Add SAFESTOP setting to /etc/default/shorewall*.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/default.debian

@@ -26,4 +26,11 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
+#
+# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall-lite/init.debian.sh

@@ -88,7 +88,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 

Shorewall/default.debian

@@ -26,4 +26,11 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
+#
+# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall/init.debian.sh

@@ -93,7 +93,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 
@@ -120,7 +124,7 @@ case "$1" in
      ;;
   refresh)
      shorewall_refresh
-  	  ;;
+     ;;
   force-reload|restart)
      shorewall_restart
      ;;

Shorewall/releasenotes.txt

@@ -358,6 +358,13 @@ None.
     Shorewall-init may be installed on Debian-based systems, SuSE-based
     systems and RedHat-based systems.
 
+    On Debian-based systems, during system shutdown the firewall is
+    opened prior to network shutdown (/etc/init.d/shorewall stop
+    performs a 'clear' operation rather than a 'stop'). This is
+    required by Debian standards. You can change this default behavior
+    by setting SAFESTOP=1 in /etc/default/shorewall
+    (/etc/default/shorewall6, ...).
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S

Shorewall6-lite/default.debian

@@ -26,4 +26,11 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
+#
+# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall6-lite/init.debian.sh

@@ -88,7 +88,11 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 

Shorewall6/default.debian

@@ -21,4 +21,16 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall6/init.debian.sh

@@ -93,7 +93,11 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }