forked from extern/shorewall_code
Compare commits
5 Commits
5.0.10-Bet
...
5.0.8.2
| Author | SHA1 | Date | |
|---|---|---|---|
|
5fbc5f1430 | ||
|
|
cae7c5d300 | ||
|
|
bba851117a | ||
|
91702f094d | ||
|
|
49c94bc5ec |
@@ -731,29 +731,12 @@ list_zone() {
|
||||
done
|
||||
}
|
||||
|
||||
option_error() {
|
||||
fatal_error "The $COMMAND command does not accept this option: -$1"
|
||||
}
|
||||
|
||||
too_many_arguments() {
|
||||
fatal_error "Too many arguments: $1"
|
||||
}
|
||||
|
||||
missing_argument() {
|
||||
fatal_error "Missing argument"
|
||||
}
|
||||
|
||||
missing_option_value() {
|
||||
fatal_error "The $1 option requires a value"
|
||||
}
|
||||
|
||||
version_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local all
|
||||
all=
|
||||
local product
|
||||
local compiletime
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@@ -772,7 +755,7 @@ version_command() {
|
||||
option=${option#a}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -784,7 +767,7 @@ version_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -gt 0 ] && too_many_arguments
|
||||
[ $# -gt 0 ] && usage 1
|
||||
|
||||
if [ -n "$all" ]; then
|
||||
echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
|
||||
@@ -796,16 +779,8 @@ version_command() {
|
||||
done
|
||||
|
||||
if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
echo "$g_firewall was $compiletime"
|
||||
;;
|
||||
*)
|
||||
echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
echo $g_echo_n "$g_firewall was compiled by Shorewall version "
|
||||
$g_firewall version
|
||||
fi
|
||||
else
|
||||
echo $SHOREWALL_VERSION
|
||||
@@ -1090,7 +1065,7 @@ show_connections() {
|
||||
shift
|
||||
conntrack -f ipv4 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /proc/net/ip_conntrack ]; then
|
||||
cat /proc/net/ip_conntrack | show_connections_filter
|
||||
else
|
||||
@@ -1103,7 +1078,7 @@ show_connections() {
|
||||
echo
|
||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
@@ -1224,7 +1199,7 @@ show_command() {
|
||||
option=${option#f}
|
||||
;;
|
||||
t)
|
||||
[ $# -eq 1 ] && missing_option_value -t
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
@@ -1252,7 +1227,7 @@ show_command() {
|
||||
option=${option#b}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1274,37 +1249,37 @@ show_command() {
|
||||
eval show_connections $@ $g_pager
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_nat $g_pager
|
||||
;;
|
||||
raw)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_raw $g_pager
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_rawpost $g_pager
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_mangle $g_pager
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
[ $# -gt 2 ] && usage 1
|
||||
|
||||
setup_logread
|
||||
eval show_log $g_pager
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
[ $# -gt 2 ] && usage 1
|
||||
eval show_tc $@ $g_pager
|
||||
;;
|
||||
classifiers|filters)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_classifiers_command $g_pager
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f ${VARDIR}/zones ]; then
|
||||
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1327,7 +1302,7 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
capabilities)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
determine_capabilities
|
||||
VERBOSITY=2
|
||||
if [ -n "$g_filemode" ]; then
|
||||
@@ -1337,11 +1312,11 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
ip)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_ip_addresses $g_pager
|
||||
;;
|
||||
routing)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_routing_command $g_pager
|
||||
;;
|
||||
config)
|
||||
@@ -1370,26 +1345,26 @@ show_command() {
|
||||
echo $VARDIR;
|
||||
;;
|
||||
policies)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_policies $g_pager
|
||||
;;
|
||||
ipa)
|
||||
[ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $g_family -eq 4 ] || usage 1
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_ipa $g_pager
|
||||
;;
|
||||
marks)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
|
||||
echo
|
||||
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
|
||||
;;
|
||||
nfacct)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_nfacct_command $g_pager
|
||||
;;
|
||||
arptables)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
resolve_arptables
|
||||
if [ -n "$arptables" -a -x $arptables ]; then
|
||||
eval show_arptables $g_pager
|
||||
@@ -1398,22 +1373,22 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
event)
|
||||
[ $# -gt 1 ] || too_many_arguments $2
|
||||
[ $# -gt 1 ] || usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
|
||||
echo
|
||||
shift
|
||||
show_events $@
|
||||
;;
|
||||
events)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_events_command $g_pager
|
||||
;;
|
||||
bl|blacklists)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_blacklists $g_pager
|
||||
;;
|
||||
opens)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
|
||||
|
||||
if chain_exists dynamic; then
|
||||
@@ -1429,12 +1404,12 @@ show_command() {
|
||||
*)
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_actions_sorted $g_pager
|
||||
return
|
||||
;;
|
||||
macro)
|
||||
[ $# -ne 2 ] && too_many_arguments $2
|
||||
[ $# -ne 2 ] && usage 1
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
if [ -f ${directory}/macro.$2 ]; then
|
||||
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
|
||||
@@ -1446,7 +1421,7 @@ show_command() {
|
||||
return
|
||||
;;
|
||||
macros)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_macros $g_pager
|
||||
return
|
||||
;;
|
||||
@@ -1457,7 +1432,7 @@ show_command() {
|
||||
if [ $# -gt 0 ]; then
|
||||
if [ $1 = dynamic -a $# -gt 1 ]; then
|
||||
shift
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
[ $# -eq 1 ] || usage 1
|
||||
list_zone $1
|
||||
return;
|
||||
fi
|
||||
@@ -1532,49 +1507,6 @@ dump_filter_wrapper() {
|
||||
eval dump_filter $g_pager
|
||||
}
|
||||
|
||||
show_status() {
|
||||
local compiletime
|
||||
local state
|
||||
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
state="$state ($g_firewall $compiletime)"
|
||||
;;
|
||||
*)
|
||||
state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Dump Command Executor
|
||||
#
|
||||
@@ -1614,7 +1546,7 @@ do_dump_command() {
|
||||
option=${option#c}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1633,7 +1565,7 @@ do_dump_command() {
|
||||
[ $VERBOSITY -lt 2 ] && VERBOSITY=2
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
[ $# -eq 0 ] || usage 1
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1828,7 +1760,7 @@ restore_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1848,7 +1780,7 @@ restore_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -2454,7 +2386,7 @@ hits_command() {
|
||||
option=${option#t}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2466,7 +2398,7 @@ hits_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
[ $# -eq 0 ] || usage 1
|
||||
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
|
||||
@@ -2522,46 +2454,21 @@ hits_command() {
|
||||
# 'allow' command executor
|
||||
#
|
||||
allow_command() {
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
|
||||
[ $# -eq 1 ] && usage 1
|
||||
if product_is_started ; then
|
||||
local allowed
|
||||
local which
|
||||
which='-s'
|
||||
local range
|
||||
range='--src-range'
|
||||
local dynexists
|
||||
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
|
||||
case ${IPSET:=ipset} in
|
||||
*/*)
|
||||
if [ ! -x "$IPSET" ]; then
|
||||
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
IPSET="$(mywhich $IPSET)"
|
||||
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
dynexists=Yes
|
||||
elif [ -z "$g_blacklistipset" ]; then
|
||||
if ! chain_exists dynamic; then
|
||||
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
||||
fi
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
||||
allowed=''
|
||||
|
||||
case $1 in
|
||||
from)
|
||||
which='-s'
|
||||
@@ -2574,48 +2481,29 @@ allow_command() {
|
||||
continue
|
||||
;;
|
||||
*-*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$allowed" ]; then
|
||||
progress_message2 "$1 Allowed"
|
||||
else
|
||||
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
else
|
||||
error_message "ERROR: $g_product is not started"
|
||||
@@ -2637,6 +2525,8 @@ logwatch_command() {
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
@@ -2656,7 +2546,7 @@ logwatch_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2675,7 +2565,7 @@ logwatch_command() {
|
||||
elif [ $# -eq 0 ]; then
|
||||
logwatch 30
|
||||
else
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -3419,6 +3309,36 @@ report_capabilities1() {
|
||||
report_capabilities_unsorted1 | sort
|
||||
}
|
||||
|
||||
show_status() {
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
|
||||
fi
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
interface_status() {
|
||||
case $(cat $1) in
|
||||
0)
|
||||
@@ -3472,7 +3392,7 @@ status_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3484,7 +3404,7 @@ status_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || missing_argument
|
||||
[ $# -eq 0 ] || usage 1
|
||||
|
||||
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
|
||||
show_status
|
||||
@@ -3551,7 +3471,7 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -3578,7 +3498,7 @@ save_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3598,7 +3518,7 @@ save_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3617,9 +3537,6 @@ save_command() {
|
||||
|
||||
forget_command() {
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
@@ -3627,7 +3544,7 @@ forget_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3649,7 +3566,7 @@ ipcalc_command() {
|
||||
local address
|
||||
local vlsm
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
if [ $# -eq 2 ]; then
|
||||
address=${2%/*}
|
||||
@@ -3657,15 +3574,13 @@ ipcalc_command() {
|
||||
elif [ $# -eq 3 ]; then
|
||||
address=$2
|
||||
vlsm=$(ip_vlsm $3)
|
||||
elif [ $# -eq 0 ]; then
|
||||
missing_argument
|
||||
else
|
||||
too_many_arguments $4
|
||||
usage 1
|
||||
fi
|
||||
|
||||
valid_address $address || fatal_error "Invalid IP address: $address"
|
||||
[ -z "$vlsm" ] && fatal_error "Missing VLSM"
|
||||
[ "x$address" = "x$vlsm" ] && "Invalid VLSM"
|
||||
[ -z "$vlsm" ] && usage 2
|
||||
[ "x$address" = "x$vlsm" ] && usage 2
|
||||
[ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
|
||||
|
||||
address=$address/$vlsm
|
||||
@@ -3679,7 +3594,7 @@ ipcalc_command() {
|
||||
iprange_command() {
|
||||
local range
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
range=''
|
||||
|
||||
@@ -3697,19 +3612,15 @@ iprange_command() {
|
||||
ip_range $range
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid ip range: $range"
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
ipdecimal_command() {
|
||||
if [ $# eq 1 ]; then
|
||||
missing_argument
|
||||
else
|
||||
[ $# -eq 2 ] || too_many_arguments $3
|
||||
fi
|
||||
[ $# -eq 2 ] || usage 1
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
*.*.*.*)
|
||||
@@ -4017,7 +3928,7 @@ start_command() {
|
||||
option=${option%p}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4033,7 +3944,7 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $1
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -4077,7 +3988,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4093,7 +4004,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $1
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -4309,8 +4220,7 @@ shorewall_cli() {
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
c)
|
||||
[ $# -eq 1 ] && missing_option_value -c
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
|
||||
[ $# -eq 1 -o -n "$g_lite" ] && usage 1
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
@@ -4325,7 +4235,7 @@ shorewall_cli() {
|
||||
shift
|
||||
;;
|
||||
e*)
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
|
||||
[ -n "$g_lite" ] && usage 1
|
||||
g_export=Yes
|
||||
option=${option#e}
|
||||
;;
|
||||
@@ -4387,7 +4297,7 @@ shorewall_cli() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4452,7 +4362,7 @@ shorewall_cli() {
|
||||
start_command $@
|
||||
;;
|
||||
stop|clear)
|
||||
[ $# -ne 1 ] && too_many_arguments $2
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
@@ -4509,7 +4419,7 @@ shorewall_cli() {
|
||||
dump_command $@
|
||||
;;
|
||||
hits)
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
get_config Yes No Yes
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
shift
|
||||
@@ -4527,19 +4437,19 @@ shorewall_cli() {
|
||||
drop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
drop_command $@
|
||||
;;
|
||||
logdrop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
logdrop_command $@
|
||||
;;
|
||||
reject|logreject)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
reject_command $@
|
||||
;;
|
||||
open|close)
|
||||
@@ -4604,11 +4514,6 @@ shorewall_cli() {
|
||||
# It's a shell function -- call it
|
||||
#
|
||||
$@
|
||||
elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
|
||||
#
|
||||
# It's a shell function -- call it
|
||||
#
|
||||
$@
|
||||
else
|
||||
#
|
||||
# It isn't a function visible to this script -- try
|
||||
@@ -4617,7 +4522,7 @@ shorewall_cli() {
|
||||
run_it $g_firewall $g_debugging call $@
|
||||
fi
|
||||
else
|
||||
missing_argument
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
help)
|
||||
@@ -4635,7 +4540,7 @@ shorewall_cli() {
|
||||
noiptrace_command $@
|
||||
;;
|
||||
savesets)
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
savesets1
|
||||
@@ -4644,7 +4549,7 @@ shorewall_cli() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
compiler_command $@
|
||||
else
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -712,9 +712,9 @@ find_file()
|
||||
set_state () # $1 = state
|
||||
{
|
||||
if [ $# -gt 1 ]; then
|
||||
echo "$1 $(date) from $2" > ${VARDIR}/state
|
||||
echo "$1 ($(date)) from $2" > ${VARDIR}/state
|
||||
else
|
||||
echo "$1 $(date)" > ${VARDIR}/state
|
||||
echo "$1 ($(date))" > ${VARDIR}/state
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -776,7 +776,7 @@ mutex_on()
|
||||
error_message "WARNING: Stale lockfile ${lockf} removed"
|
||||
elif [ $lockpid -eq $$ ]; then
|
||||
return 0
|
||||
elif ! ps | grep -v grep | qt grep ${lockpid}; then
|
||||
elif ! qt ps p ${lockpid}; then
|
||||
rm -f ${lockf}
|
||||
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
||||
fi
|
||||
@@ -788,8 +788,10 @@ mutex_on()
|
||||
echo $$ > ${lockf}
|
||||
chmod u-w ${lockf}
|
||||
elif qt mywhich lock; then
|
||||
lock ${lockf}
|
||||
chmod u=r ${lockf}
|
||||
lock -${MUTEX_TIMEOUT} -r1 ${lockf}
|
||||
chmod u+w ${lockf}
|
||||
echo $$ > ${lockf}
|
||||
chmod u-w ${lockf}
|
||||
else
|
||||
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
||||
sleep 1
|
||||
@@ -811,7 +813,6 @@ mutex_on()
|
||||
#
|
||||
mutex_off()
|
||||
{
|
||||
[ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
|
||||
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
||||
}
|
||||
|
||||
|
||||
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
|
||||
|
||||
if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}${ETC}/default
|
||||
mkdir ${DESTDIR}${ETC}/default
|
||||
fi
|
||||
|
||||
[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
|
||||
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
fi
|
||||
else
|
||||
if [ $configure -eq 1 -a -n "$first_install" ]; then
|
||||
if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/rcS.d
|
||||
fi
|
||||
|
||||
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
||||
fi
|
||||
|
||||
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
|
||||
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
fi
|
||||
|
||||
if [ ${SHAREDIR} != /usr/share ]; then
|
||||
|
||||
@@ -702,9 +702,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
|
||||
|
||||
emit "exec 3>\${VARDIR}/.arptables-input";
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
unless ( $test ) {
|
||||
emit_unindented '#';
|
||||
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
|
||||
#
|
||||
sub preview_arptables_load() {
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
|
||||
@@ -8575,7 +8575,7 @@ sub create_netfilter_load( $ ) {
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
unless ( $test ) {
|
||||
emit_unindented '#';
|
||||
@@ -8683,7 +8683,7 @@ sub preview_netfilter_load() {
|
||||
|
||||
enter_cat_mode1;
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
@@ -8919,7 +8919,7 @@ sub create_stop_load( $ ) {
|
||||
enter_cat_mode;
|
||||
|
||||
unless ( $test ) {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
emit_unindented '#';
|
||||
emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
|
||||
emit_unindented '#';
|
||||
|
||||
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
|
||||
#
|
||||
# First stage of script generation.
|
||||
#
|
||||
# Copy lib.runtime and lib.common to the generated script.
|
||||
# Copy lib.core and lib.common to the generated script.
|
||||
# Generate the various user-exit jacket functions.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
|
||||
if ( $test ) {
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
|
||||
} else {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||
|
||||
copy $globals{SHAREDIRPL} . '/lib.runtime', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
|
||||
copy $globals{SHAREDIRPL} . '/lib.core', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -596,21 +596,6 @@ EOF
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Generate info_command()
|
||||
#
|
||||
sub compile_info_command() {
|
||||
my $date = compiletime;
|
||||
|
||||
emit( "\n",
|
||||
"#",
|
||||
"# Echo the date and time when this script was compiled along with the Shorewall version",
|
||||
"#",
|
||||
"info_command() {" ,
|
||||
qq( echo "compiled $date by Shorewall version $globals{VERSION}") ,
|
||||
"}\n" );
|
||||
}
|
||||
|
||||
#
|
||||
# The Compiler.
|
||||
#
|
||||
@@ -937,10 +922,6 @@ sub compiler {
|
||||
#
|
||||
compile_updown;
|
||||
#
|
||||
# Echo the compilation time and date
|
||||
#
|
||||
compile_info_command unless $test;
|
||||
#
|
||||
# Copy the footer to the script
|
||||
#
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
||||
|
||||
@@ -84,8 +84,6 @@ our @EXPORT = qw(
|
||||
require_capability
|
||||
report_used_capabilities
|
||||
kernel_version
|
||||
|
||||
compiletime
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
|
||||
@@ -683,8 +681,6 @@ our %ipsets; # All required IPsets
|
||||
#
|
||||
our %filecache;
|
||||
|
||||
our $compiletime;
|
||||
|
||||
sub process_shorewallrc($$);
|
||||
sub add_variables( \% );
|
||||
#
|
||||
@@ -741,7 +737,7 @@ sub initialize( $;$$) {
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
VERSION => "5.0.9-Beta2",
|
||||
VERSION => "5.0.1",
|
||||
CAPVERSION => 50004 ,
|
||||
BLACKLIST_LOG_TAG => '',
|
||||
RELATED_LOG_TAG => '',
|
||||
@@ -893,7 +889,6 @@ sub initialize( $;$$) {
|
||||
DOCKER => undef ,
|
||||
PAGER => undef ,
|
||||
MINIUPNPD => undef ,
|
||||
VERBOSE_MESSAGES => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -1176,12 +1171,6 @@ sub initialize( $;$$) {
|
||||
%shorewallrc1 = %shorewallrc unless $shorewallrc1;
|
||||
|
||||
add_variables %shorewallrc1;
|
||||
|
||||
$compiletime = `date`;
|
||||
|
||||
chomp $compiletime;
|
||||
|
||||
$compiletime =~ s/ +/ /g;
|
||||
}
|
||||
|
||||
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
||||
@@ -1194,10 +1183,6 @@ sub all_ipsets() {
|
||||
sort keys %ipsets;
|
||||
}
|
||||
|
||||
sub compiletime() {
|
||||
$compiletime;
|
||||
}
|
||||
|
||||
#
|
||||
# Create 'currentlineinfo'
|
||||
#
|
||||
@@ -2558,54 +2543,18 @@ sub directive_error( $$$ ) {
|
||||
fatal_error $_[0];
|
||||
}
|
||||
|
||||
sub directive_warning( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " WARNING: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " WARNING: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
sub directive_warning( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
sub directive_info( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " INFO: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " INFO: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
sub directive_info( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2754,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
|
||||
print "CD===> $line\n" if $debug;
|
||||
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
|
||||
|
||||
my ($keyword, $expression) = ( uc $1, $2 );
|
||||
|
||||
@@ -2862,14 +2811,14 @@ sub process_compiler_directive( $$$$ ) {
|
||||
delete $actparams{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
|
||||
} else {
|
||||
if ( exists $variables{$2} ) {
|
||||
delete $variables{$2};
|
||||
} else {
|
||||
directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2883,7 +2832,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
|
||||
$comment =~ s/\s*$//;
|
||||
} else {
|
||||
directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -2902,8 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
WARNING => sub() {
|
||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
directive_warning( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -2912,28 +2860,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
INFO => sub() {
|
||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'WARNING!' => sub() {
|
||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'INFO!' => sub() {
|
||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
directive_info( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -3894,10 +3821,9 @@ my %logoptions = ( tcp_sequence => '--log-tcp-sequence',
|
||||
|
||||
sub validate_level( $;$ ) {
|
||||
my ( $rawlevel, $option ) = @_;
|
||||
my $level;
|
||||
my $level = uc $rawlevel;
|
||||
|
||||
if ( supplied ( $rawlevel ) ) {
|
||||
$level = uc $rawlevel;
|
||||
if ( supplied ( $level ) ) {
|
||||
$level =~ s/!$//;
|
||||
my $value = $level;
|
||||
my $qualifier;
|
||||
@@ -5752,24 +5678,6 @@ sub get_configuration( $$$$ ) {
|
||||
$ENV{PATH} = $default_path;
|
||||
}
|
||||
|
||||
fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
|
||||
|
||||
fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
|
||||
|
||||
close_file;
|
||||
|
||||
warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||
|
||||
if ( $family == F_IPV6 ) {
|
||||
open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
|
||||
|
||||
fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
|
||||
|
||||
close_file;
|
||||
|
||||
warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||
}
|
||||
|
||||
my $have_capabilities;
|
||||
|
||||
if ( $export || $> != 0 ) {
|
||||
@@ -6201,7 +6109,6 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
|
||||
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
|
||||
default_yes_no 'MINIUPNPD' , '';
|
||||
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
|
||||
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
|
||||
|
||||
@@ -302,7 +302,7 @@ sub convert_blacklist() {
|
||||
if ( @rules ) {
|
||||
my $fn1 = find_writable_file( 'blrules' );
|
||||
my $blrules;
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
@@ -393,7 +393,7 @@ sub convert_routestopped() {
|
||||
my ( @allhosts, %source, %dest , %notrack, @rule );
|
||||
|
||||
my $seq = 0;
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
my ( $stoppedrules, $fn1 );
|
||||
|
||||
@@ -421,7 +421,7 @@ EOF
|
||||
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "$doing $fn...";
|
||||
print( $stoppedrules
|
||||
"#\n" ,
|
||||
@@ -649,15 +649,9 @@ sub create_docker_rules() {
|
||||
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
|
||||
my $outputref;
|
||||
add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $outputref );
|
||||
add_ijump( $outputref, j => 'DOCKER' );
|
||||
decr_cmd_level( $outputref );
|
||||
add_commands( $outputref, 'fi' );
|
||||
}
|
||||
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
|
||||
@@ -867,10 +861,8 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
|
||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
|
||||
@@ -368,7 +368,7 @@ sub setup_conntrack($) {
|
||||
if ( $convert ) {
|
||||
my $conntrack;
|
||||
my $empty = 1;
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
if ( $fn ) {
|
||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
|
||||
@@ -4464,16 +4464,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
},
|
||||
|
||||
NFLOG => {
|
||||
defaultchain => 0,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 0,
|
||||
maxparams => 3,
|
||||
function => sub () {
|
||||
$target = validate_level( "NFLOG($params)" );
|
||||
}
|
||||
},
|
||||
|
||||
RESTORE => {
|
||||
defaultchain => 0,
|
||||
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
|
||||
|
||||
@@ -352,7 +352,7 @@ sub process_simple_device() {
|
||||
my $prio = 16 | $i;
|
||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit '';
|
||||
}
|
||||
|
||||
@@ -2166,7 +2166,7 @@ sub convert_tos($$) {
|
||||
if ( my $fn = open_file 'tos' ) {
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "Converting $fn...";
|
||||
print( $mangle
|
||||
"#\n" ,
|
||||
@@ -2332,7 +2332,7 @@ sub setup_tc( $ ) {
|
||||
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "Converting $fn...";
|
||||
print( $mangle
|
||||
"#\n" ,
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
# generated this program
|
||||
#
|
||||
################################################################################
|
||||
# Functions imported from /usr/share/shorewall/lib.runtime
|
||||
# Functions imported from /usr/share/shorewall/lib.core
|
||||
################################################################################
|
||||
# Address family-neutral Functions
|
||||
################################################################################
|
||||
@@ -25,7 +25,6 @@ usage() {
|
||||
echo " savesets <file>"
|
||||
echo " call <function> [ <parameter> ... ]"
|
||||
echo " version"
|
||||
echo " info"
|
||||
echo
|
||||
echo "Options are:"
|
||||
echo
|
||||
@@ -470,10 +469,6 @@ case "$COMMAND" in
|
||||
echo $SHOREWALL_VERSION
|
||||
status=0
|
||||
;;
|
||||
info)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
info_command
|
||||
;;
|
||||
help)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
usage 0
|
||||
|
||||
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -250,8 +250,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
||||
fi
|
||||
|
||||
run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
|
||||
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
fi
|
||||
|
||||
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
||||
|
||||
@@ -493,13 +493,13 @@ compiler() {
|
||||
|
||||
case "$g_doing" in
|
||||
Compiling|Checking)
|
||||
progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||
progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
Updating)
|
||||
progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
|
||||
;;
|
||||
*)
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
esac
|
||||
#
|
||||
@@ -604,7 +604,7 @@ start_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -620,8 +620,7 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
|
||||
[ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -635,7 +634,7 @@ start_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -664,6 +663,8 @@ compile_command() {
|
||||
shift
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
e*)
|
||||
@@ -700,7 +701,7 @@ compile_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -722,7 +723,7 @@ compile_command() {
|
||||
[ -d "$g_file" ] && fatal_error "$g_file is a directory"
|
||||
;;
|
||||
2)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -736,7 +737,7 @@ compile_command() {
|
||||
g_file=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -790,7 +791,7 @@ check_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -806,7 +807,7 @@ check_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -819,7 +820,7 @@ check_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -882,7 +883,7 @@ update_command() {
|
||||
option=${option#A}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -898,7 +899,7 @@ update_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -911,7 +912,7 @@ update_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -976,7 +977,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -992,7 +993,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1007,7 +1008,7 @@ restart_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1085,7 +1086,7 @@ refresh_command() {
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1168,7 +1169,7 @@ safe_commands() {
|
||||
shift;
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1184,7 +1185,7 @@ safe_commands() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1197,7 +1198,7 @@ safe_commands() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1285,7 +1286,7 @@ try_command() {
|
||||
timeout=
|
||||
|
||||
handle_directory() {
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1315,7 +1316,7 @@ try_command() {
|
||||
option=${option#n}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1329,7 +1330,7 @@ try_command() {
|
||||
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
usage 1
|
||||
;;
|
||||
1)
|
||||
handle_directory $1
|
||||
@@ -1340,7 +1341,7 @@ try_command() {
|
||||
timeout=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1479,7 +1480,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1492,9 +1493,6 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
g_shorewalldir="."
|
||||
system=$1
|
||||
@@ -1504,7 +1502,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
system=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1744,7 +1742,7 @@ compiler_command() {
|
||||
safe_commands $@
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
@@ -380,7 +380,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -451,8 +451,8 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||
|
||||
@@ -598,36 +598,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -595,32 +595,9 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro body and the invocation of that
|
||||
|
||||
@@ -2508,7 +2508,7 @@ INLINE - - - ; -j REJECT
|
||||
role="bold">refresh</emphasis>, <emphasis
|
||||
role="bold">try</emphasis>, and <emphasis
|
||||
role="bold">safe-</emphasis>* command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above.</para>
|
||||
determined by the setting of LOG_VERBOSITY above. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2864,20 +2864,6 @@ INLINE - - - ; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -964,9 +964,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
|
||||
rm -rf ${SHAREDIR}/shorewall/Samples/
|
||||
rm -rf ${SHAREDIR}/shorewall/Shorewall/
|
||||
rm -f ${SHAREDIR}/shorewall/lib.cli-std
|
||||
rm -f ${SHAREDIR}/shorewall/lib.runtime
|
||||
rm -f ${SHAREDIR}/shorewall/lib.core
|
||||
rm -f ${SHAREDIR}/shorewall/compiler.pl
|
||||
rm -f ${SHAREDIR}/shorewall/prog.*
|
||||
rm -f ${SHAREDIR}/shorewall/module*
|
||||
|
||||
@@ -679,9 +679,7 @@
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
blacklisted by a <command>drop</command>,
|
||||
<command>logdrop</command>, <command>reject</command>, or
|
||||
<command>logreject</command> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
<command>logreject</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -214,8 +214,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -83,7 +83,7 @@ case "$command" in
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
|
||||
;;
|
||||
status|stop)
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS $command
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
|
||||
@@ -321,7 +321,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
|
||||
@@ -609,36 +609,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1. </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -574,29 +574,7 @@
|
||||
the next rule. See <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro and the invocation of that action
|
||||
@@ -1658,7 +1636,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||
role="bold">ipv6-route</emphasis> or <emphasis
|
||||
role="bold">43</emphasis></term>
|
||||
role="bold">41</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 Route extension header.</para>
|
||||
|
||||
@@ -2506,20 +2506,6 @@ INLINE - - - ; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -932,9 +932,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -95,11 +95,6 @@ rsyncok eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
|
||||
<para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
|
||||
specified, a single ipset is created; the ipset has the same name as the
|
||||
zone.</para>
|
||||
|
||||
<para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
|
||||
a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
|
||||
Making a dynamic zone a sub-zone of multiple other zones is also
|
||||
supported.</para>
|
||||
</section>
|
||||
|
||||
<section id="Adding">
|
||||
|
||||
@@ -301,8 +301,8 @@
|
||||
|
||||
<para>COMMENT, FORMAT and SECTION Lines now require the leading question
|
||||
mark ("?"). In earlier releases, the question mark was optional. The
|
||||
<command>shorewall[6] update -D</command> command in Shorewall 4.6 will
|
||||
insert the question marks for you.</para>
|
||||
<command>shorewall[6] update -D</command> command will insert the
|
||||
question marks for you.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -359,7 +359,7 @@
|
||||
|
||||
<para>It is strongly recommended that you first upgrade your installation
|
||||
to a 4.6 release that supports the <option>-A</option> option to the
|
||||
<command>update</command> command; 4.6.13.2 or later is preferred.</para>
|
||||
<command>update</command> command; 4.6.13 is preferred.</para>
|
||||
|
||||
<para>Once you are on that release, execute the <command>shorewall update
|
||||
-A</command> command (and <command>shorewall6 update -A</command> if you
|
||||
@@ -374,11 +374,11 @@
|
||||
likely won't start or work correctly until you do.</para>
|
||||
|
||||
<para>The <command>update</command> command in Shorewall 5 has many fewer
|
||||
options. The <option>-b</option>, <option>-t</option>,
|
||||
<option>-n</option>, <option>-D</option> and <option>-s </option>options
|
||||
have been removed -- the updates triggered by those options are now
|
||||
performed unconditionally. The <option>-i </option>and <option>-A
|
||||
</option>options have been retained - both enable checking for issues that
|
||||
could result if INLINE_MATCHES were to be set to Yes.</para>
|
||||
options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
|
||||
and <option>-s </option>options have been removed -- the updates triggered
|
||||
by those options are now performed unconditionally. The <option>-i
|
||||
</option>and <option>-A </option>options have been retained - both enable
|
||||
checking for issues that could result if INLINE_MATCHES were to be set to
|
||||
Yes.</para>
|
||||
</section>
|
||||
</article>
|
||||
|
||||
@@ -48,7 +48,7 @@
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall supports two different types of blacklisting; rule-based,
|
||||
<para>Shorewall supports two different types of blackliisting; rule-based,
|
||||
static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
|
||||
controls the degree of blacklist filtering.</para>
|
||||
|
||||
|
||||
@@ -293,7 +293,7 @@ gateway:/etc/shorewall# </programl
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group (0-65535). If
|
||||
<para>The first number specifies the netlink group (0-32). If
|
||||
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user