authorPaul Healy <lmiphay@gmail.com>2019-06-22 15:22:18 +0100
committerPaul Healy <lmiphay@gmail.com>2019-06-22 15:22:18 +0100
commit5d3cd35a123ebe4b901287f46ebab9cb2db085f6 (patch)
tree54a614bae06538dcdb51473b044b79872ffa2e79
parentrevbump gitea (diff)
downloadlmiphay-5d3cd35a123ebe4b901287f46ebab9cb2db085f6.tar.gz
lmiphay-5d3cd35a123ebe4b901287f46ebab9cb2db085f6.tar.bz2
lmiphay-5d3cd35a123ebe4b901287f46ebab9cb2db085f6.zip
work around fetch problem for nftables 0.8
Signed-off-by: Paul Healy <lmiphay@gmail.com>
-rw-r--r--net-firewall/nftables/Manifest9
-rw-r--r--net-firewall/nftables/files/libexec/nftables-mk.sh60
-rwxr-xr-xnet-firewall/nftables/files/libexec/nftables.sh149
-rw-r--r--net-firewall/nftables/files/nftables-mk.confd26
-rw-r--r--net-firewall/nftables/files/nftables-mk.init104
-rw-r--r--net-firewall/nftables/files/nftables.confd19
-rw-r--r--net-firewall/nftables/files/nftables.init124
-rw-r--r--net-firewall/nftables/files/systemd/nftables-restore.service14
-rw-r--r--net-firewall/nftables/nftables-0.8-r4.ebuild84
9 files changed, 589 insertions, 0 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
new file mode 100644
index 0000000..39a8e04
--- /dev/null
+++ b/net-firewall/nftables/Manifest
@@ -0,0 +1,9 @@
+AUX libexec/nftables-mk.sh 1071 BLAKE2B 0377d7ddbf11a8e897050a715b1313db95ba5f19832d882357f6083bb7a890a2fdf1d97a9b3730ad341f58539655b22989b18b29358645eb5b4d597e800b382a SHA512 4e2901de1d8d9488939bc052bd3f6362cba1855138e0577630db4bc1d9e352d9ab0a54e3c5c8bf0daecf56b9471f445eb9770879ea29b7e7961a576d65f49647
+AUX libexec/nftables.sh 3643 BLAKE2B 83818eb88db2d30c58b348e12b5c5baf7599f4e301ac12455a70f1c98e369e4febab3020ddb1c5b83e6d3777b3a98bd30a5baf73d90ac00e1278d88fc1565b8b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352
+AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602
+AUX nftables-mk.init 2090 BLAKE2B 62f56586ca4ba0acbd3ac41f4904041d625388771bbafc32833055a5f3c00f251e1d9a04bb41dd672f33d13a0825f7e4470a30d7e874df1abd41508148ef42b0 SHA512 819b2d60b42207cb70d95b700557e873fe18c5f6e8437683240beb317f773cf8e18755086e24652a9bcff49c6f96af8cd9e3f3b62c9f433779eff4e3f3935197
+AUX nftables.confd 655 BLAKE2B 5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144
+AUX nftables.init 3069 BLAKE2B 68c6b2b81995bd909c00cc3527f891f04d0dd30532cd821c89b59fc7e3ea0dff0e98d767cee2c00a5462023fdf6f59e813dec7063768a34187f2404377e498f7 SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661
+AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0
+DIST nftables-0.8.tar.bz2 552345 BLAKE2B a810d1c0f8bf0dc728acd65a51b6ee4aede663a20681871d838b93a285fa0f062638a6d508dee850d21c6fcf3147d035f461360dbd470e1305fd612a1e0a0fcd SHA512 63614d982c7c8a72f6c287b6a026a901994d161573daf490eba4013e7ac4184c371ab49323830f7b0a980b850aae45becb7fa55aa876ce705a1b44f20124caf4
+EBUILD nftables-0.8-r4.ebuild 1945 BLAKE2B 92a7306e258c0fffc545ae24d217d74b4af6cc8fb8f78fe6a1d20ceb82b92b292c1c22b634cb2741fdbc34cc6e539a2714dac11c75ce6a754d66432e2a3e1bb0 SHA512 625f281497422e6b21accfaac312f825ac56e4cdcf8feab5298d1c478c1e7099f4402e234ba3062b8f08d31a7cfff52e0de86718ee6bb85b02a5168949c05f26
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
new file mode 100644
index 0000000..b3d7db6
--- /dev/null
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ case "$1" in
+ "check")
+ nft -c -f "${NFTABLES_SAVE}"
+ ;;
+ "clear")
+ nft flush ruleset
+ ;;
+ "list")
+ nft ${SAVE_OPTIONS} list ruleset
+ ;;
+ "load")
+ # We use an include because cat fails with long rulesets see #675188
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
+ ;;
+ "panic")
+ panic hard | nft -f -
+ ;;
+ "soft_panic")
+ panic soft | nft -f -
+ ;;
+ "store")
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ umask 600;
+ (
+ printf '#!/sbin/nft -f\nflush ruleset\n'
+ nft ${SAVE_OPTIONS} list ruleset
+ ) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
+ ;;
+ esac
+}
+
+panic() {
+ local erule;
+ [ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
+ cat <<EOF
+flush ruleset
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ $erule
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ $erule
+ drop
+ }
+}
+EOF
+}
+
+main "$@"
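Review bot: `umask 600;` in the `store` branch of `main` is inverted — a umask clears the bits it names, so the temp file is created as 0066 (no owner bits, group/other read-write) instead of 0600, and that mode survives the rename onto `${NFTABLES_SAVE}`; the intended value is `umask 077`. Because root bypasses DAC the write still succeeds, which is why the mistake goes unnoticed while the saved ruleset ends up readable by every local user. The rename `mv ${tmp_save} ${NFTABLES_SAVE}` should also quote both paths, matching the `"$tmp_save"` redirect on the same line.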
diff --git a/net-firewall/nftables/files/libexec/nftables.sh b/net-firewall/nftables/files/libexec/nftables.sh
new file mode 100755
index 0000000..cc55f85
--- /dev/null
+++ b/net-firewall/nftables/files/libexec/nftables.sh
@@ -0,0 +1,149 @@
+#! /bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ local retval
+ case "$1" in
+ "clear")
+ if ! use_legacy; then
+ nft flush ruleset
+ else
+ clear_legacy
+ fi
+ retval=$?
+ ;;
+ "list")
+ if ! use_legacy; then
+ nft list ruleset
+ else
+ list_legacy
+ fi
+ retval=$?
+ ;;
+ "load")
+ nft -f ${NFTABLES_SAVE}
+ retval=$?
+ ;;
+ "store")
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ if ! use_legacy; then
+ nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
+ else
+ save_legacy ${tmp_save}
+ fi
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ ;;
+ esac
+ return ${retval}
+}
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=$(uname -r | cut -d '.' -f1)
+ minor_ver=$(uname -r | cut -d '.' -f2)
+
+ [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
+ return 0
+}
+
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
+main "$@"
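Review bot: The guard `if [ ${retval} ]; then` in the `store` branch of `main` is always true — `[ 0 ]` tests a non-empty string — so a failed `nft list ruleset` still moves the empty or partial temp file over `${NFTABLES_SAVE}`; it should read `if [ "${retval}" -eq 0 ]; then`. The same branch writes `${tmp_save}` with the caller's umask and then renames it over the save file, so the 0600 mode that `nftables.init`'s `save` sets with `checkpath` (and that `nftables-restore.service` never sets at all) is lost and the stored ruleset becomes world-readable; an `umask 077` ahead of the redirect keeps the rename from widening permissions. `manualwalk` also always returns 1: `nft list tables | read line` runs `read` in a pipeline subshell under POSIX sh so `$line` is empty afterwards, and the unconditional `result=1` on the following line overwrites the `result=0` assignment in any case.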
diff --git a/net-firewall/nftables/files/nftables-mk.confd b/net-firewall/nftables/files/nftables-mk.confd
new file mode 100644
index 0000000..5cda240
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-mk.confd
@@ -0,0 +1,26 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# Only for OpenRC systems.
+# Set to "hard" or "soft" to panic when stopping instead of
+# clearing the rules
+# Soft panic loads a ruleset dropping any new or invalid connections
+# Hard panic loads a ruleset dropping all traffic
+PANIC_ON_STOP=""
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/nftables/files/nftables-mk.init b/net-firewall/nftables/files/nftables-mk.init
new file mode 100644
index 0000000..f7e3dce
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-mk.init
@@ -0,0 +1,104 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save soft_panic"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkkernel || return 1
+ check || return 1
+}
+
+start() {
+ ebegin "Loading ${SVCNAME} state and starting firewall"
+ /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ if [ "${PANIC_ON_STOP}" = "hard" ]; then
+ /usr/libexec/nftables/nftables.sh panic
+ elif [ "${PANIC_ON_STOP}" = "soft" ]; then
+ /usr/libexec/nftables/nftables.sh soft_panic
+ else
+ /usr/libexec/nftables/nftables.sh clear
+ fi
+ eend $?
+}
+
+reload() {
+ start_pre || return 1
+ start
+}
+
+clear() {
+ ebegin "Clearing rules"
+ /usr/libexec/nftables/nftables.sh clear
+ eend $?
+}
+
+list() {
+ /usr/libexec/nftables/nftables.sh list
+}
+
+check() {
+ ebegin "Checking rules"
+ /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}"
+ eend $?
+}
+
+save() {
+ ebegin "Saving ${SVCNAME} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"
+ eend $?
+}
+
+panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping all packets"
+ /usr/libexec/nftables/nftables.sh panic
+ eend $?
+}
+
+soft_panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping new connections"
+ /usr/libexec/nftables/nftables.sh soft_panic
+ eend $?
+}
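Review bot: This init script invokes `/usr/libexec/nftables/nftables.sh check`, `panic` and `soft_panic` (in `start_pre`, `stop`, `check`, `panic` and `soft_panic`), but the script the ebuild installs under that path is `nftables.sh`, whose `main` only handles `clear`, `list`, `load` and `store` and returns success for any other verb; the three verbs exist only in `nftables-mk.sh`, which `src_install` never copies. With that pairing `check` silently passes and `PANIC_ON_STOP` does nothing, so either the ebuild should install `nftables-mk.sh` alongside this init (e.g. `newexe "${FILESDIR}"/libexec/nftables-mk.sh nftables.sh`), or the `-mk` files should be dropped from the commit. Unlike its sibling, `checkkernel` here hard-codes `/sbin/nft` where `nftables.init` calls `nft`; one form should be used in both.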
diff --git a/net-firewall/nftables/files/nftables.confd b/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 0000000..e83a4b9
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
new file mode 100644
index 0000000..cf4ab8b
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,124 @@
+#!/sbin/openrc-run
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ /usr/libexec/nftables/nftables.sh clear || return 1
+ return 0
+}
+
+list() {
+ /usr/libexec/nftables/nftables.sh list || return 1
+ return 0
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ export SAVE_OPTIONS
+ /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
+ return $?
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
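Review bot: `start` flushes the live ruleset via `clear` and only then runs `nft -f ${NFTABLES_SAVE}`, so a save file that fails to parse leaves the host with no firewall at all while the service merely reports failure; validating the file in `checkconfig` with `nft -c -f "${NFTABLES_SAVE}" || return 1` before anything is flushed avoids that, and `nftables-mk.sh`'s `load` shows the atomic alternative of feeding `flush ruleset` and the include to a single `nft -f -`. `checkconfig` also tests an unquoted `${NFTABLES_SAVE}`; when the variable is empty `[ ! -f ]` evaluates to false and the check passes, after which `load` runs with no file argument. `save` opens an `ebegin` it never closes with `eend`.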
diff --git a/net-firewall/nftables/files/systemd/nftables-restore.service b/net-firewall/nftables/files/systemd/nftables-restore.service
new file mode 100644
index 0000000..4b68b0a
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Store and restore nftables firewall rules
+ConditionPathExists=/var/lib/nftables/rules-save
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
+ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/nftables/nftables-0.8-r4.ebuild b/net-firewall/nftables/nftables-0.8-r4.ebuild
new file mode 100644
index 0000000..5e10fa5
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.8-r4.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools linux-info systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+SRC_URI="http://ftp.netfilter.org/pub/nftables/nftables-0.8.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ia64 x86"
+IUSE="debug doc +gmp +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3:0=
+ gmp? ( dev-libs/gmp:0= )
+ readline? ( sys-libs/readline:0= )
+ >=net-libs/libnftnl-1.0.8:0="
+
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ doc? ( >=app-text/dblatex-0.3.7 )
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig"
+
+S="${WORKDIR}/v${PV}"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable doc pdf-doc)
+ $(use_enable debug)
+ $(use_with readline cli)
+ $(use_with !gmp mini_gmp)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ dodir /usr/libexec/${PN}
+ exeinto /usr/libexec/${PN}
+ doexe "${FILESDIR}"/libexec/${PN}.sh
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_enable_service basic.target ${PN}-restore.service
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT%/}/var/lib/nftables/rules-save"
+
+ # In order for the nftables-restore systemd service to start
+ # the save_file must exist.
+ if [[ ! -f ${save_file} ]]; then
+ touch ${save_file}
+ fi
+
+ elog "If you are creating firewall rules before the next system restart "
+ elog "the nftables-restore service must be manually started in order to "
+ elog "save those rules on shutdown."
+}
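Review bot: `S="${WORKDIR}/v${PV}"` looks left over from a git-snapshot `SRC_URI`; the `nftables-0.8.tar.bz2` release tarball now fetched is expected to unpack to `nftables-0.8`, i.e. `${WORKDIR}/${P}`, so `S` should presumably be dropped (the default) or set to `"${WORKDIR}/${P}"` — worth confirming against the archive contents. The new `SRC_URI` is also plain `http://`; the Manifest's BLAKE2B/SHA512 digests still verify the distfile, but `https://` should be preferred if the mirror offers it, as `HOMEPAGE` already does. `src_install` installs only `${PN}.sh`, `${PN}.confd` and `${PN}.init`, so the `nftables-mk.*` files added by this commit are dead weight unless they are wired in here. `touch ${save_file}` in `pkg_postinst` should quote its argument for consistency with the `[[ ! -f ${save_file} ]]` test above it.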