From 29a2513f241e3be9428d20756ac2929c764b4115 Mon Sep 17 00:00:00 2001
From: Alexander Dahl
Date: Fri, 6 Apr 2018 11:00:46 +0200
Subject: [PATCH v2 5/5] nftables: Add bbinit startscript

For loading your packet filter rules on system startup.

Signed-off-by: Alexander Dahl
---
 projectroot/etc/init.d/nftables | 103 ++++++++++++++++++++++++++++++++++++++++
 rules/nftables-bbinit.in | 9 ++++
 rules/nftables.in | 4 ++
 rules/nftables.make | 11 +++++
 4 files changed, 127 insertions(+)
 create mode 100644 projectroot/etc/init.d/nftables
 create mode 100644 rules/nftables-bbinit.in

diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
new file mode 100644
index 0000000000..c10db5d901
--- /dev/null
+++ b/projectroot/etc/init.d/nftables
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Author: Arturo Borrero Gonzalez
+# Adapted by: Alexander Dahl
+
+# Do NOT "set -e"
+
+CONF=/etc/nftables.conf
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="firewall service"
+NAME=nftables
+BIN=/usr/sbin/nft
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$BIN" ] || exit 0
+
+do_start()
+{
+ # Return
+ # 0 if start OK
+ # 2 if start NOK
+
+ # nft v0.4 return 0 if ENOENT $CONF
+ if [ ! -r "$CONF" ] ; then
+ echo "E: No such $NAME $DESC config file $CONF" >&2
+ return 2
+ fi
+
+ $BIN -f $CONF || return 2
+}
+
+do_stop()
+{
+ # Return
+ # 0 if stopped
+ # 1 if already stopped
+ # 2 if could not be stopped
+ if ! do_status ; then
+ $BIN flush ruleset || return 2
+ fi
+}
+
+do_status()
+{
+ # Return
+ # 0 if no rules
+ # 1 if rules
+ if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
+ return 0
+ fi
+
+ return 1
+}
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC ..."
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC ..."
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ stop)
+ echo -n "Stopping $DESC ..."
+ do_stop
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ status)
+ if ! do_status ; then
+ echo "Status of ${DESC}: rules loaded"
+ exit 0
+ else
+ echo "Status of ${DESC}: no rules loaded"
+ exit 1
+ fi
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
new file mode 100644
index 0000000000..84234c9761
--- /dev/null
+++ b/rules/nftables-bbinit.in
@@ -0,0 +1,9 @@
+## SECTION=initmethod_bbinit
+
+config NFTABLES_BBINIT_LINK
+ depends on NFTABLES_STARTSCRIPT
+ string
+ prompt "nftables"
+ default "S24nftables"
+
+# vim: ft=kconfig noet tw=72
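Review bot: The `restart|force-reload` branch only runs `do_start`, and `nft -f` adds to whatever ruleset is already loaded rather than replacing it, so unless `/etc/nftables.conf` itself starts with `flush ruleset` every restart appends the file's rules a second time and a rule removed from the file stays in effect. Flushing in the script before loading (`do_stop` then `do_start`) would cure the duplication but opens an unfiltered window and leaves the host with no filter at all if the load then fails, so the replacement belongs inside the same `nft -f` run; I would make that expectation explicit above `$BIN -f $CONF || return 2` with `# $CONF must start with "flush ruleset": nft -f only adds rules, so without it each start/restart appends duplicates.` Separately, `do_status` sends nft's stderr to /dev/null and treats a failed `nft list ruleset` like an empty ruleset, so if nft cannot reach the kernel `stop` prints Done without flushing anything and `status` reports no rules loaded; letting that error through instead of discarding it keeps the two cases distinguishable.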
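Review bot: The default link name `S24nftables` fixes when the ruleset is loaded relative to the other bbinit scripts, but nothing in the new config ties it to the script that brings up the network interfaces; if that script sorts before S24 in this BSP, traffic is accepted unfiltered from interface-up until the ruleset is loaded. Worth checking against the networking link order and, if it is earlier, lowering the default or at least stating the constraint in a help text such as `Must sort before the startscript that brings up network interfaces, otherwise traffic is unfiltered until the ruleset is loaded.`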
diff --git a/rules/nftables.in b/rules/nftables.in
index be7fca1fa0..2b35741b7d 100644
--- a/rules/nftables.in
+++ b/rules/nftables.in
@@ -31,6 +31,10 @@ config NFTABLES_MGMP
 use the nftables build-in mini-GMP instead of linking to the shared libgmp. (may reduce debugging verbosity on some files)
 
+config NFTABLES_STARTSCRIPT
+ bool
+ prompt "install /etc/init.d/nftables"
+
 endif
 
 # vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.make b/rules/nftables.make
index 6c978aa21c..c7d704612e 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
 @$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
 @$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
 
+ifdef PTXCONF_INITMETHOD_BBINIT
+ifdef PTXCONF_NFTABLES_STARTSCRIPT
+ @$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
+
+ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
+ @$(call install_link, nftables, ../init.d/nftables, \
+ /etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
+endif
+endif
+endif
+
 @$(call install_finish, nftables)
 
 @$(call touch)
-- 
2.11.0
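Review bot: `NFTABLES_STARTSCRIPT` is a plain `bool` with no `depends on`, while the make rule only installs the script under `PTXCONF_INITMETHOD_BBINIT`, so with any other init method the option can be switched on and silently installs nothing. Either `depends on INITMETHOD_BBINIT` on the new config, or a help text saying the script is only installed for bbinit, would make that visible in menuconfig instead of leaving a user who enabled it believing the firewall comes up at boot.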