From eca8a37f42c6c04d1f26a728cbf85cdc6d41ef64 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 25 Jan 2006 17:33:38 +0000
Subject: [PATCH] Finish implementation of save/restore/forget

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3378 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 53 ++++++++++++++++++++++++++---
 Shorewall/functions | 8 +++++
 Shorewall/prog.footer | 28 ----------------
 Shorewall/shorewall | 77 +++++++++++++++++++++++--------------------
 4 files changed, 99 insertions(+), 67 deletions(-)

diff --git a/Shorewall/compiler b/Shorewall/compiler
index be184138f..19978f397 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -8497,7 +8497,7 @@ __EOF__
 #
 # Start/Restart/Reload the firewall
 #
-define_firewall() {}
+define_firewall() {
 __EOF__
 INDENT=" "
@@ -8593,6 +8593,14 @@ __EOF__
 append_file $file
 done
+ cat >> $OUTPUT << __EOF__
+
+ if [ \$COMMAND = restore ]; then
+ iptables-restore <
+ \$1
+ fi
+
+__EOF__
 save_command "date > /var/lib/shorewall/restarted"
 run_user_exit start
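Review bot: In the restore block emitted into the generated `define_firewall`, the redirection `iptables-restore <` appears to be followed by `\$1` on a separate heredoc line — the hunk's counts (6 context, 8 added) only add up that way — which would leave the compiled script with a dangling `<` and a syntax error in `define_firewall` instead of a working restore; it should be a single line, `iptables-restore < \$1`. The status of iptables-restore is also never checked, so a ruleset that only partly applied still falls through to `run_user_exit started` and the `.restore` copy as though the restore succeeded; something like `iptables-restore < \$1 || exit 2` keeps a failed restore from being recorded as a success. The `\$1` is unquoted, which only holds up while the save-file path has no whitespace. `define_firewall` itself starts and ends outside this hunk.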
@@ -8605,14 +8613,51 @@ __EOF__
 run_user_exit started
- save_command "cp -f \$SCRIPT /var/lib/shorewall/.restore"
+ cat >> $OUTPUT << __EOF__
+
+ cp -f \$(my_pathname) /var/lib/shorewall/.restore
+
+}
+
+#
+# Silently efine Firewall and ignore errors
+#
+restore_firewall()
+{
+ iptables_save_file=/var/lib/shorewall/\$(basename \$0)-iptables
+
+ fatal_error()
+ {
+ echo " ERROR: \$@" >&2
+ }
+
+ startup_error() # \$@ = Error Message
+ {
+ echo " ERROR: \$@" >&2
+ }
+
+ run_iptables() { return 0; }
+
+ VERBOSE=-1
+
+ IPTABLES=run_iptables
+
+ if [ -f \$iptables_save_file ]; then
+ {
+ define_firewall \$iptables_save_file
+ }
+ else
+ fatal_error "\$iptables_save_file does not exist"
+ exit 2
+ fi
+}
+
+__EOF__
 if [ $COMMAND = check ]; then
 echo "Shorewall configuration verified"
 else
 INDENT=
- save_command "}"
- save_command ""
 cat $(find_file prog.header) $OUTPUT $(find_file prog.footer) > $outfile
 chmod 700 $outfile
 progress_message2 "Shorewall configuration compiled to $outfile"
diff --git a/Shorewall/functions b/Shorewall/functions
index 5eef91996..6c5914cb7 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -136,6 +136,14 @@ fix_bang() {
 done
 }

+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+ cd $(dirname $0)
+ echo $PWD/$(basename $0)
+}
+
 #
 # Set default config path
 #
diff --git a/Shorewall/prog.footer b/Shorewall/prog.footer
index 427cefff9..66a33ab0f 100644
--- a/Shorewall/prog.footer
+++ b/Shorewall/prog.footer
@@ -1,29 +1,3 @@
-#
-# Define Firewall and ignore errors
-#
-restore_firewall()
-{
- fatal_error()
- {
- echo " ERROR: $@" >&2
- }
-
- startup_error() # foo = Error Message
- {
- echo " ERROR: $@" >&2
- }
-
- define_firewall
-}
-
-#
-# Returns the fully-qualified name of this script
-#
-current_command() {
- cd $(dirname $0)
- echo $PWD/$(basename $0)
-}
-
 #
 # Give Usage Information
 #
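Review bot: The header comment on the generated `restore_firewall` reads `# Silently efine Firewall and ignore errors`; beyond the `efine` typo it does not say how errors are ignored, which matters because the overridden `fatal_error` and `startup_error` still write to stderr and merely drop the exit, while `run_iptables() { return 0; }` together with `IPTABLES=run_iptables` is what turns the rule-building part of `define_firewall` into a no-op before `iptables-restore` loads the saved ruleset. Suggest `# Restore the saved ruleset: run define_firewall with iptables stubbed out, reporting but not exiting on its errors` in place of the current text. Since the overrides no longer exit, the `exit 2` on the missing-save-file path is the only failure that stops the restore script; anything `define_firewall` flags before the restore is printed and then ignored, so if that is not intended the function should propagate a non-zero status. The compile-time code that emits this heredoc starts before the hunk.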
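Review bot: `my_pathname` runs `cd $(dirname $0)` unquoted and unchecked, so a directory containing whitespace is word-split and a failing `cd` still prints `$PWD/$(basename $0)` for whatever the current directory happens to be; the `cd` also moves the caller's working directory whenever the function is not invoked inside command substitution (the compiler hunk uses it as `\$(my_pathname)`, which is safe, but nothing in `functions` enforces that). Quote the paths and confine the `cd` to a subshell so a failure yields empty output and a non-zero status instead of a wrong path: `my_pathname() {` / `    ( cd "$(dirname "$0")" && echo "$PWD/$(basename "$0")" )` / `}`. Because `$0` can still be a relative or symlinked name, the comment should note that the result depends on how the script was invoked.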
@@ -34,8 +8,6 @@ usage() {
 ################################################################################
 # E X E C U T I O N B E G I N S H E R E #
 ################################################################################
-SCRIPT=$(current_command)
-
 initialize
 finished=0
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index 3cef73a67..c28e7fc2c 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -430,46 +430,52 @@ save_config() {
 if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
 echo " Dynamic Rules Saved"
 if [ -f /var/lib/shorewall/.restore ]; then
- cp -f /var/lib/shorewall/.restore $RESTOREPATH
- chmod +x $RESTOREPATH
- echo " Currently-running Configuration Saved to $RESTOREPATH"
+ if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then
+ cp -f /var/lib/shorewall/.restore $RESTOREPATH
+ mv -f /var/lib/shorewall/restore-$$ ${RESTOREPATH}-iptables
+ chmod +x $RESTOREPATH
+ echo " Currently-running Configuration Saved to $RESTOREPATH"
- rm -f ${RESTOREPATH}-ipsets
+ rm -f ${RESTOREPATH}-ipsets
- case ${SAVE_IPSETS:-No} in
- [Yy][Ee][Ss])
- RESTOREPATH=${RESTOREPATH}-ipsets
+ case ${SAVE_IPSETS:-No} in
+ [Yy][Ee][Ss])
+ RESTOREPATH=${RESTOREPATH}-ipsets
- f=/var/lib/shorewall/restore-$$
+ f=/var/lib/shorewall/restore-$$
- echo "#!/bin/sh" > $f
- echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
- echo >> $f
- echo ". /usr/share/shorewall/functions" >> $f
- echo >> $f
- grep '^MODULE' /var/lib/shorewall/restore-base >> $f
- echo "reload_kernel_modules << __EOF__" >> $f
- grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
- echo "__EOF__" >> $f
- echo >> $f
- echo "ipset -U :all: :all:" >> $f
- echo "ipset -F" >> $f
- echo "ipset -X" >> $f
- echo "ipset -R << __EOF__" >> $f
- ipset -S >> $f
- echo "__EOF__" >> $f
- mv -f $f $RESTOREPATH
- chmod +x $RESTOREPATH
- echo " Current Ipset Contents Saved to $RESTOREPATH"
- ;;
- [Nn][Oo])
- ;;
- *)
- echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
- ;;
- esac
+ echo "#!/bin/sh" > $f
+ echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
+ echo >> $f
+ echo ". 
/usr/share/shorewall/functions" >> $f
+ echo >> $f
+ grep '^MODULE' /var/lib/shorewall/restore-base >> $f
+ echo "reload_kernel_modules << __EOF__" >> $f
+ grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
+ echo "__EOF__" >> $f
+ echo >> $f
+ echo "ipset -U :all: :all:" >> $f
+ echo "ipset -F" >> $f
+ echo "ipset -X" >> $f
+ echo "ipset -R << __EOF__" >> $f
+ ipset -S >> $f
+ echo "__EOF__" >> $f
+ mv -f $f $RESTOREPATH
+ chmod +x $RESTOREPATH
+ echo " Current Ipset Contents Saved to $RESTOREPATH"
+ ;;
+ [Nn][Oo])
+ ;;
+ *)
+ echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
+ ;;
+ esac
+ else
+ rm -f /var/lib/shorewall/restore-$$
+ echo " ERROR: Currently-running Configuration Not Saved"
+ fi
 else
- echo " ERROR: /var/lib/shorewall/.restoredoes not exist"
+ echo " ERROR: /var/lib/shorewall/.restored oes not exist"
 fi
 else
 echo "Error Saving the Dynamic Rules"
@@ -1910,6 +1916,7 @@ case "$COMMAND" in
 fi
 rm -f $RESTOREPATH
+ rm -f ${RESTOREPATH}-iptables
 echo " $RESTOREPATH removed"
 elif [ -f $RESTOREPATH ]; then
 echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
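Review bot: `if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then` tests only the status of `iptablesbug`, the last command in the pipeline (POSIX sh has no pipefail here), so a failing `iptables-save` still takes the success branch and the truncated dump is moved to `${RESTOREPATH}-iptables`, where a later `restore` feeds it straight into `iptables-restore` and the firewall comes up with whatever partial ruleset survived. Stage the dump and check each step, e.g. `if iptables-save > /var/lib/shorewall/restore-$$.raw && iptablesbug < /var/lib/shorewall/restore-$$.raw > /var/lib/shorewall/restore-$$; then`, and remove the `.raw` file on both the success path and the existing `else` branch. The replacement message `" ERROR: /var/lib/shorewall/.restored oes not exist"` moves the missing space but keeps the typo; it should read `" ERROR: /var/lib/shorewall/.restore does not exist"`. `save_config` starts before this hunk.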