forked from extern/shorewall_code
cc78073ce7
Signed-off-by: Tom Eastep <teastep@shorewall.net>
422 lines
7.6 KiB
Bash
Executable File
422 lines
7.6 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Shorewall Packet Filtering Firewall Control Program - V4.4
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
#
|
|
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
|
|
# Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Shorewall documentation is available at http://www.shorewall.net
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
#
|
|
# For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
|
|
#
|
|
################################################################################################
|
|
|
|
g_debugging=
|
|
|
|
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
|
|
g_debugging=$1
|
|
shift
|
|
fi
|
|
|
|
nolock=
|
|
|
|
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
|
|
nolock=nolock
|
|
shift
|
|
fi
|
|
|
|
SHOREWALL_DIR=
|
|
g_noroutes=
|
|
g_purge=
|
|
|
|
g_ipt_options="-nv"
|
|
g_fast=
|
|
g_verbose_offset=0
|
|
g_use_verbosity=
|
|
g_debug=
|
|
g_export=
|
|
g_refreshchains=:none:
|
|
g_confess=
|
|
g_update=
|
|
g_convert=
|
|
g_annotate=
|
|
|
|
#
|
|
# Make sure that these variables are cleared
|
|
#
|
|
VERBOSE=
|
|
VERBOSITY=
|
|
|
|
g_program=$(basename $0)
|
|
|
|
if [ $g_program = shorewall6 ]; then
|
|
SHAREDIR=/usr/share/shorewall6
|
|
CONFDIR=/etc/shorewall6
|
|
g_product="Shorewall6"
|
|
g_family=6
|
|
g_tool=
|
|
g_basedir=/usr/share/shorewall
|
|
g_lite=
|
|
elif [ $g_program = shorewall6-lite ]; then
|
|
SHAREDIR=/usr/share/shorewall6-lite
|
|
CONFDIR=/etc/shorewall6-lite
|
|
g_product="Shorewall6 Lite"
|
|
g_family=6
|
|
g_base=shorewall6
|
|
g_tool=ip6tables
|
|
g_basedir=/usr/share/shorewall6-lite
|
|
g_lite=Yes
|
|
elif [ $g_program = shorewall-lite ]; then
|
|
SHAREDIR=/usr/share/shorewall-lite
|
|
CONFDIR=/etc/shorewall-lite
|
|
g_product="Shorewall Lite"
|
|
g_family=4
|
|
g_base=shorewall
|
|
g_tool=iptables
|
|
g_basedir=/usr/share/shorewall-lite
|
|
g_lite=Yes
|
|
else
|
|
g_program=shorewall
|
|
SHAREDIR=/usr/share/shorewall
|
|
CONFDIR=/etc/shorewall
|
|
g_product="Shorewall"
|
|
g_family=4
|
|
g_tool=
|
|
g_basedir=/usr/share/shorewall
|
|
g_lite=
|
|
fi
|
|
|
|
finished=0
|
|
|
|
while [ $finished -eq 0 ]; do
|
|
[ $# -eq 0 ] && usage 1
|
|
option=$1
|
|
case $option in
|
|
-)
|
|
finished=1
|
|
;;
|
|
-*)
|
|
option=${option#-}
|
|
|
|
while [ -n "$option" ]; do
|
|
case $option in
|
|
c)
|
|
[ $# -eq 1 -o -n "$g_lite" ] && usage 1
|
|
|
|
if [ ! -d $2 ]; then
|
|
if [ -e $2 ]; then
|
|
echo "$2 is not a directory" >&2 && exit 2
|
|
else
|
|
echo "Directory $2 does not exist" >&2 && exit 2
|
|
fi
|
|
fi
|
|
|
|
SHOREWALL_DIR=$(resolve_file $2)
|
|
option=
|
|
shift
|
|
;;
|
|
e*)
|
|
[ -n "$g_lite" ] && usage 1
|
|
g_export=Yes
|
|
option=${option#e}
|
|
;;
|
|
x*)
|
|
g_ipt_options="-xnv"
|
|
option=${option#x}
|
|
;;
|
|
q*)
|
|
g_verbose_offset=$(($g_verbose_offset - 1 ))
|
|
option=${option#q}
|
|
;;
|
|
f*)
|
|
g_fast=Yes
|
|
option=${option#f}
|
|
;;
|
|
v*)
|
|
option=${option#v}
|
|
case $option in
|
|
-1*)
|
|
g_use_verbosity=-1
|
|
option=${option#-1}
|
|
;;
|
|
0*)
|
|
g_use_verbosity=0
|
|
option=${option#0}
|
|
;;
|
|
1*)
|
|
g_use_verbosity=1
|
|
option=${option#1}
|
|
;;
|
|
2*)
|
|
g_use_verbosity=2
|
|
option=${option#2}
|
|
;;
|
|
*)
|
|
g_verbose_offset=$(($g_verbose_offset + 1 ))
|
|
g_use_verbosity=
|
|
;;
|
|
esac
|
|
;;
|
|
n*)
|
|
g_noroutes=Yes
|
|
option=${option#n}
|
|
;;
|
|
t*)
|
|
g_timestamp=Yes
|
|
option=${option#t}
|
|
;;
|
|
-)
|
|
finished=1
|
|
option=
|
|
;;
|
|
*)
|
|
usage 1
|
|
;;
|
|
esac
|
|
done
|
|
shift
|
|
;;
|
|
*)
|
|
finished=1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ $# -eq 0 ]; then
|
|
usage 1
|
|
fi
|
|
|
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
MUTEX_TIMEOUT=
|
|
|
|
g_recovering=
|
|
g_timestamp=
|
|
g_libexec=/usr/share
|
|
g_perllib=/usr/share/shorewall
|
|
|
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
|
|
|
[ -n "${VARDIR:=/var/lib/$g_program}" ]
|
|
|
|
if [ ! -f ${VARDIR}/firewall ]; then
|
|
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
|
|
fi
|
|
|
|
g_firewall=${VARDIR}/firewall
|
|
|
|
if [ -z "$g_lite" ]; then
|
|
for library in base cli cli-std; do
|
|
. /usr/share/shorewall/lib.$library
|
|
done
|
|
else
|
|
for library in base cli; do
|
|
. ${SHAREDIR}/lib.$library
|
|
done
|
|
fi
|
|
|
|
version_file=$SHAREDIR/version
|
|
if [ -f $version_file ]; then
|
|
SHOREWALL_VERSION=$(cat $version_file)
|
|
else
|
|
echo " ERROR: $g_product is not properly installed" >&2
|
|
echo " The file $version_file does not exist" >&2
|
|
exit 1
|
|
fi
|
|
|
|
banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
|
|
|
|
case $(echo -e) in
|
|
-e*)
|
|
g_ring_bell="echo \a"
|
|
g_echo_e="echo"
|
|
;;
|
|
*)
|
|
g_ring_bell="echo -e \a"
|
|
g_echo_e="echo -e"
|
|
;;
|
|
esac
|
|
|
|
case $(echo -n "Testing") in
|
|
-n*)
|
|
g_echo_n=
|
|
;;
|
|
*)
|
|
g_echo_n=-n
|
|
;;
|
|
esac
|
|
|
|
COMMAND=$1
|
|
|
|
case "$COMMAND" in
|
|
start)
|
|
get_config Yes Yes
|
|
shift
|
|
start_command $@
|
|
;;
|
|
stop|clear)
|
|
[ $# -ne 1 ] && usage 1
|
|
get_config
|
|
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
|
|
[ -n "$nolock" ] || mutex_on
|
|
run_it $g_firewall $g_debugging $COMMAND
|
|
[ -n "$nolock" ] || mutex_off
|
|
;;
|
|
reset)
|
|
get_config
|
|
shift
|
|
[ -n "$nolock" ] || mutex_on
|
|
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
|
|
run_it $g_firewall $g_debugging reset $@
|
|
[ -n "$nolock" ] || mutex_off
|
|
;;
|
|
restart)
|
|
get_config Yes Yes
|
|
shift
|
|
restart_command $@
|
|
;;
|
|
disable|enable)
|
|
get_config Yes
|
|
if product_is_started; then
|
|
run_it ${VARDIR}/firewall $g_debugging $@
|
|
else
|
|
fatal_error "Shorewall is not running"
|
|
fi
|
|
;;
|
|
show|list)
|
|
get_config Yes No Yes
|
|
shift
|
|
show_command $@
|
|
;;
|
|
status)
|
|
[ $# -eq 1 ] || usage 1
|
|
[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
|
|
get_config
|
|
status_command
|
|
;;
|
|
dump)
|
|
get_config Yes No Yes
|
|
shift
|
|
dump_command $@
|
|
;;
|
|
hits)
|
|
[ $g_family -eq 6 ] && usage 1
|
|
get_config Yes No Yes
|
|
[ -n "$g_debugging" ] && set -x
|
|
shift
|
|
hits_command $@
|
|
;;
|
|
version)
|
|
shift
|
|
version_command $@
|
|
;;
|
|
logwatch)
|
|
get_config Yes Yes Yes
|
|
banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
|
|
logwatch_command $@
|
|
;;
|
|
drop)
|
|
get_config
|
|
[ -n "$g_debugging" ] && set -x
|
|
[ $# -eq 1 ] && usage 1
|
|
drop_command $@
|
|
;;
|
|
logdrop)
|
|
get_config
|
|
[ -n "$g_debugging" ] && set -x
|
|
[ $# -eq 1 ] && usage 1
|
|
logdrop_command $@
|
|
;;
|
|
reject|logreject)
|
|
get_config
|
|
[ -n "$g_debugging" ] && set -x
|
|
[ $# -eq 1 ] && usage 1
|
|
reject_command $@
|
|
;;
|
|
allow)
|
|
get_config
|
|
allow_command $@
|
|
;;
|
|
add)
|
|
get_config
|
|
shift
|
|
add_command $@
|
|
;;
|
|
delete)
|
|
get_config
|
|
shift
|
|
delete_command $@
|
|
;;
|
|
save)
|
|
get_config
|
|
[ -n "$g_debugging" ] && set -x
|
|
save_command $@
|
|
;;
|
|
forget)
|
|
get_config
|
|
forget_command $@
|
|
;;
|
|
ipcalc)
|
|
[ -n "$g_debugging" ] && set -x
|
|
ipcalc_command $@
|
|
;;
|
|
|
|
iprange)
|
|
[ -n "$g_debugging" ] && set -x
|
|
iprange_command $@
|
|
;;
|
|
ipdecimal)
|
|
[ -n "$g_debugging" ] && set -x
|
|
ipdecimal_command $@
|
|
;;
|
|
restore)
|
|
get_config
|
|
shift
|
|
restore_command $@
|
|
;;
|
|
call)
|
|
get_config
|
|
[ -n "$g_debugging" ] && set -x
|
|
#
|
|
# Undocumented way to call functions in the libraries directly
|
|
#
|
|
shift
|
|
$@
|
|
;;
|
|
help)
|
|
shift
|
|
usage
|
|
;;
|
|
iptrace)
|
|
get_config
|
|
shift
|
|
iptrace_command $@
|
|
;;
|
|
noiptrace)
|
|
get_config
|
|
shift
|
|
noiptrace_command $@
|
|
;;
|
|
*)
|
|
if [ -z "$g_lite" ]; then
|
|
compiler_command $@
|
|
else
|
|
usage 1
|
|
fi
|
|
;;
|
|
esac
|