sentinel-dynfw-client: Fix init script
Making sure it doesn't fail and that it starts doing something. More
testing is required to figure out whether it does what it is supposed to
do.
miska committed Aug 2, 2024
1 parent 017d311 commit 8c53fdf
Showing 1 changed file with 10 additions and 10 deletions.
20 changes: 10 additions & 10 deletions collect/sentinel/sentinel-dynfw-c-client/files/init.nftables
Expand Up @@ -10,30 +10,30 @@ SET="dynfw"
CHAIN="dynfw"

setup_firewall() {
nft list table "$TABLE" 2> /dev/null || nft add table inet "$TABLE"
nft list tables 2> /dev/null | grep -q " $TABLE" || nft create table inet "$TABLE"
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_input 2> /dev/null
nft add chain inet "$TABLE" "$SET"-"$TABLE"_input '{ type filter hook input priority -5; }'
nft add rule inet "$TABLE" "$SET"-"$TABLE"_input ct state established accept
nft add rule inet "$TABLE" "$SET"-"$TABLE"_input ip saddr @"$SET"_v4 drop
nft add rule inet "$TABLE" "$SET"-"$TABLE"_input ip6 saddr @"$SET"_v6 drop
nft add set inet "$TABLE" "${SET}_4" '{ type ipv4_addr; comment "IPv4 addresses blocked by Turris Sentinel"; }'
nft add rule inet "$TABLE" "$SET"-"$TABLE"_input ip saddr @"$SET"_4 drop
nft add set inet "$TABLE" "${SET}_6" '{ type ipv6_addr; flags interval; comment "IPv6 addresses blocked by Turris Sentinel"; }'
nft add rule inet "$TABLE" "$SET"-"$TABLE"_input ip6 saddr @"$SET"_6 drop
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_forward 2> /dev/null
nft add chain inet "$TABLE" "$SET"-"$TABLE"_forward '{ type filter hook forward priority -5; }'
nft add rule inet "$TABLE" "$SET"-"$TABLE"_forward ct state established accept
nft add rule inet "$TABLE" "$SET"-"$TABLE"_forward ip saddr @"$SET"_v4 drop
nft add rule inet "$TABLE" "$SET"-"$TABLE"_forward ip6 saddr @"$SET"_v6 drop


nft add rule inet "$TABLE" "$SET"-"$TABLE"_forward ip saddr @"$SET"_4 drop
nft add rule inet "$TABLE" "$SET"-"$TABLE"_forward ip6 saddr @"$SET"_6 drop
}

teardown_firewall() {
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_input
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_forward
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_input 2> /dev/null
nft delete chain inet "$TABLE" "$SET"-"$TABLE"_forward 2> /dev/null
}

start_service() {
setup_firewall
procd_open_instance
procd_set_param command dynfw-nftables-client
procd_set_param command dynfw-nfset-client
procd_append_param command --table "$TABLE"
procd_append_param command --set "$SET"
procd_append_param command --cert "$CERT_KEY"
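Review bot: The new table-existence guard `nft list tables 2> /dev/null | grep -q " $TABLE"` in setup_firewall is family-unaware and matches substrings, so an existing `table ip dynfw` or `table inet dynfw_old` would satisfy it, the `inet` table would never be created, and every following `nft add chain inet "$TABLE"` call would fail. Since `nft add table` is a no-op when the table already exists, the guard can simply be `nft add table inet "$TABLE"`; if you want to keep an explicit check, anchor it to the family and name, `nft list table inet "$TABLE" > /dev/null 2>&1 || nft add table inet "$TABLE"`. The IPv4 set is declared without `flags interval` while the IPv6 set has it, so if the client ever pushes v4 prefixes or ranges the insert will be rejected; either add the flag or document the asymmetry with a comment such as `# v4 entries are single hosts; v6 set accepts prefixes (flags interval)`. Note also that the `ct state established accept` rule precedes the drop rules, so an address added to the set does not have its already-open connections cut; that is pre-existing behaviour, but worth a one-line comment above the rule so it is not mistaken for a bug later.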
