Implement -q

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1283 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-04-21 21:44:22 +00:00
parent c232bb529a
commit d5a3e8ebeb
5 changed files with 67 additions and 45 deletions


@ -26,3 +26,5 @@ Changes since 2.0.1
12) Added example for log rate limiting knobs in shorewall.conf. 12) Added example for log rate limiting knobs in shorewall.conf.
13) Fix init.debian.sh. 13) Fix init.debian.sh.
14) Implement the -q option.


@ -51,6 +51,11 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; } [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
} }
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo $@
}
# #
# Message to stderr # Message to stderr
# #
@ -840,7 +845,7 @@ validate_policy()
[ $1 = $2 ] || \ [ $1 = $2 ] || \
[ $1 = all ] || \ [ $1 = all ] || \
[ $2 = all ] || \ [ $2 = all ] || \
echo " Policy for $1 to $2 is $policy using chain $chain" progress_message " Policy for $1 to $2 is $policy using chain $chain"
} }
all_policy_chains= all_policy_chains=
@ -1063,7 +1068,7 @@ run_user_exit() # $1 = file name
local user_exit=$(find_file $1) local user_exit=$(find_file $1)
if [ -f $user_exit ]; then if [ -f $user_exit ]; then
echo "Processing $user_exit ..." progress_message "Processing $user_exit ..."
. $user_exit . $user_exit
fi fi
} }
@ -1373,7 +1378,7 @@ setup_tunnels() # $1 = name of tunnels file
fi fi
done done
echo " IPSEC tunnel to $gateway defined." progress_message " IPSEC tunnel to $gateway defined."
} }
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
@ -1381,7 +1386,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule $inchain -p $3 -s $2 -j ACCEPT addrule $inchain -p $3 -s $2 -j ACCEPT
addrule $outchain -p $3 -d $2 -j ACCEPT addrule $outchain -p $3 -d $2 -j ACCEPT
echo " $1 tunnel to $2 defined." progress_message " $1 tunnel to $2 defined."
} }
setup_pptp_client() # $1 = gateway setup_pptp_client() # $1 = gateway
@ -1390,7 +1395,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule $inchain -p 47 -j ACCEPT addrule $inchain -p 47 -j ACCEPT
addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
echo " PPTP tunnel to $1 defined." progress_message " PPTP tunnel to $1 defined."
} }
setup_pptp_server() setup_pptp_server()
@ -1399,7 +1404,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule $outchain -p 47 -j ACCEPT addrule $outchain -p 47 -j ACCEPT
addrule $inchain -p tcp --dport 1723 -j ACCEPT addrule $inchain -p tcp --dport 1723 -j ACCEPT
echo " PPTP server defined." progress_message " PPTP server defined."
} }
setup_one_openvpn() # $1 = gateway, $2 = kind[:port] setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
@ -1416,7 +1421,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT
addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
echo " OPENVPN tunnel to $1:$p defined." progress_message " OPENVPN tunnel to $1:$p defined."
} }
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
@ -1454,7 +1459,7 @@ setup_tunnels() # $1 = name of tunnels file
fi fi
done done
echo " GENERIC tunnel to $1:$p defined." progress_message " GENERIC tunnel to $1:$p defined."
} }
strip_file tunnels $1 strip_file tunnels $1
@ -1546,14 +1551,13 @@ setup_proxy_arp() {
persistent= persistent=
;; ;;
[Yy][Ee][Ss]) [Yy][Ee][Ss])
[ -z "$haveroute" ] || print_warning
;; ;;
*) *)
if [ -n "$persistent" ]; then if [ -n "$persistent" ]; then
print_error1 print_error1
return return
fi fi
[ -z "$haveroute" ] || print_warning
;; ;;
esac esac
@ -1569,7 +1573,7 @@ setup_proxy_arp() {
echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
echo " Host $address connected to $interface added to ARP on $external" progress_message " Host $address connected to $interface added to ARP on $external"
} }
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
@ -1583,7 +1587,7 @@ setup_proxy_arp() {
for interface in $interfaces; do for interface in $interfaces; do
if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
echo " Enabled proxy ARP on $interface" progress_message " Enabled proxy ARP on $interface"
else else
error_message "Warning: Unable to enable proxy ARP on $interface" error_message "Warning: Unable to enable proxy ARP on $interface"
fi fi
@ -1619,7 +1623,7 @@ setup_mac_lists() {
fi fi
done done
echo "Setting up MAC Verification on $maclist_interfaces..." progress_message "Setting up MAC Verification on $maclist_interfaces..."
# #
# Be sure that they are all ethernet interfaces # Be sure that they are all ethernet interfaces
# #
@ -1740,7 +1744,7 @@ setup_syn_flood_chain ()
enable_syn_flood_protection() # $1 = chain, $2 = protection chain enable_syn_flood_protection() # $1 = chain, $2 = protection chain
{ {
run_iptables -I $1 2 -p tcp --syn -j @$2 run_iptables -I $1 2 -p tcp --syn -j @$2
echo " Enabled SYN flood protection" progress_message " Enabled SYN flood protection"
} }
# #
@ -1807,7 +1811,7 @@ setup_nat() {
aliases_to_add="$aliases_to_add $external $interface" aliases_to_add="$aliases_to_add $external $interface"
fi fi
echo " Host $internal NAT $external on $interface" progress_message " Host $internal NAT $external on $interface"
done < $TMP_DIR/nat done < $TMP_DIR/nat
} }
@ -1852,7 +1856,7 @@ setup_netmap() {
;; ;;
esac esac
echo " Network $net1 on $interface mapped to $net2 ($type)" progress_message " Network $net1 on $interface mapped to $net2 ($type)"
done < $TMP_DIR/netmap done < $TMP_DIR/netmap
} }
@ -1883,7 +1887,7 @@ setup_ecn() # $1 = file name
done < $TMP_DIR/ecn done < $TMP_DIR/ecn
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Setting up ECN control on${interfaces}..." progress_message "Setting up ECN control on${interfaces}..."
for interface in $interfaces; do for interface in $interfaces; do
chain=$(ecn_chain $interface) chain=$(ecn_chain $interface)
@ -1900,7 +1904,7 @@ setup_ecn() # $1 = file name
interface=${host%:*} interface=${host%:*}
h=${host#*:} h=${host#*:}
run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove
echo " ECN Disabled to $h through $interface" progress_message " ECN Disabled to $h through $interface"
done done
fi fi
} }
@ -1995,7 +1999,7 @@ process_tc_rule()
done done
done done
echo " TC Rule \"$rule\" added" progress_message " TC Rule \"$rule\" added"
} }
# #
@ -2166,7 +2170,7 @@ process_accounting_rule() {
if iptables -A $chain $rule ; then if iptables -A $chain $rule ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else else
accounting_error accounting_error
fi fi
@ -2590,9 +2594,9 @@ process_action() # $1 = action
# Report Result # Report Result
# #
if [ $COMMAND = check ]; then if [ $COMMAND = check ]; then
echo " Rule \"$rule\" checked." progress_message " Rule \"$rule\" checked."
else else
echo " Rule \"$rule\" added." progress_message " Rule \"$rule\" added."
fi fi
} }
@ -3491,9 +3495,9 @@ process_rule() # $1 = target
# Report Result # Report Result
# #
if [ $COMMAND = check ]; then if [ $COMMAND = check ]; then
echo " Rule \"$rule\" checked." progress_message " Rule \"$rule\" checked."
else else
echo " Rule \"$rule\" added." progress_message " Rule \"$rule\" added."
fi fi
} }
@ -3728,7 +3732,7 @@ process_tos_rule() {
esac esac
done done
echo " Rule \"$rule\" added." progress_message " Rule \"$rule\" added."
} }
# #
@ -3906,7 +3910,7 @@ default_policy() # $1 = client $2 = server
esac esac
fi fi
echo " Policy $policy for $1 to $2 using chain $chain" progress_message " Policy $policy for $1 to $2 using chain $chain"
} }
eval chain1=\$${1}2${2}_policychain eval chain1=\$${1}2${2}_policychain
@ -4140,12 +4144,12 @@ setup_masq()
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j SNAT $addrlist addnatrule $chain -s $s -d $destnet -j SNAT $addrlist
done done
echo " To $destination from $s through ${interface} using $addresses" progress_message " To $destination from $s through ${interface} using $addresses"
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j MASQUERADE addnatrule $chain -s $s -d $destnet -j MASQUERADE
done done
echo " To $destination from $s through ${interface}" progress_message " To $destination from $s through ${interface}"
fi fi
done done
elif [ -n "$addresses" ]; then elif [ -n "$addresses" ]; then
@ -4157,7 +4161,7 @@ setup_masq()
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j MASQUERADE addnatrule $chain -d $destnet -j MASQUERADE
done done
echo " To $destination from $source through ${interface}" progress_message " To $destination from $source through ${interface}"
fi fi
} }
@ -4259,7 +4263,7 @@ process_blacklist_rec() {
addr="$addr $protocol" addr="$addr $protocol"
fi fi
echo " $addr added to Black List" progress_message " $addr added to Black List"
done done
} }
@ -4290,7 +4294,7 @@ setup_blacklist() {
[ $network = 0/0.0.0.0 ] && network= || network=":$network" [ $network = 0/0.0.0.0 ] && network= || network=":$network"
echo " Blacklisting enabled on ${interface}${network}" progress_message " Blacklisting enabled on ${interface}${network}"
done done
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
@ -4381,7 +4385,7 @@ add_ip_aliases()
run_ip addr add ${external}${val} dev $interface $label run_ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label" [ -n "$label" ] && label="with $label"
echo " IP Address $external added to interface $interface $label" progress_message " IP Address $external added to interface $interface $label"
} }
set -- $aliases_to_add set -- $aliases_to_add
@ -5488,7 +5492,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "$1 added to zone $2" progress_message "$1 added to zone $2"
} }
# #
@ -5615,7 +5619,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "$1 removed from zone $2" progress_message "$1 removed from zone $2"
} }
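Review bot: `progress_message` in the -51,6 +51,11 hunk echoes its arguments unquoted, `echo $@`, so every message the rest of this diff routes through it is now word-split and glob-expanded against the current directory, whereas the replaced calls such as `echo " Rule \"$rule\" added."` printed the quoted string literally; a rule, policy or blacklist entry containing `*` or `?` would print matching filenames instead of the text. Quoting the expansion restores the old output: `[ -n "$QUIET" ] || echo "$@"`. The accounting-rule call in the -2166 hunk passes its fields as separate unquoted words, which `echo "$@"` still joins with single spaces, so that message is unaffected. A one-line header above the function, `# Print a progress line unless QUIET is set (exported by /sbin/shorewall -q)`, would tell readers where QUIET comes from.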
# #


@ -157,10 +157,11 @@ monitor)
;; ;;
refresh) refresh)
echo "refresh: refresh echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces, The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched" to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;; ;;
reject) reject)
@ -178,9 +179,10 @@ reset)
;; ;;
restart) restart)
echo "restart: restart [ -c <configuration-directory> ] echo "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start. Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped." Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;; ;;
save) save)
@ -213,10 +215,11 @@ show)
;; ;;
start) start)
echo "start: start [ -c <configuration-directory> ] echo "start: [ -q ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies." if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;; ;;
stop) stop)
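Review bot: The three help strings added in the refresh, restart and start hunks read `less detain is displayed`; the intended word is `detail`, and since this is user-facing text inside an echo each line should read `If \"-q\" is specified, less detail is displayed making it easier to spot warnings`. The synopsis lines also disagree with each other: `refresh: [ -q ] refresh` and `start: [ -q ] [ -c <configuration-directory> ] start` list the options before the command name, while `restart: restart [ -q ] [ -c <configuration-directory> ]` lists them after it. The usage() string in this commit's /sbin/shorewall hunk documents options before `<command>`, so the restart line appears to be the odd one out; either way the three should use one form.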


@ -9,6 +9,9 @@ Problems Corrected since 2.0.1
normal Shorewall distribution and is provided by the Debian normal Shorewall distribution and is provided by the Debian
maintainer. maintainer.
2) A meaningless warning message out of the proxyarp file processing
has been eliminated.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
@ -63,9 +66,9 @@ New Features:
independently of the contents of the ALL INTERFACES column. independently of the contents of the ALL INTERFACES column.
4) The folks at Mandrake have created yet another kernel module 4) The folks at Mandrake have created yet another kernel module
naming convention. As a consequence, beginning with this release, naming convention (module names end in "ko.gz"). As a consequence,
if MODULE_PREFIX isn't specified in shorewall.conf, then the default beginning with this release, if MODULE_PREFIX isn't specified in
value is "o gz ko o.gz ko.gz". shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
5) An updated bogons file is included in this release. 5) An updated bogons file is included in this release.
@ -87,7 +90,11 @@ New Features:
characters; if a larger prefix is generated, Shorewall will issue a characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters. warning message and will truncate the prefix to 29 characters.
7) A new "-q" option has been added to /sbin/shorewall commands. It
causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible. When
testing this change, I discovered a bug where a bogus warning
message was being generated :-)


@ -531,7 +531,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -586,6 +586,7 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
fi fi
SHOREWALL_DIR= SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv" IPT_OPTIONS="-nv"
done=0 done=0
@ -611,6 +612,10 @@ while [ $done -eq 0 ]; do
IPT_OPTIONS="-xnv" IPT_OPTIONS="-xnv"
shift shift
;; ;;
-q)
QUIET=Yes
shift
;;
*) *)
done=1 done=1
;; ;;
@ -622,6 +627,7 @@ if [ $# -eq 0 ]; then
fi fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
[ -n "$QUIET" ] && export QUIET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
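Review bot: The new `QUIET=` initialisation and the `-q)` arm carry no comment, so a reader of this file cannot tell that the variable is never used here and only matters because the `[ -n "$QUIET" ] && export QUIET` line hands it to the firewall script, which tests it in `progress_message`. A comment on the initialisation, `# QUIET=Yes (from -q) is exported so the firewall script suppresses progress messages`, would document that contract. Resetting it unconditionally before option parsing is good, since it means a QUIET value inherited from the caller's environment cannot silence output on its own; that behaviour is worth stating in the same comment.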