forked from extern/shorewall_code
Compare commits
4 Commits
4.5.1-Beta
...
4.5.0.1
| Author | SHA1 | Date | |
|---|---|---|---|
|
12b92acef1 | ||
|
|
966597ee9d | ||
|
|
98aa70bcae | ||
|
|
71a8ffca2e |
@@ -30,6 +30,8 @@ usage() # $1 = exit status
|
||||
echo "usage: $ME"
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
echo " $ME -s"
|
||||
echo " $ME -f"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@@ -96,13 +98,13 @@ T="-T"
|
||||
|
||||
[ -n "${LIBEXEC:=/usr/share}" ]
|
||||
[ -n "${PERLLIB:=/usr/share/shorewall}" ]
|
||||
MACHOST=
|
||||
|
||||
case "$LIBEXEC" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The LIBEXEC setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
LIBEXEC=/usr/${LIBEXEC}
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -110,41 +112,14 @@ case "$PERLLIB" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The PERLLIB setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
PERLLIB=/usr/${PERLLIB}
|
||||
;;
|
||||
esac
|
||||
|
||||
INSTALLD='-D'
|
||||
|
||||
if [ -z "$BUILD" ]; then
|
||||
case $(uname) in
|
||||
cygwin*)
|
||||
BUILD=cygwin
|
||||
;;
|
||||
Darwin)
|
||||
BUILD=apple
|
||||
;;
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
BUILD=debian
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
BUILD=redhat
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
BUILD=slackware
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
BUILD=suse
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
BUILD=archlinux
|
||||
else
|
||||
BUILD=linux
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
case $BUILD in
|
||||
cygwin*)
|
||||
case $(uname) in
|
||||
CYGWIN*)
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
@@ -152,16 +127,18 @@ case $BUILD in
|
||||
|
||||
OWNER=$(id -un)
|
||||
GROUP=$(id -gn)
|
||||
CYGWIN=Yes
|
||||
;;
|
||||
apple)
|
||||
Darwin)
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
SPARSE=Yes
|
||||
fi
|
||||
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=wheel
|
||||
MAC=Yes
|
||||
MACHOST=Yes
|
||||
INSTALLD=
|
||||
T=
|
||||
;;
|
||||
@@ -191,6 +168,14 @@ while [ $finished -eq 0 ]; do
|
||||
echo "Shorewall Firewall Installer Version $VERSION"
|
||||
exit 0
|
||||
;;
|
||||
a*)
|
||||
ANNOTATED=Yes
|
||||
option=${option#a}
|
||||
;;
|
||||
p*)
|
||||
ANNOTATED=
|
||||
option=${option#p}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@@ -212,30 +197,43 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
|
||||
[ -n "$HOST" ] || HOST=$BUILD
|
||||
|
||||
case "$HOST" in
|
||||
cygwin)
|
||||
echo "Installing Cygwin-specific configuration..."
|
||||
;;
|
||||
apple)
|
||||
echo "Installing Mac-specific configuration...";
|
||||
;;
|
||||
debian|redhat|slackware|archlinux|linux|suse)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unknown HOST \"$HOST\"" >&2
|
||||
exit 1;
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
if [ $BUILD != cygwin ]; then
|
||||
if [ -z "$CYGWIN" ]; then
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
fi
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
|
||||
CYGWIN=
|
||||
MAC=
|
||||
else
|
||||
if [ -n "$CYGWIN" ]; then
|
||||
echo "Installing Cygwin-specific configuration..."
|
||||
elif [ -n "$MAC" ]; then
|
||||
echo "Installing Mac-specific configuration..."
|
||||
else
|
||||
if [ -f /etc/debian_version ]; then
|
||||
echo "Installing Debian-specific configuration..."
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
MANDIR="/usr/man"
|
||||
SLACKWARE=yes
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
echo "Installing ArchLinux-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
INIT="shorewall"
|
||||
ARCHLINUX=yes
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
@@ -249,12 +247,7 @@ echo "Installing Shorewall Core Version $VERSION"
|
||||
# Create /usr/share/shorewall
|
||||
#
|
||||
mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
|
||||
chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
|
||||
|
||||
if [ $LIBEXEC != /usr/shorewall/ ]; then
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall
|
||||
chmod 755 ${DESTDIR}/usr/share/shorewall
|
||||
fi
|
||||
chmod 755 ${DESTDIR}/usr/share/shorewall
|
||||
#
|
||||
# Install wait4ifup
|
||||
#
|
||||
@@ -271,7 +264,7 @@ for f in lib.* ; do
|
||||
echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
|
||||
done
|
||||
|
||||
if [ $BUILD != apple ]; then
|
||||
if [ -z "$MACHOST" ]; then
|
||||
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
|
||||
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
|
||||
else
|
||||
|
||||
@@ -1957,8 +1957,6 @@ determine_capabilities() {
|
||||
CT_TARGET=
|
||||
STATISTIC_MATCH=
|
||||
IMQ_TARGET=
|
||||
DSCP_MATCH=
|
||||
DSCP_TARGET=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@@ -2083,14 +2081,10 @@ determine_capabilities() {
|
||||
qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
|
||||
qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
|
||||
qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
|
||||
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
|
||||
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
|
||||
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
|
||||
|
||||
qt $g_tool -t mangle -F $chain
|
||||
qt $g_tool -t mangle -X $chain
|
||||
|
||||
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
|
||||
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
|
||||
fi
|
||||
|
||||
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
|
||||
@@ -2273,8 +2267,6 @@ report_capabilities() {
|
||||
report_capability "Condition Match" $CONDITION_MATCH
|
||||
report_capability "Statistic Match" $STATISTIC_MATCH
|
||||
report_capability "IMQ Target" $IMQ_TARGET
|
||||
report_capability "DSCP Match" $DSCP_MATCH
|
||||
report_capability "DSCP Target" $DSCP_TARGET
|
||||
|
||||
if [ $g_family -eq 4 ]; then
|
||||
report_capability "iptables -S" $IPTABLES_S
|
||||
@@ -2362,8 +2354,6 @@ report_capabilities1() {
|
||||
report_capability1 CT_TARGET
|
||||
report_capability1 STATISTIC_MATCH
|
||||
report_capability1 IMQ_TARGET
|
||||
report_capability1 DSCP_MATCH
|
||||
report_capability1 DSCP_TARGET
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
echo KERNELVERSION=$KERNELVERSION
|
||||
|
||||
@@ -88,6 +88,20 @@ install_file() # $1 = source $2 = target $3 = mode
|
||||
|
||||
[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
|
||||
|
||||
# DEST is the SysVInit script directory
|
||||
# INIT is the name of the script in the $DEST directory
|
||||
# ARGS is "yes" if we've already parsed an argument
|
||||
#
|
||||
ARGS=""
|
||||
|
||||
if [ -z "$DEST" ] ; then
|
||||
DEST="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -z "$INIT" ] ; then
|
||||
INIT="shorewall-init"
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
@@ -102,6 +116,7 @@ while [ $# -gt 0 ] ; do
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
ARGS="yes"
|
||||
done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
@@ -112,98 +127,60 @@ case "$LIBEXEC" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The LIBEXEC setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
LIBEXEC=/usr/${LIBEXEC}
|
||||
;;
|
||||
esac
|
||||
|
||||
INITFILE="shorewall-init"
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
|
||||
if [ -z "$BUILD" ]; then
|
||||
case $(uname) in
|
||||
cygwin*)
|
||||
BUILD=cygwin
|
||||
;;
|
||||
Darwin)
|
||||
BUILD=apple
|
||||
;;
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
BUILD=debian
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
BUILD=redhat
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
BUILD=suse
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
BUILD=slackware
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
BUILD=archlinux
|
||||
else
|
||||
BUILD=linux
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
[ -n "$OWNER" ] || OWNER=$(id -un)
|
||||
[ -n "$GROUP" ] || GROUP=$(id -gn)
|
||||
|
||||
case $BUILD in
|
||||
apple)
|
||||
case $(uname) in
|
||||
Darwin)
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=wheel
|
||||
T=
|
||||
;;
|
||||
debian|redhat|suse|slackware|archlinux)
|
||||
;;
|
||||
;;
|
||||
*)
|
||||
[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
|
||||
exit 1
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=root
|
||||
;;
|
||||
esac
|
||||
|
||||
OWNERSHIP="-o $OWNER -g $GROUP"
|
||||
|
||||
[ -n "$HOST" ] || HOST=$BUILD
|
||||
|
||||
case "$HOST" in
|
||||
debian)
|
||||
echo "Installing Debian-specific configuration..."
|
||||
SPARSE=yes
|
||||
;;
|
||||
redhat|redhat)
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
|
||||
;;
|
||||
slackware)
|
||||
echo "Shorewall-init is currently not supported on Slackware" >&2
|
||||
exit 1
|
||||
;;
|
||||
archlinux)
|
||||
echo "Shorewall-init is currently not supported on Arch Linux" >&2
|
||||
exit 1
|
||||
;;
|
||||
suse|suse)
|
||||
echo "Installing SuSE-specific configuration..."
|
||||
;;
|
||||
linux)
|
||||
echo "ERROR: Shorewall-init is not supported on this system" >&2
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
|
||||
exit 1;
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
|
||||
INITDIR="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
elif [ -f /etc/debian_version ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
SUSE=Yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
FEDORA=Yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Shorewall-init is currently not supported on Slackware" >&2
|
||||
exit 1
|
||||
# DEST="/etc/rc.d"
|
||||
# INIT="rc.firewall"
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
echo "Shorewall-init is currently not supported on Arch Linux" >&2
|
||||
exit 1
|
||||
# DEST="/etc/rc.d"
|
||||
# INIT="shorewall-init"
|
||||
# ARCHLINUX=yes
|
||||
elif [ -d /etc/sysconfig/network-scripts/ ]; then
|
||||
#
|
||||
# Assume RedHat-based
|
||||
#
|
||||
REDHAT=Yes
|
||||
else
|
||||
echo "Unknown distribution: Shorewall-init support is not available" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
@@ -233,19 +210,18 @@ fi
|
||||
#
|
||||
# Install the Init Script
|
||||
#
|
||||
case $TARGET in
|
||||
debian)
|
||||
install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
redhat)
|
||||
install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
*)
|
||||
install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
esac
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
|
||||
#elif [ -n "$ARCHLINUX" ]; then
|
||||
# install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
else
|
||||
install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
fi
|
||||
|
||||
echo "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
|
||||
echo "$Product script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
@@ -271,10 +247,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
|
||||
#
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
rm -f /usr/share/shorewall-init/init
|
||||
ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
|
||||
ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
|
||||
fi
|
||||
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/network/if-up.d/
|
||||
mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
|
||||
@@ -292,7 +268,7 @@ else
|
||||
mkdir -p ${DESTDIR}/etc/sysconfig
|
||||
|
||||
if [ -z "$RPM" ]; then
|
||||
if [ $HOST = suse ]; then
|
||||
if [ -n "$SUSE" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
|
||||
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
|
||||
else
|
||||
@@ -318,30 +294,24 @@ if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
|
||||
fi
|
||||
|
||||
case $HOST in
|
||||
debian)
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
|
||||
;;
|
||||
suse)
|
||||
if [ -z "$RPM" ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
|
||||
fi
|
||||
;;
|
||||
redhat)
|
||||
if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
|
||||
echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
|
||||
elif [ -z "$DESTDIR" ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
|
||||
elif [ -n "$SUSE" ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
|
||||
elif [ -n "$REDHAT" ]; then
|
||||
if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
|
||||
echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
|
||||
else
|
||||
install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -n "$first_install" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
|
||||
update-rc.d shorewall-init defaults
|
||||
|
||||
@@ -370,7 +340,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
else
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
@@ -378,7 +348,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
fi
|
||||
else
|
||||
if [ -n "$first_install" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/rcS.d
|
||||
fi
|
||||
@@ -390,33 +360,31 @@ else
|
||||
fi
|
||||
|
||||
if [ -f ${DESTDIR}/etc/ppp ]; then
|
||||
case $HOST in
|
||||
debian|suse)
|
||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
||||
cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||
done
|
||||
;;
|
||||
redhat)
|
||||
#
|
||||
# Must use the dreaded ip_xxx.local file
|
||||
#
|
||||
for file in ip-up.local ip-down.local; do
|
||||
FILE=${DESTDIR}/etc/ppp/$file
|
||||
if [ -f $FILE ]; then
|
||||
if fgrep -q Shorewall-based $FILE ; then
|
||||
cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||
else
|
||||
echo "$FILE already exists -- ppp devices will not be handled"
|
||||
break
|
||||
fi
|
||||
else
|
||||
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
|
||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
||||
cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||
done
|
||||
elif [ -n "$REDHAT" ]; then
|
||||
#
|
||||
# Must use the dreaded ip_xxx.local file
|
||||
#
|
||||
for file in ip-up.local ip-down.local; do
|
||||
FILE=${DESTDIR}/etc/ppp/$file
|
||||
if [ -f $FILE ]; then
|
||||
if fgrep -q Shorewall-based $FILE ; then
|
||||
cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||
else
|
||||
echo "$FILE already exists -- ppp devices will not be handled"
|
||||
break
|
||||
fi
|
||||
done
|
||||
;;
|
||||
esac
|
||||
else
|
||||
cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
# Report Success
|
||||
#
|
||||
|
||||
@@ -76,10 +76,10 @@ command="$1"
|
||||
|
||||
case "$command" in
|
||||
start)
|
||||
exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||
exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
|
||||
;;
|
||||
restart|reload)
|
||||
exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
|
||||
exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
|
||||
;;
|
||||
status|stop)
|
||||
exec /sbin/shorewall-lite $OPTIONS $command $@
|
||||
|
||||
@@ -103,6 +103,17 @@ fi
|
||||
#
|
||||
# Parse the run line
|
||||
#
|
||||
# DEST is the SysVInit script directory
|
||||
# INIT is the name of the script in the $DEST directory
|
||||
#
|
||||
if [ -z "$DEST" ] ; then
|
||||
DEST="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -z "$INIT" ] ; then
|
||||
INIT="$PRODUCT"
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
@@ -127,56 +138,31 @@ case "$LIBEXEC" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The LIBEXEC setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
LIBEXEC=/usr/${LIBEXEC}
|
||||
;;
|
||||
esac
|
||||
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
cygwin=
|
||||
CYGWIN=
|
||||
INSTALLD='-D'
|
||||
INITFILE=$PRODUCT
|
||||
T='-T'
|
||||
|
||||
if [ -z "$BUILD" ]; then
|
||||
case $(uname) in
|
||||
cygwin*)
|
||||
BUILD=cygwin
|
||||
;;
|
||||
Darwin)
|
||||
BUILD=apple
|
||||
;;
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
BUILD=debian
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
BUILD=redhat
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
BUILD=suse
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
BUILD=slackware
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
BUILD=archlinux
|
||||
else
|
||||
BUILD=linux
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
case $(uname) in
|
||||
CYGWIN*)
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
fi
|
||||
|
||||
case $BUILD in
|
||||
cygwin*)
|
||||
OWNER=$(id -un)
|
||||
GROUP=$(id -gn)
|
||||
;;
|
||||
apple)
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=wheel
|
||||
Darwin)
|
||||
INSTALLD=
|
||||
T=
|
||||
;;
|
||||
;;
|
||||
*)
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=root
|
||||
@@ -185,45 +171,6 @@ esac
|
||||
|
||||
OWNERSHIP="-o $OWNER -g $GROUP"
|
||||
|
||||
[ -n "$HOST" ] || HOST=$BUILD
|
||||
|
||||
case "$HOST" in
|
||||
cygwin)
|
||||
echo "$PRODUCT is not supported on Cygwin" >&2
|
||||
exit 1
|
||||
;;
|
||||
apple)
|
||||
echo "$PRODUCT is not supported on OS X" >&2
|
||||
exit 1
|
||||
;;
|
||||
debian)
|
||||
echo "Installing Debian-specific configuration..."
|
||||
SPARSE=yes
|
||||
;;
|
||||
redhat)
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
|
||||
;;
|
||||
slackware)
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR="/etc/rc.d"
|
||||
[ -n "$INITFILE" ] || INITFILE="rc.firewall"
|
||||
[ -n "$MANDIR=" ] || MANDIR=/usr/man
|
||||
;;
|
||||
archlinux)
|
||||
echo "Installing ArchLinux-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR="/etc/rc.d"
|
||||
;;
|
||||
linux|suse)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unknown HOST \"$HOST\"" >&2
|
||||
exit 1;
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
|
||||
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
@@ -231,12 +178,21 @@ if [ -n "$DESTDIR" ]; then
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
DEST="/etc/rc.d"
|
||||
INIT="$PRODUCT"
|
||||
ARCHLINUX=yes
|
||||
fi
|
||||
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
else
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ ! -f /usr/share/shorewall/coreversion ]; then
|
||||
echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
|
||||
exit 1
|
||||
@@ -245,6 +201,8 @@ else
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
echo "Installing $Product Version $VERSION"
|
||||
@@ -264,7 +222,7 @@ else
|
||||
rm -rf ${DESTDIR}/etc/$PRODUCT
|
||||
rm -rf ${DESTDIR}/usr/share/$PRODUCT
|
||||
rm -rf ${DESTDIR}/var/lib/$PRODUCT
|
||||
[ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
|
||||
[ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
|
||||
fi
|
||||
|
||||
#
|
||||
@@ -282,6 +240,21 @@ install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
|
||||
|
||||
echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
|
||||
|
||||
#
|
||||
# Install the Firewall Script
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
|
||||
else
|
||||
install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
|
||||
fi
|
||||
|
||||
echo "$Product script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
|
||||
#
|
||||
# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
|
||||
#
|
||||
@@ -296,27 +269,8 @@ chmod 755 ${DESTDIR}/usr/share/$PRODUCT
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/logrotate.d
|
||||
chmod 755 ${DESTDIR}/etc/logrotate.d
|
||||
mkdir -p ${DESTDIR}${INITDIR}
|
||||
chmod 755 ${DESTDIR}${INITDIR}
|
||||
fi
|
||||
|
||||
case $TARGET in
|
||||
debian)
|
||||
install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
redhat)
|
||||
install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
archlinux)
|
||||
install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
*)
|
||||
install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "$Product script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
@@ -333,7 +287,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
|
||||
echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
|
||||
fi
|
||||
|
||||
if [ $HOST = archlinux ] ; then
|
||||
if [ -n "$ARCHLINUX" ] ; then
|
||||
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
|
||||
fi
|
||||
|
||||
@@ -433,7 +387,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
rm -f /usr/share/$PRODUCT/init
|
||||
ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
|
||||
ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
|
||||
fi
|
||||
|
||||
delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
|
||||
@@ -444,7 +398,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
touch /var/log/$PRODUCT-init.log
|
||||
|
||||
if [ -n "$first_install" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
|
||||
|
||||
update-rc.d $PRODUCT defaults
|
||||
@@ -480,7 +434,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
|
||||
}
|
||||
}
|
||||
|
||||
set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
|
||||
dont_optimize( $chainref ) if $target eq 'RETURN';
|
||||
|
||||
if ( $jumpchainref ) {
|
||||
if ( $asection ) {
|
||||
@@ -407,7 +407,7 @@ sub setup_accounting() {
|
||||
}
|
||||
|
||||
if ( $tableref->{accounting} ) {
|
||||
set_optflags( 'accounting' , DONT_OPTIMIZE );
|
||||
dont_optimize( 'accounting' );
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
|
||||
}
|
||||
@@ -429,7 +429,7 @@ sub setup_accounting() {
|
||||
insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
|
||||
}
|
||||
} elsif ( $tableref->{accounting} ) {
|
||||
set_optflags( 'accounting' , DONT_OPTIMIZE );
|
||||
dont_optimize( 'accounting' );
|
||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||
insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
|
||||
}
|
||||
|
||||
@@ -36,10 +36,6 @@ use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
DONT_OPTIMIZE
|
||||
DONT_DELETE
|
||||
DONT_MOVE
|
||||
|
||||
add_rule
|
||||
add_irule
|
||||
add_jump
|
||||
@@ -66,11 +62,6 @@ our @EXPORT = qw(
|
||||
require_audit
|
||||
newlogchain
|
||||
log_rule_limit
|
||||
allow_optimize
|
||||
allow_delete
|
||||
allow_move
|
||||
set_optflags
|
||||
reset_optflags
|
||||
dont_optimize
|
||||
dont_delete
|
||||
dont_move
|
||||
@@ -198,7 +189,6 @@ our %EXPORT_TAGS = (
|
||||
do_headers
|
||||
do_probability
|
||||
do_condition
|
||||
do_dscp
|
||||
have_ipset_rules
|
||||
record_runtime_address
|
||||
conditional_rule
|
||||
@@ -238,7 +228,6 @@ our %EXPORT_TAGS = (
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
%targets
|
||||
%dscpmap
|
||||
) ],
|
||||
);
|
||||
|
||||
@@ -257,7 +246,9 @@ our $VERSION = 'MODULEVERSION';
|
||||
# builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
|
||||
# manual => undef|1 -- If 1, a manual chain.
|
||||
# accounting => undef|1 -- If 1, an accounting chain
|
||||
# optflags => <optimization flags>
|
||||
# dont_optimize=> undef|1 -- Don't optimize away if this chain is 'short'
|
||||
# dont_delete => undef|1 -- Don't delete if this chain is not referenced
|
||||
# dont_move => undef|1 -- Don't copy the rules of this chain somewhere else
|
||||
# log => <logging rule number for use when LOGRULENUMBERS>
|
||||
# policy => <policy>
|
||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||
@@ -369,32 +360,6 @@ use constant {
|
||||
|
||||
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
|
||||
|
||||
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
|
||||
|
||||
our %dscpmap = ( CS0 => 0x00,
|
||||
CS1 => 0x08,
|
||||
CS2 => 0x10,
|
||||
CS3 => 0x18,
|
||||
CS4 => 0x20,
|
||||
CS5 => 0x28,
|
||||
CS6 => 0x30,
|
||||
CS7 => 0x38,
|
||||
BE => 0x00,
|
||||
AF11 => 0x0a,
|
||||
AF12 => 0x0c,
|
||||
AF13 => 0x0e,
|
||||
AF21 => 0x12,
|
||||
AF22 => 0x14,
|
||||
AF23 => 0x16,
|
||||
AF31 => 0x1a,
|
||||
AF32 => 0x1c,
|
||||
AF33 => 0x1e,
|
||||
AF41 => 0x22,
|
||||
AF42 => 0x24,
|
||||
AF43 => 0x26,
|
||||
EF => 0x2e,
|
||||
);
|
||||
|
||||
#
|
||||
# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
|
||||
#
|
||||
@@ -1186,7 +1151,7 @@ sub push_matches {
|
||||
}
|
||||
}
|
||||
|
||||
DONT_OPTIMIZE if $dont_optimize;
|
||||
$dont_optimize;
|
||||
}
|
||||
|
||||
sub push_irule( $$$;@ ) {
|
||||
@@ -1215,7 +1180,7 @@ sub push_irule( $$$;@ ) {
|
||||
$chainref->{referenced} = 1;
|
||||
|
||||
unless ( $ruleref->{simple} = ! @matches ) {
|
||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
|
||||
}
|
||||
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
@@ -1329,7 +1294,7 @@ sub insert_irule( $$$$;@ ) {
|
||||
}
|
||||
|
||||
unless ( $ruleref->{simple} = ! @matches ) {
|
||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
|
||||
}
|
||||
|
||||
if ( $comment ) {
|
||||
@@ -1902,8 +1867,7 @@ sub new_chain($$)
|
||||
log => 1,
|
||||
cmdlevel => 0,
|
||||
references => {},
|
||||
filtered => 0,
|
||||
optflags => 0,
|
||||
filtered => 0
|
||||
};
|
||||
|
||||
trace( $chainref, 'N', undef, '' ) if $debug;
|
||||
@@ -1964,7 +1928,7 @@ sub add_jump( $$$;$$$ ) {
|
||||
|
||||
my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
|
||||
|
||||
$fromref->{optflags} |= DONT_OPTIMIZE if $predicate =~ /! -[piosd] /;
|
||||
$fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
|
||||
|
||||
if ( defined $index ) {
|
||||
assert( ! $expandports );
|
||||
@@ -2088,70 +2052,49 @@ sub delete_jumps ( $$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub reset_optflags( $$ ) {
|
||||
my ( $chain, $flags ) = @_;
|
||||
|
||||
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
|
||||
|
||||
$chainref->{optflags} ^= $flags;
|
||||
|
||||
trace( $chainref, '!O', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub set_optflags( $$ ) {
|
||||
my ( $chain, $flags ) = @_;
|
||||
|
||||
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
|
||||
|
||||
$chainref->{optflags} |= $flags;
|
||||
|
||||
trace( $chainref, '!O', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Reset the dont_optimize flag for a chain
|
||||
#
|
||||
sub allow_optimize( $ ) {
|
||||
reset_optflags( shift, DONT_OPTIMIZE );
|
||||
}
|
||||
|
||||
#
|
||||
# Reset the dont_delete flags for a chain
|
||||
#
|
||||
sub allow_delete( $ ) {
|
||||
reset_optflags( shift, DONT_DELETE );
|
||||
}
|
||||
|
||||
#
|
||||
# Reset the dont_move flag for a chain
|
||||
#
|
||||
sub allow_move( $ ) {
|
||||
reset_optflags( shift, DONT_MOVE );
|
||||
}
|
||||
|
||||
#
|
||||
# Set the dont_optimize flag for a chain
|
||||
#
|
||||
sub dont_optimize( $ ) {
|
||||
set_optflags( shift, DONT_OPTIMIZE );
|
||||
my $chain = shift;
|
||||
|
||||
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
|
||||
|
||||
$chainref->{dont_optimize} = 1;
|
||||
|
||||
trace( $chainref, '!O', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Set the dont_optimize and dont_delete flags for a chain
|
||||
#
|
||||
sub dont_delete( $ ) {
|
||||
set_optflags( shift, DONT_OPTIMIZE | DONT_DELETE );
|
||||
my $chain = shift;
|
||||
|
||||
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
|
||||
|
||||
$chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
|
||||
|
||||
trace( $chainref, '!OD', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Set the dont_move flag for a chain
|
||||
#
|
||||
sub dont_move( $ ) {
|
||||
set_optflags( shift, DONT_MOVE );
|
||||
my $chain = shift;
|
||||
|
||||
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
|
||||
|
||||
$chainref->{dont_move} = 1;
|
||||
|
||||
trace( $chainref, '!M', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2193,7 +2136,7 @@ sub ensure_accounting_chain( $$$ )
|
||||
$chainref->{restriction} = $restriction;
|
||||
$chainref->{restricted} = NO_RESTRICT;
|
||||
$chainref->{ipsec} = $ipsec;
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
|
||||
$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
|
||||
|
||||
unless ( $chain eq 'accounting' ) {
|
||||
my $file = find_file $chain;
|
||||
@@ -2265,7 +2208,7 @@ sub new_builtin_chain($$$)
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{policy} = $policy;
|
||||
$chainref->{builtin} = 1;
|
||||
$chainref->{optflags} = DONT_DELETE;
|
||||
$chainref->{dont_delete} = 1;
|
||||
$chainref;
|
||||
}
|
||||
|
||||
@@ -2693,7 +2636,7 @@ sub conditionally_copy_rules( $$ ) {
|
||||
|
||||
my $targetref = $chain_table{$chainref->{table}}{$basictarget};
|
||||
|
||||
if ( $targetref && ! ( $targetref->{optflags} & DONT_MOVE ) ) {
|
||||
if ( $targetref && ! $targetref->{dont_move} ) {
|
||||
#
|
||||
# Move is safe -- start with an empty rule list
|
||||
#
|
||||
@@ -2735,7 +2678,7 @@ sub optimize_level0() {
|
||||
#
|
||||
# If the chain isn't branched to, then delete it
|
||||
#
|
||||
unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
|
||||
unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
|
||||
delete_chain $chainref if $chainref->{referenced};
|
||||
}
|
||||
}
|
||||
@@ -2753,7 +2696,7 @@ sub optimize_level4( $$ ) {
|
||||
# When a chain with a single entry is found, replace it's references by its contents
|
||||
#
|
||||
# The search continues until no short chains remain
|
||||
# Chains with 'DONT_OPTIMIZE' are exempted from optimization
|
||||
# Chains with 'dont_optimize = 1' are exempted from optimization
|
||||
#
|
||||
while ( $progress ) {
|
||||
$progress = 0;
|
||||
@@ -2765,16 +2708,15 @@ sub optimize_level4( $$ ) {
|
||||
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
|
||||
|
||||
for my $chainref ( @chains ) {
|
||||
my $optflags = $chainref->{optflags};
|
||||
#
|
||||
# If the chain isn't branched to, then delete it
|
||||
#
|
||||
unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
|
||||
unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
|
||||
delete_chain $chainref if $chainref->{referenced};
|
||||
next;
|
||||
}
|
||||
|
||||
unless ( $optflags & DONT_OPTIMIZE ) {
|
||||
unless ( $chainref->{dont_optimize} ) {
|
||||
my $numrules = @{$chainref->{rules}};
|
||||
|
||||
if ( $numrules == 0 ) {
|
||||
@@ -2785,7 +2727,7 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
|
||||
#
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE;
|
||||
$chainref->{dont_optimize} = 1;
|
||||
} else {
|
||||
#
|
||||
# Not a built-in -- we can delete it and it's references
|
||||
@@ -2816,7 +2758,7 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Target was a built-in. Ignore this chain in follow-on passes
|
||||
#
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE;
|
||||
$chainref->{dont_optimize} = 1;
|
||||
}
|
||||
} else {
|
||||
#
|
||||
@@ -2832,9 +2774,9 @@ sub optimize_level4( $$ ) {
|
||||
if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
|
||||
#
|
||||
# This case requires a new rule merging algorithm. Ignore this chain for
|
||||
# now on.
|
||||
# now.
|
||||
#
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE;
|
||||
$chainref->{dont_optimize} = 1;
|
||||
} else {
|
||||
#
|
||||
# Replace references to this chain with the target and add the matches
|
||||
@@ -2924,7 +2866,7 @@ sub optimize_level8( $$$ ) {
|
||||
#
|
||||
for my $chainref1 ( @chains1 ) {
|
||||
next unless @{$chainref1->{rules}};
|
||||
next if $chainref1->{optflags} & DONT_DELETE;
|
||||
next if $chainref1->{dont_delete};
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
replace_references $chainref1, $chainref->{name}, undef;
|
||||
@@ -4244,26 +4186,6 @@ sub do_condition( $ ) {
|
||||
"-m condition ${invert}--condition $condition "
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a -m dscp match
|
||||
#
|
||||
sub do_dscp( $ ) {
|
||||
my $dscp = shift;
|
||||
|
||||
return '' if $dscp eq '-';
|
||||
|
||||
require_capability 'DSCP_MATCH', 'A non-empty DSCP column', 's';
|
||||
|
||||
my $invert = $dscp =~ s/^!// ? '! ' : '';
|
||||
my $value = numeric_value( $dscp );
|
||||
|
||||
$value = $dscpmap{$value} unless defined $value;
|
||||
|
||||
fatal_error( "Invalid DSCP ($dscp)" ) unless defined $value && $value < 0x2f && ! ( $value & 1 );
|
||||
|
||||
"-m dscp ${invert}--dscp $value ";
|
||||
}
|
||||
|
||||
#
|
||||
# Match Source Interface
|
||||
#
|
||||
@@ -4391,13 +4313,6 @@ sub get_set_flags( $$ ) {
|
||||
} elsif ( $setname =~ /^(.*)\[((src|dst)(,(src|dst))*)\]$/ ) {
|
||||
$setname = $1;
|
||||
$options = $2;
|
||||
|
||||
my @options = split /,/, $options;
|
||||
my %typemap = ( src => 'Source', dst => 'Destination' );
|
||||
|
||||
for ( @options ) {
|
||||
warning_messsage( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
|
||||
}
|
||||
}
|
||||
|
||||
$setname =~ s/^\+//;
|
||||
|
||||
@@ -292,8 +292,6 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
STATISTIC_MATCH =>
|
||||
'Statistics Match',
|
||||
IMQ_TARGET => 'IMQ Target',
|
||||
DSCP_MATCH => 'DSCP Match',
|
||||
DSCP_TARGET => 'DSCP Target',
|
||||
CAPVERSION => 'Capability Version',
|
||||
KERNELVERSION => 'Kernel Version',
|
||||
);
|
||||
@@ -391,8 +389,8 @@ my $toolNAME; # Tool name in CAPS
|
||||
our $product; # Name of product that will run the generated script
|
||||
our $Product; # $product with initial cap.
|
||||
|
||||
our $sillyname; # Name of temporary filter chains for testing capabilities
|
||||
our $sillyname1;
|
||||
my $sillyname; # Name of temporary filter chains for testing capabilities
|
||||
my $sillyname1;
|
||||
my $iptables; # Path to iptables/ip6tables
|
||||
my $tc; # Path to tc
|
||||
my $ip; # Path to ip
|
||||
@@ -694,8 +692,6 @@ sub initialize( $ ) {
|
||||
CT_TARGET => undef,
|
||||
STATISTIC_MATCH => undef,
|
||||
IMQ_TARGET => undef,
|
||||
DSCP_MATCH => undef,
|
||||
DSCP_TARGET => undef,
|
||||
CAPVERSION => undef,
|
||||
KERNELVERSION => undef,
|
||||
);
|
||||
@@ -2782,15 +2778,7 @@ sub Statistic_Match() {
|
||||
}
|
||||
|
||||
sub Imq_Target() {
|
||||
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
|
||||
}
|
||||
|
||||
sub Dscp_Match() {
|
||||
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
|
||||
}
|
||||
|
||||
sub Dscp_Target() {
|
||||
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
|
||||
qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
|
||||
}
|
||||
|
||||
our %detect_capability =
|
||||
@@ -2806,8 +2794,6 @@ our %detect_capability =
|
||||
CONNMARK_MATCH => \&Connmark_Match,
|
||||
CONNTRACK_MATCH => \&Conntrack_Match,
|
||||
CT_TARGET => \&Ct_Target,
|
||||
DSCP_MATCH => \&Dscp_Match,
|
||||
DSCP_TARGET => \&Dscp_Target,
|
||||
ENHANCED_REJECT => \&Enhanced_Reject,
|
||||
EXMARK => \&Exmark,
|
||||
FLOW_FILTER => \&Flow_Filter,
|
||||
@@ -2955,6 +2941,11 @@ sub determine_capabilities() {
|
||||
$capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' );
|
||||
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
qt1( "$iptables -t mangle -F $sillyname" );
|
||||
qt1( "$iptables -t mangle -X $sillyname" );
|
||||
}
|
||||
|
||||
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
|
||||
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
|
||||
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
|
||||
@@ -2984,8 +2975,6 @@ sub determine_capabilities() {
|
||||
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
|
||||
$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
|
||||
$capabilities{IMQ_TARGET} = detect_capability( 'IMQ_TARGET' );
|
||||
$capabilities{DSCP_MATCH} = detect_capability( 'DSCP_MATCH' );
|
||||
$capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' );
|
||||
|
||||
|
||||
qt1( "$iptables -F $sillyname" );
|
||||
@@ -2993,16 +2982,6 @@ sub determine_capabilities() {
|
||||
qt1( "$iptables -F $sillyname1" );
|
||||
qt1( "$iptables -X $sillyname1" );
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
qt1( "$iptables -t mangle -F $sillyname" );
|
||||
qt1( "$iptables -t mangle -X $sillyname" );
|
||||
}
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
qt1( "$iptables -t nat -F $sillyname" );
|
||||
qt1( "$iptables -t nat -X $sillyname" );
|
||||
}
|
||||
|
||||
$sillyname = $sillyname1 = undef;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -216,8 +216,8 @@ sub setup_blacklist() {
|
||||
# for 'refresh' to work properly.
|
||||
#
|
||||
if ( @$zones || @$zones1 ) {
|
||||
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
|
||||
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
|
||||
$chainref = dont_delete new_standard_chain 'blacklst' if @$zones;
|
||||
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
|
||||
|
||||
if ( supplied $level ) {
|
||||
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
||||
@@ -695,9 +695,9 @@ sub add_common_rules ( $ ) {
|
||||
my $rejectref = $filter_table->{reject};
|
||||
|
||||
if ( $config{DYNAMIC_BLACKLIST} ) {
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level );
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
|
||||
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
|
||||
add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ), '' , 'DROP' , $level ;
|
||||
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
|
||||
$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
|
||||
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
|
||||
}
|
||||
|
||||
@@ -994,7 +994,7 @@ sub add_common_rules ( $ ) {
|
||||
if ( @$list ) {
|
||||
progress_message2 "$doing UPnP";
|
||||
|
||||
$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
|
||||
$chainref = dont_optimize new_nat_chain( 'UPnP' );
|
||||
|
||||
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
|
||||
|
||||
|
||||
@@ -54,8 +54,8 @@ sub initialize() {
|
||||
#
|
||||
sub process_one_masq( )
|
||||
{
|
||||
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
|
||||
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
|
||||
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) =
|
||||
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
|
||||
|
||||
if ( $interfacelist eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
@@ -117,9 +117,9 @@ sub process_one_masq( )
|
||||
}
|
||||
|
||||
#
|
||||
# Handle Protocol, Ports and Condition
|
||||
# Handle Protocol and Ports
|
||||
#
|
||||
$baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
|
||||
$baserule .= do_proto $proto, $ports, '';
|
||||
#
|
||||
# Handle Mark
|
||||
#
|
||||
|
||||
@@ -160,7 +160,9 @@ sub setup_route_marking() {
|
||||
|
||||
my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
|
||||
|
||||
set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
|
||||
dont_optimize $chainref2;
|
||||
dont_move $chainref2;
|
||||
dont_delete $chainref2;
|
||||
|
||||
add_ijump ( $chainref1,
|
||||
j => $chainref2 ,
|
||||
|
||||
@@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {
|
||||
|
||||
unless ( $targets{$action} & BUILTIN ) {
|
||||
|
||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
||||
dont_optimize $chainref;
|
||||
|
||||
my $file = find_file $chain;
|
||||
|
||||
@@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {
|
||||
|
||||
unless ( $targets{$action} & BUILTIN ) {
|
||||
|
||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
||||
dont_optimize $chainref;
|
||||
|
||||
my $file = find_file $action;
|
||||
|
||||
@@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
|
||||
}
|
||||
|
||||
sub forwardUPnP ( $$$$ ) {
|
||||
my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
|
||||
my $chainref = dont_optimize 'forwardUPnP';
|
||||
|
||||
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
|
||||
}
|
||||
@@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
}
|
||||
}
|
||||
|
||||
set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
|
||||
dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
|
||||
|
||||
expand_rule( $nonat_chain ,
|
||||
PREROUTE_RESTRICT ,
|
||||
@@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
$action = $usedactions{$normalized_target}{name};
|
||||
$loglevel = '';
|
||||
} else {
|
||||
set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
|
||||
dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
|
||||
}
|
||||
|
||||
if ( $origdest ) {
|
||||
|
||||
@@ -194,14 +194,14 @@ sub initialize( $ ) {
|
||||
}
|
||||
|
||||
sub process_tc_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
|
||||
if ( $family == F_IPV4 ) {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
|
||||
$headers = '-';
|
||||
} else {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
|
||||
}
|
||||
|
||||
our @tccmd;
|
||||
@@ -239,153 +239,6 @@ sub process_tc_rule( ) {
|
||||
my $device = '';
|
||||
my $fw = firewall_zone;
|
||||
my $list;
|
||||
my $restriction = 0;
|
||||
my $cmd;
|
||||
my $rest;
|
||||
|
||||
my %processtcc = ( sticky => sub() {
|
||||
if ( $chain eq 'tcout' ) {
|
||||
$target = 'sticko';
|
||||
} else {
|
||||
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||
}
|
||||
|
||||
$restriction = DESTIFACE_DISALLOW;
|
||||
|
||||
ensure_mangle_chain($target);
|
||||
|
||||
$sticky++;
|
||||
},
|
||||
IPMARK => sub() {
|
||||
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
|
||||
|
||||
require_capability 'IPMARK_TARGET', 'IPMARK', 's';
|
||||
|
||||
if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
|
||||
my $params = $1;
|
||||
my $val;
|
||||
|
||||
my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
|
||||
|
||||
fatal_error "Invalid IPMARK parameters ($params)" if $bad;
|
||||
fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
|
||||
$srcdst = $sd;
|
||||
|
||||
if ( supplied $m1 ) {
|
||||
$val = numeric_value ($m1);
|
||||
fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
|
||||
$mask1 = in_hex ( $val & 0xffffffff );
|
||||
}
|
||||
|
||||
if ( supplied $m2 ) {
|
||||
$val = numeric_value ($m2);
|
||||
fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
|
||||
$mask2 = in_hex ( $val & 0xffffffff );
|
||||
}
|
||||
|
||||
if ( defined $s ) {
|
||||
$val = numeric_value ($s);
|
||||
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
|
||||
$shift = $s;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
|
||||
}
|
||||
|
||||
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
||||
},
|
||||
TPROXY => sub() {
|
||||
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
|
||||
|
||||
$chain = 'tcpre';
|
||||
|
||||
$cmd =~ /TPROXY\((.+?)\)$/;
|
||||
|
||||
my $params = $1;
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
|
||||
|
||||
( $mark, my $port, my $ip, my $bad ) = split ',', $params;
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
|
||||
|
||||
if ( $port ) {
|
||||
$port = validate_port( 'tcp', $port );
|
||||
} else {
|
||||
$port = 0;
|
||||
}
|
||||
|
||||
$target .= " --on-port $port";
|
||||
|
||||
if ( supplied $ip ) {
|
||||
if ( $family == F_IPV6 ) {
|
||||
$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
|
||||
}
|
||||
|
||||
validate_address $ip, 1;
|
||||
$target .= " --on-ip $ip";
|
||||
}
|
||||
|
||||
$target .= ' --tproxy-mark';
|
||||
},
|
||||
TTL => sub() {
|
||||
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
|
||||
fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
|
||||
fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
|
||||
|
||||
$chain = 'tcfor';
|
||||
|
||||
$cmd =~ /^TTL\(([-+]?\d+)\)$/;
|
||||
|
||||
my $param = $1;
|
||||
|
||||
fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
|
||||
|
||||
if ( $1 =~ /^\+/ ) {
|
||||
$target .= " --ttl-inc $param";
|
||||
} elsif ( $1 =~ /\-/ ) {
|
||||
$target .= " --ttl-dec $param";
|
||||
} else {
|
||||
$target .= " --ttl-set $param";
|
||||
}
|
||||
},
|
||||
HL => sub() {
|
||||
fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
|
||||
fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
|
||||
fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
|
||||
|
||||
$chain = 'tcfor';
|
||||
|
||||
$cmd =~ /^HL\(([-+]?\d+)\)$/;
|
||||
|
||||
my $param = $1;
|
||||
|
||||
fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
|
||||
|
||||
if ( $1 =~ /^\+/ ) {
|
||||
$target .= " --hl-inc $param";
|
||||
} elsif ( $1 =~ /\-/ ) {
|
||||
$target .= " --hl-dec $param";
|
||||
} else {
|
||||
$target .= " --hl-set $param";
|
||||
}
|
||||
},
|
||||
IMQ => sub() {
|
||||
assert( $cmd =~ /^IMQ\((\d+)\)$/ );
|
||||
require_capability 'IMQ_TARGET', 'IMQ', 's';
|
||||
$target .= " --todev $1";
|
||||
},
|
||||
DSCP => sub() {
|
||||
assert( $cmd =~ /^DSCP\((\w+)\)$/ );
|
||||
require_capability 'DSCP_TARGET', 'The DSCP action', 's';
|
||||
my $dscp = numeric_value( $1);
|
||||
$dscp = $dscpmap{$1} unless defined $dscp;
|
||||
fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp < 0x2f && ! ( $dscp & 1 );
|
||||
$target .= ' --set-dscp ' . in_hex( $dscp );
|
||||
}
|
||||
);
|
||||
|
||||
if ( $source ) {
|
||||
if ( $source eq $fw ) {
|
||||
@@ -459,10 +312,12 @@ sub process_tc_rule( ) {
|
||||
}
|
||||
}
|
||||
|
||||
($cmd, $rest) = split( '/', $mark, 2 );
|
||||
my ($cmd, $rest) = split( '/', $mark, 2 );
|
||||
|
||||
$list = '';
|
||||
|
||||
my $restriction = 0;
|
||||
|
||||
unless ( $classid ) {
|
||||
MARK:
|
||||
{
|
||||
@@ -481,8 +336,134 @@ sub process_tc_rule( ) {
|
||||
$mark =~ s/^[|&]//;
|
||||
}
|
||||
|
||||
if ( my $f = $processtcc{$target} ) {
|
||||
$f->();
|
||||
if ( $target eq 'sticky' ) {
|
||||
if ( $chain eq 'tcout' ) {
|
||||
$target = 'sticko';
|
||||
} else {
|
||||
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||
}
|
||||
|
||||
$restriction = DESTIFACE_DISALLOW;
|
||||
|
||||
ensure_mangle_chain($target);
|
||||
|
||||
$sticky++;
|
||||
} elsif ( $target eq 'IPMARK' ) {
|
||||
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
|
||||
|
||||
require_capability 'IPMARK_TARGET', 'IPMARK', 's';
|
||||
|
||||
if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
|
||||
my $params = $1;
|
||||
my $val;
|
||||
|
||||
my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
|
||||
|
||||
fatal_error "Invalid IPMARK parameters ($params)" if $bad;
|
||||
fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
|
||||
$srcdst = $sd;
|
||||
|
||||
if ( supplied $m1 ) {
|
||||
$val = numeric_value ($m1);
|
||||
fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
|
||||
$mask1 = in_hex ( $val & 0xffffffff );
|
||||
}
|
||||
|
||||
if ( supplied $m2 ) {
|
||||
$val = numeric_value ($m2);
|
||||
fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
|
||||
$mask2 = in_hex ( $val & 0xffffffff );
|
||||
}
|
||||
|
||||
if ( defined $s ) {
|
||||
$val = numeric_value ($s);
|
||||
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
|
||||
$shift = $s;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
|
||||
}
|
||||
|
||||
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
||||
} elsif ( $target eq 'TPROXY' ) {
|
||||
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
|
||||
|
||||
$chain = 'tcpre';
|
||||
|
||||
$cmd =~ /TPROXY\((.+?)\)$/;
|
||||
|
||||
my $params = $1;
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
|
||||
|
||||
( $mark, my $port, my $ip, my $bad ) = split ',', $params;
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
|
||||
|
||||
if ( $port ) {
|
||||
$port = validate_port( 'tcp', $port );
|
||||
} else {
|
||||
$port = 0;
|
||||
}
|
||||
|
||||
$target .= " --on-port $port";
|
||||
|
||||
if ( supplied $ip ) {
|
||||
if ( $family == F_IPV6 ) {
|
||||
$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
|
||||
}
|
||||
|
||||
validate_address $ip, 1;
|
||||
$target .= " --on-ip $ip";
|
||||
}
|
||||
|
||||
$target .= ' --tproxy-mark';
|
||||
} elsif ( $target eq 'TTL' ) {
|
||||
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
|
||||
fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
|
||||
fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
|
||||
|
||||
$chain = 'tcfor';
|
||||
|
||||
$cmd =~ /^TTL\(([-+]?\d+)\)$/;
|
||||
|
||||
my $param = $1;
|
||||
|
||||
fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
|
||||
|
||||
if ( $1 =~ /^\+/ ) {
|
||||
$target .= " --ttl-inc $param";
|
||||
} elsif ( $1 =~ /\-/ ) {
|
||||
$target .= " --ttl-dec $param";
|
||||
} else {
|
||||
$target .= " --ttl-set $param";
|
||||
}
|
||||
} elsif ( $target eq 'HL' ) {
|
||||
fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
|
||||
fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
|
||||
fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
|
||||
|
||||
$chain = 'tcfor';
|
||||
|
||||
$cmd =~ /^HL\(([-+]?\d+)\)$/;
|
||||
|
||||
my $param = $1;
|
||||
|
||||
fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
|
||||
|
||||
if ( $1 =~ /^\+/ ) {
|
||||
$target .= " --hl-inc $param";
|
||||
} elsif ( $1 =~ /\-/ ) {
|
||||
$target .= " --hl-dec $param";
|
||||
} else {
|
||||
$target .= " --hl-set $param";
|
||||
}
|
||||
} elsif ( $target eq 'IMQ' ) {
|
||||
assert( $cmd =~ /^IMQ\((\d+)\)$/ );
|
||||
require_capability 'IMQ_TARGET', 'IMQ', 's';
|
||||
$target .= " --todev $1";
|
||||
}
|
||||
|
||||
if ( $rest ) {
|
||||
@@ -529,8 +510,7 @@ sub process_tc_rule( ) {
|
||||
do_connbytes( $connbytes ) .
|
||||
do_helper( $helper ) .
|
||||
do_headers( $headers ) .
|
||||
do_probability( $probability ) .
|
||||
do_dscp( $dscp ),
|
||||
do_probability( $probability ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
@@ -875,7 +855,7 @@ sub validate_tc_device( ) {
|
||||
pfifo => $pfifo,
|
||||
tablenumber => 1 ,
|
||||
redirected => \@redirected,
|
||||
default => undef,
|
||||
default => 0,
|
||||
nextclass => 2,
|
||||
qdisc => $qdisc,
|
||||
guarantee => 0,
|
||||
@@ -1018,7 +998,6 @@ sub validate_tc_class( ) {
|
||||
}
|
||||
} else {
|
||||
fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
|
||||
$markval = '-';
|
||||
}
|
||||
|
||||
if ( $parentclass != 1 ) {
|
||||
@@ -1135,10 +1114,8 @@ sub validate_tc_class( ) {
|
||||
}
|
||||
|
||||
unless ( $devref->{classify} || $occurs > 1 ) {
|
||||
if ( $mark ne '-' ) {
|
||||
fatal_error "Missing MARK" if $mark eq '-';
|
||||
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/;
|
||||
}
|
||||
fatal_error "Missing MARK" if $mark eq '-';
|
||||
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/;
|
||||
}
|
||||
|
||||
$tcref->{flow} = $devref->{flow} unless $tcref->{flow};
|
||||
@@ -1619,7 +1596,7 @@ sub process_traffic_shaping() {
|
||||
my $devnum = in_hexp $devref->{number};
|
||||
my $r2q = int calculate_r2q $devref->{out_bandwidth};
|
||||
|
||||
fatal_error "No default class defined for device $devname" unless defined $devref->{default};
|
||||
fatal_error "No default class defined for device $devname" unless $devref->{default};
|
||||
|
||||
my $device = physical_name $devname;
|
||||
|
||||
@@ -1731,7 +1708,7 @@ sub process_traffic_shaping() {
|
||||
#
|
||||
# add filters
|
||||
#
|
||||
unless ( $mark eq '-' ) {
|
||||
unless ( $devref->{classify} ) {
|
||||
emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
|
||||
}
|
||||
|
||||
@@ -2011,12 +1988,6 @@ sub setup_tc() {
|
||||
mask => '',
|
||||
connmark => 0
|
||||
},
|
||||
{ match => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
|
||||
target => 'DSCP',
|
||||
mark => NOMARK,
|
||||
mask => '',
|
||||
connmark => 0
|
||||
},
|
||||
);
|
||||
|
||||
if ( my $fn = open_file 'tcrules' ) {
|
||||
|
||||
@@ -227,25 +227,6 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
|
||||
|
||||
my %validhostoptions;
|
||||
|
||||
my %validzoneoptions = ( mss => NUMERIC,
|
||||
nomark => NOTHING,
|
||||
blacklist => NOTHING,
|
||||
strict => NOTHING,
|
||||
next => NOTHING,
|
||||
reqid => NUMERIC,
|
||||
spi => NUMERIC,
|
||||
proto => IPSECPROTO,
|
||||
mode => IPSECMODE,
|
||||
"tunnel-src" => NETWORK,
|
||||
"tunnel-dst" => NETWORK,
|
||||
);
|
||||
|
||||
use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
|
||||
#
|
||||
# Hash of options that have their own key in the returned hash.
|
||||
#
|
||||
my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
# we initialize them in a function. This is done for two reasons:
|
||||
@@ -348,6 +329,25 @@ sub initialize( $$ ) {
|
||||
#
|
||||
sub parse_zone_option_list($$\$$)
|
||||
{
|
||||
my %validoptions = ( mss => NUMERIC,
|
||||
nomark => NOTHING,
|
||||
blacklist => NOTHING,
|
||||
strict => NOTHING,
|
||||
next => NOTHING,
|
||||
reqid => NUMERIC,
|
||||
spi => NUMERIC,
|
||||
proto => IPSECPROTO,
|
||||
mode => IPSECMODE,
|
||||
"tunnel-src" => NETWORK,
|
||||
"tunnel-dst" => NETWORK,
|
||||
);
|
||||
|
||||
use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
|
||||
#
|
||||
# Hash of options that have their own key in the returned hash.
|
||||
#
|
||||
my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
|
||||
|
||||
my ( $list, $zonetype, $complexref, $column ) = @_;
|
||||
my %h;
|
||||
my $options = '';
|
||||
@@ -367,7 +367,7 @@ sub parse_zone_option_list($$\$$)
|
||||
$e = $1;
|
||||
}
|
||||
|
||||
$fmt = $validzoneoptions{$e};
|
||||
$fmt = $validoptions{$e};
|
||||
|
||||
fatal_error "Invalid Option ($e)" unless $fmt;
|
||||
|
||||
@@ -378,7 +378,7 @@ sub parse_zone_option_list($$\$$)
|
||||
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
|
||||
}
|
||||
|
||||
my $key = $zonekey{$e};
|
||||
my $key = $key{$e};
|
||||
|
||||
if ( $key ) {
|
||||
fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
|
||||
@@ -403,7 +403,7 @@ sub parse_zone_option_list($$\$$)
|
||||
#
|
||||
# Set the super option on the passed zoneref and propagate to its parents
|
||||
#
|
||||
sub set_super( $ ); #required for recursion
|
||||
sub set_super( $ );
|
||||
|
||||
sub set_super( $ ) {
|
||||
my $zoneref = shift;
|
||||
@@ -769,13 +769,13 @@ sub add_group_to_zone($$$$$)
|
||||
|
||||
my $gtype = $type & IPSEC ? 'ipsec' : 'ip';
|
||||
|
||||
$hostsref = ( $zoneref->{hosts} ||= {} );
|
||||
$typeref = ( $hostsref->{$gtype} ||= {} );
|
||||
$interfaceref = ( $typeref->{$interface} ||= [] );
|
||||
$hostsref = ( $zoneref->{hosts} || ( $zoneref->{hosts} = {} ) );
|
||||
$typeref = ( $hostsref->{$gtype} || ( $hostsref->{$gtype} = {} ) );
|
||||
$interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) );
|
||||
|
||||
fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
|
||||
|
||||
$zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
|
||||
$zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
|
||||
|
||||
push @{$interfaceref}, { options => $options,
|
||||
hosts => \@newnetworks,
|
||||
@@ -912,27 +912,10 @@ sub process_interface( $$ ) {
|
||||
my ( $nextinum, $export ) = @_;
|
||||
my $netsref = '';
|
||||
my $filterref = [];
|
||||
my ($zone, $originalinterface, $bcasts, $options );
|
||||
my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
|
||||
my $zoneref;
|
||||
my $bridge = '';
|
||||
our $format;
|
||||
|
||||
if ( $format == 1 ) {
|
||||
($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
|
||||
} else {
|
||||
($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
|
||||
$bcasts = '-';
|
||||
}
|
||||
|
||||
if ( $zone eq 'FORMAT' ) {
|
||||
if ( $originalinterface =~ /^([12])$/ ) {
|
||||
$format = $1;
|
||||
return;
|
||||
}
|
||||
|
||||
fatal_error "Invalid FORMAT ($1)";
|
||||
}
|
||||
|
||||
if ( $zone eq '-' ) {
|
||||
$zone = '';
|
||||
} else {
|
||||
@@ -1202,8 +1185,7 @@ sub process_interface( $$ ) {
|
||||
# Parse the interfaces file.
|
||||
#
|
||||
sub validate_interfaces_file( $ ) {
|
||||
my $export = shift;
|
||||
our $format = 1;
|
||||
my $export = shift;
|
||||
|
||||
my @ifaces;
|
||||
my $nextinum = 1;
|
||||
@@ -1933,6 +1915,7 @@ sub validate_hosts_file()
|
||||
$have_ipsec = $ipsec || haveipseczones;
|
||||
|
||||
$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
@@ -49,7 +49,7 @@ my $target = require_audit ( $action , $audit );
|
||||
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
|
||||
|
||||
allow_optimize( $chainref );
|
||||
$chainref->{dont_optimize} = 0;
|
||||
|
||||
1;
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ my $target = require_audit ( $action , $audit );
|
||||
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
||||
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
|
||||
|
||||
allow_optimize( $chainref );
|
||||
$chainref->{dont_optimize} = 0;
|
||||
|
||||
1;
|
||||
|
||||
|
||||
@@ -7,8 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
FORMAT 1
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
|
||||
FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
||||
@@ -6,6 +6,6 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-masq.html
|
||||
#
|
||||
######################################################################################################
|
||||
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH
|
||||
#############################################################################################
|
||||
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
|
||||
# GROUP
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
##########################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
######################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY
|
||||
# PORT(S) PORT(S)
|
||||
|
||||
|
||||
@@ -78,13 +78,13 @@ shift
|
||||
|
||||
case "$command" in
|
||||
start)
|
||||
exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||
exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
|
||||
;;
|
||||
restart|reload)
|
||||
exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
|
||||
exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
|
||||
;;
|
||||
status|stop)
|
||||
exec /sbin/shorewall $OPTIONS $command
|
||||
exec /sbin/shorewall $OPTIONS $command $@
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
|
||||
@@ -105,15 +105,26 @@ fi
|
||||
#
|
||||
# Parse the run line
|
||||
#
|
||||
# DEST is the SysVInit script directory
|
||||
# INIT is the name of the script in the $DEST directory
|
||||
#
|
||||
T="-T"
|
||||
|
||||
if [ -z "$DEST" ] ; then
|
||||
DEST="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -z "$INIT" ] ; then
|
||||
INIT="$PRODUCT"
|
||||
fi
|
||||
|
||||
ANNOTATED=
|
||||
CYGWIN=
|
||||
MAC=
|
||||
MACHOST=
|
||||
MANDIR=${MANDIR:-"/usr/share/man"}
|
||||
SPARSE=
|
||||
INSTALLD='-D'
|
||||
INITFILE="$PRODUCT"
|
||||
|
||||
[ -n "${LIBEXEC:=/usr/share}" ]
|
||||
[ -n "${PERLLIB:=/usr/share/shorewall}" ]
|
||||
|
||||
@@ -121,8 +132,7 @@ case "$LIBEXEC" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The LIBEXEC setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
LIBEXEC=/usr/${LIBEXEC}
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -130,45 +140,33 @@ case "$PERLLIB" in
|
||||
/*)
|
||||
;;
|
||||
*)
|
||||
echo "The PERLLIB setting must be an absolute path name" >&2
|
||||
exit 1
|
||||
PERLLIB=/usr/${PERLLIB}
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$BUILD" ]; then
|
||||
case $(uname) in
|
||||
cygwin*)
|
||||
BUILD=cygwin
|
||||
;;
|
||||
Darwin)
|
||||
BUILD=apple
|
||||
;;
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
BUILD=debian
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
BUILD=redhat
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
BUILD=slackware
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
BUILD=suse
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
BUILD=archlinux
|
||||
else
|
||||
BUILD=linux
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
case $(uname) in
|
||||
CYGWIN*)
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
fi
|
||||
|
||||
case $BUILD in
|
||||
cygwin*)
|
||||
OWNER=$(id -un)
|
||||
GROUP=$(id -gn)
|
||||
CYGWIN=Yes
|
||||
SPARSE=Yes
|
||||
;;
|
||||
apple)
|
||||
Darwin)
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
SPARSE=Yes
|
||||
fi
|
||||
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=wheel
|
||||
MAC=Yes
|
||||
MACHOST=Yes
|
||||
INSTALLD=
|
||||
T=
|
||||
;;
|
||||
@@ -231,64 +229,8 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
|
||||
if [ $PRODUCT = shorewall ]; then
|
||||
#
|
||||
# Verify that Perl is installed
|
||||
#
|
||||
if ! perl -c Perl/compiler.pl; then
|
||||
echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
|
||||
echo " Try perl -c $PWD/Perl/compiler.pl" >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$HOST" ] || HOST=$BUILD
|
||||
|
||||
case "$HOST" in
|
||||
cygwin)
|
||||
echo "Installing Cygwin-specific configuration..."
|
||||
INITFILE=
|
||||
;;
|
||||
apple)
|
||||
echo "Installing Mac-specific configuration...";
|
||||
INITFILE=
|
||||
;;
|
||||
debian)
|
||||
echo "Installing Debian-specific configuration..."
|
||||
SPARSE=yes
|
||||
;;
|
||||
redhat)
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR="/etc/rc.d/init.d"
|
||||
;;
|
||||
suse)
|
||||
echo "Installing SuSE-specific configuration...";
|
||||
;;
|
||||
slackware)
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR="/etc/rc.d"
|
||||
[ -n "$MANDIR" ] || MANDIR="/usr/man"
|
||||
[ -n "$INITFILE" ] || INITFILE="rc.firewall"
|
||||
;;
|
||||
archlinux)
|
||||
echo "Installing ArchLinux-specific configuration..."
|
||||
[ -n "$INITDIR" ] || INITDIR="/etc/rc.d"
|
||||
[ -n "$INITFILE" ] || INITFILE="$PRODUCT"
|
||||
;;
|
||||
linux)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unknown HOST \"$HOST\"" >&2
|
||||
exit 1;
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
|
||||
INITDIR="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
if [ $BUILD != cygwin ]; then
|
||||
if [ -z "$CYGWIN" ]; then
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
@@ -296,10 +238,50 @@ if [ -n "$DESTDIR" ]; then
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
|
||||
CYGWIN=
|
||||
MAC=
|
||||
else
|
||||
[ -x /usr/share/shorewall/compiler.pl ] || \
|
||||
{ echo " ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
|
||||
if [ $PRODUCT = shorewall ]; then
|
||||
#
|
||||
# Verify that Perl is installed
|
||||
#
|
||||
if ! perl -c Perl/compiler.pl; then
|
||||
echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
|
||||
echo " Try perl -c $PWD/Perl/compiler.pl" >&2
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
[ -x /usr/share/shorewall/compiler.pl ] || \
|
||||
{ echo " ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
|
||||
fi
|
||||
|
||||
if [ -n "$CYGWIN" ]; then
|
||||
echo "Installing Cygwin-specific configuration..."
|
||||
elif [ -n "$MAC" ]; then
|
||||
echo "Installing Mac-specific configuration..."
|
||||
else
|
||||
if [ -f /etc/debian_version ]; then
|
||||
echo "Installing Debian-specific configuration..."
|
||||
DEBIAN=yes
|
||||
SPARSE=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
MANDIR="/usr/man"
|
||||
SLACKWARE=yes
|
||||
INIT="rc.firewall"
|
||||
elif [ -f /etc/arch-release ] ; then
|
||||
echo "Installing ArchLinux-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
INIT="$PRODUCT"
|
||||
ARCHLINUX=yes
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
@@ -326,7 +308,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f /usr/share/$PRODUCT/corever
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $HOST != cygwin ]; then
|
||||
if [ -z "$CYGWIN" ]; then
|
||||
install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0755
|
||||
echo "$PRODUCT control program installed in ${DESTDIR}/sbin/$PRODUCT"
|
||||
else
|
||||
@@ -337,27 +319,20 @@ fi
|
||||
#
|
||||
# Install the Firewall Script
|
||||
#
|
||||
case $HOST in
|
||||
debian)
|
||||
install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
redhat)
|
||||
install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
|
||||
;;
|
||||
slackware)
|
||||
if [ $PRODUCT = shorewall ]; then
|
||||
install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
|
||||
install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$INITFILE" ]; then
|
||||
install_file init.sh ${DESTDIR}${INITDIR}/$INITFILE 0544
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
elif [ -n "$SLACKWARE" -a $PRODUCT = shorewall ]; then
|
||||
install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
|
||||
install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
|
||||
elif [ -n "$INIT" ]; then
|
||||
install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
fi
|
||||
|
||||
[ -n "$INITFILE" ] && echo "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
|
||||
[ -n "$INIT" ] && echo "$Product script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
|
||||
#
|
||||
# Create /etc/$PRODUCT and /var/lib/$PRODUCT if needed
|
||||
@@ -452,7 +427,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}/usr/share/$PRO
|
||||
if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
|
||||
run_install $OWNERSHIP -m 0644 $PRODUCT.conf${suffix} ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
|
||||
|
||||
if [ $HOST = debian ] && mywhich perl; then
|
||||
if [ -n "$DEBIAN" ] && mywhich perl; then
|
||||
#
|
||||
# Make a Debian-like $PRODUCT.conf
|
||||
#
|
||||
@@ -463,7 +438,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
|
||||
fi
|
||||
|
||||
|
||||
if [ $HOST = archlinux ] ; then
|
||||
if [ -n "$ARCHLINUX" ] ; then
|
||||
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
|
||||
fi
|
||||
|
||||
@@ -607,7 +582,7 @@ run_install $OWNERSHIP -m 0644 maclist.annotated ${DESTDIR}/usr/share/$PRODUCT/c
|
||||
|
||||
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/$PRODUCT/maclist ]; then
|
||||
run_install $OWNERSHIP -m 0600 maclist${suffix} ${DESTDIR}/etc/$PRODUCT/maclist
|
||||
echo "mac list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
|
||||
echo "MAC list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
|
||||
fi
|
||||
|
||||
if [ -f masq ]; then
|
||||
@@ -1073,7 +1048,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
rm -f /usr/share/$PRODUCT/init
|
||||
ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
|
||||
ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
|
||||
fi
|
||||
|
||||
#
|
||||
@@ -1105,8 +1080,8 @@ if [ -d ${DESTDIR}/etc/logrotate.d ]; then
|
||||
echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
|
||||
|
||||
update-rc.d $PRODUCT defaults
|
||||
@@ -1142,7 +1117,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ "$INITFILE" != rc.f ]; then #Slackware starts this automatically
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -35,8 +35,8 @@
|
||||
<para>If you have more than one ISP link, adding entries to this file
|
||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||
through a particular link. You must use entries in <ulink
|
||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||
entries in <ulink
|
||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
|
||||
PREROUTING entries in <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
|
||||
that.</para>
|
||||
</warning>
|
||||
@@ -88,8 +88,7 @@
|
||||
addresses to indicate that you only want to change the source IP
|
||||
address for packets being sent to those particular destinations.
|
||||
Exclusion is allowed (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||
are ipset names preceded by a plus sign '+';</para>
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
||||
entry then include the ":" but omit the digit:</para>
|
||||
@@ -150,10 +149,6 @@
|
||||
|
||||
<para>In that example traffic from eth1 would be masqueraded unless
|
||||
it came from 192.168.1.4 or 196.168.32.0/27</para>
|
||||
|
||||
<para>The preferred way to specify the SOURCE is to supply one or
|
||||
more host or network addresses separated by comma. You may use ipset
|
||||
names preceded by a plus sign (+) to specify a set of hosts.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -472,43 +467,6 @@
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SWITCH -
|
||||
[!]<replaceable>switch-name</replaceable></emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.1 and allows enabling and disabling the
|
||||
rule without requiring <command>shorewall restart</command>.</para>
|
||||
|
||||
<para>The rule is enabled if the value stored in
|
||||
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
|
||||
is 1. The rule is disabled if that file contains 0 (the default). If
|
||||
'!' is supplied, the test is inverted such that the rule is enabled
|
||||
if the file contains 0. <replaceable>switch-name</replaceable> must
|
||||
begin with a letter and be composed of letters, decimal digits,
|
||||
underscores or hyphens. Switch names must be 30 characters or less
|
||||
in length.</para>
|
||||
|
||||
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
|
||||
turn a switch <emphasis role="bold">on</emphasis>:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><command>echo 1 >
|
||||
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
|
||||
</simplelist>
|
||||
|
||||
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><command>echo 0 >
|
||||
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
|
||||
</simplelist>
|
||||
|
||||
<para>Switch settings are retained over <command>shorewall
|
||||
restart</command>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
@@ -590,19 +548,6 @@
|
||||
</warning>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 6:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Connections leaving on eth0 and destined to any host defined
|
||||
in the ipset <emphasis>myset</emphasis> should have the source IP
|
||||
address changed to 206.124.146.177.</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS
|
||||
eth0:+myset[dst] - 206.124.146.177</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -468,41 +468,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
<replaceable>number</replaceable>. Requires IMQ Target support
|
||||
in your kernel and iptables.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.1. Sets the
|
||||
<firstterm>Differentiated Services Code Point</firstterm> field
|
||||
in the IP header. The <replaceable>dscp</replaceable> value may
|
||||
be given as an even number (hex or decimal) or as the name of a
|
||||
DSCP class. Valid class names and their associated hex numeric
|
||||
values are:</para>
|
||||
|
||||
<programlisting> CS0 => 0x00
|
||||
CS1 => 0x08
|
||||
CS2 => 0x10
|
||||
CS3 => 0x18
|
||||
CS4 => 0x20
|
||||
CS5 => 0x28
|
||||
CS6 => 0x30
|
||||
CS7 => 0x38
|
||||
BE => 0x00
|
||||
AF11 => 0x0a
|
||||
AF12 => 0x0c
|
||||
AF13 => 0x0e
|
||||
AF21 => 0x12
|
||||
AF22 => 0x14
|
||||
AF23 => 0x16
|
||||
AF31 => 0x1a
|
||||
AF32 => 0x1c
|
||||
AF33 => 0x1e
|
||||
AF41 => 0x22
|
||||
AF42 => 0x24
|
||||
AF43 => 0x26
|
||||
EF => 0x2e</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -875,7 +840,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROBABILITY</emphasis> -
|
||||
[<replaceable>probability</replaceable>]</term>
|
||||
[probability]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.0. When non-empty, requires the
|
||||
@@ -887,44 +852,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
at up to 8 decimal points of precision.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DSCP -</emphasis>
|
||||
[[!]<replaceable>dscp</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.1. When non-empty, match packets whose
|
||||
<firstterm>Differentiated Service Code Point</firstterm> field
|
||||
matches the supplied value (when '!' is given, the rule matches
|
||||
packets whose DSCP field does not match the supplied value). The
|
||||
<replaceable>dscp</replaceable> value may be given as an even number
|
||||
(hex or decimal) or as the name of a DSCP class. Valid class names
|
||||
and their associated hex numeric values are:</para>
|
||||
|
||||
<programlisting> CS0 => 0x00
|
||||
CS1 => 0x08
|
||||
CS2 => 0x10
|
||||
CS3 => 0x18
|
||||
CS4 => 0x20
|
||||
CS5 => 0x28
|
||||
CS6 => 0x30
|
||||
CS7 => 0x38
|
||||
BE => 0x00
|
||||
AF11 => 0x0a
|
||||
AF12 => 0x0c
|
||||
AF13 => 0x0e
|
||||
AF21 => 0x12
|
||||
AF22 => 0x14
|
||||
AF23 => 0x16
|
||||
AF31 => 0x1a
|
||||
AF32 => 0x1c
|
||||
AF33 => 0x1e
|
||||
AF41 => 0x22
|
||||
AF42 => 0x24
|
||||
AF43 => 0x26
|
||||
EF => 0x2e</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -112,7 +112,7 @@ rm -rf /etc/shorewall
|
||||
rm -rf /etc/shorewall-*.bkout
|
||||
rm -rf /var/lib/shorewall
|
||||
rm -rf /var/lib/shorewall-*.bkout
|
||||
rm -rf ${PERLLIB}/Shorewall/*
|
||||
rm -rf $PERLLIB}/Shorewall/*
|
||||
rm -rf ${LIBEXEC}/shorewall
|
||||
rm -rf /usr/share/shorewall/configfiles/
|
||||
rm -rf /usr/share/shorewall/Samples/
|
||||
|
||||
@@ -76,10 +76,10 @@ command="$1"
|
||||
|
||||
case "$command" in
|
||||
start)
|
||||
exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
|
||||
exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS $@
|
||||
;;
|
||||
restart|reload)
|
||||
exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
|
||||
exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS $@
|
||||
;;
|
||||
status|stop)
|
||||
exec /sbin/shorewall6-lite $OPTIONS $command $@
|
||||
|
||||
@@ -7,8 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
FORMAT 1
|
||||
#ZONE INTERFACE ANYCAST OPTIONS
|
||||
|
||||
FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
||||
@@ -9,6 +9,6 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
###################################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
##############################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY
|
||||
# PORT(S) PORT(S)
|
||||
|
||||
@@ -77,10 +77,10 @@ command="$1"
|
||||
|
||||
case "$command" in
|
||||
start)
|
||||
exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
|
||||
exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS $@
|
||||
;;
|
||||
restart|reload)
|
||||
exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS
|
||||
exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS $@
|
||||
;;
|
||||
status|stop)
|
||||
exec /sbin/shorewall6 $OPTIONS $command $@
|
||||
|
||||
@@ -365,41 +365,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
<replaceable>number</replaceable>. Requires IMQ Target support
|
||||
in your kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.1. Sets the
|
||||
<firstterm>Differentiated Services Code Point</firstterm> field
|
||||
in the IP header. The <replaceable>dscp</replaceable> value may
|
||||
be given as an even number (hex or decimal) or as the name of a
|
||||
DSCP class. Valid class names and their associated hex numeric
|
||||
values are:</para>
|
||||
|
||||
<programlisting> CS0 => 0x00
|
||||
CS1 => 0x08
|
||||
CS2 => 0x10
|
||||
CS3 => 0x18
|
||||
CS4 => 0x20
|
||||
CS5 => 0x28
|
||||
CS6 => 0x30
|
||||
CS7 => 0x38
|
||||
BE => 0x00
|
||||
AF11 => 0x0a
|
||||
AF12 => 0x0c
|
||||
AF13 => 0x0e
|
||||
AF21 => 0x12
|
||||
AF22 => 0x14
|
||||
AF23 => 0x16
|
||||
AF31 => 0x1a
|
||||
AF32 => 0x1c
|
||||
AF33 => 0x1e
|
||||
AF41 => 0x22
|
||||
AF42 => 0x24
|
||||
AF43 => 0x26
|
||||
EF => 0x2e</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -106,7 +106,7 @@
|
||||
|
||||
<para>The <filename>/sbin/shorewall</filename> shell program is used to
|
||||
interact with Shorewall. See <ulink
|
||||
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
|
||||
url="manpages/shorewall.html">shorewall</ulink>(8). </para>
|
||||
</section>
|
||||
|
||||
<section id="share-shorewall">
|
||||
|
||||
@@ -223,8 +223,8 @@
|
||||
|
||||
<entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
|
||||
|
||||
<entry><ulink url="upgrade_issues.htm">Upgrade
|
||||
Issues</ulink></entry>
|
||||
<entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
|
||||
(Upgrading Debian Lenny to Squeeze)</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -234,8 +234,7 @@
|
||||
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
|
||||
Shorewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
|
||||
(Upgrading Debian Lenny to Squeeze)</ulink></entry>
|
||||
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -246,7 +245,7 @@
|
||||
<entry><ulink url="PacketMarking.html">Packet
|
||||
Marking</ulink></entry>
|
||||
|
||||
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
|
||||
<entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -256,7 +255,8 @@
|
||||
<entry><ulink url="PacketHandling.html">Packet Processing in a
|
||||
Shorewall-based Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
|
||||
<entry><ulink url="blacklisting_support.htm#whitelisting">White
|
||||
List Creation</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -264,8 +264,8 @@
|
||||
|
||||
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
|
||||
|
||||
<entry><ulink url="blacklisting_support.htm#whitelisting">White
|
||||
List Creation</ulink></entry>
|
||||
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
|
||||
DomU</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -275,8 +275,8 @@
|
||||
<entry><ulink url="two-interface.htm#DNAT">Port
|
||||
Forwarding</ulink></entry>
|
||||
|
||||
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
|
||||
DomU</ulink></entry>
|
||||
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
|
||||
Xen Dom0</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -285,8 +285,7 @@
|
||||
|
||||
<entry><ulink url="ports.htm">Port Information</ulink></entry>
|
||||
|
||||
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
|
||||
Xen Dom0</ulink></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
||||
343
docs/Install.xml
343
docs/Install.xml
@@ -24,8 +24,6 @@
|
||||
|
||||
<year>2009</year>
|
||||
|
||||
<year>2012</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -137,31 +135,11 @@
|
||||
<section id="Install_Tarball">
|
||||
<title>Install using tarball</title>
|
||||
|
||||
<para>Beginning with Shorewall-4.5.0, the Shorewall packages depend on
|
||||
Shorewall-core. So the first step is to install that package:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Type:</para>
|
||||
|
||||
<programlisting><command>./install.sh </command></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>To install Shorewall using the tarball and install script:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
|
||||
<para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -263,9 +241,6 @@
|
||||
<para>Beginning with Shorewall 4.4.20, you can specify an absolute
|
||||
path name for LIBEXEC, in which case the listed executables will
|
||||
be installed in ${LIBEXEC}/shorewall*.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.1, you must specify an absolute
|
||||
pathname for LIBEXEC.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -283,302 +258,10 @@
|
||||
<para>Beginning with Shorewall 4.4.20, you can specify an absolute
|
||||
path name for PERLLIB, in which case the Shorewall Perl modules
|
||||
will be installed in ${PERLLIB}/Shorewall/.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.1, you must specify an absolute
|
||||
pathname for PERLLIB.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Default Install Locations</title>
|
||||
|
||||
<para>The default install locations are distribution dependent as shown
|
||||
in the following sections. These are the locations that are chosen by
|
||||
the install.sh scripts.</para>
|
||||
|
||||
<section>
|
||||
<title>All Distributions</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>man pages</entry>
|
||||
|
||||
<entry>/usr/share/man/ (may ve overridden using
|
||||
MANDIR)</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Shorewall Perl Modules</entry>
|
||||
|
||||
<entry>/usr/share/shorewall/ (may be overridden using
|
||||
PERLLIB)</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Executable helper scripts (compiler.pl, getparams,
|
||||
wait4ifup)</entry>
|
||||
|
||||
<entry>/usr/share/shorewall/ (may be overridden using
|
||||
LIBEXEC)</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown.sh (from Shorewall-init)</entry>
|
||||
|
||||
<entry>/usr/share/shorewall-init/ (may be overridden using
|
||||
LIBEXEC)</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Debian</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CLI programs</entry>
|
||||
|
||||
<entry>/sbin/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Distribution-specific configuration file</entry>
|
||||
|
||||
<entry>/etc/default/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Init Scripts</entry>
|
||||
|
||||
<entry>/etc/init.d/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/etc/network/if-up.d/shorewall,
|
||||
/etc/network/if-post-down.d/shorewall</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ppp ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/etc/ppp/ip-up.d/shorewall,
|
||||
/etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
|
||||
/etc/ppp/ipv6-down.d/shorewall</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Redhat and Derivatives</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CLI programs</entry>
|
||||
|
||||
<entry>/sbin/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Distribution-specific configuration file</entry>
|
||||
|
||||
<entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Init Scripts</entry>
|
||||
|
||||
<entry>/etc/rc.d/init.d/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/sbin/ifup-local, /sbin/ifdown-local</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ppp ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/etc/ppp/ip-up.local, /etc/ppp/ip-down.local</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>SuSE</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CLI programs</entry>
|
||||
|
||||
<entry>/sbin/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Distribution-specific configuration file</entry>
|
||||
|
||||
<entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Init Scripts</entry>
|
||||
|
||||
<entry>/etc/init.d/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/etc/sysconfig/network/if-up.d/shorewall,
|
||||
/etc/sysconfig/network/if-down.d/shorewall</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ppp ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>/etc/ppp/ip-up.d/shorewall,
|
||||
/etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
|
||||
/etc/ppp/ipv6-down.d/shorewall</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Cygwin</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CLI programs</entry>
|
||||
|
||||
<entry>/bin/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Distribution-specific configuration file</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Init Scripts</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ppp ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>OS X</title>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">COMPONENT</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">LOCATION</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>CLI programs</entry>
|
||||
|
||||
<entry>/sbin/<replaceable>product</replaceable></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Distribution-specific configuration file</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Init Scripts</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ppp ifupdown scripts from Shorewall-init</entry>
|
||||
|
||||
<entry>N/A</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Debian">
|
||||
@@ -723,37 +406,17 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
|
||||
issues</ulink> for specific instructions.</para>
|
||||
</important></para>
|
||||
|
||||
<para>If you are upgrading to version 4.5.0 or later, you must first
|
||||
install or upgrade the Shorewall-core package:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Type:</para>
|
||||
|
||||
<programlisting><command>./install.sh </command></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>If you already have Shorewall installed and are upgrading to a new
|
||||
version using the tarball:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
|
||||
<para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the shorewall-perl directory (the version is encoded in
|
||||
the directory name as in <quote>shorewall-4.5.0</quote>).</para>
|
||||
the directory name as in <quote>shorewall-4.3.5</quote>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2012</year>
|
||||
<year>2003-2009</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@@ -385,14 +385,9 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
<section id="Packages">
|
||||
<title>Shorewall Packages</title>
|
||||
|
||||
<para>Shorewall 4.5 and later consists of six packages.</para>
|
||||
<para>Shorewall 4.3 and later consists of four packages.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall-core</emphasis>. All of the
|
||||
other packages depend on this one.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall</emphasis>. This package must be
|
||||
installed on at least one system in your network. It contains
|
||||
@@ -422,13 +417,6 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
scripts are generated. These scripts are copied to the firewall
|
||||
systems where they run under the control of Shorewall6-lite.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall-init</emphasis>. May be
|
||||
installed with any of the other firewall packages. Allows the firewall
|
||||
to be close prior to bringing up network interfaces. It can also react
|
||||
to interface up/down events.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
||||
@@ -31,11 +31,9 @@
|
||||
|
||||
<year>2009</year>
|
||||
|
||||
<year>2012</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
|
||||
<holder/>
|
||||
<holder></holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
@@ -76,39 +74,6 @@
|
||||
zones.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Versions >= 4.5.0</title>
|
||||
|
||||
<para/>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>The BLACKLIST section of the rules file has been eliminated. If
|
||||
you have entries in that file section, you must move them to the
|
||||
blrules file. </para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>This version of Shorewall requires the Digest::SHA1 Perl
|
||||
module.</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Debian: libdigest-sha1-perl</member>
|
||||
|
||||
<member>Fedora: perl-Digest-SHA1</member>
|
||||
|
||||
<member>OpenSuSE: perl-Digest-SHA1 </member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The generated firewall script now maintains the
|
||||
/var/lib/shorewall[6][-lite]/interface.status files used by SWPING and
|
||||
by LSM.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Versions >= 4.4.0</title>
|
||||
|
||||
@@ -353,7 +318,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
|
||||
<para> Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
|
||||
deprecated. With EXPORTPARAMS=No, the variables set by <ulink
|
||||
url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
|
||||
(<ulink
|
||||
|
||||
Reference in New Issue
Block a user