From 5acda3eaeabae9045609539303a8c12c4ce401f1 Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Mon, 25 Apr 2016 12:01:08 +0200
Subject: merge with latest dev version

---
 .../basic.target.wants/openslx-iptables.service | 1 +
 .../etc/systemd/system/openslx-iptables.service | 6 ++
 .../data/opt/openslx/iptables/iptables-reloader | 5 +
 .../opt/openslx/iptables/iptables-reloader-worker | 112 +++++++++++++++++++++
 .../data/opt/openslx/iptables/rules.d/.placeholder | 1 +
 core/modules/iptables-helper/module.build | 13 +++
 core/modules/iptables-helper/module.conf | 1 +
 7 files changed, 139 insertions(+)
 create mode 120000 core/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
 create mode 100644 core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
 create mode 100755 core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
 create mode 100755 core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
 create mode 100644 core/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
 create mode 100644 core/modules/iptables-helper/module.build
 create mode 100644 core/modules/iptables-helper/module.conf

(limited to 'core/modules/iptables-helper')

diff --git a/core/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/core/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/core/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service
\ No newline at end of file
diff --git a/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..43e35eca
--- /dev/null
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
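Review bot: The `[Service]` section of openslx-iptables.service has no `Restart=` and the unit has no `[Install]` section, so it is only ever pulled in through the basic.target.wants symlink from this commit, and if the reloader's main process exits (the reloader `exec`s into inotifyd, so that process is the watcher itself) the firewall is no longer re-applied on rules.d changes until the next boot, with nothing to flag it. Adding `Restart=on-failure` and an explicit `Type=simple` under `[Service]` keeps the watcher alive; whether the boot sequence should also order other units after this one I cannot tell from here. Since the unit runs as root and the worker executes every file in rules.d, a one-line comment in the unit stating that — e.g. `# Applies and watches /opt/openslx/iptables/rules.d; scripts there run as root` — would make the trust boundary visible to whoever edits that directory.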
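Review bot: The inotifyd watch mask `cndmy` on the `exec` line is undocumented, and the reader has to know the busybox applet's letter codes to see which events cause a reload. A comment above it would help, e.g. `# cndmy: file modified, subfile created/deleted, subfile moved in/out (busybox inotifyd mask)` — assuming /opt/openslx/sbin/inotifyd is the busybox applet, which is not visible here. The same comment should state that the event string and path inotifyd passes as arguments are ignored by the worker, which always performs a full reload, and that the first, foreground worker call only schedules a reload in the background (the worker backgrounds `reload_rules` and exits immediately), so nothing in this script waits for the initial rule set to be applied before the watcher starts.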
@@ -0,0 +1,112 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ -f "$file" ] || continue
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -w -t filter -P "$chain" ACCEPT
+ iptables -w -t filter -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t filter -F "ipt-helper-$chain"
+ iptables -w -t filter -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -w -t filter -I "$chain" 1 -j "ipt-helper-$chain"
+ done
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -w -t nat -P "$chain" ACCEPT
+ iptables -w -t nat -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t nat -F "ipt-helper-$chain"
+ iptables -w -t nat -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -w -t nat -I "$chain" 1 -j "ipt-helper-$chain"
+ done
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -w -t mangle -P "$chain" ACCEPT
+ iptables -w -t mangle -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t mangle -F "ipt-helper-$chain"
+ iptables -w -t mangle -D "$chain" -j "ipt-helper-$chain" 2>/dev/null 
# make sure it's number one
+ iptables -w -t mangle -I "$chain" 1 -j "ipt-helper-$chain"
+ done
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ -f "$file" ] || continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ # patch chain names, add "-w"
+ sed -i -r 's/ (-A|--append|-I|--insert|-D|--delete) +(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) / \1 ipt-helper-\2 /g;s/iptables +-/iptables -w -/g' "$file"
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ # Add default rule
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -w -t filter -A "ipt-helper-$chain" -j RETURN
+ done
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -w -t nat -A "ipt-helper-$chain" -j RETURN
+ done
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -w -t mangle -A "ipt-helper-$chain" -j RETURN
+ done
+
+ # Do not just move file from above, as we sed'ed above and contents might have changed
+ rm -f -- "${ALL_RULES}.new"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ -f "$file" ] || continue
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+
+ echo "iptables rules successfully updated."
+ rm -f -- "$LOCK"
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/core/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
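Review bot: The `sed -i` in the Apply loop of `reload_rules` is not idempotent: the second expression `s/iptables +-/iptables -w -/g` also matches the `-w` it inserted on an earlier run (`iptables -w -A …` becomes `iptables -w -w -A …`), so every reload that gets past the no-change check prepends one more `-w` to every rule line and, because the files are rewritten on disk, this accumulates across reloads and across boots if rules.d is persistent. Skip lines that already carry the flag, e.g. change the expression to `;/ -w /!s/iptables +-/iptables -w -/g'` — the chain-name rewrite in the first expression is already idempotent since `ipt-helper-INPUT` no longer matches `+(INPUT)`. Two smaller points in the same function: `LOGFILE=$(mktemp)` is never removed by this script (unless slxlog deletes what it is handed, which is not visible here), and the header comment promises a 5-second delay and refers to `openslx-iptables_reloader.service` while the code sleeps 2 seconds and the unit added by this commit is `openslx-iptables.service`. Since the worker runs every file in rules.d as root and rewrites it in place, the header should also say so, e.g. `# Every file in rules.d is executed as root and edited in place; keep the directory root-owned and not group/world-writable.`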
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/core/modules/iptables-helper/module.build b/core/modules/iptables-helper/module.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/core/modules/iptables-helper/module.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/core/modules/iptables-helper/module.conf b/core/modules/iptables-helper/module.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/core/modules/iptables-helper/module.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
-- cgit v1.2.3-55-g7522