authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-10-29 09:57:12 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2019-02-02 19:55:31 +0200
commita58b2bc80e32c662ee90d7f813c997c05cbc9987 (patch)
tree1314aba3e90ea1bfc3570a8001233077725d59d6
parent9c932a749e28eb8d68f14234f35c5fdbde02d124 (diff)
downloadawall-a58b2bc80e32c662ee90d7f813c997c05cbc9987.tar.bz2
awall-a58b2bc80e32c662ee90d7f813c997c05cbc9987.tar.xz
early detection of missing kernel support
-rwxr-xr-xawall-cli7
-rw-r--r--awall/iptables.lua50
2 files changed, 33 insertions, 24 deletions
diff --git a/awall-cli b/awall-cli
index a853a57..e512878 100755
--- a/awall-cli
+++ b/awall-cli
@@ -152,6 +152,7 @@ end
uerror = require('awall.uerror')
call = uerror.call
+raise = uerror.raise
if not call(
function()
@@ -194,7 +195,7 @@ if not call(
repeat
local name = arg[opind]
local policy = policyset.policies[name]
- if not policy then uerror.raise('No such policy: '..name) end
+ if not policy then raise('No such policy: '..name) end
policy[mode](policy)
opind = opind + 1
until opind > #arg
@@ -320,6 +321,10 @@ if not call(
elseif mode == 'activate' then
+ if not iptables.isenabled() then
+ raise('Firewall not enabled in kernel')
+ end
+
iptables.backup()
local pid, interrupted
diff --git a/awall/iptables.lua b/awall/iptables.lua
index 662a7d9..7c6d329 100644
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -1,11 +1,12 @@
--[[
Iptables file dumper for Alpine Wall
-Copyright (C) 2012-2016 Kaarle Ritvanen
+Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local class = require('awall.class')
+local ACTIVE = require('awall.family').ACTIVE
local raise = require('awall.uerror').raise
local util = require('awall.util')
@@ -13,8 +14,8 @@ local printmsg = util.printmsg
local sortedkeys = util.sortedkeys
-local mkdir = require('posix').mkdir
local lpc = require('lpc')
+local posix = require('posix')
local M = {}
@@ -37,6 +38,21 @@ M.builtin = {
local backupdir = '/var/run/awall'
+local _actfamilies
+local function actfamilies()
+ if _actfamilies then return _actfamilies end
+ _actfamilies = {}
+ for _, family in ipairs(ACTIVE) do
+ if posix.stat(families[family].procfile) then
+ table.insert(_actfamilies, family)
+ else printmsg('Warning: firewall not enabled for '..family) end
+ end
+ return _actfamilies
+end
+
+function M.isenabled() return #actfamilies() > 0 end
+
+
local BaseIPTables = class()
function BaseIPTables:print()
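Review bot: `actfamilies` and `M.isenabled` carry no doc comment, and the detection they replace changed semantics: the old `restore` probed each procfile with `io.open`, while the new helper only calls `posix.stat`, so a procfile that exists but cannot be read now counts the family as enabled and the failure would presumably only surface later at `assert(lpc.wait(pid) == 0)` in `restore`. Whether that case can occur depends on how the kernel exposes the procfile, which the page does not show. Suggested comments: above `actfamilies`, `-- Active address families whose netfilter procfile exists; computed once per process (later kernel module changes are not seen) and the warning is printed only on that first call.`, and above `M.isenabled`, `--- True when at least one active address family has kernel netfilter support.`. The `else printmsg(...) end` packed onto one line against a multi-line `if` branch also reads inconsistently with the surrounding code; `else` on its own line would match.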
@@ -55,27 +71,15 @@ function BaseIPTables:dump(dir)
end
function BaseIPTables:restore(test)
- local disabled = true
-
- for family, params in pairs(families) do
- local file = io.open(params.procfile)
- if file then
- io.close(file)
-
- local pid, stdin, stdout = lpc.run(
- params.cmd..'-restore', table.unpack{test and '-t' or nil}
- )
- stdout:close()
- self:dumpfile(family, stdin)
- stdin:close()
- assert(lpc.wait(pid) == 0)
-
- disabled = false
-
- elseif test then printmsg('Warning: '..family..' rules not tested') end
+ for _, family in ipairs(actfamilies()) do
+ local pid, stdin, stdout = lpc.run(
+ families[family].cmd..'-restore', table.unpack{test and '-t' or nil}
+ )
+ stdout:close()
+ self:dumpfile(family, stdin)
+ stdin:close()
+ assert(lpc.wait(pid) == 0)
end
-
- if disabled then raise('Firewall not enabled in kernel') end
end
function BaseIPTables:activate()
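Review bot: Removing `raise('Firewall not enabled in kernel')` from `restore` leaves the function completing silently when `actfamilies()` is empty, and only the CLI's `activate` mode (the awall-cli hunk at `@@ -320,6 +321,10`) regains the check; any other path into `restore` — `BaseIPTables:activate()` starts on this hunk's last line and its body is outside the hunk — would now load no rules without reporting an error. Keeping the guard in the module costs one line before the loop: `if not M.isenabled() then raise('Firewall not enabled in kernel') end`. The test-mode message `'Warning: '..family..' rules not tested'` is also gone; the generic warning in `actfamilies` appears to cover it, which is fine if that is the intent.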
@@ -142,7 +146,7 @@ end
function M.backup()
- mkdir(backupdir)
+ posix.mkdir(backupdir)
Current():dump(backupdir)
end