Bring forward some changes from 2.0.8; Improve error messages; Implement STARTUP_ENABLED

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -14,23 +14,12 @@ Changes since 2.0.3
 
 7) Add PKTTYPE option.
 
-       firewall
-       shorewall.conf
-
 8) Enhancements to /etc/shorewall/masq
 
-       masq
-       firewall
-
 8) Allow overriding ADD_IP_ALIASES=Yes
 
-       nat
-       firewall
-
 9) Fix syntax error in setup_nat()
 
-       firewall
-
 10) Port "shorewall status" changes from 2.0.7.
 
 11) All config files are now empty.
@@ -39,3 +28,7 @@ Changes since 2.0.3
 
 13) Pass rule chain and display chain separately to log_rule_limit.
     Prep work for action logging.
+
+14) Show the iptables/ip/tc command that failed when failure is fatal.
+
+15) Implement STARTUP_ENABLED.

Shorewall2/firewall

@@ -156,7 +156,11 @@ run_iptables() {
     [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
 
     if ! iptables $@ ; then
-	[ -z "$stopping" ] && { stop_firewall; exit 2; }
+	if [ -z "$stopping" ]; then
+	    error_message "ERROR: Command \"$@\" Failed"
+	    stop_firewall
+	    exit 2
+	fi
     fi
 }
 
@@ -183,7 +187,11 @@ run_iptables2() {
 #
 run_ip() {
     if ! ip $@ ; then
-	[ -z "$stopping" ] && { stop_firewall; exit 2; }
+	if [ -z "$stopping" ]; then
+	    error_message "ERROR: Command \"$@\" Failed"
+	    stop_firewall
+	    exit 2
+	fi
     fi
 }
 
@@ -192,7 +200,11 @@ run_ip() {
 #
 run_tc() {
     if ! tc $@ ; then
-	[ -z "$stopping" ] && { stop_firewall; exit 2; }
+	if [ -z "$stopping" ]; then
+	    error_message "ERROR: Command \"$@\" Failed"
+	    stop_firewall
+	    exit 2
+	fi
     fi
 }
 
@@ -2784,7 +2796,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
     
     [ "$COMMAND" != check ] && \
 	while havechain %${CHAIN}${actchain}; do
-	    actchain=$((${actchain-0} + 1))
+	    actchain=$(($actchain + 1))
 	    [ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
         done
 
@@ -2865,6 +2877,9 @@ find_logactionchain() # $1 = Action, including log level and tag if any
 
 }
 
+#
+# This function determines the logging for a subordinate action or a rule within a subordinate action
+# 
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
     local superior=$1 subordinate=$2
@@ -2925,13 +2940,33 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 	    ;;
     esac
 }
-	    
-	    
-#
-# Read /etc/shorewall/actions and /usr/share/shorewall/actions.std and for each defined <action>, pre-process 
-# /etc/shorewall/action.<action>
-#
 
+#
+# The next two functions implement the two phases of action processing.
+#
+# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
+# and /etc/shorewall/actions are scanned (in that order) and for each action:
+#
+#      a) The related action definition file is located and scanned.
+#      b) Forward and unresolved action references are trapped as errors.
+#      c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the 
+#         action[:level[:tag]] of each action invoked by <action>.
+#      d) All actions are listed in the global variable ACTIONS.	    
+#      e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global
+#         USEDACTIONS list and their action chain is created.
+#
+# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an <action> 
+# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
+# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
+# length of the chain name does not exceed 11 characters.
+#
+# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of 
+# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
+#
+# The final step is to traverse the USEDACTIONS list populating each chain appropriately by reading the
+# action definition files and creating rules. Note that a given action definition file is processed once for
+# each unique [:level[:tag]] applied to an invocation of the action.
+#
 process_actions1() {
 	
     ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
@@ -3003,53 +3038,8 @@ process_actions1() {
 	done < $TMP_DIR/$inputfile
     done
 }
-#
-# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
-# process the associated action files.
-#
+
 process_actions2() {
-    #
-    # Process a rule where the source or destination is "all"
-    #
-    process_wildcard_rule() {
-	local yclients yservers ysourcezone ydestzone ypolicy
-	
-	for yclients in $xclients; do
-	    for yservers in $xservers; do
-		ysourcezone=${yclients%%:*}
-		ydestzone=${yservers%%:*}
-		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
-		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
-		    if [ "$ypolicy" != NONE ] ; then
-			rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
-			process_action $xchain $xaction1 $xaction2 $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
-		    fi
-		fi
-	    done
-	done
-    }
-
-    do_it() {
-	expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
-
-	if [ "x$xclients" = xall ]; then
-	    xclients="$zones $FW"
-	    if [ "x$xservers" = xall ]; then
-		xservers="$zones $FW"
-	    fi
-	    process_wildcard_rule
-	    continue
-	fi
-
-	if [ "x$xservers" = xall ]; then
-	    xservers="$zones $FW"
-	    process_wildcard_rule
-	    continue
-	fi
-
-	rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
-	process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
-    }
 
     drop_broadcasts() {
 	for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
@@ -3065,9 +3055,7 @@ process_actions2() {
 	    run_iptables -A $xchain -d $address -j DROP
 	done
     }
-    #
-    # B O D Y   S T A R T S   H E R E
-    #
+    
     progress_message "   Generating Transitive Closure of Used-action List..."
 
     changed=Yes
@@ -3179,7 +3167,7 @@ process_actions2() {
 				
 		echo "Processing $fn for Chain $xchain..."
 		
-		while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
+		while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
 		    expandv xtarget
 		    #
 		    # Generate the target:level:tag to pass to process_action()
@@ -3204,7 +3192,11 @@ process_actions2() {
 			    ;;
 		    esac
 
-		    do_it
+		    expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
+
+		    rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
+		    process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
+
 		done < $TMP_DIR/$f
 		;;
 	esac
@@ -5819,10 +5811,11 @@ activate_rules()
 # Check for disabled startup
 #
 check_disabled_startup() {
-    if [ -f /etc/shorewall/startup_disabled ]; then
+    if [ -z "$STARTUP_ENABLED" ]; then
 	echo "   Shorewall Startup is disabled -- to enable startup"
 	echo "   after you have completed Shorewall configuration,"
-	echo "   remove the file /etc/shorewall/startup_disabled"
+	echo "   change the setting of STARTUP_ENABLED to Yes in"
+        echo "   /etc/shorewall/shorewall.conf"
 
 	[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
 	my_mutex_off
@@ -6509,6 +6502,7 @@ do_initialize() {
     BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
     DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
     PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
 
     #
     # Strip the files that we use often

Shorewall2/install.sh

@@ -551,7 +551,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 	    if insserv /etc/init.d/shorewall ; then
 		echo
 		echo "shorewall will start automatically at boot"
-		echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 	    else
 		cant_autostart
 	    fi
@@ -559,7 +559,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 	    if chkconfig --add shorewall ; then
 		echo
 		echo "shorewall will start automatically in run levels as follows:"
-		echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 		chkconfig --list shorewall
 	    else
 		cant_autostart
@@ -568,18 +568,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 	    if rc-update add shorewall default; then
 		echo
 		echo "shorewall will start automatically at boot"
-		echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 	    else
 		cant_autostart
 	    fi
 	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 	    cant_autostart
 	fi
-
-	echo \
-"########################################################################
-#      REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL            #
-########################################################################" > /etc/shorewall/startup_disabled
     fi
 fi
 

Shorewall2/releasenotes.txt

@@ -161,3 +161,14 @@ New Features:
 	 $LEVEL="info"
 	 $TAG="test"
 
+6)  The /etc/shorewall/startup_disabled file is no longer created when 
+    Shorewall is first installed. Rather, the variable STARTUP_ENABLED
+    is set to 'No' in /etc/shorewall/shorewall.conf. In order to get 
+    Shorewall to start, that variable's value must be set to
+    'Yes'. This change accomplishes two things:
+
+    a) It prevents Shorewall from being started prematurely by the
+    user's initialization scripts.
+
+    b) It causes /etc/shorewall/shorewall.conf to be modified so that
+    it won't be replaced by upgrades using RPM.

Shorewall2/shorewall.conf

@@ -7,6 +7,14 @@
 #  This file should be placed in /etc/shorewall
 #
 #  (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#                      S T A R T U P   E N A B L E D
+##############################################################################
+# Once you have configured Shorewall, you may change the setting of
+# this variable to 'Yes'
+
+STARTUP_ENABLED=No
+
 ##############################################################################
 #                              L O G G I N G
 ##############################################################################

Shorewall2/shorewall.spec

@@ -40,20 +40,6 @@ rm -rf $RPM_BUILD_ROOT
 
 %post
 
-if [ $1 -eq 1 ]; then
-    	echo \
-"########################################################################
-#      REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL            #
-########################################################################" \
-	> /etc/shorewall/startup_disabled
-
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv /etc/rc.d/shorewall
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --add shorewall;
-	fi
-fi
-
 %preun
 
 if [ $1 = 0 ]; then
@@ -141,6 +127,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Mon Aug 02 2004 Tom Eastep tom@shorewall.net
+- Remove startup_disabled.
 * Thu Jul 29 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.1.2-1
 * Mon Jul 12 2004 Tom Eastep tom@shorewall.net