Git-Mirrors/shaker
1
0
Fork 0
mirror of https://github.com/unman/shaker.git synced 2024-10-01 01:25:41 -04:00
Code Issues Packages Projects Releases Wiki Activity

Syncthing - update for 4.2

Browse Source 
Move to nftables.
This commit is contained in:
unman 2024-02-03 06:45:00 +00:00
parent 28ac365875
commit 8dba49428f
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
2 changed files with 9 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
syncthing/clone.sls
View File

@ -1,14 +1,14 @@
syncthing_precursor: syncthing_precursor:
qvm.template_installed: qvm.template_installed:
- name: debian-11-minimal - name: debian-12-minimal
syncthing_clone: syncthing_clone:
qvm.clone: qvm.clone:
- name: template-syncthing - name: template-syncthing
- source: debian-11-minimal - source: debian-12-minimal
echo -e 'syncthing-start.desktop\nsyncthing-ui.desktop\nxterm.desktop' | qvm-appmenus --set-whitelist=- --update template-syncthing: echo -e 'syncthing-start.desktop\nsyncthing-ui.desktop\nxterm.desktop' | qvm-appmenus --set-whitelist=- --update template-syncthing:
cmd.run: cmd.run:
- runas: user - runas: user
- requires: - require:
- qvm: template-syncthing - qvm: template-syncthing

49
syncthing/in.sh
View File

@ -94,23 +94,12 @@ do
if [ $i -eq $lasthop ]; then if [ $i -eq $lasthop ]; then
iface=$external_iface iface=$external_iface
fi fi
# Is it nft or iptables? qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null ) qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
if [[ x$found == 'x' ]]; then if [ $permanent -eq 1 ]; then
qvm-run -q -u root ${my_netvms[$i]} -- "iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT" qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target" qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
if [ $permanent -eq 1 ]; then fi
qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT >> /rw/config/rc.local"
qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
fi
else
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
if [ $permanent -eq 1 ]; then
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
fi
fi
((i++)) ((i++))
done done
} }
@ -135,17 +124,6 @@ do
portnum_used=$external_portnum portnum_used=$external_portnum
portnum_target=$external_portnum portnum_target=$external_portnum
fi fi
# Is it nft or iptables?
echo "${my_netvms[$i]}"
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- "nft list table nat 2>/dev/null" )
if [[ x$found == 'x' ]]; then
qvm-run -q -u root ${my_netvms[$i]} -- "iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT"
qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target"
if [ $permanent -eq 1 ]; then
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT/d' /rw/config/rc.local"
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
fi
else
local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 ) local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 )
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle" qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle"
local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 ) local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 )
@ -154,16 +132,11 @@ do
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local" qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d' /rw/config/rc.local" qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d' /rw/config/rc.local"
fi fi
fi
((i--)) ((i--))
done done
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null ) local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
if [[ x$found == 'x' ]]; then
qvm-run -q -u root ${my_netvms[$i]} " iptables -D INPUT -p $proto --dport $external_portnum -j ACCEPT"
else
handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 ) handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 )
qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle
fi
exit exit
} }
@ -277,16 +250,6 @@ elif [ $1 == "add" ]; then
# Create tunnel # Create tunnel
found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null ) found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null )
if [[ x$found == 'x' ]]; then
found=$(qvm-run -p -u root $qube_name "iptables -L -nv |grep -c '.*ACCEPT.*$proto dpt:$portnum' ")
if [ "$found" -gt 0 ]; then
echo "Input rule in $qube_name already exists"
echo "Please check configuration - exiting now."
exit
else
qvm-run -q -u root $qube_name "iptables -I INPUT -p $proto --dport $portnum -j ACCEPT "
fi
else
qvm-run -q -u root $qube_name "nft list table filter|grep '$proto dport $portnum accept' " qvm-run -q -u root $qube_name "nft list table filter|grep '$proto dport $portnum accept' "
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "Input rule in $qube_name already exists" echo "Input rule in $qube_name already exists"