From 79c7f644b2d7ffe1760986fdf5eafb70cace394b Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 20 Aug 2004 22:41:21 +0000
Subject: [PATCH] Changes for 2.1.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 LrpN/etc/shorewall/ipsec | 18 ++++++---
 LrpN/sbin/shorewall | 61 ++++++++++++++++++++++++++++---
 LrpN/usr/share/shorewall/firewall | 59 +++++++++++++----------------
 LrpN/usr/share/shorewall/help | 11 +++--
 LrpN/usr/share/shorewall/version | 2 +-
 5 files changed, 100 insertions(+), 51 deletions(-)
diff --git a/LrpN/etc/shorewall/ipsec b/LrpN/etc/shorewall/ipsec
index 9413de096..6a0b881d6 100644
--- a/LrpN/etc/shorewall/ipsec
+++ b/LrpN/etc/shorewall/ipsec
@@ -15,9 +15,9 @@
 # Encrypted hosts are designated using the 'ipsec'
 # option in /etc/shorewall/hosts.
 #
-# OPTIONS A comma-separated list of options as follows:
-# reqid= where is specified
-# using setkey(8) using the 'unique:
+# OPTIONS, A comma-separated list of options as follows:
+# IN OPTIONS, reqid= where is specified
+# OUT OPTIONS using setkey(8) using the 'unique:
 # option for the SPD level.
 #
 # spi= where is the SPI of
@@ -35,8 +35,16 @@
 #
 # Example:
 # mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
 ################################################################################
-#ZONE IPSEC OPTIONS
-# ONLY
+#ZONE IPSEC OPTIONS IN OUT
+# ONLY OPTIONS OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall
index f120bcb05..8d48e2c0f 100755
--- a/LrpN/sbin/shorewall
+++ b/LrpN/sbin/shorewall
@@ -33,7 +33,7 @@ # # shorewall add [:] zone Adds a host or subnet to a zone # shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall +# shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status @@ -564,7 +564,7 @@ usage() # $1 = exit status echo "where is one of:" echo " add [:] " echo " allow
..." - echo " check" + echo " check [ ]" echo " clear" echo " delete [:] " echo " drop
..." @@ -578,15 +578,17 @@ usage() # $1 = exit status echo " refresh" echo " reject
..." echo " reset" - echo " restart" + echo " restart [ ]" echo " restore [ ]" echo " save [ ]" echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" - echo " start" + echo " start [ ]" echo " stop" echo " status" echo " try [ ]" echo " version" + echo + echo "The -c and -f options may not be specified with a in the start, restart and check commands" exit $1 } @@ -761,8 +763,30 @@ esac case "$1" in start) - [ $# -ne 1 ] && usage 1 + case $# in + 1) + ;; + 2) + [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 + + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + get_config + if [ -n "$FAST" ]; then RESTOREPATH=/var/lib/shorewall/$RESTOREFILE @@ -779,11 +803,36 @@ case "$1" in exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi ;; - stop|restart|reset|clear|refresh|check) + stop|reset|clear|refresh) [ $# -ne 1 ] && usage 1 get_config exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 ;; + check|restart) + case $# in + 1) + ;; + 2) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + get_config + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 + ;; add|delete) [ $# -ne 3 ] && usage 1 get_config diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall index 2a27e414c..ba630b7ff 100755 --- a/LrpN/usr/share/shorewall/firewall +++ b/LrpN/usr/share/shorewall/firewall 
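Review bot: The new directory check in the start) branch uses `$2` unquoted in `[ ! -d $2 ]`, `[ -e $2 ]` and `SHOREWALL_DIR=$2`, so an argument containing whitespace or glob characters is word-split before the test runs and a mangled path can still reach the exported variable; the same block is repeated verbatim in the check|restart hunk that follows. Because the directory is then exported for the firewall script to load its configuration from, the validation is worth doing once, with the argument quoted, in a helper that both branches call. The `echo ... >&2 && exit 2` chains also skip the exit when echo itself fails (stderr closed, for instance); an `exit 2` written as its own statement after the if/else does not have that gap. The enclosing `case "$1"` block continues outside the hunk.
```shell
# Validate the optional directory argument and export it for the firewall script.
set_config_dir() # $1 = directory given on the command line
{
    if [ ! -d "$1" ]; then
        if [ -e "$1" ]; then
            echo "$1 is not a directory" >&2
        else
            echo "Directory $1 does not exist" >&2
        fi
        exit 2
    fi

    SHOREWALL_DIR="$1"
    export SHOREWALL_DIR
}

# … unchanged: option parsing and everything up to case "$1" …
    start)
        case $# in
            1)
                ;;
            2)
                [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
                set_config_dir "$2"
                ;;
            *)
                usage 1
                ;;
        esac
# … unchanged: get_config and the FAST/restore handling …
```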
@@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
 {
 eval local is_ipsec=\$${1}_is_ipsec
 eval local hosts=\"\$${1}_ipsec_hosts\"
- eval local options=\"\$${1}_ipsec_options\"
+ eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
 if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
 echo "-m policy --pol ipsec --dir in $options"
 elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir in $options"
+ echo "-m policy --pol none --dir in"
 fi
 }
@@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
 {
 eval local is_ipsec=\$${1}_is_ipsec
 eval local hosts=\"\$${1}_ipsec_hosts\"
- eval local options=\"\$${1}_ipsec_options\"
+ eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
 if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
 echo "-m policy --pol ipsec --dir out $options"
 elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir out $options"
+ echo "-m policy --pol none --dir out"
 fi
 }
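Review bot: Dropping `$options` from the `--pol none` branch of match_ipsec_in (and identically in match_ipsec_out in the next hunk) is a deliberate behavior change that nothing in the code records; a maintainer seeing `echo "-m policy --pol none --dir in"` beside the `--pol ipsec` line that still carries `$options` will wonder whether it was forgotten. A one-line comment above the `elif`, `# reqid/spi/mode describe an SA, so they are only meaningful when an ipsec policy is matched; --pol none takes none of them`, would settle that (hedged: that is my reading of the policy match, confirm against the iptables extension in use). The two functions now differ only in the direction word and the `_in`/`_out` suffix, so a single `match_ipsec() # $1 = in|out, $2 = zone, $3 = host` would keep them from drifting apart again.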
@@ -1636,47 +1636,36 @@ setup_tunnels() # $1 = name of tunnels file
 setup_ipsec() {
- do_options() {
- local option newoptions=
+ do_options() # $1 = _in, _out or "" - $2 = option list
+ {
+ local option opts newoptions=
- options=$(separate_list $options)
+ [ x${2} = x- ] && return
- for option in $options; do
+ opts=$(separate_list $2)
+
+ for option in $opts; do
 case $option in
- reqid=*)
- newoptions="$newoptions --reqid ${option#*=}"
- ;;
- spi=*)
- newoptions="$newoptions --spi ${option#*=}"
- ;;
- proto=*)
- newoptions="$newoptions --proto ${option#*=}"
- ;;
- mode=*)
- newoptions="$newoptions --mode ${option#*=}"
- ;;
- tunnel-src=*)
- newoptions="$newoptions --tunnel-src ${option#*=}"
- ;;
- tunnel-dst=*)
- newoptions="$newoptions --tunnel-dst ${option#*=}"
- ;;
- *)
- fatal_error "Invalid option \"$option\" for zone $zone"
- ;;
+ reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
+ spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
+ proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
+ mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
+ tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
+ tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
+ *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
 esac
 done
-
+
 if [ -n "$newoptions" ]; then
 eval ${zone}_is_complex=Yes
- eval ${zone}_ipsec_options=\"${newoptions# }\"
+ eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
 fi
 }
 strip_file ipsec $1
- while read zone ipsec options; do
- expandv zone ipsec options
+ while read zone ipsec options in_options out_options; do
+ expandv zone ipsec options in_options out_options
 [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@@ -1694,7 +1683,9 @@ setup_ipsec() {
 ;;
 esac
- do_options
+ do_options "" $options
+ do_options "_in" $in_options
+ do_options "_out" $out_options
 done < $TMP_DIR/ipsec
 }
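Review bot: The rewritten do_options leaves its list argument unquoted in both `[ x${2} = x- ] && return` and `opts=$(separate_list $2)`, and the three call sites in the next hunk pass the columns unquoted as well (`do_options "" $options`), so a value that contains whitespace after `expandv` has run turns the test into a shell syntax error, or is split so that only the first word is validated and the rest is silently dropped instead of rejected by the `*)` arm. Writing the guard as `[ "x$2" = "x-" ] && return`, the call as `opts=$(separate_list "$2")`, and each caller as `do_options "" "$options"` (likewise for `in_options` and `out_options`) keeps the whole column in `$2` and lets the existing fatal_error branch report it. The function also reads `$zone` from the enclosing `while read` loop rather than from its arguments, which the new header comment should say: `# $1 = _in, _out or "" - $2 = option list; reads $zone from the caller`. The loop body between the two hunks, including the `case` that ends at `esac`, is outside the view.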
diff --git a/LrpN/usr/share/shorewall/help b/LrpN/usr/share/shorewall/help index 09e61e179..c29a8f301 100755 --- a/LrpN/usr/share/shorewall/help +++ b/LrpN/usr/share/shorewall/help @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall help subsystem - V2.0 - 2/14/2004 +# Shorewall help subsystem - V2.1 # # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] @@ -60,7 +60,7 @@ allow) ;; check) - echo "check: check [ -c ] + echo "check: check [ ] Performs a cursory validation of the zones, interfaces, hosts, rules and policy files. Use this if you are unsure of any edits you have made to the shorewall configuration. See the try command @@ -187,7 +187,7 @@ reset) ;; restart) - echo "restart: restart [ -q ] [ -c ] + echo "restart: [ -q ] restart [ ] Restart is the same as a shorewall stop && shorewall start. Existing connections are maintained. If \"-q\" is specified, less detain is displayed making it easier to spot warnings" @@ -240,13 +240,14 @@ show) ;; start) - echo "start: [ -q ] [ -f ] [ -c ] start + echo "start: [ -q ] [ -f ] start [ ] Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If \"-q\" is specified, less detail is displayed making it easier to spot warnings If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option - in shorewall.conf will be restored if that saved configuration exists" + in shorewall.conf will be restored if that saved configuration exists. In that + case, a may not be specified". ;; stop) diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index cd57a8b95..399088bf4 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.1.5 +2.1.6