Package: ipmasq
Version: 4.0.8-4
Followup-For: Bug #438580

The proposed scripts for netfilter:

/etc/ipmasq/rules/A03flush.rul
/etc/ipmasq/ipmasq-down/A03flush.rul

are wrong in the sense that they flush and set the default policy on all
available tables and not only on the kernel's loaded tables.
The side effect of this is that if a table is unused, for example
"raw", then the corresponding kernel module is loaded even though it is useless.
The lines:

ls -1 /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_*.ko |
  sed -n -e 's,^.*/iptable_\([^/]\+\)\.ko$,\1,p'

are wrong; the correct form is:

lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p'

To better understand my wishlist I attach the two proposed scripts for
ipmasq start and stop (only the netfilter section):

/etc/ipmasq/rules/A03flush.rul:

#: Flush all and set default policy of deny.
case $MASQMETHOD in
netfilter)
    # Only the tables whose iptable_* module is currently loaded (lsmod),
    # so an unused table such as "raw" is never pulled in just to be flushed.
    for table in $(
        lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p' )
    do
      unset userchain
      # "Chain NAME (policy X)" lines are builtin chains, "Chain NAME (N references)"
      # are user-defined ones; turn each into NAME:policy or NAME:N.
      for chain_polref in $( $IPTABLES -t $table -nL |
          sed -n '/^Chain \S\+ (/s/^Chain \(\S\+\) (\(\S\+\) .*/\1:\2/p' )
      do
        chain="${chain_polref%:*}"
        if [ "${chain_polref##*:}" = "policy" ]; then
          # Builtin chain: default-deny only in the filter table.
          if [ "$table" = filter ]
          then $IPTABLES -t $table -P $chain DROP
          else $IPTABLES -t $table -P $chain ACCEPT
          fi
          $IPTABLES -t $table -F $chain
        else
          # User-defined chain: flush now, delete once every chain is empty.
          $IPTABLES -t $table -F $chain
          userchain="$chain $userchain"
        fi
      done
      for chain in $userchain ; do
        $IPTABLES -t $table -X $chain 2>/dev/null ||
          echo "Error: deleting user-defined chain $chain on table $table" >&2
      done
    done
    ;;
esac

/etc/ipmasq/ipmasq-down/A03flush.rul:

#: Flush all and set default policy of deny on forward, and accept input
#: and output.
case $MASQMETHOD in
netfilter)
    # Only the tables whose iptable_* module is currently loaded (lsmod).
    for table in $(
        lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p' )
    do
      unset userchain
      # NAME:policy for builtin chains, NAME:N (reference count) for user-defined ones.
      for chain_polref in $( $IPTABLES -t $table -nL |
          sed -n '/^Chain \S\+ (/s/^Chain \(\S\+\) (\(\S\+\) .*/\1:\2/p' )
      do
        chain="${chain_polref%:*}"
        if [ "${chain_polref##*:}" = "policy" ]; then
          # Builtin chain: keep forwarding denied after shutdown, accept the rest.
          if [ "$table" = filter ] && [ "$chain" = FORWARD ]
          then $IPTABLES -t $table -P $chain DROP
          else $IPTABLES -t $table -P $chain ACCEPT
          fi
          $IPTABLES -t $table -F $chain
        else
          # User-defined chain: flush now, delete once every chain is empty.
          $IPTABLES -t $table -F $chain
          userchain="$chain $userchain"
        fi
      done
      for chain in $userchain ; do
        $IPTABLES -t $table -X $chain 2>/dev/null ||
          echo "Error: deleting user-defined chain $chain on table $table" >&2
      done
    done
    ;;
esac

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT)
Shell: /bin/sh linked to /bin/bash

Versions of packages ipmasq depends on:
ii  debconf [debconf-2.0]   1.5.16           Debian configuration management sy
ii  iptables                1.3.8.0debian1-1 administration tools for packet fi

ipmasq recommends no packages.

-- debconf information excluded
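The table and chain discovery from the proposed scripts, as an added example that is not part of this bug report or of the ipmasq package, run on constructed lsmod and "iptables -nL" text so the parsing can be checked without touching a live firewall (the sed expressions use POSIX BRE instead of the GNU \S and \> from the report; plan_flush prints the commands instead of running them):

```shell
#!/bin/sh
# Added example, not part of the bug report or the ipmasq package: the table
# and chain discovery of the proposed rules files, run on captured text
# instead of the live system. Both samples below are constructed.

LSMOD_SAMPLE='Module                  Size  Used by
iptable_nat             6596  1
nf_nat                 16356  1 iptable_nat
iptable_filter          2912  1'

FILTER_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
lan_out    all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
Chain lan_out (1 references)
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0'

# Table names whose iptable_* module is loaded, from lsmod text on stdin;
# "raw" never appears here unless its module really is loaded.
loaded_tables() {
    sed -n -e 's,^iptable_\([^[:space:]]*\).*,\1,p'
}

# NAME:policy for builtin chains, NAME:<refcount> for user chains, from -nL text.
chain_polrefs() {
    sed -n '/^Chain [^ ]* (/s/^Chain \([^ ]*\) (\([^ ]*\) .*/\1:\2/p'
}

# Print what the start-time script would do for one table: builtin chains get
# a default policy (DROP only in filter) and a flush, user-defined chains are
# flushed and then deleted. $1 = table name, -nL listing on stdin.
plan_flush() {
    table=$1; userchain=
    for chain_polref in $(chain_polrefs); do
        chain=${chain_polref%:*}
        if [ "${chain_polref##*:}" = policy ]; then
            if [ "$table" = filter ]; then pol=DROP; else pol=ACCEPT; fi
            echo "iptables -t $table -P $chain $pol"
            echo "iptables -t $table -F $chain"
        else
            echo "iptables -t $table -F $chain"
            userchain="$chain $userchain"
        fi
    done
    for chain in $userchain; do echo "iptables -t $table -X $chain"; done
}

printf '%s\n' "$LSMOD_SAMPLE" | loaded_tables          # nat, filter (no raw)
printf '%s\n' "$FILTER_SAMPLE" | plan_flush filter
```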