
[v2] package/iptables: add init script

Message ID 20210914132139.3597322-1-jose.pekkarinen@unikie.com
State Superseded

Commit Message

José Pekkarinen Sept. 14, 2021, 1:21 p.m. UTC
This patch adds an init script that loads the ruleset in
/etc/iptables.conf on boot and flushes it on stop, as well as
a save command to generate a new file.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
[v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/

 package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
 package/iptables/iptables.mk |  6 ++++
 2 files changed, 64 insertions(+)
 create mode 100644 package/iptables/S41iptables

Comments

Baruch Siach Sept. 14, 2021, 4:20 p.m. UTC | #1
Hi José,

On Tue, Sep 14 2021, José Pekkarinen wrote:
> This patch will add an init script that allows
> to set a ruleset in /etc/iptables.conf to be loaded
> on boot, or flushed on stop, as well as a saving
> command to generate a new file.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>
>  package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
>  package/iptables/iptables.mk |  6 ++++
>  2 files changed, 64 insertions(+)
>  create mode 100644 package/iptables/S41iptables
>
> diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> new file mode 100644
> index 0000000000..93998b78de
> --- /dev/null
> +++ b/package/iptables/S41iptables
> @@ -0,0 +1,58 @@
> +#!/bin/sh
> +
> +DAEMON="iptables"
> +
> +IPTABLES_ARGS=""
> +
> +start() {
> +	printf 'Starting %s: ' "$DAEMON"
> +	iptables-restore < /etc/iptables.conf
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +stop() {
> +	printf 'Stopping %s: ' "$DAEMON"
> +	iptables -F
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +restart() {
> +	stop
> +	sleep 1
> +	start
> +}
> +
> +save() {
> +	printf 'Saving %s: ' "$DAEMON"
> +	iptables-save > /etc/iptables.conf

What about read-only rootfs?

baruch

> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +case "$1" in
> +	start|stop|restart|save)
> +		"$1";;
> +	reload)
> +		# Restart, since there is no true "reload" feature.
> +		restart;;
> +	*)
> +		echo "Usage: $0 {start|stop|restart|reload}"
> +		exit 1
> +esac
> diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> index dc01466607..1d3612dbf6 100644
> --- a/package/iptables/iptables.mk
> +++ b/package/iptables/iptables.mk
> @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>  	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>  endef
>  
> +define IPTABLES_INSTALL_INIT_SYSV
> +	$(INSTALL) -m 0755 -D package/iptables/S41iptables \
> +		$(TARGET_DIR)/etc/init.d/S41iptables
> +	touch $(TARGET_DIR)/etc/iptables.conf
> +endef
> +
>  $(eval $(autotools-package))
José Pekkarinen Sept. 15, 2021, 9:14 a.m. UTC | #2
On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:

> Hi José,
>
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > This patch will add an init script that allows
> > to set a ruleset in /etc/iptables.conf to be loaded
> > on boot, or flushed on stop, as well as a saving
> > command to generate a new file.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > ---
> > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> >
> >  package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> >  package/iptables/iptables.mk |  6 ++++
> >  2 files changed, 64 insertions(+)
> >  create mode 100644 package/iptables/S41iptables
> >
> > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > new file mode 100644
> > index 0000000000..93998b78de
> > --- /dev/null
> > +++ b/package/iptables/S41iptables
> > @@ -0,0 +1,58 @@
> > +#!/bin/sh
> > +
> > +DAEMON="iptables"
> > +
> > +IPTABLES_ARGS=""
> > +
> > +start() {
> > +     printf 'Starting %s: ' "$DAEMON"
> > +     iptables-restore < /etc/iptables.conf
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +     return "$status"
> > +}
> > +
> > +stop() {
> > +     printf 'Stopping %s: ' "$DAEMON"
> > +     iptables -F
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +     return "$status"
> > +}
> > +
> > +restart() {
> > +     stop
> > +     sleep 1
> > +     start
> > +}
> > +
> > +save() {
> > +     printf 'Saving %s: ' "$DAEMON"
> > +     iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?
>

    Very good point. Would it work if we check whether the rootfs
is ro or rw, and act accordingly?

    Thanks for the comments!

    José.


> baruch
>
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +     return "$status"
> > +}
> > +
> > +case "$1" in
> > +     start|stop|restart|save)
> > +             "$1";;
> > +     reload)
> > +             # Restart, since there is no true "reload" feature.
> > +             restart;;
> > +     *)
> > +             echo "Usage: $0 {start|stop|restart|reload}"
> > +             exit 1
> > +esac
> > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > index dc01466607..1d3612dbf6 100644
> > --- a/package/iptables/iptables.mk
> > +++ b/package/iptables/iptables.mk
> > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
> >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> >  endef
> >
> > +define IPTABLES_INSTALL_INIT_SYSV
> > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
> > +             $(TARGET_DIR)/etc/init.d/S41iptables
> > +     touch $(TARGET_DIR)/etc/iptables.conf
> > +endef
> > +
> >  $(eval $(autotools-package))
>
>
> --
>                                                      ~. .~   Tk Open
> Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
>    - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>
Baruch Siach Sept. 15, 2021, 10:05 a.m. UTC | #3
Hi José,

On Wed, Sep 15 2021, José Pekkarinen wrote:
> On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
>  On Tue, Sep 14 2021, José Pekkarinen wrote:
>  > This patch will add an init script that allows
>  > to set a ruleset in /etc/iptables.conf to be loaded
>  > on boot, or flushed on stop, as well as a saving
>  > command to generate a new file.
>  >
>  > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
>  > ---
>  > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>  >
>  >  package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
>  >  package/iptables/iptables.mk |  6 ++++
>  >  2 files changed, 64 insertions(+)
>  >  create mode 100644 package/iptables/S41iptables
>  >
>  > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
>  > new file mode 100644
>  > index 0000000000..93998b78de
>  > --- /dev/null
>  > +++ b/package/iptables/S41iptables
>  > @@ -0,0 +1,58 @@
>  > +#!/bin/sh
>  > +
>  > +DAEMON="iptables"
>  > +
>  > +IPTABLES_ARGS=""
>  > +
>  > +start() {
>  > +     printf 'Starting %s: ' "$DAEMON"
>  > +     iptables-restore < /etc/iptables.conf
>  > +     status=$?
>  > +     if [ "$status" -eq 0 ]; then
>  > +             echo "OK"
>  > +     else
>  > +             echo "FAIL"
>  > +     fi
>  > +     return "$status"
>  > +}
>  > +
>  > +stop() {
>  > +     printf 'Stopping %s: ' "$DAEMON"
>  > +     iptables -F
>  > +     status=$?
>  > +     if [ "$status" -eq 0 ]; then
>  > +             echo "OK"
>  > +     else
>  > +             echo "FAIL"
>  > +     fi
>  > +     return "$status"
>  > +}
>  > +
>  > +restart() {
>  > +     stop
>  > +     sleep 1
>  > +     start
>  > +}
>  > +
>  > +save() {
>  > +     printf 'Saving %s: ' "$DAEMON"
>  > +     iptables-save > /etc/iptables.conf
>
>  What about read-only rootfs?
>
>     Very good point, will it work if we check the rootfs
> whether is ro or rw, and execute on that behalf?

I'm not sure that this script is a good idea to begin with for the
default installation. But if the maintainers think it is, the script
should skip the save operation for read-only filesystems. See how
package/urandom-scripts/S20urandom handles that.

baruch

>
>     Thanks for the comments!
>
>     José.
>  
>  baruch
>
>  > +     status=$?
>  > +     if [ "$status" -eq 0 ]; then
>  > +             echo "OK"
>  > +     else
>  > +             echo "FAIL"
>  > +     fi
>  > +     return "$status"
>  > +}
>  > +
>  > +case "$1" in
>  > +     start|stop|restart|save)
>  > +             "$1";;
>  > +     reload)
>  > +             # Restart, since there is no true "reload" feature.
>  > +             restart;;
>  > +     *)
>  > +             echo "Usage: $0 {start|stop|restart|reload}"
>  > +             exit 1
>  > +esac
>  > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
>  > index dc01466607..1d3612dbf6 100644
>  > --- a/package/iptables/iptables.mk
>  > +++ b/package/iptables/iptables.mk
>  > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>  >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>  >  endef
>  >  
>  > +define IPTABLES_INSTALL_INIT_SYSV
>  > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
>  > +             $(TARGET_DIR)/etc/init.d/S41iptables
>  > +     touch $(TARGET_DIR)/etc/iptables.conf
>  > +endef
>  > +
>  >  $(eval $(autotools-package))
José Pekkarinen Sept. 15, 2021, 11:41 a.m. UTC | #4
On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:

> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> >  On Tue, Sep 14 2021, José Pekkarinen wrote:
> >  > This patch will add an init script that allows
> >  > to set a ruleset in /etc/iptables.conf to be loaded
> >  > on boot, or flushed on stop, as well as a saving
> >  > command to generate a new file.
> >  >
> >  > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> >  > ---
> >  > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> >  >
> >  >  package/iptables/S41iptables | 58
> ++++++++++++++++++++++++++++++++++++
> >  >  package/iptables/iptables.mk |  6 ++++
> >  >  2 files changed, 64 insertions(+)
> >  >  create mode 100644 package/iptables/S41iptables
> >  >
> >  > diff --git a/package/iptables/S41iptables
> b/package/iptables/S41iptables
> >  > new file mode 100644
> >  > index 0000000000..93998b78de
> >  > --- /dev/null
> >  > +++ b/package/iptables/S41iptables
> >  > @@ -0,0 +1,58 @@
> >  > +#!/bin/sh
> >  > +
> >  > +DAEMON="iptables"
> >  > +
> >  > +IPTABLES_ARGS=""
> >  > +
> >  > +start() {
> >  > +     printf 'Starting %s: ' "$DAEMON"
> >  > +     iptables-restore < /etc/iptables.conf
> >  > +     status=$?
> >  > +     if [ "$status" -eq 0 ]; then
> >  > +             echo "OK"
> >  > +     else
> >  > +             echo "FAIL"
> >  > +     fi
> >  > +     return "$status"
> >  > +}
> >  > +
> >  > +stop() {
> >  > +     printf 'Stopping %s: ' "$DAEMON"
> >  > +     iptables -F
> >  > +     status=$?
> >  > +     if [ "$status" -eq 0 ]; then
> >  > +             echo "OK"
> >  > +     else
> >  > +             echo "FAIL"
> >  > +     fi
> >  > +     return "$status"
> >  > +}
> >  > +
> >  > +restart() {
> >  > +     stop
> >  > +     sleep 1
> >  > +     start
> >  > +}
> >  > +
> >  > +save() {
> >  > +     printf 'Saving %s: ' "$DAEMON"
> >  > +     iptables-save > /etc/iptables.conf
> >
> >  What about read-only rootfs?
> >
> >     Very good point, will it work if we check the rootfs
> > whether is ro or rw, and execute on that behalf?
>
> I'm not sure that this script is a good idea to begin with for the
> default installation. But if the maintainers think it is, the script
> should skip the save operation for read-only filesystems. See how
> package/urandom-scripts/S20urandom handles that.
>

    Thanks again, I'm testing a patch to solve the ro rootfs
issue. Is there any better approach to have a firewall ruleset
by default in the final image?

    Best regards.

    José.


>
> baruch
>
> >
> >     Thanks for the comments!
> >
> >     José.
> >
> >  baruch
> >
> >  > +     status=$?
> >  > +     if [ "$status" -eq 0 ]; then
> >  > +             echo "OK"
> >  > +     else
> >  > +             echo "FAIL"
> >  > +     fi
> >  > +     return "$status"
> >  > +}
> >  > +
> >  > +case "$1" in
> >  > +     start|stop|restart|save)
> >  > +             "$1";;
> >  > +     reload)
> >  > +             # Restart, since there is no true "reload" feature.
> >  > +             restart;;
> >  > +     *)
> >  > +             echo "Usage: $0 {start|stop|restart|reload}"
> >  > +             exit 1
> >  > +esac
> >  > diff --git a/package/iptables/iptables.mk b/package/iptables/
> iptables.mk
> >  > index dc01466607..1d3612dbf6 100644
> >  > --- a/package/iptables/iptables.mk
> >  > +++ b/package/iptables/iptables.mk
> >  > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
> >  >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> >  >  endef
> >  >
> >  > +define IPTABLES_INSTALL_INIT_SYSV
> >  > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
> >  > +             $(TARGET_DIR)/etc/init.d/S41iptables
> >  > +     touch $(TARGET_DIR)/etc/iptables.conf
> >  > +endef
> >  > +
> >  >  $(eval $(autotools-package))
>
> --
>                                                      ~. .~   Tk Open
> Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
>    - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>
Bartosz Bilas Sept. 15, 2021, 12:11 p.m. UTC | #5
Hello José,

On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il 
> <mailto:baruch@tkos.co.il>> wrote:
>
>     Hi José,
>
>     On Wed, Sep 15 2021, José Pekkarinen wrote:
>     > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il
>     <mailto:baruch@tkos.co.il>> wrote:
>     >  On Tue, Sep 14 2021, José Pekkarinen wrote:
>     >  > This patch will add an init script that allows
>     >  > to set a ruleset in /etc/iptables.conf to be loaded
>     >  > on boot, or flushed on stop, as well as a saving
>     >  > command to generate a new file.
>     >  >
>     >  > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com
>     <mailto:jose.pekkarinen@unikie.com>>
>     >  > ---
>     >  > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>     >  >
>     >  >  package/iptables/S41iptables | 58
>     ++++++++++++++++++++++++++++++++++++
>     >  >  package/iptables/iptables.mk <http://iptables.mk> |  6 ++++
>     >  >  2 files changed, 64 insertions(+)
>     >  >  create mode 100644 package/iptables/S41iptables
>     >  >
>     >  > diff --git a/package/iptables/S41iptables
>     b/package/iptables/S41iptables
>     >  > new file mode 100644
>     >  > index 0000000000..93998b78de
>     >  > --- /dev/null
>     >  > +++ b/package/iptables/S41iptables
>     >  > @@ -0,0 +1,58 @@
>     >  > +#!/bin/sh
>     >  > +
>     >  > +DAEMON="iptables"
>     >  > +
>     >  > +IPTABLES_ARGS=""
>     >  > +
>     >  > +start() {
>     >  > +     printf 'Starting %s: ' "$DAEMON"
>     >  > +     iptables-restore < /etc/iptables.conf
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +stop() {
>     >  > +     printf 'Stopping %s: ' "$DAEMON"
>     >  > +     iptables -F
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +restart() {
>     >  > +     stop
>     >  > +     sleep 1
>     >  > +     start
>     >  > +}
>     >  > +
>     >  > +save() {
>     >  > +     printf 'Saving %s: ' "$DAEMON"
>     >  > +     iptables-save > /etc/iptables.conf
>     >
>     >  What about read-only rootfs?
>     >
>     >     Very good point, will it work if we check the rootfs
>     > whether is ro or rw, and execute on that behalf?
>
>     I'm not sure that this script is a good idea to begin with for the
>     default installation. But if the maintainers think it is, the script
>     should skip the save operation for read-only filesystems. See how
>     package/urandom-scripts/S20urandom handles that.
>
>
>     Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?

Did you try to use post-build script to copy this file into your image?

Best
Bartek
>
>     Best regards.
>
>     José.
>
>
>     baruch
>
>     >
>     >     Thanks for the comments!
>     >
>     >     José.
>     >
>     >  baruch
>     >
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +case "$1" in
>     >  > +     start|stop|restart|save)
>     >  > +             "$1";;
>     >  > +     reload)
>     >  > +             # Restart, since there is no true "reload" feature.
>     >  > +             restart;;
>     >  > +     *)
>     >  > +             echo "Usage: $0 {start|stop|restart|reload}"
>     >  > +             exit 1
>     >  > +esac
>     >  > diff --git a/package/iptables/iptables.mk
>     <http://iptables.mk> b/package/iptables/iptables.mk
>     <http://iptables.mk>
>     >  > index dc01466607..1d3612dbf6 100644
>     >  > --- a/package/iptables/iptables.mk <http://iptables.mk>
>     >  > +++ b/package/iptables/iptables.mk <http://iptables.mk>
>     >  > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>     >  >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>     >  >  endef
>     >  >
>     >  > +define IPTABLES_INSTALL_INIT_SYSV
>     >  > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
>     >  > +  $(TARGET_DIR)/etc/init.d/S41iptables
>     >  > +     touch $(TARGET_DIR)/etc/iptables.conf
>     >  > +endef
>     >  > +
>     >  >  $(eval $(autotools-package))
>
>     -- 
>                                                          ~. .~  Tk
>     Open Systems
>     =}------------------------------------------------ooO--U--Ooo------------{=
>        - baruch@tkos.co.il <mailto:baruch@tkos.co.il> - tel:
>     +972.52.368.4656, http://www.tkos.co.il <http://www.tkos.co.il> -
>
>
>
> -- 
>
>     José.
>
>
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
José Pekkarinen Sept. 15, 2021, 12:20 p.m. UTC | #6
On Wed, Sep 15, 2021 at 3:11 PM Bartosz Biłas <b.bilas@grinn-global.com>
wrote:

> Hello José,
> On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
>
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
>
>> Hi José,
>>
>> On Wed, Sep 15 2021, José Pekkarinen wrote:
>> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
>> >  On Tue, Sep 14 2021, José Pekkarinen wrote:
>> >  > This patch will add an init script that allows
>> >  > to set a ruleset in /etc/iptables.conf to be loaded
>> >  > on boot, or flushed on stop, as well as a saving
>> >  > command to generate a new file.
>> >  >
>> >  > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
>> >  > ---
>> >  > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>> >  >
>> >  >  package/iptables/S41iptables | 58
>> ++++++++++++++++++++++++++++++++++++
>> >  >  package/iptables/iptables.mk |  6 ++++
>> >  >  2 files changed, 64 insertions(+)
>> >  >  create mode 100644 package/iptables/S41iptables
>> >  >
>> >  > diff --git a/package/iptables/S41iptables
>> b/package/iptables/S41iptables
>> >  > new file mode 100644
>> >  > index 0000000000..93998b78de
>> >  > --- /dev/null
>> >  > +++ b/package/iptables/S41iptables
>> >  > @@ -0,0 +1,58 @@
>> >  > +#!/bin/sh
>> >  > +
>> >  > +DAEMON="iptables"
>> >  > +
>> >  > +IPTABLES_ARGS=""
>> >  > +
>> >  > +start() {
>> >  > +     printf 'Starting %s: ' "$DAEMON"
>> >  > +     iptables-restore < /etc/iptables.conf
>> >  > +     status=$?
>> >  > +     if [ "$status" -eq 0 ]; then
>> >  > +             echo "OK"
>> >  > +     else
>> >  > +             echo "FAIL"
>> >  > +     fi
>> >  > +     return "$status"
>> >  > +}
>> >  > +
>> >  > +stop() {
>> >  > +     printf 'Stopping %s: ' "$DAEMON"
>> >  > +     iptables -F
>> >  > +     status=$?
>> >  > +     if [ "$status" -eq 0 ]; then
>> >  > +             echo "OK"
>> >  > +     else
>> >  > +             echo "FAIL"
>> >  > +     fi
>> >  > +     return "$status"
>> >  > +}
>> >  > +
>> >  > +restart() {
>> >  > +     stop
>> >  > +     sleep 1
>> >  > +     start
>> >  > +}
>> >  > +
>> >  > +save() {
>> >  > +     printf 'Saving %s: ' "$DAEMON"
>> >  > +     iptables-save > /etc/iptables.conf
>> >
>> >  What about read-only rootfs?
>> >
>> >     Very good point, will it work if we check the rootfs
>> > whether is ro or rw, and execute on that behalf?
>>
>> I'm not sure that this script is a good idea to begin with for the
>> default installation. But if the maintainers think it is, the script
>> should skip the save operation for read-only filesystems. See how
>> package/urandom-scripts/S20urandom handles that.
>>
>
>     Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?
>
> Did you try to use post-build script to copy this file into your image?
>
    Hi,

    I'm using the overlay to populate the final file,
but iptables doesn't look for it itself; it requires
some external mechanism to load the rules. That
is why I proposed this init script, to have a sort
of default way provided by buildroot.

    Best regards.

    José.


> Best
> Bartek
>
>
>     Best regards.
>
>     José.
>
>
>>
>> baruch
>>
>> >
>> >     Thanks for the comments!
>> >
>> >     José.
>> >
>> >  baruch
>> >
>> >  > +     status=$?
>> >  > +     if [ "$status" -eq 0 ]; then
>> >  > +             echo "OK"
>> >  > +     else
>> >  > +             echo "FAIL"
>> >  > +     fi
>> >  > +     return "$status"
>> >  > +}
>> >  > +
>> >  > +case "$1" in
>> >  > +     start|stop|restart|save)
>> >  > +             "$1";;
>> >  > +     reload)
>> >  > +             # Restart, since there is no true "reload" feature.
>> >  > +             restart;;
>> >  > +     *)
>> >  > +             echo "Usage: $0 {start|stop|restart|reload}"
>> >  > +             exit 1
>> >  > +esac
>> >  > diff --git a/package/iptables/iptables.mk b/package/iptables/
>> iptables.mk
>> >  > index dc01466607..1d3612dbf6 100644
>> >  > --- a/package/iptables/iptables.mk
>> >  > +++ b/package/iptables/iptables.mk
>> >  > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>> >  >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>> >  >  endef
>> >  >
>> >  > +define IPTABLES_INSTALL_INIT_SYSV
>> >  > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
>> >  > +             $(TARGET_DIR)/etc/init.d/S41iptables
>> >  > +     touch $(TARGET_DIR)/etc/iptables.conf
>> >  > +endef
>> >  > +
>> >  >  $(eval $(autotools-package))
>>
>> --
>>                                                      ~. .~   Tk Open
>> Systems
>>
>> =}------------------------------------------------ooO--U--Ooo------------{=
>>    - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>>
>
>
> --
>
> José.
>
>
> _______________________________________________
> buildroot mailing listbuildroot@lists.buildroot.orghttps://lists.buildroot.org/mailman/listinfo/buildroot
>
> --
>
>

Patch

diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
new file mode 100644
index 0000000000..93998b78de
--- /dev/null
+++ b/package/iptables/S41iptables
@@ -0,0 +1,58 @@ 
+#!/bin/sh
+
+DAEMON="iptables"
+
+IPTABLES_ARGS=""
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	iptables-restore < /etc/iptables.conf
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	iptables -F
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+save() {
+	printf 'Saving %s: ' "$DAEMON"
+	iptables-save > /etc/iptables.conf
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+case "$1" in
+	start|stop|restart|save)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
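Review bot: `iptables-save > /etc/iptables.conf` in save() truncates the ruleset file before iptables-save has written anything, so a save that fails part-way (e.g. the tables cannot be read) leaves an empty or partial file and the next boot starts with no rules; write to a sibling file and rename over the original only on success, `iptables-save > /etc/iptables.conf.tmp && mv -f /etc/iptables.conf.tmp /etc/iptables.conf`, then take `status=$?` from that. stop() runs only `iptables -F`, which empties the chains of the filter table but leaves the default policies and the nat/mangle/raw tables as the loaded ruleset set them, so a ruleset with `-P INPUT DROP` leaves the host unreachable with no rules after `stop`; either reset the three policies to ACCEPT and follow `-F` with `-X`, or document that stop flushes only the filter chains. `IPTABLES_ARGS=""` is assigned but never passed to any command, and the usage message on the `*)` arm omits the `save` verb the `case` accepts; drop or use the variable and print `Usage: $0 {start|stop|restart|reload|save}`.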
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index dc01466607..1d3612dbf6 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -57,4 +57,10 @@  define IPTABLES_LINUX_CONFIG_FIXUPS
 	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
 endef
 
+define IPTABLES_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/iptables/S41iptables \
+		$(TARGET_DIR)/etc/init.d/S41iptables
+	touch $(TARGET_DIR)/etc/iptables.conf
+endef
+
 $(eval $(autotools-package))
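Review bot: `touch $(TARGET_DIR)/etc/iptables.conf` creates the ruleset file with whatever mode the build umask yields, and a later `iptables-save >` into the existing file keeps that mode, so the saved ruleset (allowed ports, trusted subnets) is readable by every user on the target by default; create it with an explicit restrictive mode instead, `$(INSTALL) -m 0600 -D /dev/null $(TARGET_DIR)/etc/iptables.conf`. A one-line comment above the `touch` stating that an empty ruleset is intentional and that S41iptables restores it on boot would also help the next reader of this define.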