From 3454e105255902a6268123abe1a3a56c61c91bfa Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 30 Oct 2014 08:57:56 -0700 Subject: [PATCH] Add SAVE_COUNTERS option. - Also implement recover command Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 19 +++++++- Shorewall/Perl/Shorewall/Chains.pm | 4 +- Shorewall/Perl/Shorewall/Config.pm | 2 + Shorewall/Samples/Universal/shorewall.conf | 2 + .../Samples/one-interface/shorewall.conf | 2 + .../Samples/three-interfaces/shorewall.conf | 2 + .../Samples/two-interfaces/shorewall.conf | 2 + Shorewall/configfiles/shorewall.conf | 2 + Shorewall/lib.cli-std | 3 +- Shorewall/manpages/shorewall.conf.xml | 14 ++++++ Shorewall/manpages/shorewall.xml | 46 ++++++++++++++++++- Shorewall6/Samples6/Universal/shorewall6.conf | 2 + .../Samples6/one-interface/shorewall6.conf | 2 + .../Samples6/three-interfaces/shorewall6.conf | 2 + .../Samples6/two-interfaces/shorewall6.conf | 2 + Shorewall6/configfiles/shorewall6.conf | 2 + Shorewall6/manpages/shorewall6.conf.xml | 14 ++++++ Shorewall6/manpages/shorewall6.xml | 36 +++++++++++++++ 18 files changed, 153 insertions(+), 5 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 6b7ad6e5a..5667807c0 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -493,6 +493,8 @@ save_config() { [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 + [ -n "$SAVE_COUNTERS" ] && iptables_save="$iptables_save --counters" + if product_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} @@ -1624,6 +1626,11 @@ restore_command() { g_noroutes=Yes option=${option#n} ;; + p*) + [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" + g_purge=Yes + option=${option%p} + ;; *) usage 1 ;; @@ -3576,9 +3583,10 @@ usage() # $1 = exit status echo " logreject
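Review bot: The new guard in save_config() tests `[ -n "$SAVE_COUNTERS" ]`, which is true for the value `No` that every sample shorewall.conf in this commit sets, so `--counters` would be appended whenever the option is present at all rather than only when it is Yes — assuming get_config sources the .conf verbatim, since the `default_yes_no` normalisation added in Config.pm only reaches the compiled script. The `recover` case added to shorewall_cli() reuses the same `-n` test and has the same weakness. Test for an explicit Yes instead, e.g. `case "$SAVE_COUNTERS" in [Yy][Ee][Ss]) iptables_save="$iptables_save --counters" ;; esac`. The rest of save_config() lies outside the hunk.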
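Review bot: In the new `p*)` case of restore_command(), `option=${option%p}` strips a trailing p, while the sibling `n*)` case strips from the front with `${option#n}`; for a combined `-pn` the variable stays `pn`, the `p*)` pattern matches again and the surrounding option loop (outside the hunk) presumably never terminates. Use `option=${option#p}` like the other cases. The presence test `[ -n "$(which conntrack)" ]` is also fragile, because some `which` implementations print a diagnostic to stdout on failure; `command -v conntrack >/dev/null 2>&1 || fatal_error "..."` is the portable form. The enclosing loop and the rest of restore_command() are outside the hunk.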
..." echo " logwatch []" echo " reject
..." + echo " recover [ -n ] [ -p ]" echo " reset [ ... ]" echo " restart [ -n ] [ -p ] [ -f ] [ ]" - echo " restore [ -n ] [ ]" + echo " restore [ -n ] [ -p ] [ ]" echo " run [ ... ]" echo " save [ ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" @@ -3844,6 +3852,15 @@ shorewall_cli() { shift restart_command $@ ;; + recover) + get_config Yes Yes + shift + if [ -n "$SAVE_COUNTERS" -a -f ${VARDIR}/${RESTOREFILE} ]; then + restore_command $@ + else + start_command $@ + fi + ;; disable|enable) get_config Yes if product_is_started; then diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index d3ad1747e..2f435d828 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -6521,7 +6521,7 @@ sub set_chain_variables() { emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); - + emit( 'IPTABLES_RESTORE="$IPTABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS}; emit( 'g_tool=$IPTABLES' ); } else { if ( $config{IP6TABLES} ) { @@ -6536,7 +6536,7 @@ sub set_chain_variables() { emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); - + emit( 'IP6TABLES_RESTORE="$IP6TABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS}; emit( 'g_tool=$IP6TABLES' ); } diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 6eb9a90bd..88a510561 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -849,6 +849,7 @@ sub initialize( $;$$) { REJECT_ACTION => undef, INLINE_MATCHES => undef, BASIC_FILTERS => undef, + SAVE_COUNTERS => undef, # # Packet Disposition # 
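Review bot: The `recover` case in shorewall_cli() takes the restore path whenever `${VARDIR}/${RESTOREFILE}` passes `-f`, but the manpage text added in this same commit says that path is taken only when the file "exists and is executable"; an existing but non-executable restore file would therefore be handed to restore_command instead of falling back to start_command. Replace `-f ${VARDIR}/${RESTOREFILE}` with `-x "${VARDIR}/${RESTOREFILE}"` so the code matches the documented behaviour and the path is word-split safe. Whether RESTOREFILE is guaranteed to be set at this point depends on get_config, which is outside the hunk.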
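Review bot: After the new emit in set_chain_variables(), `$IPTABLES_RESTORE` in the generated script is no longer a path but a command followed by an argument, so it only works where the script expands it unquoted; the `-x` test emitted two lines above shows the variable is otherwise treated as a path, and any later `"$IPTABLES_RESTORE"` use or `-x` check in the generated code (not visible here) would break. Keeping the path intact and emitting the flag into a separate variable, e.g. a constructed `g_restore_opts`, that the call sites pass alongside the command avoids that, though the call sites are outside this hunk. The IP6TABLES_RESTORE hunk below has the same shape. set_chain_variables() continues outside both hunks.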
@@ -5661,6 +5662,7 @@ sub get_configuration( $$$$$ ) { default_yes_no 'TRACK_RULES' , ''; default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; + default_yes_no 'SAVE_COUNTERS' , ''; require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS}; diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 80db37da5..2bd7cdd41 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -214,6 +214,8 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 033a1323c..92452ef72 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -225,6 +225,8 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index b2877a3b2..a184fd443 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -222,6 +222,8 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index b28975409..b211c46a2 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -225,6 +225,8 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index ceae87b3b..c00b664ec 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf 
@@ -214,6 +214,8 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index 0226105d5..8c4769fb3 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -1669,12 +1669,13 @@ usage() # $1 = exit status echo " noiptrace " fi + echo " recover [ -n ] [ -p ]" echo " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " echo " reset [ ... ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ ]" - echo " restore [ -n ] [ ]" + echo " restore [ -n ] [ -p ] [ ]" echo " run [ ... ]" echo " safe-restart [ -t ] [ ]" echo " safe-start [ -t ] [ ]" diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 0a1325b31..3c3323217 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -2454,6 +2454,20 @@ INLINE - - - ; -j REJECT + + SAVE_COUNTERS=[Yes|No] + + + Added in Shorewall 4.6.5. + + When set to Yes, this option causes the save and restore commands to respectively save and + restore chain counters. + + + SAVE_ARPTABLES={Yes|No} diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 5377c6547..75784394c 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -357,6 +357,18 @@ expression + + shorewall + + | + + -options + + + + shorewall @@ -452,7 +464,8 @@ -options - + filename @@ -1246,6 +1259,29 @@ + + recover + + + Added in Shorewall 4.6.5. + + If SAVE_COUNTERS=Yes in shorewall.conf(5) and if + the file specified by the RESTOREFILE option in shorewall.conf(5) exists + and is executable, then the command is the same as the restore command. Otherwise, it is treated the + same as the start command. + + The option causes Shorewall to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + + refresh 
@@ -1420,6 +1456,14 @@ filename is given then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + + The option causes Shorewall to avoid + updating the routing table(s). + + The option, added in Shorewall 4.6.5, + causes the connection tracking table to be flushed; the + conntrack utility must be installed to use this + option. diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index d870d8341..c8eb7ded2 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -189,6 +189,8 @@ REQUIRE_INTERFACE=Yes RESTORE_ROUTEMARKS=Yes +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 03a3954da..409ff9807 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 5df52bc59..d50fe1ecc 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 59763bf2e..6d6e70d6e 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=No 
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index d02ad3658..afebc9e70 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes +SAVE_COUNTERS=No + SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index be535f1e4..2942ea93e 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -2122,6 +2122,20 @@ INLINE - - - ; -j REJECT + + SAVE_COUNTERS=[Yes|No] + + + Added in Shorewall 4.6.5. + + When set to Yes, this option causes the save and restore commands to respectively save and + restore chain counters. + + + SAVE_IPSETS={Yes| + + shorewall6 + + | + + -options + + + + shorewall6 @@ -1130,6 +1142,30 @@ + + recover + + + Added in Shorewall 4.6.5. + + If SAVE_COUNTERS=Yes in shorewall6.conf(5) and + if the file specified by the RESTOREFILE option in shorewall6.conf(5) + exists and is executable, then the command is the same as the + restore command. Otherwise, it is + treated the same as the start + command. + + The option causes Shorewall to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + + refresh