
[alpine-aports] [PATCH] main/nftables: Updating init script

From: Ben Allen <bensallen_at_me.com>
Date: Tue, 12 Jan 2016 15:50:32 +0000

- Tidy up panic function to a single inet (combined ip and ipv6) table.
- Use policy drop for each chain in the panic function instead of a drop rule. This way a user could manually add in rules later allowing explicit access.
- Instead of a clear function, include 'flush ruleset' in the output of the save function. This way loading the saved ruleset is fully atomic, instead of requiring two separate commands.
- Stop is the only function that needs to be able to flush ruleset, so run 'nft flush ruleset' directly, and remove the clear function.
---
 main/nftables/APKBUILD       |  8 +++----
 main/nftables/nftables.initd | 55 +++++++++-----------------------------------
 2 files changed, 15 insertions(+), 48 deletions(-)
 mode change 100755 => 100644 main/nftables/nftables.initd
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index c125398..6250b67 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
_at_@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 pkgname=nftables
 pkgver=0.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Netfilter tables userspace tools"
 url="http://netfilter.org/projects/nftables/"
 arch="all"
_at_@ -57,10 +57,10 @@ package() {
 
 md5sums="94bfe1c54bcb9f6ed974835f2fca8069  nftables-0.5.tar.bz2
 52273a548f7cbfe17ba9ba97b10cf685  nftables.confd
-128977c1bb6c17c8af00430f66ba8029  nftables.initd"
+15a168de8e5aa18cb1d2a84c90850ad7  nftables.initd"
 sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6  nftables-0.5.tar.bz2
 8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff  nftables.confd
-1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702  nftables.initd"
+3b51a516d419f0d003c7a0131525ce1cec33793eb13d3afafb9b61060fbaf62e  nftables.initd"
 sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342  nftables-0.5.tar.bz2
 f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8  nftables.confd
-ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504  nftables.initd"
+40a91ef2cff9a8fd5b88888fc601cfbdf30ab0d16bb37997ebee53b7b528de7adc26eca1adfd885fa5b17cc7abf7d4fd30a40385002042d6796aea9c820c3bc6  nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
old mode 100755
new mode 100644
index 6ff5dc0..0c11d37
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
_at_@ -23,11 +23,6 @@ start_pre() {
     return 0
 }
 
-clear() {
-    nft flush ruleset || return 1
-    return 0
-}
-
 list() {
     nft list ruleset || return 1
     return 0
_at_@ -40,43 +35,15 @@ panic() {
     fi
 
     ebegin "Dropping all packets"
-    clear
-    if nft create table ip filter >/dev/null 2>&1; then
-	nft -f /dev/stdin <<-EOF
-	    table ip filter {
-	                    chain input {
-	                                    type filter hook input priority 0;
-	                                    drop
-	                    }
-	                    chain forward {
-	                                    type filter hook forward priority 0;
-	                                    drop
-	                    }
-	                    chain output {
-	                                    type filter hook output priority 0;
-	                                    drop
-	                    }
-	    }
+    nft -f /dev/stdin <<-EOF
+        flush ruleset
+        table inet filter {
+            chain input   { type filter hook input priority 0; policy drop; }
+            chain forward { type filter hook forward priority 0; policy drop; }
+            chain output  { type filter hook output priority 0; policy drop; }
+        }
 	EOF
-    fi
-    if nft create table ip6 filter >/dev/null 2>&1; then
-	nft -f /dev/stdin <<-EOF
-	    table ip6 filter {
-	                    chain input {
-	                                    type filter hook input priority 0;
-	                                    drop
-	                    }
-	                    chain forward {
-	                                    type filter hook forward priority 0;
-	                                    drop
-	                    }
-	                    chain output {
-	                                    type filter hook output priority 0;
-	                                    drop
-	                    }
-	    }
-	EOF
-    fi
+    eend $?
 }
 
 reload() {
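Review bot: The new heredoc body (the `flush ruleset` line through the closing `}` of `table inet filter`) is indented with spaces while the heredoc is opened with `<<-EOF` and terminated by a tab-indented `EOF`; `<<-` strips only leading tabs, so the spaces are passed through to `nft -f` unchanged. That happens to work because nft ignores leading whitespace, but the mix is fragile: if a later edit converts the closing `EOF` to spaces the heredoc becomes unterminated, and the tab/space split is invisible in most editors. Indent the six body lines with tabs so `<<-` strips them consistently, or drop the `-` and put the body and `EOF` at column 0. The `panic()` header and its early-return check start above this hunk.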
_at_@ -88,7 +55,8 @@ save() {
     checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
     checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
     local tmp_save="${NFTABLES_SAVE}.tmp"
-    nft list ruleset > ${tmp_save}
+    echo 'flush ruleset' > ${tmp_save}
+    nft list ruleset >> ${tmp_save}
     retval=$?
     if [ ${retval} ]; then
        mv ${tmp_save} ${NFTABLES_SAVE}
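Review bot: The status captured right after the new `nft list ruleset >> ${tmp_save}` line is not actually checked: `if [ ${retval} ]` is a non-empty-string test and is true for `1` as well as `0`. That pre-existing weakness matters more now, because when `nft list ruleset` fails the temp file contains only the new `flush ruleset` line and is still moved over `${NFTABLES_SAVE}`, so the next `start` would load a ruleset that flushes everything and installs nothing. Change the condition to `if [ "${retval}" -eq 0 ]; then`, and quote `"${tmp_save}"` in the two new redirections. The temp file is also created under the process umask rather than the 0600 that `checkpath` applies to the final file, and `mv` keeps the temp file's mode, so a `chmod 0600 "${tmp_save}"` before the move would preserve the intended permissions; `save()` starts above this hunk.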
_at_@ -97,7 +65,6 @@ save() {
 }
 
 start() {
-    clear
     ebegin "Loading nftables state and starting firewall"
     nft -f ${NFTABLES_SAVE}
     eend $?
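Review bot: With the `clear` call removed, `nft -f ${NFTABLES_SAVE}` on the line after `ebegin` relies on the save file itself beginning with `flush ruleset`, which is only true for files written by the new `save()`. A file produced by the previous version, or one written by hand in the old format, has no such line, so `start` after this upgrade adds the saved rules on top of whatever is already loaded instead of replacing it (duplicated rules at best). Consider guarding the load until the format is established, `grep -q '^flush ruleset' "${NFTABLES_SAVE}" || nft flush ruleset`, or documenting the required leading line in the confd file, and quote the path as `nft -f "${NFTABLES_SAVE}"`. The closing brace of `start()` is outside this hunk.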
_at_@ -109,7 +76,7 @@ stop() {
     fi
 
     ebegin "Stopping firewall"
-    clear
+    nft flush ruleset
     eend $?
 }
 
-- 
2.7.0