|
Lines 28-64
checkconfig() {
Link Here
|
| 28 |
fi |
28 |
fi |
| 29 |
return 0 |
29 |
return 0 |
| 30 |
} |
30 |
} |
| 31 |
|
31 |
|
| 32 |
getfamilies() { |
32 |
getfamilies() { |
| 33 |
local families |
33 |
echo "ip arp ip6 bridge inet" |
| 34 |
for l3f in ip arp ip6 bridge inet; do |
34 |
} |
| 35 |
if nft list tables ${l3f} > /dev/null 2>&1; then |
35 |
|
| 36 |
families="${families}${l3f} " |
36 |
manualwalk() { |
|
|
37 |
nft list tables | read line |
| 38 |
if [ $(echo $line | wc -w) -lt 3 ]; then |
| 39 |
true |
| 40 |
fi |
| 41 |
false |
| 42 |
} |
| 43 |
|
| 44 |
deletetable() { |
| 45 |
# family is $1 |
| 46 |
# table name is $2 |
| 47 |
nft flush table $1 $2 |
| 48 |
nft list table $1 $2 | while read l; do |
| 49 |
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2) |
| 50 |
if [ -n "${chain}" ]; then |
| 51 |
nft flush chain $1 $2 ${chain} |
| 52 |
nft delete chain $1 $2 ${chain} |
| 37 |
fi |
53 |
fi |
| 38 |
done |
54 |
done |
| 39 |
echo ${families} |
55 |
nft delete table $1 $2 |
| 40 |
} |
56 |
} |
| 41 |
|
57 |
|
| 42 |
clearNFT() { |
58 |
clearNFT() { |
| 43 |
local l3f line table chain |
59 |
local l3f line table chain first_line |
| 44 |
|
60 |
|
| 45 |
for l3f in $(getfamilies); do |
61 |
first_line=1 |
| 46 |
nft list tables ${l3f} | while read line; do |
62 |
if manualwalk; then |
| 47 |
table=$(echo ${line} | sed "s/table[ \t]*//") |
63 |
for l3f in $(getfamilies); do |
| 48 |
nft flush table ${l3f} ${table} |
64 |
nft list tables ${l3f} | while read line; do |
| 49 |
nft list table ${l3f} ${table} | while read l; do |
65 |
table=$(echo ${line} | sed "s/table[ \t]*//") |
| 50 |
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\ |
66 |
deletetable ${l3f} ${table} |
| 51 |
cut -d ' ' -f2) |
|
|
| 52 |
if [ -n "${chain}" ]; then |
| 53 |
nft flush chain ${l3f} ${table} ${chain} |
| 54 |
nft delete chain ${l3f} ${table} ${chain} |
| 55 |
fi |
| 56 |
done |
67 |
done |
| 57 |
nft delete table ${l3f} ${table} |
|
|
| 58 |
done |
68 |
done |
| 59 |
done |
69 |
else |
|
|
70 |
nft list tables | while read line; do |
| 71 |
l3f=$(echo ${line} | cut -d ' ' -f2) |
| 72 |
table=$(echo ${line} | cut -d ' ' -f3) |
| 73 |
deletetable ${l3f} ${table} |
| 74 |
done |
| 75 |
fi |
| 60 |
} |
76 |
} |
| 61 |
|
77 |
|
| 62 |
addpanictable() { |
78 |
addpanictable() { |
| 63 |
local l3f=$1 |
79 |
local l3f=$1 |
| 64 |
nft add table ${l3f} panic |
80 |
nft add table ${l3f} panic |
|
Lines 107-151
clear() {
Link Here
|
| 107 |
} |
123 |
} |
| 108 |
|
124 |
|
| 109 |
list() { |
125 |
list() { |
| 110 |
local l3f |
126 |
local l3f |
| 111 |
|
127 |
|
| 112 |
for l3f in $(getfamilies); do |
128 |
if manualwalk; then |
| 113 |
nft list tables ${l3f} | while read line; do |
129 |
for l3f in $(getfamilies); do |
| 114 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
130 |
nft list tables ${l3f} | while read line; do |
|
|
131 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
| 132 |
echo "$(nft list ${line})" |
| 133 |
done |
| 134 |
done |
| 135 |
else |
| 136 |
nft list tables | while read line; do |
| 115 |
echo "$(nft list ${line})" |
137 |
echo "$(nft list ${line})" |
| 116 |
done |
138 |
done |
| 117 |
done |
139 |
fi |
| 118 |
} |
140 |
} |
| 119 |
|
141 |
|
| 120 |
save() { |
142 |
save() { |
| 121 |
ebegin "Saving nftables state" |
143 |
ebegin "Saving nftables state" |
| 122 |
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" |
144 |
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" |
| 123 |
checkpath -q -m 0600 -f "${NFTABLES_SAVE}" |
145 |
checkpath -q -m 0600 -f "${NFTABLES_SAVE}" |
| 124 |
|
146 |
|
| 125 |
local l3f line tmp_save="${NFTABLES_SAVE}.tmp" |
147 |
local l3f line tmp_save="${NFTABLES_SAVE}.tmp" |
| 126 |
|
148 |
|
| 127 |
touch "${tmp_save}" |
149 |
touch "${tmp_save}" |
| 128 |
for l3f in $(getfamilies); do |
150 |
if manualwalk; then |
| 129 |
nft list tables ${l3f} | while read line; do |
151 |
for l3f in $(getfamilies); do |
| 130 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
152 |
nft list tables ${l3f} | while read line; do |
| 131 |
# The below substitution fixes an issue where nft -n output may not |
153 |
line=$(echo ${line} | sed "s/table/table ${l3f}/") |
| 132 |
# always be parsable by nft -f. For example, nft -n might print |
154 |
# The below substitution fixes an issue where nft -n output may |
| 133 |
# |
155 |
# not always be parsable by nft -f. For example, nft -n might |
| 134 |
# ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept |
156 |
# print |
| 135 |
# |
157 |
# |
| 136 |
# but nft -f refuses to parse that string with error: |
158 |
# ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept |
| 137 |
# |
159 |
# |
| 138 |
# In file included from internal:0:0-0: |
160 |
# but nft -f refuses to parse that string with error: |
| 139 |
# /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule: |
161 |
# |
| 140 |
# Invalid argument |
162 |
# In file included from internal:0:0-0: |
| 141 |
# table ip6 filter { |
163 |
# /var/lib/nftables/rules-save:1:1-2: Error: Could not |
| 142 |
# ^^ |
164 |
# process rule: Invalid argument table ip6 filter { |
|
|
165 |
# ^^ |
| 166 |
echo "$(nft ${SAVE_OPTIONS} list ${line} |\ |
| 167 |
sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" |
| 168 |
done |
| 169 |
done |
| 170 |
else |
| 171 |
nft list tables | while read line; do |
| 143 |
echo "$(nft ${SAVE_OPTIONS} list ${line} |\ |
172 |
echo "$(nft ${SAVE_OPTIONS} list ${line} |\ |
| 144 |
sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" |
173 |
sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" |
| 145 |
done |
174 |
done |
| 146 |
done |
175 |
fi |
| 147 |
mv "${tmp_save}" "${NFTABLES_SAVE}" |
176 |
mv "${tmp_save}" "${NFTABLES_SAVE}" |
| 148 |
} |
177 |
} |
| 149 |
|
178 |
|
| 150 |
panic() { |
179 |
panic() { |
| 151 |
checkkernel || return 1 |
180 |
checkkernel || return 1 |
