onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pf/firewall91.fw.orig
Vadim Kurland 100dca74bb * NATCompiler_pf.cpp (processNext): see #133. MErged code from the 
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
2011-02-17 11:50:14 -08:00

256 lines
5.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3480
#
# Generated Thu Feb 17 11:47:01 2011 PST by vadim
#
# files: * firewall91.fw /etc/fw/pf.fw
# files: firewall91.conf /etc/fw/pf.conf
#
# Compiled for pf
#
FWDIR=`dirname $0`
IFCONFIG="/sbin/ifconfig"
PFCTL="/sbin/pfctl"
SYSCTL="/sbin/sysctl"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
command -v "$LOGGER" &>/dev/null && $LOGGER -p info "$1"
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
if echo "$addr" | grep -q ':'
then
inet="inet6"
addr=$(echo "$addr" | sed 's!/! prefixlen !')
else
inet="inet"
addr=$(echo "$addr" | sed 's!/! netmask !')
fi
parameter=""
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
parameter="alias"
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
parameter="delete"
}
$FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
$FWBDEBUG $IFCONFIG $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
scope_regex="1"
if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
$IFCONFIG $interface | sed "s/%$interface//" | \
awk -v IGNORED="$ignore_list" \
"BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IFCONFIG $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
missing_vlan() {
vlan=$1
cmd=$2
oldIFS=$IFS
IFS="@:"
set $vlan
subint=$1
vlan_id=$2
parent=$3
IFS=$oldIFS
test "$cmd" = "add" && {
echo "# Adding VLAN interface $subint (vlan id: $vlan_id parent: $parent)"
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1
$FWBDEBUG $IFCONFIG $subint up || exit 1
}
test "$cmd" = "rem" && {
echo "# Removing VLAN interface $subint (vlan id: $vlan_id parent: $parent)"
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1
$FWBDEBUG $IFCONFIG $subint destroy || exit 1
}
}
parse_fwb_vlans() {
set $1
vlan_parent=$1
shift
FWB_VLANS=$(
for subint in $*; do
echo "${subint}@$vlan_parent"
done | sort
)
echo $FWB_VLANS
}
parse_current_vlans() {
vlan_parent=$1
$IFCONFIG -A | grep -E 'vlan[^ ]*:' | paste - - | \
sed 's/flags=.*vlan://;s/://g;s/parent interface//' | \
while read vlan_subint vlan_id parent
do
test "$parent" = "$vlan_parent" && echo "$vlan_subint:$vlan_id@$parent"
done | sort
}
update_vlans_of_interface() {
args="$1"
set $1
vlan_parent=$1
FWB_VLANS=$(parse_fwb_vlans "$args")
CURRENT_VLANS=$(parse_current_vlans $vlan_parent)
$IFCONFIG $vlan_parent up || exit 1
diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}
sync_vlan_interfaces() {
$IFCONFIG -A | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
}
($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
while read intf; do
echo "# Deleting vlan interface $intf"
$FWBDEBUG $IFCONFIG $intf destroy || exit 1
done
for intf in $*; do
$IFCONFIG $intf >/dev/null 2>&1 || {
echo "# Creating vlan interface $intf"
$FWBDEBUG $IFCONFIG $intf create || exit 1
}
done
}
verify_interfaces() {
:
}
set_kernel_vars() {
:
$SYSCTL -w net.inet.ip.forwarding=1
}
prolog_commands() {
:
}
epilog_commands() {
:
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
sync_vlan_interfaces vlan101 vlan103
update_vlans_of_interface "em0 vlan101:101 vlan103:103"
update_addresses_of_interface "em0 10.1.1.50/0xffffff00" ""
update_addresses_of_interface "pcn0 10.3.14.50/0xffffff00" ""
update_addresses_of_interface "vlan101 10.100.101.1/0xffffff00" ""
update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" ""
}
log "Activating firewall script generated Thu Feb 17 11:47:01 2011 by vadim"
set_kernel_vars
configure_interfaces
prolog_commands
$PFCTL -f /etc/fw/pf.conf || exit 1
epilog_commands
Reference in New Issue View Git Blame Copy Permalink