From: Alexander Dahl <ada@thorsis.com>
To: ptxdist@pengutronix.de
Subject: [ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript
Date: Fri, 6 Apr 2018 11:07:30 +0200 [thread overview]
Message-ID: <20180406090730.2055-6-ada@thorsis.com> (raw)
In-Reply-To: <20180406090730.2055-1-ada@thorsis.com>
For loading your packet filter rules on system startup.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/init.d/nftables | 103 ++++++++++++++++++++++++++++++++++++++++
rules/nftables-bbinit.in | 9 ++++
rules/nftables.in | 4 ++
rules/nftables.make | 11 +++++
4 files changed, 127 insertions(+)
create mode 100644 projectroot/etc/init.d/nftables
create mode 100644 rules/nftables-bbinit.in
diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
new file mode 100644
index 0000000000..c10db5d901
--- /dev/null
+++ b/projectroot/etc/init.d/nftables
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Author: Arturo Borrero Gonzalez <arturo@debian.org>
+# Adapted by: Alexander Dahl <ada@thorsis.com>
+
+# Do NOT "set -e"
+
+CONF=/etc/nftables.conf
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="firewall service"
+NAME=nftables
+BIN=/usr/sbin/nft
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$BIN" ] || exit 0
+
+do_start()
+{
+ # Return
+ # 0 if start OK
+ # 2 if start NOK
+
+ # nft v0.4 return 0 if ENOENT $CONF
+ if [ ! -r "$CONF" ] ; then
+ echo "E: No such $NAME $DESC config file $CONF" >&2
+ return 2
+ fi
+
+ $BIN -f $CONF || return 2
+}
+
+do_stop()
+{
+ # Return
+ # 0 if stopped
+ # 1 if already stopped
+ # 2 if could not be stopped
+ if ! do_status ; then
+ $BIN flush ruleset || return 2
+ fi
+}
+
+do_status()
+{
+ # Return
+ # 0 if no rules
+ # 1 if rules
+ if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
+ return 0
+ fi
+
+ return 1
+}
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC ..."
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC ..."
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ stop)
+ echo -n "Stopping $DESC ..."
+ do_stop
+ ret="$?"
+ case "$ret" in
+ 0|1) echo " Done." ;;
+ 2) echo " Failed." ;;
+ esac
+ exit $ret
+ ;;
+ status)
+ if ! do_status ; then
+ echo "Status of ${DESC}: rules loaded"
+ exit 0
+ else
+ echo "Status of ${DESC}: no rules loaded"
+ exit 1
+ fi
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
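Review bot: `restart|force-reload` (L90–L98) only re-runs `do_start`, which loads `$CONF` on top of whatever is already in the kernel; unless the config itself begins with `flush ruleset`, a restart appends a second copy of every rule rather than replacing the set, and a `start` against an already-loaded ruleset does the same. Calling `do_stop` before `do_start` in that branch would avoid the duplication but opens a window with no filter at all, so the safer fix is to keep the logic and state the requirement in the header, e.g. `# $CONF must begin with "flush ruleset" so start/restart replace the active rules instead of appending to them` — if the example config from patch 4/5 already does this, a pointer here still helps anyone who overrides it via install_alternative. Note also that a missing or unreadable `$CONF` (L48) returns 2 and leaves the host with whatever ruleset was present (at boot, none), i.e. the service fails open with only the `Failed.` line as indication; worth stating in the same header comment. Finally, `do_stop` returns 0 when `do_status` finds no rules (an `if` whose condition is false exits 0), so the documented `1 if already stopped` never occurs; either drop that comment line or add an `else` branch with `return 1`.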
diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
new file mode 100644
index 0000000000..84234c9761
--- /dev/null
+++ b/rules/nftables-bbinit.in
@@ -0,0 +1,9 @@
+## SECTION=initmethod_bbinit
+
+config NFTABLES_BBINIT_LINK
+ depends on NFTABLES_STARTSCRIPT
+ string
+ prompt "nftables"
+ default "S24nftables"
+
+# vim: ft=kconfig noet tw=72
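Review bot: The default link name `S24nftables` fixes where in the boot order the filter is loaded, and for a firewall that ordering is the security property: if the project's networking link sorts before S24, interfaces are up and reachable with no ruleset until this script runs. I cannot see from here which S-number ptxdist uses for networking, so please confirm S24 sorts ahead of it and ahead of any daemon that listens on the network, and record that in a help entry such as `Name of the rc.d link; keep it ordered before networking and network daemons so no traffic is accepted unfiltered.`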
diff --git a/rules/nftables.in b/rules/nftables.in
index be7fca1fa0..2b35741b7d 100644
--- a/rules/nftables.in
+++ b/rules/nftables.in
@@ -31,6 +31,10 @@ config NFTABLES_MGMP
use the nftables build-in mini-GMP instead of linking to the shared
libgmp. (may reduce debugging verbosity on some files)
+config NFTABLES_STARTSCRIPT
+ bool
+ prompt "install /etc/init.d/nftables"
+
endif
# vim: ft=kconfig noet tw=72
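Review bot: `NFTABLES_STARTSCRIPT` has a prompt but no help text, so the menu gives no hint that the script refuses to start without `/etc/nftables.conf`, that `stop` flushes the entire kernel ruleset (not just what this file loaded), or that nothing is installed unless the bbinit init method is selected (the install in nftables.make is guarded by `PTXCONF_INITMETHOD_BBINIT`). A short help entry would cover it: `Install a bbinit start script that loads /etc/nftables.conf at boot (nft -f) and flushes the whole ruleset on stop. Only installed with the bbinit init method.`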
diff --git a/rules/nftables.make b/rules/nftables.make
index 6c978aa21c..c7d704612e 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
@$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
@$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
+ifdef PTXCONF_INITMETHOD_BBINIT
+ifdef PTXCONF_NFTABLES_STARTSCRIPT
+ @$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
+
+ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
+ @$(call install_link, nftables, ../init.d/nftables, \
+ /etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
+endif
+endif
+endif
+
@$(call install_finish, nftables)
@$(call touch)
--
2.11.0