From 6f073f6cfde6f576dacce48c44a4cfd17a17fd3e Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 9 Jun 2006 16:35:55 +0000 Subject: [PATCH] Make all references to directories indirect git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4033 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 86 +++++++++++++++++++++++++----------------- Shorewall/firewall | 59 +++++++++++++++-------------- Shorewall/functions | 18 +++++---- Shorewall/shorewall | 92 +++++++++++++++++++++++---------------------- 4 files changed, 142 insertions(+), 113 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 5b2325009..053334c62 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -40,6 +40,10 @@ # SHOREWALL_DIR A directory name was passed to /sbin/shorewall # VERBOSE Standard Shorewall verbosity control. +SHAREDIR=/usr/share/shorewall +VARDIR=/var/lib/shorewall +CONFDIR=/etc/shorewall + # Fatal error -- stops the compiler after issuing the error message # fatal_error() # $* = Error Message @@ -783,11 +787,11 @@ match_dest_hosts() # # Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in /etc/shorewall/interfaces then a normal interface match is +# the device is defined in ${CONFDIR}/interfaces then a normal interface match is # generated (-i or -o); otherwise, a physdev match is generated. #------------------------------------------------------------------------------------- # -# loosely match the passed interface with those in /etc/shorewall/interfaces. +# loosely match the passed interface with those in ${CONFDIR}/interfaces. # known_interface() # $1 = interface name { 
@@ -1466,7 +1470,7 @@ validate_hosts_file() { case $host in *:*) known_interface ${host%:*} && \ - fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" check_bridge_port ${host%%:*} ;; *.*.*) @@ -1476,7 +1480,7 @@ validate_hosts_file() { ;; *) known_interface $host && \ - fatal_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + fatal_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" check_bridge_port $host ;; esac @@ -2692,13 +2696,13 @@ setup_syn_flood_chains() # delete_proxy_arp() { indent >&3 << __EOF__ -if [ -f /var/lib/shorewall/proxyarp ]; then +if [ -f \${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i \$external -d \$address pub [ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface - done < /var/lib/shorewall/proxyarp + done < \${VARDIR}/proxyarp - rm -f {/var/lib/shorewall}/nat + rm -f ${VARDIR}/nat fi for f in /proc/sys/net/ipv4/conf/*; do @@ -2800,12 +2804,12 @@ delete_nat() { indent >&3 << __EOF__ -if [ -f /var/lib/shorewall/nat ]; then +if [ -f \${VARDIR}/nat ]; then while read external interface; do ip_addr_del \$external \$interface - done < /var/lib/shorewall/nat + done < \${VARDIR}/nat - rm -f {/var/lib/shorewall}/nat + rm -f \${VARDIR}/nat fi __EOF__ @@ -3689,7 +3693,7 @@ process_action() # $1 = chain (Chain to add the rules to) } # -# Append a file in /var/lib/shorewall to $OUTPUT +# Append a file in ${VARDIR} to $OUTPUT # append_action_file() # $1 = File Name { 
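Review bot: The compiler's `delete_proxy_arp` still ends with `rm -f ${VARDIR}/nat`, i.e. it deletes the NAT state file instead of `proxyarp`, while the firewall script's `delete_proxy_arp` in this same patch removes `${VARDIR}/proxyarp`; this looks like a copy-paste leftover from `delete_nat` that the path rewrite preserved. The `$` on that line is also not escaped like the surrounding `\${VARDIR}` references, so it is expanded when the compiler runs rather than when the generated script runs — equivalent today only because both sides hard-code the same constant. Suggested line: `rm -f \${VARDIR}/proxyarp`. The heredoc this function writes continues past the end of the hunk.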
@@ -3987,8 +3991,8 @@ merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest f # # The next three functions implement the three phases of action processing. # -# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std -# and /etc/shorewall/actions are scanned (in that order) and for each action: +# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std +# and ${CONFDIR}/actions are scanned (in that order) and for each action: # # a) The related action definition file is located and scanned. # b) Forward and unresolved action references are trapped as errors. @@ -4018,7 +4022,7 @@ process_actions1() { strip_file actions - strip_file actions.std /usr/share/shorewall/actions.std + strip_file actions.std ${SHAREDIR}/actions.std for inputfile in actions.std actions; do while read xaction rest; do @@ -4486,7 +4490,7 @@ add_nat_rule() { # Parse SNAT address if any if [ "$addr" != "${addr%:*}" ]; then - fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead" + fatal_error "SNAT may no longer be specified in a DNAT rule; use ${CONFDIR}/masq instead" fi # Set original destination address @@ -6908,7 +6912,7 @@ initialize_netfilter () { indent >&3 << __EOF__ -if [ -f /var/lib/shorewall/save ]; then +if [ -f \${VARDIR}/save ]; then progress_message2 "Setting up dynamic rules..." while read target ignore1 ignore2 address rest; do case \$target in @@ -6916,7 +6920,7 @@ if [ -f /var/lib/shorewall/save ]; then run_iptables -A dynamic -s \$address -j \$target ;; esac - done < /var/lib/shorewall/save + done < \${VARDIR}/save fi __EOF__ 
@@ -7785,12 +7789,12 @@ stop_firewall() { \$IPTABLES -t nat -F \$IPTABLES -t nat -X - if [ -f /var/lib/shorewall/nat ]; then + if [ -f \${VARDIR}/nat ]; then while read external interface; do ip_addr_del \$external dev \$interface - done < /var/lib/shorewall/nat + done < \${VARDIR}/nat - rm -f /var/lib/shorewall/nat + rm -f \${VARDIR}/nat fi } @@ -7802,7 +7806,7 @@ stop_firewall() { [ -n "\${RESTOREFILE:=restore}" ] - RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE + RESTOREPATH=\${VARDIR}/\$RESTOREFILE if [ -x \$RESTOREPATH ]; then @@ -7874,11 +7878,11 @@ __EOF__ done fi - if [ -f /var/lib/shorewall/proxyarp ]; then + if [ -f \${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i \$external -d \$address pub [ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface - done < /var/lib/shorewall/proxyarp + done < \${VARDIR}/proxyarp fi for f in /proc/sys/net/ipv4/conf/*; do @@ -8081,9 +8085,23 @@ compile_firewall() # $1 = File Name # __EOF__ + if [ -n "$EXPORT" ]; then + cat >&3 << __EOF__ +SHAREDIR=/usr/share/shorewall +CONFDIR=/etc/shorewall +VARDIR=/var/lib/shorewall +__EOF__ + else + cat >&3 << __EOF__ +SHAREDIR=/usr/share/shorewall +CONFDIR=/etc/shorewall +VARDIR=/var/lib/shorewall +__EOF__ + fi + cat >&3 << __EOF__ -. /usr/share/shorewall/functions +. \${SHAREDIR}/functions __EOF__ compile_stop_firewall @@ -8211,11 +8229,11 @@ __EOF__ INDENT=" " cat >&3 << __EOF__ - if [ ! -f /usr/share/shorewall/version ]; then + if [ ! -f \${SHAREDIR}/version ]; then fatal_error "This script requires Shorewall or Shorewall Lite which do not appear to be installed on this system" fi - local version=\$(cat /usr/share/shorewall/version) + local version=\$(cat \${SHAREDIR}/version) if [ \${LIBVERSION:-0} -lt 30191 ]; then fatal_error "This script requires Shorewall [Lite] version 3.2.0-Beta7 or later; current version is \$version" 
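Review bot: Both branches of the new `if [ -n "$EXPORT" ]` in compile_firewall emit the identical three assignments, so the conditional is dead code and a reader will assume an export-specific directory layout exists when it does not. Either collapse it to a single heredoc, or fill the export branch with the values an exported script is actually meant to use; if the split is a placeholder for later work, a `# TODO: export layout not yet different from local` comment would avoid the confusion. Emitting plain assignments into the generated script rather than `:=` defaults is the right choice for a root-run script, since it ignores whatever VARDIR/SHAREDIR the invoking environment happens to carry.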
@@ -8275,9 +8293,9 @@ __EOF__ STOPPING= # - # The library requires that /var/lib/shorewall exist + # The library requires that ${VARDIR} exist # - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + [ -d \${VARDIR} ] || mkdir -p \${VARDIR} } @@ -8378,7 +8396,7 @@ __EOF__ fi for file in chains nat proxyarp zones; do - save_command "cat > /var/lib/shorewall/$file $LEFTSHIFT __EOF__" + save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__" cat $STATEDIR/$file >&3 save_command_unindented __EOF__ done @@ -8390,7 +8408,7 @@ __EOF__ fi __EOF__ - save_command "date > /var/lib/shorewall/restarted" + save_command "date > \${VARDIR}/restarted" append_file start @@ -8404,7 +8422,7 @@ __EOF__ cat >&3 << __EOF__ - cp -f \$(my_pathname) /var/lib/shorewall/.restore + cp -f \$(my_pathname) \${VARDIR}/.restore case \$COMMAND in start) @@ -8425,7 +8443,7 @@ __EOF__ # restore_firewall() { - iptables_save_file=/var/lib/shorewall/\$(basename \$0)-iptables + iptables_save_file=\${VARDIR}/\$(basename \$0)-iptables fatal_error() { @@ -8565,7 +8583,7 @@ do_initialize() { TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= - SHARED_DIR=/usr/share/shorewall + SHARED_DIR=${SHAREDIR} FUNCTIONS= VERSION_FILE= LOGFORMAT= @@ -8905,7 +8923,7 @@ case "$COMMAND" in call) # - # Undocumented way to call functions in /usr/share/shorewall/compiler directly + # Undocumented way to call functions in ${SHAREDIR}/compiler directly # shift do_initialize diff --git a/Shorewall/firewall b/Shorewall/firewall index 068dde859..f7d22246c 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -40,6 +40,9 @@ # and rules/policies. # shorewall refresh . Rebuild the common chain # +SHAREDIR=/usr/share/shorewall +VARDIR=/var/lib/shorewall +CONFDIR=/etc/shorewall # Mutual exclusion -- These functions are jackets for the mutual exclusion # routines in $FUNCTIONS. They invoke # the corresponding function in that file if the user did 
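Review bot: The generated script's `[ -d \${VARDIR} ] || mkdir -p \${VARDIR}` creates the state directory with whatever umask the invoking process has, and the following hunks write a copy of the running script (`.restore`) and, via `save_config`, the `iptables-save` output into that directory; with a permissive umask those files become world-readable and disclose the complete firewall policy. If a fixed mode is intended, `mkdir -p -m 0755 \${VARDIR}` (or 0700, depending on whether unprivileged `shorewall show` is expected to read it — not determinable from here) pins it regardless of caller umask. The same pattern appears in `mutex_on` in functions and in `save_config` in shorewall, so a fix belongs in all three places.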
@@ -551,11 +554,11 @@ match_dest_hosts() # # Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in /etc/shorewall/interfaces then a normal interface match is +# the device is defined in ${CONFDIR}/interfaces then a normal interface match is # generated (-i or -o); otherwise, a physdev match is generated. #------------------------------------------------------------------------------------- # -# loosely match the passed interface with those in /etc/shorewall/interfaces. +# loosely match the passed interface with those in ${CONFDIR}/interfaces. # known_interface() # $1 = interface name { @@ -1126,7 +1129,7 @@ stop_firewall() { [ -n "${RESTOREFILE:=restore}" ] - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + RESTOREPATH=${VARDIR}/$RESTOREFILE if [ -x $RESTOREPATH ]; then @@ -1422,7 +1425,7 @@ setup_ipsec() { # Delete existing Proxy ARP # delete_proxy_arp() { - if [ -f /var/lib/shorewall/proxyarp ]; then + if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do case $COMMAND in stop|clear) @@ -1442,9 +1445,9 @@ delete_proxy_arp() { fi ;; esac - done < /var/lib/shorewall/proxyarp + done < ${VARDIR}/proxyarp - rm -f /var/lib/shorewall/proxyarp + rm -f ${VARDIR}/proxyarp fi [ -d $STATEDIR ] && touch $STATEDIR/proxyarp @@ -1476,12 +1479,12 @@ delete_nat() { run_iptables -t nat -F run_iptables -t nat -X - if [ -f /var/lib/shorewall/nat ]; then + if [ -f ${VARDIR}/nat ]; then while read external interface; do qt ip addr del $external dev $interface - done < /var/lib/shorewall/nat + done < ${VARDIR}/nat - rm -f {/var/lib/shorewall}/nat + rm -f ${VARDIR}/nat fi [ -d $STATEDIR ] && touch $STATEDIR/nat 
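Review bot: `RESTOREPATH=${VARDIR}/$RESTOREFILE` followed by `if [ -x $RESTOREPATH ]` in stop_firewall executes a path that is only as constrained as `RESTOREFILE`; nothing in this hunk rejects a value containing `/` or `..`, so a `RESTOREFILE=../../tmp/x` would run a file outside VARDIR as root. The value comes from root-owned configuration, so exposure is limited, but a defence-in-depth check such as `case $RESTOREFILE in */*|..) startup_error "RESTOREFILE must be a plain file name";; esac` before the assignment is cheap — unless get_config already validates it, which is not visible here. stop_firewall starts outside this hunk.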
@@ -1734,7 +1737,7 @@ check_disabled_startup() { echo " Shorewall Startup is disabled -- to enable startup" echo " after you have completed Shorewall configuration," echo " change the setting of STARTUP_ENABLED to Yes in" - echo " /etc/shorewall/shorewall.conf" + echo " ${CONFDIR}/shorewall.conf" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off @@ -1921,12 +1924,12 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" - [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" + [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" + [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" # # Check for duplicates and create a new zone state file # - > /var/lib/shorewall/zones_$$ + > ${VARDIR}/zones_$$ while read z type hosts; do if [ "$z" = "$zone" ]; then @@ -1944,10 +1947,10 @@ add_to_zone() # $1...${n-1} = [:] $n = zone eval ${z}_hosts=\"$hosts\" - echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$ - done < /var/lib/shorewall/zones + echo "$z $type $hosts" >> ${VARDIR}/zones_$$ + done < ${VARDIR}/zones - mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones + mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones TERMINATOR=fatal_error # @@ -2017,7 +2020,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone done fi fi - done < /var/lib/shorewall/chains + done < ${VARDIR}/chains progress_message "$newhost added to zone $zone" 
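Review bot: add_to_zone truncates `${VARDIR}/zones_$$` before the `while read` loop and only renames it over `zones` after the loop, so any error exit inside the loop (the duplicate-check branch is cut by the hunk, but the comment above it suggests it errors out) leaves a partial `zones_$$` behind in the state directory. A `trap 'rm -f ${VARDIR}/zones_$$' EXIT` right after the truncation, or an explicit `rm -f` in the error branch, keeps VARDIR clean. The hunk only rewrites the paths, so this is pre-existing, but the touched lines are the place to fix it; delete_from_zone has the same shape.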
@@ -2093,12 +2096,12 @@ delete_from_zone() # $1 = [:] $2 = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" - [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" + [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" + [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" # # Delete the passed hosts from the zone state file # - > /var/lib/shorewall/zones_$$ + > ${VARDIR}/zones_$$ while read z hosts; do if [ "$z" = "$zone" ]; then @@ -2132,10 +2135,10 @@ delete_from_zone() # $1 = [:] $2 = zone eval ${z}_hosts=\"$hosts\" - echo "$z $hosts" >> /var/lib/shorewall/zones_$$ - done < /var/lib/shorewall/zones + echo "$z $hosts" >> ${VARDIR}/zones_$$ + done < ${VARDIR}/zones - mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones + mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones TERMINATOR=fatal_error @@ -2192,7 +2195,7 @@ delete_from_zone() # $1 = [:] $2 = zone done fi fi - done < /var/lib/shorewall/chains + done < ${VARDIR}/chains progress_message "$delhost removed from zone $zone" @@ -2295,7 +2298,7 @@ do_initialize() { TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= - SHARED_DIR=/usr/share/shorewall + SHARED_DIR=${SHAREDIR} FUNCTIONS= VERSION_FILE= LOGFORMAT= @@ -2399,7 +2402,7 @@ do_initialize() { fi determine_capabilities - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} else f=$(find_file capabilities) @@ -2640,7 +2643,7 @@ case "$COMMAND" in $IPTABLES -t nat -Z $IPTABLES -t mangle -Z report "Shorewall Counters Reset" - date > /var/lib/shorewall/restarted + date > ${VARDIR}/restarted my_mutex_off ;; 
@@ -2701,7 +2704,7 @@ case "$COMMAND" in call) # - # Undocumented way to call functions in /usr/share/shorewall/firewall directly + # Undocumented way to call functions in ${SHAREDIR}/firewall directly # shift do_initialize diff --git a/Shorewall/functions b/Shorewall/functions index 4a167e912..8db8113a1 100644 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -28,6 +28,10 @@ LIBVERSION=30191 +[ -n "${VARDIR:=/var/lib/shorewall}" ] +[ -n "${SHAREDIR:=/usr/share/shorewall}" ] +[ -n "${CONFDIR:=/etc/shorewall}" ] + # # Message to stderr # @@ -210,7 +214,7 @@ my_pathname() { # Set default config path # ensure_config_path() { - local F=/usr/share/shorewall/configpath + local F=${SHAREDIR}/configpath if [ -z "$CONFIG_PATH" ]; then [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } . $F @@ -218,7 +222,7 @@ ensure_config_path() { } # -# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall +# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in ${CONFDIR} # find_file() { @@ -244,7 +248,7 @@ find_file() IFS=$saveifs - echo /etc/shorewall/$1 + echo ${CONFDIR}/$1 fi ;; esac @@ -445,13 +449,13 @@ load_kernel_modules() mutex_on() { local try=0 - local lockf=/var/lib/shorewall/lock + local lockf=${VARDIR}/lock MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} if [ $MUTEX_TIMEOUT -gt 0 ]; then - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if qt mywhich lockfile; then lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} @@ -476,7 +480,7 @@ mutex_on() # mutex_off() { - rm -f /var/lib/shorewall/lock + rm -f ${VARDIR}/lock } # @@ -1161,7 +1165,7 @@ mywhich() { # set_state () # $1 = state { - echo "$1 ($(date))" > /var/lib/shorewall/state + echo "$1 ($(date))" > ${VARDIR}/state } # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index e8eaf2b94..076379a45 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
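Review bot: functions sets the three directories with `${VARDIR:=…}`-style defaults, which keep any value already present in the environment, whereas compiler, firewall and shorewall assign them unconditionally. Any caller that sources functions without first assigning them (an init script or wrapper run with a preserved environment) will therefore `.`-source `${SHAREDIR}/configpath` in ensure_config_path and place its lock and state files wherever the caller's environment points — for code running as root that turns a caller-controlled variable into code execution. If environment override is not a supported feature, assign unconditionally here as the other three files do; if it is, document that in a comment and have the entry points clear the variables before honoring them. Stylistically, `: "${VARDIR:=/var/lib/shorewall}"` is the usual spelling of the default idiom rather than a `[ -n … ]` test whose result is discarded.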
@@ -113,6 +113,10 @@ # shorewall compile [ ] ] # Compile a firewall program file. # +SHAREDIR=/usr/share/shorewall +VARDIR=/var/lib/shorewall +CONFDIR=/etc/shorewall + # Fatal Error # fatal_error() # $@ = Message @@ -246,7 +250,7 @@ get_config() { case $STARTUP_ENABLED in [Nn][Oo]) - echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2 + echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2 STARTUP_ENABLED= ;; [Yy][Ee][Ss]) @@ -432,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that # save_config() { if shorewall_is_started ; then - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" @@ -442,12 +446,12 @@ save_config() { echo " ERROR: Reserved file name: $RESTOREFILE" ;; *) - if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then + if $IPTABLES -L dynamic -n > ${VARDIR}/save; then echo " Dynamic Rules Saved" - if [ -f /var/lib/shorewall/.restore ]; then - if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then - cp -f /var/lib/shorewall/.restore $RESTOREPATH - mv -f /var/lib/shorewall/restore-$$ ${RESTOREPATH}-iptables + if [ -f ${VARDIR}/.restore ]; then + if iptables-save | iptablesbug > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/.restore $RESTOREPATH + mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" 
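Review bot: `if iptables-save | iptablesbug > ${VARDIR}/restore-$$` in save_config tests only the exit status of `iptablesbug`, so a failing `iptables-save` can leave an empty or truncated `-iptables` file that is then moved into place next to an executable `$RESTOREPATH` and offered as a restore point. Since `set -o pipefail` is not available in every /bin/sh this script targets, a sturdier approach is to run `iptables-save` into the temp file first, check its status and that the file is non-empty, and only then filter it through `iptablesbug` before the `mv -f`. iptablesbug is not visible here, so its own handling may cover part of this.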
@@ -457,16 +461,16 @@ save_config() { [Yy][Ee][Ss]) RESTOREPATH=${RESTOREPATH}-ipsets - f=/var/lib/shorewall/restore-$$ + f=${VARDIR}/restore-$$ echo "#!/bin/sh" > $f echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f echo >> $f - echo ". /usr/share/shorewall/functions" >> $f + echo ". ${SHAREDIR}/functions" >> $f echo >> $f - grep '^MODULE' /var/lib/shorewall/restore-base >> $f + grep '^MODULE' ${VARDIR}/restore-base >> $f echo "reload_kernel_modules << __EOF__" >> $f - grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f + grep 'loadmodule ip_set' ${VARDIR}/restore-base >> $f echo "__EOF__" >> $f echo >> $f echo "ipset -U :all: :all:" >> $f @@ -486,11 +490,11 @@ save_config() { ;; esac else - rm -f /var/lib/shorewall/restore-$$ + rm -f ${VARDIR}/restore-$$ echo " ERROR: Currently-running Configuration Not Saved" fi else - echo " ERROR: /var/lib/shorewall/.restored oes not exist" + echo " ERROR: ${VARDIR}/.restored oes not exist" fi else echo "Error Saving the Dynamic Rules" @@ -515,8 +519,8 @@ start_command() { progress_message3 "Compiling..." - if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.start; then - /var/lib/shorewall/.start $debugging start + if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then + ${VARDIR}/.start $debugging start fi [ -n "$nolock" ] || mutex_off @@ -590,12 +594,12 @@ start_command() { # # RESTOREFILE is exported by get_config() # - make -qf /etc/shorewall/Makefile || FAST= + make -qf ${CONFDIR}/Makefile || FAST= fi if [ -n "$FAST" ]; then - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + RESTOREPATH=${VARDIR}/$RESTOREFILE if [ -x $RESTOREPATH ]; then if [ -x ${RESTOREPATH}-ipsets ]; then 
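Review bot: The error text on the new line reads `ERROR: ${VARDIR}/.restored oes not exist`, but the file tested just above is `.restore` and the verb lost its `d`, so the message names a file that never exists. Change it to `echo " ERROR: ${VARDIR}/.restore does not exist"`.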
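Review bot: start_command runs the compiled script directly as `${VARDIR}/.start $debugging start`, whereas restart_command in the next hunk series runs `$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart`; the first depends on the exec bit and shebang of the generated file, the second on SHOREWALL_SHELL, so the two commands can behave differently on the same host. Use `$SHOREWALL_SHELL ${VARDIR}/.start $debugging start` so both paths are interpreted the same way.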
@@ -611,7 +615,7 @@ start_command() { echo Restoring Shorewall... $SHOREWALL_SHELL $RESTOREPATH restore - date > /var/lib/shorewall/restarted + date > ${VARDIR}/restarted progress_message3 Shorewall restored from $RESTOREPATH else do_it @@ -691,7 +695,7 @@ compile_command() { progress_message3 "Compiling..." - exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file + exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file } # # Check Command Executor @@ -754,7 +758,7 @@ check_command() { progress_message3 "Checking..." - exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check + exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check } # @@ -825,8 +829,8 @@ restart_command() { progress_message3 "Compiling..." - if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.restart; then - $SHOREWALL_SHELL /var/lib/shorewall/.restart $debugging restart + if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then + $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart fi [ -n "$nolock" ] || mutex_off @@ -919,7 +923,7 @@ show_command() { ;; zones) [ $# -gt 1 ] && usage 1 - if [ -f /var/lib/shorewall/zones ]; then + if [ -f ${VARDIR}/zones ]; then echo "Shorewall-$version Zones at $HOSTNAME - $(date)" echo while read zone type hosts; do @@ -927,10 +931,10 @@ show_command() { for host in $hosts; do echo " $host" done - done < /var/lib/shorewall/zones + done < ${VARDIR}/zones echo else - echo " ERROR: /var/lib/shorewall/zones does not exist" >&2 + echo " ERROR: ${VARDIR}/zones does not exist" >&2 exit 1 fi ;; 
@@ -951,11 +955,11 @@ show_command() { echo "allowoutUPnP # Allow traffic from local command 'upnpd'" echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" echo "forwardUPnP # Allow traffic that upnpd has redirected from" - cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$' + cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' ;; macros) [ $# -gt 1 ] && usage 1 - for macro in /usr/share/shorewall/macro.*; do + for macro in ${SHAREDIR}/macro.*; do foo=`grep 'This macro' $macro | head -n 1` if [ -n "$foo" ]; then macro=${macro#*.} @@ -1164,14 +1168,14 @@ safe_commands() { progress_message3 "Compiling..." - if ! $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging nolock compile /var/lib/shorewall/.$command; then + if ! $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging nolock compile ${VARDIR}/.$command; then status=$? mutex_off exit $status fi RESTOREFILE=.safe - RESTOREPATH=/var/lib/shorewall/.safe + RESTOREPATH=${VARDIR}/.safe save_config @@ -1184,7 +1188,7 @@ safe_commands() { ;; esac - /var/lib/shorewall/.$command $command + ${VARDIR}/.$command $command echo -n "Do you want to accept the new firewall configuration? [y/n] " @@ -1192,9 +1196,9 @@ safe_commands() { echo "New configuration has been accepted" else if [ "$command" = "restart" ]; then - /var/lib/shorewall/.safe restore + ${VARDIR}/.safe restore else - /var/lib/shorewall/.$command clear + ${VARDIR}/.$command clear fi mutex_off @@ -1258,7 +1262,7 @@ restore_command() { exit 2 fi - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + RESTOREPATH=${VARDIR}/$RESTOREFILE export NOROUTES 
@@ -1273,10 +1277,10 @@ restore_command() { fi progress_message3 "Restoring Shorewall..." - $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" + $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "Shorewall restored from ${VARDIR}/$RESTOREFILE" [ -n "$nolock" ] || mutex_off else - echo "File /var/lib/shorewall/$RESTOREFILE: file not found" + echo "File ${VARDIR}/$RESTOREFILE: file not found" [ -n "$nolock" ] || mutex_off exit 2 fi @@ -1336,8 +1340,8 @@ usage() # $1 = exit status # Display the time that the counters were last reset # show_reset() { - [ -f /var/lib/shorewall/restarted ] && \ - echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \ + [ -f ${VARDIR}/restarted ] && \ + echo "Counters reset $(cat ${VARDIR}/restarted)" && \ echo } @@ -1512,7 +1516,7 @@ fi PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= -SHARED_DIR=/usr/share/shorewall +SHARED_DIR=${SHAREDIR} FIREWALL=$SHARED_DIR/firewall FUNCTIONS=$SHARED_DIR/functions VERSION_FILE=$SHARED_DIR/version @@ -1630,8 +1634,8 @@ case "$COMMAND" in status=4 fi - if [ -f /var/lib/shorewall/state ]; then - state="$(cat /var/lib/shorewall/state)" + if [ -f ${VARDIR}/state ]; then + state="$(cat ${VARDIR}/state)" case $state in Stopped*|Clear*) status=3 @@ -1862,7 +1866,7 @@ case "$COMMAND" in ;; esac - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + RESTOREPATH=${VARDIR}/$RESTOREFILE [ "$nolock" ] || mutex_on @@ -1884,7 +1888,7 @@ case "$COMMAND" in esac - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + RESTOREPATH=${VARDIR}/$RESTOREFILE if [ -x $RESTOREPATH ]; then @@ -1899,7 +1903,7 @@ case "$COMMAND" in elif [ -f $RESTOREPATH ]; then echo " $RESTOREPATH exists and is not a saved Shorewall configuration" fi - rm -f /var/lib/shorewall/save + rm -f ${VARDIR}/save ;; ipcalc) [ -n "$debugging" ] && set -x 
@@ -1954,7 +1958,7 @@ case "$COMMAND" in call) [ -n "$debugging" ] && set -x # - # Undocumented way to call functions in /usr/share/shorewall/functions directly + # Undocumented way to call functions in ${SHAREDIR}/functions directly # shift $@