From a00bf196a31e24bfcc0256f91ea0aee57016e889 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 26 Jul 2015 10:27:30 -0700
Subject: [PATCH] Remove all workarounds
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 74 +++++----------------
 Shorewall-core/lib.common | 103 +++++------------------------
 Shorewall/Perl/Shorewall/Chains.pm | 15 -----
 Shorewall/Perl/Shorewall/Misc.pm | 11 +--
 4 files changed, 31 insertions(+), 172 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index fbe372e5c..2d8da585a 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -388,30 +388,16 @@ do_save() { status=0 if [ -f ${VARDIR}/firewall ]; then - if [ -n "$WORKAROUNDS" ]; then - if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/firewall $g_restorepath - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables - chmod +x $g_restorepath - echo " Currently-running Configuration Saved to $g_restorepath" - run_user_exit save - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - status=1 - fi + if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/firewall $g_restorepath + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables + chmod +x $g_restorepath + echo " Currently-running Configuration Saved to $g_restorepath" + run_user_exit save else - if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/firewall $g_restorepath - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables - chmod +x $g_restorepath - echo " Currently-running Configuration Saved to $g_restorepath" - run_user_exit save - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - status=1 - fi + rm -f ${VARDIR}/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" >&2 + status=1 fi else echo " ERROR: ${VARDIR}/firewall does not exist" >&2 
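Review bot: The `if` in the iptables branch of do_save tests only the exit status of `grep`, the last command of the `$iptables_save | grep -v -- '-A dynamic.* -j ACCEPT'` pipeline, so a `$iptables_save` that fails after emitting some output still reaches the `mv` and installs an incomplete dump as `${g_restorepath}-iptables`. A later restore would then work from that incomplete file without any error having been reported at save time. Consider dumping to a scratch file first and filtering in a second step, for example `if $iptables_save > ${VARDIR}/restore-$$.raw && grep -v -- '-A dynamic.* -j ACCEPT' ${VARDIR}/restore-$$.raw > ${VARDIR}/restore-$$; then`, removing the `.raw` file in both branches (the `.raw` name is only an illustration). do_save begins before this hunk and continues after it.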
@@ -423,24 +409,11 @@ do_save() { resolve_arptables if [ -n "$arptables" ]; then - if [ -n "$WORKAROUNDS" ]; then - # - # 'sed' command is a hack to work around broken arptables_jf - # - if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then - if grep -q '^-A' ${VARDIR}/restore-$$; then - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables - else - rm -f ${VARDIR}/restore-$$ - fi - fi - else - if ${arptables}-save > ${VARDIR}/restore-$$; then - if grep -q '^-A' ${VARDIR}/restore-$$; then - mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables - else - rm -f ${VARDIR}/restore-$$ - fi + if ${arptables}-save > ${VARDIR}/restore-$$; then + if grep -q '^-A' ${VARDIR}/restore-$$; then + mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables + else + rm -f ${VARDIR}/restore-$$ fi fi else @@ -481,24 +454,7 @@ do_save() { esac if [ -n "$IPSET" ]; then - if [ -n "$WORKAROUNDS" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi - - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets - fi - fi - elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then + if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then # # Don't save an 'empty' file # diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index e1d29ae64..85ff740cd 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common 
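Review bot: In the arptables branch of do_save (second lib.cli hunk) the outer `if ${arptables}-save > ${VARDIR}/restore-$$; then` has no `else`, so when the save command fails the partially written `${VARDIR}/restore-$$` is left behind, whereas the iptables branch in the previous hunk removes its temporary file on failure. Adding `else` and `rm -f ${VARDIR}/restore-$$` before the outer `fi` would make the two branches consistent. The failure is also silent here, while the iptables branch prints an error and sets `status=1`; if that difference is deliberate, a one-line comment saying so would help the next reader.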
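Review bot: The `eval` in `if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then` (third lib.cli hunk) appears to have been needed only to expand the `$hack` pipeline string that this commit removes; keeping it means the value of `$IPSET` is parsed as shell code a second time. Unless `$IPSET` is expected to carry shell syntax, `if $IPSET -S > ${VARDIR}/ipsets.tmp; then` is enough. Separately, the added `if` is nested inside `if [ -n "$IPSET" ]; then`, where the removed `elif` was a sibling branch of that same test, so the block now needs one more closing `fi` than before. The closing lines are outside this hunk, so please confirm the `if`/`fi` pairs still balance.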
@@ -89,108 +89,35 @@ not_configured_error() # $@ = Message } # -# Get the Shorewall version of the passed script -# -get_script_version() { # $1 = script - local temp - local version - local ifs - local digits - local verbosity - - if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then - # - # Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE - # determined that re-compilation wasn't needed - # - temp="$SHOREWALL_VERSION" - else - verbosity="$VERBOSITY" - VERBOSITY=0 - - temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 ) - fi - - if [ -z "$temp" ]; then - version=0 - else - temp=${temp%-*} - ifs=$IFS - IFS=. - temp=$(echo $temp) - IFS=$ifs - digits=0 - - for temp in $temp; do - version=${version}$(printf '%02d' $temp) - digits=$(($digits + 1)) - [ $digits -eq 3 ] && break - done - fi - - echo $version - - VERBOSITY="$verbosity" -} - -# -# Do required exports or create the required option string and run the passed script using +# Create the required option string and run the passed script using # $SHOREWALL_SHELL # run_it() { local script local options - local version export VARDIR script=$1 shift - version=$(get_script_version $script) - - if [ $version -lt 040408 ]; then - # - # Old script that doesn't understand 4.4.8 script options - # - export RESTOREFILE - export VERBOSITY - export NOROUTES=$g_noroutes - export PURGE=$g_purge - export TIMESTAMP=$g_timestamp - export RECOVERING=$g_recovering - - case "$g_program" in - *-lite) - # - # Shorewall Lite - # - export LOGFORMAT - export IPTABLES - ;; - esac + if [ x$1 = xtrace -o x$1 = xdebug ]; then + options="$1 -" + shift; else - # - # 4.4.8 or later -- no additional exports required - # - if [ x$1 = xtrace -o x$1 = xdebug ]; then - options="$1 -" - shift; - else - options='-' - fi - - [ -n "$g_noroutes" ] && options=${options}n - [ -n "$g_timestamp" ] && options=${options}t - [ -n "$g_purge" ] && options=${options}p - [ -n "$g_recovering" ] && options=${options}r - [ -n "$g_counters" ] && 
options=${options}c - - options="${options}V $VERBOSITY" - - [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" + options='-' fi + [ -n "$g_noroutes" ] && options=${options}n + [ -n "$g_timestamp" ] && options=${options}t + [ -n "$g_purge" ] && options=${options}p + [ -n "$g_recovering" ] && options=${options}r + [ -n "$g_counters" ] && options=${options}c + + options="${options}V $VERBOSITY" + + [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" + $SHOREWALL_SHELL $script $options $@ } diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 5cec5f784..1abd4580f 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8109,20 +8109,6 @@ sub create_save_ipsets() { " done" , '', ); - } elsif ( $config{WORKAROUNDS} ) { - emit ( '' , - ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , - ' #', - ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , - ' #', - ' hack=\'| grep -v /31\'' , - ' else' , - ' hack=' , - ' fi' , - '', - ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' , - " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , - ' fi' ); } else { emit ( '', @@ -8175,7 +8161,6 @@ sub load_ipsets() { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { emit ( '', ); - emit ( 'local hack' ) if $config{WORKAROUNDS}; emit ( '', 'case $IPSET in', ' */*)', diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 1ca292ddd..d9f807bf1 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
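Review bot: In run_it (Shorewall-core/lib.common hunk) the final `$SHOREWALL_SHELL $script $options $@` expands `$@` unquoted, so a caller argument containing whitespace or glob characters is re-split before it reaches the compiled script; `$SHOREWALL_SHELL $script $options "$@"` passes the arguments through unchanged. The test `[ x$1 = xtrace -o x$1 = xdebug ]` has the same weakness, and `[ "x$1" = xtrace ] || [ "x$1" = xdebug ]` avoids a `test` syntax error on an argument with spaces. `$options` has to stay unquoted because it carries several words, which also means a `$RESTOREFILE` value containing whitespace would be split. A short comment such as `# RESTOREFILE must not contain whitespace; validated by the caller` would record that assumption, if it holds.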
@@ -2415,16 +2415,7 @@ sub compile_stop_firewall( $$$ ) { my $output = $filter_table->{OUTPUT}; my $forward = $filter_table->{FORWARD}; - if ( $config{WORKAROUNDS} ) { - emit <<'EOF'; -# -# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command -# -stop_firewall() { - local hack -EOF - } else { - emit <<'EOF'; + emit <<'EOF'; # # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command #