#!/bin/bash


# Append the lib directory two levels above this script to the command search
# path. It goes last, so directories already on PATH are searched first.
# ${0%/*} strips the script's file name; if $0 holds no slash it is left as is.
PATH="${PATH}:${0%/*}/../../lib"
export PATH

# Abort the script with a diagnostic on stderr.
# Arguments: the message words
# Outputs:   "<script>:<caller line>: <message>" on stderr
# Returns:   never; exits with status 1
die()
{
	# BASH_LINENO[0] is the line die was called from, not this line.
	printf '%s\n' "$0:${BASH_LINENO[0]}: $*" >&2
	exit 1
}

# Record a test failure in the result file and stop.
# Globals:   outfile (written; any previous content is replaced)
# Arguments: the message words
# Outputs:   "FAIL: <script>:<caller line>: <message>" into $outfile
# Returns:   never; exits with status 1
fail()
{
	printf '%s\n' "FAIL: $0:${BASH_LINENO[0]}: $*" >"$outfile"
	exit 1
}

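# Run a command line and convert its failure into a test failure.
# Arguments: $1   - message to report if the command fails
#            $2.. - the command line; shell operators may be passed escaped
#                   (\> and \|) so that they take effect inside the eval
# Outputs:   nothing on success; stdout and stderr of the command are captured
#            and only used in the failure message
# Returns:   0 on success; on failure calls fail, which exits the script
#
# NOTE(security): the arguments are joined into one string and parsed again by
# eval. Any value a caller expanded beforehand (a file name, for instance) is
# therefore interpreted as shell syntax a second time. Callers must shell-quote
# such values (printf '%q') or pass only fixed words; never hand this function
# text that comes from an untrusted source.
do_or_fail()
{
	local failmsg="$1" output
	shift
	# "$*" rather than an unquoted $@: the unquoted form is word-split and
	# glob-expanded once before eval parses it again, which collapses
	# whitespace inside quoted text and may expand patterns twice.
	output="$(eval "$*" 2>&1)" ||
		fail "$failmsg: $output"
}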

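# "start" step, iptables variant: install a conntrack state match and save
# the resulting rule listing.
# Globals:   statefile (read; the file is created)
# Returns:   0 on success; exits through die or fail otherwise
do_start_ipt()
{
	local state_q

	[ -f "$statefile" ] && die "state file $statefile aleady exists"

	do_or_fail "can't install a state match" \
		iptables -A INPUT \
		-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

	# do_or_fail passes its arguments through eval, so the path is parsed as
	# shell syntax a second time. Shell-quote it first: otherwise a path with
	# spaces breaks the redirection and one with shell metacharacters would be
	# executed as code.
	printf -v state_q '%q' "$statefile"
	do_or_fail "can't list the loaded iptables" \
		iptables -L \> "$state_q"
}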

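# "stop" step, iptables variant: compare the current rule listing with the one
# saved in the state file and report the result.
# Globals:   statefile (read; the file is removed), outfile (written)
# Outputs:   "PASS" into $outfile when the listings are identical
# Returns:   0 on success; exits through fail when the listings differ
do_stop_ipt()
{
	local state_q

	# do_or_fail passes its arguments through eval, so the path is parsed as
	# shell syntax a second time; shell-quote it so that spaces or
	# metacharacters in the path stay part of the file name.
	printf -v state_q '%q' "$statefile"
	do_or_fail "can't compare the iptables" \
		iptables -L \| diff -u "$state_q" -

	rm -f -- "$statefile"

	# Quoted: an unquoted redirection target that splits into several words
	# is rejected by bash as an ambiguous redirect.
	echo "PASS" > "$outfile"
}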

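# "start" step, nftables variant: install a conntrack state match and save
# the resulting ruleset listing.
# Globals:   statefile (read; the file is created)
# Returns:   0 on success; exits through die or fail otherwise
do_start_nft()
{
	local state_q

	[ -f "$statefile" ] && die "state file $statefile aleady exists"

	do_or_fail "can't install a state match" \
		nft add rule filter INPUT \
		ct state related,established accept

	# do_or_fail passes its arguments through eval, so the path is parsed as
	# shell syntax a second time. Shell-quote it first: otherwise a path with
	# spaces breaks the redirection and one with shell metacharacters would be
	# executed as code.
	printf -v state_q '%q' "$statefile"
	do_or_fail "can't list the loaded nftables" \
		nft list ruleset \> "$state_q"
}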

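# "stop" step, nftables variant: compare the current ruleset listing with the
# one saved in the state file and report the result.
# Globals:   statefile (read; the file is removed), outfile (written)
# Outputs:   "PASS" into $outfile when the listings are identical
# Returns:   0 on success; exits through fail when the listings differ
do_stop_nft()
{
	local state_q

	# do_or_fail passes its arguments through eval, so the path is parsed as
	# shell syntax a second time; shell-quote it so that spaces or
	# metacharacters in the path stay part of the file name.
	printf -v state_q '%q' "$statefile"
	do_or_fail "can't compare the nftables" \
		nft list ruleset \| diff -u "$state_q" -

	rm -f -- "$statefile"

	# Quoted: an unquoted redirection target that splits into several words
	# is rejected by bash as an ambiguous redirect.
	echo "PASS" > "$outfile"
}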

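# Run the "start" step with nftables when an executable nft is found on PATH,
# otherwise with iptables.
# Returns:   the status of the variant that was run
do_start()
{
	# An explicit if/else: with "test && nft || ipt" the iptables variant
	# would also run whenever the nftables variant returned non-zero,
	# touching both rule sets in one invocation.
	if [ -x "$(command -v nft)" ]; then
		do_start_nft
	else
		do_start_ipt
	fi
}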

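# Run the "stop" step with nftables when an executable nft is found on PATH,
# otherwise with iptables.
# Returns:   the status of the variant that was run
do_stop()
{
	# An explicit if/else: with "test && nft || ipt" the iptables variant
	# would also run whenever the nftables variant returned non-zero (for
	# example when writing the result file fails), comparing a listing from
	# one tool against a state file written by the other.
	if [ -x "$(command -v nft)" ]; then
		do_stop_nft
	else
		do_stop_ipt
	fi
}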

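# Parse the command line: statefile and outfile are required flags, start and
# stop are optional ones. "$0" is quoted so that a script path containing
# spaces is passed to the parser as a single --name value.
tmpargs="$(../lib/parseargs.sh --name="$0" \
		--flags-req=statefile,outfile \
		--flags-opt="start,stop" -- "$@")" ||
	die "can't parse command line"
# NOTE(review): eval runs whatever parseargs.sh printed, so that helper must
# quote the values it emits. Presumably this sets $statefile, $outfile and the
# positional action; confirm against parseargs.sh.
eval "$tmpargs"

[ -f "$outfile" ] && die "out file $outfile aleady exists"

# expect "start" or "stop"
# Dispatch only to the two documented actions. An unchecked "do_$1" would call
# any other do_* function, or a command of that name found on PATH.
case "${1-}" in
	start|stop)
		"do_$1"
		;;
	*)
		die "unknown action '${1-}' (expected start or stop)"
		;;
esac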