forked from extern/shorewall_code
Add IP, TC and IPSET configuration options
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9932 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
24d94621cb
commit
985c551d26
@ -2064,6 +2064,30 @@ sub set_chain_variables() {
|
||||
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
|
||||
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
|
||||
}
|
||||
|
||||
if ( $config{IP} ) {
|
||||
emit( qq(IP="$config{IP}") ,
|
||||
'[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
|
||||
);
|
||||
} else {
|
||||
emit 'IP=ip';
|
||||
}
|
||||
|
||||
if ( $config{TC} ) {
|
||||
emit( qq(TC="$config{TC}") ,
|
||||
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
|
||||
);
|
||||
} else {
|
||||
emit 'TC=tc';
|
||||
}
|
||||
|
||||
if ( $config{IPSET} ) {
|
||||
emit( qq(IPSET="$config{IPSET}") ,
|
||||
'[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"'
|
||||
);
|
||||
} else {
|
||||
emit 'IPSET=ipset';
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -329,7 +329,7 @@ sub generate_script_3($) {
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
'if [ -n "$addr" ]; then',
|
||||
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
||||
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
||||
@ -343,28 +343,36 @@ sub generate_script_3($) {
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' ,
|
||||
emit ( 'case $IPSET in',
|
||||
' */*)',
|
||||
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
|
||||
' ;;',
|
||||
' *)',
|
||||
' IPSET="$(which ipset)"',
|
||||
' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
|
||||
' ;;',
|
||||
'esac',
|
||||
'',
|
||||
'if [ "$COMMAND" = start ]; then' ,
|
||||
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' ipset -U :all: :all:' ,
|
||||
' ipset -U :all: :default:' ,
|
||||
' ipset -F' ,
|
||||
' ipset -X' ,
|
||||
' ipset -R < ${VARDIR}/ipsets.save' ,
|
||||
' $IPSET -U :all: :all:' ,
|
||||
' $IPSET -U :all: :default:' ,
|
||||
' $IPSET -F' ,
|
||||
' $IPSET -X' ,
|
||||
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
||||
' fi' ,
|
||||
'' );
|
||||
|
||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||
|
||||
emit ( '' ,
|
||||
'elif [ "$COMMAND" = restart ]; then' ,
|
||||
'' );
|
||||
|
||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||
|
||||
emit ( '' ,
|
||||
' if ipset -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
||||
' fi' );
|
||||
emit ( 'fi',
|
||||
@ -374,7 +382,7 @@ sub generate_script_3($) {
|
||||
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
||||
' run_refresh_exit' );
|
||||
|
||||
emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets;
|
||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||
|
||||
emit ( 'else' ,
|
||||
' run_init_exit',
|
||||
|
@ -356,6 +356,9 @@ sub initialize( $ ) {
|
||||
# Location of Files
|
||||
#
|
||||
IPTABLES => undef,
|
||||
IP => undef,
|
||||
TC => undef,
|
||||
IPSEC => undef,
|
||||
#
|
||||
#PATH is inherited
|
||||
#
|
||||
@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) {
|
||||
|
||||
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
|
||||
|
||||
if ( which 'ipset' ) {
|
||||
qt( "ipset -X $sillyname" );
|
||||
my $ipset = $config{IPSET} || 'tc';
|
||||
|
||||
if ( qt( "ipset -N $sillyname iphash" ) ) {
|
||||
$ipset = which 'ipset' unless $ipset =~ '//';
|
||||
|
||||
if ( $ipset && -x $ipset ) {
|
||||
qt( "$ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||
$capabilities{IPSET_MATCH} = 1;
|
||||
}
|
||||
|
||||
qt( "ipset -X $sillyname" );
|
||||
qt( "$ipset -X $sillyname" );
|
||||
}
|
||||
}
|
||||
|
||||
@ -2544,7 +2551,7 @@ sub generate_aux_config() {
|
||||
|
||||
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
|
||||
|
||||
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
||||
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
||||
conditionally_add_option $option;
|
||||
}
|
||||
|
||||
|
@ -124,7 +124,7 @@ sub setup_route_filtering() {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
}
|
||||
|
||||
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
|
||||
emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -137,9 +137,9 @@ sub copy_table( $$$ ) {
|
||||
my ( $duplicate, $number, $realm ) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
||||
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) {
|
||||
my ( $duplicate, $number, $copy, $realm) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
||||
emit ( "\$IP -$family route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
@ -233,7 +233,7 @@ sub start_provider( $$$ ) {
|
||||
emit "#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
emit "qt ip -$family route flush table $number";
|
||||
emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
}
|
||||
|
||||
sub add_a_provider( $$$$$$$$ ) {
|
||||
@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
my $pref = 10000 + $number - 1;
|
||||
|
||||
emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
||||
"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
);
|
||||
}
|
||||
|
||||
@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
emit '';
|
||||
if ( $gateway ) {
|
||||
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
} else {
|
||||
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
}
|
||||
}
|
||||
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||
" qt ip -$family rule del from \$address",
|
||||
" qt \$IP -$family rule del from \$address",
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} elsif ( $shared ) {
|
||||
emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
"echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||
emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) {
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) {
|
||||
}
|
||||
|
||||
emit ( "run_ip rule add $source $dest $priority table $number",
|
||||
"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
"echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
|
||||
pop_indent, emit ( "fi\n" ) if $optional;
|
||||
|
||||
@ -555,7 +555,7 @@ sub setup_null_routing() {
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( "run_ip route replace unreachable $_" );
|
||||
emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
}
|
||||
}
|
||||
|
||||
@ -593,7 +593,7 @@ sub setup_providers() {
|
||||
emit ( '#',
|
||||
'# Capture the default route(s) if we don\'t have it (them) already.',
|
||||
'#',
|
||||
'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||
'[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||
'#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
@ -624,16 +624,16 @@ sub setup_providers() {
|
||||
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
|
||||
"ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
|
||||
qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
"\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
|
||||
qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
'' );
|
||||
$table = DEFAULT_TABLE;
|
||||
}
|
||||
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||
emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
|
||||
@ -641,7 +641,7 @@ sub setup_providers() {
|
||||
if ( $config{RESTORE_DEFAULT_ROUTE} ) {
|
||||
emit ' restore_default_route && error_message "NOTICE: Default route restored"'
|
||||
} else {
|
||||
emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
|
||||
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
|
||||
}
|
||||
|
||||
emit( 'fi',
|
||||
|
@ -2158,7 +2158,7 @@ EOF
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
@ -2253,7 +2253,7 @@ EOF
|
||||
emit <<'EOF';
|
||||
|
||||
if [ -n "$(mywhich ipset)" ]; then
|
||||
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
||||
if $IPSET -S > ${VARDIR}/ipsets.tmp; then
|
||||
#
|
||||
# Don't save an 'empty' file
|
||||
#
|
||||
|
@ -813,8 +813,8 @@ sub setup_traffic_shaping() {
|
||||
push_indent;
|
||||
|
||||
emit ( "${dev}_exists=Yes",
|
||||
"qt tc qdisc del dev $device root",
|
||||
"qt tc qdisc del dev $device ingress",
|
||||
"qt \$TC qdisc del dev $device root",
|
||||
"qt \$TC qdisc del dev $device ingress",
|
||||
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
|
||||
"${dev}_mtu=\$(get_device_mtu $device)",
|
||||
"${dev}_mtu1=\$(get_device_mtu1 $device)",
|
||||
|
@ -8,7 +8,7 @@ delete_proxyarp() {
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
@ -140,8 +140,8 @@ do_iptables()
|
||||
#
|
||||
run_ip()
|
||||
{
|
||||
if ! ip -4 $@; then
|
||||
error_message "ERROR: Command \"ip -4 $@\" Failed"
|
||||
if ! $IP -4 $@; then
|
||||
error_message "ERROR: Command \"$IP -4 $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -151,8 +151,8 @@ run_ip()
|
||||
# Run tc and if an error occurs, stop/restore the firewall
|
||||
#
|
||||
run_tc() {
|
||||
if ! tc $@ ; then
|
||||
error_message "ERROR: Command \"tc $@\" Failed"
|
||||
if ! $TC $@ ; then
|
||||
error_message "ERROR: Command \"$TC $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -191,7 +191,7 @@ restore_dynamic_rules() {
|
||||
#
|
||||
get_all_bcasts()
|
||||
{
|
||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -116,8 +116,8 @@ do_iptables()
|
||||
#
|
||||
run_ip()
|
||||
{
|
||||
if ! ip -6 $@; then
|
||||
error_message "ERROR: Command \"ip -6 $@\" Failed"
|
||||
if ! $IP -6 $@; then
|
||||
error_message "ERROR: Command \"$IP -6 $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -127,8 +127,8 @@ run_ip()
|
||||
# Run tc and if an error occurs, stop/restore the firewall
|
||||
#
|
||||
run_tc() {
|
||||
if ! tc $@ ; then
|
||||
error_message "ERROR: Command \"tc $@\" Failed"
|
||||
if ! $TC $@ ; then
|
||||
error_message "ERROR: Command \"$TC $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
|
@ -485,7 +485,7 @@ find_peer() {
|
||||
#
|
||||
|
||||
find_rt_interface() {
|
||||
ip -4 route list | while read addr rest; do
|
||||
$IP -4 route list | while read addr rest; do
|
||||
case $addr in
|
||||
*/*)
|
||||
in_network ${1%/*} $addr && echo $(find_device $rest)
|
||||
@ -506,14 +506,14 @@ find_rt_interface() {
|
||||
|
||||
find_nexthop() # $1 = interface
|
||||
{
|
||||
echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||
echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||
}
|
||||
|
||||
#
|
||||
# Find the default route's interface
|
||||
#
|
||||
find_default_interface() {
|
||||
ip -4 route list | while read first rest; do
|
||||
$IP -4 route list | while read first rest; do
|
||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||
done
|
||||
}
|
||||
@ -546,7 +546,7 @@ find_interface_by_mac() {
|
||||
local rest
|
||||
local dev
|
||||
|
||||
ip link list | while read first second rest; do
|
||||
$IP link list | while read first second rest; do
|
||||
case $first in
|
||||
*:)
|
||||
dev=$second
|
||||
@ -564,7 +564,7 @@ find_interface_by_mac() {
|
||||
# Determine if Interface is up
|
||||
#
|
||||
interface_is_up() {
|
||||
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||
}
|
||||
|
||||
#
|
||||
@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
#
|
||||
# If there wasn't one, bail out now
|
||||
#
|
||||
@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
#
|
||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||
# along with everything else on the line
|
||||
@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
||||
$IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
||||
local address
|
||||
local rest
|
||||
|
||||
ip -4 route show dev $1 2> /dev/null |
|
||||
$IP -4 route show dev $1 2> /dev/null |
|
||||
while read address rest; do
|
||||
case "$address" in
|
||||
default)
|
||||
@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface
|
||||
local addresses
|
||||
addresses=
|
||||
|
||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
$IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
#
|
||||
@ -728,7 +728,7 @@ INCLUDE() {
|
||||
#
|
||||
del_ip_addr() # $1 = address, $2 = interface
|
||||
{
|
||||
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
|
||||
[ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
|
||||
}
|
||||
|
||||
# Add IP Aliases
|
||||
@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses
|
||||
#
|
||||
# Get all of the lines that contain inet addresses with broadcast
|
||||
#
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
|
||||
$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
|
||||
case $cidr in
|
||||
*/*)
|
||||
if in_network $external $cidr; then
|
||||
@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses
|
||||
{
|
||||
val=$(address_details)
|
||||
|
||||
ip addr add ${external}${val} dev $interface $label
|
||||
$IP addr add ${external}${val} dev $interface $label
|
||||
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
|
||||
echo "$external $interface" >> $VARDIR/nat
|
||||
[ -n "$label" ] && label="with $label"
|
||||
@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface
|
||||
#
|
||||
# First assume that this is some sort of point-to-point interface
|
||||
#
|
||||
gateway=$( find_peer $(ip addr list $interface ) )
|
||||
gateway=$( find_peer $($IP addr list $interface ) )
|
||||
#
|
||||
# If that didn't work, then try DHCP
|
||||
#
|
||||
@ -842,7 +842,7 @@ detect_gateway() # $1 = interface
|
||||
#
|
||||
# Maybe there's a default route through this gateway already
|
||||
#
|
||||
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default))
|
||||
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
|
||||
#
|
||||
# Last hope -- is there a load-balancing route through the interface?
|
||||
#
|
||||
@ -858,7 +858,7 @@ detect_gateway() # $1 = interface
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo
|
||||
foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
foo="$($IP -f inet6 addr list 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
@ -892,8 +892,8 @@ truncate() # $1 = length
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
$TC qdisc del dev $1 root 2> /dev/null
|
||||
$TC qdisc del dev $1 ingress 2> /dev/null
|
||||
|
||||
}
|
||||
|
||||
@ -917,7 +917,7 @@ delete_tc1()
|
||||
get_device_mtu() # $1 = device
|
||||
{
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
echo $(find_mtu $output)
|
||||
@ -933,7 +933,7 @@ get_device_mtu() # $1 = device
|
||||
get_device_mtu1() # $1 = device
|
||||
{
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local mtu
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
@ -990,11 +990,11 @@ restore_default_route() {
|
||||
#
|
||||
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||
#
|
||||
qt ip -4 route delete default metric 0 && \
|
||||
qt $IP -4 route delete default metric 0 && \
|
||||
progress_message "Default Route with metric 0 deleted"
|
||||
;;
|
||||
*)
|
||||
qt ip -4 route replace $default_route && \
|
||||
qt $IP -4 route replace $default_route && \
|
||||
result=0 && \
|
||||
progress_message "Default Route (${default_route# }) restored"
|
||||
;;
|
||||
@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface
|
||||
qt ping -nc 1 -t 2 -I $2 $1
|
||||
|
||||
local result
|
||||
result=$(ip neigh list | awk "/^$1 / {print \$5}")
|
||||
result=$($IP neigh list | awk "/^$1 / {print \$5}")
|
||||
|
||||
case $result in
|
||||
\<*\>)
|
||||
|
@ -388,14 +388,14 @@ find_peer() {
|
||||
|
||||
find_nexthop() # $1 = interface
|
||||
{
|
||||
echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||
echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
|
||||
}
|
||||
|
||||
#
|
||||
# Find the default route's interface
|
||||
#
|
||||
find_default_interface() {
|
||||
ip -6 route list | while read first rest; do
|
||||
$IP -6 route list | while read first rest; do
|
||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||
done
|
||||
}
|
||||
@ -412,7 +412,7 @@ find_interface_by_mac() {
|
||||
local rest
|
||||
local dev
|
||||
|
||||
ip link list | while read first second rest; do
|
||||
$IP link list | while read first second rest; do
|
||||
case $first in
|
||||
*:)
|
||||
dev=$second
|
||||
@ -430,7 +430,7 @@ find_interface_by_mac() {
|
||||
# Determine if Interface is up
|
||||
#
|
||||
interface_is_up() {
|
||||
[ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||
[ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
|
||||
}
|
||||
|
||||
#
|
||||
@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
|
||||
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
|
||||
#
|
||||
# If there wasn't one, bail out now
|
||||
#
|
||||
@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
|
||||
addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
|
||||
#
|
||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||
# along with everything else on the line
|
||||
@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface
|
||||
|
||||
find_interface_full_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
||||
local address
|
||||
local rest
|
||||
|
||||
ip -6 route show dev $1 2> /dev/null |
|
||||
$IP -6 route show dev $1 2> /dev/null |
|
||||
while read address rest; do
|
||||
case "$address" in
|
||||
default)
|
||||
@ -756,11 +756,11 @@ detect_gateway() # $1 = interface
|
||||
#
|
||||
# First assume that this is some sort of point-to-point interface
|
||||
#
|
||||
gateway=$( find_peer $(ip -6 addr list $interface ) )
|
||||
gateway=$( find_peer $($IP -6 addr list $interface ) )
|
||||
#
|
||||
# Maybe there's a default route through this gateway already
|
||||
#
|
||||
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default'))
|
||||
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
|
||||
#
|
||||
# Last hope -- is there a load-balancing route through the interface?
|
||||
#
|
||||
@ -788,8 +788,8 @@ truncate() # $1 = length
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
$TC qdisc del dev $1 root 2> /dev/null
|
||||
$TC qdisc del dev $1 ingress 2> /dev/null
|
||||
|
||||
}
|
||||
|
||||
@ -813,7 +813,7 @@ delete_tc1()
|
||||
get_device_mtu() # $1 = device
|
||||
{
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
echo $(find_mtu $output)
|
||||
@ -829,7 +829,7 @@ get_device_mtu() # $1 = device
|
||||
get_device_mtu1() # $1 = device
|
||||
{
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local mtu
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
@ -886,11 +886,11 @@ restore_default_route() {
|
||||
#
|
||||
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||
#
|
||||
qt ip -6 route delete default metric 0 && \
|
||||
qt $IP -6 route delete default metric 0 && \
|
||||
progress_message "Default Route with metric 0 deleted"
|
||||
;;
|
||||
*)
|
||||
qt ip -6 route replace $default_route && \
|
||||
qt $IP -6 route replace $default_route && \
|
||||
result=0 && \
|
||||
progress_message "Default Route (${default_route# }) restored"
|
||||
;;
|
||||
@ -932,27 +932,6 @@ find_echo() {
|
||||
echo echo
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the MAC address of the passed IP through the passed interface
|
||||
#
|
||||
find_mac() # $1 = IP address, $2 = interface
|
||||
{
|
||||
if interface_is_usable $2 ; then
|
||||
qt ping -nc 1 -t 2 -I $2 $1
|
||||
|
||||
local result
|
||||
result=$(ip neigh list | awk "/^$1 / {print \$5}")
|
||||
|
||||
case $result in
|
||||
\<*\>)
|
||||
;;
|
||||
*)
|
||||
[ -n "$result" ] && echo $result
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Flush the conntrack table if $PURGE is non-empty
|
||||
#
|
||||
|
@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9
|
||||
|
||||
5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
|
||||
|
||||
6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
|
||||
|
||||
Changes in Shorewall 4.3.8
|
||||
|
||||
1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
|
||||
|
@ -70,6 +70,12 @@ LOG_MARTIANS=Yes
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
||||
TC=
|
||||
|
||||
IPSET=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
@ -117,6 +117,20 @@ None.
|
||||
2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
||||
hence will now start successfully when running on that kernel.
|
||||
|
||||
3) Three new options (IP, TC and IPSET) have been added to
|
||||
shorewall.conf and shorwall6.conf. These options specify the name
|
||||
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||
respectively.
|
||||
|
||||
If not specified, the default values are:
|
||||
|
||||
IP=ip
|
||||
TC=tc
|
||||
IPSET=ipset
|
||||
|
||||
In other words, the utilities will be located via the current PATH
|
||||
setting.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S IN 4 . 3
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
||||
TC=
|
||||
|
||||
IPSET=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
@ -661,6 +661,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, gives the pathname of the 'ip' executable. If
|
||||
not specified, 'ip' is assumed and the utility will be located using
|
||||
the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
||||
role="bold">On</emphasis>|<emphasis
|
||||
@ -712,14 +723,13 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis
|
||||
role="bold">zones</emphasis>|<emphasis
|
||||
role="bold">ipsec</emphasis>}</term>
|
||||
<term><emphasis
|
||||
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This should be set to <emphasis role="bold">zones</emphasis>
|
||||
for all new Shorewall installations. IPSECFILE=ipsec is only used
|
||||
for compatibility with pre-Shorewall-3.0 configurations.</para>
|
||||
<para>If specified, gives the pathname of the 'ipset' executable. If
|
||||
not specified, 'ipset' is assumed and the utility will be located
|
||||
using the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1504,6 +1514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, gives the pathname of the 'tc' executable. If
|
||||
not specified, 'tc' is assumed and the utility will be located using
|
||||
the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
|
@ -514,6 +514,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, gives the pathname of the 'ip' executable. If
|
||||
not specified, 'ip' is assumed and the utility will be located using
|
||||
the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
||||
role="bold">On</emphasis>|<emphasis
|
||||
@ -550,13 +561,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall6 will neither enable nor disable packet
|
||||
forwarding.</para>
|
||||
forwarding</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
||||
@ -581,6 +590,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">IPSET</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, gives the pathname of the 'ipset' executable. If
|
||||
not specified, 'ipset' is assumed and the utility will be located
|
||||
using the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
@ -1056,6 +1076,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">TC</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, gives the pathname of the 'tc' executable. If
|
||||
not specified, 'tc' is assumed and the utility will be located using
|
||||
the current PATH setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
|
Loading…
Reference in New Issue
Block a user