Github messages for voidlinux
* [PR PATCH] iptables: adjust run scripts for more configuration flexibility
@ 2021-05-27  4:29 heliocat
  2021-05-27  4:30 ` heliocat
                   ` (22 more replies)
  0 siblings, 23 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:29 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2494 bytes --]

There is a new pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3441 bytes --]

From 4cd5bd5cc5f7dbb0935258ba5a1dedcd7fee40d3 Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 7 +++++--
 srcpkgs/iptables/files/iptables-flush.scripts | 5 +----
 srcpkgs/iptables/files/iptables/run           | 6 ++++--
 srcpkgs/iptables/template                     | 2 +-
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
index 10e559afe91d..803231c4a93c 100644
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,7 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.rules ; do
+    [ ! -e "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b ip6tables pause
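Review bot: the `for` list names `/etc/ip6tables.d/*.rules` twice (the entry at the end of the first loop-header line and the continuation line below it), so every matching file is fed to `ip6tables-restore -n` twice, and with no flush in between each rule is appended a second time. The commit message describes the intended match as `ip6tables.d/*.{,6}rules`, so the continuation line should read `/etc/ip6tables.d/*.6rules`.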
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
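Review bot: removing the `# Only ipv4 has a nat table` comment leaves the new unconditional `nat` entry in `tables` unexplained in the script itself. Suggest a one-line comment above `tables="filter mangle nat raw"` stating that nat is flushed for both families because ip6tables has had a nat table since kernel 3.7 (as the commit message says), so a later reader does not reintroduce the v4-only branch.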
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..0a94e54abf80 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,6 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -e "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b iptables pause
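Review bot: `[ ! -e "$rule" ] && continue` admits anything that exists under that name, including a directory or FIFO placed in `/etc/iptables.d/` with a `.rules` suffix; `iptables-restore` then fails and the `|| exit 1` takes the whole service down. `-f` restricts the loop to regular files and, like `-e`, still skips dangling symlinks, so it is the safer test here.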
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"

^ permalink raw reply	[flat|nested] 24+ messages in thread
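The loading loop the PR description lays out (legacy single file first, then every drop-in file, applied with `-n` so nothing is flushed between files) has a few properties worth seeing on real input: which filesystem entries `-e` and `-f` let through, the order the two suffixes end up in, and what is left loaded when one file fails. The script below is an added example, not code from the PR or from the Void iptables package: it reproduces the loop against a constructed temporary directory and uses a stand-in for `ip6tables-restore -n` so it runs without privileges. Every function name (`make_fixture`, `fake_restore`, `count_passing`, `load_rule_files`, `loaded_order`) and the fixture contents are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR or the Void package): emulate the run-script
# loading loop against a constructed directory tree, with a stand-in for
# "ip6tables-restore -n" so it runs unprivileged. All function names and the
# fixture contents are hypothetical.

# Build a throwaway layout mirroring /etc/iptables/ip6tables.rules plus a
# drop-in directory. Prints the temp directory it created.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/iptables" "$d/ip6tables.d"
    printf '*filter\nCOMMIT\n' > "$d/iptables/ip6tables.rules"
    printf '*filter\nCOMMIT\n' > "$d/ip6tables.d/20-app.rules"
    printf '*filter\nCOMMIT\n' > "$d/ip6tables.d/10-base.rules"
    printf '*nat\nCOMMIT\n'    > "$d/ip6tables.d/05-v6only.6rules"
    mkdir "$d/ip6tables.d/old.rules"                   # directory: passes -e, fails -f
    ln -s "$d/missing" "$d/ip6tables.d/dangling.rules" # broken symlink: fails both
    : > "$d/ip6tables.d/notes.txt"                     # wrong suffix: never globbed
    printf '%s\n' "$d"
}

# Stand-in for "ip6tables-restore -n FILE": appends the path to a log so the
# order of application can be inspected. An empty file is treated as a parse
# error so the failure path can be exercised.
fake_restore() {
    [ -s "$2" ] || return 1
    printf '%s\n' "$2" >> "$1"
}

# How many globbed entries a given test operator lets through. Shows why the
# review asked for -f: -e also admits the directory, which a real restore
# would then fail on.
count_passing() {
    flag=$1; base=$2; dropin=$3; n=0
    for rule in "$base" "$dropin"/*.rules "$dropin"/*.6rules; do
        test "$flag" "$rule" && n=$((n+1))
    done
    printf '%s\n' "$n"
}

# Same shape as the final run script: legacy file first, then *.rules, then
# *.6rules, applied without flushing. Prints the number of files applied and
# returns 1 on the first failure, leaving earlier files applied (the scripts
# rely on the finish script to flush in that case).
load_rule_files() {
    base=$1; dropin=$2; log=$3; count=0
    for rule in "$base" "$dropin"/*.rules "$dropin"/*.6rules; do
        [ -f "$rule" ] || continue
        fake_restore "$log" "$rule" || return 1
        count=$((count+1))
    done
    printf '%s\n' "$count"
}

# Basenames of the applied files in application order, space separated.
loaded_order() {
    order=
    while IFS= read -r p; do
        order="$order${order:+ }${p##*/}"
    done < "$1"
    printf '%s\n' "$order"
}

main() {
    d=$(make_fixture) || exit 1
    base="$d/iptables/ip6tables.rules"; dropin="$d/ip6tables.d"; log="$d/applied.log"
    : > "$log"
    echo "entries passing -e: $(count_passing -e "$base" "$dropin")"
    echo "entries passing -f: $(count_passing -f "$base" "$dropin")"
    n=$(load_rule_files "$base" "$dropin" "$log") || echo "restore failed after partial load"
    echo "applied ${n:-0} file(s): $(loaded_order "$log")"
    rm -rf "$d"
}
main
```

Run as `sh example.sh`. Three things fall out of the fixture: `-e` counts five candidates while `-f` counts four (the directory named `old.rules` is the difference, and the dangling symlink fails both, exactly as the discussion below says); the application order is `ip6tables.rules`, then all `*.rules` in glob order, then all `*.6rules`, so a `05-*.6rules` file lands after a `20-*.rules` file regardless of its prefix; and when a file in the middle fails, the files before it stay applied, which is why the scripts lean on the finish script to flush.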

* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
@ 2021-05-27  4:30 ` heliocat
  2021-05-27  4:39 ` [PR PATCH] [Updated] " heliocat
                   ` (21 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:30 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 184 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-849310673

Comment:
@the-maldridge Relevant to your interests.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
  2021-05-27  4:30 ` heliocat
@ 2021-05-27  4:39 ` heliocat
  2021-05-27  4:44 ` [PR REVIEW] " the-maldridge
                   ` (20 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:39 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3534 bytes --]

From 44f482ba07949e17efe468b264047e2c9bde733d Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 7 +++++--
 srcpkgs/iptables/files/iptables-flush.scripts | 5 +----
 srcpkgs/iptables/files/iptables/run           | 6 ++++--
 srcpkgs/iptables/template                     | 2 +-
 4 files changed, 11 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..96881a049d3b
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,7 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -e "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b ip6tables pause
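Review bot: the `[ ! -e "$rule" ]` test on the third loop line still lets a directory named like a rules file through to `ip6tables-restore`, which then fails and the `|| exit 1` stops the service; `-f` is the safer check. Separately, this patch flips the file mode of `srcpkgs/iptables/files/ip6tables/run` to 100755 (`old mode 100644` / `new mode 100755` in the file header) while the `iptables/run` counterpart stays 100644 in the same patch; if the mode change is deliberate it deserves a sentence in the commit message, otherwise the two run scripts should agree.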
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..0a94e54abf80 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,6 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -e "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+done
 exec chpst -b iptables pause
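Review bot: when no rules file matches at all, the loop body never runs and the script continues to `exec chpst -b iptables pause`, so the service reports up with no ruleset loaded; the removed `[ ! -e /etc/iptables/iptables.rules ] && exit 0` used to exit instead. Either keep that early exit (for example by counting successful restores and exiting 0 when the count is zero) or state in the commit message that an empty configuration is now a valid running service.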
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (3 preceding siblings ...)
  2021-05-27  4:44 ` the-maldridge
@ 2021-05-27  4:44 ` the-maldridge
  2021-05-27  4:54 ` [PR PATCH] [Updated] " heliocat
                   ` (17 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: the-maldridge @ 2021-05-27  4:44 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 168 bytes --]

New review comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640281165

Comment:
duplicate glob.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (2 preceding siblings ...)
  2021-05-27  4:44 ` [PR REVIEW] " the-maldridge
@ 2021-05-27  4:44 ` the-maldridge
  2021-05-27  4:44 ` the-maldridge
                   ` (18 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: the-maldridge @ 2021-05-27  4:44 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 157 bytes --]

New review comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640280868

Comment:
`-f`

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
  2021-05-27  4:30 ` heliocat
  2021-05-27  4:39 ` [PR PATCH] [Updated] " heliocat
@ 2021-05-27  4:44 ` the-maldridge
  2021-05-27  4:44 ` the-maldridge
                   ` (19 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: the-maldridge @ 2021-05-27  4:44 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 157 bytes --]

New review comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640280825

Comment:
`-f`

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (4 preceding siblings ...)
  2021-05-27  4:44 ` the-maldridge
@ 2021-05-27  4:54 ` heliocat
  2021-05-27  4:54 ` [PR REVIEW] " heliocat
                   ` (16 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3787 bytes --]

From e31fa998f73d4f7372efbfa76f3c69fe53c93ce5 Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of
  exiting entirely when a rules file doesn't exist

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts |  5 +----
 srcpkgs/iptables/files/iptables/run           |  9 +++++++--
 srcpkgs/iptables/template                     |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..72a3e4633b0d
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+count=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -e "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b ip6tables pause
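Review bot: the `count` accumulator and `[ $count -eq 0 ] && exit 0` restore the old "nothing to load" behaviour, which addresses the fall-through concern, but `[ ! -e "$rule" ] && continue` on the loop's first body line is unchanged from the previous revision; the `-f` request from the review still applies here and to the `iptables/run` hunk below.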
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..a5464bf96e58 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+count=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -e "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b iptables pause
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (5 preceding siblings ...)
  2021-05-27  4:54 ` [PR PATCH] [Updated] " heliocat
@ 2021-05-27  4:54 ` heliocat
  2021-05-27  4:55 ` [PR PATCH] [Updated] " heliocat
                   ` (15 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

New review comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640286091

Comment:
Fixed. That was the typo I mentioned in irc.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (6 preceding siblings ...)
  2021-05-27  4:54 ` [PR REVIEW] " heliocat
@ 2021-05-27  4:55 ` heliocat
  2021-05-27  4:58 ` [PR REVIEW] " heliocat
                   ` (14 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:55 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3787 bytes --]

From 8959846537fd34529ba8e45714636e261f22409d Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of
  exiting entirely when a rules file doesn't exist

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts |  5 +----
 srcpkgs/iptables/files/iptables/run           |  9 +++++++--
 srcpkgs/iptables/template                     |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..f5115689df38
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+count=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -f "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b ip6tables pause
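Review bot: because every file is applied with `-n`, the order of application decides rule precedence, and this loop applies `ip6tables.rules` first, then every `*.rules` in glob order, then every `*.6rules`, so a `05-foo.6rules` drop-in lands after a `90-bar.rules` one despite its lower prefix. That is a reasonable design, but it is not obvious from the file list on the `for` line; a short comment above the loop (or a note in the package's install message) telling drop-in authors that the two suffixes are not interleaved would prevent surprises.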
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..eaa494663c6e 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+count=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -f "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 0
 exec chpst -b iptables pause
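Review bot: `iptables-restore -nw 3 "$rule" || exit 1` in the middle of the loop leaves the rules from the files already processed loaded when a later file fails, since nothing is flushed before or between files. The commit message says the scripts now rely on the finish script to flush in all cases, which makes this consistent, but that invariant lives only in the commit message; a one-line comment above the loop ("no flush here; finish flushes on exit") would keep the next editor from reintroducing a pre-load flush or from dropping the finish script.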
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (7 preceding siblings ...)
  2021-05-27  4:55 ` [PR PATCH] [Updated] " heliocat
@ 2021-05-27  4:58 ` heliocat
  2021-05-27  4:58 ` heliocat
                   ` (13 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 309 bytes --]

New review comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640287184

Comment:
Broken symlinks fail both `-e` and `-f` checks and the previous had `-e` which is why I left it. I'm not married to `-e` (my preference is for `-f`) so updating.


* Re: [PR REVIEW] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (8 preceding siblings ...)
  2021-05-27  4:58 ` [PR REVIEW] " heliocat
@ 2021-05-27  4:58 ` heliocat
  2021-05-27  5:02 ` [PR PATCH] [Updated] " heliocat
                   ` (12 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  4:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 309 bytes --]

New review comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#discussion_r640287237

Comment:
Broken symlinks fail both `-e` and `-f` checks and the previous had `-e` which is why I left it. I'm not married to `-e` (my preference is for `-f`) so updating.


* Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (9 preceding siblings ...)
  2021-05-27  4:58 ` heliocat
@ 2021-05-27  5:02 ` heliocat
  2021-05-27  5:07 ` heliocat
                   ` (11 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  5:02 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3892 bytes --]

From d3f94da2e96b6ba9fc0de6080cf74f4e081796b1 Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of
  exiting entirely when a rules file doesn't exist. The run script uses
  exit code `2' in that case to differentiate between a failed load and
  wrong use

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts |  5 +----
 srcpkgs/iptables/files/iptables/run           |  9 +++++++--
 srcpkgs/iptables/template                     |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..916d226411ac
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+count=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -f "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 2
 exec chpst -b ip6tables pause
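Review bot: the two drop-in globs are expanded one after the other, so every `/etc/ip6tables.d/*.rules` is loaded before any `*.6rules`, and a numeric prefix such as `10-` or `20-` only orders fragments that share a suffix. If mixing suffixes is meant to be supported, build one sorted list (for instance by piping both expansions through `sort`) before the load loop, or document that the `.6rules` set always comes last. The commit message also refers to `ip6rules.rules` while the hunk loads `/etc/iptables/ip6tables.rules`.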
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
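Review bot: removing the `# Only ipv4 has a nat table` comment leaves no trace in the script of why `nat` is now flushed for IPv6 as well; keep a one-line comment with the reason from the commit message (IPv6 nat available since kernel 3.7) so the `else` branch is not reintroduced by the next reader, and confirm that the loop below tolerates a kernel where the IPv6 nat table is not available.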
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..95e2b11d326c 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+count=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -f "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+    count=$((count+1))
+done
+[ $count -eq 0 ] && exit 2
 exec chpst -b iptables pause
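Review bot: when a later fragment fails, `|| exit 1` leaves the fragments restored before it in the kernel and relies on runsv running `finish` to flush them, as discussed in the thread; that dependency is invisible in the script itself, so add a comment stating that a partial ruleset is undone by `finish`. Note also that after `exit 2` runsv still runs `finish` and then restarts `run`, so a host with no rules files will cycle through flush-and-restart rather than stay down; either document that or make the no-rules case stop the service (for example with `sv down`).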
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (10 preceding siblings ...)
  2021-05-27  5:02 ` [PR PATCH] [Updated] " heliocat
@ 2021-05-27  5:07 ` heliocat
  2021-05-27 11:20 ` ailiop-git
                   ` (10 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27  5:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-849323424

Comment:
Run scripts updated to exit when no rules were loaded. I don't consider the previous behavior of exiting 0 on incorrect use to be good form so I've updated the exit code. Either way the finish scripts shipped here don't care about $1 so this is a behavior change with no impact.


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (11 preceding siblings ...)
  2021-05-27  5:07 ` heliocat
@ 2021-05-27 11:20 ` ailiop-git
  2021-05-27 11:24 ` ailiop-git
                   ` (9 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: ailiop-git @ 2021-05-27 11:20 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1017 bytes --]

New comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-849550647

Comment:
I generally dislike splitting config files over those `blah.d` dirs (especially when they're scattered around the hier like sysctl.d..), but that's just a personal preference. If this change indeed serves a real and actual need right now, then so be it.

My only two other comments would be:

The naming of the `rule` var may be misleading; those are `ruleset` fragments (technically tables since this is the minimum granule that iptables can operate on but oh well), rather than individual filtering rules being loaded at every iteration.

Also, why not just `cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore` so that the entire aggregated ruleset will be loaded in one-go rather than invoking iptables-restore repeatedly? This would simplify and avoid the need to add the --noflush flag and the counter/exit code issue altogether.


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (12 preceding siblings ...)
  2021-05-27 11:20 ` ailiop-git
@ 2021-05-27 11:24 ` ailiop-git
  2021-05-27 17:42 ` heliocat
                   ` (8 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: ailiop-git @ 2021-05-27 11:24 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 664 bytes --]

New comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-849553123

Comment:
> Also, why not just `cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore` so that the entire aggregated ruleset will be loaded in one-go rather than invoking iptables-restore repeatedly? This would simplify and avoid the need to add the --noflush flag and the counter/exit code issue altogether.

Actually `--noflush` will still be required (otherwise iptables-restore will flush any tables that are provided multiple times within the same aggregated ruleset, even within a single invocation).




* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (13 preceding siblings ...)
  2021-05-27 11:24 ` ailiop-git
@ 2021-05-27 17:42 ` heliocat
  2021-05-27 22:26 ` heliocat
                   ` (7 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-27 17:42 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2985 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-849818635

Comment:
> I generally dislike splitting config files over those `blah.d` dirs (especially when they're scattered around the hier like sysctl.d..), but that's just a personal preference. If this change indeed serves a real and actual need right now, then so be it.
> 
The void-infrastructure project and the void-ansible-roles/network subproject use blah.d directories and a dhcpcd hook script to assemble a composite firewall definition out of rules dropped into .d directories. My goal here is to move that logic out of a custom ansible-managed set of scripts and into the iptables package itself in order to have a cleaner migration path away from dhcpcd as the network manager for static addressed hosts.
>
> My only two other comments would be:
> 
> The naming of the `rule` var may be misleading; those are `ruleset` fragments (technically tables since this is the minimum granule that iptables can operate on but oh well), rather than individual filtering rules being loaded at every iteration.
> 
I don't have an opinion either way, if this is something you feel strongly about it's a fairly trivial change.
>
> Also, why not just `cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore` so that the entire aggregated ruleset will be loaded in one-go rather than invoking iptables-restore repeatedly? This would simplify and avoid the need to add the --noflush flag and the counter/exit code issue altogether.
>
You already noted the `--noflush` comment. For the counter, some kind of detection is still needed to avoid @the-maldridge's earlier issue about wrong usage (no rules at all) leaving the service "up":
```
# cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore -n ; echo $?
cat: /etc/iptables/iptables.rules: No such file or directory
cat: '/etc/iptables.d/*.rules': No such file or directory
0
```
In the previous iteration this was handled by the single file check but you can't rely on that now since I'm trying to support rules in either or both locations. Similarly, switching to bash and pipefail doesn't work because cat will exit 1 if *any* input file doesn't exist, which will be the case for installs that only use iptables.rules (all classic installs). The only way to get the behavior I want is to set errexit and nullglob in bash, and then call the pipeline with timeout in order to catch a null-read in the case where no rules files exist. I consider that a heavier and harder to read change than an accumulator, though I will admit that `count` is a semantically poor name so I've staged a change updating it to `seen`. 

Let me know about how you feel on rule vs. ruleset, and if you have a better approach to glob-based file detection in dash. The best I can come up with is a loop and (if necessary) accumulator but there might be something I'm missing.

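The fragment-discovery logic argued over in ailiop-git's `cat | iptables-restore` suggestion and heliocat's reply above, as an added POSIX-sh example that is not code from the PR or from void-packages. `fake_restore`, `$LOADLOG`, the function names and the sample fragment files are constructed for this example; it runs under dash or bash without root or netfilter, and it goes one step beyond the PR's loop by merging the `.rules` and `.6rules` globs into a single sorted list so that numeric prefixes order fragments across suffixes.

```shell
#!/bin/sh
# Added example, not code from the PR or from void-packages: a dash-compatible
# sketch of run-script fragment discovery. fake_restore is a constructed
# stand-in for `iptables-restore -nw 3 FILE`; sample fragments go to a temp dir.

# list_fragments FIXED DIR SUFFIX...
# Prints FIXED first (if it is a regular file), then every DIR/*.SUFFIX for all
# suffixes, merged and sorted once so numeric prefixes order across suffixes.
# An unmatched glob stays literal in POSIX sh; -f rejects it and dangling links.
list_fragments() {
    fixed=$1 dir=$2; shift 2
    [ -f "$fixed" ] && printf '%s\n' "$fixed"
    {
        for suffix in "$@"; do
            for f in "$dir"/*."$suffix"; do
                [ -f "$f" ] && printf '%s\n' "$f"
            done
        done
    } | LC_ALL=C sort
}

# load_fragments LOADER FIXED DIR SUFFIX...
# Runs LOADER on each fragment in order. Returns 1 at the first failed load
# (earlier fragments stay applied; the service's finish script must flush) and
# 2 when nothing was found, matching the exit codes in the PR's run script.
load_fragments() {
    loader=$1; shift
    seen=0
    # The here-document keeps the loop in the current shell; `list | while`
    # would run it in a subshell in dash and lose the seen counter.
    while IFS= read -r frag; do
        [ -n "$frag" ] || continue
        "$loader" "$frag" || return 1
        seen=$((seen + 1))
    done <<EOF
$(list_fragments "$@")
EOF
    [ "$seen" -eq 0 ] && return 2
    return 0
}

# aggregate_fragments FIXED DIR SUFFIX...
# The reviewer's alternative: one stream for a single `iptables-restore -n`.
# --noflush is still required because every fragment repeats its *table
# header, and the emptiness check has to happen before anything is piped.
aggregate_fragments() {
    list=$(list_fragments "$@")
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | while IFS= read -r f; do cat "$f"; done
}

# Constructed stand-in for iptables-restore: rejects input without a COMMIT
# line and records what it was handed in $LOADLOG.
fake_restore() {
    grep -q '^COMMIT$' "$1" || return 1
    printf '%s\n' "$1" >> "$LOADLOG"
}

# Constructed sample (IPv6 layout with both suffixes plus a dangling symlink).
# Prints the load order and the number of COMMIT lines in the aggregated stream.
demo_order() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/d"
    printf '*filter\n:INPUT DROP [0:0]\nCOMMIT\n' > "$tmp/ip6tables.rules"
    printf '*filter\n-A INPUT -p ipv6-icmp -j ACCEPT\nCOMMIT\n' > "$tmp/d/10-icmp.rules"
    printf '*filter\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n' > "$tmp/d/20-ssh.6rules"
    printf '*filter\n-A INPUT -j DROP\nCOMMIT\n' > "$tmp/d/30-drop.rules"
    ln -s "$tmp/d/does-not-exist" "$tmp/d/40-dangling.rules"
    order=$(list_fragments "$tmp/ip6tables.rules" "$tmp/d" rules 6rules \
            | sed "s|^$tmp/||" | paste -s -d ' ')
    commits=$(aggregate_fragments "$tmp/ip6tables.rules" "$tmp/d" rules 6rules \
              | grep -c '^COMMIT$' || true)
    rm -rf "$tmp"
    echo "$order $commits"
}

# Constructed sample for the exit codes: a clean load, a load where the third
# fragment lacks COMMIT (nothing after it may be applied), and no files at all.
demo_codes() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/d"; LOADLOG=$tmp/log; : > "$LOADLOG"
    printf '*filter\nCOMMIT\n' > "$tmp/iptables.rules"
    printf '*filter\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$tmp/d/10-lo.rules"
    if load_fragments fake_restore "$tmp/iptables.rules" "$tmp/d" rules; then ok=0; else ok=$?; fi
    printf '*filter\n-A INPUT -j DROP\n' > "$tmp/d/20-broken.rules"
    printf '*filter\n-A INPUT -j ACCEPT\nCOMMIT\n' > "$tmp/d/30-after.rules"
    if load_fragments fake_restore "$tmp/iptables.rules" "$tmp/d" rules; then bad=0; else bad=$?; fi
    after=$(grep -c '30-after' "$LOADLOG" || true)
    if load_fragments fake_restore "$tmp/none.rules" "$tmp/none.d" rules; then none=0; else none=$?; fi
    rm -rf "$tmp"
    echo "$ok $bad $none $after"
}

echo "load order and COMMIT count: $(demo_order)"
echo "exit codes (clean, broken fragment, no files) and loads after failure: $(demo_codes)"
```

The loop reads from a here-document rather than a pipe so the `seen` counter survives in dash, and `if load_fragments ...; then ...; else code=$?; fi` captures the code without tripping `set -e`. Note that the broken third fragment stops the load before `30-after.rules` is touched, which is exactly the partial state the finish script has to flush.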

* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (15 preceding siblings ...)
  2021-05-27 22:26 ` heliocat
@ 2021-05-28  7:27 ` the-maldridge
  2021-05-28  7:30 ` heliocat
                   ` (5 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: the-maldridge @ 2021-05-28  7:27 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 377 bytes --]

New comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-850211183

Comment:
The variable should probably be named 'fragment' and in general I think there's also a case here in the fragment case that isn't being checked, which is that if iptables-restore fails for any fragment that should abort the load.  


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (16 preceding siblings ...)
  2021-05-28  7:27 ` the-maldridge
@ 2021-05-28  7:30 ` heliocat
  2021-05-28  7:32 ` heliocat
                   ` (4 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-28  7:30 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 430 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-850212935

Comment:
> The variable should probably be named 'fragment' and in general I think there's also a case here in the fragment case that isn't being checked, which is that if iptables-restore fails for any fragment that should abort the load.

`iptables-restore file || exit 1` should do just that.


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (17 preceding siblings ...)
  2021-05-28  7:30 ` heliocat
@ 2021-05-28  7:32 ` heliocat
  2021-05-28  9:00 ` ailiop-git
                   ` (3 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-28  7:32 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 465 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-850212935

Comment:
> The variable should probably be named 'fragment' and in general I think there's also a case here in the fragment case that isn't being checked, which is that if iptables-restore fails for any fragment that should abort the load.

`iptables-restore file || exit 1` should do just that (unless I misunderstood something).


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (18 preceding siblings ...)
  2021-05-28  7:32 ` heliocat
@ 2021-05-28  9:00 ` ailiop-git
  2021-05-28 18:31 ` heliocat
                   ` (2 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: ailiop-git @ 2021-05-28  9:00 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 680 bytes --]

New comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-850267277

Comment:
> > The variable should probably be named 'fragment' and in general I think there's also a case here in the fragment case that isn't being checked, which is that if iptables-restore fails for any fragment that should abort the load.
> 
> `iptables-restore file || exit 1` should do just that (unless I misunderstood something).

We probably also need to flush everything in case a fragment fails, since it may leave the ruleset in an undesirable state, and also subsequent sv starts/restores will end up duplicating ruleset entries.


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (19 preceding siblings ...)
  2021-05-28  9:00 ` ailiop-git
@ 2021-05-28 18:31 ` heliocat
  2021-06-07 15:48 ` heliocat
  2021-06-10  4:38 ` [PR PATCH] [Updated] " heliocat
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-05-28 18:31 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 234 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-850595381

Comment:
That will happen, runsv always runs the finish script after run exits, regardless of reason.


* Re: iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (20 preceding siblings ...)
  2021-05-28 18:31 ` heliocat
@ 2021-06-07 15:48 ` heliocat
  2021-06-10  4:38 ` [PR PATCH] [Updated] " heliocat
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-06-07 15:48 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 351 bytes --]

New comment by heliocat on void-packages repository

https://github.com/void-linux/void-packages/pull/31145#issuecomment-856054722

Comment:
@ailiop-git do you have any other unaddressed concerns?

@the-maldridge can you drop the Change Requested flag and merge if there are no other issues from myself or ailiop? I think I've addressed everything.


* Re: [PR PATCH] [Updated] iptables: adjust run scripts for more configuration flexibility
  2021-05-27  4:29 [PR PATCH] iptables: adjust run scripts for more configuration flexibility heliocat
                   ` (21 preceding siblings ...)
  2021-06-07 15:48 ` heliocat
@ 2021-06-10  4:38 ` heliocat
  22 siblings, 0 replies; 24+ messages in thread
From: heliocat @ 2021-06-10  4:38 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

There is an updated pull request by heliocat against master on the void-packages repository

https://github.com/heliocat/void-packages iptables
https://github.com/void-linux/void-packages/pull/31145

iptables: adjust run scripts for more configuration flexibility
The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.

@ailiop-git 
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->

#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [x] I built this PR locally for my native architecture, (x86_64)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl



A patch file from https://github.com/void-linux/void-packages/pull/31145.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-iptables-31145.patch --]
[-- Type: text/x-diff, Size: 3884 bytes --]

From ac90821512f894b7a560e5efb5ed2d44b6218587 Mon Sep 17 00:00:00 2001
From: Colin Booth <colin@heliocat.net>
Date: Wed, 26 May 2021 13:19:13 -0700
Subject: [PATCH] iptables: adjust run scripts for more configuration
 flexibility

The single configuration file approach that the iptables services
provide precludes using it in more complicated buildouts such as ones
defined with config management tools. This change takes a hybrid
approach of the old method (to preserve backwards compatibility, etc)
and the method taken with void-ansible-roles/network.

Changes:
No longer flush tables prior to loading new data - rely on finish in all
  cases
Load data from /etc/iptables/iptables.rules and all found
  /etc/iptables.d/*.rules
Ditto ip6 equivalents (ip6rules.rules, ip6tables.d/*.{,6}rules)
Flush nat table in both v4 and v6 mode (nat table supported on v6 since
  kernel 3.7)
No-rule bailouts are handled with a post-load accumulator instead of
  exiting entirely when a rules file doesn't exist. The run script uses
  exit code `2' in that case to differentiate between a failed load and
  wrong use

Caveats: the ip6tables.d match is overly explicit since dash does not
provide brace expansion and there is no particularly clean way to match
a single character or empty when expanding globs.
---
 srcpkgs/iptables/files/ip6tables/run          | 10 ++++++++--
 srcpkgs/iptables/files/iptables-flush.scripts |  5 +----
 srcpkgs/iptables/files/iptables/run           |  9 +++++++--
 srcpkgs/iptables/template                     |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 srcpkgs/iptables/files/ip6tables/run

diff --git a/srcpkgs/iptables/files/ip6tables/run b/srcpkgs/iptables/files/ip6tables/run
old mode 100644
new mode 100755
index 10e559afe91d..ac1ff599bbd3
--- a/srcpkgs/iptables/files/ip6tables/run
+++ b/srcpkgs/iptables/files/ip6tables/run
@@ -1,4 +1,10 @@
 #!/bin/sh
-[ ! -e /etc/iptables/ip6tables.rules ] && exit 0
-ip6tables-restore -w 3 /etc/iptables/ip6tables.rules || exit 1
+seen=0
+for rule in /etc/iptables/ip6tables.rules /etc/ip6tables.d/*.rules \
+    /etc/ip6tables.d/*.6rules ; do
+    [ ! -f "$rule" ] && continue
+    ip6tables-restore -nw 3 "$rule" || exit 1
+    seen=$((seen+1))
+done
+[ $seen -eq 0 ] && exit 2
 exec chpst -b ip6tables pause
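Review bot: `[ ! -f "$rule" ] && continue` skips a dangling symlink or a missing optional file without a word (the thread notes that both `-e` and `-f` fail on a broken symlink), so an operator reading the service log cannot tell which fragments actually reached the kernel; print each skipped and each loaded path to stderr inside the loop. The variable is also still called `rule` although `count` was renamed to `seen`; both reviewers asked for `fragment` or `ruleset`.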
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
index 8749c082a779..40b869840eea 100644
--- a/srcpkgs/iptables/files/iptables-flush.scripts
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -2,13 +2,10 @@
 # Usage: iptables-flush [-6]
 
 iptables=/usr/bin/iptables
-tables="filter mangle raw"
+tables="filter mangle nat raw"
 
 if [ "$1" = "-6" ]; then
   iptables=/usr/bin/ip6tables
-else
-  # Only ipv4 has a nat table
-  tables="$tables nat"
 fi
 
 for table in ${tables}; do
diff --git a/srcpkgs/iptables/files/iptables/run b/srcpkgs/iptables/files/iptables/run
index 74a2ab20d63c..374d8f394fd2 100644
--- a/srcpkgs/iptables/files/iptables/run
+++ b/srcpkgs/iptables/files/iptables/run
@@ -1,4 +1,9 @@
 #!/bin/sh
-[ ! -e /etc/iptables/iptables.rules ] && exit 0
-iptables-restore -w 3 /etc/iptables/iptables.rules || exit 1
+seen=0
+for rule in /etc/iptables/iptables.rules /etc/iptables.d/*.rules ; do
+    [ ! -f "$rule" ] && continue
+    iptables-restore -nw 3 "$rule" || exit 1
+    seen=$((seen+1))
+done
+[ $seen -eq 0 ] && exit 2
 exec chpst -b iptables pause
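Review bot: the load order of `/etc/iptables.d/*.rules` is whatever the shell's glob expansion yields, and nothing in this hunk or in the commit message tells a user to name fragments with a numeric prefix; because every fragment after the first is appended behind the previous ones with `-n`, the order changes what the ruleset means, so state the naming convention in a comment here (and in the package's documentation) so that config-management tooling produces a deterministic ruleset.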
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 0d0ed43206db..01f9eefb611d 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,7 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.8.7
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-libipq --enable-shared --enable-devel --enable-bpf-compiler"
 hostmakedepends="pkg-config flex"
