Merge shorewall.conf handling changes into development path

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4282 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-07-26 22:15:28 +00:00
parent 220f3c41b0
commit f5fef4526a
7 changed files with 86 additions and 63 deletions


@ -7,3 +7,6 @@ Changes in 3.3.0
3) Fixed modules/xmodules snafu.
4) Fix comments in shorewall-lite.
5) Merge shorewall.conf handling changes.


@ -1203,6 +1203,8 @@ else
exit 2
fi
[ -n "${LITEDIR}" -a -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
ensure_config_path
export CONFIG_PATH
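Review bot: The line `[ -n "${LITEDIR}" -a -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf` runs firewall.conf as shell code with the caller's privileges, and nothing visible in the hunk checks who owns the file or whether others can write to it. `${LITEDIR}` is also unquoted in the `-f` test and in the `.` command, and `-a` inside `[ ]` is ambiguous; `[ -n "${LITEDIR}" ] && [ -f "${LITEDIR}/firewall.conf" ] && . "${LITEDIR}/firewall.conf"` avoids both. The +/- markers are lost on this page, so it is inferred that this is the added line, and the surrounding if/else starts outside the hunk.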


@ -9,6 +9,12 @@
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
###############################################################################
# N 0 T E
###############################################################################
# Entries in this file override entries in the shorewall.conf file in the
# configuration directory when the firewall script was compiled. Any variable
# not set here assumes the value defined at firewall compilation time.
###############################################################################
# V E R B O S I T Y
###############################################################################
#
@ -21,9 +27,7 @@
# 1 -- Major progress messages displayed
# 2 -- All progress messages displayed (old default behavior)
#
# If not specified, then 2 is assumed
VERBOSITY=1
VERBOSITY=
###############################################################################
# L O G G I N G
@ -32,8 +36,7 @@ VERBOSITY=1
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall-lite program where to look for Shorewall
# Lite log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
# Lite log messages.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall-lite' program where
# to look for Shorewall messages.It does NOT control the destination for
@ -42,7 +45,7 @@ VERBOSITY=1
# http://www.shorewall.net/shorewall_logging.html
#
LOGFILE=/var/log/messages
LOGFILE=
#
# LOG FORMAT
@ -64,9 +67,6 @@ LOGFILE=/var/log/messages
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall-lite uses the leading part of the LOGFORMAT string
# (up to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
@ -75,7 +75,7 @@ LOGFILE=/var/log/messages
# messages.
#
LOGFORMAT="Shorewall:%s:%s:"
LOGFORMAT=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
@ -83,9 +83,7 @@ LOGFORMAT="Shorewall:%s:%s:"
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
# Full path to iptables executable Shorewall uses to build the firewall.
#
IPTABLES=
@ -95,7 +93,7 @@ IPTABLES=
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH=
#
# SHELL
@ -104,7 +102,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh
SHOREWALL_SHELL=
# SUBSYSTEM LOCK FILE
#
@ -113,7 +111,7 @@ SHOREWALL_SHELL=/bin/sh
# don't use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall-lite
SUBSYSLOCK=
# RESTORE SCRIPT
#
@ -126,11 +124,13 @@ SUBSYSLOCK=/var/lock/subsys/shorewall-lite
# Failure of shorewall-lite start or shorewall-lite restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall-lite. If this option is not set or if it
# is set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
# directory /var/lib/shorewall-lite.
#
RESTOREFILE=restore
RESTOREFILE=
#
# Include the settings derived from the configuration on the administrative system
#
#LAST LINE -- DO NOT REMOVE
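Review bot: `PATH=` now ships empty in a file that is sourced as shell, so until something refills it command lookup either fails or, in shells that treat a zero-length PATH as the current directory, resolves from the working directory. If the generated firewall.conf is what restores it through its `:=` default for PATH, the comment above `PATH=` should say so, and the two files should be sourced back to back. Separately, the SUBSYSLOCK comment still says to set the variable to "" when lock files are not used, but an empty value now appears to mean "take the compile-time value", so that sentence is stale. A line such as `# Leave empty to use the value set when the firewall script was compiled.` would match the new N O T E header.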


@ -12,6 +12,9 @@ Changes in 3.3.0
6) Correct handling of CONFIG_PATH when EXPORT=Yes.
7) Merge shorewall.conf handling changes.


@ -7769,8 +7769,6 @@ stop_firewall() {
*)
set +x
[ -n "\${RESTOREFILE:=restore}" ]
RESTOREPATH=\${VARDIR}/\$RESTOREFILE
if [ -x \$RESTOREPATH ]; then
@ -8249,6 +8247,7 @@ __EOF__
cat >&3 << __EOF__
[ -n "\${COMMAND:=restart}" ]
[ -n "\${VERBOSE:=0}" ]
[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
MODULESDIR="$MODULESDIR"
MODULE_SUFFIX="$MODULE_SUFFIX"
LOGLIMIT="$LOGLIMIT"
@ -8267,7 +8266,6 @@ __EOF__
fi
cat >&3 << __EOF__
RESTOREFILE="$RESTOREFILE"
VERSION="$VERSION"
SUBSYSLOCK="$SUBSYSLOCK"
PATH="$PATH"
@ -8482,6 +8480,25 @@ __EOF__
INDENT=
cat $(find_file prog.header) $OUTPUT $(find_file prog.footer) > $outfile
chmod 700 $outfile
if [ -n "$EXPORT" ]; then
exec 3>${outfile}.conf
cat >&3 << __EOF__
#
# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date)
#
[ -n "\${VERBOSITY:=$VERBOSITY}" ]
[ -n "\${LOGFILE:=$LOGFILE}" ]
[ -n "\${LOGFORMAT:=$LOGFORMAT}" ]
[ -n "\${IPTABLES:=$IPTABLES}" ]
[ -n "\${PATH:=$PATH}" ]
[ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ]
[ -n "\${LOGFILE:=$LOGFILE}" ]
[ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ]
[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]
__EOF__
exec 3>&-
fi
progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)"
rm -f $OUTPUT
fi
@ -8861,6 +8878,7 @@ do_initialize() {
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
[ -n "${RESTOREFILE:=restore}" ]
#
# Strip the files that we use often
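Review bot: In the `if [ -n "$EXPORT" ]` block, `${outfile}.conf` is created through `exec 3>${outfile}.conf` with whatever mode the umask allows, while the script beside it gets `chmod 700 $outfile`. Since the .conf file is presumably what shorewall-lite later sources, it deserves the same care, for example `chmod 600 ${outfile}.conf` right after `exec 3>&-`. The settings are also pasted unescaped into `[ -n "\${LOGFORMAT:=$LOGFORMAT}" ]` and its siblings, so a value containing `"`, `}`, `$` or a backquote changes what the file does when it is sourced; validating or escaping the values before writing them would close that gap. `LOGFILE` is emitted twice in the list, which looks like a copy-paste slip. The enclosing function starts and ends outside the hunk.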


@ -1299,9 +1299,9 @@ restore_command() {
#
# [Re]load command executor
#
reload_command()
reload_command()) # $1 = directory, $2 = system
{
local verbose=$(make_verbose)
local verbose=$(make_verbose) file=$(resolve_file $1/firewall)
[ -n "$LITEDIR" ] || { echo " ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; }
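Review bot: `reload_command()) # $1 = directory, $2 = system` has a stray second `)` and will not parse, assuming this is the new side of the pair (the +/- markers are lost on this page). It should read `reload_command() # $1 = directory, $2 = system`. In the next changed line, `$1` is unquoted in `file=$(resolve_file $1/firewall)`, so a directory name with spaces or glob characters is split before resolve_file sees it; `file=$(resolve_file "$1/firewall")` fixes that. The function body continues outside the hunk.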


@ -204,10 +204,9 @@
</listitem>
<listitem>
<para>On the administrative system you create a separete
'configuration directory' for each firewall system. You copy the
contents of /usr/share/shorewall/configfiles into each configuration
directory.</para>
<para>On the administrative system you create a separate 'export
directory' for each firewall system. You copy the contents of
/usr/share/shorewall/configfiles into each export directory.</para>
</listitem>
<listitem>
@ -273,9 +272,9 @@
<listitem>
<para>The value of CONFIG_PATH in the
<filename>shorewall.conf</filename> file in the configuration
directory is used to search for configuration files during
compilation of that configuration.</para>
<filename>shorewall.conf</filename> file in the export directory
is used to search for configuration files during compilation of
that configuration.</para>
</listitem>
<listitem>
@ -295,23 +294,23 @@
<orderedlist>
<listitem>
<para>modify the files in the corresponding configuration
directory appropriately. It's a good idea to include the IP
address of the administrative system in the
<filename>routestopped</filename> file.</para>
<para>modify the files in the corresponding export directory
appropriately. It's a good idea to include the IP address of the
administrative system in the <filename>routestopped</filename>
file.</para>
<para>It is important to understand that with Shorewall Lite, the
firewall's configuration directory on the administrative system
acts as <filename class="directory">/etc/shorewall</filename> for
that firewall. So when the Shorewall documentation gives
instructions for placing entries in files in the firewall's
<filename class="directory">/etc/shorewall</filename>, when using
Shorewall Lite you make those changes in the firewall's
configuration directory on the administrative system.</para>
firewall's export directory on the administrative system acts as
<filename class="directory">/etc/shorewall</filename> for that
firewall. So when the Shorewall documentation gives instructions
for placing entries in files in the firewall's <filename
class="directory">/etc/shorewall</filename>, when using Shorewall
Lite you make those changes in the firewall's export directory on
the administrative system.</para>
</listitem>
<listitem>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load firewall</command></programlisting>
<para>The <ulink
@ -330,10 +329,9 @@
<listitem>
<para>If you later need to change the firewall's configuration, change
the appropriate files in the firewall's configuration directory
then:</para>
the appropriate files in the firewall's export directory then:</para>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall reload firewall</command></programlisting>
<para>The <ulink
@ -391,15 +389,14 @@
<orderedlist numeration="loweralpha">
<listitem>
<para>On the administrative system, create a configuration directory
for the firewall system.</para>
<para>On the administrative system, create an export directory for
the firewall system.</para>
</listitem>
<listitem>
<para>Copy the contents of <filename
class="directory">/etc/shorewall/</filename> from the firewall
system to the configuration directory on the administrative
system.</para>
system to the export directory on the administrative system.</para>
</listitem>
<listitem>
@ -439,10 +436,10 @@
administrative system in the firewall system's
<filename>routestopped</filename> file.</para>
<para>Also, edit the shorewall.conf file in the firewall's
configuration directory and change the CONFIG_PATH setting to remove
<filename class="directory">/etc/shorewall</filename>. You can
replace it with <filename
<para>Also, edit the shorewall.conf file in the firewall's export
directory and change the CONFIG_PATH setting to remove <filename
class="directory">/etc/shorewall</filename>. You can replace it with
<filename
class="directory">/usr/share/shorewall/configfiles</filename> if you
like.</para>
@ -459,13 +456,13 @@
</blockquote>
<para>Changing CONFIG_PATH will ensure that subsequent compilations
using the configuration directory will not include any files from
<filename class="directory">/etc/shorewall</filename>.</para>
using the export directory will not include any files from <filename
class="directory">/etc/shorewall</filename>.</para>
<para>After having made the above changes to the firewall's
configuration directory, execute the following commands:</para>
<para>After having made the above changes to the firewall's export
directory, execute the following commands:</para>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load &lt;firewall system&gt;</command>
</programlisting>
@ -483,10 +480,10 @@
<listitem>
<para>If you later need to change the firewall's configuration,
change the appropriate files in the firewall's configuration
directory then:</para>
change the appropriate files in the firewall's export directory
then:</para>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall reload firewall</command></programlisting>
<para>The <ulink