Implement WORKAROUNDS option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -388,16 +388,30 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	if [ -n "$WORKAROUNDS" ]; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+		cp -f ${VARDIR}/firewall $g_restorepath
-	    chmod +x $g_restorepath
+		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    echo "   Currently-running Configuration Saved to $g_restorepath"
+		chmod +x $g_restorepath
-	    run_user_exit save
+		echo "   Currently-running Configuration Saved to $g_restorepath"
+		run_user_exit save
+	    else
+		rm -f ${VARDIR}/restore-$$
+		echo "   ERROR: Currently-running Configuration Not Saved" >&2
+		status=1
+	    fi
 	else
-	    rm -f ${VARDIR}/restore-$$
+	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+		cp -f ${VARDIR}/firewall $g_restorepath
-	    status=1
+		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+		chmod +x $g_restorepath
+		echo "   Currently-running Configuration Saved to $g_restorepath"
+		run_user_exit save
+	    else
+		rm -f ${VARDIR}/restore-$$
+		echo "   ERROR: Currently-running Configuration Not Saved" >&2
+		status=1
+	    fi
 	fi
     else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
@@ -409,16 +423,25 @@ do_save() {
 	    resolve_arptables
 
 	    if [ -n "$arptables" ]; then
-	        #
+		if [ -n "$WORKAROUNDS" ]; then
-	        # 'sed' command is a hack to work around broken arptables_jf
+	            #
-	        #
+	            # 'sed' command is a hack to work around broken arptables_jf
-		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+	            #
-		    if grep -q '^-A' ${VARDIR}/restore-$$; then
+		    if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
-			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			if grep -q '^-A' ${VARDIR}/restore-$$; then
-		    else
+			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			rm -f ${VARDIR}/restore-$$
+			else
+			    rm -f ${VARDIR}/restore-$$
+			fi
+		    fi
+		else
+		    if ${arptables}-save > ${VARDIR}/restore-$$; then
+			if grep -q '^-A' ${VARDIR}/restore-$$; then
+			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			else
+			    rm -f ${VARDIR}/restore-$$
+			fi
 		    fi
-		fi
 	    else
 		case "$ARPTABLES" in
 		    */*)
@@ -457,21 +480,28 @@ do_save() {
 		esac
 
 		if [ -n "$IPSET" ]; then
-		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+		    if [ -n "$WORKAROUNDS" ]; then
-			#
+			if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			    #
-			#
+			    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-			hack='| grep -v /31'
+			    #
-		    else
+			    hack='| grep -v /31'
-			hack=
+			else
-		    fi
+			    hack=
+			fi
 
-		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+			if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-			#
+			    #
-			# Don't save an 'empty' file
+			    # Don't save an 'empty' file
-			#
+			    #
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			fi
 		    fi
+		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
+		    #
+		    # Don't save an 'empty' file
+		    #
+		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 		;;
 	    [Nn]o|ipv4|ipv6)
@@ -3619,6 +3649,19 @@ get_config() {
 	IPSET=''
     fi
 
+    if [ -n "$WORKAROUNDS" ]; then
+	case $WORKAROUNDS in
+	    [Yy]es)
+	        ;;
+	    [Nn]o)
+		WORKAROUNDS=''
+		;;
+	    *)
+		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
+		;;
+	esac
+    fi
+
     TC=tc
 
     IP=$(mywhich ip 2> /dev/null)

Shorewall/Perl/Shorewall/Chains.pm

@@ -8102,7 +8102,7 @@ sub create_save_ipsets() {
 		      "    done" ,
 		      '',
 		    );
-	    } else {
+	    } elsif ( $config{WORKAROUNDS} ) {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
@@ -8116,7 +8116,13 @@ sub create_save_ipsets() {
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
- 	    }
+	    } else {
+		emit ( 
+		       '',
+		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+	    }
 
 	    emit( "    return 0",
 		  '',
@@ -8161,9 +8167,9 @@ sub load_ipsets() {
     my @ipsets = all_ipsets;
 
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit ( '', );
+	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
-	       'local hack',
-	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',

Shorewall/Perl/Shorewall/Config.pm

@@ -301,7 +301,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY WORKAROUNDS/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -854,6 +854,7 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
+	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -5717,6 +5718,7 @@ sub get_configuration( $$$$$ ) {
     default_yes_no 'TRACK_RULES'                , '';
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
+    default_yes_no 'WORKAROUNDS'                , '';
 
     require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -2404,9 +2404,10 @@ sub compile_stop_firewall( $$$ ) {
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
-    local hack
 EOF
 
+    emit ( '    local hack' ) if $config{WORKAROUNDS};
+
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
 
     if ( $family == F_IPV4 ) {

Shorewall/lib.cli-std

@@ -324,6 +324,19 @@ get_config() {
 	    ;;
     esac
 
+    if [ -n "$WORKAROUNDS" ]; then
+	case $WORKAROUNDS in
+	    [Yy]es)
+	        ;;
+	    [Nn]o)
+		WORKAROUNDS=''
+		;;
+	    *)
+		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
+		;;
+	esac
+    fi
+
     g_loopback=$(find_loopback_interfaces)
 }