On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
Hi José,

On Tue, Sep 14 2021, José Pekkarinen wrote:
> This patch adds an init script that loads the
> ruleset in /etc/iptables.conf on boot and flushes
> it on stop, as well as a save command that
> generates a new file.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>
>  package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
>  package/iptables/iptables.mk |  6 ++++
>  2 files changed, 64 insertions(+)
>  create mode 100644 package/iptables/S41iptables
>
> diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
> new file mode 100644
> index 0000000000..93998b78de
> --- /dev/null
> +++ b/package/iptables/S41iptables
> @@ -0,0 +1,58 @@
> +#!/bin/sh
> +
> +DAEMON="iptables"
> +
> +IPTABLES_ARGS=""
> +
> +start() {
> +     printf 'Starting %s: ' "$DAEMON"
> +     iptables-restore < /etc/iptables.conf
> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +     return "$status"
> +}
> +
> +stop() {
> +     printf 'Stopping %s: ' "$DAEMON"
> +     iptables -F
> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +     return "$status"
> +}
> +
> +restart() {
> +     stop
> +     sleep 1
> +     start
> +}
> +
> +save() {
> +     printf 'Saving %s: ' "$DAEMON"
> +     iptables-save > /etc/iptables.conf

What about read-only rootfs?

    Very good point. Would it work if we check whether the
rootfs is ro or rw, and act accordingly?

    Thanks for the comments!

    José.
 
baruch

> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +     return "$status"
> +}
> +
> +case "$1" in
> +     start|stop|restart|save)
> +             "$1";;
> +     reload)
> +             # Restart, since there is no true "reload" feature.
> +             restart;;
> +     *)
> +             echo "Usage: $0 {start|stop|restart|reload}"
> +             exit 1
> +esac
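Review bot: `restart()` runs `stop` (`iptables -F`), sleeps one second and only then reloads, so every restart or reload leaves the filter table empty for that window, and if `iptables-restore` then fails it stays empty. iptables-restore flushes the previous contents of each table it loads unless `--noflush` is given, so `restart() { start; }` keeps the old rules in place until the new ones are committed. `iptables -F` in `stop()` also touches only the filter table and leaves chain policies as they were, so a comment stating the intended post-stop state would help. Separately, `save()` truncates /etc/iptables.conf before `iptables-save` has written anything, so a failed save leaves an empty or partial file for the next boot to load; writing to a temporary file in the same directory and renaming it on success avoids that, as sketched below. The usage line in the `*)` branch also omits `save`.

```shell
save() {
	printf 'Saving %s: ' "$DAEMON"
	# Build the new ruleset next to the target so the rename is atomic.
	tmp=$(mktemp /etc/iptables.conf.XXXXXX) &&
		iptables-save > "$tmp" &&
		mv "$tmp" /etc/iptables.conf
	status=$?
	# A failed save must not leave a partial file behind.
	[ "$status" -eq 0 ] || rm -f "$tmp"
	# … unchanged: OK/FAIL report and return "$status" …
}
```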
> diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> index dc01466607..1d3612dbf6 100644
> --- a/package/iptables/iptables.mk
> +++ b/package/iptables/iptables.mk
> @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>  endef

> +define IPTABLES_INSTALL_INIT_SYSV
> +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
> +             $(TARGET_DIR)/etc/init.d/S41iptables
> +     touch $(TARGET_DIR)/etc/iptables.conf
> +endef
> +
>  $(eval $(autotools-package))
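Review bot: `touch $(TARGET_DIR)/etc/iptables.conf` ships an empty ruleset whose mode comes from the build user's umask, so on a default image S41iptables will presumably report `Starting iptables: OK` while no rules are loaded. A comment above `IPTABLES_INSTALL_INIT_SYSV` would make the placeholder explicit, for example `# Empty placeholder; real rules come from a rootfs overlay or 'S41iptables save'`. If the ruleset is not meant to be world-readable, consider setting the mode explicitly after the touch, e.g. `chmod 0600 $(TARGET_DIR)/etc/iptables.conf`.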


--
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


--
José.