Diffstat (limited to 'nonsystemd')
-rw-r--r-- | nonsystemd/nftables-openrc/PKGBUILD | 34 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables-mk.confd | 26 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables-mk.initd | 104 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables-mk.sh | 60 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables.confd | 19 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables.initd | 124 | ||||
-rw-r--r-- | nonsystemd/nftables-openrc/nftables.sh | 150 |
7 files changed, 517 insertions, 0 deletions
diff --git a/nonsystemd/nftables-openrc/PKGBUILD b/nonsystemd/nftables-openrc/PKGBUILD
new file mode 100644
index 000000000..bbb928931
--- /dev/null
+++ b/nonsystemd/nftables-openrc/PKGBUILD
@@ -0,0 +1,34 @@
+# Maintainer: David P. <megver83@parabola.nu>
+# Maintainer (Artix): artoo <artoo@artixlinux.org>
+
+pkgname=nftables-openrc
+pkgver=20210505
+pkgrel=2
+pkgdesc="OpenRC nftables init script"
+arch=('any')
+url="https://gitea.artixlinux.org/packagesN/nftables-openrc"
+license=('GPL2')
+groups=('openrc-world')
+provides=('init-nftables')
+conflicts=('init-nftables')
+backup=('etc/conf.d/nftables'
+ 'etc/conf.d/nftables-mk')
+source=("nftables"{,-mk}.{initd,confd}
+ "nftables"{,-mk}.sh)
+sha256sums=('d99250bf4e54545d978041819b94ea27634ee1812e9b56f15f287ca68640dec8'
+ 'd5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd'
+ '155be88ef6cddf95841f629264d8d4b42d15b4f7e8e572e5159e2cc17f8258b1'
+ '5ea765fce16e2ee6a760760a1cfde9994bef24e9a788ab83750e96ac2bc9533a'
+ 'e3b1423f877871c649e7da15352f2abb489900f05b022a87292ff92d36203b67'
+ '041b5fb2d42d6245459fd581a3b7ad39aa898caaefb2178595606b38391fc4db')
+
+package() {
+ depends=('openrc' 'nftables')
+
+ for _i in nftables-mk nftables ; do
+ install -Dm755 "$srcdir/$_i.initd" "$pkgdir/etc/init.d/$_i"
+ install -Dm644 "$srcdir/$_i.confd" "$pkgdir/etc/conf.d/$_i"
+ done
+ install -Dm755 "$srcdir"/nftables-mk.sh "$pkgdir"/usr/lib/nftables/nftables-mk.sh
+ install -Dm755 "$srcdir"/nftables.sh "$pkgdir"/usr/lib/nftables/nftables.sh
+}
diff --git a/nonsystemd/nftables-openrc/nftables-mk.confd b/nonsystemd/nftables-openrc/nftables-mk.confd
new file mode 100644
index 000000000..5cda24030
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.confd
@@ -0,0 +1,26 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# Only for OpenRC systems.
+# Set to "hard" or "soft" to panic when stopping instead of
+# clearing the rules
+# Soft panic loads a ruleset dropping any new or invalid connections
+# Hard panic loads a ruleset dropping all traffic
+PANIC_ON_STOP=""
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/nftables-openrc/nftables-mk.initd b/nonsystemd/nftables-openrc/nftables-mk.initd
new file mode 100644
index 000000000..ca0446c30
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.initd
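Review bot: The header comment on the hunk's first line names `/etc/conf.d/nftables`, but the PKGBUILD in this commit installs this file as `/etc/conf.d/nftables-mk` and lists it under `backup=` by that path, so a reader will confuse it with the sibling confd. Change it to `# /etc/conf.d/nftables-mk`. The `PANIC_ON_STOP` block says "Only for OpenRC systems", which carries no information in a file that only ships with the OpenRC init package; saying that the option is honoured by the `nftables-mk` service and ignored by the plain `nftables` one would tell the reader something they can act on.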
@@ -0,0 +1,104 @@
+#!/usr/bin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save soft_panic"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkkernel || return 1
+ check || return 1
+}
+
+start() {
+ ebegin "Loading ${SVCNAME} state and starting firewall"
+ /usr/lib/nftables/nftables.sh load "${NFTABLES_SAVE}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ if [ "${PANIC_ON_STOP}" = "hard" ]; then
+ /usr/lib/nftables/nftables.sh panic
+ elif [ "${PANIC_ON_STOP}" = "soft" ]; then
+ /usr/lib/nftables/nftables.sh soft_panic
+ else
+ /usr/lib/nftables/nftables.sh clear
+ fi
+ eend $?
+}
+
+reload() {
+ start_pre || return 1
+ start
+}
+
+clear() {
+ ebegin "Clearing rules"
+ /usr/lib/nftables/nftables.sh clear
+ eend $?
+}
+
+list() {
+ /usr/lib/nftables/nftables.sh list
+}
+
+check() {
+ ebegin "Checking rules"
+ /usr/lib/nftables/nftables.sh check "${NFTABLES_SAVE}"
+ eend $?
+}
+
+save() {
+ ebegin "Saving ${SVCNAME} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ /usr/lib/nftables/nftables.sh store "${NFTABLES_SAVE}"
+ eend $?
+}
+
+panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping all packets"
+ /usr/lib/nftables/nftables.sh panic
+ eend $?
+}
+
+soft_panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping new connections"
+ /usr/lib/nftables/nftables.sh soft_panic
+ eend $?
+}
diff --git a/nonsystemd/nftables-openrc/nftables-mk.sh b/nonsystemd/nftables-openrc/nftables-mk.sh
new file mode 100644
index 000000000..27defe3c1
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables-mk.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ case "$1" in
+ "check")
+ nft -c -f "${NFTABLES_SAVE}"
+ ;;
+ "clear")
+ nft flush ruleset
+ ;;
+ "list")
+ nft ${SAVE_OPTIONS} list ruleset
+ ;;
+ "load")
+ # We use an include because cat fails with long rulesets see #675188
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
+ ;;
+ "panic")
+ panic hard | nft -f -
+ ;;
+ "soft_panic")
+ panic soft | nft -f -
+ ;;
+ "store")
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ umask 177
+ (
+ printf '#!/sbin/nft -f\nflush ruleset\n'
+ nft ${SAVE_OPTIONS} list ruleset
+ ) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
+ ;;
+ esac
+}
+
+panic() {
+ local erule;
+ [ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
+ cat <<EOF
+flush ruleset
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ $erule
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ $erule
+ drop
+ }
+}
+EOF
+}
+
+main "$@"
diff --git a/nonsystemd/nftables-openrc/nftables.confd b/nonsystemd/nftables-openrc/nftables.confd
new file mode 100644
index 000000000..e83a4b962
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.confd
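Review bot: Every command in this init script invokes `/usr/lib/nftables/nftables.sh`, yet the PKGBUILD installs a separate `/usr/lib/nftables/nftables-mk.sh` for this service, and the non-mk `nftables.sh` in this commit only has `clear`, `list`, `load` and `store` arms in its `case` — for `check`, `panic` and `soft_panic` it falls out of the `case` with `retval` unset, so `return ${retval}` runs as a bare `return` and reports success. The consequence is that `check` in `start_pre` validates nothing, and `panic`, `soft_panic` and a `PANIC_ON_STOP` of `hard`/`soft` in `stop()` print their `ebegin` line and succeed while leaving the live ruleset untouched, which is the opposite of what a panic must guarantee. Each of the eleven calls should name the matching helper, e.g. `/usr/lib/nftables/nftables-mk.sh panic` in `panic()` and `/usr/lib/nftables/nftables-mk.sh check "${NFTABLES_SAVE}"` in `check()`. As a smaller point, `checkconfig` relies on the obsolescent `-o` test operator and `checkkernel` hardcodes `/sbin/nft` while the helper uses a bare `nft`; `if [ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]; then` and `if ! nft list ruleset >/dev/null 2>&1; then` would line up with the sibling nftables.initd.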
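Review bot: In the `store` arm the output is written through the quoted `"$tmp_save"` but the rename is `mv ${tmp_save} ${NFTABLES_SAVE}` unquoted, so a save path containing whitespace (the value is taken from `/etc/conf.d`) is split into extra `mv` operands; it should be `mv "${tmp_save}" "${NFTABLES_SAVE}"`. `list` and `store` expand `${SAVE_OPTIONS}` from the environment, but nftables-mk.initd in this commit never `export`s it the way nftables.initd's `save()` does, so unless openrc-run exports conf.d variables itself the `-n` from the confd presumably never reaches `nft`; a comment `# SAVE_OPTIONS must be exported by the calling init script` above `main()` would at least make the contract visible. The `umask 177` is what makes the temporary ruleset 0600 before `mv` carries that mode onto `NFTABLES_SAVE`, and deserves a why-comment such as `# 0600: the saved ruleset describes the host's filtering policy` so nobody "tidies" it away.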
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/nftables-openrc/nftables.initd b/nonsystemd/nftables-openrc/nftables.initd
new file mode 100644
index 000000000..1859e4678
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.initd
@@ -0,0 +1,124 @@
+#!/usr/bin/openrc-run
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ /usr/lib/nftables/nftables.sh clear || return 1
+ return 0
+}
+
+list() {
+ /usr/lib/nftables/nftables.sh list || return 1
+ return 0
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ export SAVE_OPTIONS
+ /usr/lib/nftables/nftables.sh store ${NFTABLES_SAVE}
+ return $?
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ /usr/lib/nftables/nftables.sh load ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
diff --git a/nonsystemd/nftables-openrc/nftables.sh b/nonsystemd/nftables-openrc/nftables.sh
new file mode 100644
index 000000000..557b454a9
--- /dev/null
+++ b/nonsystemd/nftables-openrc/nftables.sh
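Review bot: `checkconfig` tests `[ ! -f ${NFTABLES_SAVE} ]` unquoted, so with `NFTABLES_SAVE` empty or unset the test degenerates to the two-argument form `[ ! -f ]`, which is false, `checkconfig` returns 0 and `start()` goes on to run `nftables.sh load` with no file, i.e. `nft -f` with an empty argument; the sibling nftables-mk.initd already guards this and the same shape fits here, `if [ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]; then`. The `${NFTABLES_SAVE}` operands on the `store` and `load` calls in `save()` and `start()` are unquoted for the same reason and want quoting. `save()` and `panic()` both open with `ebegin` and never call `eend`, so a failed `store` during `stop()` aborts the stop via `save || return 1` without an OpenRC failure line; `eend $?` after the `store` call, and after the final `fi` in `panic()`, closes that gap. Note also that `panic()` only builds `ip` and `ip6` tables after `clear` has flushed every family, whereas the mk helper in this commit uses one `inet` table; it may be intentional, but a comment stating which families the panic policy covers would stop a reader from assuming parity.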
@@ -0,0 +1,150 @@
+#! /bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ local retval
+ case "$1" in
+ "clear")
+ if ! use_legacy; then
+ nft flush ruleset
+ else
+ clear_legacy
+ fi
+ retval=$?
+ ;;
+ "list")
+ if ! use_legacy; then
+ nft list ruleset
+ else
+ list_legacy
+ fi
+ retval=$?
+ ;;
+ "load")
+ nft -f ${NFTABLES_SAVE}
+ retval=$?
+ ;;
+ "store")
+ umask 177
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ if ! use_legacy; then
+ nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
+ else
+ save_legacy ${tmp_save}
+ fi
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ ;;
+ esac
+ return ${retval}
+}
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=$(uname -r | cut -d '.' -f1)
+ minor_ver=$(uname -r | cut -d '.' -f2)
+
+ [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
+ return 0
+}
+
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
+main "$@"
|
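Review bot: In the `store` arm, `if [ ${retval} ]; then` is a non-empty-string test, so it is true for `1` just as for `0`, and the temporary file is renamed over `NFTABLES_SAVE` even when `nft list ruleset` (or `save_legacy`) failed; a transient failure while `stop()` saves would replace the persisted ruleset with a truncated or empty file, which `start()` then loads as an open firewall on the next boot. It should read `if [ "${retval}" -eq 0 ]; then`, and the unquoted `${tmp_save}`/`${NFTABLES_SAVE}` on the `mv`, `nft -f` and `> ${tmp_save}` lines want quoting so a path with whitespace cannot split into extra operands. `manualwalk` also looks broken: under a POSIX `sh` the `read` in `nft list tables | read line` runs in a pipeline subshell, so `line` is empty when tested, and the unconditional `result=1` after the `if` overrides the `result=0` branch regardless, so the function always returns 1; `line=$(nft list tables | head -n 1)` plus moving `result=1` into an `else` branch would restore the intended logic. Since `use_legacy` only routes to this path on kernels older than 3.18 it may be acceptable to leave it, but then a comment saying so at the top of `clear_legacy` would save the next reader the analysis.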