Bring forward some changes from 2.0.8; Improve error messages; Implement STARTUP_ENABLED
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
502a00cc26
commit
d8a733aac0
@ -14,23 +14,12 @@ Changes since 2.0.3
|
||||
|
||||
7) Add PKTTYPE option.
|
||||
|
||||
firewall
|
||||
shorewall.conf
|
||||
|
||||
8) Enhancements to /etc/shorewall/masq
|
||||
|
||||
masq
|
||||
firewall
|
||||
|
||||
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||
|
||||
nat
|
||||
firewall
|
||||
|
||||
9) Fix syntax error in setup_nat()
|
||||
|
||||
firewall
|
||||
|
||||
10) Port "shorewall status" changes from 2.0.7.
|
||||
|
||||
11) All config files are now empty.
|
||||
@ -39,3 +28,7 @@ Changes since 2.0.3
|
||||
|
||||
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||
Prep work for action logging.
|
||||
|
||||
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||
|
||||
15) Implement STARTUP_ENABLED.
|
||||
|
@ -156,7 +156,11 @@ run_iptables() {
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
|
||||
if ! iptables $@ ; then
|
||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -183,7 +187,11 @@ run_iptables2() {
|
||||
#
|
||||
run_ip() {
|
||||
if ! ip $@ ; then
|
||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -192,7 +200,11 @@ run_ip() {
|
||||
#
|
||||
run_tc() {
|
||||
if ! tc $@ ; then
|
||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -2784,7 +2796,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
|
||||
[ "$COMMAND" != check ] && \
|
||||
while havechain %${CHAIN}${actchain}; do
|
||||
actchain=$((${actchain-0} + 1))
|
||||
actchain=$(($actchain + 1))
|
||||
[ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
|
||||
done
|
||||
|
||||
@ -2865,6 +2877,9 @@ find_logactionchain() # $1 = Action, including log level and tag if any
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# This function determines the logging for a subordinate action or a rule within a subordinate action
|
||||
#
|
||||
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
||||
{
|
||||
local superior=$1 subordinate=$2
|
||||
@ -2926,12 +2941,32 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
||||
esac
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Read /etc/shorewall/actions and /usr/share/shorewall/actions.std and for each defined <action>, pre-process
|
||||
# /etc/shorewall/action.<action>
|
||||
# The next two functions implement the two phases of action processing.
|
||||
#
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
|
||||
# and /etc/shorewall/actions are scanned (in that order) and for each action:
|
||||
#
|
||||
# a) The related action definition file is located and scanned.
|
||||
# b) Forward and unresolved action references are trapped as errors.
|
||||
# c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the
|
||||
# action[:level[:tag]] of each action invoked by <action>.
|
||||
# d) All actions are listed in the global variable ACTIONS.
|
||||
# e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global
|
||||
# USEDACTIONS list and their action chain is created.
|
||||
#
|
||||
# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an <action>
|
||||
# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
|
||||
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
|
||||
# length of the chain name does not exceed 11 characters.
|
||||
#
|
||||
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
|
||||
# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
|
||||
#
|
||||
# The final step is to traverse the USEDACTIONS list populating each chain appropriately by reading the
|
||||
# action definition files and creating rules. Note that a given action definition file is processed once for
|
||||
# each unique [:level[:tag]] applied to an invocation of the action.
|
||||
#
|
||||
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
||||
@ -3003,53 +3038,8 @@ process_actions1() {
|
||||
done < $TMP_DIR/$inputfile
|
||||
done
|
||||
}
|
||||
#
|
||||
# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
|
||||
# process the associated action files.
|
||||
#
|
||||
|
||||
process_actions2() {
|
||||
#
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
process_wildcard_rule() {
|
||||
local yclients yservers ysourcezone ydestzone ypolicy
|
||||
|
||||
for yclients in $xclients; do
|
||||
for yservers in $xservers; do
|
||||
ysourcezone=${yclients%%:*}
|
||||
ydestzone=${yservers%%:*}
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
||||
process_action $xchain $xaction1 $xaction2 $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
do_it() {
|
||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
||||
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
}
|
||||
|
||||
drop_broadcasts() {
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
@ -3065,9 +3055,7 @@ process_actions2() {
|
||||
run_iptables -A $xchain -d $address -j DROP
|
||||
done
|
||||
}
|
||||
#
|
||||
# B O D Y S T A R T S H E R E
|
||||
#
|
||||
|
||||
progress_message " Generating Transitive Closure of Used-action List..."
|
||||
|
||||
changed=Yes
|
||||
@ -3179,7 +3167,7 @@ process_actions2() {
|
||||
|
||||
echo "Processing $fn for Chain $xchain..."
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
||||
expandv xtarget
|
||||
#
|
||||
# Generate the target:level:tag to pass to process_action()
|
||||
@ -3204,7 +3192,11 @@ process_actions2() {
|
||||
;;
|
||||
esac
|
||||
|
||||
do_it
|
||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
||||
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
|
||||
done < $TMP_DIR/$f
|
||||
;;
|
||||
esac
|
||||
@ -5819,10 +5811,11 @@ activate_rules()
|
||||
# Check for disabled startup
|
||||
#
|
||||
check_disabled_startup() {
|
||||
if [ -f /etc/shorewall/startup_disabled ]; then
|
||||
if [ -z "$STARTUP_ENABLED" ]; then
|
||||
echo " Shorewall Startup is disabled -- to enable startup"
|
||||
echo " after you have completed Shorewall configuration,"
|
||||
echo " remove the file /etc/shorewall/startup_disabled"
|
||||
echo " change the setting of STARTUP_ENABLED to Yes in"
|
||||
echo " /etc/shorewall/shorewall.conf"
|
||||
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
@ -6509,6 +6502,7 @@ do_initialize() {
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
|
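Review bot: The new failure branch in run_iptables still invokes the command as `iptables $@` and builds its message as `"ERROR: Command \"$@\" Failed"`; an unquoted `$@` lets any argument containing whitespace or glob characters be re-split and expanded before iptables sees it, and `"$@"` embedded in a longer double-quoted string expands to several words, so error_message presumably receives the command text as multiple arguments rather than one. If every caller already passes pre-split words, `if ! iptables "$@" ; then` hands them on unchanged, and `error_message "ERROR: Command \"$*\" Failed"` keeps the whole message as a single argument. The run_ip and run_tc hunks repeat the same pattern and would take the same two-line change. Whether error_message tolerates a multi-argument message cannot be seen here, so that is worth confirming before relying on the logged text.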
@ -551,7 +551,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
@ -559,7 +559,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if chkconfig --add shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically in run levels as follows:"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
chkconfig --list shorewall
|
||||
else
|
||||
cant_autostart
|
||||
@ -568,18 +568,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if rc-update add shorewall default; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" > /etc/shorewall/startup_disabled
|
||||
fi
|
||||
fi
|
||||
|
||||
|
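Review bot: Dropping the creation of /etc/shorewall/startup_disabled here, while the firewall's check_disabled_startup hunk stops testing for that file, means a startup_disabled left behind by an earlier install no longer has any effect, and nothing in these hunks removes the stale file or tells the user it is now ignored. A one-line notice next to the new message, such as `[ -f /etc/shorewall/startup_disabled ] && echo "Note: /etc/shorewall/startup_disabled is no longer honored; startup is now controlled by STARTUP_ENABLED in /etc/shorewall/shorewall.conf"`, would close that gap. How an existing shorewall.conf that lacks STARTUP_ENABLED is treated on upgrade depends on the default applied by added_param_value_yes, which is not visible here and should be checked so that an unconfigured installation does not start silently. The enclosing `if [ -z "$PREFIX" -a -n "$first_install" ]` block begins before these hunks.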
@ -161,3 +161,14 @@ New Features:
|
||||
$LEVEL="info"
|
||||
$TAG="test"
|
||||
|
||||
6) The /etc/shorewall/startup_disabled file is no longer created when
|
||||
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
|
||||
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
|
||||
Shorewall to start, that variable's value must be set to
|
||||
'Yes'. This change accomplishes two things:
|
||||
|
||||
a) It prevents Shorewall from being started prematurely by the
|
||||
user's initialization scripts.
|
||||
|
||||
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
||||
it won't be replaced by upgrades using RPM.
|
||||
|
@ -7,6 +7,14 @@
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
##############################################################################
|
||||
# Once you have configured Shorewall, you may change the setting of
|
||||
# this variable to 'Yes'
|
||||
|
||||
STARTUP_ENABLED=No
|
||||
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
|
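Review bot: The new comment above STARTUP_ENABLED says the value may be changed to 'Yes' but not what the shipped 'No' does, which is the one thing a user reading this file needs to know. The check_disabled_startup hunk in the firewall prints "Shorewall Startup is disabled" and cleans up when the variable is empty, so it appears the firewall will not start until the value is changed; a comment such as `# While this is 'No', Shorewall will not start. Set it to 'Yes' once you` / `# have finished configuring Shorewall.` would make that explicit in the file users actually edit.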
@ -40,20 +40,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%post
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" \
|
||||
> /etc/shorewall/startup_disabled
|
||||
|
||||
if [ -x /sbin/insserv ]; then
|
||||
/sbin/insserv /etc/rc.d/shorewall
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
/sbin/chkconfig --add shorewall;
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun
|
||||
|
||||
if [ $1 = 0 ]; then
|
||||
@ -141,6 +127,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Mon Aug 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Remove startup_disabled.
|
||||
* Thu Jul 29 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.1.2-1
|
||||
* Mon Jul 12 2004 Tom Eastep tom@shorewall.net
|
||||
|