acme-common: support listen_port option
authorVladimir Kochnev <[email protected]>
Wed, 1 Oct 2025 17:48:01 +0000 (20:48 +0300)
committerToke Høiland-Jørgensen <[email protected]>
Thu, 2 Oct 2025 11:14:11 +0000 (13:14 +0200)
The listen_port option allows redefining the default port (80 or 443)
used by the standalone and alpn challenges.

It's also useful for other types of challenges which require
accepting a connection on some TCP port so we need to expose
it via nft as well.

Signed-off-by: Vladimir Kochnev <[email protected]>
net/acme-common/Makefile
net/acme-common/files/acme.init

index f8f4898143e370a197965e4806a636a197015e1a..6484e26a68245de296660ab07840f0d9a4534f19 100644 (file)
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=acme-common
-PKG_VERSION:=1.4.4
+PKG_VERSION:=1.4.5
 
 PKG_MAINTAINER:=Toke Høiland-Jørgensen <[email protected]>
 PKG_LICENSE:=GPL-3.0-only
index 594e320087aeca4700329a35d6521637f719a284..be29631917b78ad42ce20a04ef9b09f5a0acca28 100644 (file)
@@ -5,6 +5,7 @@ USE_PROCD=1
 run_dir=/var/run/acme
 export CHALLENGE_DIR=$run_dir/challenge
 export CERT_DIR=/etc/ssl/acme
+LAST_LISTEN_PORT=
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -14,14 +15,19 @@ LOG_TAG=acme
 
 extra_command "renew" "Start a certificate renew"
 
-cleanup() {
-       log debug "cleaning up"
+delete_nft_rule() {
        if [ "$NFT_HANDLE" ]; then
                # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
                nft delete rule inet fw4 input $NFT_HANDLE
+               NFT_HANDLE=
        fi
 }
 
+cleanup() {
+       log debug "cleaning up"
+       delete_nft_rule
+}
+
 load_options() {
        section=$1
 
@@ -79,6 +85,19 @@ load_options() {
                log warn "Please set \"option validation_method $validation_method\"."
        fi
        export validation_method
+
+       case "$validation_method" in
+       standalone)
+               config_get listen_port "$section" listen_port 80
+               ;;
+       alpn)
+               config_get listen_port "$section" listen_port 443
+               ;;
+       *)
+               config_get listen_port "$section" listen_port
+               ;;
+       esac
+       export listen_port
 }
 
 first_arg() {
@@ -96,11 +115,17 @@ get_cert() {
                mkdir -p "$CHALLENGE_DIR"
        fi
 
-       if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
-               if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
-                       return 1
+       if [ "$listen_port" != "$LAST_LISTEN_PORT" ]; then
+               delete_nft_rule
+
+               if [ "$listen_port" ]; then
+                       if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport "$listen_port" counter accept comment ACME | grep -o 'handle [0-9]\+'); then
+                               return 1
+                       fi
+                       log debug "added nft rule: $NFT_HANDLE"
                fi
-               log debug "added nft rule: $NFT_HANDLE"
+
+               LAST_LISTEN_PORT="$listen_port"
        fi
 
        load_credentials() {
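Review bot: listen_port is read from UCI in load_options (third hunk, after the `export validation_method` line) and passed to nft in get_cert as `tcp dport "$listen_port"` without being checked as a port number. The double quotes stop shell word splitting, but as far as I recall nft concatenates its argument vector into one string before parsing it, so a non-numeric value is interpreted as ruleset syntax rather than rejected as a bad port, and at best the failure surfaces only as an opaque nft error with get_cert returning 1. I would validate right after the new `esac`, e.g. `case "$listen_port" in '') ;; *[!0-9]*) log warn "invalid listen_port: $listen_port"; return 1 ;; *) [ "$listen_port" -le 65535 ] || { log warn "invalid listen_port: $listen_port"; return 1; } ;; esac`, assuming load_options' exit status is checked by its caller (load_options starts before the hunk, and get_cert both starts and ends outside the fourth hunk). A short comment above the new `if [ "$listen_port" != "$LAST_LISTEN_PORT" ]` block would also help, since the firewall rule is now inserted for every validation method that has listen_port set (alpn gets 443 by default), not only for standalone as before, and the debug log line does not make that visible.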