Merge branch 'master' of ssh://gitlab.com/shorewall/code

Merge remaining requests to the 5.2.9 path
2024-11-23 08:03:11 +01:00 · 2024-04-15 20:06:34 -07:00 · 2024-04-15 20:06:34 -07:00 · fba5847fa3
commit fba5847fa3
parent c94c3c5720 2673e6e60c
10 changed files with 72 additions and 36 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755

 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+#
+# Install stop_service
+#
+if [ -n "${STOPSERVICEFILE}" ]; then
+    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
+
+    echo
+    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
+fi

 #
 # Install the libraries
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
+STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.
--- a/Shorewall-core/stop_service.debian
+++ b/Shorewall-core/stop_service.debian
@ -0,0 +1,19 @@
+#!/bin/sh
+
+PRODUCT=$1
+
+. /etc/default/${PRODUCT}
+
+if [ "$SAFESTOP" = 1 ]; then
+  COMMAND=stop
+else
+  COMMAND=clear
+fi
+
+if [ "${PRODUCT}" = shorewall6 ]; then
+  EXEC="/sbin/shorewall -6"
+else
+  EXEC="/sbin/${PRODUCT}"
+fi
+
+exec ${EXEC} ${OPTIONS} ${COMMAND}
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -1533,7 +1533,7 @@ sub qt1( $ ) {
 }

 #
-# Delete the test chains
+# Delete the test chains and IP sets
 #
 sub cleanup_iptables() {
    qt1( "$iptables $iptablesw -F $sillyname" );
@ -1556,6 +1556,12 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }

+    my $ipset  = $config{IPSET} || 'ipset';
+    $ipset = which( $ipset ) unless $ipset =~ '/';
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+    }
+
    $sillyname = $sillyname1 = '';
 }

@ -1600,7 +1606,7 @@ sub cleanup() {
    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
    #
-    # Delete temporary chains
+    # Delete temporary chains and IP sets
    #
    cleanup_iptables if $sillyname;
 }
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@ -381,36 +381,33 @@ uptodate() {
    [ -x $1 ] || return 1

    local dir
-    local busybox
    local find
+    local quit
+    local maxdepth

    find=$(mywhich find)

    [ -n "${find}" ] || return 1
-    [ -h "${find}" ] && busybox=Yes
-    find="${find} -L"
+
+    if [ -h "${find}" ]; then
+	#
+	# 'Find' is provided by Busybox and doesn't support -quit.
+	#
+        quit=
+    else
+        quit=-quit
+    fi
+
+    if [ "$AUTOMAKE" = recursive ]; then
+	maxdepth=
+    elif [ -z "$AUTOMAKE" ]; then
+	maxdepth="-maxdepth 1"
+    else
+	maxdepth="-maxdepth $AUTOMAKE"
+    fi

    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-	if [ -n "${busybox}" ]; then
-	    #
-	    # Busybox 'find' doesn't support -quit.
-	    #
-	    if [ $AUTOMAKE = recursive ]; then
-		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
-		    return 1;
-		fi
-	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
-		return 1;
-	    fi
-	elif [ "$AUTOMAKE" = recursive ]; then
-	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -z "$AUTOMAKE" ]; then
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
+	if [ -n "$(${find} -L ${dir} ${maxdepth} -newer $1 -print ${quit})" ]; then
 	    return 1;
 	fi
    done
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload

 [Install]
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@ -18,7 +18,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -206,12 +206,12 @@
  <section>
    <title>systemd</title>

-    <para>As with SysV init described in the preceeding section, the behavior
-    of systemctl commands differ from the Shorewall CLI commands on
-    Debian-based systems. To make systemctl stop shorewall[-lite] and
-    systemctl restart shorewall[-lite] behave like shorewall stop and
-    shorewall restart, use this workaround provided by J Cliff
-    Armstrong:</para>
+    <para>As with SysV init described in the preceeding section, the behavior of
+    systemctl commands differ from the Shorewall CLI commands on Debian-based
+    systems. In versions of Shorewall before 5.2.9, to make <command>systemctl
+    stop shorewall</command> and <command>systemctl restart shorewall</command>
+    behave like <command>shorewall stop</command> and <command>shorewall
+    restart</command>, use this workaround provided by J Cliff Armstrong:</para>

    <para> Type (as root):</para>

@ -231,10 +231,14 @@ ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>

    <para>to activate the changes. This change will survive future updates of
    the shorewall package from apt repositories. The override file itself will
-    be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
+    be saved to <filename>/etc/systemd/system/shorewall.service.d/</filename>.</para>

    <para>The same workaround may be applied to the other Shorewall products
    (excluding Shorewall Init).</para>
+
+    <para>From Shorewall 5.2.9 onwards, the systemd service files have been
+    updated to execute a shell script that obeys the SAFESTOP setting to stop
+    the firewall, and the workaround is no longer necessary.</para>
  </section>

  <section id="Trace">