williamh 14/08/28 13:25:47 |
|
Modified: nftables.init |
Log: |
revision bump for bug #521232 approved by Manuel Rueger |
|
(Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key 0x30C46538) |
|
Revision Changes Path |
1.3 net-firewall/nftables/files/nftables.init |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?r1=1.2&r2=1.3 |
|
Index: nftables.init |
17 |
=================================================================== |
18 |
RCS file: /var/cvsroot/gentoo-x86/net-firewall/nftables/files/nftables.init,v |
19 |
retrieving revision 1.2 |
20 |
retrieving revision 1.3 |
21 |
diff -u -r1.2 -r1.3 |
22 |
--- nftables.init 26 Aug 2014 17:53:54 -0000 1.2 |
23 |
+++ nftables.init 28 Aug 2014 13:25:47 -0000 1.3 |
24 |
@@ -3,21 +3,17 @@ |
25 |
# Copyright 1999-2014 Gentoo Foundation |
26 |
# Distributed under the terms of the GNU General Public License v2 |
27 |
|
28 |
-extra_commands="check clear list panic save" |
29 |
+extra_commands="clear list panic save" |
30 |
extra_started_commands="reload" |
31 |
|
32 |
-nftables_name=nftables |
33 |
-nft_bin=/sbin/nft |
34 |
- |
35 |
depend() { |
36 |
need localmount #434774 |
37 |
before net |
38 |
} |
39 |
|
40 |
checkkernel() { |
41 |
- ${nft_bin} list tables &>/dev/null |
42 |
- if [ $? -ne 0 ]; then |
43 |
- eerror "Your kernel lacks ${nftables_name} support, please load" |
44 |
+ if ! nft list tables >/dev/null 2>&1; then |
45 |
+ eerror "Your kernel lacks nftables support, please load" |
46 |
eerror "appropriate modules and try again." |
47 |
return 1 |
48 |
fi |
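Review bot: The rewritten `checkkernel` test attributes every `nft list tables` failure to missing kernel support, and with the absolute `/sbin/nft` replaced by a bare `nft` the same branch now also fires when the binary is simply not on the service's PATH, which sends the administrator looking at kernel modules for what is a packaging or PATH problem. Guard the binary before the kernel probe, e.g. `command -v nft >/dev/null 2>&1 || { eerror "nft binary not found in PATH"; return 1; }` placed ahead of the `if`, so the two failure modes produce different messages. `checkkernel` continues past the end of this hunk.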
49 |
@@ -26,57 +22,39 @@ |
50 |
|
51 |
checkconfig() { |
52 |
if [ ! -f ${NFTABLES_SAVE} ]; then |
53 |
- eerror "Not starting ${nftables_name}. First create some rules then run:" |
54 |
- eerror "/etc/init.d/${nftables_name} save" |
55 |
+ eerror "Not starting nftables. First create some rules then run:" |
56 |
+ eerror "rc-service nftables save" |
57 |
return 1 |
58 |
fi |
59 |
return 0 |
60 |
} |
61 |
|
62 |
-checkfamilies() { |
63 |
- if [ -n "${families+set}" ]; then |
64 |
- return |
65 |
- fi |
66 |
- |
67 |
- families=() |
68 |
+getfamilies() { |
69 |
+ local families |
70 |
for l3f in ip arp ip6 bridge inet; do |
71 |
- ${nft_bin} list tables ${l3f} &> /dev/null |
72 |
- if [ $? -eq 0 ]; then |
73 |
- families+=($l3f) |
74 |
- fi |
75 |
- done |
76 |
-} |
77 |
- |
78 |
-havefamily() { |
79 |
- local i tfamily=$1 |
80 |
- checkfamilies |
81 |
- |
82 |
- for i in ${families[@]}; do |
83 |
- if [ $i == $tfamily ]; then |
84 |
- return 0 |
85 |
+ if nft list tables ${l3f} > /dev/null 2>&1; then |
86 |
+ families="${families}${l3f} " |
87 |
fi |
88 |
done |
89 |
- return 1 |
90 |
+ echo ${families} |
91 |
} |
92 |
|
93 |
clearNFT() { |
94 |
- checkfamilies |
95 |
- |
96 |
local l3f line table chain |
97 |
|
98 |
- for l3f in ${families[@]}; do |
99 |
- ${nft_bin} list tables ${l3f} | while read line; do |
100 |
+ for l3f in $(getfamilies); do |
101 |
+ nft list tables ${l3f} | while read line; do |
102 |
table=$(echo ${line} | sed "s/table[ \t]*//") |
103 |
- ${nft_bin} flush table ${l3f} ${table} |
104 |
- ${nft_bin} list table ${l3f} ${table} | while read l; do |
105 |
+ nft flush table ${l3f} ${table} |
106 |
+ nft list table ${l3f} ${table} | while read l; do |
107 |
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\ |
108 |
cut -d ' ' -f2) |
109 |
if [ -n "${chain}" ]; then |
110 |
- ${nft_bin} flush chain ${l3f} ${table} ${chain} |
111 |
- ${nft_bin} delete chain ${l3f} ${table} ${chain} |
112 |
+ nft flush chain ${l3f} ${table} ${chain} |
113 |
+ nft delete chain ${l3f} ${table} ${chain} |
114 |
fi |
115 |
done |
116 |
- ${nft_bin} delete table ${l3f} ${table} |
117 |
+ nft delete table ${l3f} ${table} |
118 |
done |
119 |
done |
120 |
} |
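Review bot: `getfamilies` yields an empty list both when no tables exist and when `nft` itself fails (binary missing, no permission, no kernel support), so its callers — `clearNFT` here, and `list`, `save` and `panic` in the later hunks — treat an nft failure as "nothing to do" and return success; `save` in particular is then left having written nothing but an empty `${NFTABLES_SAVE}.tmp` (what becomes of that file after the loop is outside the visible hunks). The old `checkfamilies` had the same blind spot, so this is not a regression, but now that the function is consumed through `$(getfamilies)` its exit status is discarded as well, so a non-zero return would not help. The cheapest guard is at the caller that persists state: in `save`, `local fams; fams=$(getfamilies); [ -n "${fams}" ] || { eerror "No nftables families found, not saving"; return 1; }` before the loop (whether an empty ruleset should ever be persisted is a judgement call; refusing is the conservative choice for a firewall). Separately, `getfamilies` runs five `nft list tables` probes on every call where the previous code cached the result once, and `start` calls it via `clearNFT` while `stop` calls it via `save` and `clearNFT`; harmless, but a one-line comment above the function saying the probe is intentionally repeated would stop the next reader from "fixing" it.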
121 |
@@ -92,22 +70,21 @@ |
122 |
nft add rule ${l3f} panic forward drop |
123 |
} |
124 |
|
125 |
-checkrules() { |
126 |
- ewarn "Rules not checked as ${nftables_name} does not support this feature." |
127 |
- return 0 |
128 |
+start_pre() { |
129 |
+ checkkernel || return 1 |
130 |
+ checkconfig || return 1 |
131 |
+ return 0 |
132 |
} |
133 |
|
134 |
start() { |
135 |
- checkkernel || return 1 |
136 |
- checkconfig || return 1 |
137 |
- ebegin "Loading ${nftables_name} state and starting firewall" |
138 |
+ ebegin "Loading nftables state and starting firewall" |
139 |
clearNFT |
140 |
- ${nft_bin} -f ${NFTABLES_SAVE} |
141 |
+ nft -f ${NFTABLES_SAVE} |
142 |
eend $? |
143 |
} |
144 |
|
145 |
stop() { |
146 |
- if [ "${SAVE_ON_STOP}" = "yes" ] ; then |
147 |
+ if yesno ${SAVE_ON_STOP:-yes}; then |
148 |
save || return 1 |
149 |
fi |
150 |
|
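Review bot: The new `yesno ${SAVE_ON_STOP:-yes}` silently changes the default: with `SAVE_ON_STOP` unset the old test did not save, the new one does, so a plain `rc-service nftables stop` now overwrites the saved ruleset with whatever is live in the kernel, and nothing in the script says so. Add a comment above the test, `# SAVE_ON_STOP defaults to yes: stopping overwrites ${NFTABLES_SAVE} with the live ruleset; set it to no in the service's conf.d file to keep the saved rules untouched`, and quote the expansion, `if yesno "${SAVE_ON_STOP:-yes}"; then`, so an odd value cannot be word-split into extra arguments. In `start`, `nft -f ${NFTABLES_SAVE}` is unquoted while `save` (next hunk) quotes the same variable throughout; `nft -f "${NFTABLES_SAVE}"` keeps the two consistent. This hunk opens inside `addpanictable` and closes inside `stop`; both functions extend beyond it.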
151 |
@@ -125,39 +102,31 @@ |
152 |
start |
153 |
} |
154 |
|
155 |
-check() { |
156 |
- # Short name for users of init.d script |
157 |
- checkrules |
158 |
-} |
159 |
- |
160 |
clear() { |
161 |
clearNFT |
162 |
} |
163 |
|
164 |
list() { |
165 |
- checkfamilies |
166 |
local l3f |
167 |
|
168 |
- for l3f in ${families[@]}; do |
169 |
- ${nft_bin} list tables ${l3f} | while read line; do |
170 |
+ for l3f in $(getfamilies); do |
171 |
+ nft list tables ${l3f} | while read line; do |
172 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
173 |
- echo "$(${nft_bin} list ${line})" |
174 |
+ echo "$(nft list ${line})" |
175 |
done |
176 |
done |
177 |
} |
178 |
|
179 |
save() { |
180 |
- checkfamilies |
181 |
- |
182 |
- ebegin "Saving ${nftables_name} state" |
183 |
+ ebegin "Saving nftables state" |
184 |
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" |
185 |
checkpath -q -m 0600 -f "${NFTABLES_SAVE}" |
186 |
|
187 |
local l3f line tmp_save="${NFTABLES_SAVE}.tmp" |
188 |
|
189 |
touch "${tmp_save}" |
190 |
- for l3f in ${families[@]}; do |
191 |
- ${nft_bin} list tables ${l3f} | while read line; do |
192 |
+ for l3f in $(getfamilies); do |
193 |
+ nft list tables ${l3f} | while read line; do |
194 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
195 |
# The below substitution fixes an issue where nft -n output may not |
196 |
# always be parsable by nft -f. For example, nft -n might print |
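Review bot: `save` pins the mode of `${NFTABLES_SAVE}` to 0600 with `checkpath -q -m 0600 -f`, but then creates `${tmp_save}` with a plain `touch`, so the live ruleset is first written to a file whose mode comes from the caller's umask; until that file is renamed over the real one (a step outside the visible hunk) the rules may be readable by other local users. Use the same tool for both files: replace `touch "${tmp_save}"` with `checkpath -q -m 0600 -f "${tmp_save}"`. The `start` line at the top of this hunk belongs to a function that begins before it, and `save` continues past the hunk's end.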
197 |
@@ -171,7 +140,7 @@ |
198 |
# Invalid argument |
199 |
# table ip6 filter { |
200 |
# ^^ |
201 |
- echo "$(${nft_bin} ${SAVE_OPTIONS} list ${line} |\ |
202 |
+ echo "$(nft ${SAVE_OPTIONS} list ${line} |\ |
203 |
sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" |
204 |
done |
205 |
done |
206 |
@@ -180,15 +149,15 @@ |
207 |
|
208 |
panic() { |
209 |
checkkernel || return 1 |
210 |
- if service_started ${nftables_name}; then |
211 |
- rc-service ${nftables_name} stop |
212 |
+ if service_started ${RC_SVCNAME}; then |
213 |
+ rc-service ${RC_SVCNAME} stop |
214 |
fi |
215 |
|
216 |
ebegin "Dropping all packets" |
217 |
clearNFT |
218 |
|
219 |
local l3f |
220 |
- for l3f in ${families[@]}; do |
221 |
+ for l3f in $(getfamilies); do |
222 |
case ${l3f} in |
223 |
ip) addpanictable ${l3f} ;; |
224 |
ip6) addpanictable ${l3f} ;; |