[Buildroot] [PATCH v2] package/iptables: add init script
José Pekkarinen
jose.pekkarinen at unikie.com
Wed Sep 15 12:20:32 UTC 2021
On Wed, Sep 15, 2021 at 3:11 PM Bartosz Biłas <b.bilas at grinn-global.com>
wrote:
> Hello José,
> On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
>
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch at tkos.co.il> wrote:
>
>> Hi José,
>>
>> On Wed, Sep 15 2021, José Pekkarinen wrote:
>> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch at tkos.co.il> wrote:
>> > On Tue, Sep 14 2021, José Pekkarinen wrote:
>> > > This patch will add an init script that allows
>> > > to set a ruleset in /etc/iptables.conf to be loaded
>> > > on boot, or flushed on stop, as well as a saving
>> > > command to generate a new file.
>> > >
>> > > Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
>> > > ---
>> > > [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
>> > >
>> > > package/iptables/S41iptables | 58
>> ++++++++++++++++++++++++++++++++++++
>> > > package/iptables/iptables.mk | 6 ++++
>> > > 2 files changed, 64 insertions(+)
>> > > create mode 100644 package/iptables/S41iptables
>> > >
>> > > diff --git a/package/iptables/S41iptables
>> b/package/iptables/S41iptables
>> > > new file mode 100644
>> > > index 0000000000..93998b78de
>> > > --- /dev/null
>> > > +++ b/package/iptables/S41iptables
>> > > @@ -0,0 +1,58 @@
>> > > +#!/bin/sh
>> > > +
>> > > +DAEMON="iptables"
>> > > +
>> > > +IPTABLES_ARGS=""
>> > > +
>> > > +start() {
>> > > + printf 'Starting %s: ' "$DAEMON"
>> > > + iptables-restore < /etc/iptables.conf
>> > > + status=$?
>> > > + if [ "$status" -eq 0 ]; then
>> > > + echo "OK"
>> > > + else
>> > > + echo "FAIL"
>> > > + fi
>> > > + return "$status"
>> > > +}
>> > > +
>> > > +stop() {
>> > > + printf 'Stopping %s: ' "$DAEMON"
>> > > + iptables -F
>> > > + status=$?
>> > > + if [ "$status" -eq 0 ]; then
>> > > + echo "OK"
>> > > + else
>> > > + echo "FAIL"
>> > > + fi
>> > > + return "$status"
>> > > +}
>> > > +
>> > > +restart() {
>> > > + stop
>> > > + sleep 1
>> > > + start
>> > > +}
>> > > +
>> > > +save() {
>> > > + printf 'Saving %s: ' "$DAEMON"
>> > > + iptables-save > /etc/iptables.conf
>> >
>> > What about read-only rootfs?
>> >
>> > Very good point, will it work if we check whether the rootfs
>> > is ro or rw, and execute on that behalf?
>>
>> I'm not sure that this script is a good idea to begin with for the
>> default installation. But if the maintainers think it is, the script
>> should skip the save operation for read-only filesystems. See how
>> package/urandom-scripts/S20urandom handles that.
>>
>
> Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?
>
> Did you try to use a post-build script to copy this file into your image?
>
Hi,
I'm using the overlay to populate the final file,
but iptables doesn't look for it itself, it requires
some external mechanism to load the rules. That
is why I proposed this init script, to have a sort
of default via from buildroot.
Best regards.
José.
> Best
> Bartek
>
>
> Best regards.
>
> José.
>
>
>>
>> baruch
>>
>> >
>> > Thanks for the comments!
>> >
>> > José.
>> >
>> > baruch
>> >
>> > > + status=$?
>> > > + if [ "$status" -eq 0 ]; then
>> > > + echo "OK"
>> > > + else
>> > > + echo "FAIL"
>> > > + fi
>> > > + return "$status"
>> > > +}
>> > > +
>> > > +case "$1" in
>> > > + start|stop|restart|save)
>> > > + "$1";;
>> > > + reload)
>> > > + # Restart, since there is no true "reload" feature.
>> > > + restart;;
>> > > + *)
>> > > + echo "Usage: $0 {start|stop|restart|reload}"
>> > > + exit 1
>> > > +esac
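Review bot: stop() runs only `iptables -F`, which flushes the rules of the filter table but leaves chain policies, user-defined chains and the nat/mangle/raw tables exactly as the restored ruleset set them; if /etc/iptables.conf ends its chains with a DROP policy, "stop" leaves every packet dropped with no ACCEPT rule in front of it. Consider resetting the policies to ACCEPT and flushing/deleting the other tables and user chains in stop(), or stating in the commit message that stop() does not return the box to an open firewall. Two smaller points in the same hunk: save() redirects straight into /etc/iptables.conf, so a failing iptables-save truncates the file that start() restores on the next boot (write to a temporary file and rename it into place), and the usage line omits `save` although the case statement accepts it, while IPTABLES_ARGS is defined but never used.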
>> > > diff --git a/package/iptables/iptables.mk b/package/iptables/
>> iptables.mk
>> > > index dc01466607..1d3612dbf6 100644
>> > > --- a/package/iptables/iptables.mk
>> > > +++ b/package/iptables/iptables.mk
>> > > @@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
>> > > $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
>> > > endef
>> > >
>> > > +define IPTABLES_INSTALL_INIT_SYSV
>> > > + $(INSTALL) -m 0755 -D package/iptables/S41iptables \
>> > > + $(TARGET_DIR)/etc/init.d/S41iptables
>> > > + touch $(TARGET_DIR)/etc/iptables.conf
>> > > +endef
>> > > +
>> > > $(eval $(autotools-package))
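Review bot: `touch $(TARGET_DIR)/etc/iptables.conf` ships an empty ruleset by default, so on an image with no overlay-provided file start() hands iptables-restore an empty input and prints "OK" as long as that exits 0, although no rule has been loaded. Either have start() skip with a clear message when the file is empty, or install a documented default ruleset, and say in the commit message that the real rules are expected to come from a rootfs overlay or from `save`.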
>>
>> --
>> ~. .~ Tk Open
>> Systems
>>
>> =}------------------------------------------------ooO--U--Ooo------------{=
>> - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
>>
>
>
> --
>
> José.
>
>
--
José.