authorAntti Seppälä <a.seppala@gmail.com>2022-11-29 13:41:36 +0200
committerTianling Shen <cnsztl@gmail.com>2022-12-22 09:52:01 +0800
commitdd00cd04c5b57e3845db75839088edfb0a4c7a15 (patch)
tree5d6ba6d98530823a6ed74190e05c815f9a9c5ab1 /net
parent4c58d6d288f303a7a729e88d82496d0f1afd5301 (diff)
uacme: Use UCI to configure firewall instead of iptables
Use UCI to add temporary incoming firewall rule to accept http traffic for challenge verification. This should make uacme compatible with OpenWrt's fw3/4 implementation. Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
Diffstat (limited to 'net')
-rwxr-xr-x[-rw-r--r--]net/uacme/files/run.sh29
1 files changed, 18 insertions, 11 deletions
diff --git a/net/uacme/files/run.sh b/net/uacme/files/run.sh
index 556bcc2f9..98871d4ba 100644..100755
--- a/net/uacme/files/run.sh
+++ b/net/uacme/files/run.sh
@@ -37,6 +37,7 @@ NGINX_WEBSERVER=0
UPDATE_NGINX=0
UPDATE_UHTTPD=0
UPDATE_HAPROXY=0
+FW_RULE=
USER_CLEANUP=
. /lib/functions.sh
@@ -135,24 +136,30 @@ pre_checks()
esac
done
- iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
- debug "v4 input_rule: $(iptables -nvL input_rule)"
- if [ -e "/usr/sbin/ip6tables" ]; then
- ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
- debug "v6 input_rule: $(ip6tables -nvL input_rule)"
- fi
+ FW_RULE=$(uci add firewall rule) || return 1
+ uci set firewall."$FW_RULE".name='uacme: temporarily allow incoming http'
+ uci set firewall."$FW_RULE".enabled='1'
+ uci set firewall."$FW_RULE".target='ACCEPT'
+ uci set firewall."$FW_RULE".src='wan'
+ uci set firewall."$FW_RULE".proto='tcp'
+ uci set firewall."$FW_RULE".dest_port='80'
+ uci commit firewall
+ /etc/init.d/firewall reload
+
+ debug "added firewall rule: $FW_RULE"
return 0
}
post_checks()
{
log "Running post checks (cleanup)."
- # The comment ensures we only touch our own rules. If no rules exist, that
- # is fine, so hide any errors
- iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
- if [ -e "/usr/sbin/ip6tables" ]; then
- ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
+ # $FW_RULE contains the string to identify firewall rule created earlier
+ if [ -n "$FW_RULE" ]; then
+ uci delete firewall."$FW_RULE"
+ uci commit firewall
+ /etc/init.d/firewall reload
fi
+
if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
uci commit uhttpd
/etc/init.d/uhttpd reload
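Review bot: The rule created in pre_checks() is written to /etc/config/firewall by `uci commit firewall`, so unlike the old in-memory iptables entry it survives a reboot whenever the run never reaches post_checks() (uacme error, signal, power loss), leaving TCP/80 accepted from the WAN zone until someone removes it by hand; pre_checks() itself opens above this hunk. Since `/lib/functions.sh` is already sourced, pre_checks() can first delete any leftover rule carrying the name it assigns, which makes the add idempotent and bounds the exposure to one run — the lines below go immediately before `FW_RULE=$(uci add firewall rule) || return 1`. The `uci set`, `uci commit firewall` and `/etc/init.d/firewall reload` calls also return status unchecked, so a failed commit or reload lets the challenge proceed as if the port were open; `uci commit firewall || return 1` and `/etc/init.d/firewall reload || return 1` would match the check already placed on `uci add`. `src='wan'` presumably relies on the default zone name; on a router whose WAN zone is renamed the rule would reference a zone that does not exist, which is worth a comment or a check.
```sh
    # Drop any rule left behind by a run that never reached post_checks():
    # the rule is committed to /etc/config/firewall and would persist.
    _uacme_rm_stale_rule() {
        local name
        config_get name "$1" name
        if [ "$name" = 'uacme: temporarily allow incoming http' ]; then
            uci delete firewall."$1"
        fi
    }
    config_load firewall
    config_foreach _uacme_rm_stale_rule rule

    FW_RULE=$(uci add firewall rule) || return 1
    # … unchanged: uci set …, uci commit firewall, firewall reload …
```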