holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More RTC changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9336 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-24 23:57:10 +00:00
parent 0d87cecbad
commit 88c57231ac
3 changed files with 110 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -318,43 +318,45 @@ EOF
;;
esac
if [ "$RESTOREFILE" = NONE ]; then
COMMAND=clear
clear_firewall
echo "$PRODUCT Cleared"
kill $$
exit 2
else
RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
do_iptables -t $table -F
do_iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring ${PRODUCT:=Shorewall}...
if $RESTOREPATH restore; then
echo "$PRODUCT restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
if [ -z "$RTCONLY" ]; then
if [ "$RESTOREFILE" = NONE ]; then
COMMAND=clear
clear_firewall
echo "$PRODUCT Cleared"
kill $$
exit 2
else
RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
do_iptables -t $table -F
do_iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring ${PRODUCT:=Shorewall}...
if $RESTOREPATH restore; then
echo "$PRODUCT restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
kill $$
exit 2
fi
fi
fi
;;
@ -365,66 +367,78 @@ EOF
STOPPING="Yes"
TERMINATOR=
EOF
emit ' if [ -n "$RTCONLY" ]; then';
deletechain shorewall
push_indent;
emit( ' delete_tc1' ) if $config{CLEAR_TC};
run_stop_exit
emit( ' undo_routing',
' restore_default_route'
);
pop_indent;
emit <<'EOF';
else
deletechain shorewall
run_stop_exit
EOF
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
emit <<'EOF';
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IPTABLES -t mangle -P $chain ACCEPT
done
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt1 $IPTABLES -t mangle -P $chain ACCEPT
done
EOF
}
if ( $capabilities{RAW_TABLE} ) {
if ( $family == F_IPV4 ) {
emit <<'EOF';
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
EOF
} else {
emit <<'EOF';
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
EOF
}
}
if ( $capabilities{NAT_ENABLED} ) {
emit <<'EOF';
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
done
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
done
EOF
}
if ( $family == F_IPV4 ) {
emit <<'EOF';
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
fi
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
fi
rm -f ${VARDIR}/proxyarp
rm -f ${VARDIR}/proxyarp
EOF
}
push_indent;
push_indent;
emit 'delete_tc1' if $config{CLEAR_TC};
@ -578,12 +592,14 @@ EOF
}
}
emit 'run_stopped_exit';
emit( '',
'run_stopped_exit' ,
'set_state "Stopped"' );
pop_indent;
pop_indent;
emit '
set_state "Stopped"
emit ' fi
logger -p kern.info "$PRODUCT Stopped"

32
Shorewall-perl/prog.functions
View File

@ -20,26 +20,28 @@ delete_proxyarp() {
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
if [ -z "$RTCONLY" ]; then
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit
set_state "Cleared"
fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared"
}

18
Shorewall-perl/prog.functions6
View File

@ -4,17 +4,19 @@
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
if [ -z "$RTCONLY" ]; then
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
run_iptables -F
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
run_clear_exit
run_clear_exit
set_state "Cleared"
set_state "Cleared"
fi
logger -p kern.info "$PRODUCT Cleared"
}