Support SAFESTOP under systemd

By default, in Debian and its derivatives, stopping the Shorewall service executes `/sbin/shorewall clear`. The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the service by calling `/sbin/shorewall stop`. However, the systemd service files do not support this. Instead, install a shell-script that sources /etc/default/shorewall and honours `SAFESTOP` when stopping Shorewall and patch the service files to call it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2024-11-21 15:13:10 +01:00 · 2023-01-31 21:52:42 +00:00 · 2023-01-31 21:52:42 +00:00 · badf2fc9f0
commit badf2fc9f0
parent aae5baedfd
8 changed files with 44 additions and 11 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 #
 # Install stop_service
 #
 if [ -n "${STOPSERVICEFILE}" ]; then
    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
    echo
    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
 fi
 #
 # Install the libraries
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
 STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.
--- a/Shorewall-core/stop_service.debian
+++ b/Shorewall-core/stop_service.debian
@ -0,0 +1,19 @@
 #!/bin/sh
 PRODUCT=$1
 . /etc/default/${PRODUCT}
 if [ "$SAFESTOP" = 1 ]; then
  COMMAND=stop
 else
  COMMAND=clear
 fi
 if [ "${PRODUCT}" = shorewall6 ]; then
  EXEC="/sbin/shorewall -6"
 else
  EXEC="/sbin/${PRODUCT}"
 fi
 exec ${EXEC} ${OPTIONS} ${COMMAND}
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload
 [Install]
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@ -18,7 +18,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -206,12 +206,12 @@
  <section>
    <title>systemd</title>
-    <para>As with SysV init described in the preceeding section, the behavior
+    <para>As with SysV init described in the preceeding section, the behavior of
-    of systemctl commands differ from the Shorewall CLI commands on
+    systemctl commands differ from the Shorewall CLI commands on Debian-based
-    Debian-based systems. To make systemctl stop shorewall[-lite] and
+    systems. In versions of Shorewall before 5.2.9, to make <command>systemctl
-    systemctl restart shorewall[-lite] behave like shorewall stop and
+    stop shorewall</command> and <command>systemctl restart shorewall</command>
-    shorewall restart, use this workaround provided by J Cliff
+    behave like <command>shorewall stop</command> and <command>shorewall
-    Armstrong:</para>
+    restart</command>, use this workaround provided by J Cliff Armstrong:</para>
    <para> Type (as root):</para>
@ -231,10 +231,14 @@ ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
    <para>to activate the changes. This change will survive future updates of
    the shorewall package from apt repositories. The override file itself will
-    be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
+    be saved to <filename>/etc/systemd/system/shorewall.service.d/</filename>.</para>
    <para>The same workaround may be applied to the other Shorewall products
    (excluding Shorewall Init).</para>
    <para>From Shorewall 5.2.9 onwards, the systemd service files have been
    updated to execute a shell script that obeys the SAFESTOP setting to stop
    the firewall, and the workaround is no longer necessary.</para>
  </section>
  <section id="Trace">