diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index fa74d8754..479986dd8 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5571,12 +5571,37 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
- my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+ my $tool;
 emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
 push_indent;
-emit <<"EOF";
+ if ( have_capability 'IPTABLES_S' ) {
+ $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+
+ emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+ $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
+else
+ rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+ $tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
+else
+ rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+ $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+else
+ rm -f \${VARDIR}/.dynamic
+fi
+EOF
+ } else {
+ $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+ emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
 $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -5595,6 +5620,7 @@ else
 rm -f \${VARDIR}/.dynamic
 fi
 EOF
+ }
 pop_indent;
 emit ( 'else' );
@@ -5603,13 +5629,23 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
+EOF
-if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
- if chain_exists dynamic; then
- $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+ if ( have_capability 'IPTABLES_S' ) {
+ emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+ qq( if chain_exists dynamic; then),
+ qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
+ } else {
+ emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+ qq( if chain_exists dynamic; then),
+ qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
+ }
+
+emit <<"EOF";
 fi
 fi
 EOF
+
 pop_indent;
 emit ( 'fi' ,
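Review bot: In the new IPTABLES_S heredoc, `$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic` (and the two UPnP lines above it) yields only tail's exit status, so when `$tool -S` itself fails — for instance while another process holds the xtables lock — the redirection still truncates the file and the generated script carries on with an empty saved chain. The replaced `grep` pipeline had the same gap, but this is the branch being written now, and an empty `.dynamic` presumably reads back as "no dynamic rules", which would silently discard the run-time entries across the restart. Checking the save step on its own (capture the `-S` listing into a temporary file or variable, and only then strip the first line into the final file, falling back to the existing `rm -f`) would close that. `tail -n +2` also assumes the first line of `-S <chain>` output is the `-N <chain>` declaration; keeping a `grep '^-A dynamic '` filter on the `-S` output would not depend on that ordering. save_dynamic_chains starts in this hunk and continues through the following two hunks and beyond.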
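Review bot: In the third hunk, `$tool` was assigned inside the `if ( have_capability 'IPTABLES_S' )`/`else` of the first hunk, and the command emitted here is chosen by repeating that same test, so the save command only matches the tool as long as both tests are kept in step; the duplicated `if [ "\$COMMAND" = stop ...` and `if chain_exists dynamic` lines in the two `emit( qq(...) )` calls make that dependency easy to miss. Computing the dynamic-save command once and emitting a single block keeps the two decisions next to each other and removes the duplicated lines. The enclosing sub begins in the first hunk and ends after this one.
```perl
    # … unchanged: heredoc removing .UPnP and .forwardUPnP …
    # $tool was chosen above by the same IPTABLES_S test; keep the two in step.
    my $save_dynamic = have_capability( 'IPTABLES_S' )
        ? "$tool -S dynamic | tail -n +2"
        : "$tool -t filter | grep '^-A dynamic '";

    emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
          qq(    if chain_exists dynamic; then),
          qq(        $save_dynamic > \${VARDIR}/.dynamic) );
    # … unchanged: closing fi/fi heredoc, pop_indent …
```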
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 03f82f11a..bf3b4e75c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -281,6 +281,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
 AUDIT_TARGET => 'AUDIT Target',
 RAWPOST_TABLE => 'Rawpost Table',
 CONDITION_MATCH => 'Condition Match',
+ IPTABLES_S => 'iptables -S',
 CAPVERSION => 'Capability Version',
 KERNELVERSION => 'Kernel Version',
 );
@@ -666,6 +667,7 @@ sub initialize( $ ) {
 ACCOUNT_TARGET => undef,
 AUDIT_TARGET => undef,
 CONDITION_MATCH => undef,
+ IPTABLES_S => undef,
 CAPVERSION => undef,
 KERNELVERSION => undef,
 );
@@ -2715,6 +2717,10 @@ sub Audit_Target() {
 qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
+sub Iptables_S() {
+ qt1( "$iptables -S INPUT" )
+}
+
 our %detect_capability =
 ( ACCOUNT_TARGET =>\&Account_Target,
 AUDIT_TARGET => \&Audit_Target,
@@ -2740,6 +2746,7 @@ our %detect_capability =
 IPSET_MATCH => \&IPSet_Match,
 OLD_IPSET_MATCH => \&Old_IPSet_Match,
 IPSET_V5 => \&IPSET_V5,
+ IPTABLES_S => \&Iptables_S,
 KLUDGEFREE => \&Kludgefree,
 LENGTH_MATCH => \&Length_Match,
 LOGMARK_TARGET => \&Logmark_Target,
@@ -2895,6 +2902,7 @@ sub determine_capabilities() {
 $capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
 $capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
 $capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+ $capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
 qt1( "$iptables -F $sillyname" );
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index a3356e2db..1029cb336 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1732,6 +1732,7 @@ determine_capabilities() {
 ACCOUNT_TARGET=
 AUDIT_TARGET=
 CONDITION_MATCH=
+ IPTABLES_S=
 chain=fooX$$
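Review bot: The new `sub Iptables_S()` introduces a capability that the generated script branches on, yet nothing in this diff raises the capability version — `CAPVERSION => 'Capability Version'` appears only as unchanged context in the `%capdesc` hunk — so a capabilities file produced before this change would presumably still be accepted with `IPTABLES_S` undefined; that falls through to the `iptables-save` path, which is the safe direction, but it is worth confirming that a version bump lives outside this diff if that is the project's convention for new capabilities. As a point of style, the probe lacks the trailing semicolon its neighbour `Audit_Target` uses: `qt1( "$iptables -S INPUT" );`. Optionally, probing the scratch chain the surrounding tests already use, `qt1( "$iptables -S $sillyname" );`, keeps detection confined to that chain; `-S INPUT` is read-only, so this is only a nit.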
@@ -1883,6 +1884,7 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
 qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
 qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+ qt $IPTABLES -S INPUT && IPTABLES_S=Yes
 qt $IPTABLES -F $chain
 qt $IPTABLES -X $chain
 qt $IPTABLES -F $chain1
@@ -1978,6 +1980,7 @@ report_capabilities() {
 report_capability "AUDIT Target" $AUDIT_TARGET
 report_capability "ipset V5" $IPSET_V5
 report_capability "Condition Match" $CONDITION_MATCH
+ report_capability "iptables -S" $IPTABLES_S
 fi
 [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2049,6 +2052,7 @@ report_capabilities1() {
 report_capability1 AUDIT_TARGET
 report_capability1 IPSET_V5
 report_capability1 CONDITION_MATCH
+ report_capability1 IPTABLES_S
 echo CAPVERSION=$SHOREWALL_CAPVERSION
 echo KERNELVERSION=$KERNELVERSION
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 6b4848b22..c2db44fd0 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1559,6 +1559,7 @@ determine_capabilities() {
 AUDIT_TARGET=
 IPSET_V5=
 CONDITION_MATCH=
+ IPTABLES_S=
 chain=fooX$$
@@ -1711,6 +1712,7 @@ determine_capabilities() {
 qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
 qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
 qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+ qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
 qt $IP6TABLES -F $chain
@@ -1805,6 +1807,7 @@ report_capabilities() {
 report_capability "AUDIT Target" $AUDIT_TARGET
 report_capability "ipset V5" $IPSET_V5
 report_capability "Condition Match" $CONDITION_MATCH
+ report_capability "ip6tables -S" $IPTABLES_S
 fi
 [ -n "$PKTTYPE" ] || USEPKTTYPE=
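Review bot: In the Shorewall6/lib.cli `report_capabilities()` hunk the label is `"ip6tables -S"`, while Shorewall/lib.cli and the shared `%capdesc` entry in Config.pm both call the same capability `'iptables -S'`; if the Perl-side report for IPv6 draws its labels from `%capdesc`, the two reports will describe one capability two ways. The neighbouring entries (`"AUDIT Target"`, `"Condition Match"`) use a single label in all three places, so `report_capability "iptables -S" $IPTABLES_S` here would keep that consistent. This is cosmetic only; the `IPTABLES_S=Yes` probe and the `report_capability1 IPTABLES_S` line are fine as written.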
@@ -1873,6 +1876,7 @@ report_capabilities1() {
 report_capability1 AUDIT_TARGET
 report_capability1 IPSET_V5
 report_capability1 CONDITION_MATCH
+ report_capability1 IPTABLES_S
 echo CAPVERSION=$SHOREWALL_CAPVERSION
 echo KERNELVERSION=$KERNELVERSION