authorA. Wilcox <awilcox@wilcox-tech.com>2019-01-13 19:44:23 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-01-13 19:44:23 +0000
commitdadc93d1b35aa2336bbd46cc590dabd5d844bb0e (patch)
tree907612528285f1df404f5de34942c21f247fd568 /user/nftables/nftables.initd
parentb818b871b17b09a6adc0b43f8e65977bab5104a6 (diff)
parenta21b49c9ed1b34c463560d31c0cbeead46810038 (diff)
Merge branch 'nftables' into 'master'
nftables + dependencies: new packages This MR contains APKBUILDs for nftables and its libnftnl dependency. APKBUILDs have been adapted and trimmed from Alpine; the OpenRC scripts come indirectly from Gentoo via Alpine. Tested on x86_64 by NAT'ing a couple of VMs to the outside world. See merge request !145
Diffstat (limited to 'user/nftables/nftables.initd')
-rw-r--r--user/nftables/nftables.initd127
1 files changed, 127 insertions, 0 deletions
diff --git a/user/nftables/nftables.initd b/user/nftables/nftables.initd
new file mode 100644
index 000000000..c763b395d
--- /dev/null
+++ b/user/nftables/nftables.initd
@@ -0,0 +1,127 @@
+#!/sbin/openrc-run
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="list panic save"
+extra_started_commands="reload"
+
+description="Manage nftable based firewall."
+description_save="Save current nftables rulesets to disk."
+description_list="Displays the current nftables ruleset."
+description_panic="Immediately drop all packets on all interfaces."
+description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
+# Uppercase variables are there for backward compatibility.
+: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
+: ${save_options:=${SAVE_OPTIONS:="-n"}}
+: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+: ${enable_forwarding:="no"}
+
+depend() {
+ need localmount
+ after sysctl
+ before net
+ provide firewall
+}
+
+start_pre() {
+ checkkernel && checkconfig
+}
+
+list() {
+ nft list ruleset
+}
+
+panic() {
+ checkkernel || return 1
+
+ if service_started "$RC_SVCNAME"; then
+ rc-service "$RC_SVCNAME" stop
+ fi
+
+ ebegin "Dropping all packets"
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
+ EOF
+ eend $?
+}
+
+reload() {
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+
+ checkpath -q -d "${rules_file%/*}"
+ checkpath -q -m 0600 -f "$rules_file"
+
+ local tmp_save="$rules_file.tmp"
+
+ echo 'flush ruleset' > "$tmp_save"
+ nft list ruleset >> "$tmp_save"; local retval=$?
+
+ [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
+
+ return $retval
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+
+ nft -f "$rules_file"
+ eend $? || return 1
+
+ if yesno "$enable_forwarding"; then
+ ebegin "Enabling forwarding"
+ forwarding 1
+ eend $? || return 1
+ fi
+}
+
+stop() {
+ if yesno "$save_on_stop"; then
+ save || return 1
+ fi
+
+ if yesno "$enable_forwarding"; then
+ ebegin "Disabling forwarding"
+ forwarding 0
+ eend $?
+ fi
+
+ ebegin "Stopping firewall"
+ nft flush ruleset
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f "$rules_file" ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror " rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+forwarding() {
+ /sbin/sysctl -qw \
+ net.ipv4.ip_forward=$1 \
+ net.ipv6.conf.default.forwarding=$1 \
+ net.ipv6.conf.all.forwarding=$1
+}