projects / firewall-squeep / blob
? search:


781df4abe4a1471b86381ea7b79c4ab9fc54cedb
[firewall-squeep] / common.sh
1 #!/bin/sh
2
3 set -e
4
5 IPTABLES=$(which iptables)
6 IP6TABLES=$(which ip6tables)
7 IPSET=$(which ipset)
8
9 function decommentcat(){
10 sed 's/\s*#.*$//;/^\s*$/d' "$@"
11 }
12
13 function create_set(){
14 local set_name="$1"
15 shift
16 if ! $IPSET list "${set_name}" >/dev/null 2>&1
17 then
18 echo "creating set '${set_name}'"
19 $IPSET create "${set_name}" "$@"
20 fi
21 }
22
23 function insert_setmatch_rules(){
24 local ipt set_name="$1"
25 shift
26 for v in '' '6'
27 do
28 eval ipt="\$IP${v}TABLES"
29 if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
30 then
31 echo "initializing rule '${set_name}${v}'"
32 $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
33 fi
34 done
35 }
36
37 function reload_cidr_sets(){
38 local set_name="$1"
39
40 # init new temporary sets
41 echo "updating set '${set_name}'"
42
43 create_set "${set_name}-tmp" hash:net
44 create_set "${set_name}6-tmp" hash:net family inet6
45
46 # populate them
47 for sfx in '' .$(hostname -s)
48 do
49 cidrfile="${set_name}.cidr${sfx}"
50 if [ -e "${cidrfile}" ]
51 then
52 for s in $(decommentcat "${cidrfile}")
53 do
54 case "${s}" in
55 *.*) table="${set_name}-tmp" ;;
56 *:*) table="${set_name}6-tmp" ;;
57 *)
58 echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
59 continue
60 ;;
61 esac
62 $IPSET add "${table}" "${s}"
63 done
64 fi
65 done
66
67 # take new sets live
68 for v in '' 6
69 do
70 n="${set_name}${v}"
71 $IPSET swap "${n}-tmp" "${n}"
72 $IPSET destroy "${n}-tmp"
73 $IPSET list -t "${n}"
74 done
75 }
76
squeep firewall skeleton - very basic initialization scripts for edge servers