On 5/6/13 2:18 PM, "Tom Eastep" <[email protected]> wrote:
>On 05/06/2013 11:22 AM, Dash Four wrote:
>>
>> Tom Eastep wrote:
>>>> I see your point and it is a good one.
>>>>
>>>> Perhaps another alternative could be implemented since the problem
>>>> arises only on reboot. Currently, I have shorewall-init as a service
>>>> disabled, simply because ifupdown-local usually takes care of
>>>> everything. However, if you implement "shorewall check-update" (or any
>>>> other suitable alternative) which produces a "yes/no" result when
>>>> recompilation is needed (even if it is through the exit code), then the
>>>> shorewall-init startup script/service could use that to see whether
>>>> "shorewall compile" needs to be executed (that would be in addition to
>>>> the usual checks for the "firewall" executable) and do so accordingly.
>>>>
>>>> Since shorewall-init (as a service) usually starts before anything (even
>>>> before any of the network devices have been brought up), then it can
>>>> detect whether changes were made and recompile the firewall file,
>>>> ifupdown-local then picks it up and - voila, job done. How's that?
>>>>
>>>
>>> That could be done. How about an option on the 'compile' command that
>>> 'compiles if needed'? That way, the SysV init scripts could
>>> unconditionally compile with that option.
>>>
>> Nope, that won't do. The shorewall-init script checks for the existence
>> of "firewall" and, if present, it then starts "unconditional" compile.
>> So, there must be, in my view, another command (I suggested "shorewall
>> check-update", but it could be anything suitable really), which precedes
>> that check, regardless of whether or not "firewall" exists and it is
>> executable - another "if" statement branch. Something like this:
>>
>> retval=0
>> product="${SBINDIR}/$PRODUCT $OPTIONS"
>> if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>>     $product check-update # or any other 'suitable' option
>>     retval=${PIPESTATUS[0]}
>> fi
>> if [ $retval -ne 0 ]; then
>>     # config directory has been updated, unconditional recompile
>>     $product compile
>> elif [ ! -x "${STATEDIR}/firewall" ]; then
>>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>
>What I'm suggesting is to replace all of that with:
>
>if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
> ${SBINDIR}/$PRODUCT compile -c
>fi
>
>'compile -c' will compile ${VARDIR}/${PRODUCT}/firewall if it doesn't
>exist or if the config has changed since it was last compiled. If it
>exists and the config hasn't changed, the command exists with status 0.
'exits'.
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
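
The "compile only if needed" behaviour described for 'compile -c' in the thread above, sketched as an added example; it is not part of the thread and not Shorewall's implementation. It assumes staleness can be judged from file modification times, and the function names needs_compile and compile_if_needed are hypothetical.

```shell
#!/bin/sh
# Added illustration of a "compile only if needed" check; not Shorewall's code.
# needs_compile and compile_if_needed are hypothetical helper names.

# Exit status: 0 = recompile needed, 1 = compiled script is current,
# 2 = config directory missing (caller should treat this as an error).
needs_compile() {
    confdir=$1
    script=$2
    [ -d "$confdir" ] || return 2
    # A missing or non-executable compiled script always needs compiling.
    [ -x "$script" ] || return 0
    # Directories are matched on purpose: adding or deleting a config file
    # updates the directory mtime even when no remaining file is newer.
    # -newer is a strict comparison, so an edit carrying the same timestamp
    # as the compiled script is not detected.
    newer=$(find "$confdir" -newer "$script" -print 2>/dev/null | head -n 1)
    [ -n "$newer" ] && return 0
    return 1
}

# Run the caller-supplied compile command only when the check says so.
# Usage: compile_if_needed CONFDIR SCRIPT COMMAND [ARGS...]
compile_if_needed() {
    confdir=$1
    script=$2
    shift 2
    rc=0
    needs_compile "$confdir" "$script" || rc=$?
    case $rc in
        0) "$@" ;;          # stale or missing: run the compile command
        1) return 0 ;;      # current: nothing to do, report success
        *) echo "config directory $confdir not found" >&2; return 2 ;;
    esac
}
```

An init script would call compile_if_needed unconditionally, which is the property asked for in the thread: a current script costs only the check, and a stale or missing one is rebuilt before any interface comes up.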