From 348870bbb4a804ae884280c63f9272e637788731 Mon Sep 17 00:00:00 2001
From: Danila Vershinin
Date: Thu, 19 Dec 2024 23:03:48 +0800
Subject: [PATCH] Handle missing conntrack binary and clean up Dockerfile

Log a warning if the conntrack binary is missing to ensure graceful handling of the error and continued execution. Additionally, remove unnecessary commented-out systemd overrides in the Dockerfile to improve clarity and maintainability.
---
 fds/FirewallWrapper.py | 2 ++
 firewalld.Dockerfile | 8 --------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/fds/FirewallWrapper.py b/fds/FirewallWrapper.py
index 75565cf..6fd602a 100644
--- a/fds/FirewallWrapper.py
+++ b/fds/FirewallWrapper.py
@@ -186,6 +186,8 @@ def block_ip(self, ip, ipset_name=None, reload=True):
         from subprocess import CalledProcessError, check_output, STDOUT
         try:
             check_output(["/sbin/conntrack", "-D", "-s", str(ip)], stderr=STDOUT)
+        except FileNotFoundError:
+            log.warning('conntrack not found, skipping connection drop')
         except CalledProcessError as e:
             pass
 
diff --git a/firewalld.Dockerfile b/firewalld.Dockerfile
index 8c7d4d1..13c3597 100644
--- a/firewalld.Dockerfile
+++ b/firewalld.Dockerfile
@@ -20,12 +20,4 @@ RUN pip3 install .
 COPY firewalld-tests.sh firewalld-tests.sh
 RUN chmod +x firewalld-tests.sh
 
-## Override systemd defaults
-#RUN mkdir -p /etc/systemd/system/service.d
-#RUN echo '[Service]' > /etc/systemd/system/service.d/override.conf
-#RUN echo 'ExecStart=' >> /etc/systemd/system/service.d/override.conf
-#RUN echo 'ExecStart=/usr/lib/systemd/systemd' >> /etc/systemd/system/service.d/override.conf
-#
-#VOLUME [ "/sys/fs/cgroup" ]
-
 CMD ["/sbin/init"]
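Review bot: The new `except FileNotFoundError` branch in the FirewallWrapper.py hunk only covers a missing binary; a conntrack that exists but is not executable raises `PermissionError`, and one that runs but fails (for example without CAP_NET_ADMIN, a plausible state inside the container this repo builds) still lands in the untouched `except CalledProcessError as e: pass` and is silently ignored, so the caller cannot tell whether established flows from the blocked IP were actually torn down. Since the firewall rule added elsewhere in block_ip (its body starts and ends outside this hunk) presumably only stops new connections, silently skipping the flush leaves an attacker's existing sessions alive, which is the security-relevant outcome and should be stated in the log rather than the generic "skipping connection drop". I would widen the first handler to `except OSError as e:` with `log.warning('conntrack unavailable (%s); existing connections from %s were not dropped', e, ip)`, and replace the `pass` with `log.warning('conntrack -D failed for %s: %s', ip, e.output)` so a failing flush is visible in the same place. The hard-coded `/sbin/conntrack` is also worth a one-line comment, because on non-merged-/usr systems the binary lives in `/usr/sbin` and would hit the new branch on every block_ip call; keeping an absolute path instead of a PATH lookup is the right choice for a root daemon, but the comment should say that is deliberate.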