[OE-core] [PATCH 5/5] iptables: update init script and bb file

Anders Darander anders at chargestorm.se
Tue Jun 24 06:01:30 UTC 2014


* Kang Kai <Kai.Kang at windriver.com> [140624 03:49]:

> On 2014-06-23 19:44, Anders Darander wrote:
> > * Kai Kang <kai.kang at windriver.com> [140623 04:34]:
> >> Update path of command iptables in init script that we put it in
> >> /usr/sbin rather than /sbin. Then update bb file to install init script,
> >> configure and rules files.
> > These new files aren't that big, but could you anyway package at least
> > the rules files into a separate package? Using an RRECOMMENDS would be
> > fine, as I can easily add a BAD_RECOMMENDATION for that package.

> Of course.

> And as I replied in last mail, do you think that an empty rule is 
> better? A little concern is for iptables newbies.

Well, I'd be at least a little bit happier to have the ipv6 rules file
obey the ipv6 distro feature, see below.

Besides, most users of OE-Core won't have any benefit of a pre-generated
iptable rules file. Remember, we're building embedded devices that have
everything but a standard setup.

If you want a static firewall configuration supplied by oe-core, can't
we package it in a separate package anyway?

> > It might be that I don't need/want both of iptables and ip6tables
> > installed; or even that I don't want either of those installed by
> > default.

> iptables and ip6tables are not split into separated packages, so I put 
> them together. And package iptables is not installed by default indeed.

No, but at least we're not building IPv6 support into the package if
ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
rule file should obey that DISTRO_FEATURE also.

Cheers,
Anders

-- 
Naeser's Law:
	You can make it foolproof, but you can't make it damnfoolproof.


