Diffstat (limited to 'main/nftables/nftables.initd')
-rw-r--r-- | main/nftables/nftables.initd | 152 |
1 files changed, 91 insertions, 61 deletions
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index c763b395dda..5d639d56014 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -1,23 +1,36 @@ #!/sbin/openrc-run -# Copyright 2014 Nicholas Vinson -# Copyright 1999-2014 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -extra_commands="list panic save" -extra_started_commands="reload" +extra_commands="checkconfig panic save" +extra_started_commands="reload reset" description="Manage nftable based firewall." -description_save="Save current nftables rulesets to disk." -description_list="Displays the current nftables ruleset." +description_checkconfig="Check validity of rulesets on disk without applying changes." description_panic="Immediately drop all packets on all interfaces." -description_reload="Clear current rulesets and load rulesets from the saved ruleset files." - -# Uppercase variables are there for backward compatibility. -: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}} -: ${save_options:=${SAVE_OPTIONS:="-n"}} -: ${save_on_stop:=${SAVE_ON_STOP:="yes"}} +description_reload="Clear current rulesets and load rulesets from the ruleset files." +description_save="Save nftables state or ruleset to disk." +description_reset="Reset stateful objects (counters and quotas)." + +# Uppercase variables are there for backward compatibility (Alpine <3.8). +: ${rules_file:=${NFTABLES_SAVE:-"/etc/nftables.nft"}} +: ${save_objects:="ruleset"} # "ruleset" is for backward compatibility (Alpine <3.17) +: ${save_options:=${SAVE_OPTIONS:-}} +: ${save_on_stop:=${SAVE_ON_STOP:-"no"}} : ${enable_forwarding:="no"} +if [ "$save_objects" = 'ruleset' ]; then + : ${save_file:="$rules_file"} +else + : ${save_file:="/var/lib/nftables/state.nft"} +fi + +nft=nft + +# Add ip netns if configured to run in a netns namespace +if [ -n "$netns" ]; then + test -e /run/netns/$netns || ip netns add $netns + nft="ip netns exec $netns $nft" +fi + depend() { need localmount after sysctl 
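Review bot: The netns block added near the end of the hunk runs `ip netns add` at the point the script is sourced, so every invocation of the service (`status`, `checkconfig`, `save`, not only `start`) may create a namespace, and a failure of `ip netns add` is silently ignored so the later `$nft` calls fail with a less useful error. The name is also expanded unquoted in `test -e /run/netns/$netns` and `ip netns add $netns`; it comes from conf.d, so this is admin-controlled input rather than an exploit path, but quoting it costs nothing: `test -e "/run/netns/$netns" || ip netns add "$netns" || ewarn "Failed to create netns '$netns'"`. Separately, the defaults for `rules_file` (now `/etc/nftables.nft`) and `save_on_stop` (now `no`) change for installs that never set them in conf.d; unless the package handles that migration elsewhere, a host with rules only in `/etc/firewall.nft` will fail `checkconfig` after the upgrade and boot without those rules loaded, which deserves a line in the backward-compatibility comment.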
@@ -29,8 +42,41 @@ start_pre() { checkkernel && checkconfig } -list() { - nft list ruleset +start() { + ebegin "Loading nftables rules and starting firewall" + + $nft -f "$rules_file" + eend $? || return 1 + + if yesno "$enable_forwarding"; then + ebegin "Enabling forwarding" + forwarding 1 + eend $? || return 1 + fi +} + +stop() { + if yesno "$save_on_stop"; then + save || return 1 + fi + + if yesno "$enable_forwarding"; then + ebegin "Disabling forwarding" + forwarding 0 + eend $? + fi + + ebegin "Stopping firewall" + $nft flush ruleset + eend $? +} + +reload() { + # This condition is mainly for backward compatibility (Alpine <3.17). + if yesno "$save_on_stop" && [ "$save_objects" != 'ruleset' ]; then + save || return 1 + fi + start } panic() { @@ -41,7 +87,7 @@ panic() { fi ebegin "Dropping all packets" - nft -f /dev/stdin <<-EOF + $nft -f /dev/stdin <<-EOF flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; } 
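Review bot: `reload()` at the end of the hunk calls `start` directly, and `start` itself never flushes the existing ruleset, so unless `$rules_file` begins with `flush ruleset` a reload appends rules to chains that already exist and keeps rules that were deleted from the file; the description "Clear current rulesets and load rulesets" therefore only holds for files that carry their own flush, as the ones written by `save` do. Calling `start` from `reload` also bypasses `start_pre`, so the `nft -c` check in `checkconfig` is skipped on reload. I would add `checkconfig || return 1` before `start` in `reload()` and document above `start()` that the rules file is expected to start with `flush ruleset`, or have `start` issue `$nft flush ruleset` when the file does not contain one. The hunk ends inside the function group; `panic()` continues in the next hunk.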
@@ -52,66 +98,46 @@ panic() { eend $? } -reload() { - start -} - save() { - ebegin "Saving nftables state" - - checkpath -q -d "${rules_file%/*}" - checkpath -q -m 0600 -f "$rules_file" - - local tmp_save="$rules_file.tmp" + [ "$RC_CMD" = 'save' ] && ebegin "Saving nftables state" - echo 'flush ruleset' > "$tmp_save" - nft list ruleset >> "$tmp_save"; local retval=$? + checkpath -q -d "${save_file%/*}" + checkpath -q -m 0600 -F -f "$save_file.tmp" - [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file" + local rc=0 + local type; for type in $save_objects; do + [ "$type" = 'ruleset' ] && echo 'flush ruleset' >> "$save_file.tmp" + $nft $save_options list $type >> "$save_file.tmp" || rc=$? + done - return $retval -} - -start() { - ebegin "Loading nftables state and starting firewall" + [ $rc -eq 0 ] && mv "$save_file.tmp" "$save_file" - nft -f "$rules_file" - eend $? || return 1 + [ "$RC_CMD" = 'save' ] && eend $rc - if yesno "$enable_forwarding"; then - ebegin "Enabling forwarding" - forwarding 1 - eend $? || return 1 - fi + return $rc } -stop() { - if yesno "$save_on_stop"; then - save || return 1 - fi +reset() { + ebegin "Resetting stateful objects" - if yesno "$enable_forwarding"; then - ebegin "Disabling forwarding" - forwarding 0 - eend $? - fi + local rc=0 type + for type in counters quotas; do + $nft reset $type >/dev/null || rc=$? + done - ebegin "Stopping firewall" - nft flush ruleset - eend $? + eend $rc } checkconfig() { if [ ! -f "$rules_file" ]; then - eerror "Not starting nftables. First create some rules then run:" - eerror " rc-service nftables save" + eerror "Rules files $rules_file does not exist!" return 1 fi - return 0 + $nft -c -f "$rules_file" } checkkernel() { - if ! nft list tables >/dev/null 2>&1; then + if ! $nft list tables >/dev/null 2>&1; then eerror "Your kernel lacks nftables support, please load" eerror "appropriate modules and try again." return 1 
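Review bot: In `save()` the exit status of `mv "$save_file.tmp" "$save_file"` is not captured, so a failed rename (read-only filesystem, a directory in the way) leaves `rc=0`, the function reports success and `stop` goes on to flush the ruleset although nothing was saved; when one `nft list` fails the partial `.tmp` file is also left behind. I would write `[ $rc -eq 0 ] && { mv "$save_file.tmp" "$save_file" || rc=$?; }` followed by `[ $rc -eq 0 ] || rm -f "$save_file.tmp"`. The two `checkpath` calls are likewise unchecked, but a failure there shows up as a failed redirection on the `>>` lines and is caught by `|| rc=$?`, so that is acceptable. Minor: the new message in `checkconfig` reads `Rules files $rules_file does not exist!` and should say `Rules file`.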
@@ -120,8 +146,12 @@ checkkernel() { } forwarding() { - /sbin/sysctl -qw \ - net.ipv4.ip_forward=$1 \ - net.ipv6.conf.default.forwarding=$1 \ - net.ipv6.conf.all.forwarding=$1 + /sbin/sysctl -qw net.ipv4.ip_forward=$1 || return 1 + + if /sbin/sysctl -eq net.ipv6.conf.all.forwarding >/dev/null; then + /sbin/sysctl -qw \ + net.ipv6.conf.default.forwarding=$1 \ + net.ipv6.conf.all.forwarding=$1 || return 1 + fi + return 0 } |
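Review bot: `forwarding()` writes `net.ipv4.ip_forward` and `net.ipv6.conf.*.forwarding` with a plain `/sbin/sysctl`, but these keys are per network namespace, so when `netns` is configured (first hunk) it is the init namespace, not the one holding this ruleset, that starts forwarding, which is presumably not what `enable_forwarding` intends. Prefix the call the same way as `nft`, e.g. set `sysctl="ip netns exec $netns /sbin/sysctl"` next to the `nft=` line and use `$sysctl` here. The probe `sysctl -eq net.ipv6.conf.all.forwarding` also depends on the sysctl implementation: busybox returns non-zero for an unknown key regardless of `-e`, whereas procps-ng's `-e` makes an unknown key succeed and the subsequent write then fails, so `[ -e /proc/sys/net/ipv6/conf/all/forwarding ]` (evaluated inside the namespace when one is configured) is the more portable test.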