Update iptables rules to use proper locking.
parent
85818a7778
commit
f5ad0195bc
6 changed files with 23 additions and 23 deletions
|
|
@ -271,14 +271,14 @@ touch $ACL_FILE
|
|||
echo "iptables -w -F hosts_forward" >> $ACL_FILE
|
||||
echo "ip6tables -w -F hosts_forward" >> $ACL_FILE
|
||||
|
||||
hosts_ipv4_forward=$(iptables -t filter --list -n | grep hosts_forward)
|
||||
hosts_ipv4_forward=$(iptables -w -t filter --list -n | grep hosts_forward)
|
||||
if [ -z "$hosts_ipv4_forward" ]; then
|
||||
echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j hosts_forward" >> $ACL_FILE
|
||||
fi
|
||||
|
||||
hosts_ipv6_forward=$(ip6tables -t filter --list -n | grep hosts_forward)
|
||||
hosts_ipv6_forward=$(ip6tables -w -t filter --list -n | grep hosts_forward)
|
||||
if [ -z "$hosts_ipv6_forward" ]; then
|
||||
echo "ip6tables -w -t filter -N hosts_forward" >> $ACL_FILE
|
||||
ret=$?
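Review bot: `ret=$?` after `echo "iptables -w -t filter -N hosts_forward" >> $ACL_FILE` records whether the echo wrote to the file, not whether the chain was created, because the iptables command is only appended to `$ACL_FILE` here and appears to run later. The `[ $ret -eq 0 ]` guard in front of the `-I FORWARD -j hosts_forward` line therefore does not tie the jump to a successful `-N`, and the `grep hosts_forward` existence check reflects the ruleset at generation time rather than when the queued commands execute. If this chain carries host access rules, as its name suggests, a missing or duplicated jump changes what is enforced, so consider moving the condition into the queued command, e.g. `echo "iptables -w -t filter -N hosts_forward 2>/dev/null && iptables -w -t filter -I FORWARD -j hosts_forward" >> "$ACL_FILE"`. The ip6tables lines in this hunk and the `parentalcontrol_forward` lines in the add_internet_schedule_rules hunk follow the same pattern; the enclosing code continues outside both hunks.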
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# Forward multicast packets from wan to lan
|
||||
iptables -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT
|
||||
iptables -w -t filter -A zone_wan_forward -p udp -d 224.0.0.0/240.0.0.0 -m comment --comment "!fw3: Allow-Multicast-UDP" -j zone_lan_dest_ACCEPT
|
||||
|
|
|
|||
|
|
@ -412,14 +412,14 @@ add_internet_schedule_rules() {
|
|||
echo "iptables -w -F parentalcontrol_forward" >> $ACL_FILE
|
||||
echo "ip6tables -w -F parentalcontrol_forward" >> $ACL_FILE
|
||||
|
||||
parentalcontrol_ipv4_forward=$(iptables -t filter --list -n | grep parentalcontrol_forward)
|
||||
parentalcontrol_ipv4_forward=$(iptables -w -t filter --list -n | grep parentalcontrol_forward)
|
||||
if [ -z "$parentalcontrol_ipv4_forward" ]; then
|
||||
echo "iptables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] && echo "iptables -w -t filter -I FORWARD -j parentalcontrol_forward" >> $ACL_FILE
|
||||
fi
|
||||
|
||||
parentalcontrol_ipv6_forward=$(ip6tables -t filter --list -n | grep parentalcontrol_forward)
|
||||
parentalcontrol_ipv6_forward=$(ip6tables -w -t filter --list -n | grep parentalcontrol_forward)
|
||||
if [ -z "$parentalcontrol_ipv6_forward" ]; then
|
||||
echo "ip6tables -w -t filter -N parentalcontrol_forward" >> $ACL_FILE
|
||||
ret=$?
|
||||
|
|
|
|||
|
|
@ -279,17 +279,17 @@ create_iptables_chains() {
|
|||
ret=$?
|
||||
[ $ret -eq 0 ] && iptables -w -t mangle -I OUTPUT -j qos_output
|
||||
|
||||
ip6tables -t mangle -N qos_forward 2> /dev/null
|
||||
ip6tables -w -t mangle -N qos_forward 2> /dev/null
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] && ip6tables -t mangle -I FORWARD -j qos_forward
|
||||
[ $ret -eq 0 ] && ip6tables -w -t mangle -I FORWARD -j qos_forward
|
||||
|
||||
ip6tables -t mangle -N qos_prerouting 2> /dev/null
|
||||
ip6tables -w -t mangle -N qos_prerouting 2> /dev/null
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] && ip6tables -t mangle -I PREROUTING -j qos_prerouting
|
||||
[ $ret -eq 0 ] && ip6tables -w -t mangle -I PREROUTING -j qos_prerouting
|
||||
|
||||
ip6tables -t mangle -N qos_output 2> /dev/null
|
||||
ip6tables -w -t mangle -N qos_output 2> /dev/null
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] && ip6tables -t mangle -I OUTPUT -j qos_output
|
||||
[ $ret -eq 0 ] && ip6tables -w -t mangle -I OUTPUT -j qos_output
|
||||
}
|
||||
|
||||
flush_iptables_chains() {
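Review bot: The `2> /dev/null` on each `ip6tables -w -t mangle -N qos_*` call discards every error, not only "chain already exists", so a failure for any other reason leaves `ret` non-zero and the matching `-I ... -j qos_*` jump is skipped with nothing logged. A one-line comment above each pair, such as `# non-zero here is taken to mean the chain already exists and is already hooked in`, would make that assumption explicit. The `ret` variable could also be dropped in favour of `ip6tables -w -t mangle -N qos_forward 2> /dev/null && ip6tables -w -t mangle -I FORWARD -j qos_forward`. create_iptables_chains starts outside this hunk.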
|
||||
|
|
|
|||
|
|
@ -19,12 +19,12 @@ start_service() {
|
|||
|
||||
if [ "${enable_udpechoserver}" -eq "1" ] && [ "$port_udpechoserver" -ne "0" ]; then
|
||||
if [ -z "$address_udpechoserver" ]; then
|
||||
iptables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
ip6tables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
iptables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
ip6tables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
elif [[ "$address_udpechoserver" =~ .*:.* ]]; then
|
||||
ip6tables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
ip6tables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
else
|
||||
iptables -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
iptables -w -I zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port"
|
||||
fi
|
||||
|
||||
procd_open_instance
|
||||
|
|
@ -36,12 +36,12 @@ start_service() {
|
|||
|
||||
stop_service() {
|
||||
# Remove the USPechoserver ports created earlier
|
||||
while iptables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
|
||||
iptables -D zone_wan_input "$(iptables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
|
||||
while iptables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
|
||||
iptables -w -D zone_wan_input "$(iptables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
|
||||
done
|
||||
|
||||
while ip6tables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
|
||||
ip6tables -D zone_wan_input "$(ip6tables -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
|
||||
while ip6tables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" > /dev/null; do
|
||||
ip6tables -w -D zone_wan_input "$(ip6tables -w -nL zone_wan_input --line-numbers | grep "Open UDPechoserver port" | head -1|awk '{print $1}')";
|
||||
done
|
||||
|
||||
plus_enable="$(uci -q -c /var/state get udpechoserver.udpechoserver.plus)"
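Review bot: In stop_service the rule is still removed by a line number taken from a separate listing, so `-w` serialises each iptables call but not the list-then-delete pair; if another process changes `zone_wan_input` in between, `-D zone_wan_input <n>` can remove a different rule than the echo-server one. The `while` loop also never terminates if `-D` keeps failing while the comment still matches. Deleting by rule specification and looping until it fails avoids both when the port is known at stop time (not visible in this hunk), e.g. `while iptables -w -D zone_wan_input -p udp --dport "$port_udpechoserver" -j ACCEPT -m comment --comment "Open UDPechoserver port" 2>/dev/null; do :; done`; otherwise, break out of the loop when `-D` returns non-zero. The ip6tables loop has the same shape, and the comment above the loops reads "USPechoserver" where "UDPechoserver" is presumably meant.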
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ exec_cmd() {
|
|||
}
|
||||
|
||||
delete_ui_firewall_rules() {
|
||||
input_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
input_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
|
||||
for chain in ${input_chains}; do
|
||||
CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
|
||||
|
|
@ -42,8 +42,8 @@ delete_ui_firewall_rules() {
|
|||
done
|
||||
done
|
||||
|
||||
input6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
input6_chains=$(ip6tables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output6_chains=$(ip6tables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
|
||||
for chain in ${input6_chains}; do
|
||||
CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"
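Review bot: With `-w 1` the listing in `input_chains=$(iptables -w 1 -S | grep -E ... | cut -d' ' -f 2)` gives up after one second if the xtables lock is held, and because the status of a pipeline is that of its last command, that failure is indistinguishable from "no matching chains". The `for chain in ${input_chains}` loop then runs zero times and delete_ui_firewall_rules leaves the UI-created rules in place without reporting anything; the same applies to `output_chains`, `input6_chains` and `output6_chains` in both hunks. Capturing the listing first makes the failure visible, e.g. `rules=$(iptables -w 1 -S) || return 1` followed by `input_chains=$(echo "$rules" | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)`. The other files in this commit use `-w` with no timeout, so a short comment on why this script bounds the wait would also help; the function body continues outside the hunks.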
|
||||
|
|
|
|||