Add LOCKFILE option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-23 05:01:34 +01:00 · 2007-04-15 23:41:13 +00:00 · 2007-04-15 23:41:13 +00:00 · f2455933a8
commit f2455933a8
parent d643b8e167
7 changed files with 42 additions and 212 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,209 +1,5 @@
-Changes in 3.4.2
-
-1)  Update modules file for 2.6.20 module madness.
-
-2)  Update /sbin/shorewall[-lite] to account for mindless renaming of
-    /proc/net/ip_conntrack to /proc/net/nf_conntrack.
-
-3)  Fix 'none[!]' and built-in actions.
-
-4)  Fix 'ipsecnat' tunnels.
-
-Changes in 3.4.1
-
-1)  Add rest of proxy arp fix.
-
-2)  Fix two problems with log-prefix handling.
-
-3)  Nested Zones produced shell errors.
-
-4)  CONTINUE policies generated invalid iptables input.
-
-6)  Fix CRITICALHOSTS bug in 'stop_firewall()'
-
-Changes in 3.4.0 Final
-
-1)  Add missing logic for "!" rules.
-
-2)  Restore missing function merge_macro_source_dest.
-
-3)  Fix obscure bug in rule activation logic.
-
-4)  Don't clear proxy arp unconditionally.
-
-Changes in 3.4.0 RC 3
-
-1)  Add warning about 'loose' and 'balance'
-
-2)  Fix route_rules processing.
-
-3)  Fix restoration of ip range dynamic entries.
-
-4)  Fix exit status problem with 'restart'
-
-5)  Dump SPD and SAD in the dump command.
-
-Changes in 3.4.0 RC 2
-
-1)  No longer include params file in compiled output.
-
-Changes in 3.4.0 RC 1
-
-1)  LITEDIR option in shorewall.conf
-
-2)  Add some hacks for Shorewall Lite on OpenWRT
-
-3)  Add macro for SixXS.
-
-4)  Allow ranges and ipset names in the ADDRESSES column of maclist
-    file.
-
-5)  Add helpers for SIP to the modules file.
-
-6)  Only copy /etc/shorewall/params to output if non-export.
-
-7)  Add EXPORTPARAMS option
-
-Changes in 3.4.0 Beta 3
-
-1)  Handle VLAN interface names like vlanX@ethY.
-
-2)  Fix ipp2p:udp handling in action body.
-
-3)  Be more careful about converting pre-3.2 maclist records.
-
-4)  'noah' is implied by ipsecnat in /etc/shorewall/tunnels.
-
-5)  Reduce the number of rules in the 'blacklst' chain when
-    BLACKLIST_LOGLEVEL is specified.
-
-Changes in 3.4.0 Beta 2
-
-1)  Fix for empty blacklist file.
-
-2)  Don't copy files from /usr/share/shorewall into the compiled
-    script.
-
-3)  Add wait4ifup.
-
-4)  Rename the shorewall.conf to shorewall-lite.conf.
-
-Changes in 3.4.0 Beta 1
-
-1)  Correct handling of masq file.
-
-2)  Simplify log record processing and remove more noise from the
-    displayed record.
-
-Changes in 3.3.6
-
-1)  Remove /etc/shorewall/Documentation.
-
-2)  Remove /usr/share/shorewall/help.
-
-3)  Use export directory's modules file with -e.
-
-4)  Use fwmark tc filter with unknown interfaces.
-
-5)  Use multiport match in tcrules.
-
-6)  Fix safe- commands.
-
-7)  Remove 'try' command.
-
-8)  Make colon after system optional in the 'export' command.
-
-9)  Restore 'try' command and improve 'safe-' commands.
-
-10) Allow capabilities file to be used with Shorewall as well as
-    Shorewall Lite.
-
-11) Allow in-memory circular buffer for system log.
-
-12) Add ":T" qualifier in tcrules.
-
-13) Log start/restart/restore failures.
-
-Changes in 3.3.5
-
-1)  Restore default route when there are no 'balance' providers.
-
-2)  Fixes to change 1.
-
-3)  Many changed to improve the readability, appearance and effeciency
-    of the generated script.
-
-4)  Turn off POLICY_MATCH if no IPSEC.
-
-5)  Only compile traffic shaping once.
-
-6)  Move config file documentary comments to a separate file.
-
-7)  Fix whitespace in LOGFORMAT.
-
-8)  Move DNAT/REDIRECT code to lib.base.
-
-9)  Implement -c option to [re]load command.
-
-10) Don't create ingress qdisc if IN-BANDWIDTH = 0.
-
-11) Return success if start of running config.
-
-12) Add Makefile especially for /usr/share/shorewall/configfiles/
-
-13) Add man pages.
-
-Changes in 3.3.4
-
-1)  Make exclusion work with "show zones"
-
-2)  Add 'show ip' and 'show routing' commands.
-
-3)  Add COMBINE_JUMPS option.
-
-4)  Add an output chain for each interface.
-
-5)  Rename COMBINE_JUMPS to OPTIMIZE and make its value numeric.
-
-6)  Suppress superfluous wildcard rules under OPTIMIZE > 0.
-
-7)  Support ip ranges in the drop, logdrop, reject, and allow commands.
-
-8)  Add lib.cli.
-
-9)  Attempt to undo routing changes.
-
-Changes in 3.3.3
-
-1)  Fix excluding in SUBNET column.
-
-2)  Add logical AND and OR support for tcrules.
-
-3)  Make the maximum zone name length dependent on LOGFORMAT.
-
-4)  Clear provider marks in POSTROUTING when HIGH_ROUTE_MARKS=Yes.
-
-5)  Add COMMENT support.
-
-6)  Add macro.RDP.
-
-7)  Add maclog extension file.
-
-8)  Rename SUBNET column in the masq file.
-
-9)  Allow exclusion in /etc/shorewall/hosts.
-
-10) Eliminate extra jumps to policy chains
-
-Changes in 3.3.1
-
-1)  Load the proxyarp lib when 'proxyarp' option is specified.
-
-2)  Implement default action/macros at the individual policy level.
-
-3)  Add logfile name to output of "shorewall show log" and "shorewall
-    logwatch".
-
-
+Changes in 3.9.2

+1)  Implement '-C {shell|perl}'.

+2)  Implement LOCKFILE
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@ -300,7 +300,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 mutex_on()
 {
    local try=0
-    local lockf=${VARDIR}/lock
+    local lockf=${LOCKFILE:=${VARDIR}/lock}

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@ -331,7 +331,7 @@ mutex_on()
 #
 mutex_off()
 {
-    rm -f ${VARDIR}/lock
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

 #
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@ -1691,6 +1691,7 @@ do_initialize() {
    #CONFIG_PATH is inherited
    RESTOREFILE=
    IPSECFILE=
+    LOCKFILE=
    #
    # Default Actions/Macros
    #
@ -2039,6 +2040,10 @@ do_initialize() {
 	    startup_error "Invalid OPTIMIZE value ($OPTIMIZE)"
 	    ;;
    esac
+
+    if [ -n "$LOCKFILE" ]; then
+	[ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist"
+    fi
    #
    # Check out the user's shell
    #
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -24,6 +24,16 @@ Problems corrected in Shorewall 3.9.2
 2)  The params file was being copied into the generated script
    independent of the setting of EXPORTPARAMS. 

+Other changes in Shorewall 3.9.2
+
+1)  A LOCKFILE option has been added to shorewall.conf. This file is
+    used to serialize updates to the active firewall configuration.
+
+    If not specified, the defaults are:
+
+       Shorewall - /var/lib/shorewall/lock
+       Shorewall Lite - /var/lib/shorewall-lite/lock
+
 Migration Considerations:

 1)  You cannot simply upgrade your existing Shorewall package. You must
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@ -79,6 +79,8 @@ RESTOREFILE=

 IPSECFILE=zones

+LOCKFILE=
+
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -26,6 +26,7 @@ package Shorewall::Config;
 use strict;
 use warnings;
 use Shorewall::Common;
+use File::Basename;

 our @ISA = qw(Exporter);
 our @EXPORT = qw(
@ -100,6 +101,7 @@ our %config =
 		CONFIG_PATH => undef,
 		RESTOREFILE => undef,
 		IPSECFILE => undef,
+		LOCKFILE => undef,
 		#
 		# Default Actions/Macros
 		#
@ -153,7 +155,7 @@ our %config =
 #
 # Config options and global settings that are to be copied to object
 #
-my @propagateconfig = qw/ CLEAR_TC DISABLE_IPV6 ADMINISABSENTMINDED IP_FORWARDING MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK/;
+my @propagateconfig = qw/ CLEAR_TC DISABLE_IPV6 ADMINISABSENTMINDED IP_FORWARDING MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE/;
 my @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;

 #
@ -910,6 +912,20 @@ sub get_configuration( $ ) {
 	$globals{LOGFORMAT}='Shorewall:%s:%s:';
 	$globals{MAXZONENAMELENGTH} = 5;
    }
+
+    if ( $config{LOCKFILE} ) {
+	my ( $file, $dir, $suffix );
+
+	eval {
+	    ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
+	};
+
+	die $@ if $@;
+
+	fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless -d $dir;
+    } else {
+	$config{LOCKFILE} = '';
+    }
 }

 sub propagateconfig() {
@ -974,7 +990,7 @@ sub generate_aux_config() {

    emit join ( '', "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version ", $globals{VERSION}, ' - ' , localtime , "\n#" );

-    for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
+    for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
 	conditionally_add_option $option;
    }

--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@ -5079,6 +5079,7 @@ __EOF__
    cat >&3 << __EOF__
    VERSION="$VERSION"
    SUBSYSLOCK="$SUBSYSLOCK"
+    LOCKFILE="$LOCKFILE"
    PATH="$PATH"
    TERMINATOR=fatal_error

@ -5600,7 +5601,7 @@ __EOF__
 # Shorewall auxiliary configuration file created by Shorewall version $VERSION - $(date)
 #
 __EOF__
-	    for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS; do
+	    for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE LOCKFILE SAVE_IPSETS; do
 		conditionally_add_option $option
 	    done