
📄 lib.cli

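#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.cli.
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#	Complete documentation is available at http://shorewall.net
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of Version 2 of the GNU General Public License
#	as published by the Free Software Foundation.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, write to the Free Software
#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library contains the command processing code common to /sbin/shorewall and
# /sbin/shorewall-lite.
#
# It is sourced, not executed: everything below is a function definition.
# The functions rely on globals established by the caller (IPTABLES, VARDIR,
# RESTOREFILE, RESTOREPATH, TMPFILE, LOGREAD, LOGFORMAT, VERBOSE, SHOWMACS,
# SAVE_IPSETS, SHAREDIR, ...) and on helpers defined in sibling libraries
# (qt, mywhich, error_message, heading, shorewall_is_started, run_user_exit,
# show_reset, usage).
#

#
# Fatal Error -- print the message on stderr, indented like the other
# diagnostics in this file, and terminate the command with status 2.
#
fatal_error() # $@ = Message
{
    echo "   $*" >&2
    exit 2
}

#
# Display the chain named $1 from the saved 'iptables -L' listing in $TMPFILE,
# including the ' pkts bytes target ...' column-header line that follows the
# 'Chain' line.  Returns 0 if the chain was found, 1 otherwise.
#
# The chain name is handed to awk through -v so that it is data rather than
# part of the program text, and the match is anchored ("^Chain NAME ") so a
# name that is a prefix of another chain (fw vs. fw2net) cannot select the
# wrong one.  rslt is cleared as soon as the chain is seen, so a chain that is
# the last one in the file is also reported as found.
#
showfirstchain() # $1 = name of chain
{
    awk -v chain="$1" '
        BEGIN                      { prnt = 0; rslt = 1 }
        /^$/                       { next }
        /^Chain/                   { if (prnt == 1) exit 0 }
        $0 ~ ("^Chain " chain " ") { prnt = 1; rslt = 0 }
                                   { if (prnt == 1) print }
        END                        { exit rslt }' "$TMPFILE"
}

#
# Display chain $1 from $TMPFILE.  While the global firstchain is "Yes" the
# chain goes through showfirstchain so that the column-header line is printed
# once; every later chain is printed without that header.  firstchain is
# cleared only once a chain has actually been displayed.
#
showchain() # $1 = name of chain
{
    if [ "$firstchain" = "Yes" ]; then
        if showfirstchain "$1"; then
            firstchain=
        fi
    else
        awk -v chain="$1" '
            BEGIN                      { prnt = 0 }
            /^$|^ pkts/                { next }
            /^Chain/                   { if (prnt == 1) exit }
            $0 ~ ("^Chain " chain " ") { prnt = 1 }
                                       { if (prnt == 1) print }' "$TMPFILE"
    fi
}

#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the
# extension modules).  Filters iptables-save output from stdin to stdout:
#   - a line that begins with "-j" is a target that was split off its rule;
#     it is re-joined to the preceding "-m policy" line remembered in sline
#   - "--mask ff" is rewritten as "--mask 0xff"
# When awk is not available the data is copied through unchanged, with a
# warning on stderr.
#
iptablesbug()
{
    if qt mywhich awk; then
        awk '
            BEGIN           { sline = "" }
            /^-j/           { print sline $0; next }
            /-m policy.*-j/ { print $0; next }
            /-m policy/     { sline = $0; next }
            /--mask ff/     { sub(/--mask ff/, "--mask 0xff") }
                            { print; sline = "" }'
    else
        echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
        cat
    fi
}

#
# Validate the value of RESTOREFILE, the name of the restore script that
# 'save' writes and 'restore' later executes (RESTOREPATH is built from it
# elsewhere).  The name must be a single path component -- not empty and
# without any '/' -- and must not be one of the reserved dot-names (.safe and
# .try are the only dot-names allowed) or NONE.  A violation is reported
# through error_message, prefixed by the label in $*, and aborts with status 2.
#
validate_restorefile() # $* = label
{
    case $RESTOREFILE in
        ""|*/*)
            error_message "ERROR: $* must specify a simple file name: $RESTOREFILE"
            exit 2
            ;;
        .safe|.try)
            ;;
        .*|NONE)
            error_message "ERROR: Reserved File Name: $RESTOREFILE"
            exit 2
            ;;
    esac
}

#
# Clear the screen, but only when descriptor 1 is a terminal.
#
clear_term() {
    [ -t 1 ] && clear
}

#
# Delay $timeout seconds.  Where 'read' understands -t (recent bash2) the
# delay ends early when <enter> is pressed; where 'read' rejects -t with
# status 2 we fall back to a plain sleep.
#
timed_read ()
{
    read -t "$timeout" foo 2> /dev/null
    test $? -eq 2 && sleep "$timeout"
}

#
# Determine if 'syslogd -C' is running: echo "Yes" when some syslogd process
# carries a -C argument, otherwise print nothing.
#
syslog_circular_buffer() {
    local pid tty flags cputime path args arg

    # Each 'ps ax' line is PID TTY STAT TIME COMMAND [ARGS...].  The loop runs
    # in a pipeline subshell, so 'return' only leaves that subshell; the
    # caller sees the answer through the echoed "Yes".
    ps ax 2> /dev/null | while read pid tty flags cputime path args; do
        case $path in
            syslogd|*/syslogd)
                for arg in $args; do
                    if [ "x$arg" = "x-C" ]; then
                        echo Yes
                        return
                    fi
                done
                ;;
        esac
    done
}

#
# Display the last $1 packets logged.  Reads the log through $LOGREAD, keeps
# the lines that carry IN=/OUT=/SRC=/DST= fields, takes the first $1 of them
# and reverses their order (tac), then strips the " kernel:" tag, any
# "[...] " bracketed prefix and the " $host $LOGFORMAT" prefix.  The MAC=
# field is dropped too unless SHOWMACS is set or VERBOSE is greater than 2.
#
# $host (set by the caller) and $LOGFORMAT are spliced into a sed expression,
# so a LOGFORMAT containing '/' would break the substitution; both come from
# the hostname and shorewall.conf, not from packet data.
#
packet_log() # $1 = number of messages
{
    local mac_filter

    if [ -n "$SHOWMACS" -o "${VERBOSE:-0}" -gt 2 ]; then
        mac_filter=
    else
        mac_filter='s/MAC=.* SRC=/SRC=/; '
    fi

    $LOGREAD | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n"$1" | tac |
        sed "s/ kernel://; ${mac_filter}s/\[.*\] //" |
        sed "s/ $host $LOGFORMAT/ /"
}

#
# Show traffic control information: for every interface that has a qdisc,
# the qdisc and class statistics reported by tc.  Interface names come from
# 'ip -o link list' ("N: name[@parent]: ..."); the trailing ':' and any
# '@parent' suffix are removed before the name is handed to tc.
#
show_tc() {

    show_one_tc() {
        local device qdisc
        device=${1%@*}
        qdisc=$(tc qdisc list dev "$device")

        if [ -n "$qdisc" ]; then
            echo "Device $device:"
            tc -s -d qdisc show dev "$device"
            echo
            tc -s -d class show dev "$device"
            echo
        fi
    }

    ip -o link list | while read inx interface details; do
        show_one_tc "${interface%:}"
    done
}

#
# Show classifier information: for every interface that has a qdisc, the
# filter statistics reported by tc.  Interface names are derived exactly as
# in show_tc.
#
show_classifiers() {

    show_one_classifier() {
        local device qdisc
        device=${1%@*}
        qdisc=$(tc qdisc list dev "$device")

        if [ -n "$qdisc" ]; then
            echo "Device $device:"
            tc -s filter ls dev "$device"
            echo
        fi
    }

    ip -o link list | while read inx interface details; do
        show_one_classifier "${interface%:}"
    done
}

#
# Watch the Firewall Log: loop forever, redisplaying the last 40 logged
# packets every $timeout seconds and running $RING_BELL whenever the LOG
# lines of 'iptables -L -v -n' change.  Sets the globals host, timeout and
# pause, which packet_log and timed_read read; haveawk is set as a global
# for the benefit of other code.
#
logwatch() # $1 = timeout -- if negative, prompt each time that
           #                an 'interesting' packet count changes
{
    host=$(echo "$HOSTNAME" | sed 's/\..*$//')

    oldrejects=$($IPTABLES -L -v -n | grep 'LOG')

    if [ "$1" -lt 0 ]; then
        timeout=$((0 - $1))
        pause="Yes"
    else
        pause="No"
        timeout=$1
    fi

    qt mywhich awk && haveawk=Yes || haveawk=

    while true; do
        clear_term
        echo "$banner $(date)"
        echo
        echo "Dropped/Rejected Packet Log ($LOGFILE)"
        echo
        show_reset
        rejects=$($IPTABLES -L -v -n | grep 'LOG')

        if [ "$rejects" != "$oldrejects" ]; then
            oldrejects="$rejects"

            $RING_BELL

            packet_log 40

            if [ "$pause" = "Yes" ]; then
                echo
                # $ECHO_N is deliberately unquoted: it expands to "-n" or to
                # nothing, and an empty quoted argument would print a space.
                echo $ECHO_N 'Enter any character to continue: '
                read foo
            else
                timed_read
            fi
        else
            echo
            packet_log 40
            timed_read
        fi
    done
}

#
# Save the currently running configuration so that 'restore' can put it back:
#   $VARDIR/save            - 'iptables -L dynamic -n' listing
#   $RESTOREPATH            - copy of $VARDIR/.restore, made executable
#   $RESTOREPATH-iptables   - iptables-save output, filtered by iptablesbug
#   $RESTOREPATH-ipsets     - only when SAVE_IPSETS=Yes: a generated sh script
#                             that reloads the ip_set modules and feeds the
#                             'ipset -S' dump to 'ipset -R'
# Nothing is written when the firewall is not started, when $RESTOREPATH
# exists but is not executable (i.e. was not produced by an earlier save),
# or when RESTOREFILE is a reserved name.  Problems are reported on stderr;
# the function always returns 0.
#
# iptables-save is run to a scratch file under $VARDIR first and its exit
# status checked directly -- in a 'iptables-save | iptablesbug' pipeline only
# the filter's status is visible, so a failed dump could have replaced the
# previous restore file with a truncated one.  The scratch files live in
# $VARDIR, not in a world-writable directory, and are only renamed into place
# once both steps succeeded.
#
save_config() {
    local ipset_script raw_dump

    # Write to $1 a self-contained sh script that reloads the ip_set kernel
    # modules and restores the current ipset contents.
    write_ipset_script() {
        {
            echo "#!/bin/sh"
            echo "#This ipset restore file generated $(date) by Shorewall $version"
            echo
            echo ". ${SHAREDIR}/lib.base"
            echo
            cat "${VARDIR}/.modulesdir"
            echo
            echo "reload_kernel_modules << __EOF__"
            grep 'loadmodule ip_set' "${VARDIR}/.modules"
            echo "__EOF__"
            echo
            echo "ipset -U :all: :all:"
            echo "ipset -U :all: :default:"
            echo "ipset -F"
            echo "ipset -X"
            # Quoted delimiter: the dump is data and must reach 'ipset -R'
            # byte-for-byte, without parameter expansion when the generated
            # script runs.
            echo "ipset -R << '__EOF__'"
            ipset -S
            echo "__EOF__"
        } > "$1"
    }

    iptables_save=${IPTABLES}-save

    [ -x "$iptables_save" ] || echo "$iptables_save does not exist or is not executable" >&2

    if ! shorewall_is_started; then
        echo "Shorewall isn't started" >&2
        return 0
    fi

    [ -d "$VARDIR" ] || mkdir -p "$VARDIR"

    if [ -f "$RESTOREPATH" -a ! -x "$RESTOREPATH" ]; then
        echo "   ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2
        return 0
    fi

    case $RESTOREFILE in
        capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
            echo "   ERROR: Reserved file name: $RESTOREFILE" >&2
            return 0
            ;;
    esac

    validate_restorefile RESTOREFILE

    if ! $IPTABLES -L dynamic -n > "${VARDIR}/save"; then
        echo "Error Saving the Dynamic Rules" >&2
        return 0
    fi

    echo "   Dynamic Rules Saved"

    if [ ! -f "${VARDIR}/.restore" ]; then
        echo "   ERROR: ${VARDIR}/.restore does not exist" >&2
        return 0
    fi

    raw_dump=${VARDIR}/restore-$$.raw

    if ! $iptables_save > "$raw_dump" ||
       ! iptablesbug < "$raw_dump" > "${VARDIR}/restore-$$"; then
        rm -f "$raw_dump" "${VARDIR}/restore-$$"
        echo "   ERROR: Currently-running Configuration Not Saved" >&2
        return 0
    fi

    rm -f "$raw_dump"

    cp -f "${VARDIR}/.restore" "$RESTOREPATH"
    mv -f "${VARDIR}/restore-$$" "${RESTOREPATH}-iptables"
    chmod +x "$RESTOREPATH"
    echo "   Currently-running Configuration Saved to $RESTOREPATH"
    rm -f "${RESTOREPATH}-ipsets"

    case ${SAVE_IPSETS:-No} in
        [Yy][Ee][Ss])
            # NOTE(review): the global RESTOREPATH is repointed at the -ipsets
            # file here and stays that way for the 'save' user exit below --
            # kept as-is; confirm no caller expects the original value.
            RESTOREPATH=${RESTOREPATH}-ipsets

            ipset_script=${VARDIR}/restore-$$
            write_ipset_script "$ipset_script"
            mv -f "$ipset_script" "$RESTOREPATH"
            chmod +x "$RESTOREPATH"
            echo "   Current Ipset Contents Saved to $RESTOREPATH"
            ;;
        [Nn][Oo])
            ;;
        *)
            echo "   WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" >&2
            ;;
    esac

    run_user_exit save

    return 0
}

#
# Show routing configuration.  When 'ip rule list' produces output, print
# the rules and then, for every distinct table named by the last word of a
# rule line, that table's routes; otherwise print the main routing table.
#
show_routing() {
    local rules

    rules=$(ip rule list)

    if [ -n "$rules" ]; then
        heading "Routing Rules"
        echo "$rules"
        echo "$rules" | while read rule; do
            echo "${rule##* }"
        done | sort -u | while read table; do
            heading "Table $table:"
            ip route list table "$table"
        done
    else
        heading "Routing Table"
        ip route list
    fi
}

#
# Show Command Executor
#
# NOTE: this function continues beyond the end of this excerpt; the code
# below is reproduced as found, only re-indented.
#
show_command() {
    local finished
    finished=0
    local table
    table=filter
    local table_given
    table_given=

    show_macro() {
        foo=`grep 'This macro' $macro | sed 's/This macro //'`

        if [ -n "$foo" ]; then
            macro=${macro#*.}
            foo=${foo%.*}

            if [ ${#macro} -gt 10 ]; then
                echo "   $macro  ${foo#\#}"
            else
                $ECHO_E "   $macro  \t${foo#\#}"
            fi
        fi
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        v*)
                            VERBOSE=$(($VERBOSE + 1 ))
                            option=${option#v}
                            ;;
                        x*)
                            IPT_OPTIONS="-xnv"
                            option=${option#x}
                            ;;
                        m*)
                            SHOWMACS=Yes
                            option=${option#m}
                            ;;
                        f*)
                            FILEMODE=Yes
                            option=${option#f}
                            ;;
                        t)
                            [ $# -eq 1 ] && usage 1

                            case $2 in
                                mangle|nat|filter|raw)
                                    table=$2
                                    table_given=Yes
                                    ;;
                                *)
                                    # NOTE(review): $s is never assigned; the
                                    # table name the user supplied is $2.
                                    fatal_error "Invalid table name ($s)"
                                    ;;
                            esac

                            option=
                            shift
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    [ -n "$debugging" ] && set -x

    case "$1" in
        connections)
            [ $# -gt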
1 ] && usage 1	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"	    echo	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack	    ;;	nat)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)"	    echo	    show_reset	    $IPTABLES -t nat -L $IPT_OPTIONS	    ;;	raw)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)"	    echo	    show_reset	    $IPTABLES -t raw -L $IPT_OPTIONS	    ;;	tos|mangle)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"	    echo	    show_reset	    $IPTABLES -t mangle -L $IPT_OPTIONS	    ;;	log)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"	    echo	    show_reset	    host=$(echo $HOSTNAME | sed 's/\..*$//')	    packet_log 20	    ;;	tc)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"	    echo	    show_tc	    ;;	classifiers|filters)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"	    echo	    show_classifiers	    ;;	zones)	    [ $# -gt 1 ] && usage 1	    if [ -f ${VARDIR}/zones ]; then		echo "$PRODUCT $version Zones at $HOSTNAME - $(date)"		echo		while read zone type hosts; do		    echo "$zone ($type)"		    for host in $hosts; do			case $host in			    exclude)				echo "  exclude:"				;;			    *)				echo "   $host"				;;			esac		    done		done < ${VARDIR}/zones		echo	    else		echo "   ERROR: ${VARDIR}/zones does not exist" >&2		exit 1	    fi	    ;;	capabilities)	    [ $# -gt 1 ] && usage 1	    determine_capabilities	    VERBOSE=2	    if [ -n "$FILEMODE" ]; then		report_capabilities1	    else		report_capabilities	    fi	    ;;	ip)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version IP at $HOSTNAME - $(date)"	    echo	    ip -4 addr list	    ;;	routing)	    [ $# -gt 1 ] && usage 1	    echo "$PRODUCT $version Routing at 
$HOSTNAME - $(date)"	    echo	    show_routing	    ;;	config)	    . ${SHAREDIR}/configpath	    echo "Default CONFIG_PATH is $CONFIG_PATH"	    [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"	    ;;	chain)	    shift	    echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"	    echo	    show_reset	    if [ $# -gt 0 ]; then		for chain in $*; do		    $IPTABLES -t $table -L $chain $IPT_OPTIONS		done	    else		$IPTABLES -t $table -L $IPT_OPTIONS	    fi	    ;;	vardir)	    echo $VARDIR;	    ;;	*)	    if [ "$PRODUCT" = Shorewall ]; then		case $1 in		    actions)			[ $# -gt 1 ] && usage 1			echo "allowBcast          # Silently Allow Broadcast/multicast"
