[Buildroot] [PATCH v2] package/iptables: add init script
Baruch Siach
baruch at tkos.co.il
Wed Sep 15 10:05:18 UTC 2021
Hi José,
On Wed, Sep 15 2021, José Pekkarinen wrote:
> On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch at tkos.co.il> wrote:
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > This patch will add an init script that allows
> > to set a ruleset in /etc/iptables.conf to be loaded
> > on boot, or flushed on stop, as well as a saving
> > command to generate a new file.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> > ---
> > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> >
> > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > package/iptables/iptables.mk | 6 ++++
> > 2 files changed, 64 insertions(+)
> > create mode 100644 package/iptables/S41iptables
> >
> > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > new file mode 100644
> > index 0000000000..93998b78de
> > --- /dev/null
> > +++ b/package/iptables/S41iptables
> > @@ -0,0 +1,58 @@
> > +#!/bin/sh
> > +
> > +DAEMON="iptables"
> > +
> > +IPTABLES_ARGS=""
> > +
> > +start() {
> > + printf 'Starting %s: ' "$DAEMON"
> > + iptables-restore < /etc/iptables.conf
> > + status=$?
> > + if [ "$status" -eq 0 ]; then
> > + echo "OK"
> > + else
> > + echo "FAIL"
> > + fi
> > + return "$status"
> > +}
> > +
> > +stop() {
> > + printf 'Stopping %s: ' "$DAEMON"
> > + iptables -F
> > + status=$?
> > + if [ "$status" -eq 0 ]; then
> > + echo "OK"
> > + else
> > + echo "FAIL"
> > + fi
> > + return "$status"
> > +}
> > +
> > +restart() {
> > + stop
> > + sleep 1
> > + start
> > +}
> > +
> > +save() {
> > + printf 'Saving %s: ' "$DAEMON"
> > + iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?
>
> Very good point, will it work if we check whether the rootfs
> is ro or rw, and execute on that basis?
I'm not sure that this script is a good idea to begin with for the
default installation. But if the maintainers think it is, the script
should skip the save operation for read-only filesystems. See how
package/urandom-scripts/S20urandom handles that.
baruch
>
> Thanks for the comments!
>
> José.
>
> baruch
>
> > + status=$?
> > + if [ "$status" -eq 0 ]; then
> > + echo "OK"
> > + else
> > + echo "FAIL"
> > + fi
> > + return "$status"
> > +}
> > +
> > +case "$1" in
> > + start|stop|restart|save)
> > + "$1";;
> > + reload)
> > + # Restart, since there is no true "reload" feature.
> > + restart;;
> > + *)
> > + echo "Usage: $0 {start|stop|restart|reload}"
> > + exit 1
> > +esac
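Review bot: restart() runs stop, sleep 1, start, so every restart or reload leaves the filter table flushed for at least a second before the ruleset is loaded again. iptables-restore already replaces the existing contents of each table it loads unless --noflush is given, so restart and reload can call start directly. Separately, stop() runs only iptables -F, which clears the rules of the filter table and leaves chain policies and the other tables untouched; a comment should say whether that is intended. The usage string also omits save, and IPTABLES_ARGS is set but never used.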
> > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > index dc01466607..1d3612dbf6 100644
> > --- a/package/iptables/iptables.mk
> > +++ b/package/iptables/iptables.mk
> > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
> > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> > endef
> >
> > +define IPTABLES_INSTALL_INIT_SYSV
> > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \
> > + $(TARGET_DIR)/etc/init.d/S41iptables
> > + touch $(TARGET_DIR)/etc/iptables.conf
> > +endef
> > +
> > $(eval $(autotools-package))
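Review bot: the touch $(TARGET_DIR)/etc/iptables.conf line ships an empty ruleset file whose mode depends on the build umask, and nothing in the commit message says why the file has to exist. If it is only there so the redirect in start() does not fail on a fresh image, consider dropping it and having start() check for a readable, non-empty /etc/iptables.conf, or install the file with $(INSTALL) and an explicit mode such as -m 0600.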
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
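
An added example, not part of this thread or of the Buildroot tree, of a save step that skips on a read-only root filesystem as suggested above. It does not reproduce S20urandom; `save_rules`, `RULES_FILE` and `DUMP_CMD` are assumed names, and it also avoids the truncation that `iptables-save > /etc/iptables.conf` causes when the dump fails.

```shell
#!/bin/sh
# Added example. RULES_FILE, DUMP_CMD and save_rules are hypothetical names,
# not taken from the patch under review.
RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"
DUMP_CMD="${DUMP_CMD:-iptables-save}"

save_rules() {
	printf 'Saving iptables rules: '
	dir=$(dirname "$RULES_FILE")
	tmp="$dir/.iptables.conf.$$"
	old_umask=$(umask)
	umask 077	# keep the saved ruleset readable by root only

	# Probe writability by creating the temp file next to the target.
	# On a read-only rootfs this fails and the save is skipped, not failed.
	if ! touch "$tmp" 2>/dev/null; then
		umask "$old_umask"
		echo "SKIP (cannot write to $dir)"
		return 0
	fi

	# Dump to the temp file first: a plain "iptables-save > file" truncates
	# the old ruleset before the dump runs, so a failed dump would leave an
	# empty file to be restored at next boot.
	if $DUMP_CMD > "$tmp" && [ -s "$tmp" ] && mv -f "$tmp" "$RULES_FILE"; then
		status=0
		echo "OK"
	else
		status=1
		rm -f "$tmp"
		echo "FAIL"
	fi
	umask "$old_umask"
	return "$status"
}
```

The rename happens within one directory, so the target holds either the previous ruleset or the complete new one.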