netscript/0002775000000000000000000000000013732503344007767 5ustar netscript/.bzr-builddeb/0002775000000000000000000000000012362370504012410 5ustar netscript/.bzr-builddeb/default.conf0000664000000000000000000000003112362370504014673 0ustar [BUILDDEB] native = True netscript/2.4.x-kernel.config0000664000000000000000000006570112362370504013212 0ustar # # Automatically generated make config: don't edit # CONFIG_X86=y CONFIG_ISA=y # CONFIG_SBUS is not set CONFIG_UID16=y # CONFIG_GENERIC_BUST_SPINLOCK is not set CONFIG_GENERIC_ISA_DMA=y # # Code maturity level options # CONFIG_EXPERIMENTAL=y # # Loadable module support # CONFIG_MODULES=y CONFIG_MODVERSIONS=y # CONFIG_KMOD is not set # # Processor type and features # # CONFIG_M386 is not set CONFIG_M486=y # CONFIG_M586 is not set # CONFIG_M586TSC is not set # CONFIG_M586MMX is not set # CONFIG_M686 is not set # CONFIG_MPENTIUMIII is not set # CONFIG_MPENTIUM4 is not set # CONFIG_MK6 is not set # CONFIG_MK7 is not set # CONFIG_MCRUSOE is not set # CONFIG_MWINCHIPC6 is not set # CONFIG_MWINCHIP2 is not set # CONFIG_MWINCHIP3D is not set # CONFIG_MCYRIXIII is not set CONFIG_X86_WP_WORKS_OK=y CONFIG_X86_INVLPG=y CONFIG_X86_CMPXCHG=y CONFIG_X86_XADD=y CONFIG_X86_BSWAP=y CONFIG_X86_POPAD_OK=y # CONFIG_RWSEM_GENERIC_SPINLOCK is not set CONFIG_RWSEM_XCHGADD_ALGORITHM=y CONFIG_X86_L1_CACHE_SHIFT=4 CONFIG_X86_USE_STRING_486=y CONFIG_X86_ALIGNMENT_16=y CONFIG_X86_PPRO_FENCE=y # CONFIG_TOSHIBA is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set CONFIG_NOHIGHMEM=y # CONFIG_HIGHMEM4G is not set # CONFIG_HIGHMEM64G is not set CONFIG_MATH_EMULATION=y CONFIG_MTRR=y # CONFIG_SMP is not set CONFIG_X86_UP_APIC=y CONFIG_X86_UP_IOAPIC=y CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y # # General setup # CONFIG_NET=y CONFIG_PCI=y # CONFIG_PCI_GOBIOS is not set # CONFIG_PCI_GODIRECT is not set CONFIG_PCI_GOANY=y CONFIG_PCI_BIOS=y CONFIG_PCI_DIRECT=y CONFIG_PCI_NAMES=y # CONFIG_EISA is not set # 
CONFIG_MCA is not set CONFIG_HOTPLUG=y # # PCMCIA/CardBus support # CONFIG_PCMCIA=m CONFIG_CARDBUS=y CONFIG_I82092=y CONFIG_I82365=y # CONFIG_TCIC is not set # # PCI Hotplug Support # # CONFIG_HOTPLUG_PCI is not set # CONFIG_HOTPLUG_PCI_COMPAQ is not set # CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set CONFIG_SYSVIPC=y CONFIG_BSD_PROCESS_ACCT=y CONFIG_SYSCTL=y CONFIG_KCORE_ELF=y # CONFIG_KCORE_AOUT is not set # CONFIG_BINFMT_AOUT is not set CONFIG_BINFMT_ELF=y # CONFIG_BINFMT_MISC is not set # CONFIG_PM is not set # CONFIG_ACPI is not set # CONFIG_APM is not set # # Memory Technology Devices (MTD) # # CONFIG_MTD is not set # # Parallel port support # CONFIG_PARPORT=m CONFIG_PARPORT_PC=m CONFIG_PARPORT_PC_CML1=m CONFIG_PARPORT_SERIAL=m # CONFIG_PARPORT_PC_FIFO is not set # CONFIG_PARPORT_PC_SUPERIO is not set # CONFIG_PARPORT_PC_PCMCIA is not set # CONFIG_PARPORT_AMIGA is not set # CONFIG_PARPORT_MFC3 is not set # CONFIG_PARPORT_ATARI is not set # CONFIG_PARPORT_GSC is not set # CONFIG_PARPORT_SUNBPP is not set # CONFIG_PARPORT_OTHER is not set CONFIG_PARPORT_1284=y # # Plug and Play configuration # CONFIG_PNP=y CONFIG_ISAPNP=y CONFIG_PNPBIOS=y # # Block devices # CONFIG_BLK_DEV_FD=y # CONFIG_BLK_DEV_XD is not set # CONFIG_PARIDE is not set # CONFIG_BLK_CPQ_DA is not set # CONFIG_BLK_CPQ_CISS_DA is not set # CONFIG_CISS_SCSI_TAPE is not set # CONFIG_BLK_DEV_DAC960 is not set CONFIG_BLK_DEV_LOOP=y # CONFIG_BLK_DEV_NBD is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y # # Multi-device support (RAID and LVM) # CONFIG_MD=y CONFIG_BLK_DEV_MD=m CONFIG_MD_LINEAR=m CONFIG_MD_RAID0=m CONFIG_MD_RAID1=m CONFIG_MD_RAID5=m CONFIG_MD_MULTIPATH=m CONFIG_BLK_DEV_LVM=m # # Networking options # CONFIG_PACKET=y CONFIG_PACKET_MMAP=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y CONFIG_NETLINK_DEV=y CONFIG_NETFILTER=y # CONFIG_NETFILTER_DEBUG is not set CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_RTNETLINK=y 
CONFIG_NETLINK=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_TOS=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_ROUTE_LARGE_TABLES=y # CONFIG_IP_PNP is not set CONFIG_NET_IPIP=m CONFIG_NET_IPGRE=m CONFIG_NET_IPGRE_BROADCAST=y CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y # CONFIG_IP_PIMSM_V2 is not set # CONFIG_ARPD is not set CONFIG_INET_ECN=y CONFIG_SYN_COOKIES=y # # IP: Netfilter Configuration # CONFIG_IP_NF_CONNTRACK=m CONFIG_IP_NF_FTP=m CONFIG_IP_NF_IRC=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_LIMIT=m CONFIG_IP_NF_MATCH_MAC=m CONFIG_IP_NF_MATCH_PKTTYPE=m CONFIG_IP_NF_MATCH_MARK=m CONFIG_IP_NF_MATCH_MULTIPORT=m CONFIG_IP_NF_MATCH_MPORT=m CONFIG_IP_NF_MATCH_TOS=m # CONFIG_IP_NF_MATCH_RANDOM is not set CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_TIME=m CONFIG_IP_NF_MATCH_PSD=m CONFIG_IP_NF_MATCH_NTH=m CONFIG_IP_NF_MATCH_LENGTH=m CONFIG_IP_NF_MATCH_IPV4OPTIONS=m CONFIG_IP_NF_MATCH_AH_ESP=m CONFIG_IP_NF_MATCH_TCPMSS=m CONFIG_IP_NF_MATCH_REALM=m CONFIG_IP_NF_MATCH_STATE=m CONFIG_IP_NF_MATCH_IPLIMIT=m CONFIG_IP_NF_MATCH_UNCLEAN=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_NETLINK=m CONFIG_IP_NF_TARGET_MIRROR=m CONFIG_IP_NF_NAT=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_NAT_SNMP_BASIC=m CONFIG_IP_NF_NAT_IRC=m CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_FTOS=m CONFIG_IP_NF_TARGET_MARK=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_IP_NF_TARGET_TCPMSS=m CONFIG_IP_NF_COMPAT_IPCHAINS=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_COMPAT_IPFWADM=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IPV6=m # # IPv6: Netfilter Configuration # CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_LIMIT=m CONFIG_IP6_NF_MATCH_MAC=m CONFIG_IP6_NF_MATCH_MULTIPORT=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_MARK=m CONFIG_IP6_NF_MATCH_LENGTH=m 
CONFIG_IP6_NF_MATCH_AGR=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_MARK=m # CONFIG_KHTTPD is not set # CONFIG_ATM is not set # # # CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_ATALK=y # CONFIG_DECNET is not set CONFIG_BRIDGE=y CONFIG_X25=m CONFIG_LAPB=m CONFIG_LLC=y # CONFIG_NET_DIVERT is not set # CONFIG_ECONET is not set CONFIG_WAN_ROUTER=m # CONFIG_NET_FASTROUTE is not set # CONFIG_NET_HW_FLOWCONTROL is not set # # QoS and/or fair queueing # CONFIG_NET_SCHED=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y CONFIG_NET_SCH_CBQ=m CONFIG_NET_SCH_CSZ=m CONFIG_NET_SCH_PRIO=m CONFIG_NET_SCH_RED=m CONFIG_NET_SCH_SFQ=m CONFIG_NET_SCH_TEQL=m CONFIG_NET_SCH_TBF=m CONFIG_NET_SCH_GRED=m CONFIG_NET_SCH_DSMARK=m CONFIG_NET_SCH_INGRESS=m CONFIG_NET_QOS=y CONFIG_NET_ESTIMATOR=y CONFIG_NET_CLS=y CONFIG_NET_CLS_TCINDEX=m CONFIG_NET_CLS_ROUTE4=m CONFIG_NET_CLS_ROUTE=y CONFIG_NET_CLS_FW=m CONFIG_NET_CLS_U32=m CONFIG_NET_CLS_RSVP=m CONFIG_NET_CLS_RSVP6=m CONFIG_NET_CLS_POLICE=y # # Telephony Support # # CONFIG_PHONE is not set # CONFIG_PHONE_IXJ is not set # CONFIG_PHONE_IXJ_PCMCIA is not set # # ATA/IDE/MFM/RLL support # CONFIG_IDE=y # # IDE, ATA and ATAPI Block devices # CONFIG_BLK_DEV_IDE=y # # Please see Documentation/ide.txt for help/info on IDE drives # # CONFIG_BLK_DEV_HD_IDE is not set # CONFIG_BLK_DEV_HD is not set CONFIG_BLK_DEV_IDEDISK=y # CONFIG_IDEDISK_MULTI_MODE is not set # CONFIG_BLK_DEV_IDEDISK_VENDOR is not set # CONFIG_BLK_DEV_IDEDISK_FUJITSU is not set # CONFIG_BLK_DEV_IDEDISK_IBM is not set # CONFIG_BLK_DEV_IDEDISK_MAXTOR is not set # CONFIG_BLK_DEV_IDEDISK_QUANTUM is not set # CONFIG_BLK_DEV_IDEDISK_SEAGATE is not set # CONFIG_BLK_DEV_IDEDISK_WD is not set # CONFIG_BLK_DEV_COMMERIAL is not set # CONFIG_BLK_DEV_TIVO is not set # CONFIG_BLK_DEV_IDECS is not set CONFIG_BLK_DEV_IDECD=m CONFIG_BLK_DEV_IDETAPE=m CONFIG_BLK_DEV_IDEFLOPPY=m CONFIG_BLK_DEV_IDESCSI=m # # IDE chipset 
support/bugfixes # CONFIG_BLK_DEV_CMD640=y # CONFIG_BLK_DEV_CMD640_ENHANCED is not set CONFIG_BLK_DEV_ISAPNP=y CONFIG_BLK_DEV_RZ1000=y CONFIG_BLK_DEV_IDEPCI=y CONFIG_IDEPCI_SHARE_IRQ=y CONFIG_BLK_DEV_IDEDMA_PCI=y CONFIG_BLK_DEV_ADMA=y CONFIG_BLK_DEV_OFFBOARD=y CONFIG_IDEDMA_PCI_AUTO=y CONFIG_BLK_DEV_IDEDMA=y # CONFIG_IDEDMA_PCI_WIP is not set # CONFIG_IDEDMA_NEW_DRIVE_LISTINGS is not set CONFIG_BLK_DEV_AEC62XX=y # CONFIG_AEC62XX_TUNING is not set CONFIG_BLK_DEV_ALI15X3=y # CONFIG_WDC_ALI15X3 is not set CONFIG_BLK_DEV_AMD74XX=y # CONFIG_AMD74XX_OVERRIDE is not set CONFIG_BLK_DEV_CMD64X=y # CONFIG_BLK_DEV_CY82C693 is not set CONFIG_BLK_DEV_CS5530=y CONFIG_BLK_DEV_HPT34X=y # CONFIG_HPT34X_AUTODMA is not set CONFIG_BLK_DEV_HPT366=y CONFIG_BLK_DEV_PIIX=y CONFIG_PIIX_TUNING=y # CONFIG_BLK_DEV_NS87415 is not set # CONFIG_BLK_DEV_OPTI621 is not set CONFIG_BLK_DEV_PDC202XX=y # CONFIG_PDC202XX_BURST is not set # CONFIG_PDC202XX_FORCE is not set CONFIG_BLK_DEV_SVWKS=y CONFIG_BLK_DEV_SIS5513=y CONFIG_BLK_DEV_SLC90E66=y # CONFIG_BLK_DEV_TRM290 is not set CONFIG_BLK_DEV_VIA82CXXX=y CONFIG_IDE_CHIPSETS=y # # Note: most of these also require special kernel boot parameters # CONFIG_BLK_DEV_4DRIVES=y CONFIG_BLK_DEV_ALI14XX=y CONFIG_BLK_DEV_DTC2278=y CONFIG_BLK_DEV_HT6560B=y # CONFIG_BLK_DEV_PDC4030 is not set CONFIG_BLK_DEV_QD65XX=y CONFIG_BLK_DEV_UMC8672=y CONFIG_IDEDMA_AUTO=y # CONFIG_IDEDMA_IVB is not set # CONFIG_DMA_NONPCI is not set CONFIG_BLK_DEV_IDE_MODES=y # CONFIG_BLK_DEV_ATARAID is not set # CONFIG_BLK_DEV_ATARAID_PDC is not set # CONFIG_BLK_DEV_ATARAID_HPT is not set # # SCSI support # CONFIG_SCSI=y # # SCSI support type (disk, tape, CD-ROM) # CONFIG_BLK_DEV_SD=y CONFIG_SD_EXTRA_DEVS=40 CONFIG_CHR_DEV_ST=m # CONFIG_CHR_DEV_OSST is not set CONFIG_BLK_DEV_SR=m CONFIG_BLK_DEV_SR_VENDOR=y CONFIG_SR_EXTRA_DEVS=2 CONFIG_CHR_DEV_SG=m # # Some SCSI devices (e.g. 
CD jukebox) support multiple LUNs # # CONFIG_SCSI_DEBUG_QUEUES is not set CONFIG_SCSI_MULTI_LUN=y CONFIG_SCSI_CONSTANTS=y # CONFIG_SCSI_LOGGING is not set # # SCSI low-level drivers # # CONFIG_BLK_DEV_3W_XXXX_RAID is not set # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set CONFIG_SCSI_AHA1542=y CONFIG_SCSI_AHA1740=y CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=253 CONFIG_AIC7XXX_RESET_DELAY_MS=15000 # CONFIG_AIC7XXX_BUILD_FIRMWARE is not set # CONFIG_SCSI_DPT_I2O is not set # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set CONFIG_SCSI_BUSLOGIC=y # CONFIG_SCSI_OMIT_FLASHPOINT is not set # CONFIG_SCSI_CPQFCTS is not set # CONFIG_SCSI_DMX3191D is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GDTH is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_IPS is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_IMM is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_NCR53C7xx is not set CONFIG_SCSI_NCR53C8XX=y CONFIG_SCSI_SYM53C8XX=y CONFIG_SCSI_NCR53C8XX_DEFAULT_TAGS=8 CONFIG_SCSI_NCR53C8XX_MAX_TAGS=32 CONFIG_SCSI_NCR53C8XX_SYNC=80 # CONFIG_SCSI_NCR53C8XX_PROFILE is not set # CONFIG_SCSI_NCR53C8XX_IOMAPPED is not set # CONFIG_SCSI_NCR53C8XX_PQS_PDS is not set # CONFIG_SCSI_NCR53C8XX_SYMBIOS_COMPAT is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_QLOGIC_ISP is not set # CONFIG_SCSI_QLOGIC_FC is not set # CONFIG_SCSI_QLOGIC_1280 is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_SIM710 is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_DC390T is not 
set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_DEBUG is not set # # PCMCIA SCSI adapter support # # CONFIG_SCSI_PCMCIA is not set # # Fusion MPT device support # # CONFIG_FUSION is not set # CONFIG_FUSION_BOOT is not set # CONFIG_FUSION_ISENSE is not set # CONFIG_FUSION_CTL is not set # CONFIG_FUSION_LAN is not set # # IEEE 1394 (FireWire) support (EXPERIMENTAL) # # CONFIG_IEEE1394 is not set # # I2O device support # # CONFIG_I2O is not set # CONFIG_I2O_PCI is not set # CONFIG_I2O_BLOCK is not set # CONFIG_I2O_LAN is not set # CONFIG_I2O_SCSI is not set # CONFIG_I2O_PROC is not set # # Network device support # CONFIG_NETDEVICES=y # # ARCnet devices # # CONFIG_ARCNET is not set # # Appletalk devices # CONFIG_ATALK=y # CONFIG_LTPC is not set # CONFIG_COPS is not set # CONFIG_IPDDP is not set CONFIG_DUMMY=m CONFIG_BONDING=m CONFIG_EQUALIZER=m CONFIG_TUN=m CONFIG_ETHERTAP=m CONFIG_NET_SB1000=m # # Ethernet (10 or 100Mbit) # CONFIG_NET_ETHERNET=y # CONFIG_SUNLANCE is not set CONFIG_HAPPYMEAL=m # CONFIG_SUNBMAC is not set # CONFIG_SUNQE is not set # CONFIG_SUNLANCE is not set CONFIG_SUNGEM=m CONFIG_NET_VENDOR_3COM=y CONFIG_EL1=m CONFIG_EL2=m CONFIG_ELPLUS=m CONFIG_EL16=m CONFIG_EL3=m CONFIG_3C515=m # CONFIG_ELMC is not set # CONFIG_ELMC_II is not set CONFIG_VORTEX=m CONFIG_LANCE=m CONFIG_NET_VENDOR_SMC=y CONFIG_WD80x3=m # CONFIG_ULTRAMCA is not set CONFIG_ULTRA=m # CONFIG_ULTRA32 is not set CONFIG_SMC9194=m CONFIG_NET_VENDOR_RACAL=y CONFIG_NI5010=m CONFIG_NI52=m CONFIG_NI65=m CONFIG_AT1700=m CONFIG_DEPCA=m CONFIG_HP100=m CONFIG_NET_ISA=y CONFIG_E2100=m CONFIG_EWRK3=m CONFIG_EEXPRESS=m CONFIG_EEXPRESS_PRO=m CONFIG_HPLAN_PLUS=m CONFIG_HPLAN=m CONFIG_LP486E=m CONFIG_ETH16I=m CONFIG_NE2000=m CONFIG_NET_PCI=y CONFIG_PCNET32=m CONFIG_ADAPTEC_STARFIRE=m CONFIG_AC3200=m CONFIG_APRICOT=m CONFIG_CS89x0=m CONFIG_TULIP=m # CONFIG_TULIP_MWI is not set CONFIG_TULIP_MMIO=y CONFIG_DE4X5=m CONFIG_DGRS=m CONFIG_DM9102=m 
CONFIG_EEPRO100=m # CONFIG_LNE390 is not set CONFIG_FEALNX=m CONFIG_NATSEMI=m CONFIG_NE2K_PCI=m # CONFIG_NE3210 is not set # CONFIG_ES3210 is not set CONFIG_8139CP=m CONFIG_8139TOO=m # CONFIG_8139TOO_PIO is not set # CONFIG_8139TOO_TUNE_TWISTER is not set CONFIG_8139TOO_8129=y CONFIG_SIS900=m CONFIG_EPIC100=m CONFIG_SUNDANCE=m CONFIG_TLAN=m CONFIG_VIA_RHINE=m CONFIG_WINBOND_840=m # CONFIG_NET_POCKET is not set # # Ethernet (1000 Mbit) # # CONFIG_ACENIC is not set # CONFIG_DL2K is not set # CONFIG_MYRI_SBUS is not set # CONFIG_NS83820 is not set # CONFIG_HAMACHI is not set # CONFIG_YELLOWFIN is not set # CONFIG_SK98LIN is not set CONFIG_FDDI=y CONFIG_DEFXX=m CONFIG_SKFP=m # CONFIG_HIPPI is not set CONFIG_PLIP=m CONFIG_PPP=m CONFIG_PPP_MULTILINK=y CONFIG_PPP_FILTER=y CONFIG_PPP_ASYNC=m CONFIG_PPP_SYNC_TTY=m CONFIG_PPP_DEFLATE=m CONFIG_PPP_BSDCOMP=m CONFIG_PPPOE=m CONFIG_SLIP=m CONFIG_SLIP_COMPRESSED=y # CONFIG_SLIP_SMART is not set # CONFIG_SLIP_MODE_SLIP6 is not set # # Wireless LAN (non-hamradio) # CONFIG_NET_RADIO=y CONFIG_STRIP=m CONFIG_WAVELAN=m CONFIG_ARLAN=m CONFIG_AIRONET4500=m CONFIG_AIRONET4500_NONCS=m CONFIG_AIRONET4500_PNP=y CONFIG_AIRONET4500_PCI=y CONFIG_AIRONET4500_ISA=y CONFIG_AIRONET4500_I365=y CONFIG_AIRONET4500_PROC=m CONFIG_AIRO=m CONFIG_HERMES=m CONFIG_PLX_HERMES=m # # Wireless Pcmcia cards support # CONFIG_PCMCIA_HERMES=m CONFIG_AIRO_CS=m CONFIG_NET_WIRELESS=y # # Token Ring devices # CONFIG_TR=y CONFIG_IBMTR=m CONFIG_IBMOL=m CONFIG_IBMLS=m CONFIG_TMS380TR=m CONFIG_TMSPCI=m CONFIG_TMSISA=m CONFIG_ABYSS=m # CONFIG_MADGEMC is not set CONFIG_SMCTR=m CONFIG_NET_FC=y CONFIG_IPHASE5526=m CONFIG_RCPCI=m CONFIG_SHAPER=m # # Wan interfaces # CONFIG_WAN=y CONFIG_HOSTESS_SV11=m CONFIG_COSA=m CONFIG_COMX=m CONFIG_COMX_HW_COMX=m CONFIG_COMX_HW_LOCOMX=m CONFIG_COMX_HW_MIXCOM=m CONFIG_COMX_PROTO_PPP=m CONFIG_COMX_PROTO_LAPB=m CONFIG_COMX_PROTO_FR=m CONFIG_DSCC4=m CONFIG_FARSYNC=m CONFIG_LANMEDIA=m CONFIG_SEALEVEL_4021=m CONFIG_SYNCLINK_SYNCPPP=m CONFIG_HDLC=m 
CONFIG_HDLC_PPP=y CONFIG_HDLC_X25=y CONFIG_N2=m CONFIG_C101=m CONFIG_DLCI=m CONFIG_DLCI_COUNT=24 CONFIG_DLCI_MAX=8 CONFIG_SDLA=m CONFIG_WAN_ROUTER_DRIVERS=y CONFIG_VENDOR_SANGOMA=m CONFIG_WANPIPE_CHDLC=y CONFIG_WANPIPE_FR=y CONFIG_WANPIPE_X25=y CONFIG_WANPIPE_PPP=y CONFIG_WANPIPE_MULTPPP=y CONFIG_CYCLADES_SYNC=m CONFIG_CYCLOMX_X25=y CONFIG_LAPBETHER=m CONFIG_X25_ASY=m CONFIG_SBNI=m CONFIG_SBNI_MULTILINE=y # # PCMCIA network device support # CONFIG_NET_PCMCIA=y # CONFIG_PCMCIA_3C589 is not set # CONFIG_PCMCIA_3C574 is not set # CONFIG_PCMCIA_FMVJ18X is not set # CONFIG_PCMCIA_PCNET is not set # CONFIG_PCMCIA_NMCLAN is not set # CONFIG_PCMCIA_SMC91C92 is not set # CONFIG_PCMCIA_XIRC2PS is not set # CONFIG_ARCNET_COM20020_CS is not set # CONFIG_PCMCIA_IBMTR is not set # CONFIG_PCMCIA_XIRCOM is not set # CONFIG_PCMCIA_XIRTULIP is not set CONFIG_NET_PCMCIA_RADIO=y CONFIG_PCMCIA_RAYCS=m CONFIG_PCMCIA_NETWAVE=m CONFIG_PCMCIA_WAVELAN=m CONFIG_AIRONET4500_CS=m # # Amateur Radio support # # CONFIG_HAMRADIO is not set # # IrDA (infrared) support # # CONFIG_IRDA is not set # # ISDN subsystem # CONFIG_ISDN=m CONFIG_ISDN_PPP=y CONFIG_ISDN_PPP_VJ=y CONFIG_ISDN_MPP=y CONFIG_ISDN_PPP_BSDCOMP=m CONFIG_ISDN_AUDIO=y CONFIG_ISDN_TTY_FAX=y CONFIG_ISDN_X25=y # # ISDN feature submodules # CONFIG_ISDN_DRV_LOOP=m CONFIG_ISDN_DIVERSION=m # # low-level hardware drivers # # # Passive ISDN cards # CONFIG_ISDN_DRV_HISAX=m # # D-channel protocol features # CONFIG_HISAX_EURO=y # CONFIG_DE_AOC is not set # CONFIG_HISAX_NO_SENDCOMPLETE is not set # CONFIG_HISAX_NO_LLC is not set # CONFIG_HISAX_NO_KEYPAD is not set # CONFIG_HISAX_1TR6 is not set CONFIG_HISAX_NI1=y # # HiSax supported cards # CONFIG_HISAX_16_0=y CONFIG_HISAX_16_3=y CONFIG_HISAX_TELESPCI=y CONFIG_HISAX_S0BOX=y CONFIG_HISAX_AVM_A1=y CONFIG_HISAX_FRITZPCI=y CONFIG_HISAX_AVM_A1_PCMCIA=y CONFIG_HISAX_ELSA=y CONFIG_HISAX_IX1MICROR2=y CONFIG_HISAX_DIEHLDIVA=y CONFIG_HISAX_ASUSCOM=y CONFIG_HISAX_TELEINT=y CONFIG_HISAX_HFCS=y 
CONFIG_HISAX_SEDLBAUER=y CONFIG_HISAX_SPORTSTER=y CONFIG_HISAX_MIC=y CONFIG_HISAX_NETJET=y CONFIG_HISAX_NETJET_U=y CONFIG_HISAX_NICCY=y CONFIG_HISAX_ISURF=y CONFIG_HISAX_HSTSAPHIR=y CONFIG_HISAX_BKM_A4T=y CONFIG_HISAX_SCT_QUADRO=y CONFIG_HISAX_GAZEL=y CONFIG_HISAX_HFC_PCI=y CONFIG_HISAX_W6692=y CONFIG_HISAX_HFC_SX=y # CONFIG_HISAX_DEBUG is not set CONFIG_HISAX_SEDLBAUER_CS=m CONFIG_HISAX_ELSA_CS=m CONFIG_HISAX_ST5481=m # # Active ISDN cards # CONFIG_ISDN_DRV_ICN=m CONFIG_ISDN_DRV_PCBIT=m CONFIG_ISDN_DRV_SC=m CONFIG_ISDN_DRV_ACT2000=m CONFIG_ISDN_DRV_EICON=y CONFIG_ISDN_DRV_EICON_DIVAS=m CONFIG_ISDN_DRV_EICON_OLD=m CONFIG_ISDN_DRV_EICON_PCI=y CONFIG_ISDN_DRV_EICON_ISA=y CONFIG_ISDN_DRV_TPAM=m CONFIG_ISDN_CAPI=m CONFIG_ISDN_DRV_AVMB1_VERBOSE_REASON=y CONFIG_ISDN_CAPI_MIDDLEWARE=y CONFIG_ISDN_CAPI_CAPI20=m CONFIG_ISDN_CAPI_CAPIFS_BOOL=y CONFIG_ISDN_CAPI_CAPIFS=m CONFIG_ISDN_CAPI_CAPIDRV=m CONFIG_ISDN_DRV_AVMB1_B1ISA=m CONFIG_ISDN_DRV_AVMB1_B1PCI=m CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y CONFIG_ISDN_DRV_AVMB1_T1ISA=m CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m CONFIG_ISDN_DRV_AVMB1_AVM_CS=m CONFIG_ISDN_DRV_AVMB1_T1PCI=m CONFIG_ISDN_DRV_AVMB1_C4=m CONFIG_HYSDN=m CONFIG_HYSDN_CAPI=y # # Old CD-ROM drivers (not SCSI, not IDE) # # CONFIG_CD_NO_IDESCSI is not set # # Input core support # CONFIG_INPUT=m CONFIG_INPUT_KEYBDEV=m CONFIG_INPUT_MOUSEDEV=m CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 CONFIG_INPUT_JOYDEV=m CONFIG_INPUT_EVDEV=m # # Character devices # CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_SERIAL=y CONFIG_SERIAL_CONSOLE=y CONFIG_SERIAL_EXTENDED=y CONFIG_SERIAL_MANY_PORTS=y CONFIG_SERIAL_SHARE_IRQ=y # CONFIG_SERIAL_DETECT_IRQ is not set CONFIG_SERIAL_MULTIPORT=y # CONFIG_HUB6 is not set CONFIG_SERIAL_NONSTANDARD=y CONFIG_COMPUTONE=m CONFIG_ROCKETPORT=m CONFIG_CYCLADES=m # CONFIG_CYZ_INTR is not set CONFIG_DIGIEPCA=m CONFIG_ESPSERIAL=m CONFIG_MOXA_INTELLIO=m CONFIG_MOXA_SMARTIO=m CONFIG_ISI=m CONFIG_SYNCLINK=m CONFIG_N_HDLC=m CONFIG_RISCOM8=m CONFIG_SPECIALIX=m 
# CONFIG_SPECIALIX_RTSCTS is not set CONFIG_SX=m CONFIG_RIO=m # CONFIG_RIO_OLDPCI is not set CONFIG_STALDRV=y CONFIG_STALLION=m CONFIG_ISTALLION=m CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTY_COUNT=256 CONFIG_PRINTER=m # CONFIG_LP_CONSOLE is not set # CONFIG_PPDEV is not set # # I2C support # CONFIG_I2C=m CONFIG_I2C_ALGOBIT=m CONFIG_I2C_PHILIPSPAR=m CONFIG_I2C_ELV=m CONFIG_I2C_VELLEMAN=m CONFIG_I2C_ALGOPCF=m CONFIG_I2C_ELEKTOR=m CONFIG_I2C_CHARDEV=m CONFIG_I2C_PROC=m # # Mice # # CONFIG_BUSMOUSE is not set CONFIG_MOUSE=y CONFIG_PSMOUSE=y # CONFIG_82C710_MOUSE is not set # CONFIG_PC110_PAD is not set # # Joysticks # # CONFIG_INPUT_GAMEPORT is not set # CONFIG_INPUT_NS558 is not set # CONFIG_INPUT_LIGHTNING is not set # CONFIG_INPUT_PCIGAME is not set # CONFIG_INPUT_CS461X is not set # CONFIG_INPUT_EMU10K1 is not set # CONFIG_INPUT_SERIO is not set # CONFIG_INPUT_SERPORT is not set # # Joysticks # # CONFIG_INPUT_ANALOG is not set # CONFIG_INPUT_A3D is not set # CONFIG_INPUT_ADI is not set # CONFIG_INPUT_COBRA is not set # CONFIG_INPUT_GF2K is not set # CONFIG_INPUT_GRIP is not set # CONFIG_INPUT_INTERACT is not set # CONFIG_INPUT_TMDC is not set # CONFIG_INPUT_SIDEWINDER is not set # CONFIG_INPUT_IFORCE_USB is not set # CONFIG_INPUT_IFORCE_232 is not set # CONFIG_INPUT_WARRIOR is not set # CONFIG_INPUT_MAGELLAN is not set # CONFIG_INPUT_SPACEORB is not set # CONFIG_INPUT_SPACEBALL is not set # CONFIG_INPUT_STINGER is not set # CONFIG_INPUT_DB9 is not set # CONFIG_INPUT_GAMECON is not set # CONFIG_INPUT_TURBOGRAFX is not set # CONFIG_QIC02_TAPE is not set # # Watchdog Cards # CONFIG_WATCHDOG=y # CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_SOFT_WATCHDOG=y CONFIG_WDT=m CONFIG_WDTPCI=m # CONFIG_WDT_501 is not set CONFIG_PCWATCHDOG=m CONFIG_ACQUIRE_WDT=m CONFIG_ADVANTECH_WDT=m CONFIG_EUROTECH_WDT=m CONFIG_IB700_WDT=m CONFIG_I810_TCO=m CONFIG_MIXCOMWD=m CONFIG_60XX_WDT=m CONFIG_W83877F_WDT=m CONFIG_MACHZ_WDT=m CONFIG_INTEL_RNG=m # CONFIG_NVRAM is not set CONFIG_RTC=y # 
CONFIG_DTLK is not set # CONFIG_R3964 is not set # CONFIG_APPLICOM is not set # CONFIG_SONYPI is not set # # Ftape, the floppy tape device driver # # CONFIG_FTAPE is not set # CONFIG_AGP is not set # CONFIG_DRM is not set # # PCMCIA character devices # CONFIG_PCMCIA_SERIAL_CS=m # CONFIG_MWAVE is not set # # Multimedia devices # # CONFIG_VIDEO_DEV is not set # # File systems # # CONFIG_QUOTA is not set CONFIG_AUTOFS_FS=m CONFIG_AUTOFS4_FS=m CONFIG_REISERFS_FS=y # CONFIG_REISERFS_CHECK is not set # CONFIG_ADFS_FS is not set # CONFIG_ADFS_FS_RW is not set # CONFIG_AFFS_FS is not set # CONFIG_HFS_FS is not set # CONFIG_BFS_FS is not set # CONFIG_CMS_FS is not set CONFIG_EXT3_FS=y CONFIG_JBD=y # CONFIG_JBD_DEBUG is not set CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y # CONFIG_EFS_FS is not set # CONFIG_JFFS_FS is not set # CONFIG_JFFS2_FS is not set CONFIG_CRAMFS=m CONFIG_TMPFS=y # CONFIG_RAMFS is not set CONFIG_ISO9660_FS=m CONFIG_JOLIET=y # CONFIG_ZISOFS is not set CONFIG_MINIX_FS=m # CONFIG_FREEVXFS_FS is not set # CONFIG_NTFS_FS is not set # CONFIG_NTFS_RW is not set # CONFIG_HPFS_FS is not set CONFIG_PROC_FS=y # CONFIG_DEVFS_FS is not set # CONFIG_DEVFS_MOUNT is not set # CONFIG_DEVFS_DEBUG is not set CONFIG_DEVPTS_FS=y # CONFIG_QNX4FS_FS is not set # CONFIG_QNX4FS_RW is not set CONFIG_ROMFS_FS=m CONFIG_EXT2_FS=y # CONFIG_SYSV_FS is not set # CONFIG_UDF_FS is not set # CONFIG_UDF_RW is not set # CONFIG_UFS_FS is not set # CONFIG_UFS_FS_WRITE is not set # # Network File Systems # CONFIG_CODA_FS=m # CONFIG_INTERMEZZO_FS is not set CONFIG_NFS_FS=m CONFIG_NFS_V3=y # CONFIG_ROOT_NFS is not set CONFIG_NFSD=m CONFIG_NFSD_V3=y CONFIG_SUNRPC=m CONFIG_LOCKD=m CONFIG_LOCKD_V4=y CONFIG_SMB_FS=m # CONFIG_SMB_NLS_DEFAULT is not set # CONFIG_NCP_FS is not set # CONFIG_NCPFS_PACKET_SIGNING is not set # CONFIG_NCPFS_IOCTL_LOCKING is not set # CONFIG_NCPFS_STRONG is not set # CONFIG_NCPFS_NFS_NS is not set # CONFIG_NCPFS_OS2_NS is not set # 
CONFIG_NCPFS_SMALLDOS is not set # CONFIG_NCPFS_NLS is not set # CONFIG_NCPFS_EXTRAS is not set # CONFIG_ZISOFS_FS is not set CONFIG_ZLIB_FS_INFLATE=m # # Partition Types # # CONFIG_PARTITION_ADVANCED is not set CONFIG_MSDOS_PARTITION=y CONFIG_SMB_NLS=y CONFIG_NLS=y # # Native Language Support # CONFIG_NLS_DEFAULT="iso8859-1" CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_CODEPAGE_737=m CONFIG_NLS_CODEPAGE_775=m CONFIG_NLS_CODEPAGE_850=y CONFIG_NLS_CODEPAGE_852=m CONFIG_NLS_CODEPAGE_855=m CONFIG_NLS_CODEPAGE_857=m CONFIG_NLS_CODEPAGE_860=m CONFIG_NLS_CODEPAGE_861=m CONFIG_NLS_CODEPAGE_862=m CONFIG_NLS_CODEPAGE_863=m CONFIG_NLS_CODEPAGE_864=y CONFIG_NLS_CODEPAGE_865=m CONFIG_NLS_CODEPAGE_866=m CONFIG_NLS_CODEPAGE_869=m CONFIG_NLS_CODEPAGE_936=m CONFIG_NLS_CODEPAGE_950=m CONFIG_NLS_CODEPAGE_932=m CONFIG_NLS_CODEPAGE_949=y CONFIG_NLS_CODEPAGE_874=m CONFIG_NLS_ISO8859_8=m CONFIG_NLS_CODEPAGE_1251=m CONFIG_NLS_ISO8859_1=y CONFIG_NLS_ISO8859_2=m CONFIG_NLS_ISO8859_3=m CONFIG_NLS_ISO8859_4=m CONFIG_NLS_ISO8859_5=m CONFIG_NLS_ISO8859_6=m CONFIG_NLS_ISO8859_7=m CONFIG_NLS_ISO8859_9=m CONFIG_NLS_ISO8859_13=m CONFIG_NLS_ISO8859_14=m CONFIG_NLS_ISO8859_15=y CONFIG_NLS_KOI8_R=m CONFIG_NLS_KOI8_U=m CONFIG_NLS_UTF8=y # # Console drivers # CONFIG_VGA_CONSOLE=y CONFIG_VIDEO_SELECT=y # CONFIG_MDA_CONSOLE is not set # # Frame-buffer support # # CONFIG_FB is not set # # Sound # # CONFIG_SOUND is not set # # USB support # CONFIG_USB=m # CONFIG_USB_DEBUG is not set # # Miscellaneous USB options # CONFIG_USB_DEVICEFS=y CONFIG_USB_BANDWIDTH=y # CONFIG_USB_LONG_TIMEOUT is not set # # USB Controllers # CONFIG_USB_UHCI=m CONFIG_USB_UHCI_ALT=m CONFIG_USB_OHCI=m # # USB Device Class drivers # # CONFIG_USB_AUDIO is not set # CONFIG_USB_BLUETOOTH is not set CONFIG_USB_STORAGE=m # CONFIG_USB_STORAGE_DEBUG is not set # CONFIG_USB_STORAGE_DATAFAB is not set # CONFIG_USB_STORAGE_FREECOM is not set # CONFIG_USB_STORAGE_ISD200 is not set # CONFIG_USB_STORAGE_DPCM is not set # CONFIG_USB_STORAGE_HP8200e is not 
set # CONFIG_USB_STORAGE_SDDR09 is not set # CONFIG_USB_STORAGE_JUMPSHOT is not set CONFIG_USB_ACM=m CONFIG_USB_PRINTER=m # # USB Human Interface Devices (HID) # # CONFIG_USB_HID is not set # CONFIG_USB_HIDDEV is not set # CONFIG_USB_KBD is not set # CONFIG_USB_MOUSE is not set # CONFIG_USB_WACOM is not set # CONFIG_USB_AIPTEK is not set # # USB Imaging devices # # CONFIG_USB_DC2XX is not set # CONFIG_USB_MDC800 is not set # CONFIG_USB_SCANNER is not set # CONFIG_USB_MICROTEK is not set # CONFIG_USB_HPUSBSCSI is not set # # USB Multimedia devices # # # Video4Linux support is needed for USB Multimedia device support # # # USB Network adaptors # CONFIG_USB_PEGASUS=m CONFIG_USB_KAWETH=m CONFIG_USB_CATC=m CONFIG_USB_CDCETHER=m CONFIG_USB_USBNET=m # # USB port drivers # CONFIG_USB_USS720=m # # USB Serial Converter support # # CONFIG_USB_SERIAL is not set # CONFIG_USB_SERIAL_GENERIC is not set # CONFIG_USB_SERIAL_BELKIN is not set # CONFIG_USB_SERIAL_WHITEHEAT is not set # CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set # CONFIG_USB_SERIAL_EMPEG is not set # CONFIG_USB_SERIAL_FTDI_SIO is not set # CONFIG_USB_SERIAL_VISOR is not set # CONFIG_USB_SERIAL_IR is not set # CONFIG_USB_SERIAL_EDGEPORT is not set # CONFIG_USB_SERIAL_KEYSPAN_PDA is not set # CONFIG_USB_SERIAL_KEYSPAN is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28 is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28X is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28XA is not set # CONFIG_USB_SERIAL_KEYSPAN_USA28XB is not set # CONFIG_USB_SERIAL_KEYSPAN_USA19 is not set # CONFIG_USB_SERIAL_KEYSPAN_USA18X is not set # CONFIG_USB_SERIAL_KEYSPAN_USA19W is not set # CONFIG_USB_SERIAL_KEYSPAN_USA49W is not set # CONFIG_USB_SERIAL_MCT_U232 is not set # CONFIG_USB_SERIAL_PL2303 is not set # CONFIG_USB_SERIAL_CYBERJACK is not set # CONFIG_USB_SERIAL_XIRCOM is not set # CONFIG_USB_SERIAL_OMNINET is not set # # USB Miscellaneous drivers # CONFIG_USB_RIO500=m CONFIG_USB_ID75=m # # Bluetooth support # # CONFIG_BLUEZ is not set # # Kernel hacking 
# # CONFIG_DEBUG_KERNEL is not set netscript/BUGS0000664000000000000000000000016612362370504010451 0ustar - It can configure my router, but not cook a pizza yet! - Debian specific, needs a little work for use on Red Hat.... netscript/COPYING0000664000000000000000000004311012362370504011015 0ustar GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. 
You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. netscript/ChangeLog0000664000000000000000000003710712362370504011545 0ustar netscript-2.4 (5.1.0) unstable; urgency=low * Added initial support for laptops and whereami. -- Matthew Grant Fri, 29 Oct 2004 08:38:27 +1300 netscript-2.4 (5.0.14) unstable; urgency=medium * Merge in work down for NMU. * Get rid of startup and shutdown init calls in maintainer scripts. -- Matthew Grant Wed, 13 Oct 2004 08:40:55 +1300 netscript-2.4 (5.0.13-0.1) unstable; urgency=high * Non-maintainer upload. * High-urgency upload for (trivial,) sarge-targetted RC bugfix * Replace zebra with quagga in Recommends:, since the former is no longer available (closes: #273043). 
-- Steve Langasek Sat, 2 Oct 2004 03:07:00 -0700 netscript-2.4 (5.0.13) unstable; urgency=low * Added fix proposed by Bart Samwel , fixing problem with saving of filters with 'netscript ipfilter save' Local vars MANGLE and FILTER were not initialised to zero in ipv4filter_check(). Also fixed ipv6filter_check(). (Closes: #267151) -- Matthew Grant Sat, 28 Aug 2004 19:12:06 +1200 netscript-2.4 (5.0.12) unstable; urgency=low * Fix prerm script by editing out #DEBHELPER# This fixes problem where netscript closes down all interfaces on package remove or purge. Leaving proper clean up for a month to allow people to get rid of the bad prerm package maintainer scripts - will go to telling debhelper to only install /etc/rc.d startup/shutdown symlinks. (Closes: #241989) -- Matthew Grant Wed, 9 Jun 2004 12:07:49 +1200 netscript-2.4 (5.0.11) unstable; urgency=low * Add support for iptables policy match module to close new ipsec packet injection hole. * Changed ipfilter-defs(5) man page for new IPSEC interface name directives. -- Matthew Grant Fri, 23 Apr 2004 14:28:40 +1200 netscript-2.4 (5.0.10) unstable; urgency=low * Initial work to netscript to work with the 2.6 kernel. * Removed configuration samples for deprecated Free S/WAN support. Free S/WAN KLIPS is a real mess in terms of interfaces, routing and confg scripts! * Added mentions of 2.6 kernel in most places needed. Man pages may need it. * Removed suggestion for vrrpd - this was a failed experiment. * Upgraded standards version to 3.6.1. -- Matthew Grant Fri, 26 Mar 2004 08:03:43 +1200 netscript-2.4 (5.0.9) unstable; urgency=low * Fix default case in init script. -- Matthew Grant Tue, 23 Dec 2003 15:48:23 +1300 netscript-2.4 (5.0.8) unstable; urgency=low * Basically a clean up to get ready to go into unstable. * Changed 'net' command to 'netscript' to stop a clash with samba-comon in sarge and sid. * Changed 'net-compile' to 'netscript-compile to match above. * Adjusted config files and other files to match above. 
* Removed conffile as this results in duplicate config file lintian warnings. * Fixed lintian warning about 'Upstream Author(s)'. * Updated Debian Standards version to 3.5.7 -- Matthew Grant Mon, 15 Dec 2003 22:05:30 +0000 netscript-2.4 (5.0.7) unstable; urgency=low * Added work around for kernel crash bug with psd and limit modules. -- Matthew Grant Sun, 8 Jun 2003 00:12:04 +1200 netscript-2.4 (5.0.6) unstable; urgency=low * Added support for adjusting portscan chain psd module parameters to deal with high traffic situations. -- Matthew Grant Thu, 5 Jun 2003 16:12:25 +1200 netscript-2.4 (5.0.5) unstable; urgency=low * Previous change lost chaings in 5.0.3 with ipfilter-defs.conf. Fixed. -- Matthew Grant Tue, 3 Jun 2003 15:45:20 +1200 netscript-2.4 (5.0.4) unstable; urgency=low * Fixed problem with startup getting order of chains in iplcl and ipfwd in correct. This was due to 2 ways of adding chains into these, a simple add on start up, and then indexing for manual incremental add ins. Gone to indexing mode for all additions, and made function that returns index into iplcl and ipfwd a lot faster (O(n) instead of O(n2).). The change is only in /etc/netscript/ipfilter-defs.conf, has been tested carefully, and does nto affect the rest of the netscript system. -- Matthew Grant Tue, 3 Jun 2003 14:16:41 +1200 netscript-2.4 (5.0.3) unstable; urgency=low * Fixed problem with REJECT_UDP_NET - '-m STATE' should be '-m state'. * Added new alternative FreeS/WAN start up code for multiple interfaces. network.conf needs a cleanup for next release that is backwards compatible. * Fixed --pkt-type argmuents in ipfilter-defs.conf. Fixes dropping of BROADCAST packets for INPUT and FORWARD chains. -- Matthew Grant Thu, 29 May 2003 09:47:28 +1200 netscript-2.4 (5.0.2) unstable; urgency=low * Updated ipfilter-defs.5 manpage for new compile rules below. 
-- Matthew Grant Wed, 23 Apr 2003 07:58:08 +1200 netscript-2.4 (5.0.1) unstable; urgency=low * Added support for more logging targets, for each type of new coonnection, so that strings can be prepended to log messages. New compile targets are LOG_BROADCAST, LOG_PROTO, LOG_UDP, LOG_TCP, LOG_UDP_NET, LOG_TCP_NET, LOG_NET, LOG_IFACE, LOG. The new LOG_MSG and LOG_MSG_RESET are used to set the log text. * Added support for network addresses for UDP, and TCP. Targets are ACCEPT_TCP_NET, ACCEPT_UDP_NET, REJECT_TCP_NET, REJECT_UDP_NET, DROP_TCP_NET, and DROP_UDP_NET, as well as above log targets. * Fixed spelling bug with the net-compile run messages. * Fixed net-compile bug where script would compile then give up with and error exit, and not complete compiling when there where no rules defined in ipfilter-defs files. * Manpages left to next minor release as this one has to get out the door... -- Matthew Grant Tue, 15 Apr 2003 11:30:46 +1200 netscript-2.4 (5.0.0) unstable; urgency=low * Changed netscript so that it can support compiling and configuring from ipfilter-defs on start up. * Added type checking as much as practical to the net-compile command. * Updated manpages for existing commands. * Created manpages for ipfilter-defs. * Moved net-compile to /sbin from /usr/sbin. * Set permissions on install to 700 for ipfilter-defs directory as it contains security information. -- Matthew Grant Mon, 24 Mar 2003 15:09:50 +1200 netscript-2.4 (4.23) unstable; urgency=low * Added MARTIAN_BYPASS to ipf4_martians so that some source addresses can be by passed in martians check. * Fixed some of the examples in ipfilter-defs configuration. -- Matthew Grant Wed, 26 Feb 2003 15:36:08 +1300 netscript-2.4 (4.22) unstable; urgency=low * Made some corrections for missing files etc. -- Matthew Grant Tue, 25 Feb 2003 14:08:57 +1300 netscript-2.4 (4.21) unstable; urgency=low * Initial packaging of net compile functionality for IPv4. 
Documentation will be in next one, this is a trial build an run package. -- Matthew Grant Tue, 25 Feb 2003 13:38:46 +1300 netscript-2.4 (4.20) unstable; urgency=low * Fix bug with interface type stop functions not execuiting due to missing 'type' keyword. * Made /sbin/net work with non modular kernels, in the case where lsmod is not installed, and where it is. -- Matthew Grant Sat, 1 Feb 2003 17:03:45 +1300 netscript-2.4 (4.19) unstable; urgency=low * Install missing changelog... -- Matthew Grant Thu, 16 Jan 2003 11:43:13 +1300 netscript-2.4 (4.18) unstable; urgency=low * Removed Debian sub versioning as the debian package is maintained in parallel to the source. * Removed vrrpd code as the daemon is unstable. Included example of how to get package going with heartbeat. -- Matthew Grant Thu, 16 Jan 2003 10:53:45 +1300 netscript-2.4 (4.17-1) unstable; urgency=low * Fixed bug with /32 and /128 netmasks not being given in ethx_IPADDR. * Made VRRPD code work properly... - stopped new address code removing VRRPD IP addresses. -- Matthew Grant Wed, 8 Jan 2003 10:13:03 +1300 netscript-2.4 (4.16-1) unstable; urgency=low * Adjusted module loading for ipt_helper module in 2.4.20 * Fixed bug with deleting extraneous bridges where interfaces on running bridges were assumed to be disused bridges. -- Matthew Grant Fri, 3 Jan 2003 12:10:38 +1300 netscript-2.4 (4.15-1) unstable; urgency=low * Add support for vrrpd daemon. * Revamp the handling of the forwarding switch, and add commands to help handle it. -- Matthew Grant Mon, 30 Dec 2002 15:38:56 +1300 netscript-2.4 (4.14-1) unstable; urgency=low * Add ingress check rule and portscan chan for psd module to ipfilter.conf * Make ipfilter.conf test for and load /etc/netscript/ipfilter-local.conf if present. -- Matthew Grant Tue, 26 Nov 2002 13:12:19 +1300 netscript-2.4 (4.13-1) unstable; urgency=low * Fix ipsec modules not unloading on 'net stop'. Function call was missing in stop_mod(). 
-- Matthew Grant Mon, 18 Nov 2002 15:00:34 +1300 netscript-2.4 (4.12-1) unstable; urgency=low * Fixed ipsec startup to deal with Free S/WAN .pid files if the machine went off because of power failure - ipsec0 was not starting * Fixed problem with source blocking in the IPv4 inbrdr chain creation - inbound source blocking was setting the destination instead of the source address. -- Matthew Grant Sun, 10 Nov 2002 10:03:49 +1300 netscript-2.4 (4.11-1) unstable; urgency=low * Added support to load and unload Free S/WAN ipsec module, and extension modules as found in Debian Woody, and used in the Debian Router Project. -- Matthew Grant Tue, 29 Oct 2002 22:57:36 +1300 netscript-2.4 (4.10-2) unstable; urgency=low * Fixed some of the comments in the network.conf file to make things clearer. -- Matthew Grant Tue, 29 Oct 2002 06:55:51 +1300 netscript-2.4 (4.10-1) unstable; urgency=low * New Upstream Version * Fix problem with mangling set up preventing Free S/WAN from working properly - packet mangling was causing rerouting of ESP packets back into ipsec0 tunnel device... * Added support for adding static routes/static ARPs on interface start/reload. * Added support for subordinate interfaces (for controlling tunnels etc). -- Matthew Grant Mon, 28 Oct 2002 23:22:56 +1300 netscript-2.4 (4.04-2) unstable; urgency=low * Fix up Free S/WAN start up so that rp_filter can be used... -- Matthew Grant Fri, 18 Oct 2002 10:24:24 +1300 netscript-2.4 (4.04-1) unstable; urgency=low * Fix IPv4 icmp chain creation barfing because of conflict with protocol name... go figure. * Add support for Free S/WAN ipsec on one interface. * Add support for interface shutdown to chain shutdown of tunnel interfaces with manual manipulation... -- Matthew Grant Wed, 16 Oct 2002 11:28:30 +1300 netscript-2.4 (4.03-1) unstable; urgency=low * New upstream release with fix for dynamic interfaces that don't exist at boot, otherwise you cannot manually start them. 
* Fix minor problem with hlp output and long interface lists. -- Matthew Grant Fri, 4 Oct 2002 11:26:08 +1200 netscript-2.4 (4.02-1) unstable; urgency=low * New upstream release with tweaks and support for new 2.4.18-ac3 router kernels. * Added support for having iptables base modules compiled into the kernel by putting test into /sbin/net load_module() to test if base module is on the file system. * Added support for the following iptables 1.2.6a modules which have special dependencies: ipt_conntrack, ipt_NETMAP, ipt_SAME, ipt_POOL, ip_pool, and ipt_pool. -- Matthew Grant Tue, 26 Mar 2002 12:17:56 +1200 netscript-2.4 (4.01-1) unstable; urgency=low * Added corrected ppp interface stuff to network.conf * Corrected some documentation in network.conf about QoS -- Matthew Grant Fri, 28 Dec 2001 14:25:27 +1300 netscript-2.4 (4.0-4) unstable; urgency=low * Changed permissions of /etc/netscript/network.conf and ipfilter.conf to 0644 from 0600 as they do not contain information that is that sensitive anymore. -- Matthew Grant Mon, 10 Dec 2001 20:52:24 +1300 netscript-2.4 (4.0-3) unstable; urgency=low * Fixed problems with build depends by switching to 'Build-Depends-Indep'. -- Matthew Grant Sat, 8 Dec 2001 11:26:46 +1300 netscript-2.4 (4.0-2) unstable; urgency=low * Fixed problem with Build-Depends being in binary section of control file, and not being in the Source section as required. -- Matthew Grant Wed, 5 Dec 2001 15:05:02 +1300 netscript-2.4 (4.0-1) unstable; urgency=low * New version 4.0 with the following major changes * Converted to kernel 2.4.x, and iptables * Added IPv6 support, ip6tables and IPv6 interface configuration. * Removed filter and masquerade listing support as people should be using the iptables commands * All the old ipchains filtering scripts have been removed and replaced with shell script fragments via the ipfilter exec command. * Configuration is now saved to disk using the iptables-restore and iptables save commands (IPv4 and IPv6). 
* Converted output messages to Debian format * Added code to load/unload iptables and QoS modules on start and stop. -- Matthew Grant Sat, 1 Dec 2001 14:33:21 +1300 netscript-2.2 (3.03-0potato1) unstable; urgency=low * Added ability to set/override multicast fflag and mtu of interface * Added IP source IP/network specification to DMZ_OPEN_DEST and DMZ_CLOSED_DEST lists for DMZ network access control filters -- Matthew Grant Sun, 21 Jan 2001 22:54:16 +1300 netscript-2.2 (3.02-0potato1) unstable; urgency=low * Fixed problem with OSPF multicasts being blocked by the external interface filtering. The obstruction could cause problems with Zebra ospfd and other OSPF daemons in general. -- Matthew Grant Thu, 7 Dec 2000 08:35:49 +1300 netscript-2.2 (3.01-0potato1) unstable; urgency=low * Removed unused INTERN_IF variable from network.conf * Fixed QoS reload for PPP interfaces * Reworked QoS loading for PP interfaces to make it nicer -- Matthew Grant Sun, 3 Dec 2000 17:41:22 +1300 netscript-2.2 (3.0-0.9) unstable; urgency=low * Initial Release. * first release in a tar ball format. This basically a rehash of what is in LRP Eiger. * More chains used to reduce CPU load on router filtering operations, * QoS made usable b y adding reload commands and providing facility to set aside lumps of bandwidth * More options provided to net command to make it more intiuitive to use * Added ability to list individual chains * Adapted for Debian and overhauled it to increase effeciency. * As this package will change rapidly, man pages are not available but will be written when stabilised. 
-- Matthew Grant Fri, 24 Nov 2000 17:07:15 +1300 Local variables: mode: debian-changelog End: netscript/LICENSE0000664000000000000000000000050112362370504010764 0ustar Copyright 1995-2014 Matthew Grant Portions copyright 1998,1999 David Cinege Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz You are free to distribute and use this software under the terms of the GNU General Public License. See COPYING netscript/Makefile0000664000000000000000000000306113021717271011422 0ustar # Edited for Debian GNU/Linux. DESTDIR = # # Installation Makefile for netscript-2.4 # # This is rude! FIXME! ETCDIR=/etc CONFDIR=$(DESTDIR)$(ETCDIR)/netscript NCONFDIR=$(CONFDIR)/network.conf.d SBINDIR=$(DESTDIR)/sbin USRSBINDIR=$(DESTDIR)/usr/sbin INITDIR=$(DESTDIR)/etc/init.d PPPETCDIR=$(DESTDIR)/$(ETCDIR)/ppp PPPUPDIR=$(PPPETCDIR)/ip-up.d PPPDOWNDIR=$(PPPETCDIR)/ip-down.d UDEVLIBDIR=$(DESTDIR)/lib/udev INSTALL=/usr/bin/install dummy: echo "BLeep!" install: dummy - mkdir -p $(SBINDIR) - mkdir -p $(UDEVLIBDIR) - mkdir -p $(CONFDIR) - mkdir -p $(NCONFDIR) - mkdir -p $(PPPUPDIR) - mkdir -p $(PPPDOWNDIR) - mkdir -p $(UDEVLIBDIR) $(INSTALL) -m 755 netscript $(SBINDIR)/netscript $(INSTALL) -m 755 wep.conf $(CONFDIR) $(INSTALL) -m 644 ipfilter.conf network.conf $(CONFDIR) $(INSTALL) -m 644 network.conf.d.00default-eth0-dhcp.conf $(NCONFDIR)/00default-eth0-dhcp.conf $(INSTALL) -m 644 if.conf qos.conf $(CONFDIR) $(INSTALL) -m 644 README.etc $(CONFDIR)/README $(INSTALL) -m 755 netscript-hotplug $(UDEVLIBDIR)/netscript-hotplug # touch $(CONFDIR)/iptables # touch $(CONFDIR)/ip6tables # chmod 0400 $(CONFDIR)/iptables $(CONFDIR)/ip6tables $(INSTALL) -m 755 netscript.ppp.ip-up $(PPPUPDIR)/netscript $(INSTALL) -m 755 netscript.ppp.ip-down $(PPPDOWNDIR)/netscript install-ipfilter: dummy - mkdir -p $(SBINDIR) - mkdir -p $(CONFDIR) $(INSTALL) -m 755 netscript-ipfilter $(SBINDIR)/netscript $(INSTALL) -m 644 network-ipfilter.conf $(CONFDIR)/network.conf $(INSTALL) -m 644 ipfilter.conf 
$(CONFDIR) $(INSTALL) -m 644 README.etc $(CONFDIR)/README netscript/README0000664000000000000000000000444512362370504010652 0ustar NETSCRIPT version 5.3 The firewall and network configuration system for advanced Linux firewalls/routers, and it is NOT meant to be used on servers! Copyright 1995-2014 Matthew Grant 1998,1999 Dave Cinege This script system for network setup has its roots in the original firewalling setup that Matthew Grant did for a firewall using kernel 1.2.x. Since then it has evolved through firewalls/routers on Linux kernels 2.0.x, 2.2.x, 2.4.x, 2.6.x, and 3.x. Version 1 was the stuff under kernel 2.0.x, version 2 on LRP 2.9.4 Kilimanjaro, Materhorn, and Eiger under 2.2, version 3.0 for Debian under kernel 2.2.x, and this one is for Debian under kernel 2.4.x and 2.6.x. You should install bridge-utils for bridging, iproute2 tools and iptables to use these scripts. Your kernel will need to be compiled for Advanced Router support and have almost all the configuration options turned on. It is also recommended that routing software like zebra be installed on the system, as it will make things like static routing and complex routing a lot easier to handle. A kernel configuration of what is needed can be found in 2.4.x-kernel.config. It is also a good idea to add kernel patches from the iptables source tar ball, especially the IPv6 ones for logging support. The scripts will load all the necessary modules for QoS and iptables. Documentation for this system is sparse at the moment, but more will be done when the time is found to do it. When installed, most of the configuration you will need will be found in /etc/netscript/network.conf, including lower level protocol daemons/configuration programs like ciped, pppd, or wanconfig. You will have to configure the firewall using the iptables commands directly. Don't forget to save the configurations using the 'netscript ipfilter|ip6filter save' commands! 
Unlike the last version, the firewalling and filtering are no longer configured from network.conf. This has been done as stateful filtering obviates the need for great complexity in the firewall scripts, and more flexibility is possible. You have to get down and get dirty with iptables and learn it, which is a good thing to do if you are running this to build a network - you should understand things fully, or else you will get things wrong. netscript/README.etc0000664000000000000000000000311012362370504011410 0ustar Netscript Configuration files The files found in this directory are for an alternative network configuration and IP filtering system for kernel 2.4+ based on /bin/sh. This system is designed for use with a routing daemon like zebra. This system also uses iproute. Most of what you should really have to edit is found in network.conf. The files and their uses are as follows: network.conf: general network, bridging, QoS and some iptables configuration items. Comments in here contain the current documentation on the configuration items, which can even handle pppd, wanconfig, and ciped. ipfilter.conf: The shell script used to set up the iptables filtering/masquerading etc. if.conf: Lower level functions for configuring interfaces. qos.conf: Functions to configure Quality of Service using /sbin/tc. You should be able to do most things by editing the settings in network.conf. See below for more details on this recommended editing policy. You will have to configure the firewall using the iptables commands directly. Don't forget to save the configurations using the 'netscript ipfilter|ip6filter save' commands! Unlike the last version, the firewalling and filtering are no longer configured from network.conf. This has been done as stateful filtering has helped obviate the need for great complexity in the firewall scripts, and more flexibility is possible. 
It is a good idea to get down and get dirty with iptables and learn it, which you will appreciate if you are running this to build a network - you should understand things fully, or else you will get things wrong. netscript/TODO0000664000000000000000000000013113020212161010430 0ustar - write better man pages - integrate with firm for better iptables generation/management netscript/debian/0002775000000000000000000000000013732503344011211 5ustar netscript/debian/NEWS0000664000000000000000000000127712362370504011713 0ustar netscript-2.4 (5.3.1) unstable; urgency=medium The deprecated netscript-compile functionality has been removed, along with the /etc/netscript/network.conf CONFIGURE hook. This subsystem has not been actively maintained for quite some time, and has not been updated for IPv6, so it has been removed. Users are advised to save the contents of their iptables/ip6tables filters with: # iptables-save > /etc/netscript/iptables # ip6tables-save > /etc/netscript/ip6tables before upgrade. The above commands will preserve the iptables/ip6tables configuration, which will then be reloaded on upgrade/reboot. Keep these saved rule files readable by root only, since they describe the host's filtering policy. -- Matthew Grant Tue, 07 Jan 2014 17:52:28 +1300 netscript/debian/README.Debian0000664000000000000000000001151213021636552013247 0ustar netscript-2.4 for Debian ---------------------- It is designed to work best with routing software like quagga or bird. Most of the interface level configuration you will need will be found in /etc/netscript/network.conf, including lower level protocol daemons/configuration programs like ciped, pppd, or wanconfig. See below for more details on this recommended editing policy. You will have to configure the firewall using the iptables commands directly. Don't forget to save the configurations using the 'netscript ipfilter|ip6filter save' commands! Unlike the last version, the firewalling and filtering are no longer configured from network.conf. 
This has been done as stateful filtering obviates the need for great complexity in the firewall scripts, and more flexibility is possible. You have to get down and get dirty with iptables and learn it, which is a good thing to do if you are running this to build a network - you should understand things fully, or else you will get things wrong. CONFIGURATION ------------- Sysvinit is no longer supported, thanks to some irresolvable boot order dependency loops with the ifupdown package. For systemd: systemctl mask networking systemctl mask ifupdown systemctl mask ifup\@.service Or saving /etc/network/interfaces and purging ifupdown should suffice. A lot cleaner. cp /etc/network/interfaces /root dpkg --purge ifupdown cp /root/interfaces /etc/network (Use a root-only directory such as /root for the copy rather than /tmp: /etc/network/interfaces may contain credentials such as wireless keys, and /tmp is world-writable.) You may also want to mask all the NetworkManager services as well, it likes configuring things that are not in /etc/network/interfaces. You may also want to disable inetd and/or portmap from starting up, but check that you have something like ssh set up to run in daemon mode first before doing inetd, or you may lock yourself out of a remote machine! The commands would be: update-rc.d -f portmap remove update-rc.d -f inetd remove or: systemctl mask portmap systemctl mask inetd All of the above steps will be integrated into a debhelper setup for this package if possible in the near future. If you want to set up static routing using this package, it would be a good idea to install the quagga or bird routing software packages as it is probably a good idea to set up a routing protocol on any network that needs static routes other than the default, and static routes are more easily set up from the routing software anyhow if they are really needed. LAPTOP SETUP ------------ This is still being developed, and I have been unable to complete the work on the wireless and starting/stopping services like NFS mounts due to my laptop giving me a lot of trouble under linux. Lockups and particularly keyboards being unpredictable make development hard work.
IPv6 support is there as it is an analogue of the IPv4 work but needs testing. Wireless support with waproamd still needs to be teased out. You will need to install whereami, ifplugd, waproamd, dnsmasq, and resolvconf. Get whereami configured to detect the network location and print it out using the --mapping switch. Then edit /etc/netscript/network.conf , you will see a section half way down the file just after the DHCP setup examples. You will have to add the following file to the /etc/ifplugd/action.d directory: #!/bin/sh set +e # case "$2" in up) /sbin/netscript ifup $1 > /dev/null 2>&1 RETVAL=$? sleep 5 exit $RETVAL ;; down) /sbin/netscript ifdown $1 > /dev/null 2>&1 exit $? ;; esac to the file netscript, chmod 0755, and comment out all lines in the ifupdown script in the same directory. Note that the script discards netscript's output, so a failing ifup/ifdown is only visible through the exit status; drop the redirections while debugging. After this dnsmasq and resolvconf will just basically work for ethernet. Waproamd setup should be similar to the above, but I have not been able to experiment yet. UPGRADE PATH FROM KERNEL 2.2.X ------------------------------ The firewall/IP filtering stuff in ipfilter.conf is the part that changed radically with the move to iptables and a far better way of setting up the IP filtering rules, however the QoS and interface startup/shutdown in if.conf have changed but are backwards compatible with the old 2.2.x ipchains version of netscript for the interface address configuration settings. You will have to set up the filtering again to use iptables by directly using the iptables commands. Also, the kernel 2.2.x version scripts are set up so that iptables is only run on a 2.4.x kernel, otherwise IP forwarding is disabled if beforehand you set IPFWDING_KERNEL to FILTER_ON in network.conf. This means that when you upgrade a box to a 2.4.x router kernel, you should then be able to reboot it, log in remotely and upgrade netscript to the version that will support 2.4.x.
In this situation, if you have set the old IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all IP forwarding through the box will also be disabled. This means that you can safely remotely upgrade a firewall: while the filter rules are absent no traffic is forwarded through the box. Note that this only covers forwarded traffic; services listening on the box itself are unfiltered until the new filters are loaded, so keep that window short. -- Matthew Grant , Sat, 30 Oct 2004 18:03:24 +1300 netscript/debian/TODO0000664000000000000000000000033212362370504011673 0ustar - create better manpages for the configuration files and the net command - add debhelper support for basic network configuration, and for removing networking, portmap, and inetd from the machine startup sequence. netscript/debian/changelog0000664000000000000000000007424013732503344013070 0ustar netscript-2.4 (5.5.5) unstable; urgency=medium * Source only upload. -- Matthew Grant Wed, 23 Sep 2020 11:21:08 +1200 netscript-2.4 (5.5.4) unstable; urgency=medium * Depend on dhcpcd5 to allow installation with renamed DHCP client package. -- Matthew Grant Wed, 16 Sep 2020 13:04:31 +1200 netscript-2.4 (5.5.3) unstable; urgency=medium * Depend on iproute2, not iproute (Closes: #753714) * Bump standards version to 4.1.3 * Remove obsolete Build-Dep on dh-systemd -- Matthew Grant Thu, 18 Jan 2018 22:23:55 +1300 netscript-2.4 (5.5.2) unstable; urgency=medium * Fix sub-string interface name clashes. -- Matthew Grant Sat, 08 Jul 2017 10:57:38 +1200 netscript-2.4 (5.5.1) unstable; urgency=medium * Don't hotplug bridges. Works around a kernel race. * Add note to not default disable IPv6 for Openstack.
-- Matthew Grant Tue, 27 Dec 2016 11:12:09 +1300 netscript-2.4 (5.5.0) unstable; urgency=medium * Add /etc/netscript/network.conf.d * Add proper systemd support, and fixes * Update changelog for 5.4.12~2.gbp2c652b release * Update gbp.conf * Convert ifupdown hotplug script for netscript * Update changelog for 5.4.12~3.gbp183f7f release * Add depends on lsb-base for init scripts * Update changelog for 5.4.12~4.gbp7a776d release * Update debhelper to v6 and deb standards to 3.9.8 * Update changelog for 5.4.12~5.gbpa05941 release * Update debhelper compat version to 10. * Update changelog for 5.4.12~6.gbpe6fab5 release * Fix network.conf.d include line in network.conf * Convert inbrdr outbrdr to use ICMP RETURN chain. * Update changelog for 5.4.12~7.gbpd5fe80 release * Update changelog for 5.4.12~8.gbp323004 release * Add IPV6 DAD wait address settle time on boot. * Fix one line typo in ipf6_icmphost exec function. * Make Interface functions handle - in dev names * Fix icmpv6 protocol specification in outbrdr * More IPv6 ICMP filter fixes for inbrdr and outbrdr * Fix IPv6 ipf6_log() icmpv6 rule * Update changelog for 5.4.12~15.gbpc73267 release -- Matthew Grant Thu, 15 Dec 2016 23:13:59 +1300 netscript-2.4 (5.4.11) unstable; urgency=medium * Fix iptables filters not being loaded with kernel versions 4.x - 9.x * Update standards version to 3.9.6 -- Matthew Grant Sun, 11 Oct 2015 08:06:44 +1300 netscript-2.4 (5.4.10) unstable; urgency=medium * Fix /etc/init.d dependency loop with ifupdown (Closes: #717871) * Add sysvinit/insserv back in * Add /etc/insserv.conf.d segment to correctly set up boot dependencies for above. * Update changelog for 5.4.10 release -- Matthew Grant Wed, 28 Jan 2015 22:24:09 +1300 netscript-2.4 (5.4.8) unstable; urgency=medium * Remove sysvinit/insserv support for package. (Closes: #771871) Revert totally removing ifupdown emulation/Provides as this breaks too many things.
This just removes the dependency loop in /etc/init.d files which is unfixable. -- Matthew Grant Tue, 23 Dec 2014 17:50:04 +1300 netscript-2.4 (5.4.7) unstable; urgency=medium * Convert '-' in interface names to '_' (Closes: #773772) -- Matthew Grant Mon, 22 Dec 2014 21:10:30 +1300 netscript-2.4 (5.4.6) unstable; urgency=medium * Remove ifupdown emulation -- Matthew Grant Mon, 22 Dec 2014 19:48:20 +1300 netscript-2.4 (5.4.5) unstable; urgency=medium * Add dependency for iproute2|iproute (for backport) (Closes: #705169) -- Matthew Grant Sat, 19 Jul 2014 16:27:58 +1200 netscript-2.4 (5.4.4) unstable; urgency=medium * Fix netscript ifrestart * Add ability to restart radvd/dnsmasq on ifup -- Matthew Grant Sun, 18 May 2014 12:58:13 +1200 netscript-2.4 (5.4.3) unstable; urgency=medium * Change back to Architecture: all (Closes: #745597) * Add missing conflicts netscript-ipfilter -- Matthew Grant Sun, 11 May 2014 08:42:01 +1200 netscript-2.4 (5.4.2) unstable; urgency=medium * Fix netscript-2.4 systemd service file * Fix netscript-ipfilter systemd service file - start up order -- Matthew Grant Sun, 13 Apr 2014 13:42:52 +1200 netscript-2.4 (5.4.0) unstable; urgency=medium * Remove filters after interface down. * Add better support for pppoe and IPv6 sit tunnels * Add systemd support - debian rules stuff * Change description for netscript-ipfilter * Fix dangling manpage symlink in netscript-ipfilter * Depend on isc-dhcp-client (Closes: #681252) * Fix email address on latest changes. * Fix dh_systemd_enable command line switch * Add gitignore file * Fix effective RUNLVL under systemd * Removed kernel module loading code as locked kernel -- Matthew Grant Sat, 12 Apr 2014 12:57:23 +1200 netscript-2.4 (5.3.2) unstable; urgency=medium * Updated documentation - copyright, rm stale stuff * Initial complete netscript-ipfilter package. 
-- Matthew Grant Thu, 16 Jan 2014 11:06:07 +1300 netscript-2.4 (5.3.1) unstable; urgency=medium * Add NEWS file advising of removal og netscript-compile -- Matthew Grant Tue, 07 Jan 2014 17:58:40 +1300 netscript-2.4 (5.3.0) unstable; urgency=medium * Add full IPv6 filter helper function support * Properly update ipfilter.conf * Remove netscript-compile functionality and docs. * Fix module loading/unloading on restart * Commit changelog for 5.3.0 * Update debian/control with new email address * Really update debain/control maintainer * Fix lintian warnings. -- Matthew Grant Mon, 06 Jan 2014 13:12:28 +1300 netscript-2.4 (5.2.12) unstable; urgency=low * Fix missing quotes in brg_iface up call (Closes: #681641) -- Matthew Grant Sun, 15 Jul 2012 12:27:10 +1200 netscript-2.4 (5.2.11) unstable; urgency=low * Update module loading for kernel 3.2+ * Add device to IPv6 default route command. * Add ability to not set IPv6 address from SLAC. * resolvconf option + unsetting new IPv6 RPrefix option * Removed netscript-2.4-upstart package as upstart is a moving target. * Removed netscript-2.4-upstart from debian/rules. -- Matthew Grant Wed, 23 May 2012 13:21:28 +1200 netscript-2.4 (5.2.10) unstable; urgency=low * Fix IPv6 MTU override and add IPv6 icmp-host chain. -- Matthew Grant Sun, 19 Feb 2012 10:05:01 +1300 netscript-2.4 (5.2.9) unstable; urgency=low * Made netscript depend on /bin/bash as it needs the ability to list shell script functions. Dash does not provide this. -- Matthew Grant Sun, 25 Sep 2011 20:53:28 +1300 netscript-2.4 (5.2.8) unstable; urgency=low * Fix issue with filters not being loaded on IPv6 due to kernel version not being detected. -- Matthew Grant Fri, 09 Sep 2011 08:50:02 +1200 netscript-2.4 (5.2.7) unstable; urgency=low * Module unloading/loading for linux kernel v 3.0. Includes ipi_set and ip_vs modules. 
-- Matthew Grant Sat, 20 Aug 2011 14:38:41 +1200 netscript-2.4 (5.2.6) unstable; urgency=low * Inital support for Linux 3.0 in terms of version checking. -- Matthew Grant Wed, 17 Aug 2011 07:40:49 +1200 netscript-2.4 (5.2.5) unstable; urgency=low * Add support for accept RA advertised routes based on mask length * Upgraded standards version to 3.9.2. * Overrode lintian errors and warnings about remote_fs - this package configures the network, which is needed for remote_fs! * Fixed problem with dh_installinit installing start up scripts on upstart version of the package. * Made netscript recognise upstart runlevel 'unknown'. * Fixed race condition in upstart /etc/init/*.conf files. * Introduced /etc/init/netscript-shutdown.conf for clean shutdown with upstart. -- Matthew Grant Sun, 24 Apr 2011 20:06:57 +1200 netscript-2.4 (5.2.4) unstable; urgency=low * Fix problems with upstart package not initialising correctly due to start up races. * Remove /32 and /128 from address deletion in if.conf -- Matthew Grant Thu, 27 Jan 2011 20:58:36 +1300 netscript-2.4 (5.2.3) unstable; urgency=low * Remove conflict with network-manager, as this can cause too much pain on laptops with wicd being unmaintained now. It is better to install netscript-2.4-upstart, configure it, and then tell network-manager to interfaces alone by setting [ifupdown]\nmanage = false. -- Matthew Grant Wed, 22 Dec 2010 15:41:03 +1300 netscript-2.4 (5.2.2) unstable; urgency=low * Fix missing quotes around script for activating 'chained' interfaces (Closes: #592340). * Add missing overrides for /etc/init.d/netscript-2.4 startup. * Added linitian overrides for errors about missing init dependencies on $remote-fs * Increased Standards Version to 3.9.1 -- Matthew Grant Wed, 18 Aug 2010 11:52:39 +1200 netscript-2.4 (5.2.1) unstable; urgency=low * Fix up netscript-interface.conf upstart file, make it ignore interface lo. * Add dependency on virtual package dhcp-client for initial system install. 
* Added or depends on dhcp3-client as well, and dhcp3-client does not also provide the dhcp-client virtual package. -- Matthew Grant Tue, 22 Dec 2009 13:02:34 +1300 netscript-2.4 (5.2) unstable; urgency=low * Add switch to disable IPv6 * Auto enable/disable IPv6 when adding/deleting an interface to a bridge. * Fix bug with deleting interfaces from bridges other than brg0 * Set up default for disabling IPv6 on dynamic interfaces. * Add switch to remove bridges from netfilter filtering. * Add ability to name bridges. * Install udev file correctly * Fix a few typos * Change IPv6 default route prefix to 'default' * Changed compatibility level to 5. * Fix lintin errors in man pages. * Remved empty maintainer script debian/prerm. * Updated to latest Debian Standards version 3.8.3 etc. * Added xt_cluster to correct insmod secion. * Split package to provide for different init environments * Added initial support for upstart initctl -- Matthew Grant Mon, 21 Dec 2009 22:28:25 +1300 netscript-2.4 (5.1.10) unstable; urgency=low * Fixed netscript to work better with 2.6.31. Doesn't load modules when IP_KERNEL_FILTER is set to NONE, and netscript reload adjusts loaded modules according to setting. * Recording adding of patches for nmu2. (Closes: #546459) * Recording adding of patches for nmu3. (Closes: #547509) -- Matthew Grant Tue, 20 Oct 2009 21:38:39 +1300 netscript-2.4 (5.1.9) unstable; urgency=low * Bumping version to force upload. -- Matthew Grant Sun, 04 Oct 2009 14:40:47 +1300 netscript-2.4 (5.1.8) unstable; urgency=low * Fixing module loading for kernel 2.6.31. -- Matthew Grant Thu, 01 Oct 2009 09:01:32 +1300 netscript-2.4 (5.1.7+nmu3) unstable; urgency=low * Non-maintainer upload to fix release goal. * Make ifupdown init.d scrtip dependency optional, to avoid having the package depend on ifupdown. Fixes installation problem detected by piuparts. 
-- Petter Reinholdtsen Sun, 20 Sep 2009 14:45:23 +0200 netscript-2.4 (5.1.7+nmu2) unstable; urgency=low * Non-maintainer upload. * Patched the wrong file in the last upload. Patch netscript.init, not debian/init. Make sure to remove the debian/init copy in the clean target of debian/rules. Last NMU is obsolete (Closes: #546457). -- Petter Reinholdtsen Sun, 13 Sep 2009 12:55:24 +0200 netscript-2.4 (5.1.7+nmu1) unstable; urgency=low * Non-maintainer upload to fix release goal. * Fix init.d script dependency headers (Closes: 542246). -- Petter Reinholdtsen Sun, 13 Sep 2009 11:58:38 +0200 netscript-2.4 (5.1.7) unstable; urgency=low * Remove suggests entry in debian/control for waproamd. (Closes: #509392) -- Matthew Grant Mon, 29 Dec 2008 17:19:53 +1300 netscript-2.4 (5.1.6) unstable; urgency=low * Fix netscript so that it will run with dash as /bin/sh. * Update my maintainer address to matthewgrant5@gmail.com -- Matthew Grant Mon, 29 Dec 2008 13:17:53 +1300 netscript-2.4 (5.1.5-0.1) unstable; urgency=low * Non-maintainer upload. * Fix bashism in netscript-compile. The problems reported in netscript by checkbashisms are false positives, it has a local definition of a source function. (Closes: #465011) -- Marc 'HE' Brockschmidt Sat, 08 Mar 2008 23:54:46 +0100 netscript-2.4 (5.1.5) unstable; urgency=low * Fix lintian warnings debian-rules-sets-DH_COMPAT, out-of-date-standards-version, init.d-script-missing-lsb-section, and package-contains-empty-directory /usr/sbin * Update to Standards Version 3.7.3 -- Matthew Grant Wed, 06 Feb 2008 04:22:55 +0000 netscript-2.4 (5.1.4) unstable; urgency=low * Fixed typos in package description in debian/control (closes: #274815) * Fixed linitian warning about standards version 3.6.2 -> 3.7.6 * Replaced Build-Depends-Indep: with Build-Depends in debian/control to fix lintian warning. 
-- Matthew Grant Sat, 2 Feb 2008 13:18:00 +1300 netscript-2.4 (5.1.3) unstable; urgency=low * Updated to support kernel 2.6.22 * Merged IPV4_FILTER_KERNEL and IPV6_FILTER_KERNEL switches to IP_FILTER_KERNEL switch because of merging of upstream netfilter v4 and v6 modules to enable connection tracking in IPv6 -- Matthew Grant Sat, 02 Feb 2008 12:06:44 +1300 netscript-2.4 (5.1.2) unstable; urgency=low * Add support to control sending of redirects on an interface. This is useful for use with openvpn which can route packets in and out of the VPN tun device. -- Matthew Grant Tue, 30 Jan 2007 11:55:05 +1300 netscript-2.4 (5.1.1) unstable; urgency=low * Updated to support 2.6.14 and 2.6.16 kernels. * Updated debhelper compatibility to 4 from 3. Sarge support is needed. -- Matthew Grant Sat, 18 Feb 2006 20:21:57 +0000 netscript-2.4 (5.1.0) unstable; urgency=low * Added initial support for laptops and whereami. This still needs some work, but I am getting it out there as it is now usable. * Added entries to README.Debian to document how to set above up. -- Matthew Grant Fri, 29 Oct 2004 08:38:27 +1300 netscript-2.4 (5.0.14) unstable; urgency=medium * Merge in work down for NMU. * Get rid of startup and shutdown init calls in maintainer scripts. -- Matthew Grant Wed, 13 Oct 2004 08:40:55 +1300 netscript-2.4 (5.0.13-0.1) unstable; urgency=high * Non-maintainer upload. * High-urgency upload for (trivial,) sarge-targetted RC bugfix * Replace zebra with quagga in Recommends:, since the former is no longer available (closes: #273043). -- Steve Langasek Sat, 2 Oct 2004 03:07:00 -0700 netscript-2.4 (5.0.13) unstable; urgency=low * Added fix proposed by Bart Samwel , fixing problem with saving of filters with 'netscript ipfilter save' Local vars MANGLE and FILTER were not initialised to zero in ipv4filter_check(). Also fixed ipv6filter_check(). 
(Closes: #267151) -- Matthew Grant Sat, 28 Aug 2004 19:12:06 +1200 netscript-2.4 (5.0.12) unstable; urgency=low * Fix prerm script by editing out #DEBHELPER# This fixes problem where netscript closes down all interfaces on package remove or purge. Leaving proper clean up for a month to allow people to get rid of the bad prerm package maintainer scripts - will go to telling debhelper to only install /etc/rc.d startup/shutdown symlinks. (Closes: #241989) -- Matthew Grant Wed, 9 Jun 2004 12:07:49 +1200 netscript-2.4 (5.0.11) unstable; urgency=low * Add support for iptables policy match module to close new ipsec packet injection hole. * Changed ipfilter-defs(5) man page for new IPSEC interface name directives. -- Matthew Grant Fri, 23 Apr 2004 14:28:40 +1200 netscript-2.4 (5.0.10) unstable; urgency=low * Initial work to netscript to work with the 2.6 kernel. * Removed configuration samples for deprecated Free S/WAN support. Free S/WAN KLIPS is a real mess in terms of interfaces, routing and confg scripts! * Added mentions of 2.6 kernel in most places needed. Man pages may need it. * Removed suggestion for vrrpd - this was a failed experiment. * Upgraded standards version to 3.6.1. -- Matthew Grant Fri, 26 Mar 2004 08:03:43 +1200 netscript-2.4 (5.0.9) unstable; urgency=low * Fix default case in init script. -- Matthew Grant Tue, 23 Dec 2003 15:48:23 +1300 netscript-2.4 (5.0.8) unstable; urgency=low * Basically a clean up to get ready to go into unstable. * Changed 'net' command to 'netscript' to stop a clash with samba-comon in sarge and sid. * Changed 'net-compile' to 'netscript-compile to match above. * Adjusted config files and other files to match above. * Removed conffile as this results in duplicate config file lintian warnings. * Fixed lintian warning about 'Upstream Author(s)'. 
* Updated Debian Standards version to 3.5.7 -- Matthew Grant Mon, 15 Dec 2003 22:05:30 +0000 netscript-2.4 (5.0.7) unstable; urgency=low * Added work around for kernel crash bug with psd and limit modules. -- Matthew Grant Sun, 8 Jun 2003 00:12:04 +1200 netscript-2.4 (5.0.6) unstable; urgency=low * Added support for adjusting portscan chain psd module parameters to deal with high traffic situations. -- Matthew Grant Thu, 5 Jun 2003 16:12:25 +1200 netscript-2.4 (5.0.5) unstable; urgency=low * Previous change lost chaings in 5.0.3 with ipfilter-defs.conf. Fixed. -- Matthew Grant Tue, 3 Jun 2003 15:45:20 +1200 netscript-2.4 (5.0.4) unstable; urgency=low * Fixed problem with startup getting order of chains in iplcl and ipfwd in correct. This was due to 2 ways of adding chains into these, a simple add on start up, and then indexing for manual incremental add ins. Gone to indexing mode for all additions, and made function that returns index into iplcl and ipfwd a lot faster (O(n) instead of O(n2).). The change is only in /etc/netscript/ipfilter-defs.conf, has been tested carefully, and does nto affect the rest of the netscript system. -- Matthew Grant Tue, 3 Jun 2003 14:16:41 +1200 netscript-2.4 (5.0.3) unstable; urgency=low * Fixed problem with REJECT_UDP_NET - '-m STATE' should be '-m state'. * Added new alternative FreeS/WAN start up code for multiple interfaces. network.conf needs a cleanup for next release that is backwards compatible. * Fixed --pkt-type argmuents in ipfilter-defs.conf. Fixes dropping of BROADCAST packets for INPUT and FORWARD chains. -- Matthew Grant Thu, 29 May 2003 09:47:28 +1200 netscript-2.4 (5.0.2) unstable; urgency=low * Updated ipfilter-defs.5 manpage for new compile rules below. -- Matthew Grant Wed, 23 Apr 2003 07:58:08 +1200 netscript-2.4 (5.0.1) unstable; urgency=low * Added support for more logging targets, for each type of new coonnection, so that strings can be prepended to log messages. 
New compile targets are LOG_BROADCAST, LOG_PROTO, LOG_UDP, LOG_TCP, LOG_UDP_NET, LOG_TCP_NET, LOG_NET, LOG_IFACE, LOG. The new LOG_MSG and LOG_MSG_RESET are used to set the log text. * Added support for network addresses for UDP, and TCP. Targets are ACCEPT_TCP_NET, ACCEPT_UDP_NET, REJECT_TCP_NET, REJECT_UDP_NET, DROP_TCP_NET, and DROP_UDP_NET, as well as above log targets. * Fixed spelling bug with the net-compile run messages. * Fixed net-compile bug where script would compile then give up with and error exit, and not complete compiling when there where no rules defined in ipfilter-defs files. * Manpages left to next minor release as this one has to get out the door... -- Matthew Grant Tue, 15 Apr 2003 11:30:46 +1200 netscript-2.4 (5.0.0) unstable; urgency=low * Changed netscript so that it can support compiling and configuring from ipfilter-defs on start up. * Added type checking as much as practical to the net-compile command. * Updated manpages for existing commands. * Created manpages for ipfilter-defs. * Moved net-compile to /sbin from /usr/sbin. * Set permissions on install to 700 for ipfilter-defs directory as it contains security information. -- Matthew Grant Mon, 24 Mar 2003 15:09:50 +1200 netscript-2.4 (4.23) unstable; urgency=low * Added MARTIAN_BYPASS to ipf4_martians so that some source addresses can be by passed in martians check. * Fixed some of the examples in ipfilter-defs configuration. -- Matthew Grant Wed, 26 Feb 2003 15:36:08 +1300 netscript-2.4 (4.22) unstable; urgency=low * Made some corrections for missing files etc. -- Matthew Grant Tue, 25 Feb 2003 14:08:57 +1300 netscript-2.4 (4.21) unstable; urgency=low * Initial packaging of net compile functionality for IPv4. Documentation will be in next one, this is a trial build an run package. -- Matthew Grant Tue, 25 Feb 2003 13:38:46 +1300 netscript-2.4 (4.20) unstable; urgency=low * Fix bug with interface type stop functions not execuiting due to missing 'type' keyword. 
* Made /sbin/net work with non modular kernels, in the case where lsmod is not installed, and where it is. -- Matthew Grant Sat, 1 Feb 2003 17:03:45 +1300 netscript-2.4 (4.19) unstable; urgency=low * Install missing changelog... -- Matthew Grant Thu, 16 Jan 2003 11:43:13 +1300 netscript-2.4 (4.18) unstable; urgency=low * Removed Debian sub versioning as the debian package is maintained in parallel to the source. * Removed vrrpd code as the daemon is unstable. Included example of how to get package going with heartbeat. -- Matthew Grant Thu, 16 Jan 2003 10:53:45 +1300 netscript-2.4 (4.17-1) unstable; urgency=low * Fixed bug with /32 and /128 netmasks not being given in ethx_IPADDR. * Made VRRPD code work properly... - stopped new address code removing VRRPD IP addresses. -- Matthew Grant Wed, 8 Jan 2003 10:13:03 +1300 netscript-2.4 (4.16-1) unstable; urgency=low * Adjusted module loading for ipt_helper module in 2.4.20 * Fixed bug with deleting extraneous bridges where interfaces on running bridges were assumed to be disused bridges. -- Matthew Grant Fri, 3 Jan 2003 12:10:38 +1300 netscript-2.4 (4.15-1) unstable; urgency=low * Add support for vrrpd daemon. * Revamp the handling of the forwarding switch, and add commands to help handle it. -- Matthew Grant Mon, 30 Dec 2002 15:38:56 +1300 netscript-2.4 (4.14-1) unstable; urgency=low * Add ingress check rule and portscan chan for psd module to ipfilter.conf * Make ipfilter.conf test for and load /etc/netscript/ipfilter-local.conf if present. -- Matthew Grant Tue, 26 Nov 2002 13:12:19 +1300 netscript-2.4 (4.13-1) unstable; urgency=low * Fix ipsec modules not unloading on 'net stop'. Function call was missing in stop_mod(). 
-- Matthew Grant Mon, 18 Nov 2002 15:00:34 +1300 netscript-2.4 (4.12-1) unstable; urgency=low * Fixed ipsec startup to deal with Free S/WAN .pid files if the machine went off because of power failure - ipsec0 was not starting * Fixed problem with source blocking in the IPv4 inbrdr chain creation - inbound source blocking was setting the destination instead of the source address. -- Matthew Grant Sun, 10 Nov 2002 10:03:49 +1300 netscript-2.4 (4.11-1) unstable; urgency=low * Added support to load and unload Free S/WAN ipsec module, and extension modules as found in Debian Woody, and used in the Debian Router Project. -- Matthew Grant Tue, 29 Oct 2002 22:57:36 +1300 netscript-2.4 (4.10-2) unstable; urgency=low * Fixed some of the comments in the network.conf file to make things clearer. -- Matthew Grant Tue, 29 Oct 2002 06:55:51 +1300 netscript-2.4 (4.10-1) unstable; urgency=low * New Upstream Version * Fix problem with mangling set up preventing Free S/WAN from working properly - packet mangling was causing rerouting of ESP packets back into ipsec0 tunnel device... * Added support for adding static routes/static ARPs on interface start/reload. * Added support for subordinate interfaces (for controlling tunnels etc). -- Matthew Grant Mon, 28 Oct 2002 23:22:56 +1300 netscript-2.4 (4.04-2) unstable; urgency=low * Fix up Free S/WAN start up so that rp_filter can be used... -- Matthew Grant Fri, 18 Oct 2002 10:24:24 +1300 netscript-2.4 (4.04-1) unstable; urgency=low * Fix IPv4 icmp chain creation barfing because of conflict with protocol name... go figure. * Add support for Free S/WAN ipsec on one interface. * Add support for interface shutdown to chain shutdown of tunnel interfaces with manual manipulation... -- Matthew Grant Wed, 16 Oct 2002 11:28:30 +1300 netscript-2.4 (4.03-1) unstable; urgency=low * New upstream release with fix for dynamic interfaces that don't exist at boot, otherwise you cannot manually start them. 
* Fix minor problem with hlp output and long interface lists. -- Matthew Grant Fri, 4 Oct 2002 11:26:08 +1200 netscript-2.4 (4.02-1) unstable; urgency=low * New upstream release with tweaks and support for new 2.4.18-ac3 router kernels. * Added support for having iptables base modules compiled into the kernel by putting test into /sbin/net load_module() to test if base module is on the file system. * Added support for the following iptables 1.2.6a modules which have special dependencies: ipt_conntrack, ipt_NETMAP, ipt_SAME, ipt_POOL, ip_pool, and ipt_pool. -- Matthew Grant Tue, 26 Mar 2002 12:17:56 +1200 netscript-2.4 (4.01-1) unstable; urgency=low * Added corrected ppp interface stuff to network.conf * Corrected some documentation in network.conf about QoS -- Matthew Grant Fri, 28 Dec 2001 14:25:27 +1300 netscript-2.4 (4.0-4) unstable; urgency=low * Changed permissions of /etc/netscript/network.conf and ipfilter.conf to 0644 from 0600 as they do not contain information that is that sensitive anymore. -- Matthew Grant Mon, 10 Dec 2001 20:52:24 +1300 netscript-2.4 (4.0-3) unstable; urgency=low * Fixed problems with build depends by switching to 'Build-Depends-Indep'. -- Matthew Grant Sat, 8 Dec 2001 11:26:46 +1300 netscript-2.4 (4.0-2) unstable; urgency=low * Fixed problem with Build-Depends being in binary section of control file, and not being in the Source section as required. -- Matthew Grant Wed, 5 Dec 2001 15:05:02 +1300 netscript-2.4 (4.0-1) unstable; urgency=low * New version 4.0 with the following major changes * Converted to kernel 2.4.x, and iptables * Added IPv6 support, ip6tables and IPv6 interface configuration. * Removed filter and masquerade listing support as people should be using the iptables commands * All the old ipchains filtering scripts have been removed and replaced with shell script fragments via the ipfilter exec command. * Configuration is now saved to disk using the iptables-restore and iptables save commands (IPv4 and IPv6). 
* Converted output messages to Debian format * Added code to load/unload iptables and QoS modules on start and stop. -- Matthew Grant Sat, 1 Dec 2001 14:33:21 +1300 netscript-2.2 (3.03-0potato1) unstable; urgency=low * Added ability to set/override multicast fflag and mtu of interface * Added IP source IP/network specification to DMZ_OPEN_DEST and DMZ_CLOSED_DEST lists for DMZ network access control filters -- Matthew Grant Sun, 21 Jan 2001 22:54:16 +1300 netscript-2.2 (3.02-0potato1) unstable; urgency=low * Fixed problem with OSPF multicasts being blocked by the external interface filtering. The obstruction could cause problems with Zebra ospfd and other OSPF daemons in general. -- Matthew Grant Thu, 7 Dec 2000 08:35:49 +1300 netscript-2.2 (3.01-0potato1) unstable; urgency=low * Removed unused INTERN_IF variable from network.conf * Fixed QoS reload for PPP interfaces * Reworked QoS loading for PP interfaces to make it nicer -- Matthew Grant Sun, 3 Dec 2000 17:41:22 +1300 netscript-2.2 (3.0-0.9) unstable; urgency=low * Initial Release. * first release in a tar ball format. This basically a rehash of what is in LRP Eiger. * More chains used to reduce CPU load on router filtering operations, * QoS made usable b y adding reload commands and providing facility to set aside lumps of bandwidth * More options provided to net command to make it more intiuitive to use * Added ability to list individual chains * Adapted for Debian and overhauled it to increase effeciency. * As this package will change rapidly, man pages are not available but will be written when stabilised. 
-- Matthew Grant Fri, 24 Nov 2000 17:07:15 +1300 Local variables: mode: debian-changelog End: netscript/debian/compat0000664000000000000000000000000313021720740012376 0ustar 10 netscript/debian/control0000664000000000000000000000510013730261744012611 0ustar Source: netscript-2.4 Section: net Priority: optional Maintainer: Matthew Grant Standards-Version: 4.1.3 Build-Depends: debhelper (>= 10) Package: netscript-2.4 Architecture: all Depends: iproute2, bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), isc-dhcp-client | dhcpcd | dhcpcd5 | pump, lsb-base, ${misc:Depends} Provides: netscript, ifupdown Conflicts: netscript, netscript-2.2, ifupdown, netscript-ipfilter Replaces: netscript, ifupdown Suggests: whereami, dnsmasq, resolvconf, wpasupplicant, wicd, quagga, radvd, bird Description: Linux 2.4/2.6/3.x router/firewall/VM host network config system. This is a router and firewall network configuration system. It is specific to the 2.4.x and 2.6.x kernel series. This system is in production use, even though this is an experimental version. . It offers much finer grained control of the network setup than the standard system in netbase, with support for bridge configuration, iptables, ip route and tc traffic control. It is optimised for use on high traffic routers with interfaces being reconfigured individually while the rest of the machine is routing traffic 24x7. Common boiler plate filter creation functions are provided to ease the task of constructing iptables filters in the context of operation within an ISP network. . Since this package is designed for a heavy duty network router, it is designed to work in conjunction with a routing daemon as found in the quagga package. . DON'T use this on a pure server - it is VERY useful for a Virtual Machine server with complex networking needs. This is because of its comprehensive network configuration capabilities. Thus it is a tempting replacement when you have to rip out NetworkManager on a server. . 
It was originally designed for dedicated routers and firewalls, and hence its lightweight scripting footprint. When it comes to firewall configuration though, have a look at the mason package if you are faint of heart. Package: netscript-ipfilter Architecture: all Depends: iptables, netbase, bash (>= 2.03), lsb-base, ${misc:Depends} Provides: netscript-ipfilter Conflicts: netscript-2.4 Description: Linux 2.6/3.x iptables management system. This is a cut down version of netscript-2.4, which is just the ipfilter iptables/ip6tables management implementation. This provides iptables and ip6tables management with a cyclic backup history, via iptables-restore and iptables-save. . This is designed to work with ifupdown, and is better than iptables-persistent as you can roll back filter changes if you have made a mistake. netscript/debian/copyright0000664000000000000000000000170513021636501013136 0ustar This package was debianized by Matthew Grant on Thu, 23 Nov 2000 17:01:55 +1300. Upstream Authors: Matthew Grant (send patches here) David Cinege Copyright: Copyright 1995-2000 Matthew Grant Portions copyright 1998,1999 David Cinege 1999-2009 Anthony Towns 2010-2015 Andrew Shadura 2015 Guus Sliepen License: GPL-2 Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz . You are free to distribute and use this software under the terms of the GNU General Public License. . Systemd setup and udev scripts copied and adapted from ifupdown 0.18.6, which is licensed GPL 2+ . On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL file. 
netscript/debian/docs0000664000000000000000000000006012362370504012054 0ustar BUGS README README.etc TODO 2.4.x-kernel.config netscript/debian/gbp.conf0000664000000000000000000000025113021640706012617 0ustar [DEFAULT] #upstream-branch=master #debian-branch=deb-package [buildpackage] #upstream-tag = v%(version)s #submodules = True [dch] spawn-editor = always commit = True netscript/debian/netscript-2.4-upstart.dirs0000664000000000000000000000001112362370504016074 0ustar etc/init netscript/debian/netscript-2.4-upstart.netscript-interface.upstart0000664000000000000000000000155512362370504022623 0ustar # network-interface - configure network device # # This service causes network devices to be brought up or down as a result # of hardware being added or removed, including that which isn't ordinarily # removable. # # Based on work by # Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100 # copyright 2009 Canonical Limited. License GPL v2 # changes for netscript-2.4 # copyright 2011 Matthew Alexander Grant License GPL V2 # Matthew Grant description "configure network device" start on stopped rc RUNLEVEL=[2345] and net-device-added stop on runlevel [2345] and net-device-removed INTERFACE=$INTERFACE instance $INTERFACE pre-start script if [ "$INTERFACE" != "lo" ]; then exec netscript ifup $INTERFACE fi end script post-stop script if [ "$INTERFACE" != "lo" ]; then exec netscript ifdown $INTERFACE fi end script netscript/debian/netscript-2.4-upstart.netscript-shutdown.upstart0000664000000000000000000000042412362370504022530 0ustar # netscript shutdown - shutdown system networking controlled by netscript # # This task stops all the network daemons and interfaces controlled by # netscript description "shutdown system networking controlled by netscript" start on runlevel [06] task exec netscript stop netscript/debian/netscript-2.4-upstart.netscript.upstart0000664000000000000000000000070112362370504020655 0ustar # netscript - configure network devices controlled by netscript # # # 
# Based on work by # Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100 # copyright 2009 Canonical Limited. License GPL v2 # Adaptation for netscript-2.4 # copyright 2011 Matthew Alexander Grant description "configure virtual network devices" start on (local-filesystems and stopped udevtrigger) task exec netscript start netscript/debian/netscript-2.4.dirs0000664000000000000000000000001312362370504014376 0ustar etc/init.d netscript/debian/netscript-2.4.insserv0000664000000000000000000000010712457756601015145 0ustar # # Low level networking (ethernet card) # $network +netscript netscript/debian/netscript-2.4.links0000664000000000000000000000075412452134557014577 0ustar usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/network.conf.5.gz usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/if.conf.5.gz usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/qos.conf.5.gz usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/ipfilter.conf.5.gz usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifup.8.gz usr/share/man/man8/netscript.8.gz usr/share/man/man8/ifdown.8.gz sbin/netscript sbin/ifup sbin/netscript sbin/ifdown netscript/debian/netscript-2.4.lintian-overrides0000664000000000000000000000044212362370504017101 0ustar netscript-2.4 binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-start netscript-2.4 binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-stop netscript-2.4 binary: init.d-script-possible-missing-stop etc/init.d/netscript 1 netscript/debian/netscript-2.4.manpages0000664000000000000000000000004112362370504015231 0ustar netscript-2.4.conf.5 netscript.8 netscript/debian/netscript-2.4.netscript.init0000775000000000000000000000215712462120770016427 0ustar #! 
/bin/sh -e ### BEGIN INIT INFO # Provides: netscript # Required-Start: mountkernfs $local_fs # Required-Stop: $local_fs # Default-Start: S # Default-Stop: 0 6 # Short-Description: Raise network interfaces, and setup iptables. # Description: Raise network interfaces, starting any required networking # daemons like pppd, DHCP client or openvpn, and setup iptables. ### END INIT INFO # # netscript script to fire up netscript network configuration system # # Written by Miquel van Smoorenburg . # Modified for Debian GNU/Linux # by Ian Murdock . # Modified from /etc/init.d/skeleton # by Matthew Grant # PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DAEMON=/sbin/netscript NAME=netscript DESC="netscript" test -f $DAEMON || exit 0 . /lib/lsb/init-functions # The /sbin/netscript command complies with Debian Policy so just do this: # NB the following can make lintian happy case "$1" in start|reload|force-reload|restart) $DAEMON $* ;; stop) $DAEMON $* ;; *) $DAEMON $* ;; esac netscript/debian/netscript-2.4.netscript.service0000664000000000000000000000137013021634664017121 0ustar [Unit] Description=Netscript network interfaces and iptables Documentation=man:netscript(8) DefaultDependencies=no Wants=network.target After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service #If you want to run openvswitch for software switching underneath # primary networking #After=openvswitch-switch.service Before=network.target shutdown.target network-online.target Conflicts=shutdown.target [Install] WantedBy=multi-user.target WantedBy=network-online.target [Service] Type=oneshot EnvironmentFile=-/etc/netscript/network.conf ExecStartPre=-/bin/sh -c '[ -n "$IF_AUTO" ] && udevadm settle' ExecStart=/sbin/netscript start ExecStop=/sbin/netscript stop RemainAfterExit=true TimeoutStartSec=5min netscript/debian/netscript-2.4.netscript.udev0000664000000000000000000000057313021717642016426 0ustar # This file causes network devices to 
be brought up or down as a result # of hardware being added or removed, including that which isn't ordinarily # removable. # See udev(7) for syntax. # Allow rfkill for users in the netdev group KERNEL=="rfkill", MODE="0664", GROUP="netdev" # Handle allow-hotplug interfaces SUBSYSTEM=="net", ACTION=="add|remove", RUN+="netscript-hotplug" netscript/debian/netscript-2.4.netscript@.service0000644000000000000000000000077113021635060017212 0ustar [Unit] Description=Netscript ifup for %I After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service Before=network.target shutdown.target network-online.target Conflicts=shutdown.target BindsTo=sys-subsystem-net-devices-%i.device DefaultDependencies=no IgnoreOnIsolate=yes [Service] # avoid stopping on shutdown via stopping system-ifup.slice Slice=system.slice ExecStart=/bin/sh -ec 'netscript ifup %I' ExecStop=/sbin/netscript ifdown %I RemainAfterExit=true TimeoutStartSec=5min netscript/debian/netscript-ipfilter.dirs0000664000000000000000000000001312362370504015711 0ustar etc/init.d netscript/debian/netscript-ipfilter.links0000664000000000000000000000037012362370504016076 0ustar usr/share/man/man5/netscript-ipfilter.conf.5.gz usr/share/man/man5/network.conf.5.gz usr/share/man/man5/netscript-ipfilter.conf.5.gz usr/share/man/man5/ipfilter.conf.5.gz usr/share/man/man8/netscript-ipfilter.8.gz usr/share/man/man8/netscript.8.gz netscript/debian/netscript-ipfilter.lintian-overrides0000664000000000000000000000046112362370504020415 0ustar netscript-ipfilter binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-start netscript-ipfilter binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/netscript: required-stop netscript-ipfilter binary: init.d-script-possible-missing-stop etc/init.d/netscript 1 netscript/debian/netscript-ipfilter.manpages0000664000000000000000000000005712362370504016553 0ustar netscript-ipfilter.conf.5 netscript-ipfilter.8 
netscript/debian/netscript-ipfilter.netscript.init0000775000000000000000000000227212362370504017741 0ustar #! /bin/sh -e ### BEGIN INIT INFO # Provides: netscript # Required-Start: mountkernfs $local_fs # Required-Stop: $local_fs # Should-Start: openvswitch-switch # X-Start-Before: networking # X-Stop-After: networking # Default-Start: S # Default-Stop: 0 6 # Short-Description: Raise network interfaces, and setup iptables. # Description: Raise network interfaces, starting any required networking # daemons like pppd, DHCP client or openvpn, and setup iptables. ### END INIT INFO # # netscript script to fire up netscript network configuration system # # Written by Miquel van Smoorenburg . # Modified for Debian GNU/Linux # by Ian Murdock . # Modified from /etc/init.d/skeleton # by Matthew Grant # PATH="/sbin:/bin:/usr/sbin:/usr/bin" DAEMON=/sbin/netscript NAME=netscript DESC="netscript" test -f $DAEMON || exit 0 . /lib/lsb/init-functions # The /sbin/netscript command complies with Debian Policy so just do this: # NB the following can make lintian happy case "$1" in start|reload|force-reload|restart) $DAEMON $* ;; stop) $DAEMON $* ;; *) $DAEMON $* ;; esac netscript/debian/netscript-ipfilter.netscript.service0000664000000000000000000000031112362370504020423 0ustar [Unit] Description=IP tables for system Before=network.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/sbin/netscript start ExecStop=/sbin/netscript stop [Install] WantedBy=basic.target netscript/debian/postinst0000664000000000000000000000247212362370504013020 0ustar #! 
/bin/sh # postinst script for netscript-2.2 # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. case "$1" in configure) ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# file1=/etc/netscript/wep.conf if [ -d "$file1" ]; then chmod 0600 "$file1" || true fi exit 0 netscript/debian/postrm0000664000000000000000000000174112362370504012457 0ustar #! /bin/sh # postrm script for netscript-2.2 # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ case "$1" in purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) # update the menu system # if [ -x /usr/bin/update-menus ]; then update-menus; fi ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 0 esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# netscript/debian/readme0000664000000000000000000000075312362370504012372 0ustar This package is still experimental, and under rapid evolution so it does not come with much documentation. 
Install a router flavour kernel, or one generated from the accompanying kernel configuration. To configure kernel run: make mrproper cp /usr/share/doc/netscript-2.4/2.4.x-kernel.config .config make menuconfig and configure your kernel, save configuration, make dep; make bzImage; make modules as usual. The scripts now automatically load all needed netfilter and QoS modules. netscript/debian/rules0000775000000000000000000000370113230064210012253 0ustar #!/usr/bin/make -f # Sample debian/rules that uses debhelper. # GNU copyright 1997 to 1999 by Joey Hess. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 build: build-stamp build-stamp: dh_testdir # Add here commands to compile the package. #$(MAKE) touch build-stamp clean: dh_testdir dh_testroot rm -f build-stamp -rm -rf debian/.debhelper # Add here commands to clean up after the build process. # -$(MAKE) clean dh_clean install: build dh_testdir dh_testroot dh_prep dh_installdirs # Add here commands to install the package into debian/. $(MAKE) install DESTDIR=`pwd`/debian/netscript-2.4 $(MAKE) install-ipfilter DESTDIR=`pwd`/debian/netscript-ipfilter # Build architecture-independent files here. binary-indep: DH_OPTIONS=-i binary-indep: DESTDIR=`pwd`/debian/netscript-2.4 binary-indep: build install dh_testdir dh_testroot # dh_installdebconf dh_installdocs --all # dh_installexamples dh_systemd_enable --package=netscript-2.4 --name=netscript dh_systemd_enable --package=netscript-2.4 --name=netscript\@ --no-enable dh_systemd_enable --package=netscript-ipfilter --name=netscript dh_installinit --package=netscript-2.4 --name=netscript --no-start -- start 35 0 6 . start 40 S . dh_installinit --package=netscript-ipfilter --name=netscript --no-start -- start 35 0 6 . start 40 S . 
dh_installudev --package=netscript-2.4 --name=netscript --priority=85 dh_installman # Fix insserv $network issues install -d debian/netscript-2.4/etc/insserv.conf.d install -m 00644 debian/netscript-2.4.insserv debian/netscript-2.4/etc/insserv.conf.d/netscript dh_lintian dh_installchangelogs dh_link dh_compress dh_fixperms dh_installdeb dh_gencontrol dh_md5sums dh_builddeb # Build architecture-dependent files here. binary-arch: build install # package is a bunch of shell scripts binary: binary-indep binary-arch build-arch: true build-indep: true .PHONY: build clean binary-indep binary-arch binary install netscript/debian/suid0000664000000000000000000000011112362370504012065 0ustar /etc/netscript/ipfilter.conf /etc/netscript/network.conf /sbin/netscript netscript/if.conf0000664000000000000000000002272413024204573011235 0ustar ############################################################################### # Interface activation/deactivation functions # Here so that special interface commands can be called and daemons started # # Arps can be set up here, network/host routes and so forth. # # This appears to be a little messy but is needed to achieve maximum # functionality and flexibility. 
# ############################################################################### SED_IFSTR='s/\([-A-Za-z]*\)[0-9]*$/\1/' SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/' SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/' SED_IPV6ADDR="sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'" SED_IPV4ADDR="sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'" if_addr_start () { local IPADDR2 ADDR ADDR2 local ADDRS local ANS local OIFS local IFACE=$1 # Glue stuff if [ -n "$MASKLEN" ]; then IPADDR="${IPADDR}/${MASKLEN}" fi if [ -n "$PTPADDR" ]; then IPADDR="${IPADDR}_peer_${PTPADDR}" fi if [ -n "$BROADCAST" ]; then IPADDR="${IPADDR}_brd_${BROADCAST}" fi if [ -n "$IP_EXTRA_ADDRS" ]; then IPADDR="$IPADDR $IP_EXTRA_ADDRS" fi # Take care of leading zeroes in supplied addresses for ADDR in $IPADDR; do if echo $ADDR | grep -q ':'; then #IPv6 ADDR2=`echo $ADDR | eval $SED_IPV6ADDR` IPADDR2="$IPADDR2 $ADDR2" else #IPv4 ADDR2=`echo $ADDR | eval $SED_IPV4ADDR` IPADDR2="$IPADDR2 $ADDR2" fi done IPADDR="$IPADDR2" # Set up link MTU etc ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU # Set up IPv6 Interface sysctl here before interface goes up ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO ifv6_setproc $1 accept_ra_rt_info_max_plen $IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE ifv6_setproc $1 forwarding $IPV6_FWDING ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY # Bring the interface up ip link set dev $1 up # This one has to be set after interface up ifv6_setproc $1 mtu $IPV6_MTU # Set up the addresses on the interface ADDRS=`ip addr show dev $IFACE | grep '^.*inet[ 46]' \ | sed -e "$SED_IPV4STR" | sed -e "$SED_IPV6STR"` for ADDR in $IPADDR; do for 
ADDR2 in $ADDRS; do ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'` ANS=${ADDR#$ADDR2} if [ "$ANS" != "$ADDR" ]; then continue 2 fi done OIFS=$IFS IFS="${IFS}_" ip addr add $ADDR dev $IFACE IFS=$OIFS done # Strip out addresses that should not be there for ADDR in $ADDRS; do # Don't delete IPv6 link local addresses if echo $ADDR | grep -q -i '^fe[89ab]'; then continue fi ANS=`echo $IPADDR | grep $ADDR` if [ -z "$ANS" ]; then ip addr del $ADDR dev $IFACE fi done return 0 } if_addr_stop () { local FILE qt ip link set $1 down qt ip addr flush dev $1 } if_up () { local ADDR local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` # sort out a few things to make life easier - here so that you # can see what is done and so that you can add anything if needed eval IPADDR=\${"${IF_NODASH}"_IPADDR:-""} # I am also a good genius eval MASKLEN=\${"${IF_NODASH}"_MASKLEN:-""} eval BROADCAST=\${"${IF_NODASH}"_BROADCAST:-""} eval PTPADDR=\${"${IF_NODASH}"_PTPADDR:-""} eval IP_EXTRA_ADDRS=\${"${IF_NODASH}"_IP_EXTRA_ADDRS:-""} eval MTU=\${"${IF_NODASH}"_MTU:-""} eval MULTICAST=\${"${IF_NODASH}"_MULTICAST:-""} eval HB_TICKLE=\${"${IF_NODASH}"_HB_TICKLE:-""} eval BRIDGE=\${"${IF_NODASH}"_BRIDGE:-""} eval RESOLVCONF=\${"${IF_NODASH}"_RESOLVCONF:-""} eval local DEFAULT_GW=\${"${IF_NODASH}"_DEFAULT_GW:-""} eval local FAIRQ=\${"${IF_NODASH}"_FAIRQ:-""} eval local TXQLEN=\${"${IF_NODASH}"_TXQLEN:-""} eval local IP_SPOOF=\${"${IF_NODASH}"_IP_SPOOF:-""} eval local IP_KRNL_LOGMARTIANS=\${"${IF_NODASH}"_IP_KRNL_LOGMARTIANS:-""} eval local IP_SHARED_MEDIA=\${"${IF_NODASH}"_IP_SHARED_MEDIA:-""} eval local IP_SEND_REDIRECTS=\${"${IF_NODASH}"_IP_SEND_REDIRECTS:-""} eval local PROXY_ARP=\${"${IF_NODASH}"_PROXY_ARP:-""} eval IPV6_ACCEPT_REDIRECTS=\${"${IF_NODASH}"_IPV6_ACCEPT_REDIRECTS:-""} eval IPV6_ACCEPT_RA=\${"${IF_NODASH}"_IPV6_ACCEPT_RA:-""} eval IPV6_ACCEPT_RA_PINFO=\${"${IF_NODASH}"_IPV6_ACCEPT_RA_PINFO:-""} eval IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=\${"${IF_NODASH}"_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN:-""} 
eval IPV6_DISABLE=\${"${IF_NODASH}"_IPV6_DISABLE:-""} eval IPV6_FWDING=\${"${IF_NODASH}"_IPV6_FWDING:-""} eval IPV6_PRIVACY=\${"${IF_NODASH}"_IPV6_PRIVACY:-""} eval IPV6_ROUTER_SOLICITATIONS=\${"${IF_NODASH}"_IPV6_ROUTER_SOLICITATIONS:-""} eval IPV6_MTU=\${"${IF_NODASH}"_IPV6_MTU:-""} if [ -n "DEFAULT_GW" -a -z "$IPV4_DEFAULT_GW" ]; then IPV4_DEFAULT_GW="$DEFAULT_GW" IPV4_DEFAULT_GWDEV="$1" fi unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU if [ -n "$BROADCAST" ] ; then IFCFG_BROADCAST="broadcast $BROADCAST" fi if [ -n "$MTU" ] ; then IFCFG_MTU="mtu $MTU" fi if [ -n "$MULTICAST" ] ; then case $MULTICAST in No|no|NO|off|Off|OFF) IFCFG_MULTICAST="multicast off" ;; Yes|YES|yes|on|On|ON) IFCFG_MULTICAST="multicast on" ;; *) unset IFCFG_MUTLICAST ;; esac fi local IFTYPE=`echo $1 | sed -e $SED_IFSTR` local IFTYPE_NODASH=`echo "$IFTYPE" | sed -e 's/\-/_/g'` # Do dee global bridge stuff brg_global # Set default interface flags here - used for PPP and WAN interfaces # IPv4 ifv4_setproc default rp_filter $DEF_IP_SPOOF ifv4_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS ifv4_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS # Set up each interface if qt type ${IF_NODASH}_start ; then # execute user supplied individual interface start up ${IF_NODASH}_start $1 elif qt type ${IFTYPE_NODASH}_start ; then # execute user supplied typed interface start up ${IFTYPE_NODASH}_start $1 else # default interface startup brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE" # Start interface if_addr_start $1 fi # Do universal interface config items here # QoS setup ip_QoSclear $1 ip_QoS $1 # Set the TX Queue Length [ -n "$TXQLEN" ] \ && ip link set $1 txqlen $TXQLEN # Default route support ipv4_default_route $1 ipv6_default_route $1 # Set up routes and ARP etc if qt type ${IF_NODASH}_network ; then ${IF_NODASH}_network $1 fi # Resolvconf support if [ -n "$RESOLVCONF" ]; then if_resolvconf_up $1 "$RESOLVCONF" fi # Interface sysctl stuff here # IPv4 # Spoof protection ifv4_setproc $1 rp_filter 
$IP_SPOOF # Kernel logging of martians on this interface ifv4_setproc $1 log_martians $IP_KRNL_LOGMARTIANS # Shared Media stuff ifv4_setproc $1 shared_media $IP_SHARED_MEDIA # Sending of Redirects ifv4_setproc $1 send_redirects $IP_SEND_REDIRECTS # Proxy ARP support ifv4_setproc $1 proxy_arp $PROXY_ARP # Emit required upstart event - this can be adjusted iface_upstart_emit 'net-device-up' "IFACE=${1}" 'LOGICAL=${1}' \ 'ADDRFAM=inet' 'METHOD=static' unset IPADDR MASKLEN BROADCAST PTPADDR IP_EXTRA_ADDRS MTU MULTICAST unset BROADCAST RESOLVCONF unset IPV6_ACCEPT_REDIRECTS IPV6_ACCEPT_RA IPV6_FWDING IPV6_MTU unset IPV6_ROUTER_SOLICITATIONS IPV6_PRIVACY IPV6_ACCEPT_RA_PINFO unset IPV6_DISABLE unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU return 0 } if_down () { local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` local IFTYPE=`echo $1 | sed -e $SED_IFSTR` local IFTYPE_NODASH=`echo "$IFTYPE" | sed -e 's/\-/_/g'` # Clean up any resolvconf stuff if_resolvconf_down $1 # Do Dee global bridge stuff brg_global if qt type ${IF_NODASH}_stop ; then # execute user supplied individual interface shutdown ${IF_NODASH}_stop $1 elif qt type ${IFTYPE_NODASH}_stop ; then # execute user supplied typed interface shutdown ${IFTYPE_NODASH}_stop $1 else # default action brg_iface $1 down $IPV6_DISABLE if_addr_stop $1 fi # Clean up any QoS/fair queuing stuff ip_QoSclear $1 # Clean up IPv6 stuff if [ -d ${IPV6_PROC}/conf/${1} ]; then for FILE in accept_redirects accept_ra forwarding \ router_solicitations use_tempaddr; do echo `cat $IPV6_PROC/conf/default/$FILE` \ > $IPV6_PROC/conf/$1/$FILE done fi # Emit required upstart event - this can be adjusted iface_upstart_emit 'net-device-down' "IFACE=${1}" "LOGICAL=${1}" \ 'ADDRFAM=inet' 'METHOD=static' true } #END if_down if_lo_up () { # Bring up interface lo case "$IPV4_DISABLE" in YES|Yes|yes) ;; *) qt ip addr add 127.0.0.1/8 broadcast 127.255.255.255 dev lo ;; esac ip link set lo up \ && iface_upstart_emit 'net-device-up' 'IFACE=lo' 'LOGICAL=lo' \ 
'ADDRFAM=inet' 'METHOD=static' } if_resolvconf_up () { if [ $# != 2 -a $# != 3 ]; then echo " Usage: `basename $0`: fn if_resolvconf_up " 1>&2 echo " `basename $0`: fn if_resolvconf_up " 1>&2 return 1; fi ! qt type resolvconf && return 1 if [ $# = 3 ]; then echo -ne "search ${2}\nnameserver ${3}\n" | resolvconf -a $1 else echo -ne "$2" | resolvconf -a $1 fi } if_resolvconf_down () { if [ $# != 1 ]; then echo " Usage: `basename $0`: fn if_resolvconf_down " 1>&2 return 1; fi ! qt type resolvconf && return 1 # Go and do it... resolvconf -d $1 } netscript/if.conf.50000664000000000000000000000003112362370504011365 0ustar .so netscript-2.4.conf.5 netscript/ipfilter.conf0000664000000000000000000007506513024462074012465 0ustar # # # ipfilter.conf This file contains the functions that contain the firewall # and ipfilter configuration. This is an example setup for # IP masquearding # # set -x # Uncomment for script debug # DONT change this! LOCAL_NET=127.0.0.0/8 LOCAL_IP=127.0.0.1 # Source local ipfilter definitions IPFILTER_LOCAL="/etc/netscript/ipfilter-local.conf" [ -f $IPFILTER_LOCAL ] && source $IPFILTER_LOCAL # Some functions to handle Protocol IP Port tuples echoParam () { local format="$1" local IFS='_' set -- $2 eval "echo \"$format\"" } echoIpPort () { local format1="$1" local format2="$2" local testpar="$3" local IFS='_' set -- $4 eval "echo -n \"$format1\"" eval "if [ -n \"$testpar\" ]; then echo \" $format2\" fi" } # Check and see if a chain exists or not ipv4_checkChain () { if qt $IPTBL -N $1; then return 1 fi return 0 } ipv6_checkChain () { if qt $IP6TBL -N $1; then return 1 fi return 0 } # If a chain does not exist, create it # First arg is the chain name, all the rest are the args and name of the # creation function ipv4_createChain () { local CHAIN=$1 local FN=$2 shift 2 if ipv4_checkChain $CHAIN; then return 0 fi ipf4_${FN} "$@" } ipv6_createChain () { local CHAIN=$1 local FN=$2 shift 2 if ipv6_checkChain $CHAIN; then return 0 fi ipf6_${FN} "$@" } # A 
function to build a logging chain ( NB: This does not process timber # products ) ipf4_log () { local NET local LOG_MSG="Def log: $CHAIN" local NO_TARG=0 local F OPTIND=1 while getopts nl: F; do case $F in n) NO_TARG=1;; l) LOG_MSG="$3";; esac done shift $(($OPTIND - 1)) local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=log fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null $IPTBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \ --log-prefix "$LOG_MSG - " \ --log-tcp-options --log-ip-options \ -m limit --limit $LOG_MAXRATE/second if [ $NO_TARG -eq 0 ]; then # Catch all packets and DROP/REJECT them # DROP all ICMP packets as it does not make sense # to reply to these $IPTBL -A $CHAIN -p icmp -j DROP if [ -z "$2" ]; then $IPTBL -A $CHAIN -j $LOG_TARGET else $IPTBL -A $CHAIN -j $2 fi fi return 0 } # A function to filter out Martian source addresses ipf4_martians () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=martians fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP # The source addresses listed here are conservatively # invalid as they are either used as broadcast/multicast # destation addresses, a special value in IP stacks, loopback # networks and illegal/ambiguous Classed IP addressing networks. # # You can add your 'martian/invalid' source address blocks to the # MARTIAN_NETS list in /etc/netscript/network.conf # Bypass checks for certain netblocks that are internal. 
for NET in $MARTIAN_BYPASS; do $IPTBL -A $CHAIN -j RETURN -s $NET done case $LOG_NOISE in yes|YES|Yes) # RFC 1918/1627/1597 blocks $IPTBL -A $CHAIN -j droplog -p all -s 10.0.0.0/8 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 172.16.0.0/12 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 192.168.0.0/16 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 169.254.0.0/16 -d 0/0 ;; *) # Block all DHCP/BOOTP queries without logging $IPTBL -A $CHAIN -j DROP -p udp -s 0.0.0.0 -d 0/0 --dport bootps # RFC 1918/1627/1597 blocks $IPTBL -A $CHAIN -j DROP -p all -s 10.0.0.0/8 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 172.16.0.0/12 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 192.168.0.0/16 -d 0/0 $IPTBL -A $CHAIN -j DROP -p all -s 169.254.0.0/16 -d 0/0 ;; esac # All ones, all zeroes $IPTBL -A $CHAIN -j droplog -p all -s 0.0.0.0 -d 0/0 $IPTBL -A $CHAIN -j droplog -p all -s 255.255.255.255 -d 0/0 # Loop back addresses $IPTBL -A $CHAIN -j droplog -p all -s 127.0.0.0/8 -d 0/0 # Multicast source addresses $IPTBL -A $CHAIN -j droplog -p all -s 224.0.0.0/4 -d 0/0 # RFC 3468 6to4 anycast relays you may want to route to this ! 
#$IPTBL -A $CHAIN -j droplog -p all -s 192.88.99.0/24 -d 0/0 # IANA reserved blocks (Martians from the gated restricted list # - actually impossible/ambiguous classed networks) $IPTBL -A $CHAIN -j droplog -p all -s 0.0.0.0/8 -d 0/0 # RFC 5736 $IPTBL -A $CHAIN -j droplog -p all -s 192.0.0.0/24 -d 0/0 # RFC 5737 TEST-NET-1 $IPTBL -A $CHAIN -j droplog -p all -s 192.0.2.0/24 -d 0/0 # RFC 2544 Device Bench mark testing $IPTBL -A $CHAIN -j droplog -p all -s 198.18.0.0/15 -d 0/0 # RFC 5737 TEST-NET-2 $IPTBL -A $CHAIN -j droplog -p all -s 198.51.100.0/24 -d 0/0 # RFC 5737 TEST-NET-3 $IPTBL -A $CHAIN -j droplog -p all -s 203.0.113.0/24 -d 0/0 # RFC 1112, Section 4 Reserved for furture $IPTBL -A $CHAIN -j droplog -p all -s 240.0.0.0/4 -d 0/0 # Addtions/other IANA reserved blocks for NET in $MARTIAN_NETS; do $IPTBL -A $CHAIN -j droplog -p all -s $NET -d 0/0 done; unset NET return 0 } # A function to assist with spoof protection when rp_filter is turned # off. Very useful with Free S/WAN IPSEC. ipf4_ingress () { local CHAIN=$1 local IP if [ -z "$CHAIN" ]; then CHAIN=ingress fi # Clean out any existing chain qt $IPTBL -F $CHAIN qt $IPTBL -N $CHAIN # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP for IP in $INGRESS_IPS; do iptables -A $CHAIN -j droplog -s $IP done } # Another function to assist with spoof protection when rp_filter is turned # off. Very useful with Free S/WAN IPSEC. ipf4_ingrssfwd () { local CHAIN=$1 local NET if [ -z "$CHAIN" ]; then CHAIN=ingrssfwd fi # Clean out any existing chain qt $IPTBL -F $CHAIN qt $IPTBL -N $CHAIN # Make sure the log chain exists with drop policy ipv4_createChain droplog log droplog DROP for NET in $INGRESS_FWD_NETS; do iptables -A $CHAIN -j droplog \ -s `echoIpPort '$1' '-i $2' '$2' $NET` done } ## Create a target for handling portscans as detected by psd module ## ## Not a good idea to drop packets, as psd says everything is a portscan ## when active. 
#ipf4_portscan () { # # local CHAIN=$1 # # if [ -z "$CHAIN" ]; then # CHAIN=portscan # fi # # # Clean out any existing chain # qt $IPTBL -F $CHAIN # qt $IPTBL -N $CHAIN # # # Make sure the log chain exists with drop policy # ipv4_createChain logprtscn log -n -l "PORTSCAN DETECTED" logprtscn DROP # # [ -n "$PORTSCAN_WEIGHT_THRESHOLD" ] \ # && local OPT_PWT="--psd-weight-threshold $PORTSCAN_WEIGHT_THRESHOLD" # [ -n "$PORTSCAN_DELAY_THRESHOLD" ] \ # && local OPT_PDT="--psd-delay-threshold $PORTSCAN_DELAY_THRESHOLD" # [ -n "$PORTSCAN_LOPORTS_WEIGHT" ] \ # && local OPT_PLPW="--psd-lo-ports-weight $PORTSCAN_LOPORTS_WEIGHT" # [ -n "$PORTSCAN_HIPORTS_WEIGHT" ] \ # && local OPT_PHPW="--psd-hi-ports-weight $PORTSCAN_HIPORTS_WEIGHT" # # $IPTBL -A portscan -j logprtscn -m psd \ # $OPT_PWT $OPT_PDT $OPT_PLPW $OPT_PHPW #} ipf4_smb () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=smb fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Block SMB/Windows networking to protect Windows boxes and to stop # Windows NT doing braindead things with mail, www, etc # This also prevents Internet Explorer spraying user logins # and passwords everywhere # SMB port also blocked for security reasons. # If you need to do this, set up IPSEC between windows clients. 
$IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport 135 $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport 135 $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport microsoft-ds $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport microsoft-ds $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0 $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport 135 -d 0/0 $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0 $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport 135 -d 0/0 $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport microsoft-ds -d 0/0 $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport microsoft-ds -d 0/0 } # A function to control SNMP access on a network ipf4_snmp () { local LOG_CHAIN=$2 local CHAIN=$1 local SNMP_IP if [ -z "$LOG_CHAIN" ]; then LOG_CHAIN=log fi if [ -z "$CHAIN" ]; then CHAIN=snmp fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Create log chain with default target ipv4_createChain log log $LOG_CHAIN if [ -z "$SNMP_BLOCK_DEST" ]; then local SNMP_BLOCK_DEST="0/0" fi for SNMP_IP in $SNMP_MANAGER_IPS; do $IPTBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $SNMP_BLOCK_DEST --dport 161:162 done; $IPTBL -A $CHAIN -j $LOG_CHAIN -p udp -s 0/0 -d $SNMP_BLOCK_DEST --dport 161:162 } ipf4_icmphost () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=icmphost fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Create log chain with default target ipv4_createChain log log # ICMP - we don't want these # Stop ICMP time stamp messages - don't need these $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request $IPTBL -A $CHAIN -j log -p 
icmp --icmp-type address-mask-reply } ipf4_icmpfwd () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=icmpfwd fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Create log chain with default target ipv4_createChain log log # ICMP - we don't want these # Stop ICMP time stamp messages and redirects - don't need these $IPTBL -A $CHAIN -j log -p icmp --icmp-type redirect $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request $IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request $IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-reply } ipf4_inbrdr () { local CHAIN=$1 local IP DEST SRC if [ -z "$CHAIN" ]; then CHAIN=inbrdr fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Create chains if they do not exsist ipv4_createChain log log log REJECT ipv4_createChain droplog log droplog DROP ipv4_createChain icmpfwd icmpfwd ipv4_createChain martians martians # Source blocking for SRC in $BLOCKED_INSRC; do $IPTBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC for SRC in $LOGGED_BLOCKED_INSRC; do $IPTBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC # Get rid of incoming Martians $IPTBL -A $CHAIN -j martians # Prevent RFC 1918/1627/1597 IP packets from coming in # Bypass checks for certain netblocks that are internal. for NET in $MARTIAN_BYPASS; do $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8 $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16 $IPTBL -A $CHAIN -j DROP \! 
-s "$NET" -d 172.16.0.0/12 done if [ -z "$MARTIAN_BYPASS" ]; then $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 fi # Allow icmp/BGP in on out link net if [ -n "$LINK_NET" ]; then $IPTBL -A $CHAIN -j ACCEPT -p icmp -s $LINK_NET $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET \ -d $LINK_NET --dport bgp $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET --sport bgp \ -d $LINK_NET --dport 1024:65535 ! --syn #$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET \ # -d $LINK_NET --dport egp #$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET --sport egp \ # -d $LINK_NET --dport 1024:65535 fi # Get rid of fake packets from our internal source addresses for IP in $IP_BLOCKS; do $IPTBL -A $CHAIN -j droplog -s $IP done; unset IP # Destination blocking for DEST in $BLOCKED_INDEST; do $IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST for DEST in $LOGGED_BLOCKED_INDEST; do $IPTBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST # Get rid of unwanted ICMP packets $IPTBL -A $CHAIN -j icmpfwd # SNMP control - Prevent SNMP access to our network if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \ -o "$SNMP_BLOCK" = "yes" ] ; then $IPTBL -A $CHAIN -j log -p udp --dport 161:162 fi # Block SMB stuff on input interface if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \ "$SMB_BLOCK" = "yes" ]; then ipv4_createChain smb smb $IPTBL -A $CHAIN -j smb fi # DNS control - only allow certain machines to do zone transfers if [ -n "$DNS_IPS" ]; then for IP in $DNS_IPS; do $IPTBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain done; unset IP $IPTBL -A $CHAIN -j log -p tcp --dport domain fi return 0 } ipf4_outbrdr () { local CHAIN=$1 local IP DEST SRC if [ -z "$CHAIN" ]; then CHAIN=outbrdr fi # Clean out any existing chain $IPTBL -F $CHAIN >& /dev/null $IPTBL -N $CHAIN >& /dev/null # Create chains if they 
do not exsist ipv4_createChain log log log REJECT ipv4_createChain droplog log droplog DROP ipv4_createChain martians martians # Stop outgoing RFC 1918/1627/1597 packets # Bypass checks for certain netblocks that are internal. for NET in $MARTIAN_BYPASS; do $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8 $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16 $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 172.16.0.0/12 done if [ -z "$MARTIAN_BYPASS" ]; then $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 fi # Log and stop certain outgoing traffic for DEST in $BLOCKED_OUTDEST; do $IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' '--dport $3' '$3' $DEST` done; unset DEST for DEST in $LOGGED_BLOCKED_OUTDEST; do $IPTBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' '--dport $3' '$3' $DEST` done; unset DEST # Block SMB stuff on output interface if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \ "$SMB_BLOCK" = "yes" ]; then ipv4_createChain smb smb $IPTBL -A $CHAIN -j smb fi # Control Outgoing Source addresses local TARGET=${OUT_TARGET:='ACCEPT'} for IP in $IP_BLOCKS; do $IPTBL -A $CHAIN -j $TARGET -s $IP done; unset IP $IPTBL -A $CHAIN -j droplog return 0 } ipf4_laptopfw () { local USAGE="netscript fN ipv4_laptop_fwadj() [-f] [in-chain [out-chain]]" local FLUSH=0 local F OPTIND=1 while getopts f F; do case $F in f) FLUSH=1 ;; h\?) echo 1>&2 echo "$USAGE" 1>&2 echo 1>&2 return 1 esac done shift $(($OPTIND - 1)) local CHAIN_IN="$1" local CHAIN_OUT="$2" local IN='' local OUT='' if [ -z "$CHAIN_IN" ]; then CHAIN_IN=laptopin fi if [ -z "$CHAIN_OUT" ]; then CHAIN_OUT=laptopout fi # Clean out any existing chain qt $IPTBL -F $CHAIN_IN qt $IPTBL -F $CHAIN_OUT qt $IPTBL -X $CHAIN_IN qt $IPTBL -X $CHAIN_OUT # Set global variables based on what whereami has found out if ! qt type if_laptop_fwdata; then return 1 fi if ! 
if_laptop_fwdata; then return 0 fi # Don't do any more if we are just cleaning up if [ $FLUSH -gt 0 ]; then return 0 fi [ -n "$LAPTOP_IN" ] && qt $IPTBL -N $CHAIN_IN [ -n "$LAPTOP_OUT" ] && qt $IPTBL -N $CHAIN_OUT # Fill in the chains for IN in $LAPTOP_IN; do $IPTBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \ -p `echoParam '$1' "$IN"` \ -s `echoIpPort '$2' '--dport $3' '$3' "$IN"` done for OUT in $LAPTOP_OUT; do $IPTBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \ -p `echoParam '$1' "$OUT"` \ -d `echoIpPort '$2' '--dport $3' '$3' "$OUT"` done } # IPv6 Functions # A function to build a logging chain ( NB: This does not process timber # products ) ipf6_log () { local NET local LOG_MSG="Def log: $CHAIN" local NO_TARG=0 local F OPTIND=1 while getopts nl: F; do case $F in n) NO_TARG=1;; l) LOG_MSG="$3";; esac done shift $(($OPTIND - 1)) local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=log fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null $IP6TBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \ --log-prefix "$LOG_MSG - " \ --log-tcp-options --log-ip-options \ -m limit --limit $LOG_MAXRATE/second if [ $NO_TARG -eq 0 ]; then # Catch all packets and DROP/REJECT them # DROP all ICMP packets as it does not make sense # to reply to these $IP6TBL -A $CHAIN -p icmpv6 -j DROP if [ -z "$2" ]; then $IP6TBL -A $CHAIN -j $IPV6_LOG_TARGET else $IP6TBL -A $CHAIN -j $2 fi fi return 0 } ipf6_icmphost () { local CHAIN=$1 local TARGET=$2 if [ -z "$CHAIN" ]; then CHAIN=icmphost fi if [ -z "$TARGET" ]; then TARGET=${IPV6_ICMPHOST_TARGET:='ACCEPT'} fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Create log chain with default target ipv6_createChain log log # ICMP - we want these From RFC 4980 Section 4.4 local TYPE # These should be accepted from local network for TYPE in destination-unreachable \ packet-too-big \ time-exceeded \ parameter-problem \ echo-request \ echo-reply \ neighbour-solicitation \ 
neighbour-advertisement \ 141 \ 142 \ router-solicitation \ router-advertisement \ 130 131 132 143 \ 148 149 \ 151 152 153 do $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPHOST_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # ICMPv6 - Things we optionally want for TYPE in $IPV6_ICMPHOST_OPTIONAL do $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPHOST_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # Accept local DHCPv6 replies $IP6TBL -A $CHAIN -j $TARGET -s fe80::/10 \ -p udp --dport 546 # Log ICMP we don't want $IP6TBL -A $CHAIN -p icmpv6 -j log } ipf6_icmpfwd () { local CHAIN=$1 local TARGET=$2 if [ -z "$CHAIN" ]; then CHAIN=icmpfwd fi if [ -z "$TARGET" ]; then TARGET=${IPV6_ICMPFWD_TARGET:='RETURN'} fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Create log chain with default target ipv6_createChain log log # ICMP - we want these From RFC 4980 Section 4.4 local TYPE for TYPE in destination-unreachable \ packet-too-big \ time-exceeded \ parameter-problem \ echo-request \ echo-reply; do $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPFWD_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # ICMPv6 - Things we optionally want to forward for TYPE in $IPV6_ICMPFWD_OPTIONAL do $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPFWD_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # ICMP - we don't want these # Also stops ICMP time stamp messages and redirects - don't need these $IP6TBL -A $CHAIN -j log -p icmpv6 } # A function to filter out Martian source addresses ipf6_martians () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=martians fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Make sure the log chain exists with drop policy ipv6_createChain droplog log droplog DROP # The source addresses listed here are conservatively # invalid as they are either used as broadcast/multicast # destation addresses, a special value 
in IP stacks, loopback # networks and illegal/ambiguous Classed IP addressing networks. # # You can add your 'martian/invalid' source address blocks to the # MARTIAN_NETS list in /etc/netscript/network.conf # Bypass checks for certain netblocks that are internal. for NET in $IPV6_MARTIAN_BYPASS; do $IP6TBL -A $CHAIN -j RETURN -s $NET done case $IPV6_LOG_NOISE in yes|YES|Yes) # RFC 4193 Unique Local Addresses $IP6TBL -A $CHAIN -j droplog -p all -s fc00::/7 -d ::/0 # Link local addresses $IP6TBL -A $CHAIN -j droplog -p all -s fe80::/10 -d ::/0 ;; *) # RFC 4193 Unique Local Addresses $IP6TBL -A $CHAIN -j DROP -p all -s fc00::/7 -d ::/0 # Link local addresses $IP6TBL -A $CHAIN -j DROP -p all -s fe80::/10 -d ::/0 ;; esac # All zeroes $IP6TBL -A $CHAIN -j droplog -p all -s :: -d ::/0 # Loop back address $IP6TBL -A $CHAIN -j droplog -p all -s ::1 -d ::/0 # Multicast source addresses $IP6TBL -A $CHAIN -j droplog -p all -s ff00::/8 -d ::/0 # IPv4 Mapped addresses $IP6TBL -A $CHAIN -j droplog -p all -s ::ffff:0:0/96 -d ::/0 # Documentation addresses $IP6TBL -A $CHAIN -j droplog -p all -s 2001:db8::/32 -d ::/0 # ORCHID - Overlay Routable Cryptographic Hash Identifiers $IP6TBL -A $CHAIN -j droplog -p all -s 2001:10::/28 -d ::/0 # Addtions/other IANA reserved blocks for NET in $IPV6_MARTIAN_NETS; do $IP6TBL -A $CHAIN -j droplog -p all -s $NET -d ::/0 done; unset NET return 0 } ipf6_mrtnshost () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=mrtnshost fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Make sure the martians chain exists ipv6_createChain martians martians # Divert localhost traffic back to calling chain $IP6TBL -A $CHAIN -s fe80::/10 -j RETURN $IP6TBL -A $CHAIN -j martians } # A function to assist with spoof protection when rp_filter is turned # off. Very useful with Free S/WAN IPSEC. 
ipf6_ingress () { local CHAIN=$1 local IP if [ -z "$CHAIN" ]; then CHAIN=ingress fi # Clean out any existing chain qt $IP6TBL -F $CHAIN qt $IP6TBL -N $CHAIN # Make sure the log chain exists with drop policy ipv6_createChain droplog log droplog DROP for IP in $IPV6_INGRESS_IPS; do $IP6TBL -A $CHAIN -j droplog -s $IP done } # Another function to assist with spoof protection when rp_filter is turned # off. Early Linux IPv6 does not have rp_filter ipf6_ingrssfwd () { local CHAIN=$1 local NET if [ -z "$CHAIN" ]; then CHAIN=ingrssfwd fi # Clean out any existing chain qt $IP6TBL -F $CHAIN qt $IP6TBL -N $CHAIN # Make sure the log chain exists with drop policy ipv6_createChain droplog log droplog DROP for NET in $IPV6_INGRESS_FWD_NETS; do $IP6TBL -A $CHAIN -j droplog \ -s `echoIpPort '$1' '-i $2' '$2' $NET` done } ipf6_smb () { local CHAIN=$1 if [ -z "$CHAIN" ]; then CHAIN=smb fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Block SMB/Windows networking to protect Windows boxes and to stop # Windows NT doing braindead things with mail, www, etc # Block CIFS/SMB ports as they are vulnerable # If this is needed, configure IPSEC for the connection $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport netbios-ssn -d ::/0 $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport netbios-ssn -d ::/0 $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport netbios-ssn $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport netbios-ssn $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport microsoft-ds -d ::/0 $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport microsoft-ds -d ::/0 $IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport microsoft-ds $IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport microsoft-ds } # A function to control SNMP access on a network ipf6_snmp () { local LOG_CHAIN=$2 local CHAIN=$1 local SNMP_IP if [ -z "$LOG_CHAIN" ]; then LOG_CHAIN=log fi if [ -z "$CHAIN" ]; then CHAIN=snmp fi # Clean out any existing 
chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Create log chain with default target ipv6_createChain log log $LOG_CHAIN if [ -z "$IPV6_SNMP_BLOCK_DEST" ]; then local IPV6_SNMP_BLOCK_DEST="::/0" fi for SNMP_IP in $IPV6_SNMP_MANAGER_IPS; do $IP6TBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $IPV6_SNMP_BLOCK_DEST --dport 161:162 done; $IP6TBL -A $CHAIN -j $LOG_CHAIN -p udp -s 0/0 -d $IPV6_SNMP_BLOCK_DEST --dport 161:162 } ipf6_inbrdr () { local CHAIN=$1 local IP DEST SRC if [ -z "$CHAIN" ]; then CHAIN=inbrdr fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Create chains if they do not exsist ipv6_createChain log log log REJECT ipv6_createChain droplog log droplog DROP ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN ipv6_createChain martians martians # Source blocking for SRC in $IPV6_BLOCKED_INSRC; do $IP6TBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC for SRC in $IPV6_LOGGED_BLOCKED_INSRC; do $IP6TBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC # Get rid of incoming Martians $IP6TBL -A $CHAIN -j martians # Prevent ULA IP packets from coming in # Bypass checks for certain netblocks that are internal. for NET in $IPV6_MARTIAN_BYPASS; do $IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7 done if [ -z "$IPV6_MARTIAN_BYPASS" ]; then $IP6TBL -A $CHAIN -j DROP -d fc00::/7 fi # Allow icmp/BGP in on our link net if [ -n "$IPV6_LINK_NET" ]; then # Get rid of unwanted ICMP packets $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 -s $IPV6_LINK_NET # Handle icmpfwd target being RETURN. 
This also works # when target is ACCEPT as chain finishes with a deny # log rule $IP6TBL -A $CHAIN -j ACCEPT -p icmpv6 -s $IPV6_LINK_NET $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \ -d $IPV6_LINK_NET --dport bgp $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \ --sport bgp -d $IPV6_LINK_NET --dport 1024:65535 \ ! --syn fi # Get rid of fake packets from our internal source addresses for IP in $IPV6_IP_BLOCKS; do $IP6TBL -A $CHAIN -j droplog -s $IP done; unset IP # Destination blocking for DEST in $IPV6_BLOCKED_INDEST; do $IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST for DEST in $IPV6_LOGGED_BLOCKED_INDEST; do $IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST # Get rid of unwanted ICMP packets $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 # SNMP control - Prevent SNMP access to our network if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \ -o "$SNMP_BLOCK" = "yes" ] ; then $IP6TBL -A $CHAIN -j log -p udp --dport 161:162 fi # Block SMB stuff on input interface if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \ "$SMB_BLOCK" = "yes" ]; then ipv6_createChain smb smb $IP6TBL -A $CHAIN -j smb fi # DNS control - only allow certain machines to do zone transfers if [ -n "$IPV6_DNS_IPS" ]; then for IP in $IPV6_DNS_IPS; do $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain done; unset IP $IP6TBL -A $CHAIN -j log -p tcp --dport domain fi return 0 } ipf6_outbrdr () { local CHAIN=$1 local IP DEST SRC if [ -z "$CHAIN" ]; then CHAIN=outbrdr fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null # Create chains if they do not exsist ipv6_createChain log log log REJECT ipv6_createChain droplog log droplog DROP ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN ipv6_createChain martians martians # Stop outgoing ULA # Bypass checks for certain netblocks that are internal. 
for NET in $IPV6_MARTIAN_BYPASS; do $IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7 done if [ -z "$IPV6_MARTIAN_BYPASS" ]; then $IP6TBL -A $CHAIN -j DROP -d fc00::/7 fi # Drop unwanted outgoing ICMP $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 # Log and stop certain outgoing traffic for DEST in $IPV6_BLOCKED_OUTDEST; do $IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' '--dport $3' '$3' $DEST` done; unset DEST for DEST in $IPV6_LOGGED_BLOCKED_OUTDEST; do $IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \ -d `echoIpPort '$2' '--dport $3' '$3' $DEST` done; unset DEST # Block SMB stuff on output interface if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \ "$SMB_BLOCK" = "yes" ]; then ipv6_createChain smb smb $IP6TBL -A $CHAIN -j smb fi # Control Outgoing Source addresses local TARGET=${IPV6_OUT_TARGET:="ACCEPT"} for IP in $IPV6_IP_BLOCKS; do $IP6TBL -A $CHAIN -j $TARGET -s $IP done; unset IP $IP6TBL -A $CHAIN -j droplog return 0 } ipf6_laptopfw () { local USAGE="netscript fN ipv6_laptop_fwadj() [-f] [in-chain [out-chain]]" local FLUSH=0 local F OPTIND=1 while getopts f F; do case $F in f) FLUSH=1 ;; h\?) echo 1>&2 echo "$USAGE" 1>&2 echo 1>&2 return 1 esac done shift $(($OPTIND - 1)) local CHAIN_IN="$1" local CHAIN_OUT="$2" local IN='' local OUT='' if [ -z "$CHAIN_IN" ]; then CHAIN_IN=laptopin fi if [ -z "$CHAIN_OUT" ]; then CHAIN_OUT=laptopout fi # Clean out any existing chain qt $IP6TBL -F $CHAIN_IN qt $IP6TBL -F $CHAIN_OUT qt $IP6TBL -X $CHAIN_IN qt $IP6TBL -X $CHAIN_OUT # Set global variables based on what whereami has found out if ! qt type if_laptop_fwdata; then return 1 fi if ! 
if_laptop_fwdata; then return 0 fi # Don't do any more if we are just cleaning up if [ $FLUSH -gt 0 ]; then return 0 fi [ -n "$IPV6_LAPTOP_IN" ] && qt $IP6TBL -N $CHAIN_IN [ -n "$IPV6_LAPTOP_OUT" ] && qt $IP6TBL -N $CHAIN_OUT # Fill in the chains for IN in $IPV6_LAPTOP_IN; do $IP6TBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \ -p `echoParam '$1' "$IN"` \ -s `echoIpPort '$2' '--dport $3' '$3' "$IN"` done for OUT in $IPV6_LAPTOP_OUT; do $IP6TBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \ -p `echoParam '$1' "$OUT"` \ -d `echoIpPort '$2' '--dport $3' '$3' "$OUT"` done } netscript/ipfilter.conf.50000664000000000000000000000003112362370504012605 0ustar .so netscript-2.4.conf.5 netscript/netscript0000775000000000000000000010152113127543564011734 0ustar #!/bin/bash # # LRP/Debian network configuration system # # Ring a ding ding, my dang a lang dong Dave 'Kill a Cop' Cinege GPL2 # Ding Dong Dell, Pussy's in the well Matthew 'Network Cowboy' Grant GPL2 # # start) # Depending on the auto config portions in /etc/network.conf, it auto- # generates hosts, resolv.conf, sets the hostname, starts up interfaces, # configures the IP filter/firewall and sets up routes (not necessarily # in that order). # # stop) # brings down all interfaces listed in /proc/net/dev, and their associated # routes. Flushes all rules for iptables. # # bail out if we are not root if [ "`id -un`" != "root" ] ; then echo 1>&2 echo " `basename $0`: you must be root to run this command." 1>&2 echo 1>&2 exit 1 fi TARGET_KERNEL1="2.4" TARGET_KERNEL2="2.6" TARGET_KERNEL3="3" #DEBUG=1 SP=' ' qt () { "$@" >/dev/null 2>&1 ; } vb () { "$@" ; } source () { . $1 ; } include () { local F; for F in "$@"; do . "$F"; done; } basename () { echo "${1##*/}"; } BANNER="# This file was generated by $0. It may be overwritten!" 
#Default safe settings VERBOSE=YES IPV6_MODULE=NO IPV4_FWDING_KERNEL=NO IPV6_FWDING_KERNEL=NO IP_FILTER_KERNEL=PACKET IF_AUTO="" BRG_SWITCH=NO IPV4_DISABLE=NO IPV6_DISABLE=NO IPV6_DAD_WAIT_TIME=10 BASE_MODPATH="/lib/modules/`uname -r`/kernel" MODPATH="${BASE_MODPATH}/net" KERN_VERSION=`uname -r | cut -d . -f 1,2` if echo "$KERN_VERSION" | grep '^[3-9]\..*' -q; then KERN_VERSION='3' fi [ "$KERN_VERSION" = "$TARGET_KERNEL1" ] && MODEXT="o" [ "$KERN_VERSION" = "$TARGET_KERNEL2" ] && MODEXT="ko" [ "$KERN_VERSION" = "$TARGET_KERNEL3" ] && MODEXT="ko" LIB_MODPATH="${BASE_MODPATH}/lib" SCHED_MODPATH="${MODPATH}/sched" NETFILTER_XMODPATH="${MODPATH}/netfilter" NETFILTER_V4MODPATH="${MODPATH}/ipv4/netfilter" NETFILTER_V6MODPATH="${MODPATH}/ipv6/netfilter" NETFILTER_IPSETMODPATH="${NETFILTER_XMODPATH}/ipset" NETFILTER_IPVSMODPATH="${NETFILTER_XMODPATH}/ipvs" QOS_MODULES="sch_cbq sch_sfq sch_red sch_gred cls_fw" NETFILTER_CONF="/etc/netscript" IPTBL_FILE="$NETFILTER_CONF/iptables" IPTBL_FILE_BACKUP="$IPTBL_FILE.backup" IP6TBL_FILE="$NETFILTER_CONF/ip6tables" IP6TBL_FILE_BACKUP="$IP6TBL_FILE.backup" IPTBL="/sbin/iptables" IPTBL_RESTORE="/sbin/iptables-restore" IPTBL_SAVE="/sbin/iptables-save" IP6TBL="/sbin/ip6tables" IP6TBL_RESTORE="/sbin/ip6tables-restore" IP6TBL_SAVE="/sbin/ip6tables-save" MODULE_PROC="/proc/modules" IPTBL_V4PROC="/proc/net/ip_tables_names" IPTBL_V6PROC="/proc/net/ip6_tables_names" IPV4_PROC="/proc/sys/net/ipv4" IPV6_PROC="/proc/sys/net/ipv6" IPFWD_V4PROC="${IPV4_PROC}/ip_forward" IPFWD_V6PROC="${IPV6_PROC}/conf/all/forwarding" IPV6_MODPATH=${MODPATH}/ipv6/ipv6.${MODEXT} IPV6_DEFAULT_PREFIX=default DEFAULT_METRIC=999999999 IPSPEC_MODULE=NO IPSEC_MODPATH="${MODPATH}/ipsec/ipsec.${MODEXT}" IPSEC_EXTMODPATH="${MODPATH}/ipsec/ext" BACKUP_LEVELS=2 BRG_NETFILTER_REMOVE="YES" BRG_LIST="brg0" IF_DEFAULT_IPV6_DISABLE="NO" INITCTL="/sbin/initctl" #==============================================================================# # Read in configuration files # - these 
ones can be changed by users [ -f $NETFILTER_CONF/network.conf ] \ && source $NETFILTER_CONF/network.conf IPFILTER=0 [ -f $NETFILTER_CONF/ipfilter.conf ] \ && source $NETFILTER_CONF/ipfilter.conf && IPFILTER=1 [ -f $NETFILTER_CONF/srvfilter.conf ] \ && source $NETFILTER_CONF/srvfilter.conf [ -f $NETFILTER_CONF/if.conf ] \ && source $NETFILTER_CONF/if.conf [ -f $NETFILTER_CONF/qos.conf ] \ && source $NETFILTER_CONF/qos.conf [ "$DEBUG" ] && qt () { "$@" ; } [ "$VERBOSE" = "NO" ] && vb () { qt "$@" ; } [ -f /proc/net/ip_fwchains ] && IPCHAINS=1 [ -f /proc/net/ip_masq/autofw ] && IPAUTOFW=1 [ -f /proc/net/ip_masq/portfw ] && IPPORTFW=1 [ -f /proc/net/ip_masq/mfw ] && IPMFW=1 GDC_PATH=/usr/bin/gdc IF_LIST="$IF_AUTO" IFDEVLIST=`cat /proc/net/dev | grep '^[ _a-zA-Z0-9\-]\+:' | sed -e 's/^ *\([a-zA-Z0-9_\-]\+\):.*$/\1/'` IFDEVLIST="$IFDEVLIST $IF_DYNAMIC" for DEV in $IFDEVLIST; do if [ "$DEV" = "lo" ]; then continue fi ANS=`echo "$IF_LIST" | grep "\<${DEV}\>"` if [ -z "$ANS" ]; then IF_LIST="$IF_LIST $DEV" fi done unset DEV IFDEVLIST ANS IFLIST="`echo $IF_LIST | sed 's/ /|/g'`|all" for IF in $IF_LIST; do REV_IF_LIST="$IF $REV_IF_LIST" done unset IF # determine if running under systemd UNDER_SYSTEMD=0 [ -x /bin/systemctl ] && systemctl status default.target > /dev/null 2>&1 \ && UNDER_SYSTEMD=1 # determine runlevel for disabling functionality in parallel boot environment [ -x /sbin/runlevel ] && RUNLVL=`/sbin/runlevel | sed -e 's/^. \(.\)$/\1/'` # Handle systemd parallel boot environment if [ $UNDER_SYSTEMD -gt 0 ]; then (! 
systemctl is-active --quiet netscript \ || ps -C netscript ho args | grep -q '^start\|stop\|restart$') \ && RUNLVL=0 fi # Setup stuff for IPv6 IPV6_KRNL=0 [ -d $IPV6_PROC ] && IPV6_KRNL=1 ############################################################################# # Code to set up function lists for filtering ############################################################################# get_fns () { local STR="s/^.* ${1}\([^ ]\+\)$/\1/" if [ -n "$BASH_VERSION" ]; then declare -F | grep $1 | sed -e "$STR" else hash | grep "^function $1" | sed -e "$STR" fi } for FN in `get_fns ipf4_`; do if [ -z "$IPF4_FNS" ]; then IPF4_FNS="$FN" else IPF4_FNS="${IPF4_FNS}|$FN" fi done; unset FN for FN in `get_fns ipf6_`; do if [ -z "$IPF6_FNS" ]; then IPF6_FNS="$FN" else IPF6_FNS="${IPF6_FNS}|$FN" fi done; unset FN ############################################################################### #IP kernel option loading for global kernel switches ############################################################################### read_sysctl () { local PROCFILE PROCVAL COMMENT ANS while read PROCFILE PROCVAL COMMENT; do if [ -z "$PROCFILE" -o -z "$PROCVAL" ]; then continue fi if [ "$PROCFILE" = "#" -o "$PROCVAL" = "#" ]; then continue fi case "$PROCVAL" in YES|Yes|yes) PROCVAL=1 ;; NO|No|no) PROCVAL=0 ;; esac [ ! 
-f $1/$PROCFILE ] && continue echo $PROCVAL > $1/$PROCFILE done } read_gbl_sysctl () { echo "$NET_GLOBAL_SYSCTL" | read_sysctl /proc/sys/net return 0 } ############################################################################### #IP Forwarding configuration ############################################################################### start_auto_ipkrnlswch () { local DIR # read in the global sysctl settings read_gbl_sysctl # Turn on global RP filter switch - this is ANDed with # the per interface ones echo 1 > ${IPV4_PROC}/conf/all/rp_filter # Fix the Shared Media Mess echo 0 > ${IPV4_PROC}/conf/all/shared_media echo 0 > ${IPV4_PROC}/conf/default/shared_media if [ "$IPV4_FWDING_KERNEL" = "YES" ]; then vb echo -n "Enabling IPv4 packet forwarding..." echo "1" >$IPFWD_V4PROC && vb echo "done." elif [ "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then vb echo -n "Disabling IPv4 packet forwarding..." echo "0" >$IPFWD_V4PROC && vb echo "done." fi # IPv6 if [ $IPV6_KRNL -lt 1 ]; then return 0 fi # Most hardened servers and routers need defaults like these # for interface host mode for DIR in ${IPV6_PROC}/conf/*; do # Don't allow ICMP redirect by default echo 0 > $DIR/accept_redirects done # This is here just to do the printing when IPv6 IS disabled. case "$IPV6_DISABLE" in YES|Yes|yes) vb echo -n "Disabling IPv6 protocol..." ifv6_setproc all disable_ipv6 "$IPV6_DISABLE" && echo "done." ;; *) ifv6_setproc all disable_ipv6 "$IPV6_DISABLE" ;; esac # Set this flag as required for creation of dynamic bridged # interfaces ifv6_setproc default disable_ipv6 "$IF_DEFAULT_IPV6_DISABLE" if [ "$IPV6_FWDING_KERNEL" = "YES" ]; then vb echo -n "Enabling IPv6 packet forwarding..." echo "1" >$IPFWD_V6PROC && vb echo "done." elif [ "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then vb echo -n "Disabling IPv6 packet forwarding..." echo "0" >$IPFWD_V6PROC && vb echo "done." 
fi } ############################################################################### #Interface configuration ############################################################################### start_auto_if () { if [ $UNDER_SYSTEMD -le 0 ]; then ### #localhost interface #################### vb echo -n "Configuring loopback interface lo..." if_lo_up && vb echo "done." fi # Do the rest of the interfaces iface_up all } ############################################################################## # Interface stuff iface_up, iface_down, iface_reset, iface_upstart_emit ############################################################################## iface_up () { local IF vb echo -n "Configuring interface:" if [ "$1" = "all" ] ; then for IF in $IF_AUTO; do if_up $IF && vb echo -n " $IF" done unset IF # Wait for IPv6 DAD to happen case "$IPV6_DISABLE" in YES|Yes|yes) ;; *) if [ $IPV6_DAD_WAIT_TIME -gt 0 ]; then sleep "$IPV6_DAD_WAIT_TIME" fi ;; esac else # Don't do anything during boot or shutdown case "$RUNLVL" in unknown|0|1|6) vb echo "." return 0 ;; esac local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` eval local IF_CHAIN_AUTO=\"\${"${IF_NODASH}"_IF_CHAIN_AUTO:-""}\" if_up $1 && vb echo -n " $1" for IF in $IF_CHAIN_AUTO; do if_up $IF && vb echo -n " $IF" done unset IF fi vb echo "." # Don't do anything more during boot or shutdown case "$RUNLVL" in unknown|0|1|6) return 0 ;; esac # If DHCP/radvd is around, tell it all about this! if [ -n "$DHCP_RA_STROKE_CMD" ]; then vb echo -n "Stroking DHCP/RA..." sleep 5 && $DHCP_RA_STROKE_CMD vb echo "done." fi } iface_down () { local IF vb echo -n "Stopping interface:" if [ "$1" = "all" ] ; then for IF in $REV_IF_LIST; do if_down $IF && vb echo -n " $IF" done unset IF else # Don't do anything during boot or shutdown case "$RUNLVL" in unknown|0|1|6) vb echo "." 
return 0 ;; esac local REV_IF_CHAIN local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` eval local IF_CHAIN=\"\${"${IF_NODASH}"_IF_CHAIN:-""}\" eval local IF_CHAIN_AUTO=\"\${"${IF_NODASH}"_IF_CHAIN_AUTO:-""}\" IF_CHAIN="$IF_CHAIN_AUTO $IF_CHAIN" for IF in $IF_CHAIN; do REV_IF_CHAIN="$REV_IF_CHAIN $IF" done unset IF for IF in $REV_IF_CHAIN; do if_down $IF && vb echo -n " $IF" done unset IF if_down $1 && vb echo -n " $1" fi vb echo "." } iface_reset () { iface_down $1 sleep 2 iface_up $1 } iface_qos () { vb echo -n "Reloading QoS for interface: " if [ "$1" = "all" ] ; then for IF in $IF_AUTO; do ip_QoSppp $IF ip_QoSclear $IF && ip_QoS $IF && vb echo -n " $IF" done unset IF else ip_QoSppp $1 ip_QoSclear $1 && ip_QoS $1 && vb echo -n " $1" fi vb echo "." return 0 } iface_upstart_emit () { if ! [ -x "$INITCTL" ]; then return 0 fi $INITCTL emit --no-wait "$@" } ############################################################################## # Functions to set 2.4 kernel interface parameters # ifv4_setproc ( YES|NO # ifv6_setproc ( YES|NO ############################################################################## ifv4_setproc () { if [ -z "$3" ]; then return 0; fi [ ! -f ${IPV4_PROC}/conf/$1/$2 ] && return 1 case "$3" in YES|Yes|yes) echo 1 > ${IPV4_PROC}/conf/$1/$2 return 0; ;; NO|No|no) echo 0 > ${IPV4_PROC}/conf/$1/$2 return 0; ;; *) if echo $3 | grep -q '^[0-9]\+$'; then echo $3 > ${IPV4_PROC}/conf/$1/$2 return 0 fi return 1; ;; esac return 0; } ifv6_setproc () { if [ -z "$3" ]; then return 0; fi [ $IPV6_KRNL -lt 1 ] && return 1 [ ! 
-f ${IPV6_PROC}/conf/$1/$2 ] && return 1 case "$3" in YES|Yes|yes) echo 1 > ${IPV6_PROC}/conf/$1/$2 return 0; ;; NO|No|no) echo 0 > ${IPV6_PROC}/conf/$1/$2 return 0; ;; *) if echo $3 | grep -q '^[0-9]\+$'; then echo $3 > ${IPV6_PROC}/conf/$1/$2 return 0 fi return 1; ;; esac return 0; } ############################################################################## # Functions to configure the bridge # brg_global() ############################################################################## brg_unbind_netfilter () { local STUFF # Unbind bridges from Netfilter if [ "$BRG_NETFILTER_REMOVE" != "NO" \ -a "$BRG_NETFILTER_REMOVE" != "No" \ -a "$BRG_NETFILTER_REMOVE" != "no" ]; then STUFF=" # Disable netfilter in bridge(s) - useful when not # doing bridge filtering. bridge/bridge-nf-call-ip6tables NO bridge/bridge-nf-call-iptables NO bridge/bridge-nf-call-arptables NO bridge/bridge-nf-filter-pppoe-tagged NO bridge/bridge-nf-filter-vlan-tagged NO " echo "$STUFF" | read_sysctl /proc/sys/net else STUFF=" # Disable netfilter in bridge(s) - useful when not # doing bridge filtering. 
bridge/bridge-nf-call-ip6tables YES bridge/bridge-nf-call-iptables YES bridge/bridge-nf-call-arptables YES bridge/bridge-nf-filter-pppoe-tagged YES bridge/bridge-nf-filter-vlan-tagged YES " echo "$STUFF" | read_sysctl /proc/sys/net fi return 0 } brg_global() { local INT BRG ANS local BRG_DEVLIST case "$BRG_SWITCH" in YES|Yes|yes) BRG_LIST="$BRG_LIST" ;; NO|No|no) unset BRG_LIST ;; 0|1|2|3|4|5|6|7|8|9|10) INT=0 while [ $INT -lt $BRG_SWITCH ]; do BRG_LIST="$BRG_LIST brg${INT}" INT=$(( $INT + 1 )) done ;; esac BRG_DEVLIST=`brctl show | sed -e '1d' | grep '^[-a-zA-Z0-9_]' | sed -e 's/^\([a-zA-Z0-9_\-]\+\)[ ].*$/\1/'` for BRG in $BRG_DEVLIST; do ANS=`echo "$BRG_LIST" | grep "$BRG"` if [ -z "$ANS" ]; then qt ip link set dev "$BRG" down brctl delbr "$BRG" fi done for BRG in $BRG_LIST; do brctl addbr "$BRG" > /dev/null 2>&1 done brg_unbind_netfilter return 0 } brg_iface () { local BRG ANS case $2 in up) if [ "$3" = "NO" -o "$3" = "No" -o "$3" = "no" ]; then return 0 fi if [ "$3" = "YES" -o "$3" = "Yes" -o "$3" = "yes" ]; then BRG=brg0 else BRG=$3 fi [ -z "$BRG" ] && return 0 ANS=`echo "$BRG_LIST" | grep "$BRG"` if [ -n "$ANS" ]; then brctl addif "$BRG" $1 > /dev/null 2>&1 [ -z "$4" ] && ifv6_setproc $1 disable_ipv6 YES fi ;; down) BRG=`brctl show | sed -e '1d' | grep "${1}\$" | sed -e 's/^\([a-zA-Z]\+[0-9]\+\)[ ]\+.*$/\1/'` [ -z "$BRG" ] && BRG=brg0 brctl delif $BRG $1 > /dev/null 2>&1 [ -z "$3" ] && ifv6_setproc $1 disable_ipv6 NO ;; esac return 0 } ############################################################################## # Functions to set the default route ############################################################################## ipv4_default_route () { if [ "$1" != "$IPV4_DEFAULT_GWDEV" ]; then return 0 fi # Default route support case "$IPV4_DEFAULT_GW" in OTHER|Other|other|OFF|Off|off|NO|No|no) ;; "") ip route del default metric $DEFAULT_METRIC > /dev/null 2>&1 ;; *) ip route replace default via $IPV4_DEFAULT_GW \ metric $DEFAULT_METRIC ;; esac return 0 } 
# ipv6_default_route IFACE
#   Install, replace or remove the IPv6 default route, but only when IFACE
#   is the configured IPV6_DEFAULT_GWDEV.  IPV6_DEFAULT_GW selects the action:
#   OTHER/OFF/NO leave routing alone, "" deletes the route at DEFAULT_METRIC,
#   anything else is treated as a gateway address.
#   NOTE(review): SED_IPV6ADDR is run through eval, so it is executed as shell
#   text taken from the configuration; keep it a fixed sed expression.
ipv6_default_route () {
  if [ "$1" != "$IPV6_DEFAULT_GWDEV" ]; then
    return 0
  fi
  # IPv6 default route - this could be better
  case "$IPV6_DEFAULT_GW" in
    OTHER|Other|other|OFF|Off|off|NO|No|no)
      ;;
    "")
      ip -6 route del $IPV6_DEFAULT_PREFIX metric $DEFAULT_METRIC \
        > /dev/null 2>&1
      ;;
    *)
      # Normalise the gateway so it can be grepped in "ip -6 route list"
      # output; the route is only (re)added when no matching entry exists.
      local IPV6_ZERO_GW=`echo $IPV6_DEFAULT_GW \
        | eval $SED_IPV6ADDR`
      if ! ip -6 route list $IPV6_DEFAULT_PREFIX \
        | grep -q "$IPV6_ZERO_GW.*metric $DEFAULT_METRIC"; then
        ip -6 route del $IPV6_DEFAULT_PREFIX \
          metric $DEFAULT_METRIC > /dev/null 2>&1
        ip -6 route add $IPV6_DEFAULT_PREFIX \
          metric $DEFAULT_METRIC via $IPV6_DEFAULT_GW \
          dev $IPV6_DEFAULT_GWDEV
      fi
      ;;
  esac
}

##############################################################################
# checkarg() a function to check interface arguments
##############################################################################
# checkarg ARGS...
#   Exit with usage unless "$*" matches one of the IFLIST alternatives
#   (IFLIST is a "|"-separated list used as a case pattern).
#   NOTE(review): "$*" is expanded *before* eval, so the argument text is
#   parsed as shell syntax, not just compared; quotes, ";" or "$(...)" in an
#   argument are interpreted.  A loop comparing against the split IFLIST
#   would avoid the eval.
checkarg() {
  eval "case \"$*\" in
    $IFLIST)
      ;;
    *)
      echo \"Usage: `basename $0` ifup|ifdown|ifqos|ifreload\"
      echo \" ${SP} {$IFLIST}\"
      exit 1
      ;;
  esac"
}

##############################################################################
# functions to handle filter stuff
##############################################################################
#
# backup_rotate FILE LEVELS
#   Rotate FILE.1 .. FILE.LEVELS-1 up one level (the oldest, FILE.LEVELS,
#   is overwritten) and then move FILE to FILE.1.  LEVELS below 2 is clamped
#   to 2.  Existing file modes travel with the files (mv keeps them).
#
backup_rotate () {
  local MAX="$2"
  [ $MAX -lt 2 ] && MAX=2
  local COUNT=$(($MAX - 1))
  local PREV="$MAX"
  while [ $COUNT -gt 0 ]; do
    [ -f "${1}.${COUNT}" ] && mv "${1}.${COUNT}" "${1}.${PREV}"
    PREV=$COUNT
    COUNT=$(( $COUNT - 1 ))
  done
  [ -f "$1" ] && mv "$1" "${1}.1"
  return 0
}

# ipv4filter_kernfwd on|off [yes]
#   Toggle IPv4 forwarding in the kernel.  Without the "yes" override this is
#   a no-op unless IPV4_FWDING_KERNEL=FILTER_ON, i.e. forwarding is tied to
#   the filter state only in that mode.  Any other first argument aborts the
#   whole script.
ipv4filter_kernfwd () {
  local OVERRIDE="$2"
  if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
    -a "$OVERRIDE" != "yes" \
    -a "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
    return 0;
  fi
  case $1 in
    on)
      vb echo -n "Enabling IPv4 packet forwarding..."
      echo "1" >$IPFWD_V4PROC \
        && vb echo "done."
      ;;
    off)
      vb echo -n "Disabling IPv4 packet forwarding..."
      echo "0" >$IPFWD_V4PROC \
        && vb echo "done."
      ;;
    *)
      echo "AAARGGHH - wrong argument given to ipv4filter_kernfwd: $1"
      exit 1
      ;;
  esac
}

# Check and see if filtering and mangling are available
# ipv4filter_check
#   Returns 1 when IPTBL_V4PROC is missing or lists neither the "mangle" nor
#   the "filter" table; returns 0 when at least one of the two is present.
ipv4filter_check () {
  local TBL MANGLE FILTER
  MANGLE=0
  FILTER=0
  [ ! -f "$IPTBL_V4PROC" ] && return 1
  for TBL in `cat $IPTBL_V4PROC`; do
    case $TBL in
      mangle)
        MANGLE=1
        ;;
      filter)
        FILTER=1
        ;;
    esac
  done
  if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
    return 1
  fi
  return 0
}

# A function to flush the filters (for internal use)
# ipv4filter_flush [SKIP_TABLE]
#   Flush every rule (-F) and delete every user chain (-X) in each table the
#   kernel lists, except the table named by $1.  Built-in chain policies are
#   untouched here (see ipv4filter_policy).
ipv4filter_flush () {
  local TBL
  # Flush the IPV4 filters out, and user defined chains
  [ ! -f $IPTBL_V4PROC ] && return 0
  for TBL in `cat $IPTBL_V4PROC`; do
    if [ "$TBL" = "$1" ]; then
      continue
    fi
    $IPTBL -t $TBL -F
    $IPTBL -t $TBL -X
  done
  return 0
}

# ipv4filter_policy POLICY [SKIP_TABLE]
#   Set the built-in chain policy to POLICY for the mangle, filter and nat
#   tables (skipping the table named by $2).  Only the chains listed below
#   are touched; other tables the kernel reports (e.g. raw, security) and
#   the remaining mangle chains keep whatever policy they had.
ipv4filter_policy () {
  local TBL
  [ ! -f $IPTBL_V4PROC ] && return 0
  for TBL in `cat $IPTBL_V4PROC`; do
    if [ "$TBL" = "$2" ]; then
      continue
    fi
    case $TBL in
      mangle)
        $IPTBL -t $TBL -P PREROUTING $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      filter)
        $IPTBL -t $TBL -P INPUT $1
        $IPTBL -t $TBL -P FORWARD $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      nat)
        $IPTBL -t $TBL -P PREROUTING $1
        $IPTBL -t $TBL -P POSTROUTING $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
    esac
  done
  return 0
}

# function to set the filter default policies
# ipv4filter_clear [SKIP_TABLE]
#   Flush all tables and set their policies to ACCEPT.  After this the host
#   has no IPv4 filtering at all until the next load (fail-open).
ipv4filter_clear () {
  ipv4filter_flush $1
  ipv4filter_policy ACCEPT $1
  return 0
}

# Selects basic filter type configuration function
# ipv4filter_iptbl_cfg RULES_FILE
#   Load RULES_FILE with iptables-restore, then re-add the fairq marking
#   chains and call ipf4_laptopfw (expected to come from the sourced filter
#   configuration), and finally enable forwarding (FILTER_ON mode only).
#   On a restore failure it returns 1 silently: no newline is printed after
#   "Loading IPv4 filters..." and the forwarding flag is left as it was.
ipv4filter_iptbl_cfg () {
  if [ ! -f $1 ] ; then
    echo
    echo "IPv4 filters: no $1 file."
    echo
    return 1
  fi
  echo -n "Loading IPv4 filters..."
  if $IPTBL_RESTORE < $1; then
    ipv4filter_fairq
    ipf4_laptopfw
    vb echo "done."
    ipv4filter_kernfwd on
  else
    return 1
  fi
  return 0
}

# ipv4filter_iptbl_save
#   Rotate the previous rule files and dump the live ruleset to IPTBL_FILE.
#   The file is created under umask 0277 and then chmod 0400, so the saved
#   rules are readable by root only; the umask is restored on both paths.
ipv4filter_iptbl_save () {
  local OLD_UMASK
  echo -n "Saving IPv4 filters..."
  backup_rotate "$IPTBL_FILE" "$BACKUP_LEVELS"
  OLD_UMASK=`umask`
  umask 0277
  if $IPTBL_SAVE > $IPTBL_FILE; then
    umask $OLD_UMASK
    chmod 0400 $IPTBL_FILE
    vb echo "done."
  else
    umask $OLD_UMASK
    vb echo
    return 1
  fi
  vb echo
  return 0
}

# Some functions to handle Protocol IP Port tuples
#
# ipfilter_echoParam FORMAT TUPLE
#   Split TUPLE on "_" into $1.. and echo FORMAT with those positionals
#   expanded (FORMAT is passed single-quoted by callers, e.g. '$2').
ipfilter_echoParam () {
  local format="$1"
  local IFS='_'
  set -- $2
  eval "echo \"$format\""
}

# ipfilter_echoIpPort FORMAT1 FORMAT2 TESTPAR TUPLE
#   Like ipfilter_echoParam but prints FORMAT1 and, only when TESTPAR
#   expands to something non-empty (typically the port field), FORMAT2
#   after it.  Used to emit "-d addr [--dport port]" style fragments.
ipfilter_echoIpPort () {
  local format1="$1"
  local format2="$2"
  local testpar="$3"
  local IFS='_'
  set -- $4
  eval "echo -n \"$format1\""
  eval "if [ -n \"$testpar\" ]; then
    echo \" $format2\"
  fi"
}

# ipv4filter_delTie CHAIN RULE...
#   Best-effort removal of RULE from the mangle CHAIN, trying the plain form
#   and the 0/0 source/destination variants iptables may have expanded it to.
#   Failures are silenced (qt); always returns 0.
ipv4filter_delTie () {
  local CHAIN="$1"
  shift
  qt $IPTBL -t mangle -D "$CHAIN" $*
  qt $IPTBL -t mangle -D "$CHAIN" -s 0/0 $*
  qt $IPTBL -t mangle -D "$CHAIN" -d 0/0 $*
  qt $IPTBL -t mangle -D "$CHAIN" -d 0/0 -s 0/0 $*
  return 0
}

# A function to mark packets for classification
# ipv4filter_fairq
#   Rebuild the mangle-table "nomangle" and "fairq" chains from
#   MANGLE_OUTPUT_BYPASS (proto_addr[_port] tuples accepted untouched) and
#   CLS_FAIRQ (mark_proto_addr[_port] tuples marked for QoS classing), and
#   hook them into OUTPUT/PREROUTING at fixed positions.  Returns 0 early
#   when neither list is configured.
ipv4filter_fairq () {
  local CLS
  local TNL
  [ -z "$MANGLE_OUTPUT_BYPASS" ] && [ -z "$CLS_FAIRQ" ] && return 0
  qt $IPTBL -t mangle -F nomangle
  qt $IPTBL -t mangle -N nomangle
  # Accept IPv4 tunnel traffic - any changes on
  # OUTPUT chain will cause rerouting, and Free S/WAN problems
  for TNL in $MANGLE_OUTPUT_BYPASS; do
    $IPTBL -t mangle -A nomangle -j ACCEPT \
      -p `ipfilter_echoParam '$1' $TNL` \
      -d `ipfilter_echoIpPort '$2' ' --dport $3' '$3' $TNL`
  done
  # Add the nomangle chain to the OUTPUT chain
  # NOTE the position this is inserted at: rule 1, ahead of fairq.
  ipv4filter_delTie OUTPUT -j nomangle
  $IPTBL -t mangle -I OUTPUT 1 -j nomangle
  [ -z "$CLS_FAIRQ" ] && return 0
  # Clear chain if it already exists
  qt $IPTBL -t mangle -F fairq
  # Create new chain
  qt $IPTBL -t mangle -N fairq
  # Populate chains: each class gets a destination and a source rule
  for CLS in $CLS_FAIRQ; do
    $IPTBL -t mangle -A fairq -j MARK \
      --set-mark `ipfilter_echoParam '$1' $CLS` \
      -p `ipfilter_echoParam '$2' $CLS` \
      `ipfilter_echoIpPort '-d $3' ' --dport $4' '$4' $CLS`
    $IPTBL -t mangle -A fairq -j MARK \
      --set-mark `ipfilter_echoParam '$1' $CLS` \
      -p `ipfilter_echoParam '$2' $CLS` \
      `ipfilter_echoIpPort '-s $3' ' --sport $4' '$4' $CLS`
  done;
  # Add fairq chain to OUTPUT and PREROUTING chains
  ipv4filter_delTie OUTPUT -j fairq
  $IPTBL -t mangle -I OUTPUT 2 -j fairq
  # NOTE the position this is inserted at: rule 1 of PREROUTING.
  ipv4filter_delTie PREROUTING -j fairq
  $IPTBL -t mangle -I PREROUTING 1 -j fairq
  return 0
}

# ipv4filter_exec FN [-r|remove] [ARGS...]
#   Run the filter hook function ipf4_FN (FN must be one of the IPF4_FNS
#   alternatives) with the remaining arguments, then exit 0/1 with its
#   status.  Unknown FN prints usage and exits 1.
#   NOTE(review): the eval'd text embeds "$*" unquoted, so argument text is
#   parsed as shell (see checkarg); RES is declared but never used.
ipv4filter_exec () {
  local RES
  local FN="$1"
  shift
  eval "case \"$FN\" in
    $IPF4_FNS)
      case \$1 in
        -r|remove)
          vb echo -n \"Removing IPv4 filter $FN...\"
          ;;
        *)
          vb echo -n \"Loading IPv4 filter $FN...\"
          ;;
      esac
      if ipf4_${FN} $*; then
        echo \"done.\"
        exit 0
      fi
      exit 1
      ;;
    *)
      echo \" `basename $0` ipfilter exec $IPF4_FNS\"
      echo \" [chain p1 p2 ...]\"
      exit 1
      ;;
  esac"
  return 0
}

# ipv4filter_cmd SUBCOMMAND [ARG]
#   Front end for "netscript ipfilter ...".  Refuses to run on a kernel
#   series other than TARGET_KERNEL1/2/3 or without an executable IPTBL.
#   Subcommands: load/reload/restart/reset, usebackup [N], save, fairq,
#   clear/flush, exec, fwd, nofwd.
#   NOTE(review): clear/flush turns forwarding off only in FILTER_ON mode;
#   with IPV4_FWDING_KERNEL=YES the host keeps forwarding with all policies
#   ACCEPT after a flush.
ipv4filter_cmd () {
  if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
    -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
    -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
    echo
    echo "IPv4 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
    if [ "$IPV4_FWDING_KERNEL" = "FILTER_ON" ]; then
      # Keep the output pretty..
      echo
    fi
    ipv4filter_kernfwd off
    echo
    return 1
  fi
  if ! [ -x $IPTBL ] ; then
    echo
    echo "IPv4 filters: $IPTBL not found."
    echo
    return 1
  fi
  case $1 in
    load|reload|restart|reset)
      ipv4filter_iptbl_cfg $IPTBL_FILE
      ;;
    usebackup)
      # Load a rotated copy, IPTBL_FILE.N (default N=1).
      local BKUP_NUM=1
      [ -n "$2" ] && BKUP_NUM="$2"
      ipv4filter_iptbl_cfg "${IPTBL_FILE}.${BKUP_NUM}"
      ;;
    save)
      ipv4filter_iptbl_save
      ;;
    fairq)
      echo -n "Reloading IPv4 fairq filters..."
      if ipv4filter_fairq; then
        echo "done."
      else
        echo "netfilter kernel modules not loaded."
      fi
      ;;
    clear|flush)
      # Forwarding is switched off before the FORWARD chain is opened up.
      ipv4filter_kernfwd off
      vb echo -n "Flushing IPv4 filters..."
      ipv4filter_clear
      ipv4filter_fairq
      vb echo "done."
      ;;
    exec)
      shift
      ipv4filter_exec $*
      ;;
    forward|fwd)
      ipv4filter_kernfwd on yes
      ;;
    noforward|nofwd)
      ipv4filter_kernfwd off yes
      ;;
    *)
      echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ipfilter exec $IPF4_FNS"
      echo " [chain p1 p2 ...]"
      exit 1
      ;;
  esac
}

# IPv6 filters - these mirror the IPv4 functions above, using ip6tables
# (IP6TBL*), IPTBL_V6PROC, IPFWD_V6PROC and the IPV6_* configuration.

# ipv6filter_kernfwd on|off [yes]
#   IPv6 counterpart of ipv4filter_kernfwd; no-op without the override
#   unless IPV6_FWDING_KERNEL=FILTER_ON.
ipv6filter_kernfwd () {
  local OVERRIDE="$2"
  if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
    -a "$OVERRIDE" != "yes" \
    -a "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
    return 0;
  fi
  case $1 in
    on)
      vb echo -n "Enabling IPv6 packet forwarding..."
      echo "1" >$IPFWD_V6PROC \
        && vb echo "done."
      ;;
    off)
      vb echo -n "Disabling IPv6 packet forwarding..."
      echo "0" >$IPFWD_V6PROC \
        && vb echo "done."
      ;;
    *)
      echo "AAARGGHH - wrong argument given to ipv6filter_kernfwd: $1"
      exit 1
      ;;
  esac
}

# Check and see if filtering and mangling are available
# ipv6filter_check
#   Returns 1 when IPTBL_V6PROC is missing or lists neither "mangle" nor
#   "filter"; 0 when at least one of them is present.
ipv6filter_check () {
  local TBL MANGLE FILTER
  MANGLE=0
  FILTER=0
  [ ! -f "$IPTBL_V6PROC" ] && return 1
  for TBL in `cat $IPTBL_V6PROC`; do
    case $TBL in
      mangle)
        MANGLE=1
        ;;
      filter)
        FILTER=1
        ;;
    esac
  done
  if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
    return 1
  fi
  return 0
}

# A function to flush the filters (for internal use)
# ipv6filter_flush [SKIP_TABLE]
#   Flush rules and delete user chains in every IPv6 table except $1.
ipv6filter_flush () {
  local TBL
  # Flush the IPV6 filters out, and user defined chains
  [ ! -f $IPTBL_V6PROC ] && return 0
  for TBL in `cat $IPTBL_V6PROC`; do
    if [ "$TBL" = "$1" ]; then
      continue
    fi
    $IP6TBL -t $TBL -F
    $IP6TBL -t $TBL -X
  done
  return 0
}

# ipv6filter_policy POLICY [SKIP_TABLE]
#   Set built-in chain policies for the mangle, filter and nat tables
#   (skipping $2); other tables and chains are left as they are.
ipv6filter_policy () {
  local TBL
  [ ! -f $IPTBL_V6PROC ] && return 0
  for TBL in `cat $IPTBL_V6PROC`; do
    if [ "$TBL" = "$2" ]; then
      continue
    fi
    case $TBL in
      mangle)
        $IP6TBL -t $TBL -P PREROUTING $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
      filter)
        $IP6TBL -t $TBL -P INPUT $1
        $IP6TBL -t $TBL -P FORWARD $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
      nat)
        $IP6TBL -t $TBL -P PREROUTING $1
        $IP6TBL -t $TBL -P POSTROUTING $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
    esac
  done
  return 0
}

# function to set the filter default policies
# ipv6filter_clear [SKIP_TABLE]
#   Flush everything and open all policies to ACCEPT (fail-open until the
#   next load).
ipv6filter_clear () {
  ipv6filter_flush $1
  ipv6filter_policy ACCEPT $1
  return 0
}

# Selects basic filter type configuration function
# ipv6filter_iptbl_cfg RULES_FILE
#   Restore RULES_FILE with ip6tables-restore, rebuild the fairq chains,
#   call ipf6_laptopfw and enable forwarding (FILTER_ON mode).  A restore
#   failure returns 1 without a message or trailing newline.
ipv6filter_iptbl_cfg () {
  if [ ! -f $1 ] ; then
    echo
    echo "IPv6 filters: no $1 file."
    echo
    return 1
  fi
  echo -n "Loading IPv6 filters..."
  if $IP6TBL_RESTORE < $1; then
    ipv6filter_fairq
    ipf6_laptopfw
    vb echo "done."
    ipv6filter_kernfwd on
  else
    return 1
  fi
  return 0
}

# ipv6filter_iptbl_save
#   Rotate and save the live IPv6 ruleset to IP6TBL_FILE as a root-only
#   (umask 0277, chmod 0400) file.
ipv6filter_iptbl_save () {
  local OLD_UMASK
  echo -n "Saving IPv6 filters..."
  backup_rotate "$IP6TBL_FILE" "$BACKUP_LEVELS"
  OLD_UMASK=`umask`
  umask 0277
  if $IP6TBL_SAVE > $IP6TBL_FILE; then
    umask $OLD_UMASK
    chmod 0400 $IP6TBL_FILE
    vb echo "done."
  else
    umask $OLD_UMASK
    vb echo
    return 1
  fi
  vb echo
  return 0
}

# ipv6filter_delTie CHAIN RULE...
#   Best-effort deletion of RULE from the mangle CHAIN, including the ::/0
#   source/destination variants.  Always returns 0.
ipv6filter_delTie () {
  local CHAIN="$1"
  shift
  qt $IP6TBL -t mangle -D "$CHAIN" $*
  qt $IP6TBL -t mangle -D "$CHAIN" -s ::/0 $*
  qt $IP6TBL -t mangle -D "$CHAIN" -d ::/0 $*
  qt $IP6TBL -t mangle -D "$CHAIN" -s ::/0 -d ::/0 $*
  return 0
}

# A function to mark packets for classification
# ipv6filter_fairq
#   IPv6 counterpart of ipv4filter_fairq, driven by
#   IPV6_MANGLE_OUTPUT_BYPASS and IPV6_CLS_FAIRQ.
ipv6filter_fairq () {
  local CLS
  local TNL
  [ -z "$IPV6_MANGLE_OUTPUT_BYPASS" ] && [ -z "$IPV6_CLS_FAIRQ" ] \
    && return 0
  qt $IP6TBL -t mangle -F nomangle
  qt $IP6TBL -t mangle -N nomangle
  # Accept IPv6 tunnel traffic - any changes on
  # OUTPUT chain will cause rerouting, and Free S/WAN problems
  for TNL in $IPV6_MANGLE_OUTPUT_BYPASS; do
    $IP6TBL -t mangle -A nomangle -j ACCEPT \
      -p `ipfilter_echoParam '$1' $TNL` \
      -d `ipfilter_echoIpPort '$2' ' --dport $3' '$3' $TNL`
  done
  # Add the nomangle chain to the OUTPUT chain
  # NOTE the position this is inserted at: rule 1, ahead of fairq.
  ipv6filter_delTie OUTPUT -j nomangle
  $IP6TBL -t mangle -I OUTPUT 1 -j nomangle
  [ -z "$IPV6_CLS_FAIRQ" ] && return 0
  # Clear chain if it already exists
  qt $IP6TBL -t mangle -F fairq
  # Create new chain
  qt $IP6TBL -t mangle -N fairq
  # Populate chains: each class gets a destination and a source rule
  for CLS in $IPV6_CLS_FAIRQ; do
    $IP6TBL -t mangle -A fairq -j MARK \
      --set-mark `ipfilter_echoParam '$1' $CLS` \
      -p `ipfilter_echoParam '$2' $CLS` \
      `ipfilter_echoIpPort '-d $3' ' --dport $4' '$4' $CLS`
    $IP6TBL -t mangle -A fairq -j MARK \
      --set-mark `ipfilter_echoParam '$1' $CLS` \
      -p `ipfilter_echoParam '$2' $CLS` \
      `ipfilter_echoIpPort '-s $3' ' --sport $4' '$4' $CLS`
  done;
  # Add fairq chain to OUTPUT and PREROUTING chains
  ipv6filter_delTie OUTPUT -j fairq
  $IP6TBL -t mangle -I OUTPUT 2 -j fairq
  # NOTE the position this is inserted at: rule 1 of PREROUTING.
  ipv6filter_delTie PREROUTING -j fairq
  $IP6TBL -t mangle -I PREROUTING 1 -j fairq
  return 0
}

# ipv6filter_exec FN [-r|remove] [ARGS...]
#   Run ipf6_FN (FN from IPF6_FNS) and exit with its status.
#   NOTE(review): same eval/"$*" caveat as ipv4filter_exec; RES is unused.
ipv6filter_exec () {
  local RES
  local FN="$1"
  shift
  eval "case \"$FN\" in
    $IPF6_FNS)
      case \$1 in
        -r|remove)
          vb echo -n \"Removing IPv6 filter $FN...\"
          ;;
        *)
          vb echo -n \"Loading IPv6 filter $FN...\"
          ;;
      esac
      if ipf6_${FN} $*; then
        echo \"done.\"
        exit 0
      fi
      exit 1
      ;;
    *)
      echo \" `basename $0` ip6filter exec $IPF6_FNS\"
      echo \" [chain p1 p2 ...]\"
      exit 1
      ;;
  esac"
  return 0
}

# ipv6filter_cmd SUBCOMMAND [ARG]
#   Front end for "netscript ip6filter ...".  Silently returns 0 when the
#   kernel has no IPv6 (IPV6_KRNL < 1); otherwise the same checks and
#   subcommands as ipv4filter_cmd, against ip6tables.
ipv6filter_cmd () {
  if [ $IPV6_KRNL -lt 1 ]; then
    return 0
  fi
  if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
    -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
    -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
    echo
    echo "IPv6 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
    if [ "$IPV6_FWDING_KERNEL" = "FILTER_ON" ]; then
      # Keep the output pretty..
      echo
    fi
    ipv6filter_kernfwd off
    echo
    return 1
  fi
  if ! [ -x $IP6TBL ] ; then
    echo
    echo "IPv6 filters: $IP6TBL not found."
    echo
    return 1
  fi
  case $1 in
    load|reload|restart|reset)
      ipv6filter_iptbl_cfg $IP6TBL_FILE
      ;;
    usebackup)
      # Load a rotated copy, IP6TBL_FILE.N (default N=1).
      local BKUP_NUM=1
      [ -n "$2" ] && BKUP_NUM="$2"
      ipv6filter_iptbl_cfg "${IP6TBL_FILE}.${BKUP_NUM}"
      ;;
    save)
      ipv6filter_iptbl_save
      ;;
    fairq)
      echo -n "Reloading IPv6 fairq filters..."
      if ipv6filter_fairq; then
        echo "done."
      else
        echo "netfilter IPv6 kernel modules not loaded."
      fi
      ;;
    clear|flush)
      # Forwarding off (FILTER_ON mode) before the chains are opened up.
      ipv6filter_kernfwd off
      vb echo -n "Flushing IPv6 filters..."
      ipv6filter_clear
      ipv6filter_fairq
      vb echo "done."
      ;;
    exec)
      shift
      ipv6filter_exec $*
      ;;
    forward|fwd)
      ipv6filter_kernfwd on yes
      ;;
    noforward|nofwd)
      ipv6filter_kernfwd off yes
      ;;
    *)
      echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ip6filter exec $IPF6_FNS"
      echo " [chain p1 p2 ...]"
      exit 1
      ;;
  esac
}

##############################################################################
# Start and stop
##############################################################################
# start
#   Boot-time sequence: kernel switches, then the IPv4 (and IPv6) filters,
#   and only then the interfaces - so rules are in place before links come
#   up.
start () {
  start_auto_ipkrnlswch
  ipv4filter_cmd load
  if [ $IPV6_KRNL -ge 1 ]; then
    ipv6filter_cmd load
  fi
  start_auto_if
} #END start ()

# stop
#   Take all interfaces down, disable forwarding unconditionally, and flush
#   the filters to ACCEPT.  Forwarding is cleared before the flush so the
#   opened FORWARD chain is never reachable.
stop () {
  iface_down all
  vb echo -n "Disabling IPv4 packet forwarding..."
  echo "0" >$IPFWD_V4PROC \
    && vb echo "done."
  vb echo -n "Flushing IPv4 filters..."
  ipv4filter_clear && vb echo "done."
  if [ $IPV6_KRNL -ge 1 ]; then
    vb echo -n "Disabling IPv6 packet forwarding..."
    echo "0" >$IPFWD_V6PROC \
      && vb echo "done."
    vb echo -n "Flushing IPv6 filters..."
    ipv6filter_clear && vb echo "done."
  fi
} #END stop ()

#############################################################################
# Debian compatibility hooks
#############################################################################
# ifupdown_usage - print ifup/ifdown usage to stderr and exit 1.
ifupdown_usage () {
  echo "Usage: `basename $0` -a|$IFLIST" 1>&2
  echo " Use the netscript command instead as it a lot better." 1>&2
  exit 1
}

# ifupdown [-a|-h] [IFACE]
#   Entry point used when the script is invoked as "ifup" or "ifdown".
#   -a acts on all interfaces; otherwise exactly one IFACE from IFLIST is
#   required.  Nothing is done in runlevels unknown/0/1/6.  Never returns.
#   NOTE(review): the getopts variable F is not declared local, and the
#   IFLIST check uses eval on "$*" (see checkarg).
ifupdown () {
  local OPTA
  local OPTIND
  OPTA=0
  OPTIND=1
  while getopts :ah F; do
    case $F in
      a)
        OPTA=1
        ;;
      h)
        ifupdown_usage
        exit 1
        ;;
      \?)
        ;;
    esac
  done
  shift $(( $OPTIND - 1 ))
  case "$RUNLVL" in
    unknown|0|1|6)
      # Do nothing
      exit 0
      ;;
    *)
      if [ "`basename $0`" = "ifup" -a $OPTA -gt 0 ]; then
        iface_up all > /dev/null
        exit 0
      elif [ "`basename $0`" = "ifdown" -a $OPTA -gt 0 ]; then
        iface_down all > /dev/null
        exit 0
      fi
      ;;
  esac
  if [ $# -eq 1 ]; then
    eval "case \"$*\" in
      $IFLIST)
        ;;
      *)
        ifupdown_usage
        exit 1
        ;;
    esac"
    case "`basename $0`" in
      ifup)
        iface_up $1 > /dev/null
        exit 0
        ;;
      ifdown)
        iface_down $1 > /dev/null
        exit 0
        ;;
    esac
  fi
  ifupdown_usage
  exit 1
}

#############################################################################
# Main - Down to business
#############################################################################
# Handle symlinked ifup and ifdown commands (ifupdown exits; it never
# falls through to the dispatcher below).
if [ "`basename $0`" = "ifup" -o "`basename $0`" = "ifdown" ]; then
  ifupdown $*
fi

# Command dispatcher.  restart re-executes $0 for stop and start so each
# phase runs with a freshly sourced configuration.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  reload)
    start reload
    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    ;;
  ifup|ifreload)
    shift
    checkarg $*
    iface_up $1
    ;;
  ifdown)
    shift
    checkarg $*
    iface_down $1
    ;;
  ifqos)
    shift
    checkarg $*
    iface_qos $1
    ;;
  ifreset|ifrestart)
    shift
    checkarg $*
    iface_reset $1
    ;;
  ipfilter)
    shift
    if ! ipv4filter_cmd $*; then
      exit 1
    fi
    ;;
  *)
    # ip6filter is only offered when the kernel has IPv6.
    if [ $IPV6_KRNL -ge 1 -a "$1" = "ip6filter" ]; then
      shift
      if ! ipv6filter_cmd $*; then
        exit 1
      fi
      exit 0
    fi
    echo "Usage: `basename $0` start|stop|reload|restart"
    echo " `basename $0` ifup|ifdown|ifqos|ifreload"
    echo " ${SP} {$IFLIST}"
    echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
    echo " usebackup [backup-number]"
    echo " `basename $0` ipfilter exec $IPF4_FNS"
    echo " [chain p1 p2 ...]"
    if [ $IPV6_KRNL -ge 1 ]; then
      echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ip6filter exec $IPF6_FNS"
      echo " [chain p1 p2 ...]"
    fi
    exit 1
    ;;
esac
exit 0
netscript/netscript-2.4.conf.50000664000000000000000000000355712362370504013323 0ustar
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NETSCRIPT-2.4.CONF 5 "January 16, 2014"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
/etc/netscript/network.conf \- interface, firewalling, and QoS configuration file.
/etc/netscript/if.conf \- interface setup shell script file
/etc/netscript/qos.conf \- QoS setup shell script file
/etc/netscript/ipfilter.conf \- IP iptables filtering shell script file
.SH DESCRIPTION
This manpage is a place holder until something better is written when the
netscript itself has stopped changing rapidly. Please see the README file in
the /etc/netscript directory, and READ the configuration files if you need to
change them.
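Apart from network.conf, all of them contain
.B sh (1)
shell script functions which are there so that various things can be altered
or hooked in at the right place.
Network.conf contains the full network setup details, including special
interface setup for the likes of ciped/pppd/wanconfig, and is fully commented
with examples given.
.SH SEE ALSO
.BR netscript (8),
.BR iptables (8),
.BR ip6tables (8),
.BR iproute (8),
.BR brcfg (8).
.br
.SH AUTHOR
This manual page was written by Matthew Grant , for the Debian GNU/Linux
system (but may be used by others).
.SH BUGS
The author is lazy. He needs to write btter man pages...
netscript/netscript-hotplug0000755000000000000000000000677413030312163013406 0ustar
#!/bin/sh -e
#
# run /sbin/netscript for hotplug operations
#
# Taken from ifupdown package
#
# udev helper: ACTION and INTERFACE arrive in the environment.  "add"
# events hand the interface to "netscript ifup" (or to the netscript@.service
# unit when systemd is running); "remove" events run "netscript ifdown".
# Interfaces that appear in the bridge list are left alone in both cases.

PATH='/sbin:/bin:/usr/sbin:/usr/bin'

# Pick a logger binary if one exists; LOGGER stays unset otherwise.
if [ -x /usr/bin/logger ]; then
  LOGGER=/usr/bin/logger
elif [ -x /bin/logger ]; then
  LOGGER=/bin/logger
else
  unset LOGGER
fi

# for diagnostics: mesg() goes to stderr, to syslog, or to both, depending
# on whether stdout is a terminal and whether a logger/syslog socket exists.
if [ -t 1 -a -z "$LOGGER" ] || [ ! -e '/dev/log' ]; then
  mesg() {
    echo "$@" >&2
  }
elif [ -t 1 ]; then
  mesg() {
    echo "$@"
    $LOGGER -t "${0##*/}[$$]" "$@"
  }
else
  mesg() {
    $LOGGER -t "${0##*/}[$$]" "$@"
  }
fi

if [ -z "$INTERFACE" ]; then
  mesg "Bad netscript udev helper invocation: \$INTERFACE is not set"
  exit 1
fi

# check_program PATH - return 0 if PATH is executable, otherwise log and
# exit 1 (the event is dropped).
check_program() {
  [ -x "$1" ] && return 0
  mesg "ERROR: $1 not found. You need to install the netscript-2.4 package."
  mesg "netscript udev helper $ACTION event for $INTERFACE not handled."
  exit 1
}

# wait_for_interface IFACE - poll sysfs once a second until IFACE's
# operstate is no longer "down".  Returns at once when the operstate file
# cannot be read.  (Currently unused; the caller below is commented out.)
wait_for_interface() {
  local interface=$1
  local state
  while :; do
    # operstate has to be read through a redirection: "read state PATH"
    # would read stdin and treat PATH as a second variable name.
    read -r state < "/sys/class/net/$interface/operstate" 2>/dev/null \
      || state=''
    if [ "$state" != down ]; then
      return 0
    fi
    sleep 1
  done
}

# bridge_devices - print the first column of "brctl show" for every bridge
# line; prints nothing when brctl is not installed.
# NOTE(review): the sed separator is a literal space; if brctl separates
# columns with tabs the whole line survives, and the substring match in
# is_bridge then also fires for an interface named in the "interfaces"
# column.  /sys/class/net/IFACE/bridge would be an unambiguous test.
bridge_devices() {
  command -v brctl >/dev/null 2>&1 || return 0
  brctl show | sed -e '1d' | grep '^[-a-zA-Z0-9_]' \
    | sed -e 's/^\([a-zA-Z0-9_\-]\+\)[ ].*$/\1/'
}

# is_bridge IFACE - succeed when IFACE occurs in the bridge list (fixed
# string, substring match, as the original fgrep did; quiet).
is_bridge() {
  bridge_devices | grep -qF -- "$1"
}

# net_ifup - bring INTERFACE up; never returns (exec or exit).
net_ifup() {
  check_program /sbin/netscript
  # Don't bring up bridge interfaces under hotplug! Can cause issues with openstack
  if is_bridge "$INTERFACE"; then
    exit 0
  fi
  if [ -d /run/systemd/system ]; then
    exec systemctl --no-block start \
      "$(systemd-escape --template netscript@.service "$INTERFACE")"
  fi
  #local out=$(ps -C ifup ho args)
  #if [ "${out%$INTERFACE*}" != "$out" ]; then
  #  mesg "Already ifup-ing interface $INTERFACE"
  #  exit 0
  #fi
  #wait_for_interface lo
  exec netscript ifup "$INTERFACE"
}

# net_ifdown - take INTERFACE down; never returns (exec or exit).
net_ifdown() {
  check_program /sbin/netscript
  # Don't bring down bridge interfaces under hotplug! Can cause issues with openstack
  if is_bridge "$INTERFACE"; then
    exit 0
  fi
  # systemd will automatically ifdown the interface on device
  # removal by binding the instanced service to the network device
  if [ -d /run/systemd/system ]; then
    exit 0
  fi
  #local out=$(ps -C ifdown ho args)
  #if [ "${out%$INTERFACE*}" != "$out" ]; then
  #  mesg "Already ifdown-ing interface $INTERFACE"
  #  exit 0
  #fi
  exec netscript ifdown "$INTERFACE"
}

# do_everything - dispatch on the udev ACTION.
do_everything() {
  case "$ACTION" in
    add)
      # these interfaces generate hotplug events *after* they are brought up
      case "$INTERFACE" in
        ppp*|ippp*|isdn*|plip*|lo|irda*|ipsec*)
          exit 0
          ;;
      esac
      net_ifup
      ;;
    remove)
      # the pppd persist option may have been used, so it should not be killed
      #case $INTERFACE in
      #  ppp*)
      #    exit 0 ;;
      #esac
      net_ifdown
      ;;
    *)
      mesg "NET $ACTION event not supported"
      exit 1
      ;;
  esac
}

# under systemd we don't do synchronous operations, so we can run in the
# foreground; we also need to, as forked children get killed right away under
# systemd
if [ -d /run/systemd/system ]; then
  do_everything
else
  # under sysvinit/upstart we need to fork as we start the long-running
  # "ifup". but there, forked processes won't get killed.
  # When udev_log="debug" stdout and stderr are pipes connected to udevd.
  # They need to be closed or udevd will wait for this process which will
  # deadlock with udevsettle until the timeout.
  exec > /dev/null 2> /dev/null
  do_everything &
fi
netscript/netscript-ipfilter0000775000000000000000000005061312606261002013536 0ustar
#!/bin/bash
#
# LRP/Debian network configuration system
#
# Ring a ding ding, my dang a lang dong Dave 'Kill a Cop' Cinege GPL2
# Ding Dong Dell, Pussy's in the well Matthew 'Network Cowboy' Grant GPL2
#
# start)
# Depending on the auto config portions in /etc/network.conf, it auto-
# generates hosts, resolv.conf, sets the hostname, starts up interfaces,
# configures the IP filter/firewall and sets up routes (not necessarily
# in that order).
#
# stop)
# brings down all interfaces listed in /proc/net/dev, and their associated
# routes. Flushes all rules for iptables.
#

# bail out if we are not root - everything below writes /proc/sys and
# loads netfilter rules.
if [ "$(id -un)" != "root" ] ; then
  echo 1>&2
  echo " $(basename "$0"): you must be root to run this command." 1>&2
  echo 1>&2
  exit 1
fi

# Kernel series this script knows how to drive (see KERN_VERSION below).
TARGET_KERNEL1="2.4"
TARGET_KERNEL2="2.6"
TARGET_KERNEL3="3"
#DEBUG=1
SP=' '
# qt: run quietly; vb: run verbosely.  Both may be redefined below once the
# configuration has set DEBUG / VERBOSE.
qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . "$1" ; }
basename () { echo "${1##*/}"; }
BANNER="# This file was generated by $0. It may be overwritten!"

#Default safe settings - overridden by the sourced configuration files.
VERBOSE=YES
IPV6_MODULE=NO
IPV4_FWDING_KERNEL=NO
IPV6_FWDING_KERNEL=NO
IP_FILTER_KERNEL=PACKET
IF_AUTO="eth0"
IPV4_DISABLE=NO
IPV6_DISABLE=NO
BASE_MODPATH="/lib/modules/$(uname -r)/kernel"
MODPATH="${BASE_MODPATH}/net"
# Collapse the running kernel to a series: "2.4", "2.6", or "3" for any
# 3.x-9.x kernel (which all map onto TARGET_KERNEL3).
KERN_VERSION=$(uname -r | cut -d . -f 1,2)
if echo "$KERN_VERSION" | grep '^[3-9]\..*' -q; then
  KERN_VERSION='3'
fi
[ "$KERN_VERSION" = "$TARGET_KERNEL1" ] && MODEXT="o"
[ "$KERN_VERSION" = "$TARGET_KERNEL2" ] && MODEXT="ko"
[ "$KERN_VERSION" = "$TARGET_KERNEL3" ] && MODEXT="ko"
NETFILTER_CONF="/etc/netscript"
IPTBL_FILE="$NETFILTER_CONF/iptables"
IPTBL_FILE_BACKUP="$IPTBL_FILE.backup"
IP6TBL_FILE="$NETFILTER_CONF/ip6tables"
IP6TBL_FILE_BACKUP="$IP6TBL_FILE.backup"
# test for OpenWRT (iptables lives in /usr/sbin there); a missing iptables
# just falls through to /sbin and is reported later by the filter commands.
if type -f iptables 2>/dev/null | grep -q '/usr/sbin'; then
  IPTBL_PREFIX="/usr/sbin"
else
  IPTBL_PREFIX="/sbin"
fi
IPTBL="$IPTBL_PREFIX/iptables"
IPTBL_RESTORE="$IPTBL_PREFIX/iptables-restore"
IPTBL_SAVE="$IPTBL_PREFIX/iptables-save"
IP6TBL="$IPTBL_PREFIX/ip6tables"
IP6TBL_RESTORE="$IPTBL_PREFIX/ip6tables-restore"
IP6TBL_SAVE="$IPTBL_PREFIX/ip6tables-save"
# Kernel-side table lists and forwarding switches.
IPTBL_V4PROC="/proc/net/ip_tables_names"
IPTBL_V6PROC="/proc/net/ip6_tables_names"
IPV4_PROC="/proc/sys/net/ipv4"
IPV6_PROC="/proc/sys/net/ipv6"
IPFWD_V4PROC="${IPV4_PROC}/ip_forward"
IPFWD_V6PROC="${IPV6_PROC}/conf/all/forwarding"
IPV6_DEFAULT_PREFIX=default
DEFAULT_METRIC=999999999
BACKUP_LEVELS=2
IF_DEFAULT_IPV6_DISABLE="NO"

#==============================================================================#
# Read in configuration files
# - these ones can be changed by users.  They are sourced as root, so they
#   must stay writable by root only.
[ -f "$NETFILTER_CONF/network.conf" ] \
  && source "$NETFILTER_CONF/network.conf"
IPFILTER=0
[ -f "$NETFILTER_CONF/ipfilter.conf" ] \
  && source "$NETFILTER_CONF/ipfilter.conf" && IPFILTER=1
[ -f "$NETFILTER_CONF/srvfilter.conf" ] \
  && source "$NETFILTER_CONF/srvfilter.conf"
# DEBUG makes qt loud; VERBOSE=NO makes vb quiet.
[ "$DEBUG" ] && qt () { "$@" ; }
[ "$VERBOSE" = "NO" ] && vb () { qt "$@" ; }
# Legacy 2.2-era ipchains/masquerading feature flags.
[ -f /proc/net/ip_fwchains ] && IPCHAINS=1
[ -f /proc/net/ip_masq/autofw ] && IPAUTOFW=1
[ -f /proc/net/ip_masq/portfw ] && IPPORTFW=1
[ -f /proc/net/ip_masq/mfw ] && IPMFW=1
# translate old values for compatibility
if [ -n "$IPFWDING_KERNEL" ]; then
  IPV4_FWDING_KERNEL="$IPFWDING_KERNEL"
fi
# Setup stuff for IPv6: IPV6_KRNL=1 when the kernel exposes the IPv6 sysctls.
IPV6_KRNL=0
[ -d "$IPV6_PROC" ] && IPV6_KRNL=1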
#############################################################################
# Code to set up function lists for filtering
#############################################################################

# get_fns PREFIX - print the names of the shell functions whose name contains
# PREFIX, with everything up to and including PREFIX stripped
# (e.g. "ipf4_laptopfw" -> "laptopfw").  Under bash the list comes from
# 'declare -F', elsewhere from 'hash'.
# NOTE(review): "grep $1" is unquoted and unanchored, so it is a substring
# match; it only behaves as a prefix filter because the callers below pass the
# fixed internal prefixes ipf4_ and ipf6_.
get_fns () {
  local STR="s/^.* ${1}\([^ ]\+\)$/\1/"
  if [ -n "$BASH_VERSION" ]; then
    declare -F | grep $1 | sed -e "$STR"
  else
    hash | grep "^function $1" | sed -e "$STR"
  fi
}

# Build IPF4_FNS / IPF6_FNS: '|'-separated lists of the loadable filter
# function names (without prefix).  They are used as 'case' patterns in
# ipv4filter_exec / ipv6filter_exec and printed in the usage text.
for FN in `get_fns ipf4_`; do
  if [ -z "$IPF4_FNS" ]; then
    IPF4_FNS="$FN"
  else
    IPF4_FNS="${IPF4_FNS}|$FN"
  fi
done; unset FN
for FN in `get_fns ipf6_`; do
  if [ -z "$IPF6_FNS" ]; then
    IPF6_FNS="$FN"
  else
    IPF6_FNS="${IPF6_FNS}|$FN"
  fi
done; unset FN

###############################################################################
#IP kernel option loading for global kernel switches
###############################################################################

# read_sysctl DIR - read "file value [comment...]" lines from stdin and write
# each value into DIR/file.  Lines without a value, and lines whose first or
# second word is "#", are skipped; YES/Yes/yes and NO/No/no become 1 and 0.
# Files that do not exist under DIR are skipped silently.
# NOTE(review): DIR/$PROCFILE is used as given, so the input must come from
# local configuration only.  ANS is declared but never used.
read_sysctl () {
  local PROCFILE PROCVAL COMMENT ANS
  while read PROCFILE PROCVAL COMMENT; do
    if [ -z "$PROCFILE" -o -z "$PROCVAL" ]; then
      continue
    fi
    if [ "$PROCFILE" = "#" -o "$PROCVAL" = "#" ]; then
      continue
    fi
    case "$PROCVAL" in
      YES|Yes|yes)
        PROCVAL=1
        ;;
      NO|No|no)
        PROCVAL=0
        ;;
    esac
    [ ! -f $1/$PROCFILE ] && continue
    echo $PROCVAL > $1/$PROCFILE
  done
}

# read_gbl_sysctl - feed NET_GLOBAL_SYSCTL (set elsewhere) through read_sysctl
# under /proc/sys/net.  Always returns 0.  The only call site visible here
# (in start_auto_ipkrnlswch) is commented out.
read_gbl_sysctl () {
  echo "$NET_GLOBAL_SYSCTL" | read_sysctl /proc/sys/net
  return 0
}

###############################################################################
#IP Forwarding configuration
###############################################################################

# start_auto_ipkrnlswch - set the kernel forwarding switches from
# IPV4_FWDING_KERNEL / IPV6_FWDING_KERNEL:
#   YES           -> write 1 to the forwarding proc file
#   FILTER_ON     -> leave the switch alone here; ipv4filter_kernfwd /
#                    ipv6filter_kernfwd turn it on once filters are loaded
#   anything else -> write 0
# Note that only the exact spelling "YES" enables forwarding; "Yes"/"yes"
# fall into the disable branch.  The IPv6 half is skipped when IPV6_KRNL < 1;
# otherwise disable_ipv6 is applied to "all" from IPV6_DISABLE first.
# Globals read: IPV4_FWDING_KERNEL, IPV6_FWDING_KERNEL, IPV6_KRNL,
#               IPV6_DISABLE, IPFWD_V4PROC, IPFWD_V6PROC
start_auto_ipkrnlswch () {
  local DIR
  # read in the global sysctl settings
  #read_gbl_sysctl
  # Turn on global RP filter switch - this is ANDed with
  # the per interface ones
  #echo 1 > ${IPV4_PROC}/conf/all/rp_filter
  # Fix the Shared Media Mess
  #echo 0 > ${IPV4_PROC}/conf/all/shared_media
  #echo 0 > ${IPV4_PROC}/conf/default/shared_media
  if [ "$IPV4_FWDING_KERNEL" = "YES" ]; then
    vb echo -n "Enabling IPv4 packet forwarding..."
    echo "1" >$IPFWD_V4PROC && vb echo "done."
  elif [ "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
    vb echo -n "Disabling IPv4 packet forwarding..."
    echo "0" >$IPFWD_V4PROC && vb echo "done."
  fi
  # IPv6
  if [ $IPV6_KRNL -lt 1 ]; then
    return 0
  fi
  # Most hardened servers and routers need defaults like these
  # for interface host mode
  #for DIR in ${IPV6_PROC}/conf/*; do
  #  # Don't allow ICMP redirect by default
  #  #echo 0 > $DIR/accept_redirects
  #done
  # This is here just to do the printing when IPv6 IS disabled.
  # (The "done." here is printed with a plain echo, not via vb.)
  case "$IPV6_DISABLE" in
    YES|Yes|yes)
      vb echo -n "Disabling IPv6 protocol..."
      ifv6_setproc all disable_ipv6 "$IPV6_DISABLE" && echo "done."
      ;;
    *)
      ifv6_setproc all disable_ipv6 "$IPV6_DISABLE"
      ;;
  esac
  # Set this flag as required for creation of dynamic bridged
  # interfaces
  #ifv6_setproc default disable_ipv6 "$IF_DEFAULT_IPV6_DISABLE"
  if [ "$IPV6_FWDING_KERNEL" = "YES" ]; then
    vb echo -n "Enabling IPv6 packet forwarding..."
    echo "1" >$IPFWD_V6PROC && vb echo "done."
  elif [ "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
    vb echo -n "Disabling IPv6 packet forwarding..."
    echo "0" >$IPFWD_V6PROC && vb echo "done."
  fi
}

##############################################################################
# Functions to set 2.4 kernel interface parameters
#   ifv4_setproc IFACE PARAM YES|NO|<number>
#   ifv6_setproc IFACE PARAM YES|NO|<number>
# IFACE is a subdirectory of ${IPV4_PROC}/conf (or ${IPV6_PROC}/conf), such as
# an interface name, "all" or "default"; PARAM is the file inside it.
##############################################################################

# ifv4_setproc IFACE PARAM VALUE - write VALUE to ${IPV4_PROC}/conf/IFACE/PARAM.
# YES/Yes/yes -> 1, NO/No/no -> 0, a decimal number is written as given.
# Returns 0 when VALUE is empty (nothing to do) or was written; 1 when the
# proc file does not exist or VALUE is not recognised.
# NOTE(review): IFACE and PARAM are spliced into the path unchecked; they are
# expected to be configuration-derived names, not external input.
ifv4_setproc () {
  if [ -z "$3" ]; then return 0; fi
  [ ! -f ${IPV4_PROC}/conf/$1/$2 ] && return 1
  case "$3" in
    YES|Yes|yes)
      echo 1 > ${IPV4_PROC}/conf/$1/$2
      return 0;
      ;;
    NO|No|no)
      echo 0 > ${IPV4_PROC}/conf/$1/$2
      return 0;
      ;;
    *)
      # Only an all-digit value is accepted; anything else is an error.
      if echo $3 | grep -q '^[0-9]\+$'; then
        echo $3 > ${IPV4_PROC}/conf/$1/$2
        return 0
      fi
      return 1;
      ;;
  esac
  return 0;
}

# ifv6_setproc IFACE PARAM VALUE - IPv6 counterpart of ifv4_setproc, writing
# under ${IPV6_PROC}/conf.  Additionally returns 1 when IPV6_KRNL < 1.
ifv6_setproc () {
  if [ -z "$3" ]; then return 0; fi
  [ $IPV6_KRNL -lt 1 ] && return 1
  [ ! -f ${IPV6_PROC}/conf/$1/$2 ] && return 1
  case "$3" in
    YES|Yes|yes)
      echo 1 > ${IPV6_PROC}/conf/$1/$2
      return 0;
      ;;
    NO|No|no)
      echo 0 > ${IPV6_PROC}/conf/$1/$2
      return 0;
      ;;
    *)
      if echo $3 | grep -q '^[0-9]\+$'; then
        echo $3 > ${IPV6_PROC}/conf/$1/$2
        return 0
      fi
      return 1;
      ;;
  esac
  return 0;
}

##############################################################################
# checkarg() a function to check interface arguments
##############################################################################

# checkarg ARGS... - exit 1 with a usage message unless "$*" matches one of
# the alternatives in IFLIST (a '|'-separated case pattern of interface names
# defined elsewhere).  SP is a prefix for the second usage line.
# NOTE(review): IFLIST and "$*" are expanded into the shell source before eval
# parses it, so they are interpreted as code rather than compared as data.
# Both are operator-controlled here (configuration and the command line), but
# the pattern should not be reused on anything untrusted.
checkarg() {
  eval "case \"$*\" in
    $IFLIST)
      ;;
    *)
      echo \"Usage: `basename $0` ifup|ifdown|ifqos|ifreload\"
      echo \" ${SP} {$IFLIST}\"
      exit 1
      ;;
  esac"
}

##############################################################################
# functions to handle filter stuff
##############################################################################
#
# backup_rotate FILE LEVELS - shift FILE.1 .. FILE.(LEVELS-1) up by one
# (FILE.(LEVELS-1) becomes FILE.LEVELS, overwriting the oldest copy) and then
# move FILE itself to FILE.1.  LEVELS below 2 is raised to 2.
# NOTE(review): an empty LEVELS makes the '[' test fail with an error instead
# of defaulting; COUNT then starts at -1, the loop is skipped and only the
# FILE -> FILE.1 move happens.
#
backup_rotate () {
  local MAX="$2"
  [ $MAX -lt 2 ] && MAX=2
  local COUNT=$(($MAX - 1))
  local PREV="$MAX"
  while [ $COUNT -gt 0 ]; do
    [ -f "${1}.${COUNT}" ] && mv "${1}.${COUNT}" "${1}.${PREV}"
    PREV=$COUNT
    COUNT=$(( $COUNT - 1 ))
  done
  [ -f "$1" ] && mv "$1" "${1}.1"
  return 0
}

# ipv4filter_kernfwd on|off [yes] - flip the IPv4 forwarding proc switch.
# Without the override ("YES"/"Yes"/"yes" as $2) this only acts when
# IPV4_FWDING_KERNEL is FILTER_ON, i.e. forwarding follows the filter state;
# with the override the switch is forced regardless of configuration.
# Any other first argument terminates the whole script with exit 1.
ipv4filter_kernfwd () {
  local OVERRIDE="$2"
  if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
       -a "$OVERRIDE" != "yes" \
       -a "$IPV4_FWDING_KERNEL" != "FILTER_ON" ]; then
    return 0;
  fi
  case $1 in
    on)
      vb echo -n "Enabling IPv4 packet forwarding..."
      echo "1" >$IPFWD_V4PROC \
        && vb echo "done."
      ;;
    off)
      vb echo -n "Disabling IPv4 packet forwarding..."
      echo "0" >$IPFWD_V4PROC \
        && vb echo "done."
      ;;
    *)
      echo "AAARGGHH - wrong argument given to ipv4filter_kernfwd: $1"
      exit 1
      ;;
  esac
}

# Check and see if filtering and mangling are available
# ipv4filter_check - return 0 when the kernel's table list ($IPTBL_V4PROC)
# exists and names the "mangle" or "filter" table, 1 otherwise.
# NOTE(review): despite the comment above it does not require both tables;
# the final test only fails when neither is listed.
ipv4filter_check () {
  local TBL MANGLE FILTER
  MANGLE=0
  FILTER=0
  [ ! -f "$IPTBL_V4PROC" ] && return 1
  for TBL in `cat $IPTBL_V4PROC`; do
    case $TBL in
      mangle)
        MANGLE=1
        ;;
      filter)
        FILTER=1
        ;;
    esac
  done
  if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
    return 1
  fi
  return 0
}

# A function to flush the filters (for internal use)
# ipv4filter_flush [TABLE] - flush every table listed in $IPTBL_V4PROC and
# delete its user-defined chains, skipping TABLE when given.  Returns 0, also
# when the proc file is absent.
ipv4filter_flush () {
  local TBL
  # Flush the IPV4 filters out, and user defined chains
  [ ! -f $IPTBL_V4PROC ] && return 0
  for TBL in `cat $IPTBL_V4PROC`; do
    if [ "$TBL" = "$1" ]; then
      continue
    fi
    $IPTBL -t $TBL -F
    $IPTBL -t $TBL -X
  done
  return 0
}

# ipv4filter_policy POLICY [TABLE] - set the built-in chain policies of every
# table listed in $IPTBL_V4PROC to POLICY (e.g. ACCEPT), skipping TABLE when
# given.  Tables other than mangle, filter, nat, rawpost, raw and security are
# left untouched.
ipv4filter_policy () {
  local TBL
  [ ! -f $IPTBL_V4PROC ] && return 0
  for TBL in `cat $IPTBL_V4PROC`; do
    if [ "$TBL" = "$2" ]; then
      continue
    fi
    case $TBL in
      mangle)
        $IPTBL -t $TBL -P PREROUTING $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      filter)
        $IPTBL -t $TBL -P INPUT $1
        $IPTBL -t $TBL -P FORWARD $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      nat)
        $IPTBL -t $TBL -P PREROUTING $1
        $IPTBL -t $TBL -P POSTROUTING $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      rawpost)
        $IPTBL -t $TBL -P POSTROUTING $1
        ;;
      raw)
        $IPTBL -t $TBL -P PREROUTING $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
      security)
        $IPTBL -t $TBL -P INPUT $1
        $IPTBL -t $TBL -P FORWARD $1
        $IPTBL -t $TBL -P OUTPUT $1
        ;;
    esac
  done
  return 0
}

# function to set the filter default policies
# ipv4filter_clear [TABLE] - flush all tables except TABLE and open them up
# (policy ACCEPT).  The callers visible in this file turn kernel forwarding
# off before calling this, so the box is not left forwarding unfiltered.
ipv4filter_clear () {
  ipv4filter_flush $1
  ipv4filter_policy ACCEPT $1
  return 0
}

# Selects basic filter type configuration function
# ipv4filter_iptbl_cfg FILE - load the ruleset FILE with $IPTBL_RESTORE, then
# run ipf4_laptopfw and turn forwarding on via ipv4filter_kernfwd (which
# honours FILTER_ON).  Returns 1 with a message when netfilter is unavailable
# (neither the proc table list nor "$IPTBL -L" works) or FILE is missing, and
# 1 silently when the restore fails - the "Loading..." line is then left
# without a terminator.
ipv4filter_iptbl_cfg () {
  if ! ipv4filter_check && ! $IPTBL -L &> /dev/null; then
    echo
    echo "IPv4 filters: netfilter kernel modules not present."
    echo
    return 1
  fi
  if [ ! -f $1 ] ; then
    echo
    echo "IPv4 filters: no $1 file."
    echo
    return 1
  fi
  echo -n "Loading IPv4 filters..."
  if $IPTBL_RESTORE < $1; then
    ipf4_laptopfw
    vb echo "done."
    ipv4filter_kernfwd on
  else
    return 1
  fi
  return 0
}

# ipv4filter_iptbl_save - rotate the existing backups, then write the running
# ruleset to $IPTBL_FILE with $IPTBL_SAVE.  The file is created under umask
# 0277 and chmod 0400 afterwards, so the saved rules (which expose addresses
# and policy) are readable by the owner only; the previous umask is restored
# on both the success and failure paths.  Returns 1 when netfilter is not
# available or the save fails.
ipv4filter_iptbl_save () {
  local OLD_UMASK
  if ! ipv4filter_check; then
    echo
    echo "IPv4 filters: netfilter kernel modules not loaded."
    echo
    return 1
  fi
  echo -n "Saving IPv4 filters..."
  backup_rotate "$IPTBL_FILE" "$BACKUP_LEVELS"
  OLD_UMASK=`umask`
  umask 0277
  if $IPTBL_SAVE > $IPTBL_FILE; then
    umask $OLD_UMASK
    chmod 0400 $IPTBL_FILE
    vb echo "done."
  else
    umask $OLD_UMASK
    vb echo
    return 1
  fi
  vb echo
  return 0
}

# Some functions to handle Protocol IP Port tuples

# ipfilter_echoParam FORMAT TUPLE - split TUPLE on '_' into $1, $2, ... and
# echo FORMAT with those positional parameters expanded (FORMAT is evaluated
# as shell text, so it may reference $1, $2, ...).
# NOTE(review): the tuple fields pass through eval, so a field holding shell
# metacharacters would be interpreted; only configuration values belong here.
ipfilter_echoParam () {
  local format="$1"
  local IFS='_'
  set -- $2
  eval "echo \"$format\""
}

# ipfilter_echoIpPort FORMAT1 FORMAT2 TESTPAR TUPLE - split TUPLE on '_' as
# above, print FORMAT1 without a newline, then " FORMAT2" (with newline) only
# when TESTPAR is non-empty.  The value of TESTPAR is itself expanded again
# inside the eval, so it may name a tuple field.  Same eval caveat as
# ipfilter_echoParam.
ipfilter_echoIpPort () {
  local format1="$1"
  local format2="$2"
  local testpar="$3"
  local IFS='_'
  set -- $4
  eval "echo -n \"$format1\""
  eval "if [ -n \"$testpar\" ]; then
    echo \" $format2\"
  fi"
}

# ipv4filter_exec NAME [ARGS...] - run the filter function ipf4_NAME with ARGS
# when NAME is one of the names in IPF4_FNS.  Prints "Removing" when the first
# ARG is -r/remove, "Loading" otherwise, then exits the script: 0 when the
# function succeeded, 1 on failure or unknown NAME (usage is printed).  The
# trailing "return 0" is only reached if the eval'd text falls through every
# branch, which the case above does not allow.  RES is declared but unused.
# NOTE(review): NAME, IPF4_FNS and ARGS are interpolated into the eval'd
# source, so they are parsed as shell code rather than matched as data - a
# NAME containing shell metacharacters is not simply rejected by the case.
# Validating NAME against the function list outside eval would close that.
ipv4filter_exec () {
  local RES
  if ! ipv4filter_check && ! $IPTBL -L &> /dev/null; then
    echo
    echo "IPv4 filters: netfilter kernel modules not present."
    echo
    return 1
  fi
  local FN="$1"
  shift
  eval "case \"$FN\" in
    $IPF4_FNS)
      case \$1 in
        -r|remove)
          vb echo -n \"Removing IPv4 filter $FN...\"
          ;;
        *)
          vb echo -n \"Loading IPv4 filter $FN...\"
          ;;
      esac
      if ipf4_${FN} $*; then
        echo \"done.\"
        exit 0
      fi
      exit 1
      ;;
    *)
      echo \" `basename $0` ipfilter exec $IPF4_FNS\"
      echo \" [chain p1 p2 ...]\"
      exit 1
      ;;
  esac"
  return 0
}

# ipv4filter_cmd SUBCOMMAND [ARGS...] - dispatcher for "ipfilter".
# Returns 1 (after forcing forwarding off when it is FILTER_ON-managed) if
# KERN_VERSION is none of TARGET_KERNEL1..3, and 1 if $IPTBL is not
# executable.  Subcommands: load/reload/restart/reset, usebackup [N]
# (default 1, loads $IPTBL_FILE.N), save, clear/flush (forwarding off, then
# flush + ACCEPT policies), exec NAME ARGS..., forward/fwd and
# noforward/nofwd (forced switch).  Anything else prints usage and exits 1.
ipv4filter_cmd () {
  if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
       -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
       -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
    echo
    echo "IPv4 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
    if [ "$IPV4_FWDING_KERNEL" = "FILTER_ON" ]; then
      # Keep the output pretty..
      echo
    fi
    ipv4filter_kernfwd off
    echo
    return 1
  fi
  if ! [ -x $IPTBL ] ; then
    echo
    echo "IPv4 filters: $IPTBL not found."
    echo
    return 1
  fi
  case $1 in
    load|reload|restart|reset)
      ipv4filter_iptbl_cfg $IPTBL_FILE
      ;;
    usebackup)
      local BKUP_NUM=1
      [ -n "$2" ] && BKUP_NUM="$2"
      ipv4filter_iptbl_cfg "${IPTBL_FILE}.${BKUP_NUM}"
      ;;
    save)
      ipv4filter_iptbl_save
      ;;
    clear|flush)
      # Forwarding goes off before the rules are removed.
      ipv4filter_kernfwd off
      vb echo -n "Flushing IPv4 filters..."
      ipv4filter_clear
      vb echo "done."
      ;;
    exec)
      shift
      ipv4filter_exec $*
      ;;
    forward|fwd)
      ipv4filter_kernfwd on yes
      ;;
    noforward|nofwd)
      ipv4filter_kernfwd off yes
      ;;
    *)
      echo "Usage: `basename $0` ipfilter load|clear|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ipfilter exec $IPF4_FNS"
      echo " [chain p1 p2 ...]"
      exit 1
      ;;
  esac
}

# IPv6 filters
# The ipv6filter_* functions mirror their IPv4 counterparts above, using
# $IP6TBL, $IPTBL_V6PROC, $IPFWD_V6PROC, $IP6TBL_FILE and IPV6_FWDING_KERNEL.
# Only the differences are commented.

# ipv6filter_kernfwd on|off [yes] - see ipv4filter_kernfwd.
ipv6filter_kernfwd () {
  local OVERRIDE="$2"
  if [ "$OVERRIDE" != "YES" -a "$OVERRIDE" != "Yes" \
       -a "$OVERRIDE" != "yes" \
       -a "$IPV6_FWDING_KERNEL" != "FILTER_ON" ]; then
    return 0;
  fi
  case $1 in
    on)
      vb echo -n "Enabling IPv6 packet forwarding..."
      echo "1" >$IPFWD_V6PROC \
        && vb echo "done."
      ;;
    off)
      vb echo -n "Disabling IPv6 packet forwarding..."
      echo "0" >$IPFWD_V6PROC \
        && vb echo "done."
      ;;
    *)
      echo "AAARGGHH - wrong argument given to ipv6filter_kernfwd: $1"
      exit 1
      ;;
  esac
}

# Check and see if filtering and mangling are available
# ipv6filter_check - see ipv4filter_check (same "either table" semantics).
ipv6filter_check () {
  local TBL MANGLE FILTER
  MANGLE=0
  FILTER=0
  [ ! -f "$IPTBL_V6PROC" ] && return 1
  for TBL in `cat $IPTBL_V6PROC`; do
    case $TBL in
      mangle)
        MANGLE=1
        ;;
      filter)
        FILTER=1
        ;;
    esac
  done
  if [ $MANGLE -ne 1 -a $FILTER -ne 1 ]; then
    return 1
  fi
  return 0
}

# A function to flush the filters (for internal use)
# ipv6filter_flush [TABLE] - see ipv4filter_flush.
ipv6filter_flush () {
  local TBL
  # Flush the IPV6 filters out, and user defined chains
  [ ! -f $IPTBL_V6PROC ] && return 0
  for TBL in `cat $IPTBL_V6PROC`; do
    if [ "$TBL" = "$1" ]; then
      continue
    fi
    $IP6TBL -t $TBL -F
    $IP6TBL -t $TBL -X
  done
  return 0
}

# ipv6filter_policy POLICY [TABLE] - see ipv4filter_policy.  Only the mangle,
# filter and nat tables are handled here; raw, rawpost and security are not.
ipv6filter_policy () {
  local TBL
  [ ! -f $IPTBL_V6PROC ] && return 0
  for TBL in `cat $IPTBL_V6PROC`; do
    if [ "$TBL" = "$2" ]; then
      continue
    fi
    case $TBL in
      mangle)
        $IP6TBL -t $TBL -P PREROUTING $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
      filter)
        $IP6TBL -t $TBL -P INPUT $1
        $IP6TBL -t $TBL -P FORWARD $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
      nat)
        $IP6TBL -t $TBL -P PREROUTING $1
        $IP6TBL -t $TBL -P POSTROUTING $1
        $IP6TBL -t $TBL -P OUTPUT $1
        ;;
    esac
  done
  return 0
}

# function to set the filter default policies
# ipv6filter_clear [TABLE] - see ipv4filter_clear.
ipv6filter_clear () {
  ipv6filter_flush $1
  ipv6filter_policy ACCEPT $1
  return 0
}

# Selects basic filter type configuration function
# ipv6filter_iptbl_cfg FILE - see ipv4filter_iptbl_cfg; runs ipf6_laptopfw
# after a successful restore.
ipv6filter_iptbl_cfg () {
  if ! ipv6filter_check && ! $IP6TBL -L &> /dev/null; then
    echo
    echo "IPv6 filters: netfilter kernel modules not present."
    echo
    return 1
  fi
  if [ ! -f $1 ] ; then
    echo
    echo "IPv6 filters: no $1 file."
    echo
    return 1
  fi
  echo -n "Loading IPv6 filters..."
  if $IP6TBL_RESTORE < $1; then
    ipf6_laptopfw
    vb echo "done."
    ipv6filter_kernfwd on
  else
    return 1
  fi
  return 0
}

# ipv6filter_iptbl_save - see ipv4filter_iptbl_save (same umask 0277 /
# chmod 0400 handling for $IP6TBL_FILE).
ipv6filter_iptbl_save () {
  local OLD_UMASK
  if ! ipv6filter_check; then
    echo
    echo "IPv6 filters: netfilter kernel modules not loaded."
    echo
    return 1
  fi
  echo -n "Saving IPv6 filters..."
  backup_rotate "$IP6TBL_FILE" "$BACKUP_LEVELS"
  OLD_UMASK=`umask`
  umask 0277
  if $IP6TBL_SAVE > $IP6TBL_FILE; then
    umask $OLD_UMASK
    chmod 0400 $IP6TBL_FILE
    vb echo "done."
  else
    umask $OLD_UMASK
    vb echo
    return 1
  fi
  vb echo
  return 0
}

# ipv6filter_exec NAME [ARGS...] - see ipv4filter_exec; dispatches to
# ipf6_NAME using IPF6_FNS.  The same eval caveat applies.
ipv6filter_exec () {
  local RES
  if ! ipv6filter_check && ! $IP6TBL -L &> /dev/null; then
    echo
    echo "IPv6 filters: netfilter kernel modules not present."
    echo
    return 1
  fi
  local FN="$1"
  shift
  eval "case \"$FN\" in
    $IPF6_FNS)
      case \$1 in
        -r|remove)
          vb echo -n \"Removing IPv6 filter $FN...\"
          ;;
        *)
          vb echo -n \"Loading IPv6 filter $FN...\"
          ;;
      esac
      if ipf6_${FN} $*; then
        echo \"done.\"
        exit 0
      fi
      exit 1
      ;;
    *)
      echo \" `basename $0` ip6filter exec $IPF6_FNS\"
      echo \" [chain p1 p2 ...]\"
      exit 1
      ;;
  esac"
  return 0
}

# ipv6filter_cmd SUBCOMMAND [ARGS...] - see ipv4filter_cmd.  Differs in that
# it returns 0 silently when IPV6_KRNL < 1.
ipv6filter_cmd () {
  if [ $IPV6_KRNL -lt 1 ]; then
    return 0
  fi
  if [ "$KERN_VERSION" != "$TARGET_KERNEL1" \
       -a "$KERN_VERSION" != "$TARGET_KERNEL2" \
       -a "$KERN_VERSION" != "$TARGET_KERNEL3" ] ; then
    echo
    echo "IPv6 filters: kernel not version ${TARGET_KERNEL1}.x, ${TARGET_KERNEL2}.x, or ${TARGET_KERNEL3}.x."
    if [ "$IPV6_FWDING_KERNEL" = "FILTER_ON" ]; then
      # Keep the output pretty..
      echo
    fi
    ipv6filter_kernfwd off
    echo
    return 1
  fi
  if ! [ -x $IP6TBL ] ; then
    echo
    echo "IPv6 filters: $IP6TBL not found."
    echo
    return 1
  fi
  case $1 in
    load|reload|restart|reset)
      ipv6filter_iptbl_cfg $IP6TBL_FILE
      ;;
    usebackup)
      local BKUP_NUM=1
      [ -n "$2" ] && BKUP_NUM="$2"
      ipv6filter_iptbl_cfg "${IP6TBL_FILE}.${BKUP_NUM}"
      ;;
    save)
      ipv6filter_iptbl_save
      ;;
    clear|flush)
      ipv6filter_kernfwd off
      vb echo -n "Flushing IPv6 filters..."
      ipv6filter_clear
      vb echo "done."
      ;;
    exec)
      shift
      ipv6filter_exec $*
      ;;
    forward|fwd)
      ipv6filter_kernfwd on yes
      ;;
    noforward|nofwd)
      ipv6filter_kernfwd off yes
      ;;
    *)
      echo "Usage: `basename $0` ip6filter load|clear|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ip6filter exec $IPF6_FNS"
      echo " [chain p1 p2 ...]"
      exit 1
      ;;
  esac
}

##############################################################################
# Start and stop
##############################################################################

# start - apply the kernel switches, then load the IPv4 ruleset and, when
# IPV6_KRNL >= 1, the IPv6 one.  Any arguments (the main case passes
# "reload") are ignored.
start () {
  start_auto_ipkrnlswch
  ipv4filter_cmd load
  if [ $IPV6_KRNL -ge 1 ]; then
    ipv6filter_cmd load
  fi
} #END start ()

# stop - turn IPv4 forwarding off unconditionally (unlike ipv4filter_kernfwd,
# this does not consult IPV4_FWDING_KERNEL), flush the IPv4 tables and open
# their policies, then do the same for IPv6 when IPV6_KRNL >= 1.  Forwarding
# is switched off before the rules go away.
stop () {
  vb echo -n "Disabling IPv4 packet forwarding..."
  echo "0" >$IPFWD_V4PROC \
    && vb echo "done."
  vb echo -n "Flushing IPv4 filters..."
  ipv4filter_clear && vb echo "done."
  if [ $IPV6_KRNL -ge 1 ]; then
    vb echo -n "Disabling IPv6 packet forwarding..."
    echo "0" >$IPFWD_V6PROC \
      && vb echo "done."
    vb echo -n "Flushing IPv6 filters..."
    ipv6filter_clear && vb echo "done."
  fi
} #END stop ()

#############################################################################
# Main - Down to business
#############################################################################

# Handle symlinked ifup and ifdown commands
# (ifupdown is defined outside this section; it presumably exits, since
# control would otherwise fall through into the case below)
if [ "`basename $0`" = "ifup" -o "`basename $0`" = "ifdown" ]; then
  ifupdown $*
fi

# Top-level dispatch on the first argument.  The "ipfilter" and "ip6filter"
# branches hand the remaining arguments to the filter dispatchers; "ip6filter"
# is only recognised when IPV6_KRNL >= 1.
# NOTE(review): "fairq" appears in the usage text below but neither
# ipv4filter_cmd nor ipv6filter_cmd has an arm for it.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  reload)
    start reload
    ;;
  restart|force-reload)
    # Re-invoke this script for each phase rather than calling stop/start
    # in-process.
    $0 stop
    sleep 1
    $0 start
    ;;
  ipfilter)
    shift
    if ! ipv4filter_cmd $*; then
      exit 1
    fi
    ;;
  *)
    if [ $IPV6_KRNL -ge 1 -a "$1" = "ip6filter" ]; then
      shift
      if ! ipv6filter_cmd $*; then
        exit 1
      fi
      exit 0
    fi
    echo "Usage: `basename $0` start|stop|reload|restart"
    echo "Usage: `basename $0` ipfilter load|clear|fairq|flush|fwd|nofwd|reload|save"
    echo " usebackup [backup-number]"
    echo " `basename $0` ipfilter exec $IPF4_FNS"
    echo " [chain p1 p2 ...]"
    if [ $IPV6_KRNL -ge 1 ]; then
      echo "Usage: `basename $0` ip6filter load|clear|fairq|flush|fwd|nofwd|reload|save"
      echo " usebackup [backup-number]"
      echo " `basename $0` ip6filter exec $IPF6_FNS"
      echo " [chain p1 p2 ...]"
    fi
    exit 1
    ;;
esac
exit 0
netscript/netscript-ipfilter.80000664000000000000000000001321212362370504013702 0ustar .\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NETSCRIPT 8 "January 24, 2014"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
netscript \- netscript network configuration command
.SH SYNOPSIS
.B netscript start|stop|reload|restart
.br
.B netscript ipfilter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ipfilter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ipfilter exec
.I | [chain p1 p2 ...]
.br
.B netscript ip6filter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ip6filter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ip6filter exec
.I | [chain p1 p2 ...]
.br
.SH DESCRIPTION
This manual page documents briefly the
.B netscript
command from the netscript router/firewall network configuration package.
This command is used to configure/reconfigure the iptables filter setup that
is configured in netscript's configuration files.
.SH IPTABLES CONFIGURATION
Configuration saving is done by
.BR iptables-save (8)
and
.BR iptables-restore (8).
.SH OPTIONS
.TP
.B start
Set up networking configuration by loading ipchains filters, setting up
bridge, configuring interfaces and running any configured lower layer
protocol daemons or commands. For use from a startup script.
.TP
.B stop
Shut everything down. For use from a startup script.
.TP
.B reload
Refresh the setup of netscript from the configuration files in /etc/netscript
.TP
.B restart|force-reload
Stop everything and then start everything again. For use from a startup
script.
.TP
.B ipfilter load|reload
Load/reload the IPv4 iptables filters and reconfigure the firewalling, from
that saved in
.I /etc/netscript/iptables
(via
.B iptables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ipfilter save
Save the IPv4 iptables configuration to /etc/netscript/iptables via
.B iptables-save(8)
, after backing it up to
.I /etc/netscript/iptables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ipfilter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv4 iptables backup configuration from
.I /etc/netscript/iptables.n
( default 1 ) via
.B iptables-restore(8).
.TP
.B ipfilter clear|flush
Remove iptables and any firewall setup, and if IPV4_FWDING_KERNEL is set to
FILTER_ON (see
.B network.conf(5)
), disables all IPv4 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably safe
check to be made with the filtering down.
.TP
.B ipfilter forward|fwd
Turns on the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ipfilter noforward|nofwd
Turns off the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will cut off reachability.
.TP
.B ipfilter fairq
Reload the IPv4
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.TP
.B ip6filter load|reload
Load/reload the IPv6 iptables filters and reconfigure the firewalling, from
that saved in
.I /etc/netscript/ip6tables
(via
.B ip6tables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ip6filter save
Save the IPv6 iptables configuration to /etc/netscript/ip6tables via
.B ip6tables-save(8)
, after backing it up to
.I /etc/netscript/ip6tables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ip6filter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv6 iptables backup configuration from
.I /etc/netscript/ip6tables.n
( default 1 ) via
.B ip6tables-restore(8).
.TP .B ip6filter clear|flush Remove IPv6 iptables setup, and if IPV6_FWDING_KERNEL is set to FILTER_ON (see .B network.conf(5) ), disables all IPv6 packet forwarding on the router. Very useful for debugging protocol problems on a firewall by enabling a reasonably safe check to be made with the filtering down. .TP .B ip6filter forward|fwd Turns on the IPv6 kernel forwarding switch manually. This is irrespective of the setting of IPV6_FWDING_KERNEL (see .B network.conf(5) ). Use with .I caution as it will allow traffic through the box. .TP .B ip6filter noforward|nofwd Turns off the IPv6 kernel forwarding switch manually. This is irrespective of the setting of IPV6_FWDING_KERNEL (see .B network.conf(5) ). Use with .I caution as it will affect reachability. .TP .B ip6filter fairq Reload the IPv6 .I fairq chain that marks the packets for the .B QoS interface transmit queues. .SH FILES .I /etc/netscript/ipfilter.conf, /etc/netscript/network.conf, .br .I /etc/netscript/iptables, /etc/netscript/ip6tables, .br .SH SEE ALSO .BR ipfilter.conf (5), .BR network.conf (5), .BR ip (8), .BR tc (8), .BR iptables (8), .BR iptables-restore (8), .BR iptables-save (8), .BR ip6tables (8), .BR ip6tables-restore (8), .BR ip6tables-save (8), .BR brcfg (8). .br .SH AUTHOR This manual page was written by Matthew Grant , for the Debian GNU/Linux system (but may be used by others). .SH BUGS I wrote this manpage when I was half asleep... netscript/netscript-ipfilter.conf.50000664000000000000000000000323612362370504014630 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH NETSCRIPT.CONF 5 "January 16, 2014" .\" Please adjust this date whenever revising the manpage. 
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
/etc/netscript/network.conf \- firewalling configuration file.
/etc/netscript/ipfilter.conf \- IP iptables filtering shell script file
.SH DESCRIPTION
This manpage is a placeholder until something better is written, once
netscript itself has stopped changing rapidly. Please see the README file in
the /etc/netscript directory, and READ the configuration files if you need
to change them. Apart from network.conf, all of them contain
.B sh (1)
shell script functions which are there so that various things can be
altered or hooked in at the right place. Network.conf contains the various
firewall helper chain set up settings, as well as control of kernel packet
forwarding for IPv4 and IPv6.
.SH SEE ALSO
.BR netscript (8),
.BR iptables (8),
.BR ip6tables (8),
.br
.SH AUTHOR
This manual page was written by Matthew Grant , for the Debian GNU/Linux
system (but may be used by others).
.SH BUGS
The author is lazy. He needs to write better man pages...
netscript/netscript.80000664000000000000000000001545212362370504012076 0ustar .\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NETSCRIPT 8 "January 9, 2014"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
netscript \- netscript network configuration command
.SH SYNOPSIS
.B netscript start|stop|reload|restart
.br
.B netscript ifup|ifdown|ifqos|ifreload
.I |all
.br
.B netscript ipfilter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ipfilter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ipfilter exec
.I | [chain p1 p2 ...]
.br
.B netscript ip6filter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ip6filter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ip6filter exec
.I | [chain p1 p2 ...]
.br
.SH DESCRIPTION
This manual page documents briefly the
.B netscript
command from the netscript router/firewall network configuration package.
This command is used to configure/reconfigure the interface configuration,
ipchains filter setup, and ip route service (
.B QoS
) setup that are configured in netscript's configuration files. It can
manipulate individual interfaces, and reconfigure the iptables filter
contents and firewall setup, or reconfigure the
.B QoS
setup. It is rather incomplete as it does not describe fully the finely
tuned manipulations that happen due to netscript's design, which enables a
Linux box to serve as a high availability heavy-duty mission-critical
network router or firewall.
.SH IPTABLES CONFIGURATION
Configuration saving is done by
.BR iptables-save (8)
and
.BR iptables-restore (8).
.SH OPTIONS
.TP
.B start
Set up networking configuration by loading iptables filters, setting up
bridge, configuring interfaces and running any configured lower layer
protocol daemons or commands. For use from a startup script.
.TP
.B stop
Shut everything down. For use from a startup script.
.TP
.B reload
Refresh the setup of netscript (except for kernel modules) from the
configuration files in /etc/netscript
.TP
.B restart|force-reload
Stop everything and then start everything again. For use from a startup
script.
.TP
.BI ifup \ |all
Bring interface(s) up by starting any protocol daemons, and configuring
interfaces.
.TP
.BI ifdown \ |all
Shut down said interface(s) by doing the reverse of ifup.
.TP
.BI ifqos \ |all
Reload QoS configuration for interface(s).
.TP
.BI ifreload \ |all
Refresh the interface setup and implement any configuration changes.
.TP
.BI ifreset \ |all
Shut down and then restart interface(s), reloading configuration from the
lower layer up to the network layer.
.TP
.B ipfilter load|reload
Load/reload the IPv4 iptables filters and reconfigure the firewalling, from
that saved in
.I /etc/netscript/iptables
(via
.B iptables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ipfilter save
Save the IPv4 iptables configuration to /etc/netscript/iptables via
.B iptables-save(8)
, after backing it up to
.I /etc/netscript/iptables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ipfilter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv4 iptables backup configuration from
.I /etc/netscript/iptables.n
( default 1 ) via
.B iptables-restore(8).
.TP
.B ipfilter clear|flush
Remove iptables and any firewall setup, and if IPV4_FWDING_KERNEL is set to
FILTER_ON (see
.B network.conf(5)
), disables all IPv4 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably safe
check to be made with the filtering down.
.TP
.B ipfilter forward|fwd
Turns on the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ipfilter noforward|nofwd
Turns off the IPv4 kernel forwarding switch manually.
This is irrespective of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will cut off reachability.
.TP
.B ipfilter fairq
Reload the IPv4
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.TP
.B ip6filter load|reload
Load/reload the IPv6 iptables filters and reconfigure the firewalling, from
that saved in
.I /etc/netscript/ip6tables
(via
.B ip6tables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ip6filter save
Save the IPv6 iptables configuration to /etc/netscript/ip6tables via
.B ip6tables-save(8)
, after backing it up to
.I /etc/netscript/ip6tables.1
and cycling the previous backup files down through the configuration
history.
.TP
.BI ip6filter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv6 iptables backup configuration from
.I /etc/netscript/ip6tables.n
( default 1 ) via
.B ip6tables-restore(8).
.TP
.B ip6filter clear|flush
Remove IPv6 iptables setup, and if IPV6_FWDING_KERNEL is set to FILTER_ON
(see
.B network.conf(5)
), disables all IPv6 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably safe
check to be made with the filtering down.
.TP
.B ip6filter forward|fwd
Turns on the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ip6filter noforward|nofwd
Turns off the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will affect reachability.
.TP
.B ip6filter fairq
Reload the IPv6
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.SH FILES
.I /etc/netscript/if.conf, /etc/netscript/ipfilter.conf,
.br
.I /etc/netscript/network.conf, /etc/netscript/qos.conf,
.br
.I /etc/netscript/iptables, /etc/netscript/ip6tables,
.br
.SH SEE ALSO
.BR if.conf (5),
.BR ipfilter.conf (5),
.BR network.conf (5),
.BR qos.conf (5),
.BR ip (8),
.BR tc (8),
.BR iptables (8),
.BR iptables-restore (8),
.BR iptables-save (8),
.BR ip6tables (8),
.BR ip6tables-restore (8),
.BR ip6tables-save (8),
.BR brcfg (8).
.br
.SH AUTHOR
This manual page was written by Matthew Grant , for the Debian GNU/Linux system (but may be used by others).
.SH BUGS
I wrote this manpage when I was half asleep...
netscript/netscript.ppp.ip-down0000775000000000000000000000123212445750443014102 0ustar
#!/bin/bash
# pppd ip-down hook: bring down the interfaces chained to the PPP interface
# (PPP_IFACE, set by pppd) and clear its QoS setup.  Does nothing unless
# both /bin/ip and /sbin/netscript are present.
[ ! -x /bin/ip ] && exit 0
[ ! -x /sbin/netscript ] && exit 0
# Helpers expected by the sourced configuration: qt runs a command silently,
# vb runs it as-is, source/basename are shell-only replacements.
qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . $1 ; }
basename () { echo "${1##*/}"; }
# NOTE(review): these files are executed as shell, so they must stay
# root-owned and non-writable by other users.
. /etc/netscript/if.conf
. /etc/netscript/network.conf
. /etc/netscript/qos.conf
REV_PPP_CHAIN=''
# Interface name with '-' replaced by '_' so it can form a variable name.
IF_NODASH=`echo "$PPP_IFACE" | sed -e 's/\-/_/g'`
# Look up <iface>_PPP_CHAIN and <iface>_PPP_CHAIN_AUTO from the configuration.
eval PPP_CHAIN=\"\${"${IF_NODASH}"_PPP_CHAIN:-""}\"
eval PPP_CHAIN_AUTO=\"\${"${IF_NODASH}"_PPP_CHAIN_AUTO:-""}\"
PPP_CHAIN="$PPP_CHAIN_AUTO $PPP_CHAIN"
# NOTE(review): despite the name, this loop appends in the original order, so
# REV_PPP_CHAIN ends up in the same order as PPP_CHAIN, not reversed.
for IF in $PPP_CHAIN; do
  REV_PPP_CHAIN="$REV_PPP_CHAIN $IF"
done
unset IF
for IF in $REV_PPP_CHAIN; do
  if_down $IF
done
unset IF
[ ! -x /sbin/tc ] && exit 0
ip_QoSclear $PPP_IFACE
netscript/netscript.ppp.ip-up0000775000000000000000000000144712445750443013557 0ustar
#!/bin/bash
# pppd ip-up hook: apply QoS to the PPP interface (PPP_IFACE, set by pppd),
# set its txqlen, run an optional per-interface <iface>_network_ppp hook and
# bring up the interfaces chained to it.  Does nothing unless both /bin/ip
# and /sbin/netscript are present.
[ ! -x /bin/ip ] && exit 0
[ ! -x /sbin/netscript ] && exit 0
qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . $1 ; }
basename () { echo "${1##*/}"; }
# NOTE(review): these files are executed as shell, so they must stay
# root-owned and non-writable by other users.
. /etc/netscript/if.conf
. /etc/netscript/network.conf
. /etc/netscript/qos.conf
if [ -x /sbin/tc ]; then
  ip_QoSppp $PPP_IFACE
  ip_QoS $PPP_IFACE
fi
# Interface name with '-' replaced by '_' so it can form a variable name.
IF_NODASH=`echo "$PPP_IFACE" | sed -e 's/\-/_/g'`
# Per-interface <iface>_TXQLEN, falling back to ppp_TXQLEN; applied only when
# one of them is set.
eval TXQLEN=\${"${IF_NODASH}"_TXQLEN:-""}
[ -z "$TXQLEN" ] && eval TXQLEN=\${ppp_TXQLEN:-""}
[ -n "$TXQLEN" ] \
  && ip link set dev $PPP_IFACE txqlen $TXQLEN
# Set up routes and ARP etc
# (qt is redefined here identically to the definition above)
qt () { "$@" >/dev/null 2>&1 ; }
if qt type ${PPP_IFACE}_network_ppp ; then
  ${PPP_IFACE}_network_ppp $PPP_IFACE
fi
eval PPP_CHAIN_AUTO=\"\${"${IF_NODASH}"_PPP_CHAIN_AUTO:-""}\"
for IF in $PPP_CHAIN_AUTO; do
  if_up $IF
done
netscript/network-ipfilter.conf0000664000000000000000000001344013022136562014137 0ustar
###############################################################################
# General Settings
###############################################################################
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
VERBOSE=YES
# IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
IPV4_FWDING_KERNEL=YES
IPV6_FWDING_KERNEL=YES
###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of back up kept. This is done by appending
# the number 0 to the setting below to the file name, and rotating them.
# Suggested minimum for this is 2, for 5 lots of backup. Can't be set
# any lower than 2.
BACKUP_LEVELS=3
#
############################################################################
# This set of variables is used with the boilerplate chain creation commands
############################################################################
# HINT: Create the log and rejectlog chains before any of the others
# # with the 'netscript ipfilter exec log|rejectlog' command.
##################################
# log chain - for IPv4 and IPv6 #
##################################
# Syslog level for IP tables kernel messages - v4 and v6
LOG_LEVEL=warning
# Maximum log message rate - v4 and v6
LOG_MAXRATE=3 # messages per second
# Log target - DROP/REJECT
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
#########################################
## IPv6 ICMP chains - chain output targets
##########################################
# icmphost output target - Default ACCEPT or RETURN
#IPV6_ICMPHOST_TARGET=ACCEPT
# icmpfwd output target - ACCEPT or default RETURN
# This has to be RETURN if using the outbrdr chain
#IPV6_ICMPFWD_TARGET=RETURN
################################
# IPv6 ICMP chains - limit rates
################################
# NOTE - the icmphost target rule will generate the martians chain and hook it in
# appropriately
# ICMP rate limit for this host
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 # messages per second
# ICMPv6 we optionally want to accept or forward. All other ICMPv6 is logged
# and dropped. See RFC 4980 and tail of 'ip6tables -p icmpv6 -h' output.
# MIPv6 ICMP messages are ICMP types 144, 145, 146, and 147
# MIPv6 is really useful when tunnelled via IPSEC
# Router Renumbering is type 138
IPV6_ICMPHOST_OPTIONAL="redirect 144 145 146 147"
IPV6_ICMPFWD_OPTIONAL="144 145 146 147"
###################
# martians chains #
###################
# Net blocks to bypass martians checking on - useful for internal
# RFC 1918 netblocks.
#MARTIAN_BYPASS="10.0.0.0/8 192.168.1.0/24" #IPV6_MARTIAN_BYPASS="fd13::123:456::/48" # Extra blocks for the martian chain MARTIAN_NETS="" # List of additional martian/invalid # IP source addresses - network/mask IPV6_MARTIAN_NETS="" # Logging of private networks - mostly 'noise' # default is NO LOG_NOISE="NO" IPV6_LOG_NOISE="NO" ########################################### # ingress chain - for IP spoof protection # ########################################### # List of IP numbers common to the box - this is to protect against # spoofing of the interface addresses on the machine when using Free S/WAN # IPSEC. Insert your interface IPs here, and tie the chain in where # appropriate on the INPUT and FORWARD chains #INGRESS_IPS="127.0.0.1 192.168.1.1 192.168.2.1" INGRESS_IPS="127.0.0.1 203.79.116.183 192.168.110.254 172.31.10.254" IPV6_INGRESS_IPS="fd14:828:ba69:1::254 2001:470:f012::254 fd14:828:ba69:2::254 2001:470:f012:2::254 2001:470:c:2e6::2" # Same as above but for use in the ingrssfwd chain for FORWARD chain # Note interface name can be added to end #INGRESS_FWD_NETS="127.0.0.0/8 192.168.1.0/24_eth0 192.168.2.1_eth1" #IPV6_INGRESS_FWD_NETS="fd14:828:ba69::/48" ############## # snmp chain # ############## # List of IP Nos used for SNMP management #SNMP_MANAGER_IPS="192.168.1.1" #IPV6_SNMP_MANAGER_IPS="::1" # Destination block for SNMP blocking - set this to the address containing your # routers #SNMP_DEST_BLOCK=0/0 #IPV6_SNMP_DEST_BLOCK=::/0 ######################## # Border router chains # ######################## # This set of variables is used with the inbrdr and outbrdr border # router chains # The Link network # - Use these if your network link to the outside is in one of your # IP Number Blocks #LINK_NET="192.168.1.0/30" #IPV6_LINK_NET="2001:db8:1:1::/64" # Our IP number blocks #IP_BLOCKS="192.0.2.145/32" #IPV6_IP_BLOCKS="2001:db8:1:2::/48" # Block incoming/outgoing SMB/Netbios - YES/NO (v4 and v6) SMB_BLOCK=YES # Block incoming SNMP, - YES/NO (v4 and v6) 
SNMP_BLOCK=YES # Blocked inbound source addresses #BLOCKED_INSRC="all_192.0.2.1" #IPV6_BLOCKED_INSRC="all_2001:db8::1" BLOCKED_INSRC="" IPV6_BLOCKED_INSRC="" # Logged blocked inbound source addresses #LOGGED_BLOCKED_INSRC="all_192.0.2.1" #IPV6_LOGGED_BLOCKED_INSRC="all_2001:db8::2" # Blocked inbound destinations #BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain" #IPV6_BLOCKED_INDEST="tcp_2001:db8::1_23 udp_2001:db8::2_domain" # Logged blocked inbound dests #LOGGED_BLOCKED_INDEST="tcp_192.0.2.6_smtp" #IPV6_LOGGED_BLOCKED_INDEST="tcp_2001:db8::23_smtp" # The DNS servers that are to do zone transfers #DNS_IPS="192.0.2.45" #IPV6_DNS_IPS="2001:db8::4" # Blocked outbound destinations #BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain" #IPV6_BLOCKED_OUTDEST="tcp_2001:db8::1_23 udp_2001:db8::2_domain" # Logged blocked outbound dests #LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp" #IPV6_LOGGED_BLOCKED_OUTDEST="tcp_2001:db8::45_smtp" # outbrdr output target - RETURN or ACCEPT # RETURN is useful with IPv6 CPE for SOHO / geek domestic #OUT_TARGET=ACCEPT #IPV6_OUT_TARGET=ACCEPT IPV6_OUT_TARGET=RETURN netscript/network-ipfilter.conf.50000664000000000000000000000002512362370504014277 0ustar .so netscript.conf.5 netscript/network.conf0000664000000000000000000006501213030312427012320 0ustar # # Source /etc/netscript/network.conf.d/*.conf # include /etc/netscript/network.conf.d/*.conf ############################################################################### # General Settings ############################################################################### # # VERBOSE=(YES/NO) Default: Yes # Be verbose about settings. #VERBOSE=YES # IPV6_MODULE=(YES/NO) Default: NO # If kernel is modular, enable IPv6 support by loading module. Once loaded, # it cannot be unloaded due to kernel internal dependencies.
#IPV6_MODULE=NO # IPV6_DISABLE=(YES/NO) Default: NO # Disable IPv6 protocol on all interfaces including lo #IPV6_DISABLE=NO # IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # Enable IP forwarding in the kernel. FILTER_ON means forwarding will # only happen when IP filtering rules are loaded IPV4_FWDING_KERNEL=FILTER_ON IPV6_FWDING_KERNEL=FILTER_ON # IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE # IPV4_DEFAULT_GWDEV=eth0 # IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE # IPV6_DEFAULT_GWDEV=eth0 # IPV6_DEFAULT_PREFIX=2000::/3 # Default value # DEFAULT_METRIC=999999999 # Default value # # Default Route Setup # Use this to set the default route if required - ONLY one to be set. # routed or gated could be used to set this so only use if not running these. # These routes are installed at metric DEFAULT_METRIC so that netscript # can identify its own routes. This means that it can delete them # if the IPVn_DEFAULT_GW variables are not set. You can also specify a # Default prefix for IPv6 as the kernel does some funny things around # default IPv6 routes. Also, later kernels will only route if next hop is # an fe80 link local address... # OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes # Use if you are going to run a routing daemon such as # bird, gated, mrtd, routed, or zebra. #IPV4_DEFAULT_GW=192.0.2.11 #IPV4_DEFAULT_GWDEV=eth0 #IPV6_DEFAULT_GW=fe80::1:11 #IPV6_DEFAULT_GWDEV=eth0 # IPV6_DAD_WAIT_TIME="10" # # Wait time in seconds for DAD to happen on netscript start. This is to help # boot sequencing and make sure interface address assignment has happened so # network daemons can bind to static addresses. Set to 0 if you don't want # to wait. # IPV6_DAD_WAIT_TIME="7" # DHCP_RA_STROKE_CMD="" # # DHCP/IPv6 RA restart/reload command # Use this to restart DHCP or radvd on any interface up.
Works round # issues with special broadcast address routing and multicast listening # Otherwise, under IPv6, Default route can disappear! # DHCP_RA_STROKE_CMD="service dnsmasq restart" #DHCP_RA_STROKE_CMD="systemctl restart dnsmasq" NET_GLOBAL_SYSCTL=" # This section is set up so that various network global variables can be set. # Please refrain from trying to set interface variables using this, and # use the switches provided in this file. It is very easy to configure # the interfaces insecurely. # Set whether programs can bind to non local IP addresses. Useful for wierd # NAT work ipv4/ip_nonlocal_bind NO # Set up the kernel to work with dynamic addressing on diald ipv4/ip_dynaddr NO # Control response to ICMP echo requests. the broadcast one also controls # the response to multicast packets. ipv4/icmp_echo_ignore_all NO ipv4/icmp_echo_ignore_broadcasts YES # Turn off ecn - a good idea for most situations ipv4/tcp_ecn NO " ########################### # Backups and compilation # ########################### # # BACKUP_LEVELS - maximum level of back up kept. This is done by appending # the number 0 to the setting below to the file name, and rotating them. # Suggested minimum for this is 2, for 5 lots of backup. Can't be set # any lower than 2. BACKUP_LEVELS=3 ############################################################################### # Interfaces ############################################################################### # IF_AUTO Default: "eth0" # A space separated list of interfaces that get started on boot. Tunneling # interfaces like CIPE should be after the raw interfaces they depend on. # The interfaces are started in the order they occur on the list, and are # shutdown in the reverse order of IF_LIST. IF_AUTO="$IF_AUTO" # IF_DYNAMIC Default: "" # A space separated list of dynamic interfaces that are not created by # the loading of a hardware driver etc. Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software # program creates it. This is so that you can start these dynamic interfaces # manually. #IF_DYNAMIC="ppp0" IF_DYNAMIC="$IF_DYNAMIC" # IPv4 global proc flags # # Accept ICMP Redirects on ALL interfaces, also depends on /proc # per interface IP forwarding flag. - YES/NO ALLIF_ACCEPT_REDIRECTS=NO # IPv6 global proc flags # # IF_DEFAULT_IPV6_DISABLE Default: NO - YES/NO # Disable IPv6 on new interfaces by default. Useful when machine # is a Virtual Machine server, heavily using bridges for network # connections. # WARNING: Don't turn on for openstack. It messes up its # IPv6 detection as it uses this sysctl when it should use the 'all' one, # rather than /proc/sys/net/ipv6/conf/default/ipv6_disable... #IF_DEFAULT_IPV6_DISABLE=NO # Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma # WAN interfaces # IPv4 spoofing protection by default for interfaces - YES/NO DEF_IP_SPOOF=YES # Kernel logging of spoofed packets by default for interfaces - YES/NO DEF_IP_KRNL_LOGMARTIANS=YES ############################# # Bridge Setup - Global stuff ############################# # Enable bridging - YES/NO/number of bridges #BRG_SWITCH=no # # AND Additional named bridges to add #BRG_LIST="brg0 inet0 dmz0 dbase0 admin0" # # Remove Bridges from Netfilter - default YES - YES/NO # Only need to turn this off if creating a transparent # firewall, where bridged traffic must still pass through netfilter! #BRG_NETFILTER_REMOVE=YES ############################# # Individual Interfaces setup ############################# # eth0 stuff # ---------- # ADDRESSING # # NB: WATCH LEADING ZEROES - address will not be added to interface! # # Use the old style: #eth0_IPADDR=192.0.2.7 #eth0_MASKLEN=24 #eth0_BROADCAST=192.0.2.255 # # Secondary IP addresses/networks on same wire - add them here #eth0_IP_EXTRA_ADDRS="192.0.2.193 192.0.2.1/24" # # -OR- the new style which also supports IPv6...
# #eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64" # # IP spoofing protection on this interface - YES/NO #eth0_IP_SPOOF=YES # # Kernel logging of spoofed packets on this interface - YES/NO #eth0_IP_KRNL_LOGMARTIANS=YES # # This setting affects the processing of ICMP redirects. Setting it to NO # makes this more secure. Don't turn this off if you have two IP # networks/subnets on the same media - YES/NO #eth0_IP_SHARED_MEDIA=NO # # This setting configures the interface to either send redirects or not. # This is useful for use with openvpn, due to the fact it can route packets # out the same interface they came in on! - YES/NO #eth0_IP_SEND_REDIRECTS=NO # # Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works # well without packet fragmentation #eth0_IPV6_MTU=1500 # # Disable IPv6 on this interface - default NO - YES/NO #eth0_IPV6_DISABLE=NO # # Set the interface up in forwarding/non-forwarding configuration modes. This # setting does not control the forwarding of packets via this interface. Use # iptables for this. In host mode this allows the acceptance of ICMP redirects and # router advertisement packets (overridden by above flags in host mode), as # well as setting the IsRouter bit in Neighbour advertisements, and whether # router solicitation packets are sent - YES/NO #eth0_IPV6_FWDING=YES # # Accept ICMP IPv6 redirects in host mode on this interface - YES/NO #eth0_IPV6_ACCEPT_REDIRECTS=NO # # Accept IPv6 Router Advertisement packets in host mode default YES - YES/NO #eth0_IPV6_ACCEPT_RA=YES # # Accept Prefix for SLAAC addressing in IPv6 Router Advertisement packets # in host mode default YES - YES/NO #eth0_IPV6_ACCEPT_RA_PINFO=YES # # Accept routes advertised by Router Advertisements. Debian Kernel 2.6.32+ # This is the threshold for the bit length of the prefixes accepted. Kernel # defaults to zero, which means accept none.
64 will accept normal IPv6 routes #eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64 # # Send router solicitations, gives number to send default 3 - YES/NO/0-9 #eth0_IPV6_ROUTER_SOLICITATIONS=0 # # Enable IPV6 privacy extensions, default NO - YES/NO/0-2 # 1 enables privacy MAC addresses for global addressing, excluding ULA # prefixes. 2 enables it for all ULA and global addresses, not recommended #eth0_IPV6_PRIVACY=NO # # Set resolvconf details here. It takes /etc/resolv.conf settings as per # resolv.conf(5). Note that you have to uncomment whole string below! Will take # \n as well #eth0_RESOLVCONF="options edns0 inet6\nsearch internal.foo.org foo.org\nnameserver 192.0.2.1" # # Automatically start/stop these interfaces if this interface is manually # started/stopped. Interfaces started in order of list, shutdown in reverse # order. #eth0_IF_CHAIN_AUTO="tun0" # # Same as above, except for PPP interface. #ppp0_PPP_CHAIN_AUTO="he0" # # Automatically stop these interfaces if this interface is manually stopped. # Interfaces stopped in reverse order of this list before those in # IF_CHAIN_AUTO #eth0_IF_CHAIN="" # # Bridge this interface - YES/NO/bridge interface #eth0_BRIDGE=yes # # Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO #eth0_PROXY_ARP=NO # # Protocol MTU for interface # - Set to override default interface value #eth0_MTU=1500 # # Multicast setting for interface # Set to override configuration default - YES/NO|on/off #eth0_MULTICAST=YES # # Simple QoS/fair queueing support # Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO #eth0_FAIRQ=NO # # Ethernet Transmit Queue Length #eth0_TXQLEN=100 # # Complex QoS - Enable all of these + above to turn it on # Device Bandwidth #eth0_BNDWIDTH=10Mbit # # Queue Handles - both must be unique # Use for running tunnel daemons or other dynamic interfaces that # can be here and gone very rapidly - not needed for async PPP # eth0_HNDL1=1 # eth0_HNDL2=2 # # Interactive Burst parameters - bandwidth and number of packets #eth0_IABURST=100 # packets #eth0_IARATE=1Mbit # # Device Physical MTU - includes link layer header # NB FR has 8 bytes LL header, ethernet 14 #eth0_PXMTU=1514 # # Committed Access Rate # - if using FR, set to CIR, else to total combined bulk data # throughput (ie eth0_BULKRATE + sum of special queue rates) #eth0_CARATE=3Mbit # # Optional parameters for Complex QoS # # Peak Rate # Use this to set FR Burst capacity #eth0_PEAKRATE=4MBit # # Parameters for Bulk Data bandwidth shaping # Bulk Rate - set for ordinary traffic. # MUST MUST MUST be used with special queues # to indicate the ordinary traffic load.
Has to satisfy # BULKRATE <= (CARATE - total_special_queue_bandwidth) #eth0_BULKRATE=2MBit # Special Queues - see further down in fair queuing section # as this needs unique mark values #eth0_SPQUEUE # eth1_IPADDR="192.0.2.1/29_brd_192.0.2.7" # eth1_IP_SPOOF=YES # eth1_IP_KRNL_LOGMARTIANS=YES # eth1_FAIRQ=NO # eth1_TXQLEN=100 # eth1_BNDWIDTH=10Mbit # eth1_CARATE=7Mbit # eth1_HNDL1=3 # eth1_HNDL2=4 # eth1_IABURST=100 # eth1_IARATE=1Mbit # eth1_PXMTU=1514 # eth1_PEAKRATE=8Mbit # eth1_BULKRATE=6Mbit #ppp1_IPADDR=192.0.2.1 #chdlc0_IPADDR=192.0.2.1_peer_192.0.2.2 # PPP interface stuff - these apply to all ASYNC ppp interfaces ppp_FAIRQ=YES ppp_TXQLEN=30 # Complex stuff ppp_BNDWIDTH=30Kbit ppp_IABURST=20 ppp_CARATE=20Kbit ppp_IARATE=10Kbit ppp_PXMTU=1500 ############################ # Special Interface Handling ############################ # If the interface requires the running of a daemon or configuration program # two functions must be supplied taking the interface name as the first # and only argument. Both of these functions have names of the form # ifname_start and ifname_stop (e.g. eth0_start and eth0_stop), with the former # starting the interface and the latter shutting it down and deconfiguring it. # The following global variables will be set for the ifname_start # function if they are configured. # # IPADDR - interface IP address/mask -OR- the new form as above # BROADCAST - interface broadcast address # PTPADDR - PTP address of interface # IP_EXTRA_ADDRS - Extra IP addresses/networks bound to interface # # The if_addr_start function in if.conf should be used to set the addresses on # the interface once it is created. It also sets the interface sysctl # /proc flags, and brings the interface up, as well as enabling the use # of multiple addresses on the interface. The if_addr_stop complementary # function should be used to down the interface and clear the addresses off it. # # BOTH A START AND A STOP FUNCTION SHOULD PROBABLY BE DEFINED if you use them.
# # The if-type of an interface name is given by the first alpha-numerics # of the name excluding the instance number on the end - ie the type of "eth1" # is "eth" and the type of "wan1a2" is "wan1a". # # The code in if.conf first checks for an individual interface function, # then a typed interface function, and then uses the default which is for # ethernet type interfaces. # # If you are starting a tunneling interface that is dependent on another # interface being up to continue to function correctly, use the intX_IF_CHAIN # and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to # start and stop the tunneled interfaces. Also add the tunnel interface to # IF_AUTO AFTER the hardware interface so that it is started on boot. # # Static routes and other network setup can be handled by using the # ifname_network functions or those above, but the recommendation is to # run the zebra routing daemons as this has problems with clearing # unwanted routes etc. # # Here are some example functions, some of which are actually used # # PPP - interface ppp0 # #ppp0_start () { # # don't run pppd if link already exists... # [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0 # sleep 5 # # call ISP # pppd call provider updetach > /dev/null #} #ppp1_start () { # # don't run pppd if link already exists... # [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0 # pppd ttyS2 19200 passive local noauth ${IPADDR}: #} # # NB Stop function is provided as a type function as it can cover all # analogue ppp interface instances. #ppp_stop () { # [ !
-f /var/run/$1.pid ] && return 0 # qt kill `cat /var/run/$1.pid` # sleep 5 # Wait for pppd to die #} #ppp0_network_ppp () { # ip route replace 192.168.34.0/24 via 192.168.23.1 #} # # DHCP interface setup # # Comment out or add change 'eth_' to 'eth0_' #eth_start () { # if [ -x /sbin/dhclient ]; then # qt /sbin/dhclient $1 # elif [ -x /sbin/dhcpcd ]; then # qt /sbin/dhcpcd -R -N $1 # elif [ -x /sbin/pump ]; then # /sbin/pump -i $1 -h `cat /etc/hostname` # fi #} # #eth_stop () { # if [ -f /var/run/dhclient.pid ]; then # qt kill `cat /var/run/dhclient.pid` # elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then # qt /sbin/dhcpcd -k $1 # elif [ -e /var/run/pump.sock ]; then # /sbin/pump -i $1 -r # fi # if_addr_stop $1 #} # Openvpn setup #tun_start () { # local PIDFILE="/var/run/openvpn.${1}.pid" # # don't run openvpn if link already exists... # [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0 # openvpn --config /etc/openvpn/$1.netscript \ # --writepid $PIDFILE \ # --cd /etc/openvpn \ # --daemon openvpn.$1 # #} # #tun_stop () { # local PIDFILE="/var/run/openvpn.${1}.pid" # [ ! -f $PIDFILE ] && return 0 # qt kill `cat $PIDFILE` # [ -f $PIDFILE ] && rm $PIDFILE # sleep 5 # Wait for openvpn to die #} # #tap_start () { # tun_start "$@" #} # #tap_stop () { # tun_stop "$@" #} # # # Interesting example showing how to set # resolvconf nameserver details #brg1_start () { # # default interface startup # brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE" # # Start interface # if_addr_start $1 # local NS=" #nameserver 192.0.2.254 #" # echo "$NS" | resolvconf -a $1 #} # #brg1_stop () { # resolvconf -d $1 # # default action # brg_iface $1 down $IPV6_DISABLE # if_addr_stop $1 #} # More examples... # inet0_start () { # if_addr_start $1 # echo | resolvconf -a $1 < /dev/null 2>&1 ; then return 0 fi ! [ -f /var/run/${1}.pid ] && return 0 if ! 
kill -0 `cat /var/run/${1}.pid` > /dev/null 2>&1 ; then return 0 fi # Get Unit number PPP_UNIT=`echo $1 | sed 's/^ppp\(.*\)$/\1/'` # Transform variables eval "$1"_HNDL1=$(( $PPP_UNIT + 8000 )) eval "$1"_HNDL2=$(( $PPP_UNIT + 9000 )) eval "$1"_FAIRQ=${ppp_FAIRQ:-} eval "$1"_BNDWIDTH=${ppp_BNDWIDTH:-} eval "$1"_PXMTU=${ppp_PXMTU:-} eval "$1"_CARATE=${ppp_CARATE:-} eval "$1"_IARATE=${ppp_IARATE:-} eval "$1"_IABURST=${ppp_IABURST:-} return 0 } ip_QoSclear () { [ -x /sbin/tc ] \ && qt tc qdisc del dev $1 root return 0 } ip_QoS () { local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` # Set some vaiables eval local HNDL1=\${"${IF_NODASH}"_HNDL1:-""} eval local HNDL2=\${"${IF_NODASH}"_HNDL2:-""} eval local FAIRQ=\${"${IF_NODASH}"_FAIRQ:-""} eval local BNDWIDTH=\${"${IF_NODASH}"_BNDWIDTH:-""} eval local PXMTU=\${"${IF_NODASH}"_PXMTU:-""} eval local CARATE=\${"${IF_NODASH}"_CARATE:-""} eval local IARATE=\${"${IF_NODASH}"_IARATE:-""} eval local IABURST=\${"${IF_NODASH}"_IABURST:-""} eval local SPQUEUE=\${"${IF_NODASH}"_SPQUEUE:-""} eval local PEAKRATE=\${"${IF_NODASH}"_PEAKRATE:-"$BNDWIDTH"} eval local BULKRATE=\${"${IF_NODASH}"_BULKRATE:-"$CARATE"} if [ ! 
-x /sbin/tc ]; then return 1 fi if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ] then return 1 fi if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" \ -o -z "$PXMTU" -o -z "$CARATE" ]; then tc qdisc replace dev $1 root sfq return 0 fi local IF_INDEX=`ip link | grep $1 | sed -e "s/^\([0-9]\+\): $1.*$/\1/"` if [ -z "$HNDL1" ]; then HNDL1=$(( $IF_INDEX * 10 + 1001 )) fi if [ -z "$HNDL2" ]; then HNDL2=$(( $IF_INDEX * 10 + 1002 )) fi # Attach CBQ to device tc qdisc add dev $1 root handle $HNDL1: cbq \ bandwidth $BNDWIDTH allot 1514 \ avpkt 1000 # Set up classes # Root class tc class add dev $1 parent $HNDL1:0 classid :1 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $PEAKRATE \ allot $PXMTU avpkt 1000 bounded # Bulk class tc class add dev $1 parent $HNDL1:1 classid :2 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $CARATE \ allot $PXMTU avpkt 1000 bounded prio 6 \ split $HNDL1:0 defmap ff7f # Interactive class tc class add dev $1 parent $HNDL1:1 classid :3 est 2sec 16sec \ cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \ allot $PXMTU avpkt 1000 bounded isolated \ prio 2 split $HNDL1:0 defmap 80 # Priority class tc class add dev $1 parent $HNDL1:1 classid :4 est 1sec 8sec \ cbq bandwidth $BNDWIDTH rate $PEAKRATE \ allot $PXMTU avpkt 1000 bounded prio 1 # Attach queue disciplines tc qdisc add dev $1 parent $HNDL1:3 sfq perturb 15 tc qdisc add dev $1 parent $HNDL1:4 pfifo # Add filters tc filter add dev $1 parent $HNDL1:0 protocol ip \ priority 50 handle $MRK_CRIT fw classid $HNDL1:4 tc filter add dev $1 parent $HNDL1:0 protocol ip \ priority 60 handle $MRK_IA fw classid $HNDL1:3 # Set up bulk queue tc qdisc add dev $1 parent $HNDL1:2 handle $HNDL2: cbq \ bandwidth $CARATE allot 1514 avpkt 1000 tc class add dev $1 parent $HNDL2:0 classid :1 est 1sec 8sec \ cbq bandwidth $CARATE rate $BULKRATE \ allot $PXMTU avpkt 1000 prio 6 \ split $HNDL2:0 defmap ffff tc qdisc add dev $1 parent $HNDL2:1 sfq perturb 15 # tc qdisc add dev $1 parent $HNDL2:1 red min 
10000 max 30000 limit 75000 avpkt 1000 burst 16 ecn probability 0.02 bandwidth $CARATE # Build special queueing local ID=2 for QUEUE in $SPQUEUE; do local BOUNDED=`echoAddParm $QUEUE` # Add class and queue tc class add dev $1 parent $HNDL2:0 classid :$ID \ est 1sec 8sec cbq bandwidth $BNDWIDTH \ rate `echoRate $QUEUE` allot $PXMTU \ $BOUNDED prio 6 \ avpkt 1000 tc qdisc add dev $1 parent $HNDL2:$ID sfq perturb 15 #tc qdisc add dev $1 parent $HNDL2:$ID red ecn min 10000 max 30000 limit 75000 avpkt 1000 burst 16 ecn probability 0.02 bandwidth $BNDWIDTH # Add the filter tc filter add dev $1 parent $HNDL2:0 protocol ip \ priority 70 handle `echoMark $QUEUE` fw \ classid $HNDL2:$ID ID=$(($ID+1)) done return 0 } ############################################################################### # End ############################################################################### netscript/qos.conf.50000664000000000000000000000003112362370504011571 0ustar .so netscript-2.4.conf.5 netscript/wep.conf0000775000000000000000000000134112362370504011427 0ustar #!/bin/sh [ "$1" != "eth2" ] && exit 0 case $2 in #cmonline-rf) # /sbin/iwconfig $1 essid cmonline # /sbin/iwconfig $1 enc restricted # I=1 # #Apply WEP keys. 128 bit WEP key are 13 bytes long! # # That is 26 heax digits. # # Anything longer than this can crash prism54 firmware # # with weird gummy outcomes for the wifi interface # # (No hardware damage, just doesn't work in weird # # and mysterious ways.) # for KEY in DEADBEEF1 DEADBEEF2 DEADBEEF3 DEADBEEF4; do # /sbin/iwconfig $1 enc "[${I}]" "$KEY" # I=$(( $I + 1 )) # done # ;; *) /sbin/iwconfig $1 essid any /sbin/iwconfig $1 ap any /sbin/iwconfig $1 enc off ;; esac