More save fixes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1299 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/firewall

@@ -107,6 +107,30 @@ save_command()
     echo "$@" >> /var/lib/shorewall/restore-$$
 }
 
+#
+# Save the passed command in the restore script then run it -- returns the status of the command
+# If the command involves file redirection then it must be enclosed in quotes as in:
+#
+#     run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
+#
+run_and_save_command() 
+{
+    echo "$@" >> /var/lib/shorewall/restore-$$
+    eval $*
+}
+
+#
+# Run the passed command and if it succeeds, save it in the restore script. If it fails, stop the firewall and die
+#
+ensure_and_save_command() 
+{
+    if eval $* ; then
+	echo "$@" >> /var/lib/shorewall/restore-$$
+    else
+	[ -z "$stopping" ] && { stop_firewall; exit 2; }
+    fi
+}
+    
 #
 # Append a file to /var/lib/shorewall/restore-$$
 #
@@ -1155,13 +1179,11 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 setup_forwarding() {
     case "$IP_FORWARDING" in
     [Oo][Nn])
-	echo 1 > /proc/sys/net/ipv4/ip_forward
+	run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
-	save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
 	echo "IP Forwarding Enabled"
 	;;
     [Oo][Ff][Ff])
-	echo 0 > /proc/sys/net/ipv4/ip_forward
+	run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
-	save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
 	echo "IP Forwarding Disabled!"
 	;;
     esac
@@ -1594,19 +1616,14 @@ setup_proxy_arp() {
 	esac
 
 	if [ -z "$haveroute" ]; then
-	    run_ip route replace $address dev $interface
+	    ensure_and_save_command ip route replace $address dev $interface
-	    save_command ip route replace $address dev $interface
 	    [ -n "$persistent" ] && haveroute=yes
 	fi
 
-	run_arp -i $external -Ds $address $external pub
+	ensure_and_save_command arp -i $external -Ds $address $external pub
 
-	echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
+	run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-	echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
+	run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp"
-
-	save_command arp -i $external -Ds $address $external pub
-	save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-	save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp"
 
 	echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
 
@@ -1821,8 +1838,7 @@ setup_nat() {
 	iface=${interface%:*}
 
 	if [ -n "$ADD_IP_ALIASES" ]; then
-	    qt ip addr del $external dev $iface
+	    run_and_save_command qt ip addr del $external dev $iface
-	    save_command qt ip addr del $external dev $iface
 	fi
 
 	if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then
@@ -2071,6 +2087,7 @@ setup_tc1() {
     run_iptables -t mangle -A OUTPUT     -j tcout
 
     run_user_exit tcstart
+    save_command . $(find_file tcstart)
 
 }
 
@@ -2088,8 +2105,9 @@ delete_tc()
 {
 
     clear_one_tc() {
-	tc qdisc del dev $1 root    2> /dev/null
+	run_and_save_command "tc qdisc del dev $1 root 2> /dev/null"
-	tc qdisc del dev $1 ingress 2> /dev/null
+	run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" 
+
     }
 
     run_user_exit tcclear
@@ -4435,8 +4453,7 @@ add_ip_aliases()
     do_one()
     {
 	val=$(address_details)
-	run_ip addr add ${external}${val} dev $interface $label
+	ensure_and_save_command ip addr add ${external}${val} dev $interface $label
-	save_command ip addr add ${external}${val} dev $interface $label
 	echo "$external $interface" >> ${STATEDIR}/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
@@ -4936,8 +4953,7 @@ add_common_rules() {
     # ARP Filtering
     #
     for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
-	echo 0 > $f
+	run_and_save_command "echo 0 > $f"
-	save_command "echo 0 > $f"
     done
 
     interfaces=$(find_interfaces_by_option arp_filter)
@@ -4948,8 +4964,7 @@ add_common_rules() {
 	for interface in $interfaces; do
 	    file=/proc/sys/net/ipv4/conf/$interface/arp_filter
 	    if [ -f $file ]; then
-		echo 1 > $file
+		run_and_save_command "echo 1 > $file"
-		save_command "echo 1 > $file"
 	    else
 		error_message \
 		    "Warning: Cannot set ARP filtering on $interface"
@@ -4965,31 +4980,26 @@ add_common_rules() {
 	echo "Setting up Kernel Route Filtering..."
 
 	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
-	    echo 0 > $f
+	    run_and_save_command "echo 0 > $f"
-	    save_command "echo 0 > $f"
 	done
 
 	for interface in $interfaces; do
 	    file=/proc/sys/net/ipv4/conf/$interface/rp_filter
 	    if [ -f $file ]; then
-		echo 1 > $file
+		run_and_save_command "echo 1 > $file"
-		save_command "echo 1 > $file"
 	    else
 		error_message \
 		    "Warning: Cannot set route filtering on $interface"
 	    fi
 	done
 	
-	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
-	save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
 
 	if [ -n "$ROUTE_FILTER" ]; then
-	    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+	    run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
-	    save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
 	fi
 
-	run_ip route flush cache
+	run_and_save_command ip route flush cache
-	save_command ip route flush cache
     fi
 
     if [ -n "$DYNAMIC_ZONES" ]; then

Shorewall2/masq

@@ -94,6 +94,6 @@
 #
 #			eth0:0	192.168.1.0/24	206.124.146.176
 #
-##############################################################################
+###############################################################################
-#INTERFACE	        SUBNET		ADDRESS
+#INTERFACE	        SUBNET		ADDRESS		PROTO		PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall2/releasenotes.txt

@@ -15,7 +15,46 @@ Problems Corrected since 2.0.1
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
 
-1) Dynamic Zone support.
+1) Extension Scripts
+
+   In order for extension scripts to work properly with the new
+   iptables-save/restore integration (see New Feature 1 below), some
+   change may be required to your extension scripts.
+
+   If your extension scripts are executing commands other than iptables
+   then those commands must also be written to the restore file (a
+   temporary file in /var/lib/shorewall that is renamed
+   /var/lib/shorewall/restore-base at the end of the operation).
+
+   The following functions should be of help:
+
+   A. save_command() -- saves the passed command to the restore file.
+
+   Example:
+
+      save_command echo Operation Complete
+
+   That command would simple write "echo Operation Complete" to the
+   restore file.
+
+   B. run_and_save_command() -- saves the passed command to the restore
+   file then executes it. The return value is the exit status of the
+   command.
+
+   Example: 
+
+      run_and_save "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
+
+   Note that as in this example, when the command involves file
+   redirection then the entire command must be enclosed in quotes. This
+   applies to all of the functions described here.
+
+   C. ensure_and_save_command() -- runs the passed command. If the
+   command fails, the firewall is restored to it's prior saved state
+   and the operation is terminated. If the command succeeds, the
+   command is written to the restore file.
+
+2) Dynamic Zone support.
 
    If you don't need to use the "shorewall add" and "shorewall delete"
    commands, you should set DYNAMIC_ZONES=No in