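#!/sbin/runscript
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
#
# OpenRC service script for the ebtables bridge firewall.
#
# Settings read from the environment (normally provided by the service's
# conf.d file):
#   EBTABLES_SAVE         path of the saved ruleset (required)
#   SAVE_ON_STOP          "yes" to snapshot the live ruleset before stopping
#   SAVE_RESTORE_OPTIONS  extra options passed to ebtables-save/-restore
#
# Non-trivial points handled here:
#   - the save file is created 0600 from the start and replaced atomically, so
#     a failed save does not truncate the last good ruleset;
#   - every per-table step reports its own failure instead of only the last;
#   - `reload` verifies the save file before flushing, and `panic` sets DROP
#     before flushing, so neither leaves the bridge unexpectedly open.

extra_commands="save panic"
extra_started_commands="reload"

# ebtables-save / ebtables-restore are resolved by suffixing this path.
ebtables_bin="/sbin/ebtables"
ebtables_save=${EBTABLES_SAVE}

depend() {
	before net
	use logger
}

# Print the names of the tables this kernel/ebtables build supports,
# space-separated with a trailing space (e.g. "filter nat broute ").
# A table is considered available when listing it succeeds.
ebtables_tables() {
	local table
	for table in filter nat broute; do
		if ${ebtables_bin} -t "${table}" -L > /dev/null 2>&1; then
			printf '%s ' "${table}"
		fi
	done
}

# Apply a chain policy (ACCEPT/DROP) to every built-in chain of one table.
# Arguments: $1 table name, $2 policy. Unknown tables are a no-op.
# Returns non-zero if any chain could not be set (not just the last one).
set_table_policy() {
	local chains table=$1 policy=$2 chain rv=0
	case ${table} in
		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
		broute) chains="BROUTING";;
		filter) chains="INPUT FORWARD OUTPUT";;
		*)      chains="";;
	esac
	for chain in ${chains} ; do
		${ebtables_bin} -t "${table}" -P "${chain}" "${policy}" || rv=1
	done
	return ${rv}
}

# Verify that a saved ruleset exists. An empty EBTABLES_SAVE is rejected
# explicitly: an unquoted `[ ! -f $empty ]` would otherwise pass and start
# would try to restore from "".
checkconfig() {
	if [ -z "${ebtables_save}" ] ; then
		eerror "EBTABLES_SAVE is not set; nothing to load"
		return 1
	fi
	if [ ! -f "${ebtables_save}" ] ; then
		eerror "Not starting ebtables. First create some rules then run:"
		eerror "/etc/init.d/ebtables save"
		return 1
	fi
	return 0
}

# Load the saved ruleset. SAVE_RESTORE_OPTIONS is deliberately left unquoted:
# it is a whitespace-separated option list.
start() {
	checkconfig || return 1
	ebegin "Loading ebtables state and starting bridge firewall"
	${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
	eend $?
}

# Open every table (policy ACCEPT), then flush rules and delete user chains.
# Optionally snapshots the live ruleset first (SAVE_ON_STOP=yes); a failed
# snapshot aborts the stop so rules are not lost. Any failed step is reported.
stop() {
	local a rv=0
	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
		save || return 1
	fi
	ebegin "Stopping bridge firewall"
	for a in $(ebtables_tables); do
		# Open the policy before flushing so a DROP chain never sits empty.
		set_table_policy "$a" ACCEPT || rv=1
		${ebtables_bin} -t "$a" -F || rv=1
		${ebtables_bin} -t "$a" -X || rv=1
	done
	eend ${rv}
}

# Flush all tables and load the saved ruleset again. The save file is checked
# before anything is flushed, so a missing file cannot leave the bridge with
# no rules at all. Chain policies are not touched here.
reload() {
	local a rv=0
	checkconfig || return 1
	ebegin "Flushing bridge firewall"
	for a in $(ebtables_tables); do
		${ebtables_bin} -t "$a" -F || rv=1
		${ebtables_bin} -t "$a" -X || rv=1
	done
	eend ${rv}
	start
}

# Snapshot the live ruleset into EBTABLES_SAVE.
# The ruleset is written to a private temp file next to the target and then
# renamed into place: mktemp creates it 0600 (no touch-then-chmod window where
# the rules are readable under the default umask), and a failing ebtables-save
# leaves the previous file untouched instead of truncating it. Note that the
# rename replaces EBTABLES_SAVE itself, so a symlinked save path is no longer
# followed.
save() {
	local tmp rv
	if [ -z "${ebtables_save}" ] ; then
		eerror "EBTABLES_SAVE is not set; nowhere to save the ruleset"
		return 1
	fi
	ebegin "Saving ebtables state"
	tmp=$(mktemp "${ebtables_save}.XXXXXX") || { eend 1; return 1; }
	chmod 0600 "${tmp}"
	# Table list and SAVE_RESTORE_OPTIONS are word lists: keep them unquoted.
	${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${tmp}"
	rv=$?
	if [ ${rv} -eq 0 ] ; then
		mv -f "${tmp}" "${ebtables_save}" || rv=1
	else
		rm -f "${tmp}"
	fi
	eend ${rv}
}

# Emergency lockdown: stop the service if it is running, then set every
# table's policy to DROP and remove all rules. DROP is set before flushing so
# there is no moment with an ACCEPT policy and no rules.
panic() {
	local a rv=0
	service_started ebtables && svc_stop
	ebegin "Dropping all packets forwarded on bridges"
	for a in $(ebtables_tables); do
		set_table_policy "$a" DROP || rv=1
		${ebtables_bin} -t "$a" -F || rv=1
		${ebtables_bin} -t "$a" -X || rv=1
	done
	eend ${rv}
}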