From aaa06b41c2703bc09f869abd13ead12d1ce90ee3 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 9 Aug 2006 16:18:32 +0000 Subject: [PATCH] Bring forward 3.2.2 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-lite/help | 61 ++++++++++++++++++----------------- Shorewall-lite/install.sh | 18 ++++++++--- Shorewall-lite/shorecap | 44 ++++--------------------- Shorewall-lite/shorewall-lite | 55 ++++++++++++++++++++----------- Shorewall-lite/shorewall.conf | 5 ++- 5 files changed, 91 insertions(+), 92 deletions(-) diff --git a/Shorewall-lite/help b/Shorewall-lite/help index 0f32d1b5f..e1337b9ed 100755 --- a/Shorewall-lite/help +++ b/Shorewall-lite/help @@ -44,7 +44,7 @@ allow) Re-enables receipt of packets from hosts previously blacklisted by a drop or reject command. - Shorewall allow, drop, rejct and save implement dynamic blacklisting. + shorewall-lite allow, drop, rejct and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -66,7 +66,7 @@ debug) then a shell trace of the command is produced. For example: - shorewall debug start 2> /tmp/trace + shorewall-lite debug start 2> /tmp/trace The above command would trace the 'start' command and place the trace information in the file /tmp/trace. @@ -78,7 +78,7 @@ drop) echo "$1: $1
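Review bot: The rewritten line in the allow) entry still carries the typo `rejct`; the hunk at -44 replaces exactly that line, so it should read `shorewall-lite allow, drop, reject and save implement dynamic blacklisting.`. The parallel sentence in the drop, logdrop, logreject, reject and save entries names `allow, drop, logdrop, logreject, reject and save`, so the allow entry would be consistent if it listed the same commands. The allow) echo starts before the hunk.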
... Causes packets from the specified
to be ignored - Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -86,7 +86,7 @@ drop) dump) echo "dump: dump - shorewall [-x] dump + shorewall-lite [-x] dump Produce a verbose report about the firewall for problem analysis. @@ -105,7 +105,7 @@ forget) help) echo "help: help [ | host | address ] - Display helpful information about the shorewall commands." + Display helpful information about the shorewall-lite commands." ;; hits) @@ -136,7 +136,7 @@ logdrop) echo "$1: $1
... Causes packets from the specified
to be ignored and loged. - Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -152,7 +152,7 @@ logreject) echo "$1: $1
... Causes packets from the specified
to be rejected and logged. - Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -161,7 +161,7 @@ reject) echo "$1: $1
... Causes packets from the specified
to be rejected - Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -173,7 +173,7 @@ reset) restart) echo "restart: restart [ -n ] [ ] - Restart is the same as a shorewall stop && shorewall start. + Restart is the same as a shorewall-lite stop && shorewall-lite start. Existing connections are maintained. If \"-n\" is specified, no changes to routing will be made" @@ -183,9 +183,9 @@ restore) echo "restore: restore [ -n ] [ ] Restore Shorewall to a state saved using the 'save' command Existing connections are maintained. The names a restore file in - /var/lib/shorewall-lite created using \"shorewall save\"; if no is given - then Shorewall will be restored from the file specified by the RESTOREFILE - option in shorewall.conf. + /var/lib/shorewall-lite created using \"shorewall-lite save\"; if no + is given then Shorewall Lite will be restored from the file + specified by the RESTOREFILE option in shorewall.conf. If \"-n\" is specified, no changes to routing will be made. 
@@ -195,50 +195,53 @@ restore) save) echo "save: save [ ] The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the - firewall is stored in /var/lib/shorewall-lite/ for use by the 'shorewall restore' - and 'shorewall -f start' commands. If is not given then the state is saved + firewall is stored in /var/lib/shorewall-lite/ for use by the 'shorewall-lite restore' + and 'shorewall-lite -f start' commands. If is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf. - Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help restore\" and \"help forget\"" ;; show) - echo "show: show [ [ ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones] + echo "show: show [ [ ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones] - shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). + shorewall-lite [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) - shorewall [-x] show mangle - produce a verbose report about the mangle table. + shorewall-lite [-x] show mangle - produce a verbose report about the mangle table. (iptables -t mangle -L -n -v) - shorewall [-x] show nat - produce a verbose report about the nat table. + shorewall-lite [-x] show nat - produce a verbose report about the nat table. (iptables -t nat -L -n -v) - shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then + shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed. 
- shorewall show connections - displays the IP connections currently + shorewall-lite show connections - displays the IP connections currently being tracked by the firewall. - shorewall show tc - displays information about the traffic + shorewall-lite show tc - displays information about the traffic control/shaping configuration. - shorewall show zones - displays the contents of all zones. + shorewall-lite show zones - displays the contents of all zones. - shorewall show capabilities - displays your kernel/iptables capabilities + shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is + specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative + system. - shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution + shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; start) echo "start: start [ -f ] [ -n ] [ ] - Start shorewall. Existing connections through shorewall managed + Start Shorewall Lite. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. + If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option in shorewall.conf will be restored if that saved configuration exists. In that case, a may not be specified. @@ -256,7 +259,7 @@ stop) status) echo "status: status - shorewall status + shorewall-lite status Displays the Shorewall Lite status (running/not-running). 
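Review bot: The new capabilities line in the show) entry reads `shorewall-lite show - [ -f ] capabilities - displays ...`, which breaks the `command - description` layout every other line in this block uses; the stray ` - ` after `show` should go, giving `shorewall-lite show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is`. The continuation lines that describe `-f` are fine as written. The show) echo starts before the hunk.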
@@ -270,11 +273,11 @@ trace) If you include the keyword trace as the first argument to any of these commands: - start|stop|restart|reset|clear|check|add|delete + start|stop|restart|reset|clear then a shell trace of the command is produced. For example: - shorewall trace start 2> /tmp/trace + shorewall-lite trace start 2> /tmp/trace The above command would trace the 'start' command and place the trace information in the file /tmp/trace. diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 788490a74..462ace1cc 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=3.2.0 +VERSION=3.2.2 usage() # $1 = exit status { @@ -30,6 +30,7 @@ usage() # $1 = exit status echo "usage: $ME" echo " $ME -v" echo " $ME -h" + echo " $ME -n" exit $1 } @@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup { - if [ -z "$PREFIX" ]; then + if [ -z "${PREFIX}${NOBACKUP}" ]; then if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then if [ -n "$2" ]; then if [ -d $2 ]; then @@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then GROUP=root fi +NOBACKUP= + while [ $# -gt 0 ] ; do case "$1" in -h|help|?) @@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do echo "Shorewall Lite Firewall Installer Version $VERSION" exit 0 ;; + -n) + NOBACKUP=Yes + ;; *) usage 1 ;; @@ -216,9 +222,11 @@ echo "Installing Shorewall Lite Version $VERSION" # if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then first_install="" - backup_directory /etc/shorewall-lite - backup_directory /usr/share/shorewall-lite - backup_directory /var/lib/shorewall-lite + if [ -z "$NOBACKUP" ]; then + backup_directory /etc/shorewall-lite + backup_directory /usr/share/shorewall-lite + backup_directory /var/lib/shorewall-lite + fi else first_install="Yes" rm -rf ${PREFIX}/etc/shorewall-lite 
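Review bot: The new `-n` flag switches off the backups of /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite that the installer otherwise takes before overwriting them, but the usage line added in the -30 hunk only prints `$ME -n` with no explanation, so an operator cannot tell that the flag gives up the rollback copies; print something like `echo " $ME -n   (do not back up the existing installation)"`. In backup_file the combined test `[ -z "${PREFIX}${NOBACKUP}" ]` relies on the reader noticing that either variable being non-empty disables the backup; `[ -z "$PREFIX" ] && [ -z "$NOBACKUP" ]` states the intent directly and matches the explicit `[ -z "$NOBACKUP" ]` test the -216 hunk uses around backup_directory. backup_file continues past the hunk.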
diff --git a/Shorewall-lite/shorecap b/Shorewall-lite/shorecap index 0b77428d1..7833f9f12 100755 --- a/Shorewall-lite/shorecap +++ b/Shorewall-lite/shorecap @@ -44,50 +44,18 @@ # used during firewall compilation, then the generated firewall program will likewise not # require Shorewall to be installed. +PRODUCT="Shorewall Lite" + . /usr/share/shorewall-lite/functions . /usr/share/shorewall-lite/configpath -. /etc/shorewall-lite/shorewall.conf + +[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin VERSION=$(cat /usr/share/shorewall-lite/version) -report_capability() # $1 = Capability -{ - eval echo $1=\$$1 -} - -report_capabilities() { - echo "#" - echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" - echo "#" - report_capability NAT_ENABLED - report_capability MANGLE_ENABLED - report_capability MULTIPORT - report_capability XMULTIPORT - report_capability CONNTRACK_MATCH - report_capability USEPKTTYPE - report_capability POLICY_MATCH - report_capability PHYSDEV_MATCH - report_capability LENGTH_MATCH - report_capability IPRANGE_MATCH - report_capability RECENT_MATCH - report_capability OWNER_MATCH - report_capability IPSET_MATCH - report_capability CONNMARK - report_capability XCONNMARK - report_capability CONNMARK_MATCH - report_capability XCONNMARK_MATCH - report_capability RAW_TABLE - report_capability IPP2P_MATCH - report_capability CLASSIFY_TARGET - report_capability ENHANCED_REJECT - report_capability KLUDGEFREE - report_capability MARK - report_capability XMARK - report_capability MANGLE_FORWARD -} - [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) + VERBOSE=0 load_kernel_modules determine_capabilities -report_capabilities +report_capabilities1 diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 02cab9f1a..2cbdaf6e8 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite 
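Review bot: After this hunk nothing left in shorecap reads `VERSION`: the local report_capabilities that printed it is removed and the script now calls `report_capabilities1`, which is not defined here and presumably comes from /usr/share/shorewall-lite/functions. Either drop the `VERSION=$(cat /usr/share/shorewall-lite/version)` line or add a comment stating that the sourced library uses it, e.g. `# determine_capabilities and report_capabilities1 come from /usr/share/shorewall-lite/functions`. Removing `. /etc/shorewall-lite/shorewall.conf` also means `IPTABLES` is now taken only from the environment or from `mywhich`, which deserves a one-line comment above the `[ -n "$IPTABLES" ]` test. The same PATH fallback line is added to get_config in shorewall-lite in the hunk at -162; a comment naming the situation it guards against (presumably an empty PATH under init or cron) would help in both places.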
@@ -162,6 +162,8 @@ validate_restorefile() # $* = label # get_config() { + [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages if [ ! -f $LOGFILE ]; then @@ -376,10 +378,29 @@ logwatch() # $1 = timeout -- if negative, prompt each time that done } +# +# Verify that we have a compiled firewall script +# +verify_firewall_script() { + if [ ! -f $FIREWALL ]; then + echo " ERROR: Shorewall Lite is not properly installed" >&2 + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" >&2 + echo " non-existant file" >&2 + else + echo " The file $FIREWALL does not exist" >&2 + fi + + exit 2 + fi +} + # # Save currently running configuration # save_config() { + verify_firewall_script + if shorewall_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} @@ -471,6 +492,8 @@ start_command() { [ -n "$nolock" ] || mutex_off } + verify_firewall_script + if shorewall_is_started; then error_message "Shorewall is already running" exit 1 @@ -574,6 +597,8 @@ start_command() { restart_command() { local finished=0 + verify_firewall_script + while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 case $option in @@ -668,6 +693,10 @@ show_command() { SHOWMACS=Yes option=${option#m} ;; + f*) + FILEMODE=Yes + option=${option#f} + ;; *) usage 1 ;; @@ -744,7 +773,11 @@ show_command() { [ $# -gt 1 ] && usage 1 determine_capabilities VERBOSE=2 - report_capabilities + if [ -n "$FILEMODE" ]; then + report_capabilities1 + else + report_capabilities + fi ;; config) . ${SHAREDIR}/configpath @@ -964,7 +997,6 @@ usage() # $1 = exit status echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] " echo "where is one of:" echo " allow
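Review bot: verify_firewall_script only re-creates the existence test that the hunk at -1214 removes from the top-level flow, so any command that still runs `$FIREWALL` without calling it loses the check; the hunks at -376, -471, -574 and -1263 cover save, start, restart and stop/reset/clear, but restore (and anything else that execs the compiled script) is not in this diff and should be confirmed. The tests `[ ! -f $FIREWALL ]` and `[ -L $FIREWALL ]` leave `$FIREWALL` unquoted, so a LITEDIR containing whitespace produces a test error instead of the intended message; write `if [ ! -f "$FIREWALL" ]; then` and `if [ -L "$FIREWALL" ]; then`. Since the file is afterwards executed via `exec $SHOREWALL_SHELL $FIREWALL`, presumably as root, this function is also the natural place to reject a script that is not a regular, root-owned file if that policy is wanted. The message text `non-existant` should be `non-existent`.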
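Review bot: FILEMODE is set to Yes by the new `f*)` arm in show_command, but nothing in the hunks at -668 or -744 initialises it, so unless show_command clears it earlier (not visible here) a `FILEMODE` value inherited from the caller's environment selects report_capabilities1 even without `-f`; add `FILEMODE=` wherever SHOWMACS is initialised, or reset it at the top of show_command. The help text added in Shorewall-lite/help describes `-f` as producing output usable as /etc/shorewall/capabilities on the administrative system, so a short comment on the arm, `# -f: emit capabilities in the file format used on the administrative system`, would tie the code to that behaviour. show_command starts and ends outside the hunk.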
..." - echo " check [ -e ] [ ]" echo " clear" echo " drop
..." echo " dump [ -x ]" @@ -982,7 +1014,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [ [ ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]" + echo " show [ -x ] [ -m ] [ -f ] [ [ ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]" echo " start [ -f ] [ -n ] [ ]" echo " stop" echo " status" @@ -1214,18 +1246,6 @@ get_config FIREWALL=$LITEDIR/firewall -if [ ! -f $FIREWALL ]; then - echo " ERROR: Shorewall Lite is not properly installed" >&2 - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $FIREWALL does not exist" >&2 - fi - - exit 2 -fi - if [ -f $VERSION_FILE ]; then version=$(cat $VERSION_FILE) else @@ -1263,6 +1283,7 @@ case "$COMMAND" in ;; stop|reset|clear) [ $# -ne 1 ] && usage 1 + verify_firewall_script export NOROUTES exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND ;; @@ -1270,10 +1291,6 @@ case "$COMMAND" in shift restart_command $@ ;; - check) - shift - check_command $@ - ;; show|list) shift show_command $@ diff --git a/Shorewall-lite/shorewall.conf b/Shorewall-lite/shorewall.conf index 5f4b4057f..0cc936efb 100644 --- a/Shorewall-lite/shorewall.conf +++ b/Shorewall-lite/shorewall.conf 
@@ -12,8 +12,11 @@ # N 0 T E ############################################################################### # Entries in this file override entries in the shorewall.conf file in the -# configuration directory when the firewall script was compiled. Any variable +# export directory when the firewall script was compiled. Any variable # not set here assumes the value defined at firewall compilation time. +# +# PROVIDED THAT shorewall.conf IN THE EXPORT DIRECTORY IS CORRECT, YOU DO NOT +# NEED TO MODIFY THIS FILE IN ANY WAY ############################################################################### # V E R B O S I T Y ###############################################################################