| 1 |
williamh 14/08/28 13:25:47 |
| 2 |
|
| 3 |
Modified: nftables.init |
| 4 |
Log: |
| 5 |
revision bump for bug #521232 approved by Manuel Rueger |
| 6 |
|
| 7 |
(Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key 0x30C46538) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.3 net-firewall/nftables/files/nftables.init |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&content-type=text/plain |
| 14 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?r1=1.2&r2=1.3 |
| 15 |
|
| 16 |
Index: nftables.init |
| 17 |
=================================================================== |
| 18 |
RCS file: /var/cvsroot/gentoo-x86/net-firewall/nftables/files/nftables.init,v |
| 19 |
retrieving revision 1.2 |
| 20 |
retrieving revision 1.3 |
| 21 |
diff -u -r1.2 -r1.3 |
| 22 |
--- nftables.init 26 Aug 2014 17:53:54 -0000 1.2 |
| 23 |
+++ nftables.init 28 Aug 2014 13:25:47 -0000 1.3 |
| 24 |
@@ -3,21 +3,17 @@ |
| 25 |
# Copyright 1999-2014 Gentoo Foundation |
| 26 |
# Distributed under the terms of the GNU General Public License v2 |
| 27 |
|
| 28 |
-extra_commands="check clear list panic save" |
| 29 |
+extra_commands="clear list panic save" |
| 30 |
extra_started_commands="reload" |
| 31 |
|
| 32 |
-nftables_name=nftables |
| 33 |
-nft_bin=/sbin/nft |
| 34 |
- |
| 35 |
depend() { |
| 36 |
need localmount #434774 |
| 37 |
before net |
| 38 |
} |
| 39 |
|
| 40 |
checkkernel() { |
| 41 |
- ${nft_bin} list tables &>/dev/null |
| 42 |
- if [ $? -ne 0 ]; then |
| 43 |
- eerror "Your kernel lacks ${nftables_name} support, please load" |
| 44 |
+ if ! nft list tables >/dev/null 2>&1; then |
| 45 |
+ eerror "Your kernel lacks nftables support, please load" |
| 46 |
eerror "appropriate modules and try again." |
| 47 |
return 1 |
| 48 |
fi |
| 49 |
@@ -26,57 +22,39 @@ |
| 50 |
|
| 51 |
checkconfig() { |
| 52 |
if [ ! -f ${NFTABLES_SAVE} ]; then |
| 53 |
- eerror "Not starting ${nftables_name}. First create some rules then run:" |
| 54 |
- eerror "/etc/init.d/${nftables_name} save" |
| 55 |
+ eerror "Not starting nftables. First create some rules then run:" |
| 56 |
+ eerror "rc-service nftables save" |
| 57 |
return 1 |
| 58 |
fi |
| 59 |
return 0 |
| 60 |
} |
| 61 |
|
| 62 |
-checkfamilies() { |
| 63 |
- if [ -n "${families+set}" ]; then |
| 64 |
- return |
| 65 |
- fi |
| 66 |
- |
| 67 |
- families=() |
| 68 |
+getfamilies() { |
| 69 |
+ local families |
| 70 |
for l3f in ip arp ip6 bridge inet; do |
| 71 |
- ${nft_bin} list tables ${l3f} &> /dev/null |
| 72 |
- if [ $? -eq 0 ]; then |
| 73 |
- families+=($l3f) |
| 74 |
- fi |
| 75 |
- done |
| 76 |
-} |
| 77 |
- |
| 78 |
-havefamily() { |
| 79 |
- local i tfamily=$1 |
| 80 |
- checkfamilies |
| 81 |
- |
| 82 |
- for i in ${families[@]}; do |
| 83 |
- if [ $i == $tfamily ]; then |
| 84 |
- return 0 |
| 85 |
+ if nft list tables ${l3f} > /dev/null 2>&1; then |
| 86 |
+ families="${families}${l3f} " |
| 87 |
fi |
| 88 |
done |
| 89 |
- return 1 |
| 90 |
+ echo ${families} |
| 91 |
} |
| 92 |
|
| 93 |
clearNFT() { |
| 94 |
- checkfamilies |
| 95 |
- |
| 96 |
local l3f line table chain |
| 97 |
|
| 98 |
- for l3f in ${families[@]}; do |
| 99 |
- ${nft_bin} list tables ${l3f} | while read line; do |
| 100 |
+ for l3f in $(getfamilies); do |
| 101 |
+ nft list tables ${l3f} | while read line; do |
| 102 |
table=$(echo ${line} | sed "s/table[ \t]*//") |
| 103 |
- ${nft_bin} flush table ${l3f} ${table} |
| 104 |
- ${nft_bin} list table ${l3f} ${table} | while read l; do |
| 105 |
+ nft flush table ${l3f} ${table} |
| 106 |
+ nft list table ${l3f} ${table} | while read l; do |
| 107 |
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\ |
| 108 |
cut -d ' ' -f2) |
| 109 |
if [ -n "${chain}" ]; then |
| 110 |
- ${nft_bin} flush chain ${l3f} ${table} ${chain} |
| 111 |
- ${nft_bin} delete chain ${l3f} ${table} ${chain} |
| 112 |
+ nft flush chain ${l3f} ${table} ${chain} |
| 113 |
+ nft delete chain ${l3f} ${table} ${chain} |
| 114 |
fi |
| 115 |
done |
| 116 |
- ${nft_bin} delete table ${l3f} ${table} |
| 117 |
+ nft delete table ${l3f} ${table} |
| 118 |
done |
| 119 |
done |
| 120 |
} |
| 121 |
@@ -92,22 +70,21 @@ |
| 122 |
nft add rule ${l3f} panic forward drop |
| 123 |
} |
| 124 |
|
| 125 |
-checkrules() { |
| 126 |
- ewarn "Rules not checked as ${nftables_name} does not support this feature." |
| 127 |
- return 0 |
| 128 |
+start_pre() { |
| 129 |
+ checkkernel || return 1 |
| 130 |
+ checkconfig || return 1 |
| 131 |
+ return 0 |
| 132 |
} |
| 133 |
|
| 134 |
start() { |
| 135 |
- checkkernel || return 1 |
| 136 |
- checkconfig || return 1 |
| 137 |
- ebegin "Loading ${nftables_name} state and starting firewall" |
| 138 |
+ ebegin "Loading nftables state and starting firewall" |
| 139 |
clearNFT |
| 140 |
- ${nft_bin} -f ${NFTABLES_SAVE} |
| 141 |
+ nft -f ${NFTABLES_SAVE} |
| 142 |
eend $? |
| 143 |
} |
| 144 |
|
| 145 |
stop() { |
| 146 |
- if [ "${SAVE_ON_STOP}" = "yes" ] ; then |
| 147 |
+ if yesno ${SAVE_ON_STOP:-yes}; then |
| 148 |
save || return 1 |
| 149 |
fi |
| 150 |
|
| 151 |
@@ -125,39 +102,31 @@ |
| 152 |
start |
| 153 |
} |
| 154 |
|
| 155 |
-check() { |
| 156 |
- # Short name for users of init.d script |
| 157 |
- checkrules |
| 158 |
-} |
| 159 |
- |
| 160 |
clear() { |
| 161 |
clearNFT |
| 162 |
} |
| 163 |
|
| 164 |
list() { |
| 165 |
- checkfamilies |
| 166 |
local l3f |
| 167 |
|
| 168 |
- for l3f in ${families[@]}; do |
| 169 |
- ${nft_bin} list tables ${l3f} | while read line; do |
| 170 |
+ for l3f in $(getfamilies); do |
| 171 |
+ nft list tables ${l3f} | while read line; do |
| 172 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
| 173 |
- echo "$(${nft_bin} list ${line})" |
| 174 |
+ echo "$(nft list ${line})" |
| 175 |
done |
| 176 |
done |
| 177 |
} |
| 178 |
|
| 179 |
save() { |
| 180 |
- checkfamilies |
| 181 |
- |
| 182 |
- ebegin "Saving ${nftables_name} state" |
| 183 |
+ ebegin "Saving nftables state" |
| 184 |
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" |
| 185 |
checkpath -q -m 0600 -f "${NFTABLES_SAVE}" |
| 186 |
|
| 187 |
local l3f line tmp_save="${NFTABLES_SAVE}.tmp" |
| 188 |
|
| 189 |
touch "${tmp_save}" |
| 190 |
- for l3f in ${families[@]}; do |
| 191 |
- ${nft_bin} list tables ${l3f} | while read line; do |
| 192 |
+ for l3f in $(getfamilies); do |
| 193 |
+ nft list tables ${l3f} | while read line; do |
| 194 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
| 195 |
# The below substitution fixes an issue where nft -n output may not |
| 196 |
# always be parsable by nft -f. For example, nft -n might print |
| 197 |
@@ -171,7 +140,7 @@ |
| 198 |
# Invalid argument |
| 199 |
# table ip6 filter { |
| 200 |
# ^^ |
| 201 |
- echo "$(${nft_bin} ${SAVE_OPTIONS} list ${line} |\ |
| 202 |
+ echo "$(nft ${SAVE_OPTIONS} list ${line} |\ |
| 203 |
sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" |
| 204 |
done |
| 205 |
done |
| 206 |
@@ -180,15 +149,15 @@ |
| 207 |
|
| 208 |
panic() { |
| 209 |
checkkernel || return 1 |
| 210 |
- if service_started ${nftables_name}; then |
| 211 |
- rc-service ${nftables_name} stop |
| 212 |
+ if service_started ${RC_SVCNAME}; then |
| 213 |
+ rc-service ${RC_SVCNAME} stop |
| 214 |
fi |
| 215 |
|
| 216 |
ebegin "Dropping all packets" |
| 217 |
clearNFT |
| 218 |
|
| 219 |
local l3f |
| 220 |
- for l3f in ${families[@]}; do |
| 221 |
+ for l3f in $(getfamilies); do |
| 222 |
case ${l3f} in |
| 223 |
ip) addpanictable ${l3f} ;; |
| 224 |
ip6) addpanictable ${l3f} ;; |
Archives