done
}

#
# Netmask from CIDR
#
# $1 = network in CIDR form (address/vlsm). Echoes the netmask as an integer:
# all-ones shifted left by the number of host bits. Shell arithmetic is signed,
# so the result is normally negative; a /0 yields 0. The vlsm is not range
# checked here -- callers are expected to pass 0..32.
# $LEFTSHIFT is defined elsewhere in this file (presumably "<<" or a portable
# equivalent for shells that mishandle it -- confirm against its definition).
#
ip_netmask() {
    local vlsm
    vlsm=${1#*/}

    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}

#
# Network address from CIDR
#
# $1 = network in CIDR form. Echoes the network address (address AND mask)
# re-encoded by encodeaddr. decodeaddr/encodeaddr are defined elsewhere in
# this file; presumably they convert dotted-quad <-> integer -- confirm.
#
ip_network() {
    local decodedaddr
    decodedaddr=$(decodeaddr ${1%/*})
    local netmask
    netmask=$(ip_netmask $1)

    echo $(encodeaddr $(($decodedaddr & $netmask)))
}

#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
# $1 = network in CIDR form. Echoes the host-part mask (ones in the host bits,
# i.e. (1 << hostbits) - 1). For /0 the shift would be 32 bits, so -1 (all
# ones) is echoed directly instead.
#
ip_broadcast() {
    local x
    x=$(( 32 - ${1#*/} ))

    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}

#
# Calculate broadcast address from CIDR
#
# $1 = network in CIDR form. Echoes encodeaddr((address AND netmask) OR hostmask).
#
broadcastaddress() {
    local decodedaddr
    decodedaddr=$(decodeaddr ${1%/*})
    local netmask
    netmask=$(ip_netmask $1)
    local broadcast
    broadcast=$(ip_broadcast $1)

    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}

#
# Test for network membership
#
# Succeeds (exit status 0) when $1, masked with the netmask of $2, equals the
# network part of $2. Both arguments are passed unquoted to decodeaddr.
#
in_network() # $1 = IP address, $2 = CIDR network
{
    local netmask
    netmask=$(ip_netmask $2)
    #
    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
    #
    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
}

#
# Netmask to VLSM
#
# $1 = netmask in dotted-quad form. Counts the leading one bits and echoes the
# count. If any one bits remain below the first zero (a non-contiguous mask)
# an error is written to stderr and nothing is echoed.
# NOTE(review): both branches of the final "if" end in echo, so the exit
# status is 0 even for an invalid mask; callers can only detect the failure
# by the empty output.
#
ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000 -- note: uses "<<" directly where the other functions use $LEFTSHIFT

    # Peel off one leading one bit per iteration.
    while [ $(( $x & $mask )) -ne 0 ]; do
        [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
        vlsm=$(($vlsm + 1))
    done

    # Anything left in the low 31 bits means the mask had a one after a zero.
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
        echo "Invalid net mask: $1" >&2
    else
        echo $vlsm
    fi
}

#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less trailing "+").
#
# Besides ".", the characters "-", "%" and "@" are also rewritten to "_"; a
# leading "@" becomes the prefix "at_". An empty name yields "common".
#
chain_base() #$1 = interface
{
    local c
    c=${1%%+}

    # Each pass rewrites the last occurrence of one separator; loop until none remain.
    while true; do
        case $c in
            @*)
                c=at_${c#@}
                ;;
            *.*)
                c="${c%.*}_${c##*.}"
                ;;
            *-*)
                c="${c%-*}_${c##*-}"
                ;;
            *%*)
                c="${c%\%*}_${c##*%}"
                ;;
            *@*)
                c="${c%@*}_${c##*@}"
                ;;
            *)
                echo ${c:=common}
                return
                ;;
        esac
    done
}

#
# Query NetFilter about the existence of a filter chain
#
# Exit status is that of "iptables -L <chain> -n" run through qt (defined
# elsewhere in this file -- presumably runs its arguments with output
# discarded; confirm). $IPTABLES is set elsewhere. The chain name is passed
# unquoted.
#
chain_exists() # $1 = chain name
{
    qt $IPTABLES -L $1 -n
}

#
# Find the value 'dev' in the passed arguments then echo the next value
#
# The "x" prefix in the comparison keeps an empty or option-like argument
# from confusing test. Echoes nothing if 'dev' is absent or is the last word.
#
find_device() {
    while [ $# -gt 1 ]; do
        [ "x$1" = xdev ] && echo $2 && return
        shift
    done
}

#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
    while [ $# -gt 1 ]; do
        [ "x$1" = xvia ] && echo $2 && return
        shift
    done
}

#
# Find the value 'mtu' in the passed arguments then echo the next value
#
find_mtu() {
    while [ $# -gt 1 ]; do
        [ "x$1" = xmtu ] && echo $2 && return
        shift
    done
}

#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
    while [ $# -gt 1 ]; do
        [ "x$1" = xpeer ] && echo ${2%/*} && return
        shift
    done
}

#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
# $1 = address, optionally with a /vlsm suffix (which is ignored for the
# network-membership test). Each matching route's "dev" value is echoed, one
# per line; host routes match on either "addr" or "addr/32".
#
find_rt_interface() {
    ip route list | while read addr rest; do
        case $addr in
            */*)
                in_network ${1%/*} $addr && echo $(find_device $rest)
                ;;
            default)
                ;;
            *)
                if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
                    echo $(find_device $rest)
                fi
                ;;
        esac
    done
}

#
# Try to find the gateway through an interface looking for 'nexthop'
#
# NOTE(review): $1 is interpolated into the grep pattern unescaped, so an
# interface name containing regex metacharacters (e.g. "." or "+") is matched
# as a pattern rather than literally.
#
find_nexthop() # $1 = interface
{
    echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`)
}

#
# Find the default route's interface
#
# Echoes the "dev" value of the first route whose first word is "default" and
# stops there.
#
find_default_interface() {
    ip route list | while read first rest; do
        [ "$first" = default ] && echo $(find_device $rest) && return
    done
}

#
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
# $1 = address. Uses the routing table (find_rt_interface) and falls back to
# the default route's interface; echoes nothing if neither yields a device.
# The locals "first" and "rest" are declared but never used here.
#
find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest

    [ -z "$dev" ] && dev=$(find_default_interface)

    [ -n "$dev" ] && echo $dev
}

#
# Find the interface with the passed MAC address
#
# Walks "ip link list": a first word ending in ":" starts a new interface
# entry (its name is the second word); on any other line the second word is
# compared with the MAC and, on a match, the remembered name is echoed
# (trailing ":" removed). $mac is used unquoted in the comparison.
#
find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev

    ip link list | while read first second rest; do
        case $first in
            *:)
                dev=$second
                ;;
            *)
                if [ "$second" = $mac ]; then
                    echo ${dev%:}
                    return
                fi
        esac
    done
}

#
# Determine if Interface is up
#
# $1 = interface. Succeeds when the UP flag appears inside the <...> flag list
# printed by "ip link list dev"; errors from ip are discarded, so an unknown
# interface simply tests as not up.
#
interface_is_up() {
    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}

#
# Find interface address--returns the first IP address assigned to the passed
# device
#
# Calls fatal_error (defined elsewhere in this file) when the interface has no
# global-scope IPv4 address.
# NOTE(review): "addr" is not declared local, so this function overwrites any
# caller's variable of that name.
#
find_first_interface_address() # $1 = interface
{
    #
    # get the line of output containing the first IP address
    #
    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
    #
    # If there wasn't one, bail out now
    #
    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
    # (note: "\s" is a GNU sed extension)
    #
    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
}

#
# Same as find_first_interface_address, but echoes 0.0.0.0 instead of failing
# when the interface has no global-scope IPv4 address.
# NOTE(review): "addr" is not declared local here either.
#
find_first_interface_address_if_any() # $1 = interface
{
    #
    # get the line of output containing the first IP address
    #
    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
    #
    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
}

#
# Determine if interface is usable from a Netfilter prespective
#
# Usable = up and carrying at least one global-scope IPv4 address.
#
interface_is_usable() # $1 = interface
{
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]
}

#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
# "grep inet\ " (escaped space) selects IPv4 "inet " lines only, excluding
# "inet6". One address per output line, mask/peer stripped.
#
find_interface_addresses() # $1 = interface
{
    ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
}

#
# echo the list of networks routed out of a given interface
#
# Each route's destination is echoed in CIDR form (a bare host address gets
# "/32" appended). Route types multicast/broadcast/prohibit/nat/throw/nexthop
# are skipped. A default route is a fatal error when a message ($2-n) was
# supplied, otherwise only a warning on stderr.
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
    local address
    local rest

    ip route show dev $1 2> /dev/null | while read address rest; do
        case "$address" in
            default)
                if [ $# -gt 1 ]; then
                    shift
                    fatal_error "$@"
                else
                    echo "WARNING: default route ignored on interface $1" >&2
                fi
                ;;
            multicast|broadcast|prohibit|nat|throw|nexthop)
                ;;
            *)
                [ "$address" = "${address%/*}" ] && address="${address}/32"
                echo $address
                ;;
        esac
    done
}

#
# Echo the distinct IPv4 broadcast addresses ("brd" values) assigned to the
# passed interface, one per line.
#
get_interface_bcasts() # $1 = interface
{
    ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}

#
# Internal version of 'which'
#
# $1 = program name. Echoes the first executable $dir/$1 along $PATH (split by
# the in-file helper "split") and returns 0; returns 2 if none is found.
#
mywhich() {
    local dir

    for dir in $(split $PATH); do
        if [ -x $dir/$1 ]; then
            echo $dir/$1
            return 0
        fi
    done

    return 2
}

#
# Set default config path
#
# If CONFIG_PATH is unset, sources ${SHAREDIR}/configpath -- i.e. that file is
# executed as shell code, so it must be trustworthy -- and exits the calling
# shell with status 2 if it does not exist (this is "exit", not "return").
# If SHOREWALL_DIR is set, it is prepended to CONFIG_PATH unless already first.
#
ensure_config_path() {
    local F
    F=${SHAREDIR}/configpath

    if [ -z "$CONFIG_PATH" ]; then
        [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
        . $F
    fi

    if [ -n "$SHOREWALL_DIR" ]; then
        [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
    fi
}

#
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
#
# An absolute name is echoed unchanged. Otherwise the first existing regular
# file $directory/$1 along CONFIG_PATH is echoed; if none exists,
# ${CONFDIR}/$1 is echoed whether or not it exists. "saveifs" is assigned but
# never used.
#
find_file()
{
    local saveifs
    saveifs=
    local directory

    case $1 in
        /*)
            echo $1
            ;;
        *)
            for directory in $(split $CONFIG_PATH); do
                if [ -f $directory/$1 ]; then
                    echo $directory/$1
                    return
                fi
            done

            echo ${CONFDIR}/$1
            ;;
    esac
}

#
# Get fully-qualified name of file
#
# Resolves "." , "./x", ".." and "../x" relative to $PWD, recursing for each
# leading "../"; any other relative name is prefixed with $PWD. The ".." cases
# change directory and back without checking that either cd succeeded, and
# $pwd is used unquoted.
#
resolve_file() # $1 = file name
{
    local pwd
    pwd=$PWD

    case $1 in
        /*)
            echo $1
            ;;
        .)
            echo $pwd
            ;;
        ./*)
            echo ${pwd}${1#.}
            ;;
        ..)
            cd ..
            echo $PWD
            cd $pwd
            ;;
        ../*)
            cd ..
            resolve_file ${1#../}
            cd $pwd
            ;;
        *)
            echo $pwd/$1
            ;;
    esac
}

#
# Perform variable substitution on the passed argument and echo the result
#
# This is eval: the argument is re-parsed as shell, so not only $VAR references
# but also command substitutions and quoting inside the value are executed.
# Only values from trusted configuration may be passed here.
#
expand() # $@ = contents of variable which may be the name of another variable
{
    eval echo \"$@\"
}

#
# Function for including one file into another
#
# Sources (executes as shell) the file located by find_file after variable
# expansion of the name.
#
INCLUDE() {
    . \
$(find_file $(expand $@))}## Set the Shorewall state#set_state () # $1 = state{ echo "$1 ($(date))" > ${VARDIR}/state}## Determine which optional facilities are supported by iptables/netfilter#determine_capabilities() { qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= NEW_CONNTRACK_MATCH= OLD_CONNTRACK_MATCH= MULTIPORT= XMULTIPORT= POLICY_MATCH= PHYSDEV_MATCH= PHYSDEV_BRIDGE= IPRANGE_MATCH= RECENT_MATCH= OWNER_MATCH= IPSET_MATCH= CONNMARK= XCONNMARK= CONNMARK_MATCH= XCONNMARK_MATCH= RAW_TABLE= IPP2P_MATCH= OLD_IPP2P_MATCH= LENGTH_MATCH= CLASSIFY_TARGET= ENHANCED_REJECT= USEPKTTYPE= KLUDGEFREE= MARK= XMARK= MANGLE_FORWARD= COMMENTS= ADDRTYPE= TCPMSS_MATCH= HASHLIMIT_MATCH= NFQUEUE_TARGET= REALM_MATCH= HELPER_MATCH= CONNLIMIT_MATCH= TIME_MATCH= GOTO_TARGET= chain=fooX$$ [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables) if [ -z "$IPTABLES" ]; then echo " ERROR: No executable iptables binary can be found on your PATH" >&2 exit 1 fi qt $IPTABLES -F $chain qt $IPTABLES -X $chain if ! $IPTABLES -N $chain; then echo " ERROR: The command \"$IPTABLES -N $chain\" failed" >&2 exit 1 fi chain1=${chain}1 qt $IPTABLES -F $chain1 qt $IPTABLES -X $chain1 if ! $IPTABLES -N $chain1; then echo " ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2 exit 1 fi if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2 exit 1 fi qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes if [ -n "$CONNTRACK_MATCH" ]; then qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes qt $IPTABLES -A $chain -m conntrack ! 
--ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes fi if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then MULTIPORT=Yes qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes fi qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then PHYSDEV_MATCH=Yes qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes if [ -z "${KLUDGEFREE}" ]; then qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes fi fi if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then IPRANGE_MATCH=Yes if [ -z "${KLUDGEFREE}" ]; then qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes fi fi qt $IPTABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes if qt $IPTABLES -A $chain -m connmark --mark 2 -j ACCEPT; then CONNMARK_MATCH=Yes qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes fi qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes if [ -n "$IPP2P_MATCH" ]; then qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes fi qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes