.gitignore: Add "html" directory
index 105140513bdd09f6e7253e8747ad6c82dece7abc..98658bbed02b6cec6d499d0451ec3527580e26c0 100644 (file)
@@ -104,6 +104,8 @@ function iptables() {
                esac
 
                rulesfile=$(iptables_rulesfile ipv${p} ${table})
+               assert isset rulesfile
+
                print "${args:1:${#args}}" >> ${rulesfile}
        done
 }
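Review bot: The new `assert isset rulesfile` rejects an empty path, but the redirect on the following line still expands `${rulesfile}` unquoted, so a path containing whitespace or glob characters would be word-split or expanded rather than caught; `print "${args:1:${#args}}" >> "${rulesfile}"` closes that gap. The same unquoted expansion occurs where the rulesfile is handed to `_iptables_load` in the later hunk of iptables_load, which also gained an assert but no quoting. iptables() begins outside this hunk.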
@@ -113,7 +115,7 @@ function _iptables() {
        local iptables_cmd=$(which iptables)
        assert isset iptables_cmd
 
-       ${iptables_cmd} $@
+       cmd ${iptables_cmd} $@
 }
 
 function iptables_status() {
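Review bot: `cmd ${iptables_cmd} $@` forwards the arguments unquoted, so any argument containing whitespace (a match comment, for instance) is re-split into several words before it reaches iptables and an empty argument disappears entirely; the wrapper should pass them through verbatim as `cmd "${iptables_cmd}" "$@"`. Whether `cmd` itself re-quotes what it receives is not visible here, but quoting at this call site costs nothing and removes the doubt. As a side note, `local iptables_cmd=$(which iptables)` would be more portable as `command -v iptables`, though the assert beneath it already covers the not-found case.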
@@ -123,23 +125,20 @@ function iptables_status() {
 # Returns which tables exist for the given protocol.
 function iptables_tables() {
        local proto=${1}
-       local file
+       assert isset proto
 
        case "${proto}" in
                ipv6)
-                       file="/proc/net/ip6_tables_names"
+                       print "filter mangle"
                        ;;
                ipv4)
-                       file="/proc/net/ip_tables_names"
+                       print "filter mangle nat"
                        ;;
                *)
                        return ${EXIT_ERROR}
                        ;;
        esac
 
-       assert [ -r "${file}" ]
-
-       print "$(<${file})"
        return ${EXIT_OK}
 }
 
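Review bot: The comment above iptables_tables still says it returns which tables *exist*, but the new body returns a fixed list regardless of what the kernel reports, so the comment should now read `# Returns the tables that are managed for the given protocol.` The IPv6 list omits nat, which means an IPv6 nat rulesfile, if one were ever written, would be silently skipped by the concatenation loop in iptables_load; this looks intentional given that the removed `_iptables_commit` committed nat only for IPv4, but it deserves a sentence in that comment. The `*)` arm returns `${EXIT_ERROR}` without any diagnostic, so a caller passing a bad protocol gets an empty table list and no hint why; a log line before the return would help.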
@@ -186,20 +185,26 @@ function iptables_load() {
 
        local rulesfile
 
-       # First, commit all tables.
-       _iptables_commit
-
        # Concat the table rulesets into one big file.
        local proto
        for proto in 6 4; do
                rulesfile=$(iptables_rulesfile ipv${proto})
+               assert isset rulesfile
 
                local table
                local tablefile
                for table in $(iptables_tables ipv${proto}); do
                        tablefile=$(iptables_rulesfile ipv${proto} ${table})
-                       print "$(<${tablefile})"
+
+                       fread ${tablefile}
+
+                       # Add the COMMIT statement for every table.
+                       if [ -s "${tablefile}" ]; then
+                               print "COMMIT"
+                       fi
                done > ${rulesfile}
+
+               assert [ -s "${rulesfile}" ]
        done
 
        local error="false"
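Review bot: `tablefile=$(iptables_rulesfile ipv${proto} ${table})` is the only rulesfile lookup in this commit that does not get an `assert isset` after it, even though its result goes straight into `fread ${tablefile}` and the `-s` test; adding `assert isset tablefile` keeps it consistent with the three other call sites the commit guards. The `fread` argument is also unquoted while the `[ -s "${tablefile}" ]` test right below quotes the same variable; `fread "${tablefile}"` makes the two agree. Separately, the new `assert [ -s "${rulesfile}" ]` aborts the whole load when a protocol has no rules at all, since an empty table file produces neither content nor a COMMIT line; if an empty IPv6 ruleset is a legitimate state this should skip the protocol rather than assert. iptables_load begins before and continues after this hunk.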
@@ -208,6 +213,7 @@ function iptables_load() {
        # First check if everything is correctly formatted.
        for proto in 6 4; do
                rulesfile=$(iptables_rulesfile ipv${proto})
+               assert isset rulesfile
 
                _iptables_load ipv${proto} ${rulesfile} true
                if [ $? -ne ${EXIT_OK} ]; then
@@ -239,15 +245,6 @@ function iptables_load() {
        return ${EXIT_OK}
 }
 
-# Commit all tables.
-function _iptables_commit() {
-       iptables -t filter "COMMIT"
-       iptables -t mangle "COMMIT"
-
-       # Commit NAT chain for IPv4.
-       iptables -4 -t nat "COMMIT"
-}
-
 function _iptables_load() {
        local proto=${1}
        local file=${2}
@@ -309,8 +306,8 @@ function iptables_dump() {
                log ${log_facility} "Firewall ruleset for IPv${proto}:"
 
                counter=1
-               while read line; do
-                       line=$(print "%4d | %s" "${counter}" "${line}")
+               while read -r line; do
+                       printf -v line "%4d | %s" "${counter}" "${line}"
                        log ${log_facility} "${line}"
 
                        counter=$(( $counter + 1 ))
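Review bot: The switch to `read -r` stops backslash interpretation, but without clearing IFS the loop still strips leading and trailing whitespace from each dumped line, so the logged rule text can differ from what was read; `while IFS= read -r line; do` preserves it exactly. The `printf -v` change is a good replacement for the subshell and inherits the same padding. `counter=$(( $counter + 1 ))` can drop the `$` inside the arithmetic expansion, `counter=$(( counter + 1 ))`. iptables_dump begins before and continues after this hunk.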