williamh 14/08/28 13:25:47 Modified: nftables.init Log: revision bump for bug #521232 approved by Manuel Rueger (Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key 0x30C46538)
Revision Changes Path 1.3 net-firewall/nftables/files/nftables.init file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?rev=1.3&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-firewall/nftables/files/nftables.init?r1=1.2&r2=1.3
Index: nftables.init
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-firewall/nftables/files/nftables.init,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- nftables.init 26 Aug 2014 17:53:54 -0000 1.2
+++ nftables.init 28 Aug 2014 13:25:47 -0000 1.3
@@ -3,21 +3,17 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-extra_commands="check clear list panic save"
+extra_commands="clear list panic save"
 extra_started_commands="reload"
-nftables_name=nftables
-nft_bin=/sbin/nft
-
 depend() {
 need localmount #434774
 before net
 }
 checkkernel() {
- ${nft_bin} list tables &>/dev/null
- if [ $? -ne 0 ]; then
- eerror "Your kernel lacks ${nftables_name} support, please load"
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
 eerror "appropriate modules and try again."
 return 1
 fi
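Review bot: The rewritten checkkernel() attributes every failure of `nft list tables` to a missing kernel feature, but with the absolute `/sbin/nft` replaced by a bare `nft` the same test also fails when the binary is not on PATH, and it fails with EPERM when the caller lacks CAP_NET_ADMIN, so the "Your kernel lacks nftables support" message will mislead in those cases. A cheap way to separate the two most common causes is a guard before the existing `if`: `command -v nft >/dev/null 2>&1 || { eerror "nft binary not found in PATH"; return 1; }`; alternatively capture nft's own stderr into the eerror text instead of discarding it with `2>&1`. OpenRC's runscript normally exports a sane PATH, so the bare name is probably fine in practice, but the diagnostic should not rule out the tool-side failures. checkkernel()'s closing brace is outside this hunk.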
@@ -26,57 +22,39 @@
 checkconfig() {
 if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting ${nftables_name}. First create some rules then run:"
- eerror "/etc/init.d/${nftables_name} save"
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
 return 1
 fi
 return 0
 }
-checkfamilies() {
- if [ -n "${families+set}" ]; then
- return
- fi
-
- families=()
+getfamilies() {
+ local families
 for l3f in ip arp ip6 bridge inet; do
- ${nft_bin} list tables ${l3f} &> /dev/null
- if [ $? -eq 0 ]; then
- families+=($l3f)
- fi
- done
-}
-
-havefamily() {
- local i tfamily=$1
- checkfamilies
-
- for i in ${families[@]}; do
- if [ $i == $tfamily ]; then
- return 0
+ if nft list tables ${l3f} > /dev/null 2>&1; then
+ families="${families}${l3f} "
 fi
 done
- return 1
+ echo ${families}
 }
 clearNFT() {
- checkfamilies
-
 local l3f line table chain
- for l3f in ${families[@]}; do
- ${nft_bin} list tables ${l3f} | while read line; do
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
 table=$(echo ${line} | sed "s/table[ \t]*//")
- ${nft_bin} flush table ${l3f} ${table}
- ${nft_bin} list table ${l3f} ${table} | while read l; do
+ nft flush table ${l3f} ${table}
+ nft list table ${l3f} ${table} | while read l; do
 chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
 cut -d ' ' -f2)
 if [ -n "${chain}" ]; then
- ${nft_bin} flush chain ${l3f} ${table} ${chain}
- ${nft_bin} delete chain ${l3f} ${table} ${chain}
+ nft flush chain ${l3f} ${table} ${chain}
+ nft delete chain ${l3f} ${table} ${chain}
 fi
 done
- ${nft_bin} delete table ${l3f} ${table}
+ nft delete table ${l3f} ${table}
 done
 done
 }
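Review bot: None of the `nft flush`/`nft delete` calls in clearNFT() are checked, and because every loop body runs inside a `nft list ... | while read` pipeline subshell, the function's exit status says nothing about whether the ruleset is actually empty when it returns; a table that could not be deleted is reported only on stderr and start() then loads the saved ruleset on top of the leftovers. Since the loops are already driven by `nft list tables ${l3f}`, the cheapest honest check is to re-run it after the outer `done` and fail if anything survived: `for l3f in $(getfamilies); do [ -z "$(nft list tables ${l3f})" ] || return 1; done` — this assumes `nft list tables <family>` prints nothing when the family has no tables, which is consistent with how the output is parsed here but should be confirmed against the packaged nft. Two smaller points in the same function: `l` is read in the inner loop but is not in the `local l3f line table chain` list, so it leaks into the caller's scope, and both `read` calls lack `-r`. The whole of getfamilies() and clearNFT() is within this hunk.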
@@ -92,22 +70,21 @@
 nft add rule ${l3f} panic forward drop
 }
-checkrules() {
- ewarn "Rules not checked as ${nftables_name} does not support this feature."
- return 0
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
 }
 start() {
- checkkernel || return 1
- checkconfig || return 1
- ebegin "Loading ${nftables_name} state and starting firewall"
+ ebegin "Loading nftables state and starting firewall"
 clearNFT
- ${nft_bin} -f ${NFTABLES_SAVE}
+ nft -f ${NFTABLES_SAVE}
 eend $?
 }
 stop() {
- if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ if yesno ${SAVE_ON_STOP:-yes}; then
 save || return 1
 fi
@@ -125,39 +102,31 @@
 start
 }
-check() {
- # Short name for users of init.d script
- checkrules
-}
-
 clear() {
 clearNFT
 }
 list() {
- checkfamilies
 local l3f
- for l3f in ${families[@]}; do
- ${nft_bin} list tables ${l3f} | while read line; do
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
 line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(${nft_bin} list ${line})"
+ echo "$(nft list ${line})"
 done
 done
 }
 save() {
- checkfamilies
-
- ebegin "Saving ${nftables_name} state"
+ ebegin "Saving nftables state"
 checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
 checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
 local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
 touch "${tmp_save}"
- for l3f in ${families[@]}; do
- ${nft_bin} list tables ${l3f} | while read line; do
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
 line=$(echo ${line} | sed "s/table/table ${l3f}/")
 # The below substitution fixes an issue where nft -n output may not
 # always be parsable by nft -f. For example, nft -n might print
@@ -171,7 +140,7 @@
 # Invalid argument
 # table ip6 filter {
 # ^^
- echo "$(${nft_bin} ${SAVE_OPTIONS} list ${line} |\
+ echo "$(nft ${SAVE_OPTIONS} list ${line} |\
 sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
 done
 done
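Review bot: start() still tears the live ruleset down with clearNFT before it knows whether `nft -f ${NFTABLES_SAVE}` will succeed, so a syntax error or unsupported expression in the saved file leaves the host with no firewall at all while `eend $?` only reports the failure; start_pre() now confirms the file exists, but not that it loads, so the fail-open window is the whole clear-then-load sequence. If this service is meant to fail closed, the failure branch should install the same drop-all tables panic() builds with addpanictable (that helper and the ip/ip6 family selection are taken from panic() in a later hunk), as in the rewrite below. A second, unrelated behavioural change in this hunk is `yesno ${SAVE_ON_STOP:-yes}`: the old `[ "${SAVE_ON_STOP}" = "yes" ]` did not save when the variable was unset, the new default does, which the "revision bump" message does not mention and which deserves a comment in conf.d unless the shipped conf.d already sets SAVE_ON_STOP explicitly.
```shell
start() {
	ebegin "Loading nftables state and starting firewall"
	local l3f
	clearNFT
	if ! nft -f ${NFTABLES_SAVE}; then
		# Fail closed: the previous ruleset is already gone, so drop
		# everything rather than leave the host unfiltered.
		eerror "Loading ${NFTABLES_SAVE} failed, installing drop-all ruleset"
		clearNFT
		for l3f in $(getfamilies); do
			case ${l3f} in
				ip|ip6) addpanictable ${l3f} ;;
			esac
		done
		eend 1
		return 1
	fi
	eend 0
}
```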
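Review bot: save() sets 0600 on ${NFTABLES_SAVE} via checkpath but then creates the file it actually writes to, `${NFTABLES_SAVE}.tmp`, with a plain `touch`, i.e. with whatever the process umask allows (commonly 0644), so the ruleset — which typically reveals internal addressing and policy — is world-readable while it is being assembled; if the temp file is afterwards renamed over NFTABLES_SAVE (the tail of save() is outside this hunk), the rename also carries the looser mode across and the earlier checkpath is defeated. Create the scratch file with the intended mode instead: replace `touch "${tmp_save}"` with `checkpath -q -m 0600 -f "${tmp_save}"`. As in clearNFT, list() and save() run their loop bodies inside `nft list tables ${l3f} | while read line` subshells, so a failing `nft list` in either loop does not reach the function's exit status and a truncated save can still be reported as success — worth a comment if it is accepted, or a post-write size check before the rename.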
@@ -180,15 +149,15 @@
 panic() {
 checkkernel || return 1
- if service_started ${nftables_name}; then
- rc-service ${nftables_name} stop
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
 fi
 ebegin "Dropping all packets"
 clearNFT
 local l3f
- for l3f in ${families[@]}; do
+ for l3f in $(getfamilies); do
 case ${l3f} in
 ip) addpanictable ${l3f} ;;
 ip6) addpanictable ${l3f} ;;
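Review bot: panic() stops the service through `rc-service ${RC_SVCNAME} stop`, and stop() in this revision saves the live ruleset whenever SAVE_ON_STOP is unset or yes (`yesno ${SAVE_ON_STOP:-yes}` in an earlier hunk), so an operator who invokes panic because the running ruleset looks tampered first persists that ruleset over ${NFTABLES_SAVE} and only then drops traffic — the next start reloads the suspect state. Whether panic should skip the save is a policy choice, but it should be explicit; at minimum add above the `if service_started` block: `# NOTE: stop() saves the live ruleset when SAVE_ON_STOP is yes (the default), so a tampered ruleset is persisted before it is dropped.` If the intent is to preserve the last known-good rules, something like `SAVE_ON_STOP=no rc-service ${RC_SVCNAME} stop` would express it, but verify that runscript's sourcing of conf.d does not override a value passed through the environment. panic()'s closing `esac`/`done` and its `eend` are outside this hunk.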