IPTABLES=$(which iptables)
IP6TABLES=$(which ip6tables)
IPSET=$(which ipset)
+TC=$(which tc)
+
+err(){
+ echo "$@" 1>&2
+}
+
+die(){
+ local status=$1
+ shift
+ err "$@"
+ exit ${status}
+}
function decommentcat(){
sed 's/\s*#.*$//;/^\s*$/d' "$@"
fi
}
+function create_drop_chain(){
+ local chain="$1"
+
+ if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+ fi
+
+ if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+ fi
+}
+
function insert_setmatch_rules(){
local single=0
if [ "x$1" = "x-single-set" ]
function reload_cidr_sets(){
local set_name="$1"
+ shift
# init new temporary sets
echo "updating set '${set_name}'"
- create_set "${set_name}-tmp" hash:net
- create_set "${set_name}6-tmp" hash:net family inet6
+ create_set "${set_name}-tmp" hash:net "$@"
+ create_set "${set_name}6-tmp" hash:net "$@" family inet6
# populate them
for sfx in '' .$(hostname -s)
}
function allow_services(){
- local s proto port
+ local s
for s in "$@"
do
case "${s}" in
projects / firewall-squeep / blobdiff