Option to disable iptable REJECT target

New UFW_DISABLE_IPTABLES_REJECT option that hacks ufw to allow the prevention of the use of the REJECT iptables target, as this is not available on some NAS platforms (such as the Synology).
2018-07-17 17:00:29 +10:00
parent da0efcdfd3
commit cec73f96dd
6 changed files with 14 additions and 0 deletions
--- a/openvpn/start.sh
+++ b/openvpn/start.sh
@@ -92,9 +92,18 @@ function ufwAllowPortLong {
 }

 if [[ "${ENABLE_UFW,,}" == "true" ]]; then
+  if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
+    # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
+    sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
+    # force a rewrite on the enable below
+    echo "Disable and blank firewall"
+    ufw disable
+    echo "" > /etc/ufw/user.rules
+  fi
  # Enable firewall
  echo "enabling firewall"
  sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
+  sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw
  ufw enable

  if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then