Remove senseless synonyms from command set
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3424 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
97eaf708d3
commit
7085f1d417
@ -9047,7 +9047,7 @@ do_initialize() {
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [debug] check|{generate|compile} <filename>}"
|
||||
echo "Usage: $0 [debug] check|compile <filename>}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
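Review bot: The new usage string on the `check|compile` line still ends with a stray `}` left over from the old `{generate|compile}` alternation, so the message prints an unbalanced brace after `<filename>`. The replacement line should read `echo "Usage: $0 [debug] check|compile <filename>"`. The enclosing usage() is complete within the hunk.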
@ -9075,10 +9075,9 @@ case "$COMMAND" in
|
||||
compile_firewall
|
||||
;;
|
||||
|
||||
compile|generate)
|
||||
compile)
|
||||
[ $# -ne 2 ] && usage
|
||||
do_initialize
|
||||
COMMAND=compile
|
||||
compile_firewall $2
|
||||
;;
|
||||
|
||||
|
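Review bot: `COMMAND=compile` in the new `compile)` arm no longer has an observable effect, because the case selects on `"$COMMAND"` and the arm now matches only `compile`; the assignment existed to fold `generate` into `compile`. Unless do_initialize rewrites COMMAND (not visible here), the line can be dropped. The enclosing case statement starts and ends outside the hunk.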
@ -97,8 +97,6 @@ compile)
|
||||
other than where the compiled script will run. This option disables
|
||||
certain configuration options that require the script to be compiled
|
||||
where it is to be run.
|
||||
|
||||
'generate' is a synonym for 'compile'."
|
||||
;;
|
||||
|
||||
debug)
|
||||
@ -169,19 +167,6 @@ forget)
|
||||
See also \"help save\""
|
||||
;;
|
||||
|
||||
generate)
|
||||
echo "generate: generate [ -e ] [ <directory name> ] <file name>
|
||||
Compiles the current configuration into the executable file
|
||||
/var/lib/shorewall/<file name>
|
||||
|
||||
When -e is specified, the compilation is being performed on a system
|
||||
other than where the compiled script will run. This option disables
|
||||
certain configuration options that require the script to be compiled
|
||||
where it is to be run.
|
||||
|
||||
'compile' is a synonym for 'generate'."
|
||||
;;
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
@ -235,17 +220,6 @@ reject)
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
reload)
|
||||
echo "reload: reload [ -q ] [ -n ] [ <directory name> ]
|
||||
|
||||
Causes Shorewall to generate a new compiled restore file using the named directory
|
||||
as the first search directory for configuration file. If that generation is error-free,
|
||||
the generated restore file is executed.
|
||||
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
|
||||
If \"-n\" is specified, no changes to routing will be made"
|
||||
;;
|
||||
|
||||
reset)
|
||||
echo "reset: reset
|
||||
All the packet and byte counters in the firewall are reset."
|
||||
|
@ -32,6 +32,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall reload Reload the firewall
|
||||
# (same as restart)
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
#
|
||||
@ -75,9 +76,13 @@ case "$command" in
|
||||
start)
|
||||
exec /sbin/shorewall $OPTIONS $@
|
||||
;;
|
||||
stop|restart|status|reload)
|
||||
stop|restart|status)
|
||||
exec /sbin/shorewall $@
|
||||
;;
|
||||
reload)
|
||||
shift
|
||||
exec /sbin/shorewall restart $@
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
|
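Review bot: The new `reload)` arm re-executes with `$@` unquoted, so any argument containing whitespace or glob characters is re-split before it reaches /sbin/shorewall; `exec /sbin/shorewall restart "$@"` preserves the arguments as given (the adjacent `start)` and `stop|restart|status)` arms have the same pattern). The same unquoted expansion appears on the new compile exec line in compile_command (`$file`) and on the context lines `compile_firewall $2` and `compile_command $@` in the later case arms. The enclosing case statement starts outside the hunk.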
@ -2,7 +2,7 @@
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|version ]"
|
||||
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|restart|status|version ]"
|
||||
exit $1
|
||||
}
|
||||
################################################################################
|
||||
@ -79,18 +79,6 @@ case "$COMMAND" in
|
||||
progress_message3 "Starting Shorewall...."
|
||||
fi
|
||||
|
||||
define_firewall
|
||||
status=$?
|
||||
progress_message3 "done."
|
||||
;;
|
||||
reload)
|
||||
if shorewall_is_started; then
|
||||
progress_message3 "Reloading Shorewall...."
|
||||
else
|
||||
echo "Shorewall is not running" >&2
|
||||
progress_message3 "Starting Shorewall...."
|
||||
fi
|
||||
|
||||
define_firewall
|
||||
status=$?
|
||||
progress_message3 "done."
|
||||
|
@ -74,9 +74,9 @@ Migration Considerations:
|
||||
|
||||
New Features:
|
||||
|
||||
1) A new 'shorewall generate' command has been added.
|
||||
1) A new 'shorewall compile' command has been added.
|
||||
|
||||
shorewall generate [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
|
||||
shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
|
||||
file>
|
||||
|
||||
where:
|
||||
@ -85,7 +85,7 @@ file>
|
||||
-e Generates an error if the configuration uses
|
||||
an option that would prevent the generated
|
||||
script from running on a system other than
|
||||
where the 'generate' command is running (see
|
||||
where the 'compile' command is running (see
|
||||
additional consideration a) below).
|
||||
Also allows the generated script to run
|
||||
on a system without Shorewall installed.
|
||||
@ -95,14 +95,10 @@ file>
|
||||
/etc/shorewall/shorewall.conf.
|
||||
<script file> Is the name of the output file.
|
||||
|
||||
The 'generate' command processes the configuration and writes a script
|
||||
file which may then be executed (either directly or using the
|
||||
The 'compile' command processes the configuration and generates a
|
||||
script file which may then be executed (either directly or using the
|
||||
'shorewall restore' command) to configure the firewall.
|
||||
|
||||
'compile' is a synonym for 'generate':
|
||||
|
||||
shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script file>
|
||||
|
||||
The generated script contains error checking and will terminate if an
|
||||
important command fails. Before terminating:
|
||||
|
||||
@ -115,8 +111,8 @@ file>
|
||||
|
||||
Some additional considerations:
|
||||
|
||||
a) It is possible to run 'generate' ('compile') on one system and then
|
||||
run the generated script on another system but there are certain
|
||||
a) It is possible to run 'compile' on one system and then run the
|
||||
generated script on another system but there are certain
|
||||
limitations.
|
||||
|
||||
1) The same version of Shorewall must be running on the remote system
|
||||
@ -187,53 +183,12 @@ file>
|
||||
|
||||
__EOF__
|
||||
|
||||
In addition to 'generate', a 'shorewall reload' command has been added.
|
||||
|
||||
shorewall reload [ -v ] [ -q ] [ <config directory> ]
|
||||
|
||||
where -v, -q and <config directory> are as above.
|
||||
|
||||
The 'reload' command creates a script using 'generate' and if there are
|
||||
no errors, it then restores that script. It is equivalent to:
|
||||
|
||||
if shorewall generate /var/lib/shorewall/.reload; then
|
||||
restore .reload;
|
||||
fi
|
||||
|
||||
The advantage of using reload over restart is that reload results in new
|
||||
connections being dropped for a much shorter time. Here are the results
|
||||
of tests that I conducted on my own firewall:
|
||||
|
||||
A) shorewall restart (Shorewall 3.0.4)
|
||||
|
||||
real 0m17.540s
|
||||
user 0m5.956s
|
||||
sys 0m10.737s
|
||||
|
||||
B) ./foo restart # foo created using "shorewall compile"
|
||||
|
||||
real 0m3.505s
|
||||
user 0m1.332s
|
||||
sys 0m2.164s
|
||||
|
||||
|
||||
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
|
||||
# "shorewall save"
|
||||
|
||||
real 0m1.164s
|
||||
user 0m0.556s
|
||||
sys 0m0.608s
|
||||
|
||||
The time difference between B and C reflects the difference between
|
||||
"iptables-restore" and multiple executions of "iptables". The system is
|
||||
a 1.4Ghz Celeron with 512MB RAM.
|
||||
|
||||
Compilation generates a complete program. This program is suitable for
|
||||
installation into /etc/init.d and, when generated with the "-e" option,
|
||||
can serve as your firewall on a system that doesn't even have Shorewall
|
||||
installed.
|
||||
|
||||
The program supports the following commands:
|
||||
The generated program supports the following commands:
|
||||
|
||||
<program> [ -q ] [ -v ] [ -n ] start
|
||||
<program> [ -q ] [ -v ] [ -n ] stop
|
||||
@ -246,13 +201,49 @@ file>
|
||||
rewritten to use compilation. They both compile a temporary program
|
||||
then run it. This results in a slightly longer elapsed time than the
|
||||
similar commands required under earlier versions of Shorewall but new
|
||||
connections are blocked for a much smaller percentage of that time as
|
||||
shown by the numbers above. Under Shorewall 3.1.4, "shorewall restart"
|
||||
takes roughly 18.5 seconds on my firewall:
|
||||
connections are blocked for a much smaller percentage of that time.
|
||||
|
||||
real 0m18.529s
|
||||
user 0m6.240s
|
||||
sys 0m10.165s
|
||||
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
|
||||
on my firewall:
|
||||
|
||||
real 0m16.599s
|
||||
user 0m6.292s
|
||||
sys 0m9.885s
|
||||
|
||||
Of the elapsed 16.5 seconds, new connections are disabled less than
|
||||
3.5 seconds. Here are some numbers for comparison:
|
||||
|
||||
A) shorewall restart (Shorewall 3.0.4)
|
||||
|
||||
real 0m17.540s
|
||||
user 0m5.956s
|
||||
sys 0m10.737s
|
||||
|
||||
B) ./foo restart # foo created using "shorewall compile"
|
||||
|
||||
real 0m3.297s
|
||||
user 0m1.444s
|
||||
sys 0m1.728s
|
||||
|
||||
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
|
||||
# "shorewall save"
|
||||
|
||||
real 0m1.164s
|
||||
user 0m0.556s
|
||||
sys 0m0.608s
|
||||
|
||||
D) shorewall restore (shorewall 3.1.5)
|
||||
|
||||
real 0m1.637s
|
||||
user 0m0.728s
|
||||
sys 0m0.584s
|
||||
|
||||
The time difference between B and C reflects the difference between
|
||||
"iptables-restore" and multiple executions of "iptables". The time
|
||||
difference between C and D results from the fact that the "restore"
|
||||
command in Shorewall 3.1 runs the compiled program in a way that
|
||||
turns all iptables commands into no-ops then invokes
|
||||
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
|
||||
|
||||
As a final part of this change, the "check" command now compiles the
|
||||
current configuration then discards the generated script. So "check"
|
||||
|
@ -110,10 +110,8 @@
|
||||
# confirmation to accept or reject the new
|
||||
# configuration
|
||||
#
|
||||
# shorewall {generate|compile} [ <directory> ] ]<filename>
|
||||
# Compile a pseudo restore file.
|
||||
#
|
||||
# shorewall reload [ <directory name> ] Safe reload
|
||||
# shorewall compile [ <directory> ] ]<filename>
|
||||
# Compile a firewall program file.
|
||||
#
|
||||
# Fatal Error
|
||||
#
|
||||
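Review bot: The rewritten synopsis comment `# shorewall compile [ <directory> ] ]<filename>` carries over a stray `]` before `<filename>` from the old line, so the documented syntax does not parse as written. It should read `# shorewall compile [ <directory> ] <filename>`, and since the release-notes synopsis in this same commit lists `[ -e ]` for the command, the comment could mention that option too if it is still accepted.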
@ -690,7 +688,7 @@ compile_command() {
|
||||
|
||||
export EXPORT
|
||||
|
||||
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging generate $file
|
||||
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file
|
||||
}
|
||||
#
|
||||
# Check Command Executor
|
||||
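Review bot: The new compiler invocation in compile_command passes `$debugging` but not `$nolock`, whereas check_command's context line in the next hunk runs `$debugging $nolock check`, and the reload_command being deleted also passed `$nolock` to the compiler's `compile` verb. If the compiler takes the mutex unless told otherwise, `compile` would ignore the caller's no-lock request; `exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile "$file"` would keep the call sites consistent, though whether nolock matters for compile cannot be confirmed from here. compile_command's body starts outside the hunk.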
@ -758,84 +756,6 @@ check_command() {
|
||||
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Reload Command Executor
|
||||
#
|
||||
reload_command() {
|
||||
local finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
case $option in
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
-)
|
||||
finished=1
|
||||
option=
|
||||
;;
|
||||
q*)
|
||||
VERBOSE=$(($VERBOSE - 1 ))
|
||||
option=${option#q}
|
||||
;;
|
||||
v*)
|
||||
VERBOSE=$(($VERBOSE + 1 ))
|
||||
option=${option#v}
|
||||
;;
|
||||
n*)
|
||||
NOROUTES=Yes
|
||||
option=${option#n}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
finished=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
echo "$1 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $1 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$1
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
export NOROUTES
|
||||
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.reload; then
|
||||
/var/lib/shorewall/.reload reload
|
||||
fi
|
||||
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
#
|
||||
@ -1375,7 +1295,6 @@ usage() # $1 = exit status
|
||||
echo " drop <address> ..."
|
||||
echo " dump"
|
||||
echo " forget [ <file name> ]"
|
||||
echo " generate [ -e ] [ <directory name> ] <path name>"
|
||||
echo " help [ <command > | host | address ]"
|
||||
echo " hits"
|
||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||
@ -1385,7 +1304,6 @@ usage() # $1 = exit status
|
||||
echo " refresh"
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " reload [ <directory> ]"
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
@ -1660,7 +1578,7 @@ case "$COMMAND" in
|
||||
export NOROUTES
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
|
||||
;;
|
||||
compile|generate)
|
||||
compile)
|
||||
shift
|
||||
|
||||
compile_command $@
|
||||
@ -1677,12 +1595,6 @@ case "$COMMAND" in
|
||||
|
||||
check_command $@
|
||||
|
||||
;;
|
||||
reload)
|
||||
shift
|
||||
|
||||
reload_command $@
|
||||
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -lt 3 ] && usage 1
|
||||
|