Verified Commit 30ba26e5 authored by Karel Koci
sentinel-firewall: remove any preserved rules

This removes any preserved rules from the firewall. Firewall3 removes any
rules in chains and tables it manages but ignores others. This is
considered a feature (as some lists survive reload) but for our use
case it is not ideal as scripts just insert rules in the appropriate
location. Instead, removing all rules we previously added and that were
preserved is the better option in this case.

There is one exception and those are our rules that are terminations for
chains created by us. We are not removing those chains and so we do not
want to remove those rules as well. We prevent that by using a slightly
different comment. We do not add additional commentary and drop the colon.
Because of the missing colon this rule is not matched and is not removed.
For the termination rule an additional comment about the source is not
necessary so we are not losing anything.
parent 89cd9537
Merge request !429: Draft: Bugfix/sentinel firewall flush
......@@ -7,6 +7,23 @@
# option family 'any'
# option reload '1'
# Remove any existing rule
# (firewall3 removes only rules in chains it knows so we have to do this to
# potentially clean after ourselves)
for table in filter nat mangle raw; do
iptables -t "$table" -S \
| grep -F ' --comment "!sentinel:' \
| while read -r operation rule; do
# Argument -A is dropped (variable 'operation' is intentionally left out)
# Note: xargs is used here because it handles quotes properly over
# just plain expansion
echo "$rule" | xargs -x iptables -t "$table" -D
done
done
# Run all sentinel firewall scripts
cd /usr/libexec/sentinel/firewall.d
for module in ./*; do
[ -x "$module" ] || continue
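Review bot: the cleanup loop only walks `iptables -t "$table" -S`, yet the config shown just above this hunk sets `option family 'any'`, so any preserved rules the sentinel scripts added through ip6tables would still survive a reload; the same loop should run over ip6tables as well (for example `for ipt in iptables ip6tables; do ... "$ipt" -t "$table" -S ...`). Two smaller points in the same loop: `echo "$rule"` may interpret backslash sequences in some shells, so `printf '%s\n' "$rule" | xargs -x iptables -t "$table" -D` is the safer way to feed xargs; and the comment convention the commit message relies on (rules tagged `!sentinel:` with a colon are flushed, chain-termination rules use `!sentinel` without the colon and are kept) should be stated in the script's comment block, since nothing in the script itself explains why the colon is part of the grep pattern.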
......