Persistent interface option (#1), finish hook

Added option to make interface persistent on container restarts and firewall rules are called once (no iptables mess). Added finish hooks to examples, added more debug output to scripts added a note on how to access container environment variables.

Author: SloCompTech

CHANGELOG.md

@@ -1,8 +1,10 @@
 # Changelog
 
-### 1.0.5 - Bugfix
+### 1.0.5 - Bugfix, finish hook
 
 - Fixed bug when running hooks (#3)
+- Added **finish** hook (which runs just before container exit)
+- Added **persistent interface** option, so interface is persistently present on device (if using host networking mode) and firewall setup rules are executed **only once** (no ip tables mess) (#1)
 
 ### 1.0.4 - IPv6 docs, improved wizards
 

README.md

@@ -70,6 +70,7 @@ services:
 |:-----------:|:----------:|
 |`-e PUID=1000`|for UserID - see below for explanation|
 |`-e PGID=1000`|for GroupID - see below for explanation|
+|`-o OVPN_PERINT=false`|Disable persistent TUN interface|
 |`-v /config`|All the config files including OpenVPNs reside here|
 
 See also: [EasyRSA](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md)  

root/app/lib/settings

@@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv bash
+
+#
+#   Settings functions
+#
+
+#
+#   Checks if TUN interface is supposed to be persistant
+#   @return 1 if persistant, 0 if not
+#
+function intPersistant() {
+    if [ ! -n "$OVPN_PERINT" ] || ([ "$OVPN_PERINT" != "true" ] && [ "$OVPN_PERINT" != "1" ]); then
+        return 0 # Not persistant by default
+    else
+        return 1 # Persistant
+    fi
+}
+
+#
+#   Checks if TUN interface exists already
+#   @return 0 if found, 1 if not found
+#
+function intTunExists() {
+    RES=`cat /proc/net/dev | grep tun0`
+    if [ -n "$RES" ]; then
+        return 0 # Found
+    else
+        return 1 # Not found
+    fi
+}

root/app/lib/utils

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
 
 #
 #   Additional functions
@@ -45,4 +45,16 @@ function arrayContains() {
 
     # Element not found
     return 0
+}
+
+#
+#   Function that makes sure, that script runs only once
+#   @param $1 ID
+#
+function run_once() {
+    if [ -f "$1" ]; then # Check if file (as flag) exists
+        exit 0
+    fi
+    touch $1 # Create flag
+    chown abc:abc $1 # Change permission
 }

root/defaults/example/README.md

@@ -41,6 +41,7 @@ config
 - **DO NOT** use any script running directives, because they are probably already set in `system.conf` (except `auth-user-pass-verify` is commented out), but use hooks directory.
 - **DO NOT** use log directives, because they are already set for `log` directory.
 - Please name your hooks as `<number>-<name>` to ensure order of execution.
+- If your hooks need access to container environment variables add `#!/usr/bin/with-contenv bash` at the top of the file.
 
 ### Wizard
 

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -1,8 +1,18 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
 
 #
 #   Network clear
 #
+echo "Clearing OpenVPN releated firewall rules"
 
 # Close OpenVPN port to outside
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"

root/defaults/example/config/basic_nat/hooks/finish/10-network.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
+
+#
+#   Network clear
+#
+echo "Clearing up basic firewall rules"
+
+# Accept everything from input
+ovpn-iptables -P INPUT ACCEPT
+
+# Delete: Allow established connection 
+ovpn-iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Delete: Allow ICMP ping request
+ovpn-iptables -D INPUT -p icmp --icmp-type 8 -j ACCEPT
+
+# Accept all forwarded traffic
+ovpn-iptables -P FORWARD ACCEPT

root/defaults/example/config/basic_nat/hooks/init/10-network.sh

@@ -1,8 +1,18 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Run only once if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    run_once "/config/hooks/init/10-network"
+fi
 
 #
 #   Network initialization
 #
+echo "Setting up basic firewall rules"
 
 #
 # Because default iptables rules are set to ACCEPT all connection, we need to put some

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -1,8 +1,18 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Run only once if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    run_once "/config/hooks/up/10-network"
+fi
 
 #
 #   Network initialization
 #
+echo "Setting up OpenVPN related firewall rules"
 
 # Open OpenVPN port to outside
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"

root/defaults/example/config/basic_nat_wlp/hooks/down/10-network.sh

@@ -1,8 +1,18 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
 
 #
 #   Network clear
 #
+echo "Clearing OpenVPN releated firewall rules"
 
 # Close OpenVPN port to outside
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"