commit:     cb51431baffa2b5f38beb351274913f0d2768fc9
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sun Nov  8 02:59:20 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sun Nov  8 02:59:20 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb51431b

net-firewall/nftables-0.9.7-r1: revbump, fix initd (bug #753491, #744955)

Closes: https://bugs.gentoo.org/753491
Closes: https://bugs.gentoo.org/744955
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-firewall/nftables/files/nftables-mk.init-r1    |  50 ++++---
 net-firewall/nftables/files/nftables.init-r1       | 154 ++++++++++++---------
 ...ables-0.9.7.ebuild => nftables-0.9.7-r1.ebuild} |   2 +-
 net-firewall/nftables/nftables-0.9.7.ebuild        |   2 +-
 net-firewall/nftables/nftables-9999.ebuild         |   2 +-
 5 files changed, 119 insertions(+), 91 deletions(-)

diff --git a/net-firewall/nftables/files/nftables-mk.init-r1 
b/net-firewall/nftables/files/nftables-mk.init-r1
index 45b2abdbda7..1f03301c053 100644
--- a/net-firewall/nftables/files/nftables-mk.init-r1
+++ b/net-firewall/nftables/files/nftables-mk.init-r1
@@ -20,7 +20,7 @@ checkkernel() {
 }
 
 checkconfig() {
-       if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+       if [ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ] ; then
                eerror "Not starting nftables. First create some rules then 
run:"
                eerror "/etc/init.d/${SVCNAME} save"
                return 1
@@ -28,6 +28,11 @@ checkconfig() {
        return 0
 }
 
+_nftables() {
+       export NFTABLES_SAVE SAVE_OPTIONS
+       /usr/libexec/nftables/nftables.sh "${@}"
+}
+
 start_pre() {
        checkconfig || return 1
        checkkernel || return 1
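Review bot: The new `_nftables` helper has no comment explaining why it exports `NFTABLES_SAVE` and `SAVE_OPTIONS` before calling the libexec script, and `export` in a POSIX sh function is not scoped to the function, so both names stay exported for the rest of the service run; a reader would not guess that from the three lines. A one-line header such as `# Run the libexec helper with the confd settings in its environment (export is script-wide, not local).` above the function would record both facts. The helper's caller `start_pre` continues below the hunk.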
@@ -36,8 +41,8 @@ start_pre() {
 
 start() {
        ebegin "Loading ${SVCNAME} state and starting firewall"
-       /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}"
-       eend $?
+       _nftables load "${NFTABLES_SAVE}"
+       eend ${?}
 }
 
 stop() {
@@ -47,13 +52,13 @@ stop() {
 
        ebegin "Stopping firewall"
        if [ "${PANIC_ON_STOP}" = "hard" ]; then
-               /usr/libexec/nftables/nftables.sh panic
+               _nftables panic
        elif [ "${PANIC_ON_STOP}" = "soft" ]; then
-               /usr/libexec/nftables/nftables.sh soft_panic
+               _nftables soft_panic
        else
-               /usr/libexec/nftables/nftables.sh clear
+               _nftables clear
        fi
-       eend $?
+       eend ${?}
 }
 
 reload() {
@@ -63,43 +68,42 @@ reload() {
 
 clear() {
        ebegin "Clearing rules"
-       /usr/libexec/nftables/nftables.sh clear
-       eend $?
+       _nftables clear
+       eend ${?}
 }
 
 list() {
-       /usr/libexec/nftables/nftables.sh list
+       _nftables list
 }
 
 check() {
        ebegin "Checking rules"
-       /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}"
-       eend $?
+       _nftables check "${NFTABLES_SAVE}"
+       eend ${?}
 }
 
 save() {
        ebegin "Saving ${SVCNAME} state"
        checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
        checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-       SAVE_OPTIONS="${SAVE_OPTIONS}" \
-               /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"
-       eend $?
+       _nftables store "${NFTABLES_SAVE}"
+       eend ${?}
 }
 
 panic() {
-       if service_started ${SVCNAME}; then
-               rc-service ${SVCNAME} zap
+       if service_started "${SVCNAME}"; then
+               rc-service "${SVCNAME}" zap
        fi
        ebegin "Dropping all packets"
-       /usr/libexec/nftables/nftables.sh panic
-       eend $?
+       _nftables panic
+       eend ${?}
 }
 
 soft_panic() {
-       if service_started ${SVCNAME}; then
-               rc-service ${SVCNAME} zap
+       if service_started "${SVCNAME}"; then
+               rc-service "${SVCNAME}" zap
        fi
        ebegin "Dropping new connections"
-       /usr/libexec/nftables/nftables.sh soft_panic
-       eend $?
+       _nftables soft_panic
+       eend ${?}
 }
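Review bot: `panic()` and `soft_panic()` quote `"${SVCNAME}"` but keep the older OpenRC variable name, while `nftables.init-r1` in the same commit switched to `"${RC_SVCNAME}"`; the two init scripts should agree, e.g. `if service_started "${RC_SVCNAME}"; then` and `rc-service "${RC_SVCNAME}" zap`. The two files also appear to diverge in behaviour here: this one zaps the service before dropping packets, which marks it stopped without running `stop()` and therefore skips the `SAVE_ON_STOP` save, whereas the sibling calls `rc-service … stop`; if that difference is not intended, a comment stating why zap is used would help the next reader.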

diff --git a/net-firewall/nftables/files/nftables.init-r1 
b/net-firewall/nftables/files/nftables.init-r1
index 45b2abdbda7..60f1632f455 100644
--- a/net-firewall/nftables/files/nftables.init-r1
+++ b/net-firewall/nftables/files/nftables.init-r1
@@ -1,105 +1,129 @@
 #!/sbin/openrc-run
+# Copyright 2014-2017 Nicholas Vinson
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-extra_commands="check clear list panic save soft_panic"
+extra_commands="clear list panic save"
 extra_started_commands="reload"
-
 depend() {
        need localmount #434774
        before net
 }
 
-checkkernel() {
-       if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
-               eerror "Your kernel lacks nftables support, please load"
-               eerror "appropriate modules and try again."
-               return 1
-       fi
-       return 0
+_nftables() {
+       export NFTABLES_SAVE SAVE_OPTIONS
+       /usr/libexec/nftables/nftables.sh "${@}"
 }
 
-checkconfig() {
-       if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
-               eerror "Not starting nftables. First create some rules then 
run:"
-               eerror "/etc/init.d/${SVCNAME} save"
-               return 1
-       fi
+start_pre() {
+       checkkernel || return 1
+       checkconfig || return 1
        return 0
 }
 
-start_pre() {
-       checkconfig || return 1
-       checkkernel || return 1
-       check || return 1
+clear() {
+       _nftables clear || return 1
+       return 0
 }
 
-start() {
-       ebegin "Loading ${SVCNAME} state and starting firewall"
-       /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}"
-       eend $?
+list() {
+       _nftables list || return 1
+       return 0
 }
 
-stop() {
-       if [ "${SAVE_ON_STOP}" = "yes" ] ; then
-               save || return 1
+panic() {
+       checkkernel || return 1
+       if service_started "${RC_SVCNAME}"; then
+               rc-service "${RC_SVCNAME}" stop
        fi
 
-       ebegin "Stopping firewall"
-       if [ "${PANIC_ON_STOP}" = "hard" ]; then
-               /usr/libexec/nftables/nftables.sh panic
-       elif [ "${PANIC_ON_STOP}" = "soft" ]; then
-               /usr/libexec/nftables/nftables.sh soft_panic
-       else
-               /usr/libexec/nftables/nftables.sh clear
+       ebegin "Dropping all packets"
+       clear
+       if nft create table ip filter >/dev/null 2>&1; then
+       nft -f /dev/stdin <<-EOF
+               table ip filter {
+                       chain input {
+                               type filter hook input priority 0;
+                               drop
+                       }
+                       chain forward {
+                               type filter hook forward priority 0;
+                               drop
+                       }
+                       chain output {
+                               type filter hook output priority 0;
+                               drop
+                       }
+               }
+       EOF
+       fi
+       if nft create table ip6 filter >/dev/null 2>&1; then
+       nft -f /dev/stdin <<-EOF
+               table ip6 filter {
+                       chain input {
+                               type filter hook input priority 0;
+                               drop
+                       }
+                       chain forward {
+                               type filter hook forward priority 0;
+                               drop
+                       }
+                       chain output {
+                               type filter hook output priority 0;
+                               drop
+                       }
+               }
+       EOF
        fi
-       eend $?
 }
 
 reload() {
-       start_pre || return 1
+       checkkernel || return 1
+       ebegin "Flushing firewall"
+       clear
        start
 }
 
-clear() {
-       ebegin "Clearing rules"
-       /usr/libexec/nftables/nftables.sh clear
-       eend $?
+save() {
+       ebegin "Saving nftables state"
+       checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+       checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+       export SAVE_OPTIONS
+       _nftables store "${NFTABLES_SAVE}"
+       return $?
 }
 
-list() {
-       /usr/libexec/nftables/nftables.sh list
+start() {
+       ebegin "Loading nftables state and starting firewall"
+       clear
+       _nftables load "${NFTABLES_SAVE}"
+       eend ${?}
 }
 
-check() {
-       ebegin "Checking rules"
-       /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}"
-       eend $?
-}
+stop() {
+       if yesno "${SAVE_ON_STOP:-yes}"; then
+               save || return 1
+       fi
 
-save() {
-       ebegin "Saving ${SVCNAME} state"
-       checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
-       checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-       SAVE_OPTIONS="${SAVE_OPTIONS}" \
-               /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"
-       eend $?
+       ebegin "Stopping firewall"
+       clear
+       eend ${?}
 }
 
-panic() {
-       if service_started ${SVCNAME}; then
-               rc-service ${SVCNAME} zap
+checkconfig() {
+       if [ ! -f "${NFTABLES_SAVE}" ]; then
+               eerror "Not starting nftables.  First create some rules then 
run:"
+               eerror "rc-service nftables save"
+               return 1
        fi
-       ebegin "Dropping all packets"
-       /usr/libexec/nftables/nftables.sh panic
-       eend $?
+       return 0
 }
 
-soft_panic() {
-       if service_started ${SVCNAME}; then
-               rc-service ${SVCNAME} zap
+checkkernel() {
+       if ! nft list tables >/dev/null 2>&1; then
+               eerror "Your kernel lacks nftables support, please load"
+               eerror "appropriate modules and try again."
+               return 1
        fi
-       ebegin "Dropping new connections"
-       /usr/libexec/nftables/nftables.sh soft_panic
-       eend $?
+       return 0
 }
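Review bot: `start()` flushes the live ruleset with `clear` before `_nftables load` runs, and `start_pre` no longer performs the `check` the removed version ran, so a saved file that fails to parse leaves the host with no firewall rules while the service only reports a failed start. Validating before touching kernel state restores the earlier fail-closed order, e.g. `checkconfig || return 1` followed by `_nftables check "${NFTABLES_SAVE}" || return 1` in `start_pre`, since the helper script already supported `check`. `panic()` has a related weakness: each `nft create table … filter` is the condition of an `if` with no `else`, so if `clear` failed and the table already exists the drop chains are skipped and the function still exits 0, and its `ebegin` has no matching `eend` to report either outcome. `save()` likewise opens with `ebegin` but returns without `eend`.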

diff --git a/net-firewall/nftables/nftables-0.9.7.ebuild 
b/net-firewall/nftables/nftables-0.9.7-r1.ebuild
similarity index 98%
copy from net-firewall/nftables/nftables-0.9.7.ebuild
copy to net-firewall/nftables/nftables-0.9.7-r1.ebuild
index c1413422262..99305e2ed64 100644
--- a/net-firewall/nftables/nftables-0.9.7.ebuild
+++ b/net-firewall/nftables/nftables-0.9.7-r1.ebuild
@@ -111,7 +111,7 @@ src_install() {
        exeinto /usr/libexec/${PN}
        newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
        newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
-       newinitd "${FILESDIR}"/${PN}${mksuffix}.init ${PN}
+       newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
        keepdir /var/lib/nftables
 
        systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service

diff --git a/net-firewall/nftables/nftables-0.9.7.ebuild 
b/net-firewall/nftables/nftables-0.9.7.ebuild
index c1413422262..99305e2ed64 100644
--- a/net-firewall/nftables/nftables-0.9.7.ebuild
+++ b/net-firewall/nftables/nftables-0.9.7.ebuild
@@ -111,7 +111,7 @@ src_install() {
        exeinto /usr/libexec/${PN}
        newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
        newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
-       newinitd "${FILESDIR}"/${PN}${mksuffix}.init ${PN}
+       newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
        keepdir /var/lib/nftables
 
        systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-9999.ebuild
index 2230bbd4f98..1cc0dea3eb8 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -122,7 +122,7 @@ src_install() {
        exeinto /usr/libexec/${PN}
        newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
        newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
-       newinitd "${FILESDIR}"/${PN}${mksuffix}.init ${PN}
+       newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
        keepdir /var/lib/nftables
 
        systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
