In order to do some custom stuff after starting shorewall, I found that I wanted a "started" hook, as well as the "start" one. This small patch adds it to the firewall script. I didn't include a started script in the patch but it can be copied from /etc/shorewall/start.

I hope this is useful to you,

Nick
On Fri, Apr 08, 2005 at 03:08:29PM +0100, Nick Leverton wrote:
> In order to do some custom stuff after starting shorewall, I found that
> I wanted a "started" hook, as well as the "start" one. This small patch
> adds it to the firewall script. I didn't include a started script in
> the patch but it can be copied from /etc/shorewall/start.

And here's the patch.

Nick (d'oh)

-------------- next part --------------
--- firewall.orig Tue Jan 25 21:25:43 2005 +++ firewall Wed Feb 16 00:29:24 2005 @@ -6609,6 +6609,8 @@ mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f $RESTOREBASE /var/lib/shorewall/restore-tail + run_user_exit started + } #
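Review bot: the `run_user_exit started` call added in this hunk runs while the firewall script still holds the lock file (Tom's point below: "The lock file is still owned by the current shell"), so a started script that shells out to `shorewall add` will wait on the lock unless it passes `nolock`; that constraint should be stated in a comment at the top of the skeleton `/etc/shorewall/started` file, which this patch does not include and which also needs adding to install.sh and shorewall.spec, as the thread goes on to note.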
Nick Leverton wrote:
> On Fri, Apr 08, 2005 at 03:08:29PM +0100, Nick Leverton wrote:
>> In order to do some custom stuff after starting shorewall, I found that
>> I wanted a "started" hook, as well as the "start" one. This small patch
>> adds it to the firewall script. I didn't include a started script in
>> the patch but it can be copied from /etc/shorewall/start.
>
> And here's the patch.

I'm curious what need this hook serves that the existing 'start' hook does not.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Apr 08, 2005 at 07:30:16AM -0700, Tom Eastep wrote:
> I'm curious what need this hook serves that the existing 'start' hook
> does not.

I'm manipulating the new dynamic zones (a very handy feature). 'start' was my first approach but the start hook is too early for that: the firewall is up but shorewall is still deep in its own internals, and the zones aren't yet initialised.

I want to make calls back to shorewall, to set up the dynamic zones from a database. At the 'started' location I can do that, if I use the 'nolock' flag which I discovered whilst debugging my first attempt. I submitted it because I thought other people may also have a use for a hook after shorewall is absolutely completely started.

I chose to do this rather than writing a wrapper script because it seemed neater - I can still say "shorewall stop" and "shorewall start" on that system just like I do elsewhere. I've got so many assorted wrapper scripts already that I lose track of when I'm supposed to use one rather than calling the programs directly!

Nick
Nick Leverton wrote:
> On Fri, Apr 08, 2005 at 07:30:16AM -0700, Tom Eastep wrote:
>
>> I'm curious what need this hook serves that the existing 'start' hook
>> does not.
>
> I'm manipulating the new dynamic zones (a very handy feature). 'start'
> was my first approach but the start hook is too early for that: the
> firewall is up but shorewall is still deep in its own internals, and
> the zones aren't yet initialised.

Nonsense.

> I want to make calls back to shorewall, to set up the dynamic zones from
> a database. At the 'started' location I can do that, if I use the
> 'nolock' flag which I discovered whilst debugging my first attempt.
> I submitted it because I thought other people may also have a use for
> a hook after shorewall is absolutely completely started.

But the patch you sent invokes the 'started' script just a few lines after the 'start' script and:

a) Nothing significant about the firewall state has changed in those few lines (the "shorewall" chain has been added is all -- that's what allows subsequent 'shorewall add' commands to sort of work).

b) The lock file is still owned by the current shell so I suspect that each of your 'add' commands is taking a long time.

So the point where you added your code is every bit as "deep in its own internals" as where the "start" script is called.

If you really want to add entries to dynamic zones, then I think that you should:

a) Use the 'start' hook.

b) Call "add_to_zone" directly.

    add_to_zone eth0:1.2.3.4 z1
    add_to_zone eth0:2.3.4.5 z1
    ...

That's much cleaner.

-Tom
Tom Eastep wrote:
> Nick Leverton wrote:
>> On Fri, Apr 08, 2005 at 07:30:16AM -0700, Tom Eastep wrote:
>
>> I want to make calls back to shorewall, to set up the dynamic zones from
>> a database. At the 'started' location I can do that, if I use the
>> 'nolock' flag which I discovered whilst debugging my first attempt.
>> I submitted it because I thought other people may also have a use for
>> a hook after shorewall is absolutely completely started.
>>
>
> b) The lock file is still owned by the current shell so I suspect that
> each of your 'add' commands is taking a long time.

I misread your first post -- you already discovered the locking problem and are using 'nolock' to get around it.

I'll include the patch in the next release (need to provide a skeleton file and put it in the install.sh and shorewall.spec files).

-Tom
On Fri, Apr 08, 2005 at 12:53:30PM -0700, Tom Eastep wrote:
> I misread your first post -- you already discovered the locking problem
> and are using 'nolock' to get around it.
>
> I'll include the patch in the next release (need to provide a skeleton
> file and put it in the install.sh and shorewall.spec files).

Thanks Tom. Re the location of the call, calling add from 'start' failed with "Shorewall not started".

Still, if it's safe to call add_to_zone directly it does sound cleaner, so I'll have a go. That might also speed up the dynamic maintenance when hosts come and go. Thanks.

Nick
Nick Leverton wrote:
> On Fri, Apr 08, 2005 at 12:53:30PM -0700, Tom Eastep wrote:
>
>> I misread your first post -- you already discovered the locking problem
>> and are using 'nolock' to get around it.
>>
>> I'll include the patch in the next release (need to provide a skeleton
>> file and put it in the install.sh and shorewall.spec files).
>
> Thanks Tom. Re the location of the call, calling add from 'start'
> failed with "Shorewall not started".
>
> Still, if it's safe to call add_to_zone directly it does sound cleaner,
> so I'll have a go. That might also speed up the dynamic maintenance
> when hosts come and go. Thanks.

add_to_zone may only be called from within hooks.

-Tom
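Putting Tom's two suggestions together (use the 'start' hook, call add_to_zone directly from it, and only from inside a hook), the following is an added example of what such a /etc/shorewall/start could look like. It is not code from the thread or from Shorewall. The record file path /etc/shorewall/dynamic-hosts and its one-record-per-line "interface:address zone" layout are assumptions; the add_to_zone calling convention is the one Tom shows (add_to_zone eth0:1.2.3.4 z1). Because add_to_zone only exists inside the firewall script, the hook detects it with command -v and otherwise uses a stand-in that prints what it would have run, so the validation logic can be exercised outside Shorewall. The point a practitioner should take from it: the records come from a database, not from the firewall configuration, so every field is checked before it is handed to a firewall command, and malformed records are skipped and reported rather than passed through.

```shell
#!/bin/sh
# /etc/shorewall/start -- added example hook, not code from the thread or
# from Shorewall. Loads "interface:address zone" records from a file (the
# path /etc/shorewall/dynamic-hosts is an assumption) and calls
# add_to_zone for each one. add_to_zone exists only inside Shorewall's
# hooks, so the command is taken from $ADD_TO_ZONE (default add_to_zone)
# to let the logic run stand-alone.

HOSTS_FILE=${HOSTS_FILE:-/etc/shorewall/dynamic-hosts}   # assumed path

# Interface name: non-empty; letters, digits, '_', '.' and '-' only (eth0, eth0.100).
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip            # split into octets; clobbers only this function's $@
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Zone name: non-empty; letters, digits and '_' only (z1, dmz).
valid_zone() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Read records from $1, validate each, and call $ADD_TO_ZONE for the good
# ones. Sets ADDED to the number of records accepted.
add_dynamic_hosts() {
    file=$1
    cmd=${ADD_TO_ZONE:-add_to_zone}
    ADDED=0
    while read -r host zone extra; do
        case "$host" in ''|'#'*) continue ;; esac      # blank or comment line
        iface=${host%%:*}
        addr=${host#*:}
        if [ -n "$extra" ] || [ "$iface" = "$host" ] \
           || ! valid_iface "$iface" || ! valid_ipv4 "$addr" \
           || ! valid_zone "$zone"; then
            echo "start hook: skipping invalid record: $host $zone $extra" >&2
            continue
        fi
        "$cmd" "$host" "$zone"
        ADDED=$((ADDED + 1))
    done < "$file"
}

# Stand-in for add_to_zone when running outside Shorewall.
print_add() {
    echo "would run: add_to_zone $1 $2"
}

# Constructed sample records (not real hosts); two are deliberately bad.
write_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# interface:address zone
eth0:1.2.3.4 z1
eth0:2.3.4.5 z1
eth1:10.0.0.300 z1
eth0:10.0.0.7;reboot z1
eth0:10.0.0.8 z1
EOF
    echo "$f"
}

if command -v add_to_zone >/dev/null 2>&1; then
    add_dynamic_hosts "$HOSTS_FILE"          # inside the firewall script
else
    ADD_TO_ZONE=print_add                    # stand-alone demonstration
    sample=$(write_sample_file)
    add_dynamic_hosts "$sample"
    rm -f "$sample"
fi
```

Run stand-alone, it accepts the three well-formed sample records and reports the two bad ones on stderr; installed as the start hook on a system where add_to_zone is defined, the same validation runs against the real record file and the real add_to_zone. Keeping the file-format checks this strict is what stops a stray field from a database export turning into an unexpected argument to the firewall commands add_to_zone runs.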
On Fri, Apr 08, 2005 at 02:30:00PM -0700, Tom Eastep wrote:
> Nick Leverton wrote:
>> Still, if it's safe to call add_to_zone directly it does sound cleaner,
>> so I'll have a go. That might also speed up the dynamic maintenance
>> when hosts come and go. Thanks.
>
> add_to_zone may only be called from within hooks.

Noted, thanks again.

Nick