diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index a1b89ea37..b38455f9f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3430,9 +3430,11 @@ sub generate_aux_config() {
 if ( -f $fn ) {
 emit( '',
- 'cat << __EOF__ > ${VARDIR}/scfilter' );
- append_file( $fn,1,1 ) or emit_unindented "#! /bin/sh\ncat -";
- emit_unindented( "__EOF__\n" );
+ 'show_connections_filter() {' );
+ push_indent;
+ append_file( $fn,1 ) or emit 'cat -';
+ pop_indent;
+ emit '}';
 }
 finalize_aux_config;
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index 9aa2dc808..6cfcefcb5 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -434,7 +434,10 @@ list_zone() {
 }
 #
-# Show Filter
+# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time,
+# then the compiler generated another version of this function and
+# embedded it in the firewall.conf file. That version supersedes this
+# one.
 #
 show_connections_filter() {
 local filter
@@ -443,7 +446,7 @@ show_connections_filter() {
 command=${SHOREWALL_SHELL}
- [ "$g_product" = Shorewall ] && filter=$(find_file scfilter) || filter=${VARDIR}/scfilter
+ filter=$(find_file scfilter)
 if [ -f $filter ]; then
 first=$(head -n1 $filter)
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 7f6cd9083..f51a121e0 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
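Review bot: Nothing here checks that scfilter is valid shell before `append_file( $fn,1 )` embeds it as the body of `show_connections_filter()` in firewall.conf. The lib.cli version of the function inspects the first line of the file (`first=$(head -n1 $filter)`), which suggests other interpreters were honoured there; inside a function body a `#!` line is only a comment, so a non-shell script, an unbalanced `}` or a file holding nothing but comments would presumably leave firewall.conf unparsable, or leave text outside the function, when /sbin/shorewall-lite reads that file. I would either reject such files at compile time or state the restriction at this call, e.g. `# scfilter becomes a shell function body: it must be POSIX shell and contain at least one command`. generate_aux_config's body starts outside the hunk.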
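Review bot: With the `${VARDIR}/scfilter` fallback gone, `filter` depends entirely on what `find_file` prints, and the context lines that consume it leave it unquoted. If `find_file` can ever print nothing, `[ -f $filter ]` collapses to `[ -f ]`, which is true, and `head -n1 $filter` would then read the function's standard input, which is presumably the connection listing itself; quoting both (`[ -f "$filter" ]`, `head -n1 "$filter"`) avoids that and also copes with paths containing spaces. The same applies to the identical hunk in Shorewall6/lib.cli. show_connections_filter's body continues outside the hunk.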
@@ -110,12 +110,11 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 which passes the output through unmodified.
 If you are using Shorewall-lite and/or Shorewall6-lite, the
- scfilter file is kept on the administrative system and is copied
+ scfilter file is kept on the administrative system. The compiler
+ encapsulates the script into a shell function that is copied
 into the generated auxillary configuration file
- (firewall.conf). Each time that configuration file is read, the
- scfilter script is extracted into /var/lib/shorewall-lite/scfilter
- (/var/lib/shorewall6-lite/scfilter) where /sbin/shorewall-lite
- (/sbin/shorewall6-lite) looks for it.
+ (firewall.conf). That function is then invoked by the 'show
+ connections' command.
 ----------------------------------------------------------------------------
 I V. R E L E A S E 4 . 4 H I G H L I G H T S
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 850b40c1e..9294f9c5e 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -358,7 +358,10 @@ show_routing() {
 }
 #
-# Show Connections Filter
+# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time,
+# then the compiler generated another version of this function and
+# embedded it in the firewall.conf file. That version supersedes this
+# one.
 #
 show_connections_filter() {
 local filter
@@ -367,7 +370,7 @@ show_connections_filter() {
 command=${SHOREWALL_SHELL}
- [ "$g_product" = Shorewall6 ] && filter=$(find_file scfilter) || filter=${VARDIR}/scfilter
+ filter=$(find_file scfilter)
 if [ -f $filter ]; then
 first=$(head -n1 $filter)
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 69df02077..8d8884238 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -203,18 +203,19 @@ esac scfilter -- Added in Shorewall 4.4.14. - Unlike the other scripts, this script is executed by the command line + Unlike the other scripts, this script is executed by the command-line tools (/sbin/shorewall, /sbin/shorewall6, etc) and can be used to reformat the output of the show connections command. The connection information is piped through this script so that the script can drop information, add information or alter the format of the information. When using Shorewall Lite or Shorewall6 - Lite, the script is copied into the generated auxillary configuration - file (firewall.conf) and is extracted into /var/lib/shorewall-lite - (/var/lib/shorewall6-lite) where /sbin/shorewall-lite - (/sbin/shorewall6-lite) can find it. The default script is as follows - and simply pipes the output through unaltered. + Lite, the script is encapsulated in a function that is copied into the + generated auxillary configuration file. That function is invoked by + the 'show connections' command. + + The default script is as follows and simply pipes the output + through unaltered. #! /bin/sh cat -