From 386fd08d93cf1fe84c07a8b692bb840b551bce65 Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Sat, 22 Jul 2023 22:49:03 +0200
Subject: [PATCH] updated readme-example and lint-script
---
 README.md | 10 ++++
 templates/usr/lib/nftables/_lint/util.py | 63 ++++++++++++++++++++----
 2 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 80bedac..b0ce8db 100644
--- a/README.md
+++ b/README.md
@@ -101,6 +101,16 @@ nftables_addons:
 # cron: false # update addons using a cron-job
 # include: true # disable auto-include of addons in /etc/nftables.conf
+ config:
+ iplists:
+ iplist_tor_exit_nodes: # var-name
+ urls: ['https://check.torproject.org/torbulkexitlist']
+ separator: "\n"
+ comment: '#'
+ dns_records:
+ ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']
+ repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']
+
 path:
 base_config: '/etc/nftables.conf'
 addon:
diff --git a/templates/usr/lib/nftables/_lint/util.py b/templates/usr/lib/nftables/_lint/util.py
index 06ac054..f51f44e 100644
--- a/templates/usr/lib/nftables/_lint/util.py
+++ b/templates/usr/lib/nftables/_lint/util.py
@@ -55,6 +55,7 @@ def _exec(cmd: (str, list)) -> int:
 def _reload() -> bool:
+ print('INFO: Reloading NFTables!')
 return _exec(CMD_RELOAD) == 0
@@ -64,23 +65,67 @@ def _validate(file: str) -> bool:
 def _write(file: str, content: str):
 with open(file, 'w', encoding='utf-8') as config:
- config.write(content + '\n')
+ config.write(content + '\n\n')
+
+
+ def _file_hash(file: str) -> str:
+ if Path(file).exists():
+ with open(file, 'rb') as _c:
+ return md5_hash(_c.read()).hexdigest()
+
+ else:
+ return md5_hash(b'').hexdigest()
 def validate_and_write(key: str, lines: list, file: str):
- file_tmp = f'{FILE_TMP_PREFIX}{key}.nft'
- content = FILE_HEADER + '\n'.join(lines)
+ file_out = f'{file}.nft'
+ file_out_path = f'{ADDON_DIR}/{file}'
+ file_tmp = f'{FILE_TMP_PREFIX}{key}_{time()}.nft'
+ file_tmp_main = f'{FILE_TMP_PREFIX}main_{time()}.nft'
+ content = FILE_HEADER + '\n'.join(lines) + '\n'
 _write(file=file_tmp, content=content)
- if _validate(file=file_tmp):
- _write(file=file, content=content)
+ config_hash = dict(
+ before=_file_hash(file=file_out),
+ after=_file_hash(file=file_tmp),
+ )
+ config_changed = config_hash['before'] != config_hash['after']
+
+ if config_changed:
+ # create config to include existing main-config; must be valid in combination with new one
+ addon_includes = ''
+
+ for inc in listdir(ADDON_DIR):
+ if inc.endswith('.nft') and inc != file_out:
+ addon_includes += f'include "{inc}"\n'
- if _validate(file=CONFIG):
- _reload()
+ _write(
+ file=file_tmp_main,
+ content=f'include "{file_tmp}"\n'
+ f'{addon_includes}'
+ 'include "/etc/nftables/*.nft"\n'
+ # NOTE: could be a problem if other file-endings are used..
+ )
+
+ if _validate(file=file_tmp_main):
+ print('INFO: Test-config validated successfully!')
+ _write(file=file_out_path, content=content)
+
+ if _validate(file=CONFIG):
+ print('INFO: Real-config validated successfully!')
+ _reload()
+
+ else:
+ raise SystemExit('ERROR: Failed to validate real-config!')
 else:
- raise SystemExit(f"Failed to validate config: '{CONFIG}'!")
+ raise SystemExit('WARN: Failed to validate test-config!')
+
+ _exec(['rm', file_tmp_main])
 else:
- raise SystemExit(f"Failed to validate test-config: '{file_tmp}'!")
+ print('INFO: Config unchanged - nothing to do.')
+
+ _exec(['rm', file_tmp])
+
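Review bot: The "before" hash is taken from the wrong file: `config_hash['before']` hashes `file_out` (`f'{file}.nft'`, a bare name resolved against the process CWD) while the addon is actually written to `file_out_path` (`f'{ADDON_DIR}/{file}'`, without the `.nft` suffix), so the two can never name the same file, `_file_hash` will normally return the empty-input digest and every run is treated as changed; the same mismatch means `inc != file_out` cannot exclude the addon being replaced, so the test-config includes both the old copy in ADDON_DIR and the new temp copy. Deriving both names from one path fixes this: `file_out_path = f'{ADDON_DIR}/{file}'`, `file_out = Path(file_out_path).name`, and hash `file_out_path`. Cleanup also only happens on the success path — each `raise SystemExit(...)` leaves `file_tmp` and `file_tmp_main` behind under predictable `time()`-based names, so the validate/write steps belong in a `try`/`finally` that unlinks both, and if FILE_TMP_PREFIX points into a shared directory such as /tmp (its value is not visible here) `tempfile.mkstemp` would additionally stop a local user from pre-creating or symlinking the path before the privileged `_write` opens it. When the real-config validation fails, the just-written addon file stays in ADDON_DIR, so a broken config persists on disk until the next run; reading the previous contents first and restoring them in that branch would avoid that. validate_and_write runs to the end of the hunk; the restructured opening is sketched below.
```python
def validate_and_write(key: str, lines: list, file: str):
    file_out_path = f'{ADDON_DIR}/{file}'
    file_out = Path(file_out_path).name  # the name listdir(ADDON_DIR) reports for it
    file_tmp = f'{FILE_TMP_PREFIX}{key}_{time()}.nft'
    file_tmp_main = f'{FILE_TMP_PREFIX}main_{time()}.nft'
    content = FILE_HEADER + '\n'.join(lines) + '\n'

    try:
        _write(file=file_tmp, content=content)
        config_changed = _file_hash(file=file_out_path) != _file_hash(file=file_tmp)
        # … unchanged: build test-config, validate it, write file_out_path, validate CONFIG, reload …
    finally:
        # runs on every exit, including the SystemExit paths
        for tmp in (file_tmp, file_tmp_main):
            Path(tmp).unlink(missing_ok=True)
```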