
Issue #374: Fix iptables issue. Use systemd service instead of ifupdown. (#376)

Issue #374: Fix iptables issue. Use systemd service instead of ifupdown.
votdev committed May 15, 2019
2 parents a539f0e + 6c4f599 commit 12ef589c3f970aa0a6b0a267cf3fc4e5cc3874b2
@@ -4,6 +4,7 @@ openmediavault (5.0.2-1) unstable; urgency=low
* Enable TLS 1.3 in WebGUI.
* Fix proftpd error raised by erroneous PID file permissions.
* Issue #371: Fix issues with PHP version.
* Issue #374: Fix iptables issue. Use systemd service instead of ifupdown.

-- Volker Theile <volker.theile@openmediavault.org> Fri, 10 May 2019 07:50:36 +0200

@@ -31,11 +31,11 @@
'conf.system.network.iptables.rule',
{'operator': 'stringEquals', 'arg0': 'family', 'arg1': 'inet6'}) | length %}

configure_ifupdown_iptables_rules:
configure_firewall_script:
file.managed:
- name: "/etc/network/if-pre-up.d/openmediavault-iptables"
- name: "/etc/iptables/openmediavault-firewall.sh"
- source:
- salt://{{ slspath }}/files/ifupdown.j2
- salt://{{ slspath }}/files/etc_iptables_openmediavault-firewall.j2
- template: jinja
- context:
rules: {{ rules | json }}
@@ -44,9 +44,40 @@ configure_ifupdown_iptables_rules:
- user: root
- group: root
- mode: 750
- makedirs: True

apply_ifupdown_iptables_rules:
cmd.run:
- name: "/etc/network/if-pre-up.d/openmediavault-iptables"
- onchanges:
- file: configure_ifupdown_iptables_rules
configure_firewall_unit_file:
file.managed:
- name: "/etc/systemd/system/openmediavault-firewall.service"
- contents: |
{{ pillar['headers']['auto_generated'] }}
{{ pillar['headers']['warning'] }}
[Unit]
Description=openmediavault iptables firewall service
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/iptables/openmediavault-firewall.sh start
ExecStop=/etc/iptables/openmediavault-firewall.sh stop

[Install]
WantedBy=multi-user.target
- user: root
- group: root
- mode: 644

iptables_systemctl_daemon_reload:
module.run:
- name: service.systemctl_reload

enable_firewall_service:
service.enabled:
- name: openmediavault-firewall.service
- enable: True

restart_firewall_service:
module.run:
- service.restart:
- name: openmediavault-firewall.service
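Review bot: `restart_firewall_service` at the end of the hunk has no `onchanges`, so every state apply runs ExecStop — which flushes both tables and sets all policies to ACCEPT — and then ExecStart re-adds the rules, i.e. each highstate briefly leaves the host unfiltered; the removed `apply_ifupdown_iptables_rules` was gated with `- onchanges: - file: configure_ifupdown_iptables_rules`, and the restart should be gated the same way on `configure_firewall_script` and `configure_firewall_unit_file`. The unit's `After=network.target` also applies rules only after interfaces are up, whereas the old if-pre-up.d hook ran before; the systemd convention for a firewall unit is `Wants=network-pre.target` plus `Before=network-pre.target` in `[Unit]`. Separately, the hunk mixes the legacy `module.run` form (`- name: service.systemctl_reload`) with the new form (`- service.restart:`), and a minion honours only one of them depending on its `use_superseded` setting, so one of the two states will fail unless both use the same form. The file header for this section is not shown, so the start of the state file is outside this view.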
@@ -0,0 +1,80 @@
{%- set separator = ' ' -%}
#!/bin/sh
{{ pillar['headers']['multiline'] }}
set -e

# Make sure that only one instance of this shell script is running at
# the same time.
LOCK_FILE=/run/openmediavault-iptables.lock
if ! mkdir ${LOCK_FILE} >/dev/null 2>&1; then
exit
fi

trap "rm -rf ${LOCK_FILE}" 0 1 2 3 5 15

case "$1" in
start)
{% if num_inet_rules > 0 -%}
iptables -t filter -F
iptables -X
{% endif -%}
{%- if num_inet6_rules > 0 -%}
ip6tables -t filter -F
ip6tables -X
{% endif -%}

{%- for rule in rules | sort(attribute='family') | sort(attribute='rulenum') %}
{%- if rule.family == 'inet' %}iptables{% endif -%}
{%- if rule.family == 'inet6' %}ip6tables{% endif -%}
{{ separator }}-A {{ rule.chain }}
{%- if rule.protocol.startswith('!') %} !{% endif %} -p {{ rule.protocol | replace('!', '') }}

{%- if rule.source | length > 0 -%}
{%- if '-' in rule.source -%}
{{ separator }}--match iprange {% if rule.source.startswith('!') %}!{% endif %} --src-range {{ rule.source | replace('!', '') }}
{%- else %}
{%- if rule.source.startswith('!') %} !{% endif %} --source {{ rule.source | replace('!', '') }}
{%- endif %}
{%- endif %}

{%- if rule.sport | length > 0 -%}
{%- if rule.sport.startswith('!') %} !{% endif %} --sport {{ rule.sport | replace('!', '') | replace('-', ':') }}
{%- endif %}

{%- if rule.destination | length > 0 -%}
{%- if '-' in rule.destination -%}
{{ separator }}--match iprange {% if rule.destination.startswith('!') %}!{% endif %} --dst-range {{ rule.destination | replace('!', '') }}
{%- else %}
{%- if rule.destination.startswith('!') %} !{% endif %} --destination {{ rule.destination | replace('!', '') }}
{%- endif %}
{%- endif %}

{%- if rule.dport | length > 0 -%}
{%- if rule.dport.startswith('!') %} !{% endif %} --dport {{ rule.dport | replace('!', '') | replace('-', ':') }}
{%- endif %}

{%- if rule.action | length > 0 -%}
{{ separator }}-j {{ rule.action }}
{%- endif %}

{%- if rule.extraoptions | length > 0 -%}
{{ separator }}{{ rule.extraoptions }}
{%- endif %}
{% endfor %}
;;

stop)
iptables -t filter -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ip6tables -t filter -F
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
;;
esac

exit 0
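Review bot: Every rule field — `chain`, `protocol`, `source`, `sport`, `destination`, `dport`, `action` and the free-form `extraoptions` emitted by `{{ separator }}{{ rule.extraoptions }}` — is rendered unquoted into a line that `sh` parses before iptables sees it, so a shell metacharacter in a stored rule changes the command rather than being passed as an argument; that is only safe if the layer writing `conf.system.network.iptables.rule` validates those fields, which this template cannot show. A comment above the loop stating the contract, e.g. `# Rule fields are emitted verbatim into shell; they must be validated at config time.`, would make the dependency visible, and the single-token fields (`chain`, `action`) could be single-quoted in the template. The lock-contention branch does a bare `exit` (status 0), so a `start` that lost the race is reported to systemd as a successful, still-active `RemainAfterExit` unit although no rules were applied; `echo "lock ${LOCK_FILE} held, skipping" >&2; exit 1` would surface that instead. The `{% if num_inet_rules > 0 -%}` guard also means a `start` on a config with zero rules performs no flush, which is presumably fine only because the unit's ExecStop flushes on restart — worth a comment so the coupling is not lost.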

This file was deleted.
