Allow multiple saved configurations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1389 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -16,6 +16,14 @@ Changes since 2.0.2
 
 7) Correct reporting of installation directory in install.sh.
 
-8) Added the 'rejectNonSyn' standard built-in action.
+8) Load kernel modules before detecting capabilities.
 
-9) Merged Tuomo Soini's patch to the install script.
+9) Added the 'rejectNonSyn' standard built-in action.
+
+10) Merged Tuomo Soini's patch to the install script.
+
+11) Correct brain-cramp in module loading fix (8 above).
+
+12) Add 'key' to sample tunnel file.
+
+13) Allow multiple saved configurations.

Shorewall2/firewall

@@ -1248,9 +1248,12 @@ stop_firewall() {
 	    ;;
 	*)
 	    set +x
-	    if [ -f /var/lib/shorewall/restore ]; then
+
+	    [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
+	    
+	    if [ -f /var/lib/shorewall/$RESTOREFILE ]; then
 		echo Restoring Shorewall...
-		. /var/lib/shorewall/restore
+		. /var/lib/shorewall/$RESTOREFILE
 		echo Shorewall restored
 		my_mutex_off
 		kill $$
@@ -6052,6 +6055,8 @@ do_initialize() {
     # We load the kernel modules here to acurately determine 
     # capabilities when module autoloading isn't enabled.
     #
+
+    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
     load_kernel_modules
     determine_capabilities
 
@@ -6167,8 +6172,6 @@ do_initialize() {
     BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
     DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
 
-    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
-
     #
     # Strip the files that we use often
     #

Shorewall2/releasenotes.txt

@@ -28,6 +28,7 @@ Problems Corrected since 2.0.2
    capabilities will be misdetected.
 
 8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
 
@@ -38,15 +39,51 @@ Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
 -----------------------------------------------------------------------
 New Features:
 
-1) "!" is now allowed in accounting rules.
+1) Shorewall now supports multiple saved configurations.
 
-2) Interface names appearing within the configuration are now
+   a) The "save" command has been extended to be able to specify the
+      name of a saved configuration.
+
+	   shorewall save [ <file name> ]
+
+      The current state is saved to /var/lib/shorewall/<file name>. If
+      no <file name> is given, the configuration is saved to
+      /var/lib/shorewall/restore (current behavior).
+
+   b) The "restore" command has been extended to be able to specify 
+      the name of a saved configuration:
+
+	  shorewall restore [ <file name> ]
+
+      The firewall state is restored from /var/lib/shorewall/<file
+      name>. If no <file name> is given, the firewall state is
+      restored from /var/lib/shorewall/restore.
+
+   c) The "forget" command has changed. Previously, the command
+      unconditionally removed the /var/lib/shorewall/save file which
+      records the current dynamic blacklist. The "forget" command now
+      leaves that file alone.
+
+      Also, the "forget" command has been extended to be able to
+      specify the name of a saved configuration:
+
+	      shorewall forget [ <file name> ]
+
+      The file /var/lib/shorewall/<file name> is removed. If no <file
+      name> is given, the file /var/lib/shorewall/restore is removed.
+
+   d) The "shorewall -f start" command continues to restore the state
+      recorded in /var/lib/shorewall/restore.
+
+2) "!" is now allowed in accounting rules.
+
+3) Interface names appearing within the configuration are now
    verified. Interface names must match the name of an entry in
    /etc/shorewall/interfaces (or if bridging is enabled, they must
    match the name of an entry in /etc/shorewall/interfaces or the name
    of a bridge port appearing in /etc/shorewall/hosts).
 
-3) A new 'rejNonSyn' built-in standard action has been added. This
+4) A new 'rejNotSyn' built-in standard action has been added. This
    action responds to "New not SYN" packets with an RST.
 
    The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
@@ -84,7 +121,7 @@ New Features:
 
          dropNotSyn    net	  all	tcp
 
-4) Slackware users no longer have to modify the install.sh script
+5) Slackware users no longer have to modify the install.sh script
    before installation. Tuomo Soini has provided a change that allows
    the INIT and FIREWALL variables to be specified outside the script
    as in:
@@ -93,3 +130,4 @@ New Features:
 
 
  
+

Shorewall2/shorewall

@@ -963,7 +963,19 @@ case "$1" in
 	;;
     save)
     	[ -n "$debugging" ] && set -x
-	[ $# -ne 1 ] && usage 1
+
+	case $# in
+	1)
+	    RESTOREFILE=restore
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
 	mutex_on
 
 	if qt iptables -L shorewall -n; then
@@ -975,9 +987,9 @@ case "$1" in
 		    cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 		    if iptables-save >> /var/lib/shorewall/restore-$$ ; then
 			echo __EOF__ >> /var/lib/shorewall/restore-$$
-			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
+			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/$RESTOREFILE
-			chmod +x /var/lib/shorewall/restore
+			chmod +x /var/lib/shorewall/$RESTOREFILE
-			echo "   Currently-running Configuration Saved"
+			echo "   Currently-running Configuration Saved to /var/lib/shorewall/$RESTOREFILE"
                     else
 			rm -f /var/lib/shorewall/restore-$$
 			echo "   ERROR: Currently-running Configuration Not Saved"
@@ -992,9 +1004,22 @@ case "$1" in
 	mutex_off
 	;;
     forget)
-	rm -f /var/lib/shorewall/restore
+	case $# in
-	rm -f /var/lib/shorewall/save
+	1)
-	echo "   Previously saved information discarded"
+	    RESTOREFILE=restore
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+	if [ /var/lib/shorewall/$RESTOREFILE ]; then
+	    rm -f /var/lib/shorewall/$RESTOREFILE
+	    echo "    /var/lib/shorewall/$RESTOREFILE removed"
+	fi
 	;;
     ipcalc)
     	[ -n "$debugging" ] && set -x
@@ -1032,12 +1057,23 @@ case "$1" in
 	esac
 	;;
     restore)
-	if [ -f /var/lib/shorewall/restore ]; then
+	case $# in
+	1)
+	    RESTOREFILE=restore
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+	if [ -x /var/lib/shorewall/$RESTOREFILE ]; then
 	    echo Restoring Shorewall...
-	    . /var/lib/shorewall/restore
+	    /var/lib/shorewall/$RESTOREFILE && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
-            echo Shorewall restored
 	else
-	    echo "File /var/lib/shorewall/restore: file not found"
+	    echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
             exit 2
         fi
         ;;

Shorewall2/tunnel

@@ -59,6 +59,13 @@ gateway="x.x.x.x"
 
 subnet="192.168.9.0/24"
 
+# GRE Key -- set this to a number or to a dotted quad if you want
+#            a keyed GRE tunnel. You must specify a KEY if you
+#            intend to load ip_conntrack_proto_gre on either
+#            gateway system
+
+key=
+
 PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
 
 load_modules () {
@@ -101,7 +108,7 @@ do_start() {
 
       case $tunnel_type in
       gre)
-          ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
+          ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
 	  ;;
       *)
           ip tunnel add $tunnel mode ipip remote $gateway