constanze 13/10/26 18:39:51 |
|
Added: 01_Remove-ipset-functionality.patch |
README.Gentoo.txt shorewall-init.systemd |
shorewall-init.initd shorewall-init.confd |
shorewallrc |
Log: |
Initial version of shorewall-init; Thanks to Thomas D. |
|
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key BB80F419010E3EC3) |
|
Revision Changes Path |
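--- a/net-firewall/shorewall-init/files/4.5.21.2/01_Remove-ipset-functionality.patch
+++ b/net-firewall/shorewall-init/files/4.5.21.2/01_Remove-ipset-functionality.patch
@@ -0,0 +1,27 @@
+--- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200
++++ shorewall-init 2013-09-08 23:29:27.418736392 +0200
+@@ -79,10 +79,6 @@
+fi
+done
+
+- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+- ipset -R < "$SAVE_IPSETS"
+- fi
+-
+return 0
+}
+
+@@ -100,13 +96,6 @@
+fi
+done
+
+- if [ -n "$SAVE_IPSETS" ]; then
+- mkdir -p $(dirname "$SAVE_IPSETS")
+- if ipset -S > "${SAVE_IPSETS}.tmp"; then
+- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+- fi
+- fi
+-
+return 0
+}
+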
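--- a/net-firewall/shorewall-init/files/4.5.21.2/README.Gentoo.txt
+++ b/net-firewall/shorewall-init/files/4.5.21.2/README.Gentoo.txt
@@ -0,0 +1,30 @@
+shorewall-init from upstream offers two features (taken from [1]):
+
+1. It can 'close' the firewall before the network interfaces are
+brought up during boot.
+
+2. It can change the firewall state as the result of interfaces
+being brought up or taken down.
+
+On Gentoo we only support the first feature -- the firewall lockdown during
+boot.
+
+We do not support the second feature, because Gentoo doesn't support a
+if-{up,down}.d folder like other distributions do. If you would want to use
+such a feature, you would have to add a custom action to /etc/conf.d/net
+(please refer to the Gentoo Linux Handbook [2] for more information).
+If you are able to add your custom {pre,post}{up,down} action, your are
+also able to specify what shorewall{6,-lite,6-lite} should do, so there is
+no need for upstream's scripts in Gentoo.
+
+If you disagree with us, feel free to open a bug [3] and contribute your
+solution for Gentoo.
+
+Upstream's original init script also supports saving and restoring of
+ipsets. Please use the init script from net-firewall/ipset if you need
+such a feature.
+
+
+[1] http://www.shorewall.net/Shorewall-init.html
+[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5
+[3] https://bugs.gentoo.org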
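--- a/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.systemd
+++ b/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.systemd
@@ -0,0 +1,16 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=shorewall-init
+Documentation=http://www.shorewall.net/Shorewall-init.html
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=multi-user.target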
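Review bot: `ExecStart=/sbin/shorewall-init start` and `ExecStop=/sbin/shorewall-init stop` hard-code `/sbin`, while shorewall-init.initd and shorewallrc in the same commit derive that directory from `@GENTOO_PORTAGE_EPREFIX@/sbin`; presumably the ebuild substitutes the placeholder, in which case a Prefix install gets a working init script but a unit pointing at a path that does not exist. Writing `ExecStart=@GENTOO_PORTAGE_EPREFIX@/sbin/shorewall-init start` (and the same for ExecStop) keeps the three files consistent, assuming the unit goes through the same substitution. `Before=network.target` is also a weak guarantee for a unit whose whole purpose is to lock the firewall down before interfaces come up, because network.target is only an ordering point; if the targeted systemd provides `network-pre.target`, the documented hook for firewall units is `Wants=network-pre.target` together with `Before=network-pre.target`.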
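--- a/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd
+++ b/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd
@@ -0,0 +1,196 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd,v 1.1 2013/10/26 18:39:51 constanze Exp $
+
+SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc"
+CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}"
+
+description="Puts Shorewall in a safe state at boot time"
+description="${description} prior to bringing up the network."
+
+required_files="$SHOREWALLRC_FILE"
+
+depend() {
+need localmount
+before net
+after bootmisc ipset tmpfiles.setup ulogd
+}
+
+
+. $SHOREWALLRC_FILE
+
+checkconfig() {
+local PRODUCT=
+
+if [ -z "${VARLIB}" ]; then
+eerror "\"VARLIB\" isn't defined or empty! Please check" \
+"\"${SHOREWALLRC_FILE}\"."
+
+
+return 1
+fi
+
+if [ -z "${PRODUCTS}" ]; then
+eerror "${SVCNAME} isn't configured! Please check" \
+"\"${CONFIG_FILE}\"."
+
+
+return 1
+fi
+
+for PRODUCT in ${PRODUCTS}; do
+if [ ! -x ${SBINDIR}/${PRODUCT} ]; then
+eerror "Invalid product \"${PRODUCT}\" specified" \
+"in \"${CONFIG_FILE}\"!"
+eerror "Maybe \"${PRODUCT}\" isn't installed?"
+
+
+return 1
+fi
+done
+
+
+return 0
+}
+
+check_firewall_script() {
+if [ ! -x ${STATEDIR}/firewall ]; then
+if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then
+ebegin "Creating \"${STATEDIR}/firewall\""
+${SBINDIR}/${PRODUCT} compile 1>/dev/null
+eend $?
+else
+eerror "\"${PRODUCT}\" isn't configured!"
+eerror "Please go to your 'administrative system'" \
+"and deploy the compiled firewall" \
+"configuration for this system."
+
+
+return 1
+fi
+fi
+
+
+return 0
+}
+
+is_allowed_to_be_executed() {
+# This is not a real service. shorewall-init is an intermediate
+# script to put your Shorewall-based firewall into a safe state
+# at boot time prior to bringing up the network.
+# Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz
+# for more information.
+# When your system is up, there is no need to call shorewall-init.
+# Please call shorewall{,6,-lite,6-lite} directly. That's the
+# reason why we are preventing start, stop or restart here.
+
+local PRODUCT=
+
+if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then
+# Starting shorewall-init is only allowed at boot time
+eerror "This is a boot service, which can only be started" \
+"at boot."
+eerror "If you want to get your shorewall-based firewall" \
+"into the same safe boot state again, run"
+eerror ""
+eindent
+for PRODUCT in ${PRODUCTS}; do
+eerror "/etc/init.d/${PRODUCT} stop"
+done
+eoutdent
+eerror ""
+eerror "Yes, \"stop\" and not start."
+eerror ""
+return 1
+fi
+
+if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then
+# Stopping shorewall-init is only allowed at shutdown
+eerror "This is a boot service, which cannot be stopped."
+eerror "If you really want to stop your Shorewall-based" \
+"firewall the same way this service would stop" \
+"Shorewall at shutdown, please run"
+eerror ""
+eindent
+for PRODUCT in ${PRODUCTS}; do
+eerror "/etc/init.d/${PRODUCT} clear"
+done
+eoutdent
+eerror ""
+eerror "Keep in mind that this will clear (=bring down)" \
+"your firewall!"
+eerror ""
+return 1
+fi
+
+if [ "${RC_CMD}" = "restart" ]; then
+eerror "This is a boot service, which cannot be restarted."
+eerror "If you want to restart any of your Shorewall-based" \
+"firewalls, run"
+eerror ""
+eindent
+for PRODUCT in ${PRODUCTS}; do
+eerror "/etc/init.d/${PRODUCT} restart"
+done
+eoutdent
+eerror ""
+return 1
+fi
+
+
+return 0
+}
+
+set_statedir() {
+STATEDIR=
+local VARDIR=
+
+if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} )
+fi
+
+[ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT}
+}
+
+start_pre() {
+checkconfig || return 1
+
+is_allowed_to_be_executed || return 1
+}
+
+start() {
+local PRODUCT=
+local STATEDIR=
+
+for PRODUCT in ${PRODUCTS}; do
+set_statedir
+
+check_firewall_script || return 1
+
+ebegin "Initializing \"${PRODUCT}\""
+${STATEDIR}/firewall stop 1>/dev/null
+eend $?
+done
+}
+
+stop_pre() {
+checkconfig || return 1
+
+is_allowed_to_be_executed || return 1
+}
+
+stop() {
+local PRODUCT=
+local STATEDIR=
+
+for PRODUCT in ${PRODUCTS}; do
+set_statedir
+
+check_firewall_script || return 1
+
+ebegin "Clearing \"${PRODUCT}\""
+${STATEDIR}/firewall clear 1>/dev/null
+eend $?
+done
+}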
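Review bot: `start()` and `stop()` end each loop iteration with `eend $?`, so the function's exit status is only that of the last product in `PRODUCTS`; when `${STATEDIR}/firewall stop` fails for an earlier product the error is printed but the service still reports success, even though that firewall was never put into the safe state this service exists to establish. Changing the last line of both loop bodies to `eend $? || return 1` makes a failed lockdown fail the service instead of being swallowed. The same gap is in `check_firewall_script()`: a failed `${SBINDIR}/${PRODUCT} compile` is reported by `eend $?` but the function falls through to `return 0`, so `eend $? || return 1` belongs there as well. Separately, `[ ! -x ${SBINDIR}/${PRODUCT} ]` in `checkconfig()` and `[ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]` in `check_firewall_script()` expand unquoted and misparse on an empty or space-containing value; quoting them as `"${PRODUCT}"` is cheap.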
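--- a/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.confd
+++ b/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.confd
@@ -0,0 +1,9 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6-lite"
+#
+PRODUCTS=""
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"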
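Review bot: `OPTIONS="-V0"` is declared here with a comment promising reduced verbosity, but nothing visible in shorewall-init.initd from this commit passes `OPTIONS` on: `start()` and `stop()` call `${STATEDIR}/firewall stop` and `${STATEDIR}/firewall clear` with no arguments. Either forward it (`${STATEDIR}/firewall ${OPTIONS} stop`, and likewise for `clear`) if the compiled firewall script accepts that flag, or drop the variable so the conf.d file only exposes knobs that have an effect. Whether the systemd unit's `/sbin/shorewall-init` reads this file cannot be confirmed from the page, so this may only affect the OpenRC path.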
1.1 net-firewall/shorewall-init/files/4.5.21.2/shorewallrc |
342 |
|
343 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewallrc?rev=1.1&view=markup |
344 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewallrc?rev=1.1&content-type=text/plain |
345 |
|
346 |
Index: shorewallrc |
347 |
=================================================================== |
348 |
# |
349 |
# Gentoo Shorewall 4.5 rc file |
350 |
# |
351 |
BUILD= #Default is to detect the build system |
352 |
HOST=gentoo #Gentoo GNU Linux |
353 |
PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc. |
354 |
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. |
355 |
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. |
356 |
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory |
357 |
CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed |
358 |
SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed |
359 |
MANDIR=${PREFIX}/share/man #Directory where manpages are installed. |
360 |
INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed. |
361 |
INITFILE=${PRODUCT} #Name of the product's installed SysV init script |
362 |
INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script |
363 |
ANNOTATED= #If non-zero, annotated configuration files are installed |
364 |
SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) |
365 |
SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file |
366 |
SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR |
367 |
SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed |
368 |
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR |
369 |
VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored. |
370 |
VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored. |