Reincarnation of Dynamic Zones -- Phase II

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9611 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-03-06 04:08:07 +00:00
parent 3795f02f70
commit f788e4ecb3
2 changed files with 50 additions and 22 deletions


@ -300,21 +300,6 @@ EOF
RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
do_iptables -t $table -F
do_iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring ${PRODUCT:=Shorewall}...
if $RESTOREPATH restore; then
@ -549,11 +534,24 @@ EOF
}
}
emit 'run_stopped_exit';
pop_indent;
emit '
run_stopped_exit';
my @ipsets = all_ipsets;
if ( @ipsets ) {
emit <<EOF
if [ -n "$(which ipset)" ]; then
if ipset -S > ${VARDIR}/ipsets.tmp; then
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
fi
fi
EOF
}
emit '
set_state "Stopped"
logger -p kern.info "$PRODUCT Stopped"
@ -648,6 +646,26 @@ sub generate_script_2($) {
"fi\n" );
}
my @ipsets = all_ipsets;
if ( @ipsets ) {
emit ( 'if "$COMMAND" = start; then' ,
' if [ -n "$(which ipset)"; then' ,
' ipset -U :all: :all:' ,
' ipset -U :all: :default:' ,
' ipset -F' ,
' ipset -X' ,
' ipset -R < ${VARDIR}/ipsets.save' );
emit ( " qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets;
emit ( ' fi' ,
'else' ,
' fatal_error "The ipset utility cannot be located"' ,
'fi',
'' );
}
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
@ -925,10 +943,6 @@ sub compiler {
unless ( $command eq 'check' ) {
generate_script_1;
# S T O P _ F I R E W A L L
# (Writes the stop_firewall() function to the compiled script)
#
compile_stop_firewall;
#
# C O M M O N _ R U L E S
# (Writes the setup_common_rules() function to the compiled script)
@ -1075,11 +1089,15 @@ sub compiler {
progress_message3 "Shorewall6 configuration verified";
}
} else {
enable_object;
# S T O P _ F I R E W A L L
# (Writes the stop_firewall() function to the compiled script)
#
compile_stop_firewall;
#
# N E T F I L T E R L O A D
# (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
#
enable_object;
generate_script_2( $chains );
#
# Close, rename and secure the object
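Review bot: The shell emitted at `'if "$COMMAND" = start; then'` and `' if [ -n "$(which ipset)"; then'` is malformed — the first test has no `[ ]` around it and the second lacks its closing `]` — so the generated start path would fail at runtime rather than do what the indentation suggests. The `'else'` that follows `' fi'` also pairs with the `$COMMAND = start` test instead of the `which ipset` test, so as emitted every non-start command would reach `fatal_error "The ipset utility cannot be located"`. `ipset -R < ${VARDIR}/ipsets.save` is unconditional, and since the save file is only written on stop (and only when `ipset -S` succeeds), it may be absent on a first start, so a `[ -f ... ]` guard seems warranted. Note too that `ipset -F`/`ipset -X` destroy every set on the host, not only those in @ipsets; if that is intended a comment saying so would help the next reader. generate_script_2 begins and ends outside this hunk.
```perl
    my @ipsets = all_ipsets;
    if ( @ipsets ) {
	emit ( 'if [ "$COMMAND" = start ]; then' ,
	       '    if [ -n "$(which ipset)" ]; then' ,
	       # … unchanged: ipset -U / -F / -X lines …
	       '        [ -f ${VARDIR}/ipsets.save ] && ipset -R < ${VARDIR}/ipsets.save' );
	emit ( "        qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets;
	emit ( '    else' ,
	       '        fatal_error "The ipset utility cannot be located"' ,
	       '    fi' ,
	       'fi',
	       '' );
    }
```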


@ -64,6 +64,7 @@ our @EXPORT = qw( NOTHING
set_interface_option
validate_hosts_file
find_hosts_by_option
all_ipsets
);
our @EXPORT_OK = qw( initialize );
@ -141,6 +142,7 @@ our %reservedName = ( all => 1,
our @interfaces;
our %interfaces;
our @bport_zones;
our %ipsets;
our $family;
#
@ -161,6 +163,7 @@ sub initialize( $ ) {
@interfaces = ();
%interfaces = ();
@bport_zones = ();
%ipsets = ();
}
INIT {
@ -803,6 +806,7 @@ sub validate_interfaces_file( $ )
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$value = "+${zone}_${interface}";
$hostoptions{dynamic} = 1;
$ipsets{$value} = 1;
}
#
# Convert into a Perl array reference
@ -1122,6 +1126,8 @@ sub validate_hosts_file()
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$hosts = "+${zone}_${interface}";
$optionsref->{dynamic} = 1;
$ipsets{$hosts} = 1;
}
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
@ -1163,4 +1169,8 @@ sub find_hosts_by_option( $ ) {
\@hosts;
}
sub all_ipsets() {
sort keys %ipsets;
}
1;
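Review bot: `$ipsets{$value} = 1;` and `$ipsets{$hosts} = 1;` record the value with its leading `+`, which in the interfaces/hosts syntax appears to mark an ipset reference rather than be part of the set name; if so, the compiled `qt ipset -L $_ || ipset -N $_ iphash` lines would look up and create a set literally named `+zone_iface` — worth confirming against the name iptables actually matches on, and if confirmed, store `$ipsets{"${zone}_${interface}"} = 1;` in both places. `all_ipsets` is exported with no description; I would add `# Return the sorted names of every ipset referenced by a dynamic zone` above `sub all_ipsets()`. Both validate_interfaces_file and validate_hosts_file start and end outside their hunks.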