0000328: iptables.bak should be saved and restored when a restart is run too - PacketFence

Bug Tracking System

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0000328

PacketFence 1.7

public

2008-05-28 15:16

2008-06-02 11:51

Reporter

jsnapp

Assigned To

user4

Priority

normal

Severity

minor

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

Fixed in Version

Summary

0000328: iptables.bak should be saved and restored when a restart is run too

Description

While troubleshooting an issue I reported in http://www.packetfence.org/mantis/view.php?id=327 [^]
I found what IMHO was some convoluted code in pf/bin/pfcmd, pf/bin/start and pf/bin/stop.

The "control" function code is identical in each of these three files.

The main issue I have is that the "control" function code doesn't do anything in terms of saving or restoring iptables when "control" receives the "restart" command. I also think that even when it does decide whether to do a "save_iptables" or a "restore_iptables" it does an inefficient job of it.

I believe that when a "restart" command is sent to "control" function the function should effectively call itself again with a "stop" command and then again with a "start" command. This way we can have a full restart that includes restarting iptables.

I also think it is important to move the restore_iptables test after the call to "service_ctl" since that way we can know for sure whether any services are still running before we restore_iptables.

I know it may be a long shot but I have attached a rewrite of the code for the "control" function that belongs in pf/bin/pfcmd, pf/bin/start and pf/bin/stop.

Tags

No tags attached.

fixed in mtn revision

Attached Files

PFCMD_Control_Function.txt [^] (1,403 bytes) 2008-05-28 15:16 [Show Content] [Hide Content]

sub control {
  my $service = $cmd{command}[1];
  my $command = $cmd{command}[2];
  my @all_services=('pfdhcplistener','pfmon','pfdetect','pfredirect','snort','httpd');

  if ($command =~ /^restart$/i) {
    local $cmd{command}[2] = "stop";
    control();
    local $cmd{command}[2] = "start";
    control();
    return;
  }

  my @services;
  if ($service !~ /^pf$/) {
    push @services, $service;
  } else {
    @services = service_list();
  }

  if ($command =~ /^start$/i) {
    sanity_check(@services);
    my $running_services = 0;
    foreach my $srv (@all_services) {$running_services++ if (service_ctl($srv, "status"))}
    if (!$running_services) {save_iptables($install_dir.'/var/iptables.bak');}
  }

  print "service|command\n";
  if ($command !~ /^stop$/){
    print "config files|$command\n";
    read_dhcp_fingerprints_conf();
    read_violations_conf();
    print "iptables|$command\n";
    generate_iptables();
    generate_sysctl_conf();
    `/sbin/sysctl -p $install_dir/conf/sysctl.conf`;
  }

  foreach my $srv (@services){
    service_ctl($srv, $command);
    print "$srv|$command\n";
  }

  if ($command =~ /^stop$/i) {
    my $running_services = 0;
    foreach my $srv (@all_services) {$running_services++ if (service_ctl($srv, "status"))}
    if (!$running_services) {restore_iptables($install_dir.'/var/iptables.bak');}
  }
}

Relationships

Notes
(0000730) user4 2008-06-02 11:48	Thanks a lot for the suggested fix. I agree with it, with one minor modification. I added a test that restart calls stop/start only in the case when the service is 'pf' (i.e. all services). This way, a given daemon can have are more specific restart handling ...

(0000731) user4 2008-06-02 11:51	fixed in mtn revision 00e115ceb83b5686bcbbfc98ff12ca7352dd1d13

Issue History
Date Modified	Username	Field	Change
2008-05-28 15:16	jsnapp	New Issue
2008-05-28 15:16	jsnapp	File Added: PFCMD_Control_Function.txt
2008-05-28 23:08	user4	Status	new => assigned
2008-05-28 23:08	user4	Assigned To	=> user4
2008-06-02 11:48	user4	Note Added: 0000730
2008-06-02 11:51	user4	Status	assigned => closed
2008-06-02 11:51	user4	Note Added: 0000731
2008-06-02 11:51	user4	Resolution	open => fixed