diff options
Diffstat (limited to 'remote')
8 files changed, 107 insertions, 0 deletions
diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service new file mode 120000 index 00000000..40213361 --- /dev/null +++ b/remote/modules/iptables-helper/data/etc/systemd/system/basic.target.wants/openslx-iptables.service @@ -0,0 +1 @@ +../openslx-iptables.service
\ No newline at end of file diff --git a/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service new file mode 100644 index 00000000..ef88cf69 --- /dev/null +++ b/remote/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=OpenSLX iptables helper + +[Service] +ExecStart=/opt/openslx/iptables/iptables-reloader + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader new file mode 100755 index 00000000..60ca1e2c --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader @@ -0,0 +1,5 @@ +#!/bin/ash + +/opt/openslx/iptables/iptables-reloader-worker +exec /opt/openslx/sbin/inotifyd /opt/openslx/iptables/iptables-reloader-worker /opt/openslx/iptables/rules.d:cndmy + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker new file mode 100755 index 00000000..350f502c --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker @@ -0,0 +1,79 @@ +#!/bin/ash + +# Reloads iptables rules by flushing the tables and applying everything +# in /opt/openslx/iptables/rules.d again. Actions are delayed by 5 seconds +# to coalesce changes, since inotifyd can trigger dozens of events in a row. +# +# This scriptis triggered by inotifyd, see openslx-iptables_reloader.service + +ALL_RULES="/run/iptables-reloader.cache" +LOCK="/run/iptables-reloader.lock" + +# Expects $1 to be the contents of $LOCK +reload_rules () { + if [ -z "$1" -o ! -s "$LOCK" ]; then + echo "'$1' empty or lock non-existent" + exit 0 + fi + sleep 2 + if [ "x$(cat "$LOCK")" != "x$1" ]; then + echo "Wrong lock, lost race" + exit 0 + fi + + rm -f -- "${ALL_RULES}.new" + + for file in /opt/openslx/iptables/rules.d/*; do + cat "$file" >> "${ALL_RULES}.new" + done + + # No change? Do nothing... + [ -s "${ALL_RULES}" -a -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new" && exit 0 + + # Reset + # Filter + for chain in INPUT FORWARD OUTPUT; do + iptables -t filter -P "$chain" ACCEPT + done + iptables -t filter -F + # NAT + for chain in INPUT OUTPUT PREROUTING POSTROUTING; do + iptables -t nat -P "$chain" ACCEPT + done + iptables -t nat -F + # Mangle + for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do + iptables -t mangle -P "$chain" ACCEPT + done + iptables -t mangle -F + + # Apply + local LOGFILE=$(mktemp) + local DISABLED="/opt/openslx/iptables/rules.d/disabled/" + for file in /opt/openslx/iptables/rules.d/*; do + [ ! -f "$file" ] && continue + if [ ! -x "$file" ]; then + slxlog "firewall-script-exec" "The firewall script '$file' is not executable (+x), moving to disabled/" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + continue + fi + if ! "$file" > "$LOGFILE" 2>&1; then + slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE" + mkdir -p "$DISABLED" + mv "$file" "$DISABLED" + fi + done + + mv -f -- "${ALL_RULES}.new" "${ALL_RULES}" + echo "iptables rules successfully updated." + exit 0 +} + + +ID="$$+$RANDOM" +echo "$ID" > "$LOCK" +reload_rules "$ID" & + +exit 0 + diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder new file mode 100644 index 00000000..11b30bcc --- /dev/null +++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/rules.d/.placeholder @@ -0,0 +1 @@ +# Put your iptables rules here. Full command, like "iptables ...." diff --git a/remote/modules/iptables-helper/iptables-helper.build b/remote/modules/iptables-helper/iptables-helper.build new file mode 100644 index 00000000..d8804784 --- /dev/null +++ b/remote/modules/iptables-helper/iptables-helper.build @@ -0,0 +1,13 @@ + +fetch_source() { + : +} + +build() { + : +} + +post_copy() { + : +} + diff --git a/remote/modules/iptables-helper/iptables-helper.conf b/remote/modules/iptables-helper/iptables-helper.conf new file mode 100644 index 00000000..34103f5b --- /dev/null +++ b/remote/modules/iptables-helper/iptables-helper.conf @@ -0,0 +1 @@ +# requires some rootfs that provies iptables diff --git a/remote/targets/stage32-bwlp/iptables-helper b/remote/targets/stage32-bwlp/iptables-helper new file mode 120000 index 00000000..e449282d --- /dev/null +++ b/remote/targets/stage32-bwlp/iptables-helper @@ -0,0 +1 @@ +../../modules/iptables-helper
\ No newline at end of file |