Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop is saves the firewall again, with their packet and bytes counters, so that when restored it continues where it left. So at boot it should be called with "restore" and at shutdown it should be called with "stop"

2024-06-28 18:02:33 +00:00 · 2014-12-19 23:46:53 +02:00 · 2014-12-19 23:46:53 +02:00 · b10a8622cb
commit b10a8622cb
parent 6c005c3c07
1 changed files with 187 additions and 47 deletions
--- a/sbin/firehol.in
+++ b/sbin/firehol.in
@ -3460,7 +3460,7 @@ version() {
 		FIREHOL_NS_CURR=$FIREHOL_DEFAULT_NAMESPACE
 		FIREHOL_NS_STACK=
 		FIREHOL_NS_PREP=
-		softwarning "Running version 5 config. Update configuration to version 6 for IPv6 support. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
+		warning "Running version 5 config. Update configuration to version 6 for IPv6 support. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
 	fi
 }

@ -6589,6 +6589,13 @@ rule() {
 	return 0
 }

+warning() {
+	echo >&2
+	echo >&2
+	echo >&2 "WARNING: " "$@"
+	
+	return 0
+}

 softwarning() {
 	echo >&2
@ -6982,6 +6989,135 @@ wait_for_interface() {
 }


+# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# keep a copy of the running firewall on disk for fast restoration
+
+fixed_save() {
+	local command="$1"
+	local tmp="${FIREHOL_DIR}/iptables-save-$$"
+	local err=
+	
+	load_kernel_module ip_tables
+	${command} -c >$tmp
+	err=$?
+	if [ ! $err -eq 0 ]
+	then
+		${RM_CMD} -f $tmp >/dev/null 2>&1
+		return $err
+	fi
+	
+	${CAT_CMD} ${tmp} |\
+		${SED_CMD} \
+			-e "s/--uid-owner !/! --uid-owner /g"	\
+			-e "s/--gid-owner !/! --gid-owner /g"	\
+			-e "s/--pid-owner !/! --pid-owner /g"	\
+			-e "s/--sid-owner !/! --sid-owner /g"	\
+			-e "s/--cmd-owner !/! --cmd-owner /g"
+	err=$?
+	
+	${RM_CMD} -f $tmp >/dev/null 2>&1
+	return $err
+}
+
+firehol_save_activated_firewall() {
+	echo -n $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
+	
+	if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" ]
+	then
+		fixed_save ${IPTABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv4.rules"
+		if [ ! $? -eq 0 ]
+		then
+			failure $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
+			echo
+			return 1
+		fi
+		
+		chown root:root "${FIREHOL_SPOOL_DIR}/ipv4.rules"
+		chmod 600 "${FIREHOL_SPOOL_DIR}/ipv4.rules"
+	else
+		test -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv4.rules"
+	fi
+	
+	if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" ]
+	then
+		fixed_save ${IP6TABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv6.rules"
+		if [ ! $? -eq 0 ]
+		then
+			failure $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
+			echo
+			return 1
+		fi
+		
+		chown root:root "${FIREHOL_SPOOL_DIR}/ipv6.rules"
+		chmod 600 "${FIREHOL_SPOOL_DIR}/ipv6.rules"
+	else
+		test -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv6.rules"
+	fi
+	
+	success $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
+	echo
+	
+	return 0
+}
+
+firehol_restore_last_activated_firewall() {
+	local do_ipv4=0
+	local do_ipv6=0
+
+	test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && local do_ipv4=1
+	test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && local do_ipv6=1
+	if [ "${do_ipv4}${do_ipv6}" = "00" ]
+	then
+		warning "There is no saved firewall to restore."
+		return 1
+	fi
+
+	local config_older=1
+	test ${do_ipv4} -eq 1 -a "${FIREHOL_SPOOL_DIR}/ipv4.rules" -ot "${FIREHOL_CONFIG}" && local config_older=0
+	test ${do_ipv6} -eq 1 -a "${FIREHOL_SPOOL_DIR}/ipv6.rules" -ot "${FIREHOL_CONFIG}" && local config_older=0
+	if [ ${config_older} -eq 0 ]
+	then
+		warning "${FIREHOL_CONFIG} is newer than saved files."
+		return 2
+	fi
+
+	echo -n $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
+
+	if [ -x "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh" ]
+	then
+		"${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+		if [ $? -ne 0 ]
+			then
+			failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
+			return 3
+		fi
+	fi
+
+	if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" ]
+		then
+		${IPTABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv4.rules"
+		if [ $? -ne 0 ]
+			then
+			failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
+			return 3
+		fi
+	fi
+
+	if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" ]
+		then
+		${IP6TABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv6.rules"
+		if [ $? -ne 0 ]
+			then
+			failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
+			return 3
+		fi
+	fi
+
+	success $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
+	echo
+	return 0
+}
+
 # ------------------------------------------------------------------------------
 # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # ------------------------------------------------------------------------------
@ -7078,6 +7214,9 @@ case "${arg}" in
 		test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
 		test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
 		
+		# keep the currently active rules
+		firehol_save_activated_firewall
+		
 		echo -n $"FireHOL: Clearing Firewall:"
 		if [ $ENABLE_IPV4 -eq 1 ]; then
 			load_kernel_module ip_tables
@ -7119,6 +7258,13 @@ case "${arg}" in
 		exit 0
 		;;
 	
+	restore)
+		firehol_restore_last_activated_firewall
+		test $? -eq 0 && exit 0
+		warning "Activating ${FIREHOL_CONFIG}..."
+		FIREHOL_MODE="START"
+		;;
+
 	restart|force-reload)
 		test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
 		FIREHOL_MODE="START"
@ -7337,6 +7483,10 @@ FireHOL supports the following command line arguments (only one of them):
 			
 	panic		will block all IP communication.
 	
+	restore		will restore the last activated firewall.
+			Useful for quickly restoring at boot the last
+			successfully activated FireHOL firewall.
+
 	save		to start the firewall and then save it to the
 			place where /etc/init.d/iptables looks for it.
 			
@ -7344,6 +7494,9 @@ FireHOL supports the following command line arguments (only one of them):
 			restored with:
 			/etc/init.d/iptables start
 			
+			The fastest way to restore a FireHOL firewall
+			at boot is the 'restore' feature.
+
 	debug		to parse the configuration file but instead of
 			activating it, to show the generated iptables
 			statements.
@ -8263,33 +8416,6 @@ firehol_concurrent_run_lock

 # --- Initialization -----------------------------------------------------------

-fixed_save() {
-	local command="$1"
-	local tmp="${FIREHOL_DIR}/iptables-save-$$"
-	local err=
-	
-	load_kernel_module ip_tables
-	${command} -c >$tmp
-	err=$?
-	if [ ! $err -eq 0 ]
-	then
-		${RM_CMD} -f $tmp >/dev/null 2>&1
-		return $err
-	fi
-	
-	${CAT_CMD} ${tmp} |\
-		${SED_CMD} "s/--uid-owner !/! --uid-owner /g"	|\
-		${SED_CMD} "s/--gid-owner !/! --gid-owner /g"	|\
-		${SED_CMD} "s/--pid-owner !/! --pid-owner /g"	|\
-		${SED_CMD} "s/--sid-owner !/! --sid-owner /g"	|\
-		${SED_CMD} "s/--cmd-owner !/! --cmd-owner /g"
-	
-	err=$?
-	
-	${RM_CMD} -f $tmp >/dev/null 2>&1
-	return $err
-}
-
 echo -n $"FireHOL: Saving your old firewall to a temporary file:"
 if [ $ENABLE_IPV4 -eq 1 ]
 then
@ -8805,6 +8931,37 @@ then
 fi


+# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# last, keep a copy of the firewall we activated, on disk
+
+mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+chown root:root "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
+
+# keep track if we do ipv4
+if [ $ENABLE_IPV4 -eq 1 ]
+then
+	touch "${FIREHOL_SPOOL_DIR}/ipv4.enable"
+	chown root:root "${FIREHOL_SPOOL_DIR}/ipv4.enable"
+	chmod 600 "${FIREHOL_SPOOL_DIR}/ipv4.enable"
+else
+	test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv4.enable"
+fi
+
+# keep track if we do ipv6
+if [ $ENABLE_IPV6 -eq 1 ]
+then
+	touch "${FIREHOL_SPOOL_DIR}/ipv6.enable"
+	chown root:root "${FIREHOL_SPOOL_DIR}/ipv6.enable"
+	chmod 600 "${FIREHOL_SPOOL_DIR}/ipv6.enable"
+else
+	test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv6.enable"
+fi
+
+# save the rules to ${FIREHOL_SPOOL_DIR}
+firehol_save_activated_firewall
+
+
 # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 if [ ${FIREHOL_SAVE} -eq 1 ]
@ -8848,8 +9005,7 @@ then
 	then
 		echo -n $"FireHOL: Saving firewall to ${FIREHOL_AUTOSAVE}:"
 	
-		fixed_save ${IPTABLES_SAVE_CMD} >${FIREHOL_AUTOSAVE}
-	
+		cat "${FIREHOL_SPOOL_DIR}/ipv4.rules" >${FIREHOL_AUTOSAVE}
 		if [ ! $? -eq 0 ]
 		then
 			syslog err "Failed to save new firewall to '${FIREHOL_AUTOSAVE}'."
@ -8867,8 +9023,7 @@ then
 	then
 		echo -n $"FireHOL: Saving IPv6 firewall to ${FIREHOL_AUTOSAVE6}:"
 	
-		fixed_save ${IP6TABLES_SAVE_CMD} >${FIREHOL_AUTOSAVE6}
-	
+		cat "${FIREHOL_SPOOL_DIR}/ipv6.rules" >${FIREHOL_AUTOSAVE6}
 		if [ ! $? -eq 0 ]
 		then
 			syslog err "Failed to save new IPv6 firewall to '${FIREHOL_AUTOSAVE6}'."
@ -8882,20 +9037,5 @@ then
 		echo
 	fi
 	
-	# Save the list of modules we need to run to restore the firewall.
-	if [ -f "${FIREHOL_SPOOL_DIR}/last_save_modules.sh" ]
-	then
-		mv "${FIREHOL_SPOOL_DIR}/last_save_modules.sh" "${FIREHOL_SPOOL_DIR}/last_save_modules.sh.old"
-	fi
-	
-	mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
-	if [ $? -gt 0 ]
-	then
-		error "Cannot save modules restoration script to '${FIREHOL_SPOOL_DIR}/last_save_modules.sh'."
-	else
-		chown root:root "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
-		chmod 700 "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
-	fi
-	
 	exit 0
 fi