Diffstat (limited to 'roles/common/files/usr/local/sbin')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh12
1 files changed, 6 insertions, 6 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 84e076a..41407e8 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -151,7 +151,7 @@ run() {
# The (host-scoped) IP reserved for IPSec.
local ipsec=
- if [ -n "$ifsec" -a $f = 4 ]; then
+ if [ "$ifsec" -a $f = 4 ]; then
tables[$f]='mangle nat filter'
ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
| sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
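Review bot: In `[ "$ifsec" -a $f = 4 ]` the bare-string test is joined with `-a`, which POSIX marks obsolescent and leaves unspecified once `[` receives more than four arguments. Without the explicit `-n`, a value of `$ifsec` that looks like an operator (`!`, `(`, or anything starting with `-`) can change how the expression is parsed, and `$f` is unquoted as well. This condition decides whether the IPsec tables and the host-scoped address are set up, so two separate tests are safer: `if [ -n "$ifsec" ] && [ "$f" = 4 ]; then`. The single-operand forms introduced in the other hunks are well defined and do not have this problem. The body of run() starts and ends outside the hunk.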
@@ -176,7 +176,7 @@ run() {
# The usual chains in filter, along with the desired default policies.
ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
- if [ -z "$if" ]; then
+ if [ ! "$if" ]; then
# If the interface is not configured, we stop here and DROP all
# packets by default. Thanks to the pre-up hook this tight
# policy will be activated whenever the interface goes up.
@@ -193,7 +193,7 @@ run() {
grep -E -- "$fail2ban_re" "$old" || true
fi >> "$new"
- if [ -n "$ipsec" ]; then
+ if [ "$ipsec" ]; then
# (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6.
grep -E -- "$IPSec_re" "$old" >> "$new" || true
@@ -213,7 +213,7 @@ run() {
# Private-use networks (RFC 1918) and link local (RFC 3927)
local MyNetwork=$( /bin/ip -4 address show dev $if scope global \
| sed -nr 's/^\s+inet\s(\S+).*/\1/p')
- [ -n "$MyNetwork" ] && \
+ [ "$MyNetwork" ] && \
for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
# Don't lock us out if we are behind a NAT ;-)
[ "$ip" = "$(/usr/bin/netmask -nc $ip $MyNetwork | sed 's/ //g')" ] \
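Review bot: When `$MyNetwork` is empty, the `[ "$MyNetwork" ] &&` guard skips the whole loop over the private ranges without any trace, and "no global IPv4 address on the interface" cannot be told apart from a failed `ip` call. The loop body is outside the hunk, so what is skipped is not visible here. A comment above the test stating the intended policy would help, for example `# No global IPv4 address on $if: nothing to compare against, skip the private-range handling.`, and a message on stderr in that case would make it visible in logs. The context line also passes `dev $if` unquoted while the first hunk quotes `dev "$ifsec"`; `dev "$if"` would be consistent.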
@@ -249,7 +249,7 @@ run() {
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
- if [ -n "$ipsec" ]; then
+ if [ "$ipsec" ]; then
# ACCEPT any, *IPSec* traffic destinating to the non-routable
# $ipsec. Also ACCEPT all traffic originating from $ipsec, as
# it is MASQUERADE'd.
@@ -318,7 +318,7 @@ run() {
########################################################################
commit
- if [ -n "$ipsec" ]; then
+ if [ "$ipsec" ]; then
# DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT
# them before encapsulation. We need to do the NAT'ing before
# packets enter the IPSec stack because they are signed