2010-03-04 18:12:48 +01:00
|
|
|
#
|
2012-01-02 23:13:19 +01:00
|
|
|
# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
2014-01-04 18:48:27 +01:00
|
|
|
# (c) 2010-2014 - Tom Eastep (teastep@shorewall.net)
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
|
|
|
# Complete documentation is available at http://shorewall.net
|
|
|
|
#
|
2014-01-04 18:48:27 +01:00
|
|
|
# This program is part of Shorewall.
|
|
|
|
#
|
2010-03-04 18:12:48 +01:00
|
|
|
# This program is free software; you can redistribute it and/or modify
|
2014-01-04 18:48:27 +01:00
|
|
|
# it under the terms of the GNU General Public License as published by the
|
|
|
|
# Free Software Foundation, either version 2 of the license or, at your
|
|
|
|
# option, any later version.
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2014-01-04 18:48:27 +01:00
|
|
|
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
2010-03-16 16:49:17 +01:00
|
|
|
# The purpose of this library is to hold those functions used by both the CLI and by the
|
2010-03-04 21:38:02 +01:00
|
|
|
# generated firewall scripts. To avoid versioning issues, it is copied into generated
|
|
|
|
# scripts rather than loaded at run-time.
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
2012-01-02 23:13:19 +01:00
|
|
|
#########################################################################################
|
|
|
|
#
|
|
|
|
# Issue a message and stop
|
|
|
|
#
|
|
|
|
startup_error() # $* = Error Message
|
|
|
|
{
|
|
|
|
echo " ERROR: $@: Firewall state not changed" >&2
|
|
|
|
|
|
|
|
if [ $LOG_VERBOSITY -ge 0 ]; then
|
|
|
|
timestamp="$(date +'%_b %d %T') "
|
|
|
|
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
|
|
|
fi
|
|
|
|
|
|
|
|
case $COMMAND in
|
|
|
|
start)
|
|
|
|
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
|
|
|
|
;;
|
|
|
|
restart)
|
|
|
|
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
|
|
|
|
;;
|
|
|
|
restore)
|
|
|
|
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
if [ $LOG_VERBOSITY -ge 0 ]; then
|
|
|
|
timestamp="$(date +'%_b %d %T') "
|
|
|
|
|
|
|
|
case $COMMAND in
|
|
|
|
start)
|
|
|
|
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
|
|
|
|
;;
|
|
|
|
restart)
|
|
|
|
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
|
|
|
|
;;
|
|
|
|
restore)
|
|
|
|
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
2013-05-09 18:57:09 +02:00
|
|
|
mutex_off
|
2012-01-02 23:13:19 +01:00
|
|
|
kill $$
|
|
|
|
exit 2
|
|
|
|
}
|
|
|
|
|
2015-05-21 19:38:35 +02:00
|
|
|
#
|
|
|
|
# Fatal Error
|
|
|
|
#
|
|
|
|
fatal_error() # $@ = Message
|
|
|
|
{
|
|
|
|
echo " ERROR: $@" >&2
|
|
|
|
exit 2
|
|
|
|
}
|
|
|
|
|
2015-06-08 21:18:01 +02:00
|
|
|
#
|
|
|
|
# Not configured Error
|
|
|
|
#
|
2015-06-09 19:29:45 +02:00
|
|
|
not_configured_error() # $@ = Message
|
2015-06-08 21:18:01 +02:00
|
|
|
{
|
|
|
|
echo " ERROR: $@" >&2
|
|
|
|
exit 6
|
|
|
|
}
|
|
|
|
|
2010-03-04 18:12:48 +01:00
|
|
|
#
|
2015-07-26 19:27:30 +02:00
|
|
|
# Create the required option string and run the passed script using
|
2010-03-04 18:12:48 +01:00
|
|
|
# $SHOREWALL_SHELL
|
|
|
|
#
|
|
|
|
run_it() {
|
|
|
|
local script
|
|
|
|
local options
|
|
|
|
|
|
|
|
export VARDIR
|
2010-06-07 18:16:56 +02:00
|
|
|
|
2010-03-04 18:12:48 +01:00
|
|
|
script=$1
|
|
|
|
shift
|
|
|
|
|
2015-07-26 19:27:30 +02:00
|
|
|
if [ x$1 = xtrace -o x$1 = xdebug ]; then
|
|
|
|
options="$1 -"
|
|
|
|
shift;
|
2010-03-04 18:12:48 +01:00
|
|
|
else
|
2015-07-26 19:27:30 +02:00
|
|
|
options='-'
|
2010-03-04 18:12:48 +01:00
|
|
|
fi
|
2010-06-07 18:16:56 +02:00
|
|
|
|
2015-07-26 19:27:30 +02:00
|
|
|
[ -n "$g_noroutes" ] && options=${options}n
|
|
|
|
[ -n "$g_timestamp" ] && options=${options}t
|
|
|
|
[ -n "$g_purge" ] && options=${options}p
|
|
|
|
[ -n "$g_recovering" ] && options=${options}r
|
|
|
|
[ -n "$g_counters" ] && options=${options}c
|
|
|
|
|
|
|
|
options="${options}V $VERBOSITY"
|
|
|
|
|
|
|
|
[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
|
|
|
|
|
2010-03-04 18:12:48 +01:00
|
|
|
$SHOREWALL_SHELL $script $options $@
|
|
|
|
}
|
2010-03-04 21:38:02 +01:00
|
|
|
|
|
|
|
#
|
|
|
|
# Message to stderr
|
|
|
|
#
|
|
|
|
error_message() # $* = Error Message
|
|
|
|
{
|
|
|
|
echo " $@" >&2
|
2014-07-29 20:35:32 +02:00
|
|
|
return 1
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
2011-12-04 18:19:48 +01:00
|
|
|
#
|
|
|
|
# Undo the effect of 'split()'
|
|
|
|
#
|
|
|
|
join()
|
|
|
|
{
|
|
|
|
local f
|
|
|
|
local o
|
|
|
|
o=
|
|
|
|
|
|
|
|
for f in $* ; do
|
|
|
|
o="${o:+$o:}$f"
|
|
|
|
done
|
|
|
|
|
|
|
|
echo $o
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Return the number of elements in a list
|
|
|
|
#
|
|
|
|
list_count() # $* = list
|
|
|
|
{
|
|
|
|
return $#
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
|
|
|
# Split a colon-separated list into a space-separated list
|
|
|
|
#
|
|
|
|
split() {
|
|
|
|
local ifs
|
|
|
|
ifs=$IFS
|
|
|
|
IFS=:
|
|
|
|
echo $*
|
|
|
|
IFS=$ifs
|
|
|
|
}
|
|
|
|
|
2015-05-02 16:54:01 +02:00
|
|
|
#
|
|
|
|
# Split a comma-separated list into a space-separated list
|
|
|
|
#
|
|
|
|
split_list() {
|
|
|
|
local ifs
|
|
|
|
ifs=$IFS
|
|
|
|
IFS=,
|
|
|
|
echo $*
|
|
|
|
IFS=$ifs
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
|
|
|
# Search a list looking for a match -- returns zero if a match found
|
|
|
|
# 1 otherwise
|
|
|
|
#
|
|
|
|
list_search() # $1 = element to search for , $2-$n = list
|
|
|
|
{
|
|
|
|
local e
|
|
|
|
e=$1
|
|
|
|
|
|
|
|
while [ $# -gt 1 ]; do
|
|
|
|
shift
|
|
|
|
[ "x$e" = "x$1" ] && return 0
|
|
|
|
done
|
|
|
|
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Suppress all output for a command
|
|
|
|
#
|
|
|
|
qt()
|
|
|
|
{
|
|
|
|
"$@" >/dev/null 2>&1
|
|
|
|
}
|
|
|
|
|
2011-08-03 01:51:49 +02:00
|
|
|
#
|
|
|
|
# Suppress all output and input - mainly for preventing leaked file descriptors
|
|
|
|
# to avoid SELinux denials
|
|
|
|
#
|
|
|
|
qtnoin()
|
|
|
|
{
|
|
|
|
"$@" </dev/null >/dev/null 2>&1
|
|
|
|
}
|
|
|
|
|
2010-03-07 20:50:54 +01:00
|
|
|
qt1()
|
|
|
|
{
|
|
|
|
local status
|
|
|
|
|
|
|
|
while [ 1 ]; do
|
2011-08-03 01:51:49 +02:00
|
|
|
"$@" </dev/null >/dev/null 2>&1
|
2010-03-07 20:50:54 +01:00
|
|
|
status=$?
|
|
|
|
[ $status -ne 4 ] && return $status
|
|
|
|
done
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
2011-12-04 18:19:48 +01:00
|
|
|
# Determine if Shorewall[6] is "running"
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
2011-12-04 18:19:48 +01:00
|
|
|
product_is_started() {
|
|
|
|
qt1 $g_tool -L shorewall -n
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
shorewall_is_started() {
|
2011-08-03 01:51:49 +02:00
|
|
|
qt1 $IPTABLES -L shorewall -n
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
2011-12-04 18:19:48 +01:00
|
|
|
shorewall6_is_started() {
|
|
|
|
qt1 $IP6TABLES -L shorewall -n
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
|
|
|
# Echos the fully-qualified name of the calling shell program
|
|
|
|
#
|
|
|
|
my_pathname() {
|
2013-05-06 18:22:16 +02:00
|
|
|
local pwd
|
|
|
|
pwd=$PWD
|
2010-03-04 21:38:02 +01:00
|
|
|
cd $(dirname $0)
|
|
|
|
echo $PWD/$(basename $0)
|
2013-05-06 18:22:16 +02:00
|
|
|
cd $pwd
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Source a user exit file if it exists
|
|
|
|
#
|
|
|
|
run_user_exit() # $1 = file name
|
|
|
|
{
|
|
|
|
local user_exit
|
|
|
|
user_exit=$(find_file $1)
|
|
|
|
|
|
|
|
if [ -f $user_exit ]; then
|
|
|
|
progress_message "Processing $user_exit ..."
|
|
|
|
. $user_exit
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
|
|
|
|
# a space-separated list of directories to search for
|
|
|
|
# the module and that 'moduleloader' contains the
|
|
|
|
# module loader command.
|
|
|
|
#
|
|
|
|
loadmodule() # $1 = module name, $2 - * arguments
|
|
|
|
{
|
|
|
|
local modulename
|
|
|
|
modulename=$1
|
|
|
|
local modulefile
|
|
|
|
local suffix
|
|
|
|
|
2011-09-03 20:49:31 +02:00
|
|
|
if [ -d /sys/module/ ]; then
|
2011-09-13 16:42:26 +02:00
|
|
|
if ! list_search $modulename $DONT_LOAD; then
|
|
|
|
if [ ! -d /sys/module/$modulename ]; then
|
|
|
|
shift
|
|
|
|
|
|
|
|
for suffix in $MODULE_SUFFIX ; do
|
|
|
|
for directory in $moduledirectories; do
|
|
|
|
modulefile=$directory/${modulename}.${suffix}
|
|
|
|
|
|
|
|
if [ -f $modulefile ]; then
|
|
|
|
case $moduleloader in
|
|
|
|
insmod)
|
|
|
|
insmod $modulefile $*
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
modprobe $modulename $*
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
break 2
|
|
|
|
fi
|
|
|
|
done
|
2011-09-03 20:49:31 +02:00
|
|
|
done
|
2011-09-13 16:42:26 +02:00
|
|
|
fi
|
2011-09-03 20:49:31 +02:00
|
|
|
fi
|
|
|
|
elif ! list_search $modulename $DONT_LOAD $MODULES; then
|
2010-03-04 21:38:02 +01:00
|
|
|
shift
|
|
|
|
|
|
|
|
for suffix in $MODULE_SUFFIX ; do
|
|
|
|
for directory in $moduledirectories; do
|
|
|
|
modulefile=$directory/${modulename}.${suffix}
|
|
|
|
|
|
|
|
if [ -f $modulefile ]; then
|
|
|
|
case $moduleloader in
|
|
|
|
insmod)
|
|
|
|
insmod $modulefile $*
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
modprobe $modulename $*
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
break 2
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Reload the Modules
|
|
|
|
#
|
|
|
|
reload_kernel_modules() {
|
|
|
|
|
|
|
|
local save_modules_dir
|
|
|
|
save_modules_dir=$MODULESDIR
|
|
|
|
local directory
|
|
|
|
local moduledirectories
|
|
|
|
moduledirectories=
|
|
|
|
local moduleloader
|
|
|
|
moduleloader=modprobe
|
|
|
|
local uname
|
|
|
|
|
|
|
|
if ! qt mywhich modprobe; then
|
|
|
|
moduleloader=insmod
|
|
|
|
fi
|
|
|
|
|
2015-01-27 21:43:42 +01:00
|
|
|
[ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
|
2010-03-04 21:38:02 +01:00
|
|
|
|
|
|
|
[ -z "$MODULESDIR" ] && \
|
|
|
|
uname=$(uname -r) && \
|
2011-12-04 18:19:48 +01:00
|
|
|
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
2010-03-04 21:38:02 +01:00
|
|
|
|
2011-09-03 22:58:05 +02:00
|
|
|
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
2010-03-04 21:38:02 +01:00
|
|
|
|
|
|
|
for directory in $(split $MODULESDIR); do
|
|
|
|
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
|
|
|
done
|
|
|
|
|
|
|
|
[ -n "$moduledirectories" ] && while read command; do
|
|
|
|
eval $command
|
|
|
|
done
|
|
|
|
|
|
|
|
MODULESDIR=$save_modules_dir
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Load kernel modules required for Shorewall
|
|
|
|
#
|
|
|
|
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
|
|
|
{
|
|
|
|
local save_modules_dir
|
|
|
|
save_modules_dir=$MODULESDIR
|
|
|
|
local directory
|
|
|
|
local moduledirectories
|
|
|
|
moduledirectories=
|
|
|
|
local moduleloader
|
|
|
|
moduleloader=modprobe
|
|
|
|
local savemoduleinfo
|
|
|
|
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
|
|
|
local uname
|
|
|
|
|
|
|
|
if ! qt mywhich modprobe; then
|
|
|
|
moduleloader=insmod
|
|
|
|
fi
|
|
|
|
|
2015-01-27 21:43:42 +01:00
|
|
|
[ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
|
2010-03-04 21:38:02 +01:00
|
|
|
|
|
|
|
[ -z "$MODULESDIR" ] && \
|
|
|
|
uname=$(uname -r) && \
|
2011-12-04 18:19:48 +01:00
|
|
|
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
2010-03-04 21:38:02 +01:00
|
|
|
|
|
|
|
for directory in $(split $MODULESDIR); do
|
|
|
|
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
|
|
|
done
|
|
|
|
|
|
|
|
[ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
|
|
|
|
|
|
|
|
if [ -f $modules -a -n "$moduledirectories" ]; then
|
2011-09-03 22:58:05 +02:00
|
|
|
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
2010-03-04 21:38:02 +01:00
|
|
|
progress_message "Loading Modules..."
|
|
|
|
. $modules
|
|
|
|
if [ $savemoduleinfo = Yes ]; then
|
|
|
|
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
|
|
echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
|
|
|
|
cp -f $modules ${VARDIR}/.modules
|
|
|
|
fi
|
|
|
|
elif [ $savemoduleinfo = Yes ]; then
|
|
|
|
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
|
|
> ${VARDIR}/.modulesdir
|
|
|
|
> ${VARDIR}/.modules
|
|
|
|
fi
|
|
|
|
|
|
|
|
MODULESDIR=$save_modules_dir
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Note: The following set of IP address manipulation functions have anomalous
|
|
|
|
# behavior when the shell only supports 32-bit signed arithmetic and
|
|
|
|
# the IP address is 128.0.0.0 or 128.0.0.1.
|
|
|
|
#
|
|
|
|
|
|
|
|
LEFTSHIFT='<<'
|
|
|
|
|
|
|
|
#
|
|
|
|
# Convert an IP address in dot quad format to an integer
|
|
|
|
#
|
|
|
|
decodeaddr() {
|
|
|
|
local x
|
|
|
|
local temp
|
|
|
|
temp=0
|
|
|
|
local ifs
|
|
|
|
ifs=$IFS
|
|
|
|
|
|
|
|
IFS=.
|
|
|
|
|
|
|
|
for x in $1; do
|
|
|
|
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
|
|
|
|
done
|
|
|
|
|
|
|
|
echo $temp
|
|
|
|
|
|
|
|
IFS=$ifs
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# convert an integer to dot quad format
|
|
|
|
#
|
|
|
|
encodeaddr() {
|
|
|
|
addr=$1
|
|
|
|
local x
|
|
|
|
local y
|
|
|
|
y=$(($addr & 255))
|
|
|
|
|
|
|
|
for x in 1 2 3 ; do
|
|
|
|
addr=$(($addr >> 8))
|
|
|
|
y=$(($addr & 255)).$y
|
|
|
|
done
|
|
|
|
|
|
|
|
echo $y
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Netmask from CIDR
|
|
|
|
#
|
|
|
|
ip_netmask() {
|
|
|
|
local vlsm
|
|
|
|
vlsm=${1#*/}
|
|
|
|
|
|
|
|
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Network address from CIDR
|
|
|
|
#
|
|
|
|
ip_network() {
|
|
|
|
local decodedaddr
|
|
|
|
decodedaddr=$(decodeaddr ${1%/*})
|
|
|
|
local netmask
|
|
|
|
netmask=$(ip_netmask $1)
|
|
|
|
|
|
|
|
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# The following hack is supplied to compensate for the fact that many of
|
|
|
|
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
|
|
|
|
#
|
|
|
|
ip_broadcast() {
|
|
|
|
local x
|
|
|
|
x=$(( 32 - ${1#*/} ))
|
|
|
|
|
|
|
|
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Calculate broadcast address from CIDR
|
|
|
|
#
|
|
|
|
broadcastaddress() {
|
|
|
|
local decodedaddr
|
|
|
|
decodedaddr=$(decodeaddr ${1%/*})
|
|
|
|
local netmask
|
|
|
|
netmask=$(ip_netmask $1)
|
|
|
|
local broadcast
|
|
|
|
broadcast=$(ip_broadcast $1)
|
|
|
|
|
|
|
|
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Test for network membership
|
|
|
|
#
|
|
|
|
in_network() # $1 = IP address, $2 = CIDR network
|
|
|
|
{
|
|
|
|
local netmask
|
|
|
|
netmask=$(ip_netmask $2)
|
|
|
|
#
|
|
|
|
# Use string comparison to work around a broken BusyBox ash in OpenWRT
|
|
|
|
#
|
|
|
|
test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
|
|
|
|
}
|
|
|
|
|
2011-12-04 18:19:48 +01:00
|
|
|
#
|
|
|
|
# Query NetFilter about the existence of a filter chain
|
|
|
|
#
|
|
|
|
chain_exists() # $1 = chain name
|
|
|
|
{
|
2011-12-05 16:01:16 +01:00
|
|
|
qt1 $g_tool -L $1 -n
|
2011-12-04 18:19:48 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Find the interface with the passed MAC address
|
|
|
|
#
|
|
|
|
|
|
|
|
find_interface_by_mac() {
|
|
|
|
local mac
|
|
|
|
mac=$1
|
|
|
|
local first
|
|
|
|
local second
|
|
|
|
local rest
|
|
|
|
local dev
|
|
|
|
|
|
|
|
$IP link list | while read first second rest; do
|
|
|
|
case $first in
|
|
|
|
*:)
|
|
|
|
dev=$second
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
if [ "$second" = $mac ]; then
|
|
|
|
echo ${dev%:}
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
|
|
|
# Find interface address--returns the first IP address assigned to the passed
|
|
|
|
# device
|
|
|
|
#
|
|
|
|
find_first_interface_address() # $1 = interface
|
|
|
|
{
|
2011-12-04 18:19:48 +01:00
|
|
|
if [ $g_family -eq 4 ]; then
|
|
|
|
#
|
|
|
|
# get the line of output containing the first IP address
|
|
|
|
#
|
2012-01-03 17:39:18 +01:00
|
|
|
addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
2011-12-04 18:19:48 +01:00
|
|
|
#
|
|
|
|
# If there wasn't one, bail out now
|
|
|
|
#
|
|
|
|
[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
|
|
|
|
#
|
2012-04-24 23:52:57 +02:00
|
|
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
2011-12-04 18:19:48 +01:00
|
|
|
# along with everything else on the line
|
|
|
|
#
|
|
|
|
echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
|
|
|
else
|
|
|
|
#
|
|
|
|
# get the line of output containing the first IP address
|
|
|
|
#
|
2013-10-14 16:15:08 +02:00
|
|
|
addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
|
2011-12-04 18:19:48 +01:00
|
|
|
#
|
|
|
|
# If there wasn't one, bail out now
|
|
|
|
#
|
|
|
|
[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
|
|
|
|
#
|
|
|
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
|
|
# along with everything else on the line
|
|
|
|
#
|
|
|
|
echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
|
|
|
fi
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
find_first_interface_address_if_any() # $1 = interface
|
|
|
|
{
|
2011-12-04 18:19:48 +01:00
|
|
|
if [ $g_family -eq 4 ]; then
|
|
|
|
#
|
|
|
|
# get the line of output containing the first IP address
|
|
|
|
#
|
|
|
|
addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
|
|
|
#
|
|
|
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
|
|
# along with everything else on the line
|
|
|
|
#
|
|
|
|
[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
|
|
|
|
else
|
|
|
|
#
|
|
|
|
# get the line of output containing the first IP address
|
|
|
|
#
|
2013-10-14 16:15:08 +02:00
|
|
|
addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
|
2011-12-04 18:19:48 +01:00
|
|
|
#
|
|
|
|
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
|
|
# along with everything else on the line
|
|
|
|
#
|
|
|
|
[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
|
|
|
|
fi
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
2015-01-02 17:49:38 +01:00
|
|
|
#
|
|
|
|
#Determines if the passed interface is a loopback interface
|
|
|
|
#
|
|
|
|
loopback_interface() { #$1 = Interface name
|
|
|
|
[ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Find Loopback Interfaces
|
|
|
|
#
|
|
|
|
find_loopback_interfaces() {
|
|
|
|
local interfaces
|
|
|
|
|
2015-01-09 21:20:51 +01:00
|
|
|
[ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
|
2015-01-02 17:49:38 +01:00
|
|
|
|
|
|
|
[ -n "$interfaces" ] && echo $interfaces || echo lo
|
|
|
|
}
|
|
|
|
|
2010-03-04 21:38:02 +01:00
|
|
|
#
|
|
|
|
# Internal version of 'which'
|
|
|
|
#
|
|
|
|
mywhich() {
|
|
|
|
local dir
|
|
|
|
|
|
|
|
for dir in $(split $PATH); do
|
|
|
|
if [ -x $dir/$1 ]; then
|
|
|
|
echo $dir/$1
|
|
|
|
return 0
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
|
|
|
|
#
|
|
|
|
find_file()
|
|
|
|
{
|
|
|
|
local saveifs
|
|
|
|
saveifs=
|
|
|
|
local directory
|
|
|
|
|
|
|
|
case $1 in
|
|
|
|
/*)
|
|
|
|
echo $1
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
for directory in $(split $CONFIG_PATH); do
|
|
|
|
if [ -f $directory/$1 ]; then
|
|
|
|
echo $directory/$1
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
2013-02-13 16:45:24 +01:00
|
|
|
if [ -n "$g_shorewalldir" ]; then
|
|
|
|
echo ${g_shorewalldir}/$1
|
|
|
|
else
|
|
|
|
echo ${g_confdir}/$1
|
|
|
|
fi
|
2010-03-04 21:38:02 +01:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Set the Shorewall state
|
|
|
|
#
|
2011-12-04 18:19:48 +01:00
|
|
|
set_state () # $1 = state
|
2010-03-04 21:38:02 +01:00
|
|
|
{
|
2010-08-13 02:54:07 +02:00
|
|
|
if [ $# -gt 1 ]; then
|
|
|
|
echo "$1 ($(date)) from $2" > ${VARDIR}/state
|
|
|
|
else
|
|
|
|
echo "$1 ($(date))" > ${VARDIR}/state
|
|
|
|
fi
|
2010-03-04 21:38:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Perform variable substitution on the passed argument and echo the result
|
|
|
|
#
|
|
|
|
expand() # $@ = contents of variable which may be the name of another variable
|
|
|
|
{
|
|
|
|
eval echo \"$@\"
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Function for including one file into another
|
|
|
|
#
|
|
|
|
INCLUDE() {
|
|
|
|
. $(find_file $(expand $@))
|
|
|
|
}
|
|
|
|
|
|
|
|
# Function to truncate a string -- It uses 'cut -b -<n>'
|
|
|
|
# rather than ${v:first:last} because light-weight shells like ash and
|
|
|
|
# dash do not support that form of expansion.
|
|
|
|
#
|
|
|
|
|
|
|
|
truncate() # $1 = length
|
|
|
|
{
|
|
|
|
cut -b -${1}
|
|
|
|
}
|
2012-06-01 20:27:57 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
|
|
|
# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
|
|
|
# the first argument. Example "shorewall nolock refresh"
|
|
|
|
#
|
|
|
|
# This function uses the lockfile utility from procmail if it exists.
|
|
|
|
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
|
|
|
|
# behavior of lockfile.
|
|
|
|
#
|
|
|
|
mutex_on()
|
|
|
|
{
|
|
|
|
local try
|
|
|
|
try=0
|
|
|
|
local lockf
|
|
|
|
lockf=${LOCKFILE:=${VARDIR}/lock}
|
|
|
|
local lockpid
|
|
|
|
|
|
|
|
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
|
|
|
|
|
|
|
if [ $MUTEX_TIMEOUT -gt 0 ]; then
|
|
|
|
|
|
|
|
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
|
|
|
|
|
|
if [ -f $lockf ]; then
|
|
|
|
lockpid=`cat ${lockf} 2> /dev/null`
|
|
|
|
if [ -z "$lockpid" -o $lockpid = 0 ]; then
|
|
|
|
rm -f ${lockf}
|
|
|
|
error_message "WARNING: Stale lockfile ${lockf} removed"
|
|
|
|
elif [ $lockpid -eq $$ ]; then
|
|
|
|
return 0
|
|
|
|
elif ! qt ps p ${lockpid}; then
|
|
|
|
rm -f ${lockf}
|
|
|
|
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if qt mywhich lockfile; then
|
2012-09-12 19:03:09 +02:00
|
|
|
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
|
2012-06-01 20:27:57 +02:00
|
|
|
chmod u+w ${lockf}
|
|
|
|
echo $$ > ${lockf}
|
|
|
|
chmod u-w ${lockf}
|
|
|
|
else
|
|
|
|
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
|
|
|
sleep 1
|
|
|
|
try=$((${try} + 1))
|
|
|
|
done
|
|
|
|
|
|
|
|
if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
|
|
|
|
# Create the lockfile
|
|
|
|
echo $$ > ${lockf}
|
|
|
|
else
|
|
|
|
echo "Giving up on lock file ${lockf}" >&2
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Call this function to release mutual exclusion
|
|
|
|
#
|
|
|
|
mutex_off()
|
|
|
|
{
|
|
|
|
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
|
|
|
}
|
|
|
|
|