better support for restoring postprocessed commands - any kind of command, not just kernel modules
This commit is contained in:
parent
b10a8622cb
commit
5451641021
@ -321,6 +321,7 @@ modprobe_cmd() {
|
||||
|
||||
if [ ! -z "${MODPROBE_CMD}" ]
|
||||
then
|
||||
save_for_restore "${MODPROBE_CMD}" "${@}"
|
||||
"${MODPROBE_CMD}" "${@}"
|
||||
status=$?
|
||||
if [ $status -eq 17 ]
|
||||
@ -590,10 +591,11 @@ fi
|
||||
# prepare the file that will hold all modules to be loaded.
|
||||
# this is needed only when we are going to save the firewall
|
||||
# with iptables-save.
|
||||
cat >"${FIREHOL_DIR}/modules_to_load.sh" <<EOFMTL
|
||||
cat >"${FIREHOL_DIR}/firewall_restore_commands.sh" <<EOFMTL
|
||||
#!/bin/sh
|
||||
# Generated by FireHOL to restore the kernel modules required
|
||||
# by the last saved FireHOL generated firewall.
|
||||
# Generated by FireHOL to execute additional actions
|
||||
# to restore the generated firewall.
|
||||
#
|
||||
|
||||
EOFMTL
|
||||
|
||||
@ -2889,22 +2891,22 @@ tproxy_setup_ip_route() {
|
||||
for x in inet inet6
|
||||
do
|
||||
# remove the existing ip rules for this mark
|
||||
ip -f $x rule del from all fwmark $FIREHOL_TPROXY_MARK >/dev/null 2>&1
|
||||
postprocess -ne ${IP_CMD} -f $x rule del from all fwmark $FIREHOL_TPROXY_MARK
|
||||
|
||||
# remove the existing rules from the ip route table
|
||||
ip -f $x route flush table $FIREHOL_TPROXY_IP_ROUTE_TABLE >/dev/null 2>&1
|
||||
postprocess -ne ${IP_CMD} -f $x route flush table $FIREHOL_TPROXY_IP_ROUTE_TABLE
|
||||
|
||||
# add the ip rule to match the mask and forward it to the proper ip route table for tproxy
|
||||
ip -f $x rule add from all fwmark $FIREHOL_TPROXY_MARK lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE || return 1
|
||||
postprocess -warn ${IP_CMD} -f $x rule add from all fwmark $FIREHOL_TPROXY_MARK lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE
|
||||
|
||||
# add the route to forward all traffic to lo, on the ip route table for tproxy
|
||||
ip -f $x route add local default dev $FIREHOL_TPROXY_ROUTE_DEVICE table $FIREHOL_TPROXY_IP_ROUTE_TABLE || return 1
|
||||
postprocess -warn ${IP_CMD} -f $x route add local default dev $FIREHOL_TPROXY_ROUTE_DEVICE table $FIREHOL_TPROXY_IP_ROUTE_TABLE
|
||||
done
|
||||
|
||||
# disable the reverse path discovery for lo
|
||||
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
|
||||
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
echo 0 > /proc/sys/net/ipv4/conf/$FIREHOL_TPROXY_ROUTE_DEVICE/rp_filter
|
||||
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.default.rp_filter=0
|
||||
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.all.rp_filter=0
|
||||
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.$FIREHOL_TPROXY_ROUTE_DEVICE.rp_filter=0
|
||||
}
|
||||
|
||||
tproxy_count=0
|
||||
@ -2955,7 +2957,7 @@ tproxy() {
|
||||
|
||||
if [ $tproxy_count -eq 1 ]
|
||||
then
|
||||
postprocess tproxy_setup_ip_route
|
||||
tproxy_setup_ip_route
|
||||
fi
|
||||
|
||||
return 0
|
||||
@ -3590,12 +3592,25 @@ router46() {
|
||||
both router "$@"
|
||||
}
|
||||
|
||||
save_for_restore() {
|
||||
printf "%q " "$@" >>"${FIREHOL_DIR}/firewall_restore_commands.sh"
|
||||
printf "\n" >>"${FIREHOL_DIR}/firewall_restore_commands.sh"
|
||||
}
|
||||
|
||||
postprocess() {
|
||||
# work_realcmd_helper ${FUNCNAME} "$@"
|
||||
|
||||
local check="error"
|
||||
test "A${1}" = "A-ne" && shift && local check="none"
|
||||
test "A${1}" = "A-warn" && shift && local check="warn"
|
||||
local save=1
|
||||
while [ ! "A${1}" = "A" ]
|
||||
do
|
||||
case "A${1}" in
|
||||
A-ne) shift; local check="none";;
|
||||
A-warn) shift; local check="warn";;
|
||||
A-ns) shift; local save=0;;
|
||||
*) break;;
|
||||
esac
|
||||
done
|
||||
|
||||
test "${FIREHOL_MODE}" = "DEBUG" && local check="none"
|
||||
test "${FIREHOL_MODE}" = "EXPLAIN" && local check="none"
|
||||
@ -3614,6 +3629,8 @@ postprocess() {
|
||||
${RM_CMD} -f ${FIREHOL_OUTPUT}
|
||||
fi
|
||||
|
||||
test $save -eq 1 && save_for_restore "${@}"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -3690,7 +3707,7 @@ iptables() {
|
||||
then
|
||||
run_fast iptables "${@}"
|
||||
else
|
||||
postprocess "${IPTABLES_CMD}" "$@"
|
||||
postprocess -ns "${IPTABLES_CMD}" "$@"
|
||||
FIREHOL_COMMAND_COUNTER=$[FIREHOL_COMMAND_COUNTER + 1]
|
||||
fi
|
||||
|
||||
@ -3705,7 +3722,7 @@ ip6tables() {
|
||||
then
|
||||
run_fast ip6tables "${@}"
|
||||
else
|
||||
postprocess "${IP6TABLES_CMD}" "$@"
|
||||
postprocess -ns "${IP6TABLES_CMD}" "$@"
|
||||
FIREHOL_COMMAND6_COUNTER=$[FIREHOL_COMMAND6_COUNTER + 1]
|
||||
fi
|
||||
|
||||
@ -4120,12 +4137,20 @@ check_kernel_module() {
|
||||
ip_tables)
|
||||
test -f /proc/net/ip_tables_names && return 0
|
||||
check_kernel_config CONFIG_IP_NF_IPTABLES
|
||||
test $? -ne 0 && check_kernel_config CONFIG_NF_TABLES_IPV4
|
||||
return $?
|
||||
;;
|
||||
|
||||
ip6_tables)
|
||||
test -f /proc/net/ip6_tables_names && return 0
|
||||
check_kernel_config CONFIG_NF_TABLES_IPV6
|
||||
return $?
|
||||
;;
|
||||
|
||||
ip_conntrack|nf_conntrack)
|
||||
test -f /proc/net/ip_conntrack -o -f /proc/net/nf_conntrack && return 0
|
||||
check_kernel_config CONFIG_IP_NF_CONNTRACK
|
||||
test $? -ne 0 && check_kernel_config CONFIG_NF_CONNTRACK_IPV4
|
||||
return $?
|
||||
;;
|
||||
|
||||
@ -4150,16 +4175,23 @@ check_kernel_module() {
|
||||
}
|
||||
|
||||
# activation-phase command to load a kernel module.
|
||||
LOADED_KERNEL_MODULES=
|
||||
load_kernel_module() {
|
||||
local mod="${1}"
|
||||
|
||||
if [ ! ${FIREHOL_LOAD_KERNEL_MODULES} -eq 0 ]
|
||||
then
|
||||
check_kernel_module ${mod}
|
||||
local m=
|
||||
for m in ${LOADED_KERNEL_MODULES}
|
||||
do
|
||||
test "${m}" = "${mod}" && return 0
|
||||
done
|
||||
LOADED_KERNEL_MODULES="${LOADED_KERNEL_MODULES} ${mod}"
|
||||
|
||||
modprobe_cmd ${mod} -q
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
runcmd warn ${FIREHOL_LINEID} modprobe_cmd ${mod} -q
|
||||
echo >>"${FIREHOL_DIR}/modules_to_load.sh" "${MODPROBE_CMD} ${mod} -q"
|
||||
check_kernel_module ${mod} || runtime_error warn 1 ${FIREHOL_LINEID} "${MODPROBE_CMD}" ${mod} -q
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
@ -7083,9 +7115,9 @@ firehol_restore_last_activated_firewall() {
|
||||
|
||||
echo -n $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
|
||||
if [ -x "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh" ]
|
||||
if [ -x "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" ]
|
||||
then
|
||||
"${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
source "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" >/dev/null
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
@ -8460,13 +8492,10 @@ initialize_firewall() {
|
||||
|
||||
for m in ${FIREHOL_KERNEL_MODULES}
|
||||
do
|
||||
postprocess -ne load_kernel_module $m
|
||||
postprocess -ne -ns load_kernel_module $m
|
||||
done
|
||||
|
||||
if [ $FIREHOL_ROUTING -eq 1 ]
|
||||
then
|
||||
postprocess ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1"
|
||||
fi
|
||||
test $FIREHOL_ROUTING -eq 1 && postprocess -warn ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1"
|
||||
|
||||
# Find all tables supported
|
||||
local t=
|
||||
@ -8934,9 +8963,9 @@ fi
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# last, keep a copy of the firewall we activated, on disk
|
||||
|
||||
mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
mv "${FIREHOL_DIR}/firewall_restore_commands.sh" "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
|
||||
chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
|
||||
|
||||
# keep track if we do ipv4
|
||||
if [ $ENABLE_IPV4 -eq 1 ]
|
||||
|
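Review bot: The restore file is now `source`d into the running FireHOL bash process in `firehol_restore_last_activated_firewall` (hunk at 7083/7115), yet the header written by the heredoc in the 590/591 hunk still declares `#!/bin/sh`, while `save_for_restore` quotes arguments with bash's `printf "%q "`, which can emit `$'…'` ANSI-C forms a POSIX sh will not parse; the shebang should read `#!/bin/bash` (or be dropped) and the generated comment should state `# Sourced by the FireHOL bash process on restore; not a standalone /bin/sh script.` Because `source` yields only the status of the file's last line, the `if [ $? -ne 0 ]` that follows it cannot observe an earlier saved command failing, and since `-ne` commands such as the `ip rule del` lines from `tproxy_setup_ip_route` are saved unchanged, a plain `|| return 1` per line would abort restore on their expected failures — if failures matter, accumulate a per-line failure flag in the generated file and test it once at the end instead. Separately, `cat >"${FIREHOL_DIR}/firewall_restore_commands.sh"` creates the file under the current umask and it is only `chmod 700` after the final `mv` (hunk at 8934/8963); now that it carries every postprocessed command root will replay, creating it restrictively (e.g. under `umask 077`) avoids depending on `FIREHOL_DIR` being private, which these hunks do not show.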