Changes for 2.1.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
414356a535
commit
79c7f644b2
@ -15,9 +15,9 @@
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options as follows:
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# OPTIONS, A comma-separated list of options as follows:
|
||||
# IN OPTIONS, reqid=<number> where <number> is specified
|
||||
# OUT OPTIONS using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
@ -35,8 +35,16 @@
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
# applied to outgoing traffic.
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
################################################################################
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||
@ -564,7 +564,7 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check"
|
||||
echo " check [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " drop <address> ..."
|
||||
@ -578,15 +578,17 @@ usage() # $1 = exit status
|
||||
echo " refresh"
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " start [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo
|
||||
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -761,8 +763,30 @@ esac
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
get_config
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
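Review bot: The new `2)` arm tests the directory argument unquoted, `if [ ! -d $2 ]` and `if [ -e $2 ]`, so a path containing whitespace is split into several words and the test fails with a syntax error instead of the intended message; quote both as `if [ ! -d "$2" ]; then` and `if [ -e "$2" ]; then`, and likewise in `SHOREWALL_DIR=$2` for consistency. The same unquoted block is repeated verbatim in the `check|restart)` arm of the next hunk, which suggests pulling it into a small helper (e.g. `validate_config_dir "$2"`) so both arms cannot drift apart. `[ -n "$SHOREWALL_DIR" -o -n "$FAST" ]` relies on the deprecated `-o` test operator and would read more safely as two `[ ]` tests joined with `||`. The enclosing `case "$1"` statement begins and ends outside this hunk.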
@ -779,11 +803,36 @@ case "$1" in
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
;;
|
||||
stop|restart|reset|clear|refresh|check)
|
||||
stop|reset|clear|refresh)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
check|restart)
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
get_config
|
||||
|
@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir in $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in $options"
|
||||
echo "-m policy --pol none --dir in"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir out $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir out $options"
|
||||
echo "-m policy --pol none --dir out"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1636,47 +1636,36 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_ipsec() {
|
||||
|
||||
do_options() {
|
||||
local option newoptions=
|
||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||
{
|
||||
local option opts newoptions=
|
||||
|
||||
options=$(separate_list $options)
|
||||
[ x${2} = x- ] && return
|
||||
|
||||
for option in $options; do
|
||||
opts=$(separate_list $2)
|
||||
|
||||
for option in $opts; do
|
||||
case $option in
|
||||
reqid=*)
|
||||
newoptions="$newoptions --reqid ${option#*=}"
|
||||
;;
|
||||
spi=*)
|
||||
newoptions="$newoptions --spi ${option#*=}"
|
||||
;;
|
||||
proto=*)
|
||||
newoptions="$newoptions --proto ${option#*=}"
|
||||
;;
|
||||
mode=*)
|
||||
newoptions="$newoptions --mode ${option#*=}"
|
||||
;;
|
||||
tunnel-src=*)
|
||||
newoptions="$newoptions --tunnel-src ${option#*=}"
|
||||
;;
|
||||
tunnel-dst=*)
|
||||
newoptions="$newoptions --tunnel-dst ${option#*=}"
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid option \"$option\" for zone $zone"
|
||||
;;
|
||||
reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
|
||||
spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
|
||||
proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
|
||||
mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
|
||||
tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
|
||||
tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
|
||||
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
if [ -n "$newoptions" ]; then
|
||||
eval ${zone}_is_complex=Yes
|
||||
eval ${zone}_ipsec_options=\"${newoptions# }\"
|
||||
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
|
||||
fi
|
||||
}
|
||||
|
||||
strip_file ipsec $1
|
||||
|
||||
while read zone ipsec options; do
|
||||
expandv zone ipsec options
|
||||
while read zone ipsec options in_options out_options; do
|
||||
expandv zone ipsec options in_options out_options
|
||||
|
||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||
|
||||
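Review bot: `do_options` validates only the option keyword, never the value: `${option#*=}` is appended unchanged to `newoptions` and then spliced through `eval ${zone}_ipsec${1}_options=\"…\"` into a variable that `match_ipsec_in`/`match_ipsec_out` later emit on an iptables command line. The header comment documents `reqid` and `spi` as `<number>`, so a non-numeric value (including one containing `$`, backquotes or `"`) is silently accepted here and surfaces only as a confusing failure elsewhere; rejecting it at parse time with `fatal_error` keeps the existing error path. The rewrite below folds the two numeric arms together and checks the value before use; the remaining arms are unchanged. `do_options` is entirely inside this hunk, but the `while read zone ipsec options in_options out_options` loop that calls it continues past the hunk.
```shell
case $option in
    reqid=*|spi=*)
        # documented as <number>; reject anything else before it reaches eval/iptables
        case ${option#*=} in
            ''|*[!0-9]*) fatal_error "Invalid value in \"$option\" for zone $zone" ;;
        esac
        newoptions="$newoptions --${option%%=*} ${option#*=}"
        ;;
    # … unchanged: proto=, mode=, tunnel-src=, tunnel-dst= and default arms …
esac
```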
@ -1694,7 +1683,9 @@ setup_ipsec() {
|
||||
;;
|
||||
esac
|
||||
|
||||
do_options
|
||||
do_options "" $options
|
||||
do_options "_in" $in_options
|
||||
do_options "_out" $out_options
|
||||
|
||||
done < $TMP_DIR/ipsec
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
||||
# Shorewall help subsystem - V2.1
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -60,7 +60,7 @@ allow)
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
echo "check: check [ <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
@ -187,7 +187,7 @@ reset)
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
||||
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are maintained.
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
@ -240,13 +240,14 @@ show)
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
||||
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies.
|
||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists"
|
||||
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||
case, a <configuration-directory> may not be specified".
|
||||
;;
|
||||
|
||||
stop)
|
||||
|
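Review bot: The new last line of the `start)` help text closes the string one character early: `case, a <configuration-directory> may not be specified".` leaves the trailing period outside the double quotes, so it is only printed because the shell glues the bare `.` onto the word. Move it inside the string, `case, a <configuration-directory> may not be specified."`, so the message does not depend on that quirk and reads consistently with the other help entries. The `start)` arm begins inside this hunk and its `;;` is visible, so the change is self-contained.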
@ -1 +1 @@
|
||||
2.1.5
|
||||
2.1.6
|
||||
|