authorSimon Rettberg2014-01-17 17:54:56 +0100
committerSimon Rettberg2014-01-17 17:54:56 +0100
commitbf3c32b4aebb520b4aad270ed024821b0387ea5d (patch)
tree950373e41b76573e5cbe099c92d35cb326be654f
parent[xorg] Forgot to remove xprintidle from REQUIRED_CONTENT_PACKAGES when idleac... (diff)
[iptables-helper] Simple helper scripts/service for handling iptables rules
This adds no fancy features or new syntax or anything, but merely helps to manage a *.d directory for iptables scripts. You simply write simple shell scripts in which you issue your iptables calls and place them in /opt/openslx/iptables/rules.d. On bootup, and whenever the contents of the directory change, all tables will be reset and the scripts from rules.d are run. They're run in alphabetical order, so it's wise to adhere to the XX-* naming scheme. Although you can place any kind of script there, even one doing really complicated things, it's advised that you keep them as simple as possible and use proper names that tell what the script does. The default behaviour is set to ACCEPT on all tables/chains, but nothing stops you from doing 'iptables -P' in one of the scripts.
l---------remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service1
-rw-r--r--remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service6
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader5
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker79
-rw-r--r--remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder1
-rw-r--r--remote/modules/iptables-helper/iptables-helper.build13
-rw-r--r--remote/modules/iptables-helper/iptables-helper.conf1
l---------remote/targets/stage32-bwlp/iptables-helper1
8 files changed, 107 insertions, 0 deletions
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service \ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
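Review bot: The unit carries no ordering or restart directives, so units that bind listening sockets can start in parallel with this one while every chain is still at the ACCEPT policy the worker resets to, and if inotifyd dies the service stays dead and later edits to rules.d are never applied. I would add `Wants=network-pre.target` and `Before=network-pre.target` under `[Unit]` (if the stage's systemd provides that target) and `Restart=on-failure` under `[Service]`. Note that the ordering only buys something once the boot-time apply is synchronous; as committed, the reloader's first worker call returns immediately because the worker forks its work into the background.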
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
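Review bot: The first worker call on the line before `exec` returns before any rule is applied, because the worker backgrounds `reload_rules` and sleeps two seconds before touching iptables, so the service counts as started with every chain at ACCEPT and no rules loaded. For the boot invocation I would run the apply in the foreground, e.g. let the worker skip the background fork when given an explicit argument from here and call it that way on the first line, so that systemd ordering on this unit actually means the rules are in place. The `exec` into a hard-coded `/opt/openslx/sbin/inotifyd` is fine as long as a missing binary is meant to fail the unit loudly (ash exits 127 there), which seems intended.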
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
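Review bot: A firewall script that exits nonzero fails open: by the time the `if ! "$file"` branch runs, every chain has already been flushed and set to ACCEPT, so only the rules up to the failing command are live, and the `mv` to disabled/ re-triggers the watcher, whose next pass re-applies everything except that script, leaving its rules silently missing with the slxlog entry as the only signal. I would snapshot the live ruleset with `iptables-save` before the reset, restore it when any script fails, and leave the cache untouched so the next edit to rules.d retries instead of quarantining runtime failures (keeping the quarantine for non-executable files only); this assumes iptables-save/-restore are in the rootfs, which the .conf only implies. Two smaller things: `LOGFILE` from `mktemp` is never removed, so every reload leaves a file behind (unless slxlog is expected to consume it), and the header comment names `openslx-iptables_reloader.service` while the unit added here is `openslx-iptables.service` ("scriptis" is also a typo).
```sh
	# … unchanged: lock check, 2-second coalescing, cache rebuild and "no change" test …

	# Snapshot the live ruleset so a failing script can be rolled back instead
	# of leaving the host at the flushed all-ACCEPT state.
	# NOTE(review): assumes iptables-save/iptables-restore are in the rootfs.
	PREV_RULES="$(iptables-save)"

	# … unchanged: policy reset and flush of filter/nat/mangle …

	# Apply
	local LOGFILE=$(mktemp)
	local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
	local FAILED=0
	for file in /opt/openslx/iptables/rules.d/*; do
		# … unchanged: skip non-regular files, quarantine non-executable ones …
		if ! "$file" > "$LOGFILE" 2>&1; then
			# Do not quarantine: the script stays so the next rules.d change retries it.
			slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Rolling back to previous ruleset" "$LOGFILE"
			FAILED=1
			break
		fi
	done

	if [ "$FAILED" -ne 0 ]; then
		# Restore the last known-good ruleset and keep the old cache so the
		# next watcher event tries the full set again.
		printf '%s\n' "$PREV_RULES" | iptables-restore
		rm -f -- "${ALL_RULES}.new"
		exit 1
	fi

	mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
```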
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper
new file mode 120000
index 00000000..e449282d
--- /dev/null
+++ b/remote/targets/stage32-bwlp/iptables-helper
@@ -0,0 +1 @@
+../../modules/iptables-helper \ No newline at end of file