forked from extern/shorewall_code
c7237e5c8e
This reverts commit f9f557e1c6
.
312 lines
6.9 KiB
Plaintext
312 lines
6.9 KiB
Plaintext
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
#
|
|
# (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Options are:
|
|
#
|
|
# -n Don't alter Routing
|
|
# -v and -q Standard Shorewall Verbosity control
|
|
# -t Timestamp progress messages
|
|
# -p Purge conntrack table
|
|
# -r Recover from failed start/restart
|
|
# -V <verbosity> Set verbosity level explicitly
|
|
# -R <restore> Overrides RESTOREFILE setting
|
|
#
|
|
# Commands are:
|
|
#
|
|
# start Starts the firewall
|
|
# refresh Refresh the firewall
|
|
# restart Restarts the firewall
|
|
# reload Reload the firewall
|
|
# clear Removes all firewall rules
|
|
# stop Stops the firewall
|
|
# status Displays firewall status
|
|
# version Displays the version of Shorewall that
|
|
# generated this program
|
|
#
|
|
################################################################################
|
|
# Functions imported from /usr/share/shorewall/prog.header6
|
|
################################################################################
|
|
#
|
|
# Get all interface addresses with VLSMs
|
|
#
|
|
|
|
find_interface_full_addresses() # $1 = interface
|
|
{
|
|
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
|
|
}
|
|
|
|
#
|
|
# Normalize an IPv6 Address by compressing out consecutive zero elements
|
|
#
|
|
normalize_address() # $1 = valid IPv6 Address
|
|
{
|
|
local address
|
|
address=$1
|
|
local j
|
|
|
|
while true; do
|
|
case $address in
|
|
::*)
|
|
address=0$address
|
|
;;
|
|
*::*)
|
|
list_count $(split $address)
|
|
|
|
j=$?
|
|
|
|
if [ $j -eq 7 ]; then
|
|
address=${address%::*}:0:${address#*::}
|
|
elif [ $j -eq 8 ]; then
|
|
$address=${address%::*}:${address#*::}
|
|
break 2
|
|
else
|
|
address=${address%::*}:0::${address#*::}
|
|
fi
|
|
;;
|
|
*)
|
|
echo $address
|
|
break 2
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
#
|
|
# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
|
|
# that defines a /120 or larger network, it sends to STDOUT:
|
|
#
|
|
# The corresponding subnet-router anycast address (all host address bits are zero)
|
|
# The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
|
|
#
|
|
convert_to_anycast() {
|
|
local address
|
|
local badress
|
|
local vlsm
|
|
local host
|
|
local o
|
|
local m
|
|
m=
|
|
local z
|
|
z=65535
|
|
local l
|
|
|
|
while read address; do
|
|
case $address in
|
|
2*|3*)
|
|
vlsm=${address#*/}
|
|
vlsm=${vlsm:=128}
|
|
|
|
if [ $vlsm -le 120 ]; then
|
|
#
|
|
# Defines a viable subnet -- first get the subnet-router anycast address
|
|
#
|
|
host=$((128 - $vlsm))
|
|
|
|
address=$(normalize_address ${address%/*})
|
|
|
|
while [ $host -ge 16 ]; do
|
|
address=${address%:*}
|
|
host=$(($host - 16))
|
|
done
|
|
|
|
if [ $host -gt 0 ]; then
|
|
#
|
|
# VLSM is not a multiple of 16
|
|
#
|
|
host=$((16 - $host))
|
|
o=$((0x${address##*:}))
|
|
m=0
|
|
while [ $host -gt 0 ]; do
|
|
m=$((($m >> 1) | 0x8000))
|
|
z=$(($z >> 1))
|
|
host=$(($host - 1))
|
|
done
|
|
|
|
o=$(($o & $m))
|
|
|
|
badress=${address%:*}
|
|
|
|
address=$badress:$(printf %04x $o)
|
|
|
|
z=$(($o | $z))
|
|
|
|
if [ $vlsm -gt 112 ]; then
|
|
z=$(($z & 0xff80))
|
|
fi
|
|
|
|
badress=$badress:$(printf %04x $z)
|
|
else
|
|
badress=$address
|
|
fi
|
|
#
|
|
# Note: at this point $address and $badress are the same except possibly for
|
|
# the contents of the last half-word
|
|
#
|
|
list_count $(split $address)
|
|
|
|
l=$?
|
|
#
|
|
# Now generate the anycast addresses defined by RFC 2526
|
|
#
|
|
if [ $l -lt 8 ]; then
|
|
#
|
|
# The subnet-router address
|
|
#
|
|
echo $address::
|
|
|
|
while [ $l -lt 8 ]; do
|
|
badress=$badress:ffff
|
|
l=$(($l + 1 ))
|
|
done
|
|
else
|
|
#
|
|
# The subnet-router address
|
|
#
|
|
echo $address
|
|
fi
|
|
#
|
|
# And the RFC 2526 addresses
|
|
#
|
|
echo $badress/121
|
|
fi
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
#
|
|
# Generate a list of anycast addresses for a given interface
|
|
#
|
|
|
|
get_interface_acasts() # $1 = interface
|
|
{
|
|
local addresses
|
|
addresses=
|
|
|
|
find_interface_full_addresses $1 | convert_to_anycast | sort -u
|
|
}
|
|
|
|
#
|
|
# Get a list of all configured anycast addresses on the system
|
|
#
|
|
get_all_acasts()
|
|
{
|
|
find_interface_full_addresses | convert_to_anycast | sort -u
|
|
}
|
|
|
|
#
|
|
# Detect the gateway through an interface
|
|
#
|
|
detect_gateway() # $1 = interface
|
|
{
|
|
local interface
|
|
interface=$1
|
|
#
|
|
# First assume that this is some sort of point-to-point interface
|
|
#
|
|
gateway=$( find_peer $($IP -6 addr list $interface ) )
|
|
#
|
|
# Maybe there's a default route through this gateway already
|
|
#
|
|
[ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
|
|
#
|
|
# Last hope -- is there a load-balancing route through the interface?
|
|
#
|
|
[ -n "$gateway" ] || gateway=$(find_nexthop $interface)
|
|
#
|
|
# Be sure we found one
|
|
#
|
|
[ -n "$gateway" ] && echo $gateway
|
|
}
|
|
|
|
#
|
|
# Add an additional gateway to the default route
|
|
#
|
|
add_gateway() # $1 = Delta $2 = Table Number
|
|
{
|
|
local route
|
|
local weight
|
|
local delta
|
|
local dev
|
|
|
|
run_ip route add default scope global table $2 $1
|
|
}
|
|
|
|
#
|
|
# Remove a gateway from the default route
|
|
#
|
|
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
|
|
{
|
|
local route
|
|
local gateway
|
|
local dev
|
|
|
|
route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
|
|
gateway=$1
|
|
|
|
dev=$(find_device $route)
|
|
[ "$dev" = "$3" ] && run_ip route delete default table $2
|
|
}
|
|
|
|
#
|
|
# Determine how to do "echo -e"
|
|
#
|
|
|
|
find_echo() {
|
|
local result
|
|
|
|
result=$(echo "a\tb")
|
|
[ ${#result} -eq 3 ] && { echo echo; return; }
|
|
|
|
result=$(echo -e "a\tb")
|
|
[ ${#result} -eq 3 ] && { echo "echo -e"; return; }
|
|
|
|
result=$(which echo)
|
|
[ -n "$result" ] && { echo "$result -e"; return; }
|
|
|
|
echo echo
|
|
}
|
|
|
|
#
|
|
# Clear Proxy NDP
|
|
#
|
|
delete_proxyndp() {
|
|
if [ -f ${VARDIR}/proxyndp ]; then
|
|
while read address interface external haveroute; do
|
|
qt $IP -6 neigh del proxy $address dev $external
|
|
[ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
|
|
f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
|
|
[ -f $f ] && echo 0 > $f
|
|
done < ${VARDIR}/proxyndp
|
|
|
|
rm -f ${VARDIR}/proxyndp
|
|
fi
|
|
}
|
|
|
|
#
|
|
# Remove all Shorewall-added rules
|
|
#
|
|
clear_firewall() {
|
|
stop_firewall
|
|
|
|
setpolicy INPUT ACCEPT
|
|
setpolicy FORWARD ACCEPT
|
|
setpolicy OUTPUT ACCEPT
|
|
|
|
run_iptables -F
|
|
qt $IP6TABLES -t raw -F
|
|
|
|
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
|
|
|
run_clear_exit
|
|
|
|
set_state "Cleared"
|
|
|
|
logger -p kern.info "$g_product Cleared"
|
|
}
|
|
|
|
################################################################################
|
|
# End of functions imported from /usr/share/shorewall/prog.header6
|
|
################################################################################
|