Run extension scripts at run-time as always

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-02-20 22:28:47 +00:00
parent ddb1b95ae7
commit adfbc8434c
3 changed files with 78 additions and 117 deletions


@ -82,3 +82,8 @@ Changes in 3.1.x.
36) Restore log messages.
37) Fix "shorewall capabilities" with VERBOSITY < 2.
-------------------------------------------------------------------------------
3.1.7
38) Remove compile-time running of extension scripts.


@ -100,9 +100,12 @@ progress_message_and_save()
#
append_file() # $1 = File Name
{
save_command "cat > /var/lib/shorewall/$1 << __EOF__"
cat $STATEDIR/$1 >&3
save_command_unindented __EOF__
local user_exit=$(find_file $1)
if [ -f $user_exit ]; then
save_progress_message "Processing $user_exit ..."
eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3
fi
}
#
@ -3335,11 +3338,8 @@ setup_tc1() {
run_iptables -t mangle -A POSTROUTING -j tcpost
if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT
save_progress_message "Setting up Traffic Control..."
save_command . $TC_SCRIPT
append_file $TC_SCRIPT
elif [ -n "$TC_ENABLED" ]; then
setup_traffic_shaping
fi
@ -3365,7 +3365,7 @@ delete_tc()
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear
append_file tcclear
cat >&3 << __EOF__
${INDENT}ip link list | while read inx interface details; do
@ -4048,6 +4048,23 @@ process_action() # $1 = chain (Chain to add the rules to)
save_progress_message_short " Rule \"$rule\" added."
}
#
# Append a file in /var/lib/shorewall to $OUTPUT
#
append_action_file() # $1 = File Name
{
local user_exit=$(find_file $1)
if [ -f $user_exit ]; then
save_progress_message "Processing $user_exit ..."
save_command "CHAIN=$CHAIN"
save_command "LEVEL=$LEVEL"
save_command "TAG=$TAG"
eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3
fi
}
#
# Create and record a log action chain -- Log action chains have names
# that are formed from the action name by prepending a "%" and appending
@ -4101,7 +4118,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
[ none = "${LEVEL%\!}" ] && LEVEL=
run_user_exit $1
append_action_file $1
eval ${action}_chains=\"\$${action}_chains $level $CHAIN\"
@ -4130,7 +4147,8 @@ createactionchain() # $1 = Action, including log level and tag if any
LEVEL=
TAG=
createchain $CHAIN no
run_user_exit $CHAIN
append_action_file $CHAIN
;;
esac
}
@ -6381,7 +6399,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
local loglevel=
local policychain=
run_user_exit $1
append_file $1
eval policychain=\$${2}2${3}_policychain
@ -7080,7 +7098,7 @@ initialize_netfilter () {
determine_interfaces
determine_hosts
run_user_exit init
append_file init
#
# Some files might be large so strip them while the firewall is still running
@ -7182,7 +7200,7 @@ initialize_netfilter () {
save_command "ipset -R < $f"
fi
run_user_exit continue
append_file continue
f=$(find_file routestopped)
@ -7331,7 +7349,7 @@ __EOF__
createactionchain $action
done
run_user_exit initdone
append_file initdone
#
# Process Black List
@ -7765,7 +7783,7 @@ apply_policy_rules() {
for zone1 in $FW $ZONES; do
chain=${zone}2${zone1}
if havechain $chain; then
run_user_exit $chain
append_file $chain
default_policy $zone $zone1
fi
done
@ -8146,7 +8164,11 @@ stop_firewall() {
determine_capabilities
run_user_exit stop
__EOF__
append_file stop
cat >&3 << __EOF__
if [ -n "\$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
@ -8297,9 +8319,9 @@ __EOF__
;;
esac
cat >&3 << __EOF__
append_file stopped
run_user_exit stopped
cat >&3 << __EOF__
set_state "Stopped"
@ -8419,8 +8441,9 @@ __EOF__
__EOF__
fi
append_file clear
cat >&3 << __EOF__
run_user_exit clear
set_state "Cleared"
@ -8639,7 +8662,9 @@ __EOF__
fi
for file in chains nat proxyarp zones; do
append_file $file
save_command "cat > /var/lib/shorewall/$file << __EOF__"
cat $STATEDIR/$file >&3
save_command_unindented __EOF__
done
cat >&3 << __EOF__
@ -8651,7 +8676,7 @@ __EOF__
__EOF__
save_command "date > /var/lib/shorewall/restarted"
run_user_exit start
append_file start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
@ -8659,7 +8684,7 @@ __EOF__
save_command set_state "Started"
run_user_exit started
append_file started
cat >&3 << __EOF__
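Review bot: In the new `append_action_file` (and in what appears to be the rewritten `append_file` in the first hunk), the copy of the extension script is done with `eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3`, where the `eval` buys nothing and re-parses the unquoted `$user_exit` as shell text, so a script path with whitespace or metacharacters is split or interpreted rather than read. The same indentation comes out of a single parse with `sed "s/^/$INDENT/" "$user_exit" >&3`, and the guard in front of it should be quoted too, `if [ -f "$user_exit" ]; then`. Both functions repeat the find_file / -f test / sed sequence; `append_action_file` could emit its three `save_command` assignments and then call `append_file "$1"` so the copy logic lives in one place. Those emitted lines, e.g. `save_command "CHAIN=$CHAIN"`, write unquoted assignments into the generated program; if any of CHAIN, LEVEL or TAG can contain whitespace the generated line will mis-parse at run time, which I cannot confirm from this hunk. The remaining hunks only swap `run_user_exit` for `append_file` and need no change beyond that.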


@ -1,4 +1,4 @@
Shorewall 3.1.7
Shorewall 3.1.8
Note to users upgrading from Shorewall 2.x or 3.0
@ -27,38 +27,19 @@ Note to users upgrading from Shorewall 2.x or 3.0
Please see the "Migration Considerations" below for additional upgrade
information.
Problems Corrected in 3.1.7
Problems Corrected in 3.1.8
1) Extra rules in maclist verification have been removed. The superfluous
rules were present when MACLIST_DISPOSITION=ACCEPT and
MACLIST_LOG_LEVEL="".
None.
2) The Makefile installed in /etc/shorewall/ was incorrect so that
a re-compilation always occured even if the restore file was
current.
Other changes in 3.1.8
3) Log messages for "started", "restarted" and "restored" are once again
generated.
1) The sillyness having to do with running certain extension scripts at
compile time has been eliminated. When a configuration is compiled,
the scripts are copied unmodified (except for indentation) into the
compiled program.
4) If VERBOSITY was set to a value less than 2, then "shorewall show
capabilities" produced no output.
Other changes in 3.1.7
1) 'tcpsyn' has been changed to 'tcp:syn' (tcpsyn was added in 3.1.6).
This new syntax is easier to extend in the future than was the old.
2) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #
Note: The /etc/shorewall/params file is still processed at
compile-time.
Migration Considerations:
@ -170,31 +151,11 @@ New Features:
file included in this release includes instructions for its
use.
b) If you have extension scripts, they may need modification. Some of
the scripts will be run at compile time, rather than when the
generated script is executed. The standard functions like
'run_iptables' and 'log_rule_limit' will write the iptables command
to the script file rather than executing the command. As always, you
can check $COMMAND to determine which shorewall command is being
executed.
Extension Scripts that are run at compile time rather than at
run-time are:
- params
- init
- continue
- initdone
- start
- started
- All scripts associated with a given chain such as Action
chains
c) If you run the "shorewall compile" or "shorewall check" commands under
b) If you run the "shorewall compile" or "shorewall check" commands under
a user other than 'root', then you must supply
/etc/shorewall/capabilities.
d) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
is provided. The RPM installs the program in the documentation
directory. The install.sh script does not install the program.
@ -206,50 +167,6 @@ New Features:
For instructions about running shorecap, see the comments at the
top of the program file (it's a simple shell script).
If you need to interject run-time code into the generated script then
you need to write it to file descriptor 3. Here is an example of creating
tap device tap0 and adding it to bridge xenbr0; the text will be indented
to line up with the surrounding text:
cat >&3 << __EOF__
${INDENT}if ! qt /sbin/ip link ls dev tap0; then
${INDENT} /usr/sbin/openvpn --mktun --dev tap0
${INDENT} /sbin/ip link set dev tap0 up
${INDENT} /sbin/brctl addif xenbr0 tap0
${INDENT}fi
__EOF__
This results in the following code in the script:
if ! qt /sbin/ip link ls dev tap0; then
/usr/sbin/openvpn --mktun --dev tap0
/sbin/ip link set dev tap0 up
/sbin/brctl addif xenbr0 tap0
fi
(Yes -- there is an extra blank line at the end)
If you need to expand variables in the generated text, be sure to escape
the '$' symbol.
Example:
cat >&3 << __EOF__
${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
${INDENT}if [ -n "\$addr" ]; then
${INDENT} addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
${INDENT} for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
${INDENT} if in_network \$addr \$network; then
${INDENT} startup_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface"
${INDENT} fi
${INDENT} done
${INDENT}fi
__EOF__
Compilation generates a complete program. This program is suitable for
installation into /etc/init.d and, when generated with the "-e" option,
can serve as your firewall on a system that doesn't even have Shorewall
@ -389,3 +306,17 @@ New Features:
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
6) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #