Re: [RFC] iptables: add systemd helper unit to load/restore rules

[Khem Raj <raj.khem@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3820 bytes --]


> On Sep 8, 2016, at 4:29 AM, Jack Mitchell <ml@embed.me.uk> wrote:
> 
> From: Jack Mitchell <jack@embed.me.uk>
> 
> there is currently no way to automatically load iptable rules
> in OE. Add a systemd unit file to automatically load rules on
> network connection. This is cribbed from the way ArchLinux
> handles iptables with some minor modifications for OE. New rules
> can be generated using 'iptables-save > iptables.rules’

Patch is fine but
Can you add commentary on how one would go about doing this
offline during cross compiling ?

> ---
> .../iptables/iptables/iptables.rules                 |  0
> .../iptables/iptables/iptables.service               | 13 +++++++++++++
> meta/recipes-extended/iptables/iptables_1.6.0.bb     | 20 ++++++++++++++++++--
> 3 files changed, 31 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
> create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service
> 
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
> new file mode 100644
> index 0000000..e69de29
> diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
> new file mode 100644
> index 0000000..041316e
> --- /dev/null
> +++ b/meta/recipes-extended/iptables/iptables/iptables.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +Before=network-pre.target
> +Wants=network-pre.target
> +
> +[Service]
> +Type=oneshot
> +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta/recipes-extended/iptables/iptables_1.6.0.bb b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> index fbbe418..65430a1 100644
> --- a/meta/recipes-extended/iptables/iptables_1.6.0.bb
> +++ b/meta/recipes-extended/iptables/iptables_1.6.0.bb
> @@ -22,13 +22,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>            file://types.h-add-defines-that-are-required-for-if_packet.patch \
>            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
>            file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
> -          "
> +           file://iptables.service \
> +           file://iptables.rules \
> +"
> +
> SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
> 
> SRC_URI[md5sum] = "27ba3451cb622467fc9267a176f19a31"
> SRC_URI[sha256sum] = "4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60"
> 
> -inherit autotools pkgconfig
> +inherit autotools pkgconfig systemd
> 
> EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
>                "
> @@ -48,3 +51,16 @@ do_configure_prepend() {
> 	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
> 	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
> }
> +
> +do_install_append() {
> +
> +        install -d ${D}${sysconfdir}/iptables
> +        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
> +
> +        install -d ${D}${systemd_unitdir}/system
> +        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system
> +
> +	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/iptables.service
> +}
> +
> +SYSTEMD_SERVICE_${PN} = "iptables.service"
> --
> 2.9.3
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 211 bytes --]