Use a regular shell file for installed config

This simplifies the scripts somewhat and the autoconf system quite a bit.

To specify a non-default location for the config, export a directory
in FIREHOL_OVERRIDE_PROGRAM_DIR and ensure it has an install.config
and functions.common.
Philip Whineray 2016-03-23 07:45:19 +00:00
parent d104473f33
commit caedbcd551
27 changed files with 434 additions and 753 deletions

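--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +0,0 @@
-sbin/*.c ident export-subst
-sbin/*.in ident export-subst
-packaging/packver ident export-subst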

.gitignore vendored

@ -29,16 +29,10 @@ doc/apa*.html
doc/services-?.xml
doc/service-links
doc/tools/pandoc-post
sbin/commands.sed
sbin/firehol
sbin/firehol.in
sbin/fireqos
sbin/link-balancer
sbin/vnetbuild
sbin/iprange
sbin/install.config
sbin/install.config.in
sbin/*.o
sbin/.deps
sbin/update-ipsets
unittest/coverage
*.xz
*.gz


@ -80,7 +80,7 @@ Since all components will go under `/usr/local`, you may prefer something
like this:
~~~~
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libexecdir=/usr/lib
make
make install
~~~~


@ -1,11 +1,4 @@
#!/bin/sh
# Update autoconf scripts after a configure.ac change
if [ ! -f .gitignore -o ! -f sbin/firehol.in ]
then
echo "Run as ./packaging/autogen.sh from a firehol git repository"
exit 1
fi
autoreconf -ivf
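Review bot: The repository-sanity guard was removed rather than repointed at the renamed file, so `packaging/autogen.sh` now runs `autoreconf -ivf` from any directory without complaint. Keeping the check costs one line: `[ -f .gitignore ] && [ -f sbin/firehol ] || { echo "Run as ./packaging/autogen.sh from a firehol git repository" >&2; exit 1; }`. If dropping it was deliberate because `autoreconf` fails clearly enough on its own, a comment saying so would stop the next person from re-adding it.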

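--- a/build/subst.inc
+++ b/build/subst.inc
@@ -0,0 +1,11 @@
+.in:
+if sed \
+-e 's#[@]datarootdir_POST[@]#$(datarootdir)#g' \
+-e 's#[@]localstatedir_POST[@]#$(localstatedir)#g' \
+-e 's#[@]sysconfdir_POST[@]#$(sysconfdir)#g' \
+$< > $@.tmp; then \
+mv "$@.tmp" "$@"; \
+else \
+rm -f "$@.tmp"; \
+false; \
+fi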
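Review bot: The new include has no comment explaining why the `*_POST` placeholders are expanded here at make time rather than by configure, and the quoting is inconsistent: the redirect writes to the unquoted `$@.tmp` while `mv` and `rm` quote it. A header such as `# .in -> file: expand the *_POST placeholders (they depend on $(prefix), so configure cannot resolve them) through a temp file so a failed sed never leaves a half-written target` would record the intent; the deferred-expansion reason is presumed from the variable names, so confirm it before writing it down. Change the last line of the sed invocation to `"$<" > "$@.tmp"; then \`. Note also that `#` is the sed delimiter, so an installation prefix containing `#` would break the substitution; unlikely, but a one-line comment stating the assumption is cheap.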


@ -18,22 +18,27 @@ AC_INIT([firehol],VERSION_NUMBER[]VERSION_SUFFIX,[firehol-devs@lists.firehol.org
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_AUX_DIR([autotool])
AC_CONFIG_SRCDIR([sbin/firehol.in])
AC_CONFIG_SRCDIR([sbin/fireqos.in])
AC_CONFIG_SRCDIR([sbin/link-balancer.in])
AC_CONFIG_SRCDIR([sbin/update-ipsets.in])
AC_CONFIG_SRCDIR([sbin/vnetbuild.in])
AC_CONFIG_SRCDIR([sbin/firehol])
AM_INIT_AUTOMAKE([gnu])
AM_MAINTAINER_MODE([disable])
dnl Checks for programs.
AC_PROG_MAKE_SET
dnl Check for functioning symbolic links
AC_PROG_LN_S
AM_CONDITIONAL([GIT_TREE], [test -f README.md])
AX_FIREHOL_AUTOSAVE()
AX_FIREHOL_AUTOSAVE6()
AC_ARG_ENABLE([filename-versions],
[AS_HELP_STRING([--disable-filename-versions], [no versions on executable filenames @<:@enabled@:>@])],
,
[enable_filename_versions="yes"])
AM_CONDITIONAL([FILENAME_VERSIONS],[test "${enable_filename_versions}" = "yes"])
AC_ARG_ENABLE([doc],
[AS_HELP_STRING([--disable-doc], [disable doc installation @<:@enabled@:>@])],
,
@ -147,6 +152,8 @@ if test x"$MAKEDIST_BUILD_ONLY" != xyes; then
AX_NEED_EGREP()
AX_NEED_GREP()
AX_NEED_SED()
AX_NEED_PROG([READLINK], [readlink], [])
AX_NEED_PROG([DIRNAME], [dirname], [])
if test x"$enable_firehol" = xyes; then
AC_MSG_NOTICE([Detecting commands for firehol])
AX_NEED_PROG([CAT], [cat], [])
@ -154,14 +161,14 @@ AX_NEED_PROG([CHMOD], [chmod], [])
AX_NEED_PROG([CHOWN], [chown], [])
AX_NEED_PROG([CP], [cp], [])
AX_NEED_PROG([CUT], [cut], [])
AX_CHECK_PROG([DATE], [date], [])
AX_NEED_PROG([DATE], [date], [])
AX_NEED_PROG([EXPR], [expr], [])
AX_NEED_PROG([FIND], [find], [])
AX_NEED_PROG([FLOCK], [flock], [])
AX_NEED_PROG([FOLD], [fold], [])
AX_NEED_PROG([HEAD], [head], [])
AX_CHECK_PROG([HOSTNAMECMD], [hostname], [])
AX_CHECK_PROG([IP], [ip], [])
AX_NEED_PROG([HOSTNAMECMD], [hostname], [])
AX_NEED_PROG([IP], [ip], [])
if test x"$enable_ipv6" = xyes; then
AX_CHECK_PROG([IP6TABLES], [ip6tables], [])
fi
@ -196,11 +203,17 @@ AX_NEED_PROG([MORE], [cat], [])
AX_NEED_PROG([MV], [mv], [])
AX_CHECK_PROG([NFACCT], [nfacct], [])
AX_CHECK_PROG([RENICE], [renice], [])
if test x"$RENICE" = x; then
AC_SUBST([RENICE], [:])
fi
AX_NEED_PROG([RM], [rm], [])
AX_NEED_PROG([SLEEP], [sleep], [])
AX_NEED_PROG([SORT], [sort], [])
AX_CHECK_PROG([SS], [ss], [])
AX_NEED_PROG([SS], [ss], [])
AX_CHECK_PROG([STTY], [stty], [])
if test x"$STTY" = x; then
AC_SUBST([STTY], [:])
fi
AX_NEED_PROG([SYSCTL], [sysctl], [])
AX_NEED_PROG([TAIL], [tail], [])
AX_NEED_PROG([TOUCH], [touch], [])
@ -211,7 +224,7 @@ AX_NEED_PROG([UNIQ], [uniq], [])
AX_NEED_PROG([WC], [wc], [])
AX_CHECK_PROG([ZCAT], [zcat], [])
AX_CHECK_PROG([ZCAT], [gzcat], [])
AX_CHECK_PROG([ZCAT], [gzip], [-dc])
AX_NEED_PROG([ZCAT], [gzip], [-dc])
fi
if test x"$enable_fireqos" = xyes; then
AC_MSG_NOTICE([Detecting commands for fireqos])
@ -220,7 +233,7 @@ AX_NEED_PROG([CUT], [cut], [])
AX_NEED_PROG([DATE], [date], [])
AX_NEED_PROG([FLOCK], [flock], [])
AX_CHECK_PROG([GAWK], [gawk], [])
AX_CHECK_PROG([GAWK], [awk], [])
AX_NEED_PROG([GAWK], [awk], [])
AX_NEED_PROG([IP], [ip], [])
AX_NEED_PROG([LOGGER], [logger], [])
AX_NEED_PROG([LS], [ls], [])
@ -284,7 +297,6 @@ AX_NEED_PROG([CURL], [curl], [])
AX_NEED_PROG([CUT], [cut], [])
AX_NEED_PROG([DATE], [date], [])
AX_NEED_PROG([DIFF], [diff], [])
AX_NEED_PROG([DIRNAME], [dirname], [])
AX_NEED_PROG([FIND], [find], [])
AX_NEED_PROG([FLOCK], [flock], [])
AX_NEED_PROG([FOLD], [fold], [])
@ -302,6 +314,9 @@ AX_NEED_PROG([MKDIR], [mkdir], [])
AX_NEED_PROG([MKTEMP], [mktemp], [])
AX_NEED_PROG([MV], [mv], [])
AX_CHECK_PROG([RENICE], [renice], [])
if test x"$RENICE" = x; then
AC_SUBST([RENICE], [:])
fi
AX_NEED_PROG([RM], [rm], [])
AX_NEED_PROG([SORT], [sort], [])
AX_NEED_PROG([TAIL], [tail], [])
@ -343,13 +358,12 @@ AX_CHECK_MINVER([IPRANGE_VERSION], MIN_IPRANGE_VERSION, [$IPRANGE],
[], [AC_MSG_ERROR(could not find required version of iprange - check http://firehol.org/download/iprange/)])
fi
AC_SUBST([AUTOCONF_RUN], [Y])
AC_SUBST([firehollibexecdir], ["\$(libexecdir)/firehol/\$(PACKAGE_VERSION)"])
AC_CONFIG_FILES([
Makefile
sbin/Makefile
sbin/commands.sed
sbin/firehol.in
sbin/install.config.in
m4/Makefile
doc/Makefile
doc/firehol/Makefile
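Review bot: `AX_NEED_PROG([READLINK], [readlink], [])` in the second hunk makes readlink mandatory at configure time, yet as far as the visible sbin/install.config.in.in shows no `READLINK_CMD` is emitted, and sbin/firehol and sbin/fireqos call `/bin/readlink` by fixed path before any config is loaded, so the detected value is never consumed. If the check is only meant to prove the tool exists, say so next to it: `dnl readlink/dirname are only probed for presence; the scripts call them by fixed path before install.config is loaded`; otherwise either drop it or emit `READLINK_CMD` and use it. The promotion of DATE, HOSTNAMECMD, IP, SS, ZCAT and GAWK from `AX_CHECK_PROG` to `AX_NEED_PROG` turns previously optional tools into hard configure failures; that is presumably intended now that the runtime fallback list in the scripts is gone, but a comment at the first of them would save the next reader from wondering.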


@ -42,9 +42,7 @@ all-local: service-links
MKSERVICELINKS = ${top_srcdir}/doc/tools/mkservicelinks
FIREHOLIN = $(top_srcdir)/sbin/firehol.in
service-links: $(FIREHOLIN) services-db.data
service-links: $(top_srcdir)/sbin/firehol services-db.data
$(MKSERVICELINKS) service-links $+
endif


@ -151,9 +151,7 @@ FORMATTABLE = ${top_srcdir}/doc/tools/format-table
PANDOCPOST = ${top_srcdir}/doc/tools/pandoc-post
CHECKLINKS = ${top_srcdir}/doc/tools/check-links
FIREHOLIN = $(top_srcdir)/sbin/firehol.in
firehol-services.5.md: $(FIREHOLIN) ../services-db.data ../service-links
firehol-services.5.md: $(top_srcdir)/sbin/firehol ../services-db.data ../service-links
$(MKSERVICEMAN) firehol-services.5.md $+
contents.md: *.1.md *.5.md contents.tpl


@ -46,7 +46,11 @@ To build and install taking the default options:
./configure && make && sudo make install
Alternatively, just copy the `sbin/firehol.in` file to where you want it.
Since all components (including configuration files) will go
under `/usr/local`, you may prefer to configure more like this:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libexecdir=/usr/lib
All of the common SysVInit command line arguments are recognised which
makes it easy to deploy the script as a startup service.


@ -127,8 +127,6 @@ COMBINEPANDOC = ${top_srcdir}/doc/tools/combine-pandoc
PANDOCPOST = ${top_srcdir}/doc/tools/pandoc-post
CHECKLINKS = ${top_srcdir}/doc/tools/check-links
FIREHOLIN = $(top_srcdir)/sbin/firehol.in
man/man1/%.1: %.1.md
$(MKDIR_P) man/man1
$(SED) -e '/^%/s/DATE/@PACKAGE_BUILT_DATE@/' -e '/^%/s/VERSION/@PACKAGE_VERSION@/' $< > tmp-manproc


@ -62,8 +62,6 @@ COMBINEPANDOC = ${top_srcdir}/doc/tools/combine-pandoc
PANDOCPOST = ${top_srcdir}/doc/tools/pandoc-post
CHECKLINKS = ${top_srcdir}/doc/tools/check-links
FIREHOLIN = $(top_srcdir)/sbin/firehol.in
man/man1/%.1: %.1.md
$(MKDIR_P) man/man1
$(SED) -e '/^%/s/DATE/@PACKAGE_BUILT_DATE@/' -e '/^%/s/VERSION/@PACKAGE_VERSION@/' $< > tmp-manproc


@ -12,7 +12,7 @@ use File::Basename;
if (@ARGV == 0) {
print "Usage: ./packaging/firehol/detect-cmd.pl configure.ac sbin/file.in ...\n";
print "\n";
print "Finds usages of commands which should be converted to \$COMMAND_CMD format\n";
print "Finds usages of commands which should be converted to \@COMMAND\@ format\n";
exit 0;
}


@ -11,14 +11,15 @@ firehol_check_file() {
sbin/Makefile.in)
:
;;
configure.ac|sbin/commands.sed.in)
check_commands sbin/firehol.in || status=1
check_commands sbin/fireqos.in || status=1
check_commands sbin/link-balancer.in || status=1
check_commands sbin/update-ipsets.in || status=1
check_commands sbin/vnetbuild.in || status=1
configure.ac|sbin/install.config.in.in)
check_commands sbin/firehol || status=1
check_commands sbin/fireqos || status=1
check_commands sbin/link-balancer || status=1
check_commands sbin/update-ipsets || status=1
check_commands sbin/vnetbuild || status=1
check_detection_useful sbin/firehol sbin/fireqos sbin/link-balancer sbin/update-ipsets sbin/vnetbuild || status=1
;;
sbin/*.in)
sbin/firehol|sbin/fireqos|sbin/link-balancer|sbin/update-ipsets|sbin/vnetbuild)
check_commands $filename || status=1
;;
doc/services-db.data)
@ -50,8 +51,8 @@ check_commands() {
get_staged_file $1
get_staged_file configure.ac
get_staged_file sbin/commands.sed.in
get_staged_file sbin/functions.common.sh
get_staged_file sbin/install.config.in.in
get_staged_file sbin/functions.common
# Find commands that have been enclosed in quotes and remove anything after
# if nothing matched the substitution, proceed to the next line
@ -98,40 +99,25 @@ check_commands() {
cat $MYTMP/errors
fi
sed -n -e "s/^ *[YN]|//p" $MYTMP/files/$1 > $MYTMP/commands-defined
sed -n -e 's/\(.*_CMD\)="[@]\(.*\)[@]"/\1 \2/p' $MYTMP/files/sbin/install.config.in.in > $MYTMP/commands-defined
for cmd in $(tr " " "\n" < $MYTMP/files/$1 |
sed -n -e 's/.*\(\<[A-Z0-9_]*\)_CMD.*/\1/p' | sort | uniq)
sed -n -e 's/.*\(\<[A-Z0-9_]*_CMD\).*/\1/p' | sort | uniq)
do
if ! grep -q "^${cmd}_CMD|" $MYTMP/commands-defined
autocmd=`grep "^${cmd} " $MYTMP/commands-defined | cut -f2 -d' '`
if [ ! "$autocmd" ]
then
status=1
echo "Missing definition of $cmd in $1 detection table."
echo "sbin/install.config.in.in: missing definition of $cmd (for $1)"
fi
# Hostname is a special case - configure will expand it to running host,
# overwriting the value we wanted to use.
if [ "$cmd" = "HOSTNAME" ]; then cmd="HOSTNAMECMD"; fi
if ! grep -q "_${cmd}(\|\[$cmd\]" $MYTMP/files/configure.ac
if ! grep -q "_${autocmd}(\|\[$autocmd\]" $MYTMP/files/configure.ac
then
status=1
echo "Missing detection of $cmd for $1 in configure.ac"
echo "configure.ac: missing detection of $autocmd (for $1)"
fi
done
while IFS="|" read cmd subst defaults
do
if ! grep -q "\${*$cmd" $MYTMP/files/$1 $MYTMP/files/sbin/*.sh
then
status=1
echo "$cmd detected but never used in $1 or function libraries"
fi
if ! grep -q "#$subst#" $MYTMP/files/sbin/commands.sed.in
then
status=1
echo "$cmd detected but $subst never substituted by sbin/commands.sed.in"
fi
done < $MYTMP/commands-defined
(
a=`pwd`
cd $MYTMP/files
@ -141,3 +127,37 @@ check_commands() {
return $status
}
check_detection_useful() {
local status=0
touch $MYTMP/commands-checked
if grep -q -F -z "$1" $MYTMP/commands-checked
then
# Only check a file once - an edit to some files checks multiple
return 0
else
echo "$1" >> $MYTMP/commands-checked
fi
list=
for i in "$@"
do
get_staged_file $1
list="$list $MYTMP/files/$1"
done
get_staged_file configure.ac
get_staged_file sbin/install.config.in.in
get_staged_file sbin/functions.common
sed -n -e 's/\(.*_CMD\)="[@]\(.*\)[@]"/\1 \2/p' $MYTMP/files/sbin/install.config.in.in > $MYTMP/commands-defined
while read cmd subst
do
if ! grep -q "\${*$cmd" $list $MYTMP/files/sbin/functions.*
then
status=1
echo "$cmd detected but never used in $1 or function libraries"
fi
done < $MYTMP/commands-defined
}
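Review bot: In `check_detection_useful` the staging loop under `for i in "$@"` reads `$1` instead of the loop variable, so every iteration stages and lists only the first file; the body should be `get_staged_file $i` and `list="$list $MYTMP/files/$i"`. The function also never returns `$status`, so its exit code is that of the final `while` loop and the `|| status=1` at the call site in `firehol_check_file` can never fire; add `return $status` as the last line before the closing brace. `list` should be declared `local list=` next to `status` so it does not leak into the caller. The message "detected but never used in $1 or function libraries" would, once the loop is fixed, still name only the first file; `$*` would be accurate.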


@ -51,11 +51,7 @@ diff -r "$1" $MYTMP/unpack/* | grep "^Only" | sed \
-e '/: tmp-anchor-links$/d' \
-e '/: tmp-manproc$/d' \
-e '/: .*\.tar\.\(gz\|bz2\|xz\)$/d' \
-e '/: unittest$/d' \
-e '/: iprange$/d' \
-e '/: .*\.o$/d' \
-e '/sbin: \(firehol\|fireqos\|link-balancer\)$/d' \
-e '/sbin: \(update-ipsets\|vnetbuild\|commands.sed\)$/d' > $MYTMP/out
-e '/: unittest$/d' > $MYTMP/out
cat $MYTMP/out
test -s $MYTMP/out && exit 1


@ -1,38 +1,11 @@
# Process this file with automake to produce Makefile.in
libarchinddir = $(prefix)/lib
scriptsin = \
firehol.in \
fireqos.in \
link-balancer.in \
update-ipsets.in \
vnetbuild.in
inclibdir = @firehollibexecdir@
inclibdir = $(libarchinddir)/firehol
include $(top_srcdir)/build/subst.inc
SUFFIXES = .in
.in:
if [ "$@" = "commands.sed.in" ]; then \
true; \
elif sed \
-e '/^# Start defaults before configure/,/^# End/d' \
-e 's#[$$]prefix_POST#$(prefix)#g' \
-e 's#[$$]bindir_POST#$(bindir)#g' \
-e 's#[$$]libdir_POST#$(inclibdir)#g' \
-e 's#[$$]localstatedir_POST#$(localstatedir)#g' \
-e 's#[$$]sysconfdir_POST#$(sysconfdir)#g' \
-f commands.sed \
$< > $@.tmp; then \
mv "$@.tmp" "$@"; \
chmod 755 "$@"; \
else \
rm -f "$@.tmp"; \
false; \
fi
inclib_DATA = \
functions.common.sh
scripts =
if ENABLE_FIREHOL
@ -55,12 +28,29 @@ if ENABLE_VNETBUILD
scripts += vnetbuild
endif
sbin_SCRIPTS = $(scripts)
CLEANFILES = install.config
inclib_DATA = \
functions.common \
install.config \
$(NULL)
inclib_SCRIPTS = $(scripts)
EXTRA_DIST = \
commands.sed.in \
$(scriptsin) \
$(inclib_DATA)
functions.common \
install.config.in \
$(scripts) \
$(NULL)
uninstall-local:
install-exec-hook:
$(MKDIR_P) $(DESTDIR)$(sbindir)
for i in $(scripts); do \
$(RM) -f $(DESTDIR)$(sbindir)/$$i; \
$(LN_S) $(DESTDIR)$(inclibdir)/$$i $(DESTDIR)$(sbindir); done
uninstall-hook:
for i in $(scripts); do \
$(RM) -f $(DESTDIR)$(sbindir)/$$i; done
@-rmdir --ignore-fail-on-non-empty $(DESTDIR)$(inclibdir)
@-rmdir --ignore-fail-on-non-empty $(DESTDIR)$(sbindir)
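Review bot: The `install-exec-hook` symlink bakes `$(DESTDIR)` into the link target (`$(LN_S) $(DESTDIR)$(inclibdir)/$$i $(DESTDIR)$(sbindir)`), so a staged install (`make DESTDIR=/tmp/stage install`, as packaging workflows do) produces `sbindir/firehol` pointing at `/tmp/stage/...`, which dangles once the package lands on the real system. The target should be the final path and the link name explicit: `$(LN_S) $(inclibdir)/$$i $(DESTDIR)$(sbindir)/$$i; done`. With an absolute target, `$(LN_S)` falling back to `cp -p` on a system without symlinks would not find the source inside DESTDIR; acceptable for a Linux-only tool, but worth a one-line comment. Separately, `libarchinddir = $(prefix)/lib` ignores `--libexecdir` and `--libdir`, while the INSTALL and README hunks in this commit tell users to pass `--libexecdir=/usr/lib`; unless something outside this hunk consumes `libexecdir`, that advice is now a no-op and one of the two should change.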


@ -1,74 +0,0 @@
/VERSION=/s#'[$]Id.*'#'@PACKAGE_VERSION@'#g
s#[@]BRIDGE@#@BRIDGE@#g
s#[@]CAT@#@CAT@#g
s#[@]CHMOD@#@CHMOD@#g
s#[@]CHOWN@#@CHOWN@#g
s#[@]CP@#@CP@#g
s#[@]CURL@#@CURL@#g
s#[@]CUT@#@CUT@#g
s#[@]DATE@#@DATE@#g
s#[@]DIFF@#@DIFF@#g
s#[@]DIRNAME@#@DIRNAME@#g
s#[@]EGREP@#@EGREP@#g
s#[@]ENV@#@ENV@#g
s#[@]EXPR@#@EXPR@#g
s#[@]FIND@#@FIND@#g
s#[@]FLOCK@#@FLOCK@#g
s#[@]FOLD@#@FOLD@#g
s#[@]FUNZIP@#@FUNZIP@#g
s#[@]JQ@#@JQ@#g
s#[@]GAWK@#@GAWK@#g
s#[@]GIT@#@GIT@#g
s#[@]GREP@#@GREP@#g
s#[@]HEAD@#@HEAD@#g
s#[@]HOSTNAMECMD@#@HOSTNAMECMD@#g
s#[@]IP6TABLES@#@IP6TABLES@#g
s#[@]IP6TABLES_RESTORE@#@IP6TABLES_RESTORE@#g
s#[@]IP6TABLES_SAVE@#@IP6TABLES_SAVE@#g
s#[@]IP@#@IP@#g
s#[@]IPRANGE@#@IPRANGE@#g
s#[@]IPSET@#@IPSET@#g
s#[@]IPTABLES@#@IPTABLES@#g
s#[@]IPTABLES_RESTORE@#@IPTABLES_RESTORE@#g
s#[@]IPTABLES_SAVE@#@IPTABLES_SAVE@#g
s#[@]JQ@#@JQ@#g
s#[@]LN@#@LN@#g
s#[@]LOGGER@#@LOGGER@#g
s#[@]LS@#@LS@#g
s#[@]LSMOD@#@LSMOD@#g
s#[@]MKDIR@#@MKDIR@#g
s#[@]MKTEMP@#@MKTEMP@#g
s#[@]MODPROBE@#@MODPROBE@#g
s#[@]MORE@#@MORE@#g
s#[@]MV@#@MV@#g
s#[@]NEATO@#@NEATO@#g
s#[@]NFACCT@#@NFACCT@#g
s#[@]PING6@#@PING6@#g
s#[@]PING@#@PING@#g
s#[@]RENICE@#@RENICE@#g
s#[@]RMMOD@#@RMMOD@#g
s#[@]RM@#@RM@#g
s#[@]SCREEN@#@SCREEN@#g
s#[@]SED@#@SED@#g
s#[@]SEQ@#@SEQ@#g
s#[@]SH@#@SH@#g
s#[@]SLEEP@#@SLEEP@#g
s#[@]SORT@#@SORT@#g
s#[@]SS@#@SS@#g
s#[@]STTY@#@STTY@#g
s#[@]SYSCTL@#@SYSCTL@#g
s#[@]TAIL@#@TAIL@#g
s#[@]TAR@#@TAR@#g
s#[@]TCPDUMP@#@TCPDUMP@#g
s#[@]TC@#@TC@#g
s#[@]TOUCH@#@TOUCH@#g
s#[@]TPUT@#@TPUT@#g
s#[@]TRACEROUTE@#@TRACEROUTE@#g
s#[@]TR@#@TR@#g
s#[@]UNAME@#@UNAME@#g
s#[@]UNIQ@#@UNIQ@#g
s#[@]UNZIP@#@UNZIP@#g
s#[@]WC@#@WC@#g
s#[@]WGET@#@WGET@#g
s#[@]WHOIS@#@WHOIS@#g
s#[@]ZCAT@#@ZCAT@#g


@ -25,31 +25,28 @@
# See the file COPYING for details.
#
VERSION='$Id$'
PROGRAM_FILE="${0}"
PROGRAM_DIR="${0%/*}"
if [ "$PROGRAM_DIR" = "$0" ]; then PROGRAM_DIR="."; fi
PROGRAM_FILE="$(/bin/readlink $0)"
PROGRAM_FILE="${PROGRAM_FILE:-$0}"
if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]
then
PROGRAM_DIR="${FIREHOL_OVERRIDE_PROGRAM_DIR}"
else
PROGRAM_DIR="$(/usr/bin/dirname "$PROGRAM_FILE")"
fi
PROGRAM_PWD="${PWD}"
declare -a PROGRAM_ORIGINAL_ARGS=("${@}")
# Start defaults before configure
prefix_POST=/usr
sysconfdir_POST=/etc
localstatedir_POST=/var
libdir_POST=$PROGRAM_DIR
# End defaults before configure
for functions_file in $libdir_POST/functions.common.sh
for functions_file in install.config functions.common
do
if [ -r $functions_file ]
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source $functions_file
source "$PROGRAM_DIR/$functions_file"
else
1>&2 echo "Cannot access $functions_file"
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
fi
done
FIREHOL_CONFIG_DIR="$sysconfdir_POST/firehol"
common_disable_localization || exit
common_private_umask || exit
common_require_root || exit
@ -232,16 +229,6 @@ markdef() {
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
if [ "@AUTOCONF_RUN@" = "Y" ]
then
FIREHOL_AUTOSAVE="@FIREHOL_AUTOSAVE@"
FIREHOL_AUTOSAVE6="@FIREHOL_AUTOSAVE6@"
ENABLE_IPV4="@IPV4_ENABLED@"
ENABLE_IPV6="@IPV6_ENABLED@"
else
FIREHOL_CONFIG_DIR="/etc/firehol"
fi
# --- BEGIN OF FIREHOL DEFAULTS ---
# These are the defaults for FireHOL.
@ -252,26 +239,23 @@ fi
# FireHOL config directory.
# EVEN IF YOU CHANGE THIS, THE firehol-defaults.conf FILE
# SHOULD STILL EXIST IN THE ORIGINAL $FIREHOL_CONFIG_DIR
FIREHOL_CONFIG_DIR="$FIREHOL_CONFIG_DIR"
# SHOULD STILL EXIST IN THE ORIGINAL $SYSCONFDIR/firehol
FIREHOL_CONFIG_DIR="${FIREHOL_CONFIG_DIR}"
# FireHOL services directory.
# FireHOL will look into this directory for service
# definition files (*.conf).
# Package maintainers may install their service definitions
# in this directory.
# Default: /etc/firehol/services
FIREHOL_SERVICES_DIR="${FIREHOL_CONFIG_DIR}/services"
# Default: $SYSCONFDIR/firehol/services
FIREHOL_SERVICES_DIR="${FIREHOL_SERVICES_DIR}"
# Where to permanently save state information?
# Default: /var/spool/firehol
FIREHOL_SPOOL_DIR="/var/spool/firehol"
# Default: $LOCALSTATEDIR/spool/firehol
FIREHOL_SPOOL_DIR="${FIREHOL_SPOOL_DIR}"
# Where temporary files should go?
# /var/run is usualy a ram drive, so we prefer to use
# this for temporary files.
# Default: /var/run/firehol
FIREHOL_RUN_DIR="/var/run/firehol"
FIREHOL_RUN_DIR="${FIREHOL_RUN_DIR}"
# show a spinner during processing that shows
# number of iptables statements generated
@ -780,7 +764,7 @@ IPTRAP_DEFAULT_IPSET_COUNTERS_OPTIONS="timeout 3600 counters"
# FireHOL will overwite these settings with the contents of the files with
# the same names in ${FIREHOL_CONFIG_DIR}.
#
# For example, RESERVED_IPV4 will be set from /etc/firehol/RESERVED_IPV4
# For example, RESERVED_IPV4 will be set from $SYSCONFDIR/firehol/RESERVED_IPV4
# IANA reserved address space that should never appear
RESERVED_IPV4="0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 "
@ -848,59 +832,6 @@ fi
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
common_load_commands $PROGRAM_FILE @AUTOCONF_RUN@ <<-!
Y|CAT_CMD|@CAT@|cat
Y|CUT_CMD|@CUT@|cut
Y|CHOWN_CMD|@CHOWN@|chown
Y|CHMOD_CMD|@CHMOD@|chmod
Y|EGREP_CMD|@EGREP@|egrep 'grep -E'
Y|EXPR_CMD|@EXPR@|expr
Y|FIND_CMD|@FIND@|find
Y|FOLD_CMD|@FOLD@|fold
Y|GREP_CMD|@GREP@|grep
Y|HEAD_CMD|@HEAD@|head
Y|TAIL_CMD|@TAIL@|tail
Y|LS_CMD|@LS@|ls
Y|LSMOD_CMD|@LSMOD@|lsmod
Y|MKDIR_CMD|@MKDIR@|mkdir
Y|MKTEMP_CMD|@MKTEMP@|mktemp
Y|MV_CMD|@MV@|mv
Y|RM_CMD|@RM@|rm
Y|SED_CMD|@SED@|sed
Y|SORT_CMD|@SORT@|sort
Y|SYSCTL_CMD|@SYSCTL@|sysctl
Y|TOUCH_CMD|@TOUCH@|touch
Y|TR_CMD|@TR@|tr
Y|UNAME_CMD|@UNAME@|uname
Y|UNIQ_CMD|@UNIQ@|uniq
Y|LOGGER_CMD|@LOGGER@|logger
Y|FLOCK_CMD|@FLOCK@|flock
N|NFACCT_CMD|@NFACCT@|nfacct
N|IPRANGE_CMD|@IPRANGE@|iprange
N|IPSET_CMD|@IPSET@|ipset
N|IPTABLES_CMD|@IPTABLES@|iptables
N|IP6TABLES_CMD|@IP6TABLES@|ip6tables
N|IPTABLES_SAVE_CMD|@IPTABLES_SAVE@|iptables-save
N|IP6TABLES_SAVE_CMD|@IP6TABLES_SAVE@|ip6tables-save
N|IPTABLES_RESTORE_CMD|@IPTABLES_RESTORE@|iptables-restore
N|IP6TABLES_RESTORE_CMD|@IP6TABLES_RESTORE@|ip6tables-restore
Y|MORE_CMD|@MORE@|pager less more cat
Y|RENICE_CMD|@RENICE@|renice :
Y|STTY_CMD|@STTY@|stty :
N|ZCAT_CMD|@ZCAT@|zcat gzcat "gzip -dc"
N|MODPROBE_CMD|@MODPROBE@|'modprobe -q' insmod
N|IP_CMD|@IP@|ip
N|SS_CMD|@SS@|ss
N|DATE_CMD|@DATE@|date
N|HOSTNAME_CMD|@HOSTNAMECMD@|hostname
N|TPUT_CMD|@TPUT@|tput
Y|WC_CMD|@WC@|wc
Y|CP_CMD|@CP@|cp
Y|SLEEP_CMD|@SLEEP@|sleep
!
status=$?
test $status -eq 0 || exit $status
emit_version() {
${CAT_CMD} <<EOF
@ -931,16 +862,16 @@ test ${RUNNING_ON_TERMINAL} -eq 0 && FIREHOL_ENABLE_SPINNER=0
FIREHOL_HAVE_IPRANGE=1
IPRANGE_WARNING=0
IPRANGE_REDUCE=Y
if [ ! -z "${IPRANGE_CMD}" ]
then
${IPRANGE_CMD} --has-reduce 2>/dev/null || IPRANGE_CMD=
${IPRANGE_CMD} --has-reduce 2>/dev/null || IPRANGE_REDUCE=
fi
if [ -z "${IPRANGE_CMD}" ]
if [ -z "${IPRANGE_CMD}" -o -z "$IPRANGE_REDUCE" ]
then
FIREHOL_HAVE_IPRANGE=0
IPRANGE_WARNING=1
IPRANGE_CMD=
fi
ENABLE_ACCOUNTING=1
@ -1003,6 +934,15 @@ then
fi
fi
if [ ! ${FIREHOL_LOAD_KERNEL_MODULES} -eq 0 ]
then
if [ -z "${MODPROBE_CMD}" ]
then
echo >&2 " WARNING: no modprobe command: module loading disabled"
FIREHOL_LOAD_KERNEL_MODULES=0
fi
fi
firehol_concurrent_run_lock() {
exec 200>"${FIREHOL_LOCK_FILE}"
if [ $? -ne 0 ]; then exit; fi
@ -12469,7 +12409,7 @@ then
then
# RedHat
FIREHOL_AUTOSAVE="/etc/sysconfig/iptables"
elif [ -d "/var/lib/iptables" ]
elif [ -d "$LOCALSTATEDIR/lib/iptables" ]
then
if [ -f /etc/conf.d/iptables ]
then
@ -12483,7 +12423,7 @@ then
if [ -z "${FIREHOL_AUTOSAVE}" ]
then
# Debian
FIREHOL_AUTOSAVE="/var/lib/iptables/autosave"
FIREHOL_AUTOSAVE="$LOCALSTATEDIR/lib/iptables/autosave"
fi
else
error "Cannot find where to save iptables file. Please set FIREHOL_AUTOSAVE."
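Review bot: The new prologue honours `FIREHOL_OVERRIDE_PROGRAM_DIR` unconditionally and sources `install.config` and `functions.common` from it before any other check runs, so whoever controls the environment of a root invocation (a sudo rule with `env_keep`/`setenv`, a wrapper or service unit that passes the environment through) controls what is executed as root. If the override is meant for development, gate it on ownership and permissions, e.g. `if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ] && [ -O "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]` plus a rejection of group/world-writable directories, and state in a comment that it is a developer knob. Separately, `/bin/readlink $0` resolves only one level of symlink and returns a relative target for relative links, after which `dirname` yields a path relative to the current directory rather than to the link, so `install.config` is not found; `readlink -f` (or a resolution loop) would make the lookup robust, and `$0` should be quoted. The identical prologue in sbin/fireqos has the same two issues, and per the commit message presumably link-balancer, update-ipsets and vnetbuild outside this page as well.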


@ -25,31 +25,28 @@
# See the file COPYING for details.
#
VERSION='$Id$'
PROGRAM_FILE="${0}"
PROGRAM_DIR="${0%/*}"
if [ "$PROGRAM_DIR" = "$0" ]; then PROGRAM_DIR="."; fi
PROGRAM_FILE="$(/bin/readlink $0)"
PROGRAM_FILE="${PROGRAM_FILE:-$0}"
if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]
then
PROGRAM_DIR="${FIREHOL_OVERRIDE_PROGRAM_DIR}"
else
PROGRAM_DIR="$(/usr/bin/dirname "$PROGRAM_FILE")"
fi
PROGRAM_PWD="${PWD}"
declare -a PROGRAM_ORIGINAL_ARGS=("${@}")
# Start defaults before configure
prefix_POST=/usr
sysconfdir_POST=/etc
localstatedir_POST=/var
libdir_POST=$PROGRAM_DIR
# End defaults before configure
for functions_file in $libdir_POST/functions.common.sh
for functions_file in install.config functions.common
do
if [ -r $functions_file ]
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source $functions_file
source "$PROGRAM_DIR/$functions_file"
else
1>&2 echo "Cannot access $functions_file"
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
fi
done
FIREHOL_CONFIG_DIR="$sysconfdir_POST/firehol"
common_disable_localization || exit
common_public_umask || exit
common_require_root || exit
@ -63,9 +60,9 @@ shopt -s extglob
FIREQOS_SYSLOG_FACILITY="daemon"
FIREQOS_CONFIG="${FIREHOL_CONFIG_DIR}/fireqos.conf"
FIREQOS_LOCK_FILE=/var/run/fireqos.lock
FIREQOS_LOCK_FILE="$LOCALSTATEDIR/run/fireqos.lock"
FIREQOS_LOCK_FILE_TIMEOUT=600
FIREQOS_DIR=/var/run/fireqos
FIREQOS_DIR="$LOCALSTATEDIR/run/fireqos"
FIREQOS_SAVE="${FIREQOS_DIR}/.tmp.save.$$.$RANDOM"
# Gets set to 1 if this system cannot handle sub-second resolution
@ -111,35 +108,6 @@ then
source "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
fi
common_load_commands $PROGRAM_FILE @AUTOCONF_RUN@ <<-!
N|TPUT_CMD|@TPUT@|tput
Y|IP_CMD|@IP@|ip
Y|MODPROBE_CMD|@MODPROBE@|'modprobe -q' insmod
Y|RMMOD_CMD|@RMMOD@|rmmod
Y|FLOCK_CMD|@FLOCK@|flock
Y|GREP_CMD|@GREP@|grep
Y|EGREP_CMD|@EGREP@|egrep 'grep -E'
Y|CAT_CMD|@CAT@|cat
Y|CUT_CMD|@CUT@|cut
Y|SED_CMD|@SED@|sed
Y|TOUCH_CMD|@TOUCH@|touch
Y|TR_CMD|@TR@|tr
Y|MV_CMD|@MV@|mv
Y|LOGGER_CMD|@LOGGER@|logger
Y|MKDIR_CMD|@MKDIR@|mkdir
Y|SLEEP_CMD|@SLEEP@|sleep
Y|RM_CMD|@RM@|rm
Y|TC_CMD|@TC@|tc
N|GAWK_CMD|@GAWK@|gawk awk
N|TCPDUMP_CMD|@TCPDUMP@|tcpdump
Y|SEQ_CMD|@SEQ@|seq
Y|LS_CMD|@LS@|ls
Y|DATE_CMD|@DATE@|date
Y|TAIL_CMD|@TAIL@|tail
!
status=$?
test $status -eq 0 || exit $status
RUNNING_ON_TERMINAL=0
if [ "z$1" = "z-nc" ]
then
@ -277,7 +245,6 @@ declare -A MARKS_MASKS='([connmark]="0x0000003f" [usermark]="0x00001fc0" )'
declare -A MARKS_MAX='([connmark]="63" [usermark]="127" )'
declare -A MARKS_SHIFT='([connmark]="0" [usermark]="6" )'
FIREHOL_SPOOL_DIR="${FIREHOL_SPOOL_DIR-/var/spool/firehol}"
if [ -f "${FIREHOL_SPOOL_DIR}/marks.conf" ]
then
source "${FIREHOL_SPOOL_DIR}/marks.conf" || exit 1

sbin/functions.common Normal file

@ -0,0 +1,99 @@
#
# Copyright
#
# Copyright (C) 2003-2014 Costa Tsaousis <costa@tsaousis.gr>
# Copyright (C) 2012-2014 Phil Whineray <phil@sanewall.org>
#
# See sbin/firehol.in for details
#
# This file contains functions used by the firehol suite.
# To keep the namespace clean, functions defined in functions.x.sh
# should be of the form x_whatever() if they are intended for general
# use or int_x_whatever() if they are intended as helpers to the other
# functions in the file.
#
common_require_cmd() {
local progname="$1" var="$2" val=
eval val=\$\{${var}\}
if [ "${val}" ]
then
return 0
fi
$CAT_CMD >&2 <<-__EOF__
ERROR: $progname feature requires $var
You have invoked the program requesting a feature which uses
a program which was not available when $progname was installed.
Please re-install $progname with a suitable command available.
__EOF__
exit 1
}
common_require_root() {
if [ "${UID}" != 0 ]
then
echo >&2
echo >&2 "ERROR:"
echo >&2 "Only user root can run ${1}"
echo >&2
return 1
fi
return 0
}
common_disable_localization() {
export LC_ALL=C
}
common_private_umask() {
# Make sure our generated files cannot be accessed by anyone else.
umask 077
}
common_public_umask() {
# let everyone read our status info
umask 022
}
common_setup_terminal() {
# Are stdout/stderr on the terminal? If not, then fail
test -t 2 || return 1
test -t 1 || return 1
if [ ! -z "$TPUT_CMD" ]
then
if [ $[$($TPUT_CMD colors 2>/dev/null)] -ge 8 ]
then
# Enable colors
COLOR_RESET="\e[0m"
COLOR_BLACK="\e[30m"
COLOR_RED="\e[31m"
COLOR_GREEN="\e[32m"
COLOR_YELLOW="\e[33m"
COLOR_BLUE="\e[34m"
COLOR_PURPLE="\e[35m"
COLOR_CYAN="\e[36m"
COLOR_WHITE="\e[37m"
COLOR_BGBLACK="\e[40m"
COLOR_BGRED="\e[41m"
COLOR_BGGREEN="\e[42m"
COLOR_BGYELLOW="\e[43m"
COLOR_BGBLUE="\e[44m"
COLOR_BGPURPLE="\e[45m"
COLOR_BGCYAN="\e[46m"
COLOR_BGWHITE="\e[47m"
COLOR_BOLD="\e[1m"
COLOR_DIM="\e[2m"
COLOR_UNDERLINED="\e[4m"
COLOR_BLINK="\e[5m"
COLOR_INVERTED="\e[7m"
fi
fi
return 0
}
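Review bot: The header comment is stale on arrival: `# See sbin/firehol.in for details` points at a file this commit deletes, and the naming rule speaks of `functions.x.sh` although the file is now installed as `functions.common` with no suffix; change them to `# See sbin/firehol for details` and `# To keep the namespace clean, functions defined in functions.x`. A one-line note that the file is sourced rather than executed, and relies on bash (it reads `${UID}` and uses `$[ ]`), would help anyone reading it outside sbin/firehol. In `common_setup_terminal`, `$[ ... ]` is the deprecated bash arithmetic form; `$(( $($TPUT_CMD colors 2>/dev/null) ))` is the current spelling and should evaluate the same way, including to 0 when tput prints nothing. `common_require_cmd` runs `eval val=\$\{${var}\}` on a caller-supplied name; every visible caller passes a literal, so this is fine today, but a comment stating that `var` must be a trusted identifier documents the assumption.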


@ -1,239 +0,0 @@
#
# Copyright
#
# Copyright (C) 2003-2014 Costa Tsaousis <costa@tsaousis.gr>
# Copyright (C) 2012-2014 Phil Whineray <phil@sanewall.org>
#
# See sbin/firehol.in for details
#
# This file contains functions used by the firehol suite.
# To keep the namespace clean, functions defined in functions.x.sh
# should be of the form x_whatever() if they are intended for general
# use or int_x_whatever() if they are intended as helpers to the other
# functions in the file.
#
which_cmd() {
local name="$1"
shift
if [ "$1" = ":" ]
then
eval $name=":"
return 0
fi
unalias $1 >/dev/null 2>&1
local cmd=
IFS= read cmd <<-EOF
$(which $1 2> /dev/null)
EOF
if [ $? -gt 0 -o ! -x "${cmd}" ]
then
return 1
fi
shift
if [ $# -eq 0 ]
then
eval $name="'${cmd}'"
else
eval $name="'${cmd} ${@}'"
fi
return 0
}
common_require_cmd() {
local progname= var= val= block=1
progname="$1"
shift
if [ "$1" = "-n" ]
then
block=0
shift
fi
var="$1"
shift
eval val=\$\{${var}\} || return 2
if [ "${val}" ]
then
local cmd="${val/ */}"
if [ "$cmd" != ":" -a ! -x "$cmd" ]
then
echo >&2
if [ $block -eq 0 ]
then
echo >&2 "WARNING: optional command does not exist or is not executable ($cmd)"
echo >&2 "please add or correct $var in firehol-defaults.conf"
val=""
else
echo >&2 "ERROR: required command does not exist or is not executable ($cmd)"
echo >&2 "please add or correct $var in firehol-defaults.conf"
return 2
fi
fi
# link-balancer calls itself; export our findings so
# we do not repeat all of the lookups
eval export "$var"
return 0
elif [ $block -eq 0 ]
then
eval set -- "$@"
for cmd in "$@"
do
eval "NEED_${var}"="\$NEED_${var}' ${cmd/ */}'"
done
return 0
fi
if [ $# -eq 0 ]
then
eval set -- "\$NEED_${var}"
fi
echo >&2
echo >&2 "ERROR: $progname REQUIRES ONE OF THESE COMMANDS:"
echo >&2
echo >&2 " ${@}"
echo >&2
echo >&2 " You have requested the use of a $progname"
echo >&2 " feature that requires certain external programs"
echo >&2 " to be installed in the running system."
echo >&2
echo >&2 " Please consult your Linux distribution manual to"
echo >&2 " install the package(s) that provide these external"
echo >&2 " programs and retry."
echo >&2
echo >&2 " Note that you need an operational 'which' command"
echo >&2 " for $progname to find all the external programs it"
echo >&2 " needs. Check it yourself. Run:"
echo >&2
for x in "${@}"
do
echo >&2 " which $x"
done
return 2
}
int_common_which_all() {
local cmd_var="$1"
eval set -- "$2"
for cmd in "$@"
do
which_cmd $cmd_var $cmd && break
done
}
# Where required = Y, if a command is not found, FireHOL will refuse to run.
# Where required = N, the command only required when it is actually used
#
# If a command is specified in /etc/firehol/firehol-defaults.conf it will
# be used. Otherwise, if the script has been configured with ./configure
# the detected versions will be used. If the script has not been configured
# then the list of possible commands is autodetected.
common_load_commands() {
local progname="$1"
shift
local AUTOCONF_RUN="$1"
shift
while IFS="|" read required cmd_var autoconf possibles
do
if [ "$AUTOCONF_RUN" = "Y" ]
then
case "$autoconf" in
"@"*) autoconf=""; ;;
esac
fi
eval set_in_defaults=\"\$$cmd_var\"
if [ "$set_in_defaults" ]
then
:
elif [ "$AUTOCONF_RUN" = "Y" -a ! -z "$autoconf" ]
then
eval $cmd_var=\"$autoconf\"
else
dirname="${0%/*}"
if [ "$dirname" = "$0" ]; then dirname="."; fi
PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH:$dirname" int_common_which_all $cmd_var "$possibles"
fi
if [ "$required" = "Y" ]
then
common_require_cmd $progname $cmd_var $possibles || return
else
common_require_cmd $progname -n $cmd_var $possibles || return
fi
done
}
common_require_root() {
if [ "${UID}" != 0 ]
then
echo >&2
echo >&2 "ERROR:"
echo >&2 "Only user root can run ${1}"
echo >&2
return 1
fi
return 0
}
common_disable_localization() {
export LC_ALL=C
}
common_private_umask() {
# Make sure our generated files cannot be accessed by anyone else.
umask 077
}
common_public_umask() {
# let everyone read our status info
umask 022
}
common_setup_terminal() {
# Are stdout/stderr on the terminal? If not, then fail
test -t 2 || return 1
test -t 1 || return 1
if [ ! -z "$TPUT_CMD" ]
then
if [ $[$($TPUT_CMD colors 2>/dev/null)] -ge 8 ]
then
# Enable colors
COLOR_RESET="\e[0m"
COLOR_BLACK="\e[30m"
COLOR_RED="\e[31m"
COLOR_GREEN="\e[32m"
COLOR_YELLOW="\e[33m"
COLOR_BLUE="\e[34m"
COLOR_PURPLE="\e[35m"
COLOR_CYAN="\e[36m"
COLOR_WHITE="\e[37m"
COLOR_BGBLACK="\e[40m"
COLOR_BGRED="\e[41m"
COLOR_BGGREEN="\e[42m"
COLOR_BGYELLOW="\e[43m"
COLOR_BGBLUE="\e[44m"
COLOR_BGPURPLE="\e[45m"
COLOR_BGCYAN="\e[46m"
COLOR_BGWHITE="\e[47m"
COLOR_BOLD="\e[1m"
COLOR_DIM="\e[2m"
COLOR_UNDERLINED="\e[4m"
COLOR_BLINK="\e[5m"
COLOR_INVERTED="\e[7m"
fi
fi
return 0
}

sbin/install.config.in.in Normal file

@ -0,0 +1,89 @@
VERSION=@PACKAGE_VERSION@
DATAROOTDIR="@datarootdir_POST@"
SYSCONFDIR="@sysconfdir_POST@"
LOCALSTATEDIR="@localstatedir_POST@"
# Default directories (file "${FIREHOL_CONFIG_DIR}/firehol.defaults" overrides)
FIREHOL_CONFIG_DIR="$SYSCONFDIR/firehol"
FIREHOL_SERVICES_DIR="$SYSCONFDIR/firehol/services"
FIREHOL_SHARE_DIR="$DATAROOTDIR/firehol"
FIREHOL_SPOOL_DIR="$LOCALSTATEDIR/spool/firehol"
FIREHOL_RUN_DIR="$LOCALSTATEDIR/run/firehol"
ENABLE_IPV4=@IPV4_ENABLED@
ENABLE_IPV6=@IPV6_ENABLED@
BRIDGE_CMD="@BRIDGE@"
CAT_CMD="@CAT@"
CHMOD_CMD="@CHMOD@"
CHOWN_CMD="@CHOWN@"
CP_CMD="@CP@"
CURL_CMD="@CURL@"
CUT_CMD="@CUT@"
DATE_CMD="@DATE@"
DIFF_CMD="@DIFF@"
DIRNAME_CMD="@DIRNAME@"
EGREP_CMD="@EGREP@"
ENV_CMD="@ENV@"
EXPR_CMD="@EXPR@"
FIND_CMD="@FIND@"
FLOCK_CMD="@FLOCK@"
FOLD_CMD="@FOLD@"
FUNZIP_CMD="@FUNZIP@"
JQ_CMD="@JQ@"
GAWK_CMD="@GAWK@"
GIT_CMD="@GIT@"
GREP_CMD="@GREP@"
HEAD_CMD="@HEAD@"
HOSTNAME_CMD="@HOSTNAMECMD@"
IP6TABLES_CMD="@IP6TABLES@"
IP6TABLES_RESTORE_CMD="@IP6TABLES_RESTORE@"
IP6TABLES_SAVE_CMD="@IP6TABLES_SAVE@"
IP_CMD="@IP@"
IPRANGE_CMD="@IPRANGE@"
IPSET_CMD="@IPSET@"
IPTABLES_CMD="@IPTABLES@"
IPTABLES_RESTORE_CMD="@IPTABLES_RESTORE@"
IPTABLES_SAVE_CMD="@IPTABLES_SAVE@"
JQ_CMD="@JQ@"
LN_CMD="@LN@"
LOGGER_CMD="@LOGGER@"
LS_CMD="@LS@"
LSMOD_CMD="@LSMOD@"
MKDIR_CMD="@MKDIR@"
MKTEMP_CMD="@MKTEMP@"
MODPROBE_CMD="@MODPROBE@"
MORE_CMD="@MORE@"
MV_CMD="@MV@"
NEATO_CMD="@NEATO@"
NFACCT_CMD="@NFACCT@"
PING6_CMD="@PING6@"
PING_CMD="@PING@"
RENICE_CMD="@RENICE@"
RMMOD_CMD="@RMMOD@"
RM_CMD="@RM@"
SCREEN_CMD="@SCREEN@"
SED_CMD="@SED@"
SEQ_CMD="@SEQ@"
SH_CMD="@SH@"
SLEEP_CMD="@SLEEP@"
SORT_CMD="@SORT@"
SS_CMD="@SS@"
STTY_CMD="@STTY@"
SYSCTL_CMD="@SYSCTL@"
TAIL_CMD="@TAIL@"
TAR_CMD="@TAR@"
TCPDUMP_CMD="@TCPDUMP@"
TC_CMD="@TC@"
TOUCH_CMD="@TOUCH@"
TPUT_CMD="@TPUT@"
TRACEROUTE_CMD="@TRACEROUTE@"
TR_CMD="@TR@"
UNAME_CMD="@UNAME@"
UNIQ_CMD="@UNIQ@"
UNZIP_CMD="@UNZIP@"
WC_CMD="@WC@"
WGET_CMD="@WGET@"
WHOIS_CMD="@WHOIS@"
ZCAT_CMD="@ZCAT@"
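Review bot: `JQ_CMD="@JQ@"` is assigned twice in this new file, once between FUNZIP_CMD and GAWK_CMD and again after IPTABLES_SAVE_CMD; the second assignment is harmless today but the first one is out of alphabetical order and will confuse anyone grepping for where a command is set, so drop the earlier line. The file also carries no hint that it is a template consumed by both configure and the `.in` rule in build/subst.inc, and the rendered install.config is later sourced verbatim by programs that run as root, so a header such as `# Template for sbin/install.config: @VAR@ is filled by configure, @*_POST@ by make (build/subst.inc). Do not edit the generated file.` would help the next packager understand what each placeholder expands to and when.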


@ -25,31 +25,28 @@
# See the file COPYING for details.
#
VERSION='$Id$'
PROGRAM_FILE="${0}"
PROGRAM_DIR="${0%/*}"
if [ "$PROGRAM_DIR" = "$0" ]; then PROGRAM_DIR="."; fi
PROGRAM_FILE="$(/bin/readlink $0)"
PROGRAM_FILE="${PROGRAM_FILE:-$0}"
if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]
then
PROGRAM_DIR="${FIREHOL_OVERRIDE_PROGRAM_DIR}"
else
PROGRAM_DIR="$(/usr/bin/dirname "$PROGRAM_FILE")"
fi
PROGRAM_PWD="${PWD}"
declare -a PROGRAM_ORIGINAL_ARGS=("${@}")
# Start defaults before configure
prefix_POST=/usr
sysconfdir_POST=/etc
localstatedir_POST=/var
libdir_POST=$PROGRAM_DIR
# End defaults before configure
for functions_file in $libdir_POST/functions.common.sh
for functions_file in install.config functions.common
do
if [ -r $functions_file ]
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source $functions_file
source "$PROGRAM_DIR/$functions_file"
else
1>&2 echo "Cannot access $functions_file"
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
fi
done
FIREHOL_CONFIG_DIR="$sysconfdir_POST/firehol"
common_disable_localization || exit
common_private_umask || exit
common_require_root || exit
@ -63,7 +60,7 @@ if [ "$LB_DEBUGGING" ]; then set -v; set -x; fi
# link-balancer temporary directory.
# every instance of link-balancer creates a random directory
# within this one.
LB_RUN_DIR="/var/run/link-balancer"
LB_RUN_DIR="$LOCALSTATEDIR/run/link-balancer"
# If this is set to 1, no checks will be made if the gateways are available.
# All gateways will be assumed active, if their interfaces are found
@ -112,44 +109,6 @@ fi
# temporary variable (default LB_DEFAULT_IPV=4)
LB_IPV=
# Load commands link-balancer will need.
common_load_commands $PROGRAM_FILE @AUTOCONF_RUN@ <<-!
Y|IP_CMD|@IP@|ip
Y|DIFF_CMD|@DIFF@|diff
Y|FLOCK_CMD|@FLOCK@|flock
Y|GREP_CMD|@GREP@|grep
Y|EGREP_CMD|@EGREP@|egrep 'grep -E'
Y|CUT_CMD|@CUT@|cut
Y|CAT_CMD|@CAT@|cat
Y|SED_CMD|@SED@|sed
Y|TR_CMD|@TR@|tr
Y|LN_CMD|@LN@|ln
Y|LS_CMD|@LS@|ls
Y|SLEEP_CMD|@SLEEP@|sleep
Y|TOUCH_CMD|@TOUCH@|touch
Y|LOGGER_CMD|@LOGGER@|logger
Y|MKDIR_CMD|@MKDIR@|mkdir
Y|CHOWN_CMD|@CHOWN@|chown
Y|CHMOD_CMD|@CHMOD@|chmod
Y|RM_CMD|@RM@|rm
Y|PING_CMD|@PING@|ping
Y|PING6_CMD|@PING6@|ping6 'ping -6'
Y|TRACEROUTE_CMD|@TRACEROUTE@|traceroute
Y|SORT_CMD|@SORT@|sort
Y|MKTEMP_CMD|@MKTEMP@|mktemp
Y|ENV_CMD|@ENV@|env
N|WHOIS_CMD|@WHOIS@|whois
N|JQ_CMD|@JQ@|jq
N|HEAD_CMD|@HEAD@|head
N|TPUT_CMD|@TPUT@|tput
N|WGET_CMD|@WGET@|wget
N|SCREEN_CMD|@SCREEN@|screen
Y|IPRANGE_CMD|@IPRANGE@|iprange
!
status=$?
test $status -eq 0 || exit $status
RUNNING_ON_TERMINAL=0
if [ "z$1" = "z-nc" ]
then
@ -209,7 +168,7 @@ declare -A MARKS_MASKS='([connmark]="0x0000003f" [usermark]="0x00001fc0" )'
declare -A MARKS_MAX='([connmark]="63" [usermark]="127" )'
declare -A MARKS_SHIFT='([connmark]="0" [usermark]="6" )'
FIREHOL_SPOOL_DIR="${FIREHOL_SPOOL_DIR-/var/spool/firehol}"
FIREHOL_SPOOL_DIR="${FIREHOL_SPOOL_DIR-$LOCALSTATEDIR/spool/firehol}"
if [ -f "${FIREHOL_SPOOL_DIR}/marks.conf" ]
then
source "${FIREHOL_SPOOL_DIR}/marks.conf" || exit 1
@ -1888,7 +1847,7 @@ policy
# You can also have all the IPs in separate files:
# Run:
#
# ${PROGRAM_FILE} asips ONE_IP_OF_YOUR_PROVIDER_1 >$sysconfdir_POST/firehol/PROVIDER1_IPS
# ${PROGRAM_FILE} asips ONE_IP_OF_YOUR_PROVIDER_1 >$SYSCONFDIR/firehol/PROVIDER1_IPS
#
# Then:
rules dst loadfile PROVIDER1_IPS table dsl1
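Review bot: The new prologue sources `install.config` and `functions.common` from a directory named by the inherited environment variable FIREHOL_OVERRIDE_PROGRAM_DIR, and a few lines later the script calls common_require_root, so whoever can place that variable into root's environment (sudo env_keep, a cron environment file, a wrapper script) decides which shell code this root process executes; the same prologue is repeated in the update-ipsets and vnetbuild sections below. The commit message frames it as a test hook, so at minimum say that in the script — `# FIREHOL_OVERRIDE_PROGRAM_DIR is a test/packaging hook: it replaces the installed config and function library, so it must never be set in a root environment` — and it would be tighter to honour it only when the directory is owned by the running user, e.g. `if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" -a -O "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]`. Separately, `PROGRAM_FILE="$(/bin/readlink $0)"` resolves only one level of symlink and returns a relative target as written in the link, so `/usr/bin/dirname "$PROGRAM_FILE"` then points relative to the caller's working directory rather than the link's location; `$0` is also unquoted. Presumably `readlink -f -- "$0"` is what is wanted, given the scripts already require bash and Linux tooling.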


@ -56,7 +56,7 @@
# - update a kernel ipset, having the same name
#
# 5. It can commit all successfully updated files to a git repository.
# Just do 'git init' in $sysconfdir_POST/firehol/ipsets to enable it.
# Just do 'git init' in $SYSCONFDIR/firehol/ipsets to enable it.
# If it is called with -g it will also push the committed changes
# to a remote git server (to have this done by cron, please set
# git to automatically push changes without human action).
@ -80,31 +80,28 @@
# -----------------------------------------------------------------------------
VERSION='$Id$'
PROGRAM_FILE="${0}"
PROGRAM_DIR="${0%/*}"
if [ "$PROGRAM_DIR" = "$0" ]; then PROGRAM_DIR="."; fi
PROGRAM_FILE="$(/bin/readlink $0)"
PROGRAM_FILE="${PROGRAM_FILE:-$0}"
if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]
then
PROGRAM_DIR="${FIREHOL_OVERRIDE_PROGRAM_DIR}"
else
PROGRAM_DIR="$(/usr/bin/dirname "$PROGRAM_FILE")"
fi
PROGRAM_PWD="${PWD}"
declare -a PROGRAM_ORIGINAL_ARGS=("${@}")
# Start defaults before configure
prefix_POST=/usr
sysconfdir_POST=/etc
localstatedir_POST=/var
libdir_POST=$PROGRAM_DIR
# End defaults before configure
for functions_file in $libdir_POST/functions.common.sh
for functions_file in install.config functions.common
do
if [ -r $functions_file ]
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source $functions_file
source "$PROGRAM_DIR/$functions_file"
else
1>&2 echo "Cannot access $functions_file"
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
fi
done
FIREHOL_CONFIG_DIR="$sysconfdir_POST/firehol"
common_disable_localization || exit
common_private_umask || exit
@ -115,49 +112,6 @@ then
source "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
fi
common_load_commands $PROGRAM_FILE @AUTOCONF_RUN@ <<-!
Y|IPRANGE_CMD|@IPRANGE@|iprange
Y|DIRNAME_CMD|@DIRNAME@|dirname
Y|TAIL_CMD|@TAIL@|tail
Y|RENICE_CMD|@RENICE@|renice :
Y|ZCAT_CMD|@ZCAT@|zcat gzcat "gzip -dc"
Y|DATE_CMD|@DATE@|date
Y|DIFF_CMD|@DIFF@|diff
Y|FLOCK_CMD|@FLOCK@|flock
Y|GREP_CMD|@GREP@|grep
Y|EGREP_CMD|@EGREP@|egrep 'grep -E'
Y|CUT_CMD|@CUT@|cut
Y|CAT_CMD|@CAT@|cat
Y|SED_CMD|@SED@|sed
Y|TR_CMD|@TR@|tr
Y|LN_CMD|@LN@|ln
Y|LS_CMD|@LS@|ls
Y|TOUCH_CMD|@TOUCH@|touch
Y|LOGGER_CMD|@LOGGER@|logger
Y|MKDIR_CMD|@MKDIR@|mkdir
Y|CHOWN_CMD|@CHOWN@|chown
Y|CHMOD_CMD|@CHMOD@|chmod
Y|RM_CMD|@RM@|rm
Y|SORT_CMD|@SORT@|sort
Y|GAWK_CMD|@GAWK@|gawk awk
Y|MKTEMP_CMD|@MKTEMP@|mktemp
N|TPUT_CMD|@TPUT@|tput
Y|FOLD_CMD|@FOLD@|fold
Y|CURL_CMD|@CURL@|curl
Y|FIND_CMD|@FIND@|find
Y|WC_CMD|@WC@|wc
Y|MV_CMD|@MV@|mv
Y|CP_CMD|@CP@|cp
Y|TAR_CMD|@TAR@|tar
Y|IPSET_CMD|@IPSET@|ipset
N|UNZIP_CMD|@UNZIP@|unzip
N|FUNZIP_CMD|@FUNZIP@|funzip
N|JQ_CMD|@JQ@|jq
N|GIT_CMD|@GIT@|git
!
status=$?
test $status -eq 0 || exit $status
RUNNING_ON_TERMINAL=0
if [ "z$1" = "z-nc" ]
then
@ -311,12 +265,13 @@ ipset_verbose() {
# -----------------------------------------------------------------------------
# find a working iprange command
HAVE_IPRANGE=${IPRANGE_CMD}
if [ ! -z "${IPRANGE_CMD}" ]
then
${IPRANGE_CMD} --has-reduce 2>/dev/null || IPRANGE_CMD=
${IPRANGE_CMD} --has-reduce 2>/dev/null || HAVE_IPRANGE=
fi
if [ -z "${IPRANGE_CMD}" ]
if [ -z "$HAVE_IPRANGE" ]
then
error "Cannot find a working iprange command. It should be part of FireHOL but it is not installed."
exit 1
@ -325,16 +280,13 @@ fi
# -----------------------------------------------------------------------------
# CONFIGURATION
FIREHOL_SHARE_DIR="${FIREHOL_SHARE_DIR-/usr/share/firehol}"
FIREHOL_CONFIG_DIR="${FIREHOL_CONFIG_DIR-$sysconfdir_POST/firehol}"
if [ "${UID}" = "0" -o -z "${UID}" ]
then
BASE_DIR="${BASE_DIR-${FIREHOL_CONFIG_DIR}/ipsets}"
CONFIG_FILE="${CONFIG_FILE-${FIREHOL_CONFIG_DIR}/update-ipsets.conf}"
RUN_PARENT_DIR="${RUN_PARENT_DIR-/var/run}"
CACHE_DIR="${CACHE_DIR-/var/cache/update-ipsets}"
LIB_DIR="${LIB_DIR-/var/lib/update-ipsets}"
RUN_PARENT_DIR="${RUN_PARENT_DIR-$LOCALSTATEDIR/run}"
CACHE_DIR="${CACHE_DIR-$LOCALSTATEDIR/cache/update-ipsets}"
LIB_DIR="${LIB_DIR-$LOCALSTATEDIR/lib/update-ipsets}"
IPSETS_APPLY=1
else
$MKDIR_CMD -p "${HOME}/.update-ipsets" || exit 1
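Review bot: The CONFIGURATION hunk moves RUN_PARENT_DIR, CACHE_DIR and LIB_DIR onto `$LOCALSTATEDIR` but leaves `FIREHOL_SHARE_DIR="${FIREHOL_SHARE_DIR-/usr/share/firehol}"` with a literal path, even though install.config now exports it as `$DATAROOTDIR/firehol`; the fallback is effectively dead once install.config is sourced, but as written it silently disagrees with a `--datarootdir` that is not /usr/share, so it should read `FIREHOL_SHARE_DIR="${FIREHOL_SHARE_DIR-$DATAROOTDIR/firehol}"` to match its neighbours. The HAVE_IPRANGE change is fine as far as the hunk shows: the command variable is no longer cleared on a failed probe, and the error path is reached from the new flag instead.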


@ -25,31 +25,28 @@
# See the file COPYING for details.
#
VERSION='$Id$'
PROGRAM_FILE="${0}"
PROGRAM_DIR="${0%/*}"
if [ "$PROGRAM_DIR" = "$0" ]; then PROGRAM_DIR="."; fi
PROGRAM_FILE="$(/bin/readlink $0)"
PROGRAM_FILE="${PROGRAM_FILE:-$0}"
if [ -d "${FIREHOL_OVERRIDE_PROGRAM_DIR}" ]
then
PROGRAM_DIR="${FIREHOL_OVERRIDE_PROGRAM_DIR}"
else
PROGRAM_DIR="$(/usr/bin/dirname "$PROGRAM_FILE")"
fi
PROGRAM_PWD="${PWD}"
declare -a PROGRAM_ORIGINAL_ARGS=("${@}")
# Start defaults before configure
prefix_POST=/usr
sysconfdir_POST=/etc
localstatedir_POST=/var
libdir_POST=$PROGRAM_DIR
# End defaults before configure
for functions_file in $libdir_POST/functions.common.sh
for functions_file in install.config functions.common
do
if [ -r $functions_file ]
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source $functions_file
source "$PROGRAM_DIR/$functions_file"
else
1>&2 echo "Cannot access $functions_file"
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
fi
done
FIREHOL_CONFIG_DIR="$sysconfdir_POST/firehol"
common_disable_localization || exit
marksreset() { :; }
@ -59,22 +56,6 @@ then
source "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
fi
common_load_commands $PROGRAM_FILE @AUTOCONF_RUN@ <<-!
Y|IP_CMD|@IP@|ip
Y|BRIDGE_CMD|@BRIDGE@|bridge
Y|GREP_CMD|@GREP@|grep
Y|FIND_CMD|@FIND@|find
Y|SH_CMD|@SH@|sh bash ksh
Y|CUT_CMD|@CUT@|cut
Y|CAT_CMD|@CAT@|cat
Y|SED_CMD|@SED@|sed
Y|TR_CMD|@TR@|tr
Y|SLEEP_CMD|@SLEEP@|sleep
Y|MKDIR_CMD|@MKDIR@|mkdir
Y|RM_CMD|@RM@|rm
Y|MKTEMP_CMD|@MKTEMP@|mktemp
N|NEATO_CMD|@NEATO@|neato
!
status=$?
test $status -eq 0 || exit $status


@ -1,6 +1,6 @@
#!/bin/sh
# Disable IPV4
cat - >> /etc/firehol/firehol-defaults.conf <<-END-DEFAULTS
cat - >> $MYTMP/firehol/firehol-defaults.conf <<-END-DEFAULTS
ENABLE_IPV4=0
END-DEFAULTS


@ -1,6 +1,6 @@
#!/bin/sh
# Disable IPV6
cat - >> /etc/firehol/firehol-defaults.conf <<-END-DEFAULTS
cat - >> $MYTMP/firehol/firehol-defaults.conf <<-END-DEFAULTS
ENABLE_IPV6=0
END-DEFAULTS


@ -40,6 +40,14 @@ then
haderror="Y"
fi
if [ ! -f ../sbin/install.config.in ]
then
echo "../sbin/install.config.in missing: run configure"
echo ""
haderror="Y"
fi
if [ "$haderror" -o $# -lt 1 ]
then
if [ "$haderror" ]
@ -54,23 +62,6 @@ then
exit 1
fi
# First set up our namespace so we can write where we need to
mount -t tmpfs tmpfs /etc/firehol || exit 1
mkdir /var/run/firehol || exit 1
mkdir /var/spool/firehol || exit 1
mkdir /var/run/firehol/webdir || exit 1
# Check the files are gone
if [ -f /etc/firehol/firehol.conf \
-o -f /etc/firehol/firehol-defaults.conf \
-o -f /etc/firehol/fireqos.conf \
-o -f /etc/firehol/link-balancer.conf \
-o -d /etc/firehol/services ]
then
echo "Namespace switch failed! Aborting!"
exit 1
fi
if [ ! -r /proc/net/ip_tables_names ]
then
echo "Faking /proc/net/ip_tables_names"
@ -88,8 +79,7 @@ then
echo >&2
exit 1
fi
ETCSAVE=/etc/firehol.save$$
export MYTMP
myexit() {
rm -f /var/run/firehol.lck
@ -104,6 +94,12 @@ trap myexit 0
TESTDIR=`pwd`/
export TESTDIR
# Force the programs to find our special configuration
export FIREHOL_OVERRIDE_PROGRAM_DIR=$MYTMP/prog
mkdir -p "$FIREHOL_OVERRIDE_PROGRAM_DIR"
sed -e "s#[@].*POST[@]#$MYTMP#" ../sbin/install.config.in > "$FIREHOL_OVERRIDE_PROGRAM_DIR/install.config"
cp ../sbin/functions.* "$FIREHOL_OVERRIDE_PROGRAM_DIR"
kcov=`which kcov 2> /dev/null`
if [ "$kcov" ]
then
@ -256,7 +252,7 @@ do
then
echo "Cannot determine program for $conf"
else
script=../sbin/${program}.in
script=../sbin/${program}
export script
total=$((total + 1))
@ -266,8 +262,8 @@ do
fi
# Define our configuration directory exactly as we want it
# note: we are running in a namespace with /etc/firehol as a tmpfs
rm -rf /etc/firehol/*
rm -rf $MYTMP/firehol
mkdir $MYTMP/firehol
# Default special cases:
# - egrep because /sbin/egrep makes use of PATH to find 'grep -E'
@ -276,7 +272,7 @@ do
# - LB_RUN_DIR + FIREQOS_LOCK_FILE + FIREQOS_DIR + RUN_PARENT_DIR etc.
# keep within our mounts
# - PATH reset to ensure it is off (some programs reset it)
cat > /etc/firehol/firehol-defaults.conf <<-!
cat > $MYTMP/firehol/firehol-defaults.conf <<-!
EGREP_CMD='/bin/grep -E'
LOGGER_CMD='/bin/echo logger:'
LB_RUN_DIR=/var/run/firehol/link-balancer
@ -296,7 +292,7 @@ do
"$pre_sh" "$conf"
else
# Or just take the defaults
mkdir -p /etc/firehol/services
mkdir -p $MYTMP/firehol/services
fi
# Run the script
@ -313,7 +309,7 @@ do
status=$?
;;
link-balancer|update-ipsets)
cp "$conf" /etc/firehol/${program}.conf
cp "$conf" $MYTMP/firehol/${program}.conf
$kcov "$script" > "$runlog" 2>&1 < /dev/null
status=$?
;;
@ -332,7 +328,7 @@ do
then
errors=$((errors + 1))
echo "Unexpected run error - check $runlog"
elif grep -q '\.in: line [0-9]*:' "$runlog"
elif grep -q ': line [0-9]*:' "$runlog"
then
errors=$((errors + 1))
echo "Unexpected runtime errors - check $runlog"
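Review bot: With the tmpfs namespace gone, every test path is now built from `$MYTMP`, and `rm -rf $MYTMP/firehol` in the per-test loop runs unguarded and unquoted; MYTMP is exported earlier in this script, but if it is ever empty or unset the line becomes `rm -rf /firehol` and the following `mkdir`/`cat >` lines write under `/`, so use `rm -rf "${MYTMP:?}/firehol"` (and quote the other `$MYTMP/...` uses) so the harness aborts instead. The sed that generates the override config, `sed -e "s#[@].*POST[@]#$MYTMP#" ...`, splices `$MYTMP` into the replacement text unescaped, so a temp directory containing `#`, `&` or `\` would corrupt or misdirect every *_POST value; since the directory is chosen by this script, documenting that constraint where MYTMP is created, or switching to an unlikely delimiter, is enough. The same unquoted `$MYTMP/firehol/firehol-defaults.conf` pattern appears in the two small pre-script sections above.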