From afbb93ca8a1e0ba7c3df6641bb022fd2ca0aac3d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 7 Jun 2010 13:07:33 -0700 Subject: [PATCH] More changes having to do with with dynamic chains Signed-off-by: Tom Eastep --- Shorewall-lite/shorewall-lite | 7 +------ Shorewall/Perl/Shorewall/Compiler.pm | 18 ++++++++++++------ Shorewall/Perl/prog.header | 28 ---------------------------- Shorewall/Perl/prog.header6 | 28 ---------------------------- Shorewall/lib.cli | 12 +----------- Shorewall/shorewall | 1 + 6 files changed, 15 insertions(+), 79 deletions(-) diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 7c951fe12..a63e29217 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -777,14 +777,9 @@ case "$COMMAND" in g_restorepath=${VARDIR}/$RESTOREFILE if [ -x $g_restorepath ]; then - - if [ -x ${g_restorepath}-ipsets ]; then - rm -f ${g_restorepath}-ipsets - echo " ${g_restorepath}-ipsets removed" - fi - rm -f $g_restorepath rm -f ${g_restorepath}-iptables + rm -f ${g_restorepath}-ipsets echo " $g_restorepath removed" elif [ -f $g_restorepath ]; then echo " $g_restorepath exists and is not a saved Shorewall configuration" diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index fa087655b..0ff445035 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -327,7 +327,7 @@ else rm -f \${VARDIR}/.forwardUPnP fi -if chain_exists dynamic; then +if [ "\$COMMAND" = restart ] && chain_exists dynamic; then $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic else rm -f \${VARDIR}/.dynamic 
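Review bot: The added `rm -f ${g_restorepath}-ipsets` in the shorewall-lite hunk leaves the expansion unquoted and, like the two `rm -f` lines above it, its result is never checked: `-f` only silences the missing-file case, a permission or read-only filesystem error still returns non-zero while the `removed` message on the next line is printed anyway. Dropping the old `-x` test on the ipsets dump is an improvement (a saved ipset listing is data, not a script), so only the new line itself needs tightening: `rm -f -- "${g_restorepath}-ipsets"`. Since the old branch reported the ipsets removal separately, it may be worth a comment that the single `removed` message now covers the restore script, its iptables dump and its ipsets dump. The enclosing `case "$COMMAND"` arm and its `if` start outside the hunk.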
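Review bot: The new `[ "\$COMMAND" = restart ]` guard in the first Compiler.pm hunk silently changes the outcome for every other command that reaches this branch: `chain_exists dynamic` is no longer consulted and the `else` arm deletes `\${VARDIR}/.dynamic`, so entries added through the dynamic chain are discarded unless the command is exactly `restart` (stop and clear get their own dump in the next hunk). If that is intended it deserves a line in the emitted script, e.g. `# only restart carries the dynamic chain across; stop/clear dump it in the else branch, anything else discards it`. Note also that the dump on the following line depends on `$tool` (presumably an iptables-save variant; its definition is not in this hunk) succeeding, and grep's status alone cannot tell a failed dump from an empty chain, so a failure leaves an empty `.dynamic`; that is pre-existing, but the restart-only condition now makes this the sole path by which dynamic rules survive a restart. The surrounding `emit <<"EOF"` heredoc and its enclosing sub start before the hunk.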
@@ -338,10 +338,17 @@ EOF emit ( 'else' ); push_indent; -emit <<'EOF'; -rm -f ${VARDIR}/.UPnP -rm -f ${VARDIR}/.forwardUPnP -rm -f ${VARDIR}/.dynamic +emit <<"EOF"; +rm -f \${VARDIR}/.UPnP +rm -f \${VARDIR}/.forwardUPnP + +if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then + if chain_exists dynamic; then + $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic + else + rm -f \${VARDIR}/.dynamic + fi +fi EOF pop_indent; @@ -569,7 +576,6 @@ EOF set_state "Started" else setup_netfilter - restore_dynamic_rules conditionally_flush_conntrack EOF setup_forwarding( $family , 0 ); diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index 0de5a49ea..312d14a57 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header @@ -774,34 +774,6 @@ run_tc() { fi } -# -# Restore the rules generated by 'drop','reject','logdrop', etc. -# -restore_dynamic_rules() { - if [ -f ${VARDIR}/save ]; then - progress_message2 "Setting up dynamic rules..." - rangematch='source IP range' - while read target ignore1 ignore2 address ignore3 rest; do - case $target in - DROP|reject|logdrop|logreject) - case $rest in - $rangematch*) - run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target - ;; - *) - if [ -z "$rest" ]; then - run_iptables -A dynamic -s $address -j $target - else - error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\"" - fi - ;; - esac - ;; - esac - done < ${VARDIR}/save - fi -} - # # Get a list of all configured broadcast addresses on the system # diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 63adcbe18..06b9fcdd2 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 
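Review bot: The emitted test `[ "\$COMMAND" = stop -o "\$COMMAND" = clear ]` relies on the `-o` operator, which POSIX marks obsolescent and whose parsing is unspecified once `test` sees more than four arguments; split it into two tests so the generated script does not depend on the host shell's `test` implementation: `if [ "\$COMMAND" = stop ] || [ "\$COMMAND" = clear ]; then`. The switch from `<<'EOF'` to `<<"EOF"` is correct for interpolating `$tool`, and the `\$`/`\${VARDIR}` escapes are all in place. This dump duplicates the restart-path pipeline from the earlier hunk verbatim; emitting a small shell helper once and calling it from both places would keep the two in step. Separately, this patch later removes `restore_dynamic_rules` from the start path without showing what replays `.dynamic`, presumably an earlier commit in this series — worth confirming before the remaining fallback is gone. The enclosing sub starts outside the hunk.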
@@ -728,34 +728,6 @@ run_tc() { fi } -# -# Restore the rules generated by 'drop','reject','logdrop', etc. -# -restore_dynamic_rules() { - if [ -f ${VARDIR}/save ]; then - progress_message2 "Setting up dynamic rules..." - rangematch='source IP range' - while read target ignore1 ignore2 address ignore3 rest; do - case $target in - DROP|reject|logdrop|logreject) - case $rest in - $rangematch*) - run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target - ;; - *) - if [ -z "$rest" ]; then - run_iptables -A dynamic -s $address -j $target - else - error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\"" - fi - ;; - esac - ;; - esac - done < ${VARDIR}/save - fi -} - # # Run the .iptables_restore_input as a set of discrete iptables commands # diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index e439941ce..f96f29283 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -362,17 +362,7 @@ save_config() { ;; *) validate_restorefile RESTOREFILE - - if chain_exists dynamic; then - if $IPTABLES -L dynamic -n > ${VARDIR}/save; then - echo " Dynamic Rules Saved" - do_save - else - echo "Error Saving the Dynamic Rules" >&2 - fi - else - do_save && rm -f ${VARDIR}/save - fi + do_save && rm -f ${VARDIR}/save ;; esac fi diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 34d18ead0..e27e3c2f2 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1829,6 +1829,7 @@ case "$COMMAND" in if [ -x $g_restorepath ]; then rm -f $g_restorepath rm -f ${g_restorepath}-iptables + rm -f ${g_restorepath}-ipsets echo " $g_restorepath removed" elif [ -f $g_restorepath ]; then echo " $g_restorepath exists and is not a saved Shorewall configuration"
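Review bot: In the lib.cli hunk, the surviving `do_save && rm -f ${VARDIR}/save` now runs on every successful save, so `${VARDIR}/save` is only a leftover from the dynamic-chain listing this commit stops writing; without a comment a later reader will wonder what creates it, e.g. `# ${VARDIR}/save held the dynamic chain listing in earlier releases; it is no longer written, so remove any leftover`. The change also drops the separate `Dynamic Rules Saved` / `Error Saving the Dynamic Rules` reporting, which is only safe if `do_save` (defined outside this hunk) already captures the dynamic chain as part of its dump — presumably it does, but the commit message should say so. While here, quote the expansion: `do_save && rm -f -- "${VARDIR}/save"`. The enclosing `case` and the rest of `save_config` start outside the hunk.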
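Review bot: The new `rm -f ${g_restorepath}-ipsets` in the shorewall hunk mirrors the shorewall-lite change but inherits the same gaps: the expansion is unquoted and a removal failure (anything other than a missing file) is not reflected in the `removed` message printed on the next line. Quoting the new line is cheap, `rm -f -- "${g_restorepath}-ipsets"`, and since the `-x` test two lines up only checks the main restore script, a short comment that the iptables and ipsets dumps are removed alongside it whenever the script exists would make the intent explicit. The enclosing `if` and `case "$COMMAND"` arm begin before the hunk.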