mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 15:01:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

net-firewall/nftables: Container Linux fixups

Browse Source 
- Stabilize
- docbook2X isn't needed unless we're installing docs
- Don't ship automatic save/restore infrastructure for now
- Move base config files into /usr/share/nftables
This commit is contained in:
Benjamin Gilbert 2017-07-25 15:40:21 -07:00
parent ee90e8feb3
commit e299a9454a
7 changed files with 3 additions and 433 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest vendored
View File

@ -1,13 +1 @@
AUX libexec/nftables.sh 3643 SHA256 8f8ca76bc1f77d09b1198e144479cd8cf7f50cf787317522ac6c1978ca9b7e6b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352 WHIRLPOOL d3ea74671d3686af9e70a22bf727b9f64ab735cd63270ca283013fc1ba0cad6750ca82127e968f028b65dfe905aeb6275b4e9c295a43f5c8dfe2a7b815a66c44
AUX nftables-0.5-pdf-doc.patch 1663 SHA256 c55698efb6f40085f1037b12706ca5ab8ba551b8af3902b16ac2cbfc922607c2 SHA512 1925ba300068155ec38ed0631eea0bab1e17ac0b4b454b6f5bf6548961b0264dfd9c9be27e697b8fd7db1827cc670a132c3a716d0874535e29ddb696d1a3eedc WHIRLPOOL c8ea06f6dbbc8c2e4acfaf9ec082647b1ae4288c818d48b47e0b2f5c0cbc7bc6b924b93981b1dd6991923375ffa66a1733988a66ec001d87114962824ee4907f
AUX nftables-0.6-null-payload-desc-fix.patch 411 SHA256 28bcb66a4d46cb1cb20376f38efb2d95d92983a1417cb500a4351870524c3bfe SHA512 034bfa338ef52b722df8441ab981f45c4eeb88c0d65aa4fcdbee1d17df93c7c3239786351632ccadada08ecae796d366b994bd3c20f576a853885517d4de6116 WHIRLPOOL d0b0ab1051bcdbc734f44fa361781babebfb052daf783bb0e0268d2c3d25f962d4e6f13bf141fcfe46701127c46f104b1740fc48e84266326e9a20553945bcc8
AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f
AUX nftables.init 3069 SHA256 be1f1628305b5989ef9de2b95aa4e6201f067eb1f32cd92bba6db6f27f4f325f SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661 WHIRLPOOL 95aebd414c91f3a1e31e241c3d5b83bc998ff5e516c3b6d14b45c0e8bbbb39aba8435f602bc21f7591ef0f6aa71fd01ceb7f08cdab731723478b2a9fb7640c2a
AUX systemd/nftables-restore.service 394 SHA256 ec9ca69ca916e0739de2eb229c8fee2a65a551a97886c4c0a69c35776f3f1c95 SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 WHIRLPOOL 67eb5b72e81ca66ba079ffd3b574fd21d3ac3cb9fc3d4a3986b1b5543e4059adbdb633b432fa1bb71208a48b4e2eda425d1a09e4b853b7c555d48e8da2b92ded
DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874 DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874
DIST nftables-0.7.tar.gz 292652 SHA256 192c9d92ee0c56eded599d1c54b0d68f4d9b0286f3d908579f0b9271aeba432f SHA512 6032720abf3af8a6dc0b4f507c6ae970447f504d59db4a34b2e0eea3c59962bc69d9ebfaa4e26a117747eb9d0224716a9709b96551b5479d914d7498f26ed43a WHIRLPOOL a999e85370bd9241daf015849ecdf5955f87a2d65f5525a6e75e9eda1bb87e1a84123c42e95f16c4469873a682409fea2ccc65a3af84a107b62d8c2a5727343d
EBUILD nftables-0.6-r4.ebuild 2116 SHA256 81001d2c20ee1ca27bf40f397be44d2e830d9fdd48d4ea4b6aa7495d45b8db7b SHA512 4c1a3420d9d228ff1925d91ee0bdd285995b7d06b59453863e5b5fef12813c6f58d8487a10c880c313a328be79e69b49147f0a5c73e07554d665ff24ffe1f265 WHIRLPOOL 3486ed76af507f4a49e8a203d7bf4544b244319c803e272db2b59fb6d7aa53900f8b9e8146de99b2dce41372cf9cd6d03075fbd4577c5b38ba642a2f628c18c8
EBUILD nftables-0.7.ebuild 2002 SHA256 c909b988d5ddde8cf9365667b8bd5d27314be4bb9a972ce651bc416d6739c33f SHA512 0b6efeee42b09b861a27fb11cf02b2096f5e66f8e80f92d8ed97bfeeabb8fe532b068761ffbadf7603cc6095ddd81abe313dd6f581b0719239411f740a0131bf WHIRLPOOL 2bee002b52161664bdd17ae47558b8a723ec603ab0c3c19454685a2511cd9e62d543db7007c0f64eeb35fef20a5b7edf119e8dfb8be852c2368861a95920ee29
MISC ChangeLog 9200 SHA256 2dab66ea101a22a52b3f2cee4afbfa6dbb2545da809a22cbb10ef9341e08f25e SHA512 cf2cf5c185447f5adaf7f1c7be119f1d13e009f450e2e632234b23b132fb478defda597f09ce492aa7f1c846d2c34f2cf7e6f87b450e7713a843e21a09480e79 WHIRLPOOL 25f4c0eb5d2b5d4492636b6c4c5892e68ed6be83b8d8606785c2c583c91d9429dca75014c196d3f991e78b8e97968b526c83d0bc9277b3ab8c8fd919f1592bf3
MISC ChangeLog-2015 1919 SHA256 36e610e38e898312082803dcc832cf1b808ff8f450e89f73610c8517cea6e045 SHA512 bb7cff250e90ba78e9e47692ddf126056d5d2b50cce7c3442de3b129ff00272e8b0ae2181f4898f424aac506783e4f978a5f2f1228827d3583402396a518e03b WHIRLPOOL b045fb1f27d640ad01b2fa3b28ba12df8d540b6b86657205d3a3bae303da17ccc5f09f441405579f662360200d98e45724b8f3cd579d55d21d82734545f9d98d
MISC metadata.xml 363 SHA256 e42199977ccd7d8c42f737be6748733b9aedeb201c810c2487ecf37763ec3eb9 SHA512 32abec1750df9b486d5c74e81aaafd7386ae793a2046635cdcab24debf51ca1c8f6b9733fe7f5d04934751ce3086251bb973e6e88b6c5ff96c902f1825dad07c WHIRLPOOL c0fb5f41754b8a54efcc750f72497175aa67d68b32146a7dcc8170a4565a429a4fa8c16e21a68ca5169440a93ba264744b1011cd6507a3c808ef0550b043bb6c

149
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh vendored
View File

@ -1,149 +0,0 @@
#! /bin/sh
main() {
local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
local retval
case "$1" in
"clear")
if ! use_legacy; then
nft flush ruleset
else
clear_legacy
fi
retval=$?
;;
"list")
if ! use_legacy; then
nft list ruleset
else
list_legacy
fi
retval=$?
;;
"load")
nft -f ${NFTABLES_SAVE}
retval=$?
;;
"store")
local tmp_save="${NFTABLES_SAVE}.tmp"
if ! use_legacy; then
nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
else
save_legacy ${tmp_save}
fi
retval=$?
if [ ${retval} ]; then
mv ${tmp_save} ${NFTABLES_SAVE}
fi
;;
esac
return ${retval}
}
clear_legacy() {
local l3f line table chain first_line
first_line=1
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
table=$(echo ${line} | sed "s/table[ \t]*//")
deletetable ${l3f} ${table}
done
done
else
nft list tables | while read line; do
l3f=$(echo ${line} | cut -d ' ' -f2)
table=$(echo ${line} | cut -d ' ' -f3)
deletetable ${l3f} ${table}
done
fi
}
list_legacy() {
local l3f
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
line=$(echo ${line} | sed "s/table/table ${l3f}/")
echo "$(nft list ${line})"
done
done
else
nft list tables | while read line; do
echo "$(nft list ${line})"
done
fi
}
save_legacy() {
tmp_save=$1
touch "${tmp_save}"
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
line=$(echo ${line} | sed "s/table/table ${l3f}/")
nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
done
done
else
nft list tables | while read line; do
nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
done
fi
}
use_legacy() {
local major_ver minor_ver
major_ver=$(uname -r | cut -d '.' -f1)
minor_ver=$(uname -r | cut -d '.' -f2)
[ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
return 0
}
CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
getfamilies() {
local l3f families
for l3f in ip arp ip6 bridge inet; do
if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
families="${families}${l3f} "
nft delete table ${l3f} ${CHECK_TABLE_NAME}
fi
done
echo ${families}
}
manualwalk() {
local result l3f=`getfamilies | cut -d ' ' -f1`
nft create table ${l3f} ${CHECK_TABLE_NAME}
nft list tables | read line
if [ $(echo $line | wc -w) -lt 3 ]; then
result=0
fi
result=1
nft delete table ${l3f} ${CHECK_TABLE_NAME}
return $result
}
deletetable() {
# family is $1
# table name is $2
nft flush table $1 $2
nft list table $1 $2 | while read l; do
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
if [ -n "${chain}" ]; then
nft flush chain $1 $2 ${chain}
nft delete chain $1 $2 ${chain}
fi
done
nft delete table $1 $2
}
main "$@"

19
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd vendored
View File

@ -1,19 +0,0 @@
# /etc/conf.d/nftables
# Location in which nftables initscript will save set rules on
# service shutdown
NFTABLES_SAVE="/var/lib/nftables/rules-save"
# Options to pass to nft on save
SAVE_OPTIONS="-n"
# Save state on stopping nftables
SAVE_ON_STOP="yes"
# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
#rc_use="logger"

124
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init vendored
View File

@ -1,124 +0,0 @@
#!/sbin/openrc-run
# Copyright 2014-2017 Nicholas Vinson
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="clear list panic save"
extra_started_commands="reload"
depend() {
need localmount #434774
before net
}
start_pre() {
checkkernel || return 1
checkconfig || return 1
return 0
}
clear() {
/usr/libexec/nftables/nftables.sh clear || return 1
return 0
}
list() {
/usr/libexec/nftables/nftables.sh list || return 1
return 0
}
panic() {
checkkernel || return 1
if service_started ${RC_SVCNAME}; then
rc-service ${RC_SVCNAME} stop
fi
ebegin "Dropping all packets"
clear
if nft create table ip filter >/dev/null 2>&1; then
nft -f /dev/stdin <<-EOF
table ip filter {
chain input {
type filter hook input priority 0;
drop
}
chain forward {
type filter hook forward priority 0;
drop
}
chain output {
type filter hook output priority 0;
drop
}
}
EOF
fi
if nft create table ip6 filter >/dev/null 2>&1; then
nft -f /dev/stdin <<-EOF
table ip6 filter {
chain input {
type filter hook input priority 0;
drop
}
chain forward {
type filter hook forward priority 0;
drop
}
chain output {
type filter hook output priority 0;
drop
}
}
EOF
fi
}
reload() {
checkkernel || return 1
ebegin "Flushing firewall"
clear
start
}
save() {
ebegin "Saving nftables state"
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
export SAVE_OPTIONS
/usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
return $?
}
start() {
ebegin "Loading nftables state and starting firewall"
clear
/usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
eend $?
}
stop() {
if yesno ${SAVE_ON_STOP:-yes}; then
save || return 1
fi
ebegin "Stopping firewall"
clear
eend $?
}
checkconfig() {
if [ ! -f ${NFTABLES_SAVE} ]; then
eerror "Not starting nftables. First create some rules then run:"
eerror "rc-service nftables save"
return 1
fi
return 0
}
checkkernel() {
if ! nft list tables >/dev/null 2>&1; then
eerror "Your kernel lacks nftables support, please load"
eerror "appropriate modules and try again."
return 1
fi
return 0
}

14
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service vendored
View File

@ -1,14 +0,0 @@
[Unit]
Description=Store and restore nftables firewall rules
ConditionPathExists=/var/lib/nftables/rules-save
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
[Install]
WantedBy=basic.target

36
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild vendored
View File

@ -11,7 +11,7 @@ SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz
LICENSE="GPL-2" LICENSE="GPL-2"
SLOT="0" SLOT="0"
KEYWORDS="~amd64 ~arm ~x86" KEYWORDS="amd64 arm64 ~arm ~x86"
IUSE="debug doc gmp +readline xml" IUSE="debug doc gmp +readline xml"
RDEPEND=">=net-libs/libmnl-1.0.3 RDEPEND=">=net-libs/libmnl-1.0.3
@ -20,8 +20,7 @@ RDEPEND=">=net-libs/libmnl-1.0.3
>=net-libs/libnftnl-1.0.6[xml(-)?] >=net-libs/libnftnl-1.0.6[xml(-)?]
" "
DEPEND="${RDEPEND} DEPEND="${RDEPEND}
>=app-text/docbook2X-0.8.8-r4 doc? ( >=app-text/docbook2X-0.8.8-r4 >=app-text/dblatex-0.3.7 )
doc? ( >=app-text/dblatex-0.3.7 )
sys-devel/bison sys-devel/bison
sys-devel/flex sys-devel/flex
virtual/pkgconfig" virtual/pkgconfig"
@ -49,39 +48,10 @@ src_prepare() {
src_configure() { src_configure() {
econf \ econf \
--sysconfdir="${EPREFIX}"/usr/share \
--sbindir="${EPREFIX}"/sbin \ --sbindir="${EPREFIX}"/sbin \
$(use_enable doc pdf-doc) \ $(use_enable doc pdf-doc) \
$(use_enable debug) \ $(use_enable debug) \
$(use_with readline cli) \ $(use_with readline cli) \
$(use_with !gmp mini_gmp) $(use_with !gmp mini_gmp)
} }
src_install() {
default
dodir /usr/libexec/${PN}
exeinto /usr/libexec/${PN}
doexe "${FILESDIR}"/libexec/${PN}.sh
newconfd "${FILESDIR}"/${PN}.confd ${PN}
newinitd "${FILESDIR}"/${PN}.init ${PN}
keepdir /var/lib/nftables
systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
systemd_enable_service basic.target ${PN}-restore.service
}
pkg_postinst() {
local save_file
save_file="${EROOT%/}/var/lib/nftables/rules-save"
elog "In order for the nftables-restore systemd service to start, "
elog "the file, ${save_file}, must exist. To create this "
elog "file run the following command: "
elog ""
elog " touch '${save_file}'"
elog ""
elog "Afterwards, the nftables-restore service should be manually started "
elog "to ensure firewall changes are stored on system shutdown. The "
elog "systemd service will function normally thereafter."
}

82
sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild vendored
View File

@ -1,82 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit autotools linux-info systemd
DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
HOMEPAGE="http://netfilter.org/projects/nftables/"
SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~amd64 ~arm ~x86"
IUSE="debug doc gmp +readline"
RDEPEND=">=net-libs/libmnl-1.0.3
gmp? ( dev-libs/gmp:0= )
readline? ( sys-libs/readline:0= )
>=net-libs/libnftnl-1.0.7"
DEPEND="${RDEPEND}
>=app-text/docbook2X-0.8.8-r4
doc? ( >=app-text/dblatex-0.3.7 )
sys-devel/bison
sys-devel/flex
virtual/pkgconfig"
S="${WORKDIR}/v${PV}"
pkg_setup() {
if kernel_is ge 3 13; then
CONFIG_CHECK="~NF_TABLES"
linux-info_pkg_setup
else
eerror "This package requires kernel version 3.13 or newer to work properly."
fi
}
src_prepare() {
default
eautoreconf
}
src_configure() {
econf \
--sbindir="${EPREFIX}"/sbin \
$(use_enable doc pdf-doc) \
$(use_enable debug) \
$(use_with readline cli) \
$(use_with !gmp mini_gmp)
}
src_install() {
default
dodir /usr/libexec/${PN}
exeinto /usr/libexec/${PN}
doexe "${FILESDIR}"/libexec/${PN}.sh
newconfd "${FILESDIR}"/${PN}.confd ${PN}
newinitd "${FILESDIR}"/${PN}.init ${PN}
keepdir /var/lib/nftables
systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
systemd_enable_service basic.target ${PN}-restore.service
}
pkg_postinst() {
local save_file
save_file="${EROOT%/}/var/lib/nftables/rules-save"
elog "In order for the nftables-restore systemd service to start, "
elog "the file, ${save_file}, must exist. To create this "
elog "file run the following command: "
elog ""
elog " touch '${save_file}'"
elog ""
elog "Afterwards, the nftables-restore service should be manually started "
elog "to ensure firewall changes are stored on system shutdown. The "
elog "systemd service will function normally thereafter."
}