minifirewall: upstream release 23.07
This commit is contained in:
parent
fb184a0ecf
commit
e347b6eca8
|
@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* all: change syntax "become: [yes,no]" → "become: [true,false]"
|
* all: change syntax "become: [yes,no]" → "become: [true,false]"
|
||||||
* elasticsearch: improve networking configuration
|
* elasticsearch: improve networking configuration
|
||||||
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
|
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
|
||||||
|
* minifirewall: upstream release 23.07
|
||||||
* mysql: improve shell syntax for mysql_skip script
|
* mysql: improve shell syntax for mysql_skip script
|
||||||
* pbbouncer: minor fixes
|
* pbbouncer: minor fixes
|
||||||
* varnish: Allow the systemd template to be overriden with a template outside of the role
|
* varnish: Allow the systemd template to be overriden with a template outside of the role
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||||
# See https://gitea.evolix.org/evolix/minifirewall
|
# See https://gitea.evolix.org/evolix/minifirewall
|
||||||
|
|
||||||
# Copyright (c) 2007-2022 Evolix
|
# Copyright (c) 2007-2023 Evolix
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU General Public License
|
# modify it under the terms of the GNU General Public License
|
||||||
# as published by the Free Software Foundation; either version 3
|
# as published by the Free Software Foundation; either version 3
|
||||||
|
@ -29,14 +29,19 @@
|
||||||
# Description: Firewall designed for standalone server
|
# Description: Firewall designed for standalone server
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
|
|
||||||
VERSION="23.02"
|
VERSION="23.07"
|
||||||
|
|
||||||
NAME="minifirewall"
|
PROGNAME="minifirewall"
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
DESC="Firewall designed for standalone server"
|
DESC="Firewall designed for standalone server"
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
|
if [ "$(id -u)" -ne "0" ] ; then
|
||||||
|
echo "${PROGNAME} must be run as root." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Variables configuration
|
# Variables configuration
|
||||||
#########################
|
#########################
|
||||||
|
|
||||||
|
@ -103,6 +108,9 @@ STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
||||||
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
||||||
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||||
|
|
||||||
|
ACTIVE_CONFIG='/var/run/minifirewall_active_config'
|
||||||
|
ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff"
|
||||||
|
|
||||||
LOGGER_BIN=$(command -v logger)
|
LOGGER_BIN=$(command -v logger)
|
||||||
|
|
||||||
# No colors by default
|
# No colors by default
|
||||||
|
@ -152,12 +160,12 @@ remove_colors() {
|
||||||
}
|
}
|
||||||
syslog_info() {
|
syslog_info() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
syslog_error() {
|
syslog_error() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
sort_values() {
|
sort_values() {
|
||||||
|
@ -254,14 +262,91 @@ source_configuration() {
|
||||||
source_file_or_error "${config_file}"
|
source_file_or_error "${config_file}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
include_files() {
|
||||||
|
if [ -d "${includes_dir}" ]; then
|
||||||
|
find ${includes_dir} -type f -readable -not -name '*.*' | sort -h
|
||||||
|
else
|
||||||
|
echo ""
|
||||||
|
fi
|
||||||
|
}
|
||||||
source_includes() {
|
source_includes() {
|
||||||
if [ -d "${includes_dir}" ]; then
|
if [ -d "${includes_dir}" ]; then
|
||||||
include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h)
|
for include_file in $(include_files); do
|
||||||
for include_file in ${include_files}; do
|
|
||||||
source_file_or_error "${include_file}"
|
source_file_or_error "${include_file}"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
filter_config_file() {
|
||||||
|
# Remove lines with:
|
||||||
|
# * empty or only whitespaces
|
||||||
|
# * comments
|
||||||
|
grep --extended-regexp --invert-match -e "^(\s*#)" -e "^\s*$" "${1}"
|
||||||
|
}
|
||||||
|
save_active_configuration() {
|
||||||
|
dest_file=${1}
|
||||||
|
rm -f "${dest_file}"
|
||||||
|
|
||||||
|
echo "# ${config_file}" >> "${dest_file}"
|
||||||
|
filter_config_file "${config_file}" >> "${dest_file}"
|
||||||
|
|
||||||
|
found_include_files=$(include_files)
|
||||||
|
if [ -n "${found_include_files}" ]; then
|
||||||
|
for include_file in ${found_include_files}; do
|
||||||
|
echo "# ${include_file}" >> "${dest_file}"
|
||||||
|
filter_config_file "${include_file}" >> "${dest_file}"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
check_active_configuration() {
|
||||||
|
# NRPE-compatible return codes
|
||||||
|
# 0: OK
|
||||||
|
# 1: WARNING
|
||||||
|
# 2: CRITICAL
|
||||||
|
# 3: UNKNOWN
|
||||||
|
rc=0
|
||||||
|
|
||||||
|
if [ -f "${ACTIVE_CONFIG}" ]; then
|
||||||
|
cmp_bin=$(command -v cmp)
|
||||||
|
diff_bin=$(command -v diff)
|
||||||
|
|
||||||
|
if [ -z "${cmp_bin}" ]; then
|
||||||
|
printf "${YELLOW}WARNING: Skipped active configuration check (Can't find cmp(1) command)${RESET}\n"
|
||||||
|
rc=1
|
||||||
|
elif [ -z "${diff_bin}" ]; then
|
||||||
|
printf "${YELLOW}WARNING: Skipped active configuration check (Can't find diff(1) command)${RESET}\n"
|
||||||
|
rc=1
|
||||||
|
else
|
||||||
|
rm -f "${ACTIVE_CONFIG_DIFF}"
|
||||||
|
|
||||||
|
tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX)
|
||||||
|
save_active_configuration "${tmp_config_file}"
|
||||||
|
|
||||||
|
cmp_result=$(cmp "${ACTIVE_CONFIG}" "${tmp_config_file}" 2>&1)
|
||||||
|
cmp_rc=$?
|
||||||
|
|
||||||
|
if [ ${cmp_rc} -eq 0 ]; then
|
||||||
|
# echo " config has not changed since latest start"
|
||||||
|
printf "${GREEN}OK: Active configuration is up-to-date.${RESET}\n"
|
||||||
|
rc=0
|
||||||
|
elif [ ${cmp_rc} -eq 1 ]; then
|
||||||
|
diff -u "${ACTIVE_CONFIG}" "${tmp_config_file}" > "${ACTIVE_CONFIG_DIFF}"
|
||||||
|
|
||||||
|
printf "${RED}CRITICAL: Active configuration is not up-to-date (minifirewall not restarted after config change?), check %s${RESET}\n" "${ACTIVE_CONFIG_DIFF}"
|
||||||
|
rc=2
|
||||||
|
else
|
||||||
|
printf "${RED}CRITICAL: Error while comparing rules:${RESET}\n"
|
||||||
|
printf "${cmp_result}\n"
|
||||||
|
rc=2
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f "${tmp_config_file}"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
printf "${YELLOW}WARNING: Skipped active configuration check (missing file ${ACTIVE_CONFIG})${RESET}\n"
|
||||||
|
rc=1
|
||||||
|
fi
|
||||||
|
exit ${rc}
|
||||||
|
}
|
||||||
check_unpersisted_state() {
|
check_unpersisted_state() {
|
||||||
cmp_bin=$(command -v cmp)
|
cmp_bin=$(command -v cmp)
|
||||||
diff_bin=$(command -v diff)
|
diff_bin=$(command -v diff)
|
||||||
|
@ -279,7 +364,7 @@ check_unpersisted_state() {
|
||||||
rm -f "${STATE_FILE_DIFF}"
|
rm -f "${STATE_FILE_DIFF}"
|
||||||
|
|
||||||
if [ -f "${STATE_FILE_LATEST}" ]; then
|
if [ -f "${STATE_FILE_LATEST}" ]; then
|
||||||
cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}")
|
cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" 2>&1)
|
||||||
cmp_rc=$?
|
cmp_rc=$?
|
||||||
|
|
||||||
if [ ${cmp_rc} -eq 0 ]; then
|
if [ ${cmp_rc} -eq 0 ]; then
|
||||||
|
@ -320,7 +405,7 @@ report_state_changes() {
|
||||||
# But if there is a previous known state
|
# But if there is a previous known state
|
||||||
# let's compare with the new known state
|
# let's compare with the new known state
|
||||||
if [ -f "${STATE_FILE_PREVIOUS}" ]; then
|
if [ -f "${STATE_FILE_PREVIOUS}" ]; then
|
||||||
cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}")
|
cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" 2>&1)
|
||||||
cmp_rc=$?
|
cmp_rc=$?
|
||||||
|
|
||||||
if [ ${cmp_rc} -eq 0 ]; then
|
if [ ${cmp_rc} -eq 0 ]; then
|
||||||
|
@ -339,11 +424,11 @@ report_state_changes() {
|
||||||
|
|
||||||
start() {
|
start() {
|
||||||
syslog_info "starting"
|
syslog_info "starting"
|
||||||
printf "${BOLD}${NAME} starting${RESET}\n"
|
printf "${BOLD}${PROGNAME} starting${RESET}\n"
|
||||||
|
|
||||||
# Stop and warn if error!
|
# Stop and warn if error!
|
||||||
set -e
|
set -e
|
||||||
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
||||||
|
|
||||||
# sysctl network security settings
|
# sysctl network security settings
|
||||||
##################################
|
##################################
|
||||||
|
@ -909,17 +994,20 @@ start() {
|
||||||
trap - INT TERM EXIT
|
trap - INT TERM EXIT
|
||||||
|
|
||||||
syslog_info "started"
|
syslog_info "started"
|
||||||
printf "${GREEN}${BOLD}${NAME} started${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
|
||||||
|
|
||||||
# No need to exit on error anymore
|
# No need to exit on error anymore
|
||||||
set +e
|
set +e
|
||||||
|
|
||||||
|
# save active configuration
|
||||||
|
save_active_configuration "${ACTIVE_CONFIG}"
|
||||||
|
|
||||||
report_state_changes
|
report_state_changes
|
||||||
}
|
}
|
||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
syslog_info "stopping"
|
syslog_info "stopping"
|
||||||
printf "${BOLD}${NAME} stopping${RESET}\n"
|
printf "${BOLD}${PROGNAME} stopping${RESET}\n"
|
||||||
|
|
||||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||||
|
|
||||||
|
@ -1000,10 +1088,10 @@ stop() {
|
||||||
${IPT6} -X NEEDRESTRICT
|
${IPT6} -X NEEDRESTRICT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" "${ACTIVE_CONFIG}"
|
||||||
|
|
||||||
syslog_info "stopped"
|
syslog_info "stopped"
|
||||||
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
status() {
|
status() {
|
||||||
|
@ -1038,7 +1126,7 @@ status_without_numbers() {
|
||||||
|
|
||||||
reset() {
|
reset() {
|
||||||
syslog_info "resetting"
|
syslog_info "resetting"
|
||||||
printf "${BOLD}${NAME} resetting${RESET}\n"
|
printf "${BOLD}${PROGNAME} resetting${RESET}\n"
|
||||||
|
|
||||||
${IPT} -Z
|
${IPT} -Z
|
||||||
if is_ipv6_enabled; then
|
if is_ipv6_enabled; then
|
||||||
|
@ -1053,21 +1141,43 @@ reset() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
syslog_info "reset"
|
syslog_info "reset"
|
||||||
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
||||||
}
|
}
|
||||||
show_version() {
|
show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
${NAME} version ${VERSION}
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
Copyright 2007-2023 Evolix <info@evolix.fr>.
|
||||||
|
|
||||||
${NAME} comes with ABSOLUTELY NO WARRANTY.
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
|
||||||
This program is free software; you can redistribute it and/or
|
This program is free software; you can redistribute it and/or
|
||||||
modify it under the terms of the GNU General Public License
|
modify it under the terms of the GNU General Public License
|
||||||
as published by the Free Software Foundation; either version 3
|
as published by the Free Software Foundation; either version 3
|
||||||
of the License.
|
of the License.
|
||||||
END
|
END
|
||||||
}
|
}
|
||||||
|
show_help() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} ${DESC}
|
||||||
|
|
||||||
|
END
|
||||||
|
show_usage
|
||||||
|
}
|
||||||
|
show_usage() {
|
||||||
|
cat <<END
|
||||||
|
Usage: ${PROGNAME} [COMMAND]
|
||||||
|
|
||||||
|
Commands
|
||||||
|
start Start minifirewall
|
||||||
|
stop Stop minifirewall
|
||||||
|
restart Stop then start minifirewall
|
||||||
|
status Print minifirewall status
|
||||||
|
reset Reset iptables tables
|
||||||
|
check-active-config Check if active config is up-to-date with stored config
|
||||||
|
version Print version and exit
|
||||||
|
help Print this message and exit
|
||||||
|
END
|
||||||
|
}
|
||||||
|
|
||||||
case "${1:-''}" in
|
case "${1:-''}" in
|
||||||
start)
|
start)
|
||||||
|
@ -1106,13 +1216,22 @@ case "${1:-''}" in
|
||||||
start
|
start
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
check-active-config)
|
||||||
|
check_active_configuration
|
||||||
|
;;
|
||||||
|
|
||||||
version)
|
version)
|
||||||
show_version
|
show_version
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
help)
|
||||||
|
show_help
|
||||||
|
;;
|
||||||
|
|
||||||
*)
|
*)
|
||||||
echo "Usage: $0 {start|stop|restart|status|reset|version}"
|
printf "%s: %s: unknown option\n" "${PROGNAME}" "${1}"
|
||||||
exit 1
|
show_usage
|
||||||
|
exit 128
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
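Review bot: The unknown-option branch added at the end of the `case` expands `"${1}"` in its printf call, but the script runs under `set -u` and `case "${1:-''}"` only guards the pattern match, so invoking the script with no argument aborts with an unbound-variable error (exit 1) instead of printing the usage and exiting 128; use `printf "%s: %s: unknown option\n" "${PROGNAME}" "${1:-}"`. In check_active_configuration, `printf "${cmp_result}\n"` passes cmp's output as the format string, so any `%` in it (the message embeds file names) is interpreted as a conversion directive; prefer `printf "%s\n" "${cmp_result}"`. The same function never checks the result of `mktemp --tmpdir=/tmp minifirewall.XXX`, so a failed temp-file creation falls through to `cmp` with an empty path and is reported as CRITICAL "Error while comparing rules" rather than the UNKNOWN code (3) that the header comment documents and nothing currently returns; `tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX) || exit 3` would keep the NRPE codes honest. A template with only three X's also gives mktemp very few candidate names in a world-writable directory, so lengthening it (e.g. `minifirewall.XXXXXXXX`) is cheap insurance against name exhaustion.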