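uruk-20160219/0000755000175000017500000000000012661613117007753 500000000000000uruk-20160219/Makefile.am0000644000175000017500000000315712566620545011744 00000000000000
## Process this file with automake to produce Makefile.in

## this file maintained at http://git.mdcc.cx/uruk.git

# This script is free software; you can distribute it and/or modify it
# under the terms of the GNU GPL.  See the file COPYING.

## Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
## Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
## Copyright (C) 2003, 2004, 2005 Joost van Baal
## Copyright (C) 2013 Joost van Baal-Ilić

## see bootstrap for git2cl
## authors: joostvb,cgielen,wsl.  DO display message id's.
## The sed expression drops the <...> address of those three authors from
## the generated ChangeLog.
ChangeLog: NEWS
	git log --pretty --numstat --summary | git2cl | sed 's/<[jcw][^>][^>]*>//g' >ChangeLog

VERSION.m4 VERSION stamp.year stamp.month stamp.day: ChangeLog
	./setversion

CONFIGURE_DEPENDENCIES = VERSION.m4

## Hook `dist-bzip2' to `dist'.
## AUTOMAKE_OPTIONS = dist-bzip2 check-news
AUTOMAKE_OPTIONS = dist-xz check-news

## used in make dist[check]
VERSION = @PACKAGE_VERSION@
PACKAGE = @PACKAGE_TARNAME@

SUBDIRS = script man doc contrib init lsb

docdir = $(datadir)/doc/$(PACKAGE)
doc_DATA = AUTHORS COPYING ChangeLog ChangeLog.2003 README THANKS TODO

## local targets

MY_RDIR = beskar.mdcc.cx:www/mdcc.cx/pub/uruk/

## sign: write a detached, ASCII-armoured signature ($$i.asc) next to every
## distribution archive.  The loop stops at the first gpg failure; without
## that, only the status of the last archive would reach make and a release
## could go out with a signature missing.
sign:
	for i in $(DIST_ARCHIVES); do \
	  echo "gpg --armor --detach-sign $$i"; \
	  gpg --armor --detach-sign "$$i" || exit 1; \
	done

## publish: upload every archive together with its signature.  The archive
## is never copied unless its .asc exists and is non-empty, and a failed scp
## aborts the target, so the download area does not end up holding an
## unsigned or half-uploaded release.
publish:
	for i in $(DIST_ARCHIVES); do \
	  test -s "$$i.asc" || { echo "publish: no signature $$i.asc, run 'make sign' first" >&2; exit 1; }; \
	  echo "scp $$i $$i.asc $(MY_RDIR)"; \
	  scp "$$i" "$$i.asc" $(MY_RDIR) || exit 1; \
	done
	@echo now run: ssh beskar update-tar-symlinks uruk
	@echo '( or: ssh beskar.mdcc.cx ./bin/update-tar-symlinks uruk )'

EXTRA_DIST = bootstrap ChangeLog.2003 setversion stamp.month stamp.year \
    stamp.day VERSION.m4 VERSION
uruk-20160219/configure0000755000175000017500000031571112661613102011604 00000000000000
#! /bin/sh
# From configure.ac 20160219.
# Guess values for system-dependent variables and create Makefiles.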
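# Generated by GNU Autoconf 2.69 for Uruk 20160219.
#
# Report bugs to <joostvb-uruk@mdcc.cx>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.
#
#
# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005 Joost van Baal
#
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##

# NOTE(review): this is generated output; lasting changes belong in
# configure.ac, not here.  The statements below were fused onto one line on
# the page, which turned everything after the first '#' into a comment;
# they are laid out one per line again.

# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '${1+"$@"}'='"$@"'
  setopt NO_GLOB_SUBST
else
  case `(set -o) 2>/dev/null` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi


# as_nl holds exactly one newline.  Later code uses it as the third IFS
# character and as a separator inside patterns, so the literal line break
# between the quotes is significant.
as_nl='
'
export as_nl
# Printing a long string crashes Solaris 7 /usr/bin/printf.
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
# Prefer a ksh shell builtin over an external printf program on Solaris,
# but without wasting forks for bash or zsh.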
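# NOTE(review): generated M4sh prelude (Autoconf 2.69).  It picks a safe
# echo replacement, locates this script, scrubs environment variables that
# change shell behaviour, re-executes under a better shell when the current
# one fails the probes, and defines the as_fn_* helpers.  On the page the
# statements were fused onto a few long lines, so each '#' swallowed the
# code after it; the layout is restored here.  Lasting changes belong in
# configure.ac, not in this file.
if test -z "$BASH_VERSION$ZSH_VERSION" \
    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='print -r --'
  as_echo_n='print -rn --'
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='printf %s\n'
  as_echo_n='printf %s'
else
  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
    as_echo_n='/usr/ucb/echo -n'
  else
    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
    as_echo_n_body='eval
      arg=$1;
      case $arg in #(
      *"$as_nl"*)
	expr "X$arg" : "X\\(.*\\)$as_nl";
	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
      esac;
      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
    '
    export as_echo_n_body
    as_echo_n='sh -c $as_echo_n_body as_echo'
  fi
  export as_echo_body
  as_echo='sh -c $as_echo_body as_echo'
fi

# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
  PATH_SEPARATOR=:
  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
      PATH_SEPARATOR=';'
  }
fi


# IFS
# We need space, tab and new line, in precisely that order.  Quoting is
# there to prevent editors from complaining about space-tab.
# (If _AS_PATH_WALK were called with IFS unset, it would disable word
# splitting by setting IFS to empty value.)
IFS=" ""	$as_nl"

# Find who we are.  Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    for as_dir in $PATH
    do
      IFS=$as_save_IFS
      test -z "$as_dir" && as_dir=.
      test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
    done
    IFS=$as_save_IFS
    ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi

# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there.  '((' could
# trigger a bug in pdksh 5.2.14.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
PS1='$ '
PS2='> '
PS4='+ '

# NLS nuisances.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH

# Use a proper internal environment variable to ensure we don't fall
# into an infinite loop, continuously re-executing ourselves.
if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
  _as_can_reexec=no; export _as_can_reexec;
  # We cannot yet assume a decent shell, so we have to provide a
  # neutralization value for shells without unset; and this also
  # works around shells that cannot unset nonexistent variables.
  # Preserve -v and -x to the replacement shell.
  BASH_ENV=/dev/null
  ENV=/dev/null
  (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
  case $- in # ((((
    *v*x* | *x*v* ) as_opts=-vx ;;
    *v* ) as_opts=-v ;;
    *x* ) as_opts=-x ;;
    * ) as_opts= ;;
  esac
  # CONFIG_SHELL comes from the caller's environment and is executed as
  # given; nothing in this prelude validates it.
  exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
  # Admittedly, this is quite paranoid, since all the known shells bail
  # out after a failed `exec'.
  $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
  as_fn_exit 255
fi
# We don't want this to propagate to other subprocesses.
{ _as_can_reexec=; unset _as_can_reexec;}
if test "x$CONFIG_SHELL" = x; then
  # The three strings below are probe scripts: they are eval'ed in a
  # subshell here and piped into each candidate shell further down.
  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '\${1+\"\$@\"}'='\"\$@\"'
  setopt NO_GLOB_SUBST
else
  case \`(set -o) 2>/dev/null\` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi
"
  as_required="as_fn_return () { (exit \$1); }
as_fn_success () { as_fn_return 0; }
as_fn_failure () { as_fn_return 1; }
as_fn_ret_success () { return 0; }
as_fn_ret_failure () { return 1; }

exitcode=0
as_fn_success || { exitcode=1; echo as_fn_success failed.; }
as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :

else
  exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1
test -x / || exit 1"
  # The next two physical lines must stay adjacent: the probe checks that
  # the two recorded $LINENO values differ by exactly one.
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
  if (eval "$as_required") 2>/dev/null; then :
    as_have_required=yes
  else
    as_have_required=no
  fi
  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :

  else
    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    as_found=false
    for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
    do
      IFS=$as_save_IFS
      test -z "$as_dir" && as_dir=.
      as_found=:
      case $as_dir in #(
	/*)
	  for as_base in sh bash ksh sh5; do
	    # Try only shells that exist, to save several forks.
	    as_shell=$as_dir/$as_base
	    if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
	       { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
	      CONFIG_SHELL=$as_shell as_have_required=yes
	      if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
		break 2
	      fi
	    fi
	  done;;
      esac
      as_found=false
    done
    $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
		      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
      CONFIG_SHELL=$SHELL as_have_required=yes
    fi; }
    IFS=$as_save_IFS


    if test "x$CONFIG_SHELL" != x; then :
      export CONFIG_SHELL
      # We cannot yet assume a decent shell, so we have to provide a
      # neutralization value for shells without unset; and this also
      # works around shells that cannot unset nonexistent variables.
      # Preserve -v and -x to the replacement shell.
      BASH_ENV=/dev/null
      ENV=/dev/null
      (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
      case $- in # ((((
	*v*x* | *x*v* ) as_opts=-vx ;;
	*v* ) as_opts=-v ;;
	*x* ) as_opts=-x ;;
	* ) as_opts= ;;
      esac
      exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
      # Admittedly, this is quite paranoid, since all the known shells bail
      # out after a failed `exec'.
      $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
      exit 255
    fi

    if test x$as_have_required = xno; then :
      $as_echo "$0: This script requires a shell more modern than all"
      $as_echo "$0: the shells that I found on your system."
      if test x${ZSH_VERSION+set} = xset ; then
	$as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
	$as_echo "$0: be upgraded to zsh 4.3.4 or later."
      else
	$as_echo "$0: Please tell bug-autoconf@gnu.org and
$0: joostvb-uruk@mdcc.cx about your system, including any
$0: error possibly output before this message. Then install
$0: a modern shell, or manually run the script under such a
$0: shell if you do have one."
      fi
      exit 1
    fi
  fi
fi
SHELL=${CONFIG_SHELL-/bin/sh}
export SHELL
# Unset more variables known to interfere with behavior of common tools.
CLICOLOR_FORCE= GREP_OPTIONS=
unset CLICOLOR_FORCE GREP_OPTIONS

## --------------------- ##
## M4sh Shell Functions. ##
## --------------------- ##
# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset

# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit

# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
# A leading '-' is prefixed with ./ so mkdir cannot read it as an option,
# and single quotes in the name are escaped before the fallback
# eval "mkdir $as_dirs" runs.
as_fn_mkdir_p ()
{

  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      case $as_dir in #(
      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_dir" : 'X\(//\)[^/]' \| \
	 X"$as_dir" : 'X\(//\)$' \| \
	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p

# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  test -f "$1" && test -x "$1"
} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith


# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  $as_echo "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error

if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
	 X"$0" : 'X\(//\)$' \| \
	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits


# The two assignment lines below must stay on consecutive physical lines:
# the eval that follows checks that their $LINENO values differ by one.
  as_lineno_1=$LINENO as_lineno_1a=$LINENO
  as_lineno_2=$LINENO as_lineno_2a=$LINENO
  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
  sed -n '
    p
    /[$]LINENO/=
  ' <$as_myself |
    sed '
      s/[$]LINENO.*/&-/
      t lineno
      b
      :lineno
      N
      :loop
      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
      t loop
      s/-\n.*//
    ' >$as_me.lineno &&
  chmod +x "$as_me.lineno" ||
    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
  # already done that, so ensure we don't try to do so again and fall
  # in an infinite loop.  This has already happened in practice.
  _as_can_reexec=no; export _as_can_reexec
  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
  . "./$as_me.lineno"
  # Exit status is that of the last command.
  exit
}

ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

# Probe how links can be made, using scratch names derived from the PID
# (conf$$*) in the current directory; they are removed again below.
rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -pR'
  fi
else
  as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null

if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi

as_test_x='test -x'
as_executable_p=as_fn_executable_p

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"


# File descriptor 7 keeps the original stdin and stdin itself becomes
# /dev/null; descriptor 6 is a copy of stdout.  On the page these two
# statements were fused into "exec 7<&0 &1" because the text between '<'
# and '>' was lost; they are restored as Autoconf 2.69 emits them.
test -n "$DJDIR" || exec 7<&0 </dev/null
exec 6>&1

# Name of the host.
# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
# so uname gets run too.
ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`

#
# Initializations.
#
ac_default_prefix=/usr/local
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
cross_compiling=no
subdirs=
MFLAGS=
MAKEFLAGS=

# Identity of this package.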
# Package identity as recorded at generation time.  PACKAGE_STRING is the
# name and the version joined by one space.
PACKAGE_NAME="Uruk"
PACKAGE_TARNAME="uruk"
PACKAGE_VERSION="20160219"
PACKAGE_STRING="$PACKAGE_NAME $PACKAGE_VERSION"
PACKAGE_BUGREPORT="joostvb-uruk@mdcc.cx"
PACKAGE_URL=""

# Names of the output variables, of the --enable/--with options this package
# declares, and of the "precious" variables.  The separators inside these
# strings are kept exactly as the page shows them, because the option parser
# further down matches option names together with the characters around
# them.
ac_subst_vars='LTLIBOBJS LIBOBJS AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V AM_V am__untar am__tar AMTAR am__leading_dot SET_MAKE AWK mkdir_p MKDIR_P INSTALL_STRIP_PROGRAM STRIP install_sh MAKEINFO AUTOHEADER AUTOMAKE AUTOCONF ACLOCAL VERSION PACKAGE CYGPATH_W am__isrc INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL'
ac_subst_files=""
ac_user_opts=' enable_option_checking enable_silent_rules '
ac_precious_vars="build_alias host_alias target_alias"

# Initialize some variables set by options.
ac_init_help=
ac_init_version=false
ac_unrecognized_opts=
ac_unrecognized_sep=
# The variables have the same names as the options, with
# dashes changed to underlines.
cache_file=/dev/null
exec_prefix=NONE
no_create=
no_recursion=
prefix=NONE
program_prefix=NONE
program_suffix=NONE
program_transform_name=s,x,x,
silent=
site=
srcdir=
verbose=
x_includes=NONE
x_libraries=NONE

# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
# and all the variables that are supposed to be based on exec_prefix
# by default will actually change.
# Use braces instead of parens because sh, perl, etc. also accept them.
# (The list follows the same order as the GNU Coding Standards.)
bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | 
--datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. 
with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | 
--mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | 
--program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | 
--targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. 
with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? 
"cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures Uruk 20160219 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' 
messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/uruk] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF Program names: --program-prefix=PREFIX prepend PREFIX to installed program names --program-suffix=SUFFIX append SUFFIX to installed program names --program-transform-name=PROGRAM run sed PROGRAM on 
installed program names _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of Uruk 20160219:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-silent-rules less verbose build output (undo: "make V=1") --disable-silent-rules verbose build output (undo: "make V=0") Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. 
if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF Uruk configure 20160219 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/ Copyright (C) 2003, 2004, 2005 Joost van Baal _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by Uruk $as_me 20160219, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. 
## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. 
# Build ac_configure_args: a single-quoted, de-duplicated copy of the command
# line. Each argument is wrapped in '...' and embedded apostrophes are
# rewritten by the sed call, so the string can be re-evaluated by a shell
# later without word splitting or expansion of the argument text.
# as_fn_append is not defined in this part of the script.
ac_configure_args=
ac_configure_args0=
ac_configure_args1=
ac_must_keep_next=false
for ac_pass in 1 2
do
  for ac_arg
  do
    case $ac_arg in
    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
    | -silent | --silent | --silen | --sile | --sil)
      continue ;;
    *\'*)
      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
    esac
    case $ac_pass in
    # Pass 1 only collects every quoted argument; pass 2 uses that list to
    # drop an option that is repeated later on the command line.
    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
    2)
      as_fn_append ac_configure_args1 " '$ac_arg'"
      if test $ac_must_keep_next = true; then
        ac_must_keep_next=false # Got value, back to normal.
      else
        case $ac_arg in
          *=* | --config-cache | -C | -disable-* | --disable-* \
          | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
          | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
          | -with-* | --with-* | -without-* | --without-* | --x)
            case "$ac_configure_args0 " in
              "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
            esac
            ;;
          # Any other dash option: keep the following word as its value.
          -* ) ac_must_keep_next=true ;;
        esac
      fi
      as_fn_append ac_configure_args " '$ac_arg'"
      ;;
    esac
  done
done
{ ac_configure_args0=; unset ac_configure_args0;}
{ ac_configure_args1=; unset ac_configure_args1;}

# Exit handler (trap on 0). It appends a debugging dump to file descriptor 5,
# which this script opened on config.log, and then removes conftest*/confdefs*
# scratch files from the current directory.
# NOTE(review): the dump contains every *_cv_* cache variable, every variable
# listed in $ac_subst_vars / $ac_subst_files, and all of confdefs.h, in plain
# text. Anything secret that reaches configure through VAR=VALUE arguments or
# the environment can therefore end up in config.log; treat that file as
# sensitive before attaching it to bug reports or publishing CI artifacts.
# The trap body is one single-quoted string, so no comments are added inside.
# When interrupted or exit'd, cleanup temporary files, and complete
# config.log. We remove comments because anyway the quotes in there
# would cause problems or look ugly.
# WARNING: Use '\'' to represent an apostrophe within the trap.
# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
trap 'exit_status=$?
  # Save into config.log some information that might help in debugging.
  {
    echo
    $as_echo "## ---------------- ##
## Cache variables. ##
## ---------------- ##"
    echo
    # The following way of writing the cache mishandles newlines in values,
(
  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
    eval ac_val=\$$ac_var
    case $ac_val in #(
    *${as_nl}*)
      case $ac_var in #(
      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      esac
      case $ac_var in #(
      _ | IFS | as_nl) ;; #(
      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
      *) { eval $ac_var=; unset $ac_var;} ;;
      esac ;;
    esac
  done
  (set) 2>&1 |
    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
    *${as_nl}ac_space=\ *)
      sed -n \
        "s/'\''/'\''\\\\'\'''\''/g;
          s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
      ;; #(
    *)
      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
      ;;
    esac |
    sort
)
    echo
    $as_echo "## ----------------- ##
## Output variables. ##
## ----------------- ##"
    echo
    for ac_var in $ac_subst_vars
    do
      eval ac_val=\$$ac_var
      case $ac_val in
      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
      esac
      $as_echo "$ac_var='\''$ac_val'\''"
    done | sort
    echo
    if test -n "$ac_subst_files"; then
      $as_echo "## ------------------- ##
## File substitutions. ##
## ------------------- ##"
      echo
      for ac_var in $ac_subst_files
      do
        eval ac_val=\$$ac_var
        case $ac_val in
        *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
        esac
        $as_echo "$ac_var='\''$ac_val'\''"
      done | sort
      echo
    fi
    if test -s confdefs.h; then
      $as_echo "## ----------- ##
## confdefs.h. ##
## ----------- ##"
      echo
      cat confdefs.h
      echo
    fi
    test "$ac_signal" != 0 &&
      $as_echo "$as_me: caught signal $ac_signal"
    $as_echo "$as_me: exit $exit_status"
  } >&5
  rm -f core *.core core.conftest.* &&
    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
    exit $exit_status
' 0
# Signals 1, 2, 13 and 15 record their number in ac_signal and then call
# as_fn_exit 1 (defined elsewhere), which lets the exit trap above run.
for ac_signal in 1 2 13 15; do
  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
done
ac_signal=0

# confdefs.h avoids OS command line length limits that DEFS can exceed.
rm -f -r conftest* confdefs.h

$as_echo "/* confdefs.h */" > confdefs.h

# Predefined preprocessor variables.
# The here-documents are unquoted, so the PACKAGE_* shell variables are
# expanded while confdefs.h is written.

cat >>confdefs.h <<_ACEOF
#define PACKAGE_NAME "$PACKAGE_NAME"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_VERSION "$PACKAGE_VERSION"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_STRING "$PACKAGE_STRING"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_URL "$PACKAGE_URL"
_ACEOF


# Site script selection. The chosen file is read with the `.` builtin below,
# so its contents run as shell code inside this configure process.
# NOTE(review): CONFIG_SITE comes from the environment, and the fallbacks are
# config.site under $prefix (or $ac_default_prefix). Whoever can set that
# variable or write those files controls the build. For a controlled build,
# point CONFIG_SITE at a reviewed file or at /dev/null; the loop below
# explicitly skips /dev/null.
# Let the site file select an alternate cache file if it wants to.
# Prefer an explicitly selected file to automatically selected ones.
ac_site_file1=NONE
ac_site_file2=NONE
if test -n "$CONFIG_SITE"; then
  # We do not want a PATH search for config.site.
  case $CONFIG_SITE in #((
    -*) ac_site_file1=./$CONFIG_SITE;;
    */*) ac_site_file1=$CONFIG_SITE;;
    *) ac_site_file1=./$CONFIG_SITE;;
  esac
elif test "x$prefix" != xNONE; then
  ac_site_file1=$prefix/share/config.site
  ac_site_file2=$prefix/etc/config.site
else
  ac_site_file1=$ac_default_prefix/share/config.site
  ac_site_file2=$ac_default_prefix/etc/config.site
fi
for ac_site_file in "$ac_site_file1" "$ac_site_file2"
do
  test "x$ac_site_file" = xNONE && continue
  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
$as_echo "$as_me: loading site script $ac_site_file" >&6;}
    # The script text is copied into config.log with a "| " prefix before it
    # is executed, which leaves an audit trail of what was sourced.
    sed 's/^/| /' "$ac_site_file" >&5
    . "$ac_site_file" \
      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; }
  fi
done

# Cache file handling. A readable regular cache file is also read with `.`,
# so it is executed as shell code; unlike the site script it is not copied
# into config.log first. The --help text of this script lists the cache as
# disabled unless --cache-file or -C is given.
# NOTE(review): only reuse a cache file that this build produced itself.
if test -r "$cache_file"; then
  # Some versions of bash will fail to source /dev/null (special files
  # actually), so we avoid doing that. DJGPP emulates it as a regular file.
  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
$as_echo "$as_me: loading cache $cache_file" >&6;}
    case $cache_file in
      [\\/]* | ?:[\\/]* ) . "$cache_file";;
      *) . "./$cache_file";;
    esac
  fi
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
$as_echo "$as_me: creating cache $cache_file" >&6;}
  # Creates or truncates the file; note that the expansion is unquoted here.
  >$cache_file
fi

# Compare each precious variable as recorded in the cache (ac_cv_env_*) with
# its value in the current environment (ac_env_*). Any difference other than
# whitespace marks the cache as corrupted and aborts the run further down.
# Check that the precious variables saved in the cache have kept the same
# value.
ac_cache_corrupted=false
for ac_var in $ac_precious_vars; do
  eval ac_old_set=\$ac_cv_env_${ac_var}_set
  eval ac_new_set=\$ac_env_${ac_var}_set
  eval ac_old_val=\$ac_cv_env_${ac_var}_value
  eval ac_new_val=\$ac_env_${ac_var}_value
  case $ac_old_set,$ac_new_set in
    set,)
      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,set)
      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,);;
    *)
      if test "x$ac_old_val" != "x$ac_new_val"; then
        # differences in whitespace do not lead to failure.
        ac_old_val_w=`echo x $ac_old_val`
        ac_new_val_w=`echo x $ac_new_val`
        if test "$ac_old_val_w" != "$ac_new_val_w"; then
          { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
          ac_cache_corrupted=:
        else
          { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
          eval $ac_var=\$ac_old_val
        fi
        { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
        { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
      fi;;
  esac
  # Pass precious variables to config.status.
  # The value is quoted the same way as the command-line arguments above.
  if test "$ac_new_set" = set; then
    case $ac_new_val in
    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
    *) ac_arg=$ac_var=$ac_new_val ;;
    esac
    case " $ac_configure_args " in
      *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
    esac
  fi
done
# ac_cache_corrupted holds either `false` or `:` and is run as a command.
if $ac_cache_corrupted; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
fi
## -------------------- ##
## Main body of script.
## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu am__api_version='1.15' ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. 
# Reject install programs that cannot install multiple files.
# Selection order: a user-supplied $INSTALL wins, then a cached
# ac_cv_path_install, then the first acceptable program found on $PATH,
# and finally the $ac_install_sh script.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
$as_echo_n "checking for a BSD-compatible install... " >&6; }
if test -z "$INSTALL"; then
if ${ac_cv_path_install+:} false; then :
  $as_echo_n "(cached) " >&6
else
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  # An empty PATH element means the current directory; the case below lists
  # ./ among the skipped locations, so a program named install in the build
  # directory is never selected.
  test -z "$as_dir" && as_dir=.
    # Account for people who put trailing slashes in PATH elements.
case $as_dir/ in #((
  ./ | .// | /[cC]/* | \
  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
  ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
  /usr/ucb/* ) ;;
  *)
    # OSF1 and SCO ODT 3.0 have their own names for install.
    # Don't use installbsd from OSF since it installs stuff as root
    # by default.
    for ac_prog in ginstall scoinst install; do
      for ac_exec_ext in '' $ac_executable_extensions; do
        if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
          if test $ac_prog = install &&
            grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
            # AIX install. It has an incompatible calling convention.
            :
          elif test $ac_prog = install &&
            grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
            # program-specific install script used by HP pwplus--don't use.
            :
          else
            # Functional probe: the candidate is executed and must copy two
            # files into a directory while leaving the originals in place.
            rm -rf conftest.one conftest.two conftest.dir
            echo one > conftest.one
            echo two > conftest.two
            mkdir conftest.dir
            if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
              test -s conftest.one &&
              test -s conftest.two &&
              test -s conftest.dir/conftest.one &&
              test -s conftest.dir/conftest.two
            then
              ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
              break 3
            fi
          fi
        fi
      done
    done
    ;;
esac

  done
IFS=$as_save_IFS

rm -rf conftest.one conftest.two conftest.dir

fi
  if test "${ac_cv_path_install+set}" = set; then
    INSTALL=$ac_cv_path_install
  else
    # As a last resort, use the slow shell script. Don't cache a
    # value for INSTALL within a source directory, because that will
    # break other packages using the cache if that directory is
    # removed, or if the value is a relative name.
    INSTALL=$ac_install_sh
  fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
$as_echo "$INSTALL" >&6; }

# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
# It thinks the first close brace ends the variable substitution.
test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'

test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'

test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5
$as_echo_n "checking whether build environment is sane... " >&6; }
# Reject unsafe characters in $srcdir or the absolute working directory
# name. Accept space and tab only in the latter.
# The rejected set is backslash, double quote, #, $, &, apostrophe, backquote
# and newline; presumably because these paths are later pasted into shell
# commands and make rules without further quoting.
# NOTE(review): the page shows am_lf as a quoted blank and the last escaped
# character of the srcdir class as a second blank; they are restored here as
# a newline and a TAB, following the variable name and the comment above.
am_lf='
'
case `pwd` in
  *[\\\"\#\$\&\'\`$am_lf]*)
    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;;
esac
case $srcdir in
  *[\\\"\#\$\&\'\`$am_lf\ \	]*)
    as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;;
esac

# Clock check: a file created now must sort as newer than the distributed
# configure script in `ls -t` output; otherwise the run is aborted.
# Do 'set' in a subshell so we don't clobber the current shell's
# arguments. Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
if (
   am_has_slept=no
   for am_try in 1 2; do
     echo "timestamp, slept: $am_has_slept" > conftest.file
     set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
     if test "$*" = "X"; then
        # -L didn't work.
        set X `ls -t "$srcdir/configure" conftest.file`
     fi
     if test "$*" != "X $srcdir/configure conftest.file" \
        && test "$*" != "X conftest.file $srcdir/configure"; then

        # If neither matched, then we have a broken ls. This can happen
        # if, for instance, CONFIG_SHELL is bash and it inherits a
        # broken ls alias from the environment. This has actually
        # happened. Such a system could not be considered "sane".
        as_fn_error $? "ls -t appears to fail. Make sure there is not a broken alias in your environment" "$LINENO" 5
     fi
     if test "$2" = conftest.file || test $am_try -eq 2; then
       break
     fi
     # Just in case.
     sleep 1
     am_has_slept=yes
   done
   test "$2" = conftest.file
   )
then
   # Ok.
   :
else
   as_fn_error $? "newly created file is older than distributed files! Check your system clock" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
# If we didn't sleep, we still need to ensure time stamps of config.status and
# generated files are strictly newer.
# The one-second sleep runs in the background; its PID is kept in
# am_sleep_pid and is not waited for in this part of the script.
am_sleep_pid=
if grep 'slept: no' conftest.file >/dev/null 2>&1; then
  ( sleep 1 ) &
  am_sleep_pid=$!
fi

rm -f conftest.file

# Fold --program-prefix / --program-suffix into the sed program held in
# program_transform_name.
test "$program_prefix" != NONE &&
  program_transform_name="s&^&$program_prefix&;$program_transform_name"
# Use a double $ so make ignores it.
test "$program_suffix" != NONE &&
  program_transform_name="s&\$&$program_suffix&;$program_transform_name"
# Double any \ or $.
# By default was `s,x,x', remove it if useless.
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`

# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`

# MISSING is only given a default when the caller has not set it. The path is
# quoted inside the value when am_aux_dir contains blanks.
# NOTE(review): the two case alternatives print identically on the page; the
# second is presumably an escaped TAB and is restored as one here.
if test x"${MISSING+set}" != xset; then
  case $am_aux_dir in
  *\ * | *\	*)
    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
  *)
    MISSING="\${SHELL} $am_aux_dir/missing" ;;
  esac
fi
# Use eval to expand $SHELL
# NOTE(review): when MISSING is inherited from the environment its whole
# value goes through eval and is executed as shell text; run configure only
# with an environment you trust.
if eval "$MISSING --is-lightweight"; then
  am_missing_run="$MISSING "
else
  am_missing_run=
  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5
$as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;}
fi

# Same defaulting as MISSING, for the install_sh variable.
if test x"${install_sh+set}" != xset; then
  case $am_aux_dir in
  *\ * | *\	*)
    install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
  *)
    install_sh="\${SHELL} $am_aux_dir/install-sh"
  esac
fi

# Installed binaries are usually stripped using 'strip' when the user
# run "make install-strip".
However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the 'STRIP' environment variable to overrule this program. if test "$cross_compiling" != no; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_STRIP"; then ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_STRIP" = x; then STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac STRIP=$ac_ct_STRIP fi else STRIP="$ac_cv_prog_STRIP" fi fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. 
Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } for ac_prog in gawk mawk nawk awk do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AWK+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then ac_cv_prog_AWK="$AWK" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 $as_echo "$AWK" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$AWK" && break done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. 
case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null # Check whether --enable-silent-rules was given. if test "${enable_silent_rules+set}" = set; then : enableval=$enable_silent_rules; fi case $enable_silent_rules in # ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=1;; esac am_make=${MAKE-make} { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 $as_echo_n "checking whether $am_make supports nested variables... " >&6; } if ${am_cv_make_support_nested_variables+:} false; then : $as_echo_n "(cached) " >&6 else if $as_echo 'TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 $as_echo "$am_cv_make_support_nested_variables" >&6; } if test $am_cv_make_support_nested_variables = yes; then AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AM_BACKSLASH='\' if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then as_fn_error $? 
"source directory already configured; run \"make distclean\" there first" "$LINENO" 5 fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi # Define the identity of the package. PACKAGE='uruk' VERSION='20160219' cat >>confdefs.h <<_ACEOF #define PACKAGE "$PACKAGE" _ACEOF cat >>confdefs.h <<_ACEOF #define VERSION "$VERSION" _ACEOF # Some tools Automake needs. ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # mkdir_p='$(MKDIR_P)' # We need awk for the "check" target (and possibly the TAP driver). The # system "awk" is bad on some platforms. # Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AMTAR='$${TAR-tar}' # We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar pax cpio none' am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -' # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! 
Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi fi ## AC_CHECK_PROG(HASZOEM, zoem, yes, no) ## if test "xno" = "x$HASZOEM" ## then ## AC_MSG_ERROR([cannot find zoem ( http://micans.org/zoem ) in your PATH ]) ## fi ## AC_CHECK_PROG(HASGROFF, groff, yes, no) ## AC_CHECK_PROG(HASGROFF, col, yes, no) ac_config_files="$ac_config_files Makefile contrib/Makefile doc/Makefile init/Makefile man/Makefile man/include.zmm script/Makefile lsb/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. 
# # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! 
-f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' # Transform confdefs.h into DEFS. # Protect against shell expansion while executing Makefile rules. # Protect against Makefile macro expansion. # # If the first sed substitution is executed (which looks for macros that # take arguments), then branch to the quote section. Otherwise, # look for a macro that doesn't take arguments. ac_script=' :mline /\\$/{ N s,\\\n,, b mline } t clear :clear s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g t quote s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g t quote b any :quote s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g s/\[/\\&/g s/\]/\\&/g s/\$/$$/g H :any ${ g s/^\n// s/\n/ /g p } ' DEFS=`sed -n "$ac_script" confdefs.h` ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs { $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5 $as_echo_n "checking that generated files are newer than configure... 
" >&6; } if test -n "$am_sleep_pid"; then # Hide warnings about reused PIDs. wait $am_sleep_pid 2>/dev/null fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5 $as_echo "done" >&6; } : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. 
if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. 
in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... 
# ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. 
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. 
## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by Uruk $as_me 20160219, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE Configuration files: $config_files Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ Uruk config.status 20160219 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. 
This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' AWK='$AWK' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --he | --h | --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." 
;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;; "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; "init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;; "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;; "man/include.zmm") CONFIG_FILES="$CONFIG_FILES man/include.zmm" ;; "script/Makefile") CONFIG_FILES="$CONFIG_FILES script/Makefile" ;; "lsb/Makefile") CONFIG_FILES="$CONFIG_FILES lsb/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files fi # Have a temporary directory for convenience. 
Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? 
"could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). 
if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" eval set X " :F $CONFIG_FILES " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. 
case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. 
ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? 
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. 
# Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi uruk-20160219/VERSION.m40000644000175000017500000000004512661613100011251 00000000000000m4_define([AD1_VERSION], [20160219]) uruk-20160219/configure.ac0000644000175000017500000000360412033563141012156 00000000000000# Based upon autoscan(1) output. # this file maintained at http://git.mdcc.cx/uruk.git # Process this file with autoconf to produce a configure script. # This script is free software; you can distribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This script is distributed WITHOUT ANY WARRANTY. # # You should have received a copy of the GNU GPL along with this script # (e.g. in the file COPYING). If not, see . 
# We have to use m4_include here: autoconf doesn't do includes natively # we can't use aclocal.m4 / acinclude.m4 (which is added to aclocal.m4 by # aclocal) neither: # "Every `configure' script must call `AC_INIT' before doing anything # else." m4_include([VERSION.m4])dnl # Initializing `configure' # # It is preferable that the arguments of `AC_INIT' be static, i.e., # there should not be any shell computation, but they can be # computed by M4. AC_INIT([Uruk], [AD1_VERSION], [joostvb-uruk@mdcc.cx], [uruk]) AC_PREREQ(2.67) AM_INIT_AUTOMAKE AC_COPYRIGHT([ Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/ Copyright (C) 2003, 2004, 2005 Joost van Baal ]) AC_REVISION([AD1_VERSION]) ## AC_CHECK_PROG(HASZOEM, zoem, yes, no) ## if test "xno" = "x$HASZOEM" ## then ## AC_MSG_ERROR([cannot find zoem ( http://micans.org/zoem ) in your PATH ]) ## fi ## AC_CHECK_PROG(HASGROFF, groff, yes, no) ## AC_CHECK_PROG(HASGROFF, col, yes, no) AC_CONFIG_FILES([Makefile contrib/Makefile doc/Makefile init/Makefile man/Makefile man/include.zmm script/Makefile lsb/Makefile]) AC_OUTPUT uruk-20160219/aclocal.m40000644000175000017500000006525312661613101011537 00000000000000# generated automatically by aclocal 1.15 -*- Autoconf -*- # Copyright (C) 1996-2014 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. 
# Compatibility definitions and version guard written by aclocal.
# When the running Autoconf lacks AC_CONFIG_MACRO_DIRS, define it as a
# wrapper that forwards its arguments to an empty _AM_CONFIG_MACRO_DIRS.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
# When AC_AUTOCONF_VERSION is not defined, copy it from m4_PACKAGE_VERSION.
m4_ifndef([AC_AUTOCONF_VERSION],
  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
# A mismatch with Autoconf 2.69 only produces a warning; processing continues.
# This file is generated, so the remedy named in the message is to regenerate
# the build system with the package's documented procedure.
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],,
[m4_warning([this file was generated for autoconf 2.69. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])])

# Copyright (C) 2002-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_AUTOMAKE_VERSION(VERSION)
# ----------------------------
# Automake X.Y traces this macro to ensure aclocal.m4 has been
# generated from the m4 files accompanying Automake X.Y.
# (This private macro should not be called outside this file.)
# Sets am__api_version to '1.15' and stops with AC_FATAL when VERSION is
# anything other than 1.15.
AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.15'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.15], [],
      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])

# _AM_AUTOCONF_VERSION(VERSION)
# -----------------------------
# aclocal traces this macro to find the Autoconf version.
# This is a private macro too. Using m4_define simplifies
# the logic in aclocal, which can simply ignore this definition.
# The definition itself expands to nothing.
m4_define([_AM_AUTOCONF_VERSION], [])

# AM_SET_CURRENT_AUTOMAKE_VERSION
# -------------------------------
# Call AM_AUTOMAKE_VERSION and _AM_AUTOCONF_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
# Expands AM_AUTOMAKE_VERSION with 1.15, defines AC_AUTOCONF_VERSION from
# m4_PACKAGE_VERSION when it is missing, and passes the resulting version
# to _AM_AUTOCONF_VERSION.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.15])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])

# AM_AUX_DIR_EXPAND -*- Autoconf -*-

# Copyright (C) 2001-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
# $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to
# '$srcdir', '$srcdir/..', or '$srcdir/../..'.
#
# Of course, Automake must honor this variable whenever it calls a
# tool from the auxiliary directory. The problem is that $srcdir (and
# therefore $ac_aux_dir as well) can be either absolute or relative,
# depending on how configure is run. This is pretty annoying, since
# it makes $ac_aux_dir quite unusable in subdirectories: in the top
# source directory, any form will work fine, but in subdirectories a
# relative path needs to be adjusted first.
#
# $ac_aux_dir/missing
#    fails when called from a subdirectory if $ac_aux_dir is relative
# $top_srcdir/$ac_aux_dir/missing
#    fails if $ac_aux_dir is absolute,
#    fails when called from a subdirectory in a VPATH build with
#          a relative $ac_aux_dir
#
# The reason for the latter failure is that $top_srcdir and $ac_aux_dir
# are both prefixed by $srcdir. In an in-source build this is usually
# harmless because $srcdir is '.', but things will break when you
# start a VPATH build or use an absolute $srcdir.
#
# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
# iff we strip the leading $srcdir from $ac_aux_dir. That would be:
#   am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
# and then we would define $MISSING as
#   MISSING="\${SHELL} $am_aux_dir/missing"
# This will work as long as MISSING is not called from configure, because
# unfortunately $(top_srcdir) has no meaning in configure.
# However there are other variables, like CC, which are often used in
# configure, and could therefore not use this "fixed" $ac_aux_dir.
#
# Another solution, used here, is to always expand $ac_aux_dir to an
# absolute PATH. The drawback is that using absolute paths prevents a
# configured tree from being moved without reconfiguration.
#
# The expansion below runs 'pwd' only when the 'cd' succeeds, so a failed
# 'cd' leaves am_aux_dir empty; no check for that case is visible here.
# Macros that build paths as "$am_aux_dir/<script>" (AM_MISSING_HAS_RUN,
# AM_PROG_INSTALL_SH) would then name a script directly under '/'.
AC_DEFUN([AM_AUX_DIR_EXPAND],
[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`
])

# Do all the work for Automake. -*- Autoconf -*-

# Copyright (C) 1996-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This macro actually does too much. Some checks are only needed if
# your package does certain things. But this isn't really a big deal.

dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O.
dnl The previous definition is kept (via m4_defn) and _AM_PROG_CC_C_O is
dnl appended after it.
m4_define([AC_PROG_CC],
m4_defn([AC_PROG_CC])
[_AM_PROG_CC_C_O
])

# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
# AM_INIT_AUTOMAKE([OPTIONS])
# -----------------------------------------------
# The call with PACKAGE and VERSION arguments is the old style
# call (pre autoconf-2.50), which is being phased out. PACKAGE
# and VERSION should now be passed to AC_INIT and removed from
# the call to AM_INIT_AUTOMAKE.
# We support both call styles for the transition. After
# the next Automake release, Autoconf can make the AC_INIT
# arguments mandatory, and then we can depend on a new Autoconf
# release and drop the old call support.
AC_DEFUN([AM_INIT_AUTOMAKE], [AC_PREREQ([2.65])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl # test to see if srcdir already configured if test -f $srcdir/config.status; then AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi AC_SUBST([CYGPATH_W]) # Define the identity of the package. dnl Distinguish between old-style and new-style calls. m4_ifval([$2], [AC_DIAGNOSE([obsolete], [$0: two- and three-arguments forms are deprecated.]) m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl AC_SUBST([PACKAGE], [$1])dnl AC_SUBST([VERSION], [$2])], [_AM_SET_OPTIONS([$1])dnl dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. m4_if( m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]), [ok:ok],, [m4_fatal([AC_INIT should be called with package and version arguments])])dnl AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl _AM_IF_OPTION([no-define],, [AC_DEFINE_UNQUOTED([PACKAGE], ["$PACKAGE"], [Name of package]) AC_DEFINE_UNQUOTED([VERSION], ["$VERSION"], [Version number of package])])dnl # Some tools Automake needs. 
AC_REQUIRE([AM_SANITY_CHECK])dnl AC_REQUIRE([AC_ARG_PROGRAM])dnl AM_MISSING_PROG([ACLOCAL], [aclocal-${am__api_version}]) AM_MISSING_PROG([AUTOCONF], [autoconf]) AM_MISSING_PROG([AUTOMAKE], [automake-${am__api_version}]) AM_MISSING_PROG([AUTOHEADER], [autoheader]) AM_MISSING_PROG([MAKEINFO], [makeinfo]) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # AC_SUBST([mkdir_p], ['$(MKDIR_P)']) # We need awk for the "check" target (and possibly the TAP driver). The # system "awk" is bad on some platforms. AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], [_AM_DEPENDENCIES([CC])], [m4_define([AC_PROG_CC], m4_defn([AC_PROG_CC])[_AM_DEPENDENCIES([CC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], [_AM_DEPENDENCIES([CXX])], [m4_define([AC_PROG_CXX], m4_defn([AC_PROG_CXX])[_AM_DEPENDENCIES([CXX])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJC], [_AM_DEPENDENCIES([OBJC])], [m4_define([AC_PROG_OBJC], m4_defn([AC_PROG_OBJC])[_AM_DEPENDENCIES([OBJC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJCXX], [_AM_DEPENDENCIES([OBJCXX])], [m4_define([AC_PROG_OBJCXX], m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl ]) AC_REQUIRE([AM_SILENT_RULES])dnl dnl The testsuite driver may need to know about EXEEXT, so add the dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. 
AC_CONFIG_COMMANDS_PRE(dnl [m4_provide_if([_AM_COMPILER_EXEEXT], [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi fi dnl The trailing newline in this macro's definition is deliberate, for dnl backward compatibility and to allow trailing 'dnl'-style comments dnl after the AM_INIT_AUTOMAKE invocation. See automake bug#16841. 
]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further dnl mangled by Autoconf and run in a shell conditional statement. m4_define([_AC_COMPILER_EXEEXT], m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header # that is generated. The stamp files are numbered to have different names. # Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the # loop where config.status creates the headers, so we can generate # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. _am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_SH # ------------------ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl if test x"${install_sh+set}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi AC_SUBST([install_sh])]) # Copyright (C) 2003-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # Check whether the underlying file-system supports filenames # with a leading dot. For instance MS-DOS doesn't. 
# AM_SET_LEADING_DOT
# ------------------
# Probe by creating a directory named '.tst' in the current directory and
# substitute am__leading_dot as '.' when it exists afterwards, '_' otherwise.
# Any existing '.tst' entry is removed first with 'rm -rf', and errors from
# rm, mkdir and rmdir are discarded.
AC_DEFUN([AM_SET_LEADING_DOT],
[rm -rf .tst 2>/dev/null
mkdir .tst 2>/dev/null
if test -d .tst; then
  am__leading_dot=.
else
  am__leading_dot=_
fi
rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])])

# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-

# Copyright (C) 1997-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_MISSING_PROG(NAME, PROGRAM)
# ------------------------------
# Keep NAME when it is already set (even to the empty string); otherwise set
# it to "${am_missing_run}PROGRAM". NAME is then passed to AC_SUBST.
# A value of NAME inherited from the environment is therefore used unchanged,
# so the tools named by these variables are only as trustworthy as the
# environment configure is run in.
AC_DEFUN([AM_MISSING_PROG],
[AC_REQUIRE([AM_MISSING_HAS_RUN])
$1=${$1-"${am_missing_run}$2"}
AC_SUBST($1)])

# AM_MISSING_HAS_RUN
# ------------------
# Define MISSING if not defined so far and test if it is modern enough.
# If it is, set am_missing_run to use it, otherwise, to nothing.
# "Modern enough" is decided by running MISSING with --is-lightweight and
# looking at its exit status; on failure a warning is issued and
# am_missing_run is left empty.
AC_DEFUN([AM_MISSING_HAS_RUN],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
dnl A MISSING value that is already set is kept as it is; otherwise it is
dnl pointed at the 'missing' script under $am_aux_dir, with the path quoted
dnl when it matches the whitespace pattern below.
dnl NOTE(review): the two alternatives of the first pattern look identical in
dnl this copy; presumably one of them matched a tab originally -- confirm
dnl against the upstream file.
if test x"${MISSING+set}" != xset; then
  case $am_aux_dir in
  *\ * | *\ *)
    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
  *)
    MISSING="\${SHELL} $am_aux_dir/missing" ;;
  esac
fi
# Use eval to expand $SHELL
dnl The whole of $MISSING is evaluated as shell text, including a value
dnl inherited from the environment, so configure trusts that variable.
if eval "$MISSING --is-lightweight"; then
  am_missing_run="$MISSING "
else
  am_missing_run=
  AC_MSG_WARN(['missing' script is too old or missing])
fi
])

# Helper functions for option handling. -*- Autoconf -*-

# Copyright (C) 2001-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# _AM_MANGLE_OPTION(NAME)
# -----------------------
# Expands to _AM_OPTION_ followed by NAME, with every character of NAME
# outside [a-zA-Z0-9_] replaced by an underscore.
AC_DEFUN([_AM_MANGLE_OPTION],
[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])

# _AM_SET_OPTION(NAME)
# --------------------
# Set option NAME. Presently that only means defining a flag for this option.
AC_DEFUN([_AM_SET_OPTION], [m4_define(_AM_MANGLE_OPTION([$1]), [1])]) # _AM_SET_OPTIONS(OPTIONS) # ------------------------ # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) # ------------------------------------------- # Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) # Check to make sure that the build environment is sane. -*- Autoconf -*- # Copyright (C) 1996-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_SANITY_CHECK # --------------- AC_DEFUN([AM_SANITY_CHECK], [AC_MSG_CHECKING([whether build environment is sane]) # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' ' case `pwd` in *[[\\\"\#\$\&\'\`$am_lf]]*) AC_MSG_ERROR([unsafe absolute working directory name]);; esac case $srcdir in *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) AC_MSG_ERROR([unsafe srcdir value: '$srcdir']);; esac # Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( am_has_slept=no for am_try in 1 2; do echo "timestamp, slept: $am_has_slept" > conftest.file set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$[*]" = "X"; then # -L didn't work. set X `ls -t "$srcdir/configure" conftest.file` fi if test "$[*]" != "X $srcdir/configure conftest.file" \ && test "$[*]" != "X conftest.file $srcdir/configure"; then # If neither matched, then we have a broken ls. 
This can happen # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken alias in your environment]) fi if test "$[2]" = conftest.file || test $am_try -eq 2; then break fi # Just in case. sleep 1 am_has_slept=yes done test "$[2]" = conftest.file ) then # Ok. : else AC_MSG_ERROR([newly created file is older than distributed files! Check your system clock]) fi AC_MSG_RESULT([yes]) # If we didn't sleep, we still need to ensure time stamps of config.status and # generated files are strictly newer. am_sleep_pid= if grep 'slept: no' conftest.file >/dev/null 2>&1; then ( sleep 1 ) & am_sleep_pid=$! fi AC_CONFIG_COMMANDS_PRE( [AC_MSG_CHECKING([that generated files are newer than configure]) if test -n "$am_sleep_pid"; then # Hide warnings about reused PIDs. wait $am_sleep_pid 2>/dev/null fi AC_MSG_RESULT([done])]) rm -f conftest.file ]) # Copyright (C) 2009-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_SILENT_RULES([DEFAULT]) # -------------------------- # Enable less verbose build rules; with the default set to DEFAULT # ("yes" being less verbose, "no" or empty being verbose). AC_DEFUN([AM_SILENT_RULES], [AC_ARG_ENABLE([silent-rules], [dnl AS_HELP_STRING( [--enable-silent-rules], [less verbose build output (undo: "make V=1")]) AS_HELP_STRING( [--disable-silent-rules], [verbose build output (undo: "make V=0")])dnl ]) case $enable_silent_rules in @%:@ ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);; esac dnl dnl A few 'make' implementations (e.g., NonStop OS and NextStep) dnl do not support nested variable expansions. 
dnl See automake bug#9928 and bug#10237. am_make=${MAKE-make} AC_CACHE_CHECK([whether $am_make supports nested variables], [am_cv_make_support_nested_variables], [if AS_ECHO([['TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi]) if test $am_cv_make_support_nested_variables = yes; then dnl Using '$V' instead of '$(V)' breaks IRIX make. AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AC_SUBST([AM_V])dnl AM_SUBST_NOTMAKE([AM_V])dnl AC_SUBST([AM_DEFAULT_V])dnl AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl AC_SUBST([AM_DEFAULT_VERBOSITY])dnl AM_BACKSLASH='\' AC_SUBST([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) # Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_STRIP # --------------------- # One issue with vendor 'install' (even GNU) is that you can't # specify the program used to strip binaries. This is especially # annoying in cross-compiling environments, where the build's strip # is unlikely to handle the host's binaries. # Fortunately install-sh will honor a STRIPPROG variable, so we # always use install-sh in "make install-strip", and initialize # STRIPPROG with the value of the STRIP variable (set by the user). AC_DEFUN([AM_PROG_INSTALL_STRIP], [AC_REQUIRE([AM_PROG_INSTALL_SH])dnl # Installed binaries are usually stripped using 'strip' when the user # run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the 'STRIP' environment variable to overrule this program. dnl Don't test for $cross_compiling = yes, because it might be 'maybe'. 
if test "$cross_compiling" != no; then AC_CHECK_TOOL([STRIP], [strip], :) fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) # Copyright (C) 2006-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- # Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) # AM_SUBST_NOTMAKE(VARIABLE) # -------------------------- # Public sister of _AM_SUBST_NOTMAKE. AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Check how to create a tarball. -*- Autoconf -*- # Copyright (C) 2004-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_PROG_TAR(FORMAT) # -------------------- # Check how to create a tarball in format FORMAT. # FORMAT should be one of 'v7', 'ustar', or 'pax'. # # Substitute a variable $(am__tar) that is a command # writing to stdout a FORMAT-tarball containing the directory # $tardir. # tardir=directory && $(am__tar) > result.tar # # Substitute a variable $(am__untar) that extract such # a tarball read from stdin. # $(am__untar) < result.tar # AC_DEFUN([_AM_PROG_TAR], [# Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AC_SUBST([AMTAR], ['$${TAR-tar}']) # We'll loop over all known methods to create a tar archive until one works. 
_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' m4_if([$1], [v7], [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'], [m4_case([$1], [ustar], [# The POSIX 1988 'ustar' format is defined with fixed-size fields. # There is notably a 21 bits limit for the UID and the GID. In fact, # the 'pax' utility can hang on bigger UID/GID (see automake bug#8343 # and bug#13588). am_max_uid=2097151 # 2^21 - 1 am_max_gid=$am_max_uid # The $UID and $GID variables are not portable, so we need to resort # to the POSIX-mandated id(1) utility. Errors in the 'id' calls # below are definitely unexpected, so allow the users to see them # (that is, avoid stderr redirection). am_uid=`id -u || echo unknown` am_gid=`id -g || echo unknown` AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format]) if test $am_uid -le $am_max_uid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format]) if test $am_gid -le $am_max_gid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi], [pax], [], [m4_fatal([Unknown tar format])]) AC_MSG_CHECKING([how to create a $1 tar archive]) # Go ahead even if we have the value already cached. We do so because we # need to set the values for the 'am__tar' and 'am__untar' variables. _am_tools=${am_cv_prog_tar_$1-$_am_tools} for _am_tool in $_am_tools; do case $_am_tool in gnutar) for _am_tar in tar gnutar gtar; do AM_RUN_LOG([$_am_tar --version]) && break done am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' am__untar="$_am_tar -xf -" ;; plaintar) # Must skip GNU tar: if it does not support --format= it doesn't create # ustar tarball either. 
(tar --version) >/dev/null 2>&1 && continue am__tar='tar chf - "$$tardir"' am__tar_='tar chf - "$tardir"' am__untar='tar xf -' ;; pax) am__tar='pax -L -x $1 -w "$$tardir"' am__tar_='pax -L -x $1 -w "$tardir"' am__untar='pax -r' ;; cpio) am__tar='find "$$tardir" -print | cpio -o -H $1 -L' am__tar_='find "$tardir" -print | cpio -o -H $1 -L' am__untar='cpio -i -H $1 -d' ;; none) am__tar=false am__tar_=false am__untar=false ;; esac # If the value was cached, stop now. We just wanted to have am__tar # and am__untar set. test -n "${am_cv_prog_tar_$1}" && break # tar/untar a dummy directory, and stop if the command works. rm -rf conftest.dir mkdir conftest.dir echo GrepMe > conftest.dir/file AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) rm -rf conftest.dir if test -s conftest.tar; then AM_RUN_LOG([$am__untar /dev/null 2>&1 && break fi done rm -rf conftest.dir AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) AC_MSG_RESULT([$am_cv_prog_tar_$1])]) AC_SUBST([am__tar]) AC_SUBST([am__untar]) ]) # _AM_PROG_TAR uruk-20160219/Makefile.in0000644000175000017500000006423512661613101011743 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. 
VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = . 
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \ $(am__configure_deps) $(am__DIST_COMMON) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { 
files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(docdir)" DATA = $(doc_DATA) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ cscope distdir dist dist-all distcheck am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. 
am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in AUTHORS COPYING ChangeLog \ INSTALL NEWS README THANKS TODO install-sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ if test -d "$(distdir)"; then \ find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ && rm -rf "$(distdir)" \ || { sleep 5 && rm -rf "$(distdir)"; }; \ else :; fi am__post_remove_distdir = $(am__remove_distdir) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz $(distdir).tar.xz GZIP_ENV = --best DIST_TARGETS = dist-xz dist-gzip distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' distcleancheck_listfiles = find . 
-type f -print ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE_TARNAME@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @PACKAGE_VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = $(datadir)/doc/$(PACKAGE) dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CONFIGURE_DEPENDENCIES = VERSION.m4 AUTOMAKE_OPTIONS = dist-xz check-news SUBDIRS = script man 
doc contrib init lsb doc_DATA = AUTHORS COPYING ChangeLog ChangeLog.2003 README THANKS TODO MY_RDIR = beskar.mdcc.cx:www/mdcc.cx/pub/uruk/ EXTRA_DIST = bootstrap ChangeLog.2003 setversion stamp.month stamp.year \ stamp.day VERSION.m4 VERSION all: all-recursive .SUFFIXES: am--refresh: Makefile @: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \ $(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \ && exit 0; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ echo ' $(SHELL) ./config.status'; \ $(SHELL) ./config.status;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(SHELL) ./config.status --recheck $(top_srcdir)/configure: $(am__configure_deps) $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) $(am__aclocal_m4_deps): install-docDATA: $(doc_DATA) @$(NORMAL_INSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-docDATA: @$(NORMAL_UNINSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; 
$(am__uninstall_files_from_dir) # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! 
-f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscope: cscope.files test ! -s cscope.files \ || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS) clean-cscope: -rm -f cscope.files cscope.files: clean-cscope cscopelist cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files distdir: $(DISTFILES) @case `sed 15q $(srcdir)/NEWS` in \ *"$(VERSION)"*) : ;; \ *) \ echo "NEWS not updated; not releasing" 1>&2; \ exit 1;; \ esac $(am__remove_distdir) test -d "$(distdir)" || mkdir "$(distdir)" @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed 
'/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__post_remove_distdir) dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 $(am__post_remove_distdir) dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir @echo WARNING: "Support for shar distribution archives is" \ "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) dist-zip: distdir -rm -f $(distdir).zip zip -rq $(distdir).zip $(distdir) $(am__post_remove_distdir) dist dist-all: $(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:' $(am__post_remove_distdir) # This target untars the dist file and tries a VPATH configuration. Then # it guarantees that the distribution is self-contained by making another # tarfile. 
# distcheck: unpack the freshly built archive selected from DIST_ARCHIVES,
# make the unpacked tree read-only (chmod -R a-w), then configure and build in
# $(distdir)/_build/sub with the install prefix set to $(distdir)/_inst.
# It runs dvi, check, install, installcheck and uninstall, repeats
# install/uninstall with DESTDIR set, rebuilds the archives with 'dist' and
# finishes with distcleancheck.
#
# The DESTDIR staging directory is "$${TMPDIR-/tmp}/am-dc-$$$$/": TMPDIR (or
# /tmp) plus the recipe shell's PID.  It is created with 'umask 077 && mkdir'
# (no -p), so it is owner-only and the step fails if the name already exists
# rather than reusing it.
# NOTE(review): the name is predictable and the failure branch runs
# 'rm -rf "$$dc_destdir"' even when mkdir did not create the path; on a
# multi-user host, point TMPDIR at a private directory before running distcheck.
distcheck: dist
	case '$(DIST_ARCHIVES)' in \
	*.tar.gz*) \
	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
	*.tar.bz2*) \
	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
	*.tar.lz*) \
	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
	*.tar.xz*) \
	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
	*.tar.Z*) \
	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
	*.shar.gz*) \
	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
	*.zip*) \
	  unzip $(distdir).zip ;;\
	esac
	chmod -R a-w $(distdir)
	chmod u+w $(distdir)
	mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
	chmod a-w $(distdir)
	test -d $(distdir)/_build || exit 0; \
	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
	  && am__cwd=`pwd` \
	  && $(am__cd) $(distdir)/_build/sub \
	  && ../../configure \
	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
	    $(DISTCHECK_CONFIGURE_FLAGS) \
	    --srcdir=../.. --prefix="$$dc_install_base" \
	  && $(MAKE) $(AM_MAKEFLAGS) \
	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
	  && $(MAKE) $(AM_MAKEFLAGS) check \
	  && $(MAKE) $(AM_MAKEFLAGS) install \
	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
	        distuninstallcheck \
	  && chmod -R a-w "$$dc_install_base" \
	  && ({ \
	       (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
	      } || { rm -rf "$$dc_destdir"; exit 1; }) \
	  && rm -rf "$$dc_destdir" \
	  && $(MAKE) $(AM_MAKEFLAGS) dist \
	  && rm -rf $(DIST_ARCHIVES) \
	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
	  && cd "$$am__cwd" \
	  || exit 1
	$(am__post_remove_distdir)
	@(echo "$(distdir) archives ready for distribution: "; \
	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'

# distuninstallcheck: refuse an empty $(distuninstallcheck_dir), chdir into it,
# and fail (listing the leftovers on stderr) if any file is still present
# after 'uninstall'.
distuninstallcheck:
	@test -n '$(distuninstallcheck_dir)' || { \
	  echo 'ERROR: trying to run $@ with an empty' \
	       '$$(distuninstallcheck_dir)' >&2; \
	  exit 1; \
	}; \
	$(am__cd) '$(distuninstallcheck_dir)' || { \
	  echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
	  exit 1; \
	}; \
	test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
	   || { echo "ERROR: files left after uninstall:" ; \
	        if test -n "$(DESTDIR)"; then \
	          echo " (check DESTDIR support)"; \
	        fi ; \
	        $(distuninstallcheck_listfiles) ; \
	        exit 1; } >&2

# distcleancheck: only meaningful in a VPATH build (srcdir != .); fails if
# 'distclean' left any file behind in the build directory.
distcleancheck: distclean
	@if test '$(srcdir)' = . ; then \
	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \
	  exit 1 ; \
	fi
	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
	  || { echo "ERROR: files left in build directory after distclean:" ; \
	       $(distcleancheck_listfiles) ; \
	       exit 1; } >&2

# Top-level check/all/install entry points; most just forward to the
# corresponding -recursive target.
check-am: all-am
check: check-recursive
all-am: Makefile $(DATA)
installdirs: installdirs-recursive

# installdirs-am: create the documentation directory under DESTDIR.
installdirs-am:
	for dir in "$(DESTDIR)$(docdir)"; do \
	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
	done
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive

install-am: all-am
	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am

installcheck: installcheck-recursive

# install-strip: re-run 'install' with INSTALL_PROGRAM replaced by
# INSTALL_STRIP_PROGRAM; when STRIP is set it is passed on as STRIPPROG.
install-strip:
	if test -z '$(STRIP)'; then \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	      install; \
	else \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
	fi
mostlyclean-generic:

clean-generic:

# distclean-generic: remove configure-generated files; the leading '-' makes
# make ignore a failing command here.
distclean-generic:
	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)

maintainer-clean-generic:
	@echo "This command is intended for maintainers to use"
	@echo "it deletes files that may require special tools to rebuild."
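# Cleaning and per-format entry points.  Most forward to the matching
# -recursive target; the empty *-am rules are placeholders.
clean: clean-recursive

clean-am: clean-generic mostlyclean-am

# distclean additionally removes the configure outputs and this Makefile.
distclean: distclean-recursive
	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
	-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-tags

dvi: dvi-recursive

dvi-am:

html: html-recursive

html-am:

info: info-recursive

info-am:

install-data-am: install-docDATA

install-dvi: install-dvi-recursive

install-dvi-am:

install-exec-am:

install-html: install-html-recursive

install-html-am:

install-info: install-info-recursive

install-info-am:

install-man:

install-pdf: install-pdf-recursive

install-pdf-am:

install-ps: install-ps-recursive

install-ps-am:

installcheck-am:

# maintainer-clean also removes the autom4te cache in the source tree.
maintainer-clean: maintainer-clean-recursive
	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
	-rm -rf $(top_srcdir)/autom4te.cache
	-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic

mostlyclean: mostlyclean-recursive

mostlyclean-am: mostlyclean-generic

pdf: pdf-recursive

pdf-am:

ps: ps-recursive

ps-am:

uninstall-am: uninstall-docDATA

.MAKE: $(am__recursive_targets) install-am install-strip

.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
	am--refresh check check-am clean clean-cscope clean-generic \
	cscope cscopelist-am ctags ctags-am dist dist-all dist-bzip2 \
	dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \
	distcheck distclean distclean-generic distclean-tags \
	distcleancheck distdir distuninstallcheck dvi dvi-am html \
	html-am info info-am install install-am install-data \
	install-data-am install-docDATA install-dvi install-dvi-am \
	install-exec install-exec-am install-html install-html-am \
	install-info install-info-am install-man install-pdf \
	install-pdf-am install-ps install-ps-am install-strip \
	installcheck installcheck-am installdirs installdirs-am \
	maintainer-clean maintainer-clean-generic mostlyclean \
	mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \
	uninstall-am uninstall-docDATA

.PRECIOUS: Makefile


# ChangeLog is regenerated from the git history; the sed expression drops
# the <...> address of the listed authors.
ChangeLog: NEWS
	git log --pretty --numstat --summary | git2cl | sed 's/<[jcw][^>][^>]*>//g' >ChangeLog

VERSION.m4 VERSION stamp.year stamp.month stamp.day: ChangeLog
	./setversion

# Release targets (maintainer only).
# NOTE: this Makefile.in is generated by automake from Makefile.am; mirror
# any change to these two rules in Makefile.am or it is lost on regeneration.
#
# sign: write an ASCII-armoured detached signature ($$i.asc) for every
# archive in DIST_ARCHIVES.  The loop stops at the first gpg failure;
# without '|| exit 1' only the status of the last archive reaches make, so
# an earlier archive could be left unsigned without any error.
sign:
	for i in $(DIST_ARCHIVES); do \
	  echo "gpg --armor --detach-sign $$i"; \
	  gpg --armor --detach-sign "$$i" || exit 1; \
	done

# publish: copy every archive together with its signature to MY_RDIR.
# All signatures are checked for presence before anything is uploaded, so an
# archive is never published without its .asc, and a failed scp aborts the
# run instead of being masked by a later successful copy.
publish:
	for i in $(DIST_ARCHIVES); do \
	  test -s "$$i.asc" || { \
	    echo "publish: missing signature $$i.asc; run 'make sign' first" >&2; \
	    exit 1; \
	  }; \
	done
	for i in $(DIST_ARCHIVES); do \
	  echo "scp $$i $$i.asc $(MY_RDIR)"; \
	  scp "$$i" "$$i.asc" $(MY_RDIR) || exit 1; \
	done
	@echo now run: ssh beskar update-tar-symlinks uruk
	@echo '( or: ssh beskar.mdcc.cx ./bin/update-tar-symlinks uruk )'

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
uruk-20160219/AUTHORS0000644000175000017500000000035612476343253010754 00000000000000# this file maintained at http://git.mdcc.cx/uruk.git Uruk was written by Joost van Baal-Ilić, Wessel Dankers and various contributors, see THANKS. The Uruk init script was written by Laurence J. Lane for the Debian iptables package. uruk-20160219/COPYING0000644000175000017500000010451310642030347010725 00000000000000 GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price.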
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. 
If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. 
Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. 
However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. 
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. 
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. 
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: <program> Copyright (C) <year> <name of author> This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <http://www.gnu.org/licenses/>. The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <http://www.gnu.org/philosophy/why-not-lgpl.html>. uruk-20160219/ChangeLog0000644000175000017500000027123712661613100011451 000000000000002016-02-19 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20160219 - The Speurgt Release 2016-02-19 Joost van Baal-Ilić * uruk/NEWS: record changes 2016-02-19 Joost van Baal-Ilić * uruk/script/uruk.in: Fix bug: when uruk-save is enabled, loading saved active ruleset fails with Loading iptables ruleset: load "active"Bad argument `REASON=invalid' Patch contributed by Wessel Dankers. 2016-02-18 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20160218 - The Snijders-Chaam Release 2016-02-18 Joost van Baal-Ilić * uruk/NEWS, uruk/bootstrap: upgrade from automake 1.14 to 1.15 2016-02-18 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: record changes 2016-02-18 Joost van Baal-Ilić * uruk/doc/default, uruk/script/urukctl: doc/default: set enable_uruk_save to true. script/urukctl: no longer assign obsolete variable enable_uruk_save_warning, get rid of warn_uruk_save() function.
2016-02-18 Joost van Baal-Ilić * uruk/NEWS: start next release 2015-12-09 Joost van Baal-Ilić * uruk/TODO: test-case 2015-12-09 Joost van Baal-Ilić * uruk/TODO: more to do 2015-11-18 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20151118 - The Āne-wātak Release 2015-11-18 Joost van Baal-Ilić * uruk/TODO, uruk/script/uruk.in: bugreport: "ip6tables logs IPv6 packets with ACK bit set" was invalid; closed. also: uruk is now more verbose when logging blocking of INVALID packets. Thanks Casper Gielen and Wessel Dankers. 2015-11-18 Joost van Baal-Ilić * uruk/TODO: tnx caspar for bugreport: ip6tables logs IPv6 packets with ACK bit set 2015-09-21 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150921 - The Prishtinë Release. Dedicated to DJ Esad from Eindhoven 2015-09-21 Joost van Baal-Ilić * uruk/NEWS: a name for the upcoming release 2015-09-20 Joost van Baal-Ilić * uruk/NEWS: dedication 2015-09-19 Joost van Baal-Ilić * uruk/NEWS: systemd? 2015-09-18 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/init/uruk.service: add Service section to .service file 2015-09-18 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/init/Makefile.am, uruk/init/uruk.service: systemd stuff (WiP) 2015-09-18 Joost van Baal-Ilić * uruk/init/uruk.service: systemd support 2015-09-18 Joost van Baal-Ilić * uruk/NEWS: layout 2015-09-17 Joost van Baal-Ilić * uruk/NEWS: record changes by Wessel Dankers 2015-09-17 Wessel Dankers * uruk/script/uruk.in: Add missing conntrack statements For some reason uruk created conntrack entries for outgoing IPv4 traffic but not for IPv6. Fixed by adding entries for IPv6 as well. And even though conntrack entries were created in the output chain, these were not used. Fixed by adding "--ctstate ESTABLISHED,RELATED" rules, just like in the INPUT chain. 
2015-09-17 Wessel Dankers * uruk/script/uruk.in: Always treat IPv6 as a multiple-IPs-per-interface case Even if you do not explicitly configure multiple IPv6 addresses, you still have to deal with the fact that an interface has at least a link-local and a global address. That means you can't simply drop traffic that isn't directed at the primary global address because that will interfere with things like router advertisements. Likewise, in the output chain you have to provide for the fact that sometimes the source address on outgoing traffic will not be the primary global address. This patch removes the code path that would block all traffic not directed at the primary global address as well as outgoing traffic with something other than that primary global address. It will just always apply the simple bogon network range filtering that it used for the explicit multiple address case. 2015-09-16 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: ship it: version 20150916 - The ᎠᏍᎦᏯ ᎩᎦᎨᏱ; Release 2015-09-16 Joost van Baal-Ilić * uruk/NEWS: prepare uruk version 20150916 for release 2015-09-11 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/script/urukctl: fix bug: [ ok ] Checking uruk (): uruk not running. 2015-09-02 Joost van Baal-Ilić * uruk/TODO: ... 2015-09-02 Joost van Baal-Ilić * uruk/TODO: another debian bug reported 2015-08-25 Joost van Baal-Ilić * uruk/NEWS: start next release 2015-08-25 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150825 - The Прибој Release 2015-08-24 Joost van Baal-Ilić * uruk/NEWS: record changes 2015-08-24 Joost van Baal-Ilić * uruk/script/uruk.in: Apply patch contributed by Wessel Dankers: "Fix two cases where $ip6_defined was used without being set." Relevant in cases where more than one IPv6 address is defined on an interface. 
2015-08-10 Joost van Baal-Ilić * uruk/NEWS: start next release 2015-08-10 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150810 - The Гoрњи Милановац Release 2015-08-10 Joost van Baal-Ilić * uruk/NEWS: named this release, after chopped down oak tree near planned Koridor 11 2015-08-07 Joost van Baal-Ilić * uruk/NEWS, uruk/init/uruk: no longer inspect obsolete variable $status_active. Now "service uruk status" will no longer report _both_ 'active uruk rules loaded' _and_ 'active ruleset not loaded' when uruk is running. Thanks Casper Gielen for bugreport. 2015-06-08 Joost van Baal-Ilić * uruk/Makefile.am, uruk/NEWS: deprecate bz2, introduce .xz for tar releases 2015-06-08 Joost van Baal-Ilić * uruk/TODO: meer ideeen 2015-06-08 Joost van Baal-Ilić * uruk/TODO: new bug found in rpm on old RHEL 2015-06-08 Joost van Baal-Ilić * uruk/NEWS: start next release 2015-06-08 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150608 - The Oude Leije Release 2015-06-08 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: stuff is fixed, prepare release 2015-06-08 Joost van Baal-Ilić * uruk/NEWS, uruk/init/autodetect-ips: bash 3.2 issue: document 2015-06-08 Joost van Baal-Ilić * uruk/NEWS, uruk/init/autodetect-ips: make sure it no longer gives syntax error with bash 3.2. 
thanks Casper Gielen and Wessel Dankers 2015-05-13 Joost van Baal-Ilić * uruk/TODO: snap r niks van...: bug found on Red Hat Enterprise Linux Server release 5.11 (Tikanga) running uruk-20141120-1 rpm, tnx Jeroen Egmond 2015-04-03 Joost van Baal-Ilić * uruk/TODO: record Bug#705687 Provide "uruk diff" 2015-04-03 Joost van Baal-Ilić * uruk/TODO: reprioritization 2015-04-03 Joost van Baal-Ilić * uruk/TODO: bug: enable uruk-save by default: higher prio now 2015-04-03 Joost van Baal-Ilić * uruk/TODO: stuff 2015-04-03 Joost van Baal-Ilić * uruk/TODO: suggested solution of dealing with "service uruk reload" 2015-04-02 Joost van Baal-Ilić * uruk/NEWS: start next release 2015-04-02 Joost van Baal-Ilić * uruk/TODO: another showstopper 2015-04-02 Wessel Dankers * uruk/script/uruk.in: script/uruk.in: fix whitespace 2015-04-01 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150401 - The Gorp en Roovert Release 2015-04-01 Joost van Baal-Ilić * uruk/Makefile.am: wsl is an author: deal with email address stripping 2015-03-30 Wessel Dankers * uruk/script/uruk.in: Don't drop all traffic when multiple addresses are used In uruk there is a bit of code that drops incoming packets for unknown destinations. In the case where there are multiple IP addresses on an interface, it falls back to just restricting the destination address to non-bogon ranges. In theory it could restrict these packets to the set of configured IP addresses, but this would require creating an extra filter chain (something which uruk has avoided so far). In commit 4b2dd0f71bf38dbf1e759d3b078c8c8692328dee the code for handling multiple IP addresses on an interface was changed, which also touched the code mentioned above. In this commit a logic bug was introduced, which caused packets to be dropped unless they had ALL destinations (instead of ANY). Since packets by design only have a single destination address, that meant all packets were dropped on that interface. 
This patch fixes this showstopper issue by fixing the logic bug, properly keeping track of the number of addresses on an interface, and separating the filters for local and remote addresses. 2015-03-30 Wessel Dankers * uruk/init/uruk: fix improper parameter passing (and typo) 2015-03-30 Joost van Baal-Ilić * uruk/TODO: moar bugs 2015-03-30 Joost van Baal-Ilić * uruk/TODO: tnx Fruit bugreport 2015-03-25 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20150325 - The De Drie Zwaantjes Release 2015-03-25 Joost van Baal-Ilić * uruk/TODO: updated 2015-03-06 Joost van Baal-Ilić * uruk/AUTHORS, uruk/NEWS, uruk/THANKS: Welcome aboard Wessel Dankers 2015-03-06 Wessel Dankers * uruk/NEWS, uruk/script/uruk-save, uruk/script/uruk.in: unify net_* and net6_* Unifies the net_* and net6_ variables just like sources_* and sources6_* (and ip_* and ip6_*). As a nice side-effect this finally allows multiple networks to be specified in net_* (and net6_*). Also expanded the list of bogon networks, based on RFC 6890: 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3 64:ff9b::/96 ::ffff:0:0/96 100::/64 200::/7 2001:2::/48 2001:db8::/32 2001:10::/28 fc00::/7 fec0::/10 3ffe::/16 5f00::/8 ::1/128 ::/128 Improved uruk_save() option snooping to accept other syntax variants (-tnat, --table=nat). Made the syntax of uruk-save consistent with that of the main uruk script. Signed-off-by: Joost van Baal-Ilić 2015-03-06 Wessel Dankers * uruk/NEWS, uruk/man/uruk-rc.azm, uruk/script/uruk.in: unify ip_* and ip6_* Just like sources_* and sources6_*, it would be nice if you didn't have to worry about whether addresses on your interfaces are IPv4 or IPv6. This change effects that (backwards compatible, of course). 
As a side effect this introduces the somewhat peculiar (but useful) feature that you can assign multiple addresses to a {interface}_{name} that will all be treated the same. In effect the name no longer describes a single address but a class of addresses that all get the same rules. This can greatly reduce duplication in configurations with large numbers of addresses (something not unheard of with IPv6). This patch also makes some formatting/style choices more consistent/uniform: * use case statements wherever possible (to reduce quoting issues); * deobfuscate eval statements by removing redundant escaped quotes; * always use short option syntax (when possible) for single-line iptables invocations; * always use long option syntax for iptables invocations that are spread out over multiple lines. Signed-off-by: Joost van Baal-Ilić 2015-02-13 Joost van Baal-Ilić * uruk/NEWS, uruk/doc/rc, uruk/man/uruk-rc.azm: Preparing The De Drie Zwaantjes Release, near Galder 2014-11-20 Joost van Baal-Ilić * uruk/TODO: tnx Fruit 2014-11-20 Joost van Baal-Ilić * uruk/NEWS, uruk/script/Makefile.am: ship it: uruk version 20141120 - The Јадар Release / http://sr.wikipedia.org/wiki/Jадар (притока Дрине) 2014-11-20 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/script/uruk.in: less warnings which are likely bogus (dccp and sctp proto) 2014-11-20 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/script/Makefile.am, uruk/script/uruk, uruk/script/uruk.in: uruk offers $uruk_version to rc file now 2014-11-20 Joost van Baal-Ilić * uruk/TODO: another wishlist bug 2014-08-05 Joost van Baal-Ilić * uruk/TODO: patch van Fruit 2014-08-05 Joost van Baal-Ilić * uruk/TODO: tnx Fruit, thijs voor feedback: warning is loos 2014-06-27 Joost van Baal-Ilić * uruk/NEWS: ship it: uruk version 20140627 - The Vlook Release 2014-06-27 Joost van Baal-Ilić * uruk/TODO: another nice thing for upcoming release. 
tnx Wessel 2014-06-27 Joost van Baal-Ilić * uruk/TODO: tnx casper 2014-06-27 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: cosmetics in NEWS 2014-06-26 Joost van Baal-Ilić * uruk/NEWS: releasing, step 1 of N 2014-06-04 Joost van Baal-Ilić * uruk/NEWS: stuff 2014-06-02 Joost van Baal-Ilić * uruk/NEWS: status of new proto support 2014-05-19 Joost van Baal-Ilić * uruk/NEWS: dccp, sctp docs 2014-05-19 Joost van Baal-Ilić * uruk/NEWS: seems we would have to modprobe for that 2014-05-19 Joost van Baal-Ilić * uruk/NEWS: refer to rfc for dccp and sctp 2014-05-19 Joost van Baal-Ilić * uruk/doc/DCCP.html, uruk/doc/SCTP.html: from http://en.wikipedia.org/wiki/SCTP and http://en.wikipedia.org/wiki/DCCP 2014-05-18 Joost van Baal-Ilić * uruk/TODO: reorder items cf stuff for upcoming release 2014-05-18 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: sctp 2014-05-18 Joost van Baal-Ilić * uruk/NEWS, uruk/script/uruk: uruk: add new protocols dccp sctp to supported ones tcp udp. not yet tested, needs more code. 2014-05-17 Joost van Baal-Ilić * uruk/TODO: ... 
2014-05-17 Joost van Baal-Ilić * uruk/TODO: sctp research 2014-05-17 Joost van Baal-Ilić * uruk/TODO: sctp-plan 2014-05-16 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: update NEWS 2014-05-16 Joost van Baal-Ilić * uruk/TODO, uruk/man/uruk-rc.azm: add section IPv4 and IPv6 to uruk-rc(5), about sources_ vs obsolete sources6_ 2014-05-16 Joost van Baal-Ilić * uruk/bootstrap: update from automake 1.11 to 1.14 2014-05-16 Joost van Baal-Ilić * uruk/man/uruk-rc.azm: documenting new-style ipv6 handling 2014-05-16 Joost van Baal-Ilić * uruk/doc/rc: fixed FIXME about ipv6 2014-05-16 Joost van Baal-Ilić * uruk/TODO, uruk/doc/rc: examples/rc now uses new-style way to specify IPv6 sources 2014-05-16 Joost van Baal-Ilić * uruk/TODO: stuff to check on current status: documentation 2014-05-16 Joost van Baal-Ilić * uruk/TODO: some hints on heirloom-mailx usage 2014-05-16 Joost van Baal-Ilić * uruk/TODO: administrativia: how to read bugreports in mails when mutt is not available 2014-04-06 Joost van Baal-Ilić * uruk/NEWS: new release name. Waar nu De Vloek is 2014-03-19 Joost van Baal-Ilić * uruk/NEWS: start next release 2014-03-19 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20140319 - The Alfama Release 2014-03-19 Joost van Baal-Ilić * uruk/NEWS: use IPv6 example range, to be used in documentation, in our documentation. 
Thanks Wessel Dankers 2014-03-19 Joost van Baal-Ilić * uruk/NEWS: finish NEWS-item 2014-03-15 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: more to do 2014-03-15 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: cosmetics 2014-03-15 Joost van Baal-Ilić * uruk/NEWS: more documentation 2014-03-15 Joost van Baal-Ilić * uruk/NEWS: start documenting new behaviour 2014-03-15 Joost van Baal-Ilić * uruk/doc/uruk-auto.msg, uruk/init/autodetect-ips: Apply patch contributed by Wessel Dankers at Fri, 7 Mar 2014 17:00:20 +0100 in Message-Id: <1394208020-164526-1-git-send-email-wsl@fruit.je>: "[PATCH] autodetect-ips: debian inet6 stanzas default to netmask=64" 2014-03-15 Joost van Baal-Ilić * uruk/doc/uruk-ipv6.msg: patch is applied 2014-03-15 Joost van Baal-Ilić * uruk/script/uruk: Apply patch contributed by Wessel Dankers at Fri, 7 Mar 2014 14:39:00 +0100 in Subject: [PATCH] Use sources_${iface}_${proto}_${service} for IPv6; Message-Id: <1394199540-133252-1-git-send-email-wsl@fruit.je>: "Before this change, uruk required separate sources_* and sources6_* variables to configure access for v4/v6 sources. With this patch the rules are as follows: 1) If both sources_* and sources6_* are defined (even if they're just empty), each is used for its respective address family. This ensures backwards compatibility. 2) If sources6_* is undefined, sources_* is used for both v4 and v6. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently ignored. This patch also fixes the detection of undefined variables, which was broken."
2014-03-15 Joost van Baal-Ilić * uruk/doc/uruk-auto.msg, uruk/doc/uruk-ipv6.msg: 2 patches by Wessel 2014-02-08 Joost van Baal-Ilić * uruk/NEWS: tnx Jelena for choosing this release's name 2014-02-08 Joost van Baal-Ilić * uruk/TODO: some stuff is fixed 2014-02-07 Joost van Baal-Ilić * uruk/NEWS, uruk/bootstrap, uruk/doc/debian-bug-704807.mbox, uruk/doc/debian-bug-720306.mbox, uruk/man/Makefile.am: ERROR: files left in build directory after distclean: ./man/uruk-save.ps ./man/uruk-save.txt ./man/uruk.ps ./man/uruk.txt make[1]: *** [distcleancheck] Gre#ka 1 2014-02-07 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: bugfix documented 2014-02-07 Joost van Baal-Ilić * uruk/TODO, uruk/doc/debian-bug-704807.mbox, uruk/doc/debian-bug-705687.mbox, uruk/doc/debian-bug-720306.mbox: keep some debian bug reports in git, for offline work 2014-02-07 Joost van Baal-Ilić * uruk/TODO: this bug should be fixed now 2014-02-07 Joost van Baal-Ilić * uruk/TODO, uruk/init/uruk: no longer abort script if call "urukctl status" fails. this causes "service uruk force-reload" to fail bad in case uruk "not running" 2014-02-05 Joost van Baal-Ilić * uruk/TODO: the plot thickens 2014-02-05 Joost van Baal-Ilić * uruk/TODO: one bug is fixed 2014-02-05 Joost van Baal-Ilić * uruk/TODO: investigating upgrade-bug 2014-02-05 Joost van Baal-Ilić * uruk/TODO: reproduceer 2014-02-05 Joost van Baal-Ilić * uruk/TODO: tnx Wessel for bugreport 2013-12-15 Joost van Baal-Ilić * uruk/NEWS: start next release 2013-12-13 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20131213 - The Gweek Release 2013-12-13 Joost van Baal-Ilić * uruk/init/uruk: actually _do_ perform a reload when called as "service uruk force-reload" 2013-11-20 Joost van Baal-Ilić * uruk/TODO: tnx fruit 2013-11-20 Joost van Baal-Ilić * uruk/TODO: nog meer ideeen 2013-11-20 Joost van Baal-Ilić * uruk/TODO: tnx Fruit 2013-09-17 Joost van Baal-Ilić * uruk/TODO: init... 
2013-09-16 Joost van Baal-Ilić * uruk/TODO: some update-rc.d issues in current debian sid (and jessie) 2013-09-16 Joost van Baal-Ilić * uruk/TODO: cosmetics 2013-09-16 Joost van Baal-Ilić * uruk/TODO: Bug#712869 was fixed in uruk version 20130809 (The Corbeşti Release) with "init/autodetect-ips, man/uruk-rc.azm: detect IPs currently assigned to [...]". 2013-09-16 Joost van Baal-Ilić * uruk/TODO: a bug is fixed 2013-09-15 Joost van Baal-Ilić * uruk/script/urukctl: fix warning about enable_uruk_save_warning is no longer supported 2013-09-15 Joost van Baal-Ilić * uruk/TODO: lintian systemd lsb init hassle 2013-09-13 Joost van Baal-Ilić * uruk/NEWS: start next release 2013-09-13 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: ship it: version 20130913 - The Clochán na bhFomhórach Release 2013-09-13 Joost van Baal-Ilić * uruk/NEWS, uruk/script/urukctl: script/urukctl: don't test running iptables when called with argument "save", enable running "urukctl save active" as non-root, using uruk-save. 2013-09-12 Joost van Baal-Ilić * uruk/TODO: investigating another wishlist bug 2013-09-12 Joost van Baal-Ilić * uruk/TODO: another bug squashed 2013-09-12 Joost van Baal-Ilić * uruk/NEWS: cosmetics 2013-09-12 Joost van Baal-Ilić * uruk/TODO: one bug squashed 2013-09-12 Joost van Baal-Ilić * uruk/NEWS, uruk/doc/default, uruk/script/urukctl: doc/default, script/urukctl: default: explicitly add /sbin to PATH. urukctl: check command line args earlier in execution. Now "urukctl --help" and "urukctl help" e.a. behave better when called as non-root. 
2013-09-12 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: fatal bug found 2013-09-12 Joost van Baal-Ilić * uruk/TODO: designing better tests 2013-09-07 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: found another bug: urukctl usage info 2013-09-07 Joost van Baal-Ilić * uruk/NEWS: record changes 2013-09-03 Joost van Baal-Ilić * uruk/NEWS: we have got a name 2013-09-03 Joost van Baal-Ilić * uruk/TODO: more insight in "nf_conntrack: table full, dropping packet" 2013-09-03 Joost van Baal-Ilić * uruk/TODO: tnx jhoeke 2013-09-03 Joost van Baal-Ilić * uruk/bootstrap: bootstrap: upgrade from automake 1.11 to 1.13 2013-09-02 Joost van Baal-Ilić * uruk/script/urukctl: use just initd_status to decide upon status; do not inspect $status_active 2013-08-30 Joost van Baal-Ilić * : commit c2f808ed7491a90c1fc972b834263e004153bcfd Author: Joost van Baal-Ilić Date: Fri Aug 30 20:01:21 2013 +0200 2013-08-30 Joost van Baal-Ilić * uruk/TODO: broken! 2013-08-30 Joost van Baal-Ilić * uruk/NEWS: start next release 2013-08-30 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20130830 - The Dr Syntax's Head Release 2013-08-30 Joost van Baal-Ilić * uruk/NEWS: the release has a name: http://www.esmerel.com/circle/britain/syntax.html 2013-08-21 Joost van Baal-Ilić * uruk/NEWS, uruk/script/uruk: deal with Bug#720306: uruk: incorrectly blocks and logs tcp RSET packets 2013-08-09 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20130809 - The Corbeşti Release 2013-08-09 Joost van Baal-Илић * uruk/NEWS: record changes 2013-08-07 Joost van Baal-Ilić * uruk/init/autodetect-ips: Apply patch contributed by Wessel Dankers: commit 34aee39ea25bcb90c4a6e0463455f59549bcf782 "accept debian interfaces entries that include the netmask". 
2013-08-02 Joost van Baal-Ilić * uruk/TODO: stuff is done 2013-08-02 Joost van Baal-Ilić * uruk/script/uruk: update copyright 2013-08-02 Joost van Baal-Ilić * uruk/TODO, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm, uruk/man/urukctl.azm: introduce zoem macro \gplheader, update copyright of all manpages 2013-08-02 Joost van Baal-Ilić * uruk/AUTHORS, uruk/THANKS: update and reshuffle 2013-07-31 Joost van Baal-Ilić * uruk/TODO: more to do. for this release? 2013-07-31 Joost van Baal-Ilić * uruk/man/uruk-rc.azm: cosmetics 2013-07-31 Joost van Baal-Ilić * uruk/man/uruk-save.azm: refer to urukctl, not init script 2013-07-31 Joost van Baal-Ilić * uruk/doc/rc, uruk/man/uruk-rc.azm: use ips_eth0 and ..._eth0_default_... ; one IP per NIC-mode is being phased out 2013-07-31 Joost van Baal-Ilić * uruk/NEWS, uruk/man/uruk.azm: cosmetics 2013-07-31 Joost van Baal-Ilić * uruk/init/autodetect-ips: cosmetics 2013-07-31 Joost van Baal-Ilić * uruk/NEWS, uruk/init/autodetect-ips: add cgielen to copyright owners 2013-07-30 Joost van Baal-Ilić * uruk/man/uruk-rc.azm: fix typo 2013-07-30 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: list changes 2013-07-30 Joost van Baal-Ilić * uruk/man/urukctl.azm: finished urukctl(8) manpage 2013-07-30 Joost van Baal-Ilić * uruk/doc/default, uruk/man/urukctl.azm: urukctl config file: update documentation 2013-07-30 Joost van Baal-Ilić * uruk/NEWS: cosmetics 2013-07-30 Joost van Baal-Ilić * uruk/init/autodetect-ips: cosmetics 2013-07-30 Joost van Baal-Ilić * uruk/init/autodetect-ips: fix serbian 2013-07-29 Joost van Baal-Ilić * uruk/NEWS: english 2013-07-29 Joost van Baal-Ilić * uruk/TODO: cosmetics 2013-07-29 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: cosmetics 2013-07-29 Joost van Baal-Ilić * uruk/script/urukctl: remove useless comments 2013-07-29 Joost van Baal-Ilić * uruk/NEWS: cosmetics 2013-07-28 Joost van Baal-Ilić * uruk/init/autodetect-ips: refer to documentation 2013-07-28 Joost van Baal-Ilić * 
uruk/man/uruk-rc.azm: document new autodetec-ips features 2013-07-28 Joost van Baal-Ilić * uruk/NEWS, uruk/init/autodetect-ips: only use scope global IPv6 addresses 2013-07-28 Joost van Baal-Ilić * uruk/man/uruk-rc.azm: start documenting new autodetect-ips features 2013-07-28 Joost van Baal-Ilić * uruk/init/autodetect-ips: update copyright 2013-07-28 Joost van Baal-Ilić * uruk/TODO, uruk/init/autodetect-ips: fix typo 2013-07-28 Joost van Baal-Ilić * uruk/init/autodetect-ips: detect IPs currently assigned to interfaces, not listed in config files 2013-07-27 Joost van Baal-Ilić * uruk/NEWS, uruk/init/autodetect-ips: Corbeşti near Petriş 2013-07-27 Joost van Baal-Ilić * uruk/TODO, uruk/init/autodetect-ips: working on improving autodetect-ips: use ip(1) if needed. in progress 2013-07-27 Joost van Baal-Ilić * uruk/NEWS: cosmetics 2013-07-27 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/init/autodetect-ips: working on improving autodetect-ips: use ip(1) if needed, found more bugs in autodetect-ips 2013-07-27 Joost van Baal-Ilić * uruk/TODO, uruk/init/autodetect-ips: working on improving autodetect-ips: use ip(1) if needed 2013-07-26 Joost van Baal-Ilić * uruk/TODO: improved todo-item, tnx Wessel 2013-07-26 Joost van Baal-Ilić * uruk/TODO: verduidiljk 2013-07-26 Joost van Baal-Ilić * uruk/TODO: idee: check soms niet op destination-ip 2013-06-28 Joost van Baal-Илић * : commit be0e4385d2c97734bb7000d9beff745d11ce91b5 Author: Joost van Baal-Илић Date: Fri Jun 28 12:38:02 2013 +0200 2013-06-28 Joost van Baal-Ilić * uruk/TODO: discussion irl 2013-06-28 Joost van Baal-Илић * uruk/TODO: [...] 
2013-06-27 Joost van Baal-Илић * uruk/man/urukctl.azm: urukctl(8) 2013-06-27 Joost van Baal-Илић * uruk/NEWS: more stuff to add to NEWS 2013-06-27 Joost van Baal-Илић * uruk/man/urukctl.azm: still improving urukctl manpage 2013-06-27 Joost van Baal-Илић * uruk/NEWS: record changes 2013-06-25 Joost van Baal-Ilić * uruk/TODO: record debian Bug#712869, tnx Casper and Wessel 2013-06-19 Joost van Baal-Илић * uruk/TODO, uruk/man/urukctl.azm: syntax urukctl(8) manpage 2013-06-19 Joost van Baal-Илић * uruk/doc/default, uruk/man/urukctl.azm: moving documentation for /etc/default/uruk to proper manpage 2013-06-19 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: found a bug in git 2013-06-19 Joost van Baal-Илић * uruk/NEWS: tnx wessel 2013-06-18 Joost van Baal-Илић * uruk/init/uruk, uruk/script/urukctl: source /etc/default/uruk in urukctl, not in init script 2013-06-18 Joost van Baal-Илић * uruk/README: minor improvement 2013-06-18 Joost van Baal-Илић * uruk/man/urukctl.azm: minor improvements 2013-06-18 Joost van Baal-Илић * uruk/man/uruk.azm: suggest to use urukctl, one no longer should call /etc/init.d/uruk 2013-06-18 Joost van Baal-Илић * uruk/README: fix some minor typos 2013-06-18 Joost van Baal-Ilić * uruk/TODO: another bug in urukctl? 2013-06-18 Joost van Baal-Ilić * uruk/NEWS, uruk/script/urukctl: Fix bug in urukctl, introduced 2013-05-29: be sure to assign variables ($libdir e.a.) on time. No longer fails with "mkdir: cannot create directory `': No such file or directory". Thanks Casper Gielen for bugreport. 
2013-06-18 Joost van Baal-Ilić * uruk/man/include.zmm.in, uruk/man/urukctl.azm: layout urukctl(8) 2013-06-18 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20130619 - The Het De Siptenpad Release 2013-06-18 Joost van Baal-Ilić * uruk/NEWS, uruk/man/urukctl.azm: urukctl(8) no longer alpha but beta 2013-06-18 Joost van Baal-Ilić * uruk/init/uruk: bugfix: change DAEMON from /usr/sbin/uruk to /sbin/uruk 2013-06-18 Joost van Baal-Илић * uruk/NEWS, uruk/TODO, uruk/man/urukctl.azm: ship it: uruk version 20130618 - The Sterreke Release 2013-06-18 Joost van Baal-Илић * uruk/NEWS, uruk/TODO, uruk/man/urukctl.azm: fixing urukctl.azm syntax, part 1 2013-06-18 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: more ideas, more to do 2013-06-18 Joost van Baal-Илић * uruk/NEWS, uruk/TODO, uruk/bootstrap: make sure no email addresses show up in ChangeLog (really) 2013-06-18 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: tweak 2013-06-18 Joost van Baal-Илић * uruk/NEWS: state rationale of changes 2013-05-31 Joost van Baal-Илић * uruk/init/uruk: fix "start", "stop" and "status" by calling urukctl 2013-05-31 Joost van Baal-Илић * uruk/NEWS: tweak 2013-05-31 Joost van Baal-Илић * uruk/NEWS: document changes, first shot at it 2013-05-31 Joost van Baal-Илић * uruk/Makefile.am: (again) make sure no email adresses show up in ChangeLog 2013-05-29 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk: calling initscript with arg save|create|load|reload|clear|halt|flush is deprecated (but still supported for now) 2013-05-29 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk: init script is borken in case wrong argument passed 2013-05-29 Joost van Baal-Илић * uruk/script/urukctl: no longer requires root-access always 2013-05-29 Joost van Baal-Илић * uruk/init/uruk, uruk/man/urukctl.azm, uruk/script/urukctl: move usage info to manpage 2013-05-29 Joost van Baal-Илић * uruk/script/urukctl: s/log_failure_msg/echo/ 2013-05-29 Joost van Baal-Илић * uruk/init/uruk: $iptables_command not available in init-script: 
remove call 2013-05-29 Joost van Baal-Илић * uruk/init/uruk, uruk/script/urukctl: source lsb/init-functions, /etc/default/uruk in init script 2013-05-29 Joost van Baal-Илић * uruk/init/uruk, uruk/script/urukctl: move some log_failure_msg log_success_msg calls from urukctl to init/uruk. add "start", "stop", "restart", "force-reload" to init/uruk. 2013-05-25 Joost van Baal-Илић * uruk/init/urukctl, uruk/man/Makefile.am, uruk/man/urukctl.azm, uruk/script/Makefile.am, uruk/script/urukctl: start work on new urukctl(8) manpage, urukctl now in SCRIPTS 2013-05-25 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk, uruk/init/urukctl: new script: urukctl. it will be the main interface for "save", "create", "load", "clear", "halt" and "flush" actions. the init script will call urukctl 2013-05-25 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk: cosmetics; move init/purge bugreport to TODO 2013-05-24 Joost van Baal-Илић * uruk/init/uruk: update comments about lsb specs 2013-05-22 Joost van Baal-Ilić * uruk/init/uruk: more facts about removed-uruk behaviour 2013-05-22 Joost van Baal-Ilić * uruk/init/uruk: Wessel reported a bug: uruk init script behaves weird in case uruk package is removed from debian (not purged). draft plan for fix 2013-04-13 Joost van Baal-Илић * uruk/NEWS: start next release 2013-04-11 Joost van Baal-Илић * uruk/NEWS: ship it: version 20130426 - The Sy Release (10th anniversary release) 2013-04-11 Joost van Baal-Илић * uruk/NEWS: document changes 2013-04-11 Joost van Baal-Ilić * uruk/script/uruk: do 11 11:04 < joostvb> vertel hier maar ff wat je in ip6_noroute_ranges wilt hebben do 11 11:04 < casper> ip6_noroute_ranges='::1/128 ::ffff:0:0/96 fc00::/7 fec0::/10 0200::/7 2001:0db8::/32' do 11 11:04 < casper> dus ::ffff:0:0/96 met de puntjes voorop do 11 11:04 < joostvb> zeker? 
do 11 11:04 < casper> ja closes: #705202 2013-04-10 Joost van Baal-Илић * uruk/NEWS: tweak NEWS 2013-04-10 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: prepare migrating to new meaning for enable_ipv6 2013-04-10 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: uruk-save no longer considered experimental 2013-04-10 Joost van Baal-Илић * uruk/doc/default, uruk/init/uruk, uruk/man/uruk.azm: The enable_uruk_save_warning variable (set in e.g. /etc/default/uruk) is deprecated. The uruk init script will display a warning if it finds it. 2013-03-22 Joost van Baal-Ilić * uruk/TODO: 1ste amandement 2013-03-22 Joost van Baal-Ilić * uruk/TODO: idea from Wessel for blocking ipv6-traffic 2013-03-22 Joost van Baal-Ilić * uruk/TODO: 2 more things to do before release 2013-03-17 Joost van Baal-Илић * uruk/NEWS: name upcoming release 2013-03-14 Joost van Baal-Ilić * uruk/NEWS: refer to debian bug number 2013-03-14 Joost van Baal-Ilić * uruk/NEWS, uruk/README, uruk/man/uruk.azm, uruk/script/uruk: apply patch contributed by Thijs Kinkhorst, 1 Mar 2013, in <1362140354-7012-1-git-send-email-thijs@uvt.nl>: "Replace obsolete 'state' module usage with 'conntrack'." 2013-02-26 Joost van Baal-Ilić * uruk/NEWS: start next release 2013-02-26 Joost van Baal-Ilić * uruk/NEWS: ship it: uruk version 20130226 - The Vlist Release 2013-02-26 Joost van Baal-Ilić * uruk/NEWS: record changes 2013-02-16 Joost van Baal-Ilić * uruk/init/autodetect-ips: Apply patch contributed by Wessel Dankers in Message-Id: <20130215160813.18E6312F3E@homsar.uvt.nl>, Fri, 15 Feb 2013: "typo in autodetect-ips breekt situaties met eth0:0" 2012-12-06 Joost van Baal-Илић * uruk/man/uruk-rc.azm: fix spelling error, tnx Debian lintian 2012-12-06 Joost van Baal-Илић * uruk/man/uruk-rc.azm: escape -: do not output as hyphen but as minus sign. first shot. 
2012-12-05 Joost van Baal-Ilić * uruk/NEWS: start next release 2012-12-05 Joost van Baal-Ilić * uruk/NEWS: ship it 2012-12-05 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/man/uruk-save.azm: document uruk-save patch; some stuff is done 2012-12-04 Joost van Baal-Илић * uruk/TODO: some stuff is done 2012-12-04 Joost van Baal-Илић * uruk/TODO: some stuff is done 2012-12-04 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk: cleanup: consistent way of testing booleans (variables enable_foo) in shell 2012-12-04 Joost van Baal-Илић * uruk/man/uruk-rc.azm: tweak manpage more 2012-12-04 Joost van Baal-Илић * uruk/man/uruk-rc.azm: tweak manpage 2012-12-04 Joost van Baal-Илић * uruk/man/uruk-rc.azm: 2nd shot at documenting autodetect-ips in uruk-rc(5) 2012-12-04 Joost van Baal-Илић * uruk/man/uruk-rc.azm: first shot at documenting autodetect-ips in uruk-rc(5) 2012-12-03 Joost van Baal-Илић * uruk/NEWS, uruk/init/autodetect-ips, uruk/init/enable-ipv6: add shell shbang 2012-11-30 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: ship it 2012-11-30 Joost van Baal-Ilić * uruk/NEWS: preparing the Вршац Release 2012-11-30 Joost van Baal-Ilić * uruk/TODO: some stuff is done 2012-11-30 Joost van Baal-Ilić * uruk/doc/default, uruk/doc/rc, uruk/init/Makefile.am, uruk/init/autodetect-ips: doc/default: call helper enable-ipv6; doc/rc: add example /lib/uruk/init/autodetect-ips usage; init/Makefile.am: install autodetect-ips and enable-ipv6 in /lib/uruk/init/ 2012-11-30 Joost van Baal-Ilić * uruk/init/autodetect-ips, uruk/init/enable-ipv6: my preferred indent style 2012-11-30 Joost van Baal-Ilić * uruk/init/autodetect-ips, uruk/init/enable-ipv6: more usage info, tweaking interface 2012-11-30 Joost van Baal-Ilić * uruk/init/autodetect-ips, uruk/script/autodetect-ips: to be installed in /usr/share/uruk/init/autodetect-ips 2012-11-30 Joost van Baal-Ilić * uruk/init/enable-ipv6, uruk/script/autodetect-ips, uruk/script/uruk-ipv6: © 2012-11-30 Joost van Baal-Ilić * uruk/TODO: ideas from coffee 
meeting with Wessel 2012-11-29 Joost van Baal-Ilić * uruk/TODO: usage 2012-11-29 Joost van Baal-Ilić * uruk/TODO: do 29 17:39 < joostvb> Fruit: rc-experimental: "GPL-3 of later" ? do 29 17:39 < Fruit> ook ok 2012-11-29 Joost van Baal-Ilić * uruk/TODO: one more nice hack by Wessel 2012-11-29 Joost van Baal-Ilić * uruk/script/uruk-ipv6: helper for /etc/default/uruk, by Wessel Dankers 2012-11-29 Joost van Baal-Ilić * uruk/script/uruk: bugfix, by Wessel Dankers in <20121128162113.38CA411E2C@homsar.uvt.nl> 2012-11-29 Joost van Baal-Ilić * uruk/script/uruk-save: update copyright 2012-11-29 Joost van Baal-Ilić * uruk/script/uruk, uruk/script/uruk-save: Apply patch contributed by Wessel Dankers in <1354116979-10246-1-git-send-email-wsl@fruit.je>: "allow access to different tables (nat, mangle, raw) in uruk-save". Thanks. 2012-11-29 Joost van Baal-Илић * uruk/script/uruk-save: replace obsolete note about arch.gna.org with note about git. thanks Wessel Dankers 2012-10-26 Joost van Baal-Илић * uruk/NEWS: fix typo in NEWS entry, thanks Adam D. Barratt 2012-10-23 Joost van Baal-Ilić * uruk/TODO: tnx Fruit for bugreport 2012-10-23 Joost van Baal-Ilić * uruk/man/uruk.azm: di 23 15:48 < Fruit> joostvb: However, if you don't use any hooks in your rc file, you're save. di 23 15:48 < Fruit> typo 2012-10-23 Joost van Baal-Илић * uruk/TODO: another issue found 2012-10-23 Joost van Baal-Ilić * uruk/NEWS: ship it 2012-10-23 Joost van Baal-Ilić * uruk/NEWS: record changes 2012-10-22 Joost van Baal-Ilić * uruk/THANKS: tnx Thijs 2012-10-22 Joost van Baal-Ilić * uruk/script/uruk: Apply patch contributed by Thijs Kinkhorst in Message-Id: <1350907287-15481-1-git-send-email-thijs@uvt.nl>: Uruk implemented RFC 4890 section 4.3: Recommendations for ICMPv6 Transit Traffic. However uruk is used in some (many?) cases not as a transit firewall but as a host firewall for destination entities. 
Therefore, the recommendations from section 4.4, Recommendations for ICMPv6 Local Configuration Traffic, also need to be added. 2012-10-17 Joost van Baal-Илић * uruk/TODO: more to do 2012-10-09 Joost van Baal-Илић * uruk/TODO: some stuff is done 2012-10-05 Joost van Baal-Ilić * uruk/NEWS: start next release 2012-10-05 Joost van Baal-Ilić * uruk/NEWS: ship it (really) 2012-10-05 Joost van Baal-Ilić * uruk/Makefile.am: fix syntax error in private target "publish" 2012-10-05 Joost van Baal-Ilić * uruk/NEWS: ship it 2012-10-05 Joost van Baal-Ilić * uruk/NEWS: record changes 2012-10-05 Joost van Baal-Ilić * uruk/init/uruk: remove "mountkernfs" from "Required-Start: mountkernfs $local_fs". Add "Required-Stop: $local_fs". We need /var in both start and stop. (We don't need /usr (i.e. remote_fs)). 2012-09-18 Joost van Baal-Илић * uruk/man/include.zmm.in: uruk generally is installed in /sbin/uruk, not /usr/sbin/uruk. (and update my name) 2012-09-17 Joost van Baal-Илић * uruk/TODO: plan for dealing with init script /var issue 2012-09-17 Joost van Baal-Илић * uruk/Makefile.am: workaround in ChangeLog email address stripping 2012-09-17 Joost van Baal-Илић * uruk/TODO: tested fix for "uruk init-script dependency's zijn 72 MB" as reported Fri, 23 Mar 2012 11:00:06 +0100 by Thijs Kinkhorst in <201203231100.09625@incagijs.uvt.nl> 2012-09-17 Joost van Baal-Илић * uruk/NEWS, uruk/configure.ac: include lsb/ in dist 2012-09-17 Joost van Baal-Илић * uruk/NEWS: credit 2012-09-17 Joost van Baal-Илић * uruk/NEWS, uruk/TODO: record changes 2012-09-16 Joost van Baal-Илић * uruk/NEWS: NEWS: fixme 2012-09-16 Joost van Baal-Илић * uruk/Makefile.am, uruk/init/uruk, uruk/lsb/Makefile.am: install lsb stuff, load it from init script 2012-09-16 Joost van Baal-Илић * uruk/TODO, uruk/init/uruk, uruk/lsb/init-functions: uruk/lsb/init-functions: uruk compliant.
init/uruk: fixme 2012-09-16 Joost van Baal-Илић * uruk/lsb/init-functions: use uruk implementation if Red Hat one is not available 2012-09-16 Joost van Baal-Илић * uruk/TODO, uruk/lsb/init-functions: copy from /lib/lsb/init-functions as shipped with redhat-lsb-4.0-3.el6.x86_64, by Lawrence Lim e.a. 2012-09-16 Joost van Baal-Илић * uruk/NEWS: a name for this release 2012-09-15 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: started reimplementing lsb for RHEL machines 2012-09-15 Joost van Baal-Ilić * uruk/lsb/lsb_killproc, uruk/lsb/lsb_log_message, uruk/lsb/lsb_pidofproc, uruk/lsb/lsb_start_daemon: copy from /etc/redhat-lsb/* as shipped with redhat-lsb-4.0-3.el6.x86_64 2012-09-14 Joost van Baal-Илић * uruk/TODO: ... 2012-09-14 Joost van Baal-Илић * uruk/TODO: omlossing, tnx Fruit 2012-09-14 Joost van Baal-Ilić * uruk/TODO: grrr 2012-09-14 Joost van Baal-Ilić * uruk/TODO: todo: try to be more nice on RHEL. tnx Thijs 2012-09-14 Joost van Baal-Ilić * uruk/Makefile.am, uruk/NEWS: start next release, fix private target "publish" 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: ship it 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/init/uruk: stop uruk when switching to single-user mode (runlevel 1), not just when rebooting the system (runlevel 6) or halting the system (runlevel 0). 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/man/uruk-rc.azm: fix zoem syntax 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/man/uruk-rc.azm, uruk/script/uruk: document allowing proto 41 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/init/uruk: be nice to people calling e.g. 
awk when starting uruk (and relying on /usr/bin being in the PATH) 2012-09-14 Joost van Baal-Ilić * uruk/script/uruk: Fix bug: vr 14 15:21 < Fruit> ip6tables v1.4.8: unknown option `--tcp-flags' 2012-09-14 Joost van Baal-Ilić * uruk/NEWS: we got a name for this release 2012-09-14 Joost van Baal-Ilić * uruk/NEWS, uruk/script/uruk: fix for http://bugs.debian.org/687621 : FIN ACK incorrectly blocked 2012-06-12 Joost van Baal-Ilić * uruk/NEWS, uruk/init/uruk: more strict init requirements 2012-06-12 Joost van Baal-Ilić * : merge NEWS 2012-06-08 Joost van Baal-Ilić * uruk/NEWS: start next release 2012-06-08 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20120608 - The Hooidonk Release 2012-06-08 Joost van Baal-Ilić * uruk/TODO, uruk/script/uruk: No longer block, but allow ICMPv6 type 137 Redirect Message [RFC4861]. These are needed for Duplicate Address Detection in IPv6 autoconfiguration: RFC 4429 says: "the router should [...] provide the ON with an ICMP Redirect, which may include a Target Link-Layer Address Option (TLLAO)." Thanks Casper Gielen. 2012-06-08 Joost van Baal-Ilić * uruk/init/uruk: Apply patch for uruk init script: -# Required-Start: $network $remote_fs -# Required-Stop: $network $remote_fs +# Required-Start: mountkernfs $local_fs +# Required-Stop: -# Default-Stop: 0 1 6 +# Default-Stop: 0 6 +# X-Start-Before: networking +# X-Stop-Before: Contributed by Wessel Dankers in Message-ID: <20120606170607.GA2280837@fruit.je>. Thanks! 2012-06-08 Joost van Baal-Ilić * uruk/TODO: tnx cgielen 2012-06-05 Joost van Baal-Ilić * uruk/NEWS: start next release 2012-06-05 Joost van Baal-Ilić * uruk/NEWS: ship it: version 20120605 - The Pickensteeg Release 2012-06-05 Joost van Baal-Ilić * uruk/configure.ac: no longer die if zoem, col and/or groff are not found.
require autoconf 2.67 (was: 2.53) 2012-06-05 Joost van Baal-Ilić * uruk/NEWS: record some changes 2012-05-31 Joost van Baal-Ilić * uruk/TODO: etc/network/if-up.d/uruk shipped by debian package 2012-05-30 Joost van Baal-Ilić * uruk/Makefile.am, uruk/NEWS: start next release 2012-05-30 Joost van Baal-Ilić * uruk/NEWS: ship it: release 20120530 2012-05-30 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO: document changes 2012-05-30 Joost van Baal-Ilić * uruk/README: document: zoem generally no longer needed 2012-05-30 Joost van Baal-Ilić * uruk/init/Makefile.am, uruk/man/Makefile.am, uruk/script/Makefile.am: installing from tarball no longer builds docs: now shipped with tarball. no longer needs zoem on buildhost (just on maintainer-host) 2012-05-30 Joost van Baal-Ilić * uruk/init/uruk: got rid of some more AC_DEFINE_DIR expansions 2012-05-30 Joost van Baal-Ilić * uruk/bootstrap, uruk/configure.ac: we no longer rely upon expansion of BIN_PATH SBIN_PATH DATA_PATH SYSCONF_PATH LOCALSTATE_PATH using AC_DEFINE_DIR, as defined in GNU Autoconf Macro Archive's ac_define_dir.m4: remove obsolete code 2012-05-30 Joost van Baal-Ilić * uruk/man/include.zmm.in: no longer expand @SBIN_PATH@ @SYSCONF_PATH@ @PACKAGE_TARNAME@ @LOCALSTATE_PATH@ @DATA_PATH@. due to AC_DEFINE_DIR macro being obsolete 2012-05-30 Joost van Baal-Ilić * uruk/configure.ac, uruk/script/uruk, uruk/script/uruk-save, uruk/script/uruk-save.in, uruk/script/uruk.in: no longer expand @SYSCONF_PATH@ and @PACKAGE_TARNAME@ in uruk scripts: hardcode /etc/ and uruk. due to AC_DEFINE_DIR macro being obsolete 2012-05-30 Joost van Baal-Ilić * uruk/configure.ac, uruk/init/Makefile.am, uruk/init/uruk, uruk/init/uruk.in: no longer expand @SYSCONF_PATH@ and @PACKAGE_TARNAME@ in uruk init script: hardcode /etc/ and uruk. 
due to AC_DEFINE_DIR macro being obsolete 2012-02-02 Joost van Baal-Ilić * uruk/TODO: found "the right way" to deal with ac_define_dir issue 2012-02-02 Joost van Baal-Ilić * uruk/TODO: more TODO: bootstrap fails on debian wheezy due to autoconf-archive 20111221-1 changes 2012-02-02 Joost van Baal-Ilić * uruk/script/uruk.in: icmpv6: DROP some. based upon rfc4890-icmpv6-firewall.sh 2011-12-30 Joost van Baal-Ilić * uruk/doc/Makefile.am: ship and install rfc4890-icmpv6-firewall.sh, contributed by Suresh Krishnan 2011-12-30 Joost van Baal-Ilić * uruk/doc/rfc4890-icmpv6-firewall.sh, uruk/doc/rfc4890.license.msg: rfc4890-icmpv6-firewall.sh is free software. thanks a lot Suresh Krishnan! 2011-12-30 Joost van Baal-Ilić * uruk/doc/rfc4890.txt: http://www.rfc-editor.org/rfc/rfc4890.txt 2011-12-29 Joost van Baal-Ilić * uruk/TODO: should we fork? 2011-12-29 Joost van Baal-Ilić * uruk/TODO: use rfc 4890 for icmp v6 filtering 2011-12-07 Joost van Baal-Ilić * uruk/TODO: major overhaul needed 2011-12-07 Joost van Baal-Ilić * uruk/TODO: progress on ifup/ifdown support in debian package 2011-08-31 Joost van Baal-Ilić * uruk/NEWS: ship it: uruk version 20110831 2011-08-31 Joost van Baal-Ilić * uruk/Makefile.am: uruk homepage now hosted at beskar.soleus.nu 2011-08-31 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/man/Makefile.am: get rid of hardcoded ZOEMSEARCHPATH=/usr/share/aephea 2011-06-08 Joost van Baal-Ilić * uruk/NEWS: ship it! The IPv6 Day release! 2011-06-07 Joost van Baal-Ilić * uruk/TODO, uruk/doc/default: change examples in default file to display non-default value: just uncomment the line to change behaviour. tnx Thijs Kinkhorst for sharing ideas 2011-06-07 Joost van Baal-Ilić * uruk/TODO: thijs found a bug. tnx 2011-06-04 Joost van Baal-Ilić * uruk/TODO: document test-procedure 2011-06-04 Joost van Baal-Ilić * uruk/NEWS, uruk/TODO, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm: Fix some more zoem >= 10-265-1 (cosmetic) issues. 
2011-06-02 Joost van Baal-Ilić * uruk/NEWS: ship it: uruk 20110602 2011-05-20 Joost van Baal-Ilić * uruk/NEWS, uruk/script/uruk.in: fix bug in generating warning about suspicious rc file 2011-05-19 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/script/uruk.in: first shot at behaving more gracefully on suspicious rc file 2011-05-16 Joost van Baal-Ilić * uruk/NEWS, uruk/bootstrap: newer automake 2011-05-16 Joost van Baal-Ilić * uruk/man/uruk-save.azm: more zoem conversion 2011-05-16 Joost van Baal-Ilić * uruk/NEWS: document changes, preparing next release 2011-05-16 Joost van Baal-Ilić * uruk/man/Makefile.am, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm: convert manpages to zoem >= 10-265-1 format 2011-05-12 Joost van Baal * uruk/man/uruk.azm: converting to zoem >= 10-265-1 + aephea >= 10.008-1. needs ZOEMSEARCHPATH=/usr/share/aephea/pud:/usr/share/aephea 2011-02-15 Joost van Baal * uruk/TODO: add hint on how to improve flushing rules. tnx Wessel 2011-02-13 Joost van Baal * uruk/NEWS: ship it: release 20110213 2011-02-13 Joost van Baal * uruk/man/uruk.azm, uruk/script/uruk.in: ipv6 filtering enabled by default: update docs 2011-02-13 Joost van Baal * uruk/README, uruk/TODO: added upgrade instructions to README file 2011-02-13 Joost van Baal * uruk/TODO: cleanup 2011-02-13 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/doc/default, uruk/init/uruk.in: IPv6 packet filtering now enabled by default 2011-02-13 Joost van Baal * uruk/TODO: more stuff to do about ipv6. Thanks Wessel 2010-10-08 Joost van Baal * uruk/script/uruk.in: assume we have ip6tables connection tracking support. iptables as shipped with debian etch has it 2010-08-31 Joost van Baal * uruk/NEWS: version 20100831: ship it 2010-08-31 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/doc/rc, uruk/script/uruk.in: fix example rc file. 
Thanks ﻢﻫﺪﻳ ﺎﻟﺩڤﻱ at http://lists.debian.org/debian-release/2010/08/msg01587.html 2010-08-23 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/script/uruk.in: new iptables syntax, and another 20100823 release 2010-08-23 Joost van Baal * uruk/TODO: found another issue which should be fixed before uploading 2010-08-23 Joost van Baal * uruk/NEWS, uruk/README: oops, fix bug in upgrade instructions 2010-08-23 Joost van Baal * uruk/README: add upgrade instructions now that IPv6 is enabled by default 2010-08-22 Joost van Baal * uruk/script/uruk.in: some layout fixes, update copyright statement 2010-08-21 Joost van Baal * uruk/NEWS: ship it: 20100821 2010-08-21 Joost van Baal * uruk/TODO: add a suggestion by Casper Gielen, send in Date: Fri, 20 Aug 2010 17:27:18 +0200, Message-ID: <4C6E9ED6.9070400@uvt.nl>, From 4e6b6a2ac6451369945e710f62a0b5d750b6657e Mon Sep 17 00:00:00 2001, Date: Fri, 20 Aug 2010 17:14:37 +0200, Subject: [PATCH 7/8] Move IPv6 multicast comment to TODO 2010-08-21 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/script/uruk.in: bugfix: fatal syntax error in /usr/sbin/uruk 2010-08-20 Joost van Baal * uruk/NEWS, uruk/script/uruk.in: Use connection tracking for IPv6 If support for IPv6 connection tracking is available use it to restrict full processing to IP packets with the NEW flag set. Packets that are part of an established connection (or related to one) get a free pass. 
Patch contributed by Casper Gielen in Date: Fri, 20 Aug 2010 16:56:55 +0200, Message-Id: <1282316215-21616-1-git-send-email-cgielen@uvt.nl> 2010-08-20 Joost van Baal * uruk/NEWS: ship it: 20100820 2010-08-20 Joost van Baal * uruk/script/uruk.in: Drop unroutable IPv6 traffic Patch supplied by Casper Gielen in Message-Id: <1282308925-17493-1-git-send-email-cgielen@uvt.nl>, Date: Fri, 20 Aug 2010 14:55:25 +0200 2010-08-20 Joost van Baal * uruk/TODO: one more issue tackled 2010-08-20 Joost van Baal * uruk/NEWS, uruk/init/uruk.in: require $remote_fs for init scripts 2010-08-20 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/init/uruk.in: no need to special case runlevel 1 2010-08-20 Joost van Baal * uruk/TODO: found out more problems with lsb headers. thanks Debian lintian 2010-08-20 Joost van Baal * uruk/README, uruk/TODO: update README: instructions about git, not arch 2010-08-20 Joost van Baal * uruk/AUTHORS, uruk/Makefile.am, uruk/README, uruk/TODO, uruk/bootstrap, uruk/configure.ac, uruk/contrib/Makefile.am, uruk/doc/Makefile.am, uruk/doc/default, uruk/doc/rc, uruk/init/Makefile.am, uruk/man/Makefile.am, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm, uruk/script/Makefile.am, uruk/script/uruk.in, uruk/setversion: replace arch headers by commented note about git 2010-08-20 Casper Gielen * uruk/script/uruk.in: Drop traffic that is not to/from us Signed-off-by: Joost van Baal 2010-08-20 Casper Gielen * uruk/script/uruk.in: Reject unwanted IPv6 traffic with a proper reset packet. Signed-off-by: Joost van Baal 2010-08-20 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/doc/rc, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm, uruk/script/uruk.in: IPv6-support is no longer considered experimental 2010-08-20 Joost van Baal * uruk/init/uruk.in: No longer mention obsolete Red Hat EL AS rel 2.1. Update arch-header to git. 2010-08-20 Joost van Baal * uruk/NEWS, uruk/TODO, uruk/init/uruk.in: Fix LSB init header.
Partially closes http://bugs.debian.org/581659. Thanks Petter Reinholdtsen 2010-07-27 Joost van Baal * uruk/TODO: fixed homepage at http://mdcc.cx/uruk : now talks about git (not GNU Arch) 2010-07-17 Joost van Baal * uruk/TODO: another bug to fix 2010-07-17 Joost van Baal * uruk/Makefile.am, uruk/NEWS: some tweaking of buildsystem 2010-07-17 Joost van Baal * uruk/NEWS: release 20100717 2010-07-17 Joost van Baal * uruk/TODO: set prios for upcoming release 2010-07-17 Joost van Baal * uruk/bootstrap: adjust to updated autoconf-archive debian package layout 2010-07-17 Joost van Baal * uruk/script/uruk.in: and now finally apply Casper's patch 2010-07-17 Joost van Baal * uruk/THANKS, uruk/TODO: updated 2010-07-17 Joost van Baal * uruk/TODO: new plans 2010-07-17 Joost van Baal * uruk/Makefile.am, uruk/README, uruk/bootstrap: generate ChangeLog from git commit messages 2010-06-24 Joost van Baal * uruk/ChangeLog, uruk/ChangeLog.2004: convert from arch to git; move ChangeLog from arch era out of the way 2010-03-02 Joost van Baal * uruk/ChangeLog, uruk/NEWS: record changes record changes git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-179 2010-03-02 Joost van Baal * uruk/ChangeLog: use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-178 2010-03-02 Joost van Baal * uruk/ChangeLog: use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-177 2010-03-02 Joost van Baal * uruk/ChangeLog: use IPv6 connection tracking if available. 
patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-176 2010-03-02 Joost van Baal * uruk/ChangeLog: use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> use IPv6 connection tracking if available. patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl> git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-175 2009-09-08 Joost van Baal * uruk/ChangeLog: tnx Fruit tnx Fruit git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-174 2009-09-04 Joost van Baal * uruk/ChangeLog: a better way to fix this a better way to fix this git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-173 2009-09-04 Joost van Baal * uruk/ChangeLog, uruk/TODO: a better way to fix this a better way to fix this git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-172 2009-09-04 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/rc, uruk/script/uruk.in: first shot at using abbreviated notation for IP addresses first shot at using abbreviated notation for IP addresses git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-171 2009-08-29 Joost van Baal * uruk/ChangeLog, uruk/TODO: tnx fvos for wishlist bug tnx fvos for wishlist bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-170 2009-08-29 Joost van Baal * uruk/ChangeLog, uruk/TODO: another feature request, tnx Wessel another feature request, tnx Wessel git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-169 2009-08-29 Joost van Baal * uruk/ChangeLog: s/tla/git/ s/tla/git/ git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-168 2009-08-29 Joost van 
Baal * uruk/ChangeLog, uruk/TODO: s/tla/git/ s/tla/git/ git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-167 2008-11-24 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: fix typo: its vs it's fix typo: its vs it's git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-166 2008-10-13 Joost van Baal * uruk/ChangeLog, uruk/TODO: tnx Fruit for tips on if-up.d usage tnx Fruit for tips on if-up.d usage git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-165 2008-04-17 Joost van Baal * uruk/ChangeLog, uruk/TODO: found another design bug :( found another design bug :( git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-164 2008-03-30 Joost van Baal * uruk/ChangeLog, uruk/NEWS: release 20080330 release 20080330 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-163 2008-03-29 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: document changes document changes git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-162 2008-03-28 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: bugfix Be very sure we _never_ trigger ip6tables v1.3.6: Unknown arg `--destination' Try `ip6tables -h' or 'ip6tables --help' for more information. by running /sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix 'ip6tables: ' -i eth0 --destination . 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-161 2008-03-08 Joost van Baal * uruk/ChangeLog, uruk/TODO: did some testing did some testing git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-160 2008-03-08 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-159 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: release 20080307: this is a prerelease release 20080307: this is a prerelease git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-158 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/script/uruk.in: implement support for multiple rc_a files implement support for multiple rc_a files git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-157 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: document upcoming support for multiple rc_a files document upcoming support for multiple rc_a files git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-156 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: workaround zoem typesetting issue in "allowing any traffic on an interface" heading workaround zoem typesetting issue in "allowing any traffic on an interface" heading git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-155 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/TODO: another wishlist bug by Wessel Dankers: multiple rc_a's another wishlist bug by Wessel Dankers: multiple rc_a's git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-154 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: fix bug showing up when loglevel between 20 and 40 and ipv6 enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3 not found". 
these did NOT compromise the firewall rules, btw fix bug showing up when loglevel between 20 and 40 and ipv6 enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3 not found". these did NOT compromise the firewall rules, btw git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-153 2008-03-07 Joost van Baal * uruk/ChangeLog, uruk/TODO: one bug has been squashed earlier. another was reported one bug has been squashed earlier. another was reported git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-152 2008-01-20 Joost van Baal * uruk/ChangeLog, uruk/TODO: more bugs found git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-151 2008-01-18 Joost van Baal * uruk/ChangeLog, uruk/TODO: Tnx Fruit for another wishlist bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-150 2007-11-26 Joost van Baal * uruk/ChangeLog, uruk/TODO: another idea for improvement: urukconfig git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-149 2007-11-04 Joost van Baal * uruk/ChangeLog, uruk/TODO: upload to Debian done. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-148 2007-11-04 Joost van Baal * uruk/ChangeLog, uruk/TODO: another test done git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-147 2007-11-03 Joost van Baal * uruk/ChangeLog, uruk/TODO: adjusted test plan git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-146 2007-11-03 Joost van Baal * uruk/ChangeLog, uruk/man/uruk.azm: mention $interfaces_unprotect in section on Debian ifupdown: we now offer better support. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-145 2007-11-03 Joost van Baal * uruk/ChangeLog, uruk/TODO: did another test-install and a fresh test-install, found two more bugs git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-144 2007-11-03 Joost van Baal * uruk/ChangeLog, uruk/TODO: did another test-install, found a possible bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-143 2007-11-03 Joost van Baal * uruk/ChangeLog, uruk/TODO: did another test-install, found a bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-142 2007-11-02 Joost van Baal * uruk/ChangeLog, uruk/contrib/fw_2007-10.xsd, uruk/contrib/sample.xml: minor fixes by Fred Vos git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-141 2007-11-02 Joost van Baal * uruk/ChangeLog: fix permissions in VC repo: world-readable please git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-140 2007-11-02 Joost van Baal * uruk/ChangeLog, uruk/TODO: plan for tests git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-139 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/NEWS: release 20071101 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-138 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: cosmetics in printed messages git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-137 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/NEWS: recorded some changes git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-136 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: always clean up tmpfiles: use trap git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-135 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: fix behaviour of "reload" in case uruk not running 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-134 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: LSB compliance: consider stopping a stopped uruk as success. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-133 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: made force-reload a no-op in case uruk not running git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-132 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: removed some dead and obfuscating code git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-131 2007-11-01 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: Found out this: root@nagy:~# invoke-rc.d uruk stop Autosaving iptables ruleset: save "active" with counters. Loading iptables ruleset: load "inactive". Shutting down uruk (iptables) root@nagy:~# invoke-rc.d uruk status; echo $? Checking uruk (iptables): uruk not running invoke-rc.d: initscript uruk, action "status" failed. 3 is LSB-compliant behaviour. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-130 2007-10-31 Joost van Baal * uruk/ChangeLog, uruk/contrib/Makefile.am: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-129 2007-10-31 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-128 2007-10-31 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: add description for status when printing help git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-127 2007-10-31 Joost van Baal * uruk/ChangeLog, uruk/contrib/README, uruk/contrib/fw2dot.xsl: Added another contribution from Fred Vos: fw2dot.xsl: generating a dot file (for Graphviz) from an XML-ed uruk rc file.
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-126 2007-10-30 Joost van Baal * uruk/ChangeLog, uruk/contrib/README: Refer to Fred Vos's website on his Uruk XML stuff. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-125 2007-10-30 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/doc/rc: release 20071030 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-124 2007-10-30 Joost van Baal * uruk/ChangeLog, uruk/Makefile.am, uruk/configure.ac, uruk/contrib/Makefile.am: make sure stuff in contrib/ gets distributed and installed git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-123 2007-10-30 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/contrib/README, uruk/contrib/fw2urukrc.xsl, uruk/contrib/fw_2007-10.xsd, uruk/contrib/fw_firewall_2007-10.xsd, uruk/contrib/sample.xml: Add XML stuff contributed by Fred Vos, including some preliminary documentation (in Dutch). Could be used to transform an XML-file describing uruk rules to an uruk rc file. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-122 2007-10-21 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: fixed some bugs in "status" argument git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-121 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: found a bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-120 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/NEWS: layout git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-119 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: document LSB-stuff in init script in NEWS git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-118 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: exit with LSB-compliant status code in case "status" was requested git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-117 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: implemented "status" argument git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-116 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: more ideas for "status" git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-115 2007-10-20 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: LSB compliancy: exit with status code 2 in case wrong arguments are passed. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-114 2007-10-19 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-113 2007-10-19 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: use exit 5 and exit 6 if required by LSB git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-112 2007-10-19 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in, uruk/script/uruk.in: Work on support for Linux Standard Base Specification 3.1 in uruk init script: Added LSB comments (for LSB's install_initd and remove_initd), source /lib/lsb/init-functions. call LSB's log_success_msg and log_warning_msg, add support for finegrained exit code (not yet completed), start working on support for argument "status". git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-111 2007-09-26 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: Documented support for unprotecting an interface git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-110 2007-09-26 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/doc/rc, uruk/script/uruk.in: Added support for unprotecting an interface: introduced variable interfaces_unprotect. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-109 2007-09-25 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/script/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-108 2007-09-25 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/man/uruk.azm: documented "ACCEPT traffic on lo earlier in the uruk ruleset". Thanks to Wessel Dankers for the idea. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-107 2007-09-25 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: moved accepting packets on lo to beginning of rules, before rc_a is sourced: that's more efficient. 
(it used to be between the sourcing of rc_d and rc_e.) if you'd like to add rules at the absolute beginning, stick these in your rc file (not in rc_a). traffic on lo is accepted _before_ rc_a is sourced. if your loglevel is fascist, traffic on lo will no longer be logged. rc_e is now obsolete. use rc_d instead. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-106 2007-09-23 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: finished documenting "uruk internals: the gory details" in uruk(8). git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-105 2007-09-23 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/man/uruk.azm: started documenting uruk internals: the gory details in uruk(8) git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-104 2007-09-23 Joost van Baal * uruk/ChangeLog, uruk/NEWS: started documenting the rescheduling of handling lo traffic git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-103 2007-09-23 Joost van Baal * uruk/ChangeLog, uruk/NEWS: in sync with current ChangeLog git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-102 2007-09-23 Joost van Baal * uruk/ChangeLog, uruk/TODO: reprioritized stuff to do for upcoming release git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-101 2007-09-22 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/bootstrap, uruk/configure.ac, uruk/doc/rc, uruk/init/uruk.in, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm, uruk/script/uruk.in: Uruk is now licensed under GPLv3 (or any later version). 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-100 2007-09-21 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-99 2007-09-20 Joost van Baal * uruk/ChangeLog, uruk/TODO: prioritized todo-items for upcoming release git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-98 2007-09-20 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-97 2007-09-20 Joost van Baal * uruk/ChangeLog, uruk/TODO: added wishlist bug reported by Fred Vos. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-96 2007-09-14 Joost van Baal * uruk/ChangeLog, uruk/man/Makefile.am: no longer try to support non-ascii characters in .txt manpages. col, as shipped with bsdutils 1:2.13-2 Debian packages chokes on output of groff, as shipped with 1.18.1.1-12 Debian package. See also Debian bug Bug#441659. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-95 2006-03-11 Joost van Baal * uruk/ChangeLog, uruk/TODO: added some more received wishlist bugs git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-94 2006-01-16 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: improved way to unprotect an interface, thanks Wessel Dankers git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-93 2006-01-10 Joost van Baal * uruk/ChangeLog, uruk/TODO: add idea for a better way to unsupport an interface. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-92 2006-01-10 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: add note on how to unprotect an interface git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-91 2006-01-10 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: Finetuning of manpage. Thanks Wessel Dankers. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-90 2006-01-06 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: force-reload breaks when nat or mangle table are used. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-89 2005-12-21 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-88 2005-11-30 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: maintenance on manpages, mainly cosmetic git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-87 2005-11-29 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/man/uruk-rc.azm: release 20051129 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-86 2005-11-29 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-85 2005-11-27 Joost van Baal * uruk/ChangeLog, uruk/README, uruk/man/include.zmm.in: build-depend upon zoem >= 05-328 : new tr semantics and better 'make distcheck' behaviour. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-84 2005-11-27 Joost van Baal * uruk/ChangeLog, uruk/NEWS: release 20051127 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-83 2005-11-27 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/init/uruk.in: document bug: window of opportunity during system boot. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-82 2005-11-27 Joost van Baal * uruk/ChangeLog, uruk/TODO: more issues with init-script git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-81 2005-11-25 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: on Red Hat, run start uruk initscript _after_ /etc/init.d/network (and stop before /etc/init.d/network). network has S10network and K90network. 
This is needed since we build our rules from the uruk rc file (not the saved rules files). Building rules from an rc file might need a configured network interface: some users like to invoke /sbin/ip to learn about the current IP. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-80 2005-11-24 Joost van Baal * uruk/ChangeLog, uruk/TODO: found new referral to lsb stuff git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-79 2005-10-27 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/README: release 20051027 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-78 2005-10-27 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: fix bug in version check in uruk script: if version was unset, and /bin/sh is not bash, it would give: Loading IPv4 uruk rules/usr/sbin/uruk: line 51: test: : integer expression expected . git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-77 2005-10-26 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-rc.azm: uruk-rc html manpage now holds link to uruk html manpage git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-76 2005-10-26 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/doc/rc, uruk/man/include.zmm.in: release 20051026 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-75 2005-10-23 Joost van Baal * uruk/ChangeLog, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm: improved notes on debugging git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-74 2005-10-23 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-save.azm: fix zoem syntax errors in uruk-save(8) git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-73 2005-10-23 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-72 2005-10-23 Joost van Baal * uruk/ChangeLog, uruk/README, uruk/init/uruk.in, 
uruk/man/uruk.azm: move quick setup guide from README to uruk(8) git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-71 2005-10-23 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/rc: add some IPv6 examples git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-70 2005-10-22 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/README, uruk/TODO, uruk/man/uruk.azm, uruk/script/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-69 2005-10-22 Joost van Baal * uruk/ChangeLog, uruk/README, uruk/man/include.zmm.in, uruk/man/uruk.azm: add quick setup guide to README, and refer to it. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-68 2005-10-21 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-67 2005-10-21 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in, uruk/script/uruk.in: init script somewhat more verbose git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-66 2005-10-21 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/script/uruk.in: poor man's connection tracking for IPv6 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-65 2005-10-20 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: more to do git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-64 2005-10-18 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/default, uruk/init/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-63 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-62 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-61 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: updated NEWS file 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-60 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/Makefile.am, uruk/doc/default, uruk/script/uruk.in: deal sane with ipv6 logging. ship /etc/default/uruk example file. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-59 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: add reload option to init script git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-58 2005-10-16 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: adjusted uruk(8) to new init script git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-57 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/rc, uruk/man/uruk-rc.azm, uruk/script/uruk.in: Implemented version variable. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-56 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: we cannot support "reload": we generally can't atomically load new rc file. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-55 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in, uruk/man/uruk-save.azm: display warning before calling uruk-save git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-54 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/init/uruk.in: reimplemented init script. Thanks to Wessel Dankers for suggestions. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-53 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/init/uruk.in: get rid of Debianism: /etc/default/uruk git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-52 2005-10-15 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/README, uruk/TODO: started thinking about init script: upgrade-plans git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-51 2005-10-14 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-50 2005-10-14 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/bootstrap: use autoreconf in bootstrap git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-49 2005-10-14 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm: fixed FSF address. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-48 2005-10-14 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/man/uruk-save.azm, uruk/script/uruk-save.in: uruk-save is now IPv6 aware git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-47 2005-10-11 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO: new stuff to do git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-46 2005-10-11 Joost van Baal * uruk/ChangeLog, uruk/etc/rc_d_ipv6, uruk/etc/rc_g_ipv6, uruk/etc/rc_h_ipv6, uruk/etc/rc_i_ipv6: moved to uruk proper git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-45 2005-10-11 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: move IPv6 stuff in etc/ to uruk proper. By default, ip6tables is disabled. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-44 2005-10-10 Joost van Baal * uruk/ChangeLog, uruk/etc/rc_g_ipv6, uruk/etc/rc_h_ipv6, uruk/etc/rc_i_ipv6: this is enough to get limited ipv6 working. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-43 2005-10-10 Joost van Baal * uruk/ChangeLog, uruk/etc/rc_d_ipv6, uruk/etc/rc_i_ipv6: default reject for ipv6 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-42 2005-10-10 Joost van Baal * uruk/ChangeLog, uruk/etc/rc_d_ipv6: typo fix, some start of documentation of this ipv6 stuff git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-41 2005-10-10 Joost van Baal * uruk/ChangeLog, uruk/etc/rc_d_ipv6: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-40 2005-10-09 Joost van Baal * uruk/ChangeLog, uruk/TODO: more to do git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-39 2005-09-03 Joost van Baal * uruk/ChangeLog, uruk/NEWS: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-38 2005-09-03 Joost van Baal * uruk/ChangeLog, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk.azm: fix typo, add example for NAT git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-37 2005-08-25 Joost van Baal * uruk/ChangeLog, uruk/README: found out about yet another alternative tool git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-36 2005-08-01 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-35 2005-08-01 Joost van Baal * uruk/ChangeLog, uruk/TODO: git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-34 2005-07-26 Joost van Baal * uruk/ChangeLog, uruk/man/uruk.azm: when using uruk-save, use it atomically git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-33 2005-07-26 
Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: yet another way to debug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-32 2005-07-26 Joost van Baal * uruk/ChangeLog: remove some leftover cruft from manpage. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-31 2005-07-22 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: be more clear on how to set loglevel in rc file. Thanks Wessel Dankers for bugreport. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-30 2005-07-18 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: fix sh bugs git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-29 2005-07-18 Joost van Baal * uruk/ChangeLog, uruk/man/uruk-rc.azm: fix zoem bug: ui change. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-28 2005-07-18 Joost van Baal * uruk/ChangeLog, uruk/NEWS: release 20050718 release 20050718 git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-27 2005-07-18 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/doc/rc, uruk/man/uruk-rc.azm, uruk/man/uruk.azm, uruk/script/uruk.in: loglevel implemented and documented loglevel variable. Thanks to Wessel Dankers for the bugreport about uruk's too enthusiastic logging behaviour. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-26 2005-05-26 Joost van Baal * uruk/ChangeLog, uruk/TODO: another idea on how to implement better (less spammy) logging git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-25 2005-05-25 Joost van Baal * uruk/ChangeLog, uruk/TODO: plan for implementing more granular logging.
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-24 2005-04-16 Joost van Baal * uruk/ChangeLog, uruk/TODO: some more pending issues git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-23 2005-04-15 Joost van Baal * uruk/ChangeLog: this stuff is moved git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-22 2005-04-15 Joost van Baal * packages/debian.log, packages/debian/README, packages/debian/TODO, packages/debian/changelog, packages/debian/conffiles, packages/debian/control, packages/debian/copyright, packages/debian/dirs, packages/debian/postinst, packages/debian/postrm, packages/debian/prerm, packages/debian/rc, packages/debian/rules, packages/rpm.log, packages/rpm/uruk-source.1.README.RPM, packages/rpm/uruk-source.2.TODO.RPM, packages/rpm/uruk.spec, uruk/ChangeLog: moved to new archive maintained in http://arch.gna.org/uruk/archive-2005-uruk-pkg/ now git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-21 2005-04-15 Joost van Baal * uruk/ChangeLog, uruk/TODO: bug fixed, bug opened git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-20 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/TODO: uruk-save could need more attention git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-19 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/Makefile.am, uruk/README, uruk/init/uruk.in, uruk/man/uruk.azm: some minor tweaks to sneak in the 20050414 release Makefile.am: ship ChangeLog.2003. README: zoem is distributed with Debian now. init/uruk.in: warn about uruk-save unsafeness. man/uruk.azm: _finally_ fix the zoem bug, so that this manpage is completely typesetted again. 
git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-18 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/Makefile.am, uruk/NEWS: release 20050414: this is a prerelease git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-17 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/NEWS, uruk/TODO, uruk/configure.ac, uruk/doc/rc, uruk/init/uruk.in, uruk/man/Makefile.am, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk.azm, uruk/script/Makefile.am, uruk/script/uruk.in: almost ready for next release Fixed wishlist bug from 2004-05-26, Wessel Dankers (might need more testing though). Ship and install uruk-save(8) script and manpage. init script behaves more sanely when saved state files are missing: we are now able to generate these on the fly. Minor improvement of uruk-rc(5) manpage. Document URUK_CONFIG and URUK_IPTABLES in uruk(8) manpage. Document one way of using uruk-save in uruk(8) manpage. In the uruk script itself, only some typos in comments have been fixed. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-16 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/script/uruk.in: don't test whether $iptables is executable: it might be set to 'echo foo' git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-15 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/script/uruk-save.in: adding a hook to save uruk's rc directly to iptables-save file: more flexibility git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-14 2005-04-14 Joost van Baal * uruk/ChangeLog, uruk/TODO: bugreports bugs submitted by Wessel Dankers git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-13 2005-03-10 Joost van Baal * packages/rpm/uruk.spec, uruk/ChangeLog, uruk/bootstrap: autoconf archive is moved.
Thanks Anton Sluijtman git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-12 2004-11-20 Joost van Baal * uruk/ChangeLog, uruk/init/uruk.in: new file /etc/default/uruk can overrule variable enable_uruk_check, enable_ipv6, enable_autosave, enable_save_counters and PATH git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-11 2004-11-17 Joost van Baal * uruk/ChangeLog, uruk/TODO, uruk/script/uruk.in: uruk now honors environment variables URUK_IPTABLES and URUK_CONFIG git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-10 2004-11-02 Joost van Baal * uruk/ChangeLog, uruk/TODO: found another bug git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-9 2004-09-27 Joost van Baal * uruk/ChangeLog: hrm, would this get me an autogenerated ChangeLog? git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-8 2004-09-27 Joost van Baal * uruk/bootstrap: no longer using cvs2cl, but tla changelog git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-7 2004-09-27 Joost van Baal * uruk/doc/Makefile.am, uruk/doc/rc, uruk/init/Makefile.am, uruk/init/uruk.in, uruk/man/Makefile.am, uruk/man/include.zmm.in, uruk/man/uruk-rc.azm, uruk/man/uruk.azm, uruk/script/Makefile.am, uruk/script/uruk.in: getting rid of even more cvs id tags git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-6 2004-09-27 Joost van Baal * uruk/ChangeLog.2003: ChangeLog as build using cvs2cl: changes done via CVS git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-5 2004-09-27 Joost van Baal * uruk/AUTHORS, uruk/Makefile.am, uruk/NEWS, uruk/THANKS, uruk/TODO, uruk/bootstrap, uruk/configure.ac, uruk/setversion: get rid of CVS-style Id tags git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-4 2004-09-27 Joost van Baal * uruk/README: added note about new version control system git-archimport-id: 
joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-3 2004-09-27 Joost van Baal * packages/debian.log, packages/debian/README, packages/debian/TODO, packages/debian/changelog, packages/debian/conffiles, packages/debian/control, packages/debian/copyright, packages/debian/dirs, packages/debian/postinst, packages/debian/postrm, packages/debian/prerm, packages/debian/rc, packages/debian/rules, packages/rpm.log, packages/rpm/uruk-source.1.README.RPM, packages/rpm/uruk-source.2.TODO.RPM, packages/rpm/uruk.spec: importing packaging stuff from cvs rpm and .deb stuff git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-2 2004-09-27 Joost van Baal * : importing old cvs history ,v files the tar.gz is taken from old cvsroot on topaz.conuropsis.org. You might want to convert it to a GNU Arch changeset. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--patch-1 2004-09-27 Joost van Baal * initial import Importing stuff as it is in CVS on topaz.conuropsis.org today, omitting the CVS history. git-archimport-id: joostvb-arch@mdcc.cx--2004-uruk/uruk--mainline--0.1--base-0 uruk-20160219/INSTALL0000644000175000017500000003661012657715017010741 00000000000000Installation Instructions ************************* Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. Basic Installation ================== Briefly, the shell command `./configure && make && make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this `INSTALL' file but do not implement all of the features documented below. 
The lack of an optional feature in a given package is not necessarily a bug. More recommendations for GNU packages can be found in *note Makefile Conventions: (standards)Makefile Conventions. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. 
Optionally, type `make check' to run any self-tests that come with the package, generally using the just-built uninstalled binaries. 4. Type `make install' to install the programs and any data files and documentation. When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular user, and only the `make install' phase executed with root privileges. 5. Optionally, type `make installcheck' to repeat any self-tests, but this time using the binaries in their final installed location. This target does not install anything. Running this target as a regular user, particularly if the prior `make install' required root privileges, verifies that the installation completed correctly. 6. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. 7. Often, you can also type `make uninstall' to remove the installed files again. In practice, not all packages have tested that uninstallation works correctly, even though it is required by the GNU Coding Standards. 8. Some packages, particularly those that use Automake, provide `make distcheck', which can be used by developers to test that all other targets like `make install' and `make uninstall' work correctly. This target is generally not run by end users. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. This is known as a "VPATH" build. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or "universal" binaries--by specifying multiple `-arch' options to the compiler but only a single `-arch' option to the preprocessor. Like this: ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CPP="gcc -E" CXXCPP="g++ -E" This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results using the `lipo' tool if you have problems. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX', where PREFIX must be an absolute file name. 
You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. In general, the default for these options is expressed in terms of `${prefix}', so that specifying just `--prefix' will affect all of the other directory specifications that were not explicitly provided. The most portable way to affect installation locations is to pass the correct locations to `configure'; however, many packages provide one or both of the following shortcuts of passing variable assignments to the `make install' command line to change installation locations without having to reconfigure or recompile. The first method involves providing an override variable for each affected directory. For example, `make install prefix=/alternate/directory' will choose an alternate location for all directory configuration variables that were expressed in terms of `${prefix}'. Any directories that were specified during `configure', but not in terms of `${prefix}', must each be overridden at install time for the entire installation to be relocated. The approach of makefile variable overrides for each directory variable is required by the GNU Coding Standards, and ideally causes no recompilation. However, some platforms have known limitations with the semantics of shared libraries that end up requiring recompilation when using this method, particularly noticeable in packages that use GNU Libtool. The second method involves providing the `DESTDIR' variable. 
For example, `make install DESTDIR=/alternate/directory' will prepend `/alternate/directory' before all installation names. The approach of `DESTDIR' overrides is not required by the GNU Coding Standards, and does not work on platforms that have drive letters. On the other hand, it does better at avoiding recompilation issues, and works well even when some directory options were not specified in terms of `${prefix}' at `configure' time. Optional Features ================= If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Some packages offer the ability to configure how verbose the execution of `make' will be. For these packages, running `./configure --enable-silent-rules' sets the default to minimal output, which can be overridden with `make V=1'; while running `./configure --disable-silent-rules' sets the default to verbose, which can be overridden with `make V=0'. Particular systems ================== On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC is not installed, it is recommended to use the following options in order to use an ANSI C compiler: ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" and if that doesn't work, install pre-built binaries of GCC for HP-UX. 
HP-UX `make' updates targets which have the same time stamps as their prerequisites, which makes it generally unusable when shipped generated files such as `configure' are involved. Use GNU `make' instead. On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot parse its `<wchar.h>' header file. The option `-nodtk' can be used as a workaround. If GNU CC is not installed, it is therefore recommended to try ./configure CC="cc" and if that doesn't work, try ./configure CC="cc -nodtk" On Solaris, don't put `/usr/ucb' early in your `PATH'. This directory contains several dysfunctional programs; working variants of these programs are available in `/usr/bin'. So, if you need `/usr/ucb' in your `PATH', put it _after_ `/usr/bin'. On Haiku, software installed for all users goes in `/boot/common', not `/usr/local'. It is recommended to use the following options: ./configure --prefix=/boot/common Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for.
If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf limitation. Until the limitation is lifted, you can use this workaround: CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of all of the options to `configure', and exit. `--help=short' `--help=recursive' Print a summary of the options unique to this package's `configure', and exit. The `short' variant lists options used only in the top level, while the `recursive' variant lists options also present in any nested packages. 
`--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `--prefix=DIR' Use DIR as the installation prefix. *note Installation Names:: for more details, including other options available for fine-tuning the installation locations. `--no-create' `-n' Run the configure checks, but stop before creating any output files. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. uruk-20160219/NEWS0000644000175000017500000011135112661612743010400 00000000000000Uruk NEWS - user visible changes (and some other changes also.) Refer to ChangeLog for detailed per-file info. uruk version 20160219 - The Speurgt Release [ changes by Wessel Dankers ] - script/uruk.in: Fix bug which was introduced in version 20151118: when uruk-save is enabled, loading saved active ruleset fails with Loading iptables ruleset: load "active"Bad argument `REASON=invalid' . uruk version 20160218 - The Snijders-Chaam Release [ changes by Joost van Baal-Ilić ] - Set enable_uruk_save to true in example configuration file doc/default. If this variable is unset or false, uruk-save(8) is by default (still) not used. No longer warn when obsolete (since 2013-04) variable enable_uruk_save_warning is found in /etc/default/uruk (or /etc/sysconfig/uruk): + doc/default: set enable_uruk_save to true. 
+ script/urukctl: no longer assign obsolete variable enable_uruk_save_warning, get rid of warn_uruk_save() function. - bootstrap: upgrade from automake 1.14 to 1.15. uruk version 20151118 - The Āne-wātak Release [ changes by Joost van Baal-Ilić ] - script/uruk.in: uruk is now more verbose when logging the blocking of packets with an INVALID connection tracking state. uruk version 20150921 - The Prishtinë Release [ changes by Wessel Dankers ] - script/uruk.in: Add missing conntrack statements: For some reason uruk created conntrack entries for outgoing IPv4 traffic but not for IPv6. Fixed by adding entries for IPv6 as well. And even though conntrack entries were created in the output chain, these were not used. Fixed by adding "--ctstate ESTABLISHED,RELATED" rules, just like in the INPUT chain. - script/uruk.in: Always treat IPv6 as a multiple-IPs-per-interface case: Even if you do not explicitly configure multiple IPv6 addresses, you still have to deal with the fact that an interface has at least a link-local and a global address. That means you can't simply drop traffic that isn't directed at the primary global address because that will interfere with things like router advertisements. Likewise, in the output chain you have to provide for the fact that sometimes the source address on outgoing traffic will not be the primary global address. This change removes the code path that would block all traffic not directed at the primary global address as well as outgoing traffic with a source address other than that primary global address. It will just always apply the simple bogon network range filtering that it used for the explicit multiple address case. [ changes by Joost van Baal-Ilić ] - init/{uruk.service,Makefile.am}: ship and install new file /lib/systemd/system/uruk.service, for systems using the systemd system and service manager by Lennart Poettering, Kay Sievers et al. NB: this is untested experimental code. It is interesting for developers only. Do not use.
uruk version 20150916 - The ᎠᏍᎦᏯ ᎩᎦᎨᏱ; Release [ changes by Joost van Baal-Ilić ] - script/urukctl: Behave sane after reboot. Under some circumstances, after a reboot, one would end up with files like -rw-r--r-- 1 root root 17658 Sep 11 13:00 iptables/active -rw-r--r-- 1 root root 0 Sep 11 13:00 iptables/inactive -rw-r--r-- 1 root root 0 Sep 11 13:00 iptables/autosave -rw-r--r-- 1 root root 4060 Sep 11 13:00 ip6tables/active -rw-r--r-- 1 root root 0 Sep 11 13:00 ip6tables/inactive -rw-r--r-- 1 root root 0 Sep 11 13:00 ip6tables/autosave in /var/lib/uruk . Running "sudo service uruk status" would yield Checking uruk (iptables): active uruk rules loaded Checking uruk (ip6tables): active uruk rules loaded [ ok ] Checking uruk (): uruk not running. . However, uruk _is_ running. We now no longer ignore zero-sized files in /var/lib/uruk/*/ , but regard them as valid rulesets. This fixes this bug. uruk version 20150825 - The Прибој Release [ changes by Wessel Dankers ] - script/uruk.in: Fix two cases where $ip6_defined was used without being set. uruk was unusable in cases where more than one IPv6 address is defined on an interface. uruk version 20150810 - The Гoрњи Милановац Release [ changes by Joost van Baal-Ilić ] - init/uruk: no longer inspect obsolete variable $status_active. Now "service uruk status" will no longer report _both_ 'active uruk rules loaded' _and_ 'active ruleset not loaded' when uruk is running. Thanks Casper Gielen for bugreport. uruk version 20150608 - The Oude Leije Release [ changes by Joost van Baal-Ilić ] - init/autodetect-ips: make sure it no longer gives "autodetect-ips: command substitution: line 106: syntax error near unexpected token `newline' [...]" when running under bash 3.2. The old Red Hat Enterprise Linux 5.11 ships bash-3.2-33.el5_11.4. Also, bash 3.2-4.2 is shipped with Debian GNU/Linux 5.0.10 (lenny) (a currently unsupported old Debian release). 
Debian releases 6.0 Squeeze and later install with dash as /bin/sh so on these platforms, uruk does not suffer from this issue with bash. Thanks Casper Gielen for report and initial patch. - Makefile.am: no longer ship uruk-VERSION.tar.bz2, do ship uruk-VERSION.tar.xz (next to .tar.gz). uruk version 20150401 - The Gorp en Roovert Release [ changes by Wessel Dankers ] - script/uruk.in: Don't drop all traffic when multiple addresses are used: In uruk there is a bit of code that drops incoming packets for unknown destinations. In the case where there are multiple IP addresses on an interface, it falls back to just restricting the destination address to non-bogon ranges. In theory it could restrict these packets to the set of configured IP addresses, but this would require creating an extra filter chain (something which uruk has avoided so far). In commit 4b2dd0f71bf38dbf1e759d3b078c8c8692328dee the code for handling multiple IP addresses on an interface was changed, which also touched the code mentioned above. In this commit a logic bug was introduced, which caused packets to be dropped unless they had ALL destinations (instead of ANY). Since packets by design only have a single destination address, that meant all packets were dropped on that interface. This patch fixes this showstopper issue by fixing the logic bug, properly keeping track of the number of addresses on an interface, and separating the filters for local and remote addresses. - init/uruk: fix improper parameter passing (and typo) uruk version 20150325 - The De Drie Zwaantjes Release Uruk is no longer a one man show: Since this release, Wessel Dankers joined the uruk maintainers. Welcome aboard! [ changes by Joost van Baal-Ilić ] - man/uruk-rc.azm doc/rc: Things like interfaces_nocast="eth0" are now deprecated in favor of bcasts_eth1="local" : use the multiple-IP-per-nic style if you want full control over which broadcast and multicast-traffic gets dropped. 
(The old syntax is still supported; for now it's just no longer documented.) [ changes by Wessel Dankers ] - script/uruk.in man/uruk-rc.azm: ip_* and ip6_* are now unified in the same way as sources_* and sources6_*. As a bonus you can now mention multiple addresses in each ip "name". Example: ips_eth0='admin service' ip_eth0_admin='192.0.2.2 2001:db8::2' ip_eth0_public='192.0.2.3 192.0.2.4 2001:db8::3 2001:db8::4' services_eth0_admin_tcp='ssh' ports_eth0_admin_tcp_admin='22' sources_eth0_admin_tcp_admin='192.0.2.0/24 2001:db8::/32' services_eth0_public_tcp='www' ports_eth0_public_tcp_www='80 443' sources_eth0_public_tcp_www='0/0 ::/0' - script/uruk.in script/uruk-save: net_* and net6_ are now unified as well, and accept multiple networks. The list of bogon networks is significantly expanded and now contains: 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3 64:ff9b::/96 ::ffff:0:0/96 100::/64 200::/7 2001:2::/48 2001:db8::/32 2001:10::/28 fc00::/7 fec0::/10 3ffe::/16 5f00::/8 ::1/128 ::/128 uruk version 20141120 - The Јадар Release - script/uruk.in: make uruk_version available to rc files. One can use that to handle unsupported uruk versions gracefully in rc files. Thanks Wessel Dankers for suggestion. - script/uruk.in: no longer warn if services_${iface}_${proto} is undefined for proto in udp, dccp or sctp. To reduce useless warnings, we now only warn for undefined services_${iface}_tcp. Thanks Wessel Dankers, Thijs Kinkhorst and Casper Gielen for suggestion. uruk version 20140627 - The Vlook Release - script/uruk: next to protocols tcp and udp, uruk now has preliminary experimental support for dccp and sctp. Stream Control Transmission Protocol (needs iptables >= 1.2.9) is defined in RFC 4960; Datagram Congestion Control Protocol is defined in RFC 4340. 
These protocols are implemented in the sctp.ko and dccp.ko Linux kernel modules. Beware! For TCP, we do inspect "tcp --tcp-flags SYN,ACK,FIN,RST [...]". However, for DCCP or SCTP, we don't do anything specific yet with respect to the state of the DCCP or SCTP connections! You'll have to take measures yourself to deal sanely with open connections. Untested code. - doc/rc, man/uruk-rc.azm: document new semantics of sources_${iface}_${proto}_${service} vs sources6_${iface}_${proto}_${service} - bootstrap: update to automake 1.14. uruk version 20140319 - The Alfama Release - init/uruk: no longer abort on failed commands. This fixes a bug: upgrading a "not running" uruk from 20130426 to 20131213 on Debian systems would fail with "invoke-rc.d: initscript uruk, action "force-reload" failed. dpkg: error processing uruk (--install): subprocess installed post-installation script returned error exit status 3". Indeed, calling /etc/init.d/uruk force-reload on a "not running" uruk would give error exit status 3, and would not give any output. - init/autodetect-ips: make sure Debian inet6 stanzas default to netmask=64. Patch contributed by Wessel Dankers. - script/uruk: Simplify semantics of sources_${iface}_${proto}_${service} vs sources6_${iface}_${proto}_${service}. sources6_* is no longer needed; just list both IPv4 and IPv6 addresses in sources_*. Before this change, uruk required seperate sources_* and sources6_* variables to configure access for v4/v6 sources. To be precise, the semantics now is: 1) If both sources_* and sources6_* are defined (even if they're just empty), each is used for its respective address family. (This ensures backwards compatibility.) 2) If sources6_* is undefined, sources_* is used for both v4 and v6. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently (!) ignored. The patch also fixes the detection of undefined variables, which was broken. Patch contributed by Wessel Dankers. 
uruk version 20131213 - The Gweek Release - init/uruk: actually _do_ perform a reload when called as "service uruk force-reload". - script/urukctl: fix warning about "enable_uruk_save_warning is no longer supported". uruk version 20130913 - The Clochán na bhFomhórach Release - script/urukctl: use just initd_status to decide upon status; do not inspect $status_active. This fixes a severe bug, which made the Dr Syntax's Head release unusable: running "# urukctl start && service uruk force-reload" would give "Nothing to do for reloading uruk: uruk is not running [ OK ]". Thanks Casper Gielen for reporting this issue. - doc/default, script/urukctl: default: explicitly add /sbin to PATH. urukctl: check command line args earlier in execution. Now "urukctl --help" and "urukctl help" e.a. behave better when called as non-root. - script/urukctl: don't test running iptables when called with argument "save", enable running "urukctl save active" as non-root, using uruk-save. - bootstrap: upgrade from automake 1.11 to 1.13 uruk version 20130830 - The Dr Syntax's Head Release - script/uruk: work around possible bug in conntrack, found when: we are the client and initiate an outgoing TCP session. Return traffic is allowed since it matches the connection state. An incoming RST (reset) packet is received; apparently the kernel doesn't recognize it as belonging to a TCP session being shut down, and can't match the state. Uruk then blocks and logs it. Now it explicitly allows such RST packets. This closes Debian Bug#720306 (http://bugs.debian.org/720306). uruk version 20130809 - The Corbeşti Release - script/urukctl: Fix bug in urukctl, introduced 2013-05-29. (Previous uruk versions 20130619 and 20130618 are unusable.) Be sure to assign variables ($libdir e.a.) on time. No longer fails with "mkdir: cannot create directory `': No such file or directory". Thanks Casper Gielen for bugreport. - script/urukctl: no longer strictly requires root-access when called as "urukctl create active".
- init/autodetect-ips, man/uruk-rc.azm: detect IPs currently assigned to interfaces, which are not listed in config files /etc/network/interfaces or /etc/sysconfig/network-scripts/ifcfg-*, by calling ip(8) if needed. Useful in case e.g. udev is used to assign IPs to interfaces. This closes Debian Bug#712869 (http://bugs.debian.org/712869). - init/autodetect-ips: Apply patch contributed by Wessel Dankers: "accept debian interfaces entries that include the netmask". - man/{uruk,urukctl}.azm: Various improvements in uruk(8) and urukctl(8) manpages. - man/include.zmm.in, man/uruk*.azm: introduce zoem macro \gplheader, update copyright of all manpages - Special thanks to Wessel Dankers for recovering my git repo: it didn't really like a sudden powerfailure. And thanks for lending me an Ubuntu EeePC to replace mine which died after an encounter with my bicycle's wheel spokes. - Thanks Jelena for teaching me how to spell četiri. uruk version 20130619 - The Het De Siptenpad Release - init/uruk: bugfix: change DAEMON from /usr/sbin/uruk to /sbin/uruk. - man/urukctl.azm: various improvements. uruk version 20130618 - The Sterreke Release - A part of the uruk init script's functionality is now delivered by the new script urukctl (with manpage urukctl(8)). Calling the init script with arguments "save", "create", "load", "reload", "clear", "halt" and "flush" is deprecated (but still supported for now; the init script calls urukctl). Only the arguments "start", "stop", "restart", "force-reload" are still (and will continue to be) fully supported in /etc/init.d/uruk. When the uruk software is removed from a system, but one chooses to keep the uruk configuration files, /etc/init.d/uruk could be kept (e.g. on a Debian system when removing (not purging) the uruk package; /etc/init.d/uruk is considered to be a configuration file on Debian). When one boots such a system, the LSB standards require the init script to exit with error 5 ("program is not installed"). 
Such an error causes the boot process to fail. The revised uruk init script now exits successfully when the uruk program is not installed, like any init script on Debian systems. uruk version 20130426 - The Sy Release - 10th anniversary release \o/ - Currently, setting enable_ipv6=false in /etc/{default,sysconfig}/uruk means: uruk should never call ip6tables, i.e. uruk won't change or set any ip6tables rule (so uruk itself does not filter IPv6 traffic in that case). In an upcoming uruk release (not this one), setting enable_ipv6=false will mean: block all IPv6 traffic. So, if you don't use any IPv6 networking functionality, you're advised to now make sure you have set enable_ipv6=false. If you have some IPv6 filtering rules but are managing them NOT using uruk, and therefore have set enable_ipv6=false, you should start thinking about migration now. You can either decide to start managing your IPv6 rules with uruk, and set enable_ipv6=true, or stop using uruk. In all other cases, things will just continue to work. - The uruk-save script (managed by setting enable_uruk_save in /etc/{default,sysconfig}/uruk) is now no longer considered experimental, but fully supported. It is still disabled by default, though. - README, man/uruk.azm, script/uruk: apply patch contributed by Thijs Kinkhorst, 1 Mar 2013, in <1362140354-7012-1-git-send-email-thijs@uvt.nl>: "Replace obsolete 'state' module usage with 'conntrack'.": The iptables 'state' module has been obsoleted and produces warnings in current Debian sid. The modern form to express this is with the 'conntrack' module. Change uruk's iptables commands to make use of the newer syntax. As according to the README uruk already depended on the conntrack module being present, this introduces no higher minimum iptables version. The change has been tested against Debian Lenny, Squeeze, Wheezy and Sid. Thanks Thijs! This closes bug http://bugs.debian.org/702064 . - script/uruk: apply patch contributed by Casper Gielen, fixing typo in the ip6_noroute_ranges value. Thanks Casper!
This closes bug http://bugs.debian.org/705202 . uruk version 20130226 - The Vlist Release - init/autodetect-ips: Apply patch contributed by Wessel Dankers, 2013-02-15: "typo in autodetect-ips breekt situaties met eth0:0" - man/uruk-rc.azm: cosmetic fixes. uruk version 20121205 - The Zes Blokskes Release - init/autodetect-ips init/enable-ipv6: add missing #!/bin/sh. - man/uruk-rc.azm: documented autodetect-ips in uruk-rc(5). - man/uruk-save.azm: documented changes in 20121130 in uruk-save(8). uruk version 20121130 - The Вршац Release - experimental release. - init/autodetect-ips, init/enable-ipv6: Added new helpers for uruk rc and for uruk/default, contributed by Wessel Dankers. - script/uruk, script/uruk-save: Apply patch contributed by Wessel Dankers in <1354116979-10246-1-git-send-email-wsl@fruit.je>: "allow access to different tables (nat, mangle, raw) in uruk-save". uruk version 20121023 - The Grafwegen Release - uruk/script/uruk: Fix IPv6 firewalling in case uruk is used on a host (not transit) firewall by applying patch contributed by Thijs Kinkhorst: "Uruk implemented RFC 4890 section 4.3: Recommendations for ICMPv6 Transit Traffic. However uruk is used in some (many?) cases not as a transit firewall but as a host firewall for destination entities. Therefore, also the recommendations from section 4.4: Recommendations for ICMPv6 Local Configuration Traffic need to be added." uruk version 20121005 - The Onze-Lieve-Vrouw-Waver Release - lsb/init-functions, lsb/lsb_killproc, lsb/lsb_log_message, lsb/lsb_pidofproc, lsb/lsb_start_daemon: added. By default installed in /usr/local/libexec/uruk/lsb/; RPM packages should install these in /lib/uruk/lsb/. On a non-LSB-system, uruk tries to use /etc/init.d/functions. This file is installed by the initscripts RPM package (e.g. with version 9.03.31-2.el6.x86_64 for Red Hat Enterprise Linux). 
Rationale for shipping /lib/uruk/lsb/: In order to supply a RHEL 6 system with the LSB init interface, one has to install the redhat-lsb RPM package (e.g. version 4.0-3.el6.x86_64). This package pulls in massive amounts of dependencies. (70 MBs, we've been told, thanks Thijs Kinkhorst for reporting this issue.) Using the initscripts RPM package and /lib/uruk/lsb/ keeps the system small and lean. - uruk/init/uruk: add missing $local_fs (for /var) to Required-Stop LSB header. uruk version 20120914 - The Sankt Goar Release - uruk/init/uruk: init script should now work without /usr being mounted. (It still needs /var though.) It no longer sets PATH. (It used to set it to include /usr{,/local}/{,s}bin.) This init script should work on systems using our Debian package, as well as on systems using our RPM package. If you run uruk on another system you likely have to make sure /usr/sbin and/or /usr/local/sbin are in your PATH when executing the init script. - uruk/init/uruk: stop uruk when switching to single-user mode (runlevel 1), not just when rebooting the system (runlevel 6) or halting the system (runlevel 0). - Linux kernel behaves in ways which makes iptables incorrectly block final FIN-ACK packets. Workaround implemented. Uruk now explicitly allows these, and no longer logs them. See http://bugs.debian.org/687621. Thanks Wessel Dankers. - uruk/man/uruk-rc.azm: document how to allow IPv6 tunneling by ACCEPTing IP protocol 41. uruk version 20120608 - The Hooidonk Release - uruk/script/uruk: No longer block, but allow ICMPv6 type 137 Redirect Message [RFC4861]. These are needed for Duplicate Address Detection in IPv6 autoconfiguration: RFC 4429 says: "the router should [...] provide the ON with an ICMP Redirect, which may include a Target Link-Layer Address Option (TLLAO)." Thanks Casper Gielen. 
- uruk/init/uruk: Apply patch for uruk init script, in order to make sure uruk starts early enough in boot sequence: -# Required-Start: $network $remote_fs -# Required-Stop: $network $remote_fs +# Required-Start: mountkernfs $local_fs +# Required-Stop: -# Default-Stop: 0 1 6 +# Default-Stop: 0 6 +# X-Start-Before: networking +# X-Stop-Before: contributed by Wessel Dankers. Thanks! uruk version 20120605 - The Pickensteeg Release - configure.ac: no longer die if programs zoem, col and/or groff are not found. uruk version 20120530 - uruk/script/uruk.in: icmpv6: DROP some. Based upon suggestions found in rfc4890-icmpv6-firewall.sh. A.o., the following ICMPv6 packets are now dropped by default: Redirect messages: redirect; Multicast Listener queries (MLDv1 and MLDv2): 130; Multicast Listener reports (MLDv1): 131; Multicast Listener Done messages (MLDv1): 132; Multicast Listener reports (MLDv2): 143; Router renumbering messages: 138; and Node information queries (139) and replies (140): 139 140. - uruk/doc/rfc4890-icmpv6-firewall.sh, uruk/doc/rfc4890.license.msg: ship example ICMP v6 script from RFC 4890, by Suresh Krishnan. It is available under a BSD-style license. - zoem no longer needed to build from this tarball: pretypeset documentation is shipped. - we no longer rely upon expansion of BIN_PATH SBIN_PATH DATA_PATH SYSCONF_PATH LOCALSTATE_PATH using AC_DEFINE_DIR, as defined in GNU Autoconf Macro Archive's ac_define_dir.m4. These are now hardcoded to /usr/bin, /usr/sbin, /var, /etc and /usr/share. (Package autoconf-archive >= 20111221-1 (and possible also older ones) no longer ships ac_define_dir. From changelog: 2011-09-16 "AX_DEFINE_DIR: Obsolete: it doesn't comply with the GCS." See http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00013.html for discussion.) uruk version 20110831 - uruk/man/Makefile.am: assume zoem knows where to find aephea; get rid of hardcoded ZOEMSEARCHPATH=/usr/share/aephea. You need zoem >= 11-166 to build this uruk. 
uruk version 20110608 - The IPv6 Day release! (Today is ISOC's World IPv6 Day, see http://www.worldipv6day.org/) - Fix some more zoem >= 10-265-1 (cosmetic) issues. - doc/default: examples now more useful: just uncomment the line to change behaviour. tnx Thijs Kinkhorst for sharing ideas. uruk version 20110602 - bootstap: now builds with automake 1.11 (no longer 1.9) - uruk/man/Makefile.am, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm, uruk/man/uruk.azm: converted manpages to zoem >= 10-265-1 + aephea >= 10.008-1 format. - script/uruk.in: behave more gracefully on suspicious rc file: issue a warning in case of undefined variable. Thanks Wessel Dankers for bringing this up & supplying a first implementation. uruk version 20110213 - init/uruk.in: Support for IPv6 packet filtering has been enabled by default. It is no longer required to edit /etc/default/uruk to enable it: if you'd like to use IPv6 packet filtering, you now can remove any setting of enable_ipv6 in /etc/default/uruk. If you'd prefer NOT to use IPv6 packet filtering, be sure your /etc/default/uruk has "enable_ipv6=false". uruk version 20100831 - Fix example rc file: found out /sbin/ip6tables (as shipped with e.g. iptables 1.4.8-2) understands both full and abbreviated IPv6 names, while the shipped /sbin/iptables understands full names only. Thanks ﻢﻫﺪﻳ ﺎﻟﺩڤﻱ. uruk version 20100823 - README: added upgrade instructions for releases <= 20100717. - script/uruk.in: Update to new iptables syntax: Get rid of warning "Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`)." uruk version 20100821 - script/uruk.in: fix bug introduced in version 20100820: uruk: 391: Syntax error: Unterminated quoted string. uruk version 20100820 - Enable support for IPv6 packet filtering. See the README file for upgrade instructions. + script/uruk.in: ip6tables is now enabled in the uruk script by default. 
However, if you interact with uruk using the init script, you still have to add "enable_ipv6=true" to /etc/default/uruk to fully enable it. + man/uruk*.azm, doc/rc: manpages and example rc file updated to reflect IPv6-support is no longer considered experimental. + script/uruk.in: Drop unroutable IPv6 traffic. Use connection tracking for IPv6. Patch supplied by Casper Gielen. - init/uruk.in: Fix bugs in support for dependency based boot sequencing + We want to start early in boot sequence (on entering runlevel S). LSB init.d header however had "Default-Start: 2 3 5". Fix this to S. Thanks Petter Reinholdtsen for the patch in http://bugs.debian.org/581659. + Furthermore, change Default-Stop: "0 6" to "0 1 6": no need to special case runlevel 1 (thanks Debian's lintian). + Finally, added "$remote_fs" to Required-Start: and Required-Stop: since obviously we need /usr/sbin/uruk to be available (thanks again Debian's lintian). - Makefile.am, bootstrap: some tweaking of buildsystem. uruk version 20100717 - The uruk code is no longer maintained using GNU Arch, but using the git version control system. - Use IPv6 connection tracking if supported by kernel. Patch contributed by Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl>. uruk version 20080330 - Make behaviour more robust when uruk loglevel is set between 20 and 40 and IPv6 is enabled. In case not all IPv6 adresses were explicitly specified, uruk would give an error: ip6tables v1.3.6: Unknown arg `--destination' Try `ip6tables -h' or 'ip6tables --help' for more information. (it would try to run /sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix 'ip6tables: ' -i eth0 --destination in this situation.) These errors these did NOT compromise the firewall rules, btw. When adresses are missing, uruk does no longer try to log the traffic. 
uruk version 20080307 - Fix a bug showing up when uruk loglevel is set between 20 and 40 and IPv6 is enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3 not found". These errors did NOT compromise the firewall rules, btw. - Added support for multiple hook files (like rc_a) working at one entry point. See uruk-rc(5) and uruk(8). Thanks Wessel Dankers for the suggestion and for a first implementation. uruk version 20071101 - Added another contribution from Fred Vos to contrib/: fw2dot.xsl: generating a dot file (for graphviz) from an XML-ed uruk rc file. - Various fixes in uruk init script. Among others: fix behaviour of "reload" and "force-reload" in case uruk is not running. uruk version 20071030 - We ACCEPT traffic on lo earlier in the uruk ruleset: that's more efficient. Traffic on lo will no longer be delayed by our ruleset. Uruk <= 20051129 built its rules like: 1 rc is sourced as a shell script 2 $rc_a is sourced as a shell script [...] 8 $rc_d is sourced 9 Traffic on lo is trusted 10 $rc_e is sourced 11 Don't answer broadcast and multicast packets [...] Uruk >= FIXME builds its rules as: 1 rc is sourced as a shell script 2 Traffic on lo is trusted 3 $rc_a is sourced as a shell script [...] 9 $rc_d is sourced 10 Don't answer broadcast and multicast packets [...] see uruk(5) If you've done tricks with lo in any of the rc_ hook scripts, you risk being hit by incompatibilities. Study the uruk source to find out how to fix your hook. If you're not using any hook scripts, you are safe: your uruk configuration will still work fine. If you're using hook scripts, but don't do anything specific with lo in your scripts, you are likely safe: your configuration will likely still work. If you were using rc_a to add rules to the absolute beginning of the ruleset, you might have to move these to the rc-file: traffic on lo is now accepted _before_ rc_a is sourced.
If you rely on traffic on lo to be logged, and your loglevel was "fascist", you should craft some hack: this traffic will no longer be logged by default with this loglevel. rc_e is now obsolete. You should move your rc_e stuff to rc_d. (rc_e for now will still work, though.) - The uruk init script now is (should be) Linux Standards Base v 3.1.0 compliant. Added extra supported argument "status". The script now _requires_ the file /lib/lsb/init-functions to be present, and to define the shell functions log_success_msg, log_failure_msg and log_warning_msg. LSB compliant systems (recent releases of Debian GNU/Linux, Red Hat Enterprise Linux, Ubuntu Linux, a.o.) supply this. - Introduced new variables interfaces_unprotect and URUK_INTERFACES_UNPROTECT. - Add XML stuff contributed by Fred Vos, including some preliminary documentation (in Dutch). Could be used to transform an XML-file describing uruk rules to an uruk rc file. Shipped in contrib/, installed in .../doc/uruk/contrib/. - Uruk is now licensed under GPLv3 (or any later version). - man/Makefile.am: no longer try to support non-ascii characters in .txt manpages. col, as shipped with the bsdutils 1:2.13-2 Debian package chokes on output of groff, as shipped with the 1.18.1.1-12 Debian package. See also Debian bug Bug#441659. - TODO: added some more received wishlist bugs (thanks Wessel Dankers and Fred Vos) - Minor fixes in uruk(8) manpage. - uruk-rc(5): documented improved way to unprotect an interface, thanks Wessel Dankers. - TODO, init/uruk.in: found and documented bug: /etc/init.d/uruk force-reload breaks when nat or mangle table are used. Thanks Wessel Dankers for spotting this. uruk version 20051129 - On Red Hat, run start uruk initscript _after_ network interfaces are configured. (We have always been doing this in the Debian package.) This is needed in order to support usage where the rc file queries the operating system to learn about current IP adresses. 
With uruk 20051026 and 20051027, such usage was not possible. See TODO for notes on pending issues related to this. - Build-depend upon zoem >= 05-328. uruk version 20051027 - Fixed bug in uruk script. Reported to pop up when /bin/sh is bash and $version is not set in /etc/uruk/rc. uruk version 20051026 - More examples in uruk-rc(5) manpage. Thanks Roland van Hout for suggestion. - Experimental ip6tables support added to uruk(8) and uruk-save(8). See comments in the uruk script. New option "-6" for uruk-save(8). - The uruk init script now sources both /etc/default/uruk and /etc/sysconfig/uruk (if present, of course). An example file for /etc/{default,sysconfig}/uruk is now shipped and gets installed in /usr/[local/]share/doc/uruk/examples/. - Major overhaul of the uruk init script. This script now is more integrated in the uruk framework. + The pre-uruk situation is now saved and restorable. + Optionally calls uruk-save (and displays a warning by default). + Calls uruk if applicable. + Improved options: start, stop, force-reload, reload. These now behave more intuitive. + The saved active and inactive rules now no longer get out of sync with the uruk rc file. (O.t.o.h.: one can no longer maintain part of the firewall configuration outside the uruk rc file.) + New option: create See README on what the implications are if you're upgrading. Thanks to Wessel Dankers for his ideas about an improved uruk init script. - uruk(8) now checks for the Uruk version the rc file was created for. This will allow for more sane behaviour in case of future incompatible upgrades. - Buildsystem: ./bootstrap now uses autoreconf(1). uruk version 20050718 - This is a pre-release. - Added support for loglevel, see uruk-rc(5). Some people were annoyed by uruk's syslog spamming. If you're one of these, set loglevel=30 (or 10) in your rc-file. uruk version 20050414 - This is a pre-release. - Uruk now is maintained using GNU Arch on http://arch.gna.org/uruk/ . See README. 
- ChangeLog entries from 2003 split off in ChangeLog.2003. - Uruk(8) now honors environment variables URUK_IPTABLES (/sbin/iptables by default) and URUK_CONFIG (/etc/uruk/rc by default). - Now ships new script uruk-save(8); which saves /etc/uruk/rc in iptables-{save,restore} format, without invoking iptables. You could use it e.g. when loading a new rc file. See the updated uruk(8) manpage. - The uruk init script now honors /etc/default/uruk. See comments in the code. - The uruk init script acts more sane when passed {stop,start} while no saved rules files are present: it tries to generate these in such circumstances. It will warn you it's doing so. uruk version 20040625 - Fixed bug in multiple IP per network interface mode. Uruk was unusable in such a setup. - Some tweaking of build system. uruk version 20040216 - Fixed severe bugs in uruk script: 20040213 was unusable. - init script now supports chkconfig: Red Hat is now better supported. uruk version 20040213 - Support for multiple IP adresses on one network interface added. New variables ips_ and bcasts_ introduced. See uruk-rc(5). Don't worry: your old rc file will still behave as it used to. uruk version 20040210 - Allow more ICMP types by default. Tnx Wessel Dankers for suggestion. - The Uruk init script is now more helpful when often-encountered errors occur. - Added warning to uruk(8) manpage: uruk does no sanity checking. uruk version 20031111 - We no longer create our own ``block'' chain: the built-in INPUT and OUTPUT chains suffice for our purposes. This makes uruk's rule setup much more simple. Thanks to Wessel Dankers. - rc_1, ... , rc_10 are NO LONGER SUPPORTED. We use rc_a, rc_b, rc_c, ... now. In the future, rc_aa, rc_aab, ... might get added. You'll HAVE TO rewrite your rc_ style stuff MANUALLY. See the notes on UPGRADE in the README file. (Your uruk/rc file will still work fine. No other changes in the configuration file syntax are introduced in this release.) 
- If you have saved your rules using iptables-save or the uruk init script, you'll have to rebuild them. The old-style rules are not supported by this uruk release. uruk version 20031026 - Fixed bug which made "/etc/init.d/uruk stop" to fail. - Documented more of uruk's features. uruk version 20031008 - Init script more robust, especially on fresh installs. (We still suffer from at least one bug though, see TODO.) - Started documenting rc_ hooks. - Various minor and cosmetic cleanups in documentation. uruk version 20031004 - ad1810-firewall is now called uruk. - big changes in build system and documentation system: - manpages have been converted from Perl's pod format to zoem format. See README for details. - now build-depends on zoem: documentation depends on configure-time settings. - ad1810-firewall under some circumstances was not reboot-resistent: I've missed a change in the Debian iptables package behaviour. The Debian iptables package >= 1.2.7-8 (7 Dec 2002) will not call /etc/init.d/iptables on boot by default. We now ship our own init script to deal with this (thanks to Laurence J. Lane). ad1810-firewall version 20030829 - ad1810-firewall-rc manpage converted from pod to zoem ( http://micans.org/zoem ). - rc_1, rc_2, .... rc_10 feature supported by ad1810-firewall script: set e.g. rc_1=/usr/local/etc/ad1810-firewall/rc_1 in your ad1810-firewall-rc(5). This file should contain shell code. This is executed early in the ad1810-firewall routine, allowing finegrained tweaking of rules, for systems with special demands. For now, see the ad1810-firewall shell code for more details. More documentation will follow. ad1810-firewall version 20030512 - Moving manpage format from pod to zoem. - Fixed automatic version numbering in build system; no more wacky vyyyymmdd versions. Thanks Raja R Harinath on the autoconf list. - rc should no longer define e.g. sources_eth0_tcp_www, where www is a port, but e.g. 
sources_eth0_tcp_public, where public is a symbolic name for a (set of) services. Furthermore, the new variable ports_eth0_tcp_public should be defined as e.g. "www". ad1810-firewall version v20030427 - rc File location now depends on sysconfdir, as set during configure. - Various documentation updates. ad1810-firewall version v20030426 - First public alpha release. Untested! uruk-20160219/README0000644000175000017500000002204312162331213010542 00000000000000INTRODUCTION Uruk is a simple shell script (uruk(8)) which calls Linux iptables. It uses a template file to get lists of source addresses that are allowed to use specific network services. REQUIREMENTS Uruk is useful only on Linux systems. However, the rc file (see uruk-rc(5)) could be used by other packet filtering engine wrappers too. For this script to work, your Linux kernel needs stuff from the netfilter/iptables project ( http://www.netfilter.org/ ). The specific needed settings are .config variable module name description in ``make config'' CONFIG_IP_NF_IPTABLES ip_tables.o (``IP tables support'') CONFIG_IP_NF_TARGET_LOG ipt_LOG.o (``LOG target support'') CONFIG_IP_NF_TARGET_REJECT ipt_REJECT.o (``REJECT target support'') CONFIG_IP_NF_CONNTRACK (``Connection tracking'') . Furthermore, you need the iptables(8) command, as shipped with the iptables package from the netfilter project. For retypesetting the documentation (the uruk(8), uruk-rc(5) and uruk-save(8) manpages), you'll need zoem >= 05-328. Zoem is an interpretive macro language, for creating mark-up languages, by Stijn van Dongen. Information about zoem, as well as tarballs for download, can be found on the zoem webpage at http://micans.org/zoem/ . Binary zoem packages are shipped with Debian GNU/Linux. However, pre-typeset uruk docs are shipped with the tarball, so you likely don't need zoem. INSTALL If you use the uruk Debian package or the uruk RPM, use your package manager to take care of installation; skip this section. 
If you'd prefer to install using the uruk .tar.gz release however, do read on. See the INSTALL file for generic installation instructions. The Uruk init script, in init/uruk, gets installed in /usr/local/etc/init.d/ by default. Symlinks are _not_ created. You'll have to create them yourself, after running 'make install'. E.g. do: # cd /etc/init.d && ln -s /usr/local/etc/init.d/uruk # update-rc.d uruk defaults . (If you lack update-rc.d, do something like # cd /etc/ # ln -s ../init.d/uruk rc0.d/K92uruk # ln -s ../init.d/uruk rc1.d/K92uruk # ln -s ../init.d/uruk rc2.d/S20uruk # ln -s ../init.d/uruk rc3.d/S20uruk # ln -s ../init.d/uruk rc4.d/S20uruk # ln -s ../init.d/uruk rc5.d/S08uruk # ln -s ../init.d/uruk rc6.d/K92uruk ) UPGRADE For upgrades from any version: run /etc/init.d/uruk force-reload after installation. Read the NEWS file. * upgrading from uruk <= 20100831 Support for IPv6 packet filtering has been enabled by default in the uruk init script. If you'd like to start using IPv6 filtering now, and you interact with uruk using the init script, you don't have to change anything. You might however like to do some janitoring on your file /etc/default/uruk: you now can remove any setting of enable_ipv6 in this file. If you run /usr/sbin/uruk directly, you don't have to edit any special configuration file. In both cases, if you want to block/allow specific IPv6 traffic, you'll have to adjust the uruk rc file of course. See /usr/share/doc/uruk/examples/rc for hints on how to do that. If you don't want to use any IPv6 filtering, and you interact with uruk using the init script, be sure your /etc/default/uruk has "enable_ipv6=false". If you run /usr/sbin/uruk directly, add URUK_IP6TABLES=':' to the top of your uruk rc file. Note that, as the TODO file points out, enable_ipv6=false currently means that ip6tables is not called, not that IPv6 traffic is blocked: on a host with IPv6 connectivity, IPv6 traffic is then left unfiltered by uruk. If you have been using IPv6 filtering, and want to continue to do so, you don't have to change anything. You might however like to do some janitoring on your file /etc/default/uruk: you now can remove any setting of enable_ipv6 in this file. 
* upgrading from uruk <= 20100717 IPv6 support is now blessed mature. It is enabled by default in the uruk script. If you'd like to start using IPv6 filtering now, and you interact with uruk using the init script, you have to add "enable_ipv6=true" to /etc/default/uruk to enable IPv6 filtering. If you run /usr/sbin/uruk directly, you don't have to edit any special configuration file. In both cases, if you want to block/allow specific IPv6 traffic, you'll have to adjust the uruk rc file of course. See /usr/share/doc/uruk/examples/rc for hints on how to do that. If you don't want to use any IPv6 filtering, and you interact with uruk using the init script, you don't have to change anything. (This only means that no IPv6 rules are loaded; it does not mean that IPv6 traffic is blocked.) If you run /usr/sbin/uruk directly, add URUK_IP6TABLES=':' to the top of your uruk rc file. If you have been using IPv6 filtering, and want to continue to do so, you don't have to change anything. You might however like to do some janitoring on your rc file: a statement like ip6tables=${URUK_IP6TABLES:-/sbin/ip6tables} is no longer needed: you no longer need to override the $ip6tables variable. (The statement "enable_ipv6=true" in /etc/default/uruk is still needed.) * upgrading from uruk <= 20050718 You might like to use the experimental IPv6 support. See the NEWS file. Behaviour of the uruk init script has changed. Before 20050718, you were advised to run /etc/init.d/uruk stop; uruk; /etc/init.d/uruk save active . This has changed. One now should run /etc/init.d/uruk force-reload after changing the uruk rc file. Some details: To understand this, consider the uruk states: Iptables rules are kept in: liverules inactivestatefile activestatefile uruk-rc . 
Actions on copying rules from one to the other are: init.d/uruk stop init.d/uruk start init.d/uruk reload sbin/uruk uruk-save The actions perform the following copies: sbin/uruk : uruk-rc -> liverules uruk-save : uruk-rc -> activestatefile Uruk's init behaviour <= 20050718: init.d/uruk stop : inactivestatefile -> liverules [1] init.d/uruk start : activestatefile -> liverules [1] init.d/uruk reload: activestatefile -> liverules [1] Uruk's init behaviour > 20050718: init.d/uruk stop : inactivestatefile -> liverules [1] init.d/uruk start : liverules -> inactivestatefile; uruk-rc -> activestatefile ; uruk-rc -> liverules init.d/uruk force-reload: uruk-rc -> activestatefile ; uruk-rc -> liverules [1] depends on whether or not inactivestatefile and activestatefile are present. * upgrading from uruk < 20031026 After uruk version 20031026, the hooks are no longer called rc_1, rc_2, .... rc_10, but rc_a, ... rc_i. rc_1 is taken over by rc_a; rc_9 and rc_10 are taken over by rc_i. For most situations, replacing ``-A block'' with ``-A INPUT'' suffices to translate rc_ to rc_. However, please take a look at the uruk script itself to find out. uruk-rc(5) is updated and contains some examples. POST INSTALLATION STUFF Uruk will _not_ "just work" out of the box. It needs manual configuration. See the uruk(8) manpage for quick setup instructions. HACKING Uruk version control is handled using git. You can get a fresh copy by running git clone http://git.mdcc.cx/uruk.git See http://git-scm.com/ for information about git. Note that the clone URL is plain HTTP, so the transfer is not authenticated; for a verifiable copy, use a release tarball and check its detached GPG signature (.asc file). (Until June 2010, the uruk code was maintained using GNU Arch.) MORE INFORMATION, SIMILAR TOOLS The uruk(8), uruk-rc(5) and uruk-save(8) manpages are available in HTML format too. By default, they're installed in /usr/local/share/doc/uruk/html/ . The Uruk webpage is at http://mdcc.cx/uruk/ . See also http://www.openbsd.org/faq/faq6.html#6.2 and pf.conf(5) (online on http://resin.csoft.net/cgi-bin/man.cgi?section=5&topic=pf.conf ) for general ideas on packet filtering. 
Tools doing similar stuff as this script are Auke Kok's ``ferm'', available from http://www.geo.vu.nl/~koka/ferm/ and Arno van Amersfoort's ``arno-iptables-firewall'', available from http://rocky.eld.leidenuniv.nl/page/iptables/iptframe.htm . Other tools, with varying levels of userfriendlyness (or bloatedness) are: ipmasq, shorewall, firestarter, ipmenu, fireflier, firewall-easy, fwbuilder, fwctl, gfcc, lokkit, gnome-lokkit, gshield, guarddog, hlfl, knetfilter, mason and gshield. Another list of alternatives is in the "Securing Debian Manual", http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-pack ; this howto is also available via the Debian harden-doc package. TRIVIA Uruk is named after the city of Uruk in Mesopotamia (now Iraq), that Gilgamesh ruled in the Epic of Gilgamesh. This epic reads something like: View its strong walls, for which there is no equal. (I only have access to a Dutch translation here, which reads: De muren van Oeroek, het Oeroek van de schaapskooien, liet hij bouwen. ... Bekijk zijn onvergelijkelijke borstwering. ... Bestijg de muren van Oeroek, loop erop. Beproef de fundering, bekijk het tichelwerk. Is zijn tichelwerk niet van baksteen? .) The city of Uruk is known under the name Erech in the bible: 9 He was a mighty hunter before the LORD: wherefore it is said, Even as Nimrod the mighty hunter before the LORD. 10 And the beginning of his kingdom was Babel, and Erech, and Accad, and Calneh, in the land of Shinar. Gen 10:9-10, KJV It has nothing to do with http://www.uruk.org/ , where Erich Boleyn's Home Page is. # this file maintained at http://git.mdcc.cx/uruk.git uruk-20160219/THANKS0000644000175000017500000000064512476343307010620 00000000000000Uruk THANKS file Thanks go to Tilburg University and Stichting Logreport Foundation, for supporting this and other Free Software. Thanks to Laurence J. Lane for creating the Debian iptables package, giving inspiration for the Uruk init script. 
Thanks to Wessel Dankers for giving valuable feedback, and willingness to accept commit rights. Thanks to Fred Vos, Casper Gielen and Thijs Kinkhorst for contributing code. uruk-20160219/TODO0000644000175000017500000005717012661605702010376 00000000000000 - init/{uruk.service,Makefile.am}: ship and install /lib/systemd/system/uruk.service. FIXME probably doesn't work!! init/uruk.service : incomplete ---- fix in RPM: #796700 - uruk: Has init script in runlevel S but no matching service file Thanks fsateler@debian.org ---- do not ship rpm package until this is fixed: root@v:~# rpm -q --list iptables-ipv6 | grep lib /lib64/iptables/libip6t_CONNMARK.so /lib64/iptables/libip6t_DSCP.so /lib64/iptables/libip6t_HL.so /lib64/iptables/libip6t_LOG.so /lib64/iptables/libip6t_MARK.so /lib64/iptables/libip6t_NFQUEUE.so /lib64/iptables/libip6t_REJECT.so /lib64/iptables/libip6t_TRACE.so /lib64/iptables/libip6t_ah.so /lib64/iptables/libip6t_connmark.so /lib64/iptables/libip6t_dscp.so /lib64/iptables/libip6t_dst.so /lib64/iptables/libip6t_eui64.so /lib64/iptables/libip6t_frag.so /lib64/iptables/libip6t_hbh.so /lib64/iptables/libip6t_hl.so /lib64/iptables/libip6t_icmpv6.so /lib64/iptables/libip6t_ipv6header.so /lib64/iptables/libip6t_length.so /lib64/iptables/libip6t_limit.so /lib64/iptables/libip6t_mac.so /lib64/iptables/libip6t_mark.so /lib64/iptables/libip6t_multiport.so /lib64/iptables/libip6t_owner.so /lib64/iptables/libip6t_physdev.so /lib64/iptables/libip6t_policy.so /lib64/iptables/libip6t_rt.so /lib64/iptables/libip6t_standard.so /lib64/iptables/libip6t_state.so /lib64/iptables/libip6t_tcp.so /lib64/iptables/libip6t_udp.so root@v:~# service uruk force-reload Checking uruk (iptables): active uruk rules loaded Checking uruk (ip6tables): active uruk rules loaded Flushing all current iptables rules. Loading IPv4 uruk rules. Saving iptables ruleset: save "active" with counters. Flushing all current ip6tables rules. 
Loading IPv6 uruk rulesip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory root@v:~# rpm -q iptables-ipv6 iptables-ipv6-1.3.5-9.2.el5_8 Description: Red Hat Enterprise Linux Server release 5.11 (Tikanga) not supported by kernel? users of these system should explicitly disable IPv6 support in uruk? ---------- do not ship debian package until this is fixed: init script is buggy: - force-reload does not behave according to specs - reload should be supported ( restart stop and restart the service if it's already running, otherwise start the service reload cause the configuration of the service to be reloaded without actually stopping and restarting the service, force-reload cause the configuration to be reloaded if the service supports this, otherwise restart the service. The start, stop, restart, and force-reload options should be supported by all scripts in /etc/init.d, the reload option is optional. чет 02 10:16 < casper> https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.3.2 ) one possible solution: enforce running uruk in uruk_save-mode; no longer support setups having enable_uruk_save=false. reload and force-reload should act the same ----- enable uruk-save by default ------ Wessel fixt dit: пон 30 11:34 < joostvb_thuis> we weten nog niet of r n uruk-bug is, wel? 
пон 30 11:34 < joostvb_thuis> met dat gedoe met uruk is not running пон 30 11:34 < Fruit> volgens mij is het een transitieprobleem пон 30 11:35 < Fruit> maar dat weet ik niet 100% zeker пон 30 11:35 < joostvb_thuis> en dus niet 100% zeker of dat transitieprobleem in uruk zit пон 30 11:35 < joostvb_thuis> of in de debian packaging пон 30 11:35 < joostvb_thuis> of in onze zut пон 30 11:35 < Fruit> combi пон 30 11:36 < Fruit> mijn hypothese is dat als je overschakelt naar uruk_save en er draaide al een uruk, dat-ie dat dan niet doorheeft пон 30 11:36 < joostvb_thuis> klinkt best aannemelijk пон 30 11:36 < Fruit> want hij is gestart zonder uruk_save пон 30 11:36 < Fruit> dus geen save-file aangemaakt пон 30 11:36 * joostvb_thuis gaat t tot de bodem uitzoeken пон 30 11:37 < Fruit> ik heb wel de nieuwe uruk draaien op pichu пон 30 11:37 < Fruit> fwiw пон 30 11:37 < joostvb_thuis> die .deb prerelease? пон 30 11:37 < Fruit> ja ========================== somewhat less urgent issues ---- пон 30 11:38 < Fruit> ik heb trouwens opeens een file /etc/uruk/extra.d/version пон 30 11:39 < Fruit> terwijl ik me niet kan herinneren die ooit aangemaakt te hebben пон 30 11:39 < Fruit> er zit een datum in de toekomst in пон 30 11:39 < Fruit> version=20160319 пон 30 11:41 < joostvb_thuis> zou n bug in uruk/NEWS kunnen zijn пон 30 11:41 < joostvb_thuis> dat dat niet gemeld wordt ------ think about systemd (and runit, while we're at it) ship a systemd (or go with lsb hack firing of systemd stuff via traditional init script) and a daemontools init thingie ------- document $uruk_version ------ document this: сре 20 16:41 < Fruit> joostvb: sctp-support in uruk zou handig zijn сре 20 16:46 < Fruit> joostvb: misschien ook meteen dccp dan maar --protocol protocol The protocol of the rule or of the packet to check. 
The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh or the spe‐ cial keyword "all", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. "all" will match with all protocols and is taken as default when this option is omitted. Note that, in ip6tables, IPv6 extension headers except esp are not allowed. esp and ipv6-nonext can be used with Kernel version 2.6.11 or later. in script/uruk, see "for proto in tcp udp" and "--tcp-flags" see also iptables-extensions(8) - for proto in tcp udp + for proto in dccp sctp tcp udp sctp: find out about --chunk-types (vs --tcp-flags in tcp-case) --------------- phase out sources6 in uruk? is there still a use-case? ----- if uruk is configured for ipv4, but not for ipv6, it should block all ipv6 traffic. if uruk is configured for ipv6, but not for ipv4, it should block all ipv4 traffic. if uruk is not configured for ipv4 and not for ipv6, it should do nothing (as it currently does). fix bugs: querybts --mbox 705687 >debian-bug-705687.mbox doc/debian-bug-704807.mbox doc/debian-bug-705687.mbox doc/debian-bug-720306.mbox joostvb@arrr:ding% mailx -f ./doc/debian-bug-720306.mbox then give 'v' or 'p' or ~v or ~p #704807 [n|+u| ] [uruk] uruk: autodetect non-routable nets #720306 [n| | ] [uruk] uruk: incorrectly blocks and logs tcp RSET packets чет 20 11:06 < joostvb> Fruit: heb alleen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720306 nog, geloof ik чет 20 11:07 < joostvb> Fruit: ik weet niet hoe ik doe moet fixen, en ook niet of die bug er eigenlijk nog wel in zit.... чет 20 11:11 < Fruit> gewoon die RST-dingen niet loggen ofzo чет 20 11:20 < Fruit> ik zie ze iig nog steeds чет 20 14:47 < joostvb> niet loggen voelt niet goed чет 20 14:55 < Fruit> hoger loglevel dan? 
чет 20 14:55 < Fruit> zodat je ze kunt loggen als je da per se wil чет 20 14:55 < Fruit> net als broadcastcrap чет 20 15:22 < joostvb> broadcastcrap krijg je nu ook automagisch in je logs чет 20 15:22 < joostvb> das ook n bug dan чет 20 15:22 * joostvb noteert t --------------- #705687 [w| | ] [uruk] Provide "uruk diff" showing diff between running and config From: Thijs Kinkhorst Subject: Provide "uruk diff" showing diff between running and config Please provide an "uruk diff". When uruk config has been changed, this will output the difference between the currently installed firewall rules and the result of the config that would be installed when force-reload is used. This can be used to check whether any applied changes indeed have the desired effect, and just the desired effect. -------------- support for iptables-opvolger: niet netfilter maar .... ---- пон 16 16:04 < joostvb> http://mdcc.cx/tmp/uruk/uruk_20130913-1_all.deb <- klaar voor testen пон 16 16:20 < thijs> joostvb: update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults пон 16 16:21 < thijs> sid пон 16 16:22 < Fruit> ja logisch, gaat via dependencies nu toch пон 16 16:23 < joostvb> thijs: sysv-rc 2.88dsf-43 zie ik, zo zo en zie ook insserv package пон 16 16:24 < joostvb> thijs: maar t werkt verder wel, als je die warnign laat voor wat ie is? пон 16 16:24 < thijs> inderdaad, hij valt terug naar de defaults пон 16 16:25 < joostvb> ok, tnx voor testen See insserv(8) for lsb header descriptions likely removing # Default-Start: S # Default-Stop: 0 1 6 will fix that ------ lintian complains init.d-script-does-not-source-init-functions . Either change /etc/init.d/uruk's . $lsb_init_functions in . /lib/lsb/init-functions , add lintian override or fix /usr/share/lintian/checks/systemd.pm as shipped with lintian 2.5.17 ---------- stick in documentation somewhere: уто 03 09:24 < joostvb> hrm, "conntrack_max = (ram/16384) / (arch/32)" уто 03 09:24 < joostvb> waarom is dat? 
уто 03 09:24 < joostvb> omdat linus t zo wil? уто 03 09:39 < joostvb> t zou wel mooi zijn als t nog te overrulen is +Sep 2 14:04:21 tsingou kernel: [3459743.665364] nf_conntrack: table full, dropping packet. +root@tsingou:~# cat /proc/sys/net/nf_conntrack_maxnntrack_max +65536 +root@tsingou:~# wc -l /proc/net/ip_conntrack +63453 /proc/net/ip_conntrack +dus aardig vol ja +maar conntrack_max = (ram/16384) / (arch/32) = 64336 dus verhogen heeft geen zin. уто 03 09:54 < Fruit> joostvb: je kunt het overrulen уто 03 09:56 < casper> joostvb: afaik heb ik die formule op tory gebruikt уто 03 09:56 < casper> om uit te rekenen hoe hoog ik conntrack_max kon zetten уто 03 09:57 < casper> ik geloof niet dat het de default is -------- urukctl: document how to set up file access permissions in order to be able to run "urukctl create active" as non-root user. ------ Als lokale ip ongespecifeerd is, check verkeer dan niet op destination ip, maar alleen op source, port, etc. Handig bij dhcp en dynamische ipv6. Tnx Wessel voor idee. Bv. als ip_eth0_failover='', dan daar niet op checken. ------------------------------------------------------------------- kijk in /sys om netwerkinterfaces te vinden. via ip(1): is niet-standaard op red hat. mogelijk fijn voor niet-debian/niet-rh; bv. gentoo oid. ------- git should do "write to tempfile; fsync(); rename" when updating HEAD ref. due to powerfailure my HEAD ref file was empty. occured with git 1:1.7.10.4-1+wheezy1 ------ metagross# chmod a+x /tmp/urukctl metagross# /tmp/urukctl start Flushing all current iptables rules. Loading IPv4 uruk rules. Saving iptables ruleset: save "active" with counters. Flushing all current ip6tables rules. Loading IPv6 uruk rulesip6tables: Protocol wrong type for socket. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. 
ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. . Saving ip6tables ruleset: save "active" with counters. metagross# ------------ - fix copyright in .azm: use template. - The revised uruk init script now exits succesfully when the uruk program is not installed, like any init script on Debian systems. FIXME Red Hat? ------------- FIXME: this is probably / partially fixed (as of < 2013-09) : plan: hernoem dit script naar uruk-ctl, schrijf nieuw sane init-script dat wel een configfile is, en dan is dit oude script geen debian config file meer. wo 22 10:51 < joostvb> Fruit: log_failure_msg "Aborting uruk initd: missing executable $i" wo 22 10:52 < Fruit> service uruk start wo 22 10:52 < Fruit> exit 0 wo 22 10:52 < joostvb> exit 5 wo 22 10:52 < joostvb> das fout? wo 22 10:52 < Fruit> root@fry:~# facedin wo 22 10:52 < Fruit> service uruk force-reload exited with status 5 wo 22 10:53 < Fruit> snmpd:test -x /usr/sbin/snmpd || exit 0 als je n /e/d/uruk hebt met enable-ipv6 call, en je doet dpkg --remove uruk: wo 22 16:40 /etc/init.d/uruk: 17: /etc/default/uruk: enable-ipv6: not found en als je n /e/d/uruk hebt zionder enable-ipv6 call: wo 22 16:41 root@bender:~# facedin wo 22 16:41 service uruk force-reload exited with status 5 ------------- init/enable-ipv6 doc/default : currently enable_ipv6=false means: do not call ip6tables. it should mean: block all ipv6 traffic. see NEWS. vr 22 10:16 <@Fruit> joostvb: als IPv6 disabled is in uruk, misschien gewoon alle IPv6-verkeer blokkeren? vr 22 10:17 <@Fruit> alle tables wissen en de policy op DROP zetten? 
vr 22 10:17 <@Fruit> ik kan wel ff een mooie autistische ruleset in elkaar zetten vr 22 10:22 < joostvb> ja, graag zo'n autistische ruleset voor ipv6 Date: Fri, 22 Mar 2013 11:00:13 +0100 From: Wessel Dankers To: Joost Subject: autistische IPv6-rulebase Message-ID: <20130322100013.GN2849@homsar.uvt.nl> Om te voeren aan ip6tables-restore: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] COMMIT *raw :PREROUTING DROP [0:0] :OUTPUT DROP [0:0] COMMIT *mangle :PREROUTING DROP [0:0] :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :POSTROUTING DROP [0:0] COMMIT Zonder ip6tables-restore: ip6tables -F ip6tables -t raw -F ip6tables -t mangle -F ip6tables -P INPUT DROP ip6tables -P FORWARD DROP ip6tables -P OUTPUT DROP ip6tables -t raw -P PREROUTING DROP ip6tables -t raw -P OUTPUT DROP ip6tables -t mangle -P PREROUTING DROP ip6tables -t mangle -P INPUT DROP ip6tables -t mangle -P FORWARD DROP ip6tables -t mangle -P OUTPUT DROP ip6tables -t mangle -P POSTROUTING DROP Dit gaat er trouwens wel vanuit dat je in uruk de policies op ACCEPT instelt, iets wat sowieso zou moeten gebeuren (anders kun je niet robuust een ruleset laden). ----------- later: reimplement uruk-save in perl, be sure to run it only when /usr is mounted, not in init-script during boot. from group/uruk/etc/uruk/rc-experimental by Wessel Dankers, 2012: ------------------- di 23 15:50 < Fruit> joostvb: Saving iptables ruleset: save "inactive". di 23 15:50 < Fruit> joostvb: dat probeer ik te voorkomen, met enable_autosave=false en enable_save_counters=false di 23 15:51 < Fruit> joostvb: maar dat blijft-ie doen - enable ip-not-yet-known. for roaming users, for fast-chagnging ipv6 adresses,for interfaces for which ip is not yet known. optionally: allow specifying range as local adress. tnx Wessel for reporting issue. 
- init script *** /var issue 2 init scripts eentje doet deny alles tweede doet stuff alternatief: ifupdown /etc/network/interfaces en vooral /etc/init.d/networking /run is cleared during reboot. we'd prefer to be able to load from saved state during boot. therefore, first block everything. later, when /var etc. are available, run uruk. what to do before halt? *** rh issue /etc/redhat-lsb/lsb_* geleverd door redhat-lsb-4.0-3.el6.x86_64 License GPL, by Lawrence Lim e.a., 2011, for Red Hat, Inc. -------------- - decide: fork this package, get new name, don't bother about migration scenario, use dedicated named chains and tables. - major overhaul: use different chains, optimise behaviour when dealing with ipv6. we deal with private ip ranges in a braindead way; improve that. - test on dijkstra, rolle, bruhat, freitag root@janacopoulos:/tmp# wget http://mdcc.cx/tmp/uruk/uruk_20110602-1_all.deb && dpkg -i uruk_20110602-1_all.deb ------------- - add a full IPv6 example to uruk-rc manpage (we now only have the example rc-file). - 28 14:11 < joostvb> ip6_noroute_ranges='::1/128 ffff:0:0::/96 fc00::/7 fec0::/10 0200::/7 2001:0db8::/32' vr 28 14:14 < Fruit> joostvb: overigens kun je in IPv6 veel beter over *routable* spreken dan unroutable vr 28 14:14 < Fruit> 2000::/3 is gewoon de enige die routeerbaar is, de rest is lokaal vr 28 14:26 < Fruit> 2001:0DB8::/32 has been assigned as a NON-ROUTABLE range to be used for documentation purpose [RFC3849]. 
vr 28 14:26 < Fruit> daar gaat de mooie 2000::/3 regel :( -------------------------------------------------- - improve flush: Subject: Re: uruk Re: iptables leegflikkeren: lelijk maar robuust Wessel Dankers In-Reply-To: <20110114092236.GA14988@dijkstra.uvt.nl> > Op Fri 14 Jan 2011 om 10:17:10 +0100 schreef Wessel Dankers: > > iptables-save | > > sed -rn 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p' | > > iptables-restore - gebruik voor net_foo strings als privnet-10 privnet-0 privnet-172 - 29 15:16 < fvos> joostvb: misschien kan het al, maar op de eee wil ik dat het ook kan werken als er per verbinding een ander ip-adres is za 29 15:18 < fvos> checking van de rc-file is er niet, zoals je zelf aangeeft, maar met de xml+xsl-aanvulling van mij kun je de instelling-documenten valideren tegen een xsd en het bestand opdelen in logische bestanden die je met xinclude samenvoegt za 29 19:29 < joostvb> fvos: valideren tegen een xsd: patches welkom :) za 29 19:29 < joostvb> fvos: maar ik denk niet dat ik dat de default ga maken, dat ie dat doet - localhost is 0000:0000:0000:0000:0000:0000:0000:0001 aka Fri 18 10:36 < Fruit> ::1 000:0000:0000:0000:0000:0000:0000:0000/0 is ::/0 s/(^|:)(0+($|:))+/::/ rijen van woorden kun je afkorten tot :: Tnx Wessel http://www.faqs.org/rfcs/rfc3330.html - Suggested by Casper Gielen: enable broadcast/multicast filtering for IPv6 Carefull, this part is very different from IPv4. IPv6 does not support broadcast (at all) while support for multicast is mandatory. Do not block without a proper understanding of what you are blocking. Very likely needs to get implemented in script/uruk.in near "# Don't answer broadcast and multicast packets" ----------------------------------------------------- RSN: write urukconfig : generate uruk rc file based upon currently offered network services. all services will be available for _all_ IPs (or perhaps just local network?) Packages could run this to generate a first rc file. 
----------------------------------- - use ip{,6}tables-apply by Martin Krafft: safe testing of new rules on remote host. - get rid of duplicated code in init-script: if test "$found_active" -a "$found_inactive"; then eval found_$rule=1 - dpkg --remove uruk does not remove symlinks in /etc/rcS.d/; init-script fails hard if binary gone. - dpkg --purge uruk does not remove /var/lib/uruk/iptables/active. - "status" is borken in case IPv6 is enabled (found on yosida): root@yosida:~# invoke-rc.d uruk start Saving IPv4 uruk rules as active ruleset. Loading iptables ruleset: load "active". Starting uruk (iptables) Saving IPv6 uruk rules as active ruleset. Loading ip6tables ruleset: load "active". Starting uruk (ip6tables) root@yosida:~# /etc/init.d/uruk status * Checking uruk (iptables): both active and inactive rulesets present, but active ruleset not loaded * Checking uruk (ip6tables): both active and inactive rulesets present, but active ruleset not loaded - "start" when uruk is running flushes and reloads current active ruleset. Should it do this? Or should it rather be a no-op? check lsb. - add a "dump-status" option to init-script: dump details about status, keep tmpfiles. usefull for debugging. - /etc/init.d/uruk flush does not flush nat nor mangle table. This means force-reload breaks when these tables are in use. See comment near initd_flush. Fix this, and accept the introduced cruft. Tnx Wessel. - Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for obsolete syntax ----------------- end of candidates for some upcoming release ------------- ----------------- stuff which just might happen one day ------------------- - improve documentation on usage with non-fixed IPs, refer to /etc/network/if-up.d/uruk. - using names of interfaces in names of variables is dumb. the characters @ : . occur in interface names, but are not allowed in variable names. E.g. 
eth0.54@eth0 and vif6.0 and eth0:3 - use functions log_daemon_msg log_end_msg log_action_msg in init-script, see e.g. firehol init script - Thu 20 23:13 < fvos> joostvb: ik zou de huidige rc graag gesplitst zien in meerdere losse bestanden, bijvoorbeeld 'networks', 'sources' en zo. Daardoor kunnen de entries in die bestanden ook eenvoudiger namen hebben en is misschien kwaliteitscontrole op missende verwijzingen ook eenvoudiger. Fri 21 05:37 < joostvb> fvos: een syntax-checker zou inderdaad wel handig zijn ja - Phase out support for rc_e - Debian package: S40uruk could better be S41uruk: explicitly start after networking (which is S40networking). - We setup firewall rules only _after_ the network interfaces are configured. This is dumb: we are vulnerable for bugs in the kernel's IP stack. One solution for this: Create an /etc/init.d/uruk-pre script, which is run as early as possible, and _before_ network interfaces are configured. It should disable all networktraffic (except for traffic on loopbackinterface). Only later, networkinterfaces are configured, /etc/init.d/uruk is run and networkservices are started. (N.B.: so even with the current setup we _do_ protect our services). - In uruk-rc manpage, include example rc-file verbatim. - Create "upload" target in /Makefile.am - Improve examples in documentation: joostvb: ik geloof dat ":" een leuke shorthand is voor "alle poorten" - Fix bugs in uruk script: (force-)reload should do something sane when uruk not running. - Check documentation: uruk-rc manpage needs more stuff. - Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools can use the same rc file format. We'd also have to make sure init-script works on non-LSB-systems, then. - Reimplement uruk-save: make it more robust. See http://www.faqs.org/docs/iptables/iptables-save.html for example of file format. Use logic from iptables-save.c. 
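- Think about alternative for uruk-save: create a chain, and enable it once it's fully build by doing just one iptables call. This would allow truly atomical loading of new rulesets.
- Is it sane to allow all traffic in default inactive rule?
- Check save_counters support in init script. It's likely broken.
- Date: Wed, 9 Feb 2005 15:09:16 +0100 Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl> Herken broadcasts (misschien aan destination MAC-adres?) en log ze niet.
  . alternative implementation: near code-snippet:
    # supporting this for multiple-ips would need multiple chains
    # or, perhaps, some iptables extension.
    This log-spamming happens only in multiple-ip-per-nic mode. Do DROP stuff just before log, would that work? (No, we really can't do something like "--dest !(ip1 or ip2 or ip3)".)
  . yet to implement: loglevel "high". Document multiple ip per nic logspamming bug.

# this file maintained at http://git.mdcc.cx/uruk.git
uruk-20160219/install-sh0000755000175000017500000003546312657715017011721 00000000000000
#!/bin/sh
# install - install a program, script, or datafile

scriptversion=2014-09-12.12; # UTC

# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.

tab='	'
nl='
'
IFS=" $tab$nl"

# Set DOITPROG to "echo" to test this script.

doit=${DOITPROG-}
doit_exec=${doit:-exec}

# Put in absolute file names if you don't have them in your path;
# or use environment vars.

chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}

posix_mkdir=

# Desired mode of installed file.
mode=0755

chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=

src=
dst=
dir_arg=
dst_arg=

copy_on_change=false
is_target_a_directory=possibly

usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
   or: $0 [OPTION]... SRCFILES... DIRECTORY
   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
   or: $0 [OPTION]... -d DIRECTORIES...

In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.

Options:
     --help     display this help and exit.
     --version  display version info and exit.

  -c            (ignored)
  -C            install only if different (preserve the last data modification time)
  -d            create directories instead of installing files.
  -g GROUP      $chgrpprog installed files to GROUP.
  -m MODE       $chmodprog installed files to MODE.
  -o USER       $chownprog installed files to USER.
  -s            $stripprog installed files.
  -t DIRECTORY  install into DIRECTORY.
  -T            report an error if DSTFILE is a directory.

Environment variables override the default commands:
  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
  RMPROG STRIPPROG
"

while test $# -ne 0; do
  case $1 in
    -c) ;;

    -C) copy_on_change=true;;

    -d) dir_arg=true;;

    -g) chgrpcmd="$chgrpprog $2"
        shift;;

    --help) echo "$usage"; exit $?;;

    -m) mode=$2
        # Reject modes containing whitespace or glob characters: $mode is
        # later expanded unquoted on chmod/mkdir command lines.
        case $mode in
          *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
            echo "$0: invalid mode: $mode" >&2
            exit 1;;
        esac
        shift;;

    -o) chowncmd="$chownprog $2"
        shift;;

    -s) stripcmd=$stripprog;;

    -t)
        is_target_a_directory=always
        dst_arg=$2
        # Protect names problematic for 'test' and other utilities.
        case $dst_arg in
          -* | [=\(\)!]) dst_arg=./$dst_arg;;
        esac
        shift;;

    -T) is_target_a_directory=never;;

    --version) echo "$0 $scriptversion"; exit $?;;

    --) shift
        break;;

    -*) echo "$0: invalid option: $1" >&2
        exit 1;;

    *)  break;;
  esac
  shift
done

# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.

if test -n "$dir_arg"; then
  if test -n "$dst_arg"; then
    echo "$0: target directory not allowed when installing a directory." >&2
    exit 1
  fi
fi

if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
  # When -d is used, all remaining arguments are directories to create.
  # When -t is used, the destination is already specified.
  # Otherwise, the last argument is the destination.  Remove it from $@.
  for arg
  do
    if test -n "$dst_arg"; then
      # $@ is not empty: it contains at least $arg.
      set fnord "$@" "$dst_arg"
      shift # fnord
    fi
    shift # arg
    dst_arg=$arg
    # Protect names problematic for 'test' and other utilities.
    case $dst_arg in
      -* | [=\(\)!]) dst_arg=./$dst_arg;;
    esac
  done
fi

if test $# -eq 0; then
  if test -z "$dir_arg"; then
    echo "$0: no input file specified." >&2
    exit 1
  fi
  # It's OK to call 'install-sh -d' without argument.
  # This can happen when creating conditional directories.
  exit 0
fi

if test -z "$dir_arg"; then
  if test $# -gt 1 || test "$is_target_a_directory" = always; then
    if test ! -d "$dst_arg"; then
      echo "$0: $dst_arg: Is not a directory." >&2
      exit 1
    fi
  fi
fi

if test -z "$dir_arg"; then
  do_exit='(exit $ret); exit $ret'
  trap "ret=129; $do_exit" 1
  trap "ret=130; $do_exit" 2
  trap "ret=141; $do_exit" 13
  trap "ret=143; $do_exit" 15

  # Set umask so as not to create temps with too-generous modes.
  # However, 'strip' requires both read and write access to temps.
  case $mode in
    # Optimize common cases.
    *644) cp_umask=133;;
    *755) cp_umask=22;;

    *[0-7])
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw='% 200'
      fi
      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
    *)
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw=,u+rw
      fi
      cp_umask=$mode$u_plus_rw;;
  esac
fi

for src
do
  # Protect names problematic for 'test' and other utilities.
  case $src in
    -* | [=\(\)!]) src=./$src;;
  esac

  if test -n "$dir_arg"; then
    dst=$src
    dstdir=$dst
    test -d "$dstdir"
    dstdir_status=$?
  else

    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
    # might cause directories to be created, which would be especially bad
    # if $src (and thus $dsttmp) contains '*'.
    if test ! -f "$src" && test ! -d "$src"; then
      echo "$0: $src does not exist." >&2
      exit 1
    fi

    if test -z "$dst_arg"; then
      echo "$0: no destination specified." >&2
      exit 1
    fi
    dst=$dst_arg

    # If destination is a directory, append the input filename; won't work
    # if double slashes aren't ignored.
    if test -d "$dst"; then
      if test "$is_target_a_directory" = never; then
        echo "$0: $dst_arg: Is a directory" >&2
        exit 1
      fi
      dstdir=$dst
      dst=$dstdir/`basename "$src"`
      dstdir_status=0
    else
      dstdir=`dirname "$dst"`
      test -d "$dstdir"
      dstdir_status=$?
    fi
  fi

  obsolete_mkdir_used=false

  if test $dstdir_status != 0; then
    case $posix_mkdir in
      '')
        # Create intermediate dirs using mode 755 as modified by the umask.
        # This is like FreeBSD 'install' as of 1997-10-28.
        umask=`umask`
        case $stripcmd.$umask in
          # Optimize common cases.
          *[2367][2367]) mkdir_umask=$umask;;
          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;

          *[0-7])
            mkdir_umask=`expr $umask + 22 \
              - $umask % 100 % 40 + $umask % 20 \
              - $umask % 10 % 4 + $umask % 2
            `;;
          *) mkdir_umask=$umask,go-w;;
        esac

        # With -d, create the new directory with the user-specified mode.
        # Otherwise, rely on $mkdir_umask.
        if test -n "$dir_arg"; then
          mkdir_mode=-m$mode
        else
          mkdir_mode=
        fi

        posix_mkdir=false
        case $umask in
          *[123567][0-7][0-7])
            # POSIX mkdir -p sets u+wx bits regardless of umask, which
            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
            ;;
          *)
            # $RANDOM is not portable (e.g. dash); use it when possible to
            # lower collision chance
            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0

            # As "mkdir -p" follows symlinks and we work in /tmp possibly; so
            # create the $tmpdir first (and fail if unsuccessful) to make sure
            # that nobody tries to guess the $tmpdir name.
            if (umask $mkdir_umask &&
                $mkdirprog $mkdir_mode "$tmpdir" &&
                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
            then
              if test -z "$dir_arg" || {
                   # Check for POSIX incompatibilities with -m.
                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
                   # other-writable bit of parent directory when it shouldn't.
                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
                   test_tmpdir="$tmpdir/a"
                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
                   case $ls_ld_tmpdir in
                     d????-?r-*) different_mode=700;;
                     d????-?--*) different_mode=755;;
                     *) false;;
                   esac &&
                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
                   }
                 }
              then posix_mkdir=:
              fi
              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
            else
              # Remove any dirs left behind by ancient mkdir implementations.
              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
            fi
            trap '' 0;;
        esac;;
    esac

    if
      $posix_mkdir && (
        umask $mkdir_umask &&
        $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
      )
    then :
    else

      # The umask is ridiculous, or mkdir does not conform to POSIX,
      # or it failed possibly due to a race condition.  Create the
      # directory the slow way, step by step, checking for races as we go.

      case $dstdir in
        /*) prefix='/';;
        [-=\(\)!]*) prefix='./';;
        *)  prefix='';;
      esac

      oIFS=$IFS
      IFS=/
      set -f
      set fnord $dstdir
      shift
      set +f
      IFS=$oIFS

      prefixes=

      for d
      do
        test X"$d" = X && continue

        prefix=$prefix$d
        if test -d "$prefix"; then
          prefixes=
        else
          if $posix_mkdir; then
            # Run the umask command here, as the other two mkdir calls do.
            # The former 'umask=$mkdir_umask' only assigned a shell variable,
            # so this mkdir ran under the caller's umask and could leave the
            # new directories group- or other-writable.
            (umask $mkdir_umask &&
             $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
            # Don't fail if two instances are running concurrently.
            test -d "$prefix" || exit 1
          else
            # Single-quote each prefix (escaping embedded quotes) because
            # $prefixes is passed through eval below.
            case $prefix in
              *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
              *) qprefix=$prefix;;
            esac
            prefixes="$prefixes '$qprefix'"
          fi
        fi
        prefix=$prefix/
      done

      if test -n "$prefixes"; then
        # Don't fail if two instances are running concurrently.
        (umask $mkdir_umask &&
         eval "\$doit_exec \$mkdirprog $prefixes") ||
          test -d "$dstdir" || exit 1
        obsolete_mkdir_used=true
      fi
    fi
  fi

  if test -n "$dir_arg"; then
    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
  else

    # Make a couple of temp file names in the proper directory.
    # NOTE(review): these names are predictable (PID-based) and live in the
    # destination directory; presumably that directory is writable only by
    # the installing user -- confirm before installing into a directory
    # that other users can write to.
    dsttmp=$dstdir/_inst.$$_
    rmtmp=$dstdir/_rm.$$_

    # Trap to clean up those temp files at exit.
    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0

    # Copy the file name to the temp name.
    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&

    # and set any options; do chmod last to preserve setuid bits.
    #
    # If any of these fail, we abort the whole thing.  If we want to
    # ignore errors from any of these, just make sure not to ignore
    # errors from the above "$doit $cpprog $src $dsttmp" command.
    #
    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&

    # If -C, don't bother to copy if it wouldn't change the file.
    if $copy_on_change &&
       old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
       new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
       set -f &&
       set X $old && old=:$2:$4:$5:$6 &&
       set X $new && new=:$2:$4:$5:$6 &&
       set +f &&
       test "$old" = "$new" &&
       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
    then
      rm -f "$dsttmp"
    else
      # Rename the file to the real destination.
      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||

      # The rename failed, perhaps because mv can't rename something else
      # to itself, or perhaps because mv is so ancient that it does not
      # support -f.
      {
        # Now remove or move aside any old file at destination location.
        # We try this two ways since rm can't unlink itself on some
        # systems and the destination file might be busy for other
        # reasons.  In this case, the final cleanup might fail but the new
        # file should still install successfully.
        {
          test ! -f "$dst" ||
          $doit $rmcmd -f "$dst" 2>/dev/null ||
          { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
          } ||
          { echo "$0: cannot unlink or rename $dst" >&2
            (exit 1); exit 1
          }
        } &&

        # Now rename the file to the real destination.
        $doit $mvcmd "$dsttmp" "$dst"
      }
    fi || exit 1

    trap '' 0
  fi
done

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
uruk-20160219/missing0000755000175000017500000001533012657715017011303 00000000000000
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.

scriptversion=2013-10-28.13; # UTC

# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard , 1996.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

if test $# -eq 0; then
  echo 1>&2 "Try '$0 --help' for more information"
  exit 1
fi

case $1 in

  --is-lightweight)
    # Used by our autoconf macros to check whether the available missing
    # script is modern enough.
    exit 0
    ;;

  --run)
    # Back-compat with the calling convention used by older automake.
    shift
    ;;

  -h|--h|--he|--hel|--help)
    echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.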
Options:
  -h, --help display this help and exit
  -v, --version output version information and exit

Supported PROGRAM values:
  aclocal autoconf autoheader autom4te automake makeinfo
  bison yacc flex lex help2man

Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.

Send bug reports to ."
    exit $?
    ;;

  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
    echo "missing $scriptversion (GNU Automake)"
    exit $?
    ;;

  -*)
    echo 1>&2 "$0: unknown '$1' option"
    echo 1>&2 "Try '$0 --help' for more information"
    exit 1
    ;;

esac

# Run the given program, remember its exit status.
"$@"; st=$?

# If it succeeded, we are done.
test $st -eq 0 && exit 0

# Also exit now if it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac

# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
  msg="probably too old"
elif test $st -eq 127; then
  # Program was missing.
  msg="missing on your system"
else
  # Program was found and executed, but failed. Give up.
  exit $st
fi

perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software

# program_details PROGRAM
# Print which GNU package PROGRAM belongs to and what that package needs
# in order to run, with the matching URLs.  Only the Automake and Autoconf
# program names are handled; any other name prints nothing.
# Reads the globals gnu_software_URL and perl_URL.
program_details ()
{
  case $1 in
    aclocal|automake)
      echo "The '$1' program is part of the GNU Automake package:"
      echo "<$gnu_software_URL/automake>"
      echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
      echo "<$gnu_software_URL/autoconf>"
      echo "<$gnu_software_URL/m4/>"
      echo "<$perl_URL>"
      ;;
    autoconf|autom4te|autoheader)
      echo "The '$1' program is part of the GNU Autoconf package:"
      echo "<$gnu_software_URL/autoconf/>"
      echo "It also requires GNU m4 and Perl in order to run:"
      echo "<$gnu_software_URL/m4/>"
      echo "<$perl_URL>"
      ;;
  esac
}

# give_advice PROGRAM
# Print, on stdout, a message saying that PROGRAM is $msg (set above from
# the exit status) followed by advice on when the program is needed and
# where to get it.  The caller below adds the "WARNING: " prefix and sends
# the text to stderr.
give_advice ()
{
  # Normalize program name to check for.
  # Each 't' has no label, so it ends the sed script as soon as one of the
  # prefixes has been stripped; the line breaks inside the script matter.
  normalized_program=`echo "$1" | sed '
    s/^gnu-//; t
    s/^gnu//; t
    s/^g//; t'`

  printf '%s\n' "'$1' is $msg."

  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
  case $normalized_program in
    autoconf*)
      echo "You should only need it if you modified 'configure.ac',"
      echo "or m4 files included by it."
      program_details 'autoconf'
      ;;
    autoheader*)
      echo "You should only need it if you modified 'acconfig.h' or"
      echo "$configure_deps."
      program_details 'autoheader'
      ;;
    automake*)
      echo "You should only need it if you modified 'Makefile.am' or"
      echo "$configure_deps."
      program_details 'automake'
      ;;
    aclocal*)
      echo "You should only need it if you modified 'acinclude.m4' or"
      echo "$configure_deps."
      program_details 'aclocal'
      ;;
    autom4te*)
      echo "You might have modified some maintainer files that require"
      echo "the 'autom4te' program to be rebuilt."
      program_details 'autom4te'
      ;;
    bison*|yacc*)
      echo "You should only need it if you modified a '.y' file."
      echo "You may want to install the GNU Bison package:"
      echo "<$gnu_software_URL/bison/>"
      ;;
    lex*|flex*)
      echo "You should only need it if you modified a '.l' file."
      echo "You may want to install the Fast Lexical Analyzer package:"
      echo "<$flex_URL>"
      ;;
    help2man*)
      echo "You should only need it if you modified a dependency" \
           "of a man page."
      echo "You may want to install the GNU Help2man package:"
      echo "<$gnu_software_URL/help2man/>"
      ;;
    makeinfo*)
      echo "You should only need it if you modified a '.texi' file, or"
      echo "any other file indirectly affecting the aspect of the manual."
      echo "You might want to install the Texinfo package:"
      echo "<$gnu_software_URL/texinfo/>"
      echo "The spurious makeinfo call might also be the consequence of"
      echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
      echo "want to install GNU make:"
      echo "<$gnu_software_URL/make/>"
      ;;
    *)
      echo "You might have modified some files without having the proper"
      echo "tools for further handling them. Check the 'README' file, it"
      echo "often tells you about the needed prerequisites for installing"
      echo "this package. You may also peek at any GNU archive site, in"
      echo "case some other package contains this missing '$1' program."
      ;;
  esac
}

give_advice "$1" | sed -e '1s/^/WARNING: /' \
                       -e '2,$s/^/ /' >&2

# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
uruk-20160219/bootstrap0000755000175000017500000000222212661605702011635 00000000000000
#!/bin/sh -e
# NOTE(review): -e is given only on the #! line, so it is not in effect
# when this file is started as 'sh bootstrap' instead of './bootstrap'.

# this file maintained at http://git.mdcc.cx/uruk.git

# bootstrap - script to bootstrap the distribution rolling engine

# usage:
# ./bootstrap && ./configure && make distcheck
#
# this yields a tarball which one can install doing
#
# $ tar zxf PACKAGENAME-*.tar.gz
# $ cd PACKAGENAME-*
# $ ./configure
# $ make
# # make install

# requirements:
# GNU autoconf, from e.g. ftp.gnu.org:/pub/gnu/autoconf/autoconf-2.50.tar.gz
# GNU automake, from e.g. ftp.cygnus.com:/pub/tromey
# git2cl, from e.g. http://josefsson.org/git2cl/, and git

# Trace every command as it runs.
set -x

# Generate ChangeLog from the git history only when it does not exist yet.
# NOTE(review): only the exit status of the last pipeline stage (sed) is
# checked, so a failing 'git log' or git2cl can still leave an empty or
# partial ChangeLog behind, and later runs skip this step because the file
# then exists.
test -f ChangeLog || {
    # we want no unprotected emailadresses in the cl
    git log --pretty --numstat --summary | git2cl | \
        sed 's/<[jc][^>][^>]*>//g' >ChangeLog
}

# Create the version stamp files unless VERSION.m4 is already there.
test -f VERSION.m4 || ./setversion

# Override automake 1.9 default: automake1.9 version 1.9.6+nogfdl-3
# creates symlink to /usr/share/automake-1.9/COPYING which is GPL v2.
# We want v3.
test -f COPYING || { ln -s /usr/share/common-licenses/GPL-3 COPYING } AUTOMAKE=automake-1.15 ACLOCAL=aclocal-1.15 autoreconf --install \ --symlink --make # aclocal \ # && automake --add-missing --verbose --gnu \ # && autoconf uruk-20160219/ChangeLog.20030000644000175000017500000002717711712513436012045 000000000000002004-09-10 09:00 joostvb * script/uruk.in: ouch, _lots_ of RFCs talk about ICMP... 2004-09-10 08:39 joostvb * script/uruk.in: comment about icmp types updated 2004-08-18 09:02 joostvb * README: bible quote about uruk added to trivia section 2004-07-03 19:15 joostvb * TODO.local: obsolete by now 2004-06-25 10:34 joostvb * NEWS: release 20040625: this is a prerelease 2004-06-25 10:08 joostvb * man/uruk-rc.azm: fix bug in example for multiple-ip-per-nic setup 2004-03-18 17:40 joostvb * man/uruk.azm: added note about default FORWARD policy. Thanks Wessel Dankers 2004-03-11 10:02 joostvb * bootstrap, configure.ac: use AC_DEFINE_DIR as shipped with autoconf-archive; do not fork 2004-02-17 16:41 joostvb * script/uruk.in: added comment: we should deal more sane with dropping private and thus probably spoofed packets in multiple-ip mode 2004-02-17 15:42 joostvb * script/uruk.in: revert back to dropping input packets with destination other than our IP 2004-02-17 13:09 joostvb * script/uruk.in: uruk failed in multiple IP-per-nic mode. workaround enabled: be less strict on possibly spoofed packets 2004-02-17 11:10 joostvb * man/uruk-rc.azm: added note on debugging as non-priviliged user 2004-02-16 14:37 joostvb * NEWS: release 20040216 2004-02-16 14:29 joostvb * init/uruk.in: uruk init script now has some chkconfig stuff in, to easy maintenance for people on systems using this init system (red hat, e.g.) 
2004-02-16 14:28 joostvb * script/uruk.in: fixed some pretty fatal typos 2004-02-13 17:03 joostvb * NEWS: release 20040213 2004-02-13 17:01 joostvb * NEWS, TODO, man/uruk-rc.azm: documented multiple IP-per-nic setup 2004-02-13 17:01 joostvb * script/uruk.in: handle dropping broadcasts in multiple-ip-per nic setup 2004-02-10 18:08 joostvb * Makefile.am, configure.ac, doc/Makefile.am, doc/rc, init/Makefile.am, init/uruk.in, man/Makefile.am, man/include.zmm.in, man/uruk-rc.azm, man/uruk.azm, script/Makefile.am: update copyright statements: 2004 2004-02-10 18:08 joostvb * TODO: documented plan on how to get multiple-IP-per-interface support 2004-02-10 18:01 joostvb * script/uruk.in: first shot at allowing more than one IP assigned to one physical NIC 2004-02-10 14:54 joostvb * NEWS, TODO: release 20040210 2004-02-10 14:53 joostvb * NEWS, man/uruk.azm: warn users 2004-02-10 14:45 joostvb * init/uruk.in: be more helpful in case of errors 2004-01-16 16:40 joostvb * man/uruk.azm: updated manpage to reflect new icmp policy 2004-01-16 16:33 joostvb * script/uruk.in: allow more icmp stuff, as suggested by Wessel Dankers 2004-01-06 13:43 joostvb * TODO.local: moving to savannah 2003-11-28 13:30 joostvb * script/uruk.in: peek sheet added 2003-11-13 12:46 joostvb * script/uruk.in: shell code cleanup 2003-11-11 13:40 joostvb * NEWS: release 20031111 2003-11-11 13:38 joostvb * script/uruk.in: finetuning of dealing with packets with bogus dest/source addresses 2003-11-11 13:12 joostvb * man/Makefile.am: handle non-ascii stuff slightly better 2003-11-11 12:02 joostvb * README: notes on upgrading 2003-11-11 11:58 joostvb * TODO, script/uruk.in: no longer use block chain, replace rc_ by rc_, dont keep state for lo traffic 2003-11-11 11:56 joostvb * man/: uruk-rc.azm, uruk.azm: no longer use block chain, replace rc_ by rc_ 2003-10-27 17:20 joostvb * README, man/uruk.azm: minor improvements 2003-10-26 16:41 joostvb * NEWS: release 20031026 2003-10-26 16:28 joostvb * init/uruk.in: fixed 
bug: /etc/init.d/uruk stop did NOT load inactive ruleset. now it does. 2003-10-26 13:04 joostvb * man/: uruk-rc.azm, uruk.azm: documented default policy, gave some hello-world-style rc examples 2003-10-08 22:05 joostvb * TODO, man/include.zmm.in: preparing centered header in manpage, awaiting zoem release 2003-10-08 21:32 joostvb * Makefile.am: fix small bug in version handling 2003-10-08 20:43 joostvb * NEWS: release 20031008 2003-10-08 20:38 joostvb * man/: include.zmm.in, uruk.azm: zoem syntax finetuning 2003-10-08 20:35 joostvb * man/uruk-rc.azm: added some notes about rc_ hooks 2003-10-05 20:33 joostvb * configure.ac, man/.cvsignore, man/uruk-rc.azm, man/uruk-rc.azm.in, man/uruk.azm, man/uruk.azm.in: move zoem defines to single file: cleanup 2003-10-05 20:24 joostvb * init/uruk.in: act sanely when var/lib/uruk directory not yet present on system 2003-10-05 20:19 joostvb * init/uruk.in: init script acts sanely when present on systems with borken uruk setup 2003-10-05 18:31 joostvb * TODO: another wishlist bug 2003-10-05 16:03 joostvb * TODO: wishlist bug added 2003-10-05 16:03 joostvb * doc/rc, script/uruk.in: added copyright statement 2003-10-04 22:26 joostvb * NEWS: release 20031004 2003-10-04 22:24 joostvb * TODO: found a BUG 2003-10-04 22:24 joostvb * doc/rc, man/uruk-rc.azm.in, man/uruk.azm.in: documentation updated and improved 2003-10-04 22:20 joostvb * README: more notes on zoem 2003-10-04 18:06 joostvb * README, configure.ac, man/Makefile.am: we build-depend on zoem (and groff and col) now. 
check wether these programs are available 2003-10-04 17:30 joostvb * configure.ac, man/uruk-rc.azm, man/uruk-rc.azm.in: expand pathnames in uruk-rc manpage 2003-10-04 17:24 joostvb * configure.ac, init/.cvsignore, init/uruk.in, man/.cvsignore, man/uruk.azm, man/uruk.azm.in, script/uruk.in: use hacked AC_DEFINE_DIR from autoconf macro archive, for flexible expansion of pathnames in scripts and docs 2003-10-04 14:20 joostvb * README, configure.ac, init/uruk, init/uruk.in, man/uruk.azm: sane default statedir for init script 2003-10-04 13:59 joostvb * AUTHORS, Makefile.am, NEWS, README, TODO, configure.ac, init/.cvsignore, init/Makefile.am, man/uruk.azm: integrated init script in build environement, started documenting usage of init script 2003-10-04 12:29 joostvb * init/uruk: changed default autosave behaviour 2003-10-04 12:25 joostvb * init/uruk: added copyright statement 2003-10-04 12:13 joostvb * init/uruk: /usr/share/doc/iptables/examples/oldinitdscript.gz as shipped with Debian iptables 1.2.8-4, used to be used as /etc/init.d/iptables 2003-10-04 11:55 joostvb * man/: Makefile.am, uruk.azm: next step in converting from pod to zoem syntax 2003-10-04 11:29 joostvb * man/Makefile.am, script/Makefile.am: renamed ad1810-firewall script to uruk, renamed manpages 2003-10-04 11:24 joostvb * .cvsignore, AUTHORS, NEWS, README, THANKS, TODO, configure.ac, doc/rc, man/include.zmm, man/uruk-rc.azm, man/uruk.azm, script/.cvsignore: changed name from ad1810-firewall to uruk 2003-10-04 10:54 joostvb * README, man/uruk.azm: more pointers to alternative tools 2003-09-04 11:54 joostvb * man/uruk.azm: ifupdown integration 2003-09-04 11:34 joostvb * man/uruk.azm: warning for deprecated Debian integration added 2003-09-04 11:31 joostvb * man/: ad1810-firewall.pod, uruk.azm: first shot at converting to zoem 2003-08-29 16:43 joostvb * NEWS: release 20030829 2003-08-29 16:33 joostvb * Makefile.am, man/Makefile.am, man/include.zmm, man/uruk-rc.azm: zoem finetuning 2003-08-29 16:19 joostvb 
* configure.ac, man/ad1810-firewall.pod, man/uruk-rc.azm: new author email adress 2003-08-29 16:15 joostvb * man/ad1810-firewall-rc.pod: ad1810-firewall-rc zoemized 2003-08-29 16:12 joostvb * setversion, man/include.zmm, man/uruk-rc.azm: autozoemization 2003-08-29 15:50 joostvb * TODO: bugreport by Wessel Dankers 2003-08-29 15:41 joostvb * doc/rc: fixed inconsistencies, improved documentation. Tnx Fruit 2003-08-24 13:56 joostvb * script/uruk.in: minor tweak 2003-08-14 10:51 joostvb * man/Makefile.am: migrating to zoem manpages sources, phase 2 2003-08-14 10:35 joostvb * script/uruk.in: more robust by better quoting, tnx Fruit 2003-06-01 14:39 joostvb * script/uruk.in: enable injecting homebrew rules and scripts 2003-05-28 11:41 joostvb * man/ad1810-firewall.pod: more notes on debian iptables package 2003-05-25 17:41 joostvb * man/ad1810-firewall.pod: added extra note on working with Debian iptables package 2003-05-25 17:14 joostvb * doc/rc: even more explicit 2003-05-12 13:57 joostvb * script/uruk.in: fixed new sources_ usage bug 2003-05-12 13:06 joostvb * NEWS: release 20030512 2003-05-12 13:04 joostvb * man/uruk-rc.azm: zoem-ized manpage 2003-05-11 14:31 joostvb * man/Makefile.am: trying out zoem. 
its _FAST_ 2003-05-06 19:01 joostvb * NEWS, doc/rc, script/uruk.in: more flex 2003-04-27 16:44 joostvb * TODO, configure.ac, setversion: fixed autoversion stuff, tnx Raja R Harinath 2003-04-27 16:11 joostvb * NEWS: version v20030427 released 2003-04-27 16:06 joostvb * TODO: added referer to post to autoconf list: version numbering generating issues 2003-04-27 16:04 joostvb * bootstrap: bugfix in ChangeLog generating code 2003-04-27 16:04 joostvb * README: moved some stuff from ad1810-firewall manpage to README 2003-04-27 16:02 joostvb * man/Makefile.am: fixed bug in manpage section numbering 2003-04-27 16:01 joostvb * man/ad1810-firewall.pod: getting started notes added 2003-04-27 16:00 joostvb * Makefile.am, configure.ac, script/Makefile.am, script/uruk.in: rc file location now depends on sysconfdir, as set during configure 2003-04-27 14:24 joostvb * script/: ad1810-firewall, uruk.in: rc file location now depends on sysconfdir 2003-04-26 19:35 joostvb * Makefile.am, bootstrap, configure.ac, setversion: compatibility: created old-style VERSION file 2003-04-26 19:28 joostvb * NEWS, README, TODO, doc/.cvsignore: some loose ends remain... 
2003-04-26 19:24 joostvb * doc/: Makefile.am, rc: separate example rc file 2003-04-26 19:23 joostvb * Makefile.am, THANKS, TODO, configure.ac, man/Makefile.am, man/ad1810-firewall-rc.pod, man/ad1810-firewall.pod, script/Makefile.am: moved example to doc/examples/rc, moved script to sbin 2003-04-26 18:54 joostvb * AUTHORS, README, TODO, configure.ac, man/Makefile.am, man/ad1810-firewall.pod, script/Makefile.am: generate manpages in html format too 2003-04-26 18:39 joostvb * Makefile.am, README, configure.ac, setversion, man/Makefile.am, man/ad1810-firewall-rc.pod, man/ad1810-firewall.pod, script/Makefile, script/Makefile.am, script/ad1810-firewall: separated manpages, set up manpage for rc file format 2003-04-26 17:48 joostvb * configure.ac: autoconf 2.53 is fine too: we can use the Debian woody devel environment 2003-04-26 17:33 joostvb * script/Makefile.am: autoconfiscated 2003-04-26 17:32 joostvb * Makefile.am, configure.ac, setversion: automatic release version number generating 2003-04-26 11:04 joostvb * AUTHORS, Makefile.am, NEWS, README, THANKS, TODO, bootstrap, configure.ac, setversion: autotoolized 2003-03-28 13:02 joostvb * script/ad1810-firewall: Corno Vromas said: yes, open source is ok (fr mar 28, 2003, 13:00, UvT kantine) 2003-03-27 22:08 joostvb * script/ad1810-firewall: no longer in debug mode 2003-03-27 21:41 joostvb * script/ad1810-firewall: more comments 2003-03-27 19:37 joostvb * include/install.mk: hibou uses it too 2003-03-27 18:51 joostvb * include/install.mk: casparized 2003-03-27 18:50 joostvb * script/ad1810-firewall: comments, syntax 2003-03-27 12:34 joostvb * script/firewall: renamed 2003-03-27 12:34 joostvb * script/ad1810-firewall: enable config sourcing 2003-03-27 12:30 joostvb * script/firewall: support for public vs private interfaces 2003-03-27 12:07 joostvb * script/firewall: from cvs/perlharbor/syst_netw/systems/unique/bolzano/usr/local/sbin uruk-20160219/setversion0000755000175000017500000000120711712513436012021 00000000000000# 
this file maintained at http://git.mdcc.cx/uruk.git # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. # thanks Raja R Harinath, see the post # Subject: Re: how to automatically generate package version, calling AC_INIT # From: Raja R Harinath # Date: Sun, 27 Apr 2003 09:33:02 -0500 # Message-ID: # on autoconf@gnu.org echo 'm4_define([AD1_VERSION], ['`date +%Y%m%d`'])' > VERSION.m4 # compatibility with other ad1810 packages date +%Y%m%d > VERSION # zoem stuff date +%e > stamp.day date +%b > stamp.month date +%Y > stamp.year uruk-20160219/stamp.month0000644000175000017500000000000712661613100012053 00000000000000феб uruk-20160219/stamp.year0000644000175000017500000000000512661613100011664 000000000000002016 uruk-20160219/stamp.day0000644000175000017500000000000312661613100011477 0000000000000019 uruk-20160219/VERSION0000644000175000017500000000001112661613100010723 0000000000000020160219 uruk-20160219/script/0000755000175000017500000000000012661613117011257 500000000000000uruk-20160219/script/Makefile.am0000644000175000017500000000037612436027776013253 00000000000000## Process this file with automake to produce Makefile.in ## this file maintained at http://git.mdcc.cx/uruk.git sbin_SCRIPTS = uruk urukctl uruk-save EXTRA_DIST = $(sbin_SCRIPTS) uruk.in uruk: uruk.in sed 's/@URUK_VERSION@/@PACKAGE_VERSION@/' $< >$@ uruk-20160219/script/Makefile.in0000644000175000017500000003261412661613102013244 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = 
$(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = script ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(sbindir)" SCRIPTS = $(sbin_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ 
docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ sbin_SCRIPTS = uruk urukctl uruk-save EXTRA_DIST = $(sbin_SCRIPTS) uruk.in all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu script/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu script/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-sbinSCRIPTS: $(sbin_SCRIPTS) @$(NORMAL_INSTALL) @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n' \ -e 'h;s|.*|.|' \ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) { files[d] = files[d] " " $$1; \ if (++n[d] == $(am__install_max)) { \ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ else { print "f", d "/" $$4, $$1 } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ } \ ; done uninstall-sbinSCRIPTS: @$(NORMAL_UNINSTALL) @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags 
CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(SCRIPTS) installdirs: for dir in "$(DESTDIR)$(sbindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f 
$(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-sbinSCRIPTS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-sbinSCRIPTS .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-sbinSCRIPTS install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-sbinSCRIPTS .PRECIOUS: Makefile uruk: uruk.in sed 's/@URUK_VERSION@/@PACKAGE_VERSION@/' $< >$@ # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: uruk-20160219/script/uruk0000644000175000017500000005020412661613103012104 00000000000000#! 
/bin/sh # vim:syntax=sh # this file maintained at http://git.mdcc.cx/uruk.git # Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org # Copyright (C) 2003, 2004, 2010 Tilburg University http://www.uvt.nl/ # Copyright (C) 2003, 2004, 2005, 2007, 2010 Joost van Baal # Copyright (C) 2012, 2013 Joost van Baal-Ilić # Copyright © 2014,2015 Wessel Dankers # # This file is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) # any later version. # # This file is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU GPL for more details. # # You should have received a copy of the GNU GPL along with this file, see # e.g. the file named COPYING. If not, see . # # peeksheet: iptables predefined chains: # # - INPUT - - localhost - - OUTPUT - # / \ # PREROUTING - - - - - - - - FORWARD - - - - - - - - POSTROUTING # iptables=${URUK_IPTABLES:-/sbin/iptables} ip6tables=${URUK_IP6TABLES:-/sbin/ip6tables} # Variables used: ip6_<...>, sources6_<...>, ip6tables. interfaces_unprotect=${URUK_INTERFACES_UNPROTECT:-lo} etcdir="/etc/uruk" config=${URUK_CONFIG:-${etcdir}/rc} # IPv4 ranges that should not send or receive packets unless specifically permitted # See RFC 6890. ip4_noroute_ranges='0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3' # IPv6 ranges that should not send or receive packets # see http://www.iana.org/assignments/ipv6-address-space/ # and http://www.iana.org/assignments/ipv6-unicast-address-assignments/ # and RFC 6890. # All IPv6 addresses in their canonical form. 
ip6_noroute_ranges='64:ff9b::/96 ::ffff:0:0/96 100::/64 200::/7 2001:2::/48 2001:db8::/32 2001:10::/28 fc00::/7 fec0::/10 3ffe::/16 5f00::/8 ::1/128 ::/128' uruk_version="20160219" test -r $config || { echo >&2 "No readable rc file $config found. Please create one." && exit 1 } . $config case $version in ?*) case $((version < 20040210)) in 1) cat >&2 <&2 esac if test -f $uruk_save_dir/$table then space= for arg do case $arg in -[a-zA-Z0-9]) echo -n "$space-" echo -n "${arg#-}" ;; *[!a-zA-Z0-9_!+,./:=@-]*) echo -n "$space\"" echo -n "$arg" | sed 's/[\\\"'\'']/\\&/g' echo -n \" ;; *) echo -n "$space$arg" esac space=' ' done >>$uruk_save_dir/$table echo >>$uruk_save_dir/$table else echo "Unknown table '$table'; skipping rule '" -t $table $* "'" >&2 fi } # # bootstrap these rules # # 40 < 60 ( 50) medium: log denied non-broadcasts (default) test -z "$loglevel" && loglevel=50 # # traffic on interfaces_unprotect (lo, per default) is trusted for iface in ${interfaces_unprotect} do $iptables -A INPUT -i $iface -j ACCEPT $iptables -A OUTPUT -o $iface -j ACCEPT $ip6tables -A INPUT -i $iface -j ACCEPT $ip6tables -A OUTPUT -o $iface -j ACCEPT done uruk_hook "$rc_a" if test $loglevel -ge 80 then # 80 < 99 ( 90) fascist: log all packets uruk_log uruk6_log fi $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # workaround bug(?) 
in linux kernel, see also # http://serverfault.com/questions/309691/why-is-our-firewall-ubuntu-8-04-rejecting-the-final-packet-fin-ack-psh-wit # first argument is the flags which we should examine, the second argument is # the flags which must be set $iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK -j ACCEPT $ip6tables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK -j ACCEPT $iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT $ip6tables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT uruk_hook "$rc_b" # # protect interfaces_public agains spoofing # for iface in ${interfaces} do # # don't allow anyone to spoof non-routeable addresses # eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac # set of all addresses on this (physical) interface blockips= blockips6= # set of all permitted "special" nets for this (physical) interface eval "blocknet=\$net_${iface}" eval "blocknet6=\$net6_${iface}" for iface_x in $interfaces_x do eval "ips=\$ip_${iface_x}" eval "ips6_defined=\${ip6_${iface_x}+DEFINED}" case $ips6_defined in '') ips6=$ips ;; *) eval "ips6=\$ip6_${iface_x}" esac eval "net=\$net_${iface_x}" eval "net6=\$net6_${iface_x}" blocknet="$blocknet $net" blocknet6="$blocknet6 $net6" for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range for no_route_ip in $ip4_noroute_ranges do case " $net " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $iptables -A INPUT -i $iface -s $no_route_ip -d $ip -j DROP $iptables -A OUTPUT -o $iface -s $ip -d $no_route_ip -j DROP esac done blockips="$blockips $ip" esac done for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range for no_route_ip in $ip6_noroute_ranges do case " $net $net6 " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $ip6tables -A INPUT -i $iface -s $no_route_ip -d $ip6 -j DROP $ip6tables -A OUTPUT -o $iface -s $ip6 -d $no_route_ip -j DROP 
esac done blockips6="$blockips6 $ip6" esac done done case $blockips in *[!$IFS][$IFS]*[!$IFS]*) # in multiple ip mode, we have to drop only if source is # not _one_ of the nic's IPs # supporting this for multiple ips would need multiple chains # or, perhaps, some iptables extension. # for now, we just block "known bad" addresses for no_route_ip in $ip4_noroute_ranges do case " $blocknet " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $iptables -A INPUT -i $iface -d $no_route_ip -j DROP $iptables -A OUTPUT -o $iface -s $no_route_ip -j DROP esac done ;; *) # block outgoing packets that don't have our address as source, # they are either spoofed or something is misconfigured (NAT disabled, # for instance), we want to be nice and don't send out garbage. for ip in $blockips do # drop all outgoing packets which don't have us as a source $iptables -A OUTPUT -o $iface ! -s "$ip" -j DROP # drop all incoming packets which don't have us as destination $iptables -A INPUT -i $iface ! -d "$ip" -j DROP done esac # in IPv6 we always have a multiple IP mode, because an interface # always has a link-local address as well # in multiple ip mode, we have to drop only if source is # not _one_ of the nic's IPs # supporting this for multiple ips would need multiple chains # or, perhaps, some iptables extension. 
# for now, we just block "known bad" addresses for no_route_ip in $ip6_noroute_ranges do case " $blocknet $blocknet6 " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $ip6tables -A INPUT -i $iface -d $no_route_ip -j DROP $ip6tables -A OUTPUT -o $iface -s $no_route_ip -j DROP esac done # Always allow outgoing connections $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT $ip6tables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT done uruk_hook "$rc_c" # # allow traffic to offered services, from trusted sources # for iface in $interfaces do eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do # tcp is special eval "services_defined=\${services_${iface_x}_tcp+DEFINED}" case $services_defined in '') cat >&2 <&2 <&2 "WARNING: sources_${iface_x}_${proto}_${service} is undefined. (Processing uruk rc file nevertheless.)" esac eval "sources6_defined=\${sources6_${iface_x}_${proto}_${service}+DEFINED}" eval "sources6=\$sources6_${iface_x}_${proto}_${service}" case $sources6_defined in '') eval "sources6=\$sources_${iface_x}_${proto}_${service}" esac eval "ports_defined=\${ports_${iface_x}_${proto}_${service}+DEFINED}" eval "ports=\$ports_${iface_x}_${proto}_${service}" case $ports_defined in '') echo >&2 "WARNING: ports_${iface_x}_${proto}_${service} is undefined. (Processing uruk rc file nevertheless.)" ;; *) for port in $ports do # port is e.g. www or 1023 for source in $sources do case $source in *:*) ;; *) # if it doesn't look like an IPv6 address/range # source is e.g. 
10.56.0.10/32 for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range $iptables \ --append INPUT \ --match conntrack \ --ctstate NEW \ --in-interface $iface \ --protocol $proto \ --source "$source" \ --destination "$ip" \ --destination-port "$port" \ --jump ACCEPT esac done esac done for source6 in $sources6 do case $source6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range $ip6tables \ --append INPUT \ --match conntrack \ --ctstate NEW \ --in-interface $iface \ --protocol $proto \ --source "$source6" \ --destination "$ip6" \ --destination-port "$port" \ --jump ACCEPT esac done esac done done esac done esac done done done uruk_hook "$rc_d" # # rc_e: backwards compatibility. should be removed one day. # uruk_hook "$rc_e" # # Don't answer broadcast and multicast packets # for iface in $interfaces_nocast do eval "is=\$bcasts_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do eval "bcast=\$bcast_${iface_x}" $iptables -A INPUT -i $iface -d "$bcast" -j DROP done $iptables -A INPUT -i $iface -d 255.255.255.255 -j DROP done uruk_hook "$rc_f" # # icmp stuff. See RFC 1122 and also RFC 792, RFC 950, RFC 1812, RFC 1349, # RFC 2474 and Stevens' TCP/IP Illustrated Chapter 6, p 69. # The icmp types are even in %num2icmp_type in Lire::Firewall. # Running "iptables -p icmp -h" gives iptables's idea of icmp types # # # By default, we disallow # # source-quench # redirect ( # network-redirect # host-redirect # TOS-network-redirect # TOS-host-redirect # ) # router-advertisement # router-solicitation # # You might want to allow just # # echo-request echo-reply ttl-zero-during-transit \ # ttl-zero-during-reassembly ip-header-bad required-option-missing # # This makes pings succeed, as well as traceroute. 
However # debugging network problems might be _much_ more difficult when disallowing # lots of other icmp types. If you really want to do this, use rc_g. # for type in \ address-mask-reply \ address-mask-request \ destination-unreachable \ echo-reply \ echo-request \ parameter-problem \ timestamp-reply \ timestamp-request \ ttl-zero-during-reassembly \ ttl-zero-during-transit do $iptables -A INPUT -p icmp --icmp-type $type -j ACCEPT done # Drop echo replies which have a multicast address as a # destination. See rfc4890-icmpv6-firewall.sh. $ip6tables -A INPUT --protocol icmpv6 -d ff00::/8 \ --icmpv6-type echo-reply -j DROP # See http://www.iana.org/assignments/icmpv6-parameters for ICMPv6 types # Or run # ip6tables -p ipv6-icmp -h for type in \ echo-request \ echo-reply \ destination-unreachable \ packet-too-big \ ttl-zero-during-transit \ ttl-zero-during-reassembly \ unknown-header-type \ unknown-option \ bad-header \ redirect \ 144 \ 145 \ 146 \ 147 \ router-solicitation \ router-advertisement \ neighbour-solicitation \ neighbour-advertisement \ 141 \ 142 \ 130 \ 131 \ 132 \ 143 \ 148 \ 149 \ 151 \ 152 \ 153 do $ip6tables -A INPUT --protocol icmpv6 --icmpv6-type $type -j ACCEPT done # Type 144 - Home Agent Address Discovery [RFC3775] # Type 145 - Home Agent Address Discovery [RFC3775] # Type 146 - Mobile Prefix Solicitation [RFC3775] # Type 147 - Mobile Prefix Advertisement [RFC3775] # We DROP, a.o.: # Router renumbering messages: 138 # Node information queries (139) and replies (140): 139 140 # $ip6tables -A INPUT --protocol icmpv6 -j DROP uruk_hook "$rc_g" # # log packets which make it till here: denied packets (not denied broadcasts # or spoofed stuff). take loglevel into account. # if test $loglevel -lt 20 then # be silent : elif test $loglevel -lt 40 then # log denied packets, targetted at our IPs # INVALID: The packet is associated with no known connection. 
See iptables-extensions(8) # may be due to the system running out of memory or ICMP error messages that do not # respond to any known connections. It is helpfull to log these with explicitly # mentioning reason of logging (and dropping). $iptables -A INPUT -j LOG --log-level debug -m state --state INVALID --log-prefix 'iptables: REASON=invalid ' $ip6tables -A INPUT -j LOG --log-level debug -m state --state INVALID --log-prefix 'ip6tables: REASON=invalid ' for iface in $interfaces do eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do eval "ip=\$ip_${iface_x}" eval "ips6_defined=\${ip6_${iface_x}+DEFINED}" case $ips6_defined in '') ips6=$ips ;; *) eval "ips6=\$ip6_${iface_x}" esac for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range uruk_log -i $iface -d $ip esac done for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range uruk6_log -i $iface -d $ip6 esac done done done elif test $loglevel -lt 60 then # 40 < 60 ( 50) medium: log denied non-broadcasts (default) uruk_log uruk6_log fi # FIXME : yet to implement: # 60 < 80 ( 70) high: log denied packets uruk_hook "$rc_h" # # reject all others # $iptables -A INPUT -j REJECT --reject-with tcp-reset -p tcp $iptables -A INPUT -j REJECT # These ip6tables flags are supported since 2.4.5; we don't support older kernels $ip6tables -A INPUT -j REJECT --reject-with tcp-reset -p tcp $ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited uruk_hook "$rc_i" # make sure we exit 0, even if last test failed exit 0 uruk-20160219/script/urukctl0000644000175000017500000002567212661605702012630 00000000000000#!/bin/sh # # this file maintained at http://git.mdcc.cx/uruk.git # # Uruk control script. # Copyright (C) 2002, 2003 Laurence J. 
Lane # Copyright (C) 2003, 2004, 2005, 2007, 2010 Joost van Baal # Copyright (C) 2013 Joost van Baal-Ilić # # This file is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) # any later version. # # This file is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU GPL for more details. # # You should have received a copy of the GNU GPL along with this file, see # e.g. the file named COPYING. If not, see . # Based upon /etc/init.d/iptables as shipped with the Debian iptables # package by Laurence J. Lane set -e # do sanity check on uruk environment. enable_uruk_check=true ## enable_uruk_check=false # enable ipv6 support enable_ipv6=true # enable calling the unstable uruk-save script enable_uruk_save=false # set enable_autosave to "true" to autosave the active ruleset # when going from start to stop enable_autosave=true # set enable_save_counters to "true" to save table counters with # rulesets enable_save_counters=true # /etc/default/uruk can overrule # enable_uruk_check, enable_ipv6, enable_autosave, enable_save_counters and PATH # On Debian systems, configuration for init scripts is in /etc/default/ test -f /etc/default/uruk && . /etc/default/uruk # On Red Hat systems, configuration for init scripts is in /etc/sysconfig/ test -f /etc/sysconfig/uruk && . /etc/sysconfig/uruk # exit code STATUS=0 initd="$0" initd_abort_wrong_arg () { cmd=$1 shift echo "Aborting urukctl $cmd: wrong argument: $@" exit 2 } initd_have_a_cow_man () { for i in $@; do if ! 
command -v "$i" >/dev/null 2>&1; then echo "Aborting urukctl: missing executable $i" exit 5 fi done } initd_clear () { rm -f "$autosave" echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy" $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore echo "." } initd_halt () { rm -f $autosave echo -n "Clearing ${iptables_command} ruleset: default DROP policy" $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore echo "." } initd_flush () { # This will NOT flush the mangle or nat table. If we wanna do that, we'd have to do # something like # # while read -r table;do iptables -t $table -F;done "$ruleset" STATUS=$? else $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset" STATUS=$? fi } initd_save () { rm -f $autosave ruleset="$libdir/$@" echo -n "Saving ${iptables_command} ruleset: save \"$@\"" initd_counters echo "." } initd_autosave () { if $enable_autosave && test -f $autosave; then ruleset="$libdir/active" echo -n "Autosaving ${iptables_command} ruleset: save \"active\"" initd_counters echo "." fi } initd_active_uruk_save () { if test $iptables_command = ip6tables; then echo -n "Saving IPv6 uruk rules as active ruleset" uruk-save -6 > "$libdir/active" STATUS=$? echo "." else echo -n "Saving IPv4 uruk rules as active ruleset" uruk-save > "$libdir/active" STATUS=$? echo "." fi initd_load active dummy=$? test "$STATUS" = 0 && STATUS=$dummy } initd_active () { if $enable_uruk_save; then initd_active_uruk_save else initd_flush if test $iptables_command = ip6tables; then echo -n "Loading IPv6 uruk rules" # skip all iptables commands in uruk URUK_IPTABLES=':' uruk STATUS=$? echo "." else echo -n "Loading IPv4 uruk rules" # skip all ip6tables commands in uruk URUK_IP6TABLES=':' uruk STATUS=$? echo "." fi initd_save active dummy=$? test "$STATUS" = 0 && STATUS=$dummy fi } initd_start () { if ! 
test -e "$libdir/inactive"; then initd_save inactive fi initd_active if $enable_autosave; then touch $autosave fi } initd_stop () { # act sane if inactive state file missing ruleset="$libdir/inactive" if test -e $ruleset; then initd_load inactive rm $ruleset else echo "Uruk not running (no inactive file found)" STATUS=0 fi } initd_status() { initd_preload tmpdir=`mktemp -d /tmp/uruk.$iptables_command.XXXXXXXXXX` trap 'rm -rf $tmpdir' 0 # grep possibly matches nothing, force succesfull exit $iptables_save | grep '^-' >$tmpdir/kernel || true for rule in active inactive; do eval status_$rule= eval found_$rule= if test -e $libdir/$rule; then sed -n 's/^\[[0-9]\{1,\}:[0-9]\{1,\}\] //p' $libdir/$rule >$tmpdir/ruleset if diff $tmpdir/ruleset $tmpdir/kernel >/dev/null; then echo "Checking uruk ($iptables_command): $rule uruk rules loaded" eval status_$rule=1 fi eval found_$rule=1 fi done rm -r $tmpdir # if running, active loaded; then rulesets existing as file: active inactive # if "not running", inactive loaded; then active if test "$found_active"; then if test "$found_inactive"; then # uruk is running, STATUS=0 STATUS=0 else # uruk is not running STATUS=3 fi else # uruk not running, unconfigured: "unknown" STATUS=4 fi } usage () { cat << END $initd options: start save create load reload force-reload stop restart status clear halt flush See the urukctl(8) manpage for details. END } initd_main () { initd_vars case "$1" in start) initd_start ;; stop) initd_stop ;; restart) # Restart service (if running) or start service $initd stop $initd start ;; force-reload) for rule in active inactive; do eval found_$rule= if test -e $libdir/$rule; then eval found_$rule=1 fi done if test "$found_active" -a "$found_inactive"; then # uruk is running initd_active else echo "Uruk is not running" STATUS=0 fi ;; status) # If the status action is requested, the init script will # return the following exit status codes. 
# # 0 program is running or service is OK #(1 program is dead and /var/run pid file exists) #(2 program is dead and /var/lock lock file exists) # 3 program is not running # 4 program or service status is unknown # will set STATUS, used as exit code initd_status ;; # end of LSB required init arguments reload) for rule in active inactive; do eval found_$rule= if test -e $libdir/$rule; then eval found_$rule=1 fi done if test "$found_active" -a "$found_inactive"; then if $enable_uruk_save; then initd_active_uruk_save else cat < "$libdir/active" echo "." else echo -n "Saving IPv4 uruk rules as active ruleset" uruk-save > "$libdir/active" echo "." fi else cat </dev/null; then echo "Fails to run ${iptables_command}." exit 4 fi } check_uruk() { initd_have_a_cow_man uruk >/dev/null uruk_config="/etc/uruk/rc" # check for existence of uruk rc file. if ! test -r $uruk_config; then echo "No file $uruk_config present." exit 6 fi # check for sanity of uruk rc file. if grep -q URUK_IS_UNCONFIGURED $uruk_config; then echo "Uruk is unconfigured. Please create a sane file $uruk_config. See uruk(8)." exit 6 fi } # check command line args case "$1" in start|stop|restart|force-reload|status|reload|clear|halt|flush|save|create|load) # pass ;; *) usage initd_abort_wrong_arg "$*" ;; esac if $enable_uruk_check; then check_uruk fi iptables_command=iptables initd_main $* if $enable_ipv6; then iptables_command=ip6tables initd_main $* fi exit $STATUS uruk-20160219/script/uruk-save0000644000175000017500000000232112476343033013043 00000000000000#! /bin/sh # uruk-save - directly dump /etc/uruk/rc to an iptables-save style # file, without invoking iptables # this file maintained at http://git.mdcc.cx/uruk.git # Copyright © 2005 Joost van Baal # Copyright © 2012,2015 Wessel Dankers # # This file is part of Uruk. Uruk is free software; you can redistribute # it and/or modify it under the terms of the GNU GPL, see the file named # COPYING. 
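# Build an iptables-save style dump on stdout: seed one file per table with
# its chain policies, run uruk with the iptables command replaced by
# uruk_save (which appends rules to $uruk_save_dir/<table>), then print every
# table file followed by COMMIT.

# Create the scratch directory before anything is printed.  If mktemp failed
# and the result were used unchecked, the variable would be empty: the
# redirections below would target /filter, /raw, ... and the final loop would
# cat the entries of / into the generated ruleset.
uruk_save_dir=$(mktemp -d) || {
  echo >&2 "uruk-save: cannot create temporary directory"
  exit 1
}
export uruk_save_dir  # read by uruk_save inside the uruk child process
trap 'rm -rf -- "$uruk_save_dir"' EXIT INT HUP QUIT TERM

echo "# Generated by uruk-save on $(date)"
echo

# Table skeletons: table name, then one built-in chain policy per line.
printf '%s\n' '*filter' \
  ':INPUT ACCEPT [0:0]' \
  ':FORWARD ACCEPT [0:0]' \
  ':OUTPUT ACCEPT [0:0]' >"$uruk_save_dir/filter"

printf '%s\n' '*raw' \
  ':PREROUTING ACCEPT [0:0]' \
  ':OUTPUT ACCEPT [0:0]' >"$uruk_save_dir/raw"

printf '%s\n' '*mangle' \
  ':PREROUTING ACCEPT [0:0]' \
  ':INPUT ACCEPT [0:0]' \
  ':FORWARD ACCEPT [0:0]' \
  ':OUTPUT ACCEPT [0:0]' \
  ':POSTROUTING ACCEPT [0:0]' >"$uruk_save_dir/mangle"

# -6 selects the IPv6 ruleset; the command for the other address family is
# set to ':' so uruk runs it as a no-op.
case "${1-}" in
  -6)
    URUK_IPTABLES=: URUK_IP6TABLES=uruk_save uruk
    uruk_status=$?
    ;;
  *)
    # The nat skeleton is only seeded for the IPv4 dump.
    printf '%s\n' '*nat' \
      ':PREROUTING ACCEPT [0:0]' \
      ':POSTROUTING ACCEPT [0:0]' \
      ':OUTPUT ACCEPT [0:0]' >"$uruk_save_dir/nat"
    URUK_IPTABLES=uruk_save URUK_IP6TABLES=: uruk
    uruk_status=$?
    ;;
esac

# Fail closed: if uruk did not finish, the table files may hold only the
# ACCEPT policies above (or a partial rule list).  Emitting them with COMMIT
# would hand the caller a permissive ruleset that looks complete.
if test "$uruk_status" -ne 0; then
  echo >&2 "uruk-save: uruk exited with status $uruk_status; no ruleset emitted"
  exit "$uruk_status"
fi

for f in "$uruk_save_dir"/*; do
  cat -- "$f"
  echo COMMIT
  echo
done

echo "# Completed on $(date)"
uruk-20160219/script/uruk.in0000644000175000017500000005021212661606273012522 00000000000000#! /bin/sh
# vim:syntax=sh
# this file maintained at http://git.mdcc.cx/uruk.git
# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004, 2010 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005, 2007, 2010 Joost van Baal
# Copyright (C) 2012, 2013 Joost van Baal-Ilić
# Copyright © 2014,2015 Wessel Dankers
#
# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING. If not, see .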
# # peeksheet: iptables predefined chains: # # - INPUT - - localhost - - OUTPUT - # / \ # PREROUTING - - - - - - - - FORWARD - - - - - - - - POSTROUTING # iptables=${URUK_IPTABLES:-/sbin/iptables} ip6tables=${URUK_IP6TABLES:-/sbin/ip6tables} # Variables used: ip6_<...>, sources6_<...>, ip6tables. interfaces_unprotect=${URUK_INTERFACES_UNPROTECT:-lo} etcdir="/etc/uruk" config=${URUK_CONFIG:-${etcdir}/rc} # IPv4 ranges that should not send or receive packets unless specifically permitted # See RFC 6890. ip4_noroute_ranges='0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3' # IPv6 ranges that should not send or receive packets # see http://www.iana.org/assignments/ipv6-address-space/ # and http://www.iana.org/assignments/ipv6-unicast-address-assignments/ # and RFC 6890. # All IPv6 addresses in their canonical form. ip6_noroute_ranges='64:ff9b::/96 ::ffff:0:0/96 100::/64 200::/7 2001:2::/48 2001:db8::/32 2001:10::/28 fc00::/7 fec0::/10 3ffe::/16 5f00::/8 ::1/128 ::/128' uruk_version="@URUK_VERSION@" test -r $config || { echo >&2 "No readable rc file $config found. Please create one." && exit 1 } . 
$config case $version in ?*) case $((version < 20040210)) in 1) cat >&2 <&2 esac if test -f $uruk_save_dir/$table then space= for arg do case $arg in -[a-zA-Z0-9]) echo -n "$space-" echo -n "${arg#-}" ;; *[!a-zA-Z0-9_!+,./:=@-]*) echo -n "$space\"" echo -n "$arg" | sed 's/[\\\"'\'']/\\&/g' echo -n \" ;; *) echo -n "$space$arg" esac space=' ' done >>$uruk_save_dir/$table echo >>$uruk_save_dir/$table else echo "Unknown table '$table'; skipping rule '" -t $table $* "'" >&2 fi } # # bootstrap these rules # # 40 < 60 ( 50) medium: log denied non-broadcasts (default) test -z "$loglevel" && loglevel=50 # # traffic on interfaces_unprotect (lo, per default) is trusted for iface in ${interfaces_unprotect} do $iptables -A INPUT -i $iface -j ACCEPT $iptables -A OUTPUT -o $iface -j ACCEPT $ip6tables -A INPUT -i $iface -j ACCEPT $ip6tables -A OUTPUT -o $iface -j ACCEPT done uruk_hook "$rc_a" if test $loglevel -ge 80 then # 80 < 99 ( 90) fascist: log all packets uruk_log uruk6_log fi $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # workaround bug(?) 
in linux kernel, see also # http://serverfault.com/questions/309691/why-is-our-firewall-ubuntu-8-04-rejecting-the-final-packet-fin-ack-psh-wit # first argument is the flags which we should examine, the second argument is # the flags which must be set $iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK -j ACCEPT $ip6tables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK -j ACCEPT $iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT $ip6tables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT uruk_hook "$rc_b" # # protect interfaces_public agains spoofing # for iface in ${interfaces} do # # don't allow anyone to spoof non-routeable addresses # eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac # set of all addresses on this (physical) interface blockips= blockips6= # set of all permitted "special" nets for this (physical) interface eval "blocknet=\$net_${iface}" eval "blocknet6=\$net6_${iface}" for iface_x in $interfaces_x do eval "ips=\$ip_${iface_x}" eval "ips6_defined=\${ip6_${iface_x}+DEFINED}" case $ips6_defined in '') ips6=$ips ;; *) eval "ips6=\$ip6_${iface_x}" esac eval "net=\$net_${iface_x}" eval "net6=\$net6_${iface_x}" blocknet="$blocknet $net" blocknet6="$blocknet6 $net6" for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range for no_route_ip in $ip4_noroute_ranges do case " $net " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $iptables -A INPUT -i $iface -s $no_route_ip -d $ip -j DROP $iptables -A OUTPUT -o $iface -s $ip -d $no_route_ip -j DROP esac done blockips="$blockips $ip" esac done for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range for no_route_ip in $ip6_noroute_ranges do case " $net $net6 " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $ip6tables -A INPUT -i $iface -s $no_route_ip -d $ip6 -j DROP $ip6tables -A OUTPUT -o $iface -s $ip6 -d $no_route_ip -j DROP 
esac done blockips6="$blockips6 $ip6" esac done done case $blockips in *[!$IFS][$IFS]*[!$IFS]*) # in multiple ip mode, we have to drop only if source is # not _one_ of the nic's IPs # supporting this for multiple ips would need multiple chains # or, perhaps, some iptables extension. # for now, we just block "known bad" addresses for no_route_ip in $ip4_noroute_ranges do case " $blocknet " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $iptables -A INPUT -i $iface -d $no_route_ip -j DROP $iptables -A OUTPUT -o $iface -s $no_route_ip -j DROP esac done ;; *) # block outgoing packets that don't have our address as source, # they are either spoofed or something is misconfigured (NAT disabled, # for instance), we want to be nice and don't send out garbage. for ip in $blockips do # drop all outgoing packets which don't have us as a source $iptables -A OUTPUT -o $iface ! -s "$ip" -j DROP # drop all incoming packets which don't have us as destination $iptables -A INPUT -i $iface ! -d "$ip" -j DROP done esac # in IPv6 we always have a multiple IP mode, because an interface # always has a link-local address as well # in multiple ip mode, we have to drop only if source is # not _one_ of the nic's IPs # supporting this for multiple ips would need multiple chains # or, perhaps, some iptables extension. 
# for now, we just block "known bad" addresses for no_route_ip in $ip6_noroute_ranges do case " $blocknet $blocknet6 " in *[$IFS]$no_route_ip[$IFS]*) ;; *) $ip6tables -A INPUT -i $iface -d $no_route_ip -j DROP $ip6tables -A OUTPUT -o $iface -s $no_route_ip -j DROP esac done # Always allow outgoing connections $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT $ip6tables -A OUTPUT -m conntrack --ctstate NEW -o $iface -j ACCEPT done uruk_hook "$rc_c" # # allow traffic to offered services, from trusted sources # for iface in $interfaces do eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do # tcp is special eval "services_defined=\${services_${iface_x}_tcp+DEFINED}" case $services_defined in '') cat >&2 <&2 <&2 "WARNING: sources_${iface_x}_${proto}_${service} is undefined. (Processing uruk rc file nevertheless.)" esac eval "sources6_defined=\${sources6_${iface_x}_${proto}_${service}+DEFINED}" eval "sources6=\$sources6_${iface_x}_${proto}_${service}" case $sources6_defined in '') eval "sources6=\$sources_${iface_x}_${proto}_${service}" esac eval "ports_defined=\${ports_${iface_x}_${proto}_${service}+DEFINED}" eval "ports=\$ports_${iface_x}_${proto}_${service}" case $ports_defined in '') echo >&2 "WARNING: ports_${iface_x}_${proto}_${service} is undefined. (Processing uruk rc file nevertheless.)" ;; *) for port in $ports do # port is e.g. www or 1023 for source in $sources do case $source in *:*) ;; *) # if it doesn't look like an IPv6 address/range # source is e.g. 
10.56.0.10/32 for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range $iptables \ --append INPUT \ --match conntrack \ --ctstate NEW \ --in-interface $iface \ --protocol $proto \ --source "$source" \ --destination "$ip" \ --destination-port "$port" \ --jump ACCEPT esac done esac done for source6 in $sources6 do case $source6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range $ip6tables \ --append INPUT \ --match conntrack \ --ctstate NEW \ --in-interface $iface \ --protocol $proto \ --source "$source6" \ --destination "$ip6" \ --destination-port "$port" \ --jump ACCEPT esac done esac done done esac done esac done done done uruk_hook "$rc_d" # # rc_e: backwards compatibility. should be removed one day. # uruk_hook "$rc_e" # # Don't answer broadcast and multicast packets # for iface in $interfaces_nocast do eval "is=\$bcasts_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do eval "bcast=\$bcast_${iface_x}" $iptables -A INPUT -i $iface -d "$bcast" -j DROP done $iptables -A INPUT -i $iface -d 255.255.255.255 -j DROP done uruk_hook "$rc_f" # # icmp stuff. See RFC 1122 and also RFC 792, RFC 950, RFC 1812, RFC 1349, # RFC 2474 and Stevens' TCP/IP Illustrated Chapter 6, p 69. # The icmp types are even in %num2icmp_type in Lire::Firewall. # Running "iptables -p icmp -h" gives iptables's idea of icmp types # # # By default, we disallow # # source-quench # redirect ( # network-redirect # host-redirect # TOS-network-redirect # TOS-host-redirect # ) # router-advertisement # router-solicitation # # You might want to allow just # # echo-request echo-reply ttl-zero-during-transit \ # ttl-zero-during-reassembly ip-header-bad required-option-missing # # This makes pings succeed, as well as traceroute. 
However # debugging network problems might be _much_ more difficult when disallowing # lots of other icmp types. If you really want to do this, use rc_g. # for type in \ address-mask-reply \ address-mask-request \ destination-unreachable \ echo-reply \ echo-request \ parameter-problem \ timestamp-reply \ timestamp-request \ ttl-zero-during-reassembly \ ttl-zero-during-transit do $iptables -A INPUT -p icmp --icmp-type $type -j ACCEPT done # Drop echo replies which have a multicast address as a # destination. See rfc4890-icmpv6-firewall.sh. $ip6tables -A INPUT --protocol icmpv6 -d ff00::/8 \ --icmpv6-type echo-reply -j DROP # See http://www.iana.org/assignments/icmpv6-parameters for ICMPv6 types # Or run # ip6tables -p ipv6-icmp -h for type in \ echo-request \ echo-reply \ destination-unreachable \ packet-too-big \ ttl-zero-during-transit \ ttl-zero-during-reassembly \ unknown-header-type \ unknown-option \ bad-header \ redirect \ 144 \ 145 \ 146 \ 147 \ router-solicitation \ router-advertisement \ neighbour-solicitation \ neighbour-advertisement \ 141 \ 142 \ 130 \ 131 \ 132 \ 143 \ 148 \ 149 \ 151 \ 152 \ 153 do $ip6tables -A INPUT --protocol icmpv6 --icmpv6-type $type -j ACCEPT done # Type 144 - Home Agent Address Discovery [RFC3775] # Type 145 - Home Agent Address Discovery [RFC3775] # Type 146 - Mobile Prefix Solicitation [RFC3775] # Type 147 - Mobile Prefix Advertisement [RFC3775] # We DROP, a.o.: # Router renumbering messages: 138 # Node information queries (139) and replies (140): 139 140 # $ip6tables -A INPUT --protocol icmpv6 -j DROP uruk_hook "$rc_g" # # log packets which make it till here: denied packets (not denied broadcasts # or spoofed stuff). take loglevel into account. # if test $loglevel -lt 20 then # be silent : elif test $loglevel -lt 40 then # log denied packets, targetted at our IPs # INVALID: The packet is associated with no known connection. 
See iptables-extensions(8) # may be due to the system running out of memory or ICMP error messages that do not # respond to any known connections. It is helpfull to log these with explicitly # mentioning reason of logging (and dropping). $iptables -A INPUT -j LOG --log-level debug -m state --state INVALID --log-prefix 'iptables: REASON=invalid ' $ip6tables -A INPUT -j LOG --log-level debug -m state --state INVALID --log-prefix 'ip6tables: REASON=invalid ' for iface in $interfaces do eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac for iface_x in $interfaces_x do eval "ip=\$ip_${iface_x}" eval "ips6_defined=\${ip6_${iface_x}+DEFINED}" case $ips6_defined in '') ips6=$ips ;; *) eval "ips6=\$ip6_${iface_x}" esac for ip in $ips do case $ip in *:*) ;; *) # if it doesn't look like an IPv6 address/range uruk_log -i $iface -d $ip esac done for ip6 in $ips6 do case $ip6 in *[!0-9/.]*) # if it doesn't look like an IPv4 address/range uruk6_log -i $iface -d $ip6 esac done done done elif test $loglevel -lt 60 then # 40 < 60 ( 50) medium: log denied non-broadcasts (default) uruk_log uruk6_log fi # FIXME : yet to implement: # 60 < 80 ( 70) high: log denied packets uruk_hook "$rc_h" # # reject all others # $iptables -A INPUT -j REJECT --reject-with tcp-reset -p tcp $iptables -A INPUT -j REJECT # These ip6tables flags are supported since 2.4.5; we don't support older kernels $ip6tables -A INPUT -j REJECT --reject-with tcp-reset -p tcp $ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited uruk_hook "$rc_i" # make sure we exit 0, even if last test failed exit 0 uruk-20160219/man/0000755000175000017500000000000012661613117010526 500000000000000uruk-20160219/man/Makefile.am0000644000175000017500000000440312312254645012503 00000000000000## Process this file with automake to produce Makefile.in ## this file maintained at http://git.mdcc.cx/uruk.git ## Copyright (C) 2003 Stichting 
LogReport Foundation logreport@logreport.org ## Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/ ## Copyright (C) 2003, 2004, 2005 Joost van Baal ## zoem hacks based upon work by Stijn van Dongen. # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. TROFF = groff COL = col ## Zoem is a an interpretive macro language, for creating mark-up languages, by ## Stijn van Dongen. Information about zoem can be found on the zoem webpage at ## http://micans.org/zoem/ . ZOEM = zoem ## tidy is a HTML syntax checker and reformatter, available from ## http://www.w3.org/People/Raggett/tidy/ , by Dave Raggett TIDY = tidy -quiet ## http://w3m.sourceforge.net/ ## w3m is a text-based web browser, which can be used as a text formatting tool ## which typesets HTML into plain text. W3M = w3m azms = uruk-rc.azm uruk-save.azm uruk.azm urukctl.azm typetargets = uruk-rc.html uruk-rc.ps uruk-rc.txt \ uruk-save.html uruk-save.ps uruk-save.txt uruk.html uruk.ps uruk.txt \ urukctl.html urukctl.ps urukctl.txt tmpfiles = uruk-rc.zmt uruk-rc.zmr uruk-save.zmt uruk-save.zmr \ uruk.zmt uruk.zmr urukctl.zmt urukctl.zmr doc_DATA = $(typetargets) $(azms) man_MANS = uruk.8 uruk-rc.5 uruk-save.8 urukctl.8 EXTRA_DIST = $(doc_DATA) $(man_MANS) ## DISTCLEANFILES = $(man_MANS) $(typetargets) $(tmpfiles) VERSION = @PACKAGE_VERSION@ PACKAGE = @PACKAGE_TARNAME@ docdir = $(datadir)/doc/$(PACKAGE) SUFFIXES = .5 .8 .html .azm .ps .txt .azm.5: $(ZOEM) -d roff -i $< -o $@ $(ZOEM) -d roff -i $< -o $@ .azm.8: $(ZOEM) -d roff -i $< -o $@ $(ZOEM) -d roff -i $< -o $@ .5.ps: $(TROFF) -man $< > $@ .8.ps: $(TROFF) -man $< > $@ .azm.html: $(ZOEM) -d html -i $< -o $@ $(ZOEM) -d html -i $< -o $@ ## - $(TIDY) -e $@ ## .html.txt: ## $(W3M) -dump $< > $@ ## -Tlatin1 causes col to choke ## use -Tuft8 if you really need non-ascii characters .5.txt: $(TROFF) -t -e -mandoc -Tascii $< | $(COL) -bxp > $@ .8.txt: $(TROFF) -t -e -mandoc -Tascii $< | 
$(COL) -bxp > $@ MAINTAINERCLEANFILES = $(manazms) $(typetargets) $(tmpfiles) DISTCLEANFILES = $(typetargets) uruk-20160219/man/Makefile.in0000644000175000017500000004300512661613102012507 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = man ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = include.zmm CONFIG_CLEAN_VPATH_FILES 
= AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } man5dir = $(mandir)/man5 am__installdirs = "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ "$(DESTDIR)$(docdir)" man8dir = $(mandir)/man8 NROFF = nroff MANS = $(man_MANS) DATA = $(doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/include.zmm.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE_TARNAME@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @PACKAGE_VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = $(datadir)/doc/$(PACKAGE) dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = 
@mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ TROFF = groff COL = col ZOEM = zoem TIDY = tidy -quiet W3M = w3m azms = uruk-rc.azm uruk-save.azm uruk.azm urukctl.azm typetargets = uruk-rc.html uruk-rc.ps uruk-rc.txt \ uruk-save.html uruk-save.ps uruk-save.txt uruk.html uruk.ps uruk.txt \ urukctl.html urukctl.ps urukctl.txt tmpfiles = uruk-rc.zmt uruk-rc.zmr uruk-save.zmt uruk-save.zmr \ uruk.zmt uruk.zmr urukctl.zmt urukctl.zmr doc_DATA = $(typetargets) $(azms) man_MANS = uruk.8 uruk-rc.5 uruk-save.8 urukctl.8 EXTRA_DIST = $(doc_DATA) $(man_MANS) SUFFIXES = .5 .8 .html .azm .ps .txt MAINTAINERCLEANFILES = $(manazms) $(typetargets) $(tmpfiles) DISTCLEANFILES = $(typetargets) all: all-am .SUFFIXES: .SUFFIXES: .5 .8 .html .azm .ps .txt $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu man/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu man/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): include.zmm: $(top_builddir)/config.status $(srcdir)/include.zmm.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-man5: $(man_MANS) @$(NORMAL_INSTALL) @list1=''; \ list2='$(man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ { for i in $$list1; do echo "$$i"; done; \ if test -n "$$list2"; then \ for i in $$list2; do echo "$$i"; done \ | sed -n '/\.5[a-z]*$$/p'; \ fi; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ sed 'N;N;s,\n, ,g' | { \ list=; while read file base inst; do \ if test "$$base" = "$$inst"; then list="$$list $$file"; else \ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ fi; \ done; \ for i in $$list; do echo "$$i"; done | $(am__base_list) | \ while read files; do \ test -z "$$files" || { \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ done; } uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i 
in $$list; do echo "$$i"; done; \ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) install-man8: $(man_MANS) @$(NORMAL_INSTALL) @list1=''; \ list2='$(man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ { for i in $$list1; do echo "$$i"; done; \ if test -n "$$list2"; then \ for i in $$list2; do echo "$$i"; done \ | sed -n '/\.8[a-z]*$$/p'; \ fi; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ sed 'N;N;s,\n, ,g' | { \ list=; while read file base inst; do \ if test "$$base" = "$$inst"; then list="$$list $$file"; else \ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ fi; \ done; \ for i in $$list; do echo "$$i"; done | $(am__base_list) | \ while read files; do \ test -z "$$files" || { \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ done; } uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) install-docDATA: $(doc_DATA) @$(NORMAL_INSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) 
"$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-docDATA: @$(NORMAL_UNINSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(MANS) $(DATA) installdirs: for dir in "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-docDATA install-man install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-man5 install-man8 install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-docDATA uninstall-man uninstall-man: uninstall-man5 uninstall-man8 .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-docDATA install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-man5 \ install-man8 install-pdf install-pdf-am install-ps \ install-ps-am install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags-am \ uninstall uninstall-am uninstall-docDATA uninstall-man \ uninstall-man5 uninstall-man8 .PRECIOUS: Makefile .azm.5: $(ZOEM) -d roff -i $< -o $@ $(ZOEM) -d roff -i $< -o $@ .azm.8: $(ZOEM) -d roff -i $< -o $@ $(ZOEM) -d roff -i $< -o $@ .5.ps: $(TROFF) -man $< > $@ .8.ps: $(TROFF) -man $< > $@ .azm.html: $(ZOEM) -d html -i $< -o $@ $(ZOEM) -d html -i $< -o $@ .5.txt: $(TROFF) -t -e -mandoc -Tascii $< | $(COL) -bxp > $@ .8.txt: $(TROFF) -t -e -mandoc 
-Tascii $< | $(COL) -bxp > $@ # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: uruk-20160219/man/include.zmm.in0000644000175000017500000000417612200455502013222 00000000000000\: this file maintained at http://git.mdcc.cx/uruk.git \: This file is free software; you can distribute it and/or modify it \: under the terms of the GNU GPL. See the file COPYING. \: \: based upon mac/zoem.zmm in the zoem sources and man/include.zmm.in in the \: draai sources. \: Copyright (C) 2003, 2004, 2005 Joost van Baal, \: Copyright (C) 2002, 2003, 2011 Stijn van Dongen \setx{"man::year"}{\zinsert{@top_srcdir@/stamp.year}} \setx{"man::month"}{\zinsert{@top_srcdir@/stamp.month}} \setx{"man::day"}{\zinsert{@top_srcdir@/stamp.day}} \setx{"man::tag"}{\zinsert{@top_srcdir@/VERSION}} \setx{"man::year"}{\tr{{delete}{[:space:]}}{\"man::year"}} \setx{"man::month"}{\tr{{delete}{[:space:]}}{\"man::month"}} \setx{"man::day"}{\tr{{delete}{[:space:]}}{\"man::day"}} \setx{"man::tag"}{\tr{{delete}{[:space:]}}{\"man::tag"}} \set{"man::author"}{Joost van Baal-Ilić } \setx{man_share}{ {year} {\"man::year"} {month} {\"man::month"} {day} {\"man::day"} {tag} {\"man::tag"} {author} {\"man::author"} {synstyle}{long} {defstyle}{long} } \def{uruk}{\bf{uruk}} \def{uruk_save}{\bf{uruk-save}} \def{urukctl}{\bf{urukctl}} \def{rc}{\it{rc}} \def{sbinpath}{/sbin} \def{sysconfpath}{/etc} \def{rcpath}{/etc/uruk/rc} \def{statepath}{/var/lib/uruk} \def{initpath}{/etc/init.d/uruk} \def{expath}{/usr/share/doc/uruk/examples/rc} \def{defpath}{/usr/share/doc/uruk/examples/default} \def{ttrcpath}{\tt{\rcpath}} \def{ttinitpath}{\tt{\initpath}} \def{ttexpath}{\tt{\expath}} \def{gplheader}{ \par{ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
} \par{ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. } \par{ You should have received a copy of the GNU General Public License along with this program. If not, see \httpref{http://www.gnu.org/licenses/}. } } uruk-20160219/man/uruk-rc.html0000644000175000017500000004667012535264244012744 00000000000000 Uruk rc file

8 Jun 2015    uruk-rc 20150608

NAME

uruk-rc — uruk resource file, defining access policy

SYNOPSIS

/etc/uruk/rc

DESCRIPTION

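rc is a shell script snippet, sourced in uruk by /bin/sh. Because it is sourced, everything in it is executed by the shell that runs uruk, so rc and any hook files it names should be writable only by the administrator.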

rc lists IP addresses, allowed to use services.

EXAMPLES

default
The simplest valid rc file is the empty file. This rc file blocks all TCP and UDP connection attempts to services on our host: this is the default behaviour.

simplest
The simplest rc file which does allow traffic to our services looks like e.g.:

# Minimal rc that opens every TCP and UDP port on eth0's single address.

# one protected interface, with one named address ("default")
interfaces=eth0

ips_eth0=default
ip_eth0_default=192.168.26.27
net_eth0_default=192.168.0.0/16

ip6_eth0_default=2001:db8::1/64
net6_eth0_default=2001:db8::/32

# TCP: one service group named "local" covering the full port range,
# reachable from any IPv4 and any IPv6 source
services_eth0_default_tcp=local
ports_eth0_default_tcp_local="0:65535"
sources_eth0_default_tcp_local="0.0.0.0/0 ::/0"

# UDP: same port range
# NOTE(review): only an IPv4 source is listed here, unlike the TCP line.
# This page's "IPv4 AND IPv6" section says v4 literals are ignored in v6
# context, so IPv6 UDP is presumably not opened by this line; confirm
# whether "::/0" was intended.
services_eth0_default_udp=local
ports_eth0_default_udp_local="0:65535"
sources_eth0_default_udp_local="0.0.0.0/0"
This rc file allows all IPv4 and IPv6 UDP and TCP traffic from publicly routable IPs to eth0's IP.

realistic
If you'd like to block traffic on wlan0 and allow traffic to ssh on your wired interface, and don't like to explicitly set your IPs in rc:

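# Example rc: leave wlan0 closed, allow ssh on the wired interface, and let
# autodetect-ips supply the addresses instead of hard-coding them.

# list of interfaces you'd like uruk to protect
# (quoted: /bin/sh reads an unquoted "interfaces=eth0 wlan0" as "run the
# command wlan0 with interfaces=eth0 in its environment", which leaves the
# variable unset for the rest of the file)
interfaces="eth0 wlan0"

# set variables ip{,6}_eth0_default and net{,6}_eth0_default
. /lib/uruk/init/autodetect-ips

# names for eth0's 2 IPv4 addresses
ips_eth0="default dhcp"

# allow access to our sshd on eth0's primary IP on tcp port 443
# from anywhere
services_eth0_default_tcp=ssh
ports_eth0_default_tcp_ssh=443
sources_eth0_default_tcp_ssh="0.0.0.0/0 ::/0"

# we get a static IPv4 via dhcp
ip_eth0_dhcp=10.0.0.3
# NOTE(review): "10./8" looks like a truncated network; presumably
# 10.0.0.0/8 is meant. Confirm before copying, since this value is reused
# below as the allowed source range.
net_eth0_dhcp=10./8

services_eth0_dhcp_tcp=http
ports_eth0_dhcp_tcp_http=http
sources_eth0_dhcp_tcp_http=$net_eth0_dhcp

# we leave services_wlan0_default_{tcp,udp} unset: don't allow any
# incoming connections on wlan0's default IP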

autodetect-ips
The script autodetect-ips (as used in the previous example) looks for files /etc/sysconfig/network-scripts/ifcfg-* (commonly found at e.g. Red Hat and Fedora systems) and /etc/network/interfaces (as found at e.g. Debian and Ubuntu systems), and, for each interface nic, and each found IPv4 and IPv6 address and network, sets variables ip_nic_default, ip6_nic_default, net_nic_default and net6_nic_default. Then it calls ip(8) and adds any other found nic, ip and net triplets (for IPv4 and, for IPv6, only addresses in scope "global").

The script autodetect-ips is useful if you'd like to share your rc file among different hosts.

another example
For an even more reasonable rc file, look at the well-commented example rc file in /usr/share/doc/uruk/examples/rc.

IPv4 AND IPv6

You can mix IPv4 and IPv6-addresses in sources_*. E.g.:

ips_eth0='default private' ip_eth0_default=1.2.3.4 ip6_eth0_default= services_eth0_default_tcp='mail local' sources_eth0_default_tcp_mail='10.0.0.0/24 192.0.32.0/24 192.168.6.26' sources_eth0_default_tcp_local='192.0.32.0/24 svejk.example.com 2001:db8::/32' ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local='ssh ftp'

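If svejk.example.com has both an IPv4 PTR record and an IPv6 PTR record in DNS, connection attempts from svejk to the ssh and ftp TCP ports are allowed, via both IPv4 and IPv6. A hostname in sources_* makes the resulting rule depend on the DNS answer for that name, so literal addresses are the more predictable choice for sensitive services.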

Uruk used to require variables sources6_* to be set to support ip6tables. Since uruk version 20140319 (The Alfama Release), this is no longer needed; setting sources_* suffices. To be precise, the semantics since uruk version 20140319 is: 1) If both sources_* and sources6_* are defined (even if they're just empty), each is used for its respective address family. (This ensures backwards compatibility.) 2) If sources6_* is undefined, sources_* is used for both v4 and v6. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently (!) ignored.

HOOKS

Uruk offers hooks for inserting your own code between iptables invocations. Examples will show the usefulness of these hooks.

allowing broadcasts
In rc, there is:

rc_b=$etcdir/bootp
while the file bootp reads
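# Hook file "bootp": accept new UDP packets for the bootps port that arrive
# on eth0.
# The options are written with ASCII hyphens; the long dashes of the
# rendered page are not valid option prefixes. $iptables is used, as in the
# other hook files on this page, so that the executable configured for uruk
# is the one that gets invoked.
$iptables -A INPUT -m state --state NEW -i eth0 \
  --protocol udp --destination-port bootps -j ACCEPT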
. This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in its regular rc.)

allowing non-matching returntraffic
In rc there is:

rc_d=$etcdir/dns
while the file dns reads
# Hook file "dns": accept UDP packets on eth0 that come from one of the
# listed source addresses with source port "domain" and are addressed to
# $ip_eth0 on destination port 30000 or higher.
# The rule matches on addresses and ports only, not on connection state,
# so the source list is the only thing narrowing it.
for source in 10.5.0.27 10.56.0.40
do
  # $iptables is left unquoted; presumably so that a value such as
  # 'echo iptables' still splits into a command and its argument
  $iptables -A INPUT -i eth0 --protocol udp \
    --source "$source" --source-port domain \
    --destination "$ip_eth0" \
    --destination-port 30000: -j ACCEPT
done
This allows one to allow (return)traffic, disregarding the state. (Uruk has no support for this in its regular rc.)

allowing NAT
In rc there is:

rc_a=${etcdir}/nat
while the file nat reads
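# Hook file "nat": source-NAT everything leaving through eth0 to the
# address held in $ip_eth0.
# The address is quoted, as in the "dns" hook, so that an empty or
# multi-word value reaches iptables as one argument and is rejected there
# instead of shifting the remaining options.
$iptables -t nat -A POSTROUTING \
  --out-interface eth0 -j SNAT \
  --to-source "$ip_eth0"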
This allows Network Address Translation. However, beware! Like all extensive use of hooks, this will break the uruk-save script. If you make sure your active iptables rules are wiped, and invoke uruk manually to load new rules, you're safe. Using the init script with its default settings is safe too.

allowing IPv6 tunneling
In rc there is:

rc_b=${etcdir}/proto_41
while the file proto_41 reads
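# Hook file "proto_41": accept IP protocol 41 packets arriving on ppp0 for
# the address held in $ip_ppp0.
# The address is quoted, as in the "dns" hook, so that an empty value
# cannot make "-j" be taken as the destination argument.
$iptables -A INPUT -i ppp0 --protocol 41 --destination "$ip_ppp0" -j ACCEPT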
This allows IP protocol 41, typically used for this kind of tunneling.

allowing any traffic on an interface
In rc there is:

interfaces_unprotect="lo eth2"
This allows any traffic on eth2 (and on lo, the default), including any ICMP packets and packets from any source address.

using multiple hooks at one entry point in the main uruk process
In case rc_a, rc_b, ... , or rc_i does not have a file as its value, but a directory, all files matching "$rc_x"/*.rc will get sourced. This helps configuration management in complex situations involving lots of uruk configuration files for lots of hosts.

See the section "THE GORY DETAILS: uruk INTERNALS" in uruk(8) (or the uruk source) to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use.

NETWORK INTERFACES WITH MULTIPLE IP ADDRESSES

Uruk supports situations where a network interface has more than one IP address attached. Variables ips_nic and bcasts_nic are used for this.

If ips_nic is set, e.g. like

ips_eth0="ip0 ip1 ip2"
we assume multiple (three in this example) IPs are assigned to eth0. If this variable is not set only one IP is supported on eth0.

In multiple-IP mode, IP addresses are listed as e.g.

ip_eth0_ip0="137.56.247.16"
(If you're used to the Linux ifconfig(8) output, you could use the name ip for eth0, and ip0 for eth0:0.) The ports, services and sources variables look like e.g.
services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnet
and, similarly,
net_eth0_ip1=192.168.0.0/16
Furthermore, for dropping broadcast packets, specify e.g.
bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10.0.0.255" bcast_eth0_ip2="10.0.255.255"

As an additional feature, if you have multiple IP addresses that all need to get the same rules, you can assign them to a single name:
ip_eth0_ip0="137.56.247.16 137.56.247.17 137.56.247.18"

LOGGING AND DEBUGGING

Uruk has support for logging network packets, and for debugging the uruk script.

Logging
By default, uruk logs denied packets. This is adjustable using the loglevel variable. The settings are:

"zero": be silent; do not log any packet. rc file features loglevel=10.
"low": log denied packets, which are targeted at one of our IPs. rc file features loglevel=30.
"medium": log denied non-broadcast packets. This is the default: loglevel is unset or rc file features loglevel=50.
"fascist": log all packets. rc file features loglevel=90.

Debugging
To debug the uruk script, invoke uruk as

sh -x /sbin/uruk
This shows what is done, while executing it. (Like an uruk '-v' option.)

If you'd rather not execute anything, but just watch what would have been done, invoke uruk as

URUK_IPTABLES='echo iptables' URUK_IP6TABLES='echo ip6tables' uruk
(Like an uruk '-n' option.) If you have these variables set, you can run uruk under a non-privileged user account.

If you'd like to test a new rc file before installing it, run something like:

URUK_CONFIG=/path/to/new/uruk/rc/file uruk

Of course, all these tweaks can be combined.

VARIABLES

The uruk script honors the following variables in rc files:
"version" Uruk version compatibility of this rc file
"loglevel"
"iptables" Full pathname of iptables executable.
"ip6tables" Full pathname of ip6tables executable.
"interfaces" List of network interfaces.
More variables are available. For now, you'll have to take a look at the example rc file in /usr/share/doc/uruk/examples/rc for more details.

ENVIRONMENT VARIABLES

See uruk(8) for a list of honored environment variables.

FILES

/etc/uruk/rc

SEE ALSO

A well-commented example rc file is in /usr/share/doc/uruk/examples/rc. And see uruk(8), uruk-save(8).

COPYRIGHT

Copyright (C) 2005, 2007, 2008, 2010, 2011, 2012, 2013 Joost van Baal-Ilić <joostvb-uruk@mdcc.cx>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

AUTHOR

Joost van Baal-Ilić <joostvb-uruk@mdcc.cx> uruk-20160219/man/uruk-rc.ps0000644000175000017500000006215312535264244012414 00000000000000%!PS-Adobe-3.0 %%Creator: groff version 1.22.3 %%CreationDate: Mon Jun 8 12:04:20 2015 %%DocumentNeededResources: font Times-Roman %%+ font Times-Bold %%+ font Courier %%+ font Times-Italic %%DocumentSuppliedResources: procset grops 1.22 3 %%Pages: 6 %%PageOrder: Ascend %%DocumentMedia: Default 595 842 0 () () %%Orientation: Portrait %%EndComments %%BeginDefaults %%PageMedia: Default %%EndDefaults %%BeginProlog %%BeginResource: procset grops 1.22 3 %!PS-Adobe-3.0 Resource-ProcSet /setpacking where{ pop currentpacking true setpacking }if /grops 120 dict dup begin /SC 32 def /A/show load def /B{0 SC 3 -1 roll widthshow}bind def /C{0 exch ashow}bind def /D{0 exch 0 SC 5 2 roll awidthshow}bind def /E{0 rmoveto show}bind def /F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def /G{0 rmoveto 0 exch ashow}bind def /H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /I{0 exch rmoveto show}bind def /J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def /K{0 exch rmoveto 0 exch ashow}bind def /L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /M{rmoveto show}bind def /N{rmoveto 0 SC 3 -1 roll widthshow}bind def /O{rmoveto 0 exch ashow}bind def /P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /Q{moveto show}bind def /R{moveto 0 SC 3 -1 roll widthshow}bind def /S{moveto 0 exch ashow}bind def /T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def /SF{ findfont exch [exch dup 0 exch 0 exch neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /MF{ findfont [5 2 roll 0 3 1 roll neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /level0 0 def /RES 0 def /PL 0 def /LS 0 def /MANUAL{ statusdict begin/manualfeed true store end }bind def /PLG{ gsave newpath clippath pathbbox grestore exch pop add exch pop }bind def /BP{ /level0 save def 1 setlinecap 1 setlinejoin DEFS/BPhook known{DEFS begin BPhook end}if 72 RES div 
dup scale LS{ 90 rotate }{ 0 PL translate }ifelse 1 -1 scale }bind def /EP{ level0 restore showpage }def /DA{ newpath arcn stroke }bind def /SN{ transform .25 sub exch .25 sub exch round .25 add exch round .25 add exch itransform }bind def /DL{ SN moveto SN lineto stroke }bind def /DC{ newpath 0 360 arc closepath }bind def /TM matrix def /DE{ TM currentmatrix pop translate scale newpath 0 0 .5 0 360 arc closepath TM setmatrix }bind def /RC/rcurveto load def /RL/rlineto load def /ST/stroke load def /MT/moveto load def /CL/closepath load def /Fr{ setrgbcolor fill }bind def /setcmykcolor where{ pop /Fk{ setcmykcolor fill }bind def }if /Fg{ setgray fill }bind def /FL/fill load def /LW/setlinewidth load def /Cr/setrgbcolor load def /setcmykcolor where{ pop /Ck/setcmykcolor load def }if /Cg/setgray load def /RE{ findfont dup maxlength 1 index/FontName known not{1 add}if dict begin { 1 index/FID ne 2 index/UniqueID ne and {def}{pop pop}ifelse }forall /Encoding exch def dup/FontName exch def currentdict end definefont pop }bind def /DEFS 0 def /EBEGIN{ moveto DEFS begin }bind def /EEND/end load def /CNT 0 def /level1 0 def /PBEGIN{ /level1 save def translate div 3 1 roll div exch scale neg exch neg exch translate 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit []0 setdash /setstrokeadjust where{ pop false setstrokeadjust }if /setoverprint where{ pop false setoverprint }if newpath /CNT countdictstack def userdict begin /showpage{}def /setpagedevice{}def mark }bind def /PEND{ cleartomark countdictstack CNT sub{end}repeat level1 restore }bind def end def /setpacking where{ pop setpacking }if %%EndResource %%EndProlog %%BeginSetup %%BeginFeature: *PageSize Default << /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice %%EndFeature %%IncludeResource: font Times-Roman %%IncludeResource: font Times-Bold %%IncludeResource: font Courier %%IncludeResource: font Times-Italic grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 def/PL 841.89 
def/LS false def/ENC0[/asciicircum/asciitilde/Scaron /Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent /ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen /period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon /semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O /P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex /underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y /z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft /guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl /endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut /dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash /quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen /brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft /logicalnot/minus/registered/macron/degree/plusminus/twosuperior /threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior /ordmasculine/guilsinglright/onequarter/onehalf/threequarters /questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE /Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex /Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis /multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn /germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla /egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis /eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash /ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def /Times-Italic@0 ENC0/Times-Italic RE/Courier@0 ENC0/Courier RE /Times-Bold@0 ENC0/Times-Bold RE/Times-Roman@0 ENC0/Times-Roman RE %%EndSetup %%Page: 
1 1 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F/F1 10.95/Times-Bold@0 SF -.219(NA)20 84 S(ME).219 E F0 (uruk-rc \255 uruk resource \214le, de\214ning access polic)100 96 Q(y) -.15 E F1(SYNOPSIS)20 112.8 Q/F2 10/Courier@0 SF(/etc/uruk/rc)100 124.8 Q F1(DESCRIPTION)20 141.6 Q/F3 10/Times-Italic@0 SF -.37(rc)100 153.6 S F0(is a shell script snippet, sourced in)2.87 E/F4 10/Times-Bold@0 SF (uruk)2.5 E F0(by /bin/sh.)2.5 E F3 -.37(rc)100 177.6 S F0 (lists IP addresses, allo)2.87 E(wed to use services.)-.25 E F1 (EXAMPLES)20 194.4 Q F4(default)100 206.4 Q F0 1.51(The simplest v)100 218.4 R(alid)-.25 E F3 -.37(rc)4.01 G F0 1.51 (\214le is the empty \214le. This)4.38 F F3 -.37(rc)4.009 G F0 1.509 (\214le blocks all TCP and UDP connection)4.379 F (attempts to services on our host: this is the def)100 230.4 Q (ault beha)-.1 E(viour.)-.2 E F4(simplest)100 254.4 Q F0(The simplest) 100 266.4 Q F3 -.37(rc)2.5 G F0(\214le which does allo)2.87 E 2.5(wt) -.25 G(raf)-2.5 E(\214c to our services looks lik)-.25 E 2.5(ee)-.1 G (.g.:)-2.5 E F2(interfaces=eth0)106 290.4 Q(ips_eth0=default)106 314.4 Q (ip_eth0_default=192.168.26.27)106 326.4 Q (net_eth0_default=192.168.0.0/16)106 338.4 Q (ip6_eth0_default=2001:db8::1/64)106 362.4 Q (net6_eth0_default=2001:db8::/32)106 374.4 Q (services_eth0_default_tcp=local)106 398.4 Q (ports_eth0_default_tcp_local="0:65535")106 410.4 Q (sources_eth0_default_tcp_local="0.0.0.0/0 ::/0")106 422.4 Q (services_eth0_default_udp=local)106 446.4 Q (ports_eth0_default_udp_local="0:65535")106 458.4 Q (sources_eth0_default_udp_local="0.0.0.0/0")106 470.4 Q F0(This)100 494.4 Q F3 -.37(rc)3.267 G F0 .767(\214le allo)3.637 F .768 (ws all IPv4 and IPv6 UDP and TCP traf)-.25 F .768 (\214c from publicly routable IPs to eth0')-.25 F(s)-.55 E(IP.)100 506.4 Q F4 -.18(re)100 530.4 S(alistic).18 E F0 .339(If you')100 542.4 R 2.839 (dl)-.5 G(ik)-2.839 E 2.839(et)-.1 G 2.839(ob)-2.839 
G .339(lock traf) -2.839 F .338(\214c on wlan0 and allo)-.25 F 2.838(wt)-.25 G(raf)-2.838 E .338(\214c to ssh on your wired interf)-.25 F .338(ace, and don')-.1 F (t)-.18 E(lik)100 554.4 Q 2.5(et)-.1 G 2.5(oe)-2.5 G (xplicitly set your IPs in)-2.65 E F3 -.37(rc)2.5 G F0(:).37 E (uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(1)207.055 E 0 Cg EP %%Page: 2 2 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F/F1 10/Courier@0 SF 6(#l)106 84 S (ist of interfaces you'd like uruk to protect)-6 E (interfaces=eth0 wlan0)106 96 Q 6(#s)106 120 S (et variables ip{,6}_eth0_default and net{,6}_eth0_default)-6 E 6(./)106 132 S(lib/uruk/init/autodetect-ips)-6 E 6(#n)106 156 S (ames for eth0's 2 IPv4 addresses)-6 E(ips_eth0="default dhcp")106 168 Q 6(#a)106 192 S (llow access to our sshd on eth0's primary IP on tcp port 443)-6 E 6(#f) 106 204 S(rom anywhere)-6 E(services_eth0_default_tcp=ssh)106 216 Q (ports_eth0_default_tcp_ssh=443)106 228 Q (sources_eth0_default_tcp_ssh="0.0.0.0/0 ::/0")106 240 Q 6(#w)106 264 S 6(eg)-6 G(et a static IPv4 via dhcp)-6 E(ip_eth0_dhcp=10.0.0.3)106 276 Q (net_eth0_dhcp=10./8)106 288 Q(services_eth0_dhcp_tcp=http)106 312 Q (ports_eth0_dhcp_tcp_http=http)106 324 Q (sources_eth0_dhcp_tcp_http=$net_eth0_dhcp)106 336 Q 6(#w)106 360 S 6 (el)-6 G(eave services_wlan0_default_{tcp,udp} unset: don't allow any)-6 E 6(#i)106 372 S(ncoming connections on wlan0's default IP)-6 E/F2 10 /Times-Bold@0 SF(autodetect-ips)100 396 Q F0 1.075 (The script autodetect-ips --as used in the pre)100 408 R 1.075(vious e) -.25 F 1.075(xample-- looks for \214les /etc/syscon\214g/net-)-.15 F -.1 (wo)100 420 S 3.141(rk-scripts/ifcfg-* \(commonly found at e.g. Red Hat\ and Fedora systems\) and /etc/net-).1 F -.1(wo)100 432 S(rk/interf).1 E .912(aces \(as found at e.g. 
Debian and Ub)-.1 F .912 (untu systems\), and, for each interf)-.2 F(ace)-.1 E/F3 10 /Times-Italic@0 SF(nic)3.413 E F0 3.413(,a)C(nd)-3.413 E 5.796 (each found IPv4 and IPv6 address and netw)100 444 R 5.796(ork, sets v) -.1 F(ariables)-.25 E F1(ip_)8.296 E F3(nic)A F1(_default)A F0(,)A F1 (ip6_)100 456 Q F3(nic)A F1(_default)A F0(,)A F1(net_)3.508 E F3(nic)A F1(_default)A F0(and)3.509 E F1(net6_)3.509 E F3(nic)A F1(_default)A F0 3.509(.T)3.509 G 1.009(hen it calls ip\(8\) and)-3.509 F .679(adds an) 100 468 R 3.179(yo)-.15 G .679(ther found)-3.179 F F3(nic)3.179 E F0(,)A F1(ip)3.179 E F0(and)3.179 E F1(net)3.179 E F0 .679 (triplets \(for IPv4 and, for IPv6, only addresses in scope)3.179 F ("global"\).)100 480 Q(The script autodetect-ips is useful if you')100 504 Q 2.5(dl)-.5 G(ik)-2.5 E 2.5(et)-.1 G 2.5(os)-2.5 G(hare your)-2.5 E F3 -.37(rc)2.5 G F0(\214le among dif)2.87 E(ferent hosts.)-.25 E F2 (another example)100 528 Q F0 -.15(Fo)100 540 S 6.65(ra).15 G 6.65(ne) -6.65 G -.15(ve)-6.9 G 6.65(nm).15 G 4.15(ore reasonable)-6.65 F F3 -.37 (rc)6.651 G F0 4.151(\214le, look at the well-commented e)7.021 F (xample)-.15 E F3 -.37(rc)6.651 G F0 4.151(\214le in)7.021 F F1 (/usr/share/doc/uruk/examples/rc)100 552 Q F0(.)A/F4 10.95/Times-Bold@0 SF(IPv4 AND IPv6)20 568.8 Q F0 -1.1(Yo)100 580.8 S 2.5(uc)1.1 G (an mix IPv4 and IPv6-addresses in sources_*. 
E.g.:)-2.5 E (uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(2)207.055 E 0 Cg EP %%Page: 3 3 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F/F1 10/Courier@0 SF (ips_eth0='default private')106 84 Q(ip_eth0_default=1.2.3.4)106 96 Q (ip6_eth0_default=)106 108 Q(services_eth0_default_tcp='mail local')106 132 Q (sources_eth0_default_tcp_mail='10.0.0.0/24 192.0.32.0/24 192.168.6.26') 106 156 Q(sources_eth0_default_tcp_local='192.0.32.0/24 svejk.example.c\ om 2001:db8::/32')106 168 Q(ports_eth0_default_tcp_mail=smtp)106 192 Q (ports_eth0_default_tcp_local='ssh ftp')106 204 Q F0 .116(If sv)100 228 R(ejk.e)-.15 E .116(xample.com has both an IPv4 PTR record in DNS, as w\ ell as an IPv6 PTR record, con-)-.15 F(nection attempts from sv)100 240 Q(ejk to the ssh and ftp TCP ports are allo)-.15 E (wed, via both IPv4 and IPv6.)-.25 E 1.437(Uruk used to require v)100 264 R 1.437(ariables sources6_* to be set to support ip6tables.)-.25 F 1.438(Since uruk v)6.437 F(ersion)-.15 E .302(20140319 \(The Alf)100 276 R .301(ama Release\), this is no longer needed; setting sources_* suf) -.1 F .301(\214ces. T)-.25 F 2.801(ob)-.8 G 2.801(ep)-2.801 G(re-)-2.801 E 1.519(cise, the semantics since uruk v)100 288 R 1.519 (ersion 20140319 is: 1\) If both sources_* and sources6_* are)-.15 F .402(de\214ned \(e)100 300 R -.15(ve)-.25 G 2.902(ni).15 G 2.902(ft) -2.902 G(he)-2.902 E(y')-.15 E .401 (re just empty\), each is used for its respecti)-.5 F .701 -.15(ve a) -.25 H .401(ddress f).15 F .401(amily. \(This ensures)-.1 F(backw)100 312 Q .025(ards compatibility.\) 2\) If sources6_* is unde\214ned, sour\ ces_* is used for both v4 and v6. 3\))-.1 F (In either case, v4 literals in v6 conte)100 324 Q (xt and v6 literals in v4 conte)-.15 E(xt are silently \(!\) ignored.) 
-.15 E/F2 10.95/Times-Bold@0 SF(HOOKS)20 340.8 Q F0 1.643(Uruk of)100 352.8 R 1.643(fers hooks for inserting your o)-.25 F 1.642 (wn code between iptables in)-.25 F -.2(vo)-.4 G 4.142 (cations. Examples).2 F(will)4.142 E(sho)100 364.8 Q 2.5(wt)-.25 G (he usefulness of these hooks.)-2.5 E/F3 10/Times-Bold@0 SF(allo)100 388.8 Q(wing br)-.1 E(oadcasts)-.18 E F0(In)100 400.8 Q/F4 10 /Times-Italic@0 SF -.37(rc)2.5 G F0 2.5(,t).37 G(here is:)-2.5 E F1 (rc_b=$etcdir/bootp)106 424.8 Q F0(while the \214le)100 448.8 Q F1 (bootp)2.5 E F0(reads)2.5 E F1 (iptables \255A INPUT \255m state \255\255state NEW \255i eth0 \\)106 472.8 Q (\255\255protocol udp \255\255destination-port bootps \255j ACCEPT)118 484.8 Q F0 5.618(.T)100 508.8 S .618 (his enables one to add rules for pack)-5.618 F .619 (ets with broadcast addresses in their destination. \(Uruk)-.1 F (has no support for this in its re)100 520.8 Q(gular)-.15 E F4 -.37(rc) 2.5 G F0(.\)).37 E F3(allo)100 544.8 Q(wing non-matching r)-.1 E(etur) -.18 E(ntraf\214c)-.15 E F0(In)100 556.8 Q F4 -.37(rc)2.5 G F0 (there is:)2.87 E F1(rc_d=$etcdir/dns)106 580.8 Q F0(while the \214le) 100 604.8 Q F1(dns)2.5 E F0(reads)2.5 E F1 (for source in 10.5.0.27 10.56.0.40)112 628.8 Q(do)112 640.8 Q ($iptables -A INPUT -i eth0 --protocol udp \\)124 652.8 Q (--source "$source" --source-port domain \\)136 664.8 Q (--destination "$ip_eth0" \\)136 676.8 Q (--destination-port 30000: -j ACCEPT)136 688.8 Q(done)112 700.8 Q F0 .007(This allo)100 724.8 R .007(ws one to allo)-.25 F 2.507(w\()-.25 G (return\)traf)-2.507 E .007(\214c, disre)-.25 F -.05(ga)-.15 G .007 (rding the state. 
\(Uruk has no support for this in its).05 F (uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(3)207.055 E 0 Cg EP %%Page: 4 4 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F(re)100 84 Q(gular)-.15 E/F1 10 /Times-Italic@0 SF -.37(rc)2.5 G F0(.\)).37 E/F2 10/Times-Bold@0 SF (allo)100 108 Q(wing N)-.1 E -.95(AT)-.2 G F0(In)100 120 Q F1 -.37(rc) 2.5 G F0(there is:)2.87 E/F3 10/Courier@0 SF(rc_a=${etcdir}/nat)106 144 Q F0(while the \214le)100 168 Q F3(nat)2.5 E F0(reads)2.5 E F3 ($iptables -t nat -A POSTROUTING \\)112 192 Q (--out-interface eth0 -j SNAT \\)124 204 Q(--to-source $ip_eth0)124 216 Q F0 1.295(This allo)100 240 R 1.295(ws Netw)-.25 F 1.296(ork Address T) -.1 F 1.296(ranslation. Ho)-.35 F(we)-.25 E -.15(ve)-.25 G 2.096 -.4 (r, b).15 H -2.1 -.25(ew a).4 H 1.296(re! Lik).25 F 3.796(ea)-.1 G 1.296 (ll e)-3.796 F(xtensi)-.15 E 1.596 -.15(ve u)-.25 H 1.296(se of hooks,) .15 F .662(this will break the)100 252 R F2(uruk-sa)3.162 E -.1(ve)-.25 G F0 .661(script. If you mak)3.261 F 3.161(es)-.1 G .661(ure your acti) -3.161 F .961 -.15(ve i)-.25 H .661(ptables rules are wiped, and).15 F (in)100 264 Q -.2(vo)-.4 G -.1(ke).2 G F2(uruk)3.511 E F0 .911 (manually to load ne)3.411 F 3.411(wr)-.25 G .911(ules, you')-3.411 F .911(re safe. 
Using the init script with its def)-.5 F .912(ault set-) -.1 F(tings is safe too.)100 276 Q F2(allo)100 300 Q (wing IPv6 tunneling)-.1 E F0(In)100 312 Q F1 -.37(rc)2.5 G F0 (there is:)2.87 E F3(rc_b=${etcdir}/proto_41)106 336 Q F0 (while the \214le)100 360 Q F3(proto_41)2.5 E F0(reads)2.5 E F3($iptabl\ es -A INPUT -i ppp0 --protocol 41 --destination $ip_ppp0 -j ACCEPT)106 384 Q F0(This allo)100 408 Q (ws IP protocol 41, typically used for this kind of tunneling.)-.25 E F2 (allo)100 432 Q(wing any traf\214c on an interface)-.1 E F0(In)100 444 Q F1 -.37(rc)2.5 G F0(there is:)2.87 E F3(interfaces_unprotect="lo eth2") 106 468 Q F0 .087(This allo)100 492 R .087(ws an)-.25 F 2.587(yt)-.15 G (raf)-2.587 E .087(\214c on)-.25 F F3(eth2)2.587 E F0 .087(\(and on) 2.587 F F3(lo)2.587 E F0 2.587(,t)C .087(he def)-2.587 F .087 (ault\), including an)-.1 F 2.587(yI)-.15 G .087(CMP pack)-2.587 F .086 (ets and pack-)-.1 F(ets from an)100 504 Q 2.5(ys)-.15 G(ource address.) -2.5 E F2(using multiple hooks at one entry point in the main uruk pr) 100 528 Q(ocess)-.18 E F0 .414 (In case rc_a, rc_b, ... , or rc_i does not ha)100 540 R .714 -.15 (ve a \214)-.2 H .414(le as its v).15 F .414(alue, b)-.25 F .414 (ut a directory)-.2 F 2.914(,a)-.65 G .414(ll \214les matching)-2.914 F 2.891("$rc_x"/*.rc will get sourced. This helps con\214guration managem\ ent in comple)100 552 R 5.391(xs)-.15 G(ituations)-5.391 E(in)100 564 Q -.2(vo)-.4 G (lving lots of uruk con\214guration \214les for lots of hosts.).2 E .208 (See the section "THE GOR)100 588 R 2.708(YD)-.65 G(ET)-2.708 E .208 (AILS: uruk INTERN)-.93 F .209(ALS" in)-.35 F F2(uruk\(8\))2.709 E F0 .209(\(or the)2.709 F F2(uruk)2.709 E F0 .209(source\) to)2.709 F(\214n\ d out which hook \(there are hooks rc_a, rc_b, ... 
, rc_i\) to use.)100 600 Q/F4 10.95/Times-Bold@0 SF(NETW)20 616.8 Q(ORK INTERF)-.11 E -.602 (AC)-.986 G(ES WITH MUL).602 E(TIPLE IP ADDRESSES)-1.007 E F0 .255 (Uruk supports situations where a netw)100 628.8 R .255(ork interf)-.1 F .255(ace has more than one IP address attached. V)-.1 F(ari-)-1.11 E (ables)100 640.8 Q F3(ips_)2.5 E F1(nic)A F0(and)2.5 E F3(bcasts_)2.5 E F1(nic)A F0(are used for this.)2.5 E(If)100 664.8 Q F3(ips_)2.5 E F1 (nic)A F0(is set, e.g. lik)2.5 E(e)-.1 E F3(ips_eth0="ip0 ip1 ip2")106 688.8 Q F0 .653(we assume multiple \(three in this e)100 712.8 R .653 (xample\) IPs are assigned to)-.15 F F3(eth0)3.154 E F0 3.154(.I)C 3.154 (ft)-3.154 G .654(his v)-3.154 F .654(ariable is not set)-.25 F (only one IP is supported on)100 724.8 Q F3(eth0)2.5 E F0(.)A (uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(4)207.055 E 0 Cg EP %%Page: 5 5 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F (In multiple-IP mode, IP addresses are listed as e.g.)100 84 Q/F1 10 /Courier@0 SF(ip_eth0_ip0="137.56.247.16")106 108 Q F0 .579(\(If you') 100 132 R .578 (re used to the Linux ifcon\214g\(8\) output, you could use the name)-.5 F F1(ip)3.078 E F0(for)3.078 E F1(eth0)3.078 E F0 3.078(,a)C(nd)-3.078 E F1(ip0)3.078 E F0(for)100 144 Q F1(eth0:0)2.5 E F0 2.5(.\) The)B/F2 10 /Times-Italic@0 SF(ports)2.5 E F0(,)A F2(services)2.5 E F0(and)2.5 E F2 (sour)2.5 E(ces)-.37 E F0 -.25(va)2.5 G(riables look lik).25 E 2.5(ee) -.1 G(.g.)-2.5 E F1(services_eth0_ip2_tcp=local)106 168 Q (ports_eth0_ip2_tcp_local=smtp)106 180 Q (sources_eth0_ip2_tcp_local=$localnet)106 192 Q F0(and, similarly)100 216 Q(,)-.65 E F1(net_eth0_ip1=192.168.0.0/16)106 240 Q F0 (Furthermore, for dropping broadcast pack)100 264 Q(ets, specify e.g.) 
-.1 E F1(bcasts_eth0="ip0 ip2")106 288 Q 6(#y)30 G (es, possibly a subset of ips_eth0)-6 E(bcast_eth0_ip0="10.0.0.255")106 300 Q(bcast_eth0_ip2="10.0.255.255")106 312 Q F0 .936 (As an additional feature, if you ha)100 336 R 1.236 -.15(ve m)-.2 H .936(ultiple IP addresses that all need to get the same rules,).15 F (you can assign them to a single name:)100 348 Q F1 (ip_eth0_ip0="137.56.247.16 137.56.247.17 137.56.247.18")106 372 Q/F3 10.95/Times-Bold@0 SF(LOGGING AND DEB)20 400.8 Q(UGGING)-.11 E F0 (Uruk has support for logging netw)100 412.8 Q(ork pack)-.1 E (ets, and for deb)-.1 E(ugging the uruk script.)-.2 E/F4 10/Times-Bold@0 SF(Logging)100 436.8 Q F0 .446(By def)100 448.8 R .446 (ault, uruk logs denied pack)-.1 F .446 (ets. This is adjustable using the)-.1 F F2(lo)2.945 E(gle)-.1 E(vel) -.15 E F0 -.25(va)2.945 G .445(riable. The settings).25 F(are:)100 460.8 Q<83>100 484.8 Q("zero": be silent; do not log an)120 496.8 Q 2.5(yp) -.15 G(ack)-2.5 E(et.)-.1 E F2 -.37(rc)2.5 G F0(\214le features)2.87 E F1(loglevel=10)2.5 E F0(.)A<83>100 508.8 Q("lo)120 520.8 Q 3.807 (w": log denied pack)-.25 F 3.808(ets, which are tar)-.1 F 3.808 (geted at one of our IPs.)-.18 F F2 -.37(rc)8.808 G F0 3.808 (\214le features)6.678 F F1(loglevel=30)120 532.8 Q F0(.)A<83>100 544.8 Q .388("medium": log denied non-broadcast pack)120 556.8 R .387 (ets. This is the def)-.1 F(ault:)-.1 E F2(lo)2.887 E(gle)-.1 E(vel)-.15 E F0 .387(is unset or)2.887 F F2 -.37(rc)2.887 G F0(\214le)3.257 E (features)120 568.8 Q F1(loglevel=50)2.5 E F0(.)A<83>100 580.8 Q("f)120 592.8 Q(ascist": log all pack)-.1 E(ets.)-.1 E F2 -.37(rc)2.5 G F0 (\214le features)2.87 E F1(loglevel=90)2.5 E F0(.)A F4(Deb)100 616.8 Q (ugging)-.2 E F0 1.6 -.8(To d)100 628.8 T(eb).8 E(ug the)-.2 E F4(uruk) 2.5 E F0(script, in)2.5 E -.2(vo)-.4 G .2 -.1(ke u).2 H(ruk as).1 E F1 (sh -x /sbin/uruk)106 652.8 Q F0(this sho)100 676.8 Q (ws what is done, along with e)-.25 E -.15(xe)-.15 G(cuting it. 
\(Lik) .15 E 2.5(ea)-.1 G 2.5(nu)-2.5 G(ruk '-v' option.\))-2.5 E(If you')100 700.8 Q 2.5(dr)-.5 G(ather prefer not to e)-2.5 E -.15(xe)-.15 G (cute, b).15 E(ut just w)-.2 E(atch what w)-.1 E(ould')-.1 E .3 -.15 (ve b)-.5 H(een done, in).15 E -.2(vo)-.4 G .2 -.1(ke u).2 H(ruk as).1 E (uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(5)207.055 E 0 Cg EP %%Page: 6 6 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 154.295(uruk-rc\(5\) FILE)20 48 R(FORMA)2.5 E 156.795(TS uruk-rc\(5\))-1.11 F/F1 10/Courier@0 SF (URUK_IPTABLES='echo iptables' URUK_IP6TABLES='echo ip6tables' uruk)106 84 Q F0(\(Lik)100 108 Q 3.391(ea)-.1 G 3.391(nu)-3.391 G .891 (ruk '-n' option.\) If you ha)-3.391 F 1.191 -.15(ve t)-.2 H .891 (his statement set, you can run).15 F/F2 10/Times-Bold@0 SF(uruk)3.391 E F0 .892(under a non-pri)3.392 F(v-)-.25 E(iliged user account.)100 120 Q (If you')100 144 Q 2.5(dl)-.5 G(ik)-2.5 E 2.5(et)-.1 G 2.5(ot)-2.5 G (est a ne)-2.5 E(w)-.25 E/F3 10/Times-Italic@0 SF -.37(rc)2.5 G F0 (\214le before installing it, run something lik)2.87 E(e:)-.1 E F1 (URUK_CONFIG=/path/to/new/uruk/rc/file uruk)112 180 Q F0 (Of course, all these tweaks can be combined.)100 204 Q/F4 10.95 /Times-Bold@0 SF -1.478(VA)20 220.8 S(RIABLES)1.478 E F0 (The uruk script honors the follo)100 232.8 Q(wing v)-.25 E(ariables in) -.25 E F3 -.37(rc)2.5 G F0(\214les:)2.87 E<83>100 256.8 Q("v)120 268.8 Q (ersion" Uruk v)-.15 E(ersion compatibility of this)-.15 E F3 -.37(rc) 2.5 G F0(\214le)2.87 E<83>100 280.8 Q("logle)120 292.8 Q -.15(ve)-.25 G (l").15 E<83>100 304.8 Q("iptables" Full pathname of iptables e)120 316.8 Q -.15(xe)-.15 G(cutable.).15 E<83>100 328.8 Q ("ip6tables" Full pathname of ip6tables e)120 340.8 Q -.15(xe)-.15 G (cutable.).15 E<83>100 352.8 Q("interf)120 364.8 Q(aces" List of netw) -.1 E(ork interf)-.1 E(aces.)-.1 E 2.03(More v)100 376.8 R 2.03 (ariables are a)-.25 F -.25(va)-.2 G 2.03(ilable. 
F).25 F 2.03(or no) -.15 F 3.33 -.65(w, y)-.25 H(ou').65 E 2.03(ll ha)-.1 F 2.329 -.15(ve t) -.2 H 4.529(ot).15 G(ak)-4.529 E 4.529(eal)-.1 G 2.029(ook at the e) -4.529 F(xample)-.15 E F3 -.37(rc)4.529 G F0 2.029(\214le in)4.899 F F1 (/usr/share/doc/uruk/examples/rc)100 388.8 Q F0(for more details.)2.5 E F4(ENVIR)20 405.6 Q(ONMENT V)-.329 E(ARIABLES)-1.478 E F0(See)100 417.6 Q F2(uruk\(8\))2.5 E F0(for a list of honored en)2.5 E(vironment v)-.4 E (ariables.)-.25 E F4(FILES)20 434.4 Q F1(/etc/uruk/rc)100 446.4 Q F4 (SEE ALSO)20 463.2 Q F0 2.628(Aw)100 475.2 S .129(ell-commented e)-2.628 F(xample)-.15 E F3 -.37(rc)2.629 G F0 .129(\214le is in)2.999 F F1 (/usr/share/doc/uruk/examples/rc)2.629 E F0 5.129(.A)C .129(nd see) -5.129 F F2(uruk\(8\))100 487.2 Q F0(,)A F2(uruk-sa)2.5 E -.1(ve)-.25 G (\(8\)).1 E F0(.)A F4(COPYRIGHT)20 504 Q F0(Cop)100 516 Q 3.189 (yright \(C\) 2005, 2007, 2008, 2010, 2011, 2012, 2013 Joost v)-.1 F 3.189(an Baal-Ili\304 )100 528 Q 1.216 (This program is free softw)100 552 R 1.217(are: you can redistrib)-.1 F 1.217(ute it and/or modify it under the terms of the)-.2 F .466 (GNU General Public License as published by the Free Softw)100 564 R .466(are F)-.1 F .465(oundation, either v)-.15 F .465(ersion 3 of)-.15 F (the License, or \(at your option\) an)100 576 Q 2.5(yl)-.15 G(ater v) -2.5 E(ersion.)-.15 E 2.086(This program is distrib)100 600 R 2.087 (uted in the hope that it will be useful, b)-.2 F 2.087 (ut WITHOUT ANY W)-.2 F(AR-)-1.2 E(RANTY)100 612 Q 4.227(;w)-.92 G 1.727 (ithout e)-4.227 F -.15(ve)-.25 G 4.227(nt).15 G 1.727(he implied w) -4.227 F 1.726(arranty of MERCHANT)-.1 F 1.726(ABILITY or FITNESS FOR A) -.93 F -.92(PA)100 624 S -.6(RT).92 G (ICULAR PURPOSE. 
See the GNU General Public License for more details.).6 E -1.1(Yo)100 648 S 2.588(us)1.1 G .088(hould ha)-2.588 F .388 -.15 (ve r)-.2 H(ecei).15 E -.15(ve)-.25 G -5.087 2.588(da c).15 H(op)-2.588 E 2.589(yo)-.1 G 2.589(ft)-2.589 G .089 (he GNU General Public License along with this program. If)-2.589 F (not, see http://www.gnu.or)100 660 Q(g/licenses/.)-.18 E F4 -.548(AU)20 676.8 S(THOR).548 E F0(Joost v)100 688.8 Q (an Baal-Ili\304 )-.25 E(uruk-rc 20150608)20 768 Q 2.5(8J)140.125 G(un 2015)-2.5 E(6)207.055 E 0 Cg EP %%Trailer end %%EOF uruk-20160219/man/uruk-rc.txt0000644000175000017500000002640512535264244012611 00000000000000uruk-rc(5) FILE FORMATS uruk-rc(5) NAME uruk-rc - uruk resource file, defining access policy SYNOPSIS /etc/uruk/rc DESCRIPTION rc is a shell script snippet, sourced in uruk by /bin/sh. rc lists IP addresses, allowed to use services. EXAMPLES default The simplest valid rc file is the empty file. This rc file blocks all TCP and UDP connection attempts to services on our host: this is the default behaviour. simplest The simplest rc file which does allow traffic to our services looks like e.g.: interfaces=eth0 ips_eth0=default ip_eth0_default=192.168.26.27 net_eth0_default=192.168.0.0/16 ip6_eth0_default=2001:db8::1/64 net6_eth0_default=2001:db8::/32 services_eth0_default_tcp=local ports_eth0_default_tcp_local="0:65535" sources_eth0_default_tcp_local="0.0.0.0/0 ::/0" services_eth0_default_udp=local ports_eth0_default_udp_local="0:65535" sources_eth0_default_udp_local="0.0.0.0/0" This rc file allows all IPv4 and IPv6 UDP and TCP traffic from publicly routable IPs to eth0's IP. realistic If you'd like to block traffic on wlan0 and allow traffic to ssh on your wired interface, and don't like to explicitly set your IPs in rc: # list of interfaces you'd like uruk to protect interfaces=eth0 wlan0 # set variables ip{,6}_eth0_default and net{,6}_eth0_default . 
/lib/uruk/init/autodetect-ips # names for eth0's 2 IPv4 addresses ips_eth0="default dhcp" # allow access to our sshd on eth0's primary IP on tcp port 443 # from anywhere services_eth0_default_tcp=ssh ports_eth0_default_tcp_ssh=443 sources_eth0_default_tcp_ssh="0.0.0.0/0 ::/0" # we get a static IPv4 via dhcp ip_eth0_dhcp=10.0.0.3 net_eth0_dhcp=10./8 services_eth0_dhcp_tcp=http ports_eth0_dhcp_tcp_http=http sources_eth0_dhcp_tcp_http=$net_eth0_dhcp # we leave services_wlan0_default_{tcp,udp} unset: don't allow any # incoming connections on wlan0's default IP autodetect-ips The script autodetect-ips --as used in the previous example-- looks for files /etc/sysconfig/network-scripts/ifcfg-* (commonly found at e.g. Red Hat and Fedora systems) and /etc/network/interfaces (as found at e.g. Debian and Ubuntu systems), and, for each interface nic, and each found IPv4 and IPv6 address and network, sets variables ip_nic_default, ip6_nic_default, net_nic_default and net6_nic_default . Then it calls ip(8) and adds any other found nic, ip and net triplets (for IPv4 and, for IPv6, only addresses in scope "global"). The script autodetect-ips is useful if you'd like to share your rc file among different hosts. another example For an even more reasonable rc file, look at the well-commented example rc file in /usr/share/doc/uruk/examples/rc. IPv4 AND IPv6 You can mix IPv4 and IPv6-addresses in sources_*. E.g.: ips_eth0='default private' ip_eth0_default=1.2.3.4 ip6_eth0_default= services_eth0_default_tcp='mail local' sources_eth0_default_tcp_mail='10.0.0.0/24 192.0.32.0/24 192.168.6.26' sources_eth0_default_tcp_local='192.0.32.0/24 svejk.example.com 2001:db8::/32' ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local='ssh ftp' If svejk.example.com has both an IPv4 PTR record in DNS, as well as an IPv6 PTR record, connection attempts from svejk to the ssh and ftp TCP ports are allowed, via both IPv4 and IPv6. 
Uruk used to require variables sources6_* to be set to support ip6tables. Since uruk version 20140319 (The Alfama Release), this is no longer needed; setting sources_* suffices. To be precise, the semantics since uruk version 20140319 is: 1) If both sources_* and sources6_* are defined (even if they're just empty), each is used for its respective address family. (This ensures backwards compatibility.) 2) If sources6_* is undefined, sources_* is used for both v4 and v6. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently (!) ignored. HOOKS Uruk offers hooks for inserting your own code between iptables invoca- tions. Examples will show the usefulness of these hooks. allowing broadcasts In rc, there is: rc_b=$etcdir/bootp while the file bootp reads iptables -A INPUT -m state --state NEW -i eth0 \ --protocol udp --destination-port bootps -j ACCEPT . This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in its regular rc.) allowing non-matching returntraffic In rc there is: rc_d=$etcdir/dns while the file dns reads for source in 10.5.0.27 10.56.0.40 do $iptables -A INPUT -i eth0 --protocol udp \ --source "$source" --source-port domain \ --destination "$ip_eth0" \ --destination-port 30000: -j ACCEPT done This allows one to allow (return)traffic, disregarding the state. (Uruk has no support for this in its regular rc.) allowing NAT In rc there is: rc_a=${etcdir}/nat while the file nat reads $iptables -t nat -A POSTROUTING \ --out-interface eth0 -j SNAT \ --to-source $ip_eth0 This allows Network Address Translation. However, beware! Like all extensive use of hooks, this will break the uruk-save script. If you make sure your active iptables rules are wiped, and invoke uruk manually to load new rules, you're safe. Using the init script with its default settings is safe too. 
allowing IPv6 tunneling In rc there is: rc_b=${etcdir}/proto_41 while the file proto_41 reads $iptables -A INPUT -i ppp0 --protocol 41 --destination $ip_ppp0 -j ACCEPT This allows IP protocol 41, typically used for this kind of tunneling. allowing any traffic on an interface In rc there is: interfaces_unprotect="lo eth2" This allows any traffic on eth2 (and on lo, the default), including any ICMP packets and packets from any source address. using multiple hooks at one entry point in the main uruk process In case rc_a, rc_b, ... , or rc_i does not have a file as its value, but a directory, all files matching "$rc_x"/*.rc will get sourced. This helps configuration management in complex situations involving lots of uruk configuration files for lots of hosts. See the section "THE GORY DETAILS: uruk INTERNALS" in uruk(8) (or the uruk source) to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use. NETWORK INTERFACES WITH MULTIPLE IP ADDRESSES Uruk supports situations where a network interface has more than one IP address attached. Variables ips_nic and bcasts_nic are used for this. If ips_nic is set, e.g. like ips_eth0="ip0 ip1 ip2" we assume multiple (three in this example) IPs are assigned to eth0. If this variable is not set only one IP is supported on eth0. In multiple-IP mode, IP addresses are listed as e.g. ip_eth0_ip0="137.56.247.16" (If you're used to the Linux ifconfig(8) output, you could use the name ip for eth0, and ip0 for eth0:0.) The ports, services and sources vari- ables look like e.g. services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnet and, similarly, net_eth0_ip1=192.168.0.0/16 Furthermore, for dropping broadcast packets, specify e.g. 
bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10.0.0.255" bcast_eth0_ip2="10.0.255.255" As an additional feature, if you have multiple IP addresses that all need to get the same rules, you can assign them to a single name: ip_eth0_ip0="137.56.247.16 137.56.247.17 137.56.247.18" LOGGING AND DEBUGGING Uruk has support for logging network packets, and for debugging the uruk script. Logging By default, uruk logs denied packets. This is adjustable using the loglevel variable. The settings are: o "zero": be silent; do not log any packet. rc file features loglevel=10. o "low": log denied packets, which are targeted at one of our IPs. rc file features loglevel=30. o "medium": log denied non-broadcast packets. This is the default: loglevel is unset or rc file features loglevel=50. o "fascist": log all packets. rc file features loglevel=90. Debugging To debug the uruk script, invoke uruk as sh -x /sbin/uruk this shows what is done, along with executing it. (Like an uruk '-v' option.) If you'd rather prefer not to execute, but just watch what would've been done, invoke uruk as URUK_IPTABLES='echo iptables' URUK_IP6TABLES='echo ip6tables' uruk (Like an uruk '-n' option.) If you have this statement set, you can run uruk under a non-priviliged user account. If you'd like to test a new rc file before installing it, run something like: URUK_CONFIG=/path/to/new/uruk/rc/file uruk Of course, all these tweaks can be combined. VARIABLES The uruk script honors the following variables in rc files: o "version" Uruk version compatibility of this rc file o "loglevel" o "iptables" Full pathname of iptables executable. o "ip6tables" Full pathname of ip6tables executable. o "interfaces" List of network interfaces. More variables are available. For now, you'll have to take a look at the example rc file in /usr/share/doc/uruk/examples/rc for more details. ENVIRONMENT VARIABLES See uruk(8) for a list of honored environment variables. 
FILES /etc/uruk/rc SEE ALSO A well-commented example rc file is in /usr/share/doc/uruk/examples/rc. And see uruk(8), uruk-save(8). COPYRIGHT Copyright (C) 2005, 2007, 2008, 2010, 2011, 2012, 2013 Joost van Baal- Ili This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABIL- ITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. AUTHOR Joost van Baal-Ili uruk-rc 20150608 8 Jun 2015 uruk-rc(5) uruk-20160219/man/uruk-save.html0000644000175000017500000001603612201162772013260 00000000000000 uruk-save

9 авг 2013    uruk-save 20130809

NAME

uruk-save — save uruk rc configuration in iptables-save-style format

SYNOPSIS

uruk-save [-6]

OPTIONS

-6
Don't save iptables rules but save ip6tables rules, for IPv6 filtering.

DESCRIPTION

uruk-save saves the IPv4 rules (for all of the filter, raw, mangle and nat tables) in /etc/uruk/rc in iptables-save(5)-style format, without invoking iptables(8). If the -6 option is given, the IPv6 rules (if any) in /etc/uruk/rc are saved, in ip6tables-save(5)-style format. It prints output to stdout; suggested invocation therefore is
# uruk-save > /var/lib/uruk/iptables/active
or
# uruk-save -6 > /var/lib/uruk/ip6tables/active
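This script is useful if you don't like the default behaviour of the uruk init script, and would like it to load the current uruk rc file instead of the current active file. Note that with the redirections shown above the shell truncates the target file before uruk-save starts, so a failed run leaves the active file empty or incomplete; writing to a temporary file and renaming it once uruk-save has succeeded avoids that. Please note: generally you don't need to invoke this script manually; the script urukctl, which comes with uruk, is suitable for most cases and invokes uruk-save if needed.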

WARNING

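Just like uruk, the uruk-save script does very little error handling, in order to keep it small and simple. It does not check the contents of the rc file in any way before executing it. Because the rc file is run as shell code with the privileges of whoever invokes uruk-save, it and any hook files it refers to should be writable only by trusted administrators. When your rc file contains bogus stuff, uruk-save will very likely behave in unexpected ways. Caveat emptor.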

Things will likely break if you do very fancy stuff in an rc hook file. If your rc file is in verbose mode (i.e. it features set -x) or in no-act mode (i.e. it features a hardcoded iptables='echo iptables'), uruk-save fails.

SEE ALSO

uruk(8), uruk-rc(5).

COPYRIGHT

Copyright (C) 2005, 2007, 2010, 2011, 2012, 2013 Joost van Baal-Ilić <joostvb-uruk@mdcc.cx>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

AUTHOR

Joost van Baal-Ilić <joostvb-uruk@mdcc.cx> uruk-20160219/man/uruk-save.ps0000644000175000017500000002606412201162772012740 00000000000000%!PS-Adobe-3.0 %%Creator: groff version 1.21 %%CreationDate: Fri Aug 9 14:52:10 2013 %%DocumentNeededResources: font Times-Roman %%+ font Times-Bold %%+ font Courier %%+ font Times-Italic %%DocumentSuppliedResources: procset grops 1.21 0 %%Pages: 1 %%PageOrder: Ascend %%DocumentMedia: Default 595 842 0 () () %%Orientation: Portrait %%EndComments %%BeginDefaults %%PageMedia: Default %%EndDefaults %%BeginProlog %%BeginResource: procset grops 1.21 0 %!PS-Adobe-3.0 Resource-ProcSet /setpacking where{ pop currentpacking true setpacking }if /grops 120 dict dup begin /SC 32 def /A/show load def /B{0 SC 3 -1 roll widthshow}bind def /C{0 exch ashow}bind def /D{0 exch 0 SC 5 2 roll awidthshow}bind def /E{0 rmoveto show}bind def /F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def /G{0 rmoveto 0 exch ashow}bind def /H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /I{0 exch rmoveto show}bind def /J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def /K{0 exch rmoveto 0 exch ashow}bind def /L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /M{rmoveto show}bind def /N{rmoveto 0 SC 3 -1 roll widthshow}bind def /O{rmoveto 0 exch ashow}bind def /P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /Q{moveto show}bind def /R{moveto 0 SC 3 -1 roll widthshow}bind def /S{moveto 0 exch ashow}bind def /T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def /SF{ findfont exch [exch dup 0 exch 0 exch neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /MF{ findfont [5 2 roll 0 3 1 roll neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /level0 0 def /RES 0 def /PL 0 def /LS 0 def /MANUAL{ statusdict begin/manualfeed true store end }bind def /PLG{ gsave newpath clippath pathbbox grestore exch pop add exch pop }bind def /BP{ /level0 save def 1 setlinecap 1 setlinejoin DEFS/BPhook known{DEFS begin BPhook end}if 72 RES div 
dup scale LS{ 90 rotate }{ 0 PL translate }ifelse 1 -1 scale }bind def /EP{ level0 restore showpage }def /DA{ newpath arcn stroke }bind def /SN{ transform .25 sub exch .25 sub exch round .25 add exch round .25 add exch itransform }bind def /DL{ SN moveto SN lineto stroke }bind def /DC{ newpath 0 360 arc closepath }bind def /TM matrix def /DE{ TM currentmatrix pop translate scale newpath 0 0 .5 0 360 arc closepath TM setmatrix }bind def /RC/rcurveto load def /RL/rlineto load def /ST/stroke load def /MT/moveto load def /CL/closepath load def /Fr{ setrgbcolor fill }bind def /setcmykcolor where{ pop /Fk{ setcmykcolor fill }bind def }if /Fg{ setgray fill }bind def /FL/fill load def /LW/setlinewidth load def /Cr/setrgbcolor load def /setcmykcolor where{ pop /Ck/setcmykcolor load def }if /Cg/setgray load def /RE{ findfont dup maxlength 1 index/FontName known not{1 add}if dict begin { 1 index/FID ne 2 index/UniqueID ne and {def}{pop pop}ifelse }forall /Encoding exch def dup/FontName exch def currentdict end definefont pop }bind def /DEFS 0 def /EBEGIN{ moveto DEFS begin }bind def /EEND/end load def /CNT 0 def /level1 0 def /PBEGIN{ /level1 save def translate div 3 1 roll div exch scale neg exch neg exch translate 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit []0 setdash /setstrokeadjust where{ pop false setstrokeadjust }if /setoverprint where{ pop false setoverprint }if newpath /CNT countdictstack def userdict begin /showpage{}def /setpagedevice{}def mark }bind def /PEND{ cleartomark countdictstack CNT sub{end}repeat level1 restore }bind def end def /setpacking where{ pop setpacking }if %%EndResource %%EndProlog %%BeginSetup %%BeginFeature: *PageSize Default << /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice %%EndFeature %%IncludeResource: font Times-Roman %%IncludeResource: font Times-Bold %%IncludeResource: font Courier %%IncludeResource: font Times-Italic grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 def/PL 841.89 
def/LS false def/ENC0[/asciicircum/asciitilde/Scaron /Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent /ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen /period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon /semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O /P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex /underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y /z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft /guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl /endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut /dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash /quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen /brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft /logicalnot/minus/registered/macron/degree/plusminus/twosuperior /threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior /ordmasculine/guilsinglright/onequarter/onehalf/threequarters /questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE /Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex /Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis /multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn /germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla /egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis /eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash /ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def /Times-Italic@0 ENC0/Times-Italic RE/Courier@0 ENC0/Courier RE /Times-Bold@0 ENC0/Times-Bold RE/Times-Roman@0 ENC0/Times-Roman RE %%EndSetup %%Page: 
1 1 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF(uruk-sa)20 48 Q -.15(ve)-.2 G 115.765 (\(8\) SYSTEM).15 F(ADMINISTRA)2.5 E 118.265(TION uruk-sa)-1.11 F -.15 (ve)-.2 G(\(8\)).15 E/F1 10.95/Times-Bold@0 SF -.219(NA)20 84 S(ME).219 E F0(uruk-sa)100 96 Q .3 -.15(ve \255 s)-.2 H -2.25 -.2(av e).15 H (uruk rc con\214guration in iptables-sa)2.7 E -.15(ve)-.2 G (-style format).15 E F1(SYNOPSIS)20 112.8 Q/F2 10/Times-Bold@0 SF (uruk-sa)100 124.8 Q .2 -.1(ve [)-.25 H F0(-6).1 E F2(])A F1(OPTIONS)20 141.6 Q F0(-6)100 153.6 Q(Don')120 165.6 Q 2.5(ts)-.18 G -2.25 -.2(av e) -2.5 H(iptables rules b)2.7 E(ut sa)-.2 E .3 -.15(ve i)-.2 H (p6tables rules, for IPv6 \214ltering.).15 E F1(DESCRIPTION)20 182.4 Q F2(uruk-sa)100 194.4 Q -.1(ve)-.25 G F0(sa)6.764 E -.15(ve)-.2 G 6.664 (st).15 G 4.163(he IPv4 rules \(for all of the \214lter)-6.664 F 6.663 (,r)-.4 G -.15(aw)-6.663 G 6.663(,m)-.5 G 4.163 (angle and nat tables\) in)-6.663 F/F3 10/Courier@0 SF(/etc/uruk/rc)100 206.4 Q F0(in)5.588 E F2(iptables-sa)5.589 E -.1(ve)-.25 G(\(5\)).1 E F0 3.089(-style format, without in)B -.2(vo)-.4 G(king).2 E F2 (iptables\(8\))5.589 E F0 5.589(.I)C 5.589(ft)-5.589 G(he)-5.589 E F2 (-6)5.589 E F0 .24(option is gi)100 218.4 R -.15(ve)-.25 G .24 (n, the IPv6 rules \(if an).15 F .24(y\) in)-.15 F F3(/etc/uruk/rc)2.74 E F0 .24(are sa)2.74 F -.15(ve)-.2 G .24(d, in).15 F F2(ip6tables-sa) 2.74 E -.1(ve)-.25 G(\(5\)).1 E F0(-style)A (format. 
It prints output to stdout; suggested in)100 230.4 Q -.2(vo)-.4 G(cation therefore is).2 E F3 6(#u)106 254.4 S (ruk-save > /var/lib/uruk/iptables/active)-6 E F0(or)100 278.4 Q F3 6 (#u)106 302.4 S(ruk-save -6 > /var/lib/uruk/ip6tables/active)-6 E F0 3.416(.T)100 326.4 S .916(his script is useful if you don')-3.416 F 3.416(tl)-.18 G(ik)-3.416 E 3.416(et)-.1 G .916(he def)-3.416 F .916 (ault beha)-.1 F .916(viour of the uruk init script, and w)-.2 F(ould) -.1 E(lik)100 338.4 Q 2.745(ei)-.1 G 2.745(tt)-2.745 G 2.745(ol)-2.745 G .245(oad the current uruk rc \214le instead of the current acti)-2.745 F .544 -.15(ve \214)-.25 H .244(le. Please note: generally you).15 F(don') 100 350.4 Q 3.148(tn)-.18 G .648(eed to in)-3.148 F -.2(vo)-.4 G .848 -.1(ke t).2 H .649(his script manually: the script).1 F F2(urukctl)3.149 E F0 .649(which comes with uruk is suitable)3.149 F (for most cases, it in)100 362.4 Q -.2(vo)-.4 G -.1(ke).2 G(s).1 E F2 (uruk-sa)2.5 E -.1(ve)-.25 G F0(if needed.)2.6 E F1 -1.314(WA)20 379.2 S (RNING)1.314 E F0 .687(Just as)100 391.2 R F2(uruk)3.187 E F0 3.187(,i)C 3.187(no)-3.187 G .687(rder to k)-3.187 F .687(eep the)-.1 F F2(uruk-sa) 3.187 E -.1(ve)-.25 G F0 .686 (script small and simple, the script does v)3.286 F .686(ery little)-.15 F .222(error handling. It does not check the contents of the)100 403.2 R /F4 10/Times-Italic@0 SF -.37(rc)2.722 G F0 .222(\214le in an)3.092 F 2.722(yw)-.15 G .223(ay before e)-2.822 F -.15(xe)-.15 G .223 (cuting it. When).15 F(your)100 415.2 Q F4 -.37(rc)2.953 G F0 .452 (\214le contains bogus stuf)3.323 F(f,)-.25 E F2(uruk-sa)2.952 E -.1(ve) -.25 G F0 .452(will v)3.052 F .452(ery lik)-.15 F .452(ely beha)-.1 F .752 -.15(ve i)-.2 H 2.952(nu).15 G(ne)-2.952 E .452(xpected w)-.15 F .452(ays. 
Ca)-.1 F -.15(ve)-.2 G(at).15 E(emptor.)100 427.2 Q .329 (Things will lik)100 451.2 R .329(ely break if you do v)-.1 F .329 (ery f)-.15 F(anc)-.1 E 2.829(ys)-.15 G(tuf)-2.829 E 2.829(fi)-.25 G 2.829(na)-2.829 G(n)-2.829 E F4 -.37(rc)2.829 G F0 .329 (hook \214le. If your)3.199 F F4 -.37(rc)2.829 G F0 .329(\214le is in v) 3.199 F(erbose)-.15 E 3.102(mode \(i.e. it features)100 463.2 R F3 3.102 (set -x)5.602 F F0 5.601(\)o)C 5.601(ri)-5.601 G 5.601(nn)-5.601 G 3.101 (o-act mode \(i.e. it features a hardcoded)-5.601 F F3(ipta-)5.601 E (bles='echo iptables')100 475.2 Q F0(\),)A F2(uruk-sa)2.5 E -.1(ve)-.25 G F0 -.1(fa)2.6 G(ils.).1 E F1(SEE ALSO)20 492 Q F2(uruk\(8\))100 504 Q F0(,)A F2(uruk-r)2.5 E(c\(5\))-.18 E F0(.)2.5 E F1(COPYRIGHT)20 520.8 Q F0(Cop)100 532.8 Q 5.752 (yright \(C\) 2005, 2007, 2010, 2011, 2012, 2013 Joost v)-.1 F 5.752 (an Baal-Ili\304 )100 544.8 Q 1.217 (This program is free softw)100 568.8 R 1.217(are: you can redistrib)-.1 F 1.217(ute it and/or modify it under the terms of the)-.2 F .466 (GNU General Public License as published by the Free Softw)100 580.8 R .466(are F)-.1 F .466(oundation, either v)-.15 F .466(ersion 3 of)-.15 F (the License, or \(at your option\) an)100 592.8 Q 2.5(yl)-.15 G(ater v) -2.5 E(ersion.)-.15 E 2.087(This program is distrib)100 616.8 R 2.087 (uted in the hope that it will be useful, b)-.2 F 2.086 (ut WITHOUT ANY W)-.2 F(AR-)-1.2 E(RANTY)100 628.8 Q 4.226(;w)-.92 G 1.726(ithout e)-4.226 F -.15(ve)-.25 G 4.226(nt).15 G 1.726 (he implied w)-4.226 F 1.726(arranty of MERCHANT)-.1 F 1.727 (ABILITY or FITNESS FOR A)-.93 F -.92(PA)100 640.8 S -.6(RT).92 G (ICULAR PURPOSE. See the GNU General Public License for more details.).6 E -1.1(Yo)100 664.8 S 2.589(us)1.1 G .089(hould ha)-2.589 F .389 -.15 (ve r)-.2 H(ecei).15 E -.15(ve)-.25 G 2.589(dac).15 G(op)-2.589 E 2.589 (yo)-.1 G 2.589(ft)-2.589 G .089 (he GNU General Public License along with this program. 
If)-2.589 F (not, see http://www.gnu.or)100 676.8 Q(g/licenses/.)-.18 E F1 -.548(AU) 20 693.6 S(THOR).548 E F0(Joost v)100 705.6 Q (an Baal-Ili\304 )-.25 E(uruk-sa)20 768 Q .3 -.15 (ve 2)-.2 H 119.09(0130809 9).15 F2.5 E(1)198.17 E 0 Cg EP %%Trailer end %%EOF uruk-20160219/man/uruk-save.txt0000644000175000017500000000536512201162772013136 00000000000000uruk-save(8) SYSTEM ADMINISTRATION uruk-save(8) NAME uruk-save - save uruk rc configuration in iptables-save-style format SYNOPSIS uruk-save [-6] OPTIONS -6 Don't save iptables rules but save ip6tables rules, for IPv6 filter- ing. DESCRIPTION uruk-save saves the IPv4 rules (for all of the filter, raw, mangle and nat tables) in /etc/uruk/rc in iptables-save(5)-style format, without invoking iptables(8). If the -6 option is given, the IPv6 rules (if any) in /etc/uruk/rc are saved, in ip6tables-save(5)-style format. It prints output to stdout; suggested invocation therefore is # uruk-save > /var/lib/uruk/iptables/active or # uruk-save -6 > /var/lib/uruk/ip6tables/active . This script is useful if you don't like the default behaviour of the uruk init script, and would like it to load the current uruk rc file instead of the current active file. Please note: generally you don't need to invoke this script manually: the script urukctl which comes with uruk is suitable for most cases, it invokes uruk-save if needed. WARNING Just as uruk, in order to keep the uruk-save script small and simple, the script does very little error handling. It does not check the con- tents of the rc file in any way before executing it. When your rc file contains bogus stuff, uruk-save will very likely behave in unexpected ways. Caveat emptor. Things will likely break if you do very fancy stuff in an rc hook file. If your rc file is in verbose mode (i.e. it features set -x) or in no- act mode (i.e. it features a hardcoded iptables='echo iptables'), uruk- save fails. SEE ALSO uruk(8), uruk-rc(5) . 
COPYRIGHT Copyright (C) 2005, 2007, 2010, 2011, 2012, 2013 Joost van Baal-Ili This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABIL- ITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. AUTHOR Joost van Baal-Ili uruk-save 20130809 9 2013 uruk-save(8) uruk-20160219/man/uruk.html0000644000175000017500000005375612201162772012336 00000000000000 uruk

9 авг 2013    uruk 20130809

NAME

uruk — wrapper for Linux iptables, for managing firewall rules

SYNOPSIS

uruk

DESCRIPTION

uruk loads an rc file (see uruk-rc(5)) which defines network service access policy, and invokes iptables(8) to set up firewall rules implementing this policy. By default the file /etc/uruk/rc is used; one can overrule this by specifying another file in the URUK_CONFIG environment variable. Under some circumstances, it's useful to use another command for iptables; this can be achieved by setting the URUK_IPTABLES (and/or URUK_IP6TABLES) environment variables. See uruk-rc(5) for details.

QUICK SETUP GUIDE

Uruk will not "just work" out of the box. It needs manual configuration. For those of you who don't like reading lots of documentation:
# cp /usr/share/doc/uruk/examples/rc \
    /etc/uruk/rc
# vi /etc/uruk/rc
# urukctl start

GETTING STARTED

Once the uruk script is installed, you want to go use it, of course. We'll give a detailed description of what to do here.

First, create an rc file. See uruk-rc(5) for info on how to do this. Once this file is created and installed (this script looks in /etc/uruk/rc by default), you're ready to run uruk. You might want to test your rc file by running uruk in debug mode, see uruk-rc(5). There are at least 3 ways to load your rc file. We'll first describe a low level one: using vanilla iptables.

Vanilla iptables
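After editing rc, load your rules like this. First flush your current rules. (Flushing removes the rules but leaves the chain policies as they are, so until uruk has been run the policies alone decide which traffic gets through.)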

# iptables -F
# ip6tables -F
Then enable your rc rules
# uruk
Inspect the rules by doing:
# iptables -L
# ip6tables -L
If you want to make these changes survive a reboot, use the init script as shipped with this package. If you'd rather write your own init script, the iptables-restore(8) and iptables-save(8) commands from the iptables package might be helpful.

Using the Uruk init script
This assumes the Uruk init script is installed as explained in the README file. Optionally, install /etc/default/uruk (or /etc/sysconfig/uruk) and tweak it. An example file is in /usr/share/doc/uruk/examples/default. (You might like to enable support for uruk-save.) Now activate uruk by doing:

# urukctl start
Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset. While executing urukctl start, your box is open during a short while. If you don't like this, read below about uruk-save.

When rebooting, everything will be fine: /etc/init.d/uruk stores state in /var/lib/uruk/iptables, using iptables-save(8), which comes with Linux iptables.

Using Debian ifupdown
In case you have just one network interface which should get protected, you could use interfaces(5) from the Debian ifupdown package instead of the init script. Suppose you'd like to protect ppp0, and would like not to interfere with traffic on eth0: your other network interface. First write an rc file. Be sure it features

interfaces_unprotect="lo eth0"
Then run:
# mkdir -p /var/lib/uruk/iptables
# iptables -F
# iptables-save -c > /var/lib/uruk/iptables/down
# uruk
# iptables-save -c > /var/lib/uruk/iptables/up
Add
pre-up iptables-restore < /var/lib/uruk/iptables/up
post-down iptables-restore < /var/lib/uruk/iptables/down
to your interfaces stanza, in your /etc/network/interfaces .

Similar tricks might be possible on GNU/Linux systems from other distributions. The author is interested.

LOADING A NEW rc FILE

Need to change your rules?

Using the Uruk init script
Do

# vi /etc/uruk/rc
# urukctl force-reload
While executing urukctl force-reload, your box is open during a short while. If you don't like this, read below about uruk-save.

THE GORY DETAILS: uruk INTERNALS

The uruk script works like (and looks like) the list of statements below. Of course, take a look at /sbin/uruk for the final word on the workings.
1
rc is sourced as a shell script
2
Traffic on $interfaces_unprotect (just lo per default) is trusted:
$iptables -A INPUT -i $iface -j ACCEPT
3
$rc_a is sourced as a shell script, or, in case $rc_a is a directory, all files matching $rc_a/*.rc are sourced as shell scripts
4
ESTABLISHED and RELATED packets are ACCEPT-ed:
$iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT
5
$rc_b is sourced
6
$interfaces gets protected against spoofing: we don't allow anyone to spoof non-routeable addresses. We block outgoing packets that don't have our address as source: they are either spoofed or something is misconfigured (NAT disabled, for instance). We want to be nice and don't send out garbage.
$iptables -A INPUT -i $iface --source $no_route_ip \
  -j DROP
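We drop all incoming packets which don't have us as destination. (The example rule printed below is the outgoing check described above: it is appended to the OUTPUT chain and drops packets leaving $iface whose source is not "$ip". See /sbin/uruk for the complete set of rules.)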
$iptables -A OUTPUT -o $iface --source ! "$ip" \
  -j DROP
And we always allow outgoing connections:
$iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \
  -j ACCEPT
7
$rc_c is sourced
8
Allow traffic to offered services, from trusted sources:
$iptables -A INPUT -m conntrack --ctstate NEW \
  -i $iface --protocol $proto --source "$source" \
  --destination "$ip" --destination-port "$port" \
  -j ACCEPT
9
$rc_d is sourced
10
Don't answer broadcast and multicast packets:
$iptables -A INPUT -i $iface --destination "$bcast" \
  -j DROP
11
$rc_f is sourced
12
Explicitly allow a subset of the ICMP types. (We disallow all other traffic later.)
$iptables -A INPUT --protocol icmp --icmp-type $type \
  -j ACCEPT
13
$rc_g is sourced
14
Log packets (which make it till here)
$iptables -A INPUT -j LOG --log-level debug \
  --log-prefix 'iptables: '
15
$rc_h is sourced
16
Reject all other packets
$iptables -A INPUT -j REJECT
17
$rc_i is sourced

USING uruk-save AS THE INITSCRIPT BACKEND

By default, uruk-save is not used by the uruk init script. You might want to use it, though. The uruk-save script is faster and when using uruk-save, your box won't be open while loading new rules. But beware: uruk-save is not as robust as using uruk itself.

The script urukctl (and thus the uruk init script) will use uruk-save only if asked to do so in /etc/default/uruk (or /etc/sysconfig/uruk). If this file features

enable_uruk_save=true
uruk-save is used whenever appropriate. See uruk-save(8) for more details.

DEFAULT POLICY

By default, uruk drops packets which have unknown RFC 1918 private network addresses in their source or destination.

It rejects packets which have neither their source nor their destination set to one of our IPs.

Packets belonging to locally initiated sessions are allowed: we match state; the local host can act as a client for any remote service.

By default, uruk drops all ICMP packets (except those for interfaces in $interfaces_unprotect) with type other than

address-mask-reply
address-mask-request
destination-unreachable (this is a catch-all for a lot of types)
echo-request
echo-reply
parameter-problem (catch-all for ip-header-bad and required-option-missing)
timestamp-reply
timestamp-request
ttl-zero-during-transit
ttl-zero-during-reassembly

By default, the FORWARD chain is left untouched, so has policy ACCEPT. (This won't do much harm, since packet forwarding is disabled by default in the Linux kernel. However, if you don't mind being paranoid, you might want to add a

iptables --policy FORWARD REJECT
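to your $rc_a uruk hook. See uruk-rc(5).) Note that iptables accepts only ACCEPT or DROP as the policy of a built-in chain: with REJECT the command above is refused and FORWARD keeps policy ACCEPT. Use "iptables --policy FORWARD DROP", or append a "-j REJECT" rule to the FORWARD chain, and check the result with "iptables -L FORWARD".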

By default, uruk logs all UDP and TCP packets which are blocked by the user defined policies. Loglevel is debug, logprefix is "iptables:". See also the notes on loglevel in uruk-rc(5).

Blocked TCP packets are answered with a tcp-reset.

WARNING

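In order to keep the uruk script small and simple, the script does very little error handling. It does not check the contents of the rc file in any way before executing it. When your rc file contains bogus stuff, uruk will very likely behave in unexpected ways. Caveat emptor. Since the rc file and its hook files are sourced as shell scripts, whoever can write to them (or choose the file named in URUK_CONFIG) decides what uruk executes; keep these files writable by root only.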

ENVIRONMENT

You can override some defaults in the shell before executing the uruk script. uruk honors the following variables:
"URUK_CONFIG" Full pathname of rc file; /etc/uruk/rc by default.
"URUK_IPTABLES" Full pathname of iptables executable. /sbin/iptables by default. Overrides iptables.
"URUK_IP6TABLES" Full pathname of ip6tables executable, for IPv6 support. Overrides ip6tables.
"URUK_INTERFACES_UNPROTECT" Default list of unprotected interfaces. Overrides interfaces_unprotect. The default default is lo.

SEE ALSO

uruk-rc(5), uruk-save(8). The Uruk homepage is at http://mdcc.cx/uruk/ .

iptables(8), iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), http://www.netfilter.org/

interfaces(5), http://packages.debian.org/ifupdown.

COPYRIGHT

Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org; Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/; Copyright (C) 2003-2013 Joost van Baal-Ilić <joostvb-uruk@mdcc.cx>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

AUTHOR

Joost van Baal-Ilić <joostvb-uruk@mdcc.cx> uruk-20160219/man/uruk.ps0000644000175000017500000006421212201162772012001 00000000000000%!PS-Adobe-3.0 %%Creator: groff version 1.21 %%CreationDate: Fri Aug 9 14:52:10 2013 %%DocumentNeededResources: font Times-Roman %%+ font Times-Bold %%+ font Times-Italic %%+ font Courier %%DocumentSuppliedResources: procset grops 1.21 0 %%Pages: 6 %%PageOrder: Ascend %%DocumentMedia: Default 595 842 0 () () %%Orientation: Portrait %%EndComments %%BeginDefaults %%PageMedia: Default %%EndDefaults %%BeginProlog %%BeginResource: procset grops 1.21 0 %!PS-Adobe-3.0 Resource-ProcSet /setpacking where{ pop currentpacking true setpacking }if /grops 120 dict dup begin /SC 32 def /A/show load def /B{0 SC 3 -1 roll widthshow}bind def /C{0 exch ashow}bind def /D{0 exch 0 SC 5 2 roll awidthshow}bind def /E{0 rmoveto show}bind def /F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def /G{0 rmoveto 0 exch ashow}bind def /H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /I{0 exch rmoveto show}bind def /J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def /K{0 exch rmoveto 0 exch ashow}bind def /L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /M{rmoveto show}bind def /N{rmoveto 0 SC 3 -1 roll widthshow}bind def /O{rmoveto 0 exch ashow}bind def /P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /Q{moveto show}bind def /R{moveto 0 SC 3 -1 roll widthshow}bind def /S{moveto 0 exch ashow}bind def /T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def /SF{ findfont exch [exch dup 0 exch 0 exch neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /MF{ findfont [5 2 roll 0 3 1 roll neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /level0 0 def /RES 0 def /PL 0 def /LS 0 def /MANUAL{ statusdict begin/manualfeed true store end }bind def /PLG{ gsave newpath clippath pathbbox grestore exch pop add exch pop }bind def /BP{ /level0 save def 1 setlinecap 1 setlinejoin DEFS/BPhook known{DEFS begin BPhook end}if 72 RES div dup 
scale LS{ 90 rotate }{ 0 PL translate }ifelse 1 -1 scale }bind def /EP{ level0 restore showpage }def /DA{ newpath arcn stroke }bind def /SN{ transform .25 sub exch .25 sub exch round .25 add exch round .25 add exch itransform }bind def /DL{ SN moveto SN lineto stroke }bind def /DC{ newpath 0 360 arc closepath }bind def /TM matrix def /DE{ TM currentmatrix pop translate scale newpath 0 0 .5 0 360 arc closepath TM setmatrix }bind def /RC/rcurveto load def /RL/rlineto load def /ST/stroke load def /MT/moveto load def /CL/closepath load def /Fr{ setrgbcolor fill }bind def /setcmykcolor where{ pop /Fk{ setcmykcolor fill }bind def }if /Fg{ setgray fill }bind def /FL/fill load def /LW/setlinewidth load def /Cr/setrgbcolor load def /setcmykcolor where{ pop /Ck/setcmykcolor load def }if /Cg/setgray load def /RE{ findfont dup maxlength 1 index/FontName known not{1 add}if dict begin { 1 index/FID ne 2 index/UniqueID ne and {def}{pop pop}ifelse }forall /Encoding exch def dup/FontName exch def currentdict end definefont pop }bind def /DEFS 0 def /EBEGIN{ moveto DEFS begin }bind def /EEND/end load def /CNT 0 def /level1 0 def /PBEGIN{ /level1 save def translate div 3 1 roll div exch scale neg exch neg exch translate 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit []0 setdash /setstrokeadjust where{ pop false setstrokeadjust }if /setoverprint where{ pop false setoverprint }if newpath /CNT countdictstack def userdict begin /showpage{}def /setpagedevice{}def mark }bind def /PEND{ cleartomark countdictstack CNT sub{end}repeat level1 restore }bind def end def /setpacking where{ pop setpacking }if %%EndResource %%EndProlog %%BeginSetup %%BeginFeature: *PageSize Default << /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice %%EndFeature %%IncludeResource: font Times-Roman %%IncludeResource: font Times-Bold %%IncludeResource: font Times-Italic %%IncludeResource: font Courier grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 def/PL 841.89 
def/LS false def/ENC0[/asciicircum/asciitilde/Scaron /Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent /ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen /period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon /semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O /P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex /underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y /z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft /guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl /endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut /dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash /quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen /brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft /logicalnot/minus/registered/macron/degree/plusminus/twosuperior /threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior /ordmasculine/guilsinglright/onequarter/onehalf/threequarters /questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE /Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex /Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis /multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn /germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla /egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis /eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash /ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def /Courier@0 ENC0/Courier RE/Times-Italic@0 ENC0/Times-Italic RE /Times-Bold@0 ENC0/Times-Bold RE/Times-Roman@0 ENC0/Times-Roman RE %%EndSetup %%Page: 
1 1 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F/F1 10.95/Times-Bold@0 SF -.219(NA)20 84 S(ME).219 E F0 (uruk \255 wrapper for Linux iptables, for managing \214re)100 96 Q -.1 (wa)-.25 G(ll rules).1 E F1(SYNOPSIS)20 112.8 Q/F2 10/Times-Bold@0 SF (uruk)100 124.8 Q F1(DESCRIPTION)20 141.6 Q F2(uruk)100 153.6 Q F0 .393 (loads an)2.893 F/F3 10/Times-Italic@0 SF -.37(rc)2.893 G F0 .393 (\214le \(see)3.263 F F2(uruk-r)2.893 E(c\(5\))-.18 E F0 2.893(\)w)C .393(hich de\214nes netw)-2.893 F .393(ork service access polic)-.1 F 1.692 -.65(y, a)-.15 H .392(nd in).65 F -.2(vo)-.4 G -.1(ke).2 G(s).1 E F2(iptables\(8\))100 165.6 Q F0 6.064(to set up \214re)8.564 F -.1(wa) -.25 G 6.064(ll rules implementing this polic).1 F 6.064(y. By def)-.15 F 6.065(ault the \214le)-.1 F/F4 10/Courier@0 SF(/etc/uruk/rc)100 177.6 Q F0 .626(is used; one can o)3.126 F -.15(ve)-.15 G .625 (rrule this by specifying another \214le in the UR).15 F(UK_CON-)-.4 E 1.096(FIG en)100 189.6 R 1.096(vironment v)-.4 F 1.096 (ariable. Under some circumstances, it')-.25 F 3.597(su)-.55 G 1.097 (seful to use another command for)-3.597 F 1.276 (iptables; this can be achie)100 201.6 R -.15(ve)-.25 G 3.776(db).15 G 3.776(ys)-3.776 G 1.276(etting the UR)-3.776 F(UK_IPT)-.4 E 1.276 (ABLES \(and/or UR)-.93 F(UK_IP6T)-.4 E(ABLES\))-.93 E(en)100 213.6 Q (vironment v)-.4 E(ariables. See)-.25 E F2(uruk-r)2.5 E(c\(5\))-.18 E F0 (for details.)2.5 E F1 -.11(QU)20 230.4 S(ICK SETUP GUIDE).11 E F0 .627 (Uruk will)100 242.4 R F3(not)3.127 E F0 .627("just w)3.127 F .628 (ork" out of the box. 
It needs manual con\214guration.)-.1 F -.15(Fo) 5.628 G 3.128(rt).15 G .628(hose of you who)-3.128 F(don')100 254.4 Q 2.5(tl)-.18 G(ik)-2.5 E 2.5(er)-.1 G(eading lots of documentation:)-2.5 E F4 6(#c)106 278.4 S 6(p/)-6 G(usr/share/doc/uruk/examples/rc \\)-6 E (/etc/uruk/rc)130 290.4 Q 6(#v)106 302.4 S 6(i/)-6 G(etc/uruk/rc)-6 E 6 (#u)106 314.4 S(rukctl start)-6 E F1(GETTING ST)20 343.2 Q(AR)-.986 E (TED)-.438 E F0 .325(Once the)100 355.2 R F2(uruk)2.825 E F0 .325 (script is installed, you w)2.825 F .324(ant to go use it, of course. W) -.1 F(e')-.8 E .324(ll gi)-.1 F .624 -.15(ve a d)-.25 H .324 (etailed descrip-).15 F(tion of what to do here.)100 367.2 Q .846 (First, create an)100 391.2 R F3 -.37(rc)3.346 G F0 .846(\214le. See) 3.716 F F2(uruk-r)3.346 E(c\(5\))-.18 E F0 .846(for info on ho)3.346 F 3.346(wt)-.25 G 3.346(od)-3.346 G 3.346(ot)-3.346 G .847 (his. Once this \214le is created and)-3.346 F .155 (installed \(this script looks in)100 403.2 R F4(/etc/uruk/rc)2.654 E F0 .154(by def)2.654 F .154(ault\), you')-.1 F .154(re ready to run)-.5 F F2(uruk)2.654 E F0 2.654(.Y)C .154(ou might)-3.754 F -.1(wa)100 415.2 S .849(nt to test your).1 F F3 -.37(rc)3.349 G F0 .849(\214le by running) 3.719 F F2(uruk)3.349 E F0 .849(in deb)3.349 F .85(ug mode, see)-.2 F F2 (uruk-r)3.35 E(c\(5\))-.18 E F0 5.85(.T)C .85(here are at least 3)-5.85 F -.1(wa)100 427.2 S(ys to load your).1 E F3 -.37(rc)2.5 G F0(\214le. W) 2.87 E(e')-.8 E(ll \214rst describe a lo)-.1 E 2.5(wl)-.25 G -2.15 -.25 (ev e)-2.5 H 2.5(lo).25 G(ne: using v)-2.5 E(anilla iptables.)-.25 E F2 -.92(Va)100 451.2 S(nilla iptables).92 E F0(After editing)100 463.2 Q F3 -.37(rc)2.5 G F0 2.5(,l).37 G(oad your rules lik)-2.5 E 2.5(et)-.1 G (his. 
First \215ush your current rules:)-2.5 E F4 6(#i)106 487.2 S (ptables -F)-6 E 6(#i)106 499.2 S(p6tables -F)-6 E F0(Then enable your) 100 523.2 Q F3 -.37(rc)2.5 G F0(rules)2.87 E F4 6(#u)106 547.2 S(ruk)-6 E F0 2.5(.I)100 571.2 S(nspect the rules by doing:)-2.5 E F4 6(#i)106 595.2 S(ptables -L)-6 E 6(#i)106 607.2 S(p6tables -L)-6 E F0 6.144(.I) 100 631.2 S 3.644(fy)-6.144 G 1.144(ou w)-3.644 F 1.144(ant to mak)-.1 F 3.644(et)-.1 G 1.144(hese changes survi)-3.644 F 1.444 -.15(ve a r)-.25 H 1.144(eboot, use the init script as shipped with this).15 F .425 (package. If you')100 643.2 R 2.925(dr)-.5 G .425(ather write your o) -2.925 F .425(wn init script, the)-.25 F F2(iptables-r)2.925 E(estor) -.18 E(e\(8\))-.18 E F0(and)2.925 E F2(iptables-sa)2.925 E -.1(ve)-.25 G (\(8\)).1 E F0(commands from the iptables package might be helpful.)100 655.2 Q F2(Using the Uruk init script)100 679.2 Q F0 .106 (Assumed is the Uruk init script is installed as e)100 691.2 R .105 (xplained in the README \214le.)-.15 F(Optionally)5.105 E 2.605(,i)-.65 G(nstall)-2.605 E F4(/etc/default/uruk)100 703.2 Q F0(\(or)3.745 E F4 (/etc/sysconfig/uruk)3.745 E F0 3.745(\)a)C 1.245(nd tweak it. An e) -3.745 F 1.245(xample \214le is in)-.15 F F4 (/usr/share/doc/uruk/examples/default)100 715.2 Q F0(\(Y)5.539 E 3.039 (ou might lik)-1.1 F 5.539(et)-.1 G 5.538(oe)-5.539 G 3.038 (nable support for)-5.538 F F2(uruk-sa)100 727.2 Q -.1(ve)-.25 G F0 (.\) No).1 E 2.5(wa)-.25 G(cti)-2.5 E -.25(va)-.25 G(te uruk by doing:) .25 E(uruk 20130809)20 768 Q 2.5<39d0>142.34 G-2.5 E(1)198.17 E 0 Cg EP %%Page: 2 2 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F/F1 10/Courier@0 SF 6(#u)106 84 S (rukctl start)-6 E F0(No)100 108 Q 3.511(wy)-.25 G 1.011 (our pre-uruk iptables rules \(if an)-3.511 F 1.011(y\) are sa)-.15 F -.15(ve)-.2 G 3.512(da).15 G 3.512(st)-3.512 G 1.012(he "inacti)-3.512 F -.15(ve)-.25 G 3.512("r).15 G 3.512(uleset. 
While)-3.512 F -.15(exe) 3.512 G(cuting).15 E F1 1.06(urukctl start)100 120 R F0 3.56(,y)C 1.06 (our box is open during a short while.)-3.56 F 1.059(If you don')6.059 F 3.559(tl)-.18 G(ik)-3.559 E 3.559(et)-.1 G 1.059(his, read belo)-3.559 F (w)-.25 E(about)100 132 Q/F2 10/Times-Bold@0 SF(uruk-sa)2.5 E -.1(ve) -.25 G F0(.).1 E 7.8(When rebooting, e)100 156 R -.15(ve)-.25 G 7.8 (rything will be \214ne:).15 F F1(/etc/init.d/uruk)10.3 E F0 7.8 (stores state in)10.3 F F1(/var/lib/uruk/iptables)100 168 Q F0 2.5(,u)C (sing iptables-sa)-2.5 E -.15(ve)-.2 G (\(8\), which comes with Linux iptables.).15 E F2(Using Debian ifupdo) 100 192 Q(wn)-.1 E F0 1.193(In case you ha)100 204 R 1.493 -.15(ve j)-.2 H 1.193(ust one netw).15 F 1.193(ork interf)-.1 F 1.192 (ace which should get protected, you could use)-.1 F F2(inter)3.692 E(-) -.37 E(faces\(5\))100 216 Q F0 .224(from the Debian ifupdo)2.724 F .224 (wn package instead of the init script. Suppose you')-.25 F 2.724(dl)-.5 G(ik)-2.724 E 2.724(et)-.1 G 2.724(op)-2.724 G(ro-)-2.724 E(tect)100 228 Q F1(ppp0)3.87 E F0 3.87(,a)C 1.37(nd w)-3.87 F 1.37(ould lik)-.1 F 3.87 (en)-.1 G 1.37(ot to interfere with traf)-3.87 F 1.37 (\214c on eth0: your other netw)-.25 F 1.37(ork interf)-.1 F(ace.)-.1 E (First write an)100 240 Q/F3 10/Times-Italic@0 SF -.37(rc)2.5 G F0 (\214le. 
Be sure it features)2.87 E F1(interfaces_unprotect="lo eth0") 106 264 Q F0(Then run:)100 288 Q F1 6(#m)106 312 S (kdir -p /var/lib/uruk/iptables)-6 E 6(#i)106 336 S(ptables -F)-6 E 6 (#i)106 360 S(ptables-save -c > /var/lib/uruk/iptables/down)-6 E 6(#u) 106 372 S(ruk)-6 E 6(#i)106 384 S (ptables-save -c > /var/lib/uruk/iptables/up)-6 E F0(Add)100 408 Q F1 (pre-up iptables-restore < /var/lib/uruk/iptables/up)106 432 Q (post-down iptables-restore < /var/lib/uruk/iptables/down)106 444 Q F0 (to your interf)100 468 Q(aces stanza, in your)-.1 E F1 (/etc/network/interfaces)2.5 E F0(.)2.5 E .438(Similar tricks might be \ possible on GNU/Linux systems from other distrib)100 492 R 2.939 (utions. The)-.2 F .439(author is)2.939 F(interested.)100 504 Q/F4 10.95 /Times-Bold@0 SF(LO)20 520.8 Q(ADING A NEW)-.438 E/F5 10.95 /Times-Italic@0 SF -.405(rc)2.738 G F4(FILE)3.143 E F0 (Need to change your rules?)100 532.8 Q F2(Using the Uruk init script) 100 556.8 Q F0(Do)100 568.8 Q F1 6(#v)106 592.8 S 6(i/)-6 G(etc/uruk/rc) -6 E 6(#u)106 604.8 S(rukctl force-reload)-6 E F0 1.24(While e)100 628.8 R -.15(xe)-.15 G(cuting).15 E F1 1.24(urukctl force-reload)3.74 F F0 3.739(,y)C 1.239(our box is open during a short while. If you)-3.739 F (don')100 640.8 Q 2.5(tl)-.18 G(ik)-2.5 E 2.5(et)-.1 G(his, read belo) -2.5 E 2.5(wa)-.25 G(bout)-2.5 E F2(uruk-sa)2.5 E -.1(ve)-.25 G F0(.).1 E F4(THE GOR)20 657.6 Q 2.738(YD)-.383 G(ET)-2.738 E(AILS: uruk INTERN) -.986 E(ALS)-.219 E F0(The)100 669.6 Q F2(uruk)2.52 E F0 .02(script w) 2.52 F .02(orks lik)-.1 F 2.52(e\()-.1 G .02(and looks lik)-2.52 F .02 (e\) the list of statements belo)-.1 F .02(w. 
Of course, tak)-.25 F 2.52 (eal)-.1 G .02(ook at)-2.52 F F1(/sbin/uruk)100 681.6 Q F0 (for the \214nal w)2.5 E(ord on the w)-.1 E(orkings.)-.1 E(1)100 705.6 Q F3 -.37(rc)120 717.6 S F0(is sourced as a shell script)2.87 E(2)100 729.6 Q(uruk 20130809)20 768 Q 2.5<39d0>142.34 G -2.5 E(2)198.17 E 0 Cg EP %%Page: 3 3 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F -.35(Tr)120 84 S(af).35 E (\214c on $interf)-.25 E(aces_unprotect \(just lo per def)-.1 E (ault\) is trusted:)-.1 E/F1 10/Courier@0 SF ($iptables -A INPUT -i $iface -j ACCEPT)126 108 Q F0(3)100 132 Q 2.567 ($rc_a is sourced as a shell script, or)120 144 R 5.066(,i)-.4 G 5.066 (nc)-5.066 G 2.566(ase $rc_a is a directory)-5.066 F 5.066(,a)-.65 G 2.566(ll \214les matching)-5.066 F ($rc_a/*.rc are sourced as shell scripts)120 156 Q(4)100 168 Q(EST)120 180 Q(ABLISHED and RELA)-.93 E(TED pack)-1.11 E(ets are A)-.1 E(CCEPT) -.4 E(-ed:)-.92 E F1 ($iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \\)126 204 Q(-j ACCEPT)132 216 Q F0(5)100 240 Q($rc_b is sourced)120 252 Q(6) 100 264 Q($interf)120 276 Q .824(aces gets protected ag)-.1 F .824 (ainst spoo\214ng: we don')-.05 F 3.325(ta)-.18 G(llo)-3.325 E 3.325(wa) -.25 G -.15(ny)-3.325 G .825(one to spoof non-routeable).15 F .314 (addresses. W)120 288 R 2.814(eb)-.8 G .314(lock outgoing pack)-2.814 F .314(ets that don')-.1 F 2.814(th)-.18 G -2.25 -.2(av e)-2.814 H .313 (our address as source: the)3.014 F 2.813(ya)-.15 G .313(re either) -2.813 F 1.164(spoofed or something is miscon\214gured \(N)120 300 R 3.385 -1.11(AT d)-.35 H 1.165(isabled, for instance\). 
W)1.11 F 3.665 (ew)-.8 G 1.165(ant to be nice)-3.765 F(and don')120 312 Q 2.5(ts)-.18 G (end out g)-2.5 E(arbage.)-.05 E F1 ($iptables -A INPUT -i $iface --source $no_route_ip \\)126 336 Q (-j DROP)132 348 Q F0 1.6 -.8(We d)120 372 T(rop all incoming pack).8 E (ets which don')-.1 E 2.5(th)-.18 G -2.25 -.2(av e)-2.5 H (us as destination:)2.7 E F1 ($iptables -A OUTPUT -o $iface --source ! "$ip" \\)126 396 Q(-j DROP)132 408 Q F0(And we al)120 432 Q -.1(wa)-.1 G(ys allo).1 E 2.5(wo)-.25 G (utgoing connections:)-2.5 E F1 ($iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \\)126 456 Q (-j ACCEPT)132 468 Q F0(7)100 492 Q($rc_c is sourced)120 504 Q(8)100 516 Q(Allo)120 528 Q 2.5(wt)-.25 G(raf)-2.5 E(\214c to of)-.25 E (fered services, from trusted sources:)-.25 E F1 ($iptables -A INPUT -m conntrack --ctstate NEW \\)126 552 Q (-i $iface --protocol $proto --source "$source" \\)132 564 Q (--destination "$ip" --destination-port "$port" \\)132 576 Q(-j ACCEPT) 132 588 Q F0(9)100 612 Q($rc_d is sourced)120 624 Q(10)100 636 Q(Don') 120 648 Q 2.5(ta)-.18 G(nswer broadcast and multicast pack)-2.5 E(ets:) -.1 E F1($iptables -A INPUT -i $iface --destination "$bcast" \\)126 672 Q(-j DROP)132 684 Q F0(11)100 708 Q($rc_f is sourced)120 720 Q (uruk 20130809)20 768 Q 2.5<39d0>142.34 G-2.5 E(3) 198.17 E 0 Cg EP %%Page: 4 4 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F(12)100 84 Q(Explicitly allo)120 96 Q 2.5(was)-.25 G(ubset of the ICMP types. 
\(W)-2.5 E 2.5(ed)-.8 G(isallo) -2.5 E 2.5(wa)-.25 G(ll other traf)-2.5 E(\214c later.\))-.25 E/F1 10 /Courier@0 SF($iptables -A INPUT --protocol icmp --icmp-type $type \\) 126 120 Q(-j ACCEPT)132 132 Q F0(13)100 156 Q($rc_g is sourced)120 168 Q (14)100 180 Q(Log pack)120 192 Q(ets \(which mak)-.1 E 2.5(ei)-.1 G 2.5 (tt)-2.5 G(ill here\))-2.5 E F1 ($iptables -A INPUT -j LOG --log-level debug \\)126 216 Q (--log-prefix 'iptables: ')132 228 Q F0(15)100 252 Q($rc_h is sourced) 120 264 Q(16)100 276 Q(Reject all other pack)120 288 Q(ets)-.1 E F1 ($iptables -A INPUT -j REJECT)126 312 Q F0(17)100 336 Q ($rc_i is sourced)120 348 Q/F2 10.95/Times-Bold@0 SF(USING uruk-sa)20 364.8 Q .22 -.11(ve A)-.274 H 2.738(ST).11 G(HE INITSCRIPT B)-2.738 E -.602(AC)-.329 G(KEND).602 E F0 .475(By def)100 376.8 R(ault,)-.1 E/F3 10/Times-Bold@0 SF(uruk-sa)2.975 E -.1(ve)-.25 G F0 .475 (is not used by the uruk init script. Y)3.075 F .474(ou might w)-1.1 F .474(ant to use it, though. The)-.1 F F3(uruk-sa)100 388.8 Q -.1(ve)-.25 G F0 .032(script is f)2.632 F .032(aster and when using)-.1 F F3 (uruk-sa)2.532 E -.1(ve)-.25 G F0 2.532(,y).1 G .032(our box w)-2.532 F (on')-.1 E 2.532(tb)-.18 G 2.532(eo)-2.532 G .032(pen while loading ne) -2.532 F(w)-.25 E(rules. But be)100 400.8 Q -.1(wa)-.25 G(re:).1 E F3 (uruk-sa)2.5 E -.1(ve)-.25 G F0(is not as rob)2.6 E(ust as using)-.2 E F3(uruk)2.5 E F0(itself.)2.5 E .964(The script)100 424.8 R F3(urukctl) 3.464 E F0 .964(\(and thus the uruk init script\) will use)3.464 F F3 (uruk-sa)3.464 E -.1(ve)-.25 G F0 .964(only if ask)3.564 F .964 (ed to do so in)-.1 F F1(/etc/default/uruk)100 436.8 Q F0(\(or)2.5 E F1 (/etc/sysconfig/uruk)2.5 E F0(\). If this \214le features)A F1 (enable_uruk_save=true)106 472.8 Q F3(uruk-sa)100 496.8 Q -.1(ve)-.25 G F0(is used whene)2.6 E -.15(ve)-.25 G 2.5(ra).15 G 2.5(ppropriate. See) -2.5 F F3(uruk-sa)2.5 E -.1(ve)-.25 G(\(8\)).1 E F0(for more details.) 
2.5 E F2(DEF)20 513.6 Q -.548(AU)-.986 G 2.014 -1.007(LT P).548 H(OLICY) 1.007 E F0 1.196(By def)100 525.6 R(ault,)-.1 E F3(uruk)3.696 E F0 1.196 (drops pack)3.696 F 1.196(ets which ha)-.1 F 1.496 -.15(ve u)-.2 H(nkno) .15 E 1.196(wn RFC 1918 pri)-.25 F -.25(va)-.25 G 1.196(te netw).25 F 1.197(ork addresses in)-.1 F(their source or destination.)100 537.6 Q (It rejects pack)100 561.6 Q (ets with source nor destination for one of our IPs.)-.1 E -.15(Pa)100 585.6 S(ck).15 E .144 (ets belonging to locally initiated sessions are allo)-.1 F .144 (wed: we match state; the local host can act)-.25 F(as a client for an) 100 597.6 Q 2.5(yr)-.15 G(emote service.)-2.5 E .834(By def)100 621.6 R (ault,)-.1 E F3(uruk)3.334 E F0 .834(drops all ICMP pack)3.334 F .834 (ets \(e)-.1 F .834(xcept those for interf)-.15 F .835(aces in $interf) -.1 F(aces_unprotect\))-.1 E(with type other than)100 633.6 Q<83>100 657.6 Q(address-mask-reply)120 669.6 Q<83>100 681.6 Q (address-mask-request)120 693.6 Q<83>100 705.6 Q (destination-unreachable \(this is a catch-all for a lot of types\))120 717.6 Q<83>100 729.6 Q(uruk 20130809)20 768 Q 2.5<39d0>142.34 G -2.5 E(4)198.17 E 0 Cg EP %%Page: 5 5 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F(echo-request)120 84 Q<83>100 96 Q (echo-reply)120 108 Q<83>100 120 Q(parameter)120 132 Q (-problem \(catch-all for ip-header)-.2 E (-bad and required-option-missing\))-.2 E<83>100 144 Q(timestamp-reply) 120 156 Q<83>100 168 Q(timestamp-request)120 180 Q<83>100 192 Q (ttl-zero-during-transit)120 204 Q<83>100 216 Q (ttl-zero-during-reassembly)120 228 Q 1.658(By def)100 252 R 1.658 (ault, the FOR)-.1 F -1.2(WA)-.55 G 1.657 (RD chain is left untouched, so has polic)1.2 F 4.157(yA)-.15 G 1.657 (CCEPT. 
\(This w)-4.557 F(on')-.1 E 4.157(td)-.18 G(o)-4.157 E .412 (much harm, since pack)100 264 R .412(et forw)-.1 F .413 (arding is disabled by def)-.1 F .413(ault in the Linux k)-.1 F .413 (ernel. Ho)-.1 F(we)-.25 E -.15(ve)-.25 G 1.213 -.4(r, i).15 H 2.913(fy) .4 G(ou)-2.913 E(don')100 276 Q 2.5(tm)-.18 G (ind being paranoid, you might w)-2.5 E(ant to add a)-.1 E/F1 10 /Courier@0 SF(iptables --policy FORWARD REJECT)106 300 Q F0 (to your $rc_a uruk hook. See)100 324 Q/F2 10/Times-Bold@0 SF(uruk-r)2.5 E(c\(5\))-.18 E F0(.\))A .348(By def)100 348 R(ault,)-.1 E F2(uruk)2.848 E F0 .348(logs all UDP and TCP pack)2.848 F .347(ets which are block)-.1 F .347(ed by the user de\214ned policies.)-.1 F(Logle)100 360 Q -.15(ve) -.25 G 2.5(li).15 G 2.5(sd)-2.5 G(eb)-2.5 E (ug, logpre\214x is "iptables:". See also the notes on)-.2 E/F3 10 /Times-Italic@0 SF(lo)2.5 E(gle)-.1 E(vel)-.15 E F0(in)2.5 E F2(uruk-r) 2.5 E(c\(5\))-.18 E F0(.)A(Block)100 384 Q(ed TCP pack)-.1 E (ets are answered with a tcp-reset.)-.1 E/F4 10.95/Times-Bold@0 SF -1.314(WA)20 400.8 S(RNING)1.314 E F0 .994(In order to k)100 412.8 R .994(eep the)-.1 F F2(uruk)3.494 E F0 .994 (script small and simple, the script does v)3.494 F .994 (ery little error handling. It)-.15 F .406 (does not check the contents of the)100 424.8 R F3 -.37(rc)2.905 G F0 .405(\214le in an)3.275 F 2.905(yw)-.15 G .405(ay before e)-3.005 F -.15 (xe)-.15 G .405(cuting it. When your).15 F F3 -.37(rc)2.905 G F0 .405 (\214le con-)3.275 F(tains bogus stuf)100 436.8 Q(f,)-.25 E F2(uruk)2.5 E F0(will v)2.5 E(ery lik)-.15 E(ely beha)-.1 E .3 -.15(ve i)-.2 H 2.5 (nu).15 G(ne)-2.5 E(xpected w)-.15 E(ays. 
Ca)-.1 E -.15(ve)-.2 G (at emptor.).15 E F4(ENVIR)20 453.6 Q(ONMENT)-.329 E F0 -1.1(Yo)100 465.6 S 3.398(uc)1.1 G .898(an o)-3.398 F -.15(ve)-.15 G .898 (rride some def).15 F .898(aults in the shell before e)-.1 F -.15(xe) -.15 G .898(cuting the uruk script.).15 F F2(uruk)5.898 E F0 .898 (honors the)3.398 F(follo)100 477.6 Q(wing v)-.25 E(ariables:)-.25 E<83> 100 501.6 Q("UR)120 513.6 Q(UK_CONFIG" Full pathname of)-.4 E F3 -.37 (rc)2.5 G F0(\214le;)2.87 E F1(/etc/uruk/rc)2.5 E F0(by def)2.5 E(ault.) -.1 E<83>100 525.6 Q("UR)120 537.6 Q(UK_IPT)-.4 E 3.967 (ABLES" Full pathname of iptables e)-.93 F -.15(xe)-.15 G(cutable.).15 E F1(/sbin/iptables)8.967 E F0(by)6.467 E(def)120 549.6 Q(ault. Ov)-.1 E (errides)-.15 E F3(iptables)2.5 E F0(.)A<83>100 561.6 Q("UR)120 573.6 Q (UK_IP6T)-.4 E .771(ABLES" Full pathname of ip6tables e)-.93 F -.15(xe) -.15 G .771(cutable, for IPv6 support. Ov).15 F(errides)-.15 E F3 (ip6tables)120 585.6 Q F0(.)A<83>100 597.6 Q("UR)120 609.6 Q(UK_INTERF) -.4 E -.4(AC)-.74 G(ES_UNPR).4 E -.4(OT)-.4 G 1.449(ECT" Def).4 F 1.448 (ault list of unprotected interf)-.1 F 3.948(aces. Ov)-.1 F(errides)-.15 E F3(interfaces_unpr)120 621.6 Q(otect)-.45 E F0 2.5(.T)C(he def)-2.5 E (ault def)-.1 E(ault is)-.1 E F1(lo)2.5 E F0(.)A F4(SEE ALSO)20 638.4 Q F2(uruk-r)100 650.4 Q(c\(5\))-.18 E F0(,)A F2(uruk-sa)2.5 E -.1(ve)-.25 G(\(8\)).1 E F0 2.5(.T)C(he Uruk homepage is at http://mdcc.cx/uruk/ .) 
-2.5 E F2(iptables\(8\))100 674.4 Q F0(,)A F2(iptables-sa)4.652 E -.1 (ve)-.25 G(\(8\)).1 E F0(,)A F2(iptables-r)4.652 E(estor)-.18 E(e\(8\)) -.18 E F0(,)A F2(ip6tables\(8\))4.652 E F0(,)A F2(ip6tables-sa)4.652 E -.1(ve)-.25 G(\(8\)).1 E F0(,)A F2(ip6tables-)4.652 E -.18(re)100 686.4 S(stor).18 E(e\(8\))-.18 E F0 2.5(,h)C(ttp://www.net\214lter.or)-2.5 E (g/)-.18 E F2(interfaces\(5\))100 710.4 Q F0 2.5(,h)C (ttp://packages.debian.or)-2.5 E(g/ifupdo)-.18 E(wn.)-.25 E (uruk 20130809)20 768 Q 2.5<39d0>142.34 G-2.5 E(5) 198.17 E 0 Cg EP %%Page: 6 6 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 136.515(uruk\(8\) SYSTEM)20 48 R(ADMINISTRA)2.5 E 139.015(TION uruk\(8\))-1.11 F/F1 10.95/Times-Bold@0 SF(COPYRIGHT)20 84 Q F0(Cop)100 96 Q 1.825(yright \(C\) 2003 Stichting LogReport F)-.1 F 1.825(oundation logreport@logreport.or)-.15 F 1.825(g; Cop)-.18 F 1.825 (yright \(C\))-.1 F .309(2003, 2004 T)100 108 R(ilb)-.35 E(ur)-.2 E 2.809(gU)-.18 G(ni)-2.809 E -.15(ve)-.25 G .309 (rsity http://www.uvt.nl/; Cop).15 F .309 (yright \(C\) 2003-2013 Joost v)-.1 F .309(an Baal-Ili\304)-.25 F ()100 120 Q 1.217(This program is free softw)100 144 R 1.217(are: you can redistrib)-.1 F 1.217 (ute it and/or modify it under the terms of the)-.2 F .466 (GNU General Public License as published by the Free Softw)100 156 R .466(are F)-.1 F .466(oundation, either v)-.15 F .466(ersion 3 of)-.15 F (the License, or \(at your option\) an)100 168 Q 2.5(yl)-.15 G(ater v) -2.5 E(ersion.)-.15 E 2.087(This program is distrib)100 192 R 2.087 (uted in the hope that it will be useful, b)-.2 F 2.086 (ut WITHOUT ANY W)-.2 F(AR-)-1.2 E(RANTY)100 204 Q 4.226(;w)-.92 G 1.726 (ithout e)-4.226 F -.15(ve)-.25 G 4.226(nt).15 G 1.726(he implied w) -4.226 F 1.726(arranty of MERCHANT)-.1 F 1.727(ABILITY or FITNESS FOR A) -.93 F -.92(PA)100 216 S -.6(RT).92 G (ICULAR PURPOSE. 
See the GNU General Public License for more details.).6 E -1.1(Yo)100 240 S 2.589(us)1.1 G .089(hould ha)-2.589 F .389 -.15 (ve r)-.2 H(ecei).15 E -.15(ve)-.25 G 2.589(dac).15 G(op)-2.589 E 2.589 (yo)-.1 G 2.589(ft)-2.589 G .089 (he GNU General Public License along with this program. If)-2.589 F (not, see http://www.gnu.or)100 252 Q(g/licenses/.)-.18 E F1 -.548(AU)20 268.8 S(THOR).548 E F0(Joost v)100 280.8 Q (an Baal-Ili\304 )-.25 E(uruk 20130809)20 768 Q 2.5<39d0>142.34 G-2.5 E(6)198.17 E 0 Cg EP %%Trailer end %%EOF uruk-20160219/man/uruk.txt0000644000175000017500000002612412201162772012176 00000000000000uruk(8) SYSTEM ADMINISTRATION uruk(8) NAME uruk - wrapper for Linux iptables, for managing firewall rules SYNOPSIS uruk DESCRIPTION uruk loads an rc file (see uruk-rc(5)) which defines network service access policy, and invokes iptables(8) to set up firewall rules imple- menting this policy. By default the file /etc/uruk/rc is used; one can overrule this by specifying another file in the URUK_CONFIG environment variable. Under some circumstances, it's useful to use another command for iptables; this can be achieved by setting the URUK_IPTABLES (and/or URUK_IP6TABLES) environment variables. See uruk-rc(5) for details. QUICK SETUP GUIDE Uruk will not "just work" out of the box. It needs manual configuration. For those of you who don't like reading lots of documentation: # cp /usr/share/doc/uruk/examples/rc \ /etc/uruk/rc # vi /etc/uruk/rc # urukctl start GETTING STARTED Once the uruk script is installed, you want to go use it, of course. We'll give a detailed description of what to do here. First, create an rc file. See uruk-rc(5) for info on how to do this. Once this file is created and installed (this script looks in /etc/uruk/rc by default), you're ready to run uruk. You might want to test your rc file by running uruk in debug mode, see uruk-rc(5). There are at least 3 ways to load your rc file. We'll first describe a low level one: using vanilla iptables. 
Vanilla iptables After editing rc, load your rules like this. First flush your current rules: # iptables -F # ip6tables -F Then enable your rc rules # uruk . Inspect the rules by doing: # iptables -L # ip6tables -L . If you want to make these changes survive a reboot, use the init script as shipped with this package. If you'd rather write your own init script, the iptables-restore(8) and iptables-save(8) commands from the iptables package might be helpful. Using the Uruk init script Assumed is the Uruk init script is installed as explained in the README file. Optionally, install /etc/default/uruk (or /etc/sysconfig/uruk) and tweak it. An example file is in /usr/share/doc/uruk/examples/default (You might like to enable support for uruk-save.) Now activate uruk by doing: # urukctl start Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset. While executing urukctl start, your box is open during a short while. If you don't like this, read below about uruk-save. When rebooting, everything will be fine: /etc/init.d/uruk stores state in /var/lib/uruk/iptables, using iptables-save(8), which comes with Linux iptables. Using Debian ifupdown In case you have just one network interface which should get protected, you could use interfaces(5) from the Debian ifupdown package instead of the init script. Suppose you'd like to protect ppp0, and would like not to interfere with traffic on eth0: your other network interface. First write an rc file. Be sure it features interfaces_unprotect="lo eth0" Then run: # mkdir -p /var/lib/uruk/iptables # iptables -F # iptables-save -c > /var/lib/uruk/iptables/down # uruk # iptables-save -c > /var/lib/uruk/iptables/up Add pre-up iptables-restore < /var/lib/uruk/iptables/up post-down iptables-restore < /var/lib/uruk/iptables/down to your interfaces stanza, in your /etc/network/interfaces . Similar tricks might be possible on GNU/Linux systems from other distri- butions. The author is interested. 
LOADING A NEW rc FILE Need to change your rules? Using the Uruk init script Do # vi /etc/uruk/rc # urukctl force-reload While executing urukctl force-reload, your box is open during a short while. If you don't like this, read below about uruk-save. THE GORY DETAILS: uruk INTERNALS The uruk script works like (and looks like) the list of statements below. Of course, take a look at /sbin/uruk for the final word on the workings. 1 rc is sourced as a shell script 2 Traffic on $interfaces_unprotect (just lo per default) is trusted: $iptables -A INPUT -i $iface -j ACCEPT 3 $rc_a is sourced as a shell script, or, in case $rc_a is a directory, all files matching $rc_a/*.rc are sourced as shell scripts 4 ESTABLISHED and RELATED packets are ACCEPT-ed: $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \ -j ACCEPT 5 $rc_b is sourced 6 $interfaces gets protected against spoofing: we don't allow anyone to spoof non-routeable addresses. We block outgoing packets that don't have our address as source: they are either spoofed or something is misconfigured (NAT disabled, for instance). We want to be nice and don't send out garbage. $iptables -A INPUT -i $iface --source $no_route_ip \ -j DROP We drop all incoming packets which don't have us as destination: $iptables -A OUTPUT -o $iface --source ! "$ip" \ -j DROP And we always allow outgoing connections: $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \ -j ACCEPT 7 $rc_c is sourced 8 Allow traffic to offered services, from trusted sources: $iptables -A INPUT -m conntrack --ctstate NEW \ -i $iface --protocol $proto --source "$source" \ --destination "$ip" --destination-port "$port" \ -j ACCEPT 9 $rc_d is sourced 10 Don't answer broadcast and multicast packets: $iptables -A INPUT -i $iface --destination "$bcast" \ -j DROP 11 $rc_f is sourced 12 Explicitly allow a subset of the ICMP types. (We disallow all other traffic later.) 
$iptables -A INPUT --protocol icmp --icmp-type $type \ -j ACCEPT 13 $rc_g is sourced 14 Log packets (which make it till here) $iptables -A INPUT -j LOG --log-level debug \ --log-prefix 'iptables: ' 15 $rc_h is sourced 16 Reject all other packets $iptables -A INPUT -j REJECT 17 $rc_i is sourced USING uruk-save AS THE INITSCRIPT BACKEND By default, uruk-save is not used by the uruk init script. You might want to use it, though. The uruk-save script is faster and when using uruk-save, your box won't be open while loading new rules. But beware: uruk-save is not as robust as using uruk itself. The script urukctl (and thus the uruk init script) will use uruk-save only if asked to do so in /etc/default/uruk (or /etc/sysconfig/uruk). If this file features enable_uruk_save=true uruk-save is used whenever appropriate. See uruk-save(8) for more details. DEFAULT POLICY By default, uruk drops packets which have unknown RFC 1918 private network addresses in their source or destination. It rejects packets with neither source nor destination being one of our IPs. Packets belonging to locally initiated sessions are allowed: we match state; the local host can act as a client for any remote service. By default, uruk drops all ICMP packets (except those for interfaces in $interfaces_unprotect) with type other than o address-mask-reply o address-mask-request o destination-unreachable (this is a catch-all for a lot of types) o echo-request o echo-reply o parameter-problem (catch-all for ip-header-bad and required-option-missing) o timestamp-reply o timestamp-request o ttl-zero-during-transit o ttl-zero-during-reassembly By default, the FORWARD chain is left untouched, so has policy ACCEPT. (This won't do much harm, since packet forwarding is disabled by default in the Linux kernel. However, if you don't mind being paranoid, you might want to add an iptables --policy FORWARD REJECT to your $rc_a uruk hook. Note that iptables only accepts ACCEPT or DROP as the policy of a built-in chain, so if REJECT is refused, use DROP instead. See uruk-rc(5).)
By default, uruk logs all UDP and TCP packets which are blocked by the user defined policies. Loglevel is debug, logprefix is "iptables:". See also the notes on loglevel in uruk-rc(5). Blocked TCP packets are answered with a tcp-reset. WARNING In order to keep the uruk script small and simple, the script does very little error handling. It does not check the contents of the rc file in any way before executing it. When your rc file contains bogus stuff, uruk will very likely behave in unexpected ways. Caveat emptor. ENVIRONMENT You can override some defaults in the shell before executing the uruk script. uruk honors the following variables: o "URUK_CONFIG" Full pathname of rc file; /etc/uruk/rc by default. o "URUK_IPTABLES" Full pathname of iptables executable. /sbin/iptables by default. Overrides iptables. o "URUK_IP6TABLES" Full pathname of ip6tables executable, for IPv6 sup- port. Overrides ip6tables. o "URUK_INTERFACES_UNPROTECT" Default list of unprotected interfaces. Overrides interfaces_unprotect. The default default is lo. SEE ALSO uruk-rc(5), uruk-save(8). The Uruk homepage is at http://mdcc.cx/uruk/ . iptables(8), iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), http://www.netfilter.org/ interfaces(5), http://packages.debian.org/ifupdown. COPYRIGHT Copyright (C) 2003 Stichting LogReport Foundation logreport@logre- port.org; Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/; Copyright (C) 2003-2013 Joost van Baal-Ili This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABIL- ITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. AUTHOR Joost van Baal-Ili uruk 20130809 9 2013 uruk(8) uruk-20160219/man/urukctl.html0000644000175000017500000003161612201162773013031 00000000000000 urukctl

9 авг 2013    urukctl 20130809

NAME

urukctl — uruk control script

SYNOPSIS

urukctl command [argument]

DESCRIPTION

urukctl is the user interface for the uruk system. It is used to create or change saved iptables rulesets, to change the current loaded rulesets and to report on uruk's status.

See uruk(8) for information on how to get started with the Uruk system, and for a tutorial. This manpage gives just the details on urukctl.

The urukctl script calls uruk to process /etc/uruk/rc. (The uruk init script calls urukctl.)

These 4 ruleset pairs (for both IPv4 and IPv6) exist in a system using uruk:

the ruleset as expressed in the uruk configuration /etc/uruk/rc,
the 2 saved rulesets in /var/lib/{iptables,ip6tables}/{active,inactive}
the ruleset as currently loaded in the running kernel
optional: more rulesets saved in /var/lib/{iptables,ip6tables}

arguments
urukctl should be called as either urukctl argument or urukctl argument option. Possible values of argument are:

start

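If not yet done, save the current iptables status in the "inactive" ruleset. (Re)build and load the "active" ruleset. As uruk(8) notes, the box is open for a short while during start, unless uruk-save is used.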

 
save ruleset

Save the current iptables status in given ruleset.

 
create <active|inactive>

Create an "active" or "inactive" ruleset with sane defaults: "active" will be based upon the uruk rc file. "inactive" will allow all traffic.

 
load ruleset

Load a saved ruleset

 
reload

(Re)build and load the "active" ruleset, without temporarily clearing the current iptables status.

 
force-reload

(Re)build and load the "active" ruleset, in case uruk is running. As uruk(8) notes, the box is open for a short while during force-reload, unless uruk-save is used.

 
stop

Load the "inactive" ruleset.

 
restart

Perform stop-actions followed by start-actions.

 
status

Print the current status of the service: show which ruleset is loaded, and whether uruk is "running".

 
clear

Remove all rules and user-defined chains, set default policy to ACCEPT. With no rules left, every packet is then accepted: the host is unfiltered.

 
halt

Remove all rules and user-defined chains, set default policy to DROP. With no rules left, every packet is then handled by the default policy, i.e. dropped.

 
flush

Flush all rules from the current iptables status.

configuration
urukctl uses the file /etc/default/uruk (on Debian, Ubuntu and related systems) or /etc/sysconfig/uruk (on Red Hat, Fedora and related systems) for configuration. Variables used in this file are:

enable_uruk_check

whether to check for existence and sanity of the uruk rc file; set to false if you don't like this, e.g. when using the uruk initscript for managing saved rulesets only (i.e. not for calling uruk or uruk-save).

 
enable_ipv6

set to false to disable IPv6 support. Set to $(enable-ipv6) to dynamically decide whether to filter IPv6 traffic.

 
enable_uruk_save

enable calling the unstable uruk-save script.

 
enable_autosave

set to "false" to disable autosaving the active ruleset when going from start to stop.

 
enable_save_counters

set to "false" to disable saving table counters with rulesets.

SEE ALSO

uruk(8), uruk-rc(5), uruk-save(8). The Uruk homepage is at http://mdcc.cx/uruk/ .

iptables(8), iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), http://www.netfilter.org/

interfaces(5), http://packages.debian.org/ifupdown.

COPYRIGHT

Copyright (C) 2013 Joost van Baal-Ilić <joostvb-uruk@mdcc.cx>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

AUTHOR

Joost van Baal-Ilić <joostvb-uruk@mdcc.cx> uruk-20160219/man/urukctl.ps0000644000175000017500000003363312201162773012510 00000000000000%!PS-Adobe-3.0 %%Creator: groff version 1.21 %%CreationDate: Fri Aug 9 14:52:11 2013 %%DocumentNeededResources: font Times-Roman %%+ font Times-Bold %%+ font Times-Italic %%+ font Courier %%DocumentSuppliedResources: procset grops 1.21 0 %%Pages: 3 %%PageOrder: Ascend %%DocumentMedia: Default 595 842 0 () () %%Orientation: Portrait %%EndComments %%BeginDefaults %%PageMedia: Default %%EndDefaults %%BeginProlog %%BeginResource: procset grops 1.21 0 %!PS-Adobe-3.0 Resource-ProcSet /setpacking where{ pop currentpacking true setpacking }if /grops 120 dict dup begin /SC 32 def /A/show load def /B{0 SC 3 -1 roll widthshow}bind def /C{0 exch ashow}bind def /D{0 exch 0 SC 5 2 roll awidthshow}bind def /E{0 rmoveto show}bind def /F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def /G{0 rmoveto 0 exch ashow}bind def /H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /I{0 exch rmoveto show}bind def /J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def /K{0 exch rmoveto 0 exch ashow}bind def /L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /M{rmoveto show}bind def /N{rmoveto 0 SC 3 -1 roll widthshow}bind def /O{rmoveto 0 exch ashow}bind def /P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def /Q{moveto show}bind def /R{moveto 0 SC 3 -1 roll widthshow}bind def /S{moveto 0 exch ashow}bind def /T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def /SF{ findfont exch [exch dup 0 exch 0 exch neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /MF{ findfont [5 2 roll 0 3 1 roll neg 0 0]makefont dup setfont [exch/setfont cvx]cvx bind def }bind def /level0 0 def /RES 0 def /PL 0 def /LS 0 def /MANUAL{ statusdict begin/manualfeed true store end }bind def /PLG{ gsave newpath clippath pathbbox grestore exch pop add exch pop }bind def /BP{ /level0 save def 1 setlinecap 1 setlinejoin DEFS/BPhook known{DEFS begin BPhook end}if 72 RES div dup 
scale LS{ 90 rotate }{ 0 PL translate }ifelse 1 -1 scale }bind def /EP{ level0 restore showpage }def /DA{ newpath arcn stroke }bind def /SN{ transform .25 sub exch .25 sub exch round .25 add exch round .25 add exch itransform }bind def /DL{ SN moveto SN lineto stroke }bind def /DC{ newpath 0 360 arc closepath }bind def /TM matrix def /DE{ TM currentmatrix pop translate scale newpath 0 0 .5 0 360 arc closepath TM setmatrix }bind def /RC/rcurveto load def /RL/rlineto load def /ST/stroke load def /MT/moveto load def /CL/closepath load def /Fr{ setrgbcolor fill }bind def /setcmykcolor where{ pop /Fk{ setcmykcolor fill }bind def }if /Fg{ setgray fill }bind def /FL/fill load def /LW/setlinewidth load def /Cr/setrgbcolor load def /setcmykcolor where{ pop /Ck/setcmykcolor load def }if /Cg/setgray load def /RE{ findfont dup maxlength 1 index/FontName known not{1 add}if dict begin { 1 index/FID ne 2 index/UniqueID ne and {def}{pop pop}ifelse }forall /Encoding exch def dup/FontName exch def currentdict end definefont pop }bind def /DEFS 0 def /EBEGIN{ moveto DEFS begin }bind def /EEND/end load def /CNT 0 def /level1 0 def /PBEGIN{ /level1 save def translate div 3 1 roll div exch scale neg exch neg exch translate 0 setgray 0 setlinecap 1 setlinewidth 0 setlinejoin 10 setmiterlimit []0 setdash /setstrokeadjust where{ pop false setstrokeadjust }if /setoverprint where{ pop false setoverprint }if newpath /CNT countdictstack def userdict begin /showpage{}def /setpagedevice{}def mark }bind def /PEND{ cleartomark countdictstack CNT sub{end}repeat level1 restore }bind def end def /setpacking where{ pop setpacking }if %%EndResource %%EndProlog %%BeginSetup %%BeginFeature: *PageSize Default << /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice %%EndFeature %%IncludeResource: font Times-Roman %%IncludeResource: font Times-Bold %%IncludeResource: font Times-Italic %%IncludeResource: font Courier grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 def/PL 841.89 
def/LS false def/ENC0[/asciicircum/asciitilde/Scaron /Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef /.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent /ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen /period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon /semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O /P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex /underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y /z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft /guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl /endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut /dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash /quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen /brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft /logicalnot/minus/registered/macron/degree/plusminus/twosuperior /threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior /ordmasculine/guilsinglright/onequarter/onehalf/threequarters /questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE /Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex /Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis /multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn /germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla /egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis /eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash /ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def /Courier@0 ENC0/Courier RE/Times-Italic@0 ENC0/Times-Italic RE /Times-Bold@0 ENC0/Times-Bold RE/Times-Roman@0 ENC0/Times-Roman RE %%EndSetup %%Page: 
1 1 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 126.515(urukctl\(8\) SYSTEM)20 48 R(ADMINISTRA) 2.5 E 129.015(TION urukctl\(8\))-1.11 F/F1 10.95/Times-Bold@0 SF -.219 (NA)20 84 S(ME).219 E F0(urukctl \255 uruk control script)100 96 Q F1 (SYNOPSIS)20 112.8 Q/F2 10/Times-Bold@0 SF(urukctl)100 124.8 Q/F3 10 /Times-Italic@0 SF(command)2.5 E F2([)2.5 E F3(ar)A(gument)-.37 E F2(])A F1(DESCRIPTION)20 141.6 Q F2(urukctl)100 153.6 Q F0 1.057 (is the user interf)3.558 F 1.057 (ace for the uruk system. It is used to create or change sa)-.1 F -.15 (ve)-.2 G 3.557(di).15 G(ptables)-3.557 E (rulesets, to change the current loaded rulesets and to report on uruk') 100 165.6 Q 2.5(ss)-.55 G(tatus.)-2.5 E(See)100 189.6 Q F2(uruk\(8\)) 2.807 E F0 .307(for information on ho)2.807 F 2.807(wt)-.25 G 2.808(og) -2.807 G .308(et started with the Uruk system, and for a tutorial. This) -2.808 F(manpage gi)100 201.6 Q -.15(ve)-.25 G 2.5(sj).15 G (ust the details on)-2.5 E F2(urukctl)2.5 E F0(.)A(The)100 225.6 Q F2 (urukctl)2.5 E F0(script calls)2.5 E F2(uruk)2.5 E F0 (to process /etc/uruk/rc. 
\(The uruk init script calls)2.5 E F2(urukctl) 2.5 E F0(.\))A(These 4 ruleset pairs \(for both IPv4 and IPv6\) e)100 249.6 Q(xist in a system using uruk:)-.15 E<83>100 273.6 Q (the ruleset as e)120 285.6 Q (xpressed in the uruk con\214guration /etc/uruk/rc,)-.15 E<83>100 297.6 Q 3.906(the 2 sa)120 309.6 R -.15(ve)-.2 G 6.406(dr).15 G 3.906 (ulesets in)-6.406 F/F4 10/Courier@0 SF (/var/lib/{iptables,ip6tables}/{active,inac-)6.406 E(tive})120 321.6 Q F0<83>100 333.6 Q(the ruleset as currently loaded in the running k)120 345.6 Q(ernel)-.1 E<83>100 357.6 Q(optional: more rulesets sa)120 369.6 Q -.15(ve)-.2 G 2.5(di).15 G(n)-2.5 E F4(/var/lib/{iptables,ip6tables}) 2.5 E F2(ar)100 393.6 Q(guments)-.1 E(urukctl)100 405.6 Q F0 .466 (should be called as either)2.965 F F4(urukctl)2.966 E F3(ar)2.966 E (gument)-.37 E F0(or)2.966 E F4(urukctl)2.966 E F3(ar)2.966 E .466 (gument option)-.37 F F0 2.966(.P)C(ossible)-2.966 E -.25(va)100 417.6 S (lues are:).25 E F2(start)100 441.6 Q F0 1.35(If not yet done, sa)120 453.6 R 1.65 -.15(ve c)-.2 H 1.35(urrent iptables status in "inacti).15 F -.15(ve)-.25 G 3.85("r).15 G 3.85(uleset. \(Re\)b)-3.85 F 1.35 (uild and load the)-.2 F("acti)120 465.6 Q -.15(ve)-.25 G 2.5("r).15 G (uleset.)-2.5 E F2(sa)100 489.6 Q -.1(ve)-.25 G F3(ruleset)2.6 E F0(Sa) 120 501.6 Q .3 -.15(ve t)-.2 H(he current iptables status in gi).15 E -.15(ve)-.25 G 2.5(nr).15 G(uleset.)-2.5 E F2(cr)100 525.6 Q(eate)-.18 E F0(<)2.5 E F4(active)A F0(|)A F4(inactive)A F0(>)A .706(Create an "acti) 120 537.6 R -.15(ve)-.25 G 3.206("o).15 G 3.206(r")-3.206 G(inacti) -3.206 E -.15(ve)-.25 G 3.206("r).15 G .706(uleset with sane def)-3.206 F .707(aults: "acti)-.1 F -.15(ve)-.25 G 3.207("w).15 G .707 (ill be based upon the)-3.207 F(uruk rc \214le. 
"inacti)120 549.6 Q -.15 (ve)-.25 G 2.5("w).15 G(ill allo)-2.5 E 2.5(wa)-.25 G(ll traf)-2.5 E (\214c.)-.25 E F2(load)100 573.6 Q F3(ruleset)2.5 E F0(Load a sa)120 585.6 Q -.15(ve)-.2 G 2.5(dr).15 G(uleset)-2.5 E F2 -.18(re)100 609.6 S (load).18 E F0(\(Re\)b)120 621.6 Q 1.51(uild and load the "acti)-.2 F -.15(ve)-.25 G 4.01("r).15 G 1.51 (uleset, without temporarily clearing the current iptables)-4.01 F (status.)120 633.6 Q F2 -.25(fo)100 657.6 S -.18(rc).25 G(e-r).18 E (eload)-.18 E F0(\(Re\)b)120 669.6 Q(uild and load the "acti)-.2 E -.15 (ve)-.25 G 2.5("r).15 G(uleset, in case uruk is running.)-2.5 E F2(stop) 100 693.6 Q F0(Load the "inacti)120 705.6 Q -.15(ve)-.25 G 2.5("r).15 G (uleset.)-2.5 E F2 -.18(re)100 729.6 S(start).18 E F0(urukctl 20130809) 20 768 Q 2.5<39d0>132.34 G-2.5 E(1)198.17 E 0 Cg EP %%Page: 2 2 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 126.515(urukctl\(8\) SYSTEM)20 48 R(ADMINISTRA) 2.5 E 129.015(TION urukctl\(8\))-1.11 F(Perform stop-actions follo)120 84 Q(wed by start-actions.)-.25 E/F1 10/Times-Bold@0 SF(status)100 108 Q F0 1.442(Print the current status of the service: sho)120 120 R 3.943 (ww)-.25 G 1.443(hich ruleset is loaded, and wether uruk is)-3.943 F ("running".)120 132 Q F1(clear)100 156 Q F0(Remo)120 168 Q .3 -.15(ve a) -.15 H(ll rules and user).15 E(-de\214ned chains, set def)-.2 E (ault polic)-.1 E 2.5(yt)-.15 G 2.5(oA)-2.5 G(CCEPT.)-2.9 E F1(halt)100 192 Q F0(Remo)120 204 Q .3 -.15(ve a)-.15 H(ll rules and user).15 E (-de\214ned chains, set def)-.2 E(ault polic)-.1 E 2.5(yt)-.15 G 2.5(oD) -2.5 G -.4(RO)-2.5 G(P.).4 E F1(\215ush)100 228 Q F0 (Flush all rules from the current iptables status.)120 240 Q F1 (con\214guration)100 264 Q(urukctl)100 276 Q F0 .904 (uses the \214le /etc/def)3.405 F .904(ault/uruk \(on Debian, Ub)-.1 F .904(untu and related systems\) or /etc/syscon-)-.2 F .892(\214g/uruk \ \(on Red Hat, Fedora and related systems\) for con\214guration. 
V)100 288 R .892(ariables used in this \214le)-1.11 F(are:)100 300 Q (enable_uruk_check)100 324 Q .894(wether to check for e)120 336 R .894 (xistence and sanity of uruk rc \214le; set to f)-.15 F .894 (alse if you don')-.1 F 3.393(tl)-.18 G(ik)-3.393 E 3.393(et)-.1 G(his,) -3.393 E 1.433(e.g. when using the uruk initscript for managing sa)120 348 R -.15(ve)-.2 G 3.933(dr).15 G 1.433 (ulesets only \(i.e. not for calling)-3.933 F(uruk or uruk-sa)120 360 Q -.15(ve)-.2 G(\).).15 E(enable_ipv6)100 384 Q 2.08(set to f)120 396 R 2.079(alse to disable IPv6 support. Set to)-.1 F/F2 10/Courier@0 SF ($\(enable-ipv6\))4.579 E F0 2.079(to dynamically decide)4.579 F (wether to \214lter IPv6 traf)120 408 Q(\214c.)-.25 E(enable_uruk_sa)100 432 Q -.15(ve)-.2 G(enable calling the unstable uruk-sa)120 444 Q .3 -.15(ve s)-.2 H(cript.).15 E(enable_autosa)100 468 Q -.15(ve)-.2 G (set to "f)120 480 Q(alse" to disable autosa)-.1 E(ving the acti)-.2 E .3 -.15(ve r)-.25 H(uleset when going from start to stop.).15 E (enable_sa)100 504 Q -.15(ve)-.2 G(_counters).15 E(set to "f)120 516 Q (alse" to disable sa)-.1 E(ving table counters with rulesets.)-.2 E/F3 10.95/Times-Bold@0 SF(SEE ALSO)20 532.8 Q F1(uruk\(8\))100 544.8 Q F0(,) A F1(uruk-r)2.5 E(c\(5\))-.18 E F0(,)A F1(uruk-sa)2.5 E -.1(ve)-.25 G (\(8\)).1 E F0 2.5(.T)C(he Uruk homepage is at http://mdcc.cx/uruk/ .) 
-2.5 E F1(iptables\(8\))100 568.8 Q F0(,)A F1(iptables-sa)4.652 E -.1 (ve)-.25 G(\(8\)).1 E F0(,)A F1(iptables-r)4.652 E(estor)-.18 E(e\(8\)) -.18 E F0(,)A F1(ip6tables\(8\))4.652 E F0(,)A F1(ip6tables-sa)4.652 E -.1(ve)-.25 G(\(8\)).1 E F0(,)A F1(ip6tables-)4.652 E -.18(re)100 580.8 S(stor).18 E(e\(8\))-.18 E F0 2.5(,h)C(ttp://www.net\214lter.or)-2.5 E (g/)-.18 E F1(interfaces\(5\))100 604.8 Q F0 2.5(,h)C (ttp://packages.debian.or)-2.5 E(g/ifupdo)-.18 E(wn.)-.25 E F3 (COPYRIGHT)20 621.6 Q F0(Cop)100 633.6 Q(yright \(C\) 2013 Joost v)-.1 E (an Baal-Ili\304 )-.25 E 1.217 (This program is free softw)100 657.6 R 1.217(are: you can redistrib)-.1 F 1.217(ute it and/or modify it under the terms of the)-.2 F .466 (GNU General Public License as published by the Free Softw)100 669.6 R .466(are F)-.1 F .466(oundation, either v)-.15 F .466(ersion 3 of)-.15 F (the License, or \(at your option\) an)100 681.6 Q 2.5(yl)-.15 G(ater v) -2.5 E(ersion.)-.15 E 2.087(This program is distrib)100 705.6 R 2.087 (uted in the hope that it will be useful, b)-.2 F 2.086 (ut WITHOUT ANY W)-.2 F(AR-)-1.2 E(RANTY)100 717.6 Q 4.226(;w)-.92 G 1.726(ithout e)-4.226 F -.15(ve)-.25 G 4.226(nt).15 G 1.726 (he implied w)-4.226 F 1.726(arranty of MERCHANT)-.1 F 1.727 (ABILITY or FITNESS FOR A)-.93 F -.92(PA)100 729.6 S -.6(RT).92 G (ICULAR PURPOSE. See the GNU General Public License for more details.).6 E(urukctl 20130809)20 768 Q 2.5<39d0>132.34 G-2.5 E(2)198.17 E 0 Cg EP %%Page: 3 3 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF 126.515(urukctl\(8\) SYSTEM)20 48 R(ADMINISTRA) 2.5 E 129.015(TION urukctl\(8\))-1.11 F -1.1(Yo)100 84 S 2.589(us)1.1 G .089(hould ha)-2.589 F .389 -.15(ve r)-.2 H(ecei).15 E -.15(ve)-.25 G 2.589(dac).15 G(op)-2.589 E 2.589(yo)-.1 G 2.589(ft)-2.589 G .089 (he GNU General Public License along with this program. 
If)-2.589 F (not, see http://www.gnu.or)100 96 Q(g/licenses/.)-.18 E/F1 10.95 /Times-Bold@0 SF -.548(AU)20 112.8 S(THOR).548 E F0(Joost v)100 124.8 Q (an Baal-Ili\304 )-.25 E(urukctl 20130809)20 768 Q 2.5<39d0>132.34 G-2.5 E(3)198.17 E 0 Cg EP %%Trailer end %%EOF uruk-20160219/man/urukctl.txt0000644000175000017500000001100012201162773012665 00000000000000urukctl(8) SYSTEM ADMINISTRATION urukctl(8) NAME urukctl - uruk control script SYNOPSIS urukctl command [argument] DESCRIPTION urukctl is the user interface for the uruk system. It is used to create or change saved iptables rulesets, to change the current loaded rulesets and to report on uruk's status. See uruk(8) for information on how to get started with the Uruk system, and for a tutorial. This manpage gives just the details on urukctl. The urukctl script calls uruk to process /etc/uruk/rc. (The uruk init script calls urukctl.) These 4 ruleset pairs (for both IPv4 and IPv6) exist in a system using uruk: o the ruleset as expressed in the uruk configuration /etc/uruk/rc, o the 2 saved rulesets in /var/lib/{iptables,ip6tables}/{active,inac- tive} o the ruleset as currently loaded in the running kernel o optional: more rulesets saved in /var/lib/{iptables,ip6tables} arguments urukctl should be called as either urukctl argument or urukctl argument option. Possible values are: start If not yet done, save current iptables status in "inactive" ruleset. (Re)build and load the "active" ruleset. save ruleset Save the current iptables status in given ruleset. create Create an "active" or "inactive" ruleset with sane defaults: "active" will be based upon the uruk rc file. "inactive" will allow all traf- fic. load ruleset Load a saved ruleset reload (Re)build and load the "active" ruleset, without temporarily clearing the current iptables status. force-reload (Re)build and load the "active" ruleset, in case uruk is running. stop Load the "inactive" ruleset. restart Perform stop-actions followed by start-actions. 
status Print the current status of the service: show which ruleset is loaded, and whether uruk is "running". clear Remove all rules and user-defined chains, set default policy to ACCEPT. halt Remove all rules and user-defined chains, set default policy to DROP. flush Flush all rules from the current iptables status. configuration urukctl uses the file /etc/default/uruk (on Debian, Ubuntu and related systems) or /etc/sysconfig/uruk (on Red Hat, Fedora and related systems) for configuration. Variables used in this file are: enable_uruk_check whether to check for existence and sanity of uruk rc file; set to false if you don't like this, e.g. when using the uruk initscript for manag- ing saved rulesets only (i.e. not for calling uruk or uruk-save). enable_ipv6 set to false to disable IPv6 support. Set to $(enable-ipv6) to dynami- cally decide whether to filter IPv6 traffic. enable_uruk_save enable calling the unstable uruk-save script. enable_autosave set to "false" to disable autosaving the active ruleset when going from start to stop. enable_save_counters set to "false" to disable saving table counters with rulesets. SEE ALSO uruk(8), uruk-rc(5), uruk-save(8). The Uruk homepage is at http://mdcc.cx/uruk/ . iptables(8), iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), http://www.netfilter.org/ interfaces(5), http://packages.debian.org/ifupdown. COPYRIGHT Copyright (C) 2013 Joost van Baal-Ilić This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABIL- ITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. AUTHOR Joost van Baal-Ili urukctl 20130809 9 2013 urukctl(8) uruk-20160219/man/uruk-rc.azm0000644000175000017500000002676712476342754012603 00000000000000\: vim:syntax=tex \: this file maintained at http://git.mdcc.cx/uruk.git \: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7) \import{pud/man.zmm} \import{./include.zmm} \begin{pud::man}{ {name}{uruk-rc} {html_title}{Uruk rc file} {section}{5} \man_share } \${html}{\"pud::man::maketoc"} \sec{name}{NAME} \NAME{uruk-rc}{uruk resource file, defining access policy} \sec{synopsis}{SYNOPSIS} \par{\tt{\rcpath}} \sec{description}{DESCRIPTION} \rc is a shell script snippet, sourced in \uruk by /bin/sh. \par{\rc lists IP addresses, allowed to use services.} \sec{examples}{EXAMPLES} \cpar{default}{ The simplest valid \rc file is the empty file. This \rc file blocks all TCP and UDP connection attempts to services on our host: this is the default behaviour. } \cpar{simplest}{ The simplest \rc file which does allow traffic to our services looks like e.g.: \verbatim{\ interfaces=eth0 ips_eth0=default ip_eth0_default=192.168.26.27 net_eth0_default=192.168.0.0/16 ip6_eth0_default=2001:db8::1/64 net6_eth0_default=2001:db8::/32 services_eth0_default_tcp=local ports_eth0_default_tcp_local="0:65535" sources_eth0_default_tcp_local="0.0.0.0/0 ::/0" services_eth0_default_udp=local ports_eth0_default_udp_local="0:65535" sources_eth0_default_udp_local="0.0.0.0/0"} This \rc file allows all IPv4 and IPv6 UDP and TCP traffic from publicly routable IPs to eth0's IP. } \cpar{realistic}{ If you'd like to block traffic on wlan0 and allow traffic to ssh on your wired interface, and don't like to explicitly set your IPs in \rc: } \verbatim{\ # list of interfaces you'd like uruk to protect interfaces=eth0 wlan0 # set variables ip{,6}_eth0_default and net{,6}_eth0_default . 
/lib/uruk/init/autodetect-ips # names for eth0's 2 IPv4 addresses ips_eth0="default dhcp" # allow access to our sshd on eth0's primary IP on tcp port 443 # from anywhere services_eth0_default_tcp=ssh ports_eth0_default_tcp_ssh=443 sources_eth0_default_tcp_ssh="0.0.0.0/0 ::/0" # we get a static IPv4 via dhcp ip_eth0_dhcp=10.0.0.3 net_eth0_dhcp=10./8 services_eth0_dhcp_tcp=http ports_eth0_dhcp_tcp_http=http sources_eth0_dhcp_tcp_http=$net_eth0_dhcp # we leave services_wlan0_default_{tcp,udp} unset: don't allow any # incoming connections on wlan0's default IP } \cpar{autodetect-ips}{ The script autodetect-ips --as used in the previous example-- looks for files /etc/sysconfig/network-scripts/ifcfg-* (commonly found at e.g. Red Hat and Fedora systems) and /etc/network/interfaces (as found at e.g. Debian and Ubuntu systems), and, for each interface \it{nic}, and each found IPv4 and IPv6 address and network, sets variables \v{ip_}\it{nic}\v{_default}, \v{ip6_}\it{nic}\v{_default}, \v{net_}\it{nic}\v{_default} and \v{net6_}\it{nic}\v{_default} . Then it calls ip(8) and adds any other found \it{nic}, \v{ip} and \v{net} triplets (for IPv4 and, for IPv6, only addresses in scope "global"). } \par{ The script autodetect-ips is useful if you'd like to share your \rc file among different hosts. } \cpar{another example}{ For an even more reasonable \rc file, look at the well-commented example \rc file in \ttexpath. } \sec{IPv4 and IPv6}{IPv4 AND IPv6} \par{You can mix IPv4 and IPv6-addresses in sources_*. 
E.g.:} \verbatim{\ ips_eth0='default private' ip_eth0_default=1.2.3.4 ip6_eth0_default= services_eth0_default_tcp='mail local' sources_eth0_default_tcp_mail='10.0.0.0/24 192.0.32.0/24 192.168.6.26' sources_eth0_default_tcp_local='192.0.32.0/24 svejk.example.com 2001:db8::/32' ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local='ssh ftp'} \par{If svejk.example.com has both an IPv4 PTR record in DNS, as well as an IPv6 PTR record, connection attempts from svejk to the ssh and ftp TCP ports are allowed, via both IPv4 and IPv6.} \par{Uruk used to require variables sources6_* to be set to support ip6tables. Since uruk version 20140319 (The Alfama Release), this is no longer needed; setting sources_* suffices. To be precise, the semantics since uruk version 20140319 is: 1) If both sources_* and sources6_* are defined (even if they're just empty), each is used for its respective address family. (This ensures backwards compatibility.) 2) If sources6_* is undefined, sources_* is used for both v4 and v6. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently (!) ignored.} \sec{Hooks}{HOOKS} Uruk offers hooks for inserting your own code between iptables invocations. Examples will show the usefulness of these hooks. \cpar{allowing broadcasts}{ In \rc, there is: \verbatim{\ rc_b=$etcdir/bootp} while the file \tt{bootp} reads \verbatim{\ iptables \-A INPUT \-m state \-\-state NEW \-i eth0 \\ \-\-protocol udp \-\-destination-port bootps \-j ACCEPT } . This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in its regular \rc.) 
} \cpar{allowing non-matching returntraffic}{ In \rc there is: \verbatim{\ rc_d=$etcdir/dns} while the file \tt{dns} reads \verbatim{\ for source in 10.5.0.27 10.56.0.40 do $iptables -A INPUT -i eth0 --protocol udp \\ --source "$source" --source-port domain \\ --destination "$ip_eth0" \\ --destination-port 30000: -j ACCEPT done} This allows one to allow (return)traffic, disregarding the state. (Uruk has no support for this in its regular \rc.) } \cpar{allowing NAT}{ In \rc there is: \verbatim{\ rc_a=${etcdir}/nat} while the file \tt{nat} reads \verbatim{\ $iptables -t nat -A POSTROUTING \\ --out-interface eth0 -j SNAT \\ --to-source $ip_eth0} This allows Network Address Translation. However, beware! Like all extensive use of hooks, this will break the \uruk_save script. If you make sure your active iptables rules are wiped, and invoke \uruk manually to load new rules, you're safe. Using the init script with its default settings is safe too. } \cpar{allowing IPv6 tunneling}{ In \rc there is: \verbatim{\ rc_b=${etcdir}/proto_41} while the file \tt{proto_41} reads \verbatim{\ $iptables -A INPUT -i ppp0 --protocol 41 --destination $ip_ppp0 -j ACCEPT} This allows IP protocol 41, typically used for this kind of tunneling. } \cpar{allowing any traffic on an interface}{ In \rc there is: \verbatim{\ interfaces_unprotect="lo eth2"} This allows any traffic on \tt{eth2} (and on \tt{lo}, the default), including any ICMP packets and packets from any source address. } \cpar{using multiple hooks at one entry point in the main uruk process}{ In case rc_a, rc_b, ... , or rc_i does not have a file as its value, but a directory, all files matching "$rc_x"/*.rc will get sourced. This helps configuration management in complex situations involving lots of uruk configuration files for lots of hosts. } \par{ See the section "THE GORY DETAILS: uruk INTERNALS" in \sibref{uruk}{uruk(8)} (or the \uruk source) to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use. 
} \sec{Network interfaces with multiple IP addresses}{NETWORK INTERFACES WITH MULTIPLE IP ADDRESSES} Uruk supports situations where a network interface has more than one IP address attached. Variables \v{ips_}\it{nic} and \v{bcasts_}\it{nic} are used for this. \par{ If \v{ips_}\it{nic} is set, e.g. like \verbatim{\ ips_eth0="ip0 ip1 ip2"} we assume multiple (three in this example) IPs are assigned to \v{eth0}. If this variable is not set only one IP is supported on \v{eth0}. } \par{ In multiple-IP mode, IP addresses are listed as e.g. \verbatim{\ ip_eth0_ip0="137.56.247.16"} (If you're used to the Linux ifconfig(8) output, you could use the name \v{ip} for \v{eth0}, and \v{ip0} for \v{eth0:0}.) The \it{ports}, \it{services} and \it{sources} variables look like e.g. \verbatim{\ services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnet} and, similarly, \verbatim{\ net_eth0_ip1=192.168.0.0/16} Furthermore, for dropping broadcast packets, specify e.g. \verbatim{\ bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10.0.0.255" bcast_eth0_ip2="10.0.255.255"} } As an additional feature, if you have multiple IP addresses that all need to get the same rules, you can assign them to a single name: \verbatim{\ ip_eth0_ip0="137.56.247.16 137.56.247.17 137.56.247.18"} \sec{logging and debugging}{LOGGING AND DEBUGGING} Uruk has support for logging network packets, and for debugging the uruk script. \cpar{Logging}{ By default, uruk logs denied packets. This is adjustable using the \it{loglevel} variable. The settings are: \begin{itemize}{ {contiguous}{1} {compact}{1} {type}{mark} } \item "zero": be silent; do not log any packet. \rc file features \v{loglevel=10}. \item "low": log denied packets, which are targeted at one of our IPs. \rc file features \v{loglevel=30}. \item "medium": log denied non-broadcast packets. This is the default: \it{loglevel} is unset or \rc file features \v{loglevel=50}. 
\item "fascist": log all packets. \rc file features \v{loglevel=90}. \end{itemize} \: \item "zero": be silent; do not log any packet. \it{loglevel} is greater than \: -1 and less than 20. \: \: \item "low": log denied packets, which are targeted at one of our IPs. \: \it{loglevel} is greater than 19 and less than 40. \: \: \item "medium": log denied non-broadcast packets. This is the default: \: \it{loglevel} is unset or \it{loglevel} is set and greater than 39 and less \: than 60. \: \: \item "high": log all denied packets. \: \: \item "fascist": log all packets. \it{loglevel} is greater than 80 and less than 99. \: \: loglevel= 0 < 20 (suggest: 10) zero: be silent \: 20 < 40 (suggest: 30) low: log denied packets, targeted at our IPs (wsl-mode) \: 40 < 60 ( 50) medium: log denied non-broadcasts (default) \: 60 < 80 ( 70) high: log denied packets \: 80 < 99 ( 90) fascist: log all packets } \cpar{Debugging}{ To debug the \uruk script, invoke uruk as \verbatim{\ sh -x /sbin/uruk} this shows what is done, along with executing it. (Like an uruk '-v' option.) } \par{ If you'd rather prefer not to execute, but just watch what would've been done, invoke uruk as \verbatim{\ URUK_IPTABLES='echo iptables' URUK_IP6TABLES='echo ip6tables' uruk} (Like an uruk '-n' option.) If you have this statement set, you can run \uruk under a non-priviliged user account. } \par{ If you'd like to test a new \rc file before installing it, run something like: \verbatim{\ URUK_CONFIG=/path/to/new/uruk/rc/file uruk} } \par{ Of course, all these tweaks can be combined. } \sec{variables}{VARIABLES} The uruk script honors the following variables in \rc files: \begin{itemize}{ {contiguous}{1} {compact}{1} {type}{mark} } \item "version" Uruk version compatibility of this \rc file \item "loglevel" \item "iptables" Full pathname of iptables executable. \item "ip6tables" Full pathname of ip6tables executable. \item "interfaces" List of network interfaces. \end{itemize} More variables are available. 
For now, you'll have to take a look at the example \rc file in \ttexpath for more details. \sec{environment variables}{ENVIRONMENT VARIABLES} See \sibref{uruk}{uruk(8)} for a list of honored environment variables. \sec{files}{FILES} \tt{\rcpath} \sec{see also}{SEE ALSO} A well-commented example \rc file is in \ttexpath. And see \sibref{uruk}{uruk(8)}, \sibref{uruk-save}{uruk-save(8)}. \sec{copyright}{COPYRIGHT} Copyright (C) 2005, 2007, 2008, 2010, 2011, 2012, 2013 \"man::author" \gplheader \sec{author}{AUTHOR} \"man::author" \end{pud::man} uruk-20160219/man/uruk-save.azm0000644000175000017500000000440112200455502013067 00000000000000\: vim:syntax=tex \: this file maintained at http://git.mdcc.cx/uruk.git \: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7) \import{pud/man.zmm} \import{./include.zmm} \begin{pud::man}{ {name}{uruk-save} {html_title}{uruk-save} {section}{8} \man_share } \${html}{\"pud::man::maketoc"} \sec{name}{NAME} \NAME{uruk-save}{save uruk rc configuration in iptables-save-style format} \sec{synopsis}{SYNOPSIS} \par{\uruk_save \bf{[}-6\bf{]}} \sec{options}{OPTIONS} \begin{itemize} \item{-6} Don't save iptables rules but save ip6tables rules, for IPv6 filtering. \end{itemize} \sec{description}{DESCRIPTION} \uruk_save saves the IPv4 rules (for all of the filter, raw, mangle and nat tables) in \ttrcpath in \bf{iptables-save(5)}-style format, without invoking \bf{iptables(8)}. If the \bf{-6} option is given, the IPv6 rules (if any) in \ttrcpath are saved, in \bf{ip6tables-save(5)}-style format. It prints output to stdout; suggested invocation therefore is \verbatim{\ # uruk-save > \statepath/iptables/active} or \verbatim{\ # uruk-save -6 > \statepath/ip6tables/active} . This script is useful if you don't like the default behaviour of the uruk init script, and would like it to load the current uruk rc file instead of the current active file. 
Please note: generally you don't need to invoke this script manually: the script \urukctl which comes with uruk is suitable for most cases, it invokes \uruk_save if needed. \sec{warning}{WARNING} Just as \uruk, in order to keep the \uruk_save script small and simple, the script does very little error handling. It does not check the contents of the \rc file in any way before executing it. When your \rc file contains bogus stuff, \uruk_save will very likely behave in unexpected ways. Caveat emptor. \par{ Things will likely break if you do very fancy stuff in an \rc hook file. If your \rc file is in verbose mode (i.e. it features \tt{set -x}) or in no-act mode (i.e. it features a hardcoded \tt{iptables='echo iptables'}), \uruk_save fails. } \sec{see also}{SEE ALSO} \sibref{uruk}{uruk(8)}, \sibref{uruk-rc}{uruk-rc(5)} . \sec{copyright}{COPYRIGHT} Copyright (C) 2005, 2007, 2010, 2011, 2012, 2013 \"man::author" \gplheader \sec{author}{AUTHOR} \"man::author" \end{pud::man} uruk-20160219/man/uruk.azm0000644000175000017500000002477112200455502012147 00000000000000\: vim:syntax=tex \: this file maintained at http://git.mdcc.cx/uruk.git \: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7) \import{pud/man.zmm} \import{./include.zmm} \begin{pud::man}{ {name}{uruk} {html_title}{uruk} {section}{8} \man_share } \${html}{\"pud::man::maketoc"} \sec{name}{NAME} \NAME{uruk}{wrapper for Linux iptables, for managing firewall rules} \sec{synopsis}{SYNOPSIS} \uruk \sec{description}{DESCRIPTION} \uruk loads an \rc file (see \sibref{uruk-rc}{uruk-rc(5)}) which defines network service access policy, and invokes \bf{iptables(8)} to set up firewall rules implementing this policy. By default the file \ttrcpath is used; one can overrule this by specifying another file in the URUK_CONFIG environment variable. 
Under some circumstances, it's useful to use another command for iptables; this can be achieved by setting the URUK_IPTABLES (and/or URUK_IP6TABLES) environment variables. See \sibref{uruk-rc}{uruk-rc(5)} for details. \sec{quick setup guide}{QUICK SETUP GUIDE} Uruk will \it{not} "just work" out of the box. It needs manual configuration. For those of you who don't like reading lots of documentation: \verbatim{\ # cp \expath \\ \rcpath # vi \rcpath # urukctl start} \sec{getting started}{GETTING STARTED} Once the \uruk script is installed, you want to go use it, of course. We'll give a detailed description of what to do here. \par{ First, create an \rc file. See \sibref{uruk-rc}{uruk-rc(5)} for info on how to do this. Once this file is created and installed (this script looks in \ttrcpath by default), you're ready to run \uruk. You might want to test your \rc file by running \uruk in debug mode, see \sibref{uruk-rc}{uruk-rc(5)}. There are at least 3 ways to load your \rc file. We'll first describe a low level one: using vanilla iptables. } \cpar{Vanilla iptables}{ After editing \rc, load your rules like this. First flush your current rules: \verbatim{\ # iptables -F # ip6tables -F} Then enable your \rc rules \verbatim{\ # uruk} . Inspect the rules by doing: \verbatim{\ # iptables -L # ip6tables -L} . If you want to make these changes survive a reboot, use the init script as shipped with this package. If you'd rather write your own init script, the \bf{iptables-restore(8)} and \bf{iptables-save(8)} commands from the iptables package might be helpful. } \cpar{Using the Uruk init script}{ Assumed is the Uruk init script is installed as explained in the README file. Optionally, install \tt{/etc/default/uruk} (or \tt{/etc/sysconfig/uruk}) and tweak it. An example file is in \tt{\defpath} (You might like to enable support for \uruk_save.) Now activate uruk by doing: \verbatim{\ # urukctl start} Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset. 
While executing \tt{urukctl start}, your box is open during a short while. If you don't like this, read below about \uruk_save. } \par{ When rebooting, everything will be fine: \ttinitpath stores state in \tt{\statepath/iptables}, using iptables-save(8), which comes with Linux iptables. } \cpar{Using Debian ifupdown}{ In case you have just one network interface which should get protected, you could use \bf{interfaces(5)} from the Debian ifupdown package instead of the init script. Suppose you'd like to protect \tt{ppp0}, and would like not to interfere with traffic on eth0: your other network interface. First write an \rc file. Be sure it features \verbatim{\ interfaces_unprotect="lo eth0"} Then run: \verbatim{\ # mkdir -p \statepath/iptables # iptables -F # iptables-save -c > \statepath/iptables/down # uruk # iptables-save -c > \statepath/iptables/up} Add \verbatim{\ pre-up iptables-restore < \statepath/iptables/up post-down iptables-restore < \statepath/iptables/down} to your interfaces stanza, in your \tt{/etc/network/interfaces} . } \par{ Similar tricks might be possible on GNU/Linux systems from other distributions. The author is interested. } \sec{loading a new rc file}{LOADING A NEW \rc FILE} Need to change your rules? \cpar{Using the Uruk init script}{ Do \verbatim{\ # vi \rcpath # urukctl force-reload} While executing \tt{urukctl force-reload}, your box is open during a short while. If you don't like this, read below about \uruk_save. } \sec{the gory details uruk internals}{THE GORY DETAILS: uruk INTERNALS} The \uruk script works like (and looks like) the list of statements below. Of course, take a look at \tt{\sbinpath/uruk} for the final word on the workings. 
\begin{itemize}{ {contiguous}{1} {compact}{1} {type}{arabic} } \item \rc is sourced as a shell script \item Traffic on $interfaces_unprotect (just lo per default) is trusted: \verbatim{\ $iptables -A INPUT -i $iface -j ACCEPT} \item $rc_a is sourced as a shell script, or, in case $rc_a is a directory, all files matching $rc_a/*.rc are sourced as shell scripts \item ESTABLISHED and RELATED packets are ACCEPT-ed: \verbatim{\ $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \\ -j ACCEPT} \item $rc_b is sourced \item $interfaces gets protected against spoofing: we don't allow anyone to spoof non-routable addresses. We block outgoing packets that don't have our address as source: they are either spoofed or something is misconfigured (NAT disabled, for instance). We want to be nice and not send out garbage. \verbatim{\ $iptables -A INPUT -i $iface --source $no_route_ip \\ -j DROP} We drop all incoming packets which don't have us as destination: \verbatim{\ $iptables -A OUTPUT -o $iface --source ! "$ip" \\ -j DROP} (The rule shown here matches on the source address of outgoing packets, so it is the one which blocks outgoing packets that don't have our address as source; see \tt{\sbinpath/uruk} for the exact rules applied to incoming packets.) And we always allow outgoing connections: \verbatim{\ $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \\ -j ACCEPT} \item $rc_c is sourced \item Allow traffic to offered services, from trusted sources: \verbatim{\ $iptables -A INPUT -m conntrack --ctstate NEW \\ -i $iface --protocol $proto --source "$source" \\ --destination "$ip" --destination-port "$port" \\ -j ACCEPT} \item $rc_d is sourced \item Don't answer broadcast and multicast packets: \verbatim{\ $iptables -A INPUT -i $iface --destination "$bcast" \\ -j DROP} \item $rc_f is sourced \item Explicitly allow a subset of the ICMP types. (We disallow all other traffic later.) 
\verbatim{\ $iptables -A INPUT --protocol icmp --icmp-type $type \\ -j ACCEPT} \item $rc_g is sourced \item Log packets (which make it this far) \verbatim{\ $iptables -A INPUT -j LOG --log-level debug \\ --log-prefix 'iptables: '} \item $rc_h is sourced \item Reject all other packets \verbatim{\ $iptables -A INPUT -j REJECT} \item $rc_i is sourced \end{itemize} \sec{using uruk-save as the initscript backend}{USING uruk-save AS THE INITSCRIPT BACKEND} By default, \uruk_save is not used by the uruk init script. You might want to use it, though. The \uruk_save script is faster and when using \uruk_save, your box won't be open while loading new rules. But beware: \uruk_save is not as robust as using \uruk itself. \par{ The script \urukctl (and thus the uruk init script) will use \uruk_save only if asked to do so in \tt{/etc/default/uruk} (or \tt{/etc/sysconfig/uruk}). If this file features \verbatim{\ enable_uruk_save=true} \uruk_save is used whenever appropriate. See \sibref{uruk-save}{uruk-save(8)} for more details. } \sec{policy}{DEFAULT POLICY} By default, \uruk drops packets which have unknown RFC 1918 private network addresses in their source or destination. \par{ It rejects packets which have neither source nor destination set to one of our IPs. } \par{ Packets belonging to locally initiated sessions are allowed: we match state; the local host can act as a client for any remote service. 
} \par{ By default, \uruk drops all ICMP packets (except those for interfaces in $interfaces_unprotect) with type other than \begin{itemize}{ {contiguous}{1} {compact}{1} {type}{mark} } \item address-mask-reply \item address-mask-request \item destination-unreachable (this is a catch-all for a lot of types) \item echo-request \item echo-reply \item parameter-problem (catch-all for ip-header-bad and required-option-missing) \item timestamp-reply \item timestamp-request \item ttl-zero-during-transit \item ttl-zero-during-reassembly \end{itemize} } \par{ By default, the FORWARD chain is left untouched, so has policy ACCEPT. (This won't do much harm, since packet forwarding is disabled by default in the Linux kernel. However, if you don't mind being paranoid, you might want to add a \verbatim{\ iptables --policy FORWARD REJECT} to your $rc_a uruk hook. Note that iptables accepts only ACCEPT or DROP as the policy of a built-in chain, so use DROP if REJECT is refused; this matters most on hosts where packet forwarding has been enabled. See \sibref{uruk-rc}{uruk-rc(5)}.) } \par{ By default, \uruk logs all UDP and TCP packets which are blocked by the user-defined policies. Loglevel is debug, logprefix is "iptables:". See also the notes on \it{loglevel} in \sibref{uruk-rc}{uruk-rc(5)}. } \par{ Blocked TCP packets are answered with a tcp-reset. } \sec{warning}{WARNING} In order to keep the \uruk script small and simple, the script does very little error handling. It does not check the contents of the \rc file in any way before executing it. When your \rc file contains bogus stuff, \uruk will very likely behave in unexpected ways. Because the \rc file and the hook files it names are sourced as shell scripts, anyone who can write to them can run commands as the user invoking \uruk (normally root); keep them writable by root only. Caveat emptor. \sec{environment}{ENVIRONMENT} You can override some defaults in the shell before executing the uruk script. \uruk honors the following variables: \begin{itemize}{ {contiguous}{1} {compact}{1} {type}{mark} } \item "URUK_CONFIG" Full pathname of \rc file; \ttrcpath by default. \item "URUK_IPTABLES" Full pathname of iptables executable. \tt{/sbin/iptables} by default. Overrides \it{iptables}. \item "URUK_IP6TABLES" Full pathname of ip6tables executable, for IPv6 support. Overrides \it{ip6tables}. 
\item "URUK_INTERFACES_UNPROTECT" Default list of unprotected interfaces. Overrides \it{interfaces_unprotect}. The default default is \v{lo}. \end{itemize} \sec{see also}{SEE ALSO} \sibref{uruk-rc}{uruk-rc(5)}, \sibref{uruk-save}{uruk-save(8)}. The Uruk homepage is at \httpref{http://mdcc.cx/uruk/} . \par{ \bf{iptables(8)}, \bf{iptables-save(8)}, \bf{iptables-restore(8)}, \bf{ip6tables(8)}, \bf{ip6tables-save(8)}, \bf{ip6tables-restore(8)}, \httpref{http://www.netfilter.org/} \: (no manpage online :( ) } \par{ \bf{interfaces(5)}, \httpref{http://packages.debian.org/ifupdown}. } \sec{copyright}{COPYRIGHT} Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org; Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/; Copyright (C) 2003-2013 \"man::author" \gplheader \sec{author}{AUTHOR} \"man::author" \end{pud::man} uruk-20160219/man/urukctl.azm0000644000175000017500000001045612200455502012645 00000000000000\: vim:syntax=tex \: this file maintained at http://git.mdcc.cx/uruk.git \: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7) \import{pud/man.zmm} \import{./include.zmm} \begin{pud::man}{ {name}{urukctl} {html_title}{urukctl} {section}{8} \man_share } \${html}{\"pud::man::maketoc"} \sec{name}{NAME} \NAME{urukctl}{uruk control script} \sec{synopsis}{SYNOPSIS} \urukctl \it{command} \bf{[}\it{argument}\bf{]} \sec{description}{DESCRIPTION} \par{ \urukctl is the user interface for the uruk system. It is used to create or change saved iptables rulesets, to change the current loaded rulesets and to report on uruk's status. } \par{ See \sibref{uruk}{uruk(8)} for information on how to get started with the Uruk system, and for a tutorial. This manpage gives just the details on \urukctl. } \par{ The \urukctl script calls \uruk to process \rcpath. (The uruk init script calls \urukctl.) 
} \par{ These 4 ruleset pairs (for both IPv4 and IPv6) exist in a system using uruk: \begin{itemize}{ {contiguous}{1} {compact}{1} {type}{mark} } \item the ruleset as expressed in the uruk configuration \rcpath, \item the 2 saved rulesets in \tt{/var/lib/{iptables,ip6tables}/{active,inactive}} \item the ruleset as currently loaded in the running kernel \item optional: more rulesets saved in \tt{/var/lib/{iptables,ip6tables}} \end{itemize} } \cpar{arguments}{ \urukctl should be called as either \tt{urukctl} \it{argument} or \tt{urukctl} \it{argument} \it{option}. Possible values are: \'begin{itemize}{{interitem}{1}} \item{\bf{start}} \car{ If not yet done, save current iptables status in "inactive" ruleset. (Re)build and load the "active" ruleset. } \item{\bf{save} \it{ruleset}} \car{ Save the current iptables status in the given ruleset. } \item{\bf{create} <\tt{active}|\tt{inactive}>} \car{ Create an "active" or "inactive" ruleset with sane defaults: "active" will be based upon the uruk rc file. "inactive" will allow all traffic. } \item{\bf{load} \it{ruleset}} \car{ Load a saved ruleset. } \item{\bf{reload}} \car{ (Re)build and load the "active" ruleset, without temporarily clearing the current iptables status. } \item{\bf{force-reload}} \car{ (Re)build and load the "active" ruleset, in case uruk is running. } \item{\bf{stop}} \car{ Load the "inactive" ruleset. (An "inactive" ruleset made by \bf{create} allows all traffic, so after \bf{stop} the host may be unfiltered.) } \item{\bf{restart}} \car{ Perform stop-actions followed by start-actions. } \item{\bf{status}} \car{ Print the current status of the service: show which ruleset is loaded, and whether uruk is "running". } \item{\bf{clear}} \car{ Remove all rules and user-defined chains, set default policy to ACCEPT. } \item{\bf{halt}} \car{ Remove all rules and user-defined chains, set default policy to DROP. } \item{\bf{flush}} \car{ Flush all rules from the current iptables status. 
} \'end{itemize} } \cpar{configuration}{ \urukctl uses the file /etc/default/uruk (on Debian, Ubuntu and related systems) or /etc/sysconfig/uruk (on Red Hat, Fedora and related systems) for configuration. Variables used in this file are: \'begin{itemize}{{interitem}{1}} \item{enable_uruk_check} \car{wether to check for existence and sanity of uruk rc file; set to false if you don't like this, e.g. when using the uruk initscript for managing saved rulesets only (i.e. not for calling uruk or uruk-save).} \item{enable_ipv6} \car{set to false to disable IPv6 support. Set to \tt{$(enable-ipv6)} to dynamically decide wether to filter IPv6 traffic.} \item{enable_uruk_save} \car{enable calling the unstable uruk-save script.} \item{enable_autosave} \car{set to "false" to disable autosaving the active ruleset when going from start to stop.} \item{enable_save_counters} \car{set to "false" to disable saving table counters with rulesets.} \'end{itemize} } \sec{see also}{SEE ALSO} \sibref{uruk}{uruk(8)}, \sibref{uruk-rc}{uruk-rc(5)}, \sibref{uruk-save}{uruk-save(8)}. The Uruk homepage is at \httpref{http://mdcc.cx/uruk/} . \par{ \bf{iptables(8)}, \bf{iptables-save(8)}, \bf{iptables-restore(8)}, \bf{ip6tables(8)}, \bf{ip6tables-save(8)}, \bf{ip6tables-restore(8)}, \httpref{http://www.netfilter.org/} \: (no manpage online :( ) } \par{ \bf{interfaces(5)}, \httpref{http://packages.debian.org/ifupdown}. } \sec{copyright}{COPYRIGHT} Copyright (C) 2013 \"man::author" \gplheader \sec{author}{AUTHOR} \"man::author" \end{pud::man} uruk-20160219/man/uruk.80000644000175000017500000003122112201162772011520 00000000000000.\" Copyright (c) 2013 Joost van Baal-Ilić .TH "uruk" 8 "9 авг 2013" "uruk 20130809" "SYSTEM ADMINISTRATION " .po 2m .de ZI .\" Zoem Indent/Itemize macro I. .br 'in +\\$1 .nr xa 0 .nr xa -\\$1 .nr xb \\$1 .nr xb -\\w'\\$2' \h'|\\n(xau'\\$2\h'\\n(xbu'\\ .. .de ZJ .br .\" Zoem Indent/Itemize macro II. 
'in +\\$1 'in +\\$2 .nr xa 0 .nr xa -\\$2 .nr xa -\\w'\\$3' .nr xb \\$2 \h'|\\n(xau'\\$3\h'\\n(xbu'\\ .. .if n .ll -2m .am SH .ie n .in 4m .el .in 8m .. .SH NAME uruk \- wrapper for Linux iptables, for managing firewall rules .SH SYNOPSIS \fBuruk\fP .SH DESCRIPTION \fBuruk\fP loads an \fIrc\fP file (see \fBuruk-rc(5)\fP) which defines network service access policy, and invokes \fBiptables(8)\fP to set up firewall rules implementing this policy\&. By default the file \fC/etc/uruk/rc\fP is used; one can overrule this by specifying another file in the URUK_CONFIG environment variable\&. Under some circumstances, it\&'s useful to use another command for iptables; this can be achieved by setting the URUK_IPTABLES (and/or URUK_IP6TABLES) environment variables\&. See \fBuruk-rc(5)\fP for details\&. .SH QUICK SETUP GUIDE Uruk will \fInot\fP "just work" out of the box\&. It needs manual configuration\&. For those of you who don\&'t like reading lots of documentation: .di ZV .in 0 .nf \fC # cp /usr/share/doc/uruk/examples/rc \e /etc/uruk/rc # vi /etc/uruk/rc # urukctl start .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .SH GETTING STARTED Once the \fBuruk\fP script is installed, you want to go use it, of course\&. We\&'ll give a detailed description of what to do here\&. First, create an \fIrc\fP file\&. See \fBuruk-rc(5)\fP for info on how to do this\&. Once this file is created and installed (this script looks in \fC/etc/uruk/rc\fP by default), you\&'re ready to run \fBuruk\fP\&. You might want to test your \fIrc\fP file by running \fBuruk\fP in debug mode, see \fBuruk-rc(5)\fP\&. There are at least 3 ways to load your \fIrc\fP file\&. We\&'ll first describe a low level one: using vanilla iptables\&. \fBVanilla iptables\fP .br After editing \fIrc\fP, load your rules like this\&. 
First flush your current rules: .di ZV .in 0 .nf \fC # iptables -F # ip6tables -F .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Then enable your \fIrc\fP rules .di ZV .in 0 .nf \fC # uruk .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \&. Inspect the rules by doing: .di ZV .in 0 .nf \fC # iptables -L # ip6tables -L .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \&. If you want to make these changes survive a reboot, use the init script as shipped with this package\&. If you\&'d rather write your own init script, the \fBiptables-restore(8)\fP and \fBiptables-save(8)\fP commands from the iptables package might be helpful\&. \fBUsing the Uruk init script\fP .br Assumed is the Uruk init script is installed as explained in the README file\&. Optionally, install \fC/etc/default/uruk\fP (or \fC/etc/sysconfig/uruk\fP) and tweak it\&. An example file is in \fC/usr/share/doc/uruk/examples/default\fP (You might like to enable support for \fBuruk-save\fP\&.) Now activate uruk by doing: .di ZV .in 0 .nf \fC # urukctl start .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset\&. While executing \fCurukctl start\fP, your box is open during a short while\&. If you don\&'t like this, read below about \fBuruk-save\fP\&. When rebooting, everything will be fine: \fC/etc/init\&.d/uruk\fP stores state in \fC/var/lib/uruk/iptables\fP, using iptables-save(8), which comes with Linux iptables\&. \fBUsing Debian ifupdown\fP .br In case you have just one network interface which should get protected, you could use \fBinterfaces(5)\fP from the Debian ifupdown package instead of the init script\&. Suppose you\&'d like to protect \fCppp0\fP, and would like not to interfere with traffic on eth0: your other network interface\&. First write an \fIrc\fP file\&. 
Be sure it features .di ZV .in 0 .nf \fC interfaces_unprotect="lo eth0" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Then run: .di ZV .in 0 .nf \fC # mkdir -p /var/lib/uruk/iptables # iptables -F # iptables-save -c > /var/lib/uruk/iptables/down # uruk # iptables-save -c > /var/lib/uruk/iptables/up .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Add .di ZV .in 0 .nf \fC pre-up iptables-restore < /var/lib/uruk/iptables/up post-down iptables-restore < /var/lib/uruk/iptables/down .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR to your interfaces stanza, in your \fC/etc/network/interfaces\fP \&. Similar tricks might be possible on GNU/Linux systems from other distributions\&. The author is interested\&. .SH LOADING A NEW \fIrc\fP FILE Need to change your rules? \fBUsing the Uruk init script\fP .br Do .di ZV .in 0 .nf \fC # vi /etc/uruk/rc # urukctl force-reload .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR While executing \fCurukctl force-reload\fP, your box is open during a short while\&. If you don\&'t like this, read below about \fBuruk-save\fP\&. .SH THE GORY DETAILS: uruk INTERNALS The \fBuruk\fP script works like (and looks like) the list of statements below\&. Of course, take a look at \fC/sbin/uruk\fP for the final word on the workings\&. 
.ZI 2m "1" \& .br \fIrc\fP is sourced as a shell script .in -2m .ZI 2m "2" \& .br Traffic on $interfaces_unprotect (just lo per default) is trusted: .di ZV .in 0 .nf \fC $iptables -A INPUT -i $iface -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "3" \& .br $rc_a is sourced as a shell script, or, in case $rc_a is a directory, all files matching $rc_a/*\&.rc are sourced as shell scripts .in -2m .ZI 2m "4" \& .br ESTABLISHED and RELATED packets are ACCEPT-ed: .di ZV .in 0 .nf \fC $iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \e -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "5" \& .br $rc_b is sourced .in -2m .ZI 2m "6" \& .br $interfaces gets protected against spoofing: we don\&'t allow anyone to spoof non-routeable addresses\&. We block outgoing packets that don\&'t have our address as source: they are either spoofed or something is misconfigured (NAT disabled, for instance)\&. We want to be nice and don\&'t send out garbage\&. .di ZV .in 0 .nf \fC $iptables -A INPUT -i $iface --source $no_route_ip \e -j DROP .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR We drop all incoming packets which don\&'t have us as destination: .di ZV .in 0 .nf \fC $iptables -A OUTPUT -o $iface --source ! 
"$ip" \e -j DROP .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR And we always allow outgoing connections: .di ZV .in 0 .nf \fC $iptables -A OUTPUT -m conntrack --ctstate NEW -o $iface \e -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "7" \& .br $rc_c is sourced .in -2m .ZI 2m "8" \& .br Allow traffic to offered services, from trusted sources: .di ZV .in 0 .nf \fC $iptables -A INPUT -m conntrack --ctstate NEW \e -i $iface --protocol $proto --source "$source" \e --destination "$ip" --destination-port "$port" \e -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "9" \& .br $rc_d is sourced .in -2m .ZI 2m "10" \& .br Don\&'t answer broadcast and multicast packets: .di ZV .in 0 .nf \fC $iptables -A INPUT -i $iface --destination "$bcast" \e -j DROP .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "11" \& .br $rc_f is sourced .in -2m .ZI 2m "12" \& .br Explicitly allow a subset of the ICMP types\&. (We disallow all other traffic later\&.) .di ZV .in 0 .nf \fC $iptables -A INPUT --protocol icmp --icmp-type $type \e -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "13" \& .br $rc_g is sourced .in -2m .ZI 2m "14" \& .br Log packets (which make it till here) .di ZV .in 0 .nf \fC $iptables -A INPUT -j LOG --log-level debug \e --log-prefix \&'iptables: \&' .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "15" \& .br $rc_h is sourced .in -2m .ZI 2m "16" \& .br Reject all other packets .di ZV .in 0 .nf \fC $iptables -A INPUT -j REJECT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .in -2m .ZI 2m "17" \& .br $rc_i is sourced .in -2m .SH USING uruk-save AS THE INITSCRIPT BACKEND By default, \fBuruk-save\fP is not used by the uruk init script\&. You might want to use it, though\&. The \fBuruk-save\fP script is faster and when using \fBuruk-save\fP, your box won\&'t be open while loading new rules\&. But beware: \fBuruk-save\fP is not as robust as using \fBuruk\fP itself\&. 
The script \fBurukctl\fP (and thus the uruk init script) will use \fBuruk-save\fP only if asked to do so in \fC/etc/default/uruk\fP (or \fC/etc/sysconfig/uruk\fP)\&. If this file features .di ZV .in 0 .nf \fC enable_uruk_save=true .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \fBuruk-save\fP is used whenever appropriate\&. See \fBuruk-save(8)\fP for more details\&. .SH DEFAULT POLICY By default, \fBuruk\fP drops packets which have unknown RFC 1918 private network addresses in their source or destination\&. It rejects packets with source nor destination for one of our IPs\&. Packets belonging to locally initiated sessions are allowed: we match state; the local host can act as a client for any remote service\&. By default, \fBuruk\fP drops all ICMP packets (except those for interfaces in $interfaces_unprotect) with type other than .ZI 2m "\(bu" \& .br address-mask-reply .in -2m .ZI 2m "\(bu" \& .br address-mask-request .in -2m .ZI 2m "\(bu" \& .br destination-unreachable (this is a catch-all for a lot of types) .in -2m .ZI 2m "\(bu" \& .br echo-request .in -2m .ZI 2m "\(bu" \& .br echo-reply .in -2m .ZI 2m "\(bu" \& .br parameter-problem (catch-all for ip-header-bad and required-option-missing) .in -2m .ZI 2m "\(bu" \& .br timestamp-reply .in -2m .ZI 2m "\(bu" \& .br timestamp-request .in -2m .ZI 2m "\(bu" \& .br ttl-zero-during-transit .in -2m .ZI 2m "\(bu" \& .br ttl-zero-during-reassembly .in -2m By default, the FORWARD chain is left untouched, so has policy ACCEPT\&. (This won\&'t do much harm, since packet forwarding is disabled by default in the Linux kernel\&. However, if you don\&'t mind being paranoid, you might want to add a .di ZV .in 0 .nf \fC iptables --policy FORWARD REJECT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR to your $rc_a uruk hook\&. See \fBuruk-rc(5)\fP\&.) By default, \fBuruk\fP logs all UDP and TCP packets which are blocked by the user defined policies\&. Loglevel is debug, logprefix is "iptables:"\&. 
See also the notes on \fIloglevel\fP in \fBuruk-rc(5)\fP\&. Blocked TCP packets are answered with a tcp-reset\&. .SH WARNING In order to keep the \fBuruk\fP script small and simple, the script does very little error handling\&. It does not check the contents of the \fIrc\fP file in any way before executing it\&. When your \fIrc\fP file contains bogus stuff, \fBuruk\fP will very likely behave in unexpected ways\&. Caveat emptor\&. .SH ENVIRONMENT You can override some defaults in the shell before executing the uruk script\&. \fBuruk\fP honors the following variables: .ZI 2m "\(bu" \& .br "URUK_CONFIG" Full pathname of \fIrc\fP file; \fC/etc/uruk/rc\fP by default\&. .in -2m .ZI 2m "\(bu" \& .br "URUK_IPTABLES" Full pathname of iptables executable\&. \fC/sbin/iptables\fP by default\&. Overrides \fIiptables\fP\&. .in -2m .ZI 2m "\(bu" \& .br "URUK_IP6TABLES" Full pathname of ip6tables executable, for IPv6 support\&. Overrides \fIip6tables\fP\&. .in -2m .ZI 2m "\(bu" \& .br "URUK_INTERFACES_UNPROTECT" Default list of unprotected interfaces\&. Overrides \fIinterfaces_unprotect\fP\&. The default default is \fClo\fP\&. .in -2m .SH SEE ALSO \fBuruk-rc(5)\fP, \fBuruk-save(8)\fP\&. The Uruk homepage is at http://mdcc\&.cx/uruk/ \&. \fBiptables(8)\fP, \fBiptables-save(8)\fP, \fBiptables-restore(8)\fP, \fBip6tables(8)\fP, \fBip6tables-save(8)\fP, \fBip6tables-restore(8)\fP, http://www\&.netfilter\&.org/ \fBinterfaces(5)\fP, http://packages\&.debian\&.org/ifupdown\&. .SH COPYRIGHT Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport\&.org; Copyright (C) 2003, 2004 Tilburg University http://www\&.uvt\&.nl/; Copyright (C) 2003-2013 Joost van Baal-Ilić This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&. You should have received a copy of the GNU General Public License along with this program\&. If not, see http://www\&.gnu\&.org/licenses/\&. .SH AUTHOR Joost van Baal-Ilić uruk-20160219/man/uruk-rc.50000644000175000017500000003143612535264244012136 00000000000000.\" Copyright (c) 2015 Joost van Baal-Ilić .TH "uruk-rc" 5 "8 Jun 2015" "uruk-rc 20150608" "FILE FORMATS " .po 2m .de ZI .\" Zoem Indent/Itemize macro I. .br 'in +\\$1 .nr xa 0 .nr xa -\\$1 .nr xb \\$1 .nr xb -\\w'\\$2' \h'|\\n(xau'\\$2\h'\\n(xbu'\\ .. .de ZJ .br .\" Zoem Indent/Itemize macro II. 'in +\\$1 'in +\\$2 .nr xa 0 .nr xa -\\$2 .nr xa -\\w'\\$3' .nr xb \\$2 \h'|\\n(xau'\\$3\h'\\n(xbu'\\ .. .if n .ll -2m .am SH .ie n .in 4m .el .in 8m .. .SH NAME uruk-rc \- uruk resource file, defining access policy .SH SYNOPSIS \fC/etc/uruk/rc\fP .SH DESCRIPTION \fIrc\fP is a shell script snippet, sourced in \fBuruk\fP by /bin/sh\&. \fIrc\fP lists IP addresses, allowed to use services\&. .SH EXAMPLES \fBdefault\fP .br The simplest valid \fIrc\fP file is the empty file\&. This \fIrc\fP file blocks all TCP and UDP connection attempts to services on our host: this is the default behaviour\&. 
\fBsimplest\fP .br The simplest \fIrc\fP file which does allow traffic to our services looks like e\&.g\&.: .di ZV .in 0 .nf \fC interfaces=eth0 ips_eth0=default ip_eth0_default=192\&.168\&.26\&.27 net_eth0_default=192\&.168\&.0\&.0/16 ip6_eth0_default=2001:db8::1/64 net6_eth0_default=2001:db8::/32 services_eth0_default_tcp=local ports_eth0_default_tcp_local="0:65535" sources_eth0_default_tcp_local="0\&.0\&.0\&.0/0 ::/0" services_eth0_default_udp=local ports_eth0_default_udp_local="0:65535" sources_eth0_default_udp_local="0\&.0\&.0\&.0/0" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR This \fIrc\fP file allows all IPv4 and IPv6 UDP and TCP traffic from publicly routable IPs to eth0\&'s IP\&. \fBrealistic\fP .br If you\&'d like to block traffic on wlan0 and allow traffic to ssh on your wired interface, and don\&'t like to explicitly set your IPs in \fIrc\fP: .di ZV .in 0 .nf \fC # list of interfaces you\&'d like uruk to protect interfaces="eth0 wlan0" # set variables ip{,6}_eth0_default and net{,6}_eth0_default \&. /lib/uruk/init/autodetect-ips # names for eth0\&'s 2 IPv4 addresses ips_eth0="default dhcp" # allow access to our sshd on eth0\&'s primary IP on tcp port 443 # from anywhere services_eth0_default_tcp=ssh ports_eth0_default_tcp_ssh=443 sources_eth0_default_tcp_ssh="0\&.0\&.0\&.0/0 ::/0" # we get a static IPv4 via dhcp ip_eth0_dhcp=10\&.0\&.0\&.3 net_eth0_dhcp=10\&./8 services_eth0_dhcp_tcp=http ports_eth0_dhcp_tcp_http=http sources_eth0_dhcp_tcp_http=$net_eth0_dhcp # we leave services_wlan0_default_{tcp,udp} unset: don\&'t allow any # incoming connections on wlan0\&'s default IP .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \fBautodetect-ips\fP .br The script autodetect-ips --as used in the previous example-- looks for files /etc/sysconfig/network-scripts/ifcfg-* (commonly found at e\&.g\&. Red Hat and Fedora systems) and /etc/network/interfaces (as found at e\&.g\&. 
Debian and Ubuntu systems), and, for each interface \fInic\fP, and each found IPv4 and IPv6 address and network, sets variables \fCip_\fP\fInic\fP\fC_default\fP, \fCip6_\fP\fInic\fP\fC_default\fP, \fCnet_\fP\fInic\fP\fC_default\fP and \fCnet6_\fP\fInic\fP\fC_default\fP \&. Then it calls ip(8) and adds any other found \fInic\fP, \fCip\fP and \fCnet\fP triplets (for IPv4 and, for IPv6, only addresses in scope "global")\&. The script autodetect-ips is useful if you\&'d like to share your \fIrc\fP file among different hosts\&. \fBanother example\fP .br For an even more reasonable \fIrc\fP file, look at the well-commented example \fIrc\fP file in \fC/usr/share/doc/uruk/examples/rc\fP\&. .SH IPv4 AND IPv6 You can mix IPv4 and IPv6-addresses in sources_*\&. E\&.g\&.: .di ZV .in 0 .nf \fC ips_eth0=\&'default private\&' ip_eth0_default=1\&.2\&.3\&.4 ip6_eth0_default= services_eth0_default_tcp=\&'mail local\&' sources_eth0_default_tcp_mail=\&'10\&.0\&.0\&.0/24 192\&.0\&.32\&.0/24 192\&.168\&.6\&.26\&' sources_eth0_default_tcp_local=\&'192\&.0\&.32\&.0/24 svejk\&.example\&.com 2001:db8::/32\&' ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local=\&'ssh ftp\&' .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR If svejk\&.example\&.com has both an IPv4 PTR record in DNS, as well as an IPv6 PTR record, connection attempts from svejk to the ssh and ftp TCP ports are allowed, via both IPv4 and IPv6\&. Uruk used to require variables sources6_* to be set to support ip6tables\&. Since uruk version 20140319 (The Alfama Release), this is no longer needed; setting sources_* suffices\&. To be precise, the semantics since uruk version 20140319 is: 1) If both sources_* and sources6_* are defined (even if they\&'re just empty), each is used for its respective address family\&. (This ensures backwards compatibility\&.) 2) If sources6_* is undefined, sources_* is used for both v4 and v6\&. 3) In either case, v4 literals in v6 context and v6 literals in v4 context are silently (!) 
ignored\&. .SH HOOKS Uruk offers hooks for inserting your own code between iptables invocations\&. Examples will show the usefulness of these hooks\&. \fBallowing broadcasts\fP .br In \fIrc\fP, there is: .di ZV .in 0 .nf \fC rc_b=$etcdir/bootp .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR while the file \fCbootp\fP reads .di ZV .in 0 .nf \fC iptables \-A INPUT \-m state \-\-state NEW \-i eth0 \e \-\-protocol udp \-\-destination-port bootps \-j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \&. This enables one to add rules for packets with broadcast addresses in their destination\&. (Uruk has no support for this in its regular \fIrc\fP\&.) \fBallowing non-matching returntraffic\fP .br In \fIrc\fP there is: .di ZV .in 0 .nf \fC rc_d=$etcdir/dns .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR while the file \fCdns\fP reads .di ZV .in 0 .nf \fC for source in 10\&.5\&.0\&.27 10\&.56\&.0\&.40 do $iptables -A INPUT -i eth0 --protocol udp \e --source "$source" --source-port domain \e --destination "$ip_eth0" \e --destination-port 30000: -j ACCEPT done .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR This allows one to allow (return)traffic, disregarding the state\&. (Uruk has no support for this in its regular \fIrc\fP\&.) \fBallowing NAT\fP .br In \fIrc\fP there is: .di ZV .in 0 .nf \fC rc_a=${etcdir}/nat .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR while the file \fCnat\fP reads .di ZV .in 0 .nf \fC $iptables -t nat -A POSTROUTING \e --out-interface eth0 -j SNAT \e --to-source $ip_eth0 .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR This allows Network Address Translation\&. However, beware! Like all extensive use of hooks, this will break the \fBuruk-save\fP script\&. If you make sure your active iptables rules are wiped, and invoke \fBuruk\fP manually to load new rules, you\&'re safe\&. Using the init script with its default settings is safe too\&. 
\fBallowing IPv6 tunneling\fP .br In \fIrc\fP there is: .di ZV .in 0 .nf \fC rc_b=${etcdir}/proto_41 .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR while the file \fCproto_41\fP reads .di ZV .in 0 .nf \fC $iptables -A INPUT -i ppp0 --protocol 41 --destination $ip_ppp0 -j ACCEPT .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR This allows IP protocol 41, typically used for this kind of tunneling\&. \fBallowing any traffic on an interface\fP .br In \fIrc\fP there is: .di ZV .in 0 .nf \fC interfaces_unprotect="lo eth2" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR This allows any traffic on \fCeth2\fP (and on \fClo\fP, the default), including any ICMP packets and packets from any source address\&. \fBusing multiple hooks at one entry point in the main uruk process\fP .br In case rc_a, rc_b, \&.\&.\&. , or rc_i does not have a file as its value, but a directory, all files matching "$rc_x"/*\&.rc will get sourced\&. This helps configuration management in complex situations involving lots of uruk configuration files for lots of hosts\&. See the section "THE GORY DETAILS: uruk INTERNALS" in \fBuruk(8)\fP (or the \fBuruk\fP source) to find out which hook (there are hooks rc_a, rc_b, \&.\&.\&. , rc_i) to use\&. .SH NETWORK INTERFACES WITH MULTIPLE IP ADDRESSES Uruk supports situations where a network interface has more than one IP address attached\&. Variables \fCips_\fP\fInic\fP and \fCbcasts_\fP\fInic\fP are used for this\&. If \fCips_\fP\fInic\fP is set, e\&.g\&. like .di ZV .in 0 .nf \fC ips_eth0="ip0 ip1 ip2" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR we assume multiple (three in this example) IPs are assigned to \fCeth0\fP\&. If this variable is not set only one IP is supported on \fCeth0\fP\&. In multiple-IP mode, IP addresses are listed as e\&.g\&. 
.di ZV .in 0 .nf \fC ip_eth0_ip0="137\&.56\&.247\&.16" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR (If you\&'re used to the Linux ifconfig(8) output, you could use the name \fCip\fP for \fCeth0\fP, and \fCip0\fP for \fCeth0:0\fP\&.) The \fIports\fP, \fIservices\fP and \fIsources\fP variables look like e\&.g\&. .di ZV .in 0 .nf \fC services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnet .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR and, similarly, .di ZV .in 0 .nf \fC net_eth0_ip1=192\&.168\&.0\&.0/16 .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Furthermore, for dropping broadcast packets, specify e\&.g\&. .di ZV .in 0 .nf \fC bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10\&.0\&.0\&.255" bcast_eth0_ip2="10\&.0\&.255\&.255" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR As an additional feature, if you have multiple IP addresses that all need to get the same rules, you can assign them to a single name: .di ZV .in 0 .nf \fC ip_eth0_ip0="137\&.56\&.247\&.16 137\&.56\&.247\&.17 137\&.56\&.247\&.18" .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR .SH LOGGING AND DEBUGGING Uruk has support for logging network packets, and for debugging the uruk script\&. \fBLogging\fP .br By default, uruk logs denied packets\&. This is adjustable using the \fIloglevel\fP variable\&. The settings are: .ZI 2m "\(bu" \& .br "zero": be silent; do not log any packet\&. \fIrc\fP file features \fCloglevel=10\fP\&. .in -2m .ZI 2m "\(bu" \& .br "low": log denied packets, which are targeted at one of our IPs\&. \fIrc\fP file features \fCloglevel=30\fP\&. .in -2m .ZI 2m "\(bu" \& .br "medium": log denied non-broadcast packets\&. This is the default: \fIloglevel\fP is unset or \fIrc\fP file features \fCloglevel=50\fP\&. .in -2m .ZI 2m "\(bu" \& .br "fascist": log all packets\&. \fIrc\fP file features \fCloglevel=90\fP\&. 
.in -2m \fBDebugging\fP .br To debug the \fBuruk\fP script, invoke uruk as .di ZV .in 0 .nf \fC sh -x /sbin/uruk .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR this shows what is done, along with executing it\&. (Like an uruk \&'-v\&' option\&.) If you\&'d rather prefer not to execute, but just watch what would\&'ve been done, invoke uruk as .di ZV .in 0 .nf \fC URUK_IPTABLES=\&'echo iptables\&' URUK_IP6TABLES=\&'echo ip6tables\&' uruk .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR (Like an uruk \&'-n\&' option\&.) If you have this statement set, you can run \fBuruk\fP under a non-priviliged user account\&. If you\&'d like to test a new \fIrc\fP file before installing it, run something like: .di ZV .in 0 .nf \fC URUK_CONFIG=/path/to/new/uruk/rc/file uruk .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR Of course, all these tweaks can be combined\&. .SH VARIABLES The uruk script honors the following variables in \fIrc\fP files: .ZI 2m "\(bu" \& .br "version" Uruk version compatibility of this \fIrc\fP file .in -2m .ZI 2m "\(bu" \& .br "loglevel" .in -2m .ZI 2m "\(bu" \& .br "iptables" Full pathname of iptables executable\&. .in -2m .ZI 2m "\(bu" \& .br "ip6tables" Full pathname of ip6tables executable\&. .in -2m .ZI 2m "\(bu" \& .br "interfaces" List of network interfaces\&. .in -2m More variables are available\&. For now, you\&'ll have to take a look at the example \fIrc\fP file in \fC/usr/share/doc/uruk/examples/rc\fP for more details\&. .SH ENVIRONMENT VARIABLES See \fBuruk(8)\fP for a list of honored environment variables\&. .SH FILES \fC/etc/uruk/rc\fP .SH SEE ALSO A well-commented example \fIrc\fP file is in \fC/usr/share/doc/uruk/examples/rc\fP\&. And see \fBuruk(8)\fP, \fBuruk-save(8)\fP\&. 
.SH COPYRIGHT Copyright (C) 2005, 2007, 2008, 2010, 2011, 2012, 2013 Joost van Baal-Ilić This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&. You should have received a copy of the GNU General Public License along with this program\&. If not, see http://www\&.gnu\&.org/licenses/\&. .SH AUTHOR Joost van Baal-Ilić uruk-20160219/man/uruk-save.80000644000175000017500000000620212201162772012455 00000000000000.\" Copyright (c) 2013 Joost van Baal-Ilić .TH "uruk-save" 8 "9 авг 2013" "uruk-save 20130809" "SYSTEM ADMINISTRATION " .po 2m .de ZI .\" Zoem Indent/Itemize macro I. .br 'in +\\$1 .nr xa 0 .nr xa -\\$1 .nr xb \\$1 .nr xb -\\w'\\$2' \h'|\\n(xau'\\$2\h'\\n(xbu'\\ .. .de ZJ .br .\" Zoem Indent/Itemize macro II. 'in +\\$1 'in +\\$2 .nr xa 0 .nr xa -\\$2 .nr xa -\\w'\\$3' .nr xb \\$2 \h'|\\n(xau'\\$3\h'\\n(xbu'\\ .. .if n .ll -2m .am SH .ie n .in 4m .el .in 8m .. .SH NAME uruk-save \- save uruk rc configuration in iptables-save-style format .SH SYNOPSIS \fBuruk-save\fP \fB[\fP-6\fB]\fP .SH OPTIONS .ZI 2m "-6" \& .br Don\&'t save iptables rules but save ip6tables rules, for IPv6 filtering\&. .in -2m .SH DESCRIPTION \fBuruk-save\fP saves the IPv4 rules (for all of the filter, raw, mangle and nat tables) in \fC/etc/uruk/rc\fP in \fBiptables-save(5)\fP-style format, without invoking \fBiptables(8)\fP\&. If the \fB-6\fP option is given, the IPv6 rules (if any) in \fC/etc/uruk/rc\fP are saved, in \fBip6tables-save(5)\fP-style format\&. 
It prints output to stdout; suggested invocation therefore is .di ZV .in 0 .nf \fC # uruk-save > /var/lib/uruk/iptables/active .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR or .di ZV .in 0 .nf \fC # uruk-save -6 > /var/lib/uruk/ip6tables/active .fi \fR .in .di .ne \n(dnu .nf \fC .ZV .fi \fR \&. This script is useful if you don\&'t like the default behaviour of the uruk init script, and would like it to load the current uruk rc file instead of the current active file\&. Please note: generally you don\&'t need to invoke this script manually: the script \fBurukctl\fP which comes with uruk is suitable for most cases, it invokes \fBuruk-save\fP if needed\&. .SH WARNING Just as \fBuruk\fP, in order to keep the \fBuruk-save\fP script small and simple, the script does very little error handling\&. It does not check the contents of the \fIrc\fP file in any way before executing it\&. When your \fIrc\fP file contains bogus stuff, \fBuruk-save\fP will very likely behave in unexpected ways\&. Caveat emptor\&. Things will likely break if you do very fancy stuff in an \fIrc\fP hook file\&. If your \fIrc\fP file is in verbose mode (i\&.e\&. it features \fCset -x\fP) or in no-act mode (i\&.e\&. it features a hardcoded \fCiptables=\&'echo iptables\&'\fP), \fBuruk-save\fP fails\&. .SH SEE ALSO \fBuruk(8)\fP, \fBuruk-rc(5)\fP \&. .SH COPYRIGHT Copyright (C) 2005, 2007, 2010, 2011, 2012, 2013 Joost van Baal-Ilić This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&. You should have received a copy of the GNU General Public License along with this program\&. 
If not, see http://www\&.gnu\&.org/licenses/\&. .SH AUTHOR Joost van Baal-Ilić uruk-20160219/man/urukctl.80000644000175000017500000001211012201162773012220 00000000000000.\" Copyright (c) 2013 Joost van Baal-Ilić .TH "urukctl" 8 "9 авг 2013" "urukctl 20130809" "SYSTEM ADMINISTRATION " .po 2m .de ZI .\" Zoem Indent/Itemize macro I. .br 'in +\\$1 .nr xa 0 .nr xa -\\$1 .nr xb \\$1 .nr xb -\\w'\\$2' \h'|\\n(xau'\\$2\h'\\n(xbu'\\ .. .de ZJ .br .\" Zoem Indent/Itemize macro II. 'in +\\$1 'in +\\$2 .nr xa 0 .nr xa -\\$2 .nr xa -\\w'\\$3' .nr xb \\$2 \h'|\\n(xau'\\$3\h'\\n(xbu'\\ .. .if n .ll -2m .am SH .ie n .in 4m .el .in 8m .. .SH NAME urukctl \- uruk control script .SH SYNOPSIS \fBurukctl\fP \fIcommand\fP \fB[\fP\fIargument\fP\fB]\fP .SH DESCRIPTION \fBurukctl\fP is the user interface for the uruk system\&. It is used to create or change saved iptables rulesets, to change the current loaded rulesets and to report on uruk\&'s status\&. See \fBuruk(8)\fP for information on how to get started with the Uruk system, and for a tutorial\&. This manpage gives just the details on \fBurukctl\fP\&. The \fBurukctl\fP script calls \fBuruk\fP to process /etc/uruk/rc\&. (The uruk init script calls \fBurukctl\fP\&.) These 4 ruleset pairs (for both IPv4 and IPv6) exist in a system using uruk: .ZI 2m "\(bu" \& .br the ruleset as expressed in the uruk configuration /etc/uruk/rc, .in -2m .ZI 2m "\(bu" \& .br the 2 saved rulesets in \fC/var/lib/{iptables,ip6tables}/{active,inactive}\fP .in -2m .ZI 2m "\(bu" \& .br the ruleset as currently loaded in the running kernel .in -2m .ZI 2m "\(bu" \& .br optional: more rulesets saved in \fC/var/lib/{iptables,ip6tables}\fP .in -2m \fBarguments\fP .br \fBurukctl\fP should be called as either \fCurukctl\fP \fIargument\fP or \fCurukctl\fP \fIargument\fP \fIoption\fP\&. Possible values are: .ZI 2m "\fBstart\fP" \& .br If not yet done, save current iptables status in "inactive" ruleset\&. (Re)build and load the "active" ruleset\&. 
.in -2m .ZI 2m "\fBsave\fP \fIruleset\fP" \& .br Save the current iptables status in the given ruleset\&. .in -2m .ZI 2m "\fBcreate\fP <\fCactive\fP|\fCinactive\fP>" \& .br Create an "active" or "inactive" ruleset with sane defaults: "active" will be based upon the uruk rc file\&. "inactive" will allow all traffic\&. .in -2m .ZI 2m "\fBload\fP \fIruleset\fP" \& .br Load a saved ruleset .in -2m .ZI 2m "\fBreload\fP" \& .br (Re)build and load the "active" ruleset, without temporarily clearing the current iptables status\&. .in -2m .ZI 2m "\fBforce-reload\fP" \& .br (Re)build and load the "active" ruleset, in case uruk is running\&. .in -2m .ZI 2m "\fBstop\fP" \& .br Load the "inactive" ruleset\&. .in -2m .ZI 2m "\fBrestart\fP" \& .br Perform stop-actions followed by start-actions\&. .in -2m .ZI 2m "\fBstatus\fP" \& .br Print the current status of the service: show which ruleset is loaded, and whether uruk is "running"\&. .in -2m .ZI 2m "\fBclear\fP" \& .br Remove all rules and user-defined chains, set default policy to ACCEPT\&. .in -2m .ZI 2m "\fBhalt\fP" \& .br Remove all rules and user-defined chains, set default policy to DROP\&. .in -2m .ZI 2m "\fBflush\fP" \& .br Flush all rules from the current iptables status\&. .in -2m \fBconfiguration\fP .br \fBurukctl\fP uses the file /etc/default/uruk (on Debian, Ubuntu and related systems) or /etc/sysconfig/uruk (on Red Hat, Fedora and related systems) for configuration\&. Variables used in this file are: .ZI 2m "enable_uruk_check" \& .br whether to check for existence and sanity of uruk rc file; set to false if you don\&'t like this, e\&.g\&. when using the uruk initscript for managing saved rulesets only (i\&.e\&. not for calling uruk or uruk-save)\&. .in -2m .ZI 2m "enable_ipv6" \& .br set to false to disable IPv6 support\&. Set to \fC$(enable-ipv6)\fP to dynamically decide whether to filter IPv6 traffic\&. .in -2m .ZI 2m "enable_uruk_save" \& .br enable calling the unstable uruk-save script\&. 
.in -2m .ZI 2m "enable_autosave" \& .br set to "false" to disable autosaving the active ruleset when going from start to stop\&. .in -2m .ZI 2m "enable_save_counters" \& .br set to "false" to disable saving table counters with rulesets\&. .in -2m .SH SEE ALSO \fBuruk(8)\fP, \fBuruk-rc(5)\fP, \fBuruk-save(8)\fP\&. The Uruk homepage is at http://mdcc\&.cx/uruk/ \&. \fBiptables(8)\fP, \fBiptables-save(8)\fP, \fBiptables-restore(8)\fP, \fBip6tables(8)\fP, \fBip6tables-save(8)\fP, \fBip6tables-restore(8)\fP, http://www\&.netfilter\&.org/ \fBinterfaces(5)\fP, http://packages\&.debian\&.org/ifupdown\&. .SH COPYRIGHT Copyright (C) 2013 Joost van Baal-Ilić This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&. You should have received a copy of the GNU General Public License along with this program\&. If not, see http://www\&.gnu\&.org/licenses/\&. .SH AUTHOR Joost van Baal-Ilić uruk-20160219/doc/0000755000175000017500000000000012661613117010520 500000000000000uruk-20160219/doc/Makefile.am0000644000175000017500000000107711712513436012500 00000000000000## Process this file with automake to produce Makefile.in ## this file maintained at http://git.mdcc.cx/uruk.git ## Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org ## Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/ ## Copyright (C) 2003, 2004, 2005 Joost van Baal # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. 
exampledir = $(datadir)/doc/@PACKAGE_TARNAME@/examples example_DATA = rc default rfc4890-icmpv6-firewall.sh EXTRA_DIST = $(example_DATA) uruk-20160219/doc/Makefile.in0000644000175000017500000003156712661613101012512 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # This script is free software; you can distribute it and/or modify it # under the terms of the GNU GPL. See the file COPYING. VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = doc ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = 
$(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(exampledir)" DATA = $(example_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = 
@sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ exampledir = $(datadir)/doc/@PACKAGE_TARNAME@/examples example_DATA = rc default rfc4890-icmpv6-firewall.sh EXTRA_DIST = $(example_DATA) all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-exampleDATA: $(example_DATA) @$(NORMAL_INSTALL) @list='$(example_DATA)'; test -n "$(exampledir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(exampledir)'"; \ $(MKDIR_P) "$(DESTDIR)$(exampledir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(exampledir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(exampledir)" || 
exit $$?; \ done uninstall-exampleDATA: @$(NORMAL_UNINSTALL) @list='$(example_DATA)'; test -n "$(exampledir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(exampledir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: for dir in "$(DESTDIR)$(exampledir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-exampleDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-exampleDATA .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exampleDATA \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-exampleDATA .PRECIOUS: Makefile # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: uruk-20160219/doc/rc0000644000175000017500000001144712476342646011010 00000000000000# this file maintained at http://git.mdcc.cx/uruk.git # Sample Uruk rc file # Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org # Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/ # Copyright (C) 2003, 2004, 2005, 2010 Joost van Baal # Copyright (C) 2012, 2013, 2014 Joost van Baal-Ilić # # This file is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) # any later version. # # This file is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU GPL for more details. # # You should have received a copy of the GNU GPL along with this file, see # e.g. the file named COPYING. If not, see . ########## # preamble ########## # Uruk version compatibility of this rc file # (actually, likely works with version=20071030 too) version=20140319 # Log denied packets, which are targetted at one of our IPs. Do not log # blocked broadcasts. loglevel=30 ############################### # define our network interfaces ############################### # List of network interfaces. lo should not be in this list (see below). For # every interface , variables ip_, bcast_ and net_ should be # defined. interfaces="eth0 eth1" # List of network interfaces we want uruk to leave alone: all traffic on these # interfaces will be trusted and accepted. By default, interfaces_unprotect=lo # interfaces_unprotect="lo sit0 eth3" ############################################### # assign IPs and networks to network interfaces ############################################### # this helper sets ip_ and net_ . 
/lib/uruk/init/autodetect-ips # alternatively, explicitly list adresses manually, by setting ip_, # ip6_, net_ and net6_, like this: ips_eth0=default # For each interface in interfaces, ip_ and net_ should be # defined ip_eth0_default=10.56.0.201 # Supply IPv6 addresses like this: ip6_eth0_default=2006:488:1a9b::4a54:e8ff:fe2b:f25c # (aka 2006:488:1a9b:0:4a54:e8ff:fe2b:f25c) # NB: /sbin/ip6tables (as shipped with e.g. iptables 1.4.8-2) understands # both full and abbreviated IPv6 names. ips_eth1="default local" ip_eth1_default=192.168.0.4 ip_eth1_local=10.0.0.1 # To which network does this interface belong? Should be one of # 0.0.0.0/0 (aka 0/0) 10.0.0.0/8 (aka 10./8) 172.16.0.0/12 (aka 172.16./12) # 192.168.0.0/16 (aka 192.168./16) . Used to decide wether a # packet for this interface is spoofed, and therefore should get dropped. # NB: /sbin/iptables (as shipped with e.g. iptables 1.4.8-2) understands # full names only. net_eth0_default=0.0.0.0/0 net_eth1_default=192.168.0.0/16 net_eth1_local=10.0.0.0/8 # Subset of named IPs per interface, which should drop broadcast and multicast packets bcasts_eth1="local" bcast_eth1_local="10.255.255.255" # For each interface in interfaces_nocast, bcast_ should be defined bcast_eth0_default=10.56.255.255 ######################################### # optionally, define some shell variables ######################################### # You can define any shell variable, and reference it later on localnet="10.56.0.0/16" all4=0.0.0.0/0 ##################################################### # finally, define allowed services, sources and ports ##################################################### # For each interface, and for both tcp and udp, symbolic names of (sets of) # services could be defined, in variables services__{tcp,udp}. services_eth0_default_tcp="mail local public" # For every servicesetname , every interface , and tcp and/or udp, a # list of allowed source addresses should be defined in a variable # sources__{tcp,udp}_ . 
Furthermore a list of ports should be defined # in a variable ports__{tcp,udp}_ . # A valid source is 192.168.6.26, another valid source is 192.168.6.0/24. # One can add DNS domainnames like gandalf.example.com too: iptables will # perform a DNS lookup # Supply IPv6 addresses like e.g. this: # "::/0" # aka 0000:0000:0000:0000:0000:0000:0000:0000/0 sources_eth0_default_tcp_mail="10.0.0.0/24 192.0.32.0/24 192.168.6.26" sources_eth0_default_tcp_local="$localnet gandalf.example.com" sources_eth0_default_tcp_public="$all4 ::/0" # Symbolic port names are fine. ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local="ssh ftp" ports_eth0_default_tcp_public=www services_eth0_default_udp="syslog local" sources_eth0_default_udp_syslog="10.56.0.10/32 2001:db8::/32" sources_eth0_default_udp_local=$localnet ports_eth0_default_udp_syslog="syslog" # Port ranges are allowed too ports_eth0_default_udp_local="ntp 605:608 853:876" uruk-20160219/doc/default0000644000175000017500000000157312661605702012016 00000000000000# this file maintained at http://git.mdcc.cx/uruk.git # # configuration for urukctl(8) as called by /etc/init.d/uruk. Install in # /etc/default/uruk (Debian) or /etc/sysconfig/uruk (Red Hat) # Some helpers are installed in /lib/uruk/init # /sbin might be lacking from PATH when running as non-root PATH=/lib/uruk/init:/sbin:$PATH # enable_uruk_check - wether to check for existence and sanity of uruk rc # file ## enable_uruk_check=false # enable_ipv6 - set to false to disable IPv6 support. 
## enable_ipv6=false enable_ipv6=$(enable-ipv6) # enable calling the unstable uruk-save script ## enable_uruk_save=false enable_uruk_save=true # set enable_autosave to "false" to disable autosaving the active ruleset # when going from start to stop ## enable_autosave=false # # set enable_save_counters to "false" to disable saving table counters with # rulesets ## enable_save_counters=false uruk-20160219/doc/rfc4890-icmpv6-firewall.sh0000644000175000017500000003006111712513436015077 00000000000000#!/bin/bash # Copyright (c) 2006, Suresh Krishnan. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # - Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# Message-ID: <4EE7D463.3030907@ericsson.com>
# Date: Tue, 13 Dec 2011 17:40:35 -0500
# From: Suresh Krishnan
# To: Joost van Baal-Ilić
# Subject: Re: script for icmpv6 firewall rules, rfc 4890, software license
# References: <20111213132226.GY10269@dijkstra.uvt.nl>
#
# Hi Joost,
# I release the example script to configure icmpv6 firewall rules as
# published in rfc 4890 under the 2-clause BSD license.
#
# Thanks
# Suresh

# rfc4890-icmpv6-firewall.sh - Example Script to Configure ICMPv6 Firewall Rules
#
# Example implementation of most of the rules suggested in RFC 4890 for the
# Linux Netfilter packet filter. The target is a simple enterprise site that
# may or may not support Mobile IPv6.

# --- Site configuration -----------------------------------------------------

# Prefixes on the trusted ("inner") side of the firewall.
INNER_PREFIXES="2001:DB8:85::/60"

# Hosts providing services, which are therefore made pingable.
PINGABLE_HOSTS="2001:DB8:85::/64"

# Set to 1 to allow error messages only for existing sessions.
STATE_ENABLED=0

# Set to 1 to filter messages to/from link local addresses.
# Do not use this if the firewall is a bridge.
# Optional for firewalls that are routers.
FILTER_LINK_LOCAL_ADDRS=0

# Set to 0 if the site does not support Mobile IPv6 Home Agents -
# see Appendix A.14.
HOME_AGENTS_PRESENT=1

# Set to 0 if the site does not support Mobile IPv6 mobile nodes being
# present on the site - see Appendix A.14.
MOBILE_NODES_PRESENT=1

# All settings are exported, as in the original one-export-per-variable form.
export INNER_PREFIXES PINGABLE_HOSTS STATE_ENABLED FILTER_LINK_LOCAL_ADDRS \
  HOME_AGENTS_PRESENT MOBILE_NODES_PRESENT

# --- Chain setup --------------------------------------------------------------

# Create the dedicated chain and send every forwarded ICMPv6 packet through it.
# Only FORWARD is hooked here, so these rules cover transit traffic; nothing in
# this part of the script filters ICMPv6 addressed to or sent by the firewall
# host itself.
# NOTE(review): the chain is created unconditionally. If the script is run
# again without the chain being removed first, --new-chain fails because the
# chain already exists, and a second jump plus duplicate rules get appended.
ip6tables --new-chain icmpv6-filter
ip6tables --append FORWARD --protocol icmpv6 --jump icmpv6-filter

# Match scope of src and dest else deny
# This capability is not provided for in base ip6tables functionality
# An extension (agr) exists which may support it.
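#@TODO@

# ECHO REQUESTS AND RESPONSES
# ===========================
# Every rule in this section is appended to the icmpv6-filter chain.
# INNER_PREFIXES and PINGABLE_HOSTS are expanded unquoted on purpose: each
# whitespace-separated entry becomes one loop iteration. The single entry is
# quoted where it is handed to ip6tables, so it is passed as exactly one
# argument and is never glob-expanded.

# Allow outbound echo requests from prefixes which belong to the site
for inner_prefix in $INNER_PREFIXES
do
  ip6tables -A icmpv6-filter -p icmpv6 -s "$inner_prefix" \
    --icmpv6-type echo-request -j ACCEPT
done

# Allow inbound echo requests towards only predetermined hosts
for pingable_host in $PINGABLE_HOSTS
do
  ip6tables -A icmpv6-filter -p icmpv6 -d "$pingable_host" \
    --icmpv6-type echo-request -j ACCEPT
done

# An unset or empty STATE_ENABLED is treated as 0 (stateless), which is the
# branch the unguarded numeric test also ended up in, minus the
# "integer expression expected" error on stderr.
if [ "${STATE_ENABLED:-0}" -eq 1 ]
then
  # Allow incoming and outgoing echo reply messages
  # only for existing sessions
  # NOTE(review): "-m state --state" is the older spelling of connection
  # tracking matches; current iptables documentation points to
  # "-m conntrack --ctstate" instead. Left as written to keep the rule set
  # identical.
  ip6tables -A icmpv6-filter -m state -p icmpv6 \
    --state ESTABLISHED,RELATED --icmpv6-type \
    echo-reply -j ACCEPT
else
  # Allow both incoming and outgoing echo replies.
  # These rules carry no connection-tracking match: an echo reply is
  # accepted on address alone, whether or not a request was ever sent.

  # Outgoing echo replies from pingable hosts
  for pingable_host in $PINGABLE_HOSTS
  do
    ip6tables -A icmpv6-filter -p icmpv6 -s "$pingable_host" \
      --icmpv6-type echo-reply -j ACCEPT
  done

  # Incoming echo replies to prefixes which belong to the site
  for inner_prefix in $INNER_PREFIXES
  do
    ip6tables -A icmpv6-filter -p icmpv6 -d "$inner_prefix" \
      --icmpv6-type echo-reply -j ACCEPT
  done
fi

# Deny icmps to/from link local addresses
# If the firewall is a router:
# These rules should be redundant as routers should not forward
# link local addresses but to be sure...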
# DO NOT ENABLE these rules if the firewall is a bridge if [ "$FILTER_LINK_LOCAL_ADDRS" -eq "1" ] then ip6tables -A icmpv6-filter -p icmpv6 -s fe80::/10 -j DROP fi # Drop echo replies which have a multicast address as a # destination ip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 \ --icmpv6-type echo-reply -j DROP # DESTINATION UNREACHABLE ERROR MESSAGES # ====================================== if [ "$STATE_ENABLED" -eq "1" ] then # Allow incoming destination unreachable messages # only for existing sessions for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -m state -p icmpv6 \ -d $inner_prefix \ --state ESTABLISHED,RELATED --icmpv6-type \ destination-unreachable -j ACCEPT done else # Allow incoming destination unreachable messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type destination-unreachable -j ACCEPT done fi # Allow outgoing destination unreachable messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type destination-unreachable -j ACCEPT done # PACKET TOO BIG ERROR MESSAGES # ============================= if [ "$STATE_ENABLED" -eq "1" ] then # Allow incoming Packet Too Big messages # only for existing sessions for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -m state -p icmpv6 \ -d $inner_prefix \ --state ESTABLISHED,RELATED \ --icmpv6-type packet-too-big \ -j ACCEPT done else # Allow incoming Packet Too Big messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type packet-too-big -j ACCEPT done fi # Allow outgoing Packet Too Big messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type packet-too-big -j ACCEPT done # TIME EXCEEDED ERROR MESSAGES # ============================ if [ "$STATE_ENABLED" -eq "1" ] then # Allow incoming time exceeded code 0 messages # only for existing 
sessions for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -m state -p icmpv6 \ -d $inner_prefix \ --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \ -j ACCEPT done else # Allow incoming time exceeded code 0 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type ttl-zero-during-transit -j ACCEPT done fi #@POLICY@ # Allow incoming time exceeded code 1 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type ttl-zero-during-reassembly -j ACCEPT done # Allow outgoing time exceeded code 0 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type ttl-zero-during-transit -j ACCEPT done #@POLICY@ # Allow outgoing time exceeded code 1 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type ttl-zero-during-reassembly -j ACCEPT done # PARAMETER PROBLEM ERROR MESSAGES # ================================ if [ "$STATE_ENABLED" -eq "1" ] then # Allow incoming parameter problem code 1 and 2 messages # for an existing session for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -m state -p icmpv6 \ -d $inner_prefix \ --state ESTABLISHED,RELATED --icmpv6-type \ unknown-header-type \ -j ACCEPT ip6tables -A icmpv6-filter -m state -p icmpv6 \ -d $inner_prefix \ --state ESTABLISHED,RELATED \ --icmpv6-type unknown-option \ -j ACCEPT done fi # Allow outgoing parameter problem code 1 and code 2 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type unknown-header-type -j ACCEPT ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type unknown-option -j ACCEPT done #@POLICY@ # Allow incoming and outgoing parameter # problem code 0 messages for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 \ --icmpv6-type 
bad-header \ -j ACCEPT done # NEIGHBOR DISCOVERY MESSAGES # =========================== # Drop NS/NA messages both incoming and outgoing ip6tables -A icmpv6-filter -p icmpv6 \ --icmpv6-type neighbor-solicitation -j DROP ip6tables -A icmpv6-filter -p icmpv6 \ --icmpv6-type neighbor-advertisement -j DROP # Drop RS/RA messages both incoming and outgoing ip6tables -A icmpv6-filter -p icmpv6 \ --icmpv6-type router-solicitation -j DROP ip6tables -A icmpv6-filter -p icmpv6 \ --icmpv6-type router-advertisement -j DROP # Drop Redirect messages both incoming and outgoing ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP # MLD MESSAGES # ============ # Drop incoming and outgoing # Multicast Listener queries (MLDv1 and MLDv2) ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 130 -j DROP # Drop incoming and outgoing Multicast Listener reports (MLDv1) ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 131 -j DROP # Drop incoming and outgoing Multicast Listener Done messages (MLDv1) ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 132 -j DROP # Drop incoming and outgoing Multicast Listener reports (MLDv2) ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 143 -j DROP # ROUTER RENUMBERING MESSAGES # =========================== # Drop router renumbering messages ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 138 -j DROP # NODE INFORMATION QUERIES # ======================== # Drop node information queries (139) and replies (140) ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROP ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 140 -j DROP # MOBILE IPv6 MESSAGES # ==================== # If there are mobile ipv6 home agents present on the # trusted side allow if [ "$HOME_AGENTS_PRESENT" -eq "1" ] then for inner_prefix in $INNER_PREFIXES do #incoming Home Agent address discovery request ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type 144 -j ACCEPT #outgoing Home Agent address discovery reply ip6tables -A icmpv6-filter -p 
icmpv6 -s $inner_prefix \ --icmpv6-type 145 -j ACCEPT #incoming Mobile prefix solicitation ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type 146 -j ACCEPT #outgoing Mobile prefix advertisement ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type 147 -j ACCEPT done fi # If there are roaming mobile nodes present on the # trusted side allow if [ "$MOBILE_NODES_PRESENT" -eq "1" ] then for inner_prefix in $INNER_PREFIXES do #outgoing Home Agent address discovery request ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type 144 -j ACCEPT #incoming Home Agent address discovery reply ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type 145 -j ACCEPT #outgoing Mobile prefix solicitation ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \ --icmpv6-type 146 -j ACCEPT #incoming Mobile prefix advertisement ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \ --icmpv6-type 147 -j ACCEPT done fi # DROP EVERYTHING ELSE # ==================== ip6tables -A icmpv6-filter -p icmpv6 -j DROP uruk-20160219/contrib/0000755000175000017500000000000012661613117011413 500000000000000uruk-20160219/contrib/Makefile.am0000644000175000017500000000073011712513436013366 00000000000000## Process this file with automake to produce Makefile.in ## this file maintained at http://git.mdcc.cx/uruk.git ## Copyright (C) 2007 Joost van Baal ## ## This script is free software; you can distribute it and/or modify it ## under the terms of the GNU GPL. See the file COPYING. contribdir = $(datadir)/doc/@PACKAGE_TARNAME@/contrib contrib_DATA = fw_2007-10.xsd fw2dot.xsl fw2urukrc.xsl \ fw_firewall_2007-10.xsd README sample.xml EXTRA_DIST = $(contrib_DATA) uruk-20160219/contrib/Makefile.in0000644000175000017500000003147212661613101013400 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. 
# This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ 
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = contrib ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' 
am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(contribdir)" DATA = $(contrib_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = 
@localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ contribdir = $(datadir)/doc/@PACKAGE_TARNAME@/contrib contrib_DATA = fw_2007-10.xsd fw2dot.xsl fw2urukrc.xsl \ fw_firewall_2007-10.xsd README sample.xml EXTRA_DIST = $(contrib_DATA) all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu contrib/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu contrib/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-contribDATA: $(contrib_DATA) @$(NORMAL_INSTALL) @list='$(contrib_DATA)'; test -n "$(contribdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(contribdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(contribdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(contribdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(contribdir)" || exit $$?; \ done uninstall-contribDATA: @$(NORMAL_UNINSTALL) @list='$(contrib_DATA)'; test -n "$(contribdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(contribdir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; 
\ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: for dir in "$(DESTDIR)$(contribdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-contribDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-contribDATA .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-contribDATA \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-contribDATA .PRECIOUS: Makefile # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: uruk-20160219/contrib/README0000644000175000017500000000361511712513436012217 00000000000000 The files here include an XML configuration schema for a firewall and software to transform this XML configuration into an Uruk configuration file. See http://www.mokolo.org/fwxml/introduction.html for more details. The rest of this README is in Dutch. 
Fred wrote me: Date: Fri, 21 Sep 2007 16:19:39 +0200 From: Fred Vos To: Joost van Baal Subject: XML voor uruk Message-ID: <20070921141939.GQ29157@africa.uvt.nl> % xsltproc uruk2dot.xsl uruk.xml > firewall.dot % dot -Tpng -o firewall.png firewall.dot dot is shipped with graphviz. and: Date: Sun, 30 Sep 2007 20:05:01 +0200 From: Fred Vos To: Joost van Baal Subject: Re: XML voor uruk Message-ID: <20070930180501.GD6032@africa.uvt.nl> [...] sample.xml is een voorbeeld van een firewall beschrijving. Deze bevat alles behalve de uruk specifieke zaken. Zie daarvoor verderop. De *.xsd files kun je gebruiken om een firewall.xml file (bijvoorbeeld sample.xml) te testen op validiteit. Ze komen van mijn site, maar een 'gebruiker' kan ze het beste lokaal hebben. Probeer bijvoorbeeld xmllint of een andere tool voor dat doel. Voor xmllint: % xmllint --schema /path/to/fw_firewall_2007-10.xsd /path/to/firewall.xml xmllint zit dacht ik in package libxml2-utils. Bestand fw_2007-10.xsd wordt geinclude door fw_firewall_2007-10.xsd en dient in dezelfde directory te staan. fw2urukrc.xsl is een conversiescript dat het firewall specifieke deel van de rc maakt. Converteer de firewall met een xslt processor, bijvoorbeeld xsltproc. Voor xsltproc: % xsltproc /path/to/fw2urukrc.xsl /path/to/firewall.xml Dit stuurt de tekst naar stdout. Te redirecten naar een bestand, uiteraard. xsltproc zit in een package met dezelfde naam. Maken van een rc file: Ik denk aan het volgende: Zet de uruk specifieke dingen in 'uruk.conf' en de firewall in 'firewall.xml'. Dan iets als: % cp uruk.conf rc % echo >> rc % xsltproc /path/to/fw2urukrc.xsl firewall.xml >> rc [...] uruk-20160219/contrib/fw_2007-10.xsd0000644000175000017500000002225011712513436013355 00000000000000 Allows a named source access to a named service. An external interface. The name is the real name of the interface. A reference to a named network. A network is a named ip-address or ip-range. 
A port number can either be a positive integer, like '22' for ssh or '80' for www, but also a name of a service, like 'ssh' or 'sunrpc'. If a service name is used, the system must be able to translate the string into a positive integer. See http://en.wikipedia.org/wiki/TCP_and_UDP_port for information on ports. A service is a named collection of ports, related to a service. A port can, for this setup, be a member in more than one service, but usually this is not the case. Usually there's one port associated with a single service. To distinguish this named service from services as used to represent ports, please start the name with an upper case character, for instance 'WWW' for the service and 'www' for the port or 'Telnet' for the service and 'telnet' for port 23. For service 'WWW' you could associate both ports 80 ('www') and 443 ('https'). A named collection of networks. uruk-20160219/contrib/fw2dot.xsl0000644000175000017500000001077711712513436013303 00000000000000 digraph firewall { rankdir=LR; graph [bgcolor=transparent]; node [shape=ellipse style=filled fontname=Arial fontsize=12]; /* default */ edge [arrowhead=none]; /* default */ subgraph cluster_0 { label="Ports"; node [color=green]; port_ [label=""]; } subgraph cluster_1 { label="Services"; node [color=yellow]; service_ [label=""]; } subgraph cluster_2 { label="Sources"; node [color=orange]; source_ [label=""]; } subgraph cluster_3 { label="Networks"; node [shape=record color=lightblue]; network_ [label="|{}"]; } port_ -> service_ ; service_ -> source_ [taillabel= headlabel= ]; source_ -> network_ ; } uruk-20160219/contrib/fw2urukrc.xsl0000644000175000017500000002325611712513436014024 00000000000000 tcp udp tcp udp tcp udp interfaces=" " interfaces_nocast=" " ip_ = net_ = bcast_ = source_ =" " services_ _ =" " sources_ _ _ =" $source_ " ports_ _ _ =" " uruk-20160219/contrib/fw_firewall_2007-10.xsd0000644000175000017500000000304511712513436015243 00000000000000 
uruk-20160219/contrib/sample.xml0000644000175000017500000000542711712513436013345 00000000000000 uruk-20160219/init/0000755000175000017500000000000012661613117010716 500000000000000uruk-20160219/init/Makefile.am0000644000175000017500000000125712577731326012710 00000000000000## Process this file with automake to produce Makefile.in ## this file maintained at http://git.mdcc.cx/uruk.git ## Copyright (C) 2003, 2004 Joost van Baal ## Copyright (C) 2012, 2015 Joost van Baal-Ilić ## This script is free software; you can distribute it and/or modify it ## under the terms of the GNU GPL. See the file COPYING. initdir = $(sysconfdir)/init.d init_SCRIPTS = uruk ## /lib/uruk/init/ initlibdir = $(libexecdir)/$(PACKAGE)/init initlib_SCRIPTS = autodetect-ips enable-ipv6 # to be installed as /lib/systemd/system/uruk.service systemddir = $(libexecdir)/systemd/system systemd_DATA = uruk.service EXTRA_DIST = $(init_SCRIPTS) $(initlib_SCRIPTS) $(systemd_DATA) uruk-20160219/init/Makefile.in0000644000175000017500000004017012661613102012677 00000000000000# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ false; \ elif test -n '$(MAKE_HOST)'; then \ true; \ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ true; \ else \ false; \ fi; \ } am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = init ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = 
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(initdir)" "$(DESTDIR)$(initlibdir)" \ "$(DESTDIR)$(systemddir)" SCRIPTS = $(init_SCRIPTS) $(initlib_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac DATA = $(systemd_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ 
build_alias = @build_alias@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ initdir = $(sysconfdir)/init.d init_SCRIPTS = uruk initlibdir = $(libexecdir)/$(PACKAGE)/init initlib_SCRIPTS = autodetect-ips enable-ipv6 # to be installed as /lib/systemd/system/uruk.service systemddir = $(libexecdir)/systemd/system systemd_DATA = uruk.service EXTRA_DIST = $(init_SCRIPTS) $(initlib_SCRIPTS) $(systemd_DATA) all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu init/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu init/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-initSCRIPTS: $(init_SCRIPTS) @$(NORMAL_INSTALL) @list='$(init_SCRIPTS)'; test -n "$(initdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(initdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(initdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n' \ -e 'h;s|.*|.|' \ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) { files[d] = files[d] " " $$1; \ if (++n[d] == $(am__install_max)) { \ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ else { print "f", d "/" $$4, $$1 } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(initdir)$$dir'"; \ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(initdir)$$dir" || exit $$?; \ } \ ; done uninstall-initSCRIPTS: @$(NORMAL_UNINSTALL) @list='$(init_SCRIPTS)'; test -n "$(initdir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(initdir)'; $(am__uninstall_files_from_dir) 
install-initlibSCRIPTS: $(initlib_SCRIPTS) @$(NORMAL_INSTALL) @list='$(initlib_SCRIPTS)'; test -n "$(initlibdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(initlibdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(initlibdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n' \ -e 'h;s|.*|.|' \ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) { files[d] = files[d] " " $$1; \ if (++n[d] == $(am__install_max)) { \ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ else { print "f", d "/" $$4, $$1 } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(initlibdir)$$dir'"; \ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(initlibdir)$$dir" || exit $$?; \ } \ ; done uninstall-initlibSCRIPTS: @$(NORMAL_UNINSTALL) @list='$(initlib_SCRIPTS)'; test -n "$(initlibdir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(initlibdir)'; $(am__uninstall_files_from_dir) install-systemdDATA: $(systemd_DATA) @$(NORMAL_INSTALL) @list='$(systemd_DATA)'; test -n "$(systemddir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(systemddir)'"; \ $(MKDIR_P) "$(DESTDIR)$(systemddir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemddir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(systemddir)" || exit $$?; \ done uninstall-systemdDATA: @$(NORMAL_UNINSTALL) @list='$(systemd_DATA)'; test -n "$(systemddir)" || list=; \ 
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(systemddir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(SCRIPTS) $(DATA) installdirs: for dir in "$(DESTDIR)$(initdir)" "$(DESTDIR)$(initlibdir)" "$(DESTDIR)$(systemddir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-initSCRIPTS install-initlibSCRIPTS \ install-systemdDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-initSCRIPTS uninstall-initlibSCRIPTS \ uninstall-systemdDATA .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-initSCRIPTS install-initlibSCRIPTS \ install-man install-pdf install-pdf-am install-ps \ install-ps-am install-strip install-systemdDATA installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ pdf-am ps ps-am tags-am uninstall uninstall-am \ uninstall-initSCRIPTS uninstall-initlibSCRIPTS \ uninstall-systemdDATA .PRECIOUS: Makefile # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: uruk-20160219/init/uruk0000644000175000017500000001510112566620545011554 00000000000000#!/bin/sh # # this file maintained at http://git.mdcc.cx/uruk.git # # Uruk init script. 
# chkconfig: 2345 11 89 # description: starts, stops and saves iptables state, as created by uruk # beware! above two lines are parsed by chkconfig(8), as commonly found on # (old? << 2013 ?) RPM based systems ### BEGIN INIT INFO # Provides: uruk # Required-Start: $local_fs # Required-Stop: $local_fs # Default-Start: S # Default-Stop: 0 1 6 # X-Start-Before: networking # X-Stop-Before: # Description: Starts uruk firewall configuration # short-description: uruk firewall configuration ### END INIT INFO # Copyright (C) 2002, 2003 Laurence J. Lane # Copyright (C) 2003, 2004, 2005, 2007, 2010 Joost van Baal # Copyright (C) 2013 Joost van Baal-Ilić # # This file is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) # any later version. # # This file is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU GPL for more details. # # You should have received a copy of the GNU GPL along with this file, see # e.g. the file named COPYING. If not, see . # Based upon /etc/init.d/iptables as shipped with the Debian iptables # package by Laurence J. Lane NAME=uruk DAEMON=/sbin/uruk SCRIPTNAME=/etc/init.d/"$NAME" initd="$0" # Debian-ism? Not exit 5 but exit 0. test -f $DAEMON || exit 0 ############################################################################### # # This script should be LSB 3.1.0 compliant. In particular, # http://refspecs.freestandards.org/LSB_3.1.0/LSB-generic/LSB-generic/initscrcomconv.html # and # http://refspecs.freestandards.org/LSB_3.1.0/LSB-generic/LSB-generic/iniscrptact.html # should be adhered to: # # Error and status messages should be printed with the logging functions (see # Init Script Functions) log_success_msg(), log_failure_msg() and # log_warning_msg(). 
Scripts may write to standard error or standard output, but # implementations need not present text written to standard error/output to the # user or do anything else with it. # # LSB required: # start start the service # stop stop the service # restart stop and restart the service if the service is already running, # otherwise start the service # force-reload cause the configuration to be reloaded if the service supports # this, otherwise restart the service if it is running # status print the current status of the service # # In case of an error while processing any init-script action except for status, # the init script shall print an error message and exit with a non-zero status # code: # # 1 generic or unspecified error (current practice) # 2 invalid or excess argument(s) # 3 unimplemented feature (for example, "reload") # 4 user had insufficient privilege # 5 program is not installed # 6 program is not configured # 7 program is not running # # # Note that those situation shall also be regarded as success: # * restarting a service (instead of reloading it) # with the "force-reload" argument # * running "start" on a service already running # * running "stop" on a service already stopped or not running # * running "restart" on a service already stopped or not running # * running "try-restart" on a service already stopped or not running # ############################################################################### # /lib/lsb/init-functions # Red Hat EL AS rel 3 Yes # # Debian GNU/Linux >= Sarge Yes, in lsb-base package # # See /usr/share/doc/lsb-core/examples/init-skeleton.gz for sample lsb init # script. # # include lsb functions lsb_init_functions=/lib/lsb/init-functions uruk_lsb_init_functions=/lib/uruk/lsb/init-functions if test -f $lsb_init_functions; then . $lsb_init_functions elif test -f $uruk_lsb_init_functions; then . $uruk_lsb_init_functions else cat << END File $lsb_init_functions nor file $uruk_lsb_init_functions found. Exiting. 
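END
    exit 1
fi

# NOTE(review): text is missing from this listing after the "cat <" below: the
# rest of the init script and, apparently, the archive header and first comment
# lines of init/autodetect-ips. The surviving fragments are kept as they appear.
usage () {
    cat <_default and
# net{,6}__default. see uruk-rc(5) and the sample uruk rc file
# as shipped with uruk in doc/rc.

# Copyright © 2012 Wessel Dankers
# Copyright © 2013 Casper Gielen
# Copyright © 2013 Joost van Baal-Ilić

# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING. If not, see .

# Usage: make sure your /etc/uruk/rc has leading line
# ". /lib/uruk/init/autodetect-ips", e.g. by running
#
#  sed -i '1i. /lib/uruk/init/autodetect-ips' /etc/uruk/rc
#

###############################################
# assign IPs and networks to network interfaces
###############################################

# FIXME
# set $interfaces dynamically too?

# For each interface in interfaces, ip_ should be defined.

# First try Red Hat's init scripts

# This works fine with dash. (As long as you don't have a file called
# 'ifcfg-*'.) Other non-strict shells (zsh, e.g.) might print an error "no
# matches found: /etc/sysconfig/network-scripts/ifcfg-*"
for f in /etc/sysconfig/network-scripts/ifcfg-*
do
	test -e "$f" || continue
	iface=${f#/etc/sysconfig/network-scripts/ifcfg-}
	# The interface name becomes part of the variable names that are
	# eval'ed below, so only names that are valid there are accepted.
	case $iface in *[!a-zA-Z0-9_]*|[!a-zA-Z_]*)
		continue
	esac
	# NOTE(review): the ifcfg file is sourced in a subshell and everything
	# that subshell prints is eval'ed. The values are echoed unquoted, so a
	# value holding whitespace or shell metacharacters is executed by eval
	# instead of being assigned, and so is any output the file itself
	# produces. The file is already trusted as shell code (it is sourced),
	# so this is a robustness concern; keep these files root-writable only.
	eval "$(
		. "$f"
		echo ip_${iface}_default=$IPADDR
		echo net_${iface}_default=$IPADDR/$NETMASK
		echo ip6_${iface}_default=${IPV6ADDR%/*}
		echo net6_${iface}_default=$IPV6ADDR
	)"
done

# Second, Debian's init scripts
#
# NOTE(review): /etc/network/interfaces is a data file, not shell code, yet
# the address and netmask words read from it are echoed unquoted into the
# eval below. Only the interface name is checked. Restricting both values to
# address characters before echoing them would keep eval from running
# anything found in that file.
if test -f /etc/network/interfaces
then
	# bash 3.2 FIXME : change ` ` back to $( ) (twice), and change
	# eval ip="\"\\$ip_${iface}_default\"" back to
	# eval ip="\"\$ip_${iface}_default\"" : we are working around a bug in
	# bash 3.2, since june 2015. Revert this stuff after dec 2015,
	eval "`
		while read -r key val val1 rest
		do
			case $key in
				iface)
					case $val in
						*[!a-zA-Z0-9_]*|[!a-zA-Z_]*)
							iface=
							type=
						;;
						*)
							iface=$val
							type=$val1
					esac
					address=
					netmask=
					case $type in inet6)
						netmask=64
					esac
				;;
				address)
					address=$val
					case $address in */*)
						netmask=${address##*/}
						address=${address%/*}
					esac
				;;
				netmask)
					netmask=$val
			esac
			case $iface,$address,$netmask in ?*,?*,?*)
				case $type in
					inet)
						echo ip_${iface}_default=$address
						echo net_${iface}_default=$address/$netmask
					;;
					inet6)
						echo ip6_${iface}_default=$address
						echo net6_${iface}_default=$address/$netmask
				esac
				iface=
				type=
				address=
				netmask=
			esac
		done /dev/null 2>&1
# NOTE(review): text is missing from this listing around this note: the end
# of the Debian branch and the opening of the branch that parses the output
# of ip a. The surviving fragments are kept as they appear.
then
	# bash 3.2 FIXME
	eval "`
		iface=
		# read fields: jeden dva tri cetiri ostalo = one two three four rest
		ip a | \
		while read -r jeden dva tri cetiri ostalo
		do
			case $jeden in
				[0-9]*:)
					iface=${dva%:}
					# same name check as the two branches above: the name is
					# used inside eval and as part of a variable name
					case $iface in *[!a-zA-Z0-9_]*|[!a-zA-Z_]*)
						iface=
					esac
				;;
				inet)
					test -n "$iface" || continue
					# if ip_${iface}_default unset, assign to it
					# nested eval. would that work?
					# bash 3.2 FIXME
					eval ip="\"\\$ip_${iface}_default\""
					if test -z "$ip"
					then
						address=${dva%/*}
						netmask=${dva#*/}
						echo ip_${iface}_default=$address
						echo net_${iface}_default=$address/$netmask
					fi
				;;
				inet6)
					test -n "$iface" || continue
					# bash 3.2 FIXME
					eval ip6="\"\\$ip6_${iface}_default\""
					# The fourth field is the scope. The former single word
					# global=... was a non-empty string and therefore always
					# true, so link-local addresses were accepted as well.
					if test -z "$ip6" && test "$cetiri" = global
					then
						# test scope?
						# inet6 fe80::250:56ff:fe31:3831/64 scope link
						# inet 192.168.1.3/24 brd 192.168.1.255 scope global wlan0
						address=${dva%/*}
						netmask=${dva#*/}
						echo ip6_${iface}_default=$address
						echo net6_${iface}_default=$address/$netmask
					fi
				;;
			esac
		done
	`"
else
	cat <&2
autodetecs-ips: command 'ip' not found.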
might have missed to autodetect some IPs. please install the iproute package. EOT fi #(if we want to depend upon awk: # ip a | awk '/^[0-9]:/ { print $2; exit }' #) uruk-20160219/init/enable-ipv60000644000175000017500000000142212057413456012673 00000000000000#!/bin/sh # this file maintained at http://git.mdcc.cx/uruk.git # uruk/init/enable-ipv6 - should uruk run ip6tables too? # Copyright © 2012 Wessel Dankers # Copyright © 2012 Joost van Baal-Ilić # usage: in /etc/default/uruk, write: # # enable_ipv6=$(enable-ipv6) # if $enable_ipv6; then dostuff; fi # based upon "group/uruk/etc/default" by Wessel Dankers, 2012 enable_ipv6=false for f in /etc/sysconfig/network-scripts/ifcfg-* do test -f "$f" || continue case $(unset IPV6INIT; . $f && echo $IPV6INIT) in yes) enable_ipv6=true esac done if test -f /etc/network/interfaces then while read -r verb iface family mode do case $verb,$family in iface,inet6) enable_ipv6=true esac done &2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ 
pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : subdir = lsb ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/VERSION.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(lsbdir)" "$(DESTDIR)$(lsbdir)" SCRIPTS = $(lsb_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac DATA = $(lsb_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ PACKAGE = @PACKAGE_TARNAME@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ am__leading_dot = @am__leading_dot@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build_alias = @build_alias@ builddir = @builddir@ 
datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host_alias = @host_alias@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # /lib/uruk/lsb/ lsbdir = $(libexecdir)/$(PACKAGE)/lsb lsb_DATA = init-functions lsb_SCRIPTS = lsb_killproc lsb_log_message lsb_pidofproc lsb_start_daemon EXTRA_DIST = $(lsb_SCRIPTS) $(lsb_DATA) all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu lsb/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu lsb/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-lsbSCRIPTS: $(lsb_SCRIPTS) @$(NORMAL_INSTALL) @list='$(lsb_SCRIPTS)'; test -n "$(lsbdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(lsbdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(lsbdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n' \ -e 'h;s|.*|.|' \ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) { files[d] = files[d] " " $$1; \ if (++n[d] == $(am__install_max)) { \ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ else { print "f", d "/" $$4, $$1 } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(lsbdir)$$dir'"; \ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(lsbdir)$$dir" || exit $$?; \ } \ ; done uninstall-lsbSCRIPTS: @$(NORMAL_UNINSTALL) @list='$(lsb_SCRIPTS)'; test -n "$(lsbdir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(lsbdir)'; $(am__uninstall_files_from_dir) install-lsbDATA: $(lsb_DATA) 
@$(NORMAL_INSTALL) @list='$(lsb_DATA)'; test -n "$(lsbdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(lsbdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(lsbdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(lsbdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(lsbdir)" || exit $$?; \ done uninstall-lsbDATA: @$(NORMAL_UNINSTALL) @list='$(lsb_DATA)'; test -n "$(lsbdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(lsbdir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(SCRIPTS) $(DATA) installdirs: for dir in "$(DESTDIR)$(lsbdir)" "$(DESTDIR)$(lsbdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-lsbDATA install-lsbSCRIPTS install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-lsbDATA uninstall-lsbSCRIPTS .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic cscopelist-am \ ctags-am distclean distclean-generic distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-lsbDATA install-lsbSCRIPTS install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ uninstall-am uninstall-lsbDATA uninstall-lsbSCRIPTS .PRECIOUS: Makefile # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: uruk-20160219/lsb/lsb_killproc0000755000175000017500000000010612033554063013052 00000000000000#!/bin/bash . /etc/init.d/functions LSB=LSB-1.1 killproc $* exit $? uruk-20160219/lsb/lsb_log_message0000755000175000017500000000036312033554063013525 00000000000000#!/bin/bash . 
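/etc/init.d/functions

ACTION=$1
shift

# Print the message without a newline, then call the matching status helper
# from /etc/init.d/functions. The quoted "$*" keeps the message intact: no
# word splitting, no glob expansion, no parsing of the text as echo options.
case "$ACTION" in
  success)
	printf '%s' "$*"
	success "$*"
	echo
	;;
  failure)
	printf '%s' "$*"
	failure "$*"
	echo
	;;
  warning)
	printf '%s' "$*"
	warning "$*"
	echo
	;;
  *)
	;;
esac
exit 0
uruk-20160219/lsb/lsb_pidofproc0000755000175000017500000000007312033554063013223 00000000000000
#!/bin/bash

. /etc/init.d/functions

# "$@" hands every argument on as given; an unquoted $* would split
# arguments on whitespace and expand glob characters in them.
pidofproc "$@"
exit $?
uruk-20160219/lsb/lsb_start_daemon0000755000175000017500000000121212033554063013712 00000000000000
#!/bin/bash
#
# lsb_start_daemon - front end for daemon() from /etc/init.d/functions.
#
# Options, all optional and placed before the program to start:
#   -f              passed on as --force
#   -n nicelevel    passed on unchanged
#   -p pidfile      passed on as --pidfile pidfile
#   -u user         passed on as --user user
#   -c base         passed on as --check base
# The remaining arguments are handed to daemon() as given.
# Exit status: 1 for an unknown option or a missing option value,
# otherwise the status of daemon().

. /etc/init.d/functions

# One array per option: a value stays a single word even when it holds
# whitespace or glob characters, and the option order seen by daemon()
# stays the same as before.
nice=()
force=()
pidfile=()
user=()
check=()
RETVAL=

# Exit with a message unless the option in $1 is followed by a value.
# "shift 2" with only one argument left fails without shifting, so the
# option loop below would otherwise never end.
require_value () {
	if [ "$#" -lt 2 ]; then
		echo "Option $1 requires an argument"
		exit 1
	fi
}

while [ "$1" != "${1##[-+]}" ]; do
	case $1 in
		-f)
			force=(--force)
			shift
			;;
		-n)
			require_value "$@"
			# an empty nice level adds no argument at all
			nice=(${2:+"$2"})
			shift 2
			;;
		-p)
			require_value "$@"
			pidfile=(--pidfile "$2")
			shift 2
			;;
		-u)
			require_value "$@"
			user=(--user "$2")
			shift 2
			;;
		-c)
			require_value "$@"
			check=(--check "$2")
			shift 2
			;;
		*)
			echo "Unknown Option $1"
			echo "Options are:"
			echo "-f"
			echo "-p {pidfile}"
			echo "-n [+/-nicelevel]"
			echo "-u {user}"
			echo "-c {base}"
			exit 1;;
	esac
done

LSB=LSB-1.1 daemon "${force[@]}" "${nice[@]}" "${pidfile[@]}" "${user[@]}" "${check[@]}" "$@"
exit $?
uruk-20160219/lsb/init-functions0000644000175000017500000000246112033554063013347 00000000000000
#!/bin/sh

# LSB initscript functions, as defined in the LSB Spec 1.1.0
#
# Lawrence Lim - Tue, 26 June 2007
# Updated to the latest LSB 3.1 spec
# http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic_lines.txt
# Modified by Joost van Baal-Ilić for uruk.

PATH=$PATH:/etc/redhat-lsb:/lib/uruk/lsb

# both Red Hat's and our implementation of lsb_start_daemon e.a.
# rely on file /etc/init.d/functions
if ! test -f /etc/init.d/functions ; then
cat <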