Use chains with names derived from a digest to identify ruleset

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-10-31 11:36:53 -07:00
parent a83c146636
commit 4546cbaff7
4 changed files with 34 additions and 18 deletions


@ -6521,7 +6521,6 @@ sub set_chain_variables() {
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
emit( 'IPTABLES_RESTORE="$IPTABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IPTABLES' );
} else {
if ( $config{IP6TABLES} ) {
@ -6536,7 +6535,6 @@ sub set_chain_variables() {
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
emit( 'IP6TABLES_RESTORE="$IP6TABLES_RESTORE --counters"' ) if $config{SAVE_COUNTERS};
emit( 'g_tool=$IP6TABLES' );
}
@ -7918,7 +7916,7 @@ sub save_dynamic_chains() {
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit( 'if [ "$COMMAND" = restart ]; then',
" ${tool}-save --counters > \${VARDIR}/.$utility}-input",
" ${tool}-save --counters > \${VARDIR}/.${utility}-input",
"fi\n" );
}
@ -8258,8 +8256,11 @@ sub create_netfilter_load( $ ) {
if ( $config{SAVE_COUNTERS} ) {
emit( '',
'if [ "$COMMAND" = restart -a -n "$g_sha1sum" -a -f ${VARDIR}/.sha1sum -a $g_sha1sum = $(cat ${VARDIR}/.sha1sum) ]; then',
'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
' option="--counters"',
'',
' progress_message "Reusing existing ruleset..."',
'',
'else'
);
push_indent;
@ -8330,7 +8331,7 @@ sub create_netfilter_load( $ ) {
'' );
if ( $config{SAVE_COUNTERS} ) {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' $option' );
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
} else {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
}
@ -8344,6 +8345,14 @@ sub create_netfilter_load( $ ) {
"fi\n"
);
if ( $config{SAVE_COUNTERS} ) {
emit( 'if [ -z "$options" ]; then',
' $g_tool -N $g_sha1sum1',
' $g_tool -N $g_sha1sum2',
'fi'
);
}
pop_indent;
emit "}\n";
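Review bot: The guard emitted at the end of create_netfilter_load tests `$options`, but the variable the same function sets on the reuse path is the singular `option` (`option="--counters"`, later expanded in `command="$' . $UTILITY . ' $option"`), so unless the generated script defines `options` somewhere else this test does not track whether the ruleset was reused; `emit( 'if [ -z "$option" ]; then',` looks like the intent. A second point on the new restart condition: `$g_sha1sum1` and `$g_sha1sum2` are only filled in by finalize_script when the script is written to a real file, so a script compiled to `-` runs `chain_exists` with an empty argument and `$g_tool -N` with no chain name; adding `-n "$g_sha1sum1"` to the restart test would keep that case on the full-reload path. create_netfilter_load begins before and continues between the hunks shown here.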


@ -519,12 +519,11 @@ EOF
emit(
" set_state Started $config_dir",
' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall');
emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
emit( 'else',
' setup_netfilter'
' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
'else',
' setup_netfilter'
);
push_indent;
emit 'setup_arptables' if $have_arptables;
setup_load_distribution;
@ -545,10 +544,8 @@ EOF
emit( " set_state Started $config_dir",
' my_pathname=$(my_pathname)',
' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall' );
emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
emit( ' run_started_exit',
' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
' run_started_exit',
"fi\n" );
emit<<'EOF';
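Review bot: The removed line in each of the two hunks was also what deleted `${VARDIR}/.sha1sum` (`|| rm -f ${VARDIR}/.sha1sum`), and nothing in the new code removes it, so an installation upgraded from a release that wrote that file keeps a stale copy indefinitely. If that matters, keeping a one-off `emit( ' rm -f ${VARDIR}/.sha1sum' );` on both paths for a release, or mentioning the leftover file in the changelog, would close it. Both hunks sit inside a function whose start and end are outside this section.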


@ -1780,12 +1780,16 @@ sub finalize_script( $ ) {
if ( $file ne '-' ) {
if ( $config{SAVE_COUNTERS} ) {
my $sha1sum = generate_sha1;
my $sha1sum = generate_sha1;
my $sha1sum1 = substr( $sha1sum, 0, 20 );
my $sha1sum2 = substr( $sha1sum, -20 );
@ARGV = ( $tempfile );
$^I = '';
while ( <> ) {
s/g_sha1sum=/g_sha1sum=$sha1sum/;
s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
print;
}
}
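Review bot: The three substitutions in finalize_script are unanchored, so `s/g_sha1sum1=/…/` rewrites any line of the script that contains that text, not just the assignment in the header, and applying it twice would append the digest a second time. Anchoring them, `s/^g_sha1sum1=$/g_sha1sum1=$sha1sum1/;` and likewise for `g_sha1sum2`, makes the in-place edit exact and idempotent. It would also help to note in a comment that when `$file eq '-'` the two variables are left empty in the emitted script, since the generated code uses them as chain names. The enclosing `if ( $file ne '-' )` block and finalize_script itself extend beyond the hunk.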


@ -86,7 +86,13 @@ g_purge=$PURGE
g_noroutes=$NOROUTES
g_timestamp=$TIMESTAMP
g_recovering=$RECOVERING
g_sha1sum=
#
# These two variables contain the high-order and low-order parts respectively of
# an SHA1 digest of this file. The digest is generated before the two following
# lines are updated to contain the value of that digest.
#
g_sha1sum1=
g_sha1sum2=
initialize
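Review bot: The new header comment says "high-order and low-order parts" without saying what the parts are or what they are used for; finalize_script fills them with the first and last 20 hex digits of the digest and the generated script uses them as chain names, so a comment such as `# The first and last 20 hex digits of the SHA1 digest of this file; they name the two chains the restart path checks to decide whether the existing ruleset can be reused.` states the contract. Keep the existing sentence that the digest is computed before these two lines are filled in, and mention that both stay empty when the script is emitted to `-` rather than to a file.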