/usr/share/fwbuilder-5.1.0.3599/configlets/linux24/update_addresses is in fwbuilder-common 5.1.0-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 | ## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
############ add or remove ip addresses of interfaces #######################
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
## as of v4.0 we do not manage addresses of point-to-point
## interfaces. The output of "ip addr show" command for these inetrfaces has
## word "POINTOPOINT".
## Since the user can not define interface address without netmask in
## fwbuilder GUI, the script always assumes the address of p2p
## interface has one. It is therefore something like 1.2.3.4/32. The
## address in the output of "ip addr show" command does not have any
## netmask, like in
##
## 10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
## link/[65534]
## inet 10.0.0.100 peer 10.0.0.200 scope global tun0
##
## This means, we always have a discrepancy and the script will always
## want to update the address, even if the address defined in the GUI
## matches the one on the interface, the only difference being the
## missing netmask. This leads to many repetitive warnings. We get two
## warnings even if there is only one p2p interface. Using global
## variable to suppress redundant warnings. This means the user will
## see only one warning, citing the name of the first p2p interface
## even if they have many.
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
## Use "broadcast +" syntax to make ip assign broadcast automatically,
## but only for ipv4 addresses
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
##
## The list of current addresses is taken using "ip addr show" command.
## Second argument defines address scrope; it should be in the form
## of the matching regex such as "scope global" or "scope .*".
##
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
## arg 1 is like "eth1 1.1.1.1/24 2.2.2.2/24 fe80::20c:29ff:fef6:bea0/64"
## arg 2 is "3.3.3.3/24 4.4.4.4/24" - list of addresses we should ignore
## Using arg2 to provide list of addresses managed by heartbeat, so that
## incremental update does not delete them.
##
## Only "scope global" addreses are managed because fwbuilder script
## should not try to delete addresses configured for tunnels and IPv6
## link scope addresses (fe80::) ("scope link" or "scope host" addresses)
##
## Addresses we should ignore are dropped from the list.
##
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
## this function removes addresses from interfaces that do not exist in
## fwbuilder config.
##
## Usage:
## remove_unconfigured_addresses lo eth0 eth1 eth2.100 vlan20 br0
##
## Arguments are all interfaces that have addresses in
## fwbuilder. Addresses will be removed from all other interfaces with
## addresses found on the firewall.
##
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
|