diff options
Diffstat (limited to 'user/nftables/nftables.initd')
-rw-r--r-- | user/nftables/nftables.initd | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/user/nftables/nftables.initd b/user/nftables/nftables.initd new file mode 100644 index 000000000..c763b395d --- /dev/null +++ b/user/nftables/nftables.initd @@ -0,0 +1,127 @@ +#!/sbin/openrc-run +# Copyright 2014 Nicholas Vinson +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="list panic save" +extra_started_commands="reload" + +description="Manage nftable based firewall." +description_save="Save current nftables rulesets to disk." +description_list="Displays the current nftables ruleset." +description_panic="Immediately drop all packets on all interfaces." +description_reload="Clear current rulesets and load rulesets from the saved ruleset files." + +# Uppercase variables are there for backward compatibility. +: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}} +: ${save_options:=${SAVE_OPTIONS:="-n"}} +: ${save_on_stop:=${SAVE_ON_STOP:="yes"}} +: ${enable_forwarding:="no"} + +depend() { + need localmount + after sysctl + before net + provide firewall +} + +start_pre() { + checkkernel && checkconfig +} + +list() { + nft list ruleset +} + +panic() { + checkkernel || return 1 + + if service_started "$RC_SVCNAME"; then + rc-service "$RC_SVCNAME" stop + fi + + ebegin "Dropping all packets" + nft -f /dev/stdin <<-EOF + flush ruleset + table inet filter { + chain input { type filter hook input priority 0; policy drop; } + chain forward { type filter hook forward priority 0; policy drop; } + chain output { type filter hook output priority 0; policy drop; } + } + EOF + eend $? +} + +reload() { + start +} + +save() { + ebegin "Saving nftables state" + + checkpath -q -d "${rules_file%/*}" + checkpath -q -m 0600 -f "$rules_file" + + local tmp_save="$rules_file.tmp" + + echo 'flush ruleset' > "$tmp_save" + nft list ruleset >> "$tmp_save"; local retval=$? + + [ $retval -eq 0 ] && mv "$tmp_save" "$rules_file" + + return $retval +} + +start() { + ebegin "Loading nftables state and starting firewall" + + nft -f "$rules_file" + eend $? || return 1 + + if yesno "$enable_forwarding"; then + ebegin "Enabling forwarding" + forwarding 1 + eend $? || return 1 + fi +} + +stop() { + if yesno "$save_on_stop"; then + save || return 1 + fi + + if yesno "$enable_forwarding"; then + ebegin "Disabling forwarding" + forwarding 0 + eend $? + fi + + ebegin "Stopping firewall" + nft flush ruleset + eend $? +} + +checkconfig() { + if [ ! -f "$rules_file" ]; then + eerror "Not starting nftables. First create some rules then run:" + eerror " rc-service nftables save" + return 1 + fi + return 0 +} + +checkkernel() { + if ! nft list tables >/dev/null 2>&1; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +forwarding() { + /sbin/sysctl -qw \ + net.ipv4.ip_forward=$1 \ + net.ipv6.conf.default.forwarding=$1 \ + net.ipv6.conf.all.forwarding=$1 +} |