From 82c741d88c70e9460ae6335698e37f1184c97868 Mon Sep 17 00:00:00 2001 From: Karsten Horsmann Date: Wed, 23 Jun 2021 14:45:51 -0400 Subject: [PATCH] TT#14008 Squashed commit of the following: commit 26478c1dcfafab68fe29e9828934f0d8672ec3ed Merge: aeb0b7bc fc265e0b Author: Richard Fuchs Date: Wed Jun 23 14:45:32 2021 -0400 Merge branch 'el-systemd' of https://github.com/khorsmann/rtpengine into khorsmann-el-systemd Change-Id: Ide2e93d5baa1ecba97d256a48c53c106c084f9fd commit fc265e0b3d6d0315f6b55ffa4e5bb262c6432540 Merge: 41a9a8ae 1d845c21 Author: Karsten Horsmann Date: Wed Jun 23 19:25:09 2021 +0200 Merge branch 'sipwise:master' into el-systemd commit 41a9a8ae6e3a7980f320a8925fff2f51994d06a1 Author: Karsten Horsmann Date: Wed Jun 23 19:22:09 2021 +0200 iptables in ExecStart/ExecStopPost needs root privleges. Correct copy-paste error. commit 0f991f666611a84e1905be8f6721cfae7dd40736 Author: Karsten Horsmann Date: Wed Jun 23 17:57:55 2021 +0200 readd User/Group and switch back to forking cause CentOS7 systemd is very old commit 11290d48b6ef105fb6d52797277911066dd0297c Author: Karsten Horsmann Date: Tue Jun 22 12:18:38 2021 +0200 if ngcp-virt-identify not there should not break the script commit b7040ad992aae53dab1d142c874a037c22c988dc Author: Karsten Horsmann Date: Tue Jun 22 12:05:04 2021 +0200 add iptables helper for el systemd to spec file commit 6d67dc3b3a9792bd577541e0f838ce1f583d4866 Author: Karsten Horsmann Date: Tue Jun 22 11:21:34 2021 +0200 * add also ngcp-rtpengine-iptables-setup. So iptables rules will created like the debian packages did that. closes #1292 Change-Id: I6f31608c70b069b3584ad240b7eda10e59c94e4b --- el/ngcp-rtpengine-iptables-setup | 101 +++++++++++++++++++++++++++++++ el/rtpengine.service | 12 ++-- el/rtpengine.spec | 4 ++ 3 files changed, 110 insertions(+), 7 deletions(-) create mode 100755 el/ngcp-rtpengine-iptables-setup 
diff --git a/el/ngcp-rtpengine-iptables-setup b/el/ngcp-rtpengine-iptables-setup
new file mode 100755
index 000000000..9fde5ff6f
--- /dev/null
+++ b/el/ngcp-rtpengine-iptables-setup
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+TABLE=0
+MODNAME=xt_RTPENGINE
+MANAGE_IPTABLES=yes
+
+DEFAULTS=/etc/sysconfig/rtpengine
+
+# Load startup options if available
+if [ -f "$DEFAULTS" ]; then
+ . "$DEFAULTS" || true
+fi
+
+MODPROBE_OPTIONS=""
+
+# Handle requested setuid/setgid.
+if ! test -z "$SET_USER"; then
+ PUID=$(id -u "$SET_USER" 2> /dev/null)
+ test -z "$PUID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_uid=$PUID"
+ if test -z "$SET_GROUP"; then
+ PGID=$(id -g "$SET_USER" 2> /dev/null)
+ test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+ fi
+fi
+
+if ! test -z "$SET_GROUP"; then
+ PGID=$(grep "^$SET_GROUP:" /etc/group | cut -d: -f3 2> /dev/null)
+ test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
+fi
+
+###
+
+if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then
+ if ngcp-virt-identify --type container; then
+ VIRT="yes"
+ fi
+fi
+
+firewall_setup()
+{
+ if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+ return
+ fi
+
+ if [ "$MANAGE_IPTABLES" != "yes" ]; then
+ return
+ fi
+
+ # shellcheck disable=SC2086
+ modprobe $MODNAME $MODPROBE_OPTIONS
+
+ iptables -N rtpengine 2>/dev/null
+ iptables -D INPUT -j rtpengine 2>/dev/null
+ iptables -D INPUT -p udp -j rtpengine 2>/dev/null
+ iptables -I INPUT -p udp -j rtpengine
+ iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+ ip6tables -N rtpengine 2>/dev/null
+ ip6tables -D INPUT -j rtpengine 2>/dev/null
+ ip6tables -D INPUT -p udp -j rtpengine 2>/dev/null
+ ip6tables -I INPUT -p udp -j rtpengine
+ ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ ip6tables -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
+}
+
+firewall_teardown()
+{
+ if [ "$TABLE" -lt 0 ] || [ "$VIRT" = "yes" ]; then
+ return
+ fi
+
+ # XXX: Wait a bit to make sure the daemon has been stopped.
+ sleep 1
+
+ if [ -e /proc/rtpengine/control ]; then
+ echo "del $TABLE" >/proc/rtpengine/control 2>/dev/null
+ fi
+
+ if [ "$MANAGE_IPTABLES" != "yes" ]; then
+ return
+ fi
+
+ iptables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+ ip6tables -D rtpengine -p udp -j RTPENGINE --id "$TABLE" 2>/dev/null
+}
+
+case "$1" in
+ start)
+ firewall_setup
+ ;;
+ stop)
+ firewall_teardown
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/el/rtpengine.service b/el/rtpengine.service
index 64709669f..ce373da1d 100644
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
@@ -1,17 +1,15 @@
[Unit]
-Description=NGCP RtpEngine - RTP Media Proxy
-Wants=network-online.target
+Description=NGCP RTP/media Proxy Daemon
After=network-online.target
[Service]
Type=forking
-User=ngcp-rtpengine
-Group=daemon
-Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
EnvironmentFile=/etc/sysconfig/rtpengine
+Environment=CFGFILE=/etc/rtpengine/rtpengine.conf
PIDFile=/run/rtpengine.pid
-ExecStart=/usr/sbin/rtpengine --config-file=${CFGFILE} --interface=${INTERFACE} --listen-ng=${LISTEN_UDP} --log-facility=${LOG_FACILITY} --log-level=${LOG_LEVEL}
-Restart=on-failure
+ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
+ExecStart=/usr/sbin/rtpengine --no-log-timestamps --pidfile=${PIDFile} --config-file=${CFGFILE} --table=${TABLE}
+ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop
[Install]
WantedBy=multi-user.target
diff --git a/el/rtpengine.spec b/el/rtpengine.spec
index 0deaa3d5b..3964248b4 100644
--- a/el/rtpengine.spec
+++ b/el/rtpengine.spec
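Review bot: firewall_setup() never reports failure: the exit status of `modprobe` and of the four `iptables -I`/`ip6tables -I` calls is discarded and the script always ends in `exit 0`, so a missing xt_RTPENGINE module or a rejected rule leaves ExecStartPre successful and rtpengine starting without the kernel rules that `--table=${TABLE}` tells it to rely on. The module load and at least the IPv4 inserts should abort the script with a non-zero status (see below); the ip6tables calls are left best-effort here because IPv6 may be disabled on the host. Two smaller points: `grep "^$SET_GROUP:" /etc/group` treats a value read from the sourced sysconfig file as a regex and its `2> /dev/null` only covers `cut`, which `PGID=$(getent group "$SET_GROUP" 2>/dev/null | cut -d: -f3)` avoids, and because the script sources /etc/sysconfig/rtpengine as root that file must stay root-owned and not group- or world-writable. firewall_teardown() also removes only the RTPENGINE rule and leaves the `rtpengine` chain and its INPUT jump in place, which presumably mirrors the Debian helper but deserves a comment saying so.
```sh
# … unchanged: TABLE / VIRT / MANAGE_IPTABLES guards …
# shellcheck disable=SC2086
if ! modprobe $MODNAME $MODPROBE_OPTIONS; then
    echo "$0: cannot load kernel module $MODNAME" >&2
    exit 1
fi
# … unchanged: iptables -N / -D housekeeping …
iptables -I INPUT -p udp -j rtpengine || exit 1
# … unchanged: iptables -D of the old RTPENGINE rule …
iptables -I rtpengine -p udp -j RTPENGINE --id "$TABLE" || exit 1
# … unchanged: ip6tables rules, left best-effort since IPv6 may be disabled …
```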
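Review bot: Removing `User=ngcp-rtpengine` and `Group=daemon` makes the rtpengine daemon itself run as root, even though only the new ExecStartPre/ExecStopPost helper needs root for modprobe and iptables. systemd 219 on CentOS 7 already has `PermissionsStartOnly=true`, which applies User=/Group= to ExecStart only, so the unit could keep the unprivileged user for the daemon while the helper runs as root; the helper's SET_USER/SET_GROUP to proc_uid/proc_gid handling looks intended for exactly that split, though the PID file location would then have to be writable by that user (e.g. `RuntimeDirectory=rtpengine` with `PIDFile=/run/rtpengine/rtpengine.pid`), and whether rtpengine needs root for anything else is not visible here. Dropping `Wants=network-online.target` also turns `After=network-online.target` into a pure ordering that nothing pulls in, so the ordering guarantee the old unit had is lost. Finally, `${PIDFile}` in ExecStart is an environment expansion, not a reference to the `PIDFile=` directive, so it is empty unless /etc/sysconfig/rtpengine defines it; `--pidfile=/run/rtpengine.pid` would remove that hidden dependency.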
@@ -124,6 +124,8 @@ install -D -p -m755 recording-daemon/%{binname}-recording %{buildroot}%{_sbindir
%if 0%{?has_systemd_dirs}
install -D -p -m644 el/%{binname}.service \
%{buildroot}%{_unitdir}/%{binname}.service
+install -D -p -m755 el/ngcp-rtpengine-iptables-setup \
+ %{buildroot}%{_sbindir}/ngcp-rtpengine-iptables-setup
%else
install -D -p -m755 el/%{binname}.init \
%{buildroot}%{_initrddir}/%{name}
@@ -237,6 +239,8 @@ true
# init.d script and configuration file
%if 0%{?has_systemd_dirs}
%{_unitdir}/%{binname}.service
+# Systemd iptables setup
+%{_sbindir}/ngcp-rtpengine-iptables-setup
%else
%{_initrddir}/%{name}
%endif