IPTABLES=$(which iptables)
IP6TABLES=$(which ip6tables)
IPSET=$(which ipset)
+TC=$(which tc)
err(){
echo "$@" 1>&2
}
function decommentcat(){
- sed 's/\s*#.*$//;/^\s*$/d' "$@"
+ cat "$@" | sed 's/\s*#.*$//;/^\s*$/d'
}
function create_set(){
done
}
+# try to recreate sets faster than one-at-a-time by generating restore rules
+function ipset_restore_from_cidr(){
+ local vmatch
+ local set_name="$1"
+
+ for v in '' '6'
+ do
+ case "$v" in
+ 6) vmatch=':';;
+ *) vmatch='\.';;
+ esac
+ # extract existing set configuration to create temporary set
+ (set -o pipefail; $IPSET save "${set_name}${v}" 2>/dev/null | grep -m 1 '^create ' | sed "s/\(create ${set_name}${v}\)/\1-tmp/") || continue
+ # populate with new data
+ decommentcat "${set_name}.cidr" "${set_name}.cidr.$(hostname -s)" 2>/dev/null | sed -n 's/\(.*'"${vmatch}"'.*\)/add '"${set_name}${v}-tmp"' \1/p' | sort -n | uniq
+ done
+}
+
function reload_cidr_sets(){
+ local v n
+ local set_name="$1"
+
+ ipset_restore_from_cidr "${set_name}" | ipset restore
+ for v in '' 6
+ do
+ n="${set_name}${v}"
+ $IPSET swap "${n}-tmp" "${n}"
+ $IPSET destroy "${n}-tmp"
+ $IPSET list -t "${n}"
+ done
+}
+
+function _old_reload_cidr_sets(){
+ local sfx n s v
local set_name="$1"
+ shift
# init new temporary sets
echo "updating set '${set_name}'"
- create_set "${set_name}-tmp" hash:net
- create_set "${set_name}6-tmp" hash:net family inet6
+ create_set "${set_name}-tmp" hash:net "$@"
+ create_set "${set_name}6-tmp" hash:net "$@" family inet6
# populate them
for sfx in '' .$(hostname -s)
}
function allow_services(){
- local s proto port
+ local s
for s in "$@"
do
case "${s}" in
*/*) add_service_entry "${s}"
;;
- *) for svc in $(getent services "${s}" | awk '{print $2}')
+ *) for svc in $(egrep "^${s}\s+" /etc/services | decommentcat | awk '{print $2}')
do
add_service_entry "${svc}"
done
projects / firewall-squeep / blobdiff