mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop is saves the firewall again, with their packet and bytes counters, so that when restored it continues where it left. So at boot it should be called with "restore" and at shutdown it should be called with "stop"
This commit is contained in:
parent
6c005c3c07
commit
b10a8622cb
234
sbin/firehol.in
234
sbin/firehol.in
@ -3460,7 +3460,7 @@ version() {
|
||||
FIREHOL_NS_CURR=$FIREHOL_DEFAULT_NAMESPACE
|
||||
FIREHOL_NS_STACK=
|
||||
FIREHOL_NS_PREP=
|
||||
softwarning "Running version 5 config. Update configuration to version 6 for IPv6 support. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
|
||||
warning "Running version 5 config. Update configuration to version 6 for IPv6 support. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -6589,6 +6589,13 @@ rule() {
|
||||
return 0
|
||||
}
|
||||
|
||||
warning() {
|
||||
echo >&2
|
||||
echo >&2
|
||||
echo >&2 "WARNING: " "$@"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
softwarning() {
|
||||
echo >&2
|
||||
@ -6982,6 +6989,135 @@ wait_for_interface() {
|
||||
}
|
||||
|
||||
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# keep a copy of the running firewall on disk for fast restoration
|
||||
|
||||
fixed_save() {
|
||||
local command="$1"
|
||||
local tmp="${FIREHOL_DIR}/iptables-save-$$"
|
||||
local err=
|
||||
|
||||
load_kernel_module ip_tables
|
||||
${command} -c >$tmp
|
||||
err=$?
|
||||
if [ ! $err -eq 0 ]
|
||||
then
|
||||
${RM_CMD} -f $tmp >/dev/null 2>&1
|
||||
return $err
|
||||
fi
|
||||
|
||||
${CAT_CMD} ${tmp} |\
|
||||
${SED_CMD} \
|
||||
-e "s/--uid-owner !/! --uid-owner /g" \
|
||||
-e "s/--gid-owner !/! --gid-owner /g" \
|
||||
-e "s/--pid-owner !/! --pid-owner /g" \
|
||||
-e "s/--sid-owner !/! --sid-owner /g" \
|
||||
-e "s/--cmd-owner !/! --cmd-owner /g"
|
||||
err=$?
|
||||
|
||||
${RM_CMD} -f $tmp >/dev/null 2>&1
|
||||
return $err
|
||||
}
|
||||
|
||||
firehol_save_activated_firewall() {
|
||||
echo -n $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
|
||||
|
||||
if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" ]
|
||||
then
|
||||
fixed_save ${IPTABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv4.rules"
|
||||
if [ ! $? -eq 0 ]
|
||||
then
|
||||
failure $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
|
||||
echo
|
||||
return 1
|
||||
fi
|
||||
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/ipv4.rules"
|
||||
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv4.rules"
|
||||
else
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv4.rules"
|
||||
fi
|
||||
|
||||
if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" ]
|
||||
then
|
||||
fixed_save ${IP6TABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv6.rules"
|
||||
if [ ! $? -eq 0 ]
|
||||
then
|
||||
failure $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
|
||||
echo
|
||||
return 1
|
||||
fi
|
||||
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/ipv6.rules"
|
||||
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv6.rules"
|
||||
else
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv6.rules"
|
||||
fi
|
||||
|
||||
success $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
|
||||
echo
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
firehol_restore_last_activated_firewall() {
|
||||
local do_ipv4=0
|
||||
local do_ipv6=0
|
||||
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && local do_ipv4=1
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && local do_ipv6=1
|
||||
if [ "${do_ipv4}${do_ipv6}" = "00" ]
|
||||
then
|
||||
warning "There is no saved firewall to restore."
|
||||
return 1
|
||||
fi
|
||||
|
||||
local config_older=1
|
||||
test ${do_ipv4} -eq 1 -a "${FIREHOL_SPOOL_DIR}/ipv4.rules" -ot "${FIREHOL_CONFIG}" && local config_older=0
|
||||
test ${do_ipv6} -eq 1 -a "${FIREHOL_SPOOL_DIR}/ipv6.rules" -ot "${FIREHOL_CONFIG}" && local config_older=0
|
||||
if [ ${config_older} -eq 0 ]
|
||||
then
|
||||
warning "${FIREHOL_CONFIG} is newer than saved files."
|
||||
return 2
|
||||
fi
|
||||
|
||||
echo -n $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
|
||||
if [ -x "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh" ]
|
||||
then
|
||||
"${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
return 3
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" ]
|
||||
then
|
||||
${IPTABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv4.rules"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
return 3
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" ]
|
||||
then
|
||||
${IP6TABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv6.rules"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
failure $"FireHOL: Restoring last activated firewall from ${FIREHOL_SPOOL_DIR}:"
|
||||
return 3
|
||||
fi
|
||||
fi
|
||||
|
||||
success $"FireHOL: Saving activated firewall to ${FIREHOL_SPOOL_DIR}:"
|
||||
echo
|
||||
return 0
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -7078,6 +7214,9 @@ case "${arg}" in
|
||||
test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
|
||||
test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
|
||||
|
||||
# keep the currently active rules
|
||||
firehol_save_activated_firewall
|
||||
|
||||
echo -n $"FireHOL: Clearing Firewall:"
|
||||
if [ $ENABLE_IPV4 -eq 1 ]; then
|
||||
load_kernel_module ip_tables
|
||||
@ -7119,6 +7258,13 @@ case "${arg}" in
|
||||
exit 0
|
||||
;;
|
||||
|
||||
restore)
|
||||
firehol_restore_last_activated_firewall
|
||||
test $? -eq 0 && exit 0
|
||||
warning "Activating ${FIREHOL_CONFIG}..."
|
||||
FIREHOL_MODE="START"
|
||||
;;
|
||||
|
||||
restart|force-reload)
|
||||
test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
|
||||
FIREHOL_MODE="START"
|
||||
@ -7337,6 +7483,10 @@ FireHOL supports the following command line arguments (only one of them):
|
||||
|
||||
panic will block all IP communication.
|
||||
|
||||
restore will restore the last activated firewall.
|
||||
Useful for quickly restoring at boot the last
|
||||
successfully activated FireHOL firewall.
|
||||
|
||||
save to start the firewall and then save it to the
|
||||
place where /etc/init.d/iptables looks for it.
|
||||
|
||||
@ -7344,6 +7494,9 @@ FireHOL supports the following command line arguments (only one of them):
|
||||
restored with:
|
||||
/etc/init.d/iptables start
|
||||
|
||||
The fastest way to restore a FireHOL firewall
|
||||
at boot is the 'restore' feature.
|
||||
|
||||
debug to parse the configuration file but instead of
|
||||
activating it, to show the generated iptables
|
||||
statements.
|
||||
@ -8263,33 +8416,6 @@ firehol_concurrent_run_lock
|
||||
|
||||
# --- Initialization -----------------------------------------------------------
|
||||
|
||||
fixed_save() {
|
||||
local command="$1"
|
||||
local tmp="${FIREHOL_DIR}/iptables-save-$$"
|
||||
local err=
|
||||
|
||||
load_kernel_module ip_tables
|
||||
${command} -c >$tmp
|
||||
err=$?
|
||||
if [ ! $err -eq 0 ]
|
||||
then
|
||||
${RM_CMD} -f $tmp >/dev/null 2>&1
|
||||
return $err
|
||||
fi
|
||||
|
||||
${CAT_CMD} ${tmp} |\
|
||||
${SED_CMD} "s/--uid-owner !/! --uid-owner /g" |\
|
||||
${SED_CMD} "s/--gid-owner !/! --gid-owner /g" |\
|
||||
${SED_CMD} "s/--pid-owner !/! --pid-owner /g" |\
|
||||
${SED_CMD} "s/--sid-owner !/! --sid-owner /g" |\
|
||||
${SED_CMD} "s/--cmd-owner !/! --cmd-owner /g"
|
||||
|
||||
err=$?
|
||||
|
||||
${RM_CMD} -f $tmp >/dev/null 2>&1
|
||||
return $err
|
||||
}
|
||||
|
||||
echo -n $"FireHOL: Saving your old firewall to a temporary file:"
|
||||
if [ $ENABLE_IPV4 -eq 1 ]
|
||||
then
|
||||
@ -8805,6 +8931,37 @@ then
|
||||
fi
|
||||
|
||||
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# last, keep a copy of the firewall we activated, on disk
|
||||
|
||||
mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_required_kernel_modules.sh"
|
||||
|
||||
# keep track if we do ipv4
|
||||
if [ $ENABLE_IPV4 -eq 1 ]
|
||||
then
|
||||
touch "${FIREHOL_SPOOL_DIR}/ipv4.enable"
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/ipv4.enable"
|
||||
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv4.enable"
|
||||
else
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv4.enable"
|
||||
fi
|
||||
|
||||
# keep track if we do ipv6
|
||||
if [ $ENABLE_IPV6 -eq 1 ]
|
||||
then
|
||||
touch "${FIREHOL_SPOOL_DIR}/ipv6.enable"
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/ipv6.enable"
|
||||
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv6.enable"
|
||||
else
|
||||
test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv6.enable"
|
||||
fi
|
||||
|
||||
# save the rules to ${FIREHOL_SPOOL_DIR}
|
||||
firehol_save_activated_firewall
|
||||
|
||||
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
|
||||
if [ ${FIREHOL_SAVE} -eq 1 ]
|
||||
@ -8848,8 +9005,7 @@ then
|
||||
then
|
||||
echo -n $"FireHOL: Saving firewall to ${FIREHOL_AUTOSAVE}:"
|
||||
|
||||
fixed_save ${IPTABLES_SAVE_CMD} >${FIREHOL_AUTOSAVE}
|
||||
|
||||
cat "${FIREHOL_SPOOL_DIR}/ipv4.rules" >${FIREHOL_AUTOSAVE}
|
||||
if [ ! $? -eq 0 ]
|
||||
then
|
||||
syslog err "Failed to save new firewall to '${FIREHOL_AUTOSAVE}'."
|
||||
@ -8867,8 +9023,7 @@ then
|
||||
then
|
||||
echo -n $"FireHOL: Saving IPv6 firewall to ${FIREHOL_AUTOSAVE6}:"
|
||||
|
||||
fixed_save ${IP6TABLES_SAVE_CMD} >${FIREHOL_AUTOSAVE6}
|
||||
|
||||
cat "${FIREHOL_SPOOL_DIR}/ipv6.rules" >${FIREHOL_AUTOSAVE6}
|
||||
if [ ! $? -eq 0 ]
|
||||
then
|
||||
syslog err "Failed to save new IPv6 firewall to '${FIREHOL_AUTOSAVE6}'."
|
||||
@ -8882,20 +9037,5 @@ then
|
||||
echo
|
||||
fi
|
||||
|
||||
# Save the list of modules we need to run to restore the firewall.
|
||||
if [ -f "${FIREHOL_SPOOL_DIR}/last_save_modules.sh" ]
|
||||
then
|
||||
mv "${FIREHOL_SPOOL_DIR}/last_save_modules.sh" "${FIREHOL_SPOOL_DIR}/last_save_modules.sh.old"
|
||||
fi
|
||||
|
||||
mv "${FIREHOL_DIR}/modules_to_load.sh" "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
error "Cannot save modules restoration script to '${FIREHOL_SPOOL_DIR}/last_save_modules.sh'."
|
||||
else
|
||||
chown root:root "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
|
||||
chmod 700 "${FIREHOL_SPOOL_DIR}/last_save_modules.sh"
|
||||
fi
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user