mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH] Add persistant iptable-rules via systemd
@ 2016-04-07 10:10 Gavin Schenk
  2016-04-07 11:59 ` Uwe Kleine-König
  2016-04-07 12:24 ` Michael Olbrich
  0 siblings, 2 replies; 16+ messages in thread
From: Gavin Schenk @ 2016-04-07 10:10 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Supports IPv4 and IPv6; both options can be selected in menuconfig as IPTABLES_IPV6_SYSTEMD_UNIT and IPTABLES_IPV4_SYSTEMD_UNIT.

If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on multi-user.target that sets the iptables rules from the file /etc/iptables/rules.v4.
If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on multi-user.target that sets the iptables rules from the file /etc/iptables/rules.v6.
You have to provide these files. Both files can easily be generated with the utilities iptables-save and ip6tables-save from the iptables package.

e.g. generating a rule file that drops port 5000 on interface eth0 for IPv4:
1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4

The basic idea was taken from https://github.com/gronke/systemd-iptables written by Stefan Grönke in 2015.
---
 .../0001-Added-files-for-systemd-support.patch     | 115 +++++++++++++++++++++
 patches/iptables-1.4.21/series                     |   4 +
 rules/iptables.in                                  |  10 ++
 rules/iptables.make                                |  17 +++
 4 files changed, 146 insertions(+)
 create mode 100644 patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
 create mode 100644 patches/iptables-1.4.21/series

diff --git a/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
new file mode 100644
index 0000000..e98a788
--- /dev/null
+++ b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
@@ -0,0 +1,115 @@
+From: Gavin Schenk <g.schenk@eckelmann.de>
+Date: Wed, 6 Apr 2016 10:19:52 +0200
+Subject: [PATCH] Added files for systemd support
+
+---
+ etc/iptables/rules.v4            |  0
+ etc/iptables/rules.v6            |  0
+ scripts/ip6tables-flush          | 19 +++++++++++++++++++
+ scripts/iptables-flush           | 19 +++++++++++++++++++
+ systemd/system/ip6tables.service | 14 ++++++++++++++
+ systemd/system/iptables.service  | 14 ++++++++++++++
+ 6 files changed, 66 insertions(+)
+ create mode 100644 etc/iptables/rules.v4
+ create mode 100644 etc/iptables/rules.v6
+ create mode 100755 scripts/ip6tables-flush
+ create mode 100755 scripts/iptables-flush
+ create mode 100755 systemd/system/ip6tables.service
+ create mode 100755 systemd/system/iptables.service
+
+diff --git a/etc/iptables/rules.v4 b/etc/iptables/rules.v4
+new file mode 100644
+index 000000000000..e69de29bb2d1
+diff --git a/etc/iptables/rules.v6 b/etc/iptables/rules.v6
+new file mode 100644
+index 000000000000..e69de29bb2d1
+diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush
+new file mode 100755
+index 000000000000..cf6d22bb2923
+--- /dev/null
++++ b/scripts/ip6tables-flush
+@@ -0,0 +1,19 @@
++#!/bin/sh
++
++if ! ip6tables --list >/dev/null 2>&1; then
++        echo "ipv6 filtering is not supported by the running kernel."
++        exit 3
++fi
++
++ip6tables -F
++ip6tables -X
++ip6tables -Z
++for table in $(</proc/net/ip6_tables_names)
++do
++        ip6tables -t $table -F
++        ip6tables -t $table -X
++        ip6tables -t $table -Z
++done
++ip6tables -P INPUT ACCEPT
++ip6tables -P OUTPUT ACCEPT
++ip6tables -P FORWARD ACCEPT
+diff --git a/scripts/iptables-flush b/scripts/iptables-flush
+new file mode 100755
+index 000000000000..a6e056f31a75
+--- /dev/null
++++ b/scripts/iptables-flush
+@@ -0,0 +1,19 @@
++#!/bin/sh
++
++if ! iptables --list >/dev/null 2>&1; then
++	echo "ipv4 filtering is not supported by the running kernel." 	
++	exit 3
++fi 
++
++iptables -F
++iptables -X
++iptables -Z
++for table in $(</proc/net/ip_tables_names)
++do
++        iptables -t $table -F
++        iptables -t $table -X
++        iptables -t $table -Z
++done
++iptables -P INPUT ACCEPT
++iptables -P FORWARD ACCEPT
++iptables -P OUTPUT ACCEPT
+diff --git a/systemd/system/ip6tables.service b/systemd/system/ip6tables.service
+new file mode 100755
+index 000000000000..e842cc1973a1
+--- /dev/null
++++ b/systemd/system/ip6tables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v6
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecStop=/usr/sbin/iptables/ip6tables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
+diff --git a/systemd/system/iptables.service b/systemd/system/iptables.service
+new file mode 100755
+index 000000000000..fa4a8b367ca0
+--- /dev/null
++++ b/systemd/system/iptables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v4
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecStop=/usr/sbin/iptables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
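Review bot: ExecStop= in ip6tables.service points at /usr/sbin/iptables/ip6tables-flush, but the script is installed to /usr/sbin/ip6tables-flush (see the install_copy in rules/iptables.make further down), so stopping the IPv6 unit fails with a missing executable; iptables.service has the right path. Two more points in the same files: `for table in $(</proc/net/ip6_tables_names)` is a bash-only redirection that expands to nothing under a POSIX /bin/sh such as busybox ash, so the per-table loop silently does no work (use `$(cat ...)` or a `while read` loop); and both flush scripts end by resetting INPUT/FORWARD/OUTPUT to ACCEPT, so `systemctl stop` leaves the host completely unfiltered rather than failing closed, which deserves a comment in the unit so an operator does not stop it casually. Finally the two .service files are created with mode 100755; unit files are plain data and should be 0644 (the make rule installs them as 0644 anyway).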
diff --git a/patches/iptables-1.4.21/series b/patches/iptables-1.4.21/series
new file mode 100644
index 0000000..b8f388f
--- /dev/null
+++ b/patches/iptables-1.4.21/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-Added-files-for-systemd-support.patch
+# 366b7fd90bb4fe7e229f0ba777703fb5  - git-ptx-patches magic
diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..8354060 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -25,6 +25,16 @@ config IPTABLES_IPV4
 	bool
 	prompt "IPv4 support"
 
+config IPTABLES_IPV6_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv6 systemd service unit"
+	select IPTABLES_IPV6
+
+config IPTABLES_IPV4_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv4 systemd service unit"
+	select IPTABLES_IPV4
+
 config IPTABLES_LIBIPQ
 	bool
 	prompt "Enable libipq"
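Review bot: the two new options select IPTABLES_IPV6/IPTABLES_IPV4 but declare no dependency on systemd being the init method, so a BSP with another init system gets unit files installed into /lib/systemd/system that nothing reads; guard them with a `depends on` the ptxdist init-method symbol for systemd (not shown in this hunk) or hide the prompts when systemd is not selected. A `help` text naming /etc/iptables/rules.v4 and rules.v6 as the files the user must provide would also spare a trip to the commit message.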
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..12d3867 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -126,6 +126,23 @@ ifdef PTXCONF_IPTABLES_IPV4
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
 endif
+
+ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
+# 	# IPv6 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/ip6tables-flush, /usr/sbin/ip6tables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/ip6tables.service, /lib/systemd/system/ip6tables.service)
+	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
+# 	# IPv4 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/iptables-flush, /usr/sbin/iptables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/iptables.service, /lib/systemd/system/iptables.service)
+	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
+endif
+
 endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
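Review bot: the install_alternative lines ship the empty rules.v4/rules.v6 from the inner patch, and both units carry ConditionFileNotEmpty=, so a BSP that enables IPTABLES_IPV4_SYSTEMD_UNIT without overriding the file gets a unit that is wanted by multi-user.target yet skipped by its condition with no error: the machine boots with no filtering at all and nothing flags it. Either drop the empty files so a missing override fails the build, or at least warn in the rule. Style: `# 	# IPv6 systemd service unit part` carries a doubled comment marker, and the install_copy/install_link lines run well past 80 columns; break them with a backslash. The scripts and unit files would also be easier to maintain under projectroot/ with install_alternative than as a patch against the iptables source tree.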
-- 
1.9.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
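The two-step recipe earlier in the message produces a file in iptables-save format, and the units in the patch above refuse to start on an empty one (ConditionFileNotEmpty=). As an added example, not part of the patch or of Gavin's message, here is a POSIX sh checker a BSP maintainer can run over the file before shipping it: it rejects an empty or unterminated file, walks the `*table` / `:CHAIN POLICY` / `-A` / `COMMIT` structure, and reports a built-in chain's default policy so an ACCEPT policy does not go unnoticed. The sample rules file it writes is constructed to match the eth0/port 5000 example and is not from the page; the function names are this example's own.

```shell
#!/bin/sh
# check_rules_file FILE
# Sanity-check a rules file in iptables-save format before it is shipped as
# /etc/iptables/rules.v4 or rules.v6. Returns 0 if iptables-restore could
# consume it, 1 otherwise. Enforced:
#   - non-empty: the unit uses ConditionFileNotEmpty= and silently skips an
#     empty file, so the host would boot without any filtering;
#   - every "*table" block is closed by "COMMIT";
#   - only comment, "*table", ":chain", "-<rule>" and "COMMIT" lines appear.
check_rules_file() {
    file=$1
    [ -s "$file" ] || { echo "$file: empty or missing, unit would be skipped" >&2; return 1; }
    table="" status=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) ;;
            '*'*)
                if [ -n "$table" ]; then
                    echo "$file:$lineno: table '$table' not closed by COMMIT" >&2; status=1
                fi
                table=${line#\*} ;;
            ':'*)
                [ -n "$table" ] || { echo "$file:$lineno: chain outside a table" >&2; status=1; } ;;
            COMMIT)
                [ -n "$table" ] || { echo "$file:$lineno: COMMIT without table" >&2; status=1; }
                table="" ;;
            -*)
                [ -n "$table" ] || { echo "$file:$lineno: rule outside a table" >&2; status=1; } ;;
            *)
                echo "$file:$lineno: unrecognised line: $line" >&2; status=1 ;;
        esac
    done < "$file"
    if [ -n "$table" ]; then
        echo "$file: table '$table' not closed by COMMIT" >&2; status=1
    fi
    return $status
}

# chain_policy FILE TABLE CHAIN
# Print the default policy of a chain from its ":CHAIN POLICY [pkts:bytes]"
# header ("-" for user-defined chains). Returns 1 if the chain is not found.
chain_policy() {
    file=$1 want_table=$2 want_chain=$3
    table=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '*'*) table=${line#\*} ;;
            ':'*)
                rest=${line#:}
                chain=${rest%% *}
                rest=${rest#* }
                policy=${rest%% *}
                if [ "$table" = "$want_table" ] && [ "$chain" = "$want_chain" ]; then
                    printf '%s\n' "$policy"; return 0
                fi ;;
        esac
    done < "$file"
    return 1
}

# write_sample_rules FILE
# Constructed sample: what iptables-save prints after
#   iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
write_sample_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 (constructed sample, not a real capture)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 5000 -j DROP
COMMIT
# Completed (constructed sample)
EOF
}
```

A BSP hook can call `check_rules_file /etc/iptables/rules.v4 || exit 1` before packaging, and `chain_policy rules.v4 filter INPUT` shows at a glance that the sample file still relies on an ACCEPT default policy with a single DROP rule in front of it.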


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07 10:10 [ptxdist] [PATCH] Add persistant iptable-rules via systemd Gavin Schenk
@ 2016-04-07 11:59 ` Uwe Kleine-König
  2016-04-07 12:24 ` Michael Olbrich
  1 sibling, 0 replies; 16+ messages in thread
From: Uwe Kleine-König @ 2016-04-07 11:59 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Hello,

git format-patch helps you to add a version to your patch. In this case
-v2 would have been nice. This makes it easier for Michael to pick up
the right patch.

On Thu, Apr 07, 2016 at 12:10:04PM +0200, Gavin Schenk wrote:
> Supports ipv4 and ipv6 and both options can be selected in menuconfig IPTABLES_IPV6_SYSTEMD_UNIT and IPTABLES_IPV4_SYSTEMD_UNIT
> 
> If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on multiuser.target that set the iptable rules from file /etc/iptables/rules.v4.
> If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on multiuser.target that set the iptable rules from the file /etc/iptables/rules.v6.
> You have to provide this files. Both files can easily be generated with the utils iptables-save ip6tables-save from the iptables package.

Please wrap lines before column 76.

> 
> e.g: Generating a rulefile, that drops port 5000 on interface eth0 ipv4
> 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> 2.) iptables-save > /etc/iptables/rules.v4
> 
> The basic idea was taken from https://github.com/gronke/systemd-iptables written by Stefan Grönke in 2015.

You need to add a S-o-B line.

Other than that the patch looks good (which doesn't imply that Michael
has nothing to criticize).

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07 10:10 [ptxdist] [PATCH] Add persistant iptable-rules via systemd Gavin Schenk
  2016-04-07 11:59 ` Uwe Kleine-König
@ 2016-04-07 12:24 ` Michael Olbrich
  1 sibling, 0 replies; 16+ messages in thread
From: Michael Olbrich @ 2016-04-07 12:24 UTC (permalink / raw)
  To: ptxdist

On Thu, Apr 07, 2016 at 12:10:04PM +0200, Gavin Schenk wrote:
> Supports ipv4 and ipv6 and both options can be selected in menuconfig IPTABLES_IPV6_SYSTEMD_UNIT and IPTABLES_IPV4_SYSTEMD_UNIT
> 
> If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on multiuser.target that set the iptable rules from file /etc/iptables/rules.v4.
> If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on multiuser.target that set the iptable rules from the file /etc/iptables/rules.v6.
> You have to provide this files. Both files can easily be generated with the utils iptables-save ip6tables-save from the iptables package.
> 
> e.g: Generating a rulefile, that drops port 5000 on interface eth0 ipv4
> 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> 2.) iptables-save > /etc/iptables/rules.v4
> 
> The basic idea was taken from https://github.com/gronke/systemd-iptables written by Stefan Grönke in 2015.
> ---
>  .../0001-Added-files-for-systemd-support.patch     | 115 +++++++++++++++++++++
>  patches/iptables-1.4.21/series                     |   4 +
>  rules/iptables.in                                  |  10 ++
>  rules/iptables.make                                |  17 +++
>  4 files changed, 146 insertions(+)
>  create mode 100644 patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
>  create mode 100644 patches/iptables-1.4.21/series
> 
> diff --git a/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
> new file mode 100644
> index 0000000..e98a788
> --- /dev/null
> +++ b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
> @@ -0,0 +1,115 @@
> +From: Gavin Schenk <g.schenk@eckelmann.de>
> +Date: Wed, 6 Apr 2016 10:19:52 +0200
> +Subject: [PATCH] Added files for systemd support
> +
> +---
> + etc/iptables/rules.v4            |  0
> + etc/iptables/rules.v6            |  0
> + scripts/ip6tables-flush          | 19 +++++++++++++++++++
> + scripts/iptables-flush           | 19 +++++++++++++++++++
> + systemd/system/ip6tables.service | 14 ++++++++++++++
> + systemd/system/iptables.service  | 14 ++++++++++++++


Please put these files into projectroot/ instead and use
install_alternative for all of them.

Michael

> + 6 files changed, 66 insertions(+)
> + create mode 100644 etc/iptables/rules.v4
> + create mode 100644 etc/iptables/rules.v6
> + create mode 100755 scripts/ip6tables-flush
> + create mode 100755 scripts/iptables-flush
> + create mode 100755 systemd/system/ip6tables.service
> + create mode 100755 systemd/system/iptables.service
> +
> +diff --git a/etc/iptables/rules.v4 b/etc/iptables/rules.v4
> +new file mode 100644
> +index 000000000000..e69de29bb2d1
> +diff --git a/etc/iptables/rules.v6 b/etc/iptables/rules.v6
> +new file mode 100644
> +index 000000000000..e69de29bb2d1
> +diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush
> +new file mode 100755
> +index 000000000000..cf6d22bb2923
> +--- /dev/null
> ++++ b/scripts/ip6tables-flush
> +@@ -0,0 +1,19 @@
> ++#!/bin/sh
> ++
> ++if ! ip6tables --list >/dev/null 2>&1; then
> ++        echo "ipv6 filtering is not supported by the running kernel."
> ++        exit 3
> ++fi
> ++
> ++ip6tables -F
> ++ip6tables -X
> ++ip6tables -Z
> ++for table in $(</proc/net/ip6_tables_names)
> ++do
> ++        ip6tables -t $table -F
> ++        ip6tables -t $table -X
> ++        ip6tables -t $table -Z
> ++done
> ++ip6tables -P INPUT ACCEPT
> ++ip6tables -P OUTPUT ACCEPT
> ++ip6tables -P FORWARD ACCEPT
> +diff --git a/scripts/iptables-flush b/scripts/iptables-flush
> +new file mode 100755
> +index 000000000000..a6e056f31a75
> +--- /dev/null
> ++++ b/scripts/iptables-flush
> +@@ -0,0 +1,19 @@
> ++#!/bin/sh
> ++
> ++if ! iptables --list >/dev/null 2>&1; then
> ++	echo "ipv4 filtering is not supported by the running kernel." 	
> ++	exit 3
> ++fi 
> ++
> ++iptables -F
> ++iptables -X
> ++iptables -Z
> ++for table in $(</proc/net/ip_tables_names)
> ++do
> ++        iptables -t $table -F
> ++        iptables -t $table -X
> ++        iptables -t $table -Z
> ++done
> ++iptables -P INPUT ACCEPT
> ++iptables -P FORWARD ACCEPT
> ++iptables -P OUTPUT ACCEPT
> +diff --git a/systemd/system/ip6tables.service b/systemd/system/ip6tables.service
> +new file mode 100755
> +index 000000000000..e842cc1973a1
> +--- /dev/null
> ++++ b/systemd/system/ip6tables.service
> +@@ -0,0 +1,14 @@
> ++[Unit]
> ++Description=Packet Filtering Framework
> ++DefaultDependencies=no
> ++After=systemd-sysctl.service
> ++Before=sysinit.target
> ++ConditionFileNotEmpty=/etc/iptables/rules.v6
> ++[Service]
> ++Type=oneshot
> ++ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> ++ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> ++ExecStop=/usr/sbin/iptables/ip6tables-flush
> ++RemainAfterExit=yes
> ++[Install]
> ++WantedBy=multi-user.target
> +diff --git a/systemd/system/iptables.service b/systemd/system/iptables.service
> +new file mode 100755
> +index 000000000000..fa4a8b367ca0
> +--- /dev/null
> ++++ b/systemd/system/iptables.service
> +@@ -0,0 +1,14 @@
> ++[Unit]
> ++Description=Packet Filtering Framework
> ++DefaultDependencies=no
> ++After=systemd-sysctl.service
> ++Before=sysinit.target
> ++ConditionFileNotEmpty=/etc/iptables/rules.v4
> ++[Service]
> ++Type=oneshot
> ++ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> ++ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> ++ExecStop=/usr/sbin/iptables-flush
> ++RemainAfterExit=yes
> ++[Install]
> ++WantedBy=multi-user.target
> diff --git a/patches/iptables-1.4.21/series b/patches/iptables-1.4.21/series
> new file mode 100644
> index 0000000..b8f388f
> --- /dev/null
> +++ b/patches/iptables-1.4.21/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-Added-files-for-systemd-support.patch
> +# 366b7fd90bb4fe7e229f0ba777703fb5  - git-ptx-patches magic
> diff --git a/rules/iptables.in b/rules/iptables.in
> index e6f3699..8354060 100644
> --- a/rules/iptables.in
> +++ b/rules/iptables.in
> @@ -25,6 +25,16 @@ config IPTABLES_IPV4
>  	bool
>  	prompt "IPv4 support"
>  
> +config IPTABLES_IPV6_SYSTEMD_UNIT
> +	bool
> +	prompt "Activate IPv6 systemd service unit"
> +	select IPTABLES_IPV6
> +
> +config IPTABLES_IPV4_SYSTEMD_UNIT
> +	bool
> +	prompt "Activate IPv4 systemd service unit"
> +	select IPTABLES_IPV4
> +
>  config IPTABLES_LIBIPQ
>  	bool
>  	prompt "Enable libipq"
> diff --git a/rules/iptables.make b/rules/iptables.make
> index 8a1ea66..12d3867 100644
> --- a/rules/iptables.make
> +++ b/rules/iptables.make
> @@ -126,6 +126,23 @@ ifdef PTXCONF_IPTABLES_IPV4
>  	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
>  	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
>  endif
> +
> +ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
> +# 	# IPv6 systemd service unit part
> +	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/ip6tables-flush, /usr/sbin/ip6tables-flush)
> +	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/ip6tables.service, /lib/systemd/system/ip6tables.service)
> +	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)
> +	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
> +endif
> +
> +ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
> +# 	# IPv4 systemd service unit part
> +	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/iptables-flush, /usr/sbin/iptables-flush)
> +	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/iptables.service, /lib/systemd/system/iptables.service)
> +	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)
> +	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
> +endif
> +
>  endif
>  
>  ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
> -- 
> 1.9.1
> 
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-11 17:46 ` Uwe Kleine-König
@ 2016-04-12  8:35   ` Michael Olbrich
  0 siblings, 0 replies; 16+ messages in thread
From: Michael Olbrich @ 2016-04-12  8:35 UTC (permalink / raw)
  To: ptxdist


On Mon, Apr 11, 2016 at 07:46:10PM +0200, Uwe Kleine-König wrote:
> Hello,
> 
> even though I said for (implicit) v2 that I'm lucky now,
> I still found a few things to criticize/ask.
> 
> You could be a still better ptxdist citizen if you used -v3 for
> git format-patch (or git send-email if you didn't do the explicit
> format-patch step). For additional karma add a section like:
> 
> 	Changes since v2:

Please note that I've already pushed the last version, so any changes must
go into a new patch.

Michael

> 	 - reformat rule file
> 	 - ...
> 
> after the --- below.
> 
> $Subject ~= s/iptable/iptables/
> 
> On Mon, Apr 11, 2016 at 02:19:28PM +0200, Gavin Schenk wrote:
> > Supports ipv4 and ipv6 and both options can be selected in menuconfig
> > by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT
> > 
> > If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from file:
> > /etc/iptables/rules.v4
> > 
> > If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from the file:
> > /etc/iptables/rules.v6
> > 
> > The Package provides empty files. If you want to add custom rules, you
> 
> s/P/p/
> 
> > have to provide your own files. The rule files can be generated with
> > the utils iptables-save ip6tables-save from the iptables package.
> 
> 	the utils iptables-save or ip6tables-save respectively.
> 
> Pointing out "from the iptables package" doesn't add much because the
> two new config items are part of the iptables package, too.
> 
> > Example:
> > Generating a rule file, that drops port 5000 on interface eth0 for ipv4
> > 
> > 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> > 2.) iptables-save > /etc/iptables/rules.v4
> > 
> > The basic idea was taken from https://github.com/gronke/systemd-iptables
> > written by Stefan Grönke <stefan@gronke.net> in 2015.
> > 
> > Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
> > ---
> >  projectroot/etc/iptables/rules.v4                |  0
> >  projectroot/etc/iptables/rules.v6                |  0
> >  projectroot/lib/systemd/system/ip6tables.service | 14 ++++++++++++++
> >  projectroot/lib/systemd/system/iptables.service  | 14 ++++++++++++++
> >  projectroot/usr/sbin/ip6tables-flush             | 19 +++++++++++++++++++
> >  projectroot/usr/sbin/iptables-flush              | 19 +++++++++++++++++++
> >  rules/iptables.in                                | 10 ++++++++++
> >  rules/iptables.make                              | 21 +++++++++++++++++++++
> >  8 files changed, 97 insertions(+)
> >  create mode 100644 projectroot/etc/iptables/rules.v4
> >  create mode 100644 projectroot/etc/iptables/rules.v6
> >  create mode 100644 projectroot/lib/systemd/system/ip6tables.service
> >  create mode 100644 projectroot/lib/systemd/system/iptables.service
> >  create mode 100755 projectroot/usr/sbin/ip6tables-flush
> >  create mode 100755 projectroot/usr/sbin/iptables-flush
> > 
> > diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
> > new file mode 100644
> > index 0000000..e69de29
> 
> These files are never used, are they? Either you want them filled, then
> you provide your own version in the BSP; or you disable
> IPTABLES_IPV4_SYSTEMD_UNIT.
> Hm, thinking again, not adding the files breaks an all-yes compile test.
> Michael, what do you think?
> 
> > diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
> > new file mode 100644
> > index 0000000..e69de29
> > diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
> > new file mode 100644
> > index 0000000..e842cc1
> > --- /dev/null
> > +++ b/projectroot/lib/systemd/system/ip6tables.service
> > @@ -0,0 +1,14 @@
> > +[Unit]
> > +Description=Packet Filtering Framework
> > +DefaultDependencies=no
> > +After=systemd-sysctl.service
> > +Before=sysinit.target
> > +ConditionFileNotEmpty=/etc/iptables/rules.v6
> > +[Service]
> > +Type=oneshot
> > +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> > +ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> > +ExecStop=/usr/sbin/iptables/ip6tables-flush
> > +RemainAfterExit=yes
> > +[Install]
> > +WantedBy=multi-user.target
> > diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
> > new file mode 100644
> > index 0000000..fa4a8b3
> > --- /dev/null
> > +++ b/projectroot/lib/systemd/system/iptables.service
> > @@ -0,0 +1,14 @@
> > +[Unit]
> > +Description=Packet Filtering Framework
> > +DefaultDependencies=no
> > +After=systemd-sysctl.service
> > +Before=sysinit.target
> > +ConditionFileNotEmpty=/etc/iptables/rules.v4
> > +[Service]
> > +Type=oneshot
> > +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> > +ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> > +ExecStop=/usr/sbin/iptables-flush
> > +RemainAfterExit=yes
> > +[Install]
> > +WantedBy=multi-user.target
> 
> I wonder if we want this to run earlier (not sure how to enforce this).
> Like this a service that is blocked by the firewall is reachable between
> start of respective service and loading of the firewall.
> 
> I'm not sure about the ordering of the services, is
> 
> 	After=systemd-sysctl.service
> 
> late enough that all relevant kernel modules are there that provide the
> ethernet devices? If the module is missing that provides eth0
> referencing eth0 in the rules doesn't work IIRC.
> 
> Best regards
> Uwe
> 
> -- 
> Pengutronix e.K.                           | Uwe Kleine-König            |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-11 12:19 Gavin Schenk
@ 2016-04-11 17:46 ` Uwe Kleine-König
  2016-04-12  8:35   ` Michael Olbrich
  0 siblings, 1 reply; 16+ messages in thread
From: Uwe Kleine-König @ 2016-04-11 17:46 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Hello,

even though I said for (implicit) v2 that I'm lucky now,
I still found a few things to criticize/ask.

You could be a still better ptxdist citizen if you used -v3 for
git format-patch (or git send-email if you didn't do the explicit
format-patch step). For additional karma add a section like:

	Changes since v2:

	 - reformat rule file
	 - ...

after the --- below.

$Subject ~= s/iptable/iptables/

On Mon, Apr 11, 2016 at 02:19:28PM +0200, Gavin Schenk wrote:
> Supports ipv4 and ipv6 and both options can be selected in menuconfig
> by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT
> 
> If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
> multiuser.target that set the iptable rules from file:
> /etc/iptables/rules.v4
> 
> If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
> multiuser.target that set the iptable rules from the file:
> /etc/iptables/rules.v6
> 
> The Package provides empty files. If you want to add custom rules, you

s/P/p/

> have to provide your own files. The rule files can be generated with
> the utils iptables-save ip6tables-save from the iptables package.

	the utils iptables-save or ip6tables-save respectively.

Pointing out "from the iptables package" doesn't add much because the
two new config items are part of the iptables package, too.

> Example:
> Generating a rule file, that drops port 5000 on interface eth0 for ipv4
> 
> 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> 2.) iptables-save > /etc/iptables/rules.v4
> 
> The basic idea was taken from https://github.com/gronke/systemd-iptables
> written by Stefan Grönke <stefan@gronke.net> in 2015.
> 
> Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
> ---
>  projectroot/etc/iptables/rules.v4                |  0
>  projectroot/etc/iptables/rules.v6                |  0
>  projectroot/lib/systemd/system/ip6tables.service | 14 ++++++++++++++
>  projectroot/lib/systemd/system/iptables.service  | 14 ++++++++++++++
>  projectroot/usr/sbin/ip6tables-flush             | 19 +++++++++++++++++++
>  projectroot/usr/sbin/iptables-flush              | 19 +++++++++++++++++++
>  rules/iptables.in                                | 10 ++++++++++
>  rules/iptables.make                              | 21 +++++++++++++++++++++
>  8 files changed, 97 insertions(+)
>  create mode 100644 projectroot/etc/iptables/rules.v4
>  create mode 100644 projectroot/etc/iptables/rules.v6
>  create mode 100644 projectroot/lib/systemd/system/ip6tables.service
>  create mode 100644 projectroot/lib/systemd/system/iptables.service
>  create mode 100755 projectroot/usr/sbin/ip6tables-flush
>  create mode 100755 projectroot/usr/sbin/iptables-flush
> 
> diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
> new file mode 100644
> index 0000000..e69de29

These files are never used, are they? Either you want them filled, then
you provide your own version in the BSP; or you disable
IPTABLES_IPV4_SYSTEMD_UNIT.
Hm, thinking again, not adding the files breaks an all-yes compile test.
Michael, what do you think?

> diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
> new file mode 100644
> index 0000000..e69de29
> diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
> new file mode 100644
> index 0000000..e842cc1
> --- /dev/null
> +++ b/projectroot/lib/systemd/system/ip6tables.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +DefaultDependencies=no
> +After=systemd-sysctl.service
> +Before=sysinit.target
> +ConditionFileNotEmpty=/etc/iptables/rules.v6
> +[Service]
> +Type=oneshot
> +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> +ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> +ExecStop=/usr/sbin/iptables/ip6tables-flush
> +RemainAfterExit=yes
> +[Install]
> +WantedBy=multi-user.target
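Review bot: ExecStop= still reads /usr/sbin/iptables/ip6tables-flush, although the file list above installs the script as projectroot/usr/sbin/ip6tables-flush, so `systemctl stop ip6tables` fails with a missing executable; the iptables.service hunk below uses the correct /usr/sbin/iptables-flush, and the IPv6 unit should match it.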
> diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
> new file mode 100644
> index 0000000..fa4a8b3
> --- /dev/null
> +++ b/projectroot/lib/systemd/system/iptables.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +DefaultDependencies=no
> +After=systemd-sysctl.service
> +Before=sysinit.target
> +ConditionFileNotEmpty=/etc/iptables/rules.v4
> +[Service]
> +Type=oneshot
> +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> +ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> +ExecStop=/usr/sbin/iptables-flush
> +RemainAfterExit=yes
> +[Install]
> +WantedBy=multi-user.target
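Review bot: the empty rules.v4/rules.v6 shipped in projectroot/ (0 lines in the diffstat above) combined with ConditionFileNotEmpty= in both units means a BSP that does not override the files gets a unit that is installed and wanted by multi-user.target but silently skipped: no filtering, no failure, nothing in the boot log beyond a passed-over condition. That deserves a comment in the unit or the option's help text. On the ordering question raised below: with DefaultDependencies=no and Before=sysinit.target the units are already ordered ahead of sysinit.target and therefore ahead of every multi-user service, so the remaining open point is only whether the network drivers are loaded by then.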

I wonder if we want this to run earlier (not sure how to enforce this).
Like this a service that is blocked by the firewall is reachable between
start of respective service and loading of the firewall.

I'm not sure about the ordering of the services, is

	After=systemd-sysctl.service

late enough that all relevant kernel modules are there that provide the
ethernet devices? If the module is missing that provides eth0
referencing eth0 in the rules doesn't work IIRC.

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-11 12:08   ` Schenk, Gavin
@ 2016-04-11 12:44     ` Michael Olbrich
  0 siblings, 0 replies; 16+ messages in thread
From: Michael Olbrich @ 2016-04-11 12:44 UTC (permalink / raw)
  To: ptxdist

Hi,

On Mon, Apr 11, 2016 at 12:08:51PM +0000, Schenk, Gavin wrote:
> > > +for table in $(</proc/net/ip6_tables_names)
> > 
> > This does not work with a busybox /bin/sh. I think that's bashism.
> > 
> > This should work:
> > 
> > for table in $(cat /proc/net/ip6_tables_names); do ...
> > 
> > Note: It doesn't fail! The list is always empty!
> 
> Grrrr Uwe told me about the tool checkbashism last week, but I forgot to use it here :(.
> I tested the implementation with cat and it works! 

:-)

> > > +	@$(call install_link, iptables, ../ip6tables.service,
> > > +/lib/systemd/system/multi-user.target.wants/ip6tables.service)
> > 
> > 	@$(call install_link, iptables, ../ip6tables.service,  \
> > 		/lib/systemd/system/multi-user.target.wants/ip6tables.service)
> > 
> > Break like this.
> 
> Can you please tell me about the limits of columns in makefiles, or where I can read about it?
> In some Makefiles more than 80 columns are used. Is there a kind of hard and soft limit :)?
> 
> I'll send a new patch after testing the changes.

The soft limit is 80 columns. If making the lines a bit longer makes it
more readable, then that's ok too.

I'm sure there are quite a few old rules that don't match my requirements.
If I do non-trivial changes to a rule, then I usually clean it up as well.
But I don't have the time to clean up all rules.
If you need examples then look for rules I created or modified in the last
year or so. Those typically match what I think a rule should look like...

Regards,
Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* [ptxdist] [PATCH] Add persistent iptable-rules via systemd
@ 2016-04-11 12:19 Gavin Schenk
  2016-04-11 17:46 ` Uwe Kleine-König
  0 siblings, 1 reply; 16+ messages in thread
From: Gavin Schenk @ 2016-04-11 12:19 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Supports IPv4 and IPv6; both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT.

If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v4

If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v6

The package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utilities iptables-save and ip6tables-save from the iptables package.

Example:
Generating a rule file that drops port 5000 on interface eth0 for IPv4

1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4

The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.

Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
---
 projectroot/etc/iptables/rules.v4                |  0
 projectroot/etc/iptables/rules.v6                |  0
 projectroot/lib/systemd/system/ip6tables.service | 14 ++++++++++++++
 projectroot/lib/systemd/system/iptables.service  | 14 ++++++++++++++
 projectroot/usr/sbin/ip6tables-flush             | 19 +++++++++++++++++++
 projectroot/usr/sbin/iptables-flush              | 19 +++++++++++++++++++
 rules/iptables.in                                | 10 ++++++++++
 rules/iptables.make                              | 21 +++++++++++++++++++++
 8 files changed, 97 insertions(+)
 create mode 100644 projectroot/etc/iptables/rules.v4
 create mode 100644 projectroot/etc/iptables/rules.v6
 create mode 100644 projectroot/lib/systemd/system/ip6tables.service
 create mode 100644 projectroot/lib/systemd/system/iptables.service
 create mode 100755 projectroot/usr/sbin/ip6tables-flush
 create mode 100755 projectroot/usr/sbin/iptables-flush

diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
new file mode 100644
index 0000000..e69de29
diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
new file mode 100644
index 0000000..e69de29
diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
new file mode 100644
index 0000000..e842cc1
--- /dev/null
+++ b/projectroot/lib/systemd/system/ip6tables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v6
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecStop=/usr/sbin/iptables/ip6tables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
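Review bot: ExecStop names /usr/sbin/iptables/ip6tables-flush, but the iptables.make hunk below installs the script as /usr/sbin/ip6tables-flush, so `systemctl stop ip6tables` (and therefore every restart) fails on a missing executable; the IPv4 unit has the correct `ExecStop=/usr/sbin/iptables-flush`. The ordering is also inconsistent with the commit message: DefaultDependencies=no plus Before=sysinit.target places the unit in early boot, not "on multi-user.target", which is only where the [Install] link pulls it in from. If the intent is to have the rules loaded before anything is reachable over the network, the documented hook for firewalls is `Wants=network-pre.target` together with `Before=network-pre.target`, which network-management services order themselves after.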
diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
new file mode 100644
index 0000000..fa4a8b3
--- /dev/null
+++ b/projectroot/lib/systemd/system/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v4
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStop=/usr/sbin/iptables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
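Review bot: ConditionFileNotEmpty=/etc/iptables/rules.v4 combined with the empty rules.v4 this series ships means a BSP that forgets to provide its own file boots with no filtering at all, and systemd treats the failed condition as "skipped", not as a failure, so nothing in the journal flags it. Either drop the empty placeholder so a missing file is a visible error at the iptables-restore step, or say in the commit message that the unit stays silently inactive until a rule set is provided. The two Description= strings are identical as well; "IPv4 packet filtering" and "IPv6 packet filtering" would make systemctl status output distinguishable.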
diff --git a/projectroot/usr/sbin/ip6tables-flush b/projectroot/usr/sbin/ip6tables-flush
new file mode 100755
index 0000000..0ef3c3f
--- /dev/null
+++ b/projectroot/usr/sbin/ip6tables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! ip6tables --list >/dev/null 2>&1; then
+        echo "ipv6 filtering is not supported by the running kernel."
+        exit 3
+fi
+
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+for table in $(cat /proc/net/ip6_tables_names);
+do
+        ip6tables -t $table -F
+        ip6tables -t $table -X
+        ip6tables -t $table -Z
+done
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
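Review bot: the stop path fails open: after flushing every table the script sets the INPUT, FORWARD and OUTPUT policies of the filter table to ACCEPT, so `systemctl stop ip6tables` removes all filtering rather than leaving the host in whatever policy the rule set had established, and only the filter table's policies are touched (a policy set in nat or mangle survives). That may be the intended semantics, but it should be stated in the commit message, and a variant that keeps the policies and only flushes the rules is worth considering for a product firewall. Minor: the unqualified `-F`, `-X`, `-Z` before the loop are redundant, since the filter table is listed in /proc/net/ip6_tables_names once the preceding `ip6tables --list` has loaded the module, and the trailing `;` after the for list is absent in the IPv4 twin.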
diff --git a/projectroot/usr/sbin/iptables-flush b/projectroot/usr/sbin/iptables-flush
new file mode 100755
index 0000000..a9c146e
--- /dev/null
+++ b/projectroot/usr/sbin/iptables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! iptables --list >/dev/null 2>&1; then
+	echo "ipv4 filtering is not supported by the running kernel."
+	exit 3
+fi
+
+iptables -F
+iptables -X
+iptables -Z
+for table in $(cat /proc/net/ip_tables_names)
+do
+        iptables -t $table -F
+        iptables -t $table -X
+        iptables -t $table -Z
+done
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
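Review bot: indentation mixes a tab inside the `if` block with eight spaces in the `for` body; use one or the other throughout (the IPv6 script uses spaces in both places). Otherwise the same fail-open behaviour as in ip6tables-flush applies here: all filter policies end as ACCEPT after a stop, which should be documented.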
diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..8354060 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -25,6 +25,16 @@ config IPTABLES_IPV4
 	bool
 	prompt "IPv4 support"
 
+config IPTABLES_IPV6_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv6 systemd service unit"
+	select IPTABLES_IPV6
+
+config IPTABLES_IPV4_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv4 systemd service unit"
+	select IPTABLES_IPV4
+
 config IPTABLES_LIBIPQ
 	bool
 	prompt "Enable libipq"
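Review bot: both new options only `select` the matching address-family support; nothing ties them to systemd being the selected init method, so the unit files, the wants link and the flush scripts are also installed on a BusyBox-init or SysV target, where nothing will ever run them. Add a `depends on` the systemd init-method symbol (INITMETHOD_SYSTEMD in ptxdist) so the prompts only appear where the units can work.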
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..b318336 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -126,6 +126,27 @@ ifdef PTXCONF_IPTABLES_IPV4
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
 endif
+
+ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
+# 	# IPv6 systemd service unit part
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
+	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/ip6tables-flush)
+	@$(call install_alternative, iptables, 0, 0, 0644, \
+		/lib/systemd/system/ip6tables.service)
+	@$(call install_link, iptables, ../ip6tables.service, \
+		/lib/systemd/system/multi-user.target.wants/ip6tables.service)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
+# 	# IPv4 systemd service unit part
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
+	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/iptables-flush)
+	@$(call install_alternative, iptables, 0, 0, 0644, \
+		/lib/systemd/system/iptables.service)
+	@$(call install_link, iptables, ../iptables.service, \
+		/lib/systemd/system/multi-user.target.wants/iptables.service)
+endif
+
 endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
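Review bot: the rule files are installed with mode 0644, which makes the complete firewall policy (which ports are open, which addresses are allow-listed) readable by every local user and by any compromised unprivileged service; iptables-restore runs as root, so 0600 is sufficient and the safer default for both install_alternative calls of /etc/iptables/rules.v4 and /etc/iptables/rules.v6.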
-- 
1.9.1



* Re: [ptxdist] [PATCH] Add persistent iptable-rules via systemd
  2016-04-11 10:00 ` Michael Olbrich
@ 2016-04-11 12:08   ` Schenk, Gavin
  2016-04-11 12:44     ` Michael Olbrich
  0 siblings, 1 reply; 16+ messages in thread
From: Schenk, Gavin @ 2016-04-11 12:08 UTC (permalink / raw)
  To: ptxdist

Hi,

> > +for table in $(</proc/net/ip6_tables_names)
> 
> This does not work with a busybox /bin/sh. I think that's a bashism.
> 
> This should work:
> 
> for table in $(cat /proc/net/ip6_tables_names); do ...
> 
> Note: It doesn't fail! The list is always empty!

Grrrr, Uwe told me about the tool checkbashisms last week, but I forgot to use it here :(.
I tested the implementation with cat and it works!

> > +	@$(call install_link, iptables, ../ip6tables.service,
> > +/lib/systemd/system/multi-user.target.wants/ip6tables.service)
> 
> 	@$(call install_link, iptables, ../ip6tables.service,  \
> 		/lib/systemd/system/multi-user.target.wants/ip6tables.service)
> 
> Break like this.

Can you please tell me about the limits of columns in makefiles, or where I can read about it?
In some Makefiles more than 80 columns are used. Is there a kind of hard and soft limit :)?

I'll send a new patch after testing the changes.

Regards
Gavin

* Re: [ptxdist] [PATCH] Add persistent iptable-rules via systemd
  2016-04-08 13:04 Gavin Schenk
@ 2016-04-11 10:00 ` Michael Olbrich
  2016-04-11 12:08   ` Schenk, Gavin
  0 siblings, 1 reply; 16+ messages in thread
From: Michael Olbrich @ 2016-04-11 10:00 UTC (permalink / raw)
  To: ptxdist

On Fri, Apr 08, 2016 at 03:04:10PM +0200, Gavin Schenk wrote:
> Supports IPv4 and IPv6; both options can be selected in menuconfig
> by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT.
> 
> If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on
> multi-user.target that sets the iptables rules from the file:
> /etc/iptables/rules.v4
> 
> If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on
> multi-user.target that sets the iptables rules from the file:
> /etc/iptables/rules.v6
> 
> The package provides empty files. If you want to add custom rules, you
> have to provide your own files. The rule files can be generated with
> the utilities iptables-save and ip6tables-save from the iptables package.
> 
> Example:
> Generating a rule file that drops port 5000 on interface eth0 for IPv4
> 
> 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> 2.) iptables-save > /etc/iptables/rules.v4
> 
> The basic idea was taken from https://github.com/gronke/systemd-iptables
> written by Stefan Grönke <stefan@gronke.net> in 2015.
> 
> Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
> ---
>  projectroot/etc/iptables/rules.v4                |  0
>  projectroot/etc/iptables/rules.v6                |  0
>  projectroot/lib/systemd/system/ip6tables.service | 14 ++++++++++++++
>  projectroot/lib/systemd/system/iptables.service  | 14 ++++++++++++++
>  projectroot/usr/sbin/ip6tables-flush             | 19 +++++++++++++++++++
>  projectroot/usr/sbin/iptables-flush              | 19 +++++++++++++++++++
>  rules/iptables.in                                | 10 ++++++++++
>  rules/iptables.make                              | 17 +++++++++++++++++
>  8 files changed, 93 insertions(+)
>  create mode 100644 projectroot/etc/iptables/rules.v4
>  create mode 100644 projectroot/etc/iptables/rules.v6
>  create mode 100644 projectroot/lib/systemd/system/ip6tables.service
>  create mode 100644 projectroot/lib/systemd/system/iptables.service
>  create mode 100755 projectroot/usr/sbin/ip6tables-flush
>  create mode 100755 projectroot/usr/sbin/iptables-flush
> 
> diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
> new file mode 100644
> index 0000000..e69de29
> diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
> new file mode 100644
> index 0000000..e69de29
> diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
> new file mode 100644
> index 0000000..e842cc1
> --- /dev/null
> +++ b/projectroot/lib/systemd/system/ip6tables.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +DefaultDependencies=no
> +After=systemd-sysctl.service
> +Before=sysinit.target
> +ConditionFileNotEmpty=/etc/iptables/rules.v6
> +[Service]
> +Type=oneshot
> +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> +ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
> +ExecStop=/usr/sbin/iptables/ip6tables-flush
> +RemainAfterExit=yes
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
> new file mode 100644
> index 0000000..fa4a8b3
> --- /dev/null
> +++ b/projectroot/lib/systemd/system/iptables.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=Packet Filtering Framework
> +DefaultDependencies=no
> +After=systemd-sysctl.service
> +Before=sysinit.target
> +ConditionFileNotEmpty=/etc/iptables/rules.v4
> +[Service]
> +Type=oneshot
> +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> +ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
> +ExecStop=/usr/sbin/iptables-flush
> +RemainAfterExit=yes
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/projectroot/usr/sbin/ip6tables-flush b/projectroot/usr/sbin/ip6tables-flush
> new file mode 100755
> index 0000000..cf6d22b
> --- /dev/null
> +++ b/projectroot/usr/sbin/ip6tables-flush
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +
> +if ! ip6tables --list >/dev/null 2>&1; then
> +        echo "ipv6 filtering is not supported by the running kernel."
> +        exit 3
> +fi
> +
> +ip6tables -F
> +ip6tables -X
> +ip6tables -Z
> +for table in $(</proc/net/ip6_tables_names)

This does not work with a busybox /bin/sh. I think that's a bashism.

This should work:

for table in $(cat /proc/net/ip6_tables_names); do
...

Note: It doesn't fail! The list is always empty!

> +do
> +        ip6tables -t $table -F
> +        ip6tables -t $table -X
> +        ip6tables -t $table -Z
> +done
> +ip6tables -P INPUT ACCEPT
> +ip6tables -P OUTPUT ACCEPT
> +ip6tables -P FORWARD ACCEPT
> diff --git a/projectroot/usr/sbin/iptables-flush b/projectroot/usr/sbin/iptables-flush
> new file mode 100755
> index 0000000..a6e056f
> --- /dev/null
> +++ b/projectroot/usr/sbin/iptables-flush
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +
> +if ! iptables --list >/dev/null 2>&1; then
> +	echo "ipv4 filtering is not supported by the running kernel." 	
> +	exit 3
> +fi 
> +
> +iptables -F
> +iptables -X
> +iptables -Z
> +for table in $(</proc/net/ip_tables_names)

Same here.

> +do
> +        iptables -t $table -F
> +        iptables -t $table -X
> +        iptables -t $table -Z
> +done
> +iptables -P INPUT ACCEPT
> +iptables -P FORWARD ACCEPT
> +iptables -P OUTPUT ACCEPT
> diff --git a/rules/iptables.in b/rules/iptables.in
> index e6f3699..8354060 100644
> --- a/rules/iptables.in
> +++ b/rules/iptables.in
> @@ -25,6 +25,16 @@ config IPTABLES_IPV4
>  	bool
>  	prompt "IPv4 support"
>  
> +config IPTABLES_IPV6_SYSTEMD_UNIT
> +	bool
> +	prompt "Activate IPv6 systemd service unit"
> +	select IPTABLES_IPV6
> +
> +config IPTABLES_IPV4_SYSTEMD_UNIT
> +	bool
> +	prompt "Activate IPv4 systemd service unit"
> +	select IPTABLES_IPV4
> +
>  config IPTABLES_LIBIPQ
>  	bool
>  	prompt "Enable libipq"
> diff --git a/rules/iptables.make b/rules/iptables.make
> index 8a1ea66..3dff774 100644
> --- a/rules/iptables.make
> +++ b/rules/iptables.make
> @@ -126,6 +126,23 @@ ifdef PTXCONF_IPTABLES_IPV4
>  	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
>  	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
>  endif
> +
> +ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
> +# 	# IPv6 systemd service unit part
> +	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
> +	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/ip6tables-flush)
> +	@$(call install_alternative, iptables, 0, 0, 0644, /lib/systemd/system/ip6tables.service)
> +	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)

	@$(call install_link, iptables, ../ip6tables.service,  \
		/lib/systemd/system/multi-user.target.wants/ip6tables.service)

Break like this.

> +endif
> +
> +ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
> +# 	# IPv4 systemd service unit part
> +	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
> +	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/iptables-flush)
> +	@$(call install_alternative, iptables, 0, 0, 0644, /lib/systemd/system/iptables.service)
> +	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)

Same here.

Michael

> +endif
> +
>  endif
>  
>  ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
> -- 
> 1.9.1

* [ptxdist] [PATCH] Add persistent iptable-rules via systemd
@ 2016-04-08 13:04 Gavin Schenk
  2016-04-11 10:00 ` Michael Olbrich
  0 siblings, 1 reply; 16+ messages in thread
From: Gavin Schenk @ 2016-04-08 13:04 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Supports IPv4 and IPv6; both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT.

If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v4

If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v6

The package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utilities iptables-save and ip6tables-save from the iptables package.

Example:
Generating a rule file that drops port 5000 on interface eth0 for IPv4

1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4

The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.

Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
---
 projectroot/etc/iptables/rules.v4                |  0
 projectroot/etc/iptables/rules.v6                |  0
 projectroot/lib/systemd/system/ip6tables.service | 14 ++++++++++++++
 projectroot/lib/systemd/system/iptables.service  | 14 ++++++++++++++
 projectroot/usr/sbin/ip6tables-flush             | 19 +++++++++++++++++++
 projectroot/usr/sbin/iptables-flush              | 19 +++++++++++++++++++
 rules/iptables.in                                | 10 ++++++++++
 rules/iptables.make                              | 17 +++++++++++++++++
 8 files changed, 93 insertions(+)
 create mode 100644 projectroot/etc/iptables/rules.v4
 create mode 100644 projectroot/etc/iptables/rules.v6
 create mode 100644 projectroot/lib/systemd/system/ip6tables.service
 create mode 100644 projectroot/lib/systemd/system/iptables.service
 create mode 100755 projectroot/usr/sbin/ip6tables-flush
 create mode 100755 projectroot/usr/sbin/iptables-flush

diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
new file mode 100644
index 0000000..e69de29
diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
new file mode 100644
index 0000000..e69de29
diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
new file mode 100644
index 0000000..e842cc1
--- /dev/null
+++ b/projectroot/lib/systemd/system/ip6tables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v6
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecStop=/usr/sbin/iptables/ip6tables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
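Review bot: ExecStop=/usr/sbin/iptables/ip6tables-flush does not match the install path /usr/sbin/ip6tables-flush used in the iptables.make hunk further down, so stopping the unit fails on a missing executable; the IPv4 unit uses the right path. This line survives unchanged into the later revision of the patch in this thread, so it is worth fixing before the next resend.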
diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
new file mode 100644
index 0000000..fa4a8b3
--- /dev/null
+++ b/projectroot/lib/systemd/system/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v4
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStop=/usr/sbin/iptables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
diff --git a/projectroot/usr/sbin/ip6tables-flush b/projectroot/usr/sbin/ip6tables-flush
new file mode 100755
index 0000000..cf6d22b
--- /dev/null
+++ b/projectroot/usr/sbin/ip6tables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! ip6tables --list >/dev/null 2>&1; then
+        echo "ipv6 filtering is not supported by the running kernel."
+        exit 3
+fi
+
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+for table in $(</proc/net/ip6_tables_names)
+do
+        ip6tables -t $table -F
+        ip6tables -t $table -X
+        ip6tables -t $table -Z
+done
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
diff --git a/projectroot/usr/sbin/iptables-flush b/projectroot/usr/sbin/iptables-flush
new file mode 100755
index 0000000..a6e056f
--- /dev/null
+++ b/projectroot/usr/sbin/iptables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! iptables --list >/dev/null 2>&1; then
+	echo "ipv4 filtering is not supported by the running kernel." 	
+	exit 3
+fi 
+
+iptables -F
+iptables -X
+iptables -Z
+for table in $(</proc/net/ip_tables_names)
+do
+        iptables -t $table -F
+        iptables -t $table -X
+        iptables -t $table -Z
+done
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
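Review bot: `$(</proc/net/ip_tables_names)` is a bash-only substitution; under a POSIX /bin/sh it silently expands to nothing, so the loop body never runs and only the unqualified filter-table commands take effect, leaving rules in nat and mangle in place. Use `$(cat /proc/net/ip_tables_names)`. The echo line and the `fi` line also carry trailing whitespace.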
diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..8354060 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -25,6 +25,16 @@ config IPTABLES_IPV4
 	bool
 	prompt "IPv4 support"
 
+config IPTABLES_IPV6_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv6 systemd service unit"
+	select IPTABLES_IPV6
+
+config IPTABLES_IPV4_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv4 systemd service unit"
+	select IPTABLES_IPV4
+
 config IPTABLES_LIBIPQ
 	bool
 	prompt "Enable libipq"
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..3dff774 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -126,6 +126,23 @@ ifdef PTXCONF_IPTABLES_IPV4
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
 endif
+
+ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
+# 	# IPv6 systemd service unit part
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
+	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/ip6tables-flush)
+	@$(call install_alternative, iptables, 0, 0, 0644, /lib/systemd/system/ip6tables.service)
+	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
+# 	# IPv4 systemd service unit part
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
+	@$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/iptables-flush)
+	@$(call install_alternative, iptables, 0, 0, 0644, /lib/systemd/system/iptables.service)
+	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)
+endif
+
 endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
-- 
1.9.1



* [ptxdist] [PATCH] Add persistent iptable-rules via systemd
@ 2016-04-07 12:21 Gavin Schenk
  0 siblings, 0 replies; 16+ messages in thread
From: Gavin Schenk @ 2016-04-07 12:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Supports IPv4 and IPv6; both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT.

If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v4

If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on
multi-user.target that sets the iptables rules from the file:
/etc/iptables/rules.v6

The package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utilities iptables-save and ip6tables-save from the iptables package.

Example:
Generating a rule file that drops port 5000 on interface eth0 for IPv4

1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4

The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.

Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
---
 .../0001-Added-files-for-systemd-support.patch     | 115 +++++++++++++++++++++
 patches/iptables-1.4.21/series                     |   4 +
 rules/iptables.in                                  |  10 ++
 rules/iptables.make                                |  17 +++
 4 files changed, 146 insertions(+)
 create mode 100644 patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
 create mode 100644 patches/iptables-1.4.21/series

diff --git a/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
new file mode 100644
index 0000000..e98a788
--- /dev/null
+++ b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
@@ -0,0 +1,115 @@
+From: Gavin Schenk <g.schenk@eckelmann.de>
+Date: Wed, 6 Apr 2016 10:19:52 +0200
+Subject: [PATCH] Added files for systemd support
+
+---
+ etc/iptables/rules.v4            |  0
+ etc/iptables/rules.v6            |  0
+ scripts/ip6tables-flush          | 19 +++++++++++++++++++
+ scripts/iptables-flush           | 19 +++++++++++++++++++
+ systemd/system/ip6tables.service | 14 ++++++++++++++
+ systemd/system/iptables.service  | 14 ++++++++++++++
+ 6 files changed, 66 insertions(+)
+ create mode 100644 etc/iptables/rules.v4
+ create mode 100644 etc/iptables/rules.v6
+ create mode 100755 scripts/ip6tables-flush
+ create mode 100755 scripts/iptables-flush
+ create mode 100755 systemd/system/ip6tables.service
+ create mode 100755 systemd/system/iptables.service
+
+diff --git a/etc/iptables/rules.v4 b/etc/iptables/rules.v4
+new file mode 100644
+index 000000000000..e69de29bb2d1
+diff --git a/etc/iptables/rules.v6 b/etc/iptables/rules.v6
+new file mode 100644
+index 000000000000..e69de29bb2d1
+diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush
+new file mode 100755
+index 000000000000..cf6d22bb2923
+--- /dev/null
++++ b/scripts/ip6tables-flush
+@@ -0,0 +1,19 @@
++#!/bin/sh
++
++if ! ip6tables --list >/dev/null 2>&1; then
++        echo "ipv6 filtering is not supported by the running kernel."
++        exit 3
++fi
++
++ip6tables -F
++ip6tables -X
++ip6tables -Z
++for table in $(</proc/net/ip6_tables_names)
++do
++        ip6tables -t $table -F
++        ip6tables -t $table -X
++        ip6tables -t $table -Z
++done
++ip6tables -P INPUT ACCEPT
++ip6tables -P OUTPUT ACCEPT
++ip6tables -P FORWARD ACCEPT
+diff --git a/scripts/iptables-flush b/scripts/iptables-flush
+new file mode 100755
+index 000000000000..a6e056f31a75
+--- /dev/null
++++ b/scripts/iptables-flush
+@@ -0,0 +1,19 @@
++#!/bin/sh
++
++if ! iptables --list >/dev/null 2>&1; then
++	echo "ipv4 filtering is not supported by the running kernel." 	
++	exit 3
++fi 
++
++iptables -F
++iptables -X
++iptables -Z
++for table in $(</proc/net/ip_tables_names)
++do
++        iptables -t $table -F
++        iptables -t $table -X
++        iptables -t $table -Z
++done
++iptables -P INPUT ACCEPT
++iptables -P FORWARD ACCEPT
++iptables -P OUTPUT ACCEPT
+diff --git a/systemd/system/ip6tables.service b/systemd/system/ip6tables.service
+new file mode 100755
+index 000000000000..e842cc1973a1
+--- /dev/null
++++ b/systemd/system/ip6tables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v6
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecStop=/usr/sbin/iptables/ip6tables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
+diff --git a/systemd/system/iptables.service b/systemd/system/iptables.service
+new file mode 100755
+index 000000000000..fa4a8b367ca0
+--- /dev/null
++++ b/systemd/system/iptables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v4
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecStop=/usr/sbin/iptables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
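Review bot: the rule files, flush scripts and unit files are BSP payload, not changes to iptables itself, so carrying them as a patch under patches/iptables-1.4.21/ (with a version-specific series file) means the patch has to be regenerated on every iptables version bump and the files can only be installed out of $(IPTABLES_DIR); putting them into projectroot/ and installing from there, as the later revisions in this thread do, avoids that. Inside the embedded patch the two .service files are created with mode 100755, which unit files do not need, and ip6tables.service's ExecStop names /usr/sbin/iptables/ip6tables-flush while the make hunk installs the script as /usr/sbin/ip6tables-flush.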
diff --git a/patches/iptables-1.4.21/series b/patches/iptables-1.4.21/series
new file mode 100644
index 0000000..b8f388f
--- /dev/null
+++ b/patches/iptables-1.4.21/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-Added-files-for-systemd-support.patch
+# 366b7fd90bb4fe7e229f0ba777703fb5  - git-ptx-patches magic
diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..8354060 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -25,6 +25,16 @@ config IPTABLES_IPV4
 	bool
 	prompt "IPv4 support"
 
+config IPTABLES_IPV6_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv6 systemd service unit"
+	select IPTABLES_IPV6
+
+config IPTABLES_IPV4_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv4 systemd service unit"
+	select IPTABLES_IPV4
+
 config IPTABLES_LIBIPQ
 	bool
 	prompt "Enable libipq"
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..12d3867 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -126,6 +126,23 @@ ifdef PTXCONF_IPTABLES_IPV4
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
 endif
+
+ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
+# 	# IPv6 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/ip6tables-flush, /usr/sbin/ip6tables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/ip6tables.service, /lib/systemd/system/ip6tables.service)
+	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
+# 	# IPv4 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/iptables-flush, /usr/sbin/iptables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/iptables.service, /lib/systemd/system/iptables.service)
+	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)
+	@$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4)
+endif
+
 endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
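Review bot: `install_alternative` for `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6` needs a default copy of each file under the package's projectroot to fall back to, and no such file is added by this patch, so the install step fails unless the BSP already ships one; add the (empty) defaults to the package, as promised in the thread, and note in the commit message that an empty file leaves `ConditionFileNotEmpty` unmet, i.e. the unit is a silent no-op until the BSP provides real rules. The `install_link` into `multi-user.target.wants` duplicates what the unit's `[Install]` section says; that is the usual ptxdist way, but a one-line comment saying so avoids a second `systemctl enable` in an image post-processing step.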
-- 
1.9.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07  9:20     ` Uwe Kleine-König
@ 2016-04-07  9:25       ` Schenk, Gavin
  0 siblings, 0 replies; 16+ messages in thread
From: Schenk, Gavin @ 2016-04-07  9:25 UTC (permalink / raw)
  To: Uwe Kleine-König; +Cc: ptxdist

Hi,

> 
> Assuming this does the trick, this has the added benefit that module loading
> is tried.
> 
Ok.

> >
> > if [ $IPTABLES_SUPPORT -gt 0 ]; then
> > 	echo "iptables is not supported by your kernel"
> > 	exit $IPTABLES_SUPPORT
> > fi
> 
> I'd use:
> 
> 	if ! iptables --list >/dev/null 2>&1; then
> 
> (note that &> is a bashism and for example doesn't work with dash).
> 
Always good to have you guys for the details :-).
I'll test it and post a new patch later.

Thanks a lot!
Regards
Gavin


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07  9:14   ` Schenk, Gavin
@ 2016-04-07  9:20     ` Uwe Kleine-König
  2016-04-07  9:25       ` Schenk, Gavin
  0 siblings, 1 reply; 16+ messages in thread
From: Uwe Kleine-König @ 2016-04-07  9:20 UTC (permalink / raw)
  To: Schenk, Gavin; +Cc: ptxdist

Hello,

On Thu, Apr 07, 2016 at 09:14:01AM +0000, Schenk, Gavin wrote:
> > > +diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush new
> > > +file mode 100755 index 000000000000..95086b0470d3
> > > +--- /dev/null
> > > ++++ b/scripts/ip6tables-flush
> > > +@@ -0,0 +1,13 @@
> > > ++#!/bin/sh
> > > ++ip6tables -F
> > > ++ip6tables -X
> > > ++ip6tables -Z
> > > ++for table in $(</proc/net/ip6_tables_names)
> > 
> > What happens if there is no ipv6 iptables support in the kernel? Maybe catch
> > that with an error message?
> > 
> 
> This is what happens on both ipv4 and ipv6:
> iptables-flush 
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> /usr/sbin/iptables-flush: line 5: /proc/net/ip_tables_names: No such file or directory
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> modprobe: module ip_tables not found in modules.dep
> iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> 
> 
> What is a good way to detect if the kernel supports iptables? 
> Instead of digging into /proc my idea is to add something like:
> 
> iptables --list &> /dev/null
> IPTABLES_SUPPORT=$?

Assuming this does the trick, this has the added benefit that module
loading is tried.

> 
> > if [ $IPTABLES_SUPPORT -gt 0 ]; then
> 	echo "iptables is not supported by your kernel"
> 	exit $IPTABLES_SUPPORT
> fi

I'd use:

	if ! iptables --list >/dev/null 2>&1; then

(note that &> is a bashism and for example doesn't work with dash).

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |


* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07  8:11 ` Uwe Kleine-König
@ 2016-04-07  9:14   ` Schenk, Gavin
  2016-04-07  9:20     ` Uwe Kleine-König
  0 siblings, 1 reply; 16+ messages in thread
From: Schenk, Gavin @ 2016-04-07  9:14 UTC (permalink / raw)
  To: Uwe Kleine-König, ptxdist

Hi,

> > If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from file
> > /etc/iptables/rules.v4.
> > If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from the file
> > /etc/iptables/rules.v6.
> 
> would it make sense to add a call to install_alternative for the rule files?

Yes, but in this case I have to provide an empty default file.
I have tested ConditionFileNotEmpty with an empty file and it works!

Loaded: loaded (/lib/systemd/system/iptables.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Thu 2016-04-07 11:26:45 CEST; 3min 20s ago
           ConditionFileNotEmpty=/etc/iptables/rules.v4 was not met

I will add empty files rules.v4 and rules.v6 to the package.

> > +---
> > + scripts/ip6tables-flush          | 13 +++++++++++++
> > + scripts/iptables-flush           | 13 +++++++++++++
> > + systemd/system/ip6tables.service | 14 ++++++++++++++
> > +systemd/system/iptables.service  | 14 ++++++++++++++
> > + 4 files changed, 54 insertions(+)
> > + create mode 100755 scripts/ip6tables-flush  create mode 100755
> > +scripts/iptables-flush  create mode 100755
> > +systemd/system/ip6tables.service  create mode 100755
> > +systemd/system/iptables.service
> > +
> > +diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush new
> > +file mode 100755 index 000000000000..95086b0470d3
> > +--- /dev/null
> > ++++ b/scripts/ip6tables-flush
> > +@@ -0,0 +1,13 @@
> > ++#!/bin/sh
> > ++ip6tables -F
> > ++ip6tables -X
> > ++ip6tables -Z
> > ++for table in $(</proc/net/ip6_tables_names)
> 
> What happens if there is no ipv6 iptables support in the kernel? Maybe catch
> that with an error message?
> 

This is what happens on both ipv4 and ipv6:
iptables-flush 
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/usr/sbin/iptables-flush: line 5: /proc/net/ip_tables_names: No such file or directory
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


What is a good way to detect if the kernel supports iptables? 
Instead of digging into /proc my idea is to add something like:

iptables --list &> /dev/null
IPTABLES_SUPPORT=$?

if [ $IPTABLES_SUPPORT -gt 0 ]; then
	echo "iptables is not supported by your kernel"
	exit $IPTABLES_SUPPORT
fi

What do you think about this?

Regards
Gavin Schenk

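A /bin/sh version of the flush helper discussed in the two messages above, written here as an added example (it is not Gavin's script and not part of the patch): it probes kernel support with `iptables --list` the way Uwe suggests before touching any table, and reads the table list with `cat` instead of the bash-only `$(<file)` redirection. The tool name and the table-list file are parameters, and `kernel_supports_tables`, `loaded_tables` and `flush_all` are names assumed for this example, so the same code drives iptables or ip6tables and can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example, not code from the patch: a dash-safe flush helper that
# checks for kernel iptables support before flushing. The command and the
# proc file are parameters (assumed interface, not the patch's) so the same
# code drives iptables or ip6tables and can be tested with a stub command.

# kernel_supports_tables CMD
# Succeeds when "CMD --list" works. Running the tool also lets it try to
# autoload the kernel module, which a bare /proc check would not do.
kernel_supports_tables() {
    "$1" --list >/dev/null 2>&1
}

# loaded_tables FILE
# Prints the table names listed in FILE (e.g. /proc/net/ip_tables_names),
# one per line, or nothing when FILE is absent. "cat" is used on purpose:
# $(<FILE) is a bashism that expands to nothing under dash, which would
# silently skip every table while the script still "succeeds".
loaded_tables() {
    if [ -r "$1" ]; then
        cat "$1"
    fi
}

# flush_all CMD FILE
# Flushes rules, deletes user chains and zeroes counters in every loaded
# table, then resets the built-in filter policies to ACCEPT (the host is
# unfiltered afterwards, exactly as the patch's ExecStop leaves it).
# Returns 1 and changes nothing when the kernel has no support for CMD.
flush_all() {
    cmd=$1
    file=$2
    if ! kernel_supports_tables "$cmd"; then
        echo "$cmd is not supported by your kernel" >&2
        return 1
    fi
    for table in $(loaded_tables "$file"); do
        "$cmd" -t "$table" -F
        "$cmd" -t "$table" -X
        "$cmd" -t "$table" -Z
    done
    "$cmd" -P INPUT ACCEPT
    "$cmd" -P FORWARD ACCEPT
    "$cmd" -P OUTPUT ACCEPT
}

# Only act on the real system when explicitly asked to, e.g.
#   FLUSH_RUN=1 IPT=ip6tables TABLES_FILE=/proc/net/ip6_tables_names sh flush.sh
if [ "${FLUSH_RUN:-0}" = 1 ]; then
    flush_all "${IPT:-iptables}" "${TABLES_FILE:-/proc/net/ip_tables_names}"
fi
```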

* Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
  2016-04-07  7:24 Gavin Schenk
@ 2016-04-07  8:11 ` Uwe Kleine-König
  2016-04-07  9:14   ` Schenk, Gavin
  0 siblings, 1 reply; 16+ messages in thread
From: Uwe Kleine-König @ 2016-04-07  8:11 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Hello,

On Thu, Apr 07, 2016 at 09:24:26AM +0200, Gavin Schenk wrote:
> Supports ipv4 and ipv6 and both options can be selected in menuconfig
> IPTABLES_IPV6_SYSTEMD_UNIT and IPTABLES_IPV4_SYSTEMD_UNIT
> 
> If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
> multiuser.target that set the iptable rules from file
> /etc/iptables/rules.v4.
> If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
> multiuser.target that set the iptable rules from the file
> /etc/iptables/rules.v6.

would it make sense to add a call to install_alternative for the rule
files?

> You have to provide this files. Both files can easily be generated
> with the utils iptables-save ip6tables-save from the iptables package.
> 
> e.g: Generating a rulefile, that drops port 5000 on interface eth0 ipv4
> 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
> 2.) iptables-save > /etc/iptables/rules.v4
> ---
>  .../0001-Added-files-for-systemd-support.patch     | 93 ++++++++++++++++++++++
>  patches/iptables-1.4.21/series                     |  4 +
>  rules/iptables.in                                  | 10 +++
>  rules/iptables.make                                | 15 ++++
>  4 files changed, 122 insertions(+)
>  create mode 100644 patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
>  create mode 100644 patches/iptables-1.4.21/series
> 
> diff --git a/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
> new file mode 100644
> index 0000000..6b055f4
> --- /dev/null
> +++ b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
> @@ -0,0 +1,93 @@
> +From: Gavin Schenk <g.schenk@eckelmann.de>
> +Date: Wed, 6 Apr 2016 10:19:52 +0200
> +Subject: [PATCH] Added files for systemd support
> +
> +---
> + scripts/ip6tables-flush          | 13 +++++++++++++
> + scripts/iptables-flush           | 13 +++++++++++++
> + systemd/system/ip6tables.service | 14 ++++++++++++++
> + systemd/system/iptables.service  | 14 ++++++++++++++
> + 4 files changed, 54 insertions(+)
> + create mode 100755 scripts/ip6tables-flush
> + create mode 100755 scripts/iptables-flush
> + create mode 100755 systemd/system/ip6tables.service
> + create mode 100755 systemd/system/iptables.service
> +
> +diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush
> +new file mode 100755
> +index 000000000000..95086b0470d3
> +--- /dev/null
> ++++ b/scripts/ip6tables-flush
> +@@ -0,0 +1,13 @@
> ++#!/bin/sh
> ++ip6tables -F
> ++ip6tables -X
> ++ip6tables -Z
> ++for table in $(</proc/net/ip6_tables_names)

What happens if there is no ipv6 iptables support in the kernel? Maybe
catch that with an error message?

> ++do
> ++        ip6tables -t $table -F
> ++        ip6tables -t $table -X
> ++        ip6tables -t $table -Z
> ++done
> ++ip6tables -P INPUT ACCEPT
> ++ip6tables -P OUTPUT ACCEPT
> ++ip6tables -P FORWARD ACCEPT

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |


* [ptxdist] [PATCH] Add persistant iptable-rules via systemd
@ 2016-04-07  7:24 Gavin Schenk
  2016-04-07  8:11 ` Uwe Kleine-König
  0 siblings, 1 reply; 16+ messages in thread
From: Gavin Schenk @ 2016-04-07  7:24 UTC (permalink / raw)
  To: ptxdist; +Cc: Gavin Schenk

Supports IPv4 and IPv6; both options can be selected in menuconfig: IPTABLES_IPV6_SYSTEMD_UNIT and IPTABLES_IPV4_SYSTEMD_UNIT.

If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit is started on multiuser.target that sets the iptables rules from the file /etc/iptables/rules.v4.
If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit is started on multiuser.target that sets the iptables rules from the file /etc/iptables/rules.v6.
You have to provide these files. Both files can easily be generated with the utilities iptables-save and ip6tables-save from the iptables package.

e.g.: generating a rule file that drops port 5000 on interface eth0 (IPv4):
1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4
---
 .../0001-Added-files-for-systemd-support.patch     | 93 ++++++++++++++++++++++
 patches/iptables-1.4.21/series                     |  4 +
 rules/iptables.in                                  | 10 +++
 rules/iptables.make                                | 15 ++++
 4 files changed, 122 insertions(+)
 create mode 100644 patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
 create mode 100644 patches/iptables-1.4.21/series

diff --git a/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
new file mode 100644
index 0000000..6b055f4
--- /dev/null
+++ b/patches/iptables-1.4.21/0001-Added-files-for-systemd-support.patch
@@ -0,0 +1,93 @@
+From: Gavin Schenk <g.schenk@eckelmann.de>
+Date: Wed, 6 Apr 2016 10:19:52 +0200
+Subject: [PATCH] Added files for systemd support
+
+---
+ scripts/ip6tables-flush          | 13 +++++++++++++
+ scripts/iptables-flush           | 13 +++++++++++++
+ systemd/system/ip6tables.service | 14 ++++++++++++++
+ systemd/system/iptables.service  | 14 ++++++++++++++
+ 4 files changed, 54 insertions(+)
+ create mode 100755 scripts/ip6tables-flush
+ create mode 100755 scripts/iptables-flush
+ create mode 100755 systemd/system/ip6tables.service
+ create mode 100755 systemd/system/iptables.service
+
+diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush
+new file mode 100755
+index 000000000000..95086b0470d3
+--- /dev/null
++++ b/scripts/ip6tables-flush
+@@ -0,0 +1,13 @@
++#!/bin/sh
++ip6tables -F
++ip6tables -X
++ip6tables -Z
++for table in $(</proc/net/ip6_tables_names)
++do
++        ip6tables -t $table -F
++        ip6tables -t $table -X
++        ip6tables -t $table -Z
++done
++ip6tables -P INPUT ACCEPT
++ip6tables -P OUTPUT ACCEPT
++ip6tables -P FORWARD ACCEPT
+diff --git a/scripts/iptables-flush b/scripts/iptables-flush
+new file mode 100755
+index 000000000000..a47e82c0f875
+--- /dev/null
++++ b/scripts/iptables-flush
+@@ -0,0 +1,13 @@
++#!/bin/sh
++iptables -F
++iptables -X
++iptables -Z
++for table in $(</proc/net/ip_tables_names)
++do
++        iptables -t $table -F
++        iptables -t $table -X
++        iptables -t $table -Z
++done
++iptables -P INPUT ACCEPT
++iptables -P FORWARD ACCEPT
++iptables -P OUTPUT ACCEPT
+diff --git a/systemd/system/ip6tables.service b/systemd/system/ip6tables.service
+new file mode 100755
+index 000000000000..e842cc1973a1
+--- /dev/null
++++ b/systemd/system/ip6tables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v6
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
++ExecStop=/usr/sbin/iptables/ip6tables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
+diff --git a/systemd/system/iptables.service b/systemd/system/iptables.service
+new file mode 100755
+index 000000000000..fa4a8b367ca0
+--- /dev/null
++++ b/systemd/system/iptables.service
+@@ -0,0 +1,14 @@
++[Unit]
++Description=Packet Filtering Framework
++DefaultDependencies=no
++After=systemd-sysctl.service
++Before=sysinit.target
++ConditionFileNotEmpty=/etc/iptables/rules.v4
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
++ExecStop=/usr/sbin/iptables-flush
++RemainAfterExit=yes
++[Install]
++WantedBy=multi-user.target
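Review bot: `ExecStop=/usr/sbin/iptables/ip6tables-flush` in ip6tables.service does not match where rules/iptables.make installs the script (`/usr/sbin/ip6tables-flush`), so stopping the IPv6 unit will fail; the IPv4 unit has the right path. In both flush scripts `for table in $(</proc/net/ip_tables_names)` relies on a bash-only redirection under a `#!/bin/sh` shebang: with dash as /bin/sh it expands to nothing, so the per-table loop never runs and only the filter table is flushed while the script still exits successfully; use `for table in $(cat /proc/net/ip_tables_names)` and guard it with a test that the file exists, which is also the case that produces the `No such file or directory` line quoted later in the thread. Both units share `Description=Packet Filtering Framework`; naming the protocol in each makes `systemctl status` output unambiguous. The .service files are created with mode 100755, but unit files are not executables and 100644 is conventional.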
diff --git a/patches/iptables-1.4.21/series b/patches/iptables-1.4.21/series
new file mode 100644
index 0000000..b8f388f
--- /dev/null
+++ b/patches/iptables-1.4.21/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-Added-files-for-systemd-support.patch
+# 366b7fd90bb4fe7e229f0ba777703fb5  - git-ptx-patches magic
diff --git a/rules/iptables.in b/rules/iptables.in
index e6f3699..8354060 100644
--- a/rules/iptables.in
+++ b/rules/iptables.in
@@ -25,6 +25,16 @@ config IPTABLES_IPV4
 	bool
 	prompt "IPv4 support"
 
+config IPTABLES_IPV6_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv6 systemd service unit"
+	select IPTABLES_IPV6
+
+config IPTABLES_IPV4_SYSTEMD_UNIT
+	bool
+	prompt "Activate IPv4 systemd service unit"
+	select IPTABLES_IPV4
+
 config IPTABLES_LIBIPQ
 	bool
 	prompt "Enable libipq"
diff --git a/rules/iptables.make b/rules/iptables.make
index 8a1ea66..dd283a6 100644
--- a/rules/iptables.make
+++ b/rules/iptables.make
@@ -126,6 +126,21 @@ ifdef PTXCONF_IPTABLES_IPV4
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore)
 	@$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save)
 endif
+
+ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT
+# 	# IPv6 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/ip6tables-flush, /usr/sbin/ip6tables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/ip6tables.service, /lib/systemd/system/ip6tables.service)
+	@$(call install_link, iptables, ../ip6tables.service, /lib/systemd/system/multi-user.target.wants/ip6tables.service)
+endif
+
+ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT
+# 	# IPv4 systemd service unit part
+	@$(call install_copy, iptables, 0, 0, 0755,  $(IPTABLES_DIR)/scripts/iptables-flush, /usr/sbin/iptables-flush)
+	@$(call install_copy, iptables, 0, 0, 0644,  $(IPTABLES_DIR)/systemd/system/iptables.service, /lib/systemd/system/iptables.service)
+	@$(call install_link, iptables, ../iptables.service, /lib/systemd/system/multi-user.target.wants/iptables.service)
+endif
+
 endif
 
 ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY
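Review bot: nothing in this hunk installs `/etc/iptables/rules.v4` or `/etc/iptables/rules.v6`, so on a fresh image `ConditionFileNotEmpty` is never met and the units stay inactive until someone creates the files by hand, with no error logged; the reply's suggestion of `install_alternative` for the rule files is the right fix, and it also gives BSPs the usual projectroot place to ship their own rules. Also, `install_copy` installs the units with `0644` while the embedded patch creates them `100755`; keep the install mode and fix the mode in the patch.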
-- 
1.9.1


