summaryrefslogtreecommitdiff
path: root/repo/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'repo/iptables')
-rw-r--r--repo/iptables/ebtables.confd15
-rw-r--r--repo/iptables/ebtables.initd99
-rw-r--r--repo/iptables/ip6tables.confd14
-rw-r--r--repo/iptables/iptables.confd14
-rw-r--r--repo/iptables/iptables.initd135
-rw-r--r--repo/iptables/iptables.xibuild59
-rw-r--r--repo/iptables/use-sh-iptables-apply.patch39
7 files changed, 375 insertions, 0 deletions
diff --git a/repo/iptables/ebtables.confd b/repo/iptables/ebtables.confd
new file mode 100644
index 0000000..0b48cb4
--- /dev/null
+++ b/repo/iptables/ebtables.confd
@@ -0,0 +1,15 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
+
+# Tables to be saved and restored. If you have built ebtables as modules, you
+# may leave it blank. Otherwise, you MUST define which to control.
+TABLE_NAMES="filter nat"
diff --git a/repo/iptables/ebtables.initd b/repo/iptables/ebtables.initd
new file mode 100644
index 0000000..7d92436
--- /dev/null
+++ b/repo/iptables/ebtables.initd
@@ -0,0 +1,99 @@
+#!/sbin/openrc-run
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ebtables/files/ebtables.initd,v 1.2 2007/09/28 19:22:14 pva Exp $
+
+extra_commands="save reload"
+extra_started_commands="panic"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+ebtables_tables=$(grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//)
+if [ "$ebtables_tables" == "" ] ; then
+ ebtables_tables=${TABLE_NAMES}
+fi
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ broute) chains="BROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${ebtables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkconfig() {
+ if [ ! -f ${ebtables_save} ] ; then
+ eerror "Not starting ebtables. First create some rules then run:"
+ eerror "/etc/init.d/ebtables save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ebtables state and starting bridge firewall"
+ ${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Stopping bridge firewall"
+ local a
+ for a in ${ebtables_tables}; do
+ set_table_policy $a ACCEPT
+
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing bridge firewall"
+ local a
+ for a in ${ebtables_tables}; do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ebtables state"
+ checkpath -Fm 0600 "${ebtables_save}"
+ for a in ${ebtables_tables} ; do
+ ${ebtables_bin}-save -t ${a} ${SAVE_RESTORE_OPTIONS} >> "${ebtables_save}"
+ done
+ eend $?
+}
+
+panic() {
+ service_started ebtables && svc_stop
+
+ local a
+ ebegin "Dropping all packets forwarded on bridges"
+ for a in ${ebtables_tables}; do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/repo/iptables/ip6tables.confd b/repo/iptables/ip6tables.confd
new file mode 100644
index 0000000..1fa63f3
--- /dev/null
+++ b/repo/iptables/ip6tables.confd
@@ -0,0 +1,14 @@
+# /etc/conf.d/ip6tables
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/etc/iptables/rules6-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# Enable/disable IPv6 forwarding with the rules
+IPFORWARD="no"
diff --git a/repo/iptables/iptables.confd b/repo/iptables/iptables.confd
new file mode 100644
index 0000000..c9e5a68
--- /dev/null
+++ b/repo/iptables/iptables.confd
@@ -0,0 +1,14 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/etc/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# Enable/disable IPv4 forwarding with the rules
+IPFORWARD="no"
diff --git a/repo/iptables/iptables.initd b/repo/iptables/iptables.initd
new file mode 100644
index 0000000..0f906ee
--- /dev/null
+++ b/repo/iptables/iptables.initd
@@ -0,0 +1,135 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.11.init,v 1.2 2011/12/04 10:15:59 swegener Exp $
+
+description="IPv4/IPv6 packet filtering and NAT"
+description_save="Save firewall state"
+description_panic="Drop all packets"
+description_reload="Reload configuration"
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE}
+ sysctl_ipfwd=net.ipv4.ip_forward;;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE}
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+esac
+
+depend() {
+ before net
+ after sysctl
+ use logger
+ provide firewall
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -w 5 -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+ if yesno "${IPFORWARD}"; then
+ ebegin "Enabling forwarding"
+ /sbin/sysctl -w ${sysctl_ipfwd}=1 > /dev/null
+ eend $?
+ fi
+}
+
+stop() {
+ if yesno "${IPFORWARD}"; then
+ ebegin "Disabling forwarding"
+ /sbin/sysctl -w ${sysctl_ipfwd}=0 > /dev/null
+ eend $?
+ fi
+ if yesno "${SAVE_ON_STOP}"; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -fm 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w 5 -F -t $a
+ ${iptables_bin} -w 5 -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/repo/iptables/iptables.xibuild b/repo/iptables/iptables.xibuild
new file mode 100644
index 0000000..8d8cead
--- /dev/null
+++ b/repo/iptables/iptables.xibuild
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+NAME="iptables"
+DESC="Linux kernel firewall, NAT and packet mangling tools"
+
+MAKEDEPS=" linux-headers libnftnl bison flex autoconf automake"
+
+PKG_VER=1.8.7
+SOURCE="https://www.netfilter.org/projects/iptables/files/iptables-$PKG_VER.tar.bz2"
+
+ADDITIONAL="
+ebtables.confd
+ebtables.initd
+ip6tables.confd
+iptables.confd
+iptables.initd
+use-sh-iptables-apply.patch
+"
+
+prepare () {
+ apply_patches
+}
+
+build() {
+ export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+ ./configure \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --sbindir=/sbin \
+ --sysconfdir=/etc \
+ --without-kernel \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared
+
+ # do not use rpath
+ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+ make
+}
+
+package() {
+ make -j1 install DESTDIR="$PKG_DEST"
+
+ mkdir -p "$PKG_DEST"/usr/include/libiptc \
+ "$PKG_DEST"/usr/lib \
+ "$PKG_DEST"/var/lib/iptables \
+ "$PKG_DEST"/etc/iptables
+
+ install -m644 include/iptables.h include/ip6tables.h \
+ "$PKG_DEST"/usr/include/
+ install include/libiptc/*.h "$PKG_DEST"/usr/include/libiptc/
+
+ install -D -m755 "$BUILD_ROOT"/iptables.initd "$PKG_DEST"/etc/init.d/iptables
+ install -D -m644 "$BUILD_ROOT"/iptables.confd "$PKG_DEST"/etc/conf.d/iptables
+ install -D -m755 "$BUILD_ROOT"/ebtables.initd "$PKG_DEST"/etc/init.d/ebtables
+ install -D -m644 "$BUILD_ROOT"/ebtables.confd "$PKG_DEST"/etc/conf.d/ebtables
+}
diff --git a/repo/iptables/use-sh-iptables-apply.patch b/repo/iptables/use-sh-iptables-apply.patch
new file mode 100644
index 0000000..b31fc94
--- /dev/null
+++ b/repo/iptables/use-sh-iptables-apply.patch
@@ -0,0 +1,39 @@
+From: Simon Frankenberger <simon-alpine@fraho.eu>
+
+make iptables-apply use posix sh
+
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # iptables-apply -- a safer way to update iptables remotely
+ #
+ # Usage:
+@@ -110,7 +110,7 @@
+ }
+
+ function checkcommands() {
+- for cmd in "${COMMANDS[@]}"; do
++ for cmd in ${COMMANDS}; do
+ if ! command -v "$cmd" >/dev/null; then
+ echo "Error: needed command not found: $cmd" >&2
+ exit 127
+@@ -184,7 +184,7 @@
+ fi
+
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
++ COMMANDS="mktemp $SAVE $RESTORE $RUNCMD"
+ checkcommands
+ ;;
+ (*)
+@@ -196,7 +196,7 @@
+ fi
+
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE")
++ COMMANDS="mktemp $SAVE $RESTORE"
+ checkcommands
+ ;;
+ esac