holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

Browse Source
This commit is contained in:
Tuomo Soini 2015-11-02 00:02:56 +02:00
commit 85df53841b
17 changed files with 316 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Shorewall-core/configure vendored
View File

@ -158,6 +158,9 @@ else
if [ ! -f $rcfile ]; then
echo "ERROR: $vendor is not a recognized host type" >&2
exit 1
elif [ $vendor = default ]; then
params[HOST]=linux
vendor=linux
fi
fi

6
Shorewall-core/configure.pl
View File

@ -82,7 +82,11 @@ unless ( defined $vendor ) {
if ( defined $vendor ) {
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
unless ( -f $rcfilename ) {
die qq("ERROR: $vendor" is not a recognized host type);
} elsif ( $vendor eq 'default' ) {
$params{HOST} = $vendor = 'linux';
}
} else {
if ( -f '/etc/debian_version' ) {
$vendor = 'debian';

6
Shorewall-core/install.sh
View File

@ -133,6 +133,8 @@ while [ $finished -eq 0 ]; do
esac
done
[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
#
# Read the RC file
#
@ -407,9 +409,9 @@ fi
if [ ${SHAREDIR} != /usr/share ]; then
for f in lib.*; do
if [ $BUILD != apple ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
else
eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
fi
done
fi

208
Shorewall-core/lib.cli
View File

@ -149,23 +149,56 @@ syslog_circular_buffer() {
local pid
local tty
local flags
local cputime
local time
local path
local args
local arg
ps ax 2> /dev/null | while read pid tty flags cputime path args; do
ps w 2> /dev/null | while read pid tty stat time path args; do
case $path in
syslogd|*/syslogd)
for arg in $args; do
if [ x$arg = x-C ]; then
echo Yes
return
fi
case $arg in
-C*)
return 0
;;
esac
done
;;
logd|*/logd)
for arg in $args; do
case $arg in
-S*)
return 0
;;
esac
done
;;
esac
done
return 1
}
setup_logread() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if syslog_circular_buffer; then
LOGFILE=logread
if qt mywhich tac; then
g_logread="logread | tac"
else
g_logread="logread"
fi
elif [ -r $LOGFILE ]; then
if qt mywhich tac; then
g_logread="tac $LOGFILE"
else
g_logread="cat $LOGFILE"
fi
else
fatal_error "LOGFILE ($LOGFILE) does not exist or is not readable!"
fi
}
#
@ -173,31 +206,59 @@ syslog_circular_buffer() {
#
packet_log() # $1 = number of messages
{
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
if qt mywhich tac; then
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
fi
}
search_log() # $1 = IP address to search for
{
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
if qt mywhich tac; then
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
if [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
elif [ $g_family -eq 4 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
fi
fi
}
@ -280,17 +341,7 @@ show_bl() {
logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
setup_logread
host=$(echo $g_hostname | sed 's/\..*$//')
oldrejects=$($g_tool -L -v -n | grep 'LOG')
@ -1038,17 +1089,7 @@ show_command() {
log)
[ $# -gt 2 ] && usage 1
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
setup_logread
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo
@ -1427,17 +1468,7 @@ do_dump_command() {
esac
done
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html"
fi
fi
setup_logread
g_ipt_options="$g_ipt_options $g_ipt_options1"
@ -3495,10 +3526,34 @@ noiptrace_command() {
fatal_error "$g_product is not started"
fi
}
#
# Set the configuration variables from shorewall-lite.conf
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $g_firewall ]; then
echo " ERROR: $g_product is not properly installed" >&2
if [ -L $g_firewall ]; then
echo " $g_firewall is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $g_firewall does not exist" >&2
fi
exit 2
fi
}
################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
#
# Set the configuration variables from shorewall[6]-lite.conf.
#
get_config() {
local config
local lib
ensure_config_path
@ -3520,15 +3575,7 @@ get_config() {
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
setup_logread
#
# See if we have a real version of "tail" -- use separate redirection so
# that ash (aka /bin/sh on LRP) doesn't crap
@ -3636,29 +3683,11 @@ get_config() {
g_loopback=$(find_loopback_interfaces)
lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib
}
#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
if [ ! -f $g_firewall ]; then
echo " ERROR: $g_product is not properly installed" >&2
if [ -L $g_firewall ]; then
echo " $g_firewall is a symbolic link to a" >&2
echo " non-existant file" >&2
else
echo " The file $g_firewall does not exist" >&2
fi
exit 2
fi
}
################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
#
# Start Command Executor
#
@ -3885,6 +3914,13 @@ usage() # $1 = exit status
ecko " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..."
ecko " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
if [ -z "$g_lite" ]; then
echo " remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
fi
echo " reset [ <chain> ... ]"
if [ -n "$g_lite" ]; then

4
Shorewall-core/lib.common
View File

@ -33,7 +33,7 @@ startup_error() # $* = Error Message
echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
timestamp="$(date +'%b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
@ -50,7 +50,7 @@ startup_error() # $* = Error Message
esac
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
timestamp="$(date +'%b %d %T') "
case $COMMAND in
start)

18
Shorewall-lite/install.sh
View File

@ -151,6 +151,8 @@ while [ $finished -eq 0 ] ; do
esac
done
[ -n $(mywhich install) ] || fatal_error "This installer requires the 'install' utility"
#
# Read the RC file
#
@ -187,7 +189,7 @@ elif [ -z "${VARDIR}" ]; then
VARDIR=${VARLIB}/${PRODUCT}
fi
for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
require $var
done
@ -316,7 +318,7 @@ if [ -n "$DESTDIR" ]; then
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
else
if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@ -422,8 +424,8 @@ fi
# Install the Makefile
#
run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
#
@ -438,7 +440,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
for f in lib.* ; do
if [ -f $f ]; then
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
fi
done
@ -451,7 +453,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
#
install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap
echo
echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@ -538,8 +540,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
fi
if [ ${SHAREDIR} != /usr/share ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
fi
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then

7
Shorewall-lite/uninstall.sh
View File

@ -168,7 +168,11 @@ if [ $configure -eq 1 ]; then
fi
if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
if [ $HOST = "linux" ] && [ -f /etc/openwrt_release -o -f /etc/openwrt_version ]; then
FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
else
FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
fi
elif [ -n "$INITFILE" ]; then
FIREWALL=${INITDIR}/${INITFILE}
fi
@ -199,6 +203,7 @@ rm -rf ${VARDIR}/shorewall-lite
rm -rf ${SHAREDIR}/shorewall-lite
rm -rf ${LIBEXECDIR}/shorewall-lite
rm -f ${CONFDIR}/logrotate.d/shorewall-lite
rm -f ${SYSCONFDIR}/shorewall-lite
rm -f ${MANDIR}/man5/shorewall-lite*
rm -f ${MANDIR}/man8/shorewall-lite*

49
Shorewall/Perl/Shorewall/Config.pm
View File

@ -5147,6 +5147,7 @@ sub unsupported_yes_no_warning( $ ) {
#
sub get_params( $ ) {
my $export = $_[0];
my $cygwin = ( $shorewallrc{HOST} eq 'cygwin' );
my $fn = find_file 'params';
@ -5188,14 +5189,16 @@ sub get_params( $ ) {
$shell = BASH;
for ( @params ) {
if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
chomp;
if ( $cygwin && /^declare -x (.*?)="(.*)"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^declare -x (.*?)="(.*)$/ ) {
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
$params{$1} = '';
} else {
chomp;
if ($variable) {
s/"$//;
$params{$variable} .= $_;
@ -5216,14 +5219,16 @@ sub get_params( $ ) {
$shell = OLDBASH;
for ( @params ) {
if ( /^export (.*?)="(.*[^\\])"$/ ) {
chomp;
if ( $cygwin && /^export (.*?)="(.*)"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)="(.*)$/ ) {
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
$params{$1} = '';
} else {
chomp;
if ($variable) {
s/"$//;
$params{$variable} .= $_;
@ -5243,6 +5248,7 @@ sub get_params( $ ) {
$shell = ASH;
for ( @params ) {
chomp;
if ( /^export (.*?)='(.*'"'"')$/ ) {
$params{$variable=$1}="${2}\n";
} elsif ( /^export (.*?)='(.*)'$/ ) {
@ -5250,7 +5256,6 @@ sub get_params( $ ) {
} elsif ( /^export (.*?)='(.*)$/ ) {
$params{$variable=$1}="${2}\n";
} else {
chomp;
if ($variable) {
s/'$//;
$params{$variable} .= $_;
@ -5262,9 +5267,23 @@ sub get_params( $ ) {
}
for ( keys %params ) {
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
fatal_error "The variable name $_ is reserved and may not be set in the params file"
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
if ( /[^\w]/ ) {
#
# Useless variable with special characters in its name
#
delete $params{$_};
} elsif ( /^(?:SHLVL|OLDPWD)$/ ) {
#
# The shell running getparams generates those
#
delete $params{$_};
} else {
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
fatal_error "The variable name $_ is reserved and may not be set in the params file"
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
}
$params{$_} = '' unless defined $params{$_};
}
}
@ -5314,6 +5333,8 @@ sub export_params() {
next if exists $compiler_params{$param};
my $value = $params{$param};
chomp $value;
#
# Values in %params are generated from the output of 'export -p'.
# The different shells have different conventions for delimiting
@ -5324,19 +5345,27 @@ sub export_params() {
$value =~ s/\\"/"/g;
} elsif ( $shell == OLDBASH ) {
$value =~ s/\\'/'/g;
$value =~ s/\\"/"/g;
$value =~ s/\\\\/\\/g;
} else {
$value =~ s/'"'"'/'/g;
}
#
# Don't export pairs from %ENV
#
next if defined $ENV{$param} && $value eq $ENV{$param};
if ( defined $ENV{$param} ) {
next if $value eq $ENV{$param};
} elsif ( exists $ENV{$param} ) {
next unless supplied $value;
}
emit "#\n# From the params file\n#" unless $count++;
#
# We will use double quotes and escape embedded quotes with \.
#
if ( $value =~ /[\s()['"]/ ) {
if ( $value =~ /^"[^"]*"$/ ) {
emit "$param=$value";
} elsif ( $value =~ /[\s()['"]/ ) {
$value =~ s/"/\\"/g;
emit "$param='$value'";
} else {

8
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -661,6 +661,10 @@ sub process_a_provider( $ ) {
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
}
if ( $persistent ) {
warning_message( "Provider $table is not optional -- the 'persistent' option is ignored" ), $persistent = 0 unless $optional;
}
$providers{$table} = { provider => $table,
number => $number ,
id => $config{USE_RT_NAMES} ? $table : $number,
@ -702,7 +706,7 @@ sub process_a_provider( $ ) {
if ( $track ) {
if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared;
} else {
$routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED;
push @routemarked_interfaces, $interface;
@ -1346,7 +1350,7 @@ sub add_a_route( ) {
my $persistent;
if ( $options != '-' ) {
if ( $options ne '-' ) {
for ( split_list1( 'option', $options ) ) {
my ( $option, $value ) = split /=/, $options;

24
Shorewall/install.sh
View File

@ -389,7 +389,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
fi
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/${PRODUCT}
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
#
@ -468,16 +468,16 @@ if [ -z "$first_install" ]; then
#
# Delete obsolete config files and manpages
#
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tos
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/tcrules
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/stoppedrules
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/notrack
delete_file ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/blacklist
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
delete_file ${DESTDIR}/${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tos
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/tcrules
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/stoppedrules
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/notrack
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/blacklist
delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tos
delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-tcrules
delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
fi
#
@ -1082,7 +1082,7 @@ if [ $PRODUCT = shorewall6 ]; then
# Symbolically link 'functions' to lib.base
#
ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
fi
if [ -d Perl ]; then

86
Shorewall/lib.cli-std
View File

@ -31,6 +31,7 @@
#
get_config() {
local prog
local lib
ensure_config_path
@ -70,15 +71,7 @@ get_config() {
# This block is avoided for compile for export and when the user isn't root
#
if [ "$3" = Yes ]; then
if [ -n "$LOGFILE" ]; then
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
fatal_error "LOGFILE ($LOGFILE) does not exist!"
fi
fi
setup_logread
fi
if [ $g_family -eq 4 ]; then
@ -322,6 +315,10 @@ get_config() {
fi
g_loopback=$(find_loopback_interfaces)
lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib
}
#
@ -1394,6 +1391,7 @@ remote_reload_command() # $* = original arguments less the command.
local sharedir
sharedir=${SHAREDIR}
local litedir
local exitstatus
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -1510,32 +1508,60 @@ remote_reload_command() # $* = original arguments less the command.
g_file="$g_shorewalldir/firewall"
if compiler $g_debugging compiler "$g_file" && \
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
then
save=$(find_file save);
exitstatus=0
[ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/
if compiler $g_debugging compiler "$g_file"; then
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..."
if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then
save=$(find_file save);
progress_message3 "Copy complete"
if [ -f $save ]; then
progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
rcp_command $save ${confdir}/shorewall-lite/
exitstatus=$?
fi
if [ $COMMAND = remote-reload ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \
progress_message3 "System $system reloaded" || saveit=
elif [ $COMMAND = remote-restart ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
progress_message3 "System $system restarted" || saveit=
if [ $exitstatus -eq 0 ]; then
progress_message3 "Copy complete"
if [ $COMMAND = remote-reload ]; then
if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
progress_message3 "System $system reloaded"
else
exitstatus=$?
savit=
fi
elif [ $COMMAND = remote-restart ]; then
if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
progress_message3 "System $system restarted"
else
exitstatus=$?
saveit=
fi
elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
progress_message3 "System $system started"
else
exitstatus=$?
saveit=
fi
if [ -n "$saveit" ]; then
if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
progress_message3 "Configuration on system $system saved"
else
exitstatus=$?
fi
fi
fi
else
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
progress_message3 "System $system started" || saveit=
fi
if [ -n "$saveit" ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
progress_message3 "Configuration on system $system saved"
exitstatus=$?
fi
else
exitstatus=$?
fi
return $exitstatus
}
#
@ -1645,7 +1671,7 @@ compiler_command() {
shift
update_command $@
;;
remote-start|remote-reload-reload|remote-restart)
remote-start|remote-reload|remote-restart)
shift
remote_reload_command $@
;;

14
Shorewall/manpages/shorewall.xml
View File

@ -424,7 +424,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_start</option></arg>
<arg choice="plain"><option>remote-start</option></arg>
<arg><option>-s</option></arg>
@ -448,7 +448,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg choice="plain"><option>remote-reload</option></arg>
<arg><option>-s</option></arg>
@ -472,7 +472,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg choice="plain"><option>remote-restart</option></arg>
<arg><option>-s</option></arg>
@ -1522,7 +1522,7 @@
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<command>remote-restart</command> (see below).</para>
<para>Reload is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already
@ -1575,7 +1575,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start</emphasis>
<term><emphasis role="bold">remote-start</emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
@ -1637,7 +1637,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
<term><emphasis role="bold">remote-reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
@ -1699,7 +1699,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_restart
<term><emphasis role="bold">remote-restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [

1
Shorewall6-lite/uninstall.sh
View File

@ -196,6 +196,7 @@ rm -rf ${VARDIR}/shorewall6-lite
rm -rf ${SHAREDIR}/shorewall6-lite
rm -rf ${LIBEXECDIR}/shorewall6-lite
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
rm -f ${SYSCONFDIR}/shorewall6-lite
[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
rm -f ${MANDIR}/man5/shorewall6-lite*

14
Shorewall6/manpages/shorewall6.xml
View File

@ -378,7 +378,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_start</option></arg>
<arg choice="plain"><option>remote-start</option></arg>
<arg><option>-s</option></arg>
@ -402,7 +402,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg choice="plain"><option>remote-reload</option></arg>
<arg><option>-s</option></arg>
@ -426,7 +426,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg choice="plain"><option>remote-restart</option></arg>
<arg><option>-s</option></arg>
@ -1457,7 +1457,7 @@
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<command>remote-restart</command> (see below).</para>
<para>Reload is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started.
@ -1511,7 +1511,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
<term><emphasis role="bold">remote-reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
@ -1573,7 +1573,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_ restart
<term><emphasis role="bold">remote- restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
@ -1636,7 +1636,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start </emphasis>
<term><emphasis role="bold">remote-start </emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]

4
docs/Shorewall-5.xml
View File

@ -323,7 +323,7 @@
<title>load</title>
<para>The function performed by the Shorewall-4 <command>load</command>
command is now performed by the <command>remote_start</command>
command is now performed by the <command>remote-start</command>
command.</para>
</section>
@ -334,7 +334,7 @@
the same function as the <command>restart</command> command did in
Shorewall 4. The action taken by the Shorewall-4
<command>reload</command> command is now performed by the
<command>remote_restart</command> command.</para>
<command>remote-restart</command> command.</para>
<para>For those that can't get used to the idea of using
<command>reload</command> in place of <command>restart</command>, a

35
docs/shorewall_extension_scripts.xml
View File

@ -175,7 +175,7 @@ esac</programlisting><caution>
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink
url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8)
then the isuasable script must blow it's own holes in the firewall
then the isuasable script must blow it's own holes in the firewall
before probing.</para>
</caution></para>
</listitem>
@ -227,6 +227,13 @@ cat -</programlisting>
/sbin/shorewall</emphasis> after a script has been compiled. $1 is the
path name of the compiled script.</para>
</listitem>
<listitem>
<para><filename>lib.cli-user</filename> -- Added in Shorewall 5.0.2.
This is actually a shell library (set of function declarations) that
can be used to augment or replace functions in the standard CLI
libraries.</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the
@ -264,7 +271,7 @@ cat -</programlisting>
<row>
<entry>continue</entry>
<entry></entry>
<entry/>
</row>
<row>
@ -459,10 +466,10 @@ cat -</programlisting>
<para>VARDIR - The product state directory. Defaults <filename
class="directory">/var/lib/shorewall</filename>, <filename
class="directory">/var/lib/shorewall6/</filename>, <filename
class="directory">/var/lib/shorewall-lite</filename>, or
<filename class="directory">/var/lib/shorewall6-lite</filename>
depending on which product is running, but may be overridden by an
entry in ${CONFDIR}/vardir.</para>
class="directory">/var/lib/shorewall-lite</filename>, or <filename
class="directory">/var/lib/shorewall6-lite</filename> depending on
which product is running, but may be overridden by an entry in
${CONFDIR}/vardir.</para>
</listitem>
</itemizedlist>
</listitem>
@ -474,7 +481,7 @@ cat -</programlisting>
</listitem>
</itemizedlist>
<para></para>
<para/>
<section id="Perl">
<title>Compile-time vs Run-time Scripts</title>
@ -524,43 +531,43 @@ cat -</programlisting>
</row>
<row>
<entry></entry>
<entry/>
<entry>stop</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>stopped</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>tcclear</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>refresh</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>refreshed</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>restored</entry>
</row>
<row>
<entry></entry>
<entry/>
<entry>scfilter</entry>
</row>

19
docs/upgrade_issues.xml
View File

@ -37,7 +37,7 @@
<holder>Thomas M. Eastep</holder>
<holder></holder>
<holder/>
</copyright>
<legalnotice>
@ -78,6 +78,13 @@
zones.</para>
</section>
<section>
<title>Version &gt;= 5.0.0</title>
<para>See the <ulink url="Shorewall-5.html">Shorewall 5
documentation</ulink>.</para>
</section>
<section>
<title>Version &gt;= 4.6.0</title>
@ -85,7 +92,7 @@
<listitem>
<para>Beginning with Shorewall 4.6.0, ection headers are now preceded
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
'SECTION' entries, the following warning is issued: </para>
'SECTION' entries, the following warning is issued:</para>
<programlisting>WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...</programlisting>
@ -111,7 +118,7 @@
</listitem>
<listitem>
<para> Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
<para>Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action or
macro found.</para>
@ -119,8 +126,8 @@
<programlisting>WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.</programlisting>
<para> To eliminate these warnings, add the following line before the
first rule in the action or macro: </para>
<para>To eliminate these warnings, add the following line before the
first rule in the action or macro:</para>
<programlisting>?FORMAT 2</programlisting>
@ -325,7 +332,7 @@
<para>?ENDIF.</para>
</blockquote>
<para></para>
<para/>
</listitem>
<listitem>