shorewall_code/Shorewall/Perl/prog.header
2012-03-19 07:22:51 -07:00

403 lines
9.6 KiB
Plaintext

# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
#
# Options are:
#
# -n Don't alter Routing
# -v and -q Standard Shorewall Verbosity control
# -t Timestamp progress messages
# -p Purge conntrack table
# -r Recover from failed start/restart
# -V <verbosity> Set verbosity level explicitly
# -R <restore> Overrides RESTOREFILE setting
#
# Commands are:
#
# start Starts the firewall
# refresh Refresh the firewall
# restart Restarts the firewall
# reload Reload the firewall
# clear Removes all firewall rules
# stop Stops the firewall
# status Displays firewall status
# version Displays the version of Shorewall that
# generated this program
#
################################################################################
# Functions imported from /usr/share/shorewall/prog.header
################################################################################
#
# Find the value 'weight' in the passed arguments then echo the next value
#
find_weight() {
while [ $# -gt 1 ]; do
[ "x$1" = xweight ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
$IP -4 route list | while read addr rest; do
case $addr in
*/*)
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo $(find_device $rest)
fi
;;
esac
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev
dev="$(find_rt_interface $1)"
local first
local rest
[ -z "$dev" ] && dev=$(find_default_interface)
[ -n "$dev" ] && echo $dev
}
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
local address
local rest
$IP -4 route show dev $1 2> /dev/null |
while read address rest; do
case "$address" in
default)
if [ $# -gt 1 ]; then
shift
fatal_error "$@"
else
echo "WARNING: default route ignored on interface $1" >&2
fi
;;
multicast|broadcast|prohibit|nat|throw|nexthop)
;;
*)
[ "$address" = "${address%/*}" ] && address="${address}/32"
echo $address
;;
esac
done
}
#
# Get the broadcast addresses associated with an interface
#
get_interface_bcasts() # $1 = interface
{
local addresses
addresses=
$IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
# Delete IP address
#
del_ip_addr() # $1 = address, $2 = interface
{
[ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
}
# Add IP Aliases
#
add_ip_aliases() # $* = List of addresses
{
local local
local addresses
local external
local interface
local inet
local cidr
local rest
local val
local arping
arping=$(mywhich arping)
address_details()
{
#
# Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets
# the VLSM and BRD from an existing address in the same networks
#
# Get all of the lines that contain inet addresses with broadcast
#
$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
case $cidr in
*/*)
if in_network $external $cidr; then
echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
break
fi
;;
esac
done
}
do_one()
{
val=$(address_details)
$IP addr add ${external}${val} dev $interface $label
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
echo "$external $interface" >> $VARDIR/nat
[ -n "$label" ] && label="with $label"
progress_message " IP Address $external added to interface $interface $label"
}
progress_message "Adding IP Addresses..."
while [ $# -gt 0 ]; do
external=$1
interface=$2
label=
if [ "$interface" != "${interface%:*}" ]; then
label="${interface#*:}"
interface="${interface%:*}"
label="label $interface:$label"
fi
shift 2
list_search $external $(find_interface_addresses $interface) || do_one
done
}
#
# Detect the gateway through a PPP or DHCP-configured interface
#
detect_dynamic_gateway() { # $1 = interface
local interface
interface=$1
local GATEWAYS
GATEWAYS=
local gateway
gateway=$(run_findgw_exit $1);
if [ -z "$gateway" ]; then
gateway=$( find_peer $($IP addr list $interface ) )
fi
if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
eval $(grep ^GATEWAYS= /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
fi
if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
fi
[ -n "$gateway" ] && echo $gateway
}
#
# Detect the gateway through an interface
#
detect_gateway() # $1 = interface
{
local interface
interface=$1
local gateway
#
# First assume that this is some sort of dynamic interface
#
gateway=$( detect_dynamic_gateway $interface )
#
# Maybe there's a default route through this gateway already
#
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
#
# Last hope -- is there a load-balancing route through the interface?
#
[ -n "$gateway" ] || gateway=$(find_nexthop $interface)
#
# Be sure we found one
#
[ -n "$gateway" ] && echo $gateway
}
#
# Disable IPV6
#
disable_ipv6() {
local foo
foo="$($IP -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if [ -x "$IP6TABLES" ]; then
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -F
$IP6TABLES -X
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
#
# Add an additional gateway to the default route
#
add_gateway() # $1 = Delta $2 = Table Number
{
local route
local weight
local delta
local dev
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
if [ -z "$route" ]; then
run_ip route add default scope global table $2 $1
else
delta=$1
if ! echo $route | fgrep -q ' nexthop '; then
route=`echo $route | sed 's/via/nexthop via/'`
dev=$(find_device $route)
if [ -f ${VARDIR}/${dev}_weight ]; then
weight=`cat ${VARDIR}/${dev}_weight`
route="$route weight $weight"
fi
fi
run_ip route replace default scope global table $2 $route $delta
fi
}
#
# Remove a gateway from the default route
#
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
{
local route
local gateway
local dev
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1
if [ -n "$route" ]; then
if echo $route | fgrep -q ' nexthop '; then
gateway="nexthop $gateway"
eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
run_ip route replace table $2 $route
else
dev=$(find_device $route)
[ "$dev" = "$3" ] && run_ip route delete default table $2
fi
fi
}
#
# Determine the MAC address of the passed IP through the passed interface
#
find_mac() # $1 = IP address, $2 = interface
{
if interface_is_usable $2 ; then
qt ping -nc 1 -t 2 -I $2 $1
local result
result=$($IP neigh list | awk "/^$1 / {print \$5}")
case $result in
\<*\>)
;;
*)
[ -n "$result" ] && echo $result
;;
esac
fi
}
#
# Clear Proxy Arp
#
delete_proxyarp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qtnoin $IP -4 neigh del proxy $address dev $external
[ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
rm -f ${VARDIR}/proxyarp
fi
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
qt $IPTABLES -t raw -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if [ -x $IP6TABLES ]; then
$IP6TABLES -P INPUT ACCEPT 2> /dev/null
$IP6TABLES -P OUTPUT ACCEPT 2> /dev/null
$IP6TABLES -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$g_product Cleared"
}
#
# Get a list of all configured broadcast addresses on the system
#
get_all_bcasts()
{
$IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
################################################################################
# End of functions in /usr/share/shorewall/prog.header
################################################################################