diff -up arptables_jf-0.0.8/arptables.init.initscript arptables_jf-0.0.8/arptables.init
--- arptables_jf-0.0.8/arptables.init.initscript 2003-06-27 18:10:15.000000000 +0200
+++ arptables_jf-0.0.8/arptables.init 2010-03-24 09:26:03.629793534 +0100
@@ -1,8 +1,20 @@
 #!/bin/sh
 #
+### BEGIN INIT INFO
+# Provides: arptables_jf
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Short-Description: userspace control program for the arptables network filter
+# Description: The arptables_jf utility controls the arpfilter network packet filtering
+# code in the Linux kernel. You do not need this program for normal
+# network firewalling. If you need to manually control which arp
+# requests and/or replies this machine accepts and sends, you should
+# install this package.
+### END INIT INFO
+
 # Startup script to implement /etc/sysconfig/arptables pre-defined rules.
 #
-# chkconfig: 2345 08 92
+# chkconfig: - 08 92
 #
 # description: Automates a packet filtering firewall with arptables.
 #
@@ -20,20 +32,6 @@
 ARPTABLES_CONFIG=/etc/sysconfig/arptables
-if [ ! -x /sbin/arptables ]; then
- exit 0
-fi
-
-KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
-KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
-
-if [ "$KERNELMAJ" -lt 2 ] ; then
- exit 0
-fi
-if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
- exit 0
-fi
-
 arp_table() {
 if fgrep -qsx $1 /proc/net/arp_tables_names; then
 arptables -t "$@"
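Review bot: `Required-Start: $local_fs $network` in the new LSB header orders this script after the network facility under dependency-based boot, while the `chkconfig: - 08 92` line in the same hunk keeps the legacy priority 08, i.e. before networking; for a filter whose purpose is to constrain ARP traffic the two headers disagree, and the LSB ordering would leave interfaces up with no ARP filtering until the script runs. Consider dropping `$network` from `Required-Start` and `Required-Stop`, or adding a comment in the header stating why a post-network start is acceptable. The header also carries no `Default-Start`/`Default-Stop` lines; if `chkconfig: -` is meant to say the service is never enabled by default, a one-line comment next to it, e.g. `# not enabled by default: rules are only applied once /etc/sysconfig/arptables exists`, would spare the next reader the inference.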
@@ -41,98 +39,121 @@ arp_table() { } start() { + if [ ! -x /sbin/arptables ]; then + exit 4 + fi + + KERNELMAJ=`uname -r | sed -e 's,\..*,,'` + KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` + + if [ "$KERNELMAJ" -lt 2 ] ; then + echo "Not supported for kernel $KERNELMAJ.$KERNELMIN" + exit 1 + fi + if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then + echo "Not supported for kernel $KERNELMAJ.$KERNELMIN" + exit 1 + fi + # don't do squat if we don't have the config file + echo -n $"Starting arptables_jf" if [ -f $ARPTABLES_CONFIG ]; then - # If we don't clear these first, we might be adding to - # pre-existing rules. - chains=`cat /proc/net/arp_tables_names 2>/dev/null` - echo -n $"Flushing all current rules and user defined chains:" - let ret=0 - for i in $chains; do arptables -t $i -F; let ret+=$?; done - arptables -F - let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - echo -n $"Clearing all current rules and user defined chains:" - let ret=0 - for i in $chains; do arptables -t $i -X; let ret+=$?; done - arptables -X - let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo + success + # If we don't clear these first, we might be adding to + # pre-existing rules. + chains=`cat /proc/net/arp_tables_names 2>/dev/null` + echo -n $"Flushing all current rules and user defined chains:" + let ret=0 + for i in $chains; do arptables -t $i -F; let ret+=$?; done + arptables -F + let ret+=$? + if [ $ret -eq 0 ]; then + success + else + failure + fi + echo + echo -n $"Clearing all current rules and user defined chains:" + let ret=0 + for i in $chains; do arptables -t $i -X; let ret+=$?; done + arptables -X + let ret+=$? 
+ if [ $ret -eq 0 ]; then + success + else + failure + fi + echo - for i in $chains; do arptables -t $i -Z; done + for i in $chains; do arptables -t $i -Z; done - echo -n $"Applying arptables firewall rules: " + echo -n $"Applying arptables firewall rules: " grep -v "^[[:space:]]*#" $ARPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/arptables-restore -c && \ - success || \ - failure - echo - touch /var/lock/subsys/arptables + success || \ + failure + echo + touch /var/lock/subsys/arptables + else + failure + echo + echo $"Configuration file /etc/sysconfig/arptables missing" + exit 6 fi } stop() { chains=`cat /proc/net/arp_tables_names 2>/dev/null` - echo -n $"Flushing all chains:" - let ret=0 - for i in $chains; do arptables -t $i -F; let ret+=$?; done - arptables -F; let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - - echo -n $"Removing user defined chains:" - let ret=0 - for i in $chains; do arptables -t $i -X; let ret+=$?; done - arptables -X; let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - echo -n $"Resetting built-in chains to the default ACCEPT policy:" + echo -n $"Flushing all chains:" + let ret=0 + for i in $chains; do arptables -t $i -F; let ret+=$?; done + arptables -F; let ret+=$? + if [ $ret -eq 0 ]; then + success + else + failure + fi + echo + + echo -n $"Removing user defined chains:" + let ret=0 + for i in $chains; do arptables -t $i -X; let ret+=$?; done + arptables -X; let ret+=$? 
+ if [ $ret -eq 0 ]; then + success + else + failure + fi + echo + echo -n $"Resetting built-in chains to the default ACCEPT policy:" arp_table filter -P IN ACCEPT && \ - arp_table filter -P OUT ACCEPT && \ - success || \ - failure + arp_table filter -P OUT ACCEPT && \ + success || \ + failure echo rm -f /var/lock/subsys/arptables } case "$1" in - start) +start) start ;; - stop) +stop) stop ;; - restart) +restart|reload) # "restart" is really just "start" as this isn't a daemon, - # and "start" clears any pre-defined rules anyway. - # This is really only here to make those who expect it happy + # and "start" clears any pre-defined rules anyway. + # This is really only here to make those who expect it happy start ;; - condrestart) +condrestart|try-restart|force-reload) [ -e /var/lock/subsys/arptables ] && start ;; - status) +status) tables=`cat /proc/net/arp_tables_names 2>/dev/null` for table in $tables; do echo $"Table: $table" @@ -140,24 +161,24 @@ case "$1" in done ;; - panic) - echo -n $"Changing target policies to DROP: " +panic) + echo -n $"Changing target policies to DROP: " arp_table filter -P IN DROP && \ - arp_table filter -P OUT DROP && \ - success || failure + arp_table filter -P OUT DROP && \ + success || failure echo - echo -n "Flushing all chains:" - arp_table filter -F IN && \ - arp_table filter -F OUT && \ - success || failure - echo - echo -n "Removing user defined chains:" - arp_table filter -X && \ - success || failure - echo - ;; + echo -n "Flushing all chains:" + arp_table filter -F IN && \ + arp_table filter -F OUT && \ + success || failure + echo + echo -n "Removing user defined chains:" + arp_table filter -X && \ + success || failure + echo + ;; - save) +save) echo -n $"Saving current rules to $ARPTABLES_CONFIG: " touch $ARPTABLES_CONFIG chmod 600 $ARPTABLES_CONFIG 
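Review bot: `touch /var/lock/subsys/arptables` in start() is reached even when `/sbin/arptables-restore -c` fails, because it follows the `&& success || failure` chain unconditionally, and the script still finishes with the unchanged `exit 0` after `esac` in the last hunk, so the init system and the `condrestart` arm see a successfully started, running filter although no rules were loaded. Create the lock only on a successful restore and leave start() with a non-zero status otherwise; start() already exits directly with `exit 4` and `exit 6` for its other failure cases, so the same shape fits. Separately, `exit 4` for a missing /sbin/arptables collides with the LSB meaning of 4 (insufficient privilege); 5 (program is not installed) is the matching code, while the `exit 6` for a missing config file is correct. The two `echo "Not supported for kernel ..."` messages also skip the `$"..."` translatable form every other message in the script uses.
```sh
	# … unchanged: binary and kernel version checks, flush and clear of existing chains …
	echo -n $"Applying arptables firewall rules: "
	if grep -v "^[[:space:]]*#" $ARPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/arptables-restore -c; then
		success
		echo
		touch /var/lock/subsys/arptables
	else
		failure
		echo
		exit 1
	fi
	# … unchanged: else branch for the missing config file …
```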
@@ -167,10 +188,9 @@ case "$1" in
 echo
 ;;
- *)
- echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
- exit 1
+*)
+ echo $"Usage: $0 {start|stop|restart|try-restart|force-reload|status|panic|save}"
+ exit 2
 esac
 exit 0
-
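Review bot: The new usage line lists `try-restart` and `force-reload` but omits `reload` and `condrestart`, both of which the case statement accepts via `restart|reload)` and `condrestart|try-restart|force-reload)` in the earlier hunk; either list them, e.g. `echo $"Usage: $0 {start|stop|restart|reload|condrestart|try-restart|force-reload|status|panic|save}"`, or drop the aliases so the message matches what the script handles. `exit 2` for an unknown action is the LSB value for invalid arguments, so that part of the change is right.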