authorGuilhem Moulin <guilhem@fripost.org>2022-10-12 01:43:23 +0200
committerGuilhem Moulin <guilhem@fripost.org>2022-10-13 22:12:05 +0200
commit85347041a04d17f6803100dd2cec9b489c9db47d (patch)
treedebeacab309c11d9f50a559044000a2e17371385 /roles/common/files/usr/local/sbin/update-firewall
parentab1f9b0eb7b3cd3c14ba4722a3c85507efde1fcd (diff)
Port baseline to Debian 11 (codename Bullseye).
Diffstat (limited to 'roles/common/files/usr/local/sbin/update-firewall')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall6
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 4b3e5cf..e11e8a9 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -19,43 +19,43 @@ trap cleanup EXIT INT TERM
echo "flush ruleset" >"$script" # should be included already, but...
cat <"$NFTABLES" >>"$script"
ip netns add "nft-dryrun"
netns="nft-dryrun"
declare -a INTERFACES=()
for iface in /sys/class/net/*; do
idx="$(< "$iface/ifindex")"
INTERFACES[idx]="${iface#/sys/class/net/}"
done
# create dummy interfaces so we can use iif/oif in the nft rules
# (we preserve indices to preserve canonical set representation)
for idx in "${!INTERFACES[@]}"; do
[ "${INTERFACES[idx]}" != "lo" ] || continue
ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
done
# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
+nft -sn list ruleset >"$oldrules"
ip netns exec "$netns" nft -f - <"$oldrules"
ip netns exec "$netns" nft flush set inet filter fail2ban || true
ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -sn list ruleset >"$oldrules"
ip netns exec "$netns" nft -f - <"$script"
-ip netns exec "$netns" nft list ruleset -sn >"$newrules"
+ip netns exec "$netns" nft -sn list ruleset >"$newrules"
ip netns del "$netns"
netns=
if [ ! -t 0 ] || [ ! -t 1 ]; then
diff -q -- "$oldrules" "$newrules" && exit 0 || exit 1
elif ! diff -u --color=auto --label=a/ruleset --label=b/ruleset \
-- "$oldrules" "$newrules" && nft -f - <"$script"; then
read -p "Ruleset applied. Revert? [Y/n] " -r -t10 r || r="y"
if [ "${r,,[a-z]}" != "n" ]; then
echo "Reverting..."
echo "flush ruleset" >"$script"
cat <"$oldrules" >>"$script"
nft -f - <"$script"
fi
fi
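Review bot: The revert path (`cat <"$oldrules" >>"$script"` followed by `nft -f -`) reinstalls the ruleset with the `fail2ban` and `fail2ban6` sets empty, because `$oldrules` is overwritten by the second `nft -sn list ruleset` dump taken in the dry-run namespace after the two `flush set` commands; the original, unflushed dump from the live host is gone by then. So answering anything but "n" at the prompt, or letting the 10-second `read -t10` time out, drops every currently banned address until fail2ban repopulates the sets — an exposure window that a revert is meant to avoid. I would keep the live dump in its own temp file and revert from that: `nft -sn list ruleset >"$liverules"`, `ip netns exec "$netns" nft -f - <"$liverules"` and, in the revert branch, `cat <"$liverules" >>"$script"`, leaving `$oldrules` for the flushed copy used by the diff. `$liverules` would need the same `mktemp`/`trap cleanup` handling as `$oldrules`, which is set up before this hunk and not visible here; the comparison logic itself is unaffected since `-s` already strips counters and other stateful data before diffing.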