}
static void
-reset_policy(enum fw3_table table)
+reset_policy(enum fw3_table table, enum fw3_target policy)
{
if (table != FW3_TABLE_FILTER)
return;
- fw3_pr(":INPUT ACCEPT [0:0]\n");
- fw3_pr(":OUTPUT ACCEPT [0:0]\n");
- fw3_pr(":FORWARD ACCEPT [0:0]\n");
+ fw3_pr(":INPUT %s [0:0]\n", fw3_flag_names[policy]);
+ fw3_pr(":OUTPUT %s [0:0]\n", fw3_flag_names[policy]);
+ fw3_pr(":FORWARD %s [0:0]\n", fw3_flag_names[policy]);
}
void
fw3_flush_rules(enum fw3_table table, enum fw3_family family,
- bool pass2, struct fw3_state *state)
+ bool pass2, struct fw3_state *state, enum fw3_target policy)
{
struct fw3_defaults *d = &state->running_defaults;
uint16_t mask = ~0;
if (!pass2)
{
- reset_policy(table);
+ reset_policy(table, policy);
print_chains(table, family, "-D %s\n", d->flags & mask,
toplevel_rules, ARRAY_SIZE(toplevel_rules));
void
fw3_flush_all(enum fw3_table table)
{
- reset_policy(table);
+ reset_policy(table, FW3_TARGET_ACCEPT);
fw3_pr("-F\n");
fw3_pr("-X\n");
void fw3_set_defaults(struct fw3_state *state);
void fw3_flush_rules(enum fw3_table table, enum fw3_family family,
- bool pass2, struct fw3_state *state);
+ bool pass2, struct fw3_state *state,
+ enum fw3_target policy);
void fw3_flush_all(enum fw3_table table);
}
static int
-stop(struct fw3_state *state, bool complete, bool restart)
+stop(struct fw3_state *state, bool complete, bool reload)
{
int rv = 1;
enum fw3_family family;
enum fw3_table table;
+ enum fw3_target policy = reload ? FW3_TARGET_DROP : FW3_TARGET_ACCEPT;
if (!complete && !state->statefile)
{
- if (!restart)
+ if (!reload)
warn("The firewall appears to be stopped. "
"Use the 'flush' command to forcefully purge all rules.");
else
{
/* pass 1 */
- fw3_flush_rules(table, family, false, state);
+ fw3_flush_rules(table, family, false, state, policy);
fw3_flush_zones(table, family, false, state);
/* pass 2 */
- fw3_flush_rules(table, family, true, state);
+ fw3_flush_rules(table, family, true, state, policy);
fw3_flush_zones(table, family, true, state);
}
fw3_command_close();
- if (!restart)
+ if (!reload)
family_set(state, family, false);
rv = 0;
}
- if (!restart && fw3_command_pipe(false, "ipset", "-exist", "-"))
+ if (!reload && fw3_command_pipe(false, "ipset", "-exist", "-"))
{
fw3_destroy_ipsets(state);
fw3_command_close();
struct fw3_state *state = NULL;
struct fw3_defaults *defs = NULL;
- while ((ch = getopt(argc, argv, "46qh")) != -1)
+ while ((ch = getopt(argc, argv, "46dqh")) != -1)
{
switch (ch)
{
use_family = FW3_FAMILY_V6;
break;
+ case 'd':
+ fw3_pr_debug = true;
+ break;
+
case 'q':
freopen("/dev/null", "w", stderr);
break;
static pid_t pipe_pid = -1;
static FILE *pipe_fd = NULL;
+bool fw3_pr_debug = false;
+
+
static void
warn_elem_section_name(struct uci_section *s, bool find_name)
{
void
fw3_pr(const char *fmt, ...)
{
- va_list args;
- va_start(args, fmt);
- vfprintf(pipe_fd, fmt, args);
- va_end(args);
+ va_list args;
+
+ if (fw3_pr_debug && pipe_fd != stdout)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ }
+
+ va_start(args, fmt);
+ vfprintf(pipe_fd, fmt, args);
+ va_end(args);
}
void
#define FW3_STATEFILE "/var/run/fw3.state"
#define FW3_LOCKFILE "/var/run/fw3.lock"
+extern bool fw3_pr_debug;
+
void warn_elem(struct uci_element *e, const char *format, ...);
void warn(const char *format, ...);
void error(const char *format, ...);
projects / project / firewall3.git / commitdiff