Remove senseless synonyms from command set

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3424 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-02-03 15:10:46 +00:00
parent 97eaf708d3
commit 7085f1d417
6 changed files with 63 additions and 194 deletions


@ -9047,7 +9047,7 @@ do_initialize() {
# Give Usage Information
#
usage() {
echo "Usage: $0 [debug] check|{generate|compile} <filename>}"
echo "Usage: $0 [debug] check|compile <filename>}"
exit 1
}
@ -9075,10 +9075,9 @@ case "$COMMAND" in
compile_firewall
;;
compile|generate)
compile)
[ $# -ne 2 ] && usage
do_initialize
COMMAND=compile
compile_firewall $2
;;
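Review bot: The new usage line in `usage()` still ends with a stray `}`. With the `{generate|compile}` group removed nothing opens that brace, so the printed synopsis reads `check|compile <filename>}`. I would drop it: `echo "Usage: $0 [debug] check|compile <filename>"`.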


@ -97,8 +97,6 @@ compile)
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'generate' is a synonym for 'compile'."
;;
debug)
@ -169,19 +167,6 @@ forget)
See also \"help save\""
;;
generate)
echo "generate: generate [ -e ] [ <directory name> ] <file name>
Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>
When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'compile' is a synonym for 'generate'."
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
@ -235,17 +220,6 @@ reject)
See also \"help address\""
;;
reload)
echo "reload: reload [ -q ] [ -n ] [ <directory name> ]
Causes Shorewall to generate a new compiled restore file using the named directory
as the first search directory for configuration file. If that generation is error-free,
the generated restore file is executed.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
If \"-n\" is specified, no changes to routing will be made"
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."


@ -32,6 +32,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
@ -75,9 +76,13 @@ case "$command" in
start)
exec /sbin/shorewall $OPTIONS $@
;;
stop|restart|status|reload)
stop|restart|status)
exec /sbin/shorewall $@
;;
reload)
shift
exec /sbin/shorewall restart $@
;;
*)
usage
;;
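Review bot: The new `reload)` branch passes `$@` unquoted, so an argument containing whitespace or glob characters (a configuration directory path, for instance) is re-split and expanded before it reaches /sbin/shorewall, which an init script presumably runs as root. `exec /sbin/shorewall restart "$@"` keeps each argument intact. The same applies to the added `... $debugging compile $file` line in the `compile_command()` hunk of the last file, where `"$file"` would do. The `shift` also assumes the command word is `$1`; how `$command` is derived lies outside this hunk, so that is worth confirming if options can precede it.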


@ -2,7 +2,7 @@
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|version ]"
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|restart|status|version ]"
exit $1
}
################################################################################
@ -79,18 +79,6 @@ case "$COMMAND" in
progress_message3 "Starting Shorewall...."
fi
define_firewall
status=$?
progress_message3 "done."
;;
reload)
if shorewall_is_started; then
progress_message3 "Reloading Shorewall...."
else
echo "Shorewall is not running" >&2
progress_message3 "Starting Shorewall...."
fi
define_firewall
status=$?
progress_message3 "done."


@ -74,9 +74,9 @@ Migration Considerations:
New Features:
1) A new 'shorewall generate' command has been added.
1) A new 'shorewall compile' command has been added.
shorewall generate [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
file>
where:
@ -85,7 +85,7 @@ file>
-e Generates an error if the configuration uses
an option that would prevent the generated
script from running on a system other than
where the 'generate' command is running (see
where the 'compile' command is running (see
additional consideration a) below).
Also allows the generated script to run
on a system without Shorewall installed.
@ -95,14 +95,10 @@ file>
/etc/shorewall/shorewall.conf.
<script file> Is the name of the output file.
The 'generate' command processes the configuration and writes a script
file which may then be executed (either directly or using the
The 'compile' command processes the configuration and generates a
script file which may then be executed (either directly or using the
'shorewall restore' command) to configure the firewall.
'compile' is a synonym for 'generate':
shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script file>
The generated script contains error checking and will terminate if an
important command fails. Before terminating:
@ -115,8 +111,8 @@ file>
Some additional considerations:
a) It is possible to run 'generate' ('compile') on one system and then
run the generated script on another system but there are certain
a) It is possible to run 'compile' on one system and then run the
generated script on another system but there are certain
limitations.
1) The same version of Shorewall must be running on the remote system
@ -187,53 +183,12 @@ file>
__EOF__
In addition to 'generate', a 'shorewall reload' command has been added.
shorewall reload [ -v ] [ -q ] [ <config directory> ]
where -v, -q and <config directory> are as above.
The 'reload' command creates a script using 'generate' and if there are
no errors, it then restores that script. It is equivalent to:
if shorewall generate /var/lib/shorewall/.reload; then
restore .reload;
fi
The advantage of using reload over restart is that reload results in new
connections being dropped for a much shorter time. Here are the results
of tests that I conducted on my own firewall:
A) shorewall restart (Shorewall 3.0.4)
real    0m17.540s
user    0m5.956s
sys     0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real    0m3.505s
user    0m1.332s
sys     0m2.164s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real    0m1.164s
user    0m0.556s
sys     0m0.608s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The system is
a 1.4Ghz Celeron with 512MB RAM.
Compilation generates a complete program. This program is suitable for
installation into /etc/init.d and, when generated with the "-e" option,
can serve as your firewall on a system that doesn't even have Shorewall
installed.
The program supports the following commands:
The generated program supports the following commands:
<program> [ -q ] [ -v ] [ -n ] start
<program> [ -q ] [ -v ] [ -n ] stop
@ -246,13 +201,49 @@ file>
rewritten to use compilation. They both compile a temporary program
then run it. This results in a slightly longer elapsed time than the
similar commands required under earlier versions of Shorewall but new
connections are blocked for a much smaller percentage of that time as
shown by the numbers above. Under Shorewall 3.1.4, "shorewall restart"
takes roughly 18.5 seconds on my firewall:
connections are blocked for a much smaller percentage of that time.
real 0m18.529s
user 0m6.240s
sys 0m10.165s
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
on my firewall:
real 0m16.599s
user 0m6.292s
sys 0m9.885s
Of the elapsed 16.5 seconds, new connections are disabled less than
3.5 seconds. Here are some numbers for comparison:
A) shorewall restart (Shorewall 3.0.4)
real    0m17.540s
user    0m5.956s
sys     0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real 0m3.297s
user 0m1.444s
sys 0m1.728s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real    0m1.164s
user    0m0.556s
sys     0m0.608s
D) shorewall restore (shorewall 3.1.5)
real 0m1.637s
user 0m0.728s
sys 0m0.584s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The time
difference between C and D results from the fact that the "restore"
command in Shorewall 3.1 runs the compiled program in a way that
turns all iptables commands into no-ops then invokes
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
As a final part of this change, the "check" command now compiles the
current configuration then discards the generated script. So "check"


@ -110,10 +110,8 @@
# confirmation to accept or reject the new
# configuration
#
# shorewall {generate|compile} [ <directory> ] ]<filename>
# Compile a pseudo restore file.
#
# shorewall reload [ <directory name> ] Safe reload
# shorewall compile [ <directory> ] ]<filename>
# Compile a firewall program file.
#
# Fatal Error
#
@ -690,7 +688,7 @@ compile_command() {
export EXPORT
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging generate $file
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file
}
#
# Check Command Executor
@ -758,84 +756,6 @@ check_command() {
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check
}
#
# Reload Command Executor
#
reload_command() {
local finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
q*)
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
v*)
VERBOSE=$(($VERBOSE + 1 ))
option=${option#v}
;;
n*)
NOROUTES=Yes
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$1
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
export NOROUTES
[ -n "$nolock" ] || mutex_on
progress_message3 "Compiling..."
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.reload; then
/var/lib/shorewall/.reload reload
fi
[ -n "$nolock" ] || mutex_off
}
#
# Restart Command Executor
#
@ -1375,7 +1295,6 @@ usage() # $1 = exit status
echo " drop <address> ..."
echo " dump"
echo " forget [ <file name> ]"
echo " generate [ -e ] [ <directory name> ] <path name>"
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
@ -1385,7 +1304,6 @@ usage() # $1 = exit status
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " reload [ <directory> ]"
echo " restart [ <directory> ]"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
@ -1660,7 +1578,7 @@ case "$COMMAND" in
export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
;;
compile|generate)
compile)
shift
compile_command $@
@ -1677,12 +1595,6 @@ case "$COMMAND" in
check_command $@
;;
reload)
shift
reload_command $@
;;
add|delete)
[ $# -lt 3 ] && usage 1
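Review bot: The rewritten header comment in the first hunk of this file, `# shorewall compile [ <directory> ] ]<filename>`, carries over an unbalanced `]` from the old line. It also omits the `-e` option that the release notes in this same commit list in the `shorewall compile` synopsis. I would write it as `# shorewall compile [ -e ] [ <directory> ] <filename>` so the in-file command summary agrees with the documented syntax. The `case "$COMMAND"` body touched by the last two hunks continues outside the visible lines.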