1 |
commit: 4fd0650ed9ef4cec5477038fcfb2e59db2cf2b93 |
2 |
Author: Patrick McLean <patrick.mclean <AT> sony <DOT> com> |
3 |
AuthorDate: Sat May 9 02:21:40 2020 +0000 |
4 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
5 |
CommitDate: Sat May 9 02:22:21 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/eselect.git/commit/?id=4fd0650e |
7 |
|
8 |
modules/iptables.eselect: Complete rewrite, solve issues in bug #721578 |
9 |
|
10 |
Signed-off-by: Patrick McLean <patrick.mclean <AT> sony.com> |
11 |
|
12 |
modules/iptables.eselect | 320 +++++++++++++++++++++++++++++++---------------- |
13 |
1 file changed, 214 insertions(+), 106 deletions(-) |
14 |
|
15 |
diff --git a/modules/iptables.eselect b/modules/iptables.eselect |
16 |
index f94b25c..e3e5906 100644 |
17 |
--- a/modules/iptables.eselect |
18 |
+++ b/modules/iptables.eselect |
19 |
@@ -2,43 +2,128 @@ |
20 |
# Copyright 2005-2020 Gentoo Authors |
21 |
# Distributed under the terms of the GNU GPL version 2 or later |
22 |
|
23 |
-DESCRIPTION="Manage the iptables and ip6tables symlink" |
24 |
-AUTHOR="chris@×××××××××××××××××××××××.uk" |
25 |
+inherit package-manager |
26 |
+ |
27 |
+DESCRIPTION="Manage the iptables/arptables/ebtables symlinks" |
28 |
MAINTAINER="base-system@g.o" |
29 |
-VERSION="20200319" |
30 |
+VERSION="20200508" |
31 |
+ |
32 |
+# a simple list of symlinks does for iptables |
33 |
+IPTABLES_SYMLINKS=( |
34 |
+ "iptables-xml" |
35 |
+ "iptables" "iptables-restore" "iptables-save" |
36 |
+) |
37 |
+IP6TABLES_SYMLINKS=( |
38 |
+ "ip6tables" "ip6tables-restore" "ip6tables-save" |
39 |
+) |
40 |
+ |
41 |
+# for arptables and ebtables we map names to legacy targets |
42 |
+ARPTABLES_TARGETS=( |
43 |
+ "arptables-legacy" |
44 |
+ "xtables-nft-multi" |
45 |
+) |
46 |
+declare -A ARPTABLES_SYMLINKS=( |
47 |
+ [arptables]="arptables-legacy" |
48 |
+ [arptables-restore]="arptables-legacy-restore" |
49 |
+ [arptables-save]="arptables-legacy-save" |
50 |
+) |
51 |
+ |
52 |
+EBTABLES_TARGETS=( |
53 |
+ "ebtables-legacy" |
54 |
+ "xtables-nft-multi" |
55 |
+) |
56 |
+declare -A EBTABLES_SYMLINKS=( |
57 |
+ [ebtables]="ebtables-legacy" |
58 |
+ [ebtables-restore]="ebtables-legacy-restore" |
59 |
+ [ebtables-save]="ebtables-legacy-save" |
60 |
+) |
61 |
|
62 |
-IPTABLES_TARGETS=("iptables" "iptables-restore" "iptables-save") |
63 |
-IP6TABLES_TARGETS=("ip6tables" "ip6tables-restore" "ip6tables-save") |
64 |
+# get which module is running |
65 |
+get_module() { |
66 |
+ local module |
67 |
+ module="${BASH_SOURCE[0]##*/}" |
68 |
|
69 |
-# find a list of xtables symlink targets |
70 |
+ printf -- '%s\n' "${module%.eselect}" |
71 |
+} |
72 |
+ |
73 |
+# find a list of symlink targets for the current module |
74 |
find_targets() { |
75 |
- local f |
76 |
- for f in "${EROOT}"/sbin/xtables-*-multi; do |
77 |
- [[ -f ${f} ]] && basename "${f}" |
78 |
- done |
79 |
+ local module target |
80 |
+ |
81 |
+ module="$(get_module)" |
82 |
+ case "${module}" in |
83 |
+ iptables) |
84 |
+ for target in "${EROOT}"/sbin/xtables-*-multi; do |
85 |
+ [[ -x ${target} ]] && printf -- '%s\n' "${target##*/}" |
86 |
+ done |
87 |
+ ;; |
88 |
+ arptables) |
89 |
+ for target in "${ARPTABLES_TARGETS[@]}"; do |
90 |
+ [[ -x ${EROOT}/sbin/${target} ]] && printf -- '%s\n' "${target}" |
91 |
+ done |
92 |
+ ;; |
93 |
+ ebtables) |
94 |
+ for target in "${EBTABLES_TARGETS[@]}"; do |
95 |
+ [[ -x ${EROOT}/sbin/${target} ]] && printf -- '%s\n' "${target}" |
96 |
+ done |
97 |
+ ;; |
98 |
+ *) die "Invalid module name ${module}" |
99 |
+ esac |
100 |
} |
101 |
|
102 |
-# remove the iptables symlink |
103 |
-remove_symlinks() { |
104 |
- local ipt |
105 |
- for ipt in "${IPTABLES_TARGETS[@]}"; do |
106 |
- rm -f "${EROOT}/sbin/${ipt}" &>/dev/null |
107 |
- done |
108 |
- if [[ -n ${ipv6} && -n ${ipv6_remove} ]]; then |
109 |
- local ip6t |
110 |
- for ip6t in "${IP6TABLES_TARGETS[@]}"; do |
111 |
- rm -f "${EROOT}/sbin/${ip6t}" &>/dev/null |
112 |
- done |
113 |
- fi |
114 |
+# get the list of symlinks for the current module |
115 |
+get_symlinks_list() { |
116 |
+ local module |
117 |
+ module="$(get_module)" |
118 |
+ |
119 |
+ case "${module}" in |
120 |
+ iptables) |
121 |
+ printf -- '%s\n' "${IPTABLES_SYMLINKS[@]}" |
122 |
+ |
123 |
+ if [[ ${1} == -a ]] || has_version 'net-firewall/iptables[ipv6]' |
124 |
+ then |
125 |
+ printf -- '%s\n' "${IP6TABLES_SYMLINKS[@]}" |
126 |
+ fi |
127 |
+ ;; |
128 |
+ arptables) printf -- '%s\n' "${!ARPTABLES_SYMLINKS[@]}";; |
129 |
+ ebtables) printf -- '%s\n' "${!EBTABLES_SYMLINKS[@]}";; |
130 |
+ *) die "Invalid module name ${module}" |
131 |
+ esac |
132 |
+} |
133 |
+ |
134 |
+# get the symlink target given a symlink name and the target implementation |
135 |
+get_symlink_target() { |
136 |
+ local link="${1}" target="${2}" module |
137 |
+ module="$(get_module)" |
138 |
+ |
139 |
+ case "${module}" in |
140 |
+ iptables) printf -- '%s\n' "${target}";; |
141 |
+ arptables) |
142 |
+ if [[ ${target} == *-legacy ]]; then |
143 |
+ printf -- '%s\n' "${ARPTABLES_SYMLINKS[${link}]}" |
144 |
+ else |
145 |
+ printf -- '%s\n' "${target}" |
146 |
+ fi |
147 |
+ ;; |
148 |
+ ebtables) |
149 |
+ if [[ ${target} == *-legacy ]]; then |
150 |
+ printf -- '%s\n' "${EBTABLES_SYMLINKS[${link}]}" |
151 |
+ else |
152 |
+ printf -- '%s\n' "${target}" |
153 |
+ fi |
154 |
+ ;; |
155 |
+ *) die "Invalid module name ${module}" |
156 |
+ esac |
157 |
} |
158 |
|
159 |
-# set the iptables symlink |
160 |
+# set the symlinks for the current target |
161 |
set_symlinks() { |
162 |
local target="${1}" |
163 |
+ local retval=0 |
164 |
|
165 |
if is_number "${target}" && [[ ${target} -ge 1 ]]; then |
166 |
local -a targets |
167 |
- readarray -t targets <<< "$(find_targets)" |
168 |
+ readarray -t targets < <(find_targets) |
169 |
target=${targets[$((target-1))]} |
170 |
fi |
171 |
|
172 |
@@ -46,130 +131,153 @@ set_symlinks() { |
173 |
die -q "Target \"${target}\" doesn't appear to be valid!" |
174 |
fi |
175 |
|
176 |
- local ipt |
177 |
- for ipt in "${IPTABLES_TARGETS[@]}"; do |
178 |
- ln -s "${target}" "${EROOT}/sbin/${ipt}" |
179 |
- done |
180 |
+ # create an array of symlinks to be created, then create them |
181 |
+ # in a separate pass, it's done this way in an attempt to be atomic |
182 |
+ # either all symlinks get updated, or none |
183 |
+ local -a symlinks_list |
184 |
+ readarray -t symlinks_list < <(get_symlinks_list) |
185 |
+ |
186 |
+ local symlink |
187 |
+ local -A do_symlinks |
188 |
+ for symlink in "${symlinks_list[@]}"; do |
189 |
+ local symlink_path="${EROOT}/sbin/${symlink}" |
190 |
+ |
191 |
+ if [[ -L ${symlink_path} || ! -e ${symlink_path} ]]; then |
192 |
+ do_symlinks["${symlink_path}"]="$(get_symlink_target "${symlink}" "${target}")" |
193 |
|
194 |
- if [[ -n ${ipv6} ]]; then |
195 |
- local ip6t |
196 |
- for ip6t in "${IP6TABLES_TARGETS[@]}"; do |
197 |
- ln -s "${target}" "${EROOT}/sbin/${ip6t}" |
198 |
- done |
199 |
- fi |
200 |
+ else |
201 |
+ die -q "Could not create symlink at ${symlink_path}:" \ |
202 |
+ "path exits and is not a symlink" |
203 |
+ fi |
204 |
+ done |
205 |
+ |
206 |
+ for symlink in "${!do_symlinks[@]}"; do |
207 |
+ if ! ln -sfn "${do_symlinks["${symlink}"]}" "${symlink}"; then |
208 |
+ write_error_message "Failed to create symlink at ${symlink}" |
209 |
+ retval=1 |
210 |
+ fi |
211 |
+ done |
212 |
+ |
213 |
+ return "${retval}" |
214 |
} |
215 |
|
216 |
### show action ### |
217 |
|
218 |
describe_show() { |
219 |
- echo "Show the current iptables symlink" |
220 |
+ printf -- 'Show the current %s symlink\n' "$(get_module)" |
221 |
} |
222 |
|
223 |
do_show() { |
224 |
- local ipv6 |
225 |
- if [[ -d ${EROOT}/var/lib/ip6tables ]]; then |
226 |
- ipv6=1 |
227 |
- fi |
228 |
- write_list_start "Current iptables symlinks:" |
229 |
- local ipt all_unset=1 |
230 |
- for ipt in "${IPTABLES_TARGETS[@]}"; do |
231 |
- if [[ -L ${EROOT}/sbin/${ipt} ]]; then |
232 |
- local ipta |
233 |
- ipta=$(canonicalise "${EROOT}/sbin/${ipt}") |
234 |
- write_kv_list_entry "${ipt}" "${ipta%/}" |
235 |
+ local -a symlinks_list |
236 |
+ readarray -t symlinks_list < <(get_symlinks_list) |
237 |
+ |
238 |
+ local all_unset=1 symlink |
239 |
+ write_list_start "Current $(get_module) symlinks:" |
240 |
+ for symlink in "${symlinks_list[@]}"; do |
241 |
+ symlink_path="${EROOT}/sbin/${symlink}" |
242 |
+ |
243 |
+ if [[ -L ${symlink_path} ]]; then |
244 |
+ local symlink_target |
245 |
+ symlink_target=$(canonicalise "${symlink_path}") |
246 |
+ write_kv_list_entry "${symlink}" "${symlink_target%/}" |
247 |
all_unset=0 |
248 |
- else |
249 |
- write_kv_list_entry "${ipt}" "(unset)" |
250 |
+ elif [[ ! -f ${symlink_path} ]]; then |
251 |
+ write_kv_list_entry "${symlink}" "(unset)" |
252 |
fi |
253 |
done |
254 |
- if [[ ${ipv6} -eq 1 ]]; then |
255 |
- write_list_start "Current ip6tables symlinks:" |
256 |
- local ip6t |
257 |
- for ip6t in "${IP6TABLES_TARGETS[@]}"; do |
258 |
- if [[ -L ${EROOT}/sbin/${ip6t} ]]; then |
259 |
- local ipta |
260 |
- ipta=$(canonicalise "${EROOT}/sbin/${ip6t}") |
261 |
- write_kv_list_entry "${ip6t}" "${ipta%/}" |
262 |
- all_unset=0 |
263 |
- else |
264 |
- write_kv_list_entry "${ip6t}" "(unset)" |
265 |
- fi |
266 |
- done |
267 |
- fi |
268 |
+ |
269 |
return "${all_unset}" |
270 |
} |
271 |
### list action ### |
272 |
|
273 |
describe_list() { |
274 |
- echo "List available iptables symlink targets" |
275 |
+ printf -- 'List available %s symlink targets\n' "$(get_module)" |
276 |
} |
277 |
|
278 |
do_list() { |
279 |
- local ipv6 |
280 |
- local -a targets |
281 |
- readarray -t targets <<< "$(find_targets)" |
282 |
- if [[ -L ${EROOT}/var/lib/ip6tables ]]; then |
283 |
- ipv6=1 |
284 |
- fi |
285 |
- write_list_start "Available iptables symlink targets:" |
286 |
- local i |
287 |
- for (( i = 0; i < ${#targets[@]}; i++ )); do |
288 |
- # highlight the target where the symlink is pointing to |
289 |
- [[ ${targets[i]} = \ |
290 |
- $(basename "$(canonicalise "${EROOT}/sbin/iptables")") ]] \ |
291 |
- && targets[i]=$(highlight_marker "${targets[i]}") |
292 |
+ local module |
293 |
+ module="$(get_module)" |
294 |
+ |
295 |
+ local -a targets_list symlinks_list |
296 |
+ readarray -t targets_list < <(find_targets) |
297 |
+ readarray -t symlinks_list < <(get_symlinks_list) |
298 |
+ |
299 |
+ local -a targets_output |
300 |
+ |
301 |
+ write_list_start "Available ${module} symlink targets:" |
302 |
+ local symlink current_target |
303 |
+ for symlink in "${symlinks_list[@]}"; do |
304 |
+ local symlink_path="${EROOT}/sbin/${symlink}" |
305 |
+ local target |
306 |
+ for target in "${targets_list[@]}"; do |
307 |
+ local symlink_target resolved_target |
308 |
+ symlink_target="$(get_symlink_target "${symlink}" "${target}")" |
309 |
+ resolved_target="$(basename "$(canonicalise "${symlink_path}")")" |
310 |
+ |
311 |
+ if [[ ${resolved_target} == "${symlink_target}" ]]; then |
312 |
+ if [[ -z ${current_target} ]]; then |
313 |
+ current_target="${target}" |
314 |
+ break |
315 |
+ elif [[ ${current_target} != "${target}" ]]; then |
316 |
+ write_warning_msg "Target mismatch" |
317 |
+ unset current_target |
318 |
+ break 2 |
319 |
+ fi |
320 |
+ fi |
321 |
+ done |
322 |
+ done |
323 |
+ for target in "${targets_list[@]}"; do |
324 |
+ if [[ ${target} == "${current_target}" ]]; then |
325 |
+ targets_output+=("$(highlight_marker "${target}")") |
326 |
+ else |
327 |
+ targets_output+=("${target}") |
328 |
+ fi |
329 |
done |
330 |
- write_numbered_list -m "(none found)" "${targets[@]}" |
331 |
+ |
332 |
+ write_numbered_list -m "(none found)" "${targets_output[@]}" |
333 |
} |
334 |
|
335 |
### set action ### |
336 |
|
337 |
describe_set() { |
338 |
- echo "Set a new iptables symlink target" |
339 |
-} |
340 |
- |
341 |
-describe_set_parameters() { |
342 |
- echo "[--ipv6] <target>" |
343 |
+ printf "Set a new $(get_module) symlink target\\n" |
344 |
} |
345 |
|
346 |
describe_set_options() { |
347 |
- echo "--ipv6: Forces creation of ip6tables symlinks" |
348 |
- echo "target : Target name or number (from 'list' action)" |
349 |
+ printf -- "target : Target name or number (from 'list' action)\\n" |
350 |
} |
351 |
|
352 |
do_set() { |
353 |
- local ipv6 ipv6_remove |
354 |
- if [[ ${1} == "--ipv6" ]]; then |
355 |
- ipv6=1 |
356 |
- shift |
357 |
- fi |
358 |
local target="${1}" |
359 |
|
360 |
[[ -z ${target} ]] && die -q "You didn't tell me what to set the symlink to" |
361 |
- [[ ${#} -gt 2 ]] && die -q "Too many parameters" |
362 |
+ [[ ${#} -gt 1 ]] && die -q "Too many parameters" |
363 |
|
364 |
- if [[ -d ${EROOT}/var/lib/ip6tables ]]; then |
365 |
- ipv6=1 |
366 |
- [[ -L ${EROOT}/sbin/ip6tables ]] && ipv6_remove=1 |
367 |
- fi |
368 |
- if [[ -L ${EROOT}/sbin/iptables ]]; then |
369 |
- # existing symlink |
370 |
- remove_symlinks || die -q "Couldn't remove existing symlink" |
371 |
- set_symlinks "${target}" || die -q "Couldn't set a new symlink" |
372 |
- elif [[ -e ${EROOT}/sbin/iptables ]]; then |
373 |
- # we have something strange |
374 |
- die -q "${EROOT}/sbin/iptables exists but is not a symlink" |
375 |
- else |
376 |
- set_symlinks "${target}" || die -q "Couldn't set a new symlink" |
377 |
- fi |
378 |
+ set_symlinks "${target}" || die -q "Couldn't set symlinks" |
379 |
} |
380 |
|
381 |
### unset action ### |
382 |
|
383 |
describe_unset() { |
384 |
- echo "Unset iptables symlink targets" |
385 |
+ printf -- 'Unset %s symlink targets\n' "$(get_module)" |
386 |
} |
387 |
|
388 |
do_unset() { |
389 |
- remove_symlinks |
390 |
+ local retval=0 |
391 |
+ |
392 |
+ local -a symlinks_list |
393 |
+ readarray -t symlinks_list < <(get_symlinks_list -a) |
394 |
+ |
395 |
+ local symlink |
396 |
+ for symlink in "${symlinks_list[@]}"; do |
397 |
+ local symlink_path="${EROOT}/sbin/${symlink}" |
398 |
+ if [[ -L ${symlink_path} ]]; then |
399 |
+ unlink "${symlink_path}" || retval=${?} |
400 |
+ elif [[ -e ${symlink_path} ]]; then |
401 |
+ write_error_msg "Not removing non-symlink \"${symlink_path}\"" |
402 |
+ retval=1 |
403 |
+ fi |
404 |
+ done |
405 |
+ |
406 |
+ return ${retval} |
407 |
} |