diff options
Diffstat (limited to 'core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker')
-rwxr-xr-x | core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker new file mode 100755 index 00000000..43e35eca --- /dev/null +++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker @@ -0,0 +1,112 @@ +#!/bin/ash + +# Reloads iptables rules by flushing the tables and applying everything +# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds +# to coalesce changes, since inotifyd can trigger dozens of events in a row. +# +# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service + +ALL_RULES="/run/iptables-reloader.cache" +LOCK="/run/iptables-reloader.lock" + +# Expects $1 to be the contents of $LOCK +reload_rules () { + if [ -z "$1" -o ! -s "$LOCK" ]; then + echo "'$1' empty or lock non-existent" + exit 0 + fi + sleep 2 + if [ "x$(cat "$LOCK")" != "x$1" ]; then + echo "Wrong lock, lost race" + exit 0 + fi + + rm -f -- "${ALL_RULES}.new" + + for file in /opt/openslx/iptables/rules.d/*; do + [ -f "$file" ] || continue + cat "$file" >> "${ALL_RULES}.new" + done + + # No change? Do nothing... + [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0 + + # Reset + # Filter + for chain in INPUT FORWARD OUTPUT; do + iptables -w -t filter -P "$chain" ACCEPT + iptables -w -t filter -N "ipt-helper-$chain" 2>/dev/null + iptables -w -t filter -F "ipt-helper-$chain" + iptables -w -t filter -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one + iptables -w -t filter -I "$chain" 1 -j "ipt-helper-$chain" + done + # NAT + for chain in INPUT OUTPUT PREROUTING POSTROUTING; do + iptables -w -t nat -P "$chain" ACCEPT + iptables -w -t nat -N "ipt-helper-$chain" 2>/dev/null + iptables -w -t nat -F "ipt-helper-$chain" + iptables -w -t nat -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one + iptables -w -t nat -I "$chain" 1 -j "ipt-helper-$chain" + done + # Mangle + for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do + iptables -w -t mangle -P "$chain" ACCEPT + iptables -w -t mangle -N "ipt-helper-$chain" 2>/dev/null + iptables -w -t mangle -F "ipt-helper-$chain" + iptables -w -t mangle -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one + iptables -w -t mangle -I "$chain" 1 -j "ipt-helper-$chain" + done + + # Apply + local LOGFILE=$(mktemp) + local DISABLED="/opt/openslx/iptables/rules.d/disabled/" + for file in /opt/openslx/iptables/rules.d/*; do + [ -f "$file" ] || continue + if [ ! -x "$file" ]; then + slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + continue + fi + # patch chain names, add "-w" + sed -i -r 's/ (-A|--append|-I|--insert|-D|--delete) +(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) / \1 ipt-helper-\2 /g;s/iptables +-/iptables -w -/g' "$file" + if ! "$file" > "$LOGFILE" 2>&1; then + slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + fi + done + + # Add default rule + for chain in INPUT FORWARD OUTPUT; do + iptables -w -t filter -A "ipt-helper-$chain" -j RETURN + done + # NAT + for chain in INPUT OUTPUT PREROUTING POSTROUTING; do + iptables -w -t nat -A "ipt-helper-$chain" -j RETURN + done + # Mangle + for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do + iptables -w -t mangle -A "ipt-helper-$chain" -j RETURN + done + + # Do not just move file from above, as we sed'ed above and contents might have changed + rm -f -- "${ALL_RULES}.new" + for file in /opt/openslx/iptables/rules.d/*; do + [ -f "$file" ] || continue + cat "$file" >> "${ALL_RULES}.new" + done + mv -f -- "${ALL_RULES}.new" "${ALL_RULES}" + + echo "iptables rules successfully updated." + rm -f -- "$LOCK" + exit 0 +} + + +ID="$$+$RANDOM" +echo "$ID" > "$LOCK" +reload_rules "$ID" & + +exit 0 + |