-rw-r--r--nonsystemd/nftables-openrc/PKGBUILD34
-rw-r--r--nonsystemd/nftables-openrc/nftables-mk.confd26
-rw-r--r--nonsystemd/nftables-openrc/nftables-mk.initd104
-rw-r--r--nonsystemd/nftables-openrc/nftables-mk.sh60
-rw-r--r--nonsystemd/nftables-openrc/nftables.confd19
-rw-r--r--nonsystemd/nftables-openrc/nftables.initd124
-rw-r--r--nonsystemd/nftables-openrc/nftables.sh150
7 files changed, 517 insertions, 0 deletions
diff --git a/nonsystemd/nftables-openrc/PKGBUILD b/nonsystemd/nftables-openrc/PKGBUILD
new file mode 100644
index 000000000..bbb928931
--- /dev/null
+++ b/nonsystemd/nftables-openrc/PKGBUILD
@@ -0,0 +1,34 @@
+# Maintainer: David P. <megver83@parabola.nu>
+# Maintainer (Artix): artoo <artoo@artixlinux.org>
+
+pkgname=nftables-openrc
+pkgver=20210505
+pkgrel=2
+pkgdesc="OpenRC nftables init script"
+arch=('any')
+url="https://gitea.artixlinux.org/packagesN/nftables-openrc"
+license=('GPL2')
+groups=('openrc-world')
+provides=('init-nftables')
+conflicts=('init-nftables')
+backup=('etc/conf.d/nftables'
+ 'etc/conf.d/nftables-mk')
+source=("nftables"{,-mk}.{initd,confd}
+ "nftables"{,-mk}.sh)
+sha256sums=('d99250bf4e54545d978041819b94ea27634ee1812e9b56f15f287ca68640dec8'
+ 'd5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd'
+ '155be88ef6cddf95841f629264d8d4b42d15b4f7e8e572e5159e2cc17f8258b1'
+ '5ea765fce16e2ee6a760760a1cfde9994bef24e9a788ab83750e96ac2bc9533a'
+ 'e3b1423f877871c649e7da15352f2abb489900f05b022a87292ff92d36203b67'
+ '041b5fb2d42d6245459fd581a3b7ad39aa898caaefb2178595606b38391fc4db')
+
+package() {
+ depends=('openrc' 'nftables')
+
+ for _i in nftables-mk nftables ; do
+ install -Dm755 "$srcdir/$_i.initd" "$pkgdir/etc/init.d/$_i"
+ install -Dm644 "$srcdir/$_i.confd" "$pkgdir/etc/conf.d/$_i"
+ done
+ install -Dm755 "$srcdir"/nftables-mk.sh "$pkgdir"/usr/lib/nftables/nftables-mk.sh
+ install -Dm755 "$srcdir"/nftables.sh "$pkgdir"/usr/lib/nftables/nftables.sh
+}
diff --git a/nonsystemd/nftables-openrc/nftables-mk.confd b/nonsystemd/nftables-openrc/nftables-mk.confd
new file mode 100644
index 000000000..5cda24030
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.confd
@@ -0,0 +1,26 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# Only for OpenRC systems.
+# Set to "hard" or "soft" to panic when stopping instead of
+# clearing the rules
+# Soft panic loads a ruleset dropping any new or invalid connections
+# Hard panic loads a ruleset dropping all traffic
+PANIC_ON_STOP=""
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
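Review bot: The header comment `# /etc/conf.d/nftables` names the other service's file; the PKGBUILD in this commit installs this one as `/etc/conf.d/nftables-mk`, so the first line should read `# /etc/conf.d/nftables-mk`. The `PANIC_ON_STOP` block's "Only for OpenRC systems." sentence is redundant inside an OpenRC conf.d file and could be dropped. The remaining comments match the keys they describe.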
diff --git a/nonsystemd/nftables-openrc/nftables-mk.initd b/nonsystemd/nftables-openrc/nftables-mk.initd
new file mode 100644
index 000000000..ca0446c30
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.initd
@@ -0,0 +1,104 @@
+#!/usr/bin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save soft_panic"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkkernel || return 1
+ check || return 1
+}
+
+start() {
+ ebegin "Loading ${SVCNAME} state and starting firewall"
+ /usr/lib/nftables/nftables.sh load "${NFTABLES_SAVE}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ if [ "${PANIC_ON_STOP}" = "hard" ]; then
+ /usr/lib/nftables/nftables.sh panic
+ elif [ "${PANIC_ON_STOP}" = "soft" ]; then
+ /usr/lib/nftables/nftables.sh soft_panic
+ else
+ /usr/lib/nftables/nftables.sh clear
+ fi
+ eend $?
+}
+
+reload() {
+ start_pre || return 1
+ start
+}
+
+clear() {
+ ebegin "Clearing rules"
+ /usr/lib/nftables/nftables.sh clear
+ eend $?
+}
+
+list() {
+ /usr/lib/nftables/nftables.sh list
+}
+
+check() {
+ ebegin "Checking rules"
+ /usr/lib/nftables/nftables.sh check "${NFTABLES_SAVE}"
+ eend $?
+}
+
+save() {
+ ebegin "Saving ${SVCNAME} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ /usr/lib/nftables/nftables.sh store "${NFTABLES_SAVE}"
+ eend $?
+}
+
+panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping all packets"
+ /usr/lib/nftables/nftables.sh panic
+ eend $?
+}
+
+soft_panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping new connections"
+ /usr/lib/nftables/nftables.sh soft_panic
+ eend $?
+}
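Review bot: Every helper invocation in this init script (start, stop, clear, list, check, save, panic, soft_panic) calls `/usr/lib/nftables/nftables.sh`, but the PKGBUILD installs this script's companion as `/usr/lib/nftables/nftables-mk.sh`, and the `nftables.sh` added in the same commit has no `check`, `panic` or `soft_panic` case — its `case` falls through with `retval` unset and `return ${retval}` yields 0, so `start_pre` passes without validating the rules file and `panic`/`soft_panic` report success while leaving the live ruleset untouched. Point the calls at `/usr/lib/nftables/nftables-mk.sh`. `checkconfig` uses `-o` inside `[ ]`, which is obsolescent; `[ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]` is the portable form. `${SVCNAME}` is unquoted in `panic` and `soft_panic`, while the sibling `nftables.initd` uses `${RC_SVCNAME}`; the two scripts should agree on the variable and quote it.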
diff --git a/nonsystemd/nftables-openrc/nftables-mk.sh b/nonsystemd/nftables-openrc/nftables-mk.sh
new file mode 100644
index 000000000..27defe3c1
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ case "$1" in
+ "check")
+ nft -c -f "${NFTABLES_SAVE}"
+ ;;
+ "clear")
+ nft flush ruleset
+ ;;
+ "list")
+ nft ${SAVE_OPTIONS} list ruleset
+ ;;
+ "load")
+ # We use an include because cat fails with long rulesets see #675188
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
+ ;;
+ "panic")
+ panic hard | nft -f -
+ ;;
+ "soft_panic")
+ panic soft | nft -f -
+ ;;
+ "store")
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ umask 177
+ (
+ printf '#!/sbin/nft -f\nflush ruleset\n'
+ nft ${SAVE_OPTIONS} list ruleset
+ ) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
+ ;;
+ esac
+}
+
+panic() {
+ local erule;
+ [ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
+ cat <<EOF
+flush ruleset
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ $erule
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ $erule
+ drop
+ }
+}
+EOF
+}
+
+main "$@"
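Review bot: In the `store` branch the redirect target is quoted as `"$tmp_save"` but the `mv` on the same line uses unquoted `${tmp_save} ${NFTABLES_SAVE}`; the path comes from the conf.d file, so a value containing whitespace is split into extra arguments and the save silently lands elsewhere or fails. Write `) > "$tmp_save" && mv -- "$tmp_save" "$NFTABLES_SAVE"`. The `load` branch embeds the path verbatim into nft's `include "%s"` directive, so a path containing a double quote would be misparsed by nft; that is unlikely for an administrator-set path but deserves a comment such as `# NFTABLES_SAVE is embedded in an nft include directive and must not contain '"'`. `umask 177` is set inside `main` for the whole process, which is fine here since `store` is the only writer, but a one-line comment saying so would stop a future branch from inheriting it by accident.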
diff --git a/nonsystemd/nftables-openrc/nftables.confd b/nonsystemd/nftables-openrc/nftables.confd
new file mode 100644
index 000000000..e83a4b962
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/nftables-openrc/nftables.initd b/nonsystemd/nftables-openrc/nftables.initd
new file mode 100644
index 000000000..1859e4678
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.initd
@@ -0,0 +1,124 @@
+#!/usr/bin/openrc-run
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ /usr/lib/nftables/nftables.sh clear || return 1
+ return 0
+}
+
+list() {
+ /usr/lib/nftables/nftables.sh list || return 1
+ return 0
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ export SAVE_OPTIONS
+ /usr/lib/nftables/nftables.sh store ${NFTABLES_SAVE}
+ return $?
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ /usr/lib/nftables/nftables.sh load ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
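Review bot: `panic()` opens with `ebegin "Dropping all packets"` but never calls `eend`, so neither of the two `nft -f` loads is reported or reflected in the command's exit status, and a failed panic ruleset looks identical to a successful one; `reload()` ("Flushing firewall") and `save()` ("Saving nftables state") have the same unbalanced `ebegin`. Collect the status of each load and finish with `eend $? "Failed to load panic ruleset"`, and add `eend $?` after the `store` call in `save`. `checkconfig` tests `[ ! -f ${NFTABLES_SAVE} ]` unquoted; with an empty value the test collapses to `[ ! -f ]`, which is false, so the guard passes instead of refusing to start — use `[ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]`. `${RC_SVCNAME}` and `${NFTABLES_SAVE}` should also be quoted where they are passed as arguments in `panic`, `save` and `start`.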
diff --git a/nonsystemd/nftables-openrc/nftables.sh b/nonsystemd/nftables-openrc/nftables.sh
new file mode 100644
index 000000000..557b454a9
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.sh
@@ -0,0 +1,150 @@
+#! /bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ local retval
+ case "$1" in
+ "clear")
+ if ! use_legacy; then
+ nft flush ruleset
+ else
+ clear_legacy
+ fi
+ retval=$?
+ ;;
+ "list")
+ if ! use_legacy; then
+ nft list ruleset
+ else
+ list_legacy
+ fi
+ retval=$?
+ ;;
+ "load")
+ nft -f ${NFTABLES_SAVE}
+ retval=$?
+ ;;
+ "store")
+ umask 177
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ if ! use_legacy; then
+ nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
+ else
+ save_legacy ${tmp_save}
+ fi
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ ;;
+ esac
+ return ${retval}
+}
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=$(uname -r | cut -d '.' -f1)
+ minor_ver=$(uname -r | cut -d '.' -f2)
+
+ [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
+ return 0
+}
+
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
+main "$@"
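Review bot: In main's `store` branch, `if [ ${retval} ]` only checks that `retval` is a non-empty string, which it always is after `retval=$?`, so the temporary file is moved over `${NFTABLES_SAVE}` even when the `nft list ruleset` dump failed; a failed or partial dump then replaces the last good rules-save that the init script relies on at boot. Replace it with `if [ "${retval}" -eq 0 ]; then` and quote the paths on the `mv`, `nft -f` and `nft ... list ruleset >` lines, which are currently unquoted while the same values are quoted elsewhere in the file. `manualwalk` assigns `result=0` inside the `if` and then unconditionally overwrites it with `result=1`, and `nft list tables | read line` runs `read` in a pipeline subshell so `line` is empty in the following test; the function therefore always returns 1 regardless of what nft printed. The legacy helpers also leave the `CHECK_TABLE_NAME` table behind if `nft create table` succeeds but the script is interrupted before the matching `nft delete table`, which is worth a comment on `getfamilies`/`manualwalk`.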