X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=common.sh;h=312ecdb0c75e10ce793857cd92c41484615f1264;hb=7d8df9591bffec6168521f59b40fab44097ca9b7;hp=f2a7f549dfaf4122dfacbdcb7ce489ef7ae31e71;hpb=cbf5f59efcf5d0ead93b3796840f68f4e163b8e0;p=firewall-squeep
diff --git a/common.sh b/common.sh
index f2a7f54..312ecdb 100644
--- a/common.sh
+++ b/common.sh
@@ -5,6 +5,18 @@ set -e
 IPTABLES=$(which iptables)
 IP6TABLES=$(which ip6tables)
 IPSET=$(which ipset)
+TC=$(which tc)
+
+err(){
+ echo "$@" 1>&2
+}
+
+die(){
+ local status=$1
+ shift
+ err "$@"
+ exit ${status}
+}
 
 function decommentcat(){
 sed 's/\s*#.*$//;/^\s*$/d' "$@"
@@ -20,6 +32,28 @@ function create_set(){
 fi
 }
 
+function create_drop_chain(){
+ local chain="$1"
+
+ if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+ fi
+
+ if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+ fi
+}
+
 function insert_setmatch_rules(){
 local single=0
 if [ "x$1" = "x-single-set" ]
@@ -46,12 +80,13 @@ function insert_setmatch_rules(){
 
 function reload_cidr_sets(){
 local set_name="$1"
+ shift
 
 # init new temporary sets
 echo "updating set '${set_name}'"
- create_set "${set_name}-tmp" hash:net
- create_set "${set_name}6-tmp" hash:net family inet6
+ create_set "${set_name}-tmp" hash:net "$@"
+ create_set "${set_name}6-tmp" hash:net "$@" family inet6
 
 # populate them
 for sfx in '' .$(hostname -s) 
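Review bot: `TC=$(which tc)` is evaluated while `set -e` is active (it is visible in the hunk header), so sourcing common.sh now aborts on any host where tc is not installed, even for scripts that never touch traffic shaping; the three existing tools are presumably hard requirements, but tc may not be. Consider `TC=$(command -v tc || true)` and have the caller check `[ -n "${TC}" ] || die 1 "tc not found"` at the point of use, which also drops the non-portable `which`. Separately, `err` hands its arguments straight to `echo`, so a message starting with `-n` or `-e` is consumed as an option; `printf '%s\n' "$*" >&2` is the safer form. `die`'s status-first convention is easy to misuse — `die "message"` alone would trip bash's "numeric argument required" and exit 2 — so a one-line usage comment above it, `# die STATUS MESSAGE...`, would help callers.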
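Review bot: In create_drop_chain the `$IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"` fallback can never be the "chain already exists" case, because the surrounding `if ! $IPTABLES -L "${chain}"` guard has just established that the chain is absent; the only way `-N` fails here is something like missing privileges or an invalid chain name, and flushing is the wrong recovery for those and hides the real error before `-F` fails too under `set -e`. Since this commit adds `die`, `$IPTABLES -N "${chain}" || die 1 "cannot create chain ${chain}"` gives a clear message instead (same for the ip6tables branch). Both the existence check and the final `-v -L` listing run without `-n`, so iptables will attempt reverse DNS on any addresses in the chain; `$IPTABLES -n -L "${chain}" >/dev/null 2>&1` and `$IPTABLES -v -n -L "${chain}"` avoid resolver stalls during firewall bring-up. Note also that a pre-existing chain is trusted as-is — its rules are never checked or repaired — and that the function installs REJECT rather than DROP despite its name; if both are intended, a short header comment stating so would save the next reader a double-take.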
@@ -92,7 +127,7 @@ function add_service_entry(){
 }
 
 function allow_services(){
- local s proto port
+ local s
 for s in "$@"
 do
 case "${s}" in