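#!/bin/sh
# vim: syntax=sh ts=4 sw=4 sts=4 sr noet
# postinst script for arno-iptables-firewall
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# start up debconf here.
# why? see https://manpages.debian.org/testing/debconf-doc/debconf-devel.7.en.html, paragraph HACKS.
. /usr/share/debconf/confmodule
db_version 2.0

# Make a debconf answer safe to splice into the sed replacement texts and
# the double-quoted assignments written by aif_configure.
# Newlines become blanks, and the characters " $ ` \ # & are dropped:
#   - '#' is the sed delimiter used by aif_configure,
#   - '&' and '\' are special inside a sed replacement,
#   - '"', '$', '`' and '\' would terminate or expand inside a double-quoted
#     VAR="..." assignment (the config file uses shell-style assignments;
#     presumably the firewall script sources it as root - confirm).
# None of these characters is part of an interface name, port list or
# network in CIDR notation, so well-formed answers pass through unchanged.
# Arguments: $1 - raw value as returned by db_get
# Outputs:   sanitized value on stdout
aif_sanitize () {
	printf '%s' "$1" | tr '\n' ' ' | tr -d '"$`\\#&'
}

# configuration specific to arno-iptables-firewall encapsulated in a function.
# Reads the answers from debconf and, if debconf management is wanted,
# writes them into the conf.d snippet $CFG (creating it when missing).
aif_configure () {
	# store debconf generated configuration here
	CFG=/etc/arno-iptables-firewall/conf.d/00debconf.conf

	# query all vars from debconf

	# most important: is debconf management requested
	db_get arno-iptables-firewall/debconf-wanted
	if [ "$RET" = "true" ]; then
		# debconf is welcome: look whether there is a config file and
		# recreate the config file if missing
		if [ ! -e "$CFG" ]; then
			# The delimiter is quoted so the template is written literally;
			# it contains nothing that should be expanded.
			cat > "$CFG" <<'EOT'
#######################################################################
# Feel free to edit this file. However, be aware that debconf writes  #
# to (and reads from) this file too. In case of doubt, only use       #
# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
# If you really don't want to use debconf, or if you have specific    #
# needs, you're likely better off using placing an additional         #
# configuration snippet into/etc/arno-iptables-firewall/conf.d/.      #
# Also see README.Debian.                                             #
#######################################################################
EXT_IF=""
EXT_IF_DHCP_IP=0
OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0
EOT
		fi

		# Every free-text answer goes through aif_sanitize before it is
		# used: the values end up both in sed expressions and in the
		# generated configuration file.

		# query the names of the external interfaces from debconf
		db_get arno-iptables-firewall/config-ext-if
		DC_EXT_IF=$(aif_sanitize "$RET")

		# query the DHCP status from debconf
		db_get arno-iptables-firewall/dynamic-ip
		if [ "$RET" = "true" ]; then
			DC_EXT_IF_DHCP_IP=1
		else
			DC_EXT_IF_DHCP_IP=0
		fi

		# query the external services from debconf
		db_get arno-iptables-firewall/services-tcp
		DC_OPEN_TCP=$(aif_sanitize "$RET")
		db_get arno-iptables-firewall/services-udp
		DC_OPEN_UDP=$(aif_sanitize "$RET")

		# query the NAT status from debconf
		db_get arno-iptables-firewall/nat
		if [ "$RET" = "true" ]; then
			DC_NAT=1
		else
			DC_NAT=0
		fi

		# query the internal network interfaces from debconf
		db_get arno-iptables-firewall/config-int-if
		DC_INT_IF=$(aif_sanitize "$RET")

		# query the internal networks from debconf
		db_get arno-iptables-firewall/config-int-net
		DC_INTERNAL_NET=$(aif_sanitize "$RET")

		# query the internal networks with access to the external world from debconf
		db_get arno-iptables-firewall/config-int-nat-net
		DC_NAT_INTERNAL_NET=$(aif_sanitize "$RET")

		# allow the whole internal net for NAT if this was left empty
		if [ -z "$DC_NAT_INTERNAL_NET" ] && [ "$DC_NAT" = "1" ]; then
			DC_NAT_INTERNAL_NET="$DC_INTERNAL_NET"
		fi

		# query the 'pingable' status from debconf
		db_get arno-iptables-firewall/icmp-echo
		if [ "$RET" = "true" ]; then
			DC_OPEN_ICMP=1
		else
			DC_OPEN_ICMP=0
		fi

		# make a backup conf file
		# (cp -p keeps mode and ownership, so the working copy is no more
		# readable than the config file itself)
		cp -dpf "$CFG" "$CFG.tmp"

		# check that all vars are in the debconf file
		# If the admin deleted or commented some variables but then set
		# them via debconf, (re-)add them to the conffile.
		test -z "$DC_EXT_IF" || grep -Eq '^ *EXT_IF=' "$CFG.tmp" || echo "EXT_IF=" >> "$CFG.tmp"
		test -z "$DC_EXT_IF_DHCP_IP" || grep -Eq '^ *EXT_IF_DHCP_IP=' "$CFG.tmp" || echo "EXT_IF_DHCP_IP=" >> "$CFG.tmp"
		test -z "$DC_OPEN_TCP" || grep -Eq '^ *OPEN_TCP=' "$CFG.tmp" || echo "OPEN_TCP=" >> "$CFG.tmp"
		test -z "$DC_OPEN_UDP" || grep -Eq '^ *OPEN_UDP=' "$CFG.tmp" || echo "OPEN_UDP=" >> "$CFG.tmp"
		test -z "$DC_NAT" || grep -Eq '^ *NAT=' "$CFG.tmp" || echo "NAT=" >> "$CFG.tmp"
		test -z "$DC_INT_IF" || grep -Eq '^ *INT_IF=' "$CFG.tmp" || echo "INT_IF=" >> "$CFG.tmp"
		test -z "$DC_INTERNAL_NET" || grep -Eq '^ *INTERNAL_NET=' "$CFG.tmp" || echo "INTERNAL_NET=" >> "$CFG.tmp"
		test -z "$DC_NAT_INTERNAL_NET" || grep -Eq '^ *NAT_INTERNAL_NET=' "$CFG.tmp" || echo "NAT_INTERNAL_NET=" >> "$CFG.tmp"
		test -z "$DC_OPEN_ICMP" || grep -Eq '^ *OPEN_ICMP=' "$CFG.tmp" || echo "OPEN_ICMP=" >> "$CFG.tmp"

		# now set the value from the debconf database
		# write values to config file.
		# use s### instead of s/// as *_NET variables may contain slashes
		# NOTE(review): $CFG is rewritten in place; if sed fails, set -e
		# aborts and leaves a truncated $CFG next to $CFG.tmp.
		sed -e "s#^ *EXT_IF=.*#EXT_IF=\"$DC_EXT_IF\"#" \
			-e "s#^ *EXT_IF_DHCP_IP=.*#EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP#" \
			-e "s#^ *OPEN_TCP=.*#OPEN_TCP=\"$DC_OPEN_TCP\"#" \
			-e "s#^ *OPEN_UDP=.*#OPEN_UDP=\"$DC_OPEN_UDP\"#" \
			-e "s#^ *NAT=.*#NAT=$DC_NAT#" \
			-e "s#^ *INT_IF=.*#INT_IF=\"$DC_INT_IF\"#" \
			-e "s#^ *INTERNAL_NET=.*#INTERNAL_NET=\"$DC_INTERNAL_NET\"#" \
			-e "s#^ *NAT_INTERNAL_NET=.*#NAT_INTERNAL_NET=\"$DC_NAT_INTERNAL_NET\"#" \
			-e "s#^ *OPEN_ICMP=.*#OPEN_ICMP=$DC_OPEN_ICMP#" \
			< "$CFG.tmp" > "$CFG"

		# drop the working copy
		rm -f "$CFG.tmp"
	fi # debconf wanted
}

# (re-)start the firewall via systemd or sysvinit.
# start with new configuration if wanted, else no service is (re-)started
# and an already active service keeps running with its original configuration.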
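aif_restart () {
	# Only act when the admin agreed to a restart in debconf.
	db_get arno-iptables-firewall/restart
	if [ "$RET" = "true" ]; then
		# A failed restart must not fail the package configuration, but
		# it is reported on stderr: a firewall that did not come up
		# should not go unnoticed. (stdout is not used for messages.)
		if [ -d /run/systemd/system ]; then
			deb-systemd-invoke restart arno-iptables-firewall.service >/dev/null \
				|| echo "warning: restart of arno-iptables-firewall.service failed, please check the firewall state" >&2 \
				|| true
		else
			invoke-rc.d arno-iptables-firewall restart >/dev/null \
				|| echo "warning: restart of arno-iptables-firewall failed, please check the firewall state" >&2 \
				|| true
		fi
	fi
}

case "$1" in
	configure)
		# write the debconf answers to the config file, then register
		# the init script
		aif_configure "$@"
		update-rc.d arno-iptables-firewall defaults >/dev/null
		;;

	abort-upgrade|abort-remove|abort-deconfigure)
		;;

	*)
		echo "postinst called with unknown argument \`$1'" >&2
		exit 1
		;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

# Automatically added by dh_installsystemd/12
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask 'arno-iptables-firewall.service' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'arno-iptables-firewall.service'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'arno-iptables-firewall.service' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'arno-iptables-firewall.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installsystemd/12
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action 'arno-iptables-firewall.service' >/dev/null || true
	fi
fi
# End automatically added section

case "$1" in
	configure)
		# 'deb-systemd-invoke restart ...' requires the automatically
		# generated systemd related scripts already did their job. That's
		# why the re-starting is done here.
		# NOTE(review): on systemd hosts the generated section above
		# already starts or restarts the unit, whatever the answer to
		# arno-iptables-firewall/restart is - confirm this is intended.
		aif_restart "$@"
		;;

	abort-upgrade|abort-remove|abort-deconfigure)
		;;

	*)
		echo "postinst called with unknown argument \`$1'" >&2
		exit 1
		;;
esac

exit 0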