More RTC changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9336 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0d87cecbad
commit
88c57231ac
@ -318,43 +318,45 @@ EOF
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ "$RESTOREFILE" = NONE ]; then
|
if [ -z "$RTCONLY" ]; then
|
||||||
COMMAND=clear
|
if [ "$RESTOREFILE" = NONE ]; then
|
||||||
clear_firewall
|
COMMAND=clear
|
||||||
echo "$PRODUCT Cleared"
|
clear_firewall
|
||||||
|
echo "$PRODUCT Cleared"
|
||||||
kill $$
|
|
||||||
exit 2
|
|
||||||
else
|
|
||||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
|
||||||
|
|
||||||
if [ -x $RESTOREPATH ]; then
|
|
||||||
|
|
||||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
|
||||||
progress_message2 Restoring Ipsets...
|
|
||||||
#
|
|
||||||
# We must purge iptables to be sure that there are no
|
|
||||||
# references to ipsets
|
|
||||||
#
|
|
||||||
for table in mangle nat filter; do
|
|
||||||
do_iptables -t $table -F
|
|
||||||
do_iptables -t $table -X
|
|
||||||
done
|
|
||||||
|
|
||||||
${RESTOREPATH}-ipsets
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo Restoring ${PRODUCT:=Shorewall}...
|
|
||||||
|
|
||||||
if $RESTOREPATH restore; then
|
|
||||||
echo "$PRODUCT restored from $RESTOREPATH"
|
|
||||||
set_state "Started"
|
|
||||||
else
|
|
||||||
set_state "Unknown"
|
|
||||||
fi
|
|
||||||
|
|
||||||
kill $$
|
kill $$
|
||||||
exit 2
|
exit 2
|
||||||
|
else
|
||||||
|
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||||
|
|
||||||
|
if [ -x $RESTOREPATH ]; then
|
||||||
|
|
||||||
|
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||||
|
progress_message2 Restoring Ipsets...
|
||||||
|
#
|
||||||
|
# We must purge iptables to be sure that there are no
|
||||||
|
# references to ipsets
|
||||||
|
#
|
||||||
|
for table in mangle nat filter; do
|
||||||
|
do_iptables -t $table -F
|
||||||
|
do_iptables -t $table -X
|
||||||
|
done
|
||||||
|
|
||||||
|
${RESTOREPATH}-ipsets
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo Restoring ${PRODUCT:=Shorewall}...
|
||||||
|
|
||||||
|
if $RESTOREPATH restore; then
|
||||||
|
echo "$PRODUCT restored from $RESTOREPATH"
|
||||||
|
set_state "Started"
|
||||||
|
else
|
||||||
|
set_state "Unknown"
|
||||||
|
fi
|
||||||
|
|
||||||
|
kill $$
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -365,66 +367,78 @@ EOF
|
|||||||
STOPPING="Yes"
|
STOPPING="Yes"
|
||||||
|
|
||||||
TERMINATOR=
|
TERMINATOR=
|
||||||
|
EOF
|
||||||
|
emit ' if [ -n "$RTCONLY" ]; then';
|
||||||
|
|
||||||
deletechain shorewall
|
push_indent;
|
||||||
|
emit( ' delete_tc1' ) if $config{CLEAR_TC};
|
||||||
|
|
||||||
run_stop_exit
|
emit( ' undo_routing',
|
||||||
|
' restore_default_route'
|
||||||
|
);
|
||||||
|
pop_indent;
|
||||||
|
emit <<'EOF';
|
||||||
|
else
|
||||||
|
deletechain shorewall
|
||||||
|
|
||||||
|
run_stop_exit
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
run_iptables -t mangle -F
|
run_iptables -t mangle -F
|
||||||
run_iptables -t mangle -X
|
run_iptables -t mangle -X
|
||||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||||
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
||||||
done
|
done
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $capabilities{RAW_TABLE} ) {
|
if ( $capabilities{RAW_TABLE} ) {
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
run_iptables -t raw -F
|
run_iptables -t raw -F
|
||||||
run_iptables -t raw -X
|
run_iptables -t raw -X
|
||||||
for chain in PREROUTING OUTPUT; do
|
for chain in PREROUTING OUTPUT; do
|
||||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||||
done
|
done
|
||||||
EOF
|
EOF
|
||||||
} else {
|
} else {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
run_iptables -t raw -F
|
run_iptables -t raw -F
|
||||||
run_iptables -t raw -X
|
run_iptables -t raw -X
|
||||||
for chain in PREROUTING OUTPUT; do
|
for chain in PREROUTING OUTPUT; do
|
||||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
||||||
done
|
done
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $capabilities{NAT_ENABLED} ) {
|
if ( $capabilities{NAT_ENABLED} ) {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
delete_nat
|
delete_nat
|
||||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||||
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
||||||
done
|
done
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
if [ -f ${VARDIR}/proxyarp ]; then
|
if [ -f ${VARDIR}/proxyarp ]; then
|
||||||
while read address interface external haveroute; do
|
while read address interface external haveroute; do
|
||||||
qt arp -i $external -d $address pub
|
qt arp -i $external -d $address pub
|
||||||
[ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
|
[ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
|
||||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||||
[ -f $f ] && echo 0 > $f
|
[ -f $f ] && echo 0 > $f
|
||||||
done < ${VARDIR}/proxyarp
|
done < ${VARDIR}/proxyarp
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f ${VARDIR}/proxyarp
|
rm -f ${VARDIR}/proxyarp
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
push_indent;
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
emit 'delete_tc1' if $config{CLEAR_TC};
|
emit 'delete_tc1' if $config{CLEAR_TC};
|
||||||
@ -578,12 +592,14 @@ EOF
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
emit 'run_stopped_exit';
|
emit( '',
|
||||||
|
'run_stopped_exit' ,
|
||||||
|
'set_state "Stopped"' );
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
emit '
|
emit ' fi
|
||||||
set_state "Stopped"
|
|
||||||
|
|
||||||
logger -p kern.info "$PRODUCT Stopped"
|
logger -p kern.info "$PRODUCT Stopped"
|
||||||
|
|
||||||
|
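Review bot: In the RTC-only path of the generated stop code no `set_state` is emitted, and the `logger -p kern.info "$PRODUCT Stopped"` line in the third hunk is emitted after the closing `fi`, so a run with `RTCONLY` set logs "Stopped" although only `delete_tc1`, `undo_routing` and `restore_default_route` ran and the firewall rules and state file were left untouched. An operator or log collector reading kern.info would then believe the firewall is down when it is not. Emit the logger line inside the `else` branch instead — for example add `'logger -p kern.info "$PRODUCT Stopped"'` to the `emit( '', 'run_stopped_exit', 'set_state "Stopped"' )` list before the two `pop_indent` calls — and, if the RTC-only path should be audited as well, give it its own distinct message. The same pattern appears in the two `clear_firewall` hunks below, where `logger -p kern.info "$PRODUCT Cleared"` sits after the `fi` that closes `if [ -z "$RTCONLY" ]`. The enclosing subroutine begins before the first hunk and the place where `RTCONLY` is set in the generated script is not visible here.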
@ -20,26 +20,28 @@ delete_proxyarp() {
|
|||||||
clear_firewall() {
|
clear_firewall() {
|
||||||
stop_firewall
|
stop_firewall
|
||||||
|
|
||||||
setpolicy INPUT ACCEPT
|
if [ -z "$RTCONLY" ]; then
|
||||||
setpolicy FORWARD ACCEPT
|
setpolicy INPUT ACCEPT
|
||||||
setpolicy OUTPUT ACCEPT
|
setpolicy FORWARD ACCEPT
|
||||||
|
setpolicy OUTPUT ACCEPT
|
||||||
|
|
||||||
run_iptables -F
|
run_iptables -F
|
||||||
|
|
||||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
if [ -n "$DISABLE_IPV6" ]; then
|
if [ -n "$DISABLE_IPV6" ]; then
|
||||||
if qt mywhich ip6tables; then
|
if qt mywhich ip6tables; then
|
||||||
ip6tables -P INPUT ACCEPT 2> /dev/null
|
ip6tables -P INPUT ACCEPT 2> /dev/null
|
||||||
ip6tables -P OUTPUT ACCEPT 2> /dev/null
|
ip6tables -P OUTPUT ACCEPT 2> /dev/null
|
||||||
ip6tables -P FORWARD ACCEPT 2> /dev/null
|
ip6tables -P FORWARD ACCEPT 2> /dev/null
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
run_clear_exit
|
||||||
|
|
||||||
|
set_state "Cleared"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_clear_exit
|
|
||||||
|
|
||||||
set_state "Cleared"
|
|
||||||
|
|
||||||
logger -p kern.info "$PRODUCT Cleared"
|
logger -p kern.info "$PRODUCT Cleared"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
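Review bot: The new `if [ -z "$RTCONLY" ]` guard in `clear_firewall` skips the policy reset, `run_iptables -F`, `run_clear_exit` and `set_state "Cleared"`, but nothing in the function records what RTC-only mode is meant to leave in place, so a reader cannot tell whether keeping the existing policies and chains is intentional. A short comment above the guard would capture that, e.g. `# RTCONLY: only stop_firewall runs; policies, chains and the state file are left untouched`. Whether `stop_firewall` itself honours `RTCONLY` is not visible in this hunk, so the wording should be checked against it. The IPv6 `clear_firewall` hunk below has the same guard and would take the same comment.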
@ -4,17 +4,19 @@
|
|||||||
clear_firewall() {
|
clear_firewall() {
|
||||||
stop_firewall
|
stop_firewall
|
||||||
|
|
||||||
setpolicy INPUT ACCEPT
|
if [ -z "$RTCONLY" ]; then
|
||||||
setpolicy FORWARD ACCEPT
|
setpolicy INPUT ACCEPT
|
||||||
setpolicy OUTPUT ACCEPT
|
setpolicy FORWARD ACCEPT
|
||||||
|
setpolicy OUTPUT ACCEPT
|
||||||
|
|
||||||
run_iptables -F
|
run_iptables -F
|
||||||
|
|
||||||
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
||||||
|
|
||||||
run_clear_exit
|
run_clear_exit
|
||||||
|
|
||||||
set_state "Cleared"
|
set_state "Cleared"
|
||||||
|
fi
|
||||||
|
|
||||||
logger -p kern.info "$PRODUCT Cleared"
|
logger -p kern.info "$PRODUCT Cleared"
|
||||||
}
|
}
|
||||||
|