]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - config/backup/backup.pl
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
24 NOW
="$(date "+%Y-%m-%d-%H:%M")"
28 for file
in /var/ipfire
/backup/addons
/includes/*; do
29 if [ -f
"${file}" ]; then
41 while read -r file
; do
42 # Skip any empty line (which will include /)
43 [ -n
"${file}" ] || continue
45 for file
in /${file
}; do
46 if [ -e
"${file}" ]; then
58 # Backup all addons first
60 for addon
in $(list_addons
); do
61 make_addon_backup
"${addon}"
64 # Backup using global exclude/include definitions
65 tar cvfz
"${filename}" -C
/ \
66 --exclude
-from
="/var/ipfire/backup/exclude" \
67 --exclude
-from
="/var/ipfire/backup/exclude.user" \
68 $(process_includes
"/var/ipfire/backup/include") \
69 $(process_includes
"/var/ipfire/backup/include.user") \
78 # remove all openvpn certs to prevent old unusable
79 # certificates being left in directory after a restore
80 rm
-f
/var/ipfire
/ovpn/certs
/*
83 if ! tar xvzpf
"${filename}" -C
/ \
84 --exclude
-from
="/var/ipfire/backup/exclude" \
85 --exclude
-from
="/var/ipfire/backup/exclude.user"; then
86 echo
"Could not extract backup" >&2
90 # Restart syslogd, httpd and suricata in case we've just loaded old logs
92 /bin/kill -HUP
`cat /var/run/suricata.pid 2> /dev/null` 2> /dev
/null
93 /bin/kill -HUP
`cat /var/run/syslogd.pid 2> /dev/null` 2> /dev
/null
95 # remove wrong vnstat tag file
96 rm
-f
/var/log/vnstat/tag
100 useradd
-c
'dhcpcd privsep user' \
101 -d
/run/dhcpcd
/chroot \
109 if [ -d
"/var/ipfire/outgoing" ]; then
112 for file
in /var/ipfire
/firewall/{config
,outgoing
} \
113 /var/ipfire
/fwhosts/custo
m{hosts,groups,networks}; do
115 chown nobody
:nobody
"${file}"
121 # Remove old configuration
122 rm
-rf
"/var/ipfire/outgoing"
126 if [ -d
"/var/ipfire/xtaccess" ]; then
127 : > /var/ipfire
/firewall/config
128 chown nobody
:nobody
"/var/ipfire/firewall/config"
133 # Remove old configuration
134 rm
-rf
"/var/ipfire/xtaccess"
138 if [ -d
"/var/ipfire/dmzholes" ] || [ -d
"/var/ipfire/portfw" ]; then
139 : > /var/ipfire
/firewall/config
140 chown nobody
:nobody
"/var/ipfire/firewall/config"
145 # Remove old configuration
146 rm
-rf
"/var/ipfire/dmzholes"
150 if [ -d
"/var/ipfire/portfw" ]; then
154 # Remove old configuration
155 rm
-rf
"/var/ipfire/portfw"
164 # Snort to suricata converter.
165 if [ -d
"/var/ipfire/snort" ]; then
169 # Remove old configuration directory.
170 rm
-rf
"/var/ipfire/snort"
173 # IDS multiple providers converter.
174 if [ -e
"/var/ipfire/suricata/rules-settings" ]; then
176 convert
-ids
-multiple
-providers
179 # IDS backend converter.
180 if [ -e
"/var/ipfire/suricata/oinkmaster.conf" ]; then
182 convert
-ids
-backend
-files
185 # Convert DNS settings
188 # move nobeeps if exist
189 [ -e
"/var/ipfire/ppp/nobeeps" ] && mv
/var/ipfire
/ppp/nobeeps
/var/ipfire
/red/nobeeps
191 # Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
192 sed
-i
's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire
/ovpn/server
.conf
/var/ipfire
/ovpn/n2nconf
/*/*.conf
195 /etc/fcron
.daily
/openvpn
-crl
-updater
197 # Update OpenVPN N2N Client Configs
198 ## Add providers legacy default line to n2n client config files
199 # Check if ovpnconfig exists and is not empty
200 if [ -s
/var/ipfire
/ovpn/ovpnconfig
]; then
201 # Identify all n2n connections
202 for y
in $(awk
-F
',' '/net/ { print $3 }' /var/ipfire
/ovpn/ovpnconfig
); do
203 # Add the legacy option to all N2N client conf files if it does not already exist
204 if [ $(grep -c
"Open VPN Client Config" /var/ipfire
/ovpn/n2nconf
/${y}/${y
}.conf
) -eq 1 ] ; then
205 if [ $(grep -c
"providers legacy default" /var/ipfire
/ovpn/n2nconf
/${y}/${y
}.conf
) -eq 0 ] ; then
206 echo
"providers legacy default" >> /var/ipfire
/ovpn/n2nconf
/${y}/${y
}.conf
212 #Update ovpnconfig to include pass or no-pass for old backup versions missing the entry
213 # Check if ovpnconfig exists and is not empty
214 if [ -s
/var/ipfire
/ovpn/ovpnconfig
]; then
215 # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
216 awk
'NR==1{print ""}1' /var/ipfire
/ovpn/ovpnconfig
> /var/ipfire
/ovpn/tmp_file
&& mv
/var/ipfire
/ovpn/tmp_file
/var/ipfire
/ovpn/ovpnconfig
217 # Make all N2N connections 'no-pass' since they do not use encryption
218 awk
'{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire
/ovpn/ovpnconfig
>> /var/ipfire
/ovpn/ovpnconfig
.new
219 # Evaluate roadwarrior connection names for *.p12 files
220 for y
in $(awk
-F
',' '/host/ { print $3 }' /var/ipfire
/ovpn/ovpnconfig
); do
221 # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
222 if [[ -n
$(openssl pkcs12
-info
-in /var/ipfire
/ovpn/certs
/${y
}.p12
-noout
-password pass
:'' 2>&1 | grep 'Encrypted data') ]]; then
223 awk
-v var
="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire
/ovpn/ovpnconfig
>> /var/ipfire
/ovpn/ovpnconfig
.new
225 # Sort all encrypted roadwarriors out and set 'pass' in [43] index
226 if [[ -n
$(openssl pkcs12
-info
-in /var/ipfire
/ovpn/certs
/${y
}.p12
-noout
-password pass
:'' 2>&1 | grep 'verify error') ]]; then
227 awk
-v var
="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire
/ovpn/ovpnconfig
>> /var/ipfire
/ovpn/ovpnconfig
.new
231 # Replace existing ovpnconfig with updated index
232 mv
/var/ipfire
/ovpn/ovpnconfig
.new
/var/ipfire
/ovpn/ovpnconfig
233 # Set correct ownership
234 chown nobody
:nobody
/var/ipfire
/ovpn/ovpnconfig
236 # Generate new HTTPS RSA key if the existing is too small
237 KEYSIZE
=$(openssl rsa
-in /etc/httpd
/server.key -text -noout | sed -n 's/Private
-Key
:\
(\
(.*\
)\ bit
.*/\1/p')
238 if [ $KEYSIZE \< 2048 ]; then
239 openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
240 chmod 600 /etc/httpd/server.key
241 sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
242 openssl req -new -key /etc/httpd/server.key \
243 -out /etc/httpd/server.csr &>/dev/null
244 openssl x509 -req -days 999999 -sha256 \
245 -in /etc/httpd/server.csr \
246 -signkey /etc/httpd/server.key \
247 -out /etc/httpd/server.crt &>/dev/null
253 local filelist=( /var/log/logwatch/* /var/log/messages* /var/log/*.log /var/log/**/*.log )
255 echo "${filelist[@]}"
258 make_addon_backup() {
262 if [ ! -f "/var/ipfire/backup/addons/includes/${name}" ]; then
263 echo "${name} does not have any backup includes" >&2
267 local filename="/var/ipfire/backup/addons/backup/${name}.ipf"
269 tar cvzf "${filename}" \
270 $(process_includes "/var/ipfire/backup/addons/includes/${name}")
273 restore_addon_backup() {
276 if [ -d "/tmp/${name}.ipf" ]; then
277 mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf"
281 if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then
282 echo "Could not extract backup" >&2
293 local filename="${1}"
295 if [ -z "${filename}" ]; then
296 filename="/var/ipfire/backup/${NOW}.ipf"
299 make_backup "${filename}" $(find_logfiles)
303 local filename="${1}"
305 if [ -z "${filename}" ]; then
306 filename="/var/ipfire/backup/${NOW}.ipf"
309 make_backup "${filename}"
313 local filename="${1}"
315 if [ -z "${filename}" ]; then
316 filename="/tmp/restore.ipf"
319 restore_backup "${filename}"
323 make_addon_backup "$@"
327 restore_addon_backup "${1/.ipf/}"
331 # Desired backup filename
332 local filename="/var/ipfire/backup/${NOW}.ipf"
334 if make_backup "${filename}"; then
335 /usr/local/bin/backupiso "${NOW}"
340 mkdir -p /var/ipfire/backup/addons/{backup,includes}
344 process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
347 /var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
352 echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso]" >&2