SHOREWALL_SHELL parameter

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@621 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -23,4 +23,5 @@ Changes since 1.4.5
    parameters and replaced them with code that detects these
    capabilities.
 
+10) Added the SHOREWALL_SHELL configuraiton parameter.
 

Shorewall/firewall

@@ -2025,9 +2025,12 @@ add_a_rule()
     servport=$serverport
     multiport=
 
+    [ x$port  = x- ] && port=
+    [ x$cport = x- ] && cport=
+
     case $proto in
 	tcp|udp|TCP|UDP|6|17)
-	    if [ -n "$port" -a "x${port}" != "x-" ]; then
+	    if [ -n "$port" ]; then
 		dports="--dport"
 		if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
 		    multiport="$multioption"
@@ -2036,7 +2039,7 @@ add_a_rule()
 		dports="$dports $port"
 	    fi
 
-	    if [ -n "$cport" -a "x${cport}" != "x-" ]; then
+	    if [ -n "$cport" ]; then
 		sports="--sport"
 		if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
 		    multiport="$multioption"
@@ -2046,18 +2049,17 @@ add_a_rule()
 	    fi
 		;;
 	icmp|ICMP|1)
-	    [ -n "$port" ] && [ "x${port}" != "x-" ] && \
-		dports="--icmp-type $port"
+	    [ -n "$port" ]  && 	dports="--icmp-type $port"
 	    state=
 	    ;;
 	all|ALL)
-	    [ -n "$port" ] && [ "x${port}" != "x-" ] && \
+	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
 	*)
 	    state=
-	    [ -n "$port" ] && [ "x${port}" != "x-" ] && \
+	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
 	    ;;
     esac

Shorewall/releasenotes.txt

@@ -83,3 +83,7 @@ New Features:
       Tracking Match Extension is available, the rule in the filter table
       is extended to check that the original destination address was the
       same as specified (or defaulted to) in the DNAT rule.
+
+7) The shell used to interpret the firewall script
+   (/usr/share/shorewall/firewall) may now be specified using the
+   SHOREWALL_SHELL parameter in shorewall.conf.

Shorewall/shorewall

@@ -138,6 +138,13 @@ get_config() {
     [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
 
     [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+
+    if [ -n "$SHOREWALL_SHELL" ]; then
+	if [ ! -e "$SHOREWALL_SHELL" ]; then
+	    echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
+	    exit 2
+	fi
+    fi
 }
 
 #
@@ -653,11 +660,13 @@ esac
 case "$1" in
     start|stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
-	exec $FIREWALL $debugging $nolock $1
+	get_config
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
 	;;
     add|delete)
 	[ $# -ne 3 ] && usage 1
-	exec $FIREWALL $debugging $nolock $1 $2 $3
+	get_config
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
 	;;
     show|list)
 	[ $# -gt 2 ] && usage 1

Shorewall/shorewall.conf

@@ -191,6 +191,14 @@ RFC1918_LOG_LEVEL=info
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
+#
+# SHELL
+#
+# The firewall script is normally interpreted by /bin/sh. If you wish to change
+# the shell used to interpret that script, specify the shell here.
+
+SHOREWALL_SHELL=/bin/sh
+
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For