--- a/insertRules Fri Jan 16 21:10:58 2009 +0100
+++ b/insertRules Mon Aug 26 16:03:33 2013 +0200
@@ -19,13 +19,19 @@
#use constant O => { chain => "ipac~o", parent => "INPUT", iface => "--out" };
my %TARGETS = (
- "ipac~fi" => { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
- "ipac~fo" => { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
- "ipac~i" => { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
- "ipac~o" => { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
+ "ipac~fi" =>
+ { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
+ "ipac~fo" =>
+ { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
+ "ipac~i" =>
+ { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
+ "ipac~o" =>
+ { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
);
-use constant FILE => $ENV{IPAC_RULES} ? $ENV{IPAC_RULES} : "/etc/ipac-ng/rules.conf";
+use constant FILE => $ENV{IPAC_RULES}
+ ? $ENV{IPAC_RULES}
+ : "/etc/ipac-ng/rules.conf";
use constant CONFIG => (
{ CASE => 1 },
@@ -34,7 +40,7 @@
);
my $Cf = new AppConfig CONFIG or die;
- $Cf->getopt or die;
+$Cf->getopt or die;
sub checkTarget($);
sub insertTarget($);
@@ -43,108 +49,108 @@
sub expand($);
MAIN: {
- my @cmds;
+ my @cmds;
# Check, if our rules exist
foreach (keys %TARGETS) {
- checkTarget($TARGETS{$_})
- or push @cmds, insertTarget($TARGETS{$_});
+ checkTarget($TARGETS{$_})
+ or push @cmds, insertTarget($TARGETS{$_});
- push @cmds, cleanTarget($TARGETS{$_});
+ push @cmds, cleanTarget($TARGETS{$_});
}
-
-
+
my ($iptables, $rules) = parseConfig(FILE);
push @cmds, @$iptables;
-
foreach (@cmds) {
- print "@$_\n" if $Cf->verbose or $Cf->nothing;
- next if $Cf->nothing;
- system @$_ and do {
- warn "FAILED: @$_\n" if not $Cf->verbose;
- };
+ print "@$_\n" if $Cf->verbose or $Cf->nothing;
+ next if $Cf->nothing;
+ system @$_ and do {
+ warn "FAILED: @$_\n" if not $Cf->verbose;
+ };
}
if (!$Cf->nothing) {
- open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n";
- print RUNFILE join "\n", @$rules;
- close(RUNFILE);
+ open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n";
+ print RUNFILE join "\n", @$rules;
+ close(RUNFILE);
}
}
{
my $dump;
-sub checkTarget($) {
- my $target = shift;
+
+ sub checkTarget($) {
+ my $target = shift;
- if (!$dump) {
- open(X, "iptables-save|") or die "Can't open iptables-save: $!\n";
- $dump = join "", grep /^:/, <X>;
- close(X);
+ if (!$dump) {
+ open(X, "iptables-save|") or die "Can't open iptables-save: $!\n";
+ $dump = join "", grep /^:/, <X>;
+ close(X);
+ }
+
+ return $dump =~ /^:$target->{chain}/m
+
}
-
- return $dump =~ /^:$target->{chain}/m
-
-} }
+}
sub insertTarget($) {
my $target = shift;
return (
- ["iptables", "--new-chain" => $target->{chain}],
- ["iptables",
- "--insert" => $target->{parent},
- "--jump" => $target->{chain}]
- );
+ ["iptables", "--new-chain" => $target->{chain}],
+ [
+ "iptables",
+ "--insert" => $target->{parent},
+ "--jump" => $target->{chain}
+ ]
+ );
}
sub cleanTarget($) {
my $target = shift;
- return ["iptables",
- "--flush" => $target->{chain}];
+ return ["iptables", "--flush" => $target->{chain}];
}
sub parseConfig($) {
my (@iptables, @rules);
my $file = shift;
- local(@ARGV) = ($file);
+ local (@ARGV) = ($file);
- die ME.": Can't open $file: $!\n" if not -r $file;
+ die ME . ": Can't open $file: $!\n" if not -r $file;
@ARGV = ($file);
# Read the config file and create the iptables statements
while (<>) {
- s/#.*//;
- s/^\s*$//;
- next unless $_;
+ s/#.*//;
+ s/^\s*$//;
+ next unless $_;
- chomp;
-
+ chomp;
- my (%src, %dst);
- (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip})
- = split /\s*\|\s*/, $_;
+ my (%src, %dst);
+ (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip}) =
+ split /\s*\|\s*/, $_;
- # $src / $dst
- foreach (\%src, \%dst) {
- @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip};
- }
-
+ # $src / $dst
+ foreach (\%src, \%dst) {
+ @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip};
+ }
- my @cmd = ("iptables",
- "--append" => $target,
- $TARGETS{$target}->{iface} => $iface,
- "--src" => expand($src{ip}),
- "--dst" => expand($dst{ip}),
- "--proto" => expand($proto),
- $src{port} ? ("--sport" => $src{port}) : (),
- $dst{port} ? ("--dport" => $dst{port}) : (),
- );
+ my @cmd = (
+ "iptables",
+ "--append" => $target,
+ $TARGETS{$target}->{iface} => $iface,
+ "--src" => expand($src{ip}),
+ "--dst" => expand($dst{ip}),
+ "--proto" => expand($proto),
+ $src{port} ? ("--sport" => $src{port}) : (),
+ $dst{port} ? ("--dport" => $dst{port}) : (),
+ );
- push @iptables, \@cmd;
- push @rules, "$target|$name";
+ push @iptables, \@cmd;
+ push @rules, "$target|$name";
}
return \@iptables, \@rules;
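Review bot: parseConfig uses the second column of each config line as a bare key into %TARGETS in the `my @cmd = (` list (`$TARGETS{$target}->{iface} => $iface`), so an unknown target yields an undef flag that `system` later receives as an empty argument, and a value naming a real chain (INPUT, FORWARD) makes the script append rules outside the four ipac~ accounting chains it created. Reject it right after the split: `die ME . ": $file line $.: unknown target '$target'\n" unless exists $TARGETS{$target};`. The same loop reads the file with `while (<>)` over `@ARGV = ($file)`, which is a two-argument open with magic filenames under the hood, and `$file` comes from the FILE constant that `$ENV{IPAC_RULES}` overrides (first hunk), so whoever sets that variable for this root-run script controls more than a path. Replace it with `open my $fh, '<', $file or die ME . ": Can't open $file: $!\n";` and `while (<$fh>)`, which also makes the separate `-r $file` test (and its race) and the `local (@ARGV)` assignment unnecessary. parseConfig's closing brace is outside the hunk.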