adding example runit-style service directory

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

examples/var_service/fw/conf/11.22.33.44.ipconf--

@@ -0,0 +1,10 @@
+#!/bin/sh
+# If we have simple static address...
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=11.22.33.44
+ipmask[$cfg]=11.22.33.44/24
+gw[$cfg]=11.22.33.1
+net[$cfg]=0/0
+dns[$cfg]='11.22.33.2 11.22.33.3'

examples/var_service/fw/conf/192.168.0.1.ipconf

@@ -0,0 +1,11 @@
+#!/bin/sh
+# A small network with no routers
+# (maybe *we* are their router)
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=192.168.0.1
+ipmask[$cfg]=192.168.0.1/24
+### gw[$cfg]=
+### net[$cfg]=0/0
+### dns[$cfg]=''

examples/var_service/fw/conf/lo.ipconf

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Mostly redundant except when you need dns[]=your_static_dns_srv
+#
+let cfg=cfg+1
+if[$cfg]=lo
+ip[$cfg]=127.0.0.1
+ipmask[$cfg]=127.0.0.1/8
+gw[$cfg]=''
+net[$cfg]=''
+#dns[$cfg]=127.0.0.1

examples/var_service/fw/etc/hosts

@@ -0,0 +1,21 @@
+#!/bin/sh
+echo "\
+# This file is automagically regenerated
+# Note! /etc/nsswitch.conf may override this!
+
+# For loopbacking
+127.0.0.1 localhost
+
+# Our local IPs"
+
+hostname=`hostname`
+test "$hostname" || hostname=localhost
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME")`
+test "$domain" && hostname="$hostname $hostname.$domain"
+
+ip -o a l \
+| grep -F 'inet ' \
+| sed -e 's/^.*inet //' -e 's:[ /].*$: '"$hostname"':'
+
+echo
+echo "# End of /etc/hosts"

examples/var_service/fw/etc/resolv.conf

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME") 2>/dev/null`
+
+echo "# This file is automagically regenerated with each boot"
+echo
+test "$domain" && echo "domain $domain"
+test "$domain" && echo "search $domain"
+echo
+echo "# Note that nslookup can choke on DNS server which itself"
+echo "# does NOT have domain name. Other things can work fine."
+echo
+# # If we run DNS cache:
+# echo "nameserver 127.0.0.1"
+# exit
+
+prio=0
+i=0; while test "${if[$i]}"; do
+    test x"${dns_prio[$i]}" != x"" \
+    && test "${dns_prio[$i]}" -gt "$prio" \
+    && prio="${dns_prio[$i]}"
+let i++; done
+
+i=0; while test "${if[$i]}"; do
+    for d in ${dns[$i]}; do
+	p="${dns_prio[$i]}"
+	test x"$p" == x"" && p=0
+	test x"$p" == x"$prio" || continue
+	echo "nameserver $d"
+    done
+let i++; done

examples/var_service/fw/run

@@ -0,0 +1,211 @@
+#!/bin/bash
+# (using bashisms: "function", arrays)
+
+user=root
+extif=if
+ext_open_tcp="21 22 80" # space-separated
+
+# Make ourself one-shot
+sv o .
+# Debug
+#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
+
+service=`basename "$PWD"`
+rundir="/var/run/service/$service"
+
+### filter This is the default table (if no -t option is passed).  It contains
+###        the  built-in chains INPUT (for packets coming into the box itself),
+###        FORWARD (for packets being routed through the box), and OUTPUT (for
+###        locally-generated packets).
+###
+### nat    This table is consulted when a packet that creates a new connection
+###        is encountered.  It consists of three built-ins: PREROUTING (for
+###        altering packets as soon as they come in), OUTPUT (for altering
+###        locally-generated packets before routing), and POSTROUTING (for
+###        altering packets as they are about to go out).
+###
+### mangle It had two built-in chains: PREROUTING (for altering incoming
+###        packets before routing) and OUTPUT (for altering locally-generated
+###        packets before routing).  Recently three other built-in
+###        chains are added: INPUT (for packets coming into the box
+###        itself), FORWARD (for altering packets being routed through the
+###        box), and POSTROUTING (for altering packets as they are about to go
+###        out).
+###
+###       ...iface...                              ...iface...
+###          |                                        ^
+###          v                                        |
+### -mangle,NAT-               -mangle,filter-   -mangle,NAT--
+### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
+### ------------    |    ^     ---------------   -------------
+###                 |    |                           ^
+###                 |    +--if NATed------------+    |
+###                 v                           |    |
+###      -mangle,filter-                -mangle,NAT,filter-
+###      |INPUT        |  +->[Routing]->|OUTPUT           |
+###      ---------------  |             -------------------
+###                 |     |
+###                 v     |
+###         ... Local Process...
+
+doit() {
+    echo "# $*"
+    "$@"
+}
+
+#exec >/dev/null
+exec >"$0.out"
+exec 2>&1
+exec </dev/null
+
+umask 077
+
+# Make sure rundir/ exists
+mkdir -p "$rundir" 2>/dev/null
+chown -R "$user:" "$rundir"
+chmod -R a=rX "$rundir"
+rm -rf rundir 2>/dev/null
+ln -s "$rundir" rundir
+
+# Timestamping
+date '+%Y-%m-%d %H:%M:%S'
+
+
+echo; echo "* Reading IP config"
+cfg=-1
+#             static cfg    dhcp,zeroconf etc
+for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
+	if test -f "$ipconf"; then
+		echo "+ $ipconf"
+		. "$ipconf"
+	fi
+done
+
+echo; echo "* Configuring hardware"
+#doit ethtool -s if autoneg off speed 100 duplex full
+#doit ethtool -K if rx off tx off sg off tso off
+
+echo; echo "* Resetting address and routing info"
+doit ip a f dev lo
+i=0; while test "${if[$i]}"; do
+    doit ip a f dev "${if[$i]}"
+    doit ip r f dev "${if[$i]}" root 0/0
+let i++; done
+
+echo; echo "* Configuring addresses"
+doit ip a a dev lo 127.0.0.1/8 scope host
+doit ip a a dev lo ::1/128 scope host
+i=0; while test "${if[$i]}"; do
+    if test "${ipmask[$i]}"; then
+        doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
+        doit ip l set dev "${if[$i]}" up
+    fi
+let i++; done
+
+echo; echo "* Configuring routes"
+i=0; while test "${if[$i]}"; do
+    if test "${net[$i]}" && test "${gw[$i]}"; then
+        doit ip r a "${net[$i]}" via "${gw[$i]}"
+    fi
+let i++; done
+
+echo; echo "* Recreating /etc/* files reflecting new network configuration:"
+for i in etc/*; do
+	n=`basename "$i"`
+	echo "+ $n"
+	(. "$i") >"/etc/$n"
+	chmod 644 "/etc/$n"
+done
+
+
+# Usage: new_chain <chain> [<table>]
+new_chain() {
+	local t=""
+	test x"$2" != x"" && t="-t $2"
+	doit iptables $t -N $1
+	ipt="iptables $t -A $1"
+}
+
+echo; echo "* Reset iptables"
+doit iptables           --flush
+doit iptables           --delete-chain
+doit iptables           --zero
+doit iptables -t nat    --flush
+doit iptables -t nat    --delete-chain
+doit iptables -t nat    --zero
+doit iptables -t mangle --flush
+doit iptables -t mangle --delete-chain
+doit iptables -t mangle --zero
+
+echo; echo "* Configure iptables"
+doit modprobe nf_nat_ftp
+doit modprobe nf_nat_tftp
+doit modprobe nf_conntrack_ftp
+doit modprobe nf_conntrack_tftp
+
+#       *** nat ***
+#       INCOMING TRAFFIC
+ipt="iptables -t nat -A PREROUTING"
+# nothing here
+
+#       LOCALLY ORIGINATED TRAFFIC
+ipt="iptables -t nat -A OUTPUT"
+# nothing here
+
+#       OUTGOING TRAFFIC
+ipt="iptables -t nat -A POSTROUTING"
+# Masquerade boxes on my private net
+doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
+
+#       *** mangle ***
+### DEBUG
+### ipt="iptables -t mangle -A PREROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A FORWARD"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A POSTROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+# nothing here
+
+#       *** filter ***
+#
+new_chain iext filter
+#doit $ipt -s 203.177.104.72 -j DROP	# Some idiot probes my ssh
+#doit $ipt -d 203.177.104.72 -j DROP	# Some idiot probes my ssh
+doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN  # FTP data etc is ok
+if test "$ext_open_tcp"; then
+	portlist="${ext_open_tcp// /,}"
+	doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
+fi
+doit $ipt -p tcp -j REJECT	# Anything else isn't ok. REJECT = irc opens faster
+				# (it probes proxy ports, DROP will incur timeout delays)
+ipt="iptables -t filter -A INPUT"
+doit $ipt -i $extif -j iext
+
+
+echo; echo "* Enabling forwarding"
+echo 1 >/proc/sys/net/ipv4/ip_forward
+echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
+
+
+# Signal everybody that firewall is up
+date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
+
+# Ok, spew out gobs of info and disable ourself
+echo; echo "* IP:"
+ip a l
+echo; echo "* Routing:"
+ip r l
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target'
+echo
+
+echo "* End of firewall configuration"

examples/var_service/fw/stat

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target' | $PAGER