mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-16 17:51:16 +01:00
Implement WORKAROUNDS option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
1bfae13f75
commit
019e49b481
@ -388,16 +388,30 @@ do_save() {
|
||||
status=0
|
||||
|
||||
if [ -f ${VARDIR}/firewall ]; then
|
||||
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/firewall $g_restorepath
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||
chmod +x $g_restorepath
|
||||
echo " Currently-running Configuration Saved to $g_restorepath"
|
||||
run_user_exit save
|
||||
if [ -n "$WORKAROUNDS" ]; then
|
||||
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/firewall $g_restorepath
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||
chmod +x $g_restorepath
|
||||
echo " Currently-running Configuration Saved to $g_restorepath"
|
||||
run_user_exit save
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved" >&2
|
||||
status=1
|
||||
fi
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved" >&2
|
||||
status=1
|
||||
if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/firewall $g_restorepath
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||
chmod +x $g_restorepath
|
||||
echo " Currently-running Configuration Saved to $g_restorepath"
|
||||
run_user_exit save
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved" >&2
|
||||
status=1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo " ERROR: ${VARDIR}/firewall does not exist" >&2
|
||||
@ -409,16 +423,25 @@ do_save() {
|
||||
resolve_arptables
|
||||
|
||||
if [ -n "$arptables" ]; then
|
||||
#
|
||||
# 'sed' command is a hack to work around broken arptables_jf
|
||||
#
|
||||
if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
|
||||
if grep -q '^-A' ${VARDIR}/restore-$$; then
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
if [ -n "$WORKAROUNDS" ]; then
|
||||
#
|
||||
# 'sed' command is a hack to work around broken arptables_jf
|
||||
#
|
||||
if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
|
||||
if grep -q '^-A' ${VARDIR}/restore-$$; then
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if ${arptables}-save > ${VARDIR}/restore-$$; then
|
||||
if grep -q '^-A' ${VARDIR}/restore-$$; then
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
else
|
||||
case "$ARPTABLES" in
|
||||
*/*)
|
||||
@ -457,21 +480,28 @@ do_save() {
|
||||
esac
|
||||
|
||||
if [ -n "$IPSET" ]; then
|
||||
if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
|
||||
#
|
||||
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
|
||||
#
|
||||
hack='| grep -v /31'
|
||||
else
|
||||
hack=
|
||||
fi
|
||||
if [ -n "$WORKAROUNDS" ]; then
|
||||
if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
|
||||
#
|
||||
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
|
||||
#
|
||||
hack='| grep -v /31'
|
||||
else
|
||||
hack=
|
||||
fi
|
||||
|
||||
if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
|
||||
#
|
||||
# Don't save an 'empty' file
|
||||
#
|
||||
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
|
||||
if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
|
||||
#
|
||||
# Don't save an 'empty' file
|
||||
#
|
||||
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
|
||||
fi
|
||||
fi
|
||||
elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
|
||||
#
|
||||
# Don't save an 'empty' file
|
||||
#
|
||||
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
|
||||
fi
|
||||
;;
|
||||
[Nn]o|ipv4|ipv6)
|
||||
@ -3619,6 +3649,19 @@ get_config() {
|
||||
IPSET=''
|
||||
fi
|
||||
|
||||
if [ -n "$WORKAROUNDS" ]; then
|
||||
case $WORKAROUNDS in
|
||||
[Yy]es)
|
||||
;;
|
||||
[Nn]o)
|
||||
WORKAROUNDS=''
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
TC=tc
|
||||
|
||||
IP=$(mywhich ip 2> /dev/null)
|
||||
|
||||
@ -8102,7 +8102,7 @@ sub create_save_ipsets() {
|
||||
" done" ,
|
||||
'',
|
||||
);
|
||||
} else {
|
||||
} elsif ( $config{WORKAROUNDS} ) {
|
||||
emit ( '' ,
|
||||
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
||||
' #',
|
||||
@ -8116,7 +8116,13 @@ sub create_save_ipsets() {
|
||||
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
||||
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
|
||||
' fi' );
|
||||
}
|
||||
} else {
|
||||
emit (
|
||||
'',
|
||||
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
|
||||
' fi' );
|
||||
}
|
||||
|
||||
emit( " return 0",
|
||||
'',
|
||||
@ -8161,9 +8167,9 @@ sub load_ipsets() {
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
|
||||
emit ( '', );
|
||||
emit ( 'local hack' ) if $config{WORKAROUNDS};
|
||||
emit ( '',
|
||||
'local hack',
|
||||
'',
|
||||
'case $IPSET in',
|
||||
' */*)',
|
||||
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
||||
|
||||
@ -301,7 +301,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
|
||||
#
|
||||
# Config options and global settings that are to be copied to output script
|
||||
#
|
||||
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
|
||||
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY WORKAROUNDS/;
|
||||
#
|
||||
# From parsing the capabilities file or detecting capabilities
|
||||
#
|
||||
@ -854,6 +854,7 @@ sub initialize( $;$$) {
|
||||
REJECT_ACTION => undef,
|
||||
INLINE_MATCHES => undef,
|
||||
BASIC_FILTERS => undef,
|
||||
WORKAROUNDS => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -5717,6 +5718,7 @@ sub get_configuration( $$$$$ ) {
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
default_yes_no 'BASIC_FILTERS' , '';
|
||||
default_yes_no 'WORKAROUNDS' , '';
|
||||
|
||||
require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
|
||||
|
||||
|
||||
@ -2404,9 +2404,10 @@ sub compile_stop_firewall( $$$ ) {
|
||||
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
||||
#
|
||||
stop_firewall() {
|
||||
local hack
|
||||
EOF
|
||||
|
||||
emit ( ' local hack' ) if $config{WORKAROUNDS};
|
||||
|
||||
$output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
|
||||
@ -324,6 +324,19 @@ get_config() {
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$WORKAROUNDS" ]; then
|
||||
case $WORKAROUNDS in
|
||||
[Yy]es)
|
||||
;;
|
||||
[Nn]o)
|
||||
WORKAROUNDS=''
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
g_loopback=$(find_loopback_interfaces)
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user