From: Jack Mitchell <j...@embed.me.uk>

There is currently no way to automatically load iptables rules in OE. Add a systemd unit file to automatically load rules on network connection.

This is cribbed from the way ArchLinux handles iptables with some minor modifications for OE.

New rules can be generated directly on the target using:

Good documentation for writing rules offline is lacking, but the basics are explained here:

https://unix.stackexchange.com/q/400163/49405
Signed-off-by: Jack Mitchell <j...@embed.me.uk> Signed-off-by: Diego Rondini <diego.rond...@kynetics.com> --- Original patch has been posted 3 years ago, but never got approved. I'm posting a rebased patch, including the changes requested in the comments. https://patchwork.openembedded.org/patch/131285/ meta/recipes-extended/iptables/iptables/iptables.rules | 0 .../recipes-extended/iptables/iptables/iptables.service | 13 +++++++++++++ meta/recipes-extended/iptables/iptables_1.8.3.bb | 17 ++++++++++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules create mode 100644 meta/recipes-extended/iptables/iptables/iptables.service diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules new file mode 100644 index 0000000..e69de29 diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service new file mode 100644 index 0000000..041316e --- /dev/null +++ b/meta/recipes-extended/iptables/iptables/iptables.service @@ -0,0 +1,13 @@ +[Unit] +Description=Packet Filtering Framework +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb index 6ac3fc6..ff9fcb1 100644 --- a/meta/recipes-extended/iptables/iptables_1.8.3.bb +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb 
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ + file://iptables.service \ + file://iptables.rules \ " SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513" SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80" -inherit autotools pkgconfig +inherit autotools pkgconfig systemd EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}" @@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so" ALLOW_EMPTY_${PN}-modules = "1" +do_install_append() { + + install -d ${D}${sysconfdir}/iptables + install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir} + + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service +} + +SYSTEMD_SERVICE_${PN} = "iptables.service" + RDEPENDS_${PN} = "${PN}-module-xt-standard" RRECOMMENDS_${PN} = " \ ${PN}-modules \ -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
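Review bot: the unit restores IPv4 rules only (ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules), so traffic arriving over IPv6 is never filtered by it; ArchLinux, which the commit message says this is cribbed from, pairs iptables.service with an ip6tables.service that runs ip6tables-restore on /etc/iptables/ip6tables.rules, and this patch should either add the same counterpart or state in the commit message that IPv6 is out of scope. Separately, /etc/iptables is hard-coded in both ExecStart and ExecReload while the recipe installs the file under ${sysconfdir}/iptables; a @SYSCONFDIR@ placeholder substituted by the same sed that already handles @SBINDIR@ would keep the unit and the recipe in step.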
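Review bot: ${sysconfdir}/iptables/iptables.rules is installed with install -m 0644 but is not listed in CONFFILES_${PN}, so a package upgrade will overwrite rules the user has written on the target; add CONFFILES_${PN} += "${sysconfdir}/iptables/iptables.rules" next to SYSTEMD_SERVICE_${PN}. Two smaller points on the same hunk: the unit is copied into ${systemd_system_unitdir} unconditionally, whereas the usual OE pattern guards that install with if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then ... fi so sysvinit images do not ship an unused unit (and no sysvinit equivalent is provided here, which the commit message should say); and because the shipped iptables.rules is empty (blob e69de29 in the diff), enabling the service changes nothing until the file is populated, which is also worth a sentence in the commit message.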
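The unit above restores whatever is in /etc/iptables/iptables.rules, and the file shipped by the patch is empty, so the first thing a practitioner will do is write a rule set offline in iptables-save format and make sure it is not silently a no-op. The following is an added example, not code from the patch or from OE: it writes a minimal default-deny IPv4 baseline (loopback, established replies, ICMP and SSH, with tcp/22 and the output path being assumptions for illustration) and runs the structural checks that need neither root nor a kernel, optionally followed by iptables-restore --test on the target. Like the unit itself it covers IPv4 only.

```shell
#!/bin/sh
# Added example (not part of the patch): write a baseline IPv4 rule set
# in iptables-save format and sanity-check it before the unit loads it.
# The SSH port (tcp/22) and the file path passed in are assumptions.

# write_baseline_rules FILE
# Default-deny INPUT/FORWARD, allow loopback, replies to our own
# connections, ICMP and new SSH connections. OUTPUT is left open.
write_baseline_rules() {
    cat > "$1" <<'EOF'
# Baseline IPv4 policy for /etc/iptables/iptables.rules (assumed path).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# check_rules_file FILE
# Structural checks that run anywhere: the file is non-empty (an empty
# file restores nothing, so the firewall stays wide open), declares a
# *filter table closed by COMMIT, and sets INPUT to DROP by default.
# With RUN_IPTABLES_TEST=1 and iptables-restore available (root needed),
# also parse the whole file without committing it to the live tables.
# Returns 0 when the file passes, 1 otherwise.
check_rules_file() {
    f="$1"
    [ -s "$f" ] || { echo "$f: empty rules file, nothing will be filtered" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "$f: missing *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" || { echo "$f: INPUT policy is not DROP" >&2; return 1; }
    if [ "${RUN_IPTABLES_TEST:-0}" = 1 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$f" || { echo "$f: iptables-restore rejected the file" >&2; return 1; }
    fi
    return 0
}
```

On the target, `write_baseline_rules /etc/iptables/iptables.rules && RUN_IPTABLES_TEST=1 check_rules_file /etc/iptables/iptables.rules` followed by `systemctl restart iptables.service` exercises the same path the unit takes at boot; an IPv6 host needs an equivalent ip6tables.rules, which this example does not produce.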