3 ### Failsafe prologue for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Failsafe prologue.
30 ## Report a firewall script failure and retreat to a safe place.
32 echo "$2! Retreating to safe version..."
33 if [ -f /var/run/firewall.save ] && [ -f /var/run/firewall6.save ]; then
34 echo "Trying to loading saved firewall state..."
35 if iptables-restore </var/run/firewall.save &&
36 ip6tables-restore </var/run/firewall6.save; then
37 echo "Previous firewall state restored."
40 echo "Failed! Falling back to plan B."
43 if ! "$1" revert; then
44 echo >&2 "Safe firewall failed. You're screwed. Good luck."
47 echo >&2 "Phew! Fallback to safe version successful."
58 ## Install the NEW firewall rules. If it fails, revert to the OLD ones.
59 ## Updating firewall rules can fail spectacularly, so be careful. Leave a
60 ## timebomb in the form of NEW.errors: if this isn't removed in 10 seconds
61 ## after the NEW rules complete successfully, then revert. Write errors to
64 ## Make sure we have an escape route.
65 iptables-save >/var/run/firewall.save.new
66 ip6tables-save >/var/run/firewall6.save.new
67 mv /var/run/firewall.save.new /var/run/firewall.save
68 mv /var/run/firewall6.save.new /var/run/firewall6.save
70 ## Clear the air and make the errors file.
71 rm -f "$new.errors" "$new.timebomb" "$new.grabbed"
72 exec >"$new.errors" 2>&1
74 ## Now try to install the new firewall.
75 "$new" install || revert "$old" "Failed"
77 ## Set up the time bomb. Leave the errors file there if we failed.
79 if [ -f "$new.errors" ]; then
80 mv "$new.errors" "$new.timebomb"
81 revert "$old" "Time bomb"
87 ## Report successful installation of the script.
89 if mv "$new.errors" "$new.grabbed" 2>/dev/null; then
93 mv "$new.timebomb" "$new.grabbed"
94 echo "Timebomb went off."
97 cat "$new.grabbed" >&2
102 exit_after_clearing=:
103 export FWCOOKIE=magical
104 case "$#,${1-update}" in
105 1,start | 1,restart | 1,reload | 1,force-reload)
106 echo -n "Starting up firewall... "
107 "$firewall_script" install || revert "$firewall_failsafe" "Failed"
111 echo -n "Shutting down firewall... "
112 exit_after_clearing=finished
115 echo -n "Running new firewall... "
116 if ! (try "$firewall_script" "$0"); then
122 echo "Can you hear me?"
123 (trap 'exit 127' TERM
125 if [ -f "$0.timebomb" ]; then
127 echo "Timebomb went off!"
137 replace,y* | replace,Y*)
138 install -m755 "$0" "$firewall_script"
139 echo "Cool. Firewall script replaced."
143 echo "Cool. Everything seems good."
147 revert "$firewall_script" "Bogus"
152 try "$firewall_script" "$0"
157 install -m755 "$0" "$firewall_script"
160 1,install | 1,revert)
165 $0 start|stop|reload|restart|force-reload
166 $0 replace|test|remote-prepare|remote-commit
173 ###----- That's all, folks --------------------------------------------------