mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-01-18 07:02:29 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/main/nftables/nftables.initd
Jakub Jirutka 286fad13ea main/nftables: fix wrong variable in runscript
2018-04-01 21:34:20 +02:00

128 lines
2.6 KiB
Plaintext
Raw Blame History

#!/sbin/openrc-run
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="list panic save"
extra_started_commands="reload"
description="Manage nftable based firewall."
description_save="Save current nftables rulesets to disk."
description_list="Displays the current nftables ruleset."
description_panic="Immediately drop all packets on all interfaces."
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
# Uppercase variables are there for backward compatibility.
: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
: ${save_options:=${SAVE_OPTIONS:="-n"}}
: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
: ${enable_forwarding:="no"}
depend() {
need localmount
after sysctl
before net
provide firewall
}
start_pre() {
checkkernel && checkconfig
}
list() {
nft list ruleset
}
panic() {
checkkernel || return 1
if service_started "$RC_SVCNAME"; then
rc-service "$RC_SVCNAME" stop
fi
ebegin "Dropping all packets"
nft -f /dev/stdin <<-EOF
flush ruleset
table inet filter {
chain input { type filter hook input priority 0; policy drop; }
chain forward { type filter hook forward priority 0; policy drop; }
chain output { type filter hook output priority 0; policy drop; }
}
EOF
eend $?
}
reload() {
start
}
save() {
ebegin "Saving nftables state"
checkpath -q -d "${rules_file%/*}"
checkpath -q -m 0600 -f "$rules_file"
local tmp_save="$rules_file.tmp"
echo 'flush ruleset' > "$tmp_save"
nft list ruleset >> "$tmp_save"; local retval=$?
[ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
return $retval
}
start() {
ebegin "Loading nftables state and starting firewall"
nft -f "$rules_file"
eend $? || return 1
if yesno "$enable_forwarding"; then
ebegin "Enabling forwarding"
forwarding 1
eend $? || return 1
fi
}
stop() {
if yesno "$save_on_stop"; then
save || return 1
fi
if yesno "$enable_forwarding"; then
ebegin "Disabling forwarding"
forwarding 0
eend $?
fi
ebegin "Stopping firewall"
nft flush ruleset
eend $?
}
checkconfig() {
if [ ! -f "$rules_file" ]; then
eerror "Not starting nftables. First create some rules then run:"
eerror " rc-service nftables save"
return 1
fi
return 0
}
checkkernel() {
if ! nft list tables >/dev/null 2>&1; then
eerror "Your kernel lacks nftables support, please load"
eerror "appropriate modules and try again."
return 1
fi
return 0
}
forwarding() {
/sbin/sysctl -qw \
net.ipv4.ip_forward=$1 \
net.ipv6.conf.default.forwarding=$1 \
net.ipv6.conf.all.forwarding=$1
}
Reference in New Issue View Git Blame Copy Permalink