By default, in Debian and its derivatives, stopping the Shorewall
service executes `/sbin/shorewall clear`.

The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the
service by calling `/sbin/shorewall stop`.

However, the systemd service files do not support this. Instead,
install a shell-script that sources /etc/default/shorewall and honours
`SAFESTOP` when stopping Shorewall and patch the service files to call
it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

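The wrapper described in that commit, written here as an added example rather than the Debian package's or Shorewall's own script. It sources /etc/default/shorewall and maps `SAFESTOP` to the subcommand that a service stop should run; the function names, the `SHOREWALL_BIN` / `SHOREWALL_DEFAULTS` overrides and the idea that the patched unit's `ExecStop` would point at this script are assumptions made so the behaviour can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not the Debian package's or Shorewall's own script: a stop
# wrapper that sources /etc/default/shorewall and honours SAFESTOP. The
# function names and the SHOREWALL_BIN / SHOREWALL_DEFAULTS overrides are
# assumptions made so the script can be exercised with stubs.

SHOREWALL_BIN="${SHOREWALL_BIN:-/sbin/shorewall}"
SHOREWALL_DEFAULTS="${SHOREWALL_DEFAULTS:-/etc/default/shorewall}"

# Read SAFESTOP from the defaults file and map it to the subcommand that
# "stop" should run: SAFESTOP=1 selects `shorewall stop`, anything else
# keeps the Debian default of `shorewall clear`. Every other variable the
# defaults file sets is ignored here.
shorewall_stop_subcommand() {
    SAFESTOP=0
    if [ -r "$SHOREWALL_DEFAULTS" ]; then
        # shellcheck disable=SC1090
        . "$SHOREWALL_DEFAULTS"
    fi
    case "$SAFESTOP" in
        1) echo stop ;;
        *) echo clear ;;
    esac
}

# Entry point for the unit file (assumed: ExecStop points here). exec
# replaces the wrapper so systemd sees shorewall's own exit status.
shorewall_service_stop() {
    subcmd=$(shorewall_stop_subcommand)
    exec "$SHOREWALL_BIN" "$subcmd"
}

# Only act when invoked as `<script> stop`, so that sourcing this file to
# test its functions does not touch the running firewall.
if [ "${1-}" = stop ]; then
    shorewall_service_stop
fi
```

Because the subcommand is chosen from the same defaults file the init script reads, an administrator who sets `SAFESTOP=1` gets `shorewall stop` (the firewall stays in its stopped state) instead of `shorewall clear` (all rules removed), regardless of whether the service is stopped through systemd or by hand.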
If `AUTOMAKE` is set to `no` in the config file, it is normalized to the
empty string.

This leads to two errors if `find` is provided by Busybox.

There is a conditional where `$AUTOMAKE` is not quoted when compared to
`recursive`, leading to the following error:

  /usr/share/shorewall/lib.cli-std: line 398: [: =: unary operator expected

In contrast to the non-Busybox case, we don't check for an empty
`$AUTOMAKE` before passing it as an argument to `-maxdepth`, leading to:

  /usr/bin/find: Expected a positive decimal integer argument to -maxdepth, but got -type

Refactor the conditionals to eliminate code duplication and fix these two
bugs.

Link: https://gitlab.com/shorewall/code/-/issues/10
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

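Both bugs in that commit come from the same root cause: an empty variable reaching code that assumes it is non-empty. The following added example (not Shorewall's `lib.cli-std`) reproduces the unquoted comparison so the shell error can be observed, and then shows one code path that handles the empty, `recursive` and numeric cases before `find` is invoked. The helper names and the mapping of `Yes` to a depth of 1 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Shorewall's lib.cli-std code. It reproduces the two
# failure modes the commit describes (an unquoted `[ $AUTOMAKE = ... ]`
# and an empty value handed to `find -maxdepth`) and shows a single
# corrected code path. The function names and the "Yes -> depth 1" mapping
# are assumptions made for this illustration.

# Normalise the configured value: "No" (any case) becomes the empty string,
# as the commit describes; "Yes" is treated here as a depth of 1 (assumed).
normalize_automake() {
    case "$1" in
        [Nn][Oo]|"")   echo "" ;;
        [Yy][Ee][Ss])  echo 1 ;;
        *)             echo "$1" ;;
    esac
}

# Bug 1, kept for demonstration only: with an empty value the word-split
# test becomes `[ = recursive ]`, which the shell rejects with
# "unary operator expected" instead of evaluating it.
unquoted_compare() {
    AUTOMAKE=$1
    [ $AUTOMAKE = recursive ]
}

# Corrected: list files under $2 that are newer than $3, honouring the
# AUTOMAKE value in $1.
#   ""          -> auto-compile disabled, print nothing
#   "recursive" -> no depth limit
#   <n>         -> -maxdepth n
# Anything else is rejected before find ever sees it.
changed_config_files() {
    automake=$(normalize_automake "$1")
    dir=$2
    newer_than=$3

    # Quoting "$automake" keeps the test well-formed when it is empty.
    [ -n "$automake" ] || return 0

    if [ "$automake" = recursive ]; then
        set -- "$dir" -type f -newer "$newer_than"
    else
        case "$automake" in
            *[!0-9]*) echo "invalid AUTOMAKE value: $automake" >&2; return 1 ;;
        esac
        # -maxdepth is added only once we hold a number, so find never
        # receives "-maxdepth -type" as in the Busybox error quoted in the
        # commit message above.
        set -- "$dir" -maxdepth "$automake" -type f -newer "$newer_than"
    fi
    find "$@"
}
```

Building the argument list with `set --` keeps a single `find` invocation for all cases, which is the de-duplication the commit refers to; the validation step is what makes the Busybox and non-Busybox paths behave the same.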
In the IP set capability tests, there is a race condition which
might prevent the removal of the temporary IP set immediately
after flushing the chain that uses this IP set: even though the
rules which used the IP set were deleted, the IP set might still
appear to be “in use by a kernel component.”

In case this happens, we add an extra call to `ipset -X` in the
`cleanup_iptables()` function, just to be sure that the temporary
IP set is indeed destroyed when the compiler exits.

Only check for iptables --wait option if we don't already have existing
capabilities. If we have some and they're not up2date / don't match,
it will issue a warning anyway.

If a valid capabilities file exists, it will already cover whether we
can use --wait or not, that's what WAIT_OPTION is for.

Signed-off-by: Christian Ruppert <idl0r@qasl.de>

The iptablesw check, that's just looking for whether -w is supported or
not, previously caused iptables to list all rules, each time you do
a shorewall check or shorewall start/reload. That might be quite
a lot, depending on the amount of rules you have. It is also not
necessary to parse each rule just to check for -w. Let's switch to the
usually much smaller INPUT chain, to reduce the overhead.

- Delete incorrect statement about a list of addresses in SNAT()
- Replace IPv4 Example 6 with one that uses the PROBABILITY column
Signed-off-by: Tom Eastep <teastep@shorewall.net>