From 8e31255c9b20497215c1679a874e3384f0630f7e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 24 Jul 2015 13:41:09 -0700 Subject: [PATCH 1/4] Correct Shorewall6-lite manpage - Caution moved from the restart description to the restore restriction where it belonged Signed-off-by: Tom Eastep --- Shorewall6-lite/manpages/shorewall6-lite.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index a411fd08e..aaa894c3a 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -1024,14 +1024,6 @@ except that it assumes that the firewall is already started. Existing connections are maintained. - - If your ip6tables ruleset depends on variables that are - detected at run-time, either in your params file or by - Shorewall-generated code, restore will use the - values that were current when the ruleset was saved, which may be - different from the current values. - - The option causes shorewall6-lite to avoid updating the routing table(s). @@ -1064,6 +1056,14 @@ in shorewall6.conf(5). + + If your ip6tables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were current when the ruleset was saved, which may be + different from the current values. + + The option was added in Shorewall 4.6.5. If the option was specified during shorewall7-lite save, then the counters saved by From 954f8b57906fe075c46fbb7072ea4ef9b86893ad Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 29 Jul 2015 09:44:20 -0700 Subject: [PATCH 2/4] Install both SysV init script and .service file on Debian Signed-off-by: Tom Eastep --- Shorewall-core/shorewallrc.debian | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Shorewall-core/shorewallrc.debian b/Shorewall-core/shorewallrc.debian
index 209096891..f648d58e3 100644
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -15,9 +15,9 @@ INITFILE=$PRODUCT #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
 ANNOTATED= #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=shorewall-init.service.214 #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
-SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
From 8bcee0ee01b791cb3ae190f4a86f4d347364e6b4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 30 Jul 2015 14:17:36 -0700
Subject: [PATCH 3/4] Add Debian .service files - Install both .service files and SysV init scripts on Debian.
Signed-off-by: Tom Eastep
---
 Shorewall-core/shorewallrc.debian | 3 ++-
 .../shorewall-init.service.214.debian | 18 ++++++++++++++++++
 Shorewall-init/shorewall-init.service.debian | 17 +++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 Shorewall-init/shorewall-init.service.214.debian
 create mode 100644 Shorewall-init/shorewall-init.service.debian
diff --git a/Shorewall-core/shorewallrc.debian b/Shorewall-core/shorewallrc.debian
index f648d58e3..3e33930d1 100644
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -15,7 +15,8 @@ INITFILE=$PRODUCT #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
 ANNOTATED= #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=shorewall-init.service.214 #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=shorewall-init.service.214.debian
+ #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
diff --git a/Shorewall-init/shorewall-init.service.214.debian b/Shorewall-init/shorewall-init.service.214.debian
new file mode 100644
index 000000000..bcf363cae
--- /dev/null
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -0,0 +1,18 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
diff --git a/Shorewall-init/shorewall-init.service.debian b/Shorewall-init/shorewall-init.service.debian
new file mode 100644
index 000000000..eaaa92556
--- /dev/null
+++ b/Shorewall-init/shorewall-init.service.debian
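Review bot: In the new shorewall-init.service.214.debian unit, `Conflicts=iptables.service firewalld.service` leaves out `ip6tables.service`, while the sibling shorewall-init.service.debian added in the same commit lists it. If the omission is not deliberate, an ip6tables.service unit could run alongside this one and replace the IPv6 rules it sets up; I would make the line `Conflicts=iptables.service ip6tables.service firewalld.service`. A short comment above `Before=network-pre.target` would also help, e.g. `# Close the firewall before any interface is configured`.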
@@ -0,0 +1,17 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network.target
+Conflicts=iptables.service ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
From 97881bb683f737da93500f73a1f77bc5b80a16b7 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 31 Jul 2015 14:57:59 -0700
Subject: [PATCH 4/4] Create separate shorewallrc files for Debian systemd and sysvinit
Signed-off-by: Tom Eastep
---
 Shorewall-core/configure | 4 ++--
 Shorewall-core/configure.pl | 10 ++++----
 Shorewall-core/shorewallrc.debian.systemd | 24 +++++++++++++++++++
 ...lrc.debian => shorewallrc.debian.sysvinit} | 5 ++--
 4 files changed, 34 insertions(+), 9 deletions(-)
 create mode 100644 Shorewall-core/shorewallrc.debian.systemd
 rename Shorewall-core/{shorewallrc.debian => shorewallrc.debian.sysvinit} (87%)
diff --git a/Shorewall-core/configure b/Shorewall-core/configure
index 37f71d39d..47c63d564 100755
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 vendor=redhat
 ;;
 debian|ubuntu)
- vendor=debian
+ ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
 ;;
 opensuse)
 vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 *)
 if [ -f /etc/debian_version ]; then
 params[HOST]=debian
- rcfile=shorewallrc.debian
+ rcfile=shorewallrc.debian.sysvinit
 elif [ -f /etc/redhat-release ]; then
 params[HOST]=redhat
 rcfile=shorewallrc.redhat
diff --git a/Shorewall-core/configure.pl b/Shorewall-core/configure.pl
index f83afa03c..fd2856704 100755
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
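Review bot: Neither this unit nor shorewall-init.service.214.debian has an `[Install]` section, so `systemctl enable shorewall-init` has no target to link the unit into and nothing visible here pulls it in at boot. For a unit described as bootup security, that would leave the firewall unapplied at startup unless the packaging creates the symlink itself. If that is not handled elsewhere, add `[Install]` with a `WantedBy=` line naming the boot target the project uses in its other units. Note also that `Before=network.target` alone does not order the unit ahead of interface configuration the way `network-pre.target` does in the .214 variant.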
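Review bot: The added line `ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit` joins the two assignments with pipes, so in bash each one runs in a pipeline subshell and `vendor` is never set in the calling shell; the `debian|ubuntu)` branch then leaves `$vendor` empty. Use the exit status of the test instead: `if ls -l /sbin/init | fgrep -q systemd; then vendor=debian.systemd; else vendor=debian.sysvinit; fi`. The second hunk's `/etc/debian_version` fallback always picks `shorewallrc.debian.sysvinit`, so a systemd host that reaches it would get no .service file installed; the same init check should apply there. Both hunks sit inside a case statement that starts and ends outside the visible lines.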
@@ -68,14 +68,16 @@ unless ( defined $vendor ) { $vendor = 'redhat'; } elsif ( $id eq 'opensuse' ) { $vendor = 'suse'; - } elsif ( $id eq 'ubuntu' ) { - $vendor = 'debian'; + } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) { + my $init = `ls -l /sbin/init`; + $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit'; } else { $vendor = $id; } } $params{HOST} = $vendor; + $params{HOST} =~ s/\..*//; } if ( defined $vendor ) { @@ -84,7 +86,7 @@ if ( defined $vendor ) { } else { if ( -f '/etc/debian_version' ) { $vendor = 'debian'; - $rcfilename = 'shorewallrc.debian'; + $rcfilename = 'shorewallrc.debian.sysvinit'; } elsif ( -f '/etc/redhat-release' ){ $vendor = 'redhat'; $rcfilename = 'shorewallrc.redhat'; @@ -117,7 +119,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); if ( $vendor eq 'linux' ) { printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } else { - printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; + printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];; } open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!"; diff --git a/Shorewall-core/shorewallrc.debian.systemd b/Shorewall-core/shorewallrc.debian.systemd new file mode 100644 index 000000000..0a5c84c2e --- /dev/null +++ b/Shorewall-core/shorewallrc.debian.systemd 
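Review bot: The first hunk detects the init system by running `ls -l /sbin/init` through backticks and matching the text, which depends on whichever `ls` is first in the caller's PATH and silently falls back to the sysvinit choice if the command fails. `readlink` does the same job without a subprocess: `my $init = readlink( '/sbin/init' ) || '';`, leaving the `$vendor = $init =~ /systemd/ ? ...` line as it is. In the second hunk the `/etc/debian_version` fallback hard-codes `shorewallrc.debian.sysvinit`, so a systemd host taking that path would get no unit file. It also looks as though an explicitly supplied vendor of `debian` would now resolve to `shorewallrc.debian`, which this series renames; that mapping is outside the hunk, so please confirm.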
@@ -0,0 +1,24 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=debian
+PREFIX=/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=/etc #Directory where subsystem configurations are installed
+SBINDIR=/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR= #Directory where SysV init scripts are installed.
+INITFILE= #Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=shorewall-init.service.debian
+ #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
diff --git a/Shorewall-core/shorewallrc.debian b/Shorewall-core/shorewallrc.debian.sysvinit
similarity index 87%
rename from Shorewall-core/shorewallrc.debian
rename to Shorewall-core/shorewallrc.debian.sysvinit
index 3e33930d1..0bd9e5a48 100644
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
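Review bot: `SERVICEFILE=shorewall-init.service.debian` selects the unit ordered with `Before=network.target`, not the `.214.debian` unit from the previous patch, which orders itself before `network-pre.target`. On a systemd new enough to provide network-pre.target this gives the weaker ordering for a unit meant to close the firewall before interfaces come up; if that is intended, a comment saying why would help. The value also names shorewall-init's unit in an rc file whose other settings are written in terms of `$PRODUCT`, so it is worth confirming that installers for the other products do not pick up this file name. `INITSOURCE=init.debian.sh` is still set although `INITDIR` and `INITFILE` are now empty.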
@@ -15,10 +15,9 @@ INITFILE=$PRODUCT #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
 ANNOTATED= #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=shorewall-init.service.214.debian
- #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.