From adfbc8434c58a47b201ed6babd670a7d9cbd653a Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 20 Feb 2006 22:28:47 +0000 Subject: [PATCH] Run extension scripts at run-time as always git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 5 ++ Shorewall/compiler | 69 ++++++++++++++------- Shorewall/releasenotes.txt | 121 ++++++++----------------------------- 3 files changed, 78 insertions(+), 117 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b3c036f94..27497ef84 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -82,3 +82,8 @@ Changes in 3.1.x. 36) Restore log messages. 37) Fix "shorewall capabilities" with VERBOSITY < 2. + +------------------------------------------------------------------------------- +3.1.7 + +38) Remove compile-time running of extension scripts. diff --git a/Shorewall/compiler b/Shorewall/compiler index 291383673..47e5b0b7f 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -100,9 +100,12 @@ progress_message_and_save() # append_file() # $1 = File Name { - save_command "cat > /var/lib/shorewall/$1 << __EOF__" - cat $STATEDIR/$1 >&3 - save_command_unindented __EOF__ + local user_exit=$(find_file $1) + + if [ -f $user_exit ]; then + save_progress_message "Processing $user_exit ..." + eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3 + fi } # @@ -3335,11 +3338,8 @@ setup_tc1() { run_iptables -t mangle -A POSTROUTING -j tcpost if [ -n "$TC_SCRIPT" ]; then - - run_user_exit $TC_SCRIPT - save_progress_message "Setting up Traffic Control..." - save_command . $TC_SCRIPT + append_file $TC_SCRIPT elif [ -n "$TC_ENABLED" ]; then setup_traffic_shaping fi @@ -3365,7 +3365,7 @@ delete_tc() save_progress_message "Clearing Traffic Control/QOS" - run_user_exit tcclear + append_file tcclear cat >&3 << __EOF__ ${INDENT}ip link list | while read inx interface details; do 
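Review bot: In the new append_file body the test `[ -f $user_exit ]` and the `eval sed … $user_exit` leave the path unquoted and re-parsed by the shell, so a path containing whitespace or shell metacharacters misbehaves, and if find_file can ever return an empty string the test collapses to `[ -f ]`, which is true, and sed then reads the compiler's stdin. The eval exists only to put quotes around the expanded $INDENT, which double quotes already do: `[ -n "$user_exit" ] && [ -f "$user_exit" ]` and `sed "s/^/$INDENT/" "$user_exit" >&3` do the same job without it. The same construct is repeated in append_action_file in the hunk at line 4048 and would take the same fix. Since every copied line is prefixed with $INDENT, a here-document terminator written at column 0 inside an extension script no longer matches in the generated program; that limitation deserves a comment above the function, e.g. `# Lines are re-indented by $INDENT, so scripts must not rely on column-0 here-document terminators.`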
@@ -4048,6 +4048,23 @@ process_action() # $1 = chain (Chain to add the rules to) save_progress_message_short " Rule \"$rule\" added." } +# +# Append a file in /var/lib/shorewall to $OUTPUT +# +append_action_file() # $1 = File Name +{ + local user_exit=$(find_file $1) + + if [ -f $user_exit ]; then + save_progress_message "Processing $user_exit ..." + save_command "CHAIN=$CHAIN" + save_command "LEVEL=$LEVEL" + save_command "TAG=$TAG" + + eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3 + fi +} + # # Create and record a log action chain -- Log action chains have names # that are formed from the action name by prepending a "%" and appending @@ -4101,7 +4118,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] [ none = "${LEVEL%\!}" ] && LEVEL= - run_user_exit $1 + append_action_file $1 eval ${action}_chains=\"\$${action}_chains $level $CHAIN\" @@ -4130,7 +4147,8 @@ createactionchain() # $1 = Action, including log level and tag if any LEVEL= TAG= createchain $CHAIN no - run_user_exit $CHAIN + + append_action_file $CHAIN ;; esac } @@ -6381,7 +6399,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone local loglevel= local policychain= - run_user_exit $1 + append_file $1 eval policychain=\$${2}2${3}_policychain @@ -7080,7 +7098,7 @@ initialize_netfilter () { determine_interfaces determine_hosts - run_user_exit init + append_file init # # Some files might be large so strip them while the firewall is still running @@ -7182,7 +7200,7 @@ initialize_netfilter () { save_command "ipset -R < $f" fi - run_user_exit continue + append_file continue f=$(find_file routestopped) @@ -7331,7 +7349,7 @@ __EOF__ createactionchain $action done - run_user_exit initdone + append_file initdone # # Process Black List @@ -7765,7 +7783,7 @@ apply_policy_rules() { for zone1 in $FW $ZONES; do chain=${zone}2${zone1} if havechain $chain; then - run_user_exit $chain + append_file $chain default_policy $zone $zone1 fi done 
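Review bot: The header comment on the new append_action_file, `Append a file in /var/lib/shorewall to $OUTPUT`, describes what the old append_file did, not this function, which locates an extension script with find_file and precedes it with CHAIN/LEVEL/TAG assignments; suggest `# Copy the action's extension script (found via find_file) into the generated program, preceded by the CHAIN, LEVEL and TAG values it expects.` The three `save_command "CHAIN=$CHAIN"` lines write the values unquoted into the generated program, so a value containing whitespace would be word-split when that program runs; unless the rule parser already excludes such values, `save_command "TAG=\"$TAG\""` (and likewise for CHAIN and LEVEL) is safer. The remainder of the body duplicates append_file verbatim, so emitting the assignments under the same existence test and then calling `append_file $1` would leave a single copy of the re-indent logic.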
@@ -8146,7 +8164,11 @@ stop_firewall() { determine_capabilities - run_user_exit stop +__EOF__ + + append_file stop + + cat >&3 << __EOF__ if [ -n "\$MANGLE_ENABLED" ]; then run_iptables -t mangle -F @@ -8297,9 +8319,9 @@ __EOF__ ;; esac - cat >&3 << __EOF__ + append_file stopped - run_user_exit stopped + cat >&3 << __EOF__ set_state "Stopped" @@ -8419,8 +8441,9 @@ __EOF__ __EOF__ fi + append_file clear + cat >&3 << __EOF__ - run_user_exit clear set_state "Cleared" @@ -8639,7 +8662,9 @@ __EOF__ fi for file in chains nat proxyarp zones; do - append_file $file + save_command "cat > /var/lib/shorewall/$file << __EOF__" + cat $STATEDIR/$file >&3 + save_command_unindented __EOF__ done cat >&3 << __EOF__ @@ -8651,7 +8676,7 @@ __EOF__ __EOF__ save_command "date > /var/lib/shorewall/restarted" - run_user_exit start + append_file start [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist @@ -8659,7 +8684,7 @@ __EOF__ save_command set_state "Started" - run_user_exit started + append_file started cat >&3 << __EOF__ diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index df02368cf..6abb6a5a5 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.1.7 +Shorewall 3.1.8 Note to users upgrading from Shorewall 2.x or 3.0 
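Review bot: `append_file stop` emits the stop script with every line prefixed by $INDENT, but the here-document text it is spliced between (`determine_capabilities`, `if [ -n "\$MANGLE_ENABLED" ]; then`) appears to be written at column 0, so the generated program is misindented unless INDENT is empty at this point; stop_firewall and the here-document closed by the added `__EOF__` begin outside the hunk, so INDENT's value here is not visible. The same splice pattern is used for `stopped` and `clear` in the two hunks that follow. If INDENT is non-empty here, either clear it around these calls or record the expectation with a comment such as `# INDENT must be empty here: the surrounding here-document text is at column 0`.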
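Review bot: The loop at `for file in chains nat proxyarp zones` inlines the body append_file used to have, and the here-document it emits (`cat > /var/lib/shorewall/$file << __EOF__`) has an unquoted terminator, so any `$` or backquote in those state files is expanded when the generated program runs rather than copied; if the files are plain data, as their names suggest, `<< '__EOF__'` in the saved command would copy them literally. This behaviour is carried over from the old append_file rather than introduced by the commit, but the move is a good moment to fix it. Wrapping the three lines in a small helper (e.g. `save_state_file`) would also keep the copy-to-state-dir logic in one named place now that append_file means something else.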
@@ -27,38 +27,19 @@ Note to users upgrading from Shorewall 2.x or 3.0 Please see the "Migration Considerations" below for additional upgrade information. -Problems Corrected in 3.1.7 +Problems Corrected in 3.1.8 -1) Extra rules in maclist verification have been removed. The superfluous - rules were present when MACLIST_DISPOSITION=ACCEPT and - MACLIST_LOG_LEVEL="". +None. -2) The Makefile installed in /etc/shorewall/ was incorrect so that - a re-compilation always occured even if the restore file was - current. +Other changes in 3.1.8 -3) Log messages for "started", "restarted" and "restored" are once again - generated. +1) The sillyness having to do with running certain extension scripts at + compile time has been eliminated. When a configuration is compiled, + the scripts are copied unmodified (except for indentation) into the + compiled program. -4) If VERBOSITY was set to a value less than 2, then "shorewall show - capabilities" produced no output. - -Other changes in 3.1.7 - -1) 'tcpsyn' has been changed to 'tcp:syn' (tcpsyn was added in 3.1.6). - This new syntax is easier to extend in the future than was the old. - -2) /sbin/shorewall now supports a "-t" option that causes all progress - messages to be timestamped. - - Example (VERBOSITY=0 in shorewall.conf): - - gateway:/etc/shorewall # shorewall -t restart - 07:08:51 Compiling... - 07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart - 07:09:05 Restarting Shorewall.... - 07:09:08 done. - gateway:/etc/shorewall # + Note: The /etc/shorewall/params file is still processed at + compile-time. Migration Considerations: 
@@ -170,31 +151,11 @@ New Features: file included in this release includes instructions for its use. - b) If you have extension scripts, they may need modification. Some of - the scripts will be run at compile time, rather than when the - generated script is executed. The standard functions like - 'run_iptables' and 'log_rule_limit' will write the iptables command - to the script file rather than executing the command. As always, you - can check $COMMAND to determine which shorewall command is being - executed. - - Extension Scripts that are run at compile time rather than at - run-time are: - - - params - - init - - continue - - initdone - - start - - started - - All scripts associated with a given chain such as Action - chains - - c) If you run the "shorewall compile" or "shorewall check" commands under + b) If you run the "shorewall compile" or "shorewall check" commands under a user other than 'root', then you must supply /etc/shorewall/capabilities. - d) To aid in building /etc/shorewall/capabilities, a 'shorecap' program + c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program is provided. The RPM installs the program in the documentation directory. The install.sh script does not install the program. 
@@ -206,50 +167,6 @@ New Features: For instructions about running shorecap, see the comments at the top of the program file (it's a simple shell script). - If you need to interject run-time code into the generated script then - you need to write it to file descriptor 3. Here is an example of creating - tap device tap0 and adding it to bridge xenbr0; the text will be indented - to line up with the surrounding text: - - cat >&3 << __EOF__ - ${INDENT}if ! qt /sbin/ip link ls dev tap0; then - ${INDENT} /usr/sbin/openvpn --mktun --dev tap0 - ${INDENT} /sbin/ip link set dev tap0 up - ${INDENT} /sbin/brctl addif xenbr0 tap0 - ${INDENT}fi - - __EOF__ - - This results in the following code in the script: - - if ! qt /sbin/ip link ls dev tap0; then - /usr/sbin/openvpn --mktun --dev tap0 - /sbin/ip link set dev tap0 up - /sbin/brctl addif xenbr0 tap0 - fi - - - (Yes -- there is an extra blank line at the end) - - If you need to expand variables in the generated text, be sure to escape - the '$' symbol. - - Example: - - cat >&3 << __EOF__ - - ${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) - ${INDENT}if [ -n "\$addr" ]; then - ${INDENT} addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//') - ${INDENT} for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do - ${INDENT} if in_network \$addr \$network; then - ${INDENT} startup_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface" - ${INDENT} fi - ${INDENT} done - ${INDENT}fi - - __EOF__ - Compilation generates a complete program. This program is suitable for installation into /etc/init.d and, when generated with the "-e" option, can serve as your firewall on a system that doesn't even have Shorewall 
@@ -389,3 +306,17 @@ New Features: As part of this change, Shorewall no longer adds the "--syn" option to TCP rules that specify QUEUE as their target. +6) /sbin/shorewall now supports a "-t" option that causes all progress + messages to be timestamped. + + Example (VERBOSITY=0 in shorewall.conf): + + gateway:/etc/shorewall # shorewall -t restart + 07:08:51 Compiling... + 07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart + 07:09:05 Restarting Shorewall.... + 07:09:08 done. + gateway:/etc/shorewall # + + +