1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
#!/bin/bash
#
# rtpengine Startup script for NGCP rtpengine
#
# chkconfig: 345 84 16
# description: NGCP rtpengine
#
# processname: rtpengine
# config: /etc/sysconfig/rtpengine
# pidfile: /run/rtpengine.pid
#
### BEGIN INIT INFO
# Provides: rtpengine
# Required-Start: $local_fs $network
# Short-Description: NGCP rtpengine
# Description: NGCP rtpengine
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
# defaults
if [ -f /etc/sysconfig/rtpengine ]
then
. /etc/sysconfig/rtpengine
else
echo "Error: /etc/sysconfig/rtpengine not present" >&2
exit 6
fi
rtpengine=/usr/bin/rtpengine
prog=rtpengine
pidfile=${PIDFILE-/run/rtpengine.pid}
lockfile=${LOCKFILE-/var/lock/subsys/rtpengine}
cachefile=/var/lib/ngcp-rtpengine/rtpengine.cfg
TABLE=$(/usr/sbin/rtpengine-get-table --config-file="${CONFIG_FILE-/etc/rtpengine/rtpengine.conf}")
PIDFILE=${pidfile}
RETVAL=0
OPTS=""
build_opts() {
# kernel table
MODULE=0
# the variable from the config is the source of truth
if [[ -n "$TABLE" ]];then
if [[ $TABLE -ge 0 ]];then
MODULE=1
fi
fi
# options
[[ "$FORK" == "no" ]] && OPTS+=" --foreground"
[ -z "$CONFIG_FILE" ] || OPTS+=" --config-file=$CONFIG_FILE"
[ -z "$CONFIG_SECTION" ] || OPTS+=" --config-section=$CONFIG_SECTION"
[ -z "$PIDFILE" ] || OPTS+=" --pidfile=$PIDFILE"
}
start() {
build_opts
if [[ $MODULE == 1 ]];then
echo "Loading module for in-kernel packet forwarding"
rmmod xt_RTPENGINE 2> /dev/null
if [[ -n "$SET_USER" ]];then
if [[ -n "$SET_GROUP" ]];then
proc_gid="$(grep "^$SET_GROUP:" /etc/group | cut -f3 -d:)"
else
proc_gid="$(id "$SET_USER" -g)"
fi
modprobe xt_RTPENGINE proc_uid="$(id "$SET_USER" -u)" proc_gid="$proc_gid"
else
modprobe xt_RTPENGINE
fi
if firewall-cmd --state 2>/dev/null ; then
# Using firewalld
# Need to check if the INPUT_prefilter chain is present (permanently)
if ! firewall-cmd --permanent --direct --query-chain ipv4 filter INPUT_prefilter > /dev/null; then
firewall-cmd --permanent --direct --add-chain ipv4 filter INPUT_prefilter
firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I INPUT -j INPUT_prefilter
firewall-cmd --reload
fi
firewall-cmd --direct --add-chain ipv4 filter rtpengine
firewall-cmd --direct --add-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
firewall-cmd --direct --add-rule ipv4 filter rtpengine 0 -p udp -j RTPENGINE --id "$TABLE"
firewall-cmd --direct --add-rule ipv6 filter rtpengine 0 -p udp -j RTPENGINE --id "$TABLE"
firewall-cmd --reload
else
for fw in iptables ip6tables;do
# We insert the rtpengine rule at the top of the input chain
if ! $fw -t filter -C INPUT -j rtpengine 2> /dev/null; then
$fw -N rtpengine
$fw -t filter -I INPUT -j rtpengine
fi
if ! $fw -I rtpengine -p udp -j RTPENGINE --id "$TABLE" 2> /dev/null; then
$fw -I rtpengine -p udp -j RTPENGINE --id "$TABLE"
fi
done
fi
cat <<EOF > "$cachefile"
CUR_TABLE=$TABLE
EOF
fi
echo -n $"Starting $prog: "
if [[ -n "$SET_USER" ]];then
# shellcheck disable=SC2086
daemon --user "$SET_USER" --pidfile="${pidfile}" "$rtpengine" $OPTS
else
# shellcheck disable=SC2086
daemon --pidfile="${pidfile}" "$rtpengine" $OPTS
fi
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch "${lockfile}"
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc -p "${pidfile}" "$rtpengine"
RETVAL=$?
echo
if [ -f "$cachefile" ];then
. "$cachefile"
echo "Unloading module for in-kernel packet forwarding"
echo "del $TABLE" > /proc/rtpengine/control
if firewall-cmd --state 2>/dev/null; then
firewall-cmd --direct --remove-rules ipv4 filter rtpengine
firewall-cmd --direct --remove-rules ipv6 filter rtpengine
firewall-cmd --direct --remove-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
firewall-cmd --direct --remove-chain ipv4 filter rtpengine
firewall-cmd --reload
else
for fw in iptables ip6tables;do
$fw -D rtpengine -p udp -j RTPENGINE --id "$CUR_TABLE"
$fw -t filter -D INPUT -j rtpengine
$fw -X rtpengine
done
fi
rmmod xt_RTPENGINE
rm -f "$cachefile"
fi
[ $RETVAL = 0 ] && rm -f "${lockfile}" "${pidfile}"
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status -p "${pidfile}" "$rtpengine"
RETVAL=$?
;;
restart)
stop
start
;;
condrestart|try-restart)
if status -p "${pidfile}" "$rtpengine" >&/dev/null; then
stop
start
fi
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|status}"
RETVAL=2
esac
exit $RETVAL
|
