holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add program pieces

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5494 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-11 20:35:38 +00:00
parent 6ad67cfb80
commit c20446d32b
4 changed files with 624 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
New/compiler.pl
View File

@ -142,8 +142,6 @@ my $line; # Current config file line
my $object; # Object file Handle Reference my $object; # Object file Handle Reference
my $indent = '';
# #
# Zone Table. # Zone Table.
# #
@ -235,7 +233,7 @@ my $comment = '';
# #
# Current Indentation # Current Indentation
# #
my %indent; my $indent;
# #
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
# #
@ -457,7 +455,10 @@ sub save_progress_message_short( $ ) {
emit "progress_message $_[0]"; emit "progress_message $_[0]";
} }
sub indent( $ ) { #
# Functions for copying files into the object
#
sub copy( $ ) {
my $file = $_[0]; my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!"; open IF , $file or fatal_error "Unable to open $file: $!";
@ -470,7 +471,7 @@ sub indent( $ ) {
close IF; close IF;
} }
sub indent1( $ ) { sub copy1( $ ) {
my $file = $_[0]; my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!"; open IF , $file or fatal_error "Unable to open $file: $!";
@ -498,7 +499,7 @@ sub append_file( $ ) {
unless ( $user_exit =~ /$env{SHAREDIR}/ ) { unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
if ( -f $user_exit ) { if ( -f $user_exit ) {
save_progress_message "Processing $user_exit ..."; save_progress_message "Processing $user_exit ...";
indent1 $user_exit; copy1 $user_exit;
} }
} }
} }
@ -5409,9 +5410,6 @@ sub do_initialize() {
initialize_chain_table; initialize_chain_table;
} }
sub compile_stop_firewall() {
}
sub compile_firewall( $ ) { sub compile_firewall( $ ) {
my $objectfile = $_[0]; my $objectfile = $_[0];
@ -5444,8 +5442,9 @@ sub compile_firewall( $ ) {
emit 'SHAREDIR=/usr/share/shorewall-lite'; emit 'SHAREDIR=/usr/share/shorewall-lite';
emit 'CONFDIR=/etc/shorewall-lite'; emit 'CONFDIR=/etc/shorewall-lite';
emit 'VARDIR=/var/lib/shorewall-lite'; emit 'VARDIR=/var/lib/shorewall-lite';
emit 'PRODUCT="Shorewall Lite"';
indent "$env{SHAREDIR}/lib.base"; copy "$env{SHAREDIR}/lib.base";
emit '################################################################################'; emit '################################################################################';
emit '# End of /usr/share/shorewall/lib.base'; emit '# End of /usr/share/shorewall/lib.base';
@ -5453,14 +5452,36 @@ sub compile_firewall( $ ) {
} else { } else {
emit 'SHAREDIR=/usr/share/shorewall'; emit 'SHAREDIR=/usr/share/shorewall';
emit 'CONFDIR=/etc/shorewall'; emit 'CONFDIR=/etc/shorewall';
emit "VARDIR=/var/lib/shorewall\n"; emit 'VARDIR=/var/lib/shorewall\n';
emit 'PRODUCT=\'Shorewall\'';
emit '. /usr/share/shoreall-lite/lib.base'; emit '. /usr/share/shoreall-lite/lib.base';
} }
emit '';
for my $exit qw/init initdone start started stop stopped/ {
emit "run_${exit}_exit() {";
$indent = ' ';
append_file $exit;
$indent = '';
emit "}\n";
}
emit 'initialize()';
emit '{';
$indent = ' ';
while ( my ( $option, $value ) = ( each %config ) ) {
emit "${option}=${value}";
}
emit '}';
$indent = '';
copy "$env{SHAREDIR}/prog.functions";
} }
#
# Compile the program to stop the firewall
#
compile_stop_firewall;
# #
# Process the zones file. # Process the zones file.

175
New/prog.footer Normal file
View File

@ -0,0 +1,175 @@
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
set -x
shift
fi
initialize
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
v*)
VERBOSE=$(($VERBOSE + 1 ))
option=${option#v}
;;
q*)
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
n*)
NOROUTES=Yes
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
if [ $# -ne 1 ]; then
usage 2
else
COMMAND="$1"
fi
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in
start)
if shorewall_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
;;
stop)
progress_message3 "Stopping $PRODUCT...."
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if ! shorewall_is_started ; then
error_message "$PRODUCT is not running"
status=2
else
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
date > ${VARDIR}/restarted
status=0
progress_message3 "$PRODUCT Counters Reset"
fi
;;
restart)
if shorewall_is_started; then
progress_message3 "Restarting $PRODUCT...."
else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
refresh)
if shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
refresh_firewall
status=$?
progress_message3 "done."
else
echo "$PRODUCT is not running" >&2
status=2
fi
;;
restore)
restore_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
;;
clear)
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
status)
echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
echo
if shorewall_is_started; then
echo "$PRODUCT is running"
status=0
else
echo "$PRODUCT is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
echo "State:$state"
echo
;;
version)
echo $VERSION
status=0
;;
help)
usage 0
;;
*)
usage 2
;;
esac
exit $status

387
New/prog.functions Normal file
View File

@ -0,0 +1,387 @@
#!/bin/sh
#
# Clear Proxy Arp
#
delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
done < ${VARDIR}/proxyarp
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
rm -f ${VARDIR}/proxyarp
}
#
# Stop/restore the firewall after an error or because of a "stop" or "clear" command
#
stop_firewall() {
deletechain() {
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
deleteallchains() {
$IPTABLES -F
$IPTABLES -X
}
setcontinue() {
$IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}
delete_nat() {
$IPTABLES -t nat -F
$IPTABLES -t nat -X
if [ -f ${VARDIR}/nat ]; then
while read external interface; do
del_ip_addr $external $interface
done < ${VARDIR}/nat
rm -f ${VARDIR}/nat
fi
}
case $COMMAND in
stop|clear)
;;
*)
set +x
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
if [ "$RESTOREFILE" = NONE ]; then
COMMAND=clear
clear_firewall
echo "$PRODUCT Cleared"
kill $$
exit 2
else
RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
$IPTABLES -t $table -F
$IPTABLES -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring ${PRODUCT:=Shorewall}...
if $RESTOREPATH restore; then
echo "$PRODUCT restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
kill $$
exit 2
fi
fi
;;
esac
set_state "Stopping"
STOPPING="Yes"
TERMINATOR=
deletechain shorewall
determine_capabilities
run_stop_exit
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
fi
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
fi
delete_proxyarp
[ -n "$CLEAR_TC" ] && delete_tc1
[ -n "$DISABLE_IPV6" ] && disable_ipv6
undo_routing
restore_default_route
if [ -n "$CRITICALHOSTS" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
for chain in INPUT OUTPUT; do
setpolicy $chain DROP
done
else
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
elif [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $DHCP_INTERFACES; do
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
On|on|ON)
echo 1 > /proc/sys/net/ipv4/ip_forward
progress_message2 IP Forwarding Enabled
;;
Off|off|OFF)
echo 0 > /proc/sys/net/ipv4/ip_forward
progress_message2 IP Forwarding Disabled!
;;
esac
run_stopped_exit
set_state "Stopped"
logger -p kern.info "$PRODUCT Stopped"
case $COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
kill $$
;;
esac
}
#
# Set policy of chain $1 to $2
#
setpolicy() {
$IPTABLES -P $1 $2
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared"
}
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
stop_firewall
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@" >&2
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
if [ -n "$COMMENT" ]; then
$IPTABLES $@ -m comment --comment "$COMMENT"
else
$IPTABLES $@
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! ip $@; then
error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! tc $@ ; then
error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Functions to appease unconverted extension scripts
#
save_command()
{
return 0
}
run_and_save_command() {
eval $@
}
ensure_and_save_command() {
eval $@ || fatal_error "Command \"$@\" failed"
}

26
New/prog.header Normal file
View File

@ -0,0 +1,26 @@
#!/bin/sh
#
# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
#
# Options are:
#
# -n Don't alter Routing
# -v and -q Standard Shorewall Verbosity control
#
# Commands are:
#
# start Starts the firewall
# refresh Refresh the firewall
# restart Restarts the firewall
# reload Reload the firewall
# clear Removes all firewall rules
# stop Stops the firewall
# status Displays firewall status
# version Displays the version of Shorewall that
# generated this program
#