From ac90821512f894b7a560e5efb5ed2d44b6218587 Mon Sep 17 00:00:00 2001
From: Colin Booth
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration flexibility

The single configuration file approach that the iptables services provide precludes using it in more complicated buildouts such as ones defined with config management tools. This change takes a hybrid approach of the old method (to preserve backwards compatibility, etc) and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all cases
Load data from /etc/iptables/iptables.rules and all found /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of exiting entirely when a rules file doesn't exist. The run script uses exit code `2' in that case to differentiate between a failed load and wrong use

Caveats: the ip6tables.d match is overly explicit since dash does not provide brace expansion and there is no particularly clean way to match a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts | 5 +----
 srcpkgs/iptables/files/iptables/run | 9 +++++++--
 srcpkgs/iptables/template | 2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..ac1ff599bbd3
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+seen=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+ /etc/ip6tables.d/*.6rules ; do
+ [ ! -f "$rule" ] && continue
+ ip6tables-restore -nw 3 "$rule" || exit 1
+ seen=$((seen+1))
+done
+[ $seen -eq 0 ] && exit 2
 exec chpst -b ip6tables pause
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 if [ "$1" = "-6" ]; then
 iptables=/usr/bin/ip6tables
-else
- # Only ipv4 has a nat table
- tables="$tables nat"
 fi
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..374d8f394fd2 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+seen=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+ [ ! -f "$rule" ] && continue
+ iptables-restore -nw 3 "$rule" || exit 1
+ seen=$((seen+1))
+done
+[ $seen -eq 0 ] && exit 2
 exec chpst -b iptables pause
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"
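Review bot: A parse failure in a later drop-in leaves the rules from the files already restored active while the script exits 1, because `-n` appends each file on top of the previous one and nothing validates the whole set before any of it is applied; the old single-file restore was all-or-nothing. If, as the commit message says, the finish script flushes on every exit, one broken file under `/etc/ip6tables.d/` makes the host alternate between a partially loaded and a fully flushed ruleset in runit's restart loop. iptables-restore 1.8.7 (the version in the template hunk) accepts `-t`/`--test`, so a first pass that only parses every candidate file and then the existing apply loop keeps the load all-or-nothing from the script's side; the iptables/run hunk has the same shape and needs the same treatment. Since glob order also decides which drop-in's policy lines win, a comment such as `# drop-ins are applied in glob (name) order; each file appends to what earlier files loaded` would spare operators a surprise.
```shell
seen=0
# parse every candidate first so a broken drop-in never leaves a half-loaded ruleset
for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
	/etc/ip6tables.d/*.6rules ; do
	[ ! -f "$rule" ] && continue
	ip6tables-restore -t "$rule" || exit 1
done
# … unchanged: apply loop with ip6tables-restore -nw 3, the seen counter and the exit 2 check …
```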
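Review bot: With `nat` now placed before `raw` in `tables` for the `-6` case as well, a host whose kernel or ip6tables build lacks IPv6 nat support will see the `nat` flush fail before `raw` is reached, if the `for table in ${tables}` loop stops at the first error; the loop body is outside the hunk, so I cannot confirm how it reacts. Either put it last, `tables="filter mangle raw nat"`, or make a failing per-table flush non-fatal, so that the flush the run scripts now depend on for every restart always covers the remaining tables. A comment on the `tables` line carrying the rationale the commit message gives, `# nat is flushed for v6 too; the IPv6 nat table needs kernel 3.7+`, would keep that knowledge in the file now that the old "Only ipv4 has a nat table" note is gone.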