diff options
| author |   Thomas Deutschmann <whissi@gentoo.org> | 2018-12-02 16:46:25 +0100 |
|---|---|---|
| committer | Thomas Deutschmann <whissi@gentoo.org> | 2018-12-02 16:49:19 +0100 |
| commit | 8addacfd7c0364953240840246f7256bebc87e0a (patch) | |
| tree | e7c9bb4348df97caf72db2cfe98951b67e808776 /net-firewall/iptables/files/iptables-r2.init | |
| parent | app-arch/brotli: stable 1.0.6-r1 for hppa, bug #668496 (diff) | |
| download | gentoo-8addacfd7c0364953240840246f7256bebc87e0a.tar.gz gentoo-8addacfd7c0364953240840246f7256bebc87e0a.tar.bz2 gentoo-8addacfd7c0364953240840246f7256bebc87e0a.zip | |
net-firewall/iptables: allow for iptables' module autoload functionality
In commit cdc003118830087bbb409761fe4e0e2c19ea103a, a non working check
were fixed. In addition, error handling was added.
However, this introduced a behavior change for users who didn't load
iptables on their own and relied on iptables' own capability to autoload
required modules.
This new revision restores previous behavior and allows for relying on
iptables' module autoload capability again.
Closes: https://bugs.gentoo.org/672366
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'net-firewall/iptables/files/iptables-r2.init')
| -rwxr-xr-x | net-firewall/iptables/files/iptables-r2.init | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/iptables-r2.init b/net-firewall/iptables/files/iptables-r2.init new file mode 100755 index 000000000000..3dcabb0dfb41 --- /dev/null +++ b/net-firewall/iptables/files/iptables-r2.init @@ -0,0 +1,165 @@ +#!/sbin/openrc-run +# Copyright 1999-2018 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"} +iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"} + +iptables_name=${SVCNAME} +case ${iptables_name} in + iptables|ip6tables) ;; + *) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local has_errors=0 chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + + local chain + for chain in ${chains} ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy} + [ $? -ne 0 ] && has_errors=1 + done + + return ${has_errors} +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +checkconfig() { + if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start_pre() { + checkconfig || return 1 +} + +start() { + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +stop_pre() { + checkkernel || return 1 +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + + ebegin "Stopping firewall" + local has_errors=0 a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + done + eend ${has_errors} +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + ebegin "Flushing firewall" + local has_errors=0 a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + done + eend ${has_errors} + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + # use iptables autoload capability to load at least all required + # modules and filter table + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -S >/dev/null + if [ $? -ne 0 ] ; then + eerror "${iptables_bin} failed to load" + return 1 + fi + + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local has_errors=0 a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + + if [ "${a}" != "nat" ]; then + # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. + set_table_policy $a DROP + [ $? -ne 0 ] && has_errors=1 + fi + done + eend ${has_errors} +} |