Merge shorewall.conf handling changes into development path
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4282 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
220f3c41b0
commit
f5fef4526a
@ -7,3 +7,6 @@ Changes in 3.3.0
|
||||
3) Fixed modules/xmodules snafu.
|
||||
|
||||
4) Fix comments in shorewall-lite.
|
||||
|
||||
5) Merge shorewall.conf handling changes.
|
||||
|
||||
|
@ -1203,6 +1203,8 @@ else
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -n "${LITEDIR}" -a -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
|
||||
|
||||
ensure_config_path
|
||||
export CONFIG_PATH
|
||||
|
||||
|
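Review bot: On the line `[ -n "${LITEDIR}" -a -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf` the `-f` operand and the `.` argument leave `${LITEDIR}` unquoted, so a value containing whitespace or glob characters is word-split before the file is tested and sourced, and `-a` inside `[` is the deprecated, ambiguous form. I would write it as `[ -n "${LITEDIR}" ] && [ -f "${LITEDIR}/firewall.conf" ] && . "${LITEDIR}/firewall.conf"`. Because the file is read with `.`, it is executed as shell in the calling process; a one-line comment such as `# firewall.conf is the compiler-generated sidecar; it is sourced, so it must be trusted like the script itself` would make that explicit for the next reader. Whether this line is added by the commit or is context cannot be told from the rendered hunk, but it is on the new side either way.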
@ -9,6 +9,12 @@
|
||||
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
###############################################################################
|
||||
# N 0 T E
|
||||
###############################################################################
|
||||
# Entries in this file override entries in the shorewall.conf file in the
|
||||
# configuration directory when the firewall script was compiled. Any variable
|
||||
# not set here assumes the value defined at firewall compilation time.
|
||||
###############################################################################
|
||||
# V E R B O S I T Y
|
||||
###############################################################################
|
||||
#
|
||||
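Review bot: The banner `# N 0 T E` spells NOTE with a digit zero; it should read `# N O T E`. The note's closing sentence, `# not set here assumes the value defined at firewall compilation time.`, is narrower than the mechanism that implements it: the compiler hunk further down emits `[ -n "\${VAR:=compiled}" ]` lines into the generated `.conf`, and `:=` treats an empty value like an unset one, so a variable set to the empty string in this file (as the new `VERBOSITY=`, `LOGFILE=`, `LOGFORMAT=`, `IPTABLES=`, `PATH=`, `SHOREWALL_SHELL=`, `SUBSYSLOCK=` and `RESTOREFILE=` defaults are) also falls back to the compile-time value. Suggest `# Any variable not set here, or set to an empty value, assumes the value defined at firewall compilation time.` The same clarification covers the per-variable hunks below that drop the old "If not specified ... is assumed" text without saying what an empty setting now means.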
@ -21,9 +27,7 @@
|
||||
# 1 -- Major progress messages displayed
|
||||
# 2 -- All progress messages displayed (old default behavior)
|
||||
#
|
||||
# If not specified, then 2 is assumed
|
||||
|
||||
VERBOSITY=1
|
||||
VERBOSITY=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
@ -32,8 +36,7 @@ VERBOSITY=1
|
||||
# LOG FILE LOCATION
|
||||
#
|
||||
# This variable tells the /sbin/shorewall-lite program where to look for Shorewall
|
||||
# Lite log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
# Lite log messages.
|
||||
#
|
||||
# WARNING: The LOGFILE variable simply tells the 'shorewall-lite' program where
|
||||
# to look for Shorewall messages.It does NOT control the destination for
|
||||
@ -42,7 +45,7 @@ VERBOSITY=1
|
||||
# http://www.shorewall.net/shorewall_logging.html
|
||||
#
|
||||
|
||||
LOGFILE=/var/log/messages
|
||||
LOGFILE=
|
||||
|
||||
#
|
||||
# LOG FORMAT
|
||||
@ -64,9 +67,6 @@ LOGFILE=/var/log/messages
|
||||
#
|
||||
# LOGFORMAT="fp=%s:%d a=%s "
|
||||
#
|
||||
# If not specified or specified as empty (LOGFORMAT="") then the value
|
||||
# "Shorewall:%s:%s:" is assumed.
|
||||
#
|
||||
# CAUTION: /sbin/shorewall-lite uses the leading part of the LOGFORMAT string
|
||||
# (up to but not including the first '%') to find log messages in the 'show log',
|
||||
# 'status' and 'hits' commands. This part should not be omitted (the
|
||||
@ -75,7 +75,7 @@ LOGFILE=/var/log/messages
|
||||
# messages.
|
||||
#
|
||||
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
LOGFORMAT=
|
||||
|
||||
###############################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
@ -83,9 +83,7 @@ LOGFORMAT="Shorewall:%s:%s:"
|
||||
#
|
||||
# IPTABLES
|
||||
#
|
||||
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||
# the iptables executable located via the PATH setting below is used.
|
||||
# Full path to iptables executable Shorewall uses to build the firewall.
|
||||
#
|
||||
|
||||
IPTABLES=
|
||||
@ -95,7 +93,7 @@ IPTABLES=
|
||||
# searches directories for executable files.
|
||||
#
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
PATH=
|
||||
|
||||
#
|
||||
# SHELL
|
||||
@ -104,7 +102,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
# the shell used to interpret that script, specify the shell here.
|
||||
#
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
SHOREWALL_SHELL=
|
||||
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
@ -113,7 +111,7 @@ SHOREWALL_SHELL=/bin/sh
|
||||
# don't use lock files, set this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall-lite
|
||||
SUBSYSLOCK=
|
||||
|
||||
# RESTORE SCRIPT
|
||||
#
|
||||
@ -126,11 +124,13 @@ SUBSYSLOCK=/var/lock/subsys/shorewall-lite
|
||||
# Failure of shorewall-lite start or shorewall-lite restart
|
||||
#
|
||||
# The value of the option must be the name of an executable file in the
|
||||
# directory /var/lib/shorewall-lite. If this option is not set or if it
|
||||
# is set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
|
||||
# assumed.
|
||||
# directory /var/lib/shorewall-lite.
|
||||
#
|
||||
|
||||
RESTOREFILE=restore
|
||||
RESTOREFILE=
|
||||
|
||||
#
|
||||
# Include the settings derived from the configuration on the administrative system
|
||||
#
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -12,6 +12,9 @@ Changes in 3.3.0
|
||||
|
||||
6) Correct handling of CONFIG_PATH when EXPORT=Yes.
|
||||
|
||||
7) Merge shorewall.conf handling changes.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -7769,8 +7769,6 @@ stop_firewall() {
|
||||
*)
|
||||
set +x
|
||||
|
||||
[ -n "\${RESTOREFILE:=restore}" ]
|
||||
|
||||
RESTOREPATH=\${VARDIR}/\$RESTOREFILE
|
||||
|
||||
if [ -x \$RESTOREPATH ]; then
|
||||
@ -8249,6 +8247,7 @@ __EOF__
|
||||
cat >&3 << __EOF__
|
||||
[ -n "\${COMMAND:=restart}" ]
|
||||
[ -n "\${VERBOSE:=0}" ]
|
||||
[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
|
||||
MODULESDIR="$MODULESDIR"
|
||||
MODULE_SUFFIX="$MODULE_SUFFIX"
|
||||
LOGLIMIT="$LOGLIMIT"
|
||||
@ -8267,7 +8266,6 @@ __EOF__
|
||||
fi
|
||||
|
||||
cat >&3 << __EOF__
|
||||
RESTOREFILE="$RESTOREFILE"
|
||||
VERSION="$VERSION"
|
||||
SUBSYSLOCK="$SUBSYSLOCK"
|
||||
PATH="$PATH"
|
||||
@ -8482,6 +8480,25 @@ __EOF__
|
||||
INDENT=
|
||||
cat $(find_file prog.header) $OUTPUT $(find_file prog.footer) > $outfile
|
||||
chmod 700 $outfile
|
||||
if [ -n "$EXPORT" ]; then
|
||||
exec 3>${outfile}.conf
|
||||
cat >&3 << __EOF__
|
||||
#
|
||||
# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date)
|
||||
#
|
||||
[ -n "\${VERBOSITY:=$VERBOSITY}" ]
|
||||
[ -n "\${LOGFILE:=$LOGFILE}" ]
|
||||
[ -n "\${LOGFORMAT:=$LOGFORMAT}" ]
|
||||
[ -n "\${IPTABLES:=$IPTABLES}" ]
|
||||
[ -n "\${PATH:=$PATH}" ]
|
||||
[ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ]
|
||||
[ -n "\${LOGFILE:=$LOGFILE}" ]
|
||||
[ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ]
|
||||
[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
|
||||
__EOF__
|
||||
exec 3>&-
|
||||
fi
|
||||
|
||||
progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)"
|
||||
rm -f $OUTPUT
|
||||
fi
|
||||
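Review bot: `[ -n "\${LOGFILE:=$LOGFILE}" ]` is written into the generated file twice, once after the VERBOSITY line and again after SHOREWALL_SHELL; the second occurrence is redundant and should be dropped. The sidecar is opened with `exec 3>${outfile}.conf` under the process umask, whereas the script itself gets `chmod 700 $outfile` two lines earlier; since shorewall-lite sources this file with `.`, it should get a matching restrictive mode, e.g. `chmod 600 ${outfile}.conf` right after `exec 3>&-`. The compiled values are interpolated into double-quoted `${VAR:=...}` expressions, so a shorewall.conf value containing `"`, `$` or a backslash would yield a malformed or differently evaluated line; presumably these values are validated earlier in the compiler, but a comment stating that assumption at the top of the heredoc would help. `$outfile` is also unquoted in the `exec` redirection, unlike nowhere else in this hunk where it is at least consistently unquoted.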
@ -8861,6 +8878,7 @@ do_initialize() {
|
||||
fi
|
||||
|
||||
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
||||
[ -n "${RESTOREFILE:=restore}" ]
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
|
@ -1299,9 +1299,9 @@ restore_command() {
|
||||
#
|
||||
# [Re]load command executor
|
||||
#
|
||||
reload_command()
|
||||
reload_command()) # $1 = directory, $2 = system
|
||||
{
|
||||
local verbose=$(make_verbose)
|
||||
local verbose=$(make_verbose) file=$(resolve_file $1/firewall)
|
||||
|
||||
[ -n "$LITEDIR" ] || { echo " ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; }
|
||||
|
||||
|
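Review bot: The function header that appears to be the new version reads `reload_command()) # $1 = directory, $2 = system` with an extra closing parenthesis; if that character is in the file rather than a rendering artifact it is a syntax error that stops the whole script from parsing, and the line should be `reload_command() # $1 = directory, $2 = system`. On the next line, `local verbose=$(make_verbose) file=$(resolve_file $1/firewall)` passes `$1` unquoted and folds the command substitutions into `local`, so a failing `resolve_file` returns status 0 from the declaration; `local verbose file; verbose=$(make_verbose); file=$(resolve_file "$1/firewall")` keeps the status visible. The remainder of reload_command lies outside this hunk, so I cannot see how `file` is used.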
@ -204,10 +204,9 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>On the administrative system you create a separete
|
||||
'configuration directory' for each firewall system. You copy the
|
||||
contents of /usr/share/shorewall/configfiles into each configuration
|
||||
directory.</para>
|
||||
<para>On the administrative system you create a separate 'export
|
||||
directory' for each firewall system. You copy the contents of
|
||||
/usr/share/shorewall/configfiles into each export directory.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -273,9 +272,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>The value of CONFIG_PATH in the
|
||||
<filename>shorewall.conf</filename> file in the configuration
|
||||
directory is used to search for configuration files during
|
||||
compilation of that configuration.</para>
|
||||
<filename>shorewall.conf</filename> file in the export directory
|
||||
is used to search for configuration files during compilation of
|
||||
that configuration.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -295,23 +294,23 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>modify the files in the corresponding configuration
|
||||
directory appropriately. It's a good idea to include the IP
|
||||
address of the administrative system in the
|
||||
<filename>routestopped</filename> file.</para>
|
||||
<para>modify the files in the corresponding export directory
|
||||
appropriately. It's a good idea to include the IP address of the
|
||||
administrative system in the <filename>routestopped</filename>
|
||||
file.</para>
|
||||
|
||||
<para>It is important to understand that with Shorewall Lite, the
|
||||
firewall's configuration directory on the administrative system
|
||||
acts as <filename class="directory">/etc/shorewall</filename> for
|
||||
that firewall. So when the Shorewall documentation gives
|
||||
instructions for placing entries in files in the firewall's
|
||||
<filename class="directory">/etc/shorewall</filename>, when using
|
||||
Shorewall Lite you make those changes in the firewall's
|
||||
configuration directory on the administrative system.</para>
|
||||
firewall's export directory on the administrative system acts as
|
||||
<filename class="directory">/etc/shorewall</filename> for that
|
||||
firewall. So when the Shorewall documentation gives instructions
|
||||
for placing entries in files in the firewall's <filename
|
||||
class="directory">/etc/shorewall</filename>, when using Shorewall
|
||||
Lite you make those changes in the firewall's export directory on
|
||||
the administrative system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<programlisting><command>cd <configuration directory></command>
|
||||
<programlisting><command>cd <export directory></command>
|
||||
<command>/sbin/shorewall load firewall</command></programlisting>
|
||||
|
||||
<para>The <ulink
|
||||
@ -330,10 +329,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>If you later need to change the firewall's configuration, change
|
||||
the appropriate files in the firewall's configuration directory
|
||||
then:</para>
|
||||
the appropriate files in the firewall's export directory then:</para>
|
||||
|
||||
<programlisting><command>cd <configuration directory></command>
|
||||
<programlisting><command>cd <export directory></command>
|
||||
<command>/sbin/shorewall reload firewall</command></programlisting>
|
||||
|
||||
<para>The <ulink
|
||||
@ -391,15 +389,14 @@
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>On the administrative system, create a configuration directory
|
||||
for the firewall system.</para>
|
||||
<para>On the administrative system, create an export directory for
|
||||
the firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Copy the contents of <filename
|
||||
class="directory">/etc/shorewall/</filename> from the firewall
|
||||
system to the configuration directory on the administrative
|
||||
system.</para>
|
||||
system to the export directory on the administrative system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -439,10 +436,10 @@
|
||||
administrative system in the firewall system's
|
||||
<filename>routestopped</filename> file.</para>
|
||||
|
||||
<para>Also, edit the shorewall.conf file in the firewall's
|
||||
configuration directory and change the CONFIG_PATH setting to remove
|
||||
<filename class="directory">/etc/shorewall</filename>. You can
|
||||
replace it with <filename
|
||||
<para>Also, edit the shorewall.conf file in the firewall's export
|
||||
directory and change the CONFIG_PATH setting to remove <filename
|
||||
class="directory">/etc/shorewall</filename>. You can replace it with
|
||||
<filename
|
||||
class="directory">/usr/share/shorewall/configfiles</filename> if you
|
||||
like.</para>
|
||||
|
||||
@ -459,13 +456,13 @@
|
||||
</blockquote>
|
||||
|
||||
<para>Changing CONFIG_PATH will ensure that subsequent compilations
|
||||
using the configuration directory will not include any files from
|
||||
<filename class="directory">/etc/shorewall</filename>.</para>
|
||||
using the export directory will not include any files from <filename
|
||||
class="directory">/etc/shorewall</filename>.</para>
|
||||
|
||||
<para>After having made the above changes to the firewall's
|
||||
configuration directory, execute the following commands:</para>
|
||||
<para>After having made the above changes to the firewall's export
|
||||
directory, execute the following commands:</para>
|
||||
|
||||
<programlisting><command>cd <configuration directory></command>
|
||||
<programlisting><command>cd <export directory></command>
|
||||
<command>/sbin/shorewall load <firewall system></command>
|
||||
</programlisting>
|
||||
|
||||
@ -483,10 +480,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>If you later need to change the firewall's configuration,
|
||||
change the appropriate files in the firewall's configuration
|
||||
directory then:</para>
|
||||
change the appropriate files in the firewall's export directory
|
||||
then:</para>
|
||||
|
||||
<programlisting><command>cd <configuration directory></command>
|
||||
<programlisting><command>cd <export directory></command>
|
||||
<command>/sbin/shorewall reload firewall</command></programlisting>
|
||||
|
||||
<para>The <ulink
|
||||
|