forked from extern/shorewall_code
Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code
# Conflicts: # Shorewall-init/install.sh # Shorewall/Perl/Shorewall/Providers.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
commit
dddde56454
@ -429,6 +429,7 @@ case $HOST in
|
||||
if [ $configure -eq 1 ]; then
|
||||
install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
|
||||
rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
|
||||
else
|
||||
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
|
||||
|
@ -24,21 +24,8 @@
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# Check to see if any of the products are running. If so, issue a warning
|
||||
# and exits with value 1
|
||||
firewall_stopped() {
|
||||
for PRODUCT in $PRODUCTS; do
|
||||
if $PRODUCT status > /dev/null 2>&1; then
|
||||
echo " WARNING: $PRODUCT is running -- ignoring $1 command" >&2
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# set the STATEDIR variable
|
||||
|
||||
setstatedir() {
|
||||
local statedir
|
||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
||||
@ -56,12 +43,35 @@ setstatedir() {
|
||||
fi
|
||||
}
|
||||
|
||||
# Initialize the firewall
|
||||
shorewall_start () {
|
||||
#
|
||||
# This is modified by the installer when ${SHAREDIR} <> /usr/share
|
||||
#
|
||||
. /usr/share/shorewall/shorewallrc
|
||||
|
||||
# check if shorewall-init is configured or not
|
||||
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
|
||||
. $SYSCONFDIR/shorewall-init
|
||||
if [ -z "$PRODUCTS" ]; then
|
||||
echo "ERROR: No products configured" >&2
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Initialize the firewalls
|
||||
|
||||
shorewall_init_start () {
|
||||
local PRODUCT
|
||||
local STATEDIR
|
||||
|
||||
printf "Initializing \"Shorewall-based firewalls\": "
|
||||
|
||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
||||
ipset -R < "$SAVE_IPSETS"
|
||||
fi
|
||||
|
||||
for PRODUCT in $PRODUCTS; do
|
||||
if setstatedir; then
|
||||
#
|
||||
@ -75,19 +85,17 @@ shorewall_start () {
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
||||
ipset -R < "$SAVE_IPSETS"
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# Clear the firewall
|
||||
shorewall_stop () {
|
||||
# Clear the firewalls
|
||||
|
||||
shorewall_init_stop () {
|
||||
local PRODUCT
|
||||
local STATEDIR
|
||||
|
||||
printf "Clearing \"Shorewall-based firewalls\": "
|
||||
|
||||
for PRODUCT in $PRODUCTS; do
|
||||
if setstatedir; then
|
||||
#
|
||||
@ -113,29 +121,12 @@ shorewall_stop () {
|
||||
return 0
|
||||
}
|
||||
|
||||
#
|
||||
# This is modified by the installer when ${SHAREDIR} <> /usr/share
|
||||
#
|
||||
. /usr/share/shorewall/shorewallrc
|
||||
|
||||
# check if shorewall-init is configured or not
|
||||
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
|
||||
. $SYSCONFDIR/shorewall-init
|
||||
if [ -z "$PRODUCTS" ]; then
|
||||
echo "ERROR: No products configured" >&2
|
||||
exit 6
|
||||
fi
|
||||
else
|
||||
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
firewall_stopped 'start' && shorewall_start
|
||||
shorewall_init_start
|
||||
;;
|
||||
stop)
|
||||
firewall_stopped 'stop' && shorewall_stop
|
||||
shorewall_init_stop
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop}"
|
||||
|
@ -726,6 +726,7 @@ our %opttype = ( rule => CONTROL,
|
||||
'icmpv6-type' => UNIQUE,
|
||||
|
||||
comment => CONTROL,
|
||||
digest => CONTROL,
|
||||
|
||||
policy => MATCH,
|
||||
state => EXCLUSIVE,
|
||||
@ -3521,6 +3522,33 @@ sub irule_to_string( $ ) {
|
||||
$string;
|
||||
}
|
||||
|
||||
#
|
||||
# This one omits the comment
|
||||
#
|
||||
sub irule_to_string1( $ ) {
|
||||
my ( $ruleref ) = @_;
|
||||
|
||||
return $ruleref->{cmd} if exists $ruleref->{cmd};
|
||||
|
||||
my $string = '';
|
||||
|
||||
for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
|
||||
my $value = $ruleref->{$_};
|
||||
if ( reftype $value ) {
|
||||
$string .= "$_=" . join( ',', @$value ) . ' ';
|
||||
} else {
|
||||
$string .= "$_=$value ";
|
||||
}
|
||||
}
|
||||
|
||||
if ( $ruleref->{target} ) {
|
||||
$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
|
||||
$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
|
||||
}
|
||||
|
||||
$string;
|
||||
}
|
||||
|
||||
sub calculate_digest( $ ) {
|
||||
my $chainref = shift;
|
||||
my $rules = '';
|
||||
@ -4190,10 +4218,10 @@ sub get_multi_sports( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
|
||||
# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
|
||||
#
|
||||
sub get_keys( $ ) {
|
||||
my %skip = ( dport => 1, comment => 1, origin => 1 );
|
||||
my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
|
||||
|
||||
sort grep ! $skip{$_}, keys %{$_[0]};
|
||||
}
|
||||
@ -4374,64 +4402,54 @@ sub delete_duplicates {
|
||||
my @rules;
|
||||
my $chainref = shift;
|
||||
my $lastrule = @_;
|
||||
my $baseref = pop;
|
||||
my $ruleref;
|
||||
my %skip = ( comment => 1, origin => 1 );
|
||||
|
||||
for ( @_ ) {
|
||||
$_->{digest} = sha1_hex irule_to_string1( $_ );
|
||||
}
|
||||
|
||||
my $baseref = pop;
|
||||
|
||||
while ( @_ ) {
|
||||
my $docheck;
|
||||
my $duplicate = 0;
|
||||
|
||||
if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
|
||||
my $ports1;
|
||||
my @keys1 = sort( grep ! $skip{$_}, keys( %$baseref ) );
|
||||
my $bad_key;
|
||||
my $rulenum = @_;
|
||||
my $adjacent = 1;
|
||||
|
||||
{
|
||||
RULE:
|
||||
my $digest = $baseref->{digest};
|
||||
|
||||
while ( --$rulenum >= 0 ) {
|
||||
$ruleref = $_[$rulenum];
|
||||
for ( grep ! $skip{$_}, keys( %$baseref ) ) {
|
||||
$bad_key = 1, last if $bad_match{$_};
|
||||
}
|
||||
|
||||
last unless $ruleref->{mode} == CAT_MODE;
|
||||
while ( --$rulenum >= 0 ) {
|
||||
$ruleref = $_[$rulenum];
|
||||
|
||||
my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
|
||||
last unless $ruleref->{mode} == CAT_MODE;
|
||||
|
||||
next unless @keys1 == @keys2 ;
|
||||
next unless $digest eq $ruleref->{digest};
|
||||
|
||||
my $keynum = 0;
|
||||
|
||||
if ( $adjacent > 0 ) {
|
||||
#
|
||||
# There are no non-duplicate rules between this rule and the base rule
|
||||
#
|
||||
for my $key ( @keys1 ) {
|
||||
next RULE unless $key eq $keys2[$keynum++];
|
||||
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# There are non-duplicate rules between this rule and the base rule
|
||||
#
|
||||
for my $key ( @keys1 ) {
|
||||
next RULE unless $key eq $keys2[$keynum++];
|
||||
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
|
||||
last RULE if $bad_match{$key};
|
||||
}
|
||||
}
|
||||
unless ( $adjacent > 0 ) {
|
||||
#
|
||||
# This rule is a duplicate
|
||||
# There are non-duplicate rules between this rule and the base rule
|
||||
#
|
||||
$duplicate = 1;
|
||||
#
|
||||
# Increment $adjacent so that the continue block won't set it to zero
|
||||
#
|
||||
$adjacent++;
|
||||
|
||||
} continue {
|
||||
$adjacent--;
|
||||
last if $bad_key;
|
||||
}
|
||||
#
|
||||
# This rule is a duplicate
|
||||
#
|
||||
$duplicate = 1;
|
||||
#
|
||||
# Increment $adjacent so that the continue block won't set it to zero
|
||||
#
|
||||
$adjacent++;
|
||||
|
||||
} continue {
|
||||
$adjacent--;
|
||||
}
|
||||
}
|
||||
|
||||
@ -4468,10 +4486,10 @@ sub get_conntrack( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Return an array of keys for the passed rule. 'conntrack', 'comment' & 'origin' are omitted;
|
||||
# Return an array of keys for the passed rule. 'conntrack', 'comment', 'origin' and 'digest' are omitted;
|
||||
#
|
||||
sub get_keys1( $ ) {
|
||||
my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
|
||||
my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
|
||||
|
||||
sort grep ! $skip{$_}, keys %{$_[0]};
|
||||
}
|
||||
@ -8875,7 +8893,7 @@ sub ensure_ipsets( @ ) {
|
||||
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
|
||||
shift;
|
||||
|
||||
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
|
||||
emit( qq( if qt \$IPSET list $globals{DBL_IPSET}; then));
|
||||
|
||||
push_indent;
|
||||
|
||||
@ -9065,10 +9083,14 @@ sub create_load_ipsets() {
|
||||
# Requires V5 or later
|
||||
#
|
||||
emit( '' ,
|
||||
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
||||
' $IPSET flush $set' ,
|
||||
' $IPSET destroy $set' ,
|
||||
" done" ,
|
||||
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' while read ${VARDIR}/ipsets.save verb set; do' ,
|
||||
' if [ $verb = create ]; then' ,
|
||||
' $IPSET flush $set' ,
|
||||
' $IPSET destroy $set' ,
|
||||
' fi' ,
|
||||
' done' ,
|
||||
' fi',
|
||||
);
|
||||
} else {
|
||||
#
|
||||
|
@ -2064,7 +2064,7 @@ sub compile_updown() {
|
||||
push_indent;
|
||||
|
||||
emit( q(if [ "$state" = started ]; then) ,
|
||||
q( if [ "$COMMAND" = up ]; then) ,
|
||||
q( if [ "$COMMAND" = up ]; then) ,
|
||||
q( progress_message3 "Attempting enable on interface $1") ,
|
||||
q( COMMAND=enable) ,
|
||||
q( detect_configuration $1),
|
||||
|
@ -2028,7 +2028,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
push_indent;
|
||||
|
||||
emit( 'start|reload|restore)' );
|
||||
emit( 'start|reload|restore|enable)' );
|
||||
|
||||
push_indent;
|
||||
|
||||
|
@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
|
||||
status=0
|
||||
|
||||
if [ "$1" != lo ]; then
|
||||
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
|
||||
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
|
||||
if [ "$COMMAND" != enable ]; then
|
||||
[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
|
||||
status=$?
|
||||
|
Loading…
Reference in New Issue
Block a user