|
- #!/bin/sh
-
- # This file is part of netfilter-persistent
- # (was iptables-persistent)
- # Copyright (C) 2009, Simon Richter <sjr@debian.org>
- # Copyright (C) 2010, 2014 Jonathan Wiltshire <jmw@debian.org>
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # as published by the Free Software Foundation, either version 3
- # of the License, or (at your option) any later version.
-
- rc=0
-
- load_rules()
- {
- #load IPv6 rules
- if [ ! -f /etc/iptables/rules.v6 ]; then
- echo "Warning: skipping IPv6 (no rules to load)"
- else
- {%- if provider == 'iptables-restore' %}
- ip6tables-restore --test < /etc/iptables/rules.v6 2> /dev/null
- if [ $? -ne 0 ]; then
- rc=1
- else
- ip6tables-save > /etc/iptables/rules.v6.bak
- grep -v __saltstack__ /etc/iptables/rules.v6.bak | ip6tables-restore 2> /dev/null
- ip6tables-restore --noflush < /etc/iptables/rules.v6 2> /dev/null
- if [ $? -ne 0 ]; then
- rc=1
- ip6tables-restore < /etc/iptables/rules.v6.bak 2> /dev/null
- fi
- fi
- {%- else %}
- ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
- if [ $? -ne 0 ]; then
- rc=1
- fi
- {%- endif %}
- fi
- }
-
- save_rules()
- {
- #save IPv6 rules
- #need at least ip6table_filter loaded:
- /sbin/modprobe -q ip6table_filter
- if [ ! -f /proc/net/ip6_tables_names ]; then
- log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)"
- elif [ -x /sbin/ip6tables-save ]; then
- touch /etc/iptables/rules.v6
- chmod 0640 /etc/iptables/rules.v6
- ip6tables-save > /etc/iptables/rules.v6
- if [ $? -ne 0 ]; then
- rc=1
- fi
- fi
- }
-
- flush_rules()
- {
- if [ ! -f /proc/net/ip6_tables_names ]; then
- echo "Warning: skipping IPv6 (no module loaded)"
- elif [ -x /sbin/ip6tables ]; then
- for param in F Z X; do /sbin/ip6tables -$param; done
- for table in $(cat /proc/net/ip6_tables_names)
- do
- /sbin/ip6tables -t $table -F
- /sbin/ip6tables -t $table -Z
- /sbin/ip6tables -t $table -X
- done
- for chain in INPUT FORWARD OUTPUT
- do
- /sbin/ip6tables -P $chain ACCEPT
- done
- fi
- }
-
- case "$1" in
- start|restart|reload|force-reload)
- load_rules
- ;;
- save)
- save_rules
- ;;
- stop)
- # Why? because if stop is used, the firewall gets flushed for a variable
- # amount of time during package upgrades, leaving the machine vulnerable
- # It's also not always desirable to flush during purge
- echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
- ;;
- flush)
- flush_rules
- ;;
- *)
- echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
- exit 1
- ;;
- esac
-
- exit $rc
|