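#!/sbin/openrc-run
# Copyright 2018 William Vigolo da Silva
# Copyright 2014-2017 Nicholas Vinson
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# OpenRC service script for nftables: loads the ruleset from
# ${NFTABLES_CONFIG} on start, flushes it on stop, and exposes a few extra
# commands (flush, list, panic, save, reload) for day-to-day maintenance.
#
# Variables read from the service's conf.d file:
#   NFTABLES_CONFIG  ruleset file loaded with `nft -f` and written by `save`
#   SAVE_OPTIONS     extra options inserted before `list ruleset` when saving
#   SAVE_ON_STOP     yes/no, save the live ruleset before stopping (default: no)
#   PANIC_ON_FAIL    yes/no, drop all traffic when the ruleset fails to load
#                    (default: yes)

extra_commands="flush list panic save"
extra_started_commands="reload"

depend() {
    need localmount
    before net
}

# Pre-start checks: the kernel must speak nftables and the ruleset file
# must be readable. Returns 0 only when both hold.
start_pre() {
    checkkernel && checkconfig && return 0
    return 1
}

# Remove every table, chain and rule from the kernel.
flush() {
    nft flush ruleset || return 1
}

# Print the ruleset currently loaded in the kernel.
list() {
    nft list ruleset || return 1
}

# Enter panic mode after a failed ruleset load, unless PANIC_ON_FAIL is
# disabled. Returns panic()'s status, or non-zero when panic was skipped.
_panic() {
    yesno "${PANIC_ON_FAIL:-yes}" && checkkernel && checkconfig && panic
    return $?
}

# Fail closed: stop the service if it is running, wipe the ruleset and
# install an unconditional drop on the input, forward and output hooks for
# both IPv4 and IPv6. Any family that could not be covered is reported and
# makes the command fail instead of being silently left unfiltered.
panic() {
    local protocol rc=0

    if service_started "${RC_SVCNAME}"; then
        rc-service "${RC_SVCNAME}" stop
    fi

    ebegin "Dropping all packets"
    flush || ewarn "Could not flush the existing ruleset"
    for protocol in ip ip6; do
        if ! nft create table "${protocol}" filter 2>/dev/null; then
            eerror "Could not create table ${protocol} filter"
            rc=1
            continue
        fi
        # The heredoc is left unindented so the EOF terminator matches
        # without depending on tab stripping; nft does not care about
        # leading whitespace.
        nft -f /dev/stdin <<EOF || rc=1
table ${protocol} filter {
    chain input { type filter hook input priority 0; drop; }
    chain forward { type filter hook forward priority 0; drop; }
    chain output { type filter hook output priority 0; drop; }
}
EOF
    done
    eend ${rc}
}

# Re-run the start checks, flush the kernel ruleset and load it again.
reload() {
    start_pre || return 1
    ebegin "Flushing firewall"
    flush
    eend $? || return 1
    start
}

# Write the live ruleset to ${NFTABLES_CONFIG} as an `nft -f` script.
# The dump goes to a temporary file that replaces the config only after
# `nft list ruleset` succeeded, so a failed save can never leave behind a
# truncated file that the next start would load as an empty ruleset.
save() {
    local tmp

    if [ -z "${NFTABLES_CONFIG}" ]; then
        eerror "NFTABLES_CONFIG is not set"
        return 1
    fi
    tmp="${NFTABLES_CONFIG}.tmp"

    ebegin "Saving nftables ruleset"
    checkpath -q -d "$(dirname "${NFTABLES_CONFIG}")"
    # 0700: the ruleset exposes the firewall policy, keep it root-only.
    checkpath -q -m 0700 -f "${tmp}"
    # SAVE_OPTIONS is deliberately unquoted: it may hold several options.
    if { echo "#!/bin/nft -f"; nft ${SAVE_OPTIONS} list ruleset; } >"${tmp}" \
        && mv -f "${tmp}" "${NFTABLES_CONFIG}"; then
        eend 0
    else
        rm -f "${tmp}"
        eend 1 "Failed to save ruleset to '${NFTABLES_CONFIG}'"
    fi
}

# Load ${NFTABLES_CONFIG} into a freshly flushed kernel. A load failure
# hands over to _panic and is reported as a failed start: the configured
# ruleset is not active, even if panic mode installed drop rules.
start() {
    ebegin "Loading ruleset and starting firewall"
    flush || ewarn "Could not flush the existing ruleset"
    if ! nft -f "${NFTABLES_CONFIG}"; then
        _panic
        eend 1 "Failed to load ruleset from '${NFTABLES_CONFIG}'"
        return 1
    fi
    eend 0
}

# Optionally persist the live ruleset, then flush it. If the save fails
# the firewall is left untouched so the unsaved rules are not lost.
stop() {
    if yesno "${SAVE_ON_STOP:-no}"; then
        save || return 1
    fi
    ebegin "Stopping firewall"
    flush
    eend $?
}

# Verify that the ruleset file is readable; explain how to fix it if not.
checkconfig() {
    [ -r "${NFTABLES_CONFIG}" ] && return 0
    eerror "Could not read configuration file '${NFTABLES_CONFIG}'"
    eerror "Populate it or use a different file by setting \$NFTABLES_CONFIG in"
    eerror "the service configuration file"
    eerror "Alternatively, create some rules and then run:"
    eerror "rc-service ${RC_SVCNAME} save"
    return 1
}

# Verify that the running kernel accepts nftables commands at all.
checkkernel() {
    nft list tables >/dev/null 2>&1 && return 0
    eerror "Your kernel lacks nftables support, please load"
    eerror "appropriate modules and try again."
    return 1
}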