On Wed, Sep 15, 2021 at 3:11 PM Bartosz Biłas wrote: > Hello José, > On 9/15/21 1:41 PM, José Pekkarinen wrote: > > > > On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach wrote: > >> Hi José, >> >> On Wed, Sep 15 2021, José Pekkarinen wrote: >> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach wrote: >> > On Tue, Sep 14 2021, José Pekkarinen wrote: >> > > This patch will add an init script that allows >> > > to set a ruleset in /etc/iptables.conf to be loaded >> > > on boot, or flushed on stop, as well as a saving >> > > command to generate a new file. >> > > >> > > Signed-off-by: José Pekkarinen >> > > --- >> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/ >> > > >> > > package/iptables/S41iptables | 58 >> ++++++++++++++++++++++++++++++++++++ >> > > package/iptables/iptables.mk | 6 ++++ >> > > 2 files changed, 64 insertions(+) >> > > create mode 100644 package/iptables/S41iptables >> > > >> > > diff --git a/package/iptables/S41iptables >> b/package/iptables/S41iptables >> > > new file mode 100644 >> > > index 0000000000..93998b78de >> > > --- /dev/null >> > > +++ b/package/iptables/S41iptables 
>> > > @@ -0,0 +1,58 @@ >> > > +#!/bin/sh >> > > + >> > > +DAEMON="iptables" >> > > + >> > > +IPTABLES_ARGS="" >> > > + >> > > +start() { >> > > + printf 'Starting %s: ' "$DAEMON" >> > > + iptables-restore < /etc/iptables.conf >> > > + status=$? >> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +stop() { >> > > + printf 'Stopping %s: ' "$DAEMON" >> > > + iptables -F >> > > + status=$? >> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +restart() { >> > > + stop >> > > + sleep 1 >> > > + start >> > > +} >> > > + >> > > +save() { >> > > + printf 'Saving %s: ' "$DAEMON" >> > > + iptables-save > /etc/iptables.conf >> > >> > What about read-only rootfs? >> > >> > Very good point, will it work if we check the rootfs >> > whether is ro or rw, and execute on that behalf? >> >> I'm not sure that this script is a good idea to begin with for the >> default installation. But if the maintainers think it is, the script >> should skip the save operation for read-only filesystems. See how >> package/urandom-scripts/S20urandom handles that. >> > > Thanks again, I'm testing a patch to solve the ro rootfs > issue. Is there any better approach to have a firewall ruleset > by default in the final image? > > Did you try to use post-build script to copy this file into your image? > Hi, I'm using the overlay to populate the final file, but iptables doesn't look for it itself, it requires some external mechanism to load the rules. That is why I proposed this init script, to have a sort of default via from buildroot. Best regards. José. > Best > Bartek > > > Best regards. > > José. > > >> >> baruch >> >> > >> > Thanks for the comments! >> > >> > José. >> > >> > baruch >> > >> > > + status=$? 
>> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +case "$1" in >> > > + start|stop|restart|save) >> > > + "$1";; >> > > + reload) >> > > + # Restart, since there is no true "reload" feature. >> > > + restart;; >> > > + *) >> > > + echo "Usage: $0 {start|stop|restart|reload}" >> > > + exit 1 >> > > +esac >> > > diff --git a/package/iptables/iptables.mk b/package/iptables/ >> iptables.mk >> > > index dc01466607..1d3612dbf6 100644 >> > > --- a/package/iptables/iptables.mk >> > > +++ b/package/iptables/iptables.mk >> > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS >> > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) >> > > endef >> > > >> > > +define IPTABLES_INSTALL_INIT_SYSV >> > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ >> > > + $(TARGET_DIR)/etc/init.d/S41iptables >> > > + touch $(TARGET_DIR)/etc/iptables.conf >> > > +endef >> > > + >> > > $(eval $(autotools-package)) >> >> -- >> ~. .~ Tk Open >> Systems >> >> =}------------------------------------------------ooO--U--Ooo------------{= >> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il - >> > > > -- > > José. > > > _______________________________________________ > buildroot mailing listbuildroot@lists.buildroot.orghttps://lists.buildroot.org/mailman/listinfo/buildroot > > -- > > -- José.
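Review bot: in the S41iptables hunk, save() redirects iptables-save straight into /etc/iptables.conf without checking that the target is writable, so on a read-only rootfs the redirection fails, the old file is left as it was, and the user only sees FAIL; guard the write (for instance by checking the mount options of the filesystem holding /etc in /proc/mounts, or by testing whether the directory is writable) and print SKIP instead of FAIL in that case. Three more points in the same file: stop() runs only `iptables -F`, which flushes the built-in chains of the filter table but leaves user-defined chains (-X), the nat/mangle/raw tables and the chain policies untouched, so a ruleset that sets `-P INPUT DROP` leaves the box unreachable after `stop` while an ACCEPT policy leaves it completely open; decide which state `stop` should leave the host in and restore it explicitly rather than relying on whatever policy the ruleset happened to set. The script handles IPv4 only: nothing loads an ip6tables ruleset, so on a dual-stack image IPv6 traffic is not filtered at all. And as the script number sorts after S40network, interfaces are already up when the rules are applied; since iptables rules do not need the interfaces they name to exist, a lower number would close that window. Minor: the usage string omits `save`, and IPTABLES_ARGS is defined but never used.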
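Review bot: in the iptables.mk hunk, `touch $(TARGET_DIR)/etc/iptables.conf` ships an empty file, so a default image boots with no rules at all (iptables-restore on an empty input is a no-op that reports OK), which does not deliver the default ruleset the commit message describes; either install a real default policy file with `$(INSTALL) -m 0600 -D package/iptables/iptables.conf $(TARGET_DIR)/etc/iptables.conf`, or drop the touch and have start() skip cleanly when the file is absent. The touched file also gets whatever mode the build host's umask yields; since it describes the host's filtering policy, an explicit 0600 is the appropriate mode.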
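Added example for the read-only rootfs point raised above (Baruch's and Bartosz's replies, and José's question about checking ro versus rw). This is not the patch's code and not Buildroot's S20urandom logic, whose exact approach may differ; it is a save() that looks up the mount holding the ruleset file in /proc/mounts and skips the write when that mount carries the `ro` option. The names mount_point_of, is_readonly, RULES_FILE and MOUNTS are this example's own, and the MOUNTS override exists only so the parsing can be exercised against a constructed mount table.

```sh
#!/bin/sh
# Added example: a save() for an S41iptables-style init script that refuses
# to write the ruleset when its target lives on a read-only mount. Assumes a
# Linux target with procfs mounted (/proc/mounts); the temp-file-plus-rename
# is this example's choice, not something the thread specifies.

DAEMON="iptables"
RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"
# Overridable so the logic can be exercised against a constructed mounts table.
MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the mount point that holds $1: the longest entry in $MOUNTS that is
# "/" or a prefix of $1 on a path-component boundary (so /data does not
# claim /database). Mount points with spaces appear as "\040", which read -r
# leaves alone.
mount_point_of() {
    mp_path="$1"
    mp_best=""
    while read -r _dev mp_mnt _fstype _opts _rest; do
        [ -n "$mp_mnt" ] || continue
        case "$mp_mnt" in
            /) mp_hit=1 ;;
            *) case "$mp_path" in
                   "$mp_mnt"|"$mp_mnt"/*) mp_hit=1 ;;
                   *) mp_hit=0 ;;
               esac ;;
        esac
        if [ "$mp_hit" -eq 1 ] && [ "${#mp_mnt}" -gt "${#mp_best}" ]; then
            mp_best="$mp_mnt"
        fi
    done < "$MOUNTS"
    printf '%s\n' "$mp_best"
}

# Return 0 when the mount holding $1 carries the "ro" option. The last line
# for that mount point in $MOUNTS wins, which is what you see with stacked
# mounts. Without a readable mount table, assume writable and let the actual
# write report the failure.
is_readonly() {
    [ -r "$MOUNTS" ] || return 1
    ro_mnt=$(mount_point_of "$1")
    [ -n "$ro_mnt" ] || return 1
    ro_state=1
    while read -r _dev ro_m _fstype ro_opts _rest; do
        [ "$ro_m" = "$ro_mnt" ] || continue
        case ",$ro_opts," in
            *,ro,*) ro_state=0 ;;
            *)      ro_state=1 ;;
        esac
    done < "$MOUNTS"
    return "$ro_state"
}

save() {
    printf 'Saving %s: ' "$DAEMON"
    if is_readonly "$RULES_FILE"; then
        # Nothing can be written on a read-only rootfs; say so instead of FAIL.
        echo "SKIP (read-only filesystem)"
        return 0
    fi
    # Dump to a temp file in the same directory and rename into place, so a
    # failing iptables-save never leaves a truncated ruleset for the next boot.
    sv_tmp="$RULES_FILE.tmp.$$"
    if iptables-save > "$sv_tmp" && chmod 0600 "$sv_tmp" && mv -f "$sv_tmp" "$RULES_FILE"; then
        echo "OK"
        return 0
    fi
    rm -f "$sv_tmp"
    echo "FAIL"
    return 1
}
```

This save() slots into the script's existing `case "$1"` dispatcher in place of the one in the patch; the longest-prefix lookup matters on images where the root is read-only but /etc or /data is a separate writable mount, which a plain "is / mounted ro" test would get wrong.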