authorRobin H. Johnson <robbat2@gentoo.org>2015-08-08 13:49:04 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2015-08-08 17:38:18 -0700
commit56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch)
tree3f91093cdb475e565ae857f1c5a7fd339e2d781e /net-firewall/nftables
proj/gentoo: Initial commit
This commit represents a new era for Gentoo: Storing the gentoo-x86 tree in Git, as converted from CVS. This commit is the start of the NEW history. Any historical data is intended to be grafted onto this point. Creation process: 1. Take final CVS checkout snapshot 2. Remove ALL ChangeLog* files 3. Transform all Manifests to thin 4. Remove empty Manifests 5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$ 5.1. Do not touch files with -kb/-ko keyword flags. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'net-firewall/nftables')
-rw-r--r--net-firewall/nftables/Manifest1
-rw-r--r--net-firewall/nftables/files/nftables.confd19
-rw-r--r--net-firewall/nftables/files/nftables.init166
-rw-r--r--net-firewall/nftables/metadata.xml9
-rw-r--r--net-firewall/nftables/nftables-0.4.ebuild54
5 files changed, 249 insertions, 0 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
new file mode 100644
index 000000000000..a443926b35a8
--- /dev/null
+++ b/net-firewall/nftables/Manifest
@@ -0,0 +1 @@
+DIST nftables-0.4.tar.bz2 362120 SHA256 f6ca69b75c68915f9f3a3972274ec68354dfbbcfc0b9fc55c813a0525c351d3c SHA512 0932cf987da602285fbf7c7f61328b0d74d687889c2d4a5bd2bd7fe11e8b99433bc5ee53ebbddadf2c90e40acdcb28f6babf07e11feedff815c571c3b782dffc WHIRLPOOL 1604010f260247c2fd98d33ca931eb0be6f38097937983aadfbdf2eb44fd3827212d00e6e6351821ccd8a2696fc696d9e7ec102d447387f930b8fb2afadc22a8
diff --git a/net-firewall/nftables/files/nftables.confd b/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 000000000000..e83a4b962061
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
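Review bot: With SAVE_ON_STOP defaulting to "yes", a stop snapshots whatever ruleset is loaded at that moment, so running `rc-service nftables clear` (which, in the init script of this commit, deletes every table without saving) and then stopping the service overwrites the good rules-save with an empty ruleset, and the next start loads no firewall at all. The comment on SAVE_ON_STOP should warn about that, e.g. `# Note: this saves whatever ruleset is loaded at stop time; after 'clear' that is an empty ruleset, which will replace your saved rules.`. Operators who want a fixed, reviewed ruleset may also prefer SAVE_ON_STOP="no", and a one-line hint to that effect next to the setting would make the trade-off visible.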
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
new file mode 100644
index 000000000000..c72639305654
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,166 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+getfamilies() {
+ local families
+ for l3f in ip arp ip6 bridge inet; do
+ if nft list tables ${l3f} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ fi
+ done
+ echo ${families}
+}
+
+clearNFT() {
+ local l3f line table chain
+
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ nft flush table ${l3f} ${table}
+ nft list table ${l3f} ${table} | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
+ cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain ${l3f} ${table} ${chain}
+ nft delete chain ${l3f} ${table} ${chain}
+ fi
+ done
+ nft delete table ${l3f} ${table}
+ done
+ done
+}
+
+addpanictable() {
+ local l3f=$1
+ nft add table ${l3f} panic
+ nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
+ nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
+ nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
+ nft add rule ${l3f} panic input drop
+ nft add rule ${l3f} panic output drop
+ nft add rule ${l3f} panic forward drop
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clearNFT
+ nft -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clearNFT
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ # checkrules || return 1
+ ebegin "Flushing firewall"
+ clearNFT
+
+ start
+}
+
+clear() {
+ clearNFT
+}
+
+list() {
+ local l3f
+
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
+
+ touch "${tmp_save}"
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ # The below substitution fixes an issue where nft -n output may not
+ # always be parsable by nft -f. For example, nft -n might print
+ #
+ # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
+ #
+ # but nft -f refuses to parse that string with error:
+ #
+ # In file included from internal:0:0-0:
+ # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
+ # Invalid argument
+ # table ip6 filter {
+ # ^^
+ echo "$(nft ${SAVE_OPTIONS} list ${line} |\
+ sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
+ done
+ done
+ mv "${tmp_save}" "${NFTABLES_SAVE}"
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clearNFT
+
+ local l3f
+ for l3f in $(getfamilies); do
+ case ${l3f} in
+ ip) addpanictable ${l3f} ;;
+ ip6) addpanictable ${l3f} ;;
+ esac
+ done
+}
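Review bot: In save(), the temporary file is created with a bare `touch "${tmp_save}"`, so its mode comes from the current umask, and the final `mv "${tmp_save}" "${NFTABLES_SAVE}"` replaces the file that `checkpath -q -m 0600 -f "${NFTABLES_SAVE}"` just tightened with that umask-moded file; under the usual 022 umask the saved ruleset most likely ends up world-readable, which defeats the 0600 the script clearly intends. Create the temp file with the intended mode instead, `checkpath -q -m 0600 -f "${tmp_save}"` in place of the `touch`. Separately, an `nft ... list` failure inside the `echo "$(...)"` is swallowed, so a failed listing still installs a truncated file over the previous good rules-save; consider writing each listing straight to the file and skipping the `mv` when any of them failed. `${NFTABLES_SAVE}` is also unquoted in checkconfig and start, which breaks on paths with spaces.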
diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml
new file mode 100644
index 000000000000..a25096653fc9
--- /dev/null
+++ b/net-firewall/nftables/metadata.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<maintainer>
+ <email>mrueg@gentoo.org</email>
+ <name>Manuel Rüger</name>
+</maintainer>
+</pkgmetadata>
diff --git a/net-firewall/nftables/nftables-0.4.ebuild b/net-firewall/nftables/nftables-0.4.ebuild
new file mode 100644
index 000000000000..85a0bbb60204
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.4.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug +readline"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ readline? ( sys-libs/readline )"
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
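Review bot: pkg_setup only prints an eerror when the running kernel is older than 3.13 and then lets the merge continue, so on such a host the package installs without the CONFIG_CHECK branch ever running. If building on one kernel for a different target (chroots, cross builds) is the intended use, a comment on that `else` branch saying so would keep the next maintainer from turning it into a `die`; otherwise `die` is the conventional way to stop here. The `~` prefix in `CONFIG_CHECK="~NF_TABLES"` likewise appears to make that check advisory rather than fatal under linux-info, which is worth stating in the same comment.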