Home Explore Help
Register Sign In
Parabola
/
abslibre
mirror of https://git.parabola.nu/abslibre.git
Watch 2
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 1dd45b1f53
Branches Tags
abslibre
/
nonsystemd
/
iptables-openrc
/
iptables.initd

iptables.initd 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. #!/sbin/openrc-run
    2. 

  2. # Copyright 1999-2018 Gentoo Authors
    3. 

  3. # Distributed under the terms of the GNU General Public License v2
    4. 

  4. 

  5. extra_commands="check save panic"
    6. 

  6. extra_started_commands="reload"
    7. 

  7. 

  8. iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
    9. 

  9. iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
    10. 

  10. 

  11. iptables_name=${SVCNAME}
    12. 

  12. case ${iptables_name} in
    13. 

  13. 	iptables|ip6tables) ;;
    14. 

  14. 	*) iptables_name="iptables" ;;
    15. 

  15. esac
    16. 

  16. 

  17. iptables_bin="/sbin/${iptables_name}"
    18. 

  18. case ${iptables_name} in
    19. 

  19. 	iptables)  iptables_proc="/proc/net/ip_tables_names"
    20. 

  20. 	           iptables_save=${IPTABLES_SAVE};;
    21. 

  21. 	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
    22. 

  22. 	           iptables_save=${IP6TABLES_SAVE};;
    23. 

  23. esac
    24. 

  24. 

  25. depend() {
    26. 

  26. 	need localmount #434774
    27. 

  27. 	before net
    28. 

  28. }
    29. 

  29. 

  30. set_table_policy() {
    31. 

  31. 	local has_errors=0 chains table=$1 policy=$2
    32. 

  32. 	case ${table} in
    33. 

  33. 		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
    34. 

  34. 		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
    35. 

  35. 		filter) chains="INPUT FORWARD OUTPUT";;
    36. 

  36. 		*)      chains="";;
    37. 

  37. 	esac
    38. 

  38. 

  39. 	local chain
    40. 

  40. 	for chain in ${chains} ; do
    41. 

  41. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
    42. 

  42. 		[ $? -ne 0 ] && has_errors=1
    43. 

  43. 	done
    44. 

  44. 

  45. 	return ${has_errors}
    46. 

  46. }
    47. 

  47. 

  48. checkkernel() {
    49. 

  49. 	if [ ! -e ${iptables_proc} ] ; then
    50. 

  50. 		eerror "Your kernel lacks ${iptables_name} support, please load"
    51. 

  51. 		eerror "appropriate modules and try again."
    52. 

  52. 		return 1
    53. 

  53. 	fi
    54. 

  54. 	return 0
    55. 

  55. }
    56. 

  56. 

  57. checkconfig() {
    58. 

  58. 	if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
    59. 

  59. 		eerror "Not starting ${iptables_name}.  First create some rules then run:"
    60. 

  60. 		eerror "/etc/init.d/${iptables_name} save"
    61. 

  61. 		return 1
    62. 

  62. 	fi
    63. 

  63. 	return 0
    64. 

  64. }
    65. 

  65. 

  66. start_pre() {
    67. 

  67. 	checkconfig || return 1
    68. 

  68. }
    69. 

  69. 

  70. start() {
    71. 

  71. 	ebegin "Loading ${iptables_name} state and starting firewall"
    72. 

  72. 	${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
    73. 

  73. 	eend $?
    74. 

  74. }
    75. 

  75. 

  76. stop_pre() {
    77. 

  77. 	checkkernel || return 1
    78. 

  78. }
    79. 

  79. 

  80. stop() {
    81. 

  81. 	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
    82. 

  82. 		save || return 1
    83. 

  83. 	fi
    84. 

  84. 

  85. 	ebegin "Stopping firewall"
    86. 

  86. 	local has_errors=0 a
    87. 

  87. 	for a in $(cat ${iptables_proc}) ; do
    88. 

  88. 		set_table_policy $a ACCEPT
    89. 

  89. 		[ $? -ne 0 ] && has_errors=1
    90. 

  90. 

  91. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
    92. 

  92. 		[ $? -ne 0 ] && has_errors=1
    93. 

  93. 

  94. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
    95. 

  95. 		[ $? -ne 0 ] && has_errors=1
    96. 

  96. 	done
    97. 

  97. 	eend ${has_errors}
    98. 

  98. }
    99. 

  99. 

  100. reload() {
    101. 

  101. 	checkkernel || return 1
    102. 

  102. 	checkrules || return 1
    103. 

  103. 	ebegin "Flushing firewall"
    104. 

  104. 	local has_errors=0 a
    105. 

  105. 	for a in $(cat ${iptables_proc}) ; do
    106. 

  106. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
    107. 

  107. 		[ $? -ne 0 ] && has_errors=1
    108. 

  108. 

  109. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
    110. 

  110. 		[ $? -ne 0 ] && has_errors=1
    111. 

  111. 	done
    112. 

  112. 	eend ${has_errors}
    113. 

  113. 

  114. 	start
    115. 

  115. }
    116. 

  116. 

  117. checkrules() {
    118. 

  118. 	ebegin "Checking rules"
    119. 

  119. 	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
    120. 

  120. 	eend $?
    121. 

  121. }
    122. 

  122. 

  123. check() {
    124. 

  124. 	# Short name for users of init.d script.
    125. 

  125. 	checkrules
    126. 

  126. }
    127. 

  127. 

  128. save() {
    129. 

  129. 	ebegin "Saving ${iptables_name} state"
    130. 

  130. 	checkpath -q -d "$(dirname "${iptables_save}")"
    131. 

  131. 	checkpath -q -m 0600 -f "${iptables_save}"
    132. 

  132. 	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
    133. 

  133. 	eend $?
    134. 

  134. }
    135. 

  135. 

  136. panic() {
    137. 

  137. 	# use iptables autoload capability to load at least all required
    138. 

  138. 	# modules and filter table
    139. 

  139. 	${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -S >/dev/null
    140. 

  140. 	if [ $? -ne 0 ] ; then
    141. 

  141. 		eerror "${iptables_bin} failed to load"
    142. 

  142. 		return 1
    143. 

  143. 	fi
    144. 

  144. 

  145. 	if service_started ${iptables_name}; then
    146. 

  146. 		rc-service ${iptables_name} stop
    147. 

  147. 	fi
    148. 

  148. 

  149. 	local has_errors=0 a
    150. 

  150. 	ebegin "Dropping all packets"
    151. 

  151. 	for a in $(cat ${iptables_proc}) ; do
    152. 

  152. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
    153. 

  153. 		[ $? -ne 0 ] && has_errors=1
    154. 

  154. 

  155. 		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
    156. 

  156. 		[ $? -ne 0 ] && has_errors=1
    157. 

  157. 

  158. 		if [ "${a}" != "nat" ]; then
    159. 

  159. 			# The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
    160. 

  160. 			set_table_policy $a DROP
    161. 

  161. 			[ $? -ne 0 ] && has_errors=1
    162. 

  162. 		fi
    163. 

  163. 	done
    164. 

  164. 	eend ${has_errors}
    165. 

  165. }
    166. 

  166.