mirror/iopsys-feed
1
0
Fork 0
mirror of https://dev.iopsys.eu/feed/iopsys.git synced 2025-12-10 07:44:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

bbfdm: cleanup and update

Browse source 
- move firewall related scripts to firewallmngr
- removed old unused uci-default scripts
This commit is contained in:
Vivek Kumar Dutta 2024-07-09 11:47:03 +05:30
parent 8794818492
commit 42e23d0162
7 changed files with 1 additions and 320 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bbfdm/Makefile
View file

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=bbfdm PKG_NAME:=bbfdm
PKG_VERSION:=1.9.5 PKG_VERSION:=1.9.6
USE_LOCAL:=0 USE_LOCAL:=0
ifneq ($(USE_LOCAL),1) ifneq ($(USE_LOCAL),1)
@ -117,13 +117,7 @@ define Package/libbbfdm/install
$(INSTALL_DIR) $(1)/usr/share/bbfdm/ $(INSTALL_DIR) $(1)/usr/share/bbfdm/
$(CP) $(PKG_BUILD_DIR)/libbbfdm/libbbfdm.so $(1)/usr/share/bbfdm/libbbfdm.so $(CP) $(PKG_BUILD_DIR)/libbbfdm/libbbfdm.so $(1)/usr/share/bbfdm/libbbfdm.so
$(INSTALL_DATA) ./files/lib/upgrade/keep.d/bbf $(1)/lib/upgrade/keep.d/bbf $(INSTALL_DATA) ./files/lib/upgrade/keep.d/bbf $(1)/lib/upgrade/keep.d/bbf
$(INSTALL_BIN) ./files/etc/uci-defaults/95-portmap-firewall $(1)/etc/uci-defaults/95-portmap-firewall
$(INSTALL_BIN) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/97-firewall-service
$(INSTALL_BIN) ./files/etc/uci-defaults/99-link-core-plugins $(1)/etc/uci-defaults/99-link-core-plugins
$(INSTALL_BIN) ./files/etc/uci-defaults/90-remove-nonexisting-microservices $(1)/etc/uci-defaults/
$(INSTALL_BIN) ./files/etc/uci-defaults/91-fix-bbfdmd-enabled-option $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/uci-defaults/91-fix-bbfdmd-enabled-option $(1)/etc/uci-defaults/
$(INSTALL_BIN) ./files/etc/firewall.portmap $(1)/etc/firewall.portmap
$(INSTALL_BIN) ./files/etc/firewall.service $(1)/etc/firewall.service
ifeq ($(findstring iopsys,$(CONFIG_BBF_VENDOR_LIST)),iopsys) ifeq ($(findstring iopsys,$(CONFIG_BBF_VENDOR_LIST)),iopsys)
$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/libbbfdm/dmtree/vendor/iopsys/libbbfdm_iopsys_ext.so $(1) $(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/libbbfdm/dmtree/vendor/iopsys/libbbfdm_iopsys_ext.so $(1)
endif endif

74
bbfdm/files/etc/firewall.portmap
View file

@ -1,74 +0,0 @@
#!/bin/sh
. /lib/functions.sh
log() {
echo "${@}"|logger -t firewall.dnat -p info
}
exec_cmd() {
if ! eval "$*"; then
log "Failed to run [$*]"
fi
}
reorder_dnat_rules() {
nat_chains=$(iptables -t nat -S | grep -E "^-N zone[a-zA-Z0-9_]+prerouting$" | cut -d' ' -f 2)
for chain in ${nat_chains}; do
# Collect empty remote host & empty dport rules
EMPTY_HOST_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep -v "\-s ")
if [ -n "${EMPTY_HOST_PORT}" ]; then
echo "${EMPTY_HOST_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Collect empty remote host but non empty dport rules
EMPTY_HOST=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep "\-\-dport" | grep -v "\-s ")
if [ -n "${EMPTY_HOST}" ]; then
echo "${EMPTY_HOST}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Collect non empty remote host but empty dport rules
EMPTY_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep "\-s ")
if [ -n "${EMPTY_PORT}" ]; then
echo "${EMPTY_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Now add rules as per datamodel precedence shown below
## Non empty remote host, empty dport
## empty remote host, non empty dport
## empty remote host, empty dport
if [ -n "${EMPTY_PORT}" ]; then
echo "${EMPTY_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd)"
exec_cmd $cmd1
done
fi
if [ -n "${EMPTY_HOST}" ]; then
echo "${EMPTY_HOST}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd)"
exec_cmd $cmd1
done
fi
if [ -n "${EMPTY_HOST_PORT}" ]; then
echo "${EMPTY_HOST_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd)"
exec_cmd $cmd1
done
fi
done
}
# Re-order portmapping rules according to precedence hierarchy
reorder_dnat_rules

163
bbfdm/files/etc/firewall.service
View file

@ -1,163 +0,0 @@
#!/bin/sh
. /lib/functions.sh
log() {
echo "${@}"|logger -t firewall.service -p info
}
exec_cmd() {
if ! eval "$*"; then
log "Failed to run [$*]"
echo "-1"
return 0
fi
echo "0"
return 0
}
add_iptable_rule() {
chain_name=$1
protocol=$2
dest_port=$3
icmp_type=$4
family=$5
src_prefix=$6
action=$7
res=-1
cmd="-I ${chain_name}"
if [ -n "${protocol}" ]; then
cmd="${cmd} -p $protocol"
if [ "${protocol}" -eq 41 ] || [ "${protocol}" -eq 43 ] || [ "${protocol}" -eq 44 ] ||
[ "${protocol}" -eq 58 ] || [ "${protocol}" -eq 59 ] || [ "${protocol}" -eq 60 ]; then
# Explicit v6 protocols
if [ "${family}" = "ipv4" ]; then
echo $res
return 0
else
family="ipv6"
fi
elif [ "${protocol}" -eq 1 ]; then
# Explicit v4 protocols
if [ "${family}" = "ipv6" ]; then
echo $res
return 0
else
family="ipv4"
fi
fi
# Limitation:: iptables do not accept dport without specific protocol
count=$(echo "${dest_port}" | sed -n "/-1/p" | wc -l)
if [ "${count}" -eq 0 ]; then
# dest_port not contains -1 so need to have this match criteria
count=$(echo "${dest_port}" | wc -w)
if [ "${count}" -gt 1 ]; then
# multiple ports present
port=$(echo "${dest_port}" | sed "s/ /,/g")
cmd="${cmd} -m multiport --dports ${port}"
else
cmd="${cmd} --dport ${dest_port}"
fi
fi
fi
if [ "${family}" = "ipv4" ] || [ "${family}" = "-1" ]; then
if [ "${protocol}" -eq 1 ] && [ "${icmp_type}" -ge 0 ]; then
cmd="${cmd} --icmp-type ${icmp_type}"
fi
if [ -z "${src_prefix}" ]; then
res=$(exec_cmd "iptables ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
else
#Add ipv4 sources if any
src_list=""
for src in $src_prefix; do
ret=$(echo $src | grep ":" | wc -l)
if [ "${ret}" -eq 0 ]; then
src_list="$src,$src_list"
fi
done
if [ -n "$src_list" ]; then
src_list=$(echo "${src_list}" | sed "s/,$//")
res=$(exec_cmd "iptables -s $src_list ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
fi
fi
fi
if [ "${family}" = "ipv6" ] || [ "${family}" = "-1" ]; then
if [ "${protocol}" -eq 58 ] && [ "${icmp_type}" -ge 0 ]; then
cmd="${cmd} --icmpv6-type ${icmp_type}"
fi
if [ -z "${src_prefix}" ]; then
res=$(exec_cmd "ip6tables ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
else
#Add ipv6 sources if any
src_list=""
for src in $src_prefix; do
ret=$(echo $src | grep ":" | wc -l)
if [ "${ret}" -eq 1 ]; then
src_list="$src,$src_list"
fi
done
if [ -n "$src_list" ]; then
src_list=$(echo "${src_list}" | sed "s/,$//")
res=$(exec_cmd "ip6tables -s $src_list ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
fi
fi
fi
echo $res
}
add_service() {
local enable proto family dest_port interface target icmp_type
config_get enable "$1" enable "0"
config_get icmp_type "$1" icmp_type "-1"
config_get target "$1" target "Accept"
config_get interface "$1" interface ""
config_get family "$1" family "-1"
config_get dest_port "$1" dest_port "-1"
config_get proto "$1" proto "-1"
config_get src_prefix "$1" src_prefix ""
if [ "${enable}" -eq 0 ] || [ -z "${interface}" ]; then
return 0
fi
action=$(echo "${target}" | tr a-z A-Z)
chain_name="zone_${interface}_input"
res=0
count=$(echo "${proto}" | sed -n "/-1/p" | wc -l)
if [ "${count}" -eq 0 ]; then
# proto not contains -1 so need to have this match criteria
for protocol in $proto; do
res=$(add_iptable_rule "$chain_name" "$protocol" "$dest_port" "$icmp_type" "$family" "$src_prefix" "$action")
done
else
# proto contains -1 so no need to have this match criteria
res=$(add_iptable_rule "$chain_name" "" "$dest_port" "$icmp_type" "$family" "$src_prefix" "$action")
fi
if [ "${res}" -ne 0 ]; then
uci -q set firewall."${1}".status="Error"
else
uci -q set firewall."${1}".status=""
fi
uci commit firewall
}
config_load firewall
config_foreach add_service "service"

18
bbfdm/files/etc/uci-defaults/90-remove-nonexisting-microservices
View file

@ -1,18 +0,0 @@
#!/bin/sh
. /lib/functions.sh
remove_nonexisting_microservice() {
local input_json
config_get input_json "$1" input_json ""
if [ -z "${input_json}" ]; then
uci_remove bbfdm "${1}"
fi
}
config_load bbfdm
config_foreach remove_nonexisting_microservice "micro_service"
exit 0

12
bbfdm/files/etc/uci-defaults/95-portmap-firewall
View file

@ -1,12 +0,0 @@
#!/bin/sh
uci -q batch <<-EOT
delete firewall.port_hook
set firewall.port_hook=include
set firewall.port_hook.path=/etc/firewall.portmap
set firewall.port_hook.reload=1
commit firewall
EOT
exit 0

12
bbfdm/files/etc/uci-defaults/97-firewall-service
View file

@ -1,12 +0,0 @@
#!/bin/sh
uci -q batch <<-EOT
delete firewall.service_hook
set firewall.service_hook=include
set firewall.service_hook.path=/etc/firewall.service
set firewall.service_hook.reload=1
commit firewall
EOT
exit 0

34
bbfdm/files/etc/uci-defaults/99-link-core-plugins
View file

@ -1,34 +0,0 @@
#!/bin/sh
UNIFIED_PATH="/usr/share/bbfdm/plugins/"
log() {
echo "$@" | logger -t bbfdm.uci-default -p info
}
# Link JSON plugins
for f in `ls -1 /etc/bbfdm/json/*.json`; do
log "# BBFDM JSON plugin ${f} not aligned #"
ln -s ${f} "${UNIFIED_PATH}"
done
# Link DotSo plugins
for f in `ls -1 /usr/lib/bbfdm/*.so`; do
log "# BBFDM DotSO plugin ${f} not aligned #"
ln -s ${f} "${UNIFIED_PATH}"
done
# Link JSON plugins
for f in `ls -1 /etc/bbfdm/plugins/*.json`; do
log "# BBFDM JSON plugin ${f} not aligned #"
ln -s ${f} "${UNIFIED_PATH}"
done
# Link DotSo plugins
for f in `ls -1 /etc/bbfdm/plugins/*.so`; do
log "# BBFDM DotSO plugin ${f} not aligned #"
ln -s ${f} "${UNIFIED_PATH}"
done
exit 0