From dd00cd04c5b57e3845db75839088edfb0a4c7a15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antti=20Sepp=C3=A4l=C3=A4?=
Date: Tue, 29 Nov 2022 13:41:36 +0200
Subject: [PATCH] uacme: Use UCI to configure firewall instead of iptables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use UCI to add temporary incoming firewall rule to accept http traffic for challenge verification. This should make uacme compatible with OpenWrt's fw3/4 implementation.

Signed-off-by: Antti Seppälä
---
 net/uacme/files/run.sh | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
 mode change 100644 => 100755 net/uacme/files/run.sh

diff --git a/net/uacme/files/run.sh b/net/uacme/files/run.sh
old mode 100644
new mode 100755
index 556bcc2f9f..98871d4ba7
--- a/net/uacme/files/run.sh
+++ b/net/uacme/files/run.sh
@@ -37,6 +37,7 @@
 NGINX_WEBSERVER=0
 UPDATE_NGINX=0
 UPDATE_UHTTPD=0
 UPDATE_HAPROXY=0
+FW_RULE=
 USER_CLEANUP=
 . /lib/functions.sh
@@ -135,24 +136,30 @@ pre_checks()
 esac
 done
 
- iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
- debug "v4 input_rule: $(iptables -nvL input_rule)"
- if [ -e "/usr/sbin/ip6tables" ]; then
- ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
- debug "v6 input_rule: $(ip6tables -nvL input_rule)"
- fi
+ FW_RULE=$(uci add firewall rule) || return 1
+ uci set firewall."$FW_RULE".name='uacme: temporarily allow incoming http'
+ uci set firewall."$FW_RULE".enabled='1'
+ uci set firewall."$FW_RULE".target='ACCEPT'
+ uci set firewall."$FW_RULE".src='wan'
+ uci set firewall."$FW_RULE".proto='tcp'
+ uci set firewall."$FW_RULE".dest_port='80'
+ uci commit firewall
+ /etc/init.d/firewall reload
+
+ debug "added firewall rule: $FW_RULE"
 return 0
 }
 
 post_checks()
 {
 log "Running post checks (cleanup)."
- # The comment ensures we only touch our own rules. If no rules exist, that
- # is fine, so hide any errors
- iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
- if [ -e "/usr/sbin/ip6tables" ]; then
- ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
+ # $FW_RULE contains the string to identify firewall rule created earlier
+ if [ -n "$FW_RULE" ]; then
+ uci delete firewall."$FW_RULE"
+ uci commit firewall
+ /etc/init.d/firewall reload
 fi
+
 if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
 uci commit uhttpd
 /etc/init.d/uhttpd reload
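Review bot: The rule created at `FW_RULE=$(uci add firewall rule)` is written to the persistent firewall config by `uci commit firewall`, so if the script is interrupted between pre_checks() and post_checks() (signal, crash of the challenge step, reboot mid-run) a WAN-facing ACCEPT on tcp/80 survives, whereas the removed iptables rule lived only in the running ruleset and disappeared on reboot. Registering a cleanup handler before the commit, e.g. `trap post_checks EXIT INT TERM` (or a smaller helper that only deletes `firewall."$FW_RULE"`, since post_checks also touches other services), would close that window, and post_checks() could additionally remove any leftover section carrying the distinctive name `uacme: temporarily allow incoming http` from an earlier aborted run. The status of `uci delete firewall."$FW_RULE"` and of both `/etc/init.d/firewall reload` calls is ignored, so a rule that fails to be removed goes unlogged; `uci delete firewall."$FW_RULE" || log "failed to remove firewall rule $FW_RULE"` would surface it. `src='wan'` also assumes a zone of that name exists, which is the OpenWrt default but not guaranteed on customised configs. pre_checks() begins above this hunk.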