Allow remote compiles

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3269 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-01-12 23:26:37 +00:00
parent 521ec7bd73
commit e9423d9c04
6 changed files with 160 additions and 79 deletions


@ -7,3 +7,5 @@ Changes in 3.1.0
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
4) Add back dynamic zones.
5) Allow remote compiles.


@ -1218,6 +1218,8 @@ validate_interfaces_file() {
options=$(separate_list $options)
iface=$(chain_base $interface)
[ -n "$EXPORT" -a x$networks = detect ] && startup_error "BROADCAST 'detect' is incompatible with the -e option: Interface \"$interface\""
eval ${iface}_broadcast="$networks"
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
@ -1226,7 +1228,10 @@ validate_interfaces_file() {
case $option in
-)
;;
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: Interface \"$interface\""
;;
norfc1918)
if [ $COMMAND = generate ]; then
@ -1266,6 +1271,8 @@ __EOF__
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
[ -n $EXPORT ] && \
startup_error "'detectnets' not permitted with the -e option"
;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
@ -1478,16 +1485,44 @@ __EOF__
rulenum=0
if [ $COMMAND != check ]; then
find_interface_addresses $interface | while read address; do
run_and_save_command " qt ip rule del from $address"
case $COMMAND in
check)
;;
generate)
if [ -z "$loose" ]; then
pref=$((20000 + $rulenum * 1000 + $number ))
rulenum=$(($rulenum + 1))
ensure_and_save_command " ip rule add from $address pref $pref table $number"
cat >> $RESTOREBASE << __EOF__
rulenum=0
find_interface_addresses $interface | while read address; do
qt ip rule del from \$address
pref=\$((20000 + \$rulenum * 1000 + $number ))
rulenum=\$((\$rulenum + 1))
ip rule add from \$address pref \$pref table $number"
done
__EOF__
else
cat >> $RESTOREBASE << __EOF__
find_interface_addresses $interface | while read address; do
qt ip rule del from \$address
done
__EOF__
fi
done
fi
;;
*)
find_interface_addresses $interface | while read address; do
run_and_save_command " qt ip rule del from $address"
if [ -z "$loose" ]; then
pref=$((20000 + $rulenum * 1000 + $number ))
rulenum=$(($rulenum + 1))
ensure_and_save_command " ip rule add from $address pref $pref table $number"
fi
done
;;
esac
}
strip_file providers $1
@ -1632,8 +1667,11 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do
case $option in
maclist|norfc1918|blacklist|tcpflags|nosmurfs|-)
norfc1918|blacklist|tcpflags|nosmurfs|-)
;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: \"$host\""
;;
ipsec)
[ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not support policy match: ipsec"
@ -1822,27 +1860,6 @@ find_broadcasts() {
done
}
#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
#
# If there wasn't one, bail out now
#
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Find interfaces that have the passed option specified
#
@ -2006,28 +2023,6 @@ setup_forwarding() {
esac
}
#
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
ip6tables -F && save_command ip6tables -F
ip6tables -X && save_command ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
disable_ipv6_1() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
@ -3015,6 +3010,7 @@ setup_mac_lists() {
# chains
#
for interface in $maclist_interfaces; do
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
blob=$(ip link show $interface 2> /dev/null)
@ -3104,8 +3100,12 @@ setup_syn_flood_chains()
delete_proxy_arp() {
if [ -f /var/lib/shorewall/proxyarp ]; then
while read address interface external haveroute; do
[ $COMMAND = generate ] || qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
run_and_save_command "qt arp -i $external -d $address pub"
if [ $COMMAND = generate ]; then
[ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
else
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
fi
done < /var/lib/shorewall/proxyarp
[ $COMMAND = generate ] || rm -f /var/lib/shorewall/proxyarp
@ -3113,9 +3113,19 @@ delete_proxy_arp() {
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
[ $COMMAND = generate ] || for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
if [ $COMMAND = generate ]; then
cat >> $RESTOREBASE << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
done
__EOF__
else
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
}
#
@ -3205,15 +3215,31 @@ delete_nat() {
run_iptables -t nat -F
run_iptables -t nat -X
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
if [ $COMMAND = generate ]; then
[ -d $STATEDIR ] && touch $STATEDIR/nat
[ $COMMAND = generate ] || rm -f {/var/lib/shorewall}/nat
cat >> $RESTOREBASE << __EOF__
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del \$external dev \$interface
done < /var/lib/shorewall/nat
rm -f {/var/lib/shorewall}/nat
fi
__EOF__
else
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
rm -f {/var/lib/shorewall}/nat
fi
[ -d $STATEDIR ] && touch $STATEDIR/nat
fi
[ -d $STATEDIR ] && touch $STATEDIR/nat
}
#
@ -7285,6 +7311,7 @@ setup_masq()
*.*.*|+*|!+*)
;;
*)
[ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e option"
networks=$(get_routed_networks $networks)
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
networks="$networks"
@ -7900,7 +7927,9 @@ initialize_netfilter () {
process_routestopped -A
[ -n "$DISABLE_IPV6" ] && disable_ipv6
if [ -n "$DISABLE_IPV6" ]; then
run_and_save_command disable_ipv6
fi
[ $COMMAND = generate ] && save_progress_message "Enabling Loopback and DNS Lookups"
@ -9771,6 +9800,8 @@ do_initialize() {
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
[ -n "$DETECT_DNAT_IPADDRS" -a -n "$EXPORT" ] && \
startup_error "DETECT_DNAT_IPADDRS=Yes not allowed with the -e option"
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported"
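Review bot: The new detectnets guard in validate_interfaces_file (the @ -1266 hunk), `[ -n $EXPORT ] && \`, leaves `$EXPORT` unquoted, so when -e was not given the test collapses to the one-argument form `[ -n ]`, which is true, and every interface carrying detectnets is rejected with "'detectnets' not permitted with the -e option"; write `[ -n "$EXPORT" ] && \` as the maclist and BROADCAST checks in the same function already do. The BROADCAST guard `[ -n "$EXPORT" -a x$networks = detect ]` would likewise be safer as `"x$networks"` so a multi-word value cannot break the test. In the @ -1478 hunk the restore-script text `ip rule add from \$address pref \$pref table $number"` carries a stray closing quote; the here-document is unquoted, so that `"` is copied into the compiled script as an unterminated string — drop it. The `rm -f {/var/lib/shorewall}/nat` lines in delete_nat inherit a brace expression with no comma, which the shell leaves literal; that predates this commit, but it is now also written into the generated restore script.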


@ -1108,4 +1108,25 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway
}
#
# Disable IPV6
#
disable_ipv6() {
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
ip6tables -F && save_command ip6tables -F
ip6tables -X && save_command ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
SHOREWALL_LIBRARY=Loaded
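Review bot: disable_ipv6 is now invoked from the compiler as `run_and_save_command disable_ipv6`, yet every ip6tables line inside it still does `&& save_command …`; if run_and_save_command also records its argument into the restore script, that script would contain both the function call and the individual ip6tables lines and apply the policy changes twice — worth confirming and, if so, dropping the inner save_command calls. Each `ip6tables … && save_command …` also fails silently: a refused `-P INPUT DROP` leaves IPv6 traffic unfiltered while the script continues without any message, so consider `ip6tables -P INPUT DROP || error_message "WARNING: unable to set IPv6 INPUT policy"` (or one `|| return` chain) so the operator can see it. The library version drops the `save_progress_message "Disabling IPV6..."` line that the compiler copy had; if that was intentional a one-line comment above the function saying it now runs at restore time would help the next reader.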


@ -88,11 +88,16 @@ clear)
;;
compile)
echo "compile: compile [ <directory name> ] <file name>
echo "compile: compile [ -e ] [ <directory name> ] <file name>
Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>"
/var/lib/shorewall/<file name>
'generate' is a synonym for 'compile'.
When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'generate' is a synonym for 'compile'."
;;
debug)
@ -166,9 +171,14 @@ forget)
generate)
echo "generate: generate [ <directory name> ] <file name>
Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>"
/var/lib/shorewall/<file name>
'compile' is a synonym for 'generate'.
When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'compile' is a synonym for 'generate'."
;;
help)


@ -39,11 +39,16 @@ New Features:
1) A new 'shorewall generate' command has been added.
shorewall [ -q ] generate [ <config directory> ] <script file>
shorewall [ -q ] [ -e ] generate [ <config directory> ] <script file>
where:
-q Suppresses many of the progress messages
-e Generates an error if the configuration used
an option that would prevent the generated
script from running on a system other than
where the 'generate' command is running (see
additional consideration a) below).
<config directory> Is an optional directory to be searched for
configuration files prior to those listed
in CONFIG_DIR in /etc/shorewall/shorewall.conf.
@ -57,7 +62,7 @@ New Features:
'compile' is a synonym for 'generate':
shorewall [ -q ] compile [ <config directory> ] <script file>
shorewall [ -q ] [ -e ] compile [ <config directory> ] <script file>
WARNING: The generated script HAS ABSOLUTELY NO ERROR CHECKING so if there
are errors in your configuration files that result in errors when
@ -70,9 +75,14 @@ New Features:
Some additional considerations:
a) All 'detect' operations are done at the time that the 'generate' command
is run. So it is generally not possible to run 'generate' on one system
then move the generated script to another system.
a) It is possible to run 'generate' ('compile') on one system and then
run the generated script on another system but there are certain
limitation.
1) The same version of Shorewall must be running on the remote system
2) The 'detectnets' interface option is not allowed.
3) 'detect' in the BROADCAST column of /etc/shorewall/ is not allowed.
4) DETECT_DNAT_ADDRS=Yes is not allowed.
b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script
@ -83,14 +93,14 @@ New Features:
In addition to 'generate', a 'shorewall reload' command has been added.
shorewall [ -q ] reload [ <config directory>
shorewall [ -q ] reload [ <config directory> ]
where -q and <config directory> are as above.
The 'reload' command creates a script using 'generate' and if there are
no errors, it then restores that script. It is equivalent to:
if shorewall generate <temp file>; then restore <tempfile>; fi
if shorewall generate .reload; then restore .reload; fi
The advantage of using reload over restart is that reload results in new
connections being dropped for a much shorter time. Here are the results of


@ -502,7 +502,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] [ -n ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] [ -n ] [ -e ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..."
@ -626,6 +626,7 @@ IPT_OPTIONS="-nv"
FAST=
VERBOSE=
NOROUTES=
EXPORT=
noroutes=
done=0
@ -656,6 +657,10 @@ while [ $done -eq 0 ]; do
option=
shift
;;
e*)
EXPORT=Yes
option=${option#e}
;;
x*)
IPT_OPTIONS="-xnv"
option=${option#x}
@ -867,6 +872,8 @@ case "$1" in
;;
esac
export EXPORT
exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file
;;
check|restart)
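Review bot: The new `e*)` arm sets `EXPORT=Yes` for every command, but `export EXPORT` appears only in the generate arm ahead of `exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file`, so `-e` given with any other command is accepted and silently has no effect (unless arms outside the hunk also export it). Either reject it where it is meaningless, e.g. `[ -n "$EXPORT" ] && usage 1` at the top of those arms, or say so in usage(): the new usage line `[ -e ] <command>` presents it as a global option, and a trailing note such as `echo "  -e applies only to compile/generate"` would keep the two consistent. The `case "$1"` block that holds the generate arm begins outside the hunk.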