* [PATCH] Initscripts: Fixes and updates
@ 2017-04-25 13:00 Matthias Fischer
From: Matthias Fischer @ 2017-04-25 13:00 UTC (permalink / raw)
To: development
Fixed:
Program paths for function 'killproc' in initscripts for 'dhcp', 'dhcrelay',
'rngd' and 'snort'.
Added:
Reload-section for 'snort'-init. 'snortctrl.c' was updated accordingly.
'snort' now can be reloaded through SIGHUP after automatic ruleset-updates,
to provide seamless traffic inspection during a configuration change.
For details, see official Snort documentation (Chapter 2.9 / Page 174) at
https://snort.org/documents/snort-users-manual
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
src/initscripts/system/dhcp | 2 +-
src/initscripts/system/dhcrelay | 2 +-
src/initscripts/system/rngd | 2 +-
src/initscripts/system/snort | 127 ++++++++++++++++++++++++----------------
src/misc-progs/snortctrl.c | 6 +-
5 files changed, 84 insertions(+), 55 deletions(-)
diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp
index 2ae86db31..0462772b7 100644
--- a/src/initscripts/system/dhcp
+++ b/src/initscripts/system/dhcp
@@ -51,7 +51,7 @@ case "$1" in
flush_chains
boot_mesg "Stopping DHCP Server..."
- killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
+ killproc -p /var/run/dhcpd.pid /usr/sbin
if [ "$(ps -A | grep " dhcpd")" != "" ] ; then
# if fail use the hard way ...
boot_mesg "Killing DHCP Server..."
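Review bot: The new `killproc -p /var/run/dhcpd.pid /usr/sbin` passes a directory where the LFS-style `killproc [-p pidfile] pathname` takes the program's full path; when the pidfile is missing or stale, `pidofproc` falls back to `pidof pathname`, and `/usr/sbin` never matches a running process, so killproc reports "not running" and the script silently relies on the `ps -A | grep " dhcpd"` hard-kill fallback below. If IPFire's `functions` really expects the directory here, that contract is not visible in this patch and should be stated at the call site, e.g. `# killproc wants the directory of the binary, see /etc/init.d/functions`; otherwise the original `/usr/sbin/dhcpd` was the correct argument. The `stop)` case continues beyond this hunk.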
diff --git a/src/initscripts/system/dhcrelay b/src/initscripts/system/dhcrelay
index 327a08465..060b94c45 100644
--- a/src/initscripts/system/dhcrelay
+++ b/src/initscripts/system/dhcrelay
@@ -31,7 +31,7 @@ case "${1}" in
stop)
boot_mesg "Stopping DHCP Relay..."
- killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay
+ killproc -p /var/run/dhcrelay.pid /usr/sbin
;;
restart)
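Review bot: `killproc -p /var/run/dhcrelay.pid /usr/sbin` hands killproc a directory instead of the program path, so if the pidfile is absent or stale the `pidof` fallback inside killproc cannot find dhcrelay and the daemon keeps running; unlike the dhcp script there is no hard-kill fallback here. Unless IPFire's killproc is documented to take the directory, keep `killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay`, or add a comment explaining the directory argument.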
diff --git a/src/initscripts/system/rngd b/src/initscripts/system/rngd
index df4aa7da2..886b6a986 100644
--- a/src/initscripts/system/rngd
+++ b/src/initscripts/system/rngd
@@ -39,7 +39,7 @@ case "${1}" in
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
- killproc -p /var/run/rngd.pid /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin
;;
restart)
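Review bot: `killproc -p /var/run/rngd.pid /usr/sbin` replaces the program path with its directory; with a missing or stale pidfile killproc's `pidof` fallback can never match rngd, and the `stop)` case has no other way to terminate it. If this is intentional it needs a comment at the call site; if not, `killproc -p /var/run/rngd.pid /usr/sbin/rngd` is the safer form.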
diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort
index 5c4304247..3037b662d 100644
--- a/src/initscripts/system/snort
+++ b/src/initscripts/system/snort
@@ -23,7 +23,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
ALIASFILE="/var/ipfire/ethernet/aliases"
case "$1" in
- start)
+ start)
if [ "$BLUE_NETADDRESS" ]; then
BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
BLUE_IP="$BLUE_ADDRESS,"
@@ -87,58 +87,85 @@ case "$1" in
echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
fi
- for DEVICE in $DEVICES; do
- boot_mesg "Starting Intrusion Detection System on $DEVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
- evaluate_retval
+ for DEVICE in $DEVICES; do
+ boot_mesg "Starting Intrusion Detection System on $DEVICE..."
+ /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
+ evaluate_retval
sleep 1
- chmod 644 /var/run/snort_$DEVICE.pid
- done
+ chmod 644 /var/run/snort_$DEVICE.pid
+ done
;;
- stop)
- DEVICES=""
- if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
- DEVICES+="$BLUE_DEV "
- fi
-
- if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
- DEVICES+="$GREEN_DEV "
- fi
-
- if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
- DEVICES+="$ORANGE_DEV "
- fi
-
- RED=`cat /var/ipfire/red/iface 2>/dev/null`
- if [ -r /var/run/snort_$RED.pid ]; then
- DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
- fi
-
- for DEVICE in $DEVICES; do
- boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
- killproc -p /var/run/snort_$DEVICE.pid /var/run
- done
-
- rm /var/run/snort_* >/dev/null 2>/dev/null
-
- # Don't report returncode of rm if snort was not started
- exit 0
- ;;
-
- status)
- statusproc /usr/sbin/snort
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ stop)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
+ killproc -p /var/run/snort_$DEVICE.pid /usr/sbin
+ done
+
+ rm /var/run/snort_* >/dev/null 2>/dev/null
+
+ # Don't report returncode of rm if snort was not started
+ exit 0
+ ;;
+
+ # Reloading snort through SIGHUP can be used after updating rulesets,
+ # to provide seamless traffic inspection during a configuration change.
+ reload)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
+ /bin/kill -SIGHUP `cat /var/run/snort_$DEVICE.pid`
+ evaluate_retval
+ done
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/snort
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|reload|restart|status}"
+ exit 1
+ ;;
esac
chmod 644 /var/log/snort/* 2>/dev/null
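Review bot: In the new `reload)` case, `/bin/kill -SIGHUP \`cat /var/run/snort_$DEVICE.pid\`` signals whatever the pidfile contains without checking that it is a number or that the PID still belongs to snort, so an empty file makes kill fail with a usage error and a stale or tampered pidfile (crash followed by PID reuse, or a file writable by a snort running with `-u`/`-g` from snort.conf, which is not visible here) sends SIGHUP to an unrelated process. The pidfiles are `chmod 644` at start, but ownership depends on whether snort drops privileges, so validating before signalling is cheap insurance; the proposal below uses `[[ =~ ]]`, which is acceptable since the script already relies on the bash-only `DEVICES+=`. Two smaller points: `stop)` now calls `killproc -p … /usr/sbin` while `status)` still uses `statusproc /usr/sbin/snort`, so the two cases disagree about the program path, and the pidfile-to-DEVICES discovery is copy-pasted between `stop)` and `reload)` and would be clearer as a `snort_devices()` helper (also reusing `$RED` instead of a second `cat /var/ipfire/red/iface`). It is also worth noting in the reload comment that Snort only does an in-place reload when started with the binary's full path, as this script does, and restarts otherwise.

```shell
	for DEVICE in $DEVICES; do
		boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
		# Only signal a PID that is numeric and still belongs to snort; an
		# empty, stale or tampered pidfile must not HUP an unrelated process.
		PID=$(head -n 1 "/var/run/snort_${DEVICE}.pid" 2>/dev/null)
		if [[ "$PID" =~ ^[0-9]+$ ]] && [ "$(cat "/proc/$PID/comm" 2>/dev/null)" = "snort" ]; then
			/bin/kill -HUP "$PID"
		else
			boot_mesg "Stale pidfile for Intrusion Detection System on $DEVICE, not reloading..."
			false
		fi
		evaluate_retval
	done
```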
diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/snortctrl.c
index 57025757c..138271dbb 100644
--- a/src/misc-progs/snortctrl.c
+++ b/src/misc-progs/snortctrl.c
@@ -19,7 +19,7 @@ int main(int argc, char *argv[]) {
exit(1);
if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
exit(1);
}
@@ -27,10 +27,12 @@ int main(int argc, char *argv[]) {
safe_system("/etc/rc.d/init.d/snort start");
} else if (strcmp(argv[1], "stop") == 0) {
safe_system("/etc/rc.d/init.d/snort stop");
+ } else if (strcmp(argv[1], "reload") == 0) {
+ safe_system("/etc/rc.d/init.d/snort reload");
} else if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/snort restart");
} else {
- fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
exit(1);
}
--
2.11.0