author | Ben Allen <bensallen@me.com> | 2016-01-12 15:50:32 +0000 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2016-01-19 09:57:21 +0000 |
commit | 438f7d4f57b1116c57c3053ee76644918cc8b6fd (patch) | |
tree | 02ada84db0af7a76d4b3539b546c725ea96e6738 /main/nftables | |
parent | 0f476cad13b5a183c977a83aa6504a96fb6b4bbd (diff) | |
main/nftables: Updating init script
- Tidy up panic function to a single inet (combined ip and ipv6) table.
- Use policy drop for each chain in the panic function instead of a drop rule. This way a user can later add rules manually that allow explicit access.
- Instead of a clear function, include 'flush ruleset' in the output of the save function. This way loading the saved rulesets is fully atomic, instead of two commands.
- Stop is the only function that needs to be able to flush ruleset, so run 'nft flush ruleset' directly, and remove the clear function.
Diffstat (limited to 'main/nftables')
-rw-r--r-- | main/nftables/APKBUILD | 8 | ||||
-rw-r--r--[-rwxr-xr-x] | main/nftables/nftables.initd | 55 |
2 files changed, 15 insertions, 48 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index c125398d18..6250b674af 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=nftables
 pkgver=0.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Netfilter tables userspace tools"
 url="http://netfilter.org/projects/nftables/"
 arch="all"
@@ -57,10 +57,10 @@ package() {
 md5sums="94bfe1c54bcb9f6ed974835f2fca8069 nftables-0.5.tar.bz2
 52273a548f7cbfe17ba9ba97b10cf685 nftables.confd
-128977c1bb6c17c8af00430f66ba8029 nftables.initd"
+15a168de8e5aa18cb1d2a84c90850ad7 nftables.initd"
 sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6 nftables-0.5.tar.bz2
 8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff nftables.confd
-1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702 nftables.initd"
+3b51a516d419f0d003c7a0131525ce1cec33793eb13d3afafb9b61060fbaf62e nftables.initd"
 sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342 nftables-0.5.tar.bz2
 f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
-ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504 nftables.initd"
+40a91ef2cff9a8fd5b88888fc601cfbdf30ab0d16bb37997ebee53b7b528de7adc26eca1adfd885fa5b17cc7abf7d4fd30a40385002042d6796aea9c820c3bc6 nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 6ff5dc0e6c..0c11d374bd 100755..100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -23,11 +23,6 @@ start_pre() {
 return 0
 }
-clear() {
- nft flush ruleset || return 1
- return 0
-}
-
 list() {
 nft list ruleset || return 1
 return 0
@@ -40,43 +35,15 @@ panic() {
 fi
 ebegin "Dropping all packets"
- clear
- if nft create table ip filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
 EOF
- fi
- if nft create table ip6 filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip6 filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
- EOF
- fi
+ eend $?
 }
 reload() {
@@ -88,7 +55,8 @@ save() {
 checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
 checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
 local tmp_save="${NFTABLES_SAVE}.tmp"
- nft list ruleset > ${tmp_save}
+ echo 'flush ruleset' > ${tmp_save}
+ nft list ruleset >> ${tmp_save}
 retval=$?
 if [ ${retval} ]; then
 mv ${tmp_save} ${NFTABLES_SAVE}
@@ -97,7 +65,6 @@ save() {
 }
 start() {
- clear
 ebegin "Loading nftables state and starting firewall"
 nft -f ${NFTABLES_SAVE}
 eend $?
@@ -109,7 +76,7 @@ stop() {
 fi
 ebegin "Stopping firewall"
- clear
+ nft flush ruleset
 eend $?
 }
|
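Review bot: The new panic() body deserves a comment explaining why `flush ruleset` sits inside the heredoc instead of being a separate command: everything fed to one `nft -f` is applied as a single transaction (the description calls this out for the saved ruleset), so if the command fails — for example on a kernel without the inet family — the previous ruleset stays in place and `eend $?` reports the failure, whereas a separate flush would have left the host with no firewall at all. Something like `# flush and the policy-drop chains are one nft transaction: on failure the old ruleset survives` above the `nft -f /dev/stdin <<-EOF` line would do. Note also that the file header shows this script's mode changing from 100755 to 100644, which the description does not mention; harmless if the APKBUILD installs it with an explicit mode, but worth confirming it is intended. panic() starts before this hunk.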
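Review bot: The failure check after the new `nft list ruleset >> ${tmp_save}` line never fires, because `if [ ${retval} ]` tests for a non-empty string and both `0` and `1` are non-empty, so a failed dump is still moved over the real save file — and since that file now begins with `flush ruleset`, the next start would load a file that wipes the ruleset and installs nothing. The test should read `if [ ${retval} -eq 0 ]; then`. Separately, the tmp file is created by shell redirection under the process umask and then `mv`ed over the path that `checkpath -q -m 0600 -f` just restricted, so unless the umask is already 077 the saved ruleset may end up world-readable; creating it with `checkpath -q -m 0600 -f "${tmp_save}"` before writing to it (or setting `umask 077` inside save()) keeps the intended mode. save() begins before this hunk and ends after it.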
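Review bot: Removing `clear` from start() makes the atomic load depend on the save file starting with `flush ruleset`, but a file written by the previous version of save() has no such line, so on the first start after upgrading `nft -f ${NFTABLES_SAVE}` is applied on top of whatever is already loaded rather than replacing it — presumably duplicated rules, or a failing load where the tables and chains already exist, depending on nft's add semantics. A one-line guard keeps the old behaviour for legacy files without costing atomicity for new ones: `grep -qs '^flush ruleset' "${NFTABLES_SAVE}" || nft flush ruleset`, placed before the `nft -f` line. The path on that line is also unquoted; `nft -f "${NFTABLES_SAVE}"` is safer should the configured path ever contain whitespace. start()'s closing brace lies outside this hunk.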