author | Jack Mitchell <jack@embed.me.uk> | 2019-09-05 09:35:37 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-09-16 23:02:44 +0100 |
commit | bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 (patch) | |
tree | 08979f0564ca5a80d27ea354c288a7d5c26b0845 /meta | |
parent | 1edc497a80fb967c5ccf5293b4f746645260b780 (diff) | |
download | poky-bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0.tar.gz |
iptables: add systemd helper unit to load/restore rules
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
# iptables-save -f /etc/iptables/iptables.rules
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405
(From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4)
Signed-off-by: Jack Mitchell <jack@embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/iptables/iptables/iptables.rules | 0 | ||||
-rw-r--r-- | meta/recipes-extended/iptables/iptables/iptables.service | 13 | ||||
-rw-r--r-- | meta/recipes-extended/iptables/iptables_1.8.3.bb | 17 |
3 files changed, 29 insertions, 1 deletions
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/meta/recipes-extended/iptables/iptables/iptables.rules | |||
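--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target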
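Review bot: The unit is fail-open: when the iptables-restore on the ExecStart line exits non-zero (missing or malformed /etc/iptables/iptables.rules), the unit is marked failed but boot continues and network-pre.target is still reached, so the network comes up with no filtering and nothing in the unit records that. A comment above ExecStart would make the contract explicit, e.g. `# A restore failure does not block boot; the network then comes up unfiltered, so check this unit's status after editing the rules file.` The shipped iptables.rules is empty (0 lines in the diffstat), so on a fresh image the restore most likely applies nothing and the unit still reports active (exited); a header comment in the rules file stating it is a placeholder to be populated from iptables-save output would avoid that being read as a loaded ruleset. Note also that the rules path is hard-coded to /etc/iptables while the recipe installs it under ${sysconfdir}, unlike the templated @SBINDIR@; a matching placeholder substituted by the same sed line in do_install_append would keep the two in step.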
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb index 6ac3fc60c5..ff9fcb1b53 100644 --- a/meta/recipes-extended/iptables/iptables_1.8.3.bb +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb | |||
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\ | |||
10 | SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ | 10 | SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ |
11 | file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ | 11 | file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ |
12 | file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ | 12 | file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ |
13 | file://iptables.service \ | ||
14 | file://iptables.rules \ | ||
13 | " | 15 | " |
14 | 16 | ||
15 | SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513" | 17 | SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513" |
16 | SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80" | 18 | SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80" |
17 | 19 | ||
18 | inherit autotools pkgconfig | 20 | inherit autotools pkgconfig systemd |
19 | 21 | ||
20 | EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}" | 22 | EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}" |
21 | 23 | ||
@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so" | |||
56 | 58 | ||
57 | ALLOW_EMPTY_${PN}-modules = "1" | 59 | ALLOW_EMPTY_${PN}-modules = "1" |
58 | 60 | ||
61 | do_install_append() { | ||
62 | |||
63 | install -d ${D}${sysconfdir}/iptables | ||
64 | install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables | ||
65 | |||
66 | install -d ${D}${systemd_system_unitdir} | ||
67 | install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir} | ||
68 | |||
69 | sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service | ||
70 | } | ||
71 | |||
72 | SYSTEMD_SERVICE_${PN} = "iptables.service" | ||
73 | |||
59 | RDEPENDS_${PN} = "${PN}-module-xt-standard" | 74 | RDEPENDS_${PN} = "${PN}-module-xt-standard" |
60 | RRECOMMENDS_${PN} = " \ | 75 | RRECOMMENDS_${PN} = " \ |
61 | ${PN}-modules \ | 76 | ${PN}-modules \ |