diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 83f08dbcd..2f7d4e918 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,209 +1,5 @@
-Changes in 3.4.2
-
-1) Update modules file for 2.6.20 module madness.
-
-2) Update /sbin/shorewall[-lite] to account for mindless renaming of
- /proc/net/ip_conntrack to /proc/net/nf_conntrack.
-
-3) Fix 'none[!]' and built-in actions.
-
-4) Fix 'ipsecnat' tunnels.
-
-Changes in 3.4.1
-
-1) Add rest of proxy arp fix.
-
-2) Fix two problems with log-prefix handling.
-
-3) Nested Zones produced shell errors.
-
-4) CONTINUE policies generated invalid iptables input.
-
-6) Fix CRITICALHOSTS bug in 'stop_firewall()'
-
-Changes in 3.4.0 Final
-
-1) Add missing logic for "!" rules.
-
-2) Restore missing function merge_macro_source_dest.
-
-3) Fix obscure bug in rule activation logic.
-
-4) Don't clear proxy arp unconditionally.
-
-Changes in 3.4.0 RC 3
-
-1) Add warning about 'loose' and 'balance'
-
-2) Fix route_rules processing.
-
-3) Fix restoration of ip range dynamic entries.
-
-4) Fix exit status problem with 'restart'
-
-5) Dump SPD and SAD in the dump command.
-
-Changes in 3.4.0 RC 2
-
-1) No longer include params file in compiled output.
-
-Changes in 3.4.0 RC 1
-
-1) LITEDIR option in shorewall.conf
-
-2) Add some hacks for Shorewall Lite on OpenWRT
-
-3) Add macro for SixXS.
-
-4) Allow ranges and ipset names in the ADDRESSES column of maclist
- file.
-
-5) Add helpers for SIP to the modules file.
-
-6) Only copy /etc/shorewall/params to output if non-export.
-
-7) Add EXPORTPARAMS option
-
-Changes in 3.4.0 Beta 3
-
-1) Handle VLAN interface names like vlanX@ethY.
-
-2) Fix ipp2p:udp handling in action body.
-
-3) Be more careful about converting pre-3.2 maclist records.
-
-4) 'noah' is implied by ipsecnat in /etc/shorewall/tunnels.
-
-5) Reduce the number of rules in the 'blacklst' chain when
- BLACKLIST_LOGLEVEL is specified.
-
-Changes in 3.4.0 Beta 2
-
-1) Fix for empty blacklist file.
-
-2) Don't copy files from /usr/share/shorewall into the compiled
- script.
-
-3) Add wait4ifup.
-
-4) Rename the shorewall.conf to shorewall-lite.conf.
-
-Changes in 3.4.0 Beta 1
-
-1) Correct handling of masq file.
-
-2) Simplify log record processing and remove more noise from the
- displayed record.
-
-Changes in 3.3.6
-
-1) Remove /etc/shorewall/Documentation.
-
-2) Remove /usr/share/shorewall/help.
-
-3) Use export directory's modules file with -e.
-
-4) Use fwmark tc filter with unknown interfaces.
-
-5) Use multiport match in tcrules.
-
-6) Fix safe- commands.
-
-7) Remove 'try' command.
-
-8) Make colon after system optional in the 'export' command.
-
-9) Restore 'try' command and improve 'safe-' commands.
-
-10) Allow capabilities file to be used with Shorewall as well as
- Shorewall Lite.
-
-11) Allow in-memory circular buffer for system log.
-
-12) Add ":T" qualifier in tcrules.
-
-13) Log start/restart/restore failures.
-
-Changes in 3.3.5
-
-1) Restore default route when there are no 'balance' providers.
-
-2) Fixes to change 1.
-
-3) Many changed to improve the readability, appearance and effeciency
- of the generated script.
-
-4) Turn off POLICY_MATCH if no IPSEC.
-
-5) Only compile traffic shaping once.
-
-6) Move config file documentary comments to a separate file.
-
-7) Fix whitespace in LOGFORMAT.
-
-8) Move DNAT/REDIRECT code to lib.base.
-
-9) Implement -c option to [re]load command.
-
-10) Don't create ingress qdisc if IN-BANDWIDTH = 0.
-
-11) Return success if start of running config.
-
-12) Add Makefile especially for /usr/share/shorewall/configfiles/
-
-13) Add man pages.
-
-Changes in 3.3.4
-
-1) Make exclusion work with "show zones"
-
-2) Add 'show ip' and 'show routing' commands.
-
-3) Add COMBINE_JUMPS option.
-
-4) Add an output chain for each interface.
-
-5) Rename COMBINE_JUMPS to OPTIMIZE and make its value numeric.
-
-6) Suppress superfluous wildcard rules under OPTIMIZE > 0.
-
-7) Support ip ranges in the drop, logdrop, reject, and allow commands.
-
-8) Add lib.cli.
-
-9) Attempt to undo routing changes.
-
-Changes in 3.3.3
-
-1) Fix excluding in SUBNET column.
-
-2) Add logical AND and OR support for tcrules.
-
-3) Make the maximum zone name length dependent on LOGFORMAT.
-
-4) Clear provider marks in POSTROUTING when HIGH_ROUTE_MARKS=Yes.
-
-5) Add COMMENT support.
-
-6) Add macro.RDP.
-
-7) Add maclog extension file.
-
-8) Rename SUBNET column in the masq file.
-
-9) Allow exclusion in /etc/shorewall/hosts.
-
-10) Eliminate extra jumps to policy chains
-
-Changes in 3.3.1
-
-1) Load the proxyarp lib when 'proxyarp' option is specified.
-
-2) Implement default action/macros at the individual policy level.
-
-3) Add logfile name to output of "shorewall show log" and "shorewall
- logwatch".
-
-
+Changes in 3.9.2
+1) Implement '-C {shell|perl}'.
+2) Implement LOCKFILE
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index bb2f45dba..63aa0dd32 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -300,7 +300,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 mutex_on()
 {
 local try=0
- local lockf=${VARDIR}/lock
+ local lockf=${LOCKFILE:=${VARDIR}/lock}
 MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
@@ -331,7 +331,7 @@ mutex_on()
 #
 mutex_off()
 {
- rm -f ${VARDIR}/lock
+ rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 #
diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config
index 39a485644..c934c9227 100644
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@@ -1691,6 +1691,7 @@ do_initialize() {
 #CONFIG_PATH is inherited
 RESTOREFILE=
 IPSECFILE=
+ LOCKFILE=
 #
 # Default Actions/Macros
 #
@@ -2039,6 +2040,10 @@ do_initialize() {
 startup_error "Invalid OPTIMIZE value ($OPTIMIZE)"
 ;;
 esac
+
+ if [ -n "$LOCKFILE" ]; then
+ [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist"
+ fi
 #
 # Check out the user's shell
 #
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 0b1b9c91a..cb92db956 100644
--- a/Shorewall-common/releasenotes.txt
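Review bot: `local lockf=${LOCKFILE:=${VARDIR}/lock}` takes the lock path from shorewall.conf, and the only validation this commit adds (in lib.config and Config.pm) is that the parent directory exists — nothing rejects a directory that other users can write to. mutex_on runs as root, so a LOCKFILE under /tmp or another world-writable directory lets any local user pre-create the file, or a symlink, and at least stall every start/restart for up to MUTEX_TIMEOUT seconds; what happens beyond that depends on the lock-creation code further down in mutex_on, which is outside this hunk. Quote the expansion, `local lockf="${LOCKFILE:=${VARDIR}/lock}"`, so a path with whitespace cannot split into several words, and add a comment above the function such as `# LOCKFILE (shorewall.conf) must be an absolute path in a root-owned directory; defaults to ${VARDIR}/lock`. The rest of mutex_on lies outside the hunk.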
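Review bot: `rm -f ${LOCKFILE:=${VARDIR}/lock}` expands the path unquoted, so a LOCKFILE containing whitespace or glob characters would remove the wrong file, or several files, as root; write `rm -f "${LOCKFILE:=${VARDIR}/lock}"`. The `:=` form also assigns the global LOCKFILE as a side effect when it is empty, which is harmless as long as mutex_on and mutex_off always see the same value, but `:-` expresses the default without mutating anything and makes the intent clearer. A one-line comment above the function, `# Release the lock taken by mutex_on(); LOCKFILE comes from shorewall.conf and defaults to ${VARDIR}/lock`, would help readers of the generated script.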
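Review bot: The new check `[ -d $(dirname $LOCKFILE) ]` leaves both expansions unquoted, so a value with whitespace makes `test` see several arguments and fail with a confusing error instead of the intended message, and because dirname of a bare filename is `.`, a relative LOCKFILE such as `lock` passes the check and is later resolved against whatever the current directory happens to be when the compiled script runs as root. Require an absolute path and quote the expansions, as below; the existence check is then only reached for paths that name a fixed location. The directory's ownership and mode are still not checked, so the shorewall.conf comment for LOCKFILE should say it must live in a directory writable only by root. The surrounding do_initialize function starts and ends outside the hunk.
```shell
if [ -n "$LOCKFILE" ]; then
    case $LOCKFILE in
        /*)
            ;;
        *)
            startup_error "LOCKFILE=$LOCKFILE: must be an absolute path"
            ;;
    esac

    [ -d "$(dirname "$LOCKFILE")" ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname "$LOCKFILE") does not exist"
fi
```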
+++ b/Shorewall-common/releasenotes.txt
@@ -24,6 +24,16 @@ Problems corrected in Shorewall 3.9.2
 2) The params file was being copied into the generated script independent of the setting of EXPORTPARAMS.
+Other changes in Shorewall 3.9.2
+
+1) A LOCKFILE option has been added to shorewall.conf. This file is
+ used to serialize updates to the active firewall configuration.
+
+ If not specified, the defaults are:
+
+ Shorewall - /var/lib/shorewall/lock
+ Shorewall Lite - /var/lib/shorewall-lite/lock
+
 Migration Considerations:
 1) You cannot simply upgrade your existing Shorewall package. You must
diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 14b59b39d..6a178aac7 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -79,6 +79,8 @@ RESTOREFILE=
 IPSECFILE=zones
+LOCKFILE=
+
 ###############################################################################
 # D E F A U L T A C T I O N S / M A C R O S
 ###############################################################################
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 69db9ea4b..bb77a17be 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -26,6 +26,7 @@ package Shorewall::Config;
 use strict;
 use warnings;
 use Shorewall::Common;
+use File::Basename;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
@@ -100,6 +101,7 @@ our %config =
 CONFIG_PATH => undef,
 RESTOREFILE => undef,
 IPSECFILE => undef,
+ LOCKFILE => undef,
 #
 # Default Actions/Macros
 #
@@ -153,7 +155,7 @@ our %config =
 #
 # Config options and global settings that are to be copied to object
 #
-my @propagateconfig = qw/ CLEAR_TC DISABLE_IPV6 ADMINISABSENTMINDED IP_FORWARDING MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK/;
+my @propagateconfig = qw/ CLEAR_TC DISABLE_IPV6 ADMINISABSENTMINDED IP_FORWARDING MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE/;
 my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 #
@@ -910,6 +912,20 @@ sub get_configuration( $ ) {
 $globals{LOGFORMAT}='Shorewall:%s:%s:';
 $globals{MAXZONENAMELENGTH} = 5;
 }
+
+ if ( $config{LOCKFILE} ) {
+ my ( $file, $dir, $suffix );
+
+ eval {
+ ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
+ };
+
+ die $@ if $@;
+
+ fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless -d $dir;
+ } else {
+ $config{LOCKFILE} = '';
+ }
 }
 sub propagateconfig() {
@@ -974,7 +990,7 @@ sub generate_aux_config() {
 emit join ( '', "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version ", $globals{VERSION}, ' - ' , localtime , "\n#" );
- for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
+ for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
 conditionally_add_option $option;
 }
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 06854e800..91f846b85 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -5079,6 +5079,7 @@ __EOF__
 cat >&3 << __EOF__
 VERSION="$VERSION"
 SUBSYSLOCK="$SUBSYSLOCK"
+ LOCKFILE="$LOCKFILE"
 PATH="$PATH"
 TERMINATOR=fatal_error
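Review bot: The `eval { ... }; die $@ if $@;` around fileparse() is a no-op — it rethrows exactly what it caught, and fileparse() is not documented to throw for a plain string — so the five lines collapse to `my ( $file, $dir ) = fileparse( $config{LOCKFILE} );`, dropping the never-used `$suffix`. More importantly, fileparse() returns `./` as the directory for a bare filename, so `LOCKFILE=lock` passes the `-d $dir` test and the path is later resolved against the compiled script's working directory at run time; add `fatal_error "LOCKFILE=$config{LOCKFILE}: must be an absolute path" unless $config{LOCKFILE} =~ m{^/};` before the fileparse call, and make the shell-side check in lib.config do the same so both compilers reject the same inputs. A short comment above the block, `# Validate LOCKFILE early: the parent directory must exist, since the generated script will create the lock there as root`, would record why this is done at configuration time. get_configuration starts and ends outside the hunk.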
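Review bot: The rewritten `for my $option qw(...) {` line relies on `qw()` standing in for the parenthesised list after `for`, a form Perl 5.14 and later warn about and 5.18 and later reject as a syntax error; since the line is being changed anyway, write it as `for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) ) {`. The shell compiler emits the same list with LOCKFILE after RESTOREFILE, so the two compilers produce auxiliary files with different option order; pick one order for both so the generated files can be diffed across compilers. generate_aux_config continues outside the hunk.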
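Review bot: `LOCKFILE="$LOCKFILE"` is written into the generated script through an unquoted heredoc, so the value from shorewall.conf is interpolated verbatim at compile time; a value containing a double quote, `$` or backquote yields a script that fails to parse, or executes the embedded text as root, instead of a clean compile-time error. This is not a privilege boundary — shorewall.conf is root's file, and SUBSYSLOCK on the line above has the same exposure — but LOCKFILE is new and its validation in do_initialize (outside this hunk) only checks that the parent directory exists, so that is the place to add `case "$LOCKFILE" in *'"'*|*'$'*|*'`'*|*' '*) startup_error "LOCKFILE=$LOCKFILE: contains characters that would break the generated script" ;; esac`. The function emitting this heredoc starts and ends outside the hunk.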
@@ -5600,7 +5601,7 @@ __EOF__
 # Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date)
 #
 __EOF__
- for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS; do
+ for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE LOCKFILE SAVE_IPSETS; do
 conditionally_add_option $option
 done
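Review bot: LOCKFILE is appended after RESTOREFILE here but placed before it in the Perl compiler's generate_aux_config, so the two compilers write the auxiliary configuration file with the options in different order; choose one order for both so generated files can be compared across compilers. `conditionally_add_option` is defined outside the hunk and presumably skips options whose value is empty, which is what lets an unset LOCKFILE fall back to `${VARDIR}/lock` in lib.base on the Shorewall Lite side — worth stating above the loop, e.g. `# LOCKFILE is only written when set; an absent entry makes mutex_on/mutex_off fall back to ${VARDIR}/lock`. The enclosing function starts outside the hunk.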