[OE-core] [PATCH] iptables: add systemd helper unit to load/restore rules
Diego Rondini
diego.rondini at kynetics.com
Thu Sep 5 09:31:01 UTC 2019
From: Jack Mitchell <jack at embed.me.uk>
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405
Signed-off-by: Jack Mitchell <jack at embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini at kynetics.com>
---
Original patch has been posted 3 years ago, but never got approved. I'm posting
a rebased patch, including the changes requested in the comments.
https://patchwork.openembedded.org/patch/131285/
meta/recipes-extended/iptables/iptables/iptables.rules | 0
.../recipes-extended/iptables/iptables/iptables.service | 13 +++++++++++++
meta/recipes-extended/iptables/iptables_1.8.3.bb | 17 ++++++++++++++++-
3 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..e69de29
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
new file mode 100644
index 0000000..041316e
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 6ac3fc6..ff9fcb1 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+ file://iptables.service \
+ file://iptables.rules \
"
SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd
EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
ALLOW_EMPTY_${PN}-modules = "1"
+do_install_append() {
+
+ install -d ${D}${sysconfdir}/iptables
+ install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+ sed -i -e 's, at SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
RDEPENDS_${PN} = "${PN}-module-xt-standard"
RRECOMMENDS_${PN} = " \
${PN}-modules \
--
2.7.4
More information about the Openembedded-core
mailing list