[Bug Fix] Optimize loading firewall rules (hestiacp#1858)

myrevery · jaapmarcus · web-flow · commit ea49308242e9 · 2021-05-31T13:53:58.000+02:00
* Optimize loading firewall rules * Optimize loading firewall rules * Optimize loading firewall rules * Edited for get the default interface * Edited for get the default interface * Add extra rule to 1.4.2 On v-update-firewall the iptables.rules will be rewritten/generated and If this rule is skipped it will be not created https://github.com/myrevery/hestiacp/blob/f0c7c54261c289fb10ea283618dda71b7cddd320/bin/v-update-firewall#L79-L84 Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
diff --git a/bin/v-stop-firewall b/bin/v-stop-firewall
@@ -76,31 +76,30 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
-    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed"; then
-        preup="/usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks"
+    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
+        preup="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
         if [ ! -e "$preup" ]; then
-            for iface in $(ip token | awk -F 'dev ' '{print $2}'); do 
-                if [ -z "$interfaces" ]; then
-                    interfaces=" \"\$IFACE\"==\"$iface\""
-                else
-                    interfaces="$interfaces || \"\$IFACE\"==\"$iface\" ";
-                fi
-            done
             IFS='%'
-            echo '#!/bin/bash' > $preup
+            echo '#!/bin/sh' > $preup
             echo '' >> $preup
-            echo 'if [['$interfaces']]; then' >> $preup
+            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
             echo '    sleep 3' >> $preup
             echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
             echo 'fi' >> $preup
             echo "exit 0" >> $preup
             chmod +x $preup
         fi
     else
-        preup="/etc/network/if-pre-up.d/iptables"
+        preup="/etc/network/if-pre-up.d/hestia-iptables"
         if [ ! -e "$preup" ]; then
+            IFS='%'
             echo '#!/bin/sh' > $preup
-            echo "/sbin/iptables-restore < /etc/iptables.rules" >> $preup
+            echo '' >> $preup
+            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
+            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
+            echo 'fi' >> $preup
             echo "exit 0" >> $preup
             chmod +x $preup
         fi
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -183,27 +183,30 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
-    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed"; then
-        preup="/usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks"
+    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
+        preup="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
         if [ ! -e "$preup" ]; then
             IFS='%'
-            echo '#!/bin/bash' > $preup
-            echo '' >> $preup
-            echo "${HESTIA}/bin/v-update-firewall-ipset" >> $preup
+            echo '#!/bin/sh' > $preup
             echo '' >> $preup
-            echo 'if [ "$IFACE" == "'$(/bin/ip token | awk -F 'dev ' '{print $2}')'" ]; then' >> $preup
+            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
             echo '    sleep 3' >> $preup
             echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
             echo 'fi' >> $preup
             echo "exit 0" >> $preup
             chmod +x $preup
         fi
     else
-        preup="/etc/network/if-pre-up.d/iptables"
+        preup="/etc/network/if-pre-up.d/hestia-iptables"
         if [ ! -e "$preup" ]; then
+            IFS='%'
             echo '#!/bin/sh' > $preup
-            echo "${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-            echo "/sbin/iptables-restore < /etc/iptables.rules" >> $preup
+            echo '' >> $preup
+            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
+            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
+            echo 'fi' >> $preup
             echo "exit 0" >> $preup
             chmod +x $preup
         fi
diff --git a/install/upgrade/versions/1.4.2.sh b/install/upgrade/versions/1.4.2.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.4.2
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+# Optimize loading firewall rules
+if [ "$FIREWALL_SYSTEM" = "iptables" ]; then
+    echo "[ * ] Fix the issue of loading firewall rules..."
+    # Add rule to ensure the rule will be added when we update the firewall / /etc/iptables.rules
+    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+    rm -f /usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks /etc/network/if-pre-up.d/iptables
+    $BIN/v-update-firewall
+fi
