On Mon, 2008-09-08 at 20:01 -0400, Brian J. Murrell wrote:
>
> I will try to write some combination of extension scripts to do this
> part automatically. If all else fails, I will just list my ipsets in a
> simple extension script.

Again, for the current and future followers of this thread here is the
compile script (for Shorewall-perl) that will discover any ipsets used
in the hosts file and create empty ipsets for them if they don't already
exist.
---- cut ----
use File::Temp qw/ tempfile tempdir /;

print "Finding used ipsets\n";
my @ipsets;
open(HOSTS, "hosts") || die "failed to open hosts file: $!";
while (<HOSTS>) {
    s/#.*//;            # strip comments
    /^\s*$/ && next;    # skip blank lines
    my ($zone, $hosts, $options) = split(' ');
    # a host entry of the form interface:+setname refers to an ipset;
    # the name is limited to word characters, so it is safe to put
    # into the shell commands written below
    if (defined($hosts) && $hosts =~ /^.+:\+([a-zA-Z]\w*)$/) {
        push(@ipsets, $1);
    }
}
close(HOSTS);

print "Creating init rules to create undefined ipsets\n";
my $fh;
my $filename;
if (open(INIT, "init")) {
    ($fh, $filename) = tempfile("initXXXXXX");
    while (<INIT>) {
        # skip any old ipset creation commands
        if (/#START IPSET CREATION -- DO NOT REMOVE$/) {
            while (<INIT>) {
                /#END IPSET CREATION -- DO NOT REMOVE$/ && last;
            }
            $_ = <INIT>;
            # stop if the old block was the last thing in the file
            last unless defined($_);
        }
        # write the new block just before the marker that ends the init file
        if (/^#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE$/) {
            print $fh "#START IPSET CREATION -- DO NOT REMOVE\n";
            print $fh "/bin/echo -e \"Creating any undefined ipsets...\\c\"\n";
            foreach my $ipset (@ipsets) {
                # create the set only if listing it fails, i.e. it does not exist yet
                print $fh "ipset -L $ipset >/dev/null 2>&1 || { /bin/echo -e \"$ipset...\\c\"; ipset -N $ipset iphash; }\n";
            }
            print $fh "echo\n";
            print $fh "#END IPSET CREATION -- DO NOT REMOVE\n";
        }
        print $fh $_;
    }
    close($fh);
} else {
    die "failed to open init script: $!";
}
close(INIT);

# now replace init with the newly created file
rename($filename, "init") || die "failed to replace init: $!";
---- cut ----
Prints out a few nice messages as it works.
Cheers,
b.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
