diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 02:52:55 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 05:45:59 +0200 |
| commit | bac7811d2b35252b7a83a45d75bb344b4b1776a9 (patch) | |
| tree | 02176a15d570cab6dbd55b52b6df5c7b7b0538b1 /roles/common/files/usr/local | |
| parent | c4f24043baeccc95556fb9c3c032505ecadb5fbd (diff) | |
Upgrade baseline to Debian 10.
Diffstat (limited to 'roles/common/files/usr/local')
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall index 957bdc1..4b3e5cf 100755 --- a/roles/common/files/usr/local/sbin/update-firewall +++ b/roles/common/files/usr/local/sbin/update-firewall @@ -5,57 +5,57 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin export PATH NFTABLES="/etc/nftables.conf" script="$(mktemp --tmpdir=/dev/shm)" oldrules="$(mktemp --tmpdir=/dev/shm)" newrules="$(mktemp --tmpdir=/dev/shm)" netns= cleanup(){ rm -f -- "$script" "$oldrules" "$newrules" [ -z "$netns" ] || ip netns del "$netns" } trap cleanup EXIT INT TERM echo "flush ruleset" >"$script" # should be included already, but... cat <"$NFTABLES" >>"$script" ip netns add "nft-dryrun" netns="nft-dryrun" -# clear sets in the old rules before diff'ing with the new ones -nft list ruleset -sn >"$oldrules" -ip netns exec "$netns" nft -f - <"$oldrules" -ip netns exec "$netns" nft flush set inet filter fail2ban -ip netns exec "$netns" nft flush set inet filter fail2ban6 -ip netns exec "$netns" nft list ruleset -sn >"$oldrules" - declare -a INTERFACES=() for iface in /sys/class/net/*; do idx="$(< "$iface/ifindex")" INTERFACES[idx]="${iface#/sys/class/net/}" done # create dummy interfaces so we can use iif/oif in the nft rules # (we preserve indices to preserve canonical set representation) for idx in "${!INTERFACES[@]}"; do [ "${INTERFACES[idx]}" != "lo" ] || continue ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy done +# clear sets in the old rules before diff'ing with the new ones +nft list ruleset -sn >"$oldrules" +ip netns exec "$netns" nft -f - <"$oldrules" +ip netns exec "$netns" nft flush set inet filter fail2ban || true +ip netns exec "$netns" nft flush set inet filter fail2ban6 || true +ip netns exec "$netns" nft list ruleset -sn >"$oldrules" + ip netns exec "$netns" nft -f - <"$script" ip netns exec "$netns" nft list ruleset -sn >"$newrules" ip netns del "$netns" netns= if [ ! -t 0 ] || [ ! -t 1 ]; then diff -q -- "$oldrules" "$newrules" && exit 0 || exit 1 elif ! diff -u --color=auto --label=a/ruleset --label=b/ruleset \ -- "$oldrules" "$newrules" && nft -f - <"$script"; then read -p "Ruleset applied. Revert? [Y/n] " -r -t10 r || r="y" if [ "${r,,[a-z]}" != "n" ]; then echo "Reverting..." echo "flush ruleset" >"$script" cat <"$oldrules" >>"$script" nft -f - <"$script" fi fi |