Finish restoring the 'refresh' command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-perl/Shorewall/Chains.pm

@@ -116,6 +116,7 @@ our @EXPORT = qw( STANDARD
 		  get_interface_addresses
 		  set_global_variables
 		  create_netfilter_load
+		  create_blacklist_reload
 
 		  @policy_chains
 		  %chain_table
@@ -300,10 +301,6 @@ sub initialize() {
     %interfaceaddrs = ();
     %interfacenets  = ();
     #
-    # State of the generator.
-    #
-    $state = NULL_STATE;
-    #
     #  When true, we've emitted a comment about global variable initialization
     #
     $emitted_comment = 0;
@@ -1886,6 +1883,8 @@ sub set_global_variables() {
 #
 sub create_netfilter_load() {
 
+    $state = NULL_STATE;
+  
     emitj( 'setup_netfilter()',
 	   '{'
 	   );
@@ -1938,8 +1937,7 @@ sub create_netfilter_load() {
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
 	    for my $rule ( @{$chainref->{rules}} ) {
-		$rule = "-A $name $rule" unless substr( $rule, 0, 1) eq '~';
+		emitr( substr( $rule, 0, 1 ) eq '~' ? $rule : "-A $name $rule" );
-		emitr $rule;
 	    }
 	}
 	#
@@ -1970,4 +1968,61 @@ sub create_netfilter_load() {
     emit "}\n";
 }
 
+#
+# Generate the netfilter input
+#
+sub create_blacklist_reload() {
+
+    $state = NULL_STATE;
+  
+    emitj( 'blacklist_reload()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing iptables-restore input...";
+
+    emit '';
+    #
+    # We always write the input into a file then pass the file to iptables-restore. That way, if things go wrong,
+    # the user (and Shorewall support) has something to look at to determine the error
+    #
+    emit 'exec 3>${VARDIR}/.iptables-restore-input';
+
+    emitr '*filter';
+    emitr ':blacklst - [0:0]';
+
+    my $chainref = $filter_table->{blacklst};
+
+    for my $rule ( @{$chainref->{rules}} ) {
+	emitr( substr( $rule, 0, 1 ) eq '~' ? $rule : "-A blacklst $rule" );
+    }
+    #
+    # Commit the changes to the table
+    #
+    emitr 'COMMIT';
+
+    emit_unindented '__EOF__' unless $state == CMD_STATE;
+    emit '';
+    #
+    # Now generate the actual iptables-restore command
+    #
+    emitj( 'exec 3>&-',
+	   '',
+	   'progress_message2 "Running iptables-restore..."',
+	   '',
+	   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux'
+	 );
+
+    emitj( 'if [ $? != 0 ]; then',
+	   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+	   "fi\n"
+	   );
+
+    pop_indent;
+
+    emit "}\n";
+}
+
 1;

Shorewall-perl/Shorewall/Compiler.pm

@@ -604,6 +604,7 @@ sub generate_script_3() {
 
     progress_message2 "Creating iptables-restore input...";
     create_netfilter_load;
+    create_blacklist_reload;
 
     emit "#\n# Start/Restart the Firewall\n#";
     emit 'define_firewall() {';
@@ -628,7 +629,10 @@ if [ $COMMAND = restore ]; then
     set_state "Started"
 else
     if [ $COMMAND = refresh ]; then
+        blacklist_reload
         run_refresh_exit
+        $IPTABLES -N shorewall
+        set_state "Started"
     else
         setup_netfilter
         restore_dynamic_rules
@@ -636,8 +640,9 @@ else
         $IPTABLES -N shorewall
         set_state "Started"
         run_started_exit
-        cp -f $(my_pathname) ${VARDIR}/.restore
     fi
+        
+    cp -f $(my_pathname) ${VARDIR}/.restore
 fi
 
 date > ${VARDIR}/restarted