path: root/nonsystemd/nftables-openrc/nftables-mk.sh
blob: 27defe3c1c31e8a05ab01f30fe25ed088c0840d2 (plain)
#!/bin/sh

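main() {
	# Usage: nftables-mk.sh <check|clear|list|load|panic|soft_panic|store> [rules-file]
	#
	# $1 selects the action, $2 optionally overrides the saved-rules path
	# (default /var/lib/nftables/rules-save). SAVE_OPTIONS comes from the
	# environment (openrc conf.d) and is intentionally left unquoted so it
	# can carry several nft options at once.
	# Returns nft's status for the chosen action, 1 on an unknown action or
	# a failed store.
	local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
	local tmp_save
	case "$1" in
		"check")
			# Syntax-check the saved ruleset without loading it.
			nft -c -f "${NFTABLES_SAVE}"
		;;
		"clear")
			nft flush ruleset
		;;
		"list")
			# shellcheck disable=SC2086 -- SAVE_OPTIONS is a list of words
			nft ${SAVE_OPTIONS} list ruleset
		;;
		"load")
			# We use an include because cat fails with long rulesets see #675188
			printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
		;;
		"panic")
			panic hard | nft -f -
		;;
		"soft_panic")
			panic soft | nft -f -
		;;
		"store")
			tmp_save="${NFTABLES_SAVE}.tmp"
			# 0600 on the dump: the saved ruleset describes the host's policy.
			umask 177
			# Dump into a temp file and rename over the old save so a failed
			# dump never truncates the last good ruleset; a partial temp file
			# is removed rather than left next to the real one.
			if (
				printf '#!/sbin/nft -f\nflush ruleset\n'
				# shellcheck disable=SC2086 -- SAVE_OPTIONS is a list of words
				nft ${SAVE_OPTIONS} list ruleset
			) > "${tmp_save}"; then
				mv -- "${tmp_save}" "${NFTABLES_SAVE}"
			else
				rm -f -- "${tmp_save}"
				return 1
			fi
		;;
		*)
			# Previously an unknown action exited 0 silently, which hides
			# typos in init scripts; report it and fail instead.
			printf 'usage: %s {check|clear|list|load|panic|soft_panic|store} [rules-file]\n' "${0##*/}" >&2
			return 1
		;;
	esac
}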

panic() {
	# Print an nft ruleset that drops all traffic on input, forward and
	# output. With "soft" as $1, already established/related connections
	# are still accepted on input and output so the current session
	# survives the lockdown; any other argument produces a hard drop.
	local erule
	case "$1" in
		soft) erule="ct state established,related accept;" ;;
		*) erule="" ;;
	esac
	cat <<EOF
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0;
		$erule
		drop
	}
	chain forward {
		type filter hook forward priority 0;
		drop
	}
	chain output {
		type filter hook output priority 0;
		$erule
		drop
	}
}
EOF
}

# Entry point: dispatch on the action name in $1 (see main for the list).
main "$@"