diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-03-13 16:46:06 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:44 +0200 |
| commit | 0cc50082b05575597d72c08bb6f7e8f9145f8c68 (patch) | |
| tree | 8255285b922577beae467bc415f33330abc6b671 /roles/common/files/usr/local/sbin | |
| parent | d72d516f2647a3e03b5e11d891c6ec4e9ddcf9cf (diff) | |
Replace mktemp's deprecated -t option by --tmpdir.
But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p.
Diffstat (limited to 'roles/common/files/usr/local/sbin')
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index cfd2678..33b6ef1 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -151,42 +151,42 @@ run() { local ipt=/sbin/$(inet46 $f iptables ip6tables) tables[$f]=filter # The default interface associated with this address. local if=$( /bin/ip -$f route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' ) # The virtual interface reserved for IPSec. local ifsec=$( /bin/ip -o -$f link show \ | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" ) # The (host-scoped) IP reserved for IPSec. local ipsec= if [ "$ifsec" -a $f = 4 ]; then tables[$f]='mangle nat filter' ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \ | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' ) fi # Store the old (current) ruleset - local old=$(mktemp -t current-rules.v$f.XXXXXX) \ - new=$(mktemp -t new-rules.v$f.XXXXXX) + local old=$(mktemp --tmpdir current-rules.v$f.XXXXXX) \ + new=$(mktemp --tmpdir new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table done > "$old" rss[$f]="$old" local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then fail2ban=1 fi # The usual chains in filter, along with the desired default policies. ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP if [ ! "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. @@ -355,41 +355,41 @@ run() { commit ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ OUTPUT:ACCEPT POSTROUTING:ACCEPT # DNAT all marked packets after decapsulation. iptables -A PREROUTING \! -d "$ipsec" -i $if -m policy --dir in \ --pol ipsec --proto $secproto -j DNAT --to "${ipsec%/*}" # Packets originating from our IPSec are SNAT'ed (MASQUERADE). # (And null-routed later on unless there is an xfrm # association.) iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE commit fi ######################################################################## local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f - local oldz=$(mktemp -t current-rules.v$f.XXXXXX) + local oldz=$(mktemp --tmpdir current-rules.v$f.XXXXXX) # Reset the counters. They are not useful for comparing and/or # storing persistent ruleset. (We don't use sed -i because we want # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ "$old" > "$oldz" /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert for table in ${tables[$f]}; do /bin/ip netns exec $netns $ipt-save -t $table done > "$new" ipt-diff "$oldz" "$new" || rv1=$? if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then rv2=1 else ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$? |