From ec2c6c234ae098994a9f218fcd3e40f923749342 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Thu, 18 Jul 2019 16:33:24 +0800
Subject: [PATCH] Add nftables plugin script.

---
 docs/configurations/nftables-plugin.sh | 68 ++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100755 docs/configurations/nftables-plugin.sh

diff --git a/docs/configurations/nftables-plugin.sh b/docs/configurations/nftables-plugin.sh
new file mode 100755
index 0000000..f5d640d
--- /dev/null
+++ b/docs/configurations/nftables-plugin.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# This file is part of netfilter-persistent
+# Copyright (C) 2019, Samson W
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation, either version 3
+# of the License, or (at your option) any later version.
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+NFT_RULESET="/etc/nftables.conf"
+NFT_CMD=$(which nft)
+
+load_rules()
+{
+ #load nft rules
+ if [ ! -f ${NFT_RULESET} ]; then
+ echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!"
+ else
+ ${NFT_CMD} -f ${NFT_RULESET}
+ fi
+}
+
+save_rules()
+{
+ if [ ! -f ${NFT_RULESET} ]; then
+ echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!"
+ touch ${NFT_RULESET}
+ chmod 0640 ${NFT_RULESET}
+ else
+ :
+ fi
+ ${NFT_CMD} list ruleset -n > ${NFT_RULESET}
+}
+
+flush_rules()
+{
+ if [ ! -f ${NFT_CMD} ]; then
+ echo "Warning: nft ruleset file ${NFT_CMD} is not exist!"
+ else
+ ${NFT_CMD} flush ruleset
+ fi
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+ load_rules
+ ;;
+save)
+ save_rules
+ ;;
+stop)
+ # Why? because if stop is used, the firewall gets flushed for a variable
+ # amount of time during package upgrades, leaving the machine vulnerable
+ # It's also not always desirable to flush during purge
+ echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+ ;;
+flush)
+ flush_rules
+ ;;
+*)
+ echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+ exit 1
+ ;;
+esac
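Review bot: In `save_rules` the shell opens `${NFT_RULESET}` for writing before `nft list ruleset` has produced any output, so if `nft` fails (nf_tables not available, or an empty `NFT_CMD` because `which nft` found nothing) the existing rule file is truncated to zero bytes and the next `start` silently loads no firewall at all. Dump into a temporary file in the same directory and rename it over the target only after nft exits 0; that pass is also where a `flush ruleset` line should be prepended, because a bare `list ruleset` dump fed to `nft -f` over a live ruleset appends every rule a second time on each `restart`/`reload` — confirm against how the project expects `/etc/nftables.conf` to be authored. Separately, `NFT_CMD=$(which nft)` is more portable as `NFT_CMD=$(command -v nft)`, the `flush_rules` warning says "ruleset file" while testing the binary path, and all three warnings belong on stderr (`>&2`).
```shell
save_rules()
{
	if [ ! -f "${NFT_RULESET}" ]; then
		echo "Warning: nft ruleset file ${NFT_RULESET} is not exist!" >&2
	fi
	# Dump to a temp file first so a failing nft cannot truncate the live config.
	tmp=$(mktemp "${NFT_RULESET}.XXXXXX")
	{
		printf 'flush ruleset\n'
		"${NFT_CMD}" list ruleset -n
	} > "${tmp}" || { rm -f "${tmp}"; return 1; }
	chmod 0640 "${tmp}"
	mv -f "${tmp}" "${NFT_RULESET}"
}
```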