From 860ce45924e4c51afb8bb75c50a28b65a3774fab Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 3 Dec 2011 11:22:22 -0800 Subject: [PATCH] Delete redundant files Signed-off-by: Tom Eastep --- Shorewall6-lite/shorewall6-lite | 868 ------------- Shorewall6/lib.base | 314 ----- Shorewall6/lib.cli | 1910 ---------------------------- Shorewall6/shorewall6 | 2080 ------------------------------- 4 files changed, 5172 deletions(-) delete mode 100755 Shorewall6-lite/shorewall6-lite delete mode 100644 Shorewall6/lib.base delete mode 100644 Shorewall6/lib.cli delete mode 100755 Shorewall6/shorewall6 diff --git a/Shorewall6-lite/shorewall6-lite b/Shorewall6-lite/shorewall6-lite deleted file mode 100755 index 6c82412b5..000000000 --- a/Shorewall6-lite/shorewall6-lite +++ /dev/null 
@@ -1,868 +0,0 @@ -#!/bin/sh -# -# Shorewall6 Lite Packet Filtering Firewall Control Program - V4.4 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall-lite. -# -# Shorewall documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# Commands are: -# -# shorewall6-lite dump Dumps all Shorewall-related information -# for problem analysis -# shorewall6-lite start Starts the firewall -# shorewall6-lite restart Restarts the firewall -# shorewall6-lite stop Stops the firewall -# shorewall6-lite status Displays firewall status -# shorewall6-lite reset Resets ip6tables packet and -# byte counts -# shorewall6-lite clear Open the floodgates by -# removing all ip6tables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall6-lite show [ ... 
] Display the rules in each listed -# shorewall6-lite show log Print the last 20 log messages -# shorewall6-lite show connections Show the kernel's connection -# tracking table -# shorewall6-lite show nat Display the rules in the nat table -# shorewall6-lite show {mangle|tos} Display the rules in the mangle table -# shorewall6-lite show tc Display traffic control info -# shorewall6-lite show classifiers Display classifiers -# shorewall6-lite show capabilities Display ip6tables/kernel capabilities -# shorewall6-lite show vardir Display VARDIR setting -# shorewall6-lite version Display the installed version id -# shorewall6-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall6-lite drop
... Temporarily drop all packets from the -# listed address(es) -# shorewall6-lite reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall6-lite allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall6-lite save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall6-lite starts. -# Save the current state so that 'shorewall6-lite -# restore' can be used. -# -# shorewall6-lite forget [ ] Discard the data saved by 'shorewall6-lite save' -# -# shorewall6-lite restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall6-lite ipaddr {
/ |
} -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall6-lite iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# shorewall6-lite ipdecimal {
| } -# -# Displays the decimal equivalent of an IP -# address and vice versa. - -# -# Set the configuration variables from shorewall6-lite.conf -# -get_config() { - - [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi - - [ -n "$FW" ] || FW=fw - - if [ -n "$IP6TABLES" ]; then - if [ ! -x "$IP6TABLES" ]; then - echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IP6TABLES=$(mywhich ip6tables 2> /dev/null) - if [ -z "$IP6TABLES" ] ; then - echo " ERROR: Can't find ip6tables executable" >&2 - exit 2 - fi - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! -x "$SHOREWALL_SHELL" ]; then - echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 - SHOREWALL_SHELL=/bin/sh - fi - fi - - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - [ -n "${VERBOSITY:=2}" ] - - [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) - - if [ $VERBOSITY -lt -1 ]; then - VERBOSITY=-1 - elif [ $VERBOSITY -gt 2 ]; then - VERBOSITY=2 - fi - - g_hostname=$(hostname 2> /dev/null) - - IP=$(mywhich ip 2> /dev/null) - if [ -z "$IP" ] ; then - echo " ERROR: Can't find ip executable" >&2 - exit 2 - fi - - IPSET=ipset - TC=tc -} - -# -# Verify that we have a compiled firewall script -# -verify_firewall_script() { - if [ ! 
-f $g_firewall ]; then - echo " ERROR: Shorewall6 Lite is not properly installed" >&2 - if [ -L $g_firewall ]; then - echo " $g_firewall is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $g_firewall does not exist" >&2 - fi - - exit 2 - fi -} - -# -# Fatal error -# -startup_error() { - echo " ERROR: $@" >&2 - kill $$ - exit 1 -} - -# -# Start Command Executor -# -start_command() { - local finished - finished=0 - - do_it() { - local rc - rc=0 - [ -n "$nolock" ] || mutex_on - - if [ -x ${LITEDIR}/firewall ]; then - run_it ${LITEDIR}/firewall $debugging start - rc=$? - else - error_message "${LITEDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:Shorewall6 Lite start failed" - rc=2 - fi - - [ -n "$nolock" ] || mutex_off - exit $rc - } - - verify_firewall_script - - if shorewall6_is_started; then - error_message "Shorewall6 is already running" - exit 0 - fi - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - f*) - g_fast=Yes - option=${option#f} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - *) - usage 1 ;; - esac - - if [ -n "$g_fast" ]; then - if qt mywhich make; then - export RESTOREFILE - make -qf ${CONFDIR}/Makefile || g_fast= - fi - - if [ -n "$g_fast" ]; then - - g_restorepath=${VARDIR}/$RESTOREFILE - - if [ -x $g_restorepath ]; then - echo Restoring Shorewall6 Lite... 
- run_it $g_restorepath restore - date > ${VARDIR}/restarted - progress_message3 Shorewall6 Lite restored from $g_restorepath - else - do_it - fi - else - do_it - fi - else - do_it - fi -} - -# -# Restart Command Executor -# -restart_command() { - local finished - finished=0 - local rc - rc=0 - - verify_firewall_script - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - *) - usage 1 - ;; - esac - - [ -n "$nolock" ] || mutex_on - - if [ -x ${LITEDIR}/firewall ]; then - run_it ${LITEDIR}/firewall $debugging restart - rc=$? - else - error_message "${LITEDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:Shorewall6 Lite restart failed" - rc=2 - fi - - [ -n "$nolock" ] || mutex_off - return $rc -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " - echo "where is one of:" - echo " allow
..." - echo " clear" - echo " disable " - echo " drop
..." - echo " dump [ -x ]" - echo " enable " - echo " forget [ ]" - echo " help" - echo " load [ -s ] [ -c ] [ -r ] [ ] " - echo " logdrop
..." - echo " logreject
..." - echo " logwatch []" - echo " refresh [ ... ]" - echo " reject
..." - echo " reset [ ... ]" - echo " restart [ -n ] [ -f ]" - echo " restore [ -n ] [ ]" - echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]capabilities|classifiers|config|connections|filters|ip|log []|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]" - echo " start [ -f ] [ ]" - echo " stop" - echo " status" - echo " version [ -a ]" - echo - exit $1 -} - -version_command() { - local finished - finished=0 - local all - all= - local product - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - a*) - all=Yes - option=${option#a} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $# -gt 0 ] && usage 1 - - echo $SHOREWALL_VERSION - - if [ -n "$all" ]; then - for product in shorewall shorewall6 shorewall-lite shorewall-init; do - if [ -f /usr/share/$product/version ]; then - echo "$product: $(cat /usr/share/$product/version)" - fi - done - fi -} - -# -# Execution begins here -# -debugging= - -if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then - debugging=$1 - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -g_ipt_options="-nv" -g_fast= -g_verbose_offset=0 -g_use_verbosity= -g_noroutes= -g_timestamp= -g_recovering= -g_purge= -g_logread= - -# -# Make sure that these variables are cleared -# -VERBOSE= -VERBOSITY= - -finished=0 - -while [ $finished -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -) - finished=1 - ;; - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - x*) - g_ipt_options="-xnv" - option=${option#x} - ;; - q*) - g_verbose_offset=$(($g_verbose_offset - 1 )) - option=${option#q} - ;; - f*) - g_fast=Yes - option=${option#f} - ;; - v*) - option=${option#v} - case $option in - -1*) - 
g_use_verbosity=-1 - option=${option#-1} - ;; - 0*) - g_use_verbosity=0 - option=${option#0} - ;; - 1*) - g_use_verbosity=1 - option=${option#1} - ;; - 2*) - g_use_verbosity=2 - option=${option#2} - ;; - *) - g_verbose_offset=$(($g_verbose_offset + 1 )) - g_use_verbosity= - ;; - esac - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - t*) - g_timestamp=Yes - option=${option#t} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac -done - -if [ $# -eq 0 ]; then - usage 1 -fi - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHAREDIR=/usr/share/shorewall6-lite -CONFDIR=/etc/shorewall6-lite -g_product="Shorewall6 Lite" -g_libexec=share - -[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] - -[ -n "${VARDIR:=/var/lib/shorewall6-lite}" ] - -[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR" - -version_file=$SHAREDIR/version - -for library in base cli; do - . ${SHAREDIR}/lib.$library -done - -ensure_config_path - -config=$(find_file shorewall6-lite.conf) - -if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi -else - echo "$config does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -LITEDIR=${VARDIR} - -[ -f ${LITEDIR}/firewall.conf ] && . 
${LITEDIR}/firewall.conf - -get_config - -g_firewall=$LITEDIR/firewall - -if [ -f $version_file ]; then - SHOREWALL_VERSION=$(cat $version_file) -else - echo " ERROR: Shorewall6 Lite is not properly installed" >&2 - echo " The file $SHOREWALL_VERSION_FILE does not exist" >&2 - exit 1 -fi - -banner="Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname -" - -case $(echo -e) in - -e*) - RING_BELL="echo \a" - ECHO_E="echo" - ;; - *) - RING_BELL="echo -e \a" - ECHO_E="echo -e" - ;; -esac - -case $(echo -n "Testing") in - -n*) - ECHO_N= - ;; - *) - ECHO_N=-n - ;; -esac - -COMMAND=$1 - -case "$COMMAND" in - start) - shift - start_command $@ - ;; - stop|reset|clear) - [ $# -ne 1 ] && usage 1 - verify_firewall_script - [ -n "$nolock" ] || mutex_on - run_it $g_firewall $debugging $COMMAND - [ -n "$nolock" ] || mutex_off - ;; - restart) - shift - restart_command $@ - ;; - show|list) - shift - show_command $@ - ;; - status) - [ $# -eq 1 ] || usage 1 - [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" - echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)" - echo - if shorewall6_is_started ; then - echo "Shorewall6 Lite is running" - status=0 - else - echo "Shorewall6 Lite is stopped" - status=4 - fi - - if [ -f ${VARDIR}/state ]; then - state="$(cat ${VARDIR}/state)" - case $state in - Stopped*|Closed*|Clear*) - status=3 - ;; - esac - else - state=Unknown - fi - echo "State:$state" - echo - exit $status - ;; - dump) - shift - dump_command $@ - ;; - hits) - [ -n "$debugging" ] && set -x - shift - hits_command $@ - ;; - version) - shift - version_command $@ - ;; - logwatch) - logwatch_command $@ - ;; - drop) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - [ -n "$nolock" ] || mutex_on - block DROP Dropped $* - [ -n "$nolock" ] || mutex_off - else - error_message "ERROR: Shorewall6 Lite is not started" - exit 2 - fi - ;; - logdrop) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && 
usage 1 - if shorewall6_is_started ; then - [ -n "$nolock" ] || mutex_on - block logdrop Dropped $* - [ -n "$nolock" ] || mutex_off - else - error_message "ERROR: Shorewall6 Lite is not started" - exit 2 - fi - ;; - reject|logreject) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - [ -n "$nolock" ] || mutex_on - block $COMMAND Rejected $* - [ -n "$nolock" ] || mutex_off - else - error_message "ERROR: Shorewall6 Lite is not started" - exit 2 - fi - ;; - allow) - allow_command $@ - ;; - disable|enable) - get_config Yes - if shorewall6_is_started; then - run_it ${VARDIR}/firewall $g_debugging $@ - else - fatal_error "Shorewall is not running" - fi - ;; - save) - [ -n "$debugging" ] && set -x - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - g_restorepath=${VARDIR}/$RESTOREFILE - - [ "$nolock" ] || mutex_on - - save_config - - [ "$nolock" ] || mutex_off - ;; - forget) - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - - g_restorepath=${VARDIR}/$RESTOREFILE - - if [ -x $g_restorepath ]; then - - if [ -x ${g_restorepath}-ipsets ]; then - rm -f ${g_restorepath}-ipsets - echo " ${g_restorepath}-ipsets removed" - fi - - rm -f $g_restorepath - rm -f ${g_restorepath}-iptables - echo " $g_restorepath removed" - elif [ -f $g_restorepath ]; then - echo " $g_restorepath exists and is not a saved Shorewall6 configuration" - fi - rm -f ${VARDIR}/save - ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - valid_address $address || fatal_error "Invalid IP address: $address" - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo 
" NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - temp=$(broadcastaddress $address); echo " BROADCAST=$temp" - ;; - iprange) - [ -n "$debugging" ] && set -x - case $2 in - *.*.*.*-*.*.*.*) - for address in ${2%-*} ${2#*-}; do - valid_address $address || fatal_error "Invalid IP address: $address" - done - - ip_range $2 - ;; - *) - usage 1 - ;; - esac - ;; - ipdecimal) - [ -n "$debugging" ] && set -x - [ $# -eq 2 ] || usage 1 - case $2 in - *.*.*.*) - valid_address $2 || fatal_error "Invalid IP address: $2" - echo " $(decodeaddr $2)" - ;; - *) - echo " $(encodeaddr $2)" - ;; - esac - ;; - restore) - shift - STARTUP_ENABLED=Yes - restore_command $@ - ;; - call) - [ -n "$debugging" ] && set -x - # - # Undocumented way to call functions in ${SHAREDIR}/functions directly - # - shift - $@ - ;; - help) - shift - usage - ;; - *) - usage 1 - ;; - -esac diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base deleted file mode 100644 index a020f98a3..000000000 --- a/Shorewall6/lib.base +++ /dev/null 
@@ -1,314 +0,0 @@ -# -# Shorewall6 4.2-- /usr/share/shorewall/lib.base -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the code common to all Shorewall components. -# -# - It is loaded by /sbin/shorewall. -# - It is loaded by /usr/share/shorewall/firewall. -# - It is loaded by /usr/share/shorewall-shell/compiler. -# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite -# and /usr/share/shorewall-lite/shorecap. -# - It is released as part of Shorewall Perl where it is copied into the compiled script -# by the compiler. 
-# - -SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40426 - -[ -n "${VARDIR:=/var/lib/shorewall6}" ] -[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] -[ -n "${CONFDIR:=/etc/shorewall6}" ] - -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 1 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi -} - -progress_message2() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -gt 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi -} - -progress_message3() # $* = Message -{ - local timestamp - timestamp= - - if [ $VERBOSITY -ge 0 ]; then - [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " - echo "${timestamp}$@" - fi -} - -# -# Undo the effect of 'separate_list()' -# -combine_list() -{ - local f - local o - o= - - for f in $* ; do - o="${o:+$o,}$f" - done - - echo $o -} - -# -# Call this function to assert mutual exclusion with Shorewall. If you invoke the -# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" -# -# This function uses the lockfile utility from procmail if it exists. -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the -# behavior of lockfile. -# -mutex_on() -{ - local try - try=0 - local lockf - lockf=${LOCKFILE:=${VARDIR}/lock} - local lockpid - - MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} - - if [ $MUTEX_TIMEOUT -gt 0 ]; then - - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - - if [ -f $lockf ]; then - lockpid=`cat ${lockf} 2> /dev/null` - if [ -z "$lockpid" -o $lockpid = 0 ]; then - rm -f ${lockf} - error_message "WARNING: Stale lockfile ${lockf} removed" - elif ! 
qt ps p ${lockpid}; then - rm -f ${lockf} - error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed" - fi - fi - - if qt mywhich lockfile; then - lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} - chmod u+w ${lockf} - echo $$ > ${lockf} - chmod u-w ${lockf} - else - while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do - sleep 1 - try=$((${try} + 1)) - done - - if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then - # Create the lockfile - echo $$ > ${lockf} - else - echo "Giving up on lock file ${lockf}" >&2 - fi - fi - fi -} - -# -# Call this function to release mutual exclusion -# -mutex_off() -{ - rm -f ${LOCKFILE:=${VARDIR}/lock} -} - -# -# Find the interface with the passed MAC address -# - -find_interface_by_mac() { - local mac - mac=$1 - local first - local second - local rest - local dev - - ip link list | while read first second rest; do - case $first in - *:) - dev=$second - ;; - *) - if [ "$second" = $mac ]; then - echo ${dev%:} - return - fi - esac - done -} - -# -# Set default config path -# -ensure_config_path() { - local F - F=${SHAREDIR}/configpath - if [ -z "$CONFIG_PATH" ]; then - [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } - . $F - fi - - if [ -n "$SHOREWALL_DIR" ]; then - [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH - fi -} - -# -# Get fully-qualified name of file -# -resolve_file() # $1 = file name -{ - local pwd - pwd=$PWD - - case $1 in - /*) - echo $1 - ;; - .) - echo $pwd - ;; - ./*) - echo ${pwd}${1#.} - ;; - ..) - cd .. - echo $PWD - cd $pwd - ;; - ../*) - cd .. 
- resolve_file ${1#../} - cd $pwd - ;; - *) - echo $pwd/$1 - ;; - esac -} - -# -# Determine how to do "echo -e" -# - -find_echo() { - local result - - result=$(echo "a\tb") - [ ${#result} -eq 3 ] && { echo echo; return; } - - result=$(echo -e "a\tb") - [ ${#result} -eq 3 ] && { echo "echo -e"; return; } - - result=$(which echo) - [ -n "$result" ] && { echo "$result -e"; return; } - - echo echo -} - -# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: -# -# None - No mktemp -# BSD - BSD mktemp (Mandrake) -# STD - mktemp.org mktemp -# -find_mktemp() { - local mktemp - mktemp=`mywhich mktemp 2> /dev/null` - - if [ -n "$mktemp" ]; then - if qt mktemp -V ; then - MKTEMP=STD - else - MKTEMP=BSD - fi - else - MKTEMP=None - fi -} - -# -# create a temporary file. If a directory name is passed, the file will be created in -# that directory. Otherwise, it will be created in a temporary directory. -# -mktempfile() { - - [ -z "$MKTEMP" ] && find_mktemp - - if [ $# -gt 0 ]; then - case "$MKTEMP" in - BSD) - mktemp $1/shorewall.XXXXXX - ;; - STD) - mktemp -p $1 shorewall.XXXXXX - ;; - None) - > $1/shorewall-$$ && echo $1/shorewall-$$ - ;; - *) - error_message "ERROR:Internal error in mktempfile" - ;; - esac - else - case "$MKTEMP" in - BSD) - mktemp /tmp/shorewall.XXXXXX - ;; - STD) - mktemp -t shorewall.XXXXXX - ;; - None) - rm -f /tmp/shorewall-$$ - > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - error_message "ERROR:Internal error in mktempfile" - ;; - esac - fi -} - -. ${SHAREDIR}/lib.common diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli deleted file mode 100644 index b64a53d5b..000000000 --- a/Shorewall6/lib.cli +++ /dev/null 
@@ -1,1910 +0,0 @@ -# -# Shorewall6 4.2 -- /usr/share/shorewall6/lib.cli. -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the command processing code common to /sbin/shorewall6 and -# /sbin/shorewall6-lite. 
-# - -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 2 -} - -# -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE" - exit 2 - ;; - .safe|.try) - ;; - .*|NONE) - error_message "ERROR: Reserved File Name: $RESTOREFILE" - exit 2 - ;; - esac -} - -# -# Clear descriptor 1 if it is a terminal -# -clear_term() { - [ -t 1 ] && clear -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? 
-eq 2 && sleep $timeout -} - -# -# Determine if 'syslog -C' is running -# -syslog_circular_buffer() { - local pid - local tty - local flags - local cputime - local path - local args - local arg - - ps ax 2> /dev/null | while read pid tty flags cputime path args; do - case $path in - syslogd|*/syslogd) - for arg in $args; do - if [ x$arg = x-C ]; then - echo Yes - return - fi - done - ;; - esac - done -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ - else - $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ - fi -} - -search_log() # $1 = IP address to search for -{ - if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ - else - $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ - fi -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device - device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s -d qdisc show dev $device - echo - tc -s -d class show dev $device - echo - fi - } - - if [ $# -gt 0 ]; then - show_one_tc $1 - else - ip -o link list | while read inx interface details; do - show_one_tc ${interface%:} - done - fi - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device - device=${1%@*} - qdisc=$(tc qdisc 
list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip -o link list | while read inx interface details; do - show_one_classifier ${interface%:} - done - -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - fi - - host=$(echo $g_hostname | sed 's/\..*$//') - oldrejects=$($IP6TABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt mywhich awk && haveawk=Yes || haveawk= - - while true; do - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log ($LOGFILE)" - echo - - show_reset - - rejects=$($IP6TABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $g_ring_bell - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $g_echo_n 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Save currently running configuration -# -do_save() { - local status - status=0 - - if [ -f ${VARDIR}/firewall ]; then - if $iptables_save > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/firewall $g_restorepath - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables - chmod +x $g_restorepath - echo " Currently-running Configuration Saved to $g_restorepath" - run_user_exit save - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - status=1 - fi - else - echo " ERROR: ${VARDIR}/firewall does not exist" >&2 - status=1 - fi - - case ${SAVE_IPSETS:=No} in - [Yy]es) - case ${IPSET:=ipset} in - 
*/*) - if [ ! -x "$IPSET" ]; then - error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved" - IPSET= - fi - ;; - *) - IPSET="$(mywhich $IPSET)" - [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved" - ;; - esac - - if [ -n "$IPSET" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi - - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets - fi - fi - ;; - [Nn]o) - ;; - *) - error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS" - ;; - esac - - return $status -} - -save_config() { - - local result - result=1 - - iptables_save=${IP6TABLES}-save - - [ -x $iptables_save ] || echo "$iptables_save does not exist or is not executable" >&2 - - if shorewall6_is_started ; then - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - - if [ -f $g_restorepath -a ! 
-x $g_restorepath ]; then - echo " ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2 - else - case $RESTOREFILE in - capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones) - echo " ERROR: Reserved file name: $RESTOREFILE" >&2 - ;; - *) - validate_restorefile RESTOREFILE - - if chain_exists dynamic; then - if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then - echo " Dynamic Rules Saved" - do_save - else - echo "Error Saving the Dynamic Rules" >&2 - fi - else - do_save && rm -f ${VARDIR}/save - fi - ;; - esac - fi - else - echo "Shorewall6 isn't started" >&2 - fi - - return 0 - -} - -# -# Show routing configuration -# -show_routing() { - if [ -n "$(ip -6 rule list)" ]; then - heading "Routing Rules" - ip -6 rule list - ip -6 rule list | while read rule; do - echo ${rule##* } - done | sort -u | while read table; do - heading "Table $table:" - ip -6 route list table $table - done - - if [ -n "$g_routecache" ]; then - heading "Route Cache" - ip -6 route list cache - fi - else - heading "Routing Table" - ip -6 route list - fi - - -} - -# -# 'list dynamic' command executor -# -list_zone() { - - local sets - local setname - - [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located" - - sets=$(ipset -L -n | grep "^6_$1_") - - for setname in $sets; do - echo "${setname#${1}_}:" - ipset -L $setname | awk 'BEGIN {prnt=0;}; \ - /^Members:/ {prnt=1; next; }; \ - /^Bindings:/ {prnt=0; }; \ - { if (prnt == 1) print " ", $1; };' - done -} - -# -# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time, -# then the compiler generated another version of this function and -# embedded it in the firewall.conf file. That version supersedes this -# one. 
-# -show_connections_filter() { - local filter - local command - local first - - command=${SHOREWALL_SHELL} - - filter=$(find_file scfilter) - - if [ -f $filter ]; then - first=$(head -n1 $filter) - - case $first in - \#!*) - command=${first#\#!} - ;; - esac - - $command $filter - else - cat - - fi -} - -# -# Show Command Executor -# -show_command() { - local finished - finished=0 - local table - table=filter - local table_given - table_given= - - show_macro() { - foo=`grep 'This macro' $macro | sed 's/This macro //'` - if [ -n "$foo" ]; then - macro=${macro#*.} - foo=${foo%.*} - if [ ${#macro} -gt 10 ]; then - echo " $macro ${foo#\#}" - else - $g_echo_e " $macro \t${foo#\#}" - fi - fi - } - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - v*) - VERBOSITY=$(($VERBOSITY + 1 )) - option=${option#v} - ;; - x*) - g_ipt_options="-xnv" - option=${option#x} - ;; - m*) - g_showmacs=Yes - option=${option#m} - ;; - f*) - g_filemode=Yes - option=${option#f} - ;; - t) - [ $# -eq 1 ] && usage 1 - - case $2 in - mangle|nat|filter|raw|rawpost) - table=$2 - table_given=Yes - ;; - *) - fatal_error "Invalid table name ($s)" - ;; - esac - - option= - shift - ;; - l*) - g_ipt_options1="--line-numbers" - option=${option#l} - ;; - c*) - g_routecache=Yes - option=${option#c} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - g_ipt_options="$g_ipt_options $g_ipt_options1" - - [ -n "$g_debugging" ] && set -x - case "$1" in - connections) - [ $# -gt 1 ] && usage 1 - if qt mywhich conntrack ; then - echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)" - echo - conntrack -f ipv6 -L | show_connections_filter - else - local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) - echo "$g_product $SHOREWALL_VERSION Connections ($count of 
$max) at $g_hostname - $(date)" - echo - grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter - fi - ;; - tos|mangle) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" - echo - show_reset - $IP6TABLES -t mangle -L $g_ipt_options - ;; - raw) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION raw Table at $g_hostname - $(date)" - echo - show_reset - $IP6TABLES -t raw -L $g_ipt_options - ;; - rawpost) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)" - echo - show_reset - $IP6TABLES -t rawpost -L $g_ipt_options - ;; - log) - [ $# -gt 2 ] && usage 1 - - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - fi - - echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)" - echo - show_reset - host=$(echo $g_hostname | sed 's/\..*$//') - - if [ $# -eq 2 ]; then - search_log $2 - else - packet_log 20 - fi - ;; - tc) - [ $# -gt 2 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)" - echo - shift - - if [ -z "$1" ]; then - $IP6TABLES -t mangle -L -n -v - echo - fi - - show_tc $1 - ;; - classifiers|filters) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 1 ] && usage 1 - if [ -f ${VARDIR}/zones ]; then - echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)" - echo - while read zone type hosts; do - echo "$zone ($type)" - for host in $hosts; do - case $host in - exclude) - echo " exclude:" - ;; - *) - echo " $host" - ;; - esac - done - done < ${VARDIR}/zones - echo - else - echo " ERROR: ${VARDIR}/zones does not exist" >&2 - 
exit 1 - fi - ;; - capabilities) - [ $# -gt 1 ] && usage 1 - determine_capabilities - VERBOSITY=2 - if [ -n "$g_filemode" ]; then - report_capabilities1 - else - report_capabilities - fi - ;; - ip) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" - echo - ip -6 addr list - ;; - routing) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)" - echo - show_routing - ;; - config) - . ${SHAREDIR}/configpath - if [ -n "$g_filemode" ]; then - echo "CONFIG_PATH=$CONFIG_PATH" - echo "VARDIR=$VARDIR" - echo "LIBEXEC=$g_libexec" - [ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR" - else - echo "Default CONFIG_PATH is $CONFIG_PATH" - echo "Default VARDIR is $VARDIR" - echo "LIBEXEC is $g_libexec" - [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" - fi - ;; - chain) - shift - echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IP6TABLES -t $table -L $chain $g_ipt_options - done - else - $IP6TABLES -t $table -L $g_ipt_options - fi - ;; - vardir) - echo $VARDIR; - ;; - policies) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)" - echo - [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies; - ;; - marks) - [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)" - echo - [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; - ;; - *) - if [ "$g_product" = Shorewall6 ]; then - case $1 in - actions) - [ $# -gt 1 ] && usage 1 - echo "A_ACCEPT # Audit and accept the connection" - echo "A_DROP # Audit and drop the connection" - echo "A_REJECT # Audit and reject the connection " - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." 
- echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" - - if [ -f ${CONFDIR}/actions ]; then - cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' - else - grep -Ev '^\#|^$' ${SHAREDIR}/actions.std - fi - - return - ;; - macro) - [ $# -ne 2 ] && usage 1 - for directory in $(split $CONFIG_PATH); do - if [ -f ${directory}/macro.$2 ]; then - echo "Shorewall6 $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)" - cat ${directory}/macro.$2 - return - fi - done - echo " WARNING: Macro $2 not found" >&2 - return - ;; - macros) - [ $# -gt 1 ] && usage 1 - - for directory in $(split $CONFIG_PATH); do - temp= - for macro in ${directory}/macro.*; do - case $macro in - *\*) - ;; - *) - if [ -z "$temp" ]; then - echo - echo "Macros in $directory:" - echo - temp=Yes - fi - show_macro - ;; - esac - done - done - return - ;; - esac - fi - - if [ $# -gt 0 ]; then - if [ $1 = dynamic -a $# -gt 1 ]; then - shift - [ $# -eq 1 ] || usage 1 - list_zone $1 - return; - fi - - [ -n "$table_given" ] || for chain in $*; do - if ! qt $IP6TABLES -t $table -L $chain $g_ipt_options; then - error_message "ERROR: Chain '$chain' is not recognized by $IP6TABLES." 
- exit 1 - fi - done - - echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" - echo - show_reset - for chain in $*; do - $IP6TABLES -t $table -L $chain $g_ipt_options - done - else - echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" - echo - show_reset - $IP6TABLES -t $table -L $g_ipt_options - fi - ;; - esac -} - -# -# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time, -# then the compiler generated another version of this function and -# embedded it in the firewall.conf file. That version supersedes this -# one. -# -dump_filter() { - local filter - local command - local first - - command=${SHOREWALL_SHELL} - - filter=$(find_file dumpfilter) - - if [ -f $filter ]; then - first=$(head -n1 $filter) - - case $first in - \#!*) - command=${first#\#!} - ;; - esac - - $command $filter - else - cat - - fi -} - -# -# Dump Command Executor -# -do_dump_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - x*) - g_ipt_options="-xnv" - option=${option#x} - ;; - m*) - g_showmacs=Yes - option=${option#m} - ;; - l*) - g_ipt_options1="--line-numbers" - option=${option#l} - ;; - c*) - g_routecache=Yes - option=${option#c} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - if [ -z "$LOGFILE" ]; then - LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 - exit 2 - fi - fi - - g_ipt_options="$g_ipt_options $g_ipt_options1" - - [ $VERBOSITY -lt 2 ] && VERBOSITY=2 - - [ -n "$g_debugging" ] && set -x - [ $# -eq 0 ] || usage 1 - clear_term - echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" - echo - - if [ -f /usr/share/shorewall/version ]; then - echo " Shorewall $(cat /usr/share/shorewall/version)" - echo - fi - - show_reset - host=$(echo $g_hostname | sed 's/\..*$//') - $IP6TABLES -L $g_ipt_options - - heading "Log ($LOGFILE)" - packet_log 20 - - if qt $IP6TABLES -t mangle -L -n; then - heading "Mangle Table" - $IP6TABLES -t mangle -L $g_ipt_options - fi - - if qt $IP6TABLES -t raw -L -n; then - heading "Raw Table" - $IP6TABLES -t raw -L $g_ipt_options - fi - - if qt $IP6TABLES -t rawpost -L -n; then - heading "Rawpost Table" - $IP6TABLES -t rawpost -L $g_ipt_options - fi - - local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) - - heading "Conntrack Table ($count out of $max)" - grep '^ipv6' /proc/net/nf_conntrack - - heading "IP Configuration" - ip -6 addr list - - heading "IP Stats" - ip -stat link list - - if qt mywhich brctl; then - heading "Bridges" - brctl show - fi - - if qt mywhich setkey; then - heading "PFKEY SPD" - setkey -DP - heading "PFKEY SAD" - setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys - fi - - heading "/proc" - show_proc /proc/version - - for directory in /proc/sys/net/ipv6/conf/*; do - for file in forwarding proxy_ra proxy_ndp; do - show_proc $directory/$file - done - done - - show_routing - - heading "Neighbors" - ip -6 neigh ls - - if qt mywhich lsmod; then - heading "Modules" - lsmod | grep -E '^(x_|ip6|nf_|xt_)' | sort - fi - - determine_capabilities - echo - report_capabilities - - echo - netstat -6tunap - - if [ -n "$TC_ENABLED" ]; then - heading "Traffic Control" - show_tc - heading "TC Filters" - show_classifiers - fi -} - -dump_command() { - do_dump_command | dump_filter -} 
- -# -# Restore Comand Executor -# -restore_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - RESTOREFILE="$1" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - if [ -z "$STARTUP_ENABLED" ]; then - error_message "ERROR: Startup is disabled" - exit 2 - fi - - g_restorepath=${VARDIR}/$RESTOREFILE - - [ -n "$nolock" ] || mutex_on - - if [ -x $g_restorepath ]; then - if [ -x ${g_restorepath}-ipsets ] ; then - echo Restoring Ipsets... - $IP6TABLES -F - $IP6TABLES -X - $SHOREWALL_SHELL ${g_restorepath}-ipsets - fi - - progress_message3 "Restoring Shorewall6..." - - run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE" - - [ -n "$nolock" ] || mutex_off - else - echo "File $g_restorepath: file not found" - [ -n "$nolock" ] || mutex_off - exit 2 - fi -} - -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f ${VARDIR}/restarted ] && \ - echo "Counters reset $(cat ${VARDIR}/restarted)" && \ - echo -} - -# -# Display's the passed file name followed by "=" and the file's contents. -# -show_proc() # $1 = name of a file -{ - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -read_yesno_with_timeout() { - read -t 60 yn 2> /dev/null - if [ $? -eq 2 ] - then - # read doesn't support timeout - test -x /bin/bash || return 2 # bash is not installed so the feature is not available - /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read - return $? 
- else - # read supports timeout - case "$yn" in - y|Y) - return 0 - ;; - *) - return 1 - ;; - esac - fi -} - -# -# Print a heading with leading and trailing black lines -# -heading() { - echo - echo "$@" - echo -} - -# -# Create the appropriate -q option to pass onward -# -make_verbose() { - local v - v=$g_verbose_offset - local option - option=- - - if [ -n "$g_use_verbosity" ]; then - echo "-v$g_use_verbosity" - elif [ $g_verbose_offset -gt 0 ]; then - while [ $v -gt 0 ]; do - option="${option}v" - v=$(($v - 1)) - done - - echo $option - elif [ $g_verbose_offset -lt 0 ]; then - while [ $v -lt 0 ]; do - option="${option}q" - v=$(($v + 1)) - done - - echo $option - fi -} - -# -# Executor for drop,reject,... commands -# -block() # $1 = command, $2 = Finished, $3 - $n addresses -{ - local chain - chain=$1 - local finished - finished=$2 - local which - which='-s' - local range - range='--src-range' - - if ! chain_exists dynamic; then - echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 - [ -n "$nolock" ] || mutex_off - exit 2 - fi - - shift 3 - - while [ $# -gt 0 ]; do - case $1 in - from) - which='-s' - range='--src-range' - shift - continue - ;; - to) - which='-d' - range='--dst-range' - shift - continue - ;; - *-*) - qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject - qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP - qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject - qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop - $IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1 - ;; - *) - qt $IP6TABLES -D dynamic $which $1 -j reject - qt $IP6TABLES -D dynamic $which $1 -j DROP - qt $IP6TABLES -D dynamic $which $1 -j logreject - qt $IP6TABLES -D dynamic $which $1 -j logdrop - $IP6TABLES -A dynamic $which $1 -j $chain || break 1 - ;; - esac - - echo "$1 $finished" - shift - done -} - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - list="$@" - local part - 
local newlist - local firstpart - local lastpart - local enclosure - - case "$list" in - *,|,*|*,,*|*[[:space:]]*) - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - echo "WARNING -- invalid comma-separated list \"$@\"" >&2 - ;; - *\[*\]*) - # - # Where we need to embed comma-separated lists within lists, we enclose them - # within square brackets. - # - firstpart=${list%%\[*} - lastpart=${list#*\[} - enclosure=${lastpart%%\]*} - lastpart=${lastpart#*\]} - case $lastpart in - \,*) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" - ;; - esac - ;; - *) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" - ;; - esac - ;; - esac - return - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# add command executor -# -add_command() { - local interface host hostlist zone ipset - if ! shorewall6_is_started ; then - echo "Shorewall6 Not Started" >&2 - exit 2 - fi - - case "$IPSET" in - */*) - ;; - *) - [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" - ;; - esac - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:::/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - - zone=$1 - - for host in $hostlist; do - interface=${host%%:*} - - ipset=6_${zone}_${interface}; - - if ! 
qt $IPSET -L $ipset -n; then - fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" - fi - - host=${host#*:} - - if $IPSET -A $ipset $host; then - echo "Host $interface:$host added to zone $zone" - else - fatal_error "Unable to add $interface:$host to zone $zone" - fi - done - -} - -# -# delete command executor -# -delete_command() { - local interface host hostent hostlist zone ipset - if ! shorewall6_is_started ; then - echo "Shorewall6 Not Started" >&2 - exit 2; - fi - - case "$IPSET" in - */*) - ;; - *) - [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located" - ;; - esac - - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:::/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - - zone=$1 - - for hostent in $hostlist; do - interface=${hostent%%:*} - - ipset=6_${zone}_${interface}; - - if ! qt $IPSET -L $ipset -n; then - fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" - fi - - host=${hostent#*:} - - if $IPSET -D $ipset $host; then - echo "Host $hostent deleted from zone $zone" - else - echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 - fi - done - -} - -# -# 'allow' command executor -# -allow_command() { - [ -n "$g_debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - local which - which='-s' - local range - range='--src-range' - - if ! 
chain_exists dynamic; then - echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 - exit 2 - fi - - [ -n "$nolock" ] || mutex_on - while [ $# -gt 1 ]; do - shift - case $1 in - from) - which='-s' - range='--src-range' - continue - ;; - to) - which='-d' - range='--dst-range' - continue - ;; - *-*) - if qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject ||\ - qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP ||\ - qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop ||\ - qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject - then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - ;; - *) - if qt $IP6TABLES -D dynamic $which $1 -j reject ||\ - qt $IP6TABLES -D dynamic $which $1 -j DROP ||\ - qt $IP6TABLES -D dynamic $which $1 -j logdrop ||\ - qt $IP6TABLES -D dynamic $which $1 -j logreject - then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - ;; - esac - done - [ -n "$nolock" ] || mutex_off - else - error_message "ERROR: $g_product is not started" - exit 2 - fi -} - -# -# 'logwatch' command executor -# -logwatch_command() { - shift - - finished=0 - - while [ $finished -eq 0 -a $# -ne 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - v*) - VERBOSITY=$(($VERBOSITY + 1 )) - option=${option#v} - ;; - q*) - VERBOSITY=$(($VERBOSITY - 1 )) - option=${option#q} - ;; - m*) - g_showmacs=Yes - option=${option#m} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ -n "$g_debugging" ] && set -x - - if [ $# -eq 1 ]; then - logwatch $1 - elif [ $# -eq 0 ]; then - logwatch 30 - else - usage 1 - fi -} - -# -# Determine which optional facilities are supported by iptables/netfilter -# -determine_capabilities() { - CONNTRACK_MATCH= - NEW_CONNTRACK_MATCH= - OLD_CONNTRACK_MATCH= - MULTIPORT= - XMULTIPORT= - POLICY_MATCH= - 
PHYSDEV_MATCH= - PHYSDEV_BRIDGE= - IPRANGE_MATCH= - RECENT_MATCH= - OWNER_MATCH= - IPSET_MATCH= - OLD_IPSET_MATCH= - IPSET_V5= - CONNMARK= - XCONNMARK= - CONNMARK_MATCH= - XCONNMARK_MATCH= - RAW_TABLE= - RAWPOST_TABLE= - IPP2P_MATCH= - OLD_IPP2P_MATCH= - LENGTH_MATCH= - CLASSIFY_TARGET= - ENHANCED_REJECT= - USEPKTTYPE= - KLUDGEFREE= - MARK= - XMARK= - EXMARK= - TPROXY_TARGET= - MANGLE_FORWARD= - COMMENTS= - ADDRTYPE= - TCPMSS_MATCH= - HASHLIMIT_MATCH= - NFQUEUE_TARGET= - REALM_MATCH= - HELPER_MATCH= - CONNLIMIT_MATCH= - TIME_MATCH= - GOTO_TARGET= - IPMARK_TARGET= - LOG_TARGET=Yes - ULOG_TARGET= - NFLOG_TARGET= - LOGMARK_TARGET= - FLOW_FILTER= - FWMARK_RT_MASK= - MARK_ANYWHERE= - HEADER_MATCH= - ACCOUNT_TARGET= - AUDIT_TARGET= - IPSET_V5= - CONDITION_MATCH= - IPTABLES_S= - BASIC_FILTER= - - chain=fooX$$ - - [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables) - - if [ -z "$IP6TABLES" ]; then - echo " ERROR: No executable iptables binary can be found on your PATH" >&2 - exit 1 - fi - - [ -n "$IP" ] || IP=$(which ip) - - [ -n "$IP" -a -x "$IP" ] || IP= - - [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) - - [ -n "$TC" -a -x "$TC" ] || TC= - - qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= - - qt $IP6TABLES -F $chain - qt $IP6TABLES -X $chain - if ! $IP6TABLES -N $chain; then - echo " ERROR: The command \"$IP6TABLES -N $chain\" failed" >&2 - exit 1 - fi - - chain1=${chain}1 - - qt $IP6TABLES -F $chain1 - qt $IP6TABLES -X $chain1 - if ! $IP6TABLES -N $chain1; then - echo " ERROR: The command \"$IP6TABLES -N $chain1\" failed" >&2 - exit 1 - fi - - if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT && - ! 
qt $IP6TABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then - echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2 - exit 1 - fi - - qt $IP6TABLES -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes - - if [ -n "$CONNTRACK_MATCH" ]; then - qt $IP6TABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes - qt $IP6TABLES -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes - fi - - if qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then - MULTIPORT=Yes - qt $IP6TABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes - fi - - qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes - qt $IP6TABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes - - if qt $IP6TABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then - PHYSDEV_MATCH=Yes - qt $IP6TABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes - if [ -z "${KLUDGEFREE}" ]; then - qt $IP6TABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes - fi - fi - - if qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then - IPRANGE_MATCH=Yes - if [ -z "${KLUDGEFREE}" ]; then - qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes - fi - fi - - qt $IP6TABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes - qt $IP6TABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes - - if qt $IP6TABLES -A $chain -m connmark --mark 2 -j ACCEPT; then - CONNMARK_MATCH=Yes - qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes - fi - - qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes - 
if [ -n "$IPP2P_MATCH" ]; then - qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes - fi - - qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes - qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes - - qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes - - if [ -n "$MANGLE_ENABLED" ]; then - qt $IP6TABLES -t mangle -N $chain - - if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then - MARK=Yes - qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes - qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes - fi - - if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then - CONNMARK=Yes - qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes - fi - - qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes - qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes - qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes - qt $IP6TABLES -t mangle -F $chain - qt $IP6TABLES -t mangle -X $chain - qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes - fi - - qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes - qt $IP6TABLES -t rawpost -L -n && RAWPOST_TABLE=Yes - - if qt mywhich ipset; then - qt ipset -X $chain # Just in case something went wrong the last time - - if qt ipset -N $chain hash:ip family inet6; then - IPSET_V5=Yes - if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then - qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT - IPSET_MATCH=Yes - elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then - qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT - IPSET_MATCH=Yes - OLD_IPSET_MATCH=Yes - fi - qt ipset -X $chain - fi - fi - - qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && 
USEPKTTYPE=Yes - qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes - qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes - qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes - if [ -z "$HASHLIMIT_MATCH" ]; then - qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes - HASHLIMIT_MATCH=$OLD_HL_MATCH - fi - qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes - qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes - qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes - qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes - qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes - qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes - qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes - qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= - qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes - qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes - qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes - qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes - qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes - qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes - qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes - qt $IP6TABLES -S INPUT && IPTABLES_S=Yes - - - qt $IP6TABLES -F $chain - qt $IP6TABLES -X $chain - qt $IP6TABLES -F $chain1 - qt $IP6TABLES -X $chain1 - - [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes - [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes - [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK 
&& FWMARK_RT_MASK=Yes - - CAPVERSION=$SHOREWALL_CAPVERSION - - KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//') - - case "$KERNELVERSION" in - *.*.*) - KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) - ;; - *) - KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g')) - ;; - esac -} - -report_capabilities() { - report_capability() # $1 = Capability Description , $2 Capability Setting (if any) - { - local setting - setting= - - [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - - echo " " $1: $setting - } - - if [ $VERBOSITY -gt 1 ]; then - echo "Shorewall6 has detected the following ip6tables/netfilter capabilities:" - report_capability "Packet Mangling" $MANGLE_ENABLED - report_capability "Multi-port Match" $MULTIPORT - [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT - report_capability "Connection Tracking Match" $CONNTRACK_MATCH - if [ -n "$CONNTRACK_MATCH" ]; then - report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH - [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH - fi - report_capability "Packet Type Match" $USEPKTTYPE - report_capability "Policy Match" $POLICY_MATCH - report_capability "Physdev Match" $PHYSDEV_MATCH - report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE - report_capability "Packet length Match" $LENGTH_MATCH - report_capability "IP range Match" $IPRANGE_MATCH - report_capability "Recent Match" $RECENT_MATCH - report_capability "Owner Match" $OWNER_MATCH - if [ -n "$IPSET_MATCH" ]; then - report_capability "Ipset Match" $IPSET_MATCH - [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH - fi - report_capability "CONNMARK Target" $CONNMARK - [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK 
Target" $XCONNMARK
- report_capability "Connmark Match" $CONNMARK_MATCH
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
- report_capability "Raw Table" $RAW_TABLE
- report_capability "Rawpost Table" $RAWPOST_TABLE
- report_capability "IPP2P Match" $IPP2P_MATCH
- [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
- report_capability "Extended REJECT" $ENHANCED_REJECT
- report_capability "Repeat match" $KLUDGEFREE
- report_capability "MARK Target" $MARK
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
- [ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
- report_capability "Comments" $COMMENTS
- report_capability "Address Type Match" $ADDRTYPE
- report_capability "TCPMSS Match" $TCPMSS_MATCH
- report_capability "Hashlimit Match" $HASHLIMIT_MATCH
- [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
- report_capability "NFQUEUE Target" $NFQUEUE_TARGET
- report_capability "Realm Match" $REALM_MATCH
- report_capability "Helper Match" $HELPER_MATCH
- report_capability "Connlimit Match" $CONNLIMIT_MATCH
- report_capability "Time Match" $TIME_MATCH
- report_capability "Goto Support" $GOTO_TARGET
- report_capability "IPMARK Target" $IPMARK_TARGET
- report_capability "LOGMARK Target" $LOGMARK_TARGET
- report_capability "LOG Target" $LOG_TARGET
- report_capability "ULOG Target" $ULOG_TARGET
- report_capability "NFLOG Target" $NFLOG_TARGET
- report_capability "TPROXY Target" $TPROXY_TARGET
- report_capability "FLOW Classifier" $FLOW_FILTER
- report_capability "fwmark route mask" $FWMARK_RT_MASK
- report_capability "Mark in any table" $MARK_ANYWHERE
- report_capability "Header Match" $HEADER_MATCH
- report_capability "ACCOUNT Target" $ACCOUNT_TARGET
- report_capability "AUDIT Target" $AUDIT_TARGET
- report_capability 
"ipset V5" $IPSET_V5
- report_capability "Condition Match" $CONDITION_MATCH
- report_capability "ip6tables -S" $IPTABLES_S
- report_capability "Basic Filter" $BASIC_FILTER
- fi
-
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
- report_capability1() # $1 = Capability
- {
- eval echo $1=\$$1
- }
-
- echo "#"
- echo "# Shorewall6 $SHOREWALL_VERSION detected the following ip6tables/netfilter capabilities - $(date)"
- echo "#"
- report_capability1 MANGLE_ENABLED
- report_capability1 MULTIPORT
- report_capability1 XMULTIPORT
- report_capability1 CONNTRACK_MATCH
- report_capability1 NEW_CONNTRACK_MATCH
- report_capability1 OLD_CONNTRACK_MATCH
- report_capability1 USEPKTTYPE
- report_capability1 POLICY_MATCH
- report_capability1 PHYSDEV_MATCH
- report_capability1 PHYSDEV_BRIDGE
- report_capability1 LENGTH_MATCH
- report_capability1 IPRANGE_MATCH
- report_capability1 RECENT_MATCH
- report_capability1 OWNER_MATCH
- report_capability1 IPSET_MATCH
- report_capability1 OLD_IPSET_MATCH
- report_capability1 CONNMARK
- report_capability1 XCONNMARK
- report_capability1 CONNMARK_MATCH
- report_capability1 XCONNMARK_MATCH
- report_capability1 RAW_TABLE
- report_capability1 RAWPOST_TABLE
- report_capability1 IPP2P_MATCH
- report_capability1 OLD_IPP2P_MATCH
- report_capability1 CLASSIFY_TARGET
- report_capability1 ENHANCED_REJECT
- report_capability1 KLUDGEFREE
- report_capability1 MARK
- report_capability1 XMARK
- report_capability1 EXMARK
- report_capability1 MANGLE_FORWARD
- report_capability1 COMMENTS
- report_capability1 ADDRTYPE
- report_capability1 TCPMSS_MATCH
- report_capability1 HASHLIMIT_MATCH
- report_capability1 OLD_HL_MATCH
- report_capability1 NFQUEUE_TARGET
- report_capability1 REALM_MATCH
- report_capability1 HELPER_MATCH
- report_capability1 CONNLIMIT_MATCH
- report_capability1 TIME_MATCH
- report_capability1 GOTO_TARGET
- report_capability1 IPMARK_TARGET
- report_capability1 LOGMARK_TARGET
- report_capability1 LOG_TARGET
- report_capability1 
ULOG_TARGET
- report_capability1 NFLOG_TARGET
- report_capability1 TPROXY_TARGET
- report_capability1 FLOW_FILTER
- report_capability1 FWMARK_RT_MASK
- report_capability1 MARK_ANYWHERE
- report_capability1 HEADER_MATCH
- report_capability1 ACCOUNT_TARGET
- report_capability1 AUDIT_TARGET
- report_capability1 IPSET_V5
- report_capability1 CONDITION_MATCH
- report_capability1 IPTABLES_S
- report_capability1 BASIC_FILTER
-
- echo CAPVERSION=$SHOREWALL_CAPVERSION
- echo KERNELVERSION=$KERNELVERSION
-}
diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6
deleted file mode 100755
index 360b829e9..000000000
--- a/Shorewall6/shorewall6
+++ /dev/null
@@ -1,2080 +0,0 @@ -#!/bin/sh -# -# Shorewall Packet Filtering Firewall Control Program - V4.4 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - -# Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall6. -# -# Shorewall documentation is available at http://www.shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# For a list of supported commands, type 'shorewall6 help' -# -################################################################################################ -# -# Set the configuration variables from shorewall6.conf -# -# $1 = Yes: read the params file -# $2 = Yes: check for STARTUP_ENABLED -# $3 = Yes: Check for LOGFILE -# -get_config() { - local prog - - ensure_config_path - - if [ "$1" = Yes ]; then - params=$(find_file params) - - if [ -f $params ]; then - . $params - fi - fi - - config=$(find_file shorewall6.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi - else - echo "$config does not exist!" 
>&2 - exit 2 - fi - - ensure_config_path - - if [ -z "$g_export" -a "$(id -u)" = 0 ]; then - # - # This block is avoided for compile for export and when the user isn't root - # - if [ "$3" = Yes ]; then - if [ -n "$LOGFILE" ]; then - if [ -n "$(syslog_circular_buffer)" ]; then - g_logread="logread | tac" - elif [ -r $LOGFILE ]; then - g_logread="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - fi - fi - - if [ -n "$IP6TABLES" ]; then - if [ ! -x "$IP6TABLES" ]; then - echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IP6TABLES=$(mywhich ip6tables 2> /dev/null) - if [ -z "$IP6TABLES" ] ; then - echo " ERROR: Can't find ip6tables executable" >&2 - exit 2 - fi - fi - - if [ -n "$IP" ]; then - case "$IP" in - */*) - if [ ! -x "$IP" ] ; then - echo " ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2 - exit 2 - fi - ;; - *) - prog="$(mywhich $IP 2> /dev/null)" - if [ -z "$prog" ] ; then - echo " ERROR: Can't find $IP executable" >&2 - exit 2 - fi - IP=$prog - ;; - esac - else - IP='ip' - fi - - if [ -n "$IPSET" ]; then - case "$IPSET" in - */*) - if [ ! -x "$IPSET" ] ; then - echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2 - exit 2 - fi - ;; - *) - prog="$(mywhich $IPSET 2> /dev/null)" - if [ -z "$prog" ] ; then - echo " ERROR: Can't find $IPSET executable" >&2 - exit 2 - fi - IPSET=$prog - ;; - esac - else - IPSET='ipset' - fi - - if [ -n "$TC" ]; then - case "$TC" in - */*) - if [ ! 
-x "$TC" ] ; then - echo " ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2 - exit 2 - fi - ;; - *) - prog="$(mywhich $TC 2> /dev/null)" - if [ -z "$prog" ] ; then - echo " ERROR: Can't find $TC executable" >&2 - exit 2 - fi - TC=$prog - ;; - esac - else - TC='tc' - fi - # - # Compile by non-root needs no restore file - # - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - if [ "$2" = Yes ]; then - case $STARTUP_ENABLED in - No|no|NO) - echo " ERROR: Shorewall6 startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall6.conf" >&2 - exit 2 - ;; - Yes|yes|YES) - ;; - *) - if [ -n "$STARTUP_ENABLED" ]; then - echo " ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2 - exit 2 - fi - ;; - esac - fi - - case ${SHOREWALL_COMPILER:=perl} in - perl|Perl) - ;; - shell|Shell) - echo " WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release" >&2 - ;; - *) - echo " ERROR: Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" >&2 - exit 2 - ;; - esac - - case ${TC_ENABLED:=Internal} in - No|NO|no) - TC_ENABLED= - ;; - esac - - [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' - - [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - - if [ -n "$STARTUP_LOG" ]; then - if [ -n "$LOG_VERBOSITY" ]; then - case $LOG_VERBOSITY in - -1) - ;; - 0|1|2) - ;; - *) - echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2 - exit 2; - ;; - esac - else - LOG_VERBOSITY=2; - fi - else - LOG_VERBOSITY=-1; - fi - - else - STARTUP_LOG= - LOG_VERBOSITY=-1 - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! 
-x "$SHOREWALL_SHELL" ]; then - echo " WARNING: The program specified in SHOREWALL6_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 - SHOREWALL_SHELL=/bin/sh - fi - fi - - case $VERBOSITY in - -1|0|1|2) - ;; - *) - if [ -n "$VERBOSITY" ]; then - echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2 - exit 2 - else - VERBOSITY=2 - fi - ;; - esac - - [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) - - if [ $VERBOSITY -lt -1 ]; then - VERBOSITY=-1 - elif [ $VERBOSITY -gt 2 ]; then - VERBOSITY=2 - fi - - g_hostname=$(hostname 2> /dev/null) - - [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}' - [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' - - case $MANGLE_ENABLED in - Yes|yes) - ;; - No|no) - MANGLE_ENABLED= - ;; - *) - if [ -n "$MANGLE_ENABLED" ]; then - echo " ERROR: Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" >&2 - exit 2 - fi - ;; - esac - - case $AUTOMAKE in - Yes|yes) - ;; - No|no) - AUTOMAKE= - ;; - *) - if [ -n "$AUTOMAKE" ]; then - echo " ERROR: Invalid AUTOMAKE setting ($AUTOMAKE)" >&2 - exit 1 - fi - ;; - esac - - case $LOAD_HELPERS_ONLY in - Yes|yes) - ;; - No|no) - LOAD_HELPERS_ONLY= - ;; - *) - if [ -n "$LOAD_HELPERS_ONLY" ]; then - echo " ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2 - exit 1 - fi - ;; - esac - - case $LEGACY_FASTSTART in - Yes|yes) - ;; - No|no) - LEGACY_FASTSTART= - ;; - *) - if [ -n "$LEGACY_FASTSTART" ]; then - echo " ERROR: Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)" >&2 - exit 1 - fi - - LEGACY_FASTSTART=Yes - ;; - esac -} - -# -# Issue an error message and die -# -startup_error() { - echo " ERROR: $@" >&2 - kill $$ - exit 1 -} - -# -# Determine if there are config files newer than the passed object -# -uptodate() { - [ -x $1 ] || return 1 - - local dir - local ifs - - ifs="$IFS" - IFS=':' - - for dir in $CONFIG_PATH; do - if [ -n "$(find ${dir} 
-newer $1)" ]; then - IFS="$ifs" - return 1; - fi - done - - IFS="$ifs" - - return 0 -} - -# -# Run the compiler -# -compiler() { - local pc - pc=$g_libexec/shorewall/compiler.pl - - if [ $(id -u) -ne 0 ]; then - if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall6 ]; then - startup_error "Ordinary users may not compile the /etc/shorewall6 configuration" - fi - fi - # - # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH - # - ensure_config_path - # - # Get the config from $SHOREWALL_DIR - # - [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/shorewall6 ] && get_config - - case $COMMAND in - *start|try|refresh) - ;; - *) - STARTUP_LOG= - LOG_VERBOSITY=-1 - ;; - esac - - debugflags="-w" - [ -n "$g_debug" ] && debugflags='-wd' - [ -n "$g_profile" ] && debugflags='-wd:DProf' - - # Perl compiler only takes the output file as a argument - - [ "$1" = debug -o "$1" = trace ] && shift; - [ "$1" = nolock ] && shift; - shift - - options="--verbose=$VERBOSITY --family=6 --config_path=$CONFIG_PATH" - [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" - [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; - [ -n "$g_export" ] && options="$options --export" - [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" - [ -n "$g_timestamp" ] && options="$options --timestamp" - [ -n "$g_test" ] && options="$options --test" - [ -n "$g_preview" ] && options="$options --preview" - [ "$g_debugging" = trace ] && options="$options --debug" - [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" - [ -n "$g_confess" ] && options="$options --confess" - [ -n "$g_update" ] && options="$options --update" - [ -n "$g_convert" ] && options="$options --convert" - [ -n "$g_annotate" ] && options="$options --annotate" - [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed" - - if [ -n "$PERL" ]; then - if [ ! 
-x "$PERL" ]; then - echo " WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2 - PERL=/usr/bin/perl - fi - else - PERL=/usr/bin/perl - fi - - if [ $g_perllib = ${g_libexec}/shorewall ]; then - $PERL $debugflags $pc $options $@ - else - PERL5LIB=$g_perllib - export PERL5LIB - $PERL $debugflags $pc $options $@ - fi -} - -# -# Start Command Executor -# -start_command() { - local finished - finished=0 - local object - local rc - rc=0 - - do_it() { - if [ -n "$AUTOMAKE" ]; then - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/firewall $g_debugging start - rc=$? - [ -n "$nolock" ] || mutex_off - else - progress_message3 "Compiling..." - - if compiler $g_debugging $nolock compile ${VARDIR}/.start; then - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/.start $g_debugging start - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - logger -p kern.err "ERROR:Shorewall6 start failed" - fi - fi - - exit $rc - } - - if shorewall6_is_started; then - error_message "Shorewall6 is already running" - exit 0 - fi - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - d*) - g_debug=Yes - option=${option#d} - ;; - f*) - g_fast=Yes - option=${option#f} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - ;; - c*) - AUTOMAKE= - option=${option#c} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" -o -n "$g_fast" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - AUTOMAKE= - ;; - *) - usage 1 - ;; - esac - - if [ -n "${g_fast}${AUTOMAKE}" ]; then - if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then - # - # Automake or LEGACY_FASTSTART=No -- use the last compiled script - # - object=firewall - else - # - # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration - # - object=$RESTOREFILE - fi - - if ! uptodate ${VARDIR}/$object; then - g_fast= - AUTOMAKE= - fi - - if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then - g_restorepath=${VARDIR}/$object - [ -n "$nolock" ] || mutex_on - echo Restoring Shorewall... - run_it $g_restorepath restore - rc=$? - [ -n "$nolock" ] || mutex_off - [ $rc -eq 0 ] && progress_message3 "Shorewall6 restored from $g_restorepath" - exit $rc - else - do_it - fi - else - do_it - fi -} - -# -# Compile Command Executor -# -compile_command() { - local finished - finished=0 - - while [ $finished -eq 0 ]; do - [ $# -eq 0 ] && break - option=$1 - case $option in - -*) - shift - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - e*) - g_export=Yes - option=${option#e} - ;; - p*) - g_profile=Yes - option=${option#p} - ;; - t*) - g_test=Yes - option=${option#t} - ;; - d*) - g_debug=Yes; - option=${option#d} - ;; - T*) - g_confess=Yes - option=${option#T} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - ;; - *) - finished=1 - ;; - esac - done - - file= - - case $# in - 0) - file=${VARDIR}/firewall - ;; - 1) - file=$1 - [ -d $file ] && echo " ERROR: $file is a directory" >&2 && exit 2; - ;; - 2) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - file=$2 - ;; - *) - usage 1 - ;; - esac - - [ "x$file" = x- ] || progress_message3 "Compiling..." - - compiler $g_debugging compile $file -} - -# -# Check Command Executor -# -check_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - e*) - g_export=Yes - option=${option#e} - ;; - p*) - g_profile=Yes - option=${option#p} - ;; - d*) - g_debug=Yes; - option=${option#d} - ;; - r*) - g_preview=Yes - option=${option#r} - ;; - T*) - g_confess=Yes - option=${option#T} - ;; - a*) - g_annotate=Yes - option=${option#a} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - ;; - *) - usage 1 - ;; - esac - - progress_message3 "Checking..." 
- - compiler $g_debugging $nolock check -} - -# -# Update Command Executor -# -update_command() { - local finished - finished=0 - - g_update=Yes - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - e*) - g_export=Yes - option=${option#e} - ;; - p*) - g_profile=Yes - option=${option#p} - ;; - d*) - g_debug=Yes; - option=${option#d} - ;; - r*) - g_preview=Yes - option=${option#r} - ;; - T*) - g_confess=Yes - option=${option#T} - ;; - a*) - g_annotate=Yes - option=${option#a} - ;; - b*) - g_convert=Yes - option=${option#b} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - ;; - *) - usage 1 - ;; - esac - - progress_message3 "Updating..." - - compiler $g_debugging $nolock check -} - -# -# Restart Command Executor -# -restart_command() { - local finished - finished=0 - local rc - rc=0 - local restorefile - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - d*) - g_debug=Yes - option=${option#d} - ;; - f*) - g_fast=Yes - option=${option#f} - ;; - c*) - AUTOMAKE= - option=${option#c} - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - g_purge=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - [ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option" - AUTOMAKE= - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then - uptodate ${VARDIR}/firewall && g_fast=Yes - fi - - if [ -z "$g_fast" ]; then - progress_message3 "Compiling..." - - if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/.restart $g_debugging restart - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - logger -p kern.err "ERROR:Shorewall6 restart failed" - fi - else - [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/firewall $g_debugging restart - rc=$? - [ -n "$nolock" ] || mutex_off - fi - - return $rc -} - -# -# Refresh Command Executor -# -refresh_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - if [ $# -gt 0 ]; then - g_refreshchains=$1 - shift - - while [ $# -gt 0 ]; do - g_refreshchains="$g_refreshchains,$1" - shift - done - else - g_refreshchains=:refresh: - fi - - shorewall6_is_started || fatal_error "Shorewall6 is not running" - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - progress_message3 "Compiling..." - - if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/.refresh $g_debugging refresh - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? 
- fi - - return $rc -} - -# -# Safe-start/safe-restart Command Executor -# -safe_commands() { - local finished - finished=0 - local command - - # test is the shell supports timed read - read -t 0 junk 2> /dev/null - if [ $? -eq 2 -a ! -x /bin/bash ];then - echo "Your shell does not support a feature required to execute this command". - exit 2 - fi - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - if shorewall6_is_started; then - running=Yes - else - running= - fi - - if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then - # the command is safe-start but the firewall is already running - error_message "Shorewall6 is already started" - exit 0 - fi - - if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then - # the command is safe-start or shorewall6 is not started yet - command="start" - else - # the command is safe-restart and the firewall is already running - command="restart" - fi - - progress_message3 "Compiling..." - - if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then - status=$? - exit $status - fi - - case $command in - start) - RESTOREFILE=NONE - progress_message3 "Starting..." - ;; - restart) - RESTOREFILE=.safe - g_restorepath=${VARDIR}/.safe - save_config - progress_message3 "Restarting..." 
- ;; - esac - - [ -n "$nolock" ] || mutex_on - - if run_it ${VARDIR}/.$command $g_debugging $command; then - - echo -n "Do you want to accept the new firewall configuration? [y/n] " - - if read_yesno_with_timeout; then - echo "New configuration has been accepted" - else - if [ "$command" = "restart" ]; then - run_it ${VARDIR}/.safe restore - else - run_it ${VARDIR}/.$command clear - fi - - [ -n "$nolock" ] || mutex_off - - echo "New configuration has been rejected and the old one restored" - exit 2 - fi - - fi - - [ -n "$nolock" ] || mutex_off -} - -# -# 'try' Command Executor -# -try_command() { - local finished - finished=0 - local timeout - timeout= - - handle_directory() { - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - } - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - usage 1 - ;; - 1) - handle_directory $1 - ;; - 2) - handle_directory $1 - timeout=$2 - case $timeout in - *[!0-9]*) - echo " ERROR: Invalid timeout ($timeout)" >&2; - exit 1 - ;; - esac - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - if shorewall6_is_started; then - running=Yes - else - running= - fi - - if [ -z "$running" ]; then - # shorewall6 is not started yet - command="start" - else - # the firewall is already running - command="restart" - fi - - progress_message3 "Compiling..." - - if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then - status=$? - exit $status - fi - - case $command in - start) - RESTOREFILE=NONE - progress_message3 "Starting..." 
- ;; - restart) - RESTOREFILE=.try - g_restorepath=${VARDIR}/.try - save_config - progress_message3 "Restarting..." - ;; - esac - - [ -n "$nolock" ] || mutex_on - - if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then - sleep $timeout - - if [ "$command" = "restart" ]; then - run_it ${VARDIR}/.try restore - else - run_it ${VARDIR}/.$command clear - fi - fi - - [ -n "$nolock" ] || mutex_off - - return 0 -} - -rsh_command() { - command="$*" - - eval $RSH_COMMAND -} - -rcp_command() { - files="$1" - destination=$2 - - eval $RCP_COMMAND -} - -# -# [Re]load command executor -# -reload_command() # $* = original arguments less the command. -{ - local verbose - verbose=$(make_verbose) - local file - file= - local capabilities - capabilities= - local finished - finished=0 - local saveit - saveit= - local result - local directory - local system - local getcaps - getcaps= - local root - root=root - local libexec - libexec=/usr/share - - litedir=/var/lib/shorewall6-lite - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - s*) - saveit=Yes - option=${option#s} - ;; - c*) - getcaps=Yes - option=${option#c} - ;; - r) - [ $# -gt 1 ] || fatal_error "Missing Root User name" - root=$2 - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 1) - directory="." 
- system=$1 - ;; - 2) - directory=$1 - system=$2 - ;; - *) - usage 1 - ;; - esac - - temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') - - [ -n "$temp" ] && litedir="$temp" - - temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') - - if [ -n "$temp" ]; then - case $temp in - /*) - libexec="$temp" - ;; - *) - libexec=/usr/$temp - ;; - esac - fi - - if [ -z "$getcaps" ]; then - SHOREWALL_DIR=$(resolve_file $directory) - ensure_config_path - capabilities=$(find_file capabilities) - [ -f $capabilities ] || getcaps=Yes - fi - - if [ -f $directory/shorewall6.conf ]; then - if [ -f $directory/params ]; then - . $directory/params - fi - - . $directory/shorewall6.conf - - ensure_config_path - fi - - if [ -n "$getcaps" ]; then - [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')" - - progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then - fatal_error "Capturing capabilities on system $system failed" - fi - fi - - file=$(resolve_file $directory/firewall) - - [ -n "$g_timestamp" ] && timestamp='-t' || timestamp= - - if shorewall6 $g_debugging $verbose $timestamp compile -e $directory $directory/firewall && \ - progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." 
&& \ - rcp_command "$directory/firewall $directory/firewall.conf" ${litedir} - then - save=$(find_file save); - - [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall6-lite/" && rcp_command $save /etc/shorewall6-lite/ - - progress_message3 "Copy complete" - if [ $COMMAND = reload ]; then - rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp restart" && \ - progress_message3 "System $system reloaded" || saveit= - else - rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp start" && \ - progress_message3 "System $system loaded" || saveit= - fi - - if [ -n "$saveit" ]; then - rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp save" && \ - progress_message3 "Configuration on system $system saved" - fi - fi -} - -# -# Export command executor -# -export_command() # $* = original arguments less the command. -{ - local verbose - verbose=$(make_verbose) - local file - file= - local finished - finished=0 - local directory - local target - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - *) - fatal_error "Unrecognized option \"$option\"" - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 1) - directory="." - target=$1 - ;; - 2) - directory=$1 - target=$2 - ;; - *) - fatal_error "Invalid command syntax (\"man shorewall6\" for help)" - ;; - esac - - case $target in - *:*) - ;; - *) - target=$target: - ;; - esac - - file=$(resolve_file $directory/firewall) - - if shorewall6 $g_debugging $verbose compile -e $directory $directory/firewall && \ - echo "Copying $file and ${file}.conf to ${target#*@}..." && \ - scp $directory/firewall $directory/firewall.conf $target - then - save=$(find_file save); - - [ -f $save ] && progress_message3 "Copying $save to ${target#*}..." 
&& rcp_command $save $target - - progress_message3 "Copy complete" - fi -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " - echo "where is one of:" - echo " add [:] ... " - echo " allow
..." - echo " check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ ]" - echo " clear" - echo " compile [ -e ] [ -d ] [ ] [ ]" - echo " delete [:] ... " - echo " disable " - echo " drop
..." - echo " dump [ -x ]" - echo " enable " - echo " export [ ] [@][:]" - echo " forget [ ]" - echo " help" - echo " iptrace " - echo " load [ -s ] [ -c ] [ -r ] [ ] " - echo " logdrop
..." - echo " logreject
..." - echo " logwatch []" - echo " noiptrace " - echo " refresh [ ... ]" - echo " reject
..." - echo " reload [ -s ] [ -c ] [ -r ] [ ] " - echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ ]" - echo " restore [ -n ] [ ]" - echo " safe-restart [ ]" - echo " safe-start [ ]" - echo " save [ ]" - echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" - echo " show actions" - echo " show [ -f ] capabilities" - echo " show classifiers" - echo " show config" - echo " show connections" - echo " show dynamic " - echo " show filters" - echo " show ip" - echo " show [ -m ] log []" - echo " show macro " - echo " show macros" - echo " show marks" - echo " show [ -x ] mangle|raw|routing" - echo " show policies" - echo " show tc [ device ]" - echo " show vardir" - echo " show zones" - echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ ]" - echo " status" - echo " stop" - echo " try [ ]" - echo " update [ -b ] [ -r ] [ -T ] [ ]" - echo " version [ -a ]" - echo - exit $1 -} - -version_command() { - local finished - finished=0 - local all - all= - local product - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - a*) - all=Yes - option=${option#a} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $# -gt 0 ] && usage 1 - - echo $SHOREWALL_VERSION - - if [ -n "$all" ]; then - for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do - if [ -f /usr/share/$product/version ]; then - echo "$product: $(cat /usr/share/$product/version)" - fi - done - fi -} - -# -# Execution begins here -# -g_debugging= - -if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - g_debugging=$1 - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -SHOREWALL_DIR= -g_noroutes= -g_purge= - -g_ipt_options="-nv" -g_fast= -g_verbose_offset=0 -g_use_verbosity= -g_debug= -g_export= -g_refreshchains=:none: -g_confess= -g_update= 
-g_convert= -g_annotate= - -# -# Make sure that these variables are cleared -# -VERBOSE= -VERBOSITY= - -finished=0 - -while [ $finished -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -) - finished=1 - ;; - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - c) - [ $# -eq 1 ] && usage 1 - - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $2) - option= - shift - ;; - e*) - g_export=Yes - option=${option#e} - ;; - x*) - g_ipt_options="-xnv" - option=${option#x} - ;; - q*) - g_verbose_offset=$(($g_verbose_offset - 1 )) - option=${option#q} - ;; - f*) - g_fast=Yes - option=${option#f} - ;; - v*) - option=${option#v} - case $option in - -1*) - g_use_verbosity=-1 - option=${option#-1} - ;; - 0*) - g_use_verbosity=0 - option=${option#0} - ;; - 1*) - g_use_verbosity=1 - option=${option#1} - ;; - 2*) - g_use_verbosity=2 - option=${option#2} - ;; - *) - g_verbose_offset=$(($g_verbose_offset + 1 )) - g_use_verbosity= - ;; - esac - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - t*) - g_timestamp=Yes - option=${option#t} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac -done - -if [ $# -eq 0 ]; then - usage 1 -fi - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHAREDIR=/usr/share/shorewall6 -CONFDIR=/etc/shorewall6 -g_product="Shorewall6" -g_recovering= -g_timestamp= -g_libexec=/usr/share -g_perllib=/usr/share/shorewall - -[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir - -[ -n "${VARDIR:=/var/lib/shorewall6}" ] - -if [ ! -f ${VARDIR}/firewall ]; then - [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall -fi - -g_firewall=${VARDIR}/firewall - -for library in base cli; do - . 
${SHAREDIR}/lib.$library -done - -version_file=$SHAREDIR/version -if [ -f $version_file ]; then - SHOREWALL_VERSION=$(cat $version_file) -else - echo " ERROR: Shorewall6 is not properly installed" >&2 - echo " The file $version_file does not exist" >&2 - exit 1 -fi - -banner="Shorewall6-$SHOREWALL_VERSION Status at $g_hostname -" - -case $(echo -e) in - -e*) - g_ring_bell="echo \a" - g_echo_e="echo" - ;; - *) - g_ring_bell="echo -e \a" - g_echo_e="echo -e" - ;; -esac - -case $(echo -n "Testing") in - -n*) - g_echo_n= - ;; - *) - g_echo_n=-n - ;; -esac - -COMMAND=$1 - -case "$COMMAND" in - start) - get_config Yes Yes - shift - start_command $@ - ;; - stop|clear) - [ $# -ne 1 ] && usage 1 - get_config - [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" - [ -n "$nolock" ] || mutex_on - run_it $g_firewall $g_debugging $COMMAND - [ -n "$nolock" ] || mutex_off - ;; - reset) - get_config - shift - [ -n "$nolock" ] || mutex_on - [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" - run_it $g_firewall $g_debugging reset $@ - [ -n "$nolock" ] || mutex_off - ;; - compile) - get_config Yes - shift - compile_command $@ - ;; - restart) - get_config Yes Yes - shift - restart_command $@ - ;; - refresh) - get_config Yes Yes - shift - refresh_command $@ - ;; - check) - get_config Yes - shift - check_command $@ - ;; - update) - get_config Yes - shift - update_command $@ - ;; - disable|enable) - get_config Yes - if shorewall6_is_started; then - run_it ${VARDIR}/firewall $g_debugging $@ - else - fatal_error "Shorewall is not running" - fi - ;; - show|list) - get_config Yes No Yes - shift - show_command $@ - ;; - load|reload) - get_config Yes - shift - reload_command $@ - ;; - export) - get_config Yes - shift - export_command $@ - ;; - status) - [ $# -eq 1 ] || usage 1 - [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" - get_config - echo "Shorewall6-$SHOREWALL_VERSION Status at $g_hostname - $(date)" - echo - if 
shorewall6_is_started ; then - echo "Shorewall6 is running" - status=0 - else - echo "Shorewall6 is stopped" - status=4 - fi - - if [ -f ${VARDIR}/state ]; then - state="$(cat ${VARDIR}/state)" - case $state in - Stopped*|Closed*|Clear*) - status=3 - ;; - esac - else - state=Unknown - fi - echo "State:$state" - echo - exit $status - ;; - dump) - get_config Yes No Yes - shift - dump_command $@ - ;; - version) - shift - version_command $@ - ;; - try) - get_config Yes - shift - try_command $@ - ;; - logwatch) - get_config Yes Yes Yes - banner="Shorewall6-$SHOREWALL_VERSION Logwatch at $g_hostname -" - logwatch_command $@ - ;; - drop) - get_config - [ -n "$g_debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - if ! chain_exists dynamic; then - echo "Dynamic blacklisting is not supported in the current $g_product configuration" - exit 2 - fi - - [ -n "$nolock" ] || mutex_on - block DROP Dropped $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall6 is not started" - fi - ;; - logdrop) - get_config - [ -n "$g_debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - if ! 
chain_exists dynamic; then - echo "Dynamic blacklisting is not supported in the current $g_product configuration" - exit 2 - fi - - [ -n "$nolock" ] || mutex_on - block logdrop Dropped $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall6 is not started" - fi - ;; - reject|logreject) - get_config - [ -n "$g_debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall6_is_started ; then - [ -n "$nolock" ] || mutex_on - block $COMMAND Rejected $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall6 is not started" - fi - ;; - allow) - get_config - allow_command $@ - ;; - add) - get_config - shift - add_command $@ - ;; - delete) - get_config - shift - delete_command $@ - ;; - save) - get_config - [ -n "$g_debugging" ] && set -x - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - g_restorepath=${VARDIR}/$RESTOREFILE - - [ -n "$nolock" ] || mutex_on - - save_config - - result=$? - - [ -n "$nolock" ] || mutex_off - - exit $result - ;; - forget) - get_config - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - g_restorepath=${VARDIR}/$RESTOREFILE - - if [ -x $g_restorepath ]; then - rm -f $g_restorepath - rm -f ${g_restorepath}-iptables - rm -f ${g_restorepath}-ipsets - echo " $g_restorepath removed" - elif [ -f $g_restorepath ]; then - echo " $g_restorepath exists and is not a saved Shorewall6 configuration" - fi - rm -f ${VARDIR}/save - ;; - restore) - get_config - shift - restore_command $@ - ;; - call) - get_config - [ -n "$g_debugging" ] && set -x - # - # Undocumented way to call functions in ${SHAREDIR}/functions directly - # - shift - $@ - ;; - help) - shift - usage - ;; - safe-restart|safe-start) - get_config Yes - shift - safe_commands $@ - ;; - iptrace) - get_config - shift - if shorewall_is_started ; then - $IP6TABLES -t raw -A PREROUTING $@ -j TRACE - $IP6TABLES -t raw -A OUTPUT $@ -j TRACE - else - fatal_error 
"Shorewall6 is not started" - fi - ;; - noiptrace) - get_config - shift - if shorewall_is_started ; then - $IP6TABLES -t raw -D PREROUTING $@ -j TRACE - $IP6TABLES -t raw -D OUTPUT $@ -j TRACE - else - fatal_error "Shorewall6 is not started" - fi - ;; - *) - usage 1 - ;; - -esac