authorEivind Uggedal <eivind@uggedal.com>2015-09-15 15:42:22 +0000
committerEivind Uggedal <eivind@uggedal.com>2015-09-15 15:48:25 +0000
commit1ab972294e757a1e38b1123f023e96a94cb409fb (patch)
tree348debb9b0f043e49c62bfc209b96eab19ef4e15 /testing
parent2a866db42b298ebc0b7d3b5640619e9788d4d135 (diff)
main/nftables: moved from testing
Since Linux 3.18 the elaborate per-family/per-table clear logic in the init script is no longer needed; replace it with the safer atomic `nft flush ruleset`.
Diffstat (limited to 'testing')
-rw-r--r--testing/nftables/01-fix-object-order-via-nft--f.patch50
-rw-r--r--testing/nftables/APKBUILD70
-rw-r--r--testing/nftables/nftables.confd19
-rw-r--r--testing/nftables/nftables.initd166
4 files changed, 0 insertions, 305 deletions
diff --git a/testing/nftables/01-fix-object-order-via-nft--f.patch b/testing/nftables/01-fix-object-order-via-nft--f.patch
deleted file mode 100644
index 6092032c5a..0000000000
--- a/testing/nftables/01-fix-object-order-via-nft--f.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Sat, 14 Feb 2015 21:41:23 +0100
-Subject: rule: fix object order via nft -f
-
-The objects need to be loaded in the following order:
-
- #1 tables
- #2 chains
- #3 sets
- #4 rules
-
-We have to make sure that chains are in place by when we add rules with
-jumps/gotos. Similarly, we have to make sure that the sets are in place
-by when rules reference them.
-
-Without this patch, you may hit ENOENT errors depending on your ruleset
-configuration.
-
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
-diff --git a/src/rule.c b/src/rule.c
-index feafe26..8d76fd0 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
- if (netlink_add_table(ctx, h, loc, table, excl) < 0)
- return -1;
- if (table != NULL) {
-+ list_for_each_entry(chain, &table->chains, list) {
-+ if (netlink_add_chain(ctx, &chain->handle,
-+ &chain->location, chain,
-+ excl) < 0)
-+ return -1;
-+ }
- list_for_each_entry(set, &table->sets, list) {
- handle_merge(&set->handle, &table->handle);
- if (do_add_set(ctx, &set->handle, set) < 0)
- return -1;
- }
- list_for_each_entry(chain, &table->chains, list) {
-- if (do_add_chain(ctx, &chain->handle, &chain->location,
-- chain, excl) < 0)
-+ if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
- return -1;
- }
- }
---
-cgit v0.10.2
-
diff --git a/testing/nftables/APKBUILD b/testing/nftables/APKBUILD
deleted file mode 100644
index 0679b5bac2..0000000000
--- a/testing/nftables/APKBUILD
+++ /dev/null
@@ -1,70 +0,0 @@
-# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
-# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
-pkgname=nftables
-pkgver=0.4
-pkgrel=0
-pkgdesc="Netfilter tables userspace tools"
-url="http://netfilter.org/projects/nftables/"
-arch="all"
-license="GPL2"
-depends=""
-depends_dev="libmnl-dev libnftnl-dev gmp-dev readline-dev ncurses-dev"
-makedepends="$depends_dev bison flex"
-install=""
-subpackages="" # -doc would require docbook2x which isn't packaged yet
-source="http://netfilter.org/projects/$pkgname/files/$pkgname-$pkgver.tar.bz2
- nftables.confd
- nftables.initd
- 01-fix-object-order-via-nft--f.patch"
-
-_builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- cd "$_builddir"
-
- update_config_sub || return 1
- sed -i '1i#include "config.h"' src/proto.c
-
- local i=
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
-}
-
-build() {
- cd "$_builddir"
- ./configure \
- --build=$CBUILD \
- --host=$CHOST \
- --prefix=/usr \
- --sysconfdir=/etc \
- --mandir=/usr/share/man \
- --infodir=/usr/share/info \
- --localstatedir=/var \
- || return 1
- make || return 1
-}
-
-package() {
- cd "$_builddir"
- make DESTDIR="$pkgdir" install || return 1
-
- install -Dm755 "$srcdir"/$pkgname.initd \
- "$pkgdir"/etc/init.d/$pkgname || return 1
- install -Dm644 "$srcdir"/$pkgname.confd \
- "$pkgdir"/etc/conf.d/$pkgname || return 1
-}
-
-md5sums="09b686c489ff10db670ca60dbed7ff43 nftables-0.4.tar.bz2
-00f7dc61bcc1f7c2e48ebeaeb8b6b6b5 nftables.confd
-f5703f86eb2129cdece8c230cc036bd7 nftables.initd
-c0a18f43a5ce02cb61c9e0071725529a 01-fix-object-order-via-nft--f.patch"
-sha256sums="f6ca69b75c68915f9f3a3972274ec68354dfbbcfc0b9fc55c813a0525c351d3c nftables-0.4.tar.bz2
-d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd nftables.confd
-293d5a0ef687c69fffdce912a833cf5812272c0baae9f59d603ada8efa5828a6 nftables.initd
-ab5068a30e4a0df72b589aec500a4a6a1c3a5ab50ee73fad034eee676eabe9bb 01-fix-object-order-via-nft--f.patch"
-sha512sums="0932cf987da602285fbf7c7f61328b0d74d687889c2d4a5bd2bd7fe11e8b99433bc5ee53ebbddadf2c90e40acdcb28f6babf07e11feedff815c571c3b782dffc nftables-0.4.tar.bz2
-8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 nftables.confd
-ec43cc630b45ea2726044b30925e04f16fdb48ff2ee1871c112fde5b406f47c75b53ce05db4dfab8558156da96e9bf484ebab1f00f5cda20bbe8597c63b178fe nftables.initd
-9b7b51c55681fc25bb53fef6bf38e125377a3b32bdf6e9c8c7056a72deb7f24b7b6e2dcccb3065645e69675848585c6051e8992d9179f1609fbe1d873cb3bddf 01-fix-object-order-via-nft--f.patch"
diff --git a/testing/nftables/nftables.confd b/testing/nftables/nftables.confd
deleted file mode 100644
index e83a4b9620..0000000000
--- a/testing/nftables/nftables.confd
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/conf.d/nftables
-
-# Location in which nftables initscript will save set rules on
-# service shutdown
-NFTABLES_SAVE="/var/lib/nftables/rules-save"
-
-# Options to pass to nft on save
-SAVE_OPTIONS="-n"
-
-# Save state on stopping nftables
-SAVE_ON_STOP="yes"
-
-# If you need to log nftables messages as soon as nftables starts,
-# AND your logger does NOT depend on the network, then you may wish
-# to uncomment the next line.
-# If your logger depends on the network, and you uncomment this line
-# you will create an unresolvable circular dependency during startup.
-# After commenting or uncommenting this line, you must run 'rc-update -u'.
-#rc_use="logger"
diff --git a/testing/nftables/nftables.initd b/testing/nftables/nftables.initd
deleted file mode 100644
index c726393056..0000000000
--- a/testing/nftables/nftables.initd
+++ /dev/null
@@ -1,166 +0,0 @@
-#!/sbin/runscript
-# Copyright 2014 Nicholas Vinson
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="clear list panic save"
-extra_started_commands="reload"
-
-depend() {
- need localmount #434774
- before net
-}
-
-checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
-}
-
-checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
- return 0
-}
-
-getfamilies() {
- local families
- for l3f in ip arp ip6 bridge inet; do
- if nft list tables ${l3f} > /dev/null 2>&1; then
- families="${families}${l3f} "
- fi
- done
- echo ${families}
-}
-
-clearNFT() {
- local l3f line table chain
-
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- table=$(echo ${line} | sed "s/table[ \t]*//")
- nft flush table ${l3f} ${table}
- nft list table ${l3f} ${table} | while read l; do
- chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
- cut -d ' ' -f2)
- if [ -n "${chain}" ]; then
- nft flush chain ${l3f} ${table} ${chain}
- nft delete chain ${l3f} ${table} ${chain}
- fi
- done
- nft delete table ${l3f} ${table}
- done
- done
-}
-
-addpanictable() {
- local l3f=$1
- nft add table ${l3f} panic
- nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
- nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
- nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
- nft add rule ${l3f} panic input drop
- nft add rule ${l3f} panic output drop
- nft add rule ${l3f} panic forward drop
-}
-
-start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
-}
-
-start() {
- ebegin "Loading nftables state and starting firewall"
- clearNFT
- nft -f ${NFTABLES_SAVE}
- eend $?
-}
-
-stop() {
- if yesno ${SAVE_ON_STOP:-yes}; then
- save || return 1
- fi
-
- ebegin "Stopping firewall"
- clearNFT
- eend $?
-}
-
-reload() {
- checkkernel || return 1
- # checkrules || return 1
- ebegin "Flushing firewall"
- clearNFT
-
- start
-}
-
-clear() {
- clearNFT
-}
-
-list() {
- local l3f
-
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(nft list ${line})"
- done
- done
-}
-
-save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-
- local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
-
- touch "${tmp_save}"
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- # The below substitution fixes an issue where nft -n output may not
- # always be parsable by nft -f. For example, nft -n might print
- #
- # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
- #
- # but nft -f refuses to parse that string with error:
- #
- # In file included from internal:0:0-0:
- # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
- # Invalid argument
- # table ip6 filter {
- # ^^
- echo "$(nft ${SAVE_OPTIONS} list ${line} |\
- sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
- done
- done
- mv "${tmp_save}" "${NFTABLES_SAVE}"
-}
-
-panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
- fi
-
- ebegin "Dropping all packets"
- clearNFT
-
- local l3f
- for l3f in $(getfamilies); do
- case ${l3f} in
- ip) addpanictable ${l3f} ;;
- ip6) addpanictable ${l3f} ;;
- esac
- done
-}