Remove all workarounds

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -388,30 +388,16 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if [ -n "$WORKAROUNDS" ]; then
+	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $g_restorepath
-		cp -f ${VARDIR}/firewall $g_restorepath
+	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+	    chmod +x $g_restorepath
-		chmod +x $g_restorepath
+	    echo "   Currently-running Configuration Saved to $g_restorepath"
-		echo "   Currently-running Configuration Saved to $g_restorepath"
+	    run_user_exit save
-		run_user_exit save
-	    else
-		rm -f ${VARDIR}/restore-$$
-		echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		status=1
-	    fi
 	else
-	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	    rm -f ${VARDIR}/restore-$$
-		cp -f ${VARDIR}/firewall $g_restorepath
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+	    status=1
-		chmod +x $g_restorepath
-		echo "   Currently-running Configuration Saved to $g_restorepath"
-		run_user_exit save
-	    else
-		rm -f ${VARDIR}/restore-$$
-		echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		status=1
-	    fi
 	fi
     else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
@@ -423,24 +409,11 @@ do_save() {
 	    resolve_arptables
 
 	    if [ -n "$arptables" ]; then
-		if [ -n "$WORKAROUNDS" ]; then
+		if ${arptables}-save > ${VARDIR}/restore-$$; then
-	            #
+		    if grep -q '^-A' ${VARDIR}/restore-$$; then
-	            # 'sed' command is a hack to work around broken arptables_jf
+			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-	            #
+		    else
-		    if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+			rm -f ${VARDIR}/restore-$$
-			if grep -q '^-A' ${VARDIR}/restore-$$; then
-			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			else
-			    rm -f ${VARDIR}/restore-$$
-			fi
-		    fi
-		else
-		    if ${arptables}-save > ${VARDIR}/restore-$$; then
-			if grep -q '^-A' ${VARDIR}/restore-$$; then
-			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			else
-			    rm -f ${VARDIR}/restore-$$
-			fi
 		    fi
 		fi
 	    else
@@ -481,24 +454,7 @@ do_save() {
 		esac
 
 		if [ -n "$IPSET" ]; then
-		    if [ -n "$WORKAROUNDS" ]; then
+		    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
-			if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-			    #
-			    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-			    #
-			    hack='| grep -v /31'
-			else
-			    hack=
-			fi
-
-			if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-			    #
-			    # Don't save an 'empty' file
-			    #
-			    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-			fi
-		    fi
-		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
 		    #
 		    # Don't save an 'empty' file
 		    #

Shorewall-core/lib.common

@@ -89,108 +89,35 @@ not_configured_error() # $@ = Message
 }
 
 #
-# Get the Shorewall version of the passed script
+# Create the required option string and run the passed script using
-#
-get_script_version() { # $1 = script
-    local temp
-    local version
-    local ifs
-    local digits
-    local verbosity
-
-    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
-	#
-	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
-	# determined that re-compilation wasn't needed
-	#
-	temp="$SHOREWALL_VERSION"
-    else
-	verbosity="$VERBOSITY"
-	VERBOSITY=0
-
-	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
-    fi
-
-    if [ -z "$temp" ]; then
-	version=0
-    else
-	temp=${temp%-*}
-	ifs=$IFS
-	IFS=.
-	temp=$(echo $temp)
-	IFS=$ifs
-	digits=0
-
-	for temp in $temp; do
-	    version=${version}$(printf '%02d' $temp)
-	    digits=$(($digits + 1))
-	    [ $digits -eq 3 ] && break
-	done
-    fi
-
-    echo $version
-
-    VERBOSITY="$verbosity"
-}
-
-#
-# Do required exports or create the required option string and run the passed script using
 # $SHOREWALL_SHELL
 #
 run_it() {
     local script
     local options
-    local version
 
     export VARDIR
 
     script=$1
     shift
 
-    version=$(get_script_version $script)
+    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-
+	options="$1 -"
-    if [ $version -lt 040408 ]; then
+	shift;
-	#
-	# Old script that doesn't understand 4.4.8 script options
-	#
-	export RESTOREFILE
-	export VERBOSITY
-	export NOROUTES=$g_noroutes
-	export PURGE=$g_purge
-	export TIMESTAMP=$g_timestamp
-	export RECOVERING=$g_recovering
-
-	case "$g_program" in
-	    *-lite)
-		#
-		# Shorewall Lite
-		#
-		export LOGFORMAT
-		export IPTABLES
-		;;
-	esac
     else
-	#
+	options='-'
-	# 4.4.8 or later -- no additional exports required
-	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
-
-	[ -n "$g_noroutes" ]   && options=${options}n
-	[ -n "$g_timestamp" ]  && options=${options}t
-	[ -n "$g_purge" ]      && options=${options}p
-	[ -n "$g_recovering" ] && options=${options}r
-	[ -n "$g_counters" ]   && options=${options}c
-
-	options="${options}V $VERBOSITY"
-
-	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
     fi
 
+    [ -n "$g_noroutes" ]   && options=${options}n
+    [ -n "$g_timestamp" ]  && options=${options}t
+    [ -n "$g_purge" ]      && options=${options}p
+    [ -n "$g_recovering" ] && options=${options}r
+    [ -n "$g_counters" ]   && options=${options}c
+
+    options="${options}V $VERBOSITY"
+
+    [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
+
     $SHOREWALL_SHELL $script $options $@
 }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -8109,20 +8109,6 @@ sub create_save_ipsets() {
 		      "    done" ,
 		      '',
 		    );
-	    } elsif ( $config{WORKAROUNDS} ) {
-		emit ( '' ,
-		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		       '        #',
-		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		       '        #',
-		       '        hack=\'| grep -v /31\'' ,
-		       '    else' ,
-		       '        hack=' ,
-		       '    fi' ,
-		       '',
-		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
-		       '    fi' );
 	    } else {
 		emit ( 
 		       '',
@@ -8175,7 +8161,6 @@ sub load_ipsets() {
 
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '', );
-	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
 	       'case $IPSET in',
 	       '    */*)',

Shorewall/Perl/Shorewall/Misc.pm

@@ -2415,16 +2415,7 @@ sub compile_stop_firewall( $$$ ) {
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
 
-    if ( $config{WORKAROUNDS} ) {
+    emit <<'EOF';
-	emit <<'EOF';
-#
-# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
-#
-stop_firewall() {
-    local hack
-EOF
-    } else {
-	emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #