Re: [Shorewall-users] dynamically adding rules when hosts connect

Mon, 08 Sep 2008 20:30:02 -0700 

On Mon, 2008-09-08 at 23:14 -0400, Brian J. Murrell wrote:
> here is the
> compile script (for Shorewall-perl)

I hate it when I do this, but here's the cleaned up version...

---- cut ----
use File::Temp qw/ tempfile tempdir /;

print "Finding used ipsets\n";

my @ipsets;

open(HOSTS, "hosts") || die "failed to open hosts file: $!";
while (<HOSTS>) {
        s/#.*//;
        /^$/ && next;
        my ($zone, $hosts, $options ) = split(' ');
        if ($hosts =~ /^.+:\+([a-zA-Z]\w*)$/) {
                push(@ipsets, $1);
        }
}
close(HOSTS);

print "Creating init rules to create undefined ipsets\n";

open(INIT, "init") || die "failed to open init script: $!";

my ($fh, $filename) = tempfile("initXXXXXX");
while (<INIT>) {
        # skip any old ipset creation commands
        if (/#START IPSET CREATION -- DO NOT REMOVE$/) {
                while (<INIT>) {
                    /#END IPSET CREATION -- DO NOT REMOVE$/ && last;
                }
                $_ = <INIT>;
        }

        if (/^#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT 
REMOVE$/) {
                print $fh "#START IPSET CREATION -- DO NOT REMOVE\n";
                print $fh "new_ipset() {
        local NAME=\"\$1\"
        ipset -L \"\$NAME\" >/dev/null 2>&1 || {
                /bin/echo -e \"\$NAME...\\c\"
                ipset -N \"\$NAME\" iphash
        }
}\n\n";
                print $fh "/bin/echo -e \"Creating any undefined 
ipsets...\\c\"\n";
                foreach my $ipset (@ipsets) {
                        #print $fh "ipset -L $ipset >/dev/null 2>&1 || { 
/bin/echo -e \"$ipset...\\c\"; ipset -N $ipset iphash; }\n"
                        print $fh "new_ipset \"$ipset\"\n";
                }
                print $fh "echo\n";
                print $fh "#END IPSET CREATION -- DO NOT REMOVE\n";
        }
        print $fh $_;
}
close($fh);

close(INIT);

# now replace init with the newly created file
unlink("init");
link($filename, "init");
unlink($filename);
---- cut ----

Cheers again,
b.

Attachment: signature.asc
Description: This is a digitally signed message part

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to