#!/sbin/openrc-run # Copyright 2014 Nicholas Vinson # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 extra_commands="list panic save" extra_started_commands="reload" description="Manage nftable based firewall." description_save="Save current nftables rulesets to disk." description_list="Displays the current nftables ruleset." description_panic="Immediately drop all packets on all interfaces." description_reload="Clear current rulesets and load rulesets from the saved ruleset files." depend() { need localmount #434774 before net } start_pre() { checkkernel || return 1 checkconfig || return 1 return 0 } list() { nft list ruleset || return 1 return 0 } panic() { checkkernel || return 1 if service_started ${RC_SVCNAME}; then rc-service ${RC_SVCNAME} stop fi ebegin "Dropping all packets" nft -f /dev/stdin <<-EOF flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; } chain forward { type filter hook forward priority 0; policy drop; } chain output { type filter hook output priority 0; policy drop; } } EOF eend $? } reload() { start } save() { ebegin "Saving nftables state" checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" checkpath -q -m 0600 -f "${NFTABLES_SAVE}" local tmp_save="${NFTABLES_SAVE}.tmp" echo 'flush ruleset' > ${tmp_save} nft list ruleset >> ${tmp_save} retval=$? if [ ${retval} ]; then mv ${tmp_save} ${NFTABLES_SAVE} fi return $? } start() { ebegin "Loading nftables state and starting firewall" nft -f ${NFTABLES_SAVE} eend $? } stop() { if yesno ${SAVE_ON_STOP:-yes}; then save || return 1 fi ebegin "Stopping firewall" nft flush ruleset eend $? } checkconfig() { if [ ! -f ${NFTABLES_SAVE} ]; then eerror "Not starting nftables. First create some rules then run:" eerror "rc-service nftables save" return 1 fi return 0 } checkkernel() { if ! nft list tables >/dev/null 2>&1; then eerror "Your kernel lacks nftables support, please load" eerror "appropriate modules and try again." return 1 fi return 0 }