From 4546cbaff7fc95a0f571600d82c90660cb9e2324 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 31 Oct 2014 11:36:53 -0700
Subject: [PATCH] Use chains with names derived from a digest to identify ruleset

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 21 +++++++++++++++------
 Shorewall/Perl/Shorewall/Compiler.pm | 15 ++++++--------
 Shorewall/Perl/Shorewall/Config.pm | 8 ++++++--
 Shorewall/Perl/prog.footer | 8 +++++++-
 4 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index bf136745c..a5d82ccae 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6521,7 +6521,6 @@ sub set_chain_variables() {
 emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"'
 );
- emit( 'IPTABLES_RESTORE="$IPTABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
 emit( 'g_tool=$IPTABLES' );
 } else {
 if ( $config{IP6TABLES} ) {
@@ -6536,7 +6535,6 @@ sub set_chain_variables() {
 emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"'
 );
- emit( 'IP6TABLES_RESTORE="$IP6TABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
 emit( 'g_tool=$IP6TABLES' );
 }

@@ -7918,7 +7916,7 @@ sub save_dynamic_chains() {
 my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

 emit( 'if [ "$COMMAND" = restart ]; then',
- " ${tool}-save --counters > \${VARDIR}/.$utility}-input",
+ " ${tool}-save --counters > \${VARDIR}/.${utility}-input",
 "fi\n" );
 }

@@ -8258,9 +8256,12 @@ sub create_netfilter_load( $ ) {

 if ( $config{SAVE_COUNTERS} ) {
 emit( '',
- 'if [ "$COMMAND" = restart -a -n "$g_sha1sum" -a -f ${VARDIR}/.sha1sum -a $g_sha1sum = $(cat ${VARDIR}/.sha1sum) ]; then',
+ 'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
 ' option="--counters"',
- 'else'
+ '',
+ ' progress_message "Reusing existing ruleset..."',
+ '',
+ 'else'
 );
 push_indent;
 }
@@ -8330,7 +8331,7 @@ sub create_netfilter_load( $ ) {
 ''
 );
 if ( $config{SAVE_COUNTERS} ) {
- emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' $option' );
+ emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
 } else {
 emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
 }
@@ -8344,6 +8345,14 @@ sub create_netfilter_load( $ ) {
 "fi\n"
 );

+ if ( $config{SAVE_COUNTERS} ) {
+ emit( 'if [ -z "$options" ]; then',
+ ' $g_tool -N $g_sha1sum1',
+ ' $g_tool -N $g_sha1sum2',
+ 'fi'
+ );
+ }
+
 pop_indent;

 emit "}\n";
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index dd9e8f1d2..9d0e14c11 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -519,12 +519,11 @@ EOF

 emit( " set_state Started $config_dir",
- ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall');
- emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
-
- emit( 'else',
- ' setup_netfilter'
+ ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+ 'else',
+ ' setup_netfilter'
 );
+
 push_indent;
 emit 'setup_arptables' if $have_arptables;
 setup_load_distribution;

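Review bot: The emitted test `chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2` drops the `-n "$g_sha1sum"` guard the old condition carried, yet both variables stay empty whenever finalize_script skips the substitution (the `$file ne '-'` branch in the Config.pm hunk), so on such a script a restart calls `chain_exists` with no argument at all. What that does depends on chain_exists, which is not part of this patch; if it succeeds for an empty name, a ruleset that is not the compiled one would be treated as "existing" and restored with `--counters`. Keeping the emptiness check is cheap: `'if [ "$COMMAND" = restart -a -n "$g_sha1sum1" -a -n "$g_sha1sum2" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2; then',`. The same empty-value case applies to the two assignments added in the prog.footer hunk; create_netfilter_load continues outside this hunk.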
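Review bot: The guard added at -8344 tests `$options`, while the variable assigned earlier in this function and consumed by `command="$IPTABLES_RESTORE $option"` is `$option`; unless `$options` is set somewhere else in the generated script, `-z "$options"` is always true, so `$g_tool -N $g_sha1sum1` and `-N $g_sha1sum2` run on every load, including the reuse path where those chains already exist and the tool will report the duplicate. The emitted line should read `'if [ -z "$option" ]; then',`. Separately worth confirming: unless the restore is run with --noflush, iptables-restore replaces the table's user-defined chains, in which case the marker chains would have to be recreated after every restore rather than only when `$option` is empty; the restore invocation itself is outside this hunk.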
@@ -545,10 +544,8 @@ EOF

 emit( " set_state Started $config_dir",
 ' my_pathname=$(my_pathname)',
- ' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall' );
-
- emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
- emit( ' run_started_exit',
+ ' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
+ ' run_started_exit',
 "fi\n" );

 emit<<'EOF';
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 79744ba6b..35a1dde58 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1780,12 +1780,16 @@ sub finalize_script( $ ) {

 if ( $file ne '-' ) {
 if ( $config{SAVE_COUNTERS} ) {
- my $sha1sum = generate_sha1;
+ my $sha1sum = generate_sha1;
+ my $sha1sum1 = substr( $sha1sum, 0, 20 );
+ my $sha1sum2 = substr( $sha1sum, -20 );
+
 @ARGV = ( $tempfile );
 $^I = '';
 while ( <> ) {
- s/g_sha1sum=/g_sha1sum=$sha1sum/;
+ s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+ s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
 print;
 }
 }

diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index 772a2661a..9ecf32633 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -86,7 +86,13 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
-g_sha1sum=
+#
+# These two variables contain the high-order and low-order parts respectively of
+# an SHA1 digest of this file. The digest is generated before the two following
+# lines are updated to contain the value of that digest.
+#
+g_sha1sum1=
+g_sha1sum2=

 initialize

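Review bot: In the Config.pm hunk the substitutions `s/g_sha1sum1=/g_sha1sum1=$sha1sum1/` and `s/g_sha1sum2=/g_sha1sum2=$sha1sum2/` are unanchored, so they rewrite any line of the script that contains that text, not only the two empty assignments in prog.footer, and a line already carrying a value would get a second value spliced in front of it. Anchoring them to the whole line, `s/^g_sha1sum1=$/g_sha1sum1=$sha1sum1/;` and `s/^g_sha1sum2=$/g_sha1sum2=$sha1sum2/;`, confines the edit to the intended lines. A one-line comment above the substr calls would also help the next reader: `# 40-char hex digest split into two 20-char halves, each short enough for a netfilter chain name`. finalize_script continues outside the hunk.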