* FIX script aborts if nonexistent devices are in the script argument
authormitty <mitty@7d2118f6-f56c-43e7-95a2-4bb3031d96e7>
Sat, 4 Jul 2009 21:07:21 +0000 (21:07 +0000)
committermitty <mitty@7d2118f6-f56c-43e7-95a2-4bb3031d96e7>
Sat, 4 Jul 2009 21:07:21 +0000 (21:07 +0000)
 * setfilter
   * set network filters with iptables from custom rule files in /etc/ufw/*

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@9 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

iptables/setfilter [new file with mode: 0644]
iptables/setnapt.sh

diff --git a/iptables/setfilter b/iptables/setfilter
new file mode 100644 (file)
index 0000000..4b31e85
--- /dev/null
@@ -0,0 +1,105 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides:          setfilter
+# Required-Start:    ufw
+# Required-Stop:     
+# Default-Start:     S
+# Default-Stop:      
+# Short-Description: set network filters with iptables
+### END INIT INFO
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+
+. /lib/lsb/init-functions
+
+if [ -s /etc/ufw/ufw.conf ]; then
+    . /etc/ufw/ufw.conf
+else
+    log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
+    exit 1
+fi
+
+RULES_PATH="/etc/ufw"
+
+case "$1" in
+start)
+    if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
+        # if firewall loaded, tell to reload instead
+        log_action_msg "Network filter already started, use 'force-reload'"
+        exit 0
+    fi
+    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+        log_action_begin_msg "Setting network filter"
+        error=""
+        
+        tables="raw mangle"
+        for table in $tables
+        do
+            RULES="$RULES_PATH/$table.rules"
+            
+            #flush the chains
+            iptables -F -t $table || error="yes"
+            iptables -X -t $table || error="yes"
+            
+            if [ -s "$RULES" ]; then
+                if ! iptables-restore -n < $RULES ; then
+                    log_action_cont_msg "Problem running '$RULES'"
+                    error="yes"
+                fi
+            else
+                log_action_cont_msg "Couldn't find '$RULES'"
+            fi
+        done
+    
+        if [ "$error" = "yes" ]; then
+            log_action_end_msg 1
+            exit 1
+        else
+            log_action_end_msg 0
+        fi
+    else
+        log_action_begin_msg "Skipping network filter (not enabled)"
+        log_action_end_msg 0
+    fi
+    ;;
+stop)
+    if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then
+        log_action_begin_msg "Skipping network filter (not enabled)"
+        log_action_end_msg 0
+        exit 0
+    fi
+    
+    log_action_begin_msg "Stopping network filter"
+    error=""
+    
+    tables="raw mangle"
+    for table in $tables
+    do
+        iptables -F -t $table || error="yes"
+        iptables -X -t $table || error="yes"
+    done
+    
+    if [ "$error" = "yes" ]; then
+        log_action_end_msg 1
+        exit 1
+    else
+        log_action_end_msg 0
+    fi
+    ;;
+restart|force-reload)
+    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+        $0 stop
+        $0 start
+    else
+        log_warning_msg "Skipping $1 (not enabled)"
+    fi
+    ;;
+*)
+    echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}"
+    exit 1
+    ;;
+esac
+
+exit 0
+
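Review bot: In the `start` branch each table is flushed (`iptables -F`/`-X` at the top of the `for table` loop) before the rules file is checked, and the `Couldn't find '$RULES'` branch never sets `error`, so a missing or empty `/etc/ufw/raw.rules` or `mangle.rules` leaves that table emptied while the script still finishes with `log_action_end_msg 0`. For a filter-loading script that is a fail-open path; either treat the missing file as a failure by adding `error="yes"` beside the `Couldn't find` message, or move the `[ -s "$RULES" ]` test ahead of the flush so an absent file leaves the existing rules untouched. The "already started" guard only probes for a `LOG_ICMP` chain in the raw table, so it presumably relies on the rule files defining that chain — a comment stating that assumption would help whoever edits the rule files. Minor: quote the redirect as `iptables-restore -n < "$RULES"`.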
index d34ba37..6093f6d 100644 (file)
@@ -42,7 +42,7 @@ for GW in ${GATEWAYS}; do
     IPADDR=`/sbin/ip addr show dev ${GW} | grep -w inet | cut -d t -f 2 | cut -d ' ' -f 2 | cut -d / -f 1`
     if [ -z "${IPADDR}" ]; then
         # device doesn't seem to have an IP address
-        break
+        continue
     fi
     
     ## set masquerade rule to all devices
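Review bot: The address extraction on the `IPADDR=` line stays fragile beyond the nonexistent-device case this commit fixes: `cut -d t -f 2` splits on the letter `t`, and an interface carrying several IPv4 addresses yields a multi-line `IPADDR` that passes the `-z` test and is presumably then spliced into the masquerade rule below. A more robust single line is `IPADDR=$(/sbin/ip -4 -o addr show dev "${GW}" | awk '{print $4}' | cut -d / -f 1 | head -n 1)`, which keeps the `continue` path for missing devices intact. Consider also logging the skipped device name so a mistyped gateway in the script argument is not silently ignored. The enclosing `for GW in ${GATEWAYS}` loop starts and ends outside this hunk.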