
[alpine-aports] [PATCH v2] main/nftables: Update init script

From: Ben Allen <bensallen_at_me.com>
Date: Sat, 09 Jan 2016 21:04:20 +0000

Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
---
Changes v1 -> v2:
 - Don't expose clear as a command. Stop provides the same functionality, and removing the ebegin in clear makes messaging cleaner.
 - Simplify reload to just call start since they do the same thing.
 - Fix #! line to be /sbin/openrc-run.
 main/nftables/APKBUILD       |   8 +-
 main/nftables/nftables.initd | 192 ++++++++++++++++++++-----------------------
 2 files changed, 91 insertions(+), 109 deletions(-)
 mode change 100644 => 100755 main/nftables/nftables.initd
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c93939..c125398 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
_at_@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 pkgname=nftables
 pkgver=0.5
-pkgrel=0
+pkgrel=1
 pkgdesc="Netfilter tables userspace tools"
 url="http://netfilter.org/projects/nftables/"
 arch="all"
_at_@ -57,10 +57,10 @@ package() {
 
 md5sums="94bfe1c54bcb9f6ed974835f2fca8069  nftables-0.5.tar.bz2
 52273a548f7cbfe17ba9ba97b10cf685  nftables.confd
-63e330d514aed839ce9985c3cb918e2c  nftables.initd"
+128977c1bb6c17c8af00430f66ba8029  nftables.initd"
 sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6  nftables-0.5.tar.bz2
 8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff  nftables.confd
-787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff  nftables.initd"
+1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702  nftables.initd"
 sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342  nftables-0.5.tar.bz2
 f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8  nftables.confd
-c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d  nftables.initd"
+ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504  nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
old mode 100644
new mode 100755
index 211ed73..6ff5dc0
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
_at_@ -3,66 +3,102 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-extra_commands="clear list panic save"
+extra_commands="list panic save"
 extra_started_commands="reload"
 
+description="Manage nftable based firewall."
+description_save="Save current nftables rulesets to disk."
+description_list="Displays the current nftables ruleset."
+description_panic="Immediately drop all packets on all interfaces."
+description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
 depend() {
     need localmount #434774
     before net
 }
 
-checkkernel() {
-    if ! nft list tables >/dev/null 2>&1; then
-        eerror "Your kernel lacks nftables support, please load"
-        eerror "appropriate modules and try again."
-        return 1
-    fi
+start_pre() {
+    checkkernel || return 1
+    checkconfig || return 1
     return 0
 }
 
-checkconfig() {
-    if [ ! -f ${NFTABLES_SAVE} ]; then
-        eerror "Not starting nftables.  First create some rules then run:"
-        eerror "rc-service nftables save"
-        return 1
-    fi
+clear() {
+    nft flush ruleset || return 1
     return 0
 }
 
-getfamilies() {
-    local families
-    for l3f in ip arp ip6 bridge inet; do
-        if nft list tables ${l3f} > /dev/null 2>&1; then
-            families="${families}${l3f} "
-        fi
-    done
-    echo ${families}
+list() {
+    nft list ruleset || return 1
+    return 0
 }
 
-clearNFT() {
-    nft flush ruleset
+panic() {
+    checkkernel || return 1
+    if service_started ${RC_SVCNAME}; then
+        rc-service ${RC_SVCNAME} stop
+    fi
+
+    ebegin "Dropping all packets"
+    clear
+    if nft create table ip filter >/dev/null 2>&1; then
+	nft -f /dev/stdin <<-EOF
+	    table ip filter {
+	                    chain input {
+	                                    type filter hook input priority 0;
+	                                    drop
+	                    }
+	                    chain forward {
+	                                    type filter hook forward priority 0;
+	                                    drop
+	                    }
+	                    chain output {
+	                                    type filter hook output priority 0;
+	                                    drop
+	                    }
+	    }
+	EOF
+    fi
+    if nft create table ip6 filter >/dev/null 2>&1; then
+	nft -f /dev/stdin <<-EOF
+	    table ip6 filter {
+	                    chain input {
+	                                    type filter hook input priority 0;
+	                                    drop
+	                    }
+	                    chain forward {
+	                                    type filter hook forward priority 0;
+	                                    drop
+	                    }
+	                    chain output {
+	                                    type filter hook output priority 0;
+	                                    drop
+	                    }
+	    }
+	EOF
+    fi
 }
 
-addpanictable() {
-    local l3f=$1
-    nft add table ${l3f} panic
-    nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
-    nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
-    nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
-    nft add rule ${l3f} panic input drop
-    nft add rule ${l3f} panic output drop
-    nft add rule ${l3f} panic forward drop
+reload() {
+    start
 }
 
-start_pre() {
-    checkkernel || return 1
-    checkconfig || return 1
-	return 0
+save() {
+    ebegin "Saving nftables state"
+    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+    local tmp_save="${NFTABLES_SAVE}.tmp"
+    nft list ruleset > ${tmp_save}
+    retval=$?
+    if [ ${retval} ]; then
+       mv ${tmp_save} ${NFTABLES_SAVE}
+    fi
+    return $?
 }
 
 start() {
+    clear
     ebegin "Loading nftables state and starting firewall"
-    clearNFT
     nft -f ${NFTABLES_SAVE}
     eend $?
 }
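Review bot: In save(), `if [ ${retval} ]` only tests that the string "0" or "1" is non-empty, so it is always true and an empty or partial dump from a failed `nft list ruleset` is still moved over the previous save file; `return $?` then reports the status of the last command rather than the save as a whole, and the `ebegin` is never closed with `eend`. Because `mv` keeps the mode of the temp file, the `checkpath -m 0600` applied to `${NFTABLES_SAVE}` is also defeated and the saved rules end up with the umask default mode, so the temp file should be created with the same mode before it is written, and both paths should be quoted. A rewrite of the body is below. Separately, reload() calls start directly, so start_pre's checks are skipped and the ruleset is flushed before a possibly missing save file is loaded; `reload() { checkconfig || return 1; start; }` keeps the pre-check.
```shell
save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
    local tmp_save="${NFTABLES_SAVE}.tmp"
    # give the temp file the same restrictive mode, so the rename
    # below does not loosen the permissions of the saved ruleset
    checkpath -q -m 0600 -f "${tmp_save}"
    if nft list ruleset > "${tmp_save}"; then
        mv "${tmp_save}" "${NFTABLES_SAVE}"
    else
        rm -f "${tmp_save}"
        false
    fi
    eend $?
}
```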
_at_@ -73,78 +109,24 @@ stop() {
     fi
 
     ebegin "Stopping firewall"
-    clearNFT
+    clear
     eend $?
 }
 
-reload() {
-    checkkernel || return 1
-    # checkrules || return 1
-    ebegin "Flushing firewall"
-    clearNFT
-
-    start
-}
-
-clear() {
-    clearNFT
-}
-
-list() {
-    local l3f
-
-    for l3f in $(getfamilies); do
-        nft list tables ${l3f} | while read line; do
-            line=$(echo ${line} | sed "s/table/table ${l3f}/")
-            echo "$(nft list ${line})"
-        done
-    done
-}
-
-save() {
-    ebegin "Saving nftables state"
-    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
-    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-
-    local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
-
-    touch "${tmp_save}"
-    for l3f in $(getfamilies); do
-        nft list tables ${l3f} | while read line; do
-            line=$(echo ${line} | sed "s/table/table ${l3f}/")
-            # The below substitution fixes an issue where nft -n output may not
-            # always be parsable by nft -f.  For example, nft -n might print
-            #
-            #     ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
-            #
-            # but nft -f refuses to parse that string with error:
-            #
-            #     In file included from internal:0:0-0:
-            #     /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
-            #     Invalid argument
-            #     table ip6 filter {
-            #     ^^
-            echo "$(nft ${SAVE_OPTIONS} list ${line} |\
-                    sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
-        done
-    done
-    mv "${tmp_save}" "${NFTABLES_SAVE}"
+checkconfig() {
+    if [ ! -f ${NFTABLES_SAVE} ]; then
+        eerror "Not starting nftables. First create some rules then run:"
+        eerror "rc-service nftables save"
+        return 1
+    fi
+    return 0
 }
 
-panic() {
-    checkkernel || return 1
-    if service_started ${RC_SVCNAME}; then
-        rc-service ${RC_SVCNAME} stop
+checkkernel() {
+    if ! nft list tables >/dev/null 2>&1; then
+        eerror "Your kernel lacks nftables support, please load"
+        eerror "appropriate modules and try again."
+        return 1
     fi
-
-    ebegin "Dropping all packets"
-    clearNFT
-
-    local l3f
-    for l3f in $(getfamilies); do
-        case ${l3f} in
-            ip) addpanictable ${l3f} ;;
-            ip6) addpanictable ${l3f} ;;
-        esac
-    done
+    return 0
 }
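Review bot: In checkconfig(), `[ ! -f ${NFTABLES_SAVE} ]` is unquoted, so if NFTABLES_SAVE is unset or empty the test collapses to the two-argument form `[ ! -f ]`, which is false, and start proceeds to flush the ruleset and run `nft -f` with no file, leaving the host without a firewall. The check should be `if [ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]; then` so a missing setting from conf.d is reported the same way as a missing file. The stop() function whose tail appears at the top of this hunk begins outside it.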
-- 
2.7.0