authorBen Allen <bensallen@me.com>2016-01-09 21:04:20 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-01-11 21:24:24 +0000
commit703ea9bdff97ff8dbde04b4656df88418afb5f7e (patch)
tree65684f32b6d857e1944573524d30162c6b669557 /main/nftables
parent09eaae2dd1957aaad5bbc95aa958d75ddec0a1f9 (diff)
downloadaports-703ea9bdff97ff8dbde04b4656df88418afb5f7e.tar.bz2
aports-703ea9bdff97ff8dbde04b4656df88418afb5f7e.tar.xz
main/nftables: Update init script
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Also adds a description for each action.
Diffstat (limited to 'main/nftables')
-rw-r--r--main/nftables/APKBUILD8
-rwxr-xr-x[-rw-r--r--]main/nftables/nftables.initd192
2 files changed, 91 insertions, 109 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c939392e4..c125398d18 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.5
-pkgrel=0
+pkgrel=1
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
@@ -57,10 +57,10 @@ package() {
md5sums="94bfe1c54bcb9f6ed974835f2fca8069 nftables-0.5.tar.bz2
52273a548f7cbfe17ba9ba97b10cf685 nftables.confd
-63e330d514aed839ce9985c3cb918e2c nftables.initd"
+128977c1bb6c17c8af00430f66ba8029 nftables.initd"
sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6 nftables-0.5.tar.bz2
8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff nftables.confd
-787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff nftables.initd"
+1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702 nftables.initd"
sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342 nftables-0.5.tar.bz2
f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
-c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d nftables.initd"
+ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504 nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 211ed73ee3..6ff5dc0e6c 100644..100755
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -3,66 +3,102 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-extra_commands="clear list panic save"
+extra_commands="list panic save"
extra_started_commands="reload"
+description="Manage nftable based firewall."
+description_save="Save current nftables rulesets to disk."
+description_list="Displays the current nftables ruleset."
+description_panic="Immediately drop all packets on all interfaces."
+description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
depend() {
need localmount #434774
before net
}
-checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
return 0
}
-checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
+clear() {
+ nft flush ruleset || return 1
return 0
}
-getfamilies() {
- local families
- for l3f in ip arp ip6 bridge inet; do
- if nft list tables ${l3f} > /dev/null 2>&1; then
- families="${families}${l3f} "
- fi
- done
- echo ${families}
+list() {
+ nft list ruleset || return 1
+ return 0
}
-clearNFT() {
- nft flush ruleset
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
}
-addpanictable() {
- local l3f=$1
- nft add table ${l3f} panic
- nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
- nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
- nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
- nft add rule ${l3f} panic input drop
- nft add rule ${l3f} panic output drop
- nft add rule ${l3f} panic forward drop
+reload() {
+ start
}
-start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ nft list ruleset > ${tmp_save}
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ return $?
}
start() {
+ clear
ebegin "Loading nftables state and starting firewall"
- clearNFT
nft -f ${NFTABLES_SAVE}
eend $?
}
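Review bot: In `save()` the test `if [ ${retval} ]; then` is always true, because `[` with a single non-empty argument checks for a non-empty string rather than for zero, so a failed `nft list ruleset` still moves a partial or empty `${tmp_save}` over `${NFTABLES_SAVE}` and the next `start` loads a broken ruleset. The temporary file is also created by the shell redirect with the process umask instead of by `checkpath -m 0600`, and `mv` keeps that mode, so after the first save the ruleset file is no longer 0600 despite the `checkpath` line just above. The `ebegin "Saving nftables state"` at the top of the function is never closed with an `eend`, and the same unpaired `ebegin "Dropping all packets"` appears in `panic()` in this hunk. Creating the temp file with the same `checkpath -q -m 0600 -f`, testing `-eq 0`, removing the temp file on failure and reporting the status through `eend` addresses all of these.
```shell
save() {
	# … unchanged: ebegin, checkpath calls, local tmp_save …
	checkpath -q -m 0600 -f "${tmp_save}"
	nft list ruleset > "${tmp_save}"
	retval=$?
	if [ ${retval} -eq 0 ]; then
		mv "${tmp_save}" "${NFTABLES_SAVE}"
		retval=$?
	else
		rm -f "${tmp_save}"
	fi
	eend ${retval}
}
```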
@@ -73,78 +109,24 @@ stop() {
fi
ebegin "Stopping firewall"
- clearNFT
+ clear
eend $?
}
-reload() {
- checkkernel || return 1
- # checkrules || return 1
- ebegin "Flushing firewall"
- clearNFT
-
- start
-}
-
-clear() {
- clearNFT
-}
-
-list() {
- local l3f
-
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(nft list ${line})"
- done
- done
-}
-
-save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-
- local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
-
- touch "${tmp_save}"
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- # The below substitution fixes an issue where nft -n output may not
- # always be parsable by nft -f. For example, nft -n might print
- #
- # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
- #
- # but nft -f refuses to parse that string with error:
- #
- # In file included from internal:0:0-0:
- # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
- # Invalid argument
- # table ip6 filter {
- # ^^
- echo "$(nft ${SAVE_OPTIONS} list ${line} |\
- sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
- done
- done
- mv "${tmp_save}" "${NFTABLES_SAVE}"
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
}
-panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
fi
-
- ebegin "Dropping all packets"
- clearNFT
-
- local l3f
- for l3f in $(getfamilies); do
- case ${l3f} in
- ip) addpanictable ${l3f} ;;
- ip6) addpanictable ${l3f} ;;
- esac
- done
+ return 0
}
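Review bot: `checkconfig()` tests `[ ! -f ${NFTABLES_SAVE} ]` with the variable unquoted; when NFTABLES_SAVE is empty or unset this degenerates to `[ ! -f ]`, which is false, so the guard passes and `start` goes on to run `nft -f` with no file argument. Quoting it, `if [ ! -f "${NFTABLES_SAVE}" ]; then`, makes the missing-file message fire in that case; the same unquoted expansion is in `start()`'s `nft -f ${NFTABLES_SAVE}` in the previous hunk. The `stop()` body at the top of this hunk begins outside it.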