Preserve counts on 'restart' without compilation.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-10-30 18:38:45 -07:00
parent b7ab82dba4
commit f08803e293
5 changed files with 84 additions and 37 deletions


@ -7909,14 +7909,21 @@ sub emitr1( $$ ) {
sub save_dynamic_chains() { sub save_dynamic_chains() {
my $tool; my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' ); emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
push_indent; push_indent;
if ( have_capability 'IPTABLES_S' ) { if ( $config{SAVE_COUNTERS} ) {
$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit( 'if [ "$COMMAND" = restart; then',
" ${tool}-save --counters > \${VARDIR}/.$utility}-input",
"fi\n" );
}
if ( have_capability 'IPTABLES_S' ) {
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
$tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@ -7936,6 +7943,7 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
} else { } else {
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save'; $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
@ -8240,14 +8248,24 @@ sub create_netfilter_load( $ ) {
'# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility', '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
'#', '#',
'setup_netfilter()', 'setup_netfilter()',
'{' '{' );
);
emit( ' local option' ) if $config{SAVE_COUNTERS};
push_indent; push_indent;
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE'; my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
if ( $config{SAVE_COUNTERS} ) {
emit( '',
'if [ "$COMMAND" = restart -a -n "$g_sha1sum" -a -f ${VARDIR}/.sha1sum -a $g_sha1sum = $(cat ${VARDIR}/.sha1sum) ]; then',
' option="--counters"',
'else'
);
push_indent;
}
save_progress_message "Preparing $utility input..."; save_progress_message "Preparing $utility input...";
emit ''; emit '';
@ -8304,20 +8322,28 @@ sub create_netfilter_load( $ ) {
} }
enter_cmd_mode; enter_cmd_mode;
pop_indent, emit "fi\n" if $config{SAVE_COUNTERS};
# #
# Now generate the actual ip[6]tables-restore command # Now generate the actual ip[6]tables-restore command
# #
emit( 'exec 3>&-', emit( 'exec 3>&-',
'', '' );
'[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
'', if ( $config{SAVE_COUNTERS} ) {
'progress_message2 "Running $command..."', emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' $option' );
'', } else {
"cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux", emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
'if [ $? != 0 ]; then', }
qq( fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
"fi\n" emit( '',
); 'progress_message2 "Running $command..."',
'',
"cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
'if [ $? != 0 ]; then',
qq( fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
"fi\n"
);
pop_indent; pop_indent;
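Review bot: The shell emitted inside the new `if ( $config{SAVE_COUNTERS} )` block of save_dynamic_chains will not parse: `'if [ "$COMMAND" = restart; then'` is missing the closing `]` of the test, and `\${VARDIR}/.$utility}-input` interpolates `$utility` followed by a literal `}`, so the counters are written to `.iptables-restore}-input` while create_netfilter_load later reads `\${VARDIR}/.${utility}-input`. The two lines should read `'if [ "$COMMAND" = restart ]; then',` and `"    ${tool}-save --counters > \${VARDIR}/.${utility}-input",`. In the same file, the test emitted by create_netfilter_load, `$g_sha1sum = $(cat ${VARDIR}/.sha1sum)`, leaves both operands unquoted, so an empty `.sha1sum` turns the whole `[` expression into a syntax error instead of a clean mismatch; quoting both sides, `"$g_sha1sum" = "$(cat ${VARDIR}/.sha1sum)"`, keeps it a plain string comparison that simply falls through to the else branch. Both subroutines extend beyond the hunks shown here.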


@ -512,45 +512,44 @@ EOF
# #
# Use a parameter list rather than 'here documents' to avoid an extra blank line # Use a parameter list rather than 'here documents' to avoid an extra blank line
# #
emit( emit( ' run_refreshed_exit',
' run_refreshed_exit', ' do_iptables -N shorewall' );
' do_iptables -N shorewall' );
emit ( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH'; emit ( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
emit( emit(
" set_state Started $config_dir", " set_state Started $config_dir",
' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall', ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall');
'else', emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
' setup_netfilter'
emit( 'else',
' setup_netfilter'
); );
push_indent; push_indent;
emit 'setup_arptables' if $have_arptables; emit 'setup_arptables' if $have_arptables;
setup_load_distribution; setup_load_distribution;
pop_indent; pop_indent;
emit<<'EOF'; emit( " conditionally_flush_conntrack\n" );
conditionally_flush_conntrack
EOF
push_indent; push_indent;
initialize_switches; initialize_switches;
setup_forwarding( $family , 0 ); setup_forwarding( $family , 0 );
pop_indent; pop_indent;
emit<<"EOF"; emit( ' run_start_exit',
run_start_exit ' do_iptables -N shorewall',
do_iptables -N shorewall '' );
EOF
emit ( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH'; emit( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
emit<<"EOF"; emit( " set_state Started $config_dir",
set_state Started $config_dir ' my_pathname=$(my_pathname)',
my_pathname=\$(my_pathname) ' [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall' );
[ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
run_started_exit emit( ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum' ) if $config{SAVE_COUNTERS};
fi emit( ' run_started_exit',
EOF "fi\n" );
emit<<'EOF'; emit<<'EOF';
date > ${VARDIR}/restarted date > ${VARDIR}/restarted
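Review bot: The `.sha1sum` bookkeeping line is emitted twice with identical text, once in each branch (`[ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum`), and each copy carries its own `if $config{SAVE_COUNTERS}` guard, so the two paths can drift apart on the next edit. Holding the text in one lexical above the if/else, e.g. `my $save_sha1sum = ' [ -n "$g_sha1sum" ] && echo "$g_sha1sum" > ${VARDIR}/.sha1sum || rm -f ${VARDIR}/.sha1sum';`, and emitting `$save_sha1sum` at both sites keeps them in step. The `A && B || C` form also means a failed redirection falls through to `rm -f`, which is the safe outcome here since a missing file just disables counter restore on the next restart; that intent deserves a one-line comment at the emit rather than a change. The enclosing subroutine starts before and ends after this hunk.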


@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
use autouse 'Carp' => qw(longmess confess); use autouse 'Carp' => qw(longmess confess);
use Scalar::Util 'reftype'; use Scalar::Util 'reftype';
use FindBin; use FindBin;
use Digest::SHA qw(sha1_hex);
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
# #
@ -88,6 +89,7 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall); our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
our %EXPORT_TAGS = ( internal => [ qw( create_temp_script our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
generate_sha1
finalize_script finalize_script
enable_script enable_script
disable_script disable_script
@ -1761,6 +1763,13 @@ sub create_temp_script( $$ ) {
} }
# Generate the SHA1 digest of the (incomplete script)
#
sub generate_sha1() {
my $data = `cat $tempfile`;
sha1_hex $data;
}
# #
# Finalize the script file # Finalize the script file
# #
@ -1770,6 +1779,17 @@ sub finalize_script( $ ) {
$script = 0; $script = 0;
if ( $file ne '-' ) { if ( $file ne '-' ) {
if ( $config{SAVE_COUNTERS} ) {
my $sha1sum = generate_sha1;
@ARGV = ( $tempfile );
$^I = '';
while ( <> ) {
s/g_sha1sum=/g_sha1sum=$sha1sum/;
print;
}
}
rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!"; rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
chmod 0700, $file or fatal_error "Cannot secure $file for execute access"; chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
progress_message3 "Shorewall configuration compiled to $file" unless $export; progress_message3 "Shorewall configuration compiled to $file" unless $export;
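Review bot: generate_sha1 reads the script with backticks, `my $data = `cat $tempfile`;`, which spawns a shell on an interpolated path, gives no error if `cat` fails (an unreadable file silently hashes the empty string), and reads the whole file through a pipe when a plain 3-arg open does the same job; reading it in Perl keeps the sed fallback to Digest::SHA1 working since only `sha1_hex` is used. In finalize_script the in-place edit sets the process globals `@ARGV` and `$^I` without restoring them, so any later `<>` in the same process would also edit in place; they should be `local @ARGV = ( $tempfile );` and `local $^I = '';`. The substitution `s/g_sha1sum=/g_sha1sum=$sha1sum/` rewrites every line containing that text, so a comment noting that the placeholder must occur exactly once in the generated script would help the next maintainer. finalize_script continues beyond the end of this hunk.
```perl
sub generate_sha1() {
    open my $fh, '<', $tempfile or fatal_error "Cannot open $tempfile for reading: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    sha1_hex $data;
}
```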


@ -86,6 +86,7 @@ g_purge=$PURGE
g_noroutes=$NOROUTES g_noroutes=$NOROUTES
g_timestamp=$TIMESTAMP g_timestamp=$TIMESTAMP
g_recovering=$RECOVERING g_recovering=$RECOVERING
g_sha1sum=
initialize initialize
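Review bot: The new `g_sha1sum=` line is a placeholder that finalize_script rewrites with a regex substitution keyed on the literal text `g_sha1sum=`, and nothing in this file says so; a reader tidying the empty assignment or giving it a default would silently break counter preservation. Suggest a comment directly above it: `# Empty placeholder: finalize_script() substitutes the compiled script's SHA1 digest here when SAVE_COUNTERS is set`. The surrounding assignments run past the hunk, so I cannot tell whether any other line in this file contains the same text.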


@ -332,6 +332,7 @@ if [ $PRODUCT = shorewall ]; then
if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
if perl -e 'use Digest::SHA1;' 2> /dev/null ; then if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
DIGEST=SHA1 DIGEST=SHA1
else else
echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2 echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
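Review bot: The new `sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm` is unanchored, so if the installer is ever run a second time over an already-rewritten tree it turns `Digest::SHA1` into `Digest::SHA11`, and like the existing Chains.pm line its exit status is not checked. A pattern that stops at the module name, e.g. `sed -i 's/Digest::SHA\([^1]\)/Digest::SHA1\1/' Perl/Shorewall/Config.pm`, is idempotent in POSIX sed, and appending `|| exit 1` would surface a failed rewrite before a broken module is installed. Whether re-running against the same tree is a supported workflow is not visible from this hunk.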