From d8a733aac0794e30f551dd2ce9ce60c475c886a4 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 2 Aug 2004 21:48:40 +0000
Subject: [PATCH] Bring forward some changes from 2.0.8; Improve error messages; Implement STARTUP_ENABLED
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 15 ++---
 Shorewall2/firewall | 120 +++++++++++++++++-------------------
 Shorewall2/install.sh | 11 +---
 Shorewall2/releasenotes.txt | 11 ++++
 Shorewall2/shorewall.conf | 8 +++
 Shorewall2/shorewall.spec | 16 +----
 6 files changed, 85 insertions(+), 96 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 382132a72..bb66ce209 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -14,23 +14,12 @@ Changes since 2.0.3
 7) Add PKTTYPE option. - firewall - shorewall.conf - 8) Enhancements to /etc/shorewall/masq - masq - firewall - 8) Allow overriding ADD_IP_ALIASES=Yes - nat - firewall - 9) Fix syntax error in setup_nat() - firewall - 10) Port "shorewall status" changes from 2.0.7. 11) All config files are now empty.
@@ -39,3 +28,7 @@ Changes since 2.0.3
 13) Pass rule chain and display chain separately to log_rule_limit. Prep work for action logging.
+
+14) Show the iptables/ip/tc command that failed when failure is fatal.
+
+15) Implement STARTUP_ENABLED.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 5e5884aeb..db9785fc2 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -156,7 +156,11 @@ run_iptables() {
 [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
 if ! iptables $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
+ if [ -z "$stopping" ]; then
+ error_message "ERROR: Command \"$@\" Failed"
+ stop_firewall
+ exit 2
+ fi
 fi
 }
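Review bot: The new `error_message "ERROR: Command \"$@\" Failed"` line in run_iptables puts `$@` inside a double-quoted word, and in POSIX sh that expands to one word per positional parameter (the first and last parameters are glued to the surrounding text, the middle ones become separate arguments to error_message), so what actually gets printed depends on how error_message, which is not visible here, treats arguments beyond the first. For building a message the right expansion is `$*`, which joins the parameters into a single word: `error_message "ERROR: Command \"$*\" Failed"`. The same construct is repeated in the run_ip and run_tc hunks and deserves the same change. The opening line of run_iptables is outside the hunk.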
@@ -183,7 +187,11 @@ run_iptables2() {
 #
 run_ip() {
 if ! ip $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
+ if [ -z "$stopping" ]; then
+ error_message "ERROR: Command \"$@\" Failed"
+ stop_firewall
+ exit 2
+ fi
 fi
 }
@@ -192,7 +200,11 @@ run_ip() {
 #
 run_tc() {
 if ! tc $@ ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
+ if [ -z "$stopping" ]; then
+ error_message "ERROR: Command \"$@\" Failed"
+ stop_firewall
+ exit 2
+ fi
 fi
 }
@@ -2784,7 +2796,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
 [ "$COMMAND" != check ] && \
 while havechain %${CHAIN}${actchain}; do
- actchain=$((${actchain-0} + 1))
+ actchain=$(($actchain + 1))
 [ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
 done
@@ -2865,6 +2877,9 @@ find_logactionchain() # $1 = Action, including log level and tag if any
 }
+#
+# This function determines the logging for a subordinate action or a rule within a subordinate action
+#
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
 local superior=$1 subordinate=$2
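Review bot: The added `error_message "ERROR: Command \"$@\" Failed"` in run_ip, and the identical line in the run_tc hunk that follows, embeds `$@` in a double-quoted word, which expands to one word per positional parameter instead of one string; whether the command text comes out intact then depends on how error_message (outside this diff) handles extra arguments. `$*` is the expansion meant here: `error_message "ERROR: Command \"$*\" Failed"`. The opening lines of run_ip and run_tc lie outside their hunks.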
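Review bot: Dropping the `${actchain-0}` default in `actchain=$(($actchain + 1))` makes the `while havechain` loop depend on actchain having been assigned before the loop is entered; if it is unset or empty, `$(( + 1))` still evaluates to 1, but only because the shell parses a lone `+` as unary plus, which is fragile. The start of createlogactionchain, where actchain would be initialised, is outside the hunk, so a reader cannot see that contract from here; if nothing above the hunk sets it, add `actchain=0` immediately before the `[ "$COMMAND" != check ] && \` line, otherwise keep the `${actchain-0}` form.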
@@ -2925,13 +2940,33 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 ;;
 esac
 }
-
-
- #
- # Read /etc/shorewall/actions and /usr/share/shorewall/actions.std and for each defined , pre-process
- # /etc/shorewall/action.
- #
+ #
+ # The next two functions implement the two phases of action processing.
+ #
+ # The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
+ # and /etc/shorewall/actions are scanned (in that order) and for each action:
+ #
+ # a) The related action definition file is located and scanned.
+ # b) Forward and unresolved action references are trapped as errors.
+ # c) A dependency graph is created. For each , the variable 'requiredby_' lists the
+ # action[:level[:tag]] of each action invoked by .
+ # d) All actions are listed in the global variable ACTIONS.
+ # e) Common actions are recorded (in variables of the name _common) and are added to the global
+ # USEDACTIONS list and their action chain is created.
+ #
+ # As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an
+ # is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
+ # %n is used where the name is truncated on the right where necessary to ensure that the total
+ # length of the chain name does not exceed 11 characters.
+ #
+ # The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
+ # USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
+ #
+ # The final step is to traverse the USEDACTIONS list populating each chain appropriately by reading the
+ # action definition files and creating rules. Note that a given action definition file is processed once for
+ # each unique [:level[:tag]] applied to an invocation of the action.
+ #
 process_actions1() {
 ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
@@ -3003,53 +3038,8 @@ process_actions1() {
 done < $TMP_DIR/$inputfile
 done
 }
- #
- # Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
- # process the associated action files.
- #
+
 process_actions2() {
- #
- # Process a rule where the source or destination is "all"
- #
- process_wildcard_rule() {
- local yclients yservers ysourcezone ydestzone ypolicy
- for yclients in $xclients; do
- for yservers in $xservers; do
- ysourcezone=${yclients%%:*}
- ydestzone=${yservers%%:*}
- if [ "${ysourcezone}" != "${ydestzone}" ] ; then
- eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
- if [ "$ypolicy" != NONE ] ; then
- rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
- process_action $xchain $xaction1 $xaction2 $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
- fi
- fi
- done
- done
- }
- do_it() {
- expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
- if [ "x$xclients" = xall ]; then
- xclients="$zones $FW"
- if [ "x$xservers" = xall ]; then
- xservers="$zones $FW"
- fi
- process_wildcard_rule
- continue
- fi
- if [ "x$xservers" = xall ]; then
- xservers="$zones $FW"
- process_wildcard_rule
- continue
- fi
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
- process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
- }
 drop_broadcasts() {
 for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
@@ -3065,9 +3055,7 @@ process_actions2() {
 run_iptables -A $xchain -d $address -j DROP
 done
 }
- #
- # B O D Y S T A R T S H E R E
- #
+
 progress_message " Generating Transitive Closure of Used-action List..."
 changed=Yes
@@ -3179,7 +3167,7 @@ process_actions2() {
 echo "Processing $fn for Chain $xchain..."
- while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
 expandv xtarget
 #
 # Generate the target:level:tag to pass to process_action()
@@ -3204,7 +3192,11 @@ process_actions2() {
 ;;
 esac
- do_it
+ expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
+ process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
+
 done < $TMP_DIR/$f
 ;;
 esac
@@ -5819,10 +5811,11 @@ activate_rules()
 # Check for disabled startup
 #
 check_disabled_startup() {
- if [ -f /etc/shorewall/startup_disabled ]; then
+ if [ -z "$STARTUP_ENABLED" ]; then
 echo " Shorewall Startup is disabled -- to enable startup"
 echo " after you have completed Shorewall configuration,"
- echo " remove the file /etc/shorewall/startup_disabled"
+ echo " change the setting of STARTUP_ENABLED to Yes in"
+ echo " /etc/shorewall/shorewall.conf"
 [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
 my_mutex_off
@@ -6509,6 +6502,7 @@ do_initialize() {
 BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
 DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
 PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+ STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
 #
 # Strip the files that we use often
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index 9c4b19f95..5235922b4 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
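Review bot: With do_it gone, the new `expandv` / `process_action` lines pass `$xclients` and `$xservers` through unexamined, so an action file that names `all` as source or destination is no longer expanded into the zone list (the removed do_it did that through process_wildcard_rule) and the literal word `all` now reaches process_action, which is outside this hunk. If `all` is intentionally no longer supported inside action files, reject it here with a message naming the file rather than letting it fall through, e.g. `[ "x$xclients" = xall -o "x$xservers" = xall ] && error_message "ERROR: 'all' is not permitted in action file $fn"` followed by the script's usual fatal exit; if it is still meant to work, the expansion needs to come back. The enclosing `while read` loop and the function start outside the hunk.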
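Review bot: `if [ -z "$STARTUP_ENABLED" ]` changes the failure direction for upgraded systems: the old check tripped on the presence of a marker file, whereas a shorewall.conf written before this release has no STARTUP_ENABLED line at all and the tested value is then whatever `added_param_value_yes` (assigned in the do_initialize hunk below, body not visible here) returns for an unset parameter — by its name presumably Yes — so a host that still carries a deliberate /etc/shorewall/startup_disabled will now start. For at least one release it would be safer to honour the old marker as well, `if [ -z "$STARTUP_ENABLED" -o -f /etc/shorewall/startup_disabled ]; then`, and to mention the file in the printed message so the admin knows to remove it. The test also silently depends on added_param_value_yes normalising every non-Yes value to the empty string; a one-line comment stating that would help the next reader. The remainder of check_disabled_startup is outside the hunk.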
@@ -551,7 +551,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 if insserv /etc/init.d/shorewall ; then
 echo
 echo "shorewall will start automatically at boot"
- echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+ echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 else
 cant_autostart
 fi
@@ -559,7 +559,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 if chkconfig --add shorewall ; then
 echo
 echo "shorewall will start automatically in run levels as follows:"
- echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+ echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 chkconfig --list shorewall
 else
 cant_autostart
@@ -568,18 +568,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 if rc-update add shorewall default; then
 echo
 echo "shorewall will start automatically at boot"
- echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
+ echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
 else
 cant_autostart
 fi
 elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 cant_autostart
 fi
-
- echo \
-"########################################################################
- # REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
- ########################################################################" > /etc/shorewall/startup_disabled
 fi
 fi
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 3db9d1c6d..12efd50ab 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
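Review bot: Removing the `echo ... > /etc/shorewall/startup_disabled` block leaves any copy of that file from an earlier install in place, still carrying a header that tells the admin to remove it, while the firewall script in this same commit stops reading it and install.sh says nothing about the change. A one-line notice in the install path would close that gap: `[ -f /etc/shorewall/startup_disabled ] && echo "Note: /etc/shorewall/startup_disabled is no longer used; set STARTUP_ENABLED in /etc/shorewall/shorewall.conf instead"`. Separately, "Set STARTUP_ENABLED=Yes ... to enable" printed straight after "shorewall will start automatically at boot" reads as a contradiction; "shorewall is registered to start at boot; it will not start until STARTUP_ENABLED=Yes is set in /etc/shorewall/shorewall.conf" says what is actually true. The enclosing `if [ -z "$PREFIX" -a -n "$first_install" ]` block starts outside the hunk.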
@@ -161,3 +161,14 @@ New Features:
 $LEVEL="info" $TAG="test"
+6) The /etc/shorewall/startup_disabled file is no longer created when
+ Shorewall is first installed. Rather, the variable STARTUP_ENABLED
+ is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
+ Shorewall to start, that variable's value must be set to
+ 'Yes'. This change accomplishes two things:
+
+ a) It prevents Shorewall from being started prematurely by the
+ user's initialization scripts.
+
+ b) It causes /etc/shorewall/shorewall.conf to be modified so that
+ it won't be replaced by upgrades using RPM.
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 2ab95a28d..a66101827 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -7,6 +7,14 @@
 # This file should be placed in /etc/shorewall
 #
 # (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+ # S T A R T U P E N A B L E D
+ ##############################################################################
+ # Once you have configured Shorewall, you may change the setting of
+ # this variable to 'Yes'
+ STARTUP_ENABLED=No
+
 ##############################################################################
 # L O G G I N G
 ##############################################################################
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index 2e0e8aa7c..9ca0fc749 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
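Review bot: The comment above the new `STARTUP_ENABLED=No` says when to change the value but not what it controls or what values are accepted, and this is the one setting every new user has to find. State the contract where the setting lives, e.g. `# Shorewall will not start until this is set to Yes. Change it to Yes once you have finished configuring the firewall.`, and, if the normalisation in the firewall script (not visible here) only recognises Yes and No, say so too.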
@@ -40,20 +40,6 @@ rm -rf $RPM_BUILD_ROOT
 %post
-if [ $1 -eq 1 ]; then
- echo \
-"########################################################################
- # REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
- ########################################################################" \
- > /etc/shorewall/startup_disabled
- if [ -x /sbin/insserv ]; then
- /sbin/insserv /etc/rc.d/shorewall
- elif [ -x /sbin/chkconfig ]; then
- /sbin/chkconfig --add shorewall;
- fi
-fi
-
 %preun
 if [ $1 = 0 ]; then
@@ -141,6 +127,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Mon Aug 02 2004 Tom Eastep tom@shorewall.net
+- Remove startup_disabled.
 * Thu Jul 29 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.1.2-1
 * Mon Jul 12 2004 Tom Eastep tom@shorewall.net
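Review bot: The removed `%post` body did more than create startup_disabled: on first install (`$1 -eq 1`) it also ran `/sbin/insserv /etc/rc.d/shorewall` or `/sbin/chkconfig --add shorewall`, and nothing in the now-empty `%post` replaces that, so RPM installs will no longer register the init script at all. The `%changelog` line and release-notes item 6 describe only the file removal, which suggests the lost registration is unintended; keep the first-install block and drop just the echo. Note also that the new behaviour relies on the packaged shorewall.conf carrying `STARTUP_ENABLED=No`, which this spec does not check.
```rpmspec
%post
if [ $1 -eq 1 ]; then
    if [ -x /sbin/insserv ]; then
        /sbin/insserv /etc/rc.d/shorewall
    elif [ -x /sbin/chkconfig ]; then
        /sbin/chkconfig --add shorewall
    fi
fi
```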