From 49eac35941014356d4f1860fd256a2aa6e70c778 Mon Sep 17 00:00:00 2001 From: Nicholas Vinson Date: Thu, 15 Oct 2015 03:09:24 -0400 Subject: [PATCH] Fix for bug 560920 --- net-firewall/nftables/files/nftables.init-r1 | 263 +++++++++++++++++++++++++++ net-firewall/nftables/nftables-0.5-r1.ebuild | 57 ++++++ 2 files changed, 320 insertions(+) create mode 100644 net-firewall/nftables/files/nftables.init-r1 create mode 100644 net-firewall/nftables/nftables-0.5-r1.ebuild diff --git a/net-firewall/nftables/files/nftables.init-r1 b/net-firewall/nftables/files/nftables.init-r1 new file mode 100644 index 0000000..05bb053 --- /dev/null +++ b/net-firewall/nftables/files/nftables.init-r1 @@ -0,0 +1,263 @@ +#!/sbin/runscript +# Copyright 2014 Nicholas Vinson +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="clear list panic save" +extra_started_commands="reload" +depend() { + need localmount #434774 + before net +} + +start_pre() { + checkkernel || return 1 + checkconfig || return 1 + return 0 +} + +clear() { + if use_legacy; then + clear_legacy + return 0 + fi + + nft flush ruleset +} + +list() { + if use_legacy; then + list_legacy + return 0 + fi + + nft list ruleset +} + +panic() { + checkkernel || return 1 + if service_started ${RC_SVCNAME}; then + rc-service ${RC_SVCNAME} stop + fi + + ebegin "Dropping all packets" + clear + if nft create table ip filter >/dev/null 2>&1; then + #nft -f /var/lib/nftables/rules-panic.ip + nft -f /dev/stdin <<-EOF + table ip filter { + chain input { + type filter hook input priority 0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi + if nft create table ip6 filter >/dev/null 2>&1; then + #nft -f /var/lib/nftables/rules-panic.ip6 + nft -f /dev/stdin <<-EOF + table ip6 filter { + chain input { + type filter hook input priority 0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi +} + +reload() { + checkkernel || return 1 + ebegin "Flushing firewall" + clear + start +} + +save() { + ebegin "Saving nftables state" + checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" + checkpath -q -m 0600 -f "${NFTABLES_SAVE}" + + local tmp_save="${NFTABLES_SAVE}.tmp" + + if use_legacy; then + save_legacy ${tmp_save} + else + nft list ruleset > ${tmp_save} + fi + mv ${tmp_save} ${NFTABLES_SAVE} +} + +start() { + ebegin "Loading nftables state and starting firewall" + clear + nft -f ${NFTABLES_SAVE} + eend $? +} + +stop() { + if yesno ${SAVE_ON_STOP:-yes}; then + save || return 1 + fi + + ebegin "Stopping firewall" + clear + eend $? +} + +################################################################################ +# +# SUPPORT FUNCTIONS +# +################################################################################ +checkconfig() { + if [ ! -f ${NFTABLES_SAVE} ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror "rc-service nftables save" + return 1 + fi + return 0 +} + +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +use_legacy() { + local major_ver minor_ver + + major_ver=`uname -r | cut -d '.' -f1` + minor_ver=`uname -r | cut -d '.' -f2` + + [[ $major_ver -ge 4 || $major_ver -eq 3 && $minor_ver -ge 18 ]] && return 1 + return 0 +} + +################################################################################ +# +# LEGACY COMMAND FUNCTIONS +# +################################################################################ + +clear_legacy() { + local l3f line table chain first_line + + first_line=1 + if manualwalk; then + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + table=$(echo ${line} | sed "s/table[ \t]*//") + deletetable ${l3f} ${table} + done + done + else + nft list tables | while read line; do + l3f=$(echo ${line} | cut -d ' ' -f2) + table=$(echo ${line} | cut -d ' ' -f3) + deletetable ${l3f} ${table} + done + fi +} + +list_legacy() { + local l3f + + if manualwalk; then + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + line=$(echo ${line} | sed "s/table/table ${l3f}/") + echo "$(nft list ${line})" + done + done + else + nft list tables | while read line; do + echo "$(nft list ${line})" + done + fi +} + +save_legacy() { + tmp_save=$1 + touch "${tmp_save}" + if manualwalk; then + for l3f in $(getfamilies); do + nft list tables ${l3f} | while read line; do + line=$(echo ${line} | sed "s/table/table ${l3f}/") + nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save} + done + done + else + nft list tables | while read line; do + nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}" + done + fi +} + +################################################################################ +# +# LEGACY SUPPORT FUNCTIONS +# +################################################################################ +CHECK_TABLE_NAME="GENTOO_CHECK_TABLE" + +getfamilies() { + local l3f families + + for l3f in ip arp ip6 bridge inet; do + if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then + families="${families}${l3f} " + nft delete table ${l3f} ${CHECK_TABLE_NAME} + fi + done + echo ${families} +} + +manualwalk() { + local result l3f=`getfamilies | cut -d ' ' -f1` + + nft create table ${l3f} ${CHECK_TABLE_NAME} + nft list tables | read line + if [ $(echo $line | wc -w) -lt 3 ]; then + result=0 + fi + result=1 + nft delete table ${l3f} ${CHECK_TABLE_NAME} + + return $result +} + +deletetable() { + # family is $1 + # table name is $2 + nft flush table $1 $2 + nft list table $1 $2 | while read l; do + chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2) + if [ -n "${chain}" ]; then + nft flush chain $1 $2 ${chain} + nft delete chain $1 $2 ${chain} + fi + done + nft delete table $1 $2 +} + diff --git a/net-firewall/nftables/nftables-0.5-r1.ebuild b/net-firewall/nftables/nftables-0.5-r1.ebuild new file mode 100644 index 0000000..77d1e4e --- /dev/null +++ b/net-firewall/nftables/nftables-0.5-r1.ebuild @@ -0,0 +1,57 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit autotools linux-info eutils + +DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" +HOMEPAGE="http://netfilter.org/projects/nftables/" +SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="debug gmp +readline" + +RDEPEND=">=net-libs/libmnl-1.0.3 + >=net-libs/libnftnl-1.0.5 + gmp? ( dev-libs/gmp ) + readline? ( sys-libs/readline )" +DEPEND="${RDEPEND} + >=app-text/docbook2X-0.8.8-r4 + sys-devel/bison + sys-devel/flex" + +S="${WORKDIR}"/v${PV} + +pkg_setup() { + if kernel_is ge 3 13; then + CONFIG_CHECK="~NF_TABLES" + linux-info_pkg_setup + else + eerror "This package requires kernel version 3.13 or newer to work properly." + fi +} + +src_prepare() { + epatch_user + eautoreconf +} + +src_configure() { + econf \ + --sbindir="${EPREFIX}"/sbin \ + $(use_enable debug) \ + $(use_with readline cli) \ + $(use_with !gmp mini_gmp) +} + +src_install() { + default + + newconfd "${FILESDIR}"/${PN}.confd ${PN} + newinitd "${FILESDIR}"/${PN}.init-r1 ${PN} + keepdir /var/lib/nftables +} -- 2.4.9