Routers
/
gpt-2741gnac_root_files
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
gpt-2741gnac_root_files/_mtdblock3.img.extracted/squashfs-root/bin/shgw_wd_dpwrap

273 lines
11 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#############################################################################
#
# MCAFEE CONFIDENTIAL
# Copyright ©2018 McAfee, LLC
#
# The source code contained or described herein and all documents related
# to the source code ("Material") are owned by McAfee or its
# suppliers or licensors. Title to the Material remains with McAfee
# or its suppliers and licensors. The Material contains trade
# secrets and proprietary and confidential information of McAfee or its
# suppliers and licensors. The Material is protected by worldwide copyright
# and trade secret laws and treaty provisions. No part of the Material may
# be used, copied, reproduced, modified, published, uploaded, posted,
# transmitted, distributed, or disclosed in any way without McAfee's prior
# express written permission.
#
# No license under any patent, copyright, trade secret or other intellectual
# property right is granted to or conferred upon you by disclosure or
# delivery of the Materials, either expressly, by implication, inducement,
# estoppel or otherwise. Any license under such intellectual property rights
# must be express and approved by McAfee in writing.
#
##############################################################################
trap fn_on_sigterm SIGTERM
. /etc/shgw/shgw.constants
. /etc/shgw/shgw.common
. /etc/shgw/shgw.env
LAN_INTERFACES=$(fn_get_lan_ifaces)
if [ -z ${LAN_INTERFACES} ]; then
${ECHO} "No Lan interfaces! Exiting from dpwrap" >> ${SHGW_STARTUP_LOG} 2>&1
exit 0
fi
SHGW_DNSPROXY_PID=0
fn_kill_dpwrap_if_running() {
if [ -f ${SHGW_DPWRAP_LOCK} ]; then
${ECHO} "[$(fn_time_now)] Pid of the previous dpwarp that is running - $(${CAT} ${SHGW_DPWRAP_LOCK}). Going to kill it!" >> ${SHGW_STARTUP_LOG} 2>&1
kill -SIGKILL $(${CAT} ${SHGW_DPWRAP_LOCK})
fi
${ECHO} $$ > ${SHGW_DPWRAP_LOCK}
${ECHO} "[$(fn_time_now)] Pid of the current dpwrap - $(${CAT} ${SHGW_DPWRAP_LOCK})]" >> ${SHGW_STARTUP_LOG} 2>&1
}
fn_shgw_ipv4_tproxy_setup() {
local _IFACE=""
${IPTABLES} -w -t mangle -N SHGW_DNS > /dev/null 2>&1
for _IFACE in ${LAN_INTERFACES}; do
${IPTABLES} -w -t mangle -A SHGW_DNS \
-i ${_IFACE} \
-p udp --dport 53 \
-j TPROXY --tproxy-mark ${SHGW_TPROXY_MARK} --on-port ${SHGW_REQ_PORT} > /dev/null 2>&1
done
${IPTABLES} -w -t mangle -I PREROUTING -j SHGW_DNS > /dev/null 2>&1
${IP} rule add fwmark ${SHGW_TPROXY_MARK} lookup ${SHGW_TABLE} ${SHGW_IPV4_RULE_PREF} > /dev/null 2>&1
${IP} route add local 0.0.0.0/0 dev lo table ${SHGW_TABLE} > /dev/null 2>&1
}
fn_shgw_ipv4_tproxy_cleanup() {
local _IFACE=""
for _IFACE in ${LAN_INTERFACES}; do
fn_run_until_failure "${IPTABLES} -w -t mangle -D SHGW_DNS \
-i ${_IFACE} \
-p udp --dport 53 \
-j TPROXY --tproxy-mark ${SHGW_TPROXY_MARK} --on-port ${SHGW_REQ_PORT}"
done
fn_run_until_failure "${IPTABLES} -w -t mangle -D PREROUTING -j SHGW_DNS"
${IPTABLES} -w -t mangle -F SHGW_DNS > /dev/null 2>&1
${IPTABLES} -w -t mangle -X SHGW_DNS > /dev/null 2>&1
${IP} route del local 0.0.0.0/0 dev lo table ${SHGW_TABLE} > /dev/null 2>&1
fn_run_until_failure "${IP} rule del fwmark ${SHGW_TPROXY_MARK} lookup ${SHGW_TABLE} ${SHGW_IPV4_RULE_PREF}"
}
fn_shgw_ipv6_tproxy_setup() {
local _IFACE=""
${IP6TABLES} -w -t mangle -N SHGW_DNS > /dev/null 2>&1
for _IFACE in ${LAN_INTERFACES}; do
${IP6TABLES} -w -t mangle -A SHGW_DNS \
-i ${_IFACE} \
-p udp --dport 53 \
-j TPROXY --tproxy-mark ${SHGW_TPROXY_MARK6} --on-port ${SHGW_REQ_PORT} > /dev/null 2>&1
done
${IP6TABLES} -w -t mangle -I PREROUTING -j SHGW_DNS > /dev/null 2>&1
${IP} -6 rule add fwmark ${SHGW_TPROXY_MARK6} lookup ${SHGW_TABLE6} ${SHGW_IPV6_RULE_PREF} > /dev/null 2>&1
${IP} -6 route add local ::/0 dev lo table ${SHGW_TABLE6} > /dev/null 2>&1
}
fn_shgw_ipv6_tproxy_cleanup() {
local _IFACE=""
for _IFACE in ${LAN_INTERFACES}; do
fn_run_until_failure "${IP6TABLES} -w -t mangle -D SHGW_DNS \
-i ${_IFACE} \
-p udp --dport 53 \
-j TPROXY --tproxy-mark ${SHGW_TPROXY_MARK6} --on-port ${SHGW_REQ_PORT}"
done
fn_run_until_failure "${IP6TABLES} -w -t mangle -D PREROUTING -j SHGW_DNS"
${IP6TABLES} -w -t mangle -F SHGW_DNS > /dev/null 2>&1
${IP6TABLES} -w -t mangle -X SHGW_DNS > /dev/null 2>&1
${IP} -6 route del local ::/0 dev lo table ${SHGW_TABLE6} > /dev/null 2>&1
fn_run_until_failure "${IP} -6 rule del fwmark ${SHGW_TPROXY_MARK6} lookup ${SHGW_TABLE6} ${SHGW_IPV6_RULE_PREF}"
}
fn_on_sigterm() {
fn_shgw_ipset_cleanup
fn_shgw_ipv6_tproxy_cleanup
fn_shgw_ipv4_tproxy_cleanup
fn_kill_if_running
${ECHO} "[$(fn_time_now)] Trap handler.Dnsproxy exited!" >> ${SHGW_STARTUP_LOG} 2>&1
exit 0
}
fn_kill_if_running() {
dp_pids=$(${PS} | ${GREP} shgw_dnsproxy | ${GREP} -v grep | ${AWK} '{ print $1 }')
if [ ! -z "$dp_pids" ]; then
for dp_pid in $dp_pids; do
${KILL} -s KILL $dp_pid
done
fi
}
fn_launch_and_wait() {
${ECHO} "[$(fn_time_now)]" >> ${SHGW_STARTUP_LOG} 2>&1
${IPTABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
${IP6TABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
fn_kill_if_running
${IPTABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
${IP6TABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
$SHGW_DNSPROXY &
SHGW_DNSPROXY_PID=$!
wait $SHGW_DNSPROXY_PID
${ECHO} "[$(fn_time_now)] Dnsproxy exited!" >> ${SHGW_STARTUP_LOG} 2>&1
}
fn_shgw_ipset_cleanup() {
## RULES UNDER NAT TABLE
${IPTABLES} -w -t nat -F SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_PC_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_PC_PENDING > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_PC_ASK > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_EULA_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t nat -F SHGW_WHITELIST > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_PC_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_PC_PENDING > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_PC_ASK > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_EULA_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t nat -D SHGW_IPSET -j SHGW_WHITELIST > /dev/null 2>&1
${IPTABLES} -w -t nat -D ${SHGW_PREROUTING_CHAIN} -j SHGW_IPSET > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_PC_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_PC_PENDING > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_PC_ASK > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_EULA_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_WHITELIST > /dev/null 2>&1
${IPTABLES} -w -t nat -X SHGW_IPSET > /dev/null 2>&1
## RULES UNDER FILTER TABLE
${IPTABLES} -w -t filter -F SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t filter -F SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -F SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -F SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t filter -D SHGW_IPSET -j SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t filter -D SHGW_IPSET -j SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -D SHGW_IPSET -j SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -D SHGW_IPSET -j SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t filter -D ${SHGW_FORWARD_CHAIN} -j SHGW_IPSET > /dev/null 2>&1
${IPTABLES} -w -t filter -X SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t filter -X SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -X SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -X SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t filter -X SHGW_IPSET > /dev/null 2>&1
${IPSET} destroy SHGW_HOST_REPUTATION > /dev/null 2>&1 ##Set name and Iptable chain name are same
${IPSET} destroy SHGW_HOST_REPUTATION_DST > /dev/null 2>&1
${IPSET} destroy SHGW_PC_BLOCK > /dev/null 2>&1
${IPSET} destroy SHGW_PC_PENDING > /dev/null 2>&1
${IPSET} destroy SHGW_PC_ASK > /dev/null 2>&1
${IPSET} destroy SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPSET} destroy SHGW_EULA_BLOCK > /dev/null 2>&1
${IPSET} destroy SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPSET} destroy SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPSET} destroy SHGW_WHITELIST > /dev/null 2>&1
}
##Creating custom iptable chains for matching the shgw ipsets
fn_shgw_ipset_setup() {
## RULES UNDER NAT TABLE
${IPTABLES} -w -t nat -N SHGW_IPSET > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_WHITELIST > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_EULA_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_PC_ASK > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_PC_PENDING > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_PC_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -N SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_WHITELIST > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_EULA_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_PC_ASK > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_PC_PENDING > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_PC_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t nat -A SHGW_IPSET -j SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t nat -I ${SHGW_PREROUTING_CHAIN} -j SHGW_IPSET > /dev/null 2>&1
## RULES UNDER FILTER TABLE
${IPTABLES} -w -t filter -N SHGW_IPSET > /dev/null 2>&1
${IPTABLES} -w -t filter -N SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t filter -N SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -N SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -N SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t filter -A SHGW_IPSET -j SHGW_NETWORK_PAUSE > /dev/null 2>&1
${IPTABLES} -w -t filter -A SHGW_IPSET -j SHGW_DEVICE_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -A SHGW_IPSET -j SHGW_PC_TIME_BLOCK > /dev/null 2>&1
${IPTABLES} -w -t filter -A SHGW_IPSET -j SHGW_HOST_REPUTATION > /dev/null 2>&1
${IPTABLES} -w -t filter -I ${SHGW_FORWARD_CHAIN} -j SHGW_IPSET > /dev/null 2>&1
}
# main
${ECHO} "Starting dpwrap" >> ${SHGW_STARTUP_LOG} 2>&1
fn_trim_startup_log
fn_kill_dpwrap_if_running
fn_shgw_ipv6_tproxy_cleanup
fn_shgw_ipv6_tproxy_setup
fn_shgw_ipv4_tproxy_cleanup
fn_shgw_ipv4_tproxy_setup
fn_shgw_ipset_cleanup
fn_shgw_ipset_setup
fn_launch_and_wait
fn_shgw_ipset_cleanup
fn_shgw_ipv4_tproxy_cleanup
fn_shgw_ipv6_tproxy_cleanup
${IPTABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
${IP6TABLES} -t mangle -nvL | ${GREP} ${SHGW_REQ_PORT} >> ${SHGW_STARTUP_LOG} 2>&1
${ECHO} "Stopping dpwrap" >> ${SHGW_STARTUP_LOG} 2>&1
Reference in New Issue View Git Blame Copy Permalink