12 Коміти fb292cb305 ... c78d20646a

  Laurent HUBERT c78d20646a Bug corrected: some functions were missing 11 місяців тому
  Laurent HUBERT 2899673dfb Corrected: status detection and dir execution 11 місяців тому
  Laurent HUBERT 460145e890 Taking into account '-t table' iptables option 11 місяців тому
  Laurent HUBERT 598d002ca8 Almost working: do_exec does not take into account actions if not at $1 11 місяців тому
  Laurent HUBERT e3cf869ec8 Executable scripts are sourced from execute_dir 11 місяців тому
  Laurent HUBERT 8a990e7a12 Not yet working: run execute_dir but functions not exported 11 місяців тому
  Laurent HUBERT 0387c13d29 Execute dir scripts ready 11 місяців тому
  Laurent HUBERT 3e285ac901 Moved to setup: action definition 11 місяців тому
  Laurent HUBERT 4ad9d662a6 source setup from execute_dir 11 місяців тому
  Laurent HUBERT 46c1b0b164 Moved utility functions to setup 11 місяців тому
  Laurent HUBERT 33c70fdf7b Moved lfirewall environment variables to setup script 11 місяців тому
  Laurent HUBERT 9fb80f6ed3 Corrected : restart_mode assignation 11 місяців тому

+ 18 - 3
Makefile

@@ -12,16 +12,31 @@ SYSTEMD_SERVICE_FILE=$(SYSTEMD_INSTALL_DIR)/$(SERVICE_FILE)
 #SysVinit installation dir
 #INSTALL_DIR=/etc/init.d
 
-install: $(INSTALL_DIR)/lfirewall config $(SYSTEMD_SERVICE_FILE)
+install: config $(INSTALL_DIR)/lfirewall $(FIREWALL_ETC_DIR)/setup $(INSTALL_DIR)/execute_lfirewall_dir $(SYSTEMD_SERVICE_FILE) examples
 
 config:
-	$(MKDIR) -p $(FIREWALL_ETC_DIR)
+	$(MKDIR) -p $(FIREWALL_ETC_DIR) $(FIREWALL_ETC_DIR)/post-start-stop.d $(FIREWALL_ETC_DIR)/post-up-down.d
 	@if [ ! -f $(FIREWALL_ETC_DIR)/$(FIREWALL_CONF) ] ; then $(CP) etc/$(FIREWALL_CONF) $(FIREWALL_ETC_DIR)/ ; else echo "The file $(FIREWALL_ETC_DIR)/$(FIREWALL_CONF) already exists" ; fi
 
+examples: $(FIREWALL_ETC_DIR)/post-start-stop.d/post-start-stop.example $(FIREWALL_ETC_DIR)/post-up-down.d/post-up-down-routing.example
+
+
 $(INSTALL_DIR)/lfirewall: scripts/lfirewall
 	$(CP) $< $@
 
+$(INSTALL_DIR)/execute_lfirewall_dir: scripts/execute_lfirewall_dir
+	$(CP) $< $@
+
+$(FIREWALL_ETC_DIR)/%: scripts/%
+	$(CP) $< $@
+
 $(SYSTEMD_SERVICE_FILE): systemd/$(SERVICE_FILE)
 	$(CP) $< $@
 
-.PHONY: config install
+$(FIREWALL_ETC_DIR)/post-start-stop.d/post-start-stop.example: etc/post-start-stop.example
+	$(CP) $< $@
+	
+$(FIREWALL_ETC_DIR)/post-up-down.d/post-up-down-routing.example: etc/post-up-down-routing.example
+	$(CP) $< $@
+
+.PHONY: config install examples
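Review bot: The two example install rules write into `post-start-stop.d` and `post-up-down.d`, but only the phony `config` recipe creates those directories and neither rule depends on them, so `make examples` on a fresh host, or `make -j install` where prerequisite order is not guaranteed, can run `$(CP)` before `$(MKDIR)`; add `@$(MKDIR) -p $(@D)` as the first recipe line of each example rule (or an order-only prerequisite). `$(CP)` also carries the source's mode bits onto a newly created file, and `execute_lfirewall_dir` sources every executable file in those directories with the firewall's privileges, so if an `etc/*.example` ever gains the executable bit it is run at the next start; `install -m 0644 $< $@` for the examples pins a non-executable mode. `etc/post-start-stop-routing.example` is added in this commit but no rule installs it.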

+ 11 - 0
etc/post-start-stop-routing.example

@@ -0,0 +1,11 @@
+# Creates a routing rule to external interface
+if [ -z ${1:-}]
+then
+    external_if=eth0
+else
+    external_if=$1
+fi
+$do_action -t nat $IPTABLES_ADD $IT_INPUT -A $IT_POSTROUTING -s '10.1.0.0/24' -o $external_if -j MASQUERADE
+$do_action -t raw $IPTABLES_INSERT $IT_INPUT -I $IT_PREROUTING -i fwbr+ -j CT --zone 1
+$do_action -t nat $IPTABLES_INSERT $IT_INPUT -D $IT_POSTROUTING -s '10.1.0.0/24' -o $external_if -j MASQUERADE
+$do_action -t raw $IPTABLES_INSERT $IT_INPUT -D $IT_PREROUTING -i fwbr+ -j CT --zone 1
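Review bot: `if [ -z ${1:-}]` is missing the space before `]`, so with a non-empty `$1` the test fails with a "missing ]" error; it should read `if [ -z "${1:-}" ]`. The four `$do_action` lines also pass `$IT_INPUT` immediately after the action, so `get_command_information` in setup hands iptables `INPUT -A POSTROUTING ...` / `INPUT -I PREROUTING ...`, which is not a valid rule specification, and the file mixes add (`-A`, `-I`) and delete (`-D`) rules in one script that runs for a single action. Since `post-up-down-routing.example` already contains the corrected form of the first two rules and nothing in the Makefile installs this file, it looks like a leftover draft that should be dropped or brought in line with that file.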

+ 6 - 0
etc/post-start-stop.example

@@ -0,0 +1,6 @@
+# Blocks all IP which connect to port 22
+# BEWARE: this is to be activate ONLY
+# IF YOU CHANGED YOUR SSH DEFAULT PORT
+$do_action $IPTABLES_INSERT $IT_INPUT -m set --match-set banned_ips src -j DROP
+$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH_BLOCK --rsource
+$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 22 -m recent --update --hitcount 1 --name SSH_BLOCK --rsource -j SET --add-set banned_ips src
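Review bot: The three rules use `$IPTABLES_INSERT` (`-I`), so the resulting chain is in the reverse of the file order (add-to-set, then `--set`, then the DROP on `banned_ips`), which is what makes a source get banned on its second packet to port 22 rather than its first; that ordering and the requirement that the `banned_ips` ipset already exist (see `warn_user_missing_ban_list` in lfirewall) are worth a comment, e.g. `# Rules are inserted with -I, so the effective chain order is the reverse of this file; requires the 'banned_ips' ipset`. The ban has no expiry (`--update` carries no `--seconds`), which is fine for a honeypot port but should be stated next to the existing BEWARE header. The header itself could read `# BEWARE: this is to be activated ONLY`.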

+ 11 - 0
etc/post-up-down-routing.example

@@ -0,0 +1,11 @@
+# Creates a routing rule to external interface
+DEFAULT_NET_INTERFACE=eth0
+NETWORK_ID='10.1.0.0/24'
+if [ -z ${1:-} ]
+then
+    external_if=${DEFAULT_NET_INTERFACE}
+else
+    external_if=$1
+fi
+$do_action -t nat $IPTABLES_ADD $IT_POSTROUTING -s "$NETWORK_ID" -o $external_if -j MASQUERADE
+$do_action -t raw $IPTABLES_INSERT $IT_PREROUTING -i fwbr+ -j CT --zone 1
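Review bot: `DEFAULT_NET_INTERFACE=eth0` duplicates `NETWORK_IF=eth0`, which setup defines and exports, so the example can default to the configured interface instead of a second hard-coded value: `external_if=${1:-${NETWORK_IF:-eth0}}`. Because `execute_lfirewall_dir` sources these files rather than executing them, `DEFAULT_NET_INTERFACE`, `NETWORK_ID` and `external_if` stay defined for every later script in the same directory run, which is worth noting in the header comment. From the visible callers `fw_execute_post_up_down` passes no extra argument, so `$1` appears to always be empty here; if an interface argument is intended, the caller has to supply it.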

+ 95 - 0
scripts/execute_lfirewall_dir

@@ -0,0 +1,95 @@
+#!/bin/sh
+
+if [ -z "${CONFIGURATION_DIR:-}" ]
+then
+    CONFIGURATION_DIR=/etc/lfirewall
+    . ${CONFIGURATION_DIR}/setup
+fi
+
+options=$(getopt -l "firewall-action,verbose" -o "fv" -- "$@")
+if [ $? != 0 ] ; then
+	echo "Error while checking options ($0)">&2
+	exit 1
+fi
+eval set -- "$options"
+set -eu
+
+firewall_action=no
+if [ -z ${verbose:-} ]
+then
+	verbose=0
+fi
+
+while :
+do
+	if [ ${verbose} = "1" ] ; then
+		echo "$@"
+	fi
+
+	case "$1" in
+		-f|--firewall-action)
+			firewall_action=yes
+			;;
+		-v|--verbose)
+			verbose=$(( verbose + 1 ))
+			if [ ${verbose} -gt 1 ] ; then
+				set -x
+			fi
+			if [ ${verbose} -gt 2 ] ; then
+				set -v
+			fi
+			;;
+		--)
+			shift
+			break
+			;;
+	esac
+	shift
+done
+do_log=do_not_log_action
+if [ ${verbose} -gt 0 ] ; then
+        do_log=log_action
+fi
+export do_log
+
+
+export do_action=${1:-}
+script_dir=${2:-}
+
+shift 2 # clean any arguments
+
+if [ -z "${do_action}" ] ; then
+    echo "ERROR: missing action" >&2
+    exit 2
+fi
+if [ -z "${script_dir}" ] ; then
+    echo "ERROR: missing script directory" >&2
+    exit 2
+fi
+
+if [ ${do_action} = "do_delete" ] && [ ${firewall_action} = "yes" ]
+then
+    # We do nothing in that specific case
+    # (post-up-down)
+    # just leave the script
+    # because we let post-down directive
+    # from /etc/network/interfaces
+    # do the job
+    exit
+fi
+
+cd ${script_dir}
+for script_file in `ls`
+do
+    if [ -x ${script_file} ]
+    then
+        # If file is executable
+        # we SOURCE it (because exporting function
+        # can't be done in sh)
+        set +eu # Just to avoid that a bad script crashes all others
+        . ${script_dir}/${script_file} \
+            || echo "ERROR in ${script_dir}/${script_file}" >&2
+        set -eu
+    fi
+done
+cd - > /dev/null
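Review bot: The `ERROR: missing action` / `ERROR: missing script directory` checks can never fire, because `shift 2` runs first under `set -eu` and aborts the script when fewer than two positional arguments remain (dash treats an over-long shift as fatal, bash returns non-zero and `-e` exits), so a caller that omits either argument gets a bare shift error instead of the intended message; move `shift 2 # clean any arguments` below the two `exit 2` checks. The loop `for script_file in \`ls\`` parses `ls` output, and `-x` is also true for sub-directories, which `.` then fails on; `for script_file in "${script_dir}"/*` with `if [ -f "${script_file}" ] && [ -x "${script_file}" ]` restricts sourcing to regular executable files. Since every such file is sourced with the caller's privileges and a sourced `exit` ends this runner, a header comment stating that contract would help whoever drops scripts into these directories.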

+ 33 - 220
scripts/lfirewall

@@ -17,80 +17,17 @@
 # chkconfig: 2345 9 91
 # description: Activates/Deactivates the firewall at boot time
 #
+CONFIGURATION_DIR=/etc/lfirewall
 
-has_parent_process(){
-	local parent_to_search
-	local ppid
-	parent_to_search="${1:-}"
-	if [ -z "${parent_to_search:-}" ]
-	then
-		echo "ERROR: need parent process pid as first arg" >&2
-		return 5
-	fi
-	local pid
-	pid="${2:-}"
-	if [ -z "${pid:-}" ]
-	then
-		pid=$$
-	fi
-	if [ $parent_to_search = $pid ]
-	then
-		echo ${parent_to_search}
-		return 0
-	else if [ $pid -gt 1 ]
-		then
-			ppid=$(ps --pid ${pid} -o ppid= | xargs) || echo "OUT OF RANGE PID=${pid}" >&2
-			if [ -n "$ppid" ]
-			then
-				if [ $ppid = $pid ]
-				then
-					#echo "ERROR: pid=$pid is the same as ppid=$ppid" >&2
-					echo -1
-				else
-					has_parent_process ${parent_to_search} ${ppid}
-				fi
-			else
-				#echo "ERROR: pid='$pid' has ppid='$ppid'" >&2
-				echo -2
-			fi
-		else
-			#echo "NOT FOUND: ${parent_to_search}" >&2
-			echo 1
-		fi
-	fi
-	return 1
-}
-
-find_pid_user_of(){
-	local used_file=$1
-	local regex="$2"
-	lsof ${used_file} | awk 'NR>1 && $1 ~ /'${regex}'/ && !($2 in a){a[$2]++; print $2}'
-}
+. ${CONFIGURATION_DIR}/setup
 
-find_systemctl_pids(){
-	local shell_pid
-	local systemctl_pid
-	ps -elf | grep 'systemctl' | grep -v grep | awk '{print $13}' | sort -u | while read term
-	do
-		#echo ${shell_pid} ${systemctl_pid} >&2
-		if [ -z "${shell_pid:-}" ]
-		then
-			shell_pid=$(find_pid_user_of /dev/$term '.*sh$')
-		fi
-		if [ -z "${systemctl_pid:-}" ]
-		then
-			systemctl_pid=$(find_pid_user_of /dev/$term 'systemctl')
-		fi
-		echo ${shell_pid} ${systemctl_pid}
-	done
-}
 process_and_parent=`find_systemctl_pids`
 
 restart_mode=no
 
 if [ -n "${process_and_parent}" ]
 then
-	if has_parent_process ${process_and_parent}
+	if has_parent_process ${process_and_parent} > /dev/null
 	then
 		shell_process=`echo ${process_and_parent} | awk '{print $1}'`
 		parent_term=`readlink /proc/${shell_process}/fd/2`
@@ -99,9 +36,11 @@ then
 	# Find if systemctl is in restart mode
 	for process_id in ${process_and_parent}
 	do
-		if [ `ps -o comm= -p $process_id` = "systemctl" ]
+		if [ `ps -o comm= -p $process_id` = "systemctl" ] \
+			&& ps -o args -p $process_id | grep -v COMMAND | grep restart > /dev/null
 		then
-			restart_mode=`ps -o args -p $process_id | grep -v COMMAND | grep restart && echo yes || echo no`
+			restart_mode=yes
+			break
 		fi
 	done
 fi
@@ -151,11 +90,6 @@ fi
 
 eval set -- "$options"
 
-IT_INPUT=INPUT
-IT_INPUT_LOG=LOGINPUT
-IT_OUTPUT=OUTPUT
-IT_OUTPUT_LOG=LOGOUTPUT
-
 verbose=0
 logging=" "
 
@@ -194,35 +128,6 @@ do
 	shift
 done
 
-PATH=/bin:/sbin:/usr/bin:/usr/sbin
-
-#Defautl network interface
-NETWORK_IF=eth0
-
-# Services that the system will offer to the network
-TCP_SERVICES="22" # SSH only
-UDP_SERVICES=""
-# Services the system will use from the network
-REMOTE_TCP_SERVICES="80 443" # web browsing
-REMOTE_UDP_SERVICES="53" # DNS
-
-
-# Network that will be used for remote mgmt
-# (if undefined, no rules will be setup)
-# NETWORK_MGMT=192.168.0.0/24
-
-# Port used for the SSH service, define this is you have setup a
-# management network but remove it from TCP_SERVICES
-SSH_PORT="22"
-
-# Default IP_TABLES command path
-IP_TABLES="/sbin/iptables"
-IP_TABLES_RESTORE="/sbin/iptables-restore"
-IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
-IP_TABLES_SAVE="/sbin/iptables-save"
-IP_TABLES_SAVE_6="/sbin/ip6tables-save"
-
-
 if ! [ -x $IP_TABLES ]; then
 	echo "$IP_TABLES is not executable or not present" >&2
 	exit 1
@@ -238,13 +143,6 @@ if ! [ -x $IP_TABLES_RESTORE_6 ]; then
 	exit 6
 fi
 
-
-CONFIGURATION_DIR=/etc/lfirewall
-CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
-CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
-USER_RULES_IPTABLES=${CONFIGURATION_DIR}/iptables-user.v4
-USER_RULES_IPTABLES_6=${CONFIGURATION_DIR}/iptables-user.v6
-
 if [ -f $CONFIGURATION_FILE ] ; then
 	set +u
 	. $CONFIGURATION_FILE
@@ -264,79 +162,10 @@ then
 	exit 2
 fi
 
-export IPTABLES_CHECK=__iptables_check_action
-export IPTABLES_ADD=__iptable_add_action
-export IPTABLES_INSERT=__iptable_insert_action
-export IPTABLES_SET_POLICY=__iptable_set_policy_action
-
-export IP_TABLES
-export NETWORK_IF
-
-
-do_exec () {
-	case $1 in
-		__iptable_add_action)
-			shift
-			iptables_option=-A
-		;;
-		__iptable_insert_action)
-			shift
-			iptables_option=-I
-		;;
-		__iptable_set_policy_action)
-			shift
-			iptables_option=-P
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-	if [ ${verbose} -ge 1 ] ; then
-		echo $IP_TABLES $iptables_option $*
-	fi
-	if ! $IP_TABLES -C $* > /dev/null 2>&1
-	then
-		$IP_TABLES $iptables_option $*
-	fi
-}
-
-do_check () {
-	the_action=$1
-	shift
-	case $the_action in
-		__iptable_add_action)
-			iptables_option=-A
-		;;
-		__iptable_insert_action)
-			iptables_option=-I
-		;;
-		__iptable_set_policy_action)
-			return 0
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-	default_option=-C
-	if [ ${verbose} -ge 1 ] ; then
-		echo $do_log "$the_action:" $IP_TABLES -C $*
-		echo $IP_TABLES -C $*
-	fi
-	$do_log "$the_action:" $IP_TABLES -C $*
-	$IP_TABLES -C $*
-	global_status=$((global_status+$?))
-}
-
-log_action () {
-	echo $*
-}
-
-do_not_log_action () {
-	return 0
-}
-
 do_log=do_not_log_action
 
+export verbose
+
 ##########################
 # Drops INPUT
 ##########################
@@ -456,12 +285,34 @@ fw_execute () {
 	#**************************************************************************#
 	fw_blacklist $do_action
 
+	fw_execute_post_up_down $do_action
+	fw_execute_post_start_stop $do_action
+
 	#**************************************************************************#
 	# whitelist action
 	#**************************************************************************#
 	fw_whitelist $do_action
 }
 
+EXECUTE_LFIREWALL_DIR=`dirname $0`/execute_lfirewall_dir
+
+fw_execute_post_up_down(){
+	local do_action
+	do_action=$1
+	set +eu
+	${EXECUTE_LFIREWALL_DIR} -f ${do_action} ${POST_UP_DOWN_SCRIPTS_DIR}
+	set -eu
+}
+
+
+fw_execute_post_start_stop(){
+	local do_action
+	do_action=$1
+	set +eu
+	${EXECUTE_LFIREWALL_DIR} ${do_action} ${POST_START_STOP_SCRIPTS_DIR}
+	set -eu
+}
+
 
 warn_user_missing_ban_list() {
 	local ban_list_name
@@ -575,10 +426,6 @@ do_this(){
     $*
 }
 
-translate_iptables_rule(){
-	echo $* | sed -e 's/'$IPTABLES_ADD'/-A/g' -e 's/'$IPTABLES_INSERT'/-I/g'  -e 's/'$IPTABLES_SET_POLICY'/-P/g' 
-}
-
 ##########################
 # Backups user rules
 ##########################
@@ -603,42 +450,6 @@ fw_restore_user(){
 # Stop the Firewall rules
 ##########################
 
-do_delete () {
-	the_action=$1
-	shift
-	if [ ${verbose} -gt 1 ] ; then
-		$do_log "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
-	fi
-	case $the_action in
-		__iptable_add_action)
-			iptables_option=-D
-		;;
-		__iptable_insert_action)
-			iptables_option=-D
-		;;
-		__iptable_set_policy_action)
-			CHAIN_NAME="$1"
-			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP"
-			$IP_TABLES -P $CHAIN_NAME ACCEPT
-			return 0
-		;;
-		*)
-			echo "Nothing to be done for $1"
-		;;
-	esac
-
-
-	# Checks the rule then delete it, if it exists
-	if $IP_TABLES -C $* > /dev/null 2>&1
-	then
-		$IP_TABLES $iptables_option $* || echo "DID NOT EXIST: "$IP_TABLES $iptables_option $*
-		$do_log "DELETING:" $IP_TABLES $iptables_option $*
-	else
-		$do_log "NOT EXISTING:" $IP_TABLES $iptables_option $*
-	fi
-	global_status=$((global_status+$?))
-}
-
 fw_stop () {
 	global_status=0
 	# Start will not really start but exec the "do_delete" action
@@ -714,6 +525,8 @@ fw_test () {
 if [ ${verbose} -gt 0 ] ; then
 	do_log=log_action
 fi
+export do_log
+
 case "$1" in
 	start|restart)
 		echo -n "Starting firewall.."
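Review bot: In the `fw_execute_post_up_down` / `fw_execute_post_start_stop` hunk the runner's exit status is thrown away: the call sits between `set +eu` and `set -eu` and nothing folds `$?` into `global_status`, so a failing post-script, or a missing `execute_lfirewall_dir`, leaves the surrounding start/stop reporting success with rules absent; `${EXECUTE_LFIREWALL_DIR} -f ${do_action} ${POST_UP_DOWN_SCRIPTS_DIR} || global_status=$((global_status+1))` in each helper records it, assuming the caller initialises `global_status` as `fw_stop` does. `EXECUTE_LFIREWALL_DIR` is derived from `dirname $0`, so if the script is ever invoked through a `$PATH` lookup `$0` has no directory part and the runner is resolved relative to the current working directory; an absolute install path, or `$(dirname "$(readlink -f "$0")")`, avoids that. `fw_execute` itself starts before this hunk.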

+ 302 - 0
scripts/setup

@@ -0,0 +1,302 @@
+
+###############################################################
+# iptables chain names
+###############################################################
+IT_INPUT=INPUT
+IT_INPUT_LOG=LOGINPUT
+IT_OUTPUT=OUTPUT
+IT_OUTPUT_LOG=LOGOUTPUT
+IT_POSTROUTING=POSTROUTING
+IT_PREROUTING=PREROUTING
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+
+#Defautl network interface
+NETWORK_IF=eth0
+
+# Services that the system will offer to the network
+TCP_SERVICES="22" # SSH only
+UDP_SERVICES=""
+# Services the system will use from the network
+REMOTE_TCP_SERVICES="80 443" # web browsing
+REMOTE_UDP_SERVICES="53" # DNS
+
+# Port used for the SSH service, define this is you have setup a
+# management network but remove it from TCP_SERVICES
+SSH_PORT="22"
+
+###############################################################
+# Default IP_TABLES command path
+###############################################################
+IP_TABLES="/sbin/iptables"
+IP_TABLES_RESTORE="/sbin/iptables-restore"
+IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
+IP_TABLES_SAVE="/sbin/iptables-save"
+IP_TABLES_SAVE_6="/sbin/ip6tables-save"
+
+###############################################################
+# iptables action definition
+###############################################################
+
+# -C
+export IPTABLES_CHECK=__iptables_check_action
+# -A
+export IPTABLES_ADD=__iptable_add_action
+# -I
+export IPTABLES_INSERT=__iptable_insert_action
+# -P
+export IPTABLES_SET_POLICY=__iptable_set_policy_action
+
+export IP_TABLES
+export NETWORK_IF
+
+
+###############################################################
+# File and folder paths
+###############################################################
+CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
+CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
+USER_RULES_IPTABLES=${CONFIGURATION_DIR}/iptables-user.v4
+USER_RULES_IPTABLES_6=${CONFIGURATION_DIR}/iptables-user.v6
+POST_UP_DOWN_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-up-down.d
+POST_START_STOP_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-start-stop.d
+
+
+###############################################################
+
+###############################################################
+# Firewall log function definition
+###############################################################
+log_action () {
+	echo $*
+}
+
+do_not_log_action () {
+	return 0
+}
+
+translate_iptables_rule(){
+	echo $* | sed -e 's/'$IPTABLES_ADD'/-A/g' -e 's/'$IPTABLES_INSERT'/-I/g'  -e 's/'$IPTABLES_SET_POLICY'/-P/g' 
+}
+
+###############################################################
+# Firewall actions function definition
+###############################################################
+get_table_information(){
+    if [ "$1" = "-t" ]
+    then
+        echo "$1 $2"
+    else
+        echo ""
+    fi
+}
+
+get_action_information(){
+    if [ "$1" = "-t" ]
+    then
+        echo "$3"
+    else
+        echo "$1"
+    fi
+}
+
+
+get_command_information(){
+    if [ "$1" = "-t" ]
+    then
+        shift 3
+    else
+        shift
+    fi
+    echo "$*"
+}
+
+get_chain_information(){
+    if [ "$1" = "-t" ]
+    then
+        shift 3
+    else
+        shift
+    fi
+    echo "$1"
+}
+
+do_exec () {
+    local it_action=`get_action_information $*`
+    local it_table=`get_table_information $*`
+    local it_command=`get_command_information $*`
+    local it_option
+	case ${it_action} in
+		__iptable_add_action)
+			shift
+			it_option=-A
+		;;
+		__iptable_insert_action)
+			shift
+			it_option=-I
+		;;
+		__iptable_set_policy_action)
+			shift
+			it_option=-P
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	if ! $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
+	then
+		if [ ${verbose} -ge 1 ] ; then
+			echo $IP_TABLES $it_table $it_option $it_command
+		fi
+		$IP_TABLES $it_table $it_option $it_command
+	fi
+}
+
+
+do_check () {
+    if [ ${verbose} -ge 1 ] ; then
+        echo "do_check params='$*'"
+    fi
+    local it_action=`get_action_information $*`
+    local it_table=`get_table_information $*`
+    local it_command=`get_command_information $*`
+    local it_option
+	case $it_action in
+		__iptable_add_action)
+			it_option=-A
+		;;
+		__iptable_insert_action)
+			it_option=-I
+		;;
+		__iptable_set_policy_action)
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	default_option=-C
+	if [ ${verbose} -ge 1 ] ; then
+		echo "it_action=$it_action"
+		echo "it_table=$it_table"
+		echo "it_command=$it_command"
+		echo $do_log "$it_action:" $IP_TABLES $it_table -C $it_command
+		echo $IP_TABLES $it_table -C $it_command
+	fi
+	$do_log "$it_action:" $IP_TABLES $it_table -C $it_command
+	$IP_TABLES $it_table -C $it_command
+	global_status=$((global_status+$?))
+}
+
+
+do_delete () {
+    local it_action=`get_action_information $*`
+    local it_table=`get_table_information $*`
+    local it_command=`get_command_information $*`
+    local it_option
+	if [ ${verbose} -gt 1 ] ; then
+		$do_log "Trying to delete:" \
+         $(translate_iptables_rule $IP_TABLES $it_table $it_action $it_command)
+	fi
+	case $it_action in
+		__iptable_add_action)
+			it_option=-D
+		;;
+		__iptable_insert_action)
+			it_option=-D
+		;;
+		__iptable_set_policy_action)
+			CHAIN_NAME=`get_chain_information $*`
+			$do_log "DELETING: $IP_TABLES $it_table -P $CHAIN_NAME DROP"
+			$IP_TABLES $it_table -P $CHAIN_NAME ACCEPT
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+
+
+	# Checks the rule then delete it, if it exists
+	if $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
+	then
+		$IP_TABLES $it_table $it_option $it_command || echo "DID NOT EXIST: "$IP_TABLES $it_option $it_command
+		$do_log "DELETING:" $IP_TABLES $it_table $it_option $it_command
+	else
+		$do_log "NOT EXISTING:" $IP_TABLES $it_table $it_option $it_command
+	fi
+	global_status=$((global_status+$?))
+}
+
+###############################################################
+# Utility functions definition
+###############################################################
+
+has_parent_process(){
+	local parent_to_search
+	local ppid
+	parent_to_search="${1:-}"
+	if [ -z "${parent_to_search:-}" ]
+	then
+		echo "ERROR: need parent process pid as first arg" >&2
+		return 5
+	fi
+	local pid
+	pid="${2:-}"
+	if [ -z "${pid:-}" ]
+	then
+		pid=$$
+	fi
+	if [ $parent_to_search = $pid ]
+	then
+		echo ${parent_to_search}
+		return 0
+	else if [ $pid -gt 1 ]
+		then
+			ppid=$(ps --pid ${pid} -o ppid= | xargs) || echo "OUT OF RANGE PID=${pid}" >&2
+			if [ -n "$ppid" ]
+			then
+				if [ $ppid = $pid ]
+				then
+					#echo "ERROR: pid=$pid is the same as ppid=$ppid" >&2
+					echo -1
+				else
+					has_parent_process ${parent_to_search} ${ppid}
+				fi
+			else
+				#echo "ERROR: pid='$pid' has ppid='$ppid'" >&2
+				echo -2
+			fi
+		else
+			#echo "NOT FOUND: ${parent_to_search}" >&2
+			echo 1
+		fi
+	fi
+	return 1
+}
+
+find_pid_user_of(){
+	local used_file=$1
+	local regex="$2"
+	lsof ${used_file} | awk 'NR>1 && $1 ~ /'${regex}'/ && !($2 in a){a[$2]++; print $2}'
+}
+
+find_systemctl_pids(){
+	local shell_pid
+	local systemctl_pid
+	ps -elf | grep 'systemctl' | grep -v grep | awk '{print $13}' | sort -u | while read term
+	do
+		#echo ${shell_pid} ${systemctl_pid} >&2
+		if [ -z "${shell_pid:-}" ]
+		then
+			shell_pid=$(find_pid_user_of /dev/$term '.*sh$')
+		fi
+		if [ -z "${systemctl_pid:-}" ]
+		then
+			systemctl_pid=$(find_pid_user_of /dev/$term 'systemctl')
+		fi
+		echo ${shell_pid} ${systemctl_pid}
+	done
+}
+
+
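Review bot: In `do_exec`, `do_check` and `do_delete` the `*)` branch only echoes and then falls through, so an unrecognised action still reaches `$IP_TABLES $it_table -C $it_command` and then the iptables call with `it_option` never assigned; the branch should end with `return 1` in all three functions. The message also prints `$1`, which for a rule carrying `-t table` is `-t` rather than the action, so `echo "Nothing to be done for ${it_action}" >&2` is the useful form. `default_option=-C` in `do_check` is assigned and never read, and the `DID NOT EXIST:` echo in `do_delete` omits `$it_table`, so its output does not match the command that was actually run.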