diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 9b50fc1da..46cc29602 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -6,6 +6,8 @@ Changes in 2.4.0-RC1 1) Fix output from firewall itself vis-a-vis multiple providers. +2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch. + Changes in 2.3.2 1) Add support for -j ROUTE diff --git a/Shorewall2/help b/Shorewall2/help index 96f0f8dad..c71258134 100644 --- a/Shorewall2/help +++ b/Shorewall2/help @@ -212,6 +212,19 @@ restart) If \"-q\" is specified, less detain is displayed making it easier to spot warnings" ;; +safe-restart) + echo "safe-restart: safe-restart + Restart the same way as a shorewall restart except that previous firewall + configuration is backed up and will be restored if you notice any anomalies + or you are not able to reach the firewall any more." + ;; + +safe-start) + echo "safe-start: safe-start + Start the same way as a shorewall start except that in case of anomalies + shorewall clear is issued. " + ;; + restore) echo "restore: restore [ ] Restore Shorewall to a state saved using the 'save' command diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index a8f1303a8..d06f56046 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
@@ -353,6 +353,25 @@ New Features in version 2.4.0 host. When 'source' is specified in an entry, it is unnecessary to also specify 'routeback'. +7) This change was implemented by Lorenzo Martignoni. It provides two + new commands: "safe-start" and "safe-restart". + + safe-start starts Shorewall then prompts you to ask you if + everything looks ok. If you answer "no" or if you don't answer + within 60 seconds, a "shorewall clear" is executed. + + safe-restart saves your current configuration to + /var/lib/shorewall/safe-restart then issues a "shorewall restart"; + It then prompts you to ask if you if you want to accept the new + configuration. If you answer "no" or if you don't answer within 60 + seconds, the configuration is restored to its prior state. + + These new commands require either that your /bin/sh supports the + "-t" option to the 'read' command or that you have /bin/bash + installed. + + + diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index f97f4e5d0..2b3301a79 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -97,6 +97,14 @@ # shorewall iprange
-
Decomposes a range of IP addresses into # a list of network/host addresses. # +# shorewall safe-start Starts the firewall and promtp for a c +# confirmation to accept or reject the new +# configuration +# +# shorewall safe-restart Restarts the firewall and prompt for a +# confirmation to accept or reject the new +# configuration +# # Fatal Error # fatal_error() # $@ = Message @@ -594,7 +602,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that # Save currently running configuration # save_config() { - mutex_on + [ "$nolock" ] || mutex_on if qt $IPTABLES -L shorewall -n; then [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall @@ -669,7 +677,8 @@ save_config() { else echo "Shorewall isn't started" fi - mutex_off + + [ "$nolock" ] || mutex_off } # # Help information @@ -712,6 +721,8 @@ usage() # $1 = exit status echo " status" echo " try [ ]" echo " version" + echo " safe-start" + echo " safe-restart" echo exit $1 } @@ -733,6 +744,27 @@ show_proc() # $1 = name of a file [ -f $1 ] && echo " $1 = $(cat $1)" } +read_yesno_with_timeout() { + read -t 60 yn 2> /dev/null + if [ $? -eq 2 ] + then + # read doesn't support timeout + test -x /bin/bash || return 2 # bash is not installed so the feature is not available + /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read + return $? + else + # read supports timeout + case "$yn" in + y|Y) + return 0 + ;; + *) + return 1 + ;; + esac + fi +} + # # Execution begins here # 
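Review bot: The new header comment for safe-start has a typo on its first line, `Starts the firewall and promtp for a c`, which also leaves a stray `c` before the continuation line; it should read `# shorewall safe-start Starts the firewall and prompt for a` so that it matches the safe-restart entry added just below it. This hunk is comment-only, so nothing else needs to change.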
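Review bot: `[ "$nolock" ] || mutex_on` at the top of save_config reads a global that nothing in this hunk, nor in the matching `[ "$nolock" ] || mutex_off` guard in the hunk at -669,7, sets or documents; presumably the dispatcher sets it when the script re-invokes itself as `$0 nolock ...`, which the safe-start/safe-restart code later in this commit relies on to avoid taking the lock twice. A one-line comment above the first guard would make that contract visible, e.g. `# $nolock is set when invoked as "$0 nolock ..."; the caller then already holds the mutex, so neither guard below must take or release it`. The two guards have to stay in step, so the comment should mention the one at the end of the function as well.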
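Review bot: The two new usage lines are appended after `version`, while the surrounding entries (`status`, `try`, `version`) are listed in alphabetical order; moving `echo " safe-restart"` and `echo " safe-start"` to just before the `status` line keeps the listing sorted. The help file changed in the same commit lists safe-restart before safe-start, so that order is the one to keep here too.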
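Review bot: The two branches of read_yesno_with_timeout disagree on what counts as "yes": the native `read` path accepts `y|Y`, but the `/bin/bash -c` fallback only tests `"$yn" == "y"`, so an upper-case answer is rejected on systems whose /bin/sh lacks `read -t`. Using the same pattern in the fallback removes the difference: `/bin/bash -c 'read -r -t 60 yn; case "$yn" in y|Y) exit 0;; *) exit 1;; esac'`. Both `read` calls should also pass `-r`, so a backslash in the answer is not interpreted. The `[ $? -eq 2 ]` test silently depends on the shell returning exactly 2 for an unsupported option; a comment such as `# status 2 = "-t" not supported by this shell; a timed-out read leaves $yn empty and is treated as "no"` would spare the next reader the guesswork.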
@@ -1391,6 +1423,76 @@ case "$1" in
 [ $# -ne 1 ] && usage 1
 help $@
 ;;
+ safe-restart|safe-start)
+ # test is the shell supports timed read
+ read -t 0 2> /dev/null
+ if [ $? -eq 2 -a ! -x /bin/bash ]
+ then
+ echo "Your shell does not support a feature required to execute this command".
+ exit 2
+ fi
+
+ mutex_on
+
+ if qt $IPTABLES -L shorewall -n
+ then
+ running=0
+ else
+ running=1
+ fi
+
+ if [ "$1" = "safe-start" -a $running -eq 0 ]
+ then
+ # the command is safe-start but the firewall is already running
+ $0 nolock $debugging start
+ ret=$?
+ exit 0
+ fi
+
+ if [ "$1" = "safe-start" -o $running -ne 0 ]
+ then
+ # the command is safe-start or shorewall is not started yet
+ command="start"
+ else
+ # the command is safe-restart and the firewall is already running
+ command="restart"
+ fi
+
+ if [ "$command" = "restart" ]
+ then
+ # save previous configuration
+ $0 nolock $debugging save "safe-start-restart"
+ fi
+
+ $0 nolock $debugging $command
+
+ echo -n "Do you want to accept the new firewall configuration? [y/n] "
+ read_yesno_with_timeout
+ if [ $? -eq 0 ]
+ then
+ echo "New configuration has been accepted"
+ if [ "$command" = "restart" ]
+ then
+ # removed previous configuration
+ rm /var/lib/shorewall/safe-start-restart
+ fi
+ else
+ if [ "$command" = "restart" ]
+ then
+ $0 nolock $debugging restore "safe-start-restart"
+ rm /var/lib/shorewall/safe-start-restart
+ else
+ $0 nolock $debugging clear
+ fi
+
+ mutex_off
+ echo "New configuration has been rejected and the old one restored"
+ exit 2
+ fi
+
+ mutex_off
+ [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+ ;;
 *)
 usage 1
 ;;
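Review bot: The exit status of `$0 nolock $debugging $command` is never examined: a failed start/restart still prompts for acceptance, the final `[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK` tests the status of `mutex_off` rather than of the start, and the already-running safe-start path stores `ret=$?` only to discard it with `exit 0` while the mutex taken a few lines earlier is still held (unless mutex_on installs an exit trap outside this hunk). Capturing the status right after the invocation, bailing out before the prompt when it is non-zero, and exiting with it on the early path fixes all three. In the rejection branch the backup is removed right after `restore` regardless of its outcome, so a failed restore deletes the only copy of the previous configuration; the `rm` should depend on restore succeeding. The release notes in this commit say the configuration is saved to `/var/lib/shorewall/safe-restart`, whereas the code saves and restores `safe-start-restart`, so one of the two should be corrected. As a matter of style, `[ ... -a ... ]`/`-o` and `echo -n` are the non-portable forms; `&&`/`||` between two tests and `printf '%s '` are the usual replacements under `#!/bin/sh`.
```shell
    if [ "$1" = "safe-start" -a $running -eq 0 ]
    then
        # the command is safe-start but the firewall is already running
        $0 nolock $debugging start
        ret=$?
        mutex_off
        exit $ret
    fi
    # … unchanged: choice of $command and save of the previous configuration …
    $0 nolock $debugging $command
    ret=$?
    if [ $ret -ne 0 ]
    then
        # start/restart itself failed: nothing new to accept; a saved copy, if any, is kept for a manual restore
        mutex_off
        exit $ret
    fi
    # … unchanged: prompt, read_yesno_with_timeout, accept branch …
        if [ "$command" = "restart" ]
        then
            # only drop the backup once it has actually been restored
            $0 nolock $debugging restore "safe-start-restart" && rm -f /var/lib/shorewall/safe-start-restart
        else
            $0 nolock $debugging clear
        fi
    # … unchanged: mutex_off, rejection message, exit 2 …
    mutex_off
    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
```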