shorewall_code/Shorewall/Perl/prog.header6
2010-09-23 06:48:29 -07:00

796 lines
16 KiB
Bash

#!/bin/sh
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
#
# Options are:
#
# -n Don't alter Routing
# -v and -q Standard Shorewall Verbosity control
# -t Timestamp progress messages
# -p Purge conntrack table
# -r Recover from failed start/restart
# -V <verbosity> Set verbosity level explicitly
# -R <restore> Overrides RESTOREFILE setting
#
# Commands are:
#
# start Starts the firewall
# refresh Refresh the firewall
# restart Restarts the firewall
# reload Reload the firewall
# clear Removes all firewall rules
# stop Stops the firewall
# status Displays firewall status
# version Displays the version of Shorewall that
# generated this program
#
################################################################################
# Functions imported from /usr/share/shorewall/prog.header6
################################################################################
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -gt 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %_d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Generate a list of all network interfaces on the system that have an ipv6 address
#
find_all_interfaces1() {
${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'mtu' in the passed arguments then echo the next value
#
find_mtu() {
while [ $# -gt 1 ]; do
[ "x$1" = xmtu ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
$IP -6 route list | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
#
# Determine if Interface is up
#
interface_is_up() {
[ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}
#
# Determine if interface is usable from a Netfilter prespective
#
interface_is_usable() # $1 = interface
{
[ "$1" = lo ] && return 0
interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
}
#
# Get all interface addresses with VLSMs
#
find_interface_full_addresses() # $1 = interface
{
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
}
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
local address
local rest
$IP -6 route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
if [ $# -gt 1 ]; then
shift
fatal_error "$@"
else
echo "WARNING: default route ignored on interface $1" >&2
fi
;;
multicast|broadcast|prohibit|nat|throw|nexthop)
;;
2*)
[ "$address" = "${address%/*}" ] && address="${address}/128"
echo $address
;;
esac
done
}
#
# Normalize an IPv6 Address by compressing out consecutive zero elements
#
normalize_address() # $1 = valid IPv6 Address
{
local address
address=$1
local j
while true; do
case $address in
::*)
address=0$address
;;
*::*)
list_count $(split $address)
j=$?
if [ $j -eq 7 ]; then
address=${address%::*}:0:${address#*::}
elif [ $j -eq 8 ]; then
$address=${address%::*}:${address#*::}
break 2
else
address=${address%::*}:0::${address#*::}
fi
;;
*)
echo $address
break 2
;;
esac
done
}
#
# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
# that defines a /120 or larger network, it sends to STDOUT:
#
# The corresponding subnet-router anycast address (all host address bits are zero)
# The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
#
convert_to_anycast() {
local address
local badress
local vlsm
local host
local o
local m
m=
local z
z=65535
local l
while read address; do
case $address in
2*|3*)
vlsm=${address#*/}
vlsm=${vlsm:=128}
if [ $vlsm -le 120 ]; then
#
# Defines a viable subnet -- first get the subnet-router anycast address
#
host=$((128 - $vlsm))
address=$(normalize_address ${address%/*})
while [ $host -ge 16 ]; do
address=${address%:*}
host=$(($host - 16))
done
if [ $host -gt 0 ]; then
#
# VLSM is not a multiple of 16
#
host=$((16 - $host))
o=$((0x${address##*:}))
m=0
while [ $host -gt 0 ]; do
m=$((($m >> 1) | 0x8000))
z=$(($z >> 1))
host=$(($host - 1))
done
o=$(($o & $m))
badress=${address%:*}
address=$badress:$(printf %04x $o)
z=$(($o | $z))
if [ $vlsm -gt 112 ]; then
z=$(($z & 0xff80))
fi
badress=$badress:$(printf %04x $z)
else
badress=$address
fi
#
# Note: at this point $address and $badress are the same except possibly for
# the contents of the last half-word
#
list_count $(split $address)
l=$?
#
# Now generate the anycast addresses defined by RFC 2526
#
if [ $l -lt 8 ]; then
#
# The subnet-router address
#
echo $address::
while [ $l -lt 8 ]; do
badress=$badress:ffff
l=$(($l + 1 ))
done
else
#
# The subnet-router address
#
echo $address
fi
#
# And the RFC 2526 addresses
#
echo $badress/121
fi
;;
esac
done
}
#
# Generate a list of anycast addresses for a given interface
#
get_interface_acasts() # $1 = interface
{
local addresses
addresses=
find_interface_full_addresses $1 | convert_to_anycast | sort -u
}
#
# Get a list of all configured anycast addresses on the system
#
get_all_acasts()
{
find_interface_full_addresses | convert_to_anycast | sort -u
}
#
# Detect the gateway through an interface
#
detect_gateway() # $1 = interface
{
local interface
interface=$1
#
# First assume that this is some sort of point-to-point interface
#
gateway=$( find_peer $($IP -6 addr list $interface ) )
#
# Maybe there's a default route through this gateway already
#
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
#
# Last hope -- is there a load-balancing route through the interface?
#
[ -n "$gateway" ] || gateway=$(find_nexthop $interface)
#
# Be sure we found one
#
[ -n "$gateway" ] && echo $gateway
}
delete_tc1()
{
clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null
}
run_tcclear_exit
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#
# Detect a device's MTU -- echos the passed device's MTU
#
get_device_mtu() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
if [ -n "$output" ]; then
echo $(find_mtu $output)
else
echo 1500
fi
}
#
# Version of the above that doesn't generate any output for MTU 1500.
# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
#
get_device_mtu1() # $1 = device
{
local output
output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(find_mtu $output)
if [ -n "$mtu" ]; then
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
fi
fi
}
#
# Undo changes to routing
#
undo_routing() {
if [ -z "$g_noroutes" ]; then
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
if [ -f ${VARDIR}/undo_routing ]; then
. ${VARDIR}/undo_routing
progress_message "Shorewall-generated routing tables and routing rules removed"
rm -f ${VARDIR}/undo_routing
fi
fi
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
restore_default_route() {
local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
result=1
while read route ; do
case $route in
default)
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt $IP -6 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt $IP -6 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
rm -f ${VARDIR}/default_route
fi
return $result
}
#
# Determine how to do "echo -e"
#
find_echo() {
local result
result=$(echo "a\tb")
[ ${#result} -eq 3 ] && { echo echo; return; }
result=$(echo -e "a\tb")
[ ${#result} -eq 3 ] && { echo "echo -e"; return; }
result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; }
echo echo
}
#
# Flush the conntrack table if $g_purge is non-empty
#
conditionally_flush_conntrack() {
if [ -n "$g_purge" ]; then
if [ -n $(which conntrack) ]; then
conntrack -F
else
error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
fi
fi
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
qt $IP6TABLES -t raw -F
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
run_clear_exit
set_state "Cleared"
logger -p kern.info "$g_product Cleared"
}
#
# Issue a message and stop/restore the firewall
#
fatal_error()
{
echo " ERROR: $@" >&2
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
}
#
# Issue a message and stop
#
startup_error() # $* = Error Message
{
echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
case $COMMAND in
start)
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
;;
restart)
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
;;
restore)
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
;;
esac
if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
;;
restart)
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
;;
restore)
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
;;
esac
fi
kill $$
exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
local status
while [ 1 ]; do
$IP6TABLES $@
status=$?
[ $status -ne 4 ] && break
done
if [ $status -ne 0 ]; then
error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run iptables retrying exit status 4
#
do_iptables()
{
local status
while [ 1 ]; do
$IP6TABLES $@
status=$?
[ $status -ne 4 ] && return $status;
done
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_ip()
{
if ! $IP -6 $@; then
error_message "ERROR: Command \"$IP -6 $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
if ! $TC $@ ; then
error_message "ERROR: Command \"$TC $@\" Failed"
stop_firewall
exit 2
fi
}
#
# Run the .iptables_restore_input as a set of discrete iptables commands
#
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
#
qt1 $IP6TABLES -t mangle -F
qt1 $IP6TABLES -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IP6TABLES -t mangle -P $chain ACCEPT
done
qt1 $IP6TABLES -t raw -F
qt1 $IP6TABLES -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
qt1 $IP6TABLES -t filter -F
qt1 $IP6TABLES -t filter -X
for chain in INPUT FORWARD OUTPUT; do
qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
done
while read first second rest; do
case $first in
-*)
#
# We can't call run_iptables() here because the rules may contain quoted strings
#
eval $IP6TABLES -t $table $first $second $rest
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
:*)
chain=${first#:}
if [ "x$second" = x- ]; then
do_iptables -t $table -N $chain
else
do_iptables -t $table -P $chain $second
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
#
# This grotesque hack with the table names works around a bug/feature with ash
#
'*'raw)
table=raw
;;
'*'mangle)
table=mangle
;;
'*'nat)
table=nat
;;
'*'filter)
table=filter
;;
esac
done
}
################################################################################
# End of functions imported from /usr/share/shorewall/prog.header6
################################################################################