* [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-14 13:21 UTC
To: buildroot; +Cc: José Pekkarinen

This patch will add an init script that allows a ruleset in /etc/iptables.conf to be loaded on boot, or flushed on stop, as well as a saving command to generate a new file.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
[v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/

 package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
 package/iptables/iptables.mk | 6 ++++
 2 files changed, 64 insertions(+)
 create mode 100644 package/iptables/S41iptables

diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
new file mode 100644
index 0000000000..93998b78de
--- /dev/null
+++ b/package/iptables/S41iptables
@@ -0,0 +1,58 @@ +#!/bin/sh + +DAEMON="iptables" + +IPTABLES_ARGS="" + +start() { + printf 'Starting %s: ' "$DAEMON" + iptables-restore < /etc/iptables.conf + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +stop() { + printf 'Stopping %s: ' "$DAEMON" + iptables -F + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +restart() { + stop + sleep 1 + start +} + +save() { + printf 'Saving %s: ' "$DAEMON" + iptables-save > /etc/iptables.conf + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +case "$1" in + start|stop|restart|save) + "$1";; + reload) + # Restart, since there is no true "reload" feature. + restart;; + *) + echo "Usage: $0 {start|stop|restart|reload}" + exit 1 +esac
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index dc01466607..1d3612dbf6 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) endef +define IPTABLES_INSTALL_INIT_SYSV + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ + $(TARGET_DIR)/etc/init.d/S41iptables + touch $(TARGET_DIR)/etc/iptables.conf +endef + $(eval $(autotools-package))
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
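Review bot: in the S41iptables hunk, stop() runs only `iptables -F`, which flushes the rules of the filter table but leaves the chains' default policies and the nat, mangle and raw tables untouched; if the ruleset in /etc/iptables.conf sets `:INPUT DROP`, a stop (and the first half of every restart/reload) leaves the device with a DROP policy and no accept rules, and if the policy is ACCEPT the stop silently opens the host. Suggest resetting the policies and flushing every table in stop(), e.g. `iptables -P INPUT ACCEPT`, `iptables -P FORWARD ACCEPT` and `iptables -t nat -F`, and letting restart() and reload() call iptables-restore directly, since it replaces each table in a single commit and needs no flush first. Two smaller points in the same hunk: IPTABLES_ARGS is defined but never used, and the usage line `echo "Usage: $0 {start|stop|restart|reload}"` omits the `save` action that the case statement accepts.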
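Review bot: in the iptables.mk hunk, `touch $(TARGET_DIR)/etc/iptables.conf` ships an empty ruleset, so on a fresh image start() feeds an empty file to iptables-restore and reports OK while no firewall is in place; either install a minimal default ruleset next to the script or have start() detect the empty file (`[ -s /etc/iptables.conf ]`) and say so. The hook also defines only IPTABLES_INSTALL_INIT_SYSV; Buildroot packages that ship an init script normally add the matching IPTABLES_INSTALL_INIT_SYSTEMD definition so systemd-based configurations load the ruleset at boot as well.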
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Baruch Siach @ 2021-09-14 16:20 UTC
To: José Pekkarinen; +Cc: buildroot

Hi José,

On Tue, Sep 14 2021, José Pekkarinen wrote:
> This patch will add an init script that allows
> to set a ruleset in /etc/iptables.conf to be loaded
> on boot, or flushed on stop, as well as a saving
> command to generate a new file.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>
> package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> package/iptables/iptables.mk | 6 ++++
> 2 files changed, 64 insertions(+)
> create mode 100644 package/iptables/S41iptables
>
> diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> new file mode 100644
> index 0000000000..93998b78de
> --- /dev/null
> +++ b/package/iptables/S41iptables
> @@ -0,0 +1,58 @@ > +#!/bin/sh > + > +DAEMON="iptables" > + > +IPTABLES_ARGS="" > + > +start() { > + printf 'Starting %s: ' "$DAEMON" > + iptables-restore < /etc/iptables.conf > + status=$? > + if [ "$status" -eq 0 ]; then > + echo "OK" > + else > + echo "FAIL" > + fi > + return "$status" > +} > + > +stop() { > + printf 'Stopping %s: ' "$DAEMON" > + iptables -F > + status=$? > + if [ "$status" -eq 0 ]; then > + echo "OK" > + else > + echo "FAIL" > + fi > + return "$status" > +} > + > +restart() { > + stop > + sleep 1 > + start > +} > + > +save() { > + printf 'Saving %s: ' "$DAEMON" > + iptables-save > /etc/iptables.conf

What about read-only rootfs?

baruch

> + status=$? > + if [ "$status" -eq 0 ]; then > + echo "OK" > + else > + echo "FAIL" > + fi > + return "$status" > +} > + > +case "$1" in > + start|stop|restart|save) > + "$1";; > + reload) > + # Restart, since there is no true "reload" feature. > + restart;; > + *) > + echo "Usage: $0 {start|stop|restart|reload}" > + exit 1 > +esac
> diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> index dc01466607..1d3612dbf6 100644
> --- a/package/iptables/iptables.mk
> +++ b/package/iptables/iptables.mk
> @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > endef > > +define IPTABLES_INSTALL_INIT_SYSV > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > + $(TARGET_DIR)/etc/init.d/S41iptables > + touch $(TARGET_DIR)/etc/iptables.conf > +endef > + > $(eval $(autotools-package))

-- 
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 9:14 UTC
To: Baruch Siach; +Cc: buildroot

On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> Hi José,
>
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > This patch will add an init script that allows
> > to set a ruleset in /etc/iptables.conf to be loaded
> > on boot, or flushed on stop, as well as a saving
> > command to generate a new file.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > ---
> > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> >
> > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > package/iptables/iptables.mk | 6 ++++
> > 2 files changed, 64 insertions(+)
> > create mode 100644 package/iptables/S41iptables
> >
> > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > new file mode 100644
> > index 0000000000..93998b78de
> > --- /dev/null
> > +++ b/package/iptables/S41iptables
> > @@ -0,0 +1,58 @@ > > +#!/bin/sh > > + > > +DAEMON="iptables" > > + > > +IPTABLES_ARGS="" > > + > > +start() { > > + printf 'Starting %s: ' "$DAEMON" > > + iptables-restore < /etc/iptables.conf > > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +stop() { > > + printf 'Stopping %s: ' "$DAEMON" > > + iptables -F > > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +restart() { > > + stop > > + sleep 1 > > + start > > +} > > + > > +save() { > > + printf 'Saving %s: ' "$DAEMON" > > + iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?

Very good point. Would it work if we check whether the rootfs is ro or rw, and act on that?

Thanks for the comments!

José.

> baruch
>
> > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +case "$1" in > > + start|stop|restart|save) > > + "$1";; > > + reload) > > + # Restart, since there is no true "reload" feature. > > + restart;; > > + *) > > + echo "Usage: $0 {start|stop|restart|reload}" > > + exit 1 > > +esac
> > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > index dc01466607..1d3612dbf6 100644
> > --- a/package/iptables/iptables.mk
> > +++ b/package/iptables/iptables.mk
> > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > endef > > > > +define IPTABLES_INSTALL_INIT_SYSV > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > + $(TARGET_DIR)/etc/init.d/S41iptables > > + touch $(TARGET_DIR)/etc/iptables.conf > > +endef > > + > > $(eval $(autotools-package))
>
> -- 
> ~. .~ Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

-- 
José.
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Baruch Siach via buildroot @ 2021-09-15 10:05 UTC
To: José Pekkarinen; +Cc: buildroot

Hi José,

On Wed, Sep 15 2021, José Pekkarinen wrote:
> On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > This patch will add an init script that allows
> > to set a ruleset in /etc/iptables.conf to be loaded
> > on boot, or flushed on stop, as well as a saving
> > command to generate a new file.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > ---
> > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> >
> > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > package/iptables/iptables.mk | 6 ++++
> > 2 files changed, 64 insertions(+)
> > create mode 100644 package/iptables/S41iptables
> >
> > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > new file mode 100644
> > index 0000000000..93998b78de
> > --- /dev/null
> > +++ b/package/iptables/S41iptables
> > @@ -0,0 +1,58 @@ > > +#!/bin/sh > > + > > +DAEMON="iptables" > > + > > +IPTABLES_ARGS="" > > + > > +start() { > > + printf 'Starting %s: ' "$DAEMON" > > + iptables-restore < /etc/iptables.conf > > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +stop() { > > + printf 'Stopping %s: ' "$DAEMON" > > + iptables -F > > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +restart() { > > + stop > > + sleep 1 > > + start > > +} > > + > > +save() { > > + printf 'Saving %s: ' "$DAEMON" > > + iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?
>
> Very good point, will it work if we check the rootfs
> whether is ro or rw, and execute on that behalf?

I'm not sure that this script is a good idea to begin with for the default installation. But if the maintainers think it is, the script should skip the save operation for read-only filesystems. See how package/urandom-scripts/S20urandom handles that.

baruch

> Thanks for the comments!
>
> José.
>
> baruch
>
> > + status=$? > > + if [ "$status" -eq 0 ]; then > > + echo "OK" > > + else > > + echo "FAIL" > > + fi > > + return "$status" > > +} > > + > > +case "$1" in > > + start|stop|restart|save) > > + "$1";; > > + reload) > > + # Restart, since there is no true "reload" feature. > > + restart;; > > + *) > > + echo "Usage: $0 {start|stop|restart|reload}" > > + exit 1 > > +esac
> > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > index dc01466607..1d3612dbf6 100644
> > --- a/package/iptables/iptables.mk
> > +++ b/package/iptables/iptables.mk
> > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > endef > > > > +define IPTABLES_INSTALL_INIT_SYSV > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > + $(TARGET_DIR)/etc/init.d/S41iptables > > + touch $(TARGET_DIR)/etc/iptables.conf > > +endef > > + > > $(eval $(autotools-package))

-- 
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
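The read-only check Baruch asks for above, as an added example that is neither part of the submitted patch nor Buildroot's own S20urandom script: a POSIX sh save() that looks up the mount holding the ruleset file in the mounts table, skips the write when that mount carries the `ro` option, and otherwise writes through a temporary file so a failing iptables-save cannot truncate the ruleset already on disk. The second argument of the functions (a mounts-table path) and the sample table are constructed for demonstration only; on a target they would default to /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the patch or from Buildroot: skip the ruleset
# save when /etc/iptables.conf lives on a read-only mount, and write it
# atomically otherwise.

# Print the mount options of the deepest mount point that contains path $1.
# $2 is the mounts table to read; it defaults to /proc/mounts on a target and
# exists only so the check can be exercised against a constructed table.
mount_opts_for() {
    path="$1"
    table="${2:-/proc/mounts}"
    best=""
    best_opts=""
    while read -r _dev mnt _type opts _rest; do
        match=0
        case "$path" in
            "$mnt"|"$mnt"/*) match=1 ;;
        esac
        # "/" is a prefix of everything but never matches the patterns above.
        [ "$mnt" = "/" ] && match=1
        # Keep the longest matching mount point: /data beats / for /data/x.
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best="$mnt"
            best_opts="$opts"
        fi
    done < "$table"
    printf '%s\n' "$best_opts"
}

# Succeed (exit 0) when the filesystem holding $1 is mounted read-only.
is_readonly() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Save the ruleset to $1 unless its filesystem is read-only. The dump goes to
# a temporary file first and is renamed into place, so a failed iptables-save
# cannot leave an empty or truncated ruleset behind.
save() {
    conf="${1:-/etc/iptables.conf}"
    printf 'Saving iptables: '
    if is_readonly "$conf" "$2"; then
        echo "SKIPPED (read-only filesystem)"
        return 0
    fi
    tmp="$conf.tmp.$$"
    if iptables-save > "$tmp" && mv "$tmp" "$conf"; then
        echo "OK"
        return 0
    fi
    rm -f "$tmp"
    echo "FAIL"
    return 1
}

# Constructed sample mounts table (not captured from a real device) so the
# read-only check can be exercised without root or a target board.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mmcblk0p3 /data ext4 rw,relatime 0 0
EOF

# /etc is on the read-only squashfs root, so save() skips without calling
# iptables-save; /data is on the writable ext4 partition.
save /etc/iptables.conf "$SAMPLE_MOUNTS"
is_readonly /data/iptables.conf "$SAMPLE_MOUNTS" || echo "/data/iptables.conf: writable"
```

In the init script the same check would sit at the top of save() with the conf path hard-coded as in the patch; the longest-prefix lookup matters because a device with a read-only root but a writable /data overlay should still be allowed to save a ruleset kept there.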
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 11:41 UTC
To: Baruch Siach; +Cc: buildroot

On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> > On Tue, Sep 14 2021, José Pekkarinen wrote:
> > > This patch will add an init script that allows
> > > to set a ruleset in /etc/iptables.conf to be loaded
> > > on boot, or flushed on stop, as well as a saving
> > > command to generate a new file.
> > >
> > > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > > ---
> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> > >
> > > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > > package/iptables/iptables.mk | 6 ++++
> > > 2 files changed, 64 insertions(+)
> > > create mode 100644 package/iptables/S41iptables
> > >
> > > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > > new file mode 100644
> > > index 0000000000..93998b78de
> > > --- /dev/null
> > > +++ b/package/iptables/S41iptables
> > > @@ -0,0 +1,58 @@ > > > +#!/bin/sh > > > + > > > +DAEMON="iptables" > > > + > > > +IPTABLES_ARGS="" > > > + > > > +start() { > > > + printf 'Starting %s: ' "$DAEMON" > > > + iptables-restore < /etc/iptables.conf > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +stop() { > > > + printf 'Stopping %s: ' "$DAEMON" > > > + iptables -F > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +restart() { > > > + stop > > > + sleep 1 > > > + start > > > +} > > > + > > > +save() { > > > + printf 'Saving %s: ' "$DAEMON" > > > + iptables-save > /etc/iptables.conf
> >
> > What about read-only rootfs?
> >
> > Very good point, will it work if we check the rootfs
> > whether is ro or rw, and execute on that behalf?
>
> I'm not sure that this script is a good idea to begin with for the
> default installation. But if the maintainers think it is, the script
> should skip the save operation for read-only filesystems. See how
> package/urandom-scripts/S20urandom handles that.

Thanks again, I'm testing a patch to solve the ro rootfs issue. Is there any better approach to have a firewall ruleset by default in the final image?

Best regards.

José.

> baruch
>
> >
> > Thanks for the comments!
> >
> > José.
> >
> > baruch
> >
> > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +case "$1" in > > > + start|stop|restart|save) > > > + "$1";; > > > + reload) > > > + # Restart, since there is no true "reload" feature. > > > + restart;; > > > + *) > > > + echo "Usage: $0 {start|stop|restart|reload}" > > > + exit 1 > > > +esac
> > > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > > index dc01466607..1d3612dbf6 100644
> > > --- a/package/iptables/iptables.mk
> > > +++ b/package/iptables/iptables.mk
> > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > > endef > > > > > > +define IPTABLES_INSTALL_INIT_SYSV > > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > > + $(TARGET_DIR)/etc/init.d/S41iptables > > > + touch $(TARGET_DIR)/etc/iptables.conf > > > +endef > > > + > > > $(eval $(autotools-package))
>
> -- 
> ~. .~ Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

-- 
José.
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Bartosz Biłas @ 2021-09-15 12:11 UTC
To: José Pekkarinen; +Cc: buildroot

Hello José,

On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
>
> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> > On Tue, Sep 14 2021, José Pekkarinen wrote:
> > > This patch will add an init script that allows
> > > to set a ruleset in /etc/iptables.conf to be loaded
> > > on boot, or flushed on stop, as well as a saving
> > > command to generate a new file.
> > >
> > > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > > ---
> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> > >
> > > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > > package/iptables/iptables.mk | 6 ++++
> > > 2 files changed, 64 insertions(+)
> > > create mode 100644 package/iptables/S41iptables
> > >
> > > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> > > new file mode 100644
> > > index 0000000000..93998b78de
> > > --- /dev/null
> > > +++ b/package/iptables/S41iptables
> > > @@ -0,0 +1,58 @@ > > > +#!/bin/sh > > > + > > > +DAEMON="iptables" > > > + > > > +IPTABLES_ARGS="" > > > + > > > +start() { > > > + printf 'Starting %s: ' "$DAEMON" > > > + iptables-restore < /etc/iptables.conf > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +stop() { > > > + printf 'Stopping %s: ' "$DAEMON" > > > + iptables -F > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +restart() { > > > + stop > > > + sleep 1 > > > + start > > > +} > > > + > > > +save() { > > > + printf 'Saving %s: ' "$DAEMON" > > > + iptables-save > /etc/iptables.conf
> >
> > What about read-only rootfs?
> >
> > Very good point, will it work if we check the rootfs
> > whether is ro or rw, and execute on that behalf?
>
> I'm not sure that this script is a good idea to begin with for the
> default installation. But if the maintainers think it is, the script
> should skip the save operation for read-only filesystems. See how
> package/urandom-scripts/S20urandom handles that.
>
>
> Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?

Did you try to use a post-build script to copy this file into your image?

Best
Bartek

>
> Best regards.
>
> José.
>
> baruch
>
> >
> > Thanks for the comments!
> >
> > José.
> >
> > baruch
> >
> > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +case "$1" in > > > + start|stop|restart|save) > > > + "$1";; > > > + reload) > > > + # Restart, since there is no true "reload" feature. > > > + restart;; > > > + *) > > > + echo "Usage: $0 {start|stop|restart|reload}" > > > + exit 1 > > > +esac
> > > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> > > index dc01466607..1d3612dbf6 100644
> > > --- a/package/iptables/iptables.mk
> > > +++ b/package/iptables/iptables.mk
> > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > > endef > > > > > > +define IPTABLES_INSTALL_INIT_SYSV > > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > > + $(TARGET_DIR)/etc/init.d/S41iptables > > > + touch $(TARGET_DIR)/etc/iptables.conf > > > +endef > > > + > > > $(eval $(autotools-package))
>
> -- 
> ~. .~ Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>
>
> -- 
>
> José.
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 12:20 UTC
To: Bartosz Biłas; +Cc: buildroot

On Wed, Sep 15, 2021 at 3:11 PM Bartosz Biłas <b.bilas@grinn-global.com> wrote:
> Hello José,
> On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
>
>> Hi José,
>>
>> On Wed, Sep 15 2021, José Pekkarinen wrote:
>> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
>> > On Tue, Sep 14 2021, José Pekkarinen wrote:
>> > > This patch will add an init script that allows
>> > > to set a ruleset in /etc/iptables.conf to be loaded
>> > > on boot, or flushed on stop, as well as a saving
>> > > command to generate a new file.
>> > >
>> > > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
>> > > ---
>> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>> > >
>> > > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
>> > > package/iptables/iptables.mk | 6 ++++
>> > > 2 files changed, 64 insertions(+)
>> > > create mode 100644 package/iptables/S41iptables
>> > >
>> > > diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
>> > > new file mode 100644
>> > > index 0000000000..93998b78de
>> > > --- /dev/null
>> > > +++ b/package/iptables/S41iptables
>> > > @@ -0,0 +1,58 @@ >> > > +#!/bin/sh >> > > + >> > > +DAEMON="iptables" >> > > + >> > > +IPTABLES_ARGS="" >> > > + >> > > +start() { >> > > + printf 'Starting %s: ' "$DAEMON" >> > > + iptables-restore < /etc/iptables.conf >> > > + status=$? >> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +stop() { >> > > + printf 'Stopping %s: ' "$DAEMON" >> > > + iptables -F >> > > + status=$? >> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +restart() { >> > > + stop >> > > + sleep 1 >> > > + start >> > > +} >> > > + >> > > +save() { >> > > + printf 'Saving %s: ' "$DAEMON" >> > > + iptables-save > /etc/iptables.conf
>> >
>> > What about read-only rootfs?
>> >
>> > Very good point, will it work if we check the rootfs
>> > whether is ro or rw, and execute on that behalf?
>>
>> I'm not sure that this script is a good idea to begin with for the
>> default installation. But if the maintainers think it is, the script
>> should skip the save operation for read-only filesystems. See how
>> package/urandom-scripts/S20urandom handles that.
>
> Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?
>
> Did you try to use post-build script to copy this file into your image?

Hi, I'm using the overlay to populate the final file, but iptables doesn't look for it itself; it requires some external mechanism to load the rules. That is why I proposed this init script, to have a sort of default via from buildroot.

Best regards.

José.

> Best
> Bartek
>
> Best regards.
>
> José.
>
>> baruch
>>
>> >
>> > Thanks for the comments!
>> >
>> > José.
>> >
>> > baruch
>> >
>> > > + status=$? >> > > + if [ "$status" -eq 0 ]; then >> > > + echo "OK" >> > > + else >> > > + echo "FAIL" >> > > + fi >> > > + return "$status" >> > > +} >> > > + >> > > +case "$1" in >> > > + start|stop|restart|save) >> > > + "$1";; >> > > + reload) >> > > + # Restart, since there is no true "reload" feature. >> > > + restart;; >> > > + *) >> > > + echo "Usage: $0 {start|stop|restart|reload}" >> > > + exit 1 >> > > +esac
>> > > diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
>> > > index dc01466607..1d3612dbf6 100644
>> > > --- a/package/iptables/iptables.mk
>> > > +++ b/package/iptables/iptables.mk
>> > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS >> > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) >> > > endef >> > > >> > > +define IPTABLES_INSTALL_INIT_SYSV >> > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ >> > > + $(TARGET_DIR)/etc/init.d/S41iptables >> > > + touch $(TARGET_DIR)/etc/iptables.conf >> > > +endef >> > > + >> > > $(eval $(autotools-package))
>>
>> -- 
>> ~. .~ Tk Open Systems
>> =}------------------------------------------------ooO--U--Ooo------------{=
>> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>
> -- 
>
> José.

-- 
José.