holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Bring trunk up to date with 4.0

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7226 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-08-26 15:09:27 +00:00
parent 9f0967b2c6
commit cd00210273
9 changed files with 47 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-common/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.0.2 VERSION=4.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall-common/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=4.0.2 VERSION=4.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

14
Shorewall-common/lib.base
View File

@ -35,7 +35,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=30405 SHOREWALL_CAPVERSION=40003
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1004,6 +1004,8 @@ determine_capabilities() {
COMMENTS= COMMENTS=
ADDRTYPE= ADDRTYPE=
TCPMSS_MATCH= TCPMSS_MATCH=
HASHLIMIT_MATCH=
NFQUEUE_TARGET=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -1072,6 +1074,9 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A fooX1234 -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
qt $IPTABLES -A fooX1234 -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -F fooX1234 qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234 qt $IPTABLES -X fooX1234
@ -1119,6 +1124,8 @@ report_capabilities() {
report_capability "Comments" $COMMENTS report_capability "Comments" $COMMENTS
report_capability "Address Type Match" $ADDRTYPE report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1161,6 +1168,9 @@ report_capabilities1() {
report_capability1 MANGLE_FORWARD report_capability1 MANGLE_FORWARD
report_capability1 COMMENTS report_capability1 COMMENTS
report_capability1 ADDRTYPE report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH
report_capability1 NFQUEUE_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }
@ -1331,7 +1341,7 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos
fi fi
if [ ${#prefix} -gt 29 ]; then if [ ${#prefix} -gt 29 ]; then
prefix=`echo "$prefix" | truncate 29` prefix="`echo "$prefix" | truncate 28` "
error_message "WARNING: Log Prefix shortened to \"$prefix\"" error_message "WARNING: Log Prefix shortened to \"$prefix\""
fi fi

24
Shorewall-common/lib.cli
View File

@ -147,12 +147,10 @@ packet_log() # $1 = number of messages
{ {
local options local options
[ -n "$realtail" ] && options="-n$1"
if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
$LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ | tail $options $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else else
$LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ | tail $options $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi fi
} }
@ -173,15 +171,8 @@ show_tc() {
fi fi
} }
ip link list | \ ip -o link list | while read inx interface details; do
while read inx interface details; do
case $inx in
[0-9]*)
show_one_tc ${interface%:} show_one_tc ${interface%:}
;;
*)
;;
esac
done done
} }
@ -202,15 +193,8 @@ show_classifiers() {
fi fi
} }
ip link list | \ ip -o link list | while read inx interface details; do
while read inx interface details; do
case $inx in
[0-9]*)
show_one_classifier ${interface%:} show_one_classifier ${interface%:}
;;
*)
;;
esac
done done
} }

3
Shorewall-common/lib.config
View File

@ -506,6 +506,9 @@ setup_ipsec() {
if [ -s ${TMP_DIR}/ipsec ]; then if [ -s ${TMP_DIR}/ipsec ]; then
progress_message "$DOING ipsec..." progress_message "$DOING ipsec..."
[ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..."
f=ipsec
else
return
fi fi
;; ;;
esac esac

1
Shorewall-common/modules
View File

@ -102,6 +102,7 @@ loadmodule sch_sfq
loadmodule sch_ingress loadmodule sch_ingress
loadmodule sch_htb loadmodule sch_htb
loadmodule cls_u32 loadmodule cls_u32
loadmodule act_police
# #
# Extensions # Extensions
# #

26
Shorewall-common/shorewall
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall Packet Filtering Firewall Control Program - V3.4 # Shorewall Packet Filtering Firewall Control Program - V4.0
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -156,9 +156,9 @@ get_config() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then if [ -n "$(syslog_circular_buffer)" ]; then
LOGREAD="logread" LOGREAD="logread | tac"
elif [ -f $LOGFILE ]; then elif [ -f $LOGFILE ]; then
LOGREAD="cat $LOGFILE" LOGREAD="tac $LOGFILE"
else else
echo "LOGFILE ($LOGFILE) does not exist!" >&2 echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2 exit 2
@ -1282,7 +1282,7 @@ usage() # $1 = exit status
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ -C {shell|perl} ] [ <directory> ]" echo " check [ -e ] [ -C {shell|perl} ] [ <directory> ]"
echo " clear" echo " clear [ -f ]"
echo " compile [ -e ] [ -C {shell|perl} ] [ <directory name> ] <path name>" echo " compile [ -e ] [ -C {shell|perl} ] [ <directory name> ] <path name>"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
@ -1307,7 +1307,7 @@ usage() # $1 = exit status
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]" echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]"
echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
echo " stop" echo " stop [ -f ]"
echo " status" echo " status"
echo " try [ -C {shell|perl} ] <directory> [ <timeout> ]" echo " try [ -C {shell|perl} ] <directory> [ <timeout> ]"
echo " version [ -a ]" echo " version [ -a ]"
@ -1542,15 +1542,27 @@ case "$COMMAND" in
shift shift
start_command $@ start_command $@
;; ;;
stop|reset|clear) stop|clear)
if [ "x$2" = x-f ]; then
[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
shift;
fi
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
export NOROUTES export NOROUTES
[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
mutex_on mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
mutex_off mutex_off
;; ;;
reset)
[ $# -ne 1 ] && usage 1
get_config
export NOROUTES
mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset
mutex_off
;;
compile) compile)
get_config Yes get_config Yes
shift shift

4
Shorewall-common/shorewall-common.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-common %define name shorewall-common
%define version 4.0.2 %define version 4.0.3
%define release 1 %define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -240,6 +240,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog %changelog
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1 - Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net * Sat Jul 21 2007 Tom Eastep tom@shorewall.net

2
Shorewall-common/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.2 VERSION=4.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {