Replace mktemp's deprecated -t option by --tmpdir.

But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p.

1 files changed, 3 insertions, 3 deletions

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index cfd2678..33b6ef1 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -151,42 +151,42 @@ run() {
     local ipt=/sbin/$(inet46 $f iptables ip6tables)
     tables[$f]=filter
 
     # The default interface associated with this address.
     local if=$( /bin/ip -$f route show to default scope global \
               | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )
 
     # The virtual interface reserved for IPSec.
     local ifsec=$( /bin/ip -o -$f link show \
                  | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
 
     # The (host-scoped) IP reserved for IPSec.
     local ipsec=
     if [ "$ifsec" -a $f = 4 ]; then
         tables[$f]='mangle nat filter'
         ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
                | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
     fi
 
     # Store the old (current) ruleset
-    local old=$(mktemp -t current-rules.v$f.XXXXXX) \
-          new=$(mktemp -t new-rules.v$f.XXXXXX)
+    local old=$(mktemp --tmpdir current-rules.v$f.XXXXXX) \
+          new=$(mktemp --tmpdir new-rules.v$f.XXXXXX)
     for table in ${tables[$f]}; do
         $ipt-save -ct $table
     done > "$old"
     rss[$f]="$old"
 
     local fail2ban=0
     # XXX: As of Wheezy, fail2ban is IPv4 only.  See
     #      https://github.com/fail2ban/fail2ban/issues/39 for the current
     #      state of the art.
     if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
         fail2ban=1
     fi
 
     # The usual chains in filter, along with the desired default policies.
     ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
 
     if [ ! "$if" ]; then
         # If the interface is not configured, we stop here and DROP all
         # packets by default.  Thanks to the pre-up hook this tight
         # policy will be activated whenever the interface goes up.
@@ -355,41 +355,41 @@ run() {
         commit
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
 
         # DNAT all marked packets after decapsulation.
         iptables -A PREROUTING \! -d "$ipsec" -i $if -m policy --dir in \
             --pol ipsec --proto $secproto -j DNAT --to "${ipsec%/*}"
 
         # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
         # (And null-routed later on unless there is an xfrm
         # association.)
         iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
         commit
     fi
 
     ########################################################################
 
 
     local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
-    local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
+    local oldz=$(mktemp --tmpdir current-rules.v$f.XXXXXX)
 
     # Reset the counters.  They are not useful for comparing and/or
     # storing persistent ruleset.  (We don't use sed -i because we want
     # to restore the counters when reverting.)
     sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
            -e 's/^\[[0-9]+:[0-9]+\]\s+//' \
            "$old" > "$oldz"
 
     /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert
 
     for table in ${tables[$f]}; do
        /bin/ip netns exec $netns $ipt-save -t $table
     done > "$new"
 
     ipt-diff "$oldz" "$new" || rv1=$?
 
     if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then
         rv2=1
     else
         ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$?