minifirewall: add safe-restart and safe-start commands
This commit is contained in:
parent
0331c23ad6
commit
d747ee0f83
|
@ -106,6 +106,7 @@ main() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
append_details "minifirewall is stopped"
|
||||||
summary_critical "minifirewall is stopped, but enabled in alert5 or systemd"
|
summary_critical "minifirewall is stopped, but enabled in alert5 or systemd"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -131,10 +132,6 @@ main() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ "${return}" -ge 0 ] && header="OK"
|
|
||||||
[ "${return}" -ge 1 ] && header="WARNING"
|
|
||||||
[ "${return}" -ge 2 ] && header="CRITICAL"
|
|
||||||
|
|
||||||
printf "%s\n\n%s\n" "${summary}" "${details}"
|
printf "%s\n\n%s\n" "${summary}" "${details}"
|
||||||
|
|
||||||
exit "${return}"
|
exit "${return}"
|
||||||
|
|
|
@ -111,6 +111,10 @@ STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||||
ACTIVE_CONFIG='/var/run/minifirewall_active_config'
|
ACTIVE_CONFIG='/var/run/minifirewall_active_config'
|
||||||
ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff"
|
ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff"
|
||||||
|
|
||||||
|
SAFETY_LOCK='/var/run/minifirewall_safety.lock'
|
||||||
|
SAFETY_OUTPUT='/var/run/minifirewall_safety.out'
|
||||||
|
SAFETY_TIMER=30
|
||||||
|
|
||||||
LOGGER_BIN=$(command -v logger)
|
LOGGER_BIN=$(command -v logger)
|
||||||
|
|
||||||
# No colors by default
|
# No colors by default
|
||||||
|
@ -123,8 +127,10 @@ CYAN=''
|
||||||
WHITE=''
|
WHITE=''
|
||||||
BOLD=''
|
BOLD=''
|
||||||
RESET=''
|
RESET=''
|
||||||
|
|
||||||
# check if stdout is a terminal...
|
# check if stdout is a terminal...
|
||||||
if [ -t 1 ]; then
|
if [ -t 1 ]; then
|
||||||
|
INTERACTIVE=1
|
||||||
|
|
||||||
# see if it supports colors...
|
# see if it supports colors...
|
||||||
ncolors=$(tput colors)
|
ncolors=$(tput colors)
|
||||||
|
@ -141,7 +147,10 @@ if [ -t 1 ]; then
|
||||||
BOLD=$(tput bold)
|
BOLD=$(tput bold)
|
||||||
RESET='\e[m'
|
RESET='\e[m'
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
INTERACTIVE=0
|
||||||
fi
|
fi
|
||||||
|
readonly INTERACTIVE
|
||||||
|
|
||||||
## pseudo dry-run :
|
## pseudo dry-run :
|
||||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||||
|
@ -155,6 +164,9 @@ fi
|
||||||
# }
|
# }
|
||||||
## Beware that commands executed from included files are not modified by this trick.
|
## Beware that commands executed from included files are not modified by this trick.
|
||||||
|
|
||||||
|
is_interactive() {
|
||||||
|
test "${INTERACTIVE}" = "1"
|
||||||
|
}
|
||||||
remove_colors() {
|
remove_colors() {
|
||||||
sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
|
sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
|
||||||
}
|
}
|
||||||
|
@ -1143,6 +1155,58 @@ reset() {
|
||||||
syslog_info "reset"
|
syslog_info "reset"
|
||||||
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
stop_if_locked() {
|
||||||
|
count=0
|
||||||
|
|
||||||
|
while [ ${count} -lt ${SAFETY_TIMER} ] && [ -f "${SAFETY_LOCK}" ]; do
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f "${SAFETY_LOCK}" ]; then
|
||||||
|
syslog_error "safety lock is still here after ${SAFETY_TIMER} seconds, we need to stop"
|
||||||
|
|
||||||
|
stop
|
||||||
|
|
||||||
|
syslog_info "remove safety lock"
|
||||||
|
rm -f "${SAFETY_LOCK}"
|
||||||
|
else
|
||||||
|
syslog_info "safety lock is not there anymore, life goes on"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
safe_start() {
|
||||||
|
# start the firewall
|
||||||
|
start
|
||||||
|
|
||||||
|
# create the lock file
|
||||||
|
syslog_info "add safety lock"
|
||||||
|
touch "${SAFETY_LOCK}"
|
||||||
|
|
||||||
|
# run the special background command
|
||||||
|
nohup "${0}" stop-if-locked > "${SAFETY_OUTPUT}" 2>&1 &
|
||||||
|
|
||||||
|
if is_interactive; then
|
||||||
|
syslog_info "safe-restart in interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next ${SAFETY_TIMER} seconds, minifirewall will be stopped."
|
||||||
|
# Ask for input
|
||||||
|
confirm_default="I'm locked out, please stop the firewall"
|
||||||
|
# printf "If the restart has locked you out you might see this but you shouldn't be able to type anything.\n"
|
||||||
|
printf "Minifirewall will be stopped in ${SAFETY_TIMER} seconds if you do nothing.\n"
|
||||||
|
printf "Remove \`${SAFETY_LOCK}' or type anything to keep minifirewall started: "
|
||||||
|
|
||||||
|
read -r confirm
|
||||||
|
|
||||||
|
if [ ! -f "${SAFETY_LOCK}" ]; then
|
||||||
|
printf "Safety lock is not there anymore.\nYou've probably been rescued by the safety checks.\n"
|
||||||
|
elif [ "${confirm}" != "${confirm_default}" ]; then
|
||||||
|
rm -f "${SAFETY_LOCK}" && printf "OK. Safety lock is removed.\n"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
syslog_info "safe-restart in non-interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next ${SAFETY_TIMER} seconds, minifirewall will be stopped."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
show_version() {
|
show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
${PROGNAME} version ${VERSION}
|
${PROGNAME} version ${VERSION}
|
||||||
|
@ -1169,8 +1233,10 @@ Usage: ${PROGNAME} [COMMAND]
|
||||||
|
|
||||||
Commands
|
Commands
|
||||||
start Start minifirewall
|
start Start minifirewall
|
||||||
|
safe-start Start minifirewall, with baground safety checks
|
||||||
stop Stop minifirewall
|
stop Stop minifirewall
|
||||||
restart Stop then start minifirewall
|
restart Stop then start minifirewall
|
||||||
|
safe-restart Restart minifirewall, with background safety checks
|
||||||
status Print minifirewall status
|
status Print minifirewall status
|
||||||
reset Reset iptables tables
|
reset Reset iptables tables
|
||||||
check-active-config Check if active config is up-to-date with stored config
|
check-active-config Check if active config is up-to-date with stored config
|
||||||
|
@ -1187,6 +1253,13 @@ case "${1:-''}" in
|
||||||
start
|
start
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
safe-start)
|
||||||
|
source_configuration
|
||||||
|
check_unpersisted_state
|
||||||
|
|
||||||
|
safe_start
|
||||||
|
;;
|
||||||
|
|
||||||
stop)
|
stop)
|
||||||
source_configuration
|
source_configuration
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
|
@ -1216,6 +1289,20 @@ case "${1:-''}" in
|
||||||
start
|
start
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
safe-restart)
|
||||||
|
source_configuration
|
||||||
|
check_unpersisted_state
|
||||||
|
|
||||||
|
stop
|
||||||
|
safe_start
|
||||||
|
;;
|
||||||
|
|
||||||
|
stop-if-locked)
|
||||||
|
source_configuration
|
||||||
|
|
||||||
|
stop_if_locked
|
||||||
|
;;
|
||||||
|
|
||||||
check-active-config)
|
check-active-config)
|
||||||
check_active_configuration
|
check_active_configuration
|
||||||
;;
|
;;
|
||||||
|
|
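Review bot: In safe_start the safety lock is only created and the `stop-if-locked` watchdog only spawned after `start` has returned, so a `start` that blocks (for example on a lookup that the freshly loaded rules now cut off) never gets a watchdog, which is precisely the lock-out this command is meant to rescue; moving `touch "${SAFETY_LOCK}"` and the `nohup "${0}" stop-if-locked > "${SAFETY_OUTPUT}" 2>&1 &` line ahead of `start` closes that window, since the watchdog only acts if the lock is still there after `${SAFETY_TIMER}` seconds. The watchdog is fail-open, and in the non-interactive branch nothing in this change ever removes the lock, so an unattended `safe-restart` (a config-management run, a cron job) leaves the host with the firewall stopped 30 s later unless the caller removes the lock itself — this should be stated in the usage text rather than only in syslog, e.g. `safe-restart Restart minifirewall; STOPS it after ${SAFETY_TIMER}s unless ${SAFETY_LOCK} is removed (any keypress when interactive)`. safe_start also does not check for an existing lock or a still-running watchdog, so two invocations inside one timer window share a single lock file and the older watchdog can stop the firewall while the newer run's confirmation window is still open; writing the invoking PID into the lock and having stop_if_locked compare it before acting would disambiguate, and the `safe-restart in interactive mode` syslog text should not be hard-coded when the entry point may be `safe-start`. Minor: `baground` in the safe-start usage line is a typo for `background`.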