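#!/bin/sh
#
# Shorewall Lite Packet Filtering Firewall Capabilities Detector
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
#
# This program may be used to create a /etc/shorewall/capabilities file for
# use in compiling Shorewall firewalls on another system.
#
# On the target system (the system where the firewall program is to run):
#
#     [ IPTABLES= ] [ MODULESDIR= ] shorecap > capabilities
#
# Now move the capabilities file to the compilation system. The file must
# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
# for the target system.
#
# Default values for the two variables are:
#
#     IPTABLES   - iptables
#     MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not
# require Shorewall to be installed.
#
# The three files sourced below are executed as shell code with this script's
# privileges, so they should be root-owned and not writable by anyone else.
# Sourcing a missing file aborts a non-interactive POSIX shell, so none of the
# probing below runs if the library or configuration is absent.
#
. /usr/share/shorewall-lite/functions
. /usr/share/shorewall-lite/configpath
. /etc/shorewall-lite/shorewall.conf

VERSION=$(cat /usr/share/shorewall-lite/version)

#
# Emit one "NAME=value" line on stdout for the capability variable named in $1.
#
# $1 = Capability variable name (the value is read from the variable of that name)
#
# The name is spliced into an eval, so it is restricted to the characters a
# shell variable name may contain; anything else is rejected (status 1) rather
# than handed to the shell for re-parsing.
#
report_capability()
{
    case "$1" in
        ''|*[!A-Za-z0-9_]*|[0-9]*)
            echo "   ERROR: Invalid capability name \"$1\"" >&2
            return 1
            ;;
    esac

    eval "echo \"$1=\$$1\""
}

#
# Write the capabilities file to stdout: a dated comment header followed by one
# NAME=value line per known capability, in the order the compiler expects them.
#
report_capabilities()
{
    echo "#"
    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
    echo "#"

    for capability in \
        NAT_ENABLED \
        MANGLE_ENABLED \
        MULTIPORT \
        XMULTIPORT \
        CONNTRACK_MATCH \
        USEPKTTYPE \
        POLICY_MATCH \
        PHYSDEV_MATCH \
        LENGTH_MATCH \
        IPRANGE_MATCH \
        RECENT_MATCH \
        OWNER_MATCH \
        IPSET_MATCH \
        CONNMARK \
        XCONNMARK \
        CONNMARK_MATCH \
        XCONNMARK_MATCH \
        RAW_TABLE \
        IPP2P_MATCH \
        CLASSIFY_TARGET \
        ENHANCED_REJECT \
        KLUDGEFREE \
        MARK \
        XMARK \
        MANGLE_FORWARD
    do
        report_capability "$capability"
    done
}

#
# IPTABLES may already have been supplied by the environment (see the usage
# above) or by the sourced shorewall.conf; only fall back to a PATH search
# when it is still empty.
#
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

#
# Probing with an empty IPTABLES would silently produce a capabilities file
# that misdescribes the target system, and a firewall compiled from it would
# be wrong. Fail loudly instead.
#
if [ -z "$IPTABLES" ]; then
    echo "   ERROR: Can't find the iptables executable (set IPTABLES=<path> to override)" >&2
    exit 2
fi

#
# stdout is the capabilities file, so keep the helpers quiet
# (presumably VERBOSE is what they consult; verify against lib functions).
#
VERBOSE=0

load_kernel_modules
determine_capabilities
report_capabilities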