Use chains with names derived from a digest to identify ruleset

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-10-31 11:36:53 -07:00
parent a83c146636
commit 4546cbaff7
4 changed files with 34 additions and 18 deletions


@ -6521,7 +6521,6 @@ sub set_chain_variables() {
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
emit( 'IPTABLES_RESTORE="$IPTABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IPTABLES' ); emit( 'g_tool=$IPTABLES' );
} else { } else {
if ( $config{IP6TABLES} ) { if ( $config{IP6TABLES} ) {
@ -6536,7 +6535,6 @@ sub set_chain_variables() {
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
emit( 'IP6TABLES_RESTORE="$IP6TABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IP6TABLES' ); emit( 'g_tool=$IP6TABLES' );
} }
@ -7918,7 +7916,7 @@ sub save_dynamic_chains() {
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit( 'if [ "$COMMAND" = restart ]; then', emit( 'if [ "$COMMAND" = restart ]; then',
" ${tool}-save --counters > \${VARDIR}/.$utility}-input", " ${tool}-save --counters > \${VARDIR}/.${utility}-input",
"fi\n" ); "fi\n" );
} }
@ -8258,9 +8256,12 @@ sub create_netfilter_load( $ ) {
if ( $config{SAVE_COUNTERS} ) { if ( $config{SAVE_COUNTERS} ) {
emit( '', emit( '',
'if [ "$COMMAND" = restart -a -n "$g_sha1sum" -a -f ${VARDIR}/.sha1sum -a $g_sha1sum = $(cat ${VARDIR}/.sha1sum) ]; then', 'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
' option="--counters"', ' option="--counters"',
'else' '',
' progress_message "Reusing existing ruleset..."',
'',
'else'
); );
push_indent; push_indent;
} }
@ -8330,7 +8331,7 @@ sub create_netfilter_load( $ ) {
'' ); '' );
if ( $config{SAVE_COUNTERS} ) { if ( $config{SAVE_COUNTERS} ) {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' $option' ); emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
} else { } else {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY ); emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
} }
@ -8344,6 +8345,14 @@ sub create_netfilter_load( $ ) {
"fi\n" "fi\n"
); );
if ( $config{SAVE_COUNTERS} ) {
emit( 'if [ -z "$options" ]; then',
' $g_tool -N $g_sha1sum1',
' $g_tool -N $g_sha1sum2',
'fi'
);
}
pop_indent; pop_indent;
emit "}\n"; emit "}\n";
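Review bot: The new restart condition in the first create_netfilter_load hunk drops the `-n "$g_sha1sum"` guard the old test had, so if the placeholders are never filled in (the finalize_script change in this commit only substitutes them when the output file is not `-`) `chain_exists $g_sha1sum1` is called with an empty argument and the later `$g_tool -N $g_sha1sum1` is emitted with no chain name. Keeping the emptiness check, `'if [ "$COMMAND" = restart -a -n "$g_sha1sum1" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2; then'`, and guarding the `-N` block the same way avoids both. Separately, the last hunk tests `"$options"` while the variable assigned earlier in this function is `option`; if that is a typo the `-z` test never sees the value it is meant to check. create_netfilter_load continues outside these hunks.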


@ -519,12 +519,11 @@ EOF
emit( emit(
" set_state Started $config_dir", " set_state Started $config_dir",
' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall'); ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS}; 'else',
' setup_netfilter'
emit( 'else',
' setup_netfilter'
); );
push_indent; push_indent;
emit 'setup_arptables' if $have_arptables; emit 'setup_arptables' if $have_arptables;
setup_load_distribution; setup_load_distribution;
@ -545,10 +544,8 @@ EOF
emit( " set_state Started $config_dir", emit( " set_state Started $config_dir",
' my_pathname=$(my_pathname)', ' my_pathname=$(my_pathname)',
' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall' ); ' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
' run_started_exit',
emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
emit( ' run_started_exit',
"fi\n" ); "fi\n" );
emit<<'EOF'; emit<<'EOF';


@ -1780,12 +1780,16 @@ sub finalize_script( $ ) {
if ( $file ne '-' ) { if ( $file ne '-' ) {
if ( $config{SAVE_COUNTERS} ) { if ( $config{SAVE_COUNTERS} ) {
my $sha1sum = generate_sha1; my $sha1sum = generate_sha1;
my $sha1sum1 = substr( $sha1sum, 0, 20 );
my $sha1sum2 = substr( $sha1sum, -20 );
@ARGV = ( $tempfile ); @ARGV = ( $tempfile );
$^I = ''; $^I = '';
while ( <> ) { while ( <> ) {
s/g_sha1sum=/g_sha1sum=$sha1sum/; s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
print; print;
} }
} }
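Review bot: The two substitutions on the new lines are unanchored, so any line of the generated script containing `g_sha1sum1=` or `g_sha1sum2=` is rewritten, not only the two placeholder assignments; anchoring them to the whole line, `s{^g_sha1sum1=$}{g_sha1sum1=$sha1sum1};` and `s{^g_sha1sum2=$}{g_sha1sum2=$sha1sum2};`, limits the edit to the variables the shell library declares. The split into `substr( $sha1sum, 0, 20 )` and `substr( $sha1sum, -20 )` also assumes generate_sha1 returns exactly the 40 hex characters of the digest and nothing else; if it can return a longer string (a trailing newline, a filename) the halves overlap or carry extra text, so a length check on `$sha1sum` before the split would make that assumption explicit. finalize_script continues outside the hunk.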


@ -86,7 +86,13 @@ g_purge=$PURGE
g_noroutes=$NOROUTES g_noroutes=$NOROUTES
g_timestamp=$TIMESTAMP g_timestamp=$TIMESTAMP
g_recovering=$RECOVERING g_recovering=$RECOVERING
g_sha1sum= #
# These two variables contain the high-order and low-order parts respectively of
# an SHA1 digest of this file. The digest is generated before the two following
# lines are updated to contain the value of that digest.
#
g_sha1sum1=
g_sha1sum2=
initialize initialize
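Review bot: The new comment says what the two variables hold but not why the digest is split, which a reader of this file alone cannot recover; the create_netfilter_load change in the same commit uses them as the names of two marker chains that a restart checks with chain_exists to decide whether the running ruleset is unchanged. A sentence such as `# They are also used as the names of two chains whose presence tells a restart that the running ruleset is unchanged.` would close that gap. In the same comment, `an SHA1 digest` reads more naturally as `a SHA1 digest`.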