From e9a69372aed3b1b5fa3cd2d721e39da132471195 Mon Sep 17 00:00:00 2001
From: Pascal Rigaux
Date: Thu, 22 Aug 2002 22:35:51 +0000
Subject: use shorewall (need testing)
---
 perl-install/standalone/drakgw | 109 +++++++++-------------------------------
 1 file changed, 23 insertions(+), 86 deletions(-)
diff --git a/perl-install/standalone/drakgw b/perl-install/standalone/drakgw
index b31721dae..6362d11fa 100755
--- a/perl-install/standalone/drakgw
+++ b/perl-install/standalone/drakgw
@@ -30,6 +30,7 @@ use network;
 use log;
 use c;
 use network::netconnect;
+use network::shorewall;
 $::isInstall and die "Not supported during install.\n";
@@ -50,8 +51,8 @@ my $rc_firewall_drakgw = "/etc/rc.d/rc.firewall.inet_sharing";
 my $rc_firewall_24 = "/etc/rc.d/rc.firewall.inet_sharing-2.4";
 my $dhcpd_conf = "/etc/dhcpd.conf";
 my $cups_conf = "/etc/cups/cupsd.conf";
-my $drakgw_setup = "/etc/sysconfig/inet_sharing";
+my $shorewall = network::shorewall::read();
 my $in = 'interactive'->vnew('su', 'default');
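Review bot: With `$drakgw_setup` gone, the three `$rc_firewall_*` declarations left just above the new `my $shorewall = network::shorewall::read();` line refer to scripts this file no longer writes (the later hunk deletes every use of them), so they are now dead code. Either delete them or keep them deliberately for removing the legacy `rc.firewall.inet_sharing*` scripts on hosts set up by the previous version, and say so, e.g. `#- paths of the pre-shorewall scripts, kept only so they can be removed on upgrade`. Note also that `read()` now runs unconditionally at load, well before `fatal_quit` is defined; if it can die on an unparsable /etc/shorewall, the user gets a raw Perl error instead of the wizard's message — not verifiable from here.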
@@ -88,23 +89,19 @@ sub start_daemons ()
 sys("/etc/rc.d/init.d/network restart");
 $netmon_need_start and system("$netmon --connect --force --quiet >/dev/null");
- sys("sh $rc_firewall_generic");
+ sys("/etc/init.d/shorewall start");
- sys("/etc/rc.d/init.d/$_ start"), sys("/sbin/chkconfig --level 345 $_ on") foreach 'named', 'dhcpd';
+ sys("/etc/rc.d/init.d/$_ start"), sys("/sbin/chkconfig --level 345 $_ on") foreach 'named', 'dhcpd', 'shorewall';
 sys("/etc/rc.d/init.d/cups start") if $cups_used;
-
- substInFile { s/^INET_SHARING.*\n//; $_ .= "INET_SHARING=enabled\n" if eof } $drakgw_setup;
 }
 sub stop_daemons ()
 {
 standalone::explanations("Stopping daemons");
- system("/etc/rc.d/init.d/dhcpd status >/dev/null") == 0 and sys("/etc/rc.d/init.d/dhcpd stop");
- system("/etc/rc.d/init.d/named status >/dev/null 2>/dev/null") == 0 and sys("/etc/rc.d/init.d/named stop");
- sys("/sbin/iptables -t nat -F");
+ foreach (qw(dhcpd named shorewall)) {
+ system("/etc/rc.d/init.d/$_ status >/dev/null 2>/dev/null") == 0 and sys("/etc/rc.d/init.d/$_ stop");
+ }
 sys("/sbin/chkconfig --level 345 $_ off") foreach 'named', 'dhcpd';
-
- substInFile { s/^INET_SHARING.*\n//; $_ .= "INET_SHARING=disabled\n" if eof } $drakgw_setup;
 }
 sub fatal_quit ($)
@@ -120,16 +117,15 @@ log::l("[drakgw] kernel_version $kernel_version");
 $kernel_version eq '2.4' or fatal_quit(_("Sorry, we support only 2.4 kernels."));
-
 begin:
 #- **********************************
 #- * 0th step: verify if we are already set up
-if (-f $drakgw_setup) {
+if ($shorewall && $shorewall->{masquerade}) {
 $::Wizard_no_previous = 1;
- if (grep(/enabled/, cat_($drakgw_setup))) {
+ if (!$shorewall->{disabled}) {
 my $r = $in->ask_from_list_(_("Internet Connection Sharing currently enabled"),
 _("The setup of Internet connection sharing has already been done.
 It's currently enabled.
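Review bot: `start_daemons` now starts shorewall twice — once explicitly via `sys("/etc/init.d/shorewall start")` and again through the `foreach 'named', 'dhcpd', 'shorewall'` loop, using a different init path — while `stop_daemons` stops shorewall but its `chkconfig --level 345 $_ off` still covers only named and dhcpd, so a setup the user just "disabled" still brings shorewall back at boot unless the written config carries the disabled flag (not visible here). Drop the explicit start line and make the two functions symmetric, or leave shorewall enabled at boot on purpose and say why in a comment. Also worth a line of rationale: stopping the whole shorewall service replaces the old `iptables -t nat -F`, which removed only the masquerading and left any other filtering on the host untouched. `start_daemons` opens outside this hunk.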
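Review bot: The new state test `if ($shorewall && $shorewall->{masquerade})` treats any masquerade entry in the shorewall config as drakgw's own setup, and the deleted "unrecognized config file" branch was the only place that handled a config not written by this tool, so a hand-maintained /etc/shorewall masq entry is now reported as "already done" and, on "reconfigure", overwritten by the later `network::shorewall::write`. That may be acceptable, but it should be stated at the test, e.g. `#- any masquerade entry in the shorewall config is taken to be ours; a hand-written one is overwritten on reconfigure`; an explicit drakgw ownership marker in the config would be the stronger fix.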
@@ -153,7 +149,7 @@ What would you like to do?"),
 quit_global($in, 0);
 }
 }
- elsif (grep(/disabled/, cat_($drakgw_setup)))
+ else
 {
 my $r = $in->ask_from_list_(_("Internet Connection Sharing currently disabled"),
 _("The setup of Internet connection sharing has already been done.
@@ -179,10 +175,6 @@ What would you like to do?"),
 quit_global($in, 0);
 }
 }
- else {
- log::l("[drakgw] Warning, unrecognized config file, ignoring");
- renamef($drakgw_setup, "$drakgw_setup.unrecognized");
- }
 }
@@ -314,13 +306,7 @@ foreach (grep { $_ ne $device } @configured_devices)
 #- test for potential conflict with previous firewall config
-
-system('modprobe iptable_nat');
-if (-f '/etc/sysconfig/iptables' || -x '/sbin/iptables' && listlength(`/sbin/iptables -t nat -nL`) > 8) {
- $in->ask_okcancel(_("Firewalling configuration detected!"),
- _("Warning! An existing firewalling configuration has been detected. You may need some manual fix after installation.")) or goto step_detectsetup;
-}
-
+network::shorewall::check_iptables($in) or goto step_detectsetup;
 #- **********************************
 #- * 2nd step: configure
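Review bot: The conflict test replaced by `network::shorewall::check_iptables($in) or goto step_detectsetup;` checked two distinct things — a saved ruleset in `/etc/sysconfig/iptables` that will be restored at boot, and a nat table that already holds rules after `modprobe iptable_nat` — and the new call is relied on to return false only when the user declines, since the result drives the `goto`. Neither that contract nor the coverage is visible here, so it is worth confirming against network::shorewall and pinning at the call site, e.g. `#- asks the user to confirm when an iptables ruleset is already present; a false return means "go back"`. A wrapper that returns false on a missing /sbin/iptables would silently send every such host back to the detection step.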
@@ -366,64 +352,14 @@ if (grep { !-e $rpm2file{$_} } keys %rpm2file) {
 }
 }
+put_in_hash($shorewall ||= {}, {
+ disabled => 0,
+ net_interface => $card_netconnect,
+ if_(@cards > 1, loc_interface => [ grep { $_ ne $device } @cards ]),
+ masquerade => { interface => $device, subnet => "$lan_address.0/24" },
+});
-#- setup the masquerading configuration
-standalone::explanations("Modifying firewalling configuration");
-if (!-f $rc_firewall_generic) {
- output($rc_firewall_generic, "#!/bin/sh
-#
-# Automatically generated by drakgw
-[ -x $rc_firewall_drakgw ] && $rc_firewall_drakgw
-");
- chmod 0700, $rc_firewall_generic;
-}
-elsif (!grep(/drakgw/, cat_($rc_firewall_generic))) {
- outpend($rc_firewall_generic, "
-# Automatically added by drakgw
-[ -x $rc_firewall_drakgw ] && $rc_firewall_drakgw
- ");
-}
-
-output($rc_firewall_drakgw, sprintf(<<'EOF', $rc_firewall_24, $rc_firewall_24));
-#!/bin/sh
-KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
-KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
-
-if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -eq 4 ]; then
- [ -x %s ] && %s
-fi
-EOF
-
-chmod 0700, $rc_firewall_drakgw;
-
-
-output($rc_firewall_24, qq(#!/bin/sh
-# Load the NAT module (this pulls in all the others).
-modprobe iptable_nat
-
-# Turn on IP forwarding
-echo 1 > /proc/sys/net/ipv4/ip_forward
-
-# In the NAT table (-t nat), Append a rule (-A) after routing (POSTROUTING)
-# which says to MASQUERADE the connection (-j MASQUERADE).
-/sbin/iptables -t nat -A POSTROUTING -s $lan_address.0/24 -j MASQUERADE
-
-# Allows forwarding specifically to our LAN
-/sbin/iptables -A FORWARD -s $lan_address.0/24 -j ACCEPT
-
-# Allow dhcp requests
-/sbin/iptables -A INPUT -i $device -p udp --sport bootpc --dport bootps -j ACCEPT
-/sbin/iptables -A INPUT -i $device -p tcp --sport bootpc --dport bootps -j ACCEPT
-/sbin/iptables -A INPUT -i $device -p udp --sport bootps --dport bootpc -j ACCEPT
-/sbin/iptables -A INPUT -i $device -p tcp --sport bootps --dport bootpc -j ACCEPT
-
-# Allow dns requests
-/sbin/iptables -A INPUT -i $device -p udp --dport domain -j ACCEPT
-/sbin/iptables -A INPUT -i $device -p tcp --dport domain -j ACCEPT
-));
-chmod 0700, $rc_firewall_24;
-
+network::shorewall::write($shorewall);
 #- be sure that FORWARD_IPV4 is enabled in /etc/sysconfig/network
@@ -534,7 +470,6 @@ if (-f $cups_conf) {
 #- start the daemons
-substInFile { s/^INTERFACE.*\n//; $_ .= "INTERFACE=$device\n" if eof } $drakgw_setup;
 start_daemons();
@@ -563,9 +498,11 @@ sub pur_gtk_mode {
 require Gtk;
 init Gtk;
- my $setup_state = grep(/disabled/, cat_($drakgw_setup)) ? _("The setup has already been done, but it's currently disabled.") :
- grep(/enabled/, cat_($drakgw_setup)) ? _("The setup has already been done, and it's currently enabled.") :
- _("No Internet Connection Sharing has ever been configured.");
+ my $setup_state = $shorewall && $shorewall->{masquerade} ?
+ ($shorewall->{disabled} ?
+ _("The setup has already been done, but it's currently disabled.") :
+ _("The setup has already been done, and it's currently enabled.")) :
+ _("No Internet Connection Sharing has ever been configured.");
 my $window1 = $::isEmbedded ? new Gtk::Plug ($::XID) : new Gtk::Window -toplevel;
 $window1->signal_connect(delete_event => sub { Gtk->exit(0) });
-- 
cgit v1.2.1
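Review bot: The `masquerade` entry in the `put_in_hash` block passes `interface => $device`, which in this file is the LAN adapter (the deleted rules bind DHCP/DNS to `-i $device` and masquerade `-s $lan_address.0/24` on it), whereas a shorewall masq line names the outgoing interface; unless `network::shorewall::write` ignores that field in favour of `net_interface`, the masq entry is written for the wrong side, and for the same reason `loc_interface => [ grep { $_ ne $device } @cards ]` is suspicious because it excludes the very adapter that serves the LAN. Confirm the key semantics against network::shorewall; if they mean what their names say, the lines should read `masquerade => { interface => $card_netconnect, subnet => "$lan_address.0/24" },` and `loc_interface => [ $device ],`. Separately, the hunk stops generating `$rc_firewall_generic`/`$rc_firewall_drakgw`/`$rc_firewall_24` but nothing removes them on a host configured by the previous drakgw, so after an upgrade the old script keeps re-adding MASQUERADE and FORWARD ACCEPT at boot beside shorewall, outside shorewall's control; before `network::shorewall::write($shorewall)` add `unlink $rc_firewall_drakgw, $rc_firewall_24;` and `substInFile { $_ = '' if /drakgw|rc\.firewall\.inet_sharing/ } $rc_firewall_generic if -f $rc_firewall_generic;`. The `if (grep { !-e $rpm2file{$_} } ...)` block whose closing braces open this hunk begins outside it.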