summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid P <megver83@parabola.nu>2022-07-19 16:25:26 -0400
committerDavid P <megver83@parabola.nu>2022-07-19 16:25:26 -0400
commit4c8a3124b2b91bb979c95c1c5a8d2206d6cd0b39 (patch)
tree298e96f298878e3974fc05bd31abbee6261621e3
parent13c126ab91c49bd7ad41b6946de56e5d7b008557 (diff)
addpkg: nonsystemd/iptables-openrc 20210505-2
Signed-off-by: David P <megver83@parabola.nu>
-rw-r--r--nonsystemd/iptables-openrc/PKGBUILD39
-rw-r--r--nonsystemd/iptables-openrc/ebtables.confd11
-rw-r--r--nonsystemd/iptables-openrc/ebtables.initd101
-rw-r--r--nonsystemd/iptables-openrc/ip6tables.confd27
-rw-r--r--nonsystemd/iptables-openrc/iptables.confd19
-rw-r--r--nonsystemd/iptables-openrc/iptables.initd165
6 files changed, 362 insertions, 0 deletions
diff --git a/nonsystemd/iptables-openrc/PKGBUILD b/nonsystemd/iptables-openrc/PKGBUILD
new file mode 100644
index 000000000..f60aa9793
--- /dev/null
+++ b/nonsystemd/iptables-openrc/PKGBUILD
@@ -0,0 +1,39 @@
+# Maintainer: David P. <megver83@parabola.nu>
+# Maintainer (Artix): artoo <artoo@artixlinux.org>
+
+pkgname=iptables-openrc
+pkgver=20210505
+pkgrel=2
+pkgdesc="OpenRC iptables init script"
+arch=('any')
+url="https://gitea.artixlinux.org/artixlinux/packagesI/iptables-openrc"
+license=('GPL2')
+groups=('openrc-system')
+provides=('init-iptables' 'ebtables-openrc')
+conflicts=('init-iptables' 'ebtables-openrc')
+backup=('etc/conf.d/iptables'
+ 'etc/conf.d/ip6tables')
+source=("iptables.confd"
+ "ip6tables.confd"
+ "iptables.initd"
+ "ebtables.confd"
+ "ebtables.initd")
+sha256sums=('7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6'
+ 'c1f5bb4ea36bb7c0a7b7abeb8169cb8547f43d348faef70c61f2daa9033c318b'
+ 'e5c6164a0ffa24501d5b3fa6425f0e24a2da73891b4dd62a25b083f9f5b731af'
+ 'c05a6c1ba6add3881068584074681b04bfb2ad43284d7bdd67f47f3da842de58'
+ '6eb00de3cf18f36f909cb95f1aa345de16d1cd9c8b92acb944691ac720bf3cb5')
+
+package() {
+ depends=('openrc' 'iptables')
+
+ for f in iptables ebtables; do
+ install -Dm755 "${srcdir}"/"$f".initd "${pkgdir}"/etc/init.d/"$f"
+ install -Dm644 "${srcdir}"/"$f".confd "${pkgdir}"/etc/conf.d/"$f"
+ done
+
+ install -Dm644 "${srcdir}"/ip6tables.confd "${pkgdir}"/etc/conf.d/ip6tables
+
+ install -Dm755 "${srcdir}"/iptables.initd "${pkgdir}"/etc/init.d/ip6tables
+
+}
diff --git a/nonsystemd/iptables-openrc/ebtables.confd b/nonsystemd/iptables-openrc/ebtables.confd
new file mode 100644
index 000000000..645b26eda
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ebtables.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
diff --git a/nonsystemd/iptables-openrc/ebtables.initd b/nonsystemd/iptables-openrc/ebtables.initd
new file mode 100644
index 000000000..660876011
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ebtables.initd
@@ -0,0 +1,101 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+
+depend() {
+ before net
+ use logger
+}
+
+ebtables_tables() {
+ for table in filter nat broute; do
+ if ${ebtables_bin} -t ${table} -L > /dev/null 2>&1; then
+ printf '%s' "${table} "
+ fi
+ done
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ broute) chains="BROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${ebtables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkconfig() {
+ if [ ! -f ${ebtables_save} ] ; then
+ eerror "Not starting ebtables. First create some rules then run:"
+ eerror "/etc/init.d/ebtables save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ebtables state and starting bridge firewall"
+ ${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Stopping bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ set_table_policy $a ACCEPT
+
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ebtables state"
+ touch "${ebtables_save}"
+ chmod 0600 "${ebtables_save}"
+ ${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${ebtables_save}"
+ eend $?
+}
+
+panic() {
+ service_started ebtables && svc_stop
+
+ local a
+ ebegin "Dropping all packets forwarded on bridges"
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/nonsystemd/iptables-openrc/ip6tables.confd b/nonsystemd/iptables-openrc/ip6tables.confd
new file mode 100644
index 000000000..e608f41d1
--- /dev/null
+++ b/nonsystemd/iptables-openrc/ip6tables.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/iptables-openrc/iptables.confd b/nonsystemd/iptables-openrc/iptables.confd
new file mode 100644
index 000000000..7225374c3
--- /dev/null
+++ b/nonsystemd/iptables-openrc/iptables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nonsystemd/iptables-openrc/iptables.initd b/nonsystemd/iptables-openrc/iptables.initd
new file mode 100644
index 000000000..3dcabb0df
--- /dev/null
+++ b/nonsystemd/iptables-openrc/iptables.initd
@@ -0,0 +1,165 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ # use iptables autoload capability to load at least all required
+ # modules and filter table
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -S >/dev/null
+ if [ $? -ne 0 ] ; then
+ eerror "${iptables_bin} failed to load"
+ return 1
+ fi
+
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}