Make dynamic chain saving work with IPv6
Also, use hidden files to save the chain contents. Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
0d101799ec
commit
a77abaf694
@ -869,7 +869,7 @@ sub allowInvalid ( $$$ ) {
|
|||||||
|
|
||||||
sub forwardUPnP ( $$$ ) {
|
sub forwardUPnP ( $$$ ) {
|
||||||
my $chainref = dont_optimize 'forwardUPnP';
|
my $chainref = dont_optimize 'forwardUPnP';
|
||||||
add_commands( $chainref , '[ -f ${VARDIR}/forwardUPnP ] && cat ${VARDIR}/forwardUPnP >&3' );
|
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowinUPnP ( $$$ ) {
|
sub allowinUPnP ( $$$ ) {
|
||||||
|
@ -303,6 +303,56 @@ sub generate_script_2() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Emit code to save the dynamic chains to hidden files in ${VARDIR}
|
||||||
|
#
|
||||||
|
|
||||||
|
sub save_dynamic_chains() {
|
||||||
|
|
||||||
|
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = restore ]; then' );
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
emit( 'local iptables_save' ,
|
||||||
|
'iptables_save=${IPTABLES}-save' );
|
||||||
|
} else {
|
||||||
|
emit( 'local iptables_save' ,
|
||||||
|
'iptables_save=${IP6TABLES}-save' );
|
||||||
|
}
|
||||||
|
|
||||||
|
emit ( q(if chain_exists "UPnP -t nat"; then) ,
|
||||||
|
q( $iptables_save -t nat | grep '^-A UPnP ' > ${VARDIR}/.UPnP) ,
|
||||||
|
q(else) ,
|
||||||
|
q( rm -f ${VARDIR}/UPnP) ,
|
||||||
|
q(fi) ,
|
||||||
|
'' ,
|
||||||
|
q(if chain_exists forwardUPnP; then) ,
|
||||||
|
q( $iptables_save -t filter | grep '^-A forwardUPnP ' > ${VARDIR}/.forwardUPnP) ,
|
||||||
|
q(else) ,
|
||||||
|
q( rm -f ${VARDIR}/forwardUPnP) ,
|
||||||
|
q(fi) ,
|
||||||
|
'' ,
|
||||||
|
q(if chain_exists dynamic; then) ,
|
||||||
|
q( $iptables_save -t filter | grep '^-A dynamic ' > ${VARDIR}/.dynamic) ,
|
||||||
|
q(else) ,
|
||||||
|
q( rm -f ${VARDIR}/dynamic) ,
|
||||||
|
q(fi)
|
||||||
|
);
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
emit ( 'else' );
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
emit ( 'rm -f ${VARDIR}/UPnP' );
|
||||||
|
emit ( 'rm -f ${VARDIR}/forwardUPnP' );
|
||||||
|
emit ( 'rm -f ${VARDIR}/dynamic' );
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
|
emit ( 'fi' ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Final stage of script generation.
|
# Final stage of script generation.
|
||||||
#
|
#
|
||||||
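Review bot: The `rm -f` lines emitted by save_dynamic_chains still name the old non-hidden files (`${VARDIR}/UPnP`, `${VARDIR}/forwardUPnP`, `${VARDIR}/dynamic`), while the save lines now write `${VARDIR}/.UPnP`, `${VARDIR}/.forwardUPnP` and `${VARDIR}/.dynamic`. When a chain no longer exists, or the command is neither restart nor restore, the hidden file from an earlier run is therefore left behind. The chain-creation lines changed elsewhere in this commit would then `cat` that stale file back into the ruleset, re-adding UPnP forwards or dynamic entries that should have been dropped. The three inner else branches and the three lines of the outer else block should become `rm -f ${VARDIR}/.UPnP`, `rm -f ${VARDIR}/.forwardUPnP` and `rm -f ${VARDIR}/.dynamic`. The same emitted block is also produced by the call added in the second generate_script_3 hunk, so the fix covers both paths.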
@ -428,48 +478,7 @@ sub generate_script_3($) {
|
|||||||
'fi',
|
'fi',
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = restore ]; then' );
|
save_dynamic_chains;
|
||||||
push_indent;
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
emit( 'local iptables_save' ,
|
|
||||||
'iptables_save=${IPTABLES}-save' );
|
|
||||||
} else {
|
|
||||||
emit( 'local iptables_save' ,
|
|
||||||
'iptables_save=${IP6TABLES}-save' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( q(if chain_exists "UPnP -t nat"; then) ,
|
|
||||||
q( $iptables_save -t nat | grep '^-A UPnP ' > ${VARDIR}/UPnP) ,
|
|
||||||
q(else) ,
|
|
||||||
q( rm -f ${VARDIR}/UPnP) ,
|
|
||||||
q(fi) ,
|
|
||||||
'' ,
|
|
||||||
q(if chain_exists forwardUPnP; then) ,
|
|
||||||
q( $iptables_save -t filter | grep '^-A forwardUPnP ' > ${VARDIR}/forwardUPnP) ,
|
|
||||||
q(else) ,
|
|
||||||
q( rm -f ${VARDIR}/forwardUPnP) ,
|
|
||||||
q(fi) ,
|
|
||||||
'' ,
|
|
||||||
q(if chain_exists dynamic; then) ,
|
|
||||||
q( $iptables_save -t filter | grep '^-A dynamic ' > ${VARDIR}/dynamic) ,
|
|
||||||
q(else) ,
|
|
||||||
q( rm -f ${VARDIR}/dynamic) ,
|
|
||||||
q(fi)
|
|
||||||
);
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
emit ( 'else' );
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
emit ( 'rm -f ${VARDIR}/UPnP' );
|
|
||||||
emit ( 'rm -f ${VARDIR}/forwardUPnP' );
|
|
||||||
emit ( 'rm -f ${VARDIR}/dynamic' );
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit ( 'fi' ,
|
|
||||||
'' );
|
|
||||||
|
|
||||||
mark_firewall_not_started;
|
mark_firewall_not_started;
|
||||||
|
|
||||||
@ -493,6 +502,7 @@ sub generate_script_3($) {
|
|||||||
} else {
|
} else {
|
||||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||||
'' );
|
'' );
|
||||||
|
save_dynamic_chains;
|
||||||
mark_firewall_not_started;
|
mark_firewall_not_started;
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
|
@ -443,7 +443,7 @@ sub add_common_rules() {
|
|||||||
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
|
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
|
||||||
$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
|
$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
|
||||||
add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
|
add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
|
||||||
add_commands( $chainref, '[ -f ${VARDIR}/dynamic ] && cat ${VARDIR}/dynamic >&3' );
|
add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_mss;
|
setup_mss;
|
||||||
@ -650,7 +650,7 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
$chainref = dont_optimize new_nat_chain( 'UPnP' );
|
$chainref = dont_optimize new_nat_chain( 'UPnP' );
|
||||||
|
|
||||||
add_commands( $chainref, '[ -s /${VARDIR}/UPnP ] && cat ${VARDIR}/UPnP >&3' );
|
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
|
||||||
|
|
||||||
$announced = 1;
|
$announced = 1;
|
||||||
|
|
||||||
|
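Review bot: The existence test on the changed add_commands line checks `/${VARDIR}/.UPnP` while the `cat` reads `${VARDIR}/.UPnP`, and it uses `-s` where the forwardUPnP and dynamic lines in this commit use `-f`. The leading slash predates this commit and is probably harmless when VARDIR is an absolute path, but since the line is being touched the two paths should be made identical: `add_commands( $chainref, '[ -s ${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );`. A one-line comment saying whether `-s` (non-empty) rather than `-f` is intentional for this chain would help the next reader. The body of add_common_rules continues outside the hunk.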