Run extension scripts at run-time as always

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-02-20 22:28:47 +00:00
parent ddb1b95ae7
commit adfbc8434c
3 changed files with 78 additions and 117 deletions


@ -82,3 +82,8 @@ Changes in 3.1.x.
36) Restore log messages. 36) Restore log messages.
37) Fix "shorewall capabilities" with VERBOSITY < 2. 37) Fix "shorewall capabilities" with VERBOSITY < 2.
-------------------------------------------------------------------------------
3.1.7
38) Remove compile-time running of extension scripts.


@ -100,9 +100,12 @@ progress_message_and_save()
# #
append_file() # $1 = File Name append_file() # $1 = File Name
{ {
save_command "cat > /var/lib/shorewall/$1 << __EOF__" local user_exit=$(find_file $1)
cat $STATEDIR/$1 >&3
save_command_unindented __EOF__ if [ -f $user_exit ]; then
save_progress_message "Processing $user_exit ..."
eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3
fi
} }
# #
@ -3335,11 +3338,8 @@ setup_tc1() {
run_iptables -t mangle -A POSTROUTING -j tcpost run_iptables -t mangle -A POSTROUTING -j tcpost
if [ -n "$TC_SCRIPT" ]; then if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT
save_progress_message "Setting up Traffic Control..." save_progress_message "Setting up Traffic Control..."
save_command . $TC_SCRIPT append_file $TC_SCRIPT
elif [ -n "$TC_ENABLED" ]; then elif [ -n "$TC_ENABLED" ]; then
setup_traffic_shaping setup_traffic_shaping
fi fi
@ -3365,7 +3365,7 @@ delete_tc()
save_progress_message "Clearing Traffic Control/QOS" save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear append_file tcclear
cat >&3 << __EOF__ cat >&3 << __EOF__
${INDENT}ip link list | while read inx interface details; do ${INDENT}ip link list | while read inx interface details; do
@ -4048,6 +4048,23 @@ process_action() # $1 = chain (Chain to add the rules to)
save_progress_message_short " Rule \"$rule\" added." save_progress_message_short " Rule \"$rule\" added."
} }
#
# Append a file in /var/lib/shorewall to $OUTPUT
#
append_action_file() # $1 = File Name
{
local user_exit=$(find_file $1)
if [ -f $user_exit ]; then
save_progress_message "Processing $user_exit ..."
save_command "CHAIN=$CHAIN"
save_command "LEVEL=$LEVEL"
save_command "TAG=$TAG"
eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3
fi
}
# #
# Create and record a log action chain -- Log action chains have names # Create and record a log action chain -- Log action chains have names
# that are formed from the action name by prepending a "%" and appending # that are formed from the action name by prepending a "%" and appending
@ -4101,7 +4118,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
[ none = "${LEVEL%\!}" ] && LEVEL= [ none = "${LEVEL%\!}" ] && LEVEL=
run_user_exit $1 append_action_file $1
eval ${action}_chains=\"\$${action}_chains $level $CHAIN\" eval ${action}_chains=\"\$${action}_chains $level $CHAIN\"
@ -4130,7 +4147,8 @@ createactionchain() # $1 = Action, including log level and tag if any
LEVEL= LEVEL=
TAG= TAG=
createchain $CHAIN no createchain $CHAIN no
run_user_exit $CHAIN
append_action_file $CHAIN
;; ;;
esac esac
} }
@ -6381,7 +6399,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
local loglevel= local loglevel=
local policychain= local policychain=
run_user_exit $1 append_file $1
eval policychain=\$${2}2${3}_policychain eval policychain=\$${2}2${3}_policychain
@ -7080,7 +7098,7 @@ initialize_netfilter () {
determine_interfaces determine_interfaces
determine_hosts determine_hosts
run_user_exit init append_file init
# #
# Some files might be large so strip them while the firewall is still running # Some files might be large so strip them while the firewall is still running
@ -7182,7 +7200,7 @@ initialize_netfilter () {
save_command "ipset -R < $f" save_command "ipset -R < $f"
fi fi
run_user_exit continue append_file continue
f=$(find_file routestopped) f=$(find_file routestopped)
@ -7331,7 +7349,7 @@ __EOF__
createactionchain $action createactionchain $action
done done
run_user_exit initdone append_file initdone
# #
# Process Black List # Process Black List
@ -7765,7 +7783,7 @@ apply_policy_rules() {
for zone1 in $FW $ZONES; do for zone1 in $FW $ZONES; do
chain=${zone}2${zone1} chain=${zone}2${zone1}
if havechain $chain; then if havechain $chain; then
run_user_exit $chain append_file $chain
default_policy $zone $zone1 default_policy $zone $zone1
fi fi
done done
@ -8146,7 +8164,11 @@ stop_firewall() {
determine_capabilities determine_capabilities
run_user_exit stop __EOF__
append_file stop
cat >&3 << __EOF__
if [ -n "\$MANGLE_ENABLED" ]; then if [ -n "\$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F run_iptables -t mangle -F
@ -8297,9 +8319,9 @@ __EOF__
;; ;;
esac esac
cat >&3 << __EOF__ append_file stopped
run_user_exit stopped cat >&3 << __EOF__
set_state "Stopped" set_state "Stopped"
@ -8419,8 +8441,9 @@ __EOF__
__EOF__ __EOF__
fi fi
append_file clear
cat >&3 << __EOF__ cat >&3 << __EOF__
run_user_exit clear
set_state "Cleared" set_state "Cleared"
@ -8639,7 +8662,9 @@ __EOF__
fi fi
for file in chains nat proxyarp zones; do for file in chains nat proxyarp zones; do
append_file $file save_command "cat > /var/lib/shorewall/$file << __EOF__"
cat $STATEDIR/$file >&3
save_command_unindented __EOF__
done done
cat >&3 << __EOF__ cat >&3 << __EOF__
@ -8651,7 +8676,7 @@ __EOF__
__EOF__ __EOF__
save_command "date > /var/lib/shorewall/restarted" save_command "date > /var/lib/shorewall/restarted"
run_user_exit start append_file start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
@ -8659,7 +8684,7 @@ __EOF__
save_command set_state "Started" save_command set_state "Started"
run_user_exit started append_file started
cat >&3 << __EOF__ cat >&3 << __EOF__
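Review bot: In the new `append_file` body (the hunk headed `append_file() # $1 = File Name`) the path returned by `find_file` is tested with `[ -f $user_exit ]` unquoted; if `find_file` ever yields an empty string, `[ -f ]` evaluates true and the following `sed` reads stdin into the compiled program instead of the intended file, and a path containing whitespace breaks the test the same way. Quote it: `if [ -f "$user_exit" ]; then`. The same branch copies the user script with `eval sed \'s\/^/"$INDENT"\/\' $user_exit >&3`, where the `eval` is not needed and re-parses the file path as shell text; `sed "s/^/$INDENT/" "$user_exit" >&3` produces the same output without a second round of word splitting or expansion. The new `append_action_file` in the later hunk repeats both lines verbatim, so the same fix applies there, or it could emit its three `save_command` lines and then call `append_file "$1"` so the copy logic lives in one place. The `local user_exit=$(find_file $1)` form also hides the exit status of `find_file`, which matters only if `find_file` can fail — worth confirming against its definition, which is outside this diff.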


@ -1,4 +1,4 @@
Shorewall 3.1.7 Shorewall 3.1.8
Note to users upgrading from Shorewall 2.x or 3.0 Note to users upgrading from Shorewall 2.x or 3.0
@ -27,38 +27,19 @@ Note to users upgrading from Shorewall 2.x or 3.0
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.1.7 Problems Corrected in 3.1.8
1) Extra rules in maclist verification have been removed. The superfluous None.
rules were present when MACLIST_DISPOSITION=ACCEPT and
MACLIST_LOG_LEVEL="".
2) The Makefile installed in /etc/shorewall/ was incorrect so that Other changes in 3.1.8
a re-compilation always occured even if the restore file was
current.
3) Log messages for "started", "restarted" and "restored" are once again 1) The sillyness having to do with running certain extension scripts at
generated. compile time has been eliminated. When a configuration is compiled,
the scripts are copied unmodified (except for indentation) into the
compiled program.
4) If VERBOSITY was set to a value less than 2, then "shorewall show Note: The /etc/shorewall/params file is still processed at
capabilities" produced no output. compile-time.
Other changes in 3.1.7
1) 'tcpsyn' has been changed to 'tcp:syn' (tcpsyn was added in 3.1.6).
This new syntax is easier to extend in the future than was the old.
2) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #
Migration Considerations: Migration Considerations:
@ -170,31 +151,11 @@ New Features:
file included in this release includes instructions for its file included in this release includes instructions for its
use. use.
b) If you have extension scripts, they may need modification. Some of b) If you run the "shorewall compile" or "shorewall check" commands under
the scripts will be run at compile time, rather than when the
generated script is executed. The standard functions like
'run_iptables' and 'log_rule_limit' will write the iptables command
to the script file rather than executing the command. As always, you
can check $COMMAND to determine which shorewall command is being
executed.
Extension Scripts that are run at compile time rather than at
run-time are:
- params
- init
- continue
- initdone
- start
- started
- All scripts associated with a given chain such as Action
chains
c) If you run the "shorewall compile" or "shorewall check" commands under
a user other than 'root', then you must supply a user other than 'root', then you must supply
/etc/shorewall/capabilities. /etc/shorewall/capabilities.
d) To aid in building /etc/shorewall/capabilities, a 'shorecap' program c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
is provided. The RPM installs the program in the documentation is provided. The RPM installs the program in the documentation
directory. The install.sh script does not install the program. directory. The install.sh script does not install the program.
@ -206,50 +167,6 @@ New Features:
For instructions about running shorecap, see the comments at the For instructions about running shorecap, see the comments at the
top of the program file (it's a simple shell script). top of the program file (it's a simple shell script).
If you need to interject run-time code into the generated script then
you need to write it to file descriptor 3. Here is an example of creating
tap device tap0 and adding it to bridge xenbr0; the text will be indented
to line up with the surrounding text:
cat >&3 << __EOF__
${INDENT}if ! qt /sbin/ip link ls dev tap0; then
${INDENT} /usr/sbin/openvpn --mktun --dev tap0
${INDENT} /sbin/ip link set dev tap0 up
${INDENT} /sbin/brctl addif xenbr0 tap0
${INDENT}fi
__EOF__
This results in the following code in the script:
if ! qt /sbin/ip link ls dev tap0; then
/usr/sbin/openvpn --mktun --dev tap0
/sbin/ip link set dev tap0 up
/sbin/brctl addif xenbr0 tap0
fi
(Yes -- there is an extra blank line at the end)
If you need to expand variables in the generated text, be sure to escape
the '$' symbol.
Example:
cat >&3 << __EOF__
${INDENT}addr=\$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
${INDENT}if [ -n "\$addr" ]; then
${INDENT} addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
${INDENT} for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
${INDENT} if in_network \$addr \$network; then
${INDENT} startup_error "The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface"
${INDENT} fi
${INDENT} done
${INDENT}fi
__EOF__
Compilation generates a complete program. This program is suitable for Compilation generates a complete program. This program is suitable for
installation into /etc/init.d and, when generated with the "-e" option, installation into /etc/init.d and, when generated with the "-e" option,
can serve as your firewall on a system that doesn't even have Shorewall can serve as your firewall on a system that doesn't even have Shorewall
@ -389,3 +306,17 @@ New Features:
As part of this change, Shorewall no longer adds the "--syn" option As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target. to TCP rules that specify QUEUE as their target.
6) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #