Re: [PATCH 5/5] iptables: update init script and bb file

[Anders Darander <anders@chargestorm.se>]

* Kang Kai <Kai.Kang@windriver.com> [140624 03:49]:

> On 2014年06月23日 19:44, Anders Darander wrote:
> > * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
> >> Update path of command iptables in init script that we put it in
> >> /usr/sbin rather than /sbin. Then update bb file to install init script,
> >> configure and rules files.
> > These new files aren't that big, but could you anyway package at least
> > the rules files into a separate package? Using an RRECOMMENDS would be
> > fine, as I can easily add a BAD_RECOMMENDATION for that package.

> Of course.

> And as I replied in last main, do you think that an empty rule is 
> better? A little concern is for iptables newbies.

Well, I'd be at lest a little bit happier to have the ipv6 rules file
obey the ipv6 distro feature, see below.

Besides, most users of OE-Core won't have any benefit of a pre-generated
iptable rules file. Remember, we're building embedded devices that have
everything but a standard setup.

If you want a static firewall configuration supplied by oe-core, can't
we package it in a separate package anyway?

> > It might be that I don't need/want both of iptables and ip6tables
> > installed; or even that I don't want either of those installed by
> > default.

> iptables and ip6tables are not split into separated packages, so I put 
> them together. And package iptbales is not installed by default indeed.

No, but at least we're not building IPv6 support into the package if
ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
rule file should obey that DISTRO_FEATUR also.

Cheers,
Anders

-- 
Naeser's Law:
	You can make it foolproof, but you can't make it damnfoolproof.