sysv init : separate daemon launch and firewall

6 years ago · b0f0cd1c75
3 changed files with 187 additions and 134 deletions
--- a/docs/readme.txt
+++ b/docs/readme.txt
@ -307,14 +307,27 @@ IFACE_WAN=eth1
 Параметр INIT_APPLY_FW=1 разрешает init скрипту самостоятельно применять правила iptables.
 При иных значениях или если параметр закомментирован, правила применены не будут.
 Это полезно, если у вас есть система управления фаерволом, в настройки которой и следует прикрутить правила.
+
+Прикручивание к системе управления фаерволом или своей системе запуска
+----------------------------------------------------------------------
+
+Не всегда желательно, чтобы init скрипт или служба systemd применяли правила фаервола.
 Хелпер-функции для настройки фаервола вынесены в отдельный shell include
 Чтобы не копировать текст и не изобретать велосипед можно подключить include из ваших скриптов.
-В своем скрипте необходимо выставить переменную APPLY_FW=1, чтобы принудительно разрешить применение правил iptales
-вне зависимости от параметра INIT_APPLY_FW.
-Пример :
+
 . /opt/zapret/init.d/sysv/functions
-APPLY_FW=1
-fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+
+Есть 2 простые функции, которые позволят добавить и удалить правила firewall от zapret :
+
+zapret_apply_firewall
+zapret_unapply_firewall
+
+И 2 простых функции для запуска и остановки демонов :
+
+zapret_run_daemons
+zapret_stop_daemons
+
+Посмотрите init скрипт /opt/zapret/init.d/sysv/zapret и все поймете сами.

 Пример установки на debian-подобную систему
 -------------------------------------------
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -28,8 +28,6 @@ TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS"
 [ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
 [ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"

-[ -n "$APPLY_FW" ] || APPLY_FW=$INIT_APPLY_FW
-
 exists()
 {
 	which $1 >/dev/null 2>/dev/null
@ -88,14 +86,14 @@ fw_tpws_add()
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Adding iptables rule for tpws : $1"
 		[ -n "$IFACE_LAN" ] && {
 			ipt PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
 	 	}
 		ipt OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Adding ip6tables rule for tpws : $2"
 		[ -n "$IFACE_LAN" ] && {
 			dnat6_target
@ -109,14 +107,14 @@ fw_tpws_del()
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Deleting iptables rule for tpws : $1"
 		[ -n "$IFACE_LAN" ] && {
 			ipt_del PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
 		}
 		ipt_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Deleting ip6tables rule for tpws : $2"
 		[ -n "$IFACE_LAN" ] && {
 			dnat6_target
@ -130,11 +128,11 @@ fw_nfqws_add_pre()
 {
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Adding iptables rule for nfqws prerouting : $1"
 		ipt PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Adding ip6tables rule for nfqws prerouting : $2"
 		ipt6 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
@ -143,11 +141,11 @@ fw_nfqws_del_pre()
 {
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Deleting iptables rule for nfqws prerouting : $1"
 		ipt_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Deleting ip6tables rule for nfqws prerouting : $2"
 		ipt6_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
@ -156,11 +154,11 @@ fw_nfqws_add_post()
 {
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Adding iptables rule for nfqws postrouting : $1"
 		ipt POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Adding ip6tables rule for nfqws postrouting : $2"
 		ipt6 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
@ -169,11 +167,11 @@ fw_nfqws_del_post()
 {
 	# $1 - iptable filter for ipv4
 	# $2 - iptable filter for ipv6
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
+	[ "$DISABLE_IPV4" != "1" ] && {
 		echo "Deleting iptables rule for nfqws postrouting : $1"
 		ipt_del POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
-	[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
+	[ "$DISABLE_IPV6" != "1" ] && {
 		echo "Deleting ip6tables rule for nfqws postrouting : $2"
 		ipt6_del POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
@ -240,6 +238,7 @@ prepare_tpws()

 run_tpws()
 {
+	prepare_tpws
 	[ "$DISABLE_IPV4" != "1" ] && run_daemon $1 $TPWS "$TPWS_OPT_BASE $2"
 	[ "$DISABLE_IPV6" != "1" ] && {
 		run_daemon $((60+$1)) $TPWS "$TPWS_OPT_BASE6 $2"
@ -261,3 +260,155 @@ create_ipset()
 	echo "Creating ipset"
 	"$IPSET_CR"
 }
+
+
+zapret_apply_firewall()
+{
+	case "${MODE}" in
+	    tpws_hostlist)
+			prepare_tpws
+			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
+			;;
+	    tpws_ipset)
+			create_ipset
+			prepare_tpws
+			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			;;
+	    tpws_ipset_https)
+			create_ipset
+			prepare_tpws
+			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			fw_tpws_add "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
+			;;
+	    tpws_all)
+			prepare_tpws
+			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
+			;;
+	    tpws_all_https)
+			prepare_tpws
+			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
+			fw_tpws_add "--dport 443" "--dport 443" $TPPORT_HTTPS
+			;;
+	    nfqws_ipset)
+			create_ipset
+			fw_nfqws_add_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
+			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			;;
+	    nfqws_ipset_https)
+			create_ipset
+			fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
+			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			;;
+	    nfqws_all)
+			fw_nfqws_add_pre "--sport 80" "--sport 80"
+			fw_nfqws_add_post "--dport 80" "--dport 80"
+			;;
+	    nfqws_all_https)
+			fw_nfqws_add_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
+			fw_nfqws_add_post "--dport 80" "--dport 80"
+			;;
+	    ipset)
+			create_ipset
+			;;
+	    custom)
+			# PLACEHOLDER
+			echo !!! NEED ATTENTION !!!
+			echo Configure iptables for required actions
+			echo Study how other sections work
+			;;
+	esac
+}
+zapret_run_daemons()
+{
+	case "${MODE}" in
+	    tpws_hostlist)
+			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
+			;;
+	    tpws_ipset)
+			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+			;;
+	    tpws_ipset_https|tpws_all_https)
+			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+			run_tpws 2 "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
+			;;
+	    tpws_all)
+			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+			;;
+	    nfqws_ipset|nfqws_ipset_https|nfqws_all|nfqws_all_https)
+			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+			;;
+	    ipset)
+			create_ipset
+			;;
+	    custom)
+			# PLACEHOLDER
+			echo !!! NEED ATTENTION !!!
+			echo Start daemon\(s\)
+			echo Study how other sections work
+			run_daemon 1 /bin/sleep 20
+			;;
+	esac
+}
+
+zapret_unapply_firewall()
+{
+	case "${MODE}" in
+	    tpws_hostlist|tpws_all)
+			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
+			;;
+	    tpws_ipset)
+			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			;;
+	    tpws_ipset_https)
+			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			fw_tpws_del "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
+			;;
+	    tpws_all_https)
+			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
+			fw_tpws_del "--dport 443" "--dport 443" $TPPORT_HTTPS
+			;;
+	    nfqws_ipset)
+			fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
+			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			;;
+	    nfqws_ipset_https)
+			fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
+			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			;;
+	    nfqws_all)
+			fw_nfqws_del_pre "--sport 80" "--sport 80"
+			fw_nfqws_del_post "--dport 80" "--dport 80"
+			;;
+	    nfqws_all_https)
+			fw_nfqws_del_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
+			fw_nfqws_del_post "--dport 80" "--dport 80"
+			;;
+	    custom)
+			# PLACEHOLDER
+			echo !!! NEED ATTENTION !!!
+			echo Clear firewall rules here. Remove iptables changes made previously.
+			echo Study how other sections work.
+			;;
+	esac
+}
+zapret_stop_daemons()
+{
+	case "${MODE}" in
+	    tpws_hostlist|tpws_all|tpws_ipset)
+			stop_tpws 1
+			;;
+	    tpws_ipset_https|tpws_all_https)
+			stop_tpws 1
+			stop_tpws 2
+			;;
+	    nfqws_ipset|nfqws_ipset_https|nfqws_all|nfqws_all_https)
+			stop_daemon 1 $NFQWS
+			;;
+	    custom)
+			# PLACEHOLDER
+			echo !!! NEED ATTENTION !!!
+			echo Stop daemon\(s\) previously started.
+			echo Study how other sections work.
+			;;
+	esac
+}
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -15,124 +15,13 @@ DESC=anti-zapret

 case "$1" in
  start)
-	case "${MODE}" in
-	    tpws_hostlist)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
-			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
-			;;
-	    tpws_ipset)
-			create_ipset
-			prepare_tpws
-			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
-			;;
-	    tpws_ipset_https)
-			create_ipset
-			prepare_tpws
-			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			fw_tpws_add "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
-			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
-			run_tpws 2 "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
-			;;
-	    tpws_all)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
-			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
-			;;
-	    tpws_all_https)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
-			fw_tpws_add "--dport 443" "--dport 443" $TPPORT_HTTPS
-			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
-			run_tpws 2 "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
-			;;
-	    nfqws_ipset)
-			create_ipset
-			fw_nfqws_add_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
-			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
-			;;
-	    nfqws_ipset_https)
-			create_ipset
-			fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
-			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
-			;;
-	    nfqws_all)
-			fw_nfqws_add_pre "--sport 80" "--sport 80"
-			fw_nfqws_add_post "--dport 80" "--dport 80"
-			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
-			;;
-	    nfqws_all_https)
-			fw_nfqws_add_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
-			fw_nfqws_add_post "--dport 80" "--dport 80"
-			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
-			;;
-	    ipset)
-			create_ipset
-			;;
-	    custom)
-			# PLACEHOLDER
-			echo !!! NEED ATTENTION !!!
-			echo Configure iptables for required actions
-			echo Start daemon\(s\)
-			echo Study how other sections work
-			run_daemon 1 /bin/sleep 20
-			;;
-	esac
+  	zapret_run_daemons
+  	[ "$INIT_APPLY_FW" = "1" ] && zapret_apply_firewall
 	;;

  stop)
-	case "${MODE}" in
-	    tpws_hostlist|tpws_all)
-			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
-			stop_tpws 1
-			;;
-	    tpws_ipset)
-			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			stop_tpws 1
-			;;
-	    tpws_ipset_https)
-			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			fw_tpws_del "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
-			stop_tpws 1
-			stop_tpws 2
-			;;
-	    tpws_all_https)
-			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
-			fw_tpws_del "--dport 443" "--dport 443" $TPPORT_HTTPS
-			stop_tpws 1
-			stop_tpws 2
-			;;
-	    nfqws_ipset)
-			fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
-			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			stop_daemon 1 $NFQWS
-			;;
-	    nfqws_ipset_https)
-			fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
-			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			stop_daemon 1 $NFQWS
-			;;
-	    nfqws_all)
-			fw_nfqws_del_pre "--sport 80" "--sport 80"
-			fw_nfqws_del_post "--dport 80" "--dport 80"
-			stop_daemon 1 $NFQWS
-			;;
-	    nfqws_all_https)
-			fw_nfqws_del_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
-			fw_nfqws_del_post "--dport 80" "--dport 80"
-			stop_daemon 1 $NFQWS
-			;;
-	    custom)
-			# PLACEHOLDER
-			echo !!! NEED ATTENTION !!!
-			echo Clear firewall rules here. Remove iptables changes made previously.
-			echo Stop daemon\(s\) previously started.
-			echo Study how other sections work.
-			;;
-	esac
+  	zapret_stop_daemons
+  	[ "$INIT_APPLY_FW" = "1" ] && zapret_unapply_firewall
 	;;

  *)