Github messages for voidlinux
From: heliocat <heliocat@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
Date: Thu, 27 May 2021 06:55:27 +0200	[thread overview]
Message-ID: <20210527045527.m9B2F6LhDAq3LHNQa2aMPR-K3SgkzhgkVSnZOkcee5g@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-31145@inbox.vuxu.org>


There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR


#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3787 bytes --]

From 8959846537fd34529ba8e45714636e261f22409d Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of
  exiting entirely when a rules file doesn't exist

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts |  5 +----
 srcpkgs/iptables/files/iptables/run           |  9 +++++++--
 srcpkgs/iptables/template                     |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..f5115689df38
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+count=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -f "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b ip6tables pause
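Review bot: the two globs on the `for` line load in pattern order, not in combined filename order: every `/etc/ip6tables.d/*.rules` is restored before any `/etc/ip6tables.d/*.6rules`, so numeric prefixes meant to order dual-stack and v6-only fragments against each other (say `10-base.6rules` before `20-app.rules`) are not honoured. If cross-suffix ordering matters, iterate a single glob `/etc/ip6tables.d/*` and filter inside the loop with `case "$rule" in *.rules|*.6rules) ;; *) continue ;; esac`, which keeps lexical order and stays dash-compatible. The commit message also lists `ip6rules.rules` while the loop loads `/etc/iptables/ip6tables.rules`; the message should name the actual file.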
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
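Review bot: adding `nat` to the `-6` case means `iptables-flush -6` now issues `ip6tables -t nat ...` on every flush; on a kernel without `ip6table_nat` (or where the module cannot be loaded) that command fails, and the loop body is outside this hunk, so confirm the loop does not abort before `filter`, `mangle` and `raw` are flushed, or skip a missing table explicitly. Since this is the finish-side flush the run scripts now rely on, a partial flush here leaves stale rules that the `-n` restores will append to.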
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..eaa494663c6e 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+count=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -f "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b iptables pause
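Review bot: the new `-n` (`--noflush`) on `iptables-restore` changes behaviour for existing users: rules files are now appended to whatever is already in the tables instead of replacing it, so correctness depends entirely on `finish` having flushed first. The diffstat shows no `finish` script for either service, so confirm both exist and call `iptables-flush` (with `-6` for ip6tables), and mention `--noflush` explicitly in the commit message, since anyone who starts the service after loading rules by hand will now see duplicated rules. A file that fails to restore also leaves the rules from earlier files applied before `exit 1`; that is only acceptable because runsv runs `finish` after `run` exits, which is worth stating in a comment in the script.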
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"
