commit: 5340dc96865d410a32ab4cb9f900bcb88e035600 |
Author: Francisco Blas (klondike) Izquierdo Riera <klondike <AT> gentoo <DOT> org> |
AuthorDate: Tue Jan 15 23:13:18 2019 +0000 |
Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Tue Jan 15 23:20:42 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5340dc96 |
|
net-firewall/nftables: Minor fixes on the script closes #675188 |
|
* Use printf instead of echo for better shell compatibility. |
* Use an include instead of concatenating the ruleset. |
(Note that this is likely to fail if the ruleset path contains |
special characters). |
* Empty the table first when executing panic actions. |
|
Fixes: https://bugs.gentoo.org/675188 |
|
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike <AT> gentoo.org> |
Package-Manager: Portage-2.3.51, Repoman-2.3.11 |
Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org> |
|
net-firewall/nftables/files/libexec/nftables-mk.sh | 7 ++++--- |
.../{nftables-0.9.0-r2.ebuild => nftables-0.9.0-r3.ebuild} | 0 |
2 files changed, 4 insertions(+), 3 deletions(-) |
|
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh |
27 |
index b6ad37867b6..b3d7db60d7f 100644 |
28 |
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh |
29 |
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh |
30 |
@@ -13,7 +13,8 @@ main() { |
31 |
nft ${SAVE_OPTIONS} list ruleset |
32 |
;; |
33 |
"load") |
34 |
- ( echo "flush ruleset;"; cat "${NFTABLES_SAVE}" ) | nft -f - |
35 |
+ # We use an include because cat fails with long rulesets see #675188 |
36 |
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f - |
37 |
;; |
38 |
"panic") |
39 |
panic hard | nft -f - |
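Review bot: The new `load` line interpolates `${NFTABLES_SAVE}` unescaped into an nft double-quoted string, so a path containing `"` or a backslash alters how nft parses the script instead of merely failing, and the change adds no guard for it (the commit message only notes it as a likely failure). I would reject such paths before building the script, e.g. `case "${NFTABLES_SAVE}" in *[\"\\]*) printf '%s\n' "nftables: NFTABLES_SAVE must not contain quotes or backslashes" >&2; return 1 ;; esac`. As far as I recall nft also resolves a non-absolute include name against its include search path rather than the working directory, which the previous `cat` did not do, so an absolute-path check on `NFTABLES_SAVE` or a comment stating that assumption would help. main() starts and ends outside this hunk.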
40 |
@@ -25,8 +26,7 @@ main() { |
41 |
local tmp_save="${NFTABLES_SAVE}.tmp" |
42 |
umask 600; |
43 |
( |
44 |
- echo "#!/sbin/nft -f" |
45 |
- echo "flush ruleset;" |
46 |
+ printf '#!/sbin/nft -f\nflush ruleset\n' |
47 |
nft ${SAVE_OPTIONS} list ruleset |
48 |
) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE} |
49 |
;; |
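Review bot: The save path still runs under `umask 600` (the context line above the new printf), which clears the owner read/write bits rather than group/other, so unless something outside this hunk resets it, `$tmp_save` and therefore `NFTABLES_SAVE` are created mode 066: group- and world-writable, letting any local user tamper with the saved ruleset before the next `load` replays it (presumably as root). The mask intended for a root-only file is `umask 077`. While here, the final `mv ${tmp_save} ${NFTABLES_SAVE}` leaves both paths unquoted; `mv "${tmp_save}" "${NFTABLES_SAVE}"` keeps them intact if the path contains spaces. main() starts and ends outside this hunk.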
50 |
@@ -37,6 +37,7 @@ panic() { |
51 |
local erule; |
52 |
[ "$1" = soft ] && erule="ct state established,related accept;" || erule=""; |
53 |
cat <<EOF |
54 |
+flush ruleset |
55 |
table inet filter { |
56 |
chain input { |
57 |
type filter hook input priority 0; |
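Review bot: The added `flush ruleset` line carries no explanation of why the panic script now clears everything first, and the reason is not obvious from the heredoc alone; I would put a comment right above it, e.g. `# Start from an empty ruleset so tables left from a previous load cannot keep accepting traffic alongside the panic rules` (nft treats `#` lines as comments, so it can live inside the heredoc). As far as I know nft -f applies the whole script as one transaction, so the flush and the drop rules land together with no open window; if confirmed, that is worth stating in the same comment. The heredoc and panic() continue past the end of this hunk.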
58 |
|
59 |
diff --git a/net-firewall/nftables/nftables-0.9.0-r2.ebuild b/net-firewall/nftables/nftables-0.9.0-r3.ebuild |
60 |
similarity index 100% |
61 |
rename from net-firewall/nftables/nftables-0.9.0-r2.ebuild |
62 |
rename to net-firewall/nftables/nftables-0.9.0-r3.ebuild |