[Server-devel] iptables generation
Joshua N Pritikin
jpritikin at pobox.com
Mon Aug 24 01:29:24 EDT 2009
On Tue, Aug 11, 2009 at 10:15:39PM +0530, Joshua N Pritikin wrote:
> On Tue, Aug 11, 2009 at 11:45:15AM +0530, Joshua N Pritikin wrote:
> > + if re.match('@@MASQ@@', line):
> > + print '-A POSTROUTING -o %s -j MASQUERADE' % wan
>
> This is dumb. I'll try to fix the patch tomorrow to substitute only
> @@WAN@@. Or do you really want this written in sed? (I never even
> learned sed.)
---
sysconfig/iptables-config | 7 +----
sysconfig/olpc-scripts/gen-iptables | 37 +++++++++++++++++++++++++++++++++
sysconfig/olpc-scripts/iptables-xs.in | 12 ++++++++++
sysconfig/xs_wan_device | 1 +
4 files changed, 52 insertions(+), 5 deletions(-)
create mode 100755 sysconfig/olpc-scripts/gen-iptables
create mode 100644 sysconfig/olpc-scripts/iptables-xs.in
create mode 100644 sysconfig/xs_wan_device
diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config
index 819d809..f22076e 100755
--- a/sysconfig/iptables-config
+++ b/sysconfig/iptables-config
@@ -7,11 +7,8 @@
## config settings
SERVER_NUM=`cat /etc/sysconfig/xs_server_number`
if [ $SERVER_NUM=1 ];then
- if [ -e /etc/sysconfig/xs_httpcache_on ]; then
- IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal.cache
- else
- IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal
- fi
+ IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables-xs
+ /etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA
fi
# Load additional iptables modules (nat helpers)
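Review bot: The new line redirects gen-iptables straight into $IPTABLES_DATA with no check on its exit status, so if the generator fails (missing template, Python error, unreadable xs_wan_device) the shell has already truncated the file and the init script goes on to load an empty ruleset without any indication of the failure. Writing to a temporary name and only renaming on success keeps the last good file in place: `/etc/sysconfig/olpc-scripts/gen-iptables > "$IPTABLES_DATA.new" && mv -f "$IPTABLES_DATA.new" "$IPTABLES_DATA"`. The surrounding context line `if [ $SERVER_NUM=1 ];then` is a single-word test that is always true, which predates this patch but now means every server, not just server 1, generates and loads the MASQUERADE rule; `if [ "$SERVER_NUM" = 1 ]; then` is presumably what was meant. The rest of iptables-config continues outside this hunk.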
diff --git a/sysconfig/olpc-scripts/gen-iptables b/sysconfig/olpc-scripts/gen-iptables
new file mode 100755
index 0000000..91b3ade
--- /dev/null
+++ b/sysconfig/olpc-scripts/gen-iptables
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+
+import re;
+import os;
+import logging;
+
+#sysconfig = './' # for testing
+sysconfig = '/etc/sysconfig/'
+
+wan = 'eth0'
+try:
+ conf = sysconfig + 'xs_wan_device'
+ file = open(conf)
+ wan = file.readline()
+ wan = re.sub(r'\s$', '', wan)
+except IOError:
+ logging.warning(conf + " not found, assuming "+wan)
+
+try:
+ conf = sysconfig + 'xs_httpcache_on'
+ os.stat(conf)
+ squid = 1
+except OSError:
+ squid = 0
+
+#print("wan="+wan+" squid=%i" % squid)
+
+template = open(sysconfig + 'olpc-scripts/iptables-xs.in')
+for line in template:
+ if (re.match('@@SQUID@@', line)):
+ if squid:
+ for inf in ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2'):
+ print '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' % inf
+ else:
+ line = line.rstrip()
+ line = re.sub(r'\@\@WAN\@\@', wan, line)
+ print(line)
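Review bot: The interface name read from xs_wan_device is spliced verbatim into `-A POSTROUTING -o %s -j MASQUERADE` with no validation, and `re.sub(r'\s$', '', wan)` removes only one trailing whitespace character, so an empty file, a CRLF line ending or stray text ends up inside the rule and iptables-restore will reject the whole table rather than fall back to eth0. Restricting the value to a plausible Linux interface name (at most 15 characters of `[A-Za-z0-9._:-]`) and keeping the fallback otherwise makes the failure mode a logged warning instead of a firewall that never loads; `str.strip()` also drops the `file` name that shadows the builtin. The shipped xs_wan_device says `ppp0` while the in-code fallback is `eth0`, so it is worth confirming which default is intended. The template loop below is unchanged by this suggestion.
```python
wan = 'eth0'
conf = sysconfig + 'xs_wan_device'
try:
    name = open(conf).readline().strip()
except IOError:
    logging.warning(conf + " not found, assuming " + wan)
else:
    # Only a plausible Linux interface name may be spliced into the rule;
    # anything else (empty file, stray text) keeps the fallback.
    if re.match(r'^[A-Za-z0-9._:-]{1,15}$', name):
        wan = name
    else:
        logging.warning("bad interface name in %s, assuming %s" % (conf, wan))

# ... unchanged: squid detection and template expansion ...
```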
diff --git a/sysconfig/olpc-scripts/iptables-xs.in b/sysconfig/olpc-scripts/iptables-xs.in
new file mode 100644
index 0000000..610fbe4
--- /dev/null
+++ b/sysconfig/olpc-scripts/iptables-xs.in
@@ -0,0 +1,12 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+@@SQUID@@
+-A POSTROUTING -o @@WAN@@ -j MASQUERADE
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
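Review bot: The `*filter` section sets INPUT, FORWARD and OUTPUT to policy ACCEPT and adds no rules, so once this file is loaded the server accepts anything arriving on @@WAN@@ and, with forwarding enabled (which the MASQUERADE rule presupposes), forwards WAN-originated packets into the lanbond/mshbond side unfiltered. The contents of the iptables.principal files this template replaces are not visible here, so I cannot say whether that is a regression, but a NAT gateway template should at least carry the stateful pair on FORWARD: `-A FORWARD -i @@WAN@@ -m state --state ESTABLISHED,RELATED -j ACCEPT` followed by `-A FORWARD -i @@WAN@@ -j DROP`. If the open filter table is deliberate, a comment line at the top of the template stating that the filter policy is intentionally permissive would stop the next reader from assuming it was forgotten.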
diff --git a/sysconfig/xs_wan_device b/sysconfig/xs_wan_device
new file mode 100644
index 0000000..d4398d5
--- /dev/null
+++ b/sysconfig/xs_wan_device
@@ -0,0 +1 @@
+ppp0
--
1.6.0.6