
Executable scripts are sourced from execute_dir

Laurent HUBERT hace 9 meses
padre
commit
e3cf869ec8
Se han modificado 4 ficheros con 126 adiciones y 105 borrados
  1. 6 0
      etc/post-start-stop.example
  2. 7 5
      scripts/execute_dir
  3. 5 100
      scripts/lfirewall
  4. 108 0
      scripts/setup

+ 6 - 0
etc/post-start-stop.example

@@ -0,0 +1,6 @@
+# Blocks all IP which connect to port 22
+# BEWARE: this is to be activate ONLY
+# IF YOU CHANGED YOUR SSH DEFAULT PORT
+$do_action $IPTABLES_INSERT $IT_INPUT -m set --match-set banned_ips src -j DROP
+$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH_BLOCK --rsource
+$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 22 -m recent --update --hitcount 1 --name SSH_BLOCK --rsource -j SET --add-set banned_ips src
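Review bot: The three rules at lines 26–28 depend on an ipset named `banned_ips` that nothing in this example creates, and if `$IPTABLES_INSERT` resolves to an insert action as its name suggests, each rule is placed at the head of `$IT_INPUT`, so the chain ends up evaluated in the reverse of the order written here (the `--update`/`--add-set` rule first, the `DROP` rule last). The net effect — any source that touches port 22 is added to `banned_ips` and dropped — is the same either way, but a reader copying this file needs both facts; I would add `# Requires an existing ipset 'banned_ips' (hash:ip); rules are inserted, so the chain reads bottom-up` above line 26. The `--update` rule at line 28 carries no `--ctstate NEW` restriction, so non-SYN packets of an already established session also count as a hit; presumably intended given the header warning, but worth stating in the comment.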

+ 7 - 5
scripts/execute_dir

@@ -43,7 +43,7 @@ do
 	esac
 	shift
 done
-do_action=${1:-}
+export do_action=${1:-}
 script_dir=${2:-}
 
 if [ -z "${do_action}" ] ; then
@@ -66,16 +66,18 @@ then
     exit
 fi
 
-set -x
 cd ${script_dir}
 for script_file in `ls`
 do
     if [ -x ${script_file} ]
     then
         # If file is executable
-        ./${script_file} ${do_action}
-        echo "${script_dir}/${script_file} ${do_action} done"
+        # we SOURCE it (because exporting function
+        # can't be done in sh)
+        set +eu # Just to avoid that a bad script crashes all others
+        . ${script_dir}/${script_file} \
+            || echo "ERROR in ${script_dir}/${script_file}" >&2
+        set -eu
     fi
 done
-set +x
 cd - > /dev/null
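Review bot: The new `. ${script_dir}/${script_file}` at line 58 runs each hook inside execute_dir's own shell, so a hook that calls `exit` terminates execute_dir and skips the remaining hooks instead of reaching the `|| echo "ERROR …"` fallback, and any variable a hook assigns — `script_file`, `script_dir`, `do_action` — silently replaces the loop's own state; the `set +eu` at line 57 guards against neither. Sourcing in a subshell keeps the exported-function problem solved (a subshell inherits the parent's functions, which is what the comment says plain exec cannot do) while containing `exit`, `set` changes and variable clobbering: `( . "${script_dir}/${script_file}" ) || echo "ERROR in ${script_dir}/${script_file}" >&2`, and the crash isolation the comment asks for then comes from the subshell rather than from toggling `-eu`. If hooks are meant to hand variables on to later hooks this would break that, so confirm before changing. Quoting the path as shown also covers the unquoted `${script_file}` at lines 50 and 58, which word-splits on file names containing whitespace.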

+ 5 - 100
scripts/lfirewall

@@ -27,7 +27,7 @@ restart_mode=no
 
 if [ -n "${process_and_parent}" ]
 then
-	if has_parent_process ${process_and_parent}
+	if has_parent_process ${process_and_parent} > /dev/null
 	then
 		shell_process=`echo ${process_and_parent} | awk '{print $1}'`
 		parent_term=`readlink /proc/${shell_process}/fd/2`
@@ -36,7 +36,8 @@ then
 	# Find if systemctl is in restart mode
 	for process_id in ${process_and_parent}
 	do
-		if [ `ps -o comm= -p $process_id` = "systemctl" && ps -o args -p $process_id | grep -v COMMAND | grep restart ]
+		if [ `ps -o comm= -p $process_id` = "systemctl" ] \
+			&& ps -o args -p $process_id | grep -v COMMAND | grep restart > /dev/null
 		then
 			restart_mode=yes
 			break
@@ -161,68 +162,6 @@ then
 	exit 2
 fi
 
-do_exec () {
-	case $1 in
-		__iptable_add_action)
-			shift
-			iptables_option=-A
-		;;
-		__iptable_insert_action)
-			shift
-			iptables_option=-I
-		;;
-		__iptable_set_policy_action)
-			shift
-			iptables_option=-P
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-	if [ ${verbose} -ge 1 ] ; then
-		echo $IP_TABLES $iptables_option $*
-	fi
-	if ! $IP_TABLES -C $* > /dev/null 2>&1
-	then
-		$IP_TABLES $iptables_option $*
-	fi
-}
-
-do_check () {
-	the_action=$1
-	shift
-	case $the_action in
-		__iptable_add_action)
-			iptables_option=-A
-		;;
-		__iptable_insert_action)
-			iptables_option=-I
-		;;
-		__iptable_set_policy_action)
-			return 0
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-	default_option=-C
-	if [ ${verbose} -ge 1 ] ; then
-		echo $do_log "$the_action:" $IP_TABLES -C $*
-		echo $IP_TABLES -C $*
-	fi
-	$do_log "$the_action:" $IP_TABLES -C $*
-	$IP_TABLES -C $*
-	global_status=$((global_status+$?))
-}
-
-log_action () {
-	echo $*
-}
-
-do_not_log_action () {
-	return 0
-}
-
 do_log=do_not_log_action
 
 ##########################
@@ -512,42 +451,6 @@ fw_restore_user(){
 # Stop the Firewall rules
 ##########################
 
-do_delete () {
-	the_action=$1
-	shift
-	if [ ${verbose} -gt 1 ] ; then
-		$do_log "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
-	fi
-	case $the_action in
-		__iptable_add_action)
-			iptables_option=-D
-		;;
-		__iptable_insert_action)
-			iptables_option=-D
-		;;
-		__iptable_set_policy_action)
-			CHAIN_NAME="$1"
-			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP"
-			$IP_TABLES -P $CHAIN_NAME ACCEPT
-			return 0
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-
-
-	# Checks the rule then delete it, if it exists
-	if $IP_TABLES -C $* > /dev/null 2>&1
-	then
-		$IP_TABLES $iptables_option $* || echo "DID NOT EXIST: "$IP_TABLES $iptables_option $*
-		$do_log "DELETING:" $IP_TABLES $iptables_option $*
-	else
-		$do_log "NOT EXISTING:" $IP_TABLES $iptables_option $*
-	fi
-	global_status=$((global_status+$?))
-}
-
 fw_stop () {
 	global_status=0
 	# Start will not really start but exec the "do_delete" action
@@ -623,6 +526,8 @@ fw_test () {
 if [ ${verbose} -gt 0 ] ; then
 	do_log=log_action
 fi
+export do_log
+
 case "$1" in
 	start|restart)
 		echo -n "Starting firewall.."
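Review bot: The test at line 83, `[ \`ps -o comm= -p $process_id\` = "systemctl" ]`, leaves the command substitution unquoted, so when the process has already exited and `ps` prints nothing the expression degrades to `[ = systemctl ]` and `[` reports a unary-operator error on stderr instead of simply evaluating false; `if [ "$(ps -o comm= -p "$process_id")" = "systemctl" ] \` keeps the branch's meaning and handles the empty output. The `grep restart` at line 84 matches any argument containing that substring (a unit named e.g. `restarter` would also set `restart_mode=yes`), which may be acceptable here but deserves a comment such as `# substring match: any systemctl argument containing "restart"`. The `for process_id in ${process_and_parent}` loop begins at line 80 inside the hunk, but its body continues past it.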

+ 108 - 0
scripts/setup

@@ -62,9 +62,115 @@ POST_UP_DOWN_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-up-down.d
 POST_START_STOP_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-start-stop.d
 
 
+###############################################################
 
 ###############################################################
+# Firewall log function definition
+###############################################################
+log_action () {
+	echo $*
+}
 
+do_not_log_action () {
+	return 0
+}
+
+###############################################################
+# Firewall actions function definition
+###############################################################
+do_exec () {
+	case $1 in
+		__iptable_add_action)
+			shift
+			iptables_option=-A
+		;;
+		__iptable_insert_action)
+			shift
+			iptables_option=-I
+		;;
+		__iptable_set_policy_action)
+			shift
+			iptables_option=-P
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	if [ ${verbose} -ge 1 ] ; then
+		echo $IP_TABLES $iptables_option $*
+	fi
+	if ! $IP_TABLES -C $* > /dev/null 2>&1
+	then
+		$IP_TABLES $iptables_option $*
+	fi
+}
+
+
+do_check () {
+	local the_action
+	the_action=$1
+	shift
+	case $the_action in
+		__iptable_add_action)
+			iptables_option=-A
+		;;
+		__iptable_insert_action)
+			iptables_option=-I
+		;;
+		__iptable_set_policy_action)
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	default_option=-C
+	if [ ${verbose} -ge 1 ] ; then
+		echo $do_log "$the_action:" $IP_TABLES -C $*
+		echo $IP_TABLES -C $*
+	fi
+	$do_log "$the_action:" $IP_TABLES -C $*
+	$IP_TABLES -C $*
+	global_status=$((global_status+$?))
+}
+
+
+do_delete () {
+	local the_action
+	the_action=$1
+	shift
+	if [ ${verbose} -gt 1 ] ; then
+		$do_log "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
+	fi
+	case $the_action in
+		__iptable_add_action)
+			iptables_option=-D
+		;;
+		__iptable_insert_action)
+			iptables_option=-D
+		;;
+		__iptable_set_policy_action)
+			CHAIN_NAME="$1"
+			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP"
+			$IP_TABLES -P $CHAIN_NAME ACCEPT
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+
+
+	# Checks the rule then delete it, if it exists
+	if $IP_TABLES -C $* > /dev/null 2>&1
+	then
+		$IP_TABLES $iptables_option $* || echo "DID NOT EXIST: "$IP_TABLES $iptables_option $*
+		$do_log "DELETING:" $IP_TABLES $iptables_option $*
+	else
+		$do_log "NOT EXISTING:" $IP_TABLES $iptables_option $*
+	fi
+	global_status=$((global_status+$?))
+}
 
 ###############################################################
 # Utility functions definition
@@ -136,3 +242,5 @@ find_systemctl_pids(){
 		echo ${shell_pid} ${systemctl_pid}
 	done
 }
+
+
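Review bot: In `do_exec` (lines 233–258) the `*)` arm only echoes "Nothing to be done" and then falls through to the `-C` check and the `$IP_TABLES $iptables_option $*` call at line 256, with `iptables_option` still holding whatever the previous call left in it (it is never reset or made `local`) and with the unrecognised action token still in `$*` because that arm does not `shift`; the function should stop there, `echo "Nothing to be done for $1" >&2; return 1`. `do_check` (line 276) and `do_delete` (line 311) fall through after their `*)` arm in the same way, so the same `return 1` applies to both. Separately, the policy arm of `do_delete` at lines 306–307 logs `DELETING: … -P $CHAIN_NAME DROP` while the command it runs is `-P $CHAIN_NAME ACCEPT`; the log text should say `ACCEPT` so a review of the stop sequence reflects the policy actually set. `default_option=-C` at line 279 is assigned but never read and can be dropped.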