From 3110f7c74ac3a4de5f322586cc2399dbdff72baf Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 1 Dec 2011 10:25:51 -0800 Subject: [PATCH 1/3] Add enable/disable commands to the CLIs Signed-off-by: Tom Eastep --- Shorewall-lite/shorewall-lite | 12 +++++++++++- Shorewall/Perl/Shorewall/Zones.pm | 1 + Shorewall/lib.cli | 2 +- Shorewall/shorewall | 16 +++++++++++++--- Shorewall6-lite/shorewall6-lite | 13 +++++++++++-- Shorewall6/lib.cli | 2 +- Shorewall6/shorewall6 | 16 +++++++++++++--- manpages-lite/shorewall-lite.xml | 26 ++++++++++++++++++++++++++ manpages/shorewall.xml | 26 ++++++++++++++++++++++++++ manpages6-lite/shorewall6-lite.xml | 26 ++++++++++++++++++++++++++ manpages6/shorewall6.xml | 26 ++++++++++++++++++++++++++ 11 files changed, 155 insertions(+), 11 deletions(-) diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 0e6ca4753..3f6a91b0a 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -365,8 +365,10 @@ usage() # $1 = exit status echo " allow
..."
 echo " clear"
 echo " delete [:] ... "
+ echo " disable "
 echo " drop
..."
 echo " dump [ -x ]"
+ echo " enable "
 echo " forget [ ]"
 echo " help"
 echo " ipcalc {
/ |
}" @@ -664,7 +666,7 @@ case "$COMMAND" in ;; status) [ $# -eq 1 ] || usage 1 - [ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root" + [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)" echo if shorewall_is_started ; then @@ -754,6 +756,14 @@ case "$COMMAND" in shift add_command $@ ;; + disable|enable) + get_config Yes + if shorewall_is_started; then + run_it ${VARDIR}/firewall $g_debugging $@ + else + fatal_error "Shorewall is not running" + fi + ;; save) [ -n "$debugging" ] && set -x diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 406e61845..3917838cc 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -76,6 +76,7 @@ our @EXPORT = qw( NOTHING get_interface_option interface_has_option set_interface_option + set_interface_provider interface_zones verify_required_interfaces compile_updown diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index bc7236e92..230ae6ffd 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -29,7 +29,7 @@ # fatal_error() # $@ = Message { - echo " $@" >&2 + echo " ERROR: $@" >&2 exit 2 } diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 7da8c1f61..7da8e8127 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1379,7 +1379,7 @@ reload_command() # $* = original arguments less the command. progress_message "Getting Capabilities on system $system..." if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then - fatal_error "ERROR: Capturing capabilities on system $system failed" + fatal_error "Capturing capabilities on system $system failed" fi fi 
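Review bot: The new `disable|enable)` arm in Shorewall-lite/shorewall-lite hands everything after the command to the firewall script without checking the argument count, whereas the `status)` arm a few lines up guards with `[ $# -eq 1 ] || usage 1`; so `shorewall-lite enable` with no name, or with extra words, is accepted by the CLI and only fails, if at all, inside `${VARDIR}/firewall`. Since the usage text documents exactly one operand, adding `[ $# -eq 2 ] || usage 1` as the first line of the arm keeps the CLI consistent with its own help and with `status)`. The same arm is added verbatim to Shorewall/shorewall, Shorewall6-lite/shorewall6-lite and Shorewall6/shorewall6 later in this patch and would want the same guard. `$@` is left unquoted as elsewhere in this file, so the operand is word-split before it reaches run_it; that matches the existing style rather than being new.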
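Review bot: Shorewall/lib.cli now prepends `ERROR: ` inside fatal_error itself, and this patch strips the literal prefix only from the call sites it touches (reload_command, export_command and the `status)` root check); any other fatal_error caller in these scripts, or in other lib.* files sourced by them, that still passes its own `ERROR:` will now print the prefix twice. Those callers are not visible here, so a grep for `fatal_error "ERROR:` across the tree is worth doing before merge. The identical change is made to Shorewall6/lib.cli later in this patch and carries the same risk.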
@@ -1460,7 +1460,7 @@ export_command() # $* = original arguments less the command. target=$2 ;; *) - fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)" + fatal_error "Invalid command syntax (\"man shorewall\" for help)" ;; esac @@ -1499,8 +1499,10 @@ usage() # $1 = exit status echo " clear" echo " compile [ -e ] [ -d ] [ ] [ ]" echo " delete [:] ... " + echo " disable " echo " drop
..."
 echo " dump [ -x ]"
+ echo " enable "
 echo " export [ ] [@][:]"
 echo " forget [ ]"
 echo " help"
@@ -1844,6 +1846,14 @@ case "$COMMAND" in
 shift
 update_command $@
 ;;
+ disable|enable)
+ get_config Yes
+ if shorewall_is_started; then
+ run_it ${VARDIR}/firewall $g_debugging $@
+ else
+ fatal_error "Shorewall is not running"
+ fi
+ ;;
 show|list)
 get_config Yes No Yes
 shift
@@ -1861,7 +1871,7 @@ case "$COMMAND" in
 ;;
 status)
 [ $# -eq 1 ] || usage 1
- [ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+ [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 get_config
 echo "Shorewall-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 echo
diff --git a/Shorewall6-lite/shorewall6-lite b/Shorewall6-lite/shorewall6-lite
index 1dd9017d9..6c82412b5 100755
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -361,8 +361,10 @@ usage() # $1 = exit status
 echo "where is one of:"
 echo " allow
..."
 echo " clear"
+ echo " disable "
 echo " drop
..." echo " dump [ -x ]" + echo " enable " echo " forget [ ]" echo " help" echo " load [ -s ] [ -c ] [ -r ] [ ] " @@ -648,7 +650,7 @@ case "$COMMAND" in ;; status) [ $# -eq 1 ] || usage 1 - [ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root" + [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)" echo if shorewall6_is_started ; then @@ -728,6 +730,14 @@ case "$COMMAND" in allow) allow_command $@ ;; + disable|enable) + get_config Yes + if shorewall6_is_started; then + run_it ${VARDIR}/firewall $g_debugging $@ + else + fatal_error "Shorewall is not running" + fi + ;; save) [ -n "$debugging" ] && set -x @@ -806,7 +816,6 @@ case "$COMMAND" in temp=$(ip_network $address); echo " NETWORK=$temp" temp=$(broadcastaddress $address); echo " BROADCAST=$temp" ;; - iprange) [ -n "$debugging" ] && set -x case $2 in diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 180eb5064..b64a53d5b 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -29,7 +29,7 @@ # fatal_error() # $@ = Message { - echo " $@" >&2 + echo " ERROR: $@" >&2 exit 2 } diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index ca6a0cb86..4c0a36d9e 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -1380,7 +1380,7 @@ reload_command() # $* = original arguments less the command. progress_message "Getting Capabilities on system $system..." if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then - fatal_error "ERROR: Capturing capabilities on system $system failed" + fatal_error "Capturing capabilities on system $system failed" fi fi 
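Review bot: The `disable|enable)` arm added to Shorewall6-lite/shorewall6-lite reports `fatal_error "Shorewall is not running"`, but this is the IPv6 CLI — the `status)` arm a few lines above in the same file prints `Shorewall6 Lite $SHOREWALL_VERSION Status …` — so the message should name the product it checks, `fatal_error "Shorewall6 is not running"`. The identical arm added to Shorewall6/shorewall6 later in this patch has the same wording. Getting the name right matters for anyone matching on the error text in logs or wrapper scripts.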
@@ -1461,7 +1461,7 @@ export_command() # $* = original arguments less the command. target=$2 ;; *) - fatal_error "ERROR: Invalid command syntax (\"man shorewall6\" for help)" + fatal_error "Invalid command syntax (\"man shorewall6\" for help)" ;; esac @@ -1500,8 +1500,10 @@ usage() # $1 = exit status echo " clear" echo " compile [ -e ] [ -d ] [ ] [ ]" echo " delete [:] ... " + echo " disable " echo " drop
..." echo " dump [ -x ]" + echo " enable " echo " export [ ] [@][:]" echo " forget [ ]" echo " help" @@ -1840,6 +1842,14 @@ case "$COMMAND" in shift update_command $@ ;; + disable|enable) + get_config Yes + if shorewall6_is_started; then + run_it ${VARDIR}/firewall $g_debugging $@ + else + fatal_error "Shorewall is not running" + fi + ;; show|list) get_config Yes No Yes shift @@ -1857,7 +1867,7 @@ case "$COMMAND" in ;; status) [ $# -eq 1 ] || usage 1 - [ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root" + [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" get_config echo "Shorewall6-$SHOREWALL_VERSION Status at $g_hostname - $(date)" echo diff --git a/manpages-lite/shorewall-lite.xml b/manpages-lite/shorewall-lite.xml index 96206998b..e5f2b2721 100644 --- a/manpages-lite/shorewall-lite.xml +++ b/manpages-lite/shorewall-lite.xml @@ -40,6 +40,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall-lite @@ -67,6 +80,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall-lite diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 46763e04a..f8446014b 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -117,6 +117,19 @@ zone + + shorewall + + | + + -options + + + + interface + + shorewall @@ -146,6 +159,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall diff --git a/manpages6-lite/shorewall6-lite.xml b/manpages6-lite/shorewall6-lite.xml index 9f9d6b19b..3d12ab446 100644 --- a/manpages6-lite/shorewall6-lite.xml +++ b/manpages6-lite/shorewall6-lite.xml @@ -40,6 +40,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall6-lite @@ -67,6 +80,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall6-lite diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index a885b6b6c..445ed285f 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml 
@@ -98,6 +98,19 @@ pathname + + shorewall + + | + + -options + + + + interface + + shorewall6 @@ -127,6 +140,19 @@ + + shorewall + + | + + -options + + + + interface + + shorewall6 From 8f14485d67e9d791a99441929b83c8352fc57e5f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 1 Dec 2011 10:30:42 -0800 Subject: [PATCH 2/3] Allow a provider name in addition to an interface name in enable/disable Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index ccb4bfc02..2fd6770ad 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -780,7 +780,7 @@ sub add_a_provider( $$ ) { "qt \$TC qdisc del dev $physical root", "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface}; - emit( "progress_message2 \"Provider $table stopped\"" ); + emit( "progress_message2 \" Provider $table ($number) stopped\"" ); pop_indent; @@ -1125,14 +1125,21 @@ EOF for my $provider (@providers ) { my $providerref = $providers{$provider}; - emit( "$providerref->{physical})", - " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", - " start_provider_$provider", - ' else', - ' startup_error "Interface $g_interface is already enabled"', - ' fi', - ' ;;' - ) if $providerref->{optional}; + if ( $providerref->{optional} ) { + if ( $providerref->{shared} || $providerref->{physical} eq $provider) { + emit "$provider})"; + } else { + emit( "$providerref->{physical}|$provider)" ); + } + + emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", + " start_provider_$provider", + ' else', + ' startup_error "Interface $g_interface is already enabled"', + ' fi', + ' ;;' + ); + } } pop_indent; 
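Review bot: In the `@@ -1125` hunk of Providers.pm the branch taken for shared providers, or when the physical name equals the provider name, emits `"$provider})"`; Perl interpolates `$provider` and leaves the `})` literal, so the generated case label is the provider name followed by `})` and will never match what the user passes to `enable`/`disable`. The sibling branch emits `"$providerref->{physical}|$provider)"` correctly, so unless the page rendering inserted the brace the line should read `emit "$provider)";`. Separately, the unchanged `startup_error "Interface $g_interface is already enabled"` is now also reached with a provider name in `$g_interface`, so dropping the word "Interface" would keep the message accurate for both forms. The enclosing function begins before this hunk.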
@@ -1140,7 +1147,7 @@ EOF emit << 'EOF';; *) - startup_error "$g_interface is not an optional provider interface" + startup_error "$g_interface is not an optional provider or provider interface" ;; esac } From 8c6914d1a2e8d7ba9135b64558a8677544489f4b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 1 Dec 2011 11:23:22 -0800 Subject: [PATCH 3/3] Don't deprecate 'optional' for shared providers Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 7 +++++-- manpages/shorewall-providers.xml | 9 +++++---- manpages6/shorewall6-providers.xml | 7 +++++-- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index b966c88a8..01b33888c 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -385,8 +385,11 @@ sub process_a_provider() { $loose = 1; $default_balance = 0; } elsif ( $option eq 'optional' ) { - warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead); - set_interface_option $interface, 'optional', 1; + unless ( $shared ) { + warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead); + set_interface_option $interface, 'optional', 1; + } + $optional = 1; } elsif ( $option =~ /^src=(.*)$/ ) { fatal_error "OPTION 'src' not allowed on shared interface" if $shared; diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index d2fb1fdcb..8a3bc0912 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -211,8 +211,8 @@ - optional - (deprecated) + optional (deprecated for use with + providers that do not share an interface) If the interface named in the INTERFACE column is not up 
@@ -220,8 +220,9 @@ If not specified, the value of the option for the INTERFACE in shorewall-interfaces(5) - is assumed. Use of that option is preferred to this - one. + is assumed. Use of that option is preferred to this one, + unless an address is provider in + the INTERFACE column. diff --git a/manpages6/shorewall6-providers.xml b/manpages6/shorewall6-providers.xml index dcfa6537f..66eade929 100644 --- a/manpages6/shorewall6-providers.xml +++ b/manpages6/shorewall6-providers.xml @@ -208,7 +208,8 @@ - optional + optional (deprecated for + use with providers that do not share an interface) If the interface named in the INTERFACE column is not up @@ -216,7 +217,9 @@ If not specified, the value of the option for the INTERFACE in shorewall6-interfaces(5) - is assumed. + is assumed. Use of that option is preferred to this one, + unless an address is provider in + the INTERFACE column.