Merge and massage Lorenzo's safe-[re]start patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2166 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3162f11617
commit
b0cf1dc06d
@ -6,6 +6,8 @@ Changes in 2.4.0-RC1
|
|||||||
|
|
||||||
1) Fix output from firewall itself vis-a-vis multiple providers.
|
1) Fix output from firewall itself vis-a-vis multiple providers.
|
||||||
|
|
||||||
|
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
|
||||||
|
|
||||||
Changes in 2.3.2
|
Changes in 2.3.2
|
||||||
|
|
||||||
1) Add support for -j ROUTE
|
1) Add support for -j ROUTE
|
||||||
|
@ -212,6 +212,19 @@ restart)
|
|||||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
safe-restart)
|
||||||
|
echo "safe-restart: safe-restart
|
||||||
|
Restart the same way as a shorewall restart except that previous firewall
|
||||||
|
configuration is backed up and will be restored if you notice any anomalies
|
||||||
|
or you are not able to reach the firewall any more."
|
||||||
|
;;
|
||||||
|
|
||||||
|
safe-start)
|
||||||
|
echo "safe-start: safe-start
|
||||||
|
Start the same way as a shorewall start except that in case of anomalies
|
||||||
|
shorewall clear is issued. "
|
||||||
|
;;
|
||||||
|
|
||||||
restore)
|
restore)
|
||||||
echo "restore: restore [ <file name> ]
|
echo "restore: restore [ <file name> ]
|
||||||
Restore Shorewall to a state saved using the 'save' command
|
Restore Shorewall to a state saved using the 'save' command
|
||||||
|
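Review bot: The new safe-restart help text on the `configuration is backed up and will be restored if you notice any anomalies` lines presents the restore as something triggered by the operator noticing a problem, whereas this commit's release notes describe it as prompt-driven: the old configuration comes back only if you answer "no" or give no answer within 60 seconds. The help text should state that window, since it is exactly what protects an operator who locks themselves out, e.g. `configuration is backed up; you are then asked to accept the new one and,` / `if you answer "no" or do not answer within 60 seconds, the previous` / `configuration is restored.` The safe-start text should likewise say that a "no" or a 60-second timeout is what issues `shorewall clear`, and — assuming clear removes the rule set, as its name suggests but this hunk does not show — warn that this failure mode leaves the host without a firewall rather than with the previous one. Both strings are runtime help output, so keep the surrounding quoting intact when editing them.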
@ -353,6 +353,25 @@ New Features in version 2.4.0
|
|||||||
host. When 'source' is specified in an entry, it is unnecessary to
|
host. When 'source' is specified in an entry, it is unnecessary to
|
||||||
also specify 'routeback'.
|
also specify 'routeback'.
|
||||||
|
|
||||||
|
7) This change was implemented by Lorenzo Martignoni. It provides two
|
||||||
|
new commands: "safe-start" and "safe-restart".
|
||||||
|
|
||||||
|
safe-start starts Shorewall then prompts you to ask you if
|
||||||
|
everything looks ok. If you answer "no" or if you don't answer
|
||||||
|
within 60 seconds, a "shorewall clear" is executed.
|
||||||
|
|
||||||
|
safe-restart saves your current configuration to
|
||||||
|
/var/lib/shorewall/safe-restart then issues a "shorewall restart";
|
||||||
|
It then prompts you to ask if you if you want to accept the new
|
||||||
|
configuration. If you answer "no" or if you don't answer within 60
|
||||||
|
seconds, the configuration is restored to its prior state.
|
||||||
|
|
||||||
|
These new commands require either that your /bin/sh supports the
|
||||||
|
"-t" option to the 'read' command or that you have /bin/bash
|
||||||
|
installed.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -97,6 +97,14 @@
|
|||||||
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
|
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
|
||||||
# a list of network/host addresses.
|
# a list of network/host addresses.
|
||||||
#
|
#
|
||||||
|
# shorewall safe-start Starts the firewall and promtp for a c
|
||||||
|
# confirmation to accept or reject the new
|
||||||
|
# configuration
|
||||||
|
#
|
||||||
|
# shorewall safe-restart Restarts the firewall and prompt for a
|
||||||
|
# confirmation to accept or reject the new
|
||||||
|
# configuration
|
||||||
|
#
|
||||||
# Fatal Error
|
# Fatal Error
|
||||||
#
|
#
|
||||||
fatal_error() # $@ = Message
|
fatal_error() # $@ = Message
|
||||||
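Review bot: The new command summary comment on the `# shorewall safe-start Starts the firewall and promtp for a c` line carries two typos ("promtp", and a stray "c" that then repeats as "confirmation" on the next line), and the safe-restart entry says "prompt" where the parallel entries use third-person verbs. Suggested wording: `# shorewall safe-start Starts the firewall and prompts for a` and `# shorewall safe-restart Restarts the firewall and prompts for a`, with the following `# confirmation to accept or reject the new` lines left as they are. It would also help an operator reading only this header to add, after each entry, that the prompt times out after 60 seconds and that a timeout counts as rejection, which is the behaviour this commit's release notes describe.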
@ -594,7 +602,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
# Save currently running configuration
|
# Save currently running configuration
|
||||||
#
|
#
|
||||||
save_config() {
|
save_config() {
|
||||||
mutex_on
|
[ "$nolock" ] || mutex_on
|
||||||
|
|
||||||
if qt $IPTABLES -L shorewall -n; then
|
if qt $IPTABLES -L shorewall -n; then
|
||||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||||
@ -669,7 +677,8 @@ save_config() {
|
|||||||
else
|
else
|
||||||
echo "Shorewall isn't started"
|
echo "Shorewall isn't started"
|
||||||
fi
|
fi
|
||||||
mutex_off
|
|
||||||
|
[ "$nolock" ] || mutex_off
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# Help information
|
# Help information
|
||||||
@ -712,6 +721,8 @@ usage() # $1 = exit status
|
|||||||
echo " status"
|
echo " status"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
echo " version"
|
echo " version"
|
||||||
|
echo " safe-start"
|
||||||
|
echo " safe-restart"
|
||||||
echo
|
echo
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
@ -733,6 +744,27 @@ show_proc() # $1 = name of a file
|
|||||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
read_yesno_with_timeout() {
|
||||||
|
read -t 60 yn 2> /dev/null
|
||||||
|
if [ $? -eq 2 ]
|
||||||
|
then
|
||||||
|
# read doesn't support timeout
|
||||||
|
test -x /bin/bash || return 2 # bash is not installed so the feature is not available
|
||||||
|
/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
|
||||||
|
return $?
|
||||||
|
else
|
||||||
|
# read supports timeout
|
||||||
|
case "$yn" in
|
||||||
|
y|Y)
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Execution begins here
|
# Execution begins here
|
||||||
#
|
#
|
||||||
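Review bot: The bash fallback on the `/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ...'` line accepts only a lowercase `y`, while the native path's `case "$yn" in y|Y)` also accepts `Y`, so an uppercase answer typed on a shell without a timed `read` is treated as a rejection and silently triggers the restore or clear. Make the two paths agree, e.g. `/bin/bash -c 'read -t 60 yn ; case "$yn" in y|Y) exit 0 ;; *) exit 1 ;; esac'`. The function also has no header comment; add one stating the contract callers rely on — returns 0 only for y/Y, 1 on any other answer, on timeout, or on EOF when stdin is not interactive, and 2 when no timed read is available — because that "anything but an explicit yes means no" default is what makes safe-start/safe-restart fail safe. The probe depends on a missing `-t` producing exit status 2 rather than some other non-zero code; that is presumably what the supported /bin/sh implementations return for an illegal option, but it is worth confirming rather than assuming, since a different status would route a real read failure into the `case` branch with an empty `$yn`.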
@ -1391,6 +1423,76 @@ case "$1" in
|
|||||||
[ $# -ne 1 ] && usage 1
|
[ $# -ne 1 ] && usage 1
|
||||||
help $@
|
help $@
|
||||||
;;
|
;;
|
||||||
|
safe-restart|safe-start)
|
||||||
|
# test is the shell supports timed read
|
||||||
|
read -t 0 2> /dev/null
|
||||||
|
if [ $? -eq 2 -a ! -x /bin/bash ]
|
||||||
|
then
|
||||||
|
echo "Your shell does not support a feature required to execute this command".
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
mutex_on
|
||||||
|
|
||||||
|
if qt $IPTABLES -L shorewall -n
|
||||||
|
then
|
||||||
|
running=0
|
||||||
|
else
|
||||||
|
running=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$1" = "safe-start" -a $running -eq 0 ]
|
||||||
|
then
|
||||||
|
# the command is safe-start but the firewall is already running
|
||||||
|
$0 nolock $debugging start
|
||||||
|
ret=$?
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$1" = "safe-start" -o $running -ne 0 ]
|
||||||
|
then
|
||||||
|
# the command is safe-start or shorewall is not started yet
|
||||||
|
command="start"
|
||||||
|
else
|
||||||
|
# the command is safe-restart and the firewall is already running |