In detail, it's this piece of code (optionsfw.cgi, lines 72-95) which does the ‘Save and Restart’:
    if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) {
        if ($settings{'defpol'} ne '1'){
            $errormessage .= $Lang::tr{'new optionsfw later'};
            &General::writehash($filename, \%settings); # Save good settings
            system("/usr/local/bin/firewallctrl");
        }else{
            if ($settings{'POLICY'} ne ''){
                $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
            }
            if ($settings{'POLICY1'} ne ''){
                $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
            }
            my $MODE = $fwdfwsettings{'POLICY'};
            my $MODE1 = $fwdfwsettings{'POLICY1'};
            %fwdfwsettings = ();
            $fwdfwsettings{'POLICY'} = "$MODE";
            $fwdfwsettings{'POLICY1'} = "$MODE1";
            &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
            &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
            system("/usr/local/bin/firewallctrl");
            system("/etc/rc.d/init.d/firewall restart >/dev/null 2>&1 "); # <=== THIS IS NOT WORKING!
        }
        &General::readhash($filename, \%settings); # Load good settings
    }
It's nearly the same as the code from lines 48-70. I added just one line:
    /* This file is part of the IPFire Firewall.
     *
     * This program is distributed under the terms of the GNU General Public
     * Licence. See the file COPYING for details.
     *
     */
    #include <stdlib.h>
    #include "setuid.h"

    int main(void)
    {
        if (!(initsetuid()))
            exit(1);
        safe_system("/etc/rc.d/init.d/firewall restart");
        return 0;
    }
Same behavior. The ‘save’ command is OK, but ‘optionsfwctrl.c’ doesn’t
run from GUI. From a root console: OK.
Second suggestion…
I’ve looked at the code a few times but I am having a terrible time following it all (the existing firewall code, not your updated code).
I’m with you. It’s not easy…
The only “cheap and dirty” solution I can suggest is to copy the code segments from either this:
and have the user click Apply changes on the firewall.cgi page. It may not be the best way but it is the current and it is familiar…
The way I see it, this is not sufficient.
The problem is I can’t start a program from GUI which needs root
rights. In this case I need a complete restart of the firewall init
script, including ‘iptables’.
What I’m trying to achieve:
Open GUI, Pick your choices (Force DNS ON/OFF, whatever).
Write these settings to the settings file.
No problem until here.
Then I must run ‘/etc/rc.d/init.d/firewall restart’, including all
kinds of ‘iptables’ commands.
And this is where the trouble begins. I’m not allowed to do this from
GUI. I must be root to do this.
Workaround could be:
The CGI writes the settings file and a signal-file while another
process looks for the existence of this file and restarts the firewall.
Could perhaps be done with a minutely (or ‘cyclic’ = every five
minutes) cron job.
Something like:
    if exist FORCE_DNS_SIGNAL-file then;
        restart firewall and delete FORCE_DNS_SIGNAL-file.
    fi
I hadn’t much time in the last weeks, but I’m still at it…I have a few
ideas…
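The signal-file workaround described above, sketched as an added example that is not part of the original post or of IPFire's code: the root-side script a cron job would run. The flag path and the `nobody` owner are assumptions; the CGI would only create the empty flag file after writing the settings.

```shell
#!/bin/sh
# Added example: root-side half of the signal-file workaround, run from root's cron.
# FLAG and FLAG_OWNER are hypothetical placeholders, not IPFire's own names.
FLAG="${FLAG:-/path/to/firewall-restart.flag}"
FLAG_OWNER="${FLAG_OWNER:-nobody}"   # assumed account the web GUI's CGI runs as

# process_restart_flag FLAG OWNER COMMAND [ARGS...]
# Returns 0 restart done, 1 nothing requested, 2 flag rejected, 3 command failed.
process_restart_flag() {
    flag=$1; owner=$2; shift 2

    # No file and no dangling symlink: nothing was requested.
    [ -e "$flag" ] || [ -L "$flag" ] || return 1

    # Accept only a regular file owned by the expected account. find does not
    # follow symlinks by default, so a planted link fails the -type f test.
    if [ -z "$(find "$flag" -prune -type f -user "$owner" -print 2>/dev/null)" ]; then
        rm -f -- "$flag"   # unlinks the entry itself, never a link target
        return 2
    fi

    # Consume the request first, so a click made during the restart leaves a
    # fresh flag for the next run. The file's content is never read: its
    # existence is the only input that crosses the privilege boundary.
    rm -f -- "$flag" || return 2
    "$@" >/dev/null 2>&1 || return 3
    return 0
}

# Cron entry point. The command is fixed here and is the one from the thread.
rc=0
process_restart_flag "$FLAG" "$FLAG_OWNER" /etc/rc.d/init.d/firewall restart || rc=$?
[ "$rc" -le 1 ] || echo "firewall restart flag: status $rc" >&2
```

The directory holding the flag should be writable only by root and the CGI account, so no other local user can request restarts.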
I think it would need a new file in src/misc-progs - there doesn’t seem to be an existing file that does the firewall restart, but it’s easy enough to add a new one.
Hi Jon,
I just got your mail. So if I understand you correctly, you need a “Restart Firewall” button (which executes system('/etc/rc.d/init.d/firewall restart >/dev/null');) added to optionsfw.cgi?
Regards, Leo