Commit 1199347f authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

main/awall: upgrade to 1.6.0

parent 726b3e13
# Contributor: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=awall
pkgver=1.5.1
pkgver=1.6.0
pkgrel=0
pkgdesc="Alpine Wall"
url="https://git.alpinelinux.org/cgit/awall/"
......@@ -11,9 +11,10 @@ license="GPL-2.0"
replaces="awall-nat"
depends="bind-tools ip6tables ipset iptables lua$_luaver lua$_luaver-alt-getopt lua$_luaver-cjson
lua$_luaver-pc lua$_luaver-posix lua$_luaver-stringy xtables-addons"
subpackages=$pkgname-masquerade
subpackages="$pkgname-masquerade $pkgname-policies"
triggers="$pkgname.trigger=/usr/share/awall"
source="http://dev.alpinelinux.org/archive/awall/awall-$pkgver.tar.xz
setup-firewall
"
builddir=$srcdir/awall-$pkgver
......@@ -35,7 +36,6 @@ package() {
masquerade() {
depends=awall
cd "$builddir"
for file in lua/$_luaver/awall/modules/masquerade.lua awall/mandatory/masquerade.json; do
local path=usr/share/$file
install -d "$subpkgdir/$(dirname $path)"
......@@ -43,4 +43,13 @@ masquerade() {
done
}
sha512sums="562c113ff7f6e9615a66723e3fb097daf5c875dbc65b176405e9ba40e9d2321db0f4c095889ae6c015b297a6100218b2713f849ca305f4db4837ae7153a47a64 awall-1.5.1.tar.xz"
policies() {
depends=awall
local dir=usr/share/awall/optional
install -d "$subpkgdir"/$dir
mv "$pkgdir"/$dir/*.json "$subpkgdir"/$dir
install -D "$srcdir"/setup-firewall "$subpkgdir"/usr/sbin/setup-firewall
}
sha512sums="a131cf4f6cb8b17a007c05b27d43396dd702e52bb94bbfd348b86514fb374e277f1d30e706d41b79cc454ab0921fc12acb72af5e5500af91709b3254dc60587c awall-1.6.0.tar.xz
0ec166d5e57f1f3eb9be40074f794c6f603b29888fd39d6e56256d3ba853745c768e37a516c8bc6c9a062eeb7652b4de1d7ef7ef63f75cf24d725459c76395de setup-firewall"
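Review bot: The new policies() subpackage installs setup-firewall into /usr/sbin but declares only `depends=awall`, while the script itself sources /lib/libalpine.sh (for `die`) and shells out to `ip`, `rc-update` and `service`; none of those are guaranteed to be present just because awall is. If libalpine.sh comes from alpine-conf, as it does on a standard Alpine install, the subpackage should say so, e.g. `depends="awall alpine-conf"`, so that a host with only the policies package installed does not fail at the very first sourced line. It is also worth noting in the pkgdesc or a comment that setup-firewall must run as root, since it rewrites /etc/conf.d/iptables and starts services.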
#!/bin/sh -e
# Firewall setup script for Alpine Linux
# Copyright (C) 2018 Kaarle Ritvanen
. /lib/libalpine.sh
info() {
local obj=$1
shift
if [ "$1" ]; then
echo "Detected $obj:" $*
fi
}
is_running() {
busybox pgrep -x /usr/sbin/$1 > /dev/null
}
enable_policy() {
echo "Enabling policy $1"
awall enable $1
}
enable_if_running() {
local policy=$1
shift
for proc in $*; do
if is_running $proc; then
enable_policy $policy
return
fi
shift
done
}
list_to_json() {
local var=$1
eval set -- \$$var
echo -n "\"$var\": ["
local sep=" "
while [ "$1" ]; do
echo -n "$sep\"$1\""
sep=", "
shift
done
echo " ]"
}
WAN_IFACE=$(ip route | sed -E 's/^default .+ dev ([^ ]+)( .*)?$/\1/;ta;d;:a')
[ "$WAN_IFACE" ] || die "No default gateway"
info "WAN interface" $WAN_IFACE
DHCP_ZONES=
[ -f /var/run/udhcpc.$WAN_IFACE.pid ] && DHCP_ZONES=wan
if is_running dhcpd; then
LAN_IFACES=$(. /etc/conf.d/dhcpd && echo $DHCPD_IFACE)
if [ -z "$LAN_IFACES" ]; then
for iface in $(ip -o address | \
sed -E 's/ scope host //;ta;s/^[0-9]+: ([^ ]+) .+/\1/;tb;:a;d;:b'); do
echo "$LAN_IFACES" | grep -q " $iface " || \
LAN_IFACES="$LAN_IFACES $iface "
done
fi
elif is_running udhcpd; then
LAN_IFACES=$(sed -E $'s/^interface( |\t)+(.+)$/\\2/;ta;d;:a' /etc/udhcpd.conf)
else
LAN_IFACES=
fi
LAN_IFACES=$(echo $(echo " $LAN_IFACES " | sed "s/ $WAN_IFACE //"))
LAN_ADDRS=
LAN_PRIVATE_ADDRS=
if [ "$LAN_IFACES" ]; then
for iface in $LAN_IFACES; do
for addr in $(ip -o address list dev $iface | \
sed -E 's/^[0-9]+: [^ ]+ +[^ ]+ ([^ ]+) .+$/\1/;ta;d;:a'); do
LAN_ADDRS="$LAN_ADDRS $addr"
LAN_PRIVATE_ADDRS="$LAN_PRIVATE_ADDRS $(echo $addr | \
sed -E 's/^((10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.)/\1/;ta;d;:a')"
done
done
info "LAN interfaces" $LAN_IFACES
info "LAN addresses" $LAN_ADDRS
info "LAN private addresses" $LAN_PRIVATE_ADDRS
DHCP_ZONES="$DHCP_ZONES lan"
enable_policy router
fi
if [ "$DHCP_ZONES" ]; then
info "DHCP zones" $DHCP_ZONES
enable_policy dhcp
fi
HTTP_REPOS=$(grep ^http:// /etc/apk/repositories) && enable_policy http-client
[ $(echo "$HTTP_REPOS" | egrep -v '^http://([.0-9]+|\[.+\])(:|/)' | wc -l) -eq 0 ] || \
enable_policy dns-client
enable_if_running ntp-client chronyd ntpd openntpd
enable_if_running ssh-server dropbear sshd
enable_policy ping
cat > /etc/awall/awall-policies.json <<EOF
{
"variable": {
$(list_to_json DHCP_ZONES),
$(list_to_json LAN_ADDRS),
$(list_to_json LAN_IFACES),
$(list_to_json LAN_PRIVATE_ADDRS)
},
"zone": { "wan": { "iface": "$WAN_IFACE" } }
}
EOF
awall translate
set_param() {
sed -Ei "s/^($2=).*\$/\\1$3/" /etc/conf.d/$1
}
enable_service() {
echo "Enabling service $1"
set_param $1 SAVE_ON_STOP no
if [ "$LAN_IFACES" ]; then
set_param IPFORWARD yes
fi
rc-update add $1
service $1 start
}
enable_service iptables
if ip -o address | egrep -q '^[0-9]+: [^ ]+ +inet6 '; then
enable_service ip6tables
fi
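Review bot: The `set_param IPFORWARD yes` call inside enable_service passes two arguments to a three-argument helper, so it rewrites /etc/conf.d/IPFORWARD with key `yes` instead of setting IPFORWARD in /etc/conf.d/$1; the intended line is `set_param $1 IPFORWARD yes`. Because that file does not exist on a normal host, sed fails, and under `#!/bin/sh -e` the script aborts in exactly the router case (LAN_IFACES non-empty) before `rc-update add iptables` and `service iptables start` run, leaving the freshly translated rules unloaded and not persisted across reboot, which for a firewall setup script is a fail-open outcome. A smaller point nearby: when /etc/apk/repositories has no http:// entries, `echo "$HTTP_REPOS"` still emits one empty line, so the `wc -l` count is 1 and the dns-client policy is enabled although no repository needs name resolution; guarding with `[ -z "$HTTP_REPOS" ] ||` before that test keeps the policy set minimal.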