diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index c0cd88a2d..4d75f0480 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -869,7 +869,7 @@ sub allowInvalid ( $$$ ) {
 sub forwardUPnP ( $$$ ) {
 my $chainref = dont_optimize 'forwardUPnP';
- add_commands( $chainref , '[ -f ${VARDIR}/forwardUPnP ] && cat ${VARDIR}/forwardUPnP >&3' );
+ add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 sub allowinUPnP ( $$$ ) {
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index aaaab1f11..3b86ec9f8 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -303,6 +303,56 @@ sub generate_script_2() {
 }
+#
+# Emit code to save the dynamic chains to hidden files in ${VARDIR}
+#
+
+sub save_dynamic_chains() {
+
+ emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = restore ]; then' );
+ push_indent;
+
+ if ( $family == F_IPV4 ) {
+ emit( 'local iptables_save' ,
+ 'iptables_save=${IPTABLES}-save' );
+ } else {
+ emit( 'local iptables_save' ,
+ 'iptables_save=${IP6TABLES}-save' );
+ }
+
+ emit ( q(if chain_exists "UPnP -t nat"; then) ,
+ q( $iptables_save -t nat | grep '^-A UPnP ' > ${VARDIR}/.UPnP) ,
+ q(else) ,
+ q( rm -f ${VARDIR}/UPnP) ,
+ q(fi) ,
+ '' ,
+ q(if chain_exists forwardUPnP; then) ,
+ q( $iptables_save -t filter | grep '^-A forwardUPnP ' > ${VARDIR}/.forwardUPnP) ,
+ q(else) ,
+ q( rm -f ${VARDIR}/forwardUPnP) ,
+ q(fi) ,
+ '' ,
+ q(if chain_exists dynamic; then) ,
+ q( $iptables_save -t filter | grep '^-A dynamic ' > ${VARDIR}/.dynamic) ,
+ q(else) ,
+ q( rm -f ${VARDIR}/dynamic) ,
+ q(fi)
+ );
+
+ pop_indent;
+ emit ( 'else' );
+ push_indent;
+
+ emit ( 'rm -f ${VARDIR}/UPnP' );
+ emit ( 'rm -f ${VARDIR}/forwardUPnP' );
+ emit ( 'rm -f ${VARDIR}/dynamic' );
+
+ pop_indent;
+
+ emit ( 'fi' ,
+ '' );
+}
+
 #
 # Final stage of script generation.
 #
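Review bot: The cleanup paths in save_dynamic_chains still remove the old undotted files while the save paths now write `${VARDIR}/.UPnP`, `.forwardUPnP` and `.dynamic`: the three inner else branches of the form `q( rm -f ${VARDIR}/UPnP)` and the three `emit ( 'rm -f ${VARDIR}/UPnP' );` lines after the outer `else` all name the undotted file. Since the readers in the Actions.pm hunk above and in the Rules.pm hunks now `cat` the dotted files into the restore stream, a hidden file saved on one restart is never removed when the chain no longer exists at the next restart or when the command is not restart/restore, so stale saved rules (UPnP forwards, entries in the dynamic chain) can be re-applied on a later start. Rename the target in all six rm lines, e.g. `emit ( 'rm -f ${VARDIR}/.UPnP' ); emit ( 'rm -f ${VARDIR}/.forwardUPnP' ); emit ( 'rm -f ${VARDIR}/.dynamic' );` with the same change in the three inner branches. If the undotted removals are intentionally kept to clear files left by earlier releases, add the dotted removals alongside them and say so in the header comment.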
@@ -427,49 +477,8 @@ sub generate_script_3($) {
 ' run_init_exit', 'fi', '' );
-
- emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = restore ]; then' );
- push_indent;
- if ( $family == F_IPV4 ) {
- emit( 'local iptables_save' ,
- 'iptables_save=${IPTABLES}-save' );
- } else {
- emit( 'local iptables_save' ,
- 'iptables_save=${IP6TABLES}-save' );
- }
-
- emit ( q(if chain_exists "UPnP -t nat"; then) ,
- q( $iptables_save -t nat | grep '^-A UPnP ' > ${VARDIR}/UPnP) ,
- q(else) ,
- q( rm -f ${VARDIR}/UPnP) ,
- q(fi) ,
- '' ,
- q(if chain_exists forwardUPnP; then) ,
- q( $iptables_save -t filter | grep '^-A forwardUPnP ' > ${VARDIR}/forwardUPnP) ,
- q(else) ,
- q( rm -f ${VARDIR}/forwardUPnP) ,
- q(fi) ,
- '' ,
- q(if chain_exists dynamic; then) ,
- q( $iptables_save -t filter | grep '^-A dynamic ' > ${VARDIR}/dynamic) ,
- q(else) ,
- q( rm -f ${VARDIR}/dynamic) ,
- q(fi)
- );
-
- pop_indent;
- emit ( 'else' );
- push_indent;
-
- emit ( 'rm -f ${VARDIR}/UPnP' );
- emit ( 'rm -f ${VARDIR}/forwardUPnP' );
- emit ( 'rm -f ${VARDIR}/dynamic' );
-
- pop_indent;
-
- emit ( 'fi' ,
- '' );
+ save_dynamic_chains;
 mark_firewall_not_started;
@@ -493,6 +502,7 @@ sub generate_script_3($) {
 } else {
 emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '' );
+ save_dynamic_chains;
 mark_firewall_not_started;
 emit '';
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 4e1ddca43..5308caab9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -443,7 +443,7 @@ sub add_common_rules() {
 add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 $chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
- add_commands( $chainref, '[ -f ${VARDIR}/dynamic ] && cat ${VARDIR}/dynamic >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 }
 setup_mss;
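Review bot: The `save_dynamic_chains;` added in the else branch of the second hunk emits `local iptables_save`, which shells such as dash accept only inside a function body; the if branch that previously held this code presumably runs inside the generated script's function, so confirm the else branch's output at this point is also inside a function, otherwise the generated script fails at run time on that line. A one-line comment at the new call site would also record the intent, e.g. `# save the dynamic chains before the firewall is marked stopped`. generate_script_3 starts and ends outside both hunks.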
@@ -650,7 +650,7 @@ sub add_common_rules() {
 $chainref = dont_optimize new_nat_chain( 'UPnP' );
- add_commands( $chainref, '[ -s /${VARDIR}/UPnP ] && cat ${VARDIR}/UPnP >&3' );
+ add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 $announced = 1;