diff options
| author |   Nicholas Vinson <nvinson234@gmail.com> | 2015-11-03 01:00:22 -0500 |
|---|---|---|
| committer | Nicholas Vinson <nvinson234@gmail.com> | 2015-11-03 01:11:22 -0500 |
| commit | bbee7c12baa2b1d85c23f83f2ec18ac535179f43 (patch) | |
| tree | bcae675051df468ebe8c54512649a1a31f9f763e /net-firewall | |
| parent | net-firewall/nftables: refactor init.d/nftables into libexec/nftable.sh (diff) | |
| download | gentoo-bbee7c12baa2b1d85c23f83f2ec18ac535179f43.tar.gz gentoo-bbee7c12baa2b1d85c23f83f2ec18ac535179f43.tar.bz2 gentoo-bbee7c12baa2b1d85c23f83f2ec18ac535179f43.zip | |
net-firewall/nftables: update nftables.init to use new libexec/nftables.sh
Package-Manager: portage-2.2.23
Diffstat (limited to 'net-firewall')
| -rw-r--r-- | net-firewall/nftables/files/nftables.init-r2 | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/net-firewall/nftables/files/nftables.init-r2 b/net-firewall/nftables/files/nftables.init-r2 new file mode 100644 index 000000000000..c86d2e3c995f --- /dev/null +++ b/net-firewall/nftables/files/nftables.init-r2 @@ -0,0 +1,123 @@ +#!/sbin/runscript +# Copyright 2014 Nicholas Vinson +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="clear list panic save" +extra_started_commands="reload" +depend() { + need localmount #434774 + before net +} + +start_pre() { + checkkernel || return 1 + checkconfig || return 1 + return 0 +} + +clear() { + /usr/libexec/nftables/nftables.sh clear || return 1 + return 0 +} + +list() { + /usr/libexec/nftables/nftables.sh list || return 1 + return 0 +} + +panic() { + checkkernel || return 1 + if service_started ${RC_SVCNAME}; then + rc-service ${RC_SVCNAME} stop + fi + + ebegin "Dropping all packets" + clear + if nft create table ip filter >/dev/null 2>&1; then + nft -f /dev/stdin <<-EOF + table ip filter { + chain input { + type filter hook input priority 0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi + if nft create table ip6 filter >/dev/null 2>&1; then + nft -f /dev/stdin <<-EOF + table ip6 filter { + chain input { + type filter hook input priority 0; + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + drop + } + } + EOF + fi +} + +reload() { + checkkernel || return 1 + ebegin "Flushing firewall" + clear + start +} + +save() { + ebegin "Saving nftables state" + checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" + checkpath -q -m 0600 -f "${NFTABLES_SAVE}" + /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE} + return $? +} + +start() { + ebegin "Loading nftables state and starting firewall" + clear + /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE} + eend $? +} + +stop() { + if yesno ${SAVE_ON_STOP:-yes}; then + save || return 1 + fi + + ebegin "Stopping firewall" + clear + eend $? +} + +checkconfig() { + if [ ! -f ${NFTABLES_SAVE} ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror "rc-service nftables save" + return 1 + fi + return 0 +} + +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} |