diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /net-firewall/iptables/files |
reinit the tree, so we can have metadata
Diffstat (limited to 'net-firewall/iptables/files')
12 files changed, 469 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd new file mode 100644 index 000000000000..3bb36989d37e --- /dev/null +++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd @@ -0,0 +1,19 @@ +# /etc/conf.d/ip6tables + +# Location in which iptables initscript will save set rules on +# service shutdown +IP6TABLES_SAVE="/var/lib/ip6tables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init new file mode 100644 index 000000000000..b410b4ff52bf --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init @@ -0,0 +1,129 @@ +#!/sbin/openrc-run +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_name=${SVCNAME} +case ${iptables_name} in +iptables|ip6tables) ;; +*) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + local chain + for chain in ${chains} ; do + ${iptables_bin} -t ${table} -P ${chain} ${policy} + done +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} +checkconfig() { + if [ ! -f ${iptables_save} ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start() { + checkconfig || return 1 + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + checkkernel || return 1 + ebegin "Stopping firewall" + local a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + done + eend $? +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + ebegin "Flushing firewall" + local a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + done + eend $? + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + checkkernel || return 1 + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + + set_table_policy $a DROP + done + eend $? +} diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd new file mode 100644 index 000000000000..7225374c3a8a --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13.confd @@ -0,0 +1,19 @@ +# /etc/conf.d/iptables + +# Location in which iptables initscript will save set rules on +# service shutdown +IPTABLES_SAVE="/var/lib/iptables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables/files/iptables-1.4.21-configure.patch new file mode 100644 index 000000000000..e827885f1688 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.21-configure.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/557586 + +From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Sat, 15 Aug 2015 14:12:39 -0400 +Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE + +The 3rd arg is used when --{enable,disable}-foo are passed in, not when +the feature is enabled. Use the existing $enableval instead. + +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/configure ++++ b/configure +@@ -11898,14 +11898,14 @@ fi + + # Check whether --enable-bpf-compiler was given. + if test "${enable_bpf_compiler+set}" = set; then : +- enableval=$enable_bpf_compiler; enable_bpfc="yes" ++ enableval=$enable_bpf_compiler; enable_bpfc="$enableval" + else + enable_bpfc="no" + fi + + # Check whether --enable-nfsynproxy was given. + if test "${enable_nfsynproxy+set}" = set; then : +- enableval=$enable_nfsynproxy; enable_nfsynproxy="yes" ++ enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval" + else + enable_nfsynproxy="no" + fi diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch new file mode 100644 index 000000000000..a4183d6d4025 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch @@ -0,0 +1,77 @@ +https://bugs.gentoo.org/558234 +http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e + +From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Fri, 5 Sep 2014 20:45:56 +0200 +Subject: [PATCH] extensions: libxt_connlabel: do not open config file from + _init hook + +else, static builds will print this for every iptables invocation, +even 'iptables -L'. Delay open until we need to translate a mapping. + +Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + extensions/libxt_connlabel.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c +index c84a167..1f83095 100644 +--- a/extensions/libxt_connlabel.c ++++ b/extensions/libxt_connlabel.c +@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = { + XTOPT_TABLEEND, + }; + ++/* cannot do this via _init, else static builds might spew error message ++ * for every iptables invocation. ++ */ ++static void connlabel_open(void) ++{ ++ if (map) ++ return; ++ ++ map = nfct_labelmap_new(NULL); ++ if (!map && errno) ++ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n", ++ strerror(errno)); ++} ++ + static void connlabel_mt_parse(struct xt_option_call *cb) + { + struct xt_connlabel_mtinfo *info = cb->data; + int tmp; + ++ connlabel_open(); + xtables_option_parse(cb); + + switch (cb->entry->id) { +@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb) + + static const char *connlabel_get_name(int b) + { +- const char *name = nfct_labelmap_get_name(map, b); ++ const char *name; ++ ++ connlabel_open(); ++ ++ name = nfct_labelmap_get_name(map, b); + if (name && strcmp(name, "")) + return name; + return NULL; +@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = { + + void _init(void) + { +- map = nfct_labelmap_new(NULL); +- if (!map) { +- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n", +- connlabel_mt_reg.name, strerror(errno)); +- return; +- } + xtables_register_match(&connlabel_mt_reg); + } +-- +2.4.4 + diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init new file mode 100755 index 000000000000..10394c6f09cf --- /dev/null +++ b/net-firewall/iptables/files/iptables.init @@ -0,0 +1,129 @@ +#!/sbin/openrc-run +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_name=${SVCNAME} +case ${iptables_name} in +iptables|ip6tables) ;; +*) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + local chain + for chain in ${chains} ; do + ${iptables_bin} -w -t ${table} -P ${chain} ${policy} + done +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} +checkconfig() { + if [ ! -f ${iptables_save} ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start() { + checkconfig || return 1 + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + checkkernel || return 1 + ebegin "Stopping firewall" + local a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + + ${iptables_bin} -w -F -t $a + ${iptables_bin} -w -X -t $a + done + eend $? +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + ebegin "Flushing firewall" + local a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -w -F -t $a + ${iptables_bin} -w -X -t $a + done + eend $? + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + checkkernel || return 1 + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -w -F -t $a + ${iptables_bin} -w -X -t $a + + set_table_policy $a DROP + done + eend $? +} diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service new file mode 100644 index 000000000000..c149e92ba900 --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service @@ -0,0 +1,14 @@ +[Unit] +Description=Restore ip6tables firewall rules +# if both are queued for some reason, don't store before restoring :) +Before=ip6tables-store.service +# sounds reasonable to have firewall up before any of the services go up +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save + +[Install] +WantedBy=basic.target diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service new file mode 100644 index 000000000000..9975378353d3 --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables-store.service @@ -0,0 +1,11 @@ +[Unit] +Description=Store ip6tables firewall rules +Before=shutdown.target +DefaultDependencies=No + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save" + +[Install] +WantedBy=shutdown.target diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service new file mode 100644 index 000000000000..0a6d7fa1c8ab --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore ip6tables firewall rules + +[Install] +Also=ip6tables-store.service +Also=ip6tables-restore.service diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service new file mode 100644 index 000000000000..2474ee3ec419 --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables-restore.service @@ -0,0 +1,14 @@ +[Unit] +Description=Restore iptables firewall rules +# if both are queued for some reason, don't store before restoring :) +Before=iptables-store.service +# sounds reasonable to have firewall up before any of the services go up +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save + +[Install] +WantedBy=basic.target diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service new file mode 100644 index 000000000000..aa16e75e9ccf --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables-store.service @@ -0,0 +1,11 @@ +[Unit] +Description=Store iptables firewall rules +Before=shutdown.target +DefaultDependencies=No + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save" + +[Install] +WantedBy=shutdown.target diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service new file mode 100644 index 000000000000..3643a3e31034 --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore iptables firewall rules + +[Install] +Also=iptables-store.service +Also=iptables-restore.service |