Hi all, I have a patch that is in my opinion an ugly hack, but I wanted to show because it solves a problem that at least two packages have. That is, miniupnpd and, IIRC, strongswan create firewall rules on-the-fly. Without this patch, when the firewall is restarted the rules are lost. In the case of miniupnpd this causes miniupnpd to stop functioning at all.
The patch is based on the initial work by an IRC participant for
strongswan (sorry, I've forgotten who), and greatly hacked upon by me
to get it to work with miniupnpd.
It adds a new config section to /etc/config/firewall that looks like
config save
option table filter
option chain MINIUPNPD
where table is optional and defaults to filter (it can be any iptables
table, such as nat, filter, mangle, raw, etc.).
The patch saves all rules that name the specified chain (for the
given table, or filter if no table is given).
When the firewall is restarted, those rules are saved during stop, and on
start the chain is recreated and the rules are added back to the
firewall.
Use of this feature requires that the iptables-utils package be
installed.
The patch is against backfire as this is not intended to be final
version and I was testing on a couple of production routers.
Any suggestion on how to achieve the same goal without an ugly hack
would be appreciated.
Regards,
Daniel
--
And that's my crabbing done for the day. Got it out of the way early,
now I have the rest of the afternoon to sniff fragrant tea-roses or
strangle cute bunnies or something. -- Michael Devore
GnuPG Key Fingerprint 86 F5 81 A5 D4 2E 1F 1C http://gnupg.org
The C Shore (Daniel Dickinson's Website) http://cshore.is-a-geek.com
Index: package/firewall/files/uci_firewall.sh
===================================================================
--- package/firewall/files/uci_firewall.sh (revision 21263)
+++ package/firewall/files/uci_firewall.sh (working copy)
@@ -407,6 +407,56 @@
[ -e $path ] && . $path
}
+fw_print_table_chain() {
+ local table="$1"
+ local chain="$2"
+ local fsave="$3"
+ local fsavetmp="$fsave"".tmp"
+ local next_table_line
+ local cur_table_line
+ local table_line
+ table_line="$(($(grep -n "^*$table" "$fsave" | cut -f1 -d: ) + 1))"
+ tail -n+$table_line $fsave >"$fsavetmp"
+ for cur_table_line in $(grep -n "^*" "$fsavetmp"); do
+ [ -z "$next_table_line" ] && {
+ local lineno="$(echo $cur_table_line | cut -f1 -d:)"
+ [ -n "$lineno" ] && [ "$lineno" -gt $(($table_line - 1)) ] && {
+ next_table_line=$lineno
+ }
+ }
+ done
+ [ -z "$next_table_line" ] && {
+ next_table_line="$(cat $fsavetmp|wc -l)"
+ }
+ next_table_line=$(($next_table_line - 1))
+ head -n $next_table_line "$fsave.tmp" | grep $chain | grep -Ev "^:$chain"
+ rm -f "$fsavetmp"
+}
+
+fw_save_chain() {
+ local chain
+ local fsave="/tmp/.firewall/save"
+ config_get chain $1 chain
+ config_get table $1 table filter
+ [ -z "$chain" ] && return 0
+ mkdir -p /tmp/.firewall
+ iptables-save >"$fsave"
+ fw_print_table_chain $table $chain "$fsave" > /tmp/.firewall/save-$table-$chain
+}
+
+fw_load_chain() {
+ local chain
+ config_get chain $1 chain
+ config_get table $1 table filter
+ [ -e /tmp/.firewall/save-$table-$chain ] && [ "$(cat /tmp/.firewall/save-$table-$chain | wc -l)" -ge 1 ] && {
+ $IPTABLES -t $table -N $chain
+ while read line; do
+ sh -c "$IPTABLES -t $table $line"
+ done < /tmp/.firewall/save-$table-$chain
+# rm /tmp/.firewall/save-$table-$chain
+ }
+}
+
get_interface_zones() {
local interface="$2"
local name
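Review bot: The replay loop in fw_load_chain, `while read line; do sh -c "$IPTABLES -t $table $line"; done`, hands every saved rule back to a shell, so a rule whose arguments contain quotes, spaces or metacharacters (`-m comment --comment` strings are the usual case) is either mangled or interpreted by `sh -c` instead of by iptables, and because the save file is regenerated from the live ruleset on every stop, any rule that reaches the chain may end up running as a root shell command on the next restart. Feeding the saved lines to `iptables-restore -n` as a table/chain/COMMIT fragment, which the iptables-utils package this feature already requires provides, removes the shell from the path and keeps the quoting exactly as iptables-save wrote it. Separately, in fw_print_table_chain the boundary test `[ "$lineno" -gt $(($table_line - 1)) ]` compares line numbers of the trimmed `$fsavetmp` with the absolute offset of the table header in `$fsave`, so the next `*table` marker is missed whenever it lies fewer than `$table_line` lines into the trimmed file and rules for a same-named chain in a later table (miniupnpd keeps one in both nat and filter) are captured under the wrong table; every `^*` hit in the trimmed file is already past the header, so the `-gt` test can simply be dropped. `grep $chain` is also unanchored, so `MINIUPNPD` would pick up rules mentioning `MINIUPNPD2` or the name inside a comment; `grep -E -- " $chain( |$)"` narrows it to rules that append to or jump to the chain.
```shell
fw_load_chain() {
	local chain table saved
	config_get chain $1 chain
	config_get table $1 table filter
	saved="/tmp/.firewall/save-$table-$chain"
	[ -s "$saved" ] || return 0
	# replay through iptables-restore: -n (--noflush) leaves the rest of the
	# ruleset alone; the ':chain' line creates the chain, so no separate -N
	{
		echo "*$table"
		echo ":$chain - [0:0]"
		cat "$saved"
		echo "COMMIT"
	} | iptables-restore -n
}
```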
@@ -506,6 +556,8 @@
config_foreach fw_rule rule
echo "Loading includes"
config_foreach fw_include include
+ echo "Loading saved chains"
+ config_foreach fw_load_chain save
echo "Loading zone defaults"
config_foreach fw_zone_defaults zone
uci_set_state firewall core loaded 1
@@ -522,6 +574,7 @@
}
fw_stop() {
+ config_foreach fw_save_chain save
fw_clear
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
