You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gentoo-overlay/net-firewall/nftables/files/libexec/nftables.sh

151 lines
3.6 KiB

#! /bin/sh
main() {
local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
local retval
case "$1" in
"clear")
if ! use_legacy; then
nft flush ruleset
else
clear_legacy
fi
retval=$?
;;
"list")
if ! use_legacy; then
nft list ruleset
else
list_legacy
fi
retval=$?
;;
"load")
nft -f ${NFTABLES_SAVE}
retval=$?
;;
"store")
umask 177
local tmp_save="${NFTABLES_SAVE}.tmp"
if ! use_legacy; then
nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
else
save_legacy ${tmp_save}
fi
retval=$?
if [ ${retval} ]; then
mv ${tmp_save} ${NFTABLES_SAVE}
fi
;;
esac
return ${retval}
}
clear_legacy() {
local l3f line table chain first_line
first_line=1
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
table=$(echo ${line} | sed "s/table[ \t]*//")
deletetable ${l3f} ${table}
done
done
else
nft list tables | while read line; do
l3f=$(echo ${line} | cut -d ' ' -f2)
table=$(echo ${line} | cut -d ' ' -f3)
deletetable ${l3f} ${table}
done
fi
}
list_legacy() {
local l3f
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
line=$(echo ${line} | sed "s/table/table ${l3f}/")
echo "$(nft list ${line})"
done
done
else
nft list tables | while read line; do
echo "$(nft list ${line})"
done
fi
}
save_legacy() {
tmp_save=$1
touch "${tmp_save}"
if manualwalk; then
for l3f in $(getfamilies); do
nft list tables ${l3f} | while read line; do
line=$(echo ${line} | sed "s/table/table ${l3f}/")
nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
done
done
else
nft list tables | while read line; do
nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
done
fi
}
use_legacy() {
local major_ver minor_ver
major_ver=$(uname -r | cut -d '.' -f1)
minor_ver=$(uname -r | cut -d '.' -f2)
[ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
return 0
}
CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
getfamilies() {
local l3f families
for l3f in ip arp ip6 bridge inet; do
if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
families="${families}${l3f} "
nft delete table ${l3f} ${CHECK_TABLE_NAME}
fi
done
echo ${families}
}
manualwalk() {
local result l3f=`getfamilies | cut -d ' ' -f1`
nft create table ${l3f} ${CHECK_TABLE_NAME}
nft list tables | read line
if [ $(echo $line | wc -w) -lt 3 ]; then
result=0
fi
result=1
nft delete table ${l3f} ${CHECK_TABLE_NAME}
return $result
}
deletetable() {
# family is $1
# table name is $2
nft flush table $1 $2
nft list table $1 $2 | while read l; do
chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
if [ -n "${chain}" ]; then
nft flush chain $1 $2 ${chain}
nft delete chain $1 $2 ${chain}
fi
done
nft delete table $1 $2
}
main "$@"