diff options
| author |   Jack Mitchell <jack@embed.me.uk> | 2019-09-05 09:35:37 +0000 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-09-16 09:54:21 +0100 |
| commit | 76d3574d17c38d93ba4660bdae5730ac222994d4 (patch) | |
| tree | a45bcb9b8d25156703d960a545cb6487bbafe720 | |
| parent | 7e0c9290a9971b92bcb313742f126ca7488d91c3 (diff) | |
| download | openembedded-core-contrib-76d3574d17c38d93ba4660bdae5730ac222994d4.tar.gz | |
iptables: add systemd helper unit to load/restore rules
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
# iptables-save -f /etc/iptables/iptables.rules
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405
Signed-off-by: Jack Mitchell <jack@embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
| -rw-r--r-- | meta/recipes-extended/iptables/iptables/iptables.rules | 0 | ||||
| -rw-r--r-- | meta/recipes-extended/iptables/iptables/iptables.service | 13 | ||||
| -rw-r--r-- | meta/recipes-extended/iptables/iptables_1.8.3.bb | 17 |
3 files changed, 29 insertions, 1 deletions
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/meta/recipes-extended/iptables/iptables/iptables.rules diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service new file mode 100644 index 0000000000..041316e457 --- /dev/null +++ b/meta/recipes-extended/iptables/iptables/iptables.service @@ -0,0 +1,13 @@ +[Unit] +Description=Packet Filtering Framework +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb index 6ac3fc60c5..ff9fcb1b53 100644 --- a/meta/recipes-extended/iptables/iptables_1.8.3.bb +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb @@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ + file://iptables.service \ + file://iptables.rules \ " SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513" SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80" -inherit autotools pkgconfig +inherit autotools pkgconfig systemd EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}" @@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so" ALLOW_EMPTY_${PN}-modules = "1" +do_install_append() { + + install -d ${D}${sysconfdir}/iptables + install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir} + + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service +} + +SYSTEMD_SERVICE_${PN} = "iptables.service" + RDEPENDS_${PN} = "${PN}-module-xt-standard" RRECOMMENDS_${PN} = " \ ${PN}-modules \ |