Allow alternative rsh/rcp implementations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2007-05-01 17:21:14 +00:00 · 2007-05-01 17:21:14 +00:00 · ae925d06e1
commit ae925d06e1
parent d5b278a969
3 changed files with 75 additions and 22 deletions
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 3.9.5
+Shorewall 3.9.6
 ----------------------------------------------------------------------------
                   R E L E A S E  H I G H L I G H T S
 ----------------------------------------------------------------------------
@ -15,28 +15,58 @@ Shorewall 3.9.5
 You must install Shorewall and at least one of the compiler packages
 (you may install them both).

-Problems corrected in 3.9.5.
+Problems corrected in 3.9.6.

-1)  Setting DYNAMIC_ZONES=Yes produced lots of Perl run-time errors in
-    some configurations.
+1)  Placing 'ipp2p' in the PROTOCOL column of configuration files now
+    works.

-2)  Invalid rules were generated by LOGALLNEW.
+2)  Previously, '!' in the TEST column of the tcrules file was not
+    handled correctly.

-3)  Setting MACLIST_LOG_LEVEL="" and MACLIST_DISPOSITION=ACCEPT or
-    MACLIST_DISPOSITION=REJECT resulted in Perl run-time errors.
+3)  The code generated for copying routing tables from provider file
+    entries was previously incorrect, resulting in run-time errors.

-4)  Many more .... (I gave up trying to document them all; check the
-    SVN history if you are interested).
+4)  Previously, using an ipset in a rule would generate invalid
+    iptables-restore input.
+
+5)  Previously, use of CONTINUE in the tcrules file would cause
+    generation of invalid iptables-restore input.
    
-Other changes in Shorewall 3.9.5
+Other changes in Shorewall 3.9.6.

-1)  The Shorewall-perl compiler now validates all log levels. It also
-    validates all protocol names against /etc/protocols and all service
-    names against /etc/services.
+1)  Eariler generations of Shorewall Lite required that remote root
+    login via ssh be enabled in order to use the 'load' and 'reload'
+    commands.

-    In all cases, the iptables-restore input will include the numeric
-    values associated with log level, protocols and services so that
-    iptables-restore doesn't have to convert these names.
+    Beginning with this release, you may define an alternative means
+    for accessing the remote firewall system.
+
+    Two new options have been added to shorewall.conf:
+
+	RSH_COMMAND
+	RCP_COMMAND
+
+    The default values for these are as follows:
+
+	RSH_COMMAND: ssh ${root}@${system} ${command}
+	RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
+
+    Shell variables that will be set when the commands are envoked are
+    as follows:
+
+       root  - root user. Normally 'root' but may be overridden using
+               the '-r' option.
+
+       system - The name/IP address of the remote firewall system.
+
+       command - For RSH_COMMAND, the command to be executed on the 
+                 firewall system.
+
+       files   - For RCP_COMMAND, a space-separated list of files to
+                 be copied to the remote firewall system.
+
+       destination - The directory on the remote system that the files 
+                     are to be copied into. 

 Migration Considerations:

--- a/Shorewall-common/shorewall
+++ b/Shorewall-common/shorewall
@ -240,6 +240,9 @@ get_config() {

    [ -n "${HOSTNAME:=$(hostname)}" ]

+    [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
+    [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' 
+
 }

 #
@ -1033,6 +1036,19 @@ try_command() {
    return 0
 }

+rsh_command() {
+    command="$*"
+
+    eval $RSH_COMMAND
+}
+
+rcp_command() {
+    files="$1"
+    destination=$2
+    
+    eval $SCP_COMMAND
+}
+
 #
 # [Re]load command executor
 #
@ -1101,7 +1117,7 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac

-    litedir=$(ssh ${root}@${system} /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

    [ -n "$litedir" ] && LITEDIR=$litedir

@ -1119,7 +1135,7 @@ reload_command() # $* = original arguments less the command.
 	fi

 	progress_message "Getting Capabilities on system $system..."
-	if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
    fi
@ -1128,19 +1144,19 @@ reload_command() # $* = original arguments less the command.

    if shorewall $debugging $verbose compile -e $directory $directory/firewall && \
 	progress_message "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
-	scp $directory/firewall $directory/firewall.conf ${root}@${system}:${LITEDIR}
+	rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR}
    then
 	echo "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    rsh_command "/sbin/shorewall-lite $debugging $verbose restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \
+	    rsh_command "/sbin/shorewall-lite $debugging $verbose restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	fi

 	if [ -n "$saveit" ]; then
-	    ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose save" && \
+	    rsh_command "/sbin/shorewall-lite $debugging $verbose save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@ -90,6 +90,13 @@ REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"

+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################