moved from centos 7 to debian-bookworm

includes modifications in install.py and router.py

router.py

@@ -11,6 +11,7 @@ from serial import serial_for_url
 from subprocess import Popen, PIPE, check_output, call, DEVNULL
 from configparser import ConfigParser
 
+FIREWALL_CONF = '/etc/nftables.conf'
 
 class Log:
     DEBUG = 0
@@ -187,7 +188,7 @@ class Router(IoHandler):
             pass
         except Exception as e:
             msg = f'error in reply: {e!r}'
-            service.failures[service.port] = msg
+            self.service.failures[self.service.port] = msg
         self.close()
 
     def close(self):
@@ -330,7 +331,7 @@ class InfoHandler(IoHandler):
 
 class Service:
     """service handler
-    
+
     :param: port offered port for routing
     :param: addr where to route (or None for InfoHandler)
     :param: iocls the io handler class, currently TcpHandler, SerialHandler, InfoHandler
@@ -344,6 +345,7 @@ class Service:
     pending_connects = {}
     routes = {}
     failures = {}
+    firewall_ports = set()
     tmo = 5
 
     def __init__(self, port, addr, iocls, maxcount=None, handler_args=()):
@@ -358,6 +360,7 @@ class Service:
         self.handler_args = handler_args
         self.readers[s.fileno()] = self.accept
         self.port = port
+        self.firewall_ports.add(port)
         if addr:
             self.routes[port] = self  # not for InfoHandler
         if maxcount is None:
@@ -399,23 +402,38 @@ class Service:
             self.handlers[handler.fno] = handler
 
     @classmethod
-    def run(cls, routes, restrict=None):
-        if restrict is not None:
-            lines = BASIC % dict(accept='DROP' if restrict else 'ACCEPT')
-            unix_cmd('iptables -F')
-            for line in lines.split('\n'):
-                if line.strip():
-                    unix_cmd(line)
-            if restrict:
-                unix_cmd(FILTER % 22)
+    def change_firewall(cls):
+        pattern = re.compile('(tcp dport ({.*}) ct state new accept)', re.MULTILINE | re.DOTALL)
 
+        with open(FIREWALL_CONF) as f:
+            content = f.read()
+
+        try:
+            ((prevline, prevports),) = pattern.findall(content)
+        except TypeError:
+            raise ValueError(f'{FIREWALL_CONF} does not contain expected pattern for open ports')
+
+        # parse previous port set
+        prevportset = {int(p) for p in prevports[1:-1].split(',')}
+        # keep port numbers below 1024
+        ports = {p for p in prevportset if p < 1024} | set(cls.firewall_ports)
+        line = prevline.replace(prevports, '{ %s }' % ', '.join((str(p) for  p in sorted(ports))))
+        if prevportset != ports:
+            if os.geteuid() == 0:
+                with open('f{FIREWALL_CONF}.tmp', 'w') as f:
+                    f.write(content.replace(prevline, line))
+                os.rename('f{FIREWALL_CONF}.tmp', FIREWALL_CONF)
+                unix_cmd('systemctl enable --now nftables')
+            else:
+                print('need sudo rights to modify firewall')
+
+    @classmethod
+    def run(cls, routes):
         Service(1110, None, InfoHandler, 5, handler_args=(log.DEBUG,))
         Service(1111, None, InfoHandler, 5, handler_args=(log.INFO,))
         Service(1112, None, InfoHandler, 5, handler_args=(log.WARN,))
         for port, dest in routes.items():
             port = int(port)
-            if restrict:
-                unix_cmd(FILTER % port)
             if '/' in dest:
                 Service(port, dest, SerialHandler)
             else:
@@ -425,6 +443,7 @@ class Service:
                 else:
                     remoteport = port
                 Service(port, (host, remoteport), TcpHandler)
+        cls.change_firewall()
         while True:
             try:
                 # log.debug('select %r', list(cls.readers))
@@ -458,7 +477,7 @@ class Service:
 
 if __name__ == '__main__':
     parser = ConfigParser()
-    cfgfiles = glob('/root/aputools/servercfg/%s_*.cfg' % socket.gethostname())
+    cfgfiles = glob('/home/l_samenv/boxtools/cfg/%s_*.cfg' % socket.gethostname())
     if len(cfgfiles) != 1:
         raise ValueError('there must be one and only one single cfgfile %r' % cfgfiles)
     parser.read(cfgfiles[0])