#!/bin/sh
#
# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>

# Shared status code for the functions in this file: 0 = no error,
# 1 = lookup found nothing (get_zoneiflist), 3 = bad usage / missing data
# (manage_fw, manage_sa, manage_nonesa). Presumably read by the script that
# sources this file — confirm. A function invoked inside $(...) runs in a
# subshell, so any errno it sets never reaches the calling shell; rely on
# the return status in that case.
errno=0

# get_fieldval gate src "$(/usr/sbin/ip route get $4)" # fetches the value of a field,
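#
# e.g. ip route get `nslookup www.xiaohuamao.top |awk 'NR == 5 {print $3}'`
# prints: 47.100.200.1 via 192.168.254.254 dev eth5 src 192.168.254.127
#
# get_fieldval VARNAME KEY "TEXT"
#   Scans the space-separated words of TEXT for the first word equal to KEY
#   and assigns the word that follows it to the variable named VARNAME
#   (KEY=src picks the source address out of the route lookup above).
#   Nothing is assigned when KEY is absent, when KEY is the last word, or
#   when VARNAME is empty or not a plain shell identifier.
#   Returns 0 in every case.
get_fieldval() {
  local __data="$3"
  local __rest
  local __value

  # VARNAME is spliced into an eval below, so it must be a plain identifier;
  # anything else is refused rather than handed to the shell parser.
  case "$1" in
    ''|*[!A-Za-z0-9_]*|[0-9]*) return 0 ;;
  esac

  while true ; do
    __rest=${__data#* }
    # No space left: __data is the final word and has no value after it.
    test "$__rest" = "$__data" && break
    if [ "${__data%% *}" = "$2" ]; then
      __value=${__rest%% *}
      # Reference the value through a variable instead of splicing its text
      # into the eval'd statement: the value comes from command output, and
      # this way any shell metacharacters in it are stored verbatim rather
      # than executed.
      eval "$1=\$__value"
      break
    fi
    __data="$__rest"
  done
  return 0
}

# This function manages the firewall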
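# Call as: manage_fw add $confIntZone $confExtZone "$remnet"
#   (zones are e.g. lan wan)
# config_get confExtZone "$1" ext_zone wan  # reads that option from the
#   config file; which section it lives in does not matter here
#
# manage_fw MODE INT_ZONE EXT_ZONE "NETLIST"
#   MODE add|up|1 appends (-A) and del|down|0 deletes (-D), for every
#   network in the whitespace-separated NETLIST, ACCEPT rules in the
#   per-zone chains: forwarding_<INT_ZONE>_rule matching source = net, and
#   output_<EXT_ZONE>_rule, forwarding_<EXT_ZONE>_rule and
#   nat postrouting_<EXT_ZONE>_rule matching destination = net.
#   Sets errno=3 and returns 3 on bad usage (unknown MODE, or an empty zone
#   name or NETLIST — empty zones would otherwise yield a bogus chain name).
#   Otherwise returns 0 when every iptables call succeeded, else the status
#   of the last failing call. $log is expected to hold the logging command;
#   it is not defined in this file (presumably set by the sourcing script).
manage_fw() {
  local cmd=/usr/sbin/iptables
  local mode
  local item
  local rc=0

  if [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
    $log "Bad usage of manage_fw"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) mode=A ;;
    del|down|0) mode=D ;;
    *) errno=3; return 3 ;;
  esac

  # $4 is deliberately unquoted: it is a whitespace-separated list.
  for item in $4 ; do
    $cmd -$mode "forwarding_$2_rule" -s "$item" -j ACCEPT || rc=$?
    $cmd -$mode "output_$3_rule" -d "$item" -j ACCEPT || rc=$?
    $cmd -$mode "forwarding_$3_rule" -d "$item" -j ACCEPT || rc=$?
    $cmd -t nat -$mode "postrouting_$3_rule" -d "$item" -j ACCEPT || rc=$?
  done
  return $rc
}

# manage_sa add "$locnet" "$remnet" $remote
# option local_net '0.0.0.0/31'
# option remote_net '0.0.0.0/31'
# option remote 'anonymous'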
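# This function manages the IPsec security policies (the secure tunnel).
# IPsec needs the two LANs defined, e.g. 192.168.1.1/24 and 10.10.10.0/24;
# the policy only triggers for traffic between hosts inside those ranges.
# Besides the LANs it needs the gateway of each LAN; this replaces the old
# "setkey -f ipsec.conf".
#
# manage_sa MODE "LOCAL_NETS" "REMOTE_NETS" REMOTE_GW [ROUTE_VIA]
#   MODE add|up|1 installs and del|down|0 removes, for every pair of a
#   local and a remote network, an ESP tunnel-mode SPD entry (out and in)
#   between this host's outbound address and REMOTE_GW, fed to setkey on
#   stdin. It then adds/deletes a route to each remote network via
#   ROUTE_VIA (default: the outbound address) from a background subshell
#   after a 3 s delay; that job is never waited for, so route failures are
#   not reported. Sets errno=3 and returns 3 on bad usage or when no
#   outbound address can be determined. $log is expected to hold the
#   logging command (presumably set by the sourcing script).
manage_sa() {
  local spdcmd
  local rtcmd
  local gate
  local litem
  local ritem

  if [ -z "$4" ]; then
    $log "Bad usage of manage_sa"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) spdcmd=add; rtcmd=add ;;
    del|down|0) spdcmd=delete; rtcmd=del ;;
    *) errno=3; return 3 ;;
  esac

  # The "src" field of the kernel route lookup is this host's outbound
  # address towards the remote gateway, i.e. the local tunnel endpoint.
  # Cleared first: in ash/dash "local gate" inherits an outer value, which
  # would otherwise slip past the emptiness check when the lookup fails.
  gate=
  get_fieldval gate src "$(/usr/sbin/ip route get "$4")"
  if [ -z "$gate" ]; then
    $log "Can not find outbound IP for $4"
    errno=3; return 3
  fi

  # $2 and $3 are deliberately unquoted: whitespace-separated network lists.
  for litem in $2 ; do
    for ritem in $3 ; do
      printf '%s\n' \
        "spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;" \
        "spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;" \
        | /usr/sbin/setkey -c 1>&2
    done
  done

  test -n "$5" && gate=$5
  for ritem in $3 ; do
    (sleep 3; /usr/sbin/ip route $rtcmd "$ritem" via "$gate") &
  done
}

# manage_nonesa MODE local|remote "NETLIST" ADDR
#   MODE add|up|1 installs and del|down|0 removes "none" SPD entries, i.e.
#   bypass policies, between ADDR and every network in the whitespace-
#   separated NETLIST. With "local", ADDR is the local side
#   (out: ADDR -> net, in: net -> ADDR); with "remote" both directions are
#   swapped. Sets errno=3 and returns 3 on bad usage.
manage_nonesa() {
  local spdcmd
  local item
  local cout cin

  if [ -z "$4" ]; then
    $log "Bad usage of manage_nonesa"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) spdcmd=add ;;
    del|down|0) spdcmd=delete ;;
    *) errno=3; return 3 ;;
  esac

  case "$2" in
    local|remote) ;;
    *) errno=3; return 3 ;;
  esac

  # $3 is deliberately unquoted: whitespace-separated network list.
  for item in $3 ; do
    if [ "$2" = "local" ]; then
      cout="$4 $item"
      cin="$item $4"
    else
      cout="$item $4"
      cin="$4 $item"
    fi
    printf '%s\n' \
      "spd$spdcmd $cout any -P out none;" \
      "spd$spdcmd $cin any -P in none;" \
      | /usr/sbin/setkey -c 1>&2
  done
}

# Provides network_is_up and network_get_ipaddrs, used by get_zoneiplist.
. /lib/functions/network.sh

# get_zoneiflist ZONE
#   Prints the "network" option of the firewall zone named ZONE, as stored
#   in UCI. Walks firewall.@zone[0], [1], ... until the name matches or uci
#   returns nothing. When no zone matches, sets errno=1 and returns 1
#   without printing. A caller using $(get_zoneiflist ...) runs it in a
#   subshell, so errno does not reach the caller — check the return status.
get_zoneiflist() {
  local item
  local data

  item=0
  # The UCI path is quoted: "[0]" is a glob bracket expression and would
  # otherwise be matched against filenames in the current directory.
  data=$(uci get "firewall.@zone[$item].name")
  while [ -n "$data" ]; do
    test "$data" = "$1" && break
    item=$((item + 1))
    data=$(uci get "firewall.@zone[$item].name")
  done

  if [ -z "$data" ]; then
    errno=1
    return $errno
  fi

  data=$(uci get "firewall.@zone[$item].network")
  echo "$data"
}

# get_zoneiplist ZONE
#   Prints, on one line separated by single spaces, the addresses that
#   network_get_ipaddrs reports for every interface of firewall zone ZONE
#   that network_is_up says is up; interfaces that are down or yield no
#   address are skipped. Sets errno=1 and returns 1 when the zone is
#   unknown or has no interfaces.
get_zoneiplist() {
  local item
  local addr
  local data
  local result
  local rc

  data=$(get_zoneiflist "$1")
  rc=$?
  # get_zoneiflist ran in a subshell, so the errno it set is lost here;
  # its return status is the reliable signal, and errno must be set again
  # in this shell for the caller to see it.
  if [ "$rc" -gt 0 ] || [ -z "$data" ]; then
    errno=1
    return 1
  fi

  # $data is deliberately unquoted: whitespace-separated interface list.
  for item in $data ; do
    if network_is_up "$item" ; then
      network_get_ipaddrs addr "$item"
      test $? -eq 0 && result="$result $addr"
    fi
  done

  # Unquoted expansion through echo collapses the whitespace and drops the
  # leading space left by the accumulation above.
  result=$(echo $result)
  echo "$result"
}

# EOF /etc/racoon/functions.sh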