From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] Initscripts: Fixes and updates
Date: Tue, 25 Apr 2017 15:00:10 +0200 [thread overview]
Message-ID: <20170425130010.8547-1-matthias.fischer@ipfire.org> (raw)
Fixed:
Program paths for function 'killproc' in initscripts for 'dhcp', 'dhcrelay',
'rngd' and 'snort'.
Added:
Reload-section for 'snort'-init. 'snortctrl.c' was updated accordingly.
'snort' now can be reloaded through SIGHUP after automatic ruleset-updates,
to provide seamless traffic inspection during a configuration change.
For details, see official Snort documentation (Chapter 2.9 / Page 174) at
https://snort.org/documents/snort-users-manual
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
src/initscripts/system/dhcp | 2 +-
src/initscripts/system/dhcrelay | 2 +-
src/initscripts/system/rngd | 2 +-
src/initscripts/system/snort | 127 ++++++++++++++++++++++++----------------
src/misc-progs/snortctrl.c | 6 +-
5 files changed, 84 insertions(+), 55 deletions(-)
diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp
index 2ae86db31..0462772b7 100644
--- a/src/initscripts/system/dhcp
+++ b/src/initscripts/system/dhcp
@@ -51,7 +51,7 @@ case "$1" in
flush_chains
boot_mesg "Stopping DHCP Server..."
- killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
+ killproc -p /var/run/dhcpd.pid /usr/sbin
if [ "$(ps -A | grep " dhcpd")" != "" ] ; then
# if fail use the hard way ...
boot_mesg "Killing DHCP Server..."
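Review bot: The new killproc argument `/usr/sbin` is a directory, not the daemon's program path, so the call now depends entirely on `-p /var/run/dhcpd.pid`; if the init functions fall back to finding the process by the basename of that argument when the pidfile is missing or stale, they would look for a process named `sbin` and never match. The same directory argument appears in the dhcrelay and rngd hunks and in the snort `stop)` loop of this series. Because the description calls this a "fix", the reason a directory satisfies killproc should be recorded next to the call, e.g. `# NOTE: directory instead of binary on purpose; killproc is expected to use the -p pidfile only - confirm against the init functions`, so the next maintainer does not revert it. The enclosing `stop)` case begins outside the hunk.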
diff --git a/src/initscripts/system/dhcrelay b/src/initscripts/system/dhcrelay
index 327a08465..060b94c45 100644
--- a/src/initscripts/system/dhcrelay
+++ b/src/initscripts/system/dhcrelay
@@ -31,7 +31,7 @@ case "${1}" in
stop)
boot_mesg "Stopping DHCP Relay..."
- killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay
+ killproc -p /var/run/dhcrelay.pid /usr/sbin
;;
restart)
diff --git a/src/initscripts/system/rngd b/src/initscripts/system/rngd
index df4aa7da2..886b6a986 100644
--- a/src/initscripts/system/rngd
+++ b/src/initscripts/system/rngd
@@ -39,7 +39,7 @@ case "${1}" in
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
- killproc -p /var/run/rngd.pid /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin
;;
restart)
diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort
index 5c4304247..3037b662d 100644
--- a/src/initscripts/system/snort
+++ b/src/initscripts/system/snort
@@ -23,7 +23,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
ALIASFILE="/var/ipfire/ethernet/aliases"
case "$1" in
- start)
+ start)
if [ "$BLUE_NETADDRESS" ]; then
BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
BLUE_IP="$BLUE_ADDRESS,"
@@ -87,58 +87,85 @@ case "$1" in
echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
fi
- for DEVICE in $DEVICES; do
- boot_mesg "Starting Intrusion Detection System on $DEVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
- evaluate_retval
+ for DEVICE in $DEVICES; do
+ boot_mesg "Starting Intrusion Detection System on $DEVICE..."
+ /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
+ evaluate_retval
sleep 1
- chmod 644 /var/run/snort_$DEVICE.pid
- done
+ chmod 644 /var/run/snort_$DEVICE.pid
+ done
;;
- stop)
- DEVICES=""
- if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
- DEVICES+="$BLUE_DEV "
- fi
-
- if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
- DEVICES+="$GREEN_DEV "
- fi
-
- if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
- DEVICES+="$ORANGE_DEV "
- fi
-
- RED=`cat /var/ipfire/red/iface 2>/dev/null`
- if [ -r /var/run/snort_$RED.pid ]; then
- DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
- fi
-
- for DEVICE in $DEVICES; do
- boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
- killproc -p /var/run/snort_$DEVICE.pid /var/run
- done
-
- rm /var/run/snort_* >/dev/null 2>/dev/null
-
- # Don't report returncode of rm if snort was not started
- exit 0
- ;;
-
- status)
- statusproc /usr/sbin/snort
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ stop)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
+ killproc -p /var/run/snort_$DEVICE.pid /usr/sbin
+ done
+
+ rm /var/run/snort_* >/dev/null 2>/dev/null
+
+ # Don't report returncode of rm if snort was not started
+ exit 0
+ ;;
+
+ # Reloading snort through SIGHUP can be used after updating rulesets,
+ # to provide seamless traffic inspection during a configuration change.
+ reload)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
+ /bin/kill -SIGHUP `cat /var/run/snort_$DEVICE.pid`
+ evaluate_retval
+ done
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/snort
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|reload|restart|status}"
+ exit 1
+ ;;
esac
chmod 644 /var/log/snort/* 2>/dev/null
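Review bot: The new `reload)` branch signals whatever `cat /var/run/snort_$DEVICE.pid` prints without checking it, while `stop)` goes through killproc; an empty or truncated pidfile turns the command into `/bin/kill -SIGHUP` with no target, and a stale numeric pid (the file is only checked with `-r`, not for a live snort) would SIGHUP an unrelated process that reused the number, all running as root. The pid should be read into a variable, rejected unless it is purely numeric, and checked to belong to snort before the signal is sent, as sketched below. The four-way device enumeration is now copied verbatim between `stop)` and `reload)`; a small function such as `running_devices()` defined above the `case` would keep both branches in step. The `case "$1"` statement opens before the hunk.
```shell
	for DEVICE in $DEVICES; do
		boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
		PID=$(head -n 1 "/var/run/snort_$DEVICE.pid" 2>/dev/null)
		# Only accept a plain numeric pid; an empty or garbled file must not
		# become a signal with no target.
		case "$PID" in
			""|*[!0-9]*)
				boot_mesg "Invalid pidfile for $DEVICE, not reloading"
				continue
				;;
		esac
		# Guard against a stale pid that another process has reused.
		if [ "$(readlink "/proc/$PID/exe" 2>/dev/null)" != "/usr/sbin/snort" ]; then
			boot_mesg "Pid $PID for $DEVICE is not snort, not reloading"
			continue
		fi
		/bin/kill -SIGHUP "$PID"
		evaluate_retval
	done
```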
diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/snortctrl.c
index 57025757c..138271dbb 100644
--- a/src/misc-progs/snortctrl.c
+++ b/src/misc-progs/snortctrl.c
@@ -19,7 +19,7 @@ int main(int argc, char *argv[]) {
exit(1);
if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
exit(1);
}
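Review bot: The accepted verb list is now spelled out in two separate string literals, here and in the `Bad argument given` message of the second hunk, and this commit had to edit both in lockstep. A single `static const char usage[] = "snortctrl (start|stop|reload|restart)\n\n";` above main, printed with `fprintf(stderr, "\nNo argument given.\n\n%s", usage);` here and `fprintf(stderr, "\nBad argument given.\n\n%s", usage);` in the else branch, keeps the two from drifting the next time a verb is added. The new `reload` branch in the second hunk mirrors the existing ones and needs nothing further. main starts before this hunk and ends after the second one.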
@@ -27,10 +27,12 @@ int main(int argc, char *argv[]) {
safe_system("/etc/rc.d/init.d/snort start");
} else if (strcmp(argv[1], "stop") == 0) {
safe_system("/etc/rc.d/init.d/snort stop");
+ } else if (strcmp(argv[1], "reload") == 0) {
+ safe_system("/etc/rc.d/init.d/snort reload");
} else if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/snort restart");
} else {
- fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
exit(1);
}
--
2.11.0