Minor cleanup of generated commands

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4769 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-27 10:03:41 +01:00 · 2006-10-31 00:41:32 +00:00 · 2006-10-31 00:41:32 +00:00 · ca04149c07
commit ca04149c07
parent 63ab99a28e
4 changed files with 69 additions and 58 deletions
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -783,40 +783,44 @@ setup_ecn() # $1 = file name

    strip_file ecn $1

-    progress_message2 "$DOING $1..."
+    if [ -s ${TMP_DIR}/ecn ]; then
+	save_progress_message "Setting up ECN..."

-    while read interface host; do
-	expandv interface host
-	list_search  $interface $ALL_INTERFACES || \
-	    fatal_error "Unknown interface $interface"
-	list_search $interface $interfaces || \
-	    interfaces="$interfaces $interface"
-	[ "x$host" = "x-" ] && host=
-	for h in $(separate_list ${host:-0.0.0.0/0}); do
-	    hosts="$hosts $interface:$h"
-	done
-    done < $TMP_DIR/ecn
+	progress_message2 "$DOING $1..."

-    if [ -n "$interfaces" ]; then
-	progress_message "$DOING ECN control on${interfaces}..."
+	while read interface host; do
+	    expandv interface host
+	    list_search  $interface $ALL_INTERFACES || \
+		fatal_error "Unknown interface $interface"
+	    list_search $interface $interfaces || \
+		interfaces="$interfaces $interface"
+	    [ "x$host" = "x-" ] && host=
+	    for h in $(separate_list ${host:-0.0.0.0/0}); do
+		hosts="$hosts $interface:$h"
+	    done
+	done < $TMP_DIR/ecn

-	for interface in $interfaces; do
-	    chain=$(ecn_chain $interface)
-	    if havemanglechain $chain; then
-		flushmangle $chain
-	    else
-		createmanglechain $chain
-		run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
-		run_iptables -t mangle -A OUTPUT      -p tcp -o $interface -j $chain
-	    fi
-	done
-
-	for host in $hosts; do
-	    interface=${host%:*}
-	    h=${host#*:}
-	    run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
-	    progress_message_and_save "   ECN Disabled to $h through $interface"
-	done
+	if [ -n "$interfaces" ]; then
+	    progress_message "$DOING ECN control on${interfaces}..."
+	    
+	    for interface in $interfaces; do
+		chain=$(ecn_chain $interface)
+		    if havemanglechain $chain; then
+			flushmangle $chain
+		    else
+			createmanglechain $chain
+			run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
+			run_iptables -t mangle -A OUTPUT      -p tcp -o $interface -j $chain
+		    fi
+	    done
+	    
+	    for host in $hosts; do
+		interface=${host%:*}
+		h=${host#*:}
+		run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
+		    progress_message_and_save "   ECN Disabled to $h through $interface"
+	    done
+	fi
    fi
 }

@ -872,6 +876,8 @@ setup_tc1() {
    # Process the TC Rules File
    #
    if strip_file_and_lib_load tcrules tcrules; then
+	save_progress_message "Setting up TC Rules..."
+
 	while read mark sources dests proto ports sports user testval length tos; do
 	    expandv mark sources dests proto ports sports user testval length tos
 	    if [ "x$mark" = xCOMMENT ]; then
@ -1062,7 +1068,6 @@ compile_refresh_firewall()
    ecn=$(find_file ecn)

    if [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ]; then
-	save_progress_message "Refreshing ECN"
 	setup_ecn $ecn
    fi
    #
@ -3118,6 +3123,8 @@ process_tos() # $1 = name of tos file

    if [ -s $TMP_DIR/tos ] ; then
 	
+	save_progress_message "Setting up TOS..."
+
 	progress_message2 "$DOING $1..."

 	createmanglechain $chain
@ -5449,8 +5456,6 @@ __EOF__

    setup_syn_flood_chains

-    save_progress_message "Setting up IPSEC management..."
-
    setup_ipsec

    maclist_hosts=$(find_hosts_by_option maclist)
@ -5502,18 +5507,11 @@ __EOF__

    if [ -n "$MANGLE_ENABLED" ]; then
 	tos=$(find_file tos)
-	if [ -f $tos ]; then
-	    save_progress_message "Setting up TOS..."
-	    process_tos $tos
-	fi
+	[ -f $tos ] && process_tos $tos

 	ecn=$(find_file ecn)
-	if [ -f $ecn ]; then
-	    save_progress_message "Setting up ECN..."
-	    setup_ecn $ecn
-	fi
+	[ -f $ecn ] && setup_ecn $ecn

-	save_progress_message "Setting up TC Rules..."
 	setup_tc
    fi

--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@ -505,12 +505,16 @@ setup_ipsec() {
 	zones)
 	    f=zones
 	    progress_message2 "$DOING IPSEC..."
+	    [ -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..."
 	    ;;
 	*)
 	    f=$IPSECFILE
 	    strip_file $f
-	    progress_message2 "$DOING $f..."
 	    using_ipsec=Yes
+	    if [ -s ${TMP_DIR}/$f ]; then
+		progress_message2 "$DOING $f..."
+		save_progress_message "Setting up IPSEC management..."
+	    fi
 	    ;;
    esac

--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@ -227,20 +227,19 @@ setup_mac_lists() # $1 = Phase Number
 		if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
 		    indent >&3 << __EOF__

-blob=\$(ip link show $interface 2> /dev/null)
+if interface_is_up $interface && [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then
+    ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
+        address=\${address%/*}
+        if [ -n "\$broadcast" ]; then
+            run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
+        fi

-[ -z "\$blob" ] && \
+        run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 255.255.255.255 -j RETURN
+        run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 224.0.0.0/4     -j RETURN
+    done
+else
    fatal_error "Interface $interface must be up before Shorewall can start"
-
-ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
-    address=\${address%/*}
-    if [ -n "\$broadcast" ]; then
-        run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
-    fi
-
-    run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 255.255.255.255 -j RETURN
-    run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 224.0.0.0/4     -j RETURN
-done
+fi

 __EOF__
 		fi
--- a/Shorewall/lib.providers
+++ b/Shorewall/lib.providers
@ -325,14 +325,20 @@ __EOF__
    INDENT="$INDENT    "
    indent >&3 << __EOF__
 #
-# Undo any changes made the last time that we [re]started
+# Undo any changes made since the last time that we [re]started -- this will not restore the default route
 #
 undo_routing
 #
-# Save current routing state so that it can be restored later
+# Save current routing table database so that it can be restored later
 #
 cp /etc/iproute2/rt_tables \${VARDIR}/
+#
+# Capture the default route(s) if we don't have it (them) already.
+#
 [ -f \${VARDIR}/default_route ] || ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
+#
+# Initialize the file that holds 'undo' commands
+#
 > \${VARDIR}/undo_routing
 __EOF__
    save_progress_message "Adding Providers..."
@ -353,9 +359,13 @@ __EOF__
 	    save_command "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\""
 	    save_command "else"
 	    save_command "    error_message \"WARNING: No Default route added (all 'balance' providers are down)\""
+	    save_command "    restore_default_route"
 	    save_command "fi"
 	    save_command
 	else
+	    save_command "#"
+	    save_command "# We don't have any 'balance' providers so we retore any default route that we've saved"
+	    save_command "#"
 	    save_command restore_default_route
 	fi