shorewall-core-5.1.12.2/ 0000775 0000000 0000000 00000000000 13243350235 013366 5 ustar root root shorewall-core-5.1.12.2/lib.uninstaller 0000664 0000000 0000000 00000004414 13243347103 016421 0 ustar root root #
#
# Shorewall 5.1 -- /usr/share/shorewall/lib.uninstaller.
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# The purpose of this library is to hold the functions used by the product's uninstaller.
#
#########################################################################################
fatal_error()
{
    # Print the caller's message on stderr with the " ERROR: " prefix,
    # then terminate the running script with status 1.
    {
        echo " ERROR: $@"
    } >&2

    exit 1
}
split() {
    # Break a colon-separated list ($1) into its members and print them
    # on one line separated by single spaces. IFS is switched to ':' only
    # for the duration of the split and then put back.
    local saved_ifs

    saved_ifs=$IFS
    IFS=:
    set -- $1
    echo $@
    IFS=$saved_ifs
}
qt()
{
    # Run the command given as arguments with both stdout and stderr
    # discarded; the command's exit status is passed back unchanged.
    "$@" 2>/dev/null 1>&2
}
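mywhich() {
    # Report whether an executable named $1 exists in one of the
    # directories listed in $PATH.
    #
    # Returns 0 when found, 2 otherwise. Nothing is printed.
    local dir

    # An empty name would make the test below probe the PATH directory
    # itself, which is always "executable" -- treat it as not found.
    [ -n "$1" ] || return 2

    for dir in $(split $PATH); do
        # Quoted so that a name containing whitespace or glob characters
        # is tested as a single path.
        if [ -x "$dir/$1" ]; then
            return 0
        fi
    done

    return 2
}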
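remove_file() # $1 = file to remove
{
    # Delete $1 when it is a regular file or a symbolic link and report
    # the removal on stdout. Directories and missing paths are ignored.
    #
    # The uninstaller presumably runs as root, so the path is always
    # quoted and preceded by '--': an unquoted name containing whitespace
    # or glob characters would otherwise be split into several rm operands.
    if [ -n "$1" ]; then
        if [ -f "$1" ] || [ -L "$1" ]; then
            rm -f -- "$1"
            echo "$1 Removed"
        fi
    fi
}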
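remove_directory() # $1 = directory to remove
{
    # Recursively delete directory $1 and report the removal on stdout.
    # Empty arguments and paths that are not directories are ignored.
    #
    # 'rm -rf' on an unquoted expansion is the dangerous case here: a
    # value with whitespace or glob characters would expand to several
    # unrelated operands. The path is therefore quoted and follows '--'.
    if [ -n "$1" ]; then
        if [ -d "$1" ]; then
            rm -rf -- "$1"
            echo "$1 Removed"
        fi
    fi
}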
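remove_file_with_wildcard() # $1 = file with wildcard to remove
{
    # Expand the shell pattern in $1 and delete every match: directories
    # recursively, regular files and symbolic links individually. Each
    # removal is reported on stdout.
    local f

    if [ -n "$1" ]; then
        # $1 is deliberately left unquoted so the shell performs pathname
        # expansion on it; every resulting name is quoted from here on so
        # that matches containing whitespace stay a single operand.
        for f in $1; do
            if [ -d "$f" ]; then
                rm -rf -- "$f"
                echo "$f Removed"
            elif [ -f "$f" ] || [ -L "$f" ]; then
                rm -f -- "$f"
                echo "$f Removed"
            fi
        done
    fi
}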
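restore_file() # $1 = file to restore
{
    # If a backup named "$1-shorewall.bkout" exists, move it back over $1
    # and report the restore on stdout. A failed move terminates the
    # script with status 1; a missing backup is silently ignored.
    #
    # Both paths are quoted and follow '--' so a name with whitespace or a
    # leading '-' is handled as exactly one operand.
    if [ -f "${1}-shorewall.bkout" ]; then
        if mv -f -- "${1}-shorewall.bkout" "$1"; then
            echo
            echo "$1 restored"
        else
            exit 1
        fi
    fi
}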
shorewall-core-5.1.12.2/lib.installer 0000664 0000000 0000000 00000003616 13243347103 016061 0 ustar root root #
#
# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# The purpose of this library is to hold the functions used by the product's installer.
#
#########################################################################################
fatal_error()
{
    # Write the message to stderr behind the " ERROR: " prefix and stop
    # the installer with exit status 1.
    {
        echo " ERROR: $@"
    } >&2

    exit 1
}
split() {
    # Print the members of the colon-separated list in $1 on one line,
    # separated by single spaces. IFS is set to ':' while splitting and
    # restored afterwards.
    local saved_ifs

    saved_ifs=$IFS
    IFS=:
    set -- $1
    echo $@
    IFS=$saved_ifs
}
qt()
{
    # Execute the given command silently (stdout and stderr both go to
    # /dev/null) and hand back its exit status.
    "$@" 2>/dev/null 1>&2
}
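mywhich() {
    # Report whether an executable named $1 exists in one of the
    # directories listed in $PATH.
    #
    # Returns 0 when found, 2 otherwise. Nothing is printed.
    local dir

    # An empty name would make the test below probe the PATH directory
    # itself, which is always "executable" -- treat it as not found.
    [ -n "$1" ] || return 2

    for dir in $(split $PATH); do
        # Quoted so that a name containing whitespace or glob characters
        # is tested as a single path.
        if [ -x "$dir/$1" ]; then
            return 0
        fi
    done

    return 2
}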
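delete_file() # $1 = file to delete
{
    # Remove $1 without complaining when it does not exist.
    #
    # Quoting keeps a path with whitespace or glob characters from being
    # expanded into several rm operands, and '--' keeps a leading '-' from
    # being read as an option.
    rm -f -- "$1"
}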
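require()
{
    # Abort through fatal_error unless the shell variable whose NAME is
    # passed in $1 is set to a non-empty value.
    #
    # The name is spliced into an 'eval', so it is first checked to be a
    # plain identifier; anything else is rejected instead of evaluated.
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            fatal_error "Invalid option name '$1' passed to require()"
            ;;
    esac

    # The value is expanded inside double quotes within the eval'd text.
    # Expanded unquoted, an empty value collapses the test to '[ -n ]',
    # which is true, so a missing option would pass unnoticed; a value
    # containing spaces would make the test fail with a syntax error.
    eval "[ -n \"\${$1}\" ]" || fatal_error "Required option $1 not set"
}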
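make_directory() # $1 = directory , $2 = mode
{
    # Create directory $1, set its mode to $2 and, when $OWNERSHIP is
    # non-empty, change its owner.
    #
    # The path is quoted and follows '--' so that a name with whitespace
    # or a leading '-' is one operand for mkdir and chmod.
    mkdir -- "$1"
    # NOTE(review): mkdir's status is not checked, so chmod/chown are still
    # applied when the path already exists -- confirm that is intended.
    chmod -- "$2" "$1"
    # NOTE(review): $OWNERSHIP is passed to chown as-is (and left unquoted
    # in case it holds several words), while make_parent_directory passes
    # "$OWNER:$GROUP" under the same guard -- confirm which form chown
    # should receive here.
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP "$1"
}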
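make_parent_directory() # $1 = directory , $2 = mode
{
    # Create directory $1 together with any missing parents, set the mode
    # of $1 to $2 and, when $OWNERSHIP is non-empty, give it to
    # $OWNER:$GROUP. Only the final directory gets the mode and owner;
    # intermediate directories keep whatever 'mkdir -p' assigns.
    #
    # All operands are quoted and follow '--' so a path with whitespace or
    # a leading '-' stays a single argument.
    mkdir -p -- "$1"
    chmod -- "$2" "$1"
    [ -n "$OWNERSHIP" ] && chown "$OWNER:$GROUP" "$1"
}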
cant_autostart()
{
    # Emit a blank line on stdout, then warn on stderr that $Product could
    # not be set up to start at boot.
    printf '\n'
    echo "WARNING: Unable to configure $Product to start automatically at boot" 1>&2
}
shorewall-core-5.1.12.2/shorewallrc.debian.systemd 0000664 0000000 0000000 00000003100 13243347103 020540 0 ustar root root #
# Debian Shorewall 5.0 rc file
#
# Every setting below is a plain shell variable assignment; entries that
# reference ${PREFIX}, ${VARLIB} or $PRODUCT are expanded when the file is read.
# NOTE(review): lib.core reads a shorewallrc with the shell's '.' command, so
# a file of this kind is executed as shell code by whoever sources it
# (presumably root) -- the installed copy should be writable by root only.
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
INITDIR= #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's installed SysV init script
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFFILE=default.debian.systemd #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
shorewall-core-5.1.12.2/INSTALL 0000664 0000000 0000000 00000001711 13243347103 014417 0 ustar root root Shoreline Firewall (Shorewall) Version 5
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
---------------------------------------------------------------------------
Please see http://www.shorewall.net/Install.htm for installation
instructions.
shorewall-core-5.1.12.2/changelog.txt 0000664 0000000 0000000 00000031111 13243350235 016053 0 ustar root root Changes in 5.1.12.2
1) Update release documents.
2) Alter documentation to prefer ';;' over ';' in INLINE and
IP[6]TABLES rules.
3) Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES
rules.
4) Correct typo that resulted in an "unknown function" Perl diagnostic.
4) Correct "Invalid policy" message.
5) Fix omitted SYN limiting.
Changes in 5.1.12.1
1) Update release documents.
2) Replace macro.SSDPServer with corrected macro.SSDPserver.
Changes in 5.1.12 Final
1) Update release documents.
2) Add INLINE_MATCHES=Yes to the deprecated list.
Changes in 5.1.12 RC 1
1) Update release documents.
2) Minor performance enhancements to Optimize Category 8.
3) Always report IPSET_MATCH.
Changes in 5.1.12 Beta 2
1) Update release documents.
2) Delete undocumented OPTIMIZE_USE_FIRST option.
3) Merge 5.1.11.
4) Suppress trailing whitespace.
5) Avoid awkward blank lines.
Changes in 5.1.12 Beta 1
1) Update release documents.
2) Code and manpage cleanup.
3) Allow SNAT in the INPUT chain.
Changes in 5.1.11 Final
1) Update release documents.
Changes in 5.1.11 RC 1
1) Update release documents.
2) Update versions and copyrights.
3) Clear the connection mark on forwarded IPSEC tunneled connections.
4) Make TRACK_PROVIDERS=Yes the default.
Changes in 5.1.11 Beta 2
1) Update release documents.
2) Be selective about verification of the conntrack utility when
DYNAMIC_BLACKLIST=ipset,disconnect...
3) Don't require shorewall to be started for 'allow' with ipset-based
DBL.
4) Make address variables play nice with the 'clear' command.
5) Don't unconditionally enable forwarding during 'clear'.
Changes in 5.1.11 Beta 1
1) Update release documents.
2) Allow non-root to run some 'show' commands.
3) Use synchain name in log messages rather than base chain name.
3) Assume :syn for TCP CT entries in the conntrack file and HELPER.
4) Limit depth of 'find' search when AUTOMAKE=Yes.
Changes in 5.1.10.2
1) Update release documents.
2) Limit 'find' to depth 1.
3) Don't run find in an empty entry in $CONFIG_PATH
Changes in 5.1.10.1
1) Update release documents.
2) Fix Shorewall-core installer for sandbox case.
3) Make /etc and /configfiles the same.
Changes in 5.1.10 Final
1) Update release documents.
Changes in 5.1.10 RC 2
1) Update release documents.
2) Add warning re wildcard and OPTIONS.
3) Correct IPv6 Universal interfaces file.
Changes in 5.1.10 RC 1
1) Update release documents.
2) Correct ingress policing.
3) Fix Shorewall-init recompilation problem.
Changes in 5.1.10 Beta 2
1) Update release documents.
2) Allow a protocol to be associated with a regular action.
3) Remove the PSH flag from the FIN action.
Changes in 5.1.10 Beta 1
1) Update release documents.
2) Allow CONFIG_PATH setting to begin with ':' to allow dropping the
first directory by non-root.
3) Correct several typos in the manpages (Roberto Sánchez).
4) Correct typo in 'dump' processing.
5) Reset all table counters during 'reset'.
Changes in 5.1.9 Final
1) Update release documents.
2) Use logical interface names in the Sample configs.
Changes in 5.1.9 RC 1
1) Update release documents.
2) Apply W Van den Akker's OpenWRT/Lede patches.
3) Don't verify IP and SHOREWALL_SHELL paths when compiling
for export.
4) Support for Redfish remote console in macro.IPMI
Changes in 5.1.9 Beta 2
1) Update release documents.
2) Merge content from 5.1.8.
Changes in 5.1.9 Beta 1
1) Update release documents.
2) Add TCPMSS action in the mangle file.
3) Inline the Broadcast action when ADDRTYPE match is available.
4) Support logging in the snat file.
5) Add shorewall-logging(5).
Changes in 5.1.8 Final
1) Update release documents.
Changes in 5.1.8 RC 1
1) Update release documents.
2) Correct 'delete_default_routes()'.
3) Delete default routes from 'main' when a fallback provider is
successfully enabled.
4) Don't restore default route when a fallback provider is enabled.
5) Issue a warning when 'persistent' is used with
RESTORE_DEFAULT_ROUTE=Yes.
6) Don't dump SPD entries for the other address family.
Changes in 5.1.8 Beta 2
1) Update release documents.
2) Fix 'persistent' provider issues.
Changes in 5.1.8 Beta 1
1) Update release documents.
2) Treat LOG_TARGET the same as all other capabilities.
3) Allow merging of rules with IPSEC policies
Changes in 5.1.7.1
1) Update release documents.
2) Correct 'reenable' logic for persistent providers.
3) Align progress messages produced by 'reenable'.
Changes in 5.1.7 Final
1) Update release documents.
Changes in 5.1.7 RC 2
1) Update release documents.
2) Correct module loading.
3) Add DOCKER-INGRESS support.
Changes in 5.1.7 RC 1
1) Update release documents.
2) Correct handling of ipsets in the DEST column of the snat file.
3) Allow NAT rules to be passed to perl_action_helper()
4) Split NAT and ACCEPT rules in the Event actions.
5) Correct VLSM verification logic in the 'ipcalc' command.
6) Fix ADD_IP_ALIASES default.
7) Remove empty/useless .tmp files created during shorewall-init stop.
Changes in 5.1.7 Beta 2
1) Update release documents.
2) Improve dynamic gateway detection.
Changes in 5.1.7 Beta 1
1) Update release documents.
2) Simplify Module Loading (Tuomo Soini)
3) Eliminate MODULE_SUFFIX.
Changes in 5.1.6 Final
1) Update release documents.
2) Allow port variables as server port in DNAT rules.
3) Change MODULE_SUFFIX standard default to "ko ko.xz"
4) Added UDP rule to macro.RDP.
Changes in 5.1.6 RC 2
1) Update release documents.
2) Use MUTEX_TIMEOUT for ip[6]tables-restore --wait interval
Changes in 5.1.6 RC 1
1) Update release documents.
2) Make Shorewall's handling of '+' consistent with Netfilter's.
3) Verify that parent and child zones have an interface in common.
4) Allow runtime address variables as the DNAT server address.
5) Prevent IPv4 and IPv6 firewalls from starting simultaneously under
systemd.
6) Use the ip[6]-tables --wait option, if available.
Changes in 5.1.6 Beta 2
1) Update release documents.
2) Pass arguments to the enable and disable user exit functions
3) Export CONFDIR and SHAREDIR to the generated script.
4) Correct handling of combining a policy chain with a normal chain.
Changes in 5.1.6 Beta 1
1) Update release documents.
2) Apply Bernhard M. Wiedemann's patch for reproducible builds.
3) Patch configure.pl to support reproducible builds.
4) Merge content from 5.1.5.1.
Changes in 5.1.5.2
1) Update release documents.
2) Correct source port handling when BASIC_FILTERS=Yes.
3) Correct handling of USER/GROUP in the OUTPUT section of the
accounting file.
4) Correct handling of MAC addresses in the accounting file.
Changes in 5.1.5.1
1) Update release documents.
2) Process the snat file if the masq file is empty.
3) Apply Bernhard Wiedemann's configure change.
4) Make a similar change to configure.pl.
Changes in 5.1.5 Final
1) Update release documents.
2) Include IPv6 annotated config files.
3) Add RESTORE_DEFAULT_ROUTE to shorewall6.conf.
Changes in 5.1.5 RC 1
1) Update release documents.
2) USE_NFLOG_SIZE option.
3) Improve editing of port numbers/service names.
4) Add dropBcasts action.
Changes in 5.1.5 Beta 2
1) Update release documents.
2) Consolidate Shorewall/Shorewall6 manpages.
Changes in 5.1.5 Beta 1
1) Update release documents.
2) Add defect repair through 5.1.4.2.
3) Implement runtime port variables.
Changes in 5.1.4.4
1) Update release documents.
2) Correct handling of two or more fallback providers
Changes in 5.1.4.3
1) Update release documents.
2) Don't generate multihop routes unnecessarily
Changes in 5.1.4.2
1) Update release documents.
2) Correct many broken links in the manpages.
3) Correct NFQUEUE without the 'c' option.
Changes in 5.1.4.1
1) Update release documents.
2) Update shorewall-rules(5).
3) Expand LOGFORMAT documentation.
4) Restore the BLACKLIST action in Shorewall6.
Changes in 5.1.4 Final
1) Update release documents.
Changes in 5.1.4 RC 1
1) Update release documents.
2) Add PERL_HASH_SEED option.
Changes in 5.1.4 Beta 2
1) Update release documents.
2) Correct validation of string interface options.
3) Correct handling of IPv6 tunnel-src and tunnel-dst.
4) Documentation cleanup.
Changes in 5.1.4 Beta 1
1) Update release documents.
2) Unify Actions
3) Report invocation site when generating ?info and ?warning messages
4) Add IPv6 UPnP support.
5) ?reset of action variable now sets $parmsmodified.
6) Clean up column/value pair editing.
Changes in 5.1.3.1
1) Update release documents.
2) Correct typo in BLACKLIST_DEFAULT settings
3) Fix 'add+' handling.
4) Correct two-interface snat file.
Changes in 5.1.3 Final
1) Update release documents.
2) Quote 'none' AND SMURF_LOG_LEVEL in _DEFAULT settings.
3) Correct IPv6 Multicast action.
4) Tabify new actions.
5) Add Multicast to the deprecated A_Drop and A_Reject actions.
6) Correct log message from IPv6 Multicast action.
Changes in 5.1.3 RC 2
1) Update release documents.
2) Enclose _LEVEL and _DEFAULT settings in quotes during update.
3) Expand variables during .conf processing except when updating.
Changes in 5.1.3 RC 1
1) Update release documents.
2) Re-add Multicast to IPv6 samples.
3) Add dropInvalid to IPv6 samples.
Changes in 5.1.3 Beta 2
1) Update release documents.
2) Clear firewall on Debian systemd 'stop'.
3) Correct tcp-reset handling.
4) Implement PROTO=tcp:!syn.
5) Quote "$LOG_LEVEL" in shorewall[6].conf samples.
6) Modify rejNotSyn and dropNotSyn to use the two preceding changes.
7) Merge 5.1.2.2/3 fixes.
8) Quote $LOG_LEVEL in shorewall[6].conf samples.
9) 'reload' documentation corrections.
10) Set TC_ENABLED=Shared in IPv6 samples.
11) Remove Multicast from IPv6 policy actions.
Changes in 5.1.3 Beta 1
1) Update release documents.
2) Installer/uninstaller changes from Matt Darfeuille.
3) Replace determinism sorts with PERL_HASH_SEED.
4) Correct recent compiler directives WRT omitting
5) Eliminate builtin actions.
Changes in 5.1.2.1
1) Update release documents.
2) Document fix for 'show action allowinUPdP'.
3) Document fix for logging in BLACKLIST.
Changes in 5.1.2
1) Update release documents.
Changes in 5.1.2 RC 1
1) Update release documents.
2) Fix LOG_LEVEL
3) Fix allowMcast
4) Make 'show action' work (sort of) with builtin actions.
Changes in 5.1.2 Beta 2
1) Update release documents.
2) Change policy actions.
3) Fix IPv6 dropBcasts.
4) Add LOG_LEVEL option.
5) Separate broadcast and multicast handling
Changes in 5.1.2 Beta 1
1) Update release documents.
2) Implement default action lists.
3) Manpage updates.
Changes in 5.1.0 Final.
1) Update release documents.
Changes in 5.1.1 RC 1
1) Update release documents.
2) Make BALANCE_PROVIDERS default the setting of USE_DEFAULT_RT.
3) Add BLACKLIST policy
4) Add BLACKLIST action
5) Implement ?REQUIRE
6) Implement 'show action '
7) Implement 'section' action option
8) Embed BLACKLIST macro logic into the BLACKLIST action.
Changes in 5.1.1 Beta 2
1) Update release documents.
2) Replace USE_DEFAULT_RT=Exact with BALANCE_PROVIDERS=No.
3) Handle optional interfaces correctly in process_a_provider().
Changes in 5.1.1 Beta 1
1) Update release documents.
2) Catch routefilter/provider conflicts.
3) Set 'logmartians' along with 'routefilter'.
4) Implement USE_DEFAULT_RT=Exact.
Changes in 5.1.0.1
1) Update release documents.
2) Correct Shorewall6-lite .service file
3) Propagate PAGER setting to -lite systems.
Changes in 5.1.0 Final
1) Update release documents.
2) Ignore SUBSYSLOCK when $SERVICEDIR is non-empty
3) Correct splitting of IP(6)TABLES options.
4) Allow compact IPv6 addresses in IP6TABLES() parameters.
Changes in 5.1.0 RC 2
1) Update release documents.
2) Eliminate use of 'echo' escape sequences
3) Update kernel module files
Changes in 5.1.0 RC 1
1) Update release documents.
2) Move the action files into their own directory.
3) Add the 'show ipsec' command.
4) Remove rawpost support.
5) Add Stateful IPv6 netmapping
Changes in 5.1.0 Beta 2
1) Update release documents.
2) Fatal error on empty action file and presence of a file with
the same name as the action.
3) Use 'ip xfrm' to dump SPD and SAD
4) Create CLI symlinks
5) Correct intra-zone processing in policies.
Changes in 5.1.0 Beta 1
1) Update release documents.
2) Unify the CLI
3) Extend SOURCE/DEST syntax in the rules files
4) Remove CHAIN_SCRIPT support.
5) Avoid needless duplicate action chains.
6) Implement support for NFQUEUE CPU Fanout.
shorewall-core-5.1.12.2/lib.core 0000664 0000000 0000000 00000017565 13243347103 015024 0 ustar root root #
# Shorewall 5.1 -- /usr/share/shorewall/lib.core
#
# (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# This library contains the code common to all Shorewall components except the
# generated scripts.
#
# Integer version stamp of this library.
# NOTE(review): presumably compared by callers against the library version
# they expect -- confirm where it is checked.
SHOREWALL_LIBVERSION=50108
#
# Fatal Error
#
fatal_error() # $@ = Message
{
    # Write the message to stderr behind the " ERROR: " prefix and end the
    # running script with exit status 2.
    {
        echo " ERROR: $@"
    } >&2

    exit 2
}
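setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
    # Derive the per-product globals from $PRODUCT, $SHAREDIR and $CONFDIR.
    #
    # Sets: g_basedir, g_sharedir, g_confdir, g_product, g_family, g_tool,
    #       g_lite, and fills in whichever of VARLIB / VARDIR is empty.
    # Aborts through fatal_error when $PRODUCT is not one of the four
    # known products or when its 'version' file is missing.
    g_basedir="${SHAREDIR}/shorewall"
    g_sharedir="${SHAREDIR}/${PRODUCT}"
    g_confdir="${CONFDIR}/${PRODUCT}"

    case "$PRODUCT" in
        shorewall)
            g_product="Shorewall"
            g_family=4
            g_tool=iptables
            g_lite=
            ;;
        shorewall6)
            g_product="Shorewall6"
            g_family=6
            g_tool=ip6tables
            g_lite=
            ;;
        shorewall-lite)
            g_product="Shorewall Lite"
            g_family=4
            g_tool=iptables
            g_lite=Yes
            ;;
        shorewall6-lite)
            g_product="Shorewall6 Lite"
            g_family=6
            g_tool=ip6tables
            g_lite=Yes
            ;;
        *)
            fatal_error "Unknown PRODUCT ($PRODUCT)"
            ;;
    esac

    # Quoted: an unquoted path with whitespace makes '[' fail with a syntax
    # error, which would be reported as "not installed".
    [ -f "${SHAREDIR}/${PRODUCT}/version" ] || fatal_error "$g_product does not appear to be installed on this system"

    #
    # We need to do this again, now that we have the correct product
    #
    # The file is executed as shell code in the current shell, so the path
    # is quoted to make sure exactly ${g_basedir}/shorewallrc is read.
    [ -n "$1" ] && . "${g_basedir}/shorewallrc"

    if [ -z "${VARLIB}" ]; then
        # Only VARDIR was given: treat it as the parent and append the
        # product name.
        VARLIB=${VARDIR}
        VARDIR=${VARLIB}/${PRODUCT}
    elif [ -z "${VARDIR}" ]; then
        VARDIR="${VARLIB}/${PRODUCT}"
    fi
}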
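set_default_product() {
    # Choose $PRODUCT from the name the script was invoked under; when the
    # name is not one of the known command names, fall back to whichever
    # product has a 'version' file installed (shorewall first, then
    # shorewall-lite, then shorewall6-lite). Aborts through fatal_error
    # when none is found.
    #
    # $0 and the probed paths are quoted so that whitespace in the
    # invocation path or in SHAREDIR cannot split them into several words.
    case "$(basename -- "$0")" in
        shorewall6)
            PRODUCT=shorewall6
            ;;
        shorewall4)
            PRODUCT=shorewall
            ;;
        shorewall-lite)
            PRODUCT=shorewall-lite
            ;;
        shorewall6-lite)
            PRODUCT=shorewall6-lite
            ;;
        *)
            if [ -f "${g_basedir}/version" ]; then
                PRODUCT=shorewall
            elif [ -f "${SHAREDIR}/shorewall-lite/version" ]; then
                PRODUCT=shorewall-lite
            elif [ -f "${SHAREDIR}/shorewall6-lite/version" ]; then
                PRODUCT=shorewall6-lite
            else
                fatal_error "No Shorewall firewall product is installed"
            fi
            ;;
    esac
}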
# Not configured Error
#
not_configured_error() # $@ = Message
{
    # Same report format as fatal_error (stderr, " ERROR: " prefix), but
    # the script ends with exit status 6.
    {
        echo " ERROR: $@"
    } >&2

    exit 6
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
    # Print the message on stdout only when $VERBOSITY is greater than 1.
    # When $g_timestamp is non-empty the line is prefixed with the current
    # HH:MM:SS time and a space.
    local stamp
    stamp=

    [ $VERBOSITY -gt 1 ] || return 0

    if [ -n "$g_timestamp" ]; then
        stamp="$(date +%H:%M:%S) "
    fi

    echo "${stamp}$@"
}
progress_message2() # $* = Message
{
    # Print the message on stdout only when $VERBOSITY is greater than 0.
    # When $g_timestamp is non-empty the line is prefixed with the current
    # HH:MM:SS time and a space.
    local stamp
    stamp=

    [ $VERBOSITY -gt 0 ] || return 0

    if [ -n "$g_timestamp" ]; then
        stamp="$(date +%H:%M:%S) "
    fi

    echo "${stamp}$@"
}
progress_message3() # $* = Message
{
    # Print the message on stdout when $VERBOSITY is zero or greater.
    # When $g_timestamp is non-empty the line is prefixed with the current
    # HH:MM:SS time and a space.
    local stamp
    stamp=

    [ $VERBOSITY -ge 0 ] || return 0

    if [ -n "$g_timestamp" ]; then
        stamp="$(date +%H:%M:%S) "
    fi

    echo "${stamp}$@"
}
#
# Undo the effect of 'separate_list()'
#
combine_list()
{
    # Join all arguments (after normal word splitting) into one
    # comma-separated string and print it.
    local joined
    joined=

    # Re-split the arguments exactly as an unquoted $* would.
    set -- $*

    while [ $# -gt 0 ]; do
        if [ -n "$joined" ]; then
            joined="$joined,$1"
        else
            joined=$1
        fi
        shift
    done

    echo $joined
}
#
# Validate an IP address
#
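valid_address() {
    # Check that $1 is a dotted-quad IPv4 address: exactly four decimal
    # fields, each in the range 0-255.
    #
    # Returns 0 when valid, 2 otherwise.
    local x
    local ifs
    local count

    # Reject anything but digits and dots up front. This also keeps glob
    # characters away from the unquoted expansion in the loop below, where
    # they would otherwise be expanded against the current directory.
    # A trailing dot is rejected here because field splitting would hide it.
    case $1 in
        ''|*[!0-9.]*|*.)
            return 2
            ;;
    esac

    count=0
    ifs=$IFS
    IFS=.

    for x in $1; do
        case $x in
            [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
                [ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
            *)
                IFS=$ifs
                return 2
                ;;
        esac
        count=$(( $count + 1 ))
    done

    IFS=$ifs

    # Without this check "1.2.3" and "1.2.3.4.5" were accepted because
    # only the individual fields were examined.
    [ $count -eq 4 ] || return 2

    return 0
}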
#
# Miserable Hack to work around broken BusyBox ash in OpenWRT
#
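addr_comp() {
    # Succeed when the integer $1 is strictly greater than the integer $2.
    #
    # The comparison is handed to bc(1) through a here-document instead of
    # using shell arithmetic, so it does not depend on the width of the
    # shell's integers. As displayed, the here-document operator and its
    # first operand were missing, which left 'bc' reading a file named by
    # $2 and 'EOF' being run as a command.
    test $(bc <<EOF
$1 > $2
EOF
) -eq 1
}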
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a minimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
# ip_range <spec>
#
# Prints one address or network/VLSM entry per line covering the range
# "first-last" given in $1. Anything that does not look like a dotted-quad
# range (including a spec starting with '!') is echoed back unchanged.
# Calls fatal_error when the range is rejected by the addr_comp check below.
#
# NOTE(review): decodeaddr/encodeaddr are not defined in this part of the
# file; presumably they convert between dotted-quad text and an integer --
# confirm. addr_comp A B is used here as "A is greater than B".
ip_range() {
local first
local last
local l
local x
local y
local z
local vlsm
case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*)
# A dotted-quad range: fall through to the expansion below.
;;
*)
# Not a range: pass it through untouched.
echo $1
return
;;
esac
# Split the spec at the '-' and convert both ends.
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if addr_comp $first $last; then
fatal_error "Invalid IP address range: $1"
fi
# l is one past the end of the range; loop while addresses remain.
l=$(( $last + 1 ))
while addr_comp $l $first; do
# Start with a single host (no /VLSM suffix, block size z=1) ...
vlsm=
x=31
y=2
z=1
# ... and keep doubling the block (y) while 'first' is aligned on it and
# the block does not run past l; x is the prefix length for block size y.
while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
# Emit the block and advance past it.
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
ip_range_explicit() {
    # Print every address in the dotted-quad range "first-last" given in
    # $1, one per line. An argument that is not such a range is echoed
    # back unchanged. Calls fatal_error when addr_comp reports the first
    # address as greater than the last.
    local first
    local last

    case $1 in
        [0-9]*.*.*.*-*.*.*.*)
            ;;
        *)
            echo $1
            return
            ;;
    esac

    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})

    if addr_comp $first $last; then
        fatal_error "Invalid IP address range: $1"
    fi

    # Walk upward until 'first' has moved past 'last'.
    until addr_comp $first $last; do
        echo $(encodeaddr $first)
        first=$(( $first + 1 ))
    done
}
# Pull in lib.common unless LEFTSHIFT is already set.
# NOTE(review): presumably lib.common defines LEFTSHIFT (used by ip_vlsm
# below) along with helpers such as decodeaddr/encodeaddr -- confirm.
# The file is executed in the current shell and its path is built from
# g_basedir (derived from SHAREDIR) and expanded unquoted.
[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
#
# Netmask to VLSM
#
# ip_vlsm <netmask>
#
# Prints the prefix length for the netmask in $1, or writes
# "Invalid net mask" to stderr when bits remain set after the leading run
# of one-bits has been shifted out.
# NOTE(review): the invalid-mask path prints nothing on stdout and does not
# return a distinct status -- callers presumably test for empty output.
ip_vlsm() {
local mask
# NOTE(review): decodeaddr is defined elsewhere; presumably it yields the
# mask as an integer -- confirm.
mask=$(decodeaddr $1)
local vlsm
vlsm=0
local x
x=$(( 128 << 24 )) # 0x80000000
# Count leading one-bits: while bit 31 is set, shift the mask left by one.
# $LEFTSHIFT supplies the shift operator text and is set outside this function.
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
# Any bit left in the low 31 bits means the ones were not contiguous.
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}
#
# Set default config path
#
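ensure_config_path() {
    # Make sure $CONFIG_PATH is populated.
    #
    # When CONFIG_PATH is empty, ${g_sharedir}/configpath is sourced to
    # set it; a missing file ends the script with status 2. When
    # $g_shorewalldir is set, it is placed at the front of CONFIG_PATH
    # unless it is already the first entry.
    local F

    F=${g_sharedir}/configpath

    if [ -z "$CONFIG_PATH" ]; then
        # Diagnostic goes to stderr like the other error reports in this
        # library.
        [ -f "$F" ] || { echo " ERROR: $F does not exist" >&2; exit 2; }
        # configpath is executed as shell code in the current shell; the
        # path is quoted so exactly that file is read even when g_sharedir
        # contains whitespace.
        . "$F"
    fi

    if [ -n "$g_shorewalldir" ]; then
        [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
}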
#
# Get fully-qualified name of file
#
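resolve_file() # $1 = file name
{
    # Print the absolute form of the path in $1, resolved against the
    # current directory. Leading "./" and "../" components are handled;
    # the path is not otherwise normalised and need not exist.
    #
    # Every expansion is quoted: unquoted, a directory name containing
    # whitespace breaks the 'cd' back to the starting directory and has
    # its spacing collapsed (or glob characters expanded) by echo.
    local pwd
    pwd=$PWD

    case $1 in
        /*)
            printf '%s\n' "$1"
            ;;
        .)
            printf '%s\n' "$pwd"
            ;;
        ./*)
            printf '%s\n' "${pwd}${1#.}"
            ;;
        ..)
            cd ..
            printf '%s\n' "$PWD"
            cd "$pwd"
            ;;
        ../*)
            # Step up one level, resolve the remainder from there, then
            # return to where we started.
            cd ..
            resolve_file "${1#../}"
            cd "$pwd"
            ;;
        *)
            printf '%s\n' "$pwd/$1"
            ;;
    esac
}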
# Determine which version of mktemp is present (if any) and set MKTEMP accordingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
    # Set MKTEMP to None, STD or BSD: None when 'mywhich mktemp' prints
    # nothing, STD when 'mktemp -V' succeeds, BSD otherwise.
    local mktemp

    mktemp=$(mywhich mktemp 2> /dev/null)

    if [ -z "$mktemp" ]; then
        MKTEMP=None
    elif qt mktemp -V; then
        MKTEMP=STD
    else
        MKTEMP=BSD
    fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
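mktempfile() {
    # Create an empty temporary file and print its name.
    #
    # $1 (optional) = directory to create the file in; without it the file
    # goes into ${TMPDIR:-/tmp} (or wherever 'mktemp -t' puts it).
    # The flavour of mktemp is taken from $MKTEMP, which is determined by
    # find_mktemp on first use.
    local dir
    local file

    [ -z "$MKTEMP" ] && find_mktemp

    if [ $# -gt 0 ]; then
        dir=$1
    else
        dir=${TMPDIR:-/tmp}
    fi

    case "$MKTEMP" in
        BSD)
            mktemp "$dir/shorewall.XXXXXX"
            ;;
        STD)
            if [ $# -gt 0 ]; then
                mktemp -p "$dir" shorewall.XXXXXX
            else
                mktemp -t shorewall.XXXXXX
            fi
            ;;
        None)
            # No mktemp available: the name is built from the PID and is
            # therefore predictable. Any stale entry is removed first, then
            # the file is created with noclobber (set -C) so the creation
            # fails rather than following a symbolic link or reusing a file
            # that appeared under that name in the meantime. umask 077
            # gives the same owner-only mode mktemp would. Both settings
            # are confined to the subshell.
            #
            # The no-argument case previously created the file under
            # "${TMPDIR:-}" but reported "${TMPDIR:-/tmp}", so with TMPDIR
            # unset the printed name did not refer to the created file.
            file="$dir/shorewall-$$"
            rm -f -- "$file"
            ( umask 077 && set -C && : > "$file" ) && printf '%s\n' "$file"
            ;;
        *)
            error_message "ERROR:Internal error in mktempfile"
            ;;
    esac
}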
shorewall-core-5.1.12.2/shorewallrc.apple 0000664 0000000 0000000 00000002377 13243347103 016747 0 ustar root root #
# Apple OS X Shorewall 5.0 rc file
#
# Every setting below is a plain shell variable assignment; ${PREFIX} and
# ${SHAREDIR} are expanded when the file is read, so their assignments must
# come first. Entries marked "Unused on OS X" are left empty.
# NOTE(review): lib.core reads a shorewallrc with the shell's '.' command, so
# a file of this kind is executed as shell code by whoever sources it --
# the installed copy should be writable by its owner only.
BUILD=apple
HOST=apple
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Unused on OS X
INITFILE= #Unused on OS X
INITSOURCE= #Unused on OS X
ANNOTATED= #Unused on OS X
SERVICEDIR= #Unused on OS X
SERVICEFILE= #Unused on OS X
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-core-5.1.12.2/install.sh 0000775 0000000 0000000 00000022435 13243350235 015401 0 ustar root root #!/bin/sh
#
# Script to install Shoreline Firewall Core Modules
#
# (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# Release being installed and the identity of this package.
# PRODUCT is the lower-case name used in paths; Product is the display name
# used in messages (for example the cant_autostart warning in lib.installer).
VERSION=5.1.12.2
PRODUCT=shorewall-core
Product="Shorewall Core"
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME [