authorJakub Jirutka <jakub@jirutka.cz>2018-04-01 18:51:39 +0200
committerJakub Jirutka <jakub@jirutka.cz>2018-04-01 19:03:36 +0200
commit2221432434ddd269048e71a34cda6ebafbddcc9c (patch)
tree772b5c0aaacde5ab3be853f9659be6516dde483c /main/nftables
parent09d5ae0cd26007718bd77c5a5a866a094fae61a9 (diff)
main/nftables: add support for enabling forwarding to runscript
Diffstat (limited to 'main/nftables')
-rw-r--r--main/nftables/APKBUILD4
-rw-r--r--main/nftables/nftables.confd5
-rw-r--r--main/nftables/nftables.initd23
3 files changed, 29 insertions, 3 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 8838c02847..f8166c3412 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -45,5 +45,5 @@ package() {
}
sha512sums="d3d97be10c2dcd1f15b9998e01254ff11438a2d83922e8b5207b641375ea12bb86ecbe4f9cb21cdf5998ddeb7c42b9e424dcb40a359cf42e06b9437a5ce4f72c nftables-0.8.3.tar.bz2
-a0a3e67272cc344d28c5a3eebee9fd8361371a53c2960c1b96acbc02845caffcd58a59b6f08d90b4aa831bbb1322f673d61c1035b937c06f9ac4a98bee1e40f4 nftables.confd
-c63b3026af68dc03b49f0fc25ef6c5f0a5fbd398dcb0af0870c9342a9095dd57dea2e7025f0cc0762f1640c825465c8b3824cb126dc5d6b70ec35471972d690b nftables.initd"
+a13e8b55b2ef6df2255e0b190f8dd5b2deb0ab49f8f303b1f11a3df550de41cd71e76cbfd7184d031a24a1d3387262c5d01a8cb8e4a981c8a85d8eb7753be39a nftables.confd
+a4a9b07f7389f7c66d42af71e6d76b55e940a60f823323344ebe3c2939667c21834c5e52f3fc59b37ea7e234144d48262bd07c86db8aa4195f59f98111548330 nftables.initd"
diff --git a/main/nftables/nftables.confd b/main/nftables/nftables.confd
index fd7caab9cc..41ca06cf05 100644
--- a/main/nftables/nftables.confd
+++ b/main/nftables/nftables.confd
@@ -10,6 +10,11 @@
# Save state on stopping nftables.
#save_on_stop="yes"
+# Enable IPv4/IPv6 forwarding with the rules?
+# Note: If you want to enable forwarding only on selected interfaces,
+# keep this disabled and enable forwarding using /etc/sysctl.conf.
+#enable_forwarding="no"
+
# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 6035d1a7bc..56d31c3bba 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -16,9 +16,11 @@ description_reload="Clear current rulesets and load rulesets from the saved rule
: ${rules_file:=${NFTABLES_SAVE:="/var/lib/nftables/rules-save"}}
: ${save_options:=${SAVE_OPTIONS:="-n"}}
: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+: ${enable_forwarding:="no"}
depend() {
need localmount
+ after sysctl
before net
provide firewall
}
@@ -74,7 +76,13 @@ start() {
ebegin "Loading nftables state and starting firewall"
nft -f "$rules_file"
- eend $?
+ eend $? || return 1
+
+ if yesno "$ip_forward"; then
+ ebegin "Enabling forwarding"
+ forwarding 1
+ eend $? || return 1
+ fi
}
stop() {
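Review bot: The new branch in start() tests `$ip_forward`, but the variable this commit introduces everywhere else (the confd comment, the `: ${enable_forwarding:="no"}` default, and the matching branch in stop()) is `enable_forwarding`, so with the documented setting forwarding is never enabled on start, while stop() will still try to disable it. The line should read `if yesno "$enable_forwarding"; then`. start() begins outside this hunk; the stop() body referenced here continues in the next hunk.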
@@ -82,6 +90,12 @@ stop() {
save || return 1
fi
+ if yesno "$enable_forwarding"; then
+ ebegin "Disabling forwarding"
+ forwarding 0
+ eend $?
+ fi
+
ebegin "Stopping firewall"
nft flush ruleset
eend $?
@@ -104,3 +118,10 @@ checkkernel() {
fi
return 0
}
+
+forwarding() {
+ /sbin/sysctl -qw \
+ net.ipv4.ip_forward=$1 \
+ net.ipv6.conf.default.forwarding=$1 \
+ net.ipv6.conf.all.forwarding=$1
+}
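Review bot: forwarding() has no comment stating its contract and passes `$1` unquoted into the sysctl key=value arguments; since callers pass a literal 0 or 1 this is harmless today, but quoting makes the intent explicit and keeps the function safe if it is ever reused. A header comment such as `# Set IPv4 and IPv6 forwarding sysctls; $1 is 1 to enable, 0 to disable.` and writing each assignment as `net.ipv4.ip_forward="$1"` would suffice. Note also that `-q` suppresses sysctl's own error output, so a failing key is only visible through the exit status that eend reports.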