authorJakub Jirutka <jakub@jirutka.cz>2018-04-01 17:54:14 +0200
committerJakub Jirutka <jakub@jirutka.cz>2018-04-01 19:03:36 +0200
commit09d5ae0cd26007718bd77c5a5a866a094fae61a9 (patch)
treec2fa6d9a13bfcb7384585acb8416dc38b5a1e532 /main/nftables
parent6947566f1bf220466c0836ca542daab845cab9ce (diff)
main/nftables: improve runscript, fix code-style, rename vars
Diffstat (limited to 'main/nftables')
-rw-r--r--main/nftables/APKBUILD5
-rw-r--r--main/nftables/nftables.confd16
-rw-r--r--main/nftables/nftables.initd115
3 files changed, 72 insertions, 64 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 9aa0fb726ec..8838c02847f 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -1,4 +1,5 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=nftables
pkgver=0.8.3
@@ -44,5 +45,5 @@ package() {
}
sha512sums="d3d97be10c2dcd1f15b9998e01254ff11438a2d83922e8b5207b641375ea12bb86ecbe4f9cb21cdf5998ddeb7c42b9e424dcb40a359cf42e06b9437a5ce4f72c nftables-0.8.3.tar.bz2
-f709e203d949380dce8ffdaed616c047280d3fe7448bb024a6f6c01a17c11bf7caaa5f67b412bc90c9bff4ce91a6fd5e5270d259dc30fdcda81dd2f6221ad0d8 nftables.confd
-2bb551522fb2c61f4cab3a2ab1d9c84696403007a13521ca08a89fe79a9ae8867357d5664315c97ef09c49c3cdf7c76066f8226153f8c6fcd8b265ba4fbf3826 nftables.initd"
+a0a3e67272cc344d28c5a3eebee9fd8361371a53c2960c1b96acbc02845caffcd58a59b6f08d90b4aa831bbb1322f673d61c1035b937c06f9ac4a98bee1e40f4 nftables.confd
+c63b3026af68dc03b49f0fc25ef6c5f0a5fbd398dcb0af0870c9342a9095dd57dea2e7025f0cc0762f1640c825465c8b3824cb126dc5d6b70ec35471972d690b nftables.initd"
diff --git a/main/nftables/nftables.confd b/main/nftables/nftables.confd
index 8048a2ad8eb..fd7caab9cc8 100644
--- a/main/nftables/nftables.confd
+++ b/main/nftables/nftables.confd
@@ -1,14 +1,14 @@
-# /etc/conf.d/nftables
+# Configuration for /etc/init.d/nftables
-# Location in which nftables initscript will save set rules on
-# service shutdown
-NFTABLES_SAVE="/var/lib/nftables/rules-save"
+# Location of file with nftables rules to restore on service start,
+# and save rules to on service stop when $save_on_stop is enabled.
+#rules_file="/var/lib/nftables/rules-save"
-# Options to pass to nft on save
-SAVE_OPTIONS="-n"
+# Options to pass to nft on save.
+#save_options="-n"
-# Save state on stopping nftables
-SAVE_ON_STOP="yes"
+# Save state on stopping nftables.
+#save_on_stop="yes"
# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
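Review bot: Only the new lowercase names are documented, so an existing /etc/conf.d/nftables that still sets NFTABLES_SAVE, SAVE_OPTIONS or SAVE_ON_STOP gives the admin no hint whether those settings are still read. The runscript in this same commit keeps honouring the uppercase names as fallbacks, so a one-line comment here such as `# The former NFTABLES_SAVE, SAVE_OPTIONS and SAVE_ON_STOP names are still accepted.` would make the migration explicit and let people upgrade without re-checking the initd.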
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 689c9b04b02..6035d1a7bcc 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -12,88 +12,95 @@ description_list="Displays the current nftables ruleset."
description_panic="Immediately drop all packets on all interfaces."
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+# Uppercase variables are there for backward compatibility.
+: ${rules_file:=${NFTABLES_SAVE:="/var/lib/nftables/rules-save"}}
+: ${save_options:=${SAVE_OPTIONS:="-n"}}
+: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+
depend() {
- need localmount #434774
- before net
+ need localmount
+ before net
+ provide firewall
}
start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
+ checkkernel && checkconfig
}
list() {
- nft list ruleset || return 1
- return 0
+ nft list ruleset
}
panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
- fi
-
- ebegin "Dropping all packets"
- nft -f /dev/stdin <<-EOF
- flush ruleset
- table inet filter {
- chain input { type filter hook input priority 0; policy drop; }
- chain forward { type filter hook forward priority 0; policy drop; }
- chain output { type filter hook output priority 0; policy drop; }
- }
+ checkkernel || return 1
+
+ if service_started "$RC_SVCNAME"; then
+ rc-service "$RC_SVCNAME" stop
+ fi
+
+ ebegin "Dropping all packets"
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
EOF
- eend $?
+ eend $?
}
reload() {
- start
+ start
}
save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
- local tmp_save="${NFTABLES_SAVE}.tmp"
- echo 'flush ruleset' > ${tmp_save}
- nft list ruleset >> ${tmp_save}
- retval=$?
- if [ ${retval} ]; then
- mv ${tmp_save} ${NFTABLES_SAVE}
- fi
- return $retval
+ ebegin "Saving nftables state"
+
+ checkpath -q -d "${rules_file%/*}"
+ checkpath -q -m 0600 -f "$rules_file"
+
+ local tmp_save="$rules_file.tmp"
+
+ echo 'flush ruleset' > "$tmp_save"
+ nft list ruleset >> "$tmp_save"; local retval=$?
+
+ [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
+
+ return $retval
}
start() {
- ebegin "Loading nftables state and starting firewall"
- nft -f ${NFTABLES_SAVE}
- eend $?
+ ebegin "Loading nftables state and starting firewall"
+
+ nft -f "$rules_file"
+ eend $?
}
stop() {
- if yesno ${SAVE_ON_STOP:-yes}; then
- save || return 1
- fi
+ if yesno "$save_on_stop"; then
+ save || return 1
+ fi
- ebegin "Stopping firewall"
- nft flush ruleset
- eend $?
+ ebegin "Stopping firewall"
+ nft flush ruleset
+ eend $?
}
checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
- return 0
+ if [ ! -f "$rules_file" ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror " rc-service nftables save"
+ return 1
+ fi
+ return 0
}
checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
}
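Review bot: The 0600 mode that `checkpath -q -m 0600 -f "$rules_file"` sets in save() is lost as soon as `mv "$tmp_save" "$rules_file"` replaces the file, because `$tmp_save` is created by the `echo 'flush ruleset' > "$tmp_save"` redirection with the shell's current umask and mv keeps the temp file's mode, so the saved ruleset is likely world-readable after every save despite the checkpath call. Creating the temp file through checkpath first, `checkpath -q -m 0600 -f "$tmp_save"` placed before the echo, or writing it under `umask 077`, keeps the intended mode on the final file. The temp file is also left behind when `nft list ruleset` fails, since `[ $retval -eq 0 ] && mv ...` handles only the success branch; an explicit `else rm -f "$tmp_save"` branch would clean it up. save() also opens with `ebegin "Saving nftables state"` but never calls eend, so that status line is never closed — pre-existing, but the function body was rewritten here.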