authorwilliamvds2018-09-08 21:47:58 +0100
committerwilliamvds2018-09-08 21:49:15 +0100
commit1fe68c202ce221c0710e55925d990222d64ea98a (patch)
tree8b02b77d9e12bf1f637a504c17fc90a030552cc4
downloadaur-1fe68c202ce221c0710e55925d990222d64ea98a.tar.gz
initial commit
-rw-r--r--.SRCINFO18
-rw-r--r--PKGBUILD23
-rw-r--r--nftables-openrc.install10
-rw-r--r--nftables.confd19
-rwxr-xr-xnftables.initd99
5 files changed, 169 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..31aa90659459
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,18 @@
+pkgbase = nftables-openrc
+ pkgdesc = OpenRC init scripts for nftables
+ pkgver = 1
+ pkgrel = 1
+ url = https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables
+ install = nftables-openrc.install
+ arch = any
+ license = GPL2
+ depends = nftables
+ depends = openrc
+ backup = etc/conf.d/nftables
+ source = nftables.confd
+ source = nftables.initd
+ md5sums = fb03adecedabb52a059479e3c912785f
+ md5sums = 93bbfe082acb899ec1f4d8af1b6634e0
+
+pkgname = nftables-openrc
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..f643ac06b4b9
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,23 @@
+# Maintainer: William Vigolo da Silva <wvigolodasilva@gmail.com>
+_service=nftables
+pkgname=nftables-openrc
+pkgver=1
+pkgrel=1
+pkgdesc="OpenRC init scripts for nftables"
+arch=('any')
+url="https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables"
+license=('GPL2')
+depends=('nftables' 'openrc')
+backup=("etc/conf.d/$_service")
+install="$pkgname.install"
+source=("$_service.confd"
+ "$_service.initd")
+md5sums=('fb03adecedabb52a059479e3c912785f'
+ '93bbfe082acb899ec1f4d8af1b6634e0')
+
+package() {
+ install -dm755 "$pkgdir/etc/init.d"
+ install -dm755 "$pkgdir/etc/conf.d"
+ install -Dm755 "$srcdir/$_service.initd" "$pkgdir/etc/init.d/$_service"
+ install -Dm644 "$srcdir/$_service.confd" "$pkgdir/etc/conf.d/$_service"
+}
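Review bot: The integrity check for the two shipped files uses MD5 (`md5sums=(...)`), which makepkg accepts but which no longer gives a meaningful tamper guarantee for the fetched sources; the project convention is `sha256sums=(...)` (regenerate with `makepkg -g` and update .SRCINFO to match). The two `install -dm755` lines in `package()` are redundant, since `install -D` on the following lines already creates the parent directories. Consider `sha256sums=('<sha256 of nftables.confd>' '<sha256 of nftables.initd>')` with the placeholders filled from `makepkg -g`.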
diff --git a/nftables-openrc.install b/nftables-openrc.install
new file mode 100644
index 000000000000..8a0af50561aa
--- /dev/null
+++ b/nftables-openrc.install
@@ -0,0 +1,10 @@
+service=nftables
+post_install() {
+ echo "Installed service $service"
+ echo "Enable it by running:"
+ echo "rc-update add $service"
+}
+
+pre_remove() {
+ sudo rc-update del $service
+}
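Review bot: `sudo rc-update del $service` in `pre_remove()` is wrong for a pacman install scriptlet: scriptlets already run as root, so `sudo` adds nothing, and on a system without sudo (or with a non-interactive pacman run) the line fails and the scriptlet reports an error. The variable should also be quoted for consistency with the rest of the file: `rc-update del "$service"`. The `post_install()` hint on the lines above might also mention the runlevel to add to, since `rc-update add` defaults to the current one, but that is a documentation choice rather than a defect.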
diff --git a/nftables.confd b/nftables.confd
new file mode 100644
index 000000000000..d747aecb19bb
--- /dev/null
+++ b/nftables.confd
@@ -0,0 +1,19 @@
+# File to load from and save rules into
+NFTABLES_CONFIG="/etc/nftables.conf"
+
+# Options to pass to 'nft list ruleset' when saving
+AVE_OPTIONS="-n"
+
+# Save current ruleset when the service is stopped, overwriting the config file
+SAVE_ON_STOP="no"
+
+# If a ruleset can't be loaded, create one that drops all packets
+PANIC_ON_FAIL="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
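Review bot: `AVE_OPTIONS="-n"` on the line under "Options to pass to 'nft list ruleset' when saving" is a typo; the init script in this same commit reads `${SAVE_OPTIONS}` in its `save()` function, so the setting is silently ignored and the saved ruleset is written without `-n`. Change the line to `SAVE_OPTIONS="-n"`. Since this file is checksummed by the PKGBUILD, the corresponding checksum in PKGBUILD and .SRCINFO needs to be regenerated after the fix.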
diff --git a/nftables.initd b/nftables.initd
new file mode 100755
index 000000000000..651c4fe09968
--- /dev/null
+++ b/nftables.initd
@@ -0,0 +1,99 @@
+#!/sbin/openrc-run
+# Copyright 2018 William Vigolo da Silva
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="flush list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount
+ before net
+}
+
+start_pre() {
+ checkkernel && checkconfig && return 0
+ return 1
+}
+
+flush() {
+ nft flush ruleset || return 1
+}
+
+list() {
+ nft list ruleset || return 1
+}
+
+_panic() {
+ yesno "${PANIC_ON_FAIL:-yes}" && checkkernel && checkconfig && panic
+ return $?
+}
+
+panic() {
+ if service_started "${RC_SVCNAME}"; then
+ rc-service "${RC_SVCNAME}" stop
+ fi
+
+ ebegin "Dropping all packets"
+
+ flush
+ for protocol in ip ip6; do
+ nft create table $protocol filter 2>/dev/null || continue
+
+ nft -f /dev/stdin <<-EOF
+ table $protocol filter {
+ chain input { type filter hook input priority 0; drop; }
+ chain forward { type filter hook forward priority 0; drop; }
+ chain output { type filter hook output priority 0; drop; }
+ }
+ EOF
+ done
+}
+
+reload() {
+ start_pre || return 1
+ ebegin "Flushing firewall"
+ flush
+ start
+}
+
+save() {
+ ebegin "Saving nftables ruleset"
+ checkpath -q -d "$(dirname "${NFTABLES_CONFIG}")"
+ checkpath -q -m 0700 -f "${NFTABLES_CONFIG}"
+ echo "#!/bin/nft -f" >"${NFTABLES_CONFIG}"
+ nft ${SAVE_OPTIONS} list ruleset >>"${NFTABLES_CONFIG}"
+ return $?
+}
+
+start() {
+ ebegin "Loading ruleset and starting firewall"
+ flush
+ nft -f "${NFTABLES_CONFIG}" || _panic
+ eend $?
+}
+
+stop() {
+ yesno "${SAVE_ON_STOP:-no}" && (save || return 1)
+
+ ebegin "Stopping firewall"
+ flush
+ eend $?
+}
+
+checkconfig() {
+ [ -r "${NFTABLES_CONFIG}" ] && return 0
+ eerror "Could not read configuration file '${NFTABLES_CONFIG}'"
+ eerror "Populate it or use a different file by setting \$NFTABLES_CONFIG in"
+ eerror "the service configuration file"
+ eerror "Alternatively, create some rules and then run:"
+ eerror "rc-service ${RC_SVCNAME} save"
+ return 1
+}
+
+checkkernel() {
+ (nft list tables >/dev/null 2>&1) && return 0
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+}
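Review bot: In `stop()`, `yesno "${SAVE_ON_STOP:-no}" && (save || return 1)` does not do what it reads as: the parentheses open a subshell, so `return 1` only ends that subshell, and `stop()` goes on to `flush` the ruleset even when `save` failed and the current rules are lost. Write it as a plain conditional, `if yesno "${SAVE_ON_STOP:-no}"; then save || return 1; fi`. A second point in `start()`: `flush` runs before `nft -f "${NFTABLES_CONFIG}"`, so when the load fails and PANIC_ON_FAIL is "no" the host is left with no ruleset at all (fail-open); since `nft -f` applies a file as one transaction, putting `flush ruleset` at the top of the config file (or validating the file with `nft -c -f` before flushing) avoids that window. The same pre-flush ordering appears in `reload()`.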