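	    do_options "_out" $out_options
	fi
    done < $TMP_DIR/$f
}

#
# Validate the zone names and options in the hosts file
#
# Reads $TMP_DIR/hosts (columns: ZONE HOST(S) OPTIONS) one record at a time
# and aborts through startup_error() on the first invalid record.
#
# Per-zone state is kept in dynamically named globals, written with eval.
# The zone name is therefore passed through validate_zone1() *before* it is
# interpolated into a variable name; presumably validate_zone1 restricts it
# to identifier characters - that check is what keeps the evals safe.
#   <zone>_is_complex   - set to Yes for exclusions, wildcard ports, ipsets
#                         and the ipsec option
#   <zone>_ports        - list of "<interface>:<port>" bridge ports
#   <zone>_ipsec_hosts  - list of "<interface>:<host>" carrying 'ipsec'
#   <zone>_routeback    - list of "<interface>:<host>" carrying 'routeback'
# Also extends $ALL_PORTS and clears $POLICY_MATCH when nothing uses IPSEC.
#
validate_hosts_file() {
   local z
   local hosts
   local options
   local r
   local interface
   local host
   local option
   local zports
   local ipsec
   ipsec=

   # Record $1 as a bridge port of $interface, both for the current zone and
   # globally, without duplicates (list_search is assumed to succeed when the
   # item is already in the list).
   check_bridge_port()
   {
       list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
       list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1"
   }

   while read z hosts options; do
       r="$z $hosts $options"
       validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""

       # HOST(S) must be "<interface>:<host list>" and the interface must be
       # one from ${CONFDIR}/interfaces.
       case $hosts in
	   *:*)
	       interface=${hosts%%:*}
	       # NOTE(review): 'iface' is neither declared local nor used below;
	       # it leaks into the caller's scope.
	       iface=$(chain_base $interface)
	       list_search  $interface $ALL_INTERFACES || \
		   startup_error "Unknown interface ($interface) in record \"$r\""
	       hosts=${hosts#*:}
	       ;;
	   *)
	       startup_error "Invalid HOST(S) column contents: $hosts"
	       ;;
       esac

       eval zports=\$${z}_ports

       # Without bridging an exclusion only marks the zone complex here: the
       # host list is cut back to the part before the '!' (or replaced by
       # 0.0.0.0/0 for a bare exclusion).  The excluded part is presumably
       # re-read elsewhere via the complex-zone handling.
       if [ -z "$BRIDGING" ]; then
	   case $hosts in
	       *!*!*)
		   startup_error "Invalid hosts file entry: \"$r\""
		   ;;
	       !*)
		   hosts=0.0.0.0/0
		   eval ${z}_is_complex=Yes
		   ;;
	       *!*)
		   hosts=${hosts%%!*}
		   eval ${z}_is_complex=Yes
		   ;;
	   esac
       fi

       for host in $(separate_list $hosts); do
	    if [ -n "$BRIDGING" ]; then
		# Bridged zones list bridge ports (optionally "<port>:<address>");
		# a port may not also be defined in ${CONFDIR}/interfaces.
		case $host in
		   *:*)
		       known_interface ${host%:*} && \
			   startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
		       check_bridge_port ${host%%:*}
		       ;;
		   *.*.*)
		       # plain address or network
		       ;;
		   *+|+*|*!*)
		       # wildcard port ("eth+"), ipset ("+name") or exclusion
		       eval ${z}_is_complex=Yes
		       ;;
		   *)
		       known_interface $host && \
			   startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
		       check_bridge_port $host
		       ;;
	       esac
	   else
		# Non-bridged zones accept only addresses/networks and ipsets.
		case $host in
		    *.*.*)
			;;
		    +*)
			eval ${z}_is_complex=Yes
			;;
		    *)
			startup_error "BRIDGING=Yes is needed for this zone definition: $r"
			;;
		esac
	    fi

	    # Options are applied once per host.  An unknown option only warns;
	    # it does not abort startup.
	    for option in $(separate_list $options) ; do
		case $option in
		    norfc1918|blacklist|tcpflags|nosmurfs|-)
			;;
		    maclist)
		       	[ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option"
			;;
		    ipsec)
			[ -n "$POLICY_MATCH" ] || \
			    startup_error "Your kernel and/or iptables does not support policy match: ipsec"
			eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
			eval ${z}_is_complex=Yes
			ipsec=Yes
			;;
		   routeback)
			eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
			;;
		   *)
		       error_message "WARNING: Invalid option ($option) in record \"$r\""
		       ;;
	       esac
	   done
       done

       [ -n "$zports" ]  && eval ${z}_ports=\"$zports\"

   done < $TMP_DIR/hosts

   [ -n "$ALL_PORTS" ] && progress_message2 "   Bridge ports are: $ALL_PORTS"

   # No IPSEC zone and no host with the ipsec option: drop the policy-match
   # capability so that no '-m policy' is generated later on.
   [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=
}

#
# Find interfaces to a given zone
#
# Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
{
    local zne
    zne=$1
    local z
    local interface

    for interface in $ALL_INTERFACES; do
	# <chain_base(interface)>_zone holds the zone the interface belongs to
	eval z=\$$(chain_base $interface)_zone
	[ "x${z}" = x${zne} ] && echo $interface
    done
}

#
# Chain-name helpers: every per-interface chain is named
# <chain_base(interface)>_<suffix>; chain_base() (defined elsewhere) turns an
# interface name into a string usable as a chain-name prefix.
#

#
# Forward Chain for an interface
#
forward_chain() # $1 = interface
{
   echo $(chain_base $1)_fwd
}

#
# Input Chain for an interface
#
input_chain() # $1 = interface
{
   echo $(chain_base $1)_in
}

#
# Output Chain for an interface
#
output_chain() # $1 = interface
{
   echo $(chain_base $1)_out
}

#
# Masquerade Chain for an interface
#
masq_chain() # $1 = interface
{
   echo $(chain_base $1)_masq
}

#
# MAC Verification Chain for an interface
#
mac_chain() # $1 = interface
{
   echo $(chain_base $1)_mac
}

#
# Target for MAC verification: the per-interface "recent" chain when
# MACLIST_TTL is configured, otherwise plain RETURN.
#
macrecent_target() # $1 - interface
{
    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}

#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
   echo $(chain_base $1)_dynf
}

dynamic_in() # $1 = interface
{
   echo $(chain_base $1)_dyni
}

dynamic_out() # $1 = interface
{
   echo $(chain_base $1)_dyno
}

# All three dynamic chains of an interface, in the order in, fwd, out.
dynamic_chains() #$1 = interface
{
   local c
   c=$(chain_base $1)
   echo ${c}_dyni ${c}_dynf ${c}_dyno
}

#
# DNAT Chain from a zone
#
dnat_chain() # $1 = zone
{
   echo ${1}_dnat
}

#
# SNAT Chain to an interface
#
snat_chain() # $1 = interface
{
   echo $(chain_base $1)_snat
}

#
# ECN Chain to an interface
#
ecn_chain() # $1 = interface
{
   echo $(chain_base $1)_ecn
}

#
# First chains for an interface
#
first_chains() #$1 = interface
{
   local c
   c=$(chain_base $1)
   echo ${c}_fwd ${c}_in
}

#
# Out Chain to an interface
#
out_chain() # $1 = interface
{
   echo $(chain_base $1)_out
}

#
# Horrible hack to work around an iptables limitation
#
# Presumably the limitation is that some iptables versions reject naming the
# same match module twice in one rule (e.g. '-m iprange' for both --src-range
# and --dst-range).  Unless $KLUDGEFREE says the installed iptables copes, the
# first call emits '-m iprange' and drops a marker file; later calls see the
# marker and emit only the option(s).  The caller is expected to remove
# $TMP_DIR/iprange between rules (not visible here).
#
iprange_echo()
{
    if [ -n "$KLUDGEFREE" ]; then
	echo "-m iprange $@"
    elif [ -f $TMP_DIR/iprange ]; then
	echo $@
    else
	echo "-m iprange $@"
	> $TMP_DIR/iprange
    fi
}

#
# Get set flags (ipsets).
#
# $1 is "+name", "+name[N]" (N in 1..6) or "+name[flag,flag,...]"; $2 is the
# default flag (src or dst).  Emits "--set name <flags>" where
#   +name        -> "--set name src"          ($2 once)
#   +name[3]     -> "--set name src,src,src"  ($2 repeated N times)
#   +name[src,dst] -> "--set name src,dst"    (explicit flags replace $2)
# Aborts via fatal_error when the ipset match capability is absent.
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
    local temp
    local setname
    setname=$1
    local options
    options=$2

    [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"

    case $1 in
	*\[[1-6]\])
	    temp=${1#*\[}
	    temp=${temp%\]}
	    setname=${1%\[*}
	    while [ $temp -gt 1 ]; do
	       options="$options,$2"
	       temp=$(($temp - 1))
	    done
	    ;;
	*\[*\])
	    options=${1#*\[}
	    options=${options%\]}
	    setname=${1%\[*}
	    ;;
	*)
	    ;;
    esac

    echo "--set ${setname#+} $options"
}

#
# Horrible hack to work around an iptables limitation
#
# Same scheme as iprange_echo(), for '-m physdev' and the marker file
# $TMP_DIR/physdev.
#
physdev_echo()
{
    if [ -n "$KLUDGEFREE" ]; then
	echo -m physdev $@
    elif [ -f $TMP_DIR/physdev ]; then
	echo $@
    else
	echo -m physdev $@
	> $TMP_DIR/physdev
    fi
}

#
# Source IP range
#
# Emits the source match for an address/network ("-s ..."), an address range
# ("--src-range a-b" via iprange_echo, '!' prefix honoured) or an ipset
# ("-m set [!] --set ...").  Nothing is emitted when called without an
# argument.  A '!' in front of a plain address is passed through untouched
# ("-s !addr").
#
source_ip_range() # $1 = Address or Address Range
{
    [ $# -gt 0 ] && case $1 in
	*.*.*.*-*.*.*.*)
	    case $1 in
		!*)
		    iprange_echo "! --src-range ${1#!}"
		    ;;
		*)
		    iprange_echo "--src-range $1"
		    ;;
	    esac
	    ;;
	!+*)
	    echo "-m set ! $(get_set_flags ${1#!} src)"
	    ;;
	+*)
	    echo "-m set $(get_set_flags $1 src)"
	    ;;
	*)
	    echo "-s $1"
	    ;;
    esac
}

#
# Destination IP range
#
# Destination counterpart of source_ip_range() ("-d", "--dst-range", dst set
# flags).
#
dest_ip_range() # $1 = Address or Address Range
{
    [ $# -gt 0 ] && case $1 in
	*.*.*.*-*.*.*.*)
	    case $1 in
		!*)
		    iprange_echo "! --dst-range ${1#!}"
		    ;;
		*)
		    iprange_echo "--dst-range $1"
		    ;;
	    esac
	    ;;
	!+*)
	    echo "-m set ! $(get_set_flags ${1#!} dst)"
	    ;;
	+*)
	    echo "-m set $(get_set_flags $1 dst)"
	    ;;
	*)
	    echo "-d $1"
	    ;;
    esac
}

#
# Combined source+destination match for one rule.  Unlike calling
# source_ip_range() and dest_ip_range() separately, each of '-m iprange' and
# '-m set' is emitted at most once, with the source and destination options
# collected behind the single prefix.  Output shape:
#   "<rangeprefix> <rangematch> <setprefix> <setmatch>"
#
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
{
    local rangeprefix
    rangeprefix=
    local setprefix
    setprefix=
    local rangematch
    rangematch=
    local setmatch
    setmatch=

    case $1 in
	*.*.*.*-*.*.*.*)
	    rangeprefix="-m iprange"
	    rangematch="--src-range $1"
	    ;;
	!+*)
	    setprefix="-m set"
	    setmatch="! $(get_set_flags ${1#!} src)"
	    ;;
	+*)
	    setprefix="-m set"
	    setmatch="$(get_set_flags $1 src)"
	    ;;
	*)
	    rangematch="-s $1"
	    ;;
    esac

    case $2 in
	*.*.*.*-*.*.*.*)
	    rangeprefix="-m iprange"
	    rangematch="$rangematch --dst-range $2"
	    ;;
	!+*)
	    setprefix="-m set"
	    # Fixed: this branch used to assign to an unrelated variable 'match',
	    # so a negated destination set never reached the emitted rule - with
	    # a source set the rule matched more than intended, and without one
	    # a bare '-m set' was emitted.
	    setmatch="$setmatch ! $(get_set_flags ${2#!} dst)"
	    ;;
	+*)
	    setprefix="-m set"
	    setmatch="$setmatch $(get_set_flags $2 dst)"
	    ;;
	*)
	    rangematch="$rangematch -d $2"
	    ;;
    esac

    echo "$rangeprefix $rangematch $setprefix $setmatch"
}

#
# Loosly Match the name of an interface
#
# A configured name ending in '+' is a prefix wildcard: $2 matches when its
# first ${#pattern} characters equal the name without the '+'.  'truncate' is
# presumably Shorewall's own helper that keeps the first N characters of
# stdin (not coreutils truncate).  Without '+' the names must be equal.
#
if_match() # $1 = Name in interfaces file - may end in "+"
           # $2 = Full interface name - may also end in "+"
{
    local pattern
    pattern=${1%+}

    case $1 in
	*+)
	    test  "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
	    ;;
	*)
	    test "x$1" = "x$2"
	    ;;
    esac
}

#
# We allow hosts to be specified by IP address or by physdev.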
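# The two functions below produce the proper match in a netfilter rule for a
# host given as <address>, <address range>, [!]+<ipset>, <port> or
# <port>:<address>.
#
# match_source_hosts() - $1 = host spec; emits the source-side match.
#
# With BRIDGING a bare name that is neither an address/range nor an ipset is
# taken to be a bridge port and becomes a physdev match; "<port>:<address>"
# combines both.  Without bridging everything is handed to source_ip_range().
#
match_source_hosts()
{
    if [ -n "$BRIDGING" ]; then
	case "$1" in
	    *:*)
		physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
		;;
	    *.*.*.*|+*|!+*)
		echo $(source_ip_range $1)
		;;
	    *)
		physdev_echo "--physdev-in $1"
		;;
	esac
    else
	echo $(source_ip_range $1)
    fi
}

#
# match_dest_hosts() - destination counterpart of match_source_hosts()
# ('--physdev-out', dest_ip_range()).
#
match_dest_hosts()
{
    if [ -n "$BRIDGING" ]; then
	case "$1" in
	    *:*)
		physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
		;;
	    *.*.*.*|+*|!+*)
		echo $(dest_ip_range $1)
		;;
	    *)
		physdev_echo "--physdev-out $1"
		;;
	esac
    else
	echo $(dest_ip_range $1)
    fi
}

#
# Matches for either <address-range> or <interface>:<address range>
#
# match_source() emits '-i <interface>' followed by the source host match;
# a bare address/range/ipset yields the source match alone.
#
match_source()
{
    case "$1" in
	*:*)
	    echo "-i ${1%%:*} $(match_source_hosts ${1#*:})"
	    ;;
	*)
	    # Fixed: this branch called dest_ip_range(), so a bare source
	    # address produced a destination match ('-d <addr>') instead of
	    # '-s <addr>', unlike the interface-qualified branch above.
	    echo $(source_ip_range $1)
	    ;;
    esac
}

#
# match_dest() emits '-o <interface>' followed by the destination host
# match; a bare address/range/ipset yields the destination match alone.
#
match_dest()
{
    case "$1" in
	*:*)
	    echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})"
	    ;;
	*)
	    echo $(dest_ip_range $1)
	    ;;
    esac
}

#
# Similarly, the source or destination in a rule can be qualified by a device name.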
# If the device is defined in ${CONFDIR}/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated.
#-------------------------------------------------------------------------------------
#
# loosely match the passed interface with those in ${CONFDIR}/interfaces.
#
# Returns 0 when $1 matches an entry of $ALL_INTERFACES via if_match() (which
# honours a trailing '+' wildcard on the configured name), 1 otherwise.
#
known_interface() # $1 = interface name
{
    local iface

    for iface in $ALL_INTERFACES ; do
	if if_match $iface $1 ; then
	    return 0
	fi
    done

    return 1
}

#
# Same as known_interface(), but against the bridge ports collected in
# $ALL_PORTS while the hosts file is validated.
#
known_port() # $1 = port name
{
    local port

    for port in $ALL_PORTS ; do
	if if_match $port $1 ; then
	    return 0
	fi
    done

    return 1
}

#
# Emit the incoming-device match for $1.
#
# BRIDGING=Yes: a known bridge port -> '--physdev-in', anything else -> '-i'.
#   (Because of the 'a && b || c' form, '-i' would also be emitted should
#   physdev_echo ever fail; harmless as written, since it only echoes.)
# otherwise:    a name from ${CONFDIR}/interfaces -> '-i'; an unknown device
#               -> '--physdev-in' when $PHYSDEV_MATCH is set (presumably the
#               detected physdev capability), else fall back to '-i'.
#
match_source_dev()
{
    if [ -n "$BRIDGING" ]; then
	known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
    elif known_interface $1; then
	echo -i $1
    elif [ -n "$PHYSDEV_MATCH" ]; then
	physdev_echo "--physdev-in $1"
    else
	echo -i $1
    fi
}

#
# Outgoing-device counterpart of match_source_dev() ('--physdev-out' / '-o').
#
match_dest_dev()
{
    if [ -n "$BRIDGING" ]; then
	known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
    elif known_interface $1; then
