Remove braindead code; prevent 'stop' when 'start' is disabled

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@680 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -8,3 +8,7 @@ Changes since 1.4.6
 3) Fixed MAC address handling in the SOURCE column of tcrules.
 
 4) Merged and corrected Steve Herber's command-specific help patch.
+
+5) Removed some undocumented/braindead code from setup_masq()
+
+6) Don't allow 'stop' when startup is disabled

Shorewall/firewall

@@ -2960,23 +2960,12 @@ setup_masq()
 	fi
 
 	chain=`masq_chain $interface`
-	iface=
 
 	source="$subnet"
 
 	case $subnet in
 	*.*.*)
 	    ;;
-	-)
-	    #
-	    # Note: This only works if you have the LOCAL NAT patches in the
-	    #	    kernel and in the iptables utility
-	    #
-	    chain=OUTPUT
-	    subnet=
-	    source=$FW
-	    iface="-o $interface"
-	    ;;
 	*)
 	    subnets=`get_routed_subnets $subnet`
 	    [ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
@@ -3005,16 +2994,15 @@ setup_masq()
 
 	    if [ -n "$subnet" ]; then
 		for s in $subnet; do
-		    addnatrule $chain -d $destnet $iface -s $s -j $newchain
+		    addnatrule $chain -d $destnet -s $s -j $newchain
 		done
 	    else
-		addnatrule $chain -d $destnet $iface -j $newchain
+		addnatrule $chain -d $destnet -j $newchain
 	    fi
 
 	    masq_seq=$(($masq_seq + 1))
 	    chain=$newchain
 	    subnet=
-	    iface=
 	    destnet=
 
 	    for addr in `separate_list $nomasq`; do
@@ -3029,18 +3017,18 @@ setup_masq()
 	if [ -n "$subnet" ]; then
 	    for s in $subnet; do
 		if [ -n "$address" ]; then
-		    addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
+		    addnatrule $chain -s $s $destnet -j SNAT --to-source $address
 		    echo "   To $destination from $s through ${interface} using $address"
 		else
-		    addnatrule $chain -s $s $destnet $iface -j MASQUERADE
+		    addnatrule $chain -s $s $destnet -j MASQUERADE
 		    echo "   To $destination from $s through ${interface}"
 		fi
 	    done
 	elif [ -n "$address" ]; then
-	    addnatrule $chain $destnet $iface -j SNAT --to-source $address
+	    addnatrule $chain $destnet -j SNAT --to-source $address
 	    echo "   To $destination from $source through ${interface} using $address"
 	else
-	    addnatrule $chain $destnet $iface -j MASQUERADE
+	    addnatrule $chain $destnet -j MASQUERADE
 	    echo "   To $destination from $source through ${interface}"
 	fi
 
@@ -4016,10 +4004,9 @@ activate_rules()
 }
 
 #
-# Start/Restart the Firewall
+# Check for disabled startup
 #
-define_firewall() # $1 = Command (Start or Restart)
+check_disabled_startup() {
-{
     if [ -f /etc/shorewall/startup_disabled ]; then
 	echo "   Shorewall Startup is disabled -- to enable startup"
 	echo "   after you have completed Shorewall configuration,"
@@ -4029,6 +4016,14 @@ define_firewall() # $1 = Command (Start or Restart)
 	my_mutex_off
 	exit 2
     fi
+}
+
+#
+# Start/Restart the Firewall
+#
+define_firewall() # $1 = Command (Start or Restart)
+{
+    check_disabled_startup
 
     echo "${1}ing Shorewall..."
 
@@ -4780,6 +4775,10 @@ case "$command" in
 	[ $# -ne 1 ] && usage
 	do_initialize
 	my_mutex_on
+	#
+	# Don't want to do a 'stop' when startup is disabled
+	#
+	check_disabled_startup 
 	echo -n "Stopping Shorewall..."
 	stop_firewall
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK

Shorewall/releasenotes.txt

@@ -30,5 +30,11 @@ New Features:
    that do what 'drop' and 'reject' used to do; namely, when an address
    is blacklisted using these new commands, it will be blacklisted on
    all of your firewall's interfaces.
+
 2) Thanks to Steve Herber, the help command can now give
    command-specific help.
+
+3) The "shorewall stop" command is now disabled when
+   /etc/shorewall/startup_disabled exists. This prevents people from
+   shooting themselves in the foot prior to having configured
+   Shorewall.