From patchwork Mon Mar 25 17:44:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7679 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4V3L1J6gvDz3wv4 for ; Mon, 25 Mar 2024 17:45:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4V3L1H02VFz5Vk; Mon, 25 Mar 2024 17:45:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4V3L1G5KzZz30Cq; Mon, 25 Mar 2024 17:45:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4V3L1D3h4Gz2xm7 for ; Mon, 25 Mar 2024 17:45:04 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4V3L1C40yrz10R; Mon, 25 Mar 2024 17:45:03 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1711388703; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=/DtE2fY++RlIXIwOh6AO+DGgBlv/FDjJ/HZuaDMwikQ=; b=+jHKIEg5rSaP0dhr9WG9t8emjgb+GQOQs7cdAEd7Tv+FvGhfoZ921l6tJMqjNSRle6wY5O l9vczXOiaCdKKxBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1711388703; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=/DtE2fY++RlIXIwOh6AO+DGgBlv/FDjJ/HZuaDMwikQ=; b=BSAk2/LPj37hGmnghUAbUN8CCUAkxpdLLHl5WZjLzMs4mye/yK4ySU34gM6d454PVu+4WN TdN4XeTMehzumy5VPbkDliqevKpeW5PpVvVwvhkeJtDpXwZjlBJB2CpBK5zL5Za0i+IWby HOoOf9MloSZcs+RIbT+E/bwe8q3EhxKPDPLUyNe+luKTUk5L2yBPiZrfSiPIZbokxgjgkS 7hG5HiIvCWimvpQR2pLMrH8tRtd9uywTl5+RjZ+dvqjfe/QTe3+QKCk4Z4nQRcI41xK6ol bXP93x////B3qw/xI2NbyS6GOjOMpB1E/DLT5OE75b1rGDzS3DiPE5cXgtC3ng== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v2] CU185-update.sh: Add drop hostile in & out logging entries if not already present Date: Mon, 25 Mar 2024 18:44:56 +0100 Message-ID: <20240325174456.35715-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: V2YSAJULSIHNZQLGXCAQD26GMTFQSDQQ X-Message-ID-Hash: V2YSAJULSIHNZQLGXCAQD26GMTFQSDQQ X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - This v2 patch corrects that the previous script was looking for =on. If a user had modified the preferences to change it to =off then the script would have resulted in both =on and =off versions being in the settings file. - This patch ensures that those people who updated to CU184 before the CU184-update.sh patch fix to add the logging entries was added will get their optionsfw settings file correctly updated with CU185 - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already exist in the optionsfw settings file. - This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two separate checks and then runs the firewall update command Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/rootfiles/core/185/update.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index ec4d8ab82..002f92bbb 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -117,11 +117,17 @@ chown nobody:nobody /var/ipfire/ovpn/ovpnconfig # Check if the drop hostile in and out logging options need to be added # into the optionsfw settings file and apply to firewall -if ! [ $(grep "LOGDROPHOSTILEIN=on" /var/ipfire/optionsfw/settings) ] && \ - ! [ $(grep "LOGDROPHOSTILEOUT=on" /var/ipfire/optionsfw/settings) ]; then - sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings - sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings - /usr/local/bin/firewallctrl +optionsfw="" +if ! [ $(grep "^LOGDROPHOSTILEIN=" /var/ipfire/optionsfw/settings) ]; then + sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings + optionsfw="updated" +fi +if ! [ $(grep "^LOGDROPHOSTILEOUT=" /var/ipfire/optionsfw/settings) ]; then + sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings + optionsfw="updated" +fi +if ! [ -z "$optionsfw" ]; then + /usr/local/bin/firewallctrl fi # Rebuild initial ramdisks