mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 10:17:16 +01:00
100dca74bb
branch, running tests. Making sure rules that have firewall object in ODst and interface columnblank end up with rdr command without "on interface" clause as before.
191 lines
4.9 KiB
Bash
Executable File
191 lines
4.9 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This is automatically generated file. DO NOT MODIFY !
|
|
#
|
|
# Firewall Builder fwb_pf v4.2.0.3480
|
|
#
|
|
# Generated Thu Feb 17 11:46:53 2011 PST by vadim
|
|
#
|
|
# files: * firewall40-1.fw /etc/firewall40-1.fw
|
|
# files: firewall40-1.conf /etc/firewall40-1.conf
|
|
# files: firewall40-1-routes.conf /etc/firewall40-1-routes.conf
|
|
#
|
|
# Compiled for pf
|
|
#
|
|
# testing Route action
|
|
# with load balancing
|
|
|
|
# firewall40-1:Policy:9: error: Only one router specified with load balancing for rule action Route: 'route_through'
|
|
# firewall40-1:Policy:10: error: Only one router specified with load balancing for rule action Route: 'route_through'
|
|
# firewall40-1:Policy:11: error: Illegal IP address for next hop
|
|
# firewall40-1:Policy:11: error: Only one router specified with load balancing for rule action Route: 'route_through'
|
|
|
|
# firewall40-1:routes:1: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:1: error: Only one router specified with load balancing for rule action Route: 'route_reply_through'
|
|
# firewall40-1:routes:2: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:2: error: Only one router specified with load balancing for rule action Route: 'route_copy_through'
|
|
# firewall40-1:routes:6: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:6: error: More than one router specified without load balancing for rule action Route: 'route_through'
|
|
# firewall40-1:routes:7: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:8: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:9: error: Interface specification is required for action Route.
|
|
# firewall40-1:routes:10: error: Interface specification is required for action Route.
|
|
|
|
|
|
|
|
FWDIR=`dirname $0`
|
|
|
|
IFCONFIG="/sbin/ifconfig"
|
|
PFCTL="/sbin/pfctl"
|
|
SYSCTL="/sbin/sysctl"
|
|
LOGGER="/usr/bin/logger"
|
|
|
|
log() {
|
|
echo "$1"
|
|
command -v "$LOGGER" &>/dev/null && $LOGGER -p info "$1"
|
|
}
|
|
|
|
diff_intf() {
|
|
func=$1
|
|
list1=$2
|
|
list2=$3
|
|
cmd=$4
|
|
for intf in $list1
|
|
do
|
|
echo $list2 | grep -q $intf || {
|
|
# $vlan is absent in list 2
|
|
$func $intf $cmd
|
|
}
|
|
done
|
|
}
|
|
|
|
|
|
missing_address() {
|
|
address=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $address
|
|
addr=$1
|
|
interface=$2
|
|
IFS=$oldIFS
|
|
|
|
if echo "$addr" | grep -q ':'
|
|
then
|
|
inet="inet6"
|
|
addr=$(echo "$addr" | sed 's!/! prefixlen !')
|
|
else
|
|
inet="inet"
|
|
addr=$(echo "$addr" | sed 's!/! netmask !')
|
|
fi
|
|
|
|
parameter=""
|
|
test "$cmd" = "add" && {
|
|
echo "# Adding ip address: $interface $addr"
|
|
parameter="alias"
|
|
}
|
|
test "$cmd" = "del" && {
|
|
echo "# Removing ip address: $interface $addr"
|
|
parameter="delete"
|
|
}
|
|
|
|
$FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
|
|
$FWBDEBUG $IFCONFIG $interface up
|
|
}
|
|
|
|
list_addresses_by_scope() {
|
|
interface=$1
|
|
scope=$2
|
|
ignore_list=$3
|
|
|
|
scope_regex="1"
|
|
if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
|
|
|
|
$IFCONFIG $interface | sed "s/%$interface//" | \
|
|
awk -v IGNORED="$ignore_list" \
|
|
"BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
|
|
while read addr; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
|
|
}
|
|
|
|
update_addresses_of_interface() {
|
|
ignore_list=$2
|
|
set $1
|
|
interface=$1
|
|
shift
|
|
|
|
FWB_ADDRS=$(
|
|
for addr in $*; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
)
|
|
|
|
CURRENT_ADDRS_ALL_SCOPES=""
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
|
|
|
$IFCONFIG $interface >/dev/null 2>&1 && {
|
|
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
|
|
} || {
|
|
echo "# Interface $interface does not exist"
|
|
# Stop the script if we are not in test mode
|
|
test -z "$FWBDEBUG" && exit 1
|
|
}
|
|
|
|
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
|
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
|
}
|
|
|
|
verify_interfaces() {
|
|
:
|
|
|
|
}
|
|
|
|
set_kernel_vars() {
|
|
:
|
|
$SYSCTL -w net.inet.ip.forwarding=1
|
|
}
|
|
|
|
prolog_commands() {
|
|
:
|
|
|
|
}
|
|
|
|
epilog_commands() {
|
|
:
|
|
|
|
}
|
|
|
|
run_epilog_and_exit() {
|
|
epilog_commands
|
|
exit $1
|
|
}
|
|
|
|
configure_interfaces() {
|
|
:
|
|
update_addresses_of_interface "fxp0 192.168.1.1/0xffffff00" ""
|
|
update_addresses_of_interface "le1 192.0.2.1/0xffffff00" ""
|
|
update_addresses_of_interface "le2 192.0.3.1/0xffffff00" ""
|
|
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
|
|
}
|
|
|
|
log "Activating firewall script generated Thu Feb 17 11:46:53 2011 by vadim"
|
|
|
|
set_kernel_vars
|
|
configure_interfaces
|
|
prolog_commands
|
|
|
|
$PFCTL -f /etc/firewall40-1.conf || exit 1
|
|
|
|
|
|
|
|
|
|
|
|
epilog_commands |