diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index fae8207a9..7cba20408 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1251,10 +1251,10 @@ stop_firewall() {
 [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
- if [ -f /var/lib/shorewall/$RESTOREFILE ]; then
+ if [ -x /var/lib/shorewall/$RESTOREFILE ]; then
 echo Restoring Shorewall...
- . /var/lib/shorewall/$RESTOREFILE
- echo Shorewall restored
+ /var/lib/shorewall/$RESTOREFILE
+ echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
 my_mutex_off
 kill $$
 exit 2
diff --git a/Shorewall2/help b/Shorewall2/help
index af39ec8e7..09e61e179 100644
--- a/Shorewall2/help
+++ b/Shorewall2/help
@@ -117,9 +117,9 @@ drop)
 ;;
 forget)
- echo "forget: forget
- Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
- files are created by the 'shorewall save' command
+ echo "forget: forget [ ]
+ Deletes /var/lib/shorewall/. If no is given then
+ the file specified by RESTOREFILE in shorewall.conf is removed.
 See also \"help save\""
 ;;
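Review bot: The exit status of the restore script is discarded in stop_firewall: `/var/lib/shorewall/$RESTOREFILE` is followed unconditionally by the "Shorewall restored" message, `my_mutex_off`, `kill $$` and `exit 2`, so a script that fails part-way through reloading the ruleset still reports success and the firewall is left in whatever partial state it reached. Sourcing the file had the same gap, but now that it runs as a separate process the status is one check away: wrap the call as `if /var/lib/shorewall/$RESTOREFILE; then … fi` so the success message and the `exit 2` only run when it returned 0, and on failure print `   ERROR: restore from /var/lib/shorewall/$RESTOREFILE failed` to stderr and fall through to the normal stop that follows. The same status is ignored on the `-f start` path in Shorewall2/shorewall (hunk at line 740), where `date > $STATEDIR/restarted` and the restored message also run regardless of the outcome. The body of stop_firewall continues outside this hunk.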
@@ -194,18 +194,22 @@ restart) ;; restore) - echo "restore: restore - Restore Shorewall to its last state saved using the 'save' command - Existing connections are maintained. + echo "restore: restore [ ] + Restore Shorewall to a state saved using the 'save' command + Existing connections are maintained. The names a restore file in + /var/lib/shorewall created using "shorewall save"; if no is given + then Shorewall will be restored from the file specified by the RESTOREFILE + option in shorewall.conf. See also \"help save\" and \"help forget\"" ;; save) - echo "save: save + echo "save: save [ ] The dynamic data is stored in /var/lib/shorewall/save. The state of the - firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' - and 'shorewall -f start' commands. + firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' + and 'shorewall -f start' commands. If is not given then the state is saved + in the file specified by the RESTOREFILE option in shorewall.conf. Shorewall allow, drop, rejct and save implement dynamic blacklisting. @@ -240,8 +244,9 @@ start) Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings - If \"-f\" is specified, the last saved configuraton if any will be restored" + If \"-q\" is specified, less detail is displayed making it easier to spot warnings + If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option + in shorewall.conf will be restored if that saved configuration exists" ;; stop) diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index e08b0436c..ae27947a5 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -76,14 +76,17 @@ # listed address(es) # shorewall allow
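Review bot: The inner quotes in `created using "shorewall save"; if no` are not escaped, unlike `\"help save\"` and `\"help forget\"` on the same echo: the first `"` closes the string, `shorewall` becomes a separate word, and the second `"` reopens it, so the printed help loses the quote characters and gains a stray space around the phrase. Write `created using \"shorewall save\"; if no` to match the rest of the hunk. The `save)` text in the same hunk is fine.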
... Reenable address(es) previously # disabled with "drop" or "reject" -# shorewall save Save the list of "rejected" and +# shorewall save [ ] Save the list of "rejected" and # "dropped" addresses so that it will # be automatically reinstated the # next time that Shorewall starts. # Save the current state so that 'shorewall # restore' can be used. # -# shorewall forget Discard the data saved by 'shorewall save' +# shorewall forget [ ] Discard the data saved by 'shorewall save' +# +# shorewall restore [ ] Restore the state of the firewall from +# previously saved information. # # shorewall ipaddr [
/ |
] # @@ -165,6 +168,8 @@ get_config() { fi fi + [ -n "$RESTOREFILE" ] || RESTOREFILE=restore + } # @@ -535,7 +540,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] [ -f ] " echo "where is one of:" echo " add [:] " echo " allow
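Review bot: get_config only supplies the default and does not check that RESTOREFILE is a plain file name, yet the value is interpolated unquoted into `/var/lib/shorewall/$RESTOREFILE` and executed by the `-f start` path (hunk at line 740), by `restore`, and by stop_firewall in Shorewall2/firewall. shorewall.conf describes the value as the name of an executable file in /var/lib/shorewall, so a value containing `/`, `..` or whitespace would select a file outside that directory or break the `[ -x ]` test rather than being reported; the config file and command line are trusted input here, so this is hardening against misconfiguration rather than a privilege boundary. Rejecting it once in get_config covers every caller: `case $RESTOREFILE in */*|.|..|*[[:space:]]*) echo "   ERROR: RESTOREFILE must be a plain file name in /var/lib/shorewall" >&2; exit 2;; esac`. The `RESTOREFILE="$2"` assignments in the save, forget and restore arms (hunks at lines 969, 1010 and 1065) take the name from the command line after get_config has run and would need the same check. get_config begins outside this hunk.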
..." @@ -543,7 +548,7 @@ usage() # $1 = exit status echo " clear" echo " delete [:] " echo " drop
..." - echo " forget" + echo " forget [ ]" echo " help [ | host | address ]" echo " hits" echo " ipcalc [
/ |
]" @@ -554,8 +559,8 @@ usage() # $1 = exit status echo " reject
..." echo " reset" echo " restart" - echo " restore" - echo " save" + echo " restore [ ]" + echo " save [ ]" echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" echo " start" echo " stop" @@ -735,11 +740,11 @@ case "$1" in [ $# -ne 1 ] && usage 1 get_config if [ -n "$FAST" ]; then - if [ -f /var/lib/shorewall/restore ]; then + if [ -x /var/lib/shorewall/$RESTOREFILE ]; then echo Restoring Shorewall... - . /var/lib/shorewall/restore + /var/lib/shorewall/$RESTOREFILE date > $STATEDIR/restarted - echo Shorewall restored + echo Shorewall restored from /var/lib/shorewall/$RESTOREFILE else exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi @@ -964,9 +969,10 @@ case "$1" in save) [ -n "$debugging" ] && set -x + get_config + case $# in 1) - RESTOREFILE=restore ;; 2) RESTOREFILE="$2" @@ -1004,9 +1010,9 @@ case "$1" in mutex_off ;; forget) + get_config case $# in 1) - RESTOREFILE=restore ;; 2) RESTOREFILE="$2" @@ -1016,9 +1022,11 @@ case "$1" in ;; esac - if [ /var/lib/shorewall/$RESTOREFILE ]; then + if [ -x /var/lib/shorewall/$RESTOREFILE ]; then rm -f /var/lib/shorewall/$RESTOREFILE echo " /var/lib/shorewall/$RESTOREFILE removed" + elif [ -f /var/lib/shorewall/$RESTOREFILE ]; then + echo " ERROR: /var/lib/shorewall/$RESTOREFILE is not a restore script" fi ;; ipcalc) @@ -1057,9 +1065,9 @@ case "$1" in esac ;; restore) + get_config case $# in 1) - RESTOREFILE=restore ;; 2) RESTOREFILE="$2" diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index e99a0e4ba..9dd047999 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf 
@@ -258,6 +258,22 @@ MODULESDIR= # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + +# +# RESTORE SCRIPT +# +# This option determines the script to be run in the following cases: +# +# shorewall -f start +# shorewall restore +# Failure of shorewall start or shorewall restart +# +# The value of the option must be the name of an executable file in the +# directory /var/lib/shorewall. If this option is not set or if it is +# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is +# assumed. + +RESTOREFILE= ################################################################################ # F I R E W A L L O P T I O N S ################################################################################
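Review bot: The new RESTOREFILE comment says the value must name an executable file in /var/lib/shorewall but does not say it must be a bare file name, although the scripts build the path as `/var/lib/shorewall/$RESTOREFILE` and run it on the failure path of start/restart and on `-f start`. Add after the existing paragraph: `# The value is a file name only (no "/"); it is prefixed with` / `# /var/lib/shorewall/ and executed with the firewall's privileges,` / `# so the file should be writable only by root.` This keeps the documented contract in step with what the code expects.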