lib.base

sharewall is very good

#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.base
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#	Complete documentation is available at http://shorewall.net
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of Version 2 of the GNU General Public License
#	as published by the Free Software Foundation.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, write to the Free Software
#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library contains the code common to all Shorewall components.
#
# - It is copied into the compiled script with the -e compiler flag is specified to
#   shorewall-shell.
# - It is loaded by /sbin/shorewall.
# - It is loaded by /usr/share/shorewall/firewall.
# - It is loaded by /usr/share/shorewall-shell/compiler.
# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
#   and /usr/share/shorewall-lite/shorecap.
# - It is released as part of Shorewall Perl where it is copied into the compiled script
#   by the compiler.
#

SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40205

[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
[ -n "${CONFDIR:=/etc/shorewall}" ]
SHELLSHAREDIR=/usr/share/shorewall-shell
PERLSHAREDIR=/usr/share/shorewall-perl

#
# Message to stderr
#
error_message() # $* = Error Message
{
   echo "   $@" >&2
}

#
# Conditionally produce message
#
progress_message() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSE -gt 1 ]; then
	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi
}

progress_message2() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSE -gt 0 ]; then
	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi
}

progress_message3() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSE -ge 0 ]; then
	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi
}

#
# Split a colon-separated list into a space-separated list
#
split() {
    local ifs
    ifs=$IFS
    IFS=:
    echo $*
    IFS=$ifs
}

#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
    local e
    e=$1

    while [ $# -gt 1 ]; do
	shift
	[ "x$e" = "x$1" ] && return 0
    done

    return 1
}

#
# Undo the effect of 'separate_list()'
#
combine_list()
{
    local f
    local o
    o=

    for f in $* ; do
        o="${o:+$o,}$f"
    done

    echo $o
}

#
# Suppress all output for a command
#
qt()
{
    "$@" >/dev/null 2>&1
}

#
# Determine if Shorewall is "running"
#
shorewall_is_started() {
    qt $IPTABLES -L shorewall -n
}

#
# Echos the fully-qualified name of the calling shell program
#
my_pathname() {
    cd $(dirname $0)
    echo $PWD/$(basename $0)
}

#
# Source a user exit file if it exists
#
run_user_exit() # $1 = file name
{
    local user_exit
    user_exit=$(find_file $1)

    if [ -f $user_exit ]; then
	progress_message "Processing $user_exit ..."
	. $user_exit
    fi
}

#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
    run_iptables -P $1 $2
}

#
# Set a standard chain to enable established and related connections
#
setcontinue() # $1 = name of chain
{
    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#
# Flush one of the NAT table chains
#
flushnat() # $1 = name of chain
{
    run_iptables -t nat -F $1
}

#
# Flush one of the Mangle table chains
#
flushmangle() # $1 = name of chain
{
    run_iptables -t mangle -F $1
}

#
# Flush and delete all user-defined chains in the filter table
#
deleteallchains() {
    run_iptables -F
    run_iptables -X
}

#
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
#                         a space-separated list of directories to search for
#                         the module and that 'moduleloader' contains the
#                         module loader command.
#
loadmodule() # $1 = module name, $2 - * arguments
{
    local modulename
    modulename=$1
    local modulefile
    local suffix

    if ! list_search $modulename $MODULES $DONT_LOAD ; then
	shift

	for suffix in $MODULE_SUFFIX ; do
	    for directory in $moduledirectories; do
		modulefile=$directory/${modulename}.${suffix}

		if [ -f $modulefile ]; then
		    case $moduleloader in
			insmod)
			    insmod $modulefile $*
			    ;;
			*)
			    modprobe $modulename $*
			    ;;
		    esac
		    break 2
		fi
	    done
	done
    fi
}

#
# Reload the Modules
#
reload_kernel_modules() {

    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
    local moduledirectories
    moduledirectories=
    local moduleloader
    moduleloader=modprobe
    local uname

    if ! qt mywhich modprobe; then
	moduleloader=insmod
    fi

    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]


    [ -z "$MODULESDIR" ] && \
	uname=$(uname -r) && \
	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
    done

    [ -n "$moduledirectories" ] && while read command; do
	eval $command
    done

    MODULESDIR=$save_modules_dir
}

#
# Load kernel modules required for Shorewall
#
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
{
    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
    local moduledirectories
    moduledirectories=
    local moduleloader
    moduleloader=modprobe
    local savemoduleinfo
    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
    local uname

    if ! qt mywhich modprobe; then
	moduleloader=insmod
    fi

    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

    [ -z "$MODULESDIR" ] && \
	uname=$(uname -r) && \
	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
    done

    modules=$(find_file modules)

    if [ -f $modules -a -n "$moduledirectories" ]; then
	MODULES=$(lsmod | cut -d ' ' -f1)
	progress_message "Loading Modules..."
	. $modules
	if [ $savemoduleinfo = Yes ]; then
	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
	    cp -f $modules ${VARDIR}/.modules
	fi
    elif [ $savemoduleinfo = Yes ]; then
	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
	> ${VARDIR}/.modulesdir	
	> ${VARDIR}/.modules
    fi

    MODULESDIR=$save_modules_dir
}

#
# Call this function to assert mutual exclusion with Shorewall. If you invoke the
# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
#
mutex_on()
{
    local try
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

    if [ $MUTEX_TIMEOUT -gt 0 ]; then

	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

	if qt mywhich lockfile; then
	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
	else
	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
		sleep 1
		try=$((${try} + 1))
	    done

	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
	        # Create the lockfile
		echo $$ > ${lockf}
	    else
		echo "Giving up on lock file ${lockf}" >&2
	    fi
	fi
    fi
}

#
# Call this function to release mutual exclusion
#
mutex_off()
{
    rm -f ${LOCKFILE:=${VARDIR}/lock}
}

#
# Load an optional library
#
lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
{
    local lib
    lib=${SHAREDIR}/lib.$1
    local loaded

    eval loaded=\$LIB_${1}_LOADED

    if [ -z "$loaded" ]; then
	[ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
	
	if [ -f $lib ]; then
	    progress_message "Loading library $lib..."
	    . $lib
	    eval LIB_${1}_LOADED=Yes
	else
	    startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
	fi
    fi
}

#
# Determine if an optional library is available
#
lib_avail() # $1 = Name of the Library
{
    [ -f ${SHAREDIR}/lib.$1 ]
}

#
#  Note: The following set of IP address manipulation functions have anomalous
#        behavior when the shell only supports 32-bit signed arithmetic and
#        the IP address is 128.0.0.0 or 128.0.0.1.
#

LEFTSHIFT='<<'

#
# Validate an IP address
#
valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS

    IFS=.

    for x in $1; do
	case $x in
	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
	    *)
	        IFS=$ifs
		return 2
		;;
	esac
    done
    
    IFS=$ifs

    return 0
}

#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
    local x
    local temp
    temp=0
    local ifs
    ifs=$IFS

    IFS=.

    for x in $1; do
	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
    done

    echo $temp

    IFS=$ifs
}

#
# convert an integer to dot quad format
#
encodeaddr() {
    addr=$1
    local x
    local y
    y=$(($addr & 255))

    for x in 1 2 3 ; do
	addr=$(($addr >> 8))
	y=$(($addr & 255)).$y
    done

    echo $y
}

#
# Miserable Hack to work around broken BusyBox ash in OpenWRT
#
addr_comp() {
    test $(bc <<EOF
$1 > $2
EOF
) -eq 1

}

#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
#              the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm

    case $1 in
	!*)
	    #
	    # Let iptables complain if it's a range
	    #
	    echo $1
	    return
	    ;;
	[0-9]*.*.*.*-*.*.*.*)
            ;;
	*)
	    echo $1
	    return
	    ;;
    esac

    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})

    if addr_comp $first $last; then
	fatal_error "Invalid IP address range: $1"
    fi

    l=$(( $last + 1 ))

    while addr_comp $l $first; do
	vlsm=
	x=31
	y=2
	z=1

	while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do
	    vlsm=/$x
	    x=$(( $x - 1 ))
	    z=$y
	    y=$(( $y * 2 ))
	done

	echo $(encodeaddr $first)$vlsm
	first=$(($first + $z))
    done
}

ip_range_explicit() {
    local first
    local last

    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
	;;
    *)
	echo $1
	return
	;;
    esac

    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})

    if addr_comp $first $last; then
	fatal_error "Invalid IP address range: $1"
    fi

    while ! addr_comp $first $last; do
	echo $(encodeaddr $first)
	first=$(($first + 1))