[alpine-aports] [PATCH] main/nftables: Update init script
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
---
main/nftables/APKBUILD | 8 + -
main/nftables/nftables.initd | 197 ++++++++++++++++++++ -----------------------
2 files changed, 96 insertions(+), 109 deletions(-)
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c93939..ffb62ff 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.5
- pkgrel=0
+ pkgrel=1
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
@@ -57,10 +57,10 @@ package() {
md5sums="94bfe1c54bcb9f6ed974835f2fca8069 nftables-0.5.tar.bz2
52273a548f7cbfe17ba9ba97b10cf685 nftables.confd
- 63e330d514aed839ce9985c3cb918e2c nftables.initd"
+ 005e931051e354b8d73ef0a731b30fbe nftables.initd"
sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6 nftables-0.5.tar.bz2
8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff nftables.confd
- 787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff nftables.initd"
+ b88517ebe23a60c4b030d0f21d2c80760ba658ea4151e8ec4fbc62085d9104a4 nftables.initd"
sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342 nftables-0.5.tar.bz2
f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
- c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d nftables.initd"
+ 8269aacf40dbcae7063cbcc5d3be7e3544f98ad848c6c5bd2d8ec59767dc9d5d931b58d5c9bd90f5b1ce24a1b553193576c593ba5cdb915c1cb25b31edda25ac nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 211ed73..51083b8 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -1,4 +1,4 @@
- #!/sbin/openrc-run
+ #!/sbin/runscript
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
@@ -6,63 +6,104 @@
extra_commands="clear list panic save"
extra_started_commands="reload"
+ description="Manage nftable based firewall."
+ description_save="Save current nftables rulesets to disk."
+ description_list="Displays the current nftables ruleset."
+ description_clear="Flush current rulesets."
+ description_panic="Immediately drop all packets on all interfaces."
+ description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
depend() {
need localmount #434774
before net
}
- checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
+ start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
return 0
}
- checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
+ clear() {
+ ebegin "Flushing current rulesets"
+ nft flush ruleset || return 1
return 0
}
- getfamilies() {
- local families
- for l3f in ip arp ip6 bridge inet; do
- if nft list tables ${l3f} > /dev/null 2>&1; then
- families="${families}${l3f} "
- fi
- done
- echo ${families}
+ list() {
+ nft list ruleset || return 1
+ return 0
}
- clearNFT() {
- nft flush ruleset
- }
+ panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
- addpanictable() {
- local l3f=$1
- nft add table ${l3f} panic
- nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
- nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
- nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
- nft add rule ${l3f} panic input drop
- nft add rule ${l3f} panic output drop
- nft add rule ${l3f} panic forward drop
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
}
- start_pre() {
+ reload() {
checkkernel || return 1
- checkconfig || return 1
- return 0
+ ebegin "Flushing firewall"
+ clear
+ start
+ }
+
+ save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ nft list ruleset > ${tmp_save}
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ return $?
}
start() {
ebegin "Loading nftables state and starting firewall"
- clearNFT
+ clear
nft -f ${NFTABLES_SAVE}
eend $?
}
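Review bot: In the new save(), `if [ ${retval} ]; then` is always true because the test only sees a non-empty string ("0" or "1"), so a failed `nft list ruleset` still moves the empty or truncated temp file over `${NFTABLES_SAVE}`; it needs `[ ${retval} -eq 0 ]`, or simpler, the nft command itself inside the `if`. The temp file is also created by plain shell redirection under the caller's umask, so the `mv` replaces the 0600 file checkpath just prepared with one that may be group/world readable, and the saved ruleset describes the host's whole filtering policy — create `${tmp_save}` with the same 0600 mode first and remove it on failure. The old save() passed `${SAVE_OPTIONS}` to nft; the new one does not, so whatever the unchanged confd sets there is presumably now ignored silently, and `retval` is not declared local while every `${NFTABLES_SAVE}`/`${tmp_save}` expansion here is unquoted. The v2 patch's corresponding hunk carries this save() verbatim.
```shell
save() {
	ebegin "Saving nftables state"
	checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
	checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
	local tmp_save="${NFTABLES_SAVE}.tmp"
	# give the temp file the same restrictive mode before writing to it,
	# so the mv below never publishes the ruleset with a umask-default mode
	checkpath -q -m 0600 -f "${tmp_save}" || { eend 1; return 1; }
	if nft ${SAVE_OPTIONS} list ruleset > "${tmp_save}"; then
		mv -- "${tmp_save}" "${NFTABLES_SAVE}"
	else
		# keep the last good ruleset; drop the partial dump
		rm -f -- "${tmp_save}"
		false
	fi
	eend $?
}
```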
@@ -73,78 +114,24 @@ stop() {
fi
ebegin "Stopping firewall"
- clearNFT
+ clear
eend $?
}
- reload() {
- checkkernel || return 1
- # checkrules || return 1
- ebegin "Flushing firewall"
- clearNFT
-
- start
- }
-
- clear() {
- clearNFT
- }
-
- list() {
- local l3f
-
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(nft list ${line})"
- done
- done
- }
-
- save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-
- local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
-
- touch "${tmp_save}"
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- # The below substitution fixes an issue where nft -n output may not
- # always be parsable by nft -f. For example, nft -n might print
- #
- # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
- #
- # but nft -f refuses to parse that string with error:
- #
- # In file included from internal:0:0-0:
- # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
- # Invalid argument
- # table ip6 filter {
- # ^^
- echo "$(nft ${SAVE_OPTIONS} list ${line} |\
- sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
- done
- done
- mv "${tmp_save}" "${NFTABLES_SAVE}"
+ checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
}
- panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
+ checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
fi
-
- ebegin "Dropping all packets"
- clearNFT
-
- local l3f
- for l3f in $(getfamilies); do
- case ${l3f} in
- ip) addpanictable ${l3f} ;;
- ip6) addpanictable ${l3f} ;;
- esac
- done
+ return 0
}
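Review bot: checkconfig() tests `[ ! -f ${NFTABLES_SAVE} ]` unquoted; when NFTABLES_SAVE is unset or empty the test degrades to `[ ! -f ]`, which is false, so the guard passes and start() goes on to flush the ruleset and run `nft -f` with no file argument. Quote it: `if [ ! -f "${NFTABLES_SAVE}" ]; then`. Separately, the removed save() carried a sed workaround, with a long explanatory comment, for `::` addresses that `nft -f` could not re-parse; the new `nft list ruleset` dump drops it without the commit message saying whether nftables 0.5 no longer needs it, so a save/start round trip on a ruleset with IPv6 addresses is worth confirming before this lands. stop() begins above this hunk. The v2 patch's last hunk has the same checkconfig() text.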
--
2.7.0
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
[alpine-aports] [PATCH v2] main/nftables: Update init script
Updating main/nftables init script. Based on the newer Gentoo init script: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2. Merged nftables.sh from Gentoo's version into the init script itself, and removed the legacy functionality. Adding descriptions for each action as well.
---
Changes v1 -> v2:
- Don't expose clear as a command. Stop provides the same functionality, and removing the ebegin in clear makes messaging cleaner.
- Simplify reload to just call start since they do the same thing.
- Fix #! line to be /sbin/openrc-run.
main/nftables/APKBUILD | 8 + -
main/nftables/nftables.initd | 192 ++++++++++++++++++++ -----------------------
2 files changed, 91 insertions(+), 109 deletions(-)
mode change 100644 => 100755 main/nftables/nftables.initd
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 2c93939..c125398 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.5
- pkgrel=0
+ pkgrel=1
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
@@ -57,10 +57,10 @@ package() {
md5sums="94bfe1c54bcb9f6ed974835f2fca8069 nftables-0.5.tar.bz2
52273a548f7cbfe17ba9ba97b10cf685 nftables.confd
- 63e330d514aed839ce9985c3cb918e2c nftables.initd"
+ 128977c1bb6c17c8af00430f66ba8029 nftables.initd"
sha256sums="1fb6dff333d8a4fc347cbbe273bf905a2634b27a8c39df0d3a45d5a3fde10ad6 nftables-0.5.tar.bz2
8f09ab3f86f326d3b78dca50db0bfdde2d8bf5e5d45e3495a836edebe99ec2ff nftables.confd
- 787873899c07c74e8d26731922df2d26ecb98e1c2e2ca9cdf2450f85621730ff nftables.initd"
+ 1081fc9804bd3db9f7bc8c204519715fdbaa1e3819fd67c9a2dad469a8ec1702 nftables.initd"
sha512sums="d5ac46bada26522e59461e36d793a2f4dbf42e070d71ac33259d86b343c0d7436975988b7e7878c340f9d81479a11a66518f1307384635ae0229b2f969f8f342 nftables-0.5.tar.bz2
f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
- c99ecc03b19615aa53c6b8dbec2b2006b28b8f44817e08a30a48970c100f40877cfb6c214eb6b36b6cd0517a0e07d07f1157d930661a31ac46fbc2ec0d3a502d nftables.initd"
+ ebea10e684fd6e253c334dc997e7fe02459c385b3dcdd80fb6840475f5b59786f98de06f449024233185aabde04a77c70925535b8da0c0a0572d1c487f6d4504 nftables.initd"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
old mode 100644
new mode 100755
index 211ed73..6ff5dc0
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -3,66 +3,102 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
- extra_commands="clear list panic save"
+ extra_commands="list panic save"
extra_started_commands="reload"
+ description="Manage nftable based firewall."
+ description_save="Save current nftables rulesets to disk."
+ description_list="Displays the current nftables ruleset."
+ description_panic="Immediately drop all packets on all interfaces."
+ description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
depend() {
need localmount #434774
before net
}
- checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
+ start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
return 0
}
- checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
+ clear() {
+ nft flush ruleset || return 1
return 0
}
- getfamilies() {
- local families
- for l3f in ip arp ip6 bridge inet; do
- if nft list tables ${l3f} > /dev/null 2>&1; then
- families="${families}${l3f} "
- fi
- done
- echo ${families}
+ list() {
+ nft list ruleset || return 1
+ return 0
}
- clearNFT() {
- nft flush ruleset
+ panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
}
- addpanictable() {
- local l3f=$1
- nft add table ${l3f} panic
- nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
- nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
- nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
- nft add rule ${l3f} panic input drop
- nft add rule ${l3f} panic output drop
- nft add rule ${l3f} panic forward drop
+ reload() {
+ start
}
- start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
+ save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ nft list ruleset > ${tmp_save}
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ return $?
}
start() {
+ clear
ebegin "Loading nftables state and starting firewall"
- clearNFT
nft -f ${NFTABLES_SAVE}
eend $?
}
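Review bot: reload() now only calls start(), and as far as I can tell OpenRC runs start_pre only for the start command, so a reload no longer passes checkkernel/checkconfig (v1's reload at least kept checkkernel). Combined with start() running `clear` before `nft -f`, a reload with a missing or unparsable `${NFTABLES_SAVE}` flushes the live ruleset and then fails, leaving the host with no filtering at all. Suggest `start_pre || return 1` in reload and validating the file with nft's check-only mode (`nft -c -f`) before the flush, if the packaged nft supports it; `clear`'s return status is also ignored in start() and panic(), and panic()'s `ebegin` never gets a matching `eend`. The heredocs use `<<-EOF`, which strips leading tabs only, so the `EOF` terminators must be tab-indented in the actual file — not something this rendering can confirm.
```shell
reload() {
	# start_pre is only run by the framework for the start command;
	# calling start() directly would skip checkkernel/checkconfig
	start_pre || return 1
	start
}

start() {
	ebegin "Loading nftables state and starting firewall"
	# validate the saved ruleset before flushing, so a broken file
	# does not leave the host without any rules
	nft -c -f "${NFTABLES_SAVE}" || { eend $? "Saved ruleset does not parse"; return 1; }
	clear || { eend $?; return 1; }
	nft -f "${NFTABLES_SAVE}"
	eend $?
}
```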
@@ -73,78 +109,24 @@ stop() {
fi
ebegin "Stopping firewall"
- clearNFT
+ clear
eend $?
}
- reload() {
- checkkernel || return 1
- # checkrules || return 1
- ebegin "Flushing firewall"
- clearNFT
-
- start
- }
-
- clear() {
- clearNFT
- }
-
- list() {
- local l3f
-
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(nft list ${line})"
- done
- done
- }
-
- save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-
- local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
-
- touch "${tmp_save}"
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- # The below substitution fixes an issue where nft -n output may not
- # always be parsable by nft -f. For example, nft -n might print
- #
- # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
- #
- # but nft -f refuses to parse that string with error:
- #
- # In file included from internal:0:0-0:
- # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
- # Invalid argument
- # table ip6 filter {
- # ^^
- echo "$(nft ${SAVE_OPTIONS} list ${line} |\
- sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
- done
- done
- mv "${tmp_save}" "${NFTABLES_SAVE}"
+ checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
}
- panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
+ checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
fi
-
- ebegin "Dropping all packets"
- clearNFT
-
- local l3f
- for l3f in $(getfamilies); do
- case ${l3f} in
- ip) addpanictable ${l3f} ;;
- ip6) addpanictable ${l3f} ;;
- esac
- done
+ return 0
}
--
2.7.0
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---