- allow build with -O0

[packages/iptables.git] / ip6tables.init

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ip6tables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:        Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/ip6tables

# Source 'em up
. /etc/rc.d/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/ip6tables

if [ ! -x /usr/sbin/ip6tables ]; then
        exit 0
fi

KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
        exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
        exit 0
fi



if  /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
        # Don't do both
        exit 0
fi

iftable() {
        if fgrep -qsx $1 /proc/net/ip6_tables_names; then
                ip6tables -t "$@"
        fi
}

start() {
        # don't do squat if we don't have the config file
        if [ -f $IPTABLES_CONFIG ]; then
            # If we don't clear these first, we might be adding to
            #  pre-existing rules.
            chains=`cat /proc/net/ip6_tables_names 2>/dev/null`
            show "Flushing all current rules and user defined chains:"
            let ret=0
            for i in $chains; do ip6tables -t $i -F; let ret+=$?; done
            ip6tables -F
            let ret+=$?
            if [ $ret -eq 0 ]; then
              ok
            else
              fail
            fi
            show "Clearing all current rules and user defined chains:"
            let ret=0
            for i in $chains; do ip6tables -t $i -X; let ret+=$?; done
            ip6tables -X
            let ret+=$?
            if [ $ret -eq 0 ]; then
              ok
            else
              fail
            fi

            for i in $chains; do ip6tables -t $i -Z; done

            show "Applying ip6tables firewall rules:"
                grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore -c && \
                    ok || \
                    fail
            touch /var/lock/subsys/ip6tables
        fi
}

stop() {
        chains=`cat /proc/net/ip6_tables_names 2>/dev/null`
        show "Flushing all chains:"
        let ret=0
        for i in $chains; do ip6tables -t $i -F; let ret+=$?; done
        ip6tables -F; let ret+=$?
        if [ $ret -eq 0 ]; then
                ok
        else
                fail
        fi

        show "Removing user defined chains:"
        let ret=0
        for i in $chains; do ip6tables -t $i -X; let ret+=$?; done
        ip6tables -X; let ret+=$?
        if [ $ret -eq 0 ]; then
                ok
        else
                fail
        fi
        show "Resetting built-in chains to the default ACCEPT policy:"
        iftable filter -P INPUT ACCEPT && \
           iftable filter -P OUTPUT ACCEPT && \
           iftable filter -P FORWARD ACCEPT && \
           iftable nat -P PREROUTING ACCEPT && \
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
           iftable mangle -P PREROUTING ACCEPT && \
           iftable mangle -P OUTPUT ACCEPT && \
           ok || \
           fail
        rm -f /var/lock/subsys/ip6tables
}

case "$1" in
  start)
        start
        ;;

  stop)
        stop
        ;;

  restart|force-reload)
        # "restart" is really just "start" as this isn't a daemon,
        #  and "start" clears any pre-defined rules anyway.
        #  This is really only here to make those who expect it happy
        start
        ;;

#  condrestart)
#       [ -e /var/lock/subsys/ip6tables ] && start
#       ;;

  status)
        tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
        for table in $tables; do
                echo "Table: $table"
                ip6tables -t $table -n --list
        done
        ;;

  panic)
        show "Changing target policies to DROP: "       
        iftable filter -P INPUT DROP && \
            iftable filter -P FORWARD DROP && \
            iftable filter -P OUTPUT DROP && \
            iftable nat -P PREROUTING DROP && \
            iftable nat -P POSTROUTING DROP && \
            iftable nat -P OUTPUT DROP && \
            iftable mangle -P PREROUTING DROP && \
            iftable mangle -P OUTPUT DROP && \
            ok "Changing target policies to DROP" || \
            fail "Changing target policies to DROP"
        iftable filter -F INPUT && \
                iftable filter -F FORWARD && \
                iftable filter -F OUTPUT && \
                iftable nat -F PREROUTING && \
                iftable nat -F POSTROUTING && \
                iftable nat -F OUTPUT && \
                iftable mangle -F PREROUTING && \
                iftable mangle -F OUTPUT && \
                ok "Flushing all chains:" || \
                fail "Flushing all chains:"
        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                ok "Removing user defined chains:" || \
                fail "Removing user defined chains:"
        ;;

  save)
        show "Saving current rules to $IPTABLES_CONFIG: "
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG  2>/dev/null && \
          ok "Saving current rules to $IPTABLES_CONFIG" || \
          fail "Saving current rules to $IPTABLES_CONFIG"
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|force-reload|status|panic|save}"
        exit 3
esac

exit 0