Merge "firewall: periodically re-resolve NTP servers"
diff --git a/fs/skeleton/bin/update-ntp-filters b/fs/skeleton/bin/update-ntp-filters
new file mode 100755
index 0000000..9625b78
--- /dev/null
+++ b/fs/skeleton/bin/update-ntp-filters
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. /etc/utils.sh
+
+FAILURE_DELAY="30"
+SUCCESS_DELAY="900"
+
+while :; do
+ ip46tables -F captive-portal-ntp
+
+ code="0"
+ for dst in $@; do
+ echo "Updating ntp server: $dst"
+ ip46tables -A captive-portal-ntp -p udp -d "$dst" --dport ntp -j ACCEPT
+ code=$(( $code | $? ))
+ done
+
+ if [ "$code" -eq "0" ]; then
+ echo "Success. Next update in $SUCCESS_DELAY s."
+ sleep "$SUCCESS_DELAY"
+ else
+ echo "Failure! Trying again in $FAILURE_DELAY s."
+ sleep "$FAILURE_DELAY"
+ fi
+done
diff --git a/fs/skeleton/etc/init.d/S41portal_firewall b/fs/skeleton/etc/init.d/S41portal_firewall
index eb0f706..bce1c8c 100755
--- a/fs/skeleton/etc/init.d/S41portal_firewall
+++ b/fs/skeleton/etc/init.d/S41portal_firewall
@@ -4,17 +4,17 @@
# Servers used by CPE on the other side of the captive portal.
IP4_DNS="8.8.8.8 8.8.4.4"
IP6_DNS="2001:4860:4860::8888 2001:4860:4860::8844"
-# TODO(b/29131559): allow NTP servers to be dynamically updated
-NTP="216.239.32.15 216.239.34.15 216.239.36.15 216.239.38.15"
+NTP_SERVERS="time1.google.com time2.google.com time3.google.com time4.google.com"
has_iptables() {
runnable iptables && iptables -L 2>/dev/null
}
flush() {
- ip46tables -F captive-portal-input
- ip46tables -F captive-portal-filter
ip46tables -F captive-portal-guests
+ ip46tables -F captive-portal-filter
+ ip46tables -F captive-portal-ntp
+ ip46tables -F captive-portal-input
}
case "$1" in
@@ -59,13 +59,12 @@
ip6tables -A captive-portal-filter -p icmpv6 -d $dst --icmpv6-type echo-request -j ACCEPT
done
- for dst in $NTP; do
- iptables -A captive-portal-filter -p udp -d $dst --dport ntp -j ACCEPT
- done
+ nice babysit 60 update-ntp-filters $NTP_SERVERS 2>&1 | logos update-ntp-filters &
fi
;;
stop)
if has_iptables && is-network-box; then
+ pkillwait -x update-ntp-filters
flush
fi
;;
diff --git a/fs/skeleton/etc/init.d/firewall b/fs/skeleton/etc/init.d/firewall
index 8261889..f4d718a 100755
--- a/fs/skeleton/etc/init.d/firewall
+++ b/fs/skeleton/etc/init.d/firewall
@@ -149,6 +149,7 @@
# what services we're trying to provide with it.
ip46tables -N captive-portal-guests
ip46tables -N captive-portal-filter
+ ip46tables -N captive-portal-ntp
ip46tables -N captive-portal-input
ip46tables -N acs-captive-portal-input
ip46tables -N sniproxy-input
@@ -177,6 +178,7 @@
ip46tables -A FORWARD -i br1 -o wan0+ -j captive-portal-guests
ip46tables -A FORWARD -i br1 -o wan0+ -j captive-portal-filter
+ ip46tables -A FORWARD -i br1 -o wan0+ -j captive-portal-ntp
for ifc in lo br0; do
ip46tables -A INPUT -i "$ifc" -j ACCEPT