From 0390782e22885a797aaad24fb8ac83a000b6ead9 Mon Sep 17 00:00:00 2001
From: Damian Ivereigh
Date: Mon, 24 Aug 2015 01:45:31 +1000
Subject: [PATCH] Now works with firewalld - creates a permanent chain called INPUT_prefilter which is before the conntrack stuff in the INPUT tables. We then create our temporary rtpengine chain from that. Also brought in some of the IPv6 stuff from the standard Centos init script
---
 el/rtpengine.init | 92 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 75 insertions(+), 17 deletions(-)

diff --git a/el/rtpengine.init b/el/rtpengine.init
index cf3ff51c1..85c130779 100644
--- a/el/rtpengine.init
+++ b/el/rtpengine.init
@@ -36,6 +36,7 @@ RETVAL=0
 OPTS="--pidfile $pidfile"
 MODULE=0
+IP6=0
 build_opts() {
  shopt -s nocasematch
@@ -55,13 +56,26 @@ build_opts() {
  fi
  shopt -u nocasematch
- if [[ -n "$RTP_IP" ]]
- then
- for IP in "${RTP_IP[@]}"
- do
- OPTS+=" --interface=$IP"
- done
- fi
+ if [[ -n "$RTP_IP" ]]
+ then
+ OPTS+=" --interface=$RTP_IP"
+ fi
+
+ if [[ -n "$RTP_ADV_IP" ]]
+ then
+ OPTS+="!$RTP_ADV_IP"
+ fi
+
+ if [[ -n "$RTP_IP6" ]]
+ then
+ OPTS+=" --interface=$RTP_IP6"
+ IP6=1
+ fi
+
+ if [[ -n "$RTP_ADV_IP6" ]]
+ then
+ OPTS+="!$RTP_ADV_IP6"
+ fi
  if [[ -n "$LISTEN_TCP" ]]
  then
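Review bot: `OPTS+="!$RTP_ADV_IP"` assumes the preceding block just appended `--interface=$RTP_IP`, so when RTP_ADV_IP is set without RTP_IP the `!addr` suffix is glued onto whatever option came before it (the `--pidfile` value at the head of OPTS), and the RTP_ADV_IP6 block has the same problem. Move each advertised-address append inside its matching interface block, e.g. `OPTS+=" --interface=$RTP_IP"` followed by `[[ -n "$RTP_ADV_IP" ]] && OPTS+="!$RTP_ADV_IP"`, and likewise for the IPv6 pair. The rewrite also replaces the `"${RTP_IP[@]}"` loop with a single scalar, so a sysconfig file that still declares RTP_IP as an array now silently passes only its first element; if several interfaces are meant to remain supported, keep a loop. build_opts() starts before this hunk and continues after it.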
@@ -179,15 +193,43 @@ start() {
  if [[ $MODULE == 1 ]]
  then
  echo "Loading module for in-kernel packet forwarding"
- rmmod xt_MEDIAPROXY 2> /dev/null
+ rmmod xt_RTPENGINE 2> /dev/null
  modprobe xt_RTPENGINE
- iptables -N rtpengine
- iptables -t filter -A INPUT -j rtpengine
- iptables -I rtpengine -p udp -j RTPENGINE --id $TABLE
- ip6tables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+ temp=`firewall-cmd --state 2>/dev/null`
+ if [[ $? == 0 ]]
+ then
+ # Using firewalld
+ # Need to check if the INPUT_prefilter chain is present (permanently)
+ firewall-cmd --permanent --direct --query-chain ipv4 filter INPUT_prefilter > /dev/null
+ if [[ $? != 0 ]]
+ then
+ firewall-cmd --permanent --direct --add-chain ipv4 filter INPUT_prefilter
+ firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I INPUT -j INPUT_prefilter
+ firewall-cmd --reload
+ fi
+
+ firewall-cmd --direct --add-chain ipv4 filter rtpengine
+ firewall-cmd --direct --add-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
+ firewall-cmd --direct --add-rule ipv4 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
+ if [[ $IP6 == 1 ]]
+ then
+ firewall-cmd --direct --add-rule ipv6 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
+ fi
+ firewall-cmd --reload
+ else
+ iptables -N rtpengine
+ # We insert the rtpengine rule at the top of the input chain
+ iptables -t filter -I INPUT_prefilter -j rtpengine
+ iptables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+ if [[ $IP6 == 1 ]]
+ then
+ ip6tables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+ fi
+ fi
  cat < "$cachefile"
 CUR_TABLE=$TABLE
+CUR_IP6=$IP6
 EOF
  fi
  echo -n $"Starting $prog: "
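Review bot: In the non-firewalld branch the jump is inserted into `INPUT_prefilter`, a chain that only exists when the firewalld path above has created it permanently, so on a plain-iptables host `iptables -t filter -I INPUT_prefilter -j rtpengine` fails and no UDP ever reaches the module; the comment says top of INPUT, so it should be `iptables -t filter -I INPUT -j rtpengine`, and `ip6tables -N rtpengine` is needed before the ip6tables insert. On the firewalld side the ipv6 rule is added to an ipv6 `rtpengine` chain that is never created and never jumped to, so IPv6 kernel forwarding cannot work there either. The closing `firewall-cmd --reload` also looks wrong: per the firewalld documentation a reload replaces the runtime configuration with the permanent one, and the rtpengine chain and rules were just added as runtime direct rules, so they would be discarded again — verify with `firewall-cmd --direct --get-all-rules` after start. None of the firewall-cmd/iptables exit statuses are checked, so a failed insert still writes the cache file and start reports success. If the ipv6 jumps below are adopted, stop() must remove them as well.
```shell
			firewall-cmd --direct --add-rule ipv4 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
			if [[ $IP6 == 1 ]]
			then
				# the ipv6 chain has to exist and be jumped to; INPUT_prefilter needs
				# the same permanent add-chain/passthrough for ipv6 as done for ipv4 above
				firewall-cmd --direct --add-chain ipv6 filter rtpengine
				firewall-cmd --direct --add-rule ipv6 filter INPUT_prefilter 0 -j rtpengine
				firewall-cmd --direct --add-rule ipv6 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
			fi
			# no --reload here: it would replace these runtime direct rules with the permanent set
		else
			iptables -N rtpengine
			# plain iptables has no INPUT_prefilter chain; top of INPUT is also what stop() deletes from
			iptables -t filter -I INPUT -j rtpengine
			iptables -I rtpengine -p udp -j RTPENGINE --id $TABLE
			if [[ $IP6 == 1 ]]
			then
				ip6tables -N rtpengine
				ip6tables -I INPUT -j rtpengine
				ip6tables -I rtpengine -p udp -j RTPENGINE --id $TABLE
			fi
		fi
		# … unchanged: cachefile write …
```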
@@ -208,11 +250,27 @@ stop() {
  . "$cachefile"
  echo "Unloading module for in-kernel packet forwarding"
  echo "del $TABLE" > /proc/rtpengine/control
- iptables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
- ip6tables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
- iptables -t filter -D INPUT -j rtpengine
- iptables -X rtpengine
-# rmmod xt_RTPENGINE
+ temp=`firewall-cmd --state 2>/dev/null`
+ if [[ $? == 0 ]]
+ then
+ firewall-cmd --direct --remove-rules ipv4 filter rtpengine
+ if [[ $CUR_IP6 == 1 ]]
+ then
+ firewall-cmd --direct --remove-rules ipv6 filter rtpengine
+ fi
+ firewall-cmd --direct --remove-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
+ firewall-cmd --direct --remove-chain ipv4 filter rtpengine
+ firewall-cmd --reload
+ else
+ iptables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+ if [[ $CUR_IP6 == 1 ]]
+ then
+ ip6tables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+ fi
+ iptables -t filter -D INPUT -j rtpengine
+ iptables -X rtpengine
+ fi
+ rmmod xt_RTPENGINE
  rm -f $cachefile
  fi
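Review bot: The plain-iptables branch removes the jump with `iptables -t filter -D INPUT -j rtpengine` while the matching start() hunk inserted it into `INPUT_prefilter`, so the delete fails, the stale jump keeps the chain referenced, `iptables -X rtpengine` fails as well, and a dangling firewall rule survives stop; both hunks must name the same chain, and INPUT is the one that exists without firewalld. The trailing `firewall-cmd --reload` is host-wide: it throws away every runtime-only rule an administrator has added, not just rtpengine's, and the rtpengine rules were already removed explicitly above, so it should be dropped. None of the firewall-cmd/iptables results are checked before `rmmod xt_RTPENGINE` and `rm -f $cachefile`, so a failed teardown still deletes the record needed to retry it; remove the cache file only after the removals succeed. Because `. "$cachefile"` executes the file as shell, the path (set outside this hunk) must live in a root-only location — presumably it does, but confirm. stop() continues beyond the end of the hunk.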