From 44f482ba07949e17efe468b264047e2c9bde733d Mon Sep 17 00:00:00 2001
From: Colin Booth
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration flexibility

The single configuration file approach that the iptables services provide precludes using it in more complicated buildouts such as ones defined with config management tools. This change takes a hybrid approach of the old method (to preserve backwards compatibility, etc) and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all cases
Load data from /etc/iptables/iptables.rules and all found /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not provide brace expansion and there is no particularly clean way to match a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run | 7 +++++--
 srcpkgs/iptables/files/iptables-flush.scripts | 5 +----
 srcpkgs/iptables/files/iptables/run | 6 ++++--
 srcpkgs/iptables/template | 2 +-
 4 files changed, 11 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..96881a049d3b
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,7 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+ /etc/ip6tables.d/*.6rules ; do
+ [ ! -e "$rule" ] && continue
+ ip6tables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b ip6tables pause
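Review bot: Because every fragment is now loaded with `-n` (--noflush), each file is appended to whatever the kernel already holds, so the load order of the `for` list decides match precedence and nothing in the script records it: `/etc/iptables/ip6tables.rules` first, then `/etc/ip6tables.d/*.rules` in sorted order, then every `*.6rules` after all of the `*.rules` regardless of its name. The same applies to the iptables/run hunk below. A header comment would save drop-in authors a surprise, e.g. `# Fragments are appended (-n), so order matters: ip6tables.rules, then *.rules, then *.6rules, each in sort order; the service's finish script is expected to flush before a reload.` When a later fragment fails the loop exits 1 with the earlier fragments presumably still loaded until that flush runs, so naming the file on stderr, `ip6tables-restore -nw 3 "$rule" || { echo "ip6tables: failed to load $rule" >&2; exit 1; }`, makes the partial state diagnosable from the service log.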
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 if [ "$1" = "-6" ]; then
 iptables=/usr/bin/ip6tables
-else
- # Only ipv4 has a nat table
- tables="$tables nat"
 fi
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..0a94e54abf80 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,6 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+ [ ! -e "$rule" ] && continue
+ iptables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b iptables pause
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"
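Review bot: Listing `nat` unconditionally for the `-6` case assumes the running kernel provides the IPv6 nat table (the commit message cites 3.7+), and on a kernel or iptables build without it the flush acts on a table that does not exist; what that does to the remaining tables depends on the loop body, which begins at the hunk's last line and continues outside it. The removed `else` branch carried a comment explaining the v4/v6 difference, so the new list deserves one too, e.g. `# nat is flushed for both families; IPv6 nat needs kernel >= 3.7`. The `security` table is still absent from the list, so rules a fragment places there would presumably survive a flush; either add it or note the omission next to the assignment.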