| #!/sbin/openrc-run |
| # Copyright 1999-2013 Gentoo Foundation |
| # Distributed under the terms of the GNU General Public License v2 |
| |
| extra_commands="check save panic" |
| extra_started_commands="reload" |
| |
| iptables_name=${SVCNAME} |
| case ${iptables_name} in |
| iptables|ip6tables) ;; |
| *) iptables_name="iptables" ;; |
| esac |
| |
| iptables_bin="/sbin/${iptables_name}" |
| case ${iptables_name} in |
| iptables) iptables_proc="/proc/net/ip_tables_names" |
| iptables_save=${IPTABLES_SAVE};; |
| ip6tables) iptables_proc="/proc/net/ip6_tables_names" |
| iptables_save=${IP6TABLES_SAVE};; |
| esac |
| |
| depend() { |
| need localmount #434774 |
| before net |
| } |
| |
| set_table_policy() { |
| local chains table=$1 policy=$2 |
| case ${table} in |
| nat) chains="PREROUTING POSTROUTING OUTPUT";; |
| mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; |
| filter) chains="INPUT FORWARD OUTPUT";; |
| *) chains="";; |
| esac |
| local chain |
| for chain in ${chains} ; do |
| ${iptables_bin} -w -t ${table} -P ${chain} ${policy} |
| done |
| } |
| |
| checkkernel() { |
| if [ ! -e ${iptables_proc} ] ; then |
| eerror "Your kernel lacks ${iptables_name} support, please load" |
| eerror "appropriate modules and try again." |
| return 1 |
| fi |
| return 0 |
| } |
| checkconfig() { |
| if [ ! -f ${iptables_save} ] ; then |
| eerror "Not starting ${iptables_name}. First create some rules then run:" |
| eerror "/etc/init.d/${iptables_name} save" |
| return 1 |
| fi |
| return 0 |
| } |
| |
| start() { |
| checkconfig || return 1 |
| ebegin "Loading ${iptables_name} state and starting firewall" |
| ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" |
| eend $? |
| } |
| |
| stop() { |
| if [ "${SAVE_ON_STOP}" = "yes" ] ; then |
| save || return 1 |
| fi |
| checkkernel || return 1 |
| ebegin "Stopping firewall" |
| local a |
| for a in $(cat ${iptables_proc}) ; do |
| set_table_policy $a ACCEPT |
| |
| ${iptables_bin} -w -F -t $a |
| ${iptables_bin} -w -X -t $a |
| done |
| eend $? |
| } |
| |
| reload() { |
| checkkernel || return 1 |
| checkrules || return 1 |
| ebegin "Flushing firewall" |
| local a |
| for a in $(cat ${iptables_proc}) ; do |
| ${iptables_bin} -w -F -t $a |
| ${iptables_bin} -w -X -t $a |
| done |
| eend $? |
| |
| start |
| } |
| |
| checkrules() { |
| ebegin "Checking rules" |
| ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" |
| eend $? |
| } |
| |
| check() { |
| # Short name for users of init.d script. |
| checkrules |
| } |
| |
| save() { |
| ebegin "Saving ${iptables_name} state" |
| checkpath -q -d "$(dirname "${iptables_save}")" |
| checkpath -q -m 0600 -f "${iptables_save}" |
| ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" |
| eend $? |
| } |
| |
| panic() { |
| checkkernel || return 1 |
| if service_started ${iptables_name}; then |
| rc-service ${iptables_name} stop |
| fi |
| |
| local a |
| ebegin "Dropping all packets" |
| for a in $(cat ${iptables_proc}) ; do |
| ${iptables_bin} -w -F -t $a |
| ${iptables_bin} -w -X -t $a |
| |
| set_table_policy $a DROP |
| done |
| eend $? |
| } |