tomwij      14/06/12 14:13:48

  Added:                01_Remove-ipset-functionality.patch
                        shorewall-init.systemd shorewall-init.initd
                        shorewall-init.confd shorewallrc README.Gentoo.txt
  Log:
  Version bump to 4.5.21.10; fixes bug #509258 and bug #509258, proxied commit 
for Thomas D. (whissi).
  
  (Portage version: 2.2.10_p125/cvs/Linux x86_64, signed Manifest commit with 
key 6D34E57D)

Revision  Changes    Path
1.1                  
net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch?rev=1.1&content-type=text/plain

Index: 01_Remove-ipset-functionality.patch
===================================================================
--- shorewall-init.old  2013-09-08 23:25:36.364924304 +0200
+++ shorewall-init      2013-09-08 23:29:27.418736392 +0200
@@ -79,10 +79,6 @@
       fi
   done
 
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
   return 0
 }
 
@@ -100,13 +96,6 @@
       fi
   done
 
-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-         grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
   return 0
 }
 



1.1                  
net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd?rev=1.1&content-type=text/plain

Index: shorewall-init.systemd
===================================================================
#
#       The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
#
[Unit]
Description=shorewall-init
Documentation=http://www.shorewall.net/Shorewall-init.html
# Orders this unit ahead of network.target.
# NOTE(review): systemd provides network-pre.target as the ordering point for
# firewall units that must finish before any interface is configured; ordering
# only against network.target may not guarantee that -- confirm.
Before=network.target

[Service]
# oneshot + RemainAfterExit: the unit stays "active" after the start command
# has exited, so ExecStop is run when the unit is stopped.
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/shorewall-init start
ExecStop=/sbin/shorewall-init stop

[Install]
WantedBy=multi-user.target



1.1                  
net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd?rev=1.1&content-type=text/plain

Index: shorewall-init.initd
===================================================================
#!/sbin/runscript
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd,v 1.1 2014/06/12 14:13:48 tomwij Exp $

# rc file that supplies the install paths used by the functions below.
# @GENTOO_PORTAGE_EPREFIX@ is a placeholder, presumably substituted when the
# package is installed.
SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc"
required_files="${SHOREWALLRC_FILE}"

# Per-service configuration file, named after the running service.
CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}"

# Service description, assembled in two steps to keep the lines short.
description="Puts Shorewall in a safe state at boot time"
description="${description} prior to bringing up the network."

# Declare service ordering: local filesystems are required, the
# service runs ahead of "net", and it waits for the listed services
# when they are scheduled.
depend() {
        need localmount
        before net
        after bootmisc ipset \
                tmpfiles.setup ulogd
}


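# Source the rc file; the functions below read SBINDIR, CONFDIR and VARLIB,
# which it is expected to define. The file is executed as shell code with
# this script's privileges, so it must only be writable by root.
# Quoted so that a prefix containing whitespace is not word-split.
. "${SHOREWALLRC_FILE}"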

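# Validate the configuration before the service is started or stopped.
# Globals:   VARLIB, PRODUCTS, SBINDIR (read); SVCNAME, CONFIG_FILE,
#            SHOREWALLRC_FILE (read, for messages only)
# Returns:   0 when VARLIB and PRODUCTS are non-empty and every listed
#            product has an executable in SBINDIR, 1 otherwise
checkconfig() {
        local PRODUCT=

        if [ -z "${VARLIB}" ]; then
                eerror "\"VARLIB\" isn't defined or empty! Please check" \
                        "\"${SHOREWALLRC_FILE}\"."

                return 1
        fi

        if [ -z "${PRODUCTS}" ]; then
                eerror "${SVCNAME} isn't configured! Please check" \
                        "\"${CONFIG_FILE}\"."

                return 1
        fi

        # PRODUCTS is a space-separated list, so it is expanded unquoted
        # on purpose.
        for PRODUCT in ${PRODUCTS}; do
                # The path is quoted: unquoted, a directory containing
                # whitespace makes `[` abort with a usage error, the `if`
                # reads that as "executable found" and a missing product
                # slips through the check.
                if [ ! -x "${SBINDIR}/${PRODUCT}" ]; then
                        eerror "Invalid product \"${PRODUCT}\" specified" \
                                "in \"${CONFIG_FILE}\"!"
                        eerror "Maybe \"${PRODUCT}\" isn't installed?"

                        return 1
                fi
        done

        return 0
}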

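# Make sure the compiled firewall script for the current product exists.
# Globals:   STATEDIR, PRODUCT, SBINDIR (read)
# Returns:   0 when "${STATEDIR}/firewall" is executable or was compiled
#            without error; 1 when the product cannot compile locally
#            (anything other than shorewall/shorewall6) or the compile
#            step fails
check_firewall_script() {
        if [ ! -x "${STATEDIR}/firewall" ]; then
                case "${PRODUCT}" in
                        shorewall|shorewall6)
                                ebegin "Creating \"${STATEDIR}/firewall\""
                                "${SBINDIR}/${PRODUCT}" compile 1>/dev/null
                                # A failed compile leaves no script to run;
                                # report it instead of returning success.
                                eend $? || return 1
                                ;;
                        *)
                                eerror "\"${PRODUCT}\" isn't configured!"
                                eerror "Please go to your 'administrative system'" \
                                        "and deploy the compiled firewall" \
                                        "configuration for this system."

                                return 1
                                ;;
                esac
        fi

        return 0
}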

# Refuse manual start, stop and restart of this boot-only service.
# Globals:   RC_CMD, RC_RUNLEVEL, PRODUCTS (read)
# Returns:   0 when the requested command may run, 1 otherwise
is_allowed_to_be_executed() {
        # shorewall-init is not a real service. It is an intermediate
        # script that puts a Shorewall-based firewall into a safe state
        # at boot time, before the network is brought up.
        # See /usr/share/doc/shorewall-init-*/README.gentoo.gz for details.
        # Once the system is up there is no reason to call shorewall-init;
        # call shorewall{,6,-lite,6-lite} directly instead. That is why
        # start, stop and restart are rejected here.

        local PRODUCT=

        case "${RC_CMD}" in
                start)
                        # Starting is only allowed in the boot runlevel
                        if [ "${RC_RUNLEVEL}" != "boot" ]; then
                                eerror "This is a boot service, which can only be started" \
                                        "at boot."
                                eerror "If you want to get your shorewall-based firewall" \
                                        "into the same safe boot state again, run"
                                eerror ""
                                eindent
                                for PRODUCT in ${PRODUCTS}; do
                                        eerror "/etc/init.d/${PRODUCT} stop"
                                done
                                eoutdent
                                eerror ""
                                eerror "Yes, \"stop\" and not start."
                                eerror ""
                                return 1
                        fi
                        ;;
                stop)
                        # Stopping is only allowed in the shutdown runlevel
                        if [ "${RC_RUNLEVEL}" != "shutdown" ]; then
                                eerror "This is a boot service, which cannot be stopped."
                                eerror "If you really want to stop your Shorewall-based" \
                                        "firewall the same way this service would stop" \
                                        "Shorewall at shutdown, please run"
                                eerror ""
                                eindent
                                for PRODUCT in ${PRODUCTS}; do
                                        eerror "/etc/init.d/${PRODUCT} clear"
                                done
                                eoutdent
                                eerror ""
                                eerror "Keep in mind that this will clear (=bring down)" \
                                        "your firewall!"
                                eerror ""
                                return 1
                        fi
                        ;;
                restart)
                        # Restarting is never allowed
                        eerror "This is a boot service, which cannot be restarted."
                        eerror "If you want to restart any of your Shorewall-based" \
                                "firewalls, run"
                        eerror ""
                        eindent
                        for PRODUCT in ${PRODUCTS}; do
                                eerror "/etc/init.d/${PRODUCT} restart"
                        done
                        eoutdent
                        eerror ""
                        return 1
                        ;;
        esac

        return 0
}

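# Work out the state directory of the current product.
# Globals:   CONFDIR, PRODUCT, VARLIB (read); STATEDIR (written)
# Result:    STATEDIR is the VARDIR value set by
#            "${CONFDIR}/${PRODUCT}/vardir" when that file exists and sets
#            one, otherwise "${VARLIB}/${PRODUCT}"
set_statedir() {
        STATEDIR=
        local VARDIR=

        if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
                # The vardir file is sourced in a subshell, so nothing but
                # VARDIR reaches this script. It is still executed as shell
                # code with this script's privileges and must only be
                # writable by root.
                STATEDIR=$( . "${CONFDIR}/${PRODUCT}/vardir" && printf '%s\n' "${VARDIR}" )
        fi

        # Fall back to the default location when vardir gave no value
        if [ -z "${STATEDIR}" ]; then
                STATEDIR="${VARLIB}/${PRODUCT}"
        fi
}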

# Pre-start hook: the configuration must be valid and the start must be
# permitted in the current runlevel.
# Returns:   1 when either check fails, 0 otherwise
start_pre() {
        if ! checkconfig || ! is_allowed_to_be_executed; then
                return 1
        fi
}

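# Run "firewall stop" for every configured product.
# Globals:   PRODUCTS (read)
# Returns:   0 when every product's firewall script succeeded; non-zero
#            when a firewall script is missing or any invocation failed
start() {
        local PRODUCT=
        local STATEDIR=
        local retval=0

        for PRODUCT in ${PRODUCTS}; do
                set_statedir

                check_firewall_script || return 1

                ebegin "Initializing \"${PRODUCT}\""
                "${STATEDIR}/firewall" stop 1>/dev/null
                # Remember a failure but keep going, so the remaining
                # products are still handled; without this only the last
                # product's status decided the service result.
                eend $? || retval=1
        done

        return ${retval}
}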

# Pre-stop hook: the configuration must be valid and the stop must be
# permitted in the current runlevel.
# Returns:   1 when either check fails, 0 otherwise
stop_pre() {
        if ! checkconfig || ! is_allowed_to_be_executed; then
                return 1
        fi
}

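# Run "firewall clear" for every configured product.
# Globals:   PRODUCTS (read)
# Returns:   0 when every product's firewall script succeeded; non-zero
#            when a firewall script is missing or any invocation failed
stop() {
        local PRODUCT=
        local STATEDIR=
        local retval=0

        for PRODUCT in ${PRODUCTS}; do
                set_statedir

                check_firewall_script || return 1

                ebegin "Clearing \"${PRODUCT}\""
                "${STATEDIR}/firewall" clear 1>/dev/null
                # Remember a failure but keep going, so the remaining
                # products are still handled; without this only the last
                # product's status decided the service result.
                eend $? || retval=1
        done

        return ${retval}
}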



1.1                  
net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd?rev=1.1&content-type=text/plain

Index: shorewall-init.confd
===================================================================
# List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# Sample: PRODUCTS="shorewall shorewall6-lite"
#
# While this is left empty, the OpenRC init script's checkconfig() reports
# the service as not configured and refuses to run.
PRODUCTS=""

# Startup options - set verbosity to 0 (minimal reporting)
# NOTE(review): the OpenRC init script added in this commit does not
# reference OPTIONS -- confirm which script consumes it.
OPTIONS="-V0"



1.1                  net-firewall/shorewall-init/files/4.5.21.10/shorewallrc

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewallrc?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewallrc?rev=1.1&content-type=text/plain

Index: shorewallrc
===================================================================
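#
# Gentoo Shorewall 4.5 rc file
#
# Plain KEY=value assignments. The OpenRC init script sources an rc file
# named shorewallrc as shell code, so every comment must stay on the same
# line as its assignment: a comment tail wrapped onto a line of its own
# would be executed as a command.
#
BUILD=                                  #Default is to detect the build system
HOST=gentoo                             #Gentoo GNU Linux
PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr                             #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc                            #Directory where subsystem configurations are installed
SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin                           #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
INITDIR=${CONFDIR}/init.d               #Directory where SysV init scripts are installed.
INITFILE=${PRODUCT}                     #Name of the product's installed SysV init script
INITSOURCE=init.gentoo.sh               #Name of the distributed file to be installed as the SysV init script
ANNOTATED=                              #If non-zero, annotated configuration files are installed
SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system         #Directory where .service files are installed (systems running systemd only)
SERVICEFILE=gentoo.service              #Name of the distributed file to be installed as systemd service file
SYSCONFFILE=default.gentoo              #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=${CONFDIR}/conf.d            #Directory where SysV init parameter files are installed
SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib                         #Directory where product variable data is stored.
VARDIR=${VARLIB}/${PRODUCT}             #Directory where product variable data is stored.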



1.1                  
net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt?rev=1.1&content-type=text/plain

Index: README.Gentoo.txt
===================================================================
shorewall-init from upstream offers two features (taken from [1]):

        1. It can 'close' the firewall before the network interfaces are
           brought up during boot.
        
        2. It can change the firewall state as the result of interfaces
           being brought up or taken down.

On Gentoo we only support the first feature -- the firewall lockdown during
boot.

We do not support the second feature, because Gentoo doesn't support an
if-{up,down}.d folder like other distributions do. If you want to use
such a feature, you would have to add a custom action to /etc/conf.d/net
(please refer to the Gentoo Linux Handbook [2] for more information).
If you are able to add your custom {pre,post}{up,down} action, you are
also able to specify what shorewall{6,-lite,6-lite} should do, so there is
no need for upstream's scripts in Gentoo.

If you disagree with us, feel free to open a bug [3] and contribute your
solution for Gentoo.

Upstream's original init script also supports saving and restoring of
ipsets. Please use the init script from net-firewall/ipset if you need
such a feature.


[1] http://www.shorewall.net/Shorewall-init.html
[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5
[3] https://bugs.gentoo.org



