mirror/iopsys-feed
1
0
Fork 0
mirror of https://dev.iopsys.eu/feed/iopsys.git synced 2025-12-10 07:44:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update iptables rules to use proper locking.

Browse source
This commit is contained in:
Markus Gothe 2025-02-20 16:49:34 +01:00 committed by Erik Karlsson
parent 85818a7778
commit f5ad0195bc
6 changed files with 23 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hostmngr/files/scripts/hosts_acl.sh
View file

@ -271,14 +271,14 @@ touch $ACL_FILE
echo "iptables -w -F hosts_forward" >> $ACL_FILE echo "iptables -w -F hosts_forward" >> $ACL_FILE
echo "ip6tables -w -F hosts_forward" >> $ACL_FILE echo "ip6tables -w -F hosts_forward" >> $ACL_FILE
hosts_ipv4_forward=$(iptables -t filter --list -n | grep hosts_forward) hosts_ipv4_forward=$(iptables -w -t filter --list -n | grep hosts_forward)
if [ -z "$hosts_ipv4_forward" ]; then if [ -z "$hosts_ipv4_forward" ]; then
echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE
ret=$? ret=$?
[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE [ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE
fi fi
hosts_ipv6_forward=$(ip6tables -t filter --list -n | grep hosts_forward) hosts_ipv6_forward=$(ip6tables -w -t filter --list -n | grep hosts_forward)
if [ -z "$hosts_ipv6_forward" ]; then if [ -z "$hosts_ipv6_forward" ]; then
echo "ip6tables -w -t filter -N hosts_forward" >> $ACL_FILE echo "ip6tables -w -t filter -N hosts_forward" >> $ACL_FILE
ret=$? ret=$?

2
mcastmngr/files/linux/etc/firewall.mcast
View file

@ -1,2 +1,2 @@
# Forward multicast packets from wan to lan # Forward multicast packets from wan to lan
iptables -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT iptables -w -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT

4
parental-control/files/lib/parentalcontrol/parentalcontrol.sh
View file

@ -412,14 +412,14 @@ add_internet_schedule_rules() {
echo "iptables -w -F parentalcontrol_forward" >> $ACL_FILE echo "iptables -w -F parentalcontrol_forward" >> $ACL_FILE
echo "ip6tables -w -F parentalcontrol_forward" >> $ACL_FILE echo "ip6tables -w -F parentalcontrol_forward" >> $ACL_FILE
parentalcontrol_ipv4_forward=$(iptables -t filter --list -n | grep parentalcontrol_forward) parentalcontrol_ipv4_forward=$(iptables -w -t filter --list -n | grep parentalcontrol_forward)
if [ -z "$parentalcontrol_ipv4_forward" ]; then if [ -z "$parentalcontrol_ipv4_forward" ]; then
echo "iptables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE echo "iptables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
ret=$? ret=$?
[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j parentalcontrol_forward" >> $ACL_FILE [ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j parentalcontrol_forward" >> $ACL_FILE
fi fi
parentalcontrol_ipv6_forward=$(ip6tables -t filter --list -n | grep parentalcontrol_forward) parentalcontrol_ipv6_forward=$(ip6tables -w -t filter --list -n | grep parentalcontrol_forward)
if [ -z "$parentalcontrol_ipv6_forward" ]; then if [ -z "$parentalcontrol_ipv6_forward" ]; then
echo "ip6tables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE echo "ip6tables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
ret=$? ret=$?

12
qosmngr/files/common/lib/qos/iptables.sh
View file

@ -279,17 +279,17 @@ create_iptables_chains() {
ret=$? ret=$?
[ $ret -eq 0 ] && iptables -w -t mangle -I OUTPUT -j qos_output [ $ret -eq 0 ] && iptables -w -t mangle -I OUTPUT -j qos_output
ip6tables -t mangle -N qos_forward 2> /dev/null ip6tables -w -t mangle -N qos_forward 2> /dev/null
ret=$? ret=$?
[ $ret -eq 0 ] && ip6tables -t mangle -I FORWARD -j qos_forward [ $ret -eq 0 ] && ip6tables -w -t mangle -I FORWARD -j qos_forward
ip6tables -t mangle -N qos_prerouting 2> /dev/null ip6tables -w -t mangle -N qos_prerouting 2> /dev/null
ret=$? ret=$?
[ $ret -eq 0 ] && ip6tables -t mangle -I PREROUTING -j qos_prerouting [ $ret -eq 0 ] && ip6tables -w -t mangle -I PREROUTING -j qos_prerouting
ip6tables -t mangle -N qos_output 2> /dev/null ip6tables -w -t mangle -N qos_output 2> /dev/null
ret=$? ret=$?
[ $ret -eq 0 ] && ip6tables -t mangle -I OUTPUT -j qos_output [ $ret -eq 0 ] && ip6tables -w -t mangle -I OUTPUT -j qos_output
} }
flush_iptables_chains() { flush_iptables_chains() {

16
udpecho/files/etc/init.d/udpechoserverd
View file

@ -19,12 +19,12 @@ start_service() {
if [ "${enable_udpechoserver}" -eq "1" ] && [ "$port_udpechoserver" -ne "0" ]; then if [ "${enable_udpechoserver}" -eq "1" ] && [ "$port_udpechoserver" -ne "0" ]; then
if [ -z "$address_udpechoserver" ]; then if [ -z "$address_udpechoserver" ]; then
iptables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port" iptables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
ip6tables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port" ip6tables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
elif [[ "$address_udpechoserver" =~ .*:.* ]]; then elif [[ "$address_udpechoserver" =~ .*:.* ]]; then
ip6tables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port" ip6tables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
else else
iptables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port" iptables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
fi fi
procd_open_instance procd_open_instance
@ -36,12 +36,12 @@ start_service() {
stop_service() { stop_service() {
# Remove the USPechoserver ports created earlier # Remove the USPechoserver ports created earlier
while iptables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do while iptables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
iptables -D zone_wan_input "$(iptables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')"; iptables -w -D zone_wan_input "$(iptables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
done done
while ip6tables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do while ip6tables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
ip6tables -D zone_wan_input "$(ip6tables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')"; ip6tables -w -D zone_wan_input "$(ip6tables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
done done
plus_enable="$(uci -q -c /var/state get udpechoserver.udpechoserver.plus)" plus_enable="$(uci -q -c /var/state get udpechoserver.udpechoserver.plus)"

8
userinterface/files/etc/firewall.userinterface
View file

@ -19,8 +19,8 @@ exec_cmd() {
} }
delete_ui_firewall_rules() { delete_ui_firewall_rules() {
input_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2) input_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
output_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2) output_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
for chain in ${input_chains}; do for chain in ${input_chains}; do
CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers" CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
@ -42,8 +42,8 @@ delete_ui_firewall_rules() {
done done
done done
input6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2) input6_chains=$(ip6tables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
output6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2) output6_chains=$(ip6tables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
for chain in ${input6_chains}; do for chain in ${input6_chains}; do
CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers" CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"