authorNatanael Copa <ncopa@alpinelinux.org>2023-12-26 13:47:07 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2023-12-26 13:47:07 +0100
commit0ed7f8592ada79c8e8e307a6c39a49b531ae29cf (patch)
treece0ed2af760e5d6f9b2674cd98698259fe08165c /main/iptables
parent4b3e10d9fa2fd6eaf1582b27a9e6859eaa21afa9 (diff)
main/iptables: fix init.d to work with nft backend
Drop checkkernel, which does not work with the nft backend and does not really provide much value. Use iptables-save to extract the list of table names instead of using the obsolete /proc/net/ip_tables_names. fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/15002 fixes https://gitlab.alpinelinux.org/alpine/aports/-/issues/15357
Diffstat (limited to 'main/iptables')
-rw-r--r--main/iptables/APKBUILD4
-rw-r--r--main/iptables/iptables.initd35
2 files changed, 18 insertions, 21 deletions
diff --git a/main/iptables/APKBUILD b/main/iptables/APKBUILD
index 03a59631a53..318bbb73137 100644
--- a/main/iptables/APKBUILD
+++ b/main/iptables/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=iptables
pkgver=1.8.10
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
url="https://www.netfilter.org/projects/iptables/index.html"
arch="all"
@@ -119,7 +119,7 @@ openrc() {
sha512sums="
71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153 iptables-1.8.10.tar.xz
ac78898c2acbe66ed8d32a06f41ff08cde7c22c3df6dfec6bc89a912d2cef2bde730de19d25a5407886d567cb0972a0b7bde7e6b18a34c4511495b4dad3b90ad use-sh-iptables-apply.patch
-7c1c8caa9a94f829db5a41ec00a6f3d6ce064843c6a5dd0578782baa9642cb5c219965a406ef1fd61509ab1f2f43812571d50f3dbec3dcfd9f46d394564ba4f3 iptables.initd
+8b1128cd998362e728f0f1127f06d98612bc3430ed0c4f83fd70812cd512363873fd75c9038d847caa487f5666defff68b829f452f270b2a21de6e4172fa83c1 iptables.initd
cb7fecd5cab2c78bd3f215a41f39ec11c37eb360efbe83982378a0e647e0aa9dc0b7ec915a5b5081aa2f7747464787e69404aa15ba15a063c32cb8fb7dd13d1e iptables.confd
0897a7a22f8b700f7f1f5c355ad6cbf39740e44d6c962af99e479978d8a2d556ca7fe4e31f238829046b4a871ce0b5fd52e2544f1361d15dd1ea3e33992646c4 ip6tables.confd
6f3a7e3f6cedff9e73aa0fb959c92a93b2c484ae3c9b48d9522d1ee1e5ee4e2af12be8c3d73b932fe7f5716b5dd1c5cdfde729a808c0ae9a7dbd4ceec93e5a32 ebtables.initd
diff --git a/main/iptables/iptables.initd b/main/iptables/iptables.initd
index 857dd796de9..ddecde17a6c 100644
--- a/main/iptables/iptables.initd
+++ b/main/iptables/iptables.initd
@@ -18,12 +18,15 @@ fi
iptables_bin="/sbin/${iptables_name}"
case ${iptables_name} in
- iptables) iptables_proc="/proc/net/ip_tables_names"
- iptables_save=${IPTABLES_SAVE}
- sysctl_ipfwd=net.ipv4.ip_forward;;
- ip6tables) iptables_proc="/proc/net/ip6_tables_names"
- iptables_save=${IP6TABLES_SAVE}
- sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+ iptables)
+ #shellcheck disable=SC2153
+ iptables_save="${IPTABLES_SAVE}"
+ sysctl_ipfwd=net.ipv4.ip_forward
+ ;;
+ ip6tables)
+ iptables_save="${IP6TABLES_SAVE}"
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding
+ ;;
esac
# Add ip netns if configured to run in a netns namespace
@@ -53,14 +56,11 @@ set_table_policy() {
done
}
-checkkernel() {
- if [ ! -e ${iptables_proc} ] ; then
- eerror "Your kernel lacks ${iptables_name} support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+get_tables() {
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save | /bin/sed -n 's/^\*//p'
}
+
checkconfig() {
if [ ! -f ${iptables_save} ] ; then
eerror "Not starting ${iptables_name}. First create some rules then run:"
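Review bot: `get_tables` (L75-L77) returns the exit status of `sed`, not of `${iptables_bin}-save`, so a save command that fails outright (missing kernel or nft support, wrong binary) is indistinguishable from an empty table list; the removed `checkkernel` used to turn that case into an error, whereas now `stop`, `reload` and `panic` iterate over nothing and report success, and for `panic` that means "Dropping all packets" can end cleanly without any table having been touched. Unless pipefail is enabled somewhere not visible here, the pipeline hides the failure; capture the dump first and propagate the status so callers can check it. The body of `checkconfig` continues outside the hunk.
```shell
get_tables() {
	# Run the save command on its own so its failure is not masked by sed's
	# exit status; callers must check the return value.
	local dump
	# shellcheck disable=SC2086
	dump=$(${iptables_bin}-save) || return 1
	printf '%s\n' "$dump" | /bin/sed -n 's/^\*//p'
}
```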
@@ -91,10 +91,9 @@ stop() {
if yesno "${SAVE_ON_STOP}"; then
save || return 1
fi
- checkkernel || return 1
ebegin "Stopping firewall"
local a
- for a in $(cat ${iptables_proc}) ; do
+ for a in $(get_tables) ; do
set_table_policy $a ACCEPT
${iptables_bin} -w 5 -F -t $a
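Review bot: The loop at L91 consumes `$(get_tables)` inside a command substitution, so any non-zero status from the helper is discarded and an empty expansion simply skips every `set_table_policy`/`-F` call while `ebegin "Stopping firewall"` still reports success, which is a regression from the `checkkernel || return 1` that this hunk removes. Before the loop, verify the save command itself works, e.g. `${iptables_bin}-save >/dev/null 2>&1 || { eerror "${iptables_bin}-save failed; is ${iptables_name} supported by this kernel?"; return 1; }`. The remainder of `stop()` is outside the hunk.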
@@ -104,10 +103,9 @@ stop() {
}
reload() {
- checkkernel || return 1
ebegin "Flushing firewall"
local a
- for a in $(cat ${iptables_proc}) ; do
+ for a in $(get_tables) ; do
${iptables_bin} -w 5 -F -t $a
${iptables_bin} -w 5 -X -t $a
done
@@ -135,14 +133,13 @@ save() {
}
panic() {
- checkkernel || return 1
if service_started ${iptables_name}; then
rc-service ${iptables_name} stop
fi
local a
ebegin "Dropping all packets"
- for a in $(cat ${iptables_proc}) ; do
+ for a in $(get_tables) ; do
${iptables_bin} -w 5 -F -t $a
${iptables_bin} -w 5 -X -t $a