extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 'load' command; together with the 'reload' command, this allows users to operate shorewall/shorewall-lite without caring where the 'firewall' script is stored

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4132 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-06-17 17:17:45 +00:00
parent a44268bf87
commit 6fdd96fddb
7 changed files with 161 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Shorewall-lite/releasenotes.txt
View File

@ -69,17 +69,14 @@ e) On the administrative system, for each firewall system you:
2) (this may be done as a non-root user) 2) (this may be done as a non-root user)
cd <configuration directory> cd <configuration directory>
/sbin/shorewall compile -e . firewall /sbin/shorewall load . <firewall system>
scp firewall root@<firewall system>:/var/lib/shorewall-lite/
Note : The 'firewall' script is in /var/lib/shorewall-lite in 3) If you need to change the configuration, after you
packages from shorewall.net. The package maintainers for the have modified the configuration:
various distributions are free to choose the directory where the
script will be stored under their distribution. You can look in cd <configuration directory>
your /usr/share/shorewall-lite/configpath file to see what your /sbin/shorewall reload . <firewall system>
distribution defines for the value of LITEDIR.
3) On the firewall system, 'shorewall-lite start'.
It is possible to have both shorewall and Shorewall Lite It is possible to have both shorewall and Shorewall Lite
installed on the same system. installed on the same system.

13
Shorewall/help
View File

@ -202,6 +202,19 @@ iprange)
equivalent list of network/host addresses." equivalent list of network/host addresses."
;; ;;
load)
echo "load: load [ <directory> ] <system>
If <directory> is omitted, then the current working directory is assumed.
Requires that Shorewall Lite be installed on the named <system>.
Causes the shorewall configuration in <directory> to be compiled into a
program called '<directory>/firewall'. If compilation is successful,
the '<directory>/firewall' script is copied via scp to the
${LITEDIR} directory on <system>. If the script is copied
successfully, Shorewall Lite on <system> is started via ssh."
;;
logdrop) logdrop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged. Causes packets from the specified <address> to be ignored and loged.

16
Shorewall/releasenotes.txt
View File

@ -47,14 +47,14 @@ Other changes in 3.2.0 RC 4
installed on your administrative system(s) and Shorewall Lite RC4 installed on your administrative system(s) and Shorewall Lite RC4
on the firewall system(s). on the firewall system(s).
2) A "reload" command has been added. This command allows a non-root 2) "load" and "reload" commands have been added. These commands allow
user with ssh access to a remote system to compile a firewall a non-root user with ssh access to a remote system to compile a
script on the local system and to install that script on the remote firewall script on the local system and to install that script on
system. the remote system.
Syntax is: Syntax is:
shorewall reload [ <directory> ] <system> shorewall [re]load [ <directory> ] <system>
If <directory> is omitted, the current working directory is If <directory> is omitted, the current working directory is
assumed. assumed.
@ -63,13 +63,15 @@ Other changes in 3.2.0 RC 4
/sbin/shorewall compile -e . firewall &&\ /sbin/shorewall compile -e . firewall &&\
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\ scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
ssh root@<system> '/sbin/shorewall-lite restart' # Note 1 ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1
In other words, the configuration in the specified (or defaulted) In other words, the configuration in the specified (or defaulted)
directory is compiled to a file called firewall in that directory is compiled to a file called firewall in that
directory. If compilation succeeds, then 'firewall' is copied to the directory. If compilation succeeds, then 'firewall' is copied to the
(usually remote) <system> using scp. If the copy succeeds, (usually remote) <system> using scp. If the copy succeeds,
Shorewall Lite on <system> is restarted via ssh. Shorewall Lite on <system> is started or restarted via ssh (
load causes Shorewall Lite to be started and 'reload' causes
Shorewall Lite to be re-started)
Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in

21
Shorewall/shorewall
View File

@ -49,6 +49,9 @@
# compensate for a change of # compensate for a change of
# broadcast address on any "detect" # broadcast address on any "detect"
# interface. # interface.
# shorewall [re]load [ <directory> ] <system>
# Compile a script and install it on a
# remote Shorewall Lite system.
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed # shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show actions Displays the available actions # shorewall show actions Displays the available actions
# shorewall show log Print the last 20 log messages # shorewall show log Print the last 20 log messages
@ -1299,18 +1302,25 @@ restore_command() {
fi fi
} }
# #
# Reload command executor # [Re]load command executor
# #
reload_command() reload_command()
{ {
local verbose=$(make_verbose) local verbose=$(make_verbose)
shorewall $debugging $verbose compile -e $1 $1/firewall && \ if shorewall $debugging $verbose compile -e $1 $1/firewall && \
echo "Copying ${1}/firewall to ${2}:${LITEDIR}..." && \ echo "Copying ${1}/firewall to ${2}:${LITEDIR}..." && \
scp $1/firewall root@${2}:${LITEDIR}/ && \ scp $1/firewall root@${2}:${LITEDIR}
echo "Copy complete" && \ then
echo "Copy complete"
if [ $COMMAND = reload ]; then
ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \ ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $2 reloaded" progress_message3 "System $2 reloaded"
else
ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $2 reloaded"
fi
fi
} }
# #
# Help information # Help information
@ -1342,6 +1352,7 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }" echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }" echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>" echo " iprange <address>-<address>"
echo " load [ <directory> ] <system>"
echo " logdrop <address> ..." echo " logdrop <address> ..."
echo " logreject <address> ..." echo " logreject <address> ..."
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
@ -1653,7 +1664,7 @@ case "$COMMAND" in
shift shift
show_command $@ show_command $@
;; ;;
reload) load|reload)
shift shift
case $# in case $# in
1) 1)

119
docs/CompiledPrograms.xml
View File

@ -214,6 +214,51 @@
<programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command> <programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command>
<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting> <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
<para>If you are running Debian or one of its derivatives like Ubuntu
then edit /etc/default/shorewall-lite and set startup=1.</para>
<para>Shorewall Lite includes a very limited version of
<filename>shorewall.conf
</filename>(<filename>/etc/shorewall-lite/shorewall.conf</filename>).
It includes the following options which have the same meaning as in a
full Shorewall installation except as noted below:</para>
<blockquote>
<simplelist>
<member>VERBOSITY</member>
<member>LOGFILE</member>
<member>LOGFORMAT — used by <filename>/sbin/shorewall</filename>
for finding 'Shorewall' log messages. If LOGFORMAT was specified
in the shorewall.conf file used at compile time on the
administrative system, then the format of the messages themselves
is defined by that value. If LOGFORMAT was not specified at
compile time then the firewall script will use the value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system.</member>
<member>IPTABLES — determines the iptables binary to be used by
<filename>/sbin/shorewall</filename>. The compiled firewall script
will use the IPTABLES specified in
<filename>shorewall.conf</filename> at compile time on the
administrative system, if any; if IPTABLES was not specified at
compile time then the IPTABLES value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system will be used by the firewall script.</member>
<member>PATH</member>
<member>SHOREWALL_SHELL</member>
<member>SUBSYSLOCK</member>
<member>RESTOREFILE</member>
</simplelist>
</blockquote>
<para>Edit the shorewall.conf file as required.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -239,81 +284,17 @@
<listitem> <listitem>
<programlisting><command>cd &lt;configuration directory&gt;</command> <programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall compile -e . firewall</command> <command>/sbin/shorewall load . firewall</command></programlisting>
<command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting>
<note> <para>The load command compiles a firewall script from the
<para>The 'firewall' script is in <filename configuration files in the current working directory, copies that
class="directory">/var/lib/shorewall-lite</filename> in packages file to the remote system via scp and starts Shorewall Lite on the
from shorewall.net. The package maintainers for the various remote system via ssh.</para>
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
<listitem>
<para>On each firewall system:</para>
<para>Modify <filename>/etc/shorewall-lite/shorewall.conf</filename>
as needed.</para>
<para>If you are running Debian or one of its derivatives like Ubuntu
then edit /etc/default/shorewall-lite and set startup=1.</para>
<programlisting><command>shorewall-lite start</command></programlisting>
</listitem>
</orderedlist> </orderedlist>
<para>Shorewall Lite includes a very limited version of
<filename>shorewall.conf
</filename>(<filename>/etc/shorewall-lite/shorewall.conf</filename>). It
includes the following options which have the same meaning as in a full
Shorewall installation except as noted below:</para>
<blockquote>
<simplelist>
<member>VERBOSITY</member>
<member>LOGFILE</member>
<member>LOGFORMAT — used by <filename>/sbin/shorewall</filename> for
finding 'Shorewall' log messages. If LOGFORMAT was specified in the
shorewall.conf file used at compile time on the administrative system,
then the format of the messages themselves is defined by that value.
If LOGFORMAT was not specified at compile time then the firewall
script will use the value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system.</member>
<member>IPTABLES — determines the iptables binary to be used by
<filename>/sbin/shorewall</filename>. The compiled firewall script
will use the IPTABLES specified in <filename>shorewall.conf</filename>
at compile time on the administrative system, if any; if IPTABLES was
not specified at compile time then the IPTABLES value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system will be used by the firewall script.</member>
<member>PATH</member>
<member>SHOREWALL_SHELL</member>
<member>SUBSYSLOCK</member>
<member>RESTOREFILE</member>
</simplelist>
</blockquote>
<para>The <filename>/sbin/shorewall-lite</filename> program included with <para>The <filename>/sbin/shorewall-lite</filename> program included with
Shorewall Lite supports the same set of commands as the Shorewall Lite supports the same set of commands as the
<filename>/sbin/shorewall</filename> program in a full Shorewall <filename>/sbin/shorewall</filename> program in a full Shorewall

55
docs/starting_and_stopping_shorewall.xml
View File

@ -889,6 +889,61 @@ gateway:~ #</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="Reload">
<term>load (Added in Shorewall 3.2.0 RC4 -- not supported by Shorewall
Lite)</term>
<listitem>
<para><command>load [ &lt;directory&gt; ]
&lt;system&gt;</command></para>
<para>If &lt;directory&gt; is omitted, the current working directory
is assumed.</para>
<para>Allows a non-root user to compile a shorewall script and
install it on a system (provided that the user has root access to
the system via ssh). The command is equivalent to:</para>
<simplelist>
<member><command>/sbin/shorewall compile -e &lt;directory&gt;
&lt;directory&gt;/firewall &amp;&amp;\</command></member>
<member><command>scp &lt;directory&gt;/firewall
root@&lt;system&gt;:/var/lib/shorewall-lite/
&amp;&amp;\</command></member>
<member><command>ssh root@&lt;system&gt; '/sbin/shorewall-lite
start'</command></member>
</simplelist>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called
<filename>firewall</filename> in that directory. If compilation
succeeds, then <filename>firewall</filename> is copied to
&lt;system&gt; using scp. If the copy succeeds, Shorewall Lite on
&lt;system&gt; is started via ssh.</para>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
<para>Example: <command>shorewall reload gateway</command></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>logdrop</term> <term>logdrop</term>

2
tools/build/makeshorewall
View File

@ -59,7 +59,7 @@ DIR=$PWD
# #
# location and options for GnuPG # location and options for GnuPG
# #
GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'" GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
################################################################################ ################################################################################
# V A R I A B L E S # V A R I A B L E S
################################################################################ ################################################################################