diff --git a/Shorewall-shell/COPYING b/Shorewall-shell/COPYING deleted file mode 100644 index 2ba72d57f..000000000 --- a/Shorewall-shell/COPYING +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) 19yy - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) 19yy name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/Shorewall-shell/INSTALL b/Shorewall-shell/INSTALL deleted file mode 100644 index d6566da04..000000000 --- a/Shorewall-shell/INSTALL +++ /dev/null @@ -1,48 +0,0 @@ -Shoreline Firewall (Shorewall) Version 3.4 ------ ---- - ------------------------------------------------------------------------------ - - This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General Public License - as published by the Free Software Foundation. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - ---------------------------------------------------------------------------- -If your system supports rpm, I recommend that you install the Shorewall -.rpm. If you want to install from the tarball: - -o Unpack the tarball -o cd to the shorewall- directory -o If you have an earlier version of Shoreline Firewall installed,see the - upgrade instructions below -o Type: - - ./install.sh - -o Edit the configuration files in /etc/shorewall/ to fit your environment. - - To do this, I strongly advise you to follow the instructions at: - - http://www.shorewall.net/shorewall_quickstart_guide.htm - -o Start the firewall by typing "shorewall start" -o If the install script was unable to configure Shoreline Firewall to - start automatically at boot, you will have to used your - distribution's runlevel editor to configure Shorewall manually. - -Upgrade: - -o run the install script as described above. -o "shorewall check" and correct any errors found. -o "shorewall restart" - - 
diff --git a/Shorewall-shell/README.txt b/Shorewall-shell/README.txt deleted file mode 100644 index 0f0ff527c..000000000 --- a/Shorewall-shell/README.txt +++ /dev/null @@ -1 +0,0 @@ -This is the Shorewall-shell Stable 4.2 branch of SVN. diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler deleted file mode 100755 index c57481f67..000000000 --- a/Shorewall-shell/compiler +++ /dev/null 
@@ -1,6022 +0,0 @@ -#!/bin/sh -# -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# Commands are: -# -# compile check Verify the configuration files. -# compile compile Compile into -# -# Environmental Variables: -# -# EXPORT=Yes -e option specified to /sbin/shorewall -# SHOREWALL_DIR A directory name was passed to /sbin/shorewall -# VERBOSE Standard Shorewall verbosity control. - -BASE_VERSION=40000 -BASE_VERSION_PRINTABLE=4.0.0 -CONFIG_VERSION=40000 -CONFIG_VERSION_PRINTABLE=4.0.0 - -# -# Fatal error -- stops the compiler after issuing the error message -# -fatal_error() # $* = Error Message -{ - echo " ERROR: $@" >&2 - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$OUTPUT" ] && rm -f $OUTPUT - kill $$ - exit 2 -} - -# -# We include this for compatibility with the 'firewall' script. 
That script -# distinguishes between Fatal Errors (stop or restore required) and Startup -# Errors (errors detected before the firewall state has been changed. This -# allows us to use common parsing routines in both programs. -# -startup_error() -{ - echo " ERROR: $@" >&2 - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$OUTPUT" ] && rm -f $OUTPUT - kill $$ - exit 2 -} - -# -# Write the passed args to the compiler output file. -# -save_command() -{ - [ $# -gt 0 ] && echo "${INDENT}${@}" >&3 || echo >&3 -} - -save_command_unindented() -{ - echo "${@}" >&3 -} - -# -# Write a progress_message2 command to the output file. -# -save_progress_message() -{ - echo >&3 - echo "${INDENT}progress_message2 \"$@\"" >&3 - echo >&3 -} - -save_progress_message_short() -{ - echo "${INDENT}progress_message \"$@\"" >&3 -} - -progress_message_and_save() -{ - progress_message "$@" - echo "${INDENT}progress_message \"$@\"" >&3 -} - -# -# Echo the contents of the passed file indented by $INDENT -# -indent() { - if [ -n "$INDENT" ]; then - eval sed \'s\/^/"$INDENT"\/\' $1 - else - cat $1 - fi -} - -# -# Echo the contents of the passed file indented by $INDENT while handling line -# continuation -# -indent1() { - if [ -n "$INDENT" ]; then - if [ -n "$HAVEAWK" ]; then - eval awk \''BEGIN { indent=1; }; /^[[:space:]]*$/ { print ""; indent=1; next; }; { if (indent == 1) print "'"$INDENT"'" $0; else print; }; { indent=1; }; /\\$/ { indent=0; };'\' $1 - else - eval sed \'s\/^/"$INDENT"\/\' $1 - fi - else - cat $1 - fi -} - -# -# Append a file to the compiler's output with indentation. -# -append_file() # $1 = File Name -{ - local user_exit - user_exit=$(find_file $1) - - case $user_exit in - $SHAREDIR/*) - # - # Don't copy files from /usr/share/shorewall into the compiled script - # - ;; - *) - if [ -f $user_exit ]; then - save_progress_message "Processing $user_exit ..." 
- indent1 $user_exit >&3 - save_command - fi - ;; - esac -} - -# -# Generate a command to run iptables -# -do_iptables() { - save_command \$IPTABLES $@ -} - -# -# Generate an IPTABLES command. Include hacks to work around iptables limitations -# -run_iptables() { - if [ -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - - save_command "$IPTABLES_COMMAND $@" -} - -# -# Version of 'run_iptables' that inserts white space after "!" in the arg list -# -run_iptables2() { - if [ -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - - save_command run_iptables $(fix_bang $@) -} - -# -# Generate command to quietly run iptables -# -qt_iptables() { - if [ -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - - save_command qt \$IPTABLES $@ -} - -# -# Generate a command to run tc -# -run_tc() { - save_command run_tc $@ -} - -# -# Add the implicit ACCEPT rules at the end of a rules file section -# -finish_chain_section() # $1 = canonical chain $2 = state list -{ - local policy - local policychain - - [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT - - if list_search RELATED $(separate_list $2) ; then - if is_policy_chain $1 ; then - if eval test -n \"\$${1}_synparams\" ; then - if [ $SECTION = DONE ]; then - eval policy=\$${1}_policy - - case $policy in - ACCEPT|CONTINUE|QUEUE) - 
run_iptables -A $1 -p tcp --syn -j @$1 - ;; - esac - else - run_iptables -A $1 -p tcp --syn -j @$1 - fi - fi - else - eval policychain=\$${1}_policychain - - if eval test -n \"\$${policychain}_synparams\" ; then - run_iptables -A $1 -p tcp --syn -j @$policychain - fi - fi - fi -} - -finish_section() # $1 = Section(s) -{ - local zone - local zone1 - local chain - - for zone in $ZONES $FW; do - for zone1 in $ZONES $FW; do - chain=${zone}2${zone1} - if havechain $chain; then - finish_chain_section $chain $1 - fi - done - done -} - -# -# Create a filter chain -# -# If the chain isn't one of the common chains then add a rule to the chain -# allowing packets that are part of an established connection. Create a -# variable exists_${1} and set its value to Yes to indicate that the chain now -# exists. -# -createchain() # $1 = chain name, $2 = If "yes", do section-end processing -{ - local c - c=$(chain_base $1) - - run_iptables -N $1 - - if [ $2 = yes ]; then - case $SECTION in - NEW|DONE) - finish_chain_section $1 ESTABLISHED,RELATED - ;; - RELATED) - finish_chain_section $1 ESTABLISHED - ;; - esac - fi - - eval exists_${c}=Yes -} - -# -# This version creates the chain if it doesn't already exist -# -createchain2() # $1 = chain name, $2 = If "yes", create default rules -{ - local c - c=$(chain_base $1) - - ensurechain $1 - - if [ $2 = yes ]; then - case $SECTION in - NEW|DONE) - finish_chain_section $1 ESTABLISHED,RELATED - ;; - RELATED) - finish_chain_section $1 ESTABLISHED - ;; - esac - fi - - eval exists_${c}=Yes -} - -# -# Determine if a chain exists -# -# When we create a chain "x", we create a variable named exists_x and -# set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". 
-# -havechain() # $1 = name of chain -{ - local c - c=$(chain_base $1) - - eval test \"\$exists_${c}\" = Yes -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurechain() # $1 = chain name -{ - havechain $1 || createchain $1 yes -} - -ensurechain1() # $1 = chain name -{ - havechain $1 || createchain $1 no -} - -# -# Add a rule to a chain creating the chain if necessary -# -addrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables -A $@ -} - -addrule2() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables2 -A $@ -} - -# -# Create a mangle chain -# -# Create a variable exists_mangle_${1} and set its value to Yes to indicate that -# the chain now exists. -# -createmanglechain() # $1 = chain name -{ - run_iptables -t mangle -N $1 - - eval exists_mangle_${1}=Yes -} - -# -# Determine if a mangle chain exists -# -# When we create a chain "chain", we create a variable named exists_nat_chain -# and set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havemanglechain() # $1 = name of chain -{ - eval test \"\$exists_mangle_${1}\" = Yes -} - -# -# Ensure that a mangle chain exists (create it if it doesn't) -# -ensuremanglechain() # $1 = chain name -{ - havemanglechain $1 || createmanglechain $1 -} - -# -# Create a nat chain -# -# Create a variable exists_nat_${1} and set its value to Yes to indicate that -# the chain now exists. -# -createnatchain() # $1 = chain name -{ - run_iptables -t nat -N $1 - - eval exists_nat_${1}=Yes -} - -# -# Determine if a nat chain exists -# -# When we create a chain "chain", we create a variable named exists_nat_chain -# and set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". 
-# -havenatchain() # $1 = name of chain -{ - eval test \"\$exists_nat_${1}\" = Yes -} - -# -# Ensure that a nat chain exists (create it if it doesn't) -# -ensurenatchain() # $1 = chain name -{ - havenatchain $1 || createnatchain $1 -} - -# -# Add a rule to a nat chain creating the chain if necessary - -# -addnatrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurenatchain $1 - run_iptables2 -t nat -A $@ -} - -# -# Create a rule to delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - save_command "qt \$IPTABLES -L $1 -n && qt \$IPTABLES -F $1 && qt \$IPTABLES -X $1" -} - -# -# validate the policy file -# -validate_policy() -{ - local clientwild - local serverwild - local zone - local zone1 - local pc - local chain - local policy - local loglevel - local synparams - local parents - local default - local var - - print_policy() # $1 = source zone, $2 = destination zone - { - [ $1 = $2 ] || \ - [ $1 = all ] || \ - [ $2 = all ] || \ - progress_message " Policy for $1 to $2 is $policy using chain $chain" - } - - for var in DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT; do - eval default=\$$var - - case $default in - none) - ;; - *) - if ! list_search $default $USEDACTIONS; then - if ! list_search $default $DEFAULT_MACROS; then - if [ ! 
-f $(find_file macro.$default) ]; then - fatal_error "Default Action/Macro $var=$default not found" - fi - DEFAULT_MACROS="$DEFAULT_MACROS $default" - fi - fi - esac - done - - ALL_POLICY_CHAINS= - - for zone in $ZONES $FW; do - chain=${zone}2${zone} - eval ${chain}_is_policy=Yes - eval ${chain}_is_optional=Yes - eval ${chain}_policy=ACCEPT - eval ${chain}_policychain=$chain - ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" - - if [ -n "$IMPLICIT_CONTINUE" ]; then - eval parents=\$${zone}_parents - if [ -n "$parents" ]; then - for zone1 in $ZONES $FW; do - if [ $zone != $zone1 ]; then - chain=${zone}2${zone1} - eval ${chain}_is_policy=Yes - eval ${chain}_is_optional=Yes - eval ${chain}_policy=CONTINUE - eval ${chain}_policychain=$chain - ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" - chain=${zone1}2${zone} - eval ${chain}_is_policy=Yes - eval ${chain}_is_optional=Yes - eval ${chain}_policy=CONTINUE - eval ${chain}_policychain=$chain - ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" - fi - done - fi - fi - done - - while read client server policy loglevel synparams; do - clientwild= - serverwild= - - case "$client" in - all|ALL) - clientwild=Yes - ;; - *) - if ! validate_zone $client; then - fatal_error "Undefined zone $client" - fi - esac - - case "$server" in - all|ALL) - serverwild=Yes - ;; - *) - if ! validate_zone $server; then - fatal_error "Undefined zone $server" - fi - esac - - default= - - case $policy in - *:None|*:none) - default=none - ;; - *:*) - default=${policy#*:} - if list_search $default $ACTIONS; then - if ! list_search $default $USEDACTIONS; then - USEDACTIONS="$USEDACTIONS $default" - fi - elif ! 
list_search $default $DEFAULT_MACROS; then - [ -f $(find_file macro.${default}) ] || fatal_error "$client $server $policy $loglevel $synparams: Default Macro $default not found" - DEFAULT_MACROS="$DEFAULT_MACROS $default" - fi - ;; - *) - ;; - esac - - case ${policy%:*} in - DROP) - [ -n "${default:=$DROP_DEFAULT}" ] - ;; - REJECT) - [ -n "${default:=$REJECT_DEFAULT}" ] - ;; - ACCEPT) - [ -n "${default:=$ACCEPT_DEFAULT}" ] - ;; - CONTINUE) - ;; - QUEUE) - [ -n "${default:=$QUEUE_DEFAULT}" ] - ;; - NONE) - [ "$client" = "$FW" -o "$server" = "$FW" ] && \ - fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" - - [ -n "$clientwild" -o -n "$serverwild" ] && \ - fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" - ;; - *) - fatal_error "Invalid policy $policy" - ;; - esac - - chain=${client}2${server} - - if is_policy_chain $chain ; then - if eval test -n \"\$${chain}_is_optional\" ; then - eval ${chain}_is_optional= - else - fatal_error "Duplicate policy: $client $server $policy" - fi - fi - - [ "x$loglevel" = "x-" ] && loglevel= - [ "x$synparams" = "x-" ] && synparams= - - policy=${policy%:*} - - [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" - - eval ${chain}_is_policy=Yes - eval ${chain}_policy=$policy - eval ${chain}_loglevel=$loglevel - eval ${chain}_synparams=$synparams - eval ${chain}_default=$default - - if [ -n "${clientwild}" ]; then - if [ -n "${serverwild}" ]; then - for zone in $ZONES $FW all; do - for zone1 in $ZONES $FW all; do - eval pc=\$${zone}2${zone1}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${zone1}_policychain=$chain - eval ${zone}2${zone1}_policy=$policy - print_policy $zone $zone1 - fi - done - done - else - for zone in $ZONES $FW all; do - eval pc=\$${zone}2${server}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${server}_policychain=$chain - eval ${zone}2${server}_policy=$policy - print_policy $zone 
$server - fi - done - fi - elif [ -n "$serverwild" ]; then - for zone in $ZONES $FW all; do - eval pc=\$${client}2${zone}_policychain - - if [ -z "$pc" ]; then - eval ${client}2${zone}_policychain=$chain - eval ${client}2${zone}_policy=$policy - print_policy $client $zone - fi - done - else - eval ${chain}_policychain=${chain} - print_policy $client $server - fi - - done < $TMP_DIR/policy -} - -# -# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface -# the function returns nothing for that interface -# -find_broadcasts() { - for interface in $ALL_INTERFACES; do - eval bcast=\$$(chain_base $interface)_broadcast - if [ "x$bcast" != "xdetect" -a "x${bcast}" != "x-" ]; then - echo $(separate_list $bcast) - fi - done -} - -# -# Find interfaces with BROADCAST=detect -# -find_bcastdetect_interfaces() { - for interface in $ALL_INTERFACES; do - eval bcast=\$$(chain_base $interface)_broadcast - [ "x$bcast" = "xdetect" ] && echo $interface - done -} - -# -# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING -# -setup_forwarding() { - - progress_message2 "Compiling IP Forwarding..." - - case "$IP_FORWARDING" in - On|on|ON|Yes|yes|YES) - save_progress_message "IP Forwarding Enabled" - save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" - save_command "" - ;; - Off|off|OFF|No|no|NO) - save_progress_message "IP Forwarding Disabled!" - save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" - save_command "" - ;; - esac -} - -# -# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to -# enable traffic to/from those hosts. 
-# -enable_critical_hosts() -{ - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done -} - -# -# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that -# enable traffic to/from those hosts. -# -disable_critical_hosts() -{ - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - do_iptables -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - do_iptables -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done -} - -# -# Logging Rules -# -log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local displayChain - displayChain=$3 - local disposition - disposition=$4 - local rulenum - rulenum= - local limit - limit= - local tag - tag=$6 - local command - command=${7:--A} - local prefix - local base - base=$(chain_base $displayChain) - - limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. - - shift 7 - - save_command "do_log_rule_limit \"$level\" \"$chain\" \"$displayChain\" \"$disposition\" \"$limit\" \"$tag\" \"$command\" $(fix_bang $@)" -} - -log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule -{ - local level - level=$1 - local chain - chain=$2 - local disposition - disposition=$3 - - shift 3 - - log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ -} - -# -# Set up SYN flood protection -# -setup_syn_flood_chain () - # $1 = policy chain - # $2 = synparams - # $3 = loglevel -{ - local chain - chain=@$1 - local limit - limit=$2 - local limit_burst - limit_burst= - - case $limit in - *:*) - limit_burst="--limit-burst ${limit#*:}" - limit=${limit%:*} - ;; - esac - - if ! havechain $chain ; then - createchain $chain no - run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN - [ -n "$3" ] && \ - log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" "" - run_iptables -A $chain -j DROP - fi -} - -setup_syn_flood_chains() -{ - for chain in $ALL_POLICY_CHAINS; do - eval loglevel=\$${chain}_loglevel - eval synparams=\$${chain}_synparams - - [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel - done -} - -# -# Delete existing Proxy ARP -# -delete_proxy_arp() { - indent >&3 << __EOF__ -if [ -s \${VARDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i \$external -d \$address pub - [ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface - done < \${VARDIR}/proxyarp - - for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp - done -fi - -rm -f \${VARDIR}/proxyarp - -__EOF__ - - [ -d $STATEDIR ] && touch $STATEDIR/proxyarp - - } - -# -# Delete existing Static NAT -# -delete_nat() { - run_iptables -t nat -F - run_iptables -t nat -X - - [ -d $STATEDIR ] && touch $STATEDIR/nat - - indent >&3 << __EOF__ - -if [ -f \${VARDIR}/nat ]; then - while read external interface; do - del_ip_addr \$external \$interface - done < \${VARDIR}/nat - - rm -f \${VARDIR}/nat -fi - -__EOF__ -} - -# -# Setup ECN disabling rules -# -setup_ecn() # $1 = file name -{ - local interfaces - 
interfaces="" - local hosts - hosts= - local h - - if [ -s ${TMP_DIR}/ecn ]; then - save_progress_message "Setting up ECN..." - - progress_message2 "$DOING $1..." - - while read interface host; do - list_search $interface $ALL_INTERFACES || \ - fatal_error "Unknown interface $interface" - list_search $interface $interfaces || \ - interfaces="$interfaces $interface" - [ "x$host" = "x-" ] && host= - for h in $(separate_list ${host:-0.0.0.0/0}); do - hosts="$hosts $interface:$h" - done - done < $TMP_DIR/ecn - - if [ -n "$interfaces" ]; then - progress_message "$DOING ECN control on${interfaces}..." - - for interface in $interfaces; do - chain=$(ecn_chain $interface) - if havemanglechain $chain; then - flushmangle $chain - else - createmanglechain $chain - run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain - run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain - fi - done - - for host in $hosts; do - interface=${host%:*} - h=${host#*:} - run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove - progress_message_and_save " ECN Disabled to $h through $interface" - done - fi - fi -} - -# -# Set up an exclusion chain -# -build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list -{ - local c - c=excl_${EXCLUSION_SEQ} - local net - - EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) - - run_iptables -t $2 -N $c - - for net in $(separate_list $3); do - run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN - done - - for net in $(separate_list $4); do - run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN - done - - case $2 in - filter) - eval exists_${c}=Yes - ;; - nat) - eval exists_nat_${c}=Yes - ;; - esac - - eval $1=$c -} - -# -# Setup queuing and classes -# -setup_tc1() { - local mark_part - mark_part= - local comment - comment= - # - # Create the TC mangle chains - # - - createmanglechain tcpre - - if [ -n 
"$MANGLE_FORWARD" ]; then - createmanglechain tcfor - createmanglechain tcpost - fi - - createmanglechain tcout - # - # Process the TC Rules File - # - if [ -s $TMP_DIR/tcrules ]; then - save_progress_message "Setting up TC Rules..." - save_command setup_tc_rules - save_command - - fi - # - # Just in case the file ended with a comment - # - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - save_command - fi - # - # Link to the TC mangle chains from the main chains - # - - # - # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send - # packets that are not part of a marked connection to the 'tcpre/tcout' chains. - # - if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then - [ -n "$HIGH_ROUTE_MARKS" ] && mark_part="-m mark --mark 0/0xFF00" || mark_part="-m mark --mark 0/0xFF" - # - # But let marks in tcpre override those assigned by 'track' - # - for interface in $ROUTEMARK_INTERFACES; do - run_iptables -t mangle -A PREROUTING -i $interface -j tcpre - done - fi - - run_iptables -t mangle -A PREROUTING $mark_part -j tcpre - run_iptables -t mangle -A OUTPUT $mark_part -j tcout - - if [ -n "$MANGLE_FORWARD" ]; then - run_iptables -t mangle -A FORWARD -j tcfor - run_iptables -t mangle -A POSTROUTING -j tcpost - fi - - if [ -n "$HIGH_ROUTE_MARKS" ]; then - for chain in INPUT FORWARD POSTROUTING; do - run_iptables -t mangle -I $chain -j MARK --and-mark 0xFF - done - fi - - if [ -n "$TC_SCRIPT" ]; then - save_progress_message "Setting up Traffic Control..." - append_file $TC_SCRIPT - elif [ "$TC_ENABLED" = Internal ]; then - if [ -n "$LIB_tc_LOADED" ]; then - save_command - save_command setup_traffic_shaping - save_command - fi - fi -} - -setup_tc() { - - progress_message2 "$DOING Traffic Control Rules..." 
- - setup_tc1 -} - -# -# Clear Traffic Shaping -# -delete_tc() -{ - save_progress_message "Clearing Traffic Control/QOS" - - append_file tcclear - - indent >&3 << __EOF__ -ip link list | while read inx interface details; do - case \$inx in - [0-9]*) - qt tc qdisc del dev \${interface%:} root - qt tc qdisc del dev \${interface%:} ingress - ;; - *) - ;; - esac -done -__EOF__ -} - -# -# Refresh queuing and classes -# -refresh_tc() { - - local comment - comment= - - if [ -n "$CLEAR_TC" ]; then - delete_tc - save_command - fi - - [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre - - # - # Flush the TC mangle chains - # - - if [ -n "$MANGLE_FORWARD" ]; then - run_iptables -t mangle -F tcfor - run_iptables -t mangle -F tcpost - fi - - run_iptables -t mangle -F tcpre - run_iptables -t mangle -F tcout - # - # Remove all exclusion chains from the mangle table - # - indent >&3 << __EOF__ - -\$IPTABLES -t mangle -L -n | grep '^Chain excl_' | while read junk chain rest; do - run_iptables -t mangle -F \$chain - run_iptables -t mangle -X \$chain -done - -__EOF__ - # - # Process the TC Rules File - # - if [ -s $TMP_DIR/tcrules ]; then - save_progress_message "Refreshing Traffic Control Rules..." 
- - save_command setup_tc_rules - save_command - fi - # - # Just in case the file ended with a comment - # - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - save_command - fi - - if [ -n "$TC_SCRIPT" ]; then - save_progress_message "Refreshing Traffic Shaping" - run_user_exit $TC_SCRIPT - elif [ "$TC_ENABLED" = Internal -a -n "$LIB_tc_LOADED" ]; then - save_command - save_command setup_traffic_shaping - save_command - fi -} - -# -# Compile refresh of the firewall -# -compile_refresh_firewall() -{ - local INDENT - INDENT="" - local DOING - DOING="Compiling Refresh of" - local DONE - DONE="Compiled" - local indent - - save_command "refresh_firewall()" - save_command "{" - INDENT=" " - - append_file refresh - - # - # Blacklist - # - save_command "if chain_exists blacklst; then" - indent="$INDENT" - INDENT="$INDENT " - - save_command progress_message2 \"Refreshing Black List...\" - run_iptables -F blacklst - - [ -s ${TMP_DIR}/blacklist ] && save_command load_blacklist - - INDENT="$indent" - save_command "fi" - - ecn=$(find_file ecn) - - if [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ]; then - setup_ecn $ecn - fi - # - # Refresh Traffic Control - # - [ -n "$MANGLE_ENABLED" ] && refresh_tc - - append_file refreshed - - save_command "[ \$0 = \${VARDIR}/.restore ] || cp -f \$(my_pathname) \${VARDIR}/.restore" - - INDENT="" - - save_command "}" - save_command - -} - -# -# Source the extension script for an action, if any -# -process_action_file() # $1 = File Name -{ - if ! list_search $1 $BUILTIN_ACTIONS; then - local user_exit - user_exit=$(find_file $1) - - if [ -f $user_exit ]; then - progress_message "Processing $user_exit ..." - - . $user_exit - fi - fi -} - -# -# Create and record a log action chain -- Log action chains have names -# that are formed from the action name by prepending a "%" and appending -# a 1- or 2-digit sequence number. In the functions that follow, -# the CHAIN, LEVEL and TAG variable serves as arguments to the user's -# exit. 
We call the exit corresponding to the name of the action but we -# set CHAIN to the name of the iptables chain where rules are to be added. -# Similarly, LEVEL and TAG contain the log level and log tag respectively. -# -# For each , we maintain two variables: -# -# _actchain - The action chain number. -# _chains - List of ( level[:tag] , chainname ) pairs -# -# The maximum length of a chain name is 30 characters -- since the log -# action chain name is 2-3 characters longer than the base chain name, -# this function truncates the original chain name where necessary before -# it adds the leading "%" and trailing sequence number. - -createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] -{ - local actchain - actchain= - local action - action=$1 - local level - level=$2 - - eval actchain=\${${action}_actchain} - - case ${#action} in - 29|30) - CHAIN=$(echo $action | truncate 28) # %...n makes 30 - ;; - *) - CHAIN=${action} - ;; - esac - - while havechain %${CHAIN}${actchain}; do - actchain=$(($actchain + 1)) - [ $actchain -eq 10 -a ${#CHAIN} -eq 28 ] && CHAIN=$(echo $CHAIN | truncate 27) # %...nn makes 30 - done - - CHAIN=%${CHAIN}${actchain} - - eval ${action}_actchain=$(($actchain + 1)) - - createchain $CHAIN No - LEVEL=${level%:*} - if [ "$LEVEL" != "$level" ]; then - TAG=${level#*:} - else - TAG= - fi - - [ none = "${LEVEL%\!}" ] && LEVEL= - - process_action_file $1 - - eval ${action}_chains=\"\$${action}_chains $level $CHAIN\" - -} - -# -# Create an action chain and run it's associated user exit -# - -createactionchain() # $1 = Action, including log level and tag if any -{ - create_simple_chain() - { - CHAIN=$1 - LEVEL= - TAG= - createchain $CHAIN no - - process_action_file $CHAIN - } - - case $1 in - *::*) - fatal_error "Invalid ACTION $1" - ;; - *:*:*) - set -- $(split $1) - createlogactionchain $1 $2:$3 - ;; - *:) - create_simple_chain ${1%:*} - ;; - *:*) - set -- $(split $1) - - if [ "x$2" = xnone ]; then - create_simple_chain $1 - else - 
createlogactionchain $1 $2 - fi - ;; - *) - create_simple_chain $1 - ;; - esac -} - -# -# Find the chain that handles the passed action. If the chain cannot be found, -# a fatal error is generated and the function does not return. -# -find_logactionchain() # $1 = Action, including log level and tag if any -{ - local fullaction - fullaction=$1 - local action - action=${1%%:*} - local level - level= - local chains - chains= - - find_simpleaction() { - havechain $action || fatal_error "Fatal error in find_logactionchain" - echo $action - } - - case $fullaction in - *:) - find_simpleaction - return - ;; - *:*) - level=${fullaction#*:} - if [ "x$level" = xnone ]; then - find_simpleaction - return - fi - ;; - *) - find_simpleaction - return - ;; - esac - - eval chains="\$${action}_chains" - - set -- $chains - - while [ $# -gt 0 ]; do - [ "$1" = "$level" ] && { echo $2 ; return ; } - shift 2 - done - - fatal_error "Fatal error in find_logactionchain" - -} - -# -# This function determines the logging for a subordinate action or a rule within a subordinate action -# -merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called -{ - local superior - superior=$1 - local subordinate - subordinate=$2 - - set -- $(split $1) - - case $superior in - *:*:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!':$3 - return - ;; - *'!') - echo ${subordinate%%:*}:$2:$3 - return - ;; - *) - case $subordinate in - *:*:*) - echo $subordinate - return - ;; - *:*) - echo $subordinate:$3 - return - ;; - *) - echo ${subordinate%%:*}:$2:$3 - return - ;; - esac - ;; - esac - ;; - *:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' - return - ;; - *'!') - echo ${subordinate%%:*}:$2 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2 - return - ;; - esac - ;; - esac - ;; - *) - echo $subordinate - ;; - esac -} - -# -# Define the builtin actions. 
They are available even when USE_ACTIONS=No -# -define_builtin_actions() { - ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP Limit" - BUILTIN_ACTIONS="$ACTIONS" - USEDACTIONS= -} - -# -# This function maps old action names into their new macro equivalents -# -map_old_action() # $1 = Potential Old Action -{ - local macro - macro= - local aktion - - if [ -n "$MAPOLDACTIONS" ]; then - case $1 in - */*) - echo $1 - return - ;; - *) - if [ -f $(find_file macro.$1) ]; then - echo $1 - return - fi - - case $1 in - Allow*) - macro=${1#*w} - aktion=ACCEPT - ;; - Drop*) - macro=${1#*p} - aktion=DROP - ;; - Reject*) - macro=${1#*t} - aktion=REJECT - ;; - *) - echo $1 - return - ;; - esac - esac - - if [ -f $(find_file macro.$macro) ]; then - echo $macro/$aktion - return - fi - fi - - echo $1 -} - -# This function substitutes the second argument for the first part of the first argument up to the first colon (":") -# -# Example: -# -# substitute_action DNAT PARAM:info:FTP -# -# produces "DNAT:info:FTP" -# -substitute_action() # $1 = parameter, $2 = action -{ - local logpart - logpart=${2#*:} - - case $2 in - *:*) - echo $1:${logpart%/} - ;; - *) - echo $1 - ;; - esac -} - -# -# Third phase of action processing. It needs to be here in the compiler because -# it handles builtin actions. 
-# -process_actions3() -{ - for xaction in $USEDACTIONS; do - # - # Find the chain associated with this action:level:tag - # - xchain=$(find_logactionchain $xaction) - # - # Split the action:level:tag - # - set -- $(split $xaction) - - xaction1=$1 - xlevel=$2 - xtag=$3 - - case $xlevel in - none|none'!') - ylevel= - ;; - *) - ylevel=$xlevel; - ;; - esac - - save_progress_message "Creating action chain $xaction1" - - # - # Handle Builtin actions - # - case $xaction1 in - dropBcast) - if [ -n "$USEPKTTYPE" ]; then - if [ -n "$ylevel" ]; then - log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast - fi - - run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP - else - for interface in $(find_bcastdetect_interfaces); do - indent >&3 << __EOF__ - -ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do -__EOF__ - [ -n "$ylevel" ] && indent >&3 << __EOF__ - log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address -__EOF__ - indent >&3 << __EOF__ - run_iptables -A $xchain -d \$address -j DROP -done - -__EOF__ - done - - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address - - run_iptables -A $xchain -d $address -j DROP - done - fi - ;; - allowBcast) - if [ -n "$USEPKTTYPE" ]; then - if [ -n "$ylevel" ]; then - log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast - fi - - run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT - run_iptables -A allowBcast -m pkttype --pkt-type multicast 
-j ACCEPT - else - for interface in $(find_bcastdetect_interfaces); do - indent >&3 << __EOF__ - -ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do -__EOF__ - [ -n "$ylevel" ] && indent >&3 << __EOF__ - log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address -__EOF__ - - indent >&3 << __EOF__ - run_iptables -A $xchain -d \$address -j ACCEPT -done - -__EOF__ - done - - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address - - run_iptables -A $xchain -d $address -j ACCEPT - done - fi - ;; - dropNotSyn) - [ -n "$ylevel" ] && \ - log_rule_limit ${ylevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j DROP - ;; - rejNotSyn) - [ -n "$ylevel" ] && \ - log_rule_limit ${ylevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! 
--syn -j REJECT --reject-with tcp-reset - ;; - dropInvalid) - [ -n "$ylevel" ] && \ - log_rule_limit ${ylevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j DROP - ;; - allowInvalid) - [ -n "$ylevel" ] && \ - log_rule_limit ${ylevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j ACCEPT - ;; - forwardUPnP) - ;; - allowinUPnP) - if [ -n "$ylevel" ]; then - log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 - log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 - fi - - run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT - run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT - ;; - allowoutUPnP) - [ -n "$ylevel" ] && \ - log_rule_limit ${ylevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd - run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT - ;; - Limit) - set -- $(separate_list $xtag) - - [ $# -eq 3 ] || fatal_error "Limit rules must include ,, as the log tag" - - run_iptables -A $xchain -m recent --name $1 --set - - if [ -n "$ylevel" ]; then - run_iptables -N $xchain% - log_rule_limit $ylevel $xchain% $1 DROP "" "" -A - run_iptables -A $xchain% -j DROP - run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain% - else - run_iptables -A $xchain -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP - fi - - run_iptables -A $xchain -j ACCEPT - ;; - *) - # - # Not a builtin - # - process_action3 - ;; - esac - done -} - -# -# Add one Filter Rule -# -# The caller has established the following variables: -# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if 
appropriate -# servport = Port the server listens on -# chain = The canonical chain for this rule -# logchain = The chain that should be mentioned in log messages -# ratelimit = Optional rate limiting clause -# userandgroup = -m owner clause -# userspec = User name -# mark = Packet mark -# logtag = Log tag -# policy = Applicable Policy -# -add_a_rule() { - local natrule - natrule= - - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - rule_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - handle_exclusion() - { - build_exclusion_chain chain filter "$excludesource" "$excludedest" - - if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then - match='--ctorigdst' - if [ -z "$OLD_CONNTRACK_MATCH" ]; then - case $adr in - !*) - match='!--ctorigdst' - adr=${adr#!} - ;; - esac - fi - - for adr in $(separate_list $addr); do - run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack $match $adr -j $chain - done - addr= - else - run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain - fi - - cli= - proto= - sports= - multiport= - dports= - user= - state= - } - - do_ipp2p() { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. 
Rule: \"$rule\"" - - dports="-m ipp2p --${port:-ipp2p}" - - case $proto in - ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP) - port= - proto=tcp - do_ports - ;; - ipp2p:udp|IPP2P:UDP) - port= - proto=udp - do_ports - ;; - ipp2p:all|IPP2P:ALL) - port= - proto=all - ;; - *) - fatal_error "Invalid IPP2P protocol ${proto#*:}. Rule: \"$rule\"" - ;; - esac - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). - - cli= - - case "$client" in - -) - ;; - *:*) - rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*|+*) - cli="$(source_ip_range $client)" - ;; - ~*|!~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - rule_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). - - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*|+*) - serv=$server - ;; - ~*|!~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" - rule_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - addr=$address - servport=$serverport - multiport= - user="$userandgroup" - mrk="$mark" - - # Restore $chain to the canonical chain. 
- - chain=$logchain - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - ;; - tcp:syn) - proto="tcp --syn" - do_ports - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - all|ALL) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" - proto= - ;; - ipp2p|IPP2P|ipp2p:*|IPP2P:*) - do_ipp2p - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. setup - - case "$logtarget" in - ACCEPT|DROP|REJECT|CONTINUE) - if [ "$SECTION" != DONE ]; then - # - # This function is called from process_default_macro() after rules are DONE - # - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" -a -z "$mark" ] ; then - error_message "WARNING -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - fi - ;; - REDIRECT) - [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" - - [ -n "$serv" ] && \ - fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - natrule=Yes - ;; - DNAT|SAME) - [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" - - [ -n "$serv" ] || \ - fatal_error "$logtarget rules require a server address; rule: \"$rule\"" - natrule=Yes - ;; - LOG) - [ -z "$loglevel" ] && \ - fatal_error "LOG requires log level" - ;; - esac - - case $SECTION in - ESTABLISHED|RELATED) - [ -n "$FASTACCEPT" ] && fatal_error "Entries in the $SECTION SECTION of the rules file not permitted with FASTACCEPT=Yes" - state="-m state --state $SECTION" - ;; - *) - state= - ;; - esac - - if [ -n "${serv}${servport}" ]; then - - # A specific server or server port given - - if [ -n "$natrule" ]; then - lib_load nat "$logtarget 
Rules" - add_nat_rule - elif [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\"" - fi - - if [ -n "${excludesource}${excludedest}" ]; then - handle_exclusion - fi - - if [ -z "$dnat_only" ]; then - if [ -n "$serv" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - srv=$(dest_ip_range $srv) - if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then - if [ "$addr" = detect ]; then - indent >&3 << __EOF__ - run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $srv $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target -done - -__EOF__ - else - for adr in $(separate_list $addr); do - match='--ctorigdst' - if [ -z "$OLD_CONNTRACK_MATCH" ]; then - case $adr in - !*) - match='!--ctorigdst' - adr=${adr#!} - ;; - esac - fi - - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack $match $adr \ - $user $mrk $(fix_bang $proto $multiport $sports $cli $srv $dports) $state - fi - - if [ "$logtarget" != LOG ]; then - run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ - $srv $dports -m conntrack $match $adr $user $mrk -j $target - fi - done - fi - else - if [ "$addr" = detect ]; then - save_command 'done' - save_command '' - fi - - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ - $state $(fix_bang $proto $multiport $sports $cli $srv $dports) - fi - - if [ -n "$nonat" ]; then - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $srv $dports $ratelimit $user $mrk -j RETURN - fi - - if [ "$logtarget" != NONAT -a "$logtarget" != LOG ]; then - run_iptables2 -A $chain $state $proto $multiport $cli $sports \ - $srv $dports $ratelimit $user $mrk -j $target - fi - fi - done - done - else - if [ "$addr" = detect 
]; then - save_command 'done' - save_command '' - fi - - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ - $state $(fix_bang $proto $multiport $sports $cli $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user $mrk -j RETURN - - [ "$logtarget" != NONAT -a "$logtarget" != LOG ] && \ - run_iptables2 -A $chain $state $proto $multiport $cli $sports \ - $dports $ratelimit $user $mrk -j $target - fi - elif [ -n "$serv" -a "$addr" = detect ]; then - save_command 'done' - save_command '' - fi - else - - # Destination is a simple zone - - if [ -n "${excludesource}${excludedest}" ]; then - handle_exclusion - fi - - if [ -n "$addr" ]; then - for adr in $(separate_list $addr); do - match='--ctorigdst' - if [ -z "$OLD_CONNTRACK_MATCH" ]; then - case $adr in - !*) - match='!--ctorigdst' - adr=${adr#!} - ;; - esac - fi - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ - $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack $match $adr) - fi - - if [ "$logtarget" != LOG ]; then - if [ -n "$nonat" ]; then - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user $mrk -m conntrack $match $adr -j RETURN - fi - - if [ "$logtarget" != NONAT ]; then - run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $user $mrk -m conntrack $match $adr -j $target - fi - fi - done - else - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ - $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) - fi - - if [ "$logtarget" != LOG ]; then - if [ -n "$nonat" ]; then - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user 
$mrk -j RETURN - fi - - if [ "$logtarget" != NONAT ]; then - run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $user $mrk -j $target - fi - fi - fi - fi - - if [ "$logtarget" = LOG -a -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - -} - -# -# Process the contents of the USER/GROUP column -# -process_userspec() -{ - [ "x$userspec" = x- ] && userspec= - - if [ -n "$userspec" ]; then - - userandgroup="-m owner" - - case "$userspec" in - !*+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - *+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - esac - - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - [ "$userspec" != "!" ] && userandgroup="$userandgroup ! 
--uid-owner ${userspec#!}" - ;; - *) - [ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec" - ;; - esac - - [ "$userandgroup" = "-m owner" ] && userandgroup= - fi -} - -# -# Process the RATE/LIMIT column contents -# -process_ratelimit() { - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi -} - -# -# Process the MARK column contents -# -process_mark() { - [ "x$mark" = "x-" ] && mark= - - if [ -n "$mark" ]; then - if [ "$mark" = "${mark%!*}" ]; then - mark="-m mark --mark $mark" - else - mark="-m mark ! --mark ${mark#*!}" - fi - fi -} - -# -# Combine a source/dest from the macro body with one from the macro invocation -# -merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation -{ - case $2 in - -) - echo ${1} - ;; - *.*.*|+*|~*|!~*) - # - # Value in the invocation is an address -- put it behind the value from the macro - # - echo ${1}:${2} - ;; - *) - echo ${2}:${1} - ;; - esac -} - -# -# Process a record from the rules file -# -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec - # $10= mark -{ - local target - target="$1" - local clients - clients="$2" - local servers - servers="$3" - local protocol - protocol="$4" - local ports - ports="$5" - local cports - cports="$6" - local address - address="$7" - local ratelimit - ratelimit="$8" - local userspec - userspec="$9" - local mark - mark="${10}" - local userandgroup - userandgroup= - local logtag - logtag= - local nonat - nonat= - - # # # # # F u n c t i o n B o d y # # # # # - - process_mark - - process_ratelimit - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - 
if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - fi - - case $loglevel in - none*) - loglevel= - [ $target = LOG ] && return - ;; - *) - [ -n "$loglevel" ] || target=${target%:*} - ;; - esac - - loglevel=${loglevel%\!} - fi - # - # Save the original target in 'logtarget' for logging rules - # - logtarget=${target%-} - # - # Targets ending in "-" only apply to the nat table - # - [ $target = $logtarget ] && dnat_only= || dnat_only=Yes - - # Tranform the rule: - # - # - parse the user specification - # - set 'target' to the filter table target. - # - make $FW the destination for REDIRECT - # - remove '-' suffix from logtargets while setting 'dnat_only' - # - clear 'address' if it has been set to '-' - - [ "x$address" = "x-" ] && address= - - process_userspec - - case $target in - *!) - target=${target%!} - ;; - esac - - case $target in - ACCEPT+|NONAT) - [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" - nonat=Yes - target=ACCEPT - ;; - ACCEPT|LOG) - ;; - DROP) - [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" - ;; - REJECT) - [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with REJECT" - target=reject - ;; - CONTINUE) - target=RETURN - ;; - DNAT*|SAME*) - [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" - target=ACCEPT - address=${address:=detect} - ;; - REDIRECT*) - [ $SECTION = NEW ] || fatal_error "REDIRECT rules are not allowed in the $SECTION SECTION" - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="$FW::$servers" - fi - ;; - *-) - [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" - ;; - esac - - # Parse and validate source - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o 
-z "$clients" ] && \ - fatal_error "Empty source zone or qualifier: rule \"$rule\"" - fi - - excludesource= - - case $clients in - *!*!*) - fatal_error "Invalid SOURCE in rule \"$rule\"" - ;; - !*) - if [ $(list_count $clients) -gt 1 ]; then - excludesource=${clients#!} - clients= - fi - ;; - *!*) - excludesource=${clients#*!} - clients=${clients%!*} - ;; - esac - - validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" - - source=$clientzone - - if [ $source != $FW -a -n "$userspec" ]; then - fatal_error "Invalid use of a user-qualification: rule \"$rule\"" - fi - - # Parse and validate destination - - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Empty destination zone or server port: rule \"$rule\"" - if [ $(list_count $servers) -gt 1 ]; then - case $servers in - !*) - fatal_error "Exclude lists not supported in the DEST column" - ;; - esac - fi - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - fatal_error "Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - - excludedest= - - case $servers in - *!*!*) - fatal_error "Invalid DEST in rule \"$rule\"" - ;; - !*) - if [ $(list_count $servers) -gt 1 ]; then - excludedest=${servers#*!} - servers= - fi - ;; - *!*) - excludedest=${servers#*!} - servers=${servers%!*} - ;; - esac - - if ! validate_zone $serverzone; then - fatal_error "Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - # Ensure that this rule doesn't apply to a NONE policy pair of zones - - chain=${source}2${dest} - - # If we have one or more exclusion lists, we will create a new chain and - # store it's name in 'chain'. 
We still want log rules to reflect the - # canonical chain so we store it's name in $logchain. - - logchain=$chain - - eval policy=\$${chain}_policy - - [ -z "$policy" ] && \ - fatal_error "No policy defined from zone $source to zone $dest" - - [ $policy = NONE ] && \ - fatal_error "Rules may not override a NONE policy: rule \"$rule\"" - - [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - - ensurechain $chain - - # Generate Netfilter rule(s) - - case $logtarget in - DNAT*|SAME) - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - server=${servers:=-} - add_a_rule - done - done - done - fi - ;; - *) - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_a_rule - done - done - done - done - fi - ;; - esac - # - # Report Result - # - progress_message " Rule \"$rule\" $DONE." - save_progress_message_short " Rule \\\"$rule\\\" added." -} - -# -# Process a macro invocation in the rules file -# - -process_macro() # $1 = target - # $2 = param - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec - # $10= mark -{ - local itarget - itarget="$1" - local param - param="$2" - local iclients - iclients="$3" - local iservers - iservers="$4" - local iprotocol - iprotocol="$5" - local iports - iports="$6" - local icports - icports="$7" - local iaddress - iaddress="$8" - local iratelimit - iratelimit="$9" - local iuserspec - iuserspec="${10}" - local imark - imark="${11}" - - progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." 
- - while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do - - [ $mtarget = COMMENT -o $mtarget = COUNT ] && continue - - mtarget=$(merge_levels $itarget $mtarget) - - case $mtarget in - PARAM|PARAM:*) - [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" - ;; - esac - - case ${mtarget%%:*} in - ACCEPT|ACCEPT!|ACCEPT+|NONAT|DROP|DROP!|REJECT|REJECT!|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|CONTINUE!|QUEUE|SAME|SAME-) - ;; - *) - if list_search ${mtarget%%:*} $ACTIONS; then - if ! list_search $mtarget $USEDACTIONS; then - createactionchain $mtarget - USEDACTIONS="$USEDACTIONS $mtarget" - fi - - mtarget=$(find_logactionchain $mtarget) - else - fatal_error "Invalid Action in rule \"$mtarget ${mclients:--} ${mservers:--} ${mprotocol:--} ${mports:--} ${mcports:--} ${xaddress:--} ${mratelimit:--} ${muserspec:--}\"" - fi - ;; - esac - - if [ -n "$mclients" ]; then - case $mclients in - -|SOURCE) - mclients=${iclients} - ;; - DEST) - mclients=${iservers} - ;; - *) - mclients=$(merge_macro_source_dest $mclients $iclients) - ;; - esac - else - mclients=${iclients} - fi - - if [ -n "$mservers" ]; then - case $mservers in - -|DEST) - mservers=${iservers} - ;; - SOURCE) - mservers=${iclients} - ;; - *) - mservers=$(merge_macro_source_dest $mservers $iservers) - ;; - esac - else - mservers=${iservers} - fi - - [ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol - [ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports - [ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports - [ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit - [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec - - rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" - process_rule $mtarget $mclients $mservers $mprotocol 
$mports $mcports ${iaddress:=-} $mratelimit $muserspec $imark - - done < $TMP_DIR/macro.${itarget%%:*} - - progress_message "..End Macro" - -} - -# -# Process the rules file -# -process_rules() -{ - local comment - comment= - local optimize - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic - { - local yclients - local yservers - local ysourcezone - local ydestzone - local ypolicy - - for yclients in $xclients; do - for yservers in $xservers; do - ysourcezone=${yclients%%:*} - ydestzone=${yservers%%:*} - if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then - eval ypolicy=\$${ysourcezone}2${ydestzone}_policy - if [ "$ypolicy" != NONE ]; then - if [ $optimize -gt 0 ]; then - eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel - if [ -n "$yloglevel" ]; then - if [ x$ypolicy:$yloglevel = x$xtarget ]; then - continue - fi - elif [ x$ypolicy = x$xtarget ]; then - continue - fi - fi - if [ "$1" = Yes ]; then - process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark - else - rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark - fi - fi - fi - done - done - } - - do_it() # $1 = "Yes" if the target is a macro. 
- { - local intrazone - intrazone= - - if [ -z "$SECTIONS" ]; then - finish_section ESTABLISHED,RELATED - SECTIONS="ESTABLISHED RELATED NEW" - SECTION=NEW - fi - - case $xclients in - all+) - xclients=all - intrazone=Yes - ;; - all+-|all-+) - xclients=all- - intrazone=Yes - ;; - esac - - case $xservers in - all+) - xservers=all - intrazone=Yes - ;; - all+-|all-+) - xservers=all- - intrazone=Yes - ;; - esac - - case $xclients in - all|all-) - [ $xclients = all ] && xclients="$ZONES $FW" || xclients="$ZONES" - - if [ "x$xservers" = xall ]; then - xservers="$ZONES $FW" - elif [ "x$xservers" = xall- ]; then - xservers="$ZONES" - fi - - process_wildcard_rule "$1" $intrazone - return - ;; - esac - - case $xservers in - all|all-) - if [ "x$xservers" = xall ]; then - xservers="$ZONES $FW" - elif [ "x$xservers" = xall- ]; then - xservers="$ZONES" - fi - process_wildcard_rule "$1" $intrazone - return - ;; - esac - - if [ "$1" = Yes ]; then - process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark - else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark - fi - } - - while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xmark; do - if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" - progress_message " Rule \"$rule\" ignored." - continue - fi - - optimize=$OPTIMIZE; - - case "${xtarget%%:*}" in - ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) - do_it No - ;; - ACCEPT!|DROP!|REJECT!|QUEUE!|CONTINUE!) 
- optimize=0 - do_it No - ;; - COMMENT) - if [ -n "$COMMENTS" ]; then - comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark) - save_command COMMENT=\"$comment\" - else - error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" - fi - continue - ;; - SECTION) - list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients" - - case $xclients in - ESTABLISHED) - SECTIONS=ESTABLISHED - ;; - RELATED) - finish_section ESTABLISHED - SECTIONS="ESTABLISHED RELATED" - ;; - NEW) - [ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED - SECTIONS="ESTABLISHED RELATED NEW" - ;; - *) - fatal_error "Invalid SECTION $xclients" - ;; - esac - - [ -n "$xservers" ] && fatal_error "Invalid SECTION $xclients $xservers" - - SECTION=$xclients - ;; - *) - if list_search ${xtarget%%:*} $ACTIONS; then - if ! list_search $xtarget $USEDACTIONS; then - createactionchain $xtarget - USEDACTIONS="$USEDACTIONS $xtarget" - fi - - xtarget=$(find_logactionchain $xtarget) - do_it No - else - xtarget1=$(map_old_action ${xtarget%%:*}) - - case $xtarget1 in - */*) - xparam=${xtarget1#*/} - xtarget1=${xtarget1%%/*} - xtarget=$(substitute_action $xtarget1 $xtarget) - ;; - *) - xparam= - ;; - esac - - f=macro.$xtarget1 - - if [ -f $TMP_DIR/$f ]; then - do_it Yes - else - fn=$(find_file $f) - - if [ -f $fn ]; then - strip_file $f $fn - do_it Yes - else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" - fatal_error "Invalid Action in rule \"$rule\"" - fi - fi - fi - ;; - - esac - - done < $TMP_DIR/rules - # - # Just in case the file ended with a comment - # - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - fi - - case $SECTION in - ESTABLISHED) - finish_section ESTABLISHED,RELATED - ;; - RELATED) - finish_section RELATED - ;; - esac - - SECTION=DONE -} - -# -# Process a default macro -# 
-process_default_macro() # $1 = macro name -{ - local macro - macro=$1 - local address - address= - local multioption - multioption= - local servport - servport= - local chain - chain=$1 - local logchain - logchain=$1 - local userandgroup - userandgroup= - local logtag - logtag= - local excludesource - excludesource= - local target - local client - local server - local protocol - local port - local cport - local ratelimit - local userspec - local rule - local f - f=$(find_file macro.${macro}) - - havechain $macro && fatal_error "Illegal duplicate default macro name: $macro" - - createchain $macro no - strip_file macro.$macro $f - progress_message "..Expanding Default Macro $f into chain $macro..." - - while read target client server protocol port cport ratelimit userspec; do - rule="$target ${client:--} ${server:--} ${protocol:--} ${port:--} ${cport:--} ${ratelimit:--} ${userspec:--}" - - case $target in - PARAM|PARAM:*) - fatal_error "Invalid target ($target) in default macro $macro" - ;; - esac - - case ${target} in - ACCEPT|DROP|REJECT) - ;; - *) - if ! 
list_search $target $USEDACTIONS; then - if list_search $target $ACTIONS; then - createactionchain $target - USEDACTIONS="$USEDACTIONS $target" - else - fatal_error "Invalid target ($target) in default macro $macro" - fi - fi - ;; - esac - - if [ $(list_count ${port}${cport}) -gt 1 ]; then - multioption="-m multiport" - fi - - if [ -n "$client" ]; then - case $client in - -|SOURCE) - client= - ;; - esac - fi - - if [ -n "$server" ]; then - case $server in - -|DEST) - server= - ;; - *) - ;; - esac - fi - - process_userspec - - process_ratelimit - - add_a_rule - progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE" - - done < $TMP_DIR/macro.$macro - - progress_message "..End Macro" - -} - -# -# Process a record from the tos file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# src dst protocol sport dport tos -# -# and has loaded a space-separated list of their values in "rule". The caller -# has also set the variable 'chain' to contain the name of the mangle table -# chain where forward rules are to be in placed in. -# -process_tos_rule() { - # - # Parse the contents of the 'src' variable - # - if [ "$src" = "${src%:*}" ]; then - srczone="$src" - src= - else - srczone="${src%:*}" - src="${src#*:}" - fi - - source= - # - # Validate the source zone - # - if validate_zone $srczone; then - source=$srczone - elif [ "$srczone" = "all" ]; then - source="all" - else - error_message "WARNING: Undefined Source Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$src" ] && case "$src" in - *.*.*|+*|!+*) - # - # IP Address or networks - # - src="$(source_ip_range $src)" - ;; - ~*|!~*) - src=$(mac_match $src) - ;; - *) - # - # Assume that this is a device name - # - if ! 
verify_interface $src ; then - error_message "WARNING: Unknown Interface in rule \"$rule\" ignored" - return - fi - - src="$(match_source_dev $src)" - ;; - esac - - # - # Parse the contents of the 'dst' variable - # - if [ "$dst" = "${dst%:*}" ]; then - dstzone="$dst" - dst= - else - dstzone="${dst%:*}" - dst="${dst#*:}" - fi - - dest= - # - # Validate the destination zone - # - if validate_zone $dstzone; then - dest=$dstzone - elif [ "$dstzone" = "all" ]; then - dest="all" - else - error_message \ - "WARNING: Undefined Destination Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$dst" ] && case "$dst" in - *.*.*|+*|!+*) - # - # IP Address or networks - # - ;; - *) - # - # Assume that this is a device name - # - error_message \ - "WARNING: Invalid Destination - rule \"$rule\" ignored" - return - ;; - esac - - # - # Setup PROTOCOL and PORT variables - # - sports="" - dports="" - - case $protocol in - tcp|udp|TCP|UDP|6|17) - [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ - sports="--sport $sport" - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--dport $dport" - ;; - icmp|ICMP|0) - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--icmp-type $dport" - ;; - all|ALL) - protocol= - ;; - *) - ;; - esac - - protocol="${protocol:+-p $protocol}" - - [ "x$mark" = x- ] && mark= - if [ -n "$mark" ]; then - if [ "$mark" = "${mark%!*}" ]; then - mark="-m mark --mark $mark" - else - mark="-m mark ! 
--mark ${mark#*!}" - fi - fi - - tos="-j TOS --set-tos $tos" - - case "$dstzone" in - all|ALL) - dst=0.0.0.0/0 - ;; - *) - if [ -z "$MANGLE_FORWARD" ]; then - error_message "WARNING: A zone name in the DEST column requires Mangle FORWARD Chain support in your kernel and iptables: rule \"$rule\" ignored" - return - fi - - [ -z "$dst" ] && eval dst=\$${dstzone}_hosts - ;; - esac - - for dest in $dst; do - dest="$(match_dest $dest)" - - case $srczone in - $FW) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $mark $tos - ;; - all|ALL) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $mark $tos - run_iptables2 -t mangle -A $chain \ - $protocol $dest $dports $sports $mark $tos - ;; - *) - if [ -n "$src" ]; then - run_iptables2 -t mangle -A $chain $src \ - $protocol $dest $dports $sports $mark $tos - else - eval hosts=\$${srczone}_hosts - - for host in $hosts; do - run_iptables2 -t mangle -A $chain $(match_source $host) \ - $protocol $dest $dports $sports $mark $tos - done - fi - ;; - esac - done - - progress_message " Rule \"$rule\" $DONE." - save_progress_message "Rule \\\"$rule\\\" Added." -} - -# -# Process the tos file -# -process_tos() # $1 = name of tos file -{ - local chain - chain=pretos - local stdchain - stdchain=PREROUTING - - if [ -n "$MANGLE_FORWARD" ]; then - chain=fortos - stdchain=FORWARD - fi - - if [ -s $TMP_DIR/tos ] ; then - - save_progress_message "Setting up TOS..." - - progress_message2 "$DOING $1..." 
- - createmanglechain $chain - createmanglechain outtos - - while read src dst protocol sport dport tos mark; do - rule="$(echo $src $dst $protocol $sport $dport $tos $mark)" - process_tos_rule - done < $TMP_DIR/tos - - run_iptables -t mangle -A $stdchain -j $chain - run_iptables -t mangle -A OUTPUT -j outtos - fi -} - -policy_rules() # $1 = chain to add rules to - # $2 = policy - # $3 = loglevel - # $4 = Default Action/Macro -{ - local target - target="$2" - local default - default="$4" - - if [ -n "$default" ]; then - [ "$default" = none ] || run_iptables -A $1 -j $default - fi - - - if [ $# -ge 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 - fi - - if [ -n "$target" ]; then - case $target in - REJECT) - run_iptables -A $1 -j reject - ;; - CONTINUE) - ;; - *) - run_iptables -A $1 -j $target - ;; - esac - fi -} - -# -# Generate default policy & log level rules for the passed client & server -# zones -# -# This function is only called when the canonical chain for this client/server -# pair is known to exist. If the default policy for this pair specifies the -# same chain then we add the policy (and logging) rule to the canonical chain; -# otherwise add a rule to the canonical chain to jump to the appropriate -# policy chain. -# -default_policy() # $1 = client $2 = server -{ - local chain - chain="${1}2${2}" - local policy - policy= - local loglevel - loglevel= - local chain1 - - jump_to_policy_chain() { - # - # Add a jump to from the canonical chain to the policy chain. 
On return, - # $chain is set to the name of the policy chain - # - run_iptables -A $chain -j $chain1 - chain=$chain1 - } - - report_syn_flood_protection() - { - progress_message " Enabled SYN flood protection" - } - - apply_default() - { - # - # Generate policy file column values for the policy chain - # - eval policy=\$${chain1}_policy - eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams - eval default=\$${chain1}_default - # - # Add the appropriate rules to the canonical chain ($chain) to enforce - # the specified policy - - if [ "$chain" = "$chain1" ]; then - # - # The policy chain is the canonical chain; add policy rule to it - # The syn flood jump has already been added if required. - # - policy_rules $chain $policy "${loglevel:--}" $default - else - # - # The policy chain is different from the canonical chain -- approach - # depends on the policy - # - case $policy in - ACCEPT|QUEUE) - if [ -n "$synparams" ]; then - # - # To avoid double-counting SYN packets, enforce the policy - # in this chain. - # - report_syn_flood_protection - policy_rules $chain $policy "${loglevel:--}" $default - else - # - # No problem with double-counting so just jump to the - # policy chain. - # - jump_to_policy_chain - fi - ;; - CONTINUE) - # - # Silly to jump to the policy chain -- add any logging - # rules and enable SYN flood protection if requested - # - [ -n "$synparams" ] && \ - report_syn_flood_protection - policy_rules $chain $policy "${loglevel:--}" $default - ;; - *) - # - # DROP or REJECT policy -- enforce in the policy chain and - # enable SYN flood protection if requested. 
- # - [ -n "$synparams" ] && \ - report_syn_flood_protection - jump_to_policy_chain - ;; - esac - fi - - progress_message " Policy $policy for $1 to $2 using chain $chain" - } - - eval chain1=\$${1}2${2}_policychain - - if [ -n "$chain1" ]; then - apply_default $1 $2 - else - fatal_error "No default policy for zone $1 to zone $2" - fi -} - -# -# Complete a standard chain -# -# - run any supplied user exit -# - search the policy file for an applicable policy and add rules as -# appropriate -# - If no applicable policy is found, add rules for an assummed -# policy of DROP INFO -# -complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone -{ - local policy - policy= - local loglevel - loglevel= - local policychain - policychain= - local default - default= - - run_user_exit $1 - - [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - - eval policychain=\$${2}2${3}_policychain - - if [ -n "$policychain" ]; then - eval policy=\$${policychain}_policy - eval loglevel=\$${policychain}_loglevel - eval default=\$${policychain}_default - eval - - policy_rules $1 $policy "${loglevel:--}" $default - else - policy_rules $1 DROP info $DROP_DEFAULT - fi -} - -# -# Find the appropriate chain to pass packets from a source zone to a -# destination zone -# -# If the canonical chain for this zone pair exists, echo it's name; otherwise -# locate and echo the name of the appropriate policy chain -# -rules_chain() # $1 = source zone, $2 = destination zone -{ - local chain - chain=${1}2${2} - local policy - - havechain $chain && { echo $chain; return; } - - [ "$1" = "$2" ] && { echo ACCEPT; return; } - - eval chain=\$${chain}_policychain - - eval policy=\$${chain}_policy - - if [ "$policy" != CONTINUE ] ; then - [ -n "$chain" ] && { echo $chain; return; } - fatal_error "No policy defined for zone $1 to zone $2" - fi -} - -# -# Add a record to the blacklst chain -# -# $source = address match -# $proto = protocol selector -# $dport = 
destination port selector -# -add_blacklist_rule() { - run_iptables2 -A blacklst $source $proto $dport -j $target -} - -# -# Process a record from the blacklist file -# -# $networks = address/networks -# $protocol = Protocol Number/Name -# $port = Port Number/Name -# -process_blacklist_rec() { - local source - local addr - local proto - local dport - local temp - local setname - - for addr in $(separate_list $networks); do - case $addr in - -) - source= - ;; - ~*|!~*) - addr=$(echo $addr | sed 's/~//;s/-/:/g') - source="--match mac --mac-source $addr" - ;; - *) - source="$(source_ip_range $addr)" - ;; - esac - - if [ -n "$protocol" ]; then - proto=" -p $protocol " - - case $protocol in - tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then - if [ -n "$MULTIPORT" -a \ - "$ports" != "${ports%,*}" -a \ - "$ports" = "${ports%:*}" -a \ - $(list_count $ports) -le 15 ] - then - dport="-m multiport --dports $ports" - add_blacklist_rule - else - for dport in $(separate_list $ports); do - dport="--dport $dport" - add_blacklist_rule - done - fi - else - add_blacklist_rule - fi - ;; - icmp|ICMP|0) - if [ -n "$ports" ]; then - for dport in $(separate_list $ports); do - dport="--icmp-type $dport" - add_blacklist_rule - done - else - add_blacklist_rule - fi - ;; - *) - add_blacklist_rule - ;; - esac - else - add_blacklist_rule - fi - - if [ -n "$ports" ]; then - addr="$addr $protocol $ports" - elif [ -n "$protocol" ]; then - addr="$addr $protocol" - fi - - progress_message_and_save " $addr added to Black List" - done -} - -process_blacklist() -{ - local disposition - disposition=$BLACKLIST_DISPOSITION - local f - f=$(find_file blacklist) - local target - - if [ -s $TMP_DIR/blacklist ]; then - - [ "$disposition" = REJECT ] && disposition=reject - - [ -n "$BLACKLIST_LOGLEVEL" ] && target=blacklog || target=$disposition - - progress_message2 "Compiling $f..." 
- - cat >&3 << __EOF__ -# -# Load the blacklist -# -load_blacklist() -{ -__EOF__ - INDENT=" " - - while read networks protocol ports; do - process_blacklist_rec - done < $TMP_DIR/blacklist - - INDENT= - save_command "}" - save_command - fi -} - -# -# Setup the Black List -# -setup_blacklist() { - local hosts - hosts="$(find_hosts_by_option blacklist)" - local ipsec - local policy - - if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then - progress_message2 "$DOING Blacklisting..." - - createchain blacklst no - - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - createchain blacklog no - log_rule_limit $BLACKLIST_LOGLEVEL blacklog blacklst $BLACKLIST_DISPOSITION "$LOGLIMIT" "" -A - - if [ $BLACKLIST_DISPOSITION = REJECT ]; then - run_iptables -A blacklog -j reject - else - run_iptables -A blacklog -j $BLACKLIST_DISPOSITION - fi - fi - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst - done - - [ $network = 0/0.0.0.0 ] && network= || network=":$network" - - progress_message_and_save " Blacklisting enabled on ${interface}${network}" - done - - if [ -z "$DELAYBLACKLISTLOAD" -a -s ${TMP_DIR}/blacklist ]; then - save_command load_blacklist - fi - fi -} - -# Construct zone-independent rules -# -add_common_rules() { - local savelogparms - savelogparms="$LOGPARMS" - local broadcasts - broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" - # - # Populate the smurf chain - # - save_progress_message "Setting up SMURF control..." 
- - for interface in $(find_bcastdetect_interfaces); do - indent >&3 << __EOF__ - -ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do -__EOF__ - [ -n "$SMURF_LOG_LEVEL" ] && \ - indent >&3 << __EOF__ - do_log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address -__EOF__ - indent >&3 << __EOF__ - run_iptables -A smurfs -s \$address -j DROP -done - -__EOF__ - done - - for address in $broadcasts ; do - [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs $(source_ip_range $address) -j DROP - done - # - # Reject Rules -- Don't respond to broadcasts with an ICMP - # - if [ -n "$USEPKTTYPE" ]; then - run_iptables -A reject -m pkttype --pkt-type broadcast -j DROP - run_iptables -A reject -m pkttype --pkt-type multicast -j DROP - else - for interface in $(find_bcastdetect_interfaces); do - indent >&3 << __EOF__ - -ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do - run_iptables -A reject -d \$address -j DROP -done - -__EOF__ - done - - for address in $broadcasts ; do - run_iptables -A reject -d $address -j DROP - done - fi - # - # Don't feed the smurfs - # - for address in $broadcasts ; do - run_iptables -A reject -s $address -j DROP - done - - # - # Don't respond to IGMP with an ICMP - # - run_iptables -A reject -p 2 -j DROP - - run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset - run_iptables -A reject -p udp -j REJECT - # - # Not all versions of iptables support these so don't complain if they don't work - # - if [ -n "$ENHANCED_REJECT" ]; then - run_iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - run_iptables -A reject -j REJECT --reject-with icmp-host-prohibited - else - run_iptables -A reject -j REJECT - fi - - # - # Create default action chains - # - for action in $USEDACTIONS; do - createactionchain $action - done 
- - append_file initdone - - # - # Process Black List - # - save_progress_message "Setting up Black List..." - - setup_blacklist - - # - # SMURFS - # - hosts=$(find_hosts_by_option nosmurfs) - - if [ -n "$hosts" ]; then - - progress_message2 "Adding Anti-smurf Rules" - - save_progress_message "Adding Anti-smurf Jumps..." - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs - done - done - fi - # - # DHCP - # - interfaces=$(find_interfaces_by_option dhcp) - - if [ -n "$interfaces" ]; then - - progress_message2 "Adding rules for DHCP" - - save_progress_message "Setting up rules for DHCP..." - - for interface in $interfaces; do - if [ -n "$BRIDGING" ]; then - indent >&3 << __EOF__ -is_bridge="\$( brctl show 2> /dev/null | grep '^$interface[[:space:]]' )" -[ -n "\$is_bridge" ] && run_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT -__EOF__ - fi - run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT - run_iptables -A $(out_chain $interface) -p udp --dport 67:68 -j ACCEPT - done - fi - # - # RFC 1918 - # - hosts="$(find_hosts_by_option norfc1918)" - - if [ -n "$hosts" ]; then - progress_message2 "Enabling RFC1918 Filtering" - - save_progress_message "Setting up RFC1918 Filtering..." 
- - createchain norfc1918 no - - createchain rfc1918 no - - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP - - run_iptables -A rfc1918 -j DROP - - chain=norfc1918 - - if [ -n "$RFC1918_STRICT" ]; then - # - # We'll generate two chains - one for source and one for destination - # - chain=rfc1918d - createchain $chain no - elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then - # - # Mangling is enabled but conntrack match isn't available -- - # create a chain in the mangle table to filter RFC1918 destination - # addresses. This must be done in the mangle table before we apply - # any DNAT rules in the nat table - # - # Also add a chain to log and drop any RFC1918 packets that we find - # - createmanglechain man1918 - createmanglechain rfc1918 - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle - run_iptables -t mangle -A rfc1918 -j DROP - fi - - while read networks target; do - case $target in - logdrop) - target=rfc1918 - s_target=rfc1918 - ;; - DROP) - s_target=DROP - ;; - RETURN) - [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - for network in $(separate_list $networks); do - run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target - - if [ -n "$CONNTRACK_MATCH" ]; then - # - # We have connection tracking match -- match on the original destination - # - match='--ctorigdst' - if [ -z "$OLD_CONNTRACK_MATCH" ]; then - case $network in - !*) - match='!--ctorigdst' - network=${network#!} - ;; - esac - fi - - run_iptables2 -A $chain -m conntrack $match $network -j $target - elif [ -n "$MANGLE_ENABLED" ]; then - # - # No connection tracking match but we have mangling -- add a rule to - # the mangle table - # - run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target - fi - done - done < $TMP_DIR/rfc1918 - - [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n 
"$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - networks=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) $policy -j norfc1918 - done - - [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) $policy -j man1918 - done - fi - - hosts=$(find_hosts_by_option tcpflags) - - if [ -n "$hosts" ]; then - progress_message2 "$DOING TCP Flags checking..." - - save_progress_message "Setting up TCP Flags checking..." - - createchain tcpflags no - - if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then - createchain logflags no - - savelogparms="$LOGPARMS" - - [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ] || LOGPARMS="$LOGPARMS --log-ip-options" - - log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION - - LOGPARMS="$savelogparms" - - case $TCP_FLAGS_DISPOSITION in - REJECT) - run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset - ;; - *) - run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION - ;; - esac - - disposition="-j logflags" - else - disposition="-j $TCP_FLAGS_DISPOSITION" - fi - - run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition - run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition - # - # There are a lot of probes to ports 80, 3128 and 8080 that use a source - # port of 0. This catches them even if they are directed at an IP that - # hosts a web server. 
- # - run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -p tcp $(match_source_hosts $network) $policy -j tcpflags - done - done - fi - # - # ARP Filtering - # - save_progress_message "Setting up ARP filtering..." - - indent >&3 << __EOF__ -for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter - [ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore -done - -__EOF__ - - interfaces=$(find_interfaces_by_option arp_filter) - interfaces1=$(find_interfaces_by_option1 arp_ignore) - - if [ -n "${interfaces}${interfaces1}" ]; then - progress_message2 "$DOING ARP Filtering..." - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/arp_filter - indent >&3 << __EOF__ -if [ -f $file ]; then - echo 1 > $file -else - error_message "WARNING: Cannot set ARP filtering on $interface" -fi -__EOF__ - done - - for interface in $interfaces1; do - file=/proc/sys/net/ipv4/conf/$interface/arp_ignore - eval value="\$$(chain_base $interface)_arp_ignore" - indent >&3 << __EOF__ -if [ -f $file ]; then - echo $value > $file -else - error_message "WARNING: Cannot set ARP filtering on $interface" -fi -__EOF__ - done - fi - # - # Route Filtering - # - interfaces="$(find_interfaces_by_option routefilter)" - - if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then - progress_message2 "$DOING Kernel Route Filtering..." - - save_progress_message "Setting up Route Filtering..." 
- - if [ "$ROUTE_FILTER" = no ]; then - indent >&3 << __EOF__ - -for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter -done - -__EOF__ - fi - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - - indent >&3 << __EOF__ -if [ -f $file ]; then - echo 1 > $file -else - error_message "WARNING: Cannot set route filtering on $interface" -fi -__EOF__ - done - - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - - if [ "$ROUTE_FILTER" = yes ]; then - save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" - elif [ "$ROUTE_FILTER" = no ]; then - save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter" - fi - - save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" - fi - - # - # Martian Logging - # - interfaces="$(find_interfaces_by_option logmartians)" - - if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then - progress_message2 "$DOING Martian Logging..." - - save_progress_message "Setting up Martian Logging..." - - if [ "$LOG_MARTIANS" = no ]; then - indent >&3 << __EOF__ - -for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/log_martians ] && echo 0 > \$f/log_martians -done - -__EOF__ - fi - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/log_martians - - indent >&3 << __EOF__ -if [ -f $file ]; then - echo 1 > $file -else - error_message "WARNING: Cannot set Martian logging on $interface" -fi - -__EOF__ - done - - if [ "$LOG_MARTIANS" = yes ]; then - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" - save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" - elif [ "$LOG_MARTIANS" = no ]; then - save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" - save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians" - fi - - fi - - # - # Source Routing - # - save_progress_message "Setting up Accept Source Routing..." 
- - indent >&3 << __EOF__ -for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route -done - -__EOF__ - - interfaces=$(find_interfaces_by_option sourceroute) - - if [ -n "$interfaces" ]; then - progress_message2 "$DOING Accept Source Routing..." - - save_progress_message "Setting up Source Routing..." - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/accept_source_route - - indent >&3 << __EOF__ -if [ -f $file ]; then - echo 1 > $file -else - error_message "WARNING: Cannot set Accept Source Routing on $interface" -fi -__EOF__ - done - fi - - if [ -n "$DYNAMIC_ZONES" ]; then - progress_message "$DOING Dynamic Zone Chains..." - - for interface in $ALL_INTERFACES; do - for chain in $(dynamic_chains $interface); do - createchain $chain no - done - - chain=$(dynamic_in $interface) - createnatchain $chain - - run_iptables -A $(input_chain $interface) -j $chain - run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) - run_iptables -A $(out_chain $interface) -j $(dynamic_out $interface) - done - fi - # - # UPnP - # - interfaces=$(find_interfaces_by_option upnp) - - if [ -n "$interfaces" ]; then - progress_message2 "$DOING UPnP..." - - save_progress_message "Setting up UPnP..." - - createnatchain UPnP - - for interface in $interfaces; do - run_iptables -t nat -A PREROUTING -i $interface -j UPnP - done - fi -} - -# -# Scan the policy file defining the necessary chains -# Add the appropriate policy rule(s) to the end of each canonical chain -# -apply_policy_rules() { - # - # Create policy chains - # - for chain in $ALL_POLICY_CHAINS; do - eval policy=\$${chain}_policy - eval loglevel=\$${chain}_loglevel - eval optional=\$${chain}_is_optional - eval default=\$${chain}_default - - if [ "$policy" != NONE ]; then - if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then - # - # The chain doesn't exist. 
Create the chain and add policy - # rules - # - createchain $chain yes - # - # If either client or server is 'all' then this MUST be - # a policy chain and we must apply the appropriate policy rules - # - # Otherwise, this is a canonical chain which will be handled in - # the for loop below - # - case $chain in - all2*|*2all) - run_user_exit $chain - policy_rules $chain $policy "${loglevel:--}" $default - ;; - esac - fi - fi - done - - # - # Add policy rules to canonical chains - # - for zone in $FW $ZONES; do - for zone1 in $FW $ZONES; do - chain=${zone}2${zone1} - if havechain $chain; then - run_user_exit $chain - default_policy $zone $zone1 - fi - done - done -} - -# -# Activate the rules -# -activate_rules() -{ - local PREROUTING_rule - PREROUTING_rule=1 - local POSTROUTING_rule - POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain - sourcechain=$1 - local destchain - destchain=$2 - shift - shift - - if havenatchain $destchain ; then - run_iptables2 -t nat -A $sourcechain $@ -j $destchain - elif [ -z "$KLUDGEFREE" ]; then - [ -n "$PHYSDEV_MATCH" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - } - - # - # Jump to a RULES chain from one of the builtin nat chains. These jumps - # are inserted before jumps to one-to-one NAT chains. 
- # - addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain - sourcechain=$1 - local destchain - destchain=$2 - shift - shift - - if havenatchain $destchain; then - eval run_iptables2 -t nat -I $sourcechain \ - \$${sourcechain}_rule $@ -j $destchain - eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - elif [ -z "$KLUDGEFREE" ]; then - [ -n "$PHYSDEV_MATCH" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - fi - } - - # - # Create a dynamic chain for a zone and jump to it from a second chain - # - create_zone_dyn_chain() # $1 = zone, $2 = second chain - { - createchain ${1}_dyn No - run_iptables -A $2 -j ${1}_dyn - } - # - # Insert a set of exclusions at the front of a chain - # - insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions - { - local t - t=$1 - local c - c=$2 - local num - num=0 - local host1 - local interface1 - local networks1 - - shift 2 - - for host1 in $*; do - interface1=${host1%%:*} - networks1=${host1#*:} - num=$(($num + 1)) - run_iptables -t $t -I $c $num -o $interface1 -d $networks1 -j RETURN - done - } - # - # Add a set of exclusions to the end of a chain - # - add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions - { - local t - t=$1 - local c - c=$2 - local host1 - local interface1 - local networks1 - - shift 2 - - for host1 in $*; do - interface1=${host1%%:*} - networks1=${host1#*:} - run_iptables -t $t -A $c -o $interface1 -d $networks1 -j RETURN - done - } - # - # E x e c u t i o n S t a r t s H e r e - # - # Add jumps to early SNAT chains - # - for interface in $ALL_INTERFACES; do - addnatjump POSTROUTING $(snat_chain $interface) -o $interface - done - # - # Add jumps for dynamic nat chains - # - [ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do - addrulejump PREROUTING $(dynamic_in $interface) -i $interface - done - # - # Add jumps from the builtin chains 
to the nat chains - # - addnatjump PREROUTING nat_in - addnatjump POSTROUTING nat_out - - for interface in $ALL_INTERFACES; do - addnatjump PREROUTING $(input_chain $interface) -i $interface - addnatjump POSTROUTING $(output_chain $interface) -o $interface - done - - > $STATEDIR/chains - echo "$FW firewall" > $STATEDIR/zones - # - # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. - # - for zone in $ZONES; do - if eval test -n \"\$${zone}_is_complex\" ; then - frwd_chain=${zone}_frwd - createchain $frwd_chain No - - eval exclusions=\"\$${zone}_exclusions\" - - if [ -n "$exclusions" ]; then - local num - num=1 - in_chain=${zone}_input - out_chain=${zone}_output - createchain $in_chain No - createchain $out_chain No - - if [ "$(rules_chain $zone $zone)" = ACCEPT ]; then - createchain ${zone}2${zone} yes - run_iptables -A ${zone}2${zone} -j ACCEPT - fi - - for host in $exclusions; do - interface=${host%%:*} - address=${host#*:} - run_iptables -A $frwd_chain -i $interface -s $address -j RETURN - run_iptables -A $in_chain -i $interface -s $address -j RETURN - run_iptables -A $out_chain -i $interface -s $address -j RETURN - done - fi - - if [ -n "$POLICY_MATCH" ]; then - # - # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the - # '--pol ipsec --dir in' rules at the front of the interface forwarding chains. Otherwise, decrypted packets - # can match '--pol none --dir out' rules and send the packets down the wrong rules chain. 
- # - eval is_ipsec=\$${zone}_is_ipsec - - if [ -n "$is_ipsec" ]; then - eval source_hosts=\$${zone}_hosts - [ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain - else - eval source_hosts=\$${zone}_ipsec_hosts - [ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain - fi - - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain - done - fi - fi - done - # - # Main source zone rule-activation loop - # - for zone in $ZONES; do - eval source_hosts=\$${zone}_hosts - - chain1=$(rules_chain $FW $zone) - chain2=$(rules_chain $zone $FW) - chain3=$(rules_chain $zone $zone) - - eval complex=\$${zone}_is_complex - eval type=\$${zone}_type - eval exclusions=\"\$${zone}_exclusions\" - - if [ -n "$exclusions" ]; then - echo "$zone $type $source_hosts exclude $exclusions" >> $STATEDIR/zones - else - echo "$zone $type $source_hosts" >> $STATEDIR/zones - fi - - if [ -n "$DYNAMIC_ZONES" ]; then - [ -n "$chain1" ] && echo "$FW $zone $chain1" >> $STATEDIR/chains - [ -n "$chain2" ] && echo "$zone $FW $chain2" >> $STATEDIR/chains - fi - - need_broadcast= - - if [ -n "$complex" ]; then - frwd_chain=${zone}_frwd - chain=$(dnat_chain $zone) - if havenatchain $chain; then - insert_exclusions nat $chain $exclusions - fi - fi - # - # Take care of PREROUTING, INPUT and OUTPUT jumps - # - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - if [ -n "$chain1" ]; then - if [ -n "$exclusions" ]; then - run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j ${zone}_output - run_iptables -A ${zone}_output -j $chain1 - else - run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 - fi - fi - # - # Add jumps from the builtin chain for DNAT rules - # - addrulejump PREROUTING 
$(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) - - if [ -n "$chain2" ]; then - if [ -n "$exclusions" ]; then - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j ${zone}_input - run_iptables -A ${zone}_input -j $chain2 - else - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 - fi - fi - - if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then - run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain - fi - - case $networks in - *.*.*.*|+*) - if [ "$networks" != 0.0.0.0/0 ]; then - if ! list_search $interface $need_broadcast ; then - if interface_has_option $interface detectnets; then - need_broadcast="$need_broadcast $interface" - iface=$(chain_base $interface) - eval need_bcast_$iface=\"$(match_source_hosts $networks)\" - fi - fi - fi - ;; - esac - done - - if [ -n "$chain1" ]; then - for interface in $need_broadcast ; do - run_iptables -A $(out_chain $interface) -d 255.255.255.255 -j $chain1 - run_iptables -A $(out_chain $interface) -d 224.0.0.0/4 -j $chain1 - done - fi - # - # F O R W A R D I N G - # - temp_zones= - last_chain= - - if [ $OPTIMIZE -gt 0 ]; then - - dest_zones= - # - # The following loop attempts to eliminate redundant sequences of jumps to - # all2all or 2all. It does so by combining all trailing - # jumps to the same policy-only chain. - # - for zone1 in $ZONES; do - - eval policy=\$${zone}2${zone1}_policy - - [ "$policy" = NONE ] && continue - - chain="$(rules_chain $zone $zone1)" - - [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. 
- - if [ $zone = $zone1 ]; then - # - # Try not to generate superfluous intra-zone rules - # - eval routeback=\"\$${zone}_routeback\" - eval interfaces=\"\$${zone}_interfaces\" - eval ports="\$${zone}_ports" - - num_ifaces=$(list_count1 $interfaces) - # - # If the zone has a single interface then what matters is how many ports it has - # - [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) - # - # If we don't need to route back and if we have only one interface or one port to - # the zone then assume that hosts in the zone can communicate directly. - # - if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then - continue - fi - fi - - case $chain in - *2all) - # - # Rules chain is a policy-only chain that could be used more than once (all2all or ${zone}2all - # - if [ -n "$last_chain" ]; then - # - # And the last rules chain was a policy-only chain - # - if [ "$chain" != "$last_chain" ]; then - # - # But it was a different one -- back to square 1 - # - last_chain=$chain - dest_zones="$dest_zones $temp_zones" - temp_zones=$zone1 - else - # - # Same chain -- add this dest zone to the running list of - # zones using the same rules chain - # - temp_zones="$temp_zones $zone1" - fi - elif [ $policy = ACCEPT ]; then - # - # We don't wild-card ACCEPT policies -- could open up security holes through interfaces - # that aren't described in /etc/shorewall/interfaces - # - dest_zones="$dest_zones $zone1" - else - # - # First in a potential run of rules using this chain - # - last_chain=$chain - temp_zones=$zone1 - fi - ;; - *) - # - # Not a policy-only chain -- add accumulated sequence of dest zones to those needing processing - # - dest_zones="$dest_zones $temp_zones $zone1" - temp_zones= - last_chain= - ;; - esac - done - # - # If there is no reduction in the number of rules then don't bother with the optimization - # - if [ -n "$last_chain" -a $(list_count1 $temp_zones) -eq 1 ]; then - dest_zones="$dest_zones $temp_zones" - last_chain= - 
fi - else - dest_zones=$ZONES - fi - # - # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination. - # $dest_zones is the list of destination zones that we need to handle from this source zone - # - for zone1 in $dest_zones; do - - eval policy=\$${zone}2${zone1}_policy - - [ "$policy" = NONE ] && continue - - eval dest_hosts=\$${zone1}_hosts - eval exclusions1=\"\$${zone1}_exclusions\" - - chain="$(rules_chain $zone $zone1)" - - [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. - - [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains - - if [ $zone = $zone1 ]; then - eval routeback=\"\$${zone}_routeback\" - eval interfaces=\"\$${zone}_interfaces\" - eval ports="\$${zone}_ports" - - num_ifaces=$(list_count1 $interfaces) - - [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) - - if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then - continue - fi - - if [ -n "$chain3" ]; then - for interface in $need_broadcast ; do - if interface_has_option $interface routeback; then - iface=$(chain_base $interface) - eval source=\"\$need_bcast_$iface\" - run_iptables -A $(forward_chain $interface) $source $(match_dest_dev $interface) -d 255.255.255.255 -j $chain3; - run_iptables -A $(forward_chain $interface) $source $(match_dest_dev $interface) -d 224.0.0.0/4 -j $chain3; - fi - done - fi - else - routeback= - num_ifaces=0 - fi - - if [ -n "$exclusions1" ]; then - # - # We handle exclusions in the dest zone by inserting RETURN rules at the front of - # each rules chain where the zone is the destination - # - case $chain in - all2$zone1) - # - # We only want to add the exclusions once - # - if eval test -z \"\$${chain}_exclusions\"; then - eval ${chain}_exclusions=Yes - insert_exclusions filter $chain $exclusions1 - fi - ;; - *2all) - # - # A policy-only chain -- we create one exclusion chain for this - # dest zone/chain combination, and 
re-use - # it if the occasion presents itself - # - eval chain1=\$${chain}_${zone1}_ex - - if [ -z "$chain1" ]; then - # - # Must create the chain - # - chain1=excl_${EXCLUSION_SEQ} - EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) - eval ${chain}_${zone1}_ex=$chain1 - createchain $chain1 no - add_exclusions filter $chain1 $exclusions1 - run_iptables -A $chain1 -j $chain - fi - # - # We must jump to the exclusion chain rather than to the policy chain - # - chain=$chain1 - ;; - *) - insert_exclusions filter $chain $exclusions1 - ;; - esac - fi - - if [ -n "$complex" ]; then - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - # - # Only generate an intrazone rule if the zone has more than one interface (port) or if - # routeback was specified for this host group - # - if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then - run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain - fi - done - else - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - chain4=$(forward_chain $interface) - - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - - if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables2 -A $chain4 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain - fi - done - done - fi - done - # - # E N D F O R W A R D I N G - # - # Now add (an) unconditional jump(s) to the last unique policy-only chain determined above, if any - # - if [ -n "$last_chain" ]; then - if [ -n "$complex" ]; then - run_iptables -A $frwd_chain -j $last_chain - else - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - chain=$(forward_chain $interface) - - run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain - done - fi - fi - done - # - # Now add the jumps to the interface chains from 
FORWARD, INPUT, OUTPUT and POSTROUTING - # - for interface in $ALL_INTERFACES ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) - run_iptables -A INPUT -i $interface -j $(input_chain $interface) - run_iptables -A OUTPUT -o $interface -j $(out_chain $interface) - addnatjump POSTROUTING $(masq_chain $interface) -o $interface - done - # - # Handle fw->fw - # - chain=${FW}2${FW} - - if havechain $chain; then - # - # There is a fw->fw chain. Send loopback output through that chain - # - run_iptables -A OUTPUT -o lo -j $chain - # - # And delete the unconditional ACCEPT rule - # - run_iptables -D OUTPUT -o lo -j ACCEPT - fi - # - # Add policy enforcement to the builtin filter chains to catch underfined hosts - # - complete_standard_chain INPUT all $FW - complete_standard_chain OUTPUT $FW all - complete_standard_chain FORWARD all all - # - # Remove rules added to keep the firewall alive during [re]start" - # - disable_critical_hosts - - for chain in INPUT OUTPUT FORWARD; do - [ -n "$FASTACCEPT" ] || run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT - run_iptables -D $chain -p udp --dport 53 -j ACCEPT - done - - process_routestopped -D - - if [ -n "$LOGALLNEW" ]; then - for table in mangle nat filter; do - case $table in - mangle) - [ -n "$MANGLE_FORWARD" ] && chains="PREROUTING INPUT FORWARD POSTROUTING" || chains="PREROUTING INPUT" - ;; - nat) - chains="PREROUTING POSTROUTING OUTPUT" - ;; - *) - chains="INPUT FORWARD OUTPUT" - ;; - esac - - for chain in $chains; do - log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table - done - done - fi -} - -# -# Compile a script that will stop the firewall -# -# This function is called by compile_firewall() so all of the overloaded functions -# from that script are available here -# -compile_stop_firewall() { - local IPTABLES_COMMAND - IPTABLES_COMMAND="\$IPTABLES" - local INDENT - INDENT=" " - - cat >&3 << __EOF__ - -# -# Stop/restore the firewall after an 
error or because of a "stop" or "clear" command -# -stop_firewall() { - - deletechain() { - qt \$IPTABLES -L \$1 -n && qt \$IPTABLES -F \$1 && qt \$IPTABLES -X \$1 - } - - deleteallchains() { - \$IPTABLES -F - \$IPTABLES -X - } - - setcontinue() { - \$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT - } - - delete_nat() { - \$IPTABLES -t nat -F - \$IPTABLES -t nat -X - - if [ -f \${VARDIR}/nat ]; then - while read external interface; do - del_ip_addr \$external \$interface - done < \${VARDIR}/nat - - rm -f \${VARDIR}/nat - fi - } - - case \$COMMAND in - stop|clear|restore) - ;; - *) - set +x - - case \$COMMAND in - start) - logger -p kern.err "ERROR:\$PRODUCT start failed" - ;; - restart) - logger -p kern.err "ERROR:\$PRODUCT restart failed" - ;; - restore) - logger -p kern.err "ERROR:\$PRODUCT restore failed" - ;; - esac - - if [ "\$RESTOREFILE" = NONE ]; then - COMMAND=clear - clear_firewall - echo "\$PRODUCT Cleared" - - kill \$\$ - exit 2 - else - RESTOREPATH=\${VARDIR}/\$RESTOREFILE - - if [ -x \$RESTOREPATH ]; then - - if [ -x \${RESTOREPATH}-ipsets ]; then - progress_message2 Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - for table in mangle nat filter; do - \$IPTABLES -t \$table -F - \$IPTABLES -t \$table -X - done - - \${RESTOREPATH}-ipsets - fi - - echo Restoring \${PRODUCT:=Shorewall}... 
- - if \$RESTOREPATH restore; then - echo "\$PRODUCT restored from \$RESTOREPATH" - set_state "Started" - else - set_state "Unknown" - fi - - kill \$\$ - exit 2 - fi - fi - ;; - esac - - set_state "Stopping" - - STOPPING="Yes" - - TERMINATOR= - - deletechain shorewall - - determine_capabilities - -__EOF__ - - append_file stop - - cat >&3 << __EOF__ - - if [ -n "\$MANGLE_ENABLED" ]; then - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt \$IPTABLES -t mangle -P \$chain ACCEPT - done - fi - - if [ -n "\$RAW_TABLE" ]; then - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt \$IPTABLES -t raw -P \$chain ACCEPT - done - fi - - if [ -n "\$NAT_ENABLED" ]; then - delete_nat - for chain in PREROUTING POSTROUTING OUTPUT; do - qt \$IPTABLES -t nat -P \$chain ACCEPT - done - fi - - if [ -f \${VARDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i \$external -d \$address pub - [ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface - done < \${VARDIR}/proxyarp - - for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp - done - fi - - rm -f \${VARDIR}/proxyarp - -__EOF__ - [ -n "$CLEAR_TC" ] && save_command "delete_tc1" - - [ -n "$DISABLE_IPV6" ] && save_command "disable_ipv6" - - save_command "undo_routing" - - save_command "restore_default_route" - - process_criticalhosts - - if [ -n "$CRITICALHOSTS" ]; then - if [ -z "$ADMINISABSENTMINDED" ]; then - cat >&3 << __EOF__ - - for chain in INPUT OUTPUT; do - setpolicy \$chain ACCEPT - done - - setpolicy FORWARD DROP - - deleteallchains - -__EOF__ - - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done - - cat >&3 << __EOF__ - - for chain in INPUT OUTPUT; do 
- setpolicy \$chain DROP - done - -__EOF__ - else - cat >&3 << __EOF__ - - for chain in INPUT OUTPUT; do - setpolicy \$chain ACCEPT - done - - setpolicy FORWARD DROP - - deleteallchains - -__EOF__ - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done - - cat >&3 << __EOF__ - - setpolicy INPUT DROP - - for chain in INPUT FORWARD; do - setcontinue \$chain - done - -__EOF__ - fi - elif [ -z "$ADMINISABSENTMINDED" ]; then - cat >&3 << __EOF__ - - for chain in INPUT OUTPUT FORWARD; do - setpolicy \$chain DROP - done - - deleteallchains - -__EOF__ - else - cat >&3 << __EOF__ - - for chain in INPUT FORWARD; do - setpolicy \$chain DROP - done - - setpolicy OUTPUT ACCEPT - - deleteallchains - - for chain in INPUT FORWARD; do - setcontinue \$chain - done - -__EOF__ - fi - - process_routestopped -A - - save_command "\$IPTABLES -A INPUT -i lo -j ACCEPT" - - [ -z "$ADMINISABSENTMINDED" ] && \ - save_command "\$IPTABLES -A OUTPUT -o lo -j ACCEPT" - - for interface in $(find_interfaces_by_option dhcp); do - save_command "\$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT" - [ -z "$ADMINISABSENTMINDED" ] && \ - save_command "\$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" - # - # This might be a bridge - # - save_command "\$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT" - done - - save_command - - case "$IP_FORWARDING" in - On|on|ON) - save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" - save_command "progress_message2 IP Forwarding Enabled" - ;; - Off|off|OFF) - save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" - save_command "progress_message2 IP Forwarding Disabled!" 
- ;; - esac - - append_file stopped - - cat >&3 << __EOF__ - - set_state "Stopped" - - logger -p kern.info "\$PRODUCT Stopped" - - case \$COMMAND in - stop|clear) - ;; - *) - # - # The firewall is being stopped when we were trying to do something - # else. Remove the lock file and Kill the shell in case we're in a - # subshell - # - kill \$\$ - ;; - esac -} -__EOF__ -} - -# -# Conditionally add an option to .conf file (FD 3) -# -conditionally_add_option() { # $1 = option name - local value - - eval value=\"\$$1\" - - if [ -n "$value" ]; then - cat >&3 << __EOF__ -[ -n "\${$1:=$value}" ] -__EOF__ - fi -} - -conditionally_add_option1() { # $1 = option name - local value - - eval value=\"\$$1\" - - if [ -n "$value" ]; then - cat >&3 << __EOF__ -$1="$value" -__EOF__ - fi -} - -# -# Post-process generated script to: -# -# - Suppress redundant blank lines -# - Replace leading spaces with tabs -# -mycat() -{ - if [ -n "$HAVEAWK" ]; then - awk 'BEGIN {blnk=0;}; /^[[:space:]]*$/ {blnk=1; next; }; { while (/^\t* /) sub(/ /, "\t" ); if (blnk == 1 ) { print ""; blnk=0; }; print; }' $* - else - cat $* - fi -} - -# -# Compile a Firewall Script -# -compile_firewall() # $1 = File Name -{ - local IPTABLES_COMMAND - IPTABLES_COMMAND=run_iptables - local INDENT - INDENT="" - local checking - checking= - local outfile - outfile=$1 - local dir - dir= - local match - match= - - setup_mss() - { - case $CLAMPMSS in - Yes) - option="--clamp-mss-to-pmtu" - ;; - *) - option="--set-mss $CLAMPMSS" - [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $CLAMPMSS: " - ;; - esac - - run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option - } - - progress_message2 "Initializing..." 
- - # - # So that mktempdir doesn't have to jump through hoops when there isn't a working 'mktemp', - # we create the compiler's temporary directory in TMP_DIR - # - STATEDIR=$TMP_DIR/compiler_state/ - - mkdir $STATEDIR || fatal_error "Cannot create temporary directory in $TMP_DIR" - - if [ $COMMAND = compile ]; then - dir=$(dirname $1) - [ -d $dir ] || fatal_error "Directory $dir does not exist" - [ -h $dir ] && fatal_error "$dir is a Symbolic Link" - [ -d $outfile ] && fatal_error "$outfile is a Directory" - [ -h $outfile ] && fatal_error "$outfile is a Symbolic Link" - [ -f $outfile -a ! -x $outfile ] && fatal_error "$outfile exists and is not a restore file" - [ $(basename $1) = shorewall ] && fatal_error "A compiled script may not be named 'shorewall'" - - DOING=Compiling - DONE=compiled - - OUTPUT=$(mktempfile $STATEDIR) - - [ -n "$OUTPUT" ] || fatal_error "Cannot create temporary file in /tmp" - - exec 3>>$OUTPUT - else - DOING=Checking - DONE=checked - checking=Yes - COMMAND=compile - - exec 3>/dev/null - fi - - cat >&3 << __EOF__ -# -# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)" -# -__EOF__ - - if [ -n "$EXPORT" ]; then - cat >&3 << __EOF__ -SHAREDIR=/usr/share/shorewall-lite -CONFDIR=/etc/shorewall-lite - -[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir - -[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ] - -__EOF__ - - cat ${SHAREDIR}/lib.base >&3 - - cat >&3 << __EOF__ - -################################################################################ -# End of ${SHAREDIR}/lib.base -################################################################################ - -__EOF__ - else - cat >&3 << __EOF__ -SHAREDIR=/usr/share/shorewall -CONFDIR=/etc/shorewall - -[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir - -[ -n "\${VARDIR:=/var/lib/shorewall}" ] - -. 
\${SHAREDIR}/lib.base -__EOF__ - fi - - cat >&3 << __EOF__ -# -# Set policy of chain \$1 to \$2 -# -setpolicy() { - \$IPTABLES -P \$1 \$2 -} -__EOF__ - - compile_stop_firewall - - cat >&3 << __EOF__ - -# -# Remove all Shorewall-added rules -# -clear_firewall() { - stop_firewall - - setpolicy INPUT ACCEPT - setpolicy FORWARD ACCEPT - setpolicy OUTPUT ACCEPT - - run_iptables -F - - echo 1 > /proc/sys/net/ipv4/ip_forward - -__EOF__ - if [ -n "$DISABLE_IPV6" ]; then - cat >&3 << __EOF__ - if qt mywhich ip6tables; then - ip6tables -P INPUT ACCEPT 2> /dev/null - ip6tables -P OUTPUT ACCEPT 2> /dev/null - ip6tables -P FORWARD ACCEPT 2> /dev/null - fi - -__EOF__ - fi - - append_file clear - - cat >&3 << __EOF__ - - set_state "Cleared" - - logger -p kern.info "\$PRODUCT Cleared" -} - -# -# Issue a message and stop/restore the firewall -# -fatal_error() -{ - echo " ERROR: \$@" >&2 - stop_firewall - exit 2 -} - -# -# Issue a message and stop -# -startup_error() # \$* = Error Message -{ - echo " ERROR: \$@" >&2 - case \$COMMAND in - start) - logger -p kern.err "ERROR:\$PRODUCT start failed" - ;; - restart) - logger -p kern.err "ERROR:\$PRODUCT restart failed" - ;; - restore) - logger -p kern.err "ERROR:\$PRODUCT restore failed" - ;; - esac - - kill \$\$ - exit 2 -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_iptables() -{ - if [ -n "\$COMMENT" ]; then - \$IPTABLES \$@ -m comment --comment "\$COMMENT" - else - \$IPTABLES \$@ - fi - - if [ \$? -ne 0 ]; then - error_message "ERROR: Command \"\$IPTABLES \$@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Run iptables and if an error occurs, stop/restore the firewall -# -run_ip() -{ - if ! ip \$@; then - error_message "ERROR: Command \"ip \$@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Run tc and if an error occurs, stop/restore the firewall -# -run_tc() { - if ! 
tc \$@ ; then - error_message "ERROR: Command \"tc \$@\" Failed" - stop_firewall - exit 2 - fi -} - -# -# Functions to appease unconverted extension scripts -# -save_command() -{ - return 0 -} - -run_and_save_command() { - eval \$@ -} - -ensure_and_save_command() { - eval \$@ || fatal_error "Command \"\$@\" failed" -} - -# -# Initialize environment -# -initialize() { -__EOF__ - INDENT=" " - - if [ -n "$EXPORT" ]; then - cat >&3 << __EOF__ - # - # These variables are required by the library functions called in this script - # - CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite" -__EOF__ - else - cat >&3 << __EOF__ - if [ ! -f \${SHAREDIR}/version ]; then - fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)" - fi - - local version - version=\$(cat \${SHAREDIR}/version) - - if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then - fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version" - fi - # - # These variables are required by the library functions called in this script - # - CONFIG_PATH="$CONFIG_PATH" -__EOF__ - fi - - cat >&3 << __EOF__ - [ -n "\${COMMAND:=restart}" ] - [ -n "\${VERBOSE:=0}" ] - [ -n "\${RESTOREFILE:=$RESTOREFILE}" ] - MODULESDIR="$MODULESDIR" - MODULE_SUFFIX="$MODULE_SUFFIX" - LOGLIMIT="$LOGLIMIT" - LOGTAGONLY="$LOGTAGONLY" - LOGRULENUMBERS="$LOGRULENUMBERS" -__EOF__ - - if [ -n "$LOGFORMAT" ]; then - cat >&3 << __EOF__ - LOGFORMAT="$LOGFORMAT" -__EOF__ - else - cat >&3 << __EOF__ - [ -n "\$LOGFORMAT\" ] || LOGFORMAT="Shorewall:%s:%s:" -__EOF__ - fi - - cat >&3 << __EOF__ - VERSION="$VERSION" - SUBSYSLOCK="$SUBSYSLOCK" - LOCKFILE="$LOCKFILE" - PATH="$PATH" - TERMINATOR=fatal_error - DONT_LOAD="$DONT_LOAD" - -__EOF__ - if [ -n "$IPTABLES" ]; then - cat >&3 << __EOF__ - IPTABLES="$IPTABLES" - - [ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable" -__EOF__ - else - cat >&3 << 
__EOF__ - [ -z "\$IPTABLES" ] && IPTABLES=\$(mywhich iptables 2> /dev/null) - - [ -n "\$IPTABLES" -a -x "\$IPTABLES" ] || startup_error "Can't find iptables executable" -__EOF__ - fi - - [ -n "$EXPORTPARAMS" ] && append_file params - - cat >&3 << __EOF__ - - STOPPING= - COMMENT= - - # - # The library requires that ${VARDIR} exist - # - [ -d \${VARDIR} ] || mkdir -p \${VARDIR} - -} -__EOF__ - - report_capabilities - - if [ -n "$BRIDGING" ]; then - [ -n "$PHYSDEV_MATCH" ] || fatal_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" - fi - - [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= - - if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - fatal_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" - fi - - [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ - fatal_error "RFC1918_STRICT=Yes requires Connection Tracking match" - - progress_message2 "Determining Zones..." - - determine_zones - - if [ $VERBOSE -ge 1 ]; then - display_list "IPv4 Zones:" $IPV4_ZONES - [ -n "$IPSEC_ZONES" ] && \ - display_list "IPSEC Zones:" $IPSEC_ZONES - display_list "Firewall Zone:" $FW - fi - - progress_message2 "Validating interfaces file..." - - validate_interfaces_file - - progress_message2 "Validating hosts file..." - - validate_hosts_file - - define_builtin_actions - - if [ -n "$USE_ACTIONS" ]; then - progress_message2 "Pre-processing Actions..." - process_actions1 - fi - - progress_message2 "Validating Policy file..." - - validate_policy - - progress_message2 "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - if [ -s $TMP_DIR/tcrules ]; then - progress_message2 "Compiling $(find_file tcrules)..." 
- process_tc_rules - fi - - if [ "$TC_ENABLED" = Internal ]; then - [ -n "$LIB_tc_LOADED" ] && setup_traffic_shaping - fi - - if [ -n "$(find_hosts_by_option blacklist)" ]; then - process_blacklist - fi - - cat >&3 << __EOF__ - -# -# Start/Restart/Reload the firewall -# -define_firewall() { - local restore_file - restore_file=\$1 -__EOF__ - - INDENT=" " - - save_progress_message "Initializing..." - - if [ -n "$EXPORT" ]; then - f=$(find_file modules) - - if [ "$f" != ${SHAREDIR}/modules -a -f $f ]; then - save_command 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir' - save_command "cat > \${VARDIR}/.modules $LEFTSHIFT EOF" - grep loadmodule $f | sed 's/^\s*//' >&3 - save_command_unindented EOF - save_command "reload_kernel_modules < \${VARDIR}/.modules" - else - save_command load_kernel_modules Yes - fi - else - save_command load_kernel_modules Yes - fi - - for interface in $ALL_INTERFACES; do - if interface_has_option $interface norfc1918; then - indent >&3 << __EOF__ -addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1) -if [ -n "\$addr" ]; then - addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//') - for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do - if in_network \$addr \$network; then - error_message "WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. 
Interface:$interface" - fi - done -fi - -__EOF__ - fi - done - - append_file init - - TERMINATOR=fatal_error - - deletechain shorewall - - if [ -n "$NAT_ENABLED" ]; then - delete_nat - for chain in PREROUTING POSTROUTING OUTPUT; do - qt_iptables -t nat -P $chain ACCEPT - done - fi - - delete_proxy_arp - - if [ -n "$MANGLE_ENABLED" ]; then - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt_iptables -t mangle -P $chain ACCEPT - done - fi - - if [ -n "$RAW_TABLE" ]; then - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt_iptables -t raw -P $chain ACCEPT - done - fi - - [ -n "$CLEAR_TC" ] && delete_tc - - progress_message2 "Deleting user chains..." - - save_progress_message "Deleting user chains..." - - exists_INPUT=Yes - exists_OUTPUT=Yes - exists_FORWARD=Yes - - process_criticalhosts - - if [ -n "$CRITICALHOSTS" ]; then - - setpolicy INPUT ACCEPT - setpolicy OUTPUT ACCEPT - setpolicy FORWARD DROP - - deleteallchains - - enable_critical_hosts - - setpolicy INPUT DROP - setpolicy OUTPUT DROP - - [ -n "$CLAMPMSS" ] && setup_mss - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - else - - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - [ -n "$CLAMPMSS" ] && setup_mss - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - fi - - indent >&3 << __EOF__ - -f=\$(find_file ipsets) - -if [ -f \$f ]; then - progress_message2 "Restoring IPSETS..." - ipset -U :all: :all: - ipset -U :all: :default: - ipset -F - ipset -X - ipset -R < \$f -fi - -__EOF__ - - append_file continue - - f=$(find_file routestopped) - - progress_message2 "$DOING $f ..." 
- - process_routestopped -A - - if [ -n "$DISABLE_IPV6" ]; then - save_command disable_ipv6 - fi - - save_progress_message "Enabling Loopback and DNS Lookups" - - # - # Enable the Loopback interface for now - # - run_iptables -A INPUT -i lo -j ACCEPT - run_iptables -A OUTPUT -o lo -j ACCEPT - - # - # Allow DNS lookups during startup for FQDNs - # - - for chain in INPUT OUTPUT FORWARD; do - run_iptables -A $chain -p udp --dport 53 -j ACCEPT - done - - [ -n "$LIB_accounting_LOADED" ] && setup_accounting $(find_file accounting) - - createchain reject no - createchain dynamic no - createchain logdrop no - createchain logreject no - createchain smurfs no - - log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP - log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT - - run_iptables -A logdrop -j DROP - run_iptables -A logreject -j reject - - indent >&3 << __EOF__ - -if [ -f \${VARDIR}/save ]; then - progress_message2 "Setting up dynamic rules..." - rangematch='source IP range' - while read target ignore1 ignore2 address ignore3 rest; do - case \$target in - DROP|reject|logdrop|logreject) - case \$rest in - \$rangematch*) - run_iptables -A dynamic -m iprange --src-range \${rest#source IP range} -j \$target - ;; - *) - if [ -z "\$rest" ]; then - run_iptables -A dynamic -s \$address -j \$target - else - error_message "WARNING: Unable to restore dynamic rule \"\$target \$ignore1 \$ignore2 \$address \$ignore3 \$rest\"" - fi - ;; - esac - ;; - esac - done < \${VARDIR}/save -fi -__EOF__ - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - progress_message2 "Creating Interface Chains..." - - save_progress_message "Creating Interface Chains..." 
- - for interface in $ALL_INTERFACES; do - for chain in $(input_chain $interface) $(forward_chain $interface); do - createchain $chain no - run_iptables -A $chain $state -j dynamic - done - - createchain $(out_chain $interface) no - done - - if [ -n "$LIB_proxyarp_LOADED" ]; then - progress_message2 "$DOING Proxy ARP" - setup_proxy_arp - else - > $STATEDIR/proxyarp - fi - - # - # [re]-Establish routing - # - if [ -s $TMP_DIR/providers ]; then - setup_providers $(find_file providers) - [ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking - else - save_command - save_command undo_routing - save_command restore_default_route - fi - - - if [ -s $TMP_DIR/nat ]; then - progress_message2 "$DOING NAT..." - setup_nat - else - > $STATEDIR/nat - fi - - if [ -s $TMP_DIR/netmap ]; then - progress_message2 "$DOING NETMAP..." - setup_netmap - fi - - progress_message2 "$DOING Common Rules" - add_common_rules - - save_progress_message "Setting up SYN Flood Protection..." - - setup_syn_flood_chains - - setup_ipsec - - maclist_hosts=$(find_hosts_by_option maclist) - - if [ -n "$maclist_hosts" ]; then - save_progress_message "Setting up MAC Filtration -- Phase 1..." - setup_mac_lists 1 - fi - - progress_message2 "$DOING $(find_file rules)..." - save_progress_message "Setting up Rules..." - process_rules - - if [ -s $TMP_DIR/tunnels ]; then - tunnels=$(find_file tunnels) - progress_message2 "$DOING $tunnels..." - save_progress_message "Setting up Tunnels..." - setup_tunnels $tunnels - fi - - if [ -n "$DEFAULT_MACROS" ]; then - progress_message2 "$DOING default macros..." - save_progress_message "Creating default macro chains..." - for macro in $DEFAULT_MACROS; do - process_default_macro $macro - done - fi - - if [ -n "$USEDACTIONS" ]; then - save_progress_message "Setting up Actions..." 
- - progress_message2 "$DOING Actions..."; - [ -n "$USE_ACTIONS" ] && process_actions2 - process_actions3 - fi - - if [ -n "$maclist_hosts" ]; then - save_progress_message "Setting up MAC Filtration -- Phase 2..." - setup_mac_lists 2 - fi - - save_progress_message "Applying Policies..." - - progress_message2 "$DOING $(find_file policy)..."; apply_policy_rules - - if [ -s $TMP_DIR/masq ]; then - setup_masq $(find_file masq) - fi - - if [ -n "$MANGLE_ENABLED" ]; then - tos=$(find_file tos) - [ -f $tos ] && process_tos $tos - - ecn=$(find_file ecn) - [ -f $ecn ] && setup_ecn $ecn - - setup_tc - fi - - progress_message2 "$DOING Rule Activation..." - save_progress_message "Activating Rules..." - activate_rules - - for file in chains nat proxyarp zones; do - save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__" - cat $STATEDIR/$file >&3 - save_command_unindented __EOF__ - done - - if [ -n "$ALIASES_TO_ADD" ]; then - save_command add_ip_aliases $ALIASES_TO_ADD - fi - - cat >&3 << __EOF__ - - if [ \$COMMAND = restore ]; then - iptables-restore < \$restore_file - fi - -__EOF__ - setup_forwarding - save_command "date > \${VARDIR}/restarted" - - append_file start - - if [ -n "$DELAYBLACKLISTLOAD" -a -s ${TMP_DIR}/blacklist ]; then - save_command - save_command progress_message2 \"Loading Black List...\" - save_command load_blacklist - save_command - fi - - createchain shorewall no - - save_command set_state "Started" - - append_file started - - cat >&3 << __EOF__ - - cp -f \$(my_pathname) \${VARDIR}/.restore - - case \$COMMAND in - start) - logger -p kern.info "\$PRODUCT started" - ;; - restart) - logger -p kern.info "\$PRODUCT restarted" - ;; - restore) - logger -p kern.info "\$PRODUCT restored" - ;; - esac - -} - -# -# Silently define Firewall and ignore errors -# -restore_firewall() -{ - iptables_save_file=\${VARDIR}/\$(basename \$0)-iptables - - fatal_error() - { - echo " ERROR: \$@" >&2 - } - - startup_error() # \$@ = Error Message - { - echo " ERROR: \$@" >&2 - } - - 
run_iptables() { return 0; } - - VERBOSE=-1 # The progress messages don't make sense without iptables - - IPTABLES=run_iptables - - if [ -f \$iptables_save_file ]; then - { - define_firewall \$iptables_save_file - } - else - fatal_error "\$iptables_save_file does not exist" - exit 2 - fi -} - -__EOF__ - - compile_refresh_firewall - - exec 3>&- - - if [ -n "$checking" ]; then - progress_message3 "Shorewall configuration verified" - else - INDENT= - mycat ${SHELLSHAREDIR}/prog.header $OUTPUT ${SHELLSHAREDIR}/prog.footer > $outfile - chmod 700 $outfile - if [ -n "$EXPORT" ]; then - exec 3>${outfile}.conf - cat >&3 << __EOF__ -# -# Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date) -# -__EOF__ - for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE LOCKFILE SAVE_IPSETS; do - conditionally_add_option $option - done - - conditionally_add_option1 TC_ENABLED - - exec 3>&- - fi - - progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)" - rm -f $OUTPUT - fi - - rm -rf $TMP_DIR - -} - -# -# Give Usage Information -# -usage() { - echo "Usage: $0 [debug] check|compile }" - exit 1 -} - -# -# E X E C U T I O N B E G I N S H E R E -# -# -# Start trace if first arg is "debug" or "trace" -# -[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; } - -NOLOCK= - -[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } - -trap "exit 2" 1 2 3 4 5 6 9 - -SHAREDIR=/usr/share/shorewall -VARDIR=/var/lib/shorewall -[ -z "$EXPORT" ] && CONFDIR=/etc/shorewall || CONFDIR=${SHAREDIR}/configfiles - -[ -n "${VERBOSE:=2}" ] - -for library in lib.base lib.config; do - FUNCTIONS=${SHAREDIR}/${library} - - if [ -f $FUNCTIONS ]; then - [ $VERBOSE -ge 2 ] && echo "Loading $FUNCTIONS..." - . $FUNCTIONS - else - fatal_error "Installation Error: $FUNCTIONS does not exist!" 
- fi -done - -VERSION=$(cat $SHELLSHAREDIR/version) - -[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE" -[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE" - -PROGRAM=compiler - -COMMAND="$1" - -case "$COMMAND" in - - check) - [ $# -ne 1 ] && usage - do_initialize - compile_firewall - ;; - - compile) - [ $# -ne 2 ] && usage - do_initialize - compile_firewall $2 - ;; - - call) - # - # Undocumented way to call functions in ${SHAREDIR}/compiler directly - # - shift - do_initialize - EMPTY= - $@ - ;; - - *) - usage - ;; - -esac diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh deleted file mode 100755 index 8715292f6..000000000 --- a/Shorewall-shell/install.sh +++ /dev/null 
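Review bot: the norfc1918 check emitted by define_firewall() in this hunk loops over `10.0.0.0/8 176.16.0.0/12 192.168.0.0/16`, but the RFC 1918 private block is 172.16.0.0/12, so interfaces addressed in 172.16/12 never produced the "norfc1918 ... RFC 1918 address" warning; whichever compiler replaces this file should be checked for the same prefix typo. Two smaller points from the same hunk: the guard in initialize() compares `SHOREWALL_LIBVERSION` against 30203 while the error text says "Shorewall version 3.3.3 or later", and the generated header `# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)"` carries a stray trailing quote. Worth carrying forward as a design note rather than a bug: during startup the generated script appends `-p udp --dport 53 -j ACCEPT` to INPUT, OUTPUT and FORWARD and only deletes those rules in the final cleanup block, so the successor should keep that startup window at least as narrow.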
@@ -1,260 +0,0 @@ -#!/bin/sh -# -# Script to install Shoreline Firewall -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -VERSION=4.2.6 - -usage() # $1 = exit status -{ - ME=$(basename $0) - echo "usage: $ME" - echo " $ME -v" - echo " $ME -h" - echo " $ME -n" - exit $1 -} - -split() { - local ifs - ifs=$IFS - IFS=: - set -- $1 - echo $* - IFS=$ifs -} - -qt() -{ - "$@" >/dev/null 2>&1 -} - -mywhich() { - local dir - - for dir in $(split $PATH); do - if [ -x $dir/$1 ]; then - echo $dir/$1 - return 0 - fi - done - - return 2 -} - -run_install() -{ - if ! install $*; then - echo - echo "ERROR: Failed to install $*" >&2 - exit 1 - fi -} - -cant_autostart() -{ - echo - echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2 -} - -backup_directory() # $1 = directory to backup -{ - if [ -d $1 ]; then - if cp -a $1 ${1}-${VERSION}.bkout ; then - echo - echo "$1 saved to ${1}-${VERSION}.bkout" - else - exit 1 - fi - fi -} - -backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup -{ - if [ -z "${PREFIX}{NOBACKUP}" ]; then - if [ -f $1 -a ! 
-f ${1}-${VERSION}.bkout ]; then - if [ -n "$2" ]; then - if [ -d $2 ]; then - if cp -f $1 $2 ; then - echo - echo "$1 saved to $2/$(basename $1)" - else - exit 1 - fi - fi - elif cp $1 ${1}-${VERSION}.bkout; then - echo - echo "$1 saved to ${1}-${VERSION}.bkout" - else - exit 1 - fi - fi - fi -} - -delete_file() # $1 = file to delete -{ - rm -f $1 -} - -install_file() # $1 = source $2 = target $3 = mode -{ - run_install $OWNERSHIP -m $3 $1 ${2} -} - -install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory -{ - backup_file $2 $4 - run_install $OWNERSHIP -m $3 $1 ${2} -} - -# -# Parse the run line -# -# DEST is the SysVInit script directory -# INIT is the name of the script in the $DEST directory -# RUNLEVELS is the chkconfig parmeters for firewall -# ARGS is "yes" if we've already parsed an argument -# -ARGS="" - -if [ -z "$DEST" ] ; then - DEST="/etc/init.d" -fi - -if [ -z "$INIT" ] ; then - INIT="shorewall" -fi - -if [ -z "$RUNLEVELS" ] ; then - RUNLEVELS="" -fi - -case $(uname) in - CYGWIN*) - DEST= - INIT= - [ -z "$OWNER" ] && OWNER=$(id -un) - [ -z "$GROUP" ] && GROUP=$(id -gn) - ;; - *) - [ -z "$OWNER" ] && OWNER=root - [ -z "$GROUP" ] && GROUP=root - ;; -esac - -NOBACKUP= - -while [ $# -gt 0 ] ; do - case "$1" in - -h|help|?) - usage 0 - ;; - -v) - echo "Shorewall Firewall Installer Version $VERSION" - exit 0 - ;; - -n) - NOBACKUP=Yes - ;; - *) - usage 1 - ;; - esac - shift - ARGS="yes" -done - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -# -# Determine where to install the firewall script -# - -OWNERSHIP="-o $OWNER -g $GROUP" - -if [ -n "$PREFIX" ]; then - if [ `id -u` != 0 ] ; then - echo "Not setting file owner/group permissions, not running as root." 
- OWNERSHIP="" - fi -fi - -# -# Change to the directory containing this script -# -cd "$(dirname $0)" - -echo "Installing Shorewall-shell Version $VERSION" - -# -# Check for /usr/share/shorewall-shell -# -if [ -d ${PREFIX}/usr/share/shorewall-shell ]; then - first_install="" - if [ -z "$NOBACKUP" ]; then - backup_directory ${PREFIX}/usr/share/shorewall-shell - fi -else - first_install="Yes" -fi - -# -# Create /etc/shorewall, /usr/share/shorewall-shell and /var/shorewall if needed -# -mkdir -p ${PREFIX}/usr/share/shorewall-shell - -chmod 755 ${PREFIX}/usr/share/shorewall-shell - -# -# Install the Compiler -# - -install_file compiler ${PREFIX}/usr/share/shorewall-shell/compiler 0755 - -echo -echo "Compiler installed in ${PREFIX}/usr/share/shorewall-shell/compiler" - -# -# -# Install the libraries -# -for f in lib.* ; do - if [ -f $f ]; then - install_file $f ${PREFIX}/usr/share/shorewall-shell/$f 0644 - echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-shell/$f" - fi -done - -# -# Install the program skeleton files -# -for f in prog.* ; do - install_file $f ${PREFIX}/usr/share/shorewall-shell/$f 0644 - echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-shell/$f" -done - -echo $VERSION > ${PREFIX}/usr/share/shorewall-shell/version -# -# Report Success -# -echo "shorewall-shell Version $VERSION Installed" diff --git a/Shorewall-shell/lib.accounting b/Shorewall-shell/lib.accounting deleted file mode 100644 index 6568be75e..000000000 --- a/Shorewall-shell/lib.accounting +++ /dev/null 
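Review bot: backup_file() in this hunk tests `[ -z "${PREFIX}{NOBACKUP}" ]`, which is missing the `$` before `{NOBACKUP}`; the literal text `{NOBACKUP}` makes the string non-empty on every run, so the per-file backup branch (including the `-n` handling) could never execute. If an install script for the replacement package inherits this helper, the condition should read `[ -z "${PREFIX}${NOBACKUP}" ]`. Minor: the comment "Create /etc/shorewall, /usr/share/shorewall-shell and /var/shorewall if needed" names three directories but only `${PREFIX}/usr/share/shorewall-shell` is created, and the `OWNERSHIP=""` fallback for non-root installs is only applied when PREFIX is set, so a non-root run without PREFIX still passes `-o root -g root` to install.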
@@ -1,265 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.accounting -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the accounting file is -# non-empty. -# - -# -# Process a record from the accounting file -# -process_accounting_rule() { - rule= - rule2= - jumpchain= - user1= - - accounting_error() { - error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user $mark - } - - accounting_interface_error() { - error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user $mark - } - - accounting_interface_verify() { - verify_interface $1 || accounting_interface_error $1 - } - - jump_to_chain() { - if ! havechain $jumpchain; then - if ! 
createchain2 $jumpchain No; then - accounting_error - return 2 - fi - fi - - rule="$rule -j $jumpchain" - } - - do_ipp2p() { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" - case $proto in - *:*) - proto=${proto#*:} - ;; - *) - proto=tcp - ;; - esac - - rule="$rule -p $proto -m ipp2p --${port:-ipp2p}" - } - - case $source in - *:*) - accounting_interface_verify ${source%:*} - rule="$(source_ip_range ${source#*:}) $(match_source_dev ${source%:*})" - ;; - *.*.*.*|+*|!+*) - rule="$(source_ip_range $source)" - ;; - -|all|any) - ;; - *) - if [ -n "$source" ]; then - accounting_interface_verify $source - rule="$(match_source_dev $source)" - fi - ;; - esac - - [ -n "$dest" ] && case $dest in - *:*) - accounting_interface_verify ${dest%:*} - rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})" - ;; - *.*.*.*|+*|!*) - rule="$rule $(dest_ip_range $dest)" - ;; - -|all|any) - ;; - *) - accounting_interface_verify $dest - rule="$rule $(match_dest_dev $dest)" - ;; - esac - - [ -n "$proto" ] && case $proto in - -|any|all) - ;; - ipp2p|IPP2P|ipp2p:*|IPP2P:*) - do_ipp2p - ;; - *) - rule="$rule -p $proto" - ;; - esac - - multiport= - - [ -n "$port" ] && case $port in - -|any|all) - ;; - *) - if [ -n "$MULTIPORT" ]; then - rule="$rule -m multiport --dports $port" - multiport=Yes - else - rule="$rule --dport $port" - fi - ;; - esac - - [ -n "$sport" ] && case $sport in - -|any|all) - ;; - *) - if [ -n "$MULTIPORT" ]; then - [ -n "$multiport" ] && rule="$rule --sports $sport" || rule="$rule -m multiport --sports $sport" - else - rule="$rule --sport $sport" - fi - ;; - esac - - [ -n "$user" ] && case $user in - -|any|all) - ;; - *) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner" - user1="$user" - - case "$user" in - !*+*) - if [ -n "${user#*+}" ]; then - rule="$rule ! 
--cmd-owner ${user#*+} " - fi - user1=${user%+*} - ;; - *+*) - if [ -n "${user#*+}" ]; then - rule="$rule --cmd-owner ${user#*+} " - fi - user1=${user%+*} - ;; - esac - - case "$user1" in - !*:*) - if [ "$user1" != "!:" ]; then - temp="${user1#!}" - temp="${temp%:*}" - [ -n "$temp" ] && rule="$rule ! --uid-owner $temp " - temp="${user1#*:}" - [ -n "$temp" ] && rule="$rule ! --gid-owner $temp " - fi - ;; - *:*) - if [ "$user1" != ":" ]; then - temp="${user1%:*}" - [ -n "$temp" ] && rule="$rule --uid-owner $temp " - temp="${user1#*:}" - [ -n "$temp" ] && rule="$rule --gid-owner $temp " - fi - ;; - !*) - [ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} " - ;; - *) - [ -n "$user1" ] && rule="$rule --uid-owner $user1 " - ;; - esac - ;; - esac - - [ -n "$mark" ] && case $mark in - -|any|all) - mark= - ;; - !*) - rule="$rule -m mark ! --mark ${mark#*!}" - ;; - *) - rule="$rule -m mark --mark $mark" - ;; - esac - - case $action in - COUNT) - ;; - DONE) - rule="$rule -j RETURN" - ;; - *:COUNT) - rule2="$rule" - jumpchain=${action%:*} - jump_to_chain || return - ;; - JUMP:*) - jumpchain=${action#*:} - jump_to_chain || return - ;; - *) - jumpchain=$action - jump_to_chain || return - ;; - esac - - [ "x${chain:=accounting}" = "x-" ] && chain=accounting - - ensurechain1 $chain - - if do_iptables -A $chain $(fix_bang $rule) ; then - [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 - progress_message " Accounting rule \"$action $chain $source $dest $proto $port $sport $user\" $DONE" - save_progress_message_short " Accounting rule \\\"$action $chain $source $dest $proto $port $sport $user\\\" Added" - else - accounting_error - fi -} - -# -# Set up Accounting -# -setup_accounting() # $1 = Name of accounting file -{ - - progress_message2 "$DOING Accounting..." - - save_progress_message "Setting up Accounting..." 
- - while read action chain source dest proto port sport user mark ; do - process_accounting_rule - done < $TMP_DIR/accounting - - if havechain accounting; then - for chain in INPUT FORWARD OUTPUT; do - run_iptables -I $chain -j accounting - done - fi - -} - diff --git a/Shorewall-shell/lib.actions b/Shorewall-shell/lib.actions deleted file mode 100644 index e8528bc8d..000000000 --- a/Shorewall-shell/lib.actions +++ /dev/null 
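Review bot: for the lib.accounting removal, the compiler side of this change is not in the diff: the file's own header says it is sourced by /usr/share/shorewall/compiler whenever the accounting file is non-empty, and its setup_accounting() is the code that inserts the `-j accounting` jump into INPUT, FORWARD and OUTPUT, so please confirm in the same change that the loader no longer tries to source a file that no longer exists and that a non-empty accounting file produces either equivalent rules or a clear error rather than silently losing counters. One asymmetry worth recording before the code disappears, so it is not reproduced elsewhere: in process_accounting_rule() the DEST case uses the pattern `*.*.*.*|+*|!*)` while SOURCE uses `*.*.*.*|+*|!+*)`, so a negated interface name in DEST was handed to dest_ip_range instead of being verified as an interface.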
@@ -1,885 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.actions -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when USE_ACTIONS=Yes -# (either explicitly specified or defaulted). -# - -# -# Add one Filter Rule from an action -- Helper function for the action file processor -# -# The caller has established the following variables: -# COMMAND = current command. 
-# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# action = The chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup = owner match clause -# logtag = Log tag -# -add_an_action() -{ - local chain1 - - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - action_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - handle_exclusion() - { - build_exclusion_chain chain1 filter "$excludesource" "$excludedest" - - run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1 - - cli= - proto= - sports= - multiport= - dports= - user= - } - - do_ipp2p() { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - - dports="-m ipp2p --${port:-ipp2p}" - - case $proto in - ipp2p|IPP2P) - proto=tcp - port= - do_ports - ;; - ipp2p:udp|IPP2P:UDP) - proto=udp - port= - do_ports - ;; - ipp2p:all|IPP2P:ALL) - proto=all - ;; - esac - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). 
- - cli= - - case "$client" in - -) - ;; - *:*) - action_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*|+*|!+*) - cli="$(source_ip_range $client)" - ;; - ~*|!~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - action_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). - - dest_interface= - serv= - - case "$server" in - -) - ;; - *:*) - action_interface_verify ${server%:*} - dest_interface=$(match_dest_dev ${server%:*}) - serv=${server#*:} - ;; - *.*.*|+*|!+*) - serv=$server - ;; - ~*|!~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - action_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - servport=$serverport - multiport= - chain1=$chain - user="$userandgroup" - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - ;; - tcp:syn) - proto="$proto --syn" - do_ports - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - ipp2p|IPP2P|ipp2p:*|IPP2P:*) - do_ipp2p - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. 
setup - - case "$logtarget" in - LOG) - [ -z "$loglevel" ] && fatal_error "LOG requires log level" - ;; - esac - - if [ -n "${excludesource}${excludedest}" ]; then - handle_exclusion - fi - - if [ -n "${serv}" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports) - fi - - run_iptables2 -A $chain1 $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dest_interface $dports $ratelimit $user -j $target - done - done - else - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $multiport $sports $cli $dest_interface $dports) - fi - - run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \ - $dports $ratelimit $user -j $target - fi -} - -# -# Process a record from an action file -# -process_action() # $1 = chain (Chain to add the rules to) - # $2 = action (The action name for logging purposes) - # $3 = target (The (possibly modified) contents of the TARGET column) - # $4 = clients - # $5 = servers - # $6 = protocol - # $7 = ports - # $8 = cports - # $9 = ratelimit - # $10 = userspec - # $11 = mark -{ - local chain - chain="$1" - local action - action="$2" - local target - target="$3" - local clients - clients="$4" - local servers - servers="$5" - local protocol - protocol="$6" - local ports - ports="$7" - local cports - cports="$8" - local ratelimit - ratelimit="$9" - local userspec - userspec="${10}" - local mark - mark="${11}" - local userandgroup - userandgroup= - local logtag - logtag= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - -) - ratelimit= - ;; - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - [ 
"x$userspec" = "x-" ] && userspec= - - if [ -n "$userspec" ]; then - userandgroup="-m owner" - - case "$userspec" in - !*+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - *+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - esac - - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}" - ;; - *) - [ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec" - ;; - esac - - [ "$userandgroup" = "-m owner" ] && userandgroup= - fi - - [ "x$mark" = "x-" ] && mark= - - if [ -n "$mark" ]; then - if [ "$mark" = "${mark%!*}" ]; then - mark="-m mark --mark $mark" - else - mark="-m mark ! 
--mark ${mark#*!}" - fi - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - fi - - case $loglevel in - none*) - loglevel= - [ $target = LOG ] && return - ;; - esac - - loglevel=${loglevel%\!} - fi - - logtarget="$target" - - case $target in - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - COUNT) - return; - ;; - *) - ;; - esac - - excludesource= - - case ${clients:=-} in - *!*!*) - fatal_error "Invalid SOURCE in rule \"$rule\"" - ;; - !*) - if [ $(list_count $clients) -gt 1 ]; then - excludesource=${clients#!} - clients= - fi - ;; - *!*) - excludesource=${clients#*!} - clients=${clients%!*} - ;; - esac - - excludedest= - - case ${servers:=-} in - *!*!*) - fatal_error "Invalid DEST in rule \"$rule\"" - ;; - !*) - if [ $(list_count $servers) -gt 1 ]; then - excludedest=${servers#*!} - servers= - fi - ;; - *!*) - excludedest=${servers#*!} - servers=${servers%!*} - ;; - esac - - # Generate Netfilter rule(s) - - [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list $clients); do - for server in $(separate_list $servers); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - elif [ -n "$MULTIPORT" ] && \ - ! 
list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list $clients); do - for server in $(separate_list $servers); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list $clients); do - for server in $(separate_list $servers); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_an_action - done - done - done - done - fi - # - # Report Result - # - progress_message " Rule \"$rule\" $DONE." - save_progress_message_short " Rule \\\"$rule\\\" added." -} - -# -# This function determines the logging for a subordinate action or a rule within a subordinate action -# -merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called -{ - local superior - superior=$1 - local subordinate - subordinate=$2 - - set -- $(split $1) - - case $superior in - *:*:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!':$3 - return - ;; - *'!') - echo ${subordinate%%:*}:$2:$3 - return - ;; - *) - case $subordinate in - *:*:*) - echo $subordinate - return - ;; - *:*) - echo $subordinate:$3 - return - ;; - *) - echo ${subordinate%%:*}:$2:$3 - return - ;; - esac - ;; - esac - ;; - *:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' 
- return - ;; - *'!') - echo ${subordinate%%:*}:$2 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2 - return - ;; - esac - ;; - esac - ;; - *) - echo $subordinate - ;; - esac -} - -# -# The next three functions implement the three phases of action processing. -# -# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std -# and ${CONFDIR}/actions are scanned (in that order) and for each action: -# -# a) The related action definition file is located and scanned. -# b) Forward and unresolved action references are trapped as errors. -# c) A dependency graph is created. For each , the variable 'requiredby_' lists the -# action[:level[:tag]] of each action invoked by . -# d) All actions are listed in the global variable ACTIONS. -# -# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an -# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name -# %n is used where the name is truncated on the right where necessary to ensure that the total -# length of the chain name does not exceed 30 characters. -# -# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of -# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created. -# -# The final phase (process_actions3) is to traverse the USEDACTIONS list populating each chain appropriately -# by reading the action definition files and creating rules. Note that a given action definition file is -# processed once for each unique [:level[:tag]] applied to an invocation of the action. 
-# -process_actions1() { - - for inputfile in actions.std actions; do - while read xaction rest; do - [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" - - case $xaction in - *:*) - error_message "WARNING: Default Actions are now specified in /etc/shorewall/shorewall.conf" - xaction=${xaction%:*} - ;; - esac - - [ -z "$xaction" ] && continue - - [ "$xaction" = "$(chain_base $xaction)" ] || fatal_error "Invalid Action Name: $xaction" - - if ! list_search $xaction $ACTIONS; then - f=action.$xaction - fn=$(find_file $f) - - eval requiredby_${action}= - - if [ -f $fn ]; then - progress_message2 " Pre-processing $fn..." - strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark; do - temp="${xtarget%%:*}" - case "$temp" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|COUNT) - ;; - COMMENT) - if [ "$temp" != "$xtarget" ]; then - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" - fatal_error "Invalid TARGET in rule \"$rule\"" - fi - ;; - *) - if list_search $temp $ACTIONS; then - eval requiredby=\"\$requiredby_${xaction}\" - list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\" - else - temp=$(map_old_action $temp) - - case $temp in - */*) - param=${temp#*/} - case $param in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - ;; - *) - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" - fatal_error "Invalid Macro Parameter in rule \"$rule\"" - ;; - esac - temp=${temp%%/*} - ;; - esac - - f1=macro.${temp} - fn=$(find_file $f1) - - if [ ! -f $TMP_DIR/$f1 ]; then - # - # We must only verify macros once to ensure that they don't invoke any non-standard actions - # - if [ -f $fn ]; then - strip_file $f1 $fn - - progress_message " ..Expanding Macro $fn..." 
- - while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do - - [ $mtarget = COMMENT -o $mtarget = COUNT ] && continue - - temp="${mtarget%%:*}" - case "$temp" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) - ;; - *) - rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" - fatal_error "Invalid TARGET in rule \"$rule\"" - esac - done < $TMP_DIR/$f1 - - progress_message " ..End Macro" - else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" - fatal_error "Invalid TARGET in rule \"$rule\"" - fi - fi - fi - ;; - - esac - done < $TMP_DIR/$f - else - fatal_error "Missing Action File: $f" - fi - - ACTIONS="$ACTIONS $xaction" - fi - done < $TMP_DIR/$inputfile - done - - for action in $DROP_DEFAULT $REJECT_DEFAULT $ACCEPT_DEFAULT $QUEUE_DEFAULT; do - case $action in - none) - ;; - *) - if list_search $action $ACTIONS; then - list_search $action $USEDACTIONS || USEDACTIONS="$USEDACTIONS $action" - fi - ;; - esac - done -} - -process_actions2() { - - local interfaces - interfaces="$(find_interfaces_by_option upnp)" - - if [ -n "$interfaces" ]; then - if ! list_search forwardUPnP $USEDACTIONS; then - error_message "WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" - fi - fi - - progress_message " Generating Transitive Closure of Used-action List..." - - changed=Yes - - while [ -n "$changed" ]; do - changed= - for xaction in $USEDACTIONS; do - - eval required=\"\$requiredby_${xaction%%:*}\" - - for xaction1 in $required; do - # - # Generate the action that will be passed to process_action by merging the - # logging specified when the action was invoked with the logging in the - # invocation of the subordinate action (usually no logging) - # - xaction2=$(merge_levels $xaction $xaction1) - - if ! 
list_search $xaction2 $USEDACTIONS; then - # - # We haven't seen this one before -- create and record a chain to handle it - # - USEDACTIONS="$USEDACTIONS $xaction2" - createactionchain $xaction2 - changed=Yes - fi - done - done - done -} - -# -# process_actions3() is in the compiler. What follows is called from that function when the action -# being processed is not a builtin. - -process_action3() { - - local f - f=action.$xaction1 - local comment - comment= - - progress_message2 "$DOING $(find_file $f) for Chain $xchain..." - - while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do - # - # Generate the target:level:tag to pass to process_action() - # - xaction2=$(merge_levels $xaction $xtarget) - - is_macro= - param= - - xtarget1=${xaction2%%:*} - - case $xtarget1 in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|COUNT) - # - # Builtin target -- Nothing to do - # - ;; - COMMENT) - if [ -n "$COMMENTS" ]; then - comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark) - save_command COMMENT=\"$comment\" - else - error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" - fi - continue - ;; - *) - if list_search $xtarget1 $ACTIONS ; then - # - # An Action -- Replace the target from the file - # -- with the one generated above - xtarget=$xaction2 - # - # And locate the chain for that action:level:tag - # - xaction2=$(find_logactionchain $xtarget) - else - is_macro=yes - fi - ;; - esac - - if [ -n "$is_macro" ]; then - - xtarget1=$(map_old_action $xtarget1) - - case $xtarget1 in - */*) - param=${xtarget1#*/} - xtarget1=${xtarget1%%/*} - ;; - esac - - progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." 
- - while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do - - [ $mtarget = COMMENT -o $mtarget = COUNT ] && continue - - mtarget=$(merge_levels $xaction2 $mtarget) - - case $mtarget in - PARAM|PARAM:*) - [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" - ;; - esac - - if [ -n "$mclients" ]; then - case $mclients in - -|SOURCE) - mclients=${xclients} - ;; - DEST) - mclients=${xservers} - ;; - *) - mclients=$(merge_macro_source_dest $mclients $xclients) - ;; - esac - else - mclients=${xclients} - fi - - if [ -n "$mservers" ]; then - case $mservers in - -|DEST) - mservers=${xservers} - ;; - SOURCE) - mservers=${xclients} - ;; - *) - mservers=$(merge_macro_source_dest $mservers $xservers) - ;; - esac - else - mservers=${xserverss} - fi - - [ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol - [ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports - [ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports - [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit - [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec - - rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-} $xmark" - process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec $xmark - done < $TMP_DIR/macro.$xtarget1 - progress_message "..End Macro" - else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark - fi - done < $TMP_DIR/$f - - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - fi - -} 
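Review bot: the lib.actions removal leaves a dangling caller unless the compiler is changed in the same commit: the file's comment states that "process_actions3() is in the compiler" and that process_action3() here is called from it for non-builtin actions, and the header says the compiler sources this library when USE_ACTIONS=Yes, neither of which appears in this diff. Three defects in the deleted code are worth noting so they are not carried into any replacement: in process_actions1() the dependency variable is initialised with `eval requiredby_${action}=` although the enclosing loop works with `$xaction`; the read loop `while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark` puts `$` on the last two names, so `read` never assigns xuserspec and xmark from the action file; and in process_action3() the macro fallback assigns `mservers=${xserverss}` (extra `s`), which yields an empty DEST instead of the enclosing rule's servers.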
diff --git a/Shorewall-shell/lib.maclist b/Shorewall-shell/lib.maclist deleted file mode 100644 index 38b2fe000..000000000 --- a/Shorewall-shell/lib.maclist +++ /dev/null 
@@ -1,270 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.tcrules -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the maclist option -# is specified in an entry in the interfaces file. -# - -# -# Set up MAC Verification -# -setup_mac_lists() # $1 = Phase Number -{ - local interface - local mac - local addresses - local address - local chain - local chain1 - local macpart - local blob - local hosts - local ipsec - local policy - policy= - - create_mac_chain() - { - case $MACLIST_TABLE in - filter) - createchain $1 no - ;; - *) - createmanglechain $1 - ;; - esac - } - - have_mac_chain() - { - local result - - case $MACLIST_TABLE in - filter) - havechain $1 && result=0 || result=1 - ;; - *) - havemanglechain $1 && result=0 || result=1 - ;; - esac - - return $result - } - # - # Generate the list of interfaces having MAC verification - # - maclist_interfaces= - - for hosts in $maclist_hosts; do - hosts=${hosts#*^} - interface=${hosts%%:*} - if ! 
list_search $interface $maclist_interfaces; then\ - if [ -z "$maclist_interfaces" ]; then - maclist_interfaces=$interface - else - maclist_interfaces="$maclist_interfaces $interface" - fi - fi - done - - progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..." - # - # Create chains. - # - if [ $1 -eq 1 ]; then - for interface in $maclist_interfaces; do - chain=$(mac_chain $interface) - create_mac_chain $chain - # - # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0 - # - if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then - run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN - fi - - if [ -n "$MACLIST_TTL" ]; then - chain1=$(macrecent_target $interface) - create_mac_chain $chain1 - run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN - run_iptables -A $chain -t $MACLIST_TABLE -j $chain1 - run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN - run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain - fi - done - # - # Process the maclist file producing the verification rules - # - while read disposition interface mac addresses; do - - level= - - case $disposition in - ACCEPT:*) - level=${disposition#*:} - disposition=ACCEPT - target=RETURN - ;; - ACCEPT) - target=RETURN - ;; - REJECT:*) - [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle" - target=reject - disposition=REJECT - ;; - REJECT) - [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle" - target=reject - ;; - DROP:*) - level=${disposition#*:} - disposition=DROP - target=DROP - ;; - DROP) - target=DROP - ;; - *) - case "$interface" in - *:*:*|~*-*-*) - # - # Pre-3.2 record format - # - addresses="$mac" - mac="$interface" - 
interface="$disposition" - disposition=ACCEPT - target=RETURN - ;; - *) - fatal_error "Invalid DISPOSITION ($disposition) in rule \"$disposition $interface $mac $addresses\"" - ;; - esac - ;; - esac - - physdev_part= - - if [ -n "$BRIDGING" ]; then - case $interface in - *:*) - physdev_part="-m physdev --physdev-in ${interface#*:}" - interface=${interface%:*} - ;; - esac - fi - - [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) - - if ! have_mac_chain $chain ; then - fatal_error "No hosts on $interface have the maclist option specified" - fi - - if [ x${mac:=-} = x- ]; then - if [ -z "$addresses" ]; then - fatal_error "You must specify a MAC address or an IP address" - else - macpart= - fi - else - macpart=$(mac_match $mac) - fi - - if [ -z "$addresses" ]; then - [ -n "$level" ] && \ - log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part - run_iptables2 -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target - else - for address in $(separate_list $addresses) ; do - [ -n "$level" ] && \ - log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $(match_source_hosts $address) $physdev_part - run_iptables2 -A $chain -t $MACLIST_TABLE $macpart $(match_source_hosts $address) $physdev_part -j $target - done - fi - done < $TMP_DIR/maclist - # - # Generate jumps from the input and forward chains - # - for hosts in $maclist_hosts; do - ipsec=${hosts%^*} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - hosts=${hosts#*^} - interface=${hosts%%:*} - hosts=${hosts#*:} - case $MACLIST_TABLE in - filter) - for chain in $(first_chains $interface) ; do - run_iptables2 -A $chain $(match_source_hosts $hosts) -m state --state NEW \ - $policy -j $(mac_chain $interface) - done - ;; - *) - run_iptables2 -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state 
--state NEW \ - $policy -j $(mac_chain $interface) - ;; - esac - done - else - # - # Must take care of our own broadcasts and multicasts then terminate the verification - # chains - # - for interface in $maclist_interfaces; do - - [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) - - if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then - indent >&3 << __EOF__ - -if interface_is_usable $interface; then - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do - address=\${address%/*} - if [ -n "\$broadcast" ]; then - run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN - fi - - run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 255.255.255.255 -j RETURN - run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 224.0.0.0/4 -j RETURN - done -else - fatal_error "Interface $interface must be up before Shorewall can start" -fi - -CHAIN=$chain - -__EOF__ - fi - - append_file maclog - - if [ -n "$MACLIST_LOG_LEVEL" ]; then - log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE - fi - - if [ $MACLIST_DISPOSITION != ACCEPT ]; then - run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET - fi - done - fi -} - diff --git a/Shorewall-shell/lib.nat b/Shorewall-shell/lib.nat deleted file mode 100644 index 7fc305805..000000000 --- a/Shorewall-shell/lib.nat +++ /dev/null 
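Review bot: the lib.maclist removal needs a matching compiler change that this diff does not show: the header says the library is sourced when the maclist option is specified in an entry in the interfaces file, and the phase-2 branch of setup_mac_lists() here is the only place the MACLIST_DISPOSITION target is appended to the verification chains (`run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET`), so please confirm the compiler either still handles that option elsewhere or rejects it with a clear error rather than sourcing a missing file. Minor, for anyone tracing history: the deleted file's header comment names it /usr/share/shorewall/lib.tcrules rather than lib.maclist.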
@@ -1,811 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.nat -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when any of the following -# configuration files are non-empty: masq, nat, netmap; or when there are -# DNAT/REDIRECT rules in the /etc/shorewall/rules file. 
-# - -# -# Set up Source NAT (including masquerading) -# -setup_masq() -{ - local comment - comment= - - do_ipsec_options() { - local options - options="$(separate_list $ipsec)" - local option - [ -n "$ORIGINAL_POLICY_MATCH" ] || \ - fatal_error "IPSEC options require policy match support in your kernel and iptables" - policy="-m policy --pol ipsec --dir out" - - for option in $options; do - case $option in - [Yy]es) ;; - strict) policy="$policy --strict" ;; - next) policy="$policy --next" ;; - reqid=*) policy="$policy --reqid ${option#*=}" ;; - spi=*) policy="$policy --spi ${option#*=}" ;; - proto=*) policy="$policy --proto ${option#*=}" ;; - mode=*) policy="$policy --mode ${option#*=}" ;; - tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;; - tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;; - reqid!=*) policy="$policy ! --reqid ${option#*=}" ;; - spi!=*) policy="$policy ! --spi ${option#*=}" ;; - proto!=*) policy="$policy ! --proto ${option#*=}" ;; - mode!=*) policy="$policy ! --mode ${option#*=}" ;; - tunnel-src!=*) policy="$policy ! --tunnel-src ${option#*=}" ;; - tunnel-dst!=*) policy="$policy ! 
--tunnel-dst ${option#*=}" ;; - *) fatal_error "Invalid IPSEC option \"$option\"" ;; - esac - done - } - - setup_one() { - local add_snat_aliases - add_snat_aliases=$ADD_SNAT_ALIASES - local pre_nat - pre_nat= - local policy - policy= - local destnets - destnets= - - [ "x$ipsec" = x- ] && ipsec= - - case $ipsec in - Yes|yes) - [ -n "$ORIGINAL_POLICY_MATCH" ] || \ - fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables" - policy="-m policy --pol ipsec --dir out" - ;; - No|no) - [ -n "$ORIGINAL_POLICY_MATCH" ] || \ - fatal_error "IPSEC=No requires policy match support in your kernel and iptables" - policy="-m policy --pol none --dir out" - ;; - *) - if [ -n "$ipsec" ]; then - do_ipsec_options - elif [ -n "$POLICY_MATCH" ]; then - policy="-m policy --pol none --dir out" - fi - ;; - esac - - case $fullinterface in - +*) - pre_nat=Yes - fullinterface=${fullinterface#+} - ;; - esac - - case $fullinterface in - *::*) - add_snat_aliases= - destnets="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:*:*) - # Both alias name and networks - destnets="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:) - add_snat_aliases= - fullinterface=${fullinterface%:} - ;; - *:*) - # Alias name OR networks - case ${fullinterface#*:} in - *.*) - # It's a networks - destnets="${fullinterface#*:}" - fullinterface="${fullinterface%:*}" - ;; - *) - #it's an alias name - ;; - esac - ;; - *) - ;; - esac - - interface=${fullinterface%:*} - - if ! 
list_search $interface $ALL_INTERFACES; then - fatal_error "Unknown interface $interface" - fi - - if [ "$networks" = "${networks%!*}" ]; then - nomasq= - else - nomasq="${networks#*!}" - networks="${networks%!*}" - fi - - source="${networks:=0.0.0.0/0}" - - detectinterface= - - case $source in - *.*.*|+*|!+*) - ;; - *) - detectinterface=$networks - networks= - ;; - esac - - [ "x$proto" = x- ] && proto= - [ "x$ports" = x- ] && ports= - - [ "x$mark" = x- ] && mark= - - if [ -n "$proto" ]; then - - displayproto="($proto)" - - case $proto in - tcp|TCP|udp|UDP|6|17) - if [ -n "$ports" ]; then - displayproto="($proto $ports)" - - listcount=$(list_count $ports) - - if [ $listcount -gt 1 ]; then - case $ports in - *:*) - if [ -n "$XMULTIPORT" ]; then - if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then - ports="-m multiport --dports $ports" - else - fatal_error "More than 15 entries in port list ($ports)" - fi - else - fatal_error "Port Range not allowed in list ($ports)" - fi - ;; - *) - if [ -n "$MULTIPORT" ]; then - [ $listcount -le 15 ] || fatal_error "More than 15 entries in port list ($ports)" - ports="-m multiport --dports $ports" - else - fatal_error "Port Ranges require multiport match support in your kernel ($ports)" - fi - ;; - esac - else - ports="--dport $ports" - fi - fi - ;; - *) - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - ;; - esac - - proto="-p $proto" - else - displayproto="(all)" - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - fi - - if [ -n "$mark" ]; then - displaymark="($mark)" - if [ "$mark" = "${mark%!*}" ]; then - mark="-m mark --mark $mark" - else - mark="-m mark ! 
--mark ${mark#*!}" - fi - fi - - destination=${destnets:=0.0.0.0/0} - - [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) - - ensurenatchain $chain - - case $destnets in - !*) - destnets=${destnets#!} - - build_exclusion_chain newchain nat "$nomasq" "$destnets" - - if [ -n "$networks" ]; then - for s in $(separate_list $networks); do - addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain - done - networks= - elif [ -n "$detectinterface" ]; then - indent >&3 << __EOF__ - -networks="\$(get_routed_networks $detectinterface)" - -[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" - -for network in \$networks; do - run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain -done - -__EOF__ - else - addnatrule $chain -j $newchain - fi - - chain=$newchain - destnets=0.0.0.0/0 - proto= - ports= - policy= - detectinterface= - - [ -n "$nomasq" ] && source="$source except $nomasq" - ;; - *) - if [ -n "$nomasq" ]; then - build_exclusion_chain newchain nat $nomasq - - if [ -n "$networks" ]; then - for s in $(separate_list $networks); do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain - done - done - elif [ -n "$detectinterface" ]; then - indent >&3 << __EOF__ - -networks="\$(get_routed_networks $detectinterface)" - -[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" - -for network in \$networks; do -__EOF__ - for destnet in $(separate_list $destnets); do - indent >&3 << __EOF__ - run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain -__EOF__ - done - indent >&3 << __EOF__ - -done -__EOF__ - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain - done - 
fi - - chain=$newchain - networks= - destnets=0.0.0.0/0 - proto= - ports= - policy= - detectinterface= - source="$source except $nomasq" - fi - - ;; - esac - - addrlist= - target=MASQUERADE - - [ "x$addresses" = x- ] && addresses= - - if [ -n "$addresses" ]; then - case "$addresses" in - SAME:nodst:*) - target="SAME --nodst" - addresses=${addresses#SAME:nodst:} - if [ "$addresses" = detect ]; then - addrlist='$addrlist' - else - for address in $(separate_list $addresses); do - addrlist="$addrlist --to $address"; - done - fi - ;; - SAME:*) - target="SAME" - addresses=${addresses#SAME:} - if [ "$addresses" = detect ]; then - addrlist='$addrlist' - else - for address in $(separate_list $addresses); do - addrlist="$addrlist --to $address"; - done - fi - ;; - detect) - target=SNAT - addrlist='$addrlist' - ;; - *) - for address in $(separate_list $addresses); do - case $address in - *.*.*.*) - target=SNAT - addrlist="$addrlist --to-source $address" - ;; - *) - addrlist="$addrlist --to-ports ${address#:}" - ;; - esac - done - ;; - esac - - if [ "$addrlist" = '$addrlist' ]; then - addresses='$(combine_list $addresses)' - indent >&3 << __EOF__ - -addrlist= -addresses=\$(find_interface_addresses $interface) - -if [ -n "\$addresses" ]; then - for address in \$addresses; do - addrlist="$addrlist --to-source \$address" - done -else - fatal_error "Unable to determine the IP address(es) of $interface" -fi - -__EOF__ - elif [ -n "$add_snat_aliases" ]; then - for address in $(separate_list $addresses); do - address=${address%:)} - if [ -n "$address" ]; then - for addr in $(ip_range_explicit ${address%:*}) ; do - if ! 
list_search $addr $ALIASES_TO_ADD; then - [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $addr $interface - ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface" - case $fullinterface in - *:*) - fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) - ;; - esac - fi - done - fi - done - fi - fi - - if [ -n "$networks" ]; then - for network in $(separate_list $networks); do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message_and_save " To $destination $displayproto from $network through ${interface} using $addresses" - else - progress_message_and_save " To $destination $displayproto from $network through ${interface}" - fi - done - elif [ -n "$detectinterface" ]; then - indent >&3 << __EOF__ - -networks="\$(get_routed_networks $detectinterface)" - -[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" - -for network in \$networks; do -__EOF__ - for destnet in $(separate_list $destnets); do - indent >&3 << __EOF__ - run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist -__EOF__ - done - - if [ -n "$addresses" ]; then - message=" To $destination $displayproto from \$network through ${interface} using $addresses" - else - message=" To $destination $displayproto from \$network through ${interface}" - fi - - indent >&3 << __EOF__ - progress_message "$message" -done - -__EOF__ - - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message_and_save " To $destination $displayproto from $source through ${interface} using $addresses" - else - progress_message_and_save " To $destination $displayproto from $source through ${interface}" - fi - fi 
- - } #setup_one() - - if [ -s $TMP_DIR/masq ]; then - progress_message2 "$DOING Masquerading/SNAT" - save_progress_message "Setting up Masquerading/SNAT..." - - while read fullinterface networks addresses proto ports ipsec mark; do - if [ -n "$NAT_ENABLED" ]; then - if [ "x$fullinterface" = xCOMMENT ]; then - if [ -n "$COMMENTS" ]; then - comment=$(echo $networks $addresses $proto $ports $ipsec $mark) - save_command COMMENT=\"$comment\" - else - error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" - fi - else - setup_one - fi - else - error_message "WARNING: NAT disabled; masq rule ignored" - fi - done < $TMP_DIR/masq - # - # Just in case the file ended with a comment - # - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - save_command - fi - fi -} - -# -# Setup Static Network Address Translation (NAT) -# -setup_nat() { - local external - external= - local interface - interface= - local internal - internal= - local allints - allints= - local localnat - localnat= - local policyin - policyin= - local policyout - policyout= - local comment - comment= - - validate_one() #1 = Variable Name, $2 = Column name, $3 = value - { - case $3 in - Yes|yes) - ;; - No|no) - eval ${1}= - ;; - *) - [ -n "$3" ] && \ - fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\"" - ;; - esac - } - - do_one_nat() { - local add_ip_aliases - add_ip_aliases=$ADD_IP_ALIASES - local iface - iface=${interface%:*} - - if [ -n "$add_ip_aliases" ]; then - case $interface in - *:) - interface=${interface%:} - add_ip_aliases= - ;; - *) - [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface - ;; - esac - else - interface=${interface%:} - fi - - validate_one allints "ALL INTERFACES" $allints - validate_one localnat "LOCAL" $localnat - - if [ -n "$allints" ]; then - addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal - addnatrule nat_out -s $internal $policyout -j SNAT 
--to-source $external - else - addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal - addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external - fi - - [ -n "$localnat" ] && \ - run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal - - if [ -n "$add_ip_aliases" ]; then - list_search $external $ALIASES_TO_ADD || \ - ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface" - fi - } - # - # At this point, we're just interested in the network translation - # - > $STATEDIR/nat - - if [ -n "$POLICY_MATCH" ]; then - policyin="-m policy --pol none --dir in" - policyout="-m policy --pol none --dir out" - fi - - if [ -s $TMP_DIR/nat ]; then - save_progress_message "Setting up one-to-one NAT..." - - while read external interface internal allints localnat; do - - if [ "x$external" = xCOMMENT ]; then - if [ -n "$COMMENTS" ]; then - comment=$(echo $interface $internal $allints $localnat) - save_command COMMENT=\"$comment\" - else - error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" - fi - else - do_one_nat - fi - progress_message_and_save " Host $internal NAT $external on $interface" - done < $TMP_DIR/nat - - if [ -n "$COMMENTS" ]; then - save_command - save_command COMMENT= - save_command - fi - fi - -} - -# -# Setup Network Mapping (NETMAP) -# -setup_netmap() { - - while read type net1 interface net2 ; do - - list_search $interface $ALL_INTERFACES || \ - fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" - - case $type in - DNAT) - addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2 - ;; - SNAT) - addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2 - ;; - *) - fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\"" - ;; - esac - - progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)" - - done < $TMP_DIR/netmap -} - -# -# Add a NAT rule - 
Helper function for the rules file processor -# -# The caller has established the following variables: -# cli = Source IP, interface or MAC Specification -# serv = Destination IP Specification -# servport = Port the server is listening on -# dest_interface = Destination Interface Specification -# proto = Protocol Specification -# addr = Original Destination Address -# dports = Destination Port Specification. 'dports' may be changed -# by this function -# cport = Source Port Specification -# multiport = String to invoke multiport match if appropriate -# ratelimit = Optional rate limiting clause -# userandgroup = -m owner match to limit the rule to a particular user and/or group -# logtag = Log tag -# excludesource = Source Exclusion List -# -add_nat_rule() { - local chain - local excludedests - excludedests= - - # Be sure we can NAT - - if [ -z "$NAT_ENABLED" ]; then - fatal_error "Rule \"$rule\" requires NAT which is disabled" - fi - - # Parse SNAT address if any - - if [ "$addr" != "${addr%:*}" ]; then - fatal_error "SNAT may no longer be specified in a DNAT rule; use ${CONFDIR}/masq instead" - fi - - # Set original destination address - - case $addr in - all) - addr= - ;; - detect) - eval interfaces=\$${source}_interfaces - - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - - save_command - if [ $(list_count1 $interfaces) -eq 1 ]; then - save_command "addr=\$(find_first_interface_address $interfaces)" - else - save_command "addr=" - for interface in $interfaces; do - ident >&3 << __EOF__ -addr="\$addr \$(find_first_interface_address $interface)" -__EOF__ - done - fi - else - addr= - fi - ;; - !*) - if [ $(list_count $addr) -gt 1 ]; then - excludedests="${addr#\!}" - addr= - fi - ;; - esac - - addr=${addr:-0.0.0.0/0} - - # Select target - - if [ "$logtarget" = SAME ]; then - [ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to ${srv}" - done - target1="SAME 
$serv1" - elif [ -n "$serv" ]; then - servport="${servport:+:$servport}" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to-destination ${srv}${servport}" - done - target1="DNAT $serv1" - else - target1="REDIRECT --to-port $servport" - fi - - # Generate nat table rules - - if [ "$source" = "$FW" ]; then - if [ -n "${excludesource}${excludedests}" ]; then - build_exclusion_chain chain nat "$excludesource" $excludedests - - for adr in $(separate_list $addr); do - run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) - fi - - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1 - done - fi - else - if [ -n "${excludesource}${excludedests}" ]; then - build_exclusion_chain chain nat "$excludesource" $excludedests - - if [ $addr = detect ]; then - ensurenatchain $(dnat_chain $source) - # - # The 'for loops' begun below are completed in add_a_rule() (in the compiler) - # - indent >&3 << __EOF__ - -for adr in \$addr; do - run_iptables -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain -__EOF__ - else - for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - fi - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat - fi - - addnatrule 
$chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - chain=$(dnat_chain $source) - - if [ $addr = detect ]; then - ensurenatchain $chain - - indent >&3 << __EOF__ - -for adr in \$addr; do -__EOF__ - if [ -n "$loglevel" ]; then - indent >&3 << __EOF__ - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr -__EOF__ - fi - - indent >&3 << __EOF__ - run_iptables -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1 -__EOF__ - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - ensurenatchain $chain - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) - fi - - addnatrule $chain $proto $ratelimit $cli $sports \ - -d $adr $multiport $dports -j $target1 - done - fi - fi - fi - - # Replace destination port by the new destination port - - if [ -n "$servport" ]; then - if [ -z "$multiport" ]; then - dports="--dport ${servport#*:}" - else - dports="--dports ${servport#*:}" - fi - fi - - [ "x$addr" = "x0.0.0.0/0" ] && addr= - ratelimit= -} diff --git a/Shorewall-shell/lib.providers b/Shorewall-shell/lib.providers deleted file mode 100644 index 7b5d9fc0a..000000000 --- a/Shorewall-shell/lib.providers +++ /dev/null 
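Review bot: the header of the deleted lib.nat states that it is loaded by /usr/share/shorewall/compiler whenever masq, nat or netmap is non-empty or the rules file contains DNAT/REDIRECT entries, yet this hunk removes the file with no corresponding change to that loader visible in the diff; please confirm in the same change that the compiler no longer sources lib.nat (or is removed alongside it), otherwise those configurations fail at compile time with a missing library. One defect in the removed code is worth recording so it is not carried over if the logic is ported: in add_nat_rule the `detect` branch writes the per-interface address lookup with `ident >&3 << __EOF__`, while every other heredoc in the file uses `indent`, so that path would have called an undefined function on a multi-interface zone.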
@@ -1,494 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.providers -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the providers file is -# non-empty. 
-# - -# -# Process the providers file -# -setup_providers() -{ - local table - local number - local mark - local duplicate - local interface - local gateway - local options - local provider - local address - local copy - local route - local loose - local addresses - local rulenum - local rulebase - local balance - local save_indent - save_indent="$INDENT" - local mask - mask= - local first - first=Yes - local save_indent1 - save_indent1= - - copy_table() { - indent >&3 << __EOF__ -ip route show table $duplicate | while read net route; do - case \$net in - default|nexthop) - ;; - *) - run_ip route add table $number \$net \$route - ;; - esac -done -__EOF__ - } - - copy_and_edit_table() { - indent >&3 << __EOF__ -ip route show table $duplicate | while read net route; do - case \$net in - default|nexthop) - ;; - *) - case \$(find_device \$route) in - `echo $copy\) | sed 's/ /|/g'` - run_ip route add table $number \$net \$route - ;; - esac - ;; - esac -done - -__EOF__ - } - - balance_default_route() # $1 = weight - { - balance=yes - - save_command - if [ -n "$first" ]; then - if [ -n "$gateway" ] ; then - save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\"" - else - save_command "DEFAULT_ROUTE=\"nexthop dev $interface weight $1\"" - fi - - first= - else - if [ -n "$gateway" ] ; then - save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $1\"" - else - save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $1\"" - fi - fi - } - - add_a_provider() { - local t - local n - local iface - local option - local optional - optional= - - [ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables" - - for t in $PROVIDERS local main default unspec; do - if [ "$t" = "$table" ]; then - fatal_error "Duplicate Provider: $table, provider: \"$provider\"" - fi - - eval n=\$${t}_number - # - # The following is because the %$#@ shell doesn't accept hex numbers in 
'-eq' tests - # - if [ $(($n)) -eq $(($number)) ]; then - fatal_error "Duplicate Provider number: $number, provider: \"$provider\"" - fi - done - - eval ${table}_number=$number - - indent >&3 << __EOF__ -# -# Add Provider $table ($number) -# -__EOF__ - save_command "if interface_is_usable $interface; then" - save_indent1="$INDENT" - INDENT="$INDENT " - - iface=$(chain_base $interface) - - save_command "${iface}_up=Yes" - - save_command "qt ip route flush table $number" - - indent >&3 << __EOF__ -echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing -__EOF__ - - if [ "x${duplicate:=-}" != x- ]; then - if [ "x${copy:=-}" != "x-" ]; then - if [ "x${copy}" = xnone ]; then - copy=$interface - else - copy="$interface $(separate_list $copy)" - fi - copy_and_edit_table - else - copy_table - fi - elif [ "x${copy:=-}" != x- ]; then - fatal_error "A non-empty COPY column requires that a routing table be specified in the DUPLICATE column" - fi - - if [ "x$gateway" = xdetect ] ; then - gateway='$gateway' - indent >&3 << __EOF__ -gateway=\$(detect_gateway $interface) - -if [ -n "\$gateway" ]; then - run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number - run_ip route add default via \$gateway dev $interface table $number -else - fatal_error "Unable to detect the gateway through interface $interface" -fi - -__EOF__ - elif [ "x$gateway" != "x-" -a -n "$gateway" ]; then - indent >&3 << __EOF__ -run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number -run_ip route add default via $gateway dev $interface table $number -__EOF__ - else - gateway= - save_command "run_ip route add default dev $interface table $number" - fi - - if [ x${mark} != x- ]; then - verify_mark $mark - - if [ $(($mark)) -lt 256 ]; then - if [ -n "$HIGH_ROUTE_MARKS" ]; then - fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" - fi - elif [ -z "$HIGH_ROUTE_MARKS" ]; then - fatal_error 
"Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" - fi - - eval ${table}_mark=$mark - - [ -n "$DELETE_THEN_ADD" ] && qt ip rule del fwmark $mark - indent >&3 << __EOF__ -run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number -echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing -__EOF__ - fi - - loose= - - for option in $(separate_list $options); do - case $option in - -) - ;; - track) - list_search $interface $ROUTEMARK_INTERFACES && \ - fatal_error "Interface $interface is tracked through an earlier provider" - [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\"" - eval ${iface}_routemark=$mark - ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" - ;; - balance=*) - balance_default_route ${option#*=} - ;; - balance) - balance_default_route 1 - ;; - loose) - loose=Yes - ;; - optional) - optional=Yes - ;; - *) - error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\"" - ;; - esac - done - - rulenum=0 - - if [ -z "$loose" ]; then - rulebase=$(( 20000 + ( 256 * ($number-1) ) )) - indent >&3 << __EOF__ - -rulenum=0 - -find_interface_addresses $interface | while read address; do -__EOF__ - - [ -n "$DELETE_THEN_ADD" ] && save_command " qt ip rule del from \$address" - - indent >&3 << __EOF__ - run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number - echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing - rulenum=\$((\$rulenum + 1)) -done -__EOF__ - elif [ -n "$DELETE_THEN_ADD" ]; then - indent >&3 << __EOF__ - -find_interface_addresses $interface | while read address; do - qt ip rule del from \$address -done -__EOF__ - [ -n "$balance" ] && error_message "WARNING: 'balance' and 'loose' should not be specified together - Provider \"$provider\"" - fi - - - indent >&3 << __EOF__ - -progress_message " Provider $table ($number) Added" - -__EOF__ - - INDENT="$save_indent1" - save_command else - - if [ -n "$optional" 
]; then - save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" - save_command " ${iface}_up=" - else - save_command " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" - fi - - save_command fi - save_command - - } - - verify_provider() - { - local p - local n - - for p in $PROVIDERS main; do - [ "$p" = "$1" ] && return 0 - eval n=\$${p}_number - [ "$n" = "$1" ] && return 0 - done - - fatal_error "Unknown provider $1 in route rule \"$rule\"" - } - - add_an_rtrule() - { - verify_provider $provider - - [ "x$source" = x- ] && source= - [ "x$dest" = x- ] && dest= || dest="to $dest" - - [ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\"" - - [ -n "${dest:=to 0.0.0.0/0}" ] - - if [ -n "$source" ]; then - case $source in - *:*) - source="iif ${source%:*} from ${source#*:}" - ;; - *.*.*) - source="from $source" - ;; - *) - source="iif $source" - ;; - esac - else - source='from 0.0.0.0/0' - fi - - case "$priority" in - [0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9]) - ;; - *) - fatal_error "Invalid priority ($priority) in rule \"$rule\"" - ;; - esac - - priority="priority $priority" - - [ -n "$DELETE_THEN_ADD" ] && save_command "qt ip rule del $source $dest $priority" - save_command "run_ip rule add $source $dest $priority table $provider" - indent >&3 << __EOF__ -echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing -__EOF__ - progress_message "Routing rule \"$rule\" $DONE" - } - # - # E x e c u t i o n B e g i n s H e r e - # - local_number=255 - main_number=254 - default_number=253 - unspec_number=0 - balance= - - progress_message2 "$DOING $1..." 
- save_command - save_command "if [ -z \"\$NOROUTES\" ]; then" - INDENT="$INDENT " - indent >&3 << __EOF__ -# -# Undo any changes made since the last time that we [re]started -- this will not restore the default route -# -undo_routing -# -# Save current routing table database so that it can be restored later -# -cp /etc/iproute2/rt_tables \${VARDIR}/ -# -# Capture the default route(s) if we don't have it (them) already. -# -[ -f \${VARDIR}/default_route ] || ip route list | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route -# -# Initialize the file that holds 'undo' commands -# -> \${VARDIR}/undo_routing -__EOF__ - save_progress_message "Adding Providers..." - save_command "DEFAULT_ROUTE=" - - while read table number mark duplicate interface gateway options copy; do - provider="$table $number $mark $duplicate $interface $gateway $options $copy" - add_a_provider - PROVIDERS="$PROVIDERS $table" - progress_message "Provider $provider $DONE" - done < $TMP_DIR/providers - - if [ -n "$PROVIDERS" ]; then - if [ -n "$balance" ]; then - save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then" - save_command " run_ip route replace default scope global \$DEFAULT_ROUTE" - save_command " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"" - save_command "else" - save_command " error_message \"WARNING: No Default route added (all 'balance' providers are down)\"" - save_command " restore_default_route" - save_command "fi" - save_command - else - save_command "#" - save_command "# We don't have any 'balance' providers so we retore any default route that we've saved" - save_command "#" - save_command restore_default_route - fi - - save_command "if [ -w /etc/iproute2/rt_tables ]; then" - - cat >&3 << __EOF__ -${INDENT} cat > /etc/iproute2/rt_tables <&3 << __EOF__ - \$echocommand "$number\t$table" >> /etc/iproute2/rt_tables -__EOF__ - done - - save_command "fi" - save_command - - if [ -s $TMP_DIR/route_rules ]; then - progress_message2 "$DOING 
$(find_file route_rules)..." - - save_command - - while read source dest provider priority; do - rule="$source $dest $priority $provider" - add_an_rtrule - done < $TMP_DIR/route_rules - fi - fi - - save_command - save_command "run_ip route flush cache" - INDENT="$save_indent" - save_command "fi" - save_command -} - -# -# Set up Route marking (Only called if $ROUTEMARK_INTERFACES is non-empty) -# -setup_route_marking() -{ - local mask - mask=0xFF - local save_indent - save_indent="$INDENT" - - [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 - - run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask - run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask - createmanglechain routemark - - for interface in $ROUTEMARK_INTERFACES ; do - iface=$(chain_base $interface) - eval mark_value=\$${iface}_routemark - - save_command - save_command "if [ -n \"\$${iface}_up\" ]; then" - INDENT="$INDENT " - run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value - INDENT="$save_indent" - save_command "fi" - done - - save_command - - run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask - -} diff --git a/Shorewall-shell/lib.proxyarp b/Shorewall-shell/lib.proxyarp deleted file mode 100644 index acb39b8ec..000000000 --- a/Shorewall-shell/lib.proxyarp +++ /dev/null 
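Review bot: in the removed add_a_provider, the DELETE_THEN_ADD handling for the mark rule runs `qt ip rule del fwmark $mark` directly at compile time, whereas the two other DELETE_THEN_ADD sites in the same hunk emit the deletion into the generated script via `save_command " qt ip rule del from \$address"` and `save_command "qt ip rule del $source $dest $priority"`; if this logic is ported anywhere, the fwmark deletion should also go through save_command, since removing a live policy-routing rule on the compiling host is a side effect of compilation rather than of firewall start. As with lib.nat, the header says this library is loaded by /usr/share/shorewall/compiler when the providers file is non-empty, so the loader needs updating alongside the deletion. Minor: the comment "so we retore any default route" should read "restore".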
@@ -1,134 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.0 -- /usr/share/shorewall/lib.proxyarp -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the 'proxyarp' option is -# specified in the interfaces file or when the proxyarp file is non-empty. 
-# - -# -# Setup Proxy ARP -# -setup_proxy_arp() { - - local setlist - setlist= - local resetlist - resetlist= - - print_error() { - error_message "Invalid value for HAVEROUTE - ($haveroute)" - error_message "Entry \"$address $interface $external $haveroute\" ignored" - } - - print_error1() { - error_message "Invalid value for PERSISTENT - ($persistent)" - error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored" - } - - print_warning() { - error_message "PERSISTENT setting ignored - ($persistent)" - error_message "Entry \"$address $interface $external $haveroute $persistent\"" - } - - setup_one_proxy_arp() { - - case $haveroute in - [Nn][Oo]) - haveroute= - ;; - [Yy][Ee][Ss]) - ;; - *) - if [ -n "$haveroute" ]; then - print_error - return - fi - ;; - esac - - case $persistent in - [Nn][Oo]) - persistent= - ;; - [Yy][Ee][Ss]) - [ -z "$haveroute" ] || print_warning - ;; - *) - if [ -n "$persistent" ]; then - print_error1 - return - fi - ;; - esac - - if [ -z "$haveroute" ]; then - save_command "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface" - [ -n "$persistent" ] && haveroute=yes - fi - - indent >&3 << __EOF__ -if ! arp -i $external -Ds $address $external pub; then - fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed" -fi - -progress_message " Host $address connected to $interface added to ARP on $external" - -__EOF__ - echo $address $interface $external $haveroute >> $STATEDIR/proxyarp - - progress_message " Host $address connected to $interface added to ARP on $external" - } - - > $STATEDIR/proxyarp - - save_progress_message "Setting up Proxy ARP..." 
- - while read address interface external haveroute persistent; do - list_search $interface $setlist || setlist="$setlist $interface" - list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external" - setup_one_proxy_arp - done < $TMP_DIR/proxyarp - - for interface in $resetlist; do - list_search $interface $setlist || \ - save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" - done - - for interface in $setlist; do - save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" - done - - interfaces=$(find_interfaces_by_option proxyarp) - - for interface in $interfaces; do - indent >&3 << __EOF__ -if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then - echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp -else - error_message "WARNING: Unable to enable proxy ARP on $interface" -fi - -__EOF__ - done - -} diff --git a/Shorewall-shell/lib.tc b/Shorewall-shell/lib.tc deleted file mode 100644 index dfc519754..000000000 --- a/Shorewall-shell/lib.tc +++ /dev/null 
@@ -1,397 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.tc -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# tcstart from tc4shorewall Version 0.5 -# (c) 2005 Arne Bernin -# Modified by Tom Eastep for integration into the Shorewall distribution -# published under GPL Version 2# -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal -# and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under -# the same circumstances by the compiled firewall script when processing the -# 'refresh' command. 
-# - -# -# Arne Bernin's 'tc4shorewall' -# -setup_traffic_shaping() -{ - local mtu - local r2q - local tc_all_devices - local device - local mark - local rate - local ceil - local prio - local options - local devfile - devfile=$(find_file tcdevices) - local classfile - classfile=$(find_file tcclasses) - local devnum - devnum=1 - local last_device - last_device= - r2q=10 - indent= - prefix=1 - - rate_to_kbit() { - local rateunit - local rate - rate=$1 - rateunit=$( echo $rate | sed -e 's/[0-9]*//') - rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g') - - case $rateunit in - kbit|Kbit) - rate=$rate - ;; - mbit|Mbit) - rate=$(expr $rate \* 1024) - ;; - mbps|Mbps) - rate=$(expr $rate \* 8192) - ;; - kbps|Kbps) - rate=$(expr $rate \* 8) - ;; - *) - [ -n "$rateunit" ] && fatal_error "Invalid Rate ($1)" - rate=$(expr $rate / 128) - ;; - esac - echo $rate - } - - calculate_quantum() { - local rate - rate=$(rate_to_kbit $1) - echo $(( $rate * ( 128 / $r2q ) )) - } - - # get given outbandwidth for device - get_outband_for_dev() { - local device - local inband - local outband - while read device inband outband; do - tcdev="$device $inband $outband" - if [ "$1" = "$device" ] ; then - echo $outband - return - fi - done < $TMP_DIR/tcdevices - } - - check_tcclasses_options() { - while [ $# -gt 1 ]; do - shift - case $1 in - default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) - ;; - tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]) - ;; - *) - echo $1 - return 1 - ;; - esac - done - return 0 - } - - get_defmark_for_dev() { - local searchdev - local searchmark - local device - local ceil - local prio - local options - searchdev=$1 - - while read device mark rate ceil prio options; do - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - tcdev="$device $mark $rate $ceil $prio $options" - if [ "$searchdev" = "$device" ] ; then - list_search "default" $options && echo $mark &&return 0 - fi - done < 
$TMP_DIR/tcclasses - - return 1 - } - - check_defmark_for_dev() { - get_defmark_for_dev $1 >/dev/null - } - - validate_tcdevices_file() { - progress_message2 "Validating $devfile..." - local device - local inband - local outband - while read device inband outband; do - tcdev="$device $inband $outband" - check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" - case $interface in - *:*|+) - fatal_error "Invalid Interface Name: $interface" - ;; - esac - list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices" - inband=$(rate_to_kbit $inband) - outband=$(rate_to_kbit $outband) - tc_all_devices="$tc_all_devices $device" - done < $TMP_DIR/tcdevices - } - - validate_tcclasses_file() { - progress_message2 "Validating $classfile..." - local classlist - local device - local mark - local rate - local ceil - local prio - local bandw - local wrongopt - local allopts - local opt - allopts="" - while read device mark rate ceil prio options; do - tcdev="$device $mark $rate $ceil $prio $options" - ratew=$(get_outband_for_dev $device) - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - for opt in $options; do - case $opt in - tos=0x??) 
- opt="$opt/0xff" - ;; - esac - list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" - allopts="$allopts $device-$opt" - done - wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" - if [ -z "$ratew" ] ; then - fatal_error "device $device seems not to be configured in tcdevices" - fi - list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses" - # - # Convert HEX/OCTAL mark representation to decimal - # - mark=$(($mark)) - verify_mark $mark - [ $mark -lt 256 ] || fatal_error "Invalid Mark Value" - classlist="$classlist $device-$mark" - done < $TMP_DIR/tcclasses - } - - add_root_tc() { - local defmark - local dev - - dev=$(chain_base $device) - - save_command "if interface_is_up $device; then" - indent="$INDENT" - INDENT="$INDENT " - save_command ${dev}_exists=Yes - save_command qt tc qdisc del dev $device root - save_command qt tc qdisc del dev $device ingress - - defmark=$(get_defmark_for_dev $device) - - run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark} - - save_command "${dev}_mtu=\$(get_device_mtu $device)" - run_tc "class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu \$${dev}_mtu" - - if [ $(rate_to_kbit ${inband}) -gt 0 ]; then - run_tc qdisc add dev $device handle ffff: ingress - run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1 - fi - - eval ${dev}_devnum=$devnum - devnum=$(($devnum + 1)) - - save_progress_message_short " TC Device $tcdev defined." 
- INDENT="$indent" - save_command else - INDENT="$INDENT " - save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\"" - save_command "${dev}_exists=" - INDENT="$indent" - save_command "fi" - save_command - - return 0 - } - - add_tc_class() { - local full - local classid - local tospair - local tosmask - local quantum - - full=$(get_outband_for_dev $device) - full=$(rate_to_kbit $full) - - if [ -z "$prio" ] ; then - prio=1 - fi - - case $rate in - *full*) - rate=$(echo $rate | sed -e "s/full/$full/") - rate="$(($rate))kbit" - ;; - esac - - case $ceil in - *full*) - ceil=$(echo $ceil | sed -e "s/full/$full/") - ceil="$(($ceil))kbit" - ;; - esac - - eval devnum=\$${dev}_devnum - # - # Convert HEX/OCTAL mark representation to decimal - # - mark=$(($mark)) - - classid=$devnum:${prefix}${mark} - - [ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile" - - quantum=$(calculate_quantum $rate) - - save_command "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" - run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum" - - run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10 - # - # add filters - # - if [ -n "$CLASSIFY_TARGET" ] && known_interface $device; then - run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid - else - run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid - fi - # - #options - # - list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid - list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10" - list_search "tos-maximize-throughput" $options && 
options="$options tos=0x08/0x08" - list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04" - list_search "tos-minimize-cost" $options && options="$options tos=0x02/0x02" - list_search "tos-normal-service" $options && options="$options tos=0x00/0x1e" - - for tospair in $(list_walk "tos=" $options) ; do - case $tospair in - */*) - tosmask=${tospair##*/} - ;; - *) - tosmask=0xff - ;; - esac - run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid - done - - save_progress_message_short " TC Class $tcdev defined." - - return 0 - } - - finish_device() { - INDENT="$indent" - save_command fi - save_command - } - - validate_tcdevices_file - validate_tcclasses_file - - cat >&3 << __EOF__ - -# -# Set up Traffic Shaping -# -setup_traffic_shaping() -{ -__EOF__ - - INDENT=" " - - if [ -s $TMP_DIR/tcdevices ]; then - [ $(list_count1 $all_tc_devices) -gt 10 ] && prefix=10 - - save_progress_message "Setting up Traffic Control..." - progress_message2 "$DOING $devfile..." - - while read device inband outband; do - tcdev="$device $inband $outband" - add_root_tc && progress_message " TC Device $tcdev defined." - done < $TMP_DIR/tcdevices - fi - - if [ -s $TMP_DIR/tcclasses ]; then - progress_message2 "$DOING $classfile..." - - last_device= - - while read device mark rate ceil prio options; do - tcdev="$device $mark $rate $ceil $prio $options" - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - - dev=$(chain_base $device) - - if [ "$device" != "$last_device" ]; then - - [ -n "$last_device" ] && finish_device - - save_command "if [ -n \"\$${dev}_exists\" ] ; then" - indent="$INDENT" - INDENT="$INDENT " - last_device=$device - else - save_command - fi - - add_tc_class && progress_message " TC Class $tcdev defined." - done < $TMP_DIR/tcclasses - - [ -n "$last_device" ] && finish_device - - fi - - INDENT= - - save_command "}" - save_command -} 
diff --git a/Shorewall-shell/lib.tcrules b/Shorewall-shell/lib.tcrules deleted file mode 100644 index 55f2c5c12..000000000 --- a/Shorewall-shell/lib.tcrules +++ /dev/null 
@@ -1,477 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.tcrules -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the tcrules file is -# non-empty. It is also loaded by the compiled firewall script under the same -# condition when the script is processing the 'refresh' command. -# - -# -# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the -# default marking chain -# -# The caller has established values for the following variables: -# -# mark - MARK column -# sources - SOURCE column -# dests - DEST column -# proto - PROTO column -# ports - PORT(S) column -# sports - CLIENT PORT(S) column -# user - USER column -# testval - TEST column -# length - LENGTH column -# tos - TOS column -# -process_tc_rule() -{ - local did_connmark= multiport= classid= - - chain=$MARKING_CHAIN target="MARK --set-mark" marktest= - - handle_designator() { - chain=$1 - mark="${mark%:*}" - } - - do_ipp2p() - { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. 
TC Rule: \"$rule\"" - [ "x$port" = "x-" ] && port="ipp2p" - - case $proto in - *:*) - proto=${proto#*:} - ;; - *) - proto=tcp - ;; - esac - - r="${r}-p $proto -m ipp2p --${port} " - } - - verify_small_mark() - { - verify_mark $1 - [ $(($1)) -lt 256 ] || fatal_error "Mark Value ($1) too large, rule \"$rule\"" - } - - do_connmark() - { - target="CONNMARK --set-mark" - mark=$mark/0xff - did_connmark=Yes - } - - validate_mark() - { - case $1 in - */*) - verify_mark ${1%/*} - verify_mark ${1#*/} - ;; - *) - verify_mark $1 - ;; - esac - } - - add_a_tc_rule() { - r= - - if [ "x$source" != "x-" ]; then - case $source in - $FW:*) - r="$(source_ip_range ${source#*:}) " - ;; - *:~*|*:!~*) - interface=${source%:*} - verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\"" - r="$(match_source_dev $interface) $(mac_match ${source#*:}) " - ;; - *:*) - interface=${source%:*} - verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\"" - r="$(match_source_dev $interface) $(source_ip_range ${source#*:}) " - ;; - *.*.*|+*|!+*) - r="$(source_ip_range $source) " - ;; - ~*|!~*) - r="$(mac_match $source) " - ;; - $FW) - ;; - *) - verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" - r="$(match_source_dev $source) " - ;; - esac - fi - - if [ "x${user:--}" != "x-" ]; then - - [ "$chain" != tcout ] && \ - fatal_error "Invalid use of a user/group: rule \"$rule\"" - - r="$r-m owner" - - case "$user" in - *+*) - r="$r --cmd-owner ${user#*+} " - user=${user%+*} - ;; - esac - - case "$user" in - *:*) - temp="${user%:*}" - [ -n "$temp" ] && r="$r --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && r="$r --gid-owner $temp " - ;; - *) - [ -n "$user" ] && r="$r --uid-owner $user " - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - if [ "x$dest" != "x-" ]; then - case $dest in - *:*) - [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed 
in the PREROUTING chain - rule \"$rule\"" - interface=${dest%:*} - verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\"" - r="$(match_dest_dev $interface) $(dest_ip_range ${dest#*:}) " - ;; - *.*.*|+*|!+*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\"" - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x${length:=-}" != "x-" ]; then - [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\"" - r="${r}-m length --length ${length} " - fi - - if [ "x${tos:=-}" != "x-" ]; then - r="${r}-m tos --tos ${tos} " - fi - - case $proto in - ipp2p|IPP2P|ipp2p:*|IPP2P:*) - do_ipp2p - ;; - icmp|ICMP|1) - r="${r}-p icmp " - [ "x$port" = "x-" ] || r="${r}--icmp-type $port" - ;; - *) - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}$multiport $port " - ;; - esac - - [ "x$sport" = "x-" ] || r="${r}--sport $sport " - - if [ -n "${excludesources}${excludedests}" ]; then - - [ $target = RETURN ] && \ - fatal_error "Exclusion is currently not supported with CONTINUE" - - build_exclusion_chain chain1 mangle "$excludesources" "$excludedests" - - run_iptables2 -t mangle -A $chain $r -j $chain1 - - run_iptables -t mangle -A $chain1 -j $target $mark - else - run_iptables2 -t mangle -A $chain $r -j $target $mark - fi - - } - # - # E x e c u t i o n B e g i n s H e r e - # - case $sources in - $FW|$FW:*) - chain=tcout - - if [ "x$mark" != "x${mark%:*}" ]; then - case "${mark#*:}" in - t|T) - handle_designator tcpost - ;; - ct|CT) - handle_designator tcpost - do_connmark - ;; - c|C) - mark=${mark%:*} - do_connmark - ;; - p|P|cp|CP|f|F|cf|CF) - fatal_error "Invalid chain designator for source 
\$FW; rule \"$rule\"" - ;; - *) - chain=tcpost - target="CLASSIFY --set-class" - classid=Yes - ;; - esac - fi - ;; - *) - if [ "x$mark" != "x${mark%:*}" ]; then - case "${mark#*:}" in - p|P) - handle_designator tcpre - ;; - cp|CP) - handle_designator tcpre - do_connmark - ;; - f|F) - handle_designator tcfor - ;; - cf|CF) - handle_designator tcfor - do_connmark - ;; - t|T) - handle_designator tcpost - ;; - ct|CT) - handle_designator tcpost - do_connmark - ;; - c|C) - mark=${mark%:*} - do_connmark - ;; - *) - chain=tcpost - classid=Yes - target="CLASSIFY --set-class" - ;; - esac - fi - ;; - esac - - mask=0xffff - - case $mark in - SAVE) - [ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]" - target="CONNMARK --save-mark --mask 0xFF" - mark= - ;; - SAVE/*) - [ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]" - target="CONNMARK --save-mark --mask" - mark=${mark#*/} - verify_small_mark $mark - ;; - RESTORE) - [ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]" - target="CONNMARK --restore-mark --mask 0xFF" - mark= - ;; - RESTORE/*) - [ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]" - target="CONNMARK --restore-mark --mask" - mark=${mark#*/} - verify_small_mark $mark - ;; - CONTINUE) - [ -n "$did_connmark" ] && fatal_error "CONTINUE not valid with :C[FP]" - target=RETURN - mark= - ;; - \|*) - [ -n "$classid" ] && fatal_error "Invalid class ID: $mark" - [ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]" - target="MARK --or-mark" - mark=${mark#|} - validate_mark $mark - if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then - fatal_error "Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes" - fi - ;; - \&*) - [ -n "$classid" ] && fatal_error "Invalid class ID: $mark" - [ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]" - target="MARK --and-mark" - 
mark=${mark#&} - validate_mark $mark - if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then - fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes" - fi - ;; - *) - if [ -z "$classid" ]; then - validate_mark $mark - if [ $((${mark%/*})) -gt 255 ]; then - case $chain in - tcpre|tcout) - ;; - *) - fatal_error "Invalid mark value ($mark) in rule \"$rule\"" - ;; - esac - elif [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then - fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes" - fi - fi - ;; - esac - - case $testval in - -) - ;; - !*:C) - marktest="connmark ! " - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! " - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - if [ -n "$marktest" ] ; then - case $testval in - */*) - verify_mark ${testval%/*} - verify_mark ${testval#*/} - ;; - *) - verify_mark $testval - testval=$testval/$mask - ;; - esac - fi - - excludesources= - - case ${sources:=-} in - *!*!*) - fatal_error "Invalid SOURCE in rule \"$rule\"" - ;; - !*) - if [ $(list_count $sources) -gt 1 ]; then - excludesources=${sources#!} - sources=- - fi - ;; - *!*) - excludesources=${sources#*!} - sources=${sources%!*} - ;; - esac - - excludedests= - - case ${dests:=-} in - *!*!*) - fatal_error "Invalid DEST in rule \"$rule\"" - ;; - !*) - if [ $(list_count $dests) -gt 1 ]; then - excludedests=${dests#*!} - dests=- - fi - ;; - *!*) - excludedests=${dests#*!} - dests=${dests%!*} - ;; - esac - - multiport=--dport - for source in $(separate_list $sources); do - for dest in $(separate_list $dests); do - for port in $(separate_list ${ports:=-}); do - for sport in $(separate_list ${sports:=-}); do - add_a_tc_rule - done - done - done - 
done - - progress_message " TC Rule \"$rule\" $DONE" - save_progress_message_short " TC Rule \\\"$rule\\\" Added" -} - -# -# Process the tcrules file -# -process_tc_rules() -{ - cat >&3 << __EOF__ - -# -# Create Marking Rules from the tcrules file -# -setup_tc_rules() -{ -__EOF__ - INDENT=" " - - while read mark sources dests proto ports sports user testval length tos; do - if [ "x$mark" = xCOMMENT ]; then - if [ -n "$COMMENTS" ]; then - comment=$(echo $sources $dests $proto $ports $sports $user $testval $length $tos) - save_command COMMENT=\"$comment\" - else - error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" - fi - else - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos") - process_tc_rule - fi - done < $TMP_DIR/tcrules - - INDENT="" - save_command "}" - save_command -} diff --git a/Shorewall-shell/lib.tunnels b/Shorewall-shell/lib.tunnels deleted file mode 100644 index 0efd63dca..000000000 --- a/Shorewall-shell/lib.tunnels +++ /dev/null 
@@ -1,302 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.tunnels -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is -# non-empty. 
-# - -# -# Set up ipsec tunnels -# -setup_tunnels() # $1 = name of tunnels file -{ - local inchain - local outchain - local source - local dest - - setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones - { - local kind - kind=$1 - local noah - noah=noah - - case $kind in - *:*) - noah=${kind#*:} - case $noah in - ah|AH) - noah= - ;; - noah|NOAH) - ;; - *) - fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\"" - ;; - esac - kind=${kind%:*} - ;; - esac - - [ $kind = IPSEC ] && kind=ipsec - - [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels" - - options="-m state --state NEW -j ACCEPT" - addrule2 $inchain -p 50 $source -j ACCEPT - addrule2 $outchain -p 50 $dest -j ACCEPT - - if [ -z "$noah" ]; then - run_iptables -A $inchain -p 51 $source -j ACCEPT - run_iptables -A $outchain -p 51 $dest -j ACCEPT - fi - - run_iptables -A $outchain -p udp $dest --dport 500 $options - - if [ $kind = ipsec ]; then - run_iptables -A $inchain -p udp $source --dport 500 $options - else - run_iptables -A $inchain -p udp $source --dport 500 $options - run_iptables -A $inchain -p udp $source --dport 4500 $options - run_iptables -A $outchain -p udp $dest --dport 4500 $options - fi - - for z in $(separate_list $2); do - if validate_zone $z; then - if [ -z "$POLICY_MATCH" ]; then - addrule ${z}2${FW} -p 50 $source -j ACCEPT - addrule ${FW}2${z} -p 50 $dest -j ACCEPT - if [ -z "$noah" ]; then - addrule ${z}2${FW} -p 51 $source -j ACCEPT - addrule ${FW}2${z} -p 51 $dest -j ACCEPT - fi - fi - if [ $kind = ipsec ]; then - addrule ${z}2${FW} -p udp $source --dport 500 $options - addrule ${FW}2${z} -p udp $dest --dport 500 $options - else - addrule ${z}2${FW} -p udp $source --dport 500 $options - addrule ${FW}2${z} -p udp $dest --dport 500 $options - addrule ${z}2${FW} -p udp $source --dport 4500 $options - addrule ${FW}2${z} -p udp $dest --dport 4500 $options - fi - else - fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\"" - fi - 
done - - progress_message_and_save " IPSEC tunnel to $gateway defined." - } - - setup_one_other() # $1 = TYPE, $2 = protocol - { - addrule2 $inchain -p $2 $source -j ACCEPT - addrule2 $outchain -p $2 $dest -j ACCEPT - - progress_message_and_save " $1 tunnel to $gateway compiled." - } - - setup_pptp_client() - { - addrule2 $outchain -p 47 $dest -j ACCEPT - addrule2 $inchain -p 47 $source -j ACCEPT - addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT - - progress_message_and_save " PPTP tunnel to $gateway defined." - } - - setup_pptp_server() - { - addrule2 $inchain -p 47 $source -j ACCEPT - addrule2 $outchain -p 47 $dest -j ACCEPT - addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT - - progress_message_and_save " PPTP server defined." - } - - setup_one_openvpn() # $1 = kind[:port] - { - local protocol - protocol=udp - local p - p=1194 - - case $1 in - *:*:*) - protocol=${1%:*} - protocol=${protocol#*:} - p=${1##*:} - ;; - *:tcp|*:udp|*:TCP|*:UDP) - protocol=${1#*:} - ;; - *:*) - p=${1#*:} - ;; - esac - - addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT - addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT - - progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined." - } - - setup_one_openvpn_server() # $1 = kind[:port] - { - local protocol - protocol=udp - local p - p=1194 - - case $1 in - *:*:*) - protocol=${1%:*} - protocol=${protocol#*:} - p=${1##*:} - ;; - *:tcp|*:udp|*:TCP|*:UDP) - protocol=${1#*:} - ;; - *:*) - p=${1#*:} - ;; - esac - - addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT - addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT - - progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined." 
- } - - setup_one_openvpn_client() # $1 = kind[:port] - { - local protocol - protocol=udp - local p - p=1194 - - case $1 in - *:*:*) - protocol=${1%:*} - protocol=${protocol#*:} - p=${1##*:} - ;; - *:tcp|*:udp|*:TCP|*:UDP) - protocol=${1#*:} - ;; - *:*) - p=${1#*:} - ;; - esac - - addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT - addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT - - progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined." - } - - setup_one_generic() # $1 = kind:protocol[:port] - { - local protocol - local p - p= - - case $1 in - *:*:*) - p=${1##*:} - protocol=${1%:*} - protocol=${protocol#*:} - ;; - *:*) - protocol=${1#*:} - ;; - *) - protocol=udp - p=5000 - ;; - esac - - p=${p:+--dport $p} - - addrule2 $inchain -p $protocol $source $p -j ACCEPT - addrule2 $outchain -p $protocol $dest $p -j ACCEPT - - progress_message_and_save " GENERIC tunnel to $1:$p defined." - } - - while read kind z gateway z1; do - tunnel="$(echo $kind $z $gateway $z1)" - if validate_zone $z; then - inchain=${z}2${FW} - outchain=${FW}2${z} - gateway=${gateway:-0.0.0.0/0} - source=$(source_ip_range $gateway) - dest=$(dest_ip_range $gateway) - - case $kind in - ipsec|IPSEC|ipsec:*|IPSEC:*) - setup_one_ipsec $kind $z1 - ;; - ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*) - setup_one_ipsec $kind $z1 - ;; - ipip|IPIP) - setup_one_other IPIP 4 - ;; - gre|GRE) - setup_one_other GRE 47 - ;; - 6to4|6TO4) - setup_one_other 6to4 41 - ;; - pptpclient|PPTPCLIENT) - setup_pptp_client - ;; - pptpserver|PPTPSERVER) - setup_pptp_server - ;; - openvpn|OPENVPN|openvpn:*|OPENVPN:*) - setup_one_openvpn $kind - ;; - openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*) - setup_one_openvpn_client $kind - ;; - openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*) - setup_one_openvpn_server $kind - ;; - generic:*|GENERIC:*) - setup_one_generic $kind - ;; - *) - error_message "WARNING: Tunnels of type $kind are not supported:" \ - "Tunnel 
\"$tunnel\" Ignored" - ;; - esac - save_command - else - error_message "ERROR: Invalid gateway zone ($z)" \ - " -- Tunnel \"$tunnel\" Ignored" - fi - done < $TMP_DIR/tunnels -} diff --git a/Shorewall-shell/prog.footer b/Shorewall-shell/prog.footer deleted file mode 100644 index f02f47799..000000000 --- a/Shorewall-shell/prog.footer +++ /dev/null 
@@ -1,203 +0,0 @@ -# -# Give Usage Information -# -usage() { - echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" - exit $1 -} -################################################################################ -# E X E C U T I O N B E G I N S H E R E # -################################################################################ -# -# Start trace if first arg is "debug" or "trace" -# -if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - set -x - shift -fi - -initialize - -finished=0 - -while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - v*) - VERBOSE=$(($VERBOSE + 1 )) - option=${option#v} - ;; - q*) - VERBOSE=$(($VERBOSE - 1 )) - option=${option#q} - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac -done - -COMMAND="$1" - -[ -n "${PRODUCT:=Shorewall}" ] - -case "$COMMAND" in - start) - [ $# -ne 1 ] && usage 2 - if shorewall_is_started; then - error_message "$PRODUCT is already Running" - status=0 - else - progress_message3 "Starting $PRODUCT...." - define_firewall - status=$? - if [ $status -eq 0 ]; then - [ -n "$PURGE" ] && conntrack -F - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - fi - progress_message3 "done." - fi - ;; - stop) - [ $# -ne 1 ] && usage 2 - progress_message3 "Stopping $PRODUCT...." - stop_firewall - status=0 - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." - ;; - reset) - if ! 
shorewall_is_started ; then - error_message "$PRODUCT is not running" - status=2 - elif [ $# -eq 1 ]; then - $IPTABLES -Z - $IPTABLES -t nat -Z - $IPTABLES -t mangle -Z - date > ${VARDIR}/restarted - status=0 - progress_message3 "$PRODUCT Counters Reset" - else - status=0 - for chain in $@; do - if chain_exists $chain; then - if qt $IPTABLES -Z $chain; then - progress_message3 "Filter table $chain Counters Reset" - else - error_message "ERROR: Reset of chain $chain failed" - status=2 - break - fi - else - error_message "WARNING: Filter Chain $chain does not exist" - fi - done - fi - ;; - restart) - [ $# -ne 1 ] && usage 2 - if shorewall_is_started; then - progress_message3 "Restarting $PRODUCT...." - else - error_message "$PRODUCT is not running" - progress_message3 "Starting $PRODUCT...." - fi - - define_firewall - status=$? - - if [ $status -eq 0 ]; then - [ -n "$PURGE" ] && conntrack -F - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - else - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - fi - - progress_message3 "done." - ;; - refresh) - [ $# -ne 1 ] && usage 2 - if shorewall_is_started; then - progress_message3 "Refreshing $PRODUCT...." - refresh_firewall - status=$? - progress_message3 "done." - else - echo "$PRODUCT is not running" >&2 - status=2 - fi - ;; - restore) - [ $# -ne 1 ] && usage 2 - restore_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi - ;; - clear) - [ $# -ne 1 ] && usage 2 - progress_message3 "Clearing $PRODUCT...." - clear_firewall - status=0 - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." 
- ;; - status) - [ $# -ne 1 ] && usage 2 - echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)" - echo - if shorewall_is_started; then - echo "$PRODUCT is running" - status=0 - else - echo "$PRODUCT is stopped" - status=4 - fi - - if [ -f ${VARDIR}/state ]; then - state="$(cat ${VARDIR}/state)" - case $state in - Stopped*|Clear*) - status=3 - ;; - esac - else - state=Unknown - fi - echo "State:$state" - echo - ;; - version) - [ $# -ne 1 ] && usage 2 - echo $VERSION - status=0 - ;; - help) - [ $# -ne 1 ] && usage 2 - usage 0 - ;; - *) - usage 2 - ;; -esac - -exit $status diff --git a/Shorewall-shell/prog.header b/Shorewall-shell/prog.header deleted file mode 100644 index 70f51d78d..000000000 --- a/Shorewall-shell/prog.header +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh -# -# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net) -# -# -# Options are: -# -# -n Don't alter Routing -# -v and -q Standard Shorewall Verbosity control -# -# Commands are: -# -# start Starts the firewall -# refresh Refresh the firewall -# restart Restarts the firewall -# reload Reload the firewall -# clear Removes all firewall rules -# stop Stops the firewall -# status Displays firewall status -# version Displays the version of Shorewall that -# generated this program -# diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec deleted file mode 100644 index bb511f6fd..000000000 --- a/Shorewall-shell/shorewall-shell.spec +++ /dev/null 
@@ -1,200 +0,0 @@ -%define name shorewall-shell -%define version 4.2.6 -%define release 0base - -Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. -Name: %{name} -Version: %{version} -Release: %{release} -License: GPL -Packager: Tom Eastep -Group: Networking/Utilities -Source: %{name}-%{version}.tgz -URL: http://www.shorewall.net/ -BuildArch: noarch -BuildRoot: %{_tmppath}/%{name}-%{version}-root -Requires: iptables -Requires: iproute -Requires: shorewall-common >= 4.0.0-0RC1 -Provides: shorewall_compiler = %{version}-%{release} -Provides: shorewall = %{version}-%{release} -Obsoletes: shorewall < 4.0.0-0Beta7 - -%description - -The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter -(iptables) based firewall that can be used on a dedicated firewall system, -a multi-function gateway/ router/server or on a standalone GNU/Linux system. - -Shorewall-shell is a part of Shorewall that alows running shorewall with -legacy configurations. Shorewall-perl is the preferred compiler, please use -it for new installations. 
- -%prep - -%setup - -%build - -%install -export PREFIX=$RPM_BUILD_ROOT ; \ -export OWNER=`id -n -u` ; \ -export GROUP=`id -n -g` ;\ -./install.sh -n - -%clean -rm -rf $RPM_BUILD_ROOT - -%post - -%preun - -%postun - -if [ "$1" -eq 0 -a -f /etc/shorewall/shorewall.conf ]; then - sed -i.rpmsave -e 's/SHOREWALL_COMPILER=shell/SHOREWALL_COMPILER=/' /etc/shorewall/shorewall.conf - if cmp -s /etc/shorewall/shorewall.conf.rpmsave /etc/shorewall/shorewall.conf; then - rm -f /etc/shorewall/shorewall.conf.rpmsave - else - echo "/etc/shorewall/shorewall.conf modified - original saved as /etc/shorewall/shorewall.conf.rpmsave" - fi -fi - -%files -%defattr(0644,root,root,0755) -%attr(0755,root,root) %dir /usr/share/shorewall-shell - -%attr(0755,root,root) /usr/share/shorewall-shell/compiler -%attr(0644,root,root) /usr/share/shorewall-shell/lib.accounting -%attr(0644,root,root) /usr/share/shorewall-shell/lib.actions -%attr(0644,root,root) /usr/share/shorewall-shell/lib.maclist -%attr(0644,root,root) /usr/share/shorewall-shell/lib.nat -%attr(0644,root,root) /usr/share/shorewall-shell/lib.providers -%attr(0644,root,root) /usr/share/shorewall-shell/lib.proxyarp -%attr(0644,root,root) /usr/share/shorewall-shell/lib.tc -%attr(0644,root,root) /usr/share/shorewall-shell/lib.tcrules -%attr(0644,root,root) /usr/share/shorewall-shell/lib.tunnels -%attr(0644,root,root) /usr/share/shorewall-shell/prog.footer -%attr(0644,root,root) /usr/share/shorewall-shell/prog.header -%attr(0644,root,root) /usr/share/shorewall-shell/version - -%doc COPYING INSTALL - -%changelog -* Wed Feb 04 2009 Tom Eastep tom@shorewall.net -- Updated to 4.2.6-0base -* Thu Jan 29 2009 Tom Eastep tom@shorewall.net -- Updated to 4.2.6-0base -* Tue Jan 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.2.5-0base -* Thu Dec 25 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0base -* Sun Dec 21 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC2 -* Wed Dec 17 2008 Tom Eastep tom@shorewall.net -- Updated to 
4.2.4-0RC1 -* Tue Dec 16 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.4-0base -* Sat Dec 13 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.3-0base -* Fri Dec 12 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.2-0base -* Thu Dec 11 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.1-0base -* Thu Dec 11 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.1-0base -* Wed Dec 10 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.0-0base -* Wed Dec 10 2008 Tom Eastep tom@shorewall.net -- Updated to 2.3.0-0base -* Wed Oct 08 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.1-0base -* Fri Oct 03 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0base -* Tue Sep 23 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC4 -* Mon Sep 15 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC3 -* Mon Sep 08 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC2 -* Tue Aug 19 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC1 -* Thu Jul 03 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta3 -* Mon Jun 02 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta2 -* Wed May 07 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta1 -* Mon Apr 28 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.8-0base -* Mon Mar 24 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.7-0base -* Thu Mar 13 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.6-0base -* Tue Feb 05 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.5-0base -* Fri Jan 04 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.4-0base -* Wed Dec 12 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.3-0base -* Fri Dec 07 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.3-1 -* Tue Nov 27 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.2-1 -* Wed Nov 21 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.1-1 -* Mon Nov 19 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.0-1 -* Thu Nov 15 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-1 -* Sat Nov 
10 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-0RC3 -* Thu Oct 25 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-0RC2 -* Tue Oct 03 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.5-1 -* Wed Sep 05 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.4-1 -* Mon Aug 13 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.3-1 -* Thu Aug 09 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.2-1 -* Sat Jul 21 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.1-1 -* Wed Jul 11 2007 Tom Eastep tom@shorewall.net -- Modify shorewall.conf on uninstall -- Updated to 4.0.0-1 -* Sun Jul 08 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0RC2 -* Fri Jun 29 2007 Tom EAstep tom@shorewall.net -- Updated to 4.0.0-0RC1 -* Sun Jun 24 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta7 -* Wed Jun 20 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta6 -* Thu Jun 14 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta5 -* Fri Jun 08 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta4 -* Tue Jun 05 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta3 -* Tue May 15 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta1 -* Fri May 11 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.6-1 -* Sat May 05 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.6-1 -* Mon Apr 30 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.5-1 -* Mon Apr 23 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.4-1 -* Wed Apr 18 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.3-1 -* Mon Apr 16 2007 Tom Eastep tom@shorewall.net -- Moved lib.dynamiczones to Shorewall-common -* Sat Apr 14 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.2-1 -* Tue Apr 03 2007 Tom Eastep tom@shorewall.net -- Initial Version - -
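Review bot: in the deleted prog.header and prog.footer hunks, the header's command list advertises a `reload` command that the footer's `case "$COMMAND"` never handled, while the footer accepted `restore` and `reset` that the `usage()` string omitted. Since both files leave the tree together the mismatch is moot for this patch, but whatever now generates the script header and footer should keep the advertised and handled command lists in sync, and a commit message stating where the shell compiler's functionality moved would help (the spec description removed in this same patch already points at Shorewall-perl as the preferred compiler).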
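Review bot: the shorewall-shell.spec hunk removes the `%postun` scriptlet that rewrote `SHOREWALL_COMPILER=shell` to an empty value in /etc/shorewall/shorewall.conf on uninstall, together with the `Provides: shorewall_compiler = %{version}-%{release}` and `Provides: shorewall = %{version}-%{release}` lines. An installed system that still has SHOREWALL_COMPILER=shell in shorewall.conf gets no migration when the package simply disappears from the tree, and any package that relied on the `shorewall_compiler` or `shorewall` provide needs its dependencies re-checked. Suggest an upgrade note, or an equivalent scriptlet in the surviving package, covering that configuration edit.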