===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.78
retrieving revision 2.79
diff -u -p -r2.78 -r2.79
--- scripts/shell/firewall/fw-universal.sh 2011/07/14 13:13:22 2.78
+++ scripts/shell/firewall/fw-universal.sh 2011/07/20 19:05:12 2.79
@@ -18,10 +18,11 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.77 2011-01-24 20:26:04 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.78 2011-07-14 13:13:22 nepto Exp $
 #
 # Changelog:
 # 2003-10-24 - created
+# 2011-07-20 - implemented XEN_MODE
 #
 ### BEGIN INIT INFO
@@ -229,6 +230,7 @@ set_default_policy()
 # Set default policy
 for chain in INPUT OUTPUT FORWARD; do
 if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then
+ print_info "XEN_MODE enabled: default policy for FORWARD forced to ACCEPT";
 $IPTABLES -P $chain ACCEPT;
 continue;
 fi
@@ -265,11 +267,19 @@ forward_off()
 remove_chains()
 { # {{{
- for table in filter nat mangle; do
- $IPTABLES -t $table -F # clear all chains
- $IPTABLES -t $table -X # remove all chains
- $IPTABLES -t $table -Z # zero counts
- done
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info "XEN_MODE enabled: not clearing FORWARD chain";
+ $IPTABLES --flush INPUT
+ $IPTABLES --flush OUTPUT
+ $IPTABLES --flush spoof
+ # TODO!!!
+ else
+ for table in filter nat mangle; do
+ $IPTABLES -t $table -F # clear all chains
+ $IPTABLES -t $table -X # remove all chains
+ $IPTABLES -t $table -Z # zero counts
+ done
+ fi
 } # }}}
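Review bot: The forced ACCEPT policy on FORWARD is the one place this change weakens the default posture, and the only explanation of it is a runtime message, so the code itself should say why that is acceptable. I would put a comment above the `if`, e.g. `# XEN_MODE: FORWARD is left open because it is managed outside this script (presumably by Xen's per-vif hotplug rules); a DROP policy here would cut off every guest` — with the Xen-side mechanism confirmed rather than assumed before it is written down. set_default_policy() starts and ends outside the hunk.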
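Review bot: In the XEN_MODE branch of remove_chains only INPUT, OUTPUT and spoof are flushed, so the nat and mangle tables, the packet counters and every other user chain (the accounting chains that do_ip_accounting fills further down, for one) survive a restart, and the rules this script appends to them pile up on every run; `$IPTABLES --flush spoof` also fails noisily on a boot where that chain has not been created yet. The `# TODO!!!` suggests the author knew this branch was unfinished. I would reset everything except filter/FORWARD — as far as I can tell Xen only keeps its per-vif rules there — and flush only chains that actually exist (user chains are flushed, not deleted, since one of them may be referenced from the preserved FORWARD chain):
```shell
if [ "X$XEN_MODE" = "Xon" ]; then
	print_info "XEN_MODE enabled: not clearing FORWARD chain";
	# Xen keeps its per-vif rules in filter/FORWARD, so that chain is the
	# only thing left untouched; everything else is reset as in the
	# non-Xen branch, otherwise rules accumulate on every restart.
	for table in nat mangle; do
		$IPTABLES -t $table -F
		$IPTABLES -t $table -X
		$IPTABLES -t $table -Z
	done
	for chain in `$IPTABLES -t filter -L -n | awk '/^Chain/ && $2 != "FORWARD" { print $2 }'`; do
		$IPTABLES -t filter -F $chain
		$IPTABLES -t filter -Z $chain
	done
else
	# … unchanged: flush, delete and zero filter, nat and mangle …
fi
```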
@@ -280,9 +290,15 @@ nmap_scan_filter()
 print_info -en "Turning on nmap scan filter "
 for chain in INPUT FORWARD; do
+ if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then
+ print_info -ne " XEN_MODE ";
+ continue;
+ fi
+
 # Nie je nastaveny ziaden bit
 $IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: "
 print_info -en "."
+
 $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP
 print_info -en "."
@@ -290,6 +306,7 @@ nmap_scan_filter()
 for flags in SYN,FIN SYN,RST FIN,RST ; do
 $IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: "
 print_info -en "."
+
 $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP
 print_info -en "."
 done
@@ -298,6 +315,7 @@ nmap_scan_filter()
 for flags in FIN PSH URG ; do
 $IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: "
 print_info -en "."
+
 $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP
 print_info -en "."
 done
@@ -312,7 +330,12 @@ invalid_packet_filter()
 { # {{{
 print_info -en "Turning on INVALID packet filter "
+
 for chain in INPUT OUTPUT FORWARD; do
+ if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then
+ print_info -ne " XEN_MODE ";
+ continue;
+ fi
 $IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: "
 print_info -en "."
 $IPTABLES -A $chain -m state --state INVALID -j DROP
@@ -369,7 +392,12 @@ anti_spoof_filter()
 for iface in $ANTISPOOF_IFACE; do
 print_info -en " $iface"
- $IPTABLES -A FORWARD -i $iface -j spoof
+
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A FORWARD -i $iface -j spoof
+ fi
 $IPTABLES -A INPUT -i $iface -j spoof
 done
 print_info " done."
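Review bot: The `XEN_MODE`/`FORWARD` test added at the top of the chain loop is copied verbatim into invalid_packet_filter and, in a slightly different shape, in front of every FORWARD rule further down, so the copies will drift the first time someone fixes one of them. A single predicate would keep them together, e.g. `xen_owns_chain() { [ "X$XEN_MODE" = "Xon" -a "$1" = "FORWARD" ]; }` used as `xen_owns_chain $chain && { print_info -ne " XEN_MODE "; continue; }`. It would also give one place to state that in XEN_MODE guest traffic crossing FORWARD gets none of the scan or INVALID filtering this script applies to INPUT, which a bare ` XEN_MODE ` among the progress dots does not convey. nmap_scan_filter() starts before the hunk and ends after it.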
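Review bot: With XEN_MODE on, the spoof chain is now reached only from INPUT, so a forged source address coming from a guest is no longer dropped on its way through FORWARD; that looks like a deliberate hand-off to Xen (presumably its per-vif antispoof rules), but nothing in the code records it. I would replace the bare progress marker with a comment and a message that names what was skipped, e.g. `# XEN_MODE: anti-spoofing of forwarded (guest) traffic is left to the Xen vif rules` above the `if` and `print_info -ne " (FORWARD skipped: XEN_MODE)"` in the branch. anti_spoof_filter() starts before the hunk.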
@@ -417,9 +445,12 @@ mangle_output()
 } # }}}
-# Masquerade local subnet
 masquerade()
 { # {{{
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info "XEN_MODE enabled: masquerade is not supported in this mode";
+ return;
+ fi
 if [ ! -z "$NAT_LAN_IFACE" ]; then
 print_info -en "NAT: Enabling packet forwarding..."
 echo 1 > /proc/sys/net/ipv4/ip_forward
@@ -431,7 +462,7 @@ masquerade()
 localnet="$ip/${!netmask}"
 lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`"
-
+ # alow packets from private subnet
 $IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP
 for client_ip in $NAT_CLIENT_DROP; do
@@ -634,7 +665,12 @@ drop_output()
 print_info -en "$riface: Dropping outgoing packets from ports:"
 for port in $DROP_OUTPUT_TCP; do
 print_info -en " $port"
- $IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP
+
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP
+ fi
 $IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP
 done
 print_info " done."
@@ -644,7 +680,12 @@ drop_output()
 print_info -en "$riface: Dropping outgoing packets from ports:"
 for port in $DROP_OUTPUT_UDP; do
 print_info -en " $port"
- $IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP
+
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP
+ fi
 $IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP
 done
 print_info " done."
@@ -674,7 +715,12 @@ bann_ip_adresses()
 for banned_ip in $BANNED_IP; do
 print_info -en " $banned_ip"
 $IPTABLES -A INPUT -s $banned_ip -j DROP
- $IPTABLES -A FORWARD -s $banned_ip -j DROP
+
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A FORWARD -s $banned_ip -j DROP
+ fi
 done
 print_info " done."
 fi
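Review bot: The early return in masquerade prints "not supported" unconditionally, so a host with no NAT_LAN_IFACE configured (which never masqueraded anyway) now gets a misleading line on every start, while a host that does have it configured silently loses NAT without being told which setting was ignored. I would warn only when the setting is actually in use: `[ -n "$NAT_LAN_IFACE" ] && print_info "XEN_MODE enabled: NAT_LAN_IFACE=$NAT_LAN_IFACE ignored, masquerade is not supported in this mode";`. The return also skips the `echo 1 > /proc/sys/net/ipv4/ip_forward` below it, which should be fine for a purely bridged dom0 but deserves a comment if routed guests are ever expected. masquerade() ends outside the hunk.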
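Review bot: In XEN_MODE a banned address is still forwarded to and from the guests, because only the INPUT drop is installed, yet the console shows the same ` XEN_MODE ` marker as the harmless cases, so an operator reading the output will assume the ban is complete. If FORWARD is deliberately left to Xen, say so where it matters: `print_info -ne " (not banned from guest traffic: XEN_MODE)"`. If it is not deliberate, `$IPTABLES -I FORWARD -s $banned_ip -j DROP` would put the ban ahead of whatever Xen appends, but then remove_chains above has to flush those rules on restart, which in this change it does not. bann_ip_adresses() starts before the hunk.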
@@ -687,8 +733,12 @@ allow_accept_all()
 for iface in $IFACE_ACCEPT_ALL; do
 print_info -en " $iface"
 $IPTABLES -A INPUT -i $iface -j ACCEPT
- $IPTABLES -A FORWARD -i $iface -j ACCEPT
 $IPTABLES -A OUTPUT -o $iface -j ACCEPT
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A FORWARD -i $iface -j ACCEPT
+ fi
 done
 print_info " done."
 fi
@@ -1003,14 +1053,19 @@ allow_input()
 ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`";
 print_info -en "Accepting traceroute:"
- $IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \
- --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
- -s $ip -d $ANYWHERE -j ACCEPT
-
- for iface in $TRACEROUTE_IFACE; do
- $IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \
- --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
- done
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \
+ --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
+ -s $ip -d $ANYWHERE -j ACCEPT
+
+ for iface in $TRACEROUTE_IFACE; do
+
+ $IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \
+ --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
+ done
+ fi
 print_info " done."
 fi
@@ -1151,8 +1206,12 @@ do_ip_accounting()
 $IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME
 $IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME
- $IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME
- $IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME
+ if [ "X$XEN_MODE" = "Xon" ]; then
+ print_info -ne " XEN_MODE ";
+ else
+ $IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME
+ $IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME
+ fi
 for client_ip in $IP_ACCT_CLIENTS; do
 $IPTABLES -A $IPACCT_NAME -s $client_ip
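Review bot: The `if` added in allow_input wraps the OUTPUT rule as well as the FORWARD loop, so in XEN_MODE the host's own outgoing traceroute probes lose their ACCEPT, although every other XEN_MODE branch in this change keeps the INPUT/OUTPUT rules and skips only FORWARD. Unless dom0 is no longer supposed to traceroute, move the three-line `$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \` rule back above the `if` and leave only the `for iface in $TRACEROUTE_IFACE` loop under the `else`; if the omission is intended, a one-line comment saying why is needed, because it reads as a slip. allow_input() starts before the hunk.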