forked from extern/shorewall_code
More unification of prog.header and prog.header6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
4216d80c12
commit
7d756f51ac
@ -36,42 +36,6 @@ SHOREWALL_CAPVERSION=40427
|
||||
[ -n "${CONFDIR:=/etc/$g_program}" ]
|
||||
[ -n "${g_family:=4}" ]
|
||||
|
||||
#
|
||||
# Conditionally produce message
|
||||
#
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSITY -gt 1 ]; then
|
||||
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
|
||||
echo "${timestamp}$@"
|
||||
fi
|
||||
}
|
||||
|
||||
progress_message2() # $* = Message
|
||||
{
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSITY -gt 0 ]; then
|
||||
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
|
||||
echo "${timestamp}$@"
|
||||
fi
|
||||
}
|
||||
|
||||
progress_message3() # $* = Message
|
||||
{
|
||||
local timestamp
|
||||
timestamp=
|
||||
|
||||
if [ $VERBOSITY -ge 0 ]; then
|
||||
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
|
||||
echo "${timestamp}$@"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Undo the effect of 'separate_list()'
|
||||
#
|
||||
@ -151,32 +115,6 @@ mutex_off()
|
||||
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
||||
}
|
||||
|
||||
#
|
||||
# Find the interface with the passed MAC address
|
||||
#
|
||||
|
||||
find_interface_by_mac() {
|
||||
local mac
|
||||
mac=$1
|
||||
local first
|
||||
local second
|
||||
local rest
|
||||
local dev
|
||||
|
||||
$IP link list | while read first second rest; do
|
||||
case $first in
|
||||
*:)
|
||||
dev=$second
|
||||
;;
|
||||
*)
|
||||
if [ "$second" = $mac ]; then
|
||||
echo ${dev%:}
|
||||
return
|
||||
fi
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
|
||||
|
||||
#
|
||||
|
@ -92,7 +92,7 @@ find_all_interfaces() {
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a list of all network interfaces on the system that have an ipv4 address
|
||||
# Generate a list of all network interfaces on the system that have an ipvX address
|
||||
#
|
||||
find_all_interfaces1() {
|
||||
${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
|
||||
@ -168,7 +168,7 @@ interface_is_up() {
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if interface is usable from a Netfilter prespective
|
||||
# Determine if interface is usable from a Netfilter perspective
|
||||
#
|
||||
interface_is_usable() # $1 = interface
|
||||
{
|
||||
@ -210,7 +210,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
|
||||
;;
|
||||
multicast|broadcast|prohibit|nat|throw|nexthop)
|
||||
;;
|
||||
[2-9]*)
|
||||
[2-3]*)
|
||||
[ "$address" = "${address%/*}" ] && address="${address}/128"
|
||||
echo $address
|
||||
;;
|
||||
@ -403,7 +403,7 @@ conditionally_flush_conntrack() {
|
||||
|
||||
if [ -n "$g_purge" ]; then
|
||||
if [ -n $(mywhich conntrack) ]; then
|
||||
conntrack -f ipv$_family -F
|
||||
conntrack -f ipv$g_family -F
|
||||
else
|
||||
error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
|
||||
fi
|
||||
@ -411,7 +411,7 @@ conditionally_flush_conntrack() {
|
||||
}
|
||||
|
||||
#
|
||||
# Issue a message and stop/restore the firewall
|
||||
# Issue a message and stop/restore the firewall -- In the CLI, this function is overloaded by the one in lib.cli.
|
||||
#
|
||||
fatal_error()
|
||||
{
|
||||
@ -472,7 +472,7 @@ startup_error() # $* = Error Message
|
||||
}
|
||||
|
||||
#
|
||||
# Run iptables and if an error occurs, stop/restore the firewall
|
||||
# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
|
||||
#
|
||||
run_iptables()
|
||||
{
|
||||
@ -492,7 +492,7 @@ run_iptables()
|
||||
}
|
||||
|
||||
#
|
||||
# Run iptables retrying exit status 4
|
||||
# Run iptables/ip6tables retrying exit status 4
|
||||
#
|
||||
do_iptables()
|
||||
{
|
||||
@ -506,7 +506,7 @@ do_iptables()
|
||||
}
|
||||
|
||||
#
|
||||
# Run iptables and if an error occurs, stop/restore the firewall
|
||||
# Run ip and if an error occurs, stop/restore the firewall
|
||||
#
|
||||
run_ip()
|
||||
{
|
||||
@ -528,6 +528,86 @@ run_tc() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||
#
|
||||
debug_restore_input() {
|
||||
local first second rest table chain
|
||||
#
|
||||
# Clear the ruleset
|
||||
#
|
||||
qt1 $g_tool -t mangle -F
|
||||
qt1 $g_tool -t mangle -X
|
||||
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt1 $g_tool -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $g_tool -t raw -F
|
||||
qt1 $g_tool -t raw -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $g_tool -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $g_tool -t filter -F
|
||||
qt1 $g_tool -t filter -X
|
||||
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
qt1 $g_tool -t filter -P $chain -P ACCEPT
|
||||
done
|
||||
|
||||
while read first second rest; do
|
||||
case $first in
|
||||
-*)
|
||||
#
|
||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
||||
#
|
||||
eval $g_tool -t $table $first $second $rest
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
:*)
|
||||
chain=${first#:}
|
||||
|
||||
if [ "x$second" = x- ]; then
|
||||
do_iptables -t $table -N $chain
|
||||
else
|
||||
do_iptables -t $table -P $chain $second
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
#
|
||||
# This grotesque hack with the table names works around a bug/feature with ash
|
||||
#
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
'*'nat)
|
||||
table=nat
|
||||
;;
|
||||
'*'filter)
|
||||
table=filter
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Get the Shorewall version of the passed script
|
||||
#
|
||||
@ -1046,7 +1126,7 @@ find_first_interface_address() # $1 = interface
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(${IP:-ip} -$g_family addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||
#
|
||||
# If there wasn't one, bail out now
|
||||
#
|
||||
@ -1176,4 +1256,3 @@ truncate() # $1 = length
|
||||
{
|
||||
cut -b -${1}
|
||||
}
|
||||
|
||||
|
@ -397,97 +397,6 @@ get_all_bcasts()
|
||||
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
#
|
||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||
#
|
||||
debug_restore_input() {
|
||||
local first second rest table chain
|
||||
#
|
||||
# Clear the ruleset
|
||||
#
|
||||
qt1 $IPTABLES -t mangle -F
|
||||
qt1 $IPTABLES -t mangle -X
|
||||
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IPTABLES -t raw -F
|
||||
qt1 $IPTABLES -t raw -X
|
||||
qt1 $IPTABLES -t rawpost -F
|
||||
qt1 $IPTABLES -t rawpost -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IPTABLES -t filter -F
|
||||
qt1 $IPTABLES -t filter -X
|
||||
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
qt1 $IPTABLES -t filter -P $chain -P ACCEPT
|
||||
done
|
||||
|
||||
while read first second rest; do
|
||||
case $first in
|
||||
-*)
|
||||
#
|
||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
||||
#
|
||||
eval $IPTABLES -t $table $first $second $rest
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
:*)
|
||||
chain=${first#:}
|
||||
|
||||
if [ "x$second" = x- ]; then
|
||||
do_iptables -t $table -N $chain
|
||||
else
|
||||
do_iptables -t $table -P $chain $second
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
#
|
||||
# This grotesque hack with the table names works around a bug/feature with ash
|
||||
#
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
'*'nat)
|
||||
table=nat
|
||||
;;
|
||||
'*'filter)
|
||||
table=filter
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# End of functions in /usr/share/shorewall/prog.header
|
||||
################################################################################
|
||||
|
@ -306,86 +306,6 @@ clear_firewall() {
|
||||
logger -p kern.info "$g_product Cleared"
|
||||
}
|
||||
|
||||
#
|
||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||
#
|
||||
debug_restore_input() {
|
||||
local first second rest table chain
|
||||
#
|
||||
# Clear the ruleset
|
||||
#
|
||||
qt1 $IP6TABLES -t mangle -F
|
||||
qt1 $IP6TABLES -t mangle -X
|
||||
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt1 $IP6TABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IP6TABLES -t raw -F
|
||||
qt1 $IP6TABLES -t raw -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IP6TABLES -t filter -F
|
||||
qt1 $IP6TABLES -t filter -X
|
||||
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
|
||||
done
|
||||
|
||||
while read first second rest; do
|
||||
case $first in
|
||||
-*)
|
||||
#
|
||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
||||
#
|
||||
eval $IP6TABLES -t $table $first $second $rest
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
:*)
|
||||
chain=${first#:}
|
||||
|
||||
if [ "x$second" = x- ]; then
|
||||
do_iptables -t $table -N $chain
|
||||
else
|
||||
do_iptables -t $table -P $chain $second
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
#
|
||||
# This grotesque hack with the table names works around a bug/feature with ash
|
||||
#
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
'*'nat)
|
||||
table=nat
|
||||
;;
|
||||
'*'filter)
|
||||
table=filter
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# End of functions imported from /usr/share/shorewall/prog.header6
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user