forked from extern/shorewall_code
Compare commits
19 Commits
5.0.8-base
...
5.0.9-Beta
| Author | SHA1 | Date | |
|---|---|---|---|
|
590243a787 | ||
|
|
9dd0346987 | ||
|
|
ccfa181a6d | ||
|
|
d959fd4445 | ||
|
|
b7de785396 | ||
|
|
24d40f4cc2 | ||
|
|
244f2cefe5 | ||
|
|
ec23ca67f8 | ||
|
|
a2345325dd | ||
|
|
1308560aba | ||
|
|
41923cb80e | ||
|
|
2a40012fc4 | ||
|
05a15c6f8b | ||
|
|
a92d10f19c | ||
|
|
47edfaf093 | ||
|
|
67c2587890 | ||
|
|
f6b7eb4ea0 | ||
|
|
200ad3f874 | ||
|
|
800c06e8c9 |
@@ -731,12 +731,29 @@ list_zone() {
|
||||
done
|
||||
}
|
||||
|
||||
option_error() {
|
||||
fatal_error "The $COMMAND command does not accept this option: -$1"
|
||||
}
|
||||
|
||||
too_many_arguments() {
|
||||
fatal_error "Too many arguments: $1"
|
||||
}
|
||||
|
||||
missing_argument() {
|
||||
fatal_error "Missing argument"
|
||||
}
|
||||
|
||||
missing_option_value() {
|
||||
fatal_error "The $1 option requires a value"
|
||||
}
|
||||
|
||||
version_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local all
|
||||
all=
|
||||
local product
|
||||
local compiletime
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@@ -755,7 +772,7 @@ version_command() {
|
||||
option=${option#a}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -767,7 +784,7 @@ version_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -gt 0 ] && usage 1
|
||||
[ $# -gt 0 ] && too_many_arguments
|
||||
|
||||
if [ -n "$all" ]; then
|
||||
echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
|
||||
@@ -779,8 +796,16 @@ version_command() {
|
||||
done
|
||||
|
||||
if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
|
||||
echo $g_echo_n "$g_firewall was compiled by Shorewall version "
|
||||
$g_firewall version
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
echo "$g_firewall was $compiletime"
|
||||
;;
|
||||
*)
|
||||
echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
echo $SHOREWALL_VERSION
|
||||
@@ -1065,7 +1090,7 @@ show_connections() {
|
||||
shift
|
||||
conntrack -f ipv4 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
if [ -f /proc/net/ip_conntrack ]; then
|
||||
cat /proc/net/ip_conntrack | show_connections_filter
|
||||
else
|
||||
@@ -1078,7 +1103,7 @@ show_connections() {
|
||||
echo
|
||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
@@ -1199,7 +1224,7 @@ show_command() {
|
||||
option=${option#f}
|
||||
;;
|
||||
t)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
[ $# -eq 1 ] && missing_option_value -t
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
@@ -1227,7 +1252,7 @@ show_command() {
|
||||
option=${option#b}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1249,37 +1274,37 @@ show_command() {
|
||||
eval show_connections $@ $g_pager
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_nat $g_pager
|
||||
;;
|
||||
raw)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_raw $g_pager
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_rawpost $g_pager
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_mangle $g_pager
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
|
||||
setup_logread
|
||||
eval show_log $g_pager
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
[ $# -gt 2 ] && too_many_arguments $2
|
||||
eval show_tc $@ $g_pager
|
||||
;;
|
||||
classifiers|filters)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_classifiers_command $g_pager
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
if [ -f ${VARDIR}/zones ]; then
|
||||
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1302,7 +1327,7 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
capabilities)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
determine_capabilities
|
||||
VERBOSITY=2
|
||||
if [ -n "$g_filemode" ]; then
|
||||
@@ -1312,11 +1337,11 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
ip)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_ip_addresses $g_pager
|
||||
;;
|
||||
routing)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_routing_command $g_pager
|
||||
;;
|
||||
config)
|
||||
@@ -1345,26 +1370,26 @@ show_command() {
|
||||
echo $VARDIR;
|
||||
;;
|
||||
policies)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_policies $g_pager
|
||||
;;
|
||||
ipa)
|
||||
[ $g_family -eq 4 ] || usage 1
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_ipa $g_pager
|
||||
;;
|
||||
marks)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
|
||||
echo
|
||||
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
|
||||
;;
|
||||
nfacct)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_nfacct_command $g_pager
|
||||
;;
|
||||
arptables)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
resolve_arptables
|
||||
if [ -n "$arptables" -a -x $arptables ]; then
|
||||
eval show_arptables $g_pager
|
||||
@@ -1373,22 +1398,22 @@ show_command() {
|
||||
fi
|
||||
;;
|
||||
event)
|
||||
[ $# -gt 1 ] || usage 1
|
||||
[ $# -gt 1 ] || too_many_arguments $2
|
||||
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
|
||||
echo
|
||||
shift
|
||||
show_events $@
|
||||
;;
|
||||
events)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_events_command $g_pager
|
||||
;;
|
||||
bl|blacklists)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_blacklists $g_pager
|
||||
;;
|
||||
opens)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
|
||||
|
||||
if chain_exists dynamic; then
|
||||
@@ -1404,12 +1429,12 @@ show_command() {
|
||||
*)
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_actions_sorted $g_pager
|
||||
return
|
||||
;;
|
||||
macro)
|
||||
[ $# -ne 2 ] && usage 1
|
||||
[ $# -ne 2 ] && too_many_arguments $2
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
if [ -f ${directory}/macro.$2 ]; then
|
||||
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
|
||||
@@ -1421,7 +1446,7 @@ show_command() {
|
||||
return
|
||||
;;
|
||||
macros)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_macros $g_pager
|
||||
return
|
||||
;;
|
||||
@@ -1432,7 +1457,7 @@ show_command() {
|
||||
if [ $# -gt 0 ]; then
|
||||
if [ $1 = dynamic -a $# -gt 1 ]; then
|
||||
shift
|
||||
[ $# -eq 1 ] || usage 1
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
list_zone $1
|
||||
return;
|
||||
fi
|
||||
@@ -1507,6 +1532,49 @@ dump_filter_wrapper() {
|
||||
eval dump_filter $g_pager
|
||||
}
|
||||
|
||||
show_status() {
|
||||
local compiletime
|
||||
local state
|
||||
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
compiletime=$(run_it $g_firewall info 2>/dev/null)
|
||||
|
||||
case $compiletime in
|
||||
compiled\ *)
|
||||
state="$state ($g_firewall $compiletime)"
|
||||
;;
|
||||
*)
|
||||
state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Dump Command Executor
|
||||
#
|
||||
@@ -1546,7 +1614,7 @@ do_dump_command() {
|
||||
option=${option#c}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1565,7 +1633,7 @@ do_dump_command() {
|
||||
[ $VERBOSITY -lt 2 ] && VERBOSITY=2
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 0 ] || usage 1
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
|
||||
echo
|
||||
@@ -1760,7 +1828,7 @@ restore_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1780,7 +1848,7 @@ restore_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -2386,7 +2454,7 @@ hits_command() {
|
||||
option=${option#t}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2398,7 +2466,7 @@ hits_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || usage 1
|
||||
[ $# -eq 0 ] || too_many_arguments $1
|
||||
|
||||
clear_term
|
||||
echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
|
||||
@@ -2455,7 +2523,7 @@ hits_command() {
|
||||
#
|
||||
allow_command() {
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
if product_is_started ; then
|
||||
local which
|
||||
which='-s'
|
||||
@@ -2525,8 +2593,6 @@ logwatch_command() {
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
@@ -2546,7 +2612,7 @@ logwatch_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -2565,7 +2631,7 @@ logwatch_command() {
|
||||
elif [ $# -eq 0 ]; then
|
||||
logwatch 30
|
||||
else
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -3309,36 +3375,6 @@ report_capabilities1() {
|
||||
report_capabilities_unsorted1 | sort
|
||||
}
|
||||
|
||||
show_status() {
|
||||
if product_is_started ; then
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
|
||||
status=0
|
||||
else
|
||||
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Closed*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
|
||||
if [ $VERBOSITY -ge 1 ]; then
|
||||
if [ -f $g_firewall ]; then
|
||||
state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
|
||||
fi
|
||||
echo "State:$state"
|
||||
echo
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
interface_status() {
|
||||
case $(cat $1) in
|
||||
0)
|
||||
@@ -3392,7 +3428,7 @@ status_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3404,7 +3440,7 @@ status_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
[ $# -eq 0 ] || usage 1
|
||||
[ $# -eq 0 ] || missing_argument
|
||||
|
||||
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
|
||||
show_status
|
||||
@@ -3498,7 +3534,7 @@ save_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3518,7 +3554,7 @@ save_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3537,6 +3573,9 @@ save_command() {
|
||||
|
||||
forget_command() {
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
@@ -3544,7 +3583,7 @@ forget_command() {
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $3
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3566,7 +3605,7 @@ ipcalc_command() {
|
||||
local address
|
||||
local vlsm
|
||||
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
|
||||
|
||||
if [ $# -eq 2 ]; then
|
||||
address=${2%/*}
|
||||
@@ -3574,13 +3613,15 @@ ipcalc_command() {
|
||||
elif [ $# -eq 3 ]; then
|
||||
address=$2
|
||||
vlsm=$(ip_vlsm $3)
|
||||
elif [ $# -eq 0 ]; then
|
||||
missing_argument
|
||||
else
|
||||
usage 1
|
||||
too_many_arguments $4
|
||||
fi
|
||||
|
||||
valid_address $address || fatal_error "Invalid IP address: $address"
|
||||
[ -z "$vlsm" ] && usage 2
|
||||
[ "x$address" = "x$vlsm" ] && usage 2
|
||||
[ -z "$vlsm" ] && fatal_error "Missing VLSM"
|
||||
[ "x$address" = "x$vlsm" ] && "Invalid VLSM"
|
||||
[ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
|
||||
|
||||
address=$address/$vlsm
|
||||
@@ -3594,7 +3635,7 @@ ipcalc_command() {
|
||||
iprange_command() {
|
||||
local range
|
||||
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
|
||||
range=''
|
||||
|
||||
@@ -3612,15 +3653,19 @@ iprange_command() {
|
||||
ip_range $range
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
fatal_error "Invalid ip range: $range"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
ipdecimal_command() {
|
||||
[ $# -eq 2 ] || usage 1
|
||||
if [ $# eq 1 ]; then
|
||||
missing_argument
|
||||
else
|
||||
[ $# -eq 2 ] || too_many_arguments $3
|
||||
fi
|
||||
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
|
||||
|
||||
case $2 in
|
||||
*.*.*.*)
|
||||
@@ -3928,7 +3973,7 @@ start_command() {
|
||||
option=${option%p}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -3944,7 +3989,7 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -3988,7 +4033,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4004,7 +4049,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $1
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -4220,7 +4265,8 @@ shorewall_cli() {
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
c)
|
||||
[ $# -eq 1 -o -n "$g_lite" ] && usage 1
|
||||
[ $# -eq 1 ] && missing_option_value -c
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
@@ -4235,7 +4281,7 @@ shorewall_cli() {
|
||||
shift
|
||||
;;
|
||||
e*)
|
||||
[ -n "$g_lite" ] && usage 1
|
||||
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
|
||||
g_export=Yes
|
||||
option=${option#e}
|
||||
;;
|
||||
@@ -4297,7 +4343,7 @@ shorewall_cli() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -4362,7 +4408,7 @@ shorewall_cli() {
|
||||
start_command $@
|
||||
;;
|
||||
stop|clear)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
[ $# -ne 1 ] && too_many_arguments $2
|
||||
get_config
|
||||
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
@@ -4419,7 +4465,7 @@ shorewall_cli() {
|
||||
dump_command $@
|
||||
;;
|
||||
hits)
|
||||
[ $g_family -eq 6 ] && usage 1
|
||||
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
|
||||
get_config Yes No Yes
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
shift
|
||||
@@ -4437,19 +4483,19 @@ shorewall_cli() {
|
||||
drop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
drop_command $@
|
||||
;;
|
||||
logdrop)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
logdrop_command $@
|
||||
;;
|
||||
reject|logreject)
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
reject_command $@
|
||||
;;
|
||||
open|close)
|
||||
@@ -4522,7 +4568,7 @@ shorewall_cli() {
|
||||
run_it $g_firewall $g_debugging call $@
|
||||
fi
|
||||
else
|
||||
usage 1
|
||||
missing_argument
|
||||
fi
|
||||
;;
|
||||
help)
|
||||
@@ -4540,7 +4586,7 @@ shorewall_cli() {
|
||||
noiptrace_command $@
|
||||
;;
|
||||
savesets)
|
||||
[ $# -eq 1 ] || usage 1
|
||||
[ $# -eq 1 ] || too_many_arguments $2
|
||||
get_config
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
savesets1
|
||||
@@ -4549,7 +4595,7 @@ shorewall_cli() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
compiler_command $@
|
||||
else
|
||||
usage 1
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -712,9 +712,9 @@ find_file()
|
||||
set_state () # $1 = state
|
||||
{
|
||||
if [ $# -gt 1 ]; then
|
||||
echo "$1 ($(date)) from $2" > ${VARDIR}/state
|
||||
echo "$1 $(date) from $2" > ${VARDIR}/state
|
||||
else
|
||||
echo "$1 ($(date))" > ${VARDIR}/state
|
||||
echo "$1 $(date)" > ${VARDIR}/state
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@@ -117,6 +117,7 @@ fi
|
||||
echo "Uninstalling Shorewall Core $VERSION"
|
||||
|
||||
rm -rf ${SHAREDIR}/shorewall
|
||||
rm -f ~/.shorewallrc
|
||||
|
||||
echo "Shorewall Core Uninstalled"
|
||||
|
||||
|
||||
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
|
||||
/etc/init.d/shorewall-inir enable
|
||||
/etc/init.d/$PRODUCT enable
|
||||
if /etc/init.d/shorewall-init enabled; then
|
||||
echo "Shorrewall Init will start automatically at boot"
|
||||
echo "$Product will start automatically at boot"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
@@ -495,7 +495,7 @@ done
|
||||
# Install the Man Pages
|
||||
#
|
||||
|
||||
if [ -d manpages ]; then
|
||||
if [ -d manpages -a -n "$MANDIR" ]; then
|
||||
cd manpages
|
||||
|
||||
mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
|
||||
|
||||
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
|
||||
#
|
||||
# First stage of script generation.
|
||||
#
|
||||
# Copy lib.core and lib.common to the generated script.
|
||||
# Copy lib.runtime and lib.common to the generated script.
|
||||
# Generate the various user-exit jacket functions.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
@@ -94,8 +94,8 @@ sub generate_script_1( $ ) {
|
||||
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||
|
||||
copy $globals{SHAREDIRPL} . '/lib.core', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
|
||||
copy $globals{SHAREDIRPL} . '/lib.runtime', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -596,6 +596,21 @@ EOF
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Generate info_command()
|
||||
#
|
||||
sub compile_info_command() {
|
||||
my $date = localtime;
|
||||
|
||||
emit( "\n",
|
||||
"#",
|
||||
"# Echo the date and time when this script was compiled along with the Shorewall version",
|
||||
"#",
|
||||
"info_command() {" ,
|
||||
qq( echo "compiled $date by Shorewall version $globals{VERSION}") ,
|
||||
"}\n" );
|
||||
}
|
||||
|
||||
#
|
||||
# The Compiler.
|
||||
#
|
||||
@@ -922,6 +937,10 @@ sub compiler {
|
||||
#
|
||||
compile_updown;
|
||||
#
|
||||
# Echo the compilation time and date
|
||||
#
|
||||
compile_info_command unless $test;
|
||||
#
|
||||
# Copy the footer to the script
|
||||
#
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
||||
|
||||
@@ -889,6 +889,7 @@ sub initialize( $;$$) {
|
||||
DOCKER => undef ,
|
||||
PAGER => undef ,
|
||||
MINIUPNPD => undef ,
|
||||
VERBOSE_MESSAGES => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -2543,18 +2544,54 @@ sub directive_error( $$$ ) {
|
||||
fatal_error $_[0];
|
||||
}
|
||||
|
||||
sub directive_warning( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
sub directive_warning( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $warning, $currentfilename, $currentlinenumber ) = @_;
|
||||
warning_message $warning;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " WARNING: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " WARNING: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
}
|
||||
|
||||
sub directive_info( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
sub directive_info( $$$$ ) {
|
||||
if ( shift ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
} else {
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log " INFO: $_[0]\n";
|
||||
}
|
||||
|
||||
print STDERR " INFO: $_[0]\n";
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2703,7 +2740,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
|
||||
print "CD===> $line\n" if $debug;
|
||||
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
|
||||
|
||||
my ($keyword, $expression) = ( uc $1, $2 );
|
||||
|
||||
@@ -2811,14 +2848,14 @@ sub process_compiler_directive( $$$$ ) {
|
||||
delete $actparams{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
|
||||
} else {
|
||||
if ( exists $variables{$2} ) {
|
||||
delete $variables{$2};
|
||||
} else {
|
||||
directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2832,7 +2869,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
|
||||
$comment =~ s/\s*$//;
|
||||
} else {
|
||||
directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -2851,7 +2888,8 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
WARNING => sub() {
|
||||
directive_warning( evaluate_expression( $expression ,
|
||||
directive_warning( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -2860,7 +2898,28 @@ sub process_compiler_directive( $$$$ ) {
|
||||
} ,
|
||||
|
||||
INFO => sub() {
|
||||
directive_info( evaluate_expression( $expression ,
|
||||
directive_info( $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'WARNING!' => sub() {
|
||||
directive_warning( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
'INFO!' => sub() {
|
||||
directive_info( ! $config{VERBOSE_MESSAGES} ,
|
||||
evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
@@ -6109,6 +6168,7 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
|
||||
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
|
||||
default_yes_no 'MINIUPNPD' , '';
|
||||
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
|
||||
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
|
||||
|
||||
@@ -1096,7 +1096,7 @@ CEOF
|
||||
|
||||
if ( $optional ) {
|
||||
if ( $persistent ) {
|
||||
emit( "persistent_${what}_${table}\n" );
|
||||
emit( "do_persistent_${what}_${table}\n" );
|
||||
}
|
||||
|
||||
if ( $shared ) {
|
||||
|
||||
@@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
},
|
||||
|
||||
NFLOG => {
|
||||
defaultchain => 0,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 0,
|
||||
maxparams => 3,
|
||||
function => sub () {
|
||||
$target = validate_level( "NFLOG($params)" );
|
||||
}
|
||||
},
|
||||
|
||||
RESTORE => {
|
||||
defaultchain => 0,
|
||||
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
# generated this program
|
||||
#
|
||||
################################################################################
|
||||
# Functions imported from /usr/share/shorewall/lib.core
|
||||
# Functions imported from /usr/share/shorewall/lib.runtime
|
||||
################################################################################
|
||||
# Address family-neutral Functions
|
||||
################################################################################
|
||||
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
|
||||
}
|
||||
|
||||
#
|
||||
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
|
||||
|
||||
find_interface_full_addresses() # $1 = interface
|
||||
{
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
||||
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
|
||||
}
|
||||
|
||||
#
|
||||
@@ -25,6 +25,7 @@ usage() {
|
||||
echo " savesets <file>"
|
||||
echo " call <function> [ <parameter> ... ]"
|
||||
echo " version"
|
||||
echo " info"
|
||||
echo
|
||||
echo "Options are:"
|
||||
echo
|
||||
@@ -469,6 +470,10 @@ case "$COMMAND" in
|
||||
echo $SHOREWALL_VERSION
|
||||
status=0
|
||||
;;
|
||||
info)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
info_command
|
||||
;;
|
||||
help)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
usage 0
|
||||
|
||||
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -250,6 +250,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -514,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
|
||||
echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
|
||||
echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
|
||||
|
||||
cd configfiles
|
||||
|
||||
@@ -1177,6 +1177,8 @@ fi
|
||||
# Install the Man Pages
|
||||
#
|
||||
|
||||
if [ -n "$MANDIR" ]; then
|
||||
|
||||
cd manpages
|
||||
|
||||
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
|
||||
@@ -1196,6 +1198,7 @@ done
|
||||
cd ..
|
||||
|
||||
echo "Man Pages Installed"
|
||||
fi
|
||||
|
||||
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
|
||||
run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
|
||||
|
||||
@@ -604,7 +604,7 @@ start_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -620,7 +620,8 @@ start_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
[ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -634,7 +635,7 @@ start_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -663,8 +664,6 @@ compile_command() {
|
||||
shift
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
e*)
|
||||
@@ -701,7 +700,7 @@ compile_command() {
|
||||
option=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -723,7 +722,7 @@ compile_command() {
|
||||
[ -d "$g_file" ] && fatal_error "$g_file is a directory"
|
||||
;;
|
||||
2)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -737,7 +736,7 @@ compile_command() {
|
||||
g_file=$2
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $3
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -791,7 +790,7 @@ check_command() {
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -807,7 +806,7 @@ check_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
|
||||
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -820,7 +819,7 @@ check_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -883,7 +882,7 @@ update_command() {
|
||||
option=${option#A}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -899,7 +898,7 @@ update_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -912,7 +911,7 @@ update_command() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -977,7 +976,7 @@ restart_command() {
|
||||
option=${option#C}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -993,7 +992,7 @@ restart_command() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1008,7 +1007,7 @@ restart_command() {
|
||||
AUTOMAKE=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1086,7 +1085,7 @@ refresh_command() {
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1169,7 +1168,7 @@ safe_commands() {
|
||||
shift;
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1185,7 +1184,7 @@ safe_commands() {
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1198,7 +1197,7 @@ safe_commands() {
|
||||
g_shorewalldir=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $2
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1286,7 +1285,7 @@ try_command() {
|
||||
timeout=
|
||||
|
||||
handle_directory() {
|
||||
[ -n "$g_shorewalldir" ] && usage 2
|
||||
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
@@ -1316,7 +1315,7 @@ try_command() {
|
||||
option=${option#n}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1330,7 +1329,7 @@ try_command() {
|
||||
|
||||
case $# in
|
||||
0)
|
||||
usage 1
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
handle_directory $1
|
||||
@@ -1341,7 +1340,7 @@ try_command() {
|
||||
timeout=$2
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $3
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1480,7 +1479,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
option=${option#i}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
option_error $option
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@@ -1493,6 +1492,9 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
g_shorewalldir="."
|
||||
system=$1
|
||||
@@ -1502,7 +1504,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
system=$2
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
too_many_arguments $3
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -1742,7 +1744,7 @@ compiler_command() {
|
||||
safe_commands $@
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
fatal_error "Invalid command: $COMMAND"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
@@ -504,7 +504,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
|
||||
<member>0xc0a80403 LAND 0xFF = 0x03</member>
|
||||
|
||||
<member>0x03 LOR 0x0x10100 = 0x10103 or class ID
|
||||
<member>0x03 LOR 0x10100 = 0x10103 or class ID
|
||||
1:103</member>
|
||||
</simplelist>
|
||||
</blockquote>
|
||||
@@ -598,6 +598,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -595,9 +595,32 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
</para>
|
||||
|
||||
<para>Similar to<emphasis role="bold">
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro body and the invocation of that
|
||||
|
||||
@@ -2508,7 +2508,7 @@ INLINE - - - ; -j REJECT
|
||||
role="bold">refresh</emphasis>, <emphasis
|
||||
role="bold">try</emphasis>, and <emphasis
|
||||
role="bold">safe-</emphasis>* command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above. </para>
|
||||
determined by the setting of LOG_VERBOSITY above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2864,6 +2864,20 @@ INLINE - - - ; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
|
||||
rm -rf ${SHAREDIR}/shorewall/Samples/
|
||||
rm -rf ${SHAREDIR}/shorewall/Shorewall/
|
||||
rm -f ${SHAREDIR}/shorewall/lib.cli-std
|
||||
rm -f ${SHAREDIR}/shorewall/lib.core
|
||||
rm -f ${SHAREDIR}/shorewall/lib.runtime
|
||||
rm -f ${SHAREDIR}/shorewall/compiler.pl
|
||||
rm -f ${SHAREDIR}/shorewall/prog.*
|
||||
rm -f ${SHAREDIR}/shorewall/module*
|
||||
|
||||
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -214,6 +214,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
||||
VERBOSE_MESSAGES=Yes
|
||||
|
||||
WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
@@ -515,7 +515,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
|
||||
<member>0xc0a80403 LAND 0xFF = 0x03</member>
|
||||
|
||||
<member>0x03 LOR 0x0x10100 = 0x10103 or class ID
|
||||
<member>0x03 LOR 0x10100 = 0x10103 or class ID
|
||||
1:103</member>
|
||||
</simplelist>
|
||||
</blockquote>
|
||||
@@ -609,6 +609,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. Logs matching packets using
|
||||
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1. </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
|
||||
|
||||
@@ -574,7 +574,29 @@
|
||||
the next rule. See <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>Similar to<emphasis role="bold">
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group
|
||||
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
|
||||
0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The second number specifies the maximum number of
|
||||
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>NFLOG is similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
except that the log level is not changed when this ACTION is
|
||||
used in an action or macro and the invocation of that action
|
||||
|
||||
@@ -2506,6 +2506,20 @@ INLINE - - - ; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
|
||||
produced by the ?INFO and ?WARNING directives include the filename
|
||||
and linenumber of the directive. When set to No, that additional
|
||||
information is omitted. The setting may be overridden on a directive
|
||||
by directive basis by following ?INFO or ?WARNING with '!' (no
|
||||
intervening white space).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
|
||||
|
||||
@@ -74,7 +74,7 @@
|
||||
<section>
|
||||
<title>Documentation for Earlier Versions</title>
|
||||
|
||||
<para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
|
||||
<para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
|
||||
Documentation</ulink></para>
|
||||
|
||||
<para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
|
||||
|
||||
@@ -204,7 +204,7 @@
|
||||
<para>If the <replaceable>action</replaceable> involves logging,
|
||||
then this parameter specifies the disposition that will appear in
|
||||
the log entry prefix. If no <replaceable>disposition</replaceable>
|
||||
is given, the log prefix is determines normally. The default is
|
||||
is given, the log prefix is determined normally. The default is
|
||||
ACCEPT.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -258,7 +258,7 @@
|
||||
<para>If the <replaceable>action</replaceable> involves logging,
|
||||
then this parameter specifies the disposition that will appear in
|
||||
the log entry prefix. If no <replaceable>disposition</replaceable>
|
||||
is given, the log prefix is determines normally.</para>
|
||||
is given, the log prefix is determined normally.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -404,7 +404,7 @@
|
||||
<para>If the <replaceable>action</replaceable> involves logging,
|
||||
then this parameter specifies the disposition that will appear in
|
||||
the log entry prefix. If no <replaceable>disposition</replaceable>
|
||||
is given, the log prefix is determines normally.</para>
|
||||
is given, the log prefix is determined normally.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -293,7 +293,7 @@ gateway:/etc/shorewall# </programl
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The first number specifies the netlink group (0-32). If
|
||||
<para>The first number specifies the netlink group (0-65535). If
|
||||
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
|
||||
</listitem>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user