| 1 |
constanze 13/10/26 18:39:51 |
| 2 |
|
| 3 |
Added: 01_Remove-ipset-functionality.patch |
| 4 |
README.Gentoo.txt shorewall-init.systemd |
| 5 |
shorewall-init.initd shorewall-init.confd |
| 6 |
shorewallrc |
| 7 |
Log: |
| 8 |
Initial version of shorewall-init; Thanks to Thomas D. |
| 9 |
|
| 10 |
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key BB80F419010E3EC3) |
| 11 |
|
| 12 |
Revision Changes Path |
| 13 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/01_Remove-ipset-functionality.patch |
| 14 |
|
| 15 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/01_Remove-ipset-functionality.patch?rev=1.1&view=markup |
| 16 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/01_Remove-ipset-functionality.patch?rev=1.1&content-type=text/plain |
| 17 |
|
| 18 |
Index: 01_Remove-ipset-functionality.patch |
| 19 |
=================================================================== |
| 20 |
--- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200 |
| 21 |
+++ shorewall-init 2013-09-08 23:29:27.418736392 +0200 |
| 22 |
@@ -79,10 +79,6 @@ |
| 23 |
fi |
| 24 |
done |
| 25 |
|
| 26 |
- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then |
| 27 |
- ipset -R < "$SAVE_IPSETS" |
| 28 |
- fi |
| 29 |
- |
| 30 |
return 0 |
| 31 |
} |
| 32 |
|
| 33 |
@@ -100,13 +96,6 @@ |
| 34 |
fi |
| 35 |
done |
| 36 |
|
| 37 |
- if [ -n "$SAVE_IPSETS" ]; then |
| 38 |
- mkdir -p $(dirname "$SAVE_IPSETS") |
| 39 |
- if ipset -S > "${SAVE_IPSETS}.tmp"; then |
| 40 |
- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" |
| 41 |
- fi |
| 42 |
- fi |
| 43 |
- |
| 44 |
return 0 |
| 45 |
} |
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/README.Gentoo.txt |
| 51 |
|
| 52 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/README.Gentoo.txt?rev=1.1&view=markup |
| 53 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/README.Gentoo.txt?rev=1.1&content-type=text/plain |
| 54 |
|
| 55 |
Index: README.Gentoo.txt |
| 56 |
=================================================================== |
| 57 |
shorewall-init from upstream offers two features (taken from [1]): |
| 58 |
|
| 59 |
1. It can 'close' the firewall before the network interfaces are |
| 60 |
brought up during boot. |
| 61 |
|
| 62 |
2. It can change the firewall state as the result of interfaces |
| 63 |
being brought up or taken down. |
| 64 |
|
| 65 |
On Gentoo we only support the first feature -- the firewall lockdown during |
| 66 |
boot. |
| 67 |
|
| 68 |
We do not support the second feature, because Gentoo doesn't support a |
| 69 |
if-{up,down}.d folder like other distributions do. If you would want to use |
| 70 |
such a feature, you would have to add a custom action to /etc/conf.d/net |
| 71 |
(please refer to the Gentoo Linux Handbook [2] for more information). |
| 72 |
If you are able to add your custom {pre,post}{up,down} action, your are |
| 73 |
also able to specify what shorewall{6,-lite,6-lite} should do, so there is |
| 74 |
no need for upstream's scripts in Gentoo. |
| 75 |
|
| 76 |
If you disagree with us, feel free to open a bug [3] and contribute your |
| 77 |
solution for Gentoo. |
| 78 |
|
| 79 |
Upstream's original init script also supports saving and restoring of |
| 80 |
ipsets. Please use the init script from net-firewall/ipset if you need |
| 81 |
such a feature. |
| 82 |
|
| 83 |
|
| 84 |
[1] http://www.shorewall.net/Shorewall-init.html |
| 85 |
[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5 |
| 86 |
[3] https://bugs.gentoo.org |
| 87 |
|
| 88 |
|
| 89 |
|
| 90 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.systemd |
| 91 |
|
| 92 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.systemd?rev=1.1&view=markup |
| 93 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.systemd?rev=1.1&content-type=text/plain |
| 94 |
|
| 95 |
Index: shorewall-init.systemd |
| 96 |
=================================================================== |
| 97 |
# |
| 98 |
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5 |
| 99 |
# |
| 100 |
[Unit] |
| 101 |
Description=shorewall-init |
| 102 |
Documentation=http://www.shorewall.net/Shorewall-init.html |
| 103 |
Before=network.target |
| 104 |
|
| 105 |
[Service] |
| 106 |
Type=oneshot |
| 107 |
RemainAfterExit=yes |
| 108 |
ExecStart=/sbin/shorewall-init start |
| 109 |
ExecStop=/sbin/shorewall-init stop |
| 110 |
|
| 111 |
[Install] |
| 112 |
WantedBy=multi-user.target |
| 113 |
|
| 114 |
|
| 115 |
|
| 116 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd |
| 117 |
|
| 118 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd?rev=1.1&view=markup |
| 119 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd?rev=1.1&content-type=text/plain |
| 120 |
|
| 121 |
Index: shorewall-init.initd |
| 122 |
=================================================================== |
| 123 |
#!/sbin/runscript |
| 124 |
# Copyright 1999-2013 Gentoo Foundation |
| 125 |
# Distributed under the terms of the GNU General Public License v2 |
| 126 |
# $Header: /var/cvsroot/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.initd,v 1.1 2013/10/26 18:39:51 constanze Exp $ |
| 127 |
|
| 128 |
SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc" |
| 129 |
CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}" |
| 130 |
|
| 131 |
description="Puts Shorewall in a safe state at boot time" |
| 132 |
description="${description} prior to bringing up the network." |
| 133 |
|
| 134 |
required_files="$SHOREWALLRC_FILE" |
| 135 |
|
| 136 |
depend() { |
| 137 |
need localmount |
| 138 |
before net |
| 139 |
after bootmisc ipset tmpfiles.setup ulogd |
| 140 |
} |
| 141 |
|
| 142 |
|
| 143 |
. $SHOREWALLRC_FILE |
| 144 |
|
| 145 |
checkconfig() { |
| 146 |
local PRODUCT= |
| 147 |
|
| 148 |
if [ -z "${VARLIB}" ]; then |
| 149 |
eerror "\"VARLIB\" isn't defined or empty! Please check" \ |
| 150 |
"\"${SHOREWALLRC_FILE}\"." |
| 151 |
|
| 152 |
|
| 153 |
return 1 |
| 154 |
fi |
| 155 |
|
| 156 |
if [ -z "${PRODUCTS}" ]; then |
| 157 |
eerror "${SVCNAME} isn't configured! Please check" \ |
| 158 |
"\"${CONFIG_FILE}\"." |
| 159 |
|
| 160 |
|
| 161 |
return 1 |
| 162 |
fi |
| 163 |
|
| 164 |
for PRODUCT in ${PRODUCTS}; do |
| 165 |
if [ ! -x ${SBINDIR}/${PRODUCT} ]; then |
| 166 |
eerror "Invalid product \"${PRODUCT}\" specified" \ |
| 167 |
"in \"${CONFIG_FILE}\"!" |
| 168 |
eerror "Maybe \"${PRODUCT}\" isn't installed?" |
| 169 |
|
| 170 |
|
| 171 |
return 1 |
| 172 |
fi |
| 173 |
done |
| 174 |
|
| 175 |
|
| 176 |
return 0 |
| 177 |
} |
| 178 |
|
| 179 |
check_firewall_script() { |
| 180 |
if [ ! -x ${STATEDIR}/firewall ]; then |
| 181 |
if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then |
| 182 |
ebegin "Creating \"${STATEDIR}/firewall\"" |
| 183 |
${SBINDIR}/${PRODUCT} compile 1>/dev/null |
| 184 |
eend $? |
| 185 |
else |
| 186 |
eerror "\"${PRODUCT}\" isn't configured!" |
| 187 |
eerror "Please go to your 'administrative system'" \ |
| 188 |
"and deploy the compiled firewall" \ |
| 189 |
"configuration for this system." |
| 190 |
|
| 191 |
|
| 192 |
return 1 |
| 193 |
fi |
| 194 |
fi |
| 195 |
|
| 196 |
|
| 197 |
return 0 |
| 198 |
} |
| 199 |
|
| 200 |
is_allowed_to_be_executed() { |
| 201 |
# This is not a real service. shorewall-init is an intermediate |
| 202 |
# script to put your Shorewall-based firewall into a safe state |
| 203 |
# at boot time prior to bringing up the network. |
| 204 |
# Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz |
| 205 |
# for more information. |
| 206 |
# When your system is up, there is no need to call shorewall-init. |
| 207 |
# Please call shorewall{,6,-lite,6-lite} directly. That's the |
| 208 |
# reason why we are preventing start, stop or restart here. |
| 209 |
|
| 210 |
local PRODUCT= |
| 211 |
|
| 212 |
if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then |
| 213 |
# Starting shorewall-init is only allowed at boot time |
| 214 |
eerror "This is a boot service, which can only be started" \ |
| 215 |
"at boot." |
| 216 |
eerror "If you want to get your shorewall-based firewall" \ |
| 217 |
"into the same safe boot state again, run" |
| 218 |
eerror "" |
| 219 |
eindent |
| 220 |
for PRODUCT in ${PRODUCTS}; do |
| 221 |
eerror "/etc/init.d/${PRODUCT} stop" |
| 222 |
done |
| 223 |
eoutdent |
| 224 |
eerror "" |
| 225 |
eerror "Yes, \"stop\" and not start." |
| 226 |
eerror "" |
| 227 |
return 1 |
| 228 |
fi |
| 229 |
|
| 230 |
if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then |
| 231 |
# Stopping shorewall-init is only allowed at shutdown |
| 232 |
eerror "This is a boot service, which cannot be stopped." |
| 233 |
eerror "If you really want to stop your Shorewall-based" \ |
| 234 |
"firewall the same way this service would stop" \ |
| 235 |
"Shorewall at shutdown, please run" |
| 236 |
eerror "" |
| 237 |
eindent |
| 238 |
for PRODUCT in ${PRODUCTS}; do |
| 239 |
eerror "/etc/init.d/${PRODUCT} clear" |
| 240 |
done |
| 241 |
eoutdent |
| 242 |
eerror "" |
| 243 |
eerror "Keep in mind that this will clear (=bring down)" \ |
| 244 |
"your firewall!" |
| 245 |
eerror "" |
| 246 |
return 1 |
| 247 |
fi |
| 248 |
|
| 249 |
if [ "${RC_CMD}" = "restart" ]; then |
| 250 |
eerror "This is a boot service, which cannot be restarted." |
| 251 |
eerror "If you want to restart any of your Shorewall-based" \ |
| 252 |
"firewalls, run" |
| 253 |
eerror "" |
| 254 |
eindent |
| 255 |
for PRODUCT in ${PRODUCTS}; do |
| 256 |
eerror "/etc/init.d/${PRODUCT} restart" |
| 257 |
done |
| 258 |
eoutdent |
| 259 |
eerror "" |
| 260 |
return 1 |
| 261 |
fi |
| 262 |
|
| 263 |
|
| 264 |
return 0 |
| 265 |
} |
| 266 |
|
| 267 |
set_statedir() { |
| 268 |
STATEDIR= |
| 269 |
local VARDIR= |
| 270 |
|
| 271 |
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then |
| 272 |
STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} ) |
| 273 |
fi |
| 274 |
|
| 275 |
[ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT} |
| 276 |
} |
| 277 |
|
| 278 |
start_pre() { |
| 279 |
checkconfig || return 1 |
| 280 |
|
| 281 |
is_allowed_to_be_executed || return 1 |
| 282 |
} |
| 283 |
|
| 284 |
start() { |
| 285 |
local PRODUCT= |
| 286 |
local STATEDIR= |
| 287 |
|
| 288 |
for PRODUCT in ${PRODUCTS}; do |
| 289 |
set_statedir |
| 290 |
|
| 291 |
check_firewall_script || return 1 |
| 292 |
|
| 293 |
ebegin "Initializing \"${PRODUCT}\"" |
| 294 |
${STATEDIR}/firewall stop 1>/dev/null |
| 295 |
eend $? |
| 296 |
done |
| 297 |
} |
| 298 |
|
| 299 |
stop_pre() { |
| 300 |
checkconfig || return 1 |
| 301 |
|
| 302 |
is_allowed_to_be_executed || return 1 |
| 303 |
} |
| 304 |
|
| 305 |
stop() { |
| 306 |
local PRODUCT= |
| 307 |
local STATEDIR= |
| 308 |
|
| 309 |
for PRODUCT in ${PRODUCTS}; do |
| 310 |
set_statedir |
| 311 |
|
| 312 |
check_firewall_script || return 1 |
| 313 |
|
| 314 |
ebegin "Clearing \"${PRODUCT}\"" |
| 315 |
${STATEDIR}/firewall clear 1>/dev/null |
| 316 |
eend $? |
| 317 |
done |
| 318 |
} |
| 319 |
|
| 320 |
|
| 321 |
|
| 322 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.confd |
| 323 |
|
| 324 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.confd?rev=1.1&view=markup |
| 325 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewall-init.confd?rev=1.1&content-type=text/plain |
| 326 |
|
| 327 |
Index: shorewall-init.confd |
| 328 |
=================================================================== |
| 329 |
# List the Shorewall products that Shorewall-init is to |
| 330 |
# initialize (space-separated list). |
| 331 |
# |
| 332 |
# Sample: PRODUCTS="shorewall shorewall6-lite" |
| 333 |
# |
| 334 |
PRODUCTS="" |
| 335 |
|
| 336 |
# Startup options - set verbosity to 0 (minimal reporting) |
| 337 |
OPTIONS="-V0" |
| 338 |
|
| 339 |
|
| 340 |
|
| 341 |
1.1 net-firewall/shorewall-init/files/4.5.21.2/shorewallrc |
| 342 |
|
| 343 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewallrc?rev=1.1&view=markup |
| 344 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/shorewall-init/files/4.5.21.2/shorewallrc?rev=1.1&content-type=text/plain |
| 345 |
|
| 346 |
Index: shorewallrc |
| 347 |
=================================================================== |
| 348 |
# |
| 349 |
# Gentoo Shorewall 4.5 rc file |
| 350 |
# |
| 351 |
BUILD= #Default is to detect the build system |
| 352 |
HOST=gentoo #Gentoo GNU Linux |
| 353 |
PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc. |
| 354 |
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. |
| 355 |
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. |
| 356 |
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory |
| 357 |
CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed |
| 358 |
SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed |
| 359 |
MANDIR=${PREFIX}/share/man #Directory where manpages are installed. |
| 360 |
INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed. |
| 361 |
INITFILE=${PRODUCT} #Name of the product's installed SysV init script |
| 362 |
INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script |
| 363 |
ANNOTATED= #If non-zero, annotated configuration files are installed |
| 364 |
SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only) |
| 365 |
SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file |
| 366 |
SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR |
| 367 |
SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed |
| 368 |
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR |
| 369 |
VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored. |
| 370 |
VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored. |
Archives