Make all references to directories indirect
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4033 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1605f6d9bd
commit
6f073f6cfd
@ -40,6 +40,10 @@
|
||||
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
|
||||
# VERBOSE Standard Shorewall verbosity control.
|
||||
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
|
||||
# Fatal error -- stops the compiler after issuing the error message
|
||||
#
|
||||
fatal_error() # $* = Error Message
|
||||
@ -783,11 +787,11 @@ match_dest_hosts()
|
||||
|
||||
#
|
||||
# Similarly, the source or destination in a rule can be qualified by a device name. If
|
||||
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
|
||||
# the device is defined in ${CONFDIR}/interfaces then a normal interface match is
|
||||
# generated (-i or -o); otherwise, a physdev match is generated.
|
||||
#-------------------------------------------------------------------------------------
|
||||
#
|
||||
# loosely match the passed interface with those in /etc/shorewall/interfaces.
|
||||
# loosely match the passed interface with those in ${CONFDIR}/interfaces.
|
||||
#
|
||||
known_interface() # $1 = interface name
|
||||
{
|
||||
@ -1466,7 +1470,7 @@ validate_hosts_file() {
|
||||
case $host in
|
||||
*:*)
|
||||
known_interface ${host%:*} && \
|
||||
fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
|
||||
check_bridge_port ${host%%:*}
|
||||
;;
|
||||
*.*.*)
|
||||
@ -1476,7 +1480,7 @@ validate_hosts_file() {
|
||||
;;
|
||||
*)
|
||||
known_interface $host && \
|
||||
fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
|
||||
check_bridge_port $host
|
||||
;;
|
||||
esac
|
||||
@ -2692,13 +2696,13 @@ setup_syn_flood_chains()
|
||||
#
|
||||
delete_proxy_arp() {
|
||||
indent >&3 << __EOF__
|
||||
if [ -f /var/lib/shorewall/proxyarp ]; then
|
||||
if [ -f \${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i \$external -d \$address pub
|
||||
[ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface
|
||||
done < /var/lib/shorewall/proxyarp
|
||||
done < \${VARDIR}/proxyarp
|
||||
|
||||
rm -f {/var/lib/shorewall}/nat
|
||||
rm -f ${VARDIR}/nat
|
||||
fi
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
@ -2800,12 +2804,12 @@ delete_nat() {
|
||||
|
||||
indent >&3 << __EOF__
|
||||
|
||||
if [ -f /var/lib/shorewall/nat ]; then
|
||||
if [ -f \${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
ip_addr_del \$external \$interface
|
||||
done < /var/lib/shorewall/nat
|
||||
done < \${VARDIR}/nat
|
||||
|
||||
rm -f {/var/lib/shorewall}/nat
|
||||
rm -f \${VARDIR}/nat
|
||||
fi
|
||||
|
||||
__EOF__
|
||||
@ -3689,7 +3693,7 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
}
|
||||
|
||||
#
|
||||
# Append a file in /var/lib/shorewall to $OUTPUT
|
||||
# Append a file in ${VARDIR} to $OUTPUT
|
||||
#
|
||||
append_action_file() # $1 = File Name
|
||||
{
|
||||
@ -3987,8 +3991,8 @@ merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest f
|
||||
#
|
||||
# The next three functions implement the three phases of action processing.
|
||||
#
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
|
||||
# and /etc/shorewall/actions are scanned (in that order) and for each action:
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
|
||||
# and ${CONFDIR}/actions are scanned (in that order) and for each action:
|
||||
#
|
||||
# a) The related action definition file is located and scanned.
|
||||
# b) Forward and unresolved action references are trapped as errors.
|
||||
@ -4018,7 +4022,7 @@ process_actions1() {
|
||||
|
||||
strip_file actions
|
||||
|
||||
strip_file actions.std /usr/share/shorewall/actions.std
|
||||
strip_file actions.std ${SHAREDIR}/actions.std
|
||||
|
||||
for inputfile in actions.std actions; do
|
||||
while read xaction rest; do
|
||||
@ -4486,7 +4490,7 @@ add_nat_rule() {
|
||||
# Parse SNAT address if any
|
||||
|
||||
if [ "$addr" != "${addr%:*}" ]; then
|
||||
fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead"
|
||||
fatal_error "SNAT may no longer be specified in a DNAT rule; use ${CONFDIR}/masq instead"
|
||||
fi
|
||||
|
||||
# Set original destination address
|
||||
@ -6908,7 +6912,7 @@ initialize_netfilter () {
|
||||
|
||||
indent >&3 << __EOF__
|
||||
|
||||
if [ -f /var/lib/shorewall/save ]; then
|
||||
if [ -f \${VARDIR}/save ]; then
|
||||
progress_message2 "Setting up dynamic rules..."
|
||||
while read target ignore1 ignore2 address rest; do
|
||||
case \$target in
|
||||
@ -6916,7 +6920,7 @@ if [ -f /var/lib/shorewall/save ]; then
|
||||
run_iptables -A dynamic -s \$address -j \$target
|
||||
;;
|
||||
esac
|
||||
done < /var/lib/shorewall/save
|
||||
done < \${VARDIR}/save
|
||||
fi
|
||||
__EOF__
|
||||
|
||||
@ -7785,12 +7789,12 @@ stop_firewall() {
|
||||
\$IPTABLES -t nat -F
|
||||
\$IPTABLES -t nat -X
|
||||
|
||||
if [ -f /var/lib/shorewall/nat ]; then
|
||||
if [ -f \${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
ip_addr_del \$external dev \$interface
|
||||
done < /var/lib/shorewall/nat
|
||||
done < \${VARDIR}/nat
|
||||
|
||||
rm -f /var/lib/shorewall/nat
|
||||
rm -f \${VARDIR}/nat
|
||||
fi
|
||||
}
|
||||
|
||||
@ -7802,7 +7806,7 @@ stop_firewall() {
|
||||
|
||||
[ -n "\${RESTOREFILE:=restore}" ]
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE
|
||||
RESTOREPATH=\${VARDIR}/\$RESTOREFILE
|
||||
|
||||
if [ -x \$RESTOREPATH ]; then
|
||||
|
||||
@ -7874,11 +7878,11 @@ __EOF__
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -f /var/lib/shorewall/proxyarp ]; then
|
||||
if [ -f \${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i \$external -d \$address pub
|
||||
[ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface
|
||||
done < /var/lib/shorewall/proxyarp
|
||||
done < \${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
@ -8081,9 +8085,23 @@ compile_firewall() # $1 = File Name
|
||||
#
|
||||
__EOF__
|
||||
|
||||
if [ -n "$EXPORT" ]; then
|
||||
cat >&3 << __EOF__
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
__EOF__
|
||||
else
|
||||
cat >&3 << __EOF__
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
__EOF__
|
||||
fi
|
||||
|
||||
cat >&3 << __EOF__
|
||||
|
||||
. /usr/share/shorewall/functions
|
||||
. \${SHAREDIR}/functions
|
||||
__EOF__
|
||||
|
||||
compile_stop_firewall
|
||||
@ -8211,11 +8229,11 @@ __EOF__
|
||||
INDENT=" "
|
||||
|
||||
cat >&3 << __EOF__
|
||||
if [ ! -f /usr/share/shorewall/version ]; then
|
||||
if [ ! -f \${SHAREDIR}/version ]; then
|
||||
fatal_error "This script requires Shorewall or Shorewall Lite which do not appear to be installed on this system"
|
||||
fi
|
||||
|
||||
local version=\$(cat /usr/share/shorewall/version)
|
||||
local version=\$(cat \${SHAREDIR}/version)
|
||||
|
||||
if [ \${LIBVERSION:-0} -lt 30191 ]; then
|
||||
fatal_error "This script requires Shorewall [Lite] version 3.2.0-Beta7 or later; current version is \$version"
|
||||
@ -8275,9 +8293,9 @@ __EOF__
|
||||
|
||||
STOPPING=
|
||||
#
|
||||
# The library requires that /var/lib/shorewall exist
|
||||
# The library requires that ${VARDIR} exist
|
||||
#
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
[ -d \${VARDIR} ] || mkdir -p \${VARDIR}
|
||||
|
||||
}
|
||||
|
||||
@ -8378,7 +8396,7 @@ __EOF__
|
||||
fi
|
||||
|
||||
for file in chains nat proxyarp zones; do
|
||||
save_command "cat > /var/lib/shorewall/$file $LEFTSHIFT __EOF__"
|
||||
save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__"
|
||||
cat $STATEDIR/$file >&3
|
||||
save_command_unindented __EOF__
|
||||
done
|
||||
@ -8390,7 +8408,7 @@ __EOF__
|
||||
fi
|
||||
|
||||
__EOF__
|
||||
save_command "date > /var/lib/shorewall/restarted"
|
||||
save_command "date > \${VARDIR}/restarted"
|
||||
|
||||
append_file start
|
||||
|
||||
@ -8404,7 +8422,7 @@ __EOF__
|
||||
|
||||
cat >&3 << __EOF__
|
||||
|
||||
cp -f \$(my_pathname) /var/lib/shorewall/.restore
|
||||
cp -f \$(my_pathname) \${VARDIR}/.restore
|
||||
|
||||
case \$COMMAND in
|
||||
start)
|
||||
@ -8425,7 +8443,7 @@ __EOF__
|
||||
#
|
||||
restore_firewall()
|
||||
{
|
||||
iptables_save_file=/var/lib/shorewall/\$(basename \$0)-iptables
|
||||
iptables_save_file=\${VARDIR}/\$(basename \$0)-iptables
|
||||
|
||||
fatal_error()
|
||||
{
|
||||
@ -8565,7 +8583,7 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
SHARED_DIR=${SHAREDIR}
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
LOGFORMAT=
|
||||
@ -8905,7 +8923,7 @@ case "$COMMAND" in
|
||||
|
||||
call)
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/compiler directly
|
||||
# Undocumented way to call functions in ${SHAREDIR}/compiler directly
|
||||
#
|
||||
shift
|
||||
do_initialize
|
||||
|
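Review bot: In delete_proxy_arp's generated heredoc the new line `rm -f ${VARDIR}/nat` leaves `${VARDIR}` unescaped while the neighbouring lines in the same unquoted heredoc write `\${VARDIR}/proxyarp`, so this one path is expanded by the compiler instead of by the generated script; for the indirection to hold at run time it should read `rm -f \${VARDIR}/nat`, matching `rm -f \${VARDIR}/nat` in delete_nat. The file name also looks suspect: this is delete_proxy_arp, and the firewall-side counterpart in this commit removes `${VARDIR}/proxyarp`, so `nat` here may be a pre-existing copy error that the commit carries over — worth confirming before it is locked in. Separately, the EXPORT and non-EXPORT branches in compile_firewall emit identical SHAREDIR/CONFDIR/VARDIR assignments, so the `if [ -n "$EXPORT" ]` currently changes nothing; if that is a placeholder for a later difference, a comment such as `# TODO: exported scripts currently receive the same paths as local ones` would say so.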
@ -40,6 +40,9 @@
|
||||
# and rules/policies.
|
||||
# shorewall refresh . Rebuild the common chain
|
||||
#
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion
|
||||
# routines in $FUNCTIONS. They invoke
|
||||
# the corresponding function in that file if the user did
|
||||
@ -551,11 +554,11 @@ match_dest_hosts()
|
||||
|
||||
#
|
||||
# Similarly, the source or destination in a rule can be qualified by a device name. If
|
||||
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
|
||||
# the device is defined in ${CONFDIR}/interfaces then a normal interface match is
|
||||
# generated (-i or -o); otherwise, a physdev match is generated.
|
||||
#-------------------------------------------------------------------------------------
|
||||
#
|
||||
# loosely match the passed interface with those in /etc/shorewall/interfaces.
|
||||
# loosely match the passed interface with those in ${CONFDIR}/interfaces.
|
||||
#
|
||||
known_interface() # $1 = interface name
|
||||
{
|
||||
@ -1126,7 +1129,7 @@ stop_firewall() {
|
||||
|
||||
[ -n "${RESTOREFILE:=restore}" ]
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
@ -1422,7 +1425,7 @@ setup_ipsec() {
|
||||
# Delete existing Proxy ARP
|
||||
#
|
||||
delete_proxy_arp() {
|
||||
if [ -f /var/lib/shorewall/proxyarp ]; then
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
case $COMMAND in
|
||||
stop|clear)
|
||||
@ -1442,9 +1445,9 @@ delete_proxy_arp() {
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done < /var/lib/shorewall/proxyarp
|
||||
done < ${VARDIR}/proxyarp
|
||||
|
||||
rm -f /var/lib/shorewall/proxyarp
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
|
||||
@ -1476,12 +1479,12 @@ delete_nat() {
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
if [ -f /var/lib/shorewall/nat ]; then
|
||||
if [ -f ${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
qt ip addr del $external dev $interface
|
||||
done < /var/lib/shorewall/nat
|
||||
done < ${VARDIR}/nat
|
||||
|
||||
rm -f {/var/lib/shorewall}/nat
|
||||
rm -f ${VARDIR}/nat
|
||||
fi
|
||||
|
||||
[ -d $STATEDIR ] && touch $STATEDIR/nat
|
||||
@ -1734,7 +1737,7 @@ check_disabled_startup() {
|
||||
echo " Shorewall Startup is disabled -- to enable startup"
|
||||
echo " after you have completed Shorewall configuration,"
|
||||
echo " change the setting of STARTUP_ENABLED to Yes in"
|
||||
echo " /etc/shorewall/shorewall.conf"
|
||||
echo " ${CONFDIR}/shorewall.conf"
|
||||
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
@ -1921,12 +1924,12 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
||||
#
|
||||
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
|
||||
#
|
||||
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
|
||||
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
|
||||
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
|
||||
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
|
||||
#
|
||||
# Check for duplicates and create a new zone state file
|
||||
#
|
||||
> /var/lib/shorewall/zones_$$
|
||||
> ${VARDIR}/zones_$$
|
||||
|
||||
while read z type hosts; do
|
||||
if [ "$z" = "$zone" ]; then
|
||||
@ -1944,10 +1947,10 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
||||
|
||||
eval ${z}_hosts=\"$hosts\"
|
||||
|
||||
echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$
|
||||
done < /var/lib/shorewall/zones
|
||||
echo "$z $type $hosts" >> ${VARDIR}/zones_$$
|
||||
done < ${VARDIR}/zones
|
||||
|
||||
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
|
||||
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
|
||||
|
||||
TERMINATOR=fatal_error
|
||||
#
|
||||
@ -2017,7 +2020,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done < /var/lib/shorewall/chains
|
||||
done < ${VARDIR}/chains
|
||||
|
||||
progress_message "$newhost added to zone $zone"
|
||||
|
||||
@ -2093,12 +2096,12 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
|
||||
#
|
||||
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
|
||||
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
|
||||
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
|
||||
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
|
||||
#
|
||||
# Delete the passed hosts from the zone state file
|
||||
#
|
||||
> /var/lib/shorewall/zones_$$
|
||||
> ${VARDIR}/zones_$$
|
||||
|
||||
while read z hosts; do
|
||||
if [ "$z" = "$zone" ]; then
|
||||
@ -2132,10 +2135,10 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
|
||||
eval ${z}_hosts=\"$hosts\"
|
||||
|
||||
echo "$z $hosts" >> /var/lib/shorewall/zones_$$
|
||||
done < /var/lib/shorewall/zones
|
||||
echo "$z $hosts" >> ${VARDIR}/zones_$$
|
||||
done < ${VARDIR}/zones
|
||||
|
||||
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
|
||||
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
|
||||
|
||||
TERMINATOR=fatal_error
|
||||
|
||||
@ -2192,7 +2195,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done < /var/lib/shorewall/chains
|
||||
done < ${VARDIR}/chains
|
||||
|
||||
progress_message "$delhost removed from zone $zone"
|
||||
|
||||
@ -2295,7 +2298,7 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
SHARED_DIR=${SHAREDIR}
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
LOGFORMAT=
|
||||
@ -2399,7 +2402,7 @@ do_initialize() {
|
||||
fi
|
||||
determine_capabilities
|
||||
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
|
||||
else
|
||||
f=$(find_file capabilities)
|
||||
@ -2640,7 +2643,7 @@ case "$COMMAND" in
|
||||
$IPTABLES -t nat -Z
|
||||
$IPTABLES -t mangle -Z
|
||||
report "Shorewall Counters Reset"
|
||||
date > /var/lib/shorewall/restarted
|
||||
date > ${VARDIR}/restarted
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
@ -2701,7 +2704,7 @@ case "$COMMAND" in
|
||||
|
||||
call)
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
|
||||
# Undocumented way to call functions in ${SHAREDIR}/firewall directly
|
||||
#
|
||||
shift
|
||||
do_initialize
|
||||
|
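Review bot: The new `${VARDIR}` and `${CONFDIR}` references in this file are all unquoted — `[ -f ${VARDIR}/chains ]`, `done < ${VARDIR}/zones`, `mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones` in add_to_zone and delete_from_zone — which was harmless for a fixed literal but becomes a word-splitting hazard now that the directory is a variable intended to be redirected. With the literal assignments at the top of this file it cannot trigger today, so this is a point of style, but quoting as `"${VARDIR}/zones"` costs nothing and makes the indirection safe. The same applies to the compiler, functions and shorewall sections of this commit.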
@ -28,6 +28,10 @@
|
||||
|
||||
LIBVERSION=30191
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
[ -n "${CONFDIR:=/etc/shorewall}" ]
|
||||
|
||||
#
|
||||
# Message to stderr
|
||||
#
|
||||
@ -210,7 +214,7 @@ my_pathname() {
|
||||
# Set default config path
|
||||
#
|
||||
ensure_config_path() {
|
||||
local F=/usr/share/shorewall/configpath
|
||||
local F=${SHAREDIR}/configpath
|
||||
if [ -z "$CONFIG_PATH" ]; then
|
||||
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
|
||||
. $F
|
||||
@ -218,7 +222,7 @@ ensure_config_path() {
|
||||
}
|
||||
|
||||
#
|
||||
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
|
||||
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in ${CONFDIR}
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
@ -244,7 +248,7 @@ find_file()
|
||||
|
||||
IFS=$saveifs
|
||||
|
||||
echo /etc/shorewall/$1
|
||||
echo ${CONFDIR}/$1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -445,13 +449,13 @@ load_kernel_modules()
|
||||
mutex_on()
|
||||
{
|
||||
local try=0
|
||||
local lockf=/var/lib/shorewall/lock
|
||||
local lockf=${VARDIR}/lock
|
||||
|
||||
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
||||
|
||||
if [ $MUTEX_TIMEOUT -gt 0 ]; then
|
||||
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
|
||||
if qt mywhich lockfile; then
|
||||
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
|
||||
@ -476,7 +480,7 @@ mutex_on()
|
||||
#
|
||||
mutex_off()
|
||||
{
|
||||
rm -f /var/lib/shorewall/lock
|
||||
rm -f ${VARDIR}/lock
|
||||
}
|
||||
|
||||
#
|
||||
@ -1161,7 +1165,7 @@ mywhich() {
|
||||
#
|
||||
set_state () # $1 = state
|
||||
{
|
||||
echo "$1 ($(date))" > /var/lib/shorewall/state
|
||||
echo "$1 ($(date))" > ${VARDIR}/state
|
||||
}
|
||||
|
||||
#
|
||||
|
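Review bot: `[ -n "${VARDIR:=/var/lib/shorewall}" ]` and the SHAREDIR/CONFDIR lines after it use a test command purely for its assignment side effect; the conventional form is `: "${VARDIR:=/var/lib/shorewall}"`, which reads as intent rather than as a discarded check. Because `:=` keeps an inherited value, these defaults let whatever the process was started with choose the directory the library later sources from — ensure_config_path does `. $F` with `local F=${SHAREDIR}/configpath` — so an entry point that does not assign SHAREDIR itself will honor an inherited one; the compiler, firewall and shorewall scripts in this commit assign all three unconditionally, which appears to be the intended pattern. A comment above the defaults stating that contract, e.g. `# Callers are expected to set VARDIR/SHAREDIR/CONFDIR before sourcing this file; the defaults apply only when they are unset`, would make the dependency explicit.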
@ -113,6 +113,10 @@
|
||||
# shorewall compile [ <directory> ] ]<filename>
|
||||
# Compile a firewall program file.
|
||||
#
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
|
||||
# Fatal Error
|
||||
#
|
||||
fatal_error() # $@ = Message
|
||||
@ -246,7 +250,7 @@ get_config() {
|
||||
|
||||
case $STARTUP_ENABLED in
|
||||
[Nn][Oo])
|
||||
echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2
|
||||
echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
|
||||
STARTUP_ENABLED=
|
||||
;;
|
||||
[Yy][Ee][Ss])
|
||||
@ -432,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
#
|
||||
save_config() {
|
||||
if shorewall_is_started ; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
@ -442,12 +446,12 @@ save_config() {
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/.restore ]; then
|
||||
if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then
|
||||
cp -f /var/lib/shorewall/.restore $RESTOREPATH
|
||||
mv -f /var/lib/shorewall/restore-$$ ${RESTOREPATH}-iptables
|
||||
if [ -f ${VARDIR}/.restore ]; then
|
||||
if iptables-save | iptablesbug > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/.restore $RESTOREPATH
|
||||
mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
|
||||
@ -457,16 +461,16 @@ save_config() {
|
||||
[Yy][Ee][Ss])
|
||||
RESTOREPATH=${RESTOREPATH}-ipsets
|
||||
|
||||
f=/var/lib/shorewall/restore-$$
|
||||
f=${VARDIR}/restore-$$
|
||||
|
||||
echo "#!/bin/sh" > $f
|
||||
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
|
||||
echo >> $f
|
||||
echo ". /usr/share/shorewall/functions" >> $f
|
||||
echo ". ${SHAREDIR}/functions" >> $f
|
||||
echo >> $f
|
||||
grep '^MODULE' /var/lib/shorewall/restore-base >> $f
|
||||
grep '^MODULE' ${VARDIR}/restore-base >> $f
|
||||
echo "reload_kernel_modules << __EOF__" >> $f
|
||||
grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
|
||||
grep 'loadmodule ip_set' ${VARDIR}/restore-base >> $f
|
||||
echo "__EOF__" >> $f
|
||||
echo >> $f
|
||||
echo "ipset -U :all: :all:" >> $f
|
||||
@ -486,11 +490,11 @@ save_config() {
|
||||
;;
|
||||
esac
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/.restored oes not exist"
|
||||
echo " ERROR: ${VARDIR}/.restored oes not exist"
|
||||
fi
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
@ -515,8 +519,8 @@ start_command() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.start; then
|
||||
/var/lib/shorewall/.start $debugging start
|
||||
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
|
||||
${VARDIR}/.start $debugging start
|
||||
fi
|
||||
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
@ -590,12 +594,12 @@ start_command() {
|
||||
#
|
||||
# RESTOREFILE is exported by get_config()
|
||||
#
|
||||
make -qf /etc/shorewall/Makefile || FAST=
|
||||
make -qf ${CONFDIR}/Makefile || FAST=
|
||||
fi
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
@ -611,7 +615,7 @@ start_command() {
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$SHOREWALL_SHELL $RESTOREPATH restore
|
||||
date > /var/lib/shorewall/restarted
|
||||
date > ${VARDIR}/restarted
|
||||
progress_message3 Shorewall restored from $RESTOREPATH
|
||||
else
|
||||
do_it
|
||||
@ -691,7 +695,7 @@ compile_command() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file
|
||||
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file
|
||||
}
|
||||
#
|
||||
# Check Command Executor
|
||||
@ -754,7 +758,7 @@ check_command() {
|
||||
|
||||
progress_message3 "Checking..."
|
||||
|
||||
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check
|
||||
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
@ -825,8 +829,8 @@ restart_command() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.restart; then
|
||||
$SHOREWALL_SHELL /var/lib/shorewall/.restart $debugging restart
|
||||
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
|
||||
$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
|
||||
fi
|
||||
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
@ -919,7 +923,7 @@ show_command() {
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /var/lib/shorewall/zones ]; then
|
||||
if [ -f ${VARDIR}/zones ]; then
|
||||
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||
echo
|
||||
while read zone type hosts; do
|
||||
@ -927,10 +931,10 @@ show_command() {
|
||||
for host in $hosts; do
|
||||
echo " $host"
|
||||
done
|
||||
done < /var/lib/shorewall/zones
|
||||
done < ${VARDIR}/zones
|
||||
echo
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/zones does not exist" >&2
|
||||
echo " ERROR: ${VARDIR}/zones does not exist" >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
@ -951,11 +955,11 @@ show_command() {
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$'
|
||||
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
|
||||
;;
|
||||
macros)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
for macro in /usr/share/shorewall/macro.*; do
|
||||
for macro in ${SHAREDIR}/macro.*; do
|
||||
foo=`grep 'This macro' $macro | head -n 1`
|
||||
if [ -n "$foo" ]; then
|
||||
macro=${macro#*.}
|
||||
@ -1164,14 +1168,14 @@ safe_commands() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
if ! $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging nolock compile /var/lib/shorewall/.$command; then
|
||||
if ! $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging nolock compile ${VARDIR}/.$command; then
|
||||
status=$?
|
||||
mutex_off
|
||||
exit $status
|
||||
fi
|
||||
|
||||
RESTOREFILE=.safe
|
||||
RESTOREPATH=/var/lib/shorewall/.safe
|
||||
RESTOREPATH=${VARDIR}/.safe
|
||||
|
||||
save_config
|
||||
|
||||
@ -1184,7 +1188,7 @@ safe_commands() {
|
||||
;;
|
||||
esac
|
||||
|
||||
/var/lib/shorewall/.$command $command
|
||||
${VARDIR}/.$command $command
|
||||
|
||||
echo -n "Do you want to accept the new firewall configuration? [y/n] "
|
||||
|
||||
@ -1192,9 +1196,9 @@ safe_commands() {
|
||||
echo "New configuration has been accepted"
|
||||
else
|
||||
if [ "$command" = "restart" ]; then
|
||||
/var/lib/shorewall/.safe restore
|
||||
${VARDIR}/.safe restore
|
||||
else
|
||||
/var/lib/shorewall/.$command clear
|
||||
${VARDIR}/.$command clear
|
||||
fi
|
||||
|
||||
mutex_off
|
||||
@ -1258,7 +1262,7 @@ restore_command() {
|
||||
exit 2
|
||||
fi
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
export NOROUTES
|
||||
|
||||
@ -1273,10 +1277,10 @@ restore_command() {
|
||||
fi
|
||||
|
||||
progress_message3 "Restoring Shorewall..."
|
||||
$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
|
||||
$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from ${VARDIR}/$RESTOREFILE"
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
else
|
||||
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
|
||||
echo "File ${VARDIR}/$RESTOREFILE: file not found"
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
exit 2
|
||||
fi
|
||||
@ -1336,8 +1340,8 @@ usage() # $1 = exit status
|
||||
# Display the time that the counters were last reset
|
||||
#
|
||||
show_reset() {
|
||||
[ -f /var/lib/shorewall/restarted ] && \
|
||||
echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \
|
||||
[ -f ${VARDIR}/restarted ] && \
|
||||
echo "Counters reset $(cat ${VARDIR}/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
@ -1512,7 +1516,7 @@ fi
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
SHARED_DIR=${SHAREDIR}
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
@ -1630,8 +1634,8 @@ case "$COMMAND" in
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f /var/lib/shorewall/state ]; then
|
||||
state="$(cat /var/lib/shorewall/state)"
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Clear*)
|
||||
status=3
|
||||
@ -1862,7 +1866,7 @@ case "$COMMAND" in
|
||||
;;
|
||||
esac
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
[ "$nolock" ] || mutex_on
|
||||
|
||||
@ -1884,7 +1888,7 @@ case "$COMMAND" in
|
||||
esac
|
||||
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
@ -1899,7 +1903,7 @@ case "$COMMAND" in
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
fi
|
||||
rm -f /var/lib/shorewall/save
|
||||
rm -f ${VARDIR}/save
|
||||
;;
|
||||
ipcalc)
|
||||
[ -n "$debugging" ] && set -x
|
||||
@ -1954,7 +1958,7 @@ case "$COMMAND" in
|
||||
call)
|
||||
[ -n "$debugging" ] && set -x
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/functions directly
|
||||
# Undocumented way to call functions in ${SHAREDIR}/functions directly
|
||||
#
|
||||
shift
|
||||
$@
|
||||
|
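Review bot: In save_config the rewritten message `echo " ERROR: ${VARDIR}/.restored oes not exist"` carries two pre-existing defects into the new line: the typo "oes" and the file name `.restored`, whereas the test it reports on a few lines earlier is `if [ -f ${VARDIR}/.restore ]`; it should read `echo " ERROR: ${VARDIR}/.restore does not exist"`. As a point of style, `SHARED_DIR=${SHAREDIR}` near the bottom of the file now keeps two spellings of the same value alive (`SHARED_DIR` still feeds FIREWALL, FUNCTIONS and VERSION_FILE), and the compiler and firewall sections do the same in do_initialize; collapsing to one name, or a comment saying why both exist, would keep them from drifting apart.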