#!/bin/bash
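# Detect whether the nft(8) binary is usable: clean() relies on it to flush
# the whole nftables ruleset on top of the iptables filter table.  stderr is
# silenced as well so a missing binary does not spam the test log with
# "command not found".
have_nft=false
nft -v >/dev/null 2>&1 && have_nft=true

# Temporary files are created later with mktemp; the EXIT trap only removes
# them when the variables are non-empty, so they must start out empty.
dumpfile=""
tmpfile=""

# Abort on the first failing command (iptables-restore, wait, cmp, ...).
set -e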
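# Reset the kernel state this test touches: empty and delete every chain of
# the iptables filter table and, when nft is available, wipe the nftables
# ruleset.  $XT_MULTI is the xtables multi-call binary under test (supplied
# by the harness); have_nft is the global set at the top of the script.
clean()
{
	$XT_MULTI iptables -t filter -F
	$XT_MULTI iptables -t filter -X
	# Use if/then instead of `$have_nft && nft flush ruleset`: as the last
	# command of the function, a false $have_nft made clean() return 1, and
	# the bare `clean` calls in the race loop run under `set -e`, so the
	# script would abort on hosts without nft instead of merely skipping
	# the nftables flush.  An `if` with no else branch returns 0.
	if $have_nft; then
		nft flush ruleset
	fi
}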
# EXIT-trap handler: delete the temporary files, if they were ever created,
# and then return the firewall to its clean state through clean().
# Reads the globals tmpfile and dumpfile (empty until mktemp assigns them).
clean_tempfile()
{
	local path
	for path in "${tmpfile}" "${dumpfile}"; do
		if [ -n "$path" ]; then
			rm -f -- "$path"
		fi
	done
	clean
}
# From here on every exit path, including a set -e abort, runs the cleanup.
trap clean_tempfile EXIT

# Randomise the size of the generated ruleset.  make_dummy_rules emits
# ENTRY_NUM+1 port rules per builtin chain and protocol, and the user chains
# UC-0 .. UC-<UCHAIN_NUM> when UCHAIN_NUM is greater than zero.
ENTRY_NUM=$(( RANDOM % 10 ))
UCHAIN_NUM=$(( RANDOM % 10 ))
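# Print, without a trailing newline, the jump target for one generated rule:
# always ACCEPT when there are no user chains, otherwise a coin flip between
# ACCEPT and one of the user chains UC-0 .. UC-<UCHAIN_NUM-1> (hex suffix).
# Reads the globals UCHAIN_NUM and RANDOM.
get_target()
{
	local flip

	if [ "$UCHAIN_NUM" -eq 0 ]; then
		printf 'ACCEPT'
		return
	fi

	# Keep the coin-flip variable local instead of leaking `x` into the
	# script's global scope; printf avoids echo's non-portable -n.
	flip=$((RANDOM % 2))
	if [ "$flip" -eq 0 ]; then
		printf 'ACCEPT'
	else
		printf -- 'UC-%x' $((RANDOM % UCHAIN_NUM))
	fi
}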
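# Write an iptables-save style dump of the filter table to stdout: the three
# builtin chains, then (only when UCHAIN_NUM > 0) the user chains
# UC-0 .. UC-<UCHAIN_NUM>, then for each of tcp/udp/sctp and each of the
# ENTRY_NUM+1 entries one INPUT, FORWARD and OUTPUT rule on lo whose target
# comes from get_target(), plus one ACCEPT rule appended to a random user
# chain.  Ends with COMMIT so the output feeds straight into iptables-restore.
# Reads the globals ENTRY_NUM, UCHAIN_NUM and RANDOM.
#
# Note: UC-<UCHAIN_NUM> is created but never used as a target (get_target
# and the appended rule both pick RANDOM % UCHAIN_NUM); that is harmless for
# a restore/save round-trip test.
make_dummy_rules()
{
	local proto i port target

	printf '%s\n' '*filter' \
		':INPUT ACCEPT [0:0]' \
		':FORWARD ACCEPT [0:0]' \
		':OUTPUT ACCEPT [0:0]'

	if [ "$UCHAIN_NUM" -gt 0 ]; then
		for ((i = 0; i <= UCHAIN_NUM; i++)); do
			printf -- ':UC-%x - [0:0]\n' "$i"
		done
	fi

	for proto in tcp udp sctp; do
		for ((i = 0; i <= ENTRY_NUM; i++)); do
			port=$((61000 - i))
			# Every variable is passed as a printf argument rather than
			# spliced into the format string, so a stray '%' can never be
			# interpreted as a conversion.
			target=$(get_target)
			printf -- '-A INPUT -i lo -p %s --dport %d -j %s\n' \
				"$proto" "$port" "$target"
			target=$(get_target)
			printf -- '-A FORWARD -i lo -o lo -p %s --dport %d -j %s\n' \
				"$proto" "$port" "$target"
			target=$(get_target)
			printf -- '-A OUTPUT -o lo -p %s --dport %d -j %s\n' \
				"$proto" "$port" "$target"
			if [ "$UCHAIN_NUM" -gt 0 ]; then
				printf -- '-A UC-%x -j ACCEPT\n' $((RANDOM % UCHAIN_NUM))
			fi
		done
	done
	echo COMMIT
}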
# Build a random ruleset, load it once with a single iptables-restore, and
# check that iptables-save hands back the same number of non-comment lines.
# The saved form then replaces the generated dump and serves as the reference
# for the race loop below.
tmpfile=$(mktemp) || exit 1
dumpfile=$(mktemp) || exit 1

make_dummy_rules > "$dumpfile"
$XT_MULTI iptables-restore -w < "$dumpfile"
LINES1=$(wc -l < "$dumpfile")

# Comment lines ('#') are stripped from the save output before comparing.
$XT_MULTI iptables-save | grep -v '^#' > "$dumpfile"
LINES2=$(wc -l < "$dumpfile")

if [ "$LINES1" -ne "$LINES2" ]; then
	printf '%s\n' "Original dump has $LINES1, not $LINES2" >&2
	exit 111
fi
# The nft backend gets a random number of rounds (1..10) through the race
# loop; any other backend (legacy) gets a single round.
case "$XT_MULTI" in
*xtables-nft-multi)
	attempts=$((RANDOM % 10 + 1))
	;;
*)
	attempts=1
	;;
esac
# Race test: fire ten concurrent iptables-restore runs of the same dump
# (each passing `-w 15`, i.e. waiting for the xtables lock), then verify
# that the ruleset the kernel ends up with is byte-identical to the dump.
# A failing restore (reported by wait) or a mismatching save (reported by
# cmp) terminates the script through set -e.
while [ "$attempts" -gt 0 ]; do
	attempts=$((attempts - 1))

	clean

	pids=()
	for _ in 1 2 3 4 5 6 7 8 9 10; do
		$XT_MULTI iptables-restore -w 15 < "$dumpfile" &
		pids+=("$!")
	done

	# wait returns each child's exit status; a non-zero one aborts (set -e).
	for pid in "${pids[@]}"; do
		wait "$pid"
	done

	$XT_MULTI iptables-save | grep -v '^#' > "$tmpfile"

	clean
	cmp "$tmpfile" "$dumpfile"
done

exit 0