Remove extra logic

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/shorewall-init.spec

@@ -99,8 +99,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/shorewall-lite

@@ -777,14 +777,9 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	if [ -x $g_restorepath ]; then
-
-	    if [ -x ${g_restorepath}-ipsets ]; then
-		rm -f ${g_restorepath}-ipsets
-		echo "    ${g_restorepath}-ipsets removed"
-	    fi
-
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall-lite/shorewall-lite.spec

@@ -102,8 +102,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall/Perl/Shorewall/Actions.pm

@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_10';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -868,7 +868,8 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
-    dont_optimize 'forwardUPnP';
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 
 sub allowinUPnP ( $$$ ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -161,6 +161,8 @@ our %EXPORT_TAGS = (
 				       get_interface_mac
 				       have_global_variables
 				       set_global_variables
+				       save_dynamic_chains
+				       load_ipsets
 				       create_netfilter_load
 				       preview_netfilter_load
 				       create_chainlist_reload
@@ -3591,6 +3593,128 @@ sub emitr1( $$ ) {
     }
 }
 
+#
+# Emit code to save the dynamic chains to hidden files in ${VARDIR}
+#
+
+sub save_dynamic_chains() {
+
+    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
+    push_indent;
+
+emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
+else
+    rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
+else
+    rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+else
+    rm -f \${VARDIR}/.dynamic
+fi
+EOF
+
+    pop_indent;
+    emit ( 'else' );
+    push_indent;
+
+emit <<"EOF";
+rm -f \${VARDIR}/.UPnP
+rm -f \${VARDIR}/.forwardUPnP
+
+if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
+    if chain_exists dynamic; then
+        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    fi
+fi
+EOF
+    pop_indent;
+
+    emit ( 'fi' ,
+	   '' );
+}
+
+sub load_ipsets() {
+
+    my @ipsets = all_ipsets;
+
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
+	emit ( '',
+	       'local hack',
+	       '',
+	       'case $IPSET in',
+	       '    */*)',
+	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+	       '        ;;',
+	       '    *)',
+	       '        IPSET="$(mywhich $IPSET)"',
+	       '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+	       '        ;;',
+	       'esac',
+	       '',
+	       'if [ "$COMMAND" = start ]; then' ,
+	       '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+	       '        $IPSET -F' ,
+	       '        $IPSET -X' ,
+	       '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+	       '    fi' ,
+	       'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+	       '    if [ -f $(my_pathname)-ipsets ]; then' ,
+	       '        if chain_exists shorewall; then' ,
+	       '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+	       '        else' ,
+	       '            $IPSET -F' ,
+	       '            $IPSET -X' ,
+	       '            $IPSET -R < $(my_pathname)-ipsets' ,
+	       '        fi' ,
+	       '    fi' ,
+	     );
+	
+	if ( @ipsets ) {
+	    emit '';
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		   '        #',
+		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		   '        #',
+		   '        hack=\'| grep -v /31\'' ,
+		   '    else' ,
+		   '        hack=' ,
+		   '    fi' ,
+		   '',
+		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi',
+		   'elif [ "$COMMAND" = refresh ]; then' );
+
+	    emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	}
+
+	emit ( 'fi' ,
+	       '' );
+    }
+}
+
+#
 #
 # Generate the netfilter input
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -303,7 +303,6 @@ sub generate_script_2() {
     
 }
 
-#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -354,80 +353,17 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	my @ipsets = all_ipsets;
-
-	if ( @ipsets || $config{SAVE_IPSETS} ) {
-	    emit ( '',
-		   'local hack',
-		   '',
-		   'case $IPSET in',
-		   '    */*)',
-		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
-		   '        ;;',
-		   '    *)',
-		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
-		   '        ;;',
-		   'esac',
-		   '',
-		   'if [ "$COMMAND" = start ]; then' ,
-		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' ,
-		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
-		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
-		   '        if chain_exists shorewall; then' ,
-		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
-		   '        else' ,
-		   '            $IPSET -F' ,
-		   '            $IPSET -X' ,
-		   '            $IPSET -R < $(my_pathname)-ipsets' ,
-		   '        fi' ,
-		   '    fi' ,
-		 );
-
-	    if ( @ipsets ) {
-		emit '';
-
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-		emit ( '' ,
-		       'elif [ "$COMMAND" = restart ]; then' ,
-		       '' );
-
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-		emit ( '' ,
-		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		       '        #',
-		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		       '        #',
-		       '        hack=\'| grep -v /31\'' ,
-		       '    else' ,
-		       '        hack=' ,
-		       '    fi' ,
-		       '',
-		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		       '    fi' );
-	    }
-
-	    emit ( 'fi',
-		   '' );
-	}
+	load_ipsets;
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' );
-
-	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	emit ( 'else' ,
+	       '   run_refresh_exit' ,
+	       'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
+	save_dynamic_chains;
+
 	mark_firewall_not_started;
 
 	emit ('',
@@ -450,6 +386,7 @@ sub generate_script_3($) {
     } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
+	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
     }
@@ -520,7 +457,6 @@ EOF
         set_state "Started"
     else
         setup_netfilter
-        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );

Shorewall/Perl/Shorewall/Rules.pm

@@ -443,6 +443,7 @@ sub add_common_rules() {
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
+	add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
     setup_mss;
@@ -647,7 +648,9 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+
+	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
 	    $announced = 1;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1186,6 +1186,7 @@ sub find_interfaces_by_option1( $ ) {
     for my $interface ( keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
+	next unless defined $interfaceref->{physical};
 	next if $interfaceref->{physical} =~ /\+/;
 
 	my $optionsref = $interfaceref->{options};

Shorewall/Perl/prog.footer

@@ -218,6 +218,7 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
 	fi
 
 	detect_configuration

Shorewall/Perl/prog.footer6

@@ -219,6 +219,7 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
+		COMMAND=start
 	    fi
 
 	    detect_configuration

Shorewall/Perl/prog.header

@@ -774,34 +774,6 @@ run_tc() {
     fi
 }
 
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #

Shorewall/Perl/prog.header6

@@ -728,34 +728,6 @@ run_tc() {
     fi
 }
 
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #

Shorewall/lib.cli

@@ -362,17 +362,7 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-
-		    if chain_exists dynamic; then
-			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			    echo "   Dynamic Rules Saved"
-			    do_save
-			else
-		            echo "Error Saving the Dynamic Rules" >&2
-			fi
-		    else
-			do_save && rm -f ${VARDIR}/save
-		    fi
+		    do_save && rm -f ${VARDIR}/save
 		    ;;
 	    esac
 	fi

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                       S H O R E W A L L  4 . 4 . 10
+                      S H O R E W A L L  4 . 4 . 1 0
 ----------------------------------------------------------------------------
 
 I.    RELEASE 4.4 HIGHLIGHTS
@@ -263,6 +263,8 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 
     This configuration now works correctly.
 
+5)  The 'forget' command now correctly removes saved ipsets.
+
 ----------------------------------------------------------------------------
            I V.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
@@ -410,6 +412,11 @@ None.
 	shorewall-init: 4.4.10-RC1
 	gateway:~# 
 
+3)  Beginning with this release, the 'restart' and 'refresh' commands
+    now retain the contents of the dynamic blacklist as well as the
+    current UPnP rules. The dynamic blacklist is also preserved over
+    stop/start.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S

Shorewall/shorewall

@@ -1829,6 +1829,7 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall/shorewall.spec

@@ -108,8 +108,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/shorewall6-lite.spec

@@ -93,8 +93,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6/shorewall6.spec

@@ -98,8 +98,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

docs/UPnP.xml

@@ -109,6 +109,11 @@ forwardUPnP        net     loc</programlisting>
       this route during <command>start</command> and deletes it during
       <command>stop</command>.</para>
     </note>
+
+    <caution>
+      <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
+      added by linux-idg over a <command>shorewall restart</command>.</para>
+    </caution>
   </section>
 
   <section>

docs/blacklisting_support.xml

@@ -188,6 +188,11 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
         <para>save - save the dynamic blacklisting configuration so that it
         will be automatically restored the next time that the firewall is
         restarted.</para>
+
+        <para><emphasis role="bold">Update:</emphasis> Beginning with
+        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
+        <command>stop/start</command> sequences and over
+        <command>restart</command>.</para>
       </listitem>
 
       <listitem>

docs/configuration_file_basics.xml

@@ -48,6 +48,17 @@
     before you use them with Shorewall.</para>
   </caution>
 
+  <section>
+    <title id="Intro">Introduction</title>
+
+    <para>This article offers hints about how to accomplish common tasks with
+    Shorewall. The <ulink url="Introduction.html">Introduction to
+    Shorewall</ulink> is required reading for being able to use this article
+    effectively. For information about setting up your first Shorewall-based
+    firewall, see the <ulink url="GettingStarted.html">Quickstart
+    Guides</ulink>.</para>
+  </section>
+
   <section id="Files">
     <title>Files</title>