Add program pieces

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5494 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

New/compiler.pl

@@ -142,8 +142,6 @@ my $line; # Current config file line
 
 my $object; # Object file Handle Reference
 
-my $indent = '';
-
 #
 # Zone Table. 
 #
@@ -235,7 +233,7 @@ my $comment = '';
 #
 # Current Indentation 
 # 
-my %indent;
+my $indent;
 #
 # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
 #
@@ -457,7 +455,10 @@ sub save_progress_message_short( $ ) {
     emit "progress_message $_[0]";
 }
 
-sub indent( $ ) {
+#
+# Functions for copying files into the object
+#
+sub copy( $ ) {
     my $file = $_[0];
     
     open IF , $file or fatal_error "Unable to open $file: $!";
@@ -470,7 +471,7 @@ sub indent( $ ) {
     close IF;
 }
 
-sub indent1( $ ) {
+sub copy1( $ ) {
     my $file = $_[0];
     
     open IF , $file or fatal_error "Unable to open $file: $!";
@@ -498,7 +499,7 @@ sub append_file( $ ) {
     unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
 	if ( -f $user_exit ) {
 	    save_progress_message "Processing $user_exit ...";
-	    indent1 $user_exit;
+	    copy1 $user_exit;
 	}
     }   
 }
@@ -5409,9 +5410,6 @@ sub do_initialize() {
     initialize_chain_table;
 }
 
-sub compile_stop_firewall() {
-}
-
 sub compile_firewall( $ ) {
     
     my $objectfile = $_[0];
@@ -5444,8 +5442,9 @@ sub compile_firewall( $ ) {
 	    emit 'SHAREDIR=/usr/share/shorewall-lite';
 	    emit 'CONFDIR=/etc/shorewall-lite';
 	    emit 'VARDIR=/var/lib/shorewall-lite';
+	    emit 'PRODUCT="Shorewall Lite"';
 
-	    indent "$env{SHAREDIR}/lib.base";
+	    copy "$env{SHAREDIR}/lib.base";
 	    
 	    emit '################################################################################';
 	    emit '# End of /usr/share/shorewall/lib.base';
@@ -5453,14 +5452,36 @@ sub compile_firewall( $ ) {
 	} else {
 	    emit 'SHAREDIR=/usr/share/shorewall';
 	    emit 'CONFDIR=/etc/shorewall';
-	    emit "VARDIR=/var/lib/shorewall\n";
+	    emit 'VARDIR=/var/lib/shorewall\n';
+	    emit 'PRODUCT=\'Shorewall\'';
 	    emit '. /usr/share/shoreall-lite/lib.base';
 	}
+
+	emit '';
+
+	for my $exit qw/init initdone start started stop stopped/ {
+	    emit "run_${exit}_exit() {";
+	    $indent = '    ';
+	    append_file $exit;
+	    $indent = '';
+	    emit "}\n";
+	}
+
+	emit 'initialize()';
+	emit '{';
+
+	$indent = '    ';
+
+	while ( my ( $option, $value ) = ( each %config ) ) {
+	    emit "${option}=${value}";
+	}
+
+	emit '}';
+	
+	$indent = '';
+	
+	copy "$env{SHAREDIR}/prog.functions";
     }
-    #
-    # Compile the program to stop the firewall
-    #
-    compile_stop_firewall;
 
     #
     # Process the zones file.

New/prog.footer

@@ -0,0 +1,175 @@
+#
+# Give Usage Information
+#
+usage() {
+    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    exit $1
+}
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+#
+# Start trace if first arg is "debug" or "trace"
+#
+if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
+    set -x
+    shift
+fi
+
+initialize
+
+finished=0
+
+while [ $finished -eq 0 -a $# -gt 0 ]; do
+    option=$1
+    case $option in
+	-*)
+	    option=${option#-}
+
+	    [ -z "$option" ] && usage 1
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    v*)
+			VERBOSE=$(($VERBOSE + 1 ))
+			option=${option#v}
+			;;
+		    q*)
+			VERBOSE=$(($VERBOSE - 1 ))
+			option=${option#q}
+			;;
+		    n*)
+			NOROUTES=Yes
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+	    shift
+	    ;;
+	*)
+	    finished=1
+            ;;
+    esac
+done
+
+if [ $# -ne 1 ]; then
+    usage 2
+else
+    COMMAND="$1"
+fi
+
+[ -n "${PRODUCT:=Shorewall}" ]
+
+case "$COMMAND" in
+    start)
+	if shorewall_is_started; then
+	    error_message "$PRODUCT is already Running"
+	    status=0
+	else
+	    progress_message3 "Starting $PRODUCT...."
+	    define_firewall
+	    status=$?
+	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
+	;;
+    stop)
+	progress_message3 "Stopping $PRODUCT...."
+	stop_firewall
+	status=0
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	progress_message3 "done."
+	;;
+    reset)
+	if ! shorewall_is_started ; then
+	    error_message "$PRODUCT is not running"
+	    status=2
+	else
+	    $IPTABLES -Z
+	    $IPTABLES -t nat -Z
+	    $IPTABLES -t mangle -Z
+	    date > ${VARDIR}/restarted
+	    status=0
+	    progress_message3 "$PRODUCT Counters Reset"
+	fi
+	;;
+    restart)
+	if shorewall_is_started; then
+	    progress_message3 "Restarting $PRODUCT...."
+	else
+	    error_message "$PRODUCT is not running"
+	    progress_message3 "Starting $PRODUCT...."
+	fi
+
+	define_firewall
+	status=$?
+	if [ -n "$SUBSYSLOCK" ]; then
+ 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+        fi
+	progress_message3 "done."
+	;;
+    refresh)
+	if shorewall_is_started; then
+	    progress_message3 "Refreshing $PRODUCT...."
+	    refresh_firewall
+	    status=$?
+	    progress_message3 "done."
+	else
+	    echo "$PRODUCT is not running" >&2
+	    status=2
+	fi
+	;;
+    restore)
+	restore_firewall
+	status=$?
+	if [ -n "$SUBSYSLOCK" ]; then
+ 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+        fi
+	;;
+    clear)
+	progress_message3 "Clearing $PRODUCT...."
+	clear_firewall
+	status=0
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	progress_message3 "done."
+	;;
+    status)
+	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	echo
+	if shorewall_is_started; then
+	    echo "$PRODUCT is running"
+	    status=0
+	else
+	    echo "$PRODUCT is stopped"
+	    status=4
+	fi
+
+	if [ -f ${VARDIR}/state ]; then
+	    state="$(cat ${VARDIR}/state)"
+	    case $state in
+		Stopped*|Clear*)
+		    status=3
+		    ;;
+	    esac
+	else
+	    state=Unknown
+	fi
+	echo "State:$state"
+	echo
+	;;
+    version)
+	echo $VERSION
+	status=0
+	;;
+    help)
+	usage 0
+	;;
+    *)
+	usage 2
+	;;
+esac
+
+exit $status

New/prog.functions

@@ -0,0 +1,387 @@
+#!/bin/sh
+
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+	done < ${VARDIR}/proxyarp
+
+	for f in /proc/sys/net/ipv4/conf/*; do
+	    [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
+	done
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Stop/restore the firewall after an error or because of a "stop" or "clear" command
+#
+stop_firewall() {
+
+    deletechain() {
+	qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+    }
+
+    deleteallchains() {
+	$IPTABLES -F
+	$IPTABLES -X
+    }
+
+    setcontinue() {
+	$IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    }
+
+    delete_nat() {
+	$IPTABLES -t nat -F
+	$IPTABLES -t nat -X
+
+	if [ -f ${VARDIR}/nat ]; then
+	    while read external interface; do
+		del_ip_addr $external $interface
+	    done < ${VARDIR}/nat
+
+	    rm -f ${VARDIR}/nat
+	fi
+    }
+
+    case $COMMAND in
+	stop|clear)
+	    ;;
+	*)
+	    set +x
+
+            case $COMMAND in
+	        start)
+	            logger -p kern.err "ERROR:$PRODUCT start failed"
+	            ;;
+	        restart)
+	            logger -p kern.err "ERROR:$PRODUCT restart failed"
+	            ;;
+	        restore)
+	            logger -p kern.err "ERROR:$PRODUCT restore failed"
+	            ;;
+            esac
+            
+            if [ "$RESTOREFILE" = NONE ]; then
+                COMMAND=clear
+                clear_firewall
+                echo "$PRODUCT Cleared"
+
+	        kill $$
+	        exit 2
+            else
+	        RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	        if [ -x $RESTOREPATH ]; then
+
+		    if [ -x ${RESTOREPATH}-ipsets ]; then
+		        progress_message2 Restoring Ipsets...
+		        #
+		        # We must purge iptables to be sure that there are no
+		        # references to ipsets
+		        #
+		        for table in mangle nat filter; do
+			    $IPTABLES -t $table -F
+			    $IPTABLES -t $table -X
+		        done
+
+		        ${RESTOREPATH}-ipsets
+		    fi
+
+		    echo Restoring ${PRODUCT:=Shorewall}...
+
+		    if $RESTOREPATH restore; then
+		        echo "$PRODUCT restored from $RESTOREPATH"
+		        set_state "Started"
+		    else
+		        set_state "Unknown"
+		    fi
+
+	            kill $$
+	            exit 2
+	        fi
+            fi
+	    ;;
+    esac
+
+    set_state "Stopping"
+
+    STOPPING="Yes"
+
+    TERMINATOR=
+
+    deletechain shorewall
+
+    determine_capabilities
+
+    run_stop_exit
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	run_iptables -t mangle -F
+	run_iptables -t mangle -X
+	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	    qt $IPTABLES -t mangle -P $chain ACCEPT
+	done
+    fi
+
+    if [ -n "$RAW_TABLE" ]; then
+	run_iptables -t raw -F
+	run_iptables -t raw -X
+	for chain in PREROUTING OUTPUT; do
+	    qt $IPTABLES -t raw -P $chain ACCEPT
+	done
+    fi
+
+    if [ -n "$NAT_ENABLED" ]; then
+	delete_nat
+	for chain in PREROUTING POSTROUTING OUTPUT; do
+	    qt $IPTABLES -t nat -P $chain ACCEPT
+	done
+    fi
+
+    delete_proxyarp
+
+    [ -n "$CLEAR_TC" ] && delete_tc1
+
+    [ -n "$DISABLE_IPV6" ] && disable_ipv6
+
+    undo_routing
+
+    restore_default_route
+
+    if [ -n "$CRITICALHOSTS" ]; then
+	if [ -z "$ADMINISABSENTMINDED" ]; then
+
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain ACCEPT
+	    done
+
+	    setpolicy FORWARD DROP
+
+	    deleteallchains
+
+	    for host in $CRITICALHOSTS; do
+		interface=${host%:*}
+		networks=${host#*:}
+		$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+		$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+	    done
+
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain DROP
+	    done
+	else
+	    for chain in INPUT OUTPUT; do
+		setpolicy $chain ACCEPT
+	    done
+
+	    setpolicy FORWARD DROP
+
+	    deleteallchains
+
+	    for host in $CRITICALHOSTS; do
+		interface=${host%:*}
+		networks=${host#*:}
+		$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+		$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+	    done
+
+	    setpolicy INPUT DROP
+
+	    for chain in INPUT FORWARD; do
+		setcontinue $chain
+	    done
+	fi
+    elif [ -z "$ADMINISABSENTMINDED" ]; then
+	for chain in INPUT OUTPUT FORWARD; do
+	    setpolicy $chain DROP
+	done
+
+	deleteallchains
+    else
+	for chain in INPUT FORWARD; do
+	    setpolicy $chain DROP
+	done
+
+	setpolicy OUTPUT ACCEPT
+
+	deleteallchains
+
+	for chain in INPUT FORWARD; do
+	    setcontinue $chain
+	done
+    fi
+
+    $IPTABLES -A INPUT  -i lo -j ACCEPT
+
+    [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+    for interface in $DHCP_INTERFACES; do
+	$IPTABLES -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
+	#
+	# This might be a bridge
+	#
+	$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
+    done
+
+    case "$IP_FORWARDING" in
+	On|on|ON)
+	    echo 1 > /proc/sys/net/ipv4/ip_forward
+	    progress_message2 IP Forwarding Enabled
+	    ;;
+	Off|off|OFF)
+	    echo 0 > /proc/sys/net/ipv4/ip_forward
+	    progress_message2 IP Forwarding Disabled!
+	    ;;
+    esac
+
+    run_stopped_exit
+
+    set_state "Stopped"
+
+    logger -p kern.info "$PRODUCT Stopped"
+
+    case $COMMAND in
+    stop|clear)
+	;;
+    *)
+	#
+	# The firewall is being stopped when we were trying to do something
+	# else. Remove the lock file and Kill the shell in case we're in a
+	# subshell
+	#
+	kill $$
+	;;
+    esac
+}
+
+#
+# Set policy of chain $1 to $2
+#
+setpolicy() {
+    $IPTABLES -P $1 $2
+}
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if qt mywhich ip6tables; then
+	    ip6tables -P INPUT   ACCEPT 2> /dev/null
+	    ip6tables -P OUTPUT  ACCEPT 2> /dev/null
+	    ip6tables -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    stop_firewall
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed"
+	    ;;
+    esac
+            
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    if [ -n "$COMMENT" ]; then
+        $IPTABLES $@ -m comment --comment "$COMMENT"
+    else
+        $IPTABLES $@
+    fi
+
+    if [ $? -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! ip $@; then
+	error_message "ERROR: Command \"ip $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! tc $@ ; then
+	error_message "ERROR: Command \"tc $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Functions to appease unconverted extension scripts
+#
+save_command()
+{
+    return 0
+}
+
+run_and_save_command() {
+    eval $@
+}
+
+ensure_and_save_command() {
+    eval $@ || fatal_error "Command \"$@\" failed"
+}
+

New/prog.header

@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+#     Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4
+#
+#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#
+#	Options are:
+#
+#	    -n				  Don't alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#
+#	Commands are:
+#
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
+#