From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] Initscripts: Fixes and updates
Date: Tue, 25 Apr 2017 15:00:10 +0200
Message-ID: <20170425130010.8547-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7386052061716299050=="
List-Id:
--===============7386052061716299050==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Fixed: Program paths for function 'killproc' in initscripts for 'dhcp', dhcrelay', 'rngd' and 'snort'.

Added: Reload-section for 'snort'-init. 'snortctrl.c' was updated accordingly.

'snort' now can be reloaded through SIGHUP after automatic ruleset-updates, to provide seamless traffic inspection during a configuration change.

For details, see official Snort documentation (Chapter 2.9 / Page 174) at https://snort.org/documents/snort-users-manual

Best,
Matthias

Signed-off-by: Matthias Fischer
---
 src/initscripts/system/dhcp | 2 +-
 src/initscripts/system/dhcrelay | 2 +-
 src/initscripts/system/rngd | 2 +-
 src/initscripts/system/snort | 127 ++++++++++++++++++++++++--------------= --
 src/misc-progs/snortctrl.c | 6 +-
 5 files changed, 84 insertions(+), 55 deletions(-)

diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp
index 2ae86db31..0462772b7 100644
--- a/src/initscripts/system/dhcp
+++ b/src/initscripts/system/dhcp
@@ -51,7 +51,7 @@ case "$1" in
 flush_chains
=20
 boot_mesg "Stopping DHCP Server..."
- killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
+ killproc -p /var/run/dhcpd.pid /usr/sbin
 if [ "$(ps -A | grep " dhcpd")" !=3D "" ] ; then
 # if fail use the hard way ...
 boot_mesg "Killing DHCP Server..."
diff --git a/src/initscripts/system/dhcrelay b/src/initscripts/system/dhcrelay
index 327a08465..060b94c45 100644
--- a/src/initscripts/system/dhcrelay
+++ b/src/initscripts/system/dhcrelay
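Review bot: The new `killproc -p /var/run/dhcpd.pid /usr/sbin` line passes a directory where the program argument used to be the daemon's executable path, and the dhcrelay and rngd hunks make the same change. If the init functions' `killproc` falls back to matching processes by the basename of that argument when the pidfile is missing or stale, the fallback would now look for a process named `sbin`, find nothing and leave the daemon running; this cannot be confirmed from the hunk and should be checked against the `killproc`/`pidofproc` implementation before merging. The commit message's "Fixed: Program paths" does not say what was wrong with `/usr/sbin/dhcpd`, and a sentence explaining it would help the next reader of this line. If only the pidfile is meant to be used, keeping `killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd` costs nothing and preserves any basename fallback.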
@@ -31,7 +31,7 @@ case "${1}" in
=20
 stop)
 boot_mesg "Stopping DHCP Relay..."
- killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay
+ killproc -p /var/run/dhcrelay.pid /usr/sbin
 ;;
=20
 restart)
diff --git a/src/initscripts/system/rngd b/src/initscripts/system/rngd
index df4aa7da2..886b6a986 100644
--- a/src/initscripts/system/rngd
+++ b/src/initscripts/system/rngd
@@ -39,7 +39,7 @@ case "${1}" in
=20
 stop)
 boot_mesg "Stopping Random Number Generator Daemon..."
- killproc -p /var/run/rngd.pid /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin
 ;;
=20
 restart)
diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort
index 5c4304247..3037b662d 100644
--- a/src/initscripts/system/snort
+++ b/src/initscripts/system/snort
@@ -23,7 +23,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
 ALIASFILE=3D"/var/ipfire/ethernet/aliases"
=20
 case "$1" in
- start)
+ start)
 if [ "$BLUE_NETADDRESS" ]; then
 BLUE_NET=3D"$BLUE_NETADDRESS/$BLUE_NETMASK,"
 BLUE_IP=3D"$BLUE_ADDRESS,"
@@ -87,58 +87,85 @@ case "$1" in
 echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
 fi
=20
- for DEVICE in $DEVICES; do
- boot_mesg "Starting Intrusion Detection System on $D= EVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE = -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
- evaluate_retval
+ for DEVICE in $DEVICES; do
+ boot_mesg "Starting Intrusion Detection System on $DEVICE..."
+ /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort = --create-pidfile --nolock-pidfile --pid-path /var/run
+ evaluate_retval
 sleep 1
- chmod 644 /var/run/snort_$DEVICE.pid
- done
+ chmod 644 /var/run/snort_$DEVICE.pid
+ done
 ;;
=20
- stop)
- DEVICES=3D""
- if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
- DEVICES+=3D"$BLUE_DEV "
- fi
- =20
- if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
- DEVICES+=3D"$GREEN_DEV "
- fi
- =20
- if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
- DEVICES+=3D"$ORANGE_DEV "
- fi
- =20
- RED=3D`cat /var/ipfire/red/iface 2>/dev/null`
- if [ -r /var/run/snort_$RED.pid ]; then
- DEVICES+=3D`cat /var/ipfire/red/iface 2>/dev/null`
- fi
- =20
- for DEVICE in $DEVICES; do
- boot_mesg "Stopping Intrusion Detection System on $DEVICE..= ."
- killproc -p /var/run/snort_$DEVICE.pid /var/run
- done
- =20
- rm /var/run/snort_* >/dev/null 2>/dev/null
-
- # Don't report returncode of rm if snort was not started
- exit 0
- ;;
- =20
- status)
- statusproc /usr/sbin/snort
- ;;
- =20
- restart)
- $0 stop
- $0 start
- ;;
- =20
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ stop)
+ DEVICES=3D""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+=3D"$BLUE_DEV "
+ fi
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+=3D"$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+=3D"$ORANGE_DEV "
+ fi
+
+ RED=3D`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=3D`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
+ killproc -p /var/run/snort_$DEVICE.pid /usr/sbin
+ done
+
+ rm /var/run/snort_* >/dev/null 2>/dev/null
+
+ # Don't report returncode of rm if snort was not started
+ exit 0
+ ;;
+
+ # Reloading snort through SIGHUP can be used after updating rulesets,
+ # to provide seamless traffic inspection during a configuration change.
+ reload)
+ DEVICES=3D""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+=3D"$BLUE_DEV "
+ fi
+
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+=3D"$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+=3D"$ORANGE_DEV "
+ fi
+
+ RED=3D`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=3D`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
+ /bin/kill -SIGHUP `cat /var/run/snort_$DEVICE.pid`
+ evaluate_retval
+ done
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/snort
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|reload|restart|status}"
+ exit 1
+ ;;
 esac
=20
 chmod 644 /var/log/snort/* 2>/dev/null
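Review bot: The new `reload)` branch runs `/bin/kill -SIGHUP \`cat /var/run/snort_$DEVICE.pid\`` without checking that the file holds a live pid, so an empty or stale pidfile (a crashed snort whose pid has since been reused) either fails noisily or sends SIGHUP to an unrelated process, whereas the `stop)` branch goes through `killproc` with the same pidfile. If the init functions' `killproc` accepts a signal as an optional trailing argument, `killproc -p /var/run/snort_$DEVICE.pid /usr/sbin HUP` would reuse its pid validation; otherwise the loop should at least refuse empty or dead pids and let `evaluate_retval` report the failure, as sketched below. The block that collects DEVICES from the four pidfiles is also duplicated verbatim between `stop)` and `reload)`; a small helper function defined above the `case` would keep the two copies from drifting. The copy also carried over re-reading `/var/ipfire/red/iface` into DEVICES instead of using the `$RED` assigned one line earlier.
```shell
		for DEVICE in $DEVICES; do
			boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
			# Never signal an empty or dead pid read from a stale pidfile;
			# a missing process makes the chain fail and evaluate_retval reports it.
			PID=$(cat /var/run/snort_$DEVICE.pid 2>/dev/null)
			[ -n "$PID" ] && [ -d "/proc/$PID" ] && /bin/kill -SIGHUP "$PID"
			evaluate_retval
		done
```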
diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/snortctrl.c
index 57025757c..138271dbb 100644
--- a/src/misc-progs/snortctrl.c
+++ b/src/misc-progs/snortctrl.c
@@ -19,7 +19,7 @@ int main(int argc, char *argv[]) {
 exit(1);
=20
 if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\= n");
+ fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|reload|rest= art)\n\n");
 exit(1);
 }
=20
@@ -27,10 +27,12 @@ int main(int argc, char *argv[]) {
 safe_system("/etc/rc.d/init.d/snort start");
 } else if (strcmp(argv[1], "stop") =3D=3D 0) {
 safe_system("/etc/rc.d/init.d/snort stop");
+ } else if (strcmp(argv[1], "reload") =3D=3D 0) {
+ safe_system("/etc/rc.d/init.d/snort reload");
 } else if (strcmp(argv[1], "restart") =3D=3D 0) {
 safe_system("/etc/rc.d/init.d/snort restart");
 } else {
- fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|reload|res= tart)\n\n");
+ fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|reload|res= tart)\n\n");
 exit(1);
 }
=20
--=20
2.11.0

--===============7386052061716299050==--
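Review bot: The accepted action list now lives in three places, the two usage literals (`No argument given` and `Bad argument given`) and the `strcmp` chain, and this commit had to edit all three to add one verb; the next addition that misses one will advertise a wrong usage line or silently reject a valid action. A table of accepted actions iterated with `strcmp` lets one `usage` string serve both messages and keeps the text handed to `safe_system` built from the table entry rather than from `argv[1]`, so the argument remains a strict whitelist as it is today. `main` begins and ends outside these hunks. A sketch of the dispatch follows; `snprintf` needs only the `<stdio.h>` that `fprintf` already implies.
```c
	static const char *const actions[] = { "start", "stop", "reload", "restart" };
	static const char usage[] = "snortctrl (start|stop|reload|restart)\n\n";
	/* … unchanged: argc < 2 check, now printing usage … */
	size_t i;
	for (i = 0; i < sizeof actions / sizeof actions[0]; i++) {
		if (strcmp(argv[1], actions[i]) == 0) {
			char cmd[64];
			/* the command text comes from the table entry, never from argv */
			snprintf(cmd, sizeof cmd, "/etc/rc.d/init.d/snort %s", actions[i]);
			safe_system(cmd);
			break;
		}
	}
	if (i == sizeof actions / sizeof actions[0]) {
		fprintf(stderr, "\nBad argument given.\n\n%s", usage);
		exit(1);
	}
```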