shorewall_code/Shorewall-shell/diff-3.4-compiler


--- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400
+++ compiler 2008-03-09 16:00:16.000000000 -0400
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -35,6 +35,11 @@
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control.
+BASE_VERSION=40000
+BASE_VERSION_PRINTABLE=4.0.0
+CONFIG_VERSION=40000
+CONFIG_VERSION_PRINTABLE=4.0.0
+
#
# Fatal error -- stops the compiler after issuing the error message
#
@@ -128,7 +133,8 @@
#
append_file() # $1 = File Name
{
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
case $user_exit in
$SHAREDIR/*)
@@ -210,7 +216,8 @@
#
finish_chain_section() # $1 = canonical chain $2 = state list
{
- local policy policychain
+ local policy
+ local policychain
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@@ -241,7 +248,9 @@
finish_section() # $1 = Section(s)
{
- local zone zone1 chain
+ local zone
+ local zone1
+ local chain
for zone in $ZONES $FW; do
for zone1 in $ZONES $FW; do
@@ -263,7 +272,8 @@
#
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
run_iptables -N $1
@@ -286,7 +296,8 @@
#
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
ensurechain $1
@@ -313,7 +324,8 @@
#
havechain() # $1 = name of chain
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
eval test \"\$exists_${c}\" = Yes
}
@@ -675,11 +687,11 @@
progress_message2 "Compiling IP Forwarding..."
case "$IP_FORWARDING" in
- On|on)
+ On|on|ON|Yes|yes|YES)
save_progress_message "IP Forwarding Enabled"
save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
;;
- Off|off)
+ Off|off|OFF|No|no|NO)
save_progress_message "IP Forwarding Disabled!"
save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
;;
@@ -719,16 +731,25 @@
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit=
- local tag=$6
- local command=${7:--A}
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local displayChain
+ displayChain=$3
+ local disposition
+ disposition=$4
+ local rulenum
+ rulenum=
+ local limit
+ limit=
+ local tag
+ tag=$6
+ local command
+ command=${7:--A}
local prefix
- local base=$(chain_base $displayChain)
+ local base
+ base=$(chain_base $displayChain)
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
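Review bot: Now that every local in log_rule_limit is declared on its own line, the trailing comment `# Do this here rather than in the declaration above to appease /bin/ash` no longer explains anything: the `limit=` above it is an empty placeholder and the real assignment is just another plain statement like all the others. Either drop the empty `limit=` and the comment and keep only `local limit` followed by `limit="${5:-$LOGLIMIT}"`, or reword the comment to state the actual reason the whole file now declares and assigns separately, e.g. `# declare, then assign: some ash builds reject 'local x=$(...)' and it hides the command's exit status`. The function body continues past the end of the hunk.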
@@ -739,9 +760,12 @@
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local disposition=$3
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local disposition
+ disposition=$3
shift 3
@@ -756,9 +780,12 @@
# $2 = synparams
# $3 = loglevel
{
- local chain=@$1
- local limit=$2
- local limit_burst=
+ local chain
+ chain=@$1
+ local limit
+ limit=$2
+ local limit_burst
+ limit_burst=
case $limit in
*:*)
@@ -837,8 +864,10 @@
#
setup_ecn() # $1 = file name
{
- local interfaces=""
- local hosts=
+ local interfaces
+ interfaces=""
+ local hosts
+ hosts=
local h
if [ -s ${TMP_DIR}/ecn ]; then
@@ -886,7 +915,8 @@
#
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{
- local c=excl_${EXCLUSION_SEQ} net
+ local c
+ c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
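Review bot: The mechanical split in build_exclusion_chain turned `local c=excl_${EXCLUSION_SEQ} net` into `c=excl_${EXCLUSION_SEQ} net`, which is no longer a declaration but a prefixed-assignment command: the shell runs a command named `net` with c set only in that command's environment. Under bash c is therefore still empty after this line, and if a `net` binary exists on PATH (Samba installs one) it is executed as a side effect; other sh implementations differ on whether the assignment persists, which is exactly the portability problem this commit is trying to remove. The intended three statements are `local c`, `c=excl_${EXCLUSION_SEQ}`, `local net`. The rest of the function lies outside the hunk.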
@@ -916,7 +946,10 @@
# Setup queuing and classes
#
setup_tc1() {
- local mark_part= comment=
+ local mark_part
+ mark_part=
+ local comment
+ comment=
#
# Create the TC mangle chains
#
@@ -1025,7 +1058,8 @@
#
refresh_tc() {
- local comment=
+ local comment
+ comment=
if [ -n "$CLEAR_TC" ]; then
delete_tc
@@ -1089,9 +1123,12 @@
#
compile_refresh_firewall()
{
- local INDENT=""
- local DOING="Compiling Refresh of"
- local DONE="Compiled"
+ local INDENT
+ INDENT=""
+ local DOING
+ DOING="Compiling Refresh of"
+ local DONE
+ DONE="Compiled"
local indent
save_command "refresh_firewall()"
@@ -1142,7 +1179,8 @@
process_action_file() # $1 = File Name
{
if ! list_search $1 $BUILTIN_ACTIONS; then
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@@ -1173,7 +1211,12 @@
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{
- local actchain= action=$1 level=$2
+ local actchain
+ actchain=
+ local action
+ action=$1
+ local level
+ level=$2
eval actchain=\${${action}_actchain}
@@ -1259,7 +1302,14 @@
#
find_logactionchain() # $1 = Action, including log level and tag if any
{
- local fullaction=$1 action=${1%%:*} level= chains=
+ local fullaction
+ fullaction=$1
+ local action
+ action=${1%%:*}
+ local level
+ level=
+ local chains
+ chains=
find_simpleaction() {
havechain $action || fatal_error "Fatal error in find_logactionchain"
@@ -1302,7 +1352,10 @@
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
- local superior=$1 subordinate=$2
+ local superior
+ superior=$1
+ local subordinate
+ subordinate=$2
set -- $(split $1)
@@ -1379,7 +1432,9 @@
#
map_old_action() # $1 = Potential Old Action
{
- local macro= aktion
+ local macro
+ macro=
+ local aktion
if [ -n "$MAPOLDACTIONS" ]; then
case $1 in
@@ -1432,7 +1487,8 @@
#
substitute_action() # $1 = parameter, $2 = action
{
- local logpart=${2#*:}
+ local logpart
+ logpart=${2#*:}
case $2 in
*:*)
@@ -1630,7 +1686,8 @@
# policy = Applicable Policy
#
add_a_rule() {
- local natrule=
+ local natrule
+ natrule=
do_ports() {
if [ -n "$port" ]; then
@@ -2118,19 +2175,32 @@
# $9 = userspec
# $10= mark
{
- local target="$1"
- local clients="$2"
- local servers="$3"
- local protocol="$4"
- local ports="$5"
- local cports="$6"
- local address="$7"
- local ratelimit="$8"
- local userspec="$9"
- local mark="${10}"
- local userandgroup=
- local logtag=
- local nonat=
+ local target
+ target="$1"
+ local clients
+ clients="$2"
+ local servers
+ servers="$3"
+ local protocol
+ protocol="$4"
+ local ports
+ ports="$5"
+ local cports
+ cports="$6"
+ local address
+ address="$7"
+ local ratelimit
+ ratelimit="$8"
+ local userspec
+ userspec="$9"
+ local mark
+ mark="${10}"
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local nonat
+ nonat=
# # # # # F u n c t i o n B o d y # # # # #
@@ -2483,21 +2553,35 @@
# $9 = userspec
# $10= mark
{
- local itarget="$1"
- local param="$2"
- local iclients="$3"
- local iservers="$4"
- local iprotocol="$5"
- local iports="$6"
- local icports="$7"
- local iaddress="$8"
- local iratelimit="$9"
- local iuserspec="${10}"
- local imark="${11}"
+ local itarget
+ itarget="$1"
+ local param
+ param="$2"
+ local iclients
+ iclients="$3"
+ local iservers
+ iservers="$4"
+ local iprotocol
+ iprotocol="$5"
+ local iports
+ iports="$6"
+ local icports
+ icports="$7"
+ local iaddress
+ iaddress="$8"
+ local iratelimit
+ iratelimit="$9"
+ local iuserspec
+ iuserspec="${10}"
+ local imark
+ imark="${11}"
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+
+ [ $mtarget = COMMENT ] && continue
+
mtarget=$(merge_levels $itarget $mtarget)
case $mtarget in
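Review bot: The new `[ $mtarget = COMMENT ] && continue` leaves $mtarget unquoted, so a record whose first field is empty expands to `[ = COMMENT ]`, a test syntax error (status 2) that does not trigger `continue` and lets merge_levels run on an empty target; whether the macro input can contain such a line cannot be seen here, because the loop's input redirection is outside the hunk. The same diff already uses the `"x$1" = xdebug` pattern at the bottom of the file; `[ "x$mtarget" = xCOMMENT ] && continue` would match that convention and behave for empty or operator-like values. The enclosing function starts before this hunk.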
@@ -2575,13 +2659,19 @@
#
process_rules()
{
- local comment= optimize
+ local comment
+ comment=
+ local optimize
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
{
- local yclients yservers ysourcezone ydestzone ypolicy
+ local yclients
+ local yservers
+ local ysourcezone
+ local ydestzone
+ local ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
@@ -2614,7 +2704,8 @@
do_it() # $1 = "Yes" if the target is a macro.
{
- local intrazone=
+ local intrazone
+ intrazone=
if [ -z "$SECTIONS" ]; then
finish_section ESTABLISHED,RELATED
@@ -2794,17 +2885,35 @@
#
process_default_macro() # $1 = macro name
{
- local macro=$1
- local address=
- local multioption=
- local servport=
- local chain=$1
- local logchain=$1
- local userandgroup=
- local logtag=
- local excludesource=
- local target client server protocol port cport ratelimit userspec rule
- local f=$(find_file macro.${macro})
+ local macro
+ macro=$1
+ local address
+ address=
+ local multioption
+ multioption=
+ local servport
+ servport=
+ local chain
+ chain=$1
+ local logchain
+ logchain=$1
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local excludesource
+ excludesource=
+ local target
+ local client
+ local server
+ local protocol
+ local port
+ local cport
+ local ratelimit
+ local userspec
+ local rule
+ local f
+ f=$(find_file macro.${macro})
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@@ -3062,7 +3171,10 @@
#
process_tos() # $1 = name of tos file
{
- local chain=pretos stdchain=PREROUTING
+ local chain
+ chain=pretos
+ local stdchain
+ stdchain=PREROUTING
if [ -n "$MANGLE_FORWARD" ]; then
chain=fortos
@@ -3093,8 +3205,10 @@
# $3 = loglevel
# $4 = Default Action/Macro
{
- local target="$2"
- local default="$4"
+ local target
+ target="$2"
+ local default
+ default="$4"
if [ -n "$default" ]; then
[ "$default" = none ] || run_iptables -A $1 -j $default
@@ -3131,9 +3245,12 @@
#
default_policy() # $1 = client $2 = server
{
- local chain="${1}2${2}"
- local policy=
- local loglevel=
+ local chain
+ chain="${1}2${2}"
+ local policy
+ policy=
+ local loglevel
+ loglevel=
local chain1
jump_to_policy_chain() {
@@ -3235,14 +3352,18 @@
#
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
{
- local policy=
- local loglevel=
- local policychain=
- local default=
+ local policy
+ policy=
+ local loglevel
+ loglevel=
+ local policychain
+ policychain=
+ local default
+ default=
run_user_exit $1
- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
eval policychain=\$${2}2${3}_policychain
@@ -3267,7 +3388,8 @@
#
rules_chain() # $1 = source zone, $2 = destination zone
{
- local chain=${1}2${2} local policy
+ local chain
+ chain=${1}2${2} local policy
havechain $chain && { echo $chain; return; }
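Review bot: `chain=${1}2${2} local policy` in rules_chain is not a declaration any more but an assignment prefixed to the `local` builtin; bash scopes such assignments to that one command, so chain is empty when `havechain $chain` runs on the next line and the function goes on to work with an empty chain name. The three words should become three statements: `local chain`, `chain=${1}2${2}`, `local policy`. The original `local chain=${1}2${2} local policy` at least set chain (and incidentally declared a harmless local named `local`), so this hunk makes things worse rather than merely preserving an old oddity. The function body continues past the hunk.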
@@ -3376,8 +3498,10 @@
process_blacklist()
{
- local disposition=$BLACKLIST_DISPOSITION
- local f=$(find_file blacklist)
+ local disposition
+ disposition=$BLACKLIST_DISPOSITION
+ local f
+ f=$(find_file blacklist)
local target
if [ -s $TMP_DIR/blacklist ]; then
@@ -3411,8 +3535,10 @@
# Setup the Black List
#
setup_blacklist() {
- local hosts="$(find_hosts_by_option blacklist)"
- local ipsec policy
+ local hosts
+ hosts="$(find_hosts_by_option blacklist)"
+ local ipsec
+ local policy
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
progress_message2 "$DOING Blacklisting..."
@@ -3457,8 +3583,10 @@
# Construct zone-independent rules
#
add_common_rules() {
- local savelogparms="$LOGPARMS"
- local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+ local savelogparms
+ savelogparms="$LOGPARMS"
+ local broadcasts
+ broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Populate the smurf chain
#
@@ -3788,7 +3916,7 @@
save_progress_message "Setting up Route Filtering..."
- if [ -z "$ROUTE_FILTER" ]; then
+ if [ "$ROUTE_FILTER" = no ]; then
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3812,8 +3940,10 @@
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
- if [ -n "$ROUTE_FILTER" ]; then
+ if [ "$ROUTE_FILTER" = yes ]; then
save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
+ elif [ "$ROUTE_FILTER" = no ]; then
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter"
fi
save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
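Review bot: Replacing `[ -n "$ROUTE_FILTER" ]` with `[ "$ROUTE_FILTER" = yes ]` and adding the `= no` elif means any other value — empty, `Yes`, `1` — now matches neither branch and leaves default/rp_filter at whatever the kernel already had, where before every non-empty value enabled it; the IP_FORWARDING hunk in this same diff accepts `Yes|yes|YES`, so the two settings are parsed inconsistently. Unless lib.config canonicalises the value before this point (not visible here), an `else fatal_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER"` arm, or at minimum a comment stating that only lowercase yes/no are recognised, would stop a typo from silently leaving reverse-path filtering untouched. The surrounding setup code starts before this hunk.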
@@ -3829,7 +3959,7 @@
save_progress_message "Setting up Martian Logging..."
- if [ -z "$LOG_MARTIANS" ]; then
+ if [ "$LOG_MARTIANS" = no ]; then
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3852,9 +3982,12 @@
__EOF__
done
- if [ -n "$LOG_MARTIANS" ]; then
+ if [ "$LOG_MARTIANS" = yes ]; then
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
+ elif [ "$LOG_MARTIANS" = no ]; then
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians"
fi
fi
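Review bot: The same parsing gap as in the route-filter block applies here: `[ "$LOG_MARTIANS" = yes ]` and `= no` recognise only those two exact lowercase strings, and an empty or differently-cased value now falls through with no log_martians sysctl written at all, where the old `-n`/`-z` pair always took one branch. If the value is not already normalised by the config loader, an `else fatal_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS"` arm would keep the martian-logging state from being left to whatever the kernel booted with. The enclosing block starts before this hunk.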
@@ -3984,14 +4117,19 @@
#
activate_rules()
{
- local PREROUTING_rule=1
- local POSTROUTING_rule=1
+ local PREROUTING_rule
+ PREROUTING_rule=1
+ local POSTROUTING_rule
+ POSTROUTING_rule=1
#
# Jump to a NAT chain from one of the builtin nat chains
#
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
@@ -4009,7 +4147,10 @@
#
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
@@ -4037,7 +4178,15 @@
#
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 num=0 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local num
+ num=0
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4053,7 +4202,13 @@
#
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4101,7 +4256,8 @@
eval exclusions=\"\$${zone}_exclusions\"
if [ -n "$exclusions" ]; then
- local num=1
+ local num
+ num=1
in_chain=${zone}_input
out_chain=${zone}_output
createchain $in_chain No
@@ -4549,8 +4705,10 @@
# from that script are available here
#
compile_stop_firewall() {
- local IPTABLES_COMMAND="\$IPTABLES"
- local INDENT=" "
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND="\$IPTABLES"
+ local INDENT
+ INDENT=" "
cat >&3 << __EOF__
@@ -4894,10 +5052,18 @@
#
compile_firewall() # $1 = File Name
{
- local IPTABLES_COMMAND=run_iptables
- local INDENT=""
- local checking= outfile=$1 dir=
- local match=
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND=run_iptables
+ local INDENT
+ INDENT=""
+ local checking
+ checking=
+ local outfile
+ outfile=$1
+ local dir
+ dir=
+ local match
+ match=
setup_mss()
{
@@ -4951,7 +5117,7 @@
cat >&3 << __EOF__
#
-# Compiled firewall script generated by Shorewall $VERSION - $(date)"
+# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)"
#
__EOF__
@@ -4959,7 +5125,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall-lite
CONFDIR=/etc/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
__EOF__
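Review bot: `. \${CONFDIR}/vardir` in the generated shorewall-lite script executes the whole file as shell code with the firewall script's privileges, guarded only by `-f`; the intent is evidently a single `VARDIR=` assignment, but nothing says so. A comment in the emitted heredoc such as `# vardir is sourced as shell and must contain only VARDIR=<directory>` makes that contract explicit for anyone editing /etc/shorewall-lite. The following `[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]` works only through the `:=` side effect and reads like a no-op test; the conventional spelling is `: \${VARDIR:=/var/lib/shorewall-lite}`.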
@@ -4976,7 +5145,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
-VARDIR=/var/lib/shorewall
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall}" ]
. \${SHAREDIR}/lib.base
__EOF__
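Review bot: As in the lite variant, `. \${CONFDIR}/vardir` sources an arbitrary file from the configuration directory into the running firewall script, so its contents are executed rather than parsed; with CONFDIR being /etc/shorewall this is root-owned configuration, but the emitted script should state the expectation, e.g. `# vardir is sourced as shell code; it must contain only a VARDIR=<directory> assignment`. The bare test `[ -n "\${VARDIR:=/var/lib/shorewall}" ]` exists only for its `:=` side effect and its exit status is discarded; `: \${VARDIR:=/var/lib/shorewall}` says the same thing without looking like an unchecked test. Whether VARDIR is later used quoted is not visible from this hunk.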
@@ -5139,7 +5311,8 @@
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
fi
- local version=\$(cat \${SHAREDIR}/version)
+ local version
+ version=\$(cat \${SHAREDIR}/version)
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@@ -5178,6 +5351,7 @@
LOCKFILE="$LOCKFILE"
PATH="$PATH"
TERMINATOR=fatal_error
+ DONT_LOAD="$DONT_LOAD"
__EOF__
if [ -n "$IPTABLES" ]; then
@@ -5278,7 +5452,8 @@
# Start/Restart/Reload the firewall
#
define_firewall() {
- local restore_file=\$1
+ local restore_file
+ restore_file=\$1
__EOF__
INDENT=" "
@@ -5727,9 +5902,9 @@
# E X E C U T I O N B E G I N S H E R E
#
#
-# Start trace if first arg is "debug"
+# Start trace if first arg is "debug" or "trace"
#
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
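Review bot: `[ "x$1" = xdebug -o "x$1" = xtrace ]` depends on the `-o` operator, which POSIX marks obsolescent and which becomes ambiguous once an operand can itself look like an operator; two single tests joined by the shell are unambiguous and work in every sh: `[ $# -gt 1 ] && { [ "x$1" = xdebug ] || [ "x$1" = xtrace ]; } && { set -x ; shift ; }`. The `x` prefix is the right defensive choice and should stay. The comment above it now correctly lists both keywords.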
@@ -5754,6 +5929,11 @@
fi
done
+VERSION=$(cat $SHELLSHAREDIR/version)
+
+[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE"
+[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE"
+
PROGRAM=compiler
COMMAND="$1"