author | Natanael Copa <ncopa@alpinelinux.org> | 2023-12-26 13:47:07 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2023-12-26 13:47:07 +0100 |
commit | 0ed7f8592ada79c8e8e307a6c39a49b531ae29cf (patch) | |
tree | ce0ed2af760e5d6f9b2674cd98698259fe08165c /main/iptables/iptables.initd | |
parent | 4b3e10d9fa2fd6eaf1582b27a9e6859eaa21afa9 (diff) | |
main/iptables: fix init.d to work with nft backend
Drop checkkernel which does not work with nft backend and does not
really provide much value.
Use iptables-save to extract the list of table names instead of using the
obsolete /proc/net/ip_tables_names.
fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/15002
fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/15357
Diffstat (limited to 'main/iptables/iptables.initd')
-rw-r--r-- | main/iptables/iptables.initd | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/main/iptables/iptables.initd b/main/iptables/iptables.initd
index 857dd796de9..ddecde17a6c 100644
--- a/main/iptables/iptables.initd
+++ b/main/iptables/iptables.initd
@@ -18,12 +18,15 @@ fi
 iptables_bin="/sbin/${iptables_name}"
 case ${iptables_name} in
- iptables) iptables_proc="/proc/net/ip_tables_names"
- iptables_save=${IPTABLES_SAVE}
- sysctl_ipfwd=net.ipv4.ip_forward;;
- ip6tables) iptables_proc="/proc/net/ip6_tables_names"
- iptables_save=${IP6TABLES_SAVE}
- sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+ iptables)
+ #shellcheck disable=SC2153
+ iptables_save="${IPTABLES_SAVE}"
+ sysctl_ipfwd=net.ipv4.ip_forward
+ ;;
+ ip6tables)
+ iptables_save="${IP6TABLES_SAVE}"
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding
+ ;;
 esac
 # Add ip netns if configured to run in a netns namespace
@@ -53,14 +56,11 @@ set_table_policy() {
 done
 }
-checkkernel() {
- if [ ! -e ${iptables_proc} ] ; then
- eerror "Your kernel lacks ${iptables_name} support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+get_tables() {
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save | /bin/sed -n 's/^\*//p'
 }
+
 checkconfig() {
 if [ ! -f ${iptables_save} ] ; then
 eerror "Not starting ${iptables_name}. First create some rules then run:"
@@ -91,10 +91,9 @@ stop() {
 if yesno "${SAVE_ON_STOP}"; then
 save || return 1
 fi
- checkkernel || return 1
 ebegin "Stopping firewall"
 local a
- for a in $(cat ${iptables_proc}) ; do
+ for a in $(get_tables) ; do
 set_table_policy $a ACCEPT
 ${iptables_bin} -w 5 -F -t $a
@@ -104,10 +103,9 @@ stop() {
 }
 reload() {
- checkkernel || return 1
 ebegin "Flushing firewall"
 local a
- for a in $(cat ${iptables_proc}) ; do
+ for a in $(get_tables) ; do
 ${iptables_bin} -w 5 -F -t $a
 ${iptables_bin} -w 5 -X -t $a
 done
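Review bot: In the new `get_tables`, the exit status of `${iptables_bin}-save` is masked by the pipe into sed, so when the dump fails (for instance because the kernel lacks the support the removed `checkkernel` used to detect) the function prints nothing and returns sed's success. Every caller uses it as `for a in $(get_tables)`, so a failure degenerates into an empty loop with only iptables-save's stderr as a trace, and the flush/policy work is silently skipped. I would run the dump on its own, report the failure with `eerror`, and only then filter the captured text; callers that want to propagate the status still have to capture it into a variable first, since `$(...)` in a `for` list discards the exit code. The hardcoded `/bin/sed` could also just be `sed`, matching how the rest of the script invokes tools.
```shell
get_tables() {
	local dump
	# Run the dump on its own so a failure (no kernel support, missing
	# modules, unusable backend) is reported instead of hidden by the pipe.
	dump=$(${iptables_bin}-save) || {
		eerror "${iptables_bin}-save failed; check kernel support for ${iptables_name}"
		return 1
	}
	printf '%s\n' "$dump" | sed -n 's/^\*//p'
}
```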
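Review bot: With `checkkernel || return 1` removed from `stop()`, nothing in the function fails any more when the tables cannot be enumerated: `for a in $(get_tables) ; do` simply runs zero iterations if `get_tables` produces no output, and the function presumably continues to its `eend` (outside this hunk) and reports the firewall as stopped while any loaded rules stay in place. Capture the list before the loop so the failure is observable: `local tables; tables=$(get_tables) || { eend 1; return 1; }` followed by `for a in $tables ; do`, placed after the `ebegin` so the `eend` pairs with it. The same pattern applies to `reload()` and `panic()` in the following hunks. The body of `stop()` starts and ends outside this hunk.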
@@ -135,14 +133,13 @@ save() { } panic() { - checkkernel || return 1 if service_started ${iptables_name}; then rc-service ${iptables_name} stop fi local a ebegin "Dropping all packets" - for a in $(cat ${iptables_proc}) ; do + for a in $(get_tables) ; do ${iptables_bin} -w 5 -F -t $a ${iptables_bin} -w 5 -X -t $a |