Integrate iptables-save/iptables-restore

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1286 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -28,3 +28,6 @@ Changes since 2.0.1
 13) Fix init.debian.sh.
 
 14) Implement the -q option.
+
+15) Add saved configuration support (iptables-save/iptables-restore
+    integration).

Shorewall2/firewall

@@ -99,6 +99,14 @@ report () { # $* = message
     logger "$@"
 }
 
+#
+# Write the passed args to /var/lib/shorewall/restore-$$
+#
+save_command() 
+{
+    echo "$@" >> /var/lib/shorewall/restore-$$
+}
+
 #
 # Run iptables and if an error occurs, stop the firewall and quit
 #
@@ -509,6 +517,7 @@ match_dest_hosts()
 	echo -d $1
     fi
 }
+
 #
 # Similarly, the source or destination in a rule can be qualified by a device name. If 
 # the device is defined in /etc/shorewall/interfaces then a normal interface match is
@@ -1152,9 +1161,9 @@ setup_forwarding() {
 #
 disable_ipv6() {
     if qt which ip6tables; then
-	ip6tables -P FORWARD DROP
-	ip6tables -P INPUT DROP
-	ip6tables -P OUTPUT DROP
+	ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
+	ip6tables -P INPUT DROP   && save_command ip6tables -P INPUT DROP
+	ip6tables -P OUTPUT DROP  && save_command ip6tables -P OUTPUT DROP
     else
 	error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
     fi
@@ -1176,6 +1185,14 @@ stop_firewall() {
 	    ;;
 	*)
 	    set +x
+	    if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
+		echo Restoring Shorewall...
+		. /var/lib/shorewall/restore
+		echo Shorewall restored
+		my_mutex_off
+		kill $$
+		exit 2
+	    fi
 	    ;;
     esac
 
@@ -1563,6 +1580,7 @@ setup_proxy_arp() {
 
 	if [ -z "$haveroute" ]; then
 	    run_ip route replace $address dev $interface
+	    save_command ip route replace $address dev $interface
 	    [ -n "$persistent" ] && haveroute=yes
 	fi
 
@@ -1571,6 +1589,10 @@ setup_proxy_arp() {
 	echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
 	echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
 
+	save_command arp -i $external -Ds $address $external pub
+	eval save_command echo 1 '\>' /proc/sys/net/ipv4/conf/$interface/proxy_arp
+	eval save_command echo 0 '\>' /proc/sys/net/ipv4/conf/$external/proxy_arp
+
 	echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
 
 	progress_message "   Host $address connected to $interface added to ARP on $external"
@@ -1784,6 +1806,7 @@ setup_nat() {
 
 	if [ -n "$ADD_IP_ALIASES" ]; then
 	    qt ip addr del $external dev $iface
+	    save_command qt ip addr del $external dev $iface
 	fi
 
 	if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then
@@ -4055,8 +4078,9 @@ setup_masq()
 	    for address in $(separate_list $addresses); do
 		for addr in $(ip_range_explicit $address) ; do
 		    if ! list_search $addr $aliases_to_add; then
+			save_command qt ip addr del $addr dev $interface 
 			aliases_to_add="$aliases_to_add $addr $fullinterface"
-			case $fullinterface in
+			case $fullinterface in 
 			    *:*)
 				fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
 				;;
@@ -4383,6 +4407,7 @@ add_ip_aliases()
     {
 	val=$(address_details)
 	run_ip addr add ${external}${val} dev $interface $label
+	save_command ip addr add ${external}${val} dev $interface $label
 	echo "$external $interface" >> ${STATEDIR}/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
@@ -4925,6 +4950,7 @@ add_common_rules() {
 	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 	[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
 	run_ip route flush cache
+	save_command ip route flush cache
     fi
 
     if [ -n "$DYNAMIC_ZONES" ]; then
@@ -5309,6 +5335,12 @@ define_firewall() # $1 = Command (Start or Restart)
     report "Shorewall ${1}ed"
 
     rm -rf $TMP_DIR
+
+    save_command "iptables-restore < /var/lib/shorewall/iptsave"
+    
+    mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-new
+
+    chmod +x /var/lib/shorewall/restore-new
 }
 
 #
@@ -5908,6 +5940,9 @@ do_initialize() {
     fi
 
     rm -f $TMP_DIR/physdev
+
+    echo '#bin/sh' > /var/lib/shorewall/restore-$$
+    echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
 }
 
 #

Shorewall2/help

@@ -185,6 +185,12 @@ restart)
     If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
 	;;
 
+Restore)
+	echo "restore: restore
+    Restore Shorewall to it's last state saved using the 'save' command
+    Existing connections are maintained.
+	;;
+
 save)
 	echo "save: save
     The dynamic data is stored in /var/lib/shorewall/save
@@ -215,11 +221,12 @@ show)
 	;;
 
 start)
-	echo "start: [ -q ] [ -c <configuration-directory> ] start
+	echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
     Start shorewall.  Existing connections through shorewall managed
     interfaces are untouched.  New connections will be allowed only
     if they are allowed by the firewall rules or policies.
     If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
+    If \"-f\" is specified, the last saved configuraton if any will be restored"
 	;;
 
 stop)

Shorewall2/init.debian.sh

@@ -83,7 +83,7 @@ wait_for_pppd () {
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
   wait_for_pppd
-  $SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall2/init.sh

@@ -62,7 +62,12 @@ command="$1"
 
 case "$command" in
 
-    stop|start|restart|status)
+    start)
+	
+	exec /sbin/shorewall -f start
+	;;
+
+    stop|restart|status)
 
 	exec /sbin/shorewall $@
 	;;

Shorewall2/releasenotes.txt

@@ -23,12 +23,40 @@ Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
 
 New Features:
 
-1) The previous implementation of dynamic zones was difficult to
+1) Shorewall has now been integrated with
+   iptables-save/iptables-restore to provide very fast start and
+   restart. The elements of this integration are as follows:
+
+   a) The 'shorewall save' command now saved the current configuration
+      in addition to the current dynamic blacklist. If you have
+      dynamic zones, you will want to issue 'shorewall save' when the
+      zones are empty or the current contents of the zones will be
+      restored by the 'shorewall restore' and 'shorewall -f start'
+      commands.
+
+   b) The 'shorewall restore' command has been added. This command
+      restores the configuration at the time of the last 'save'.
+
+   c) The -f (fast) option has been added to 'shorewall start'. When
+      specified (e.g. 'shorewall -f start'), shorewall will perform a
+      'shorewall restore' if there is a saved configuration. If there
+      is no saved configuration, a normal 'shorewall start' is
+      performed.
+
+   d) The /etc/init.d/shorewall script now translates the 'start'
+      command into 'shorewall -f start' so that fast restart is
+      possible.
+
+   WARNING: iptables 1.2.9 is broken with respect to iptables-save;
+   you must patch iptables with the iptables patch availale from the
+   Shorewall errata page.
+
+2) The previous implementation of dynamic zones was difficult to
    maintain. I have changed the code to make dynamic zones optional
    under the control of the DYNAMIC_ZONES option in
    /etc/shorewall/shorewall.conf.
 
-2) In earlier Shorewall 2.0 releases, Shorewall searches in order the
+3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
    following directories for configuration files.
 
    a) The directory specified in a 'try' command or specified using
@@ -60,19 +88,19 @@ New Features:
    /usr/share/shorewall/configpath. You can customize this file to
    have a default that differs from mine.
 
-3) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
+4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
    would only take effect if the ALL INTERFACES column also contained
    Yes or yes. Now, the LOCAL columns contents are treated
    independently of the contents of the ALL INTERFACES column.
 
-4) The folks at Mandrake have created yet another kernel module
+5) The folks at Mandrake have created yet another kernel module
    naming convention (module names end in "ko.gz"). As a consequence,
    beginning with this release, if MODULE_PREFIX isn't specified in
    shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
 
-5) An updated bogons file is included in this release.
+7) An updated bogons file is included in this release.
 
-6) In /etc/shorewall/rules and in action files generated from
+7) In /etc/shorewall/rules and in action files generated from
    /usr/share/shorewall/action.template, rules that perform logging can
    specify an optional "log tag". A log tag is a string of alphanumeric
    characters and is specified by following the log level with ":" and
@@ -90,7 +118,7 @@ New Features:
    characters; if a larger prefix is generated, Shorewall will issue a
    warning message and will truncate the prefix to 29 characters.
 
- 7) A new "-q" option has been added to /sbin/shorewall commands. It
+ 8) A new "-q" option has been added to /sbin/shorewall commands. It
     causes the start, restart, check and refresh commands to produce
     much less output so that warning messages are more visible (when
     testing this change, I discovered a bug where a bogus warning

Shorewall2/shorewall

@@ -549,6 +549,7 @@ usage() # $1 = exit status
     echo "   reject <address> ..."
     echo "   reset"
     echo "   restart"
+    echo "   restore"
     echo "   save"
     echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
     echo "   start"
@@ -588,6 +589,8 @@ fi
 SHOREWALL_DIR=
 QUIET=
 IPT_OPTIONS="-nv"
+FAST=
+
 done=0
 
 while [ $done -eq 0 ]; do
@@ -624,6 +627,10 @@ while [ $done -eq 0 ]; do
 			QUIET=Yes
 			option=${option#q}
 			;;
+		    f*)
+			FAST=Yes
+			option=${option#f}
+			;;
 		    *)
 			usage 1
 			;;
@@ -719,7 +726,18 @@ case $(echo -n "Testing") in
 esac
 
 case "$1" in
-    start|stop|restart|reset|clear|refresh|check)
+    start)
+	[ $# -ne 1 ] && usage 1
+	get_config
+	if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
+	    echo Restoring Shorewall...
+	    . /var/lib/shorewall/restore
+            echo Shorewall restored
+	else
+	    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
+	fi
+	;;
+    stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
 	get_config
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@@ -937,11 +955,16 @@ case "$1" in
     	[ -n "$debugging" ] && set -x
 	[ $# -ne 1 ] && usage 1
 	mutex_on
+
 	if qt iptables -L shorewall -n; then
 	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
 
 	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
 		echo "Dynamic Rules Saved"
+		if iptables-save > /var/lib/shorewall/iptsave; then
+		    mv -f /var/lib/shorewall/restore-new /var/lib/shorewall/restore
+		    echo "Last Started Configuration Saved"
+		fi
 	    else
 		echo "Error Saving the Dynamic Rules"
 	    fi
@@ -985,6 +1008,16 @@ case "$1" in
 		;;
 	esac
 	;;
+    restore)
+	if [ -f /var/lib/shorewall/restore ]; then
+	    echo Restoring Shorewall...
+	    . /var/lib/shorewall/restore
+            echo Shorewall restored
+	else
+	    echo "File /var/lib/shorewall/restore: file not found"
+            exit 2
+        fi
+        ;;
     call) 
     	[ -n "$debugging" ] && set -x
 	#