diff options
Diffstat (limited to 'testing/nftables/nftables.initd')
| -rw-r--r-- | testing/nftables/nftables.initd | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/testing/nftables/nftables.initd b/testing/nftables/nftables.initd new file mode 100644 index 0000000000..c726393056 --- /dev/null +++ b/testing/nftables/nftables.initd @@ -0,0 +1,166 @@ +#!/sbin/runscript +# Copyright 2014 Nicholas Vinson +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="clear list panic save" +extra_started_commands="reload" + +depend() { + need localmount #434774 + before net +} + +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +checkconfig() { + if [ ! -f ${NFTABLES_SAVE} ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror "rc-service nftables save" + return 1 + fi + return 0 +} + +getfamilies() { + local families + for l3f in ip arp ip6 bridge inet; do + if nft list tables ${l3f} > /dev/null 2>&1; then + families="${families}${l3f} " + fi + done + echo ${families} +} + +clearNFT() { + local l3f line table chain + + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + table=$(echo ${line} | sed "s/table[ \t]*//") + nft flush table ${l3f} ${table} + nft list table ${l3f} ${table} | while read l; do + chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\ + cut -d ' ' -f2) + if [ -n "${chain}" ]; then + nft flush chain ${l3f} ${table} ${chain} + nft delete chain ${l3f} ${table} ${chain} + fi + done + nft delete table ${l3f} ${table} + done + done +} + +addpanictable() { + local l3f=$1 + nft add table ${l3f} panic + nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \} + nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \} + nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \} + nft add rule ${l3f} panic input drop + nft add rule ${l3f} panic output drop + nft add rule ${l3f} panic forward drop +} + +start_pre() { + checkkernel || return 1 + checkconfig || return 1 + return 0 +} + +start() { + ebegin "Loading nftables state and starting firewall" + clearNFT + nft -f ${NFTABLES_SAVE} + eend $? +} + +stop() { + if yesno ${SAVE_ON_STOP:-yes}; then + save || return 1 + fi + + ebegin "Stopping firewall" + clearNFT + eend $? +} + +reload() { + checkkernel || return 1 + # checkrules || return 1 + ebegin "Flushing firewall" + clearNFT + + start +} + +clear() { + clearNFT +} + +list() { + local l3f + + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + line=$(echo ${line} | sed "s/table/table ${l3f}/") + echo "$(nft list ${line})" + done + done +} + +save() { + ebegin "Saving nftables state" + checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" + checkpath -q -m 0600 -f "${NFTABLES_SAVE}" + + local l3f line tmp_save="${NFTABLES_SAVE}.tmp" + + touch "${tmp_save}" + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + line=$(echo ${line} | sed "s/table/table ${l3f}/") + # The below substitution fixes an issue where nft -n output may not + # always be parsable by nft -f. For example, nft -n might print + # + # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept + # + # but nft -f refuses to parse that string with error: + # + # In file included from internal:0:0-0: + # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule: + # Invalid argument + # table ip6 filter { + # ^^ + echo "$(nft ${SAVE_OPTIONS} list ${line} |\ + sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" + done + done + mv "${tmp_save}" "${NFTABLES_SAVE}" +} + +panic() { + checkkernel || return 1 + if service_started ${RC_SVCNAME}; then + rc-service ${RC_SVCNAME} stop + fi + + ebegin "Dropping all packets" + clearNFT + + local l3f + for l3f in $(getfamilies); do + case ${l3f} in + ip) addpanictable ${l3f} ;; + ip6) addpanictable ${l3f} ;; + esac + done +} |