- Tidy up panic function to a single inet (combined ip and ipv6) table. - Use policy drop for each chain in the panic function instead of a drop rule. This way a user could manually add in rules later allowing explicit access. - Instead of a clear function, include 'flush ruleset' in the output of the save function. This way loading the saved rulesets is fully atomic, instead of two commands. - Stop is the only function that needs to be able to flush ruleset, so run 'nft flush ruleset' directly, and remove the clear function.
#!/sbin/openrc-run
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# Commands offered in addition to the standard start/stop.
extra_commands='list panic save'
# Commands that are only offered while the service is in the started state.
extra_started_commands='reload'

# Descriptions shown by `rc-service nftables describe`.
description='Manage nftable based firewall.'
description_list='Displays the current nftables ruleset.'
description_panic='Immediately drop all packets on all interfaces.'
description_save='Save current nftables rulesets to disk.'
description_reload='Clear current rulesets and load rulesets from the saved ruleset files.'
# OpenRC dependency declaration: the firewall is brought up before any
# network interface, and only once local filesystems are mounted.
depend() {
	before net
	need localmount #434774
}
# Pre-start checks: kernel support and presence of the saved ruleset.
# Each check prints its own error; the first failing one aborts with 1.
start_pre() {
	local check
	for check in checkkernel checkconfig; do
		"${check}" || return 1
	done
	return 0
}
# Print the live ruleset.  Delegates to nft; the exit status is
# normalised to 0 on success and 1 on any failure.
list() {
	if nft list ruleset; then
		return 0
	fi
	return 1
}
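# Replace the live ruleset with one that drops everything.
#
# A started service is stopped first, which (see stop()) also persists the
# current rules, so they can be restored with `start` later.  Returns 1 if
# the kernel has no nftables support, otherwise the status of the nft load.
panic() {
	checkkernel || return 1

	if service_started "${RC_SVCNAME}"; then
		rc-service "${RC_SVCNAME}" stop
	fi

	ebegin "Dropping all packets"
	# One inet table covers IPv4 and IPv6 alike.  The base chains use
	# policy drop rather than an explicit drop rule, so an operator can
	# later add rules allowing specific traffic without rewriting the
	# table.  Note that this also drops loopback traffic.  The flush and
	# the new table go through a single nft run, so the swap is atomic.
	# The delimiter is quoted: nothing in the body is meant to be expanded.
	nft -f /dev/stdin <<-'EOF'
		flush ruleset
		table inet filter {
			chain input { type filter hook input priority 0; policy drop; }
			chain forward { type filter hook forward priority 0; policy drop; }
			chain output { type filter hook output priority 0; policy drop; }
		}
	EOF
	eend $?
}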
# Reload is the same as start: the file written by save() begins with
# 'flush ruleset', so start() replaces the live ruleset in one nft run.
# NOTE(review): a hand-edited save file that lacks that first line would be
# merged into the live ruleset instead of replacing it — confirm this is
# acceptable.
reload() {
	start
}
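# Dump the live ruleset to NFTABLES_SAVE, prefixed with 'flush ruleset' so
# that loading the file later replaces the live ruleset atomically.
#
# The dump goes to a temporary file first and is moved into place only if
# nft succeeded, so a failed dump never clobbers the previous save.
# Returns 0 on success, otherwise the failing nft or mv status.
save() {
	local tmp_save retval
	ebegin "Saving nftables state"
	checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
	checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
	tmp_save="${NFTABLES_SAVE}.tmp"
	# mv keeps the mode of the temporary file, not of the file it replaces,
	# so the temporary file must be created 0600 as well; writing it under
	# the default umask would leave the saved ruleset readable by others.
	checkpath -q -m 0600 -f "${tmp_save}"
	{
		echo 'flush ruleset'
		nft list ruleset
	} > "${tmp_save}"
	retval=$?
	# Compare numerically: a bare [ "${retval}" ] is true for any non-empty
	# string, including a failure status, and would move a bad dump into place.
	if [ "${retval}" -eq 0 ]; then
		mv "${tmp_save}" "${NFTABLES_SAVE}"
		retval=$?
	else
		rm -f "${tmp_save}"
	fi
	eend "${retval}"
	return "${retval}"
}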
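# Load the saved ruleset.  The file written by save() starts with
# 'flush ruleset', so a single nft run replaces whatever is currently
# loaded instead of appending to it.  Returns the nft exit status.
start() {
	ebegin "Loading nftables state and starting firewall"
	nft -f "${NFTABLES_SAVE}"
	eend $?
}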
# Persist the live ruleset (unless SAVE_ON_STOP is set to no) and then
# remove every table.  A failed save aborts the stop with 1 so that the
# rules are not lost; otherwise returns the status of the flush.
stop() {
	if yesno "${SAVE_ON_STOP:-yes}"; then
		if ! save; then
			return 1
		fi
	fi

	ebegin "Stopping firewall"
	nft flush ruleset
	eend $?
}
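# Verify that a saved ruleset exists.  Returns 0 if NFTABLES_SAVE names a
# regular file, otherwise prints a hint and returns 1.
checkconfig() {
	# Quoted so that an unset or empty NFTABLES_SAVE is rejected here
	# rather than surfacing later as a failed nft -f in start().
	if [ ! -f "${NFTABLES_SAVE}" ]; then
		eerror "Not starting nftables. First create some rules then run:"
		eerror "rc-service nftables save"
		return 1
	fi
	return 0
}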
# Probe for nftables support by asking the kernel for its table list.
# Returns 0 when the probe succeeds, otherwise prints a hint and returns 1.
checkkernel() {
	nft list tables >/dev/null 2>&1 && return 0
	eerror "Your kernel lacks nftables support, please load"
	eerror "appropriate modules and try again."
	return 1
}