#!/bin/sh
#
# ebtables init script: save, restore and clear the Ethernet bridge
# filtering rulesets through the legacy ebtables binary.
# Behaviour is tuned via /etc/default/ebtables (see the defaults below).

# Without the legacy tool there is nothing this script can do.
[ -x /usr/sbin/ebtables-legacy ] || exit 1

prog="ebtables"
desc="Ethernet bridge filtering"
RETVAL=0

# Saved rulesets are kept as ${EBTABLES_DUMPFILE_STEM}.<table>; a restore
# commits whatever these files contain, so they must stay root-writable only.
EBTABLES_DUMPFILE_STEM=/etc/ebtables/dump

# Files created from here on (notably the dump files) are owner-only.
umask 0077

# Built-in defaults; each may be overridden by the config file.
EBTABLES_LOAD_ON_START="no"
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_ON_RESTART="no"
EBTABLES_SAVE_COUNTER="no"
EBTABLES_MODULES_UNLOAD="yes"
EBTABLES_BACKUP_SUFFIX="~"

# The config file is executed as shell code, not merely parsed.
config=/etc/default/$prog
[ -f "$config" ] && . "$config"
| |
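#######################################
# Detect which ebtables tables the running kernel supports.
# Globals:   EBTABLES_SUPPORTED_TABLES (written; space-separated, leading
#            space, empty when nothing is supported)
# Outputs:   error message on stderr when unprivileged
# Returns:   0; exits 1 when the rulesets cannot be accessed
#######################################
get_supported_tables() {
  EBTABLES_SUPPORTED_TABLES=
  # Only stderr of the listing is inspected: a permission error means we are
  # not allowed to touch the rulesets at all, which must not be reported as
  # "no kernel support".  The match is on the (unlocalised) tool message.
  if /usr/sbin/ebtables-legacy -t filter -L 2>&1 1>/dev/null | grep -q permission; then
    echo "Error: insufficient privileges to access the ebtables rulesets." >&2
    exit 1
  fi
  # A table is supported when listing it succeeds.  Note the portable
  # redirection: the bash-only "&>" form would, under /bin/sh, background the
  # command instead of silencing it and make every table look supported.
  for table in filter nat broute; do
    if /usr/sbin/ebtables-legacy -t "$table" -L >/dev/null 2>&1; then
      EBTABLES_SUPPORTED_TABLES="${EBTABLES_SUPPORTED_TABLES} $table"
    fi
  done
}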
| |
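#######################################
# Restore every supported table from its saved dump file.
# Globals:   EBTABLES_DUMPFILE_STEM, EBTABLES_SUPPORTED_TABLES (read),
#            RETVAL (written: 0, or the status of the first failed commit)
# Outputs:   progress line on stdout
# Returns:   0
#######################################
load() {
  RETVAL=0
  get_supported_tables
  printf 'Restoring ebtables rulesets: '
  for table in $EBTABLES_SUPPORTED_TABLES; do
    printf '%s ' "$table"
    dumpfile="${EBTABLES_DUMPFILE_STEM}.${table}"
    # An empty or missing dump is not an error: there is simply no state.
    if [ -s "$dumpfile" ]; then
      # --atomic-commit replaces the whole table with the contents of the
      # dump file; whoever can write that file controls the bridge filter.
      /usr/sbin/ebtables-legacy -t "$table" --atomic-file "$dumpfile" --atomic-commit
      RET=$?
      if [ "$RET" -ne 0 ]; then
        printf '(failed) '
        RETVAL=$RET
      fi
    else
      printf '(no saved state) '
    fi
  done
  if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
    printf 'no kernel support. '
  else
    printf 'done. '
  fi
  if [ "$RETVAL" -eq 0 ]; then
    echo "ok"
  else
    echo "fail"
  fi
}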
| |
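#######################################
# Reset every supported table to its initial contents (dropping the rules
# currently installed) and optionally unload the ebtables kernel modules.
# Globals:   EBTABLES_SUPPORTED_TABLES, EBTABLES_MODULES_UNLOAD (read),
#            RETVAL (written: 0, or the status of the first failed reset)
# Outputs:   progress line on stdout
# Returns:   0
#######################################
clear_rules() {
  RETVAL=0
  get_supported_tables
  printf 'Clearing ebtables rulesets: '
  for table in $EBTABLES_SUPPORTED_TABLES; do
    printf '%s ' "$table"
    /usr/sbin/ebtables-legacy -t "$table" --init-table
    RET=$?
    # A table that could not be reset still holds its old rules; report it
    # instead of claiming "ok" (RETVAL was previously never updated here).
    if [ "$RET" -ne 0 ]; then
      printf '(failed) '
      RETVAL=$RET
    fi
  done

  if [ "$EBTABLES_MODULES_UNLOAD" = "yes" ]; then
    # Word-splitting of the module list is intended (one name per word).
    # Extension/table modules go first, the core module last; a module that
    # is still in use just stays loaded, so rmmod errors are ignored.
    for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -d' ' -f1) ebtables; do
      rmmod "$mod" 2>/dev/null
    done
  fi
  if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
    printf 'no kernel support. '
  else
    printf 'done. '
  fi
  if [ "$RETVAL" -eq 0 ]; then
    echo "ok"
  else
    echo "fail"
  fi
}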
| |
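#######################################
# Dump every supported table to its dump file, keeping the previous dump as
# a backup when a backup suffix is configured.
# Globals:   EBTABLES_DUMPFILE_STEM, EBTABLES_SUPPORTED_TABLES,
#            EBTABLES_BACKUP_SUFFIX, EBTABLES_SAVE_COUNTER (read),
#            RETVAL (written: 0, or the status of the first failed save)
# Outputs:   progress line on stdout
# Returns:   0
#######################################
save() {
  RETVAL=0
  get_supported_tables
  printf 'Saving ebtables rulesets: '
  for table in $EBTABLES_SUPPORTED_TABLES; do
    printf '%s ' "$table"
    dumpfile="${EBTABLES_DUMPFILE_STEM}.${table}"
    # Rotate the previous (non-empty) dump aside unless backups are disabled
    # by an empty suffix.
    if [ -n "$EBTABLES_BACKUP_SUFFIX" ] && [ -s "$dumpfile" ]; then
      mv -- "$dumpfile" "${dumpfile}${EBTABLES_BACKUP_SUFFIX}"
    fi
    # The dump is created under the script's umask 0077, i.e. owner-only;
    # it is what a later load commits verbatim.
    /usr/sbin/ebtables-legacy -t "$table" --atomic-file "$dumpfile" --atomic-save
    RET=$?
    if [ "$RET" -ne 0 ]; then
      printf '(failed) '
      RETVAL=$RET
    elif [ "$EBTABLES_SAVE_COUNTER" = "no" ]; then
      # Zero the counters inside the dump so a restore starts from zero.
      /usr/sbin/ebtables-legacy -t "$table" --atomic-file "$dumpfile" -Z
    fi
  done
  if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
    printf 'no kernel support. '
  else
    printf 'done. '
  fi
  if [ "$RETVAL" -eq 0 ]; then
    echo "ok"
  else
    echo "fail"
  fi
}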
| |
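#######################################
# Count the rules installed in one table.  "ebtables -L" prints one
# "Bridge chain: NAME, entries: N, ..." header per chain; the N values are
# summed (0 when the listing is empty).
# Arguments: $1 - table name
# Outputs:   the count on stdout
#######################################
count_rules() {
  /usr/sbin/ebtables-legacy -t "$1" -L \
    | sed -e '/^Bridge chain/! d' -e 's/^.*entries: //' -e 's/,.*$//' \
    | awk '{ n += $1 } END { print n + 0 }'
}

#######################################
# Run one step (a function name) and remember the first failing status.
# Each of load/save/clear_rules resets RETVAL, so without this a failed
# save followed by a successful clear would make "stop" exit 0.
# Globals:   RETVAL (read), FIRST_FAIL (written)
# Arguments: $1 - name of the step function
#######################################
run_step() {
  "$1"
  [ "$FIRST_FAIL" -ne 0 ] || FIRST_FAIL=$RETVAL
}

FIRST_FAIL=0
case "$1" in
  start)
    [ "$EBTABLES_LOAD_ON_START" = "yes" ] && run_step load
    ;;
  stop)
    [ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && run_step save
    run_step clear_rules
    ;;
  restart|reload|force-reload)
    [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && run_step save
    run_step clear_rules
    [ "$EBTABLES_LOAD_ON_START" = "yes" ] && run_step load
    ;;
  load)
    run_step load
    ;;
  save)
    run_step save
    ;;
  status)
    get_supported_tables
    if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
      echo "No kernel support for ebtables."
      RETVAL=1
    else
      printf 'Ebtables support available, number of installed rules: '
      for table in $EBTABLES_SUPPORTED_TABLES; do
        printf '%s(%s) ' "$table" "$(count_rules "$table")"
      done
      echo ok
      RETVAL=0
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|force-reload|load|save|status}" >&2
    RETVAL=1
    ;;
esac

# The earliest failing step, if any, decides the exit status.
[ "$FIRST_FAIL" -eq 0 ] || RETVAL=$FIRST_FAIL
exit $RETVAL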