From 985c551d2623aee6eb08920167cfd6c0b121ef8e Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 18 Apr 2009 16:28:25 +0000
Subject: [PATCH] Add IP, TC and IPSET configuration options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9932 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/Perl/Shorewall/Chains.pm | 24 ++++++++++++
 Shorewall/Perl/Shorewall/Compiler.pm | 30 +++++++++------
 Shorewall/Perl/Shorewall/Config.pm | 17 ++++++---
 Shorewall/Perl/Shorewall/Proc.pm | 2 +-
 Shorewall/Perl/Shorewall/Providers.pm | 46 +++++++++++-----------
 Shorewall/Perl/Shorewall/Rules.pm | 4 +-
 Shorewall/Perl/Shorewall/Tc.pm | 4 +-
 Shorewall/Perl/prog.functions | 12 +++---
 Shorewall/Perl/prog.functions6 | 8 ++--
 Shorewall/Perl/prog.header | 46 +++++++++++-----------
 Shorewall/Perl/prog.header6 | 55 +++++++++------------------
 Shorewall/changelog.txt | 2 +
 Shorewall/configfiles/shorewall.conf | 6 +++
 Shorewall/releasenotes.txt | 14 +++++++
 Shorewall6/shorewall6.conf | 6 +++
 manpages/shorewall.conf.xml | 33 +++++++++++++---
 manpages6/shorewall6.conf.xml | 37 ++++++++++++++++--
 17 files changed, 222 insertions(+), 124 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a6adc1f2c..4e23a88fb 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2064,6 +2064,30 @@ sub set_chain_variables() { emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); } + + if ( $config{IP} ) { + emit( qq(IP="$config{IP}") , + '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"' + ); + } else { + emit 'IP=ip'; + } + + if ( $config{TC} ) { + emit( qq(TC="$config{TC}") , + '[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"' + ); + } else { + emit 'TC=tc'; + } + + if ( $config{IPSET} ) { + emit( qq(IPSET="$config{IPSET}") , + '[ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"' + ); + } else { + emit 'IPSET=ipset'; + } } # diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 004cee6bc..571494e53 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -329,7 +329,7 @@ sub generate_script_3($) { if ( $family == F_IPV4 ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", + emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", 'if [ -n "$addr" ]; then', ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', 
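Review bot: The emitted startup check `[ -x "$IP" ]` (and the matching TC and IPSET checks in this hunk) only succeeds when the configured value is a pathname; a bare command name such as `IP=ip` is tested as a file relative to the current directory and startup_error fires even though the utility is on PATH. The ipset block that this same commit adds to Compiler.pm handles that case with `case $IPSET in */*) ... esac`, so the three checks here could use the same guard, e.g. `'case $IP in */*) [ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable";; esac'`. If bare names are intentionally unsupported for IP and TC, a short comment above the three blocks saying so would stop the next reader from aligning them with the Compiler.pm logic.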
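Review bot: The context line `' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do'` lists `176.16.0.0/12`, but the RFC 1918 block is `172.16.0.0/12`, so the norfc1918 address warning this loop emits never matches an interface address in 172.16/12. The commit only rewrites the `ip` invocation above it, but because the line is copied verbatim into every generated script it is worth correcting while the hunk is open: `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do'`. generate_script_3's body continues outside the hunk.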
@@ -343,28 +343,36 @@ sub generate_script_3($) { my @ipsets = all_ipsets; if ( @ipsets ) { - emit ( '[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"' , + emit ( 'case $IPSET in', + ' */*)', + ' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"', + ' ;;', + ' *)', + ' IPSET="$(which ipset)"', + ' [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' , + ' ;;', + 'esac', '', 'if [ "$COMMAND" = start ]; then' , ' if [ -f ${VARDIR}/ipsets.save ]; then' , - ' ipset -U :all: :all:' , - ' ipset -U :all: :default:' , - ' ipset -F' , - ' ipset -X' , - ' ipset -R < ${VARDIR}/ipsets.save' , + ' $IPSET -U :all: :all:' , + ' $IPSET -U :all: :default:' , + ' $IPSET -F' , + ' $IPSET -X' , + ' $IPSET -R < ${VARDIR}/ipsets.save' , ' fi' , '' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( '' , 'elif [ "$COMMAND" = restart ]; then' , '' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( '' , - ' if ipset -S > ${VARDIR}/ipsets.tmp; then' , + ' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' fi' ); emit ( 'fi', @@ -374,7 +382,7 @@ sub generate_script_3($) { emit ( 'if [ "$COMMAND" = refresh ]; then' , ' run_refresh_exit' ); - emit ( " qt ipset -L $_ -n || ipset -N $_ iphash" ) for @ipsets; + emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( 'else' , ' run_init_exit', diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9d25fd076..564f9ad1e 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
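Review bot: In the `*)` branch, `IPSET="$(which ipset)"` discards whatever bare name the administrator configured and looks up the literal `ipset`, so an `IPSET=ipset6`-style setting (any name without a slash) is silently ignored at run time. It also swaps the `mywhich` helper used by the removed line for the external `which`, whose presence and output on minimal shells is not guaranteed (inferred from the removed line; cannot be confirmed from the hunk). Resolving the configured name keeps the option meaningful: `IPSET="$(mywhich $IPSET)"`. generate_script_3 continues outside the hunk.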
@@ -356,6 +356,9 @@ sub initialize( $ ) { # Location of Files # IPTABLES => undef, + IP => undef, + TC => undef, + IPSEC => undef, # #PATH is inherited # @@ -1946,16 +1949,20 @@ sub determine_capabilities( $ ) { $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" ); - if ( which 'ipset' ) { - qt( "ipset -X $sillyname" ); + my $ipset = $config{IPSET} || 'tc'; - if ( qt( "ipset -N $sillyname iphash" ) ) { + $ipset = which 'ipset' unless $ipset =~ '//'; + + if ( $ipset && -x $ipset ) { + qt( "$ipset -X $sillyname" ); + + if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); $capabilities{IPSET_MATCH} = 1; } - qt( "ipset -X $sillyname" ); + qt( "$ipset -X $sillyname" ); } } @@ -2544,7 +2551,7 @@ sub generate_aux_config() { emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { + for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { conditionally_add_option $option; } diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm index 06941015f..8c2246c85 100644 --- a/Shorewall/Perl/Shorewall/Proc.pm +++ b/Shorewall/Perl/Shorewall/Proc.pm @@ -124,7 +124,7 @@ sub setup_route_filtering() { emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; } - emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; + emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache"; } } diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 3dafa5896..ae9dda2f0 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
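Review bot: The new option key is spelled `IPSEC => undef,` while every consumer this commit adds reads `$config{IPSET}` (determine_capabilities, the generate_aux_config option list, and set_chain_variables in Chains.pm). If this table is what makes an option name valid in shorewall.conf, an `IPSET=` setting would be rejected or dropped and `$config{IPSET}` would always be undef, so the line should read `IPSET => undef,`. initialize's body continues outside the hunk.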
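Review bot: `my $ipset = $config{IPSET} || 'tc';` defaults to the traffic-control binary rather than `ipset`, and `$ipset =~ '//'` matches the two-character string `//`, not a path separator, so a configured `/usr/sbin/ipset` has no match and is overwritten by `which 'ipset'`; capability detection then probes a different binary from the one the generated script will run. Suggested: `my $ipset = $config{IPSET} || 'ipset';` and `$ipset = which $ipset unless $ipset =~ m{/};`. The `'tc'` default is masked today only because the `//` test never matches it. determine_capabilities continues outside the hunk.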
@@ -137,9 +137,9 @@ sub copy_table( $$$ ) { my ( $duplicate, $number, $realm ) = @_; if ( $realm ) { - emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) } else { - emit ( "ip -$family route show table $duplicate | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | while read net route; do" ) } emit ( ' case $net in', @@ -157,9 +157,9 @@ sub copy_and_edit_table( $$$$ ) { my ( $duplicate, $number, $copy, $realm) = @_; if ( $realm ) { - emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) } else { - emit ( "ip -$family route show table $duplicate | while read net route; do" ) + emit ( "\$IP -$family route show table $duplicate | while read net route; do" ) } emit ( ' case $net in', @@ -233,7 +233,7 @@ sub start_provider( $$$ ) { emit "#\n# Add Provider $table ($number)\n#"; emit "qt ip -$family route flush table $number"; - emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing"; + emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing"; } sub add_a_provider( $$$$$$$$ ) { @@ -305,10 +305,10 @@ sub add_a_provider( $$$$$$$$ ) { my $pref = 10000 + $number - 1; - emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; + emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; emit ( "run_ip rule add fwmark $mark pref $pref table $number", - "echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing" + "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing" ); } 
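Review bot: `emit "qt ip -$family route flush table $number";`, the context line directly above the rewritten undo line in start_provider, still runs bare `ip` while the undo command beneath it now uses `\$IP`, so with an IP= pathname outside PATH the flush fails quietly under `qt` and the undo file records a command that was never executed. Change it to `emit "qt \$IP -$family route flush table $number";`. start_provider continues outside the hunk.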
@@ -421,33 +421,33 @@ sub add_a_provider( $$$$$$$$ ) { emit ''; if ( $gateway ) { emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number); - emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); } else { emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number); - emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); } } if ( $loose ) { if ( $config{DELETE_THEN_ADD} ) { emit ( "\nfind_interface_addresses $interface | while read address; do", - " qt ip -$family rule del from \$address", + " qt \$IP -$family rule del from \$address", 'done' ); } } elsif ( $shared ) { - emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD}; + emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; emit( "run_ip rule add from $address pref 20000 table $number" , - "echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); + "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); } else { my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); emit "\nrulenum=0\n"; emit ( "find_interface_addresses $interface | while read address; do" ); - emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; + emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", - " echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing", + " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing", ' 
rulenum=$(($rulenum + 1))', 'done' ); @@ -529,7 +529,7 @@ sub add_an_rtrule( $$$$ ) { $priority = "priority $priority"; - emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; + emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); @@ -540,7 +540,7 @@ sub add_an_rtrule( $$$$ ) { } emit ( "run_ip rule add $source $dest $priority table $number", - "echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); + "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); pop_indent, emit ( "fi\n" ) if $optional; @@ -555,7 +555,7 @@ sub setup_null_routing() { save_progress_message "Null Routing the RFC 1918 subnets"; for ( rfc1918_networks ) { emit( "run_ip route replace unreachable $_" ); - emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" ); + emit( "echo \"qt \$IP -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" ); } } @@ -593,7 +593,7 @@ sub setup_providers() { emit ( '#', '# Capture the default route(s) if we don\'t have it (them) already.', '#', - '[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', + '[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', '#', '# Initialize the file that holds \'undo\' commands', '#', 
@@ -624,16 +624,16 @@ sub setup_providers() { if ( $config{USE_DEFAULT_RT} ) { emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999', - "ip -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766', - qq(echo "qt ip -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', - qq(echo "qt ip -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', + "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766', + qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', + qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', '' ); $table = DEFAULT_TABLE; } emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); - emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; + emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", 'else', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); @@ -641,7 +641,7 @@ sub setup_providers() { if ( $config{RESTORE_DEFAULT_ROUTE} ) { emit ' restore_default_route && error_message "NOTICE: Default route restored"' } else { - emit qq( qt ip -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); + emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); } emit( 'fi', diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7094b8756..dc0ad1b6d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -2158,7 +2158,7 @@ EOF if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp @@ -2253,7 +2253,7 @@ EOF emit <<'EOF'; if [ -n "$(mywhich ipset)" ]; then - if ipset -S > ${VARDIR}/ipsets.tmp; then + if $IPSET -S > ${VARDIR}/ipsets.tmp; then # # Don't save an 'empty' file # diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 8c8bcef38..c5ac46065 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -813,8 +813,8 @@ sub setup_traffic_shaping() { push_indent; emit ( "${dev}_exists=Yes", - "qt tc qdisc del dev $device root", - "qt tc qdisc del dev $device ingress", + "qt \$TC qdisc del dev $device root", + "qt \$TC qdisc del dev $device ingress", "run_tc qdisc add dev $device root handle $devnum: htb default $defmark", "${dev}_mtu=\$(get_device_mtu $device)", "${dev}_mtu1=\$(get_device_mtu1 $device)", diff --git a/Shorewall/Perl/prog.functions b/Shorewall/Perl/prog.functions index 8941cc679..e53dea6f1 100644 --- a/Shorewall/Perl/prog.functions +++ b/Shorewall/Perl/prog.functions @@ -8,7 +8,7 @@ delete_proxyarp() { if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip -4 route del $address dev $interface + [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp 
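Review bot: The guard `if [ -n "$(mywhich ipset)" ]; then` still tests for an `ipset` on PATH while the body below now runs `$IPSET -S`, so an IPSET= pathname outside PATH skips the ipset save silently, and an `ipset` on PATH combined with a misconfigured `$IPSET` reaches the `-S` call. Because the heredoc is `<<'EOF'`, `$IPSET` reaches the shell unexpanded, so the guard can use it too: `if [ -x "$IPSET" ] || [ -n "$(mywhich $IPSET)" ]; then`. The enclosing heredoc starts and ends outside the hunk.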
@@ -140,8 +140,8 @@ do_iptables() # run_ip() { - if ! ip -4 $@; then - error_message "ERROR: Command \"ip -4 $@\" Failed" + if ! $IP -4 $@; then + error_message "ERROR: Command \"$IP -4 $@\" Failed" stop_firewall exit 2 fi @@ -151,8 +151,8 @@ run_ip() # Run tc and if an error occurs, stop/restore the firewall # run_tc() { - if ! tc $@ ; then - error_message "ERROR: Command \"tc $@\" Failed" + if ! $TC $@ ; then + error_message "ERROR: Command \"$TC $@\" Failed" stop_firewall exit 2 fi @@ -191,7 +191,7 @@ restore_dynamic_rules() { # get_all_bcasts() { - ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u + $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } # diff --git a/Shorewall/Perl/prog.functions6 b/Shorewall/Perl/prog.functions6 index 7a544a967..d98462600 100644 --- a/Shorewall/Perl/prog.functions6 +++ b/Shorewall/Perl/prog.functions6 @@ -116,8 +116,8 @@ do_iptables() # run_ip() { - if ! ip -6 $@; then - error_message "ERROR: Command \"ip -6 $@\" Failed" + if ! $IP -6 $@; then + error_message "ERROR: Command \"$IP -6 $@\" Failed" stop_firewall exit 2 fi @@ -127,8 +127,8 @@ run_ip() # Run tc and if an error occurs, stop/restore the firewall # run_tc() { - if ! tc $@ ; then - error_message "ERROR: Command \"tc $@\" Failed" + if ! $TC $@ ; then + error_message "ERROR: Command \"$TC $@\" Failed" stop_firewall exit 2 fi diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index c8da161cf..1c95cdcab 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header @@ -485,7 +485,7 @@ find_peer() { # find_rt_interface() { - ip -4 route list | while read addr rest; do + $IP -4 route list | while read addr rest; do case $addr in */*) in_network ${1%/*} $addr && echo $(find_device $rest) 
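Review bot: run_ip now expands `$IP` with no fallback, so if any caller reaches it before the `IP=` assignment that set_chain_variables emits, the command degenerates to `-4 ...` and the message `"ERROR: Command \"$IP -4 $@\" Failed"` prints an empty name; whether such a call order exists cannot be told from this hunk. A defensive default near the top of prog.functions, `[ -n "$IP" ] || IP=ip`, would close that window and the same applies to `$TC` in the run_tc hunk below and to both functions in prog.functions6. The unquoted `$@` in the command and in the message is pre-existing; `"$@"` would preserve arguments containing whitespace.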
@@ -506,14 +506,14 @@ find_rt_interface() { find_nexthop() # $1 = interface { - echo $(find_gateway `ip -4 route list | grep "[[:space:]]nexthop.* $1"`) + echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { - ip -4 route list | while read first rest; do + $IP -4 route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } @@ -546,7 +546,7 @@ find_interface_by_mac() { local rest local dev - ip link list | while read first second rest; do + $IP link list | while read first second rest; do case $first in *:) dev=$second @@ -564,7 +564,7 @@ find_interface_by_mac() { # Determine if Interface is up # interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] + [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] } # @@ -576,7 +576,7 @@ find_first_interface_address() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) # # If there wasn't one, bail out now # @@ -593,7 +593,7 @@ find_first_interface_address_if_any() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line @@ -615,7 +615,7 @@ interface_is_usable() # $1 = interface # find_interface_addresses() # $1 = interface { - ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' + $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' } # 
@@ -626,7 +626,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message local address local rest - ip -4 route show dev $1 2> /dev/null | + $IP -4 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) @@ -655,7 +655,7 @@ get_interface_bcasts() # $1 = interface local addresses addresses= - ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u + $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } # @@ -728,7 +728,7 @@ INCLUDE() { # del_ip_addr() # $1 = address, $2 = interface { - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 + [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2 } # Add IP Aliases @@ -757,7 +757,7 @@ add_ip_aliases() # $* = List of addresses # # Get all of the lines that contain inet addresses with broadcast # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do + $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in */*) if in_network $external $cidr; then @@ -773,7 +773,7 @@ add_ip_aliases() # $* = List of addresses { val=$(address_details) - ip addr add ${external}${val} dev $interface $label + $IP addr add ${external}${val} dev $interface $label [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external echo "$external $interface" >> $VARDIR/nat [ -n "$label" ] && label="with $label" @@ -811,7 +811,7 @@ detect_dynamic_gateway() { # $1 = interface # # First assume that this is some sort of point-to-point interface # - gateway=$( find_peer $(ip addr list $interface ) ) + gateway=$( find_peer $($IP addr list $interface ) ) # # If that didn't work, then try DHCP # 
@@ -842,7 +842,7 @@ detect_gateway() # $1 = interface # # Maybe there's a default route through this gateway already # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default)) + [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default)) # # Last hope -- is there a load-balancing route through the interface? # @@ -858,7 +858,7 @@ detect_gateway() # $1 = interface # disable_ipv6() { local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" + foo="$($IP -f inet6 addr list 2> /dev/null)" if [ -n "$foo" ]; then if qt mywhich ip6tables; then @@ -892,8 +892,8 @@ truncate() # $1 = length delete_tc1() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + $TC qdisc del dev $1 root 2> /dev/null + $TC qdisc del dev $1 ingress 2> /dev/null } @@ -917,7 +917,7 @@ delete_tc1() get_device_mtu() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) @@ -933,7 +933,7 @@ get_device_mtu() # $1 = device get_device_mtu1() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then @@ -990,11 +990,11 @@ restore_default_route() { # # Don't restore a route with a metric -- we only replace the one with metric == 0 # - qt ip -4 route delete default metric 0 && \ + qt $IP -4 route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) - qt ip -4 route replace $default_route && \ + qt $IP -4 route replace $default_route && \ result=0 && \ progress_message "Default Route (${default_route# }) restored" ;; 
@@ -1045,7 +1045,7 @@ find_mac() # $1 = IP address, $2 = interface qt ping -nc 1 -t 2 -I $2 $1 local result - result=$(ip neigh list | awk "/^$1 / {print \$5}") + result=$($IP neigh list | awk "/^$1 / {print \$5}") case $result in \<*\>) diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 1432c3d95..6155336bc 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -388,14 +388,14 @@ find_peer() { find_nexthop() # $1 = interface { - echo $(find_gateway `ip -6 route list | grep "[[:space:]]nexthop.* $1"`) + echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { - ip -6 route list | while read first rest; do + $IP -6 route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } @@ -412,7 +412,7 @@ find_interface_by_mac() { local rest local dev - ip link list | while read first second rest; do + $IP link list | while read first second rest; do case $first in *:) dev=$second @@ -430,7 +430,7 @@ find_interface_by_mac() { # Determine if Interface is up # interface_is_up() { - [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] + [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] } # @@ -442,7 +442,7 @@ find_first_interface_address() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) + addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1) # # If there wasn't one, bail out now # 
@@ -459,7 +459,7 @@ find_first_interface_address_if_any() # $1 = interface # # get the line of output containing the first IP address # - addr=$(ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1) + addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1) # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line @@ -481,7 +481,7 @@ interface_is_usable() # $1 = interface # find_interface_addresses() # $1 = interface { - ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' } # @@ -490,7 +490,7 @@ find_interface_addresses() # $1 = interface find_interface_full_addresses() # $1 = interface { - ip -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' } # @@ -501,7 +501,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message local address local rest - ip -6 route show dev $1 2> /dev/null | + $IP -6 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) @@ -756,11 +756,11 @@ detect_gateway() # $1 = interface # # First assume that this is some sort of point-to-point interface # - gateway=$( find_peer $(ip -6 addr list $interface ) ) + gateway=$( find_peer $($IP -6 addr list $interface ) ) # # Maybe there's a default route through this gateway already # - [ -n "$gateway" ] || gateway=$(find_gateway $(ip -6 route list dev $interface | grep '^default')) + [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default')) # # Last hope -- is there a load-balancing route through the interface? # 
@@ -788,8 +788,8 @@ truncate() # $1 = length delete_tc1() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + $TC qdisc del dev $1 root 2> /dev/null + $TC qdisc del dev $1 ingress 2> /dev/null } @@ -813,7 +813,7 @@ delete_tc1() get_device_mtu() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) @@ -829,7 +829,7 @@ get_device_mtu() # $1 = device get_device_mtu1() # $1 = device { local output - output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then @@ -886,11 +886,11 @@ restore_default_route() { # # Don't restore a route with a metric -- we only replace the one with metric == 0 # - qt ip -6 route delete default metric 0 && \ + qt $IP -6 route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) - qt ip -6 route replace $default_route && \ + qt $IP -6 route replace $default_route && \ result=0 && \ progress_message "Default Route (${default_route# }) restored" ;; @@ -932,27 +932,6 @@ find_echo() { echo echo } -# -# Determine the MAC address of the passed IP through the passed interface -# -find_mac() # $1 = IP address, $2 = interface -{ - if interface_is_usable $2 ; then - qt ping -nc 1 -t 2 -I $2 $1 - - local result - result=$(ip neigh list | awk "/^$1 / {print \$5}") - - case $result in - \<*\>) - ;; - *) - [ -n "$result" ] && echo $result - ;; - esac - fi -} - # # Flush the conntrack table if $PURGE is non-empty # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index e7eb72975..d3af28524 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -10,6 +10,8 @@ Changes in Shorewall 4.3.9 5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt +6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf. + Changes in Shorewall 4.3.8 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 70ca42791..558184d3d 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -70,6 +70,12 @@ LOG_MARTIANS=Yes IPTABLES= +IP= + +TC= + +IPSET= + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c09f6aa86..a8d4b8785 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -117,6 +117,20 @@ None. 2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and hence will now start successfully when running on that kernel. +3) Three new options (IP, TC and IPSET) have been added to + shorewall.conf and shorwall6.conf. These options specify the name + of the executable for the 'ip', 'tc' and 'ipset' utilities + respectively. + + If not specified, the default values are: + + IP=ip + TC=tc + IPSET=ipset + + In other words, the utilities will be located via the current PATH + setting. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index 7ac94debc..238b92d4e 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf @@ -58,6 +58,12 @@ SMURF_LOG_LEVEL=info IP6TABLES= +IP= + +TC= + +IPSET= + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 5b02e9212..ffa69d22f 100644 --- a/manpages/shorewall.conf.xml 
+++ b/manpages/shorewall.conf.xml @@ -661,6 +661,17 @@ net all DROP infothen the chain name is 'net2all' + + IP=[pathname] + + + If specified, gives the pathname of the 'ip' executable. If + not specified, 'ip' is assumed and the utility will be located using + the current PATH setting. + + + IP_FORWARDING=[On|then the chain name is 'net2all' - IPSECFILE={zones|ipsec} + IPSET=[pathname] - This should be set to zones - for all new Shorewall installations. IPSECFILE=ipsec is only used - for compatibility with pre-Shorewall-3.0 configurations. + If specified, gives the pathname of the 'ipset' executable. If + not specified, 'ipset' is assumed and the utility will be located + using the current PATH setting. @@ -1504,6 +1514,17 @@ net all DROP infothen the chain name is 'net2all' + + TC=[pathname] + + + If specified, gives the pathname of the 'tc' executable. If + not specified, 'tc' is assumed and the utility will be located using + the current PATH setting. + + + TC_ENABLED=[Yes|then the chain name is 'net2all' + + IP=[pathname] + + + If specified, gives the pathname of the 'ip' executable. If + not specified, 'ip' is assumed and the utility will be located using + the current PATH setting. + + + IP_FORWARDING=[On|then the chain name is 'net2all' Shorewall6 will neither enable nor disable packet - forwarding. + forwarding - -
If this variable is not set or is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed. @@ -581,6 +590,17 @@ net all DROP infothen the chain name is 'net2all' + + IPSET=[pathname] + + + If specified, gives the pathname of the 'ipset' executable. If + not specified, 'ipset' is assumed and the utility will be located + using the current PATH setting. + + + KEEP_RT_TABLES={Yes|No} @@ -1056,6 +1076,17 @@ net all DROP infothen the chain name is 'net2all' + + TC=[pathname] + + + If specified, gives the pathname of the 'tc' executable. If + not specified, 'tc' is assumed and the utility will be located using + the current PATH setting. + + + TC_ENABLED=[Yes|