fwbuilder/test/pf/firewall.fw.orig

#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_pf v5.0.0.3547
#
#  Generated Fri Jun  3 17:49:13 2011 PDT by vadim
#
# files: * firewall.fw /etc/pf.fw
# files:   firewall.conf /etc/pf.conf
#
# Compiled for pf 
#
# this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule

# firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)'  below it
# firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)'  below it
# firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)'  below it
# firewall:Policy:3: warning: Changing rule direction due to self reference
# firewall:Policy:18: warning: Changing rule direction due to self reference



FWDIR=`dirname $0`

IFCONFIG="/sbin/ifconfig"
PFCTL="/sbin/pfctl"
SYSCTL="/sbin/sysctl"
LOGGER="/usr/bin/logger"

log() {
    echo "$1"
    command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
        # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}


missing_address() {
    address=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    if echo "$addr" | grep -q ':'
    then
        inet="inet6"
        addr=$(echo "$addr" | sed 's!/! prefixlen !')
    else
        inet="inet"
        addr=$(echo "$addr" | sed 's!/! netmask !')
    fi

    parameter=""
    test "$cmd" = "add" && {
      echo "# Adding ip address: $interface $addr"
      parameter="alias"
    }
    test "$cmd" = "del" && {
      echo "# Removing ip address: $interface $addr"
      parameter="delete"
    }

    $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1
    $FWBDEBUG $IFCONFIG $interface up
}

list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3

    scope_regex="1"
    if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi

    $IFCONFIG $interface | sed "s/%$interface//" | \
      awk -v IGNORED="$ignore_list" \
        "BEGIN {  
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
        while read addr; do
          echo "${addr}@$interface"
        done | sort
   
}

update_addresses_of_interface() {
    ignore_list=$2
    set $1 
    interface=$1 
    shift

    FWB_ADDRS=$(
      for addr in $*; do
        echo "${addr}@$interface"
      done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    $IFCONFIG $interface >/dev/null 2>&1 && {
      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
    } || {
      echo "# Interface $interface does not exist"
      # Stop the script if we are not in test mode
      test -z "$FWBDEBUG" && exit 1
    }


    echo "$interface" | grep -q carp && {
        diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
        diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    } || {
        diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
        diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
    }
}

verify_interfaces() {
    :
    
}

set_kernel_vars() {
    :
    $SYSCTL -w net.inet.ip.directed-broadcast=0
    $SYSCTL -w net.inet.ip.forwarding=1

    $SYSCTL -w net.inet.ip.sourceroute=0
    $SYSCTL -w net.inet.ip.redirect=0
}

prolog_commands() {
    :
    echo 'This is prolog script'
}

epilog_commands() {
    :
    
}

run_epilog_and_exit() {
    epilog_commands
    exit $1
}

configure_interfaces() {
    :
    update_addresses_of_interface "eth0 192.168.1.1/0xffffff00" ""
    update_addresses_of_interface "eth1 222.222.222.222/0xffffff00" ""
    update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}

log "Activating firewall script generated Fri Jun  3 17:49:13 2011 by vadim"

set_kernel_vars
configure_interfaces
prolog_commands

$PFCTL    -f /etc/pf.conf || exit 1





epilog_commands