-rw-r--r--user/nftables/APKBUILD45
-rw-r--r--user/nftables/nftables.confd24
-rw-r--r--user/nftables/nftables.initd127
3 files changed, 196 insertions, 0 deletions
diff --git a/user/nftables/APKBUILD b/user/nftables/APKBUILD
new file mode 100644
index 000000000..3ef6d52aa
--- /dev/null
+++ b/user/nftables/APKBUILD
@@ -0,0 +1,45 @@
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Francesco Colista <fcolista@alpinelinux.org>
+# Maintainer: multiplexd <multi@in-addr.xyz>
+pkgname=nftables
+pkgver=0.9.0
+pkgrel=0
+pkgdesc="Netfilter tables userspace tools"
+url="https://netfilter.org/projects/nftables"
+options="!check" # no test suite
+arch="all"
+license="GPL-2.0+ AND GPL-2.0"
+makedepends="bison docbook2x flex gmp-dev libmnl-dev libnftnl-dev"
+subpackages="$pkgname-doc $pkgname-openrc"
+source="https://netfilter.org/projects/nftables/files/$pkgname-$pkgver.tar.bz2
+ nftables.confd
+ nftables.initd"
+
+build() {
+ cd "$builddir"
+
+ DB2MAN=docbook2x-man ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var \
+ --without-cli
+ make
+}
+
+package() {
+ cd "$builddir"
+
+ make DESTDIR="$pkgdir" install
+
+ install -Dm755 "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
+ install -Dm644 "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname
+}
+
+sha512sums="ba08fd78d79f7df14a7a7d753e8be33f22d892672ad906672d938c66a8fbb0824fd1d083c173132b7d81dd5e3cdd7771364ec714662876cb71eb4f7ad4eaa59c nftables-0.9.0.tar.bz2
+4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd
+58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd"
diff --git a/user/nftables/nftables.confd b/user/nftables/nftables.confd
new file mode 100644
index 000000000..87fa8f2ea
--- /dev/null
+++ b/user/nftables/nftables.confd
@@ -0,0 +1,24 @@
+# Configuration for /etc/init.d/nftables
+
+# Location of file with nftables rules to restore on service start,
+# and save rules to on service stop when $save_on_stop is enabled.
+#rules_file="/etc/firewall.nft"
+
+# Options to pass to nft on save.
+#save_options="-n"
+
+# Save state on stopping nftables.
+#save_on_stop="yes"
+
+# Enable IPv4/IPv6 forwarding with the rules?
+# Note: If you want to enable forwarding only on selected interfaces,
+# keep this disabled and enable forwarding using /etc/sysctl.conf.
+#enable_forwarding="no"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/user/nftables/nftables.initd b/user/nftables/nftables.initd
new file mode 100644
index 000000000..c763b395d
--- /dev/null
+++ b/user/nftables/nftables.initd
@@ -0,0 +1,127 @@
+#!/sbin/openrc-run
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="list panic save"
+extra_started_commands="reload"
+
+description="Manage nftable based firewall."
+description_save="Save current nftables rulesets to disk."
+description_list="Displays the current nftables ruleset."
+description_panic="Immediately drop all packets on all interfaces."
+description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
+# Uppercase variables are there for backward compatibility.
+: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
+: ${save_options:=${SAVE_OPTIONS:="-n"}}
+: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+: ${enable_forwarding:="no"}
+
+depend() {
+ need localmount
+ after sysctl
+ before net
+ provide firewall
+}
+
+start_pre() {
+ checkkernel && checkconfig
+}
+
+list() {
+ nft list ruleset
+}
+
+panic() {
+ checkkernel || return 1
+
+ if service_started "$RC_SVCNAME"; then
+ rc-service "$RC_SVCNAME" stop
+ fi
+
+ ebegin "Dropping all packets"
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
+ EOF
+ eend $?
+}
+
+reload() {
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+
+ checkpath -q -d "${rules_file%/*}"
+ checkpath -q -m 0600 -f "$rules_file"
+
+ local tmp_save="$rules_file.tmp"
+
+ echo 'flush ruleset' > "$tmp_save"
+ nft list ruleset >> "$tmp_save"; local retval=$?
+
+ [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
+
+ return $retval
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+
+ nft -f "$rules_file"
+ eend $? || return 1
+
+ if yesno "$enable_forwarding"; then
+ ebegin "Enabling forwarding"
+ forwarding 1
+ eend $? || return 1
+ fi
+}
+
+stop() {
+ if yesno "$save_on_stop"; then
+ save || return 1
+ fi
+
+ if yesno "$enable_forwarding"; then
+ ebegin "Disabling forwarding"
+ forwarding 0
+ eend $?
+ fi
+
+ ebegin "Stopping firewall"
+ nft flush ruleset
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f "$rules_file" ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror " rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+forwarding() {
+ /sbin/sysctl -qw \
+ net.ipv4.ip_forward=$1 \
+ net.ipv6.conf.default.forwarding=$1 \
+ net.ipv6.conf.all.forwarding=$1
+}