From 3b8df6b6aba3632de7c3c01c8468fbcedb032493 Mon Sep 17 00:00:00 2001
From: Niko Mauno
Date: Tue, 26 Nov 2019 22:14:07 +0200
Subject: iptables: Add systemd helper unit for IPv6 too

Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper unit for automatic IPv4 rule loading. Complement the effort by adding systemd helper unit also for automatic IPv6 rule loading.

Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 .../iptables/iptables/ip6tables.rules | 0
 .../iptables/iptables/ip6tables.service | 13 +++++++++++++
 .../iptables/iptables/iptables.service | 6 +++---
 meta/recipes-extended/iptables/iptables_1.8.3.bb | 21 ++++++++++++++++++++-
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.service
(limited to 'meta/recipes-extended/iptables')
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.service b/meta/recipes-extended/iptables/iptables/ip6tables.service
new file mode 100644
index 0000000000..6c059fca49
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+ExecReload=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
index 5a8aa3f298..0eb3c343de 100644
--- a/meta/recipes-extended/iptables/iptables/iptables.service
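Review bot: `-w` is passed without a seconds value in both ExecStart and ExecReload of ip6tables.service, so ip6tables-restore waits for the xtables lock with no upper bound, and a Type=oneshot unit has no start timeout unless one is set. If the lock were never released, this unit would hold back network-pre.target and everything ordered after it. Consider stating the bound explicitly, for example `TimeoutStartSec=30` in [Service] or `-w 30 --` in the command (30 is a constructed value), and note in a comment which outcome is intended, because a restore that times out leaves the ruleset unloaded. The iptables.service hunk in the next file adds the same `-w --` and has the same property.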
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -1,12 +1,12 @@
 [Unit]
-Description=Packet Filtering Framework
+Description=IPv4 Packet Filtering Framework
 Before=network-pre.target
 Wants=network-pre.target

 [Service]
 Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
 RemainAfterExit=yes

 [Install]
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 73680207b4..96d195d9d0 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -13,11 +13,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
 file://iptables.service \
 file://iptables.rules \
+ file://ip6tables.service \
+ file://ip6tables.rules \
 "
 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"

-SYSTEMD_SERVICE_${PN} = "iptables.service"
+SYSTEMD_SERVICE_${PN} = "\
+ iptables.service \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'ip6tables.service', '', d)} \
+"

 inherit autotools pkgconfig systemd

@@ -51,6 +56,16 @@ do_install_append() {
 -e 's,@SBINDIR@,${sbindir},g' \
 -e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
 ${D}${systemd_system_unitdir}/iptables.service
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'true', 'false', d)} ; then
+ install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
+ install -m 0644 ${WORKDIR}/ip6tables.service ${D}${systemd_system_unitdir}
+
+ sed -i \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ -e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+ ${D}${systemd_system_unitdir}/ip6tables.service
+ fi
 }

 PACKAGES += "${PN}-modules"
@@ -75,6 +90,10 @@ RRECOMMENDS_${PN} = " \
 kernel-module-nf-conntrack-ipv4 \
 kernel-module-nf-nat \
 kernel-module-ipt-masquerade \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', '\
+ kernel-module-ip6table-filter \
+ kernel-module-ip6-tables \
+ ', '', d)} \
 "

 FILES_${PN} += "${datadir}/xtables"
--
cgit 1.2.3-korg
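Review bot: The `ip6tables.rules` installed by the added `install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}` line is the empty file this commit creates, so with the recipe defaults ip6tables.service will presumably start cleanly and stay `active` (RemainAfterExit=yes) while loading no filter rules. That is easy to mistake for a working IPv6 firewall; a comment before the `if` would record it, e.g. `# ip6tables.rules ships empty: the unit filters nothing until the image supplies a ruleset`. It is also worth confirming that files under IPTABLES_RULES_DIR are packaged as configuration files, since the hunk does not show it and a package upgrade that rewrote a deployed ruleset with the empty one would silently remove filtering. do_install_append begins outside this hunk.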
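Review bot: The added `kernel-module-ip6table-filter` and `kernel-module-ip6-tables` entries sit in RRECOMMENDS, so an image can enable ip6tables.service without them being installed. If the support is not built into the kernel either, ip6tables-restore would presumably exit non-zero on a ruleset that uses the filter table and the unit would end up failed, and nothing in the unit's `Before=`/`Wants=network-pre.target` ordering stops the network from coming up afterwards. A comment above the RRECOMMENDS assignment, which starts outside this hunk, would make the dependency visible: `# Recommended, not required: without ip6table_filter (module or built-in) ip6tables.service fails and IPv6 is left unfiltered`.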