git.squeep.com Git - firewall-squeep/blob - common.sh

   1 #!/bin/sh
   2
   3 set -e
   4
   5 IPTABLES=$(which iptables)
   6 IP6TABLES=$(which ip6tables)
   7 IPSET=$(which ipset)
   8
   9 function decommentcat(){
  10         sed 's/\s*#.*$//;/^\s*$/d' "$@"
  11 }
  12
  13 function create_set(){
  14         local set_name="$1"
  15         shift
  16         if ! $IPSET list "${set_name}" >/dev/null 2>&1
  17         then
  18                 echo "creating set '${set_name}'"
  19                 $IPSET create "${set_name}" "$@"
  20         fi
  21 }
  22
  23 function insert_setmatch_rules(){
  24         local single=0
  25         if [ "x$1" = "x-single-set" ]
  26         then
  27                 single=1
  28                 shift
  29         fi
  30         local ipt set_name="$1"
  31         shift
  32         for v in '' '6'
  33         do
  34                 eval ipt="\$IP${v}TABLES"
  35                 if [ $single -eq 1 ]
  36                 then
  37                         v=''
  38                 fi
  39                 if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
  40                 then
  41                         echo "initializing rule '${set_name}${v}'"
  42                         $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
  43                 fi
  44         done
  45 }
  46
  47 function reload_cidr_sets(){
  48         local set_name="$1"
  49
  50         # init new temporary sets
  51         echo "updating set '${set_name}'"
  52
  53         create_set "${set_name}-tmp" hash:net
  54         create_set "${set_name}6-tmp" hash:net family inet6
  55
  56         # populate them
  57         for sfx in '' .$(hostname -s)
  58         do
  59                 cidrfile="${set_name}.cidr${sfx}"
  60                 if [ -e "${cidrfile}" ]
  61                 then
  62                         for s in $(decommentcat "${cidrfile}")
  63                         do
  64                                 case "${s}" in
  65                                         *.*) table="${set_name}-tmp" ;;
  66                                         *:*) table="${set_name}6-tmp" ;;
  67                                         *)
  68                                                 echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
  69                                                 continue
  70                                         ;;
  71                                 esac
  72                                 $IPSET add "${table}" "${s}"
  73                         done
  74                 fi
  75         done
  76
  77         # take new sets live
  78         for v in '' 6
  79         do
  80                 n="${set_name}${v}"
  81                 $IPSET swap "${n}-tmp" "${n}"
  82                 $IPSET destroy "${n}-tmp"
  83                 $IPSET list -t "${n}"
  84         done
  85 }
  86
  87 function add_service_entry(){
  88         local port/proto
  89         port=$(echo "${s}" | cut -d/ -f1)
  90         proto=$(echo "${s}" | cut -d/ -f2)
  91         $IPSET -exist add allowed_${proto} ${port}
  92 }
  93
  94 function allow_services(){
  95         local s proto port
  96         for s in "$@"
  97         do
  98                 case "${s}" in
  99                 */*)    add_service_entry "${s}"
 100                         ;;
 101                 *)      for svc in $(getent services "${s}" | awk '{print $2}')
 102                         do
 103                                 add_service_entry "${svc}"
 104                         done
 105                         ;;
 106                 esac
 107         done
 108 }
 109