path: root/remote/modules/iptables-helper
authorSimon Rettberg2014-03-10 15:20:53 +0100
committerSimon Rettberg2014-03-10 15:20:53 +0100
commit82d786ed7830ccd9c656e8d29bbd48f7655aa05a (patch)
tree69f0eeede4d6250780a600c9297ffe19e3cf9b0b /remote/modules/iptables-helper
parentMerge branch 'master' of git.openslx.org:openslx-ng/tm-scripts (diff)
[iptables-helper] Use -w everywhere to prevent race conditions
Diffstat (limited to 'remote/modules/iptables-helper')
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker51
1 files changed, 30 insertions, 21 deletions
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
index 3ca0a014..43e35eca 100755
--- a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -24,6 +24,7 @@ reload_rules () {
rm -f -- "${ALL_RULES}.new"
for file in /opt/openslx/iptables/rules.d/*; do
+ [ -f "$file" ] || continue
cat "$file" >> "${ALL_RULES}.new"
done
@@ -33,42 +34,42 @@ reload_rules () {
# Reset
# Filter
for chain in INPUT FORWARD OUTPUT; do
- iptables -t filter -P "$chain" ACCEPT
- iptables -t filter -N "ipt-helper-$chain" 2>/dev/null
- iptables -t filter -F "ipt-helper-$chain"
- iptables -t filter -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
- iptables -t filter -I "$chain" 1 -j "ipt-helper-$chain"
+ iptables -w -t filter -P "$chain" ACCEPT
+ iptables -w -t filter -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t filter -F "ipt-helper-$chain"
+ iptables -w -t filter -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -w -t filter -I "$chain" 1 -j "ipt-helper-$chain"
done
# NAT
for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
- iptables -t nat -P "$chain" ACCEPT
- iptables -t nat -N "ipt-helper-$chain" 2>/dev/null
- iptables -t nat -F "ipt-helper-$chain"
- iptables -t nat -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
- iptables -t nat -I "$chain" 1 -j "ipt-helper-$chain"
+ iptables -w -t nat -P "$chain" ACCEPT
+ iptables -w -t nat -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t nat -F "ipt-helper-$chain"
+ iptables -w -t nat -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -w -t nat -I "$chain" 1 -j "ipt-helper-$chain"
done
# Mangle
for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
- iptables -t mangle -P "$chain" ACCEPT
- iptables -t mangle -N "ipt-helper-$chain" 2>/dev/null
- iptables -t mangle -F "ipt-helper-$chain"
- iptables -t mangle -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
- iptables -t mangle -I "$chain" 1 -j "ipt-helper-$chain"
+ iptables -w -t mangle -P "$chain" ACCEPT
+ iptables -w -t mangle -N "ipt-helper-$chain" 2>/dev/null
+ iptables -w -t mangle -F "ipt-helper-$chain"
+ iptables -w -t mangle -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -w -t mangle -I "$chain" 1 -j "ipt-helper-$chain"
done
# Apply
local LOGFILE=$(mktemp)
local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
for file in /opt/openslx/iptables/rules.d/*; do
- [ ! -f "$file" ] && continue
+ [ -f "$file" ] || continue
if [ ! -x "$file" ]; then
slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
mkdir -p "$DISABLED"
mv "$file" "$DISABLED"
continue
fi
- # patch chain names
- sed -i -r 's/ (-A|--append|-I|--insert|-D|--delete) +(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) / \1 ipt-helper-\2 /g' "$file"
+ # patch chain names, add "-w"
+ sed -i -r 's/ (-A|--append|-I|--insert|-D|--delete) +(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) / \1 ipt-helper-\2 /g;s/iptables +-/iptables -w -/g' "$file"
if ! "$file" > "$LOGFILE" 2>&1; then
slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
mkdir -p "$DISABLED"
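Review bot: The `-w` insertion added to the in-place sed (`s/iptables +-/iptables -w -/g`) is not idempotent: on the next reload the pattern also matches the `iptables -` at the start of an already-patched `iptables -w -t ...`, so each run prepends another `-w` and the installed script in rules.d drifts to `iptables -w -w -w -t ...`. Whether a given iptables build tolerates repeated `-w` flags is version dependent, and either way the admin-supplied file keeps being rewritten. Make the substitution tolerate an existing flag, e.g. `s/iptables +(-w +)?-/iptables -w -/g`, or apply the sed to a temporary copy and execute that instead of mutating the script under rules.d. The pattern also rewrites `iptables -` occurrences inside comments or strings in the script, which seems harmless for `-w` but deserves a one-line comment. reload_rules continues outside this hunk.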
@@ -78,19 +79,27 @@ reload_rules () {
# Add default rule
for chain in INPUT FORWARD OUTPUT; do
- iptables -t filter -A "ipt-helper-$chain" -j RETURN
+ iptables -w -t filter -A "ipt-helper-$chain" -j RETURN
done
# NAT
for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
- iptables -t nat -A "ipt-helper-$chain" -j RETURN
+ iptables -w -t nat -A "ipt-helper-$chain" -j RETURN
done
# Mangle
for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
- iptables -t mangle -A "ipt-helper-$chain" -j RETURN
+ iptables -w -t mangle -A "ipt-helper-$chain" -j RETURN
done
+ # Do not just move file from above, as we sed'ed above and contents might have changed
+ rm -f -- "${ALL_RULES}.new"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ -f "$file" ] || continue
+ cat "$file" >> "${ALL_RULES}.new"
+ done
mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+
echo "iptables rules successfully updated."
+ rm -f -- "$LOCK"
exit 0
}
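Review bot: The added `rm -f -- "$LOCK"` is the only lock release visible and it sits on the success path just before `exit 0`; any error path in reload_rules outside this hunk, or a signal, would leave the lock file behind and, presumably, block later reloads (the acquisition side is not visible here, so confirm how `$LOCK` is tested). Releasing it in an EXIT trap at the point the lock is taken, `trap 'rm -f -- "$LOCK"' EXIT`, covers every exit path and lets this explicit rm go. The rebuild of `${ALL_RULES}.new` after the sed pass is sound, but a short comment noting that `disabled/` is a directory and therefore skipped by `[ -f "$file" ]` would make the snapshot's contents clearer.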