#!/bin/sh /etc/rc.common # Copyright (C) 2013 Project Gluon # # Firewall script for inserting and removing ebtables rules. # # Example format, for filtering any IPv4 multicast packets to the SSDP UDP port: # rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP # # Removing all rules: # $ ./firewall-ebtables stop # Inserting all rules: # $ ./firewall-ebtables start # Inserting a specific rule file: # $ ./firewall-ebtables start /lib/gluon/ebtables/100-mcast-chain # Removing a specific rule file: # $ ./firewall-ebtables stop /lib/gluon/ebtables/100-mcast-chain START=19 STOP=91 exec_file() { local file="$1" /usr/bin/lua -e " function rule(command, table) table = table or 'filter' os.execute($EBTABLES_RULE) end function chain(name, policy, table) table = table or 'filter' os.execute($EBTABLES_CHAIN) end " "$file" } exec_all() { local sort_arg="$1" local old_ifs="$IFS" IFS=' ' for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do exec_file "$file" done IFS="$old_ifs" } start() { ( export EBTABLES_RULE='"ebtables --concurrent -t " .. table .. " -A " .. command' export EBTABLES_CHAIN='"ebtables --concurrent -t " .. table .. " -N " .. name .. " -P " .. policy' # Contains /var/lib/ebtables/lock for '--concurrent' [ ! -d "/var/lib/ebtables" ] && \ mkdir -p /var/lib/ebtables if [ -z "$1" ]; then exec_all '' else exec_file "$1" fi ) } stop() { ( export EBTABLES_RULE='"ebtables --concurrent -t " .. table .. " -D " .. command' export EBTABLES_CHAIN='"ebtables --concurrent -t " .. table .. " -X " .. name' if [ -z "$1" ]; then exec_all '-r' else exec_file "$1" fi ) }