-
Notifications
You must be signed in to change notification settings - Fork 2
/
iptables.init
executable file
·94 lines (82 loc) · 2 KB
/
iptables.init
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
#!/bin/sh /etc/rc.common
# Copyright 2013-2017 Josh Cepek <josh.cepek AT usa.net>
# Licensed under the GPL version 3
NAME=iptables
BIN_RESTORE4=/usr/sbin/iptables-restore
BIN_RESTORE6=/usr/sbin/ip6tables-restore
START=19
warn() { echo "$1" >&2; }
restore_rules() {
local cfg="$1"
local bin_restore="$2"
[ -x "$bin_restore" ] || {
warn "No restore executable: $bin_restore"
return 0
}
config_get_bool enabled "$cfg" enabled 1
[ "$enabled" -eq 1 ] || return 0
config_get legacy_rules "$cfg" save
config_get format "$cfg" format "raw"
config_get rules "$cfg" rules "$legacy_rules"
config_get prescript "$cfg" pre_script
config_get upscript "$cfg" up_script
config_get_bool destroy "$cfg" destroy 1
config_get_bool counters "$cfg" counters 0
local args=""
[ "$destroy" -eq 0 ] && args="$args -n"
[ "$counters" -eq 1 ] && args="$args -c"
case "$format" in
raw|gz|xz)
;;
cmd)
[ -x "$rules" ] || {
warn "Skipping section due to non-executable command rules: $rules"
return 0
}
;;
*)
warn "No rules specified; skipping this section"
return 0
esac
if [ ! -r "$rules" ]; then
warn "Skipping section due to rules file not readable: $rules"
return 0
fi
export rules format prescript upscript destroy counters
script_run "$prescript" "prescript" || return 0
{
case "$format" in
gz) gzip -dc "$rules" ;;
xz) xz -dc "$rules" ;;
raw) cat "$rules" ;;
cmd) "$rules" ;;
esac
} | "$bin_restore" $args || {
warn "Failed to restore rules from: $rules"
}
script_run "$upscript" "upscript"
return 0
}
script_run() {
local _script="$1"
local _name="$2"
[ -x "$_script" ] || return 0
"$_script" || {
warn "$_name failed: $_script"
return 1
}
return 0
}
start() {
echo "$NAME init: loading Netfilter rulesets"
config_load iptables
config_foreach restore_rules iptables "$BIN_RESTORE4"
config_foreach restore_rules ip6tables "$BIN_RESTORE6"
}
stop() {
echo "$NAME init: WARNING: there is no built-in stop feature. This is a no-op."
return 1
}
restart() {
start
}