Diffstat (limited to 'repo/iptables')
-rw-r--r-- | repo/iptables/ebtables.confd | 15 | ||||
-rw-r--r-- | repo/iptables/ebtables.initd | 99 | ||||
-rw-r--r-- | repo/iptables/ip6tables.confd | 14 | ||||
-rw-r--r-- | repo/iptables/iptables.confd | 14 | ||||
-rw-r--r-- | repo/iptables/iptables.initd | 135 | ||||
-rw-r--r-- | repo/iptables/iptables.xibuild | 59 | ||||
-rw-r--r-- | repo/iptables/use-sh-iptables-apply.patch | 39 |
7 files changed, 375 insertions, 0 deletions
diff --git a/repo/iptables/ebtables.confd b/repo/iptables/ebtables.confd
new file mode 100644
index 0000000..0b48cb4
--- /dev/null
+++ b/repo/iptables/ebtables.confd
@@ -0,0 +1,15 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
+
+# Tables to be saved and restored. If you have built ebtables as modules, you
+# may leave it blank. Otherwise, you MUST define which to control.
+TABLE_NAMES="filter nat"
diff --git a/repo/iptables/ebtables.initd b/repo/iptables/ebtables.initd
new file mode 100644
index 0000000..7d92436
--- /dev/null
+++ b/repo/iptables/ebtables.initd
@@ -0,0 +1,99 @@
+#!/sbin/openrc-run
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ebtables/files/ebtables.initd,v 1.2 2007/09/28 19:22:14 pva Exp $
+
+extra_commands="save reload"
+extra_started_commands="panic"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+ebtables_tables=$(grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//)
+if [ "$ebtables_tables" == "" ] ; then
+ ebtables_tables=${TABLE_NAMES}
+fi
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ broute) chains="BROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${ebtables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkconfig() {
+ if [ ! -f ${ebtables_save} ] ; then
+ eerror "Not starting ebtables. First create some rules then run:"
+ eerror "/etc/init.d/ebtables save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ebtables state and starting bridge firewall"
+ ${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Stopping bridge firewall"
+ local a
+ for a in ${ebtables_tables}; do
+ set_table_policy $a ACCEPT
+
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing bridge firewall"
+ local a
+ for a in ${ebtables_tables}; do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ebtables state"
+ checkpath -Fm 0600 "${ebtables_save}"
+ for a in ${ebtables_tables} ; do
+ ${ebtables_bin}-save -t ${a} ${SAVE_RESTORE_OPTIONS} >> "${ebtables_save}"
+ done
+ eend $?
+}
+
+panic() {
+ service_started ebtables && svc_stop
+
+ local a
+ ebegin "Dropping all packets forwarded on bridges"
+ for a in ${ebtables_tables}; do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/repo/iptables/ip6tables.confd b/repo/iptables/ip6tables.confd
new file mode 100644
index 0000000..1fa63f3
--- /dev/null
+++ b/repo/iptables/ip6tables.confd
@@ -0,0 +1,14 @@
+# /etc/conf.d/ip6tables
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/etc/iptables/rules6-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# Enable/disable IPv6 forwarding with the rules
+IPFORWARD="no"
diff --git a/repo/iptables/iptables.confd b/repo/iptables/iptables.confd
new file mode 100644
index 0000000..c9e5a68
--- /dev/null
+++ b/repo/iptables/iptables.confd
@@ -0,0 +1,14 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/etc/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# Enable/disable IPv4 forwarding with the rules
+IPFORWARD="no"
diff --git a/repo/iptables/iptables.initd b/repo/iptables/iptables.initd
new file mode 100644
index 0000000..0f906ee
--- /dev/null
+++ b/repo/iptables/iptables.initd
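Review bot: In `stop`, `reload` and `panic` the `eend $?` after the `for a in ${ebtables_tables}` loop only reports the exit status of the last command of the last iteration, so a failed flush, or a failed `-P DROP` on an earlier table or on an earlier chain inside `set_table_policy`, is reported as success; `panic` in particular should not claim all bridged traffic is dropped when one policy change failed. Track the status across the loop, e.g. `local a rc=0` before it, `${ebtables_bin} -t $a -F || rc=1` (likewise for `-X` and the `set_table_policy` call), then `eend ${rc}`; the same pattern applies to `stop`, `reload` and `panic` in iptables.initd. Separately, `[ "$ebtables_tables" == "" ]` at the top of the file uses the non-POSIX `==`, which some `test` implementations reject; `[ -z "$ebtables_tables" ]` is portable. `save` also iterates `for a in` without the `local a` that the other functions declare.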
@@ -0,0 +1,135 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.11.init,v 1.2 2011/12/04 10:15:59 swegener Exp $
+
+description="IPv4/IPv6 packet filtering and NAT"
+description_save="Save firewall state"
+description_panic="Drop all packets"
+description_reload="Reload configuration"
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE}
+ sysctl_ipfwd=net.ipv4.ip_forward;;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE}
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+esac
+
+depend() {
+ before net
+ after sysctl
+ use logger
+ provide firewall
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -w 5 -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+ if yesno "${IPFORWARD}"; then
+ ebegin "Enabling forwarding"
+ /sbin/sysctl -w ${sysctl_ipfwd}=1 > /dev/null
+ eend $?
+ fi
+}
+
+stop() {
+ if yesno "${IPFORWARD}"; then
+ ebegin "Disabling forwarding"
+ /sbin/sysctl -w ${sysctl_ipfwd}=0 > /dev/null
+ eend $?
+ fi
+ if yesno "${SAVE_ON_STOP}"; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -fm 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/repo/iptables/iptables.xibuild b/repo/iptables/iptables.xibuild
new file mode 100644
index 0000000..8d8cead
--- /dev/null
+++ b/repo/iptables/iptables.xibuild
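Review bot: `reload` flushes every table before `start` runs `checkconfig`, so when `${iptables_save}` is missing the firewall is left with empty chains under whatever policy is in place (ACCEPT after a normal start) and the function only prints the "Not starting" error; the same ordering is in ebtables.initd's `reload`. Call `checkconfig || return 1` as the first line of `reload`, before the flush loop, so a missing ruleset fails closed rather than open. A restore that fails partway through leaves the same flushed state, so validating the file with `${iptables_bin}-restore --test` before flushing, where the installed iptables supports that option, would close the remaining window. `save` likewise ignores the result of `checkpath -fm 0600`, so the `>` redirect can create the file under the default umask if checkpath failed; `checkpath -fm 0600 "${iptables_save}" || return 1` keeps the 0600 mode guaranteed.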
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+NAME="iptables"
+DESC="Linux kernel firewall, NAT and packet mangling tools"
+
+MAKEDEPS=" linux-headers libnftnl bison flex autoconf automake"
+
+PKG_VER=1.8.7
+SOURCE="https://www.netfilter.org/projects/iptables/files/iptables-$PKG_VER.tar.bz2"
+
+ADDITIONAL="
+ebtables.confd
+ebtables.initd
+ip6tables.confd
+iptables.confd
+iptables.initd
+use-sh-iptables-apply.patch
+"
+
+prepare () {
+ apply_patches
+}
+
+build() {
+ export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+ ./configure \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --sbindir=/sbin \
+ --sysconfdir=/etc \
+ --without-kernel \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared
+
+ # do not use rpath
+ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+ make
+}
+
+package() {
+ make -j1 install DESTDIR="$PKG_DEST"
+
+ mkdir -p "$PKG_DEST"/usr/include/libiptc \
+ "$PKG_DEST"/usr/lib \
+ "$PKG_DEST"/var/lib/iptables \
+ "$PKG_DEST"/etc/iptables
+
+ install -m644 include/iptables.h include/ip6tables.h \
+ "$PKG_DEST"/usr/include/
+ install include/libiptc/*.h "$PKG_DEST"/usr/include/libiptc/
+
+ install -D -m755 "$BUILD_ROOT"/iptables.initd "$PKG_DEST"/etc/init.d/iptables
+ install -D -m644 "$BUILD_ROOT"/iptables.confd "$PKG_DEST"/etc/conf.d/iptables
+ install -D -m755 "$BUILD_ROOT"/ebtables.initd "$PKG_DEST"/etc/init.d/ebtables
+ install -D -m644 "$BUILD_ROOT"/ebtables.confd "$PKG_DEST"/etc/conf.d/ebtables
+}
diff --git a/repo/iptables/use-sh-iptables-apply.patch b/repo/iptables/use-sh-iptables-apply.patch
new file mode 100644
index 0000000..b31fc94
--- /dev/null
+++ b/repo/iptables/use-sh-iptables-apply.patch
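Review bot: `package()` never installs `ip6tables.confd` although it is listed in `ADDITIONAL`, and no `/etc/init.d/ip6tables` entry is created even though `iptables.initd` switches on `SVCNAME` to handle ip6tables, so the IPv6 firewall cannot be started from this package as shipped. Add `install -D -m644 "$BUILD_ROOT"/ip6tables.confd "$PKG_DEST"/etc/conf.d/ip6tables` and `ln -s iptables "$PKG_DEST"/etc/init.d/ip6tables` next to the existing install lines. The `mkdir -p` creates `/var/lib/iptables` and `/etc/iptables` but not `/var/lib/ebtables`, which `ebtables.confd` uses as the default `EBTABLES_SAVE` directory, so the ebtables `save` action will presumably fail until an administrator creates it; add `"$PKG_DEST"/var/lib/ebtables` to the list. The tarball is fetched from `$SOURCE` with no checksum pinned in this file; if the build format supports one, pinning it protects the build against a substituted archive.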
@@ -0,0 +1,39 @@
+From: Simon Frankenberger <simon-alpine@fraho.eu>
+
+make iptables-apply use posix sh
+
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # iptables-apply -- a safer way to update iptables remotely
+ #
+ # Usage:
+@@ -110,7 +110,7 @@
+ }
+ 
+ function checkcommands() {
+- for cmd in "${COMMANDS[@]}"; do
++ for cmd in ${COMMANDS}; do
+ if ! command -v "$cmd" >/dev/null; then
+ echo "Error: needed command not found: $cmd" >&2
+ exit 127
+@@ -184,7 +184,7 @@
+ fi
+ 
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
++ COMMANDS="mktemp $SAVE $RESTORE $RUNCMD"
+ checkcommands
+ ;;
+ (*)
+@@ -196,7 +196,7 @@
+ fi
+ 
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE")
++ COMMANDS="mktemp $SAVE $RESTORE"
+ checkcommands
+ ;;
+ esac
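Review bot: The shebang is changed to `/bin/sh` but the context line `function checkcommands() {` keeps the bash-only `function` keyword, so a strict POSIX shell such as dash rejects the script with a syntax error; shells that accept the keyword as an extension will run it, which is presumably what this patch was tested against. The patch should also drop the keyword, `checkcommands() {`. Replacing the array with `COMMANDS="mktemp $SAVE $RESTORE $RUNCMD"` and iterating the unquoted `${COMMANDS}` word-splits each command path, so a `$SAVE`, `$RESTORE` or `$RUNCMD` containing whitespace is checked as several tokens and reported as missing. Passing them as positional parameters keeps the quoting without an array: call `checkcommands mktemp "$SAVE" "$RESTORE" "$RUNCMD"` and loop with `for cmd in "$@"; do` inside the function.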