CONFIG_PATH

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1254 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -3,3 +3,7 @@ Changes since 2.0.1
 1) Reformat the code in define_firewall().
 
 2) Reimplement dynamic zones.
+
+3) Tweak new dynamic zone implementation.
+
+4) Implement CONFIG_PATH.

Shorewall2/firewall

@@ -5057,8 +5057,6 @@ activate_rules()
     for zone in $zones; do
 	eval source_hosts=\$${zone}_hosts
 
-	echo $zone $source_hosts >> ${STATEDIR}/zones
-
 	chain1=$(rules_chain $FW $zone)
 	chain2=$(rules_chain $zone $FW)
 
@@ -5069,8 +5067,11 @@ activate_rules()
 	    createchain $frwd_chain No
 	fi
 
-	echo "$FW $zone $chain1" >> ${STATEDIR}/chains
+	if [ -n "$DYNAMIC_CHAINS" ]; then
-	echo "$zone $FW $chain2" >> ${STATEDIR}/chains
+	    echo $zone $source_hosts >> ${STATEDIR}/zones
+	    echo "$FW $zone $chain1" >> ${STATEDIR}/chains
+	    echo "$zone $FW $chain2" >> ${STATEDIR}/chains
+	fi
 
 	need_broadcast=
 
@@ -5118,7 +5119,7 @@ activate_rules()
 
 	    chain="$(rules_chain $zone $zone1)"
 
-	    echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
+	    [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
 
 	    if [ $zone = $zone1 ]; then
 		#
@@ -5709,6 +5710,7 @@ do_initialize() {
     DISABLE_IPV6=
     BRIDGING=
     DYNAMIC_ZONES=
+    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 
     stopping=
     have_mutex=
@@ -5738,6 +5740,8 @@ do_initialize() {
 
     run_user_exit params
 
+    [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+
     config=$(find_file shorewall.conf)
 
     if [ -f $config ]; then
@@ -5748,6 +5752,11 @@ do_initialize() {
 	exit 2
     fi
     #
+    # Restore CONFIG_PATH if the shorewall.conf file cleared it
+    #
+    [ -n "$CONFIG_PATH"] || CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+    [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+    #
     # Determine the capabilities of the installed iptables/netfilter
     #
     determine_capabilities

Shorewall2/functions

@@ -87,20 +87,26 @@ fix_bang() {
 #
 find_file()
 {
+    local saveifs= directory
+
     case $1 in
 	/*)
 	    echo $1
 	    ;;
 	*)
-	    if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
+	    saveifs=$IFS
-		echo $SHOREWALL_DIR/$1
+	    IFS=:
-	    elif [ -f /etc/shorewall/$1 ]; then
+	    for directory in $CONFIG_PATH; do
-		echo /etc/shorewall/$1
+	        if [ -f $directory/$1 ]; then
-	    elif [ -f /usr/share/shorewall/$1 ]; then
+		    echo $directory/$1
-		echo /usr/share/shorewall/$1
+		    IFS=$saveifs
-	    else
+		    return
-		echo /etc/shorewall/$1
+		fi
-	    fi
+	    done
+		
+	    IFS=$saveifs
+			
+	    echo /etc/shorewall/$1
 	    ;;
     esac
 }

Shorewall2/releasenotes.txt

@@ -21,3 +21,30 @@ New Features:
    under the control of the DYNAMIC_ZONES option in
    /etc/shorewall/shorewall.conf.
 
+2) In earlier Shorewall 2.0 releases, Shorewall searches in order the
+   following directories for configuration files.
+
+   a) The directory specified in a 'try' command or specified using
+      the -c option.
+
+   b) /etc/shorewall
+
+   c) /usr/share/shorewall
+
+   In this release, the CONFIG_PATH option is added to shorewall.conf.
+   CONFIG_PATH contains a list of directory names separated by colons
+   (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
+   "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
+
+   Now Shorewall searches for shorewall.conf according to the old
+   rules and for other configuration files as follows:
+
+   a) The directory specified in a 'try' command or specified using
+      the -c option.
+
+   b) Each directory in $CONFIG_PATH is searched in sequence.
+
+   For those of you who are logic-challenged, your CONFIG_PATH should
+   include both /etc/shorewall and /usr/share/shorewall (in that
+   order, although there may be intervening directories).
+

Shorewall2/shorewall

@@ -160,6 +160,7 @@ get_config() {
 	    exit 2
 	fi
     fi
+
 }
 
 #
@@ -630,6 +631,8 @@ FIREWALL=$SHARED_DIR/firewall
 FUNCTIONS=$SHARED_DIR/functions
 VERSION_FILE=$SHARED_DIR/version
 HELP=$SHARED_DIR/help
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+[ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
 
 if [ -f $FUNCTIONS ]; then
     . $FUNCTIONS
@@ -647,6 +650,11 @@ else
     exit 2
 fi
 
+if [ -z "$CONFIG_PATH" ]; then
+    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+    [ -n "$SHOREWALL_DIR" ] && CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+fi
+
 [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 
 if [ ! -f $FIREWALL ]; then

Shorewall2/shorewall.conf

@@ -236,6 +236,19 @@ STATEDIR=/var/lib/shorewall
 
 MODULESDIR=
 
+#
+# CONFIGURATION SEARCH PATH
+#
+# This option holds a list of directory names separated by colons
+# (":"). Shorewall will search each directory in turn when looking for a
+# configuration file. When processing a 'try' command or a command
+# containing the "-c" option, Shorewall will automatically add the
+# directory specified in the command to the front of this list.
+#
+# If not specified or specified as null ("CONFIG_PATH=""),
+# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################