diff --git a/el/ngcp-rtpengine-iptables-setup b/el/ngcp-rtpengine-iptables-setup
new file mode 100755
index 000000000..9fde5ff6f
--- /dev/null
+++ b/el/ngcp-rtpengine-iptables-setup
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+TABLE=0
+MODNAME=xt_RTPENGINE
+MANAGE_IPTABLES=yes
+
+DEFAULTS=/etc/sysconfig/rtpengine
+
+# Load startup options if available
+if [ -f "$DEFAULTS" ]; then
+ . "$DEFAULTS" || true
+fi
+
+MODPROBE_OPTIONS=""
+
+# Handle requested setuid/setgid.
+if ! test -z "$SET_USER"; then
+ PUID=$(id -u "$SET_USER" 2> /dev/null)
+ test -z "$PUID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_uid=$PUID"
+ if test -z "$SET_GROUP"; then
+ PGID=$(id -g "$SET_USER" 2> /dev/null)
+ test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+ fi
+fi
+
+if ! test -z "$SET_GROUP"; then
+ PGID=$(grep "^$SET_GROUP:" /etc/group | cut -d: -f3 2> /dev/null)
+ test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+fi
+
+###
+
+if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then
+ if ngcp-virt-identify --type container; then
+ VIRT="yes"
+ fi
+fi
+
+firewall_setup()
+{
+ if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+ return
+ fi
+
+ if [ "$MANAGE_IPTABLES" != "yes" ]; then
+ return
+ fi
+
+ # shellcheck disable=SC2086
+ modprobe $MODNAME $MODPROBE_OPTIONS
+
+ iptables -N rtpengine 2>/dev/null
+ iptables -D INPUT -j rtpengine 2>/dev/null
+ iptables -D INPUT -p udp -j rtpengine 2>/dev/null
+ iptables -I INPUT -p udp -j rtpengine
+ iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+ ip6tables -N rtpengine 2>/dev/null
+ ip6tables -D INPUT -j rtpengine 2>/dev/null
+ ip6tables -D INPUT -p udp -j rtpengine 2>/dev/null
+ ip6tables -I INPUT -p udp -j rtpengine
+ ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+}
+
+firewall_teardown()
+{
+ if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+ return
+ fi
+
+ # XXX: Wait a bit to make sure the daemon has been stopped.
+ sleep 1
+
+ if [ -e /proc/rtpengine/control ]; then
+ echo "del $TABLE" >/proc/rtpengine/control 2>/dev/null
+ fi
+
+ if [ "$MANAGE_IPTABLES" != "yes" ]; then
+ return
+ fi
+
+ iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+}
+
+case "$1" in
+ start)
+ firewall_setup
+ ;;
+ stop)
+ firewall_teardown
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/el/rtpengine.service b/el/rtpengine.service
index 64709669f..ce373da1d 100644
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
@@ -1,17 +1,15 @@
 [Unit]
-Description=NGCP RtpEngine - RTP Media Proxy
-Wants=network-online.target
+Description=NGCP RTP/media Proxy Daemon
 After=network-online.target
 
 [Service]
 Type=forking
-User=ngcp-rtpengine
-Group=daemon
-Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
 EnvironmentFile=/etc/sysconfig/rtpengine
+Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
 PIDFile=/run/rtpengine.pid
-ExecStart=/usr/sbin/rtpengine --config-file=${CFGFILE} --interface=${INTERFACE} --listen-ng=${LISTEN_UDP} --log-facility=${LOG_FACILITY} --log-level=${LOG_LEVEL}
-Restart=on-failure
+ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
+ExecStart=/usr/sbin/rtpengine --no-log-timestamps --pidfile=${PIDFile} --config-file=${CFGFILE} --table=${TABLE}
+ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop
 
 [Install]
 WantedBy=multi-user.target
diff --git a/el/rtpengine.spec b/el/rtpengine.spec
index 0deaa3d5b..3964248b4 100644
--- a/el/rtpengine.spec
+++ b/el/rtpengine.spec
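Review bot: Every command in `firewall_setup` is fire-and-forget and the script always ends with `exit 0`, so a failed `modprobe $MODNAME $MODPROBE_OPTIONS` (module not built for the running kernel, unusable `proc_uid`/`proc_gid`) or a failed `iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"` still reports success to ExecStartPre and the daemon is started anyway, with no indication in the journal that the kernel rule is missing. The calls that are not deliberately silenced with `2>/dev/null` should at least propagate: `modprobe $MODNAME $MODPROBE_OPTIONS || exit 1` and `iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE" || exit 1` (likewise for ip6tables), or, if a userspace-only start is intended to be allowed, print an explicit warning to stderr instead of nothing. Separately, `PGID=$(grep "^$SET_GROUP:" /etc/group | cut -d: -f3 2> /dev/null)` only sees local groups and its `2> /dev/null` applies to `cut` alone; `PGID=$(getent group "$SET_GROUP" | cut -d: -f3)` honours nsswitch (sssd/LDAP groups) and is what `id -u`/`id -g` already do for the user case. `[ "$TABLE" -lt 0 ]` also errors rather than guards when `TABLE` from /etc/sysconfig/rtpengine is non-numeric, and the garbage then reaches `--id "$TABLE"`.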
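Review bot: Removing `User=ngcp-rtpengine`/`Group=daemon` makes the whole unit, daemon included, run as root; the modprobe/iptables helper needs root, but that is what `PermissionsStartOnly=true` (systemd 219, EL7) or the `+` prefix on systemd ≥ 231 (`ExecStartPre=+/usr/sbin/ngcp-rtpengine-iptables-setup start`, `ExecStopPost=+/usr/sbin/ngcp-rtpengine-iptables-setup stop`) are for, so the daemon's `User=` line can be kept; if privilege dropping is now meant to happen inside the daemon from the config file (the helper's `SET_USER`/`SET_GROUP` handling suggests so), a comment in the unit stating that would stop the next reader from re-adding `User=` and breaking the helper. `${PIDFile}` in the new ExecStart is not populated from the `PIDFile=` directive — systemd only substitutes environment variables there — so unless /etc/sysconfig/rtpengine exports a `PIDFile` variable the daemon gets an empty `--pidfile=` and Type=forking cannot track the main PID; the literal `--pidfile=/run/rtpengine.pid` is safer. Dropping `Wants=network-online.target` while keeping `After=` turns the ordering into a no-op when nothing else pulls the target in, and `Restart=on-failure` disappears without a stated reason.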
@@ -124,6 +124,8 @@ install -D -p -m755 recording-daemon/%{binname}-recording %{buildroot}%{_sbindir
 %if 0%{?has_systemd_dirs}
 install -D -p -m644 el/%{binname}.service \
 %{buildroot}%{_unitdir}/%{binname}.service
+install -D -p -m755 el/ngcp-rtpengine-iptables-setup \
+ %{buildroot}%{_sbindir}/ngcp-rtpengine-iptables-setup
 %else
 install -D -p -m755 el/%{binname}.init \
 %{buildroot}%{_initrddir}/%{name}
@@ -237,6 +239,8 @@ true
 # init.d script and configuration file
 %if 0%{?has_systemd_dirs}
 %{_unitdir}/%{binname}.service
+# Systemd iptables setup
+%{_sbindir}/ngcp-rtpengine-iptables-setup
 %else
 %{_initrddir}/%{name}
 %endif