[Buildroot] [PATCH] package/iptables: add init script

[Buildroot] [PATCH] package/iptables: add init script

[José Pekkarinen]

This patch will add an init script that allows
to set a ruleset in /etc/iptables.conf to be loaded
on boot, or flushed on stop, as well as a saving
command to generate a new file.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
 package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
 package/iptables/iptables.mk |  6 ++++
 2 files changed, 64 insertions(+)
 create mode 100644 package/iptables/S41iptables

diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
new file mode 100644
index 0000000000..93998b78de
--- /dev/null
+++ b/package/iptables/S41iptables
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+DAEMON="iptables"
+
+IPTABLES_ARGS=""
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	iptables-restore < /etc/iptables.conf
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	iptables -F
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+save() {
+	printf 'Saving %s: ' "$DAEMON"
+	iptables-save > /etc/iptables.conf
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+case "$1" in
+	start|stop|restart|save)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index dc01466607..2811e41e7c 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
 	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
 endef
 
+define IPTABLES_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/iptables/S41iptables \
+		$(TARGET_DIR)/etc/init.d/S41iptables
+	touch $(DESTDIR)/etc/iptables.conf
+endef
+
 $(eval $(autotools-package))
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/iptables: add init script

[Nicolas Cavallari]

On 14/09/2021 11:46, José Pekkarinen wrote:
> This patch will add an init script that allows
> to set a ruleset in /etc/iptables.conf to be loaded
> on boot, or flushed on stop, as well as a saving
> command to generate a new file.
> 
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
>   package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
>   package/iptables/iptables.mk |  6 ++++
>   2 files changed, 64 insertions(+)
>   create mode 100644 package/iptables/S41iptables
> 
> diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> new file mode 100644
> index 0000000000..93998b78de
> --- /dev/null
> +++ b/package/iptables/S41iptables

Regardless of whether the maintainers want this in buildroot or not, it 
does not make sense to start this after S40network;
Ideally, the firewall should be enabled before even enabling any network 
interface.

It is even debatable if the firewall should be disabled when shutting 
down, or just left enabled.

(also, iptables is deprecated in favor of nftables)
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/iptables: add init script

[José Pekkarinen]

[-- Attachment #1.1: Type: text/plain, Size: 1624 bytes --]

On Tue, Sep 14, 2021 at 2:05 PM Nicolas Cavallari <
nicolas.cavallari@green-communications.fr> wrote:

> On 14/09/2021 11:46, José Pekkarinen wrote:
> > This patch will add an init script that allows
> > to set a ruleset in /etc/iptables.conf to be loaded
> > on boot, or flushed on stop, as well as a saving
> > command to generate a new file.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > ---
> >   package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> >   package/iptables/iptables.mk |  6 ++++
> >   2 files changed, 64 insertions(+)
> >   create mode 100644 package/iptables/S41iptables
> >
> > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > new file mode 100644
> > index 0000000000..93998b78de
> > --- /dev/null
> > +++ b/package/iptables/S41iptables
>
> Regardless of whether the maintainers want this in buildroot or not, it
> does not make sense to start this after S40network;
> Ideally, the firewall should be enabled before even enabling any network
> interface.
>
> It is even debatable if the firewall should be disabled when shutting
> down, or just left enabled.
>
> (also, iptables is deprecated in favor of nftables)
>

Hi,

Thanks for the very valid points, I don't have any problem

in moving the name to any other number before 40 on demand. Re
the deprecation, I'm not sure if the tools are going away since I believe
there is backward compatibility layer in place, but certainly, if it is
requested, I can bake something similar for nftables and be done.

Best regards.

José.

[-- Attachment #1.2: Type: text/html, Size: 2691 bytes --]

[-- Attachment #2: Type: text/plain, Size: 156 bytes --]

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot