Attachment #309337 for bug #412429

Lines 18-24 Link Here

(-)ufw-0.31.1.orig/doc/ufw-framework.8 (-2 / +2 lines)
18	parameters and configuration of IPv6. The framework consists of the following	18	parameters and configuration of IPv6. The framework consists of the following
19	files:	19	files:
20	.TP	20	.TP
21	#STATE_PREFIX#/ufw\-init	21	#SHARE_DIR#/ufw\-init
22	initialization script	22	initialization script
23	.TP	23	.TP
24	#CONFIG_PREFIX#/ufw/before[6].rules	24	#CONFIG_PREFIX#/ufw/before[6].rules
Lines 41-47 Link Here
41		41
42	.SH "BOOT INITIALIZATION"	42	.SH "BOOT INITIALIZATION"
43	.PP	43	.PP
44	\fBufw\fR is started on boot with #STATE_PREFIX#/ufw\-init. This script is a	44	\fBufw\fR is started on boot with #SHARE_DIR#/ufw\-init. This script is a
45	standard SysV style initscript used by the \fBufw\fR command and should not be	45	standard SysV style initscript used by the \fBufw\fR command and should not be
46	modified. It supports the following arguments:	46	modified. It supports the following arguments:
47	.TP	47	.TP




on your needs, this can be as simple as adding the following to a startup
script (eg rc.local for systems that use it):

# /usr/share/ufw/ufw-init start

For systems that use SysV initscripts, an example script is provided in
doc/initscript.example. See doc/upstart.example for an Upstart example. Consult

/etc/defaults/ufw 		high level configuration
/etc/ufw/before[6].rules 	rules evaluated before UI added rules
/etc/ufw/after[6].rules 	rules evaluated after UI added rules
/etc/ufw/user/user[6].rules		UI added rules (not to be modified)
/etc/ufw/sysctl.conf 		kernel network tunables
/usr/share/ufw/ufw-init		start script


Usage

that the primary chains don't move around other non-ufw rules and chains. To
completely flush the built-in chains with this configuration, you can use:

# /usr/share/ufw/ufw-init flush-all

Alternately, ufw may also take full control of the firewall by setting
MANAGE_BUILTINS=yes in /etc/defaults/ufw. This will flush all the built-in


Remote Management
-----------------
On /usr/share/ufw/ufw-init start and 'ufw enable' the chains are flushed, so
ssh may drop. This is needed so ufw is in a consistent state. Once the ufw is
'enabled' it will insert rules into the existing chains, and therefore not
flush the chains (but will when modifying a rule or changing the default


Distributions
-------------
While it certainly ok to use /usr/share/ufw/ufw-init as the initscript for
ufw, this script is meant to be used by ufw itself, and therefore not
particularly user friendly. See doc/initscript.example for a simple
implementation that can be adapted to your distribution.




            return

        real_confdir = os.path.join('/etc')
        # real_statedir = os.path.join('/lib', 'ufw')
        real_statedir = os.path.join('/etc', 'ufw', 'user')
        real_prefix = self.prefix
        if self.home != None:
            real_confdir = self.home + real_confdir

        self.copy_file('doc/ufw.8', manpage)
        self.copy_file('doc/ufw-framework.8', manpage_f)

        # Install state files
        statedir = real_statedir
        if self.root != None:
            statedir = self.root + real_statedir

        self.copy_file('conf/user.rules', user_rules)
        self.copy_file('conf/user6.rules', user6_rules)

        # Install helper scripts
        sharedir = real_sharedir
        if self.root != None:
            sharedir = self.root + real_sharedir
        self.mkpath(sharedir)

        init_helper = os.path.join(sharedir, 'ufw-init')
        init_helper_functions = os.path.join(sharedir, 'ufw-init-functions')
        self.copy_file('src/ufw-init', init_helper)
        self.copy_file('src/ufw-init-functions', init_helper_functions)



            subprocess.call(["sed",
                             "-i",
                             "s%#SHARE_DIR#%" + real_sharedir + "%g",
                             file])

            subprocess.call(["sed",
                             "-i",
                             "s%#VERSION#%" + ufw_version + "%g",
                             file])

        # Install pristine copies of rules files
        #sharedir = real_sharedir
        #if self.root != None:
        #    sharedir = self.root + real_sharedir
        rulesdir = os.path.join(sharedir, 'iptables')
        self.mkpath(rulesdir)
        for file in [ before_rules, after_rules, \

Lines 22-28 Link Here

(-)ufw-0.31.1.orig/src/backend_iptables.py (-2 / +2 lines)
22	import sys	22	import sys
23	import time	23	import time
24		24
25	from ufw.common import UFWError, UFWRule, config_dir, state_dir	25	from ufw.common import UFWError, UFWRule, config_dir, share_dir, state_dir, prefix_dir
26	from ufw.util import warn, debug, msg, cmd, cmd_pipe	26	from ufw.util import warn, debug, msg, cmd, cmd_pipe
27	import ufw.backend	27	import ufw.backend
28		28
Lines 40-46 Link Here
40	files['rules6'] = os.path.join(state_dir, 'user6.rules')	40	files['rules6'] = os.path.join(state_dir, 'user6.rules')
41	files['before6_rules'] = os.path.join(config_dir, 'ufw/before6.rules')	41	files['before6_rules'] = os.path.join(config_dir, 'ufw/before6.rules')
42	files['after6_rules'] = os.path.join(config_dir, 'ufw/after6.rules')	42	files['after6_rules'] = os.path.join(config_dir, 'ufw/after6.rules')
43	files['init'] = os.path.join(state_dir, 'ufw-init')	43	files['init'] = os.path.join(share_dir, 'ufw-init')
44		44
45	ufw.backend.UFWBackend.__init__(self, "iptables", d, files)	45	ufw.backend.UFWBackend.__init__(self, "iptables", d, files)
46		46

Lines 18-25 Link Here

(-)ufw-0.31.1.orig/src/ufw-init (-3 / +3 lines)
18	#	18	#
19	set -e	19	set -e
20		20
21	if [ -s "#STATE_PREFIX#/ufw-init-functions" ]; then	21	if [ -s "#SHARE_DIR#/ufw-init-functions" ]; then
22	. "#STATE_PREFIX#/ufw-init-functions"	22	. "#SHARE_DIR#/ufw-init-functions"
23	else	23	else
24	echo "Could not find $s (aborting)"	24	echo "Could not find $s (aborting)"
25	exit 1	25	exit 1
Lines 56-62 Link Here
56	flush_builtins \|\| exit "$?"	56	flush_builtins \|\| exit "$?"
57	;;	57	;;
58	*)	58	*)
59	echo "Usage: #STATE_PREFIX#/ufw-init {start\|stop\|restart\|force-reload\|force-stop\|flush-all\|status}"	59	echo "Usage: #SHARE_DIR#/ufw-init {start\|stop\|restart\|force-reload\|force-stop\|flush-all\|status}"
60	exit 1	60	exit 1
61	;;	61	;;
62	esac	62	esac

Return to bug 412429

Lines 58-64 Link Here

(-)ufw-0.31.1.orig/README (-6 / +6 lines)
58	on your needs, this can be as simple as adding the following to a startup	58	on your needs, this can be as simple as adding the following to a startup
59	script (eg rc.local for systems that use it):	59	script (eg rc.local for systems that use it):
60		60
61	# /lib/ufw/ufw-init start	61	# /usr/share/ufw/ufw-init start
62		62
63	For systems that use SysV initscripts, an example script is provided in	63	For systems that use SysV initscripts, an example script is provided in
64	doc/initscript.example. See doc/upstart.example for an Upstart example. Consult	64	doc/initscript.example. See doc/upstart.example for an Upstart example. Consult
Lines 72-80 Link Here
72	/etc/defaults/ufw high level configuration	72	/etc/defaults/ufw high level configuration
73	/etc/ufw/before[6].rules rules evaluated before UI added rules	73	/etc/ufw/before[6].rules rules evaluated before UI added rules
74	/etc/ufw/after[6].rules rules evaluated after UI added rules	74	/etc/ufw/after[6].rules rules evaluated after UI added rules
75	/lib/ufw/user[6].rules UI added rules (not to be modified)	75	/etc/ufw/user/user[6].rules UI added rules (not to be modified)
76	/etc/ufw/sysctl.conf kernel network tunables	76	/etc/ufw/sysctl.conf kernel network tunables
77	/lib/ufw/ufw-init start script	77	/usr/share/ufw/ufw-init start script
78		78
79		79
80	Usage	80	Usage
Lines 149-155 Link Here
149	that the primary chains don't move around other non-ufw rules and chains. To	149	that the primary chains don't move around other non-ufw rules and chains. To
150	completely flush the built-in chains with this configuration, you can use:	150	completely flush the built-in chains with this configuration, you can use:
151		151
152	# /lib/ufw/ufw-init flush-all	152	# /usr/share/ufw/ufw-init flush-all
153		153
154	Alternately, ufw may also take full control of the firewall by setting	154	Alternately, ufw may also take full control of the firewall by setting
155	MANAGE_BUILTINS=yes in /etc/defaults/ufw. This will flush all the built-in	155	MANAGE_BUILTINS=yes in /etc/defaults/ufw. This will flush all the built-in
Lines 247-253 Link Here
247		247
248	Remote Management	248	Remote Management
249	-----------------	249	-----------------
250	On /lib/ufw/ufw-init start and 'ufw enable' the chains are flushed, so	250	On /usr/share/ufw/ufw-init start and 'ufw enable' the chains are flushed, so
251	ssh may drop. This is needed so ufw is in a consistent state. Once the ufw is	251	ssh may drop. This is needed so ufw is in a consistent state. Once the ufw is
252	'enabled' it will insert rules into the existing chains, and therefore not	252	'enabled' it will insert rules into the existing chains, and therefore not
253	flush the chains (but will when modifying a rule or changing the default	253	flush the chains (but will when modifying a rule or changing the default
Lines 290-296 Link Here
290		290
291	Distributions	291	Distributions
292	-------------	292	-------------
293	While it certainly ok to use /lib/ufw/ufw-init as the initscript for	293	While it certainly ok to use /usr/share/ufw/ufw-init as the initscript for
294	ufw, this script is meant to be used by ufw itself, and therefore not	294	ufw, this script is meant to be used by ufw itself, and therefore not
295	particularly user friendly. See doc/initscript.example for a simple	295	particularly user friendly. See doc/initscript.example for a simple
296	implementation that can be adapted to your distribution.	296	implementation that can be adapted to your distribution.

Lines 54-60 Link Here

(-)ufw-0.31.1.orig/setup.py (-7 / +19 lines)
54	return	54	return
55		55
56	real_confdir = os.path.join('/etc')	56	real_confdir = os.path.join('/etc')
57	real_statedir = os.path.join('/lib', 'ufw')	57	# real_statedir = os.path.join('/lib', 'ufw')
		58	real_statedir = os.path.join('/etc', 'ufw', 'user')
58	real_prefix = self.prefix	59	real_prefix = self.prefix
59	if self.home != None:	60	if self.home != None:
60	real_confdir = self.home + real_confdir	61	real_confdir = self.home + real_confdir
Lines 116-122 Link Here
116	self.copy_file('doc/ufw.8', manpage)	117	self.copy_file('doc/ufw.8', manpage)
117	self.copy_file('doc/ufw-framework.8', manpage_f)	118	self.copy_file('doc/ufw-framework.8', manpage_f)
118		119
119	# Install state files and helper scripts	120	# Install state files
120	statedir = real_statedir	121	statedir = real_statedir
121	if self.root != None:	122	if self.root != None:
122	statedir = self.root + real_statedir	123	statedir = self.root + real_statedir
Lines 127-134 Link Here
127	self.copy_file('conf/user.rules', user_rules)	128	self.copy_file('conf/user.rules', user_rules)
128	self.copy_file('conf/user6.rules', user6_rules)	129	self.copy_file('conf/user6.rules', user6_rules)
129		130
130	init_helper = os.path.join(statedir, 'ufw-init')	131	# Install helper scripts
131	init_helper_functions = os.path.join(statedir, 'ufw-init-functions')	132	sharedir = real_sharedir
		133	if self.root != None:
		134	sharedir = self.root + real_sharedir
		135	self.mkpath(sharedir)
		136
		137	init_helper = os.path.join(sharedir, 'ufw-init')
		138	init_helper_functions = os.path.join(sharedir, 'ufw-init-functions')
132	self.copy_file('src/ufw-init', init_helper)	139	self.copy_file('src/ufw-init', init_helper)
133	self.copy_file('src/ufw-init-functions', init_helper_functions)	140	self.copy_file('src/ufw-init-functions', init_helper_functions)
134		141
Lines 199-211 Link Here
199		206
200	subprocess.call(["sed",	207	subprocess.call(["sed",
201	"-i",	208	"-i",
		209	"s%#SHARE_DIR#%" + real_sharedir + "%g",
		210	file])
		211
		212	subprocess.call(["sed",
		213	"-i",
202	"s%#VERSION#%" + ufw_version + "%g",	214	"s%#VERSION#%" + ufw_version + "%g",
203	file])	215	file])
204		216
205	# Install pristine copies of rules files	217	# Install pristine copies of rules files
206	sharedir = real_sharedir	218	#sharedir = real_sharedir
207	if self.root != None:	219	#if self.root != None:
208	sharedir = self.root + real_sharedir	220	# sharedir = self.root + real_sharedir
209	rulesdir = os.path.join(sharedir, 'iptables')	221	rulesdir = os.path.join(sharedir, 'iptables')
210	self.mkpath(rulesdir)	222	self.mkpath(rulesdir)
211	for file in [ before_rules, after_rules, \	223	for file in [ before_rules, after_rules, \