authorJack Mitchell <jack@embed.me.uk>2019-09-05 09:35:37 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-09-16 23:02:44 +0100
commitbc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 (patch)
tree08979f0564ca5a80d27ea354c288a7d5c26b0845
parent1edc497a80fb967c5ccf5293b4f746645260b780 (diff)
iptables: add systemd helper unit to load/restore rules
There is currently no way to automatically load iptables rules in OE. Add a systemd unit file to automatically load rules on network connection. This is cribbed from the way ArchLinux handles iptables with some minor modifications for OE. New rules can be generated directly on the target using: # iptables-save -f /etc/iptables/iptables.rules Good documentation for writing rules offline is lacking, but the basics are explained here: https://unix.stackexchange.com/q/400163/49405 (From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4) Signed-off-by: Jack Mitchell <jack@embed.me.uk> Signed-off-by: Diego Rondini <diego.rondini@kynetics.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/iptables/iptables/iptables.rules0
-rw-r--r--meta/recipes-extended/iptables/iptables/iptables.service13
-rw-r--r--meta/recipes-extended/iptables/iptables_1.8.3.bb17
3 files changed, 29 insertions, 1 deletions
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.rules
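diff --git a/meta/recipes-extended/iptables/iptables/iptables.service b/meta/recipes-extended/iptables/iptables/iptables.service
new file mode 100644
index 0000000000..041316e457
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target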
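Review bot: A failure of the `ExecStart` restore on line 8 leaves the unit failed but does not hold back network-pre.target, because `Before=`/`Wants=` only order the unit and do not gate the network on a successful rule load, so an image with a broken rules file boots with no filtering applied; this deserves a comment in the unit, e.g. `# A failed restore does not block the network; check "systemctl status iptables.service" after boot.` The packaged iptables.rules is empty (the diffstat shows 0 lines), so out of the box this unit applies no policy at all, which the commit message implies but the unit does not state. If the 1.8.3 build of iptables-restore supports `--wait`, adding it to both Exec lines avoids a spurious failure when another process briefly holds the xtables lock during early boot.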
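diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 6ac3fc60c5..ff9fcb1b53 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
  file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
  file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+ file://iptables.service \
+ file://iptables.rules \
 "
 
 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd
 
 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
 
@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
 
 ALLOW_EMPTY_${PN}-modules = "1"
 
+do_install_append() {
+
+ install -d ${D}${sysconfdir}/iptables
+ install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+ sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
 RDEPENDS_${PN} = "${PN}-module-xt-standard"
 RRECOMMENDS_${PN} = " \
  ${PN}-modules \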
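Review bot: The rules file installed on line 64 of the second hunk is not declared in `CONFFILES_${PN}`, so a policy edited on the target — the workflow the commit message recommends via `iptables-save -f /etc/iptables/iptables.rules` — can be silently overwritten by a package upgrade; add `CONFFILES_${PN} += "${sysconfdir}/iptables/iptables.rules"` next to `SYSTEMD_SERVICE_${PN}`. The same line installs the rules with mode 0644 although only root's iptables-restore needs to read them, so 0600 would keep the filter policy from being readable by unprivileged users on the device. The unit and rules are installed unconditionally in `do_install_append`, which is fine only if the systemd class handles an image whose DISTRO_FEATURES lacks systemd — I cannot confirm that from this hunk, so a short comment stating the intent would help the next maintainer.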