Reincarnation of Dynamic Zones -- Phase II
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9611 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3795f02f70
commit
f788e4ecb3
@ -300,21 +300,6 @@ EOF
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
progress_message2 Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
for table in mangle nat filter; do
|
||||
do_iptables -t $table -F
|
||||
do_iptables -t $table -X
|
||||
done
|
||||
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring ${PRODUCT:=Shorewall}...
|
||||
|
||||
if $RESTOREPATH restore; then
|
||||
@ -549,11 +534,24 @@ EOF
|
||||
}
|
||||
}
|
||||
|
||||
emit 'run_stopped_exit';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '
|
||||
run_stopped_exit';
|
||||
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit <<EOF
|
||||
if [ -n "$(which ipset)" ]; then
|
||||
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
||||
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
|
||||
fi
|
||||
fi
|
||||
EOF
|
||||
}
|
||||
|
||||
emit '
|
||||
set_state "Stopped"
|
||||
|
||||
logger -p kern.info "$PRODUCT Stopped"
|
||||
@ -648,6 +646,26 @@ sub generate_script_2($) {
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( 'if "$COMMAND" = start; then' ,
|
||||
' if [ -n "$(which ipset)"; then' ,
|
||||
' ipset -U :all: :all:' ,
|
||||
' ipset -U :all: :default:' ,
|
||||
' ipset -F' ,
|
||||
' ipset -X' ,
|
||||
' ipset -R < ${VARDIR}/ipsets.save' );
|
||||
|
||||
emit ( " qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets;
|
||||
|
||||
emit ( ' fi' ,
|
||||
'else' ,
|
||||
' fatal_error "The ipset utility cannot be located"' ,
|
||||
'fi',
|
||||
'' );
|
||||
}
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
|
||||
@ -925,10 +943,6 @@ sub compiler {
|
||||
|
||||
unless ( $command eq 'check' ) {
|
||||
generate_script_1;
|
||||
# S T O P _ F I R E W A L L
|
||||
# (Writes the stop_firewall() function to the compiled script)
|
||||
#
|
||||
compile_stop_firewall;
|
||||
#
|
||||
# C O M M O N _ R U L E S
|
||||
# (Writes the setup_common_rules() function to the compiled script)
|
||||
@ -1075,11 +1089,15 @@ sub compiler {
|
||||
progress_message3 "Shorewall6 configuration verified";
|
||||
}
|
||||
} else {
|
||||
enable_object;
|
||||
# S T O P _ F I R E W A L L
|
||||
# (Writes the stop_firewall() function to the compiled script)
|
||||
#
|
||||
compile_stop_firewall;
|
||||
#
|
||||
# N E T F I L T E R L O A D
|
||||
# (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
|
||||
#
|
||||
enable_object;
|
||||
generate_script_2( $chains );
|
||||
#
|
||||
# Close, rename and secure the object
|
||||
|
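Review bot: In the `generate_script_2` hunk at `@ -648,6 +646,26`, the `else` emitted after `' fi'` closes the outer `if "$COMMAND" = start` rather than the `which ipset` test, so every command other than `start` reaches `fatal_error "The ipset utility cannot be located"` and aborts. The two `if` lines are also malformed shell: `'if "$COMMAND" = start; then'` has no `[ ]` and `' if [ -n "$(which ipset)"; then'` lacks the closing `]`, so the generated script would not parse. Beyond syntax, `ipset -F` / `ipset -X` flush and destroy every set on the host, not only the ones Shorewall created, and `ipset -R < ${VARDIR}/ipsets.save` fails on a first start before any save exists; the save path in the `@ -549,11 +534,24` hunk likewise captures all sets with `ipset -S`. The set names come from `all_ipsets`, which appear to carry the iptables `+` prefix (`$value = "+${zone}_${interface}"` in Zones.pm), so `ipset -N $_ iphash` would presumably need that stripped before it can create a set. Rewritten lines below; the enclosing `generate_script_2` body extends outside the hunk.
```perl
    my @ipsets = all_ipsets;

    if ( @ipsets ) {
        emit ( 'if [ "$COMMAND" = start ]; then' ,
               '    if [ -n "$(which ipset)" ]; then' ,
               # … unchanged: ipset -U / -F / -X lines …
               '        [ -f ${VARDIR}/ipsets.save ] && ipset -R < ${VARDIR}/ipsets.save' );

        emit ( "        qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets;

        # The fatal_error now belongs to the inner "ipset present" test,
        # so non-start commands fall through untouched.
        emit ( '    else' ,
               '        fatal_error "The ipset utility cannot be located"' ,
               '    fi' ,
               'fi',
               '' );
    }
```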
@ -64,6 +64,7 @@ our @EXPORT = qw( NOTHING
|
||||
set_interface_option
|
||||
validate_hosts_file
|
||||
find_hosts_by_option
|
||||
all_ipsets
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
@ -141,6 +142,7 @@ our %reservedName = ( all => 1,
|
||||
our @interfaces;
|
||||
our %interfaces;
|
||||
our @bport_zones;
|
||||
our %ipsets;
|
||||
our $family;
|
||||
|
||||
#
|
||||
@ -161,6 +163,7 @@ sub initialize( $ ) {
|
||||
@interfaces = ();
|
||||
%interfaces = ();
|
||||
@bport_zones = ();
|
||||
%ipsets = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
@ -803,6 +806,7 @@ sub validate_interfaces_file( $ )
|
||||
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
|
||||
$value = "+${zone}_${interface}";
|
||||
$hostoptions{dynamic} = 1;
|
||||
$ipsets{$value} = 1;
|
||||
}
|
||||
#
|
||||
# Convert into a Perl array reference
|
||||
@ -1122,6 +1126,8 @@ sub validate_hosts_file()
|
||||
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
|
||||
$hosts = "+${zone}_${interface}";
|
||||
$optionsref->{dynamic} = 1;
|
||||
$ipsets{$hosts} = 1;
|
||||
|
||||
}
|
||||
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
|
||||
@ -1163,4 +1169,8 @@ sub find_hosts_by_option( $ ) {
|
||||
\@hosts;
|
||||
}
|
||||
|
||||
sub all_ipsets() {
|
||||
sort keys %ipsets;
|
||||
}
|
||||
|
||||
1;
|
||||
|
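Review bot: `all_ipsets` in the hunk at `@ -1163,4 +1169,8` relies on an implicit return from `sort keys %ipsets`, and `sort` evaluated in scalar context has an undefined result; both visible callers use list context, but an explicit `return sort keys %ipsets;` with a short comment makes the list-only contract clear. The new `our %ipsets;` global (`@ -141,6 +142,7`) is undocumented, while the keys written in `validate_interfaces_file` and `validate_hosts_file` are the `+${zone}_${interface}` strings, so a comment such as `# Keys are the dynamic-zone set names, including the leading '+' used by the iptables set match` above the declaration would tell consumers what they are getting. The added `$ipsets{$hosts} = 1;` in `validate_hosts_file` (`@ -1122,6 +1126,8`) is followed by a stray blank line before the closing brace.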