(0000716)
jsnapp
2008-05-21 15:56
(edited on: 2008-05-21 16:57) |
Sorry, I just realized there are three other places where the "restore_iptables" function gets called. It's called from pf/bin/start, pf/bin/stop and pf/bin/pfcmd. Each of those calls is restore_iptables($install_dir.'/var/iptables.bak');
These calls need to flush iptables which means the fix I suggested above won't work.
However, it doesn't seem like it would be very complicated to get iptables.post to work since restore_iptables function is called 4 times for flushing requests and 1 time for non-flushing.
Can we simply add a parameter to restore_iptables such as $noflush and set it true or false as needed?
The following code seems to work fine on my install:
--- iptables.pm.old 2008-05-21 16:50:39.000000000 -0400
+++ iptables.pm 2008-05-21 16:40:31.000000000 -0400
@@ -566,7 +566,7 @@
die "IPTables filter table commit error: $!n";
}
if (-r $post_file) {
- restore_iptables($post_file);
+ restore_iptables($post_file, 1);
}
}
@@ -678,10 +678,16 @@
}
sub restore_iptables {
- my ($restore_file) = @_;
+ my ($restore_file, $noflush) = @_;
if (-r $restore_file) {
- pflogger("restoring iptables from ".$restore_file, 8);
+ if (defined $noflush && $noflush) {
+ `/sbin/iptables-restore -n < $restore_file`;
+ pflogger("restoring iptables without flush from ".$restore_file, 8);
+ }
+ else {
`/sbin/iptables-restore < $restore_file`;
+ pflogger("restoring iptables with flush from ".$restore_file, 8);
+ }
}
}
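Review bot: Both branches of the new `if` run iptables-restore through backticks and discard the result, so a failed restore (unreadable or malformed rule file, missing binary, insufficient privilege) is logged at level 8 as a completed restore and `$?` is never examined. The interpolated `$restore_file` is also passed through a shell, so a path containing whitespace or shell metacharacters would be mis-parsed; it is presumably a configured install-dir path rather than user input, but a list-form pipe open removes the shell from the picture and lets `close` report the child's exit status. The same two issues apply to `restore_iptables_noflush` in the 0000717 patch. `defined $noflush && $noflush` can be simply `$noflush`, and the log message is better emitted once, before the command, with the flush mode selected by the flag.
```perl
sub restore_iptables {
    my ($restore_file, $noflush) = @_;
    return unless -r $restore_file;
    # -n asks iptables-restore not to flush the existing rules first
    my @cmd = ('/sbin/iptables-restore', ($noflush ? ('-n') : ()));
    pflogger("restoring iptables " . ($noflush ? "without" : "with")
             . " flush from " . $restore_file, 8);
    open my $in, '<', $restore_file
        or die "cannot read $restore_file: $!";
    # list-form pipe open: the path and flags never reach a shell
    open my $restore, '|-', @cmd
        or die "cannot run @cmd: $!";
    print {$restore} <$in>;
    close $in;
    # close on a pipe returns false when the child exits non-zero
    close $restore
        or die "iptables-restore failed on $restore_file: "
             . ($! ? $! : "exit status " . ($? >> 8));
}
```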
(0000717)
user4
2008-05-22 07:52
--- pf/lib/pf/iptables.pm 654ee434232839303af5867a6ae1abbaa7205dab
+++ pf/lib/pf/iptables.pm 080d3ba2f71c1aff5d059bf741611e787cc660e9
@@ -566,7 +566,7 @@ sub generate_iptables {
die "IPTables filter table commit error: $!n";
}
if (-r $post_file) {
- restore_iptables($post_file);
+ restore_iptables_noflush($post_file);
}
}
@@ -685,4 +685,11 @@ sub restore_iptables {
}
}
+sub restore_iptables_noflush {
+ my ($restore_file) = @_;
+ if (-r $restore_file) {
+ pflogger("restoring iptables (no flush) from ".$restore_file, 8);
+ `/sbin/iptables-restore -n < $restore_file`;
+ }
+}
1 |