Support SAFESTOP under systemd
By default, in Debian and its derivatives, stopping the Shorewall service executes `/sbin/shorewall clear`. The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the service by calling `/sbin/shorewall stop`. However, the systemd service files do not support this. Instead, install a shell-script that sources /etc/default/shorewall and honours `SAFESTOP` when stopping Shorewall and patch the service files to call it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
parent aae5baedfd
commit badf2fc9f0
@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
|
|||||||
|
|
||||||
echo
|
echo
|
||||||
echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
|
echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
|
||||||
|
#
|
||||||
|
# Install stop_service
|
||||||
|
#
|
||||||
|
if [ -n "${STOPSERVICEFILE}" ]; then
|
||||||
|
install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
|
||||||
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install the libraries
|
# Install the libraries
|
||||||
|
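Review bot: the install step is guarded by `if [ -n "${STOPSERVICEFILE}" ]`, but the unit-file hunks in this commit switch ExecStop to the script without any matching condition. If a shorewallrc that installs these unit files leaves STOPSERVICEFILE empty, the service ends up with an ExecStop pointing at a file that was never installed, and stopping it would neither clear nor stop the firewall. Either make the unit-file change depend on the same variable or fail the install when the units are installed and STOPSERVICEFILE is unset. `${STOPSERVICEFILE}` is also passed to install_file unquoted; quoting it costs nothing.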
@ -22,3 +22,4 @@ SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
||||||
|
STOPSERVICEFILE=stop_service.debian #Name of script to stop systemd service that honours `SAFESTOP`.
|
||||||
|
19
Shorewall-core/stop_service.debian
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
PRODUCT=$1
|
||||||
|
|
||||||
|
. /etc/default/${PRODUCT}
|
||||||
|
|
||||||
|
if [ "$SAFESTOP" = 1 ]; then
|
||||||
|
COMMAND=stop
|
||||||
|
else
|
||||||
|
COMMAND=clear
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${PRODUCT}" = shorewall6 ]; then
|
||||||
|
EXEC="/sbin/shorewall -6"
|
||||||
|
else
|
||||||
|
EXEC="/sbin/${PRODUCT}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec ${EXEC} ${OPTIONS} ${COMMAND}
|
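Review bot: `. /etc/default/${PRODUCT}` sources the defaults file unconditionally, yet the unit files in this commit declare the same file as `EnvironmentFile=-/etc/default/...`, where the leading `-` marks it as optional. In a POSIX sh a failed `.` aborts a non-interactive script, so with the file absent the script exits before reaching `exec` and ExecStop runs neither `stop` nor `clear`. Guard the line, for example `[ -r "/etc/default/${PRODUCT}" ] && . "/etc/default/${PRODUCT}"`, so that a missing file falls through to the `clear` default. `$1` also goes unchecked into both the sourced path and `/sbin/${PRODUCT}`; a `case` that accepts only the four product names the unit files pass, and exits non-zero otherwise, would make the expected input explicit.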
@ -17,7 +17,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall-lite
|
EnvironmentFile=-/etc/default/shorewall-lite
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall-lite $OPTIONS clear
|
ExecStop=/usr/share/shorewall/stop_service shorewall-lite
|
||||||
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
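Review bot: the new `ExecStop=/usr/share/shorewall/stop_service shorewall-lite` hard-codes the script's directory, while the install.sh hunk in this commit places the script at `${DESTDIR}${LIBEXECDIR}/shorewall/stop_service`. The two agree only when LIBEXECDIR resolves to /usr/share; with any other value the unit points at a path where nothing was installed. Either substitute the configured directory into the unit at install time or document that these unit files require that layout. The same hard-coded path is used in the other three unit files changed below.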
@ -17,7 +17,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall
|
EnvironmentFile=-/etc/default/shorewall
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall $OPTIONS clear
|
ExecStop=/usr/share/shorewall/stop_service shorewall
|
||||||
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@ -17,7 +17,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall6-lite
|
EnvironmentFile=-/etc/default/shorewall6-lite
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
||||||
ExecStop=/sbin/shorewall6-lite $OPTIONS clear
|
ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
|
||||||
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@ -18,7 +18,7 @@ RemainAfterExit=yes
|
|||||||
EnvironmentFile=-/etc/default/shorewall6
|
EnvironmentFile=-/etc/default/shorewall6
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
||||||
ExecStop=/sbin/shorewall -6 $OPTIONS clear
|
ExecStop=/usr/share/shorewall/stop_service shorewall6
|
||||||
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@ -206,12 +206,12 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>systemd</title>
|
<title>systemd</title>
|
||||||
|
|
||||||
<para>As with SysV init described in the preceeding section, the behavior
|
<para>As with SysV init described in the preceeding section, the behavior of
|
||||||
of systemctl commands differ from the Shorewall CLI commands on
|
systemctl commands differ from the Shorewall CLI commands on Debian-based
|
||||||
Debian-based systems. To make systemctl stop shorewall[-lite] and
|
systems. In versions of Shorewall before 5.2.9, to make <command>systemctl
|
||||||
systemctl restart shorewall[-lite] behave like shorewall stop and
|
stop shorewall</command> and <command>systemctl restart shorewall</command>
|
||||||
shorewall restart, use this workaround provided by J Cliff
|
behave like <command>shorewall stop</command> and <command>shorewall
|
||||||
Armstrong:</para>
|
restart</command>, use this workaround provided by J Cliff Armstrong:</para>
|
||||||
|
|
||||||
<para> Type (as root):</para>
|
<para> Type (as root):</para>
|
||||||
|
|
||||||
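Review bot: the rewrapped paragraph still carries the misspelling `preceeding`; since every line of it is being touched anyway, correct it to `preceding` here. The new wording also drops `[-lite]` from the two systemctl commands, so the text now names only `shorewall`, although the section goes on to say the workaround applies to the other products; keep the suffix or say explicitly that `shorewall` stands for any of them.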
@ -231,10 +231,14 @@ ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
|
|||||||
|
|
||||||
<para>to activate the changes. This change will survive future updates of
|
<para>to activate the changes. This change will survive future updates of
|
||||||
the shorewall package from apt repositories. The override file itself will
|
the shorewall package from apt repositories. The override file itself will
|
||||||
be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
|
be saved to <filename>/etc/systemd/system/shorewall.service.d/</filename>.</para>
|
||||||
|
|
||||||
<para>The same workaround may be applied to the other Shorewall products
|
<para>The same workaround may be applied to the other Shorewall products
|
||||||
(excluding Shorewall Init).</para>
|
(excluding Shorewall Init).</para>
|
||||||
|
|
||||||
|
<para>From Shorewall 5.2.9 onwards, the systemd service files have been
|
||||||
|
updated to execute a shell script that obeys the SAFESTOP setting to stop
|
||||||
|
the firewall, and the workaround is no longer necessary.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Trace">
|
<section id="Trace">
|
||||||
|
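Review bot: the added paragraph says the script "obeys the SAFESTOP setting" but does not tell the reader where that setting lives or what it does. Going by stop_service.debian in this commit, the script reads /etc/default/<product> and runs `stop` only when SAFESTOP is exactly `1`, otherwise `clear`. State that in the paragraph, including that `clear` remains the default, so an administrator knows that a stopped service leaves the host with no rules unless SAFESTOP=1 is set.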