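#!/bin/sh
# Refresh the captive-portal bypass whitelists and load them into ipfw
# table 42 of every ipfw context.  Meant to run unattended (cron); progress
# and warnings go to syslog through log() further down.
#
# Exactly one instance may run at a time: the rm -rf / re-download /
# table-sync sequence below is not safe to interleave, so a pidfile under
# /var/run is taken first and removed on every exit path.

COMMAND=$(basename -- "$0" .sh)
WLDIR=/var/tmp/univnautes-sp-whitelists/

# lock to avoid concurrent updates
LOCK=/var/run/univnautes-sp-$COMMAND.lock

# lock_holder_alive PID
# Returns 0 when PID is all digits and names a live process whose command
# line mentions $COMMAND, i.e. another instance really is running;
# 1 for an empty/corrupt pidfile or a PID that was reused by something else.
lock_holder_alive() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  # 'ps -p' selects that one PID; a substring grep over the whole process
  # list would also match any line that merely contains the same digits.
  ps -p "$1" -o args= 2>/dev/null | grep -qF -- "$COMMAND"
}

if [ -r "$LOCK" ]; then
  PID=$(cat "$LOCK")
  printf '%s\n' "$COMMAND locked by $LOCK"
  # exit *before* the trap is installed so the other instance's pidfile
  # is left in place
  lock_holder_alive "$PID" && exit
  printf '%s\n' "... but PID $PID is not a $COMMAND, continue"
  # stale pidfile: drop it so the noclobber create below can succeed
  rm -f -- "$LOCK"
fi

# Remove the pidfile; installed as the EXIT trap right below.
unlock() {
  rm -f -- "$LOCK"
}
# EXIT covers normal termination and every 'exit' in the script; INT/TERM
# are turned into an exit so the same cleanup runs for them.
trap unlock EXIT
trap 'exit 1' INT TERM

# noclobber (set -C) makes the redirection fail instead of silently
# overwriting a pidfile another instance created between the check above
# and this line.  Losing that race must not remove the winner's pidfile,
# hence the EXIT trap is cleared before exiting.
if ! ( set -C; echo $$ > "$LOCK" ) 2>/dev/null; then
  printf '%s\n' "$COMMAND: $LOCK appeared concurrently, giving up" >&2
  trap - EXIT
  exit 1
fi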
## real start
log() {
|
25
|
logger -p local4.info -t sp/update-whitelists "$*"
|
26
|
}
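# Start from an empty tree: manage.py re-creates $WLDIR with one
# sub-directory per whitelist, each holding conf.sh (sets CODENAME and URL)
# and optionally cacert.pem.  ${WLDIR:?} aborts instead of running
# 'rm -rf' on an empty path if the variable is ever unset.
rm -rf -- "${WLDIR:?}"
cd /usr/local/univnautes/sp || { log "error: cannot cd to /usr/local/univnautes/sp"; exit 1; }
./manage.py prepare-whitelists || { log "error: prepare-whitelists failed"; exit 1; }

# Without this check a failed cd would leave us in the sp/ directory and
# the loop below would source */conf.sh from there instead of $WLDIR.
cd "$WLDIR" || { log "error: cannot cd to $WLDIR"; exit 1; }

NWL=0      # whitelists configured
NFAIL=0    # downloads that failed
for wl in *; do
  # skip the literal '*' of an empty directory and anything without conf.sh
  [ -d "$wl" ] && [ -r "$wl/conf.sh" ] || continue
  # conf.sh is generated by manage.py and *executed* here; reset the two
  # variables first so a conf.sh that omits one cannot inherit the previous
  # whitelist's value.
  CODENAME= URL=
  . "$wl/conf.sh"
  NWL=$((NWL + 1))
  if [ -z "$URL" ]; then
    log "warn: no URL in $wl/conf.sh, skip"
    NFAIL=$((NFAIL + 1))
    continue
  fi
  log "download whitelist $CODENAME from $URL"
  if [ -r "$wl/cacert.pem" ]; then
    CHECK="--ca-certificate=${WLDIR}/${wl}/cacert.pem"
  else
    # Deliberate downgrade kept from the original behaviour: without a
    # pinned CA the server's TLS identity is not verified at all, so the
    # log line is the only visible trace of it.
    CHECK="--no-check-certificate"
    log "warn: --no-check-certificate for whitelist $CODENAME"
  fi
  if ! wget --quiet --tries=1 --timeout=10 "$CHECK" -O "$wl/whitelist" -- "$URL"; then
    rm -f -- "$wl/whitelist"
    log "warn: ERROR while downloading $URL"
    NFAIL=$((NFAIL + 1))
  fi
done

# If every configured download failed there is nothing to load; applying
# an empty list would delete every entry from the live tables.  A partial
# failure still goes through (as before): only the failed list's entries
# disappear.  'exit' runs the EXIT trap installed by the lock section above.
if [ "$NWL" -gt 0 ] && [ "$NFAIL" -eq "$NWL" ]; then
  log "error: all $NWL whitelist downloads failed, keeping current ipfw tables"
  exit 1
fi

# concat all whitelists: one address or CIDR per line; comments and blank
# lines are dropped, CRs from CRLF-formatted lists are stripped (written as
# the '\r' escape tr understands rather than a raw control character), and
# bare addresses get an explicit /32 so they compare equal to what ipfw
# lists.  LC_ALL=C gives the byte-wise order comm(1) below relies on.
# No whitelist at all is a valid configuration (the glob then fails and
# $WLDIR/all is empty), hence the silenced cat error.
cat "$WLDIR"/*/whitelist 2>/dev/null \
  | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
  | tr -d '\r' \
  | sed 's#\(^[^/]*$\)#\1/32#' \
  | LC_ALL=C sort -u > "$WLDIR/all"

# computes differences between the whitelist and the actual ipfw table
# of every context and applies only the delta.  Scratch files live in a
# fresh mktemp directory rather than under fixed names in /var/tmp: this
# runs as root, and a predictable name in a world-writable directory could
# be pre-planted (e.g. as a symlink) before the redirection creates it.
# Cleanup on abnormal exit is not wired into the EXIT trap (it belongs to
# the lock section); a leftover directory is only clutter.
TMPD=$(mktemp -d /var/tmp/ipfw-table42.XXXXXX) || { log "error: mktemp failed"; exit 1; }
# context names are taken as whitespace-separated words of ipfw_context -l
for ctx in $(/usr/local/sbin/ipfw_context -l | tail -n +2 | cut -f1 -d:); do
  WL=$TMPD/$ctx
  /sbin/ipfw -x "$ctx" table 42 list | cut -f1 -d" " | LC_ALL=C sort -u > "$WL-actual"
  # comm needs both inputs sorted identically (LC_ALL=C on both sorts):
  # -13 keeps lines only in the whitelist (add), -23 lines only in the
  # live table (delete).
  LC_ALL=C comm -13 "$WL-actual" "$WLDIR/all" > "$WL-add"
  LC_ALL=C comm -23 "$WL-actual" "$WLDIR/all" > "$WL-delete"
  # read line by line (no word splitting) and hand each entry to ipfw as a
  # single argument; entries are not validated beyond the filters above, so
  # a malformed line only makes its own ipfw call fail and get logged.
  while IFS= read -r entry; do
    log "$ctx: add $entry"
    /sbin/ipfw -x "$ctx" -q table 42 add "$entry" </dev/null \
      || log "warn: $ctx: cannot add $entry"
  done < "$WL-add"
  while IFS= read -r entry; do
    log "$ctx: delete $entry"
    /sbin/ipfw -x "$ctx" -q table 42 delete "$entry" </dev/null \
      || log "warn: $ctx: cannot delete $entry"
  done < "$WL-delete"
done
rm -rf -- "$TMPD"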