Remove sensless synonyms from command set

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3424 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-02-03 15:10:46 +00:00
parent 97eaf708d3
commit 7085f1d417
6 changed files with 63 additions and 194 deletions


@ -9047,7 +9047,7 @@ do_initialize() {
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [debug] check|{generate|compile} <filename>}" echo "Usage: $0 [debug] check|compile <filename>}"
exit 1 exit 1
} }
@ -9075,10 +9075,9 @@ case "$COMMAND" in
compile_firewall compile_firewall
;; ;;
compile|generate) compile)
[ $# -ne 2 ] && usage [ $# -ne 2 ] && usage
do_initialize do_initialize
COMMAND=compile
compile_firewall $2 compile_firewall $2
;; ;;
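Review bot: `compile_firewall $2` in the `compile)` arm passes the output filename unquoted, so a path containing whitespace or glob characters is split or expanded before the compiler sees it; as this script presumably runs as root to write a firewall program, it should be `compile_firewall "$2"`. The same unquoted forwarding appears in the init script's new `reload)` arm, where `exec /sbin/shorewall restart $@` should be `exec /sbin/shorewall restart "$@"`, and in `compile_command`'s `$debugging compile $file` line, where `$file` should be quoted while `$debugging` presumably stays unquoted so that an empty value disappears. The new usage string also still ends in a stray `}` left over from the old `{generate|compile}` grouping; it should read `echo "Usage: $0 [debug] check|compile <filename>"`. The `case "$COMMAND"` statement begins and ends outside this hunk.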


@ -97,8 +97,6 @@ compile)
other than where the compiled script will run. This option disables other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled certain configuration options that require the script to be compiled
where it is to be run. where it is to be run.
'generate' is a synonym for 'compile'."
;; ;;
debug) debug)
@ -169,19 +167,6 @@ forget)
See also \"help save\"" See also \"help save\""
;; ;;
generate)
echo "generate: generate [ -e ] [ <directory name> ] <file name>
Compiles the current configuration into the executable file
/var/lib/shorewall/<file name>
When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
'compile' is a synonym for 'generate'."
;;
help) help)
echo "help: help [<command> | host | address ] echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands." Display helpful information about the shorewall commands."
@ -235,17 +220,6 @@ reject)
See also \"help address\"" See also \"help address\""
;; ;;
reload)
echo "reload: reload [ -q ] [ -n ] [ <directory name> ]
Causes Shorewall to generate a new compiled restore file using the named directory
as the first search directory for configuration file. If that generation is error-free,
the generated restore file is executed.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
If \"-n\" is specified, no changes to routing will be made"
;;
reset) reset)
echo "reset: reset echo "reset: reset
All the packet and byte counters in the firewall are reset." All the packet and byte counters in the firewall are reset."


@ -32,6 +32,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall reload Reload the firewall # shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# #
@ -75,9 +76,13 @@ case "$command" in
start) start)
exec /sbin/shorewall $OPTIONS $@ exec /sbin/shorewall $OPTIONS $@
;; ;;
stop|restart|status|reload) stop|restart|status)
exec /sbin/shorewall $@ exec /sbin/shorewall $@
;; ;;
reload)
shift
exec /sbin/shorewall restart $@
;;
*) *)
usage usage
;; ;;


@ -2,7 +2,7 @@
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reload|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|restart|status|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -79,18 +79,6 @@ case "$COMMAND" in
progress_message3 "Starting Shorewall...." progress_message3 "Starting Shorewall...."
fi fi
define_firewall
status=$?
progress_message3 "done."
;;
reload)
if shorewall_is_started; then
progress_message3 "Reloading Shorewall...."
else
echo "Shorewall is not running" >&2
progress_message3 "Starting Shorewall...."
fi
define_firewall define_firewall
status=$? status=$?
progress_message3 "done." progress_message3 "done."


@ -74,9 +74,9 @@ Migration Considerations:
New Features: New Features:
1) A new 'shorewall generate' command has been added. 1) A new 'shorewall compile' command has been added.
shorewall generate [ -v ] [ -q ] [ -e ] [ <config directory> ] <script shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
file> file>
where: where:
@ -85,7 +85,7 @@ file>
-e Generates an error if the configuration uses -e Generates an error if the configuration uses
an option that would prevent the generated an option that would prevent the generated
script from running on a system other than script from running on a system other than
where the 'generate' command is running (see where the 'compile' command is running (see
additional consideration a) below). additional consideration a) below).
Also allows the generated script to run Also allows the generated script to run
on a system without Shorewall installed. on a system without Shorewall installed.
@ -95,14 +95,10 @@ file>
/etc/shorewall/shorewall.conf. /etc/shorewall/shorewall.conf.
<script file> Is the name of the output file. <script file> Is the name of the output file.
The 'generate' command processes the configuration and writes a script The 'compile' command processes the configuration and generates a
file which may then be executed (either directly or using the script file which may then be executed (either directly or using the
'shorewall restore' command) to configure the firewall. 'shorewall restore' command) to configure the firewall.
'compile' is a synonym for 'generate':
shorewall compile [ -v ] [ -q ] [ -e ] [ <config directory> ] <script file>
The generated script contains error checking and will terminate if an The generated script contains error checking and will terminate if an
important command fails. Before terminating: important command fails. Before terminating:
@ -115,8 +111,8 @@ file>
Some additional considerations: Some additional considerations:
a) It is possible to run 'generate' ('compile') on one system and then a) It is possible to run 'compile' on one system and then run the
run the generated script on another system but there are certain generated script on another system but there are certain
limitations. limitations.
1) The same version of Shorewall must be running on the remote system 1) The same version of Shorewall must be running on the remote system
@ -187,53 +183,12 @@ file>
__EOF__ __EOF__
In addition to 'generate', a 'shorewall reload' command has been added.
shorewall reload [ -v ] [ -q ] [ <config directory> ]
where -v, -q and <config directory> are as above.
The 'reload' command creates a script using 'generate' and if there are
no errors, it then restores that script. It is equivalent to:
if shorewall generate /var/lib/shorewall/.reload; then
restore .reload;
fi
The advantage of using reload over restart is that reload results in new
connections being dropped for a much shorter time. Here are the results
of tests that I conducted on my own firewall:
A) shorewall restart (Shorewall 3.0.4)
real    0m17.540s
user    0m5.956s
sys     0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real    0m3.505s
user    0m1.332s
sys     0m2.164s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real    0m1.164s
user    0m0.556s
sys     0m0.608s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The system is
a 1.4Ghz Celeron with 512MB RAM.
Compilation generates a complete program. This program is suitable for Compilation generates a complete program. This program is suitable for
installation into /etc/init.d and, when generated with the "-e" option, installation into /etc/init.d and, when generated with the "-e" option,
can serve as your firewall on a system that doesn't even have Shorewall can serve as your firewall on a system that doesn't even have Shorewall
installed. installed.
The program supports the following commands: The generated program supports the following commands:
<program> [ -q ] [ -v ] [ -n ] start <program> [ -q ] [ -v ] [ -n ] start
<program> [ -q ] [ -v ] [ -n ] stop <program> [ -q ] [ -v ] [ -n ] stop
@ -246,13 +201,49 @@ file>
rewritten to use compilation. They both compile a temporary program rewritten to use compilation. They both compile a temporary program
then run it. This results in a slightly longer elapsed time than the then run it. This results in a slightly longer elapsed time than the
similar commands required under earlier versions of Shorewall but new similar commands required under earlier versions of Shorewall but new
connections are blocked for a much smaller percentage of that time as connections are blocked for a much smaller percentage of that time.
shown by the numbers above. Under Shorewall 3.1.4, "shorewall restart"
takes roughly 18.5 seconds on my firewall:
real 0m18.529s Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
user 0m6.240s on my firewall:
sys 0m10.165s
real 0m16.599s
user 0m6.292s
sys 0m9.885s
Of the elapsed 16.5 seconds, new connections are disabled less than
3.5 seconds. Here are some numbers for comparison:
A) shorewall restart (Shorewall 3.0.4)
real    0m17.540s
user    0m5.956s
sys     0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real 0m3.297s
user 0m1.444s
sys 0m1.728s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real    0m1.164s
user    0m0.556s
sys     0m0.608s
D) shorewall restore (shorewall 3.1.5)
real 0m1.637s
user 0m0.728s
sys 0m0.584s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The time
difference between C and D results from the fact that the "restore"
command in Shorewall 3.1 runs the compiled program in a way that
turns all iptables commands into no-ops then invokes
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
As a final part of this change, the "check" command now compiles the As a final part of this change, the "check" command now compiles the
current configuration then discards the generated script. So "check" current configuration then discards the generated script. So "check"


@ -110,10 +110,8 @@
# confirmation to accept or reject the new # confirmation to accept or reject the new
# configuration # configuration
# #
# shorewall {generate|compile} [ <directory> ] ]<filename> # shorewall compile [ <directory> ] ]<filename>
# Compile a pseudo restore file. # Compile a firewall program file.
#
# shorewall reload [ <directory name> ] Safe reload
# #
# Fatal Error # Fatal Error
# #
@ -690,7 +688,7 @@ compile_command() {
export EXPORT export EXPORT
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging generate $file exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging compile $file
} }
# #
# Check Command Executor # Check Command Executor
@ -758,84 +756,6 @@ check_command() {
exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check exec $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock check
} }
#
# Reload Command Executor
#
reload_command() {
local finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
q*)
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
v*)
VERBOSE=$(($VERBOSE + 1 ))
option=${option#v}
;;
n*)
NOROUTES=Yes
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$1
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
export NOROUTES
[ -n "$nolock" ] || mutex_on
progress_message3 "Compiling..."
if $SHOREWALL_SHELL /usr/share/shorewall/compiler $debugging $nolock compile /var/lib/shorewall/.reload; then
/var/lib/shorewall/.reload reload
fi
[ -n "$nolock" ] || mutex_off
}
# #
# Restart Command Executor # Restart Command Executor
# #
@ -1375,7 +1295,6 @@ usage() # $1 = exit status
echo " drop <address> ..." echo " drop <address> ..."
echo " dump" echo " dump"
echo " forget [ <file name> ]" echo " forget [ <file name> ]"
echo " generate [ -e ] [ <directory name> ] <path name>"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }" echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
@ -1385,7 +1304,6 @@ usage() # $1 = exit status
echo " refresh" echo " refresh"
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " reload [ <directory> ]"
echo " restart [ <directory> ]" echo " restart [ <directory> ]"
echo " restore [ <file name> ]" echo " restore [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
@ -1660,7 +1578,7 @@ case "$COMMAND" in
export NOROUTES export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
;; ;;
compile|generate) compile)
shift shift
compile_command $@ compile_command $@
@ -1677,12 +1595,6 @@ case "$COMMAND" in
check_command $@ check_command $@
;;
reload)
shift
reload_command $@
;; ;;
add|delete) add|delete)
[ $# -lt 3 ] && usage 1 [ $# -lt 3 ] && usage 1
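Review bot: The rewritten header comment for `compile` keeps an unbalanced bracket (`[ <directory> ] ]<filename>`) and does not mention `-e`, which the release notes in this same commit list for the command; `# shorewall compile [ -e ] [ <directory> ] <filename>` would match them. The `usage()` hunks only show the `generate` and `reload` lines being removed, so it is worth confirming that a `compile` line exists in the part of `usage()` that lies outside the hunk.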