Changes for 2.1.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-20 22:41:21 +00:00
parent 414356a535
commit 79c7f644b2
5 changed files with 100 additions and 51 deletions


@ -15,9 +15,9 @@
# Encrypted hosts are designated using the 'ipsec' # Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts. # option in /etc/shorewall/hosts.
# #
# OPTIONS A comma-separated list of options as follows: # OPTIONS, A comma-separated list of options as follows:
# reqid=<number> where <number> is specified # IN OPTIONS, reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number> # OUT OPTIONS using setkey(8) using the 'unique:<number>
# option for the SPD level. # option for the SPD level.
# #
# spi=<number> where <number> is the SPI of # spi=<number> where <number> is the SPI of
@ -35,8 +35,16 @@
# #
# Example: # Example:
# mode=transport,reqid=44 # mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
################################################################################ ################################################################################
#ZONE IPSEC OPTIONS #ZONE IPSEC OPTIONS IN OUT
# ONLY # ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -564,7 +564,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check" echo " check [ <directory> ]"
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..." echo " drop <address> ..."
@ -578,15 +578,17 @@ usage() # $1 = exit status
echo " refresh" echo " refresh"
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart [ <directory> ]"
echo " restore [ <file name> ]" echo " restore [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " version" echo " version"
echo
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
exit $1 exit $1
} }
@ -761,8 +763,30 @@ esac
case "$1" in case "$1" in
start) start)
[ $# -ne 1 ] && usage 1 case $# in
1)
;;
2)
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
get_config get_config
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
@ -779,11 +803,36 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi fi
;; ;;
stop|restart|reset|clear|refresh|check) stop|reset|clear|refresh)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;; ;;
check|restart)
case $# in
1)
;;
2)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
get_config get_config
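Review bot: The directory argument is tested unquoted in both new arms (`[ ! -d $2 ]` and `[ -e $2 ]` in the start arm and again in the check|restart arm), so a path containing whitespace or a glob character is word-split before the test and the wrong diagnostic, or a test error, is produced; the same ten lines are also duplicated between the two arms. I would move the validation into one helper defined next to usage() that quotes its argument, and keep the extra `$FAST` rejection in the start arm only, as below. Note also that the usage line added in the first hunk says -f may not be combined with a <directory> for start, restart and check, yet only the start arm tests `$FAST` (check|restart at the `[ -n "$SHOREWALL_DIR" ] && usage 2` line does not); if -f is simply ignored by those commands the usage text should say so, otherwise the check|restart arm should reject it as well. The enclosing `case "$1"` statement continues past the end of this section (the add|delete arm is cut off).
```shell
set_config_dir() # $1 = configuration directory given on the command line
{
    [ -n "$SHOREWALL_DIR" ] && usage 2
    if [ ! -d "$1" ]; then
        if [ -e "$1" ]; then
            echo "$1 is not a directory" >&2
        else
            echo "Directory $1 does not exist" >&2
        fi
        exit 2
    fi
    SHOREWALL_DIR="$1"
    export SHOREWALL_DIR
}

# … unchanged: usage(), option parsing, get_config …

    start)
        case $# in
            1)
                ;;
            2)
                [ -n "$FAST" ] && usage 2
                set_config_dir "$2"
                ;;
            *)
                usage 1
                ;;
        esac
        # … unchanged: get_config and the FAST/restore handling …
        ;;
    # … unchanged: stop|reset|clear|refresh arm …
    check|restart)
        case $# in
            1)
                ;;
            2)
                set_config_dir "$2"
                ;;
            *)
                usage 1
                ;;
        esac
        get_config
        exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
        ;;
```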


@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
{ {
eval local is_ipsec=\$${1}_is_ipsec eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir in $options" echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in $options" echo "-m policy --pol none --dir in"
fi fi
} }
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
{ {
eval local is_ipsec=\$${1}_is_ipsec eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir out $options" echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out $options" echo "-m policy --pol none --dir out"
fi fi
} }
@ -1636,47 +1636,36 @@ setup_tunnels() # $1 = name of tunnels file
setup_ipsec() { setup_ipsec() {
do_options() { do_options() # $1 = _in, _out or "" - $2 = option list
local option newoptions= {
local option opts newoptions=
options=$(separate_list $options) [ x${2} = x- ] && return
for option in $options; do opts=$(separate_list $2)
for option in $opts; do
case $option in case $option in
reqid=*) reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
newoptions="$newoptions --reqid ${option#*=}" spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
;; proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
spi=*) mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
newoptions="$newoptions --spi ${option#*=}" tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
;; tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
proto=*) *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
newoptions="$newoptions --proto ${option#*=}"
;;
mode=*)
newoptions="$newoptions --mode ${option#*=}"
;;
tunnel-src=*)
newoptions="$newoptions --tunnel-src ${option#*=}"
;;
tunnel-dst=*)
newoptions="$newoptions --tunnel-dst ${option#*=}"
;;
*)
fatal_error "Invalid option \"$option\" for zone $zone"
;;
esac esac
done done
if [ -n "$newoptions" ]; then if [ -n "$newoptions" ]; then
eval ${zone}_is_complex=Yes eval ${zone}_is_complex=Yes
eval ${zone}_ipsec_options=\"${newoptions# }\" eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi fi
} }
strip_file ipsec $1 strip_file ipsec $1
while read zone ipsec options; do while read zone ipsec options in_options out_options; do
expandv zone ipsec options expandv zone ipsec options in_options out_options
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -1694,7 +1683,9 @@ setup_ipsec() {
;; ;;
esac esac
do_options do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
done < $TMP_DIR/ipsec done < $TMP_DIR/ipsec
} }
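Review bot: The new `reqid=*`, `spi=*`, `proto=*`, `mode=*`, `tunnel-src=*` and `tunnel-dst=*` arms of do_options accept an empty value (an entry such as `reqid=` still matches `reqid=*`), so `--reqid` with no argument is emitted and only fails when the generated iptables command runs, instead of being reported by fatal_error while the configuration is being read; a `[ -n "${option#*=}" ]` check in the arm catches it early. Since the six arms now differ only in the iptables option name, which is identical to the key, they can collapse into one arm that derives the name from the key, as below. Separately, match_ipsec_in/out now concatenate the zone-level list with the directional one (`\$${1}_ipsec_options \$${1}_ipsec_in_options`), so a key given in both OPTIONS and IN OPTIONS yields the same policy-match option twice on one rule; I expect iptables to reject that, but have not verified it here, so at minimum the ipsec file's comment should say the three lists must not overlap.
```shell
do_options() # $1 = _in, _out or "" - $2 = option list
{
    local option opts newoptions=

    [ x${2} = x- ] && return

    opts=$(separate_list $2)

    for option in $opts; do
        case $option in
            reqid=*|spi=*|proto=*|mode=*|tunnel-src=*|tunnel-dst=*)
                # The key is also the policy-match option name, so derive one from the other;
                # reject an empty value here rather than leaving iptables to fail at run time.
                [ -n "${option#*=}" ] || fatal_error "Missing value in option \"$option\" for zone $zone"
                newoptions="$newoptions --${option%%=*} ${option#*=}"
                ;;
            *)
                fatal_error "Invalid option \"$option\" for zone $zone"
                ;;
        esac
    done

    # … unchanged: set ${zone}_is_complex and ${zone}_ipsec${1}_options when newoptions is non-empty …
}
```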


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall help subsystem - V2.0 - 2/14/2004 # Shorewall help subsystem - V2.1
# #
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -60,7 +60,7 @@ allow)
;; ;;
check) check)
echo "check: check [ -c <configuration-directory> ] echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts, Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command you have made to the shorewall configuration. See the try command
@ -187,7 +187,7 @@ reset)
;; ;;
restart) restart)
echo "restart: restart [ -q ] [ -c <configuration-directory> ] echo "restart: [ -q ] restart [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start. Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained. Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings" If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
@ -240,13 +240,14 @@ show)
;; ;;
start) start)
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists" in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified".
;; ;;
stop) stop)


@ -1 +1 @@
2.1.5 2.1.6