From 8eb517c56988da4c5a4c755672ae8f99e97bb4b2 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 27 Feb 2013 14:16:44 +0100
Subject: [PATCH] add debug flag to monitor fw3_pr() calls, set policies to drop during reload

---
 defaults.c | 14 +++++++-------
 defaults.h | 3 ++-
 main.c | 19 ++++++++++++-------
 utils.c | 19 +++++++++++++++----
 utils.h | 2 ++
 5 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/defaults.c b/defaults.c
index 7f41c83..7f32728 100644
--- a/defaults.c
+++ b/defaults.c
@@ -318,19 +318,19 @@ fw3_set_defaults(struct fw3_state *state)
 }
 
 static void
-reset_policy(enum fw3_table table)
+reset_policy(enum fw3_table table, enum fw3_target policy)
 {
 if (table != FW3_TABLE_FILTER)
 return;
 
- fw3_pr(":INPUT ACCEPT [0:0]\n");
- fw3_pr(":OUTPUT ACCEPT [0:0]\n");
- fw3_pr(":FORWARD ACCEPT [0:0]\n");
+ fw3_pr(":INPUT %s [0:0]\n", fw3_flag_names[policy]);
+ fw3_pr(":OUTPUT %s [0:0]\n", fw3_flag_names[policy]);
+ fw3_pr(":FORWARD %s [0:0]\n", fw3_flag_names[policy]);
 }
 
 void
 fw3_flush_rules(enum fw3_table table, enum fw3_family family,
- bool pass2, struct fw3_state *state)
+ bool pass2, struct fw3_state *state, enum fw3_target policy)
 {
 struct fw3_defaults *d = &state->running_defaults;
 uint16_t mask = ~0;
@@ -343,7 +343,7 @@ fw3_flush_rules(enum fw3_table table, enum fw3_family family,
 
 if (!pass2)
 {
- reset_policy(table);
+ reset_policy(table, policy);
 
 print_chains(table, family, "-D %s\n", d->flags & mask,
 toplevel_rules, ARRAY_SIZE(toplevel_rules));
@@ -363,7 +363,7 @@ fw3_flush_rules(enum fw3_table table, enum fw3_family family,
 void
 fw3_flush_all(enum fw3_table table)
 {
- reset_policy(table);
+ reset_policy(table, FW3_TARGET_ACCEPT);
 
 fw3_pr("-F\n");
 fw3_pr("-X\n");
diff --git a/defaults.h b/defaults.h
index 29babd8..9547ace 100644
--- a/defaults.h
+++ b/defaults.h
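Review bot: reset_policy now indexes fw3_flag_names with whatever enum fw3_target the caller passes, but a built-in chain policy line in the restore stream is only valid for ACCEPT or DROP, so a caller handing in FW3_TARGET_REJECT or another target would emit a `:INPUT <name> [0:0]` line that iptables-restore rejects, and the bounds of fw3_flag_names are not visible here. A guard at the top of reset_policy, `if (policy != FW3_TARGET_ACCEPT && policy != FW3_TARGET_DROP) policy = FW3_TARGET_DROP;`, keeps the flush fail-closed instead of failing the whole restore (or use an assert if such callers count as a programming error). The new parameter also deserves a one-line comment on reset_policy stating that it is the built-in chain policy for the filter table and that only ACCEPT and DROP are meaningful. The body of fw3_flush_rules continues past the end of the hunk.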
@@ -37,7 +37,8 @@ void fw3_print_default_tail_rules(enum fw3_table table, enum fw3_family family,
 void fw3_set_defaults(struct fw3_state *state);
 
 void fw3_flush_rules(enum fw3_table table, enum fw3_family family,
- bool pass2, struct fw3_state *state);
+ bool pass2, struct fw3_state *state,
+ enum fw3_target policy);
 
 void fw3_flush_all(enum fw3_table table);
 
diff --git a/main.c b/main.c
index 65de9f5..1135c50 100644
--- a/main.c
+++ b/main.c
@@ -160,15 +160,16 @@ family_set(struct fw3_state *state, enum fw3_family family, bool set)
 }
 
 static int
-stop(struct fw3_state *state, bool complete, bool restart)
+stop(struct fw3_state *state, bool complete, bool reload)
 {
 int rv = 1;
 enum fw3_family family;
 enum fw3_table table;
+ enum fw3_target policy = reload ? FW3_TARGET_DROP : FW3_TARGET_ACCEPT;
 
 if (!complete && !state->statefile)
 {
- if (!restart)
+ if (!reload)
 warn("The firewall appears to be stopped. "
 "Use the 'flush' command to forcefully purge all rules.");
 
@@ -202,11 +203,11 @@ stop(struct fw3_state *state, bool complete, bool restart)
 else
 {
 /* pass 1 */
- fw3_flush_rules(table, family, false, state);
+ fw3_flush_rules(table, family, false, state, policy);
 fw3_flush_zones(table, family, false, state);
 
 /* pass 2 */
- fw3_flush_rules(table, family, true, state);
+ fw3_flush_rules(table, family, true, state, policy);
 fw3_flush_zones(table, family, true, state);
 }
 
@@ -215,13 +216,13 @@ stop(struct fw3_state *state, bool complete, bool restart)
 
 fw3_command_close();
 
- if (!restart)
+ if (!reload)
 family_set(state, family, false);
 
 rv = 0;
 }
 
- if (!restart && fw3_command_pipe(false, "ipset", "-exist", "-"))
+ if (!reload && fw3_command_pipe(false, "ipset", "-exist", "-"))
 {
 fw3_destroy_ipsets(state);
 fw3_command_close();
@@ -366,7 +367,7 @@ int main(int argc, char **argv)
 struct fw3_state *state = NULL;
 struct fw3_defaults *defs = NULL;
 
- while ((ch = getopt(argc, argv, "46qh")) != -1)
+ while ((ch = getopt(argc, argv, "46dqh")) != -1)
 {
 switch (ch)
 {
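Review bot: The new policy parameter of fw3_flush_rules is undocumented in the header, and since it is typed as the full enum fw3_target a reader cannot tell which values are acceptable. A comment above the prototype such as `/* policy: built-in chain policy installed on the filter table during pass 1; only FW3_TARGET_ACCEPT and FW3_TARGET_DROP are valid chain policies */` states the contract where callers will look for it. The visible callers in main.c pass DROP for a reload and ACCEPT otherwise, which is the behaviour the comment should pin down.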
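Review bot: The line `enum fw3_target policy = reload ? FW3_TARGET_DROP : FW3_TARGET_ACCEPT;` is the security-relevant part of the change and has no comment saying why; something like `/* reload: keep the filter built-in chains closed while the old rules are gone and the new set is not yet loaded; a plain stop opens them on purpose */` would preserve the intent. Two consequences are worth recording next to it: only the filter table is affected, because reset_policy returns early for other tables, and if the subsequent load fails the chains remain at DROP, which is fail-closed but can cut off remote administration until someone intervenes locally — presumably intended, worth confirming. The callers of stop() that must switch from the old restart argument to reload are outside this hunk.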
@@ -378,6 +379,10 @@ int main(int argc, char **argv)
 use_family = FW3_FAMILY_V6;
 break;
 
+ case 'd':
+ fw3_pr_debug = true;
+ break;
+
 case 'q':
 freopen("/dev/null", "w", stderr);
 break;
diff --git a/utils.c b/utils.c
index 34464ee..1b9d672 100644
--- a/utils.c
+++ b/utils.c
@@ -27,6 +27,9 @@ static int lock_fd = -1;
 static pid_t pipe_pid = -1;
 static FILE *pipe_fd = NULL;
 
+bool fw3_pr_debug = false;
+
+
 static void
 warn_elem_section_name(struct uci_section *s, bool find_name)
 {
@@ -250,10 +253,18 @@ __fw3_command_pipe(bool silent, const char *command, ...)
 void
 fw3_pr(const char *fmt, ...)
 {
- va_list args;
- va_start(args, fmt);
- vfprintf(pipe_fd, fmt, args);
- va_end(args);
+ va_list args;
+
+ if (fw3_pr_debug && pipe_fd != stdout)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ }
+
+ va_start(args, fmt);
+ vfprintf(pipe_fd, fmt, args);
+ va_end(args);
 }
 
 void
diff --git a/utils.h b/utils.h
index baba9df..43f30f4 100644
--- a/utils.h
+++ b/utils.h
@@ -35,6 +35,8 @@
 #define FW3_STATEFILE "/var/run/fw3.state"
 #define FW3_LOCKFILE "/var/run/fw3.lock"
 
+extern bool fw3_pr_debug;
+
 void warn_elem(struct uci_element *e, const char *format, ...);
 void warn(const char *format, ...);
 void error(const char *format, ...);
-- 
2.25.1
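Review bot: The new `case 'd'` only sets fw3_pr_debug, whose output goes to stderr (fw3_pr in utils.c), while the adjacent `case 'q'` does `freopen("/dev/null", "w", stderr)`; because the freopen rebinds stderr globally, `-d -q` in either order produces no debug output and no hint why. Either note the interaction where the flags are documented, or keep a copy of the original stderr for the debug mirror, e.g. `static FILE *debug_out; /* set to stderr before option parsing */` and write the mirror there. If main() prints a usage string it is outside this hunk and should list `-d` as well.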
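Review bot: The `pipe_fd != stdout` condition in the new fw3_pr body is not explained; a comment such as `/* in print mode the rules already reach the user on stdout; mirror to stderr only when writing into a child's pipe */` records the intent, which is inferred from the condition and worth confirming. The function also still writes through pipe_fd without a NULL check, so if fw3_pr can be reached before a pipe has been opened (not visible here) `vfprintf(pipe_fd, ...)` dereferences NULL; the debug branch does not change that but is a good place to add `if (!pipe_fd) return;` ahead of both writes. Restarting the va_list twice with matching va_start/va_end pairs is correct as written; va_copy would be the alternative if a single traversal is preferred.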