Integrate iptables-save/iptables-restore

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1286 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-04-29 03:27:47 +00:00
parent 6e51b83380
commit 53fb6f1b4c
7 changed files with 126 additions and 15 deletions


@ -28,3 +28,6 @@ Changes since 2.0.1
13) Fix init.debian.sh.
14) Implement the -q option.
15) Add saved configuration support (iptables-save/iptables-restore
integration).


@ -99,6 +99,14 @@ report () { # $* = message
logger "$@"
}
#
# Write the passed args to /var/lib/shorewall/restore-$$
#
save_command()
{
echo "$@" >> /var/lib/shorewall/restore-$$
}
#
# Run iptables and if an error occurs, stop the firewall and quit
#
@ -509,6 +517,7 @@ match_dest_hosts()
echo -d $1
fi
}
#
# Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
@ -1152,9 +1161,9 @@ setup_forwarding() {
#
disable_ipv6() {
if qt which ip6tables; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
@ -1176,6 +1185,14 @@ stop_firewall() {
;;
*)
set +x
if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
my_mutex_off
kill $$
exit 2
fi
;;
esac
@ -1563,6 +1580,7 @@ setup_proxy_arp() {
if [ -z "$haveroute" ]; then
run_ip route replace $address dev $interface
save_command ip route replace $address dev $interface
[ -n "$persistent" ] && haveroute=yes
fi
@ -1571,6 +1589,10 @@ setup_proxy_arp() {
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
save_command arp -i $external -Ds $address $external pub
eval save_command echo 1 '\>' /proc/sys/net/ipv4/conf/$interface/proxy_arp
eval save_command echo 0 '\>' /proc/sys/net/ipv4/conf/$external/proxy_arp
echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
progress_message " Host $address connected to $interface added to ARP on $external"
@ -1784,6 +1806,7 @@ setup_nat() {
if [ -n "$ADD_IP_ALIASES" ]; then
qt ip addr del $external dev $iface
save_command qt ip addr del $external dev $iface
fi
if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then
@ -4055,6 +4078,7 @@ setup_masq()
for address in $(separate_list $addresses); do
for addr in $(ip_range_explicit $address) ; do
if ! list_search $addr $aliases_to_add; then
save_command qt ip addr del $addr dev $interface
aliases_to_add="$aliases_to_add $addr $fullinterface"
case $fullinterface in
*:*)
@ -4383,6 +4407,7 @@ add_ip_aliases()
{
val=$(address_details)
run_ip addr add ${external}${val} dev $interface $label
save_command ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label"
progress_message " IP Address $external added to interface $interface $label"
@ -4925,6 +4950,7 @@ add_common_rules() {
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache
save_command ip route flush cache
fi
if [ -n "$DYNAMIC_ZONES" ]; then
@ -5309,6 +5335,12 @@ define_firewall() # $1 = Command (Start or Restart)
report "Shorewall ${1}ed"
rm -rf $TMP_DIR
save_command "iptables-restore < /var/lib/shorewall/iptsave"
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-new
chmod +x /var/lib/shorewall/restore-new
}
#
@ -5908,6 +5940,9 @@ do_initialize() {
fi
rm -f $TMP_DIR/physdev
echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
}
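Review bot: The restore-script header written in do_initialize is malformed: `echo '#bin/sh' > /var/lib/shorewall/restore-$$` is missing the `!`, so the file that define_firewall later marks with `chmod +x` cannot be executed directly; it should be `echo '#!/bin/sh' > /var/lib/shorewall/restore-$$` (today the file is only ever sourced with `.`, which hides the typo). A second concern is that save_command serialises its arguments with a bare `echo "$@"`, so quoting is lost and whatever ends up in $address, $interface or $label from the configuration files is re-parsed by the shell when root sources the restore file; the values come from root-owned config, so this is a robustness rather than a trust-boundary issue, but an argument containing shell metacharacters would silently change meaning on restore. Finally, nothing visible deletes /var/lib/shorewall/restore-$$ when start fails before define_firewall's `mv -f`; if the fatal-error path does not remove it, stale per-PID files will accumulate in /var/lib/shorewall — worth confirming. save_command and do_initialize are shown in full, but define_firewall and stop_firewall start outside their hunks.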
#


@ -185,6 +185,12 @@ restart)
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
Restore)
echo "restore: restore
Restore Shorewall to it's last state saved using the 'save' command
Existing connections are maintained.
;;
save)
echo "save: save
The dynamic data is stored in /var/lib/shorewall/save
@ -215,11 +221,12 @@ show)
;;
start)
echo "start: [ -q ] [ -c <configuration-directory> ] start
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
If \"-f\" is specified, the last saved configuraton if any will be restored"
;;
stop)
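Review bot: The new `Restore)` label in the help case statement is capitalised while every other label here (`save)`, `start)`, `stop)`) is lowercase, so a lookup for `restore` will not match this arm; it should be `restore)`. The string it echoes is also never closed in the hunk — `Existing connections are maintained.` has no trailing `"`, unlike the `start` text which ends its last line with `"`, so the quote would run on through `;;` into the following arms; end the line as `Existing connections are maintained."`. Two typos in the new text: `it's last state` should be `its last state`, and `configuraton` should be `configuration`.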


@ -83,7 +83,7 @@ wait_for_pppd () {
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone
$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}


@ -62,7 +62,12 @@ command="$1"
case "$command" in
stop|start|restart|status)
start)
exec /sbin/shorewall -f start
;;
stop|restart|status)
exec /sbin/shorewall $@
;;


@ -23,12 +23,40 @@ Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
New Features:
1) The previous implementation of dynamic zones was difficult to
1) Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and
restart. The elements of this integration are as follows:
a) The 'shorewall save' command now saved the current configuration
in addition to the current dynamic blacklist. If you have
dynamic zones, you will want to issue 'shorewall save' when the
zones are empty or the current contents of the zones will be
restored by the 'shorewall restore' and 'shorewall -f start'
commands.
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there
is no saved configuration, a normal 'shorewall start' is
performed.
d) The /etc/init.d/shorewall script now translates the 'start'
command into 'shorewall -f start' so that fast restart is
possible.
WARNING: iptables 1.2.9 is broken with respect to iptables-save;
you must patch iptables with the iptables patch availale from the
Shorewall errata page.
2) The previous implementation of dynamic zones was difficult to
maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.
2) In earlier Shorewall 2.0 releases, Shorewall searches in order the
3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
following directories for configuration files.
a) The directory specified in a 'try' command or specified using
@ -60,19 +88,19 @@ New Features:
/usr/share/shorewall/configpath. You can customize this file to
have a default that differs from mine.
3) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
would only take effect if the ALL INTERFACES column also contained
Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.
4) The folks at Mandrake have created yet another kernel module
5) The folks at Mandrake have created yet another kernel module
naming convention (module names end in "ko.gz"). As a consequence,
beginning with this release, if MODULE_PREFIX isn't specified in
shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
5) An updated bogons file is included in this release.
7) An updated bogons file is included in this release.
6) In /etc/shorewall/rules and in action files generated from
7) In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and
@ -90,7 +118,7 @@ New Features:
characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters.
7) A new "-q" option has been added to /sbin/shorewall commands. It
8) A new "-q" option has been added to /sbin/shorewall commands. It
causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible (when
testing this change, I discovered a bug where a bogus warning


@ -549,6 +549,7 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " restore"
echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
@ -588,6 +589,8 @@ fi
SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
done=0
while [ $done -eq 0 ]; do
@ -624,6 +627,10 @@ while [ $done -eq 0 ]; do
QUIET=Yes
option=${option#q}
;;
f*)
FAST=Yes
option=${option#f}
;;
*)
usage 1
;;
@ -719,7 +726,18 @@ case $(echo -n "Testing") in
esac
case "$1" in
start|stop|restart|reset|clear|refresh|check)
start)
[ $# -ne 1 ] && usage 1
get_config
if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@ -937,11 +955,16 @@ case "$1" in
[ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
if iptables-save > /var/lib/shorewall/iptsave; then
mv -f /var/lib/shorewall/restore-new /var/lib/shorewall/restore
echo "Last Started Configuration Saved"
fi
else
echo "Error Saving the Dynamic Rules"
fi
@ -985,6 +1008,16 @@ case "$1" in
;;
esac
;;
restore)
if [ -f /var/lib/shorewall/restore ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
else
echo "File /var/lib/shorewall/restore: file not found"
exit 2
fi
;;
call)
[ -n "$debugging" ] && set -x
#
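Review bot: The new `start)` arm restores the saved configuration whenever /var/lib/shorewall/restore and iptsave exist, but it never consults the `FAST` flag that the new `f*)` option sets, so a plain `shorewall start` also takes the restore path, contrary to the help text and release notes that describe restore as the `-f` behaviour; the condition should read `if [ -n "$FAST" -a -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then`. The `restore)` arm is also inconsistent with its siblings: it has no `[ $# -ne 1 ] && usage 1` argument check, does not take `mutex_on` before sourcing the restore file (unlike `save`, which holds the mutex while writing it), and checks only for the restore file although the script it sources runs `iptables-restore < /var/lib/shorewall/iptsave`, so a missing iptsave fails part-way through the restore rather than up front. In the `save` arm, `iptables-save > /var/lib/shorewall/iptsave` truncates iptsave before iptables-save runs, so a failure leaves an empty or partial iptsave beside the previous restore file; writing to a temporary name and renaming on success would keep the pair consistent. The enclosing `case "$1" in` block continues outside the hunk.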