authorwilliamvds2018-09-08 21:47:58 +0100
committerwilliamvds2018-09-08 21:49:15 +0100
commit1fe68c202ce221c0710e55925d990222d64ea98a (patch)
tree8b02b77d9e12bf1f637a504c17fc90a030552cc4 /nftables.initd
initial commit
Diffstat (limited to 'nftables.initd')
-rwxr-xr-xnftables.initd99
1 files changed, 99 insertions, 0 deletions
diff --git a/nftables.initd b/nftables.initd
new file mode 100755
index 000000000000..651c4fe09968
--- /dev/null
+++ b/nftables.initd
@@ -0,0 +1,99 @@
+#!/sbin/openrc-run
+# Copyright 2018 William Vigolo da Silva
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="flush list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount
+ before net
+}
+
+start_pre() {
+ checkkernel && checkconfig && return 0
+ return 1
+}
+
+flush() {
+ nft flush ruleset || return 1
+}
+
+list() {
+ nft list ruleset || return 1
+}
+
+_panic() {
+ yesno "${PANIC_ON_FAIL:-yes}" && checkkernel && checkconfig && panic
+ return $?
+}
+
+panic() {
+ if service_started "${RC_SVCNAME}"; then
+ rc-service "${RC_SVCNAME}" stop
+ fi
+
+ ebegin "Dropping all packets"
+
+ flush
+ for protocol in ip ip6; do
+ nft create table $protocol filter 2>/dev/null || continue
+
+ nft -f /dev/stdin <<-EOF
+ table $protocol filter {
+ chain input { type filter hook input priority 0; drop; }
+ chain forward { type filter hook forward priority 0; drop; }
+ chain output { type filter hook output priority 0; drop; }
+ }
+ EOF
+ done
+}
+
+reload() {
+ start_pre || return 1
+ ebegin "Flushing firewall"
+ flush
+ start
+}
+
+save() {
+ ebegin "Saving nftables ruleset"
+ checkpath -q -d "$(dirname "${NFTABLES_CONFIG}")"
+ checkpath -q -m 0700 -f "${NFTABLES_CONFIG}"
+ echo "#!/bin/nft -f" >"${NFTABLES_CONFIG}"
+ nft ${SAVE_OPTIONS} list ruleset >>"${NFTABLES_CONFIG}"
+ return $?
+}
+
+start() {
+ ebegin "Loading ruleset and starting firewall"
+ flush
+ nft -f "${NFTABLES_CONFIG}" || _panic
+ eend $?
+}
+
+stop() {
+ yesno "${SAVE_ON_STOP:-no}" && (save || return 1)
+
+ ebegin "Stopping firewall"
+ flush
+ eend $?
+}
+
+checkconfig() {
+ [ -r "${NFTABLES_CONFIG}" ] && return 0
+ eerror "Could not read configuration file '${NFTABLES_CONFIG}'"
+ eerror "Populate it or use a different file by setting \$NFTABLES_CONFIG in"
+ eerror "the service configuration file"
+ eerror "Alternatively, create some rules and then run:"
+ eerror "rc-service ${RC_SVCNAME} save"
+ return 1
+}
+
+checkkernel() {
+ (nft list tables >/dev/null 2>&1) && return 0
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+}
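Review bot: save() truncates `${NFTABLES_CONFIG}` with the `echo "#!/bin/nft -f" >` redirect before `nft list ruleset` has produced any output, so if the dump fails the only copy of the ruleset is gone and the next start() loads a file holding just the shebang line, which `nft -f` accepts as an empty ruleset — the host comes up with no filtering at all. The guard in stop(), `yesno "${SAVE_ON_STOP:-no}" && (save || return 1)`, does not catch this: the `return 1` only leaves the subshell, so stop() still flushes the live ruleset after a failed save; write it as `if yesno "${SAVE_ON_STOP:-no}"; then save || return 1; fi`. The rewrite below dumps into a sibling temp file created with the same 0700 mode the script already uses and renames it over the config only after nft succeeded, and pairs the existing ebegin with an eend so a failure is actually reported.
```shell
save() {
	ebegin "Saving nftables ruleset"
	checkpath -q -d "$(dirname "${NFTABLES_CONFIG}")"
	checkpath -q -m 0700 -f "${NFTABLES_CONFIG}"
	# Dump into a sibling temp file first so a failing `nft list ruleset`
	# cannot leave NFTABLES_CONFIG truncated to just the shebang line.
	local tmp="${NFTABLES_CONFIG}.tmp.$$"
	checkpath -q -m 0700 -f "${tmp}" || { eend 1; return 1; }
	{ echo "#!/bin/nft -f"; nft ${SAVE_OPTIONS} list ruleset; } >"${tmp}" \
		&& mv -f "${tmp}" "${NFTABLES_CONFIG}"
	local rc=$?
	[ "${rc}" -eq 0 ] || rm -f "${tmp}"
	eend "${rc}" "Could not save ruleset; existing ${NFTABLES_CONFIG} left untouched"
}
```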