From 7e3521e2215ad704a93763deaa1972cbae647824 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 13 Aug 2017 17:53:59 -0700 Subject: [PATCH] RESTORE_WAIT_OPTION Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 10 ++++++++-- Shorewall/Perl/Shorewall/Chains.pm | 24 +++++++++++++++++++----- Shorewall/Perl/Shorewall/Config.pm | 13 +++++++++++-- 3 files changed, 38 insertions(+), 9 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 35fe1a008..0ef4e19f1 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=50105 +SHOREWALL_CAPVERSION=50106 if [ -z "$g_basedir" ]; then # @@ -2804,6 +2804,7 @@ determine_capabilities() { CPU_FANOUT= NETMAP_TARGET= NFLOG_SIZE= + RESTORE_WAIT_OPTION= AMANDA_HELPER= FTP_HELPER= @@ -2827,9 +2828,11 @@ determine_capabilities() { qt $arptables -L OUT && ARPTABLESJF=Yes fi + [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes + if qt $g_tool --wait -t filter -L INPUT -n -v; then WAIT_OPTION=Yes - tool="$tool --wait" + g_tool="$g_tool --wait" fi chain=fooX$$ @@ -3299,9 +3302,11 @@ report_capabilities_unsorted() { if [ $g_family -eq 4 ]; then report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION + report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION else report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION + report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION fi report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER 
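Review bot: The new RESTORE_WAIT_OPTION probe in determine_capabilities treats empty combined output of `${g_tool}-restore --wait < /dev/null 2>&1` as proof of support instead of looking at the exit status, so a supporting build that prints any diagnostic, or an unsupported one that fails quietly, is misclassified; the Perl probe Restore_Wait_Option in the Config.pm hunk uses the same criterion and should change together with it. If the exit status is reliable on the iptables versions Shorewall supports, `qt ${g_tool}-restore --wait < /dev/null && RESTORE_WAIT_OPTION=Yes` would match the WAIT_OPTION probe two lines below. The probe also has to stay above that block, because afterwards `g_tool` carries a trailing ` --wait` and `${g_tool}-restore` no longer names the binary; a comment such as `# Must precede the WAIT_OPTION probe, which appends --wait to g_tool; empty stdin means no rules are submitted` would protect the ordering and state why the redirection is safe.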
@@ -3417,6 +3422,7 @@ report_capabilities_unsorted1() { report_capability1 CPU_FANOUT report_capability1 NETMAP_TARGET report_capability1 NFLOG_SIZE + report_capability1 RESTORE_WAIT_OPTION report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 4fbe5c826..c709671a8 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8913,9 +8913,15 @@ sub create_netfilter_load( $ ) { my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE'; emit( '', - 'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', - ' option="--counters"', - '', + 'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' ); + + if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) { + emit( ' option="--counters --wait"' ); + } else { + emit( ' option="--counters"' ); + } + + emit( '', ' progress_message "Reusing existing ruleset..."', '', 'else' @@ -8923,7 +8929,11 @@ sub create_netfilter_load( $ ) { push_indent; - emit 'option='; + if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) { + emit 'option="--wait"'; + } else { + emit 'option='; + } save_progress_message "Preparing $utility input..."; @@ -9338,7 +9348,11 @@ sub create_stop_load( $ ) { enter_cmd_mode; - emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY ); + if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) { + emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY . ' --wait' ); + } else { + emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY ); + } emit( '', 'progress_message2 "Running $command..."', diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 314b72db5..5bc4aee11 100644 --- a/Shorewall/Perl/Shorewall/Config.pm 
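Review bot: In the create_stop_load hunk the generated shell line `command=$IPTABLES_RESTORE --wait` is parsed as an assignment prefix followed by a command named `--wait`, so `command` is never set in the stop script and the shell reports `--wait` as not found; the value needs quoting: `emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait"' );`. The same have_capability( 'RESTORE_WAIT_OPTION' ) test is repeated in all three Chains.pm hunks with only the literal ` --wait` differing; computing `my $wait = have_capability( 'RESTORE_WAIT_OPTION' ) ? ' --wait' : '';` once per function and appending it (`' option="--counters' . $wait . '"'`) would remove the duplicated emit branches. Both create_netfilter_load and create_stop_load begin and end outside these hunks.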
+++ b/Shorewall/Perl/Shorewall/Config.pm @@ -414,7 +414,8 @@ our %capdesc = ( NAT_ENABLED => 'NAT', CPU_FANOUT => 'NFQUEUE CPU Fanout', NETMAP_TARGET => 'NETMAP Target', NFLOG_SIZE => '--nflog-size support', - + RESTORE_WAIT_OPTION + => 'iptables-restore --wait option', AMANDA_HELPER => 'Amanda Helper', FTP_HELPER => 'FTP Helper', FTP0_HELPER => 'FTP-0 Helper', @@ -752,7 +753,7 @@ sub initialize( $;$$) { EXPORT => 0, KLUDGEFREE => '', VERSION => "5.1.5-RC1", - CAPVERSION => 50105 , + CAPVERSION => 50106 , BLACKLIST_LOG_TAG => '', RELATED_LOG_TAG => '', MACLIST_LOG_TAG => '', @@ -1046,6 +1047,7 @@ sub initialize( $;$$) { CPU_FANOUT => undef, NETMAP_TARGET => undef, NFLOG_SIZE => undef, + RESTORE_WAIT_OPTION => undef, AMANDA_HELPER => undef, FTP_HELPER => undef, @@ -4948,6 +4950,10 @@ sub Cpu_Fanout() { have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" ); } +sub Restore_Wait_Option() { + length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0; +} + our %detect_capability = ( ACCOUNT_TARGET =>\&Account_Target, AMANDA_HELPER => \&Amanda_Helper, @@ -5028,6 +5034,7 @@ our %detect_capability = REALM_MATCH => \&Realm_Match, REAP_OPTION => \&Reap_Option, RECENT_MATCH => \&Recent_Match, + RESTORE_WAIT_OPTION => \&Restore_Wait_Option, RPFILTER_MATCH => \&RPFilter_Match, SANE_HELPER => \&SANE_Helper, SANE0_HELPER => \&SANE0_Helper, @@ -5195,6 +5202,8 @@ sub determine_capabilities() { $capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' ); $capabilities{NETMAP_TARGET} = detect_capability( 'NETMAP_TARGET' ); $capabilities{NFLOG_SIZE} = detect_capability( 'NFLOG_SIZE' ); + $capabilities{RESTORE_WAIT_OPTION} + = detect_capability( 'RESTORE_WAIT_OPTION' ); unless ( have_capability 'CT_TARGET' ) { $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
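Review bot: Restore_Wait_Option carries no comment, and a reader cannot tell from `length( ... ) == 0` what the probe assumes or that the `< /dev/null` redirection is what keeps it from submitting any rule; a comment such as `# Assumes ${iptables}-restore accepts --wait silently on empty input and complains on stderr when it does not; empty stdin means nothing is loaded` would state the criterion. The %capdesc entry is split as `RESTORE_WAIT_OPTION` on one line and `=> 'iptables-restore --wait option',` on the next, while every neighbouring key and description sits on a single aligned line; `RESTORE_WAIT_OPTION => 'iptables-restore --wait option',` would keep the table uniform, unless a line-width limit forced the break. The enclosing %capdesc, initialize, %detect_capability and determine_capabilities definitions all continue outside these hunks.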