summaryrefslogtreecommitdiffstats
path: root/remote
diff options
context:
space:
mode:
Diffstat (limited to 'remote')
l---------remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service1
-rw-r--r--remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service6
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader5
-rwxr-xr-xremote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker79
-rw-r--r--remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder1
-rw-r--r--remote/modules/iptables-helper/iptables-helper.build13
-rw-r--r--remote/modules/iptables-helper/iptables-helper.conf1
l---------remote/targets/stage32-bwlp/iptables-helper1
8 files changed, 107 insertions, 0 deletions
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
new file mode 120000
index 00000000..40213361
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service
@@ -0,0 +1 @@
+../openslx-iptables.service \ No newline at end of file
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
new file mode 100644
index 00000000..ef88cf69
--- /dev/null
+++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=OpenSLX iptables helper
+
+[Service]
+ExecStart=/opt/openslx/iptables/iptables-reloader
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
new file mode 100755
index 00000000..60ca1e2c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+/opt/openslx/iptables/iptables-reloader-worker
+exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
new file mode 100755
index 00000000..350f502c
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# Reloads iptables rules by flushing the tables and applying everything
+# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds
+# to coalesce changes, since inotifyd can trigger dozens of events in a row.
+#
+# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service
+
+ALL_RULES="/run/iptables-reloader.cache"
+LOCK="/run/iptables-reloader.lock"
+
+# Expects $1 to be the contents of $LOCK
+reload_rules () {
+ if [ -z "$1" -o ! -s "$LOCK" ]; then
+ echo "'$1' empty or lock non-existent"
+ exit 0
+ fi
+ sleep 2
+ if [ "x$(cat "$LOCK")" != "x$1" ]; then
+ echo "Wrong lock, lost race"
+ exit 0
+ fi
+
+ rm -f -- "${ALL_RULES}.new"
+
+ for file in /opt/openslx/iptables/rules.d/*; do
+ cat "$file" >> "${ALL_RULES}.new"
+ done
+
+ # No change? Do nothing...
+ [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0
+
+ # Reset
+ # Filter
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -P "$chain" ACCEPT
+ done
+ iptables -t filter -F
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -P "$chain" ACCEPT
+ done
+ iptables -t nat -F
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -P "$chain" ACCEPT
+ done
+ iptables -t mangle -F
+
+ # Apply
+ local LOGFILE=$(mktemp)
+ local DISABLED="/opt/openslx/iptables/rules.d/disabled/"
+ for file in /opt/openslx/iptables/rules.d/*; do
+ [ ! -f "$file" ] && continue
+ if [ ! -x "$file" ]; then
+ slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ continue
+ fi
+ if ! "$file" > "$LOGFILE" 2>&1; then
+ slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
+ mkdir -p "$DISABLED"
+ mv "$file" "$DISABLED"
+ fi
+ done
+
+ mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
+ echo "iptables rules successfully updated."
+ exit 0
+}
+
+
+ID="$$+$RANDOM"
+echo "$ID" > "$LOCK"
+reload_rules "$ID" &
+
+exit 0
+
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
new file mode 100644
index 00000000..11b30bcc
--- /dev/null
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder
@@ -0,0 +1 @@
+# Put your iptables rules here. Full command, like "iptables ...."
diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build
new file mode 100644
index 00000000..d8804784
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.build
@@ -0,0 +1,13 @@
+
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ :
+}
+
diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf
new file mode 100644
index 00000000..34103f5b
--- /dev/null
+++ b/remote/modules/iptables-helper/iptables-helper.conf
@@ -0,0 +1 @@
+# requires some rootfs that provies iptables
diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper
new file mode 120000
index 00000000..e449282d
--- /dev/null
+++ b/remote/targets/stage32-bwlp/iptables-helper
@@ -0,0 +1 @@
+../../modules/iptables-helper \ No newline at end of file