holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add capabilities report to 'shorewall dump' output

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-30 16:54:24 +00:00
parent 9c956521d8
commit 84af786df4
5 changed files with 157 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -2,6 +2,10 @@ Changes in 2.5.7
1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped. 1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.
2) Fix traffic shaping and "shorewall refresh"
3) Add capabilities report to "shorewall dump".
Changes in 2.5.6 Changes in 2.5.6
1) Finish install/fallback cleanup. 1) Finish install/fallback cleanup.

97
Shorewall/firewall
View File

@ -7234,97 +7234,6 @@ verify_ip() {
startup_error "Shorewall $version requires the iproute package ('ip' utility)" startup_error "Shorewall $version requires the iproute package ('ip' utility)"
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
# #
# Perform Initialization # Perform Initialization
# - Delete all old rules # - Delete all old rules
@ -9372,12 +9281,6 @@ case "$COMMAND" in
$@ $@
;; ;;
capabilities)
[ $# -ne 1 ] && usage
do_initialize
report_capabilities
;;
*) *)
usage usage
;; ;;

92
Shorewall/functions
View File

@ -877,4 +877,96 @@ set_state () # $1 = state
echo "$1 ($(date))" > /var/lib/shorewall/state echo "$1 ($(date))" > /var/lib/shorewall/state
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
SHOREWALL_LIBRARY=Loaded SHOREWALL_LIBRARY=Loaded

110
Shorewall/releasenotes.txt
View File

@ -11,94 +11,10 @@ Problems Corrected in 2.5.7:
2) The "shorewall refresh" command was clearing traffic shaping but not 2) The "shorewall refresh" command was clearing traffic shaping but not
reconfiguring it. reconfiguring it.
Problems Corrected in 2.5.6: New Features in 2.5.7:
1) The following fatal error could occur at startup: 1) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".
ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level NONE
--log-prefix "Shorewall:INPUT:ACCEPT:"" Failed
That problem has been corrected.
2) The Makefile is now unconditionally installed in /etc/shorewall
during an upgrade (the prior copy has been saved in
/etc/shorewall-<version>.bkout/Makefile).
New Features in 2.5.6:
1) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
2) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.
Problems Corrected in 2.5.5:
1) The install script now installs the correct Makefile. Previously,
the /etc/shorewall/actions file was identical to the Makefile.
2) Error Handling was completely broken; operations such as
"shorewall start" would continue after what should have been fatal
errors.
Problems Corrected in 2.5.4:
1) Several serious problems associated with macros have been corrected.
Problems Corrected in 2.5.3:
1) The Netfilter 'raw' table is now cleared during "shorewall stop",
"shorewall [re]start" and "shorewall clear".
Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting
file.
2) The packet type match capability is now correctly reported when
PKTTYPE=No in /etc/shorewall/shorewall.conf.
Problems Corrected in 2.5.1:
1) Shorewall is no longer dependent on the 'which' utility.
2) "shorewall add" no longer fails when the 'ipsec' option has appeared
in /etc/shorewall/hosts.
3) The Makefile has been changed to compare the modification times of
the files in /etc/shorewall with
/var/lib/shorewall/restore-base. That file is modified each time
that Shorewall is [re]started whereas /var/lib/shorewall/restarted
is also modified by "shorewall reset" and "shorewall refresh".
4) The handling of log levels passed to macros has been
corrected. Previously, passing a log level to a macro resulted in a
[re]start error.
Problems Corrected in 2.5.0:
1) The behavior of CONTINUE policies has been improved. Shorewall no
longer generates a useless policy chain corresponding to these
policies.
2) The combining of the zones and ipsec files has now been made upward
compatible provided that the user doesn't do something idiotic such
as install the new shorewall.conf file then manually update it
with exactly the changes that had been applied to the old file.
Migration Considerations: Migration Considerations:
@ -575,3 +491,23 @@ New Features in Shorewall 2.5.*
variable to determine if the library has been loaded into the variable to determine if the library has been loaded into the
current shell process. current shell process.
20) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
21) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.

7
Shorewall/shorewall
View File

@ -898,7 +898,8 @@ case "$1" in
fi fi
;; ;;
capabilities) capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities determine_capabilities
report_capabilities
;; ;;
actions) actions)
echo "allowBcast #Silently Allow Broadcast/multicast" echo "allowBcast #Silently Allow Broadcast/multicast"
@ -1017,6 +1018,10 @@ case "$1" in
heading "Modules" heading "Modules"
lsmod | grep -E '^ip_|^ipt_|^iptable_' lsmod | grep -E '^ip_|^ipt_|^iptable_'
fi fi
determine_capabilities
echo
report_capabilities
;; ;;
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x