From: Ian Jackson
Date: Sun, 9 Apr 2017 12:03:22 +0000 (+0100)
Subject: initscript: check firewall
X-Git-Tag: hippotat/1.0.0~55^2~64
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=hippotat.git;a=commitdiff_plain;h=a60dab5b3221357bcf1926253fda0b3649c99834;hp=25367ad4963b246ac77028f07ecbedf393e30b66

initscript: check firewall
Signed-off-by: Ian Jackson
---
diff --git a/debian/control b/debian/control
index 5274837..518905b 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Maintainer: Ian Jackson
 Package: hippotat
 Depends: python3, ${python3:Depends}
-Recommends: authbind
+Recommends: userv, authbind
 Architecture: all
 Description: IP Over HTTP (Asinine)
  IP-over-HTTP client and server.
diff --git a/debian/hippotat.init b/debian/hippotat.init
index 51495e9..640bd8f 100644
--- a/debian/hippotat.init
+++ b/debian/hippotat.init
@@ -15,7 +15,9 @@ MASTER_CONFIG=/etc/hippotat/master.cfg
 USER=Debian-hippotat
 PIDFILE=/var/run/hippotat/hippotatd.pid
 LOGFACILITY=daemon
+CHECK_FIREWALL=true
 # HIPPOTATD_ARGS
+AS_USER=as_user_userv
 DESCRIPTION='Asinine IP over HTTP server'
 if type -p authbind >/dev/null 2>&1; then AUTHBIND=authbind; fi
@@ -26,6 +28,13 @@ egrep '^[^ #]' $MASTER_CONFIG >/dev/null 2>&1 || exit 0
 . /lib/lsb/init-functions
+as_user_userv () {
+ userv --override '
+ execute-from-path
+ no-suppress-args
+ ' $USER "$@"
+}
+
 ssd () {
 set +e
 start-stop-daemon --start --quiet --user $USER --pidfile=$PIDFILE "$@"
@@ -39,7 +48,25 @@ ensure_dirs () {
 chown $USER $pidfiledir
 }
+dump_firewall () {
+ iptables -L -v -n
+}
+
+print_config () {
+ $AS_USER $DAEMON $HIPPOTATD_ARGS --print-config "$1"
+}
+
+check_firewall () {
+ vnetwork=$(print_config vnetwork)
+ if dump_firewall | fgrep " $vnetwork " >/dev/null; then :; else
+ log_failure_msg \
+ "no entry in firewall for insecure vnetwork $vnetwork"
+ exit 1
+ fi
+}
+
 do_start () {
+ check_firewall
 ensure_dirs
 ssd --chuid $USER --startas \
 $AUTHBIND $DAEMON --daemon --pidfile=$PIDFILE \
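Review bot: CHECK_FIREWALL=true is introduced in this hunk but no line in the patch reads it — the last hunk has do_start call check_firewall unconditionally — so setting it to anything else has no effect; guard the call, `if [ "$CHECK_FIREWALL" = true ]; then check_firewall; fi`, rather than executing the variable's value as a command. AS_USER=as_user_userv is likewise set unconditionally while debian/control (first hunk) only Recommends userv, so on a host without it the failure surfaces later inside check_firewall as an opaque "not found" from print_config; the authbind line just below shows the pattern, `type -p userv >/dev/null 2>&1`, and either probing here with a clear message or promoting userv to Depends would be clearer. Falling back to running print_config as root when userv is absent would defeat the point of AS_USER, so a fallback is not what I am suggesting.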
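Review bot: as_user_userv has no comment explaining the `--override` block, and a reader can easily take `execute-from-path` and `no-suppress-args` for a relaxation of the userv policy that applies to $USER. As far as I read userv, the override supplies the service definition inline instead of from /etc/userv or the user's own configuration, which is what lets the root-run init script invoke $DAEMON as $USER without any packaged userv policy; a line above the function would save the next reader that lookup: `# Run "$@" as $USER via userv.  The inline --override supplies the whole service definition (look the program up on PATH, pass our arguments through unchanged) so no per-user userv policy has to be installed.` `$USER` on the last line is unquoted; harmless for the fixed value assigned above, but `"$USER"` would match the quoting of `"$@"` beside it.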
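Review bot: check_firewall passes vacuously when print_config fails or prints nothing: `vnetwork=$(print_config vnetwork)` ignores the exit status (unless the script runs under set -e, which is not visible here — the `set +e` in ssd hints that it might), and an empty $vnetwork turns the fgrep pattern into two spaces, which the column-padded output of `iptables -L -v -n` matches on almost every line including its headers. Check the status and non-emptiness before grepping, as below. The grep itself only shows that the string occurs somewhere in the filter table, in any chain and with any target including ACCEPT; that is fine as a sanity check, but a comment such as `# sanity check only: the vnetwork must appear in some filter rule` would set the right expectation, and the trailing space in the pattern may miss a rule where the network is the last field on its line. do_start's body continues past the end of the hunk.
```shell
check_firewall () {
	vnetwork=$(print_config vnetwork) || exit 1
	if [ -z "$vnetwork" ]; then
		log_failure_msg "could not determine vnetwork from $MASTER_CONFIG"
		exit 1
	fi
	# … unchanged: dump_firewall | fgrep check and its log_failure_msg …
}
```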