From 9f4e7726ec7df3a4388541a66895ed8495548dd1 Mon Sep 17 00:00:00 2001
From: Vladimir Kochnev
Date: Wed, 1 Oct 2025 20:48:01 +0300
Subject: [PATCH] acme-common: support listen_port option

listen_port option allows to redefine the default 80/443 port used in standalone/alpn challenges. It's also useful for other types of challenges which require accepting a connection on some TCP port so we need to expose it via nft as well.

Signed-off-by: Vladimir Kochnev
---
 net/acme-common/Makefile        |  2 +-
 net/acme-common/files/acme.init | 37 +++++++++++++++++++++++++++------
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile
index f8f4898143..6484e26a68 100644
--- a/net/acme-common/Makefile
+++ b/net/acme-common/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=acme-common
-PKG_VERSION:=1.4.4
+PKG_VERSION:=1.4.5
 PKG_MAINTAINER:=Toke Høiland-Jørgensen
 PKG_LICENSE:=GPL-3.0-only

diff --git a/net/acme-common/files/acme.init b/net/acme-common/files/acme.init
index 594e320087..be29631917 100644
--- a/net/acme-common/files/acme.init
+++ b/net/acme-common/files/acme.init
@@ -5,6 +5,7 @@ USE_PROCD=1
 run_dir=/var/run/acme
 export CHALLENGE_DIR=$run_dir/challenge
 export CERT_DIR=/etc/ssl/acme
+LAST_LISTEN_PORT=
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -14,14 +15,19 @@ LOG_TAG=acme
 extra_command "renew" "Start a certificate renew"
 
-cleanup() {
-	log debug "cleaning up"
+delete_nft_rule() {
 	if [ "$NFT_HANDLE" ]; then
 		# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
 		nft delete rule inet fw4 input $NFT_HANDLE
+		NFT_HANDLE=
 	fi
 }
 
+cleanup() {
+	log debug "cleaning up"
+	delete_nft_rule
+}
+
 load_options() {
 	section=$1
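Review bot: In `delete_nft_rule`, `NFT_HANDLE=` is cleared regardless of whether the preceding `nft delete rule inet fw4 input $NFT_HANDLE` succeeded, so a rule that could not be removed is forgotten rather than retried at `cleanup`, and the failure leaves nothing in the log. The practical effect is that an accept rule for a previous port can remain in the fw4 input chain after the script believes it is gone. A one-line diagnostic keeps the reset but makes the condition visible: `nft delete rule inet fw4 input $NFT_HANDLE || log warn "failed to delete nft rule $NFT_HANDLE"`. A short header comment on the new function, noting that it is also the only place the handle is reset, would help the next reader of `get_cert`.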
@@ -79,6 +85,19 @@ load_options() {
 		log warn "Please set \"option validation_method $validation_method\"."
 	fi
 	export validation_method
+
+	case "$validation_method" in
+	standalone)
+		config_get listen_port "$section" listen_port 80
+		;;
+	alpn)
+		config_get listen_port "$section" listen_port 443
+		;;
+	*)
+		config_get listen_port "$section" listen_port
+		;;
+	esac
+	export listen_port
 }
 
 first_arg() {
@@ -96,11 +115,17 @@ get_cert() {
 		mkdir -p "$CHALLENGE_DIR"
 	fi
 
-	if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
-		if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
-			return 1
+	if [ "$listen_port" != "$LAST_LISTEN_PORT" ]; then
+		delete_nft_rule
+
+		if [ "$listen_port" ]; then
+			if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport "$listen_port" counter accept comment ACME | grep -o 'handle [0-9]\+'); then
+				return 1
+			fi
+			log debug "added nft rule: $NFT_HANDLE"
 		fi
-		log debug "added nft rule: $NFT_HANDLE"
+
+		LAST_LISTEN_PORT="$listen_port"
 	fi
 
 load_credentials() {
--
2.30.2
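Review bot: `listen_port` is read from the UCI section in the new `case` without any check that it is a numeric port, yet the following hunk splices it into `nft -a -e insert rule inet fw4 input tcp dport "$listen_port" ...`, where nft parses its joined arguments as rule text, so a malformed value surfaces as an nft parse error instead of a clear configuration message. A guard after the `case` keeps such a value out of the rule: `case "$listen_port" in *[!0-9]*) log warn "ignoring invalid listen_port '$listen_port'"; listen_port= ;; esac`. Note also that the `alpn` arm now defaults to 443, so an accept rule is opened for tls-alpn challenges where the removed code in `get_cert` only did so for `standalone`; a one-line comment above the `case` stating that any non-empty `listen_port` is opened in the fw4 input chain for the duration of the run would make that intent explicit. `load_options` begins before this hunk.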
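Review bot: When the `nft insert` fails, `get_cert` returns after `delete_nft_rule` has already removed the previous rule but before `LAST_LISTEN_PORT` is updated, so a later section that uses the previous port evaluates `[ "$listen_port" != "$LAST_LISTEN_PORT" ]` as false and runs its challenge with no accept rule in place. Resetting the marker together with the rule keeps the two in step: add `LAST_LISTEN_PORT=` on the line directly after `delete_nft_rule` (clearing it inside `delete_nft_rule` would do the same). The `| grep -o 'handle [0-9]\+'` pipeline, carried over from the old code, also reports failure when nft did insert the rule but printed no matching handle, leaving an untracked rule behind; that deserves at least a comment on the line. `get_cert` begins before this hunk and `load_credentials` continues after it.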