# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # # (c) 1999-2012 - Tom Eastep (teastep@shorewall.net) # # Options are: # # -n Don't alter Routing # -v and -q Standard Shorewall Verbosity control # -t Timestamp progress messages # -p Purge conntrack table # -r Recover from failed start/restart # -V <verbosity> Set verbosity level explicitly # -R <restore> Overrides RESTOREFILE setting # # Commands are: # # start Starts the firewall # refresh Refresh the firewall # restart Restarts the firewall # reload Reload the firewall # clear Removes all firewall rules # stop Stops the firewall # status Displays firewall status # version Displays the version of Shorewall that # generated this program # ################################################################################ # Functions imported from /usr/share/shorewall/lib.core ################################################################################ # Address family-neutral Functions ################################################################################ # # Conditionally produce message # progress_message() # $* = Message { local timestamp timestamp= if [ $VERBOSITY -gt 1 ]; then [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " echo "${timestamp}$@" fi if [ $LOG_VERBOSITY -gt 1 ]; then timestamp="$(date +'%b %_d %T') " echo "${timestamp}$@" >> $STARTUP_LOG fi } progress_message2() # $* = Message { local timestamp timestamp= if [ $VERBOSITY -gt 0 ]; then [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " echo "${timestamp}$@" fi if [ $LOG_VERBOSITY -gt 0 ]; then timestamp="$(date +'%b %_d %T') " echo "${timestamp}$@" >> $STARTUP_LOG fi } progress_message3() # $* = Message { local timestamp timestamp= if [ $VERBOSITY -ge 0 ]; then [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) " echo "${timestamp}$@" fi if [ $LOG_VERBOSITY -ge 0 ]; then timestamp="$(date +'%b %_d %T') " echo "${timestamp}$@" >> $STARTUP_LOG fi } # # Set a standard chain's policy # setpolicy() # $1 = name of chain, $2 = policy { run_iptables -P $1 $2 } # # Generate a list of all network interfaces on the system # find_all_interfaces() { ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' } # # Generate a list of all network interfaces on the system that have an ipvX address # find_all_interfaces1() { ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' } # # Find the value 'dev' in the passed arguments then echo the next value # find_device() { while [ $# -gt 1 ]; do [ "x$1" = xdev ] && echo $2 && return shift done } # # Find the value 'via' in the passed arguments then echo the next value # find_gateway() { while [ $# -gt 1 ]; do [ "x$1" = xvia ] && echo $2 && return shift done } # # Find the value 'mtu' in the passed arguments then echo the next value # find_mtu() { while [ $# -gt 1 ]; do [ "x$1" = xmtu ] && echo $2 && return shift done } # # Find the value 'peer' in the passed arguments then echo the next value up to # "/" # find_peer() { while [ $# -gt 1 ]; do [ "x$1" = xpeer ] && echo ${2%/*} && return shift done } # # Try to find the gateway through an interface looking for 'nexthop' find_nexthop() # $1 = interface { echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`) } # # Find the default route's interface # find_default_interface() { $IP -$g_family route list | while read first rest; do [ "$first" = default ] && echo $(find_device $rest) && return done } # # Determine if Interface is up # interface_is_up() { [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] } # # echo the list of networks routed out of a given interface # get_routed_networks() # $1 = interface name, $2-n = Fatal error message { local address local rest local mask [ $g_family -eq 4 ] && mask=32 || mask=128 $IP -$g_family route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) if [ $# -gt 1 ]; then shift fatal_error "$@" else echo "WARNING: default route ignored on interface $1" >&2 fi ;; multicast|broadcast|prohibit|nat|throw|nexthop) ;; [2-3]*) [ "$address" = "${address%/*}" ] && address="${address}/${mask}" echo $address ;; *) if [ $g_family -eq 4 ]; then [ "$address" = "${address%/*}" ] && address="${address}/${mask}" echo $address fi ;; esac done } # # Clear the current traffic shaping configuration # delete_tc1() { clear_one_tc() { $TC qdisc del dev $1 root 2> /dev/null $TC qdisc del dev $1 ingress 2> /dev/null } run_tcclear_exit run_ip link list | \ while read inx interface details; do case $inx in [0-9]*) clear_one_tc ${interface%:} ;; *) ;; esac done } # # Detect a device's MTU -- echos the passed device's MTU # get_device_mtu() # $1 = device { local output output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) else echo 1500 fi } # # Version of the above that doesn't generate any output for MTU 1500. # Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100 # get_device_mtu1() # $1 = device { local output output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then mtu=$(find_mtu $output) if [ -n "$mtu" ]; then [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) fi fi } # # Undo changes to routing # undo_routing() { local undofiles local f if [ -z "$g_noroutes" ]; then # # Restore rt_tables database # if [ -f ${VARDIR}/rt_tables ]; then [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" rm -f ${VARDIR}/rt_tables fi # # Restore the rest of the routing table # undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)" if [ -n "$undofiles" ]; then for f in $undofiles; do . $f done rm -f $undofiles progress_message "Shorewall-generated routing tables and routing rules removed" fi fi } # # Save the default route # save_default_route() { awk \ 'BEGIN {defroute=0;}; /^default / {defroute=1; print; next}; /nexthop/ {if (defroute == 1 ) {print ; next} }; { defroute=0; };' } # # Restore the default route that was in place before the initial 'shorewall start' # replace_default_route() # $1 = USE_DEFAULT_RT { # # default_route and result are inherited from the caller # if [ -n "$default_route" ]; then case "$default_route" in *metric*) # # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0 # [ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored" default_route= ;; *) qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored" result=0 default_route= ;; esac fi } restore_default_route() # $1 = USE_DEFAULT_RT { local result result=1 if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then local default_route default_route= local route while read route ; do case $route in default*) replace_default_route $1 default_route="$default_route $route" ;; *) default_route="$default_route $route" ;; esac done < ${VARDIR}/default_route replace_default_route $1 if [ $result = 1 ]; then # # We didn't restore a default route with metric 0 # if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then # # But we added a default route with metric 0 # qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted" fi fi rm -f ${VARDIR}/default_route fi return $result } # # Flush the conntrack table if $g_purge is non-empty # conditionally_flush_conntrack() { if [ -n "$g_purge" ]; then if [ -n $(mywhich conntrack) ]; then conntrack -F else error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system" fi fi } # # Issue a message and stop/restore the firewall. # fatal_error() { echo " ERROR: $@" >&2 if [ $LOG_VERBOSITY -ge 0 ]; then timestamp="$(date +'%_b %d %T') " echo "${timestamp} ERROR: $@" >> $STARTUP_LOG fi stop_firewall [ -n "$TEMPFILE" ] && rm -f $TEMPFILE exit 2 } # # Run iptables/ip6tables and if an error occurs, stop/restore the firewall # run_iptables() { local status while [ 1 ]; do $g_tool $@ status=$? [ $status -ne 4 ] && break done if [ $status -ne 0 ]; then error_message "ERROR: Command \"$g_tool $@\" Failed" stop_firewall exit 2 fi } # # Run iptables/ip6tables retrying exit status 4 # do_iptables() { local status while [ 1 ]; do $g_tool $@ status=$? [ $status -ne 4 ] && return $status; done } # # Run ip and if an error occurs, stop/restore the firewall # run_ip() { if ! $IP -$g_family $@; then error_message "ERROR: Command \"$IP -$g_family $@\" Failed" stop_firewall exit 2 fi } # # Run tc and if an error occurs, stop/restore the firewall # run_tc() { if ! $TC $@ ; then error_message "ERROR: Command \"$TC $@\" Failed" stop_firewall exit 2 fi } # # Run the .iptables_restore_input as a set of discrete iptables commands # debug_restore_input() { local first second rest table chain # # Clear the ruleset # qt1 $g_tool -t mangle -F qt1 $g_tool -t mangle -X for chain in PREROUTING INPUT FORWARD POSTROUTING; do qt1 $g_tool -t mangle -P $chain ACCEPT done qt1 $g_tool -t raw -F qt1 $g_tool -t raw -X for chain in PREROUTING OUTPUT; do qt1 $g_tool -t raw -P $chain ACCEPT done qt1 $g_tool -t rawpost -F qt1 $g_tool -t rawpost -X for chain in POSTROUTING; do qt1 $g_tool -t rawpost -P $chain ACCEPT done qt1 $g_tool -t nat -F qt1 $g_tool -t nat -X for chain in PREROUTING POSTROUTING; do qt1 $g_tool -t nat -P $chain ACCEPT done qt1 $g_tool -t filter -F qt1 $g_tool -t filter -X for chain in INPUT FORWARD OUTPUT; do qt1 $g_tool -t filter -P $chain -P ACCEPT done while read first second rest; do case $first in -*) # # We can't call run_iptables() here because the rules may contain quoted strings # eval $g_tool -t $table $first $second $rest if [ $? -ne 0 ]; then error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed" stop_firewall exit 2 fi ;; :*) chain=${first#:} if [ "x$second" = x- ]; then do_iptables -t $table -N $chain else do_iptables -t $table -P $chain $second fi if [ $? -ne 0 ]; then error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed" stop_firewall exit 2 fi ;; # # This grotesque hack with the table names works around a bug/feature with ash # '*'raw) table=raw ;; '*'rawpost) table=rawpost ;; '*'mangle) table=mangle ;; '*'nat) table=nat ;; '*'filter) table=filter ;; esac done } interface_up() { return $(cat ${VARDIR}/$1.status) } distribute_load() { local interface local totalload local load local mark local maxload maxload=$1 shift totalload=0 for interface in $@; do if interface_up $interface; then load=$(cat ${VARDIR}/${interface}_load) eval ${interface}_load=$load mark=$(cat ${VARDIR}/${interface}_mark) eval ${interface}_mark=$mark totalload=$( bc <<EOF scale=8 $totalload + $load EOF ) fi done if [ $totalload ]; then for interface in $@; do qt $g_tool -t mangle -F ~$interface eval load=\$${interface}_load eval mark=\$${interface}_mark if [ -n "$load" ]; then load=$(bc <<EOF scale=8 ( $load / $totalload ) * $maxload EOF ) totalload=$(bc <<EOF scale=8 $totalload - $load EOF ) run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark fi done fi } ?IF __IPV4 ################################################################################# # IPv4-specific Functions ################################################################################# # # Determine if interface is usable from a Netfilter perspective # interface_is_usable() # $1 = interface { local status; status=0 if [ "$1" != lo ]; then if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then [ "$COMMAND" = enable ] || run_isusable_exit $1 status=$? else status=1 fi fi return $status } # # Find interface addresses--returns the set of addresses assigned to the passed device # find_interface_addresses() # $1 = interface { $IP -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' } # # Find the value 'weight' in the passed arguments then echo the next value # find_weight() { while [ $# -gt 1 ]; do [ "x$1" = xweight ] && echo $2 && return shift done } # # Find the interfaces that have a route to the passed address - the default # route is not used. # find_rt_interface() { $IP -4 route list | while read addr rest; do case $addr in */*) in_network ${1%/*} $addr && echo $(find_device $rest) ;; default) ;; *) if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then echo $(find_device $rest) fi ;; esac done } # # Echo the name of the interface(s) that will be used to send to the # passed address # find_interface_by_address() { local dev dev="$(find_rt_interface $1)" local first local rest [ -z "$dev" ] && dev=$(find_default_interface) [ -n "$dev" ] && echo $dev } # # echo the list of networks routed out of a given interface # get_routed_networks() # $1 = interface name, $2-n = Fatal error message { local address local rest $IP -4 route show dev $1 2> /dev/null | while read address rest; do case "$address" in default) if [ $# -gt 1 ]; then shift fatal_error "$@" else echo "WARNING: default route ignored on interface $1" >&2 fi ;; multicast|broadcast|prohibit|nat|throw|nexthop) ;; *) [ "$address" = "${address%/*}" ] && address="${address}/32" echo $address ;; esac done } # # Get the broadcast addresses associated with an interface # get_interface_bcasts() # $1 = interface { local addresses addresses= $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } # # Delete IP address # del_ip_addr() # $1 = address, $2 = interface { [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2 } # Add IP Aliases # add_ip_aliases() # $* = List of addresses { local local local addresses local external local interface local inet local cidr local rest local val local arping arping=$(mywhich arping) address_details() { # # Folks feel uneasy if they don't see all of the same # decoration on these IP addresses that they see when their # distro's net config tool adds them. In an attempt to reduce # the anxiety level, we have the following code which sets # the VLSM and BRD from an existing address in the same network # # Get all of the lines that contain inet addresses with broadcast # $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in */*) if in_network $external $cidr; then echo "/${cidr#*/} brd $(broadcastaddress $cidr)" break fi ;; esac done } do_one() { val=$(address_details) $IP addr add ${external}${val} dev $interface $label [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external echo "$external $interface" >> $VARDIR/nat [ -n "$label" ] && label="with $label" progress_message " IP Address $external added to interface $interface $label" } progress_message "Adding IP Addresses..." while [ $# -gt 0 ]; do external=$1 interface=$2 label= if [ "$interface" != "${interface%:*}" ]; then label="${interface#*:}" interface="${interface%:*}" label="label $interface:$label" fi shift 2 list_search $external $(find_interface_addresses $interface) || do_one done } # # Detect the gateway through a PPP or DHCP-configured interface # detect_dynamic_gateway() { # $1 = interface local interface interface=$1 local GATEWAYS GATEWAYS= local gateway gateway=$(run_findgw_exit $1); if [ -z "$gateway" ]; then gateway=$( find_peer $($IP addr list $interface ) ) fi if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then eval $(grep ^GATEWAYS= /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null) [ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS fi if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done) fi [ -n "$gateway" ] && echo $gateway } # # Detect the gateway through an interface # detect_gateway() # $1 = interface { local interface interface=$1 local gateway # # First assume that this is some sort of dynamic interface # gateway=$( detect_dynamic_gateway $interface ) # # Maybe there's a default route through this gateway already # [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default)) # # Last hope -- is there a load-balancing route through the interface? # [ -n "$gateway" ] || gateway=$(find_nexthop $interface) # # Be sure we found one # [ -n "$gateway" ] && echo $gateway } # # Disable IPV6 # disable_ipv6() { local foo foo="$($IP -f inet6 addr list 2> /dev/null)" if [ -n "$foo" ]; then if [ -x "$IP6TABLES" ]; then $IP6TABLES -P FORWARD DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P OUTPUT DROP $IP6TABLES -F $IP6TABLES -X $IP6TABLES -A OUTPUT -o lo -j ACCEPT $IP6TABLES -A INPUT -i lo -j ACCEPT else error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" fi fi } # # Add an additional gateway to the default route # add_gateway() # $1 = Delta $2 = Table Number { local route local weight local delta local dev route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'` if [ -z "$route" ]; then run_ip route add default scope global table $2 $1 else delta=$1 if ! echo $route | fgrep -q ' nexthop '; then route=`echo $route | sed 's/via/nexthop via/'` dev=$(find_device $route) if [ -f ${VARDIR}/${dev}_weight ]; then weight=`cat ${VARDIR}/${dev}_weight` route="$route weight $weight" fi fi run_ip route replace default scope global table $2 $route $delta fi } # # Remove a gateway from the default route # delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device { local route local gateway local dev route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'` gateway=$1 if [ -n "$route" ]; then if echo $route | fgrep -q ' nexthop '; then gateway="nexthop $gateway" eval route=\`echo $route \| sed \'s/$gateway/ /\'\` run_ip route replace table $2 $route else dev=$(find_device $route) [ "$dev" = "$3" ] && run_ip route delete default table $2 fi fi } # # Determine the MAC address of the passed IP through the passed interface # find_mac() # $1 = IP address, $2 = interface { if interface_is_usable $2 ; then qt ping -nc 1 -t 2 -I $2 $1 local result result=$($IP neigh list | awk "/^$1 / {print \$5}") case $result in \<*\>) ;; *) [ -n "$result" ] && echo $result ;; esac fi } # # Clear Proxy Arp # delete_proxyarp() { if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qtnoin $IP -4 neigh del proxy $address dev $external [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp rm -f ${VARDIR}/proxyarp fi } # # Remove all Shorewall-added rules # clear_firewall() { stop_firewall setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT run_iptables -F qt $IPTABLES -t raw -F echo 1 > /proc/sys/net/ipv4/ip_forward if [ -n "$DISABLE_IPV6" ]; then if [ -x $IP6TABLES ]; then $IP6TABLES -P INPUT ACCEPT 2> /dev/null $IP6TABLES -P OUTPUT ACCEPT 2> /dev/null $IP6TABLES -P FORWARD ACCEPT 2> /dev/null fi fi run_clear_exit set_state "Cleared" logger -p kern.info "$g_product Cleared" } # # Get a list of all configured broadcast addresses on the system # get_all_bcasts() { $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u } ?ELSE ################################################################################# # IPv6-specific Functions ################################################################################# # # Determine if interface is usable from a Netfilter perspective # interface_is_usable() # $1 = interface { local status; status=0 if [ "$1" != lo ]; then if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then [ "$COMMAND" = enable ] || run_isusable_exit $1 status=$? else status=1 fi fi return $status } # # Find interface addresses--returns the set of addresses assigned to the passed device # find_interface_addresses() # $1 = interface { $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' } # # Get all interface addresses with VLSMs # find_interface_full_addresses() # $1 = interface { $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//' } # # Normalize an IPv6 Address by compressing out consecutive zero elements # normalize_address() # $1 = valid IPv6 Address { local address address=$1 local j while true; do case $address in ::*) address=0$address ;; *::*) list_count $(split $address) j=$? if [ $j -eq 7 ]; then address=${address%::*}:0:${address#*::} elif [ $j -eq 8 ]; then $address=${address%::*}:${address#*::} break 2 else address=${address%::*}:0::${address#*::} fi ;; *) echo $address break 2 ;; esac done } # # Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each # that defines a /120 or larger network, it sends to STDOUT: # # The corresponding subnet-router anycast address (all host address bits are zero) # The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet) # convert_to_anycast() { local address local badress local vlsm local host local o local m m= local z z=65535 local l while read address; do case $address in 2*|3*) vlsm=${address#*/} vlsm=${vlsm:=128} if [ $vlsm -le 120 ]; then # # Defines a viable subnet -- first get the subnet-router anycast address # host=$((128 - $vlsm)) address=$(normalize_address ${address%/*}) while [ $host -ge 16 ]; do address=${address%:*} host=$(($host - 16)) done if [ $host -gt 0 ]; then # # VLSM is not a multiple of 16 # host=$((16 - $host)) o=$((0x${address##*:})) m=0 while [ $host -gt 0 ]; do m=$((($m >> 1) | 0x8000)) z=$(($z >> 1)) host=$(($host - 1)) done o=$(($o & $m)) badress=${address%:*} address=$badress:$(printf %04x $o) z=$(($o | $z)) if [ $vlsm -gt 112 ]; then z=$(($z & 0xff80)) fi badress=$badress:$(printf %04x $z) else badress=$address fi # # Note: at this point $address and $badress are the same except possibly for # the contents of the last half-word # list_count $(split $address) l=$? # # Now generate the anycast addresses defined by RFC 2526 # if [ $l -lt 8 ]; then # # The subnet-router address # echo $address:: while [ $l -lt 8 ]; do badress=$badress:ffff l=$(($l + 1 )) done else # # The subnet-router address # echo $address fi # # And the RFC 2526 addresses # echo $badress/121 fi ;; esac done } # # Generate a list of anycast addresses for a given interface # get_interface_acasts() # $1 = interface { local addresses addresses= find_interface_full_addresses $1 | convert_to_anycast | sort -u } # # Get a list of all configured anycast addresses on the system # get_all_acasts() { find_interface_full_addresses | convert_to_anycast | sort -u } # # Detect the gateway through an interface # detect_gateway() # $1 = interface { local interface interface=$1 # # First assume that this is some sort of point-to-point interface # gateway=$( find_peer $($IP -6 addr list $interface ) ) # # Maybe there's a default route through this gateway already # [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default')) # # Last hope -- is there a load-balancing route through the interface? # [ -n "$gateway" ] || gateway=$(find_nexthop $interface) # # Be sure we found one # [ -n "$gateway" ] && echo $gateway } # # Add an additional gateway to the default route # add_gateway() # $1 = Delta $2 = Table Number { local route local weight local delta local dev run_ip route add default scope global table $2 $1 } # # Remove a gateway from the default route # delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device { local route local gateway local dev route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'` gateway=$1 dev=$(find_device $route) [ "$dev" = "$3" ] && run_ip route delete default table $2 } # # Clear Proxy NDP # delete_proxyndp() { if [ -f ${VARDIR}/proxyndp ]; then while read address interface external haveroute; do qt $IP -6 neigh del proxy $address dev $external [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyndp rm -f ${VARDIR}/proxyndp fi } # # Remove all Shorewall-added rules # clear_firewall() { stop_firewall setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT run_iptables -F qt $IP6TABLES -t raw -F echo 1 > /proc/sys/net/ipv6/conf/all/forwarding run_clear_exit set_state "Cleared" logger -p kern.info "$g_product Cleared" } ?ENDIF