forked from bkartel1/packetd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
update_rules
executable file
·111 lines (85 loc) · 3.14 KB
/
update_rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/bin/dash
PACKETD_QUEUE_NUM=1818
IPTABLES=${IPTABLES:-iptables}
CHAIN_NAME=untangle-packetd
TABLE_NAME=mangle
TABLE_HOOK=POSTROUTING
debug()
{
echo "[DEBUG:`date`] $*"
}
is_queue_open()
{
local t_packetd_pid
local t_queue_pid
t_packetd_pid="invalid"
if [ ! -f /proc/net/netfilter/nfnetlink_queue ]; then
echo "[`date`] The netfilter nfnetlink_queue does not exist - not inserting rules for packetd"
return 1
fi
t_queue_pid=`awk -v queue=${PACKETD_QUEUE_NUM} '{ if ( $1 == queue ) print $2 }' /proc/net/netfilter/nfnetlink_queue`
if [ -z "${t_queue_pid}" ]; then
echo "[`date`] The packetd netfilter queue is not open - not inserting rules for packetd"
return 1
fi
t_packetd_pid=${t_queue_pid}
t_packetd_cmd=`grep -c packetd /proc/${t_packetd_pid}/cmdline 2>| /dev/null`
if [ $((t_packetd_cmd)) -eq 0 ]; then
echo "[`date`] Something other than packetd seems to own the queue: `cat /proc/${t_packetd_pid}/cmdline`"
return 1
fi
return 0
}
remove_packetd_iptables_rules()
{
# remove previous rules to call our chain if they exist
${IPTABLES} -t ${TABLE_NAME} -D ${TABLE_HOOK} -j ${CHAIN_NAME} >/dev/null 2>&1
# flush and remove our chain
${IPTABLES} -t ${TABLE_NAME} -F ${CHAIN_NAME} >/dev/null 2>&1
${IPTABLES} -t ${TABLE_NAME} -X ${CHAIN_NAME} >/dev/null 2>&1
}
insert_packetd_iptables_rules()
{
# create and flush the chain for our traffic
${IPTABLES} -t ${TABLE_NAME} -N ${CHAIN_NAME} >/dev/null 2>&1
${IPTABLES} -t ${TABLE_NAME} -F ${CHAIN_NAME}
# we don't care about traffic to or from loopback addresses
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -s 127.0.0.0/8 -j RETURN
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -d 127.0.0.0/8 -j RETURN
# special hook to allow bypass of a development machine or network
if [ ! -z ${PACKETD_DEV_NETWORK} ]; then
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -s ${PACKETD_DEV_NETWORK} -j RETURN
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -d ${PACKETD_DEV_NETWORK} -j RETURN
fi
# all other TCP and UDP traffic will be handed off to our netfilter queue
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -p tcp -j NFQUEUE --queue-num ${PACKETD_QUEUE_NUM} --queue-bypass
${IPTABLES} -t ${TABLE_NAME} -A ${CHAIN_NAME} -p udp -j NFQUEUE --queue-num ${PACKETD_QUEUE_NUM} --queue-bypass
# insert rule to send traffic to our capture chain
${IPTABLES} -t ${TABLE_NAME} -I ${TABLE_HOOK} -j ${CHAIN_NAME}
return 0
}
##### Start of script
## make sure we are called as root
USERVAL=`id -u`
if test ${USERVAL} -ne 0
then
printf "\n ERROR: You must be root to run this script\n\n"
exit
fi
## Source the configuration file if available
if [ -f /etc/default/untangle-packetd ]; then
. /etc/default/untangle-packetd
fi
## Remove the existing rules
remove_packetd_iptables_rules
case $1 in
*del)
echo "[`date`] The packetd daemon rules have been removed."
exit 0
;;
esac
## If the queue is open generate the new rules
is_queue_open && {
echo "[`date`] The packetd daemon is running. Inserting rules."
insert_packetd_iptables_rules
}