📄 lib.base
字号:
if [ -n "$MANGLE_ENABLED" ]; then qt $IPTABLES -t mangle -N $chain if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then MARK=Yes qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes fi if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then CONNMARK=Yes qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes fi qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes qt $IPTABLES -t mangle -F $chain qt $IPTABLES -t mangle -X $chain qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes fi qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time if qt ipset -N $chain iphash ; then if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT IPSET_MATCH=Yes fi qt ipset -X $chain fi fi qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -F $chain qt $IPTABLES -X $chain qt $IPTABLES -F $chain1 qt $IPTABLES -X $chain1 CAPVERSION=$SHOREWALL_CAPVERSION}report_capabilities() { report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { local setting setting= [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" echo " " $1: $setting } if [ $VERBOSE -gt 1 ]; then echo "Shorewall has detected the following iptables/netfilter capabilities:" report_capability "NAT" $NAT_ENABLED report_capability "Packet Mangling" $MANGLE_ENABLED report_capability "Multi-port Match" $MULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT report_capability "Connection Tracking Match" $CONNTRACK_MATCH if [ -n "$CONNTRACK_MATCH" ]; then report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH fi report_capability "Packet Type Match" $USEPKTTYPE report_capability "Policy Match" $POLICY_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE report_capability "Packet length Match" $LENGTH_MATCH report_capability "IP range Match" $IPRANGE_MATCH report_capability "Recent Match" $RECENT_MATCH report_capability "Owner Match" $OWNER_MATCH report_capability "Ipset Match" $IPSET_MATCH report_capability "CONNMARK Target" $CONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK report_capability "Connmark Match" $CONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH report_capability "Raw Table" $RAW_TABLE report_capability "IPP2P Match" $IPP2P_MATCH [ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH report_capability "CLASSIFY Target" $CLASSIFY_TARGET report_capability "Extended REJECT" $ENHANCED_REJECT report_capability "Repeat match" $KLUDGEFREE report_capability "MARK Target" $MARK [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD report_capability "Comments" $COMMENTS report_capability "Address Type Match" $ADDRTYPE report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "Realm Match" $REALM_MATCH report_capability "Helper Match" $HELPER_MATCH report_capability "Connlimit Match" $CONNLIMIT_MATCH report_capability "Time Match" $TIME_MATCH report_capability "Goto Support" $GOTO_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE=}report_capabilities1() { report_capability1() # $1 = Capability { eval echo $1=\$$1 } echo "#" echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" echo "#" report_capability1 NAT_ENABLED report_capability1 MANGLE_ENABLED report_capability1 MULTIPORT report_capability1 XMULTIPORT report_capability1 CONNTRACK_MATCH report_capability1 NEW_CONNTRACK_MATCH report_capability1 OLD_CONNTRACK_MATCH report_capability1 USEPKTTYPE report_capability1 POLICY_MATCH report_capability1 PHYSDEV_MATCH report_capability1 PHYSDEV_BRIDGE report_capability1 LENGTH_MATCH report_capability1 IPRANGE_MATCH report_capability1 RECENT_MATCH report_capability1 OWNER_MATCH report_capability1 IPSET_MATCH report_capability1 CONNMARK report_capability1 XCONNMARK report_capability1 CONNMARK_MATCH report_capability1 XCONNMARK_MATCH report_capability1 RAW_TABLE report_capability1 IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH report_capability1 CLASSIFY_TARGET report_capability1 ENHANCED_REJECT report_capability1 KLUDGEFREE report_capability1 MARK report_capability1 XMARK report_capability1 MANGLE_FORWARD report_capability1 COMMENTS report_capability1 ADDRTYPE report_capability1 TCPMSS_MATCH report_capability1 HASHLIMIT_MATCH report_capability1 NFQUEUE_TARGET report_capability1 REALM_MATCH report_capability1 HELPER_MATCH report_capability1 CONNLIMIT_MATCH report_capability1 TIME_MATCH report_capability1 GOTO_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION}## Delete IP address#del_ip_addr() # $1 = address, $2 = interface{ [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2}# Add IP Aliases#add_ip_aliases() # $* = List of addresses{ local addresses local external local interface local inet local cidr local rest local val1 local arping arping=$(mywhich arping) address_details() { # # Folks feel uneasy if they don't see all of the same # decoration on these IP addresses that they see when their # distro's net config tool adds them. In an attempt to reduce # the anxiety level, we have the following code which sets # the VLSM and BRD from an existing address in the same networks # # Get all of the lines that contain inet addresses with broadcast # ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in */*) if in_network $external $cidr; then echo "/${cidr#*/} brd $(broadcastaddress $cidr)" break fi ;; esac done } do_one() { val=$(address_details) ip addr add ${external}${val} dev $interface $label [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external echo "$external $interface" >> $VARDIR/nat [ -n "$label" ] && label="with $label" progress_message " IP Address $external added to interface $interface $label" } progress_message "Adding IP Addresses..." while [ $# -gt 0 ]; do external=$1 interface=$2 label= if [ "$interface" != "${interface%:*}" ]; then label="${interface#*:}" interface="${interface%:*}" label="label $interface:$label" fi shift 2 list_search $external $(find_interface_addresses $interface) || do_one done}detect_gateway() # $1 = interface{ local interface interface=$1 # # First assume that this is some sort of point-to-point interface # gateway=$( find_peer $(ip addr list $interface ) ) # # Maybe there's a default route through this gateway already # [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface)) # # Last hope -- is there a load-balancing route through the interface? # [ -n "$gateway" ] || gateway=$(find_nexthop $interface) # # Be sure we found one # [ -n "$gateway" ] && echo $gateway}## Disable IPV6#disable_ipv6() { local foo foo="$(ip -f inet6 addr list 2> /dev/null)" if [ -n "$foo" ]; then if qt mywhich ip6tables; then ip6tables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ip6tables -F ip6tables -X ip6tables -A OUTPUT -o lo -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT else error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" fi fi}# Function to truncate a string -- It uses 'cut -b -<n>'# rather than ${v:first:last} because light-weight shells like ash and# dash do not support that form of expansion.#truncate() # $1 = length{ cut -b -${1}}## Add a logging rule.#do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule{ local level level=$1 local chain chain=$2 local displayChain displayChain=$3 local disposition disposition=$4 local rulenum rulenum= local limit limit= local tag tag= local command command= local prefix local base base=$(chain_base $displayChain) local pf limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. tag=${6:+$6 } command=${7:--A} shift 7 if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then displayChain=$tag tag= fi if [ -n "$LOGRULENUMBERS" ]; then # # Hack for broken printf on some lightweight shells # [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) eval rulenum=\$${base}_logrules rulenum=${rulenum:-1} prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" rulenum=$(($rulenum + 1)) eval ${base}_logrules=$rulenum else prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" fi if [ ${#prefix} -gt 29 ]; then prefix="`echo "$prefix" | truncate 28` " error_message "WARNING: Log Prefix shortened to \"$prefix\"" fi case $level in ULOG) $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac if [ $? -ne 0 ] ; then [ -z "$STOPPING" ] && { stop_firewall; exit 2; } fi}do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule{ local level level=$1 local chain chain=$2 local disposition disposition=$3 shift 3 do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@}delete_tc1(){ clear_one_tc() { tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null } run_user_exit tcclear run_ip link list | \ while read inx interface details; do case $inx in [0-9]*) clear_one_tc ${interface%:} ;; *) ;; esac done}## Detect a device's MTU -- echos the passed device's MTU#get_device_mtu() # $1 = device{ local output output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash if [ -n "$output" ]; then echo $(find_mtu $output) else echo 1500 fi}## Version of the above that doesn't generate any output for MTU 1500.# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100#get_device_mtu1() # $1 = device{ local output output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash local mtu if [ -n "$output" ]; then mtu=$(find_mtu $output) if [ -n "$mtu" ]; then [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) fi fi}## Undo changes to routing#undo_routing() { if [ -z "$NOROUTES" ]; then # # Restore rt_tables database # if [ -f ${VARDIR}/rt_tables ]; then [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" rm -f ${VARDIR}/rt_tables fi # # Restore the rest of the routing table # if [ -f ${VARDIR}/undo_routing ]; then . ${VARDIR}/undo_routing progress_message "Shorewall-generated routing tables and routing rules removed" rm -f ${VARDIR}/undo_routing fi fi}restore_default_route() { if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then local default_route default_route= local route while read route ; do case $route in default*) if [ -n "$default_route" ]; then case "$default_route" in *metric*) # # Don't restore a route with a metric -- we only replace the one with metric == 0 # qt ip route delete default metric 0 && \ progress_message "Default Route with metric 0 deleted" ;; *) qt ip route replace $default_route && \ progress_message "Default Route (${default_route# }) restored" ;; esac break fi default_route="$default_route $route" ;; *) default_route="$default_route $route" ;; esac done < ${VARDIR}/default_route rm -f ${VARDIR}/default_route fi}## Determine how to do "echo -e"#find_echo() { local result result=$(echo "a\tb") [ ${#result} -eq 3 ] && { echo echo; return; } result=$(echo -e "a\tb") [ ${#result} -eq 3 ] && { echo "echo -e"; return; } result=$(which echo) [ -n "$result" ] && { echo "$result -e"; return; } echo echo }# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:## None - No mktemp# BSD - BSD mktemp (Mandrake)# STD - mktemp.org mktemp#find_mktemp() { local mktemp mktemp=`mywhich mktemp 2> /dev/null` if [ -n "$mktemp" ]; then if qt mktemp -V ; then MKTEMP=STD else MKTEMP=BSD fi else MKTEMP=None fi}## create a temporary file. If a directory name is passed, the file will be created in# that directory. Otherwise, it will be created in a temporary directory.#mktempfile() { [ -z "$MKTEMP" ] && find_mktemp if [ $# -gt 0 ]; then case "$MKTEMP" in BSD) mktemp $1/shorewall.XXXXXX ;; STD) mktemp -p $1 shorewall.XXXXXX ;; None) > $1/shorewall-$$ && echo $1/shorewall-$$ ;; *) error_message "ERROR:Internal error in mktempfile" ;; esac else case "$MKTEMP" in BSD) mktemp /tmp/shorewall.XXXXXX ;; STD) mktemp -t shorewall.XXXXXX ;; None) rm -f /tmp/shorewall-$$ > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ ;; *) error_message "ERROR:Internal error in mktempfile" ;; esac fi}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -