Allow switch initialization.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-11-27 16:17:43 -08:00 · 2012-11-27 16:17:43 -08:00 · 8006d150f1
commit 8006d150f1
parent e44acdc6af
8 changed files with 64 additions and 5 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -248,6 +248,7 @@ our %EXPORT_TAGS = (
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
+				       initialize_switches
 				       %targets
 				       %dscpmap
 				       %nfobjects
@ -603,6 +604,8 @@ my %isocodes;

 use constant { ISODIR => '/usr/share/xt_geoip/LE' };

+my %switches;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@ -663,6 +666,7 @@ sub initialize( $$$ ) {

    %isocodes  = ();
    %nfobjects = ();
+    %switches  = ();

    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@ -4644,6 +4648,10 @@ sub do_condition( $$ ) {

    my $invert = $condition =~ s/^!// ? '! ' : '';

+    my $initialize;
+
+    $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
+
    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';

    if ( $condition =~ /@/ ) {
@ -4653,7 +4661,16 @@ sub do_condition( $$ ) {

    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;

+    if ( defined $initialize ) {
+	if ( my $switchref = $switches{$condition} ) {
+	    fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
+	} else {
+	    $switches{$condition} = { setting => $initialize, where => currentlineinfo };
+	}
+    }
+
    "-m condition ${invert}--condition $condition "
+	
 }

 #
@ -7464,4 +7481,16 @@ sub create_stop_load( $ ) {

 }

+sub initialize_switches() {
+    if ( keys %switches ) {
+	emit( '        if [ $COMMAND = start ]; then' );
+	push_indent;
+	while ( my ( $switch, $setting ) = each %switches ) {
+	    emit "        echo $setting->{setting} > /proc/net/nf_condition/$switch";
+	}
+	pop_indent;
+	emit "        fi\n";
+    }
+}
+
 1;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -487,6 +487,7 @@ EOF
    emit<<"EOF";
        conditionally_flush_conntrack
 EOF
+    initialize_switches;
    setup_forwarding( $family , 0 );

    emit<<"EOF";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -47,6 +47,7 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
+		 currentlineinfo

 		 progress_message
 		 progress_message_nocompress
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@ -386,7 +386,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.5.10 and allows enabling and disabling
@ -419,6 +419,11 @@

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the start command. Other
+          commands do not affect the switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@ -461,7 +461,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
@ -493,6 +493,12 @@

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the start command. Other
+          commands do not affect the switch setting.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -1369,7 +1369,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
@ -1402,6 +1402,12 @@

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the start command. Other
+          commands do not affect the switch setting.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@ -282,7 +282,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall6 4.5.10 and allows enabling and disabling
@ -315,6 +315,11 @@

          <para>Switch settings are retained over <command>shorewall6
          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the start command. Other
+          commands do not affect the switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -1244,7 +1244,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall6 4.4.24 and allows enabling and disabling
@ -1277,6 +1277,12 @@

          <para>Switch settings are retained over <command>shorewall6
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the start command. Other
+          commands do not affect the switch setting.</para>
        </listitem>
      </varlistentry>