
[alpine-aports] [PATCH] main/nftables: Update init script

Ben Allen <bensallen@me.com>
Message ID
<1452228294-12662-1-git-send-email-bensallen@me.com>
Sender timestamp
1452228294
DKIM signature
missing
Patch: +96 -109
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
---
 main/nftables/APKBUILD       |   8 +-
 main/nftables/nftables.initd | 197 ++++++++++++++++++++-----------------------
 2 files changed, 96 insertions(+), 109 deletions(-)

diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c93939..ffb62ff 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.5
pkgrel=0
pkgrel=1
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
@@ -57,10 +57,10 @@ package() {

md5sums="94bfe1c54bcb9f6ed974835f2fca8069  nftables-0.5.tar.bz2
52273a548f7cbfe17ba9ba97b10cf685  nftables.confd
63e330d514aed839ce9985c3cb918e2c  nftables.initd"
005e931051e354b8d73ef0a731b30fbe  nftables.initd"
sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6  nftables-0.5.tar.bz2
8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff  nftables.confd
787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff  nftables.initd"
b88517ebe23a60c4b030d0f21d2c80760ba658ea4151e8ec4fbc62085d9104a4  nftables.initd"
sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342  nftables-0.5.tar.bz2
f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8  nftables.confd
c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d  nftables.initd"
8269aacf40dbcae7063cbcc5d3be7e3544f98ad848c6c5bd2d8ec59767dc9d5d931b58d5c9bd90f5b1ce24a1b553193576c593ba5cdb915c1cb25b31edda25ac  nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 211ed73..51083b8 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -1,4 +1,4 @@
#!/sbin/openrc-run
#!/sbin/runscript
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
@@ -6,63 +6,104 @@
extra_commands="clear list panic save"
extra_started_commands="reload"

description="Manage nftable based firewall."
description_save="Save current nftables rulesets to disk."
description_list="Displays the current nftables ruleset."
description_clear="Flush current rulesets."
description_panic="Immediately drop all packets on all interfaces."
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."

depend() {
    need localmount #434774
    before net
}

checkkernel() {
    if ! nft list tables >/dev/null 2>&1; then
        eerror "Your kernel lacks nftables support, please load"
        eerror "appropriate modules and try again."
        return 1
    fi
start_pre() {
    checkkernel || return 1
    checkconfig || return 1
    return 0
}

checkconfig() {
    if [ ! -f ${NFTABLES_SAVE} ]; then
        eerror "Not starting nftables.  First create some rules then run:"
        eerror "rc-service nftables save"
        return 1
    fi
clear() {
    ebegin "Flushing current rulesets"
    nft flush ruleset || return 1
    return 0
}

getfamilies() {
    local families
    for l3f in ip arp ip6 bridge inet; do
        if nft list tables ${l3f} > /dev/null 2>&1; then
            families="${families}${l3f} "
        fi
    done
    echo ${families}
list() {
    nft list ruleset || return 1
    return 0
}

clearNFT() {
    nft flush ruleset
}
panic() {
    checkkernel || return 1
    if service_started ${RC_SVCNAME}; then
        rc-service ${RC_SVCNAME} stop
    fi

addpanictable() {
    local l3f=$1
    nft add table ${l3f} panic
    nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
    nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
    nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
    nft add rule ${l3f} panic input drop
    nft add rule ${l3f} panic output drop
    nft add rule ${l3f} panic forward drop
    ebegin "Dropping all packets"
    clear
    if nft create table ip filter >/dev/null 2>&1; then
	nft -f /dev/stdin <<-EOF
	    table ip filter {
	                    chain input {
	                                    type filter hook input priority 0;
	                                    drop
	                    }
	                    chain forward {
	                                    type filter hook forward priority 0;
	                                    drop
	                    }
	                    chain output {
	                                    type filter hook output priority 0;
	                                    drop
	                    }
	    }
	EOF
    fi
    if nft create table ip6 filter >/dev/null 2>&1; then
	nft -f /dev/stdin <<-EOF
	    table ip6 filter {
	                    chain input {
	                                    type filter hook input priority 0;
	                                    drop
	                    }
	                    chain forward {
	                                    type filter hook forward priority 0;
	                                    drop
	                    }
	                    chain output {
	                                    type filter hook output priority 0;
	                                    drop
	                    }
	    }
	EOF
    fi
}

start_pre() {
reload() {
    checkkernel || return 1
    checkconfig || return 1
	return 0
    ebegin "Flushing firewall"
    clear
    start
}

save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
    local tmp_save="${NFTABLES_SAVE}.tmp"
    nft list ruleset > ${tmp_save}
    retval=$?
    if [ ${retval} ]; then
       mv ${tmp_save} ${NFTABLES_SAVE}
    fi
    return $?
}

start() {
    ebegin "Loading nftables state and starting firewall"
    clearNFT
    clear
    nft -f ${NFTABLES_SAVE}
    eend $?
}
@@ -73,78 +114,24 @@ stop() {
    fi

    ebegin "Stopping firewall"
    clearNFT
    clear
    eend $?
}

reload() {
    checkkernel || return 1
    # checkrules || return 1
    ebegin "Flushing firewall"
    clearNFT

    start
}

clear() {
    clearNFT
}

list() {
    local l3f

    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            echo "$(nft list ${line})"
        done
    done
}

save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"

    local l3f line tmp_save="${NFTABLES_SAVE}.tmp"

    touch "${tmp_save}"
    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            # The below substitution fixes an issue where nft -n output may not
            # always be parsable by nft -f.  For example, nft -n might print
            #
            #     ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
            #
            # but nft -f refuses to parse that string with error:
            #
            #     In file included from internal:0:0-0:
            #     /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
            #     Invalid argument
            #     table ip6 filter {
            #     ^^
            echo "$(nft ${SAVE_OPTIONS} list ${line} |\
                    sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
        done
    done
    mv "${tmp_save}" "${NFTABLES_SAVE}"
checkconfig() {
    if [ ! -f ${NFTABLES_SAVE} ]; then
        eerror "Not starting nftables. First create some rules then run:"
        eerror "rc-service nftables save"
        return 1
    fi
    return 0
}

panic() {
    checkkernel || return 1
    if service_started ${RC_SVCNAME}; then
        rc-service ${RC_SVCNAME} stop
checkkernel() {
    if ! nft list tables >/dev/null 2>&1; then
        eerror "Your kernel lacks nftables support, please load"
        eerror "appropriate modules and try again."
        return 1
    fi

    ebegin "Dropping all packets"
    clearNFT

    local l3f
    for l3f in $(getfamilies); do
        case ${l3f} in
            ip) addpanictable ${l3f} ;;
            ip6) addpanictable ${l3f} ;;
        esac
    done
    return 0
}
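Review bot: save() can silently replace a good ruleset file with an empty one: `retval=$?` followed by `if [ ${retval} ]` tests for a non-empty string, which is true for any exit status, so when `nft list ruleset` fails the empty or truncated tmp file is still moved over `${NFTABLES_SAVE}` and the next `start` loads no rules while reporting success. The `checkpath -q -m 0600 -f "${NFTABLES_SAVE}"` also buys nothing here, because `mv` replaces that inode with the tmp file the shell redirect created under the default umask (typically 0644), so the saved ruleset ends up readable by every local user. Create the tmp file with `checkpath -m 0600` before writing it, move it only when the dump succeeded, remove it otherwise, and pair the `ebegin` with an `eend` so the outcome is reported; the rewritten function is below.
```shell
save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    local tmp_save="${NFTABLES_SAVE}.tmp"
    # create the temp file 0600 before writing so the dump is never readable
    # by other users and the mode survives the mv below
    checkpath -q -m 0600 -f "${tmp_save}" || { eend 1; return 1; }
    if nft list ruleset > "${tmp_save}"; then
        mv "${tmp_save}" "${NFTABLES_SAVE}"
        eend $?
    else
        rm -f "${tmp_save}"
        eend 1 "nft list ruleset failed; ${NFTABLES_SAVE} left unchanged"
    fi
}
```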
-- 
2.7.0



Message ID
<20160109153500.GA23691@francium.lan>
In-Reply-To
<1452228294-12662-1-git-send-email-bensallen@me.com> (view parent)
Sender timestamp
1452353700
DKIM signature
missing
On 08.01.16, Ben Allen wrote:
> Updating main/nftables init script. Based on the newer Gentoo init
> script:
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2.
> Merged nftables.sh from Gentoo's version into the init script itself,
> and removed the legacy functionality. Adding descriptions for each
> action as well.

I was actually considering writing a custom service for nftables, since
I believe that the Gentoo service is too complicated.
`nft -f ${some_configuration_file}` on start and `nft flush ruleset`
should be good enough, shouldn't it?

Sören.



[alpine-aports] [PATCH v2] main/nftables: Update init script

Ben Allen <bensallen@me.com>
Message ID
<1452373460-3759-1-git-send-email-bensallen@me.com>
In-Reply-To
<1452228294-12662-1-git-send-email-bensallen@me.com> (view parent)
Sender timestamp
1452373460
DKIM signature
missing
Patch: +91 -109
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
---
Changes v1 -> v2:
 - Don't expose clear as a command. Stop provides the same functionality, and removing the ebegin in clear makes messaging cleaner.
 - Simplify reload to just call start, since they do the same thing.
 - Fix #! line to be /sbin/openrc-run.

 main/nftables/APKBUILD       |   8 +-
 main/nftables/nftables.initd | 192 ++++++++++++++++++++-----------------------
 2 files changed, 91 insertions(+), 109 deletions(-)
 mode change 100644 => 100755 main/nftables/nftables.initd

diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c93939..c125398 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.5
pkgrel=0
pkgrel=1
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
@@ -57,10 +57,10 @@ package() {

md5sums="94bfe1c54bcb9f6ed974835f2fca8069  nftables-0.5.tar.bz2
52273a548f7cbfe17ba9ba97b10cf685  nftables.confd
63e330d514aed839ce9985c3cb918e2c  nftables.initd"
128977c1bb6c17c8af00430f66ba8029  nftables.initd"
sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6  nftables-0.5.tar.bz2
8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff  nftables.confd
787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff  nftables.initd"
1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702  nftables.initd"
sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342  nftables-0.5.tar.bz2
f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8  nftables.confd
c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d  nftables.initd"
ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504  nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
old mode 100644
new mode 100755
index 211ed73..6ff5dc0
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -3,66 +3,102 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

extra_commands="clear list panic save"
extra_commands="list panic save"
extra_started_commands="reload"

description="Manage nftable based firewall."
description_save="Save current nftables rulesets to disk."
description_list="Displays the current nftables ruleset."
description_panic="Immediately drop all packets on all interfaces."
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."

depend() {
    need localmount #434774
    before net
}

checkkernel() {
    if ! nft list tables >/dev/null 2>&1; then
        eerror "Your kernel lacks nftables support, please load"
        eerror "appropriate modules and try again."
        return 1
    fi
start_pre() {
    checkkernel || return 1
    checkconfig || return 1
    return 0
}

checkconfig() {
    if [ ! -f ${NFTABLES_SAVE} ]; then
        eerror "Not starting nftables.  First create some rules then run:"
        eerror "rc-service nftables save"
        return 1
    fi
clear() {
    nft flush ruleset || return 1
    return 0
}

getfamilies() {
    local families
    for l3f in ip arp ip6 bridge inet; do
        if nft list tables ${l3f} > /dev/null 2>&1; then
            families="${families}${l3f} "
        fi
    done
    echo ${families}
list() {
    nft list ruleset || return 1
    return 0
}

clearNFT() {
    nft flush ruleset
panic() {
    checkkernel || return 1
    if service_started ${RC_SVCNAME}; then
        rc-service ${RC_SVCNAME} stop
    fi

    ebegin "Dropping all packets"
    clear
    if nft create table ip filter >/dev/null 2>&1; then
	nft -f /dev/stdin <<-EOF
	    table ip filter {
	                    chain input {
	                                    type filter hook input priority 0;
	                                    drop
	                    }
	                    chain forward {
	                                    type filter hook forward priority 0;
	                                    drop
	                    }
	                    chain output {
	                                    type filter hook output priority 0;
	                                    drop
	                    }
	    }
	EOF
    fi
    if nft create table ip6 filter >/dev/null 2>&1; then
	nft -f /dev/stdin <<-EOF
	    table ip6 filter {
	                    chain input {
	                                    type filter hook input priority 0;
	                                    drop
	                    }
	                    chain forward {
	                                    type filter hook forward priority 0;
	                                    drop
	                    }
	                    chain output {
	                                    type filter hook output priority 0;
	                                    drop
	                    }
	    }
	EOF
    fi
}

addpanictable() {
    local l3f=$1
    nft add table ${l3f} panic
    nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
    nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
    nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
    nft add rule ${l3f} panic input drop
    nft add rule ${l3f} panic output drop
    nft add rule ${l3f} panic forward drop
reload() {
    start
}

start_pre() {
    checkkernel || return 1
    checkconfig || return 1
	return 0
save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
    local tmp_save="${NFTABLES_SAVE}.tmp"
    nft list ruleset > ${tmp_save}
    retval=$?
    if [ ${retval} ]; then
       mv ${tmp_save} ${NFTABLES_SAVE}
    fi
    return $?
}

start() {
    clear
    ebegin "Loading nftables state and starting firewall"
    clearNFT
    nft -f ${NFTABLES_SAVE}
    eend $?
}
@@ -73,78 +109,24 @@ stop() {
    fi

    ebegin "Stopping firewall"
    clearNFT
    clear
    eend $?
}

reload() {
    checkkernel || return 1
    # checkrules || return 1
    ebegin "Flushing firewall"
    clearNFT

    start
}

clear() {
    clearNFT
}

list() {
    local l3f

    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            echo "$(nft list ${line})"
        done
    done
}

save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"

    local l3f line tmp_save="${NFTABLES_SAVE}.tmp"

    touch "${tmp_save}"
    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            # The below substitution fixes an issue where nft -n output may not
            # always be parsable by nft -f.  For example, nft -n might print
            #
            #     ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
            #
            # but nft -f refuses to parse that string with error:
            #
            #     In file included from internal:0:0-0:
            #     /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
            #     Invalid argument
            #     table ip6 filter {
            #     ^^
            echo "$(nft ${SAVE_OPTIONS} list ${line} |\
                    sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
        done
    done
    mv "${tmp_save}" "${NFTABLES_SAVE}"
checkconfig() {
    if [ ! -f ${NFTABLES_SAVE} ]; then
        eerror "Not starting nftables. First create some rules then run:"
        eerror "rc-service nftables save"
        return 1
    fi
    return 0
}

panic() {
    checkkernel || return 1
    if service_started ${RC_SVCNAME}; then
        rc-service ${RC_SVCNAME} stop
checkkernel() {
    if ! nft list tables >/dev/null 2>&1; then
        eerror "Your kernel lacks nftables support, please load"
        eerror "appropriate modules and try again."
        return 1
    fi

    ebegin "Dropping all packets"
    clearNFT

    local l3f
    for l3f in $(getfamilies); do
        case ${l3f} in
            ip) addpanictable ${l3f} ;;
            ip6) addpanictable ${l3f} ;;
        esac
    done
    return 0
}
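Review bot: panic() can return 0 without dropping anything: `clear` is called without checking its status, and if the flush fails the following `nft create table ip filter >/dev/null 2>&1` guards fail silently (the tables already exist), so both drop tables are skipped while the function still exits 0 and the operator sees only the "Dropping all packets" banner with no matching eend. Change the call to `clear || { eend 1 "could not flush the current ruleset"; return 1; }`, check the status of each `nft -f /dev/stdin` load instead of relying on the guarded create, and finish the function with `eend $?` so a failed panic is reported. If the guard exists to tolerate a kernel without the ip6 family, report the skip with `ewarn` rather than discarding stderr, since an unreported skip is indistinguishable from success. save() is carried over unchanged from v1 and still moves the tmp file over `${NFTABLES_SAVE}` on every `nft list ruleset` exit status, because `[ ${retval} ]` is always true.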
-- 
2.7.0


