From 3903fe5fd9b82d66705c3190556073019610b8d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 7 Feb 2018 12:20:04 -0800 Subject: [PATCH] Remove the 'refresh' command Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 2 - Shorewall-core/manpages/shorewall.xml | 75 +--------- Shorewall/Perl/Shorewall/Chains.pm | 155 +-------------------- Shorewall/Perl/Shorewall/Compiler.pm | 50 +------ Shorewall/Perl/Shorewall/Config.pm | 2 - Shorewall/Perl/Shorewall/Misc.pm | 3 - Shorewall/Perl/Shorewall/Providers.pm | 2 +- Shorewall/Perl/Shorewall/Zones.pm | 2 +- Shorewall/lib.cli-std | 131 +---------------- Shorewall/manpages/shorewall-tcdevices.xml | 2 +- Shorewall/manpages/shorewall.conf.xml | 15 +- 11 files changed, 20 insertions(+), 419 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index bd5de17b8..240a2d3f1 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -4293,7 +4293,6 @@ usage() # $1 = exit status echo " open [ [ ] ]" echo " reenable " - ecko " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." if [ -n "$g_lite" ]; then @@ -4397,7 +4396,6 @@ shorewall_cli() { g_use_verbosity= g_debug= g_export= - g_refreshchains=:none: g_confess= g_update= g_annotate= diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml index 8e13084e9..17aff8762 100644 --- a/Shorewall-core/manpages/shorewall.xml +++ b/Shorewall-core/manpages/shorewall.xml @@ -405,20 +405,6 @@ provider } - - shorewall[6] - - | - - options - - - - directory chain - - shorewall[6][-lite] @@ -1316,7 +1302,7 @@ by the compiled script that executed the last successful start, restart or refresh command if that script exists. + role="bold">reload command if that script exists. 
@@ -1773,63 +1759,6 @@ - - refresh [-] - [-] [-] [-i] [-directory ] [ - chain... ] - - - Not available with Shorewall[6]-lite. - - All steps performed by restart are - performed by refresh with the exception that - refresh only recreates the chains specified in - the command while restart recreates the entire - Netfilter ruleset. If no chain is given, - the static blacklisting chain blacklst is assumed. - - The listed chains are assumed to be in the filter table. You - can refresh chains in other tables by prefixing the chain name with - the table name followed by ":" (e.g., nat:net_dnat). Chain names - which follow are assumed to be in that table until the end of the - list or until an entry in the list names another table. Built-in - chains such as FORWARD may not be refreshed. - - The option was added in Shorewall 4.5.3 - causes Shorewall to avoid updating the routing table(s). - - The option was added in Shorewall 4.5.3 - causes the compiler to run under the Perl debugger. - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall.conf(5). - - The option was added in Shorewall 4.5.3 - and causes Shorewall to look in the given - directory first for configuration files. - - Example:shorewall refresh net2fw nat:net_dnat #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table - - The refresh command has - slightly different behavior. When no chain name is given to the - refresh command, the mangle table - is refreshed along with the blacklist chain (if any). This allows - you to modify /etc/shorewall/tcrules and - install the changes using refresh. - - - reject address 
@@ -2921,7 +2850,7 @@ by the compiled script that executed the last successful start, restart or refresh command if that script exists. + role="bold">reload command if that script exists. diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 4a8fd2ada..b25ed9b23 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8519,7 +8519,7 @@ sub save_dynamic_chains() { my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; - emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' ); + emit ( 'if [ "$COMMAND" = reload ]; then' ); push_indent; emit( 'if [ -n "$g_counters" ]; then' , @@ -8884,9 +8884,6 @@ sub create_load_ipsets() { emit ( 'elif [ "$COMMAND" = reload ]; then' ); ################### Reload Command #################### ensure_ipsets( @ipsets ); - - emit( 'elif [ "$COMMAND" = refresh ]; then' ); ################### Refresh Command ################### - ensure_ipsets( @ipsets ); }; emit ( 'fi' ); 
@@ -9161,156 +9158,6 @@ sub preview_netfilter_load() { print "\n"; } -# -# Generate the netfilter input for refreshing a list of chains -# -sub create_chainlist_reload($) { - - my $chains = $_[0]; - - my @chains; - - unless ( $chains eq ':none:' ) { - if ( $chains eq ':refresh:' ) { - $chains = ''; - } else { - @chains = split_list $chains, 'chain'; - } - - unless ( @chains ) { - @chains = qw( blacklst ) if $filter_table->{blacklst}; - push @chains, 'blackout' if $filter_table->{blackout}; - - for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) { - push @chains, $_->{name} if $_->{blacklistsection}; - } - - push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; - $chains = join( ',', @chains ) if @chains; - } - } - - $mode = NULL_MODE; - - emit( 'chainlist_reload()', - '{' - ); - - push_indent; - - if ( @chains ) { - my $word = @chains == 1 ? 'chain' : 'chains'; - - progress_message2 "Compiling iptables-restore input for $word @chains..."; - save_progress_message "Preparing iptables-restore input for $word @chains..."; - - emit ''; - - my $table = 'filter'; - - my %chains; - - my %tables; - - for my $chain ( @chains ) { - ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - - fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/; - - $chains{$table} = {} unless $chains{$table}; - - if ( $chain ) { - my $chainref; - fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain}; - fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin}; - - if ( $chainseq{$table} && @{$chainref->{rules}} ) { - $tables{$table} = 1; - } else { - $chains{$table}{$chain} = $chainref; - } - } else { - $tables{$table} = 1; - } - } - - for $table ( keys %tables ) { - while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { - $chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! 
$chainref->{builtin}; - } - } - - emit 'exec 3>${VARDIR}/.iptables-restore-input'; - - enter_cat_mode; - - for $table ( qw(raw nat mangle filter) ) { - my $tableref=$chains{$table}; - - next unless $tableref; - - @chains = sort keys %$tableref; - - emit_unindented "*$table"; - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - emit_unindented ":$chainref->{name} - [0:0]"; - } - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - my @rules = @{$chainref->{rules}}; - my $name = $chainref->{name}; - - @rules = () unless @rules; - # - # Emit the chain rules - # - emitr($chainref, $_) for @rules; - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - - # - # Now generate the actual ip[6]tables-restore command - # - emit( 'exec 3>&-', - '' ); - - if ( $family == F_IPV4 ) { - emit ( 'progress_message2 "Running iptables-restore..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - } else { - emit ( 'progress_message2 "Running ip6tables-restore..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - } - } else { - emit('true'); - } - - pop_indent; - - emit "}\n"; -} - # # Generate the netfilter input to stop the firewall # diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 25b15229d..6c48fd753 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
@@ -109,7 +109,7 @@ sub generate_script_1( $ ) { ################################################################################ EOF - for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) { + for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) { emit "\nrun_${exit}_exit() {"; push_indent; append_file $exit or emit 'true'; @@ -366,7 +366,6 @@ sub generate_script_3($) { create_netfilter_load( $test ); create_arptables_load( $test ) if $have_arptables; - create_chainlist_reload( $_[0] ); create_save_ipsets; create_load_ipsets; @@ -398,16 +397,10 @@ sub generate_script_3($) { emit 'load_kernel_modules Yes'; } - emit ''; - - emit ( 'if [ "$COMMAND" = refresh ]; then' , - ' run_refresh_exit' , - 'else' , - ' run_init_exit', - 'fi', - '' ); - - emit( 'load_ipsets' , + emit( '' , + 'run_init_exit', + '' , + 'load_ipsets' , '' ); create_nfobjects; @@ -465,11 +458,6 @@ sub generate_script_3($) { dump_proxy_arp; emit_unindented '__EOF__'; - emit( '', - 'if [ "$COMMAND" != refresh ]; then' ); - - push_indent; - emit 'cat > ${VARDIR}/zones << __EOF__'; dump_zone_contents; emit_unindented '__EOF__'; @@ -482,10 +470,6 @@ sub generate_script_3($) { dump_mark_layout; emit_unindented '__EOF__'; - pop_indent; - - emit "fi\n"; - emit '> ${VARDIR}/nat'; add_addresses; 
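Review bot: Dropping `refresh` and `refreshed` from the exit-script list in generate_script_1 means an administrator's existing `/etc/shorewall/refresh` or `refreshed` extension script is now silently never run, and the Config.pm hunk removes the two names from %config_files without replacing the lost signal. Nothing in the generated script or the compiler tells the user; a one-time compiler warning when either file is still present in the configuration directory, plus a release-notes entry naming the two dropped extension points next to the dropped command, would make the removal visible instead of silent. generate_script_1's body continues outside the hunk.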
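Review bot: generate_script_3 keeps its `($)` prototype, but the only reader of `$_[0]` was the `create_chainlist_reload( $_[0] )` call removed in the preceding hunk, so the parameter is now dead on the callee side while the caller, outside this diff, presumably still passes it; either drop it at both ends or add a comment on the signature saying why it stays. On the CLI side the `--refresh=$g_refreshchains` option is removed in lib.cli-std, but the front end that accepted `--refresh` (compiler.pl) is not among the 11 files in the diffstat; if it still parses the option, the value now goes nowhere and the option should be retired in the same change. The rest of generate_script_3 is outside this hunk.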
@@ -527,26 +511,9 @@ sub generate_script_3($) { emithd <<"EOF"; set_state Started $config_dir run_restored_exit -elif [ \$COMMAND = refresh ]; then - chainlist_reload +else + setup_netfilter EOF - push_indent; - setup_load_distribution; - setup_forwarding( $family , 0 ); - pop_indent; - # - # Use a parameter list rather than 'here documents' to avoid an extra blank line - # - emit( ' run_refreshed_exit', - ' do_iptables -N shorewall' ); - - emit( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH'; - - emit( " set_state Started $config_dir", - ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall', - 'else', - ' setup_netfilter' ); - push_indent; emit 'setup_arptables' if $have_arptables; setup_load_distribution; @@ -581,9 +548,6 @@ case $COMMAND in reload) mylogger kern.info "$g_product reloaded" ;; - refresh) - mylogger kern.info "$g_product refreshed" - ;; restore) mylogger kern.info "$g_product restored" ;; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5477ad410..29a71f0a2 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -591,8 +591,6 @@ our %config_files = ( #accounting => 1, policy => 1, providers => 1, proxyarp => 1, - refresh => 1, - refreshed => 1, restored => 1, rawnat => 1, route_rules => 1, diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index b94c35a0f..90038589b 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -2554,9 +2554,6 @@ EOF reload) mylogger kern.err "ERROR:$g_product reload failed" ;; - refresh) - mylogger kern.err "ERROR:$g_product refresh failed" - ;; enable) mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed" ;; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 630992103..c8d83780b 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm 
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -2368,7 +2368,7 @@ sub handle_optional_interfaces() {
 emit( '',
 'if [ -z "$HAVE_INTERFACE" ]; then' ,
 ' case "$COMMAND" in',
- ' start|reload|restore|refresh)'
+ ' start|reload|restore)'
 );
 
 if ( $family == F_IPV4 ) {
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index fde6876f1..74bfacfba 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -2031,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 if ( $generate_case ) {
 emit( 'case "$COMMAND" in' );
 push_indent;
- emit( 'start|reload|restore|refresh)' );
+ emit( 'start|reload|restore)' );
 push_indent;
 }
 
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 37969b945..0b37e3721 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -445,7 +445,7 @@ compiler() {
 get_config Yes
 
 case $COMMAND in
- *start|try|refresh|reload|restart|safe-*)
+ *start|try|reload|restart|safe-*)
 ;;
 *)
 STARTUP_LOG=
@@ -487,7 +487,6 @@ compiler() {
 [ -n "$g_test" ] && options="$options --test"
 [ -n "$g_preview" ] && options="$options --preview"
 [ "$g_debugging" = trace ] && options="$options --debug"
- [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
 [ -n "$g_confess" ] && options="$options --confess"
 [ -n "$g_update" ] && options="$options --update"
 [ -n "$g_annotate" ] && options="$options --annotate"
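Review bot: The literal `'start|reload|restore)'` is emitted here in handle_optional_interfaces and again, word for word, in verify_required_interfaces in the Zones.pm hunk, and the same command set is spelled out a third time in the `case $COMMAND in` text that Compiler.pm generates; this commit had to edit every copy to remove one word, which is the usual sign that the set belongs in one place. A single list in Shorewall::Config, e.g. `my @STARTUP_COMMANDS = qw(start reload restore);` joined with `|` at the emit sites, would keep the next change to the command set to one line and make it impossible for the emitters to disagree about which commands require interfaces to be present. Both enclosing subs continue outside their hunks.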
@@ -1067,128 +1066,6 @@ restart_command() { return $rc } -# -# Refresh Command Executor -# -refresh_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - d*) - g_debug=Yes - option=${option#d} - ;; - n*) - g_noroutes=Yes - option=${option#n} - ;; - T*) - g_confess=Yes - option=${option#T} - ;; - i*) - g_inline=Yes - option=${option#i} - ;; - D) - if [ $# -gt 1 ]; then - g_shorewalldir="$2" - option= - shift - else - fatal_error "The -D option requires a directory name" - fi - ;; - *) - option_error $option - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - if [ $# -gt 0 ]; then - g_refreshchains=$1 - shift - - while [ $# -gt 0 ]; do - g_refreshchains="$g_refreshchains,$1" - shift - done - else - g_refreshchains=:refresh: - fi - - product_is_started || fatal_error "$g_product is not running" - - [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" - - g_file="${VARDIR}/.refresh" - - if compiler $g_debugging $nolock compile "$g_file"; then - [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/.refresh $g_debugging refresh - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - fi - - return $rc -} - -read_yesno_with_timeout() { - local timeout - timeout=${1:-60} - - case $timeout in - *s) - ;; - *m) - timeout=$((${timeout%m} * 60)) - ;; - *h) - timeout=$((${timeout%h} * 3600)) - ;; - esac - - read -t $timeout yn 2> /dev/null - if [ $? -eq 2 ] - then - # read doesn't support timeout - test -x /bin/bash || return 2 # bash is not installed so the feature is not available - /bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read - return $? 
- else - # read supports timeout - case "$yn" in - y|Y) - return 0 - ;; - *) - return 1 - ;; - esac - fi -} - # # Safe-start/safe-reload/safe-restart Command Executor # @@ -1792,12 +1669,6 @@ compiler_command() { shift compile_command $@ ;; - refresh) - only_root - get_config Yes Yes - shift - refresh_command $@ - ;; check|ck) shift check_command $@ diff --git a/Shorewall/manpages/shorewall-tcdevices.xml b/Shorewall/manpages/shorewall-tcdevices.xml index d6b9a8730..3a5198456 100644 --- a/Shorewall/manpages/shorewall-tcdevices.xml +++ b/Shorewall/manpages/shorewall-tcdevices.xml @@ -112,7 +112,7 @@ ppp interfaces, you need to put them all in here! If the device doesn't exist, a warning message will be issued - during "shorewall [re]start" and "shorewall refresh" and traffic + during "shorewall [re]start" and "shorewall reload" and traffic shaping configuration will be skipped for that device. Shorewall assigns a sequential interface diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index f1ca66fec..84d2fb3c3 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -1348,10 +1348,9 @@ net all DROP infothen the chain name is 'net-all' running, you should remove the file /var/lib/shorewall/rt_tables (/var/lib/shorewall-lite/rt_tables) before - your next stop, refresh, - restore, reload or restart - command. + your next stop, restore, + reload or + restart command. IPv6: @@ -1365,10 +1364,9 @@ net all DROP infothen the chain name is 'net-all' is running, you should remove the file /var/lib/shorewall6/rt_tables (/var/lib/shorewall6-lite/rt_tables) before - your next stop, refresh, - restore, reload or restart - command. + your next stop, restore, + reload or + restart command. @@ -2760,7 +2758,6 @@ INLINE - - - ;; -j REJECT of each start, reload, restart, refresh, try, and safe-* command. Logging verbosity is determined by the setting of LOG_VERBOSITY above.
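Review bot: The lib.cli-std hunk starting at `@@ -1067,128 +1066,6 @@` deletes `read_yesno_with_timeout()` together with `refresh_command()`, but that helper has nothing to do with the refresh command and, as the surviving context line `# Safe-start/safe-reload/safe-restart Command Executor` shows, sits directly above the safe-* executor, which presumably is what prompts the operator to accept or roll back a new ruleset within a timeout. The executor's body is outside the hunk, so I cannot confirm it still calls the helper; if it does, every safe-* command will now fail at the prompt with a "not found" error from the shell, and losing that automatic rollback is a worse outcome than keeping the command being removed. Please either restore `read_yesno_with_timeout()` or show its last call site being removed in the same commit.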