[Bug fix] The potential issue of loading firewall rules (hestiacp#2064)

myrevery · jaapmarcus · web-flow · commit 05d0a7c421ea · 2021-08-20T22:10:15.000+02:00
* Add 1.4.11.sh for update firewall loading script
* Fix the potential issue of loading firewall rules
* Fix the potential issue of loading firewall rules
* Loading firewall rules by Systemd instead
* Loading firewall rules by Systemd instead
* Delete the old version loading script
* Update changelog
Co-authored-by: Jaap Marcus &lt;9754650+jaapmarcus@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 
 ### Features
 
+- Replace old firewall system with systemd service / startup script #2064 @myrevery
 - Add Quick installers for GravCMS, Docuwiki and Mediawiki (#2002) @PsychotherapistSam
 
 ### Bugfixes
diff --git a/bin/v-stop-firewall b/bin/v-stop-firewall
@@ -76,29 +76,25 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
-    routable="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
-    preup="/etc/network/if-pre-up.d/hestia-iptables"
-    # Recreate the Hestia iptables rules loading script
-    rm -f $routable $preup
-    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
-        echo '#!/bin/sh' > $routable
-        echo '' >> $routable
-        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $routable
-        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $routable
-        echo 'fi' >> $routable
-        echo '' >> $routable
-        echo "exit 0" >> $routable
-        chmod +x $routable
-    else
-        echo '#!/bin/sh' > $preup
-        echo '' >> $preup
-        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-        echo 'fi' >> $preup
-        echo '' >> $preup
-        echo "exit 0" >> $preup
-        chmod +x $preup
+    sd_unit="/lib/systemd/system/hestia-iptables.service"
+    if [ ! -e "$sd_unit" ]; then
+        echo "[Unit]" >> $sd_unit
+        echo "Description=Loading Hestia firewall rules" >> $sd_unit
+        echo "DefaultDependencies=no" >> $sd_unit
+        echo "Wants=network-pre.target local-fs.target" >> $sd_unit
+        echo "Before=network-pre.target" >> $sd_unit
+        echo "After=local-fs.target" >> $sd_unit
+        echo "" >> $sd_unit
+        echo "[Service]" >> $sd_unit
+        echo "Type=oneshot" >> $sd_unit
+        echo "RemainAfterExit=yes" >> $sd_unit
+        echo "ExecStartPre=-${HESTIA}/bin/v-update-firewall-ipset" >> $sd_unit
+        echo "ExecStart=/sbin/iptables-restore /etc/iptables.rules" >> $sd_unit
+        echo "" >> $sd_unit
+        echo "[Install]" >> $sd_unit
+        echo "WantedBy=multi-user.target" >> $sd_unit
     fi
+    systemctl is-enabled hestia-iptables >/dev/null 2>&1 && systemctl disable hestia-iptables >/dev/null 2>&1
 fi
 
 
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -69,7 +69,7 @@ if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22"  ]; then
 fi
 
 # Load ipset lists before adding Hestia iptables rules
-[ -x "$(which ipset)" ] && $BIN/v-update-firewall-ipset
+$BIN/v-update-firewall-ipset
 
 # Creating temporary file
 tmp=$(mktemp)
@@ -185,31 +185,25 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
-    routable="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
-    preup="/etc/network/if-pre-up.d/hestia-iptables"
-    # Recreate the Hestia iptables rules loading script
-    rm -f $routable $preup
-    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
-        echo '#!/bin/sh' > $routable
-        echo '' >> $routable
-        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $routable
-        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $routable
-        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $routable
-        echo 'fi' >> $routable
-        echo '' >> $routable
-        echo "exit 0" >> $routable
-        chmod +x $routable
-    else
-        echo '#!/bin/sh' > $preup
-        echo '' >> $preup
-        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-        echo 'fi' >> $preup
-        echo '' >> $preup
-        echo "exit 0" >> $preup
-        chmod +x $preup
+    sd_unit="/lib/systemd/system/hestia-iptables.service"
+    if [ ! -e "$sd_unit" ]; then
+        echo "[Unit]" >> $sd_unit
+        echo "Description=Loading Hestia firewall rules" >> $sd_unit
+        echo "DefaultDependencies=no" >> $sd_unit
+        echo "Wants=network-pre.target local-fs.target" >> $sd_unit
+        echo "Before=network-pre.target" >> $sd_unit
+        echo "After=local-fs.target" >> $sd_unit
+        echo "" >> $sd_unit
+        echo "[Service]" >> $sd_unit
+        echo "Type=oneshot" >> $sd_unit
+        echo "RemainAfterExit=yes" >> $sd_unit
+        echo "ExecStartPre=-${HESTIA}/bin/v-update-firewall-ipset" >> $sd_unit
+        echo "ExecStart=/sbin/iptables-restore /etc/iptables.rules" >> $sd_unit
+        echo "" >> $sd_unit
+        echo "[Install]" >> $sd_unit
+        echo "WantedBy=multi-user.target" >> $sd_unit
     fi
+    systemctl is-enabled hestia-iptables >/dev/null 2>&1 || systemctl enable hestia-iptables >/dev/null 2>&1
 fi
 
 
diff --git a/install/upgrade/versions/1.4.10.sh b/install/upgrade/versions/1.4.10.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.4.10
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+
diff --git a/install/upgrade/versions/1.4.11.sh b/install/upgrade/versions/1.4.11.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.4.11
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+# Fix the potential issue of loading firewall rules
+if [ "$FIREWALL_SYSTEM" = "iptables" ]; then
+    echo "[ * ] Fix the potential issue of loading firewall rules..."
+    # Just in case, delete the legacy version loading script again to prevent any residue
+    rm -f /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks /etc/network/if-pre-up.d/iptables
+    # The firewall rules are loading by Systemd, the old loading script is no longer needed
+    rm -f /usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables /etc/network/if-pre-up.d/hestia-iptables
+    $BIN/v-update-firewall
+fi
