mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-19 09:47:20 +01:00
a58445ed16
generated scritpt in such order that bridge and carp interfaces are configured after all other interfaces are done.
403 lines
9.8 KiB
Bash
Executable File
403 lines
9.8 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This is automatically generated file. DO NOT MODIFY !
|
|
#
|
|
# Firewall Builder fwb_pf v4.2.0.3479
|
|
#
|
|
# Generated Wed Feb 16 14:33:12 2011 PST by vadim
|
|
#
|
|
# files: * firewall104-1.fw /etc/fw/pf.fw
|
|
# files: firewall104-1.conf /etc/fw/path\ with\ space/pf.conf
|
|
#
|
|
# Compiled for pf 4.7
|
|
#
|
|
# bridge interface, dynamic address, shell script format, OpenBSD 4.7
|
|
|
|
|
|
|
|
|
|
|
|
FWDIR=`dirname $0`
|
|
|
|
IFCONFIG="/sbin/ifconfig"
|
|
PFCTL="/sbin/pfctl"
|
|
SYSCTL="/sbin/sysctl"
|
|
LOGGER="/usr/bin/logger"
|
|
|
|
log() {
|
|
echo "$1"
|
|
command -v "$LOGGER" &>/dev/null && $LOGGER -p info "$1"
|
|
}
|
|
|
|
diff_intf() {
|
|
func=$1
|
|
list1=$2
|
|
list2=$3
|
|
cmd=$4
|
|
for intf in $list1
|
|
do
|
|
echo $list2 | grep -q $intf || {
|
|
# $vlan is absent in list 2
|
|
$func $intf $cmd
|
|
}
|
|
done
|
|
}
|
|
|
|
|
|
missing_address() {
|
|
address=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $address
|
|
addr=$1
|
|
interface=$2
|
|
IFS=$oldIFS
|
|
|
|
if echo "$addr" | grep -q ':'
|
|
then
|
|
inet="inet6"
|
|
addr=$(echo "$addr" | sed 's!/! prefixlen !')
|
|
else
|
|
inet="inet"
|
|
addr=$(echo "$addr" | sed 's!/! netmask !')
|
|
fi
|
|
|
|
parameter=""
|
|
test "$cmd" = "add" && {
|
|
echo "# Adding ip address: $interface $addr"
|
|
parameter="alias"
|
|
}
|
|
test "$cmd" = "del" && {
|
|
echo "# Removing ip address: $interface $addr"
|
|
parameter="delete"
|
|
}
|
|
|
|
$FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
|
|
$FWBDEBUG $IFCONFIG $interface up
|
|
}
|
|
|
|
list_addresses_by_scope() {
|
|
interface=$1
|
|
scope=$2
|
|
ignore_list=$3
|
|
|
|
scope_regex="1"
|
|
if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
|
|
|
|
$IFCONFIG $interface | sed "s/%$interface//" | \
|
|
awk -v IGNORED="$ignore_list" \
|
|
"BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
|
|
while read addr; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
|
|
}
|
|
|
|
update_addresses_of_interface() {
|
|
ignore_list=$2
|
|
set $1
|
|
interface=$1
|
|
shift
|
|
|
|
FWB_ADDRS=$(
|
|
for addr in $*; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
)
|
|
|
|
CURRENT_ADDRS_ALL_SCOPES=""
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
|
|
|
$IFCONFIG $interface >/dev/null 2>&1 && {
|
|
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
|
|
} || {
|
|
echo "# Interface $interface does not exist"
|
|
# Stop the script if we are not in test mode
|
|
test -z "$FWBDEBUG" && exit 1
|
|
}
|
|
|
|
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
|
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
|
}
|
|
|
|
missing_vlan() {
|
|
vlan=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $vlan
|
|
subint=$1
|
|
parent=$2
|
|
IFS=$oldIFS
|
|
|
|
vlan_id=$(echo $subint | sed 's/vlan//')
|
|
test "$cmd" = "add" && {
|
|
echo "# Adding VLAN interface $subint (parent: $parent)"
|
|
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1
|
|
$FWBDEBUG $IFCONFIG $subint up || exit 1
|
|
}
|
|
test "$cmd" = "rem" && {
|
|
echo "# Removing VLAN interface $subint (parent: $parent)"
|
|
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1
|
|
$FWBDEBUG $IFCONFIG $subint destroy || exit 1
|
|
}
|
|
}
|
|
|
|
parse_fwb_vlans() {
|
|
set $1
|
|
vlan_parent_interface=$1
|
|
shift
|
|
|
|
FWB_VLANS=$(
|
|
for subint in $*; do
|
|
echo "${subint}@$vlan_parent_interface"
|
|
done | sort
|
|
)
|
|
echo $FWB_VLANS
|
|
}
|
|
|
|
parse_current_vlans() {
|
|
vlan_parent_interface=$1
|
|
$IFCONFIG -A | grep 'vlan: ' | sed 's/parent interface://' | \
|
|
while read x vlan_id parent
|
|
do
|
|
test "$parent" = "$vlan_parent_interface" && echo "vlan$vlan_id@$parent"
|
|
done | sort
|
|
}
|
|
|
|
update_vlans_of_interface() {
|
|
args="$1"
|
|
set $1
|
|
vlan_parent_interface=$1
|
|
|
|
FWB_VLANS=$(parse_fwb_vlans "$args")
|
|
CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
|
|
|
|
$IFCONFIG $vlan_parent_interface up || exit 1
|
|
diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
|
|
diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
|
|
}
|
|
|
|
sync_vlan_interfaces() {
|
|
$IFCONFIG -A | awk -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
|
|
}
|
|
($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
|
|
while read intf; do
|
|
echo "# Deleting vlan interface $intf"
|
|
$FWBDEBUG $IFCONFIG $intf destroy || exit 1
|
|
done
|
|
|
|
for intf in $*; do
|
|
$IFCONFIG $intf >/dev/null 2>&1 || {
|
|
echo "# Creating vlan interface $intf"
|
|
$FWBDEBUG $IFCONFIG $intf create || exit 1
|
|
}
|
|
done
|
|
}
|
|
|
|
|
|
|
|
BRCONFIG="$IFCONFIG"
|
|
|
|
|
|
|
|
|
|
missing_port() {
|
|
intf=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $intf
|
|
port=$1
|
|
bridge_interface=$2
|
|
IFS=$oldIFS
|
|
|
|
echo "# Updating bridge configuration: $bridge_interface $cmd $port"
|
|
$FWBDEBUG $BRCONFIG $bridge_interface $cmd $port
|
|
test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up
|
|
}
|
|
|
|
update_bridge_interface() {
|
|
bridge_interface=$1
|
|
shift
|
|
|
|
FWB_PORTS=""
|
|
CURRENT_PORTS=""
|
|
|
|
FWB_PORTS=$(
|
|
for subint in $*; do
|
|
echo "${subint}@$bridge_interface"
|
|
done | sort
|
|
)
|
|
|
|
# this is really redundant because we create missing bridge
|
|
# interfaces in sync_bridge_interfaces. However will leave this
|
|
# here so that function update_bridge can be used without prior
|
|
# call to sync_bridge_interfaces The difference is that
|
|
# sync_bridge_interfaces also deletes bridge interfaces that exist
|
|
# on the machine but are missing in fwbuilder confgiuration. The
|
|
# update_bridge function can only add bridge interfaces.
|
|
$BRCONFIG $bridge_interface >/dev/null 2>&1 || {
|
|
echo "# Creating bridge interface $bridge_interface"
|
|
$FWBDEBUG $IFCONFIG $bridge_interface create
|
|
$FWBDEBUG $IFCONFIG $bridge_interface up
|
|
}
|
|
|
|
PORTS=$(
|
|
$BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }'
|
|
)
|
|
|
|
test -n "$PORTS" && {
|
|
CURRENT_PORTS=$(
|
|
for subint in $PORTS; do
|
|
echo "${subint}@$bridge_interface"
|
|
done | sort
|
|
)
|
|
}
|
|
|
|
# first delete bridge ports, then add. This way, if an interface
|
|
# moves from one bridge to another, we remove it first and then
|
|
# add. It would not work if we tried to add it first, brctl issues
|
|
# an error:
|
|
# device eth2 is already a member of a bridge; can't enslave it to bridge br1.
|
|
#
|
|
diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem
|
|
diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm
|
|
}
|
|
|
|
|
|
sync_bridge_interfaces() {
|
|
$BRCONFIG -a | awk -F: -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \
|
|
while read brintf; do
|
|
echo "# Deleting bridge interface $brintf"
|
|
$FWBDEBUG $IFCONFIG $brintf down
|
|
$FWBDEBUG $IFCONFIG $brintf destroy
|
|
done
|
|
|
|
for brint in $*; do
|
|
$BRCONFIG $brint >/dev/null 2>&1 || {
|
|
echo "# Creating bridge interface $brintf"
|
|
$FWBDEBUG $IFCONFIG $brint create
|
|
$FWBDEBUG $IFCONFIG $brint up
|
|
}
|
|
done
|
|
}
|
|
|
|
|
|
sync_carp_interfaces() {
|
|
$IFCONFIG -A | awk -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
|
|
}
|
|
($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
|
|
while read intf; do
|
|
echo "# Deleting carp interface $intf"
|
|
$FWBDEBUG $IFCONFIG $intf destroy
|
|
done
|
|
|
|
for intf in $*; do
|
|
$IFCONFIG $intf >/dev/null 2>&1 || {
|
|
echo "# Creating carp interface $intf"
|
|
$SYSCTL -w net.inet.carp.allow=1
|
|
$FWBDEBUG $IFCONFIG $intf create || {
|
|
echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?"
|
|
exit 1
|
|
}
|
|
}
|
|
done
|
|
}
|
|
|
|
|
|
sync_pfsync_interfaces() {
|
|
$IFCONFIG -A | awk -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
|
|
}
|
|
($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
|
|
while read intf; do
|
|
echo "# Deleting pfsync interface $intf"
|
|
$FWBDEBUG $IFCONFIG $intf destroy
|
|
done
|
|
|
|
for intf in $*; do
|
|
$IFCONFIG $intf >/dev/null 2>&1 || {
|
|
echo "# Creating pfsync interface $intf"
|
|
$FWBDEBUG $IFCONFIG $intf create
|
|
}
|
|
done
|
|
}
|
|
|
|
verify_interfaces() {
|
|
:
|
|
|
|
}
|
|
|
|
set_kernel_vars() {
|
|
:
|
|
$SYSCTL -w net.inet.ip.forwarding=1
|
|
}
|
|
|
|
prolog_commands() {
|
|
:
|
|
|
|
}
|
|
|
|
epilog_commands() {
|
|
:
|
|
|
|
}
|
|
|
|
run_epilog_and_exit() {
|
|
epilog_commands
|
|
exit $1
|
|
}
|
|
|
|
configure_interfaces() {
|
|
:
|
|
sync_vlan_interfaces
|
|
sync_bridge_interfaces bridge0
|
|
sync_carp_interfaces
|
|
sync_pfsync_interfaces
|
|
update_addresses_of_interface "em0 10.3.14.81/0xffffff00" ""
|
|
update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
|
|
update_addresses_of_interface "em2" ""
|
|
update_addresses_of_interface "em3" ""
|
|
update_bridge_interface bridge0 "em2 em3"
|
|
$IFCONFIG bridge0 -stp em2
|
|
$IFCONFIG bridge0 -stp em3
|
|
}
|
|
|
|
log "Activating firewall script generated Wed Feb 16 14:33:12 2011 by vadim"
|
|
|
|
set_kernel_vars
|
|
configure_interfaces
|
|
prolog_commands
|
|
|
|
$PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
epilog_commands |