Fixed: Program paths for function 'killproc' in initscripts for 'dhcp', 'dhcrelay', 'rngd' and 'snort'.
Added: Reload-section for 'snort'-init. 'snortctrl.c' was updated accordingly.
'snort' now can be reloaded through SIGHUP after automatic ruleset-updates, to provide seamless traffic inspection during a configuration change.
For details, see official Snort documentation (Chapter 2.9 / Page 174) at https://snort.org/documents/snort-users-manual
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- src/initscripts/system/dhcp | 2 +- src/initscripts/system/dhcrelay | 2 +- src/initscripts/system/rngd | 2 +- src/initscripts/system/snort | 127 ++++++++++++++++++++++++---------------- src/misc-progs/snortctrl.c | 6 +- 5 files changed, 84 insertions(+), 55 deletions(-)
diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp
index 2ae86db31..0462772b7 100644
--- a/src/initscripts/system/dhcp
+++ b/src/initscripts/system/dhcp
@@ -51,7 +51,7 @@ case "$1" in
 flush_chains
 boot_mesg "Stopping DHCP Server..."
- killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
+ killproc -p /var/run/dhcpd.pid /usr/sbin
 if [ "$(ps -A | grep " dhcpd")" != "" ] ; then
 # if fail use the hard way ...
 boot_mesg "Killing DHCP Server..."
diff --git a/src/initscripts/system/dhcrelay b/src/initscripts/system/dhcrelay
index 327a08465..060b94c45 100644
--- a/src/initscripts/system/dhcrelay
+++ b/src/initscripts/system/dhcrelay
@@ -31,7 +31,7 @@ case "${1}" in
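Review bot: The last argument to killproc is now the directory `/usr/sbin` rather than the daemon binary, here and in the dhcrelay and rngd hunks, and nothing at the call site says why a directory is the right value, so the next reader is likely to "correct" it back to `/usr/sbin/dhcpd`. A comment above the call such as `# killproc takes the directory holding the daemon binary, not the binary itself (see killproc in the bootscript functions)` would record the contract this fix relies on; the functions file is not in this diff, so the wording should be checked against it. The stop branch of the case continues outside the hunk.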
 stop)
 boot_mesg "Stopping DHCP Relay..."
- killproc -p /var/run/dhcrelay.pid /usr/sbin/dhcrelay
+ killproc -p /var/run/dhcrelay.pid /usr/sbin
 ;;
 restart)
diff --git a/src/initscripts/system/rngd b/src/initscripts/system/rngd
index df4aa7da2..886b6a986 100644
--- a/src/initscripts/system/rngd
+++ b/src/initscripts/system/rngd
@@ -39,7 +39,7 @@ case "${1}" in
 stop)
 boot_mesg "Stopping Random Number Generator Daemon..."
- killproc -p /var/run/rngd.pid /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin
 ;;
 restart)
diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort
index 5c4304247..3037b662d 100644
--- a/src/initscripts/system/snort
+++ b/src/initscripts/system/snort
@@ -23,7 +23,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
 ALIASFILE="/var/ipfire/ethernet/aliases"
 case "$1" in
- start)
+ start)
 if [ "$BLUE_NETADDRESS" ]; then
 BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
 BLUE_IP="$BLUE_ADDRESS,"
@@ -87,58 +87,85 @@ case "$1" in
 echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
 fi
- for DEVICE in $DEVICES; do
- boot_mesg "Starting Intrusion Detection System on $DEVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
- evaluate_retval
+ for DEVICE in $DEVICES; do
+ boot_mesg "Starting Intrusion Detection System on $DEVICE..."
+ /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
+ evaluate_retval
 sleep 1
- chmod 644 /var/run/snort_$DEVICE.pid
- done
+ chmod 644 /var/run/snort_$DEVICE.pid
+ done
 ;;
- stop)
- DEVICES=""
- if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
- DEVICES+="$BLUE_DEV "
- fi
-
- if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
- DEVICES+="$GREEN_DEV "
- fi
-
- if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
- DEVICES+="$ORANGE_DEV "
- fi
-
- RED=`cat /var/ipfire/red/iface 2>/dev/null`
- if [ -r /var/run/snort_$RED.pid ]; then
- DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
- fi
-
- for DEVICE in $DEVICES; do
- boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
- killproc -p /var/run/snort_$DEVICE.pid /var/run
- done
-
- rm /var/run/snort_* >/dev/null 2>/dev/null
-
- # Don't report returncode of rm if snort was not started
- exit 0
- ;;
-
- status)
- statusproc /usr/sbin/snort
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ stop)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
+ killproc -p /var/run/snort_$DEVICE.pid /usr/sbin
+ done
+
+ rm /var/run/snort_* >/dev/null 2>/dev/null
+
+ # Don't report returncode of rm if snort was not started
+ exit 0
+ ;;
+
+ # Reloading snort through SIGHUP can be used after updating rulesets,
+ # to provide seamless traffic inspection during a configuration change. 
+ reload)
+ DEVICES=""
+ if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
+ DEVICES+="$BLUE_DEV "
+ fi
+
+ if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
+ DEVICES+="$GREEN_DEV "
+ fi
+
+ if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
+ DEVICES+="$ORANGE_DEV "
+ fi
+
+ RED=`cat /var/ipfire/red/iface 2>/dev/null`
+ if [ -r /var/run/snort_$RED.pid ]; then
+ DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+ fi
+
+ for DEVICE in $DEVICES; do
+ boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
+ /bin/kill -SIGHUP `cat /var/run/snort_$DEVICE.pid`
+ evaluate_retval
+ done
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/snort
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|reload|restart|status}"
+ exit 1
+ ;;
 esac
 chmod 644 /var/log/snort/* 2>/dev/null
diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/snortctrl.c
index 57025757c..138271dbb 100644
--- a/src/misc-progs/snortctrl.c
+++ b/src/misc-progs/snortctrl.c
@@ -19,7 +19,7 @@ int main(int argc, char *argv[]) {
 exit(1);
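Review bot: The new reload) branch passes whatever `cat /var/run/snort_$DEVICE.pid` prints straight to `/bin/kill -SIGHUP` without looking at it: if the file exists but is empty or not yet fully written (start only waits `sleep 1` before touching it), the command degrades to `kill -SIGHUP` with no target and evaluate_retval reports that rather than the reload, and a stale pid would be signalled even if it no longer belongs to snort. Reading the pid into a variable, accepting only digits and checking `/proc/$PID` before signalling keeps the SIGHUP on a live snort, as below. The four `-r /var/run/snort_*.pid` checks are now duplicated verbatim between stop) and reload) and would read better as one small function both branches call; stop) also lost the blank line between the BLUE and GREEN checks that reload) keeps, and the comment line ending in `change.` carries trailing whitespace. The enclosing `case "$1" in` opens before this hunk.
```shell
	# … unchanged: BLUE/GREEN/ORANGE/RED pidfile discovery into $DEVICES …
	for DEVICE in $DEVICES; do
		boot_mesg "Reloading Intrusion Detection System on $DEVICE..."
		PID=$(cat "/var/run/snort_$DEVICE.pid" 2>/dev/null)
		# Only signal a numeric, still-running pid: an empty or stale pidfile
		# must not turn into "kill -SIGHUP" with no target or hit another process.
		case "$PID" in
			''|*[!0-9]*) false ;;
			*) [ -d "/proc/$PID" ] && /bin/kill -SIGHUP "$PID" ;;
		esac
		evaluate_retval
	done
```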
 if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
 exit(1);
 }
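Review bot: The usage text `snortctrl (start|stop|reload|restart)` is now spelled out twice, in this hunk and again in the `Bad argument given` message of the second hunk, so every future subcommand has to be edited in both strings as well as the strcmp chain; a single `static const char usage[] = "snortctrl (start|stop|reload|restart)";` at file scope, printed with `fprintf(stderr, "\nNo argument given.\n\n%s\n\n", usage);` in both places, keeps the two messages from drifting. The reload arm itself mirrors the existing start/stop arms (fixed command string, exact strcmp on argv[1]), which is the right shape for a helper that runs with elevated rights, if that is how snortctrl is installed — the setup before line 19 is outside the hunk. main() starts and ends outside this hunk.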
@@ -27,10 +27,12 @@ int main(int argc, char *argv[]) {
 safe_system("/etc/rc.d/init.d/snort start");
 } else if (strcmp(argv[1], "stop") == 0) {
 safe_system("/etc/rc.d/init.d/snort stop");
+ } else if (strcmp(argv[1], "reload") == 0) {
+ safe_system("/etc/rc.d/init.d/snort reload");
 } else if (strcmp(argv[1], "restart") == 0) {
 safe_system("/etc/rc.d/init.d/snort restart");
 } else {
- fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|reload|restart)\n\n");
 exit(1);
 }