-rw-r--r-- | main/nftables/APKBUILD | 4 | ||||
-rw-r--r-- | main/nftables/nftables.confd | 6 | ||||
-rw-r--r-- | main/nftables/nftables.initd | 4 | ||||
-rw-r--r-- | main/nftables/nftables.post-upgrade | 18 |
4 files changed, 24 insertions, 8 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index 3e1b803663a..dcd4703a692 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -56,6 +56,6 @@ package() {
 }
 sha512sums="d264f6fc75c95510e29fe7d5b82ae418d502f40437b098ba6117ffb1374d9989d70a7296e2e58c5fb25142145a987bb9c160902637899f892589809f9541db43 nftables-0.9.3.tar.bz2
-4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd
-58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd
+cca875473bbd7b2326afcaeec84b1f9826afb70fc67381a64f3ad104a13a314bd2c352e0fac1f602b9980edb2818bf6242373aa1634ce17bcc1d82eeb8b05b39 nftables.confd
+8bb5781fcccf64c6fd074c5fccf8a4aa93b7cb69fc8e58c6cf359e2367a6627e9cf616df1e8bf80171b09f4a9aab1b7296e2edfda0dac138c1cc6201b8d2da8b nftables.initd
 059e0920517ff9f9c564bdfda6a06e8392a2755c01f8d0331a8577fd027713948d3f1e2cbe9da5077870181dc9e425d8c69e4c82ea6ee261fced4ab61aff3ad4 nftables.nft"
diff --git a/main/nftables/nftables.confd b/main/nftables/nftables.confd
index 87fa8f2eaef..f01275947fc 100644
--- a/main/nftables/nftables.confd
+++ b/main/nftables/nftables.confd
@@ -2,13 +2,13 @@
 # Location of file with nftables rules to restore on service start,
 # and save rules to on service stop when $save_on_stop is enabled.
-#rules_file="/etc/firewall.nft"
+#rules_file="/etc/nftables.nft"
 # Options to pass to nft on save.
 #save_options="-n"
-# Save state on stopping nftables.
-#save_on_stop="yes"
+# Save state on stopping nftables (this will overwrite $rules_file).
+#save_on_stop="no"
 # Enable IPv4/IPv6 forwarding with the rules?
 # Note: If you want to enable forwarding only on selected interfaces,
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index c763b395dda..62d0e8496e5 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -13,9 +13,9 @@ description_panic="Immediately drop all packets on all interfaces."
 description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
 # Uppercase variables are there for backward compatibility.
-: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
+: ${rules_file:=${NFTABLES_SAVE:="/etc/nftables.nft"}}
 : ${save_options:=${SAVE_OPTIONS:="-n"}}
-: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+: ${save_on_stop:=${SAVE_ON_STOP:="no"}}
 : ${enable_forwarding:="no"}
 depend() {
diff --git a/main/nftables/nftables.post-upgrade b/main/nftables/nftables.post-upgrade
index c360ec44f39..8ab77c096d1 100644
--- a/main/nftables/nftables.post-upgrade
+++ b/main/nftables/nftables.post-upgrade
@@ -14,6 +14,22 @@ if [ "$(apk version -t "$ver_old" "0.8.3-r1")" = "<" ]; then
 fi
 fi
+# I made a mistake before, the new default location was /etc/firewall.nft, not
+# /etc/nftables.nft. Now I changed it to /etc/nftables.nft (same as Arch Linux),
+# so if /etc/firewall.nft exists and /etc/nftables.nft didn't exist, copy
+# /etc/firewall.nft to /etc/nftables.nft to not break existing setup.
 if [ "$(apk version -t "$ver_old" "0.9.3-r2")" = "<" ]; then
- echo '* Note that /etc/nftables/ was moved to /usr/share/nftables/.' >&2
+ old_file='/etc/firewall.nft'
+ new_file='/etc/nftables.nft'
+
+ cat >&2 <<-EOF
+ * The default rules_file was changed to $new_file and
+ * save_on_stop disabled!
+ * Also note that /etc/nftables/ was moved to /usr/share/nftables/.
+ EOF
+
+ if [ -f "$old_file" ] && [ ! -f "$new_file.apk-new" ]; then
+ echo "* Copying $old_file to $new_file" >&2
+ cp -a "$old_file" "$new_file"
+ fi
 fi |
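Review bot: The changed `: ${rules_file:=…}` and `: ${save_on_stop:=…}` lines in nftables.initd leave the expansion unquoted, so after the default is assigned the result is still word-split and glob-expanded as arguments to `:`. That is harmless for the literal defaults, but an admin-supplied `rules_file` containing spaces or glob characters triggers pathname expansion against the filesystem for no benefit. Quoting the whole expansion keeps the same fallback chain: `: "${rules_file:=${NFTABLES_SAVE:=/etc/nftables.nft}}"` and `: "${save_on_stop:=${SAVE_ON_STOP:=no}}"`. The neighbouring `save_options` and `enable_forwarding` lines have the same form and could be changed with them.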
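Review bot: The copy in nftables.post-upgrade is guarded by `[ ! -f "$new_file.apk-new" ]`, while the comment above describes the condition as `/etc/nftables.nft` not existing; the comment should state that the `.apk-new` file is (presumably) used as the sign that the admin already had their own `$new_file`, since the packaged file is likely installed before this script runs. When both files exist the script prints nothing further, yet the service will read `$new_file` on its next start while the rules saved under the previous default remain in `$old_file`, so the effective ruleset can change unnoticed; an `elif [ -f "$old_file" ]; then echo "* $old_file is no longer loaded by default, set rules_file or merge it into $new_file" >&2` branch would surface that. The result of `cp -a` is unchecked, so a failed copy silently leaves the packaged rules in place; `cp -a "$old_file" "$new_file" || echo "* Copy failed, $new_file does not contain your rules" >&2` would report it. The block is also gated on `< 0.9.3-r2`, and the APKBUILD diffstat (4 lines, all checksums) shows no pkgrel change, so a system that already installed an earlier 0.9.3-r2 build would skip this migration.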