IPTABLES=$(which iptables)
IP6TABLES=$(which ip6tables)
IPSET=$(which ipset)
+TC=$(which tc)
+
+err(){
+ echo "$@" 1>&2
+}
+
+die(){
+ local status=$1
+ shift
+ err "$@"
+ exit ${status}
+}
function decommentcat(){
sed 's/\s*#.*$//;/^\s*$/d' "$@"
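Review bot: The new `err` helper prints with `echo "$@" 1>&2`, so a message that begins with `-n` or `-e` is consumed as an echo option and backslash sequences are shell-dependent; `printf '%s\n' "$*" >&2` emits the text verbatim. `die` then runs `exit ${status}` with whatever `$1` was, so a call such as `die "message"` ends in a bash "numeric argument required" error (status 2) instead of the caller's intended status; `local status=${1:-1}` with a short header comment stating the `die STATUS MSG...` convention would make the contract explicit. The added `TC=$(which tc)` is unchecked like the three lookups above it, so a missing binary leaves `$TC` empty and a later `$TC ...` fails with a confusing "command not found" at the point of use rather than at startup; `TC=$(command -v tc) || die 1 "tc not found"` fails early and avoids the non-portable `which`.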
fi
}
+function create_drop_chain(){
+ local chain="$1"
+
+ if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+ fi
+
+ if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+ fi
+}
+
function insert_setmatch_rules(){
local single=0
if [ "x$1" = "x-single-set" ]
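Review bot: In `create_drop_chain` none of the `-N`/`-A` invocations are checked, so if one append fails (for example the conntrack match module is unavailable, or the script is not run with enough privilege) the chain is left existing but without its REJECT rule, the function returns 0, and the next run skips it because the `-L` probe now succeeds — the chain silently fails open. Each rule add should be fatal via the `die` helper this commit introduces, e.g. `$IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable || die 1 "cannot add REJECT rule to '${chain}'"`. The two `-L` probes also run without `-n`, so they attempt reverse DNS on any addresses already in the chain; `-n -L` is sufficient for an existence test. The IPv4 and IPv6 blocks differ only in the binary and the reject type, so one helper removes the duplication and keeps the error checks in one place:

```shell
function create_drop_chain(){
 local chain="$1"
 _init_drop_chain "$IPTABLES" "${chain}" icmp-port-unreachable
 _init_drop_chain "$IP6TABLES" "${chain}" icmp6-port-unreachable
}

# Create CHAIN with IPT if it does not exist yet: RETURN for established/related
# traffic, REJECT everything else with REJECT_WITH. An existing chain is assumed
# to be correctly populated and left untouched. Aborts on any failed rule add.
_init_drop_chain(){
 local ipt="$1" chain="$2" reject_with="$3"
 $ipt -n -L "${chain}" >/dev/null 2>&1 && return 0
 echo "initializing chain '${chain}' (${ipt##*/})"
 $ipt -N "${chain}" || $ipt -F "${chain}" || die 1 "cannot create or flush chain '${chain}'"
 $ipt -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN \
  || die 1 "cannot add RETURN rule to '${chain}'"
 $ipt -A "${chain}" -j REJECT --reject-with "${reject_with}" \
  || die 1 "cannot add REJECT rule to '${chain}'"
 $ipt -v -n -L "${chain}"
}
```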
}
function add_service_entry(){
- local port/proto
- port=$(echo "${s}" | cut -d/ -f1)
- proto=$(echo "${s}" | cut -d/ -f2)
+ local port proto
+ port=$(echo "$1" | cut -d/ -f1)
+ proto=$(echo "$1" | cut -d/ -f2)
$IPSET -exist add allowed_${proto} ${port}
}
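Review bot: `add_service_entry` still accepts any string: with an argument lacking a `/`, both `cut` fields yield the whole value, so `proto` becomes e.g. `80` and the call targets a non-existent set `allowed_80`; the `ipset` exit status on the unchanged last line is then ignored and the function reports success. A format check before the split, `[[ "$1" == */* ]] || die 1 "invalid service spec '$1' (want port/proto)"`, and `$IPSET -exist add "allowed_${proto}" "${port}" || die 1 "ipset add failed for '$1'"` make a bad config entry fatal instead of silent. The two `echo | cut` pipelines can also be replaced by `port=${1%%/*}` and `proto=${1#*/}`, which avoids two subshells per entry and keeps the same split on the first `/`.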