acme: switch from iptables to nft
Use nft instead of iptables to open port 80 in the firewall when getting a cert. Since nft doesn't allow deleting a rule by its contents, capture and save the handle when creating the rule, and use that to delete. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This commit is contained in:
parent
1d54defb0f
commit
d926da5182
@ -21,6 +21,7 @@ NGINX_WEBSERVER=0
UPDATE_NGINX=0
UPDATE_NGINX=0
UPDATE_UHTTPD=0
UPDATE_UHTTPD=0
UPDATE_HAPROXY=0
UPDATE_HAPROXY=0
NFT_HANDLE=
USER_CLEANUP=
USER_CLEANUP=
. /lib/functions.sh
. /lib/functions.sh
@ -126,19 +127,17 @@ pre_checks() {
esac
esac
done
done
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+')
ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
ret=$?
debug "v4 input_rule: $(iptables -nvL input_rule)"
[ "$ret" -eq "0" ] || return 1
debug "v6 input_rule: $(ip6tables -nvL input_rule)"
debug "added nft rule: $NFT_HANDLE"
return 0
return 0
}
}
post_checks() {
post_checks() {
log "Running post checks (cleanup)."
log "Running post checks (cleanup)."
# The comment ensures we only touch our own rules. If no rules exist, that
# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
# is fine, so hide any errors
[ -n "$NFT_HANDLE" ] && nft delete rule inet fw4 input $NFT_HANDLE
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then
if [ -e /etc/init.d/uhttpd ] && { [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ]; }; then
if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
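Review bot: `ret=$?` on the line after the `NFT_HANDLE=$(nft … | grep …)` assignment records the exit status of `grep`, not of `nft`, so an insert that succeeds but whose echoed output does not match `handle [0-9]\+` makes pre_checks return 1 while the accept rule stays in the input chain, and post_checks cannot remove it because `NFT_HANDLE` is empty. The insert's own failure is likewise detected only indirectly, through grep finding nothing on stdout. Splitting the two steps checks nft's status directly, and looking the rule up by its `ACME` comment in `nft -a list chain inet fw4 input` gives post_checks a usable handle when the echo cannot be parsed (the listing format should be confirmed against the nft version shipped). The enclosing pre_checks function starts outside the hunk.
```shell
	# … unchanged: webserver checks …
	nft_out=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME) || return 1
	NFT_HANDLE=$(printf '%s\n' "$nft_out" | grep -o 'handle [0-9]\+')
	if [ -z "$NFT_HANDLE" ]; then
		# rule is in place but the echoed handle was not parsed; recover it via the comment
		NFT_HANDLE=$(nft -a list chain inet fw4 input | grep -F ACME | grep -o 'handle [0-9]\+' | head -n1)
	fi
	[ -n "$NFT_HANDLE" ] || return 1
	debug "added nft rule: $NFT_HANDLE"
	return 0
```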