On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach wrote: > Hi José, > > On Wed, Sep 15 2021, José Pekkarinen wrote: > > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach wrote: > > On Tue, Sep 14 2021, José Pekkarinen wrote: > > > This patch will add an init script that allows > > > to set a ruleset in /etc/iptables.conf to be loaded > > > on boot, or flushed on stop, as well as a saving > > > command to generate a new file. > > > > > > Signed-off-by: José Pekkarinen > > > --- > > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/ > > > > > > package/iptables/S41iptables | 58 > ++++++++++++++++++++++++++++++++++++ > > > package/iptables/iptables.mk | 6 ++++ > > > 2 files changed, 64 insertions(+) > > > create mode 100644 package/iptables/S41iptables > > > > > > diff --git a/package/iptables/S41iptables > b/package/iptables/S41iptables > > > new file mode 100644 > > > index 0000000000..93998b78de > > > --- /dev/null > > > +++ b/package/iptables/S41iptables 
> > > @@ -0,0 +1,58 @@ > > > +#!/bin/sh > > > + > > > +DAEMON="iptables" > > > + > > > +IPTABLES_ARGS="" > > > + > > > +start() { > > > + printf 'Starting %s: ' "$DAEMON" > > > + iptables-restore < /etc/iptables.conf > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +stop() { > > > + printf 'Stopping %s: ' "$DAEMON" > > > + iptables -F > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +restart() { > > > + stop > > > + sleep 1 > > > + start > > > +} > > > + > > > +save() { > > > + printf 'Saving %s: ' "$DAEMON" > > > + iptables-save > /etc/iptables.conf > > > > What about read-only rootfs? > > > > Very good point, will it work if we check the rootfs > > whether is ro or rw, and execute on that behalf? > > I'm not sure that this script is a good idea to begin with for the > default installation. But if the maintainers think it is, the script > should skip the save operation for read-only filesystems. See how > package/urandom-scripts/S20urandom handles that. > Thanks again, I'm testing a patch to solve the ro rootfs issue. Is there any better approach to have a firewall ruleset by default in the final image? Best regards. José. > > baruch > > > > > Thanks for the comments! > > > > José. > > > > baruch > > > > > + status=$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +case "$1" in > > > + start|stop|restart|save) > > > + "$1";; > > > + reload) > > > + # Restart, since there is no true "reload" feature. > > > + restart;; > > > + *) > > > + echo "Usage: $0 {start|stop|restart|reload}" > > > + exit 1 > > > +esac > > > diff --git a/package/iptables/iptables.mk b/package/iptables/ > iptables.mk > > > index dc01466607..1d3612dbf6 100644 
> > > --- a/package/iptables/iptables.mk > > > +++ b/package/iptables/iptables.mk > > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > > endef > > > > > > +define IPTABLES_INSTALL_INIT_SYSV > > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > > + $(TARGET_DIR)/etc/init.d/S41iptables > > > + touch $(TARGET_DIR)/etc/iptables.conf > > > +endef > > > + > > > $(eval $(autotools-package)) > > -- > ~. .~ Tk Open > Systems > =}------------------------------------------------ooO--U--Ooo------------{= > - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il - > -- José.
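Review bot: In the S41iptables hunk, stop() only runs `iptables -F`, which flushes the rules of the filter table but leaves the chain policies, any user-defined chains and the nat/mangle/raw tables untouched; if /etc/iptables.conf sets `:INPUT DROP`, "stop" leaves the host with a DROP policy and no ACCEPT rules, cutting off remote access instead of disabling the firewall. Reset the policies (`iptables -P INPUT ACCEPT`, same for FORWARD/OUTPUT), delete user chains with `iptables -X`, and flush the other tables, or restore a known baseline ruleset. The same hunk makes reload() call restart(), i.e. stop, `sleep 1`, start, which opens a one-second window with no rules at all; `iptables-restore` replaces the tables atomically, so reload can simply call start(). In save(), `iptables-save > /etc/iptables.conf` truncates the file before iptables-save runs, so a failing save (or, as raised in this thread, a read-only rootfs) leaves an empty ruleset behind; write to a temporary file in the same directory and rename it over the target, and skip the step when /etc is not writable. Minor: the Usage line omits "save", IPTABLES_ARGS is defined but never used, and nothing handles ip6tables, so an IPv6 host is left unfiltered by this script.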
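Review bot: In the iptables.mk hunk, `touch $(TARGET_DIR)/etc/iptables.conf` installs an empty, 0644 file, so on a stock image S41iptables prints "OK" at boot while installing no rules at all, which gives a false sense that a firewall is active. Either ship a minimal default ruleset, or have the script warn when the file is empty; saved rulesets also list addresses and ports, so install the file with mode 0600 rather than the default. Since Baruch questions whether the script belongs in the default installation, consider installing S41iptables and the config file only behind a Kconfig option instead of unconditionally in IPTABLES_INSTALL_INIT_SYSV.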
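The read-only rootfs problem raised above, as an added example that is not part of the patch or of Buildroot: a save step that probes whether the directory holding the ruleset is writable by actually creating a file there (a plain `test -w` is always true for root and says nothing about a filesystem mounted read-only), skips the save when it is not, and otherwise writes the dump to a temporary file and renames it over the target so a failed dump never truncates the existing ruleset. The variable name `IPTABLES_SAVE` and the function names are assumptions made for this example; the variable defaults to `iptables-save` and only exists so the logic can be exercised on a host without netfilter.

```sh
#!/bin/sh
# Added example (not the patch's code): a save step that is safe on a
# read-only /etc and never leaves a truncated ruleset behind.
# IPTABLES_SAVE is an assumed knob: the command that dumps the rules,
# normally iptables-save.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# Probe writability by creating a file in the directory. Unlike `test -w`
# this fails on a filesystem mounted read-only, and it fails for root too.
dir_is_writable() {
    probe=$(mktemp "$1/.iptables-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
    return 0
}

# Dump the current ruleset to $1. Returns 0 on success or when the
# target directory is not writable (nothing to do), 1 when the dump
# itself failed. The dump goes to a temporary file first and is renamed
# over the target, so a failure never truncates the previous ruleset.
save_ruleset() {
    target=$1
    dir=$(dirname "$target")
    if ! dir_is_writable "$dir"; then
        echo "SKIP ($dir is not writable)"
        return 0
    fi
    tmp=$(mktemp "$dir/.iptables.conf.XXXXXX") || return 1
    if "$IPTABLES_SAVE" > "$tmp" 2>/dev/null; then
        # Saved rulesets list addresses and ports: keep them root-only.
        chmod 0600 "$tmp" && mv -f "$tmp" "$target"
        echo "OK"
    else
        rm -f "$tmp"
        echo "FAIL"
        return 1
    fi
}

# Load $1 with iptables-restore, which replaces the tables atomically;
# a reload therefore needs no flush and has no window without rules.
load_ruleset() {
    if [ ! -s "$1" ]; then
        echo "SKIP ($1 is missing or empty)"
        return 0
    fi
    iptables-restore < "$1"
}

# Dispatch only when invoked with arguments, so sourcing the file for
# tests defines the functions without running anything.
if [ $# -gt 0 ]; then
    case "$1" in
        save) save_ruleset "${2:-/etc/iptables.conf}" ;;
        load) load_ruleset "${2:-/etc/iptables.conf}" ;;
        *) echo "Usage: $0 {save|load} [file]"; exit 1 ;;
    esac
fi
```

On a Buildroot target with a read-only rootfs, `save` prints SKIP and exits 0, so an init system that treats a non-zero status as a failure does not flag it; if the ruleset should survive reboots on such a system, point the file at a writable persistent partition instead of /etc.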