Make creation of iptables chain optional

iptables might be managed via different tools by an administrator. In such a setup, insertion and deletion of rules in the INPUT chain as well as creation of new chains by an application is not wanted. By setting the corresponding configuration parameter in the config file, the init-script will not touch the INPUT queue nor will it create the rtpengine chain. It will still attempt to create a rule in the rtpengine chain, but will refuse to start if that chain does not exist.
10 years ago · ca04c9636f
parent df2126f4e5
commit ca04c9636f
2 changed files with 37 additions and 22 deletions
--- a/debian/ngcp-rtpengine-daemon.default
+++ b/debian/ngcp-rtpengine-daemon.default
@ -32,3 +32,4 @@ TABLE=0
 # GRAPHITE_INTERVAL=60
 # GRAPHITE_PREFIX=myownprefix
 # MAX_SESSIONS=5000
+# CREATE_IPTABLES_CHAIN=no
--- a/debian/ngcp-rtpengine-daemon.init
+++ b/debian/ngcp-rtpengine-daemon.init
@ -126,16 +126,24 @@ case "$1" in
 		ip6tables -X mediaproxy 2> /dev/null
 		rmmod xt_MEDIAPROXY 2>/dev/null

-		iptables -N rtpengine 2> /dev/null
-		iptables -D INPUT -j rtpengine 2> /dev/null
-		iptables -I INPUT -j rtpengine
-		iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
-		iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
-		ip6tables -N rtpengine 2> /dev/null
-		ip6tables -D INPUT -j rtpengine 2> /dev/null
-		ip6tables -I INPUT -j rtpengine
-		ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
-		ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+		if [ "$CREATE_IPTABLES_CHAIN" != "no" ]; then
+			iptables -N rtpengine 2> /dev/null
+			iptables -D INPUT -j rtpengine 2> /dev/null
+			iptables -I INPUT -j rtpengine
+			ip6tables -N rtpengine 2> /dev/null
+			ip6tables -D INPUT -j rtpengine 2> /dev/null
+			ip6tables -I INPUT -j rtpengine
+		fi
+		if iptables -C INPUT -j rtpengine 1> /dev/null 2> /dev/null && iptables -n --list rtpengine 1> /dev/null 2> /dev/null; then
+			iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+			iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+			ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+			ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+		else
+			echo ""
+			echo "Missing rtpengine iptables chain - not starting"
+			exit 0
+		fi
 		set -e
 	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE \
@ -213,20 +221,26 @@ case "$1" in
 		ip6tables -F mediaproxy 2> /dev/null
 		ip6tables -X mediaproxy 2> /dev/null
 		rmmod xt_MEDIAPROXY 2>/dev/null
-
-		iptables -D INPUT -j rtpengine 2> /dev/null
-		iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
-		ip6tables -D INPUT -j rtpengine 2> /dev/null
-		ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
 		rmmod xt_RTPENGINE 2>/dev/null
-
 		modprobe xt_RTPENGINE
-		iptables -N rtpengine 2> /dev/null
-		iptables -I INPUT -j rtpengine
-		iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
-		ip6tables -N rtpengine 2> /dev/null
-		ip6tables -I INPUT -j rtpengine
-		ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+		if [ "$CREATE_IPTABLES_CHAIN" != "no" ]; then
+			iptables -D INPUT -j rtpengine 2> /dev/null
+			ip6tables -D INPUT -j rtpengine 2> /dev/null
+			iptables -N rtpengine 2> /dev/null
+			iptables -I INPUT -j rtpengine
+			ip6tables -N rtpengine 2> /dev/null
+			ip6tables -I INPUT -j rtpengine
+		fi
+		if iptables -C INPUT -j rtpengine 1> /dev/null 2> /dev/null && iptables -n --list rtpengine 1> /dev/null 2> /dev/null; then
+			ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+			iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+			iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+			ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+		else
+			echo ""
+                        echo "Missing rtpengine iptables chain - not starting"
+                        exit 0
+		fi
 		set -e
 	fi
 	start-stop-daemon --start --quiet --pidfile \