fix receiving DNS packages

2018-11-23 16:46:19 +08:00 · 2018-11-23 16:46:19 +08:00 · 766aa9c727
commit 766aa9c727
parent 34e84c01b3
1 changed files with 39 additions and 28 deletions
--- a/67
+++ b/67
@ -257,39 +257,50 @@ function ufw-docker--raw-command() {
 }

 function ufw-docker--install() {
-	if ! ufw-docker--is-installed; then
-		err "Back up /etc/ufw/after.rules"
-		cp /etc/ufw/after.rules /etc/ufw/after.rules-ufw-docker~"$(date '+%Y-%m-%d-%H%M%S').bak"
-		cat <<-\EOF | tee -a /etc/ufw/after.rules
-		# BEGIN UFW AND DOCKER
-		*filter
-		:ufw-user-forward - [0:0]
-		:DOCKER-USER - [0:0]
-		-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-		-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-		-A DOCKER-USER -j RETURN -s 192.168.0.0/16
+	after_rules="/etc/ufw/after.rules"

-		-A DOCKER-USER -j ufw-user-forward
+	after_rules_tmp="$(mktemp)"
+	sed "/^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d" "$after_rules" > "$after_rules_tmp"
+	>> "${after_rules_tmp}" cat <<-\EOF
+	# BEGIN UFW AND DOCKER
+	*filter
+	:ufw-user-forward - [0:0]
+	:DOCKER-USER - [0:0]
+	-A DOCKER-USER -j RETURN -s 10.0.0.0/8
+	-A DOCKER-USER -j RETURN -s 172.16.0.0/12
+	-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-		-A DOCKER-USER -j DROP -d 192.168.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-		-A DOCKER-USER -j DROP -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-		-A DOCKER-USER -j DROP -d 172.16.0.0/12 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-		-A DOCKER-USER -j DROP -d 192.168.0.0/16 -p udp -m udp --dport 0:32767
-		-A DOCKER-USER -j DROP -d 10.0.0.0/8 -p udp -m udp --dport 0:32767
-		-A DOCKER-USER -j DROP -d 172.16.0.0/12 -p udp -m udp --dport 0:32767
+	-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-		-A DOCKER-USER -j RETURN
-		COMMIT
-		# END UFW AND DOCKER
-		EOF
-		err "Please restart UFW service manually."
+	-A DOCKER-USER -j ufw-user-forward
+
+	-A DOCKER-USER -j DROP -d 192.168.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
+	-A DOCKER-USER -j DROP -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
+	-A DOCKER-USER -j DROP -d 172.16.0.0/12 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
+	-A DOCKER-USER -j DROP -d 192.168.0.0/16 -p udp -m udp --dport 0:32767
+	-A DOCKER-USER -j DROP -d 10.0.0.0/8 -p udp -m udp --dport 0:32767
+	-A DOCKER-USER -j DROP -d 172.16.0.0/12 -p udp -m udp --dport 0:32767
+
+	-A DOCKER-USER -j RETURN
+	COMMIT
+	# END UFW AND DOCKER
+	EOF
+
+	if ! diff -u --color=auto "$after_rules" "$after_rules_tmp"; then
+	  after_rules_bak="${after_rules}-ufw-docker~$(date '+%Y-%m-%d-%H%M%S')~"
+	  err "\nBacking up $after_rules to $after_rules_bak"
+	  cp "$after_rules" "$after_rules_bak"
+	  cat "$after_rules_tmp" > "$after_rules"
+
+	  err "Please restart UFW service manually by using the following command:"
+	  if type systemctl &>/dev/null; then
+	    err "    sudo systemctl restart ufw"
+	  else
+	    err "    sudo service ufw restart"
+	  fi
 	fi
 }

-function ufw-docker--is-installed() {
-    grep "^# BEGIN UFW AND DOCKER\$" /etc/ufw/after.rules &>/dev/null
-}
-
 function ufw-docker--help() {
 	cat <<-EOF >&2
 	Usage:
@ -329,7 +340,7 @@ function remove_blank_lines() {
 }

 function err() {
-    echo "$@" >&2
+    echo -e "$@" >&2
 }

 function die() {