author | Ben Allen <bensallen@me.com> | 2016-01-09 21:04:20 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-01-11 21:24:24 +0000 |
commit | 703ea9bdff97ff8dbde04b4656df88418afb5f7e (patch) | |
tree | 65684f32b6d857e1944573524d30162c6b669557 /main/nftables | |
parent | 09eaae2dd1957aaad5bbc95aa958d75ddec0a1f9 (diff) | |
download | aports-703ea9bdff97ff8dbde04b4656df88418afb5f7e.tar.bz2 aports-703ea9bdff97ff8dbde04b4656df88418afb5f7e.tar.xz |
main/nftables: Update init script
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
Diffstat (limited to 'main/nftables')
-rw-r--r-- | main/nftables/APKBUILD | 8 | ||||
-rwxr-xr-x[-rw-r--r--] | main/nftables/nftables.initd | 192 |
2 files changed, 91 insertions, 109 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c939392e4..c125398d18 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=nftables
 pkgver=0.5
-pkgrel=0
+pkgrel=1
 pkgdesc="Netfilter tables userspace tools"
 url="http://netfilter.org/projects/nftables/"
 arch="all"
@@ -57,10 +57,10 @@ package() {
 md5sums="94bfe1c54bcb9f6ed974835f2fca8069 nftables-0.5.tar.bz2
 52273a548f7cbfe17ba9ba97b10cf685 nftables.confd
-63e330d514aed839ce9985c3cb918e2c nftables.initd"
+128977c1bb6c17c8af00430f66ba8029 nftables.initd"
 sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6 nftables-0.5.tar.bz2
 8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff nftables.confd
-787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff nftables.initd"
+1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702 nftables.initd"
 sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342 nftables-0.5.tar.bz2
 f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
-c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d nftables.initd"
+ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504 nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 211ed73ee3..6ff5dc0e6c 100644..100755
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -3,66 +3,102 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -extra_commands="clear list panic save" +extra_commands="list panic save" extra_started_commands="reload" +description="Manage nftable based firewall." +description_save="Save current nftables rulesets to disk." +description_list="Displays the current nftables ruleset." +description_panic="Immediately drop all packets on all interfaces." +description_reload="Clear current rulesets and load rulesets from the saved ruleset files." + depend() { need localmount #434774 before net } -checkkernel() { - if ! nft list tables >/dev/null 2>&1; then - eerror "Your kernel lacks nftables support, please load" - eerror "appropriate modules and try again." - return 1 - fi +start_pre() { + checkkernel || return 1 + checkconfig || return 1 return 0 } -checkconfig() { - if [ ! -f ${NFTABLES_SAVE} ]; then - eerror "Not starting nftables. First create some rules then run:" - eerror "rc-service nftables save" - return 1 - fi +clear() { + nft flush ruleset || return 1 return 0 } -getfamilies() { - local families - for l3f in ip arp ip6 bridge inet; do - if nft list tables ${l3f} > /dev/null 2>&1; then - families="${families}${l3f} " - fi - done - echo ${families} +list() { + nft list ruleset || return 1 + return 0 } -clearNFT() { - nft flush ruleset +panic() { + checkkernel || return 1 + if service_started ${RC_SVCNAME}; then + rc-service ${RC_SVCNAME} stop + fi + + ebegin "Dropping all packets" + clear + if nft create table ip filter >/dev/null 2>&1; then + nft -f /dev/stdin <<-EOF + table ip filter { + chain input { + type filter hook input priority 0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi + if nft create table ip6 filter >/dev/null 2>&1; then + nft -f /dev/stdin <<-EOF + table ip6 filter { + chain input { + type filter hook input priority 
0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi } -addpanictable() { - local l3f=$1 - nft add table ${l3f} panic - nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \} - nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \} - nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \} - nft add rule ${l3f} panic input drop - nft add rule ${l3f} panic output drop - nft add rule ${l3f} panic forward drop +reload() { + start } -start_pre() { - checkkernel || return 1 - checkconfig || return 1 - return 0 +save() { + ebegin "Saving nftables state" + checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" + checkpath -q -m 0600 -f "${NFTABLES_SAVE}" + local tmp_save="${NFTABLES_SAVE}.tmp" + nft list ruleset > ${tmp_save} + retval=$? + if [ ${retval} ]; then + mv ${tmp_save} ${NFTABLES_SAVE} + fi + return $? } start() { + clear ebegin "Loading nftables state and starting firewall" - clearNFT nft -f ${NFTABLES_SAVE} eend $? } 
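Review bot: In the new save(), `if [ ${retval} ]` only tests that the string is non-empty, which holds for every exit status, so a failed `nft list ruleset` still moves an empty or partial tmp file over `${NFTABLES_SAVE}`; the function also leaves `retval` global and opens an `ebegin` with no matching `eend`. The tmp file is created by the `>` redirection with the process umask and `mv` keeps that inode's mode, so the 0600 that checkpath just set on the real file is replaced by a copy of the ruleset that is world-readable under the default umask. Replacing the tail of the function with `checkpath -q -m 0600 -f "${tmp_save}"`, `nft list ruleset > "${tmp_save}" && mv -- "${tmp_save}" "${NFTABLES_SAVE}"`, `eend $?` addresses all of these. In start(), `clear` runs before `nft -f ${NFTABLES_SAVE}`, so a saved file that fails to parse leaves the host with no ruleset at all; nft -f applies its input as one transaction, so feeding `flush ruleset` together with the saved file through the single `nft -f /dev/stdin` already used by panic() should keep the previous rules in place on failure — worth confirming against the nft version this package ships.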
@@ -73,78 +109,24 @@ stop() { fi ebegin "Stopping firewall" - clearNFT + clear eend $? } -reload() { - checkkernel || return 1 - # checkrules || return 1 - ebegin "Flushing firewall" - clearNFT - - start -} - -clear() { - clearNFT -} - -list() { - local l3f - - for l3f in $(getfamilies); do - nft list tables ${l3f} | while read line; do - line=$(echo ${line} | sed "s/table/table ${l3f}/") - echo "$(nft list ${line})" - done - done -} - -save() { - ebegin "Saving nftables state" - checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" - checkpath -q -m 0600 -f "${NFTABLES_SAVE}" - - local l3f line tmp_save="${NFTABLES_SAVE}.tmp" - - touch "${tmp_save}" - for l3f in $(getfamilies); do - nft list tables ${l3f} | while read line; do - line=$(echo ${line} | sed "s/table/table ${l3f}/") - # The below substitution fixes an issue where nft -n output may not - # always be parsable by nft -f. For example, nft -n might print - # - # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept - # - # but nft -f refuses to parse that string with error: - # - # In file included from internal:0:0-0: - # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule: - # Invalid argument - # table ip6 filter { - # ^^ - echo "$(nft ${SAVE_OPTIONS} list ${line} |\ - sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" - done - done - mv "${tmp_save}" "${NFTABLES_SAVE}" +checkconfig() { + if [ ! -f ${NFTABLES_SAVE} ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror "rc-service nftables save" + return 1 + fi + return 0 } -panic() { - checkkernel || return 1 - if service_started ${RC_SVCNAME}; then - rc-service ${RC_SVCNAME} stop +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." 
+ return 1 fi - - ebegin "Dropping all packets" - clearNFT - - local l3f - for l3f in $(getfamilies); do - case ${l3f} in - ip) addpanictable ${l3f} ;; - ip6) addpanictable ${l3f} ;; - esac - done + return 0 } |
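Review bot: In checkconfig(), `${NFTABLES_SAVE}` is unquoted in the test, so an empty or unset value collapses the expression to `[ ! -f ]`, which is false for `-f` as a non-empty string and therefore lets the check pass and start() go on to run `nft -f` with no file; it should read `if [ ! -f "${NFTABLES_SAVE}" ]; then`. The hint on the next line hardcodes `rc-service nftables save` while the rest of the script refers to the service as `${RC_SVCNAME}`; `eerror "rc-service ${RC_SVCNAME} save"` keeps the two consistent. The same unquoted expansion appears in `nft -f ${NFTABLES_SAVE}` in start() in the previous hunk, and stop(), whose body this hunk only partly shows, starts outside it.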