TT#14008 Squashed commit of the following:

commit 26478c1dcfafab68fe29e9828934f0d8672ec3ed Merge: aeb0b7bc fc265e0b Author: Richard Fuchs <rfuchs@sipwise.com> Date: Wed Jun 23 14:45:32 2021 -0400 Merge branch 'el-systemd' of https://github.com/khorsmann/rtpengine into khorsmann-el-systemd Change-Id: Ide2e93d5baa1ecba97d256a48c53c106c084f9fd commit fc265e0b3d Merge: 41a9a8ae 1d845c21 Author: Karsten Horsmann <khorsmann@gmail.com> Date: Wed Jun 23 19:25:09 2021 +0200 Merge branch 'sipwise:master' into el-systemd commit 41a9a8ae6e Author: Karsten Horsmann <khorsmann@gmail.com> Date: Wed Jun 23 19:22:09 2021 +0200 iptables in ExecStart/ExecStopPost needs root privleges. Correct copy-paste error. commit 0f991f6666 Author: Karsten Horsmann <khorsmann@gmail.com> Date: Wed Jun 23 17:57:55 2021 +0200 readd User/Group and switch back to forking cause CentOS7 systemd is very old commit 11290d48b6 Author: Karsten Horsmann <khorsmann@gmail.com> Date: Tue Jun 22 12:18:38 2021 +0200 if ngcp-virt-identify not there should not break the script commit b7040ad992 Author: Karsten Horsmann <khorsmann@gmail.com> Date: Tue Jun 22 12:05:04 2021 +0200 add iptables helper for el systemd to spec file commit 6d67dc3b3a Author: Karsten Horsmann <khorsmann@gmail.com> Date: Tue Jun 22 11:21:34 2021 +0200 * add also ngcp-rtpengine-iptables-setup. So iptables rules will created like the debian packages did that. closes #1292 Change-Id: I6f31608c70b069b3584ad240b7eda10e59c94e4b
4 years ago · 82c741d88c
parent aeb0b7bcee
commit 82c741d88c
3 changed files with 110 additions and 7 deletions
--- a/el/ngcp-rtpengine-iptables-setup
+++ b/el/ngcp-rtpengine-iptables-setup
@ -0,0 +1,101 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+TABLE=0
+MODNAME=xt_RTPENGINE
+MANAGE_IPTABLES=yes
+
+DEFAULTS=/etc/sysconfig/rtpengine
+
+# Load startup options if available
+if [ -f "$DEFAULTS" ]; then
+  . "$DEFAULTS" || true
+fi
+
+MODPROBE_OPTIONS=""
+
+# Handle requested setuid/setgid.
+if ! test -z "$SET_USER"; then
+  PUID=$(id -u "$SET_USER" 2> /dev/null)
+  test -z "$PUID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_uid=$PUID"
+  if test -z "$SET_GROUP"; then
+    PGID=$(id -g "$SET_USER" 2> /dev/null)
+    test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+  fi
+fi
+
+if ! test -z "$SET_GROUP"; then
+  PGID=$(grep "^$SET_GROUP:" /etc/group | cut -d: -f3 2> /dev/null)
+  test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+fi
+
+###
+
+if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then
+  if ngcp-virt-identify --type container; then
+    VIRT="yes"
+  fi
+fi
+
+firewall_setup()
+{
+  if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+    return
+  fi
+
+  if [ "$MANAGE_IPTABLES" != "yes" ]; then
+    return
+  fi
+
+  # shellcheck disable=SC2086
+  modprobe $MODNAME $MODPROBE_OPTIONS
+
+  iptables -N rtpengine 2>/dev/null
+  iptables -D INPUT -j rtpengine 2>/dev/null
+  iptables -D INPUT -p udp -j rtpengine 2>/dev/null
+  iptables -I INPUT -p udp -j rtpengine
+  iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+  iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+  ip6tables -N rtpengine 2>/dev/null
+  ip6tables -D INPUT -j rtpengine 2>/dev/null
+  ip6tables -D INPUT -p udp -j rtpengine 2>/dev/null
+  ip6tables -I INPUT -p udp -j rtpengine
+  ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+  ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+}
+
+firewall_teardown()
+{
+  if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+    return
+  fi
+
+  # XXX: Wait a bit to make sure the daemon has been stopped.
+  sleep 1
+
+  if [ -e /proc/rtpengine/control ]; then
+    echo "del $TABLE" >/proc/rtpengine/control 2>/dev/null
+  fi
+
+  if [ "$MANAGE_IPTABLES" != "yes" ]; then
+    return
+  fi
+
+  iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+  ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+}
+
+case "$1" in
+  start)
+    firewall_setup
+    ;;
+  stop)
+    firewall_teardown
+    ;;
+  *)
+    echo "Usage: $0 {start|stop}" >&2
+    exit 1
+    ;;
+esac
+
+exit 0
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
@ -1,17 +1,15 @@
 [Unit]
-Description=NGCP RtpEngine - RTP Media Proxy
-Wants=network-online.target
+Description=NGCP RTP/media Proxy Daemon
 After=network-online.target

 [Service]
 Type=forking
-User=ngcp-rtpengine
-Group=daemon
-Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
 EnvironmentFile=/etc/sysconfig/rtpengine
+Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
 PIDFile=/run/rtpengine.pid
-ExecStart=/usr/sbin/rtpengine --config-file=${CFGFILE} --interface=${INTERFACE} --listen-ng=${LISTEN_UDP} --log-facility=${LOG_FACILITY} --log-level=${LOG_LEVEL}
-Restart=on-failure
+ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
+ExecStart=/usr/sbin/rtpengine --no-log-timestamps --pidfile=${PIDFile} --config-file=${CFGFILE} --table=${TABLE}
+ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop

 [Install]
 WantedBy=multi-user.target
--- a/el/rtpengine.spec
+++ b/el/rtpengine.spec
@ -124,6 +124,8 @@ install -D -p -m755 recording-daemon/%{binname}-recording %{buildroot}%{_sbindir
 %if 0%{?has_systemd_dirs}
 install -D -p -m644 el/%{binname}.service \
 	%{buildroot}%{_unitdir}/%{binname}.service
+install -D -p -m755 el/ngcp-rtpengine-iptables-setup \
+	%{buildroot}%{_sbindir}/ngcp-rtpengine-iptables-setup
 %else
 install -D -p -m755 el/%{binname}.init \
 	%{buildroot}%{_initrddir}/%{name}
@ -237,6 +239,8 @@ true
 # init.d script and configuration file
 %if 0%{?has_systemd_dirs}
 %{_unitdir}/%{binname}.service
+# Systemd iptables setup
+%{_sbindir}/ngcp-rtpengine-iptables-setup
 %else
 %{_initrddir}/%{name}
 %endif