"Fix" bashisms (at least they are bashisms according to the Debian people)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
el_cubano 2008-03-14 02:07:28 +00:00
parent b0a5c577f4
commit bbe6dfb5fd
32 changed files with 1816 additions and 368 deletions


@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
{
if [ -n "$2" ]; then
local file=$(basename $1)
local file
file=$(basename $1)
if [ -f $2/$file ]; then
if mv -f $2/$file $1 ; then


@ -35,7 +35,8 @@ usage() # $1 = exit status
}
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*


@ -56,7 +56,8 @@ error_message() # $* = Error Message
#
progress_message() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -gt 1 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -66,7 +67,8 @@ progress_message() # $* = Message
progress_message2() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -gt 0 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -76,7 +78,8 @@ progress_message2() # $* = Message
progress_message3() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -ge 0 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -88,7 +91,8 @@ progress_message3() # $* = Message
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
echo $*
IFS=$ifs
@ -100,7 +104,8 @@ split() {
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift
@ -115,7 +120,9 @@ list_search() # $1 = element to search for , $2-$n = list
#
combine_list()
{
local f o=
local f
local o
o=
for f in $* ; do
o="${o:+$o,}$f"
@ -152,7 +159,8 @@ my_pathname() {
#
run_user_exit() # $1 = file name
{
local user_exit=$(find_file $1)
local user_exit
user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@ -208,7 +216,8 @@ deleteallchains() {
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulename
modulename=$1
local modulefile
local suffix
@ -240,10 +249,13 @@ loadmodule() # $1 = module name, $2 - * arguments
#
reload_kernel_modules() {
local save_modules_dir=$MODULESDIR
local save_modules_dir
save_modules_dir=$MODULESDIR
local directory
local moduledirectories=
local moduleloader=modprobe
local moduledirectories
moduledirectories=
local moduleloader
moduleloader=modprobe
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -270,11 +282,15 @@ reload_kernel_modules() {
#
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
{
local save_modules_dir=$MODULESDIR
local save_modules_dir
save_modules_dir=$MODULESDIR
local directory
local moduledirectories=
local moduleloader=modprobe
local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
local moduledirectories
moduledirectories=
local moduleloader
moduleloader=modprobe
local savemoduleinfo
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -320,8 +336,10 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
#
mutex_on()
{
local try=0
local lockf=${LOCKFILE:=${VARDIR}/lock}
local try
try=0
local lockf
lockf=${LOCKFILE:=${VARDIR}/lock}
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
@ -360,7 +378,8 @@ mutex_off()
#
lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
{
local lib=${SHAREDIR}/lib.$1
local lib
lib=${SHAREDIR}/lib.$1
local loaded
eval loaded=\$LIB_${1}_LOADED
@ -398,8 +417,10 @@ LEFTSHIFT='<<'
# Validate an IP address
#
valid_address() {
local x y
local ifs=$IFS
local x
local y
local ifs
ifs=$IFS
IFS=.
@ -425,8 +446,10 @@ valid_address() {
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
local temp
temp=0
local ifs
ifs=$IFS
IFS=.
@ -445,7 +468,8 @@ decodeaddr() {
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
local y
y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
@ -478,7 +502,13 @@ EOF
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm
local first
local last
local l
local x
local y
local z
local vlsm
case $1 in
!*)
@ -524,7 +554,8 @@ ip_range() {
}
ip_range_explicit() {
local first last
local first
local last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
@ -552,7 +583,8 @@ ip_range_explicit() {
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
local vlsm
vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
@ -561,8 +593,10 @@ ip_netmask() {
# Network address from CIDR
#
ip_network() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local decodedaddr
decodedaddr=$(decodeaddr ${1%/*})
local netmask
netmask=$(ip_netmask $1)
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
@ -572,7 +606,8 @@ ip_network() {
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
ip_broadcast() {
local x=$(( 32 - ${1#*/} ))
local x
x=$(( 32 - ${1#*/} ))
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
@ -581,9 +616,12 @@ ip_broadcast() {
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
local decodedaddr
decodedaddr=$(decodeaddr ${1%/*})
local netmask
netmask=$(ip_netmask $1)
local broadcast
broadcast=$(ip_broadcast $1)
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
@ -593,7 +631,8 @@ broadcastaddress() {
#
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=$(ip_netmask $2)
local netmask
netmask=$(ip_netmask $2)
#
# We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
#
@ -604,9 +643,12 @@ in_network() # $1 = IP address, $2 = CIDR network
# Netmask to VLSM
#
ip_vlsm() {
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 << 24 )) # 0x80000000
local mask
mask=$(decodeaddr $1)
local vlsm
vlsm=0
local x
x=$(( 128 << 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
@ -627,7 +669,8 @@ ip_vlsm() {
#
chain_base() #$1 = interface
{
local c=${1%%+}
local c
c=${1%%+}
while true; do
case $c in
@ -752,8 +795,10 @@ find_default_interface() {
#
find_interface_by_address() {
local dev="$(find_rt_interface $1)"
local first rest
local dev
dev="$(find_rt_interface $1)"
local first
local rest
[ -z "$dev" ] && dev=$(find_default_interface)
@ -765,7 +810,8 @@ find_interface_by_address() {
#
find_interface_by_mac() {
local mac=$1 first second rest dev
local mac
mac=$1 first second rest dev
ip link list | while read first second rest; do
case $first in
@ -893,7 +939,8 @@ mywhich() {
# Set default config path
#
ensure_config_path() {
local F=${SHAREDIR}/configpath
local F
F=${SHAREDIR}/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
@ -909,7 +956,8 @@ ensure_config_path() {
#
find_file()
{
local saveifs= directory
local saveifs
saveifs= directory
case $1 in
/*)
@ -933,7 +981,8 @@ find_file()
#
resolve_file() # $1 = file name
{
local pwd=$PWD
local pwd
pwd=$PWD
case $1 in
/*)
@ -1127,7 +1176,8 @@ determine_capabilities() {
report_capabilities() {
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
local setting
setting=
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
@ -1231,7 +1281,15 @@ del_ip_addr() # $1 = address, $2 = interface
#
add_ip_aliases() # $* = List of addresses
{
local addresses external interface inet cidr rest val arping=$(mywhich arping)
local addresses
local external
local interface
local inet
local cidr
local rest
local val1
local arping
arping=$(mywhich arping)
address_details()
{
@ -1288,7 +1346,8 @@ add_ip_aliases() # $* = List of addresses
detect_gateway() # $1 = interface
{
local interface=$1
local interface
interface=$1
#
# First assume that this is some sort of point-to-point interface
#
@ -1311,7 +1370,8 @@ detect_gateway() # $1 = interface
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr list 2> /dev/null)"
local foo
foo="$(ip -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
@ -1343,16 +1403,25 @@ truncate() # $1 = length
#
do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
local level=$1
local chain=$2
local displayChain=$3
local disposition=$4
local rulenum=
local limit=
local tag=
local command=
local level
level=$1
local chain
chain=$2
local displayChain
displayChain=$3
local disposition
disposition=$4
local rulenum
rulenum=
local limit
limit=
local tag
tag=
local command
command=
local prefix
local base=$(chain_base $displayChain)
local base
base=$(chain_base $displayChain)
local pf
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@ -1405,9 +1474,12 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos
do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
local level
level=$1
local chain
chain=$2
local disposition
disposition=$3
shift 3
@ -1441,7 +1513,8 @@ delete_tc1()
#
get_device_mtu() # $1 = device
{
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
@ -1456,7 +1529,8 @@ get_device_mtu() # $1 = device
#
get_device_mtu1() # $1 = device
{
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
@ -1495,7 +1569,9 @@ undo_routing() {
restore_default_route() {
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
local default_route= route
local default_route
default_route=
local route
while read route ; do
case $route in
@ -1556,7 +1632,8 @@ find_echo() {
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp=`mywhich mktemp 2> /dev/null`
local mktemp
mktemp=`mywhich mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
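Review bot: In find_interface_by_mac the split leaves `mac=$1 first second rest dev` as an ordinary command line: the shell runs a command named `first` with `mac=$1` as a temporary environment assignment, so `mac` is never set inside the function and `first`, `second`, `rest` and `dev` are no longer local. The other copy of this library in the same commit gets it right, and this one should match it. The same slip appears in find_file, where `saveifs= directory` executes a command named `directory` instead of declaring it (it should be `saveifs=` followed by `local directory`), and in add_ip_aliases, which now declares `local val1` while the body's variable is `val`, so `val` silently leaks into the global scope. The bodies of all three functions continue outside the hunks.
```shell
find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    # … unchanged: ip link list | while read loop …
```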


@ -124,7 +124,13 @@ timed_read ()
# Determine if 'syslog -C' is running
#
syslog_circular_buffer() {
local pid tty flags cputime path args arg
local pid
local tty
local flags
local cputime
local path
local args
local arg
ps ax 2> /dev/null | while read pid tty flags cputime path args; do
case $path in
@ -160,7 +166,8 @@ packet_log() # $1 = number of messages
show_tc() {
show_one_tc() {
local device=${1%@*}
local device
device=${1%@*}
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
@ -183,7 +190,8 @@ show_tc() {
show_classifiers() {
show_one_classifier() {
local device=${1%@*}
local device
device=${1%@*}
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
@ -258,7 +266,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
#
save_config() {
local result=1
local result
result=1
iptables_save=${IPTABLES}-save
@ -367,7 +376,12 @@ show_routing() {
# Show Command Executor
#
show_command() {
local finished=0 local table=filter table_given=
local finished
finished=0
local table
table=filter
local table_given
table_given=
show_macro() {
foo=`grep 'This macro' $macro | sed 's/This macro //'`
@ -619,7 +633,8 @@ show_command() {
# Dump Command Executor
#
dump_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -743,7 +758,8 @@ dump_command() {
# Restore Comand Executor
#
restore_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -868,7 +884,10 @@ heading() {
# Create the appropriate -q option to pass onward
#
make_verbose() {
local v=$VERBOSE_OFFSET option=-
local v
v=$VERBOSE_OFFSET
local option
option=-
if [ -n "$USE_VERBOSITY" ]; then
echo "-v$USE_VERBOSITY"
@ -894,7 +913,10 @@ make_verbose() {
#
block() # $1 = command, $2 = Finished, $3 - $n addresses
{
local chain=$1 finished=$2
local chain
chain=$1
local finished
finished=$2
shift 3
@ -925,7 +947,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
# 'hits' commmand executor
#
hits_command() {
local finished=0 today=
local finished
finished=0
local today
today=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1


@ -31,7 +31,8 @@ SHOREWALL_CONFIGVERSION=40000
# Replace commas with spaces and echo the result
#
separate_list() {
local list="$@"
local list
list="$@"
local part
local newlist
local firstpart
@ -121,7 +122,10 @@ is_policy_chain() # $1 = name of chain
#
list_walk() # $1 = element to search for, $2-$n = list
{
local e=$1 result=
local e
e=$1
local result
result=
while [ $# -gt 1 ]; do
shift
@ -165,7 +169,8 @@ expand_line() {
#
fix_bang()
{
local result=
local result
result=
while [ $# -gt 0 ]; do
case $1 in
@ -186,7 +191,13 @@ fix_bang()
# Read the zones file and find the firewall zone
#
get_firewall_zone() {
local zone type rest comment='#*' f=$(find_file zones)
local zone
local type
local rest
local comment
comment='#*'
local f
f=$(find_file zones)
[ -f $f ] || startup_error "Unable to find zones file"
@ -212,11 +223,21 @@ get_firewall_zone() {
#
determine_zones()
{
local zone parent parents rest new_zone_file= r
local zone
local parent
local parents
local rest
local new_zone_file
new_zone_file=
local r
merge_zone()
{
local z zones="$ZONES" merged=
local z
local zones
zones="$ZONES"
local merged
merged=
if [ -n "$parents" ]; then
ZONES=
@ -323,8 +344,15 @@ determine_zones()
#
validate_interfaces_file() {
local wildcard
local found_obsolete_option=
local z interface networks options r iface option
local found_obsolete_option
found_obsolete_option=
local z
local interface
local networks
local options
local r
local iface
local option
while read z interface networks options; do
r="$z $interface $networks $options"
@ -346,7 +374,8 @@ validate_interfaces_file() {
#
# Assume that this is 4.0 syntax for a bridge
#
local bridge=${interface%:*}
local bridge
bridge=${interface%:*}
list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"
interface=${interface#*:}
else
@ -423,17 +452,21 @@ validate_interfaces_file() {
# Process the ipsec information in the zones file
#
setup_ipsec() {
local zone using_ipsec=
local zone
local using_ipsec
using_ipsec=
#
# Add a --set-mss rule to the passed chain
#
set_mss1() # $1 = chain, $2 = MSS
{
eval local policy=\$${1}_policy
local policy
eval policy=\$${1}_policy
if [ "$policy" != NONE ]; then
ensurechain $1
local match=
local match
match=
[ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: "
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2
fi
@ -461,7 +494,10 @@ setup_ipsec() {
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option newoptions= val
local option
local newoptions
newoptions=
local val
[ x${2} = x- ] && return
@ -547,7 +583,16 @@ setup_ipsec() {
# Validate the zone names and options in the hosts file
#
validate_hosts_file() {
local z hosts options r interface host option zports ipsec=
local z
local hosts
local options
local r
local interface
local host
local option
local zports
local ipsec
ipsec=
check_bridge_port()
{
@ -667,7 +712,8 @@ validate_hosts_file() {
#
find_interfaces() # $1 = interface zone
{
local zne=$1
local zne
zne=$1
local z
local interface
@ -742,7 +788,8 @@ dynamic_out() # $1 = interface
dynamic_chains() #$1 = interface
{
local c=$(chain_base $1)
local c
c=$(chain_base $1)
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
@ -776,7 +823,8 @@ ecn_chain() # $1 = interface
#
first_chains() #$1 = interface
{
local c=$(chain_base $1)
local c
c=$(chain_base $1)
echo ${c}_fwd ${c}_in
}
@ -809,7 +857,11 @@ iprange_echo()
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
local temp setname=$1 options=$2
local temp
local setname
setname=$1
local options
options=$2
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
@ -908,7 +960,14 @@ dest_ip_range() # $1 = Address or Address Range
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
{
local rangeprefix= setprefix= rangematch= setmatch=
local rangeprefix
rangeprefix=
local setprefix
setprefix=
local rangematch
rangematch=
local setmatch
setmatch=
case $1 in
*.*.*.*-*.*.*.*)
@ -956,7 +1015,8 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
local pattern=${1%+}
local pattern
pattern=${1%+}
case $1 in
*+)
@ -1106,8 +1166,10 @@ verify_interface()
#
is_ipsec_host() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
local is_ipsec
eval is_ipsec=\$${1}_is_ipsec
local hosts
eval hosts=\"\$${1}_ipsec_hosts\"
test -n "$is_ipsec" || list_search $2 $hosts
}
@ -1118,7 +1180,8 @@ is_ipsec_host() # $1 = zone, $2 = host
match_ipsec_in() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
local options
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
@ -1131,7 +1194,8 @@ match_ipsec_in() # $1 = zone, $2 = host
match_ipsec_out() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
local options
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out"
@ -1156,7 +1220,10 @@ firewall_ip_range() # $1 = IP address or range
#
find_hosts() # $1 = host zone
{
local hosts interface address addresses
local hosts
local interface
local address
local addresses
while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then
@ -1185,7 +1252,10 @@ find_hosts() # $1 = host zone
#
find_exclusions() # $1 = host zone
{
local hosts interface address addresses
local hosts
local interface
local address
local addresses
while read z hosts options; do
if [ "x$z" = "x$1" ]; then
@ -1335,7 +1405,8 @@ find_interfaces_by_option() # $1 = option
#
find_interfaces_by_option1() # $1 = option
{
local options option
local options
local option
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
@ -1353,7 +1424,15 @@ find_interfaces_by_option1() # $1 = option
#
find_hosts_by_option() # $1 = option
{
local ignore hosts interface address addresses options ipsec= list
local ignore
local hosts
local interface
local address
local addresses
local options
local ipsec
ipsec=
local list
while read ignore hosts options; do
list=$(separate_list $options)
@ -1378,7 +1457,18 @@ find_hosts_by_option() # $1 = option
#
process_routestopped() # $1 = command
{
local hosts= interface host host1 options networks source= dest= matched
local hosts
hosts=
local interface
local host
local host1
local options
local networks
local source
source=
local dest
dest=
local matched
while read interface host options; do
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
@ -1454,7 +1544,15 @@ process_routestopped() # $1 = command
process_criticalhosts()
{
local hosts= interface host h options networks criticalhosts=
local hosts
hosts=
local interface
local host
local h
local options
local networks
local criticalhosts
criticalhosts=
while read interface host options; do
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
@ -1514,7 +1612,8 @@ mktempdir() {
read_file() # $1 = file name, $2 = nest count
{
local first rest
local first
local rest
if [ -f $1 ]; then
while read first rest; do
@ -1562,7 +1661,8 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
#
strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
{
local f=$(find_file $1)
local f
f=$(find_file $1)
strip_file $1 $f
@ -1609,7 +1709,8 @@ verify_mark() # $1 = value to test
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
local val
val="$2"
if [ -z "$val" ]; then
echo "Yes"
@ -1632,7 +1733,8 @@ added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
local val
val="$2"
if [ -z "$val" ]; then
echo ""


@ -289,15 +289,18 @@ get_config() {
# Run the appropriate compiler
#
compiler() {
local sc=${SHELLSHAREDIR}/compiler
local pc=${PERLSHAREDIR}/compiler.pl
local sc
sc=${SHELLSHAREDIR}/compiler
local pc
pc=${PERLSHAREDIR}/compiler.pl
startup_error() {
echo " ERROR: $@" >&2
exit 1
}
local command=$1
local command
command=$1
shift
@ -413,10 +416,12 @@ compiler() {
# Start Command Executor
#
start_command() {
local finished=0
local finished
finished=0
do_it() {
local rc=0
local rc
rc=0
progress_message3 "Compiling..."
@ -546,7 +551,8 @@ start_command() {
# Compile Command Executor
#
compile_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 ]; do
[ $# -eq 0 ] && usage 1
@ -636,7 +642,8 @@ compile_command() {
# Check Command Executor
#
check_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -714,7 +721,10 @@ check_command() {
# Restart Command Executor
#
restart_command() {
local finished=0 rc=0
local finished
finished=0
local rc
rc=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -801,7 +811,8 @@ restart_command() {
# Refresh Command Executor
#
refresh_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -868,7 +879,8 @@ refresh_command() {
# Safe-start/safe-restart Command Executor
#
safe_commands() {
local finished=0
local finished
finished=0
# test is the shell supports timed read
read -t 0 junk 2> /dev/null
@ -1006,7 +1018,10 @@ safe_commands() {
# 'try' Command Executor
#
try_command() {
local finished=0 timeout=
local finished
finished=0
local timeout
timeout=
handle_directory() {
[ -n "$SHOREWALL_DIR" ] && usage 2
@ -1151,7 +1166,25 @@ rcp_command() {
#
reload_command() # $* = original arguments less the command.
{
local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
local verbose
verbose=$(make_verbose)
local file
file=
local capabilities
capabilities=
local finished
finished=0
local saveit
saveit=
local result
local directory
local system
local getcaps
getcaps=
local root
root=root
local compiler
compiler=
LITEDIR=/var/lib/shorewall-lite
@ -1266,7 +1299,8 @@ reload_command() # $* = original arguments less the command.
#
export_command() # $* = original arguments less the command.
{
local verbose=$(make_verbose) file= finished=0 directory target compiler=
local verbose
verbose=$(make_verbose) file= finished=0 directory target compiler=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -1499,7 +1533,10 @@ while [ $finished -eq 0 ]; do
done
version_command() {
local finished=0 all=
local finished
finished=0
local all
all=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
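Review bot: export_command is broken by the partial split: after `local verbose`, the line `verbose=$(make_verbose) file= finished=0 directory target compiler=` is parsed as a command named `directory` with arguments `target` and `compiler=`, and `verbose`, `file` and `finished` become environment assignments scoped to that (non-existent) command. None of them is set in the function, so the following `while [ $finished -eq 0 -a $# -gt 0 ]` runs with an empty `$finished` and `test` reports a unary-operator error, and `directory`, `target` and `compiler` lose their `local` declarations. The declarations should be written out one per line exactly as reload_command does just above; the rest of the function lies outside the hunk.
```shell
export_command() # $* = original arguments less the command.
{
    local verbose
    verbose=$(make_verbose)
    local file
    file=
    local finished
    finished=0
    local directory
    local target
    local compiler
    compiler=
    # … unchanged: option loop …
```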


@ -38,7 +38,8 @@ expand_line() {
read_file() # $1 = file name, $2 = nest count
{
local first rest
local first
local rest
if [ -f $1 ]; then
while read first rest; do
@ -61,7 +62,8 @@ read_file() # $1 = file name, $2 = nest count
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
echo $*
IFS=$ifs
@ -72,7 +74,9 @@ split() {
#
find_file()
{
local saveifs= directory
local saveifs
saveifs=
local directory
case $1 in
/*)


@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
{
if [ -n "$2" ]; then
local file=$(basename $1)
local file
file=$(basename $1)
if [ -f $2/$file ]; then
if mv -f $2/$file $1 ; then


@ -35,7 +35,8 @@ usage() # $1 = exit status
}
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*


@ -178,10 +178,12 @@ verify_firewall_script() {
# Start Command Executor
#
start_command() {
local finished=0
local finished
finished=0
do_it() {
local rc=0
local rc
rc=0
[ -n "$nolock" ] || mutex_on
if [ -x ${LITEDIR}/firewall ]; then
@ -286,7 +288,10 @@ start_command() {
# Restart Command Executor
#
restart_command() {
local finished=0 rc=0
local finished
finished=0
local rc
rc=0
verify_firewall_script


@ -35,7 +35,8 @@ usage() # $1 = exit status
}
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*


@ -35,7 +35,8 @@ error_message() # $* = Error Message
#
progress_message() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -gt 1 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -50,7 +51,8 @@ progress_message() # $* = Message
progress_message2() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -gt 0 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -65,7 +67,8 @@ progress_message2() # $* = Message
progress_message3() # $* = Message
{
local timestamp=
local timestamp
timestamp=
if [ $VERBOSE -ge 0 ]; then
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -82,7 +85,8 @@ progress_message3() # $* = Message
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
echo $*
IFS=$ifs
@ -94,7 +98,8 @@ split() {
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift
@ -143,7 +148,8 @@ my_pathname() {
#
run_user_exit() # $1 = file name
{
local user_exit=$(find_file $1)
local user_exit
user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@ -199,7 +205,8 @@ deleteallchains() {
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulename
modulename=$1
local modulefile
local suffix
@ -231,10 +238,13 @@ loadmodule() # $1 = module name, $2 - * arguments
#
reload_kernel_modules() {
local save_modules_dir=$MODULESDIR
local save_modules_dir
save_modules_dir=$MODULESDIR
local directory
local moduledirectories=
local moduleloader=modprobe
local moduledirectories
moduledirectories=
local moduleloader
moduleloader=modprobe
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -261,11 +271,15 @@ reload_kernel_modules() {
#
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
{
local save_modules_dir=$MODULESDIR
local save_modules_dir
save_modules_dir=$MODULESDIR
local directory
local moduledirectories=
local moduleloader=modprobe
local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
local moduledirectories
moduledirectories=
local moduleloader
moduleloader=modprobe
local savemoduleinfo
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -313,8 +327,10 @@ LEFTSHIFT='<<'
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
local temp
temp=0
local ifs
ifs=$IFS
IFS=.
@ -333,7 +349,8 @@ decodeaddr() {
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
local y
y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
@ -347,7 +364,8 @@ encodeaddr() {
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
local vlsm
vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
@ -356,8 +374,10 @@ ip_netmask() {
# Network address from CIDR
#
ip_network() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local decodedaddr
decodedaddr=$(decodeaddr ${1%/*})
local netmask
netmask=$(ip_netmask $1)
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
@ -367,7 +387,8 @@ ip_network() {
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
ip_broadcast() {
local x=$(( 32 - ${1#*/} ))
local x
x=$(( 32 - ${1#*/} ))
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
@ -376,9 +397,12 @@ ip_broadcast() {
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
local decodedaddr
decodedaddr=$(decodeaddr ${1%/*})
local netmask
netmask=$(ip_netmask $1)
local broadcast
broadcast=$(ip_broadcast $1)
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
@ -388,7 +412,8 @@ broadcastaddress() {
#
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=$(ip_netmask $2)
local netmask
netmask=$(ip_netmask $2)
#
# Use string comparison to work around a broken BusyBox ash in OpenWRT
#
@ -493,8 +518,10 @@ find_default_interface() {
#
find_interface_by_address() {
local dev="$(find_rt_interface $1)"
local first rest
local dev
dev="$(find_rt_interface $1)"
local first
local rest
[ -z "$dev" ] && dev=$(find_default_interface)
@ -506,7 +533,12 @@ find_interface_by_address() {
#
find_interface_by_mac() {
local mac=$1 first second rest dev
local mac
mac=$1
local first
local second
local rest
local dev
ip link list | while read first second rest; do
case $first in
@ -611,7 +643,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
get_interface_bcasts() # $1 = interface
{
local addresses=
local addresses
addresses=
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
@ -637,7 +670,9 @@ mywhich() {
#
find_file()
{
local saveifs= directory
local saveifs
saveifs=
directory
case $1 in
/*)
@ -691,7 +726,16 @@ del_ip_addr() # $1 = address, $2 = interface
#
add_ip_aliases() # $* = List of addresses
{
local addresses external interface inet cidr rest val arping=$(mywhich arping)
local local
local addresses
local external
local interface
local inet
local cidr
local rest
local val
local arping
arping=$(mywhich arping)
address_details()
{
@ -748,7 +792,8 @@ add_ip_aliases() # $* = List of addresses
detect_gateway() # $1 = interface
{
local interface=$1
local interface
interface=$1
#
# First assume that this is some sort of point-to-point interface
#
@ -771,7 +816,8 @@ detect_gateway() # $1 = interface
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr list 2> /dev/null)"
local foo
foo="$(ip -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
@ -825,7 +871,8 @@ delete_tc1()
#
get_device_mtu() # $1 = device
{
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
@ -840,7 +887,8 @@ get_device_mtu() # $1 = device
#
get_device_mtu1() # $1 = device
{
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local output
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
@ -879,7 +927,9 @@ undo_routing() {
restore_default_route() {
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
local default_route= route
local default_route
default_route=
local route
while read route ; do
case $route in
@ -940,7 +990,8 @@ find_mac() # $1 = IP address, $2 = interface
{
qt ping -nc 1 -t 2 -I $2 $1
local result=$(arp -na | awk "/[(]$1[)].* $2$/ {print \$4}")
local result
result=$(arp -na | awk "/[(]$1[)].* $2$/ {print \$4}")
case $result in
\<*\>)
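Review bot: In this copy of find_file the old `local saveifs= directory` was split into `local saveifs`, `saveifs=` and a bare `directory` line; that last line is executed as a command named `directory`, which will normally fail with "command not found", and `directory` is no longer declared local, so it should read `local directory` (the lib.config copy in this commit has the correct form). Separately, add_ip_aliases now opens with `local local`, which declares a variable literally named `local`; it is harmless but is clearly a typo and should be deleted. Both functions continue outside their hunks.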


@ -133,7 +133,8 @@ indent1() {
#
append_file() # $1 = File Name
{
local user_exit=$(find_file $1)
local user_exit
user_exit=$(find_file $1)
case $user_exit in
$SHAREDIR/*)
@ -215,7 +216,8 @@ run_tc() {
#
finish_chain_section() # $1 = canonical chain $2 = state list
{
local policy policychain
local policy
local policychain
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@ -246,7 +248,9 @@ finish_chain_section() # $1 = canonical chain $2 = state list
finish_section() # $1 = Section(s)
{
local zone zone1 chain
local zone
local zone1
local chain
for zone in $ZONES $FW; do
for zone1 in $ZONES $FW; do
@ -268,7 +272,8 @@ finish_section() # $1 = Section(s)
#
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
{
local c=$(chain_base $1)
local c
c=$(chain_base $1)
run_iptables -N $1
@ -291,7 +296,8 @@ createchain() # $1 = chain name, $2 = If "yes", do section-end processing
#
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=$(chain_base $1)
local c
c=$(chain_base $1)
ensurechain $1
@ -318,7 +324,8 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
#
havechain() # $1 = name of chain
{
local c=$(chain_base $1)
local c
c=$(chain_base $1)
eval test \"\$exists_${c}\" = Yes
}
@ -724,16 +731,25 @@ disable_critical_hosts()
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
local level=$1
local chain=$2
local displayChain=$3
local disposition=$4
local rulenum=
local limit=
local tag=$6
local command=${7:--A}
local level
level=$1
local chain
chain=$2
local displayChain
displayChain=$3
local disposition
disposition=$4
local rulenum
rulenum=
local limit
limit=
local tag
tag=$6
local command
command=${7:--A}
local prefix
local base=$(chain_base $displayChain)
local base
base=$(chain_base $displayChain)
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@ -744,9 +760,12 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
local level
level=$1
local chain
chain=$2
local disposition
disposition=$3
shift 3
@ -761,9 +780,12 @@ setup_syn_flood_chain ()
# $2 = synparams
# $3 = loglevel
{
local chain=@$1
local limit=$2
local limit_burst=
local chain
chain=@$1
local limit
limit=$2
local limit_burst
limit_burst=
case $limit in
*:*)
@ -842,8 +864,10 @@ __EOF__
#
setup_ecn() # $1 = file name
{
local interfaces=""
local hosts=
local interfaces
interfaces=""
local hosts
hosts=
local h
if [ -s ${TMP_DIR}/ecn ]; then
@ -891,7 +915,8 @@ setup_ecn() # $1 = file name
#
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{
local c=excl_${EXCLUSION_SEQ} net
local c
c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
@ -921,7 +946,10 @@ build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3
# Setup queuing and classes
#
setup_tc1() {
local mark_part= comment=
local mark_part
mark_part=
local comment
comment=
#
# Create the TC mangle chains
#
@ -1030,7 +1058,8 @@ __EOF__
#
refresh_tc() {
local comment=
local comment
comment=
if [ -n "$CLEAR_TC" ]; then
delete_tc
@ -1094,9 +1123,12 @@ __EOF__
#
compile_refresh_firewall()
{
local INDENT=""
local DOING="Compiling Refresh of"
local DONE="Compiled"
local INDENT
INDENT=""
local DOING
DOING="Compiling Refresh of"
local DONE
DONE="Compiled"
local indent
save_command "refresh_firewall()"
@ -1147,7 +1179,8 @@ compile_refresh_firewall()
process_action_file() # $1 = File Name
{
if ! list_search $1 $BUILTIN_ACTIONS; then
local user_exit=$(find_file $1)
local user_exit
user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@ -1178,7 +1211,12 @@ process_action_file() # $1 = File Name
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{
local actchain= action=$1 level=$2
local actchain
actchain=
local action
action=$1
local level
level=$2
eval actchain=\${${action}_actchain}
@ -1264,7 +1302,14 @@ createactionchain() # $1 = Action, including log level and tag if any
#
find_logactionchain() # $1 = Action, including log level and tag if any
{
local fullaction=$1 action=${1%%:*} level= chains=
local fullaction
fullaction=$1
local action
action=${1%%:*}
local level
level=
local chains
chains=
find_simpleaction() {
havechain $action || fatal_error "Fatal error in find_logactionchain"
@ -1307,7 +1352,10 @@ find_logactionchain() # $1 = Action, including log level and tag if any
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
local superior=$1 subordinate=$2
local superior
superior=$1
local subordinate
subordinate=$2
set -- $(split $1)
@ -1384,7 +1432,9 @@ define_builtin_actions() {
#
map_old_action() # $1 = Potential Old Action
{
local macro= aktion
local macro
macro=
local aktion
if [ -n "$MAPOLDACTIONS" ]; then
case $1 in
@ -1437,7 +1487,8 @@ map_old_action() # $1 = Potential Old Action
#
substitute_action() # $1 = parameter, $2 = action
{
local logpart=${2#*:}
local logpart
logpart=${2#*:}
case $2 in
*:*)
@ -1635,7 +1686,8 @@ __EOF__
# policy = Applicable Policy
#
add_a_rule() {
local natrule=
local natrule
natrule=
do_ports() {
if [ -n "$port" ]; then
@ -2123,19 +2175,32 @@ process_rule() # $1 = target
# $9 = userspec
# $10= mark
{
local target="$1"
local clients="$2"
local servers="$3"
local protocol="$4"
local ports="$5"
local cports="$6"
local address="$7"
local ratelimit="$8"
local userspec="$9"
local mark="${10}"
local userandgroup=
local logtag=
local nonat=
local target
target="$1"
local clients
clients="$2"
local servers
servers="$3"
local protocol
protocol="$4"
local ports
ports="$5"
local cports
cports="$6"
local address
address="$7"
local ratelimit
ratelimit="$8"
local userspec
userspec="$9"
local mark
mark="${10}"
local userandgroup
userandgroup=
local logtag
logtag=
local nonat
nonat=
# # # # # F u n c t i o n B o d y # # # # #
@ -2488,17 +2553,28 @@ process_macro() # $1 = target
# $9 = userspec
# $10= mark
{
local itarget="$1"
local param="$2"
local iclients="$3"
local iservers="$4"
local iprotocol="$5"
local iports="$6"
local icports="$7"
local iaddress="$8"
local iratelimit="$9"
local iuserspec="${10}"
local imark="${11}"
local itarget
itarget="$1"
local param
param="$2"
local iclients
iclients="$3"
local iservers
iservers="$4"
local iprotocol
iprotocol="$5"
local iports
iports="$6"
local icports
icports="$7"
local iaddress
iaddress="$8"
local iratelimit
iratelimit="$9"
local iuserspec
iuserspec="${10}"
local imark
imark="${11}"
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
@ -2583,13 +2659,19 @@ process_macro() # $1 = target
#
process_rules()
{
local comment= optimize
local comment
comment=
local optimize
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
{
local yclients yservers ysourcezone ydestzone ypolicy
local yclients
local yservers
local ysourcezone
local ydestzone
local ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
@ -2622,7 +2704,8 @@ process_rules()
do_it() # $1 = "Yes" if the target is a macro.
{
local intrazone=
local intrazone
intrazone=
if [ -z "$SECTIONS" ]; then
finish_section ESTABLISHED,RELATED
@ -2802,17 +2885,35 @@ process_rules()
#
process_default_macro() # $1 = macro name
{
local macro=$1
local address=
local multioption=
local servport=
local chain=$1
local logchain=$1
local userandgroup=
local logtag=
local excludesource=
local target client server protocol port cport ratelimit userspec rule
local f=$(find_file macro.${macro})
local macro
macro=$1
local address
address=
local multioption
multioption=
local servport
servport=
local chain
chain=$1
local logchain
logchain=$1
local userandgroup
userandgroup=
local logtag
logtag=
local excludesource
excludesource=
local target
local client
local server
local protocol
local port
local cport
local ratelimit
local userspec
local rule
local f
f=$(find_file macro.${macro})
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@ -3070,7 +3171,10 @@ process_tos_rule() {
#
process_tos() # $1 = name of tos file
{
local chain=pretos stdchain=PREROUTING
local chain
chain=pretos
local stdchain
stdchain=PREROUTING
if [ -n "$MANGLE_FORWARD" ]; then
chain=fortos
@ -3101,8 +3205,10 @@ policy_rules() # $1 = chain to add rules to
# $3 = loglevel
# $4 = Default Action/Macro
{
local target="$2"
local default="$4"
local target
target="$2"
local default
default="$4"
if [ -n "$default" ]; then
[ "$default" = none ] || run_iptables -A $1 -j $default
@ -3139,9 +3245,12 @@ policy_rules() # $1 = chain to add rules to
#
default_policy() # $1 = client $2 = server
{
local chain="${1}2${2}"
local policy=
local loglevel=
local chain
chain="${1}2${2}"
local policy
policy=
local loglevel
loglevel=
local chain1
jump_to_policy_chain() {
@ -3243,10 +3352,14 @@ default_policy() # $1 = client $2 = server
#
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
{
local policy=
local loglevel=
local policychain=
local default=
local policy
policy=
local loglevel
loglevel=
local policychain
policychain=
local default
default=
run_user_exit $1
@ -3275,7 +3388,8 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
#
rules_chain() # $1 = source zone, $2 = destination zone
{
local chain=${1}2${2} local policy
local chain
chain=${1}2${2} local policy
havechain $chain && { echo $chain; return; }
@ -3384,8 +3498,10 @@ process_blacklist_rec() {
process_blacklist()
{
local disposition=$BLACKLIST_DISPOSITION
local f=$(find_file blacklist)
local disposition
disposition=$BLACKLIST_DISPOSITION
local f
f=$(find_file blacklist)
local target
if [ -s $TMP_DIR/blacklist ]; then
@ -3419,8 +3535,10 @@ __EOF__
# Setup the Black List
#
setup_blacklist() {
local hosts="$(find_hosts_by_option blacklist)"
local ipsec policy
local hosts
hosts="$(find_hosts_by_option blacklist)"
local ipsec
local policy
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
progress_message2 "$DOING Blacklisting..."
@ -3465,8 +3583,10 @@ setup_blacklist() {
# Construct zone-independent rules
#
add_common_rules() {
local savelogparms="$LOGPARMS"
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
local savelogparms
savelogparms="$LOGPARMS"
local broadcasts
broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Populate the smurf chain
#
@ -3997,14 +4117,19 @@ apply_policy_rules() {
#
activate_rules()
{
local PREROUTING_rule=1
local POSTROUTING_rule=1
local PREROUTING_rule
PREROUTING_rule=1
local POSTROUTING_rule
POSTROUTING_rule=1
#
# Jump to a NAT chain from one of the builtin nat chains
#
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
local sourcechain=$1 destchain=$2
local sourcechain
sourcechain=$1
local destchain
destchain=$2
shift
shift
@ -4022,7 +4147,10 @@ activate_rules()
#
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
local sourcechain=$1 destchain=$2
local sourcechain
sourcechain=$1
local destchain
destchain=$2
shift
shift
@ -4050,7 +4178,15 @@ activate_rules()
#
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
local t=$1 c=$2 num=0 host1 interface1 networks1
local t
t=$1
local c
c=$2
local num
num=0
local host1
local interface1
local networks1
shift 2
@ -4066,7 +4202,13 @@ activate_rules()
#
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
local t=$1 c=$2 host1 interface1 networks1
local t
t=$1
local c
c=$2
local host1
local interface1
local networks1
shift 2
@ -4114,7 +4256,8 @@ activate_rules()
eval exclusions=\"\$${zone}_exclusions\"
if [ -n "$exclusions" ]; then
local num=1
local num
num=1
in_chain=${zone}_input
out_chain=${zone}_output
createchain $in_chain No
@ -4562,8 +4705,10 @@ activate_rules()
# from that script are available here
#
compile_stop_firewall() {
local IPTABLES_COMMAND="\$IPTABLES"
local INDENT=" "
local IPTABLES_COMMAND
IPTABLES_COMMAND="\$IPTABLES"
local INDENT
INDENT=" "
cat >&3 << __EOF__
@ -4907,10 +5052,18 @@ mycat()
#
compile_firewall() # $1 = File Name
{
local IPTABLES_COMMAND=run_iptables
local INDENT=""
local checking= outfile=$1 dir=
local match=
local IPTABLES_COMMAND
IPTABLES_COMMAND=run_iptables
local INDENT
INDENT=""
local checking
checking=
local outfile
outfile=$1
local dir
dir=
local match
match=
setup_mss()
{
@ -5158,7 +5311,8 @@ __EOF__
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
fi
local version=\$(cat \${SHAREDIR}/version)
local version
version=\$(cat \${SHAREDIR}/version)
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@ -5298,7 +5452,8 @@ __EOF__
# Start/Restart/Reload the firewall
#
define_firewall() {
local restore_file=\$1
local restore_file
restore_file=\$1
__EOF__
INDENT=" "
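Review bot: In build_exclusion_chain the split of `local c=excl_${EXCLUSION_SEQ} net` left `net` trailing on the assignment line, so `c=excl_${EXCLUSION_SEQ} net` now tries to run a command named `net` with `c` set only in that command's environment, and `c` is never assigned in the function; it should read `local c` / `local net` / `c=excl_${EXCLUSION_SEQ}`. rules_chain has the same mis-split: `chain=${1}2${2} local policy` runs the `local policy` builtin with a temporary `chain`, so `$chain` is empty for the `havechain $chain` call that follows; it should be `local chain` / `local policy` / `chain=${1}2${2}`. The preceding file's add_ip_aliases likewise gained a `local local` line from the same compound declaration, which should simply be dropped. The Debian patch copy of compiler in the next section carries both of the compiler lines verbatim and needs the same correction.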


@ -1,6 +1,14 @@
--- /home/teastep/shorewall/branches/3.4/Shorewall/compiler 2007-07-04 08:07:46.000000000 -0700
+++ compiler 2007-07-08 07:18:45.000000000 -0700
@@ -35,6 +35,12 @@
--- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400
+++ compiler 2008-03-09 16:00:16.000000000 -0400
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -35,6 +35,11 @@
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control.
@ -8,12 +16,72 @@
+BASE_VERSION_PRINTABLE=4.0.0
+CONFIG_VERSION=40000
+CONFIG_VERSION_PRINTABLE=4.0.0
+
+
#
# Fatal error -- stops the compiler after issuing the error message
#
@@ -673,11 +679,11 @@
@@ -128,7 +133,8 @@
#
append_file() # $1 = File Name
{
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
case $user_exit in
$SHAREDIR/*)
@@ -210,7 +216,8 @@
#
finish_chain_section() # $1 = canonical chain $2 = state list
{
- local policy policychain
+ local policy
+ local policychain
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@@ -241,7 +248,9 @@
finish_section() # $1 = Section(s)
{
- local zone zone1 chain
+ local zone
+ local zone1
+ local chain
for zone in $ZONES $FW; do
for zone1 in $ZONES $FW; do
@@ -263,7 +272,8 @@
#
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
run_iptables -N $1
@@ -286,7 +296,8 @@
#
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
ensurechain $1
@@ -313,7 +324,8 @@
#
havechain() # $1 = name of chain
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
eval test \"\$exists_${c}\" = Yes
}
@@ -675,11 +687,11 @@
progress_message2 "Compiling IP Forwarding..."
case "$IP_FORWARDING" in
@ -27,7 +95,504 @@
save_progress_message "IP Forwarding Disabled!"
save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
;;
@@ -3767,7 +3773,7 @@
@@ -719,16 +731,25 @@
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit=
- local tag=$6
- local command=${7:--A}
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local displayChain
+ displayChain=$3
+ local disposition
+ disposition=$4
+ local rulenum
+ rulenum=
+ local limit
+ limit=
+ local tag
+ tag=$6
+ local command
+ command=${7:--A}
local prefix
- local base=$(chain_base $displayChain)
+ local base
+ base=$(chain_base $displayChain)
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@@ -739,9 +760,12 @@
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local disposition=$3
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local disposition
+ disposition=$3
shift 3
@@ -756,9 +780,12 @@
# $2 = synparams
# $3 = loglevel
{
- local chain=@$1
- local limit=$2
- local limit_burst=
+ local chain
+ chain=@$1
+ local limit
+ limit=$2
+ local limit_burst
+ limit_burst=
case $limit in
*:*)
@@ -837,8 +864,10 @@
#
setup_ecn() # $1 = file name
{
- local interfaces=""
- local hosts=
+ local interfaces
+ interfaces=""
+ local hosts
+ hosts=
local h
if [ -s ${TMP_DIR}/ecn ]; then
@@ -886,7 +915,8 @@
#
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{
- local c=excl_${EXCLUSION_SEQ} net
+ local c
+ c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
@@ -916,7 +946,10 @@
# Setup queuing and classes
#
setup_tc1() {
- local mark_part= comment=
+ local mark_part
+ mark_part=
+ local comment
+ comment=
#
# Create the TC mangle chains
#
@@ -1025,7 +1058,8 @@
#
refresh_tc() {
- local comment=
+ local comment
+ comment=
if [ -n "$CLEAR_TC" ]; then
delete_tc
@@ -1089,9 +1123,12 @@
#
compile_refresh_firewall()
{
- local INDENT=""
- local DOING="Compiling Refresh of"
- local DONE="Compiled"
+ local INDENT
+ INDENT=""
+ local DOING
+ DOING="Compiling Refresh of"
+ local DONE
+ DONE="Compiled"
local indent
save_command "refresh_firewall()"
@@ -1142,7 +1179,8 @@
process_action_file() # $1 = File Name
{
if ! list_search $1 $BUILTIN_ACTIONS; then
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@@ -1173,7 +1211,12 @@
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{
- local actchain= action=$1 level=$2
+ local actchain
+ actchain=
+ local action
+ action=$1
+ local level
+ level=$2
eval actchain=\${${action}_actchain}
@@ -1259,7 +1302,14 @@
#
find_logactionchain() # $1 = Action, including log level and tag if any
{
- local fullaction=$1 action=${1%%:*} level= chains=
+ local fullaction
+ fullaction=$1
+ local action
+ action=${1%%:*}
+ local level
+ level=
+ local chains
+ chains=
find_simpleaction() {
havechain $action || fatal_error "Fatal error in find_logactionchain"
@@ -1302,7 +1352,10 @@
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
- local superior=$1 subordinate=$2
+ local superior
+ superior=$1
+ local subordinate
+ subordinate=$2
set -- $(split $1)
@@ -1379,7 +1432,9 @@
#
map_old_action() # $1 = Potential Old Action
{
- local macro= aktion
+ local macro
+ macro=
+ local aktion
if [ -n "$MAPOLDACTIONS" ]; then
case $1 in
@@ -1432,7 +1487,8 @@
#
substitute_action() # $1 = parameter, $2 = action
{
- local logpart=${2#*:}
+ local logpart
+ logpart=${2#*:}
case $2 in
*:*)
@@ -1630,7 +1686,8 @@
# policy = Applicable Policy
#
add_a_rule() {
- local natrule=
+ local natrule
+ natrule=
do_ports() {
if [ -n "$port" ]; then
@@ -2118,19 +2175,32 @@
# $9 = userspec
# $10= mark
{
- local target="$1"
- local clients="$2"
- local servers="$3"
- local protocol="$4"
- local ports="$5"
- local cports="$6"
- local address="$7"
- local ratelimit="$8"
- local userspec="$9"
- local mark="${10}"
- local userandgroup=
- local logtag=
- local nonat=
+ local target
+ target="$1"
+ local clients
+ clients="$2"
+ local servers
+ servers="$3"
+ local protocol
+ protocol="$4"
+ local ports
+ ports="$5"
+ local cports
+ cports="$6"
+ local address
+ address="$7"
+ local ratelimit
+ ratelimit="$8"
+ local userspec
+ userspec="$9"
+ local mark
+ mark="${10}"
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local nonat
+ nonat=
# # # # # F u n c t i o n B o d y # # # # #
@@ -2483,21 +2553,35 @@
# $9 = userspec
# $10= mark
{
- local itarget="$1"
- local param="$2"
- local iclients="$3"
- local iservers="$4"
- local iprotocol="$5"
- local iports="$6"
- local icports="$7"
- local iaddress="$8"
- local iratelimit="$9"
- local iuserspec="${10}"
- local imark="${11}"
+ local itarget
+ itarget="$1"
+ local param
+ param="$2"
+ local iclients
+ iclients="$3"
+ local iservers
+ iservers="$4"
+ local iprotocol
+ iprotocol="$5"
+ local iports
+ iports="$6"
+ local icports
+ icports="$7"
+ local iaddress
+ iaddress="$8"
+ local iratelimit
+ iratelimit="$9"
+ local iuserspec
+ iuserspec="${10}"
+ local imark
+ imark="${11}"
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+
+ [ $mtarget = COMMENT ] && continue
+
mtarget=$(merge_levels $itarget $mtarget)
case $mtarget in
@@ -2575,13 +2659,19 @@
#
process_rules()
{
- local comment= optimize
+ local comment
+ comment=
+ local optimize
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
{
- local yclients yservers ysourcezone ydestzone ypolicy
+ local yclients
+ local yservers
+ local ysourcezone
+ local ydestzone
+ local ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
@@ -2614,7 +2704,8 @@
do_it() # $1 = "Yes" if the target is a macro.
{
- local intrazone=
+ local intrazone
+ intrazone=
if [ -z "$SECTIONS" ]; then
finish_section ESTABLISHED,RELATED
@@ -2794,17 +2885,35 @@
#
process_default_macro() # $1 = macro name
{
- local macro=$1
- local address=
- local multioption=
- local servport=
- local chain=$1
- local logchain=$1
- local userandgroup=
- local logtag=
- local excludesource=
- local target client server protocol port cport ratelimit userspec rule
- local f=$(find_file macro.${macro})
+ local macro
+ macro=$1
+ local address
+ address=
+ local multioption
+ multioption=
+ local servport
+ servport=
+ local chain
+ chain=$1
+ local logchain
+ logchain=$1
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local excludesource
+ excludesource=
+ local target
+ local client
+ local server
+ local protocol
+ local port
+ local cport
+ local ratelimit
+ local userspec
+ local rule
+ local f
+ f=$(find_file macro.${macro})
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@@ -3062,7 +3171,10 @@
#
process_tos() # $1 = name of tos file
{
- local chain=pretos stdchain=PREROUTING
+ local chain
+ chain=pretos
+ local stdchain
+ stdchain=PREROUTING
if [ -n "$MANGLE_FORWARD" ]; then
chain=fortos
@@ -3093,8 +3205,10 @@
# $3 = loglevel
# $4 = Default Action/Macro
{
- local target="$2"
- local default="$4"
+ local target
+ target="$2"
+ local default
+ default="$4"
if [ -n "$default" ]; then
[ "$default" = none ] || run_iptables -A $1 -j $default
@@ -3131,9 +3245,12 @@
#
default_policy() # $1 = client $2 = server
{
- local chain="${1}2${2}"
- local policy=
- local loglevel=
+ local chain
+ chain="${1}2${2}"
+ local policy
+ policy=
+ local loglevel
+ loglevel=
local chain1
jump_to_policy_chain() {
@@ -3235,14 +3352,18 @@
#
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
{
- local policy=
- local loglevel=
- local policychain=
- local default=
+ local policy
+ policy=
+ local loglevel
+ loglevel=
+ local policychain
+ policychain=
+ local default
+ default=
run_user_exit $1
- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
eval policychain=\$${2}2${3}_policychain
@@ -3267,7 +3388,8 @@
#
rules_chain() # $1 = source zone, $2 = destination zone
{
- local chain=${1}2${2} local policy
+ local chain
+ chain=${1}2${2} local policy
havechain $chain && { echo $chain; return; }
@@ -3376,8 +3498,10 @@
process_blacklist()
{
- local disposition=$BLACKLIST_DISPOSITION
- local f=$(find_file blacklist)
+ local disposition
+ disposition=$BLACKLIST_DISPOSITION
+ local f
+ f=$(find_file blacklist)
local target
if [ -s $TMP_DIR/blacklist ]; then
@@ -3411,8 +3535,10 @@
# Setup the Black List
#
setup_blacklist() {
- local hosts="$(find_hosts_by_option blacklist)"
- local ipsec policy
+ local hosts
+ hosts="$(find_hosts_by_option blacklist)"
+ local ipsec
+ local policy
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
progress_message2 "$DOING Blacklisting..."
@@ -3457,8 +3583,10 @@
# Construct zone-independent rules
#
add_common_rules() {
- local savelogparms="$LOGPARMS"
- local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+ local savelogparms
+ savelogparms="$LOGPARMS"
+ local broadcasts
+ broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Populate the smurf chain
#
@@ -3788,7 +3916,7 @@
save_progress_message "Setting up Route Filtering..."
@ -36,7 +601,7 @@
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3791,8 +3797,10 @@
@@ -3812,8 +3940,10 @@
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
@ -48,7 +613,7 @@
fi
save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
@@ -3808,7 +3816,7 @@
@@ -3829,7 +3959,7 @@
save_progress_message "Setting up Martian Logging..."
@ -57,7 +622,7 @@
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3831,9 +3839,12 @@
@@ -3852,9 +3982,12 @@
__EOF__
done
@ -71,16 +636,120 @@
fi
fi
@@ -4890,7 +4901,7 @@
;;
esac
@@ -3984,14 +4117,19 @@
#
activate_rules()
{
- local PREROUTING_rule=1
- local POSTROUTING_rule=1
+ local PREROUTING_rule
+ PREROUTING_rule=1
+ local POSTROUTING_rule
+ POSTROUTING_rule=1
#
# Jump to a NAT chain from one of the builtin nat chains
#
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
- run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option
+ run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
}
@@ -4009,7 +4147,10 @@
#
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
progress_message2 "Initializing..."
@@ -4930,7 +4941,7 @@
@@ -4037,7 +4178,15 @@
#
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 num=0 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local num
+ num=0
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4053,7 +4202,13 @@
#
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4101,7 +4256,8 @@
eval exclusions=\"\$${zone}_exclusions\"
if [ -n "$exclusions" ]; then
- local num=1
+ local num
+ num=1
in_chain=${zone}_input
out_chain=${zone}_output
createchain $in_chain No
@@ -4549,8 +4705,10 @@
# from that script are available here
#
compile_stop_firewall() {
- local IPTABLES_COMMAND="\$IPTABLES"
- local INDENT=" "
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND="\$IPTABLES"
+ local INDENT
+ INDENT=" "
cat >&3 << __EOF__
@@ -4894,10 +5052,18 @@
#
compile_firewall() # $1 = File Name
{
- local IPTABLES_COMMAND=run_iptables
- local INDENT=""
- local checking= outfile=$1 dir=
- local match=
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND=run_iptables
+ local INDENT
+ INDENT=""
+ local checking
+ checking=
+ local outfile
+ outfile=$1
+ local dir
+ dir=
+ local match
+ match=
setup_mss()
{
@@ -4951,7 +5117,7 @@
cat >&3 << __EOF__
#
@ -89,7 +758,71 @@
#
__EOF__
@@ -5732,6 +5743,11 @@
@@ -4959,7 +5125,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall-lite
CONFDIR=/etc/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
__EOF__
@@ -4976,7 +5145,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
-VARDIR=/var/lib/shorewall
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall}" ]
. \${SHAREDIR}/lib.base
__EOF__
@@ -5139,7 +5311,8 @@
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
fi
- local version=\$(cat \${SHAREDIR}/version)
+ local version
+ version=\$(cat \${SHAREDIR}/version)
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@@ -5178,6 +5351,7 @@
LOCKFILE="$LOCKFILE"
PATH="$PATH"
TERMINATOR=fatal_error
+ DONT_LOAD="$DONT_LOAD"
__EOF__
if [ -n "$IPTABLES" ]; then
@@ -5278,7 +5452,8 @@
# Start/Restart/Reload the firewall
#
define_firewall() {
- local restore_file=\$1
+ local restore_file
+ restore_file=\$1
__EOF__
INDENT=" "
@@ -5727,9 +5902,9 @@
# E X E C U T I O N B E G I N S H E R E
#
#
-# Start trace if first arg is "debug"
+# Start trace if first arg is "debug" or "trace"
#
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
@@ -5754,6 +5929,11 @@
fi
done


@ -1,11 +1,22 @@
--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels 2007-03-22 15:27:26.000000000 -0700
+++ lib.tunnels 2007-07-03 07:57:16.000000000 -0700
@@ -37,19 +37,28 @@
--- ../../3.4/Shorewall/lib.tunnels 2007-10-26 19:10:45.000000000 -0400
+++ lib.tunnels 2008-03-09 15:55:46.000000000 -0400
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
+# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -37,19 +37,31 @@
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
- local kind=$1 noah=
+ local kind=$1 noah=noah
+ local kind
+ kind=$1
+ local noah
+ noah=noah
case $kind in
*:*)
@ -32,3 +43,52 @@
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
@@ -125,8 +137,10 @@
setup_one_openvpn() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -150,8 +164,10 @@
setup_one_openvpn_server() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -175,8 +191,10 @@
setup_one_openvpn_client() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -201,7 +219,8 @@
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
- local p=
+ local p
+ p=
case $1 in
*:*:*)


@ -35,7 +35,8 @@ usage() # $1 = exit status
}
split() {
local ifs=$IFS
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*


@ -252,19 +252,32 @@ process_action() # $1 = chain (Chain to add the rules to)
# $10 = userspec
# $11 = mark
{
local chain="$1"
local action="$2"
local target="$3"
local clients="$4"
local servers="$5"
local protocol="$6"
local ports="$7"
local cports="$8"
local ratelimit="$9"
local userspec="${10}"
local mark="${11}"
local userandgroup=
local logtag=
local chain
chain="$1"
local action
action="$2"
local target
target="$3"
local clients
clients="$4"
local servers
servers="$5"
local protocol
protocol="$6"
local ports
ports="$7"
local cports
cports="$8"
local ratelimit
ratelimit="$9"
local userspec
userspec="${10}"
local mark
mark="${11}"
local userandgroup
userandgroup=
local logtag
logtag=
if [ -n "$ratelimit" ]; then
case $ratelimit in
@ -483,7 +496,10 @@ process_action() # $1 = chain (Chain to add the rules to)
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
local superior=$1 subordinate=$2
local superior
superior=$1
local subordinate
subordinate=$2
set -- $(split $1)
@ -690,7 +706,8 @@ process_actions1() {
process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
local interfaces
interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
@ -735,7 +752,10 @@ process_actions2() {
process_action3() {
local f=action.$xaction1 comment=
local f
f=action.$xaction1
local comment
comment=
progress_message2 "$DOING $(find_file $f) for Chain $xchain..."


@ -40,7 +40,8 @@ setup_mac_lists() # $1 = Phase Number
local blob
local hosts
local ipsec
local policy=
local policy
policy=
create_mac_chain()
{


@ -31,10 +31,13 @@
#
setup_masq()
{
local comment=
local comment
comment=
do_ipsec_options() {
local options="$(separate_list $ipsec)" option
local options
options="$(separate_list $ipsec)"
local option
[ -n "$ORIGINAL_POLICY_MATCH" ] || \
fatal_error "IPSEC options require policy match support in your kernel and iptables"
policy="-m policy --pol ipsec --dir out"
@ -62,7 +65,14 @@ setup_masq()
}
setup_one() {
local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets=
local add_snat_aliases
add_snat_aliases=$ADD_SNAT_ALIASES
local pre_nat
pre_nat=
local policy
policy=
local destnets
destnets=
[ "x$ipsec" = x- ] && ipsec=
@ -475,7 +485,22 @@ __EOF__
# Setup Static Network Address Translation (NAT)
#
setup_nat() {
local external= interface= internal= allints= localnat= policyin= policyout= comment=
local external
external=
local interface
interface=
local internal
internal=
local allints
allints=
local localnat
localnat=
local policyin
policyin=
local policyout
policyout=
local comment
comment=
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
{
@ -493,7 +518,10 @@ setup_nat() {
}
do_one_nat() {
local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
local add_ip_aliases
add_ip_aliases=$ADD_IP_ALIASES
local iface
iface=${interface%:*}
if [ -n "$add_ip_aliases" ]; then
case $interface in
@ -613,7 +641,8 @@ setup_netmap() {
#
add_nat_rule() {
local chain
local excludedests=
local excludedests
excludedests=
# Be sure we can NAT


@ -30,7 +30,30 @@
#
setup_providers()
{
local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase balance save_indent="$INDENT" mask= first=Yes save_indent1=
local table
local number
local mark
local duplicate
local interface
local gateway
local options
local provider
local address
local copy
local route
local loose
local addresses
local rulenum
local rulebase
local balance
local save_indent
save_indent="$INDENT"
local mask
mask=
local first
first=Yes
local save_indent1
save_indent1=
copy_table() {
indent >&3 << __EOF__
@ -88,7 +111,12 @@ __EOF__
}
add_a_provider() {
local t n iface option optional=
local t
local n
local iface
local option
local optional
optional=
[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
@ -269,7 +297,8 @@ __EOF__
verify_provider()
{
local p n
local p
local n
for p in $PROVIDERS main; do
[ "$p" = "$1" ] && return 0
@ -434,7 +463,10 @@ __EOF__
#
setup_route_marking()
{
local mask=0xFF save_indent="$INDENT"
local mask
mask=0xFF
local save_indent
save_indent="$INDENT"
[ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00


@ -30,7 +30,10 @@
#
setup_proxy_arp() {
local setlist= resetlist=
local setlist
setlist=
local resetlist
resetlist=
print_error() {
error_message "Invalid value for HAVEROUTE - ($haveroute)"


@ -37,11 +37,30 @@
#
setup_traffic_shaping()
{
local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 last_device=
r2q=10 indent= prefix=1
local mtu
local r2q
local tc_all_devices
local device
local mark
local rate
local ceil
local prio
local options
local devfile
devfile=$(find_file tcdevices)
local classfile
classfile=$(find_file tcclasses)
local devnum
devnum=1
local last_device
last_device=
r2q=10
indent=
prefix=1
rate_to_kbit() {
local rateunit rate
local rateunit
local rate
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
@ -68,13 +87,16 @@ setup_traffic_shaping()
}
calculate_quantum() {
local rate=$(rate_to_kbit $1)
local rate
rate=$(rate_to_kbit $1)
echo $(( $rate * ( 128 / $r2q ) ))
}
# get given outbandwidth for device
get_outband_for_dev() {
local device inband outband
local device
local inband
local outband
while read device inband outband; do
tcdev="$device $inband $outband"
if [ "$1" = "$device" ] ; then
@ -102,7 +124,12 @@ setup_traffic_shaping()
}
get_defmark_for_dev() {
local searchdev searchmark device ceil prio options
local searchdev
local searchmark
local device
local ceil
local prio
local options
searchdev=$1
while read device mark rate ceil prio options; do
@ -122,7 +149,9 @@ setup_traffic_shaping()
validate_tcdevices_file() {
progress_message2 "Validating $devfile..."
local device inband outband
local device
local inband
local outband
while read device inband outband; do
tcdev="$device $inband $outband"
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
@ -140,7 +169,16 @@ setup_traffic_shaping()
validate_tcclasses_file() {
progress_message2 "Validating $classfile..."
local classlist device mark rate ceil prio bandw wrongopt allopts opt
local classlist
local device
local mark
local rate
local ceil
local prio
local bandw
local wrongopt
local allopts
local opt
allopts=""
while read device mark rate ceil prio options; do
tcdev="$device $mark $rate $ceil $prio $options"
@ -171,7 +209,8 @@ setup_traffic_shaping()
}
add_root_tc() {
local defmark dev
local defmark
local dev
dev=$(chain_base $device)
@ -211,7 +250,11 @@ setup_traffic_shaping()
}
add_tc_class() {
local full classid tospair tosmask quantum
local full
local classid
local tospair
local tosmask
local quantum
full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full)
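Review bot: In the setup_traffic_shaping prologue the assignments `r2q=10`, `indent=` and `prefix=1` are left as bare statements after the new one-per-line `local` list, so `indent` and `prefix` are (or remain) globals while every neighbouring name, including `r2q`, is now explicitly function-scoped. This appears unchanged from before the commit, so it may be deliberate, but a reader of the new layout will assume the missing `local` is an oversight. If they are meant to be function-scoped, add `local indent` and `local prefix` ahead of the assignments; if they must stay global for code outside this function, a one-line comment such as `# indent and prefix are intentionally global (read outside this function)` would settle it. The rest of setup_traffic_shaping and its nested helpers continue outside this section.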


@ -37,7 +37,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
local kind=$1 noah=noah
local kind
kind=$1
local noah
noah=noah
case $kind in
*:*)
@ -134,8 +137,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_openvpn() # $1 = kind[:port]
{
local protocol=udp
local p=1194
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
@ -159,8 +164,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_openvpn_server() # $1 = kind[:port]
{
local protocol=udp
local p=1194
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
@ -184,8 +191,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_openvpn_client() # $1 = kind[:port]
{
local protocol=udp
local p=1194
local protocol
protocol=udp
local p
p=1194
case $1 in
*:*:*)
@ -210,7 +219,8 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
local p=
local p
p=
case $1 in
*:*:*)


@ -247,7 +247,8 @@ compiler() {
exit 1
}
local command=$1
local command
command=$1
shift
@ -293,10 +294,12 @@ compiler() {
# Start Command Executor
#
start_command() {
local finished=0
local finished
finished=0
do_it() {
local rc=0
local rc
rc=0
progress_message3 "Compiling..."
@ -405,7 +408,8 @@ start_command() {
# Compile Command Executor
#
compile_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 ]; do
[ $# -eq 0 ] && usage 1
@ -485,7 +489,8 @@ compile_command() {
# Check Command Executor
#
check_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -557,7 +562,10 @@ check_command() {
# Restart Command Executor
#
restart_command() {
local finished=0 rc=0
local finished
finished=0
local rc
rc=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -634,7 +642,8 @@ restart_command() {
# Refresh Command Executor
#
refresh_command() {
local finished=0
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -695,7 +704,8 @@ refresh_command() {
# Safe-start/safe-restart Command Executor
#
safe_commands() {
local finished=0
local finished
finished=0
# test is the shell supports timed read
read -t 0 junk 2> /dev/null
@ -827,7 +837,10 @@ safe_commands() {
# 'try' Command Executor
#
try_command() {
local finished=0 timeout=
local finished
finished=0
local timeout
timeout=
handle_directory() {
[ -n "$SHOREWALL_DIR" ] && usage 2
@ -966,7 +979,25 @@ rcp_command() {
#
reload_command() # $* = original arguments less the command.
{
local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
local verbose
verbose=$(make_verbose)
local file
file=
local capabilities
capabilities=
local finished
finished=0
local saveit
saveit=
local result
local directory
local system
local getcaps
getcaps=
local root
root=root
local compiler
compiler=
LITEDIR=/var/lib/shorewall-lite
@ -1073,7 +1104,8 @@ reload_command() # $* = original arguments less the command.
#
export_command() # $* = original arguments less the command.
{
local verbose=$(make_verbose) file= finished=0 directory target compiler=
local verbose
verbose=$(make_verbose) file= finished=0 directory target compiler=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
@ -1272,7 +1304,10 @@ while [ $finished -eq 0 ]; do
done
version_command() {
local finished=0 all=
local finished
finished=0
local all
all=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
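Review bot: The split in export_command was applied to only the first name: the new line `verbose=$(make_verbose) file= finished=0 directory target compiler=` is now a command invocation of `directory` with arguments `target` and `compiler=`, and `verbose=... file= finished=0` are merely that command's temporary environment, so none of them is assigned in the function and `directory`, `target` and `compiler` are no longer declared local. The `while [ $finished -eq 0 -a $# -gt 0 ]` that follows then tests an unset or inherited `finished`, and the shell reports the missing `directory` command on every export. Expand it the way the reload_command hunk above does, one `local` per name. The option loop of export_command continues outside the hunk.
```shell
export_command() # $* = original arguments less the command.
{
    local verbose
    verbose=$(make_verbose)
    local file
    file=
    local finished
    finished=0
    local directory
    local target
    local compiler
    compiler=
    # ... unchanged: option parsing loop ...
```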


@ -995,7 +995,12 @@ usage() {
# Find the interface with the passed MAC address
#################################################################################
find_interface_by_mac() {
local mac=$1 first second rest dev
local mac
mac=$1
local first
local second
local rest
local dev
/sbin/ip link ls | while read first second rest; do
case $first in
@ -1014,7 +1019,9 @@ find_interface_by_mac() {
# Convert MAC addresses to interface names
################################################################################
get_interfaces() {
local interfaces= interface
local interfaces
interfaces=
local interface
for interface in $INTERFACES; do
case $interface in
@ -1097,4 +1104,4 @@ esac
</blockquote>
</section>
</section>
</article>
</article>


@ -915,7 +915,12 @@ usage() {
# Find the interface with the passed MAC address
#################################################################################
find_interface_by_mac() {
local mac=$1 first second rest dev
local mac
mac=$1
local first
local second
local rest
local dev
/sbin/ip link ls | while read first second rest; do
case $first in
@ -934,7 +939,9 @@ find_interface_by_mac() {
# Convert MAC addresses to interface names
################################################################################
get_interfaces() {
local interfaces= interface
local interfaces
interfaces=
local interface
for interface in $INTERFACES; do
case $interface in
@ -1017,4 +1024,4 @@ esac
</blockquote>
</section>
</section>
</article>
</article>


@ -142,7 +142,8 @@ fatal_error() {
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift


@ -128,7 +128,8 @@ fatal_error() {
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift


@ -61,7 +61,8 @@ NOTOC="
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift


@ -61,7 +61,8 @@ NOTOC="
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift


@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift


@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
local e
e=$1
while [ $# -gt 1 ]; do
shift