-rw-r--r-- | nonsystemd/iptables-openrc/PKGBUILD | 39 | ||||
-rw-r--r-- | nonsystemd/iptables-openrc/ebtables.confd | 11 | ||||
-rw-r--r-- | nonsystemd/iptables-openrc/ebtables.initd | 101 | ||||
-rw-r--r-- | nonsystemd/iptables-openrc/ip6tables.confd | 27 | ||||
-rw-r--r-- | nonsystemd/iptables-openrc/iptables.confd | 19 | ||||
-rw-r--r-- | nonsystemd/iptables-openrc/iptables.initd | 165 |
6 files changed, 362 insertions, 0 deletions
diff --git a/nonsystemd/iptables-openrc/PKGBUILD b/nonsystemd/iptables-openrc/PKGBUILD
new file mode 100644
index 000000000..f60aa9793
--- /dev/null
+++ b/nonsystemd/iptables-openrc/PKGBUILD
@@ -0,0 +1,39 @@
+# Maintainer: David P. <megver83@parabola.nu>
+# Maintainer (Artix): artoo <artoo@artixlinux.org>
+
+pkgname=iptables-openrc
+pkgver=20210505
+pkgrel=2
+pkgdesc="OpenRC iptables init script"
+arch=('any')
+url="https://gitea.artixlinux.org/artixlinux/packagesI/iptables-openrc"
+license=('GPL2')
+groups=('openrc-system')
+provides=('init-iptables' 'ebtables-openrc')
+conflicts=('init-iptables' 'ebtables-openrc')
+backup=('etc/conf.d/iptables'
+ 'etc/conf.d/ip6tables')
+source=("iptables.confd"
+ "ip6tables.confd"
+ "iptables.initd"
+ "ebtables.confd"
+ "ebtables.initd")
+sha256sums=('7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6'
+ 'c1f5bb4ea36bb7c0a7b7abeb8169cb8547f43d348faef70c61f2daa9033c318b'
+ 'e5c6164a0ffa24501d5b3fa6425f0e24a2da73891b4dd62a25b083f9f5b731af'
+ 'c05a6c1ba6add3881068584074681b04bfb2ad43284d7bdd67f47f3da842de58'
+ '6eb00de3cf18f36f909cb95f1aa345de16d1cd9c8b92acb944691ac720bf3cb5')
+
+package() {
+ depends=('openrc' 'iptables')
+
+ for f in iptables ebtables; do
+ install -Dm755 "${srcdir}"/"$f".initd "${pkgdir}"/etc/init.d/"$f"
+ install -Dm644 "${srcdir}"/"$f".confd "${pkgdir}"/etc/conf.d/"$f"
+ done
+
+ install -Dm644 "${srcdir}"/ip6tables.confd "${pkgdir}"/etc/conf.d/ip6tables
+
+ install -Dm755 "${srcdir}"/iptables.initd "${pkgdir}"/etc/init.d/ip6tables
+
+}
diff --git a/nonsystemd/iptables-openrc/ebtables.confd b/nonsystemd/iptables-openrc/ebtables.confd
new file mode 100644
index 000000000..645b26eda
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ebtables.confd
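Review bot: The `backup` array names `etc/conf.d/iptables` and `etc/conf.d/ip6tables` but not `etc/conf.d/ebtables`, although the loop in `package()` installs that file too, so a locally edited `EBTABLES_SAVE` or `SAVE_ON_STOP` would be overwritten on upgrade instead of leaving a `.pacnew`; add `'etc/conf.d/ebtables'` to `backup`. Separately, the package `provides` `ebtables-openrc` and installs `/etc/init.d/ebtables`, yet `depends` lists only `openrc` and `iptables`, so the ebtables service can be enabled on a system where `/sbin/ebtables` is absent and fail at start; an `optdepends` entry for the ebtables package (or adding it to `depends`) would make that requirement explicit.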
@@ -0,0 +1,11 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
diff --git a/nonsystemd/iptables-openrc/ebtables.initd b/nonsystemd/iptables-openrc/ebtables.initd
new file mode 100644
index 000000000..660876011
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ebtables.initd
@@ -0,0 +1,101 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+
+depend() {
+ before net
+ use logger
+}
+
+ebtables_tables() {
+ for table in filter nat broute; do
+ if ${ebtables_bin} -t ${table} -L > /dev/null 2>&1; then
+ printf '%s' "${table} "
+ fi
+ done
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ broute) chains="BROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${ebtables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkconfig() {
+ if [ ! -f ${ebtables_save} ] ; then
+ eerror "Not starting ebtables. First create some rules then run:"
+ eerror "/etc/init.d/ebtables save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ebtables state and starting bridge firewall"
+ ${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Stopping bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ set_table_policy $a ACCEPT
+
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ebtables state"
+ touch "${ebtables_save}"
+ chmod 0600 "${ebtables_save}"
+ ${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${ebtables_save}"
+ eend $?
+}
+
+panic() {
+ service_started ebtables && svc_stop
+
+ local a
+ ebegin "Dropping all packets forwarded on bridges"
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/nonsystemd/iptables-openrc/ip6tables.confd b/nonsystemd/iptables-openrc/ip6tables.confd
new file mode 100644
index 000000000..e608f41d1
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ip6tables.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/iptables-openrc/iptables.confd b/nonsystemd/iptables-openrc/iptables.confd
new file mode 100644
index 000000000..7225374c3
--- /dev/null
+++ b/nonsystemd/iptables-openrc/iptables.confd
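Review bot: `save()` redirects `ebtables-save` straight into `${ebtables_save}`, so the shell truncates the file before the command runs; when the save fails the file is left empty, `checkconfig` still finds an existing file on the next boot, and the restore presumably loads no rules, bringing the bridge firewall up open. The `save()` in `iptables.initd` in this commit has the same pattern. Writing to a sibling temporary file and renaming it into place only on success keeps the last known-good ruleset, as shown below. `checkconfig` also tests `[ ! -f ${ebtables_save} ]` unquoted, which passes when `EBTABLES_SAVE` is empty or unset; `iptables.initd` guards this with `-z`, and the same check belongs here: `if [ -z "${ebtables_save}" ] || [ ! -f "${ebtables_save}" ] ; then`.
```sh
save() {
	ebegin "Saving ebtables state"
	# Write to a temporary file first so a failed ebtables-save cannot
	# leave an empty ruleset behind for the next restore; umask keeps
	# the temporary file 0600 from creation.
	local tmp="${ebtables_save}.tmp.$$"
	( umask 077 && ${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${tmp}" ) \
		&& mv -f "${tmp}" "${ebtables_save}"
	local rc=$?
	[ ${rc} -eq 0 ] || rm -f "${tmp}"
	eend ${rc}
}
```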
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/iptables-openrc/iptables.initd b/nonsystemd/iptables-openrc/iptables.initd
new file mode 100644
index 000000000..3dcabb0df
--- /dev/null
+++ b/nonsystemd/iptables-openrc/iptables.initd
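Review bot: `iptables.initd` in this commit reads `IPTABLES_LOCK_WAIT_TIME` and `IPTABLES_LOCK_WAIT_INTERVAL` under both service names, but only `ip6tables.confd` documents them; this file should carry the same commented block so an administrator tuning the xtables lock wait for IPv4 finds the variables where the script reads them. Proposed addition after the `# /etc/conf.d/iptables` header: `# Set wait option for xtables lock in seconds`, `# DEFAULT: 60`, `#IPTABLES_LOCK_WAIT_TIME="60"`, followed by the matching three lines for `IPTABLES_LOCK_WAIT_INTERVAL` (microseconds, default 1000) as they appear in `ip6tables.confd`.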
@@ -0,0 +1,165 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ # use iptables autoload capability to load at least all required
+ # modules and filter table
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -S >/dev/null
+ if [ $? -ne 0 ] ; then
+ eerror "${iptables_bin} failed to load"
+ return 1
+ fi
+
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}
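Review bot: The `--wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval}` prefix is spelled out on every `${iptables_bin}` invocation in `set_table_policy`, `stop`, `reload` and `panic`, and each is followed by its own `[ $? -ne 0 ] && has_errors=1` line, which makes the script hard to scan and easy to desynchronise if the lock options ever change. A small wrapper defined right after `iptables_bin` removes both repetitions: `ipt() { ${iptables_bin} --wait "${iptables_lock_wait_time}" --wait-interval "${iptables_lock_wait_interval}" "$@"; }`, after which a call site reads `ipt -F -t $a || has_errors=1`. The `-restore` and `-save` calls in `start`, `checkrules` and `save` would stay as they are, since they invoke different binaries.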