tomwij 14/06/12 14:13:48 Added: 01_Remove-ipset-functionality.patch shorewall-init.systemd shorewall-init.initd shorewall-init.confd shorewallrc README.Gentoo.txt Log: Version bump to 4.5.21.10; fixes bug #509258 and bug #509258, proxied commit for Thomas D. (whissi). (Portage version: 2.2.10_p125/cvs/Linux x86_64, signed Manifest commit with key 6D34E57D)
Revision Changes Path 1.1 net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/01_Remove-ipset-functionality.patch?rev=1.1&content-type=text/plain Index: 01_Remove-ipset-functionality.patch =================================================================== --- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200 +++ shorewall-init 2013-09-08 23:29:27.418736392 +0200 @@ -79,10 +79,6 @@ fi done - if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then - ipset -R < "$SAVE_IPSETS" - fi - return 0 } @@ -100,13 +96,6 @@ fi done - if [ -n "$SAVE_IPSETS" ]; then - mkdir -p $(dirname "$SAVE_IPSETS") - if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" - fi - fi - return 0 } 1.1 net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.systemd?rev=1.1&content-type=text/plain Index: shorewall-init.systemd =================================================================== # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5 # [Unit] Description=shorewall-init Documentation=http://www.shorewall.net/Shorewall-init.html Before=network.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/sbin/shorewall-init start ExecStop=/sbin/shorewall-init stop [Install] WantedBy=multi-user.target 1.1 net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd?rev=1.1&content-type=text/plain Index: shorewall-init.initd =================================================================== #!/sbin/runscript # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.initd,v 1.1 2014/06/12 14:13:48 tomwij Exp $ SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc" CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}" description="Puts Shorewall in a safe state at boot time" description="${description} prior to bringing up the network." required_files="$SHOREWALLRC_FILE" depend() { need localmount before net after bootmisc ipset tmpfiles.setup ulogd } . $SHOREWALLRC_FILE checkconfig() { local PRODUCT= if [ -z "${VARLIB}" ]; then eerror "\"VARLIB\" isn't defined or empty! Please check" \ "\"${SHOREWALLRC_FILE}\"." return 1 fi if [ -z "${PRODUCTS}" ]; then eerror "${SVCNAME} isn't configured! Please check" \ "\"${CONFIG_FILE}\"." return 1 fi for PRODUCT in ${PRODUCTS}; do if [ ! -x ${SBINDIR}/${PRODUCT} ]; then eerror "Invalid product \"${PRODUCT}\" specified" \ "in \"${CONFIG_FILE}\"!" eerror "Maybe \"${PRODUCT}\" isn't installed?" return 1 fi done return 0 } check_firewall_script() { if [ ! -x ${STATEDIR}/firewall ]; then if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then ebegin "Creating \"${STATEDIR}/firewall\"" ${SBINDIR}/${PRODUCT} compile 1>/dev/null eend $? else eerror "\"${PRODUCT}\" isn't configured!" eerror "Please go to your 'administrative system'" \ "and deploy the compiled firewall" \ "configuration for this system." return 1 fi fi return 0 } is_allowed_to_be_executed() { # This is not a real service. shorewall-init is an intermediate # script to put your Shorewall-based firewall into a safe state # at boot time prior to bringing up the network. # Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz # for more information. # When your system is up, there is no need to call shorewall-init. # Please call shorewall{,6,-lite,6-lite} directly. That's the # reason why we are preventing start, stop or restart here. local PRODUCT= if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then # Starting shorewall-init is only allowed at boot time eerror "This is a boot service, which can only be started" \ "at boot." eerror "If you want to get your shorewall-based firewall" \ "into the same safe boot state again, run" eerror "" eindent for PRODUCT in ${PRODUCTS}; do eerror "/etc/init.d/${PRODUCT} stop" done eoutdent eerror "" eerror "Yes, \"stop\" and not start." eerror "" return 1 fi if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then # Stopping shorewall-init is only allowed at shutdown eerror "This is a boot service, which cannot be stopped." eerror "If you really want to stop your Shorewall-based" \ "firewall the same way this service would stop" \ "Shorewall at shutdown, please run" eerror "" eindent for PRODUCT in ${PRODUCTS}; do eerror "/etc/init.d/${PRODUCT} clear" done eoutdent eerror "" eerror "Keep in mind that this will clear (=bring down)" \ "your firewall!" eerror "" return 1 fi if [ "${RC_CMD}" = "restart" ]; then eerror "This is a boot service, which cannot be restarted." eerror "If you want to restart any of your Shorewall-based" \ "firewalls, run" eerror "" eindent for PRODUCT in ${PRODUCTS}; do eerror "/etc/init.d/${PRODUCT} restart" done eoutdent eerror "" return 1 fi return 0 } set_statedir() { STATEDIR= local VARDIR= if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} ) fi [ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT} } start_pre() { checkconfig || return 1 is_allowed_to_be_executed || return 1 } start() { local PRODUCT= local STATEDIR= for PRODUCT in ${PRODUCTS}; do set_statedir check_firewall_script || return 1 ebegin "Initializing \"${PRODUCT}\"" ${STATEDIR}/firewall stop 1>/dev/null eend $? done } stop_pre() { checkconfig || return 1 is_allowed_to_be_executed || return 1 } stop() { local PRODUCT= local STATEDIR= for PRODUCT in ${PRODUCTS}; do set_statedir check_firewall_script || return 1 ebegin "Clearing \"${PRODUCT}\"" ${STATEDIR}/firewall clear 1>/dev/null eend $? done } 1.1 net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewall-init.confd?rev=1.1&content-type=text/plain Index: shorewall-init.confd =================================================================== # List the Shorewall products that Shorewall-init is to # initialize (space-separated list). # # Sample: PRODUCTS="shorewall shorewall6-lite" # PRODUCTS="" # Startup options - set verbosity to 0 (minimal reporting) OPTIONS="-V0" 1.1 net-firewall/shorewall-init/files/4.5.21.10/shorewallrc file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewallrc?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/shorewallrc?rev=1.1&content-type=text/plain Index: shorewallrc =================================================================== # # Gentoo Shorewall 4.5 rc file # BUILD= #Default is to detect the build system HOST=gentoo #Gentoo GNU Linux PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/share/man #Directory where manpages are installed. INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed. INITFILE=${PRODUCT} #Name of the product's installed SysV init script INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored. 1.1 net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.10/README.Gentoo.txt?rev=1.1&content-type=text/plain Index: README.Gentoo.txt =================================================================== shorewall-init from upstream offers two features (taken from [1]): 1. It can 'close' the firewall before the network interfaces are brought up during boot. 2. It can change the firewall state as the result of interfaces being brought up or taken down. On Gentoo we only support the first feature -- the firewall lockdown during boot. We do not support the second feature, because Gentoo doesn't support a if-{up,down}.d folder like other distributions do. If you would want to use such a feature, you would have to add a custom action to /etc/conf.d/net (please refer to the Gentoo Linux Handbook [2] for more information). If you are able to add your custom {pre,post}{up,down} action, your are also able to specify what shorewall{6,-lite,6-lite} should do, so there is no need for upstream's scripts in Gentoo. If you disagree with us, feel free to open a bug [3] and contribute your solution for Gentoo. Upstream's original init script also supports saving and restoring of ipsets. Please use the init script from net-firewall/ipset if you need such a feature. [1] http://www.shorewall.net/Shorewall-init.html [2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5 [3] https://bugs.gentoo.org