diff options
| author |   Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org> | 2019-01-08 03:37:48 +0100 |
|---|---|---|
| committer |   Matthew Thode <prometheanfire@gentoo.org> | 2019-01-07 20:53:52 -0600 |
| commit | 4ebf4b667f24cf4384e12413e73307766cec6413 (patch) | |
| tree | 63d92ec5151b9115b0f7bde1e7965851d4b7a73b /net-firewall | |
| parent | app-office/calligra: Fix build with poppler-0.72 (diff) | |
| download | gentoo-4ebf4b667f24cf4384e12413e73307766cec6413.tar.gz gentoo-4ebf4b667f24cf4384e12413e73307766cec6413.tar.bz2 gentoo-4ebf4b667f24cf4384e12413e73307766cec6413.zip | |
net-firewall/nftables: Add atomic nftables updates for modern kernels
Signed-off-by: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Diffstat (limited to 'net-firewall')
| -rw-r--r-- | net-firewall/nftables/files/libexec/nftables-mk.sh | 59 | ||||
| -rw-r--r-- | net-firewall/nftables/files/nftables-mk.confd | 26 | ||||
| -rw-r--r-- | net-firewall/nftables/files/nftables-mk.init | 104 | ||||
| -rw-r--r-- | net-firewall/nftables/metadata.xml | 5 | ||||
| -rw-r--r-- | net-firewall/nftables/nftables-0.9.0-r2.ebuild | 94 |
5 files changed, 288 insertions, 0 deletions
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh new file mode 100644 index 000000000000..b6ad37867b6d --- /dev/null +++ b/net-firewall/nftables/files/libexec/nftables-mk.sh @@ -0,0 +1,59 @@ +#!/bin/sh + +main() { + local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'} + case "$1" in + "check") + nft -c -f "${NFTABLES_SAVE}" + ;; + "clear") + nft flush ruleset + ;; + "list") + nft ${SAVE_OPTIONS} list ruleset + ;; + "load") + ( echo "flush ruleset;"; cat "${NFTABLES_SAVE}" ) | nft -f - + ;; + "panic") + panic hard | nft -f - + ;; + "soft_panic") + panic soft | nft -f - + ;; + "store") + local tmp_save="${NFTABLES_SAVE}.tmp" + umask 600; + ( + echo "#!/sbin/nft -f" + echo "flush ruleset;" + nft ${SAVE_OPTIONS} list ruleset + ) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE} + ;; + esac +} + +panic() { + local erule; + [ "$1" = soft ] && erule="ct state established,related accept;" || erule=""; + cat <<EOF +table inet filter { + chain input { + type filter hook input priority 0; + $erule + drop + } + chain forward { + type filter hook forward priority 0; + drop + } + chain output { + type filter hook output priority 0; + $erule + drop + } +} +EOF +} + +main "$@" diff --git a/net-firewall/nftables/files/nftables-mk.confd b/net-firewall/nftables/files/nftables-mk.confd new file mode 100644 index 000000000000..5cda24030f93 --- /dev/null +++ b/net-firewall/nftables/files/nftables-mk.confd @@ -0,0 +1,26 @@ +# /etc/conf.d/nftables + +# Location in which nftables initscript will save set rules on +# service shutdown +NFTABLES_SAVE="/var/lib/nftables/rules-save" + +# Options to pass to nft on save +SAVE_OPTIONS="-n" + +# Save state on stopping nftables +SAVE_ON_STOP="yes" + +# Only for OpenRC systems. +# Set to "hard" or "soft" to panic when stopping instead of +# clearing the rules +# Soft panic loads a ruleset dropping any new or invalid connections +# Hard panic loads a ruleset dropping all traffic +PANIC_ON_STOP="" + +# If you need to log nftables messages as soon as nftables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/nftables/files/nftables-mk.init b/net-firewall/nftables/files/nftables-mk.init new file mode 100644 index 000000000000..f7e3dce8ada2 --- /dev/null +++ b/net-firewall/nftables/files/nftables-mk.init @@ -0,0 +1,104 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check clear list panic save soft_panic" +extra_started_commands="reload" + +depend() { + need localmount #434774 + before net +} + +checkkernel() { + if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then + eerror "Your kernel lacks nftables support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +checkconfig() { + if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then + eerror "Not starting nftables. First create some rules then run:" + eerror "/etc/init.d/${SVCNAME} save" + return 1 + fi + return 0 +} + +start_pre() { + checkconfig || return 1 + checkkernel || return 1 + check || return 1 +} + +start() { + ebegin "Loading ${SVCNAME} state and starting firewall" + /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}" + eend $? +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + + ebegin "Stopping firewall" + if [ "${PANIC_ON_STOP}" = "hard" ]; then + /usr/libexec/nftables/nftables.sh panic + elif [ "${PANIC_ON_STOP}" = "soft" ]; then + /usr/libexec/nftables/nftables.sh soft_panic + else + /usr/libexec/nftables/nftables.sh clear + fi + eend $? +} + +reload() { + start_pre || return 1 + start +} + +clear() { + ebegin "Clearing rules" + /usr/libexec/nftables/nftables.sh clear + eend $? +} + +list() { + /usr/libexec/nftables/nftables.sh list +} + +check() { + ebegin "Checking rules" + /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}" + eend $? +} + +save() { + ebegin "Saving ${SVCNAME} state" + checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" + checkpath -q -m 0600 -f "${NFTABLES_SAVE}" + /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}" + eend $? +} + +panic() { + if service_started ${SVCNAME}; then + rc-service ${SVCNAME} zap + fi + ebegin "Dropping all packets" + /usr/libexec/nftables/nftables.sh panic + eend $? +} + +soft_panic() { + if service_started ${SVCNAME}; then + rc-service ${SVCNAME} zap + fi + ebegin "Dropping new connections" + /usr/libexec/nftables/nftables.sh soft_panic + eend $? +} diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml index 1a891a6e5330..dcc71d66d6f8 100644 --- a/net-firewall/nftables/metadata.xml +++ b/net-firewall/nftables/metadata.xml @@ -9,7 +9,12 @@ <email>prometheanfire@gentoo.org</email> <name>Matthew Thode</name> </maintainer> + <maintainer type="person"> + <email>klondike@gentoo.org</email> + <name>Francisco Blas Izquierdo Riera</name> + </maintainer> <use> <flag name="json">Enable JSON support via <pkg>dev-libs/jansson</pkg></flag> + <flag name="modern_kernel">Install init scripts for 3.18 or higher kernels with atomic rule updates</flag> </use> </pkgmetadata> diff --git a/net-firewall/nftables/nftables-0.9.0-r2.ebuild b/net-firewall/nftables/nftables-0.9.0-r2.ebuild new file mode 100644 index 000000000000..346d321bb376 --- /dev/null +++ b/net-firewall/nftables/nftables-0.9.0-r2.ebuild @@ -0,0 +1,94 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit autotools linux-info systemd + +DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" +HOMEPAGE="https://netfilter.org/projects/nftables/" +SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~ia64 ~x86" +IUSE="debug doc +gmp json +modern_kernel +readline" + +RDEPEND=">=net-libs/libmnl-1.0.3:0= + gmp? ( dev-libs/gmp:0= ) + json? ( dev-libs/jansson ) + readline? ( sys-libs/readline:0= ) + >=net-libs/libnftnl-1.1.1:0=" + +DEPEND="${RDEPEND} + >=app-text/docbook2X-0.8.8-r4 + doc? ( >=app-text/dblatex-0.3.7 ) + sys-devel/bison + sys-devel/flex + virtual/pkgconfig" + +S="${WORKDIR}/v${PV}" + +pkg_setup() { + if kernel_is ge 3 13; then + if use modern_kernel && kernel_is lt 3 18; then + eerror "The modern_kernel USE flag requires kernel version 3.18 or newer to work properly." + fi + CONFIG_CHECK="~NF_TABLES" + linux-info_pkg_setup + else + eerror "This package requires kernel version 3.13 or newer to work properly." + fi +} + +src_prepare() { + default + eautoreconf +} + +src_configure() { + local myeconfargs=( + --sbindir="${EPREFIX}"/sbin + $(use_enable debug) + $(use_enable doc pdf-doc) + $(use_with !gmp mini_gmp) + $(use_with json) + $(use_with readline cli) + ) + econf "${myeconfargs[@]}" +} + +src_install() { + default + + local mksuffix="" + use modern_kernel && mksuffix="-mk" + + exeinto /usr/libexec/${PN} + newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh + newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} + newinitd "${FILESDIR}"/${PN}${mksuffix}.init ${PN} + keepdir /var/lib/nftables + + systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service + systemd_enable_service basic.target ${PN}-restore.service + + docinto /usr/share/doc/${PF}/skels + dodoc "${D}"/etc/nftables/* + rm -R "${D}"/etc/nftables +} + +pkg_postinst() { + local save_file + save_file="${EROOT%/}/var/lib/nftables/rules-save" + + # In order for the nftables-restore systemd service to start + # the save_file must exist. + if [[ ! -f ${save_file} ]]; then + touch ${save_file} + fi + + elog "If you are creating firewall rules before the next system restart " + elog "the nftables-restore service must be manually started in order to " + elog "save those rules on shutdown." +} |