Allow alternative rsh/rcp implementations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-01 17:21:14 +00:00
parent d5b278a969
commit ae925d06e1
3 changed files with 75 additions and 22 deletions


@ -1,4 +1,4 @@
Shorewall 3.9.5 Shorewall 3.9.6
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S R E L E A S E H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -15,28 +15,58 @@ Shorewall 3.9.5
You must install Shorewall and at least one of the compiler packages You must install Shorewall and at least one of the compiler packages
(you may install them both). (you may install them both).
Problems corrected in 3.9.5. Problems corrected in 3.9.6.
1) Setting DYNAMIC_ZONES=Yes produced lots of Perl run-time errors in 1) Placing 'ipp2p' in the PROTOCOL column of configuration files now
some configurations. works.
2) Invalid rules were generated by LOGALLNEW. 2) Previously, '!' in the TEST column of the tcrules file was not
handled correctly.
3) Setting MACLIST_LOG_LEVEL="" and MACLIST_DISPOSITION=ACCEPT or 3) The code generated for copying routing tables from provider file
MACLIST_DISPOSITION=REJECT resulted in Perl run-time errors. entries was previously incorrect, resulting in run-time errors.
4) Many more .... (I gave up trying to document them all; check the 4) Previously, using an ipset in a rule would generate invalid
SVN history if you are interested). iptables-restore input.
Other changes in Shorewall 3.9.5 5) Previously, use of CONTINUE in the tcrules file would cause
generation of invalid iptables-restore input.
1) The Shorewall-perl compiler now validates all log levels. It also Other changes in Shorewall 3.9.6.
validates all protocol names against /etc/protocols and all service
names against /etc/services.
In all cases, the iptables-restore input will include the numeric 1) Eariler generations of Shorewall Lite required that remote root
values associated with log level, protocols and services so that login via ssh be enabled in order to use the 'load' and 'reload'
iptables-restore doesn't have to convert these names. commands.
Beginning with this release, you may define an alternative means
for accessing the remote firewall system.
Two new options have been added to shorewall.conf:
RSH_COMMAND
RCP_COMMAND
The default values for these are as follows:
RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Shell variables that will be set when the commands are envoked are
as follows:
root - root user. Normally 'root' but may be overridden using
the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.
destination - The directory on the remote system that the files
are to be copied into.
Migration Considerations: Migration Considerations:


@ -240,6 +240,9 @@ get_config() {
[ -n "${HOSTNAME:=$(hostname)}" ] [ -n "${HOSTNAME:=$(hostname)}" ]
[ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
[ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
} }
# #
@ -1033,6 +1036,19 @@ try_command() {
return 0 return 0
} }
rsh_command() {
command="$*"
eval $RSH_COMMAND
}
rcp_command() {
files="$1"
destination=$2
eval $SCP_COMMAND
}
# #
# [Re]load command executor # [Re]load command executor
# #
@ -1101,7 +1117,7 @@ reload_command() # $* = original arguments less the command.
;; ;;
esac esac
litedir=$(ssh ${root}@${system} /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
[ -n "$litedir" ] && LITEDIR=$litedir [ -n "$litedir" ] && LITEDIR=$litedir
@ -1119,7 +1135,7 @@ reload_command() # $* = original arguments less the command.
fi fi
progress_message "Getting Capabilities on system $system..." progress_message "Getting Capabilities on system $system..."
if ! ssh ${root}@${system} "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
fatal_error "ERROR: Capturing capabilities on system $system failed" fatal_error "ERROR: Capturing capabilities on system $system failed"
fi fi
fi fi
@ -1128,19 +1144,19 @@ reload_command() # $* = original arguments less the command.
if shorewall $debugging $verbose compile -e $directory $directory/firewall && \ if shorewall $debugging $verbose compile -e $directory $directory/firewall && \
progress_message "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \ progress_message "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
scp $directory/firewall $directory/firewall.conf ${root}@${system}:${LITEDIR} rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR}
then then
echo "Copy complete" echo "Copy complete"
if [ $COMMAND = reload ]; then if [ $COMMAND = reload ]; then
ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \ rsh_command "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $system reloaded" || saveit= progress_message3 "System $system reloaded" || saveit=
else else
ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose restart" && \ rsh_command "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $system reloaded" || saveit= progress_message3 "System $system reloaded" || saveit=
fi fi
if [ -n "$saveit" ]; then if [ -n "$saveit" ]; then
ssh ${root}@${system} "/sbin/shorewall-lite $debugging $verbose save" && \ rsh_command "/sbin/shorewall-lite $debugging $verbose save" && \
progress_message3 "Configuration on system $system saved" progress_message3 "Configuration on system $system saved"
fi fi
fi fi
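Review bot: `rcp_command` evaluates `$SCP_COMMAND`, but the variable that get_config defaults and the release notes document is `RCP_COMMAND`, and nothing in the visible hunks sets `SCP_COMMAND`. With that variable empty, `eval` runs nothing and returns success, so reload_command prints "Copy complete" and goes on to restart shorewall-lite on the remote system with whatever script was already there. The line should read `eval $RCP_COMMAND`. Both helpers also assign `command`, `files` and `destination` as globals and expand them unquoted inside the eval'd template, so the remote command is word-split and glob-expanded locally before the transport sees it. A comment on each helper stating that would help, e.g. `# command/files are split on whitespace locally; paths must not contain spaces or glob characters`. reload_command itself starts and ends outside these hunks.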


@ -90,6 +90,13 @@ REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
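Review bot: The new RSH_COMMAND and RCP_COMMAND settings carry no comment saying that the single quotes are required. The script passes these values to `eval`, and that is the point at which `${root}`, `${system}`, `${command}`, `${files}` and `${destination}` are filled in. If an administrator rewrites a value in double quotes, the placeholders would presumably be expanded (to empty strings) when the file is read, assuming shorewall.conf is sourced by the shell. I would add a comment above the two lines such as `# Keep these values in single quotes; the ${...} placeholders are expanded when the command is run.` and list the placeholder names there. Because the value is executed as a shell command by whoever runs 'load' or 'reload', the same comment could note that this file should be writable only by the administrator.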