Add SAVE_COUNTERS option.

- Also implement recover command

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-10-30 08:57:56 -07:00
parent edc30fcc8d
commit 3454e10525
18 changed files with 153 additions and 5 deletions


@ -493,6 +493,8 @@ save_config() {
[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
[ -n "$SAVE_COUNTERS" ] && iptables_save="$iptables_save --counters"
if product_is_started ; then if product_is_started ; then
[ -d ${VARDIR} ] || mkdir -p ${VARDIR} [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@ -1624,6 +1626,11 @@ restore_command() {
g_noroutes=Yes g_noroutes=Yes
option=${option#n} option=${option#n}
;; ;;
p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
g_purge=Yes
option=${option%p}
;;
*) *)
usage 1 usage 1
;; ;;
@ -3576,9 +3583,10 @@ usage() # $1 = exit status
echo " logreject <address> ..." echo " logreject <address> ..."
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " reject <address> ..." echo " reject <address> ..."
echo " recover [ -n ] [ -p ]"
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]" echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ -p ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@ -3844,6 +3852,15 @@ shorewall_cli() {
shift shift
restart_command $@ restart_command $@
;; ;;
recover)
get_config Yes Yes
shift
if [ -n "$SAVE_COUNTERS" -a -f ${VARDIR}/${RESTOREFILE} ]; then
restore_command $@
else
start_command $@
fi
;;
disable|enable) disable|enable)
get_config Yes get_config Yes
if product_is_started; then if product_is_started; then
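Review bot: The `[ -n "$SAVE_COUNTERS" ]` tests in save_config and in the new `recover` case treat any non-empty value as enabled, yet the sample configs added by this commit ship `SAVE_COUNTERS=No`; unless get_config normalizes the option to empty for No (no such hunk is visible), `--counters` is appended and `recover` takes the restore path even when the user left the default. The compiler side goes through default_yes_no, so the shell side should apply the same Yes/No normalization get_config uses for its other boolean options and then test `[ "$SAVE_COUNTERS" = Yes ]`. Separately, the recover condition uses `-f ${VARDIR}/${RESTOREFILE}` while the new manpage text says the restore file must exist "and is executable"; `-x` would make the code match the documentation (or the documentation should say "exists"). The enclosing functions save_config, restore_command, usage and shorewall_cli all begin and end outside the visible hunks.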


@ -6521,7 +6521,7 @@ sub set_chain_variables() {
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
emit( 'IPTABLES_RESTORE="$IPTABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IPTABLES' ); emit( 'g_tool=$IPTABLES' );
} else { } else {
if ( $config{IP6TABLES} ) { if ( $config{IP6TABLES} ) {
@ -6536,7 +6536,7 @@ sub set_chain_variables() {
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
emit( 'IP6TABLES_RESTORE="$IP6TABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IP6TABLES' ); emit( 'g_tool=$IP6TABLES' );
} }
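Review bot: Folding `--counters` into IPTABLES_RESTORE (and IP6TABLES_RESTORE) turns a path variable into a command-plus-option string, so any later expansion that quotes it the way the preceding `-x` test does (`"$IPTABLES_RESTORE"`) would look for a program literally named `iptables-restore --counters`. If the generated script quotes the variable anywhere downstream (not visible here), keep the option in a separate variable instead of appending to the path. At minimum a short comment on the emitted line, e.g. `# IPTABLES_RESTORE now carries an option; callers must expand it unquoted`, would flag the changed contract. set_chain_variables starts and ends outside these hunks.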


@ -849,6 +849,7 @@ sub initialize( $;$$) {
REJECT_ACTION => undef, REJECT_ACTION => undef,
INLINE_MATCHES => undef, INLINE_MATCHES => undef,
BASIC_FILTERS => undef, BASIC_FILTERS => undef,
SAVE_COUNTERS => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -5661,6 +5662,7 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'TRACK_RULES' , ''; default_yes_no 'TRACK_RULES' , '';
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'SAVE_COUNTERS' , '';
require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS}; require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};


@ -214,6 +214,8 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Internal TC_ENABLED=Internal


@ -225,6 +225,8 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Internal TC_ENABLED=Internal


@ -222,6 +222,8 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Internal TC_ENABLED=Internal


@ -225,6 +225,8 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Internal TC_ENABLED=Internal


@ -214,6 +214,8 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Internal TC_ENABLED=Internal


@ -1669,12 +1669,13 @@ usage() # $1 = exit status
echo " noiptrace <ip6tables match expression>" echo " noiptrace <ip6tables match expression>"
fi fi
echo " recover [ -n ] [ -p ]"
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..." echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ -p ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
echo " safe-restart [ -t <timeout> ] [ <directory> ]" echo " safe-restart [ -t <timeout> ] [ <directory> ]"
echo " safe-start [ -t <timeout> ] [ <directory> ]" echo " safe-start [ -t <timeout> ] [ <directory> ]"


@ -2454,6 +2454,20 @@ INLINE - - - ; -j REJECT
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>When set to Yes, this option causes the <emphasis
role="bold">save</emphasis> and <emphasis
role="bold">restore</emphasis> commands to respectively save and
restore chain counters.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_ARPTABLES=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_ARPTABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>


@ -357,6 +357,18 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@ -452,7 +464,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restore</option></arg> <arg
choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
<arg><replaceable>filename</replaceable></arg> <arg><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
@ -1246,6 +1259,29 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">recover</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>If SAVE_COUNTERS=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and if
the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) exists
and is executable, then the command is the same as the <emphasis
role="bold">restore</emphasis> command. Otherwise, it is treated the
same as the <emphasis role="bold">start</emphasis> command.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">refresh</emphasis></term> <term><emphasis role="bold">refresh</emphasis></term>
@ -1420,6 +1456,14 @@
<emphasis>filename</emphasis> is given then Shorewall will be <emphasis>filename</emphasis> is given then Shorewall will be
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option, added in Shorewall 4.6.5,
causes the connection tracking table to be flushed; the
<command>conntrack</command> utility must be installed to use this
option.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -189,6 +189,8 @@ REQUIRE_INTERFACE=Yes
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=No TC_ENABLED=No


@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=No TC_ENABLED=No


@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=No TC_ENABLED=No


@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=No TC_ENABLED=No


@ -189,6 +189,8 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=No TC_ENABLED=No


@ -2122,6 +2122,20 @@ INLINE - - - ; -j REJECT
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>When set to Yes, this option causes the <emphasis
role="bold">save</emphasis> and <emphasis
role="bold">restore</emphasis> commands to respectively save and
restore chain counters.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis


@ -308,6 +308,18 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@ -1130,6 +1142,30 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">recover</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>If SAVE_COUNTERS=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
if the file specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
exists and is executable, then the command is the same as the
<emphasis role="bold">restore</emphasis> command. Otherwise, it is
treated the same as the <emphasis role="bold">start</emphasis>
command.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">refresh</emphasis></term> <term><emphasis role="bold">refresh</emphasis></term>