authorFrancisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org>2019-01-16 00:13:18 +0100
committerMatthew Thode <prometheanfire@gentoo.org>2019-01-15 17:20:42 -0600
commit5340dc96865d410a32ab4cb9f900bcb88e035600 (patch)
tree74bd9bce6d30450233bcad2977cc3e8c1e9ba3d1 /net-firewall
parentdev-libs/cudnn: version bump to 7.4.2.24. (diff)
net-firewall/nftables: Minor fixes on the script closes #675188
* Use printf instead of echo for better shell compatibility. * Use an include instead of concatenating the ruleset. (Note that this is likely to fail if the ruleset path contains special characters.) * Empty the table first when executing panic actions. Fixes: https://bugs.gentoo.org/675188 Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/nftables/files/libexec/nftables-mk.sh7
-rw-r--r--net-firewall/nftables/nftables-0.9.0-r3.ebuild (renamed from net-firewall/nftables/nftables-0.9.0-r2.ebuild)0
2 files changed, 4 insertions, 3 deletions
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b6ad37867b6d..b3d7db60d7fe 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -13,7 +13,8 @@ main() {
nft ${SAVE_OPTIONS} list ruleset
;;
"load")
- ( echo "flush ruleset;"; cat "${NFTABLES_SAVE}" ) | nft -f -
+ # We use an include because cat fails with long rulesets see #675188
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
;;
"panic")
panic hard | nft -f -
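Review bot: The added `printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}"` line embeds the path inside an nft double-quoted string literal, so a `"` or a backslash in `NFTABLES_SAVE` changes what nft parses instead of failing cleanly, which the commit message concedes but the code does not check; a guard in front of the printf turns that into a refusal, e.g. `case "${NFTABLES_SAVE}" in *[\"\\]*) printf 'NFTABLES_SAVE contains characters unsafe for nft include\n' >&2; return 1 ;; esac`. If I remember the nft manual correctly, an include path that does not start with `/` or `./` is resolved against nft's include search path rather than the working directory, so the guard could also insist on an absolute path; worth confirming against the installed nft. The file written by the `save` branch already begins with `flush ruleset`, so the leading `flush ruleset` here is redundant but harmless. main() begins and ends outside this hunk.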
@@ -25,8 +26,7 @@ main() {
local tmp_save="${NFTABLES_SAVE}.tmp"
umask 600;
(
- echo "#!/sbin/nft -f"
- echo "flush ruleset;"
+ printf '#!/sbin/nft -f\nflush ruleset\n'
nft ${SAVE_OPTIONS} list ruleset
) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
;;
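Review bot: The `umask 600;` context line above the rewritten `printf` masks out the owner's read and write bits while leaving group and other untouched, so the temporary file created by `> "$tmp_save"` (and renamed into place by the `mv`) gets mode 066 rather than the owner-only file this looks intended to produce; the commit rewrites the lines around it but leaves this, and `umask 077` is the value that keeps the saved ruleset private. The `mv ${tmp_save} ${NFTABLES_SAVE}` on the last line also leaves both paths unquoted, unlike the redirect just before it, so `mv -- "${tmp_save}" "${NFTABLES_SAVE}"` would be consistent and survive paths with spaces. The `save` branch of main() continues outside this hunk.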
@@ -37,6 +37,7 @@ panic() {
local erule;
[ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
cat <<EOF
+flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
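Review bot: The added `flush ruleset` at the top of the here-document removes every table in every family, not only `inet filter`, which is stronger than the commit message's "empty the table first" and is worth stating in the script itself, since the here-document is what an operator reads to see what `panic` leaves behind; an nft comment line above it, `# flush ruleset removes every existing table, so only the panic rules below remain`, would do. Because the heredoc delimiter is unquoted, `$` and backquotes in these lines are expanded by the shell before nft sees them; the new line contains none, but it is a constraint for future additions here. panic() ends outside this hunk.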
diff --git a/net-firewall/nftables/nftables-0.9.0-r2.ebuild b/net-firewall/nftables/nftables-0.9.0-r3.ebuild
index 346d321bb376..346d321bb376 100644
--- a/net-firewall/nftables/nftables-0.9.0-r2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r3.ebuild