--- iptables.orig 2007-01-08 14:31:15.000000000 +0000
+++ iptables 2007-02-02 15:34:17.000000000 +0000
@@ -13,6 +13,8 @@
 IPTABLES=iptables
 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_SAVED=/etc/sysconfig/$IPTABLES-saved
+IPTABLES_DIR=/etc/sysconfig/$IPTABLES.d/
 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
@@ -106,19 +108,25 @@
 set_policy() {
 # Set policy for configured tables.
- policy=$1
+ policy=$1; shift
+ tables=$@
- # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+ if [ -z "$tables" ] ; then
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
- # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
+ echo -n $"Setting chains to policy $policy: "
+ else
+ keepquiet="yes"
+ fi
- echo -n $"Setting chains to policy $policy: "
 ret=0
 for i in $tables; do
- echo -n "$i "
+ [ -z "$keepquiet" ] && echo -n "$i "
 case "$i" in
 raw)
 $IPTABLES -t raw -P PREROUTING $policy \
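Review bot: `IPTABLES_DIR=/etc/sysconfig/$IPTABLES.d/` keeps a trailing slash while the code that consumes it joins with another one (`$IPTABLES_DIR/$table/*.chain`), so the globbed paths come out as `…/iptables.d//filter/*.chain`; drop the slash here, `IPTABLES_DIR=/etc/sysconfig/$IPTABLES.d`, to match how IPTABLES_DATA and IPTABLES_CONFIG are written. A one-line comment next to it saying that `<table>/<chain>.chain` files under this directory are read line by line and passed to iptables -A on start would document the new layout beside the other paths.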
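Review bot: `keepquiet="yes"` is assigned on the explicit-tables branch but the variable is neither initialised nor declared local, so it leaks out of set_policy and any later call without arguments in the same shell process stays silent and skips the success/failure line. Initialise it next to the other per-call state, e.g. `policy=$1; shift` followed by `keepquiet=` before `tables=$@`. The explicit-tables branch also bypasses the `[ ! -e "$PROC_IPTABLES_NAMES" ]` check, which is fine when the caller is about to load rules anyway but deserves a comment so nobody "fixes" it later. set_policy's body continues past the end of this hunk.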
@@ -151,25 +159,65 @@
 esac
 done
- [ $ret -eq 0 ] && success || failure
- echo
+ if [ -z "$keepquiet" ] ; then
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
 return $ret
 }
-start() {
- # Do not start if there is no config file.
- [ -f "$IPTABLES_DATA" ] || return 1
+load_tables() {
+ if [ "$1" = "-c" ]; then
+ OPT="-c"; shift
+ fi
+ tables=$@
+
+ ret=0
+
+ set_policy ACCEPT $tables || ret+=1
+ for table in $tables; do
+ for path in $IPTABLES_DIR/$table/*.chain; do
+ [ ! -f "$path" ] || is_ignored_file "$path" && continue
+ chain=$(basename "${path%.chain}")
+ $IPTABLES -t $table -N "$chain" || ret+=1
+ while read line ; do
+ iptables -t $table -A "${chain}" ${line} || ret+=1
+ done < "$path"
+ done
+ done
+
+ for chain in $IPTABLES_FILTER_INPUT_CHAINS ; do
+ $IPTABLES -t filter -A INPUT -j $chain || ret+=1
+ done
+ for chain in $IPTABLES_FILTER_FORWARD_CHAINS ; do
+ $IPTABLES -t filter -A FORWARD -j $chain || ret+=1
+ done
+ for chain in $IPTABLES_NAT_PREROUTING_CHAINS ; do
+ $IPTABLES -t nat -A PREROUTING -j $chain || ret+=1
+ done
+ for chain in $IPTABLES_NAT_POSTROUTING_CHAINS ; do
+ $IPTABLES -t nat -A POSTROUTING -j $chain || ret+=1
+ done
+
+ [ $ret -eq 0 ] && success || failure
+}
+
+start() {
 echo -n $"Applying $IPTABLES firewall rules: "
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
- $IPTABLES-restore $OPT $IPTABLES_DATA
- if [ $? -eq 0 ]; then
- success; echo
+ if [ -f "$IPTABLES_DATA" ] ; then
+ $IPTABLES-restore $OPT $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ success; echo
+ else
+ failure; echo; return 1
+ fi
 else
- failure; echo; return 1
+ load_tables $OPT filter nat
 fi
 # Load additional modules (helpers)
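Review bot: The per-chain rule line in load_tables calls a hard-coded `iptables` while every other command in the function goes through `$IPTABLES`, so when this script runs as ip6tables (`IPV=${IPTABLES%tables}` shows it is meant to) the contents of the .d files are appended to the IPv4 tables instead; change it to `$IPTABLES -t $table -A "${chain}" ${line} || ret+=1`. load_tables also never returns its status and start() invokes `load_tables $OPT filter nat` without checking it, whereas the iptables-restore branch returns 1 on failure, so add `return $ret` after the success/failure line and `load_tables $OPT filter nat || return 1` in start. `ret+=1` on a plain shell variable concatenates (0 becomes 01), which still fails the `-eq 0` test but is misleading; `ret=$((ret+1))` says what is meant. Unlike iptables-restore, this path first sets every policy to ACCEPT and then builds the chains one rule at a time, so a failure part-way leaves a partial, accept-by-default rule set — worth a comment above `set_policy ACCEPT $tables` so an operator knows to check the status. `while read line` should be `while read -r line` so backslashes in rule files are passed through unchanged.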
@@ -211,6 +259,23 @@
 return $ret
 }
+iptables_save() {
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ IGNORE_OPTS=""
+ for chain in $IPTABLES_FILTER_INPUT_CHAINS \
+ $IPTABLES_FILTER_FORWARD_CHAINS \
+ $IPTABLES_NAT_PREROUTING_CHAINS \
+ $IPTABLES_NAT_POSTROUTING_CHAINS ; do
+ # FIXME: we'd need to implement this
+ # IGNORE_OPTS="--ignore $chain "
+ IGNORE_OPTS=""
+ done
+
+ $IPTABLES-save $OPT $IGNORE_OPTS
+}
+
 save() {
 # Check if iptable module is loaded
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
@@ -219,26 +284,28 @@
 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
 [ -z "$tables" ] && return 1
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
-
- OPT=
- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+ echo -n $"Saving firewall rules to $IPTABLES_SAVED: "
 ret=0
 TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
 && chmod 600 "$TMP_FILE" \
- && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+ && iptables_save > $TMP_FILE 2>/dev/null \
 && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
 || ret=1
 if [ $ret -eq 0 ]; then
 if [ -e $IPTABLES_DATA ]; then
- cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+ mv -f $IPTABLES_DATA $IPTABLES_DATA.save \
 && chmod 600 $IPTABLES_DATA.save \
 || ret=1
 fi
+ if [ $ret -eq 0 -a -e $IPTABLES_SAVED ]; then
+ cp -f $IPTABLES_SAVED $IPTABLES_SAVED.save \
+ && chmod 600 $IPTABLES_SAVED.save \
+ || ret=1
+ fi
 if [ $ret -eq 0 ]; then
- cp -f $TMP_FILE $IPTABLES_DATA \
- && chmod 600 $IPTABLES_DATA \
+ cp -f $TMP_FILE $IPTABLES_SAVED \
+ && chmod 600 $IPTABLES_SAVED \
 || ret=1
 fi
 fi
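Review bot: The `for chain in …` loop in iptables_save is dead code — its body only reassigns `IGNORE_OPTS=""` regardless of the loop variable, so `$IPTABLES-save $OPT $IGNORE_OPTS` always performs a plain save and the chains named in the *_CHAINS variables end up in the saved file alongside everything else. Until the FIXME is implemented, replace the loop with a comment stating the intent, e.g. `# TODO: exclude the chains loaded from $IPTABLES_DIR; iptables-save offers no per-chain ignore option`, so a reader does not assume filtering is happening. The `OPT=` / `IPTABLES_SAVE_COUNTER` pair is now computed here and in start() by hand; a small shared helper would keep the two in step.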
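Review bot: `mv -f $IPTABLES_DATA $IPTABLES_DATA.save` now renames the live rules file before the new save has been installed, so if the later `cp -f $TMP_FILE $IPTABLES_SAVED` fails, $IPTABLES_DATA is already gone and the next start quietly takes the .d-directory path instead of restoring the previous rules. Perform the rename only after the copy to $IPTABLES_SAVED has succeeded, or keep `cp -f` here and remove the old file as the final step. `[ $ret -eq 0 -a -e $IPTABLES_SAVED ]` relies on the deprecated `-a`; `[ $ret -eq 0 ] && [ -e $IPTABLES_SAVED ]` is unambiguous. Within this diff nothing reads $IPTABLES_SAVED back — the visible start() only restores $IPTABLES_DATA — so unless a hunk outside this page loads it, the rules written here are never applied; save()'s body continues past the end of this hunk.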