Add capabilities report to 'shorewall dump' output

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-09-30 16:54:24 +00:00 · 2005-09-30 16:54:24 +00:00 · 84af786df4
commit 84af786df4
parent 9c956521d8
5 changed files with 157 additions and 217 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -2,6 +2,10 @@ Changes in 2.5.7

 1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.

+2) Fix traffic shaping and "shorewall refresh"
+
+3) Add capabilities report to "shorewall dump".
+
 Changes in 2.5.6

 1) Finish install/fallback cleanup.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -7234,97 +7234,6 @@ verify_ip() {
 	startup_error "Shorewall $version requires the iproute package ('ip' utility)"
 }

-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
-    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
-    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
-    CONNTRACK_MATCH=
-    MULTIPORT=
-    XMULTIPORT=
-    POLICY_MATCH=
-    PHYSDEV_MATCH=
-    IPRANGE_MATCH=
-    RECENT_MATCH=
-    OWNER_MATCH=
-    IPSET_MATCH=
-    ROUTE_TARGET=
-    XMARK=
-    CONNMARK=
-    CONNMARK_MATCH=
-    RAW_TABLE=
-
-    qt $IPTABLES -N fooX1234
-    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
-    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
-    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT                         && OWNER_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT                            && CONNMARK_MATCH=Yes
-
-    qt $IPTABLES -t mangle -N fooX1234
-    qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0                              && ROUTE_TARGET=Yes
-    qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2                              && XMARK=Yes
-    qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark                          && CONNMARK=Yes
-    qt $IPTABLES -t mangle -F fooX1234
-    qt $IPTABLES -t mangle -X fooX1234
-
-    qt $IPTABLES -t raw	   -L -n							&& RAW_TABLE=Yes
-
-    if qt mywhich ipset; then
-	qt ipset -X fooX1234 # Just in case something went wrong the last time
-
-	if qt ipset -N fooX1234 iphash ; then
-	    if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
-		qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
-		IPSET_MATCH=Yes
-	    fi
-	    qt ipset -X fooX1234
-	fi
-    fi
-
-    qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
-
-    qt $IPTABLES -F fooX1234
-    qt $IPTABLES -X fooX1234
-}
-
-report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-{
-    local setting=
-
-    [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
-    echo "  " $1: $setting
-}
-
-report_capabilities() {
-    echo "Shorewall has detected the following iptables/netfilter capabilities:"
-    report_capability "NAT" $NAT_ENABLED
-    report_capability "Packet Mangling" $MANGLE_ENABLED
-    report_capability "Multi-port Match" $MULTIPORT
-    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-    report_capability "Connection Tracking Match" $CONNTRACK_MATCH
-    report_capability "Packet Type Match" $USEPKTTYPE
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-    report_capability "Policy Match" $POLICY_MATCH
-    report_capability "Physdev Match" $PHYSDEV_MATCH
-    report_capability "IP range Match" $IPRANGE_MATCH
-    report_capability "Recent Match" $RECENT_MATCH
-    report_capability "Owner Match" $OWNER_MATCH
-    report_capability "Ipset Match" $IPSET_MATCH
-    report_capability "ROUTE Target" $ROUTE_TARGET
-    report_capability "Extended MARK Target" $XMARK
-    report_capability "CONNMARK Target" $CONNMARK
-    report_capability "Connmark Match" $CONNMARK_MATCH
-    report_capability "Raw Table" $RAW_TABLE
-}
-
 #
 # Perform Initialization
 #	- Delete all old rules
@ -9372,12 +9281,6 @@ case "$COMMAND" in
 	$@
 	;;

-    capabilities)
-	[ $# -ne 1 ] && usage
-	do_initialize
-	report_capabilities
-	;;
-
    *)
 	usage
 	;;
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -877,4 +877,96 @@ set_state () # $1 = state
    echo "$1 ($(date))" > /var/lib/shorewall/state
 }

+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
+    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    CONNTRACK_MATCH=
+    MULTIPORT=
+    XMULTIPORT=
+    POLICY_MATCH=
+    PHYSDEV_MATCH=
+    IPRANGE_MATCH=
+    RECENT_MATCH=
+    OWNER_MATCH=
+    IPSET_MATCH=
+    ROUTE_TARGET=
+    XMARK=
+    CONNMARK=
+    CONNMARK_MATCH=
+    RAW_TABLE=
+
+    qt $IPTABLES -N fooX1234
+    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
+    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
+    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT                         && OWNER_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT                            && CONNMARK_MATCH=Yes
+
+    qt $IPTABLES -t mangle -N fooX1234
+    qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0                              && ROUTE_TARGET=Yes
+    qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2                              && XMARK=Yes
+    qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark                          && CONNMARK=Yes
+    qt $IPTABLES -t mangle -F fooX1234
+    qt $IPTABLES -t mangle -X fooX1234
+
+    qt $IPTABLES -t raw	   -L -n							&& RAW_TABLE=Yes
+
+    if qt mywhich ipset; then
+	qt ipset -X fooX1234 # Just in case something went wrong the last time
+
+	if qt ipset -N fooX1234 iphash ; then
+	    if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
+		qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
+		IPSET_MATCH=Yes
+	    fi
+	    qt ipset -X fooX1234
+	fi
+    fi
+
+    qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+
+    qt $IPTABLES -F fooX1234
+    qt $IPTABLES -X fooX1234
+}
+
+report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+{
+    local setting=
+
+    [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+
+    echo "  " $1: $setting
+}
+
+report_capabilities() {
+    echo "Shorewall has detected the following iptables/netfilter capabilities:"
+    report_capability "NAT" $NAT_ENABLED
+    report_capability "Packet Mangling" $MANGLE_ENABLED
+    report_capability "Multi-port Match" $MULTIPORT
+    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+    report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+    report_capability "Packet Type Match" $USEPKTTYPE
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+    report_capability "Policy Match" $POLICY_MATCH
+    report_capability "Physdev Match" $PHYSDEV_MATCH
+    report_capability "IP range Match" $IPRANGE_MATCH
+    report_capability "Recent Match" $RECENT_MATCH
+    report_capability "Owner Match" $OWNER_MATCH
+    report_capability "Ipset Match" $IPSET_MATCH
+    report_capability "ROUTE Target" $ROUTE_TARGET
+    report_capability "Extended MARK Target" $XMARK
+    report_capability "CONNMARK Target" $CONNMARK
+    report_capability "Connmark Match" $CONNMARK_MATCH
+    report_capability "Raw Table" $RAW_TABLE
+}
+
+
 SHOREWALL_LIBRARY=Loaded
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -11,94 +11,10 @@ Problems Corrected in 2.5.7:
 2) The "shorewall refresh" command was clearing traffic shaping but not
   reconfiguring it.

-Problems Corrected in 2.5.6:
+New Features in 2.5.7:

-1)  The following fatal error could occur at startup:
-
-    ERROR: Command "/sbin/iptables -A INPUT   -j  LOG  --log-level NONE
-        --log-prefix "Shorewall:INPUT:ACCEPT:"" Failed
-
-    That problem has been corrected.
-
-2)  The Makefile is now unconditionally installed in /etc/shorewall
-    during an upgrade (the prior copy has been saved in
-    /etc/shorewall-<version>.bkout/Makefile).
-
-New Features in 2.5.6:
-
-1)  The install.sh script now does a much cleaner job of backing up the
-    current installation. It copies the directories /etc/shorewall,
-    /usr/share/shorewall and /var/lib/shorewall to a directory of the
-    same name with "-$VERSION.bkout" appended. The init script and
-    /sbin/shorewall are backed up to the /usr/share/shorewall and
-    /var/lib/shorewall directories respectively. This makes it very
-    simple to remove the backups:
-
-	   rm -rf /etc/shorewall-*.bkout
-	   rm -rf /usr/share/shorewall-*.bkout
-	   rm -rf /var/lib/shorewall-*.bkout
-
-2)  A new '-n' option has been added to the "start", "restart",
-    "restore",  "stop" and "try" commands. This option instructs
-    Shorewall to not alter the routing in any way.
-
-    This option is useful when you have a multi-ISP environment because
-    it prevents the route cache from being flushed which preserves the
-    mapping of end-point address pairs to routes.
-
-Problems Corrected in 2.5.5:
-
-1)  The install script now installs the correct Makefile. Previously,
-    the /etc/shorewall/actions file was identical to the Makefile.
-
-2)  Error Handling was completely broken; operations such as 
-    "shorewall start" would continue after what should have been fatal
-    errors.
-
-Problems Corrected in 2.5.4:
-
-1)  Several serious problems associated with macros have been corrected.
-
-Problems Corrected in 2.5.3:
-
-1)  The Netfilter 'raw' table is now cleared during "shorewall stop",
-    "shorewall [re]start" and "shorewall clear".
-
-Problems Corrected in 2.5.2:
-
-1) You may now include port lists in in the /etc/shorewall/accounting
-   file.
-
-2) The packet type match capability is now correctly reported when
-   PKTTYPE=No in /etc/shorewall/shorewall.conf.
-
-Problems Corrected in 2.5.1:
-
-1) Shorewall is no longer dependent on the 'which' utility.
-
-2) "shorewall add" no longer fails when the 'ipsec' option has appeared
-   in /etc/shorewall/hosts.
-
-3) The Makefile has been changed to compare the modification times of
-   the files in /etc/shorewall with
-   /var/lib/shorewall/restore-base. That file is modified each time
-   that Shorewall is [re]started whereas /var/lib/shorewall/restarted
-   is also modified by "shorewall reset" and "shorewall refresh".
-
-4) The handling of log levels passed to macros has been
-   corrected. Previously, passing a log level to a macro resulted in a
-   [re]start error.
-
-Problems Corrected in 2.5.0:
-
-1) The behavior of CONTINUE policies has been improved. Shorewall no
-   longer generates a useless policy chain corresponding to these
-   policies.
-
-2) The combining of the zones and ipsec files has now been made upward
-   compatible provided that the user doesn't do something idiotic such
-   as install the new shorewall.conf file then manually update it
-   with exactly the changes that had been applied to the old file.
+1) The output of "shorewall dump" now includes a capabilities report
+   such as the one produced by "shorewall show capabilities".

 Migration Considerations:

@ -575,3 +491,23 @@ New Features in Shorewall 2.5.*
    variable to determine if the library has been loaded into the
    current shell process.

+20) The install.sh script now does a much cleaner job of backing up the
+    current installation. It copies the directories /etc/shorewall,
+    /usr/share/shorewall and /var/lib/shorewall to a directory of the
+    same name with "-$VERSION.bkout" appended. The init script and
+    /sbin/shorewall are backed up to the /usr/share/shorewall and
+    /var/lib/shorewall directories respectively. This makes it very
+    simple to remove the backups:
+
+	   rm -rf /etc/shorewall-*.bkout
+	   rm -rf /usr/share/shorewall-*.bkout
+	   rm -rf /var/lib/shorewall-*.bkout
+
+21) A new '-n' option has been added to the "start", "restart",
+    "restore",  "stop" and "try" commands. This option instructs
+    Shorewall to not alter the routing in any way.
+
+    This option is useful when you have a multi-ISP environment because
+    it prevents the route cache from being flushed which preserves the
+    mapping of end-point address pairs to routes.
+
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -898,7 +898,8 @@ case "$1" in
 	    fi
 	    ;;
 	capabilities)
-	    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
+	    determine_capabilities
+	    report_capabilities
 	    ;;
 	actions)
 	    echo "allowBcast         #Silently Allow Broadcast/multicast"
@ -1017,6 +1018,10 @@ case "$1" in
 	    heading "Modules"
 	    lsmod | grep -E '^ip_|^ipt_|^iptable_'
 	fi
+
+	determine_capabilities
+	echo
+	report_capabilities
 	;;
    hits)
    	[ -n "$debugging" ] && set -x