netscript-2.4-5.3.0ubuntu1/README.etc
-------------------------------------

Netscript Configuration files

The files found in this directory are for an alternative network
configuration and IP filtering system for kernel 2.4 based on /bin/sh.
This system is designed for use with a routing daemon like zebra. This
system also uses iproute.

Most of what you should really have to edit is found in network.conf.

The files and their uses are as follows:

network.conf:   general network, bridging, QoS and some iptables
                configuration items. Comments in here contain the current
                documentation on the configuration items, which can even
                handle pppd, wanconfig, and ciped.

ipfilter.conf:  The shell script used to set up the iptables
                filtering/masquerading etc.

if.conf:        Lower level functions for configuring interfaces.

qos.conf:       Functions to configure Quality of Service using /sbin/tc

You should be able to do most things by editing the settings in
network.conf. See below for more details on this recommended editing
policy.

You will have to configure the firewall using the iptables commands
directly. Don't forget to save the configurations using the
'netscript ipfilter|ip6filter save' commands!

Unlike the last version, the firewalling and filtering is no longer
configured from network.conf. This has been done as stateful filtering has
helped obviate the need for great complexity in the firewall scripts, and
more flexibility is possible. It is a good idea to get down and get dirty
with iptables and learn it, which you will appreciate if you are running
this to build a network - you should understand things fully, or else you
will get things wrong.
UPGRADE PATH FROM KERNEL 2.4.X
------------------------------

The firewall/IP filtering stuff in ipfilter.conf is the part that changed
radically with the move to iptables and a far better way of setting up the
IP filtering rules. The QoS and interface startup/shutdown in if.conf have
changed too, but are backwards compatible with the old 2.2.x ipchains
version of netscript for the interface address configuration settings.
You will have to set up the filtering again to use iptables by directly
using the iptables commands.

Also, the kernel 2.2.x version scripts are set up so that iptables is only
run on a 2.4.x kernel; otherwise IP forwarding is disabled if beforehand
you set IPFWDING_KERNEL to FILTER_ON in network.conf. This means that when
you upgrade a box to a 2.4.x router kernel, you should then be able to
reboot it, log into it remotely and upgrade netscript to the version that
will support 2.4.x. In this situation, if you have set the old
IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all IP
forwarding through the box will also be disabled. This means that you can
safely remotely upgrade a firewall.

netscript-2.4-5.3.0ubuntu1/if.conf
----------------------------------

###############################################################################
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
###############################################################################

# Strip the trailing unit number from an interface name: eth0 -> eth
SED_IFSTR='s/\([A-Za-z]*\)[0-9]*$/\1/'
# Pull the address/prefix out of an "ip addr show" line
SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/'
SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/'
# Normalise user supplied addresses so they compare equal to what the
# kernel reports: drop leading zeroes in groups and collapse :0 runs
# next to an existing :: (IPv6), drop leading zeroes in octets (IPv4)
SED_IPV6ADDR="sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'"
SED_IPV4ADDR="sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'"

if_addr_start () {
	local IPADDR2 ADDR ADDR2
	local ADDRS
	local ANS
	local OIFS
	local IFACE=$1

	# Glue stuff: build "addr/len_peer_X_brd_Y" tokens; the underscores
	# are turned back into spaces via IFS when the address is added
	if [ -n "$MASKLEN" ]; then
		IPADDR="${IPADDR}/${MASKLEN}"
	fi
	if [ -n "$PTPADDR" ]; then
		IPADDR="${IPADDR}_peer_${PTPADDR}"
	fi
	if [ -n "$BROADCAST" ]; then
		IPADDR="${IPADDR}_brd_${BROADCAST}"
	fi
	if [ -n "$IP_EXTRA_ADDRS" ]; then
		IPADDR="$IPADDR $IP_EXTRA_ADDRS"
	fi

	# Take care of leading zeroes in supplied addresses
	for ADDR in $IPADDR; do
		if echo $ADDR | grep -q ':'; then
			#IPv6
			ADDR2=`echo $ADDR | eval $SED_IPV6ADDR`
			IPADDR2="$IPADDR2 $ADDR2"
		else
			#IPv4
			ADDR2=`echo $ADDR | eval $SED_IPV4ADDR`
			IPADDR2="$IPADDR2 $ADDR2"
		fi
	done
	IPADDR="$IPADDR2"

	# Set up link MTU etc
	ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU

	# Set up IPv6 Interface sysctl here before interface goes up
	ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS
	ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA
	ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO
	ifv6_setproc $1 accept_ra_rt_info_max_plen $IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
	ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE
	ifv6_setproc $1 forwarding $IPV6_FWDING
	ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS
	ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY

	# Bring the interface up
	ip link set dev $1 up
	# This one has to be set after interface up
	ifv6_setproc $1 mtu $IPV6_MTU

	# Set up the addresses on the interface: add every configured address
	# that the kernel does not already have
	ADDRS=`ip addr show dev $IFACE | grep '^.*inet[ 46]' \
		| sed -e "$SED_IPV4STR" | sed -e "$SED_IPV6STR"`
	for ADDR in $IPADDR; do
		for ADDR2 in $ADDRS; do
			ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'`
			ANS=${ADDR#$ADDR2}
			if [ "$ANS" != "$ADDR" ]; then
				# already present - next configured address
				continue 2
			fi
		done
		OIFS=$IFS
		IFS="${IFS}_"
		ip addr add $ADDR dev $IFACE
		IFS=$OIFS
	done

	# Strip out addresses that should not be there
	for ADDR in $ADDRS; do
		# Don't delete IPv6 link local addresses
		if echo $ADDR | grep -q -i '^fe[89ab]'; then
			continue
		fi
		ANS=`echo $IPADDR | grep $ADDR`
		if [ -z "$ANS" ]; then
			ip addr del $ADDR dev $IFACE
		fi
	done
	return 0
}

if_addr_stop () {
	qt ip link set $1 down
	qt ip addr flush dev $1
}

if_up () {
	local ADDR

	# sort out a few things to make life easier - here so that you
	# can see what is done and so that you can add anything if needed
	eval IPADDR=\${"$1"_IPADDR:-""}		# I am also a good genius
	eval MASKLEN=\${"$1"_MASKLEN:-""}
	eval BROADCAST=\${"$1"_BROADCAST:-""}
	eval PTPADDR=\${"$1"_PTPADDR:-""}
	eval IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
	eval MTU=\${"$1"_MTU:-""}
	eval MULTICAST=\${"$1"_MULTICAST:-""}
	eval HB_TICKLE=\${"$1"_HB_TICKLE:-""}
	eval BRIDGE=\${"$1"_BRIDGE:-""}
	eval RESOLVCONF=\${"$1"_RESOLVCONF:-""}
	eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
	eval local FAIRQ=\${"$1"_FAIRQ:-""}
	eval local TXQLEN=\${"$1"_TXQLEN:-""}
	eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
	eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
	eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
	eval local IP_SEND_REDIRECTS=\${"$1"_IP_SEND_REDIRECTS:-""}
	eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
	eval IPV6_ACCEPT_REDIRECTS=\${"$1"_IPV6_ACCEPT_REDIRECTS:-""}
	eval IPV6_ACCEPT_RA=\${"$1"_IPV6_ACCEPT_RA:-""}
	eval IPV6_ACCEPT_RA_PINFO=\${"$1"_IPV6_ACCEPT_RA_PINFO:-""}
	eval IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=\${"$1"_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN:-""}
	eval IPV6_DISABLE=\${"$1"_IPV6_DISABLE:-""}
	eval IPV6_FWDING=\${"$1"_IPV6_FWDING:-""}
	eval IPV6_PRIVACY=\${"$1"_IPV6_PRIVACY:-""}
	eval IPV6_ROUTER_SOLICITATIONS=\${"$1"_IPV6_ROUTER_SOLICITATIONS:-""}
	eval IPV6_MTU=\${"$1"_IPV6_MTU:-""}

	# A per-interface gateway becomes the global default gateway, but only
	# if no global one has been configured yet
	if [ -n "$DEFAULT_GW" -a -z "$IPV4_DEFAULT_GW" ]; then
		IPV4_DEFAULT_GW="$DEFAULT_GW"
		IPV4_DEFAULT_GWDEV="$1"
	fi

	unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU
	if [ -n "$BROADCAST" ] ; then
		IFCFG_BROADCAST="broadcast $BROADCAST"
	fi
	if [ -n "$MTU" ] ; then
		IFCFG_MTU="mtu $MTU"
	fi
	if [ -n "$MULTICAST" ] ; then
		case $MULTICAST in
			No|no|NO|off|Off|OFF)
				IFCFG_MULTICAST="multicast off"
				;;
			Yes|YES|yes|on|On|ON)
				IFCFG_MULTICAST="multicast on"
				;;
			*)
				unset IFCFG_MULTICAST
				;;
		esac
	fi

	local IFTYPE=`echo $1 | sed -e $SED_IFSTR`

	# Do dee global bridge stuff
	brg_global

	# Set default interface flags here - used for PPP and WAN interfaces
	# IPv4
	ifv4_setproc default rp_filter $DEF_IP_SPOOF
	ifv4_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
	ifv4_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS

	# Set up each interface
	if qt type ${1}_start ; then
		# execute user supplied individual interface start up
		${1}_start $1
	elif qt type ${IFTYPE}_start ; then
		# execute user supplied typed interface start up
		${IFTYPE}_start $1
	else
		# default interface startup
		brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
		# Start interface
		if_addr_start $1
	fi

	# Do universal interface config items here
	# QoS setup
	ip_QoSclear $1
	ip_QoS $1

	# Set the TX Queue Length
	[ -n "$TXQLEN" ] \
		&& ip link set $1 txqlen $TXQLEN

	# Default route support
	ipv4_default_route $1
	ipv6_default_route $1

	# Set up routes and ARP etc
	if qt type ${1}_network ; then
		${1}_network $1
	fi

	# Resolvconf support
	if [ -n "$RESOLVCONF" ]; then
		if_resolvconf_up $1 "$RESOLVCONF"
	fi

	# Interface sysctl stuff here
	# IPv4
	# Spoof protection
	ifv4_setproc $1 rp_filter $IP_SPOOF
	# Kernel logging of martians on this interface
	ifv4_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
	# Shared Media stuff
	ifv4_setproc $1 shared_media $IP_SHARED_MEDIA
	# Sending of Redirects
	ifv4_setproc $1 send_redirects $IP_SEND_REDIRECTS
	# Proxy ARP support
	ifv4_setproc $1 proxy_arp $PROXY_ARP

	# Emit required upstart event - this can be adjusted
	iface_upstart_emit 'net-device-up' "IFACE=${1}" "LOGICAL=${1}" \
		'ADDRFAM=inet' 'METHOD=static'

	unset IPADDR MASKLEN BROADCAST PTPADDR IP_EXTRA_ADDRS MTU MULTICAST
	unset BROADCAST RESOLVCONF
	unset IPV6_ACCEPT_REDIRECTS IPV6_ACCEPT_RA IPV6_FWDING IPV6_MTU
	unset IPV6_ROUTER_SOLICITATIONS IPV6_PRIVACY IPV6_ACCEPT_RA_PINFO
	unset IPV6_DISABLE IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
	unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU
	return 0
}

if_down () {
	local FILE
	local IFTYPE=`echo $1 | sed -e $SED_IFSTR`

	# Clean up any resolvconf stuff
	if_resolvconf_down $1

	# Do Dee global bridge stuff
	brg_global

	if qt type ${1}_stop ; then
		# execute user supplied individual interface shutdown
		${1}_stop $1
	elif qt type ${IFTYPE}_stop ; then
		# execute user supplied typed interface shutdown
		${IFTYPE}_stop $1
	else
		# default action
		brg_iface $1 down $IPV6_DISABLE
		if_addr_stop $1
	fi

	# Clean up any QoS/fair queuing stuff
	ip_QoSclear $1

	# Clean up IPv6 stuff: put the per-interface sysctls back to the
	# kernel defaults
	if [ -d ${IPV6_PROC}/conf/${1} ]; then
		for FILE in accept_redirects accept_ra forwarding \
				router_solicitations use_tempaddr; do
			echo `cat $IPV6_PROC/conf/default/$FILE` \
				> $IPV6_PROC/conf/$1/$FILE
		done
	fi

	# Emit required upstart event - this can be adjusted
	iface_upstart_emit 'net-device-down' "IFACE=${1}" "LOGICAL=${1}" \
		'ADDRFAM=inet' 'METHOD=static'
	true
} #END if_down

if_lo_up () {
	# Bring up interface lo
	case "$IPV4_DISABLE" in
		YES|Yes|yes)
			;;
		*)
			qt ip addr add 127.0.0.1/8 broadcast 127.255.255.255 dev lo
			;;
	esac
	ip link set lo up \
		&& iface_upstart_emit 'net-device-up' 'IFACE=lo' 'LOGICAL=lo' \
			'ADDRFAM=inet' 'METHOD=static'
}

if_resolvconf_up () {
	if [ $# != 2 -a $# != 3 ]; then
		echo " Usage: `basename $0`: fn if_resolvconf_up " 1>&2
		echo "        `basename $0`: fn if_resolvconf_up " 1>&2
		return 1;
	fi
	! qt type resolvconf && return 1
	# printf rather than echo -e: /bin/sh (dash) echo does not take -e
	if [ $# = 3 ]; then
		printf 'search %s\nnameserver %s\n' "$2" "$3" | resolvconf -a $1
	else
		printf '%b' "$2" | resolvconf -a $1
	fi
}

if_resolvconf_down () {
	if [ $# != 1 ]; then
		echo " Usage: `basename $0`: fn if_resolvconf_down " 1>&2
		return 1;
	fi
	! qt type resolvconf && return 1
	# Go and do it...
	resolvconf -d $1
}

netscript-2.4-5.3.0ubuntu1/Makefile
-----------------------------------

# Edited for Debian GNU/Linux.
DESTDIR =
#
# Installation Makefile for netscript-2.4
#
# This is rude! FIXME!
ETCDIR=/etc
CONFDIR=$(DESTDIR)$(ETCDIR)/netscript
SBINDIR=$(DESTDIR)/sbin
USRSBINDIR=$(DESTDIR)/usr/sbin
INITDIR=$(DESTDIR)/etc/init.d
PPPETCDIR=$(DESTDIR)/$(ETCDIR)/ppp
PPPUPDIR=$(PPPETCDIR)/ip-up.d
PPPDOWNDIR=$(PPPETCDIR)/ip-down.d
INSTALL=/usr/bin/install

dummy:
	echo "BLeep!"

install: dummy
	- mkdir -p $(SBINDIR)
#	- mkdir -p $(USRSBINDIR)
	- mkdir -p $(UDEVLIBDIR)
	- mkdir -p $(CONFDIR)
	- mkdir -p $(PPPUPDIR)
	- mkdir -p $(PPPDOWNDIR)
	$(INSTALL) -m 755 netscript $(SBINDIR)/netscript
	$(INSTALL) -m 755 wep.conf $(CONFDIR)
	$(INSTALL) -m 644 ipfilter.conf network.conf $(CONFDIR)
	$(INSTALL) -m 644 if.conf qos.conf $(CONFDIR)
	$(INSTALL) -m 644 README.etc $(CONFDIR)/README
#	touch $(CONFDIR)/iptables
#	touch $(CONFDIR)/ip6tables
#	chmod 0400 $(CONFDIR)/iptables $(CONFDIR)/ip6tables
	$(INSTALL) -m 755 netscript.ppp.ip-up $(PPPUPDIR)/netscript
	$(INSTALL) -m 755 netscript.ppp.ip-down $(PPPDOWNDIR)/netscript

netscript-2.4-5.3.0ubuntu1/ChangeLog
------------------------------------

netscript-2.4 (5.1.0) unstable; urgency=low

  * Added initial support for laptops and whereami.

 -- Matthew Grant  Fri, 29 Oct 2004 08:38:27 +1300

netscript-2.4 (5.0.14) unstable; urgency=medium

  * Merge in work done for NMU.
  * Get rid of startup and shutdown init calls in maintainer scripts.

 -- Matthew Grant  Wed, 13 Oct 2004 08:40:55 +1300

netscript-2.4 (5.0.13-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * High-urgency upload for (trivial,) sarge-targeted RC bugfix
  * Replace zebra with quagga in Recommends:, since the former is no longer
    available (closes: #273043).
 -- Steve Langasek  Sat, 2 Oct 2004 03:07:00 -0700

netscript-2.4 (5.0.13) unstable; urgency=low

  * Added fix proposed by Bart Samwel, fixing problem with saving of
    filters with 'netscript ipfilter save'. Local vars MANGLE and FILTER
    were not initialised to zero in ipv4filter_check(). Also fixed
    ipv6filter_check(). (Closes: #267151)

 -- Matthew Grant  Sat, 28 Aug 2004 19:12:06 +1200

netscript-2.4 (5.0.12) unstable; urgency=low

  * Fix prerm script by editing out #DEBHELPER#. This fixes problem where
    netscript closes down all interfaces on package remove or purge.
    Leaving proper clean up for a month to allow people to get rid of the
    bad prerm package maintainer scripts - will go to telling debhelper to
    only install /etc/rc.d startup/shutdown symlinks. (Closes: #241989)

 -- Matthew Grant  Wed, 9 Jun 2004 12:07:49 +1200

netscript-2.4 (5.0.11) unstable; urgency=low

  * Add support for iptables policy match module to close new ipsec packet
    injection hole.
  * Changed ipfilter-defs(5) man page for new IPSEC interface name
    directives.

 -- Matthew Grant  Fri, 23 Apr 2004 14:28:40 +1200

netscript-2.4 (5.0.10) unstable; urgency=low

  * Initial work to netscript to work with the 2.6 kernel.
  * Removed configuration samples for deprecated Free S/WAN support.
    Free S/WAN KLIPS is a real mess in terms of interfaces, routing and
    config scripts!
  * Added mentions of 2.6 kernel in most places needed. Man pages may
    need it.
  * Removed suggestion for vrrpd - this was a failed experiment.
  * Upgraded standards version to 3.6.1.

 -- Matthew Grant  Fri, 26 Mar 2004 08:03:43 +1200

netscript-2.4 (5.0.9) unstable; urgency=low

  * Fix default case in init script.

 -- Matthew Grant  Tue, 23 Dec 2003 15:48:23 +1300

netscript-2.4 (5.0.8) unstable; urgency=low

  * Basically a clean up to get ready to go into unstable.
  * Changed 'net' command to 'netscript' to stop a clash with samba-common
    in sarge and sid.
  * Changed 'net-compile' to 'netscript-compile' to match above.
  * Adjusted config files and other files to match above.
  * Removed conffile as this results in duplicate config file lintian
    warnings.
  * Fixed lintian warning about 'Upstream Author(s)'.
  * Updated Debian Standards version to 3.5.7

 -- Matthew Grant  Mon, 15 Dec 2003 22:05:30 +0000

netscript-2.4 (5.0.7) unstable; urgency=low

  * Added work around for kernel crash bug with psd and limit modules.

 -- Matthew Grant  Sun, 8 Jun 2003 00:12:04 +1200

netscript-2.4 (5.0.6) unstable; urgency=low

  * Added support for adjusting portscan chain psd module parameters to
    deal with high traffic situations.

 -- Matthew Grant  Thu, 5 Jun 2003 16:12:25 +1200

netscript-2.4 (5.0.5) unstable; urgency=low

  * Previous change lost changes in 5.0.3 with ipfilter-defs.conf. Fixed.

 -- Matthew Grant  Tue, 3 Jun 2003 15:45:20 +1200

netscript-2.4 (5.0.4) unstable; urgency=low

  * Fixed problem with startup getting order of chains in iplcl and ipfwd
    incorrect. This was due to 2 ways of adding chains into these, a simple
    add on start up, and then indexing for manual incremental add ins.
    Gone to indexing mode for all additions, and made function that returns
    index into iplcl and ipfwd a lot faster (O(n) instead of O(n^2)). The
    change is only in /etc/netscript/ipfilter-defs.conf, has been tested
    carefully, and does not affect the rest of the netscript system.

 -- Matthew Grant  Tue, 3 Jun 2003 14:16:41 +1200

netscript-2.4 (5.0.3) unstable; urgency=low

  * Fixed problem with REJECT_UDP_NET - '-m STATE' should be '-m state'.
  * Added new alternative FreeS/WAN start up code for multiple interfaces.
    network.conf needs a cleanup for next release that is backwards
    compatible.
  * Fixed --pkt-type arguments in ipfilter-defs.conf. Fixes dropping of
    BROADCAST packets for INPUT and FORWARD chains.

 -- Matthew Grant  Thu, 29 May 2003 09:47:28 +1200

netscript-2.4 (5.0.2) unstable; urgency=low

  * Updated ipfilter-defs.5 manpage for new compile rules below.

 -- Matthew Grant  Wed, 23 Apr 2003 07:58:08 +1200

netscript-2.4 (5.0.1) unstable; urgency=low

  * Added support for more logging targets, for each type of new connection,
    so that strings can be prepended to log messages. New compile targets
    are LOG_BROADCAST, LOG_PROTO, LOG_UDP, LOG_TCP, LOG_UDP_NET, LOG_TCP_NET,
    LOG_NET, LOG_IFACE, LOG. The new LOG_MSG and LOG_MSG_RESET are used to
    set the log text.
  * Added support for network addresses for UDP, and TCP. Targets are
    ACCEPT_TCP_NET, ACCEPT_UDP_NET, REJECT_TCP_NET, REJECT_UDP_NET,
    DROP_TCP_NET, and DROP_UDP_NET, as well as above log targets.
  * Fixed spelling bug with the net-compile run messages.
  * Fixed net-compile bug where script would compile then give up with an
    error exit, and not complete compiling when there were no rules defined
    in ipfilter-defs files.
  * Manpages left to next minor release as this one has to get out the
    door...

 -- Matthew Grant  Tue, 15 Apr 2003 11:30:46 +1200

netscript-2.4 (5.0.0) unstable; urgency=low

  * Changed netscript so that it can support compiling and configuring
    from ipfilter-defs on start up.
  * Added type checking as much as practical to the net-compile command.
  * Updated manpages for existing commands.
  * Created manpages for ipfilter-defs.
  * Moved net-compile to /sbin from /usr/sbin.
  * Set permissions on install to 700 for ipfilter-defs directory as it
    contains security information.

 -- Matthew Grant  Mon, 24 Mar 2003 15:09:50 +1200

netscript-2.4 (4.23) unstable; urgency=low

  * Added MARTIAN_BYPASS to ipf4_martians so that some source addresses can
    be bypassed in martians check.
  * Fixed some of the examples in ipfilter-defs configuration.

 -- Matthew Grant  Wed, 26 Feb 2003 15:36:08 +1300

netscript-2.4 (4.22) unstable; urgency=low

  * Made some corrections for missing files etc.

 -- Matthew Grant  Tue, 25 Feb 2003 14:08:57 +1300

netscript-2.4 (4.21) unstable; urgency=low

  * Initial packaging of net compile functionality for IPv4.
    Documentation will be in next one, this is a trial build and run
    package.

 -- Matthew Grant  Tue, 25 Feb 2003 13:38:46 +1300

netscript-2.4 (4.20) unstable; urgency=low

  * Fix bug with interface type stop functions not executing due to
    missing 'type' keyword.
  * Made /sbin/net work with non modular kernels, in the case where lsmod
    is not installed, and where it is.

 -- Matthew Grant  Sat, 1 Feb 2003 17:03:45 +1300

netscript-2.4 (4.19) unstable; urgency=low

  * Install missing changelog...

 -- Matthew Grant  Thu, 16 Jan 2003 11:43:13 +1300

netscript-2.4 (4.18) unstable; urgency=low

  * Removed Debian sub versioning as the debian package is maintained in
    parallel to the source.
  * Removed vrrpd code as the daemon is unstable. Included example of how
    to get package going with heartbeat.

 -- Matthew Grant  Thu, 16 Jan 2003 10:53:45 +1300

netscript-2.4 (4.17-1) unstable; urgency=low

  * Fixed bug with /32 and /128 netmasks not being given in ethx_IPADDR.
  * Made VRRPD code work properly...
    - stopped new address code removing VRRPD IP addresses.

 -- Matthew Grant  Wed, 8 Jan 2003 10:13:03 +1300

netscript-2.4 (4.16-1) unstable; urgency=low

  * Adjusted module loading for ipt_helper module in 2.4.20
  * Fixed bug with deleting extraneous bridges where interfaces on running
    bridges were assumed to be disused bridges.

 -- Matthew Grant  Fri, 3 Jan 2003 12:10:38 +1300

netscript-2.4 (4.15-1) unstable; urgency=low

  * Add support for vrrpd daemon.
  * Revamp the handling of the forwarding switch, and add commands to help
    handle it.

 -- Matthew Grant  Mon, 30 Dec 2002 15:38:56 +1300

netscript-2.4 (4.14-1) unstable; urgency=low

  * Add ingress check rule and portscan chain for psd module to
    ipfilter.conf
  * Make ipfilter.conf test for and load /etc/netscript/ipfilter-local.conf
    if present.

 -- Matthew Grant  Tue, 26 Nov 2002 13:12:19 +1300

netscript-2.4 (4.13-1) unstable; urgency=low

  * Fix ipsec modules not unloading on 'net stop'. Function call was
    missing in stop_mod().

 -- Matthew Grant  Mon, 18 Nov 2002 15:00:34 +1300

netscript-2.4 (4.12-1) unstable; urgency=low

  * Fixed ipsec startup to deal with Free S/WAN .pid files if the machine
    went off because of power failure - ipsec0 was not starting
  * Fixed problem with source blocking in the IPv4 inbrdr chain creation -
    inbound source blocking was setting the destination instead of the
    source address.

 -- Matthew Grant  Sun, 10 Nov 2002 10:03:49 +1300

netscript-2.4 (4.11-1) unstable; urgency=low

  * Added support to load and unload Free S/WAN ipsec module, and extension
    modules as found in Debian Woody, and used in the Debian Router Project.

 -- Matthew Grant  Tue, 29 Oct 2002 22:57:36 +1300

netscript-2.4 (4.10-2) unstable; urgency=low

  * Fixed some of the comments in the network.conf file to make things
    clearer.

 -- Matthew Grant  Tue, 29 Oct 2002 06:55:51 +1300

netscript-2.4 (4.10-1) unstable; urgency=low

  * New Upstream Version
  * Fix problem with mangling set up preventing Free S/WAN from working
    properly - packet mangling was causing rerouting of ESP packets back
    into ipsec0 tunnel device...
  * Added support for adding static routes/static ARPs on interface
    start/reload.
  * Added support for subordinate interfaces (for controlling tunnels etc).

 -- Matthew Grant  Mon, 28 Oct 2002 23:22:56 +1300

netscript-2.4 (4.04-2) unstable; urgency=low

  * Fix up Free S/WAN start up so that rp_filter can be used...

 -- Matthew Grant  Fri, 18 Oct 2002 10:24:24 +1300

netscript-2.4 (4.04-1) unstable; urgency=low

  * Fix IPv4 icmp chain creation barfing because of conflict with protocol
    name... go figure.
  * Add support for Free S/WAN ipsec on one interface.
  * Add support for interface shutdown to chain shutdown of tunnel
    interfaces with manual manipulation...

 -- Matthew Grant  Wed, 16 Oct 2002 11:28:30 +1300

netscript-2.4 (4.03-1) unstable; urgency=low

  * New upstream release with fix for dynamic interfaces that don't exist
    at boot, otherwise you cannot manually start them.
  * Fix minor problem with hlp output and long interface lists.

 -- Matthew Grant  Fri, 4 Oct 2002 11:26:08 +1200

netscript-2.4 (4.02-1) unstable; urgency=low

  * New upstream release with tweaks and support for new 2.4.18-ac3 router
    kernels.
  * Added support for having iptables base modules compiled into the kernel
    by putting test into /sbin/net load_module() to test if base module is
    on the file system.
  * Added support for the following iptables 1.2.6a modules which have
    special dependencies: ipt_conntrack, ipt_NETMAP, ipt_SAME, ipt_POOL,
    ip_pool, and ipt_pool.

 -- Matthew Grant  Tue, 26 Mar 2002 12:17:56 +1200

netscript-2.4 (4.01-1) unstable; urgency=low

  * Added corrected ppp interface stuff to network.conf
  * Corrected some documentation in network.conf about QoS

 -- Matthew Grant  Fri, 28 Dec 2001 14:25:27 +1300

netscript-2.4 (4.0-4) unstable; urgency=low

  * Changed permissions of /etc/netscript/network.conf and ipfilter.conf
    to 0644 from 0600 as they do not contain information that is that
    sensitive anymore.

 -- Matthew Grant  Mon, 10 Dec 2001 20:52:24 +1300

netscript-2.4 (4.0-3) unstable; urgency=low

  * Fixed problems with build depends by switching to
    'Build-Depends-Indep'.

 -- Matthew Grant  Sat, 8 Dec 2001 11:26:46 +1300

netscript-2.4 (4.0-2) unstable; urgency=low

  * Fixed problem with Build-Depends being in binary section of control
    file, and not being in the Source section as required.

 -- Matthew Grant  Wed, 5 Dec 2001 15:05:02 +1300

netscript-2.4 (4.0-1) unstable; urgency=low

  * New version 4.0 with the following major changes
  * Converted to kernel 2.4.x, and iptables
  * Added IPv6 support, ip6tables and IPv6 interface configuration.
  * Removed filter and masquerade listing support as people should be
    using the iptables commands
  * All the old ipchains filtering scripts have been removed and replaced
    with shell script fragments via the ipfilter exec command.
  * Configuration is now saved to disk using the iptables-restore and
    iptables save commands (IPv4 and IPv6).
* Converted output messages to Debian format * Added code to load/unload iptables and QoS modules on start and stop. -- Matthew Grant Sat, 1 Dec 2001 14:33:21 +1300 netscript-2.2 (3.03-0potato1) unstable; urgency=low * Added ability to set/override multicast fflag and mtu of interface * Added IP source IP/network specification to DMZ_OPEN_DEST and DMZ_CLOSED_DEST lists for DMZ network access control filters -- Matthew Grant Sun, 21 Jan 2001 22:54:16 +1300 netscript-2.2 (3.02-0potato1) unstable; urgency=low * Fixed problem with OSPF multicasts being blocked by the external interface filtering. The obstruction could cause problems with Zebra ospfd and other OSPF daemons in general. -- Matthew Grant Thu, 7 Dec 2000 08:35:49 +1300 netscript-2.2 (3.01-0potato1) unstable; urgency=low * Removed unused INTERN_IF variable from network.conf * Fixed QoS reload for PPP interfaces * Reworked QoS loading for PP interfaces to make it nicer -- Matthew Grant Sun, 3 Dec 2000 17:41:22 +1300 netscript-2.2 (3.0-0.9) unstable; urgency=low * Initial Release. * first release in a tar ball format. This basically a rehash of what is in LRP Eiger. * More chains used to reduce CPU load on router filtering operations, * QoS made usable b y adding reload commands and providing facility to set aside lumps of bandwidth * More options provided to net command to make it more intiuitive to use * Added ability to list individual chains * Adapted for Debian and overhauled it to increase effeciency. * As this package will change rapidly, man pages are not available but will be written when stabilised. -- Matthew Grant Fri, 24 Nov 2000 17:07:15 +1300 Local variables: mode: debian-changelog End: netscript-2.4-5.3.0ubuntu1/netscript.ppp.ip-up0000775000000000000000000000044412262426365016051 0ustar #!/bin/sh [ ! -x /sbin/tc ] && exit 0 . /etc/netscript/network.conf . 
/etc/netscript/qos.conf ip_QoSppp $PPP_IFACE ip_QoS $PPP_IFACE eval TXQLEN=\${"$PPP_IFACE"_TXQLEN:-""} [ -z "$TXQLEN" ] && eval TXQLEN=\${ppp_TXQLEN:-""} [ -n "$TXQLEN" ] \ && ip link set dev $PPP_IFACE txqlen $TXQLEN netscript-2.4-5.3.0ubuntu1/LICENSE0000664000000000000000000000050312262426365013262 0ustar Copyright 1995-2000 Matthew Grant Portions copyright 1998,1999 David Cinege Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz You are free to distribute and use this software under the terms of the GNU General Public License. See COPYING netscript-2.4-5.3.0ubuntu1/ipfilter.conf.50000664000000000000000000000003112262426365015101 0ustar .so netscript-2.4.conf.5 netscript-2.4-5.3.0ubuntu1/netscript.ppp.ip-down0000775000000000000000000000016612262426365016375 0ustar #!/bin/sh [ ! -x /sbin/tc ] && exit 0 . /etc/netscript/network.conf . /etc/netscript/qos.conf ip_QoSclear $PPP_IFACE netscript-2.4-5.3.0ubuntu1/README0000664000000000000000000000665512262426365013153 0ustar NETSCRIPT version 4.0 The firewall and network configuration system for advanced Linux firewalls/routers, and it is NOT meant to be used on servers! Copyright 1995-2001 Matthew Grant 1998,1999 Dave Cinege This script system for network setup has its roots in the original firewalling setup that Matthew Grant did for a firewall using kernel 1.2.x. Since then it has been evolved through firewalls/routers on Linux kernels 2.0.x, 2.2.x 2.4.x, and 2.6.x. Version 1 was the stuff under kernel 2.0.x, version 2 on LRP 2.9.4 Kilimanjaro, Materhorn, and Eiger under 2.2, version 3.0 for Debian under kernel 2.2.x, and this one is for Debian under kernel 2.4.x and 2.6.x. You should install bridge-utils for bridging, iproute2 tools and iptables to use these scripts. Your kernel will need to be compiled for Advanced Router support and have almost the configuration options turned on. 
It is also recomended that routing software like zebra be installed on the system as it will make things like static routing and complex routing a lot easier to handle. A kernel configuration of what is needed can be found in 2.4.x-kernel.config It is also a good idea to add kernel patches from the iptables source tar ball, especially the IPv6 ones for logging support. The scripts will load all the neccessary modules for QoS and iptables. Documentation for this system is sparse at the moment, but more will be written as further development takes place. When installed, most of the configuration you will need will be found in /etc/netscript/network.conf including lower level protocol daemons/configuration programs like ciped, pppd, or wanconfig. You will have to configure the firewall using the iptables commands directly. Don't forget to save the configurations using the 'netscript ipfilter|ip6filter save' commands! Unlike the last version, the firewalling and filtering is no longer configured from network.conf. This has been done as stateful filtering obviates the need for great complexity in the firewall scripts, and more flexibility is possible. You have to get down and get dirty with iptables and learn it, which is a good thing to do if you are running this to build a network - you should understand things fully, or else you will get things wrong. UPGRADE PATH FROM KERNEL 2.2.X ------------------------------ The firewall/IP filtering stuff in ipfilter.conf is the part that changed radically with the move to iptables and a far better way of setting up the IP filtering rules, however the QoS and interface startup/shutdown in if.conf have changed but are backwards compatible with the old 2.2.x ipchains version of netscript for the interface address configuration settings. You will have to set up the filtering again to use iptables by directly using the iptables commands. 
Also, the kernel 2.2.x version scripts are set up so that iptables is only run on a 2.4.x kernel, otherwise IP forwarding is disabled if beforehand you set IPFWDING_KERNEL to FILTER_ON in network.conf. This means that when you upgrade a box to a 2.4.x router kernel, you should then be able to reboot it and log into remotely and upgrade netscript to the version that will support 2.4.x. In this situation, if you have set old IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all IP forwarding through the box will also be disabled. This means that you can safely remotely upgrade a firewall. netscript-2.4-5.3.0ubuntu1/network.conf0000664000000000000000000006526412262426365014634 0ustar ############################################################################### # General Settings ############################################################################### # # VERBOSE=(YES/NO) Default: Yes # Be verbose about settings. VERBOSE=YES # IPV6_MODULE=(YES/NO) Default: NO # If kernel is modular, enable IPv6 support by loading module. Once loaded, # it cannot be unloaded due to kernel internal dependencies. IPV6_MODULE=NO # IPV6_DISABLE=(YES/NO) Default: NO # Disable IPv6 protocol on all interfaces including lo IPV6_DISABLE=NO # IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # Enable IP forwarding in the kernel. FILTER_ON means forwarding will # only happen when IP filtering rules are loaded IPV4_FWDING_KERNEL=FILTER_ON IPV6_FWDING_KERNEL=FILTER_ON # IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE # IPV4_DEFAULT_GWDEV=eth0 # IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE # IPV6_DEFAULT_GWDEV=eth0 # IPV6_DEFAULT_PREFIX=2000::/3 # Default value # DEFAULT_METRIC=999999999 # Default value # # Default Route Setup # Use this to set the default route if required - ONLY one to be set. # routed or gated could be used to set this so only use if not running these. 
# These routes are installed at metric DEFAULT_METRIC so that netscript
# can identify its own routes. This means that it can delete them if the
# IPVn_DEFAULT_GW variables are not set. You can also specify a
# default prefix for IPv6 as the kernel does some funny things around
# default IPv6 routes. Also, later kernels will only route if the next hop is
# an fe80 link local address...
# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes
# Use if you are going to run a routing daemon such as
# bird, gated, mrtd, routed, or zebra.
#IPV4_DEFAULT_GW=192.0.2.11
#IPV4_DEFAULT_GWDEV=eth0
#IPV6_DEFAULT_GW=fe80::1:11
#IPV6_DEFAULT_GWDEV=eth0

# IP_FILTER_KERNEL=(NONE/PACKET/STATEFUL/NAT) Default: PACKET
# Set the level of NetFilter/IP Filtering in the kernel by controlling
# which classes of NetFilter modules get loaded.
#
# NONE - don't load IP NetFilter modules. Gives fastest packet forwarding
#        at expense of disabling QoS and any protection. Use when speed
#        is an absolute necessity.
#
# PACKET - Normal operation as a router. This satisfies most operational
#          routing conditions. QoS works as filter chains are used to
#          classify the packets.
#
# STATEFUL/NAT - Turns on full connection tracking stateful filtering and NAT.
#
# **WARNING** - If this was set to STATEFUL everywhere in a network
# of routers, it can result in TCP connections failing and TCP connection
# resets.
#
# ONLY set this to STATEFUL/NAT if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm. DO NOT switch to STATEFUL/NAT if the box
# is a conventional router as it breaks the TCP/IP RFCs. This option is
# needed when using IP NAT, IP masquerading, IP auto firewalling, IP port
# forwarding, transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers behind the router. Another use is a packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
IP_FILTER_KERNEL=PACKET

NET_GLOBAL_SYSCTL="
# This section is set up so that various network global variables can be set.
# Please refrain from trying to set interface variables using this, and
# use the switches provided in this file. It is very easy to configure
# the interfaces insecurely.

# Set whether programs can bind to non local IP addresses. Useful for weird
# NAT work
ipv4/ip_nonlocal_bind NO

# Set up the kernel to work with dynamic addressing on diald
ipv4/ip_dynaddr NO

# Control response to ICMP echo requests. The broadcast one also controls
# the response to multicast packets.
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES

# Turn off ecn - a good idea for most situations
ipv4/tcp_ecn NO
"

###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of back up kept. This is done by appending
# the number 0 to the setting below to the file name, and rotating them.
# Suggested minimum for this is 2, for 5 lots of backup. Can't be set
# any lower than 2.
BACKUP_LEVELS=3

###############################################################################
# Interfaces
###############################################################################
# IF_AUTO Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
IF_AUTO="eth0"

# IF_DYNAMIC Default: ""
# A space separated list of dynamic interfaces that are not created by
# the loading of a hardware driver etc. Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software
# program creates it. This is so that you can start these dynamic interfaces
# manually.
#IF_DYNAMIC="ppp0"

# IPv4 global proc flags
#
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO

# IPv6 global proc flags
#
# IF_DEFAULT_IPV6_DISABLE Default: NO - YES/NO
# Disable IPv6 on new interfaces by default. Useful when machine
# is a Virtual Machine server, heavily using bridges for network
# connections.
#IF_DEFAULT_IPV6_DISABLE=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma
# WAN interfaces
# IPv4 spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

#############################
# Bridge Setup - Global stuff
#############################
# Enable bridging - YES/NO/number of bridges
BRG_SWITCH=no
#
# AND Additional named bridges to add
#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0"
#
# Remove Bridges from Netfilter - default YES YES/NO
# Only need to turn this off if creating a transparent
# firewall!
#BRG_NETFILTER_REMOVE=YES

#############################
# Individual Interfaces setup
#############################
# eth0 stuff
# ----------
# ADDRESSING
#
# NB: WATCH LEADING ZEROES - address will not be added to interface!
#
# Use the old style:
#eth0_IPADDR=192.0.2.7
#eth0_MASKLEN=24
#eth0_BROADCAST=192.0.2.255
#
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.0.2.193 192.0.2.1/24"
#
# -OR- the new style which also supports IPv6...
#
#eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64"
#
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
#
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
#
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
#eth0_IP_SHARED_MEDIA=NO
#
# This setting configures the interface to either send redirects or not.
# This is useful for use with openvpn, due to the fact it can route packets
# out the same interface they came in on! - YES/NO
#eth0_IP_SEND_REDIRECTS=NO
#
# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works
# well without packet fragmentation
#eth0_IPV6_MTU=1500
#
# Disable IPv6 on this interface - default NO - YES/NO
#eth0_IPV6_DISABLE=NO
#
# Set the interface up in forwarding/non-forwarding configuration modes. This
# setting does not control the forwarding of packets via this interface. Use
# iptables for this. Host mode allows the acceptance of ICMP redirects and
# router advertisement packets (overridden by the flags below in host mode), as
# well as setting the IsRouter bit in Neighbour advertisements, and whether
# router solicitation packets are sent - YES/NO
#eth0_IPV6_FWDING=YES
#
# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO
#eth0_IPV6_ACCEPT_REDIRECTS=NO
#
# Accept IPv6 Router Advertisement packets in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA=YES
#
# Accept Prefix for SLAC addressing in IPv6 Router Advertisement packets
# in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA_PINFO=YES
#
# Accept routes advertised by Router Advertisements. Debian Kernel 2.6.32+
# This is the threshold for the bit length of the prefixes accepted. Kernel
# defaults to zero, which means accept none. 64 will accept normal IPv6 routes
#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
#
# Send router solicitations, gives number to send default 3 - YES/NO/0-9
#eth0_IPV6_ROUTER_SOLICITATIONS=0
#
# Enable IPV6 privacy extensions, default NO - YES/NO/0-2
# 1 enables privacy MAC addresses for global addressing, excluding ULA
# prefixes. 2 enables it for all ULA and global addresses, not recommended
#eth0_IPV6_PRIVACY=NO
#
# Set resolvconf details here. It takes /etc/resolv.conf settings as per
# resolv.conf(5). Note that you have to uncomment the whole string below! Will take
# \n as well
#eth0_RESOLVCONF="options edns0 inet6\nsearch internal.foo.org foo.org\nnameserver 192.0.2.1"

# Automatically start/stop these interfaces if this interface is manually
# started/stopped. Interfaces started in order of list, shutdown in reverse
# order.
#eth0_IF_CHAIN_AUTO="tun0"
#
# Automatically stop these interfaces if this interface is manually stopped.
# Interfaces stopped in reverse order of this list before those in
# IF_CHAIN_AUTO
#eth0_IF_CHAIN=""
#
# Bridge this interface - YES/NO/bridge interface
#eth0_BRIDGE=yes
#
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
#eth0_PROXY_ARP=NO
#
# Protocol MTU for interface
# - Set to override default interface value
#eth0_MTU=1500
#
# Multicast setting for interface
# Set to override configuration default - YES/NO|on/off
#eth0_MULTICAST=YES
#
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
#eth0_FAIRQ=NO
#
# Ethernet Transmit Queue Length
#eth0_TXQLEN=100
#
# Complex QoS - Enable all of these + above to turn it on
# Device Bandwidth
#eth0_BNDWIDTH=10Mbit
#
# Queue Handles - both must be unique
# Use for running tunnel daemons or other dynamic interfaces that
# can be here and gone very rapidly - not needed for async PPP
# eth0_HNDL1=1
# eth0_HNDL2=2
#
# Interactive Burst parameters - bandwidth and number of packets
#eth0_IABURST=100 # packets
#eth0_IARATE=1Mbit
#
# Device Physical MTU - includes link layer header
# NB FR has 8 bytes LL header, ethernet 14
#eth0_PXMTU=1514
#
# Committed Access Rate
# - if using FR, set to CIR, else to total combined bulk data
# throughput (ie eth0_BULKRATE + sum of special queue rates)
#eth0_CARATE=3Mbit
#
# Optional parameters for Complex QoS
#
# Peak Rate
# Use this to set FR Burst capacity
#eth0_PEAKRATE=4MBit
#
# Parameters for Bulk Data bandwidth shaping
# Bulk Rate - set for ordinary traffic.
# MUST MUST MUST be used with special queues
# to indicate the ordinary traffic load. Has to satisfy
# BULKRATE <= (CARATE - total_special_queue_bandwidth)
#eth0_BULKRATE=2MBit

# Special Queues - see further down in fair queuing section
# as this needs unique mark values
#eth0_SPQUEUE

# eth1_IPADDR="192.0.2.1/29_brd_192.0.2.7"
# eth1_IP_SPOOF=YES
# eth1_IP_KRNL_LOGMARTIANS=YES
# eth1_FAIRQ=NO
# eth1_TXQLEN=100
# eth1_BNDWIDTH=10Mbit
# eth1_CARATE=7Mbit
# eth1_HNDL1=3
# eth1_HNDL2=4
# eth1_IABURST=100
# eth1_IARATE=1Mbit
# eth1_PXMTU=1514
# eth1_PEAKRATE=8Mbit
# eth1_BULKRATE=6Mbit

#ppp1_IPADDR=192.0.2.1
#chdlc0_IPADDR=192.0.2.1_peer_192.0.2.2

# PPP interface stuff - these apply to all ASYNC ppp interfaces
ppp_FAIRQ=YES
ppp_TXQLEN=30
# Complex stuff
ppp_BNDWIDTH=30Kbit
ppp_IABURST=20
ppp_CARATE=20Kbit
ppp_IARATE=10Kbit
ppp_PXMTU=1500

############################
# Special Interface Handling
############################
# If the interface requires the running of a daemon or configuration program
# two functions must be supplied taking the interface name as the first
# and only argument. Both of these functions have names of the form
# _start and _stop, with the former
# starting the interface and the latter shutting it down and deconfiguring it.
# The following global variables will be set for the _start
# function if they are configured.
#
# IPADDR - interface IP address/mask -OR- the new form as above
# BROADCAST - interface broadcast address
# PTPADDR - PTP address of interface
# IP_EXTRA_ADDRS - Extra IP addresses/networks bound to interface
#
# The if_addr_start function in if.conf should be used to set the addresses on
# the interface once it is created. It also sets the interface sysctl
# /proc flags, and brings the interface up, as well as enabling the use
# of multiple addresses on the interface. The complementary if_addr_stop
# function should be used to down the interface and clear the addresses off it.
#
# BOTH A START AND A STOP FUNCTION SHOULD PROBABLY BE DEFINED if you use them.
#
# The if-type of an interface name is given by the first alpha-numerics
# of the name excluding the instance number on the end - ie the type of "eth1"
# is "eth" and the type of "wan1a2" is "wan1a".
#
# The code in if.conf first checks for an individual interface function,
# then a typed interface function, and then uses the default, which is for
# ethernet type interfaces.
#
# If you are starting a tunneling interface that is dependent on another
# interface being up to continue to function correctly, use the intX_IF_CHAIN
# and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to
# start and stop the tunneled interfaces. Also add the tunnel interface to
# IF_AUTO AFTER the hardware interface so that it is started on boot.
#
# Static routes and other network setup can be handled by using the
# _network functions or those above, but the recommendation is to
# run the zebra routing daemons as this has problems with clearing
# unwanted routes etc.
#
# Here are some example functions, some of which are actually used
#
# PPP - interface ppp0
#
ppp0_start () {
	# don't run pppd if link already exists...
	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
	# call ISP
	pppd call provider
}

#ppp1_start () {
#	# don't run pppd if link already exists...
#	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
#	pppd ttyS2 19200 passive local noauth ${IPADDR}:
#}
#
# NB Stop function is provided as a type function as it can cover all
# analogue ppp interface instances.
ppp_stop () {
	[ ! -f /var/run/$1.pid ] && return 0
	qt kill `cat /var/run/$1.pid`
	sleep 5	# Wait for pppd to die
}
#
# DHCP interface setup
#
# Comment out or change 'eth_' to 'eth0_'
eth_start () {
	if [ -x /sbin/dhclient ]; then
		qt /sbin/dhclient $1
	elif [ -x /sbin/dhcpcd ]; then
		qt /sbin/dhcpcd -R -N $1
	elif [ -x /sbin/pump ]; then
		/sbin/pump -i $1 -h `cat /etc/hostname`
	fi
}
#
eth_stop () {
	if [ -f /var/run/dhclient.pid ]; then
		qt kill `cat /var/run/dhclient.pid`
	elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then
		qt /sbin/dhcpcd -k $1
	elif [ -e /var/run/pump.sock ]; then
		/sbin/pump -i $1 -r
	fi
	if_addr_stop $1
}

# Openvpn setup
#tun_start () {
#	local PIDFILE="/var/run/openvpn.${1}.pid"
#	# don't run openvpn if link already exists...
#	[ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
#	openvpn --config /etc/openvpn/$1.netscript \
#		--writepid $PIDFILE \
#		--cd /etc/openvpn \
#		--daemon openvpn.$1
#
#}
#
#tun_stop () {
#	local PIDFILE="/var/run/openvpn.${1}.pid"
#	[ ! -f $PIDFILE ] && return 0
#	qt kill `cat $PIDFILE`
#	[ -f $PIDFILE ] && rm $PIDFILE
#	sleep 5	# Wait for openvpn to die
#}
#
#tap_start () {
#	tun_start "$@"
#}
#
#tap_stop () {
#	tun_stop "$@"
#}
#
#
# Interesting example showing how to set
# resolvconf nameserver details
#brg1_start () {
#	# default interface startup
#	brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
#	# Start interface
#	if_addr_start $1
#	local NS="
#nameserver 192.0.2.254
#"
#	echo "$NS" | resolvconf -a $1
#}
#
#brg1_stop () {
#	resolvconf -d $1
#	# default action
#	brg_iface $1 down $IPV6_DISABLE
#	if_addr_stop $1
#}

# More examples...
# inet0_start () {
#	if_addr_start $1
#	echo | resolvconf -a $1

	echo " `basename $0`: you must be root to run this command." 1>&2
	echo 1>&2
	exit 1
fi

TARGET_KERNEL1="2.4"
TARGET_KERNEL2="2.6"
TARGET_KERNEL3="3"

#DEBUG=1

SP=' '

qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . $1 ; }
basename () { echo "${1##*/}"; }

BANNER="# This file was generated by $0. It may be overwritten!"
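The two rules spelled out in the network.conf comments above, the "new style" address token (ADDR[/LEN][_brd_BCAST][_peer_PEER]) with its WATCH LEADING ZEROES caveat, and the start-function lookup order (interface function, then if-type function, then the default), reconstructed as an added stand-alone example. This is not netscript's own code (if.conf is not on this page); addr_spec_to_cmd, if_addr_cmds, if_type and if_start_dispatch are hypothetical names, the ppp0_start/ppp_start/default_if_start handlers are constructed samples, and the example prints the ip(8) commands it would run rather than executing them:

```shell
#!/bin/sh
# Added example, not netscript's own code.  It reconstructs two rules from the
# network.conf comments above: (1) the "new style" <ifname>_IPADDR token
# ADDR[/LEN][_brd_BCAST][_peer_PEER], turned into ip(8) arguments with the
# "WATCH LEADING ZEROES" caveat enforced, and (2) the start-function lookup
# order (interface function, then if-type function, then the default).
# All function names below are hypothetical.

# Return 0 if a dotted-quad address has an octet with a leading zero.
# "0192.0.002.07" is the kind of value the warning is about: the address
# silently never reaches the interface, so refuse it up front.
ipv4_has_leading_zero () {
	local OCT OLDIFS="$IFS"
	IFS=.
	set -- ${1%%/*}
	IFS="$OLDIFS"
	for OCT in "$@"; do
		case "$OCT" in
			0)  ;;            # a bare zero octet is fine
			0*) return 0 ;;   # "07", "002": leading zero
		esac
	done
	return 1
}

# Turn one address token into an "ip addr add" command line (printed, not
# run).  Returns 2 on a malformed token so the caller can stop before it
# touches the interface.
addr_spec_to_cmd () {
	local DEV="$1" ADDR BRD PEER FAM=4 OLDIFS="$IFS"
	IFS=_
	set -- $2                 # split ADDR _brd_ X _peer_ Y on underscores
	IFS="$OLDIFS"
	ADDR="$1"; shift
	while [ $# -ge 2 ]; do
		case "$1" in
			brd)  BRD="$2" ;;
			peer) PEER="$2" ;;
			*)    return 2 ;;    # unknown suffix keyword
		esac
		shift 2
	done
	[ $# -eq 0 ] || return 2      # keyword without a value
	case "$ADDR" in
		*:*) FAM=6; [ -z "$BRD" ] || return 2 ;;   # no broadcast in IPv6
		*)   ipv4_has_leading_zero "$ADDR" && return 2 ;;
	esac
	printf 'ip -%s addr add %s' "$FAM" "$ADDR"
	[ -z "$BRD" ]  || printf ' broadcast %s' "$BRD"
	[ -z "$PEER" ] || printf ' peer %s' "$PEER"
	printf ' dev %s\n' "$DEV"
}

# Expand a whole <ifname>_IPADDR value (space separated tokens); stop at
# the first bad token.
if_addr_cmds () {
	local DEV="$1" SPEC
	for SPEC in $2; do
		addr_spec_to_cmd "$DEV" "$SPEC" || return $?
	done
}

# The if-type is the name with its trailing instance number removed:
# eth1 -> eth, wan1a2 -> wan1a.
if_type () {
	printf '%s\n' "$1" | sed -e 's/[0-9]*$//'
}

# Run the most specific start handler that exists: <ifname>_start, then
# <iftype>_start, then the built-in default.
if_start_dispatch () {
	local IF="$1" TYPE
	TYPE=`if_type "$IF"`
	if type "${IF}_start" >/dev/null 2>&1; then
		"${IF}_start" "$IF"
	elif type "${TYPE}_start" >/dev/null 2>&1; then
		"${TYPE}_start" "$IF"
	else
		default_if_start "$IF"
	fi
}

# Constructed sample handlers standing in for the user's own functions.
ppp0_start ()       { echo "ppp0_start handles $1"; }
ppp_start ()        { echo "ppp_start handles $1"; }
default_if_start () { echo "default ethernet-style start handles $1"; }

# Usage when run directly
if_addr_cmds eth0 "192.0.2.7/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64"
if_addr_cmds chdlc0 "192.0.2.1_peer_192.0.2.2"
if_addr_cmds eth0 "0192.0.002.07/24" || echo "rejected: octet with a leading zero"
if_start_dispatch ppp0
if_start_dispatch ppp1
if_start_dispatch wan1a2
```

Run directly it prints the ip addr add lines for the two address styles shown above and which handler ppp0, ppp1 and wan1a2 would dispatch to. Leading zeros in IPv6 hextets are legal and pass; only dotted-quad octets are checked. Rejecting a bad token before anything is configured is preferable to the silent failure the comment warns about: an interface that quietly never gets its address is also a firewall whose rules never see the traffic they were written for.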
#Default safe settings
VERBOSE=YES
IPV6_MODULE=NO
IPV4_FWDING_KERNEL=NO
IPV6_FWDING_KERNEL=NO
IP_FILTER_KERNEL=PACKET
IF_AUTO="eth0"
IPV4_DISABLE=NO
IPV6_DISABLE=NO

BASE_MODPATH="/lib/modules/`uname -r`/kernel"
MODPATH="${BASE_MODPATH}/net"
KERN_VERSION=`uname -r | cut -d . -f 1,2`
if echo "$KERN_VERSION" | grep '^3\..*' -q; then
	KERN_VERSION='3'
fi
[ "$KERN_VERSION" = "$TARGET_KERNEL1" ] && MODEXT="o"
[ "$KERN_VERSION" = "$TARGET_KERNEL2" ] && MODEXT="ko"
[ "$KERN_VERSION" = "$TARGET_KERNEL3" ] && MODEXT="ko"
LIB_MODPATH="${BASE_MODPATH}/lib"
SCHED_MODPATH="${MODPATH}/sched"
NETFILTER_XMODPATH="${MODPATH}/netfilter"
NETFILTER_V4MODPATH="${MODPATH}/ipv4/netfilter"
NETFILTER_V6MODPATH="${MODPATH}/ipv6/netfilter"
NETFILTER_IPSETMODPATH="${NETFILTER_XMODPATH}/ipset"
NETFILTER_IPVSMODPATH="${NETFILTER_XMODPATH}/ipvs"
QOS_MODULES="sch_cbq sch_sfq sch_red sch_gred cls_fw"

NETFILTER_CONF="/etc/netscript"
IPTBL_FILE="$NETFILTER_CONF/iptables"
IPTBL_FILE_BACKUP="$IPTBL_FILE.backup"
IP6TBL_FILE="$NETFILTER_CONF/ip6tables"
IP6TBL_FILE_BACKUP="$IP6TBL_FILE.backup"
IPTBL="/sbin/iptables"
IPTBL_RESTORE="/sbin/iptables-restore"
IPTBL_SAVE="/sbin/iptables-save"
IP6TBL="/sbin/ip6tables"
IP6TBL_RESTORE="/sbin/ip6tables-restore"
IP6TBL_SAVE="/sbin/ip6tables-save"

MODULE_PROC="/proc/modules"
IPTBL_V4PROC="/proc/net/ip_tables_names"
IPTBL_V6PROC="/proc/net/ip6_tables_names"
IPV4_PROC="/proc/sys/net/ipv4"
IPV6_PROC="/proc/sys/net/ipv6"
IPFWD_V4PROC="${IPV4_PROC}/ip_forward"
IPFWD_V6PROC="${IPV6_PROC}/conf/all/forwarding"
IPV6_MODPATH=${MODPATH}/ipv6/ipv6.${MODEXT}
IPV6_DEFAULT_PREFIX=default
DEFAULT_METRIC=999999999

# Default is NO; the variable is read by ipsec_start_mod below
IPSEC_MODULE=NO
IPSEC_MODPATH="${MODPATH}/ipsec/ipsec.${MODEXT}"
IPSEC_EXTMODPATH="${MODPATH}/ipsec/ext"
BACKUP_LEVELS=2
BRG_NETFILTER_REMOVE="YES"
BRG_LIST="brg0"
IF_DEFAULT_IPV6_DISABLE="NO"
INITCTL="/sbin/initctl"

#==============================================================================#
# Read in configuration files
# - these ones can be changed by users
[ -f $NETFILTER_CONF/network.conf ] \
	&& source $NETFILTER_CONF/network.conf
IPFILTER=0
[ -f $NETFILTER_CONF/ipfilter.conf ] \
	&& source $NETFILTER_CONF/ipfilter.conf && IPFILTER=1
[ -f $NETFILTER_CONF/srvfilter.conf ] \
	&& source $NETFILTER_CONF/srvfilter.conf
[ -f $NETFILTER_CONF/if.conf ] \
	&& source $NETFILTER_CONF/if.conf
[ -f $NETFILTER_CONF/qos.conf ] \
	&& source $NETFILTER_CONF/qos.conf

[ "$DEBUG" ] && qt () { "$@" ; }
[ "$VERBOSE" = "NO" ] && vb () { qt "$@" ; }

[ -f /proc/net/ip_fwchains ] && IPCHAINS=1
[ -f /proc/net/ip_masq/autofw ] && IPAUTOFW=1
[ -f /proc/net/ip_masq/portfw ] && IPPORTFW=1
[ -f /proc/net/ip_masq/mfw ] && IPMFW=1

GDC_PATH=/usr/bin/gdc

# Build IF_LIST: the IF_AUTO interfaces first, then every other interface
# the kernel knows about (bar lo) plus the IF_DYNAMIC ones
IF_LIST="$IF_AUTO"
IFDEVLIST=`cat /proc/net/dev | grep '^[ _a-zA-Z0-9\-]\+:' | sed -e 's/^ *\([a-zA-Z0-9_\-]\+\):.*$/\1/'`
IFDEVLIST="$IFDEVLIST $IF_DYNAMIC"
for DEV in $IFDEVLIST; do
	if [ "$DEV" = "lo" ]; then
		continue
	fi
	ANS=`echo "$IF_LIST" | grep $DEV`
	if [ -z "$ANS" ]; then
		IF_LIST="$IF_LIST $DEV"
	fi
done
unset DEV IFDEVLIST ANS
IFLIST="`echo $IF_LIST | sed 's/ /|/g'`|all"
for IF in $IF_LIST; do
	REV_IF_LIST="$IF $REV_IF_LIST"
done
unset IF

# determine runlevel for disabling functionality in parallel boot environment
[ -x /sbin/runlevel ] && RUNLVL=`/sbin/runlevel | sed -e 's/^. \(.\)$/\1/'`

# translate old values for compatibility
if [ -n "$IPFWDING_KERNEL" ]; then
	IPV4_FWDING_KERNEL="$IPFWDING_KERNEL"
fi
if [ -n "$IPALWAYSDEFRAG_KERNEL" ]; then
	case "$IPALWAYSDEFRAG_KERNEL" in
		YES|Yes|yes)
			IP_FILTER_KERNEL=NAT
			;;
		NO|No|no)
			IP_FILTER_KERNEL=PACKET
			;;
	esac
fi
if [ -n "$IPV4_FILTER_KERNEL" ]; then
	IP_FILTER_KERNEL="$IPV4_FILTER_KERNEL"
fi

# Setup stuff for IPv6
IPV6_KRNL=0
[ -d $IPV6_PROC ] && IPV6_KRNL=1

#############################################################################
# Code to set up function lists for filtering
#############################################################################
get_fns () {
	local STR="s/^.* ${1}\([^ ]\+\)$/\1/"
	if [ -n "$BASH_VERSION" ]; then
		declare -F | grep $1 | sed -e "$STR"
	else
		hash | grep "^function $1" | sed -e "$STR"
	fi
}

for FN in `get_fns ipf4_`; do
	if [ -z "$IPF4_FNS" ]; then
		IPF4_FNS="$FN"
	else
		IPF4_FNS="${IPF4_FNS}|$FN"
	fi
done; unset FN

for FN in `get_fns ipf6_`; do
	if [ -z "$IPF6_FNS" ]; then
		IPF6_FNS="$FN"
	else
		IPF6_FNS="${IPF6_FNS}|$FN"
	fi
done; unset FN

###############################################################################
#Module loading on start up for iptables and QoS
###############################################################################
ls_mod () {
	if qt type lsmod && [ -f "$MODULE_PROC" ] && [ -z "$LS_MOD" ]; then
		LS_MOD=`lsmod | sed -e 's/^\([a-zA-Z0-9_\-]\+\) .*$/\1/'`
	fi
	echo "$LS_MOD"
	return 0
}

check_mod () {
	local MOD
	for MOD in `ls_mod`; do
		if [ "$MOD" = "$1" ]; then
			return 0
		fi
	done
	return 1
}

load_mod () {
	local MODNAME
	MODNAME="${1##*/}"
	MODNAME="${MODNAME%.$MODEXT}"
	# Check that the kernel supports modules
	if [ ! -f "$MODULE_PROC" ]; then
		return 0
	fi
	if [ ! -f $1 ]; then
		return 0
	fi
	if ! check_mod $MODNAME; then
		/sbin/insmod $1
	fi
}

unload_mod () {
	local MODNAME
	MODNAME="${1##*/}"
	MODNAME="${MODNAME%.$MODEXT}"
	check_mod $MODNAME && /sbin/rmmod $MODNAME > /dev/null 2>&1
}

IPSEC_EXTMOD_EXCLUDE="aes-opt"

ipsec_start_mod () {
	local I ANS
	if [ "$IPSEC_MODULE" != "YES" -a "$IPSEC_MODULE" != "Yes" \
		-a "$IPSEC_MODULE" != "yes" ]; then
		ipsec_stop_mod
		return 0
	fi
	if [ ! -f "$IPSEC_MODPATH" ]; then
		return 0
	fi
	load_mod "$IPSEC_MODPATH"
	if [ -d $IPSEC_EXTMODPATH ]; then
		for I in ${IPSEC_EXTMODPATH}/ipsec_*; do
			ANS="${I##*_}"
			ANS="${ANS%.$MODEXT}"
			eval "case \"$ANS\" in $IPSEC_EXTMOD_EXCLUDE) continue; ;; esac"
			load_mod $I
		done
	fi
	return 0
}

ipsec_stop_mod () {
	local I
	if [ -d $IPSEC_EXTMODPATH ]; then
		for I in ${IPSEC_EXTMODPATH}/ipsec_*; do
			unload_mod $I
		done
	fi
	unload_mod "$IPSEC_MODPATH"
	return 0
}

ipv6_start_mod () {
	if [ "$IPV6_MODULE" != "YES" -a "$IPV6_MODULE" != "Yes" \
		-a "$IPV6_MODULE" != "yes" ]; then
		ipv6_stop_mod
		return 0
	fi
	if [ $IPV6_KRNL -eq 1 ]; then
		return 0
	fi
	if [ ! -f "$IPV6_MODPATH" ]; then
		return 0
	fi
	load_mod "$IPV6_MODPATH"
	# Enable IPv6
	IPV6_KRNL=1
	return 1
}

ipv6_stop_mod () {
	unload_mod "$IPV6_MODPATH"
}

qos_start_mod () {
	local I
	if [ -d $SCHED_MODPATH ] ; then
		for I in $QOS_MODULES; do
			load_mod "$SCHED_MODPATH/${I}.${MODEXT}"
		done
	fi
}

qos_stop_mod () {
	local I
	if [ -d $SCHED_MODPATH ] ; then
		for I in $SCHED_MODPATH/cls_* $SCHED_MODPATH/sch_*; do
			unload_mod $I
		done
	fi
}

# These exist to make the following code easier to understand
X_BASE_MODS="x_tables nfnetlink nfnetlink_log nfnetlink_queue nfnetlink_acct xt_nfacct xt_RATEEST"
X_BASE_MODS_REV="xt_RATEEST xt_nfacct nfnetlink_acct nfnetlink_queue nfnetlink_log nfnetlink x_tables"
X_STATE_MODS_CASE="state|helper|connbytes|connlimit|conntrack|connmark|cluster|CONNMARK|NOTRACK|CONNSECMARK|hashlimit|CT|TEE|socket|TPROXY|ipvs|NETMAP|REDIRECT|connlabel|nat|nfacct"
X_STATE_MODS="xt_state xt_helper xt_connbytes xt_connlimit xt_conntrack xt_connmark xt_cluster xt_CONNMARK xt_NOTRACK xt_CONNSECMARK xt_CT xt_TEE xt_NETMAP xt_REDIRECT xt_connlabel xt_nat xt_nfacct"

x_nfbase_start_mod () {
	local I ANS
	case "$IP_FILTER_KERNEL" in
		PACKET|Packet|packet|NAT|Nat|nat|STATEFUL|Stateful|stateful)
			# load the base netfilter modules
			for I in $X_BASE_MODS; do
				load_mod $NETFILTER_XMODPATH/${I}.${MODEXT}
			done
			# Load all the ipset modules
			for I in $NETFILTER_IPSETMODPATH/ip_set.${MODEXT} \
				$NETFILTER_IPSETMODPATH/ip_set_*; do
				load_mod $I
			done
			# Load all the xt_ modules save the stateful ones
			for I in $NETFILTER_XMODPATH/xt_*; do
				ANS="${I##*_}"
				ANS="${ANS%.$MODEXT}"
				eval "case \"$ANS\" in $X_STATE_MODS_CASE) continue; ;; esac"
				load_mod $I
			done
			return 2
			;;
		*|NONE|None|none)
			return 1
			;;
	esac
}

x_nfbase_stop_mod () {
	local I ANS
	# Unload all the xt_ modules save the stateful ones
	for I in $NETFILTER_XMODPATH/xt_*; do
		ANS="${I##*_}"
		ANS="${ANS%.$MODEXT}"
		eval "case \"$ANS\" in $X_STATE_MODS_CASE) continue; ;; esac"
		unload_mod $I
	done
	# Unload all the ipset modules
	for I in $NETFILTER_IPSETMODPATH/ip_set_* \
		$NETFILTER_IPSETMODPATH/ip_set.${MODEXT}; do
		unload_mod $I
	done
	# Unload the base netfilter modules
	for I in $X_BASE_MODS_REV; do
		unload_mod $NETFILTER_XMODPATH/${I}.${MODEXT}
	done
	return 0
}

# These exist to make the following code easier to understand
IPV4_BASE_MODS="ip_tables iptable_filter iptable_mangle ip_queue ip_pool"
IPV4_BASE_MODS_REV="iptable_filter iptable_mangle ip_queue ip_pool ip_tables"
IPV4_STATE_MODS_CASE="defrag_ipv4|helper|state|iplimit|REDIRECT|MASQUERADE|conntrack|NETMAP|SAME|nat|CLUSTERIP"
IPV4_STATE_MODS="ipt_helper ipt_state ipt_iplimit ipt_REDIRECT ipt_MASQUERADE ipt_conntrack ipt_NETMAP ipt_SAME ipt_CLUSTERIP xt_ipvs"

ipv4_nfbase_start_mod () {
	local I ANS
	# load the base netfilter modules
	for I in $IPV4_BASE_MODS; do
		load_mod $NETFILTER_V4MODPATH/${I}.${MODEXT}
	done
	# Load all the ipt_ modules save the stateful/NAT ones listed in
	# IPV4_STATE_MODS_CASE (ipt_helper, ipt_state, ipt_REDIRECT,
	# ipt_MASQUERADE, ipt_iplimit, ...)
	for I in $NETFILTER_V4MODPATH/ipt_*; do
		ANS="${I##*_}"
		ANS="${ANS%.$MODEXT}"
		eval "case \"$ANS\" in $IPV4_STATE_MODS_CASE) continue; ;; esac"
		load_mod $I
	done
	return 0
}

ipv4_nfnat_start_mod () {
	local I ANS
	# Load connection tracking
	for I in $NETFILTER_V4MODPATH/ip_conntrack.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_defrag_ipv4.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack_proto_gre.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack_* \
		$NETFILTER_XMODPATH/nf_tproxy_* \
		$NETFILTER_V4MODPATH/nf_conntrack_* \
		$NETFILTER_V4MODPATH/ip_conntrack_*; do
		ANS="${I##*/}"
		ANS="${ANS%.$MODEXT}"
		case $ANS in
			nf_conntrack_netlink) continue; ;;
		esac
		load_mod $I
	done
	# Load NAT modules
	for I in $NETFILTER_V4MODPATH/ip_nat.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_nat.${MODEXT} \
		$NETFILTER_XMODPATH/nf_nat.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_nat_ipv4.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_conntrack_netlink.${MODEXT} \
		$NETFILTER_V4MODPATH/iptable_nat.${MODEXT} \
		$NETFILTER_V4MODPATH/ip_nat*.${MODEXT}; do
		load_mod $I
	done
	# Load virtual server modules
	load_mod $LIB_MODPATH/libcrc32c.${MODEXT}
	for I in $NETFILTER_IPVSMODPATH/ip_vs.${MODEXT} \
		$NETFILTER_IPVSMODPATH/ip_vs_*; do
		load_mod $I
	done
	# Load rest of xt_ modules
	for I in $X_STATE_MODS; do
		load_mod $NETFILTER_XMODPATH/${I}.${MODEXT}
	done
	# Load rest of ipt_ modules
	for I in $IPV4_STATE_MODS; do
		load_mod $NETFILTER_V4MODPATH/${I}.${MODEXT}
	done
	return 0
}

ipv4_nfnat_stop_mod () {
	local I
	# Unload rest of ipt_ modules
	for I in $IPV4_STATE_MODS; do
		unload_mod $NETFILTER_V4MODPATH/${I}.${MODEXT}
	done
	# Unload rest of xt_ modules
	for I in $X_STATE_MODS; do
		unload_mod $NETFILTER_XMODPATH/${I}.${MODEXT}
	done
	# Unload virtual server modules
	for I in $NETFILTER_IPVSMODPATH/ip_vs_* \
		$NETFILTER_IPVSMODPATH/ip_vs.${MODEXT}; do
		unload_mod $I
	done
	unload_mod libcrc32c
	# Unload NAT modules
	for I in $NETFILTER_V4MODPATH/ip_nat*.${MODEXT} \
		$NETFILTER_V4MODPATH/iptable_nat.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_conntrack_netlink.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_nat_ipv4.${MODEXT} \
		$NETFILTER_V4MODPATH/nf_nat.${MODEXT} \
		$NETFILTER_V4MODPATH/ip_nat.${MODEXT}; do
		unload_mod $I
	done
	# Unload connection tracking
	for I in $NETFILTER_V4MODPATH/ip_conntrack_* \
		$NETFILTER_V4MODPATH/nf_conntrack_* \
		$NETFILTER_V4MODPATH/nf_defrag_ipv4 \
		$NETFILTER_XMODPATH/nf_conntrack_pptp.${MODEXT} \
		$NETFILTER_XMODPATH/nf_tproxy_* \
		$NETFILTER_XMODPATH/nf_conntrack_* \
		$NETFILTER_XMODPATH/nf_conntrack_broadcast.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack.${MODEXT} \
		$NETFILTER_V4MODPATH/ip_conntrack.${MODEXT}; do
		unload_mod $I
	done
	return 0
}

ipv4_nf_stop_mod () {
	local I ANS
	# Unload all nat and connection tracking modules
	ipv4_nfnat_stop_mod
	# Unload all the ipt_ modules save the stateful/NAT ones listed in
	# IPV4_STATE_MODS_CASE
	for I in $NETFILTER_V4MODPATH/ipt_*; do
		ANS="${I##*_}"
		ANS="${ANS%.$MODEXT}"
		eval "case \"$ANS\" in $IPV4_STATE_MODS_CASE) continue; ;; esac"
		unload_mod $I
	done
	# Unload the core netfilter modules
	for I in $IPV4_BASE_MODS_REV; do
		unload_mod $NETFILTER_V4MODPATH/${I}.${MODEXT}
	done
	return 0
}

ipv4_nf_start_mod () {
	case "$IP_FILTER_KERNEL" in
		PACKET|Packet|packet)
			# Stop NAT level modules to provide packet reassembly switch
			# functionality
			ipv4_nfnat_stop_mod
			# Load Netfilter base modules
			ipv4_nfbase_start_mod
			return 2
			;;
		NAT|Nat|nat|STATEFUL|Stateful|stateful)
			ipv4_nfbase_start_mod
			ipv4_nfnat_start_mod
			return 3
			;;
		*|NONE|None|none)
			return 1
			;;
	esac
}

# IPv6 Module strings - adjust these to suit as needed
IPV6_BASE_MODS="ip6_tables ip6table_filter ip6table_mangle"
IPV6_BASE_MODS_REV="ip6table_filter ip6table_mangle ip6_tables"
IPV6_STATE_MODS_CASE='"MASQUERADE"'
IPV6_STATE_MODS="ip6t_MASQUERADE"

ipv6_nfbase_start_mod () {
	local I ANS
	# load the base netfilter modules
	for I in $IPV6_BASE_MODS; do
		load_mod $NETFILTER_V6MODPATH/${I}.${MODEXT}
	done
	# Load all the ip6t_ modules save the stateful/NAT ones listed in
	# IPV6_STATE_MODS_CASE
	for I in $NETFILTER_V6MODPATH/ip6t_*; do
		ANS="${I##*_}"
		ANS="${ANS%.$MODEXT}"
		eval "case \"$ANS\" in $IPV6_STATE_MODS_CASE) continue; ;; esac"
		load_mod $I
	done
	load_mod $NETFILTER_XMODPATH/xt_hashlimit.${MODEXT}
	return 0
}

ipv6_nfnat_start_mod () {
	local I
	# Load connection tracking
	for I in $NETFILTER_V6MODPATH/ip6_conntrack.${MODEXT} \
		$NETFILTER_V6MODPATH/ip6_conntrack_* \
		$NETFILTER_V6MODPATH/nf_defrag_ipv6.${MODEXT} \
		$NETFILTER_V6MODPATH/nf_conntrack_ipv6.${MODEXT}; do
		load_mod $I
	done
	# Load NAT modules
	for I in $NETFILTER_V6MODPATH/nf_nat_ipv6.${MODEXT} \
		$NETFILTER_V6MODPATH/ip6table_nat.${MODEXT} \
		$NETFILTER_V6MODPATH/ip6_nat*.${MODEXT}; do
		load_mod $I
	done
	# Load xt_socket and xt_TPROXY
	load_mod $NETFILTER_XMODPATH/xt_socket.${MODEXT}
	load_mod $NETFILTER_XMODPATH/xt_TPROXY.${MODEXT}
	# Load rest of ip6t_ modules
	for I in $IPV6_STATE_MODS; do
		load_mod $NETFILTER_V6MODPATH/${I}.${MODEXT}
	done
	return 0
}

ipv6_nfnat_stop_mod () {
	local I
	# Unload rest of ip6t_ modules
	for I in $IPV6_STATE_MODS; do
		unload_mod $NETFILTER_V6MODPATH/${I}.${MODEXT}
	done
	# Unload xt_socket and xt_TPROXY
	unload_mod $NETFILTER_XMODPATH/xt_TPROXY.${MODEXT}
	unload_mod $NETFILTER_XMODPATH/xt_socket.${MODEXT}
	# Unload NAT modules
	for I in $NETFILTER_V6MODPATH/ip6_nat*.${MODEXT} \
		$NETFILTER_V6MODPATH/ip6table_nat.${MODEXT} \
		$NETFILTER_V6MODPATH/nf_nat_ipv6.${MODEXT}; do
		unload_mod $I
	done
	# Unload connection tracking
	for I in $NETFILTER_V6MODPATH/nf_conntrack_ipv6.${MODEXT} \
		$NETFILTER_V6MODPATH/nf_defrag_ipv6.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack_broadcast.${MODEXT} \
		$NETFILTER_XMODPATH/nf_conntrack.${MODEXT} \
		$NETFILTER_V6MODPATH/ip6_conntrack_* \
		$NETFILTER_V6MODPATH/ip6_conntrack.${MODEXT}; do
		unload_mod $I
	done
	return 0
}

ipv6_nf_stop_mod () {
	local I ANS
	# Unload all nat and connection tracking modules
	ipv6_nfnat_stop_mod
	unload_mod $NETFILTER_XMODPATH/xt_hashlimit.${MODEXT}
	# Unload all the ip6t_ modules save the stateful/NAT ones listed in
	# IPV6_STATE_MODS_CASE
	for I in $NETFILTER_V6MODPATH/ip6t_*; do
		ANS="${I##*_}"
		ANS="${ANS%.$MODEXT}"
		eval "case \"$ANS\" in $IPV6_STATE_MODS_CASE) continue; ;; esac"
		unload_mod $I
	done
	# Unload the core netfilter modules
	for I in $IPV6_BASE_MODS_REV; do
		unload_mod $NETFILTER_V6MODPATH/${I}.${MODEXT}
	done
	return 0
}

ipv6_nf_start_mod () {
	if [ $IPV6_KRNL -lt 1 ]; then
		return 0
	fi
	case "$IP_FILTER_KERNEL" in
		PACKET|Packet|packet)
			# Stop NAT level modules to provide packet reassembly switch
			# functionality
			ipv6_nfnat_stop_mod
			# Load Netfilter base modules
			ipv6_nfbase_start_mod
			return 2
			;;
		NAT|Nat|nat|STATEFUL|Stateful|stateful)
			ipv6_nfbase_start_mod
			ipv6_nfnat_start_mod
			return 3
			;;
		*|NONE|None|none)
			return 1
			;;
	esac
}

start_mod () {
	local NFXRES NFV4RES NFV6RES V6RES
	vb echo "Loading networking modules..."
	# Load QoS modules
	qos_start_mod
	# Load Free S/WAN ipsec modules
	ipsec_start_mod
	# Load IPv6
	ipv6_start_mod
	V6RES=$?
	# Load X Netfilter modules
	x_nfbase_start_mod
	NFXRES=$?
	# Load IPv4 NetFilter
	ipv4_nf_start_mod
	NFV4RES=$?
	# Load IPv6 Netfilter
	ipv6_nf_start_mod
	NFV6RES=$?
	vb echo "Networking modules loaded."
	case "$NFV4RES" in
		3) vb echo "IPv4 filtering level is \`STATEFUL/NAT'." ;;
		2) vb echo "IPv4 filtering level is \`PACKET'." ;;
		1) vb echo "IPv4 filtering level is \`NONE'." ;;
	esac
	case "$V6RES" in
		1) vb echo "IPv6 protocol module is loaded." ;;
	esac
	case "$NFV6RES" in
		3) vb echo "IPv6 filtering level is \`STATEFUL/NAT'." ;;
		2) vb echo "IPv6 filtering level is \`PACKET'." ;;
		1) vb echo "IPv6 filtering level is \`NONE'." ;;
	esac
	return 0
}

stop_mod () {
	# Unload IPv6 Netfilter
	ipv6_nf_stop_mod
	# Unload all IPv4 Netfilter modules
	ipv4_nf_stop_mod
	# Unload all X Netfilter modules
	x_nfbase_stop_mod
	# Unload IPv6
	ipv6_stop_mod
	# Unload Free S/WAN ipsec modules
	ipsec_stop_mod
	# Unload QoS modules
	qos_stop_mod
	return 0
}

###############################################################################
#IP kernel option loading for global kernel switches
###############################################################################
# Reads "relative/proc/path VALUE [comment]" lines from stdin and writes each
# value under the directory given as $1. Lines whose first word is "#" are
# skipped, YES/NO become 1/0, and keys the kernel does not expose are ignored.
read_sysctl () {
	local PROCFILE PROCVAL COMMENT ANS
	while read PROCFILE PROCVAL COMMENT; do
		if [ -z "$PROCFILE" -o -z "$PROCVAL" ]; then
			continue
		fi
		if [ "$PROCFILE" = "#" -o "$PROCVAL" = "#" ]; then
			continue
		fi
		case "$PROCVAL" in
			YES|Yes|yes)
				PROCVAL=1
				;;
			NO|No|no)
				PROCVAL=0
				;;
		esac
		[ ! -f $1/$PROCFILE ] && continue
		echo $PROCVAL > $1/$PROCFILE
	done
}

read_gbl_sysctl () {
	echo "$NET_GLOBAL_SYSCTL" | read_sysctl /proc/sys/net
	return 0
}

###############################################################################
#IP Forwarding configuration
###############################################################################
start_auto_ipkrnlswch () {
	local DIR
	# read in the global sysctl settings
	read_gbl_sysctl
	# Turn on global RP filter switch - this is ANDed with
	# the per interface ones
	echo 1 > ${IPV4_PROC}/conf/all/rp_filter
	# Fix the Shared Media Mess
	echo 0 > ${IPV4_PROC}/conf/all/shared_media
	echo 0 > ${IPV4_PROC}/conf/default/shared_media
	if [ "$IPV4_FWDING_KERNEL" = "YES" ]; then
		vb echo -n "Enabling IPv4 packet forwarding..."
		echo "1" >$IPFWD_V4PROC && vb echo "done."
	elif [ "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
		vb echo -n "Disabling IPv4 packet forwarding..."
		echo "0" >$IPFWD_V4PROC && vb echo "done."
	fi
	# IPv6
	if [ $IPV6_KRNL -lt 1 ]; then
		return 0
	fi
	# Most hardened servers and routers need defaults like these
	# for interface host mode
	for DIR in ${IPV6_PROC}/conf/*; do
		# Don't allow ICMP redirect by default
		echo 0 > $DIR/accept_redirects
	done
	# This is here just to do the printing when IPv6 IS disabled.
	case "$IPV6_DISABLE" in
		YES|Yes|yes)
			vb echo -n "Disabling IPv6 protocol..."
			ifv6_setproc all disable_ipv6 "$IPV6_DISABLE" && vb echo "done."
			;;
		*)
			ifv6_setproc all disable_ipv6 "$IPV6_DISABLE"
			;;
	esac
	# Set this flag as required for creation of dynamic bridged
	# interfaces
	ifv6_setproc default disable_ipv6 "$IF_DEFAULT_IPV6_DISABLE"
	if [ "$IPV6_FWDING_KERNEL" = "YES" ]; then
		vb echo -n "Enabling IPv6 packet forwarding..."
		echo "1" >$IPFWD_V6PROC && vb echo "done."
	elif [ "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
		vb echo -n "Disabling IPv6 packet forwarding..."
		echo "0" >$IPFWD_V6PROC && vb echo "done."
	fi
}

###############################################################################
#Interface configuration
###############################################################################
start_auto_if () {
	###
	#localhost interface
	####################
	vb echo -n "Configuring loopback interface lo..."
	if_lo_up && vb echo "done."
	# Do the rest of the interfaces
	iface_up all
}

##############################################################################
# Interface stuff iface_up, iface_down, iface_reset, iface_upstart_emit
##############################################################################
iface_up () {
	local IF
	vb echo -n "Configuring interface:"
	if [ "$1" = "all" ] ; then
		for IF in $IF_AUTO; do
			if_up $IF && vb echo -n " $IF"
		done
		unset IF
	else
		# Don't do anything during boot or shutdown
		case "$RUNLVL" in
			unknown|0|1|6)
				vb echo "."
				return 0
				;;
		esac
		eval local IF_CHAIN_AUTO=\"\${"$1"_IF_CHAIN_AUTO:-""}\"
		if_up $1 && vb echo -n " $1"
		for IF in $IF_CHAIN_AUTO; do
			if_up $IF && vb echo -n " $IF"
		done
		unset IF
	fi
	vb echo "."
}

iface_down () {
	local IF
	vb echo -n "Stopping interface:"
	if [ "$1" = "all" ] ; then
		for IF in $REV_IF_LIST; do
			if_down $IF && vb echo -n " $IF"
		done
		unset IF
	else
		# Don't do anything during boot or shutdown
		case "$RUNLVL" in
			unknown|0|1|6)
				vb echo "."
				return 0
				;;
		esac
		local REV_IF_CHAIN
		eval local IF_CHAIN=\"\${"$1"_IF_CHAIN:-""}\"
		eval local IF_CHAIN_AUTO=\"\${"$1"_IF_CHAIN_AUTO:-""}\"
		IF_CHAIN="$IF_CHAIN_AUTO $IF_CHAIN"
		# Chained interfaces are stopped in reverse order, so prepend
		# (as REV_IF_LIST is built above) rather than append
		for IF in $IF_CHAIN; do
			REV_IF_CHAIN="$IF $REV_IF_CHAIN"
		done
		unset IF
		for IF in $REV_IF_CHAIN; do
			if_down $IF && vb echo -n " $IF"
		done
		unset IF
		if_down $1 && vb echo -n " $1"
	fi
	vb echo "."
}

iface_reset () {
	iface_down $1
	sleep 2
	iface_up $1
	# If gated is around, tell it all about this!
	[ -f $GDC_PATH ] && vb echo -n "Telling gated..."
	[ -f $GDC_PATH ] && sleep 5 && $GDC_PATH interface
	[ -f $GDC_PATH ] && vb echo "done."
} iface_qos () { vb echo -n "Reloading QoS for interface: " if [ "$1" = "all" ] ; then for IF in $IF_AUTO; do ip_QoSppp $IF ip_QoSclear $IF && ip_QoS $IF && vb echo -n " $IF" done unset IF else ip_QoSppp $1 ip_QoSclear $1 && ip_QoS $1 && vb echo -n " $1" fi vb echo "." return 0 } iface_upstart_emit () { if ! [ -x "$INITCTL" ]; then return 0 fi $INITCTL emit --no-wait "$@" } ############################################################################## # Functions to set 2.4 kernel interface parameters # ifv4_setproc ( YES|NO # ifv6_setproc ( YES|NO ############################################################################## ifv4_setproc () { if [ -z "$3" ]; then return 0; fi [ ! -f ${IPV4_PROC}/conf/$1/$2 ] && return 1 case "$3" in YES|Yes|yes) echo 1 > ${IPV4_PROC}/conf/$1/$2 return 0; ;; NO|No|no) echo 0 > ${IPV4_PROC}/conf/$1/$2 return 0; ;; *) if echo $3 | grep -q '^[0-9]\+$'; then echo $3 > ${IPV4_PROC}/conf/$1/$2 return 0 fi return 1; ;; esac return 0; } ifv6_setproc () { if [ -z "$3" ]; then return 0; fi [ $IPV6_KRNL -lt 1 ] && return 1 [ ! -f ${IPV6_PROC}/conf/$1/$2 ] && return 1 case "$3" in YES|Yes|yes) echo 1 > ${IPV6_PROC}/conf/$1/$2 return 0; ;; NO|No|no) echo 0 > ${IPV6_PROC}/conf/$1/$2 return 0; ;; *) if echo $3 | grep -q '^[0-9]\+$'; then echo $3 > ${IPV6_PROC}/conf/$1/$2 return 0 fi return 1; ;; esac return 0; } ############################################################################## # Functions to configure the bridge # brg_global() ############################################################################## brg_unbind_netfilter () { local STUFF # Unbind bridges from Netfilter if [ "$BRG_NETFILTER_REMOVE" != "NO" \ -a "$BRG_NETFILTER_REMOVE" != "No" \ -a "$BRG_NETFILTER_REMOVE" != "no" ]; then STUFF=" # Disable netfilter in bridge(s) - useful when not # doing bridge filtering. 
bridge/bridge-nf-call-ip6tables NO bridge/bridge-nf-call-iptables NO bridge/bridge-nf-call-arptables NO bridge/bridge-nf-filter-pppoe-tagged NO bridge/bridge-nf-filter-vlan-tagged NO " echo "$STUFF" | read_sysctl /proc/sys/net else STUFF=" # Disable netfilter in bridge(s) - useful when not # doing bridge filtering. bridge/bridge-nf-call-ip6tables YES bridge/bridge-nf-call-iptables YES bridge/bridge-nf-call-arptables YES bridge/bridge-nf-filter-pppoe-tagged YES bridge/bridge-nf-filter-vlan-tagged YES " echo "$STUFF" | read_sysctl /proc/sys/net fi return 0 } brg_global() { local INT BRG ANS local BRG_DEVLIST case "$BRG_SWITCH" in YES|Yes|yes) BRG_LIST="$BRG_LIST" ;; NO|No|no) unset BRG_LIST ;; 0|1|2|3|4|5|6|7|8|9|10) INT=0 while [ $INT -lt $BRG_SWITCH ]; do BRG_LIST="$BRG_LIST brg${INT}" INT=$(( $INT + 1 )) done ;; esac BRG_DEVLIST=`brctl show | sed -e '1d' | grep '^[-a-zA-Z0-9_]' | sed -e 's/^\([a-zA-Z0-9_\-]\+\)[ ].*$/\1/'` for BRG in $BRG_DEVLIST; do ANS=`echo $BRG_LIST | grep $BRG` if [ -z "$ANS" ]; then qt ip link set dev $BRG down brctl delbr $BRG fi done for BRG in $BRG_LIST; do brctl addbr $BRG > /dev/null 2>&1 done brg_unbind_netfilter return 0 } brg_iface () { local BRG ANS case $2 in up) if [ "$3" = "NO" -o "$3" = "No" -o "$3" = "no" ]; then return 0 fi if [ "$3" = "YES" -o "$3" = "Yes" -o "$3" = "yes" ]; then BRG=brg0 else BRG=$3 fi [ -z "$BRG" ] && return 0 ANS="echo $BRG_LIST | grep $BRG" if [ -n "$ANS" ]; then brctl addif $BRG $1 > /dev/null 2>&1 [ -z "$4" ] && ifv6_setproc $1 disable_ipv6 YES fi ;; down) BRG=`brctl show | sed -e '1d' | grep "${1}\$" | sed -e 's/^\([a-zA-Z]\+[0-9]\+\)[ ]\+.*$/\1/'` [ -z "$BRG" ] && BRG=brg0 brctl delif $BRG $1 > /dev/null 2>&1 [ -z "$3" ] && ifv6_setproc $1 disable_ipv6 NO ;; esac return 0 } ############################################################################## # Functions to set the default route ############################################################################## ipv4_default_route () { if [ "$1" != 
"$IPV4_DEFAULT_GWDEV" ]; then return 0 fi # Default route support case "$IPV4_DEFAULT_GW" in OTHER|Other|other|OFF|Off|off|NO|No|no) ;; "") ip route del default metric $DEFAULT_METRIC > /dev/null 2>&1 ;; *) ip route replace default via $IPV4_DEFAULT_GW \ metric $DEFAULT_METRIC ;; esac return 0 } ipv6_default_route () { if [ "$1" != "$IPV6_DEFAULT_GWDEV" ]; then return 0 fi # IPv6 default route - this could be better case "$IPV6_DEFAULT_GW" in OTHER|Other|other|OFF|Off|off|NO|No|no) ;; "") ip -6 route del $IPV6_DEFAULT_PREFIX metric $DEFAULT_METRIC \ > /dev/null 2>&1 ;; *) local IPV6_ZERO_GW=`echo $IPV6_DEFAULT_GW \ | eval $SED_IPV6ADDR` if ! ip -6 route list $IPV6_DEFAULT_PREFIX \ | grep -q "$IPV6_ZERO_GW.*metric $DEFAULT_METRIC"; then ip -6 route del $IPV6_DEFAULT_PREFIX \ metric $DEFAULT_METRIC > /dev/null 2>&1 ip -6 route add $IPV6_DEFAULT_PREFIX \ metric $DEFAULT_METRIC via $IPV6_DEFAULT_GW \ dev $IPV6_DEFAULT_GWDEV fi ;; esac } ############################################################################## # checkarg() a function to check interface arguments ############################################################################## checkarg() { eval "case \"$*\" in $IFLIST) ;; *) echo \"Usage: `basename $0` ifup|ifdown|ifqos|ifreload\" echo \" ${SP} {$IFLIST}\" exit 1 ;; esac" } ############################################################################## # functions to handle filter stuff ############################################################################## # # backup_rotate # backup_rotate () { local MAX="$2" [ $MAX -lt 2 ] && MAX=2 local COUNT=$(($MAX - 1)) local PREV="$MAX" while [ $COUNT -gt 0 ]; do [ -f "${1}.${COUNT}" ] && mv "${1}.${COUNT}" "${1}.${PREV}" PREV=$COUNT COUNT=$(( $COUNT - 1 )) done [ -f "$1" ] && mv "$1" "${1}.1" return 0 } ipv4filter_kernfwd () { local OVERRIDE="$2" if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \ -a "$OVERRIDE" != "yes" \ -a "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then return 0; fi case $1 in on) vb echo 
-n "Enabling IPv4 packet forwarding..." echo "1" >$IPFWD_V4PROC \ && vb echo "done." ;; off) vb echo -n "Disabling IPv4 packet forwarding..." echo "0" >$IPFWD_V4PROC \ && vb echo "done." ;; *) echo "AAARGGHH - wrong argument given to ipv4filter_kernfwd: $1" exit 1 ;; esac } # Check and see if filtering and mangling are available ipv4filter_check () { local TBL MANGLE FILTER MANGLE=0 FILTER=0 [ ! -f "$IPTBL_V4PROC" ] && return 1 for TBL in `cat $IPTBL_V4PROC`; do case $TBL in mangle) MANGLE=1 ;; filter) FILTER=1 ;; esac done if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then return 1 fi return 0 } # A function to flush the filters (for internal use) ipv4filter_flush () { local TBL # Flush the IPV4 filters out, and user defined chains [ ! -f $IPTBL_V4PROC ] && return 0 for TBL in `cat $IPTBL_V4PROC`; do if [ "$TBL" = "$1" ]; then continue fi $IPTBL -t $TBL -F $IPTBL -t $TBL -X done return 0 } ipv4filter_policy () { local TBL [ ! -f $IPTBL_V4PROC ] && return 0 for TBL in `cat $IPTBL_V4PROC`; do if [ "$TBL" = "$2" ]; then continue fi case $TBL in mangle) $IPTBL -t $TBL -P PREROUTING $1 $IPTBL -t $TBL -P OUTPUT $1 ;; filter) $IPTBL -t $TBL -P INPUT $1 $IPTBL -t $TBL -P FORWARD $1 $IPTBL -t $TBL -P OUTPUT $1 ;; nat) $IPTBL -t $TBL -P PREROUTING $1 $IPTBL -t $TBL -P POSTROUTING $1 $IPTBL -t $TBL -P OUTPUT $1 ;; esac done return 0 } # function to set the filter default policies ipv4filter_clear () { ipv4filter_flush $1 ipv4filter_policy ACCEPT $1 return 0 } # Selects basic filter type configuration function ipv4filter_iptbl_cfg () { if ! ipv4filter_check; then echo echo "IPv4 filters: netfilter kernel modules not loaded." echo return 1 fi if [ ! -f $1 ] ; then echo echo "IPv4 filters: no $1 file." echo return 1 fi echo -n "Loading IPv4 filters..." if $IPTBL_RESTORE < $1; then ipv4filter_fairq ipf4_laptopfw vb echo "done." ipv4filter_kernfwd on else return 1 fi return 0 } ipv4filter_iptbl_save () { local OLD_UMASK if ! 
ipv4filter_check; then echo echo "IPv4 filters: netfilter kernel modules not loaded." echo return 1 fi echo -n "Saving IPv4 filters..." backup_rotate "$IPTBL_FILE" "$BACKUP_LEVELS" OLD_UMASK=`umask` umask 0277 if $IPTBL_SAVE > $IPTBL_FILE; then umask $OLD_UMASK chmod 0400 $IPTBL_FILE vb echo "done." else umask $OLD_UMASK vb echo return 1 fi vb echo return 0 } # Some functions to handle Protocol IP Port tuples ipfilter_echoParam () { local format="$1" local IFS='_' set -- $2 eval "echo \"$format\"" } ipfilter_echoIpPort () { local format1="$1" local format2="$2" local testpar="$3" local IFS='_' set -- $4 eval "echo -n \"$format1\"" eval "if [ -n \"$testpar\" ]; then echo \" $format2\" fi" } ipv4filter_delTie () { local CHAIN="$1" shift qt $IPTBL -t mangle -D "$CHAIN" $* qt $IPTBL -t mangle -D "$CHAIN" -s 0/0 $* qt $IPTBL -t mangle -D "$CHAIN" -d 0/0 $* qt $IPTBL -t mangle -D "$CHAIN" -d 0/0 -s 0/0 $* return 0 } # A function to mark packets for classification ipv4filter_fairq () { local CLS local TNL if ! ipv4filter_check; then return 1 fi [ -z "$MANGLE_OUTPUT_BYPASS" ] && [ -z "$CLS_FAIRQ" ] && return 0 qt $IPTBL -t mangle -F nomangle qt $IPTBL -t mangle -N nomangle # Accept IPv4 tunnel traffic - any changes on # OUTPUT chain will cause rerouting, and Free S/WAN problems for TNL in $MANGLE_OUTPUT_BYPASS; do $IPTBL -t mangle -A nomangle -j ACCEPT \ -p `ipfilter_echoParam '$1' $TNL` \ -d `ipfilter_echoIpPort '$2' ' --dport $3' '$3' $TNL` done # Add the nomangle chain to the OUTPUT chain # NOTE position this is inserted. 
    ipv4filter_delTie OUTPUT -j nomangle
    $IPTBL -t mangle -I OUTPUT 1 -j nomangle
    [ -z "$CLS_FAIRQ" ] && return 0
    # Clear chain if it already exists
    qt $IPTBL -t mangle -F fairq
    # Create new chain
    qt $IPTBL -t mangle -N fairq
    # Populate chains
    for CLS in $CLS_FAIRQ; do
        $IPTBL -t mangle -A fairq -j MARK \
            --set-mark `ipfilter_echoParam '$1' $CLS` \
            -p `ipfilter_echoParam '$2' $CLS` \
            `ipfilter_echoIpPort '-d $3' ' --dport $4' '$4' $CLS`
        $IPTBL -t mangle -A fairq -j MARK \
            --set-mark `ipfilter_echoParam '$1' $CLS` \
            -p `ipfilter_echoParam '$2' $CLS` \
            `ipfilter_echoIpPort '-s $3' ' --sport $4' '$4' $CLS`
    done;
    # Add fairq chain to OUTPUT and PREROUTING chains
    ipv4filter_delTie OUTPUT -j fairq
    $IPTBL -t mangle -I OUTPUT 2 -j fairq
    # NOTE position this is inserted.
    ipv4filter_delTie PREROUTING -j fairq
    $IPTBL -t mangle -I PREROUTING 1 -j fairq
    return 0
}

ipv4filter_exec () {
    local RES
    if ! ipv4filter_check; then
        return 1
    fi
    local FN="$1"
    shift
    eval "case \"$FN\" in
        $IPF4_FNS)
            case \$1 in
                -r|remove)
                    vb echo -n \"Removing IPv4 filter $FN...\"
                    ;;
                *)
                    vb echo -n \"Loading IPv4 filter $FN...\"
                    ;;
            esac
            if ipf4_${FN} $*; then
                echo \"done.\"
                exit 0
            fi
            exit 1
            ;;
        *)
            echo \"       `basename $0` ipfilter exec $IPF4_FNS\"
            echo \"           [chain p1 p2 ...]\"
            exit 1
            ;;
    esac"
    return 0
}

ipv4filter_cmd () {
    if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
        -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
        -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
        echo
        echo "IPv4 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
        if [ "$IPV4_FWDING_KERNEL" = "FILTER_ON" ]; then
            # Keep the output pretty..
            echo
        fi
        ipv4filter_kernfwd off
        echo
        return 1
    fi
    if ! [ -x $IPTBL ] ; then
        echo
        echo "IPv4 filters: $IPTBL not found."
        echo
        return 1
    fi
    case $1 in
        load|reload|restart|reset)
            ipv4filter_iptbl_cfg $IPTBL_FILE
            ;;
        usebackup)
            local BKUP_NUM=1
            [ -n "$2" ] && BKUP_NUM="$2"
            ipv4filter_iptbl_cfg "${IPTBL_FILE}.${BKUP_NUM}"
            ;;
        save)
            ipv4filter_iptbl_save
            ;;
        fairq)
            echo -n "Reloading IPv4 fairq filters..."
            if ipv4filter_fairq; then
                echo "done."
            else
                echo "netfilter kernel modules not loaded."
            fi
            ;;
        clear|flush)
            ipv4filter_kernfwd off
            vb echo -n "Flushing IPv4 filters..."
            ipv4filter_clear
            ipv4filter_fairq
            vb echo "done."
            ;;
        exec)
            shift
            ipv4filter_exec $*
            ;;
        forward|fwd)
            ipv4filter_kernfwd on yes
            ;;
        noforward|nofwd)
            ipv4filter_kernfwd off yes
            ;;
        *)
            echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
            echo "                usebackup [backup-number]"
            echo "       `basename $0` ipfilter exec $IPF4_FNS"
            echo "           [chain p1 p2 ...]"
            exit 1
            ;;
    esac
}

# IPv6 filters
ipv6filter_kernfwd () {
    local OVERRIDE="$2"
    if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
        -a "$OVERRIDE" != "yes" \
        -a "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
        return 0;
    fi
    case $1 in
        on)
            vb echo -n "Enabling IPv6 packet forwarding..."
            echo "1" >$IPFWD_V6PROC \
                && vb echo "done."
            ;;
        off)
            vb echo -n "Disabling IPv6 packet forwarding..."
            echo "0" >$IPFWD_V6PROC \
                && vb echo "done."
            ;;
        *)
            echo "AAARGGHH - wrong argument given to ipv6filter_kernfwd: $1"
            exit 1
            ;;
    esac
}

# Check and see if filtering and mangling are available
ipv6filter_check () {
    local TBL MANGLE FILTER
    MANGLE=0
    FILTER=0
    [ ! -f "$IPTBL_V6PROC" ] && return 1
    for TBL in `cat $IPTBL_V6PROC`; do
        case $TBL in
            mangle)
                MANGLE=1
                ;;
            filter)
                FILTER=1
                ;;
        esac
    done
    if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
        return 1
    fi
    return 0
}

# A function to flush the filters (for internal use)
ipv6filter_flush () {
    local TBL
    # Flush the IPV6 filters out, and user defined chains
    [ ! -f $IPTBL_V6PROC ] && return 0
    for TBL in `cat $IPTBL_V6PROC`; do
        if [ "$TBL" = "$1" ]; then
            continue
        fi
        $IP6TBL -t $TBL -F
        $IP6TBL -t $TBL -X
    done
    return 0
}

ipv6filter_policy () {
    local TBL
    [ ! -f $IPTBL_V6PROC ] && return 0
    for TBL in `cat $IPTBL_V6PROC`; do
        if [ "$TBL" = "$2" ]; then
            continue
        fi
        case $TBL in
            mangle)
                $IP6TBL -t $TBL -P PREROUTING $1
                $IP6TBL -t $TBL -P OUTPUT $1
                ;;
            filter)
                $IP6TBL -t $TBL -P INPUT $1
                $IP6TBL -t $TBL -P FORWARD $1
                $IP6TBL -t $TBL -P OUTPUT $1
                ;;
            nat)
                $IP6TBL -t $TBL -P PREROUTING $1
                $IP6TBL -t $TBL -P POSTROUTING $1
                $IP6TBL -t $TBL -P OUTPUT $1
                ;;
        esac
    done
    return 0
}

# function to set the filter default policies
ipv6filter_clear () {
    ipv6filter_flush $1
    ipv6filter_policy ACCEPT $1
    return 0
}

# Selects basic filter type configuration function
ipv6filter_iptbl_cfg () {
    if ! ipv6filter_check; then
        echo
        echo "IPv6 filters: netfilter kernel modules not loaded."
        echo
        return 1
    fi
    if [ ! -f $1 ] ; then
        echo
        echo "IPv6 filters: no $1 file."
        echo
        return 1
    fi
    echo -n "Loading IPv6 filters..."
    if $IP6TBL_RESTORE < $1; then
        ipv6filter_fairq
        ipf6_laptopfw
        vb echo "done."
        ipv6filter_kernfwd on
    else
        return 1
    fi
    return 0
}

ipv6filter_iptbl_save () {
    local OLD_UMASK
    if ! ipv6filter_check; then
        echo
        echo "IPv6 filters: netfilter kernel modules not loaded."
        echo
        return 1
    fi
    echo -n "Saving IPv6 filters..."
    backup_rotate "$IP6TBL_FILE" "$BACKUP_LEVELS"
    OLD_UMASK=`umask`
    umask 0277
    if $IP6TBL_SAVE > $IP6TBL_FILE; then
        umask $OLD_UMASK
        chmod 0400 $IP6TBL_FILE
        vb echo "done."
    else
        umask $OLD_UMASK
        vb echo
        return 1
    fi
    vb echo
    return 0
}

ipv6filter_delTie () {
    local CHAIN="$1"
    shift
    qt $IP6TBL -t mangle -D "$CHAIN" $*
    qt $IP6TBL -t mangle -D "$CHAIN" -s ::/0 $*
    qt $IP6TBL -t mangle -D "$CHAIN" -d ::/0 $*
    qt $IP6TBL -t mangle -D "$CHAIN" -s ::/0 -d ::/0 $*
    return 0
}

# A function to mark packets for classification
ipv6filter_fairq () {
    local CLS
    local TNL
    if ! ipv6filter_check; then
        return 1
    fi
    [ -z "$IPV6_MANGLE_OUTPUT_BYPASS" ] && [ -z "$IPV6_CLS_FAIRQ" ] \
        && return 0
    qt $IP6TBL -t mangle -F nomangle
    qt $IP6TBL -t mangle -N nomangle
    # Accept IPv6 tunnel traffic - any changes on
    # OUTPUT chain will cause rerouting, and Free S/WAN problems
    for TNL in $IPV6_MANGLE_OUTPUT_BYPASS; do
        $IP6TBL -t mangle -A nomangle -j ACCEPT \
            -p `ipfilter_echoParam '$1' $TNL` \
            -d `ipfilter_echoIpPort '$2' ' --dport $3' '$3' $TNL`
    done
    # Add the nomangle chain to the OUTPUT chain
    # NOTE position this is inserted.
    ipv6filter_delTie OUTPUT -j nomangle
    $IP6TBL -t mangle -I OUTPUT 1 -j nomangle
    [ -z "$IPV6_CLS_FAIRQ" ] && return 0
    # Clear chain if it already exists
    qt $IP6TBL -t mangle -F fairq
    # Create new chain
    qt $IP6TBL -t mangle -N fairq
    # Populate chains
    for CLS in $IPV6_CLS_FAIRQ; do
        $IP6TBL -t mangle -A fairq -j MARK \
            --set-mark `ipfilter_echoParam '$1' $CLS` \
            -p `ipfilter_echoParam '$2' $CLS` \
            `ipfilter_echoIpPort '-d $3' ' --dport $4' '$4' $CLS`
        $IP6TBL -t mangle -A fairq -j MARK \
            --set-mark `ipfilter_echoParam '$1' $CLS` \
            -p `ipfilter_echoParam '$2' $CLS` \
            `ipfilter_echoIpPort '-s $3' ' --sport $4' '$4' $CLS`
    done;
    # Add fairq chain to OUTPUT and PREROUTING chains
    ipv6filter_delTie OUTPUT -j fairq
    $IP6TBL -t mangle -I OUTPUT 2 -j fairq
    # NOTE position this is inserted.
    ipv6filter_delTie PREROUTING -j fairq
    $IP6TBL -t mangle -I PREROUTING 1 -j fairq
    return 0
}

ipv6filter_exec () {
    local RES
    if ! ipv6filter_check; then
        return 1
    fi
    local FN="$1"
    shift
    eval "case \"$FN\" in
        $IPF6_FNS)
            case \$1 in
                -r|remove)
                    vb echo -n \"Removing IPv6 filter $FN...\"
                    ;;
                *)
                    vb echo -n \"Loading IPv6 filter $FN...\"
                    ;;
            esac
            if ipf6_${FN} $*; then
                echo \"done.\"
                exit 0
            fi
            exit 1
            ;;
        *)
            echo \"       `basename $0` ip6filter exec $IPF6_FNS\"
            echo \"           [chain p1 p2 ...]\"
            exit 1
            ;;
    esac"
    return 0
}

ipv6filter_cmd () {
    if [ $IPV6_KRNL -lt 1 ]; then
        return 0
    fi
    if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
        -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
        -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
        echo
        echo "IPv6 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
        if [ "$IPV6_FWDING_KERNEL" = "FILTER_ON" ]; then
            # Keep the output pretty..
            echo
        fi
        ipv6filter_kernfwd off
        echo
        return 1
    fi
    if ! [ -x $IP6TBL ] ; then
        echo
        echo "IPv6 filters: $IP6TBL not found."
        echo
        return 1
    fi
    case $1 in
        load|reload|restart|reset)
            ipv6filter_iptbl_cfg $IP6TBL_FILE
            ;;
        usebackup)
            local BKUP_NUM=1
            [ -n "$2" ] && BKUP_NUM="$2"
            ipv6filter_iptbl_cfg "${IP6TBL_FILE}.${BKUP_NUM}"
            ;;
        save)
            ipv6filter_iptbl_save
            ;;
        fairq)
            echo -n "Reloading IPv6 fairq filters..."
            if ipv6filter_fairq; then
                echo "done."
            else
                echo "netfilter IPv6 kernel modules not loaded."
            fi
            ;;
        clear|flush)
            ipv6filter_kernfwd off
            vb echo -n "Flushing IPv6 filters..."
            ipv6filter_clear
            ipv6filter_fairq
            vb echo "done."
            ;;
        exec)
            shift
            ipv6filter_exec $*
            ;;
        forward|fwd)
            ipv6filter_kernfwd on yes
            ;;
        noforward|nofwd)
            ipv6filter_kernfwd off yes
            ;;
        *)
            echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
            echo "                usebackup [backup-number]"
            echo "       `basename $0` ip6filter exec $IPF6_FNS"
            echo "           [chain p1 p2 ...]"
            exit 1
            ;;
    esac
}

##############################################################################
# Start and stop
##############################################################################
start () {
    start_mod
    start_auto_ipkrnlswch
    if [ "$1" != "reload" ]; then
        ipv4filter_cmd load
    else
        ipv4filter_fairq
    fi
    if [ $IPV6_KRNL -ge 1 ]; then
        if [ "$1" != "reload" ]; then
            ipv6filter_cmd load
        else
            ipv6filter_fairq
        fi
    fi
    start_auto_if
} #END start ()

stop () {
    iface_down all
    vb echo -n "Disabling IPv4 packet forwarding..."
    echo "0" >$IPFWD_V4PROC \
        && vb echo "done."
    vb echo -n "Flushing IPv4 filters..."
    ipv4filter_clear && vb echo "done."
    if [ $IPV6_KRNL -ge 1 ]; then
        vb echo -n "Disabling IPv6 packet forwarding..."
        echo "0" >$IPFWD_V6PROC \
            && vb echo "done."
        vb echo -n "Flushing IPv6 filters..."
        ipv6filter_clear && vb echo "done."
    fi
    # Deal with modules do kernel printk stuff...
    vb echo "Unloading networking modules..."
    stop_mod && vb echo "Networking modules unloaded."
} #END stop ()

#############################################################################
# Debian compatibility hooks
#############################################################################
ifupdown_usage () {
    echo "Usage: `basename $0` -a|$IFLIST" 1>&2
    echo "       Use the netscript command instead as it is a lot better." 1>&2
    exit 1
}

ifupdown () {
    local OPTA
    local OPTIND
    OPTA=0
    OPTIND=1
    while getopts :ah F; do
        case $F in
            a)
                OPTA=1
                ;;
            h)
                ifupdown_usage
                exit 1
                ;;
            \?)
                ;;
        esac
    done
    shift $(( $OPTIND - 1 ))
    case "$RUNLVL" in
        unknown|0|1|6)
            # Do nothing
            exit 0
            ;;
        *)
            if [ "`basename $0`" = "ifup" -a $OPTA -gt 0 ]; then
                iface_up all > /dev/null
                exit 0
            elif [ "`basename $0`" = "ifdown" -a $OPTA -gt 0 ]; then
                iface_down all > /dev/null
                exit 0
            fi
            ;;
    esac
    if [ $# -eq 1 ]; then
        eval "case \"$*\" in
            $IFLIST)
                ;;
            *)
                ifupdown_usage
                exit 1
                ;;
        esac"
        case "`basename $0`" in
            ifup)
                iface_up $1 > /dev/null
                exit 0
                ;;
            ifdown)
                iface_down $1 > /dev/null
                exit 0
                ;;
        esac
    fi
    ifupdown_usage
    exit 1
}

#############################################################################
# Main - Down to business
#############################################################################
# Handle symlinked ifup and ifdown commands
if [ "`basename $0`" = "ifup" -o "`basename $0`" = "ifdown" ]; then
    ifupdown $*
fi

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        start reload
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    ifup|ifreload)
        shift
        checkarg $*
        iface_up $1
        ;;
    ifdown)
        shift
        checkarg $*
        iface_down $1
        ;;
    ifqos)
        shift
        checkarg $*
        iface_qos $1
        ;;
    ifreset|ifrestart)
        shift
        checkarg $*
        iface_reset $1
        ;;
    ipfilter)
        shift
        if ! ipv4filter_cmd $*; then
            exit 1
        fi
        ;;
    *)
        if [ $IPV6_KRNL -ge 1 -a "$1" = "ip6filter" ]; then
            shift
            if ! ipv6filter_cmd $*; then
                exit 1
            fi
            exit 0
        fi
        echo "Usage: `basename $0` start|stop|reload|restart"
        echo "       `basename $0` ifup|ifdown|ifqos|ifreload"
        echo "       ${SP} {$IFLIST}"
        echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
        echo "                usebackup [backup-number]"
        echo "       `basename $0` ipfilter exec $IPF4_FNS"
        echo "           [chain p1 p2 ...]"
        if [ $IPV6_KRNL -ge 1 ]; then
            echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
            echo "                usebackup [backup-number]"
            echo "       `basename $0` ip6filter exec $IPF6_FNS"
            echo "           [chain p1 p2 ...]"
        fi
        exit 1
        ;;
esac
exit 0

netscript-2.4-5.3.0ubuntu1/netscript-2.4.conf.5

.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NETSCRIPT-2.2.conf 5 "November 23, 2000"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp        insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
/etc/netscript/network.conf \- interface, firewalling, and QoS configuration file.
/etc/netscript/if.conf \- interface setup shell script file
/etc/netscript/qos.conf \- QoS setup shell script file
/etc/netscript/ipfilter.conf \- IP chains filtering shell script file
/etc/netscript/srvfilter.conf \- server IP filter shell script file
.SH DESCRIPTION
This manpage is a placeholder until something better is written, once netscript itself has stopped changing rapidly. Please see the README file in the /etc/netscript directory, and READ the configuration files if you need to change them.
Apart from network.conf, all of them contain
.B sh (1)
shell script functions which are there so that various things can be altered or hooked in at the right place. Network.conf contains the full network setup details, including special interface setup for the likes of ciped/pppd/wanconfig, and is fully commented with examples given.
.SH UPGRADE PATH FROM KERNEL 2.2.X
The firewall/IP filtering stuff in ipfilter.conf is the part that changed radically with the move to iptables and a far better way of setting up the IP filtering rules. The QoS and interface startup/shutdown in if.conf have changed too, but remain backwards compatible with the old 2.2.x ipchains version of netscript for the interface address configuration settings. You will have to set up the filtering again to use iptables by directly using the iptables commands.

Also, the kernel 2.2.x version scripts are set up so that iptables is only run on a 2.4.x kernel; otherwise IP forwarding is disabled, provided you set IPFWDING_KERNEL to FILTER_ON in network.conf beforehand. This means that when you upgrade a box to a 2.4.x router kernel, you should then be able to reboot it, log into it remotely and upgrade netscript to the version that supports 2.4.x. In this situation, if you have set the old IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all IP forwarding through the box will also be disabled. This means that you can safely remotely upgrade a firewall.
.SH SEE ALSO
.BR netscript (8),
.BR ipchains (8),
.BR iproute (8),
.BR brcfg (8).
.br
.SH AUTHOR
This manual page was written by Matthew Grant, for the Debian GNU/Linux system (but may be used by others).
.SH BUGS
The author is lazy. He needs to write better man pages...
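The FILTER_ON policy described in the upgrade-path section (forwarding stays off unless the filter set is actually in place) can be exercised offline with the following added example. It is not netscript's own code: the scratch directory standing in for /proc/sys, the restore_rules stub standing in for iptables-restore and the two constructed ruleset files are all assumptions so that it runs without root or a real netfilter kernel. One deliberate difference from netscript's ipv4filter_iptbl_cfg, which leaves ip_forward untouched when iptables-restore fails, is that the loader here also switches forwarding off on a failed load, so a truncated or missing ruleset can never leave the box forwarding unfiltered.

```shell
#!/bin/sh
# Added example, not part of netscript: fail-closed IPv4 forwarding around
# a ruleset load, following the FILTER_ON policy from network.conf.
# Stand-ins so it runs offline (all constructed, not real system paths):
#   SYSCTL_ROOT   - scratch directory standing in for /proc/sys
#   restore_rules - stub for iptables-restore; only checks that the dump
#                   is complete (ends in a COMMIT line)

SYSCTL_ROOT="${SYSCTL_ROOT:-$(mktemp -d)}"
IPFWD_V4PROC="$SYSCTL_ROOT/net/ipv4/ip_forward"
IPV4_FWDING_KERNEL="${IPV4_FWDING_KERNEL:-FILTER_ON}"

mkdir -p "$SYSCTL_ROOT/net/ipv4"
echo 0 > "$IPFWD_V4PROC"

# Stub for $IPTBL_RESTORE: accept only a complete iptables-save dump.
restore_rules () {
    grep -q '^COMMIT$' "$1"
}

# Switch forwarding on|off, like ipv4filter_kernfwd: a no-op unless the
# policy ties forwarding to filter state (FILTER_ON) or $2 is "yes".
kernfwd () {
    if [ "$2" != "yes" ] && [ "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
        return 0
    fi
    case "$1" in
        on)  echo 1 > "$IPFWD_V4PROC" ;;
        off) echo 0 > "$IPFWD_V4PROC" ;;
        *)   return 1 ;;
    esac
}

# Load a ruleset fail-closed: forwarding goes on only after a successful
# restore, and is forced off when the file is missing or the restore fails.
load_filters () {
    if [ ! -f "$1" ]; then
        kernfwd off
        return 1
    fi
    if restore_rules "$1"; then
        kernfwd on
        return 0
    fi
    kernfwd off
    return 1
}

# Current forwarding flag as written to ip_forward ("0" or "1").
fwd_state () {
    cat "$IPFWD_V4PROC"
}

# Constructed sample rulesets in iptables-save format.
GOOD_RULES="$SYSCTL_ROOT/good.rules"
BAD_RULES="$SYSCTL_ROOT/bad.rules"
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
# Truncated copy with no COMMIT, the way a partially written save looks.
head -n 4 "$GOOD_RULES" > "$BAD_RULES"

# Stand-alone demonstration: a good load turns forwarding on, a bad one
# turns it back off.
load_filters "$GOOD_RULES" && echo "after good load: ip_forward=$(fwd_state)"
load_filters "$BAD_RULES"  || echo "after bad load:  ip_forward=$(fwd_state)"
```

Run as an unprivileged user; nothing outside the scratch directory is touched. To see the non-FILTER_ON behaviour, export IPV4_FWDING_KERNEL=NO before running: the loads then succeed or fail exactly as before but ip_forward is never written, which is what netscript does when forwarding is not tied to the filter state.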
netscript-2.4-5.3.0ubuntu1/2.4.x-kernel.config

#
# Automatically generated make config: don't edit
#
CONFIG_X86=y
CONFIG_ISA=y
# CONFIG_SBUS is not set
CONFIG_UID16=y
# CONFIG_GENERIC_BUST_SPINLOCK is not set
CONFIG_GENERIC_ISA_DMA=y

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
# CONFIG_KMOD is not set

#
# Processor type and features
#
# CONFIG_M386 is not set
CONFIG_M486=y
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
# CONFIG_MPENTIUMIII is not set
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MCYRIXIII is not set
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_X86_L1_CACHE_SHIFT=4
CONFIG_X86_USE_STRING_486=y
CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_PPRO_FENCE=y
# CONFIG_TOSHIBA is not set
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set
CONFIG_MATH_EMULATION=y
CONFIG_MTRR=y
# CONFIG_SMP is not set
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y

#
# General setup
#
CONFIG_NET=y
CONFIG_PCI=y
# CONFIG_PCI_GOBIOS is not set
# CONFIG_PCI_GODIRECT is not set
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_NAMES=y
# CONFIG_EISA is not set
# CONFIG_MCA is not set
CONFIG_HOTPLUG=y

#
# PCMCIA/CardBus support
#
CONFIG_PCMCIA=m
CONFIG_CARDBUS=y
CONFIG_I82092=y
CONFIG_I82365=y
# CONFIG_TCIC is not set

#
# PCI Hotplug Support
#
# CONFIG_HOTPLUG_PCI is not set
# CONFIG_HOTPLUG_PCI_COMPAQ is not set
# CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set
CONFIG_SYSVIPC=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_SYSCTL=y
CONFIG_KCORE_ELF=y
# CONFIG_KCORE_AOUT is not set
# CONFIG_BINFMT_AOUT is not set
CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_MISC is not set
# CONFIG_PM is not set
# CONFIG_ACPI is not set
# CONFIG_APM is not set

#
# Memory Technology Devices (MTD)
#
# CONFIG_MTD is not set

#
# Parallel port support
#
CONFIG_PARPORT=m
CONFIG_PARPORT_PC=m
CONFIG_PARPORT_PC_CML1=m
CONFIG_PARPORT_SERIAL=m
# CONFIG_PARPORT_PC_FIFO is not set
# CONFIG_PARPORT_PC_SUPERIO is not set
# CONFIG_PARPORT_PC_PCMCIA is not set
# CONFIG_PARPORT_AMIGA is not set
# CONFIG_PARPORT_MFC3 is not set
# CONFIG_PARPORT_ATARI is not set
# CONFIG_PARPORT_GSC is not set
# CONFIG_PARPORT_SUNBPP is not set
# CONFIG_PARPORT_OTHER is not set
CONFIG_PARPORT_1284=y

#
# Plug and Play configuration
#
CONFIG_PNP=y
CONFIG_ISAPNP=y
CONFIG_PNPBIOS=y

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_PARIDE is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_CISS_SCSI_TAPE is not set
# CONFIG_BLK_DEV_DAC960 is not set
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_NBD is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y

#
# Multi-device support (RAID and LVM)
#
CONFIG_MD=y
CONFIG_BLK_DEV_MD=m
CONFIG_MD_LINEAR=m
CONFIG_MD_RAID0=m
CONFIG_MD_RAID1=m
CONFIG_MD_RAID5=m
CONFIG_MD_MULTIPATH=m
CONFIG_BLK_DEV_LVM=m

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
# CONFIG_IP_PIMSM_V2 is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_MPORT=m
CONFIG_IP_NF_MATCH_TOS=m
# CONFIG_IP_NF_MATCH_RANDOM is not set
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TIME=m
CONFIG_IP_NF_MATCH_PSD=m
CONFIG_IP_NF_MATCH_NTH=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_IPV4OPTIONS=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_IPLIMIT=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_NETLINK=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_FTOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IPV6=m

#
# IPv6: Netfilter Configuration
#
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_AGR=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set

#
#
#
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_ATALK=y
# CONFIG_DECNET is not set
CONFIG_BRIDGE=y
CONFIG_X25=m
CONFIG_LAPB=m
CONFIG_LLC=y
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
CONFIG_WAN_ROUTER=m
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

#
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y

#
# Telephony Support
#
# CONFIG_PHONE is not set
# CONFIG_PHONE_IXJ is not set
# CONFIG_PHONE_IXJ_PCMCIA is not set

#
# ATA/IDE/MFM/RLL support
#
CONFIG_IDE=y

#
# IDE, ATA and ATAPI Block devices
#
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
# CONFIG_BLK_DEV_HD is not set
CONFIG_BLK_DEV_IDEDISK=y
# CONFIG_IDEDISK_MULTI_MODE is not set
# CONFIG_BLK_DEV_IDEDISK_VENDOR is not set
# CONFIG_BLK_DEV_IDEDISK_FUJITSU is not set
# CONFIG_BLK_DEV_IDEDISK_IBM is not set
# CONFIG_BLK_DEV_IDEDISK_MAXTOR is not set
# CONFIG_BLK_DEV_IDEDISK_QUANTUM is not set
# CONFIG_BLK_DEV_IDEDISK_SEAGATE is not set
# CONFIG_BLK_DEV_IDEDISK_WD is not set
# CONFIG_BLK_DEV_COMMERIAL is not set
# CONFIG_BLK_DEV_TIVO is not set
# CONFIG_BLK_DEV_IDECS is not set
CONFIG_BLK_DEV_IDECD=m
CONFIG_BLK_DEV_IDETAPE=m
CONFIG_BLK_DEV_IDEFLOPPY=m
CONFIG_BLK_DEV_IDESCSI=m

#
# IDE chipset support/bugfixes
#
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
CONFIG_BLK_DEV_ISAPNP=y
CONFIG_BLK_DEV_RZ1000=y
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
CONFIG_BLK_DEV_IDEDMA_PCI=y
CONFIG_BLK_DEV_ADMA=y
CONFIG_BLK_DEV_OFFBOARD=y
CONFIG_IDEDMA_PCI_AUTO=y CONFIG_BLK_DEV_IDEDMA=y # CONFIG_IDEDMA_PCI_WIP is not set # CONFIG_IDEDMA_NEW_DRIVE_LISTINGS is not set CONFIG_BLK_DEV_AEC62XX=y # CONFIG_AEC62XX_TUNING is not set CONFIG_BLK_DEV_ALI15X3=y # CONFIG_WDC_ALI15X3 is not set CONFIG_BLK_DEV_AMD74XX=y # CONFIG_AMD74XX_OVERRIDE is not set CONFIG_BLK_DEV_CMD64X=y # CONFIG_BLK_DEV_CY82C693 is not set CONFIG_BLK_DEV_CS5530=y CONFIG_BLK_DEV_HPT34X=y # CONFIG_HPT34X_AUTODMA is not set CONFIG_BLK_DEV_HPT366=y CONFIG_BLK_DEV_PIIX=y CONFIG_PIIX_TUNING=y # CONFIG_BLK_DEV_NS87415 is not set # CONFIG_BLK_DEV_OPTI621 is not set CONFIG_BLK_DEV_PDC202XX=y # CONFIG_PDC202XX_BURST is not set # CONFIG_PDC202XX_FORCE is not set CONFIG_BLK_DEV_SVWKS=y CONFIG_BLK_DEV_SIS5513=y CONFIG_BLK_DEV_SLC90E66=y # CONFIG_BLK_DEV_TRM290 is not set CONFIG_BLK_DEV_VIA82CXXX=y CONFIG_IDE_CHIPSETS=y # # Note: most of these also require special kernel boot parameters # CONFIG_BLK_DEV_4DRIVES=y CONFIG_BLK_DEV_ALI14XX=y CONFIG_BLK_DEV_DTC2278=y CONFIG_BLK_DEV_HT6560B=y # CONFIG_BLK_DEV_PDC4030 is not set CONFIG_BLK_DEV_QD65XX=y CONFIG_BLK_DEV_UMC8672=y CONFIG_IDEDMA_AUTO=y # CONFIG_IDEDMA_IVB is not set # CONFIG_DMA_NONPCI is not set CONFIG_BLK_DEV_IDE_MODES=y # CONFIG_BLK_DEV_ATARAID is not set # CONFIG_BLK_DEV_ATARAID_PDC is not set # CONFIG_BLK_DEV_ATARAID_HPT is not set # # SCSI support # CONFIG_SCSI=y # # SCSI support type (disk, tape, CD-ROM) # CONFIG_BLK_DEV_SD=y CONFIG_SD_EXTRA_DEVS=40 CONFIG_CHR_DEV_ST=m # CONFIG_CHR_DEV_OSST is not set CONFIG_BLK_DEV_SR=m CONFIG_BLK_DEV_SR_VENDOR=y CONFIG_SR_EXTRA_DEVS=2 CONFIG_CHR_DEV_SG=m # # Some SCSI devices (e.g. 
CD jukebox) support multiple LUNs # # CONFIG_SCSI_DEBUG_QUEUES is not set CONFIG_SCSI_MULTI_LUN=y CONFIG_SCSI_CONSTANTS=y # CONFIG_SCSI_LOGGING is not set # # SCSI low-level drivers # # CONFIG_BLK_DEV_3W_XXXX_RAID is not set # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set CONFIG_SCSI_AHA1542=y CONFIG_SCSI_AHA1740=y CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=253 CONFIG_AIC7XXX_RESET_DELAY_MS=15000 # CONFIG_AIC7XXX_BUILD_FIRMWARE is not set # CONFIG_SCSI_DPT_I2O is not set # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set CONFIG_SCSI_BUSLOGIC=y # CONFIG_SCSI_OMIT_FLASHPOINT is not set # CONFIG_SCSI_CPQFCTS is not set # CONFIG_SCSI_DMX3191D is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GDTH is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_IPS is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_IMM is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_NCR53C7xx is not set CONFIG_SCSI_NCR53C8XX=y CONFIG_SCSI_SYM53C8XX=y CONFIG_SCSI_NCR53C8XX_DEFAULT_TAGS=8 CONFIG_SCSI_NCR53C8XX_MAX_TAGS=32 CONFIG_SCSI_NCR53C8XX_SYNC=80 # CONFIG_SCSI_NCR53C8XX_PROFILE is not set # CONFIG_SCSI_NCR53C8XX_IOMAPPED is not set # CONFIG_SCSI_NCR53C8XX_PQS_PDS is not set # CONFIG_SCSI_NCR53C8XX_SYMBIOS_COMPAT is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_QLOGIC_ISP is not set # CONFIG_SCSI_QLOGIC_FC is not set # CONFIG_SCSI_QLOGIC_1280 is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_SIM710 is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_DC390T is not 
set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_DEBUG is not set # # PCMCIA SCSI adapter support # # CONFIG_SCSI_PCMCIA is not set # # Fusion MPT device support # # CONFIG_FUSION is not set # CONFIG_FUSION_BOOT is not set # CONFIG_FUSION_ISENSE is not set # CONFIG_FUSION_CTL is not set # CONFIG_FUSION_LAN is not set # # IEEE 1394 (FireWire) support (EXPERIMENTAL) # # CONFIG_IEEE1394 is not set # # I2O device support # # CONFIG_I2O is not set # CONFIG_I2O_PCI is not set # CONFIG_I2O_BLOCK is not set # CONFIG_I2O_LAN is not set # CONFIG_I2O_SCSI is not set # CONFIG_I2O_PROC is not set # # Network device support # CONFIG_NETDEVICES=y # # ARCnet devices # # CONFIG_ARCNET is not set # # Appletalk devices # CONFIG_ATALK=y # CONFIG_LTPC is not set # CONFIG_COPS is not set # CONFIG_IPDDP is not set CONFIG_DUMMY=m CONFIG_BONDING=m CONFIG_EQUALIZER=m CONFIG_TUN=m CONFIG_ETHERTAP=m CONFIG_NET_SB1000=m # # Ethernet (10 or 100Mbit) # CONFIG_NET_ETHERNET=y # CONFIG_SUNLANCE is not set CONFIG_HAPPYMEAL=m # CONFIG_SUNBMAC is not set # CONFIG_SUNQE is not set # CONFIG_SUNLANCE is not set CONFIG_SUNGEM=m CONFIG_NET_VENDOR_3COM=y CONFIG_EL1=m CONFIG_EL2=m CONFIG_ELPLUS=m CONFIG_EL16=m CONFIG_EL3=m CONFIG_3C515=m # CONFIG_ELMC is not set # CONFIG_ELMC_II is not set CONFIG_VORTEX=m CONFIG_LANCE=m CONFIG_NET_VENDOR_SMC=y CONFIG_WD80x3=m # CONFIG_ULTRAMCA is not set CONFIG_ULTRA=m # CONFIG_ULTRA32 is not set CONFIG_SMC9194=m CONFIG_NET_VENDOR_RACAL=y CONFIG_NI5010=m CONFIG_NI52=m CONFIG_NI65=m CONFIG_AT1700=m CONFIG_DEPCA=m CONFIG_HP100=m CONFIG_NET_ISA=y CONFIG_E2100=m CONFIG_EWRK3=m CONFIG_EEXPRESS=m CONFIG_EEXPRESS_PRO=m CONFIG_HPLAN_PLUS=m CONFIG_HPLAN=m CONFIG_LP486E=m CONFIG_ETH16I=m CONFIG_NE2000=m CONFIG_NET_PCI=y CONFIG_PCNET32=m CONFIG_ADAPTEC_STARFIRE=m CONFIG_AC3200=m CONFIG_APRICOT=m CONFIG_CS89x0=m CONFIG_TULIP=m # CONFIG_TULIP_MWI is not set CONFIG_TULIP_MMIO=y CONFIG_DE4X5=m CONFIG_DGRS=m CONFIG_DM9102=m 
CONFIG_EEPRO100=m # CONFIG_LNE390 is not set CONFIG_FEALNX=m CONFIG_NATSEMI=m CONFIG_NE2K_PCI=m # CONFIG_NE3210 is not set # CONFIG_ES3210 is not set CONFIG_8139CP=m CONFIG_8139TOO=m # CONFIG_8139TOO_PIO is not set # CONFIG_8139TOO_TUNE_TWISTER is not set CONFIG_8139TOO_8129=y CONFIG_SIS900=m CONFIG_EPIC100=m CONFIG_SUNDANCE=m CONFIG_TLAN=m CONFIG_VIA_RHINE=m CONFIG_WINBOND_840=m # CONFIG_NET_POCKET is not set # # Ethernet (1000 Mbit) # # CONFIG_ACENIC is not set # CONFIG_DL2K is not set # CONFIG_MYRI_SBUS is not set # CONFIG_NS83820 is not set # CONFIG_HAMACHI is not set # CONFIG_YELLOWFIN is not set # CONFIG_SK98LIN is not set CONFIG_FDDI=y CONFIG_DEFXX=m CONFIG_SKFP=m # CONFIG_HIPPI is not set CONFIG_PLIP=m CONFIG_PPP=m CONFIG_PPP_MULTILINK=y CONFIG_PPP_FILTER=y CONFIG_PPP_ASYNC=m CONFIG_PPP_SYNC_TTY=m CONFIG_PPP_DEFLATE=m CONFIG_PPP_BSDCOMP=m CONFIG_PPPOE=m CONFIG_SLIP=m CONFIG_SLIP_COMPRESSED=y # CONFIG_SLIP_SMART is not set # CONFIG_SLIP_MODE_SLIP6 is not set # # Wireless LAN (non-hamradio) # CONFIG_NET_RADIO=y CONFIG_STRIP=m CONFIG_WAVELAN=m CONFIG_ARLAN=m CONFIG_AIRONET4500=m CONFIG_AIRONET4500_NONCS=m CONFIG_AIRONET4500_PNP=y CONFIG_AIRONET4500_PCI=y CONFIG_AIRONET4500_ISA=y CONFIG_AIRONET4500_I365=y CONFIG_AIRONET4500_PROC=m CONFIG_AIRO=m CONFIG_HERMES=m CONFIG_PLX_HERMES=m # # Wireless Pcmcia cards support # CONFIG_PCMCIA_HERMES=m CONFIG_AIRO_CS=m CONFIG_NET_WIRELESS=y # # Token Ring devices # CONFIG_TR=y CONFIG_IBMTR=m CONFIG_IBMOL=m CONFIG_IBMLS=m CONFIG_TMS380TR=m CONFIG_TMSPCI=m CONFIG_TMSISA=m CONFIG_ABYSS=m # CONFIG_MADGEMC is not set CONFIG_SMCTR=m CONFIG_NET_FC=y CONFIG_IPHASE5526=m CONFIG_RCPCI=m CONFIG_SHAPER=m # # Wan interfaces # CONFIG_WAN=y CONFIG_HOSTESS_SV11=m CONFIG_COSA=m CONFIG_COMX=m CONFIG_COMX_HW_COMX=m CONFIG_COMX_HW_LOCOMX=m CONFIG_COMX_HW_MIXCOM=m CONFIG_COMX_PROTO_PPP=m CONFIG_COMX_PROTO_LAPB=m CONFIG_COMX_PROTO_FR=m CONFIG_DSCC4=m CONFIG_FARSYNC=m CONFIG_LANMEDIA=m CONFIG_SEALEVEL_4021=m CONFIG_SYNCLINK_SYNCPPP=m CONFIG_HDLC=m 
CONFIG_HDLC_PPP=y CONFIG_HDLC_X25=y CONFIG_N2=m CONFIG_C101=m CONFIG_DLCI=m CONFIG_DLCI_COUNT=24 CONFIG_DLCI_MAX=8 CONFIG_SDLA=m CONFIG_WAN_ROUTER_DRIVERS=y CONFIG_VENDOR_SANGOMA=m CONFIG_WANPIPE_CHDLC=y CONFIG_WANPIPE_FR=y CONFIG_WANPIPE_X25=y CONFIG_WANPIPE_PPP=y CONFIG_WANPIPE_MULTPPP=y CONFIG_CYCLADES_SYNC=m CONFIG_CYCLOMX_X25=y CONFIG_LAPBETHER=m CONFIG_X25_ASY=m CONFIG_SBNI=m CONFIG_SBNI_MULTILINE=y # # PCMCIA network device support # CONFIG_NET_PCMCIA=y # CONFIG_PCMCIA_3C589 is not set # CONFIG_PCMCIA_3C574 is not set # CONFIG_PCMCIA_FMVJ18X is not set # CONFIG_PCMCIA_PCNET is not set # CONFIG_PCMCIA_NMCLAN is not set # CONFIG_PCMCIA_SMC91C92 is not set # CONFIG_PCMCIA_XIRC2PS is not set # CONFIG_ARCNET_COM20020_CS is not set # CONFIG_PCMCIA_IBMTR is not set # CONFIG_PCMCIA_XIRCOM is not set # CONFIG_PCMCIA_XIRTULIP is not set CONFIG_NET_PCMCIA_RADIO=y CONFIG_PCMCIA_RAYCS=m CONFIG_PCMCIA_NETWAVE=m CONFIG_PCMCIA_WAVELAN=m CONFIG_AIRONET4500_CS=m # # Amateur Radio support # # CONFIG_HAMRADIO is not set # # IrDA (infrared) support # # CONFIG_IRDA is not set # # ISDN subsystem # CONFIG_ISDN=m CONFIG_ISDN_PPP=y CONFIG_ISDN_PPP_VJ=y CONFIG_ISDN_MPP=y CONFIG_ISDN_PPP_BSDCOMP=m CONFIG_ISDN_AUDIO=y CONFIG_ISDN_TTY_FAX=y CONFIG_ISDN_X25=y # # ISDN feature submodules # CONFIG_ISDN_DRV_LOOP=m CONFIG_ISDN_DIVERSION=m # # low-level hardware drivers # # # Passive ISDN cards # CONFIG_ISDN_DRV_HISAX=m # # D-channel protocol features # CONFIG_HISAX_EURO=y # CONFIG_DE_AOC is not set # CONFIG_HISAX_NO_SENDCOMPLETE is not set # CONFIG_HISAX_NO_LLC is not set # CONFIG_HISAX_NO_KEYPAD is not set # CONFIG_HISAX_1TR6 is not set CONFIG_HISAX_NI1=y # # HiSax supported cards # CONFIG_HISAX_16_0=y CONFIG_HISAX_16_3=y CONFIG_HISAX_TELESPCI=y CONFIG_HISAX_S0BOX=y CONFIG_HISAX_AVM_A1=y CONFIG_HISAX_FRITZPCI=y CONFIG_HISAX_AVM_A1_PCMCIA=y CONFIG_HISAX_ELSA=y CONFIG_HISAX_IX1MICROR2=y CONFIG_HISAX_DIEHLDIVA=y CONFIG_HISAX_ASUSCOM=y CONFIG_HISAX_TELEINT=y CONFIG_HISAX_HFCS=y 
CONFIG_HISAX_SEDLBAUER=y CONFIG_HISAX_SPORTSTER=y CONFIG_HISAX_MIC=y CONFIG_HISAX_NETJET=y CONFIG_HISAX_NETJET_U=y CONFIG_HISAX_NICCY=y CONFIG_HISAX_ISURF=y CONFIG_HISAX_HSTSAPHIR=y CONFIG_HISAX_BKM_A4T=y CONFIG_HISAX_SCT_QUADRO=y CONFIG_HISAX_GAZEL=y CONFIG_HISAX_HFC_PCI=y CONFIG_HISAX_W6692=y CONFIG_HISAX_HFC_SX=y # CONFIG_HISAX_DEBUG is not set CONFIG_HISAX_SEDLBAUER_CS=m CONFIG_HISAX_ELSA_CS=m CONFIG_HISAX_ST5481=m # # Active ISDN cards # CONFIG_ISDN_DRV_ICN=m CONFIG_ISDN_DRV_PCBIT=m CONFIG_ISDN_DRV_SC=m CONFIG_ISDN_DRV_ACT2000=m CONFIG_ISDN_DRV_EICON=y CONFIG_ISDN_DRV_EICON_DIVAS=m CONFIG_ISDN_DRV_EICON_OLD=m CONFIG_ISDN_DRV_EICON_PCI=y CONFIG_ISDN_DRV_EICON_ISA=y CONFIG_ISDN_DRV_TPAM=m CONFIG_ISDN_CAPI=m CONFIG_ISDN_DRV_AVMB1_VERBOSE_REASON=y CONFIG_ISDN_CAPI_MIDDLEWARE=y CONFIG_ISDN_CAPI_CAPI20=m CONFIG_ISDN_CAPI_CAPIFS_BOOL=y CONFIG_ISDN_CAPI_CAPIFS=m CONFIG_ISDN_CAPI_CAPIDRV=m CONFIG_ISDN_DRV_AVMB1_B1ISA=m CONFIG_ISDN_DRV_AVMB1_B1PCI=m CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y CONFIG_ISDN_DRV_AVMB1_T1ISA=m CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m CONFIG_ISDN_DRV_AVMB1_AVM_CS=m CONFIG_ISDN_DRV_AVMB1_T1PCI=m CONFIG_ISDN_DRV_AVMB1_C4=m CONFIG_HYSDN=m CONFIG_HYSDN_CAPI=y # # Old CD-ROM drivers (not SCSI, not IDE) # # CONFIG_CD_NO_IDESCSI is not set # # Input core support # CONFIG_INPUT=m CONFIG_INPUT_KEYBDEV=m CONFIG_INPUT_MOUSEDEV=m CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 CONFIG_INPUT_JOYDEV=m CONFIG_INPUT_EVDEV=m # # Character devices # CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_SERIAL=y CONFIG_SERIAL_CONSOLE=y CONFIG_SERIAL_EXTENDED=y CONFIG_SERIAL_MANY_PORTS=y CONFIG_SERIAL_SHARE_IRQ=y # CONFIG_SERIAL_DETECT_IRQ is not set CONFIG_SERIAL_MULTIPORT=y # CONFIG_HUB6 is not set CONFIG_SERIAL_NONSTANDARD=y CONFIG_COMPUTONE=m CONFIG_ROCKETPORT=m CONFIG_CYCLADES=m # CONFIG_CYZ_INTR is not set CONFIG_DIGIEPCA=m CONFIG_ESPSERIAL=m CONFIG_MOXA_INTELLIO=m CONFIG_MOXA_SMARTIO=m CONFIG_ISI=m CONFIG_SYNCLINK=m CONFIG_N_HDLC=m CONFIG_RISCOM8=m CONFIG_SPECIALIX=m 
# CONFIG_SPECIALIX_RTSCTS is not set CONFIG_SX=m CONFIG_RIO=m # CONFIG_RIO_OLDPCI is not set CONFIG_STALDRV=y CONFIG_STALLION=m CONFIG_ISTALLION=m CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTY_COUNT=256 CONFIG_PRINTER=m # CONFIG_LP_CONSOLE is not set # CONFIG_PPDEV is not set # # I2C support # CONFIG_I2C=m CONFIG_I2C_ALGOBIT=m CONFIG_I2C_PHILIPSPAR=m CONFIG_I2C_ELV=m CONFIG_I2C_VELLEMAN=m CONFIG_I2C_ALGOPCF=m CONFIG_I2C_ELEKTOR=m CONFIG_I2C_CHARDEV=m CONFIG_I2C_PROC=m # # Mice # # CONFIG_BUSMOUSE is not set CONFIG_MOUSE=y CONFIG_PSMOUSE=y # CONFIG_82C710_MOUSE is not set # CONFIG_PC110_PAD is not set # # Joysticks # # CONFIG_INPUT_GAMEPORT is not set # CONFIG_INPUT_NS558 is not set # CONFIG_INPUT_LIGHTNING is not set # CONFIG_INPUT_PCIGAME is not set # CONFIG_INPUT_CS461X is not set # CONFIG_INPUT_EMU10K1 is not set # CONFIG_INPUT_SERIO is not set # CONFIG_INPUT_SERPORT is not set # # Joysticks # # CONFIG_INPUT_ANALOG is not set # CONFIG_INPUT_A3D is not set # CONFIG_INPUT_ADI is not set # CONFIG_INPUT_COBRA is not set # CONFIG_INPUT_GF2K is not set # CONFIG_INPUT_GRIP is not set # CONFIG_INPUT_INTERACT is not set # CONFIG_INPUT_TMDC is not set # CONFIG_INPUT_SIDEWINDER is not set # CONFIG_INPUT_IFORCE_USB is not set # CONFIG_INPUT_IFORCE_232 is not set # CONFIG_INPUT_WARRIOR is not set # CONFIG_INPUT_MAGELLAN is not set # CONFIG_INPUT_SPACEORB is not set # CONFIG_INPUT_SPACEBALL is not set # CONFIG_INPUT_STINGER is not set # CONFIG_INPUT_DB9 is not set # CONFIG_INPUT_GAMECON is not set # CONFIG_INPUT_TURBOGRAFX is not set # CONFIG_QIC02_TAPE is not set # # Watchdog Cards # CONFIG_WATCHDOG=y # CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_SOFT_WATCHDOG=y CONFIG_WDT=m CONFIG_WDTPCI=m # CONFIG_WDT_501 is not set CONFIG_PCWATCHDOG=m CONFIG_ACQUIRE_WDT=m CONFIG_ADVANTECH_WDT=m CONFIG_EUROTECH_WDT=m CONFIG_IB700_WDT=m CONFIG_I810_TCO=m CONFIG_MIXCOMWD=m CONFIG_60XX_WDT=m CONFIG_W83877F_WDT=m CONFIG_MACHZ_WDT=m CONFIG_INTEL_RNG=m # CONFIG_NVRAM is not set CONFIG_RTC=y # 
CONFIG_DTLK is not set # CONFIG_R3964 is not set # CONFIG_APPLICOM is not set # CONFIG_SONYPI is not set # # Ftape, the floppy tape device driver # # CONFIG_FTAPE is not set # CONFIG_AGP is not set # CONFIG_DRM is not set # # PCMCIA character devices # CONFIG_PCMCIA_SERIAL_CS=m # CONFIG_MWAVE is not set # # Multimedia devices # # CONFIG_VIDEO_DEV is not set # # File systems # # CONFIG_QUOTA is not set CONFIG_AUTOFS_FS=m CONFIG_AUTOFS4_FS=m CONFIG_REISERFS_FS=y # CONFIG_REISERFS_CHECK is not set # CONFIG_ADFS_FS is not set # CONFIG_ADFS_FS_RW is not set # CONFIG_AFFS_FS is not set # CONFIG_HFS_FS is not set # CONFIG_BFS_FS is not set # CONFIG_CMS_FS is not set CONFIG_EXT3_FS=y CONFIG_JBD=y # CONFIG_JBD_DEBUG is not set CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y # CONFIG_EFS_FS is not set # CONFIG_JFFS_FS is not set # CONFIG_JFFS2_FS is not set CONFIG_CRAMFS=m CONFIG_TMPFS=y # CONFIG_RAMFS is not set CONFIG_ISO9660_FS=m CONFIG_JOLIET=y # CONFIG_ZISOFS is not set CONFIG_MINIX_FS=m # CONFIG_FREEVXFS_FS is not set # CONFIG_NTFS_FS is not set # CONFIG_NTFS_RW is not set # CONFIG_HPFS_FS is not set CONFIG_PROC_FS=y # CONFIG_DEVFS_FS is not set # CONFIG_DEVFS_MOUNT is not set # CONFIG_DEVFS_DEBUG is not set CONFIG_DEVPTS_FS=y # CONFIG_QNX4FS_FS is not set # CONFIG_QNX4FS_RW is not set CONFIG_ROMFS_FS=m CONFIG_EXT2_FS=y # CONFIG_SYSV_FS is not set # CONFIG_UDF_FS is not set # CONFIG_UDF_RW is not set # CONFIG_UFS_FS is not set # CONFIG_UFS_FS_WRITE is not set # # Network File Systems # CONFIG_CODA_FS=m # CONFIG_INTERMEZZO_FS is not set CONFIG_NFS_FS=m CONFIG_NFS_V3=y # CONFIG_ROOT_NFS is not set CONFIG_NFSD=m CONFIG_NFSD_V3=y CONFIG_SUNRPC=m CONFIG_LOCKD=m CONFIG_LOCKD_V4=y CONFIG_SMB_FS=m # CONFIG_SMB_NLS_DEFAULT is not set # CONFIG_NCP_FS is not set # CONFIG_NCPFS_PACKET_SIGNING is not set # CONFIG_NCPFS_IOCTL_LOCKING is not set # CONFIG_NCPFS_STRONG is not set # CONFIG_NCPFS_NFS_NS is not set # CONFIG_NCPFS_OS2_NS is not set # 
CONFIG_NCPFS_SMALLDOS is not set # CONFIG_NCPFS_NLS is not set # CONFIG_NCPFS_EXTRAS is not set # CONFIG_ZISOFS_FS is not set CONFIG_ZLIB_FS_INFLATE=m # # Partition Types # # CONFIG_PARTITION_ADVANCED is not set CONFIG_MSDOS_PARTITION=y CONFIG_SMB_NLS=y CONFIG_NLS=y # # Native Language Support # CONFIG_NLS_DEFAULT="iso8859-1" CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_CODEPAGE_737=m CONFIG_NLS_CODEPAGE_775=m CONFIG_NLS_CODEPAGE_850=y CONFIG_NLS_CODEPAGE_852=m CONFIG_NLS_CODEPAGE_855=m CONFIG_NLS_CODEPAGE_857=m CONFIG_NLS_CODEPAGE_860=m CONFIG_NLS_CODEPAGE_861=m CONFIG_NLS_CODEPAGE_862=m CONFIG_NLS_CODEPAGE_863=m CONFIG_NLS_CODEPAGE_864=y CONFIG_NLS_CODEPAGE_865=m CONFIG_NLS_CODEPAGE_866=m CONFIG_NLS_CODEPAGE_869=m CONFIG_NLS_CODEPAGE_936=m CONFIG_NLS_CODEPAGE_950=m CONFIG_NLS_CODEPAGE_932=m CONFIG_NLS_CODEPAGE_949=y CONFIG_NLS_CODEPAGE_874=m CONFIG_NLS_ISO8859_8=m CONFIG_NLS_CODEPAGE_1251=m CONFIG_NLS_ISO8859_1=y CONFIG_NLS_ISO8859_2=m CONFIG_NLS_ISO8859_3=m CONFIG_NLS_ISO8859_4=m CONFIG_NLS_ISO8859_5=m CONFIG_NLS_ISO8859_6=m CONFIG_NLS_ISO8859_7=m CONFIG_NLS_ISO8859_9=m CONFIG_NLS_ISO8859_13=m CONFIG_NLS_ISO8859_14=m CONFIG_NLS_ISO8859_15=y CONFIG_NLS_KOI8_R=m CONFIG_NLS_KOI8_U=m CONFIG_NLS_UTF8=y # # Console drivers # CONFIG_VGA_CONSOLE=y CONFIG_VIDEO_SELECT=y # CONFIG_MDA_CONSOLE is not set # # Frame-buffer support # # CONFIG_FB is not set # # Sound # # CONFIG_SOUND is not set # # USB support # CONFIG_USB=m # CONFIG_USB_DEBUG is not set # # Miscellaneous USB options # CONFIG_USB_DEVICEFS=y CONFIG_USB_BANDWIDTH=y # CONFIG_USB_LONG_TIMEOUT is not set # # USB Controllers # CONFIG_USB_UHCI=m CONFIG_USB_UHCI_ALT=m CONFIG_USB_OHCI=m # # USB Device Class drivers # # CONFIG_USB_AUDIO is not set # CONFIG_USB_BLUETOOTH is not set CONFIG_USB_STORAGE=m # CONFIG_USB_STORAGE_DEBUG is not set # CONFIG_USB_STORAGE_DATAFAB is not set # CONFIG_USB_STORAGE_FREECOM is not set # CONFIG_USB_STORAGE_ISD200 is not set # CONFIG_USB_STORAGE_DPCM is not set # CONFIG_USB_STORAGE_HP8200e is not 
set # CONFIG_USB_STORAGE_SDDR09 is not set # CONFIG_USB_STORAGE_JUMPSHOT is not set CONFIG_USB_ACM=m CONFIG_USB_PRINTER=m # # USB Human Interface Devices (HID) # # CONFIG_USB_HID is not set # CONFIG_USB_HIDDEV is not set # CONFIG_USB_KBD is not set # CONFIG_USB_MOUSE is not set # CONFIG_USB_WACOM is not set # CONFIG_USB_AIPTEK is not set # # USB Imaging devices # # CONFIG_USB_DC2XX is not set # CONFIG_USB_MDC800 is not set # CONFIG_USB_SCANNER is not set # CONFIG_USB_MICROTEK is not set # CONFIG_USB_HPUSBSCSI is not set # # USB Multimedia devices # # # Video4Linux support is needed for USB Multimedia device support # # # USB Network adaptors # CONFIG_USB_PEGASUS=m CONFIG_USB_KAWETH=m CONFIG_USB_CATC=m CONFIG_USB_CDCETHER=m CONFIG_USB_USBNET=m # # USB port drivers # CONFIG_USB_USS720=m # # USB Serial Converter support # # CONFIG_USB_SERIAL is not set # CONFIG_USB_SERIAL_GENERIC is not set # CONFIG_USB_SERIAL_BELKIN is not set # CONFIG_USB_SERIAL_WHITEHEAT is not set # CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set # CONFIG_USB_SERIAL_EMPEG is not set # CONFIG_USB_SERIAL_FTDI_SIO is not set # CONFIG_USB_SERIAL_VISOR is not set # CONFIG_USB_SERIAL_IR is not set # CONFIG_USB_SERIAL_EDGEPORT is not set # CONFIG_USB_SERIAL_KEYSPAN_PDA is not set # CONFIG_USB_SERIAL_KEYSPAN is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28 is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28X is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28XA is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28XB is not set # CONFIG_USB_SERIAL_KEYSPAN_USA19 is not set # CONFIG_USB_SERIAL_KEYSPAN_USA18X is not set # CONFIG_USB_SERIAL_KEYSPAN_USA19W is not set # CONFIG_USB_SERIAL_KEYSPAN_USA49W is not set # CONFIG_USB_SERIAL_MCT_U232 is not set # CONFIG_USB_SERIAL_PL2303 is not set # CONFIG_USB_SERIAL_CYBERJACK is not set # CONFIG_USB_SERIAL_XIRCOM is not set # CONFIG_USB_SERIAL_OMNINET is not set # # USB Miscellaneous drivers # CONFIG_USB_RIO500=m CONFIG_USB_ID75=m # # Bluetooth support # # CONFIG_BLUEZ is not set # # Kernel hacking 
# CONFIG_DEBUG_KERNEL is not set

netscript-2.4-5.3.0ubuntu1/COPYING

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
netscript-2.4-5.3.0ubuntu1/debian/compat
5

netscript-2.4-5.3.0ubuntu1/debian/control
Source: netscript-2.4
Section: net
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Matthew Grant
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 7)

Package: netscript-2.4
Architecture: all
Depends: iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), dhcp3-client | dhcpcd | pump | isc-dhcp-client, ${misc:Depends}
Provides: netscript, ifupdown
Conflicts: netscript, netscript-2.2, ifupdown
Replaces: netscript, ifupdown
Recommends: quagga | radvd
Suggests: whereami, dnsmasq, resolvconf, wpasupplicant, wicd, quagga
Description: Linux 2.4/2.6 router/firewall/VM host network config. system.
 This is a router and firewall network configuration system. It is specific
 to the 2.4.x and 2.6.x kernel series. This system is in production use,
 even though this is an experimental version.
 .
 It offers much finer grained control of the network setup than the standard
 system in netbase, with support for bridge configuration, iptables, ip route
 and tc traffic control. It is optimised for use on high traffic routers with
 interfaces being reconfigured individually while the rest of the machine is
 routing traffic 24x7. Common boiler plate filter creation functions are
 provided to ease the task of constructing iptables filters in the context of
 operation within an ISP network.
 .
 Since this package is designed for a heavy duty network router, it is
 designed to work in conjunction with a routing daemon as found in the
 quagga package.
 .
 DON'T use this on a pure server - it is VERY useful for a Virtual Machine
 server with complex networking needs. This is because of its comprehensive
 network configuration capabilities.
 Thus it is a tempting replacement when you have to rip out NetworkManager
 on a server.
 .
 It was originally designed for dedicated routers and firewalls, and hence
 its lightweight scripting footprint. When it comes to firewall
 configuration though, have a look at the mason package if you are faint of
 heart.

Package: netscript-2.4-upstart
Architecture: all
Depends: iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables | iptables-router (>= 1.2.3), netbase, bash (>= 2.03), dhcp3-client | dhcpcd | pump | isc-dhcp-client, upstart, ${misc:Depends}
Provides: netscript, ifupdown
Conflicts: netscript, netscript-2.2, ifupdown
Replaces: netscript, netscript-2.4, ifupdown
Recommends: quagga | radvd
Suggests: whereami, dnsmasq, resolvconf, dhclient | pump | dhcpcd, wpasupplicant, wicd, quagga
Description: Linux 2.4/2.6 router/firewall/VM host network config. system.
 This is a router and firewall network configuration system. It is specific
 to the 2.4.x and 2.6.x kernel series. This system is in production use,
 even though this is an experimental version. This is the version of the
 package to use with the native upstart init program. It replaces ifupdown,
 and removes network-manager as the latter's interface control 'greediness'
 causes lots of issues.
 .
 It offers much finer grained control of the network setup than the standard
 system in netbase, with support for bridge configuration, iptables, ip route
 and tc traffic control. It is optimised for use on high traffic routers with
 interfaces being reconfigured individually while the rest of the machine is
 routing traffic 24x7. Common boiler plate filter creation functions are
 provided to ease the task of constructing iptables filters in the context of
 operation within an ISP network.
 .
 Since this package is designed for a heavy duty network router, it is
 designed to work in conjunction with a routing daemon as found in the
 quagga package.
 .
 DON'T use this on a pure server - it is VERY useful for a Virtual Machine
 server with complex networking needs. This is because of its comprehensive
 network configuration capabilities. Thus it is a tempting replacement when
 you have to rip out NetworkManager on a server.
 .
 It was originally designed for dedicated routers and firewalls, and hence
 its lightweight scripting footprint. When it comes to firewall
 configuration though, have a look at the mason package if you are faint of
 heart.

netscript-2.4-5.3.0ubuntu1/debian/docs
BUGS
README
README.etc
TODO
2.4.x-kernel.config

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4.netscript.udev
# This file causes network devices to be brought up or down as a result
# of hardware being added or removed, including that which isn't ordinarily
# removable.
# See udev(7) for syntax.

SUBSYSTEM=="net", DRIVERS=="?*", GOTO="netscript_start"
GOTO="netscript_end"

LABEL="netscript_start"

# Bring devices up and down.
# Use start-stop-daemon so we don't wait on any network daemons that are invoked.
ACTION=="add", RUN+="/sbin/start-stop-daemon --start --background --pidfile /var/run/network/bogus --startas /sbin/netscript -- ifup $env{INTERFACE}"
ACTION=="remove", RUN+="/sbin/start-stop-daemon --start --background --pidfile /var/run/network/bogus --startas /sbin/netscript -- ifdown $env{INTERFACE}"

LABEL="netscript_end"

netscript-2.4-5.3.0ubuntu1/debian/suid
/etc/netscript/ipfilter.conf
/etc/netscript/network.conf
/sbin/netscript

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4.dirs
etc/init.d

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4.links
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/network.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/if.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/qos.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/ipfilter.conf.5.gz
usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifup.8.gz
usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifdown.8.gz
sbin/netscript sbin/ifup
sbin/netscript sbin/ifdown

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4-upstart.netscript-shutdown.upstart
# netscript shutdown - shutdown system networking controlled by netscript
#
# This task stops all the network daemons and interfaces controlled by
# netscript

description "shutdown system networking controlled by netscript"

start on runlevel [06]

task

exec netscript stop

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4.netscript.init
#! /bin/sh -e
### BEGIN INIT INFO
# Provides:          netscript
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Should-Start:      ifupdown
# X-Start-Before:    networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Raise network interfaces, and setup iptables.
# Description:       Raise network interfaces, starting any required networking
#                    daemons like pppd, DHCP client or openvpn, and setup iptables.
### END INIT INFO
#
# netscript script to fire up netscript network configuration system
#
# Written by Miquel van Smoorenburg.
# Modified for Debian GNU/Linux
# by Ian Murdock.
# Modified from /etc/init.d/skeleton
# by Matthew Grant
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/sbin/netscript
NAME=netscript
DESC="netscript"

test -f $DAEMON || exit 0

. /lib/lsb/init-functions

# The /sbin/netscript command complies with Debian Policy so just do this:
# NB the following can make lintian happy
# ("$@" rather than an unquoted $* so that the arguments reach netscript
# exactly as they were given to this script)
case "$1" in
  start|reload|force-reload|restart)
	$DAEMON "$@"
	;;
  stop)
	$DAEMON "$@"
	;;
  *)
	$DAEMON "$@"
	;;
esac

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4.lintian-overrides
netscript-2.4 binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-start
netscript-2.4 binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-stop
netscript-2.4 binary: init.d-script-possible-missing-stop etc/init.d/netscript 1

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4-upstart.netscript.upstart
# netscript - configure network devices controlled by netscript
#
#
#
# Based on work by
# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100
# copyright 2009 Canonical Limited.
# License GPL v2
# Adaptation for netscript-2.4
# copyright 2011 Matthew Alexander Grant

description "configure virtual network devices"

start on (local-filesystems and (stopped udevtrigger or container))

task

exec netscript start

netscript-2.4-5.3.0ubuntu1/debian/README.Debian
netscript-2.4 for Debian
----------------------

This package is still experimental, and under rapid evolution so it does not
come with much documentation. It is designed to work best with router
software like zebra.

Install a router flavour kernel, or one generated from the accompanying kernel
configuration. To configure the kernel run:

    make mrproper
    cp /usr/share/doc/2.2.x-kernel.config .config
    make menuconfig

and configure your kernel, save the configuration, then make dep; make bzImage;
make modules as usual.

Most of the interface level configuration you will need will be found in
/etc/netscript/network.conf, including lower level protocol
daemons/configuration programs like ciped, pppd, or wanconfig. See below for
more details on this recommended editing policy.

You will have to configure the firewall using the iptables commands directly.
Don't forget to save the configurations using the
'netscript ipfilter|ip6filter save' commands!

Unlike the last version, the firewalling and filtering is no longer configured
from network.conf. This has been done as stateful filtering obviates the need
for great complexity in the firewall scripts, and more flexibility is possible.
You have to get down and get dirty with iptables and learn it, which is a good
thing to do if you are running this to build a network - you should understand
things fully, or else you will get things wrong.

CONFIGURATION
-------------

NB: To get this package working, you will HAVE to edit
/etc/netscript/network.conf, and edit /etc/init.d/networking by inserting
'exit 0' near the top before the first commands in the file.
You may also want to disable inetd and/or portmap from starting up, but check
that you have something like ssh set up to run in daemon mode first before
doing this to inetd! The commands would be:

    update-rc.d -f portmap remove
    update-rc.d -f inetd remove

All of the above steps will be integrated into a debhelper setup for this
package in the near future.

If you want to set up static routing using this package, it would be a good
idea to install the zebra routing software package, as it is probably a good
idea to set up a routing protocol on any network that needs static routes other
than the default, and static routes are more easily set up from the routing
software anyhow if they are really needed.

LAPTOP SETUP
------------

This is still being developed, and I have been unable to complete the work on
the wireless and starting/stopping services like NFS mounts due to my laptop
giving me a lot of trouble under linux. Lockups and particularly keyboards
being unpredictable make development hard work.

IPv6 support is there as it is an analogue of the IPv4 work but needs testing.
Wireless support with waproamd still needs to be teased out.

You will need to install whereami, ifplugd, waproamd, dnsmasq, and resolvconf.
Get whereami configured to detect the network location and print it out using
the --mapping switch. Then edit /etc/netscript/network.conf; you will see a
section half way down the file just after the DHCP setup examples.

You will have to add the following script to the /etc/ifplugd/action.d
directory:

    #!/bin/sh
    set +e
    #
    case "$2" in
      up)
        /sbin/netscript ifup "$1" > /dev/null 2>&1
        RETVAL=$?
        sleep 5
        exit $RETVAL
        ;;
      down)
        /sbin/netscript ifdown "$1" > /dev/null 2>&1
        exit $?
        ;;
    esac

saved as the file netscript (chmod 0755), and comment out all lines in the
ifupdown script in the same directory. After this dnsmasq and resolvconf will
just basically work for ethernet.

Waproamd setup should be similar to the above, but I have not been able to
experiment yet.
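The CONFIGURATION section above warns against removing inetd from the boot sequence before ssh runs as a standalone daemon; the check below, an added example that is not part of the netscript package, parses an inetd.conf (a constructed sample, not the real file) and refuses the removal while ssh is still an inetd entry.

```shell
#!/bin/sh
# Added example, not part of the netscript package: before running
# "update-rc.d -f inetd remove" on a router you reach over ssh, confirm that
# ssh is not one of the services inetd spawns, otherwise removing inetd
# removes your way back in.

# Constructed stand-in for /etc/inetd.conf (real files use tabs; spaces work
# the same for the parser below).
SAMPLE_INETD_CONF=$(cat <<'EOF'
# /etc/inetd.conf: constructed sample for this example
#:STANDARD: These are standard services.
#telnet  stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ssh      stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/sshd -i
ident    stream  tcp  wait    identd   /usr/sbin/identd identd
EOF
)

# Print the service names inetd would start from the file given as $1:
# comments and blank lines are dropped and an "addr:service" first field
# is reduced to the bare service name.
inetd_services() {
    sed -e 's/#.*//' "$1" | awk 'NF > 0 { sub(/^.*:/, "", $1); print $1 }'
}

# Exit status 0 if service $1 is listed in inetd config $2, 1 otherwise.
inetd_serves() {
    inetd_services "$2" | grep -qx "$1"
}

# Exit status 0 when inetd can be dropped from the boot sequence without
# taking ssh with it; prints the reason either way.
safe_to_remove_inetd() {
    if inetd_serves ssh "$1"; then
        echo "ssh is spawned by inetd in $1: run sshd as a daemon first"
        return 1
    fi
    echo "no ssh entry in $1: removing inetd will not cut off ssh"
    return 0
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
safe_to_remove_inetd "$tmp" || echo "refusing to remove inetd on this host"
rm -f "$tmp"
```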
UPGRADE PATH FROM KERNEL 2.2.X
------------------------------

The firewall/IP filtering stuff in ipfilter.conf is the part that changed
radically with the move to iptables and a far better way of setting up the IP
filtering rules; however the QoS and interface startup/shutdown in if.conf
have changed but are backwards compatible with the old 2.2.x ipchains version
of netscript for the interface address configuration settings. You will have
to set up the filtering again to use iptables by directly using the iptables
commands.

Also, the kernel 2.2.x version scripts are set up so that iptables is only run
on a 2.4.x kernel; otherwise IP forwarding is disabled if beforehand you set
IPFWDING_KERNEL to FILTER_ON in network.conf. This means that when you upgrade
a box to a 2.4.x router kernel, you should then be able to reboot it, log into
it remotely and upgrade netscript to the version that will support 2.4.x. In
this situation, if you have set the old IPFWDING_KERNEL setting to FILTER_ON
beforehand in network.conf, all IP forwarding through the box will also be
disabled. This means that you can safely remotely upgrade a firewall.

 -- Matthew Grant , Sat, 30 Oct 2004 18:03:24 +1300

netscript-2.4-5.3.0ubuntu1/debian/rules
#!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

build: build-stamp
build-stamp:
	dh_testdir

	# Add here commands to compile the package.
	#$(MAKE)

	touch build-stamp

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp

	# Add here commands to clean up after the build process.
	# -$(MAKE) clean

	dh_clean

install: build
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs

	# Add here commands to install the package into debian/.
	$(MAKE) install DESTDIR=`pwd`/debian/netscript-2.4
	$(MAKE) install DESTDIR=`pwd`/debian/netscript-2.4-upstart

# Build architecture-independent files here.
binary-indep: DH_OPTIONS=-i
binary-indep: DESTDIR=`pwd`/debian/netscript-2.4
binary-indep: build install
	dh_testdir
	dh_testroot
#	dh_installdebconf
	dh_installdocs --all
#	dh_installexamples
	dh_installinit --package=netscript-2.4 --name=netscript --no-start -- start 35 0 6 . start 40 S .
	dh_installinit --package=netscript-2.4-upstart --name=netscript --noscripts
	dh_installinit --package=netscript-2.4-upstart --name=netscript-interface --noscripts
	dh_installinit --package=netscript-2.4-upstart --name=netscript-shutdown --noscripts
	dh_installudev --package=netscript-2.4 --name=netscript --priority=85
	dh_installman -A netscript-2.4.conf.5 netscript.8
	dh_lintian
	dh_installchangelogs
	dh_link
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb

# Build architecture-dependent files here.
binary-arch: build install
# package is a bunch of shell scripts

binary: binary-indep binary-arch

build-arch:
	true
build-indep:
	true

.PHONY: build clean binary-indep binary-arch binary install

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4-upstart.dirs
etc/init

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4-upstart.netscript-interface.upstart
# network-interface - configure network device
#
# This service causes network devices to be brought up or down as a result
# of hardware being added or removed, including that which isn't ordinarily
# removable.
#
# Based on work by
# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100
# copyright 2009 Canonical Limited.
# License GPL v2
# changes for netscript-2.4
# copyright 2011 Matthew Alexander Grant License GPL V2
# Matthew Grant

description "configure network device"

start on stopped rc RUNLEVEL=[2345] and net-device-added
stop on runlevel [2345] and net-device-removed INTERFACE=$INTERFACE

instance $INTERFACE

pre-start script
    if [ "$INTERFACE" != "lo" ]; then
        exec netscript ifup $INTERFACE
    fi
end script

post-stop script
    if [ "$INTERFACE" != "lo" ]; then
        exec netscript ifdown $INTERFACE
    fi
end script

netscript-2.4-5.3.0ubuntu1/debian/gbp.conf
[DEFAULT]
#upstream-branch=master
#debian-branch=deb-package

[git-buildpackage]
#upstream-tag = v%(version)s
#submodules = True

[git-dch]
spawn-editor = always
commit = True

netscript-2.4-5.3.0ubuntu1/debian/TODO
- create better manpages for the configuration files and the net command
- add debhelper support for basic network configuration, and for removing
  networking, portmap, and inetd from the machine startup sequence.

netscript-2.4-5.3.0ubuntu1/debian/postrm
#! /bin/sh
# postrm script for netscript-2.2
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `remove'
#        * `purge'
#        * `upgrade'
#        * `failed-upgrade'
#        * `abort-install'
#        * `abort-install'
#        * `abort-upgrade'
#        * `disappear' <overwriter> <overwriter-version>
# for details, see /usr/doc/packaging-manual/

case "$1" in
    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
	# update the menu system
	# if [ -x /usr/bin/update-menus ]; then update-menus; fi
	;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 0
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#

netscript-2.4-5.3.0ubuntu1/debian/netscript-2.4-upstart.links
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/network.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/if.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/qos.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/ipfilter.conf.5.gz
usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifup.8.gz
usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifdown.8.gz
sbin/netscript sbin/ifup
sbin/netscript sbin/ifdown

netscript-2.4-5.3.0ubuntu1/debian/postinst
#! /bin/sh
# postinst script for netscript-2.2
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `configure'
#        * `abort-upgrade'
#        * `abort-remove' `in-favour'
#
#        * `abort-deconfigure' `in-favour'
#          `removing'
#
# for details, see /usr/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

case "$1" in
    configure)
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 0
        ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

# Keep wep.conf readable by root only. wep.conf is a regular file, so the
# test is -f; the script's original -d (directory) test never matched and
# the chmod was never applied.
file1=/etc/netscript/wep.conf
if [ -f "$file1" ]; then
    chmod 0600 "$file1" || true
fi

exit 0

netscript-2.4-5.3.0ubuntu1/debian/readme
This package is still experimental, and under rapid evolution so it does not
come with much documentation.
Install a router flavour kernel, or one generated from the accompanying kernel
configuration. To configure the kernel run:

    make mrproper
    cp /usr/share/doc/netscript-2.4/2.4.x-kernel.config .config
    make menuconfig

and configure your kernel, save the configuration, then make dep; make bzImage;
make modules as usual.

The scripts now automatically load all needed netfilter and QoS modules.

netscript-2.4-5.3.0ubuntu1/debian/changelog
netscript-2.4 (5.3.0ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control: add isc-dhcp-client to Depends:
    - debian/rules: reinstate the netscript-2.4-upstart support
    - upstart: start netscript on 'or container', to let us optimize the
      udevtrigger job.

 -- Andy Whitcroft  Mon, 06 Jan 2014 14:08:24 +0000

netscript-2.4 (5.3.0) unstable; urgency=medium

  * Add full IPv6 filter helper function support
  * Properly update ipfilter.conf
  * Remove netscript-compile functionality and docs.
  * Fix module loading/unloading on restart
  * Commit changelog for 5.3.0
  * Update debian/control with new email address
  * Really update debian/control maintainer
  * Fix lintian warnings.

 -- Matthew Grant  Mon, 06 Jan 2014 13:12:28 +1300

netscript-2.4 (5.2.12ubuntu1) raring; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control: add isc-dhcp-client to Depends:
    - debian/rules: reinstate the netscript-2.4-upstart support
    - upstart: start netscript on 'or container', to let us optimize the
      udevtrigger job.

 -- Andy Whitcroft  Wed, 14 Nov 2012 13:18:34 +0000

netscript-2.4 (5.2.12) unstable; urgency=low

  * Fix missing quotes in brg_iface up call (Closes: #681641)

 -- Matthew Grant  Sun, 15 Jul 2012 12:27:10 +1200

netscript-2.4 (5.2.11) unstable; urgency=low

  * Update module loading for kernel 3.2+
  * Add device to IPv6 default route command.
  * Add ability to not set IPv6 address from SLAC.
  * resolvconf option + unsetting new IPv6 RPrefix option
  * Removed netscript-2.4-upstart package as upstart is a moving target.
  * Removed netscript-2.4-upstart from debian/rules.

 -- Matthew Grant  Wed, 23 May 2012 13:21:28 +1200

netscript-2.4 (5.2.10) unstable; urgency=low

  * Fix IPv6 MTU override and add IPv6 icmp-host chain.

 -- Matthew Grant  Sun, 19 Feb 2012 10:05:01 +1300

netscript-2.4 (5.2.9ubuntu2) quantal; urgency=low

  * Switch dependencies from the now obsolete transitional package
    dhcp3-client to the replacement isc-dhcp-client.

 -- Andy Whitcroft  Wed, 11 Jul 2012 10:13:23 +0100

netscript-2.4 (5.2.9ubuntu1) precise; urgency=low

  * Start netscript on 'or container', to let us optimize the udevtrigger
    job.

 -- Steve Langasek  Wed, 04 Apr 2012 17:52:53 -0700

netscript-2.4 (5.2.9) unstable; urgency=low

  * Made netscript depend on /bin/bash as it needs the ability to list shell
    script functions. Dash does not provide this.

 -- Matthew Grant  Sun, 25 Sep 2011 20:53:28 +1300

netscript-2.4 (5.2.8) unstable; urgency=low

  * Fix issue with filters not being loaded on IPv6 due to kernel version
    not being detected.

 -- Matthew Grant  Fri, 09 Sep 2011 08:50:02 +1200

netscript-2.4 (5.2.7) unstable; urgency=low

  * Module unloading/loading for linux kernel v 3.0. Includes ipi_set and
    ip_vs modules.

 -- Matthew Grant  Sat, 20 Aug 2011 14:38:41 +1200

netscript-2.4 (5.2.6) unstable; urgency=low

  * Initial support for Linux 3.0 in terms of version checking.

 -- Matthew Grant  Wed, 17 Aug 2011 07:40:49 +1200

netscript-2.4 (5.2.5) unstable; urgency=low

  * Add support for accept RA advertised routes based on mask length
  * Upgraded standards version to 3.9.2.
  * Overrode lintian errors and warnings about remote_fs - this package
    configures the network, which is needed for remote_fs!
  * Fixed problem with dh_installinit installing start up scripts on
    upstart version of the package.
  * Made netscript recognise upstart runlevel 'unknown'.
  * Fixed race condition in upstart /etc/init/*.conf files.
* Introduced /etc/init/netscript-shutdown.conf for clean shutdown with upstart. -- Matthew Grant Sun, 24 Apr 2011 20:06:57 +1200 netscript-2.4 (5.2.4) unstable; urgency=low * Fix problems with upstart package not initialising correctly due to start up races. * Remove /32 and /128 from address deletion in if.conf -- Matthew Grant Thu, 27 Jan 2011 20:58:36 +1300 netscript-2.4 (5.2.3) unstable; urgency=low * Remove conflict with network-manager, as this can cause too much pain on laptops with wicd being unmaintained now. It is better to install netscript-2.4-upstart, configure it, and then tell network-manager to interfaces alone by setting [ifupdown]\nmanage = false. -- Matthew Grant Wed, 22 Dec 2010 15:41:03 +1300 netscript-2.4 (5.2.2) unstable; urgency=low * Fix missing quotes around script for activating 'chained' interfaces (Closes: #592340). * Add missing overrides for /etc/init.d/netscript-2.4 startup. * Added linitian overrides for errors about missing init dependencies on $remote-fs * Increased Standards Version to 3.9.1 -- Matthew Grant Wed, 18 Aug 2010 11:52:39 +1200 netscript-2.4 (5.2.1) unstable; urgency=low * Fix up netscript-interface.conf upstart file, make it ignore interface lo. * Add dependency on virtual package dhcp-client for initial system install. * Added or depends on dhcp3-client as well, and dhcp3-client does not also provide the dhcp-client virtual package. -- Matthew Grant Tue, 22 Dec 2009 13:02:34 +1300 netscript-2.4 (5.2) unstable; urgency=low * Add switch to disable IPv6 * Auto enable/disable IPv6 when adding/deleting an interface to a bridge. * Fix bug with deleting interfaces from bridges other than brg0 * Set up default for disabling IPv6 on dynamic interfaces. * Add switch to remove bridges from netfilter filtering. * Add ability to name bridges. * Install udev file correctly * Fix a few typos * Change IPv6 default route prefix to 'default' * Changed compatibility level to 5. * Fix lintin errors in man pages. 
* Remved empty maintainer script debian/prerm. * Updated to latest Debian Standards version 3.8.3 etc. * Added xt_cluster to correct insmod secion. * Split package to provide for different init environments * Added initial support for upstart initctl -- Matthew Grant Mon, 21 Dec 2009 22:28:25 +1300 netscript-2.4 (5.1.10) unstable; urgency=low * Fixed netscript to work better with 2.6.31. Doesn't load modules when IP_KERNEL_FILTER is set to NONE, and netscript reload adjusts loaded modules according to setting. * Recording adding of patches for nmu2. (Closes: #546459) * Recording adding of patches for nmu3. (Closes: #547509) -- Matthew Grant Tue, 20 Oct 2009 21:38:39 +1300 netscript-2.4 (5.1.9) unstable; urgency=low * Bumping version to force upload. -- Matthew Grant Sun, 04 Oct 2009 14:40:47 +1300 netscript-2.4 (5.1.8) unstable; urgency=low * Fixing module loading for kernel 2.6.31. -- Matthew Grant Thu, 01 Oct 2009 09:01:32 +1300 netscript-2.4 (5.1.7+nmu3) unstable; urgency=low * Non-maintainer upload to fix release goal. * Make ifupdown init.d scrtip dependency optional, to avoid having the package depend on ifupdown. Fixes installation problem detected by piuparts. -- Petter Reinholdtsen Sun, 20 Sep 2009 14:45:23 +0200 netscript-2.4 (5.1.7+nmu2) unstable; urgency=low * Non-maintainer upload. * Patched the wrong file in the last upload. Patch netscript.init, not debian/init. Make sure to remove the debian/init copy in the clean target of debian/rules. Last NMU is obsolete (Closes: #546457). -- Petter Reinholdtsen Sun, 13 Sep 2009 12:55:24 +0200 netscript-2.4 (5.1.7+nmu1) unstable; urgency=low * Non-maintainer upload to fix release goal. * Fix init.d script dependency headers (Closes: 542246). -- Petter Reinholdtsen Sun, 13 Sep 2009 11:58:38 +0200 netscript-2.4 (5.1.7) unstable; urgency=low * Remove suggests entry in debian/control for waproamd. 
(Closes: #509392) -- Matthew Grant Mon, 29 Dec 2008 17:19:53 +1300 netscript-2.4 (5.1.6) unstable; urgency=low * Fix netscript so that it will run with dash as /bin/sh. * Update my maintainer address to matthewgrant5@gmail.com -- Matthew Grant Mon, 29 Dec 2008 13:17:53 +1300 netscript-2.4 (5.1.5-0.1) unstable; urgency=low * Non-maintainer upload. * Fix bashism in netscript-compile. The problems reported in netscript by checkbashisms are false positives, it has a local definition of a source function. (Closes: #465011) -- Marc 'HE' Brockschmidt Sat, 08 Mar 2008 23:54:46 +0100 netscript-2.4 (5.1.5) unstable; urgency=low * Fix lintian warnings debian-rules-sets-DH_COMPAT, out-of-date-standards-version, init.d-script-missing-lsb-section, and package-contains-empty-directory /usr/sbin * Update to Standards Version 3.7.3 -- Matthew Grant Wed, 06 Feb 2008 04:22:55 +0000 netscript-2.4 (5.1.4) unstable; urgency=low * Fixed typos in package description in debian/control (closes: #274815) * Fixed linitian warning about standards version 3.6.2 -> 3.7.6 * Replaced Build-Depends-Indep: with Build-Depends in debian/control to fix lintian warning. -- Matthew Grant Sat, 2 Feb 2008 13:18:00 +1300 netscript-2.4 (5.1.3) unstable; urgency=low * Updated to support kernel 2.6.22 * Merged IPV4_FILTER_KERNEL and IPV6_FILTER_KERNEL switches to IP_FILTER_KERNEL switch because of merging of upstream netfilter v4 and v6 modules to enable connection tracking in IPv6 -- Matthew Grant Sat, 02 Feb 2008 12:06:44 +1300 netscript-2.4 (5.1.2) unstable; urgency=low * Add support to control sending of redirects on an interface. This is useful for use with openvpn which can route packets in and out of the VPN tun device. -- Matthew Grant Tue, 30 Jan 2007 11:55:05 +1300 netscript-2.4 (5.1.1) unstable; urgency=low * Updated to support 2.6.14 and 2.6.16 kernels. * Updated debhelper compatibility to 4 from 3. Sarge support is needed. 
-- Matthew Grant Sat, 18 Feb 2006 20:21:57 +0000 netscript-2.4 (5.1.0) unstable; urgency=low * Added initial support for laptops and whereami. This still needs some work, but I am getting it out there as it is now usable. * Added entries to README.Debian to document how to set above up. -- Matthew Grant Fri, 29 Oct 2004 08:38:27 +1300 netscript-2.4 (5.0.14) unstable; urgency=medium * Merge in work down for NMU. * Get rid of startup and shutdown init calls in maintainer scripts. -- Matthew Grant Wed, 13 Oct 2004 08:40:55 +1300 netscript-2.4 (5.0.13-0.1) unstable; urgency=high * Non-maintainer upload. * High-urgency upload for (trivial,) sarge-targetted RC bugfix * Replace zebra with quagga in Recommends:, since the former is no longer available (closes: #273043). -- Steve Langasek Sat, 2 Oct 2004 03:07:00 -0700 netscript-2.4 (5.0.13) unstable; urgency=low * Added fix proposed by Bart Samwel , fixing problem with saving of filters with 'netscript ipfilter save' Local vars MANGLE and FILTER were not initialised to zero in ipv4filter_check(). Also fixed ipv6filter_check(). (Closes: #267151) -- Matthew Grant Sat, 28 Aug 2004 19:12:06 +1200 netscript-2.4 (5.0.12) unstable; urgency=low * Fix prerm script by editing out #DEBHELPER# This fixes problem where netscript closes down all interfaces on package remove or purge. Leaving proper clean up for a month to allow people to get rid of the bad prerm package maintainer scripts - will go to telling debhelper to only install /etc/rc.d startup/shutdown symlinks. (Closes: #241989) -- Matthew Grant Wed, 9 Jun 2004 12:07:49 +1200 netscript-2.4 (5.0.11) unstable; urgency=low * Add support for iptables policy match module to close new ipsec packet injection hole. * Changed ipfilter-defs(5) man page for new IPSEC interface name directives. -- Matthew Grant Fri, 23 Apr 2004 14:28:40 +1200 netscript-2.4 (5.0.10) unstable; urgency=low * Initial work to netscript to work with the 2.6 kernel. 
* Removed configuration samples for deprecated Free S/WAN support. Free S/WAN KLIPS is a real mess in terms of interfaces, routing and confg scripts! * Added mentions of 2.6 kernel in most places needed. Man pages may need it. * Removed suggestion for vrrpd - this was a failed experiment. * Upgraded standards version to 3.6.1. -- Matthew Grant Fri, 26 Mar 2004 08:03:43 +1200 netscript-2.4 (5.0.9) unstable; urgency=low * Fix default case in init script. -- Matthew Grant Tue, 23 Dec 2003 15:48:23 +1300 netscript-2.4 (5.0.8) unstable; urgency=low * Basically a clean up to get ready to go into unstable. * Changed 'net' command to 'netscript' to stop a clash with samba-comon in sarge and sid. * Changed 'net-compile' to 'netscript-compile to match above. * Adjusted config files and other files to match above. * Removed conffile as this results in duplicate config file lintian warnings. * Fixed lintian warning about 'Upstream Author(s)'. * Updated Debian Standards version to 3.5.7 -- Matthew Grant Mon, 15 Dec 2003 22:05:30 +0000 netscript-2.4 (5.0.7) unstable; urgency=low * Added work around for kernel crash bug with psd and limit modules. -- Matthew Grant Sun, 8 Jun 2003 00:12:04 +1200 netscript-2.4 (5.0.6) unstable; urgency=low * Added support for adjusting portscan chain psd module parameters to deal with high traffic situations. -- Matthew Grant Thu, 5 Jun 2003 16:12:25 +1200 netscript-2.4 (5.0.5) unstable; urgency=low * Previous change lost chaings in 5.0.3 with ipfilter-defs.conf. Fixed. -- Matthew Grant Tue, 3 Jun 2003 15:45:20 +1200 netscript-2.4 (5.0.4) unstable; urgency=low * Fixed problem with startup getting order of chains in iplcl and ipfwd in correct. This was due to 2 ways of adding chains into these, a simple add on start up, and then indexing for manual incremental add ins. Gone to indexing mode for all additions, and made function that returns index into iplcl and ipfwd a lot faster (O(n) instead of O(n2).). 
The change is only in /etc/netscript/ipfilter-defs.conf, has been tested carefully, and does nto affect the rest of the netscript system. -- Matthew Grant Tue, 3 Jun 2003 14:16:41 +1200 netscript-2.4 (5.0.3) unstable; urgency=low * Fixed problem with REJECT_UDP_NET - '-m STATE' should be '-m state'. * Added new alternative FreeS/WAN start up code for multiple interfaces. network.conf needs a cleanup for next release that is backwards compatible. * Fixed --pkt-type argmuents in ipfilter-defs.conf. Fixes dropping of BROADCAST packets for INPUT and FORWARD chains. -- Matthew Grant Thu, 29 May 2003 09:47:28 +1200 netscript-2.4 (5.0.2) unstable; urgency=low * Updated ipfilter-defs.5 manpage for new compile rules below. -- Matthew Grant Wed, 23 Apr 2003 07:58:08 +1200 netscript-2.4 (5.0.1) unstable; urgency=low * Added support for more logging targets, for each type of new coonnection, so that strings can be prepended to log messages. New compile targets are LOG_BROADCAST, LOG_PROTO, LOG_UDP, LOG_TCP, LOG_UDP_NET, LOG_TCP_NET, LOG_NET, LOG_IFACE, LOG. The new LOG_MSG and LOG_MSG_RESET are used to set the log text. * Added support for network addresses for UDP, and TCP. Targets are ACCEPT_TCP_NET, ACCEPT_UDP_NET, REJECT_TCP_NET, REJECT_UDP_NET, DROP_TCP_NET, and DROP_UDP_NET, as well as above log targets. * Fixed spelling bug with the net-compile run messages. * Fixed net-compile bug where script would compile then give up with and error exit, and not complete compiling when there where no rules defined in ipfilter-defs files. * Manpages left to next minor release as this one has to get out the door... -- Matthew Grant Tue, 15 Apr 2003 11:30:46 +1200 netscript-2.4 (5.0.0) unstable; urgency=low * Changed netscript so that it can support compiling and configuring from ipfilter-defs on start up. * Added type checking as much as practical to the net-compile command. * Updated manpages for existing commands. * Created manpages for ipfilter-defs. 
* Moved net-compile to /sbin from /usr/sbin. * Set permissions on install to 700 for ipfilter-defs directory as it contains security information. -- Matthew Grant Mon, 24 Mar 2003 15:09:50 +1200 netscript-2.4 (4.23) unstable; urgency=low * Added MARTIAN_BYPASS to ipf4_martians so that some source addresses can be by passed in martians check. * Fixed some of the examples in ipfilter-defs configuration. -- Matthew Grant Wed, 26 Feb 2003 15:36:08 +1300 netscript-2.4 (4.22) unstable; urgency=low * Made some corrections for missing files etc. -- Matthew Grant Tue, 25 Feb 2003 14:08:57 +1300 netscript-2.4 (4.21) unstable; urgency=low * Initial packaging of net compile functionality for IPv4. Documentation will be in next one, this is a trial build an run package. -- Matthew Grant Tue, 25 Feb 2003 13:38:46 +1300 netscript-2.4 (4.20) unstable; urgency=low * Fix bug with interface type stop functions not execuiting due to missing 'type' keyword. * Made /sbin/net work with non modular kernels, in the case where lsmod is not installed, and where it is. -- Matthew Grant Sat, 1 Feb 2003 17:03:45 +1300 netscript-2.4 (4.19) unstable; urgency=low * Install missing changelog... -- Matthew Grant Thu, 16 Jan 2003 11:43:13 +1300 netscript-2.4 (4.18) unstable; urgency=low * Removed Debian sub versioning as the debian package is maintained in parallel to the source. * Removed vrrpd code as the daemon is unstable. Included example of how to get package going with heartbeat. -- Matthew Grant Thu, 16 Jan 2003 10:53:45 +1300 netscript-2.4 (4.17-1) unstable; urgency=low * Fixed bug with /32 and /128 netmasks not being given in ethx_IPADDR. * Made VRRPD code work properly... - stopped new address code removing VRRPD IP addresses. -- Matthew Grant Wed, 8 Jan 2003 10:13:03 +1300 netscript-2.4 (4.16-1) unstable; urgency=low * Adjusted module loading for ipt_helper module in 2.4.20 * Fixed bug with deleting extraneous bridges where interfaces on running bridges were assumed to be disused bridges. 
-- Matthew Grant Fri, 3 Jan 2003 12:10:38 +1300 netscript-2.4 (4.15-1) unstable; urgency=low * Add support for vrrpd daemon. * Revamp the handling of the forwarding switch, and add commands to help handle it. -- Matthew Grant Mon, 30 Dec 2002 15:38:56 +1300 netscript-2.4 (4.14-1) unstable; urgency=low * Add ingress check rule and portscan chan for psd module to ipfilter.conf * Make ipfilter.conf test for and load /etc/netscript/ipfilter-local.conf if present. -- Matthew Grant Tue, 26 Nov 2002 13:12:19 +1300 netscript-2.4 (4.13-1) unstable; urgency=low * Fix ipsec modules not unloading on 'net stop'. Function call was missing in stop_mod(). -- Matthew Grant Mon, 18 Nov 2002 15:00:34 +1300 netscript-2.4 (4.12-1) unstable; urgency=low * Fixed ipsec startup to deal with Free S/WAN .pid files if the machine went off because of power failure - ipsec0 was not starting * Fixed problem with source blocking in the IPv4 inbrdr chain creation - inbound source blocking was setting the destination instead of the source address. -- Matthew Grant Sun, 10 Nov 2002 10:03:49 +1300 netscript-2.4 (4.11-1) unstable; urgency=low * Added support to load and unload Free S/WAN ipsec module, and extension modules as found in Debian Woody, and used in the Debian Router Project. -- Matthew Grant Tue, 29 Oct 2002 22:57:36 +1300 netscript-2.4 (4.10-2) unstable; urgency=low * Fixed some of the comments in the network.conf file to make things clearer. -- Matthew Grant Tue, 29 Oct 2002 06:55:51 +1300 netscript-2.4 (4.10-1) unstable; urgency=low * New Upstream Version * Fix problem with mangling set up preventing Free S/WAN from working properly - packet mangling was causing rerouting of ESP packets back into ipsec0 tunnel device... * Added support for adding static routes/static ARPs on interface start/reload. * Added support for subordinate interfaces (for controlling tunnels etc). 
-- Matthew Grant Mon, 28 Oct 2002 23:22:56 +1300 netscript-2.4 (4.04-2) unstable; urgency=low * Fix up Free S/WAN start up so that rp_filter can be used... -- Matthew Grant Fri, 18 Oct 2002 10:24:24 +1300 netscript-2.4 (4.04-1) unstable; urgency=low * Fix IPv4 icmp chain creation barfing because of conflict with protocol name... go figure. * Add support for Free S/WAN ipsec on one interface. * Add support for interface shutdown to chain shutdown of tunnel interfaces with manual manipulation... -- Matthew Grant Wed, 16 Oct 2002 11:28:30 +1300 netscript-2.4 (4.03-1) unstable; urgency=low * New upstream release with fix for dynamic interfaces that don't exist at boot, otherwise you cannot manually start them. * Fix minor problem with hlp output and long interface lists. -- Matthew Grant Fri, 4 Oct 2002 11:26:08 +1200 netscript-2.4 (4.02-1) unstable; urgency=low * New upstream release with tweaks and support for new 2.4.18-ac3 router kernels. * Added support for having iptables base modules compiled into the kernel by putting test into /sbin/net load_module() to test if base module is on the file system. * Added support for the following iptables 1.2.6a modules which have special dependencies: ipt_conntrack, ipt_NETMAP, ipt_SAME, ipt_POOL, ip_pool, and ipt_pool. -- Matthew Grant Tue, 26 Mar 2002 12:17:56 +1200 netscript-2.4 (4.01-1) unstable; urgency=low * Added corrected ppp interface stuff to network.conf * Corrected some documentation in network.conf about QoS -- Matthew Grant Fri, 28 Dec 2001 14:25:27 +1300 netscript-2.4 (4.0-4) unstable; urgency=low * Changed permissions of /etc/netscript/network.conf and ipfilter.conf to 0644 from 0600 as they do not contain information that is that sensitive anymore. -- Matthew Grant Mon, 10 Dec 2001 20:52:24 +1300 netscript-2.4 (4.0-3) unstable; urgency=low * Fixed problems with build depends by switching to 'Build-Depends-Indep'. 
-- Matthew Grant Sat, 8 Dec 2001 11:26:46 +1300 netscript-2.4 (4.0-2) unstable; urgency=low * Fixed problem with Build-Depends being in binary section of control file, and not being in the Source section as required. -- Matthew Grant Wed, 5 Dec 2001 15:05:02 +1300 netscript-2.4 (4.0-1) unstable; urgency=low * New version 4.0 with the following major changes * Converted to kernel 2.4.x, and iptables * Added IPv6 support, ip6tables and IPv6 interface configuration. * Removed filter and masquerade listing support as people should be using the iptables commands * All the old ipchains filtering scripts have been removed and replaced with shell script fragments via the ipfilter exec command. * Configuration is now saved to disk using the iptables-restore and iptables save commands (IPv4 and IPv6). * Converted output messages to Debian format * Added code to load/unload iptables and QoS modules on start and stop. -- Matthew Grant Sat, 1 Dec 2001 14:33:21 +1300 netscript-2.2 (3.03-0potato1) unstable; urgency=low * Added ability to set/override multicast fflag and mtu of interface * Added IP source IP/network specification to DMZ_OPEN_DEST and DMZ_CLOSED_DEST lists for DMZ network access control filters -- Matthew Grant Sun, 21 Jan 2001 22:54:16 +1300 netscript-2.2 (3.02-0potato1) unstable; urgency=low * Fixed problem with OSPF multicasts being blocked by the external interface filtering. The obstruction could cause problems with Zebra ospfd and other OSPF daemons in general. -- Matthew Grant Thu, 7 Dec 2000 08:35:49 +1300 netscript-2.2 (3.01-0potato1) unstable; urgency=low * Removed unused INTERN_IF variable from network.conf * Fixed QoS reload for PPP interfaces * Reworked QoS loading for PP interfaces to make it nicer -- Matthew Grant Sun, 3 Dec 2000 17:41:22 +1300 netscript-2.2 (3.0-0.9) unstable; urgency=low * Initial Release. * first release in a tar ball format. This basically a rehash of what is in LRP Eiger. 
* More chains used to reduce CPU load on router filtering operations, * QoS made usable b y adding reload commands and providing facility to set aside lumps of bandwidth * More options provided to net command to make it more intiuitive to use * Added ability to list individual chains * Adapted for Debian and overhauled it to increase effeciency. * As this package will change rapidly, man pages are not available but will be written when stabilised. -- Matthew Grant Fri, 24 Nov 2000 17:07:15 +1300 Local variables: mode: debian-changelog End: netscript-2.4-5.3.0ubuntu1/debian/copyright0000664000000000000000000000127512262426366015442 0ustar This package was debianized by Matthew Grant on Thu, 23 Nov 2000 17:01:55 +1300. Upstream Authors: Matthew Grant (send patches here) David Cinege Copyright: Copyright 1995-2000 Matthew Grant Portions copyright 1998,1999 David Cinege Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz You are free to distribute and use this software under the terms of the GNU General Public License. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL file. netscript-2.4-5.3.0ubuntu1/qos.conf.50000664000000000000000000000003112262426365014065 0ustar .so netscript-2.4.conf.5 netscript-2.4-5.3.0ubuntu1/qos.conf0000664000000000000000000001173512262426365013737 0ustar ############################################################################## # QoS/Fair queuing functions ############################################################################### QOS_MODULES="sch_sfq sch_red sch_gred sch_cbq cls_fw" echoMark () { local IFS='_' set -- $1 echo $1 } echoRate () { local IFS='_' set -- $1 echo $2 } echoAddParm () { local IFS='_' set -- $1 shift 2 echo "$@" } ip_QoSppp () { # establish esistence of ppp Iface if ! echo $1 | grep '^ppp' > /dev/null 2>&1 ; then return 0 fi ! [ -f /var/run/${1}.pid ] && return 0 if ! 
kill -0 `cat /var/run/${1}.pid` > /dev/null 2>&1 ; then return 0 fi # Get Unit number PPP_UNIT=`echo $1 | sed 's/^ppp\(.*\)$/\1/'` # Transform variables eval "$1"_HNDL1=$(( $PPP_UNIT + 8000 )) eval "$1"_HNDL2=$(( $PPP_UNIT + 9000 )) eval "$1"_FAIRQ=${ppp_FAIRQ:-} eval "$1"_BNDWIDTH=${ppp_BNDWIDTH:-} eval "$1"_PXMTU=${ppp_PXMTU:-} eval "$1"_CARATE=${ppp_CARATE:-} eval "$1"_IARATE=${ppp_IARATE:-} eval "$1"_IABURST=${ppp_IABURST:-} return 0 } ip_QoSclear () { [ -x /sbin/tc ] \ && qt tc qdisc del dev $1 root return 0 } ip_QoS () { # Set some vaiables eval local HNDL1=\${"$1"_HNDL1:-""} eval local HNDL2=\${"$1"_HNDL2:-""} eval local FAIRQ=\${"$1"_FAIRQ:-""} eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""} eval local PXMTU=\${"$1"_PXMTU:-""} eval local CARATE=\${"$1"_CARATE:-""} eval local IARATE=\${"$1"_IARATE:-""} eval local IABURST=\${"$1"_IABURST:-""} eval local SPQUEUE=\${"$1"_SPQUEUE:-""} eval local PEAKRATE=\${"$1"_PEAKRATE:-"$BNDWIDTH"} eval local BULKRATE=\${"$1"_BULKRATE:-"$CARATE"} if [ ! 
-x /sbin/tc ]; then return 1 fi if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ] then return 1 fi if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" \ -o -z "$PXMTU" -o -z "$CARATE" ]; then tc qdisc replace dev $1 root sfq return 0 fi local IF_INDEX=`ip link | grep $1 | sed -e "s/^\([0-9]\+\): $1.*$/\1/"` if [ -z "$HNDL1" ]; then HNDL1=$(( $IF_INDEX * 10 + 1001 )) fi if [ -z "$HNDL2" ]; then HNDL2=$(( $IF_INDEX * 10 + 1002 )) fi # Attach CBQ to device tc qdisc add dev $1 root handle $HNDL1: cbq \ bandwidth $BNDWIDTH allot 1514 \ avpkt 1000 # Set up classes # Root class tc class add dev $1 parent $HNDL1:0 classid :1 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $PEAKRATE \ allot $PXMTU avpkt 1000 bounded # Bulk class tc class add dev $1 parent $HNDL1:1 classid :2 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $CARATE \ allot $PXMTU avpkt 1000 bounded prio 6 \ split $HNDL1:0 defmap ff7f # Interactive class tc class add dev $1 parent $HNDL1:1 classid :3 est 2sec 16sec \ cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \ allot $PXMTU avpkt 1000 bounded isolated \ prio 2 split $HNDL1:0 defmap 80 # Priority class tc class add dev $1 parent $HNDL1:1 classid :4 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $PEAKRATE \ allot $PXMTU avpkt 1000 bounded prio 1 # Attach queue disciplines tc qdisc add dev $1 parent $HNDL1:3 sfq perturb 15 tc qdisc add dev $1 parent $HNDL1:4 pfifo # Add filters tc filter add dev $1 parent $HNDL1:0 protocol ip \ priority 50 handle $MRK_CRIT fw classid $HNDL1:4 tc filter add dev $1 parent $HNDL1:0 protocol ip \ priority 60 handle $MRK_IA fw classid $HNDL1:3 # Set up bulk queue tc qdisc add dev $1 parent $HNDL1:2 handle $HNDL2: cbq \ bandwidth $CARATE allot 1514 avpkt 1000 tc class add dev $1 parent $HNDL2:0 classid :1 est 1sec 8sec \ cbq bandwidth $CARATE rate $BULKRATE \ allot $PXMTU avpkt 1000 prio 6 \ split $HNDL2:0 defmap ffff tc qdisc add dev $1 parent $HNDL2:1 sfq perturb 15 # tc qdisc add dev $1 parent $HNDL2:1 red min 
10000 max 30000 limit 75000 avpkt 1000 burst 16 ecn probability 0.02 bandwidth $CARATE # Build special queueing local ID=2 for QUEUE in $SPQUEUE; do local BOUNDED=`echoAddParm $QUEUE` # Add class and queue tc class add dev $1 parent $HNDL2:0 classid :$ID \ est 1sec 8sec cbq bandwidth $BNDWIDTH \ rate `echoRate $QUEUE` allot $PXMTU \ $BOUNDED prio 6 \ avpkt 1000 tc qdisc add dev $1 parent $HNDL2:$ID sfq perturb 15 #tc qdisc add dev $1 parent $HNDL2:$ID red ecn min 10000 max 30000 limit 75000 avpkt 1000 burst 16 ecn probability 0.02 bandwidth $BNDWIDTH # Add the filter tc filter add dev $1 parent $HNDL2:0 protocol ip \ priority 70 handle `echoMark $QUEUE` fw \ classid $HNDL2:$ID ID=$(($ID+1)) done return 0 } ############################################################################### # End ############################################################################### netscript-2.4-5.3.0ubuntu1/network.conf.50000664000000000000000000000003112262426365014754 0ustar .so netscript-2.4.conf.5 netscript-2.4-5.3.0ubuntu1/TODO0000664000000000000000000000030012262426365012740 0ustar - write better man pages - create a Makefile to install this stuff on any system - make protable to Linux Distrubtions other than Debian - add Makefile options to set install directories etc. netscript-2.4-5.3.0ubuntu1/if.conf.50000664000000000000000000000003112262426365013661 0ustar .so netscript-2.4.conf.5 netscript-2.4-5.3.0ubuntu1/wep.conf0000775000000000000000000000134112262426365013723 0ustar #!/bin/sh [ "$1" != "eth2" ] && exit 0 case $2 in #cmonline-rf) # /sbin/iwconfig $1 essid cmonline # /sbin/iwconfig $1 enc restricted # I=1 # #Apply WEP keys. 128 bit WEP key are 13 bytes long! # # That is 26 heax digits. # # Anything longer than this can crash prism54 firmware # # with weird gummy outcomes for the wifi interface # # (No hardware damage, just doesn't work in weird # # and mysterious ways.) 
# for KEY in DEADBEEF1 DEADBEEF2 DEADBEEF3 DEADBEEF4; do # /sbin/iwconfig $1 enc "[${I}]" "$KEY" # I=$(( $I + 1 )) # done # ;; *) /sbin/iwconfig $1 essid any /sbin/iwconfig $1 ap any /sbin/iwconfig $1 enc off ;; esac netscript-2.4-5.3.0ubuntu1/ipfilter.conf0000664000000000000000000007162512262426365014757 0ustar # # # ipfilter.conf This file contains the functions that contain the firewall # and ipfilter configuration. This is an example setup for # IP masquearding # # set -x # Uncomment for script debug # DONT change this! LOCAL_NET=127.0.0.0/8 LOCAL_IP=127.0.0.1 # Source local ipfilter definitions IPFILTER_LOCAL="/etc/netscript/ipfilter-local.conf" [ -f $IPFILTER_LOCAL ] && source $IPFILTER_LOCAL # Some functions to handle Protocol IP Port tuples echoParam () { local format="$1" local IFS='_' set -- $2 eval "echo \"$format\"" } echoIpPort () { local format1="$1" local format2="$2" local testpar="$3" local IFS='_' set -- $4 eval "echo -n \"$format1\"" eval "if [ -n \"$testpar\" ]; then echo \" $format2\" fi" } # Check and see if a chain exists or not ipv4_checkChain () { if qt $IPTBL -N $1; then return 1 fi return 0 } ipv6_checkChain () { if qt $IP6TBL -N $1; then return 1 fi return 0 } # If a chain does not exist, create it # First arg is the chain name, all the rest are the args and name of the # creation function ipv4_createChain () { local CHAIN=$1 local FN=$2 shift 2 if ipv4_checkChain $CHAIN; then return 0 fi ipf4_${FN} "$@" } ipv6_createChain () { local CHAIN=$1 local FN=$2 shift 2 if ipv6_checkChain $CHAIN; then return 0 fi ipf6_${FN} "$@" } # A function to build a logging chain ( NB: This does not process timber # products ) ipf4_log () { local NET local LOG_MSG="Def log: $CHAIN" local NO_TARG=0 local F OPTIND=1 while getopts nl: F; do case $F in n) NO_TARG=1;; l) LOG_MSG="$3";; esac done shift $(($OPTIND - 1)) local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=log fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null 
$IPTBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \ --log-prefix "$LOG_MSG - " \ --log-tcp-options --log-ip-options \ -m limit --limit $LOG_MAXRATE/second if [ $NO_TARG -eq 0 ]; then # Catch all packets and DROP/REJECT them # DROP all ICMP packets as it does not make sense # to reply to these $IPTBL -A $CHAIN -p icmp -j DROP if [ -z "$2" ]; then $IPTBL -A $CHAIN -j $LOG_TARGET else $IPTBL -A $CHAIN -j $2 fi fi return 0 } # A function to filter out Martian source addresses ipf4_martians () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=martians fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP # The source addresses listed here are conservatively # invalid as they are either used as broadcast/multicast # destation addresses, a special value in IP stacks, loopback # networks and illegal/ambiguous Classed IP addressing networks. # # You can add your 'martian/invalid' source address blocks to the # MARTIAN_NETS list in /etc/netscript/network.conf # Bypass checks for certain netblocks that are internal. 
for NET in $MARTIAN_BYPASS; do $IPTBL -A $CHAIN -j RETURN -s $NET done case $LOG_NOISE in yes|YES|Yes) # RFC 1918/1627/1597 blocks $IPTBL -A $CHAIN -j droplog -p all -s 10.0.0.0/8 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 172.16.0.0/12 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 192.168.0.0/16 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 169.254.0.0/16 -d 0/0 ;; *) # Block all DHCP/BOOTP queries without logging $IPTBL -A $CHAIN -j DROP -p udp -s 0.0.0.0 -d 0/0 --dport bootps # RFC 1918/1627/1597 blocks $IPTBL -A $CHAIN -j DROP -p all -s 10.0.0.0/8 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 172.16.0.0/12 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 192.168.0.0/16 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 169.254.0.0/16 -d 0/0 ;; esac # All ones, all zeroes $IPTBL -A $CHAIN -j droplog -p all -s 0.0.0.0 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 255.255.255.255 -d 0/0 # Loop back addresses $IPTBL -A $CHAIN -j droplog -p all -s 127.0.0.0/8 -d 0/0 # Multicast source addresses $IPTBL -A $CHAIN -j droplog -p all -s 224.0.0.0/4 -d 0/0 # RFC 3468 6to4 anycast relays you may want to route to this ! 
#$IPTBL -A $CHAIN -j droplog -p all -s 192.88.99.0/24 -d 0/0 # IANA reserved blocks (Martians from the gated restricted list # - actually impossible/ambiguous classed networks) $IPTBL -A $CHAIN -j droplog -p all -s 0.0.0.0/8 -d 0/0 # RFC 5736 $IPTBL -A $CHAIN -j droplog -p all -s 192.0.0.0/24 -d 0/0 # RFC 5737 TEST-NET-1 $IPTBL -A $CHAIN -j droplog -p all -s 192.0.2.0/24 -d 0/0 # RFC 2544 Device Bench mark testing $IPTBL -A $CHAIN -j droplog -p all -s 198.18.0.0/15 -d 0/0 # RFC 5737 TEST-NET-2 $IPTBL -A $CHAIN -j droplog -p all -s 198.51.100.0/24 -d 0/0 # RFC 5737 TEST-NET-3 $IPTBL -A $CHAIN -j droplog -p all -s 203.0.113.0/24 -d 0/0 # RFC 1112, Section 4 Reserved for furture $IPTBL -A $CHAIN -j droplog -p all -s 240.0.0.0/4 -d 0/0 # Addtions/other IANA reserved blocks for NET in $MARTIAN_NETS; do $IPTBL -A $CHAIN -j droplog -p all -s $NET -d 0/0 done; unset NET return 0 } # A function to assist with spoof protection when rp_filter is turned # off. Very useful with Free S/WAN IPSEC. ipf4_ingress () { local CHAIN=$1 local IP if [ -z "$CHAIN" ]; then CHAIN=ingress fi # Clean out any existing chain qt $IPTBL -F $CHAIN qt $IPTBL -N $CHAIN # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP for IP in $INGRESS_IPS; do iptables -A $CHAIN -j droplog -s $IP done } # Another function to assist with spoof protection when rp_filter is turned # off. Very useful with Free S/WAN IPSEC. ipf4_ingrssfwd () { local CHAIN=$1 local NET if [ -z "$CHAIN" ]; then CHAIN=ingrssfwd fi # Clean out any existing chain qt $IPTBL -F $CHAIN qt $IPTBL -N $CHAIN # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP for NET in $INGRESS_FWD_NETS; do iptables -A $CHAIN -j droplog \ -s `echoIpPort '$1' '-i $2' '$2' $NET` done } ## Create a target for handling portscans as detected by psd module ## ## Not a good idea to drop packets, as psd says everything is a portscan ## when active. 
#ipf4_portscan () {
#
#    local CHAIN=$1
#
#    if [ -z "$CHAIN" ]; then
#        CHAIN=portscan
#    fi
#
#    # Clean out any existing chain
#    qt $IPTBL -F $CHAIN
#    qt $IPTBL -N $CHAIN
#
#    # Make sure the log chain exists with drop policy
#    ipv4_createChain logprtscn log -n -l "PORTSCAN DETECTED" logprtscn DROP
#
#    [ -n "$PORTSCAN_WEIGHT_THRESHOLD" ] \
#        && local OPT_PWT="--psd-weight-threshold $PORTSCAN_WEIGHT_THRESHOLD"
#    [ -n "$PORTSCAN_DELAY_THRESHOLD" ] \
#        && local OPT_PDT="--psd-delay-threshold $PORTSCAN_DELAY_THRESHOLD"
#    [ -n "$PORTSCAN_LOPORTS_WEIGHT" ] \
#        && local OPT_PLPW="--psd-lo-ports-weight $PORTSCAN_LOPORTS_WEIGHT"
#    [ -n "$PORTSCAN_HIPORTS_WEIGHT" ] \
#        && local OPT_PHPW="--psd-hi-ports-weight $PORTSCAN_HIPORTS_WEIGHT"
#
#    $IPTBL -A portscan -j logprtscn -m psd \
#        $OPT_PWT $OPT_PDT $OPT_PLPW $OPT_PHPW
#}

ipf4_smb () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=smb
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Block SMB/Windows networking to protect Windows boxes and to stop
    # Windows NT doing braindead things with mail, www, etc
    # This also prevents Internet Explorer spraying user logins
    # and passwords everywhere
    # SMB port also blocked for security reasons.
    # If you need to do this, set up IPSEC between windows clients.
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport 135
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport 135
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport microsoft-ds
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport microsoft-ds
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport 135 -d 0/0
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport 135 -d 0/0
    $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport microsoft-ds -d 0/0
    $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport microsoft-ds -d 0/0
}

# A function to control SNMP access on a network
ipf4_snmp () {
    local LOG_CHAIN=$2
    local CHAIN=$1
    local SNMP_IP

    if [ -z "$LOG_CHAIN" ]; then
        LOG_CHAIN=log
    fi
    if [ -z "$CHAIN" ]; then
        CHAIN=snmp
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv4_createChain log log $LOG_CHAIN

    if [ -z "$SNMP_BLOCK_DEST" ]; then
        local SNMP_BLOCK_DEST="0/0"
    fi
    for SNMP_IP in $SNMP_MANAGER_IPS; do
        $IPTBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $SNMP_BLOCK_DEST --dport 161:162
    done;
    $IPTBL -A $CHAIN -j $LOG_CHAIN -p udp -s 0/0 -d $SNMP_BLOCK_DEST --dport 161:162
}

ipf4_icmphost () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=icmphost
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv4_createChain log log

    # ICMP - we don't want these
    # Stop ICMP time stamp messages - don't need these
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request
    $IPTBL -A $CHAIN -j log -p \
        icmp --icmp-type address-mask-reply
}

ipf4_icmpfwd () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=icmpfwd
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv4_createChain log log

    # ICMP - we don't want these
    # Stop ICMP time stamp messages and redirects - don't need these
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type redirect
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request
    $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-reply
}

ipf4_inbrdr () {
    local CHAIN=$1
    local IP DEST SRC

    if [ -z "$CHAIN" ]; then
        CHAIN=inbrdr
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Create chains if they do not exist
    ipv4_createChain log log log REJECT
    ipv4_createChain droplog log droplog DROP
    ipv4_createChain icmpfwd icmpfwd
    ipv4_createChain martians martians

    # Source blocking
    for SRC in $BLOCKED_INSRC; do
        $IPTBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \
            -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
    done; unset SRC
    for SRC in $LOGGED_BLOCKED_INSRC; do
        $IPTBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \
            -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
    done; unset SRC

    # Get rid of unwanted ICMP packets
    $IPTBL -A $CHAIN -j icmpfwd

    # Get rid of incoming Martians
    $IPTBL -A $CHAIN -j martians

    # Prevent RFC 1918/1627/1597 IP packets from coming in
    $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8
    $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16
    $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12

    # Allow icmp/BGP in on our link net
    if [ -n "$LINK_NET" ]; then
        $IPTBL -A $CHAIN -j ACCEPT -p icmp -s $LINK_NET
        $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET \
            -d $LINK_NET --dport bgp
        $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET --sport bgp \
            -d $LINK_NET --dport 1024:65535 ! \
            --syn
        #$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET \
        #    -d $LINK_NET --dport egp
        #$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET --sport egp \
        #    -d $LINK_NET --dport 1024:65535
    fi

    # Get rid of fake packets from our internal source addresses
    for IP in $IP_BLOCKS; do
        $IPTBL -A $CHAIN -j droplog -s $IP
    done; unset IP

    # Destination blocking
    for DEST in $BLOCKED_INDEST; do
        $IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
    done; unset DEST
    for DEST in $LOGGED_BLOCKED_INDEST; do
        $IPTBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
    done; unset DEST

    # SNMP control - Prevent SNMP access to our network
    if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
        -o "$SNMP_BLOCK" = "yes" ] ; then
        $IPTBL -A $CHAIN -j log -p udp --dport 161:162
    fi

    # Block SMB stuff on input interface
    if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
        "$SMB_BLOCK" = "yes" ]; then
        ipv4_createChain smb smb
        $IPTBL -A $CHAIN -j smb
    fi

    # DNS control - only allow certain machines to do zone transfers
    if [ -n "$DNS_IPS" ]; then
        for IP in $DNS_IPS; do
            $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain
        done; unset IP
        $IPTBL -A $CHAIN -j log -p tcp --dport domain
    fi

    return 0
}

ipf4_outbrdr () {
    local CHAIN=$1
    local IP DEST SRC

    if [ -z "$CHAIN" ]; then
        CHAIN=outbrdr
    fi

    # Clean out any existing chain
    $IPTBL -F $CHAIN >& /dev/null
    $IPTBL -N $CHAIN >& /dev/null

    # Create chains if they do not exist
    ipv4_createChain log log log REJECT
    ipv4_createChain droplog log droplog DROP
    ipv4_createChain martians martians

    # Stop outgoing RFC 1918/1627/1597 packets
    $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8
    $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16
    $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12

    # Log and stop certain outgoing traffic
    for DEST in $BLOCKED_OUTDEST; do
        $IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' '--dport $3' '$3' $DEST`
    done; unset DEST
    for DEST in $LOGGED_BLOCKED_OUTDEST; do
        $IPTBL -A \
            $CHAIN -j log -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' '--dport $3' '$3' $DEST`
    done; unset DEST

    # Block SMB stuff on output interface
    if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
        "$SMB_BLOCK" = "yes" ]; then
        ipv4_createChain smb smb
        $IPTBL -A $CHAIN -j smb
    fi

    # Control Outgoing Source addresses
    local TARGET=${OUT_TARGET:='ACCEPT'}
    for IP in $IP_BLOCKS; do
        $IPTBL -A $CHAIN -j $TARGET -s $IP
    done; unset IP
    $IPTBL -A $CHAIN -j droplog

    return 0
}

ipf4_laptopfw () {
    local USAGE="netscript fN ipv4_laptop_fwadj() [-f] [in-chain [out-chain]]"
    local FLUSH=0
    local F OPTIND=1

    while getopts f F; do
        case $F in
        f) FLUSH=1 ;;
        # getopts reports an unknown option as '?'
        h|\?) echo 1>&2
            echo "$USAGE" 1>&2
            echo 1>&2
            return 1
        esac
    done
    shift $(($OPTIND - 1))

    local CHAIN_IN="$1"
    local CHAIN_OUT="$2"
    local IN=''
    local OUT=''

    if [ -z "$CHAIN_IN" ]; then
        CHAIN_IN=laptopin
    fi
    if [ -z "$CHAIN_OUT" ]; then
        CHAIN_OUT=laptopout
    fi

    # Clean out any existing chain
    qt $IPTBL -F $CHAIN_IN
    qt $IPTBL -F $CHAIN_OUT
    qt $IPTBL -X $CHAIN_IN
    qt $IPTBL -X $CHAIN_OUT

    # Set global variables based on what whereami has found out
    if ! qt type if_laptop_fwdata; then
        return 1
    fi
    if ! if_laptop_fwdata; then
        return 0
    fi

    # Don't do any more if we are just cleaning up
    if [ $FLUSH -gt 0 ]; then
        return 0
    fi

    [ -n "$LAPTOP_IN" ] && qt $IPTBL -N $CHAIN_IN
    [ -n "$LAPTOP_OUT" ] && qt $IPTBL -N $CHAIN_OUT

    # Fill in the chains
    for IN in $LAPTOP_IN; do
        $IPTBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \
            -p `echoParam '$1' "$IN"` \
            -s `echoIpPort '$2' '--dport $3' '$3' "$IN"`
    done
    for OUT in $LAPTOP_OUT; do
        $IPTBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \
            -p `echoParam '$1' "$OUT"` \
            -d `echoIpPort '$2' '--dport $3' '$3' "$OUT"`
    done
}

# IPv6 Functions

# A function to build a logging chain ( NB: This does not process timber
# products )
ipf6_log () {
    local NET
    local LOG_MSG=''
    local NO_TARG=0
    local F OPTIND=1

    while getopts nl: F; do
        case $F in
        n) NO_TARG=1;;
        l) LOG_MSG="$OPTARG";;
        esac
    done
    shift $(($OPTIND - 1))

    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=log
    fi
    # Default log prefix names the chain, now that the name is known
    if [ -z "$LOG_MSG" ]; then
        LOG_MSG="Def log: $CHAIN"
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    $IP6TBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \
        --log-prefix "$LOG_MSG - " \
        --log-tcp-options --log-ip-options \
        -m limit --limit $LOG_MAXRATE/second

    if [ $NO_TARG -eq 0 ]; then
        # Catch all packets and DROP/REJECT them
        # DROP all ICMPv6 packets as it does not make sense
        # to reply to these
        $IP6TBL -A $CHAIN -p icmpv6 -j DROP
        if [ -z "$2" ]; then
            $IP6TBL -A $CHAIN -j $IPV6_LOG_TARGET
        else
            $IP6TBL -A $CHAIN -j $2
        fi
    fi

    return 0
}

ipf6_icmphost () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=icmphost
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv6_createChain log log

    # ICMP - we want these, from RFC 4980 Section 4.4
    local TYPE
    # These should be accepted from local network
    for TYPE in destination-unreachable \
        packet-too-big \
        time-exceeded \
        parameter-problem \
        echo-request \
        echo-reply \
        neighbour-solicitation \
        neighbour-advertisement \
        141 \
        142 \
        router-solicitation \
        router-advertisement \
        130 131 \
        132 143 \
        148 149 \
        151 152 153
    do
        $IP6TBL -A $CHAIN -j ACCEPT -m limit \
            --limit $IPV6_ICMPHOST_MAXRATE/second \
            -p icmpv6 --icmpv6-type $TYPE
    done

    # ICMPv6 - Things we optionally want
    for TYPE in $IPV6_ICMPHOST_OPTIONAL
    do
        $IP6TBL -A $CHAIN -j ACCEPT -m limit \
            --limit $IPV6_ICMPHOST_MAXRATE/second \
            -p icmpv6 --icmpv6-type $TYPE
    done

    # Accept local DHCPv6 replies
    $IP6TBL -A $CHAIN -j ACCEPT -s fe80::/10 \
        -p udp --dport 546

    # Log ICMP we don't want
    $IP6TBL -A $CHAIN -p icmpv6 -j log
}

ipf6_icmpfwd () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=icmpfwd
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv6_createChain log log

    # ICMP - we want these, from RFC 4980 Section 4.4
    local TYPE
    for TYPE in destination-unreachable \
        packet-too-big \
        time-exceeded \
        parameter-problem \
        echo-request \
        echo-reply; do
        $IP6TBL -A $CHAIN -j ACCEPT -m limit \
            --limit $IPV6_ICMPFWD_MAXRATE/second \
            -p icmpv6 --icmpv6-type $TYPE
    done

    # ICMPv6 - Things we optionally want to forward
    for TYPE in $IPV6_ICMPFWD_OPTIONAL
    do
        $IP6TBL -A $CHAIN -j ACCEPT -m limit \
            --limit $IPV6_ICMPFWD_MAXRATE/second \
            -p icmpv6 --icmpv6-type $TYPE
    done

    # ICMP - we don't want these
    # Also stops ICMP time stamp messages and redirects - don't need these
    $IP6TBL -A $CHAIN -j log -p icmpv6
}

# A function to filter out Martian source addresses
ipf6_martians () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=martians
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Make sure the log chain exists with drop policy
    ipv6_createChain droplog log droplog DROP

    # The source addresses listed here are conservatively
    # invalid as they are either used as broadcast/multicast
    # destination addresses, a special value in IP stacks, loopback
    # networks and illegal/ambiguous Classed IP addressing networks.
    #
    # You can add your 'martian/invalid' source address blocks to the
    # MARTIAN_NETS list in /etc/netscript/network.conf

    # Bypass checks for certain netblocks that are internal.
    for NET in $IPV6_MARTIAN_BYPASS; do
        $IP6TBL -A $CHAIN -j RETURN -s $NET
    done

    case $IPV6_LOG_NOISE in
    yes|YES|Yes)
        # RFC 4193 Unique Local Addresses
        $IP6TBL -A $CHAIN -j droplog -p all -s fc00::/7 -d ::/0
        # Link local addresses
        $IP6TBL -A $CHAIN -j droplog -p all -s fe80::/10 -d ::/0
        ;;
    *)
        # RFC 4193 Unique Local Addresses
        $IP6TBL -A $CHAIN -j DROP -p all -s fc00::/7 -d ::/0
        # Link local addresses
        $IP6TBL -A $CHAIN -j DROP -p all -s fe80::/10 -d ::/0
        ;;
    esac

    # All zeroes
    $IP6TBL -A $CHAIN -j droplog -p all -s :: -d ::/0
    # Loop back address
    $IP6TBL -A $CHAIN -j droplog -p all -s ::1 -d ::/0
    # Multicast source addresses
    $IP6TBL -A $CHAIN -j droplog -p all -s ff00::/8 -d ::/0
    # IPv4 Mapped addresses
    $IP6TBL -A $CHAIN -j droplog -p all -s ::ffff:0:0/96 -d ::/0
    # Documentation addresses
    $IP6TBL -A $CHAIN -j droplog -p all -s 2001:db8::/32 -d ::/0
    # ORCHID - Overlay Routable Cryptographic Hash Identifiers
    $IP6TBL -A $CHAIN -j droplog -p all -s 2001:10::/28 -d ::/0
    # Additions/other IANA reserved blocks
    for NET in $IPV6_MARTIAN_NETS; do
        $IP6TBL -A $CHAIN -j droplog -p all -s $NET -d ::/0
    done; unset NET

    return 0
}

ipf6_mrtnshost () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=mrtnshost
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Make sure the martians chain exists
    ipv6_createChain martians martians

    # Divert link-local traffic back to the calling chain
    $IP6TBL -A $CHAIN -s fe80::/10 -j RETURN
    $IP6TBL -A $CHAIN -j martians
}

# A function to assist with spoof protection when rp_filter is turned
# off. Very useful with Free S/WAN IPSEC.
ipf6_ingress () {
    local CHAIN=$1
    local IP

    if [ -z "$CHAIN" ]; then
        CHAIN=ingress
    fi

    # Clean out any existing chain
    qt $IP6TBL -F $CHAIN
    qt $IP6TBL -N $CHAIN

    # Make sure the log chain exists with drop policy
    ipv6_createChain droplog log droplog DROP

    for IP in $IPV6_INGRESS_IPS; do
        $IP6TBL -A $CHAIN -j droplog -s $IP
    done
}

# Another function to assist with spoof protection when rp_filter is turned
# off. Early Linux IPv6 does not have rp_filter
ipf6_ingrssfwd () {
    local CHAIN=$1
    local NET

    if [ -z "$CHAIN" ]; then
        CHAIN=ingrssfwd
    fi

    # Clean out any existing chain
    qt $IP6TBL -F $CHAIN
    qt $IP6TBL -N $CHAIN

    # Make sure the log chain exists with drop policy
    ipv6_createChain droplog log droplog DROP

    for NET in $IPV6_INGRESS_FWD_NETS; do
        $IP6TBL -A $CHAIN -j droplog \
            -s `echoIpPort '$1' '-i $2' '$2' $NET`
    done
}

ipf6_smb () {
    local CHAIN=$1

    if [ -z "$CHAIN" ]; then
        CHAIN=smb
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Block SMB/Windows networking to protect Windows boxes and to stop
    # Windows NT doing braindead things with mail, www, etc
    # Block CIFS/SMB ports as they are vulnerable
    # If this is needed, configure IPSEC for the connection
    $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport netbios-ssn -d ::/0
    $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport netbios-ssn -d ::/0
    $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport netbios-ssn
    $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport netbios-ssn
    $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport microsoft-ds -d ::/0
    $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport microsoft-ds -d ::/0
    $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport microsoft-ds
    $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport microsoft-ds
}

# A function to control SNMP access on a network
ipf6_snmp () {
    local LOG_CHAIN=$2
    local CHAIN=$1
    local SNMP_IP

    if [ -z "$LOG_CHAIN" ]; then
        LOG_CHAIN=log
    fi
    if [ -z "$CHAIN" ]; then
        CHAIN=snmp
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Create log chain with default target
    ipv6_createChain log log $LOG_CHAIN

    if [ -z "$IPV6_SNMP_BLOCK_DEST" ]; then
        local IPV6_SNMP_BLOCK_DEST="::/0"
    fi
    for SNMP_IP in $IPV6_SNMP_MANAGER_IPS; do
        $IP6TBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $IPV6_SNMP_BLOCK_DEST --dport 161:162
    done;
    # Any-source match must be the IPv6 form ::/0, not the IPv4 0/0
    $IP6TBL -A $CHAIN -j $LOG_CHAIN -p udp -s ::/0 -d $IPV6_SNMP_BLOCK_DEST --dport 161:162
}

ipf6_inbrdr () {
    local CHAIN=$1
    local IP DEST SRC

    if [ -z "$CHAIN" ]; then
        CHAIN=inbrdr
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Create chains if they do not exist
    ipv6_createChain log log log REJECT
    ipv6_createChain droplog log droplog DROP
    ipv6_createChain icmpfwd icmpfwd
    ipv6_createChain martians martians

    # Source blocking
    for SRC in $IPV6_BLOCKED_INSRC; do
        $IP6TBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \
            -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
    done; unset SRC
    for SRC in $IPV6_LOGGED_BLOCKED_INSRC; do
        $IP6TBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \
            -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
    done; unset SRC

    # Get rid of unwanted ICMP packets
    $IP6TBL -A $CHAIN -j icmpfwd

    # Get rid of incoming Martians
    $IP6TBL -A $CHAIN -j martians

    # Prevent ULA IP packets from coming in
    $IP6TBL -A $CHAIN -j DROP -d fc00::/7

    # Allow icmpv6/BGP in on our link net
    if [ -n "$IPV6_LINK_NET" ]; then
        $IP6TBL -A $CHAIN -j ACCEPT -p icmpv6 -s $IPV6_LINK_NET
        $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \
            -d $IPV6_LINK_NET --dport bgp
        $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \
            --sport bgp -d $IPV6_LINK_NET --dport 1024:65535 \
            ! \
            --syn
    fi

    # Get rid of fake packets from our internal source addresses
    for IP in $IPV6_IP_BLOCKS; do
        $IP6TBL -A $CHAIN -j droplog -s $IP
    done; unset IP

    # Destination blocking
    for DEST in $IPV6_BLOCKED_INDEST; do
        $IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
    done; unset DEST
    for DEST in $IPV6_LOGGED_BLOCKED_INDEST; do
        $IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
    done; unset DEST

    # SNMP control - Prevent SNMP access to our network
    if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
        -o "$SNMP_BLOCK" = "yes" ] ; then
        $IP6TBL -A $CHAIN -j log -p udp --dport 161:162
    fi

    # Block SMB stuff on input interface
    if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
        "$SMB_BLOCK" = "yes" ]; then
        ipv6_createChain smb smb
        $IP6TBL -A $CHAIN -j smb
    fi

    # DNS control - only allow certain machines to do zone transfers
    if [ -n "$IPV6_DNS_IPS" ]; then
        for IP in $IPV6_DNS_IPS; do
            $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain
        done; unset IP
        $IP6TBL -A $CHAIN -j log -p tcp --dport domain
    fi

    return 0
}

ipf6_outbrdr () {
    local CHAIN=$1
    local IP DEST SRC

    if [ -z "$CHAIN" ]; then
        CHAIN=outbrdr
    fi

    # Clean out any existing chain
    $IP6TBL -F $CHAIN >& /dev/null
    $IP6TBL -N $CHAIN >& /dev/null

    # Create chains if they do not exist
    ipv6_createChain log log log REJECT
    ipv6_createChain droplog log droplog DROP
    ipv6_createChain martians martians

    # Stop outgoing ULA
    $IP6TBL -A $CHAIN -j DROP -d fc00::/7

    # Log and stop certain outgoing traffic
    for DEST in $IPV6_BLOCKED_OUTDEST; do
        $IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' '--dport $3' '$3' $DEST`
    done; unset DEST
    for DEST in $IPV6_LOGGED_BLOCKED_OUTDEST; do
        $IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
            -d `echoIpPort '$2' '--dport $3' '$3' $DEST`
    done; unset DEST

    # Block SMB stuff on output interface
    if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
        "$SMB_BLOCK" = "yes" ]; then
        ipv6_createChain smb smb
        $IP6TBL -A $CHAIN -j smb
    fi

    # Control Outgoing Source addresses
    local TARGET=${IPV6_OUT_TARGET:="ACCEPT"}
    for IP in $IPV6_IP_BLOCKS; do
        $IP6TBL -A $CHAIN -j $TARGET -s $IP
    done; unset IP
    $IP6TBL -A $CHAIN -j droplog

    return 0
}

ipf6_laptopfw () {
    local USAGE="netscript fN ipv6_laptop_fwadj() [-f] [in-chain [out-chain]]"
    local FLUSH=0
    local F OPTIND=1

    while getopts f F; do
        case $F in
        f) FLUSH=1 ;;
        # getopts reports an unknown option as '?'
        h|\?) echo 1>&2
            echo "$USAGE" 1>&2
            echo 1>&2
            return 1
        esac
    done
    shift $(($OPTIND - 1))

    local CHAIN_IN="$1"
    local CHAIN_OUT="$2"
    local IN=''
    local OUT=''

    if [ -z "$CHAIN_IN" ]; then
        CHAIN_IN=laptopin
    fi
    if [ -z "$CHAIN_OUT" ]; then
        CHAIN_OUT=laptopout
    fi

    # Clean out any existing chain
    qt $IP6TBL -F $CHAIN_IN
    qt $IP6TBL -F $CHAIN_OUT
    qt $IP6TBL -X $CHAIN_IN
    qt $IP6TBL -X $CHAIN_OUT

    # Set global variables based on what whereami has found out
    if ! qt type if_laptop_fwdata; then
        return 1
    fi
    if ! if_laptop_fwdata; then
        return 0
    fi

    # Don't do any more if we are just cleaning up
    if [ $FLUSH -gt 0 ]; then
        return 0
    fi

    [ -n "$IPV6_LAPTOP_IN" ] && qt $IP6TBL -N $CHAIN_IN
    [ -n "$IPV6_LAPTOP_OUT" ] && qt $IP6TBL -N $CHAIN_OUT

    # Fill in the chains
    for IN in $IPV6_LAPTOP_IN; do
        $IP6TBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \
            -p `echoParam '$1' "$IN"` \
            -s `echoIpPort '$2' '--dport $3' '$3' "$IN"`
    done
    for OUT in $IPV6_LAPTOP_OUT; do
        $IP6TBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \
            -p `echoParam '$1' "$OUT"` \
            -d `echoIpPort '$2' '--dport $3' '$3' "$OUT"`
    done
}

netscript-2.4-5.3.0ubuntu1/netscript.8

.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NET 8 "January 24, 2003"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp <n>    insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
netscript \- netscript network configuration command
.SH SYNOPSIS
.B netscript start|stop|reload|restart
.br
.B netscript ifup|ifdown|ifqos|ifreload
.I |all
.br
.B netscript ipfilter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ipfilter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ipfilter exec
.I | [chain p1 p2 ...]
.br
.B netscript ip6filter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ip6filter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ip6filter exec
.I | [chain p1 p2 ...]
.br
.SH DESCRIPTION
This manual page documents briefly the
.B netscript
command from the netscript router/firewall network configuration package.
This command is used to configure/reconfigure the interface configuration,
ipchains filter setup, and ip route service (
.B QoS
) setup that are configured in netscript's configuration files.
It can manipulate individual interfaces, and reconfigure the iptables
filter contents and firewall setup, or reconfigure the
.B QoS
setup.
It is rather incomplete as it does not describe fully the finely tuned
manipulations that happen due to netscript's design, which enables a
Linux box to serve as a high availability, heavy-duty, mission-critical
network router or firewall.
.SH IPTABLES CONFIGURATION
Configuration saving is done by
.BR iptables-save (8)
and
.BR iptables-restore (8).
.SH OPTIONS
.TP
.B start
Set up the networking configuration by loading ipchains filters, setting up
the bridge, configuring interfaces and running any configured lower layer
protocol daemons or commands. For use from a startup script.
.TP
.B stop
Shut everything down. For use from a startup script.
.TP
.B reload
Refresh the setup of netscript, except for iptables, from the
configuration files in /etc/netscript
.TP
.B restart|force-reload
Stop everything and then start everything again. For use from a startup
script.
.TP
.BI ifup \ |all
Bring interface(s) up by starting any protocol daemons, and configuring
interfaces.
.TP
.BI ifdown \ |all
Shut down said interface(s) by doing the reverse of ifup.
.TP
.BI ifqos \ |all
Reload QoS configuration for interface(s).
.TP
.BI ifreload \ |all
Refresh the interface setup and implement any configuration changes.
.TP
.BI ifreset \ |all
Shut down and then restart interface(s), reloading configuration from the
lower layer up to the network layer.
.TP
.B ipfilter load|reload
Load/reload the IPv4 iptables filters and reconfigure the firewalling,
from that saved in
.I /etc/netscript/iptables
(via
.B iptables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ipfilter save
Save the IPv4 iptables configuration to /etc/netscript/iptables via
.B iptables-save(8)
, after backing it up to
.I /etc/netscript/iptables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ipfilter\ usebackup\ [ \ backup-number\ ]
Restore the IPv4 iptables setup from the backup configuration in
.I /etc/netscript/iptables.n
( default 1 ) via
.B iptables-restore(8).
.TP
.B ipfilter clear|flush
Remove iptables and any firewall setup, and if IPV4_FWDING_KERNEL is set
to FILTER_ON (see
.B network.conf(5)
), disable all IPv4 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably safe
check to be made with the filtering down.
.TP
.B ipfilter forward|fwd
Turns on the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ipfilter noforward|nofwd
Turns off the IPv4 kernel forwarding switch manually.
This is irrespective of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will cut off reachability.
.TP
.B ipfilter fairq
Reload the IPv4
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.TP
.B ip6filter load|reload
Load/reload the IPv6 iptables filters and reconfigure the firewalling,
from that saved in
.I /etc/netscript/ip6tables
(via
.B ip6tables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ip6filter save
Save the IPv6 iptables configuration to /etc/netscript/ip6tables via
.B ip6tables-save(8)
, after backing it up to
.I /etc/netscript/ip6tables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ip6filter\ usebackup\ [ \ backup-number\ ]
Restore the IPv6 iptables setup from the backup configuration in
.I /etc/netscript/ip6tables.n
( default 1 ) via
.B ip6tables-restore(8).
.TP
.B ip6filter clear|flush
Remove the IPv6 iptables setup, and if IPV6_FWDING_KERNEL is set to
FILTER_ON (see
.B network.conf(5)
), disable all IPv6 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably safe
check to be made with the filtering down.
.TP
.B ip6filter forward|fwd
Turns on the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ip6filter noforward|nofwd
Turns off the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will affect reachability.
.TP
.B ip6filter fairq
Reload the IPv6
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.SH FILES
.I /etc/netscript/if.conf, /etc/netscript/ipfilter.conf,
.br
.I /etc/netscript/network.conf, /etc/netscript/qos.conf,
.br
.I /etc/netscript/iptables, /etc/netscript/ip6tables,
.br
.SH SEE ALSO
.BR if.conf (5),
.BR ipfilter.conf (5),
.BR network.conf (5),
.BR qos.conf (5),
.BR ip (8),
.BR tc (8),
.BR iptables (8),
.BR iptables-restore (8),
.BR iptables-save (8),
.BR ip6tables (8),
.BR ip6tables-restore (8),
.BR ip6tables-save (8),
.BR brcfg (8).
.br
.SH AUTHOR
This manual page was written by Matthew Grant, for the Debian GNU/Linux
system (but may be used by others).
.SH BUGS
I wrote this manpage when I was half asleep...

netscript-2.4-5.3.0ubuntu1/BUGS

- It can configure my router, but not cook a pizza yet!
- Debian specific, needs a little work for use on Red Hat....
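The check that belongs with the ipf4_martians chain and with `netscript ipfilter save`: an audit script, added here and not part of netscript, that reads a ruleset in iptables-save format and reports every martian source block from ipf4_martians that the saved `martians` chain no longer drops. It assumes the chain is still named `martians` and runs on constructed sample rulesets written to a temporary directory rather than on /etc/netscript/iptables.

```shell
#!/bin/sh
# Added example (not part of netscript): audit a saved IPv4 ruleset in
# iptables-save format, as written by 'netscript ipfilter save', and list
# every martian source block that ipf4_martians installs but that has no
# DROP/droplog rule in the saved 'martians' chain.
# Assumptions: iptables-save output (host addresses printed as /32, the
# default destination omitted) and a chain named 'martians'.

# Source blocks installed by ipf4_martians in ipfilter.conf, in the CIDR
# form iptables-save prints them (DROP or droplog depending on LOG_NOISE).
MARTIAN_BLOCKS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
0.0.0.0/32 255.255.255.255/32 127.0.0.0/8 224.0.0.0/4 0.0.0.0/8
192.0.0.0/24 192.0.2.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24
240.0.0.0/4"

# missing_martians FILE [CHAIN]
# Print "missing: <block>" for each expected block with no dropping rule
# in CHAIN (default: martians). Returns 0 when nothing is missing.
missing_martians() {
    file=$1
    chain=${2:-martians}
    missing=0
    for net in $MARTIAN_BLOCKS; do
        # iptables-save writes one rule per line: -A <chain> -s <net> ... -j <target>
        if ! grep -E -- "^-A $chain .*-s $net( |$).*-j (DROP|droplog)" "$file" >/dev/null; then
            echo "missing: $net"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample FILE full|gapped
# Write a constructed iptables-save fragment (not captured from a real
# system) to FILE. 'gapped' leaves out two blocks so the audit has
# something to report.
write_sample() {
    out=$1
    mode=$2
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':droplog - [0:0]'
        echo ':martians - [0:0]'
        for net in $MARTIAN_BLOCKS; do
            if [ "$mode" = gapped ]; then
                case $net in
                198.18.0.0/15|240.0.0.0/4) continue ;;
                esac
            fi
            echo "-A martians -s $net -j droplog"
        done
        # droplog chain in the shape ipf*_log builds it
        echo '-A droplog -m limit --limit 5/second -j LOG --log-prefix "droplog - "'
        echo '-A droplog -j DROP'
        echo 'COMMIT'
    } > "$out"
}

# Demonstration on the constructed samples.
TMP=$(mktemp -d)
write_sample "$TMP/iptables.full" full
write_sample "$TMP/iptables.gapped" gapped
echo "full ruleset:"
missing_martians "$TMP/iptables.full" && echo "  all martian blocks present"
echo "gapped ruleset:"
missing_martians "$TMP/iptables.gapped" || echo "  audit flagged gaps (expected)"
rm -rf "$TMP"
```

Run it against a real saved ruleset with `missing_martians /etc/netscript/iptables`, or pipe `iptables-save` into a file first if the saved copy may be stale.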