author | Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org> | 2019-01-16 00:13:18 +0100 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2019-01-15 17:20:42 -0600 |
commit | 5340dc96865d410a32ab4cb9f900bcb88e035600 (patch) | |
tree | 74bd9bce6d30450233bcad2977cc3e8c1e9ba3d1 /net-firewall | |
parent | dev-libs/cudnn: version bump to 7.4.2.24. (diff) | |
net-firewall/nftables: Minor fixes on the script closes #675188
* Use printf instead of echo for better shell compatibility.
* Use an include instead of concatenating the ruleset.
(Note that this is likely to fail if the ruleset path contains
special characters).
* Empty the table first when executing panic actions.
Fixes: https://bugs.gentoo.org/675188
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/nftables/files/libexec/nftables-mk.sh | 7 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-0.9.0-r3.ebuild (renamed from net-firewall/nftables/nftables-0.9.0-r2.ebuild) | 0 |
2 files changed, 4 insertions, 3 deletions
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b6ad37867b6d..b3d7db60d7fe 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -13,7 +13,8 @@ main() {
 nft ${SAVE_OPTIONS} list ruleset
 ;;
 "load")
- ( echo "flush ruleset;"; cat "${NFTABLES_SAVE}" ) | nft -f -
+ # We use an include because cat fails with long rulesets see #675188
+ printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
 ;;
 "panic")
 panic hard | nft -f -
@@ -25,8 +26,7 @@ main() {
 local tmp_save="${NFTABLES_SAVE}.tmp"
 umask 600;
 (
- echo "#!/sbin/nft -f"
- echo "flush ruleset;"
+ printf '#!/sbin/nft -f\nflush ruleset\n'
 nft ${SAVE_OPTIONS} list ruleset
 ) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
 ;;
@@ -37,6 +37,7 @@ panic() {
 local erule;
 [ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
 cat <<EOF
+flush ruleset
 table inet filter {
 chain input {
 type filter hook input priority 0;
diff --git a/net-firewall/nftables/nftables-0.9.0-r2.ebuild b/net-firewall/nftables/nftables-0.9.0-r3.ebuild
index 346d321bb376..346d321bb376 100644
--- a/net-firewall/nftables/nftables-0.9.0-r2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r3.ebuild |
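Review bot: The ruleset path is spliced into an nft string literal on the `printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}"` line, so a `NFTABLES_SAVE` value containing `"` or `\` either breaks the parse or makes nft include a different file; the commit message acknowledges this but the code does not check for it. A guard immediately before the printf keeps that failure explicit instead of silent: `case "${NFTABLES_SAVE}" in *[\"\\]*) printf 'NFTABLES_SAVE contains a character nft cannot quote: %s\n' "${NFTABLES_SAVE}" >&2; return 1 ;; esac`. As far as I recall nft resolves a non-absolute `include` against its own include search path rather than the current directory, so it may also be worth rejecting a relative path here — confirm against the nft manual. `main()` starts and ends outside this hunk.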
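Review bot: `umask 600;` on the save path is the wrong mask: a umask of 600 clears the owner's read/write bits and leaves group and world with rw, so `$tmp_save` (and, after the `mv`, the saved ruleset) is created mode 066 — readable and writable by every local user, which lets an unprivileged user plant rules that the next `load` applies as root. The intended value is `umask 077`, which yields mode 600; note the umask is set in the main shell and so persists for the rest of the script. The `mv ${tmp_save} ${NFTABLES_SAVE}` line should also quote both expansions, `mv -- "${tmp_save}" "${NFTABLES_SAVE}"`, to match the quoted `> "$tmp_save"` just above it. The commit does not touch this line, so it is an existing defect rather than a regression, but it is the most serious issue in the file. `main()` starts and ends outside this hunk.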
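Review bot: The added `flush ruleset` line deserves a comment, because it clears every table in every family rather than only the `inet filter` table the heredoc goes on to define, which is stronger than the "empty the table first" wording in the commit message suggests. A shell comment before the `cat <<EOF` line such as `# The ruleset starts with "flush ruleset" so the panic policy below is the only thing left in the kernel` would make that intent explicit. Since the whole heredoc is fed to a single `nft -f -` invocation, the flush and the new table presumably land in one transaction with no unfiltered window — worth stating in the comment only if confirmed against nft's documentation. `panic()` continues past the end of this hunk.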