garywill / linux-router

Set Linux up as a router in one command. Supports Internet sharing, redsocks, Wi-Fi hotspot and IPv6. Can also be used for routing VMs/containers 🛰️ (you are also welcome to follow on Bilibili: https://space.bilibili.com/2123686105 )

Home Page: https://garywill.github.io/proj-doc/linux-router/


Linux-router News & Developer Blog

garywill opened this issue · comments

Oooa~ There hasn't been a developer's manual for this project.

I'm posting some Linux-router news & developer notes in this post.

++++++++++++++++++++++++++++

Bilibili (Chinese) | YouTube (English)

Stay away from 996. Everyone lives a healthy life! 🌱

Give ability to Bash script to easily undo iptables changes

(Let the Bash script easily undo iptables changes)

Writing shell commands to add iptables rules is a HeadACHe.

Then having to undo iptables changes is double HHeadACHHe.

Each -I or -A needs a -D.

Each -N needs -F+-X.

I wrote a new function iptb() for linux-router to reduce the double headache to a single headache.

The usage syntax is almost the same as iptables:

iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
iptb 4 v filter I FORWARD  -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptb 4 v filter I FORWARD  -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die

Undoing iptables changes is much easier now -- use clean_iptables()

clean_iptables() {
    bash $CONFDIR/undo_iptables.sh
    [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh
}

undo_iptables.sh is generated automatically.

Hope that makes potential contributors less afraid of the code :)

See the code of function iptb():

linux-router/lnxrouter

Lines 829 to 902 in 15a2e0c

iptb()
{
    local FoS=$1 # 4 | 6
    shift
    local Vis=$1 # 'v' | 'n'
    shift
    local T=$1 # table
    shift
    local ACT=$1 # action: I | A | N . On undo: I or A -> D , N -> F+X
    shift
    local CH=$1 # chain
    shift
    # IPv6 rules are silently skipped when IPv6 support is off
    [[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return
    local CMD_HEAD=""
    local MOUTH=""
    local NECK=""
    local HAND_UN_NC=0
    local TAIL=""
    local FULL=""
    local ADD_TO_UNDO=1
    # A rule placed in a chain that this script created itself needs no -D:
    # that chain gets -F and -X in undo_iptables_2.sh, which removes its rules anyway
    for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat
    do
        local arr_content
        eval arr_content=\"\${$arr_name}\"
        #echo $arr_content
        for w in $arr_content
        do
            if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then
                ADD_TO_UNDO=0
            fi
        done
    done
    [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w "
    [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w "
    [[ "$Vis" == 'v' ]] && MOUTH="-v"
    NECK="-t ${T}"
    if [[ "$ACT" == "N" ]]; then
        # remember the new custom chain so later rules added to it skip the -D record
        eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\"
        HAND_UN_NC=1
    fi
    # tag each rule with a comment (lrt + PID + subnet iface) so it can be told apart from other rules
    [[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}"
    if [[ "$ADD_TO_UNDO" -eq 1 ]]; then
        if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then
            echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh
        fi
        if [[ "$HAND_UN_NC" -eq 1 ]]; then
            # undo_iptables_2.sh runs after undo_iptables.sh, once the jumps into the chain are gone
            echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
            echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
        fi
    fi
    FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL"
    #echo $FULL
    $FULL
    return $?
}