authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-08-06 17:35:32 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-08-06 17:53:04 +0300
commit1199347f09cff74a034f007fabc3b0d7f8432dfa (patch)
treee54e183344d3f4e0345bdf188ade6862519ed15a /main/awall
parent726b3e131a24e9fa990c1c2e6202e8164639852f (diff)
downloadaports-1199347f09cff74a034f007fabc3b0d7f8432dfa.tar.bz2
aports-1199347f09cff74a034f007fabc3b0d7f8432dfa.tar.xz
main/awall: upgrade to 1.6.0
Diffstat (limited to 'main/awall')
-rw-r--r--main/awall/APKBUILD17
-rwxr-xr-xmain/awall/setup-firewall142
2 files changed, 155 insertions, 4 deletions
diff --git a/main/awall/APKBUILD b/main/awall/APKBUILD
index 0be03124fd..9dcce06f12 100644
--- a/main/awall/APKBUILD
+++ b/main/awall/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=awall
-pkgver=1.5.1
+pkgver=1.6.0
pkgrel=0
pkgdesc="Alpine Wall"
url="https://git.alpinelinux.org/cgit/awall/"
@@ -11,9 +11,10 @@ license="GPL-2.0"
replaces="awall-nat"
depends="bind-tools ip6tables ipset iptables lua$_luaver lua$_luaver-alt-getopt lua$_luaver-cjson
lua$_luaver-pc lua$_luaver-posix lua$_luaver-stringy xtables-addons"
-subpackages=$pkgname-masquerade
+subpackages="$pkgname-masquerade $pkgname-policies"
triggers="$pkgname.trigger=/usr/share/awall"
source="http://dev.alpinelinux.org/archive/awall/awall-$pkgver.tar.xz
+ setup-firewall
"
builddir=$srcdir/awall-$pkgver
@@ -35,7 +36,6 @@ package() {
masquerade() {
depends=awall
- cd "$builddir"
for file in lua/$_luaver/awall/modules/masquerade.lua awall/mandatory/masquerade.json; do
local path=usr/share/$file
install -d "$subpkgdir/$(dirname $path)"
@@ -43,4 +43,13 @@ masquerade() {
done
}
-sha512sums="562c113ff7f6e9615a66723e3fb097daf5c875dbc65b176405e9ba40e9d2321db0f4c095889ae6c015b297a6100218b2713f849ca305f4db4837ae7153a47a64 awall-1.5.1.tar.xz"
+policies() {
+ depends=awall
+ local dir=usr/share/awall/optional
+ install -d "$subpkgdir"/$dir
+ mv "$pkgdir"/$dir/*.json "$subpkgdir"/$dir
+ install -D "$srcdir"/setup-firewall "$subpkgdir"/usr/sbin/setup-firewall
+}
+
+sha512sums="a131cf4f6cb8b17a007c05b27d43396dd702e52bb94bbfd348b86514fb374e277f1d30e706d41b79cc454ab0921fc12acb72af5e5500af91709b3254dc60587c awall-1.6.0.tar.xz
+0ec166d5e57f1f3eb9be40074f794c6f603b29888fd39d6e56256d3ba853745c768e37a516c8bc6c9a062eeb7652b4de1d7ef7ef63f75cf24d725459c76395de setup-firewall"
diff --git a/main/awall/setup-firewall b/main/awall/setup-firewall
new file mode 100755
index 0000000000..796413cff8
--- /dev/null
+++ b/main/awall/setup-firewall
@@ -0,0 +1,142 @@
+#!/bin/sh -e
+
+# Firewall setup script for Alpine Linux
+# Copyright (C) 2018 Kaarle Ritvanen
+
+. /lib/libalpine.sh
+
+info() {
+ local obj=$1
+ shift
+ if [ "$1" ]; then
+ echo "Detected $obj:" $*
+ fi
+}
+
+is_running() {
+ busybox pgrep -x /usr/sbin/$1 > /dev/null
+}
+
+enable_policy() {
+ echo "Enabling policy $1"
+ awall enable $1
+}
+
+enable_if_running() {
+ local policy=$1
+ shift
+
+ for proc in $*; do
+ if is_running $proc; then
+ enable_policy $policy
+ return
+ fi
+ shift
+ done
+}
+
+list_to_json() {
+ local var=$1
+ eval set -- \$$var
+
+ echo -n "\"$var\": ["
+ local sep=" "
+ while [ "$1" ]; do
+ echo -n "$sep\"$1\""
+ sep=", "
+ shift
+ done
+ echo " ]"
+}
+
+WAN_IFACE=$(ip route | sed -E 's/^default .+ dev ([^ ]+)( .*)?$/\1/;ta;d;:a')
+[ "$WAN_IFACE" ] || die "No default gateway"
+info "WAN interface" $WAN_IFACE
+
+DHCP_ZONES=
+[ -f /var/run/udhcpc.$WAN_IFACE.pid ] && DHCP_ZONES=wan
+
+if is_running dhcpd; then
+ LAN_IFACES=$(. /etc/conf.d/dhcpd && echo $DHCPD_IFACE)
+ if [ -z "$LAN_IFACES" ]; then
+ for iface in $(ip -o address | \
+ sed -E 's/ scope host //;ta;s/^[0-9]+: ([^ ]+) .+/\1/;tb;:a;d;:b'); do
+
+ echo "$LAN_IFACES" | grep -q " $iface " || \
+ LAN_IFACES="$LAN_IFACES $iface "
+ done
+ fi
+elif is_running udhcpd; then
+ LAN_IFACES=$(sed -E $'s/^interface( |\t)+(.+)$/\\2/;ta;d;:a' /etc/udhcpd.conf)
+else
+ LAN_IFACES=
+fi
+LAN_IFACES=$(echo $(echo " $LAN_IFACES " | sed "s/ $WAN_IFACE //"))
+
+LAN_ADDRS=
+LAN_PRIVATE_ADDRS=
+if [ "$LAN_IFACES" ]; then
+ for iface in $LAN_IFACES; do
+ for addr in $(ip -o address list dev $iface | \
+ sed -E 's/^[0-9]+: [^ ]+ +[^ ]+ ([^ ]+) .+$/\1/;ta;d;:a'); do
+
+ LAN_ADDRS="$LAN_ADDRS $addr"
+ LAN_PRIVATE_ADDRS="$LAN_PRIVATE_ADDRS $(echo $addr | \
+ sed -E 's/^((10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.)/\1/;ta;d;:a')"
+ done
+ done
+ info "LAN interfaces" $LAN_IFACES
+ info "LAN addresses" $LAN_ADDRS
+ info "LAN private addresses" $LAN_PRIVATE_ADDRS
+ DHCP_ZONES="$DHCP_ZONES lan"
+ enable_policy router
+fi
+
+if [ "$DHCP_ZONES" ]; then
+ info "DHCP zones" $DHCP_ZONES
+ enable_policy dhcp
+fi
+
+HTTP_REPOS=$(grep ^http:// /etc/apk/repositories) && enable_policy http-client
+[ $(echo "$HTTP_REPOS" | egrep -v '^http://([.0-9]+|\[.+\])(:|/)' | wc -l) -eq 0 ] || \
+ enable_policy dns-client
+
+enable_if_running ntp-client chronyd ntpd openntpd
+enable_if_running ssh-server dropbear sshd
+
+enable_policy ping
+
+cat > /etc/awall/awall-policies.json <<EOF
+{
+ "variable": {
+ $(list_to_json DHCP_ZONES),
+ $(list_to_json LAN_ADDRS),
+ $(list_to_json LAN_IFACES),
+ $(list_to_json LAN_PRIVATE_ADDRS)
+ },
+ "zone": { "wan": { "iface": "$WAN_IFACE" } }
+}
+EOF
+
+awall translate
+
+set_param() {
+ sed -Ei "s/^($2=).*\$/\\1$3/" /etc/conf.d/$1
+}
+
+enable_service() {
+ echo "Enabling service $1"
+
+ set_param $1 SAVE_ON_STOP no
+ if [ "$LAN_IFACES" ]; then
+ set_param IPFORWARD yes
+ fi
+
+ rc-update add $1
+ service $1 start
+}
+
+enable_service iptables
+if ip -o address | egrep -q '^[0-9]+: [^ ]+ +inet6 '; then
+ enable_service ip6tables
+fi