Merge branch 'busybox-shell-fixes/v1' into 'master'

lib.cli-std: fix two shell errors when AUTOMAKE is false See merge request shorewall/code!14
Merge branch 'support-SAFESTOP-under-systemd-in-debian/v1' into 'master'
2024-04-16 03:05:57 +00:00 · 2024-04-16 02:59:32 +00:00 · 2024-04-16 02:46:50 +00:00 · 2024-04-15 22:57:24 +00:00 · 2024-04-15 21:33:14 +00:00 · 2023-09-09 12:48:07 +01:00
11 changed files with 109 additions and 64 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755

 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+#
+# Install stop_service
+#
+if [ -n "${STOPSERVICEFILE}" ]; then
+    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
+
+    echo
+    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
+fi

 #
 # Install the libraries
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
+STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.
--- a/Shorewall-core/stop_service.debian
+++ b/Shorewall-core/stop_service.debian
@ -0,0 +1,19 @@
+#!/bin/sh
+
+PRODUCT=$1
+
+. /etc/default/${PRODUCT}
+
+if [ "$SAFESTOP" = 1 ]; then
+  COMMAND=stop
+else
+  COMMAND=clear
+fi
+
+if [ "${PRODUCT}" = shorewall6 ]; then
+  EXEC="/sbin/shorewall -6"
+else
+  EXEC="/sbin/${PRODUCT}"
+fi
+
+exec ${EXEC} ${OPTIONS} ${COMMAND}
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -1507,7 +1507,7 @@ sub qt1( $ ) {
 }

 #
-# Delete the test chains
+# Delete the test chains and IP sets
 #
 sub cleanup_iptables() {
    qt1( "$iptables $iptablesw -F $sillyname" );
@ -1530,6 +1530,12 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }

+    my $ipset  = $config{IPSET} || 'ipset';
+    $ipset = which( $ipset ) unless $ipset =~ '/';
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+    }
+
    $sillyname = $sillyname1 = '';
 }

@ -1574,7 +1580,7 @@ sub cleanup() {
    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
    #
-    # Delete temporary chains
+    # Delete temporary chains and IP sets
    #
    cleanup_iptables if $sillyname;
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@ -149,14 +149,13 @@ sub validate_4address( $$ ) {

    unless ( valid_4address $addr ) {
 	fatal_error "Invalid IP Address ($addr)" unless $allow_name;
-	fatal_error "Unknown Host ($addr)" unless  @addrs = gethostbyname( $addr );
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;

-	if ( defined wantarray ) {
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = ( inet_ntoa( $_ ) );
-	    }
-	}
+	@addrs = translate_addr_structs( @addr_structs );
    }

    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@ -164,14 +163,14 @@ sub validate_4address( $$ ) {

 sub resolve_4dnsname( $ ) {
    my $net = $_[0];
-    my @addrs;

-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;

-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
+    my @addrs = translate_addr_structs( @addr_structs );

    @addrs;
 } 
@ -508,15 +507,13 @@ sub validate_6address( $$ ) {

    unless ( valid_6address $addr ) {
 	fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
-	require Socket6;
-	fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET6,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;

-	if ( defined wantarray ) {
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-	    }
-	}
+	@addrs = translate_addr_structs( @addr_structs );
    }

    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@ -524,15 +521,14 @@ sub validate_6address( $$ ) {

 sub resolve_6dnsname( $ ) {
    my $net = $_[0];
-    my @addrs;
    
-    require Socket6;
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET6,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;

-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
+    my @addrs = translate_addr_structs( @addr_structs );

    @addrs;
 }
@ -661,6 +657,19 @@ sub validate_6host( $$ ) {
    }
 }

+sub translate_addr_structs {
+    my @addr_structs = @_;
+
+    my @addrs;
+    foreach my $addr_struct ( @addr_structs ) {
+	my ( $err, $ip_addr ) = Socket::getnameinfo( $addr_struct->{addr},
+	    Socket::NI_NUMERICHOST, Socket::NIx_NOSERV );
+        push @addrs, $ip_addr if $err == 0;
+    }
+
+    return @addrs;
+}
+
 my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@ -381,36 +381,33 @@ uptodate() {
    [ -x $1 ] || return 1

    local dir
-    local busybox
    local find
+    local quit
+    local maxdepth

    find=$(mywhich find)

    [ -n "${find}" ] || return 1
-    [ -h "${find}" ] && busybox=Yes
-    find="${find} -L"
+
+    if [ -h "${find}" ]; then
+	#
+	# 'Find' is provided by Busybox and doesn't support -quit.
+	#
+        quit=
+    else
+        quit=-quit
+    fi
+
+    if [ "$AUTOMAKE" = recursive ]; then
+	maxdepth=
+    elif [ -z "$AUTOMAKE" ]; then
+	maxdepth="-maxdepth 1"
+    else
+	maxdepth="-maxdepth $AUTOMAKE"
+    fi

    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-	if [ -n "${busybox}" ]; then
-	    #
-	    # Busybox 'find' doesn't support -quit.
-	    #
-	    if [ $AUTOMAKE = recursive ]; then
-		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
-		    return 1;
-		fi
-	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
-		return 1;
-	    fi
-	elif [ "$AUTOMAKE" = recursive ]; then
-	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -z "$AUTOMAKE" ]; then
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
+	if [ -n "$(${find} -L ${dir} ${maxdepth} -newer $1 -print ${quit})" ]; then
 	    return 1;
 	fi
    done
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@ -17,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload

 [Install]
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@ -18,7 +18,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -206,12 +206,12 @@
  <section>
    <title>systemd</title>

-    <para>As with SysV init described in the preceeding section, the behavior
-    of systemctl commands differ from the Shorewall CLI commands on
-    Debian-based systems. To make systemctl stop shorewall[-lite] and
-    systemctl restart shorewall[-lite] behave like shorewall stop and
-    shorewall restart, use this workaround provided by J Cliff
-    Armstrong:</para>
+    <para>As with SysV init described in the preceeding section, the behavior of
+    systemctl commands differ from the Shorewall CLI commands on Debian-based
+    systems. In versions of Shorewall before 5.2.9, to make <command>systemctl
+    stop shorewall</command> and <command>systemctl restart shorewall</command>
+    behave like <command>shorewall stop</command> and <command>shorewall
+    restart</command>, use this workaround provided by J Cliff Armstrong:</para>

    <para> Type (as root):</para>

@ -231,10 +231,14 @@ ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>

    <para>to activate the changes. This change will survive future updates of
    the shorewall package from apt repositories. The override file itself will
-    be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
+    be saved to <filename>/etc/systemd/system/shorewall.service.d/</filename>.</para>

    <para>The same workaround may be applied to the other Shorewall products
    (excluding Shorewall Init).</para>
+
+    <para>From Shorewall 5.2.9 onwards, the systemd service files have been
+    updated to execute a shell script that obeys the SAFESTOP setting to stop
+    the firewall, and the workaround is no longer necessary.</para>
  </section>

  <section id="Trace">
Author	SHA1	Message	Date
Tom Eastep	2673e6e60c	Merge branch 'busybox-shell-fixes/v1' into 'master' lib.cli-std: fix two shell errors when AUTOMAKE is false See merge request shorewall/code!14	2024-04-16 03:05:57 +00:00
Tom Eastep	d1a8c19712	Merge branch 'support-SAFESTOP-under-systemd-in-debian/v1' into 'master' Support `SAFESTOP` under systemd in Debian See merge request shorewall/code!11	2024-04-16 02:59:32 +00:00
Tom Eastep	3c77d83260	Merge branch 'clean-test-ipset' into 'master' Destroy the temporary IP set in the cleanup function See merge request shorewall/code!13	2024-04-16 02:46:50 +00:00
Tom Eastep	d8e43cee2b	Merge branch 'master' into 'master' Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo See merge request shorewall/code!5	2024-04-15 22:57:24 +00:00
Tom Eastep	b0839c30b2	Merge branch '11-update-always-allowed-ipv6-icmp-rules-according-rfc4890' into 'master' Update always allowed ipv6-icmp rules according RFC4890 Closes #11 See merge request shorewall/code!16	2024-04-15 21:33:14 +00:00
Jeremy Sowden	badf2fc9f0	Support `SAFESTOP` under systemd By default, in Debian and its derivatives, stopping the Shorewall service executes `/sbin/shorewall clear`. The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the service by calling `/sbin/shorewall stop`. However, the systemd service files do not support this. Instead, install a shell-script that sources /etc/default/shorewall and honours `SAFESTOP` when stopping Shorewall and patch the service files to call it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net>	2023-09-09 12:48:07 +01:00
Jeremy Sowden	5e8ce7d073	lib.cli-std: fix two shell errors when AUTOMAKE is false If `AUTOMAKE` is set to `no` in the config file, it is normalized to the empty string. This leads to two errors if `find` is provided by Busybox. There is a conditional where `$AUTOMAKE` is not quoted when compared to `recursive` leading to the following error: /usr/share/shorewall/lib.cli-std: line 398: [: =: unary operator expected In contrast to the non-Busybox case, we don't check for an empty `$AUTOMAKE` before passing it as an argument to `-maxdepth`, leading to: /usr/bin/find: Expected a positive decimal integer argument to -maxdepth, but got -type Refactor the conditionals to eliminate code duplication and fix these two bugs. Link: https://gitlab.com/shorewall/code/-/issues/10 Signed-off-by: Jeremy Sowden <jeremy@azazel.net>	2023-09-04 21:06:30 +01:00
Glop	450a16f730	Destroy the temporary IP set in the cleanup function In the IP set capability tests, there is a race condition which might prevent the removal of the temporary IP set immediately after flushing the chain that uses this IP set: even though the rules which used the IP set were deleted, the IP set might still appear to be “in use by a kernel component.” In case this happens, we add an extra call to `ipset -X` in the `cleanup_iptables()` function, just to be sure that the temporary IP set is indeed destroyed when the compiler exits.	2023-03-03 16:12:04 +01:00
Michal Josef Špaček	e9e73a259b	Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo We don't need Socket6, because Socket has IPv6 implementation now	2022-02-08 00:45:27 +01:00