~alpine/aports

testing/nftables: new aport v1 PROPOSED

Sören Tempel: 1
 testing/nftables: new aport

 4 files changed, 305 insertions(+), 0 deletions(-)
Export patchset (mbox)
How do I use this?

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/1145/mbox | git am -3
Learn more about email & git

[alpine-aports] [PATCH] testing/nftables: new aport Export this patch

Might need some additional testing. Especially the OpenRC service wasn't
tested to extensively by myself.
---
 .../nftables/01-fix-object-order-via-nft--f.patch  |  50 +++++++
 testing/nftables/APKBUILD                          |  70 +++++++++
 testing/nftables/nftables.confd                    |  19 +++
 testing/nftables/nftables.initd                    | 166 +++++++++++++++++++++
 4 files changed, 305 insertions(+)
 create mode 100644 testing/nftables/01-fix-object-order-via-nft--f.patch
 create mode 100644 testing/nftables/APKBUILD
 create mode 100644 testing/nftables/nftables.confd
 create mode 100644 testing/nftables/nftables.initd

diff --git a/testing/nftables/01-fix-object-order-via-nft--f.patch b/testing/nftables/01-fix-object-order-via-nft--f.patch
new file mode 100644
index 0000000..6092032
--- /dev/null
+++ b/testing/nftables/01-fix-object-order-via-nft--f.patch
@@ -0,0 +1,50 @@
From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 14 Feb 2015 21:41:23 +0100
Subject: rule: fix object order via nft -f

The objects need to be loaded in the following order:

	#1 tables
	#2 chains
	#3 sets
	#4 rules

We have to make sure that chains are in place by when we add rules with
jumps/gotos. Similarly, we have to make sure that the sets are in place
by when rules reference them.

Without this patch, you may hit ENOENT errors depending on your ruleset
configuration.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/rule.c b/src/rule.c
index feafe26..8d76fd0 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
 	if (netlink_add_table(ctx, h, loc, table, excl) < 0)
 		return -1;
 	if (table != NULL) {
+		list_for_each_entry(chain, &table->chains, list) {
+			if (netlink_add_chain(ctx, &chain->handle,
+					      &chain->location, chain,
+					      excl) < 0)
+				return -1;
+		}
 		list_for_each_entry(set, &table->sets, list) {
 			handle_merge(&set->handle, &table->handle);
 			if (do_add_set(ctx, &set->handle, set) < 0)
 				return -1;
 		}
 		list_for_each_entry(chain, &table->chains, list) {
-			if (do_add_chain(ctx, &chain->handle, &chain->location,
-					 chain, excl) < 0)
+			if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
 				return -1;
 		}
 	}
-- 
cgit v0.10.2

diff --git a/testing/nftables/APKBUILD b/testing/nftables/APKBUILD
new file mode 100644
index 0000000..0679b5b
--- /dev/null
+++ b/testing/nftables/APKBUILD
@@ -0,0 +1,70 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=nftables
pkgver=0.4
pkgrel=0
pkgdesc="Netfilter tables userspace tools"
url="http://netfilter.org/projects/nftables/"
arch="all"
license="GPL2"
depends=""
depends_dev="libmnl-dev libnftnl-dev gmp-dev readline-dev ncurses-dev"
makedepends="$depends_dev bison flex"
install=""
subpackages="" # -doc would require docbook2x which isn't packaged yet
source="http://netfilter.org/projects/$pkgname/files/$pkgname-$pkgver.tar.bz2
	nftables.confd
	nftables.initd
	01-fix-object-order-via-nft--f.patch"

_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
	cd "$_builddir"

	update_config_sub || return 1
	sed -i '1i#include "config.h"' src/proto.c

	local i=
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
		esac
	done
}

build() {
	cd "$_builddir"
	./configure \
		--build=$CBUILD \
		--host=$CHOST \
		--prefix=/usr \
		--sysconfdir=/etc \
		--mandir=/usr/share/man \
		--infodir=/usr/share/info \
		--localstatedir=/var \
		|| return 1
	make || return 1
}

package() {
	cd "$_builddir"
	make DESTDIR="$pkgdir" install || return 1

	install -Dm755 "$srcdir"/$pkgname.initd \
		"$pkgdir"/etc/init.d/$pkgname || return 1
	install -Dm644 "$srcdir"/$pkgname.confd \
		"$pkgdir"/etc/conf.d/$pkgname || return 1
}

md5sums="09b686c489ff10db670ca60dbed7ff43  nftables-0.4.tar.bz2
00f7dc61bcc1f7c2e48ebeaeb8b6b6b5  nftables.confd
f5703f86eb2129cdece8c230cc036bd7  nftables.initd
c0a18f43a5ce02cb61c9e0071725529a  01-fix-object-order-via-nft--f.patch"
sha256sums="f6ca69b75c68915f9f3a3972274ec68354dfbbcfc0b9fc55c813a0525c351d3c  nftables-0.4.tar.bz2
d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd  nftables.confd
293d5a0ef687c69fffdce912a833cf5812272c0baae9f59d603ada8efa5828a6  nftables.initd
ab5068a30e4a0df72b589aec500a4a6a1c3a5ab50ee73fad034eee676eabe9bb  01-fix-object-order-via-nft--f.patch"
sha512sums="0932cf987da602285fbf7c7f61328b0d74d687889c2d4a5bd2bd7fe11e8b99433bc5ee53ebbddadf2c90e40acdcb28f6babf07e11feedff815c571c3b782dffc  nftables-0.4.tar.bz2
8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144  nftables.confd
ec43cc630b45ea2726044b30925e04f16fdb48ff2ee1871c112fde5b406f47c75b53ce05db4dfab8558156da96e9bf484ebab1f00f5cda20bbe8597c63b178fe  nftables.initd
9b7b51c55681fc25bb53fef6bf38e125377a3b32bdf6e9c8c7056a72deb7f24b7b6e2dcccb3065645e69675848585c6051e8992d9179f1609fbe1d873cb3bddf  01-fix-object-order-via-nft--f.patch"
diff --git a/testing/nftables/nftables.confd b/testing/nftables/nftables.confd
new file mode 100644
index 0000000..e83a4b9
--- /dev/null
+++ b/testing/nftables/nftables.confd
@@ -0,0 +1,19 @@
# /etc/conf.d/nftables

# Location in which nftables initscript will save set rules on 
# service shutdown
NFTABLES_SAVE="/var/lib/nftables/rules-save"

# Options to pass to nft on save
SAVE_OPTIONS="-n"

# Save state on stopping nftables
SAVE_ON_STOP="yes"

# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
#rc_use="logger"
diff --git a/testing/nftables/nftables.initd b/testing/nftables/nftables.initd
new file mode 100644
index 0000000..c726393
--- /dev/null
+++ b/testing/nftables/nftables.initd
@@ -0,0 +1,166 @@
#!/sbin/runscript
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

extra_commands="clear list panic save"
extra_started_commands="reload"

depend() {
    need localmount #434774
    before net
}

checkkernel() {
    if ! nft list tables >/dev/null 2>&1; then
        eerror "Your kernel lacks nftables support, please load"
        eerror "appropriate modules and try again."
        return 1
    fi
    return 0
}

checkconfig() {
    if [ ! -f ${NFTABLES_SAVE} ]; then
        eerror "Not starting nftables.  First create some rules then run:"
        eerror "rc-service nftables save"
        return 1
    fi
    return 0
}

getfamilies() {
    local families
    for l3f in ip arp ip6 bridge inet; do
        if nft list tables ${l3f} > /dev/null 2>&1; then
            families="${families}${l3f} "
        fi
    done
    echo ${families}
}

clearNFT() {
    local l3f line table chain

    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            table=$(echo ${line} | sed "s/table[ \t]*//")
            nft flush table ${l3f} ${table}
            nft list table ${l3f} ${table} | while read l; do
                chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
                        cut -d ' ' -f2)
                if [ -n "${chain}" ]; then
                    nft flush chain ${l3f} ${table} ${chain}
                    nft delete chain ${l3f} ${table} ${chain}
                fi
            done
            nft delete table ${l3f} ${table}
        done
    done
}

addpanictable() {
    local l3f=$1
    nft add table ${l3f} panic
    nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
    nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
    nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
    nft add rule ${l3f} panic input drop
    nft add rule ${l3f} panic output drop
    nft add rule ${l3f} panic forward drop
}

start_pre() {
    checkkernel || return 1
    checkconfig || return 1
	return 0
}

start() {
    ebegin "Loading nftables state and starting firewall"
    clearNFT
    nft -f ${NFTABLES_SAVE}
    eend $?
}

stop() {
    if yesno ${SAVE_ON_STOP:-yes}; then
        save || return 1
    fi

    ebegin "Stopping firewall"
    clearNFT
    eend $?
}

reload() {
    checkkernel || return 1
    # checkrules || return 1
    ebegin "Flushing firewall"
    clearNFT

    start
}

clear() {
    clearNFT
}

list() {
    local l3f

    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            echo "$(nft list ${line})"
        done
    done
}

save() {
    ebegin "Saving nftables state"
    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"

    local l3f line tmp_save="${NFTABLES_SAVE}.tmp"

    touch "${tmp_save}"
    for l3f in $(getfamilies); do
        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            # The below substitution fixes an issue where nft -n output may not
            # always be parsable by nft -f.  For example, nft -n might print
            #
            #     ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
            #
            # but nft -f refuses to parse that string with error:
            #
            #     In file included from internal:0:0-0:
            #     /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
            #     Invalid argument
            #     table ip6 filter {
            #     ^^
            echo "$(nft ${SAVE_OPTIONS} list ${line} |\
                    sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
        done
    done
    mv "${tmp_save}" "${NFTABLES_SAVE}"
}

panic() {
    checkkernel || return 1
    if service_started ${RC_SVCNAME}; then
        rc-service ${RC_SVCNAME} stop
    fi

    ebegin "Dropping all packets"
    clearNFT

    local l3f
    for l3f in $(getfamilies); do
        case ${l3f} in
            ip) addpanictable ${l3f} ;;
            ip6) addpanictable ${l3f} ;;
        esac
    done
}
-- 
2.5.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---