129 lines
2.7 KiB
Plaintext
129 lines
2.7 KiB
Plaintext
#!/sbin/openrc-run
|
|
# Copyright 2014 Nicholas Vinson
|
|
# Copyright 1999-2014 Gentoo Foundation
|
|
# Distributed under the terms of the GNU General Public License v2
|
|
|
|
extra_commands="checkconfig list panic save"
|
|
extra_started_commands="reload"
|
|
|
|
description="Manage nftable based firewall."
|
|
description_checkconfig="Check validity of rulesets on disk without applying changes."
|
|
description_save="Save current nftables rulesets to disk."
|
|
description_list="Displays the current nftables ruleset."
|
|
description_panic="Immediately drop all packets on all interfaces."
|
|
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
|
|
|
|
# Uppercase variables are there for backward compatibility.
|
|
: ${rules_file:="/etc/nftables.nft"}
|
|
: ${rules_directory:="/etc/nftables.d"}
|
|
: ${save_options:="-n"}
|
|
: ${save_on_stop:="no"}
|
|
: ${enable_forwarding:="no"}
|
|
|
|
depend() {
|
|
need localmount
|
|
after sysctl
|
|
before net
|
|
provide firewall
|
|
}
|
|
|
|
start_pre() {
|
|
checkkernel && checkconfig
|
|
}
|
|
|
|
list() {
|
|
nft list ruleset
|
|
}
|
|
|
|
panic() {
|
|
checkkernel || return 1
|
|
|
|
if service_started "$RC_SVCNAME"; then
|
|
stop
|
|
fi
|
|
|
|
ebegin "Dropping all packets"
|
|
nft -f /dev/stdin <<-EOF
|
|
flush ruleset
|
|
table inet filter {
|
|
chain input { type filter hook input priority 0; policy drop; }
|
|
chain forward { type filter hook forward priority 0; policy drop; }
|
|
chain output { type filter hook output priority 0; policy drop; }
|
|
}
|
|
EOF
|
|
eend $?
|
|
}
|
|
|
|
reload() {
|
|
start
|
|
}
|
|
|
|
save() {
|
|
ebegin "Saving nftables state"
|
|
|
|
checkpath -q -d "${rules_file%/*}"
|
|
checkpath -q -m 0600 -f "$rules_file"
|
|
|
|
local tmp_save="$rules_file.tmp"
|
|
|
|
echo 'flush ruleset' > "$tmp_save"
|
|
nft list ruleset >> "$tmp_save"; local retval=$?
|
|
|
|
[ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
|
|
|
|
return $retval
|
|
}
|
|
|
|
start() {
|
|
ebegin "Loading nftables state and starting firewall"
|
|
|
|
nft -I "$rules_directory" -f "$rules_file"
|
|
eend $? || return 1
|
|
|
|
if yesno "$enable_forwarding"; then
|
|
ebegin "Enabling forwarding"
|
|
forwarding 1
|
|
eend $? || return 1
|
|
fi
|
|
}
|
|
|
|
stop() {
|
|
if yesno "$save_on_stop"; then
|
|
save || return 1
|
|
fi
|
|
|
|
if yesno "$enable_forwarding"; then
|
|
ebegin "Disabling forwarding"
|
|
forwarding 0
|
|
eend $?
|
|
fi
|
|
|
|
ebegin "Stopping firewall"
|
|
nft flush ruleset
|
|
eend $?
|
|
}
|
|
|
|
checkconfig() {
|
|
if [ ! -f "$rules_file" ]; then
|
|
eerror "Rules files $rules_file does not exist!"
|
|
return 1
|
|
fi
|
|
nft -c -I "$rules_directory" -f "$rules_file"
|
|
}
|
|
|
|
checkkernel() {
|
|
if ! nft list tables >/dev/null 2>&1; then
|
|
eerror "Your kernel lacks nftables support, please load"
|
|
eerror "appropriate modules and try again."
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
forwarding() {
|
|
/sbin/sysctl -qw \
|
|
net.ipv4.ip_forward=$1 \
|
|
net.ipv6.conf.default.forwarding=$1 \
|
|
net.ipv6.conf.all.forwarding=$1
|
|
}
|