diff options
Diffstat (limited to 'net-firewall/iptables/files')
| -rw-r--r-- | net-firewall/iptables/files/ip6tables-r1.confd | 27 | ||||
| -rw-r--r-- | net-firewall/iptables/files/iptables-r1.confd | 27 | ||||
| -rwxr-xr-x | net-firewall/iptables/files/iptables-r1.init | 159 |
3 files changed, 213 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/ip6tables-r1.confd b/net-firewall/iptables/files/ip6tables-r1.confd new file mode 100644 index 000000000000..e608f41d1ea7 --- /dev/null +++ b/net-firewall/iptables/files/ip6tables-r1.confd @@ -0,0 +1,27 @@ +# /etc/conf.d/ip6tables + +# Set wait option for xtables lock in seconds +# DEFAULT: 60 +#IPTABLES_LOCK_WAIT_TIME="60" + +# Set wait interval option for xtables lock in microseconds +# DEFAULT: 1000 +#IPTABLES_LOCK_WAIT_INTERVAL="1000" + +# Location in which ip6tables initscript will save set rules on +# service shutdown +IP6TABLES_SAVE="/var/lib/ip6tables/rules-save" + +# Options to pass to ip6tables-save and ip6tables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping ip6tables +SAVE_ON_STOP="yes" + +# If you need to log ip6tables messages as soon as ip6tables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-r1.confd b/net-firewall/iptables/files/iptables-r1.confd new file mode 100644 index 000000000000..d5055e0a5d23 --- /dev/null +++ b/net-firewall/iptables/files/iptables-r1.confd @@ -0,0 +1,27 @@ +# /etc/conf.d/iptables + +# Set wait option for xtables lock in seconds +# DEFAULT: 60 +#IPTABLES_LOCK_WAIT_TIME="60" + +# Set wait interval option for xtables lock in microseconds +# DEFAULT: 1000 +#IPTABLES_LOCK_WAIT_INTERVAL="1000" + +# Location in which iptables initscript will save set rules on +# service shutdown +IPTABLES_SAVE="/var/lib/iptables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-r1.init b/net-firewall/iptables/files/iptables-r1.init new file mode 100755 index 000000000000..708dcce6d3c7 --- /dev/null +++ b/net-firewall/iptables/files/iptables-r1.init @@ -0,0 +1,159 @@ +#!/sbin/openrc-run +# Copyright 1999-2018 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"} +iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"} + +iptables_name=${SVCNAME} +case ${iptables_name} in + iptables|ip6tables) ;; + *) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local has_errors=0 chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + + local chain + for chain in ${chains} ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy} + [ $? -ne 0 ] && has_errors=1 + done + + return ${has_errors} +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +checkconfig() { + if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start_pre() { + checkkernel || return 1 + checkconfig || return 1 +} + +start() { + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +stop_pre() { + checkkernel || return 1 +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + + ebegin "Stopping firewall" + local has_errors=0 a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + done + eend ${has_errors} +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + ebegin "Flushing firewall" + local has_errors=0 a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + done + eend ${has_errors} + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + checkkernel || return 1 + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local has_errors=0 a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a + [ $? -ne 0 ] && has_errors=1 + + if [ "${a}" != "nat" ]; then + # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. + set_table_policy $a DROP + [ $? -ne 0 ] && has_errors=1 + fi + done + eend ${has_errors} +} |