Patchwork [5/5] iptables: update init script and bb file

Submitter Kang Kai
Date June 23, 2014, 2:32 a.m.
Message ID <89ff3aaad229d018851347dcda7d8c0e7cea6429.1403490121.git.kai.kang@windriver.com>
Permalink /patch/74229/
State New

Comments

Kang Kai - June 23, 2014, 2:32 a.m.
Update path of command iptables in init script that we put it in
/usr/sbin rather than /sbin. Then update bb file to install init script,
configure and rules files.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-extended/iptables/iptables/iptables.init |  4 ++--
 meta/recipes-extended/iptables/iptables_1.4.21.bb     | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
Anders Darander - June 23, 2014, 11:44 a.m.
* Kai Kang <kai.kang@windriver.com> [140623 04:34]:
> Update path of command iptables in init script that we put it in
> /usr/sbin rather than /sbin. Then update bb file to install init script,
> configure and rules files.

These new files aren't that big, but could you anyway package at least
the rules files into a separate package? Using an RRECOMMENDS would be
fine, as I can easily add a BAD_RECOMMENDATION for that package.

It might be that I don't need/want both of iptables and ip6tables
installed; or even that I don't want either of those installed by
default.

Cheers,
Anders

> +do_install_append() {
> +	install -d -m 755 ${D}${sysconfdir}/init.d
> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
> +
> +	install -d -m 755 ${D}${sysconfdir}/sysconfig
> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
> +
> +	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
> +	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
> +}
Kang Kai - June 24, 2014, 1:49 a.m.
On 2014-06-23 19:44, Anders Darander wrote:
> * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
>> Update path of command iptables in init script that we put it in
>> /usr/sbin rather than /sbin. Then update bb file to install init script,
>> configure and rules files.
> These new files aren't that big, but could you anyway package at least
> the rules files into a separate package? Using an RRECOMMENDS would be
> fine, as I can easily add a BAD_RECOMMENDATION for that package.

Of course.

And as I replied in last mail, do you think that an empty rule is
better? A little concern is for iptables newbies.

>
> It might be that I don't need/want both of iptables and ip6tables
> installed; or even that I don't want either of those installed by
> default.

iptables and ip6tables are not split into separated packages, so I put 
them together. And package iptables is not installed by default indeed.

Regards,
Kai

>
> Cheers,
> Anders
>
>> +do_install_append() {
>> +	install -d -m 755 ${D}${sysconfdir}/init.d
>> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
>> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
>> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
>> +
>> +	install -d -m 755 ${D}${sysconfdir}/sysconfig
>> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
>> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
>> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
>> +
>> +	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
>> +	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
>> +}
Anders Darander - June 24, 2014, 6:01 a.m.
* Kang Kai <Kai.Kang@windriver.com> [140624 03:49]:

> On 2014-06-23 19:44, Anders Darander wrote:
> > * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
> >> Update path of command iptables in init script that we put it in
> >> /usr/sbin rather than /sbin. Then update bb file to install init script,
> >> configure and rules files.
> > These new files aren't that big, but could you anyway package at least
> > the rules files into a separate package? Using an RRECOMMENDS would be
> > fine, as I can easily add a BAD_RECOMMENDATION for that package.

> Of course.

> And as I replied in last mail, do you think that an empty rule is
> better? A little concern is for iptables newbies.

Well, I'd be at least a little bit happier to have the ipv6 rules file
obey the ipv6 distro feature, see below.

Besides, most users of OE-Core won't have any benefit of a pre-generated
iptable rules file. Remember, we're building embedded devices that have
everything but a standard setup.

If you want a static firewall configuration supplied by oe-core, can't
we package it in a separate package anyway?

> > It might be that I don't need/want both of iptables and ip6tables
> > installed; or even that I don't want either of those installed by
> > default.

> iptables and ip6tables are not split into separated packages, so I put 
> them together. And package iptables is not installed by default indeed.

No, but at least we're not building IPv6 support into the package if
ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
rule file should obey that DISTRO_FEATURES also.

Cheers,
Anders
Kang Kai - June 25, 2014, 6:46 a.m.
On 2014-06-24 14:01, Anders Darander wrote:
> * Kang Kai <Kai.Kang@windriver.com> [140624 03:49]:
>
>> On 2014-06-23 19:44, Anders Darander wrote:
>>> * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
>>>> Update path of command iptables in init script that we put it in
>>>> /usr/sbin rather than /sbin. Then update bb file to install init script,
>>>> configure and rules files.
>>> These new files aren't that big, but could you anyway package at least
>>> the rules files into a separate package? Using an RRECOMMENDS would be
>>> fine, as I can easily add a BAD_RECOMMENDATION for that package.
>> Of course.
>> And as I replied in last mail, do you think that an empty rule is
>> better? A little concern is for iptables newbies.
> Well, I'd be at least a little bit happier to have the ipv6 rules file
> obey the ipv6 distro feature, see below.
>
> Besides, most users of OE-Core won't have any benefit of a pre-generated
> iptable rules file. Remember, we're building embedded devices that have
> everything but a standard setup.
>
> If you want a static firewall configuration supplied by oe-core, can't
> we package it in a separate package anyway?

OK.

>
>>> It might be that I don't need/want both of iptables and ip6tables
>>> installed; or even that I don't want either of those installed by
>>> default.
>> iptables and ip6tables are not split into separated packages, so I put
>> them together. And package iptables is not installed by default indeed.
> No, but at least we're not building IPv6 support into the package if
> ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
> rule file should obey that DISTRO_FEATURES also.

I'll update to check DISTRO_FEATURES for ipv6 supports.

Regards,
Kai


>
> Cheers,
> Anders
>

Patch

diff --git a/meta/recipes-extended/iptables/iptables/iptables.init b/meta/recipes-extended/iptables/iptables/iptables.init
index 01057dd..3f9ce23 100755
--- a/meta/recipes-extended/iptables/iptables/iptables.init
+++ b/meta/recipes-extended/iptables/iptables/iptables.init
@@ -33,8 +33,8 @@  VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 # only usable for root
 [ $EUID = 0 ] || exit 4
 
-if [ ! -x /sbin/$IPTABLES ]; then
-    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+if [ ! -x /usr/sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /usr/sbin/$IPTABLES does not exist."; warning; echo
     exit 5
 fi
 
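Review bot: The `-x` test and its warning message now hardcode /usr/sbin in place of /sbin, so the init script fails with exit 5 again on any build where the iptables binary lands in a different directory. Keeping a placeholder in iptables.init and substituting the recipe's ${sbindir} with sed in do_install_append would make the path follow the build configuration instead of being edited by hand each time. Separately, the unquoted `[ $EUID = 0 ]` in the context lines reduces to `[ = 0 ]` if the script is run by a shell that does not set EUID, which makes the test error out and the script exit 4 even for root; quoting the variable or comparing `id -u` would make the root check reliable.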
diff --git a/meta/recipes-extended/iptables/iptables_1.4.21.bb b/meta/recipes-extended/iptables/iptables_1.4.21.bb
index ba4e8e4..a6fe55f 100644
--- a/meta/recipes-extended/iptables/iptables_1.4.21.bb
+++ b/meta/recipes-extended/iptables/iptables_1.4.21.bb
@@ -28,6 +28,10 @@  FILES_${PN}-dbg =+ "${libdir}/xtables/.debug"
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
            file://types.h-add-defines-that-are-required-for-if_packet.patch \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
+           file://iptables.init \
+           file://iptables-config \
+           file://iptables.rules \
+           file://ip6tables.rules \
           "
 
 SRC_URI[md5sum] = "536d048c8e8eeebcd9757d0863ebb0c0"
@@ -50,3 +54,18 @@  do_configure_prepend() {
 	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
 	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
 }
+
+do_install_append() {
+	install -d -m 755 ${D}${sysconfdir}/init.d
+	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
+	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
+	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
+
+	install -d -m 755 ${D}${sysconfdir}/sysconfig
+	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
+	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
+	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
+
+	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
+	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
+}
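Review bot: Four of the `install -m 755` lines in do_install_append place data files rather than scripts (iptables-config, ip6tables-config, and the two rules files under ${sysconfdir}/sysconfig), so they end up executable; 0644 is the appropriate mode for the config files, and 0600 is worth considering for the rules files since a firewall rule set does not need to be readable by unprivileged users. Only the two init scripts under ${sysconfdir}/init.d need 755. The ip6tables init script, config and rules are also installed unconditionally: as raised in the thread, they should be guarded by a check for ipv6 in DISTRO_FEATURES, and the rules files should go into their own package so an image can leave the default rule set out.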