Verified Commit 4f3812c1 authored by Michal 'vorner' Vaner's avatar Michal 'vorner' Vaner

Merge branch 'master' of gitlab.labs.nic.cz:turris/pakon-guts

parents 6707e036 5446fc1a
Pipeline #3172 passed with stage
in 1 minute and 21 seconds
config config 'daemon'
list 'networks' 'lan'
#!/bin/sh
# Copyright (C) 2017 CZ.NIC z.s.p.o. (http://www.nic.cz/)
IPTABLES_RULES="/tmp/pakon/pakond.fw"
IP6TABLES_RULES="/tmp/pakon/pakond.fw6"
iptables_insert_once() {
COMMAND="$1"
ARGS="$2"
shift 2
$COMMAND -C $ARGS >/dev/null 2>&1 || $COMMAND -I $ARGS >/dev/null 2>&1
}
check_references() {
#verify that all the references to pakon_filter chain are on the right places
iptables_insert_once iptables "forwarding_rule -j pakon_filter"
iptables_insert_once ip6tables "forwarding_rule -j pakon_filter"
iptables_insert_once iptables "input_rule -j pakon_filter"
iptables_insert_once ip6tables "input_rule -j pakon_filter"
iptables_insert_once iptables "output_rule -j pakon_filter"
iptables_insert_once ip6tables "output_rule -j pakon_filter"
}
/etc/init.d/pakond status || exit 0 #don't insert iptables rules if pakond is not running
[-f $IPTABLES_RULES] || exit 1
iptables-restore --noflush < $IPTABLES_RULES
[-f $IP6TABLES_RULES] || exit 1
ip6tables-restore --noflush < $IP6TABLES_RULES
check_references
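Review bot: `[-f $IPTABLES_RULES]` on L30 (and again on L32) is missing the spaces inside the brackets, so the shell looks for a command named `[-f`, the test fails and the script exits 1 whenever pakond is running; the restore and `check_references` below it never execute, which means a firewall reload silently loses pakon_filter and its references and traffic stops being queued to pakond. The lines should read `[ -f "$IPTABLES_RULES" ] || exit 1` and `[ -f "$IP6TABLES_RULES" ] || exit 1`. Once that is fixed, the exit status of `iptables-restore` on L31/L33 is still unchecked and `iptables_insert_once` discards all output, so a failed restore leaves the `-I ... -j pakon_filter` inserts failing silently against a missing chain; `iptables-restore --noflush < "$IPTABLES_RULES" || exit 1` would surface it. The `shift 2` in `iptables_insert_once` is dead code, since nothing after it reads the positional parameters.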
#!/bin/sh /etc/rc.common
# Copyright (C) 2017 CZ.NIC z.s.p.o. (http://www.nic.cz/)
USE_PROCD=1
EXTRA_COMMANDS="status"
EXTRA_HELP=" status Get pakond status (as exit code)"
ACTUAL_CONFIG="/tmp/pakon/pakond.lua"
IPTABLES_RULES="/tmp/pakon/pakond.fw"
IP6TABLES_RULES="/tmp/pakon/pakond.fw6"
PID_FILE="/var/run/pakond.pid"
START=50
build_config_iptables() {
# builds configuration and prepare iptables chain. The chain is not referenced yet.
mkdir -p $(dirname $ACTUAL_CONFIG)
rm -f $ACTUAL_CONFIG
echo "*filter" > $IPTABLES_RULES
echo "*filter" > $IP6TABLES_RULES
echo ":pakon_filter - [0:0]" >> $IPTABLES_RULES
echo ":pakon_filter - [0:0]" >> $IP6TABLES_RULES
IFACES=""
IFACES_CNT=0
NETS=$(uci -q get pakon.daemon.networks) || { echo >&2 "Networks not set in configuration (configuration file might be missing)."; exit 1; }
for NET in $NETS; do
IFACE=$(uci -P/var/state get network.$NET.ifname) || exit 1
IFACES="${IFACES} ${IFACE}"
IFACES_CNT=$((IFACES_CNT+1))
done
# we want to ignore traffic being forwarded from one local (watched) interface to another
# if we have multiple interfaces, we add new chain pakon_filter_ignore, to which we redirect traffic originating from all watched interface
# in pakon_filter_ignore we immediately ACCEPT all traffic to watched interfaces and RETURN to packet_filter for the rest
# this has the effect that traffic from watched interface to another watched interface is accepted (not passed to NFQUEUE)
# the rest RETURNs to pakon_filter and matches some NFQUEUE rule
if [ "$IFACES_CNT" -gt 1 ]; then
echo ":pakon_filter_ignore - [0:0]" >> $IPTABLES_RULES
echo ":pakon_filter_ignore - [0:0]" >> $IP6TABLES_RULES
for IFACE in $IFACES; do
echo "-A pakon_filter -i $IFACE -j pakon_filter_ignore" >> $IPTABLES_RULES
echo "-A pakon_filter -i $IFACE -j pakon_filter_ignore" >> $IP6TABLES_RULES
echo "-A pakon_filter_ignore -o $IFACE -j ACCEPT" >> $IPTABLES_RULES
echo "-A pakon_filter_ignore -o $IFACE -j ACCEPT" >> $IP6TABLES_RULES
done
# return is default policy, so it's not needed to add it explicitly to pakon_filter_ignore
fi
I=0
for IFACE in $IFACES; do
echo "queue({src=\"$IFACE\", dir=\"out\"}, \"v4\", 500, $((I)), 4, \"out\");" >> $ACTUAL_CONFIG
echo "-A pakon_filter -i $IFACE -j NFQUEUE --queue-num $((I++))" >> $IPTABLES_RULES
echo "queue({src=\"$IFACE\", dir=\"out\"}, \"v6\", 500, $((I)), 6, \"out\");" >> $ACTUAL_CONFIG
echo "-A pakon_filter -i $IFACE -j NFQUEUE --queue-num $((I++))" >> $IP6TABLES_RULES
echo "queue({src=\"$IFACE\", dir=\"in\"}, \"v4\", 500, $((I)), 4, \"in\");" >> $ACTUAL_CONFIG
echo "-A pakon_filter -o $IFACE -j NFQUEUE --queue-num $((I++))" >> $IPTABLES_RULES
echo "queue({src=\"$IFACE\", dir=\"in\"}, \"v6\", 500, $((I)), 6, \"in\");" >> $ACTUAL_CONFIG
echo "-A pakon_filter -o $IFACE -j NFQUEUE --queue-num $((I++))" >> $IP6TABLES_RULES
done
echo "COMMIT" >> $IPTABLES_RULES
echo "COMMIT" >> $IP6TABLES_RULES
echo "listen(\"/tmp/pakon/socket\")" >> $ACTUAL_CONFIG
iptables-restore --noflush < $IPTABLES_RULES
ip6tables-restore --noflush < $IP6TABLES_RULES
}
status() {
if [ -s $PID_FILE ]; then
busybox ps | awk '{print $1;}' | grep `cat $PID_FILE` &> /dev/null
if [ $? -eq 0 ]; then
# echo "Running."
return 0
else
# echo "Not running."
return 1
fi
else
# echo "Stopped."
return 2
fi
}
start_service() {
if status ; then
echo "Running already (`cat $PID_FILE`)"
exit 1;
else
build_config_iptables
procd_open_instance
procd_set_param command /usr/bin/pakon_wrapper.sh $ACTUAL_CONFIG $PID_FILE
procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-3}
procd_close_instance
fi
}
stop_service(){
rm -f $PID_FILE
}
reload_service() {
if status; then
iptables_deactivate
build_config_iptables
kill -HUP $(cat $PID_FILE)
iptables_activate
else
stop_service
start_service
fi
}
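Review bot: `status()` on L96 matches the PID file contents as an unanchored substring of the `ps` PID column, so a stale PID file holding e.g. 12 reports "running" while any PID 12x exists, after which `start_service` refuses to start and `reload_service` may send `kill -HUP` to an unrelated process; `grep -qx "$(cat "$PID_FILE")"` (or `kill -0 "$(cat "$PID_FILE")" 2>/dev/null`) checks the exact PID. `&> /dev/null` on the same line is a bash extension; under a strict POSIX `#!/bin/sh` it parses as backgrounding grep followed by an empty redirection, leaving `$?` at 0 and status() always "running", and whether busybox ash accepts it depends on its build options, so `>/dev/null 2>&1` is the safe spelling. `reload_service` (L126, L129) calls `iptables_deactivate` and `iptables_activate`, which are not defined in any file shown in this commit; unless they come from a file I cannot see, `reload` fails right after status() succeeds. The NFQUEUE rules written at L80-L86 carry no `--queue-bypass`, so while pakond is down but the rules are still referenced (crash, respawn window) matched traffic is dropped rather than passed; a comment at L77 stating whether fail-closed is intended would help the next maintainer.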
#!/bin/sh
# Copyright (C) 2017 CZ.NIC z.s.p.o. (http://www.nic.cz/)
# wrapper script to make sure that iptables NFQUEUE rules dies with pakond
if [ "$#" -ne 2 ];then
echo >&2 "arguments: config_name pid_file"
exit 1
fi
#workaround to get pid: run in background, get pid and wait for child
/usr/bin/pakond $1 &
iptables -I forwarding_rule -j pakon_filter
ip6tables -I forwarding_rule -j pakon_filter
iptables -I input_rule -j pakon_filter
ip6tables -I input_rule -j pakon_filter
iptables -I output_rule -j pakon_filter
ip6tables -I output_rule -j pakon_filter
pid=$!
echo $pid > $2
#wait does not deliver signals to child, I had to do it manually
trap "iptables -F pakon_filter; ip6tables -F pakon_filter; kill $pid" SIGTERM SIGINT
trap "kill -HUP $pid" SIGHUP
wait $pid
iptables -D forwarding_rule -j pakon_filter
ip6tables -D forwarding_rule -j pakon_filter
iptables -D input_rule -j pakon_filter
ip6tables -D input_rule -j pakon_filter
iptables -D output_rule -j pakon_filter
ip6tables -D output_rule -j pakon_filter
iptables -X pakon_filter
ip6tables -X pakon_filter
iptables -F pakon_filter_ignore 2>/dev/null
ip6tables -F pakon_filter_ignore 2>/dev/null
iptables -X pakon_filter_ignore 2>/dev/null
ip6tables -X pakon_filter_ignore 2>/dev/null
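Review bot: `iptables -X pakon_filter` on L162 runs against a chain that was never flushed on this path: the `-F pakon_filter` lives only inside the SIGTERM/SIGINT trap on L153, so when pakond exits on its own (crash, or a failed restart after HUP) the chain still holds the NFQUEUE rules, `-X` fails, and `-X pakon_filter_ignore` on L166/L167 fails as well because pakon_filter still references it, leaving both chains behind for the next start. Adding `iptables -F pakon_filter` and `ip6tables -F pakon_filter` right after the `-D` block (before L162) makes the cleanup independent of how pakond died. Between pakond's exit and the `-D` lines packets still hit NFQUEUE with no listener, and since the init script's rules do not set `--queue-bypass` that traffic is dropped in the meantime; a comment at L152 stating that this fail-closed window is accepted would make the intent explicit. Minor: `/usr/bin/pakond $1 &` and `echo $pid > $2` should quote `"$1"` and `"$2"`, since both come from procd's command line.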
......@@ -68,7 +68,7 @@ void loggingInitialize() {
uint64_t timeMsec(clockid_t id) {
struct timespec ts;
CHECK(clock_gettime(id, &ts) != -1);
return ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
uint64_t timeGrab(clockid_t id) {