better support for restoring postprocessed commands - any kind of command, not just kernel modules

2024-06-28 18:02:33 +00:00 · 2014-12-30 20:42:58 +02:00 · 2014-12-30 20:42:58 +02:00 · 5451641021
commit 5451641021
parent b10a8622cb
1 changed files with 58 additions and 29 deletions
--- a/sbin/firehol.in
+++ b/sbin/firehol.in
@ -321,6 +321,7 @@ modprobe_cmd() {
 	
 	if [ ! -z "${MODPROBE_CMD}" ]
 	then
+		save_for_restore "${MODPROBE_CMD}" "${@}"
 		"${MODPROBE_CMD}" "${@}"
 		status=$?
 		if [ $status -eq 17 ]
@ -590,10 +591,11 @@ fi
 # prepare the file that will hold all modules to be loaded.
 # this is needed only when we are going to save the firewall
 # with iptables-save.
-cat >"${FIREHOL_DIR}/modules_to_load.sh" <<EOFMTL
+cat >"${FIREHOL_DIR}/firewall_restore_commands.sh" <<EOFMTL
 #!/bin/sh
-# Generated by FireHOL to restore the kernel modules required
-# by the last saved FireHOL generated firewall.
+# Generated by FireHOL to execute additional actions
+# to restore the generated firewall.
+#

 EOFMTL

@ -2889,22 +2891,22 @@ tproxy_setup_ip_route() {
 	for x in inet inet6
 	do
 		# remove the existing ip rules for this mark
-		ip -f $x rule del from all fwmark $FIREHOL_TPROXY_MARK >/dev/null 2>&1
+		postprocess -ne ${IP_CMD} -f $x rule del from all fwmark $FIREHOL_TPROXY_MARK

 		# remove the existing rules from the ip route table
-		ip -f $x route flush table $FIREHOL_TPROXY_IP_ROUTE_TABLE >/dev/null 2>&1
+		postprocess -ne ${IP_CMD} -f $x route flush table $FIREHOL_TPROXY_IP_ROUTE_TABLE

 		# add the ip rule to match the mask and forward it to the proper ip route table for tproxy
-		ip -f $x rule add from all fwmark $FIREHOL_TPROXY_MARK lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE || return 1
+		postprocess -warn ${IP_CMD} -f $x rule add from all fwmark $FIREHOL_TPROXY_MARK lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE

 		# add the route to forward all traffic to lo, on the ip route table for tproxy
-		ip -f $x route add local default dev $FIREHOL_TPROXY_ROUTE_DEVICE table $FIREHOL_TPROXY_IP_ROUTE_TABLE || return 1
+		postprocess -warn ${IP_CMD} -f $x route add local default dev $FIREHOL_TPROXY_ROUTE_DEVICE table $FIREHOL_TPROXY_IP_ROUTE_TABLE
 	done

 	# disable the reverse path discovery for lo
-	echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
-	echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
-	echo 0 > /proc/sys/net/ipv4/conf/$FIREHOL_TPROXY_ROUTE_DEVICE/rp_filter
+	postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.default.rp_filter=0
+	postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.all.rp_filter=0
+	postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.$FIREHOL_TPROXY_ROUTE_DEVICE.rp_filter=0
 }

 tproxy_count=0
@ -2955,7 +2957,7 @@ tproxy() {
 	
 	if [ $tproxy_count -eq 1 ]
 	then
-		postprocess tproxy_setup_ip_route
+		tproxy_setup_ip_route
 	fi

 	return 0
@ -3590,13 +3592,26 @@ router46() {
 	both router "$@"
 }

+save_for_restore() {
+	printf "%q " "$@" >>"${FIREHOL_DIR}/firewall_restore_commands.sh"
+	printf "\n" >>"${FIREHOL_DIR}/firewall_restore_commands.sh"
+}
+
 postprocess() {
 #       work_realcmd_helper ${FUNCNAME} "$@"
 	
 	local check="error"
-	test "A${1}" = "A-ne"   && shift && local check="none"
-	test "A${1}" = "A-warn" && shift && local check="warn"
-	
+	local save=1
+	while [ ! "A${1}" = "A" ]
+	do
+		case "A${1}" in
+			A-ne) shift; local check="none";;
+			A-warn) shift; local check="warn";;
+			A-ns) shift; local save=0;;
+			*) break;;
+		esac
+	done
+
 	test "${FIREHOL_MODE}" = "DEBUG"   && local check="none"
 	test "${FIREHOL_MODE}" = "EXPLAIN" && local check="none"
 	
@ -3614,6 +3629,8 @@ postprocess() {
 		${RM_CMD} -f ${FIREHOL_OUTPUT}
 	fi
 	
+	test $save -eq 1 && save_for_restore "${@}"
+
 	return 0
 }

@ -3690,7 +3707,7 @@ iptables() {
 	then
 		run_fast iptables "${@}"
 	else
-		postprocess "${IPTABLES_CMD}" "$@"
+		postprocess -ns "${IPTABLES_CMD}" "$@"
 		FIREHOL_COMMAND_COUNTER=$[FIREHOL_COMMAND_COUNTER + 1]
 	fi
 	
@ -3705,7 +3722,7 @@ ip6tables() {
 	then
 		run_fast ip6tables "${@}"
 	else
-		postprocess "${IP6TABLES_CMD}" "$@"
+		postprocess -ns "${IP6TABLES_CMD}" "$@"
 		FIREHOL_COMMAND6_COUNTER=$[FIREHOL_COMMAND6_COUNTER + 1]
 	fi
 	
@ -4120,12 +4137,20 @@ check_kernel_module() {
 		ip_tables)
 			test -f /proc/net/ip_tables_names && return 0
 			check_kernel_config CONFIG_IP_NF_IPTABLES
+			test $? -ne 0 && check_kernel_config CONFIG_NF_TABLES_IPV4
+			return $?
+			;;
+
+		ip6_tables)
+			test -f /proc/net/ip6_tables_names && return 0
+			check_kernel_config CONFIG_NF_TABLES_IPV6
 			return $?
 			;;
 		
 		ip_conntrack|nf_conntrack)
 			test -f /proc/net/ip_conntrack -o -f /proc/net/nf_conntrack && return 0
 			check_kernel_config CONFIG_IP_NF_CONNTRACK
+			test $? -ne 0 && check_kernel_config CONFIG_NF_CONNTRACK_IPV4
 			return $?
 			;;
 			
@ -4150,16 +4175,23 @@ check_kernel_module() {
 }

 # activation-phase command to load a kernel module.
+LOADED_KERNEL_MODULES=
 load_kernel_module() {
 	local mod="${1}"
 	
 	if [ ! ${FIREHOL_LOAD_KERNEL_MODULES} -eq 0 ]
 	then
-		check_kernel_module ${mod}
+		local m=
+		for m in ${LOADED_KERNEL_MODULES}
+		do
+			test "${m}" = "${mod}" && return 0
+		done
+		LOADED_KERNEL_MODULES="${LOADED_KERNEL_MODULES} ${mod}"
+
+		modprobe_cmd ${mod} -q
 		if [ $? -gt 0 ]
 		then
-			runcmd warn ${FIREHOL_LINEID} modprobe_cmd ${mod} -q
-			echo >>"${FIREHOL_DIR}/modules_to_load.sh" "${MODPROBE_CMD} ${mod} -q"
+			check_kernel_module ${mod} || runtime_error warn 1 ${FIREHOL_LINEID} "${MODPROBE_CMD}" ${mod} -q
 		fi
 	fi
 	return 0
@ -7083,9 +7115,9 @@ firehol_restore_last_activated_firewall() {

 	echo -n $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"

-	if [ -x "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh" ]
+	if [ -x "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" ]
 	then
-		"${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+		source "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" >/dev/null
 		if [ $? -ne 0 ]
 			then
 			failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
@ -8460,13 +8492,10 @@ initialize_firewall() {
 	
 	for m in ${FIREHOL_KERNEL_MODULES}
 	do
-		postprocess -ne load_kernel_module $m
+		postprocess -ne -ns load_kernel_module $m
 	done
 	
-	if [ $FIREHOL_ROUTING -eq 1 ]
-	then
-		postprocess ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1"
-	fi
+	test $FIREHOL_ROUTING -eq 1 && postprocess -warn ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1"
 	
 	# Find all tables supported
 	local t=
@ -8934,9 +8963,9 @@ fi
 # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # last, keep a copy of the firewall we activated, on disk

-mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
-chown root:root "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
-chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+mv "${FIREHOL_DIR}/firewall_restore_commands.sh" "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
+chown root:root "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
+chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"

 # keep track if we do ipv4
 if [ $ENABLE_IPV4 -eq 1 ]