* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 21:01 +0200:
* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 16:44 +0200:
The idea:

    ssh $HOST $FIREWALL_START
    ssh $HOST $FIREWALL_WATCHERKILL
I implemented such a thing. It seems to be reliable and usable. First tests looked good. To share the results, here are some notes and details (some parts [...] cut):
Some recommendations:
- first, if the same script is used to start firewalling at
  bootup via rcinit (rc2.d/S04firewall or whatever), it's not a
  good idea to launch the watcher.
- second, I found an easy improvement: if the firewall
  "start" is finished, another signal is sent to the watcher. If
  the watcher detects that the script is finished (or died)
  before receiving this signal "DONE", it opens SSH immediately
  (SIGUSR1 is used to signal "DONE", SIGUSR2 is used to signal "OK").
  It's surprising what modern scripting is able to do. Anyway, it would
  be nicer to use Perl: faster and more robust and so on...
Updated code excerpts follow:

1. check if called by rcinit (I know it's trivial, but it requires some
testing, so here is my version:)

    BASENAME=${0##*/}                    # strip leading path from $0 (longest match)
    RCLINK=${BASENAME%%[SK][0-9][0-9]*}  # strip longest suffix matching "S04*"
    # RCLINK is empty if this matched
    if [ -z "$RCLINK" ] ; then
        RCLINK="yes"   # called as e.g. S04firewall via init
    else
        RCLINK="no"    # called by other name
    fi
2. modified launch_watcher, following condition check inserted:

    function launch_watcher()
    {
        [...]
        # check if called via rc.d/[SK]xxfirewall (by init)
        # in this case no watcher is needed
        if [ "$RCLINK" = "yes" ] ; then
            echo "[called by init --> no watcher session needed]"
            return
        fi
        [...old code...]
    }
3. new function watcher_done (which is like kill_watcher, but sends
SIGUSR1 and will not kill the watcher process with TERM):

    function watcher_done()
    {
        [...get PIDs via ps|awk or whatever...]
        # send USR1 ("DONE")
        for PID in $PIDS ; do
            kill -USR1 $PID
        done
    }
4. kill_watcher renamed to watcher_ok; modified:

    function watcher_ok()
    {
        # make sure we are the only instance except watchers:
        [...]
        # search for other instances (watchers)
        [...ps|awk or whatever...]
        # send USR2 ("OK")
        for PID in $PIDS ; do
            kill -USR2 $PID
        done
        [...ps|awk or kill -0 PID or whatever...]
        # send KILL if still alive
        [...]
    }
5. The improved watcher:

    function watcher()
    {
        DONE="no"
        function signal_handler_USR1()
        {
            echo "Watcher: Signal \"DONE\" caught."
            DONE="yes"   # remember this state
        }
        function signal_handler_USR2()
        {
            echo "Watcher: Signal \"OK\" caught --> Exiting."
            # maybe we got "OK" before "DONE"
            if [ "$DONE" != "yes" ] ; then
                echo "Warning, we are not DONE!"
            fi
            exit 0
        }
        [...]
        trap "signal_handler_USR1" SIGUSR1
        trap "signal_handler_USR2" SIGUSR2
        [...]
        # give firewall some time to set up rules
        for (( n=0 ; n
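The mail above breaks off mid-loop. What follows is an added, self-contained rendition of the same watcher pattern (rc.d-link detection, background watcher, DONE/OK signalling, fallback on timeout or premature death); it is example code written for this page, not Steffen's script. Two assumptions replace the elided parts: the watcher's PID is kept in a file instead of being found via ps|awk, and the "open SSH" fallback (open_ssh_fallback) only appends a line to a log file, where a real script would insert its accept rule for the SSH port. Function and variable names (is_rc_link, WATCHER_PIDFILE, FALLBACK_LOG) are this example's own.

```bash
#!/bin/bash
# Added example (not from the original mail): the firewall watcher pattern.
# Constructed assumptions: PID file instead of ps|awk, and a log-file
# placeholder instead of the real "open SSH" firewall rule.

WATCHER_PIDFILE="${WATCHER_PIDFILE:-/tmp/fw_watcher.$$.pid}"
FALLBACK_LOG="${FALLBACK_LOG:-/tmp/fw_watcher.$$.log}"

# 1. Were we invoked through an rc.d link such as S04firewall or K10firewall?
#    Returns 0 (true) for such names, 1 otherwise.
is_rc_link() {
    base=${1##*/}                     # strip leading directories
    rest=${base%%[SK][0-9][0-9]*}     # empty when the name starts with [SK]NN
    [ -z "$rest" ]
}

# Fallback taken when nobody confirms the new rules in time.
# Assumption: a real deployment inserts an accept rule for the SSH port here.
open_ssh_fallback() {
    echo "fallback: $1" >> "$FALLBACK_LOG"
}

# 5. The watcher. $1 = PID of the firewall script, $2 = timeout in seconds.
#    USR1 ("DONE") marks the script as finished, USR2 ("OK") ends the watcher.
#    Exit status: 0 = OK received, 1 = script died before DONE, 2 = timeout.
watcher() {
    parent=$1; timeout=$2; got_done=no; n=0
    trap 'got_done=yes' USR1
    trap 'exit 0' USR2
    while [ "$n" -lt "$timeout" ]; do
        sleep 1                       # pending traps run after each sleep
        n=$((n + 1))
        # script gone without ever sending DONE: open SSH right away
        if [ "$got_done" != yes ] && ! kill -0 "$parent" 2>/dev/null; then
            open_ssh_fallback "firewall script died before DONE"
            exit 1
        fi
    done
    open_ssh_fallback "no OK within ${timeout}s"
    exit 2
}

# 2. Start the watcher in the background unless init invoked us.
launch_watcher() {
    if is_rc_link "$0"; then
        echo "[called by init --> no watcher session needed]"
        return 0
    fi
    watcher "$$" "${1:-30}" &
    echo $! > "$WATCHER_PIDFILE"
}

# 3./4. Signal the watcher: DONE after the rules are loaded, OK once a fresh
#       SSH session has proven that we are not locked out.
watcher_done() { [ -f "$WATCHER_PIDFILE" ] && kill -s USR1 "$(cat "$WATCHER_PIDFILE")"; }
watcher_ok()   { [ -f "$WATCHER_PIDFILE" ] && kill -s USR2 "$(cat "$WATCHER_PIDFILE")"; }
```

Usage mirrors the mail: the firewall script calls launch_watcher at the top, loads its rules, calls watcher_done, and the operator then runs watcher_ok from a second SSH session; if that session never gets through, the watcher's timeout fires the fallback. Keeping the check "did OK arrive before the deadline" in a separate process is what makes the scheme safe against the script itself hanging or being killed.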