commit: bbee7c12baa2b1d85c23f83f2ec18ac535179f43 |
Author: Nicholas Vinson <nvinson234 <AT> gmail <DOT> com> |
AuthorDate: Tue Nov 3 06:00:22 2015 +0000 |
Commit: Ian Delaney <idella4 <AT> gentoo <DOT> org> |
CommitDate: Tue Nov 3 06:11:22 2015 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbee7c12 |
net-firewall/nftables: update nftables.init to use new libexec/nftables.sh |
Package-Manager: portage-2.2.23 |
net-firewall/nftables/files/nftables.init-r2 | 123 +++++++++++++++++++++++++++ |
1 file changed, 123 insertions(+) |
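--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init-r2
@@ -0,0 +1,123 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ /usr/libexec/nftables/nftables.sh clear || return 1
+ return 0
+}
+
+list() {
+ /usr/libexec/nftables/nftables.sh list || return 1
+ return 0
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
+ return $?
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}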
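Review bot: panic() can fail open: the two `if nft create table ... >/dev/null 2>&1; then` guards discard the error and skip the drop-rule load whenever the create fails (for example when `clear` returned non-zero and left a `filter` table in place, since its status is never checked here), and the function ends after `ebegin "Dropping all packets"` with no `eend`, so the caller is told nothing while no traffic is being dropped. Use the idempotent `nft add table ip filter || { eend 1; return 1; }` (and the same for `ip6`), run each `nft -f /dev/stdin` load unconditionally, and close the function with `eend $?` so a failed load is reported and the command exits non-zero. The same fail-open shape is in start(), which flushes the ruleset with `clear` before `nftables.sh load ${NFTABLES_SAVE}` has succeeded, so a bad or unreadable save file leaves the host with no rules at all; at minimum the failure path should say so, and ideally the saved file would be validated before the live ruleset is cleared. Note also that `<<-EOF` strips leading tabs only, so the heredoc bodies and their `EOF` terminators must be tab-indented; the rendered page does not let me confirm whether that holds in the committed file.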