Hello José,

On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il 
> <mailto:baruch@tkos.co.il>> wrote:
>
>     Hi José,
>
>     On Wed, Sep 15 2021, José Pekkarinen wrote:
>     > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il
>     <mailto:baruch@tkos.co.il>> wrote:
>     >  On Tue, Sep 14 2021, José Pekkarinen wrote:
>     >  > This patch will add an init script that allows
>     >  > to set a ruleset in /etc/iptables.conf to be loaded
>     >  > on boot, or flushed on stop, as well as a saving
>     >  > command to generate a new file.
>     >  >
>     >  > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com
>     <mailto:jose.pekkarinen@unikie.com>>
>     >  > ---
>     >  > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>     >  >
>     >  >  package/iptables/S41iptables | 58
>     ++++++++++++++++++++++++++++++++++++
>     >  >  package/iptables/iptables.mk <http://iptables.mk> |  6 ++++
>     >  >  2 files changed, 64 insertions(+)
>     >  >  create mode 100644 package/iptables/S41iptables
>     >  >
>     >  > diff --git a/package/iptables/S41iptables
>     b/package/iptables/S41iptables
>     >  > new file mode 100644
>     >  > index 0000000000..93998b78de
>     >  > --- /dev/null
>     >  > +++ b/package/iptables/S41iptables
>     >  > @@ -0,0 +1,58 @@
>     >  > +#!/bin/sh
>     >  > +
>     >  > +DAEMON="iptables"
>     >  > +
>     >  > +IPTABLES_ARGS=""
>     >  > +
>     >  > +start() {
>     >  > +     printf 'Starting %s: ' "$DAEMON"
>     >  > +     iptables-restore < /etc/iptables.conf
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +stop() {
>     >  > +     printf 'Stopping %s: ' "$DAEMON"
>     >  > +     iptables -F
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +restart() {
>     >  > +     stop
>     >  > +     sleep 1
>     >  > +     start
>     >  > +}
>     >  > +
>     >  > +save() {
>     >  > +     printf 'Saving %s: ' "$DAEMON"
>     >  > +     iptables-save > /etc/iptables.conf
>     >
>     >  What about read-only rootfs?
>     >
>     >     Very good point, will it work if we check the rootfs
>     > whether is ro or rw, and execute on that behalf?
>
>     I'm not sure that this script is a good idea to begin with for the
>     default installation. But if the maintainers think it is, the script
>     should skip the save operation for read-only filesystems. See how
>     package/urandom-scripts/S20urandom handles that.
>
>
>     Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?

Did you try to use post-build script to copy this file into your image?

Best
Bartek
>
>     Best regards.
>
>     José.
>
>
>     baruch
>
>     >
>     >     Thanks for the comments!
>     >
>     >     José.
>     >
>     >  baruch
>     >
>     >  > +     status=$?
>     >  > +     if [ "$status" -eq 0 ]; then
>     >  > +             echo "OK"
>     >  > +     else
>     >  > +             echo "FAIL"
>     >  > +     fi
>     >  > +     return "$status"
>     >  > +}
>     >  > +
>     >  > +case "$1" in
>     >  > +     start|stop|restart|save)
>     >  > +             "$1";;
>     >  > +     reload)
>     >  > +             # Restart, since there is no true "reload" feature.
>     >  > +             restart;;
>     >  > +     *)
>     >  > +             echo "Usage: $0 {start|stop|restart|reload}"
>     >  > +             exit 1
>     >  > +esac
>     >  > diff --git a/package/iptables/iptables.mk
>     <http://iptables.mk> b/package/iptables/iptables.mk
>     <http://iptables.mk>
>     >  > index dc01466607..1d3612dbf6 100644
>     >  > --- a/package/iptables/iptables.mk <http://iptables.mk>
>     >  > +++ b/package/iptables/iptables.mk <http://iptables.mk>
>     >  > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>     >  >       $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>     >  >  endef
>     >  >
>     >  > +define IPTABLES_INSTALL_INIT_SYSV
>     >  > +     $(INSTALL) -m 0755 -D package/iptables/S41iptables \
>     >  > +  $(TARGET_DIR)/etc/init.d/S41iptables
>     >  > +     touch $(TARGET_DIR)/etc/iptables.conf
>     >  > +endef
>     >  > +
>     >  >  $(eval $(autotools-package))
>
>     -- 
>                                                          ~. .~  Tk
>     Open Systems
>     =}------------------------------------------------ooO--U--Ooo------------{=
>        - baruch@tkos.co.il <mailto:baruch@tkos.co.il> - tel:
>     +972.52.368.4656, http://www.tkos.co.il <http://www.tkos.co.il> -
>
>
>
> -- 
>
>     José.
>
>
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--