From 8b036f23f2008c2722d8466554a36ff953d2fe92 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 9 Dec 2008 19:05:18 +0000 Subject: [PATCH] First round of changes to Shorewall6 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8958 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall6/configpath | 10 +- Shorewall6/interfaces | 8 +- Shorewall6/lib.base | 706 +------- Shorewall6/lib.cli | 190 +-- Shorewall6/lib.config | 2296 -------------------------- Shorewall6/lib.dynamiczones | 427 ----- Shorewall6/masq | 11 - Shorewall6/nat | 11 - Shorewall6/netmap | 11 - Shorewall6/proxyarp | 10 - Shorewall6/rfc1918 | 9 - Shorewall6/{shorewall => shorewall6} | 427 ++--- Shorewall6/strip | 110 -- 13 files changed, 278 insertions(+), 3948 deletions(-) delete mode 100644 Shorewall6/lib.config delete mode 100644 Shorewall6/lib.dynamiczones delete mode 100644 Shorewall6/masq delete mode 100644 Shorewall6/nat delete mode 100644 Shorewall6/netmap delete mode 100644 Shorewall6/proxyarp delete mode 100644 Shorewall6/rfc1918 rename Shorewall6/{shorewall => shorewall6} (72%) delete mode 100755 Shorewall6/strip diff --git a/Shorewall6/configpath b/Shorewall6/configpath index 9c442bbbc..fcefa6ecd 100644 --- a/Shorewall6/configpath +++ b/Shorewall6/configpath @@ -1,13 +1,13 @@ # -# Shorewall version 4 - Default Config Path +# Shorewall6 version 4 - Default Config Path # -# /usr/share/shorewall/configpath +# /usr/share/shorewall6/configpath # # Note to maintainers. # -# The CONFDIR variable is normally set to /etc/shorewall but when +# The CONFDIR variable is normally set to /etc/shorewall6 but when # the command is "compile -e" then CONFDIR is set to -# /usr/share/shorewall/configfiles/. This prevents 'compile -e' +# /usr/share/shorewall6/configfiles/. This prevents 'compile -e' # from trying to use configuration information from /etc/shorewall. -CONFIG_PATH=${CONFDIR}:/usr/share/shorewall +CONFIG_PATH=${CONFDIR}:/usr/share/shorewall6 diff --git a/Shorewall6/interfaces b/Shorewall6/interfaces index af555d44f..5c808b693 100644 --- a/Shorewall6/interfaces +++ b/Shorewall6/interfaces @@ -1,11 +1,11 @@ # -# Shorewall version 4 - Interfaces File +# Shorewall6 version 4 - Interfaces File # -# For information about entries in this file, type "man shorewall-interfaces" +# For information about entries in this file, type "man shorewall6-interfaces" # # The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-interfaces.html +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html # ############################################################################### -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE ANYCAST OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index f7122ebe5..ba1bbc71c 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -1,10 +1,10 @@ #!/bin/sh # -# Shorewall 4.2 -- /usr/share/shorewall/lib.base +# Shorewall6 4.4 -- /usr/share/shorewall/lib.base # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -23,8 +23,6 @@ # # This library contains the code common to all Shorewall components. # -# - It is copied into the compiled script with the -e compiler flag is specified to -# shorewall-shell. # - It is loaded by /sbin/shorewall. # - It is loaded by /usr/share/shorewall/firewall. # - It is loaded by /usr/share/shorewall-shell/compiler. @@ -34,13 +32,12 @@ # by the compiler. # -SHOREWALL_LIBVERSION=40000 +SHOREWALL_LIBVERSION=40300 SHOREWALL_CAPVERSION=40203 -[ -n "${VARDIR:=/var/lib/shorewall}" ] -[ -n "${SHAREDIR:=/usr/share/shorewall}" ] -[ -n "${CONFDIR:=/etc/shorewall}" ] -SHELLSHAREDIR=/usr/share/shorewall-shell +[ -n "${VARDIR:=/var/lib/shorewall6}" ] +[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] +[ -n "${CONFDIR:=/etc/shorewall6}" ] PERLSHAREDIR=/usr/share/shorewall-perl # @@ -142,8 +139,8 @@ qt() # # Determine if Shorewall is "running" # -shorewall_is_started() { - qt $IPTABLES -L shorewall -n +shorewall6_is_started() { + qt $IP6TABLES -L shorewall -n } # @@ -263,7 +260,7 @@ reload_kernel_modules() { [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do @@ -299,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" @@ -397,312 +394,12 @@ lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library fi } -# -# Determine if an optional library is available -# -lib_avail() # $1 = Name of the Library -{ - [ -f ${SHAREDIR}/lib.$1 ] -} - -# -# Note: The following set of IP address manipulation functions have anomalous -# behavior when the shell only supports 32-bit signed arithmetic and -# the IP address is 128.0.0.0 or 128.0.0.1. -# - -LEFTSHIFT='<<' - -# -# Validate an IP address -# -valid_address() { - local x - local y - local ifs - ifs=$IFS - - IFS=. - - for x in $1; do - case $x in - [0-9]|[0-9][0-9]|[1-2][0-9][0-9]) - [ $x -lt 256 ] || { IFS=$ifs; return 2; } - ;; - *) - IFS=$ifs - return 2 - ;; - esac - done - - IFS=$ifs - - return 0 -} - -# -# Convert an IP address in dot quad format to an integer -# -decodeaddr() { - local x - local temp - temp=0 - local ifs - ifs=$IFS - - IFS=. - - for x in $1; do - temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) - done - - echo $temp - - IFS=$ifs -} - -# -# convert an integer to dot quad format -# -encodeaddr() { - addr=$1 - local x - local y - y=$(($addr & 255)) - - for x in 1 2 3 ; do - addr=$(($addr >> 8)) - y=$(($addr & 255)).$y - done - - echo $y -} - -# -# Miserable Hack to work around broken BusyBox ash in OpenWRT -# -addr_comp() { - test $(bc < $2 -EOF -) -eq 1 - -} - -# -# Enumerate the members of an IP range -- When using a shell supporting only -# 32-bit signed arithmetic, the range cannot span 128.0.0.0. -# -# Comes in two flavors: -# -# ip_range() - produces a mimimal list of network/host addresses that spans -# the range. -# -# ip_range_explicit() - explicitly enumerates the range. -# -ip_range() { - local first - local last - local l - local x - local y - local z - local vlsm - - case $1 in - !*) - # - # Let iptables complain if it's a range - # - echo $1 - return - ;; - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if addr_comp $first $last; then - fatal_error "Invalid IP address range: $1" - fi - - l=$(( $last + 1 )) - - while addr_comp $l $first; do - vlsm= - x=31 - y=2 - z=1 - - while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do - vlsm=/$x - x=$(( $x - 1 )) - z=$y - y=$(( $y * 2 )) - done - - echo $(encodeaddr $first)$vlsm - first=$(($first + $z)) - done -} - -ip_range_explicit() { - local first - local last - - case $1 in - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if addr_comp $first $last; then - fatal_error "Invalid IP address range: $1" - fi - - while ! addr_comp $first $last; do - echo $(encodeaddr $first) - first=$(($first + 1)) - done -} - -# -# Netmask from CIDR -# -ip_netmask() { - local vlsm - vlsm=${1#*/} - - [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) -} - -# -# Network address from CIDR -# -ip_network() { - local decodedaddr - decodedaddr=$(decodeaddr ${1%/*}) - local netmask - netmask=$(ip_netmask $1) - - echo $(encodeaddr $(($decodedaddr & $netmask))) -} - -# -# The following hack is supplied to compensate for the fact that many of -# the popular light-weight Bourne shell derivatives don't support XOR ("^"). -# -ip_broadcast() { - local x - x=$(( 32 - ${1#*/} )) - - [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) -} - -# -# Calculate broadcast address from CIDR -# -broadcastaddress() { - local decodedaddr - decodedaddr=$(decodeaddr ${1%/*}) - local netmask - netmask=$(ip_netmask $1) - local broadcast - broadcast=$(ip_broadcast $1) - - echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) -} - -# -# Test for network membership -# -in_network() # $1 = IP address, $2 = CIDR network -{ - local netmask - netmask=$(ip_netmask $2) - # - # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT - # - test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask )) -} - -# -# Netmask to VLSM -# -ip_vlsm() { - local mask - mask=$(decodeaddr $1) - local vlsm - vlsm=0 - local x - x=$(( 128 << 24 )) # 0x80000000 - - while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. - vlsm=$(($vlsm + 1)) - done - - if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff - echo "Invalid net mask: $1" >&2 - else - echo $vlsm - fi -} - - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). -# -chain_base() #$1 = interface -{ - local c - c=${1%%+} - - while true; do - case $c in - @*) - c=at_${c#@} - ;; - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *%*) - c="${c%\%*}_${c##*%}" - ;; - *@*) - c="${c%@*}_${c##*@}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - # # Query NetFilter about the existence of a filter chain # chain_exists() # $1 = chain name { - qt $IPTABLES -L $1 -n + qt $IP6TABLES -L $1 -n } # @@ -750,61 +447,23 @@ find_peer() { done } -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route list | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - # # Try to find the gateway through an interface looking for 'nexthop' find_nexthop() # $1 = interface { - echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`) + echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { - ip route list | while read first rest; do + ip -6 route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev - dev="$(find_rt_interface $1)" - local first - local rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - # # Find the interface with the passed MAC address # @@ -847,16 +506,16 @@ find_first_interface_address() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) # # If there wasn't one, bail out now # - [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" + [ -n "$addr" ] || fatal_error "Can't determine the IPv6 address of $1" # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line # - echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' } find_first_interface_address_if_any() # $1 = interface @@ -864,12 +523,12 @@ find_first_interface_address_if_any() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line # - [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 + [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo :: } # @@ -877,7 +536,7 @@ find_first_interface_address_if_any() # $1 = interface # interface_is_usable() # $1 = interface { - interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] + interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] } # @@ -886,7 +545,7 @@ interface_is_usable() # $1 = interface # find_interface_addresses() # $1 = interface { - ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + ip -f inet6 addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' } # @@ -897,7 +556,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message local address local rest - ip route show dev $1 2> /dev/null | + ip -6 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) @@ -911,18 +570,13 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message multicast|broadcast|prohibit|nat|throw|nexthop) ;; *) - [ "$address" = "${address%/*}" ] && address="${address}/32" + [ "$address" = "${address%/*}" ] && address="${address}/128" echo $address ;; esac done } -get_interface_bcasts() # $1 = interface -{ - ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u -} - # # Internal version of 'which' # @@ -1042,7 +696,6 @@ set_state () # $1 = state # Determine which optional facilities are supported by iptables/netfilter # determine_capabilities() { - qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= @@ -1084,126 +737,126 @@ determine_capabilities() { chain=fooX$$ - [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) + [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables) - if [ -z "$IPTABLES" ]; then + if [ -z "$IP6TABLES" ]; then echo " ERROR: No executable iptables binary can be found on your PATH" >&2 exit 1 fi - qt $IPTABLES -F $chain - qt $IPTABLES -X $chain - if ! $IPTABLES -N $chain; then - echo " ERROR: The command \"$IPTABLES -N $chain\" failed" >&2 + qt $IP6TABLES -F $chain + qt $IP6TABLES -X $chain + if ! $IP6TABLES -N $chain; then + echo " ERROR: The command \"$IP6TABLES -N $chain\" failed" >&2 exit 1 fi chain1=${chain}1 - qt $IPTABLES -F $chain1 - qt $IPTABLES -X $chain1 - if ! $IPTABLES -N $chain1; then - echo " ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2 + qt $IP6TABLES -F $chain1 + qt $IP6TABLES -X $chain1 + if ! $IP6TABLES -N $chain1; then + echo " ERROR: The command \"$IP6TABLES -N $chain1\" failed" >&2 exit 1 fi - if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then + if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2 exit 1 fi - qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IP6TABLES -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes if [ -n "$CONNTRACK_MATCH" ]; then - qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes - qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes + qt $IP6TABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes + qt $IP6TABLES -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes fi - if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then + if qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then MULTIPORT=Yes - qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes + qt $IP6TABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes fi - qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes - qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes + qt $IP6TABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes - if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then + if qt $IP6TABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then PHYSDEV_MATCH=Yes - qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes + qt $IP6TABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes if [ -z "${KLUDGEFREE}" ]; then - qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes + qt $IP6TABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes fi fi - if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then + if qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then IPRANGE_MATCH=Yes if [ -z "${KLUDGEFREE}" ]; then - qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes + qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes fi fi - qt $IPTABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes - qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes + qt $IP6TABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IP6TABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes - if qt $IPTABLES -A $chain -m connmark --mark 2 -j ACCEPT; then + if qt $IP6TABLES -A $chain -m connmark --mark 2 -j ACCEPT; then CONNMARK_MATCH=Yes - qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes + qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes fi - qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes - qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes - qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes + qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes + qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes + qt $IP6TABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes - qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes + qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes if [ -n "$MANGLE_ENABLED" ]; then - qt $IPTABLES -t mangle -N $chain + qt $IP6TABLES -t mangle -N $chain - if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then + if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then MARK=Yes - qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes + qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes fi - if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then + if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then CONNMARK=Yes - qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes + qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes fi - qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes - qt $IPTABLES -t mangle -F $chain - qt $IPTABLES -t mangle -X $chain - qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes + qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes + qt $IP6TABLES -t mangle -F $chain + qt $IP6TABLES -t mangle -X $chain + qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes fi - qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time if qt ipset -N $chain iphash ; then - if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then - qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT + if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then + qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT IPSET_MATCH=Yes fi qt ipset -X $chain fi fi - qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes - qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes - qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes - qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes - qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes - qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes - qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes - qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes - qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes - qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes + qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes + qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes + qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes + qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes + qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes + qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes + qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes + qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes + qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes - qt $IPTABLES -F $chain - qt $IPTABLES -X $chain - qt $IPTABLES -F $chain1 - qt $IPTABLES -X $chain1 + qt $IP6TABLES -F $chain + qt $IP6TABLES -X $chain + qt $IP6TABLES -F $chain1 + qt $IP6TABLES -X $chain1 CAPVERSION=$SHOREWALL_CAPVERSION } @@ -1220,8 +873,7 @@ report_capabilities() { } if [ $VERBOSE -gt 1 ]; then - echo "Shorewall has detected the following iptables/netfilter capabilities:" - report_capability "NAT" $NAT_ENABLED + echo "Shorewall6 has detected the following ip6tables/netfilter capabilities:" report_capability "Packet Mangling" $MANGLE_ENABLED report_capability "Multi-port Match" $MULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT @@ -1274,9 +926,8 @@ report_capabilities1() { } echo "#" - echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" + echo "# Shorewall6 $VERSION detected the following ip6tables/netfilter capabilities - $(date)" echo "#" - report_capability1 NAT_ENABLED report_capability1 MANGLE_ENABLED report_capability1 MULTIPORT report_capability1 XMULTIPORT @@ -1318,81 +969,6 @@ report_capabilities1() { echo CAPVERSION=$SHOREWALL_CAPVERSION } -# -# Delete IP address -# -del_ip_addr() # $1 = address, $2 = interface -{ - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 -} - -# Add IP Aliases -# -add_ip_aliases() # $* = List of addresses -{ - local addresses - local external - local interface - local inet - local cidr - local rest - local val1 - local arping - arping=$(mywhich arping) - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - - ip addr add ${external}${val} dev $interface $label - [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external - echo "$external $interface" >> $VARDIR/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - progress_message "Adding IP Addresses..." - - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift 2 - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - detect_gateway() # $1 = interface { local interface @@ -1400,11 +976,11 @@ detect_gateway() # $1 = interface # # First assume that this is some sort of point-to-point interface # - gateway=$( find_peer $(ip addr list $interface ) ) + gateway=$( find_peer $(ip -6 addr list $interface ) ) # # Maybe there's a default route through this gateway already # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface)) + [ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface)) # # Last hope -- is there a load-balancing route through the interface? # @@ -1415,28 +991,6 @@ detect_gateway() # $1 = interface [ -n "$gateway" ] && echo $gateway } -# -# Disable IPV6 -# -disable_ipv6() { - local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt mywhich ip6tables; then - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - ip6tables -F - ip6tables -X - ip6tables -A OUTPUT -o lo -j ACCEPT - ip6tables -A INPUT -i lo -j ACCEPT - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and # dash do not support that form of expansion. @@ -1447,94 +1001,6 @@ truncate() # $1 = length cut -b -${1} } -# -# Add a logging rule. -# -do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local displayChain - displayChain=$3 - local disposition - disposition=$4 - local rulenum - rulenum= - local limit - limit= - local tag - tag= - local command - command= - local prefix - local base - base=$(chain_base $displayChain) - local pf - - limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. - tag=${6:+$6 } - command=${7:--A} - - shift 7 - - if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then - displayChain=$tag - tag= - fi - - if [ -n "$LOGRULENUMBERS" ]; then - # - # Hack for broken printf on some lightweight shells - # - [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) - - eval rulenum=\$${base}_logrules - - rulenum=${rulenum:-1} - - prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" - - rulenum=$(($rulenum + 1)) - eval ${base}_logrules=$rulenum - else - prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" - fi - - if [ ${#prefix} -gt 29 ]; then - prefix="`echo "$prefix" | truncate 28` " - error_message "WARNING: Log Prefix shortened to \"$prefix\"" - fi - - case $level in - ULOG) - $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" - ;; - *) - $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$STOPPING" ] && { stop_firewall; exit 2; } - fi -} - -do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local disposition - disposition=$3 - - shift 3 - - do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ -} - delete_tc1() { clear_one_tc() { @@ -1609,7 +1075,7 @@ undo_routing() { # if [ -f ${VARDIR}/undo_routing ]; then . ${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" + progress_message "Shorewall6-generated routing tables and routing rules removed" rm -f ${VARDIR}/undo_routing fi fi @@ -1631,11 +1097,11 @@ restore_default_route() { # # Don't restore a route with a metric -- we only replace the one with metric == 0 # - qt ip route delete default metric 0 && \ + qt ip -6 route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) - qt ip route replace $default_route && \ + qt ip -6 route replace $default_route && \ progress_message "Default Route (${default_route# }) restored" ;; esac diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index a09c40f5f..de5adcebe 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -1,10 +1,10 @@ #!/bin/sh # -# Shorewall 4.2 -- /usr/share/shorewall/lib.cli. +# Shorewall6 4.4 -- /usr/share/shorewall6/lib.cli. # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -21,8 +21,8 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# This library contains the command processing code common to /sbin/shorewall and -# /sbin/shorewall-lite. +# This library contains the command processing code common to /sbin/shorewall6 and +# /sbin/shorewall6-lite. # # @@ -64,25 +64,6 @@ showchain() # $1 = name of chain fi } -# -# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). -# - -iptablesbug() -{ - if qt mywhich awk ; then - awk 'BEGIN { sline=""; };\ - /^-j/ { print sline $0; next };\ - /-m policy.*-j/ { print $0; next };\ - /-m policy/ { sline=$0; next };\ - /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ - { print ; sline="" }' - else - echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 - cat - fi -} - # # Validate the value of RESTOREFILE # @@ -216,7 +197,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that { host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') + oldrejects=$($IP6TABLES -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then timeout=$((- $1)) @@ -238,7 +219,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$($IPTABLES -L -v -n | grep 'LOG') + rejects=$($IP6TABLES -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" @@ -270,11 +251,11 @@ save_config() { local result result=1 - iptables_save=${IPTABLES}-save + iptables_save=${IP6TABLES}-save - [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 + [ -x $iptables_save ] || echo "$ip6tables-save does not exist or is not executable" >&2 - if shorewall_is_started ; then + if shorewall66_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then @@ -295,45 +276,6 @@ save_config() { mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" - - rm -f ${RESTOREPATH}-ipsets - - case ${SAVE_IPSETS:-No} in - [Yy][Ee][Ss]) - RESTOREPATH=${RESTOREPATH}-ipsets - - f=${VARDIR}/restore-$$ - - echo "#!/bin/sh" > $f - echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f - echo >> $f - echo ". ${SHAREDIR}/lib.base" >> $f - echo >> $f - cat ${VARDIR}/.modulesdir >> $f - echo >> $f - echo "reload_kernel_modules << __EOF__" >> $f - grep 'loadmodule ip_set' ${VARDIR}/.modules >> $f - echo "__EOF__" >> $f - echo >> $f - echo "ipset -U :all: :all:" >> $f - echo "ipset -U :all: :default:" >> $f - echo "ipset -F" >> $f - echo "ipset -X" >> $f - echo "ipset -R << __EOF__" >> $f - ipset -S >> $f - echo "__EOF__" >> $f - mv -f $f $RESTOREPATH - chmod +x $RESTOREPATH - echo " Current Ipset Contents Saved to $RESTOREPATH" - result=0 - ;; - [Nn][Oo]) - ;; - *) - echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" >&2 - ;; - esac - run_user_exit save else rm -f ${VARDIR}/restore-$$ @@ -349,7 +291,7 @@ save_config() { esac fi else - echo "Shorewall isn't started" >&2 + echo "Shorewall6 isn't started" >&2 fi return 0 @@ -360,18 +302,18 @@ save_config() { # Show routing configuration # show_routing() { - if [ -n "$(ip rule list)" ]; then + if [ -n "$(ip -6 rule list)" ]; then heading "Routing Rules" - ip rule list - ip rule list | while read rule; do + ip -6 rule list + ip -6 rule list | while read rule; do echo ${rule##* } done | sort -u | while read table; do heading "Table $table:" - ip route list table $table + ip -6 route list table $table done else heading "Routing Table" - ip route list + ip -6 route list fi } @@ -464,19 +406,13 @@ show_command() { echo [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack ;; - nat) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS ;; tos|mangle) [ $# -gt 1 ] && usage 1 echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)" echo show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS + $IP6TABLES -t mangle -L $IPT_OPTIONS ;; log) [ $# -gt 1 ] && usage 1 @@ -536,7 +472,7 @@ show_command() { [ $# -gt 1 ] && usage 1 echo "$PRODUCT $version IP at $HOSTNAME - $(date)" echo - ip -4 addr list + ip -6 addr list ;; routing) [ $# -gt 1 ] && usage 1 @@ -556,33 +492,24 @@ show_command() { show_reset if [ $# -gt 0 ]; then for chain in $*; do - $IPTABLES -t $table -L $chain $IPT_OPTIONS + $IP6TABLES -t $table -L $chain $IPT_OPTIONS done else - $IPTABLES -t $table -L $IPT_OPTIONS + $IP6TABLES -t $table -L $IPT_OPTIONS fi ;; vardir) echo $VARDIR; ;; *) - if [ "$PRODUCT" = Shorewall ]; then + if [ "$PRODUCT" = Shorewall6 ]; then case $1 in actions) [ $# -gt 1 ] && usage 1 - echo "allowBcast # Silently Allow Broadcast/multicast" echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" - echo "dropBcast # Silently Drop Broadcast/multicast" echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "drop1918src # Drop packets with an RFC 1918 source address (Shorewall-perl only)" - echo "drop1918dst # Drop packets with an RFC 1918 original dest address (Shorewall-perl only)" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" echo "rejNotSyn # Silently Reject Non-syn TCP packets" - echo "rej1918src # Reject packets with an RFC 1918 source address (Shorewall-perl only)" - echo "rej1918dst # Reject packets with an RFC 1918 original dest address (Shorewall-perl only)" if [ -f ${CONFDIR}/actions ]; then cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' @@ -620,8 +547,8 @@ show_command() { if [ $# -gt 0 ]; then [ -n "$table_given" ] || for chain in $*; do - if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then - echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2 + if ! qt $IP6TABLES -t $table -L $chain $IPT_OPTIONS; then + echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|routing|tc|zones} ] " >&2 exit 1 fi done @@ -630,13 +557,13 @@ show_command() { echo show_reset for chain in $*; do - $IPTABLES -t $table -L $chain $IPT_OPTIONS + $IP6TABLES -t $table -L $chain $IPT_OPTIONS done else echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)" echo show_reset - $IPTABLES -t $table -L $IPT_OPTIONS + $IP6TABLES -t $table -L $IPT_OPTIONS fi ;; esac @@ -689,35 +616,32 @@ dump_command() { clear_term echo "$PRODUCT $version Dump at $HOSTNAME - $(date)" echo - if [ -f /usr/share/shorewall-shell/version ]; then - echo " Shorewall-shell $(cat /usr/share/shorewall-shell/version)" - if [ -f /usr/share/shorewall-perl/version ]; then - echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" + if [ -f /usr/share/shorewall6-shell/version ]; then + echo " Shorewall6-shell $(cat /usr/share/shorewall6-shell/version)" + if [ -f /usr/share/shorewall6-perl/version ]; then + echo " Shorewall6-perl $(cat /usr/share/shorewall6-perl/version)" fi echo - elif [ -f /usr/share/shorewall-perl/version ]; then - echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" + elif [ -f /usr/share/shorewall6-perl/version ]; then + echo " Shorewall6-perl $(cat /usr/share/shorewall6-perl/version)" echo fi show_reset host=$(echo $HOSTNAME | sed 's/\..*$//') - $IPTABLES -L $IPT_OPTIONS + $IP6TABLES -L $IPT_OPTIONS heading "Log ($LOGFILE)" packet_log 20 - heading "NAT Table" - $IPTABLES -t nat -L $IPT_OPTIONS - heading "Mangle Table" - $IPTABLES -t mangle -L $IPT_OPTIONS + $IP6TABLES -t mangle -L $IPT_OPTIONS heading "Conntrack Table" [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack heading "IP Configuration" - ip -4 addr list + ip -6 addr list heading "IP Stats" ip -stat link list @@ -736,11 +660,9 @@ dump_command() { heading "/proc" show_proc /proc/version - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do + for directory in /proc/sys/net/ipv6/conf/*; do + for file in proxy_ra proxy_ndp; do show_proc $directory/$file done done @@ -752,7 +674,7 @@ dump_command() { if qt mywhich lsmod; then heading "Modules" - lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort + lsmod | grep -E '^(ip_|ipt_|ip6table_|nf_|xt_)' | sort fi determine_capabilities @@ -837,7 +759,7 @@ restore_command() { $SHOREWALL_SHELL ${RESTOREPATH}-ipsets fi - progress_message3 "Restoring Shorewall..." + progress_message3 "Restoring Shorewall6..." $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE" @@ -939,18 +861,18 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses while [ $# -gt 0 ]; do case $1 in *-*) - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop - $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop + $IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 ;; *) - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - qt $IPTABLES -D dynamic -s $1 -j logreject - qt $IPTABLES -D dynamic -s $1 -j logdrop - $IPTABLES -A dynamic -s $1 -j $chain || break 1 + qt $IP6TABLES -D dynamic -s $1 -j reject + qt $IP6TABLES -D dynamic -s $1 -j DROP + qt $IP6TABLES -D dynamic -s $1 -j logreject + qt $IP6TABLES -D dynamic -s $1 -j logdrop + $IP6TABLES -A dynamic -s $1 -j $chain || break 1 ;; esac @@ -1054,16 +976,16 @@ hits_command() { allow_command() { [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if shorewall6_is_started ; then [ -n "$nolock" ] || mutex_on while [ $# -gt 1 ]; do shift case $1 in *-*) - if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject + if qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject ||\ + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ + qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject then echo "$1 Allowed" else @@ -1071,10 +993,10 @@ allow_command() { fi ;; *) - if qt $IPTABLES -D dynamic -s $1 -j reject ||\ - qt $IPTABLES -D dynamic -s $1 -j DROP ||\ - qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ - qt $IPTABLES -D dynamic -s $1 -j logreject + if qt $IP6TABLES -D dynamic -s $1 -j reject ||\ + qt $IP6TABLES -D dynamic -s $1 -j DROP ||\ + qt $IP6TABLES -D dynamic -s $1 -j logdrop ||\ + qt $IP6TABLES -D dynamic -s $1 -j logreject then echo "$1 Allowed" else diff --git a/Shorewall6/lib.config b/Shorewall6/lib.config deleted file mode 100644 index 27608981e..000000000 --- a/Shorewall6/lib.config +++ /dev/null @@ -1,2296 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.config -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the configuration file parsing code common to -# /usr/share/shorewall/compiler and /usr/share/shorewall/firewall -# - -SHOREWALL_CONFIGVERSION=40000 - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - list="$@" - local part - local newlist - local firstpart - local lastpart - local enclosure - - case "$list" in - *,|,*|*,,*|*[[:space:]]*) - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'TERMINATOR' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - [ -n "$TERMINATOR" ] && \ - $TERMINATOR "Invalid comma-separated list \"$@\"" - echo "WARNING -- invalid comma-separated list \"$@\"" >&2 - ;; - *\[*\]*) - # - # Where we need to embed comma-separated lists within lists, we enclose them - # within square brackets. - # - firstpart=${list%%\[*} - lastpart=${list#*\[} - enclosure=${lastpart%%\]*} - lastpart=${lastpart#*\]} - case $lastpart in - \,*) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" - ;; - esac - ;; - *) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" - ;; - esac - ;; - esac - return - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Return a space separated list of values matching -# -list_walk() # $1 = element to search for, $2-$n = list -{ - local e - e=$1 - local result - result= - - while [ $# -gt 1 ]; do - shift - case $1 in - $e*) - result="$result ${1##$e}" - ;; - esac - done - echo $result -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Filter that expands variables -# -expand_line() { - local line - - while read line; do - echo $(expand $line) - done -} - -# -# Add whitespace after leading "!" -# -fix_bang() -{ - local result - result= - - while [ $# -gt 0 ]; do - case $1 in - !*) - result="$result ! ${1#!}" - ;; - *) - result="$result $1" - ;; - esac - shift - done - - echo $result -} - -# -# Read the zones file and find the firewall zone -# -get_firewall_zone() { - local zone - local type - local rest - local comment - comment='#*' - local f - f=$(find_file zones) - - [ -f $f ] || startup_error "Unable to find zones file" - - while read zone type rest; do - case $zone in - $comment) - ;; - *) - if [ "x$type" = xfirewall ]; then - FW=$zone - return - fi - ;; - esac - done < $f - - startup_error "No firewall zone defined in $f" -} - -# -# This function assumes that the TMP_DIR variable is set and that -# its value names an existing directory. -# -determine_zones() -{ - local zone - local parent - local parents - local rest - local new_zone_file - new_zone_file= - local r - - merge_zone() - { - local z - local zones - zones="$ZONES" - local merged - merged= - - if [ -n "$parents" ]; then - ZONES= - for z in $zones; do - if [ -z "$merged" ] && list_search $z $parents; then - ZONES="$ZONES $zone" - merged=Yes - fi - ZONES="$ZONES $z" - done - else - ZONES="$ZONES $zone" - fi - } - - ZONES= - IPV4_ZONES= - IPSEC_ZONES= - - [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" - - while read zone type rest; do - case $zone in - *:*) - parents=${zone#*:} - zone=${zone%:*} - [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents" - parents=$(separate_list $parents) - eval ${zone}_parents=\"$parents\" - ;; - *) - parents= - eval ${zone}_parents= - ;; - esac - - for parent in $parents; do - [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" - list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" - done - - [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" - - case "$zone" in - [0-9*]) - startup_error "Illegal zone name \"$zone\" in zones file" - ;; - all|none|SOURCE|DEST) - startup_error "Reserved zone name \"$zone\" in zones file" - ;; - esac - - if [ -n "$new_zone_file" ]; then - case ${type:=ipv4} in - ipv4|IPv4|IPV4|plain|-) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - IPV4_ZONES="$IPV4_ZONES $zone" - ;; - ipsec|IPSEC|ipsec4|IPSEC4) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - merge_zone - IPSEC_ZONES="$IPSEC_ZONES $zone" - ;; - firewall) - [ -n "$FW" ] && startup_error "Only one firewall zone may be defined" - list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" - [ -n "$parents" ] && startup_error "The firewall zone may not be nested" - for r in $rest; do - [ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone" - done - FW=$zone - ;; - bport|bport4) - [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type" - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - BRIDGING=Yes - ;; - *) - startup_error "Invalid Zone Type: $type" - ;; - esac - - eval ${zone}_type=$type - else - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - ZONES="$ZONES $zone" - IPV4_ZONES="$IPV4_ZONES $zone" - eval ${zone}_type=ipv4 - fi - done < $TMP_DIR/zones - - [ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined" - - [ -z "$FW" ] && startup_error "No Firewall Zone Defined" -} - -# -# Validate the zone names and options in the interfaces file -# -validate_interfaces_file() { - local wildcard - local found_obsolete_option - found_obsolete_option= - local z - local interface - local networks - local options - local r - local iface - local option - - while read z interface networks options; do - r="$z $interface $networks $options" - - [ "x$z" = "x-" ] && z= - - if [ -n "$z" ]; then - validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - fi - - list_search $interface $ALL_INTERFACES && \ - startup_error "Duplicate Interface $interface" - - wildcard= - - case $interface in - *:*) - if [ "$PROGRAM" != compiler ]; then - # - # Assume that this is 4.0 syntax for a bridge - # - local bridge - bridge=${interface%:*} - list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge" - interface=${interface#*:} - else - startup_error "Invalid Interface Name: $interface" - fi - ;; - +) - startup_error "Invalid Interface Name: +" - ;; - *+) - wildcard=Yes - ;; - esac - - ALL_INTERFACES="$ALL_INTERFACES $interface" - options=$(separate_list $options) - iface=$(chain_base $interface) - - eval ${iface}_broadcast="$networks" - eval ${iface}_zone="$z" - eval ${iface}_options=\"$options\" - - for option in $options; do - case $option in - -) - ;; - dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-) - ;; - proxyarp) - [ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface" - ;; - maclist) - [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" - ;; - norfc1918) - if [ "$PROGRAM" != compiler ]; then - addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) - if [ -n "$addr" ]; then - addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//') - for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do - if in_network $addr $network; then - startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface" - fi - done - fi - fi - ;; - arp_ignore=*) - eval ${iface}_arp_ignore=${option#*=} - ;; - arp_ignore) - eval ${iface}_arp_ignore=1 - ;; - detectnets) - [ -n "$wildcard" ] && \ - startup_error "The \"detectnets\" option may not be used with a wild-card interface" - [ -n "$EXPORT" ] && \ - startup_error "'detectnets' not permitted with the -e run-line option" - ;; - routeback) - [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" - ;; - *) - [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done < $TMP_DIR/interfaces - - [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" -} - -# -# Process the ipsec information in the zones file -# -setup_ipsec() { - local zone - local using_ipsec - using_ipsec= - # - # Add a --set-mss rule to the passed chain - # - set_mss1() # $1 = chain, $2 = MSS - { - local policy - eval policy=\$${1}_policy - - if [ "$policy" != NONE ]; then - ensurechain $1 - local match - match= - [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: " - run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2 - fi - } - # - # Set up rules to set MSS to and/or from zone "$zone" - # - set_mss() # $1 = MSS value, $2 = _in, _out or "" - { - for z in $ZONES $FW; do - case $2 in - _in) - set_mss1 ${zone}2${z} $1 - ;; - _out) - set_mss1 ${z}2${zone} $1 - ;; - *) - set_mss1 ${z}2${zone} $1 - set_mss1 ${zone}2${z} $1 - ;; - esac - done - } - - do_options() # $1 = _in, _out or "" - $2 = option list - { - local option - local newoptions - newoptions= - local val - - [ x${2} = x- ] && return - - for option in $(separate_list $2); do - val=${option#*=} - - case $option in - mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;; - strict) newoptions="$newoptions --strict" ;; - next) newoptions="$newoptions --next" ;; - reqid=*) newoptions="$newoptions --reqid $val" ;; - spi=*) newoptions="$newoptions --spi $val" ;; - proto=*) newoptions="$newoptions --proto $val" ;; - mode=*) newoptions="$newoptions --mode $val" ;; - tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; - tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; - reqid!=*) newoptions="$newoptions ! --reqid $val" ;; - spi!=*) newoptions="$newoptions ! --spi $val" ;; - proto!=*) newoptions="$newoptions ! --proto $val" ;; - mode!=*) newoptions="$newoptions ! --mode $val" ;; - tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; - tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; - *) fatal_error "Invalid option \"$option\" for zone $zone" ;; - esac - done - - if [ -n "$newoptions" ]; then - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_complex=Yes - eval ${zone}_ipsec${1}_options=\"${newoptions# }\" - fi - } - - case $IPSECFILE in - zones) - f=zones - progress_message "$DOING IPSEC..." - [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." - ;; - ipsec) - using_ipsec=Yes - if [ -s ${TMP_DIR}/ipsec ]; then - progress_message "$DOING ipsec..." - [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." - f=ipsec - else - return - fi - ;; - esac - - while read zone type options in_options out_options mss; do - if [ -n "$using_ipsec" ]; then - validate_zone1 $zone || fatal_error "Unknown zone: $zone" - fi - - if [ -n "$type" ]; then - if [ -n "$using_ipsec" ]; then - case $type in - No|no) - ;; - Yes|yes) - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - eval ${zone}_type=ipsec4 - ;; - *) - fatal_error "Invalid IPSEC column contents" - ;; - esac - fi - - do_options "" $options - do_options "_in" $in_options - do_options "_out" $out_options - fi - - done < $TMP_DIR/$f -} - -# -# Validate the zone names and options in the hosts file -# -validate_hosts_file() { - local z - local hosts - local options - local r - local interface - local host - local option - local zports - local ipsec - ipsec= - - check_bridge_port() - { - list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" - list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1" - } - - while read z hosts options; do - r="$z $hosts $options" - validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - - case $hosts in - *:*) - - interface=${hosts%%:*} - iface=$(chain_base $interface) - - list_search $interface $ALL_INTERFACES || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - - hosts=${hosts#*:} - ;; - *) - startup_error "Invalid HOST(S) column contents: $hosts" - ;; - esac - - eval zports=\$${z}_ports - - if [ -z "$BRIDGING" ]; then - case $hosts in - *!*!*) - startup_error "Invalid hosts file entry: \"$r\"" - ;; - !*) - hosts=0.0.0.0/0 - eval ${z}_is_complex=Yes - ;; - *!*) - hosts=${hosts%%!*} - eval ${z}_is_complex=Yes - ;; - esac - fi - - for host in $(separate_list $hosts); do - if [ -n "$BRIDGING" ]; then - case $host in - *:*) - known_interface ${host%:*} && \ - startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" - check_bridge_port ${host%%:*} - ;; - *.*.*) - ;; - *+|+*|*!*) - eval ${z}_is_complex=Yes - ;; - *) - known_interface $host && \ - startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" - check_bridge_port $host - ;; - esac - else - case $host in - *.*.*) - ;; - +*) - eval ${z}_is_complex=Yes - ;; - *) - startup_error "BRIDGING=Yes is needed for this zone definition: $r" - ;; - esac - fi - - for option in $(separate_list $options) ; do - case $option in - norfc1918|blacklist|tcpflags|nosmurfs|-) - ;; - maclist) - [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" - ;; - ipsec) - [ -n "$POLICY_MATCH" ] || \ - startup_error "Your kernel and/or iptables does not support policy match: ipsec" - eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" - eval ${z}_is_complex=Yes - ipsec=Yes - ;; - routeback) - eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" - ;; - *) - error_message "WARNING: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done - - [ -n "$zports" ] && eval ${z}_ports=\"$zports\" - - done < $TMP_DIR/hosts - - [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS" - - [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH= -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne - zne=$1 - local z - local interface - - for interface in $ALL_INTERFACES; do - eval z=\$$(chain_base $interface)_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo $(chain_base $1)_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo $(chain_base $1)_in -} - -# -# Output Chain for an interface -# -output_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo $(chain_base $1)_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo $(chain_base $1)_mac -} - -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - -# -# Functions for creating dynamic zone rules -# -dynamic_fwd() # $1 = interface -{ - echo $(chain_base $1)_dynf -} - -dynamic_in() # $1 = interface -{ - echo $(chain_base $1)_dyni -} - -dynamic_out() # $1 = interface -{ - echo $(chain_base $1)_dyno -} - -dynamic_chains() #$1 = interface -{ - local c - c=$(chain_base $1) - - echo ${c}_dyni ${c}_dynf ${c}_dyno -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to an interface -# -snat_chain() # $1 = interface -{ - echo $(chain_base $1)_snat -} - -# -# ECN Chain to an interface -# -ecn_chain() # $1 = interface -{ - echo $(chain_base $1)_ecn -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c - c=$(chain_base $1) - - echo ${c}_fwd ${c}_in -} - -# -# Out Chain to an interface -# -out_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Horrible hack to work around an iptables limitation -# -iprange_echo() -{ - if [ -n "$KLUDGEFREE" ]; then - echo "-m iprange $@" - elif [ -f $TMP_DIR/iprange ]; then - echo $@ - else - echo "-m iprange $@" - > $TMP_DIR/iprange - fi -} - -# -# Get set flags (ipsets). -# -get_set_flags() # $1 = set name and optional [levels], $2 = src or dst -{ - local temp - local setname - setname=$1 - local options - options=$2 - - [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" - - case $1 in - *\[[1-6]\]) - temp=${1#*\[} - temp=${temp%\]} - setname=${1%\[*} - while [ $temp -gt 1 ]; do - options="$options,$2" - temp=$(($temp - 1)) - done - ;; - *\[*\]) - options=${1#*\[} - options=${options%\]} - setname=${1%\[*} - ;; - *) - ;; - esac - - echo "--set ${setname#+} $options" -} - -# -# Horrible hack to work around an iptables limitation -# -physdev_echo() -{ - if [ -n "$KLUDGEFREE" ]; then - echo -m physdev $@ - elif [ -f $TMP_DIR/physdev ]; then - echo $@ - else - echo -m physdev $@ - > $TMP_DIR/physdev - fi -} - -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --src-range ${1#!}" - ;; - *) - iprange_echo "--src-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} src)" - ;; - +*) - echo "-m set $(get_set_flags $1 src)" - ;; - *) - echo "-s $1" - ;; - esac -} - -# -# Destination IP range -# -dest_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --dst-range ${1#!}" - ;; - *) - iprange_echo "--dst-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} dst)" - ;; - +*) - echo "-m set $(get_set_flags $1 dst)" - ;; - *) - echo "-d $1" - ;; - esac -} - -both_ip_ranges() # $1 = Source address or range, $2 = dest address or range -{ - local rangeprefix - rangeprefix= - local setprefix - setprefix= - local rangematch - rangematch= - local setmatch - setmatch= - - case $1 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="--src-range $1" - ;; - !+*) - setprefix="-m set" - setmatch="! $(get_set_flags ${1#!} src)" - ;; - +*) - setprefix="-m set" - setmatch="$(get_set_flags $1 src)" - ;; - *) - rangematch="-s $1" - ;; - esac - - case $2 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="$rangematch --dst-range $2" - ;; - !+*) - setprefix="-m set" - match="$setmatch ! $(get_set_flags ${2#!} dst)" - ;; - +*) - setprefix="-m set" - setmatch="$setmatch $(get_set_flags $2 dst)" - ;; - *) - rangematch="$rangematch -d $2" - ;; - esac - - echo "$rangeprefix $rangematch $setprefix $setmatch" -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern - pattern=${1%+} - - case $1 in - *+) - test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# We allow hosts to be specified by IP address or by physdev. These two functions -# are used to produce the proper match in a netfilter rule. -# -match_source_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(source_ip_range $1) - ;; - *) - physdev_echo "--physdev-in $1" - ;; - esac - else - echo $(source_ip_range $1) - fi -} - -match_dest_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(dest_ip_range $1) - ;; - *) - physdev_echo "--physdev-out $1" - ;; - esac - else - echo $(dest_ip_range $1) - fi -} -# -# Matches for either or :
-# -match_source() -{ - case "$1" in - *:*) - echo "-i ${1%%:*} $(match_source_hosts ${1#*:})" - ;; - *) - echo $(dest_ip_range $1) - ;; - esac -} - -match_dest() -{ - case "$1" in - *:*) - echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})" - ;; - *) - echo $(dest_ip_range $1) - ;; - esac -} - -# -# Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in ${CONFDIR}/interfaces then a normal interface match is -# generated (-i or -o); otherwise, a physdev match is generated. -#------------------------------------------------------------------------------------- -# -# loosely match the passed interface with those in ${CONFDIR}/interfaces. -# -known_interface() # $1 = interface name -{ - local iface - - for iface in $ALL_INTERFACES ; do - if if_match $iface $1 ; then - return 0 - fi - done - - return 1 -} - -known_port() # $1 = port name -{ - local port - - for port in $ALL_PORTS ; do - if if_match $port $1 ; then - return 0 - fi - done - - return 1 -} - -match_source_dev() -{ - if [ -n "$BRIDGING" ]; then - known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1 - elif known_interface $1; then - echo -i $1 - elif [ -n "$PHYSDEV_MATCH" ]; then - physdev_echo "--physdev-in $1" - else - echo -i $1 - fi -} - -match_dest_dev() -{ - if [ -n "$BRIDGING" ]; then - known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1 - elif known_interface $1; then - echo -o $1 - elif [ -n "$PHYSDEV_MATCH" ]; then - physdev_echo "--physdev-out $1" - else - echo -o $1 - fi -} - -verify_interface() -{ - known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } -} - -# -# Determine if communication to/from a host is encrypted using IPSEC -# -is_ipsec_host() # $1 = zone, $2 = host -{ - local is_ipsec - eval is_ipsec=\$${1}_is_ipsec - local hosts - eval hosts=\"\$${1}_ipsec_hosts\" - - test -n "$is_ipsec" || list_search $2 $hosts -} - -# -# Generate a match for decrypted packets -# -match_ipsec_in() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - local options - eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" - echo "-m policy --pol ipsec --dir in $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir in" - fi -} - -# -# Generate a match for packets that will be encrypted -# -match_ipsec_out() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - local options - eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" - echo "-m policy --pol ipsec --dir out $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir out" - fi -} - -# -# Jacket for ip_range() that takes care of iprange match -# - -firewall_ip_range() # $1 = IP address or range -{ - [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts - local interface - local address - local addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - interface=${hosts%%:*} - addresses=${hosts#*:} - case $addresses in - !*) - echo $interface:0.0.0.0/0 - ;; - *) - for address in $(separate_list ${addresses%%!*}); do - echo $interface:$address - done - ;; - esac - fi - done < $TMP_DIR/hosts -} - -# -# -# Find exclusions in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo any exclusions -# -find_exclusions() # $1 = host zone -{ - local hosts - local interface - local address - local addresses - - while read z hosts options; do - if [ "x$z" = "x$1" ]; then - interface=${hosts%%:*} - addresses=${hosts#*:} - case $addresses in - *!*) - for address in $(separate_list ${addresses#*!}); do - echo $interface:$address - done - ;; - esac - fi - done < $TMP_DIR/hosts -} - -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $ZONES; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Determine the defined hosts in each zone -# -determine_hosts() { - for zone in $ZONES; do - hosts=$(find_hosts $zone) - hosts=$(echo $hosts) # Remove extra trash - exclusions=$(find_exclusions $zone) - exclusions=$(echo $exclusions) # Remove extra trash - - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if interface_has_option $interface detectnets; then - networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" ) - else - networks=0.0.0.0/0 - fi - - for network in $networks; do - if [ -z "$hosts" ]; then - hosts=$interface:$network - else - hosts="$hosts $interface:$network" - fi - - if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" - fi - done - done - - interfaces= - - for host in $hosts; do - interface=${host%:*} - if list_search $interface $interfaces; then - list_search $interface:0.0.0.0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - list_search $interface:0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - eval ${zone}_is_complex=Yes - else - if [ -z "$interfaces" ]; then - interfaces=$interface - else - interfaces="$interfaces $interface" - fi - fi - done - - eval ${zone}_exclusions="\$exclusions" - eval ${zone}_interfaces="\$interfaces" - eval ${zone}_hosts="\$hosts" - - if [ -n "$hosts" ]; then - if [ $VERBOSE -ge 1 ]; then - [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts - fi - else - error_message "WARNING: Zone $zone is empty" - fi - done -} - -# -# Ensure that the passed zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $ZONES $FW -} -# -# Ensure that the passed zone is defined in the zones file. -# -validate_zone1() # $1 = zone -{ - list_search $1 $ZONES -} - -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" -} - -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && echo $interface - done -} - -# -# This slightly slower version is used to find both the option and option followed -# by equal sign ("=") and a value -# -find_interfaces_by_option1() # $1 = option -{ - local options - local option - - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - for option in $options; do - if [ "${option%=*}" = "$1" ]; then - echo $interface - break - fi - done - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - local ignore - local hosts - local interface - local address - local addresses - local options - local ipsec - ipsec= - local list - - while read ignore hosts options; do - list=$(separate_list $options) - if list_search $1 $list; then - list_search ipsec $list && ipsec=ipsec || ipsec=none - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo ${ipsec}^$interface:$address - done - fi - done < $TMP_DIR/hosts - - for interface in $ALL_INTERFACES; do - interface_has_option $interface $1 && \ - echo none^${interface}:0.0.0.0/0 - done -} - -# -# Process the routestopped file either adding or deleting rules -# -process_routestopped() # $1 = command -{ - local hosts - hosts= - local interface - local host - local host1 - local options - local networks - local source - source= - local dest - dest= - local matched - - while read interface host options; do - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 - for h in $(separate_list $host); do - hosts="$hosts $interface:$h" - done - - routeback= - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback) - if [ -n "$routeback" ]; then - error_message "WARNING: Duplicate routestopped option ignored: routeback" - else - routeback=Yes - for h in $(separate_list $host); do - run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT - done - fi - ;; - source) - for h in $(separate_list $host); do - source="$source $interface:$h" - done - ;; - dest) - for h in $(separate_list $host); do - dest="$dest $interface:$h" - done - ;; - critical) - ;; - *) - error_message "WARNING: Unknown routestopped option ignored: $option" - ;; - esac - done - fi - - done < $TMP_DIR/routestopped - - - for host in $hosts; do - interface=${host%:*} - networks=${host#*:} - source_range=$(source_ip_range $networks) - dest_range=$(dest_ip_range $networks) - run_iptables $1 INPUT -i $interface $source_range -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT - - matched= - - if list_search $host $source ; then - run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT - matched=Yes - fi - - if list_search $host $dest ; then - run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT - matched=Yes - fi - - if [ -z "$matched" ]; then - for host1 in $hosts; do - [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT - done - fi - done -} - -process_criticalhosts() -{ - local hosts - hosts= - local interface - local host - local h - local options - local networks - local criticalhosts - criticalhosts= - - while read interface host options; do - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback|source|dest) - ;; - critical) - for h in $host; do - criticalhosts="$criticalhosts $interface:$h" - done - ;; - *) - error_message "WARNING: Unknown routestopped option ignored: $option" - ;; - esac - done - fi - done < $TMP_DIR/routestopped - - if [ -n "$criticalhosts" ]; then - CRITICALHOSTS=$criticalhosts - progress_message "Critical Hosts are:$CRITICALHOSTS" - fi - -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - qt rm -rf /tmp/shorewall-$$ - mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - error_message "ERROR:Internal error in mktempdir" - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first - local rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1" - echo "WARNING -- No such file: $1" - fi -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - if [ ! -f $TMP_DIR/$1 ]; then - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi - fi -} - -# -# Strip the passed file. -# -# Return success if -# a) the stripped file is non-empty and the library was successfully loaded; or -# b) the stripped file is empty but the library had been loaded previously -# -strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty -{ - local f - f=$(find_file $1) - - strip_file $1 $f - - if [ -s $TMP_DIR/$1 ]; then - lib_load $2 "A non-empty $1 file ($f)" - return 0 - fi - - eval test -n \"\$LIB_${2}_LOADED\" -} - -# -# Check that a mark value or mask is less that 256 or that it is less than 65536 and -# that it's lower 8 bits are zero. -# -verify_mark() # $1 = value to test -{ - verify_mark2() - { - case $1 in - 0*) - [ $(($1)) -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $(($1)) -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - [1-9]*) - [ $1 -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $1 -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - *) - return 2 - ;; - esac - } - - verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - # Make sure umask is sane - umask 077 - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - TERMINATOR=fatal_error - # - # Clear all configuration variables (shorewall.conf) - # - STARTUP_ENABLED= - # - #VERBOSE is inherited -- VERBOSITY is only used in the CIs - # - # - # Logging - # - LOGFILE= - LOGFORMAT= - LOGTAGONLY= - LOGRATE= - LOGBURST= - LOGALLNEW= - BLACKLIST_LOGLEVEL= - MACLIST_LOG_LEVEL= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - SMURF_LOG_LEVEL= - LOG_MARTIANS= - # - # Location of files - # - IPTABLES= - #PATH is inherited - SHOREWALL_SHELL= - SUBSYSLOCK= - MODULESDIR= - #CONFIG_PATH is inherited - RESTOREFILE= - IPSECFILE= - LOCKFILE= - # - # Default Actions/Macros - # - DROP_DEFAULT= - REJECT_DEFAULT= - ACCEPT_DEFAULT= - QUEUE_DEFAULT= - # - # Firewall Options - # - IP_FORWARDING= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - RETAIN_ALIASES= - TC_ENABLED= - TC_EXPERT= - CLEAR_TC= - MARK_IN_FORWARD_CHAIN= - CLAMPMSS= - ROUTE_FILTER= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - DELAYBLACKLISTLOAD= - MODULE_SUFFIX= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - RFC1918_STRICT= - MACLIST_TABLE= - MACLIST_TTL= - SAVE_IPSETS= - MAPOLDACTIONS= - FASTACCEPT= - IMPLICIT_CONTINUE= - HIGH_ROUTE_MARKS= - USE_ACTIONS= - OPTIMIZE= - EXPORTPARAMS= - KEEP_TC_RULES= - DELETE_THEN_ADD= - DONT_LOAD= - # - # Packet Disposition - # - MACLIST_DISPOSITION= - TCP_FLAGS_DISPOSITION= - BLACKLIST_DISPOSITION= - # - # Other Globals - # - VERSION= - FW= - USEPKTYPE= - LOGLIMIT= - LOGPARMS= - OUTPUT= - ALL_INTERFACES= - ROUTEMARK_INTERFACES= - PROVIDERS= - CRITICALHOSTS= - EXCLUSION_SEQ=1 - STOPPING= - HAVE_MUTEX= - ALIASES_TO_ADD= - SECTION=ESTABLISHED - SECTIONS= - ALL_PORTS= - ACTIONS= - USEDACTIONS= - DEFAULT_MACROS= - COMMENT= - VERSION_FILE= - LOGRULENUMBERS= - ORIGINAL_POLICY_MATCH= - ORIGINAL_MANGLE_ENABLED= - - ensure_config_path - - VERSION_FILE=$SHAREDIR/version - - [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) - - [ -d /usr/share/shorewall-perl ] && set -a; - - run_user_exit params - - set +a - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config - else - startup_error "Cannot read $config (Hint: Are you root?)" - fi - else - startup_error "$config does not exist!" - fi - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - startup_error "Can't create a temporary directory" - - case $PROGRAM in - compiler) - trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - firewall) - trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - esac - - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to accurately determine - # capabilities when module autoloading isn't enabled. - # - PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) - [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )" - - [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then - - load_kernel_modules Yes - - if [ -z "$IPTABLES" ]; then - IPTABLES=$(mywhich iptables 2> /dev/null) - [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" - else - [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" - fi - - f=$(find_file capabilities) - - [ -f $f ] && . $f || determine_capabilities - else - f=$(find_file capabilities) - [ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file" - fi - - if [ -n "$CAPVERSION" ]; then - [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION" - else - error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION" - fi - - ORIGINAL_POLICY_MATCH=$POLICY_MATCH - ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED - - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$ROUTE_FILTER" ]; then - case "$ROUTE_FILTER" in - Yes|yes|YES) - ROUTE_FILTER=yes - ;; - No|no|NO) - ROUTE_FILTER=no - ;; - Keep|keep|KEEP) - ROUTE_FILTER= - ;; - *) - startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER" - ;; - esac - else - ROUTE_FILTER= - fi - - if [ -n "$LOG_MARTIANS" ]; then - case "$LOG_MARTIANS" in - Yes|yes|YES) - LOG_MARTIANS=yes - ;; - No|no|NO) - LOG_MARTIANS=no - ;; - Keep|keep|KEEP) - LOG_MARTIANS= - ;; - *) - startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS" - ;; - esac - else - LOG_MARTIANS=yes - fi - - [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] - - case "$CLAMPMSS" in - [0-9]*) - ;; - *) - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ;; - esac - - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - - MACLIST_TARGET=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case $MACLIST_DISPOSITION in - REJECT) - ;; - DROP) - MACLIST_TARGET=DROP - ;; - ACCEPT) - MACLIST_TARGET=RETURN - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -n "${RFC1918_LOG_LEVEL:=info}" ] - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" - - MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) )) - MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*} - else - LOGFORMAT="Shorewall:%s:%s:" - MAXZONENAMELENGTH=5 - fi - - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - if [ -n "$DYNAMIC_ZONES" ]; then - [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" - lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" - fi - - STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) - RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) - [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= - DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) - LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) - MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) - FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) - - [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes" - - IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) - HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) - TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) - USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) - EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS) - KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) - DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) - - if [ -n "$MANGLE_ENABLED" ] ; then - case $MANGLE_ENABLED in - Yes|yes) - ;; - No|no) - MANGLE_ENABLED= - ;; - *) - startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; - ;; - esac - fi - - [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - - [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= - [ -n "$XMARK" ] || XCONNMARK= - - [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" - - case ${MACLIST_TABLE:=filter} in - filter) - ;; - mangle) - [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" - ;; *) - startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" - ;; - esac - - TC_SCRIPT= - - if [ -n "$TC_ENABLED" ] ; then - case "$TC_ENABLED" in - [Yy][Ee][Ss]) - TC_ENABLED=Yes - TC_SCRIPT=$(find_file tcstart) - [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file" - ;; - [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) - TC_ENABLED=Internal - ;; - [Nn][Oo]) - TC_ENABLED= - ;; - esac - else - TC_ENABLED=Yes - fi - - if [ -n "$TC_ENABLED" ];then - [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" - [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf" - fi - - [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" - [ -n "${RESTOREFILE:=restore}" ] - - case "${DROP_DEFAULT:=Drop}" in - None) - DROP_DEFAULT=none - ;; - esac - - case "${REJECT_DEFAULT:=Reject}" in - None) - REJECT_DEFAULT=none - ;; - esac - - case "${QUEUE_DEFAULT:=none}" in - None) - QUEUE_DEFAULT=none - ;; - esac - - case "${ACCEPT_DEFAULT:=none}" in - None) - ACCEPT_DEFAULT=none - ;; - esac - - case "${OPTIMIZE:=0}" in - 0|1) - ;; - *) - startup_error "Invalid OPTIMIZE value ($OPTIMIZE)" - ;; - esac - - if [ -n "$LOCKFILE" ]; then - [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist" - fi - # - # Check out the user's shell - # - [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - if [ -z "$KLUDGEFREE" ]; then - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange - fi - - qt mywhich awk && HAVEAWK=Yes || HAVEAWK= - # - # Pre-process all of the standard files - # - # Because 'strip_file()' does shell variable expansion, we must first determine the - # setting of $FW - # - case ${IPSECFILE:=ipsec} in - ipsec) - [ -n "${FW:=fw}" ] - strip_file ipsec - ;; - zones) - get_firewall_zone - ;; - *) - startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" - ;; - esac - - strip_file zones - strip_file routestopped - strip_file interfaces - strip_file hosts - - if [ $PROGRAM = compiler ]; then - strip_file_and_lib_load accounting accounting - - if [ -n "$USE_ACTIONS" ]; then - strip_file actions - strip_file actions.std ${SHAREDIR}/actions.std - fi - - strip_file blacklist - strip_file ecn - strip_file maclist - strip_file_and_lib_load masq nat - strip_file_and_lib_load nat nat - strip_file_and_lib_load netmap nat - strip_file policy - strip_file_and_lib_load providers providers && strip_file route_rules - strip_file_and_lib_load proxyarp proxyarp - strip_file rfc1918 - strip_file routestopped - strip_file rules - - if [ "$TC_ENABLED" = Internal ]; then - strip_file_and_lib_load tcdevices tc - strip_file_and_lib_load tcclasses tc - fi - - strip_file_and_lib_load tcrules tcrules - strip_file tos - strip_file_and_lib_load tunnels tunnels - fi - - [ "$IPSECFILE" = zones ] && FW= -} diff --git a/Shorewall6/lib.dynamiczones b/Shorewall6/lib.dynamiczones deleted file mode 100644 index 826da53de..000000000 --- a/Shorewall6/lib.dynamiczones +++ /dev/null @@ -1,427 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.dynamiczones -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/firewall when processing -# the 'add' and 'delete' commands. -# - -# -# Add a host or networks to a zone -# -add_to_zone() # $1...${n-1} = [:] $n = zone -{ - local interface host zone z h z1 z2 chain - local dhcp_interfaces blacklist_interfaces maclist_interfaces - local tcpflags_interfaces newhostlist= - local rulenum source_chain dest_hosts iface hosts hostlist= - - nat_chain_exists() # $1 = chain name - { - qt $IPTABLES -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! $IPTABLES $@ ; then - error_message "ERROR: Can't add $newhost to zone $zone" - fi - } - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file $IPSECFILE) - - [ -f $f ] && setup_ipsec $f - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Check for duplicates and create a new zone state file - # - > ${VARDIR}/zones_$$ - - while read z type hosts; do - if [ "$z" = "$zone" ]; then - case $type in - bport4:*) - rm -f ${VARDIR}/zones_$$ - startup_error "Bridge Port zones may not be dynamically modified" - ;; - esac - - case "$hosts" in - *exclude*) - rm -f ${VARDIR}/zones_$$ - startup_error "Modifying a zone that has an exclude list is not supported" - ;; - *) - for h in $hostlist; do - if ! list_search +$h $hosts; then - if ! list_search $h $hosts; then - newhostlist="$newhostlist +$h" - else - error_message "$h is already in zone $zone" - fi - else - error_message "$h is already in zone $zone" - fi - done - - [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" - ;; - esac - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $type $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - # - # Create a new Zone state file - # - for newhost in $newhostlist; do - newhost=${newhost#+} - # - # Isolate interface and host parts - # - interface=${newhost%%:*} - host=${newhost#*:} - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - [ "$z1" = "$z2" ] && op="-I" || op="-A" - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $newhost ; then - do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain for the interface - # - do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$newhost added to zone $zone" - - done - - rm -rf $TMP_DIR -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - local interface host zone z h z1 z2 chain delhost - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts hostlist= - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file ipsec) - - [ -f $f ] && setup_ipsec $f - - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Delete the passed hosts from the zone state file - # - > ${VARDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for host in $hostlist; do - found= - for h in $temp; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - - if [ "$h" = "$host" ]; then - found=No - break - fi - done - - [ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone" - [ "$found" = No ] && startup_error "$host is a permanent member of zone $zone" - done - - for h in $temp; do - found= - for host in $hostlist; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - done - - [ -n "$found" ] || hosts="$hosts $h" - done - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - - for delhost in $hostlist; do - interface=${delhost%%:*} - host=${delhost#*:} - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $delhost ; then - qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$delhost removed from zone $zone" - - done - - rm -rf $TMP_DIR -} diff --git a/Shorewall6/masq b/Shorewall6/masq deleted file mode 100644 index 9b4f38dd1..000000000 --- a/Shorewall6/masq +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Masq file -# -# For information about entries in this file, type "man shorewall-masq" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-masq.html -# -############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall6/nat b/Shorewall6/nat deleted file mode 100644 index 5c8874c8e..000000000 --- a/Shorewall6/nat +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Nat File -# -# For information about entries in this file, type "man shorewall-nat" -# -# For additional information, see http://shorewall.net/NAT.htm -# -############################################################################### -#EXTERNAL INTERFACE INTERNAL ALL LOCAL -# INTERFACES -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall6/netmap b/Shorewall6/netmap deleted file mode 100644 index 6290bcfb4..000000000 --- a/Shorewall6/netmap +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Netmap File -# -# For information about entries in this file, type "man shorewall-netmap" -# -# See http://shorewall.net/netmap.html for an example and usage -# information. -# -############################################################################### -#TYPE NET1 INTERFACE NET2 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall6/proxyarp b/Shorewall6/proxyarp deleted file mode 100644 index 4bc86f21b..000000000 --- a/Shorewall6/proxyarp +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall version 4 - Proxyarp File -# -# For information about entries in this file, type "man shorewall-proxyarp" -# -# See http://shorewall.net/ProxyARP.htm for additional information. -# -############################################################################### -#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall6/rfc1918 b/Shorewall6/rfc1918 deleted file mode 100644 index abdfc2825..000000000 --- a/Shorewall6/rfc1918 +++ /dev/null @@ -1,9 +0,0 @@ -# -# Shorewall version 4 - Rfc1918 File -# -############################################################################### -#SUBNETS TARGET -172.16.0.0/12 logdrop # RFC 1918 -192.168.0.0/16 logdrop # RFC 1918 -10.0.0.0/8 logdrop # RFC 1918 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall6/shorewall b/Shorewall6/shorewall6 similarity index 72% rename from Shorewall6/shorewall rename to Shorewall6/shorewall6 index 6abf579f3..cae30f441 100755 --- a/Shorewall6/shorewall +++ b/Shorewall6/shorewall6 @@ -6,7 +6,7 @@ # # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) # -# This file should be placed in /sbin/shorewall. +# This file should be placed in /sbin/shorewall6. # # Shorewall documentation is available at http://www.shorewall.net # @@ -31,93 +31,93 @@ # # Commands are: # -# shorewall add [:] zone Adds a host or subnet to a zone -# shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall dump Dumps all Shorewall-related information +# shorewall6 add [:] zone Adds a host or subnet to a zone +# shorewall6 delete [:] zone Deletes a host or subnet from a zone +# shorewall6 dump Dumps all Shorewall6-related information # for problem analysis -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and +# shorewall6 start Starts the firewall +# shorewall6 restart Restarts the firewall +# shorewall6 stop Stops the firewall +# shorewall6 status Displays firewall status +# shorewall6 reset Resets iptables packet and # byte counts -# shorewall clear Open the floodgates by +# shorewall6 clear Open the floodgates by # removing all iptables rules # and setting the three permanent # chain policies to ACCEPT -# shorewall refresh Rebuild the common chain to +# shorewall6 refresh Rebuild the common chain to # compensate for a change of # broadcast address on any "detect" # interface. -# shorewall [re]load [ ] +# shorewall6 [re]load [ ] # Compile a script and install it on a -# remote Shorewall Lite system. -# shorewall show [ ... ] Display the rules in each listed -# shorewall show actions Displays the available actions -# shorewall show log Print the last 20 log messages -# shorewall show connections Show the kernel's connection +# remote Shorewall6 Lite system. +# shorewall6 show [ ... ] Display the rules in each listed +# shorewall6 show actions Displays the available actions +# shorewall6 show log Print the last 20 log messages +# shorewall6 show connections Show the kernel's connection # tracking table -# shorewall show nat Display the rules in the nat table -# shorewall show {mangle|tos} Display the rules in the mangle table -# shorewall show tc Display traffic control info -# shorewall show classifiers Display classifiers -# shorewall show capabilities Display iptables/kernel capabilities -# shorewall show vardir Display the VARDIR setting. -# shorewall version Display the installed version id -# shorewall check [ -e ] [ ] Dry-run compilation. -# shorewall try [ ] Try a new configuration and if +# shorewall6 show nat Display the rules in the nat table +# shorewall6 show {mangle|tos} Display the rules in the mangle table +# shorewall6 show tc Display traffic control info +# shorewall6 show classifiers Display classifiers +# shorewall6 show capabilities Display iptables/kernel capabilities +# shorewall6 show vardir Display the VARDIR setting. +# shorewall6 version Display the installed version id +# shorewall6 check [ -e ] [ ] Dry-run compilation. +# shorewall6 try [ ] Try a new configuration and if # it doesn't work, revert to the # standard one. If a timeout is supplied # the command reverts back to the # standard configuration after that many # seconds have elapsed after successfully # starting the new configuration. -# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall drop
... Temporarily drop all packets from the +# shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6 +# messages. +# shorewall6 drop
... Temporarily drop all packets from the # listed address(es) -# shorewall reject
... Temporarily reject all packets from the +# shorewall6 reject
... Temporarily reject all packets from the # listed address(es) -# shorewall allow
... Reenable address(es) previously +# shorewall6 allow
... Reenable address(es) previously # disabled with "drop" or "reject" -# shorewall save [ ] Save the list of "rejected" and +# shorewall6 save [ ] Save the list of "rejected" and # "dropped" addresses so that it will # be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall +# next time that Shorewall6 starts. +# Save the current state so that 'shorewall6 # restore' can be used. # -# shorewall forget [ ] Discard the data saved by 'shorewall save' +# shorewall6 forget [ ] Discard the data saved by 'shorewall6 save' # -# shorewall restore [ ] Restore the state of the firewall from +# shorewall6 restore [ ] Restore the state of the firewall from # previously saved information. # -# shorewall ipaddr {
/ |
} +# shorewall6 ipaddr {
/ |
} # # Displays information about the network # defined by the argument[s] # -# shorewall iprange
-
Decomposes a range of IP addresses into +# shorewall6 iprange
-
Decomposes a range of IP addresses into # a list of network/host addresses. # -# shorewall ipdecimal {
| } +# shorewall6 ipdecimal {
| } # # Displays the decimal equivalent of an IP # address and vice versa. # -# shorewall safe-start [ ] Starts the firewall and promtp for a c +# shorewall6 safe-start [ ] Starts the firewall and promtp for a c # confirmation to accept or reject the new # configuration # -# shorewall safe-restart [ ] Restarts the firewall and prompt for a +# shorewall6 safe-restart [ ] Restarts the firewall and prompt for a # confirmation to accept or reject the new # configuration # -# shorewall compile [ -e ] [ ] +# shorewall6 compile [ -e ] [ ] # Compile a firewall program file. # -# Set the configuration variables from shorewall.conf +# Set the configuration variables from shorewall6.conf # # $1 = Yes: read the params file # $2 = Yes: check for STARTUP_ENABLED @@ -136,7 +136,7 @@ get_config() { fi fi - config=$(find_file shorewall.conf) + config=$(find_file shorewall6.conf) if [ -f $config ]; then if [ -r $config ]; then @@ -198,7 +198,7 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2 + echo " ERROR: Shorewall6 startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall6.conf" >&2 exit 2 ;; Yes|yes|YES) @@ -220,7 +220,7 @@ get_config() { [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall6:" export LOGFORMAT @@ -250,7 +250,7 @@ get_config() { if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then - echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 + echo " WARNING: The program specified in SHOREWALL6_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 SHOREWALL_SHELL=/bin/sh fi fi @@ -318,8 +318,8 @@ compiler() { shift if [ $(id -u) -ne 0 ]; then - if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then - startup_error "Ordinary users may not compile the /etc/shorewall configuration" + if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall6 ]; then + startup_error "Ordinary users may not compile the /etc/shorewall6 configuration" fi fi # @@ -327,49 +327,9 @@ compiler() { # ensure_config_path - compiler= + compiler=perl haveparams= - if [ -n "$SHOREWALL_COMPILER" ]; then - compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line - elif [ -x $sc ]; then - if [ ! -x $pc ]; then - compiler=shell - fi - elif [ -x $pc ]; then - compiler=perl - else - fatal_error "No shorewall compiler installed" - fi - - if [ -z "$compiler" ]; then - # - # Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER - # - if [ -n "$SHOREWALL_DIR" ]; then - shell=$SHOREWALL_SHELL - - [ -x $pc ] && set -a - run_user_exit params - set +a - haveparams=Yes - - get_config No No No - - SHOREWALL_SHELL=$shell - fi - # - # And initiate the appropriate compiler - # - if [ -n "$SHOREWALL_COMPILER" ]; then - compiler="$SHOREWALL_COMPILER" - elif [ -x $sc ]; then - compiler=shell - else - compiler=perl - fi - fi - case $COMMAND in *start|try|refresh) ;; @@ -381,48 +341,36 @@ compiler() { [ $command = exec ] || command= - case "$compiler" in - perl) - debugflags="-w" - [ -n "$DEBUG" ] && debugflags='-wd' - [ -n "$PROFILE" ] && debugflags='-wd:DProf' + debugflags="-w" + [ -n "$DEBUG" ] && debugflags='-wd' + [ -n "$PROFILE" ] && debugflags='-wd:DProf' - # Perl compiler only takes the output file as a argument + # Perl compiler only takes the output file as a argument - [ "$1" = debug -o "$1" = trace ] && shift; - [ "$1" = nolock ] && shift; - shift + [ "$1" = debug -o "$1" = trace ] && shift; + [ "$1" = nolock ] && shift; + shift - options="--verbose=$VERBOSE" - [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" - [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; - [ -n "$EXPORT" ] && options="$options --export" - [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" - [ -n "$TIMESTAMP" ] && options="$options --timestamp" - [ -n "$TEST" ] && options="$options --test" - [ "$debugging" = trace ] && options="$options --debug" - [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" - [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" - # - # Run the appropriate params file - # - if [ -z "$haveparams" ]; then - set -a; - run_user_exit params - set +a - fi + options="--verbose=$VERBOSE" + [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" + [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; + [ -n "$EXPORT" ] && options="$options --export" + [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" + [ -n "$TIMESTAMP" ] && options="$options --timestamp" + [ -n "$TEST" ] && options="$options --test" + [ "$debugging" = trace ] && options="$options --debug" + [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" + [ -x $pc ] || startup_error "Shorewall6 requires the shorewall-perl package which is not installed" + # + # Run the appropriate params file + # + if [ -z "$haveparams" ]; then + set -a; + run_user_exit params + set +a + fi - $command perl $debugflags $pc $options $@ - ;; - shell) - [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed" - [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains" - $command $SHOREWALL_SHELL $sc $@ - ;; - *) - startup_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" - ;; - esac + $command perl $debugflags $pc $options $@ } # @@ -445,14 +393,14 @@ start_command() { [ -n "$nolock" ] || mutex_off else rc=$? - logger -p kern.err "ERROR:Shorewall start failed" + logger -p kern.err "ERROR:Shorewall6 start failed" fi exit $rc } - if shorewall_is_started; then - error_message "Shorewall is already running" + if shorewall6_is_started; then + error_message "Shorewall6 is already running" exit 0 fi @@ -470,12 +418,6 @@ start_command() { finished=1 option= ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; d*) DEBUG=Yes option=${option#d} @@ -551,10 +493,10 @@ start_command() { $SHOREWALL_SHELL ${RESTOREPATH}-ipsets fi - echo Restoring Shorewall... + echo Restoring Shorewall6... $SHOREWALL_SHELL $RESTOREPATH restore date > ${VARDIR}/restarted - progress_message3 Shorewall restored from $RESTOREPATH + progress_message3 Shorewall6 restored from $RESTOREPATH else do_it fi @@ -593,12 +535,6 @@ compile_command() { PROFILE=Yes option=${option#p} ;; - C) - [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$1 - option= - shift - ;; t*) TEST=Yes option=${option#t} @@ -688,12 +624,6 @@ check_command() { DEBUG=Yes; option=${option#d} ;; - C) - [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; *) usage 1 ;; @@ -769,12 +699,6 @@ restart_command() { NOROUTES=Yes option=${option#n} ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" PURGE=Yes @@ -831,7 +755,7 @@ restart_command() { [ -n "$nolock" ] || mutex_off else rc=$? - logger -p kern.err "ERROR:Shorewall restart failed" + logger -p kern.err "ERROR:Shorewall6 restart failed" fi else [ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found" @@ -863,12 +787,6 @@ refresh_command() { finished=1 option= ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; *) usage 1 ;; @@ -892,7 +810,7 @@ refresh_command() { done fi - shorewall_is_started || fatal_error "Shorewall is not running" + shorewall6_is_started || fatal_error "Shorewall6 is not running" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" @@ -942,12 +860,6 @@ safe_commands() { NOROUTES=Yes option=${option#n} ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; *) usage 1 ;; @@ -985,7 +897,7 @@ safe_commands() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - if shorewall_is_started; then + if shorewall6_is_started; then running=Yes else running= @@ -993,12 +905,12 @@ safe_commands() { if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then # the command is safe-start but the firewall is already running - error_message "Shorewall is already started" + error_message "Shorewall6 is already started" exit 0 fi if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then - # the command is safe-start or shorewall is not started yet + # the command is safe-start or shorewall6 is not started yet command="start" else # the command is safe-restart and the firewall is already running @@ -1091,12 +1003,6 @@ try_command() { NOROUTES=Yes option=${option#n} ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; *) usage 1 ;; @@ -1134,14 +1040,14 @@ try_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - if shorewall_is_started; then + if shorewall6_is_started; then running=Yes else running= fi if [ -z "$running" ]; then - # shorewall is not started yet + # shorewall6 is not started yet command="start" else # the firewall is already running @@ -1223,7 +1129,7 @@ reload_command() # $* = original arguments less the command. local compiler compiler= - LITEDIR=/var/lib/shorewall-lite + LITEDIR=/var/lib/shorewall6-lite while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -1251,12 +1157,6 @@ reload_command() # $* = original arguments less the command. option= shift ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - compiler="-C $2" - option= - shift - ;; *) usage 1 ;; @@ -1284,7 +1184,7 @@ reload_command() # $* = original arguments less the command. ;; esac - litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') + litedir=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') [ -n "$litedir" ] && LITEDIR=$litedir @@ -1296,13 +1196,13 @@ reload_command() # $* = original arguments less the command. fi if [ -n "$getcaps" ]; then - if [ -f $directory/shorewall.conf ]; then - . $directory/shorewall.conf + if [ -f $directory/shorewall6.conf ]; then + . $directory/shorewall6.conf ensure_config_path fi progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then + if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall6-lite/shorecap" > $directory/capabilities; then fatal_error "ERROR: Capturing capabilities on system $system failed" fi fi @@ -1311,25 +1211,25 @@ reload_command() # $* = original arguments less the command. [ -n "$TIMESTAMP" ] && timestamp='-t' || timestamp= - if shorewall $debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \ + if shorewall6 $debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \ progress_message3 "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \ rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR} then save=$(find_file save); - [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall-lite/" && rcp_command $save /etc/shorewall-lite/ + [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall6-lite/" && rcp_command $save /etc/shorewall6-lite/ progress_message3 "Copy complete" if [ $COMMAND = reload ]; then - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp restart" && \ + rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp restart" && \ progress_message3 "System $system reloaded" || saveit= else - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp start" && \ + rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp start" && \ progress_message3 "System $system loaded" || saveit= fi if [ -n "$saveit" ]; then - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp save" && \ + rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp save" && \ progress_message3 "Configuration on system $system saved" fi fi @@ -1363,12 +1263,6 @@ export_command() # $* = original arguments less the command. finished=1 option= ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - compiler="-C $2" - option= - shift - ;; *) fatal_error "Unrecognized option \"$option\"" ;; @@ -1392,7 +1286,7 @@ export_command() # $* = original arguments less the command. target=$2 ;; *) - fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)" + fatal_error "ERROR: Invalid command syntax (\"man shorewall6\" for help)" ;; esac @@ -1406,7 +1300,7 @@ export_command() # $* = original arguments less the command. file=$(resolve_file $directory/firewall) - if shorewall $debugging $verbose compile -e $compiler $directory $directory/firewall && \ + if shorewall6 $debugging $verbose compile -e $compiler $directory $directory/firewall && \ echo "Copying $file and ${file}.conf to ${target#*@}..." && \ scp $directory/firewall $directory/firewall.conf $target then @@ -1427,32 +1321,28 @@ usage() # $1 = exit status echo "where is one of:" echo " add [:] ... " echo " allow
..." - echo " check [ -e ] [ -C {shell|perl} ] [ ]" + echo " check [ -e ] [ ]" echo " clear [ -f ]" - echo " compile [ -e ] [ -C {shell|perl} ] [ ] " + echo " compile [ -e ] [ ] " echo " delete [:] ... " echo " drop
..." echo " dump [ -x ]" - echo " export [ -C {shell|perl} ] [ ] [@][:]" + echo " export [ ] [@][:]" echo " forget [ ]" echo " help" - echo " hits [ -t ]" - echo " ipcalc {
/ |
}" - echo " ipdecimal {
| }" - echo " iprange
-
" echo " load [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" - echo " refresh [ -C {shell|perl} ] [ ... ]" + echo " refresh [ ... ]" echo " reject
..." - echo " reload [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " + echo " reload [ -s ] [ -c ] [ -r ] [ ] " echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ ]" + echo " restart [ -n ] [ -p ] [ -f ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" - echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" + echo " start [ -f ] [ -n ] [ -p ] [ ]" echo " stop [ -f ]" echo " status" echo " try [ -C {shell|perl} ] [ ]" @@ -1626,10 +1516,6 @@ version_command() { echo $version if [ -n "$all" ]; then - if [ -f /usr/share/shorewall-shell/version ]; then - echo "Shorewall-shell $(cat /usr/share/shorewall-shell/version)" - fi - if [ -f /usr/share/shorewall-perl/version ]; then echo "Shorewall-perl $(cat /usr/share/shorewall-perl/version)" fi @@ -1644,13 +1530,13 @@ fi PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= -SHAREDIR=/usr/share/shorewall -CONFDIR=/etc/shorewall -export PRODUCT="Shorewall" +SHAREDIR=/usr/share/shorewall6 +CONFDIR=/etc/shorewall6 +export PRODUCT="Shorewall6" [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir -[ -n "${VARDIR:=/var/lib/shorewall}" ] +[ -n "${VARDIR:=/var/lib/shorewall6}" ] FIREWALL=$SHAREDIR/firewall LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli" @@ -1667,7 +1553,7 @@ for library in $LIBRARIES; do done if [ ! -f $FIREWALL ]; then - echo " ERROR: Shorewall is not properly installed" >&2 + echo " ERROR: Shorewall6 is not properly installed" >&2 if [ -L $FIREWALL ]; then echo " $FIREWALL is a symbolic link to a" >&2 echo " non-existant file" >&2 @@ -1681,12 +1567,12 @@ fi if [ -f $VERSION_FILE ]; then version=$(cat $VERSION_FILE) else - echo " ERROR: Shorewall is not properly installed" >&2 + echo " ERROR: Shorewall6 is not properly installed" >&2 echo " The file $VERSION_FILE does not exist" >&2 exit 1 fi -banner="Shorewall-$version Status at $HOSTNAME -" +banner="Shorewall6-$version Status at $HOSTNAME -" case $(echo -e) in -e*) @@ -1782,13 +1668,13 @@ case "$COMMAND" in status) [ $# -eq 1 ] || usage 1 get_config - echo "Shorewall-$version Status at $HOSTNAME - $(date)" + echo "Shorewall6-$version Status at $HOSTNAME - $(date)" echo - if shorewall_is_started ; then - echo "Shorewall is running" + if shorewall6_is_started ; then + echo "Shorewall6 is running" status=0 else - echo "Shorewall is stopped" + echo "Shorewall6 is stopped" status=4 fi @@ -1811,12 +1697,6 @@ case "$COMMAND" in shift dump_command $@ ;; - hits) - get_config Yes No Yes - [ -n "$debugging" ] && set -x - shift - hits_command $@ - ;; version) shift version_command $@ @@ -1828,43 +1708,43 @@ case "$COMMAND" in ;; logwatch) get_config Yes Yes Yes - banner="Shorewall-$version Logwatch at $HOSTNAME -" + banner="Shorewall6-$version Logwatch at $HOSTNAME -" logwatch_command $@ ;; drop) get_config [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if shorewall6_is_started ; then [ -n "$nolock" ] || mutex_on block DROP Dropped $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "Shorewall6 is not started" fi ;; logdrop) get_config [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if shorewall6_is_started ; then [ -n "$nolock" ] || mutex_on block logdrop Dropped $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "Shorewall6 is not started" fi ;; reject|logreject) get_config [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then + if shorewall6_is_started ; then [ -n "$nolock" ] || mutex_on block $COMMAND Rejected $* [ -n "$nolock" ] || mutex_off else - fatal_error "Shorewall is not started" + fatal_error "Shorewall6 is not started" fi ;; allow) @@ -1927,63 +1807,10 @@ case "$COMMAND" in rm -f ${RESTOREPATH}-iptables echo " $RESTOREPATH removed" elif [ -f $RESTOREPATH ]; then - echo " $RESTOREPATH exists and is not a saved Shorewall configuration" + echo " $RESTOREPATH exists and is not a saved Shorewall6 configuration" fi rm -f ${VARDIR}/save ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - valid_address $address || fatal_error "Invalid IP address: $address" - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - temp=$(broadcastaddress $address); echo " BROADCAST=$temp" - ;; - - iprange) - [ -n "$debugging" ] && set -x - case $2 in - *.*.*.*-*.*.*.*) - for address in ${2%-*} ${2#*-}; do - valid_address $address || fatal_error "Invalid IP address: $address" - done - - ip_range $2 - ;; - *) - usage 1 - ;; - esac - ;; - ipdecimal) - [ -n "$debugging" ] && set -x - [ $# -eq 2 ] || usage 1 - case $2 in - *.*.*.*) - valid_address $2 || fatal_error "Invalid IP address: $2" - echo " $(decodeaddr $2)" - ;; - *) - echo " $(encodeaddr $2)" - ;; - esac - ;; restore) get_config shift diff --git a/Shorewall6/strip b/Shorewall6/strip deleted file mode 100755 index eae1ffe6e..000000000 --- a/Shorewall6/strip +++ /dev/null @@ -1,110 +0,0 @@ -#! /bin/sh -# -# Script for use from Perl to strip config files and perform shell variable -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -############################################################################### -# Filter that expands variables -# -expand_line() { - local line - - while read line; do - echo $(expand $line) - done -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first - local rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 - fi - else - eval "$first $rest" - fi - done < $1 - else - echo " WARNING -- No such file: $1" >&2 - fi -} - -# -# Split a colon-separated list into a space-separated list -# -split() { - local ifs - ifs=$IFS - IFS=: - echo $* - IFS=$ifs -} - -# -# Find a File -- For relative file name, look in ${SHOREWALL_DIR} then each ${CONFIG_PATH} then ${CONFDIR} -# -find_file() -{ - local saveifs - saveifs= - local directory - - case $1 in - /*) - echo $1 - ;; - *) - for directory in $(split $CONFIG_PATH); do - if [ -f $directory/$1 ]; then - echo $directory/$1 - return - fi - done - - echo ${CONFDIR}/$1 - ;; - esac -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -if [ ! -f $TMP_DIR/$1 ]; then - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi -fi