diff -r d3b0cd061f26 -r 5b59ba9c9113 insertRules
--- a/insertRules Fri Jan 16 21:10:58 2009 +0100
+++ b/insertRules Mon Aug 26 16:03:33 2013 +0200
@@ -19,13 +19,19 @@
 #use constant O => { chain => "ipac~o", parent => "INPUT", iface => "--out" };
 my %TARGETS = (
- "ipac~fi" => { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
- "ipac~fo" => { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
- "ipac~i" => { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
- "ipac~o" => { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
+ "ipac~fi" =>
+ { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
+ "ipac~fo" =>
+ { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
+ "ipac~i" =>
+ { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
+ "ipac~o" =>
+ { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
 );
-use constant FILE => $ENV{IPAC_RULES} ? $ENV{IPAC_RULES} : "/etc/ipac-ng/rules.conf";
+use constant FILE => $ENV{IPAC_RULES}
+ ? $ENV{IPAC_RULES}
+ : "/etc/ipac-ng/rules.conf";
 use constant CONFIG => (
 { CASE => 1 },
@@ -34,7 +40,7 @@
 );
 my $Cf = new AppConfig CONFIG or die;
- $Cf->getopt or die;
+$Cf->getopt or die;
 sub checkTarget($);
 sub insertTarget($);
@@ -43,108 +49,108 @@ sub expand($); MAIN: { - my @cmds; + my @cmds; # Check, if our rules exist foreach (keys %TARGETS) { - checkTarget($TARGETS{$_}) - or push @cmds, insertTarget($TARGETS{$_}); + checkTarget($TARGETS{$_}) + or push @cmds, insertTarget($TARGETS{$_}); - push @cmds, cleanTarget($TARGETS{$_}); + push @cmds, cleanTarget($TARGETS{$_}); } - - + my ($iptables, $rules) = parseConfig(FILE); push @cmds, @$iptables; - foreach (@cmds) { - print "@$_\n" if $Cf->verbose or $Cf->nothing; - next if $Cf->nothing; - system @$_ and do { - warn "FAILED: @$_\n" if not $Cf->verbose; - }; + print "@$_\n" if $Cf->verbose or $Cf->nothing; + next if $Cf->nothing; + system @$_ and do { + warn "FAILED: @$_\n" if not $Cf->verbose; + }; } if (!$Cf->nothing) { - open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n"; - print RUNFILE join "\n", @$rules; - close(RUNFILE); + open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n"; + print RUNFILE join "\n", @$rules; + close(RUNFILE); } } { my $dump; -sub checkTarget($) { - my $target = shift; + + sub checkTarget($) { + my $target = shift; - if (!$dump) { - open(X, "iptables-save|") or die "Can't open iptables-save: $!\n"; - $dump = join "", grep /^:/, ; - close(X); + if (!$dump) { + open(X, "iptables-save|") or die "Can't open iptables-save: $!\n"; + $dump = join "", grep /^:/, ; + close(X); + } + + return $dump =~ /^:$target->{chain}/m + } - - return $dump =~ /^:$target->{chain}/m - -} } +} sub insertTarget($) { my $target = shift; return ( - ["iptables", "--new-chain" => $target->{chain}], - ["iptables", - "--insert" => $target->{parent}, - "--jump" => $target->{chain}] - ); + ["iptables", "--new-chain" => $target->{chain}], + [ + "iptables", + "--insert" => $target->{parent}, + "--jump" => $target->{chain} + ] + ); } sub cleanTarget($) { my $target = shift; - return ["iptables", - "--flush" => $target->{chain}]; + return ["iptables", "--flush" => $target->{chain}]; } sub parseConfig($) { my 
(@iptables, @rules); my $file = shift; - local(@ARGV) = ($file); + local (@ARGV) = ($file); - die ME.": Can't open $file: $!\n" if not -r $file; + die ME . ": Can't open $file: $!\n" if not -r $file; @ARGV = ($file); # Read the config file and create the iptables statements while (<>) { - s/#.*//; - s/^\s*$//; - next unless $_; + s/#.*//; + s/^\s*$//; + next unless $_; - chomp; - + chomp; - my (%src, %dst); - (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip}) - = split /\s*\|\s*/, $_; + my (%src, %dst); + (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip}) = + split /\s*\|\s*/, $_; - # $src / $dst - foreach (\%src, \%dst) { - @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip}; - } - + # $src / $dst + foreach (\%src, \%dst) { + @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip}; + } - my @cmd = ("iptables", - "--append" => $target, - $TARGETS{$target}->{iface} => $iface, - "--src" => expand($src{ip}), - "--dst" => expand($dst{ip}), - "--proto" => expand($proto), - $src{port} ? ("--sport" => $src{port}) : (), - $dst{port} ? ("--dport" => $dst{port}) : (), - ); + my @cmd = ( + "iptables", + "--append" => $target, + $TARGETS{$target}->{iface} => $iface, + "--src" => expand($src{ip}), + "--dst" => expand($dst{ip}), + "--proto" => expand($proto), + $src{port} ? ("--sport" => $src{port}) : (), + $dst{port} ? ("--dport" => $dst{port}) : (), + ); - push @iptables, \@cmd; - push @rules, "$target|$name"; + push @iptables, \@cmd; + push @rules, "$target|$name"; } return \@iptables, \@rules;