Add capabilities report to 'shorewall dump' output

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-30 16:54:24 +00:00
parent 9c956521d8
commit 84af786df4
5 changed files with 157 additions and 217 deletions


@ -2,6 +2,10 @@ Changes in 2.5.7
1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped. 1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.
2) Fix traffic shaping and "shorewall refresh"
3) Add capabilities report to "shorewall dump".
Changes in 2.5.6 Changes in 2.5.6
1) Finish install/fallback cleanup. 1) Finish install/fallback cleanup.


@ -7234,97 +7234,6 @@ verify_ip() {
startup_error "Shorewall $version requires the iproute package ('ip' utility)" startup_error "Shorewall $version requires the iproute package ('ip' utility)"
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
# #
# Perform Initialization # Perform Initialization
# - Delete all old rules # - Delete all old rules
@ -9372,12 +9281,6 @@ case "$COMMAND" in
$@ $@
;; ;;
capabilities)
[ $# -ne 1 ] && usage
do_initialize
report_capabilities
;;
*) *)
usage usage
;; ;;


@ -153,9 +153,9 @@ find_file()
return return
fi fi
done done
IFS=$saveifs IFS=$saveifs
echo /etc/shorewall/$1 echo /etc/shorewall/$1
fi fi
;; ;;
@ -185,7 +185,7 @@ resolve_file() # $1 = file name
echo $pwd/$1 echo $pwd/$1
;; ;;
esac esac
} }
# #
# Replace commas with spaces and echo the result # Replace commas with spaces and echo the result
@ -234,7 +234,7 @@ separate_list() {
;; ;;
*) *)
case $firstpart in case $firstpart in
*\,) *\,)
echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
;; ;;
*) *)
@ -276,7 +276,7 @@ loadmodule() # $1 = module name, $2 - * arguments
if [ -z "$(lsmod | grep $modulename)" ]; then if [ -z "$(lsmod | grep $modulename)" ]; then
shift shift
for suffix in $MODULE_SUFFIX ; do for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix} modulefile=$MODULESDIR/${modulename}.${suffix}
@ -439,7 +439,7 @@ mktempdir() {
echo " ERROR:Internal error in mktempdir" >&2 echo " ERROR:Internal error in mktempdir" >&2
;; ;;
esac esac
} }
# #
# Read a file and handle "INCLUDE" directives # Read a file and handle "INCLUDE" directives
@ -877,4 +877,96 @@ set_state () # $1 = state
echo "$1 ($(date))" > /var/lib/shorewall/state echo "$1 ($(date))" > /var/lib/shorewall/state
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
ROUTE_TARGET=
XMARK=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
[ -n "$PKTTYPE" ] || USEPKTTYPE=
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH
report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
report_capability "CONNMARK Target" $CONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
}
SHOREWALL_LIBRARY=Loaded SHOREWALL_LIBRARY=Loaded
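Review bot: `USEPKTTYPE` is the one capability flag that `determine_capabilities` never clears before probing — every other flag is reset at the top of the function (`CONNTRACK_MATCH=` through `RAW_TABLE=`), while the pkttype probe near the end only ever sets it to Yes, so a value already present in the calling shell survives a failed probe and the report prints "Available" for a match the kernel lacks; add `USEPKTTYPE=` to the reset list. Now that this function is reachable from a command that reads as inspection-only (the commit title names `shorewall dump`), its header comment should state that probing is not read-only: it creates, flushes and deletes chain fooX1234 in the filter and mangle tables and, when ipset is present, creates and destroys an ipset of the same name, so it needs the same privileges as a firewall start, a pre-existing chain of that name would be flushed, and every probe silently reports "Not available" when those privileges are missing. The comment should also say that `$IPTABLES` must be set by the caller, since the library provides no fallback — the removed firewall copy ran after `do_initialize`, and whether every new caller has done the equivalent is not visible here. In `report_capabilities`, `[ -n "$PKTTYPE" ] || USEPKTTYPE=` runs after the "Packet Type Match" line has already been printed and mutates a global from inside a report function; if the intent is that PKTTYPE=No suppresses use but not detection, say so in a comment, otherwise move the line ahead of the report.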


@ -11,94 +11,10 @@ Problems Corrected in 2.5.7:
2) The "shorewall refresh" command was clearing traffic shaping but not 2) The "shorewall refresh" command was clearing traffic shaping but not
reconfiguring it. reconfiguring it.
Problems Corrected in 2.5.6: New Features in 2.5.7:
1) The following fatal error could occur at startup: 1) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".
ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level NONE
--log-prefix "Shorewall:INPUT:ACCEPT:"" Failed
That problem has been corrected.
2) The Makefile is now unconditionally installed in /etc/shorewall
during an upgrade (the prior copy has been saved in
/etc/shorewall-<version>.bkout/Makefile).
New Features in 2.5.6:
1) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
2) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.
Problems Corrected in 2.5.5:
1) The install script now installs the correct Makefile. Previously,
the /etc/shorewall/actions file was identical to the Makefile.
2) Error Handling was completely broken; operations such as
"shorewall start" would continue after what should have been fatal
errors.
Problems Corrected in 2.5.4:
1) Several serious problems associated with macros have been corrected.
Problems Corrected in 2.5.3:
1) The Netfilter 'raw' table is now cleared during "shorewall stop",
"shorewall [re]start" and "shorewall clear".
Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting
file.
2) The packet type match capability is now correctly reported when
PKTTYPE=No in /etc/shorewall/shorewall.conf.
Problems Corrected in 2.5.1:
1) Shorewall is no longer dependent on the 'which' utility.
2) "shorewall add" no longer fails when the 'ipsec' option has appeared
in /etc/shorewall/hosts.
3) The Makefile has been changed to compare the modification times of
the files in /etc/shorewall with
/var/lib/shorewall/restore-base. That file is modified each time
that Shorewall is [re]started whereas /var/lib/shorewall/restarted
is also modified by "shorewall reset" and "shorewall refresh".
4) The handling of log levels passed to macros has been
corrected. Previously, passing a log level to a macro resulted in a
[re]start error.
Problems Corrected in 2.5.0:
1) The behavior of CONTINUE policies has been improved. Shorewall no
longer generates a useless policy chain corresponding to these
policies.
2) The combining of the zones and ipsec files has now been made upward
compatible provided that the user doesn't do something idiotic such
as install the new shorewall.conf file then manually update it
with exactly the changes that had been applied to the old file.
Migration Considerations: Migration Considerations:
@ -165,13 +81,13 @@ Migration Considerations:
Your kernel and iptables must include policy Your kernel and iptables must include policy
match support. match support.
firewall firewall
- Designates the firewall itself. You must have - Designates the firewall itself. You must have
exactly one 'firewall' zone. No options are exactly one 'firewall' zone. No options are
permitted with a 'firewall' zone. permitted with a 'firewall' zone.
OPTIONS, A comma-separated list of options as OPTIONS, A comma-separated list of options as
IN OPTIONS, follows: IN OPTIONS, follows:
OUT OPTIONS OUT OPTIONS
reqid=<number> where <number> is reqid=<number> where <number> is
specified using setkey(8) using the specified using setkey(8) using the
'unique:<number> option for the SPD 'unique:<number> option for the SPD
@ -414,10 +330,10 @@ New Features in Shorewall 2.5.*
ACCEPT loc all+ tcp 22 ACCEPT loc all+ tcp 22
would allow SSH traffic from loc->loc whereas would allow SSH traffic from loc->loc whereas
ACCEPT loc all tcp 22 ACCEPT loc all tcp 22
does not. does not.
7) A new FASTACCEPT option has been added to shorewall.conf. 7) A new FASTACCEPT option has been added to shorewall.conf.
@ -437,7 +353,7 @@ New Features in Shorewall 2.5.*
specified for an interface with an RFC 1918 address. specified for an interface with an RFC 1918 address.
9) You may now specify "!" followed by a list of addresses in the 9) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules, SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will /etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect. generate the rule that you expect.
@ -493,7 +409,7 @@ New Features in Shorewall 2.5.*
14) Prior to Shorewall 2.5.3, the rules file only controlled packets in 14) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release, the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and the rules file can also deal with packets in the ESTABLISHED and
RELATED states. RELATED states.
The /etc/shorewall/rules file may now be divided into The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with "sections". Each section is introduced by a line that begins with
@ -558,7 +474,7 @@ New Features in Shorewall 2.5.*
Now, $1 = these, $2 = are and $3 = parameters Now, $1 = these, $2 = are and $3 = parameters
17) The "shorewall check" command now checks the /etc/shorewall/masq, 17) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp, /etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/nat and /etc/shorewall/providers files. /etc/shorewall/nat and /etc/shorewall/providers files.
18) Arne Bernin's "tc4shorewall" package has been integrated into 18) Arne Bernin's "tc4shorewall" package has been integrated into
@ -575,3 +491,23 @@ New Features in Shorewall 2.5.*
variable to determine if the library has been loaded into the variable to determine if the library has been loaded into the
current shell process. current shell process.
20) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:
rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout
21) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.
This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.


@ -401,7 +401,7 @@ save_config() {
if shorewall_is_started ; then if shorewall_is_started ; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else else
@ -421,9 +421,9 @@ save_config() {
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
rm -f ${RESTOREPATH}-ipsets rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss]) [Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets RESTOREPATH=${RESTOREPATH}-ipsets
@ -604,7 +604,7 @@ while [ $done -eq 0 ]; do
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1 [ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
c) c)
@ -617,7 +617,7 @@ while [ $done -eq 0 ]; do
echo "Directory $2 does not exist" >&2 && exit 2 echo "Directory $2 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$2 SHOREWALL_DIR=$2
option= option=
shift shift
@ -641,7 +641,7 @@ while [ $done -eq 0 ]; do
n*) n*)
NOROUTES=Yes NOROUTES=Yes
option=${option#n} option=${option#n}
;; ;;
*) *)
usage 1 usage 1
;; ;;
@ -755,7 +755,7 @@ case "$1" in
echo "Directory $2 does not exist" >&2 && exit 2 echo "Directory $2 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$2 SHOREWALL_DIR=$2
export SHOREWALL_DIR export SHOREWALL_DIR
;; ;;
@ -765,14 +765,14 @@ case "$1" in
esac esac
export NOROUTES export NOROUTES
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
if qt mywhich make; then if qt mywhich make; then
make -qf /etc/shorewall/Makefile || FAST= make -qf /etc/shorewall/Makefile || FAST=
fi fi
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
@ -820,7 +820,7 @@ case "$1" in
echo "Directory $2 does not exist" >&2 && exit 2 echo "Directory $2 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$2 SHOREWALL_DIR=$2
export SHOREWALL_DIR export SHOREWALL_DIR
;; ;;
@ -830,7 +830,7 @@ case "$1" in
esac esac
export NOROUTES export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
@ -898,7 +898,8 @@ case "$1" in
fi fi
;; ;;
capabilities) capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities determine_capabilities
report_capabilities
;; ;;
actions) actions)
echo "allowBcast #Silently Allow Broadcast/multicast" echo "allowBcast #Silently Allow Broadcast/multicast"
@ -914,7 +915,7 @@ case "$1" in
;; ;;
*) *)
shift shift
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -979,7 +980,7 @@ case "$1" in
heading "IP Stats" heading "IP Stats"
ip -stat link ls ip -stat link ls
if qt mywhich brctl; then if qt mywhich brctl; then
heading "Bridges" heading "Bridges"
brctl show brctl show
@ -1012,11 +1013,15 @@ case "$1" in
heading "ARP" heading "ARP"
arp -na arp -na
if qt mywhich lsmod; then if qt mywhich lsmod; then
heading "Modules" heading "Modules"
lsmod | grep -E '^ip_|^ipt_|^iptable_' lsmod | grep -E '^ip_|^ipt_|^iptable_'
fi fi
determine_capabilities
echo
report_capabilities
;; ;;
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -1191,7 +1196,7 @@ case "$1" in
else else
usage 1 usage 1
fi fi
[ -z "$vlsm" ] && exit 2 [ -z "$vlsm" ] && exit 2
[ "x$address" = "x$vlsm" ] && usage 2 [ "x$address" = "x$vlsm" ] && usage 2
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
@ -1290,7 +1295,7 @@ case "$1" in
mutex_off mutex_off
exit 0 exit 0
fi fi
if [ "$1" = "safe-start" -o $running -ne 0 ] if [ "$1" = "safe-start" -o $running -ne 0 ]
then then
# the command is safe-start or shorewall is not started yet # the command is safe-start or shorewall is not started yet
@ -1318,15 +1323,15 @@ case "$1" in
# removed previous configuration # removed previous configuration
rm /var/lib/shorewall/safe-start-restart rm /var/lib/shorewall/safe-start-restart
fi fi
else else
if [ "$command" = "restart" ] if [ "$command" = "restart" ]
then then
$0 nolock $debugging restore "safe-start-restart" $0 nolock $debugging restore "safe-start-restart"
rm /var/lib/shorewall/safe-start-restart rm /var/lib/shorewall/safe-start-restart
else else
$0 nolock $debugging clear $0 nolock $debugging clear
fi fi
mutex_off mutex_off
echo "New configuration has been rejected and the old one restored" echo "New configuration has been rejected and the old one restored"
exit 2 exit 2