WebSVN – configs – Blame – /firewall/etc/rc.d/init.d/ip6tables

Rev	Author	Line No.	Line
3	-	1	`#!/bin/sh`
		2	`#`
		3	`# ip6tables Start ip6tables firewall`
		4	`#`
		5	`# chkconfig: 2345 08 92`
		6	`# description: Starts, stops and saves ip6tables firewall`
		7	`#`
		8	`# config: /etc/sysconfig/ip6tables`
		9	`# config: /etc/sysconfig/ip6tables-config`
		10	`#`
		11	`### BEGIN INIT INFO`
		12	`# Provides: ip6tables`
		13	`# Required-Start:`
		14	`# Required-Stop:`
		15	`# Default-Start: 2 3 4 5`
		16	`# Default-Stop: 0 1 6`
		17	`# Short-Description: start and stop ip6tables firewall`
		18	`# Description: Start, stop and save ip6tables firewall`
		19	`### END INIT INFO`
		20
		21	`# Source function library.`
		22	`. /etc/init.d/functions`
		23
		24	`IP6TABLES=ip6tables`
		25	`IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES`
		26	`IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback`
		27	`IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config`
		28	`IPV=${IP6TABLES%tables} # ip for ipv4 \| ip6 for ipv6`
		29	`[ "$IPV" = "ip" ] && _IPV="ipv4" \|\| _IPV="ipv6"`
		30	`PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names`
		31	`VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES`
		32
		33	`# only usable for root`
33	-	34	`if [ $EUID != 0 ]; then`
		35	`echo -n $"${IP6TABLES}: Only usable by root."; warning; echo`
		36	`exit 4`
		37	`fi`
3	-	38
		39	`if [ ! -x /sbin/$IP6TABLES ]; then`
		40	`echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo`
		41	`exit 5`
		42	`fi`
		43
		44	`# Old or new modutils`
		45	`/sbin/modprobe --version 2>&1 \| grep -q module-init-tools \`
		46	`&& NEW_MODUTILS=1 \`
		47	`\|\| NEW_MODUTILS=0`
		48
		49	`# Default firewall configuration:`
		50	`IP6TABLES_MODULES=""`
		51	`IP6TABLES_MODULES_UNLOAD="yes"`
		52	`IP6TABLES_SAVE_ON_STOP="no"`
		53	`IP6TABLES_SAVE_ON_RESTART="no"`
		54	`IP6TABLES_SAVE_COUNTER="no"`
		55	`IP6TABLES_STATUS_NUMERIC="yes"`
		56	`IP6TABLES_STATUS_VERBOSE="no"`
		57	`IP6TABLES_STATUS_LINENUMBERS="yes"`
		58	`IP6TABLES_SYSCTL_LOAD_LIST=""`
		59
		60	`# Load firewall configuration.`
		61	`[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG"`
		62
		63	`# Netfilter modules`
		64	`NF_MODULES=($(lsmod \| awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)`
		65	`NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6`
		66
		67	`# Get active tables`
		68	`NF_TABLES=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)`
		69
		70
		71	`rmmod_r() {`
		72	`# Unload module with all referring modules.`
		73	`# At first all referring modules will be unloaded, then the module itself.`
		74	`local mod=$1`
		75	`local ret=0`
		76	`local ref=`
		77
		78	`# Get referring modules.`
		79	`# New modutils have another output format.`
		80	`[ $NEW_MODUTILS = 1 ] \`
		81	`&& ref=$(lsmod \| awk "/^${mod}/ { print \$4; }" \| tr ',' ' ') \`
		82	`\|\| ref=$(lsmod \| grep ^${mod} \| cut -d "[" -s -f 2 \| cut -d "]" -s -f 1)`
		83
		84	`# recursive call for all referring modules`
		85	`for i in $ref; do`
		86	`rmmod_r $i`
		87	`let ret+=$?;`
		88	`done`
		89
		90	`# Unload module.`
		91	`# The extra test is for 2.6: The module might have autocleaned,`
		92	`# after all referring modules are unloaded.`
		93	`if grep -q "^${mod}" /proc/modules ; then`
		94	`modprobe -r $mod > /dev/null 2>&1`
		95	`res=$?`
		96	`[ $res -eq 0 ] \|\| echo -n " $mod"`
		97	`let ret+=$res;`
		98	`fi`
		99
		100	`return $ret`
		101	`}`
		102
		103	`flush_n_delete() {`
		104	`# Flush firewall rules and delete chains.`
		105	`[ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0`
		106
		107	`# Check if firewall is configured (has tables)`
		108	`[ -z "$NF_TABLES" ] && return 1`
		109
		110	`echo -n $"${IP6TABLES}: Flushing firewall rules: "`
		111	`ret=0`
		112	`# For all tables`
		113	`for i in $NF_TABLES; do`
		114	`# Flush firewall rules.`
		115	`$IP6TABLES -t $i -F;`
		116	`let ret+=$?;`
		117
		118	`# Delete firewall chains.`
		119	`$IP6TABLES -t $i -X;`
		120	`let ret+=$?;`
		121
		122	`# Set counter to zero.`
		123	`$IP6TABLES -t $i -Z;`
		124	`let ret+=$?;`
		125	`done`
		126
		127	`[ $ret -eq 0 ] && success \|\| failure`
		128	`echo`
		129	`return $ret`
		130	`}`
		131
		132	`set_policy() {`
		133	`# Set policy for configured tables.`
		134	`policy=$1`
		135
		136	`# Check if iptable module is loaded`
		137	`[ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0`
		138
		139	`# Check if firewall is configured (has tables)`
		140	`tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)`
		141	`[ -z "$tables" ] && return 1`
		142
		143	`echo -n $"${IP6TABLES}: Setting chains to policy $policy: "`
		144	`ret=0`
		145	`for i in $tables; do`
		146	`echo -n "$i "`
		147	`case "$i" in`
		148	`raw)`
		149	`$IP6TABLES -t raw -P PREROUTING $policy \`
		150	`&& $IP6TABLES -t raw -P OUTPUT $policy \`
		151	`\|\| let ret+=1`
		152	`;;`
		153	`filter)`
		154	`$IP6TABLES -t filter -P INPUT $policy \`
		155	`&& $IP6TABLES -t filter -P OUTPUT $policy \`
		156	`&& $IP6TABLES -t filter -P FORWARD $policy \`
		157	`\|\| let ret+=1`
		158	`;;`
		159	`nat)`
		160	`$IP6TABLES -t nat -P PREROUTING $policy \`
		161	`&& $IP6TABLES -t nat -P POSTROUTING $policy \`
		162	`&& $IP6TABLES -t nat -P OUTPUT $policy \`
		163	`\|\| let ret+=1`
		164	`;;`
		165	`mangle)`
		166	`$IP6TABLES -t mangle -P PREROUTING $policy \`
		167	`&& $IP6TABLES -t mangle -P POSTROUTING $policy \`
		168	`&& $IP6TABLES -t mangle -P INPUT $policy \`
		169	`&& $IP6TABLES -t mangle -P OUTPUT $policy \`
		170	`&& $IP6TABLES -t mangle -P FORWARD $policy \`
		171	`\|\| let ret+=1`
		172	`;;`
128	-	173	`security)`
		174	`# Ignore the security table`
		175	`;;`
3	-	176	`*)`
		177	`let ret+=1`
		178	`;;`
		179	`esac`
		180	`done`
		181
		182	`[ $ret -eq 0 ] && success \|\| failure`
		183	`echo`
		184	`return $ret`
		185	`}`
		186
		187	`load_sysctl() {`
		188	`# load matched sysctl values`
		189	`if [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ]; then`
		190	`echo -n $"Loading sysctl settings: "`
		191	`ret=0`
		192	`for item in $IP6TABLES_SYSCTL_LOAD_LIST; do`
128	-	193	`fgrep -hs $item /etc/sysctl.conf /etc/sysctl.d/*.conf \| sysctl -p - >/dev/null`
3	-	194	`let ret+=$?;`
		195	`done`
		196	`[ $ret -eq 0 ] && success \|\| failure`
		197	`echo`
		198	`fi`
		199	`return $ret`
		200	`}`
		201
		202	`start() {`
		203	`# Do not start if there is no config file.`
33	-	204	`if [ ! -f "$IP6TABLES_DATA" ]; then`
		205	`echo -n $"${IP6TABLES}: No config file."; warning; echo`
		206	`return 6`
		207	`fi`
3	-	208
		209	`# check if ipv6 module load is deactivated`
		210	`if [ "${_IPV}" = "ipv6" ] \`
		211	`&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true\|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then`
		212	`echo $"${IP6TABLES}: ${_IPV} is disabled."`
		213	`return 150`
		214	`fi`
		215
		216	`echo -n $"${IP6TABLES}: Applying firewall rules: "`
		217
		218	`OPT=`
		219	`[ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"`
		220
		221	`$IP6TABLES-restore $OPT $IP6TABLES_DATA`
		222	`if [ $? -eq 0 ]; then`
		223	`success; echo`
		224	`else`
		225	`failure; echo;`
		226	`if [ -f "$IP6TABLES_FALLBACK_DATA" ]; then`
		227	`echo -n $"${IP6TABLES}: Applying firewall fallback rules: "`
		228	`$IP6TABLES-restore $OPT $IP6TABLES_FALLBACK_DATA`
		229	`if [ $? -eq 0 ]; then`
		230	`success; echo`
		231	`else`
		232	`failure; echo; return 1`
		233	`fi`
		234	`else`
		235	`return 1`
		236	`fi`
		237	`fi`
		238
		239	`# Load additional modules (helpers)`
		240	`if [ -n "$IP6TABLES_MODULES" ]; then`
		241	`echo -n $"${IP6TABLES}: Loading additional modules: "`
		242	`ret=0`
		243	`for mod in $IP6TABLES_MODULES; do`
		244	`echo -n "$mod "`
		245	`modprobe $mod > /dev/null 2>&1`
		246	`let ret+=$?;`
		247	`done`
		248	`[ $ret -eq 0 ] && success \|\| failure`
		249	`echo`
		250	`fi`
		251
		252	`# Load sysctl settings`
		253	`load_sysctl`
		254
		255	`touch $VAR_SUBSYS_IP6TABLES`
		256	`return $ret`
		257	`}`
		258
		259	`stop() {`
		260	`# Do not stop if ip6tables module is not loaded.`
		261	`[ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0`
		262
		263	`# Set default chain policy to ACCEPT, in order to not break shutdown`
		264	`# on systems where the default policy is DROP and root device is`
		265	`# network-based (i.e.: iSCSI, NFS)`
		266	`set_policy ACCEPT`
		267	`# And then, flush the rules and delete chains`
		268	`flush_n_delete`
		269
		270	`if [ "x$IP6TABLES_MODULES_UNLOAD" = "xyes" ]; then`
		271	`echo -n $"${IP6TABLES}: Unloading modules: "`
		272	`ret=0`
		273	`for mod in ${NF_MODULES[*]}; do`
		274	`rmmod_r $mod`
		275	`let ret+=$?;`
		276	`done`
		277	`# try to unload remaining netfilter modules used by ipv4 and ipv6`
		278	`# netfilter`
		279	`for mod in ${NF_MODULES_COMMON[*]}; do`
		280	`rmmod_r $mod >/dev/null`
		281	`done`
		282	`[ $ret -eq 0 ] && success \|\| failure`
		283	`echo`
		284	`fi`
		285
		286	`rm -f $VAR_SUBSYS_IP6TABLES`
		287	`return $ret`
		288	`}`
		289
		290	`save() {`
		291	`# Check if iptable module is loaded`
33	-	292	`if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then`
		293	`echo -n $"${IP6TABLES}: Nothing to save."; warning; echo`
		294	`return 0`
		295	`fi`
3	-	296
		297	`# Check if firewall is configured (has tables)`
33	-	298	`if [ -z "$NF_TABLES" ]; then`
		299	`echo -n $"${IP6TABLES}: Nothing to save."; warning; echo`
		300	`return 6`
		301	`fi`
3	-	302
		303	`echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: "`
		304
		305	`OPT=`
		306	`[ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"`
		307
		308	`ret=0`
		309	`TMP_FILE=$(/bin/mktemp -q $IP6TABLES_DATA.XXXXXX) \`
		310	`&& chmod 600 "$TMP_FILE" \`
		311	`&& $IP6TABLES-save $OPT > $TMP_FILE 2>/dev/null \`
		312	`&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \`
		313	`\|\| ret=1`
		314	`if [ $ret -eq 0 ]; then`
		315	`if [ -e $IP6TABLES_DATA ]; then`
		316	`cp -f $IP6TABLES_DATA $IP6TABLES_DATA.save \`
		317	`&& chmod 600 $IP6TABLES_DATA.save \`
		318	`&& restorecon $IP6TABLES_DATA.save \`
		319	`\|\| ret=1`
		320	`fi`
		321	`if [ $ret -eq 0 ]; then`
		322	`mv -f $TMP_FILE $IP6TABLES_DATA \`
		323	`&& chmod 600 $IP6TABLES_DATA \`
		324	`&& restorecon $IP6TABLES_DATA \`
		325	`\|\| ret=1`
		326	`fi`
		327	`fi`
		328	`rm -f $TMP_FILE`
		329	`[ $ret -eq 0 ] && success \|\| failure`
		330	`echo`
		331	`return $ret`
		332	`}`
		333
		334	`status() {`
		335	`if [ ! -f "$VAR_SUBSYS_IP6TABLES" -a -z "$NF_TABLES" ]; then`
		336	`echo $"${IP6TABLES}: Firewall is not running."`
		337	`return 3`
		338	`fi`
		339
		340	`# Do not print status if lockfile is missing and ip6tables modules are not`
		341	`# loaded.`
		342	`# Check if iptable modules are loaded`
		343	`if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then`
		344	`echo $"${IP6TABLES}: Firewall modules are not loaded."`
		345	`return 3`
		346	`fi`
		347
		348	`# Check if firewall is configured (has tables)`
		349	`if [ -z "$NF_TABLES" ]; then`
		350	`echo $"${IP6TABLES}: Firewall is not configured. "`
		351	`return 3`
		352	`fi`
		353
		354	`NUM=`
		355	`[ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"`
		356	`VERBOSE=`
		357	`[ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"`
		358	`COUNT=`
		359	`[ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"`
		360
		361	`for table in $NF_TABLES; do`
		362	`echo $"Table: $table"`
		363	`$IP6TABLES -t $table --list $NUM $VERBOSE $COUNT && echo`
		364	`done`
		365
		366	`return 0`
		367	`}`
		368
		369	`reload() {`
		370	`# Do not reload if there is no config file.`
33	-	371	`if [ ! -f "$IP6TABLES_DATA" ]; then`
		372	`echo -n $"${IP6TABLES}: No config file."; warning; echo`
		373	`return 6`
		374	`fi`
3	-	375
		376	`# check if ipv6 module load is deactivated`
		377	`if [ "${_IPV}" = "ipv6" ] \`
		378	`&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true\|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then`
		379	`echo $"${IP6TABLES}: ${_IPV} is disabled."`
		380	`return 150`
		381	`fi`
		382
		383	`echo -n $"${IP6TABLES}: Trying to reload firewall rules: "`
		384
		385	`OPT=`
		386	`[ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"`
		387
		388	`$IP6TABLES-restore $OPT $IP6TABLES_DATA`
		389	`if [ $? -eq 0 ]; then`
		390	`success; echo`
		391	`else`
		392	`failure; echo; echo "Firewall rules are not changed."; return 1`
		393	`fi`
		394
		395	`# Load additional modules (helpers)`
		396	`if [ -n "$IP6TABLES_MODULES" ]; then`
		397	`echo -n $"${IP6TABLES}: Loading additional modules: "`
		398	`ret=0`
		399	`for mod in $IP6TABLES_MODULES; do`
		400	`echo -n "$mod "`
		401	`modprobe $mod > /dev/null 2>&1`
		402	`let ret+=$?;`
		403	`done`
		404	`[ $ret -eq 0 ] && success \|\| failure`
		405	`echo`
		406	`fi`
		407
		408	`# Load sysctl settings`
		409	`load_sysctl`
		410
		411	`return $ret`
		412	`}`
		413
		414	`restart() {`
		415	`[ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ] && save`
		416	`stop`
		417	`start`
		418	`}`
		419
		420
		421	`case "$1" in`
		422	`start)`
		423	`[ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0`
		424	`start`
		425	`RETVAL=$?`
		426	`;;`
		427	`stop)`
		428	`[ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ] && save`
		429	`stop`
		430	`RETVAL=$?`
		431	`;;`
		432	`restart\|force-reload)`
		433	`restart`
		434	`RETVAL=$?`
		435	`;;`
		436	`reload)`
		437	`[ -e "$VAR_SUBSYS_IP6TABLES" ] && reload`
		438	`RETVAL=$?`
		439	`;;`
		440	`condrestart\|try-restart)`
		441	`[ ! -e "$VAR_SUBSYS_IP6TABLES" ] && exit 0`
		442	`restart`
		443	`RETVAL=$?`
		444	`;;`
		445	`status)`
		446	`status`
		447	`RETVAL=$?`
		448	`;;`
		449	`panic)`
		450	`set_policy DROP`
		451	`RETVAL=$?`
		452	`;;`
		453	`save)`
		454	`save`
		455	`RETVAL=$?`
		456	`;;`
		457	`*)`
		458	`echo $"Usage: ${IP6TABLES} {start\|stop\|reload\|restart\|condrestart\|status\|panic\|save}"`
		459	`RETVAL=2`
		460	`;;`
		461	`esac`
		462
		463	`exit $RETVAL`

Subversion Repositories configs

(root)/firewall/etc/rc.d/init.d/ip6tables – Rev 128