summaryrefslogtreecommitdiffstats
path: root/roles/common/files
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh1
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 207eada..36c12c6 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -310,40 +310,41 @@ run() {
*,*|*:*) optsNew="--match multiport --dports $dport"
optsEst="--match multiport --sports $dport";;
?*) optsNew="--dport $dport"
optsEst="--sport $dport";;
esac
case "$sport" in
*,*|*:*) optsNew+=" --match multiport --sports $sport"
optsEst+=" --match multiport --dports $sport";;
?*) optsNew+=" --sport $sport"
optsEst+=" --dport $sport";;
esac
case "$dir" in
in|inout) iptNew="-A INPUT -i"; iptEst="-A OUTPUT -o";;
out) iptNew="-A OUTPUT -o"; iptEst="-A INPUT -i";;
*) fatal "Error: Unknown direction: '$dir'."
esac
iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
done
+ iptables -A OUTPUT -o $if -j REJECT
########################################################################
commit
local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
local oldz=$(mktemp --tmpdir current-rules.v$f.XXXXXX)
# Reset the counters. They are not useful for comparing and/or
# storing persistent ruleset. (We don't use sed -i because we want
# to restore the counters when reverting.)
sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
-e 's/^\[[0-9]+:[0-9]+\]\s+//' \
"$old" >"$oldz"
ip netns exec $netns $ipt-restore <"$new" || ipt-revert
for table in ${tables[$f]}; do
ip netns exec $netns $ipt-save -t $table
done >"$new"
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-18 21:32:25 +0000