Tidying gnusocial utils

src/freedombone-utils-dns

@@ -131,7 +131,7 @@ function create_freedns_updater {
 }
 
 function add_ddns_domain {
-    if [ ! $1 ]; then
+    if [ ! "$1" ]; then
         echo $'ddns domain not specified'
         exit 5638
     fi
@@ -147,10 +147,10 @@ function add_ddns_domain {
         exit 5745
     fi
     if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then
-        echo '' >> /etc/inadyn.conf
-        echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf
-        echo '  ssl' >> /etc/inadyn.conf
-        echo "  checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf
+        { echo '';
+          echo "system $DDNS_PROVIDER";
+          echo '  ssl';
+          echo "  checkip-url $GET_IP_ADDRESS_URL /"; } >> /etc/inadyn.conf
         if [ $DDNS_USERNAME ]; then
             echo "  username $DDNS_USERNAME" >> /etc/inadyn.conf
         fi
@@ -168,7 +168,7 @@ function add_ddns_domain {
 }
 
 function remove_ddns_domain {
-    if [ ! $1 ]; then
+    if [ ! "$1" ]; then
         echo $'ddns domain not specified'
         exit 5638
     fi
@@ -203,14 +203,14 @@ function configure_dns {
     # allow changes to resolv.conf
     chattr -i $resolvconf
 
-    echo 'domain localdomain' > $resolvconf
-    echo 'search localdomain' >> $resolvconf
-    echo "nameserver $NAMESERVER1" >> $resolvconf
-    echo "nameserver $NAMESERVER2" >> $resolvconf
-    echo "nameserver $NAMESERVER3" >> $resolvconf
-    echo "nameserver $NAMESERVER4" >> $resolvconf
-    echo "nameserver $NAMESERVER5" >> $resolvconf
-    echo "nameserver $NAMESERVER6" >> $resolvconf
+    { echo 'domain localdomain';
+      echo 'search localdomain';
+      echo "nameserver $NAMESERVER1";
+      echo "nameserver $NAMESERVER2";
+      echo "nameserver $NAMESERVER3";
+      echo "nameserver $NAMESERVER4";
+      echo "nameserver $NAMESERVER5";
+      echo "nameserver $NAMESERVER6"; } > $resolvconf
 
     # prevent resolv.conf from changing
     resolvconf -u
@@ -222,7 +222,7 @@ function set_hostname {
     DEFAULT_DOMAIN_NAME="$1"
 
     echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname
-    hostname $DEFAULT_DOMAIN_NAME
+    hostname "$DEFAULT_DOMAIN_NAME"
     echo "$DEFAULT_DOMAIN_NAME" > /etc/mailname
 
     if grep -q "127.0.1.1" /etc/hosts; then
@@ -238,7 +238,7 @@ function set_your_domain_name {
     fi
 
     function_check set_hostname
-    set_hostname $DEFAULT_DOMAIN_NAME
+    set_hostname "$DEFAULT_DOMAIN_NAME"
 
     mark_completed "${FUNCNAME[0]}"
 }

src/freedombone-utils-filesystem

@@ -32,44 +32,45 @@ TOMB_REPO="https://github.com/dyne/Tomb"
 TOMB_COMMIT='c80ebd6d6ed77980eb5b559757e03ea13a29bdd1'
 
 function mesh_install_tomb {
-    chroot ${rootdir} apt-get -yq install cryptsetup zsh pinentry-curses
+    # shellcheck disable=SC2154
+    chroot "${rootdir}" apt-get -yq install cryptsetup zsh pinentry-curses
 
-    if [ ! -d ${rootdir}/$INSTALL_DIR ]; then
-        mkdir -p ${rootdir}/$INSTALL_DIR
+    if [ ! -d "${rootdir}/$INSTALL_DIR" ]; then
+        mkdir -p "${rootdir}/$INSTALL_DIR"
     fi
 
     if [ -d /repos/tomb ]; then
-        mkdir ${rootdir}/$INSTALL_DIR/tomb
-        cp -r -p /repos/tomb/. ${rootdir}/$INSTALL_DIR/tomb
-        cd ${rootdir}/$INSTALL_DIR/tomb
+        mkdir "${rootdir}/$INSTALL_DIR/tomb"
+        cp -r -p /repos/tomb/. "${rootdir}/$INSTALL_DIR/tomb"
+        cd "${rootdir}/$INSTALL_DIR/tomb" || exit 3648368
         git pull
     else
-        git_clone $TOMB_REPO ${rootdir}/$INSTALL_DIR/tomb
+        git_clone "$TOMB_REPO" "${rootdir}/$INSTALL_DIR/tomb"
     fi
 
-    cd ${rootdir}/$INSTALL_DIR/tomb
+    cd "${rootdir}/$INSTALL_DIR/tomb" || exit 7346384
 
     git checkout $TOMB_COMMIT -b $TOMB_COMMIT
 
-    chroot ${rootdir} /bin/bash -x <<EOF
+    chroot "${rootdir}" /bin/bash -x <<EOF
 cd $INSTALL_DIR/tomb
 make install
 EOF
-    if [ ! -f ${rootdir}/usr/local/bin/tomb ]; then
+    if [ ! -f "${rootdir}/usr/local/bin/tomb" ]; then
         exit 93462
     fi
 }
 
 function install_tomb {
-    if [ $INSTALLING_MESH ]; then
+    if [ "$INSTALLING_MESH" ]; then
         mesh_install_tomb
         return
     fi
 
     function_check set_repo_commit
-    set_repo_commit $INSTALL_DIR/tomb "tomb commit" "$TOMB_COMMIT" $TOMB_REPO
+    set_repo_commit "$INSTALL_DIR/tomb" "tomb commit" "$TOMB_COMMIT" "$TOMB_REPO"
 
-    if [ -f $COMPLETION_FILE ]; then
+    if [ -f "$COMPLETION_FILE" ]; then
         if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
             return
         fi
@@ -77,22 +78,22 @@ function install_tomb {
 
     apt-get -yq install cryptsetup zsh pinentry-curses
 
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir -p $INSTALL_DIR
+    if [ ! -d "$INSTALL_DIR" ]; then
+        mkdir -p "$INSTALL_DIR"
     fi
 
     if [ -d /repos/tomb ]; then
-        mkdir $INSTALL_DIR/tomb
-        cp -r -p /repos/tomb/. $INSTALL_DIR/tomb
-        cd $INSTALL_DIR/tomb
+        mkdir "$INSTALL_DIR/tomb"
+        cp -r -p /repos/tomb/. "$INSTALL_DIR/tomb"
+        cd "$INSTALL_DIR/tomb" || exit 7684638
         git pull
     else
-        git_clone $TOMB_REPO $INSTALL_DIR/tomb
+        git_clone "$TOMB_REPO" "$INSTALL_DIR/tomb"
     fi
 
-    cd $INSTALL_DIR/tomb
+    cd "$INSTALL_DIR/tomb" || exit 364863463
 
-    git checkout $TOMB_COMMIT -b $TOMB_COMMIT
+    git checkout "$TOMB_COMMIT" -b "$TOMB_COMMIT"
     set_completion_param "tomb commit" "$TOMB_COMMIT"
 
     make install

src/freedombone-utils-final

@@ -33,9 +33,9 @@ function install_final {
         return
     fi
     # unmount any attached usb drive
-    if [ -d $USB_MOUNT ]; then
-        umount $USB_MOUNT
-        rm -rf $USB_MOUNT
+    if [ -d "$USB_MOUNT" ]; then
+        umount "$USB_MOUNT"
+        rm -rf "$USB_MOUNT"
     fi
     function_check split_gpg_key_into_fragments
     split_gpg_key_into_fragments
@@ -63,32 +63,32 @@ $(get_ssh_server_key)
     echo ''
 
     # add user menu on ssh login
-    if ! grep -q 'controluser' /home/$MY_USERNAME/.bashrc; then
-        echo 'controluser' >> /home/$MY_USERNAME/.bashrc
+    if ! grep -q 'controluser' "/home/$MY_USERNAME/.bashrc"; then
+        echo 'controluser' >> "/home/$MY_USERNAME/.bashrc"
     fi
-    if [ ! -f $IMAGE_PASSWORD_FILE ]; then
-        if [ -f /root/${PROJECT_NAME}-wifi.cfg ]; then
+    if [ ! -f "$IMAGE_PASSWORD_FILE" ]; then
+        if [ -f "/root/${PROJECT_NAME}-wifi.cfg" ]; then
             create_wifi_startup_script
             echo ''
             echo $'Shutting down the system. Detatch the ethernet cable, attach wifi dongle, then power on again.'
             echo ''
-            ${PROJECT_NAME}-logging off --restart
+            "${PROJECT_NAME}-logging" off --restart
             systemctl poweroff
             return
         fi
         echo $'Turning off logging'
-        ${PROJECT_NAME}-logging off --restart
+        "${PROJECT_NAME}-logging" off --restart
         echo $'Rebooting the system'
         systemctl reboot -i
     fi
     echo $'Turning off logging'
-    ${PROJECT_NAME}-logging off --restart
+    "${PROJECT_NAME}-logging" off --restart
 }
 
 function update_installed_apps_list {
     # Why does this secondary file exist, apart from COMPLETION_FILE ?
     # It's so that it is visible to unprivileged users from the user control panel
-    cat $COMPLETION_FILE | grep "install_" > /usr/share/${PROJECT_NAME}/installed.txt
+    grep "install_" "$COMPLETION_FILE" > "/usr/share/${PROJECT_NAME}/installed.txt"
 }
 
 function create_default_user_removal_daemon {
@@ -96,31 +96,31 @@ function create_default_user_removal_daemon {
 
     first_start_daemon_filename=/etc/systemd/system/firststart.service
     first_start_script=/usr/local/bin/firststart
-    echo '#!/bin/bash' > $first_start_script
-    echo 'if [ -d /home/fbone]; then' >> $first_start_script
-    echo '    userdel -r fbone' >> $first_start_script
-    echo '    if [ -d /home/fbone]; then' >> $first_start_script
-    echo '        rm -rf /home/fbone' >> $first_start_script
-    echo '    fi' >> $first_start_script
-    echo 'fi' >> $first_start_script
-    echo 'systemctl disable firststart' >> $first_start_script
-    echo "rm $first_start_daemon_filename" >> $first_start_script
+    { echo '#!/bin/bash';
+      echo 'if [ -d /home/fbone]; then';
+      echo '    userdel -r fbone';
+      echo '    if [ -d /home/fbone]; then';
+      echo '        rm -rf /home/fbone';
+      echo '    fi';
+      echo 'fi';
+      echo 'systemctl disable firststart';
+      echo "rm $first_start_daemon_filename"; } > $first_start_script
     chmod +x $first_start_script
 
-    echo '[Unit]' > $first_start_daemon_filename
-    echo 'Description=Daemon run on first boot' >> $first_start_daemon_filename
-    echo 'After=syslog.target' >> $first_start_daemon_filename
-    echo 'After=network.target' >> $first_start_daemon_filename
-    echo '' >> $first_start_daemon_filename
-    echo '[Service]' >> $first_start_daemon_filename
-    echo 'User=root' >> $first_start_daemon_filename
-    echo 'Group=root' >> $first_start_daemon_filename
-    echo "ExecStart=$first_start_script" >> $first_start_daemon_filename
-    echo 'StandardOutput=syslog' >> $first_start_daemon_filename
-    echo 'StandardError=syslog' >> $first_start_daemon_filename
-    echo '' >> $first_start_daemon_filename
-    echo '[Install]' >> $first_start_daemon_filename
-    echo 'WantedBy=multi-user.target' >> $first_start_daemon_filename
+    { echo '[Unit]';
+      echo 'Description=Daemon run on first boot';
+      echo 'After=syslog.target';
+      echo 'After=network.target';
+      echo '';
+      echo '[Service]';
+      echo 'User=root';
+      echo 'Group=root';
+      echo "ExecStart=$first_start_script";
+      echo 'StandardOutput=syslog';
+      echo 'StandardError=syslog';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > $first_start_daemon_filename
     systemctl enable firststart
 }
 

src/freedombone-utils-firewall

@@ -47,7 +47,7 @@ function save_firewall_settings {
 }
 
 function firewall_block_bad_ip_ranges {
-    if [ $INSTALLING_MESH ]; then
+    if [ "$INSTALLING_MESH" ]; then
         return
     fi
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
@@ -135,13 +135,13 @@ function firewall_enable_vpn {
 }
 
 function configure_firewall {
-    if [ $INSTALLING_MESH ]; then
+    if [ "$INSTALLING_MESH" ]; then
         mesh_firewall
         return
     fi
     if grep -q "RELATED" /etc/firewall.conf; then
         # recreate the firewall to remove RELATED
-        sed -i "/firewall/d" $COMPLETION_FILE
+        sed -i "/firewall/d" "$COMPLETION_FILE"
     fi
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return
@@ -276,10 +276,10 @@ function configure_internet_protocol {
         echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
     fi
     if ! grep -q "keepalive" /etc/sysctl.conf; then
-        echo '# keepalive' >> /etc/sysctl.conf
-        echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
-        echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
-        echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
+        { echo '# keepalive';
+          echo 'net.ipv4.tcp_keepalive_probes = 9';
+          echo 'net.ipv4.tcp_keepalive_intvl = 75';
+          echo 'net.ipv4.tcp_keepalive_time = 7200'; } >> /etc/sysctl.conf
     fi
     if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
         echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
@@ -335,103 +335,100 @@ function configure_internet_protocol {
 }
 
 function mesh_firewall {
-    FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
+    # shellcheck disable=SC2154
+    FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
     MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
 
-    echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
-    echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-    echo '' >> $MESH_FIREWALL_SCRIPT
-    echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo '' >> $MESH_FIREWALL_SCRIPT
-    echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo '' >> $MESH_FIREWALL_SCRIPT
-    echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo '' >> $MESH_FIREWALL_SCRIPT
-    echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
-    echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
-    echo '' >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    chmod +x $MESH_FIREWALL_SCRIPT
-
-    echo '[Unit]' > $FIREWALL_FILENAME
-    echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
-    echo '' >> $FIREWALL_FILENAME
-    echo '[Service]' >> $FIREWALL_FILENAME
-    echo 'Type=oneshot' >> $FIREWALL_FILENAME
-    echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
-    echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
-    echo '' >> $FIREWALL_FILENAME
-    echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
-    echo '' >> $FIREWALL_FILENAME
-    echo '[Install]' >> $FIREWALL_FILENAME
-    echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
-    chmod +x $FIREWALL_FILENAME
+    { echo '#!/bin/bash';
+      echo 'iptables -P INPUT ACCEPT';
+      echo 'ip6tables -P INPUT ACCEPT';
+      echo 'iptables -F';
+      echo 'ip6tables -F';
+      echo 'iptables -t nat -F';
+      echo 'ip6tables -t nat -F';
+      echo 'iptables -X';
+      echo 'ip6tables -X';
+      echo 'iptables -P INPUT DROP';
+      echo 'ip6tables -P INPUT DROP';
+      echo 'iptables -A INPUT -i lo -j ACCEPT';
+      echo 'ip6tables -A INPUT -i lo -j ACCEPT';
+      echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
+      echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
+      echo '';
+      echo '# Make sure incoming tcp connections are SYN packets';
+      echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
+      echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
+      echo '';
+      echo '# Drop packets with incoming fragments';
+      echo 'iptables -A INPUT -f -j DROP';
+      echo 'ip6tables -A INPUT -f -j DROP';
+      echo '';
+      echo '# Drop bogons';
+      echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
+      echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
+      echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
+      echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
+      echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
+      echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
+      echo '';
+      echo '# Incoming malformed NULL packets:';
+      echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
+      echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
+      echo '';
+      echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
+      echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
+      echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
+      echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
+      echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
+      echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
+      echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
+      echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
+      echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
+      echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
+      echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
+      echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
+    chmod +x "$MESH_FIREWALL_SCRIPT"
+
+    { echo '[Unit]';
+      echo 'Description=Mesh Firewall';
+      echo '';
+      echo '[Service]';
+      echo 'Type=oneshot';
+      echo 'ExecStart=/usr/bin/mesh-firewall';
+      echo 'RemainAfterExit=no';
+      echo '';
+      echo 'TimeoutSec=30';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > "$FIREWALL_FILENAME"
+    chmod +x "$FIREWALL_FILENAME"
     chroot "$rootdir" systemctl enable meshfirewall
 }
 
 function firewall_add {
-    firewall_name=$(echo "$1" | sed "s| |-|g")
+    firewall_name=$(string="$1" ; echo "${string// /-}")
     firewall_port=$2
     firewall_protocol="$3"
 
-    if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
-        echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
-        if [ ! ${firewall_protocol} ]; then
-            iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
-            if [ ! "$?" = "0" ]; then
-                iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
+    if ! grep -q "${firewall_name}=${firewall_port}" "$FIREWALL_CONFIG"; then
+        echo "${firewall_name}=${firewall_port}" >> "$FIREWALL_CONFIG"
+        if [ ! "${firewall_protocol}" ]; then
+            if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
+                iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
             fi
 
-            iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
-            if [ ! "$?" = "0" ]; then
-                iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+            if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
+                iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
             fi
         else
             if [[ "${firewall_protocol}" == *"udp"* ]]; then
-                iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
-                if [ ! "$?" = "0" ]; then
-                    iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
+                if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
+                    iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
                 fi
             fi
             if [[ "${firewall_protocol}" == *"tcp"* ]]; then
-                iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
-                if [ ! "$?" = "0" ]; then
-                    iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+                if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
+                    iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
                 fi
             fi
         fi
@@ -440,33 +437,29 @@ function firewall_add {
 }
 
 function firewall_add_range {
-    firewall_name=$(echo "$1" | sed "s| |-|g")
+    firewall_name=$(string="$1" ; echo "${string// /-}")
     firewall_port_start=$2
     firewall_port_end=$3
     firewall_protocol="$4"
 
-    if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
-        echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
-        if [ ! ${firewall_protocol} ]; then
-            iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
-            if [ ! "$?" = "0" ]; then
-                iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
+    if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" "$FIREWALL_CONFIG"; then
+        echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> "$FIREWALL_CONFIG"
+        if [ ! "${firewall_protocol}" ]; then
+            if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
+                iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
             fi
-            iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
-            if [ ! "$?" = "0" ]; then
-                iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
+            if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
+                iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
             fi
         else
             if [[ "${firewall_protocol}" == *"udp"* ]]; then
-                iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
-                if [ ! "$?" = "0" ]; then
-                    iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
+                if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
+                    iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
                 fi
             fi
             if [[ "${firewall_protocol}" == *"tcp"* ]]; then
-                iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
-                if [ ! "$?" = "0" ]; then
-                    iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
+                if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
+                    iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
                 fi
             fi
         fi
@@ -479,23 +472,23 @@ function firewall_remove {
     firewall_port=$1
     firewall_protocol="$2"
 
-    if [ ! -f $FIREWALL_CONFIG ]; then
+    if [ ! -f "$FIREWALL_CONFIG" ]; then
         return
     fi
 
-    if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
-        if [ ! ${firewall_protocol} ]; then
-            iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
-            iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+    if grep -q "=${firewall_port}" "$FIREWALL_CONFIG"; then
+        if [ ! "${firewall_protocol}" ]; then
+            iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
+            iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
         else
             if [[ "${firewall_protocol}" == *"udp"* ]]; then
-                iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
+                iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
             fi
             if [[ "${firewall_protocol}" == *"tcp"* ]]; then
-                iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+                iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
             fi
         fi
-        sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
+        sed -i "/=${firewall_port}/d" "$FIREWALL_CONFIG"
         save_firewall_settings
     fi
 }
@@ -509,7 +502,7 @@ function domain_to_hex_string {
         characters=$(echo -n "$segment" | wc -c)
         hexnum=$(echo "obase=16; $characters" | bc)
         echo -n "|"
-        if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then
+        if [ "$(echo -n "$hexnum" | wc -c)" -lt 2 ]; then
             echo -n "0"
         fi
         echo -n "$hexnum|$segment"
@@ -523,20 +516,19 @@ function firewall_block_domain {
     blocked_domain="$1"
     if [[ "$blocked_domain" == *'@'* ]]; then
         # Don't try to block email/microblog addresses
-        echo "${blocked_domain}" >> $FIREWALL_DOMAINS
+        echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
         return
     fi
-    if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then
-        hexstr=$(domain_to_hex_string $blocked_domain)
-        iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
-        if [ ! "$?" = "0" ]; then
+    if ! grep -q "$blocked_domain" "$FIREWALL_DOMAINS"; then
+        hexstr=$(domain_to_hex_string "$blocked_domain")
+        if ! iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP; then
             iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
-            echo "${blocked_domain}" >> $FIREWALL_DOMAINS
+            echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
             save_firewall_settings
         fi
 
@@ -559,13 +551,12 @@ function firewall_block_ip {
         # Don't try to block email/microblog addresses
         return
     fi
-    if ! grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
-        iptables -C INPUT -s $blocked_ip -j DROP
-        if [ ! "$?" = "0" ]; then
-            iptables -A INPUT -s $blocked_ip -j DROP
-            iptables -A OUTPUT -s $blocked_ip -j DROP
+    if ! grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
+        if ! iptables -C INPUT -s "$blocked_ip" -j DROP; then
+            iptables -A INPUT -s "$blocked_ip" -j DROP
+            iptables -A OUTPUT -s "$blocked_ip" -j DROP
 
-            echo "${blocked_ip}" >> $FIREWALL_DOMAINS
+            echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
             save_firewall_settings
         fi
     fi
@@ -577,31 +568,31 @@ function firewall_unblock_ip {
         # Don't try to block email/microblog addresses
         return
     fi
-    if grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
-        iptables -D INPUT -s $blocked_ip -j DROP
-        iptables -D OUTPUT -s $blocked_ip -j DROP
+    if grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
+        iptables -D INPUT -s "$blocked_ip" -j DROP
+        iptables -D OUTPUT -s "$blocked_ip" -j DROP
 
-        sed -i '/$blocked_ip/d' $FIREWALL_DOMAINS
-        echo "${blocked_ip}" >> $FIREWALL_DOMAINS
+        sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"
+        echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
         save_firewall_settings
     fi
 }
 
 function firewall_refresh_blocklist {
-    if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then
+    if [ ! -f "/root/${PROJECT_NAME}-firewall-domains.cfg" ]; then
         return
     fi
 
-    while read blocked_domain; do
-        firewall_block_domain $blocked_domain
-    done </root/${PROJECT_NAME}-firewall-domains.cfg
+    while read -r blocked_domain; do
+        firewall_block_domain "$blocked_domain"
+    done <"/root/${PROJECT_NAME}-firewall-domains.cfg"
 }
 
 function firewall_unblock_domain {
     unblocked_domain="$1"
-    if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then
+    if grep -q "${unblocked_domain}" "$FIREWALL_DOMAINS"; then
         if [[ "${unblocked_domain}" != *'@'* ]]; then
-            hexstr=$(domain_to_hex_string $unblocked_domain)
+            hexstr=$(domain_to_hex_string "$unblocked_domain")
             iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
@@ -610,7 +601,7 @@ function firewall_unblock_domain {
             iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
             save_firewall_settings
         fi
-        sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS
+        sed -i "/${unblocked_domain}/d" "$FIREWALL_DOMAINS"
     fi
 }
 

src/freedombone-utils-git

@@ -37,22 +37,21 @@ function git_clone {
 }
 
 function git_pull {
-    if [ ! $1 ]; then
+    if [ ! "$1" ]; then
         echo $'git_pull no repo specified'
     fi
 
     git merge --abort
     git stash
-    git remote set-url origin $1
+    git remote set-url origin "$1"
     git checkout master
     git pull
 
-    if [ $2 ]; then
+    if [ "$2" ]; then
         # delete any existing branch
-        git branch -D $2
+        git branch -D "$2"
         # check out the new branch
-        git checkout $2 -b $2
-        if [ ! "$?" = "0" ]; then
+        if ! git checkout "$2" -b "$2"; then
             echo $"Unable to checkout $1 $2"
             exit 72357
         fi
@@ -63,8 +62,8 @@ function commit_has_changed {
     repo_dir=$1
     repo_commit_name=$2
     repo_commit=$3
-    if [ -d $repo_dir ]; then
-        if grep -q "$repo_commit_name" $COMPLETION_FILE; then
+    if [ -d "$repo_dir" ]; then
+        if grep -q "$repo_commit_name" "$COMPLETION_FILE"; then
             CURRENT_REPO_COMMIT=$(get_completion_param "$repo_commit_name")
             if [[ "$CURRENT_REPO_COMMIT" != "$repo_commit" ]]; then
                 echo "1"
@@ -86,13 +85,13 @@ function set_repo_commit {
     repo_commit=$3
     repo_url=$4
 
-    if [[ $(commit_has_changed $repo_dir $repo_commit_name $repo_commit) == "1" ]]; then
-        cd $repo_dir
-        git_pull $repo_url $repo_commit
+    if [[ $(commit_has_changed "$repo_dir" "$repo_commit_name" "$repo_commit") == "1" ]]; then
+        cd "$repo_dir" || exit 3856835
+        git_pull "$repo_url" "$repo_commit"
 
         # application specific stuff after updating the repo
         if [[ $repo_dir == *"www"* ]]; then
-            chown -R www-data:www-data $repo_dir
+            chown -R www-data:www-data "$repo_dir"
         fi
         if [[ $repo_dir == *"gpgit" ]]; then
             if [ ! -f /usr/bin/gpgit.pl ]; then
@@ -107,12 +106,12 @@ function set_repo_commit {
         fi
         if [[ $repo_dir == *"cleanup-maildir" ]]; then
             if [ ! -f /usr/bin/cleanup-maildir ]; then
-                cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
+                cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin
             else
-                HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}')
+                HASH1=$(sha256sum "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" | awk -F ' ' '{print $1}')
                 HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
                 if [[ "$HASH1" != "$HASH2" ]]; then
-                    cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
+                    cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin
                 fi
             fi
         fi