[oe-commits] [openembedded-core] 38/58: iptables: add systemd helper unit to load/restore rules

git at git.openembedded.org git at git.openembedded.org
Sun Sep 15 16:59:32 UTC 2019


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master-next
in repository openembedded-core.

commit 2d3048ddd9188117eb0fc26071562d3e0a5b9d22
Author: Jack Mitchell <jack at embed.me.uk>
AuthorDate: Thu Sep 5 09:35:37 2019 +0000

    iptables: add systemd helper unit to load/restore rules
    
    There is currently no way to automatically load iptables rules in OE.
    Add a systemd unit file to automatically load rules on network
    connection. This is cribbed from the way ArchLinux handles iptables with
    some minor modifications for OE.
    New rules can be generated directly on the target using:
    # iptables-save -f /etc/iptables/iptables.rules
    Good documentation for writing rules offline is lacking, but the basics
    are explained here:
    https://unix.stackexchange.com/q/400163/49405
    
    Signed-off-by: Jack Mitchell <jack at embed.me.uk>
    Signed-off-by: Diego Rondini <diego.rondini at kynetics.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
---
 meta/recipes-extended/iptables/iptables/iptables.rules  |  0
 .../recipes-extended/iptables/iptables/iptables.service | 13 +++++++++++++
 meta/recipes-extended/iptables/iptables_1.8.3.bb        | 17 ++++++++++++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..e69de29
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
new file mode 100644
index 0000000..041316e
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
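Review bot: The unit only runs `iptables-restore`, so IPv6 traffic stays unfiltered on images that enable IPv6, while `Description=Packet Filtering Framework` reads as if the unit covered all filtering. Either narrow it to `Description=IPv4 Packet Filtering Framework` or ship a sibling unit that runs `ip6tables-restore` against its own rules file. The ordering is also fail-open: `Wants=network-pre.target` does not keep the network down when `ExecStart` fails on a malformed rules file, so the interfaces come up with whatever rules the kernel already holds. Validating the file with `iptables-restore --test` at build or deploy time, and alerting on the unit's failed state, would close that gap.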
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 6ac3fc6..ff9fcb1 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
            file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+           file://iptables.service \
+           file://iptables.rules \
 "
 
 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd
 
 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
 
@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
 
 ALLOW_EMPTY_${PN}-modules = "1"
 
+do_install_append() {
+
+        install -d ${D}${sysconfdir}/iptables
+        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+	sed -i -e 's, at SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
 RDEPENDS_${PN} = "${PN}-module-xt-standard"
 RRECOMMENDS_${PN} = " \
     ${PN}-modules \
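Review bot: The `sed` in `do_install_append` substitutes only the sbin placeholder, while iptables.service hard-codes `/etc/iptables/iptables.rules` and this recipe installs the rules under `${sysconfdir}/iptables`. A distro with a non-default `sysconfdir` would get a unit pointing at a file that is not there, and the firewall rules would not load. Use a placeholder for the rules path in the unit as well and extend the command with `-e 's,@SYSCONFDIR@,${sysconfdir},g'`. The pattern is displayed here as ` at SBINDIR@`, presumably the list archive's address obfuscation of `@SBINDIR@`; confirm it against the tree, since an unexpanded placeholder would leave `ExecStart` without an absolute path. The `sed` line is also tab-indented where the rest of the function uses spaces.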


