***INCOMPLETE*** Partial implementation of stop handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5550 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-08-09 15:41:19 +02:00 · 2007-03-15 23:18:58 +00:00
parent 40535515d5
commit 0628dd8593
4 changed files with 324 additions and 252 deletions
--- a/New/prog.functions
+++ b/New/prog.functions
@ -16,251 +16,6 @@ delete_proxyarp() {
    rm -f ${VARDIR}/proxyarp
 }

-#
-# Stop/restore the firewall after an error or because of a "stop" or "clear" command
-#
-stop_firewall() {
-
-    deletechain() {
-	qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
-    }
-
-    deleteallchains() {
-	$IPTABLES -F
-	$IPTABLES -X
-    }
-
-    setcontinue() {
-	$IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    }
-
-    delete_nat() {
-	$IPTABLES -t nat -F
-	$IPTABLES -t nat -X
-
-	if [ -f ${VARDIR}/nat ]; then
-	    while read external interface; do
-		del_ip_addr $external $interface
-	    done < ${VARDIR}/nat
-
-	    rm -f ${VARDIR}/nat
-	fi
-    }
-
-    case $COMMAND in
-	stop|clear)
-	    ;;
-	*)
-	    set +x
-
-            case $COMMAND in
-	        start)
-	            logger -p kern.err "ERROR:$PRODUCT start failed"
-	            ;;
-	        restart)
-	            logger -p kern.err "ERROR:$PRODUCT restart failed"
-	            ;;
-	        restore)
-	            logger -p kern.err "ERROR:$PRODUCT restore failed"
-	            ;;
-            esac
-            
-            if [ "$RESTOREFILE" = NONE ]; then
-                COMMAND=clear
-                clear_firewall
-                echo "$PRODUCT Cleared"
-
-	        kill $$
-	        exit 2
-            else
-	        RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	        if [ -x $RESTOREPATH ]; then
-
-		    if [ -x ${RESTOREPATH}-ipsets ]; then
-		        progress_message2 Restoring Ipsets...
-		        #
-		        # We must purge iptables to be sure that there are no
-		        # references to ipsets
-		        #
-		        for table in mangle nat filter; do
-			    $IPTABLES -t $table -F
-			    $IPTABLES -t $table -X
-		        done
-
-		        ${RESTOREPATH}-ipsets
-		    fi
-
-		    echo Restoring ${PRODUCT:=Shorewall}...
-
-		    if $RESTOREPATH restore; then
-		        echo "$PRODUCT restored from $RESTOREPATH"
-		        set_state "Started"
-		    else
-		        set_state "Unknown"
-		    fi
-
-	            kill $$
-	            exit 2
-	        fi
-            fi
-	    ;;
-    esac
-
-    set_state "Stopping"
-
-    STOPPING="Yes"
-
-    TERMINATOR=
-
-    deletechain shorewall
-
-    determine_capabilities
-
-    run_stop_exit
-
-    if [ -n "$MANGLE_ENABLED" ]; then
-	run_iptables -t mangle -F
-	run_iptables -t mangle -X
-	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	    qt $IPTABLES -t mangle -P $chain ACCEPT
-	done
-    fi
-
-    if [ -n "$RAW_TABLE" ]; then
-	run_iptables -t raw -F
-	run_iptables -t raw -X
-	for chain in PREROUTING OUTPUT; do
-	    qt $IPTABLES -t raw -P $chain ACCEPT
-	done
-    fi
-
-    if [ -n "$NAT_ENABLED" ]; then
-	delete_nat
-	for chain in PREROUTING POSTROUTING OUTPUT; do
-	    qt $IPTABLES -t nat -P $chain ACCEPT
-	done
-    fi
-
-    delete_proxyarp
-
-    [ -n "$CLEAR_TC" ] && delete_tc1
-
-    [ -n "$DISABLE_IPV6" ] && disable_ipv6
-
-    undo_routing
-
-    restore_default_route
-    #
-    # Fixme -- CRITICALHOSTS handling broken
-    #
-    if [ -n "$CRITICALHOSTS" ]; then
-	if [ -z "$ADMINISABSENTMINDED" ]; then
-
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain ACCEPT
-	    done
-
-	    setpolicy FORWARD DROP
-
-	    deleteallchains
-		
-	    for host in $CRITICALHOSTS; do
-		interface=${host%:*}
-		networks=${host#*:}
-		$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-		$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-	    done
-
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain DROP
-	    done
-	else
-	    for chain in INPUT OUTPUT; do
-		setpolicy $chain ACCEPT
-	    done
-
-	    setpolicy FORWARD DROP
-
-	    deleteallchains
-
-	    for host in $CRITICALHOSTS; do
-		interface=${host%:*}
-		networks=${host#*:}
-		$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-		$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-	    done
-
-	    setpolicy INPUT DROP
-
-	    for chain in INPUT FORWARD; do
-		setcontinue $chain
-	    done
-	fi
-    elif [ -z "$ADMINISABSENTMINDED" ]; then
-	for chain in INPUT OUTPUT FORWARD; do
-	    setpolicy $chain DROP
-	done
-
-	deleteallchains
-    else
-	for chain in INPUT FORWARD; do
-	    setpolicy $chain DROP
-	done
-
-	setpolicy OUTPUT ACCEPT
-
-	deleteallchains
-
-	for chain in INPUT FORWARD; do
-	    setcontinue $chain
-	done
-    fi
-
-    $IPTABLES -A INPUT  -i lo -j ACCEPT
-
-    [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-    for interface in $DHCP_INTERFACES; do
-	$IPTABLES -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
-	[ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
-	#
-	# This might be a bridge
-	#
-	$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
-    done
-
-    case "$IP_FORWARDING" in
-	On|on|ON)
-	    echo 1 > /proc/sys/net/ipv4/ip_forward
-	    progress_message2 IP Forwarding Enabled
-	    ;;
-	Off|off|OFF)
-	    echo 0 > /proc/sys/net/ipv4/ip_forward
-	    progress_message2 IP Forwarding Disabled!
-	    ;;
-    esac
-
-    run_stopped_exit
-
-    set_state "Stopped"
-
-    logger -p kern.info "$PRODUCT Stopped"
-
-    case $COMMAND in
-    stop|clear)
-	;;
-    *)
-	#
-	# The firewall is being stopped when we were trying to do something
-	# else. Remove the lock file and Kill the shell in case we're in a
-	# subshell
-	#
-	kill $$
-	;;
-    esac
-}
-
 #
 # Set policy of chain $1 to $2
 #