
Source code changes of the file "share/arno-iptables-firewall/environment" between
aif-2.1.0.tar.gz and aif-2.1.1.tar.gz

About: Arno’s iptables firewall is a stateful firewall script for both single and multi-homed machines with DSL/ADSL support.

environment  (aif-2.1.0):environment  (aif-2.1.1)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) =- # -= Arno's Iptables Firewall(AIF) =-
# Single- & multi-homed firewall script with DSL/ADSL support # Single- & multi-homed firewall script with DSL/ADSL support
# #
# ~ In memory of my dear father ~ # ~ In memory of my dear father ~
# #
# (C) Copyright 2001-2019 by Arno van Amersfoort & Lonnie Abelbeck # (C) Copyright 2001-2020 by Arno van Amersfoort & Lonnie Abelbeck
# Homepage : https://rocky.eld.leidenuniv.nl/ # Homepage : https://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the . # (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!) # at the proper locations!)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License # modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation. # version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
skipping to change at line 313 skipping to change at line 313
else else
# #
# Only call ip4tables since IPv6 filtering is disabled. # Only call ip4tables since IPv6 filtering is disabled.
# #
ip4tables "$@" ip4tables "$@"
fi fi
} }
ip4tables() ip4tables()
{ {
local result retval IFS=' ' local err_result retval IFS=' '
# Create extra FD
exec 3>&1
result=`$IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1` err_result=`$IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1 1>&3`
retval=$? retval=$?
# Release extra FD
exec 3>&-
if [ $retval -ne 0 ]; then if [ $retval -ne 0 ]; then
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP4TABLES} $*\nERROR ($retval): ${result}\033[0m printf "\033[40m\033[1;31m${IP4TABLES} $*\nERROR ($retval): ${err_result}\n\
\n" >&2 033[0m" >&2
if note_iptables_error "$@"; then if note_iptables_error "$@"; then
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
fi fi
elif [ -n "$result" ]; then elif [ -n "$err_result" ]; then
# Filter successful, informational results # ip4tables returned success, so normal output of stderr but filter some mes
case "$result" in sages
'WARNING: '*' match is obsolete'*) echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-le
;; gacy tables present' >&2
*'iptables-legacy tables present'*)
;;
*) echo "${INDENT}$result"
;;
esac
fi fi
return $retval return $retval
} }
ip6tables() ip6tables()
{ {
local result retval IFS=' ' local err_result retval IFS=' '
# Create extra FD
exec 3>&1
result=`$IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1` err_result=`$IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1 1>&3`
retval=$? retval=$?
# Release extra FD
exec 3>&-
if [ $retval -ne 0 ]; then if [ $retval -ne 0 ]; then
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP6TABLES} $*\nERROR ($retval): ${result}\033[0m printf "\033[40m\033[1;31m${IP6TABLES} $*\nERROR ($retval): ${err_result}\n\
\n" >&2 033[0m" >&2
if note_iptables_error "$@"; then if note_iptables_error "$@"; then
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
fi fi
elif [ -n "$result" ]; then elif [ -n "$err_result" ]; then
# Filter successful, informational results # ip6tables returned success, so normal output of stderr but filter some mes
case "$result" in sages
'WARNING: '*' match is obsolete'*) echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-le
;; gacy tables present' >&2
*'iptables-legacy tables present'*)
;;
*) echo "${INDENT}$result"
;;
esac
fi fi
return $retval return $retval
} }
ip4tables_save() ip4tables_save()
{ {
local retval IFS=' ' local retval IFS=' '
$IP4TABLES_SAVE "$@" $IP4TABLES_SAVE "$@"
skipping to change at line 385 skipping to change at line 385
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP4TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >& 2 printf "\033[40m\033[1;31m${IP4TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >& 2
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
fi fi
return $retval return $retval
} }
ip4tables_restore() ip4tables_restore()
{ {
local result retval IFS=' ' local err_result retval IFS=' '
result=`$IP4TABLES_RESTORE "$@" 2>&1` # Create extra FD
exec 3>&1
err_result=`$IP4TABLES_RESTORE "$@" 2>&1 1>&3`
retval=$? retval=$?
# Release extra FD
exec 3>&-
if [ $retval -ne 0 ]; then if [ $retval -ne 0 ]; then
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP4TABLES_RESTORE} $*\nERROR ($retval): ${result printf "\033[40m\033[1;31m${IP4TABLES_RESTORE} $*\nERROR ($retval): ${err_re
}\033[0m\n" >&2 sult}\n\033[0m" >&2
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
elif [ -n "$result" ]; then elif [ -n "$err_result" ]; then
echo "${INDENT}$result" # ip4tables_restore returned success, so normal output of stderr
echo "$err_result" >&2
fi fi
return $retval return $retval
} }
ip6tables_save() ip6tables_save()
{ {
local retval IFS=' ' local retval IFS=' '
$IP6TABLES_SAVE "$@" $IP6TABLES_SAVE "$@"
skipping to change at line 419 skipping to change at line 427
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP6TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >& 2 printf "\033[40m\033[1;31m${IP6TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >& 2
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
fi fi
return $retval return $retval
} }
ip6tables_restore() ip6tables_restore()
{ {
local result retval IFS=' ' local err_result retval IFS=' '
result=`$IP6TABLES_RESTORE "$@" 2>&1` # Create extra FD
exec 3>&1
err_result=`$IP6TABLES_RESTORE "$@" 2>&1 1>&3`
retval=$? retval=$?
# Release extra FD
exec 3>&-
if [ $retval -ne 0 ]; then if [ $retval -ne 0 ]; then
# Show any (error) messages in red # Show any (error) messages in red
printf "\033[40m\033[1;31m${IP6TABLES_RESTORE} $*\nERROR ($retval): ${result printf "\033[40m\033[1;31m${IP6TABLES_RESTORE} $*\nERROR ($retval): ${err_re
}\033[0m\n" >&2 sult}\n\033[0m" >&2
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
elif [ -n "$result" ]; then elif [ -n "$err_result" ]; then
echo "${INDENT}$result" # ip6tables_restore returned success, so normal output of stderr
echo "$err_result" >&2
fi fi
return $retval return $retval
} }
try_ip4tables() try_ip4tables()
{ {
local IFS=' ' local IFS=' '
$IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1 $IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1
skipping to change at line 871 skipping to change at line 887
destips=$(get_ips "$rule") destips=$(get_ips "$rule")
hosts=$(get_hosts_ihp "$rule") hosts=$(get_hosts_ihp "$rule")
ports=$(get_ports_ihp "$rule") ports=$(get_ports_ihp "$rule")
if [ -z "$hosts" -o -z "$ports" ]; then if [ -z "$hosts" -o -z "$ports" ]; then
parse_rule_warning "$rule" parse_rule_warning "$rule"
return 1 return 1
fi fi
protos="$ports" protos="$ports"
;; ;;
shosts:ANYHOST-dhosts-ports:ANYPORT|shosts:ANYHOST-dhosts-protos) shosts:ANYHOST-dhosts-ports:ANYPORT|shosts:ANYHOST-dhosts-ports|shosts:ANYHOST -dhosts-protos)
left_rule=$(echo "$rule" |cut -s -d'>' -f1) left_rule=$(echo "$rule" |cut -s -d'>' -f1)
right_rule=$(echo "$rule" |cut -s -d'>' -f2) right_rule=$(echo "$rule" |cut -d'>' -f2)
shosts=$(get_hosts_ih "$left_rule" "$ANYHOST") shosts=$(get_hosts_ih "$left_rule" "$ANYHOST")
dhosts=$(get_hosts_hp "$right_rule") dhosts=$(get_hosts_hp "$right_rule")
if [ "$type" = "shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then if [ "$type" = "shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then
ports=$(get_ports_hp "$right_rule" "$ANYPORT") ports=$(get_ports_hp "$right_rule" "$ANYPORT")
else else
ports=$(get_ports_hp "$right_rule") ports=$(get_ports_hp "$right_rule")
fi fi
if [ -z "$dhosts" -o -z "$ports" ]; then if [ -z "$dhosts" -o -z "$ports" ]; then
parse_rule_warning "$rule" parse_rule_warning "$rule"
return 1 return 1
fi fi
protos="$ports" protos="$ports"
;; ;;
interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT|interfaces-shosts:ANYHOST-dhost s-protos) interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT|interfaces-shosts:ANYHOST-dhost s-protos)
left_rule=$(echo "$rule" |cut -s -d'>' -f1) left_rule=$(echo "$rule" |cut -s -d'>' -f1)
right_rule=$(echo "$rule" |cut -s -d'>' -f2) right_rule=$(echo "$rule" |cut -d'>' -f2)
interfaces=$(get_ifs "$left_rule") interfaces=$(get_ifs "$left_rule")
shosts=$(get_hosts_ih "$left_rule" "$ANYHOST") shosts=$(get_hosts_ih "$left_rule" "$ANYHOST")
dhosts=$(get_hosts_hp "$right_rule") dhosts=$(get_hosts_hp "$right_rule")
if [ "$type" = "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then if [ "$type" = "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then
ports=$(get_ports_hp "$right_rule" "$ANYPORT") ports=$(get_ports_hp "$right_rule" "$ANYPORT")
else else
ports=$(get_ports_hp "$right_rule") ports=$(get_ports_hp "$right_rule")
fi fi
if [ -z "$dhosts" -o -z "$ports" ]; then if [ -z "$dhosts" -o -z "$ports" ]; then
skipping to change at line 998 skipping to change at line 1014
dhost_dport="$right_rule" dhost_dport="$right_rule"
if [ -z "$shosts" -o -z "$ports" ]; then if [ -z "$shosts" -o -z "$ports" ]; then
parse_rule_warning "$rule" parse_rule_warning "$rule"
return 1 return 1
fi fi
protos="$ports" protos="$ports"
dhost="$dhost_dport" dhost="$dhost_dport"
;; ;;
shosts:ANYHOST-dhosts)
left_rule=$(echo "$rule" |cut -s -d'>' -f1)
right_rule=$(echo "$rule" |cut -d'>' -f2)
shosts=$(get_hosts_ih "$left_rule" "$ANYHOST")
dhosts=$(get_hosts_hp "$right_rule")
if [ -z "$dhosts" ]; then
parse_rule_warning "$rule"
return 1
fi
;;
shosts-dhosts:ANYHOST)
left_rule=$(echo "$rule" |cut -d'>' -f1)
right_rule=$(echo "$rule" |cut -s -d'>' -f2)
shosts=$(get_hosts_ih "$left_rule")
dhosts=$(get_hosts_hp "$right_rule" "$ANYHOST")
if [ -z "$shosts" ]; then
parse_rule_warning "$rule"
return 1
fi
;;
*) *)
echo "** ERROR: Invalid rule parse type! **" >&2 echo "** ERROR: Invalid rule parse type \"$type\"!" >&2
return 1 return 1
;; ;;
esac esac
return 0 return 0
} }
parse_rule_warning() parse_rule_warning()
{ {
local rule="$1" local rule="$1"
RULE_WARNING=$((RULE_WARNING + 1)) RULE_WARNING=$((RULE_WARNING + 1))
echo "** WARNING: In Variable $var, Rule: \"$rule\" is ignored." >&2 echo "** WARNING: In variable $var, Rule: \"$rule\" is ignored." >&2
} }
# Helper function to work around non working + wildcard in some versions of ipta bles # Helper function to work around non working + wildcard in some versions of ipta bles
ipt_if() ipt_if()
{ {
if [ -n "$2" -a "$2" != "+" ]; then if [ -n "$2" -a "$2" != "+" ]; then
echo "$1${IFS:- }$2" echo "$1${IFS:- }$2"
fi fi
} }
skipping to change at line 1179 skipping to change at line 1221
return 4 return 4
;; ;;
[0-9]*.*/*[0-9]|[0-9]/*[0-9]|[1-9][0-9]/*[0-9]|[12][0-9][0-9]/*[0-9]) [0-9]*.*/*[0-9]|[0-9]/*[0-9]|[1-9][0-9]/*[0-9]|[12][0-9][0-9]/*[0-9])
return 4 return 4
;; ;;
*:*) *:*)
return 6 return 6
;; ;;
esac esac
return 0 return 0 # Unknown, possibly a hostname
} }
# Is argument IPv4 numeric? # Is argument IPv4 numeric?
is_numeric_ipv4() is_numeric_ipv4()
{ {
if [ "$1" = "0/0" ]; then
return 0 # Consider 0/0 also as numeric
fi
get_numeric_ip_version "$1" get_numeric_ip_version "$1"
if [ $? -eq 4 ]; then if [ $? -eq 4 ]; then
return 0 return 0
fi fi
return 1 return 1
} }
# Is argument IPv6 numeric? # Is argument IPv6 numeric?
is_numeric_ipv6() is_numeric_ipv6()
{ {
if [ "$1" = "0/0" ]; then
return 0 # Consider 0/0 also as numeric
fi
get_numeric_ip_version "$1" get_numeric_ip_version "$1"
if [ $? -eq 6 ]; then if [ $? -eq 6 ]; then
return 0 return 0
fi fi
return 1 return 1
} }
# Is argument a (numeric) IP? # Is argument a (numeric) IP?
is_numeric_ip() is_numeric_ip()
{ {
if [ "$1" = "0/0" ]; then
return 0 # Consider 0/0 also as numeric
fi
get_numeric_ip_version "$1" get_numeric_ip_version "$1"
if [ $? -eq 0 ]; then if [ $? -ne 0 ]; then
return 1 return 0
fi fi
return 0 return 1
} }
# Helper function to resolve an IP to a DNS name # Helper function to resolve an IP to a DNS name
# $1 = IP. $2 (optional) = Additional arguments for dig. stdout = DNS name # $1 = IP. $2 (optional) = Additional arguments for dig. stdout = DNS name
gethostbyaddr() gethostbyaddr()
{ {
local host="$1" result retval=0 local host="$1" result retval=0
# We can't resolve addresses with a subnet mask # We can't resolve addresses with a subnet mask
case "$host" in case "$host" in
skipping to change at line 1435 skipping to change at line 1489
sed -i "s/^$host[[:blank:]].*/$host $store_ip $cache_time $fail_count/" "${H OST_CACHE_FILE}" sed -i "s/^$host[[:blank:]].*/$host $store_ip $cache_time $fail_count/" "${H OST_CACHE_FILE}"
else else
# Add new entry # Add new entry
echo "$host $store_ip $(($(date +'%s') / 60)) $fail_count" >>"${HOST_CACHE_F ILE}" echo "$host $store_ip $(($(date +'%s') / 60)) $fail_count" >>"${HOST_CACHE_F ILE}"
fi fi
return $retval return $retval
} }
# Leave lock function to release lock # Leave lock function to release lock
# $1 = Lock (file) name
lock_leave() lock_leave()
{ {
local LOCK_FILE RETVAL=0 local LOCK_FILE RETVAL=0
if [ -z "$1" ]; then if [ -z "$1" ]; then
echo "ERROR: Exception due to missing lock argument" >&2 echo "ERROR: Exception due to missing lock argument" >&2
return 1 # Failure return 1 # Failure
fi fi
LOCK_FILE="/var/lock/aif_$1.lock" LOCK_FILE="/var/lock/aif_$1.lock"
skipping to change at line 1466 skipping to change at line 1521
} }
lock_ctrl_handler() lock_ctrl_handler()
{ {
lock_leave "$1" lock_leave "$1"
stty intr ^C # Back to normal stty intr ^C # Back to normal
exit # Yep, I meant to do that... Kill/hang the shell. exit # Yep, I meant to do that... Kill/hang the shell.
} }
# Internal lock_enter() function. Only to be used by lock_enter_single() and loc
k_enter() (below)
# $1 = Lock (file) name
lock_enter_internal()
{
local LOCK_FILE="$1"
local PID
# Check lock PID:
# If cat isn't able to read the file, another instance is probably
# about to remove the lock -- exit, we're *still* locked
# Thanks to Grzegorz Wierzowiecki for pointing out this race condition on
# http://wiki.grzegorz.wierzowiecki.pl/code:mutex-in-bash
PID="$(cat "$LOCK_FILE" 2>/dev/null)"
if [ $? -eq 0 ]; then
if ! kill -0 "$PID" 2>/dev/null; then
# lock is stale, remove it and restart
echo "WARNING: Removing stale lockfile \"$LOCK_FILE\" of nonexistant PID \
"$PID\"" >&2
rm -f "$LOCK_FILE"
fi
fi
# Acquire lock
if ( set -o noclobber; echo "$$" > "$LOCK_FILE") 2> /dev/null; then
# Setup int handler
trap "lock_ctrl_handler $LOCK_FILE" INT TERM EXIT
return 0 # Lock success
fi
return 1 # Lock failure
}
# Lock enter function to acquire a single lock. Prevents running of multiple ins tances # Lock enter function to acquire a single lock. Prevents running of multiple ins tances
# When an instance is already running, this (new) instance will be aborted # When an instance is already running, this (new) instance will be aborted
# $1 = Lock (file) name # $1 = Lock (file) name
# $2 = Amount of retries (optional, defaults to 5) # $2 = Amount of retries (optional, defaults to 5)
lock_enter_single() lock_enter_single()
{ {
local LOCK_FILE="/var/lock/aif_$1.lock" local LOCK_FILE="/var/lock/aif_$1.lock"
if [ -z "$1" ]; then if [ -z "$1" ]; then
echo "ERROR: Exception due to missing lock argument" >&2 echo "ERROR: Exception due to missing lock argument" >&2
return 1 # Failure return 1 # Failure
fi fi
if ( set -o noclobber; echo "$$" > "$LOCK_FILE") 2> /dev/null; then if lock_enter_internal "$LOCK_FILE"; then
# Setup int handler
trap "lock_ctrl_handler $LOCK_FILE" INT TERM EXIT
return 0 # Lock success return 0 # Lock success
fi fi
echo "NOTE: Another instance is already running for lock \"$1\". Held by PID $ echo "NOTE: Another instance is already running for lockfile \"$LOCK_FILE\". H
(cat $LOCK_FILE)" >&2 eld by PID $(cat $LOCK_FILE)" >&2
return 1 # Lock failed return 1 # Lock failed
} }
# Lock enter function to acquire lock. Prevents running of multiple instances # Lock enter function to acquire lock. Prevents running of multiple instances
# When an instance is already running, a new instance will wait until the lock i s released (in case a timeout is reached, it will be aborted) # When an instance is already running, a new instance will wait until the lock i s released (in case a timeout is reached, it will be aborted)
# $1 = Lock (file) name # $1 = Lock (file) name
# $2 = Amount of retries (optional, defaults to 5) # $2 = Amount of retries (optional, defaults to 5)
lock_enter() lock_enter()
{ {
local LOCK_FILE="/var/lock/aif_$1.lock" local LOCK_FILE="/var/lock/aif_$1.lock"
local MAX_RETRIES="${2:-5}" local MAX_RETRIES="${2:-5}"
local FAIL_COUNT=0 local FAIL_COUNT=0
if [ -z "$1" ]; then if [ -z "$1" ]; then
echo "ERROR: Exception due to missing lock argument" >&2 echo "ERROR: Exception due to missing lock argument" >&2
return 1 # Failure return 1 # Failure
fi fi
while [ $FAIL_COUNT -lt $MAX_RETRIES ]; do while [ $FAIL_COUNT -lt $MAX_RETRIES ]; do
if ( set -o noclobber; echo "$$" > "$LOCK_FILE") 2> /dev/null; then if lock_enter_internal "$LOCK_FILE"; then
# Setup int handler
trap "lock_ctrl_handler $LOCK_FILE" INT TERM EXIT
return 0 # Lock success return 0 # Lock success
fi fi
FAIL_COUNT=$((FAIL_COUNT + 1)) FAIL_COUNT=$((FAIL_COUNT + 1))
# lock failed, check if the process is dead
local PID="$(cat "${LOCK_FILE}")"
# if cat isn't able to read the file, another instance is probably
# about to remove the lock -- exit, we're *still* locked
# Thanks to Grzegorz Wierzowiecki for pointing out this race condition on
# http://wiki.grzegorz.wierzowiecki.pl/code:mutex-in-bash
if [ $? -eq 0 ]; then
if ! kill -0 "$PID" 2>/dev/null; then
# lock is stale, remove it and restart
echo "WARNING: Removing stale lock of nonexistant PID ${PID}" >&2
rm -f "$LOCK_FILE"
continue # Immediately retry
fi
fi
# Sleep between retries # Sleep between retries
sleep 1 sleep 1
done done
echo "ERROR: Failed to acquire lockfile: $LOCK_FILE. Held by PID $(cat $LOCK_F ILE)" >&2 echo "ERROR: Failed to acquire lockfile \"$LOCK_FILE\". Held by PID $(cat $LOC K_FILE)" >&2
return 1 # Lock failed return 1 # Lock failed
} }
# $1 = Optional wait time in seconds (default = 5 seconds) # Function to wait for lock to be released
# $1 = Lock (file) name
# $2 = Optional wait time in seconds (default = 5 seconds)
lock_wait() lock_wait()
{ {
local LOCK_FILE="/var/lock/aif_$1.lock" local LOCK_FILE="/var/lock/aif_$1.lock"
local cnt="${2:-5}" # Default to 5 seconds local cnt="${2:-5}" # Default to 5 seconds
if [ -z "$1" ]; then if [ -z "$1" ]; then
echo "ERROR: Exception due to missing lock argument" >&2 echo "ERROR: Exception due to missing lock argument" >&2
return 1 # Failure return 1 # Failure
fi fi
skipping to change at line 1565 skipping to change at line 1631
return 0 # Lock wait success return 0 # Lock wait success
fi fi
cnt=$((cnt - 1)) cnt=$((cnt - 1))
sleep 1 sleep 1
done done
return 1 # Lock wait failed return 1 # Lock wait failed
} }
# $1 = Lock (file) name
lock_remove()
{
local LOCK_FILE="/var/lock/aif_$1.lock"
if [ -z "$1" ]; then
echo "ERROR: Exception due to missing lock argument" >&2
return 1 # Failure
fi
rm -f "$LOCK_FILE"
}
# Helper function to show interfaces / ips in front of verbose line # Helper function to show interfaces / ips in front of verbose line
# $1 = interfaces. $2 = ips # $1 = interfaces. $2 = ips
show_if_ip() show_if_ip()
{ {
# Only show interfaces if not empty: # Only show interfaces if not empty:
if [ -n "$1" -a "$1" != "+" ]; then if [ -n "$1" -a "$1" != "+" ]; then
printf "($1) " printf "($1) "
fi fi
# Only show destination IPs if not empty: # Only show destination IPs if not empty:
skipping to change at line 1777 skipping to change at line 1830
# Log message function. Message is read from stdin # Log message function. Message is read from stdin
# $1 = Optional prefix # $1 = Optional prefix
log_msg() log_msg()
{ {
local PREFIX="$1" local PREFIX="$1"
# Get message from stdin # Get message from stdin
IFS=$EOL IFS=$EOL
while read LINE; do while read LINE; do
# Have sed remove any colouring # Have sed remove any colouring
echo "${PREFIX}${LINE}" |sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' |logger -t firewa ll -p kern.info echo "${PREFIX}${LINE}" |sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' |logger -t firewa ll -p user.info
done done
} }
# Display progress bar, 0% to 100% in 2% increments # Display progress bar, 0% to 100% in 2% increments
progress_bar() progress_bar()
{ {
# Args: cur_cnt total_cnt # Args: cur_cnt total_cnt
local prev local prev
if [ $2 -gt 0 ]; then if [ $2 -gt 0 ]; then
skipping to change at line 1908 skipping to change at line 1961
IP4TABLES_BATCH_FILE="/var/tmp/aif_ip4tables_batch" IP4TABLES_BATCH_FILE="/var/tmp/aif_ip4tables_batch"
IP6TABLES_BATCH_FILE="/var/tmp/aif_ip6tables_batch" IP6TABLES_BATCH_FILE="/var/tmp/aif_ip6tables_batch"
# Set file to store which plugins are loaded # Set file to store which plugins are loaded
PLUGIN_LOAD_FILE="/var/tmp/aif_active_plugins" PLUGIN_LOAD_FILE="/var/tmp/aif_active_plugins"
PLUGIN_LOAD_FILE_RESTART="/var/tmp/aif_active_plugins_restart" PLUGIN_LOAD_FILE_RESTART="/var/tmp/aif_active_plugins_restart"
# (Dynamic) host cache. Used by compatible plugins # (Dynamic) host cache. Used by compatible plugins
HOST_CACHE_FILE="/var/tmp/aif_host_cache" HOST_CACHE_FILE="/var/tmp/aif_host_cache"
# Check whether we also need to drop messages in a dedicated firewall log file
if [ -z "$FIREWALL_LOG" ]; then
FIREWALL_LOG="/dev/null"
fi
# Check for a local/global config file # Check for a local/global config file
###################################### ######################################
if [ -e "$LOCAL_CONFIG_FILE" ]; then if [ -f "$LOCAL_CONFIG_FILE" ]; then
. "$LOCAL_CONFIG_FILE" . "$LOCAL_CONFIG_FILE"
fi fi
# Source config directory (conf.d) # Source config directory (conf.d)
################################## ##################################
if [ -z "$LOCAL_CONFIG_DIR" ]; then if [ -z "$LOCAL_CONFIG_DIR" ]; then
LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d" LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
fi fi
if [ -d "$LOCAL_CONFIG_DIR" ] && ls "$LOCAL_CONFIG_DIR"/*.conf >/dev/null 2>&1; then if [ -d "$LOCAL_CONFIG_DIR" ] && ls "$LOCAL_CONFIG_DIR"/*.conf >/dev/null 2>&1; then
unset IFS unset IFS
skipping to change at line 2009 skipping to change at line 2057
# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) # IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810)
###################################################################### ######################################################################
ICMPV6_MLD_TYPES="130 131 132 143" ICMPV6_MLD_TYPES="130 131 132 143"
# Default conntrack match method, if needed the main script will # Default conntrack match method, if needed the main script will
# fallback to an older method after the conntrack modules are loaded. # fallback to an older method after the conntrack modules are loaded.
###################################################################### ######################################################################
NF_CONNTRACK_STATE="-m conntrack --ctstate" NF_CONNTRACK_STATE="-m conntrack --ctstate"
# Check plugin bin path and fallback in case it's empty
#######################################################
if [ -z "$PLUGIN_BIN_PATH" ]; then
if [ -d "/usr/local/share/arno-iptables-firewall/plugins" ]; then
PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
elif [ -d "/usr/share/arno-iptables-firewall/plugins" ]; then
PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
fi
fi
# Set system wide share path # Set system wide share path
############################ ############################
if [ -z "$USR_SHARE_PATH" ]; then if [ -z "$USR_SHARE_PATH" ]; then
# FIXME: For now we simply retrieve the path from what is specified for USR_SHARE_PATH="/usr/local/share/arno-iptables-firewall"
# our plugin path. Perhaps there's a smarter way? if [ ! -d "$USR_SHARE_PATH" ]; then
USR_SHARE_PATH="$(dirname "$PLUGIN_BIN_PATH")" USR_SHARE_PATH="/usr/share/arno-iptables-firewall"
if [ ! -d "$USR_SHARE_PATH" ]; then
echo "** ERROR: Unable to determine USR_SHARE_PATH!" >&2
fi
fi
fi
# Check plugin bin path and fallback in case it's empty
#######################################################
if [ -z "$PLUGIN_BIN_PATH" ]; then
PLUGIN_BIN_PATH="$USR_SHARE_PATH/plugins"
fi fi
# File containing (background) jobs to run # File containing (background) jobs to run
JOBS_FILE="/var/tmp/aif_jobs" JOBS_FILE="/var/tmp/aif_jobs"
# Lock file for accessing the JOBS_FILE # Lock file for accessing the JOBS_FILE
JOBS_LOCK_NAME="aif_jobs" JOBS_LOCK_NAME="jobs"
# Jobs process (file) name # Jobs process (file) name
JOB_PROCESSOR="$USR_SHARE_PATH/aif-job-processor" JOB_PROCESSOR="$USR_SHARE_PATH/aif-job-processor"
JOB_EXECUTER="$USR_SHARE_PATH/aif-job-execute" JOB_EXECUTER="$USR_SHARE_PATH/aif-job-execute"
# Check plugin bin path and fallback in case it's empty # Check plugin bin path and fallback in case it's empty
####################################################### #######################################################
if [ -z "$PLUGIN_CONF_PATH" ]; then if [ -z "$PLUGIN_CONF_PATH" ]; then
if [ -d "/etc/arno-iptables-firewall/plugins" ]; then if [ -d "/etc/arno-iptables-firewall/plugins" ]; then
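Review bot: In the new lock_enter_internal the handler is installed as `trap "lock_ctrl_handler $LOCK_FILE" INT TERM EXIT` with the full path received from lock_enter_single/lock_enter, but lock_ctrl_handler forwards that argument to lock_leave, whose visible lines rebuild `/var/lock/aif_$1.lock` from a lock name; unless the skipped tail of lock_leave handles absolute paths, the handler ends up at a doubled path and the real lock file survives INT/TERM/EXIT (the old inline trap had the same shape, so this is carried over rather than introduced). The value read from the lock file is passed to `kill -0 "$PID"` without validation; since /var/lock is typically a shared sticky directory, a non-numeric or negative content changes what kill checks (negative values address process groups) and can make the lock look permanently held, so only call kill when the content is a plain positive integer, e.g. `case "$PID" in ''|*[!0-9]*) is_stale=1 ;; *) kill -0 "$PID" 2>/dev/null || is_stale=1 ;; esac`, and treat anything else as stale. The stale check and `rm -f "$LOCK_FILE"` are also not atomic: two instances can both judge the lock stale, and the second `rm -f` may delete the first instance's freshly created lock, which deserves a comment at the `rm -f` line if it is accepted as a known limitation. The related `$(cat $LOCK_FILE)` in the lock_enter_single and lock_enter messages should be quoted as `"$LOCK_FILE"` for consistency with the rest of the function.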
 End of changes. 48 change blocks. 
114 lines changed or deleted 168 lines changed or added
