Finish restoring the 'refresh' command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-07-03 18:59:42 +00:00 · 2007-07-03 18:59:42 +00:00 · 3d2eca5183
commit 3d2eca5183
parent 82428d66bc
2 changed files with 67 additions and 7 deletions
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -116,6 +116,7 @@ our @EXPORT = qw( STANDARD
 		  get_interface_addresses
 		  set_global_variables
 		  create_netfilter_load
+		  create_blacklist_reload

 		  @policy_chains
 		  %chain_table
@ -300,10 +301,6 @@ sub initialize() {
    %interfaceaddrs = ();
    %interfacenets  = ();
    #
-    # State of the generator.
-    #
-    $state = NULL_STATE;
-    #
    #  When true, we've emitted a comment about global variable initialization
    #
    $emitted_comment = 0;
@ -1886,6 +1883,8 @@ sub set_global_variables() {
 #
 sub create_netfilter_load() {

+    $state = NULL_STATE;
+  
    emitj( 'setup_netfilter()',
 	   '{'
 	   );
@ -1938,8 +1937,7 @@ sub create_netfilter_load() {
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
 	    for my $rule ( @{$chainref->{rules}} ) {
-		$rule = "-A $name $rule" unless substr( $rule, 0, 1) eq '~';
-		emitr $rule;
+		emitr( substr( $rule, 0, 1 ) eq '~' ? $rule : "-A $name $rule" );
 	    }
 	}
 	#
@ -1970,4 +1968,61 @@ sub create_netfilter_load() {
    emit "}\n";
 }

+#
+# Generate the netfilter input
+#
+sub create_blacklist_reload() {
+
+    $state = NULL_STATE;
+  
+    emitj( 'blacklist_reload()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing iptables-restore input...";
+
+    emit '';
+    #
+    # We always write the input into a file then pass the file to iptables-restore. That way, if things go wrong,
+    # the user (and Shorewall support) has something to look at to determine the error
+    #
+    emit 'exec 3>${VARDIR}/.iptables-restore-input';
+
+    emitr '*filter';
+    emitr ':blacklst - [0:0]';
+
+    my $chainref = $filter_table->{blacklst};
+
+    for my $rule ( @{$chainref->{rules}} ) {
+	emitr( substr( $rule, 0, 1 ) eq '~' ? $rule : "-A blacklst $rule" );
+    }
+    #
+    # Commit the changes to the table
+    #
+    emitr 'COMMIT';
+
+    emit_unindented '__EOF__' unless $state == CMD_STATE;
+    emit '';
+    #
+    # Now generate the actual iptables-restore command
+    #
+    emitj( 'exec 3>&-',
+	   '',
+	   'progress_message2 "Running iptables-restore..."',
+	   '',
+	   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux'
+	 );
+
+    emitj( 'if [ $? != 0 ]; then',
+	   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+	   "fi\n"
+	   );
+
+    pop_indent;
+
+    emit "}\n";
+}
+
 1;
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@ -604,6 +604,7 @@ sub generate_script_3() {

    progress_message2 "Creating iptables-restore input...";
    create_netfilter_load;
+    create_blacklist_reload;

    emit "#\n# Start/Restart the Firewall\n#";
    emit 'define_firewall() {';
@ -628,7 +629,10 @@ if [ $COMMAND = restore ]; then
    set_state "Started"
 else
    if [ $COMMAND = refresh ]; then
+        blacklist_reload
        run_refresh_exit
+        $IPTABLES -N shorewall
+        set_state "Started"
    else
        setup_netfilter
        restore_dynamic_rules
@ -636,8 +640,9 @@ else
        $IPTABLES -N shorewall
        set_state "Started"
        run_started_exit
-        cp -f $(my_pathname) ${VARDIR}/.restore
    fi
+        
+    cp -f $(my_pathname) ${VARDIR}/.restore
 fi

 date > ${VARDIR}/restarted