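--- a/net-firewall/nftables/files/nftables.init-r2
+++ b/net-firewall/nftables/files/nftables.init-r2
@@ -1 +1,123 @@
-
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+    need localmount #434774
+    before net
+}
+
+start_pre() {
+    checkkernel || return 1
+    checkconfig || return 1
+    return 0
+}
+
+clear() {
+    /usr/libexec/nftables/nftables.sh clear || return 1
+    return 0
+}
+
+list() {
+    /usr/libexec/nftables/nftables.sh list || return 1
+    return 0
+}
+
+panic() {
+    checkkernel || return 1
+    if service_started ${RC_SVCNAME}; then
+        rc-service ${RC_SVCNAME} stop
+    fi
+
+    ebegin "Dropping all packets"
+    clear
+    if nft create table ip filter >/dev/null 2>&1; then
+	nft -f /dev/stdin <<-EOF
+	    table ip filter {
+	                    chain input {
+	                                    type filter hook input priority 0;
+	                                    drop
+	                    }
+	                    chain forward {
+	                                    type filter hook forward priority 0;
+	                                    drop
+	                    }
+	                    chain output {
+	                                    type filter hook output priority 0;
+	                                    drop
+	                    }
+	    }
+	EOF
+    fi
+    if nft create table ip6 filter >/dev/null 2>&1; then
+	nft -f /dev/stdin <<-EOF
+	    table ip6 filter {
+	                    chain input {
+	                                    type filter hook input priority 0;
+	                                    drop
+	                    }
+	                    chain forward {
+	                                    type filter hook forward priority 0;
+	                                    drop
+	                    }
+	                    chain output {
+	                                    type filter hook output priority 0;
+	                                    drop
+	                    }
+	    }
+	EOF
+    fi
+}
+
+reload() {
+    checkkernel || return 1
+    ebegin "Flushing firewall"
+    clear
+    start
+}
+
+save() {
+    ebegin "Saving nftables state"
+    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+    /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
+    return $?
+}
+
+start() {
+    ebegin "Loading nftables state and starting firewall"
+    clear
+    /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
+    eend $?
+}
+
+stop() {
+    if yesno ${SAVE_ON_STOP:-yes}; then
+        save || return 1
+    fi
+
+    ebegin "Stopping firewall"
+    clear
+    eend $?
+}
+
+checkconfig() {
+    if [ ! -f ${NFTABLES_SAVE} ]; then
+        eerror "Not starting nftables.  First create some rules then run:"
+        eerror "rc-service nftables save"
+        return 1
+    fi
+    return 0
+}
+
+checkkernel() {
+    if ! nft list tables >/dev/null 2>&1; then
+        eerror "Your kernel lacks nftables support, please load"
+        eerror "appropriate modules and try again."
+        return 1
+    fi
+    return 0
+}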
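Review bot: panic() fails open: when `nft create table ip filter` returns non-zero — the table still exists because `clear` did not remove it, or nft errored — the `if` guard silently skips the drop rules, so the service prints "Dropping all packets" and returns success with traffic still flowing; the same guard is repeated for the ip6 table, and the `clear` call just before it is not checked either. A table declaration fed to `nft -f` adds to an existing table rather than failing, so the guard can go, and each load should be checked and reported with `eend`, which is also missing after the `ebegin` in panic(), reload() and save(). A second, smaller problem is that checkconfig() tests `[ ! -f ${NFTABLES_SAVE} ]` unquoted, so an unset or empty NFTABLES_SAVE passes the check and start() goes on to load an empty path; quote it as `if [ ! -f "${NFTABLES_SAVE}" ]; then`.
```shell
    ebegin "Dropping all packets"
    clear || { eend 1; return 1; }
    for fam in ip ip6; do
        nft -f /dev/stdin <<-EOF || { eend 1; return 1; }
	table ${fam} filter {
		chain input   { type filter hook input   priority 0; policy drop; }
		chain forward { type filter hook forward priority 0; policy drop; }
		chain output  { type filter hook output  priority 0; policy drop; }
	}
	EOF
    done
    eend 0
```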
