From f08532e194c43b79b872dd7593b3ca7de9477c8e Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 15 Mar 2005 16:55:13 +0000
Subject: [PATCH] Add 'continue' extension script
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2004 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 4 ++++
 Shorewall2/continue | 6 ++++++
 Shorewall2/firewall | 12 +++++++-----
 Shorewall2/releasenotes.txt | 15 ++++++++++++++-
 4 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 Shorewall2/continue
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b9219ae00..ec80768a1 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 2.2.3
+
+1) Added the 'continue' extension script.
+
 Changes in 2.2.2
 1) The 'check' command disclaimer is toned down further and only
diff --git a/Shorewall2/continue b/Shorewall2/continue
new file mode 100644
index 000000000..e608ca4ed
--- /dev/null
+++ b/Shorewall2/continue
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 38569020d..197aa9f0c 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -5678,7 +5678,7 @@ initialize_netfilter () {
 run_user_exit init
 #
- # The some files might be large so strip them while the firewall is still running
+ # Some files might be large so strip them while the firewall is still running
 # (restart command). This reduces the length of time that the firewall isn't
 # accepting new connections.
 #
@@ -5721,6 +5721,8 @@ initialize_netfilter () {
 setcontinue INPUT
 setcontinue OUTPUT
+ run_user_exit continue
+
 [ -n "$DISABLE_IPV6" ] && disable_ipv6
 #
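Review bot: The header of the new /etc/shorewall/continue template tells the admin when it runs but not what state the firewall is in or what happens to rules added there, and both facts are stated elsewhere in this same commit: the release notes say the built-in filter chains' policy is already DROP at that point, and that any rule added in continue must be deleted again in /etc/shorewall/start. An admin editing the template will read its header, not releasenotes.txt, so those two lines belong here. I would extend the comment block with `# At this point the built-in chains' policy is already DROP. Rules you add here` / `# remain in place after startup unless you delete them in /etc/shorewall/start.`. Keeping the template comment-only, as it is, is fine.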
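Review bot: The new `run_user_exit continue` call sits after `setcontinue INPUT`/`setcontinue OUTPUT` and before `[ -n "$DISABLE_IPV6" ] && disable_ipv6`, and judging by the context of the following hunk it also precedes the loopback ACCEPT rules, so whatever a site's continue script appends to INPUT or OUTPUT is evaluated before those rules and before IPv6 is disabled. If that ordering is intentional it deserves a comment, since nothing in the hunk says why the user exit must run exactly here, e.g. `# Site 'continue' script: rules it appends precede the lo ACCEPT and startup DNS rules below`. The release notes in this commit also say rules added in continue must be removed in /etc/shorewall/start; nothing visible in this hunk removes them, so a second comment line stating that they persist would keep the contract explicit in the code as well. initialize_netfilter starts and ends outside the hunk.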
@@ -5729,10 +5731,6 @@ initialize_netfilter () {
 run_iptables -A INPUT -i lo -j ACCEPT
 run_iptables -A OUTPUT -o lo -j ACCEPT
- accounting_file=$(find_file accounting)
-
- [ -f $accounting_file ] && setup_accounting $accounting_file
-
 #
 # Allow DNS lookups during startup for FQDNs
 #
@@ -5756,6 +5754,10 @@ initialize_netfilter () {
 run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
 fi
+ accounting_file=$(find_file accounting)
+
+ [ -f $accounting_file ] && setup_accounting $accounting_file
+
 if [ -z "$NEWNOTSYN" ]; then
 createchain newnotsyn no
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 4149777f0..08292f010 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,5 +1,18 @@
-Shorewall 2.2.2
+Shorewall 2.2.3
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.3
+-----------------------------------------------------------------------
+New Features in version 2.2.3
+
+1) A new extension script "continue" has been added. This script is
+ invoked after Shorewall has set the built-in filter chains'
+ policy to DROP, deleted any existing Netfilter rules and user
+ chains and has enabled existing connections.
+
+ It is useful for enabling certain communication while Shorewall is
+ being [re]started. Be sure to delete any rules that you add here in
+ your /etc/shorewall/start file.
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.2
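Review bot: The relocated line `[ -f $accounting_file ] && setup_accounting $accounting_file` leaves `$accounting_file` unquoted in both the test and the call; since the line is re-added on the new side this is the moment to fix it, because a path from `find_file` containing whitespace would be word-split and the accounting setup silently skipped or called with the wrong argument. The quoted form is `[ -f "$accounting_file" ] && setup_accounting "$accounting_file"`. Neither the changelog nor the release notes in this commit mention that accounting setup now runs after the FORWARD/TCPMSS block instead of right after the loopback rules, and the hunk carries no comment either; a one-line comment above the moved lines naming the ordering dependency (presumably something set up in between that setup_accounting relies on) would stop the next reader from moving it back. initialize_netfilter starts and ends outside the hunk.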