From 1fcbc04fa250f924b258cf0f40b30cbcf511e634 Mon Sep 17 00:00:00 2001
From: aquarius
Date: Sun, 13 May 2012 16:10:52 +0000
Subject: [PATCH] Revert make-iptables-restore to r167 (previous revert has gone too far)
git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@172 251d49ef-1d17-4917-a970-b30cf55b089b
---
 optional-tools/make-iptables-restore | 150 +++++++++++++++------------
 1 file changed, 86 insertions(+), 64 deletions(-)
diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
index 50abb1a..c4c0ce4 100755
--- a/optional-tools/make-iptables-restore
+++ b/optional-tools/make-iptables-restore
@@ -5,6 +5,7 @@ iptablesrestore="/sbin/iptables-restore"
 ifconfig="/sbin/ifconfig"
 grep="/bin/grep"
 cut="/usr/bin/cut"
+ipcalc="/usr/bin/ipcalc"
 #pimp files must be generated by optional-tools/make-pimp utility
 pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
@@ -22,6 +23,7 @@ czfthirdbitmask="25"
 czffourthbitmask="28"
 pubfirstbitmask="26"
 pubsecondbitmask="29"
+chaintrack="_"
 echo "*nat" > $restoretmp
 echo ":PREROUTING ACCEPT [0:0]" >> $restoretmp
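Review bot: The new `ipcalc` variable is expanded inside backticks in both generator loops but is never checked for existence, so if `/usr/bin/ipcalc` is absent every chain name collapses to `priv_`/`pub_` and every computed `-s`/`-d` argument is empty, yet the script still writes the file and moves it into place at the end. A guard right after the assignment keeps that failure visible: `[[ -x "$ipcalc" ]] || { echo "$ipcalc not found" >&2; exit 1; }`. The other hard-coded tool paths above it have the same gap, but this commit only introduces this one.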
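Review bot: `chaintrack="_"` introduces the state that every later `if ! [[ "$chaintrack" == *"$…index"* ]]` test depends on, but nothing says what it holds or why it starts as `_`; a reader has to find the `chaintrack=\ ${czffirstindex}\ ${chaintrack}` lines in the loops to work it out. A comment on the line would do: `# space-separated list of chains already declared in $restoretmp; shared by the 2-way and 1-way loops so each chain is declared once`. The leading `_` plays no part in those substring tests — an empty initial value behaves the same — so either drop it or state what it is for.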
@@ -31,71 +33,82 @@ echo ":OUTPUT ACCEPT [0:0]" >> $restoretmp
 # ===============================================================
 # Symetrical SNAT-DNAT using indexed iptables
 # ===============================================================
-
 echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
 for czfip in `$grep -v ^# $pimp_2way_nat|$cut -f 1 -d " "`
 do
 pubip=`$grep "$czfip " $pimp_2way_nat|$cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czffourthindex=priv_`ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- pubfirstindex=pub_`ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- pubsecondindex=pub_`ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
-
- if ! $grep $czffirstindex $restoretmp > /dev/null
+ czffirstindex=priv_`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czffourthindex=priv_`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ pubfirstindex=pub_`$ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ pubsecondindex=pub_`$ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+
+ if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
 echo :$czffirstindex "- [0:0]" >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czffirstindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp
+ chaintrack=\ ${czffirstindex}\ ${chaintrack}
 fi
- if ! $grep $czfsecondindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
 echo :$czfsecondindex "- [0:0]" >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czfsecondindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp
+ chaintrack=\ ${czfsecondindex}\ ${chaintrack}
 fi
- if ! $grep $czfthirdindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
 echo :$czfthirdindex "- [0:0]" >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czfthirdindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp
+ chaintrack=\ ${czfthirdindex}\ ${chaintrack}
 fi
- if ! $grep $czffourthindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
 echo :$czffourthindex "- [0:0]" >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czffourthindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp
+ chaintrack=\ ${czffourthindex}\ ${chaintrack}
 fi
- if ! $grep $pubfirstindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$pubfirstindex"* ]]
 then
 echo :$pubfirstindex "- [0:0]" >> $restoretmp
- echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubfirstindex >> $restoretmp
- echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubfirstindex >> $restoretmp
- echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubfirstindex >> $restoretmp
- echo -A PREROUTING -i $wan4 -d `ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubfirstindex >> $restoretmp
+ s=`$ipcalc -n $pubip/$pubfirstbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A PREROUTING -i $wan1 -d $s -j $pubfirstindex >> $restoretmp
+ echo -A PREROUTING -i $wan2 -d $s -j $pubfirstindex >> $restoretmp
+ echo -A PREROUTING -i $wan3 -d $s -j $pubfirstindex >> $restoretmp
+ echo -A PREROUTING -i $wan4 -d $s -j $pubfirstindex >> $restoretmp
+ chaintrack=\ ${pubfirstindex}\ ${chaintrack}
 fi
- if ! $grep $pubsecondindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$pubsecondindex"* ]]
 then
 echo :$pubsecondindex "- [0:0]" >> $restoretmp
- echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubsecondindex >> $restoretmp
- echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubsecondindex >> $restoretmp
- echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubsecondindex >> $restoretmp
- echo -A $pubfirstindex -i $wan4 -d `ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ ` -j $pubsecondindex >> $restoretmp
+ s=`$ipcalc -n $pubip/$pubsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $pubfirstindex -i $wan1 -d $s -j $pubsecondindex >> $restoretmp
+ echo -A $pubfirstindex -i $wan2 -d $s -j $pubsecondindex >> $restoretmp
+ echo -A $pubfirstindex -i $wan3 -d $s -j $pubsecondindex >> $restoretmp
+ echo -A $pubfirstindex -i $wan4 -d $s -j $pubsecondindex >> $restoretmp
+ chaintrack=\ ${pubsecondindex}\ ${chaintrack}
 fi
 echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp
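Review bot: Each new `s=`$ipcalc …`` result is written straight into the rule on the four `echo -A … $s …` lines that follow it, with no check that it is non-empty, so a malformed entry in the pimp file or a failing ipcalc produces a rule such as `-s -o $wan1`, which iptables-restore will not accept and which surfaces only as a load error later. A one-line check after each assignment names the offending entry instead: `[[ -n "$s" ]] || { echo "ipcalc failed for $czfip/$czffirstbitmask" >&2; exit 1; }`. Separately, since the `chaintrack` entries are padded with spaces on both sides, the membership tests can match the whole token, `[[ "$chaintrack" == *" $czffirstindex "* ]]`, rather than an arbitrary substring; both points apply to all six blocks here and to the four in the one-way SNAT loop of the next hunk. The `for czfip` loop continues past the end of this hunk.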
@@ -109,57 +122,65 @@ do
 echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp
 echo -n .
+
 done
 echo " done."
-echo -n "Generating new iptables-restore data - one way SNAT "
-
 # ===============================================================
 # SNAT only using indexed iptables (should be rather function, hmm)
 # ===============================================================
+echo -n "Generating new iptables-restore data - one way SNAT "
 for czfip in `$grep -v ^# $pimp_snat|$cut -f 1 -d " "`
 do
 pubip=`$grep "$czfip " $pimp_snat|$cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- czffourthindex=priv_`ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czffirstindex=priv_`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
+ czffourthindex=priv_`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ |tr [./] _`
- if ! $grep $czffirstindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
 echo :$czffirstindex "- [0:0]" >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoretmp
- echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czffirstindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czffirstbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp
+ chaintrack=\ ${czffirstindex}\ ${chaintrack}
 fi
- if ! $grep $czfsecondindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
 echo :$czfsecondindex "- [0:0]" >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoretmp
- echo -A $czffirstindex -s `ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czfsecondindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czfsecondbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
+ echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp
+ chaintrack=\ ${czfsecondindex}\ ${chaintrack}
 fi
- if ! $grep $czfthirdindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
 echo :$czfthirdindex "- [0:0]" >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoretmp
- echo -A $czfsecondindex -s `ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czfthirdindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czfthirdbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
+ echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp
+ chaintrack=\ ${czfthirdindex}\ ${chaintrack}
 fi
- if ! $grep $czffourthindex $restoretmp > /dev/null
+ if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
 echo :$czffourthindex "- [0:0]" >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan1 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan2 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan3 -j $czffourthindex >> $restoretmp
- echo -A $czfthirdindex -s `ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ ` -o $wan4 -j $czffourthindex >> $restoretmp
+ s=`$ipcalc -n $czfip/$czffourthbitmask|$grep Network|$cut -f 4 -d \ `
+ echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
+ echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp
+ chaintrack=\ ${czffourthindex}\ ${chaintrack}
 fi
 echo -A $czffourthindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoretmp
@@ -172,4 +193,5 @@ done
 echo " done."
 echo COMMIT >> $restoretmp
+echo -n "Writing $restoredata"
 mv $restoretmp $restoredata
-- 
2.30.2
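Review bot: The added `echo -n "Writing $restoredata"` prints no trailing newline and, unlike the two generator stages that finish with `echo " done."`, nothing visible in the hunk closes the line, so whatever is printed next lands on the same line; the `mv` it announces is also still unchecked, so a failed rename leaves the previous restore data in place with no indication. Replacing the two lines with `if mv $restoretmp $restoredata; then echo " done."; else echo " failed" >&2; exit 1; fi` closes the line and makes the failure visible.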