/usr/share/fwbuilder-5.1.0.3599/configlets/linux24/run_time_address_tables is in fwbuilder-common 5.1.0-4.
This file is owned by root:root, with mode 0o644.
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/linux24/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is a conditional operator.
## This function checks whether ipset can actually work on the system.
## Note that its presence is checked separately in the check_utilities
## configlet. By this time it is assumed the utility is installed and
## available, but we still need to check that it works properly,
## because that also depends on the kernel module.
##
## ipset -V checks the version of ipset utility and kernel module and
## is a good way to check if the utility can communicate with the module.
## Unfortunately "ipset -V" returns 0 return code even in the case of
## an error. Will use "ipset --list" which fails when it can't talk to
## the module and then use ipset -V to get diagnostics.
{{if using_ipset}}
## Abort the script unless the ipset utility can talk to its kernel module.
## "--list" is the probe because "ipset -V" exits 0 even on failure; "-V"
## is then run only to print diagnostics before exiting.
check_module_ipset() {
  if ! $IPSET --list > /dev/null 2>&1; then
    echo "Detected an error with ipset utility :"
    $IPSET -V
    exit 1
  fi
}
## reloads ipset from the data file. The file must have one address
## per line. The difficulty with ipset is that no set type accepts a
## mix of individual ip addresses and CIDR blocks. Set type iphash
## takes only ip addresses and type nethash takes only CIDR blocks
## with netmask between 1 and 31 bits (no 32 bits). Using a setlist
## set with two sub-sets, one for addresses and another for subnets.
##
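## Rebuild the ipsets behind an address table from its data file.
## Arguments: $1 - address table object name
##            $2 - data file, one address or CIDR block per line; lines
##                 starting with "#" or ";" and blank lines are skipped,
##                 and only the first field of each line is used
## Exits with status 1 when an argument is missing.
## The contents are built in temporary sets and swapped into the live
## sets with "ipset -W", so rules referencing the table never see a
## half-loaded set.
reload_address_table() {
  addrtbl_name=$1
  data_file=$2
  if test -z "$addrtbl_name" || test -z "$data_file"; then
    echo "Usage: reload_address_table address_table_object_name file_name"
    exit 1
  fi
  ## start from empty temporary sets; -q ignores "set does not exist"
  $IPSET -X tmp_fwb_set:ip -q
  $IPSET -X tmp_fwb_set:net -q
  $IPSET -N tmp_fwb_set:ip iphash
  $IPSET -N tmp_fwb_set:net nethash
  ## read -r keeps backslashes in the data file literal; "set --" makes a
  ## line that begins with "-" data rather than options to set
  grep -Ev '^#|^;|^\s*$' "$data_file" | while read -r L; do
    set -- $L
    addr=$1
    case "$addr" in
      */*) $IPSET -A tmp_fwb_set:net "$addr" ;;
      *)   $IPSET -A tmp_fwb_set:ip "$addr" ;;
    esac
  done
  ## the live sub-sets must exist before their contents can be swapped
  $IPSET --list "${addrtbl_name}:ip" >/dev/null || $IPSET -N "${addrtbl_name}:ip" iphash
  $IPSET --list "${addrtbl_name}:net" >/dev/null || $IPSET -N "${addrtbl_name}:net" nethash
  $IPSET -W "${addrtbl_name}:ip" tmp_fwb_set:ip
  $IPSET -W "${addrtbl_name}:net" tmp_fwb_set:net
  ## the setlist referenced by the rules holds both sub-sets
  $IPSET --list "$addrtbl_name" >/dev/null || $IPSET -N "$addrtbl_name" setlist
  $IPSET --list "$addrtbl_name" | grep -qF -- "${addrtbl_name}:ip" || \
    $IPSET -A "$addrtbl_name" "${addrtbl_name}:ip"
  $IPSET --list "$addrtbl_name" | grep -qF -- "${addrtbl_name}:net" || \
    $IPSET -A "$addrtbl_name" "${addrtbl_name}:net"
  ## after the swap the temporaries hold the previous contents; drop them
  $IPSET -X tmp_fwb_set:ip
  $IPSET -X tmp_fwb_set:net
}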
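## Append one address to an address table's data file and add it to the
## matching live set; a "/" in the address selects the CIDR (nethash) set.
## Arguments: $1 - address table object name
##            $2 - data file
##            $3 - address or CIDR block
## Exits with status 1 when an argument is missing.
add_to_address_table() {
  addrtbl_name=$1
  data_file=$2
  address=$3
  if test -z "$addrtbl_name" || test -z "$data_file" || test -z "$address"; then
    echo "Usage: add_to_address_table address_table_object_name file_name address"
    exit 1
  fi
  ## printf rather than echo so the address is never read as an echo option
  printf '%s\n' "$address" >> "$data_file"
  case "$address" in
    */*) $IPSET -A "${addrtbl_name}:net" "$address" ;;
    *)   $IPSET -A "${addrtbl_name}:ip" "$address" ;;
  esac
}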
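## Remove one address from an address table's data file and from the
## matching live set; a "/" in the address selects the CIDR (nethash) set.
## Arguments: $1 - address table object name
##            $2 - data file; lines holding exactly the address, with
##                 optional surrounding spaces, are deleted
##            $3 - address or CIDR block
## Exits with status 1 when an argument is missing.
remove_from_address_table() {
  addrtbl_name=$1
  data_file=$2
  address=$3
  if test -z "$addrtbl_name" || test -z "$data_file" || test -z "$address"; then
    echo "Usage: remove_from_address_table address_table_object_name file_name address"
    exit 1
  fi
  ## $address is spliced into a sed basic regular expression, so every
  ## character special there plus the "/" delimiter is backslash-escaped.
  ## Escaping only the first "/" let "." match any character, so
  ## "10.0.0.1" could also delete a line such as "10x0x0x1".
  escaped_addr=$(printf '%s\n' "$address" | sed 's![][\\/.*^$]!\\&!g')
  sed -i "/^ *$escaped_addr *\$/d" "$data_file"
  case "$address" in
    */*) $IPSET -D "${addrtbl_name}:net" "$address" ;;
    *)   $IPSET -D "${addrtbl_name}:ip" "$address" ;;
  esac
}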
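## Test whether an address is in an address table's live set; a "/" in the
## address selects the CIDR (nethash) set. The exit status of "ipset -T"
## is the result.
## Arguments: $1 - address table object name
##            $2 - address or CIDR block
## Exits with status 1 when an argument is missing.
test_address_table() {
  addrtbl_name=$1
  address=$2
  if test -z "$addrtbl_name" || test -z "$address"; then
    echo "Usage: test_address_table address_table_object_name address"
    exit 1
  fi
  case "$address" in
    */*) $IPSET -T "${addrtbl_name}:net" "$address" ;;
    *)   $IPSET -T "${addrtbl_name}:ip" "$address" ;;
  esac
}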
## Loads every run-time address table from its data file. The body is
## generated by fwbuilder and substituted for the macro below; the ":"
## keeps the function syntactically valid when nothing is generated.
load_run_time_address_table_files() {
:
{{$load_files_commands}}
}
{{endif}}
## Abort the script unless the data file behind an address table object
## is readable.
## Arguments: $1 - address table object name (used in the message)
##            $2 - path of the data file
check_file() {
  if ! test -r "$2"; then
    echo "Can not find file $2 referenced by address table object $1"
    exit 1
  fi
}
## function to check if the data file is available. This is done
## regardless of whether we use module ipset or not.
## Since macro language does not support loops at this time, whole
## code for the body of this function is generated in
## OSConfigurator_linux24::printRunTimeAddressTablesCode()
## The macro below is replaced by one check_file call per address table;
## the ":" keeps the function syntactically valid when nothing is generated.
check_run_time_address_table_files() {
:
{{$check_files_commands}}
}