From f5fef4526adc3a3b0732d2797fdd927d0372c5b4 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 26 Jul 2006 22:15:28 +0000 Subject: [PATCH] Merge shorewall.conf handling changes into development path git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4282 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-lite/changelog.txt | 3 ++ Shorewall-lite/shorewall-lite | 2 + Shorewall-lite/shorewall.conf | 40 +++++++++---------- Shorewall/changelog.txt | 3 ++ Shorewall/compiler | 24 ++++++++++-- Shorewall/shorewall | 4 +- docs/CompiledPrograms.xml | 73 +++++++++++++++++------------------ 7 files changed, 86 insertions(+), 63 deletions(-) diff --git a/Shorewall-lite/changelog.txt b/Shorewall-lite/changelog.txt index d8f01b5de..d701012c4 100644 --- a/Shorewall-lite/changelog.txt +++ b/Shorewall-lite/changelog.txt @@ -7,3 +7,6 @@ Changes in 3.3.0 3) Fixed modules/xmodules snafu. 4) Fix comments in shorewall-lite. + +5) Merge shorewall.conf handling changes. + diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 141a57f97..02cab9f1a 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -1203,6 +1203,8 @@ else exit 2 fi +[ -n "${LITEDIR}" -a -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf + ensure_config_path export CONFIG_PATH diff --git a/Shorewall-lite/shorewall.conf b/Shorewall-lite/shorewall.conf index 252de29f4..5f4b4057f 100644 --- a/Shorewall-lite/shorewall.conf +++ b/Shorewall-lite/shorewall.conf 
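Review bot: In the Shorewall-lite/shorewall-lite hunk (-1203,6), the added line sources `${LITEDIR}/firewall.conf` into a program that runs as root, with `${LITEDIR}` unquoted in both the `-f` test and the `.` command and the two tests joined by the ambiguous `-a`. A quoted form avoids both problems: `[ -n "${LITEDIR}" ] && [ -f "${LITEDIR}/firewall.conf" ] && . "${LITEDIR}/firewall.conf"`. The `:=` defaults the compiler writes only fill in variables that are unset or empty, so this line has to run after shorewall.conf has been read. The preceding `else … exit 2 fi` looks like the tail of that block, but it starts outside the hunk, so a comment such as `# Must follow shorewall.conf: firewall.conf only fills in values left empty there` would pin the ordering. Because the file is executed as root, the install notes should also state the ownership and mode it is expected to have.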
@@ -9,6 +9,12 @@ # (c) 2006 - Tom Eastep (teastep@shorewall.net) # ############################################################################### +# N 0 T E +############################################################################### +# Entries in this file override entries in the shorewall.conf file in the +# configuration directory when the firewall script was compiled. Any variable +# not set here assumes the value defined at firewall compilation time. +############################################################################### # V E R B O S I T Y ############################################################################### # @@ -21,9 +27,7 @@ # 1 -- Major progress messages displayed # 2 -- All progress messages displayed (old default behavior) # -# If not specified, then 2 is assumed - -VERBOSITY=1 +VERBOSITY= ############################################################################### # L O G G I N G @@ -32,8 +36,7 @@ VERBOSITY=1 # LOG FILE LOCATION # # This variable tells the /sbin/shorewall-lite program where to look for Shorewall -# Lite log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. +# Lite log messages. # # WARNING: The LOGFILE variable simply tells the 'shorewall-lite' program where # to look for Shorewall messages.It does NOT control the destination for @@ -42,7 +45,7 @@ VERBOSITY=1 # http://www.shorewall.net/shorewall_logging.html # -LOGFILE=/var/log/messages +LOGFILE= # # LOG FORMAT @@ -64,9 +67,6 @@ LOGFILE=/var/log/messages # # LOGFORMAT="fp=%s:%d a=%s " # -# If not specified or specified as empty (LOGFORMAT="") then the value -# "Shorewall:%s:%s:" is assumed. -# # CAUTION: /sbin/shorewall-lite uses the leading part of the LOGFORMAT string # (up to but not including the first '%') to find log messages in the 'show log', # 'status' and 'hits' commands. This part should not be omitted (the 
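Review bot: The banner added in the -9,6 hunk reads `N 0 T E` with a digit zero, and its text refers to "the shorewall.conf file in the configuration directory" although docs/CompiledPrograms.xml in this same commit renames that directory to "export directory". Suggested wording: `# Entries in this file override the shorewall.conf settings from the export directory that were in effect when the firewall script was compiled.` The later hunks in this file delete every "if not specified … is assumed" sentence, so this banner is now the only place a reader learns where an empty value is filled in. Naming the file that supplies it (`firewall.conf` under LITEDIR, per the shorewall-lite change) would make that traceable.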
@@ -75,7 +75,7 @@ LOGFILE=/var/log/messages # messages. # -LOGFORMAT="Shorewall:%s:%s:" +LOGFORMAT= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S @@ -83,9 +83,7 @@ LOGFORMAT="Shorewall:%s:%s:" # # IPTABLES # -# Full path to iptables executable Shorewall uses to build the firewall. If -# not specified or if specified with an empty value (e.g., IPTABLES="") then -# the iptables executable located via the PATH setting below is used. +# Full path to iptables executable Shorewall uses to build the firewall. # IPTABLES= @@ -95,7 +93,7 @@ IPTABLES= # searches directories for executable files. # -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +PATH= # # SHELL @@ -104,7 +102,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # the shell used to interpret that script, specify the shell here. # -SHOREWALL_SHELL=/bin/sh +SHOREWALL_SHELL= # SUBSYSTEM LOCK FILE # @@ -113,7 +111,7 @@ SHOREWALL_SHELL=/bin/sh # don't use lock files, set this to "". # -SUBSYSLOCK=/var/lock/subsys/shorewall-lite +SUBSYSLOCK= # RESTORE SCRIPT # @@ -126,11 +124,13 @@ SUBSYSLOCK=/var/lock/subsys/shorewall-lite # Failure of shorewall-lite start or shorewall-lite restart # # The value of the option must be the name of an executable file in the -# directory /var/lib/shorewall-lite. If this option is not set or if it -# is set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is -# assumed. +# directory /var/lib/shorewall-lite. # -RESTOREFILE=restore +RESTOREFILE= + +# +# Include the settings derived from the configuration on the administrative system +# #LAST LINE -- DO NOT REMOVE diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 329182c74..98e4c0cf9 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
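Review bot: `PATH=` in the -95,7 hunk makes this file assign the empty string to PATH, and shells commonly resolve an empty PATH as the current directory. If firewall.conf is absent (the shorewall-lite change in this commit skips it silently when the `-f` test fails), a root process would then look up commands relative to its working directory. A fallback placed after the include in shorewall-lite, e.g. `[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin`, restores the value this hunk removes; `SHOREWALL_SHELL=` and `RESTOREFILE=` have the same gap in milder form. Separately, the comment added in the -126,11 hunk ("Include the settings derived from…") is followed by no statement, so it should be dropped or reworded to say that the include happens in /sbin/shorewall-lite.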
@@ -12,6 +12,9 @@ Changes in 3.3.0 6) Correct handling of CONFIG_PATH when EXPORT=Yes. +7) Merge shorewall.conf handling changes. + + diff --git a/Shorewall/compiler b/Shorewall/compiler index 44da7e9fa..a6ff19410 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -7769,8 +7769,6 @@ stop_firewall() { *) set +x - [ -n "\${RESTOREFILE:=restore}" ] - RESTOREPATH=\${VARDIR}/\$RESTOREFILE if [ -x \$RESTOREPATH ]; then @@ -8249,6 +8247,7 @@ __EOF__ cat >&3 << __EOF__ [ -n "\${COMMAND:=restart}" ] [ -n "\${VERBOSE:=0}" ] + [ -n "\${RESTOREFILE:=$RESTOREFILE}" ] MODULESDIR="$MODULESDIR" MODULE_SUFFIX="$MODULE_SUFFIX" LOGLIMIT="$LOGLIMIT" @@ -8267,7 +8266,6 @@ __EOF__ fi cat >&3 << __EOF__ - RESTOREFILE="$RESTOREFILE" VERSION="$VERSION" SUBSYSLOCK="$SUBSYSLOCK" PATH="$PATH" @@ -8482,6 +8480,25 @@ __EOF__ INDENT= cat $(find_file prog.header) $OUTPUT $(find_file prog.footer) > $outfile chmod 700 $outfile + if [ -n "$EXPORT" ]; then + exec 3>${outfile}.conf + cat >&3 << __EOF__ +# +# Shorewall auxillary configuration file created by Shorewall version $VERSION - $(date) +# +[ -n "\${VERBOSITY:=$VERBOSITY}" ] +[ -n "\${LOGFILE:=$LOGFILE}" ] +[ -n "\${LOGFORMAT:=$LOGFORMAT}" ] +[ -n "\${IPTABLES:=$IPTABLES}" ] +[ -n "\${PATH:=$PATH}" ] +[ -n "\${SHOREWALL_SHELL:=$SHOREWALL_SHELL}" ] +[ -n "\${LOGFILE:=$LOGFILE}" ] +[ -n "\${SUBSYSLOCK:=$SUBSYSLOCK}" ] +[ -n "\${RESTOREFILE:=$RESTOREFILE}" ] +__EOF__ + exec 3>&- + fi + progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)" rm -f $OUTPUT fi @@ -8861,6 +8878,7 @@ do_initialize() { fi [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" + [ -n "${RESTOREFILE:=restore}" ] # # Strip the files that we use often diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 587e860cd..481ede948 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
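Review bot: With `[ -n "\${RESTOREFILE:=$RESTOREFILE}" ]` added in the -8249,6 hunk and the hard assignment removed in -8267,7, the generated script now keeps whatever RESTOREFILE it inherits from its caller or from the lite shorewall.conf. stop_firewall (context of the -7769,8 hunk) turns that into `RESTOREPATH=\${VARDIR}/\$RESTOREFILE` and tests it with an unquoted `-x`, presumably before running it. A value containing `/` would point outside VARDIR, so the generated code could reject it up front, e.g. `case \$RESTOREFILE in */*) RESTOREFILE=restore ;; esac`, and quote `"\$RESTOREPATH"` in the test. Whether the value is validated elsewhere cannot be seen from these hunks; both the heredoc and stop_firewall continue outside them.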
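Review bot: The heredoc added in the -8482,6 hunk pastes compile-time values straight into `"\${VAR:=value}"` lines that the firewall later sources as root, so a value containing `"`, `$`, a backquote or `}` changes the code that runs instead of being treated as data; free-form LOGFORMAT is the likeliest case. Emitting each default as a single-quoted assignment with embedded quotes escaped, or rejecting such characters at compile time, would keep the file data-only. `[ -n "\${LOGFILE:=$LOGFILE}" ]` is written twice and one copy can go, and "auxillary" in the generated header should be "auxiliary". The script beside it gets `chmod 700 $outfile` while `${outfile}.conf` is left at the umask default; `chmod 600 ${outfile}.conf` after `exec 3>&-` would keep the pair consistent.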
@@ -1299,9 +1299,9 @@ restore_command() { # # [Re]load command executor # -reload_command() +reload_command()) # $1 = directory, $2 = system { - local verbose=$(make_verbose) + local verbose=$(make_verbose) file=$(resolve_file $1/firewall) [ -n "$LITEDIR" ] || { echo " ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; } diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index 13dda32c9..a29e367bd 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -204,10 +204,9 @@ - On the administrative system you create a separete - 'configuration directory' for each firewall system. You copy the - contents of /usr/share/shorewall/configfiles into each configuration - directory. + On the administrative system you create a separate 'export + directory' for each firewall system. You copy the contents of + /usr/share/shorewall/configfiles into each export directory. @@ -273,9 +272,9 @@ The value of CONFIG_PATH in the - shorewall.conf file in the configuration - directory is used to search for configuration files during - compilation of that configuration. + shorewall.conf file in the export directory + is used to search for configuration files during compilation of + that configuration. 
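Review bot: The added line `reload_command()) # $1 = directory, $2 = system` in the Shorewall/shorewall hunk has, as shown, a stray `)` after the function name. That is a shell syntax error and would stop /sbin/shorewall from parsing at all, so it should read `reload_command() # $1 = directory, $2 = system`. On the next changed line, `local verbose=$(make_verbose) file=$(resolve_file $1/firewall)` leaves `$1` unquoted and hides a resolve_file failure behind `local`'s own exit status. Declaring `local file` and then assigning `file=$(resolve_file "$1/firewall") || exit 2` on its own line would surface that failure, matching the `exit 2` used just below. The function body continues outside the hunk.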
@@ -295,23 +294,23 @@ - modify the files in the corresponding configuration - directory appropriately. It's a good idea to include the IP - address of the administrative system in the - routestopped file. + modify the files in the corresponding export directory + appropriately. It's a good idea to include the IP address of the + administrative system in the routestopped + file. It is important to understand that with Shorewall Lite, the - firewall's configuration directory on the administrative system - acts as /etc/shorewall for - that firewall. So when the Shorewall documentation gives - instructions for placing entries in files in the firewall's - /etc/shorewall, when using - Shorewall Lite you make those changes in the firewall's - configuration directory on the administrative system. + firewall's export directory on the administrative system acts as + /etc/shorewall for that + firewall. So when the Shorewall documentation gives instructions + for placing entries in files in the firewall's /etc/shorewall, when using Shorewall + Lite you make those changes in the firewall's export directory on + the administrative system. - cd <configuration directory> + cd <export directory> /sbin/shorewall load firewall The If you later need to change the firewall's configuration, change - the appropriate files in the firewall's configuration directory - then: + the appropriate files in the firewall's export directory then: - cd <configuration directory> + cd <export directory> /sbin/shorewall reload firewall The - On the administrative system, create a configuration directory - for the firewall system. + On the administrative system, create an export directory for + the firewall system. Copy the contents of /etc/shorewall/ from the firewall - system to the configuration directory on the administrative - system. + system to the export directory on the administrative system. 
@@ -439,10 +436,10 @@ administrative system in the firewall system's routestopped file. - Also, edit the shorewall.conf file in the firewall's - configuration directory and change the CONFIG_PATH setting to remove - /etc/shorewall. You can - replace it with Also, edit the shorewall.conf file in the firewall's export + directory and change the CONFIG_PATH setting to remove /etc/shorewall. You can replace it with + /usr/share/shorewall/configfiles if you like. @@ -459,13 +456,13 @@ Changing CONFIG_PATH will ensure that subsequent compilations - using the configuration directory will not include any files from - /etc/shorewall. + using the export directory will not include any files from /etc/shorewall. - After having made the above changes to the firewall's - configuration directory, execute the following commands: + After having made the above changes to the firewall's export + directory, execute the following commands: - cd <configuration directory> + cd <export directory> /sbin/shorewall load <firewall system> @@ -483,10 +480,10 @@ If you later need to change the firewall's configuration, - change the appropriate files in the firewall's configuration - directory then: + change the appropriate files in the firewall's export directory + then: - cd <configuration directory> + cd <export directory> /sbin/shorewall reload firewall The