fixes for github issues #35 and #36 plus a cleanup logging change

* check for iptables-legacy and use it if found
* stop letting systemd kill anything and manually send the TERM signal

Signed-off-by: Stephen Arnold <nerdboy@gentoo.org>

README.rst

@@ -86,7 +86,10 @@ Currently all web traffic (ie, ports 80 and 443) is routed over virtual
 network links to an "exit" peer (although other ports may be added/dropped
 in future releases).  In adhoc mode, the default network rules allow all
 traffic, however, only the ports above are automatically routed over FPN
-network links.  **Do** use ``https`` for everything (*especially* anything
+network links.  In peer mode *no* other TCP/UDP traffic is allowed between
+peers *except* the routed ports above.
+
+The general advice is: **do** use ``https`` for everything (*especially* anything
 sensitive/private) and **don't** use ``http`` for anything.  At all.  Period.
 
 * adhoc mode - *you* own the network link and the peers

bin/fpn0-down.sh

@@ -19,8 +19,15 @@ exec 2> >(tee -ia /tmp/fpn0-down-${DATE}_error.log)
 
 #VERBOSE="anything"
 
-# set allowed ports
-ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u"
+# set allowed ports (still TBD))
+ports_to_fwd="http https domain submission imaps ircs ircs-u"
+
+[[ -n $VERBOSE ]] && echo "Checking iptables binary..."
+IPTABLES=$(which iptables)
+HAS_LEGACY=$(which iptables-legacy)
+if [[ -n $HAS_LEGACY ]]; then
+    IPTABLES="${HAS_LEGACY}"
+fi
 
 [[ -n $VERBOSE ]] && echo "Checking kernel rp_filter setting..."
 RP_NEED="1"
@@ -103,11 +110,11 @@ if [[ -n $VERBOSE ]]; then
 fi
 
 [[ -n $VERBOSE ]] && echo "Deleting nat and mangle rules..."
-iptables -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS}
-iptables -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS}
+$IPTABLES -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS}
+$IPTABLES -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS}
 
-iptables -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1
-iptables -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1
+$IPTABLES -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1
+$IPTABLES -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1
 
 [[ -n $VERBOSE ]] && echo ""
 if ((failures < 1)); then

bin/fpn0-setup.sh

@@ -25,15 +25,15 @@ exec 2> >(tee -ia /tmp/fpn0-setup-${DATE}_error.log)
 
 #VERBOSE="anything"
 
-# set allowed ports
-ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u"
-
-#ZT_UP=$(/etc/init.d/zerotier status | grep -o started)
-#if [[ $ZT_UP != "started" ]]; then
-    #echo "FPN zerotier service is not running!!"
-    #echo "Please start the zerotier service and re-run this script."
-    #exit 1
-#fi
+# set allowed ports (still TBD))
+ports_to_fwd="http https domain submission imaps ircs ircs-u"
+
+[[ -n $VERBOSE ]] && echo "Checking iptables binary..."
+IPTABLES=$(which iptables)
+HAS_LEGACY=$(which iptables-legacy)
+if [[ -n $HAS_LEGACY ]]; then
+    IPTABLES="${HAS_LEGACY}"
+fi
 
 [[ -n $VERBOSE ]] && echo "Checking kernel rp_filter setting..."
 RP_NEED="2"
@@ -122,12 +122,12 @@ ip rule add fwmark 0x1 table "${TABLE_NAME}"
 sleep 2
 
 # Mark these packets so that ip can route web traffic through fpn0
-iptables -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1
-iptables -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1
+$IPTABLES -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1
+$IPTABLES -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1
 
 # now rewrite the src-addr using snat
-iptables -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS}
-iptables -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS}
+$IPTABLES -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS}
+$IPTABLES -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS}
 
 [[ -n $VERBOSE ]] && echo ""
 if ((failures < 1)); then

bin/fpn1-down.sh

@@ -21,19 +21,15 @@ exec 2> >(tee -ia /tmp/fpn1-setup-${DATE}_error.log)
 # uncomment for more output
 #VERBOSE="anything"
 
-# set allowed ports
-ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u"
-
-# uncomment AND set if you have a weird interface name that depends
-# on eth0 UP but null, eg, this is needed on espressobin
-#ETH0_NULL="lan1"
-
-#ZT_UP=$(/etc/init.d/zerotier status | grep -o started)
-#if [[ $ZT_UP != "started" ]]; then
-    #echo "FPN zerotier service is not running!!"
-    #echo "Please start the zerotier service and then re-run this script."
-    #exit 1
-#fi
+# set allowed ports (still TBD))
+ports_to_fwd="http https domain submission imaps ircs ircs-u"
+
+[[ -n $VERBOSE ]] && echo "Checking iptables binary..."
+IPTABLES=$(which iptables)
+HAS_LEGACY=$(which iptables-legacy)
+if [[ -n $HAS_LEGACY ]]; then
+    IPTABLES="${HAS_LEGACY}"
+fi
 
 zt_route_tgts=( $(ip route show | grep zt | cut -d" " -f3) )
 num_zt_tgts=${#zt_route_tgts[@]}
@@ -105,11 +101,11 @@ fi
 
 # setup nat/masq to forward outbound/return traffic
 [[ -n $VERBOSE ]] && echo "Deleting nat and forwarding rules..."
-iptables -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT
-iptables -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT
-iptables -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT
-iptables -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT
-iptables -t nat -D POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}"
+$IPTABLES -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT
+$IPTABLES -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT
+$IPTABLES -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT
+$IPTABLES -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT
+$IPTABLES -t nat -D POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}"
 
 #echo "Leaving FPN1 network..."
 #zerotier-cli leave "${ZT_SRC_NETID}"

bin/fpn1-setup.sh

@@ -24,25 +24,15 @@ exec 2> >(tee -ia /tmp/fpn1-setup-${DATE}_error.log)
 # uncomment for more output
 #VERBOSE="anything"
 
-# set allowed ports
-ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u"
-
-# uncomment AND set if you have a weird interface name that depends
-# on eth0 UP but null, eg, this is needed on espressobin
-#ETH0_NULL="lan1"
-
-#DISTRO=$(cat /etc/os-release | grep ^ID= | cut -f2 -d=)
-#if [[ $DISTRO == ubuntu || $DISTRO == debian ]]; then
-    #ZT_UP=$(service zerotier-one status | grep -o active)
-#else
-    #ZT_UP=$(/etc/init.d/zerotier status | grep -o started)
-#fi
-
-#if [[ $ZT_UP != "started" ]]; then
-    #[[ -n $VERBOSE ]] && echo "FPN zerotier service is not running!!"
-    #[[ -n $VERBOSE ]] && echo "Please start the zerotier service and then re-run this script."
-    #exit 1
-#fi
+# set allowed ports (still TBD))
+ports_to_fwd="http https domain submission imaps ircs ircs-u"
+
+[[ -n $VERBOSE ]] && echo "Checking iptables binary..."
+IPTABLES=$(which iptables)
+HAS_LEGACY=$(which iptables-legacy)
+if [[ -n $HAS_LEGACY ]]; then
+    IPTABLES="${HAS_LEGACY}"
+fi
 
 zt_route_tgts=( $(ip route show | grep zt | cut -d" " -f3) )
 num_zt_tgts=${#zt_route_tgts[@]}
@@ -114,11 +104,11 @@ else
 fi
 
 # setup nat/masq to forward outbound/return traffic
-iptables -t nat -A POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}"
-iptables -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT
-iptables -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT
-iptables -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT
-iptables -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT
+$IPTABLES -t nat -A POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}"
+$IPTABLES -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT
+$IPTABLES -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT
+$IPTABLES -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT
+$IPTABLES -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT
 
 [[ -n $VERBOSE ]] && echo ""
 if ((failures < 1)); then

etc/fpnd.service

@@ -5,11 +5,12 @@ After=zerotier-one.service
 
 [Service]
 ExecStart=/usr/lib/fpnd/fpnd.py start
-ExecStop=/usr/lib/fpnd/fpnd.py stop
+ExecStop=/bin/kill -TERM $MAINPID
+KillMode=none
 PIDFile=/run/fpnd.pid
-Type=simple
-Restart=on-failure
-RestartSec=5
+Type=forking
+TimeoutStartSec=5
+TimeoutStopSec=7
 
 [Install]
 WantedBy=multi-user.target

node_tools/node_funcs.py

@@ -123,7 +123,8 @@ def do_cleanup(path=None, addr=None):
                 logger.info('CLEANUP: shutting down {}'.format(iface))
                 cmd = get_net_cmds(path, iface)
                 res = do_net_cmd(cmd)
-                logger.info('CLEANUP: leaving network ID: {}'.format(state[net]))
+                logger.info('CLEANUP: {} shutdown returned {}'.format(iface, res))
+                # logger.info('CLEANUP: leaving network ID: {}'.format(state[net]))
                 res = run_ztcli_cmd(action='leave', extra=state[net])
                 logger.debug('CLEANUP: action leave returned: {}'.format(res))