From 78f9b76dae8b0d8fbde51c1d4fe0cd1ac13a3d01 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 Jun 2012 11:47:58 -0700 Subject: [PATCH 1/6] Move mutex handling to the main program. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 3 --- Shorewall/Perl/prog.footer | 4 +++- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 15b3a47de..f88d121b3 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1236,8 +1236,6 @@ sub process_providers( $ ) { enable_provider() { g_interface=$1; - mutex_on - case $g_interface in EOF @@ -1273,7 +1271,6 @@ EOF ;; esac - mutex_off } # diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 0f1fbb004..4dde335b9 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -348,7 +348,9 @@ case "$COMMAND" in [ $# -eq 1 ] && exit 0 shift [ $# -ne 1 ] && usage 2 - updown $1 + mutex_on + ( updown $1 ) + mutex_off status=0 ;; enable) From fe5d89b243a96c5ea90fdc02c83e559582cb3d38 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 Jun 2012 11:56:48 -0700 Subject: [PATCH 2/6] Install the ifupdown script in if-down.d rather than if-post-down.d on Debian Signed-off-by: Tom Eastep --- Shorewall-init/install.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 4a026c468..9fae4244f 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -312,7 +312,7 @@ fi if [ $HOST = debian ]; then if [ -n "${DESTDIR}" ]; then mkdir -p ${DESTDIR}/etc/network/if-up.d/ - mkdir -p ${DESTDIR}/etc/network/if-post-down.d/ + mkdir -p ${DESTDIR}/etc/network/if-down.d/ fi if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then 
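Review bot: In the prog.footer hunk the lock is released only if the parent shell reaches `mutex_off`, so a signal delivered while `( updown $1 )` is running could leave the mutex held for the next caller, assuming mutex_on takes a persistent lock as its name suggests. Installing a handler right after `mutex_on`, for example `trap 'mutex_off' INT TERM`, would cover that path. The Providers.pm hunks of the same patch drop the lock from enable_provider itself, and the `enable)` branch begins at the edge of this hunk, so whether direct enable calls are still serialized is not visible here and should be confirmed. The argument should also be quoted, `( updown "$1" )`.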
@@ -359,8 +359,9 @@ fi case $HOST in debian) + rm -f ${DESTDIR}/etc/network/if-post-down.d/shorewall install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544 - install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544 + install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544 ;; suse) if [ -z "$RPM" ]; then From c823b0e41eb3f70159c7006ada709aa55c71b712 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 Jun 2012 14:01:58 -0700 Subject: [PATCH 3/6] More Shorewall-init fixes Signed-off-by: Tom Eastep --- Shorewall-init/ifupdown.sh | 6 ----- Shorewall/Perl/Shorewall/Providers.pm | 32 ++++++++++++++++----------- Shorewall/Perl/Shorewall/Zones.pm | 17 ++++++++++++++ 3 files changed, 36 insertions(+), 19 deletions(-) diff --git a/Shorewall-init/ifupdown.sh b/Shorewall-init/ifupdown.sh index 933dca20c..f58a41d09 100644 --- a/Shorewall-init/ifupdown.sh +++ b/Shorewall-init/ifupdown.sh @@ -106,12 +106,6 @@ if [ -f /etc/debian_version ]; then else exit 0 fi - - case "$PHASE" in - post-*) - exit 0 - ;; - esac ;; esac elif [ -f /etc/SuSE-release ]; then diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index f88d121b3..15d3cec67 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
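Review bot: The added `rm -f ${DESTDIR}/etc/network/if-post-down.d/shorewall` in the install.sh `debian)` arm expands `${DESTDIR}` unquoted, and an installer like this normally runs as root. A staging path containing whitespace or glob characters would be split, and the removal would then act on paths other than the intended one. Quote it, `rm -f "${DESTDIR}/etc/network/if-post-down.d/shorewall"`, and apply the same quoting to the two `install_file` targets in this hunk and the `mkdir -p` lines in the earlier install.sh hunk. The `case $HOST in` block continues past the end of the hunk.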
@@ -1539,19 +1539,25 @@ sub compile_updown() { } } - emit( "*)", - ' case $state in', - ' started)', - ' COMMAND=restart', - ' progress_message3 "$g_product attempting restart"', - ' detect_configuration', - ' define_firewall', - ' ;;', - ' *)', - ' progress_message3 "$COMMAND on interface $1 ignored"', - ' ;;', - ' esac', - ); + if ( my @plain_interfaces = all_plain_interfaces ) { + my $interfaces = join ( '|', map get_physical( $_ ), @plain_interfaces ); + + $interfaces =~ s/\+/*/g; + + emit( "$interfaces)", + ' case $state in', + ' started)', + ' COMMAND=restart', + ' progress_message3 "$g_product attempting restart"', + ' detect_configuration', + ' define_firewall', + ' ;;', + ' *)', + ' progress_message3 "$COMMAND on interface $1 ignored"', + ' ;;', + ' esac', + ); + } pop_indent; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 9eaedd5fe..188d91bed 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -62,6 +62,7 @@ our @EXPORT = qw( NOTHING validate_interfaces_file all_interfaces all_real_interfaces + all_plain_interfaces all_bridges interface_number find_interface @@ -72,6 +73,7 @@ our @EXPORT = qw( NOTHING port_to_bridge source_port_to_bridge interface_is_optional + interface_is_required find_interfaces_by_option find_interfaces_by_option1 get_interface_option @@ -1416,6 +1418,21 @@ sub interface_is_optional($) { $optionsref && $optionsref->{optional}; } +# +# Return the 'required' setting of the passed interface +# +sub interface_is_required($) { + my $optionsref = $interfaces{$_[0]}{options}; + $optionsref && $optionsref->{required}; +} + +# +# Return a list of real interfaces that are neither +# +sub all_plain_interfaces() { + grep ! ( $_ eq '%vserver%' || interface_is_optional($_) || interface_is_required($_) ), @interfaces; +} + # # Returns reference to array of interfaces with the passed option # From f7104b3d266ee50224b55ace6b7dc7362605242f Mon Sep 17 00:00:00 2001 
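Review bot: The generated `case` in compile_updown loses its catch-all here: the old `*)` arm is replaced by one that is emitted only when all_plain_interfaces returns something, so an up/down event for an interface matching no arm now passes through without a progress message. A final arm such as `*) progress_message3 "$COMMAND on interface $1 ignored" ;;` would keep those events visible, provided the preceding arm is terminated with `;;`, which this hunk does not show. The pattern string is built from `get_physical` output with only `+` translated to `*`. If interface names are not already restricted to shell-safe characters elsewhere (not visible here), other glob or shell metacharacters would reach the generated script unescaped. compile_updown starts and ends outside the hunk.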
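Review bot: The header comment on all_plain_interfaces in the last Zones.pm hunk is cut off mid-sentence (`Return a list of real interfaces that are neither`), which leaves the filter undocumented at the one place a reader will look. Going by the grep, it should read `# Return a list of interfaces that are neither optional nor required, excluding the '%vserver%' pseudo-interface`. Separately, `$interfaces{$_[0]}{options}` in interface_is_required autovivifies a `%interfaces` entry when the sub is called with an unknown name. Adding `return unless exists $interfaces{$_[0]};` as its first statement avoids that, which matters more now that the sub is exported.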
From: Tom Eastep Date: Fri, 1 Jun 2012 15:54:03 -0700 Subject: [PATCH 4/6] Add LOGFILE option to Shorewall-init configuration. Signed-off-by: Tom Eastep --- Shorewall-init/ifupdown.sh | 4 +++- Shorewall-init/sysconfig | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Shorewall-init/ifupdown.sh b/Shorewall-init/ifupdown.sh index f58a41d09..049251377 100644 --- a/Shorewall-init/ifupdown.sh +++ b/Shorewall-init/ifupdown.sh @@ -180,9 +180,11 @@ else esac fi +[ -n "$LOGFILE" ] || LOGFILE=/dev/null + for PRODUCT in $PRODUCTS; do if [ -x $VARDIR/$PRODUCT/firewall ]; then - ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE ) || true + ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true fi done diff --git a/Shorewall-init/sysconfig b/Shorewall-init/sysconfig index ed9627e86..24530f2d0 100644 --- a/Shorewall-init/sysconfig +++ b/Shorewall-init/sysconfig @@ -16,3 +16,8 @@ IFUPDOWN=0 # during 'start' and will save them there during 'stop'. # SAVE_IPSETS="" +# +# Where Up/Down events get logged +# +LOGFILE=/var/log/shorewall-updown.log + From 73274b9b0b6f2fd1f96c63bc00ba35741a2bcf24 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 Jun 2012 15:55:22 -0700 Subject: [PATCH 5/6] Correct progress message Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 15d3cec67..23a754429 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1451,7 +1451,7 @@ sub compile_updown() { q( detect_configuration), q( define_firewall), q(else), - q( progress_message3 "\$COMMAND on interface $1 ignored") , + q( progress_message3 "$COMMAND on interface $1 ignored") , q(fi) , q(;;) ); From b3316d755abcb18f63b17cbdcd29a45823f59709 Mon Sep 17 00:00:00 2001 
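Review bot: The redirection target in `>> $LOGFILE 2>&1` (ifupdown.sh hunk) is unquoted, so a LOGFILE value containing whitespace can make the redirect fail under bash. Because `|| true` sits on the same line, the firewall call would then be skipped with no trace. Write it as `>> "$LOGFILE" 2>&1`. The hook presumably runs as root and appends to whatever path the sysconfig file names, so the setting should stay in a root-owned directory such as the `/var/log/shorewall-updown.log` default added in the sysconfig hunk. The file is created with the hook's umask, and nothing in this change rotates it.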
From: Tom Eastep Date: Fri, 1 Jun 2012 17:14:08 -0700 Subject: [PATCH 6/6] Correct silly typo in Providers.pm Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 23a754429..542bc9605 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1445,7 +1445,7 @@ sub compile_updown() { q( disable_provider $1) , q( fi) , q(elif [ "$COMMAND" = up ]; then) , - q( echo 0 > \${VARDIR}/${1}.state) , + q( echo 0 > ${VARDIR}/${1}.status) , q( COMMAND=start), q( progress_message3 "$g_product attempting start") , q( detect_configuration),
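Review bot: The emitted line `echo 0 > ${VARDIR}/${1}.status` writes to a path built from the script's first argument without quoting, and nothing in this hunk shows `$1` being limited to a plain interface name before it is used as a file name. Quoting the target, `q( echo 0 > "${VARDIR}/${1}.status") ,`, removes the word-splitting case. If the enclosing generated arm can be reached through a wildcard pattern, confirm that values containing `/` are rejected before the write. compile_updown's body extends beyond the hunk on both sides.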