From: Benjamin Allen
To: Sören Tempel
Cc: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] Re: [alpine-aports] [PATCH] main/nftables: Update init script
Date: Sat, 09 Jan 2016 16:09:43 +0000 (GMT)
Message-id: <2512351b-8f6a-42ba-9f61-828605b2b3b8@me.com>

Hi Sören,

I agree on Gentoo's initd being overly complicated. That is why I stripped out the legacy functions and merged it all into a single file. This patch is basically doing as you suggest:

`nft -f ${some_configuration_file}` on start

`nft ruleset flush` would be the equivalent of this patch's "clear" function. You also need the save function, which is `nft list ruleset > ${NFTABLES_SAVE}`. This patch checks the return code of `nft list ruleset` before overwriting the existing save file, which I think is a safer approach. Just in case.

The panic function, while lengthy, is atomic when loaded by nft. I'm not sure how useful having this function is, but I carried it over from Gentoo's initd.

I also like having the checkkernel and checkconfig functions in place, as they give the user pretty clear guidance on what's wrong with their configuration when they fail.

One thing we should change: I copied over the #!/sbin/runscript and didn't change it to #!/sbin/openrc-run.

Thanks,

Ben

On Jan 09, 2016, at 08:35 AM, Sören Tempel <soeren@soeren-tempel.net> wrote:

> On 08.01.16, Ben Allen wrote:
> > Updating main/nftables init script. Based on the newer Gentoo init
> > script:
> > https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2.
> > Merged nftables.sh from Gentoo's version into the init script itself,
> > and removed the legacy functionality. Adding descriptions for each
> > action as well.
>
> I was actually considering to write a custom service for nftables since
> I believe that the Gentoo service is too complicated. Simply invoking
> `nft -f ${some_configuration_file}` on start and `nft flush ruleset`
> should be good enough, shouldn't it?
>
> Sören.
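Added example, not the patch under discussion nor Gentoo's script: a POSIX sh sketch of the checkconfig and save steps Ben describes, where the ruleset dump goes to a temporary file and only replaces the save file when `nft list ruleset` succeeded. `NFT`, `NFTABLES_SAVE` and the function names are assumptions; `NFT` is a variable so the commands can be substituted offline.

```shell
#!/bin/sh
# Added example, not the thread's patch. Sketch of the checkconfig/save
# steps of an OpenRC-style nftables service. NFT, NFTABLES_SAVE and the
# function names are assumptions; NFT is a variable so a fake can stand in.
NFT="${NFT:-nft}"
NFTABLES_SAVE="${NFTABLES_SAVE:-/var/lib/nftables/rules-save}"

# checkconfig: fail early with a clear message instead of a half-loaded
# ruleset. `nft -c -f FILE` parses and validates without applying anything.
checkconfig() {
    cfg="${1:-$NFTABLES_SAVE}"
    if [ ! -r "$cfg" ]; then
        echo "checkconfig: $cfg is missing or unreadable" >&2
        return 1
    fi
    if ! "$NFT" -c -f "$cfg" >/dev/null 2>&1; then
        echo "checkconfig: $cfg does not parse; refusing to load it" >&2
        return 1
    fi
}

# save: dump the live ruleset, but only replace the save file when the dump
# succeeded. A plain `nft list ruleset > FILE` truncates FILE before nft
# even runs, so a failure would leave an empty ruleset for the next boot.
save_ruleset() {
    out="${1:-$NFTABLES_SAVE}"
    tmp="$out.tmp.$$"
    if "$NFT" list ruleset > "$tmp" 2>/dev/null; then
        # Ruleset dumps can reveal addresses and policy: root-only.
        chmod 600 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "save: nft list ruleset failed; keeping $out untouched" >&2
        return 1
    fi
}
```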