diff --git a/firewall/firewall-add b/firewall/firewall-add
index 6b68416..d7a022b 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -20,6 +20,7 @@ NAME=$NAME
 COMMENT="$COMMENT"
 NAME="$NAME-$COMMENT"
 PROTOCOL=$TYPE
+DELETE=$OPERATION
 EXTRA_OPTIONS="$2 $3 $4"
@@ -245,6 +246,20 @@ if [[ -z "$TARGET_IP" ]]; then
 fi
 fi
+delete_lines() {
+
+ if [ "$1" != "" ]; then
+ CHAIN=$1;
+ fi
+
+ if [ -n "$LINES" ] ; then
+ for i in $LINES; do
+ debug "$IPTABLES -D $CHAIN $i"
+ $IPTABLES -w -D $CHAIN $i
+ sleep 0.1
+ done
+ fi
+}
 prerouting() {
 if [ "$(set |grep -w SOURCE_IFACE)" != "" ]; then
@@ -260,13 +275,7 @@ prerouting() {
 LINES=$($IPTABLES -w -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
 debug "Previous prerouting lines: "$LINES
 # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- debug "$IPTABLES -D PREROUTING $i";
- $IPTABLES -w -D PREROUTING $i
- sleep 0.1
- done
- fi
+ delete_lines "PREROUTING";
 debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
 $IPTABLES -w -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
@@ -286,13 +295,7 @@ postrouting() {
 debug "Previous postrouting lines: "$LINES
 # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- debug "$IPTABLES -D POSTROUTING $i"
- $IPTABLES -w -D POSTROUTING $i
- sleep 0.1
- done
- fi
+ delete_lines "POSTROUTING";
 debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
 $IPTABLES -w -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
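Review bot: `DELETE=$OPERATION` is assigned in the first hunk but nothing in this diff reads `DELETE`; the new delete branch in the last hunk tests `"$OPERATION"` directly, so the alias only adds a second name that can drift from the first. Either drop this line or have the branch test `"$DELETE"` and add a comment on this line saying which script argument sets OPERATION and what values it takes. The assignment block this line belongs to starts outside the hunk.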
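Review bot: `CHAIN=$1` in the new delete_lines writes the script-global CHAIN with no `local`, so the `delete_lines "PREROUTING"` and `delete_lines "POSTROUTING"` calls in the prerouting and postrouting hunks leave CHAIN set to that chain for everything that runs afterwards, including the `--list $CHAIN` lookup in the final hunk if it is reached later (the call order is not visible here). A bare `delete_lines` call then deletes from whatever CHAIN and LINES happen to hold, which for a function whose only job is `iptables -D` deserves an explicit contract. Replace the `if`/`CHAIN=$1`/`fi` block with `local chain=${1:-${CHAIN:?no chain given}}` and run `$IPTABLES -w -D "$chain" "$i"`, and add a header comment stating that LINES must hold rule numbers in descending order (the callers pipe through `tac`) because each deletion renumbers the rules below it.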
@@ -306,13 +309,8 @@ postrouting() {
 debug "Previous postrouting lines: "$LINES
 # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- debug "$IPTABLES -D POSTROUTING $i"
- $IPTABLES -w -D POSTROUTING $i
- sleep 0.1
- done
- fi
+ delete_lines "POSTROUTING";
+
 debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
 $IPTABLES -w -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
 fi
@@ -332,6 +330,7 @@ ip_route() {
 done
 }
+
 if [[ "$ROUTE" == "true" ]] ; then
 IP_ROUTE="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route";
@@ -465,18 +464,19 @@ else
 IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
 debug "$IPTABLES_COMMAND";
 LINES=$(eval $IPTABLES_COMMAND);
+ delete_lines;
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- debug "$IPTABLES -D $CHAIN $i"
- $IPTABLES -w -D $CHAIN $i
- sleep 0.1
- done
+ if [ "$OPERATION" == "DELETE" ]; then
+
+ IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep -w "$COMMENT" | awk '{print \$1}'| tac";
+ debug "$IPTABLES_COMMAND";
+ LINES=$(eval $IPTABLES_COMMAND);
+ delete_lines;
+
+ else
+ debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
+ $IPTABLES -w -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
 fi
-
-
- debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
- $IPTABLES -w -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
 fi
 #############################
 fi
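Review bot: In the second postrouting hunk the debug line prints `-s $TARGET_IP_FOR_POSTROUTING` while the command run on the next line uses `-d`, so the log records a different rule from the one installed and anyone reconciling these logs against the live ruleset sees a mismatch. The commit keeps both lines as context, so this is pre-existing, but it is next to the code being changed. One of the two is wrong; if `-d` is the intended match the fix is `debug "$IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"`. The enclosing postrouting() body starts outside the hunk.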
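Review bot: In the new DELETE branch of the last hunk, `grep -w "$COMMENT"` sits inside a double-quoted assignment, so the inner quotes close and reopen the string, COMMENT is spliced in unquoted, and the whole command is then re-parsed by `eval`; a comment containing whitespace or shell metacharacters breaks the pipeline or is interpreted as shell syntax rather than matched. Running the pipeline directly with quoted arguments removes the eval step for this lookup: `LINES=$($IPTABLES -w --line-number -n --list "$CHAIN" | grep -F -- "/* $COMMENT */" | awk '{print $1}' | tac)`, with the debug message built as a separate string. Matching the rendered comment (`iptables -n -L` prints the comment match as `/* text */`) with `-F` also narrows the deletion: as written, `grep -w` matches the text in any column of the listing and treats `-` as a word boundary, so with COMMENT `web` a rule commented `web-backup`, or any rule whose other fields contain `web`, is deleted as well. The test `[ "$OPERATION" == "DELETE" ]` could use `[[ ]]` like the `[[ -z "$TARGET_IP" ]]` check earlier in the file. The enclosing `else` branch opens outside the hunk.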