diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 225007fd5..3bf84b938 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -3,3 +3,7 @@ Changes since 2.0.1 1) Reformat the code in define_firewall(). 2) Reimplement dynamic zones. + +3) Tweak new dynamic zone implementation. + +4) Implement CONFIG_PATH. \ No newline at end of file diff --git a/Shorewall2/firewall b/Shorewall2/firewall index a48c1b2dd..4b9795d68 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -5057,8 +5057,6 @@ activate_rules() for zone in $zones; do eval source_hosts=\$${zone}_hosts - echo $zone $source_hosts >> ${STATEDIR}/zones - chain1=$(rules_chain $FW $zone) chain2=$(rules_chain $zone $FW) @@ -5069,8 +5067,11 @@ activate_rules() createchain $frwd_chain No fi - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains + if [ -n "$DYNAMIC_CHAINS" ]; then + echo $zone $source_hosts >> ${STATEDIR}/zones + echo "$FW $zone $chain1" >> ${STATEDIR}/chains + echo "$zone $FW $chain2" >> ${STATEDIR}/chains + fi need_broadcast= @@ -5118,7 +5119,7 @@ activate_rules() chain="$(rules_chain $zone $zone1)" - echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains if [ $zone = $zone1 ]; then # @@ -5709,6 +5710,7 @@ do_initialize() { DISABLE_IPV6= BRIDGING= DYNAMIC_ZONES= + CONFIG_PATH=/etc/shorewall:/usr/share/shorewall stopping= have_mutex= @@ -5738,6 +5740,8 @@ do_initialize() { run_user_exit params + [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH + config=$(find_file shorewall.conf) if [ -f $config ]; then 
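Review bot: The new guard in activate_rules (the -5069 hunk) tests `$DYNAMIC_CHAINS`, but the option initialised in do_initialize in the -5709 hunk and tested by the -5118 hunk is `DYNAMIC_ZONES`; unless DYNAMIC_CHAINS is assigned somewhere outside this diff, the condition is always false, so the firewall-zone lines that the -5057 hunk stopped writing unconditionally are now never written to ${STATEDIR}/zones and ${STATEDIR}/chains while the zone-to-zone lines still are. The line should read `if [ -n "$DYNAMIC_ZONES" ]; then`. Whatever later consumes those state files would then see a partial set of entries, which is hard to diagnose from the firewall's own output. activate_rules begins and ends outside the hunk.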
@@ -5748,6 +5752,11 @@ do_initialize() { exit 2 fi # + # Restore CONFIG_PATH if the shorewall.conf file cleared it + # + [ -n "$CONFIG_PATH"] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH + # # Determine the capabilities of the installed iptables/netfilter # determine_capabilities diff --git a/Shorewall2/functions b/Shorewall2/functions index c96f9c5bd..d05cc6623 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions @@ -87,20 +87,26 @@ fix_bang() { # find_file() { + local saveifs= directory + case $1 in /*) echo $1 ;; *) - if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then - echo $SHOREWALL_DIR/$1 - elif [ -f /etc/shorewall/$1 ]; then - echo /etc/shorewall/$1 - elif [ -f /usr/share/shorewall/$1 ]; then - echo /usr/share/shorewall/$1 - else - echo /etc/shorewall/$1 - fi + saveifs=$IFS + IFS=: + for directory in $CONFIG_PATH; do + if [ -f $directory/$1 ]; then + echo $directory/$1 + IFS=$saveifs + return + fi + done + + IFS=$saveifs + + echo /etc/shorewall/$1 ;; esac } diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index cb1693a89..4970d3062 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
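Review bot: `[ -n "$CONFIG_PATH"] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall` is missing the space before the closing `]`, so `test` receives the value with `]` glued to it, reports a missing `]` on every run and exits non-zero; the `||` branch therefore runs unconditionally and discards whatever CONFIG_PATH shorewall.conf set, the opposite of what the comment above it describes. It should read `[ -n "$CONFIG_PATH" ] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall`. Once that is fixed, note that the preceding -5738 hunk already prefixed SHOREWALL_DIR before shorewall.conf was read, so the unconditional prefix here duplicates it whenever shorewall.conf does not assign CONFIG_PATH; guarding the second prefix with a `case $CONFIG_PATH in $SHOREWALL_DIR:*) ;; *) CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH ;; esac` avoids that. do_initialize begins and ends outside the hunk.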
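Review bot: With `IFS=:` an empty element in CONFIG_PATH (a leading, trailing or doubled colon, e.g. `/etc/shorewall::/usr/share/shorewall`) yields an empty `$directory`, so `[ -f $directory/$1 ]` tests `/$1` and find_file can return a file from the root directory that the administrator never listed. Add `[ -n "$directory" ] || continue` as the first line of the loop body. The unquoted `$CONFIG_PATH` in the `for` list is also subject to pathname expansion, so a `*` or `?` in a path element would be globbed rather than used literally; wrapping the loop in `set -f` / `set +f`, or stating the restriction in the shorewall.conf comment, would cover that. The whole of find_file is within the hunk.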
@@ -21,3 +21,30 @@ New Features: under the control of the DYNAMIC_ZONES option in /etc/shorewall/shorewall.conf. +2) In earlier Shorewall 2.0 releases, Shorewall searches in order the + following directories for configuration files. + + a) The directory specified in a 'try' command or specified using + the -c option. + + b) /etc/shorewall + + c) /usr/share/shorewall + + In this release, the CONFIG_PATH option is added to shorewall.conf. + CONFIG_PATH contains a list of directory names separated by colons + (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then + "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. + + Now Shorewall searches for shorewall.conf according to the old + rules and for other configuration files as follows: + + a) The directory specified in a 'try' command or specified using + the -c option. + + b) Each directory in $CONFIG_PATH is searched in sequence. + + For those of you who are logic-challenged, your CONFIG_PATH should + include both /etc/shorewall and /usr/share/shorewall (in that + order, although there may be intervening directories). + diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index 90185f2d9..2f3fbdf28 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -160,6 +160,7 @@ get_config() { exit 2 fi fi + } # @@ -630,6 +631,8 @@ FIREWALL=$SHARED_DIR/firewall FUNCTIONS=$SHARED_DIR/functions VERSION_FILE=$SHARED_DIR/version HELP=$SHARED_DIR/help +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall +[ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH if [ -f $FUNCTIONS ]; then . $FUNCTIONS @@ -647,6 +650,11 @@ else exit 2 fi +if [ -z "$CONFIG_PATH" ]; then + CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH +fi + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall if [ ! -f $FIREWALL ]; then diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index 7d2ab20e7..be538d3bc 100755 
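Review bot: In the shorewall script the SHOREWALL_DIR prefix is only applied inside the `if [ -z "$CONFIG_PATH" ]` branch of the -647 hunk, so a shorewall.conf that assigns a non-empty CONFIG_PATH (presumably sourced between the -630 hunk and this one by get_config) loses the -c/try directory that the -630 hunk placed in front; the firewall script's do_initialize applies the prefix unconditionally, and the release notes promise that directory is searched first. Replace the block with `[ -z "$CONFIG_PATH" ] && CONFIG_PATH=/etc/shorewall:/usr/share/shorewall` followed by `[ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH`. If SHOREWALL_DIR is only assigned by the option parsing that comes later in this file, both prefixes here run before it is set and only the do_initialize copy takes effect; worth confirming against the -c handling, which is outside the hunk.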
--- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf @@ -236,6 +236,19 @@ STATEDIR=/var/lib/shorewall MODULESDIR= +# +# CONFIGURATION SEARCH PATH +# +# This option holds a list of directory names separated by colons +# (":"). Shorewall will search each directory in turn when looking for a +# configuration file. When processing a 'try' command or a command +# containing the "-c" option, Shorewall will automatically add the +# directory specified in the command to the front of this list. +# +# If not specified or specified as null ("CONFIG_PATH=""), +# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. + +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall ################################################################################ # F I R E W A L L O P T I O N S ################################################################################