"Fix" bashisms (at least they are bashisms according to the Debian people)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b0a5c577f4
commit
bbe6dfb5fd
@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
|
||||
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
|
||||
{
|
||||
if [ -n "$2" ]; then
|
||||
local file=$(basename $1)
|
||||
local file
|
||||
file=$(basename $1)
|
||||
|
||||
if [ -f $2/$file ]; then
|
||||
if mv -f $2/$file $1 ; then
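Review bot: The split of `local file=$(basename $1)` into `local file` and `file=$(basename $1)` is applied throughout the commit without any comment saying why, so the next edit to these libraries is likely to merge the two lines again. A one-line comment at the first occurrence in each library, e.g. `# Declare and assign on separate lines: 'local x=$(cmd)' is not portable across POSIX shells and masks the exit status of cmd.`, would make the convention self-explanatory. restore_file's body continues outside the hunk.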
|
||||
|
@ -35,7 +35,8 @@ usage() # $1 = exit status
|
||||
}
|
||||
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
|
@ -56,7 +56,8 @@ error_message() # $* = Error Message
|
||||
#
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -gt 1 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -66,7 +67,8 @@ progress_message() # $* = Message
|
||||
|
||||
progress_message2() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -gt 0 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -76,7 +78,8 @@ progress_message2() # $* = Message
|
||||
|
||||
progress_message3() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -ge 0 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -88,7 +91,8 @@ progress_message3() # $* = Message
|
||||
# Split a colon-separated list into a space-separated list
|
||||
#
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
@ -100,7 +104,8 @@ split() {
|
||||
#
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
@ -115,7 +120,9 @@ list_search() # $1 = element to search for , $2-$n = list
|
||||
#
|
||||
combine_list()
|
||||
{
|
||||
local f o=
|
||||
local f
|
||||
local o
|
||||
o=
|
||||
|
||||
for f in $* ; do
|
||||
o="${o:+$o,}$f"
|
||||
@ -152,7 +159,8 @@ my_pathname() {
|
||||
#
|
||||
run_user_exit() # $1 = file name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
local user_exit
|
||||
user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
@ -208,7 +216,8 @@ deleteallchains() {
|
||||
#
|
||||
loadmodule() # $1 = module name, $2 - * arguments
|
||||
{
|
||||
local modulename=$1
|
||||
local modulename
|
||||
modulename=$1
|
||||
local modulefile
|
||||
local suffix
|
||||
|
||||
@ -240,10 +249,13 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
#
|
||||
reload_kernel_modules() {
|
||||
|
||||
local save_modules_dir=$MODULESDIR
|
||||
local save_modules_dir
|
||||
save_modules_dir=$MODULESDIR
|
||||
local directory
|
||||
local moduledirectories=
|
||||
local moduleloader=modprobe
|
||||
local moduledirectories
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -270,11 +282,15 @@ reload_kernel_modules() {
|
||||
#
|
||||
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
{
|
||||
local save_modules_dir=$MODULESDIR
|
||||
local save_modules_dir
|
||||
save_modules_dir=$MODULESDIR
|
||||
local directory
|
||||
local moduledirectories=
|
||||
local moduleloader=modprobe
|
||||
local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local moduledirectories
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -320,8 +336,10 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
#
|
||||
mutex_on()
|
||||
{
|
||||
local try=0
|
||||
local lockf=${LOCKFILE:=${VARDIR}/lock}
|
||||
local try
|
||||
try=0
|
||||
local lockf
|
||||
lockf=${LOCKFILE:=${VARDIR}/lock}
|
||||
|
||||
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
||||
|
||||
@ -360,7 +378,8 @@ mutex_off()
|
||||
#
|
||||
lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
|
||||
{
|
||||
local lib=${SHAREDIR}/lib.$1
|
||||
local lib
|
||||
lib=${SHAREDIR}/lib.$1
|
||||
local loaded
|
||||
|
||||
eval loaded=\$LIB_${1}_LOADED
|
||||
@ -398,8 +417,10 @@ LEFTSHIFT='<<'
|
||||
# Validate an IP address
|
||||
#
|
||||
valid_address() {
|
||||
local x y
|
||||
local ifs=$IFS
|
||||
local x
|
||||
local y
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
|
||||
IFS=.
|
||||
|
||||
@ -425,8 +446,10 @@ valid_address() {
|
||||
#
|
||||
decodeaddr() {
|
||||
local x
|
||||
local temp=0
|
||||
local ifs=$IFS
|
||||
local temp
|
||||
temp=0
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
|
||||
IFS=.
|
||||
|
||||
@ -445,7 +468,8 @@ decodeaddr() {
|
||||
encodeaddr() {
|
||||
addr=$1
|
||||
local x
|
||||
local y=$(($addr & 255))
|
||||
local y
|
||||
y=$(($addr & 255))
|
||||
|
||||
for x in 1 2 3 ; do
|
||||
addr=$(($addr >> 8))
|
||||
@ -478,7 +502,13 @@ EOF
|
||||
# ip_range_explicit() - explicitly enumerates the range.
|
||||
#
|
||||
ip_range() {
|
||||
local first last l x y z vlsm
|
||||
local first
|
||||
local last
|
||||
local l
|
||||
local x
|
||||
local y
|
||||
local z
|
||||
local vlsm
|
||||
|
||||
case $1 in
|
||||
!*)
|
||||
@ -524,7 +554,8 @@ ip_range() {
|
||||
}
|
||||
|
||||
ip_range_explicit() {
|
||||
local first last
|
||||
local first
|
||||
local last
|
||||
|
||||
case $1 in
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
@ -552,7 +583,8 @@ ip_range_explicit() {
|
||||
# Netmask from CIDR
|
||||
#
|
||||
ip_netmask() {
|
||||
local vlsm=${1#*/}
|
||||
local vlsm
|
||||
vlsm=${1#*/}
|
||||
|
||||
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
|
||||
}
|
||||
@ -561,8 +593,10 @@ ip_netmask() {
|
||||
# Network address from CIDR
|
||||
#
|
||||
ip_network() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local decodedaddr
|
||||
decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask
|
||||
netmask=$(ip_netmask $1)
|
||||
|
||||
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
||||
}
|
||||
@ -572,7 +606,8 @@ ip_network() {
|
||||
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
|
||||
#
|
||||
ip_broadcast() {
|
||||
local x=$(( 32 - ${1#*/} ))
|
||||
local x
|
||||
x=$(( 32 - ${1#*/} ))
|
||||
|
||||
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
|
||||
}
|
||||
@ -581,9 +616,12 @@ ip_broadcast() {
|
||||
# Calculate broadcast address from CIDR
|
||||
#
|
||||
broadcastaddress() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local broadcast=$(ip_broadcast $1)
|
||||
local decodedaddr
|
||||
decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask
|
||||
netmask=$(ip_netmask $1)
|
||||
local broadcast
|
||||
broadcast=$(ip_broadcast $1)
|
||||
|
||||
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
||||
}
|
||||
@ -593,7 +631,8 @@ broadcastaddress() {
|
||||
#
|
||||
in_network() # $1 = IP address, $2 = CIDR network
|
||||
{
|
||||
local netmask=$(ip_netmask $2)
|
||||
local netmask
|
||||
netmask=$(ip_netmask $2)
|
||||
#
|
||||
# We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
|
||||
#
|
||||
@ -604,9 +643,12 @@ in_network() # $1 = IP address, $2 = CIDR network
|
||||
# Netmask to VLSM
|
||||
#
|
||||
ip_vlsm() {
|
||||
local mask=$(decodeaddr $1)
|
||||
local vlsm=0
|
||||
local x=$(( 128 << 24 )) # 0x80000000
|
||||
local mask
|
||||
mask=$(decodeaddr $1)
|
||||
local vlsm
|
||||
vlsm=0
|
||||
local x
|
||||
x=$(( 128 << 24 )) # 0x80000000
|
||||
|
||||
while [ $(( $x & $mask )) -ne 0 ]; do
|
||||
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
|
||||
@ -627,7 +669,8 @@ ip_vlsm() {
|
||||
#
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+}
|
||||
local c
|
||||
c=${1%%+}
|
||||
|
||||
while true; do
|
||||
case $c in
|
||||
@ -752,8 +795,10 @@ find_default_interface() {
|
||||
#
|
||||
|
||||
find_interface_by_address() {
|
||||
local dev="$(find_rt_interface $1)"
|
||||
local first rest
|
||||
local dev
|
||||
dev="$(find_rt_interface $1)"
|
||||
local first
|
||||
local rest
|
||||
|
||||
[ -z "$dev" ] && dev=$(find_default_interface)
|
||||
|
||||
@ -765,7 +810,8 @@ find_interface_by_address() {
|
||||
#
|
||||
|
||||
find_interface_by_mac() {
|
||||
local mac=$1 first second rest dev
|
||||
local mac
|
||||
mac=$1 first second rest dev
|
||||
|
||||
ip link list | while read first second rest; do
|
||||
case $first in
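Review bot: `mac=$1 first second rest dev` is no longer a declaration once `local` has been moved to its own line: the shell reads it as the command `first` run with `mac=$1` in its environment, so `first`, `second`, `rest` and `dev` are not made local and the function aborts with a command-not-found before the `ip link list` pipeline runs. The same one-name split leaves a stray command in `find_file` (`saveifs= directory`, hunk `@ -909,7 +956,8`) and in `export_command` (`verbose=$(make_verbose) file= finished=0 directory target compiler=`, hunk `@ -1266,7 +1299,8`), where `finished` is then never set before the `while [ $finished -eq 0 ...` guard below it. Each remaining name needs its own `local` line, as the second copy of `find_file` later in the commit (hunk `@ -72,7 +74,9`) already does.
```shell
find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    # … unchanged: ip link list pipeline …
```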
|
||||
@ -893,7 +939,8 @@ mywhich() {
|
||||
# Set default config path
|
||||
#
|
||||
ensure_config_path() {
|
||||
local F=${SHAREDIR}/configpath
|
||||
local F
|
||||
F=${SHAREDIR}/configpath
|
||||
if [ -z "$CONFIG_PATH" ]; then
|
||||
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
|
||||
. $F
|
||||
@ -909,7 +956,8 @@ ensure_config_path() {
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
local saveifs= directory
|
||||
local saveifs
|
||||
saveifs= directory
|
||||
|
||||
case $1 in
|
||||
/*)
|
||||
@ -933,7 +981,8 @@ find_file()
|
||||
#
|
||||
resolve_file() # $1 = file name
|
||||
{
|
||||
local pwd=$PWD
|
||||
local pwd
|
||||
pwd=$PWD
|
||||
|
||||
case $1 in
|
||||
/*)
|
||||
@ -1127,7 +1176,8 @@ determine_capabilities() {
|
||||
report_capabilities() {
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
local setting
|
||||
setting=
|
||||
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
@ -1231,7 +1281,15 @@ del_ip_addr() # $1 = address, $2 = interface
|
||||
#
|
||||
add_ip_aliases() # $* = List of addresses
|
||||
{
|
||||
local addresses external interface inet cidr rest val arping=$(mywhich arping)
|
||||
local addresses
|
||||
local external
|
||||
local interface
|
||||
local inet
|
||||
local cidr
|
||||
local rest
|
||||
local val1
|
||||
local arping
|
||||
arping=$(mywhich arping)
|
||||
|
||||
address_details()
|
||||
{
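Review bot: `local val1` changes the name of the variable the original list declared as `val`, so `val` is no longer local in add_ip_aliases and any assignment to it below the hunk leaks into the caller's scope. The line should read `local val`. The function body, including the nested address_details, continues outside the hunk.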
|
||||
@ -1288,7 +1346,8 @@ add_ip_aliases() # $* = List of addresses
|
||||
|
||||
detect_gateway() # $1 = interface
|
||||
{
|
||||
local interface=$1
|
||||
local interface
|
||||
interface=$1
|
||||
#
|
||||
# First assume that this is some sort of point-to-point interface
|
||||
#
|
||||
@ -1311,7 +1370,8 @@ detect_gateway() # $1 = interface
|
||||
# Disable IPV6
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
local foo
|
||||
foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
@ -1343,16 +1403,25 @@ truncate() # $1 = length
|
||||
#
|
||||
do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||
{
|
||||
local level=$1
|
||||
local chain=$2
|
||||
local displayChain=$3
|
||||
local disposition=$4
|
||||
local rulenum=
|
||||
local limit=
|
||||
local tag=
|
||||
local command=
|
||||
local level
|
||||
level=$1
|
||||
local chain
|
||||
chain=$2
|
||||
local displayChain
|
||||
displayChain=$3
|
||||
local disposition
|
||||
disposition=$4
|
||||
local rulenum
|
||||
rulenum=
|
||||
local limit
|
||||
limit=
|
||||
local tag
|
||||
tag=
|
||||
local command
|
||||
command=
|
||||
local prefix
|
||||
local base=$(chain_base $displayChain)
|
||||
local base
|
||||
base=$(chain_base $displayChain)
|
||||
local pf
|
||||
|
||||
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
|
||||
@ -1405,9 +1474,12 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos
|
||||
|
||||
do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
|
||||
{
|
||||
local level=$1
|
||||
local chain=$2
|
||||
local disposition=$3
|
||||
local level
|
||||
level=$1
|
||||
local chain
|
||||
chain=$2
|
||||
local disposition
|
||||
disposition=$3
|
||||
|
||||
shift 3
|
||||
|
||||
@ -1441,7 +1513,8 @@ delete_tc1()
|
||||
#
|
||||
get_device_mtu() # $1 = device
|
||||
{
|
||||
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
echo $(find_mtu $output)
|
||||
@ -1456,7 +1529,8 @@ get_device_mtu() # $1 = device
|
||||
#
|
||||
get_device_mtu1() # $1 = device
|
||||
{
|
||||
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local mtu
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
@ -1495,7 +1569,9 @@ undo_routing() {
|
||||
|
||||
restore_default_route() {
|
||||
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
|
||||
local default_route= route
|
||||
local default_route
|
||||
default_route=
|
||||
local route
|
||||
|
||||
while read route ; do
|
||||
case $route in
|
||||
@ -1556,7 +1632,8 @@ find_echo() {
|
||||
# STD - mktemp.org mktemp
|
||||
#
|
||||
find_mktemp() {
|
||||
local mktemp=`mywhich mktemp 2> /dev/null`
|
||||
local mktemp
|
||||
mktemp=`mywhich mktemp 2> /dev/null`
|
||||
|
||||
if [ -n "$mktemp" ]; then
|
||||
if qt mktemp -V ; then
|
||||
|
@ -124,7 +124,13 @@ timed_read ()
|
||||
# Determine if 'syslog -C' is running
|
||||
#
|
||||
syslog_circular_buffer() {
|
||||
local pid tty flags cputime path args arg
|
||||
local pid
|
||||
local tty
|
||||
local flags
|
||||
local cputime
|
||||
local path
|
||||
local args
|
||||
local arg
|
||||
|
||||
ps ax 2> /dev/null | while read pid tty flags cputime path args; do
|
||||
case $path in
|
||||
@ -160,7 +166,8 @@ packet_log() # $1 = number of messages
|
||||
show_tc() {
|
||||
|
||||
show_one_tc() {
|
||||
local device=${1%@*}
|
||||
local device
|
||||
device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
@ -183,7 +190,8 @@ show_tc() {
|
||||
show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device=${1%@*}
|
||||
local device
|
||||
device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
@ -258,7 +266,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
#
|
||||
save_config() {
|
||||
|
||||
local result=1
|
||||
local result
|
||||
result=1
|
||||
|
||||
iptables_save=${IPTABLES}-save
|
||||
|
||||
@ -367,7 +376,12 @@ show_routing() {
|
||||
# Show Command Executor
|
||||
#
|
||||
show_command() {
|
||||
local finished=0 local table=filter table_given=
|
||||
local finished
|
||||
finished=0
|
||||
local table
|
||||
table=filter
|
||||
local table_given
|
||||
table_given=
|
||||
|
||||
show_macro() {
|
||||
foo=`grep 'This macro' $macro | sed 's/This macro //'`
|
||||
@ -619,7 +633,8 @@ show_command() {
|
||||
# Dump Command Executor
|
||||
#
|
||||
dump_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -743,7 +758,8 @@ dump_command() {
|
||||
# Restore Comand Executor
|
||||
#
|
||||
restore_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -868,7 +884,10 @@ heading() {
|
||||
# Create the appropriate -q option to pass onward
|
||||
#
|
||||
make_verbose() {
|
||||
local v=$VERBOSE_OFFSET option=-
|
||||
local v
|
||||
v=$VERBOSE_OFFSET
|
||||
local option
|
||||
option=-
|
||||
|
||||
if [ -n "$USE_VERBOSITY" ]; then
|
||||
echo "-v$USE_VERBOSITY"
|
||||
@ -894,7 +913,10 @@ make_verbose() {
|
||||
#
|
||||
block() # $1 = command, $2 = Finished, $3 - $n addresses
|
||||
{
|
||||
local chain=$1 finished=$2
|
||||
local chain
|
||||
chain=$1
|
||||
local finished
|
||||
finished=$2
|
||||
|
||||
shift 3
|
||||
|
||||
@ -925,7 +947,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
|
||||
# 'hits' commmand executor
|
||||
#
|
||||
hits_command() {
|
||||
local finished=0 today=
|
||||
local finished
|
||||
finished=0
|
||||
local today
|
||||
today=
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
|
@ -31,7 +31,8 @@ SHOREWALL_CONFIGVERSION=40000
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list() {
|
||||
local list="$@"
|
||||
local list
|
||||
list="$@"
|
||||
local part
|
||||
local newlist
|
||||
local firstpart
|
||||
@ -121,7 +122,10 @@ is_policy_chain() # $1 = name of chain
|
||||
#
|
||||
list_walk() # $1 = element to search for, $2-$n = list
|
||||
{
|
||||
local e=$1 result=
|
||||
local e
|
||||
e=$1
|
||||
local result
|
||||
result=
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
@ -165,7 +169,8 @@ expand_line() {
|
||||
#
|
||||
fix_bang()
|
||||
{
|
||||
local result=
|
||||
local result
|
||||
result=
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
case $1 in
|
||||
@ -186,7 +191,13 @@ fix_bang()
|
||||
# Read the zones file and find the firewall zone
|
||||
#
|
||||
get_firewall_zone() {
|
||||
local zone type rest comment='#*' f=$(find_file zones)
|
||||
local zone
|
||||
local type
|
||||
local rest
|
||||
local comment
|
||||
comment='#*'
|
||||
local f
|
||||
f=$(find_file zones)
|
||||
|
||||
[ -f $f ] || startup_error "Unable to find zones file"
|
||||
|
||||
@ -212,11 +223,21 @@ get_firewall_zone() {
|
||||
#
|
||||
determine_zones()
|
||||
{
|
||||
local zone parent parents rest new_zone_file= r
|
||||
local zone
|
||||
local parent
|
||||
local parents
|
||||
local rest
|
||||
local new_zone_file
|
||||
new_zone_file=
|
||||
local r
|
||||
|
||||
merge_zone()
|
||||
{
|
||||
local z zones="$ZONES" merged=
|
||||
local z
|
||||
local zones
|
||||
zones="$ZONES"
|
||||
local merged
|
||||
merged=
|
||||
|
||||
if [ -n "$parents" ]; then
|
||||
ZONES=
|
||||
@ -323,8 +344,15 @@ determine_zones()
|
||||
#
|
||||
validate_interfaces_file() {
|
||||
local wildcard
|
||||
local found_obsolete_option=
|
||||
local z interface networks options r iface option
|
||||
local found_obsolete_option
|
||||
found_obsolete_option=
|
||||
local z
|
||||
local interface
|
||||
local networks
|
||||
local options
|
||||
local r
|
||||
local iface
|
||||
local option
|
||||
|
||||
while read z interface networks options; do
|
||||
r="$z $interface $networks $options"
|
||||
@ -346,7 +374,8 @@ validate_interfaces_file() {
|
||||
#
|
||||
# Assume that this is 4.0 syntax for a bridge
|
||||
#
|
||||
local bridge=${interface%:*}
|
||||
local bridge
|
||||
bridge=${interface%:*}
|
||||
list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"
|
||||
interface=${interface#*:}
|
||||
else
|
||||
@ -423,17 +452,21 @@ validate_interfaces_file() {
|
||||
# Process the ipsec information in the zones file
|
||||
#
|
||||
setup_ipsec() {
|
||||
local zone using_ipsec=
|
||||
local zone
|
||||
local using_ipsec
|
||||
using_ipsec=
|
||||
#
|
||||
# Add a --set-mss rule to the passed chain
|
||||
#
|
||||
set_mss1() # $1 = chain, $2 = MSS
|
||||
{
|
||||
eval local policy=\$${1}_policy
|
||||
local policy
|
||||
eval policy=\$${1}_policy
|
||||
|
||||
if [ "$policy" != NONE ]; then
|
||||
ensurechain $1
|
||||
local match=
|
||||
local match
|
||||
match=
|
||||
[ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: "
|
||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2
|
||||
fi
|
||||
@ -461,7 +494,10 @@ setup_ipsec() {
|
||||
|
||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||
{
|
||||
local option newoptions= val
|
||||
local option
|
||||
local newoptions
|
||||
newoptions=
|
||||
local val
|
||||
|
||||
[ x${2} = x- ] && return
|
||||
|
||||
@ -547,7 +583,16 @@ setup_ipsec() {
|
||||
# Validate the zone names and options in the hosts file
|
||||
#
|
||||
validate_hosts_file() {
|
||||
local z hosts options r interface host option zports ipsec=
|
||||
local z
|
||||
local hosts
|
||||
local options
|
||||
local r
|
||||
local interface
|
||||
local host
|
||||
local option
|
||||
local zports
|
||||
local ipsec
|
||||
ipsec=
|
||||
|
||||
check_bridge_port()
|
||||
{
|
||||
@ -667,7 +712,8 @@ validate_hosts_file() {
|
||||
#
|
||||
find_interfaces() # $1 = interface zone
|
||||
{
|
||||
local zne=$1
|
||||
local zne
|
||||
zne=$1
|
||||
local z
|
||||
local interface
|
||||
|
||||
@ -742,7 +788,8 @@ dynamic_out() # $1 = interface
|
||||
|
||||
dynamic_chains() #$1 = interface
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
local c
|
||||
c=$(chain_base $1)
|
||||
|
||||
echo ${c}_dyni ${c}_dynf ${c}_dyno
|
||||
}
|
||||
@ -776,7 +823,8 @@ ecn_chain() # $1 = interface
|
||||
#
|
||||
first_chains() #$1 = interface
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
local c
|
||||
c=$(chain_base $1)
|
||||
|
||||
echo ${c}_fwd ${c}_in
|
||||
}
|
||||
@ -809,7 +857,11 @@ iprange_echo()
|
||||
#
|
||||
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
||||
{
|
||||
local temp setname=$1 options=$2
|
||||
local temp
|
||||
local setname
|
||||
setname=$1
|
||||
local options
|
||||
options=$2
|
||||
|
||||
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
|
||||
|
||||
@ -908,7 +960,14 @@ dest_ip_range() # $1 = Address or Address Range
|
||||
|
||||
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
|
||||
{
|
||||
local rangeprefix= setprefix= rangematch= setmatch=
|
||||
local rangeprefix
|
||||
rangeprefix=
|
||||
local setprefix
|
||||
setprefix=
|
||||
local rangematch
|
||||
rangematch=
|
||||
local setmatch
|
||||
setmatch=
|
||||
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
@ -956,7 +1015,8 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
|
||||
if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
# $2 = Full interface name - may also end in "+"
|
||||
{
|
||||
local pattern=${1%+}
|
||||
local pattern
|
||||
pattern=${1%+}
|
||||
|
||||
case $1 in
|
||||
*+)
|
||||
@ -1106,8 +1166,10 @@ verify_interface()
|
||||
#
|
||||
is_ipsec_host() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
local is_ipsec
|
||||
eval is_ipsec=\$${1}_is_ipsec
|
||||
local hosts
|
||||
eval hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
test -n "$is_ipsec" || list_search $2 $hosts
|
||||
}
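Review bot: The rewritten `eval is_ipsec=\$${1}_is_ipsec` and `eval hosts=\"\$${1}_ipsec_hosts\"` still splice `$1` unquoted into the string that eval executes; that is unchanged behaviour, but now that each line does nothing else it is worth stating the precondition next to it. A comment such as `# $1 is a zone name and is expanded inside eval; it must already be validated as a plain identifier` would record what the caller has to guarantee — I assume zone names are checked when the zones file is read, which is outside this hunk. The same pattern appears in the set_mss1, match_ipsec_in and match_ipsec_out hunks.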
|
||||
@ -1118,7 +1180,8 @@ is_ipsec_host() # $1 = zone, $2 = host
|
||||
match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
if is_ipsec_host $1 $2 ; then
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||
local options
|
||||
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||
echo "-m policy --pol ipsec --dir in $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in"
|
||||
@ -1131,7 +1194,8 @@ match_ipsec_in() # $1 = zone, $2 = host
|
||||
match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
if is_ipsec_host $1 $2 ; then
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||
local options
|
||||
eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||
echo "-m policy --pol ipsec --dir out $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir out"
|
||||
@ -1156,7 +1220,10 @@ firewall_ip_range() # $1 = IP address or range
|
||||
#
|
||||
find_hosts() # $1 = host zone
|
||||
{
|
||||
local hosts interface address addresses
|
||||
local hosts
|
||||
local interface
|
||||
local address
|
||||
local addresses
|
||||
|
||||
while read z hosts options; do
|
||||
if [ "x$(expand $z)" = "x$1" ]; then
|
||||
@ -1185,7 +1252,10 @@ find_hosts() # $1 = host zone
|
||||
#
|
||||
find_exclusions() # $1 = host zone
|
||||
{
|
||||
local hosts interface address addresses
|
||||
local hosts
|
||||
local interface
|
||||
local address
|
||||
local addresses
|
||||
|
||||
while read z hosts options; do
|
||||
if [ "x$z" = "x$1" ]; then
|
||||
@ -1335,7 +1405,8 @@ find_interfaces_by_option() # $1 = option
|
||||
#
|
||||
find_interfaces_by_option1() # $1 = option
|
||||
{
|
||||
local options option
|
||||
local options
|
||||
local option
|
||||
|
||||
for interface in $ALL_INTERFACES; do
|
||||
eval options=\$$(chain_base $interface)_options
|
||||
@ -1353,7 +1424,15 @@ find_interfaces_by_option1() # $1 = option
|
||||
#
|
||||
find_hosts_by_option() # $1 = option
|
||||
{
|
||||
local ignore hosts interface address addresses options ipsec= list
|
||||
local ignore
|
||||
local hosts
|
||||
local interface
|
||||
local address
|
||||
local addresses
|
||||
local options
|
||||
local ipsec
|
||||
ipsec=
|
||||
local list
|
||||
|
||||
while read ignore hosts options; do
|
||||
list=$(separate_list $options)
|
||||
@ -1378,7 +1457,18 @@ find_hosts_by_option() # $1 = option
|
||||
#
|
||||
process_routestopped() # $1 = command
|
||||
{
|
||||
local hosts= interface host host1 options networks source= dest= matched
|
||||
local hosts
|
||||
hosts=
|
||||
local interface
|
||||
local host
|
||||
local host1
|
||||
local options
|
||||
local networks
|
||||
local source
|
||||
source=
|
||||
local dest
|
||||
dest=
|
||||
local matched
|
||||
|
||||
while read interface host options; do
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
@ -1454,7 +1544,15 @@ process_routestopped() # $1 = command
|
||||
|
||||
process_criticalhosts()
|
||||
{
|
||||
local hosts= interface host h options networks criticalhosts=
|
||||
local hosts
|
||||
hosts=
|
||||
local interface
|
||||
local host
|
||||
local h
|
||||
local options
|
||||
local networks
|
||||
local criticalhosts
|
||||
criticalhosts=
|
||||
|
||||
while read interface host options; do
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
|
||||
@ -1514,7 +1612,8 @@ mktempdir() {
|
||||
|
||||
read_file() # $1 = file name, $2 = nest count
|
||||
{
|
||||
local first rest
|
||||
local first
|
||||
local rest
|
||||
|
||||
if [ -f $1 ]; then
|
||||
while read first rest; do
|
||||
@ -1562,7 +1661,8 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
|
||||
#
|
||||
strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
|
||||
{
|
||||
local f=$(find_file $1)
|
||||
local f
|
||||
f=$(find_file $1)
|
||||
|
||||
strip_file $1 $f
|
||||
|
||||
@ -1609,7 +1709,8 @@ verify_mark() # $1 = value to test
|
||||
#
|
||||
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
local val
|
||||
val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo "Yes"
|
||||
@ -1632,7 +1733,8 @@ added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
|
||||
#
|
||||
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
local val
|
||||
val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo ""
|
||||
|
@ -289,15 +289,18 @@ get_config() {
|
||||
# Run the appropriate compiler
|
||||
#
|
||||
compiler() {
|
||||
local sc=${SHELLSHAREDIR}/compiler
|
||||
local pc=${PERLSHAREDIR}/compiler.pl
|
||||
local sc
|
||||
sc=${SHELLSHAREDIR}/compiler
|
||||
local pc
|
||||
pc=${PERLSHAREDIR}/compiler.pl
|
||||
|
||||
startup_error() {
|
||||
echo " ERROR: $@" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
local command=$1
|
||||
local command
|
||||
command=$1
|
||||
|
||||
shift
|
||||
|
||||
@ -413,10 +416,12 @@ compiler() {
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
do_it() {
|
||||
local rc=0
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
@ -546,7 +551,8 @@ start_command() {
|
||||
# Compile Command Executor
|
||||
#
|
||||
compile_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
@ -636,7 +642,8 @@ compile_command() {
|
||||
# Check Command Executor
|
||||
#
|
||||
check_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -714,7 +721,10 @@ check_command() {
|
||||
# Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished=0 rc=0
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -801,7 +811,8 @@ restart_command() {
|
||||
# Refresh Command Executor
|
||||
#
|
||||
refresh_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -868,7 +879,8 @@ refresh_command() {
|
||||
# Safe-start/safe-restart Command Executor
|
||||
#
|
||||
safe_commands() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
# test is the shell supports timed read
|
||||
read -t 0 junk 2> /dev/null
|
||||
@ -1006,7 +1018,10 @@ safe_commands() {
|
||||
# 'try' Command Executor
|
||||
#
|
||||
try_command() {
|
||||
local finished=0 timeout=
|
||||
local finished
|
||||
finished=0
|
||||
local timeout
|
||||
timeout=
|
||||
|
||||
handle_directory() {
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
@ -1151,7 +1166,25 @@ rcp_command() {
|
||||
#
|
||||
reload_command() # $* = original arguments less the command.
|
||||
{
|
||||
local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
|
||||
local verbose
|
||||
verbose=$(make_verbose)
|
||||
local file
|
||||
file=
|
||||
local capabilities
|
||||
capabilities=
|
||||
local finished
|
||||
finished=0
|
||||
local saveit
|
||||
saveit=
|
||||
local result
|
||||
local directory
|
||||
local system
|
||||
local getcaps
|
||||
getcaps=
|
||||
local root
|
||||
root=root
|
||||
local compiler
|
||||
compiler=
|
||||
|
||||
LITEDIR=/var/lib/shorewall-lite
|
||||
|
||||
@ -1266,7 +1299,8 @@ reload_command() # $* = original arguments less the command.
|
||||
#
|
||||
export_command() # $* = original arguments less the command.
|
||||
{
|
||||
local verbose=$(make_verbose) file= finished=0 directory target compiler=
|
||||
local verbose
|
||||
verbose=$(make_verbose) file= finished=0 directory target compiler=
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -1499,7 +1533,10 @@ while [ $finished -eq 0 ]; do
|
||||
done
|
||||
|
||||
version_command() {
|
||||
local finished=0 all=
|
||||
local finished
|
||||
finished=0
|
||||
local all
|
||||
all=
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
|
@ -38,7 +38,8 @@ expand_line() {
|
||||
|
||||
read_file() # $1 = file name, $2 = nest count
|
||||
{
|
||||
local first rest
|
||||
local first
|
||||
local rest
|
||||
|
||||
if [ -f $1 ]; then
|
||||
while read first rest; do
|
||||
@ -61,7 +62,8 @@ read_file() # $1 = file name, $2 = nest count
|
||||
# Split a colon-separated list into a space-separated list
|
||||
#
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
@ -72,7 +74,9 @@ split() {
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
local saveifs= directory
|
||||
local saveifs
|
||||
saveifs=
|
||||
local directory
|
||||
|
||||
case $1 in
|
||||
/*)
|
||||
|
@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
|
||||
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
|
||||
{
|
||||
if [ -n "$2" ]; then
|
||||
local file=$(basename $1)
|
||||
local file
|
||||
file=$(basename $1)
|
||||
|
||||
if [ -f $2/$file ]; then
|
||||
if mv -f $2/$file $1 ; then
|
||||
|
@ -35,7 +35,8 @@ usage() # $1 = exit status
|
||||
}
|
||||
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
|
@ -178,10 +178,12 @@ verify_firewall_script() {
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
do_it() {
|
||||
local rc=0
|
||||
local rc
|
||||
rc=0
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
|
||||
if [ -x ${LITEDIR}/firewall ]; then
|
||||
@ -286,7 +288,10 @@ start_command() {
|
||||
# Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished=0 rc=0
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
verify_firewall_script
|
||||
|
||||
|
@ -35,7 +35,8 @@ usage() # $1 = exit status
|
||||
}
|
||||
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
|
@ -35,7 +35,8 @@ error_message() # $* = Error Message
|
||||
#
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -gt 1 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -50,7 +51,8 @@ progress_message() # $* = Message
|
||||
|
||||
progress_message2() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -gt 0 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -65,7 +67,8 @@ progress_message2() # $* = Message
|
||||
|
||||
progress_message3() # $* = Message
|
||||
{
|
||||
local timestamp=
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSE -ge 0 ]; then
|
||||
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
|
||||
@ -82,7 +85,8 @@ progress_message3() # $* = Message
|
||||
# Split a colon-separated list into a space-separated list
|
||||
#
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
@ -94,7 +98,8 @@ split() {
|
||||
#
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
@ -143,7 +148,8 @@ my_pathname() {
|
||||
#
|
||||
run_user_exit() # $1 = file name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
local user_exit
|
||||
user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
@ -199,7 +205,8 @@ deleteallchains() {
|
||||
#
|
||||
loadmodule() # $1 = module name, $2 - * arguments
|
||||
{
|
||||
local modulename=$1
|
||||
local modulename
|
||||
modulename=$1
|
||||
local modulefile
|
||||
local suffix
|
||||
|
||||
@ -231,10 +238,13 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
#
|
||||
reload_kernel_modules() {
|
||||
|
||||
local save_modules_dir=$MODULESDIR
|
||||
local save_modules_dir
|
||||
save_modules_dir=$MODULESDIR
|
||||
local directory
|
||||
local moduledirectories=
|
||||
local moduleloader=modprobe
|
||||
local moduledirectories
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -261,11 +271,15 @@ reload_kernel_modules() {
|
||||
#
|
||||
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
{
|
||||
local save_modules_dir=$MODULESDIR
|
||||
local save_modules_dir
|
||||
save_modules_dir=$MODULESDIR
|
||||
local directory
|
||||
local moduledirectories=
|
||||
local moduleloader=modprobe
|
||||
local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local moduledirectories
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -313,8 +327,10 @@ LEFTSHIFT='<<'
|
||||
#
|
||||
decodeaddr() {
|
||||
local x
|
||||
local temp=0
|
||||
local ifs=$IFS
|
||||
local temp
|
||||
temp=0
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
|
||||
IFS=.
|
||||
|
||||
@ -333,7 +349,8 @@ decodeaddr() {
|
||||
encodeaddr() {
|
||||
addr=$1
|
||||
local x
|
||||
local y=$(($addr & 255))
|
||||
local y
|
||||
y=$(($addr & 255))
|
||||
|
||||
for x in 1 2 3 ; do
|
||||
addr=$(($addr >> 8))
|
||||
@ -347,7 +364,8 @@ encodeaddr() {
|
||||
# Netmask from CIDR
|
||||
#
|
||||
ip_netmask() {
|
||||
local vlsm=${1#*/}
|
||||
local vlsm
|
||||
vlsm=${1#*/}
|
||||
|
||||
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
|
||||
}
|
||||
@ -356,8 +374,10 @@ ip_netmask() {
|
||||
# Network address from CIDR
|
||||
#
|
||||
ip_network() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local decodedaddr
|
||||
decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask
|
||||
netmask=$(ip_netmask $1)
|
||||
|
||||
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
||||
}
|
||||
@ -367,7 +387,8 @@ ip_network() {
|
||||
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
|
||||
#
|
||||
ip_broadcast() {
|
||||
local x=$(( 32 - ${1#*/} ))
|
||||
local x
|
||||
x=$(( 32 - ${1#*/} ))
|
||||
|
||||
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
|
||||
}
|
||||
@ -376,9 +397,12 @@ ip_broadcast() {
|
||||
# Calculate broadcast address from CIDR
|
||||
#
|
||||
broadcastaddress() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local broadcast=$(ip_broadcast $1)
|
||||
local decodedaddr
|
||||
decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask
|
||||
netmask=$(ip_netmask $1)
|
||||
local broadcast
|
||||
broadcast=$(ip_broadcast $1)
|
||||
|
||||
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
||||
}
|
||||
@ -388,7 +412,8 @@ broadcastaddress() {
|
||||
#
|
||||
in_network() # $1 = IP address, $2 = CIDR network
|
||||
{
|
||||
local netmask=$(ip_netmask $2)
|
||||
local netmask
|
||||
netmask=$(ip_netmask $2)
|
||||
#
|
||||
# Use string comparison to work around a broken BusyBox ash in OpenWRT
|
||||
#
|
||||
@ -493,8 +518,10 @@ find_default_interface() {
|
||||
#
|
||||
|
||||
find_interface_by_address() {
|
||||
local dev="$(find_rt_interface $1)"
|
||||
local first rest
|
||||
local dev
|
||||
dev="$(find_rt_interface $1)"
|
||||
local first
|
||||
local rest
|
||||
|
||||
[ -z "$dev" ] && dev=$(find_default_interface)
|
||||
|
||||
@ -506,7 +533,12 @@ find_interface_by_address() {
|
||||
#
|
||||
|
||||
find_interface_by_mac() {
|
||||
local mac=$1 first second rest dev
|
||||
local mac
|
||||
mac=$1
|
||||
local first
|
||||
local second
|
||||
local rest
|
||||
local dev
|
||||
|
||||
ip link list | while read first second rest; do
|
||||
case $first in
|
||||
@ -611,7 +643,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
||||
|
||||
get_interface_bcasts() # $1 = interface
|
||||
{
|
||||
local addresses=
|
||||
local addresses
|
||||
addresses=
|
||||
|
||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
@ -637,7 +670,9 @@ mywhich() {
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
local saveifs= directory
|
||||
local saveifs
|
||||
saveifs=
|
||||
directory
|
||||
|
||||
case $1 in
|
||||
/*)
|
||||
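Review bot: The bare `directory` line that replaces the tail of `local saveifs= directory` in this second find_file is not a declaration; it executes a command named `directory`, which will fail with "not found" and leaves `directory` as a global. It should read `local directory`, exactly as the earlier find_file hunk in this commit does. find_file's body continues outside the hunk.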
@ -691,7 +726,16 @@ del_ip_addr() # $1 = address, $2 = interface
|
||||
#
|
||||
add_ip_aliases() # $* = List of addresses
|
||||
{
|
||||
local addresses external interface inet cidr rest val arping=$(mywhich arping)
|
||||
local local
|
||||
local addresses
|
||||
local external
|
||||
local interface
|
||||
local inet
|
||||
local cidr
|
||||
local rest
|
||||
local val
|
||||
local arping
|
||||
arping=$(mywhich arping)
|
||||
|
||||
address_details()
|
||||
{
|
||||
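Review bot: The added `local local` line in add_ip_aliases is a stray token from the split of the original `local addresses external ... arping=$(mywhich arping)` declaration, which had no variable named `local`; as written it declares a variable called `local`, which is confusing and serves no purpose. Drop that line and keep the remaining per-variable `local` lines, which are correct. add_ip_aliases's body continues outside the hunk.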
@ -748,7 +792,8 @@ add_ip_aliases() # $* = List of addresses
|
||||
|
||||
detect_gateway() # $1 = interface
|
||||
{
|
||||
local interface=$1
|
||||
local interface
|
||||
interface=$1
|
||||
#
|
||||
# First assume that this is some sort of point-to-point interface
|
||||
#
|
||||
@ -771,7 +816,8 @@ detect_gateway() # $1 = interface
|
||||
# Disable IPV6
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
local foo
|
||||
foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
@ -825,7 +871,8 @@ delete_tc1()
|
||||
#
|
||||
get_device_mtu() # $1 = device
|
||||
{
|
||||
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
echo $(find_mtu $output)
|
||||
@ -840,7 +887,8 @@ get_device_mtu() # $1 = device
|
||||
#
|
||||
get_device_mtu1() # $1 = device
|
||||
{
|
||||
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local output
|
||||
output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local mtu
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
@ -879,7 +927,9 @@ undo_routing() {
|
||||
|
||||
restore_default_route() {
|
||||
if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
|
||||
local default_route= route
|
||||
local default_route
|
||||
default_route=
|
||||
local route
|
||||
|
||||
while read route ; do
|
||||
case $route in
|
||||
@ -940,7 +990,8 @@ find_mac() # $1 = IP address, $2 = interface
|
||||
{
|
||||
qt ping -nc 1 -t 2 -I $2 $1
|
||||
|
||||
local result=$(arp -na | awk "/[(]$1[)].* $2$/ {print \$4}")
|
||||
local result
|
||||
result=$(arp -na | awk "/[(]$1[)].* $2$/ {print \$4}")
|
||||
|
||||
case $result in
|
||||
\<*\>)
|
||||
|
@ -133,7 +133,8 @@ indent1() {
|
||||
#
|
||||
append_file() # $1 = File Name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
local user_exit
|
||||
user_exit=$(find_file $1)
|
||||
|
||||
case $user_exit in
|
||||
$SHAREDIR/*)
|
||||
@ -215,7 +216,8 @@ run_tc() {
|
||||
#
|
||||
finish_chain_section() # $1 = canonical chain $2 = state list
|
||||
{
|
||||
local policy policychain
|
||||
local policy
|
||||
local policychain
|
||||
|
||||
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
||||
|
||||
@ -246,7 +248,9 @@ finish_chain_section() # $1 = canonical chain $2 = state list
|
||||
|
||||
finish_section() # $1 = Section(s)
|
||||
{
|
||||
local zone zone1 chain
|
||||
local zone
|
||||
local zone1
|
||||
local chain
|
||||
|
||||
for zone in $ZONES $FW; do
|
||||
for zone1 in $ZONES $FW; do
|
||||
@ -268,7 +272,8 @@ finish_section() # $1 = Section(s)
|
||||
#
|
||||
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
local c
|
||||
c=$(chain_base $1)
|
||||
|
||||
run_iptables -N $1
|
||||
|
||||
@ -291,7 +296,8 @@ createchain() # $1 = chain name, $2 = If "yes", do section-end processing
|
||||
#
|
||||
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
local c
|
||||
c=$(chain_base $1)
|
||||
|
||||
ensurechain $1
|
||||
|
||||
@ -318,7 +324,8 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
#
|
||||
havechain() # $1 = name of chain
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
local c
|
||||
c=$(chain_base $1)
|
||||
|
||||
eval test \"\$exists_${c}\" = Yes
|
||||
}
|
||||
@ -724,16 +731,25 @@ disable_critical_hosts()
|
||||
#
|
||||
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||
{
|
||||
local level=$1
|
||||
local chain=$2
|
||||
local displayChain=$3
|
||||
local disposition=$4
|
||||
local rulenum=
|
||||
local limit=
|
||||
local tag=$6
|
||||
local command=${7:--A}
|
||||
local level
|
||||
level=$1
|
||||
local chain
|
||||
chain=$2
|
||||
local displayChain
|
||||
displayChain=$3
|
||||
local disposition
|
||||
disposition=$4
|
||||
local rulenum
|
||||
rulenum=
|
||||
local limit
|
||||
limit=
|
||||
local tag
|
||||
tag=$6
|
||||
local command
|
||||
command=${7:--A}
|
||||
local prefix
|
||||
local base=$(chain_base $displayChain)
|
||||
local base
|
||||
base=$(chain_base $displayChain)
|
||||
|
||||
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
|
||||
|
||||
@ -744,9 +760,12 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
|
||||
{
|
||||
local level=$1
|
||||
local chain=$2
|
||||
local disposition=$3
|
||||
local level
|
||||
level=$1
|
||||
local chain
|
||||
chain=$2
|
||||
local disposition
|
||||
disposition=$3
|
||||
|
||||
shift 3
|
||||
|
||||
@ -761,9 +780,12 @@ setup_syn_flood_chain ()
|
||||
# $2 = synparams
|
||||
# $3 = loglevel
|
||||
{
|
||||
local chain=@$1
|
||||
local limit=$2
|
||||
local limit_burst=
|
||||
local chain
|
||||
chain=@$1
|
||||
local limit
|
||||
limit=$2
|
||||
local limit_burst
|
||||
limit_burst=
|
||||
|
||||
case $limit in
|
||||
*:*)
|
||||
@ -842,8 +864,10 @@ __EOF__
|
||||
#
|
||||
setup_ecn() # $1 = file name
|
||||
{
|
||||
local interfaces=""
|
||||
local hosts=
|
||||
local interfaces
|
||||
interfaces=""
|
||||
local hosts
|
||||
hosts=
|
||||
local h
|
||||
|
||||
if [ -s ${TMP_DIR}/ecn ]; then
|
||||
@ -891,7 +915,8 @@ setup_ecn() # $1 = file name
|
||||
#
|
||||
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
|
||||
{
|
||||
local c=excl_${EXCLUSION_SEQ} net
|
||||
local c
|
||||
c=excl_${EXCLUSION_SEQ} net
|
||||
|
||||
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
|
||||
|
||||
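Review bot: `c=excl_${EXCLUSION_SEQ} net` in build_exclusion_chain is now a command invocation of `net` with `c` as a temporary environment prefix, so `c` is never assigned in the function's scope and the shell attempts to run a program named `net`; the rest of the function presumably uses `$c` as the exclusion chain name and would see it empty. The original line declared two locals, so the split should be `c=excl_${EXCLUSION_SEQ}` followed by `local net`. build_exclusion_chain's body continues outside the hunk.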
@ -921,7 +946,10 @@ build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3
|
||||
# Setup queuing and classes
|
||||
#
|
||||
setup_tc1() {
|
||||
local mark_part= comment=
|
||||
local mark_part
|
||||
mark_part=
|
||||
local comment
|
||||
comment=
|
||||
#
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
@ -1030,7 +1058,8 @@ __EOF__
|
||||
#
|
||||
refresh_tc() {
|
||||
|
||||
local comment=
|
||||
local comment
|
||||
comment=
|
||||
|
||||
if [ -n "$CLEAR_TC" ]; then
|
||||
delete_tc
|
||||
@ -1094,9 +1123,12 @@ __EOF__
|
||||
#
|
||||
compile_refresh_firewall()
|
||||
{
|
||||
local INDENT=""
|
||||
local DOING="Compiling Refresh of"
|
||||
local DONE="Compiled"
|
||||
local INDENT
|
||||
INDENT=""
|
||||
local DOING
|
||||
DOING="Compiling Refresh of"
|
||||
local DONE
|
||||
DONE="Compiled"
|
||||
local indent
|
||||
|
||||
save_command "refresh_firewall()"
|
||||
@ -1147,7 +1179,8 @@ compile_refresh_firewall()
|
||||
process_action_file() # $1 = File Name
|
||||
{
|
||||
if ! list_search $1 $BUILTIN_ACTIONS; then
|
||||
local user_exit=$(find_file $1)
|
||||
local user_exit
|
||||
user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
@ -1178,7 +1211,12 @@ process_action_file() # $1 = File Name
|
||||
|
||||
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
{
|
||||
local actchain= action=$1 level=$2
|
||||
local actchain
|
||||
actchain=
|
||||
local action
|
||||
action=$1
|
||||
local level
|
||||
level=$2
|
||||
|
||||
eval actchain=\${${action}_actchain}
|
||||
|
||||
@ -1264,7 +1302,14 @@ createactionchain() # $1 = Action, including log level and tag if any
|
||||
#
|
||||
find_logactionchain() # $1 = Action, including log level and tag if any
|
||||
{
|
||||
local fullaction=$1 action=${1%%:*} level= chains=
|
||||
local fullaction
|
||||
fullaction=$1
|
||||
local action
|
||||
action=${1%%:*}
|
||||
local level
|
||||
level=
|
||||
local chains
|
||||
chains=
|
||||
|
||||
find_simpleaction() {
|
||||
havechain $action || fatal_error "Fatal error in find_logactionchain"
|
||||
@ -1307,7 +1352,10 @@ find_logactionchain() # $1 = Action, including log level and tag if any
|
||||
#
|
||||
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
||||
{
|
||||
local superior=$1 subordinate=$2
|
||||
local superior
|
||||
superior=$1
|
||||
local subordinate
|
||||
subordinate=$2
|
||||
|
||||
set -- $(split $1)
|
||||
|
||||
@ -1384,7 +1432,9 @@ define_builtin_actions() {
|
||||
#
|
||||
map_old_action() # $1 = Potential Old Action
|
||||
{
|
||||
local macro= aktion
|
||||
local macro
|
||||
macro=
|
||||
local aktion
|
||||
|
||||
if [ -n "$MAPOLDACTIONS" ]; then
|
||||
case $1 in
|
||||
@ -1437,7 +1487,8 @@ map_old_action() # $1 = Potential Old Action
|
||||
#
|
||||
substitute_action() # $1 = parameter, $2 = action
|
||||
{
|
||||
local logpart=${2#*:}
|
||||
local logpart
|
||||
logpart=${2#*:}
|
||||
|
||||
case $2 in
|
||||
*:*)
|
||||
@ -1635,7 +1686,8 @@ __EOF__
|
||||
# policy = Applicable Policy
|
||||
#
|
||||
add_a_rule() {
|
||||
local natrule=
|
||||
local natrule
|
||||
natrule=
|
||||
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
@ -2123,19 +2175,32 @@ process_rule() # $1 = target
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
local target="$1"
|
||||
local clients="$2"
|
||||
local servers="$3"
|
||||
local protocol="$4"
|
||||
local ports="$5"
|
||||
local cports="$6"
|
||||
local address="$7"
|
||||
local ratelimit="$8"
|
||||
local userspec="$9"
|
||||
local mark="${10}"
|
||||
local userandgroup=
|
||||
local logtag=
|
||||
local nonat=
|
||||
local target
|
||||
target="$1"
|
||||
local clients
|
||||
clients="$2"
|
||||
local servers
|
||||
servers="$3"
|
||||
local protocol
|
||||
protocol="$4"
|
||||
local ports
|
||||
ports="$5"
|
||||
local cports
|
||||
cports="$6"
|
||||
local address
|
||||
address="$7"
|
||||
local ratelimit
|
||||
ratelimit="$8"
|
||||
local userspec
|
||||
userspec="$9"
|
||||
local mark
|
||||
mark="${10}"
|
||||
local userandgroup
|
||||
userandgroup=
|
||||
local logtag
|
||||
logtag=
|
||||
local nonat
|
||||
nonat=
|
||||
|
||||
# # # # # F u n c t i o n B o d y # # # # #
|
||||
|
||||
@ -2488,17 +2553,28 @@ process_macro() # $1 = target
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
local itarget="$1"
|
||||
local param="$2"
|
||||
local iclients="$3"
|
||||
local iservers="$4"
|
||||
local iprotocol="$5"
|
||||
local iports="$6"
|
||||
local icports="$7"
|
||||
local iaddress="$8"
|
||||
local iratelimit="$9"
|
||||
local iuserspec="${10}"
|
||||
local imark="${11}"
|
||||
local itarget
|
||||
itarget="$1"
|
||||
local param
|
||||
param="$2"
|
||||
local iclients
|
||||
iclients="$3"
|
||||
local iservers
|
||||
iservers="$4"
|
||||
local iprotocol
|
||||
iprotocol="$5"
|
||||
local iports
|
||||
iports="$6"
|
||||
local icports
|
||||
icports="$7"
|
||||
local iaddress
|
||||
iaddress="$8"
|
||||
local iratelimit
|
||||
iratelimit="$9"
|
||||
local iuserspec
|
||||
iuserspec="${10}"
|
||||
local imark
|
||||
imark="${11}"
|
||||
|
||||
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
|
||||
|
||||
@ -2583,13 +2659,19 @@ process_macro() # $1 = target
|
||||
#
|
||||
process_rules()
|
||||
{
|
||||
local comment= optimize
|
||||
local comment
|
||||
comment=
|
||||
local optimize
|
||||
#
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
|
||||
{
|
||||
local yclients yservers ysourcezone ydestzone ypolicy
|
||||
local yclients
|
||||
local yservers
|
||||
local ysourcezone
|
||||
local ydestzone
|
||||
local ypolicy
|
||||
|
||||
for yclients in $xclients; do
|
||||
for yservers in $xservers; do
|
||||
@ -2622,7 +2704,8 @@ process_rules()
|
||||
|
||||
do_it() # $1 = "Yes" if the target is a macro.
|
||||
{
|
||||
local intrazone=
|
||||
local intrazone
|
||||
intrazone=
|
||||
|
||||
if [ -z "$SECTIONS" ]; then
|
||||
finish_section ESTABLISHED,RELATED
|
||||
@ -2802,17 +2885,35 @@ process_rules()
|
||||
#
|
||||
process_default_macro() # $1 = macro name
|
||||
{
|
||||
local macro=$1
|
||||
local address=
|
||||
local multioption=
|
||||
local servport=
|
||||
local chain=$1
|
||||
local logchain=$1
|
||||
local userandgroup=
|
||||
local logtag=
|
||||
local excludesource=
|
||||
local target client server protocol port cport ratelimit userspec rule
|
||||
local f=$(find_file macro.${macro})
|
||||
local macro
|
||||
macro=$1
|
||||
local address
|
||||
address=
|
||||
local multioption
|
||||
multioption=
|
||||
local servport
|
||||
servport=
|
||||
local chain
|
||||
chain=$1
|
||||
local logchain
|
||||
logchain=$1
|
||||
local userandgroup
|
||||
userandgroup=
|
||||
local logtag
|
||||
logtag=
|
||||
local excludesource
|
||||
excludesource=
|
||||
local target
|
||||
local client
|
||||
local server
|
||||
local protocol
|
||||
local port
|
||||
local cport
|
||||
local ratelimit
|
||||
local userspec
|
||||
local rule
|
||||
local f
|
||||
f=$(find_file macro.${macro})
|
||||
|
||||
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
|
||||
|
||||
@ -3070,7 +3171,10 @@ process_tos_rule() {
|
||||
#
|
||||
process_tos() # $1 = name of tos file
|
||||
{
|
||||
local chain=pretos stdchain=PREROUTING
|
||||
local chain
|
||||
chain=pretos
|
||||
local stdchain
|
||||
stdchain=PREROUTING
|
||||
|
||||
if [ -n "$MANGLE_FORWARD" ]; then
|
||||
chain=fortos
|
||||
@ -3101,8 +3205,10 @@ policy_rules() # $1 = chain to add rules to
|
||||
# $3 = loglevel
|
||||
# $4 = Default Action/Macro
|
||||
{
|
||||
local target="$2"
|
||||
local default="$4"
|
||||
local target
|
||||
target="$2"
|
||||
local default
|
||||
default="$4"
|
||||
|
||||
if [ -n "$default" ]; then
|
||||
[ "$default" = none ] || run_iptables -A $1 -j $default
|
||||
@ -3139,9 +3245,12 @@ policy_rules() # $1 = chain to add rules to
|
||||
#
|
||||
default_policy() # $1 = client $2 = server
|
||||
{
|
||||
local chain="${1}2${2}"
|
||||
local policy=
|
||||
local loglevel=
|
||||
local chain
|
||||
chain="${1}2${2}"
|
||||
local policy
|
||||
policy=
|
||||
local loglevel
|
||||
loglevel=
|
||||
local chain1
|
||||
|
||||
jump_to_policy_chain() {
|
||||
@ -3243,10 +3352,14 @@ default_policy() # $1 = client $2 = server
|
||||
#
|
||||
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
{
|
||||
local policy=
|
||||
local loglevel=
|
||||
local policychain=
|
||||
local default=
|
||||
local policy
|
||||
policy=
|
||||
local loglevel
|
||||
loglevel=
|
||||
local policychain
|
||||
policychain=
|
||||
local default
|
||||
default=
|
||||
|
||||
run_user_exit $1
|
||||
|
||||
@ -3275,7 +3388,8 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
#
|
||||
rules_chain() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
local chain=${1}2${2} local policy
|
||||
local chain
|
||||
chain=${1}2${2} local policy
|
||||
|
||||
havechain $chain && { echo $chain; return; }
|
||||
|
||||
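Review bot: `chain=${1}2${2} local policy` in rules_chain turns the `chain` assignment into an environment prefix for the `local` builtin, so whether `$chain` is visible at `havechain $chain && { echo $chain; return; }` on the line below depends on whether the shell treats `local` as a special builtin — in bash it is not, and `$chain` is empty there. The original line already carried a stray `local` token (it declared a variable named `local` alongside `policy`), but the rewrite turns that harmless oddity into an unset variable. Split it into `chain=${1}2${2}` and `local policy`. rules_chain's body continues outside the hunk.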
@ -3384,8 +3498,10 @@ process_blacklist_rec() {
|
||||
|
||||
process_blacklist()
|
||||
{
|
||||
local disposition=$BLACKLIST_DISPOSITION
|
||||
local f=$(find_file blacklist)
|
||||
local disposition
|
||||
disposition=$BLACKLIST_DISPOSITION
|
||||
local f
|
||||
f=$(find_file blacklist)
|
||||
local target
|
||||
|
||||
if [ -s $TMP_DIR/blacklist ]; then
|
||||
@ -3419,8 +3535,10 @@ __EOF__
|
||||
# Setup the Black List
|
||||
#
|
||||
setup_blacklist() {
|
||||
local hosts="$(find_hosts_by_option blacklist)"
|
||||
local ipsec policy
|
||||
local hosts
|
||||
hosts="$(find_hosts_by_option blacklist)"
|
||||
local ipsec
|
||||
local policy
|
||||
|
||||
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
|
||||
progress_message2 "$DOING Blacklisting..."
|
||||
@ -3465,8 +3583,10 @@ setup_blacklist() {
|
||||
# Construct zone-independent rules
|
||||
#
|
||||
add_common_rules() {
|
||||
local savelogparms="$LOGPARMS"
|
||||
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
local savelogparms
|
||||
savelogparms="$LOGPARMS"
|
||||
local broadcasts
|
||||
broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
#
|
||||
# Populate the smurf chain
|
||||
#
|
||||
@ -3997,14 +4117,19 @@ apply_policy_rules() {
|
||||
#
|
||||
activate_rules()
|
||||
{
|
||||
local PREROUTING_rule=1
|
||||
local POSTROUTING_rule=1
|
||||
local PREROUTING_rule
|
||||
PREROUTING_rule=1
|
||||
local POSTROUTING_rule
|
||||
POSTROUTING_rule=1
|
||||
#
|
||||
# Jump to a NAT chain from one of the builtin nat chains
|
||||
#
|
||||
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||
{
|
||||
local sourcechain=$1 destchain=$2
|
||||
local sourcechain
|
||||
sourcechain=$1
|
||||
local destchain
|
||||
destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
@ -4022,7 +4147,10 @@ activate_rules()
|
||||
#
|
||||
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||
{
|
||||
local sourcechain=$1 destchain=$2
|
||||
local sourcechain
|
||||
sourcechain=$1
|
||||
local destchain
|
||||
destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
@ -4050,7 +4178,15 @@ activate_rules()
|
||||
#
|
||||
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
|
||||
{
|
||||
local t=$1 c=$2 num=0 host1 interface1 networks1
|
||||
local t
|
||||
t=$1
|
||||
local c
|
||||
c=$2
|
||||
local num
|
||||
num=0
|
||||
local host1
|
||||
local interface1
|
||||
local networks1
|
||||
|
||||
shift 2
|
||||
|
||||
@ -4066,7 +4202,13 @@ activate_rules()
|
||||
#
|
||||
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
|
||||
{
|
||||
local t=$1 c=$2 host1 interface1 networks1
|
||||
local t
|
||||
t=$1
|
||||
local c
|
||||
c=$2
|
||||
local host1
|
||||
local interface1
|
||||
local networks1
|
||||
|
||||
shift 2
|
||||
|
||||
@ -4114,7 +4256,8 @@ activate_rules()
|
||||
eval exclusions=\"\$${zone}_exclusions\"
|
||||
|
||||
if [ -n "$exclusions" ]; then
|
||||
local num=1
|
||||
local num
|
||||
num=1
|
||||
in_chain=${zone}_input
|
||||
out_chain=${zone}_output
|
||||
createchain $in_chain No
|
||||
@ -4562,8 +4705,10 @@ activate_rules()
|
||||
# from that script are available here
|
||||
#
|
||||
compile_stop_firewall() {
|
||||
local IPTABLES_COMMAND="\$IPTABLES"
|
||||
local INDENT=" "
|
||||
local IPTABLES_COMMAND
|
||||
IPTABLES_COMMAND="\$IPTABLES"
|
||||
local INDENT
|
||||
INDENT=" "
|
||||
|
||||
cat >&3 << __EOF__
|
||||
|
||||
@ -4907,10 +5052,18 @@ mycat()
|
||||
#
|
||||
compile_firewall() # $1 = File Name
|
||||
{
|
||||
local IPTABLES_COMMAND=run_iptables
|
||||
local INDENT=""
|
||||
local checking= outfile=$1 dir=
|
||||
local match=
|
||||
local IPTABLES_COMMAND
|
||||
IPTABLES_COMMAND=run_iptables
|
||||
local INDENT
|
||||
INDENT=""
|
||||
local checking
|
||||
checking=
|
||||
local outfile
|
||||
outfile=$1
|
||||
local dir
|
||||
dir=
|
||||
local match
|
||||
match=
|
||||
|
||||
setup_mss()
|
||||
{
|
||||
@ -5158,7 +5311,8 @@ __EOF__
|
||||
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
|
||||
fi
|
||||
|
||||
local version=\$(cat \${SHAREDIR}/version)
|
||||
local version
|
||||
version=\$(cat \${SHAREDIR}/version)
|
||||
|
||||
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
|
||||
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
|
||||
@ -5298,7 +5452,8 @@ __EOF__
|
||||
# Start/Restart/Reload the firewall
|
||||
#
|
||||
define_firewall() {
|
||||
local restore_file=\$1
|
||||
local restore_file
|
||||
restore_file=\$1
|
||||
__EOF__
|
||||
|
||||
INDENT=" "
|
||||
|
@ -1,6 +1,14 @@
|
||||
--- /home/teastep/shorewall/branches/3.4/Shorewall/compiler 2007-07-04 08:07:46.000000000 -0700
|
||||
+++ compiler 2007-07-08 07:18:45.000000000 -0700
|
||||
@@ -35,6 +35,12 @@
|
||||
--- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400
|
||||
+++ compiler 2008-03-09 16:00:16.000000000 -0400
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
|
||||
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
@@ -35,6 +35,11 @@
|
||||
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
|
||||
# VERBOSE Standard Shorewall verbosity control.
|
||||
|
||||
@ -8,12 +16,72 @@
|
||||
+BASE_VERSION_PRINTABLE=4.0.0
|
||||
+CONFIG_VERSION=40000
|
||||
+CONFIG_VERSION_PRINTABLE=4.0.0
|
||||
+
|
||||
+
|
||||
#
|
||||
# Fatal error -- stops the compiler after issuing the error message
|
||||
#
|
||||
@@ -673,11 +679,11 @@
|
||||
@@ -128,7 +133,8 @@
|
||||
#
|
||||
append_file() # $1 = File Name
|
||||
{
|
||||
- local user_exit=$(find_file $1)
|
||||
+ local user_exit
|
||||
+ user_exit=$(find_file $1)
|
||||
|
||||
case $user_exit in
|
||||
$SHAREDIR/*)
|
||||
@@ -210,7 +216,8 @@
|
||||
#
|
||||
finish_chain_section() # $1 = canonical chain $2 = state list
|
||||
{
|
||||
- local policy policychain
|
||||
+ local policy
|
||||
+ local policychain
|
||||
|
||||
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
||||
|
||||
@@ -241,7 +248,9 @@
|
||||
|
||||
finish_section() # $1 = Section(s)
|
||||
{
|
||||
- local zone zone1 chain
|
||||
+ local zone
|
||||
+ local zone1
|
||||
+ local chain
|
||||
|
||||
for zone in $ZONES $FW; do
|
||||
for zone1 in $ZONES $FW; do
|
||||
@@ -263,7 +272,8 @@
|
||||
#
|
||||
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
|
||||
{
|
||||
- local c=$(chain_base $1)
|
||||
+ local c
|
||||
+ c=$(chain_base $1)
|
||||
|
||||
run_iptables -N $1
|
||||
|
||||
@@ -286,7 +296,8 @@
|
||||
#
|
||||
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
{
|
||||
- local c=$(chain_base $1)
|
||||
+ local c
|
||||
+ c=$(chain_base $1)
|
||||
|
||||
ensurechain $1
|
||||
|
||||
@@ -313,7 +324,8 @@
|
||||
#
|
||||
havechain() # $1 = name of chain
|
||||
{
|
||||
- local c=$(chain_base $1)
|
||||
+ local c
|
||||
+ c=$(chain_base $1)
|
||||
|
||||
eval test \"\$exists_${c}\" = Yes
|
||||
}
|
||||
@@ -675,11 +687,11 @@
|
||||
progress_message2 "Compiling IP Forwarding..."
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
@ -27,7 +95,504 @@
|
||||
save_progress_message "IP Forwarding Disabled!"
|
||||
save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
|
||||
;;
|
||||
@@ -3767,7 +3773,7 @@
|
||||
@@ -719,16 +731,25 @@
|
||||
#
|
||||
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||
{
|
||||
- local level=$1
|
||||
- local chain=$2
|
||||
- local displayChain=$3
|
||||
- local disposition=$4
|
||||
- local rulenum=
|
||||
- local limit=
|
||||
- local tag=$6
|
||||
- local command=${7:--A}
|
||||
+ local level
|
||||
+ level=$1
|
||||
+ local chain
|
||||
+ chain=$2
|
||||
+ local displayChain
|
||||
+ displayChain=$3
|
||||
+ local disposition
|
||||
+ disposition=$4
|
||||
+ local rulenum
|
||||
+ rulenum=
|
||||
+ local limit
|
||||
+ limit=
|
||||
+ local tag
|
||||
+ tag=$6
|
||||
+ local command
|
||||
+ command=${7:--A}
|
||||
local prefix
|
||||
- local base=$(chain_base $displayChain)
|
||||
+ local base
|
||||
+ base=$(chain_base $displayChain)
|
||||
|
||||
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
|
||||
|
||||
@@ -739,9 +760,12 @@
|
||||
|
||||
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
|
||||
{
|
||||
- local level=$1
|
||||
- local chain=$2
|
||||
- local disposition=$3
|
||||
+ local level
|
||||
+ level=$1
|
||||
+ local chain
|
||||
+ chain=$2
|
||||
+ local disposition
|
||||
+ disposition=$3
|
||||
|
||||
shift 3
|
||||
|
||||
@@ -756,9 +780,12 @@
|
||||
# $2 = synparams
|
||||
# $3 = loglevel
|
||||
{
|
||||
- local chain=@$1
|
||||
- local limit=$2
|
||||
- local limit_burst=
|
||||
+ local chain
|
||||
+ chain=@$1
|
||||
+ local limit
|
||||
+ limit=$2
|
||||
+ local limit_burst
|
||||
+ limit_burst=
|
||||
|
||||
case $limit in
|
||||
*:*)
|
||||
@@ -837,8 +864,10 @@
|
||||
#
|
||||
setup_ecn() # $1 = file name
|
||||
{
|
||||
- local interfaces=""
|
||||
- local hosts=
|
||||
+ local interfaces
|
||||
+ interfaces=""
|
||||
+ local hosts
|
||||
+ hosts=
|
||||
local h
|
||||
|
||||
if [ -s ${TMP_DIR}/ecn ]; then
|
||||
@@ -886,7 +915,8 @@
|
||||
#
|
||||
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
|
||||
{
|
||||
- local c=excl_${EXCLUSION_SEQ} net
|
||||
+ local c
|
||||
+ c=excl_${EXCLUSION_SEQ} net
|
||||
|
||||
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
|
||||
|
||||
@@ -916,7 +946,10 @@
|
||||
# Setup queuing and classes
|
||||
#
|
||||
setup_tc1() {
|
||||
- local mark_part= comment=
|
||||
+ local mark_part
|
||||
+ mark_part=
|
||||
+ local comment
|
||||
+ comment=
|
||||
#
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
@@ -1025,7 +1058,8 @@
|
||||
#
|
||||
refresh_tc() {
|
||||
|
||||
- local comment=
|
||||
+ local comment
|
||||
+ comment=
|
||||
|
||||
if [ -n "$CLEAR_TC" ]; then
|
||||
delete_tc
|
||||
@@ -1089,9 +1123,12 @@
|
||||
#
|
||||
compile_refresh_firewall()
|
||||
{
|
||||
- local INDENT=""
|
||||
- local DOING="Compiling Refresh of"
|
||||
- local DONE="Compiled"
|
||||
+ local INDENT
|
||||
+ INDENT=""
|
||||
+ local DOING
|
||||
+ DOING="Compiling Refresh of"
|
||||
+ local DONE
|
||||
+ DONE="Compiled"
|
||||
local indent
|
||||
|
||||
save_command "refresh_firewall()"
|
||||
@@ -1142,7 +1179,8 @@
|
||||
process_action_file() # $1 = File Name
|
||||
{
|
||||
if ! list_search $1 $BUILTIN_ACTIONS; then
|
||||
- local user_exit=$(find_file $1)
|
||||
+ local user_exit
|
||||
+ user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
@@ -1173,7 +1211,12 @@
|
||||
|
||||
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
{
|
||||
- local actchain= action=$1 level=$2
|
||||
+ local actchain
|
||||
+ actchain=
|
||||
+ local action
|
||||
+ action=$1
|
||||
+ local level
|
||||
+ level=$2
|
||||
|
||||
eval actchain=\${${action}_actchain}
|
||||
|
||||
@@ -1259,7 +1302,14 @@
|
||||
#
|
||||
find_logactionchain() # $1 = Action, including log level and tag if any
|
||||
{
|
||||
- local fullaction=$1 action=${1%%:*} level= chains=
|
||||
+ local fullaction
|
||||
+ fullaction=$1
|
||||
+ local action
|
||||
+ action=${1%%:*}
|
||||
+ local level
|
||||
+ level=
|
||||
+ local chains
|
||||
+ chains=
|
||||
|
||||
find_simpleaction() {
|
||||
havechain $action || fatal_error "Fatal error in find_logactionchain"
|
||||
@@ -1302,7 +1352,10 @@
|
||||
#
|
||||
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
||||
{
|
||||
- local superior=$1 subordinate=$2
|
||||
+ local superior
|
||||
+ superior=$1
|
||||
+ local subordinate
|
||||
+ subordinate=$2
|
||||
|
||||
set -- $(split $1)
|
||||
|
||||
@@ -1379,7 +1432,9 @@
|
||||
#
|
||||
map_old_action() # $1 = Potential Old Action
|
||||
{
|
||||
- local macro= aktion
|
||||
+ local macro
|
||||
+ macro=
|
||||
+ local aktion
|
||||
|
||||
if [ -n "$MAPOLDACTIONS" ]; then
|
||||
case $1 in
|
||||
@@ -1432,7 +1487,8 @@
|
||||
#
|
||||
substitute_action() # $1 = parameter, $2 = action
|
||||
{
|
||||
- local logpart=${2#*:}
|
||||
+ local logpart
|
||||
+ logpart=${2#*:}
|
||||
|
||||
case $2 in
|
||||
*:*)
|
||||
@@ -1630,7 +1686,8 @@
|
||||
# policy = Applicable Policy
|
||||
#
|
||||
add_a_rule() {
|
||||
- local natrule=
|
||||
+ local natrule
|
||||
+ natrule=
|
||||
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
@@ -2118,19 +2175,32 @@
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
- local target="$1"
|
||||
- local clients="$2"
|
||||
- local servers="$3"
|
||||
- local protocol="$4"
|
||||
- local ports="$5"
|
||||
- local cports="$6"
|
||||
- local address="$7"
|
||||
- local ratelimit="$8"
|
||||
- local userspec="$9"
|
||||
- local mark="${10}"
|
||||
- local userandgroup=
|
||||
- local logtag=
|
||||
- local nonat=
|
||||
+ local target
|
||||
+ target="$1"
|
||||
+ local clients
|
||||
+ clients="$2"
|
||||
+ local servers
|
||||
+ servers="$3"
|
||||
+ local protocol
|
||||
+ protocol="$4"
|
||||
+ local ports
|
||||
+ ports="$5"
|
||||
+ local cports
|
||||
+ cports="$6"
|
||||
+ local address
|
||||
+ address="$7"
|
||||
+ local ratelimit
|
||||
+ ratelimit="$8"
|
||||
+ local userspec
|
||||
+ userspec="$9"
|
||||
+ local mark
|
||||
+ mark="${10}"
|
||||
+ local userandgroup
|
||||
+ userandgroup=
|
||||
+ local logtag
|
||||
+ logtag=
|
||||
+ local nonat
|
||||
+ nonat=
|
||||
|
||||
# # # # # F u n c t i o n B o d y # # # # #
|
||||
|
||||
@@ -2483,21 +2553,35 @@
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
- local itarget="$1"
|
||||
- local param="$2"
|
||||
- local iclients="$3"
|
||||
- local iservers="$4"
|
||||
- local iprotocol="$5"
|
||||
- local iports="$6"
|
||||
- local icports="$7"
|
||||
- local iaddress="$8"
|
||||
- local iratelimit="$9"
|
||||
- local iuserspec="${10}"
|
||||
- local imark="${11}"
|
||||
+ local itarget
|
||||
+ itarget="$1"
|
||||
+ local param
|
||||
+ param="$2"
|
||||
+ local iclients
|
||||
+ iclients="$3"
|
||||
+ local iservers
|
||||
+ iservers="$4"
|
||||
+ local iprotocol
|
||||
+ iprotocol="$5"
|
||||
+ local iports
|
||||
+ iports="$6"
|
||||
+ local icports
|
||||
+ icports="$7"
|
||||
+ local iaddress
|
||||
+ iaddress="$8"
|
||||
+ local iratelimit
|
||||
+ iratelimit="$9"
|
||||
+ local iuserspec
|
||||
+ iuserspec="${10}"
|
||||
+ local imark
|
||||
+ imark="${11}"
|
||||
|
||||
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
|
||||
|
||||
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||||
+
|
||||
+ [ $mtarget = COMMENT ] && continue
|
||||
+
|
||||
mtarget=$(merge_levels $itarget $mtarget)
|
||||
|
||||
case $mtarget in
|
||||
@@ -2575,13 +2659,19 @@
|
||||
#
|
||||
process_rules()
|
||||
{
|
||||
- local comment= optimize
|
||||
+ local comment
|
||||
+ comment=
|
||||
+ local optimize
|
||||
#
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
|
||||
{
|
||||
- local yclients yservers ysourcezone ydestzone ypolicy
|
||||
+ local yclients
|
||||
+ local yservers
|
||||
+ local ysourcezone
|
||||
+ local ydestzone
|
||||
+ local ypolicy
|
||||
|
||||
for yclients in $xclients; do
|
||||
for yservers in $xservers; do
|
||||
@@ -2614,7 +2704,8 @@
|
||||
|
||||
do_it() # $1 = "Yes" if the target is a macro.
|
||||
{
|
||||
- local intrazone=
|
||||
+ local intrazone
|
||||
+ intrazone=
|
||||
|
||||
if [ -z "$SECTIONS" ]; then
|
||||
finish_section ESTABLISHED,RELATED
|
||||
@@ -2794,17 +2885,35 @@
|
||||
#
|
||||
process_default_macro() # $1 = macro name
|
||||
{
|
||||
- local macro=$1
|
||||
- local address=
|
||||
- local multioption=
|
||||
- local servport=
|
||||
- local chain=$1
|
||||
- local logchain=$1
|
||||
- local userandgroup=
|
||||
- local logtag=
|
||||
- local excludesource=
|
||||
- local target client server protocol port cport ratelimit userspec rule
|
||||
- local f=$(find_file macro.${macro})
|
||||
+ local macro
|
||||
+ macro=$1
|
||||
+ local address
|
||||
+ address=
|
||||
+ local multioption
|
||||
+ multioption=
|
||||
+ local servport
|
||||
+ servport=
|
||||
+ local chain
|
||||
+ chain=$1
|
||||
+ local logchain
|
||||
+ logchain=$1
|
||||
+ local userandgroup
|
||||
+ userandgroup=
|
||||
+ local logtag
|
||||
+ logtag=
|
||||
+ local excludesource
|
||||
+ excludesource=
|
||||
+ local target
|
||||
+ local client
|
||||
+ local server
|
||||
+ local protocol
|
||||
+ local port
|
||||
+ local cport
|
||||
+ local ratelimit
|
||||
+ local userspec
|
||||
+ local rule
|
||||
+ local f
|
||||
+ f=$(find_file macro.${macro})
|
||||
|
||||
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
|
||||
|
||||
@@ -3062,7 +3171,10 @@
|
||||
#
|
||||
process_tos() # $1 = name of tos file
|
||||
{
|
||||
- local chain=pretos stdchain=PREROUTING
|
||||
+ local chain
|
||||
+ chain=pretos
|
||||
+ local stdchain
|
||||
+ stdchain=PREROUTING
|
||||
|
||||
if [ -n "$MANGLE_FORWARD" ]; then
|
||||
chain=fortos
|
||||
@@ -3093,8 +3205,10 @@
|
||||
# $3 = loglevel
|
||||
# $4 = Default Action/Macro
|
||||
{
|
||||
- local target="$2"
|
||||
- local default="$4"
|
||||
+ local target
|
||||
+ target="$2"
|
||||
+ local default
|
||||
+ default="$4"
|
||||
|
||||
if [ -n "$default" ]; then
|
||||
[ "$default" = none ] || run_iptables -A $1 -j $default
|
||||
@@ -3131,9 +3245,12 @@
|
||||
#
|
||||
default_policy() # $1 = client $2 = server
|
||||
{
|
||||
- local chain="${1}2${2}"
|
||||
- local policy=
|
||||
- local loglevel=
|
||||
+ local chain
|
||||
+ chain="${1}2${2}"
|
||||
+ local policy
|
||||
+ policy=
|
||||
+ local loglevel
|
||||
+ loglevel=
|
||||
local chain1
|
||||
|
||||
jump_to_policy_chain() {
|
||||
@@ -3235,14 +3352,18 @@
|
||||
#
|
||||
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
{
|
||||
- local policy=
|
||||
- local loglevel=
|
||||
- local policychain=
|
||||
- local default=
|
||||
+ local policy
|
||||
+ policy=
|
||||
+ local loglevel
|
||||
+ loglevel=
|
||||
+ local policychain
|
||||
+ policychain=
|
||||
+ local default
|
||||
+ default=
|
||||
|
||||
run_user_exit $1
|
||||
|
||||
- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
eval policychain=\$${2}2${3}_policychain
|
||||
|
||||
@@ -3267,7 +3388,8 @@
|
||||
#
|
||||
rules_chain() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
- local chain=${1}2${2} local policy
|
||||
+ local chain
|
||||
+ chain=${1}2${2} local policy
|
||||
|
||||
havechain $chain && { echo $chain; return; }
|
||||
|
||||
@@ -3376,8 +3498,10 @@
|
||||
|
||||
process_blacklist()
|
||||
{
|
||||
- local disposition=$BLACKLIST_DISPOSITION
|
||||
- local f=$(find_file blacklist)
|
||||
+ local disposition
|
||||
+ disposition=$BLACKLIST_DISPOSITION
|
||||
+ local f
|
||||
+ f=$(find_file blacklist)
|
||||
local target
|
||||
|
||||
if [ -s $TMP_DIR/blacklist ]; then
|
||||
@@ -3411,8 +3535,10 @@
|
||||
# Setup the Black List
|
||||
#
|
||||
setup_blacklist() {
|
||||
- local hosts="$(find_hosts_by_option blacklist)"
|
||||
- local ipsec policy
|
||||
+ local hosts
|
||||
+ hosts="$(find_hosts_by_option blacklist)"
|
||||
+ local ipsec
|
||||
+ local policy
|
||||
|
||||
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
|
||||
progress_message2 "$DOING Blacklisting..."
|
||||
@@ -3457,8 +3583,10 @@
|
||||
# Construct zone-independent rules
|
||||
#
|
||||
add_common_rules() {
|
||||
- local savelogparms="$LOGPARMS"
|
||||
- local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
+ local savelogparms
|
||||
+ savelogparms="$LOGPARMS"
|
||||
+ local broadcasts
|
||||
+ broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
#
|
||||
# Populate the smurf chain
|
||||
#
|
||||
@@ -3788,7 +3916,7 @@
|
||||
|
||||
save_progress_message "Setting up Route Filtering..."
|
||||
|
||||
@ -36,7 +601,7 @@
|
||||
indent >&3 << __EOF__
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
@@ -3791,8 +3797,10 @@
|
||||
@@ -3812,8 +3940,10 @@
|
||||
|
||||
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
|
||||
|
||||
@ -48,7 +613,7 @@
|
||||
fi
|
||||
|
||||
save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
|
||||
@@ -3808,7 +3816,7 @@
|
||||
@@ -3829,7 +3959,7 @@
|
||||
|
||||
save_progress_message "Setting up Martian Logging..."
|
||||
|
||||
@ -57,7 +622,7 @@
|
||||
indent >&3 << __EOF__
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
@@ -3831,9 +3839,12 @@
|
||||
@@ -3852,9 +3982,12 @@
|
||||
__EOF__
|
||||
done
|
||||
|
||||
@ -71,16 +636,120 @@
|
||||
fi
|
||||
|
||||
fi
|
||||
@@ -4890,7 +4901,7 @@
|
||||
;;
|
||||
esac
|
||||
@@ -3984,14 +4117,19 @@
|
||||
#
|
||||
activate_rules()
|
||||
{
|
||||
- local PREROUTING_rule=1
|
||||
- local POSTROUTING_rule=1
|
||||
+ local PREROUTING_rule
|
||||
+ PREROUTING_rule=1
|
||||
+ local POSTROUTING_rule
|
||||
+ POSTROUTING_rule=1
|
||||
#
|
||||
# Jump to a NAT chain from one of the builtin nat chains
|
||||
#
|
||||
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||
{
|
||||
- local sourcechain=$1 destchain=$2
|
||||
+ local sourcechain
|
||||
+ sourcechain=$1
|
||||
+ local destchain
|
||||
+ destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
- run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option
|
||||
+ run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
||||
}
|
||||
@@ -4009,7 +4147,10 @@
|
||||
#
|
||||
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||
{
|
||||
- local sourcechain=$1 destchain=$2
|
||||
+ local sourcechain
|
||||
+ sourcechain=$1
|
||||
+ local destchain
|
||||
+ destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
progress_message2 "Initializing..."
|
||||
@@ -4930,7 +4941,7 @@
|
||||
@@ -4037,7 +4178,15 @@
|
||||
#
|
||||
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
|
||||
{
|
||||
- local t=$1 c=$2 num=0 host1 interface1 networks1
|
||||
+ local t
|
||||
+ t=$1
|
||||
+ local c
|
||||
+ c=$2
|
||||
+ local num
|
||||
+ num=0
|
||||
+ local host1
|
||||
+ local interface1
|
||||
+ local networks1
|
||||
|
||||
shift 2
|
||||
|
||||
@@ -4053,7 +4202,13 @@
|
||||
#
|
||||
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
|
||||
{
|
||||
- local t=$1 c=$2 host1 interface1 networks1
|
||||
+ local t
|
||||
+ t=$1
|
||||
+ local c
|
||||
+ c=$2
|
||||
+ local host1
|
||||
+ local interface1
|
||||
+ local networks1
|
||||
|
||||
shift 2
|
||||
|
||||
@@ -4101,7 +4256,8 @@
|
||||
eval exclusions=\"\$${zone}_exclusions\"
|
||||
|
||||
if [ -n "$exclusions" ]; then
|
||||
- local num=1
|
||||
+ local num
|
||||
+ num=1
|
||||
in_chain=${zone}_input
|
||||
out_chain=${zone}_output
|
||||
createchain $in_chain No
|
||||
@@ -4549,8 +4705,10 @@
|
||||
# from that script are available here
|
||||
#
|
||||
compile_stop_firewall() {
|
||||
- local IPTABLES_COMMAND="\$IPTABLES"
|
||||
- local INDENT=" "
|
||||
+ local IPTABLES_COMMAND
|
||||
+ IPTABLES_COMMAND="\$IPTABLES"
|
||||
+ local INDENT
|
||||
+ INDENT=" "
|
||||
|
||||
cat >&3 << __EOF__
|
||||
|
||||
@@ -4894,10 +5052,18 @@
|
||||
#
|
||||
compile_firewall() # $1 = File Name
|
||||
{
|
||||
- local IPTABLES_COMMAND=run_iptables
|
||||
- local INDENT=""
|
||||
- local checking= outfile=$1 dir=
|
||||
- local match=
|
||||
+ local IPTABLES_COMMAND
|
||||
+ IPTABLES_COMMAND=run_iptables
|
||||
+ local INDENT
|
||||
+ INDENT=""
|
||||
+ local checking
|
||||
+ checking=
|
||||
+ local outfile
|
||||
+ outfile=$1
|
||||
+ local dir
|
||||
+ dir=
|
||||
+ local match
|
||||
+ match=
|
||||
|
||||
setup_mss()
|
||||
{
|
||||
@@ -4951,7 +5117,7 @@
|
||||
|
||||
cat >&3 << __EOF__
|
||||
#
|
||||
@ -89,7 +758,71 @@
|
||||
#
|
||||
__EOF__
|
||||
|
||||
@@ -5732,6 +5743,11 @@
|
||||
@@ -4959,7 +5125,10 @@
|
||||
cat >&3 << __EOF__
|
||||
SHAREDIR=/usr/share/shorewall-lite
|
||||
CONFDIR=/etc/shorewall-lite
|
||||
-VARDIR=/var/lib/shorewall-lite
|
||||
+
|
||||
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
|
||||
+
|
||||
+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
|
||||
|
||||
__EOF__
|
||||
|
||||
@@ -4976,7 +5145,10 @@
|
||||
cat >&3 << __EOF__
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
-VARDIR=/var/lib/shorewall
|
||||
+
|
||||
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
|
||||
+
|
||||
+[ -n "\${VARDIR:=/var/lib/shorewall}" ]
|
||||
|
||||
. \${SHAREDIR}/lib.base
|
||||
__EOF__
|
||||
@@ -5139,7 +5311,8 @@
|
||||
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
|
||||
fi
|
||||
|
||||
- local version=\$(cat \${SHAREDIR}/version)
|
||||
+ local version
|
||||
+ version=\$(cat \${SHAREDIR}/version)
|
||||
|
||||
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
|
||||
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
|
||||
@@ -5178,6 +5351,7 @@
|
||||
LOCKFILE="$LOCKFILE"
|
||||
PATH="$PATH"
|
||||
TERMINATOR=fatal_error
|
||||
+ DONT_LOAD="$DONT_LOAD"
|
||||
|
||||
__EOF__
|
||||
if [ -n "$IPTABLES" ]; then
|
||||
@@ -5278,7 +5452,8 @@
|
||||
# Start/Restart/Reload the firewall
|
||||
#
|
||||
define_firewall() {
|
||||
- local restore_file=\$1
|
||||
+ local restore_file
|
||||
+ restore_file=\$1
|
||||
__EOF__
|
||||
|
||||
INDENT=" "
|
||||
@@ -5727,9 +5902,9 @@
|
||||
# E X E C U T I O N B E G I N S H E R E
|
||||
#
|
||||
#
|
||||
-# Start trace if first arg is "debug"
|
||||
+# Start trace if first arg is "debug" or "trace"
|
||||
#
|
||||
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
|
||||
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
|
||||
|
||||
NOLOCK=
|
||||
|
||||
@@ -5754,6 +5929,11 @@
|
||||
fi
|
||||
done
|
||||
|
||||
|
@ -1,11 +1,22 @@
|
||||
--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels 2007-03-22 15:27:26.000000000 -0700
|
||||
+++ lib.tunnels 2007-07-03 07:57:16.000000000 -0700
|
||||
@@ -37,19 +37,28 @@
|
||||
--- ../../3.4/Shorewall/lib.tunnels 2007-10-26 19:10:45.000000000 -0400
|
||||
+++ lib.tunnels 2008-03-09 15:55:46.000000000 -0400
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
|
||||
+# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
@@ -37,19 +37,31 @@
|
||||
|
||||
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
|
||||
{
|
||||
- local kind=$1 noah=
|
||||
+ local kind=$1 noah=noah
|
||||
+ local kind
|
||||
+ kind=$1
|
||||
+ local noah
|
||||
+ noah=noah
|
||||
|
||||
case $kind in
|
||||
*:*)
|
||||
@ -32,3 +43,52 @@
|
||||
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule2 $inchain -p 50 $source -j ACCEPT
|
||||
@@ -125,8 +137,10 @@
|
||||
|
||||
setup_one_openvpn() # $1 = kind[:port]
|
||||
{
|
||||
- local protocol=udp
|
||||
- local p=1194
|
||||
+ local protocol
|
||||
+ protocol=udp
|
||||
+ local p
|
||||
+ p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@@ -150,8 +164,10 @@
|
||||
|
||||
setup_one_openvpn_server() # $1 = kind[:port]
|
||||
{
|
||||
- local protocol=udp
|
||||
- local p=1194
|
||||
+ local protocol
|
||||
+ protocol=udp
|
||||
+ local p
|
||||
+ p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@@ -175,8 +191,10 @@
|
||||
|
||||
setup_one_openvpn_client() # $1 = kind[:port]
|
||||
{
|
||||
- local protocol=udp
|
||||
- local p=1194
|
||||
+ local protocol
|
||||
+ protocol=udp
|
||||
+ local p
|
||||
+ p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@@ -201,7 +219,8 @@
|
||||
setup_one_generic() # $1 = kind:protocol[:port]
|
||||
{
|
||||
local protocol
|
||||
- local p=
|
||||
+ local p
|
||||
+ p=
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
|
@ -35,7 +35,8 @@ usage() # $1 = exit status
|
||||
}
|
||||
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
|
@ -252,19 +252,32 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
# $10 = userspec
|
||||
# $11 = mark
|
||||
{
|
||||
local chain="$1"
|
||||
local action="$2"
|
||||
local target="$3"
|
||||
local clients="$4"
|
||||
local servers="$5"
|
||||
local protocol="$6"
|
||||
local ports="$7"
|
||||
local cports="$8"
|
||||
local ratelimit="$9"
|
||||
local userspec="${10}"
|
||||
local mark="${11}"
|
||||
local userandgroup=
|
||||
local logtag=
|
||||
local chain
|
||||
chain="$1"
|
||||
local action
|
||||
action="$2"
|
||||
local target
|
||||
target="$3"
|
||||
local clients
|
||||
clients="$4"
|
||||
local servers
|
||||
servers="$5"
|
||||
local protocol
|
||||
protocol="$6"
|
||||
local ports
|
||||
ports="$7"
|
||||
local cports
|
||||
cports="$8"
|
||||
local ratelimit
|
||||
ratelimit="$9"
|
||||
local userspec
|
||||
userspec="${10}"
|
||||
local mark
|
||||
mark="${11}"
|
||||
local userandgroup
|
||||
userandgroup=
|
||||
local logtag
|
||||
logtag=
|
||||
|
||||
if [ -n "$ratelimit" ]; then
|
||||
case $ratelimit in
|
||||
@ -483,7 +496,10 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
#
|
||||
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
||||
{
|
||||
local superior=$1 subordinate=$2
|
||||
local superior
|
||||
superior=$1
|
||||
local subordinate
|
||||
subordinate=$2
|
||||
|
||||
set -- $(split $1)
|
||||
|
||||
@ -690,7 +706,8 @@ process_actions1() {
|
||||
|
||||
process_actions2() {
|
||||
|
||||
local interfaces="$(find_interfaces_by_option upnp)"
|
||||
local interfaces
|
||||
interfaces="$(find_interfaces_by_option upnp)"
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||
@ -735,7 +752,10 @@ process_actions2() {
|
||||
|
||||
process_action3() {
|
||||
|
||||
local f=action.$xaction1 comment=
|
||||
local f
|
||||
f=action.$xaction1
|
||||
local comment
|
||||
comment=
|
||||
|
||||
progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
|
||||
|
||||
|
@ -40,7 +40,8 @@ setup_mac_lists() # $1 = Phase Number
|
||||
local blob
|
||||
local hosts
|
||||
local ipsec
|
||||
local policy=
|
||||
local policy
|
||||
policy=
|
||||
|
||||
create_mac_chain()
|
||||
{
|
||||
|
@ -31,10 +31,13 @@
|
||||
#
|
||||
setup_masq()
|
||||
{
|
||||
local comment=
|
||||
local comment
|
||||
comment=
|
||||
|
||||
do_ipsec_options() {
|
||||
local options="$(separate_list $ipsec)" option
|
||||
local options
|
||||
options="$(separate_list $ipsec)"
|
||||
local option
|
||||
[ -n "$ORIGINAL_POLICY_MATCH" ] || \
|
||||
fatal_error "IPSEC options require policy match support in your kernel and iptables"
|
||||
policy="-m policy --pol ipsec --dir out"
|
||||
@ -62,7 +65,14 @@ setup_masq()
|
||||
}
|
||||
|
||||
setup_one() {
|
||||
local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets=
|
||||
local add_snat_aliases
|
||||
add_snat_aliases=$ADD_SNAT_ALIASES
|
||||
local pre_nat
|
||||
pre_nat=
|
||||
local policy
|
||||
policy=
|
||||
local destnets
|
||||
destnets=
|
||||
|
||||
[ "x$ipsec" = x- ] && ipsec=
|
||||
|
||||
@ -475,7 +485,22 @@ __EOF__
|
||||
# Setup Static Network Address Translation (NAT)
|
||||
#
|
||||
setup_nat() {
|
||||
local external= interface= internal= allints= localnat= policyin= policyout= comment=
|
||||
local external
|
||||
external=
|
||||
local interface
|
||||
interface=
|
||||
local internal
|
||||
internal=
|
||||
local allints
|
||||
allints=
|
||||
local localnat
|
||||
localnat=
|
||||
local policyin
|
||||
policyin=
|
||||
local policyout
|
||||
policyout=
|
||||
local comment
|
||||
comment=
|
||||
|
||||
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
||||
{
|
||||
@ -493,7 +518,10 @@ setup_nat() {
|
||||
}
|
||||
|
||||
do_one_nat() {
|
||||
local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
|
||||
local add_ip_aliases
|
||||
add_ip_aliases=$ADD_IP_ALIASES
|
||||
local iface
|
||||
iface=${interface%:*}
|
||||
|
||||
if [ -n "$add_ip_aliases" ]; then
|
||||
case $interface in
|
||||
@ -613,7 +641,8 @@ setup_netmap() {
|
||||
#
|
||||
add_nat_rule() {
|
||||
local chain
|
||||
local excludedests=
|
||||
local excludedests
|
||||
excludedests=
|
||||
|
||||
# Be sure we can NAT
|
||||
|
||||
|
@ -30,7 +30,30 @@
|
||||
#
|
||||
setup_providers()
|
||||
{
|
||||
local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase balance save_indent="$INDENT" mask= first=Yes save_indent1=
|
||||
local table
|
||||
local number
|
||||
local mark
|
||||
local duplicate
|
||||
local interface
|
||||
local gateway
|
||||
local options
|
||||
local provider
|
||||
local address
|
||||
local copy
|
||||
local route
|
||||
local loose
|
||||
local addresses
|
||||
local rulenum
|
||||
local rulebase
|
||||
local balance
|
||||
local save_indent
|
||||
save_indent="$INDENT"
|
||||
local mask
|
||||
mask=
|
||||
local first
|
||||
first=Yes
|
||||
local save_indent1
|
||||
save_indent1=
|
||||
|
||||
copy_table() {
|
||||
indent >&3 << __EOF__
|
||||
@ -88,7 +111,12 @@ __EOF__
|
||||
}
|
||||
|
||||
add_a_provider() {
|
||||
local t n iface option optional=
|
||||
local t
|
||||
local n
|
||||
local iface
|
||||
local option
|
||||
local optional
|
||||
optional=
|
||||
|
||||
[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
|
||||
|
||||
@ -269,7 +297,8 @@ __EOF__
|
||||
|
||||
verify_provider()
|
||||
{
|
||||
local p n
|
||||
local p
|
||||
local n
|
||||
|
||||
for p in $PROVIDERS main; do
|
||||
[ "$p" = "$1" ] && return 0
|
||||
@ -434,7 +463,10 @@ __EOF__
|
||||
#
|
||||
setup_route_marking()
|
||||
{
|
||||
local mask=0xFF save_indent="$INDENT"
|
||||
local mask
|
||||
mask=0xFF
|
||||
local save_indent
|
||||
save_indent="$INDENT"
|
||||
|
||||
[ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00
|
||||
|
||||
|
@ -30,7 +30,10 @@
|
||||
#
|
||||
setup_proxy_arp() {
|
||||
|
||||
local setlist= resetlist=
|
||||
local setlist
|
||||
setlist=
|
||||
local resetlist
|
||||
resetlist=
|
||||
|
||||
print_error() {
|
||||
error_message "Invalid value for HAVEROUTE - ($haveroute)"
|
||||
|
@ -37,11 +37,30 @@
|
||||
#
|
||||
setup_traffic_shaping()
|
||||
{
|
||||
local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 last_device=
|
||||
r2q=10 indent= prefix=1
|
||||
local mtu
|
||||
local r2q
|
||||
local tc_all_devices
|
||||
local device
|
||||
local mark
|
||||
local rate
|
||||
local ceil
|
||||
local prio
|
||||
local options
|
||||
local devfile
|
||||
devfile=$(find_file tcdevices)
|
||||
local classfile
|
||||
classfile=$(find_file tcclasses)
|
||||
local devnum
|
||||
devnum=1
|
||||
local last_device
|
||||
last_device=
|
||||
r2q=10
|
||||
indent=
|
||||
prefix=1
|
||||
|
||||
rate_to_kbit() {
|
||||
local rateunit rate
|
||||
local rateunit
|
||||
local rate
|
||||
rate=$1
|
||||
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
|
||||
rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
|
||||
@ -68,13 +87,16 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
calculate_quantum() {
|
||||
local rate=$(rate_to_kbit $1)
|
||||
local rate
|
||||
rate=$(rate_to_kbit $1)
|
||||
echo $(( $rate * ( 128 / $r2q ) ))
|
||||
}
|
||||
|
||||
# get given outbandwidth for device
|
||||
get_outband_for_dev() {
|
||||
local device inband outband
|
||||
local device
|
||||
local inband
|
||||
local outband
|
||||
while read device inband outband; do
|
||||
tcdev="$device $inband $outband"
|
||||
if [ "$1" = "$device" ] ; then
|
||||
@ -102,7 +124,12 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
get_defmark_for_dev() {
|
||||
local searchdev searchmark device ceil prio options
|
||||
local searchdev
|
||||
local searchmark
|
||||
local device
|
||||
local ceil
|
||||
local prio
|
||||
local options
|
||||
searchdev=$1
|
||||
|
||||
while read device mark rate ceil prio options; do
|
||||
@ -122,7 +149,9 @@ setup_traffic_shaping()
|
||||
|
||||
validate_tcdevices_file() {
|
||||
progress_message2 "Validating $devfile..."
|
||||
local device inband outband
|
||||
local device
|
||||
local inband
|
||||
local outband
|
||||
while read device inband outband; do
|
||||
tcdev="$device $inband $outband"
|
||||
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
|
||||
@ -140,7 +169,16 @@ setup_traffic_shaping()
|
||||
|
||||
validate_tcclasses_file() {
|
||||
progress_message2 "Validating $classfile..."
|
||||
local classlist device mark rate ceil prio bandw wrongopt allopts opt
|
||||
local classlist
|
||||
local device
|
||||
local mark
|
||||
local rate
|
||||
local ceil
|
||||
local prio
|
||||
local bandw
|
||||
local wrongopt
|
||||
local allopts
|
||||
local opt
|
||||
allopts=""
|
||||
while read device mark rate ceil prio options; do
|
||||
tcdev="$device $mark $rate $ceil $prio $options"
|
||||
@ -171,7 +209,8 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
add_root_tc() {
|
||||
local defmark dev
|
||||
local defmark
|
||||
local dev
|
||||
|
||||
dev=$(chain_base $device)
|
||||
|
||||
@ -211,7 +250,11 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
add_tc_class() {
|
||||
local full classid tospair tosmask quantum
|
||||
local full
|
||||
local classid
|
||||
local tospair
|
||||
local tosmask
|
||||
local quantum
|
||||
|
||||
full=$(get_outband_for_dev $device)
|
||||
full=$(rate_to_kbit $full)
|
||||
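Review bot: `indent=` and `prefix=1` at the end of setup_traffic_shaping's declaration run are the only assignments in the rewritten block without a preceding `local` (r2q, which shared the removed `r2q=10 indent= prefix=1` line with them, does get `local r2q`), so both are still written into the caller's scope rather than the function's. If the removed line was a plain assignment statement that is pre-existing behaviour, but the helper functions defined inside setup_traffic_shaping run in its dynamic scope and see its locals anyway, so adding `local indent` and `local prefix` in front of those two lines would make the block consistent with the other nineteen declarations and stop the values leaking out of the function. setup_traffic_shaping's body continues past the hunk.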
|
@ -37,7 +37,10 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
|
||||
{
|
||||
local kind=$1 noah=noah
|
||||
local kind
|
||||
kind=$1
|
||||
local noah
|
||||
noah=noah
|
||||
|
||||
case $kind in
|
||||
*:*)
|
||||
@ -134,8 +137,10 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_openvpn() # $1 = kind[:port]
|
||||
{
|
||||
local protocol=udp
|
||||
local p=1194
|
||||
local protocol
|
||||
protocol=udp
|
||||
local p
|
||||
p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@ -159,8 +164,10 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_openvpn_server() # $1 = kind[:port]
|
||||
{
|
||||
local protocol=udp
|
||||
local p=1194
|
||||
local protocol
|
||||
protocol=udp
|
||||
local p
|
||||
p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@ -184,8 +191,10 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_openvpn_client() # $1 = kind[:port]
|
||||
{
|
||||
local protocol=udp
|
||||
local p=1194
|
||||
local protocol
|
||||
protocol=udp
|
||||
local p
|
||||
p=1194
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
@ -210,7 +219,8 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
setup_one_generic() # $1 = kind:protocol[:port]
|
||||
{
|
||||
local protocol
|
||||
local p=
|
||||
local p
|
||||
p=
|
||||
|
||||
case $1 in
|
||||
*:*:*)
|
||||
|
@ -247,7 +247,8 @@ compiler() {
|
||||
exit 1
|
||||
}
|
||||
|
||||
local command=$1
|
||||
local command
|
||||
command=$1
|
||||
|
||||
shift
|
||||
|
||||
@ -293,10 +294,12 @@ compiler() {
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
do_it() {
|
||||
local rc=0
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
@ -405,7 +408,8 @@ start_command() {
|
||||
# Compile Command Executor
|
||||
#
|
||||
compile_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
@ -485,7 +489,8 @@ compile_command() {
|
||||
# Check Command Executor
|
||||
#
|
||||
check_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -557,7 +562,10 @@ check_command() {
|
||||
# Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished=0 rc=0
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -634,7 +642,8 @@ restart_command() {
|
||||
# Refresh Command Executor
|
||||
#
|
||||
refresh_command() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -695,7 +704,8 @@ refresh_command() {
|
||||
# Safe-start/safe-restart Command Executor
|
||||
#
|
||||
safe_commands() {
|
||||
local finished=0
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
# test is the shell supports timed read
|
||||
read -t 0 junk 2> /dev/null
|
||||
@ -827,7 +837,10 @@ safe_commands() {
|
||||
# 'try' Command Executor
|
||||
#
|
||||
try_command() {
|
||||
local finished=0 timeout=
|
||||
local finished
|
||||
finished=0
|
||||
local timeout
|
||||
timeout=
|
||||
|
||||
handle_directory() {
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
@ -966,7 +979,25 @@ rcp_command() {
|
||||
#
|
||||
reload_command() # $* = original arguments less the command.
|
||||
{
|
||||
local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
|
||||
local verbose
|
||||
verbose=$(make_verbose)
|
||||
local file
|
||||
file=
|
||||
local capabilities
|
||||
capabilities=
|
||||
local finished
|
||||
finished=0
|
||||
local saveit
|
||||
saveit=
|
||||
local result
|
||||
local directory
|
||||
local system
|
||||
local getcaps
|
||||
getcaps=
|
||||
local root
|
||||
root=root
|
||||
local compiler
|
||||
compiler=
|
||||
|
||||
LITEDIR=/var/lib/shorewall-lite
|
||||
|
||||
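Review bot: Exploding the single `local verbose=$(make_verbose) file= … root=root compiler=` line into eighteen lines makes the new `reload_command` prologue harder to scan than it needs to be. If I read the Debian restriction correctly, only the `local name=value` form was flagged, and `local` with several bare names is accepted by dash, so the names could stay grouped as `local verbose file capabilities finished saveit result directory system getcaps root compiler` followed only by the assignments that carry a value (`verbose=$(make_verbose)`, `finished=0`, `root=root`). Keep the explicit empty assignments (`file=`, `capabilities=`, `saveit=`, `getcaps=`, `compiler=`) though: a bare `local name` may or may not reset an outer value depending on the shell, so dropping them would change behaviour. The function body continues past the end of the hunk.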
@ -1073,7 +1104,8 @@ reload_command() # $* = original arguments less the command.
|
||||
#
|
||||
export_command() # $* = original arguments less the command.
|
||||
{
|
||||
local verbose=$(make_verbose) file= finished=0 directory target compiler=
|
||||
local verbose
|
||||
verbose=$(make_verbose) file= finished=0 directory target compiler=
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
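Review bot: The split of the `local` line in `export_command` is incomplete and breaks the function: `verbose=$(make_verbose) file= finished=0 directory target compiler=` is now a simple command, so the shell treats `verbose=…`, `file=` and `finished=0` as temporary environment assignments for a command named `directory` (with arguments `target` and `compiler=`). That command almost certainly does not exist, the assignments do not persist, and `finished` stays unset, so the following `while [ $finished -eq 0 -a $# -gt 0 ]` fails with a `test` syntax error; `file`, `compiler`, `directory` and `target` also silently become globals. Every other function in this commit (e.g. `reload_command`) was split one declaration per line; `export_command` needs the same treatment. The rest of `export_command` lies outside the hunk.
```shell
export_command() # $* = original arguments less the command.
{
    local verbose
    verbose=$(make_verbose)
    local file
    file=
    local finished
    finished=0
    local directory
    local target
    local compiler
    compiler=

    # … unchanged: option-parsing loop and export logic …
```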
@ -1272,7 +1304,10 @@ while [ $finished -eq 0 ]; do
|
||||
done
|
||||
|
||||
version_command() {
|
||||
local finished=0 all=
|
||||
local finished
|
||||
finished=0
|
||||
local all
|
||||
all=
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
|
@ -995,7 +995,12 @@ usage() {
|
||||
# Find the interface with the passed MAC address
|
||||
#################################################################################
|
||||
find_interface_by_mac() {
|
||||
local mac=$1 first second rest dev
|
||||
local mac
|
||||
mac=$1
|
||||
local first
|
||||
local second
|
||||
local rest
|
||||
local dev
|
||||
|
||||
/sbin/ip link ls | while read first second rest; do
|
||||
case $first in
|
||||
@ -1014,7 +1019,9 @@ find_interface_by_mac() {
|
||||
# Convert MAC addresses to interface names
|
||||
################################################################################
|
||||
get_interfaces() {
|
||||
local interfaces= interface
|
||||
local interfaces
|
||||
interfaces=
|
||||
local interface
|
||||
|
||||
for interface in $INTERFACES; do
|
||||
case $interface in
|
||||
|
@ -915,7 +915,12 @@ usage() {
|
||||
# Find the interface with the passed MAC address
|
||||
#################################################################################
|
||||
find_interface_by_mac() {
|
||||
local mac=$1 first second rest dev
|
||||
local mac
|
||||
mac=$1
|
||||
local first
|
||||
local second
|
||||
local rest
|
||||
local dev
|
||||
|
||||
/sbin/ip link ls | while read first second rest; do
|
||||
case $first in
|
||||
@ -934,7 +939,9 @@ find_interface_by_mac() {
|
||||
# Convert MAC addresses to interface names
|
||||
################################################################################
|
||||
get_interfaces() {
|
||||
local interfaces= interface
|
||||
local interfaces
|
||||
interfaces=
|
||||
local interface
|
||||
|
||||
for interface in $INTERFACES; do
|
||||
case $interface in
|
||||
|
@ -142,7 +142,8 @@ fatal_error() {
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
@ -128,7 +128,8 @@ fatal_error() {
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
@ -61,7 +61,8 @@ NOTOC="
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
@ -61,7 +61,8 @@ NOTOC="
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
|
||||
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
local e
|
||||
e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|