

pineup: update network init.d script to use nftables
iptables was removed from Pineup in favor of nftables, but this script
still used iptables. Change it so it uses nftables instead.
AlexTMjugador committed Aug 26, 2020
1 parent 70da0d8 commit f143822
Showing 1 changed file with 25 additions and 13 deletions.
38 changes: 25 additions & 13 deletions board/pineup/rootfs-overlay/etc/init.d/S03network.sh
Expand Up @@ -5,16 +5,31 @@
# administration computer and the Internet only.

readonly NETWORK_IFACE=eth0
readonly LAN=192.168.0.0/27
readonly NETWORK_ADDRESS=192.168.0.29/27
readonly CONFIGURATION_HOST_ADDRESS=192.168.0.30
readonly GATEWAY_ADDRESS=192.168.0.1

case "$1" in
start) printf 'Configuring network: '
if iptables -P INPUT DROP && \
iptables -A INPUT -s 192.168.0.30 -j ACCEPT && \
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT && \
iptables -P OUTPUT DROP && \
iptables -A OUTPUT -d 192.168.0.30 -j ACCEPT && \
iptables -A OUTPUT ! -d 192.168.0.0/27 -j ACCEPT && \
ip addr add 192.168.0.29/27 dev "$NETWORK_IFACE" && \
if nft -f - <<NFT_COMMANDS &&
table ip filter {
chain input {
type filter hook input priority filter; policy drop;
ip saddr $CONFIGURATION_HOST_ADDRESS accept comment "Accept packets from configuration host"
ct state established accept comment "Accept packets from established connections"
}
chain output {
type filter hook output priority filter; policy drop;
ip daddr $CONFIGURATION_HOST_ADDRESS accept comment "Allow outgoing packets to the configuration host"
ip daddr != $LAN accept comment "Allow outgoing packets to the Internet"
}
}
NFT_COMMANDS
ip addr add "$NETWORK_ADDRESS" dev "$NETWORK_IFACE" && \
ip link set "$NETWORK_IFACE" up
then
# Give the network adapter a bit of time to stabilize
Expand All @@ -25,7 +40,7 @@ case "$1" in
sleep 1
done

if ip route add default via 192.168.0.1 dev "$NETWORK_IFACE"; then
if ip route add default via "$GATEWAY_ADDRESS" dev "$NETWORK_IFACE"; then
echo ' OK'
else
echo ' ERROR'
Expand All @@ -35,11 +50,8 @@ case "$1" in
fi;;

stop) printf 'Stopping network: '
if iptables -P INPUT ACCEPT && \
iptables -F INPUT && \
iptables -P OUTPUT ACCEPT && \
iptables -F OUTPUT && \
ip addr del 192.168.0.29/27 dev "$NETWORK_IFACE" && \
if nft flush ruleset && \
ip addr del "$NETWORK_ADDRESS" dev "$NETWORK_IFACE" && \
ip link set "$NETWORK_IFACE" down
then
echo 'OK'
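Review bot: `nft flush ruleset` in the stop arm is far broader than the `iptables -F INPUT` / `iptables -F OUTPUT` it replaces: it deletes every table of every family, not only the `ip filter` table this script creates, so any rules another service installed on the box are silently discarded on `stop`. Scoping the cleanup to what this script owns, `if nft delete table ip filter && \`, keeps the teardown symmetric with the start arm. Relatedly, the start arm's `nft -f` script declares `table ip filter` without flushing it first, so running `start` twice appends a second copy of each rule; the usual nft idiom is to put `table ip filter {}` followed by `flush table ip filter` at the top of the heredoc so the definition is idempotent. The `case "$1"` block these arms belong to begins in the first hunk and its stop arm continues past the end of this one.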
