author | Jakub Jirutka <jakub@jirutka.cz> | 2018-04-01 17:54:14 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-04-01 19:03:36 +0200 |
commit | 09d5ae0cd26007718bd77c5a5a866a094fae61a9 (patch) | |
tree | c2fa6d9a13bfcb7384585acb8416dc38b5a1e532 /main/nftables | |
parent | 6947566f1bf220466c0836ca542daab845cab9ce (diff) | |
download | aports-09d5ae0cd26007718bd77c5a5a866a094fae61a9.tar.bz2 aports-09d5ae0cd26007718bd77c5a5a866a094fae61a9.tar.xz |
main/nftables: improve runscript, fix code-style, rename vars
Diffstat (limited to 'main/nftables')
-rw-r--r-- | main/nftables/APKBUILD | 5 | ||||
-rw-r--r-- | main/nftables/nftables.confd | 16 | ||||
-rw-r--r-- | main/nftables/nftables.initd | 115 |
3 files changed, 72 insertions, 64 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 9aa0fb726e..8838c02847 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -1,4 +1,5 @@
 # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=nftables
 pkgver=0.8.3
@@ -44,5 +45,5 @@ package() {
 }
 
 sha512sums="d3d97be10c2dcd1f15b9998e01254ff11438a2d83922e8b5207b641375ea12bb86ecbe4f9cb21cdf5998ddeb7c42b9e424dcb40a359cf42e06b9437a5ce4f72c nftables-0.8.3.tar.bz2
-f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
-2bb551522fb2c61f4cab3a2ab1d9c84696403007a13521ca08a89fe79a9ae8867357d5664315c97ef09c49c3cdf7c76066f8226153f8c6fcd8b265ba4fbf3826 nftables.initd"
+a0a3e67272cc344d28c5a3eebee9fd8361371a53c2960c1b96acbc02845caffcd58a59b6f08d90b4aa831bbb1322f673d61c1035b937c06f9ac4a98bee1e40f4 nftables.confd
+c63b3026af68dc03b49f0fc25ef6c5f0a5fbd398dcb0af0870c9342a9095dd57dea2e7025f0cc0762f1640c825465c8b3824cb126dc5d6b70ec35471972d690b nftables.initd"
diff --git a/main/nftables/nftables.confd b/main/nftables/nftables.confd
index 8048a2ad8e..fd7caab9cc 100644
--- a/main/nftables/nftables.confd
+++ b/main/nftables/nftables.confd
@@ -1,14 +1,14 @@
-# /etc/conf.d/nftables
+# Configuration for /etc/init.d/nftables
 
-# Location in which nftables initscript will save set rules on
-# service shutdown
-NFTABLES_SAVE="/var/lib/nftables/rules-save"
+# Location of file with nftables rules to restore on service start,
+# and save rules to on service stop when $save_on_stop is enabled.
+#rules_file="/var/lib/nftables/rules-save"
 
-# Options to pass to nft on save
-SAVE_OPTIONS="-n"
+# Options to pass to nft on save.
+#save_options="-n"
 
-# Save state on stopping nftables
-SAVE_ON_STOP="yes"
+# Save state on stopping nftables.
+#save_on_stop="yes"
 
 # If you need to log nftables messages as soon as nftables starts,
 # AND your logger does NOT depend on the network, then you may wish
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 689c9b04b0..6035d1a7bc 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -12,88 +12,95 @@ description_list="Displays the current nftables ruleset."
 description_panic="Immediately drop all packets on all interfaces."
 description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
 
+# Uppercase variables are there for backward compatibility.
+: ${rules_file:=${NFTABLES_SAVE:="/var/lib/nftables/rules-save"}}
+: ${save_options:=${SAVE_OPTIONS:="-n"}}
+: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+
 depend() {
- need localmount #434774
- before net
+ need localmount
+ before net
+ provide firewall
 }
 
 start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
+ checkkernel && checkconfig
 }
 
 list() {
- nft list ruleset || return 1
- return 0
+ nft list ruleset
 }
 
 panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
- fi
-
- ebegin "Dropping all packets"
- nft -f /dev/stdin <<-EOF
- flush ruleset
- table inet filter {
- chain input { type filter hook input priority 0; policy drop; }
- chain forward { type filter hook forward priority 0; policy drop; }
- chain output { type filter hook output priority 0; policy drop; }
- }
+ checkkernel || return 1
+
+ if service_started "$RC_SVCNAME"; then
+ rc-service "$RC_SVCNAME" stop
+ fi
+
+ ebegin "Dropping all packets"
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
 EOF
- eend $?
+ eend $?
 }
 
 reload() {
- start
+ start
 }
 
 save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
- local tmp_save="${NFTABLES_SAVE}.tmp"
- echo 'flush ruleset' > ${tmp_save}
- nft list ruleset >> ${tmp_save}
- retval=$?
- if [ ${retval} ]; then
- mv ${tmp_save} ${NFTABLES_SAVE}
- fi
- return $retval
+ ebegin "Saving nftables state"
+
+ checkpath -q -d "${rules_file%/*}"
+ checkpath -q -m 0600 -f "$rules_file"
+
+ local tmp_save="$rules_file.tmp"
+
+ echo 'flush ruleset' > "$tmp_save"
+ nft list ruleset >> "$tmp_save"; local retval=$?
+
+ [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
+
+ return $retval
 }
 
 start() {
- ebegin "Loading nftables state and starting firewall"
- nft -f ${NFTABLES_SAVE}
- eend $?
+ ebegin "Loading nftables state and starting firewall"
+
+ nft -f "$rules_file"
+ eend $?
 }
 
 stop() {
- if yesno ${SAVE_ON_STOP:-yes}; then
- save || return 1
- fi
+ if yesno "$save_on_stop"; then
+ save || return 1
+ fi
 
- ebegin "Stopping firewall"
- nft flush ruleset
- eend $?
+ ebegin "Stopping firewall"
+ nft flush ruleset
+ eend $?
 }
 
 checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
- return 0
+ if [ ! -f "$rules_file" ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror " rc-service nftables save"
+ return 1
+ fi
+ return 0
 }
 
 checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
 }
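Review bot: In the new `save()`, the `checkpath -q -m 0600 -f "$rules_file"` mode is effectively discarded: the ruleset is written to `$tmp_save`, which `echo >` creates with the process umask, and the following `mv "$tmp_save" "$rules_file"` replaces the 0600 file with that umask-mode file, so the saved ruleset ends up readable by whoever the umask allows. The `.tmp` file is also left behind when `nft list ruleset` fails, and `save_options` (defaulted at the top of the hunk, documented in nftables.confd as "Options to pass to nft on save") is never passed to nft — presumably `nft $save_options list ruleset` was intended, as in the old code it was equally unused. Finally, `ebegin "Saving nftables state"` has no matching `eend`, so the status line for the save step is never closed and the function's exit status comes from a bare `return`. Applying the restrictive mode to the temp file before writing, removing it on failure, and closing with `eend $retval` covers all of these.
```shell
save() {
	ebegin "Saving nftables state"

	checkpath -q -d "${rules_file%/*}"
	checkpath -q -m 0600 -f "$rules_file"

	local tmp_save="$rules_file.tmp"
	# mv keeps the temp file's mode, so it must be 0600 as well,
	# otherwise the mode set on $rules_file above is lost on rename.
	checkpath -q -m 0600 -f "$tmp_save"

	echo 'flush ruleset' > "$tmp_save"
	nft $save_options list ruleset >> "$tmp_save"; local retval=$?

	if [ $retval -eq 0 ]; then
		mv "$tmp_save" "$rules_file"
	else
		rm -f "$tmp_save"
	fi

	eend $retval
}
```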