From: aquarius Date: Sun, 13 May 2012 12:00:40 +0000 (+0000) Subject: Major rework of make-iptables-restore - uses internal ipcalc (works in redhat too... X-Git-Url: https://git.harvie.cz/?p=svn%2FPrometheus-QoS%2F.git;a=commitdiff_plain;h=f1bba845e16fd073d1b5e05aacb85c4e82ca717f;hp=143c9a45519eac0098099a0920a6d1d4f3e6d787 Major rework of make-iptables-restore - uses internal ipcalc (works in redhat too), should be bit faster. Untested so far. Use at your own risk. git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@168 251d49ef-1d17-4917-a970-b30cf55b089b
---
diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
index bc047d9..449534f 100755
--- a/optional-tools/make-iptables-restore
+++ b/optional-tools/make-iptables-restore
@@ -1,10 +1,7 @@
 #!/bin/bash
+# $Id$
 iptables="/sbin/iptables"
 iptablesrestore="/sbin/iptables-restore"
-ifconfig="/sbin/ifconfig"
-grep="/bin/grep"
-cut="/usr/bin/cut"
-ipcalc="/usr/bin/ipcalc"
 #pimp files must be generated by optional-tools/make-pimp utility
 pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
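Review bot: `ifconfig=` is removed in this hunk, but no hunk on this page touches a use of `$ifconfig`; if a later part of the script still references it, the variable now expands to an empty command name, so it is worth checking the rest of the file before merging or keeping that one line. The rewrite also gives up on the absolute-path convention for helper tools: the new code calls `awk`, `sed` and `seq` by bare name while `iptables`/`iptables-restore` keep full paths, so a script that generates root-level firewall rules now resolves those helpers through whatever PATH it inherits (the old code already did this for `tr`). Setting an explicit `PATH=` near the top of the script, or keeping per-tool variables as before, would restore one consistent rule.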
@@ -24,6 +21,33 @@ pubfirstbitmask="26"
 pubsecondbitmask="29"
 chaintrack="_"
+# ===============================================================
+# ipcalc rewrite
+# ===============================================================
+
+gen_ipt_string() {
+eval `echo $1 | awk -F\/ '{printf "IP=%s; CIDRMASK=%s; \n", $1, $2}'`
+
+MASK_FULL_OCTETS=$(($CIDRMASK/8))
+MASK_PART_OCTETS=$(($CIDRMASK%8))
+for i in `seq 0 3`; do
+ if [ "$i" -lt "$MASK_FULL_OCTETS" ]; then
+ MASK+="255"
+ elif [ "$i" -eq "$MASK_FULL_OCTETS" ]; then
+ MASK+=$((256 - 2**(8-$MASK_PART_OCTETS)))
+ else
+ MASK+="0"
+ fi
+ [ "$i" -lt "3" ] && MASK+="."
+done
+
+eval `echo $IP | awk -F\. '{printf "IPBYTE1=%s; IPBYTE2=%s; IPBYTE3=%s; IPBYTE4=%s; \n", $1, $2, $3, $4}'`
+eval `echo $MASK | awk -F\. '{printf "MASKBYTE1=%s; MASKBYTE2=%s; MASKBYTE3=%s; MASKBYTE4=%s; \n", $1, $2, $3, $4}'`
+
+IPT_STRING="$(($IPBYTE1 & $MASKBYTE1))_$(($IPBYTE2 & $MASKBYTE2))_$(($IPBYTE3 & $MASKBYTE3))_$(($IPBYTE4 & $MASKBYTE4))_$CIDRMASK"
+echo $IPT_STRING
+}
+
 echo "*nat" > $restoretmp
 echo ":PREROUTING ACCEPT [0:0]" >> $restoretmp
 echo ":POSTROUTING ACCEPT [0:0]" >> $restoretmp
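Review bot: `gen_ipt_string` keeps every variable global and never resets `MASK`, so `MASK+=` appends to whatever an earlier call left behind; it only works on this page because every call site wraps it in backticks, which forks a subshell with an empty `MASK`, and a direct call in the same shell (or any future reuse of the function) would produce a mangled mask and wrong `&` results. The two `eval` lines turn the argument into shell code merely to split on `/` and `.`; parameter expansion and `read` do the same split without eval and without the awk forks, which also serves the commit's speed goal. The octet loop and the `IPT_STRING` assembly can stay as they are; a rewrite with `local` state and no eval is below.
```bash
gen_ipt_string() {
  # "a.b.c.d/n" -> "A_B_C_D_n" (address ANDed with the /n mask); all state is
  # local so repeated calls in one shell do not accumulate into MASK
  local IP=${1%%/*} CIDRMASK=${1##*/}
  local MASK="" i MASK_FULL_OCTETS=$((CIDRMASK / 8)) MASK_PART_OCTETS=$((CIDRMASK % 8))
  for i in 0 1 2 3; do
  # … unchanged: 255 / partial / 0 octet selection and the "." separator …
  done
  local IPBYTE1 IPBYTE2 IPBYTE3 IPBYTE4 MASKBYTE1 MASKBYTE2 MASKBYTE3 MASKBYTE4
  IFS=. read -r IPBYTE1 IPBYTE2 IPBYTE3 IPBYTE4 <<<"$IP"
  IFS=. read -r MASKBYTE1 MASKBYTE2 MASKBYTE3 MASKBYTE4 <<<"$MASK"
  # … unchanged: IPT_STRING assembly and echo …
}
```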
@@ -34,20 +58,20 @@ echo ":OUTPUT ACCEPT [0:0]" >> $restoretmp
 # ===============================================================
 echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
-for czfip in `$grep -v ^# $pimp_2way_nat|$cut -f 1 -d " "`
-do
- pubip=`$grep "$czfip " $pimp_2way_nat|$cut -f 2 -d " "`
- czffirstindex=priv_`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czffourthindex=priv_`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- pubfirstindex=pub_`$ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- pubsecondindex=pub_`$ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+
+while read LINE; do
+ eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'`
+ czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask`
+ czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask`
+ czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask`
+ czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask`
+ pubfirstindex=pub_`gen_ipt_string $pubip/$pubfirstbitmask`
+ pubsecondindex=pub_`gen_ipt_string $pubip/$pubsecondbitmask`
 if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
 echo :$czffirstindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
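Review bot: The new `s=` line drops the prefix length that the old `Network:` field carried: `sed 's/_[0-9]*//4; s/_/./g'` turns e.g. `10_0_0_0_26` into `10.0.0.0`, so `-s $s` now matches a single host instead of the network and the rest of the subnet never enters the per-network chain (unless a host-only match is intended here, which the old `/bitmask` input suggests it is not); `sed 's/_\([0-9]*\)$/\/\1/; s/_/./g'` yields `10.0.0.0/26`, and the same applies to every `s=` line in the following hunks and in the one-way SNAT section. Separately, `while read LINE` no longer skips the `#` comment lines that `grep -v ^#` filtered, and the `eval` of awk output lets whatever ends up in `$pimp_2way_nat` (a file under /dev/shm) run as shell, with `echo -e` additionally rewriting backslashes; `while read -r czfip pubip _; do` followed by `[[ -z "$czfip" || "$czfip" == \#* ]] && continue` gives the same two fields without eval or the awk fork. The same loop header recurs in the one-way SNAT hunk, and this loop's `done` is in a later hunk.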
@@ -58,7 +82,7 @@ do
 if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
 echo :$czfsecondindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
 echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
 echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
@@ -69,7 +93,7 @@ do
 if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
 echo :$czfthirdindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
 echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
 echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
@@ -80,7 +104,7 @@ do
 if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
 echo :$czffourthindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
 echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
 echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
@@ -91,7 +115,7 @@ do
 if ! [[ "$chaintrack" == *"$pubfirstindex"* ]]
 then
 echo :$pubfirstindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $pubip/$pubfirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A PREROUTING -i $wan1 -d $s -j $pubfirstindex >> $restoretmp
 echo -A PREROUTING -i $wan2 -d $s -j $pubfirstindex >> $restoretmp
 echo -A PREROUTING -i $wan3 -d $s -j $pubfirstindex >> $restoretmp
@@ -102,7 +126,7 @@ do
 if ! [[ "$chaintrack" == *"$pubsecondindex"* ]]
 then
 echo :$pubsecondindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $pubip/$pubsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $pubfirstindex -i $wan1 -d $s -j $pubsecondindex >> $restoretmp
 echo -A $pubfirstindex -i $wan2 -d $s -j $pubsecondindex >> $restoretmp
 echo -A $pubfirstindex -i $wan3 -d $s -j $pubsecondindex >> $restoretmp
@@ -122,7 +146,7 @@ do
 echo -n .
-done
+done < $pimp_2way_nat
 echo " done."
 # ===============================================================
@@ -130,18 +154,17 @@ echo " done."
 # ===============================================================
 echo -n "Generating new iptables-restore data - one way SNAT "
-for czfip in `$grep -v ^# $pimp_snat|$cut -f 1 -d " "`
-do
- pubip=`$grep "$czfip " $pimp_snat|$cut -f 2 -d " "`
- czffirstindex=priv_`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czffourthindex=priv_`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+while read LINE; do
+ eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'`
+ czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask`
+ czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask`
+ czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask`
+ czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask`
 if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
 echo :$czffirstindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
 echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
@@ -152,7 +175,7 @@ do
 if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
 echo :$czfsecondindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
 echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
 echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
@@ -163,7 +186,7 @@ do
 if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
 echo :$czfthirdindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
 echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
 echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
@@ -174,7 +197,7 @@ do
 if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
 echo :$czffourthindex "- [0:0]" >> $restoretmp
- s=`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ `
+ s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'`
 echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
 echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
 echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
@@ -188,7 +211,7 @@ do
 echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp
 echo -n .
-done
+done < $pimp_snat
 echo " done."
 echo COMMIT >> $restoretmp