forked from extern/shorewall_code
Compare commits
5 Commits
5.0.12-Bet
...
5.0.8.2
| Author | SHA1 | Date | |
|---|---|---|---|
|
5fbc5f1430 | ||
|
|
cae7c5d300 | ||
|
|
bba851117a | ||
|
91702f094d | ||
|
|
49c94bc5ec |
@@ -191,8 +191,6 @@ setup_logread() {
|
||||
else
|
||||
g_logread="logread"
|
||||
fi
|
||||
elif [ "$LOGFILE" = "systemd" ]; then
|
||||
g_logread="journalctl -r"
|
||||
elif [ -r $LOGFILE ]; then
|
||||
if qt mywhich tac; then
|
||||
g_logread="tac $LOGFILE"
|
||||
@@ -733,29 +731,12 @@ list_zone() {
|
||||
done
|
||||
}
|
||||
|
||||
option_error() {
|
||||
fatal_error "The $COMMAND command does not accept this option: -$1"
|
||||
}
|
||||
|
||||
too_many_arguments() {
|
||||
fatal_error "Too many arguments: $1"
|
||||
}
|
||||
|
||||
missing_argument() {
|
||||
fatal_error "Missing argument"
|
||||
}
|
||||
|
||||
missing_option_value() {
|
||||
fatal_error "The $1 option requires a value"
|
||||
}
|
||||
|
||||
version_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local all
|
||||
all=
|
||||
local product
|
||||
local compiletime
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@@ -774,7 +755,7 @@ version_command() {
|
||||
option=${option#a}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -786,7 +767,7 @@ version_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -gt 0 ] && too_many_arguments
|
||||
[ $# -gt 0 ] && usage 1
|
||||
|
||||
if [ -n "$all" ]; then
|
||||
echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
|
||||
@@ -798,16 +779,8 @@ version_command() {
|
||||
done
|
||||
|
||||
if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
echo "$g_firewall was $compiletime"
|
||||
;;
|
||||
*)
|
||||
echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
echo $g_echo_n "$g_firewall was compiled by Shorewall version "
|
||||
$g_firewall version
|
||||
fi
|
||||
else
|
||||
echo $SHOREWALL_VERSION
|
||||
@@ -1092,7 +1065,7 @@ show_connections() {
|
||||
shift
|
||||
conntrack -f ipv4 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /proc/net/ip_conntrack ]; then
|
||||
cat /proc/net/ip_conntrack | show_connections_filter
|
||||
else
|
||||
@@ -1105,7 +1078,7 @@ show_connections() {
|
||||
echo
|
||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
@@ -1226,7 +1199,7 @@ show_command() {
|
||||
option=${option#f}
|
||||
;;
|
||||
t)
|
||||
[ $# -eq 1 ] && missing_option_value -t
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
@@ -1254,7 +1227,7 @@ show_command() {
|
||||
option=${option#b}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1276,37 +1249,37 @@ show_command() {
|
||||
eval show_connections $@ $g_pager
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_nat $g_pager
|
||||
;;
|
||||
raw)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_raw $g_pager
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_rawpost $g_pager
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_mangle $g_pager
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
[ $# -gt 2 ] && usage 1
|
||||
|
||||
setup_logread
|
||||
eval show_log $g_pager
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
[ $# -gt 2 ] && usage 1
|
||||
eval show_tc $@ $g_pager
|
||||
;;
|
||||
classifiers|filters)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_classifiers_command $g_pager
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f ${VARDIR}/zones ]; then
|
||||
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1329,7 +1302,7 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
capabilities)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
determine_capabilities
|
||||
VERBOSITY=2
|
||||
if [ -n "$g_filemode" ]; then
|
||||
@@ -1339,11 +1312,11 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
ip)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_ip_addresses $g_pager
|
||||
;;
|
||||
routing)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_routing_command $g_pager
|
||||
;;
|
||||
config)
|
||||
@@ -1372,26 +1345,26 @@ show_command() {
|
||||
echo $VARDIR;
|
||||
;;
|
||||
policies)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_policies $g_pager
|
||||
;;
|
||||
ipa)
|
||||
[ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $g_family -eq 4 ] || usage 1
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_ipa $g_pager
|
||||
;;
|
||||
marks)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
|
||||
echo
|
||||
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
|
||||
;;
|
||||
nfacct)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_nfacct_command $g_pager
|
||||
;;
|
||||
arptables)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
resolve_arptables
|
||||
if [ -n "$arptables" -a -x $arptables ]; then
|
||||
eval show_arptables $g_pager
|
||||
@@ -1400,22 +1373,22 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
event)
|
||||
[ $# -gt 1 ] || too_many_arguments $2
|
||||
[ $# -gt 1 ] || usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
|
||||
echo
|
||||
shift
|
||||
show_events $@
|
||||
;;
|
||||
events)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_events_command $g_pager
|
||||
;;
|
||||
bl|blacklists)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_blacklists $g_pager
|
||||
;;
|
||||
opens)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
|
||||
|
||||
if chain_exists dynamic; then
|
||||
@@ -1431,12 +1404,12 @@ show_command() {
|
||||
*)
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_actions_sorted $g_pager
|
||||
return
|
||||
;;
|
||||
macro)
|
||||
[ $# -ne 2 ] && too_many_arguments $2
|
||||
[ $# -ne 2 ] && usage 1
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
if [ -f ${directory}/macro.$2 ]; then
|
||||
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
|
||||
@@ -1448,7 +1421,7 @@ show_command() {
|
||||
return
|
||||
;;
|
||||
macros)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
[ $# -gt 1 ] && usage 1
|
||||
eval show_macros $g_pager
|
||||
return
|
||||
;;
|
||||
@@ -1459,7 +1432,7 @@ show_command() {
|
||||
if [ $# -gt 0 ]; then
|
||||
if [ $1 = dynamic -a $# -gt 1 ]; then
|
||||
shift
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
[ $# -eq 1 ] || usage 1
|
||||
list_zone $1
|
||||
return;
|
||||
fi
|
||||
@@ -1534,49 +1507,6 @@ dump_filter_wrapper() {
|
||||
eval dump_filter $g_pager
|
||||
}
|
||||
|
||||
show_status() {
|
||||
local compiletime
|
||||
local state
|
||||
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
state="$state ($g_firewall $compiletime)"
|
||||
;;
|
||||
*)
|
||||
state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Dump Command Executor
|
||||
#
|
||||
@@ -1616,7 +1546,7 @@ do_dump_command() {
|
||||
option=${option#c}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1635,7 +1565,7 @@ do_dump_command() {
|
||||
[ $VERBOSITY -lt 2 ] && VERBOSITY=2
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
[ $# -eq 0 ] || usage 1
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1830,7 +1760,7 @@ restore_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1850,7 +1780,7 @@ restore_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -2456,7 +2386,7 @@ hits_command() {
|
||||
option=${option#t}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2468,7 +2398,7 @@ hits_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
[ $# -eq 0 ] || usage 1
|
||||
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
|
||||
@@ -2524,46 +2454,21 @@ hits_command() {
|
||||
# 'allow' command executor
|
||||
#
|
||||
allow_command() {
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
|
||||
[ $# -eq 1 ] && usage 1
|
||||
if product_is_started ; then
|
||||
local allowed
|
||||
local which
|
||||
which='-s'
|
||||
local range
|
||||
range='--src-range'
|
||||
local dynexists
|
||||
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
|
||||
case ${IPSET:=ipset} in
|
||||
*/*)
|
||||
if [ ! -x "$IPSET" ]; then
|
||||
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
IPSET="$(mywhich $IPSET)"
|
||||
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
dynexists=Yes
|
||||
elif [ -z "$g_blacklistipset" ]; then
|
||||
if ! chain_exists dynamic; then
|
||||
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
||||
fi
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
||||
allowed=''
|
||||
|
||||
case $1 in
|
||||
from)
|
||||
which='-s'
|
||||
@@ -2576,48 +2481,29 @@ allow_command() {
|
||||
continue
|
||||
;;
|
||||
*-*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$allowed" ]; then
|
||||
progress_message2 "$1 Allowed"
|
||||
else
|
||||
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
else
|
||||
error_message "ERROR: $g_product is not started"
|
||||
@@ -2639,6 +2525,8 @@ logwatch_command() {
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
@@ -2658,7 +2546,7 @@ logwatch_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2677,7 +2565,7 @@ logwatch_command() {
|
||||
elif [ $# -eq 0 ]; then
|
||||
logwatch 30
|
||||
else
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -3421,6 +3309,36 @@ report_capabilities1() {
|
||||
report_capabilities_unsorted1 | sort
|
||||
}
|
||||
|
||||
show_status() {
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
|
||||
fi
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
interface_status() {
|
||||
case $(cat $1) in
|
||||
0)
|
||||
@@ -3474,7 +3392,7 @@ status_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3486,7 +3404,7 @@ status_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || missing_argument
|
||||
[ $# -eq 0 ] || usage 1
|
||||
|
||||
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
|
||||
show_status
|
||||
@@ -3553,7 +3471,7 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -3580,7 +3498,7 @@ save_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3600,7 +3518,7 @@ save_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3619,9 +3537,6 @@ save_command() {
|
||||
|
||||
forget_command() {
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
@@ -3629,7 +3544,7 @@ forget_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3651,7 +3566,7 @@ ipcalc_command() {
|
||||
local address
|
||||
local vlsm
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
if [ $# -eq 2 ]; then
|
||||
address=${2%/*}
|
||||
@@ -3659,15 +3574,13 @@ ipcalc_command() {
|
||||
elif [ $# -eq 3 ]; then
|
||||
address=$2
|
||||
vlsm=$(ip_vlsm $3)
|
||||
elif [ $# -eq 0 ]; then
|
||||
missing_argument
|
||||
else
|
||||
too_many_arguments $4
|
||||
usage 1
|
||||
fi
|
||||
|
||||
valid_address $address || fatal_error "Invalid IP address: $address"
|
||||
[ -z "$vlsm" ] && fatal_error "Missing VLSM"
|
||||
[ "x$address" = "x$vlsm" ] && "Invalid VLSM"
|
||||
[ -z "$vlsm" ] && usage 2
|
||||
[ "x$address" = "x$vlsm" ] && usage 2
|
||||
[ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
|
||||
|
||||
address=$address/$vlsm
|
||||
@@ -3681,7 +3594,7 @@ ipcalc_command() {
|
||||
iprange_command() {
|
||||
local range
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
range=''
|
||||
|
||||
@@ -3699,19 +3612,15 @@ iprange_command() {
|
||||
ip_range $range
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid ip range: $range"
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
ipdecimal_command() {
|
||||
if [ $# eq 1 ]; then
|
||||
missing_argument
|
||||
else
|
||||
[ $# -eq 2 ] || too_many_arguments $3
|
||||
fi
|
||||
[ $# -eq 2 ] || usage 1
|
||||
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
*.*.*.*)
|
||||
@@ -4019,7 +3928,7 @@ start_command() {
|
||||
option=${option%p}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4035,7 +3944,7 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $1
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -4079,7 +3988,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4095,7 +4004,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $1
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -4311,8 +4220,7 @@ shorewall_cli() {
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
c)
|
||||
[ $# -eq 1 ] && missing_option_value -c
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
|
||||
[ $# -eq 1 -o -n "$g_lite" ] && usage 1
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
@@ -4327,7 +4235,7 @@ shorewall_cli() {
|
||||
shift
|
||||
;;
|
||||
e*)
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
|
||||
[ -n "$g_lite" ] && usage 1
|
||||
g_export=Yes
|
||||
option=${option#e}
|
||||
;;
|
||||
@@ -4389,7 +4297,7 @@ shorewall_cli() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4454,7 +4362,7 @@ shorewall_cli() {
|
||||
start_command $@
|
||||
;;
|
||||
stop|clear)
|
||||
[ $# -ne 1 ] && too_many_arguments $2
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
@@ -4511,7 +4419,7 @@ shorewall_cli() {
|
||||
dump_command $@
|
||||
;;
|
||||
hits)
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
get_config Yes No Yes
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
shift
|
||||
@@ -4529,19 +4437,19 @@ shorewall_cli() {
|
||||
drop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
drop_command $@
|
||||
;;
|
||||
logdrop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
logdrop_command $@
|
||||
;;
|
||||
reject|logreject)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
[ $# -eq 1 ] && usage 1
|
||||
reject_command $@
|
||||
;;
|
||||
open|close)
|
||||
@@ -4606,11 +4514,6 @@ shorewall_cli() {
|
||||
# It's a shell function -- call it
|
||||
#
|
||||
$@
|
||||
elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
|
||||
#
|
||||
# It's a shell function -- call it
|
||||
#
|
||||
$@
|
||||
else
|
||||
#
|
||||
# It isn't a function visible to this script -- try
|
||||
@@ -4619,7 +4522,7 @@ shorewall_cli() {
|
||||
run_it $g_firewall $g_debugging call $@
|
||||
fi
|
||||
else
|
||||
missing_argument
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
help)
|
||||
@@ -4637,7 +4540,7 @@ shorewall_cli() {
|
||||
noiptrace_command $@
|
||||
;;
|
||||
savesets)
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
savesets1
|
||||
@@ -4646,7 +4549,7 @@ shorewall_cli() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
compiler_command $@
|
||||
else
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -712,9 +712,9 @@ find_file()
|
||||
set_state () # $1 = state
|
||||
{
|
||||
if [ $# -gt 1 ]; then
|
||||
echo "$1 $(date) from $2" > ${VARDIR}/state
|
||||
echo "$1 ($(date)) from $2" > ${VARDIR}/state
|
||||
else
|
||||
echo "$1 $(date)" > ${VARDIR}/state
|
||||
echo "$1 ($(date))" > ${VARDIR}/state
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -776,7 +776,7 @@ mutex_on()
|
||||
error_message "WARNING: Stale lockfile ${lockf} removed"
|
||||
elif [ $lockpid -eq $$ ]; then
|
||||
return 0
|
||||
elif ! ps | grep -v grep | qt grep ${lockpid}; then
|
||||
elif ! qt ps p ${lockpid}; then
|
||||
rm -f ${lockf}
|
||||
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
||||
fi
|
||||
@@ -788,8 +788,10 @@ mutex_on()
|
||||
echo $$ > ${lockf}
|
||||
chmod u-w ${lockf}
|
||||
elif qt mywhich lock; then
|
||||
lock ${lockf}
|
||||
chmod u=r ${lockf}
|
||||
lock -${MUTEX_TIMEOUT} -r1 ${lockf}
|
||||
chmod u+w ${lockf}
|
||||
echo $$ > ${lockf}
|
||||
chmod u-w ${lockf}
|
||||
else
|
||||
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
||||
sleep 1
|
||||
@@ -811,7 +813,6 @@ mutex_on()
|
||||
#
|
||||
mutex_off()
|
||||
{
|
||||
[ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
|
||||
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
||||
}
|
||||
|
||||
|
||||
@@ -7,15 +7,15 @@ PREFIX=/usr #Top-level directory for s
|
||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
||||
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory
|
||||
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
||||
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
||||
INITFILE= #Name of the product's SysV init script
|
||||
INITFILE=$PRODUCT #Name of the product's SysV init script
|
||||
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
||||
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
# Required-Stop: $local_fs
|
||||
# X-Stop-After: $network
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Initialize the firewall at boot time
|
||||
# Description: Place the firewall in a safe state at boot time prior to
|
||||
# bringing up the network
|
||||
|
||||
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
|
||||
|
||||
if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}${ETC}/default
|
||||
mkdir ${DESTDIR}${ETC}/default
|
||||
fi
|
||||
|
||||
[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
|
||||
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
fi
|
||||
else
|
||||
if [ $configure -eq 1 -a -n "$first_install" ]; then
|
||||
if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "${DESTDIR}" ]; then
|
||||
mkdir -p ${DESTDIR}/etc/rcS.d
|
||||
fi
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall-lite
|
||||
@@ -92,11 +92,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
||||
fi
|
||||
|
||||
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
|
||||
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
fi
|
||||
|
||||
if [ ${SHAREDIR} != /usr/share ]; then
|
||||
|
||||
@@ -702,9 +702,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
|
||||
|
||||
emit "exec 3>\${VARDIR}/.arptables-input";
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
unless ( $test ) {
|
||||
emit_unindented '#';
|
||||
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
|
||||
#
|
||||
sub preview_arptables_load() {
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
|
||||
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
|
||||
# digest => SHA1 digest of the string representation of the chain's rules for use in optimization
|
||||
# level 8.
|
||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||
# Suppresses adding additional rules to the end of the chain
|
||||
# Suppresses adding additional rules to the chain end of the chain
|
||||
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
|
||||
# allowedchains
|
||||
@@ -1337,14 +1337,7 @@ sub push_rule( $$ ) {
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
|
||||
|
||||
if ( $debug ) {
|
||||
if ( $ruleref->{comment} ) {
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
|
||||
} else {
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
|
||||
}
|
||||
}
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
|
||||
|
||||
$chainref->{complete} = 1 if $complete;
|
||||
|
||||
@@ -2935,13 +2928,13 @@ sub initialize_chain_table($) {
|
||||
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
|
||||
#
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'ADD' => STANDARD + SET,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
@@ -3001,13 +2994,13 @@ sub initialize_chain_table($) {
|
||||
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
|
||||
#
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
@@ -3186,17 +3179,17 @@ sub delete_references( $ ) {
|
||||
#
|
||||
sub calculate_digest( $ ) {
|
||||
my $chainref = shift;
|
||||
my $rules = '';
|
||||
my $digest = '';
|
||||
|
||||
for ( @{$chainref->{rules}} ) {
|
||||
if ( $rules ) {
|
||||
$rules .= ' |' . format_rule( $chainref, $_, 1 );
|
||||
if ( $digest ) {
|
||||
$digest .= ' |' . format_rule( $chainref, $_, 1 );
|
||||
} else {
|
||||
$rules = format_rule( $chainref, $_, 1 );
|
||||
$digest = format_rule( $chainref, $_, 1 );
|
||||
}
|
||||
}
|
||||
|
||||
$chainref->{digest} = sha1_hex $rules;
|
||||
$chainref->{digest} = sha1_hex $digest;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -3485,7 +3478,7 @@ sub optimize_level4( $$ ) {
|
||||
$progress = 1;
|
||||
} elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
|
||||
#
|
||||
# This case requires a new rule merging algorithm. Ignore this chain from
|
||||
# This case requires a new rule merging algorithm. Ignore this chain for
|
||||
# now on.
|
||||
#
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE;
|
||||
@@ -3493,7 +3486,7 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Replace references to this chain with the target and add the matches
|
||||
#
|
||||
$progress = 1 if replace_references1( $chainref, $firstrule );
|
||||
$progress = 1 if replace_references1 $chainref, $firstrule;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -3539,7 +3532,7 @@ sub optimize_level4( $$ ) {
|
||||
#empty builtin chain -- change it's policy
|
||||
#
|
||||
$chainref->{policy} = $target;
|
||||
trace( $chainref, 'P', undef, $target ) if $debug;
|
||||
trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
|
||||
$count++;
|
||||
}
|
||||
|
||||
@@ -3693,12 +3686,7 @@ sub optimize_level8( $$$ ) {
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
$progress = 1;
|
||||
replace_references( $chainref1,
|
||||
$chainref->{name},
|
||||
undef, # Target Opts
|
||||
'', # Comment
|
||||
'', # Origin
|
||||
1 ); # Recalculate digests of modified chains
|
||||
replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
|
||||
|
||||
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
||||
#
|
||||
@@ -4024,7 +4012,7 @@ sub delete_duplicates {
|
||||
my $docheck;
|
||||
my $duplicate = 0;
|
||||
|
||||
if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
|
||||
if ( $baseref->{mode} == CAT_MODE ) {
|
||||
my $ports1;
|
||||
my @keys1 = sort( grep ! $skip{$_}, keys( %$baseref ) );
|
||||
my $rulenum = @_;
|
||||
@@ -5232,8 +5220,6 @@ sub do_user( $ ) {
|
||||
|
||||
if ( supplied $2 ) {
|
||||
$user = $2;
|
||||
$user =~ s/:$//;
|
||||
|
||||
if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
|
||||
if ( supplied $2 ) {
|
||||
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
|
||||
@@ -8589,7 +8575,7 @@ sub create_netfilter_load( $ ) {
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
unless ( $test ) {
|
||||
emit_unindented '#';
|
||||
@@ -8697,7 +8683,7 @@ sub preview_netfilter_load() {
|
||||
|
||||
enter_cat_mode1;
|
||||
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
@@ -8933,7 +8919,7 @@ sub create_stop_load( $ ) {
|
||||
enter_cat_mode;
|
||||
|
||||
unless ( $test ) {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
emit_unindented '#';
|
||||
emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
|
||||
emit_unindented '#';
|
||||
|
||||
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
|
||||
#
|
||||
# First stage of script generation.
|
||||
#
|
||||
# Copy lib.runtime and lib.common to the generated script.
|
||||
# Copy lib.core and lib.common to the generated script.
|
||||
# Generate the various user-exit jacket functions.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
|
||||
if ( $test ) {
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
|
||||
} else {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||
|
||||
copy $globals{SHAREDIRPL} . '/lib.runtime', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
|
||||
copy $globals{SHAREDIRPL} . '/lib.core', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -596,21 +596,6 @@ EOF
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Generate info_command()
|
||||
#
|
||||
sub compile_info_command() {
|
||||
my $date = compiletime;
|
||||
|
||||
emit( "\n",
|
||||
"#",
|
||||
"# Echo the date and time when this script was compiled along with the Shorewall version",
|
||||
"#",
|
||||
"info_command() {" ,
|
||||
qq( echo "compiled $date by Shorewall version $globals{VERSION}") ,
|
||||
"}\n" );
|
||||
}
|
||||
|
||||
#
|
||||
# The Compiler.
|
||||
#
|
||||
@@ -937,10 +922,6 @@ sub compiler {
|
||||
#
|
||||
compile_updown;
|
||||
#
|
||||
# Echo the compilation time and date
|
||||
#
|
||||
compile_info_command unless $test;
|
||||
#
|
||||
# Copy the footer to the script
|
||||
#
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
||||
|
||||
@@ -84,8 +84,6 @@ our @EXPORT = qw(
|
||||
require_capability
|
||||
report_used_capabilities
|
||||
kernel_version
|
||||
|
||||
compiletime
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
|
||||
@@ -165,7 +163,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
directive_callback
|
||||
add_ipset
|
||||
all_ipsets
|
||||
transfer_permissions
|
||||
|
||||
$product
|
||||
$Product
|
||||
@@ -577,7 +574,6 @@ our $max_format; # Max format value
|
||||
our $comment; # Current COMMENT
|
||||
our $comments_allowed; # True if [?]COMMENT is allowed in the current file
|
||||
our $nocomment; # When true, ignore [?]COMMENT in the current file
|
||||
our $sr_comment; # When true, $comment should only be applied to the current rule
|
||||
our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
|
||||
our $checkinline; # The -i option to check/compile/etc.
|
||||
our $directive_callback; # Function to call in compiler_directive
|
||||
@@ -685,8 +681,6 @@ our %ipsets; # All required IPsets
|
||||
#
|
||||
our %filecache;
|
||||
|
||||
our $compiletime;
|
||||
|
||||
sub process_shorewallrc($$);
|
||||
sub add_variables( \% );
|
||||
#
|
||||
@@ -732,7 +726,6 @@ sub initialize( $;$$) {
|
||||
# Contents of last COMMENT line.
|
||||
#
|
||||
$comment = '';
|
||||
$sr_comment = '';
|
||||
$warningcount = 0;
|
||||
#
|
||||
# Misc Globals
|
||||
@@ -744,7 +737,7 @@ sub initialize( $;$$) {
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
VERSION => "5.0.9-Beta2",
|
||||
VERSION => "5.0.1",
|
||||
CAPVERSION => 50004 ,
|
||||
BLACKLIST_LOG_TAG => '',
|
||||
RELATED_LOG_TAG => '',
|
||||
@@ -896,7 +889,6 @@ sub initialize( $;$$) {
|
||||
DOCKER => undef ,
|
||||
PAGER => undef ,
|
||||
MINIUPNPD => undef ,
|
||||
VERBOSE_MESSAGES => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -1179,12 +1171,6 @@ sub initialize( $;$$) {
|
||||
%shorewallrc1 = %shorewallrc unless $shorewallrc1;
|
||||
|
||||
add_variables %shorewallrc1;
|
||||
|
||||
$compiletime = `date`;
|
||||
|
||||
chomp $compiletime;
|
||||
|
||||
$compiletime =~ s/ +/ /g;
|
||||
}
|
||||
|
||||
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
||||
@@ -1197,10 +1183,6 @@ sub all_ipsets() {
|
||||
sort keys %ipsets;
|
||||
}
|
||||
|
||||
sub compiletime() {
|
||||
$compiletime;
|
||||
}
|
||||
|
||||
#
|
||||
# Create 'currentlineinfo'
|
||||
#
|
||||
@@ -2158,47 +2140,6 @@ sub split_list3( $$ ) {
|
||||
@list2;
|
||||
}
|
||||
|
||||
#
|
||||
# This version spits a list on white-space with optional leading comma. It prevents double-quoted
|
||||
# strings from being split.
|
||||
#
|
||||
sub split_list4( $ ) {
|
||||
my ($list ) = @_;
|
||||
my @list1 = split( /,?\s+/, $list );
|
||||
my @list2;
|
||||
my $element = '';
|
||||
my $opencount = 0;
|
||||
|
||||
return @list1 unless $list =~ /"/;
|
||||
|
||||
@list1 = split( /(,?\s+)/, $list );
|
||||
|
||||
for ( my $i = 0; $i < @list1; $i += 2 ) {
|
||||
my $e = $list1[$i];
|
||||
|
||||
if ( $e =~ /[^\\]"/ ) {
|
||||
if ( $e =~ /[^\\]".*[^\\]"/ ) {
|
||||
fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
|
||||
push @list2, $e;
|
||||
} elsif ( $element ne '' ) {
|
||||
fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
|
||||
push @list2, join( $list1[$i - 1], $element, $e );
|
||||
$element = '';
|
||||
} else {
|
||||
$element = $e;
|
||||
}
|
||||
} elsif ( $element ne '' ) {
|
||||
$element = join( $list1[$i - 1], $element, $e );
|
||||
} else {
|
||||
push @list2, $e;
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Mismatched_quotes ($list)" if $element ne '';
|
||||
|
||||
@list2;
|
||||
}
|
||||
|
||||
#
|
||||
# Splits the columns of a config file record
|
||||
#
|
||||
@@ -2268,8 +2209,6 @@ sub passed( $ ) {
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
sub clear_comment();
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
|
||||
@@ -2293,8 +2232,6 @@ sub split_line2( $$;$$$ ) {
|
||||
}
|
||||
|
||||
$inline_matches = '';
|
||||
|
||||
clear_comment if $sr_comment;
|
||||
#
|
||||
# First, see if there are double semicolons on the line; what follows will be raw iptables input
|
||||
#
|
||||
@@ -2401,37 +2338,18 @@ sub split_line2( $$;$$$ ) {
|
||||
$pairs =~ s/^\s*//;
|
||||
$pairs =~ s/\s*$//;
|
||||
|
||||
my @pairs = split_list4( $pairs );
|
||||
my @pairs = split( /,?\s+/, $pairs );
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
|
||||
my ( $column, $value ) = ( lc( $1 ), $2 );
|
||||
|
||||
if ( $value =~ /"$/ ) {
|
||||
fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
|
||||
$value = $1;
|
||||
}
|
||||
|
||||
if ( $column eq 'comment' ) {
|
||||
if ( $comments_allowed ) {
|
||||
if ( have_capability( 'COMMENTS' ) ) {
|
||||
$comment = $value;
|
||||
$sr_comment = 1;
|
||||
} else {
|
||||
warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
|
||||
}
|
||||
} else {
|
||||
fatal_error '"comment" is not allowed in this file';
|
||||
}
|
||||
} else {
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
$value = $1 if $value =~ /^"([^"]+)"$/;
|
||||
$value =~ s/\\"/"/g;
|
||||
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
|
||||
$line[$column] = $value;
|
||||
}
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
$value = $1 if $value =~ /^"([^"]+)"$/;
|
||||
fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
|
||||
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
|
||||
$line[$column] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2461,7 +2379,6 @@ sub no_comment() {
|
||||
sub clear_comment() {
|
||||
$comment = '';
|
||||
$nocomment = 0;
|
||||
$sr_comment = '';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2557,8 +2474,7 @@ sub push_include() {
|
||||
$max_format,
|
||||
$comment,
|
||||
$nocomment,
|
||||
$section_function,
|
||||
$sr_comment ];
|
||||
$section_function ];
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2582,8 +2498,7 @@ sub pop_include() {
|
||||
$max_format,
|
||||
$comment,
|
||||
$nocomment,
|
||||
$section_function,
|
||||
$sr_comment ) = @$arrayref;
|
||||
$section_function ) = @$arrayref;
|
||||
} else {
|
||||
$currentfile = undef;
|
||||
$currentlinenumber = 'EOF';
|
||||
@@ -2628,54 +2543,18 @@ sub directive_error( $$$ ) {
|
||||
fatal_error $_[0];
|
||||
}
|
||||
|
||||
sub directive_warning( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " WARNING: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " WARNING: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
sub directive_warning( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
sub directive_info( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " INFO: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " INFO: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
sub directive_info( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2824,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
|
||||
print "CD===> $line\n" if $debug;
|
||||
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
|
||||
|
||||
my ($keyword, $expression) = ( uc $1, $2 );
|
||||
|
||||
@@ -2932,14 +2811,14 @@ sub process_compiler_directive( $$$$ ) {
|
||||
delete $actparams{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
|
||||
} else {
|
||||
if ( exists $variables{$2} ) {
|
||||
delete $variables{$2};
|
||||
} else {
|
||||
directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2952,9 +2831,8 @@ sub process_compiler_directive( $$$$ ) {
|
||||
if ( have_capability( 'COMMENTS' ) ) {
|
||||
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
|
||||
$comment =~ s/\s*$//;
|
||||
$sr_comment = '';
|
||||
} else {
|
||||
directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -2973,8 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
WARNING => sub() {
|
||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
directive_warning( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -2983,28 +2860,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
INFO => sub() {
|
||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'WARNING!' => sub() {
|
||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'INFO!' => sub() {
|
||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
directive_info( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -3306,7 +3162,6 @@ sub push_open( $;$$$$ ) {
|
||||
push @openstack, \@a;
|
||||
@includestack = ();
|
||||
$currentfile = undef;
|
||||
$sr_comment = '';
|
||||
open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
|
||||
}
|
||||
|
||||
@@ -3966,10 +3821,9 @@ my %logoptions = ( tcp_sequence => '--log-tcp-sequence',
|
||||
|
||||
sub validate_level( $;$ ) {
|
||||
my ( $rawlevel, $option ) = @_;
|
||||
my $level;
|
||||
my $level = uc $rawlevel;
|
||||
|
||||
if ( supplied ( $rawlevel ) ) {
|
||||
$level = uc $rawlevel;
|
||||
if ( supplied ( $level ) ) {
|
||||
$level =~ s/!$//;
|
||||
my $value = $level;
|
||||
my $qualifier;
|
||||
@@ -5161,19 +5015,6 @@ sub update_default($$) {
|
||||
$config{$var} = $val unless defined $config{$var};
|
||||
}
|
||||
|
||||
#
|
||||
# Transfer the permissions from an old .bak file to a newly-created file
|
||||
#
|
||||
sub transfer_permissions( $$ ) {
|
||||
my ( $old, $new ) = @_;
|
||||
|
||||
my @stat = stat $old;
|
||||
|
||||
if ( @stat ) {
|
||||
fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
|
||||
}
|
||||
}
|
||||
|
||||
sub update_config_file( $ ) {
|
||||
my ( $annotate ) = @_;
|
||||
|
||||
@@ -5323,7 +5164,6 @@ EOF
|
||||
|
||||
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||
transfer_permissions( "$configfile.bak", $configfile );
|
||||
} else {
|
||||
if ( rename "$configfile.bak", $configfile ) {
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
||||
@@ -5838,24 +5678,6 @@ sub get_configuration( $$$$ ) {
|
||||
$ENV{PATH} = $default_path;
|
||||
}
|
||||
|
||||
fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
|
||||
|
||||
fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
|
||||
|
||||
close_file;
|
||||
|
||||
warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||
|
||||
if ( $family == F_IPV6 ) {
|
||||
open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
|
||||
|
||||
fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
|
||||
|
||||
close_file;
|
||||
|
||||
warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||
}
|
||||
|
||||
my $have_capabilities;
|
||||
|
||||
if ( $export || $> != 0 ) {
|
||||
@@ -6271,10 +6093,8 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
|
||||
}
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
}
|
||||
|
||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||
@@ -6289,7 +6109,6 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
|
||||
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
|
||||
default_yes_no 'MINIUPNPD' , '';
|
||||
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
|
||||
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
|
||||
|
||||
@@ -200,7 +200,6 @@ sub remove_blacklist( $ ) {
|
||||
if ( $changed ) {
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||
transfer_permissions( "$fn.bak", $fn );
|
||||
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||
}
|
||||
}
|
||||
@@ -303,13 +302,12 @@ sub convert_blacklist() {
|
||||
if ( @rules ) {
|
||||
my $fn1 = find_writable_file( 'blrules' );
|
||||
my $blrules;
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $blrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5.0 - Blacklist Rules File
|
||||
@@ -395,7 +393,7 @@ sub convert_routestopped() {
|
||||
my ( @allhosts, %source, %dest , %notrack, @rule );
|
||||
|
||||
my $seq = 0;
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
|
||||
my ( $stoppedrules, $fn1 );
|
||||
|
||||
@@ -403,7 +401,6 @@ sub convert_routestopped() {
|
||||
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $stoppedrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5 - Stopped Rules File
|
||||
@@ -424,7 +421,7 @@ EOF
|
||||
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "$doing $fn...";
|
||||
print( $stoppedrules
|
||||
"#\n" ,
|
||||
@@ -652,15 +649,9 @@ sub create_docker_rules() {
|
||||
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
|
||||
my $outputref;
|
||||
add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $outputref );
|
||||
add_ijump( $outputref, j => 'DOCKER' );
|
||||
decr_cmd_level( $outputref );
|
||||
add_commands( $outputref, 'fi' );
|
||||
}
|
||||
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
|
||||
@@ -869,30 +860,13 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
|
||||
|
||||
my ( $in, $out ) = split /:/, $setting;
|
||||
|
||||
if ( $in == 1 ) {
|
||||
#
|
||||
# src
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
} elsif ( $in == 2 ) {
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
|
||||
if ( $out == 2 ) {
|
||||
#
|
||||
# dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -686,7 +686,6 @@ sub process_a_provider( $ ) {
|
||||
interface => $interface ,
|
||||
physical => $physical ,
|
||||
optional => $optional ,
|
||||
wildcard => $interfaceref->{wildcard} || 0,
|
||||
gateway => $gateway ,
|
||||
gatewaycase => $gatewaycase ,
|
||||
shared => $shared ,
|
||||
@@ -2114,31 +2113,9 @@ sub provider_realm( $ ) {
|
||||
#
|
||||
sub handle_optional_interfaces( $ ) {
|
||||
|
||||
my @interfaces;
|
||||
my $wildcards;
|
||||
my ( $interfaces, $wildcards ) = find_interfaces_by_option1 'optional';
|
||||
|
||||
#
|
||||
# First do the provider interfacess. Those that are real providers will never have wildcard physical
|
||||
# names but they might derive from wildcard interface entries. Optional interfaces which do not have
|
||||
# wildcard physical names are also included in the providers table.
|
||||
#
|
||||
for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
|
||||
push @interfaces, $providerref->{interface};
|
||||
$wildcards ||= $providerref->{wildcard};
|
||||
}
|
||||
|
||||
#
|
||||
# Now do the optional wild interfaces
|
||||
#
|
||||
for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
|
||||
push@interfaces, $interface;
|
||||
unless ( $wildcards ) {
|
||||
my $interfaceref = find_interface($interface);
|
||||
$wildcards = 1 if $interfaceref->{wildcard};
|
||||
}
|
||||
}
|
||||
|
||||
if ( @interfaces ) {
|
||||
if ( @$interfaces ) {
|
||||
my $require = $config{REQUIRE_INTERFACE};
|
||||
my $gencase = shift;
|
||||
|
||||
@@ -2149,7 +2126,7 @@ sub handle_optional_interfaces( $ ) {
|
||||
#
|
||||
# Clear the '_IS_USABLE' variables
|
||||
#
|
||||
emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
|
||||
emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
|
||||
|
||||
if ( $wildcards ) {
|
||||
#
|
||||
@@ -2166,76 +2143,74 @@ sub handle_optional_interfaces( $ ) {
|
||||
emit '';
|
||||
}
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
if ( my $provider = $provider_interfaces{ $interface } ) {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $providerref = $providers{$provider};
|
||||
my $interfaceref = known_interface( $interface );
|
||||
my $wildbase = uc $interfaceref->{base};
|
||||
for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
|
||||
my $provider = $provider_interfaces{$interface};
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $providerref = $providers{$provider};
|
||||
|
||||
emit( "$physical)" ), push_indent if $wildcards;
|
||||
emit( "$physical)" ), push_indent if $wildcards;
|
||||
|
||||
if ( $provider eq $physical ) {
|
||||
#
|
||||
# Just an optional interface, or provider and interface are the same
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
} else {
|
||||
#
|
||||
# Provider
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
}
|
||||
|
||||
push_indent;
|
||||
if ( $providerref->{gatewaycase} eq 'detect' ) {
|
||||
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
|
||||
} else {
|
||||
emit qq(if interface_is_usable $physical; then);
|
||||
}
|
||||
|
||||
emit( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
|
||||
emit( " SW_${base}_IS_USABLE=Yes" );
|
||||
emit( " SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
|
||||
emit( 'fi' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( "fi\n" );
|
||||
|
||||
emit( ';;' ), pop_indent if $wildcards;
|
||||
if ( $provider eq $physical ) {
|
||||
#
|
||||
# Just an optional interface, or provider and interface are the same
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
} else {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $case = $physical;
|
||||
my $wild = $case =~ s/\+$/*/;
|
||||
#
|
||||
# Provider
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
}
|
||||
|
||||
if ( $wildcards ) {
|
||||
emit( "$case)" );
|
||||
push_indent;
|
||||
if ( $providerref->{gatewaycase} eq 'detect' ) {
|
||||
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
|
||||
} else {
|
||||
emit qq(if interface_is_usable $physical; then);
|
||||
}
|
||||
|
||||
emit( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
|
||||
emit( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( "fi\n" );
|
||||
|
||||
emit( ';;' ), pop_indent if $wildcards;
|
||||
}
|
||||
|
||||
for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $case = $physical;
|
||||
my $wild = $case =~ s/\+$/*/;
|
||||
|
||||
if ( $wildcards ) {
|
||||
emit( "$case)" );
|
||||
push_indent;
|
||||
|
||||
if ( $wild ) {
|
||||
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
|
||||
if ( $wild ) {
|
||||
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
emit ( 'if interface_is_usable $interface; then' );
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
emit ( 'if interface_is_usable $interface; then' );
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
|
||||
emit ( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
emit ( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
emit ( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
emit ( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
|
||||
if ( $wildcards ) {
|
||||
pop_indent, emit( 'fi' ) if $wild;
|
||||
emit( ';;' );
|
||||
pop_indent;
|
||||
}
|
||||
if ( $wildcards ) {
|
||||
pop_indent, emit( 'fi' ) if $wild;
|
||||
emit( ';;' );
|
||||
pop_indent;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -368,19 +368,12 @@ sub setup_conntrack($) {
|
||||
if ( $convert ) {
|
||||
my $conntrack;
|
||||
my $empty = 1;
|
||||
my $date = compiletime;
|
||||
my $fn1 = find_writable_file 'conntrack';
|
||||
my $date = localtime;
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
if ( $fn ) {
|
||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
} else {
|
||||
open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
#
|
||||
# Transfer permissions from the existing notrack file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
|
||||
print $conntrack <<'EOF';
|
||||
#
|
||||
@@ -403,6 +396,8 @@ EOF
|
||||
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||
"#\n" );
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
while ( read_a_line( PLAIN_READ ) ) {
|
||||
#
|
||||
# Don't copy the header comments from the old notrack file
|
||||
|
||||
@@ -295,7 +295,7 @@ our %validstates = ( NEW => 0,
|
||||
# known until the compiler has started.
|
||||
#
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize the state of its dependent modules.
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
@@ -345,11 +345,11 @@ sub initialize( $ ) {
|
||||
#
|
||||
$macro_nest_level = 0;
|
||||
#
|
||||
# All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
|
||||
# All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
|
||||
#
|
||||
%actions = ();
|
||||
#
|
||||
# Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
|
||||
# Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
|
||||
#
|
||||
%usedactions = ();
|
||||
|
||||
@@ -628,20 +628,29 @@ sub handle_nfqueue( $$ ) {
|
||||
#
|
||||
# Process an entry in the policy file.
|
||||
#
|
||||
sub process_a_policy1($$$$$$$) {
|
||||
sub process_a_policy() {
|
||||
|
||||
our %validpolicies;
|
||||
our @zonelist;
|
||||
|
||||
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
|
||||
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
|
||||
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
|
||||
|
||||
$loglevel = '' if $loglevel eq '-';
|
||||
$synparams = '' if $synparams eq '-';
|
||||
$connlimit = '' if $connlimit eq '-';
|
||||
|
||||
fatal_error 'SOURCE must be specified' if $client eq '-';
|
||||
fatal_error 'DEST must be specified' if $server eq '-';
|
||||
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
|
||||
|
||||
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
|
||||
$intrazone = $clientwild && $1;
|
||||
my $intrazone = $clientwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
|
||||
|
||||
my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
|
||||
$intrazone ||= ( $serverwild && $1 );
|
||||
$intrazone ||= $serverwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
|
||||
|
||||
@@ -749,40 +758,6 @@ sub process_a_policy1($$$$$$$) {
|
||||
}
|
||||
}
|
||||
|
||||
sub process_a_policy() {
|
||||
|
||||
our %validpolicies;
|
||||
our @zonelist;
|
||||
|
||||
my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
|
||||
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
|
||||
|
||||
$loglevel = '' if $loglevel eq '-';
|
||||
$synparams = '' if $synparams eq '-';
|
||||
$connlimit = '' if $connlimit eq '-';
|
||||
|
||||
my $intrazone;
|
||||
|
||||
if ( $intrazone = $clients =~ /.*,.*\+$/) {
|
||||
$clients =~ s/\+$//;
|
||||
}
|
||||
|
||||
if ( $servers =~ /.*,.*\+$/ ) {
|
||||
$servers =~ s/\+$//;
|
||||
$intrazone = 1;
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE must be specified' if $clients eq '-';
|
||||
fatal_error 'DEST must be specified' if $servers eq '-';
|
||||
fatal_error 'POLICY must be specified' if $policy eq '-';
|
||||
|
||||
for my $client ( split_list( $clients, 'zone' ) ) {
|
||||
for my $server ( split_list( $servers, 'zone' ) ) {
|
||||
process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
|
||||
#
|
||||
@@ -1377,7 +1352,7 @@ sub new_action( $$$$$ ) {
|
||||
# Create and record a log action chain -- Log action chains have names
|
||||
# that are formed from the action name by prepending a "%" and appending
|
||||
# a 1- or 2-digit sequence number. In the functions that follow,
|
||||
# the $chain, $level and $tag variables serve as arguments to the user's
|
||||
# the $chain, $level and $tag variable serves as arguments to the user's
|
||||
# exit. We call the exit corresponding to the name of the action but we
|
||||
# set $chain to the name of the iptables chain where rules are to be added.
|
||||
# Similarly, $level and $tag contain the log level and log tag respectively.
|
||||
@@ -1558,7 +1533,7 @@ sub find_macro( $ )
|
||||
{
|
||||
my $macro = $_[0];
|
||||
|
||||
$macro =~ s/^macro\.//;
|
||||
$macro =~ s/^macro.//;
|
||||
|
||||
my $macrofile = find_file "macro.$macro";
|
||||
|
||||
@@ -2982,63 +2957,65 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
# And we need the dest zone for local/loopback/off-firewall/destonly checks
|
||||
#
|
||||
$destref = find_zone( $chainref->{destzone} ) if $chainref->{destzone};
|
||||
} elsif ( ! ( $actiontype & NATONLY ) ) {
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
if ( $destref->{type} & BPORT ) {
|
||||
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
|
||||
} else {
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
if ( $destref->{type} & BPORT ) {
|
||||
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
}
|
||||
}
|
||||
|
||||
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||
#
|
||||
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
|
||||
#
|
||||
( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
|
||||
$chainref->{destzone} = $destzone;
|
||||
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
fatal_error "Rules may not override a NONE policy";
|
||||
}
|
||||
}
|
||||
|
||||
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||
#
|
||||
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
|
||||
#
|
||||
( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
|
||||
$chainref->{destzone} = $destzone;
|
||||
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules may not override a NONE policy";
|
||||
}
|
||||
#
|
||||
# Handle Optimization level 1 when specified alone
|
||||
#
|
||||
if ( $optimize == 1 && $section == NEW_SECTION ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:${loglevel}";
|
||||
} else {
|
||||
return 0 if $basictarget eq $policy;
|
||||
#
|
||||
# Handle Optimization level 1 when specified alone
|
||||
#
|
||||
if ( $optimize == 1 && $section == NEW_SECTION ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:${loglevel}";
|
||||
} else {
|
||||
return 0 if $basictarget eq $policy;
|
||||
}
|
||||
}
|
||||
}
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
|
||||
#
|
||||
if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
|
||||
my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
|
||||
my $auxref = $filter_table->{$auxchain};
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
|
||||
#
|
||||
if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
|
||||
my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
|
||||
my $auxref = $filter_table->{$auxchain};
|
||||
|
||||
unless ( $auxref ) {
|
||||
my $save_comment = push_comment;
|
||||
$auxref = new_chain 'filter', $auxchain;
|
||||
$auxref->{blacklistsection} = 1 if $blacklist;
|
||||
unless ( $auxref ) {
|
||||
my $save_comment = push_comment;
|
||||
$auxref = new_chain 'filter', $auxchain;
|
||||
$auxref->{blacklistsection} = 1 if $blacklist;
|
||||
|
||||
add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
|
||||
pop_comment( $save_comment );
|
||||
add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
|
||||
pop_comment( $save_comment );
|
||||
}
|
||||
|
||||
$chain = $auxchain;
|
||||
$chainref = $auxref;
|
||||
}
|
||||
|
||||
$chain = $auxchain;
|
||||
$chainref = $auxref;
|
||||
}
|
||||
}
|
||||
#
|
||||
@@ -3056,7 +3033,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Handle actions
|
||||
#
|
||||
my $actionchain; # Name of the action chain
|
||||
my $actionchain; #Name of the action chain
|
||||
|
||||
if ( $actiontype & ACTION ) {
|
||||
#
|
||||
@@ -3585,7 +3562,7 @@ sub perl_action_tcp_helper($$) {
|
||||
sub process_section ($) {
|
||||
my $sect = shift;
|
||||
#
|
||||
# split_line2 has already verified that there are exactly two tokens on the line
|
||||
# split_line1 has already verified that there are exactly two tokens on the line
|
||||
#
|
||||
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
@@ -3729,7 +3706,7 @@ sub process_raw_rule ( ) {
|
||||
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
||||
|
||||
if ( @protos > 1 ) {
|
||||
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
|
||||
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
|
||||
}
|
||||
|
||||
for $source ( @source ) {
|
||||
@@ -4322,7 +4299,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
|
||||
DSCP => {
|
||||
defaultchain => POSTROUTING,
|
||||
defaultchain => 0,
|
||||
allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
|
||||
minparams => 1,
|
||||
maxparams => 1,
|
||||
@@ -4487,16 +4464,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
},
|
||||
|
||||
NFLOG => {
|
||||
defaultchain => 0,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 0,
|
||||
maxparams => 3,
|
||||
function => sub () {
|
||||
$target = validate_level( "NFLOG($params)" );
|
||||
}
|
||||
},
|
||||
|
||||
RESTORE => {
|
||||
defaultchain => 0,
|
||||
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
|
||||
@@ -4772,6 +4739,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
unless ( ( $chain || $default_chain ) == OUTPUT ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
if ( $dest ne '-' ) {
|
||||
if ( $dest eq $fw ) {
|
||||
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
|
||||
@@ -4814,7 +4785,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Call the command's processing function
|
||||
#
|
||||
@@ -4825,23 +4795,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $chain == ACTIONCHAIN ) {
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
|
||||
$chainref->{allowedchains} &= $commandref->{allowedchains};
|
||||
$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
|
||||
} else {
|
||||
#
|
||||
# Inline within one of the standard chains
|
||||
#
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$resolve_chain->();
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
|
||||
}
|
||||
|
||||
@@ -5007,13 +4966,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
$mark = $rest;
|
||||
} elsif ( supplied $2 ) {
|
||||
$mark = $2;
|
||||
if ( supplied $mark && $command eq 'IPMARK' ) {
|
||||
my @params = split ',', $mark;
|
||||
$params[1] = '0xff' unless supplied $params[1];
|
||||
$params[2] = '0x00' unless supplied $params[2];
|
||||
$params[3] = '0' unless supplied $params[3];
|
||||
$mark = join ',', @params;
|
||||
}
|
||||
} else {
|
||||
$mark = '';
|
||||
}
|
||||
@@ -5024,7 +4976,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
|
||||
$command = ( $command ? "$command($mark)" : $mark ) . $designator;
|
||||
my $line = ( $family == F_IPV6 ?
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
|
||||
|
||||
@@ -350,10 +350,9 @@ sub process_simple_device() {
|
||||
|
||||
for ( my $i = 1; $i <= 3; $i++ ) {
|
||||
my $prio = 16 | $i;
|
||||
my $j = $i + 3;
|
||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit '';
|
||||
}
|
||||
|
||||
@@ -2167,7 +2166,7 @@ sub convert_tos($$) {
|
||||
if ( my $fn = open_file 'tos' ) {
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "Converting $fn...";
|
||||
print( $mangle
|
||||
"#\n" ,
|
||||
@@ -2235,19 +2234,13 @@ sub convert_tos($$) {
|
||||
}
|
||||
}
|
||||
|
||||
sub open_mangle_for_output( $ ) {
|
||||
my ($fn ) = @_;
|
||||
sub open_mangle_for_output() {
|
||||
my ( $mangle, $fn1 );
|
||||
|
||||
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
|
||||
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
} else {
|
||||
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
#
|
||||
# Transfer permissions from the existing tcrules file to the new mangle file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
|
||||
print $mangle <<'EOF';
|
||||
#
|
||||
# Shorewall version 4 - Mangle File
|
||||
@@ -2333,13 +2326,13 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tcrules file to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
|
||||
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
|
||||
|
||||
first_entry(
|
||||
sub {
|
||||
my $date = compiletime;
|
||||
my $date = localtime;
|
||||
progress_message2 "Converting $fn...";
|
||||
print( $mangle
|
||||
"#\n" ,
|
||||
@@ -2383,7 +2376,7 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tosfile to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
convert_tos( $mangle, $fn1 );
|
||||
close $mangle;
|
||||
}
|
||||
|
||||
@@ -337,7 +337,6 @@ sub initialize( $$ ) {
|
||||
arp_ignore => ENUM_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
@@ -388,7 +387,6 @@ sub initialize( $$ ) {
|
||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
@@ -1193,7 +1191,6 @@ sub process_interface( $$ ) {
|
||||
my %options;
|
||||
|
||||
$options{port} = 1 if $port;
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
|
||||
my $hostoptionsref = {};
|
||||
|
||||
@@ -1237,8 +1234,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} elsif ( $option eq 'nodbl' ) {
|
||||
$options{dbl} = '0:0';
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
@@ -1261,11 +1256,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
$options{arp_ignore} = 1;
|
||||
}
|
||||
} elsif ( $option eq 'dbl' ) {
|
||||
my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
|
||||
|
||||
fatal_error q(The 'dbl' option requires a value) unless defined $value;
|
||||
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
|
||||
} else {
|
||||
assert( 0 );
|
||||
}
|
||||
@@ -1587,7 +1577,7 @@ sub known_interface($)
|
||||
name => $i ,
|
||||
number => $interfaceref->{number} ,
|
||||
physical => $physical ,
|
||||
base => $interfaceref->{base} ,
|
||||
base => var_base( $physical ) ,
|
||||
wildcard => $interfaceref->{wildcard} ,
|
||||
zones => $interfaceref->{zones} ,
|
||||
};
|
||||
@@ -1916,7 +1906,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
my $returnvalue = 0;
|
||||
|
||||
my $interfaces = find_interfaces_by_option( 'wait');
|
||||
my $interfaces = find_interfaces_by_option 'wait';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
my $first = 1;
|
||||
@@ -1982,7 +1972,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
}
|
||||
|
||||
$interfaces = find_interfaces_by_option( 'required' );
|
||||
$interfaces = find_interfaces_by_option 'required';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
|
||||
@@ -2170,7 +2160,7 @@ sub process_host( ) {
|
||||
#
|
||||
$interface = '%vserver%' if $type & VSERVER;
|
||||
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
|
||||
|
||||
progress_message " Host \"$currentline\" validated";
|
||||
|
||||
|
||||
@@ -41,7 +41,10 @@
|
||||
# --shorewallrc1=<path> # Path to export shorewallrc file.
|
||||
# --config_path=<path-list> # Search path for config files
|
||||
# --inline # Update alternative column specifications
|
||||
# --update # Update configuration to current release
|
||||
# --update # Update configuration to this release
|
||||
# --tcrules # Create mangle from tcrules
|
||||
# --routestopped # Create stoppedrules from routestopped
|
||||
# --notrack # Create conntrack from notrack
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
# generated this program
|
||||
#
|
||||
################################################################################
|
||||
# Functions imported from /usr/share/shorewall/lib.runtime
|
||||
# Functions imported from /usr/share/shorewall/lib.core
|
||||
################################################################################
|
||||
# Address family-neutral Functions
|
||||
################################################################################
|
||||
@@ -25,7 +25,6 @@ usage() {
|
||||
echo " savesets <file>"
|
||||
echo " call <function> [ <parameter> ... ]"
|
||||
echo " version"
|
||||
echo " info"
|
||||
echo
|
||||
echo "Options are:"
|
||||
echo
|
||||
@@ -470,10 +469,6 @@ case "$COMMAND" in
|
||||
echo $SHOREWALL_VERSION
|
||||
status=0
|
||||
;;
|
||||
info)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
info_command
|
||||
;;
|
||||
help)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
usage 0
|
||||
|
||||
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -250,8 +250,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall
|
||||
@@ -97,11 +97,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
@@ -146,7 +145,7 @@ case "$1" in
|
||||
restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
force-reload|reload)
|
||||
force0reload|reload)
|
||||
shorewall_reload
|
||||
;;
|
||||
status)
|
||||
|
||||
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
||||
fi
|
||||
|
||||
run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
|
||||
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||
fi
|
||||
|
||||
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
||||
|
||||
@@ -493,13 +493,13 @@ compiler() {
|
||||
|
||||
case "$g_doing" in
|
||||
Compiling|Checking)
|
||||
progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||
progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
Updating)
|
||||
progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
|
||||
;;
|
||||
*)
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
esac
|
||||
#
|
||||
@@ -604,7 +604,7 @@ start_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -620,8 +620,7 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
|
||||
[ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -635,7 +634,7 @@ start_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -664,6 +663,8 @@ compile_command() {
|
||||
shift
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
e*)
|
||||
@@ -700,7 +701,7 @@ compile_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -722,7 +723,7 @@ compile_command() {
|
||||
[ -d "$g_file" ] && fatal_error "$g_file is a directory"
|
||||
;;
|
||||
2)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -736,7 +737,7 @@ compile_command() {
|
||||
g_file=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -790,7 +791,7 @@ check_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -806,7 +807,7 @@ check_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -819,7 +820,7 @@ check_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -882,7 +883,7 @@ update_command() {
|
||||
option=${option#A}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -898,7 +899,7 @@ update_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -911,7 +912,7 @@ update_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -976,7 +977,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -992,7 +993,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1007,7 +1008,7 @@ restart_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1085,7 +1086,7 @@ refresh_command() {
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1168,7 +1169,7 @@ safe_commands() {
|
||||
shift;
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1184,7 +1185,7 @@ safe_commands() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1197,7 +1198,7 @@ safe_commands() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $2
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1285,7 +1286,7 @@ try_command() {
|
||||
timeout=
|
||||
|
||||
handle_directory() {
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1315,7 +1316,7 @@ try_command() {
|
||||
option=${option#n}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1329,7 +1330,7 @@ try_command() {
|
||||
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
usage 1
|
||||
;;
|
||||
1)
|
||||
handle_directory $1
|
||||
@@ -1340,7 +1341,7 @@ try_command() {
|
||||
timeout=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1479,7 +1480,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
option_error $option
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1492,9 +1493,6 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
g_shorewalldir="."
|
||||
system=$1
|
||||
@@ -1504,7 +1502,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
system=$2
|
||||
;;
|
||||
*)
|
||||
too_many_arguments $3
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1744,7 +1742,7 @@ compiler_command() {
|
||||
safe_commands $@
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
@@ -306,72 +306,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The normal setting for this option will be <emphasis
|
||||
role="bold">dst</emphasis> or <emphasis
|
||||
role="bold">none</emphasis> for internal interfaces and
|
||||
<emphasis role="bold">src</emphasis> or <emphasis
|
||||
role="bold">src-dst</emphasis> for Internet-facing
|
||||
interfaces.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -414,7 +348,7 @@ loc eth2 -</programlisting>
|
||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
firewall/bridging</ulink>, then you need to include
|
||||
DHCP-specific rules in <ulink
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
DHCP uses UDP ports 67 and 68.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@@ -446,7 +380,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -517,8 +451,8 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||
@@ -559,10 +493,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -355,8 +355,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
EF => 0x2e</programlisting>
|
||||
|
||||
<para>To indicate more than one class, add their hex values
|
||||
together and specify the result. By default, DSCP rules are
|
||||
placed in the POSTROUTING chain.</para>
|
||||
together and specify the result.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -599,36 +598,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>This file determines what to do with a new connection request if
|
||||
we don't get a match from the /etc/shorewall/rules file . For each
|
||||
source/destination pair, the file is processed in order until a match is
|
||||
found ("all" will match any source or destination).</para>
|
||||
found ("all" will match any client or server).</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
@@ -61,7 +61,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -74,18 +74,12 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -101,12 +95,6 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -595,32 +595,9 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro body and the invocation of that
|
||||
|
||||
@@ -307,9 +307,6 @@
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
|
||||
<para>Note that the routestopped file is not supported in
|
||||
Shorewall 5.0 and later versions.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -484,8 +481,8 @@
|
||||
|
||||
<para>ALL sends all packets through the blacklist chains.</para>
|
||||
|
||||
<para>Note: The ESTABLISHED state may not be specified if
|
||||
FASTACCEPT=Yes is specified.</para>
|
||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
||||
is specified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -580,14 +577,13 @@
|
||||
<listitem>
|
||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||
then Shorewall won't clear the current traffic control rules during
|
||||
[<command>re</command>]<command>start</command> or
|
||||
<command>reload</command>. This setting is intended for use by
|
||||
people who prefer to configure traffic shaping when the network
|
||||
interfaces come up rather than when the firewall is started. If that
|
||||
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||
not supply an /etc/shorewall/tcstart file. That way, your traffic
|
||||
shaping rules can still use the “fwmark” classifier based on packet
|
||||
marking defined in <ulink
|
||||
[re]start. This setting is intended for use by people who prefer to
|
||||
configure traffic shaping when the network interfaces come up rather
|
||||
than when the firewall is started. If that is what you want to do,
|
||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||
If not specified, CLEAR_TC=Yes is assumed.</para>
|
||||
</listitem>
|
||||
@@ -681,8 +677,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>If set to Yes (the default value), entries in the
|
||||
/etc/shorewall/rtrules files cause an 'ip rule del' command to be
|
||||
generated in addition to an 'ip rule add' command. Setting this
|
||||
/etc/shorewall/route_stopped files cause an 'ip rule del' command to
|
||||
be generated in addition to an 'ip rule add' command. Setting this
|
||||
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -833,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
helpers file from the administrative system into the script. When
|
||||
set to No or not specified, the compiler will not copy the modules
|
||||
or helpers file from <filename>/usr/share/shorewall</filename> but
|
||||
will copy those found in another location on the CONFIG_PATH.</para>
|
||||
will copy the found in another location on the CONFIG_PATH.</para>
|
||||
|
||||
<para>When compiling for direct use by Shorewall, causes the
|
||||
contents of the local module or helpers file to be copied into the
|
||||
@@ -867,7 +863,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
||||
cleared the packet mark in the first rule in the mangle FORWARD
|
||||
chain. This behavior is maintained with the default setting of this
|
||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||
@@ -1358,7 +1354,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall program where to look
|
||||
@@ -1368,10 +1364,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. For further information, see <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2198,18 +2191,18 @@ LOG:info:,bar net fw</programlisting>
|
||||
#TARGET SOURCE DEST PROTO
|
||||
Broadcast(DROP) - - -
|
||||
DROP - - 2
|
||||
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
||||
?if __ENHANCED_REJECT
|
||||
INLINE - - 17 ;; -j REJECT
|
||||
INLINE - - 17 ; -j REJECT
|
||||
?if __IPV4
|
||||
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
||||
?else
|
||||
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
?endif
|
||||
?else
|
||||
INLINE - - - ;; -j REJECT
|
||||
INLINE - - - ; -j REJECT
|
||||
?endif</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -2279,7 +2272,7 @@ INLINE - - - ;; -j REJECT
|
||||
restored unconditionally at the top of the mangle OUTPUT and
|
||||
PREROUTING chains, even if the saved mark is zero. When this option
|
||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||
even when it is zero. If you have problems with IPSEC ESP packets
|
||||
not being routed correctly on output, try setting this option to
|
||||
<emphasis role="bold">No</emphasis>.</para>
|
||||
</listitem>
|
||||
@@ -2455,9 +2448,10 @@ INLINE - - - ;; -j REJECT
|
||||
|
||||
<listitem>
|
||||
<para>This option is used to specify the shell program to be used to
|
||||
interpret the compiled script. If not specified or specified as a
|
||||
null value, /bin/sh is assumed. Using a light-weight shell such as
|
||||
ash or dash can significantly improve performance.</para>
|
||||
run the Shorewall compiler and to interpret the compiled script. If
|
||||
not specified or specified as a null value, /bin/sh is assumed.
|
||||
Using a light-weight shell such as ash or dash can significantly
|
||||
improve performance.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2514,7 +2508,7 @@ INLINE - - - ;; -j REJECT
|
||||
role="bold">refresh</emphasis>, <emphasis
|
||||
role="bold">try</emphasis>, and <emphasis
|
||||
role="bold">safe-</emphasis>* command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above.</para>
|
||||
determined by the setting of LOG_VERBOSITY above. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2870,20 +2864,6 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -964,9 +964,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
|
||||
rm -rf ${SHAREDIR}/shorewall/Samples/
|
||||
rm -rf ${SHAREDIR}/shorewall/Shorewall/
|
||||
rm -f ${SHAREDIR}/shorewall/lib.cli-std
|
||||
rm -f ${SHAREDIR}/shorewall/lib.runtime
|
||||
rm -f ${SHAREDIR}/shorewall/lib.core
|
||||
rm -f ${SHAREDIR}/shorewall/compiler.pl
|
||||
rm -f ${SHAREDIR}/shorewall/prog.*
|
||||
rm -f ${SHAREDIR}/shorewall/module*
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6-lite
|
||||
@@ -92,11 +92,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -679,9 +679,7 @@
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
blacklisted by a <command>drop</command>,
|
||||
<command>logdrop</command>, <command>reject</command>, or
|
||||
<command>logreject</command> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
<command>logreject</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -214,8 +214,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6
|
||||
@@ -97,11 +97,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -83,7 +83,7 @@ case "$command" in
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
|
||||
;;
|
||||
status|stop)
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
|
||||
exec ${SBINDIR}/shorewall6 $OPTIONS $command
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
|
||||
@@ -237,66 +237,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked against the
|
||||
ipset).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -381,7 +321,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -430,10 +370,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -356,8 +356,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
EF => 0x2e</programlisting>
|
||||
|
||||
<para>To indicate more than one class, add their hex values
|
||||
together and specify the result. By default, DSCP rules are
|
||||
placed in the POSTROUTING chain.</para>
|
||||
together and specify the result.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -610,36 +609,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>This file determines what to do with a new connection request if
|
||||
we don't get a match from the /etc/shorewall6/rules file . For each
|
||||
source/destination pair, the file is processed in order until a match is
|
||||
found ("all" will match any source or destination).</para>
|
||||
found ("all" will match any client or server).</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
@@ -61,7 +61,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -74,18 +74,12 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -101,12 +95,6 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -574,29 +574,7 @@
|
||||
the next rule. See <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro and the invocation of that action
|
||||
@@ -1658,7 +1636,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||
role="bold">ipv6-route</emphasis> or <emphasis
|
||||
role="bold">43</emphasis></term>
|
||||
role="bold">41</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 Route extension header.</para>
|
||||
|
||||
@@ -239,9 +239,6 @@
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
|
||||
<para>Note that the routestopped file is not supported in
|
||||
Shorewall 5.0 and later versions.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -500,14 +497,13 @@
|
||||
<listitem>
|
||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||
then Shorewall6 won't clear the current traffic control rules during
|
||||
[<command>re</command>]<command>start</command> or
|
||||
<command>reload</command>. This setting is intended for use by
|
||||
people that prefer to configure traffic shaping when the network
|
||||
interfaces come up rather than when the firewall is started. If that
|
||||
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||
not supply an /etc/shorewall6/tcstart file. That way, your traffic
|
||||
shaping rules can still use the “fwmark” classifier based on packet
|
||||
marking defined in <ulink
|
||||
[re]start. This setting is intended for use by people that prefer to
|
||||
configure traffic shaping when the network interfaces come up rather
|
||||
than when the firewall is started. If that is what you want to do,
|
||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||
If not specified, CLEAR_TC=No is assumed.</para>
|
||||
|
||||
@@ -608,9 +604,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>If set to Yes (the default value), entries in the
|
||||
/etc/shorewall6/rtrules file cause an 'ip rule del' command to be
|
||||
generated in addition to an 'ip rule add' command. Setting this
|
||||
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||
/etc/shorewall6/route_stopped files cause an 'ip rule del' command
|
||||
to be generated in addition to an 'ip rule add' command. Setting
|
||||
this option to No, causes the 'ip rule del' command to be
|
||||
omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -694,7 +691,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
helpers file from the administrative system into the script. When
|
||||
set to No or not specified, the compiler will not copy the modules
|
||||
or helpers file from <filename>/usr/share/shorewall6</filename> but
|
||||
will copy those found in another location on the CONFIG_PATH.</para>
|
||||
will copy the found in another location on the CONFIG_PATH.</para>
|
||||
|
||||
<para>When compiling for direct use by Shorewall6, causes the
|
||||
contents of the local module or helpers file to be copied into the
|
||||
@@ -728,7 +725,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
||||
cleared the packet mark in the first rule in the mangle FORWARD
|
||||
chain. This behavior is maintained with the default setting of this
|
||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||
@@ -1169,7 +1166,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall6 program where to
|
||||
@@ -1178,9 +1175,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">logwatch</emphasis>, <emphasis role="bold">show
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1925,18 +1920,18 @@ LOG:info:,bar net fw</programlisting>
|
||||
#TARGET SOURCE DEST PROTO
|
||||
Broadcast(DROP) - - -
|
||||
DROP - - 2
|
||||
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
||||
?if __ENHANCED_REJECT
|
||||
INLINE - - 17 ;; -j REJECT
|
||||
INLINE - - 17 ; -j REJECT
|
||||
?if __IPV4
|
||||
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
||||
?else
|
||||
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
?endif
|
||||
?else
|
||||
INLINE - - - ;; -j REJECT
|
||||
INLINE - - - ; -j REJECT
|
||||
?endif</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1985,7 +1980,7 @@ INLINE - - - ;; -j REJECT
|
||||
restored unconditionally at the top of the mangle OUTPUT and
|
||||
PREROUTING chains, even if the saved mark is zero. When this option
|
||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||
even when it is zero. If you have problems with IPSEC ESP packets
|
||||
not being routed correctly on output, try setting this option to
|
||||
<emphasis role="bold">No</emphasis>.</para>
|
||||
</listitem>
|
||||
@@ -2511,20 +2506,6 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -932,9 +932,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -61,7 +61,7 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -95,11 +95,6 @@ rsyncok eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
|
||||
<para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
|
||||
specified, a single ipset is created; the ipset has the same name as the
|
||||
zone.</para>
|
||||
|
||||
<para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
|
||||
a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
|
||||
Making a dynamic zone a sub-zone of multiple other zones is also
|
||||
supported.</para>
|
||||
</section>
|
||||
|
||||
<section id="Adding">
|
||||
|
||||
@@ -26,8 +26,6 @@
|
||||
|
||||
<year>2011</year>
|
||||
|
||||
<year>2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -91,9 +89,7 @@
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
|
||||
acting as a firewall/router for a small local network. For
|
||||
Redhat-specific install/configure information, see <ulink url="???">this
|
||||
article </ulink>contributed by Digimer.</para>
|
||||
acting as a firewall/router for a small local network</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -398,7 +398,7 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -301,8 +301,8 @@
|
||||
|
||||
<para>COMMENT, FORMAT and SECTION Lines now require the leading question
|
||||
mark ("?"). In earlier releases, the question mark was optional. The
|
||||
<command>shorewall[6] update -D</command> command in Shorewall 4.6 will
|
||||
insert the question marks for you.</para>
|
||||
<command>shorewall[6] update -D</command> command will insert the
|
||||
question marks for you.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -359,7 +359,7 @@
|
||||
|
||||
<para>It is strongly recommended that you first upgrade your installation
|
||||
to a 4.6 release that supports the <option>-A</option> option to the
|
||||
<command>update</command> command; 4.6.13.2 or later is preferred.</para>
|
||||
<command>update</command> command; 4.6.13 is preferred.</para>
|
||||
|
||||
<para>Once you are on that release, execute the <command>shorewall update
|
||||
-A</command> command (and <command>shorewall6 update -A</command> if you
|
||||
@@ -374,11 +374,11 @@
|
||||
likely won't start or work correctly until you do.</para>
|
||||
|
||||
<para>The <command>update</command> command in Shorewall 5 has many fewer
|
||||
options. The <option>-b</option>, <option>-t</option>,
|
||||
<option>-n</option>, <option>-D</option> and <option>-s </option>options
|
||||
have been removed -- the updates triggered by those options are now
|
||||
performed unconditionally. The <option>-i </option>and <option>-A
|
||||
</option>options have been retained - both enable checking for issues that
|
||||
could result if INLINE_MATCHES were to be set to Yes.</para>
|
||||
options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
|
||||
and <option>-s </option>options have been removed -- the updates triggered
|
||||
by those options are now performed unconditionally. The <option>-i
|
||||
</option>and <option>-A </option>options have been retained - both enable
|
||||
checking for issues that could result if INLINE_MATCHES were to be set to
|
||||
Yes.</para>
|
||||
</section>
|
||||
</article>
|
||||
|
||||
@@ -48,7 +48,7 @@
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall supports two different types of blacklisting; rule-based,
|
||||
<para>Shorewall supports two different types of blackliisting; rule-based,
|
||||
static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
|
||||
controls the degree of blacklist filtering.</para>
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2016</year>
|
||||
<year>2001-2013</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@@ -35,9 +35,9 @@
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 5.0 and
|
||||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
5.0.0 then please see the documentation for that
|
||||
4.3.5 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
@@ -774,17 +774,6 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</pro
|
||||
<programlisting>{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
|
||||
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
|
||||
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
|
||||
to individual rules using the <option>comment</option> keyword.</para>
|
||||
|
||||
<para>Example from the rules file:</para>
|
||||
|
||||
<programlisting> ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
|
||||
|
||||
<para> As shown in that example, when the comment contains whitespace, it
|
||||
must be enclosed in double quotes and any embedded double quotes must be
|
||||
escaped using a backslash ("\").</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -1382,10 +1371,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
?COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||||
the Shorewall show and dump commands.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
|
||||
input format </link>allows attaching comments to individual rules in the
|
||||
files listed above.</para>
|
||||
</section>
|
||||
|
||||
<section id="CONFIG_PATH">
|
||||
|
||||
@@ -293,7 +293,7 @@ gateway:/etc/shorewall# </programl
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group (0-65535). If
|
||||
<para>The first number specifies the netlink group (0-32). If
|
||||
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
|
||||
@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
|
||||
as an attachment compressed with gzip or bzip2.</para>
|
||||
<para>Post the <filename>/tmp/status.txt</filename> file as an
|
||||
attachment compressed with gzip or bzip2.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
Reference in New Issue
Block a user