RESTORE_WAIT_OPTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-02-02 10:59:27 +01:00 · 2017-08-13 17:53:59 -07:00 · 2017-08-13 17:53:59 -07:00 · 7e3521e221
commit 7e3521e221
parent 0603f8e355
3 changed files with 38 additions and 9 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50105
+SHOREWALL_CAPVERSION=50106

 if [ -z "$g_basedir" ]; then
    #
@ -2804,6 +2804,7 @@ determine_capabilities() {
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@ -2827,9 +2828,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
    fi

    chain=fooX$$
@ -3299,9 +3302,11 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@ -3417,6 +3422,7 @@ report_capabilities_unsorted1() {
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -8913,9 +8913,15 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	  '    option="--counters"',
-	  '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
+
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait"' );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@ -8923,7 +8929,11 @@ sub create_netfilter_load( $ ) {

    push_indent;

-    emit 'option=';
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait"';
+    } else {
+	emit 'option=';
+    }

    save_progress_message "Preparing $utility input...";

@ -9338,7 +9348,11 @@ sub create_stop_load( $ ) {

    enter_cmd_mode;

-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' --wait' );
+    } else {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }

    emit( '',
 	  'progress_message2 "Running $command..."',
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -414,7 +414,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
                 NFLOG_SIZE      => '--nflog-size support',
-
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@ -752,7 +753,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.1.5-RC1",
-		    CAPVERSION              => 50105 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@ -1046,6 +1047,7 @@ sub initialize( $;$$) {
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@ -4948,6 +4950,10 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }

+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@ -5028,6 +5034,7 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@ -5195,6 +5202,8 @@ sub determine_capabilities() {
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';