diff --git a/Shorewall/compiler b/Shorewall/compiler
index 61f05761c..62941caf9 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -8081,7 +8081,7 @@ stop_firewall() {
 echo Restoring Shorewall...
- if \$RESTOREPATH; then
+ if \$RESTOREPATH restore; then
 echo "Shorewall restored from \$RESTOREPATH"
 set_state "Started"
 else
diff --git a/Shorewall/firewall b/Shorewall/firewall
index ed5ef0f17..3226096a1 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1134,7 +1134,7 @@ stop_firewall() {
 echo Restoring Shorewall...
- if $RESTOREPATH; then
+ if $RESTOREPATH restore; then
 echo "Shorewall restored from $RESTOREPATH"
 set_state "Started"
 else
diff --git a/Shorewall/prog.footer b/Shorewall/prog.footer
index 66a33ab0f..eb75bd586 100644
--- a/Shorewall/prog.footer
+++ b/Shorewall/prog.footer
@@ -2,7 +2,7 @@
 # Give Usage Information
 #
 usage() {
- echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|restore|version ]"
+ echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|version ]"
 exit $1
 }
 ################################################################################
@@ -47,9 +47,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 esac
 done
-if [ $# -eq 0 ]; then
- COMMAND=restore
-elif [ $# -gt 1 ]; then
+if [ $# -ne 1 ]; then
 usage 2
 else
 COMMAND="$1"
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 06ce2527a..d083586e6 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
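Review bot: `\$RESTOREPATH` stays unquoted in the new `if \$RESTOREPATH restore; then` line, so a RESTOREFILE value containing whitespace would be word-split before the saved script is executed; `if "\$RESTOREPATH" restore; then` keeps the path as a single word. The same unquoted expansion is introduced in the firewall hunk at 1134 and in the shorewall hunks at 598 and 1337. stop_firewall's body continues outside the hunk, so any existence or executability check on the file that precedes this line is not visible here.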
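Review bot: The usage string of the generated program drops `restore`, yet every call site touched by this commit (compiler, firewall, shorewall) now invokes the saved script as `$RESTOREPATH restore`, so the command is still expected to be dispatched by the `case "$COMMAND"` that follows the second hunk, outside the view. If `restore` is being kept deliberately as an internal command for the shorewall CLI, a comment above the echo such as `# 'restore' is accepted but not advertised; it is only invoked by the shorewall CLI` would stop the next reader from treating the omission as a bug. The second hunk's `[ $# -ne 1 ]` removes the implicit default of `restore` when no command is given, which is consistent with requiring exactly one argument but means the CLI must always pass the command explicitly.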
@@ -82,15 +82,13 @@ New Features: where: -v and -q are described elsewhere in this document. - -e Generates an error if the configuration used + -e Generates an error if the configuration uses an option that would prevent the generated script from running on a system other than where the 'generate' command is running (see additional consideration a) below). Also allows the generated script to run on a system without Shorewall installed. - -p Generate a complete program that can start, - stop, restart, clear and status the firewall Is an optional directory to be searched for configuration files prior to those listed in CONFIG_DIR in /etc/shorewall/shorewall.conf. @@ -124,13 +122,24 @@ New Features: unless you use the "-e" option when you compile the script. 2) The 'detectnets' interface option is not allowed. - b) If you have extension scripts, they may need modification. The scripts - will be run at generation time, rather than when the generated script - is executed. The standard functions like 'run_iptables' and + b) If you have extension scripts, they may need modification. Some of + the scripts will be run at compile time, rather than when the generated + script is executed. The standard functions like 'run_iptables' and 'log_rule_limit' will write the iptables command to the script file rather than executing the command. As always, you can check $COMMAND to determine which shorewall command is being executed. + Extension Scripts that are run at compile time rather than at run-time + are: + + - params + - init + - continue + - initdone + - start + - started + - All scripts associated with a given chain such as Action chains + In addition to 'generate', a 'shorewall reload' command has been added. shorewall reload [ -v ] [ -q ] [ ] 
@@ -146,30 +155,52 @@ New Features: connections being dropped for a much shorter time. Here are the results of tests that I conducted on my own firewall: - A) shorewall restart + A) shorewall restart (Shorewall 3.0.4) real    0m17.540s user    0m5.956s sys     0m10.737s - B) ./foo # foo created using "shorewall compile" + B) ./foo restart # foo created using "shorewall compile" real    0m3.505s user    0m1.332s sys     0m2.164s - C) shorewall restore # Restores from file generated by "shorewall save" + C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by + # "shorewall save" real    0m1.164s user    0m0.556s sys     0m0.608s - The time difference from B to C reflects the difference between + The time difference between B and C reflects the difference between "iptables-restore" and multiple executions of "iptables". The system is a 1.4Ghz Celeron with 512MB RAM. - The "-p' option creates a complete program. This program is suitable for + Compilation generates a complete program This program is suitable for installation into /etc/init.d and, when generated with the "-e" option, can serve as your firewall on a system that doesn't even have Shorewall - installed. \ No newline at end of file + installed. + + The program supports the following commands: + + [ -q ] [ -v ] [ -n ] start + [ -q ] [ -v ] [ -n ] stop + [ -q ] [ -v ] [ -n ] clear + [ -q ] [ -v ] [ -n ] {restart|reload} + [ -q ] [ -v ] [ -n ] status + [ -q ] [ -v ] [ -n ] version + + The "shorewall start" and "shorewall restart" commands have been rewritten + to use compilation. They both compile a temporary program then run it. This + results in a slightly longer elapsed time than the similar commands required + under earlier versions of Shorewall but new connections are blocked for a + much smaller percentage of that time as shown by the numbers above. Under + Shorewall 3.1.4, "shorewall restart" takes roughly 20.5 seconds on my + firewall: + + real 0m20.206s + user 0m7.412s + sys 0m12.773s 
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index c28e7fc2c..352da421e 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -598,7 +598,7 @@ start_command() {
 fi
 echo Restoring Shorewall...
- $RESTOREPATH
+ $RESTOREPATH restore
 date > /var/lib/shorewall/restarted
 echo Shorewall restored from $RESTOREPATH
 else
@@ -1240,6 +1240,7 @@ safe_commands() {
 exit $status
 fi
+ RESTOREFILE=.safe
 RESTOREPATH=/var/lib/shorewall/.safe
 save_config
@@ -1252,7 +1253,7 @@ safe_commands() {
 echo "New configuration has been accepted"
 else
 if [ "$command" = "restart" ]; then
- /var/lib/shorewall/.safe
+ /var/lib/shorewall/.safe restore
 else
 /var/lib/shorewall/.$command clear
 fi
@@ -1336,7 +1337,7 @@ restore_command() {
 fi
 echo Restoring Shorewall...
- $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
+ $RESTOREPATH restore && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
 [ -n "$nolock" ] || mutex_off
 else
 echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
@@ -1362,29 +1363,29 @@ usage() # $1 = exit status
 echo "where is one of:"
 echo " add [:] ... "
 echo " allow
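Review bot: The exit status of the new `$RESTOREPATH restore` line is discarded: the timestamp written to /var/lib/shorewall/restarted and the "Shorewall restored" message follow unconditionally, so a restore that fails is recorded and reported as a success, whereas the stop_firewall hunks in compiler and firewall test the same command with `if`. Wrapping the two following lines the same way, `if $RESTOREPATH restore; then` ... `else echo "Restore from $RESTOREPATH failed" >&2; fi`, keeps the three call sites consistent. The restore_command hunk at 1337 has the same gap in a different shape: `&&` only suppresses the success message on failure, and the function goes on to `mutex_off` with nothing on stderr. start_command's body continues outside the hunk, so what the enclosing `else` does is not visible here.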
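Review bot: `RESTOREFILE=.safe` and `RESTOREPATH=/var/lib/shorewall/.safe` are two independent literals, and the 1253 hunk spells the same path a third time as `/var/lib/shorewall/.safe restore`, so the three can drift apart; restore_command already prints `/var/lib/shorewall/$RESTOREFILE` while executing `$RESTOREPATH`. Deriving one from the other, `RESTOREPATH=/var/lib/shorewall/$RESTOREFILE`, and invoking `$RESTOREPATH restore` in the 1253 hunk (RESTOREPATH is presumably still set there, but the intervening lines are outside the hunk) keeps them in step. save_config's use of RESTOREFILE is also outside the hunk, so whether the new assignment is what it consumes cannot be confirmed here.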
..."
- echo " check [ -q ] [ ]"
+ echo " check [ ]"
 echo " clear"
- echo " compile [ -e ] [ -v ] [ -q ] [ ] "
+ echo " compile [ -e ] [ ] "
 echo " delete [:] ... "
 echo " drop
..."
- echo " dump [ -q ] [ -v ]"
+ echo " dump"
 echo " forget [ ]"
- echo " generate [ -e ] [-v ] [ -q ] [ ] "
+ echo " generate [ -e ] [ ] "
 echo " help [ | host | address ]"
 echo " hits"
 echo " ipcalc {
/ |
}"
 echo " ipdecimal {
| }"
 echo " iprange
-
"
- echo " logwatch [ -v ] []"
+ echo " logwatch []"
 echo " refresh"
 echo " reject
..."
 echo " reset"
- echo " reload [ -n ] [ -q ] [ -v ] [ ]"
- echo " restart [ -n ] [ -q ] [ -v ] [ ]"
- echo " restore [ -n ] [ -q ] [ ]"
+ echo " reload [ ]"
+ echo " restart [ ]"
+ echo " restore [ ]"
 echo " save [ ]"
- echo " show [ -v ] [ [ ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]"
- echo " start [ -f ] [ -n ] [ -q ] [ ]"
+ echo " show [ [ ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]"
+ echo " start [ -f ] [ ]"
 echo " stop"
 echo " status"
 echo " try [ ]"
@@ -1787,8 +1788,7 @@ case "$COMMAND" in
 finished=0
- while [ $finished -eq 0 ]; do
- [ $# -eq 0 ] && usage 1
+ while [ $finished -eq 0 -a $# -ne 0 ]; do
 option=$1
 case $option in
 -*)
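Review bot: Dropping `[ $# -eq 0 ] && usage 1` changes the no-argument path: the old loop exited through usage when the options ran out, while the new condition `$# -ne 0` simply ends the loop with `$#` at zero, so the code after the loop (outside the hunk) must now reject a missing command itself or `$1` will be empty there. If that check already exists further down, a comment on the loop such as `# an empty argument list is rejected after the loop, not here` would make the intent clear. The `-a` inside `[ ]` follows the file's existing style; `[ $finished -eq 0 ] && [ $# -ne 0 ]` is the unambiguous form if the file is ever modernised.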