Merge and massage Lorenzo's safe-[re]start patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2166 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3162f11617
commit
b0cf1dc06d
@ -6,6 +6,8 @@ Changes in 2.4.0-RC1
|
||||
|
||||
1) Fix output from firewall itself vis-a-vis multiple providers.
|
||||
|
||||
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
|
||||
|
||||
Changes in 2.3.2
|
||||
|
||||
1) Add support for -j ROUTE
|
||||
|
@ -212,6 +212,19 @@ restart)
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
;;
|
||||
|
||||
safe-restart)
|
||||
echo "safe-restart: safe-restart
|
||||
Restart the same way as a shorewall restart except that previous firewall
|
||||
configuration is backed up and will be restored if you notice any anomalies
|
||||
or you are not able to reach the firewall any more."
|
||||
;;
|
||||
|
||||
safe-start)
|
||||
echo "safe-start: safe-start
|
||||
Start the same way as a shorewall start except that in case of anomalies
|
||||
shorewall clear is issued. "
|
||||
;;
|
||||
|
||||
restore)
|
||||
echo "restore: restore [ <file name> ]
|
||||
Restore Shorewall to a state saved using the 'save' command
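Review bot: The new safe-restart and safe-start help texts leave out the timeout behaviour that the release-notes hunk at L93 documents and that `read -t 60` in the new read_yesno_with_timeout() implements: the revert is not only triggered by noticing anomalies, it also happens automatically when the prompt is answered "no" or not answered within 60 seconds. Suggest ending the safe-restart entry with `configuration is backed up and will be restored if you answer "no" at the confirmation prompt or do not answer within 60 seconds.` and the safe-start entry with `shorewall clear is issued if you answer "no" at the confirmation prompt or do not answer within 60 seconds.` Users who rely on this command from a remote session should know from the help output that silence means rollback.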
|
||||
|
@ -353,6 +353,25 @@ New Features in version 2.4.0
|
||||
host. When 'source' is specified in an entry, it is unnecessary to
|
||||
also specify 'routeback'.
|
||||
|
||||
7) This change was implemented by Lorenzo Martignoni. It provides two
|
||||
new commands: "safe-start" and "safe-restart".
|
||||
|
||||
safe-start starts Shorewall then prompts you to ask you if
|
||||
everything looks ok. If you answer "no" or if you don't answer
|
||||
within 60 seconds, a "shorewall clear" is executed.
|
||||
|
||||
safe-restart saves your current configuration to
|
||||
/var/lib/shorewall/safe-restart then issues a "shorewall restart";
|
||||
It then prompts you to ask if you if you want to accept the new
|
||||
configuration. If you answer "no" or if you don't answer within 60
|
||||
seconds, the configuration is restored to its prior state.
|
||||
|
||||
These new commands require either that your /bin/sh supports the
|
||||
"-t" option to the 'read' command or that you have /bin/bash
|
||||
installed.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -97,6 +97,14 @@
|
||||
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
|
||||
# a list of network/host addresses.
|
||||
#
|
||||
# shorewall safe-start Starts the firewall and promtp for a c
|
||||
# confirmation to accept or reject the new
|
||||
# configuration
|
||||
#
|
||||
# shorewall safe-restart Restarts the firewall and prompt for a
|
||||
# confirmation to accept or reject the new
|
||||
# configuration
|
||||
#
|
||||
# Fatal Error
|
||||
#
|
||||
fatal_error() # $@ = Message
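Review bot: The new comment block has a typo and a verb-agreement slip: `Starts the firewall and promtp for a c` should read `Starts the firewall and prompts for a`, and the safe-restart line should read `Restarts the firewall and prompts for a` to match the surrounding entries, which all use third-person verbs. The stray trailing `c` on the safe-start line reads as if a word were truncated.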
|
||||
@ -594,7 +602,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
# Save currently running configuration
|
||||
#
|
||||
save_config() {
|
||||
mutex_on
|
||||
[ "$nolock" ] || mutex_on
|
||||
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
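Review bot: `[ "$nolock" ] || mutex_on` here, and the matching `[ "$nolock" ] || mutex_off` in the hunk at L233, make save_config() depend on the caller already holding the lock whenever `nolock` is set, but nothing in this diff documents that contract or shows how `$nolock` gets set. The hunk at L371 issues `$0 nolock $debugging start` right after `mutex_on`, which suggests `nolock` is parsed as an ordinary command-line word; if so, a user can type it by hand and bypass the mutex entirely. A comment at the top of save_config() would make the intent explicit, e.g. `# $nolock is set only when re-invoked by a shorewall process that already holds the lock; it must not be passed interactively`. save_config()'s body continues past this hunk.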
|
||||
@ -669,7 +677,8 @@ save_config() {
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
mutex_off
|
||||
|
||||
[ "$nolock" ] || mutex_off
|
||||
}
|
||||
#
|
||||
# Help information
|
||||
@ -712,6 +721,8 @@ usage() # $1 = exit status
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo " safe-start"
|
||||
echo " safe-restart"
|
||||
echo
|
||||
exit $1
|
||||
}
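Review bot: The two new `echo " safe-start"` and `echo " safe-restart"` lines are appended after `version`, which breaks the alphabetical ordering of the usage list (`status`, `try`, `version`). The help hunk at L35 places the same commands alphabetically between `restart` and `restore`; the usage list should do likewise so the two listings agree. usage() starts before this hunk.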
|
||||
@ -733,6 +744,27 @@ show_proc() # $1 = name of a file
|
||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||
}
|
||||
|
||||
read_yesno_with_timeout() {
|
||||
read -t 60 yn 2> /dev/null
|
||||
if [ $? -eq 2 ]
|
||||
then
|
||||
# read doesn't support timeout
|
||||
test -x /bin/bash || return 2 # bash is not installed so the feature is not available
|
||||
/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
|
||||
return $?
|
||||
else
|
||||
# read supports timeout
|
||||
case "$yn" in
|
||||
y|Y)
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Execution begins here
|
||||
#
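Review bot: In read_yesno_with_timeout() the bash fallback on the `/bin/bash -c` line accepts only a lowercase `y`, while the native branch's `case` accepts `y|Y`, so the same keystroke is treated as "yes" or "no" depending on which shell runs the script; use the same test in both places, e.g. `/bin/bash -c 'read -t 60 yn; case "$yn" in y|Y) exit 0 ;; *) exit 1 ;; esac'`. The `[ $? -eq 2 ]` check also assumes every shell reports an unsupported `-t` with status 2; a shell that uses another status, or a `read -t` that times out (bash returns a status above 128 there), lands in the else branch with `$yn` empty and returns 1, which the callers presumably treat as "no" and so revert or clear. That is the safe default for this feature and deserves a comment so nobody "fixes" it, e.g. `# anything other than an explicit y/Y, including a timeout or an unreadable answer, counts as "no"`.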
|
||||
@ -1391,6 +1423,76 @@ case "$1" in
|
||||
[ $# -ne 1 ] && usage 1
|
||||
help $@
|
||||
;;
|
||||
safe-restart|safe-start)
|
||||
# test is the shell supports timed read
|
||||
read -t 0 2> /dev/null
|
||||
if [ $? -eq 2 -a ! -x /bin/bash ]
|
||||
then
|
||||
echo "Your shell does not support a feature required to execute this command".
|
||||
exit 2
|
||||
fi
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt $IPTABLES -L shorewall -n
|
||||
then
|
||||
running=0
|
||||
else
|
||||
running=1
|
||||
fi
|
||||
|
||||
if [ "$1" = "safe-start" -a $running -eq 0 ]
|
||||
then
|
||||
# the command is safe-start but the firewall is already running
|
||||
$0 nolock $debugging start
|
||||
ret=$?
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$1" = "safe-start" -o $running -ne 0 ]
|
||||
then
|
||||
# the command is safe-start or shorewall is not started yet
|
||||
command="start"
|
||||
else
|
||||
# the command is safe-restart and the firewall is already running |