Browse Source

acme: switch from iptables to nft

Use nft instead of iptables to open port 80 in the firewall when getting a
cert. Since nft doesn't allow deleting a rule by its contents, capture and
save the handle when creating the rule, and use that to delete.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
(cherry picked from commit d926da5182)
lilik-openwrt-22.03
Toke Høiland-Jørgensen 3 years ago
parent
commit
3743870bc8
1 changed files with 7 additions and 8 deletions
  1. +7
    -8
      net/acme/files/run.sh

+ 7
- 8
net/acme/files/run.sh View File

@ -21,6 +21,7 @@ NGINX_WEBSERVER=0
UPDATE_NGINX=0 UPDATE_NGINX=0
UPDATE_UHTTPD=0 UPDATE_UHTTPD=0
UPDATE_HAPROXY=0 UPDATE_HAPROXY=0
NFT_HANDLE=
USER_CLEANUP= USER_CLEANUP=
. /lib/functions.sh . /lib/functions.sh
@ -126,19 +127,17 @@ pre_checks() {
esac esac
done done
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
debug "v4 input_rule: $(iptables -nvL input_rule)"
debug "v6 input_rule: $(ip6tables -nvL input_rule)"
NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+')
ret=$?
[ "$ret" -eq "0" ] || return 1
debug "added nft rule: $NFT_HANDLE"
return 0 return 0
} }
post_checks() { post_checks() {
log "Running post checks (cleanup)." log "Running post checks (cleanup)."
# The comment ensures we only touch our own rules. If no rules exist, that
# is fine, so hide any errors
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
[ -n "$NFT_HANDLE" ] && nft delete rule inet fw4 input $NFT_HANDLE
if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then
if [ -n "$UHTTPD_LISTEN_HTTP" ]; then if [ -n "$UHTTPD_LISTEN_HTTP" ]; then


Loading…
Cancel
Save