted
my_mutex_off my_mutex_off
;; ;;
@ -2701,7 +2704,7 @@ case "$COMMAND" in
call) call)
# #
# Undocumented way to call functions in /usr/share/shorewall/firewall directly # Undocumented way to call functions in ${SHAREDIR}/firewall directly
# #
shift shift
do_initialize do_initialize
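Review bot: The first hunk assigns SHAREDIR, VARDIR and CONFDIR unconditionally, whereas the functions file in this same commit defaults them with `${VAR:=...}`, so the two files follow different policies on whether an inherited environment value is honoured. For a script that runs as root and later reads lock, state and restore files from VARDIR, the unconditional assignment here is the safer of the two, but nothing says it is deliberate and a later "cleanup" could easily switch it to the `:=` form. A comment above the three lines would pin the intent: `# Hard-coded on purpose: values inherited from the environment are ignored, since this script runs as root and trusts these paths.`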


@ -28,6 +28,10 @@
LIBVERSION=30191 LIBVERSION=30191
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
[ -n "${CONFDIR:=/etc/shorewall}" ]
# #
# Message to stderr # Message to stderr
# #
@ -210,7 +214,7 @@ my_pathname() {
# Set default config path # Set default config path
# #
ensure_config_path() { ensure_config_path() {
local F=/usr/share/shorewall/configpath local F=${SHAREDIR}/configpath
if [ -z "$CONFIG_PATH" ]; then if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F . $F
@ -218,7 +222,7 @@ ensure_config_path() {
} }
# #
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in ${CONFDIR}
# #
find_file() find_file()
{ {
@ -244,7 +248,7 @@ find_file()
IFS=$saveifs IFS=$saveifs
echo /etc/shorewall/$1 echo ${CONFDIR}/$1
fi fi
;; ;;
esac esac
@ -445,13 +449,13 @@ load_kernel_modules()
mutex_on() mutex_on()
{ {
local try=0 local try=0
local lockf=/var/lib/shorewall/lock local lockf=${VARDIR}/lock
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
if [ $MUTEX_TIMEOUT -gt 0 ]; then if [ $MUTEX_TIMEOUT -gt 0 ]; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
if qt mywhich lockfile; then if qt mywhich lockfile; then
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
@ -476,7 +480,7 @@ mutex_on()
# #
mutex_off() mutex_off()
{ {
rm -f /var/lib/shorewall/lock rm -f ${VARDIR}/lock
} }
# #
@ -1161,7 +1165,7 @@ mywhich() {
# #
set_state () # $1 = state set_state () # $1 = state
{ {
echo "$1 ($(date))" > /var/lib/shorewall/state echo "$1 ($(date))" > ${VARDIR}/state
} }
# #
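Review bot: The `:=` defaults added at the top of the first hunk mean this file honours whatever SHAREDIR, VARDIR and CONFDIR it inherits, and ensure_config_path below sources `${SHAREDIR}/configpath` with `. $F`, so any entry point that sources functions without first assigning SHAREDIR will source a path taken from the environment while running as root. The compiler, firewall and /sbin/shorewall scripts in this commit do assign the three variables before sourcing, so the exposure is limited to other sourcers such as the generated ipset restore script, which from what is visible only writes the path to functions itself. Either assign the variables unconditionally here, matching the callers, or add a comment above the defaults: `# Callers are expected to set SHAREDIR/VARDIR/CONFDIR before sourcing this file; these defaults honour the environment and are not a trust boundary.` The `[ -n "${VARDIR:=...}" ]` form also reads like a test rather than an assignment; `: "${VARDIR:=/var/lib/shorewall}"` makes the default-assignment intent explicit.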


@ -113,6 +113,10 @@
# shorewall compile [ <directory> ] ]<filename> # shorewall compile [ <directory> ] ]<filename>
# Compile a firewall program file. # Compile a firewall program file.
# #
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
# Fatal Error # Fatal Error
# #
fatal_error() # $@ = Message fatal_error() # $@ = Message
@ -246,7 +250,7 @@ get_config() {
case $STARTUP_ENABLED in case $STARTUP_ENABLED in
[Nn][Oo]) [Nn][Oo])
echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2 echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
STARTUP_ENABLED= STARTUP_ENABLED=
;; ;;
[Yy][Ee][Ss]) [Yy][Ee][Ss])
@ -432,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
# #
save_config() { save_config() {
if shorewall_is_started ; then if shorewall_is_started ; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
@ -442,12 +446,12 @@ save_config() {
echo " ERROR: Reserved file name: $RESTOREFILE" echo " ERROR: Reserved file name: $RESTOREFILE"
;; ;;
*) *)
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
echo " Dynamic Rules Saved" echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/.restore ]; then if [ -f ${VARDIR}/.restore ]; then
if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then if iptables-save | iptablesbug > ${VARDIR}/restore-$$; then
cp -f /var/lib/shorewall/.restore $RESTOREPATH cp -f ${VARDIR}/.restore $RESTOREPATH
mv -f /var/lib/shorewall/restore-$$ ${RESTOREPATH}-iptables mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
@ -457,16 +461,16 @@ save_config() {
[Yy][Ee][Ss]) [Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets RESTOREPATH=${RESTOREPATH}-ipsets
f=/var/lib/shorewall/restore-$$ f=${VARDIR}/restore-$$
echo "#!/bin/sh" > $f echo "#!/bin/sh" > $f
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
echo >> $f echo >> $f
echo ". /usr/share/shorewall/functions" >> $f echo ". ${SHAREDIR}/functions" >> $f
echo >> $f echo >> $f
grep '^MODULE' /var/lib/shorewall/restore-base >> $f grep '^MODULE' ${VARDIR}/restore-base >> $f
echo "reload_kernel_modules << __EOF__" >> $f echo "reload_kernel_modules << __EOF__" >> $f
grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f grep 'loadmodule ip_set' ${VARDIR}/restore-base >> $f
echo "__EOF__" >> $f echo "__EOF__" >> $f
echo >> $f echo >> $f
echo "ipset -U :all: :all:" >> $f echo "ipset -U :all: :all:" >> $f
@ -486,11 +490,11 @@ save_config() {
;; ;;
esac esac
else else
rm -f /var/lib/shorewall/restore-$$ rm -f ${VARDIR}/restore-$$
echo " ERROR: Currently-running Configuration Not Saved" echo " ERROR: Currently-running Configuration Not Saved"
fi fi
else else
echo " ERROR: /var/lib/shorewall/.restored oes not exist" echo " ERROR: ${VARDIR}/.restored oes not exist"
fi fi
else else
echo "Error Saving the Dynamic Rules" echo "Error Saving the Dynamic Rules"
@ -515,8 +519,8 @@ start_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.start; then if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
/var/lib/shorewall/.start $debugging start ${VARDIR}/.start $debugging start
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -590,12 +594,12 @@ start_command() {
# #
# RESTOREFILE is exported by get_config() # RESTOREFILE is exported by get_config()
# #
make -qf /etc/shorewall/Makefile || FAST= make -qf ${CONFDIR}/Makefile || FAST=
fi fi
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then if [ -x ${RESTOREPATH}-ipsets ]; then
@ -611,7 +615,7 @@ start_command() {
echo Restoring Shorewall... echo Restoring Shorewall...
$SHOREWALL_SHELL $RESTOREPATH restore $SHOREWALL_SHELL $RESTOREPATH restore
date > /var/lib/shorewall/restarted date > ${VARDIR}/restarted
progress_message3 Shorewall restored from $RESTOREPATH progress_message3 Shorewall restored from $RESTOREPATH
else else
do_it do_it
@ -691,7 +695,7 @@ compile_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file
} }
# #
# Check Command Executor # Check Command Executor
@ -754,7 +758,7 @@ check_command() {
progress_message3 "Checking..." progress_message3 "Checking..."
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
} }
# #
@ -825,8 +829,8 @@ restart_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.restart; then if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
$SHOREWALL_SHELL /var/lib/shorewall/.restart $debugging restart $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -919,7 +923,7 @@ show_command() {
;; ;;
zones) zones)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
if [ -f /var/lib/shorewall/zones ]; then if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)" echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo echo
while read zone type hosts; do while read zone type hosts; do
@ -927,10 +931,10 @@ show_command() {
for host in $hosts; do for host in $hosts; do
echo " $host" echo " $host"
done done
done < /var/lib/shorewall/zones done < ${VARDIR}/zones
echo echo
else else
echo " ERROR: /var/lib/shorewall/zones does not exist" >&2 echo " ERROR: ${VARDIR}/zones does not exist" >&2
exit 1 exit 1
fi fi
;; ;;
@ -951,11 +955,11 @@ show_command() {
echo "allowoutUPnP # Allow traffic from local command 'upnpd'" echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "forwardUPnP # Allow traffic that upnpd has redirected from" echo "forwardUPnP # Allow traffic that upnpd has redirected from"
cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$' cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
;; ;;
macros) macros)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
for macro in /usr/share/shorewall/macro.*; do for macro in ${SHAREDIR}/macro.*; do
foo=`grep 'This macro' $macro | head -n 1` foo=`grep 'This macro' $macro | head -n 1`
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
macro=${macro#*.} macro=${macro#*.}
@ -1164,14 +1168,14 @@ safe_commands() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
if ! $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging nolock compile /var/lib/shorewall/.$command; then if ! $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging nolock compile ${VARDIR}/.$command; then
status=$? status=$?
mutex_off mutex_off
exit $status exit $status
fi fi
RESTOREFILE=.safe RESTOREFILE=.safe
RESTOREPATH=/var/lib/shorewall/.safe RESTOREPATH=${VARDIR}/.safe
save_config save_config
@ -1184,7 +1188,7 @@ safe_commands() {
;; ;;
esac esac
/var/lib/shorewall/.$command $command ${VARDIR}/.$command $command
echo -n "Do you want to accept the new firewall configuration? [y/n] " echo -n "Do you want to accept the new firewall configuration? [y/n] "
@ -1192,9 +1196,9 @@ safe_commands() {
echo "New configuration has been accepted" echo "New configuration has been accepted"
else else
if [ "$command" = "restart" ]; then if [ "$command" = "restart" ]; then
/var/lib/shorewall/.safe restore ${VARDIR}/.safe restore
else else
/var/lib/shorewall/.$command clear ${VARDIR}/.$command clear
fi fi
mutex_off mutex_off
@ -1258,7 +1262,7 @@ restore_command() {
exit 2 exit 2
fi fi
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=${VARDIR}/$RESTOREFILE
export NOROUTES export NOROUTES
@ -1273,10 +1277,10 @@ restore_command() {
fi fi
progress_message3 "Restoring Shorewall..." progress_message3 "Restoring Shorewall..."
$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from ${VARDIR}/$RESTOREFILE"
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
else else
echo "File /var/lib/shorewall/$RESTOREFILE: file not found" echo "File ${VARDIR}/$RESTOREFILE: file not found"
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
exit 2 exit 2
fi fi
@ -1336,8 +1340,8 @@ usage() # $1 = exit status
# Display the time that the counters were last reset # Display the time that the counters were last reset
# #
show_reset() { show_reset() {
[ -f /var/lib/shorewall/restarted ] && \ [ -f ${VARDIR}/restarted ] && \
echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \ echo "Counters reset $(cat ${VARDIR}/restarted)" && \
echo echo
} }
@ -1512,7 +1516,7 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
SHARED_DIR=/usr/share/shorewall SHARED_DIR=${SHAREDIR}
FIREWALL=$SHARED_DIR/firewall FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
@ -1630,8 +1634,8 @@ case "$COMMAND" in
status=4 status=4
fi fi
if [ -f /var/lib/shorewall/state ]; then if [ -f ${VARDIR}/state ]; then
state="$(cat /var/lib/shorewall/state)" state="$(cat ${VARDIR}/state)"
case $state in case $state in
Stopped*|Clear*) Stopped*|Clear*)
status=3 status=3
@ -1862,7 +1866,7 @@ case "$COMMAND" in
;; ;;
esac esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=${VARDIR}/$RESTOREFILE
[ "$nolock" ] || mutex_on [ "$nolock" ] || mutex_on
@ -1884,7 +1888,7 @@ case "$COMMAND" in
esac esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
@ -1899,7 +1903,7 @@ case "$COMMAND" in
elif [ -f $RESTOREPATH ]; then elif [ -f $RESTOREPATH ]; then
echo " $RESTOREPATH exists and is not a saved Shorewall configuration" echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
fi fi
rm -f /var/lib/shorewall/save rm -f ${VARDIR}/save
;; ;;
ipcalc) ipcalc)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -1954,7 +1958,7 @@ case "$COMMAND" in
call) call)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
# #
# Undocumented way to call functions in /usr/share/shorewall/functions directly # Undocumented way to call functions in ${SHAREDIR}/functions directly
# #
shift shift
$@ $@
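Review bot: The error message in the save_config hunk still names a file that is never created and has a dropped letter: `echo " ERROR: ${VARDIR}/.restored oes not exist"` follows a test of `${VARDIR}/.restore`, so it should read `echo " ERROR: ${VARDIR}/.restore does not exist"`. An operator chasing a failed save will otherwise look for a `.restored` file that does not exist. The commit already rewrote this line for the VARDIR substitution, so the fix is cheap to fold in.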