X-Git-Url: http://git.archive.openwrt.org/?a=blobdiff_plain;f=main.c;h=79d3b0b37acc7b2b33e4ff4ecf1373e5d9807a21;hb=c79bb766d587799bbe012defc00ed70644ceb7f5;hp=e5848276f420432cadf2d8c05a76d3c1f5a55a4e;hpb=bd574af529c0661c125336bdd9d0d1f2e09287c3;p=project%2Ffirewall3.git
diff --git a/main.c b/main.c
index e584827..79d3b0b 100644
--- a/main.c
+++ b/main.c
@@ -40,6 +40,9 @@ build_state(void)
 	struct fw3_state *state = NULL;
 	struct uci_package *p = NULL;
 
+	if (!fw3_ubus_connect())
+		error("Failed to connect to ubus");
+
 	state = malloc(sizeof(*state));
 
 	if (!state)
@@ -157,15 +160,18 @@ family_set(struct fw3_state *state, enum fw3_family family, bool set)
 }
 
 static int
-stop(struct fw3_state *state, bool complete, bool restart)
+stop(struct fw3_state *state, bool complete, bool reload)
 {
+	FILE *ct;
+	int rv = 1;
 	enum fw3_family family;
 	enum fw3_table table;
+	enum fw3_target policy = reload ? FW3_TARGET_DROP : FW3_TARGET_ACCEPT;
 
 	if (!complete && !state->statefile)
 	{
-		if (!restart)
+		if (!reload)
 			warn("The firewall appears to be stopped. "
 			     "Use the 'flush' command to forcefully purge all rules.");
 
@@ -199,11 +205,11 @@ stop(struct fw3_state *state, bool complete, bool restart)
 		else
 		{
 			/* pass 1 */
-			fw3_flush_rules(table, family, false, state);
+			fw3_flush_rules(table, family, false, state, policy);
 			fw3_flush_zones(table, family, false, state);
 
 			/* pass 2 */
-			fw3_flush_rules(table, family, true, state);
+			fw3_flush_rules(table, family, true, state, policy);
 			fw3_flush_zones(table, family, true, state);
 		}
 
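Review bot: Moving `fw3_ubus_connect()` into build_state() makes it run on every call, and the new restart branch in the last hunk calls build_state() twice in one process after free_state(); nothing visible releases the first connection, so confirm fw3_ubus_connect() tolerates a second call or have free_state() disconnect. If error() terminates the process, as its use here suggests, the early exit before malloc() leaves nothing to clean up, which is fine. A short comment at the new call stating why the connection is established during state construction would help the next reader. build_state() continues outside the hunk.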
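Review bot: The new `policy` declaration encodes the fail-closed behaviour of a reload — flushed chains apparently get a DROP policy while reloading and ACCEPT only on a real stop — and that reasoning is not written down anywhere in the hunk. Suggested comment on that line: `/* keep DROP on flushed chains while reloading so nothing is accepted before start() re-applies the rules */`. `FILE *ct` is only used by the conntrack block further down in stop(); if the project style permits C99 mixed declarations, declaring it beside that block keeps the scope tight. The body of stop() continues outside the hunk.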
@@ -212,18 +218,26 @@ stop(struct fw3_state *state, bool complete, bool restart)
 
 		fw3_command_close();
 
-		if (!restart)
+		if (!reload)
 			family_set(state, family, false);
 
 		rv = 0;
 	}
 
-	if (!restart && fw3_command_pipe(false, "ipset", "-exist", "-"))
+	if (!reload && fw3_command_pipe(false, "ipset", "-exist", "-"))
 	{
 		fw3_destroy_ipsets(state);
 		fw3_command_close();
 	}
 
+	if (complete && (ct = fopen("/proc/net/nf_conntrack", "w")) != NULL)
+	{
+		info("Flushing conntrack table ...");
+
+		fwrite("f\n", 2, 1, ct);
+		fclose(ct);
+	}
+
 	if (!rv)
 		fw3_write_statefile(state);
 
@@ -231,17 +245,21 @@ stop(struct fw3_state *state, bool complete, bool restart)
 }
 
 static int
-start(struct fw3_state *state, bool restart)
+start(struct fw3_state *state, bool reload)
 {
 	int rv = 1;
 	enum fw3_family family;
 	enum fw3_table table;
 
-	if (!print_rules && !restart &&
-	    fw3_command_pipe(false, "ipset", "-exist", "-"))
+	if (!print_rules && !reload)
 	{
-		fw3_create_ipsets(state);
-		fw3_command_close();
+		fw3_set_defaults(state);
+
+		if (fw3_command_pipe(false, "ipset", "-exist", "-"))
+		{
+			fw3_create_ipsets(state);
+			fw3_command_close();
+		}
 	}
 
 	for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
@@ -249,7 +267,7 @@ start(struct fw3_state *state, bool restart)
 		if (!family_used(family))
 			continue;
 
-		if (!print_rules && !restart && family_running(state, family))
+		if (!print_rules && !reload && family_running(state, family))
 		{
 			warn("The %s firewall appears to be started already. "
 			     "If it is indeed empty, remove the %s file and retry.",
@@ -282,12 +300,18 @@ start(struct fw3_state *state, bool restart)
 			fw3_pr("COMMIT\n");
 		}
 
+		if (!reload)
+			fw3_print_includes(family, state);
+
 		fw3_command_close();
 		family_set(state, family, true);
 
 		rv = 0;
 	}
 
+	if (!reload && !print_rules)
+		fw3_run_includes(state);
+
 	if (!rv && !print_rules)
 		fw3_write_statefile(state);
 
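Review bot: The results of `fwrite()` and `fclose()` in the new conntrack block are discarded, so a failed flush is reported as success by the info() that precedes it; because stdio buffers the write, the failure usually only surfaces from fclose(), so both must be checked. Suggest `bool ok = fwrite("f\n", 2, 1, ct) == 1;` followed by `if (fclose(ct) != 0 || !ok)` and `warn("Failed to flush conntrack table");`. The opening of fopen() only on `complete` is sensible since a plain reload does not need the table dropped. The enclosing loop and the rest of stop() lie outside the hunk.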
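Review bot: `fw3_set_defaults(state)` is now applied only on a non-reload, non-print start, so whatever it configures is never refreshed by `reload` even if the defaults section changed in between; if that is deliberate because those settings survive the rule flush, a comment at the new call would keep a later reader from "fixing" it. Suggested: `/* defaults persist across a reload; only apply them on a full start */`. The remainder of start() is outside the hunk.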
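Review bot: On a reload neither `fw3_print_includes()` nor `fw3_run_includes()` is called (both new calls are guarded by `!reload`), while the reload path has already flushed the tables via stop(), so any rules that include scripts added are presumably not restored until the next full restart; confirm this is intended or relax the guards. Since includes appear to be externally supplied scripts executed by the firewall, a one-line comment at the `fw3_run_includes` call noting where they are sourced from would document that trust boundary. The loop body of start() begins outside the hunk.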
@@ -339,7 +363,7 @@ lookup_device(struct fw3_state *state, const char *dev)
 static int
 usage(void)
 {
-	fprintf(stderr, "fw3 [-4] [-6] [-q] {start|stop|flush|restart|print}\n");
+	fprintf(stderr, "fw3 [-4] [-6] [-q] {start|stop|flush|reload|restart|print}\n");
 	fprintf(stderr, "fw3 [-q] network {net}\n");
 	fprintf(stderr, "fw3 [-q] device {dev}\n");
 
@@ -353,7 +377,7 @@ int main(int argc, char **argv)
 	struct fw3_state *state = NULL;
 	struct fw3_defaults *defs = NULL;
 
-	while ((ch = getopt(argc, argv, "46qh")) != -1)
+	while ((ch = getopt(argc, argv, "46dqh")) != -1)
 	{
 		switch (ch)
 		{
@@ -365,6 +389,10 @@ int main(int argc, char **argv)
 			use_family = FW3_FAMILY_V6;
 			break;
 
+		case 'd':
+			fw3_pr_debug = true;
+			break;
+
 		case 'q':
 			freopen("/dev/null", "w", stderr);
 			break;
@@ -375,9 +403,6 @@ int main(int argc, char **argv)
 		}
 	}
 
-	if (!fw3_ubus_connect())
-		error("Failed to connect to ubus");
-
 	state = build_state();
 	defs = &state->defaults;
 
@@ -419,6 +444,14 @@ int main(int argc, char **argv)
 	}
 	else if (!strcmp(argv[optind], "restart"))
 	{
+		stop(state, true, false);
+		free_state(state);
+
+		state = build_state();
+		rv = start(state, false);
+	}
+	else if (!strcmp(argv[optind], "reload"))
+	{
 		rv = stop(state, false, true);
 		rv = start(state, !rv);
 	}
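Review bot: The usage line now lists `reload` but not the new `-d` option that the getopt string in the following hunk accepts and the hunk after it handles, so `fw3 -h` is already out of step with the parser. Change it to `fprintf(stderr, "fw3 [-4] [-6] [-d] [-q] {start|stop|flush|reload|restart|print}\n");`. The `-d` case itself could carry a short comment such as `/* verbose rule/command tracing on stderr */` if that is what fw3_pr_debug controls.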
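Review bot: In the new restart branch `defs` still points into the state released by `free_state(state)` — it was taken as `&state->defaults` right after the earlier build_state() call — so if `defs` is read anywhere after the command dispatch it is a use-after-free; add `defs = &state->defaults;` after `state = build_state();`. The result of `stop(state, true, false)` is also discarded, unlike the reload branch which feeds its result into start() via `!rv`; if a failed flush should still abort the restart, keep `rv = stop(...)` and pass `!rv`. main() continues outside the hunk.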