From: <abe...@us...> - 2013-05-07 17:32:29
Revision: 6075 http://sourceforge.net/p/astlinux/code/6075 Author: abelbeck Date: 2013-05-07 17:32:25 +0000 (Tue, 07 May 2013) Log Message: ----------- arnofw, add new time-schedule-host-block plugin. Additionally upgrade-arno-firewall now supports both single and multi line variables when merging previous variables to updated configurations Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial branches/1.0/project/astlinux/target_skeleton/usr/sbin/upgrade-arno-firewall Added Paths: ----------- branches/1.0/package/arnofw/time-schedule-host-block/ branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf
Modified: branches/1.0/package/arnofw/arnofw.mk
===================================================================
--- branches/1.0/package/arnofw/arnofw.mk 2013-05-05 21:17:46 UTC (rev 6074)
+++ branches/1.0/package/arnofw/arnofw.mk 2013-05-07 17:32:25 UTC (rev 6075)
@@ -119,6 +119,13 @@
 $(INSTALL) -m 0644 package/arnofw/openvpn-server/openvpn-server-astlinux.conf \
 $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/openvpn-server.conf
 @echo
+ @echo "Install local version of Time Schedule Host Block plugin."
+ @echo
+ $(INSTALL) -m 0644 package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh \
+ $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/30time-schedule-host-block.plugin
+ $(INSTALL) -m 0644 package/arnofw/time-schedule-host-block/time-schedule-host-block.conf \
+ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/time-schedule-host-block.conf
+ @echo
 @echo "Install local version of PPTP VPN plugin."
 @echo
 $(INSTALL) -m 0644 package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh \
Modified: branches/1.0/package/arnofw/arnofw.serial
===================================================================
--- branches/1.0/package/arnofw/arnofw.serial 2013-05-05 21:17:46 UTC (rev 6074)
+++ branches/1.0/package/arnofw/arnofw.serial 2013-05-07 17:32:25 UTC (rev 6075)
@@ -1 +1 @@
-0002~0018~0000~0000~0000~
+0002~0019~0000~0000~0000~
Added: branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh
===================================================================
--- branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh (rev 0)
+++ branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh 2013-05-07 17:32:25 UTC (rev 6075)
@@ -0,0 +1,235 @@
+# ------------------------------------------------------------------------------
+# -= Arno's iptables firewall - Time Schedule Host Block plugin =-
+#
+PLUGIN_NAME="Time Schedule Host Block plugin"
+PLUGIN_VERSION="1.00"
+PLUGIN_CONF_FILE="time-schedule-host-block.conf"
+#
+# Last changed : May 06, 2013
+# Requirements : AIF 2.0.0+
+# Comments : This plugin blocks forwarded packets based on time and day-of-week.
+#
+# Author : (C) Copyright 2012-2013 by Lonnie Abelbeck & Arno van Amersfoort
+# Homepage : http://rocky.eld.leidenuniv.nl/
+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
+# (note: you must remove all spaces and substitute the @ and the .
+# at the proper locations!)
+# ------------------------------------------------------------------------------
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# ------------------------------------------------------------------------------
+
+# Plugin start function
+plugin_start()
+{
+ local rule type data addr timestart timestop weekdays i DAYS SHOWRULE IFS
+
+ IFS=$EOL
+ for rule in $TIME_SCHEDULE_HOST_BLOCK_MAC; do
+ unset IFS
+ type="$(echo "$rule" | cut -s -d'|' -f1)"
+ data="$(echo "$rule" | cut -s -d'|' -f2)"
+ addr="$(echo "$data" | cut -s -d'~' -f1)"
+ timestart="$(echo "$data" | cut -s -d'~' -f2)"
+ timestop="$(echo "$data" | cut -s -d'~' -f3)"
+ weekdays="$(echo "$data" | cut -s -d'~' -f4)"
+ if [ -z "$addr" -o -z "$timestart" -o -z "$timestop" ]; then
+ type=""
+ else
+ # Check for MAC address, if not, try from STATICHOSTS
+ case "$addr" in
+ *:*)
+ ;;
+ *)
+ if [ -n "$STATICHOSTS" ]; then
+ IFS=$EOL
+ for i in $STATICHOSTS; do
+ if [ "$(echo "$i" | cut -s -d'~' -f1)" = "$addr" ]; then
+ addr="$(echo "$i" | cut -s -d'~' -f3)"
+ break
+ fi
+ done
+ unset IFS
+ fi
+ # Still not MAC address, ignore rule
+ case "$addr" in
+ *:*) ;;
+ *) type="" ;;
+ esac
+ ;;
+ esac
+ SHOWRULE="${INDENT}Blocking $type Source MAC Addr: $addr using Schedule: $timestart to $timestop on Days:"
+ if [ -n "$weekdays" ]; then
+ DAYS="--weekdays $weekdays"
+ SHOWRULE="$SHOWRULE $weekdays"
+ else
+ DAYS=""
+ SHOWRULE="$SHOWRULE All"
+ fi
+ # Adjust time to UTC for iptables
+ timestart="$(date -u -d "@$(date -d $timestart '+%s')" '+%H:%M:%S')"
+ timestop="$(date -u -d "@$(date -d $timestop '+%s')" '+%H:%M:%S')"
+ fi
+ case $type in
+ LAN-EXT|lan-ext)
+ echo "$SHOWRULE"
+ iptables -A LAN_INET_FORWARD_CHAIN -m mac --mac-source $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ DMZ-EXT|dmz-ext)
+ echo "$SHOWRULE"
+ iptables -A DMZ_INET_FORWARD_CHAIN -m mac --mac-source $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ ANY|any)
+ echo "$SHOWRULE"
+ iptables -A FORWARD_CHAIN -m mac --mac-source $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ '#'*) # Disable rule
+ ;;
+ *)
+ echo "** WARNING: In Variable TIME_SCHEDULE_HOST_BLOCK_MAC, Rule: \"$rule\" is ignored." >&2
+ ;;
+ esac
+ done
+
+ IFS=$EOL
+ for rule in $TIME_SCHEDULE_HOST_BLOCK; do
+ unset IFS
+ type="$(echo "$rule" | cut -s -d'|' -f1)"
+ data="$(echo "$rule" | cut -s -d'|' -f2)"
+ addr="$(echo "$data" | cut -s -d'~' -f1)"
+ timestart="$(echo "$data" | cut -s -d'~' -f2)"
+ timestop="$(echo "$data" | cut -s -d'~' -f3)"
+ weekdays="$(echo "$data" | cut -s -d'~' -f4)"
+ if [ -z "$addr" -o -z "$timestart" -o -z "$timestop" ]; then
+ type=""
+ else
+ SHOWRULE="${INDENT}Blocking $type Source IP Addr: $addr using Schedule: $timestart to $timestop on Days:"
+ if [ -n "$weekdays" ]; then
+ DAYS="--weekdays $weekdays"
+ SHOWRULE="$SHOWRULE $weekdays"
+ else
+ DAYS=""
+ SHOWRULE="$SHOWRULE All"
+ fi
+ # Adjust time to UTC for iptables
+ timestart="$(date -u -d "@$(date -d $timestart '+%s')" '+%H:%M:%S')"
+ timestop="$(date -u -d "@$(date -d $timestop '+%s')" '+%H:%M:%S')"
+ fi
+ case $type in
+ LAN-EXT|lan-ext)
+ echo "$SHOWRULE"
+ iptables -A LAN_INET_FORWARD_CHAIN -s $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ DMZ-EXT|dmz-ext)
+ echo "$SHOWRULE"
+ iptables -A DMZ_INET_FORWARD_CHAIN -s $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ ANY|any)
+ echo "$SHOWRULE"
+ iptables -A FORWARD_CHAIN -s $addr \
+ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT
+ ;;
+ '#'*) # Disable rule
+ ;;
+ *)
+ echo "** WARNING: In Variable TIME_SCHEDULE_HOST_BLOCK, Rule: \"$rule\" is ignored." >&2
+ ;;
+ esac
+ done
+
+ return 0
+}
+
+
+# Plugin restart function
+plugin_restart()
+{
+
+ # Skip plugin_stop on a restart
+ plugin_start
+
+ return 0
+}
+
+
+# Plugin stop function
+plugin_stop()
+{
+
+ return 0
+}
+
+
+# Plugin status function
+plugin_status()
+{
+ return 0
+}
+
+
+# Check sanity of eg. environment
+plugin_sanity_check()
+{
+ # Sanity check
+
+ return 0
+}
+
+
+############
+# Mainline #
+############
+
+# Check where to find the config file
+CONF_FILE=""
+if [ -n "$PLUGIN_CONF_PATH" ]; then
+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
+fi
+
+# Check if the config file exists
+if [ ! -e "$CONF_FILE" ]; then
+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
+ PLUGIN_RET_VAL=0
+else
+ # Source the plugin config file
+ . "$CONF_FILE"
+
+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
+ # Show who we are:
+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"
+
+ # Increment indention
+ INDENT="$INDENT "
+
+ # Only proceed if environment ok
+ if plugin_sanity_check; then
+ case $PLUGIN_CMD in
+ start|'') plugin_start; PLUGIN_RET_VAL=$?;;
+ restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
+ status ) plugin_status; PLUGIN_RET_VAL=$?;;
+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
+ esac
+ fi
+ else
+ PLUGIN_RET_VAL=0
+ fi
+fi
Added: branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf
===================================================================
--- branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf (rev 0)
+++ branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf 2013-05-07 17:32:25 UTC (rev 6075)
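Review bot: In plugin_start the six `iptables -A ...` calls ignore their exit status, and the `echo "$SHOWRULE"` before each one reports the host as blocked before the rule exists, so an entry that iptables rejects (a malformed MAC or address in the unquoted `$addr`, an unrecognised day in `$DAYS`, or an empty `$timestart`/`$timestop` when `date -d` fails on a bad time string) leaves the host unblocked while the log says otherwise, and plugin_start still returns 0 — the failure mode is fail-open. A small wrapper that runs the command and warns on a non-zero exit, sketched below, makes a misconfigured rule visible; plugin_sanity_check, which is currently empty, could additionally reject entries whose `addr` is neither a MAC nor an IPv4/IPv6 address before anything is loaded. A caveat also belongs next to `# Adjust time to UTC for iptables`: unless xt_time is used with `--kerneltz`, the kernel evaluates `--weekdays` in UTC as well, so a local window that crosses the UTC day boundary is checked against the wrong weekday, and the UTC offset captured at load time goes stale across a DST change until the firewall is restarted (if I read xt_time correctly).

```sh
# Add one scheduled REJECT rule and report, rather than ignore, an iptables
# failure: a rule that does not load means the host is NOT blocked.
#   $1 = chain; remaining args = source match (-s ADDR or -m mac --mac-source MAC)
# Reads the caller's $timestart $timestop $DAYS $SHOWRULE $rule (shell locals are
# dynamically scoped); $DAYS is deliberately unquoted, it is empty or two words.
add_schedule_rule()
{
  local chain="$1"
  shift

  echo "$SHOWRULE"
  if ! iptables -A "$chain" "$@" -m time --timestart "$timestart" --timestop "$timestop" $DAYS -j REJECT; then
    echo "** WARNING: $PLUGIN_NAME: iptables rejected rule \"$rule\", host is NOT blocked." >&2
    return 1
  fi
  return 0
}

# … unchanged: plugin_start prologue, rule parsing, STATICHOSTS lookup, UTC adjustment …
    case $type in
      LAN-EXT|lan-ext)
        add_schedule_rule LAN_INET_FORWARD_CHAIN -m mac --mac-source "$addr"
        ;;
      DMZ-EXT|dmz-ext)
        add_schedule_rule DMZ_INET_FORWARD_CHAIN -m mac --mac-source "$addr"
        ;;
      ANY|any)
        add_schedule_rule FORWARD_CHAIN -m mac --mac-source "$addr"
        ;;
# … unchanged: disabled-rule and warning arms; the IP loop calls the same helper with -s "$addr" …
```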
@@ -0,0 +1,49 @@
+# ------------------------------------------------------------------------------
+# -= Arno's iptables firewall - Time Schedule Host Block plugin =-
+# ------------------------------------------------------------------------------
+
+# To actually enable this plugin make ENABLED=1:
+# ------------------------------------------------------------------------------
+ENABLED=0
+
+# TIME_SCHEDULE_HOST_BLOCK_MAC
+# type|mac_addr~timestart~timestop~weekdays
+#
+# TIME_SCHEDULE_HOST_BLOCK
+# type|ip_addr~timestart~timestop~weekdays
+#
+# "type" must be one of:
+# LAN-EXT: Block in LAN->EXT Forward Chain
+# DMZ-EXT: Block in DMZ->EXT Forward Chain
+# ANY: Block in any Forward Chain
+# #<type>: Leading '#' disables that line's rule without deleting it
+#
+# "mac_addr" must be of the form 00:11:22:33:44:55
+# "ip_addr" may be any IPv4, IPv6 address or CIDR
+# "timestart" and "timestop" Local times of the form HH:MM:SS (:SS optional)
+# "weekdays" (optional), a comma separated list including any of: Mon,Tue,Wed,Thu,Fri,Sat,Sun
+#
+# Note: Multi-line variables, each line is an entry.
+# Do not remove the variables' closing double-quote (") character.
+#
+
+# Block by MAC Address Source
+# Examples:
+# LAN-EXT|00:11:22:33:44:55~21:00~6:00~Mon,Tue,Wed,Thu,Fri
+# DMZ-EXT|00:11:22:33:44:aa~15:45~9:00
+# ------------------------------------------------------------------------------
+TIME_SCHEDULE_HOST_BLOCK_MAC="
+#LAN-EXT|00:11:22:33:44:55~21:00~6:00~Mon,Tue,Wed,Thu,Fri
+"
+
+# Block by IPv4 or IPv6 Address Source
+# Examples:
+# LAN-EXT|192.168.101.13~21:00~6:00~Sat,Sun
+# DMZ-EXT|192.168.1.1/24~21:00~7:00
+# DMZ-EXT|2001:db8:200::5294~15:45~22:00~Mon,Tue,Wed,Thu,Fri
+# ANY|192.168.101.23~15:45~22:00
+# ------------------------------------------------------------------------------
+TIME_SCHEDULE_HOST_BLOCK="
+#DMZ-EXT|192.168.1.1/24~21:00~7:00
+"
+
Modified: branches/1.0/project/astlinux/target_skeleton/usr/sbin/upgrade-arno-firewall
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/usr/sbin/upgrade-arno-firewall 2013-05-05 21:17:46 UTC (rev 6074)
+++ branches/1.0/project/astlinux/target_skeleton/usr/sbin/upgrade-arno-firewall 2013-05-07 17:32:25 UTC (rev 6075)
@@ -36,7 +36,7 @@
 merge_old_plugin_configs()
 {
- local plugin plugins editname var search replace IFS
+ local plugin plugins editname var search IFS
 plugins="$(grep -m1 '^ENABLED=1' /mnt/kd/arno-iptables-OLD/plugins/*.conf | sed 's/:ENABLED.*//')"
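Review bot: The line `"ip_addr" may be any IPv4, IPv6 address or CIDR` and the `2001:db8:200::5294` example promise more than the plugin shipped in this commit visibly delivers: the plugin only ever runs `iptables -A ... -s $addr`, and a plain IPv4 iptables rejects an IPv6 source, so such an entry would fail to load and the host would stay unblocked unless the AIF `iptables` wrapper dispatches by address family, which this diff does not show. Either confirm that wrapper behaviour and say so, e.g. `# "ip_addr" may be any IPv4 or IPv6 address or CIDR (IPv6 entries require IPV6_SUPPORT=1 in the main firewall config)`, or narrow the comment to IPv4 until the plugin has an ip6tables path. The `"weekdays"` note would also benefit from stating that a window crossing midnight, as in the `21:00~6:00~Mon,Tue,Wed,Thu,Fri` example, is matched against the weekday of each packet, so the early-Saturday tail of Friday night is not covered unless Sat is listed (as far as I can tell from xt_time's semantics; please verify).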
@@ -44,11 +44,38 @@
 for plugin in $plugins; do
 editname="$(echo $plugin | sed 's/arno-iptables-OLD/arno-iptables-firewall/')"
 if [ -f "$editname" ]; then
+ IFS=$'\n'
 for var in $(grep '^[A-Z][A-Z0-9_-]*[=][^$\`]*$' $plugin); do
+ unset IFS
 search="$(echo $var | cut -d= -f1)"
 if [ -n "$search" -a "$search" != "IFS" ]; then
- replace="$(echo $var | sed 's:/:\\/:g')"
- sed -i "/^${search}=/ s/^.*$/${replace}/" "$editname"
+ if echo $var | grep -q "^${search}=\"[^\"]*$"; then # Single double-quote (")
+ # Multi-line OLD variable
+ if grep -q "^${search}=\"[^\"]*$" "$editname"; then # Multi-Line NEW variable
+ sed -n "/^${search}=\"/,/^.*\"/ p" "$plugin" | sed -i "/^${search}=\"/,/^.*\"/ {
+r /dev/stdin
+d
+}" "$editname"
+ else
+ sed -n "/^${search}=\"/,/^.*\"/ p" "$plugin" | sed -i "/^${search}=/ {
+r /dev/stdin
+d
+}" "$editname"
+ fi
+ else
+ # Single-line OLD variable
+ if grep -q "^${search}=\"[^\"]*$" "$editname"; then # Multi-Line NEW variable
+ echo $var | sed -i "/^${search}=\"/,/^.*\"/ {
+r /dev/stdin
+d
+}" "$editname"
+ else
+ echo $var | sed -i "/^${search}=/ {
+r /dev/stdin
+d
+}" "$editname"
+ fi
+ fi
 echo "Merged variable \"${search}\" in plugin: $editname" 1>&2
 fi
 done
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
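Review bot: The two single-line branches push the old value through `echo $var` unquoted, so runs of whitespace inside the value are collapsed and, with a `sh` whose builtin echo interprets backslash escapes, sequences such as `\n` or `\t` are rewritten before the line is spliced into the new config; the new `r /dev/stdin` scheme no longer needs the old `s:/:\\/:g` escaping, so `printf '%s\n' "$var" | sed -i ...` preserves the value exactly at no cost (the replaced `sed -i ... s/^.*$/${replace}/` had the same expansion). Two properties of the multi-line path deserve a comment above `# Multi-line OLD variable`: the `[^$\`]*$` part of the selecting grep only inspects the opening line, so continuation lines of a multi-line value are copied verbatim by `sed -n "/^${search}=\"/,/^.*\"/ p"` whatever they contain, and that range ends at the first later line containing any `"`, not necessarily the closing quote — an unterminated value in the old file would make the matching `d` range run to the end of the new file. The enclosing merge_old_plugin_configs() begins in the previous hunk and the `for plugin` loop closes after this one.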