extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-09 07:31:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Retry return status 4 from iptables

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7765 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2007-11-26 22:34:36 +00:00
parent c300f63de7
commit 43b00fbe35
5 changed files with 64 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -2,6 +2,10 @@ Changes in 4.1.2
1) Enhanced Operational Logging 1) Enhanced Operational Logging
2) Fix undefined value when config file missing.
3) Handle exit status 4 from iptables.
Changes in 4.1.1 Changes in 4.1.1
1) Fix ULOG/NFLOG output. 1) Fix ULOG/NFLOG output.

4
Shorewall-common/releasenotes.txt
View File

@ -12,7 +12,9 @@ Shorewall 4.1 Patch Release 2.
Problems corrected in Shorewall 4.1.2. Problems corrected in Shorewall 4.1.2.
None. 1) The iptables utility doesn't retry operations that fail due to
resource shortage. Beginning with this release, Shorewall reruns
iptables when such a failure occurs.
Other changes in Shorewall 4.1.2. Other changes in Shorewall 4.1.2.

92
Shorewall-perl/Shorewall/Config.pm
View File

@ -901,7 +901,10 @@ sub split_line2( $$$ ) {
my $columns = $no_pad{$first}; my $columns = $no_pad{$first};
if ( defined $columns ) { if ( defined $columns ) {
fatal_error "Invalid $first entry" if $columns && @line != $columns; if ( $columns ) {
fatal_error "Invalid $first entry" if @line != $columns;
}
return @line return @line
} }
@ -1469,6 +1472,11 @@ sub qt( $ ) {
system( "@_ > /dev/null 2>&1" ) == 0; system( "@_ > /dev/null 2>&1" ) == 0;
} }
sub qt1( $ ) {
1 while system( "@_ > /dev/null 2>&1" ) == 4;
$? == 0;
}
# #
# Determine which optional facilities are supported by iptables/netfilter # Determine which optional facilities are supported by iptables/netfilter
# #
@ -1478,77 +1486,77 @@ sub determine_capabilities( $ ) {
my $pid = $$; my $pid = $$;
my $sillyname = "fooX$pid"; my $sillyname = "fooX$pid";
$capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" ); $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" );
$capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" ); $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
qt( "$iptables -N $sillyname" ); qt1( "$iptables -N $sillyname" );
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
if ( qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
$capabilities{MULTIPORT} = 1; $capabilities{MULTIPORT} = 1;
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
} }
$capabilities{XMULTIPORT} = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); $capabilities{XMULTIPORT} = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
$capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); $capabilities{POLICY_MATCH} = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
$capabilities{PHYSDEV_MATCH} = 1; $capabilities{PHYSDEV_MATCH} = 1;
$capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); $capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
unless ( $capabilities{KLUDGEFREE} ) { unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
} }
} }
if ( qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
$capabilities{IPRANGE_MATCH} = 1; $capabilities{IPRANGE_MATCH} = 1;
unless ( $capabilities{KLUDGEFREE} ) { unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
} }
} }
$capabilities{RECENT_MATCH} = qt( "$iptables -A $sillyname -m recent --update -j ACCEPT" ); $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
$capabilities{OWNER_MATCH} = qt( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" ); $capabilities{OWNER_MATCH} = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
if ( qt( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) { if ( qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) {
$capabilities{CONNMARK_MATCH} = 1; $capabilities{CONNMARK_MATCH} = 1;
$capabilities{XCONNMARK_MATCH} = qt( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
} }
$capabilities{IPP2P_MATCH} = qt( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" );
$capabilities{LENGTH_MATCH} = qt( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
$capabilities{COMMENTS} = qt( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
if ( $capabilities{MANGLE_ENABLED} ) { if ( $capabilities{MANGLE_ENABLED} ) {
qt( "$iptables -t mangle -N $sillyname" ); qt1( "$iptables -t mangle -N $sillyname" );
if ( qt( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) { if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
$capabilities{MARK} = 1; $capabilities{MARK} = 1;
$capabilities{XMARK} = qt( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
} }
if ( qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) { if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
$capabilities{CONNMARK} = 1; $capabilities{CONNMARK} = 1;
$capabilities{XCONNMARK} = qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
} }
$capabilities{CLASSIFY_TARGET} = qt( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
qt( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -F $sillyname" );
qt( "$iptables -t mangle -X $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" );
$capabilities{MANGLE_FORWARD} = qt( "$iptables -t mangle -L FORWARD -n" ); $capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" );
} }
$capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" ); $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
if ( which 'ipset' ) { if ( which 'ipset' ) {
qt( "ipset -X $sillyname" ); qt( "ipset -X $sillyname" );
if ( qt( "ipset -N $sillyname iphash" ) ) { if ( qt( "ipset -N $sillyname iphash" ) ) {
if ( qt( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
qt( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
$capabilities{IPSET_MATCH} = 1; $capabilities{IPSET_MATCH} = 1;
} }
@ -1556,16 +1564,16 @@ sub determine_capabilities( $ ) {
} }
} }
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = qt( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
$capabilities{NFQUEUE_TARGET} = qt( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
qt( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );
$capabilities{CAPVERSION} = $globals{CAPVERSION}; $capabilities{CAPVERSION} = $globals{CAPVERSION};
} }

7
Shorewall-perl/prog.functions
View File

@ -103,7 +103,12 @@ startup_error() # $* = Error Message
# #
run_iptables() run_iptables()
{ {
if ! $IPTABLES $@; then while [ 1 ]; do
$IPTABLES $@
[ $? -ne 4 ] && break
done
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed" error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2

2
tools/web/publish
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl #STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl
STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl
WEBSITE=/home/teastep/Shorewall/Website WEBSITE=/home/teastep/Shorewall/Website
HTMFILES=" HTMFILES="
6to4.htm 6to4.htm