diff options
-rw-r--r-- | user/nftables/APKBUILD | 45 | ||||
-rw-r--r-- | user/nftables/nftables.confd | 24 | ||||
-rw-r--r-- | user/nftables/nftables.initd | 127 |
3 files changed, 196 insertions, 0 deletions
diff --git a/user/nftables/APKBUILD b/user/nftables/APKBUILD new file mode 100644 index 000000000..3ef6d52aa --- /dev/null +++ b/user/nftables/APKBUILD @@ -0,0 +1,45 @@ +# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> +# Contributor: Jakub Jirutka <jakub@jirutka.cz> +# Contributor: Francesco Colista <fcolista@alpinelinux.org> +# Maintainer: multiplexd <multi@in-addr.xyz> +pkgname=nftables +pkgver=0.9.0 +pkgrel=0 +pkgdesc="Netfilter tables userspace tools" +url="https://netfilter.org/projects/nftables" +options="!check" # no test suite +arch="all" +license="GPL-2.0+ AND GPL-2.0" +makedepends="bison docbook2x flex gmp-dev libmnl-dev libnftnl-dev" +subpackages="$pkgname-doc $pkgname-openrc" +source="https://netfilter.org/projects/nftables/files/$pkgname-$pkgver.tar.bz2 + nftables.confd + nftables.initd" + +build() { + cd "$builddir" + + DB2MAN=docbook2x-man ./configure \ + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --localstatedir=/var \ + --without-cli + make +} + +package() { + cd "$builddir" + + make DESTDIR="$pkgdir" install + + install -Dm755 "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname + install -Dm644 "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname +} + +sha512sums="ba08fd78d79f7df14a7a7d753e8be33f22d892672ad906672d938c66a8fbb0824fd1d083c173132b7d81dd5e3cdd7771364ec714662876cb71eb4f7ad4eaa59c nftables-0.9.0.tar.bz2 +4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd +58daafb012b7cd0248a7db6e10f6a667e683347aaea7eaa78cb88780272f334e00913cea3fd39a22a4a72acc27fabd101944b40916f4b534ddeb509bd0232017 nftables.initd" diff --git a/user/nftables/nftables.confd b/user/nftables/nftables.confd new file mode 100644 index 000000000..87fa8f2ea --- /dev/null +++ b/user/nftables/nftables.confd @@ -0,0 +1,24 @@ +# Configuration for /etc/init.d/nftables + +# Location of file with nftables rules to restore on service start, +# and save rules to on service stop when $save_on_stop is enabled. +#rules_file="/etc/firewall.nft" + +# Options to pass to nft on save. +#save_options="-n" + +# Save state on stopping nftables. +#save_on_stop="yes" + +# Enable IPv4/IPv6 forwarding with the rules? +# Note: If you want to enable forwarding only on selected interfaces, +# keep this disabled and enable forwarding using /etc/sysctl.conf. +#enable_forwarding="no" + +# If you need to log nftables messages as soon as nftables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/user/nftables/nftables.initd b/user/nftables/nftables.initd new file mode 100644 index 000000000..c763b395d --- /dev/null +++ b/user/nftables/nftables.initd @@ -0,0 +1,127 @@ +#!/sbin/openrc-run +# Copyright 2014 Nicholas Vinson +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="list panic save" +extra_started_commands="reload" + +description="Manage nftable based firewall." +description_save="Save current nftables rulesets to disk." +description_list="Displays the current nftables ruleset." +description_panic="Immediately drop all packets on all interfaces." +description_reload="Clear current rulesets and load rulesets from the saved ruleset files." + +# Uppercase variables are there for backward compatibility. +: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}} +: ${save_options:=${SAVE_OPTIONS:="-n"}} +: ${save_on_stop:=${SAVE_ON_STOP:="yes"}} +: ${enable_forwarding:="no"} + +depend() { + need localmount + after sysctl + before net + provide firewall +} + +start_pre() { + checkkernel && checkconfig +} + +list() { + nft list ruleset +} + +panic() { + checkkernel || return 1 + + if service_started "$RC_SVCNAME"; then + rc-service "$RC_SVCNAME" stop + fi + + ebegin "Dropping all packets" + nft -f /dev/stdin <<-EOF + flush ruleset + table inet filter { + chain input { type filter hook input priority 0; policy drop; } + chain forward { type filter hook forward priority 0; policy drop; } + chain output { type filter hook output priority 0; policy drop; } + } + EOF + eend $? +} + +reload() { + start +} + +save() { + ebegin "Saving nftables state" + + checkpath -q -d "${rules_file%/*}" + checkpath -q -m 0600 -f "$rules_file" + + local tmp_save="$rules_file.tmp" + + echo 'flush ruleset' > "$tmp_save" + nft list ruleset >> "$tmp_save"; local retval=$? + + [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file" + + return $retval +} + +start() { + ebegin "Loading nftables state and starting firewall" + + nft -f "$rules_file" + eend $? || return 1 + + if yesno "$enable_forwarding"; then + ebegin "Enabling forwarding" + forwarding 1 + eend $? || return 1 + fi +} + +stop() { + if yesno "$save_on_stop"; then + save || return 1 + fi + + if yesno "$enable_forwarding"; then + ebegin "Disabling forwarding" + forwarding 0 + eend $? + fi + + ebegin "Stopping firewall" + nft flush ruleset + eend $? +} + +checkconfig() { + if [ ! -f "$rules_file" ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror " rc-service nftables save" + return 1 + fi + return 0 +} + +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +forwarding() { + /sbin/sysctl -qw \ + net.ipv4.ip_forward=$1 \ + net.ipv6.conf.default.forwarding=$1 \ + net.ipv6.conf.all.forwarding=$1 +} |