authorThomas Deutschmann <whissi@gentoo.org>2018-11-20 16:36:22 +0100
committerThomas Deutschmann <whissi@gentoo.org>2018-11-20 16:36:38 +0100
commitcdc003118830087bbb409761fe4e0e2c19ea103a (patch)
tree835a75dc169b73a09ee3bdb2991afa9ee59acf60 /net-firewall/iptables/files
parentdev-util/ninja: remove old (diff)
net-firewall/iptables: multiple fixes for runscript
- We are now passing iptables "--wait" option to every iptables command which needs to acquire a lock. [Bug 501710] - In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval" (IPTABLES_LOCK_WAIT_INTERVAL) are now configurable via /etc/conf.d/{iptables,ip6tables}. - We are now only installing one runscript and now using a symlink for the ip6tables runscript. - Error detection improved/added. Closes: https://bugs.gentoo.org/501710 Package-Manager: Portage-2.3.52, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'net-firewall/iptables/files')
-rw-r--r--net-firewall/iptables/files/ip6tables-r1.confd27
-rw-r--r--net-firewall/iptables/files/iptables-r1.confd27
-rwxr-xr-xnet-firewall/iptables/files/iptables-r1.init159
3 files changed, 213 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/ip6tables-r1.confd b/net-firewall/iptables/files/ip6tables-r1.confd
new file mode 100644
index 000000000000..e608f41d1ea7
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-r1.confd b/net-firewall/iptables/files/iptables-r1.confd
new file mode 100644
index 000000000000..d5055e0a5d23
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/iptables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-r1.init b/net-firewall/iptables/files/iptables-r1.init
new file mode 100755
index 000000000000..708dcce6d3c7
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.init
@@ -0,0 +1,159 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}
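Review bot: `save` truncates `${iptables_save}` through the `>` redirection before `${iptables_bin}-save` has produced any output, so a failing save leaves an empty or partial rules file behind while only `eend` reports the error; because `checkconfig` tests nothing beyond `-f`, the next `start` would likely restore that empty file and bring the host up without its firewall. Writing to a temporary file in the same directory and renaming it over the old one only on success keeps the last good state, and `mktemp` creates the file 0600, matching the mode the `checkpath -m 0600` call sets on the target. The status of the two `checkpath` calls is also never checked, so a failed directory creation is only noticed as a redirection error. Separately, in `panic` the `-F`/`-X` calls for each table run before `set_table_policy $a DROP`, leaving a short window with an ACCEPT policy and no rules; running the policy change first closes it.
```shell
save() {
	ebegin "Saving ${iptables_name} state"
	# … unchanged: checkpath calls …
	local tmp rv
	tmp=$(mktemp "${iptables_save}.XXXXXX") || { eend 1; return 1; }
	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}"
	rv=$?
	if [ ${rv} -eq 0 ]; then
		mv -f "${tmp}" "${iptables_save}"
		rv=$?
	else
		rm -f "${tmp}"
	fi
	eend ${rv}
}
```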