diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1656b4310..e02268f9b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -248,6 +248,7 @@ our %EXPORT_TAGS = (
preview_netfilter_load
create_chainlist_reload
create_stop_load
+ initialize_switches
%targets
%dscpmap
%nfobjects
@@ -603,6 +604,8 @@ my %isocodes;
use constant { ISODIR => '/usr/share/xt_geoip/LE' };
+my %switches;
+
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
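Review bot: The new `%switches` declaration carries no comment on what it holds, and the value shape is only discoverable from the bookkeeping in do_condition() much further down the file. A one-line comment above `my %switches;` would spare the reader that search: `# Switches given an explicit =0/=1 initializer: name => { setting => 0|1, where => line info of the first occurrence }`. Mentioning that it is consumed by initialize_switches() to emit the start-time writes would also help.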
@@ -663,6 +666,7 @@ sub initialize( $$$ ) {
%isocodes = ();
%nfobjects = ();
+ %switches = ();
#
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -4644,6 +4648,10 @@ sub do_condition( $$ ) {
my $invert = $condition =~ s/^!// ? '! ' : '';
+ my $initialize;
+
+ $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
+
require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
if ( $condition =~ /@/ ) {
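Review bot: The `=0`/`=1` suffix is stripped by `s/(?:=([01]))?$//` before the `@` test, but the `%switches` bookkeeping that acts on `$initialize` lives in the later code path; if the `@` branch returns on its own (its body is outside this hunk), an initializer on such a switch is silently accepted and dropped. Either reject the suffix in that branch with a `fatal_error`, or move the strip after it so the two cases cannot diverge. A smaller point: `$` also matches before a trailing newline, so `\z` is the stricter anchor here, e.g. `$initialize = $1 if $condition =~ s/(?:=([01]))?\z//;`. do_condition() starts before this hunk.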
@@ -4653,7 +4661,16 @@ sub do_condition( $$ ) {
fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
+ if ( defined $initialize ) {
+ if ( my $switchref = $switches{$condition} ) {
+ fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
+ } else {
+ $switches{$condition} = { setting => $initialize, where => currentlineinfo };
+ }
+ }
+
"-m condition ${invert}--condition $condition "
+
}
#
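Review bot: The new initializer handling in do_condition() is undocumented; a short comment above the `if ( defined $initialize )` block would state the contract: `# An optional =0/=1 suffix records the switch's start-time setting; a second initializer for the same switch must agree or compilation fails.` Note that the `%switches` entry is only created after the name has passed the `^[a-zA-Z][-\w]*$` / length check, which is what keeps the later `/proc/net/nf_condition/$switch` path free of `/` and `..` — worth a line saying so, since initialize_switches() relies on it without re-validating. The comparison `$switchref->{setting} == $initialize` is numeric on the captured '0'/'1' strings, which is correct but `eq` would read more naturally given both sides are single characters. do_condition() begins before this hunk.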
@@ -7464,4 +7481,16 @@ sub create_stop_load( $ ) {
}
+sub initialize_switches() {
+ if ( keys %switches ) {
+ emit( ' if [ $COMMAND = start ]; then' );
+ push_indent;
+ while ( my ( $switch, $setting ) = each %switches ) {
+ emit " echo $setting->{setting} > /proc/net/nf_condition/$switch";
+ }
+ pop_indent;
+ emit " fi\n";
+ }
+}
+
1;
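Review bot: initialize_switches() iterates `each %switches`, so the order of the emitted `echo` lines changes between compiles under Perl's hash randomization, making the generated script non-reproducible for no benefit; iterate `for my $switch ( sort keys %switches ) { emit " echo $switches{$switch}{setting} > /proc/net/nf_condition/$switch"; }` instead. The write itself is unchecked: if the xt_condition module is not loaded, or the proc entry for that switch does not yet exist when this runs, the shell prints an error and continues, leaving the switch in whatever state it had. Consider guarding the redirect or reporting the failure through the script's existing error helper, and add a header comment naming that the writes happen only on `start` so the retained-over-restart behavior the manpages describe is visible in code.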
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index efa8697ec..ec8cf9e7c 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -487,6 +487,7 @@ EOF
emit<<"EOF";
conditionally_flush_conntrack
EOF
+ initialize_switches;
setup_forwarding( $family , 0 );
emit<<"EOF";
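Review bot: The `/proc/net/nf_condition/<name>` entries are created by the kernel only once a rule referencing that condition has been loaded, so the placement of `initialize_switches;` relative to the ruleset load decides whether the emitted `echo` writes succeed; I cannot tell from this hunk whether this point in the script is after the netfilter load. If it is not, the initializers silently fail with a shell redirect error. A comment at the call site stating the ordering requirement, e.g. `# Must follow the ruleset load: nf_condition proc entries exist only after a rule names the switch`, would make the dependency explicit. The enclosing subroutine starts and ends outside this hunk.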
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ddd36ae48..c32b4b5a3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw(
warning_message
fatal_error
assert
+ currentlineinfo
progress_message
progress_message_nocompress
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 949bb954a..62522ce26 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -386,7 +386,7 @@
SWITCH -
- [!]switch-name
+ [!]switch-name[={0|1}]
Added in Shorewall 4.5.10 and allows enabling and disabling
@@ -419,6 +419,11 @@
Switch settings are retained over shorewall
restart.
+
+ When the switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the start command. Other
+ commands do not affect the switch setting.
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index 536bc184f..25479a248 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -461,7 +461,7 @@
SWITCH -
- [!]switch-name
+ [!]switch-name[={0|1}]
Added in Shorewall 4.5.1 and allows enabling and disabling the
@@ -493,6 +493,12 @@
Switch settings are retained over shorewall
restart.
+
+ Beginning with Shoreawll 4.5.10, when the
+ switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the start command. Other
+ commands do not affect the switch setting.
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 3302dec49..6319a2357 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1369,7 +1369,7 @@
SWITCH -
- [!]switch-name
+ [!]switch-name[={0|1}]
Added in Shorewall 4.4.24 and allows enabling and disabling
@@ -1402,6 +1402,12 @@
Switch settings are retained over shorewall
restart.
+
+ Beginning with Shoreawll 4.5.10, when the
+ switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the start command. Other
+ commands do not affect the switch setting.
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index 1d44b13df..3b41144f6 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -282,7 +282,7 @@
SWITCH -
- [!]switch-name
+ [!]switch-name[={0|1}]
Added in Shorewall6 4.5.10 and allows enabling and disabling
@@ -315,6 +315,11 @@
Switch settings are retained over shorewall6
restart.
+
+ When the switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the start command. Other
+ commands do not affect the switch setting.
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index cd381cb75..682e6ea0f 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -1244,7 +1244,7 @@
SWITCH -
- [!]switch-name
+ [!]switch-name[={0|1}]
Added in Shorewall6 4.4.24 and allows enabling and disabling
@@ -1277,6 +1277,12 @@
Switch settings are retained over shorewall6
restart.
+
+ Beginning with Shoreawll 4.5.10, when the
+ switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the start command. Other
+ commands do not affect the switch setting.