From: José Pekkarinen <jose.pekkarinen@unikie.com>
Date: Wed, 15 Sep 2021 14:41:27 +0300
To: Baruch Siach
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2] package/iptables: add init script
References: <20210914132139.3597322-1-jose.pekkarinen@unikie.com> <87ee9rgm9e.fsf@tarshish> <87k0jif8w4.fsf@tarshish>
In-Reply-To: <87k0jif8w4.fsf@tarshish>

On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach wrote:
> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach wrote:
> > On Tue, Sep 14 2021, José Pekkarinen wrote:
> > > This patch will add an init script that allows
> > > to set a ruleset in /etc/iptables.conf to be loaded
> > > on boot, or flushed on stop, as well as a saving
> > > command to generate a new file.
> > >
> > > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> > > ---
> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> > >
> > > package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
> > > package/iptables/iptables.mk | 6 ++++
> > > 2 files changed, 64 insertions(+)
> > > create mode 100644 package/iptables/S41iptables
> > > > > > diff --git a/package/iptables/S41iptables > b/package/iptables/S41iptables > > > new file mode 100644 > > > index 0000000000..93998b78de > > > --- /dev/null > > > +++ b/package/iptables/S41iptables 
> > > @@ -0,0 +1,58 @@ > > > +#!/bin/sh > > > + > > > +DAEMON=3D"iptables" > > > + > > > +IPTABLES_ARGS=3D"" > > > + > > > +start() { > > > + printf 'Starting %s: ' "$DAEMON" > > > + iptables-restore < /etc/iptables.conf > > > + status=3D$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +stop() { > > > + printf 'Stopping %s: ' "$DAEMON" > > > + iptables -F > > > + status=3D$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +restart() { > > > + stop > > > + sleep 1 > > > + start > > > +} > > > + > > > +save() { > > > + printf 'Saving %s: ' "$DAEMON" > > > + iptables-save > /etc/iptables.conf > > > > What about read-only rootfs? > > > > Very good point, will it work if we check the rootfs > > whether is ro or rw, and execute on that behalf? > > I'm not sure that this script is a good idea to begin with for the > default installation. But if the maintainers think it is, the script > should skip the save operation for read-only filesystems. See how > package/urandom-scripts/S20urandom handles that. > Thanks again, I'm testing a patch to solve the ro rootfs issue. Is there any better approach to have a firewall ruleset by default in the final image? Best regards. Jos=C3=A9. > > baruch > > > > > Thanks for the comments! > > > > Jos=C3=A9. > > > > baruch > > > > > + status=3D$? > > > + if [ "$status" -eq 0 ]; then > > > + echo "OK" > > > + else > > > + echo "FAIL" > > > + fi > > > + return "$status" > > > +} > > > + > > > +case "$1" in > > > + start|stop|restart|save) > > > + "$1";; > > > + reload) > > > + # Restart, since there is no true "reload" feature. > > > + restart;; > > > + *) > > > + echo "Usage: $0 {start|stop|restart|reload}" > > > + exit 1 > > > +esac 
> > > diff --git a/package/iptables/iptables.mk b/package/iptables/ iptables.mk > > > index dc01466607..1d3612dbf6 100644 > > > --- a/package/iptables/iptables.mk > > > +++ b/package/iptables/iptables.mk > > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS > > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) > > > endef > > > > > > +define IPTABLES_INSTALL_INIT_SYSV > > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \ > > > + $(TARGET_DIR)/etc/init.d/S41iptables > > > + touch $(TARGET_DIR)/etc/iptables.conf > > > +endef > > > + > > > $(eval $(autotools-package))
> --
> ~. .~ Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
> - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>
--
José.
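Review bot: in the S41iptables hunk, `stop()` runs a bare `iptables -F`, which empties only the filter table and leaves the chain policies exactly as /etc/iptables.conf set them; with a ruleset whose INPUT policy is DROP, "stop" leaves the host unreachable rather than unfiltered, and rules in nat/mangle/raw plus any user-defined chains survive. Reset the policies to ACCEPT and flush (`-F`) and delete (`-X`) the chains of each table listed in /proc/net/ip_tables_names, or, if the intent is fail-closed, restore a minimal ruleset instead of flushing. Two further points in the same hunk: `save()` uses `iptables-save > /etc/iptables.conf`, so the shell truncates the file before the command runs and a failing iptables-save leaves an empty ruleset for the next boot (write to a temporary file and `mv` it into place on success, behind the read-only check already requested in the thread); and `start()` reports OK on the empty file that the iptables.mk hunk creates, because iptables-restore accepts empty input, so the script should say when no rules were loaded. Minor: `IPTABLES_ARGS=""` is assigned and never used, and the usage string `{start|stop|restart|reload}` omits `save` although the case arm accepts it.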
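Review bot: in the iptables.mk hunk, `touch $(TARGET_DIR)/etc/iptables.conf` creates the ruleset with the build host's umask, typically 0644, and a firewall ruleset is a map of the addresses and ports a host trusts; create it with an explicit mode instead (install it with `-m 0600` from /dev/null, or follow the touch with `chmod 0600`). Because the file is empty, the script installed at `$(TARGET_DIR)/etc/init.d/S41iptables` loads no rules until someone runs `save`, so every image ships a no-op service by default, which is the concern Baruch raises; making the init script opt-in or documenting the intended workflow in the commit message would address that. Sequence number: S41 sorts after the S40network script that Buildroot's ifupdown-scripts package installs, so interfaces are already up when the ruleset is restored; if rules are meant to be in place before the network comes up, a number below 40 is needed. There is also no `IPTABLES_INSTALL_INIT_SYSTEMD` counterpart, so systemd-based images get nothing equivalent.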