* [RFC] iptables: add systemd helper unit to load/restore rules
@ 2016-09-08 11:29 Jack Mitchell
  2016-09-12  9:22 ` Jack Mitchell
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jack Mitchell @ 2016-09-08 11:29 UTC (permalink / raw)
  To: openembedded-core; +Cc: Jack Mitchell

From: Jack Mitchell <jack@embed.me.uk>

There is currently no way to automatically load iptables rules
in OE. Add a systemd unit file that loads the rules automatically
when the network comes up. This is cribbed from the way Arch Linux
handles iptables, with some minor modifications for OE. New rules
can be generated using 'iptables-save > iptables.rules'.
---
 .../iptables/iptables/iptables.rules                 |  0
 .../iptables/iptables/iptables.service               | 13 +++++++++++++
 meta/recipes-extended/iptables/iptables_1.6.0.bb     | 20 ++++++++++++++++++--
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service

diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..e69de29
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
new file mode 100644
index 0000000..041316e
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
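Review bot: The line `ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules` (and the matching `ExecReload=`) hard-codes `/etc/iptables`, while the recipe installs the file under `${sysconfdir}/iptables` and only ever substitutes `@SBINDIR@`, so the two paths silently diverge if `sysconfdir` is not `/etc`. Use a second placeholder, `ExecStart=@SBINDIR@/iptables-restore @SYSCONFDIR@/iptables/iptables.rules`, and substitute it in the recipe's `sed` alongside `@SBINDIR@`. As far as I can see, if this oneshot fails (missing or malformed rules file) nothing stops `network-pre.target` from being reached, so the system comes up with no rules loaded; since the shipped rules file is empty it is worth stating that fail-open behaviour in a comment in the unit so integrators add their own `OnFailure=` or equivalent. The same unit is quoted unchanged in the three replies below.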
diff --git a/meta/recipes-extended/iptables/iptables_1.6.0.bb b/meta/recipes-extended/iptables/iptables_1.6.0.bb
index fbbe418..65430a1 100644
--- a/meta/recipes-extended/iptables/iptables_1.6.0.bb
+++ b/meta/recipes-extended/iptables/iptables_1.6.0.bb
@@ -22,13 +22,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
            file://types.h-add-defines-that-are-required-for-if_packet.patch \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
            file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
-          "
+           file://iptables.service \
+           file://iptables.rules \
+"
+
 SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
 
 SRC_URI[md5sum] = "27ba3451cb622467fc9267a176f19a31"
 SRC_URI[sha256sum] = "4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd
 
 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
                "
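Review bot: The closing quote of SRC_URI at `+"` is moved to column 0 while the new `file://iptables.service \` and `file://iptables.rules \` entries keep the 11-space continuation indent; the removed line aligned the quote with the entries and the `EXTRA_OECONF` block at the end of this hunk does the same. Keeping the quote aligned (`           "`) matches the rest of the file.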
@@ -48,3 +51,16 @@ do_configure_prepend() {
 	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
 	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
 }
+
+do_install_append() {
+
+        install -d ${D}${sysconfdir}/iptables
+        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+        install -d ${D}${systemd_unitdir}/system
+        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system
+
+	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
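Review bot: The rules file installed by `install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables` is intended to be edited on the target (the commit message says rules are generated with `iptables-save`), but it is not declared as a configuration file, so a package upgrade would replace a site-specific rule set with the shipped empty one. Add `CONFFILES_${PN} += "${sysconfdir}/iptables/iptables.rules"` next to `SYSTEMD_SERVICE_${PN}`. A firewall rule set describes the host's network exposure, so `0600` would be the more conservative mode for a file that only the restore service needs to read. The function also mixes eight-space indentation on the `install` lines with a tab on the `sed` line; pick one.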
-- 
2.9.3




* Re: [RFC] iptables: add systemd helper unit to load/restore rules
  2016-09-08 11:29 [RFC] iptables: add systemd helper unit to load/restore rules Jack Mitchell
@ 2016-09-12  9:22 ` Jack Mitchell
  2016-10-02 20:30 ` Khem Raj
  2016-10-03 17:22 ` Pau Espin Pedrol
  2 siblings, 0 replies; 4+ messages in thread
From: Jack Mitchell @ 2016-09-12  9:22 UTC (permalink / raw)
  To: openembedded-core



On 08/09/16 12:29, Jack Mitchell wrote:
> From: Jack Mitchell <jack@embed.me.uk>
>
> there is currently no way to automatically load iptable rules
> in OE. Add a systemd unit file to automatically load rules on
> network connection. This is cribbed from the way ArchLinux
> handles iptables with some minor modifications for OE. New rules
> can be generated using 'iptables-save > iptables.rules'
> ---
>  .../iptables/iptables/iptables.rules                 |  0
>  .../iptables/iptables/iptables.service               | 13 +++++++++++++
>  meta/recipes-extended/iptables/iptables_1.6.0.bb     | 20 ++++++++++++++++++--
>  3 files changed, 31 insertions(+), 2 deletions(-)
>  create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
>  create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service
>
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
> new file mode 100644
> index 0000000..e69de29
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
> new file mode 100644
> index 0000000..041316e
> --- /dev/null
> +++ b/meta/recipes-extended/iptables/iptables/iptables.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +Before=network-pre.target
> +Wants=network-pre.target
> +
> +[Service]
> +Type=oneshot
> +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta/recipes-extended/iptables/iptables_1.6.0.bb b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> index fbbe418..65430a1 100644
> --- a/meta/recipes-extended/iptables/iptables_1.6.0.bb
> +++ b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> @@ -22,13 +22,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>             file://types.h-add-defines-that-are-required-for-if_packet.patch \
>             file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
>             file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
> -          "
> +           file://iptables.service \
> +           file://iptables.rules \
> +"
> +
>  SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
>
>  SRC_URI[md5sum] = "27ba3451cb622467fc9267a176f19a31"
>  SRC_URI[sha256sum] = "4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60"
>
> -inherit autotools pkgconfig
> +inherit autotools pkgconfig systemd
>
>  EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
>                 "
> @@ -48,3 +51,16 @@ do_configure_prepend() {
>  	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
>  	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
>  }
> +
> +do_install_append() {
> +
> +        install -d ${D}${sysconfdir}/iptables
> +        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
> +
> +        install -d ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system
> +
> +	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/iptables.service
> +}
> +
> +SYSTEMD_SERVICE_${PN} = "iptables.service"
>

If there are no comments on this then I suggest we take it as it is. Not 
having a way to auto load iptables rules is just asking for 
layer/application specific hacks.



* Re: [RFC] iptables: add systemd helper unit to load/restore rules
  2016-09-08 11:29 [RFC] iptables: add systemd helper unit to load/restore rules Jack Mitchell
  2016-09-12  9:22 ` Jack Mitchell
@ 2016-10-02 20:30 ` Khem Raj
  2016-10-03 17:22 ` Pau Espin Pedrol
  2 siblings, 0 replies; 4+ messages in thread
From: Khem Raj @ 2016-10-02 20:30 UTC (permalink / raw)
  To: Jack Mitchell; +Cc: Jack Mitchell, openembedded-core



> On Sep 8, 2016, at 4:29 AM, Jack Mitchell <ml@embed.me.uk> wrote:
> 
> From: Jack Mitchell <jack@embed.me.uk>
> 
> there is currently no way to automatically load iptable rules
> in OE. Add a systemd unit file to automatically load rules on
> network connection. This is cribbed from the way ArchLinux
> handles iptables with some minor modifications for OE. New rules
> can be generated using 'iptables-save > iptables.rules'

Patch is fine but
Can you add commentary on how one would go about doing this
offline during cross compiling ?

> ---
> .../iptables/iptables/iptables.rules                 |  0
> .../iptables/iptables/iptables.service               | 13 +++++++++++++
> meta/recipes-extended/iptables/iptables_1.6.0.bb     | 20 ++++++++++++++++++--
> 3 files changed, 31 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
> create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service
> 
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
> new file mode 100644
> index 0000000..e69de29
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
> new file mode 100644
> index 0000000..041316e
> --- /dev/null
> +++ b/meta/recipes-extended/iptables/iptables/iptables.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +Before=network-pre.target
> +Wants=network-pre.target
> +
> +[Service]
> +Type=oneshot
> +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta/recipes-extended/iptables/iptables_1.6.0.bb b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> index fbbe418..65430a1 100644
> --- a/meta/recipes-extended/iptables/iptables_1.6.0.bb
> +++ b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> @@ -22,13 +22,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>            file://types.h-add-defines-that-are-required-for-if_packet.patch \
>            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
>            file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
> -          "
> +           file://iptables.service \
> +           file://iptables.rules \
> +"
> +
> SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
> 
> SRC_URI[md5sum] = "27ba3451cb622467fc9267a176f19a31"
> SRC_URI[sha256sum] = "4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60"
> 
> -inherit autotools pkgconfig
> +inherit autotools pkgconfig systemd
> 
> EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
>                "
> @@ -48,3 +51,16 @@ do_configure_prepend() {
> 	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
> 	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
> }
> +
> +do_install_append() {
> +
> +        install -d ${D}${sysconfdir}/iptables
> +        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
> +
> +        install -d ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system
> +
> +	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/iptables.service
> +}
> +
> +SYSTEMD_SERVICE_${PN} = "iptables.service"
> --
> 2.9.3
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core




* Re: [RFC] iptables: add systemd helper unit to load/restore rules
  2016-09-08 11:29 [RFC] iptables: add systemd helper unit to load/restore rules Jack Mitchell
  2016-09-12  9:22 ` Jack Mitchell
  2016-10-02 20:30 ` Khem Raj
@ 2016-10-03 17:22 ` Pau Espin Pedrol
  2 siblings, 0 replies; 4+ messages in thread
From: Pau Espin Pedrol @ 2016-10-03 17:22 UTC (permalink / raw)
  To: Jack Mitchell; +Cc: Jack Mitchell, OE-core

Hi,

can you please use ${systemd_system_unitdir} instead of
${systemd_unitdir}/system?
Pau Espin Pedrol


2016-09-08 13:29 GMT+02:00 Jack Mitchell <ml@embed.me.uk>:
> From: Jack Mitchell <jack@embed.me.uk>
>
> there is currently no way to automatically load iptable rules
> in OE. Add a systemd unit file to automatically load rules on
> network connection. This is cribbed from the way ArchLinux
> handles iptables with some minor modifications for OE. New rules
> can be generated using 'iptables-save > iptables.rules'
> ---
>  .../iptables/iptables/iptables.rules                 |  0
>  .../iptables/iptables/iptables.service               | 13 +++++++++++++
>  meta/recipes-extended/iptables/iptables_1.6.0.bb     | 20 ++++++++++++++++++--
>  3 files changed, 31 insertions(+), 2 deletions(-)
>  create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
>  create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service
>
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
> new file mode 100644
> index 0000000..e69de29
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
> new file mode 100644
> index 0000000..041316e
> --- /dev/null
> +++ b/meta/recipes-extended/iptables/iptables/iptables.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +Before=network-pre.target
> +Wants=network-pre.target
> +
> +[Service]
> +Type=oneshot
> +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta/recipes-extended/iptables/iptables_1.6.0.bb b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> index fbbe418..65430a1 100644
> --- a/meta/recipes-extended/iptables/iptables_1.6.0.bb
> +++ b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> @@ -22,13 +22,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>             file://types.h-add-defines-that-are-required-for-if_packet.patch \
>             file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
>             file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
> -          "
> +           file://iptables.service \
> +           file://iptables.rules \
> +"
> +
>  SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
>
>  SRC_URI[md5sum] = "27ba3451cb622467fc9267a176f19a31"
>  SRC_URI[sha256sum] = "4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60"
>
> -inherit autotools pkgconfig
> +inherit autotools pkgconfig systemd
>
>  EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
>                 "
> @@ -48,3 +51,16 @@ do_configure_prepend() {
>         # Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
>         rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
>  }
> +
> +do_install_append() {
> +
> +        install -d ${D}${sysconfdir}/iptables
> +        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
> +
> +        install -d ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system
> +
> +       sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/iptables.service
> +}
> +
> +SYSTEMD_SERVICE_${PN} = "iptables.service"
> --
> 2.9.3
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


