From 415dbaaf1987fcca404aab9436559210cddb4e65 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Thu, 25 Nov 2010 18:50:55 +0000
Subject: [PATCH] Begin support of rule cache for quicker loading
---
 ChangeLog | 3 +++
 bin/firewall-sosdg | 24 +++++++++++++++---------
 include/functions | 5 +++++
 include/static | 3 +++
 4 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0a11ca6..7f5e169 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
 now going to be in conf/
 - Beginning work on configuration tool. If it ever gets completed is a whole different story. :)
+ - Option to use state or conntrack module for state tracking. By default, use conntrack.
+ - After some research, we seem to not need NEW state match in FORWARD
 0.9.10 - Brielle Bruns
 - Move clamp mss up earlier in the rules to possibly
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 6a87319..7c9ed68 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -62,6 +62,9 @@ while [ $# -gt 0 ]; do
 show_help
 exit 0
 ;;
+ --generate-cache)
+ GEN_CACHE="force"
+ ;;
 esac
 shift
 done
@@ -136,6 +139,18 @@ else
 C_STATE="--ctstate"
 fi
+if [ "$GEN_CACHE" ]; then
+ case $GEN_CACHE in
+ force)
+ IPTABLES="write_out_rules"
+ if [ "$IPV6" ]; then
+ IP6TABLES="write_out_rules"
+ fi
+ rm -f "${RULE_CACHE}" &>/dev/null
+ ;;
+ esac
+fi
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
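Review bot: The new `--generate-cache` arm is parsed, but nothing in this commit (see the diffstat) touches show_help, so the option stays invisible to anyone who runs the script with its help flag. Add a usage line next to the existing options, e.g. `--generate-cache   write the rules to $RULE_CACHE instead of applying them`, and a one-line comment on the arm such as `# Redirects $IPTABLES/$IP6TABLES to write_out_rules further down`. The enclosing `while [ $# -gt 0 ]` loop starts before the hunk.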
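Review bot: With `IPV6` set, both `IPTABLES` and `IP6TABLES` are pointed at write_out_rules, which appends to the single file `$RULE_CACHE`, so IPv4 and IPv6 rules land interleaved in one file with nothing marking which binary each line belongs to; whatever later replays the cache (not part of this commit) cannot tell them apart. Since the script expands `$IPTABLES` unquoted, the cheapest fix is to carry the original command along as the first argument: `IPTABLES="write_out_rules $IPTABLES"` and `IP6TABLES="write_out_rules $IP6TABLES"`, with the function recording that argument alongside the rule. The `rm -f "${RULE_CACHE}" &>/dev/null` line is also worth tidying: `-f` already silences a missing file and `&>` is a bashism the surrounding `[ ]`-style code otherwise avoids, so `rm -f -- "${RULE_CACHE}"` is enough. The `case` has no `*)` arm, so any GEN_CACHE value other than `force` silently does nothing; a comment stating that this is intended would help.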
@@ -161,15 +176,6 @@ if [ "$CLAMPMSS" ]; then
 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
 $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
- # This is necessary to make sure that PMTU works
- #$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
- # -o $i -j ACCEPT
- #$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- # -i $i -j ACCEPT
- #$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
- # -o $i -j ACCEPT
- #$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
- # -i $i -j ACCEPT
 done
 echo -en "\n"
 fi
diff --git a/include/functions b/include/functions
index 02455ec..60c2560 100755
--- a/include/functions
+++ b/include/functions
@@ -162,4 +162,9 @@ function apply_ipv4_hack {
 shift
 done
 echo -en "\n"
+}
+
+# write_out_rules
+function write_out_rules {
+ echo "$*" >> "$RULE_CACHE"
 }
\ No newline at end of file
diff --git a/include/static b/include/static
index ed34c5b..31e6151 100755
--- a/include/static
+++ b/include/static
@@ -59,3 +59,6 @@ RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
 # By default, use conntrack instead of state
 STATE_TYPE="conntrack"
+
+# Where we store output of cached rules
+RULE_CACHE=$BASEDIR/cache/ipt-rules
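Review bot: `echo "$*"` in write_out_rules joins the arguments with single spaces, so any argument containing whitespace (a `--comment` string, for example) loses its boundaries and cannot be split back into the original argv when the cache is replayed; `echo` also gives no way to notice a failed write. The file already relies on bash (`function` keyword), so preserve quoting and surface errors with `{ printf '%q ' "$@"; printf '\n'; } >> "$RULE_CACHE" || return 1` — the `|| return 1` matters because with the cache directory missing every rule is otherwise dropped silently while the run looks successful. The header `# write_out_rules` carries no information; something like `# write_out_rules ARGS... - record one iptables invocation in $RULE_CACHE instead of executing it` would document the contract. apply_ipv4_hack starts before the hunk.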
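Review bot: `RULE_CACHE=$BASEDIR/cache/ipt-rules` names a `cache` directory that no part of this commit creates, so the first append from write_out_rules fails unless the directory already happens to exist on the host. Because the cached file is presumably fed back as firewall rules with root privileges on later runs, it should be created deliberately rather than inherited from whatever umask the caller has: `mkdir -p -m 700 "$BASEDIR/cache"` next to this assignment (or where the cache is first written) keeps the directory and its contents from being writable by other users, who could otherwise alter the rules that get loaded. A comment stating that constraint would help future maintainers, e.g. `# Cached rules are replayed as root on load; this path must stay root-owned and not group/world-writable.`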