echo -o $1
    # (continuation of a function whose head lies before this chunk)
    elif [ -n "$PHYSDEV_MATCH" ]; then
        physdev_echo "--physdev-out $1"
    else
        echo -o $1
    fi
}

#
# Succeed if $1 is a known interface, or (when bridging is enabled) a known
# bridge port.
#
verify_interface() # $1 = interface
{
    known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
}

#
# Determine if communication to/from a host is encrypted using IPSEC
#
# Succeeds when the zone is flagged as an ipsec zone (${zone}_is_ipsec) or
# when the host is listed in ${zone}_ipsec_hosts.
#
# NOTE(review): $1 is spliced into an eval to build the variable name, so
# callers must only pass validated zone names (see validate_zone below).
#
is_ipsec_host() # $1 = zone, $2 = host
{
    local is_ipsec
    eval is_ipsec=\$${1}_is_ipsec
    local hosts
    eval hosts=\"\$${1}_ipsec_hosts\"
    test -n "$is_ipsec" || list_search $2 $hosts
}

#
# Generate a match for decrypted packets
#
# Echoes an "-m policy --dir in" match: "--pol ipsec" (plus the zone's
# ipsec/ipsec_in options) for ipsec hosts; "--pol none" for everything else
# when policy match is available; nothing otherwise.
#
match_ipsec_in() # $1 = zone, $2 = host
{
    if is_ipsec_host $1 $2 ; then
        local options
        eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
        echo "-m policy --pol ipsec --dir in $options"
    elif [ -n "$POLICY_MATCH" ]; then
        echo "-m policy --pol none --dir in"
    fi
}

#
# Generate a match for packets that will be encrypted
#
# Mirror of match_ipsec_in for "--dir out", using the zone's ipsec_out options.
#
match_ipsec_out() # $1 = zone, $2 = host
{
    if is_ipsec_host $1 $2 ; then
        local options
        eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
        echo "-m policy --pol ipsec --dir out $options"
    elif [ -n "$POLICY_MATCH" ]; then
        echo "-m policy --pol none --dir out"
    fi
}

#
# Jacket for ip_range() that takes care of iprange match
#
# With iprange match support the address/range is passed through unchanged;
# otherwise it is expanded by ip_range.
#
firewall_ip_range() # $1 = IP address or range
{
    [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
}

#
#
# Find hosts in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo the expanded contents of the "HOST(S)" column
#
# Output is one "interface:address" per line. A HOST(S) column that starts
# with "!" (exclusions only) yields interface:0.0.0.0/0; otherwise the part
# before any "!" is split and echoed address by address.
#
find_hosts() # $1 = host zone
{
    local hosts
    local interface
    local address
    local addresses

    while read z hosts options; do
        # The zone column is passed through expand() before comparison.
        if [ "x$(expand $z)" = "x$1" ]; then
            interface=${hosts%%:*}
            addresses=${hosts#*:}

            case $addresses in
                !*)
                    echo $interface:0.0.0.0/0
                    ;;
                *)
                    for address in $(separate_list ${addresses%%!*}); do
                        echo $interface:$address
                    done
                    ;;
            esac
        fi
    done < $TMP_DIR/hosts
}

#
#
# Find exclusions in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo any exclusions
#
# Echoes "interface:address" for every address after the "!" in the HOST(S)
# column. NOTE(review): unlike find_hosts, the zone column is compared
# without expand() -- confirm whether that asymmetry is intended.
#
find_exclusions() # $1 = host zone
{
    local hosts
    local interface
    local address
    local addresses

    while read z hosts options; do
        if [ "x$z" = "x$1" ]; then
            interface=${hosts%%:*}
            addresses=${hosts#*:}

            case $addresses in
                *!*)
                    for address in $(separate_list ${addresses#*!}); do
                        echo $interface:$address
                    done
                    ;;
            esac
        fi
    done < $TMP_DIR/hosts
}

#
# Determine the interfaces on the firewall
#
# For each zone, create a variable called ${zone}_interfaces. This
# variable contains a space-separated list of interfaces to the zone
#
# Note: zone and interfaces are not declared local here.
#
determine_interfaces() {
    for zone in $ZONES; do
        interfaces=$(find_interfaces $zone)
        interfaces=$(echo $interfaces) # Remove extra trash
        eval ${zone}_interfaces=\"\$interfaces\"
    done
}

#
# Determine if an interface has a given option
#
# Looks the option up in $(chain_base $1)_options.
#
interface_has_option() # $1 = interface, $2 = option
{
    local options
    eval options=\$$(chain_base $1)_options
    list_search $2 $options
}

#
# Determine the defined hosts in each zone
#
# For every zone, builds and exports (via eval):
#   ${zone}_hosts       - "interface:network" entries from the hosts file plus
#                         one entry per zone interface (0.0.0.0/0, or the
#                         routed networks when the interface has 'detectnets')
#   ${zone}_exclusions  - output of find_exclusions
#   ${zone}_interfaces  - the distinct interfaces seen in ${zone}_hosts
#   ${zone}_routeback   - prefixed with interface:network for 'routeback' interfaces
#   ${zone}_is_complex  - set to Yes when an interface appears more than once
# An interface that appears more than once together with a 0.0.0.0/0 or 0/0
# entry is a startup_error. Empty zones produce a WARNING.
#
# Note: hosts, exclusions, interfaces, networks, network, host and interface
# are all globals here (none declared local).
#
determine_hosts() {
    for zone in $ZONES; do
        hosts=$(find_hosts $zone)
        hosts=$(echo $hosts) # Remove extra trash
        exclusions=$(find_exclusions $zone)
        exclusions=$(echo $exclusions) # Remove extra trash
        eval interfaces=\$${zone}_interfaces

        for interface in $interfaces; do
            if interface_has_option $interface detectnets; then
                # The second argument is the error text used if the interface carries the default route.
                networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" )
            else
                networks=0.0.0.0/0
            fi

            for network in $networks; do
                if [ -z "$hosts" ]; then
                    hosts=$interface:$network
                else
                    hosts="$hosts $interface:$network"
                fi

                if interface_has_option $interface routeback; then
                    eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
                fi
            done
        done

        # Re-derive the interface list from the host list, detecting duplicates.
        interfaces=

        for host in $hosts; do
            interface=${host%:*}
            if list_search $interface $interfaces; then
                list_search $interface:0.0.0.0/0 $hosts && \
                    startup_error "Invalid zone definition for zone $zone"
                list_search $interface:0/0 $hosts && \
                    startup_error "Invalid zone definition for zone $zone"
                eval ${zone}_is_complex=Yes
            else
                if [ -z "$interfaces" ]; then
                    interfaces=$interface
                else
                    interfaces="$interfaces $interface"
                fi
            fi
        done

        eval ${zone}_exclusions="\$exclusions"
        eval ${zone}_interfaces="\$interfaces"
        eval ${zone}_hosts="\$hosts"

        if [ -n "$hosts" ]; then
            if [ $VERBOSE -ge 1 ]; then
                [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
            fi
        else
            error_message "WARNING: Zone $zone is empty"
        fi
    done
}

#
# Ensure that the passed zone is defined in the zones file or is the firewall
#
validate_zone() # $1 = zone
{
    list_search $1 $ZONES $FW
}

#
# Ensure that the passed zone is defined in the zones file.
#
validate_zone1() # $1 = zone
{
    list_search $1 $ZONES
}

#
# Format a match by the passed MAC address
# The passed address begins with "~" and uses "-" as a separator between bytes
# Example: ~01-02-03-04-05-06
#
# Only the first "~" is dropped and every "-" becomes ":"; the result is not
# otherwise validated as a MAC address.
#
mac_match() # $1 = MAC address formated as described above
{
    echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
}

#
# Find interfaces that have the passed option specified
#
# Echoes each interface in $ALL_INTERFACES whose options list contains $1
# exactly (an "option=value" form does not match; see the next function).
# Note: interface and options are not declared local here.
#
find_interfaces_by_option() # $1 = option
{
    for interface in $ALL_INTERFACES; do
        eval options=\$$(chain_base $interface)_options
        list_search $1 $options && echo $interface
    done
}

#
# This slightly slower version is used to find both the option and option followed
# by equal sign ("=") and a value
#
find_interfaces_by_option1() # $1 = option
{
    local options
    local option

    for interface in $ALL_INTERFACES; do
        eval options=\$$(chain_base $interface)_options
        for option in $options; do
            # Strip "=value" before comparing so both forms match.
            if [ "${option%=*}" = "$1" ]; then
                echo $interface
                break
            fi
        done
    done
}

#
# Find hosts with the passed option
#
# Echoes "ipsec^interface:address" or "none^interface:address" for every hosts
# file entry carrying option $1 (ipsec if the entry also has the 'ipsec'
# option), followed by "none^interface:0.0.0.0/0" for every interface in
# $ALL_INTERFACES that has the option.
#
find_hosts_by_option() # $1 = option
{
    local ignore
    local hosts
    local interface
    local address
    local addresses
    local options
    local ipsec
    ipsec=
    local list

    while read ignore hosts options; do
        list=$(separate_list $options)
        if list_search $1 $list; then
            list_search ipsec $list && ipsec=ipsec || ipsec=none
            interface=${hosts%%:*}
            addresses=${hosts#*:}
            for address in $(separate_list $addresses); do
                echo ${ipsec}^$interface:$address
            done
        fi
    done < $TMP_DIR/hosts

    for interface in $ALL_INTERFACES; do
        interface_has_option $interface $1 && \
            echo none^${interface}:0.0.0.0/0
    done
}

#
# Process the routestopped file either adding or deleting rules
#
# $1 is the iptables command (e.g. -A or -D) handed to run_iptables. For each
# entry: INPUT from the host is accepted; OUTPUT to it is accepted unless
# ADMINISABSENTMINDED is set; 'routeback' adds a same-interface FORWARD rule;
# 'source'/'dest' restrict the entry to one FORWARD direction; entries with
# neither get FORWARD rules to every other listed host. 'critical' is
# accepted here but handled by process_criticalhosts.
#
# Note: routeback, source_range and dest_range are not declared local.
#
process_routestopped() # $1 = command
{
    local hosts
    hosts=
    local interface
    local host
    local host1
    local options
    local networks
    local source
    source=
    local dest
    dest=
    local matched

    while read interface host options; do
        # "-" or an empty HOST(S) column means any address.
        [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0

        for h in $(separate_list $host); do
            hosts="$hosts $interface:$h"
        done

        routeback=

        if [ -n "$options" ]; then
            for option in $(separate_list $options); do
                case $option in
                    routeback)
                        if [ -n "$routeback" ]; then
                            error_message "WARNING: Duplicate routestopped option ignored: routeback"
                        else
                            routeback=Yes
                            for h in $(separate_list $host); do
                                run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
                            done
                        fi
                        ;;
                    source)
                        for h in $(separate_list $host); do
                            source="$source $interface:$h"
                        done
                        ;;
                    dest)
                        for h in $(separate_list $host); do
                            dest="$dest $interface:$h"
                        done
                        ;;
                    critical)
                        ;;
                    *)
                        error_message "WARNING: Unknown routestopped option ignored: $option"
                        ;;
                esac
            done
        fi
    done < $TMP_DIR/routestopped

    for host in $hosts; do
        interface=${host%:*}
        networks=${host#*:}

        source_range=$(source_ip_range $networks)
        dest_range=$(dest_ip_range $networks)

        run_iptables $1 INPUT -i $interface $source_range -j ACCEPT

        [ -z "$ADMINISABSENTMINDED" ] && \
            run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT

        matched=

        if list_search $host $source ; then
            run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT
            matched=Yes
        fi

        if list_search $host $dest ; then
            run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT
            matched=Yes
        fi

        # Neither 'source' nor 'dest': allow forwarding to every other routestopped host.
        if [ -z "$matched" ]; then
            for host1 in $hosts; do
                [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
            done
        fi
    done
}

#
# Collect the routestopped entries carrying the 'critical' option into the
# global CRITICALHOSTS (as "interface:host" words) and report them.
#
process_criticalhosts()
{
    local hosts
    hosts=
    local interface
    local host
    local h
    local options
    local networks
    local criticalhosts
    criticalhosts=

    while read interface host options; do
        [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)

        if [ -n "$options" ]; then
            for option in $(separate_list $options); do
                case $option in
                    routeback|source|dest)
                        ;;
                    critical)
                        for h in $host; do
                            criticalhosts="$criticalhosts $interface:$h"
                        done
                        ;;
                    *)
                        error_message "WARNING: Unknown routestopped option ignored: $option"
                        ;;
                esac
            done
        fi
    done < $TMP_DIR/routestopped

    if [ -n "$criticalhosts" ]; then
        CRITICALHOSTS=$criticalhosts
        progress_message "Critical Hosts are:$CRITICALHOSTS"
    fi
}

#
# create a temporary directory
#
# Echoes the path of the new directory. Which strategy is used depends on
# $MKTEMP (set by find_mktemp when empty).
#
mktempdir() {
    [ -z "$MKTEMP" ] && find_mktemp

    case "$MKTEMP" in
        STD)
            mktemp -td shorewall.XXXXXX
            ;;
        None|BSD)
            #
            # Not all versions of the BSD mktemp support the -d option under Linux
            #
            # NOTE(review): this fallback uses the predictable, world-writable
            # path /tmp/shorewall-<pid>. Between the rm -rf and the mkdir -p a
            # local user could plant a symlink or directory at that name;
            # mkdir -p does not fail on an existing directory and chmod follows
            # the link. Prefer a mktemp implementation that supports -d.
            #
            qt rm -rf /tmp/shorewall-$$
            mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
            ;;
        *)
            error_message "ERROR:Internal error in mktempdir"
            ;;
    esac
}

#
# Read a file and handle "INCLUDE" directives
#
# Echoes each line as "$first $rest". A line whose first word is INCLUDE is
# replaced by the contents of the named file (located via find_file after
# expand; anything from "#" on is stripped from the name), up to a nesting
# depth of 4; deeper INCLUDEs are ignored with a WARNING. A missing file is
# reported via $TERMINATOR (if set) and a WARNING line on stdout.
#
# Note: read is used without -r, so backslashes in config lines are
# interpreted by the shell.
#
read_file() # $1 = file name, $2 = nest count
{
    local first
    local rest

    if [ -f $1 ]; then
        while read first rest; do
            if [ "x$first" = "xINCLUDE" ]; then
                if [ $2 -lt 4 ]; then
                    read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
                else
                    error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)"
                fi
            else
                echo "$first $rest"
            fi
        done < $1
    else
        [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1"
        echo "WARNING -- No such file: $1"
    fi
}

#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
# Does nothing if $TMP_DIR/$1 already exists. Everything from the first "#"
# on a line is discarded (cut -d'#' -f1), whether or not it is a comment.
# A missing source file yields an empty $TMP_DIR/$1.
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
    local fname

    if [ ! -f $TMP_DIR/$1 ]; then
        [ $# = 1 ] && fname=$(find_file $1) || fname=$2

        if [ -f $fname ]; then
            read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1
        else
            > $TMP_DIR/$1
        fi
    fi
}

#
# Strip the passed file.
#
# Return success if
# a) the stripped file is non-empty and the library was successfully loaded; or
# b) the stripped file is empty but the library had been loaded previously
#
strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
{
    local f
    f=$(find_file $1)

    strip_file $1 $f

    if [ -s $TMP_DIR/$1 ]; then
        lib_load $2 "A non-empty $1 file ($f)"
        return 0
    fi

    # Empty file: succeed only if LIB_<name>_LOADED was already set.
    eval test -n \"\$LIB_${2}_LOADED\"
}

#
# Check that a mark value or mask is less that 256 or that it is less than 65536 and
# that it's lower 8 bits are zero.
#
# Values >= 256 are only accepted when HIGH_ROUTE_MARKS is set. A value
# starting with "0" is evaluated with $((...)), so "0x.." and leading-zero
# (octal) forms are accepted there. Anything else is a fatal_error.
#
verify_mark() # $1 = value to test
{
    verify_mark2() {
        case $1 in
            0*)
                [ $(($1)) -lt 256 ] && return 0
                [ -n "$HIGH_ROUTE_MARKS" ] || return 1
                [ $(($1)) -gt 65535 ] && return 1
                # Non-zero (failure) iff any of the low 8 bits is set.
                return $(($1 & 0xFF))
                ;;
            [1-9]*)
                [ $1 -lt 256 ] && return 0
                [ -n "$HIGH_ROUTE_MARKS" ] || return 1
                [ $1 -gt 65535 ] && return 1
                return $(($1 & 0xFF))
                ;;
            *)
                return 2
                ;;
        esac
    }

    verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1"
}

#
# Determine the value for a parameter that defaults to Yes
#
# Echoes "Yes" for an empty value or any case of "yes", "" for any case of
# "no"; anything else is a startup_error naming the parameter.
# (Function body continues past the end of this chunk.)
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
    local val
    val="$2"

    if [ -z "$val" ]; then
        echo "Yes"
    else
        case $val in
            [Yy][Ee][Ss])
                echo "Yes"
                ;;
            [Nn][Oo])
                echo ""
                ;;
            *)
                startup_error "Invalid value ($val) for $1"