Preparation for 'generate' command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3236 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-01-06 23:02:55 +00:00 · 2006-01-06 23:02:55 +00:00 · d145351222
commit d145351222
parent e3bf8645b0
2 changed files with 90 additions and 59 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -151,6 +151,21 @@ append_file() # $1 = File Name
    save_command __EOF__
 }

+#
+# Run iptables -- we define this so that it may be overloaded in the compiler
+#
+do_iptables() {
+    $IPTABLES $@
+}
+
+#
+# Run iptables quietly -- we define this so that it may be overloaded in the compiler
+#
+qt_iptables() {
+    $IPTABLES $@
+}
+
+
 #
 # Run iptables and if an error occurs, stop the firewall and quit
 #
@ -342,14 +357,6 @@ havechain() # $1 = name of chain
    eval test \"\$exists_${c}\" = Yes
 }

-#
-# Query NetFilter about the existence of a mangle chain
-#
-mangle_chain_exists() # $1 = chain name
-{
-    qt $IPTABLES -t mangle -L $1 -n
-}
-
 #
 # Ensure that a chain exists (create it if it doesn't)
 #
@ -378,6 +385,39 @@ addrule2() # $1 = chain name, remainder of arguments specify the rule
    run_iptables2 -A $@
 }

+#
+# Create a mangle chain
+#
+# Create a variable exists_mangle_${1} and set its value to Yes to indicate that
+# the chain now exists.
+#
+createmanglechain() # $1 = chain name
+{
+    run_iptables -t mangle -N $1
+
+    eval exists_mangle_${1}=Yes
+}
+
+#
+# Determine if a mangle chain exists
+#
+# When we create a chain "chain", we create a variable named exists_nat_chain
+# and set its value to Yes. This function tests for the "exists_" variable
+# corresponding to the passed chain having the value of "Yes".
+#
+havemanglechain() # $1 = name of chain
+{
+    eval test \"\$exists_mangle_${1}\" = Yes
+}
+
+#
+# Ensure that a mangle chain exists (create it if it doesn't)
+#
+ensuremanglechain() # $1 = chain name
+{
+    havemanglechain $1 || createmanglechain $1
+}
+
 #
 # Create a nat chain
 #
@ -1797,22 +1837,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi

    case $level in
 	ULOG)
-	    if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
-		if [ -z "$STOPPING" ]; then
-		    error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-	    fi
+	    run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
 	    ;;
 	*)
-	    if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
-		if [ -z "$STOPPING" ]; then
-		    error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j  LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-	    fi
+	    run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
 	    ;;
    esac

@ -1946,7 +1974,7 @@ process_routestopped() # $1 = command
    for host in $hosts; do
 	interface=${host%:*}
 	networks=${host#*:}
-	$IPTABLES $1 INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	do_iptables $1 INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
 	[ -z "$ADMINISABSENTMINDED" -o $COMMAND != stop ] && \
 	    run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT

@ -2015,8 +2043,8 @@ enable_critical_hosts()
    for host in $CRITICALHOSTS; do
 	interface=${host%:*}
 	networks=${host#*:}
-	$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-	$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+	do_iptables -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
    done
 }

@ -2029,8 +2057,8 @@ disable_critical_hosts()
    for host in $CRITICALHOSTS; do
 	interface=${host%:*}
 	networks=${host#*:}
-	$IPTABLES -D INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-	$IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+	do_iptables -D INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	do_iptables -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
    done
 }

@ -2761,7 +2789,7 @@ setup_mac_lists() {
 		createchain $1 no
 		;;
 	    *)
-		run_iptables -t mangle -N $1
+		createmanglechain $1
 		;;
 	esac
    }
@ -2775,7 +2803,7 @@ setup_mac_lists() {
 		havechain $1 && result=0 || result=1
 		;;
 	    *)
-		mangle_chain_exists $1 && result=0 || result=1
+		havemanglechain $1 && result=0 || result=1
 		;;
 	esac

@ -3119,10 +3147,10 @@ setup_ecn() # $1 = file name

 	for interface in $interfaces; do
 	    chain=$(ecn_chain $interface)
-	    if mangle_chain_exists $chain; then
+	    if havemanglechain $chain; then
 		flushmangle $chain
 	    else
-		run_iptables -t mangle -N $chain
+		createmanglechain $chain
 		run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
 		run_iptables -t mangle -A OUTPUT      -p tcp -o $interface -j $chain
 	    fi
@ -3674,10 +3702,10 @@ setup_tc1() {
    # Create the TC mangle chains
    #

-    run_iptables -t mangle -N tcpre
-    run_iptables -t mangle -N tcfor
-    run_iptables -t mangle -N tcout
-    run_iptables -t mangle -N tcpost
+    createmanglechain tcpre
+    createmanglechain tcfor
+    createmanglechain tcout
+    createmanglechain tcpost
    #
    # Process the TC Rules File
    #
@ -3968,7 +3996,7 @@ process_accounting_rule() {

    ensurechain1 $chain

-    if $IPTABLES -A $chain $(fix_bang $rule) ; then
+    if do_iptables -A $chain $(fix_bang $rule) ; then
 	[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
 	progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
    else
@ -4110,7 +4138,7 @@ refresh_tc() {

    [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre

-    if mangle_chain_exists $chain; then
+    if qt $IPTABLES -t mangle -L $chain -n ; then
        #
        # Flush the TC mangle chains
        #
@ -6685,8 +6713,8 @@ process_tos() # $1 = name of tos file
    strip_file tos $1

    if [ -s $TMP_DIR/tos ] ; then
-	run_iptables -t mangle -N pretos
-	run_iptables -t mangle -N outtos
+	createmanglechain pretos
+	createmanglechain outtos

 	while read src dst protocol sport dport tos; do
 	    expandv src dst protocol sport dport tos
@ -6928,7 +6956,7 @@ setup_routes()

    run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
    run_iptables -t mangle -A OUTPUT     -m connmark ! --mark 0 -j CONNMARK --restore-mark
-    run_iptables -t mangle -N routemark
+    createmanglechain routemark

    for interface in $ROUTEMARK_INTERFACES ; do

@ -7692,7 +7720,7 @@ initialize_netfilter () {
    if [ -n "$NAT_ENABLED" ]; then
 	delete_nat
 	for chain in PREROUTING POSTROUTING OUTPUT; do
-	    qt $IPTABLES -t nat -P $chain ACCEPT
+	    qt_iptables -t nat -P $chain ACCEPT
 	done
    fi

@ -7702,7 +7730,7 @@ initialize_netfilter () {
 	run_iptables -t mangle -F
 	run_iptables -t mangle -X
 	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	    qt $IPTABLES -t mangle -P $chain ACCEPT
+	    qt_iptables -t mangle -P $chain ACCEPT
 	done
    fi

@ -7710,7 +7738,7 @@ initialize_netfilter () {
 	run_iptables -t raw -F
 	run_iptables -t raw -X
 	for chain in PREROUTING OUTPUT; do
-	    qt $IPTABLES -t raw -P $chain ACCEPT
+	    qt_iptables -t raw -P $chain ACCEPT
 	done
    fi

@ -7854,13 +7882,8 @@ add_common_rules() {
    # Reject Rules -- Don't respond to broadcasts with an ICMP
    #
    if [ -n "$USEPKTTYPE" ]; then
-	qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
-	if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
-            #
-	    # No pkttype support -- do it the hard way
-	    #
-	    drop_broadcasts
-	fi
+	run_iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+	run_iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
    else
 	drop_broadcasts
    fi
@ -7876,11 +7899,10 @@ add_common_rules() {
    #
    # Not all versions of iptables support these so don't complain if they don't work
    #
-    qt $IPTABLES  -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-    if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
-	#
-	# In case the above doesn't work
-	#
+    if [ -n "$ENHANCED_REJECT" ]; THEN
+	run_iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
+	run_iptables -A reject -j REJECT --reject-with icmp-host-prohibited
+    else
 	run_iptables -A reject -j REJECT
    fi

@ -7932,7 +7954,7 @@ add_common_rules() {
 	    if [ -n "$BRIDGING" ]; then
 		is_bridge=$( brctl show $interface 2> /dev/null | grep ^$interface[[:space:]] )
 		[ -n "$is_bridge" ] && \
-		    $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
+		    do_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
            fi
 	    run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
 	    run_iptables -A OUTPUT -o $interface      -p udp --dport 67:68 -j ACCEPT
@ -7973,8 +7995,8 @@ add_common_rules() {
 	    #
 	    # Also add a chain to log and drop any RFC1918 packets that we find
 	    #
-	    run_iptables -t mangle -N man1918
-	    run_iptables -t mangle -N rfc1918
+	    createmanglechain man1918
+	    createmanglechain rfc1918
 	    log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
 	    run_iptables -t mangle -A rfc1918 -j DROP
 	fi
@ -9132,7 +9154,7 @@ do_initialize() {
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear|{add|delete} <interface>[:hosts] zone}}"
+    echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear|generate <filename>}"
    exit 1
 }

@ -9247,6 +9269,12 @@ case "$COMMAND" in
 	check_config
 	;;

+    generate)
+	[ $# -ne 2 ] && usage
+	. /usr/share/shorewall/compiler
+	compile $2
+	;;
+
    call)
 	#
 	# Undocumented way to call functions in /usr/share/shorewall/firewall directly
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -898,6 +898,7 @@ determine_capabilities() {
    RAW_TABLE=
    IPP2P_MATCH=
    CLASSIFY_TARGET=
+    ENHANCED_REJECT=

    qt $IPTABLES -N fooX1234
    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@ -910,6 +911,7 @@ determine_capabilities() {
    qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT                           && OWNER_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT                            && CONNMARK_MATCH=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT                          && IPP2P_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited               && ENHANCED_REJECT=Yes

    qt $IPTABLES -t mangle -N fooX1234
    qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark                          && CONNMARK=Yes
@ -965,6 +967,7 @@ report_capabilities() {
    report_capability "Connmark Match" $CONNMARK_MATCH
    report_capability "Raw Table" $RAW_TABLE
    report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+    report_capability "Enhanced REJECT" $ENHANCED_REJECT

 }