[ptxdist] [PATCH v2 0/5] netfilter: Upgrades and autostart

[ptxdist] [PATCH v2 0/5] netfilter: Upgrades and autostart

[Alexander Dahl]

Hei hei,

this series has upgrades for nftables and libnftnl. This was
necessary here, because nft v0.6 could not import rulesets dumped with
`nft list ruleset > myruleset` again with `nft -f myruleset`. With nft
v0.8.3 I can successfully import those packet filter rules.

Also included: a new init script for bbinit and the necessary
adaptions to the rule files.

Tested with OSELAS.Toolchain-2014.12.3/arm-v5te-linux-gnueabi and
ptxdist 2017.09.0 on an at91sam9g20 based board.

This supersedes the series '[PATCH 0/2] nft: Upgrade' from earlier
this week.

Greets
Alex

---
v1 -> v2:
  * Added three additional patches not included in v1 of the series

Alexander Dahl (5):
  libnftnl: Upgrade from 1.0.6 to 1.0.9
  nftables: Upgrade from v0.6 to v0.8.3
  nftables: Fix Vim modelines
  nftables: Add example config file
  nftables: Add bbinit startscript

 ...on-t-enable-xtables-when-without-xtables-.patch |  32 +++++++
 patches/nftables-0.8.3/autogen.sh                  |   1 +
 patches/nftables-0.8.3/series                      |   4 +
 projectroot/etc/init.d/nftables                    | 103 +++++++++++++++++++++
 projectroot/etc/nftables.conf                      |  15 +++
 rules/libnftnl.in                                  |   6 --
 rules/libnftnl.make                                |   5 +-
 rules/nftables-bbinit.in                           |   9 ++
 rules/nftables.in                                  |   7 +-
 rules/nftables.make                                |  31 ++++---
 10 files changed, 192 insertions(+), 21 deletions(-)
 create mode 100644 patches/nftables-0.8.3/0001-configure-don-t-enable-xtables-when-without-xtables-.patch
 create mode 120000 patches/nftables-0.8.3/autogen.sh
 create mode 100644 patches/nftables-0.8.3/series
 create mode 100644 projectroot/etc/init.d/nftables
 create mode 100755 projectroot/etc/nftables.conf
 create mode 100644 rules/nftables-bbinit.in

-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2 1/5] libnftnl: Upgrade from 1.0.6 to 1.0.9

[Alexander Dahl]

The upgrades include support for newer kernel features and bugfixes.
This is a dependency for nftables 0.8.3. See the announcements for
details:

* 1.0.7: https://lists.netfilter.org/pipermail/netfilter-announce/2016/000221.html
* 1.0.8: https://lists.netfilter.org/pipermail/netfilter-announce/2017/000224.html
* 1.0.9: https://lists.netfilter.org/pipermail/netfilter-announce/2018/000226.html

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/libnftnl.in   | 6 ------
 rules/libnftnl.make | 5 ++---
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/rules/libnftnl.in b/rules/libnftnl.in
index 7d91ccea8e..78cefc2cbd 100644
--- a/rules/libnftnl.in
+++ b/rules/libnftnl.in
@@ -3,7 +3,6 @@
 menuconfig LIBNFTNL
 	tristate
 	select LIBMNL
-	select LIBMXML if LIBNFTNL_XML
 	select JANSSON if LIBNFTNL_JSON
 	prompt "libnftnl                      "
 	help
@@ -14,11 +13,6 @@ menuconfig LIBNFTNL
 
 if LIBNFTNL
 
-config LIBNFTNL_XML
-	bool
-	depends on LIBNFTNL
-	prompt "XML parsing support"
-
 config LIBNFTNL_JSON
 	bool
 	depends on LIBNFTNL
diff --git a/rules/libnftnl.make b/rules/libnftnl.make
index 7d73a21946..5547b56bff 100644
--- a/rules/libnftnl.make
+++ b/rules/libnftnl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBNFTNL) += libnftnl
 #
 # Paths and names
 #
-LIBNFTNL_VERSION	:= 1.0.6
-LIBNFTNL_MD5	:= 6d7f9f161538ca7efd535dcc70caf964
+LIBNFTNL_VERSION	:= 1.0.9
+LIBNFTNL_MD5	:= 6c4f392faab5745933553b4354be5d8d
 LIBNFTNL		:= libnftnl-$(LIBNFTNL_VERSION)
 LIBNFTNL_SUFFIX	:= tar.bz2
 LIBNFTNL_URL		:= http://ftp.netfilter.org/pub/libnftnl/$(LIBNFTNL).$(LIBNFTNL_SUFFIX)
@@ -31,7 +31,6 @@ LIBNFTNL_LICENSE	:= GPL-2.0-only
 LIBNFTNL_CONF_TOOL	:= autoconf
 LIBNFTNL_CONF_OPT	:= \
 	$(CROSS_AUTOCONF_USR) \
-	--$(call ptx/wwo, PTXCONF_LIBNFTNL_XML)-xml-parsing \
 	--$(call ptx/wwo, PTXCONF_LIBNFTNL_JSON)-json-parsing
 
 # ----------------------------------------------------------------------------
-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2 2/5] nftables: Upgrade from v0.6 to v0.8.3

[Alexander Dahl]

Options for configure were reviewed, docs can now be disabled with
switches.

Support for the new option --with-xtables is not included. The
additional patch is necessary to successfully call configure with
--without-xtables for a setup without iptables. (Patch is currently
under review upstream, got it from
http://patchwork.ozlabs.org/patch/894947/ )

For details on new version see announcements:

* v0.7: http://lists.netfilter.org/pipermail/netfilter-announce/2016/000222.html
* v0.8: http://lists.netfilter.org/pipermail/netfilter-announce/2017/000225.html
* v0.8.1: http://lists.netfilter.org/pipermail/netfilter-announce/2018/000227.html
* v0.8.2: http://lists.netfilter.org/pipermail/netfilter-announce/2018/000229.html
* v0.8.3: https://marc.info/?l=netfilter&m=152009279821556

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 ...on-t-enable-xtables-when-without-xtables-.patch | 32 ++++++++++++++++++++++
 patches/nftables-0.8.3/autogen.sh                  |  1 +
 patches/nftables-0.8.3/series                      |  4 +++
 rules/nftables.make                                | 17 +++++-------
 4 files changed, 44 insertions(+), 10 deletions(-)
 create mode 100644 patches/nftables-0.8.3/0001-configure-don-t-enable-xtables-when-without-xtables-.patch
 create mode 120000 patches/nftables-0.8.3/autogen.sh
 create mode 100644 patches/nftables-0.8.3/series

diff --git a/patches/nftables-0.8.3/0001-configure-don-t-enable-xtables-when-without-xtables-.patch b/patches/nftables-0.8.3/0001-configure-don-t-enable-xtables-when-without-xtables-.patch
new file mode 100644
index 0000000000..2b5ff1bf5f
--- /dev/null
+++ b/patches/nftables-0.8.3/0001-configure-don-t-enable-xtables-when-without-xtables-.patch
@@ -0,0 +1,32 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 4 Apr 2018 13:53:28 +0200
+Subject: [PATCH] configure: don't enable xtables when --without-xtables is
+ passed
+
+AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given,
+so use 'withval'.
+
+After this patch:
+./configure -> xtables off
+./configure --with-xtables -> xtables on
+./configure --without-xtables -> xtables off (was on).
+
+Reported-by: Alexander Dahl <ada@thorsis.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2d0b1b939a18..74e721cd4691 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -99,7 +99,7 @@ AM_CONDITIONAL([BUILD_CLI], [test "x$with_cli" != xno])
+ 
+ AC_ARG_WITH([xtables], [AS_HELP_STRING([--with-xtables],
+             [Use libxtables for iptables interaction)])],
+-	    [with_libxtables=yes], [with_libxtables=no])
++	    [with_libxtables=$withval], [with_libxtables=no])
+ AS_IF([test "x$with_libxtables" != xno], [
+ PKG_CHECK_MODULES([XTABLES], [xtables >= 1.6.1])
+ AC_DEFINE([HAVE_LIBXTABLES], [1], [0])
diff --git a/patches/nftables-0.8.3/autogen.sh b/patches/nftables-0.8.3/autogen.sh
new file mode 120000
index 0000000000..9f8a4cb7dd
--- /dev/null
+++ b/patches/nftables-0.8.3/autogen.sh
@@ -0,0 +1 @@
+../autogen.sh
\ No newline at end of file
diff --git a/patches/nftables-0.8.3/series b/patches/nftables-0.8.3/series
new file mode 100644
index 0000000000..d4fe1dc340
--- /dev/null
+++ b/patches/nftables-0.8.3/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-configure-don-t-enable-xtables-when-without-xtables-.patch
+# 12321dad8667c00b553d2c9b76ee6dd3  - git-ptx-patches magic
diff --git a/rules/nftables.make b/rules/nftables.make
index 02c2cedd54..74828a2e92 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_NFTABLES) += nftables
 #
 # Paths and names
 #
-NFTABLES_VERSION	:= 0.6
-NFTABLES_MD5		:= fd320e35fdf14b7be795492189b13dae
+NFTABLES_VERSION	:= 0.8.3
+NFTABLES_MD5		:= a604501c10a302fa417410b16f293d2c
 NFTABLES		:= nftables-$(NFTABLES_VERSION)
 NFTABLES_SUFFIX		:= tar.bz2
 NFTABLES_URL		:= http://ftp.netfilter.org/pub/nftables/$(NFTABLES).$(NFTABLES_SUFFIX)
@@ -29,13 +29,6 @@ NFTABLES_LICENSE	:= GPL-2.0-only
 # Prepare
 # ----------------------------------------------------------------------------
 
-NFTABLES_CONF_ENV	:= \
-	$(CROSS_ENV) \
-	ac_cv_prog_DOCBOOK2X_MAN=no \
-	ac_cv_prog_DOCBOOK2MAN=no \
-	ac_cv_prog_DB2X_DOCBOOK2MAN=no \
-	ac_cv_prog_DBLATEX=no
-
 #
 # autoconf
 #
@@ -43,7 +36,11 @@ NFTABLES_CONF_TOOL	:= autoconf
 NFTABLES_CONF_OPT	:= \
 	$(CROSS_AUTOCONF_USR) \
 	--$(call ptx/endis, PTXCONF_NFTABLES_DEBUG)-debug \
-	--$(call ptx/wwo, PTXCONF_NFTABLES_MGMP)-mini-gmp
+	--disable-man-doc \
+	--disable-pdf-doc \
+	--$(call ptx/wwo, PTXCONF_NFTABLES_MGMP)-mini-gmp \
+	--without-cli \
+	--without-xtables
 
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2 3/5] nftables: Fix Vim modelines

[Alexander Dahl]

* Add line in kconfig rule
* Fix line in make rule

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/nftables.in   | 3 ++-
 rules/nftables.make | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/nftables.in b/rules/nftables.in
index 0377e731c1..be7fca1fa0 100644
--- a/rules/nftables.in
+++ b/rules/nftables.in
@@ -24,7 +24,6 @@ config NFTABLES_DEBUG
 	default y
 	prompt "enable debug"
 
-
 config NFTABLES_MGMP
 	bool
 	prompt "use mini-GMP"
@@ -33,3 +32,5 @@ config NFTABLES_MGMP
 	  libgmp. (may reduce debugging verbosity on some files)
 
 endif
+
+# vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.make b/rules/nftables.make
index 74828a2e92..774a1fd935 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -61,4 +61,4 @@ $(STATEDIR)/nftables.targetinstall:
 
 	@$(call touch)
 
-# vim: syntax=make
+# vim: ft=make noet ts=8 sw=8
-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2 4/5] nftables: Add example config file

[Alexander Dahl]

This adds only empty chains, but it will be needed for the bbinit
startscript not to fail. User will probably overwrite it with something
more useful.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 projectroot/etc/nftables.conf | 15 +++++++++++++++
 rules/nftables.make           |  1 +
 2 files changed, 16 insertions(+)
 create mode 100755 projectroot/etc/nftables.conf

diff --git a/projectroot/etc/nftables.conf b/projectroot/etc/nftables.conf
new file mode 100755
index 0000000000..2c09327d7f
--- /dev/null
+++ b/projectroot/etc/nftables.conf
@@ -0,0 +1,15 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table filter {
+	chain input {
+		type filter hook input priority 0;
+	}
+	chain forward {
+		type filter hook forward priority 0;
+	}
+	chain output {
+		type filter hook output priority 0;
+	}
+}
diff --git a/rules/nftables.make b/rules/nftables.make
index 774a1fd935..6c978aa21c 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -56,6 +56,7 @@ $(STATEDIR)/nftables.targetinstall:
 	@$(call install_fixup, nftables,DESCRIPTION,missing)
 
 	@$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
+	@$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
 
 	@$(call install_finish, nftables)
 
-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript

[Alexander Dahl]

For loading your packet filter rules on system startup.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 projectroot/etc/init.d/nftables | 103 ++++++++++++++++++++++++++++++++++++++++
 rules/nftables-bbinit.in        |   9 ++++
 rules/nftables.in               |   4 ++
 rules/nftables.make             |  11 +++++
 4 files changed, 127 insertions(+)
 create mode 100644 projectroot/etc/init.d/nftables
 create mode 100644 rules/nftables-bbinit.in

diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
new file mode 100644
index 0000000000..c10db5d901
--- /dev/null
+++ b/projectroot/etc/init.d/nftables
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Author: Arturo Borrero Gonzalez <arturo@debian.org>
+# Adapted by: Alexander Dahl <ada@thorsis.com>
+
+# Do NOT "set -e"
+
+CONF=/etc/nftables.conf
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="firewall service"
+NAME=nftables
+BIN=/usr/sbin/nft
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$BIN" ] || exit 0
+
+do_start()
+{
+    # Return
+    #  0 if start OK
+    #  2 if start NOK
+
+    # nft v0.4 return 0 if ENOENT $CONF
+    if [ ! -r "$CONF" ] ; then
+        echo "E: No such $NAME $DESC config file $CONF" >&2
+        return 2
+    fi
+
+    $BIN -f $CONF || return 2
+}
+
+do_stop()
+{
+    # Return
+    #   0 if stopped
+    #   1 if already stopped
+    #   2 if could not be stopped
+    if ! do_status ; then
+        $BIN flush ruleset || return 2
+    fi
+}
+
+do_status()
+{
+    # Return
+    #   0 if no rules
+    #   1 if rules
+    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
+        return 0
+    fi
+
+    return 1
+}
+
+case "$1" in
+    start)
+        echo -n "Starting $DESC ..."
+        do_start
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    restart|force-reload)
+        echo -n "Restarting $DESC ..."
+        do_start
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    stop)
+        echo -n "Stopping $DESC ..."
+        do_stop
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    status)
+        if ! do_status ; then
+            echo "Status of ${DESC}: rules loaded"
+            exit 0
+        else
+            echo "Status of ${DESC}: no rules loaded"
+            exit 1
+        fi
+        ;;
+    *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+        exit 3
+        ;;
+esac
+
+:
diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
new file mode 100644
index 0000000000..84234c9761
--- /dev/null
+++ b/rules/nftables-bbinit.in
@@ -0,0 +1,9 @@
+## SECTION=initmethod_bbinit
+
+config NFTABLES_BBINIT_LINK
+	depends on NFTABLES_STARTSCRIPT
+	string
+	prompt "nftables"
+	default "S24nftables"
+
+# vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.in b/rules/nftables.in
index be7fca1fa0..2b35741b7d 100644
--- a/rules/nftables.in
+++ b/rules/nftables.in
@@ -31,6 +31,10 @@ config NFTABLES_MGMP
 	  use the nftables build-in mini-GMP instead of linking to the shared
 	  libgmp. (may reduce debugging verbosity on some files)
 
+config NFTABLES_STARTSCRIPT
+	bool
+	prompt "install /etc/init.d/nftables"
+
 endif
 
 # vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.make b/rules/nftables.make
index 6c978aa21c..c7d704612e 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
 	@$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
 	@$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
 
+ifdef PTXCONF_INITMETHOD_BBINIT
+ifdef PTXCONF_NFTABLES_STARTSCRIPT
+	@$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
+
+ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
+	@$(call install_link, nftables, ../init.d/nftables, \
+		/etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
+endif
+endif
+endif
+
 	@$(call install_finish, nftables)
 
 	@$(call touch)
-- 
2.11.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 2/5] nftables: Upgrade from v0.6 to v0.8.3

[Alexander Dahl]

Hello,

Am Freitag, 6. April 2018, 11:07:27 CEST schrieb Alexander Dahl:
> Support for the new option --with-xtables is not included. The
> additional patch is necessary to successfully call configure with
> --without-xtables for a setup without iptables. (Patch is currently
> under review upstream, got it from
> http://patchwork.ozlabs.org/patch/894947/ )

Meanwhile the patch was applied upstream, I just forgot to reword the commit 
message before sending v2.

Greets
Alex


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript

[Michael Olbrich]

On Fri, Apr 06, 2018 at 11:07:30AM +0200, Alexander Dahl wrote:
> For loading your packet filter rules on system startup.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>

This patch does not apply. I'm not sure why:
[...]
error: sha1 information is lacking or useless (rules/nftables.in).
error: could not build fake ancestor
[...]

Please resent. Maybe as an attachment.

Michael

> ---
>  projectroot/etc/init.d/nftables | 103 ++++++++++++++++++++++++++++++++++++++++
>  rules/nftables-bbinit.in        |   9 ++++
>  rules/nftables.in               |   4 ++
>  rules/nftables.make             |  11 +++++
>  4 files changed, 127 insertions(+)
>  create mode 100644 projectroot/etc/init.d/nftables
>  create mode 100644 rules/nftables-bbinit.in
> 
> diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
> new file mode 100644
> index 0000000000..c10db5d901
> --- /dev/null
> +++ b/projectroot/etc/init.d/nftables
> @@ -0,0 +1,103 @@
> +#!/bin/sh
> +
> +# Author: Arturo Borrero Gonzalez <arturo@debian.org>
> +# Adapted by: Alexander Dahl <ada@thorsis.com>
> +
> +# Do NOT "set -e"
> +
> +CONF=/etc/nftables.conf
> +
> +PATH=/sbin:/usr/sbin:/bin:/usr/bin
> +DESC="firewall service"
> +NAME=nftables
> +BIN=/usr/sbin/nft
> +SCRIPTNAME=/etc/init.d/$NAME
> +
> +# Exit if the package is not installed
> +[ -x "$BIN" ] || exit 0
> +
> +do_start()
> +{
> +    # Return
> +    #  0 if start OK
> +    #  2 if start NOK
> +
> +    # nft v0.4 return 0 if ENOENT $CONF
> +    if [ ! -r "$CONF" ] ; then
> +        echo "E: No such $NAME $DESC config file $CONF" >&2
> +        return 2
> +    fi
> +
> +    $BIN -f $CONF || return 2
> +}
> +
> +do_stop()
> +{
> +    # Return
> +    #   0 if stopped
> +    #   1 if already stopped
> +    #   2 if could not be stopped
> +    if ! do_status ; then
> +        $BIN flush ruleset || return 2
> +    fi
> +}
> +
> +do_status()
> +{
> +    # Return
> +    #   0 if no rules
> +    #   1 if rules
> +    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
> +        return 0
> +    fi
> +
> +    return 1
> +}
> +
> +case "$1" in
> +    start)
> +        echo -n "Starting $DESC ..."
> +        do_start
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    restart|force-reload)
> +        echo -n "Restarting $DESC ..."
> +        do_start
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    stop)
> +        echo -n "Stopping $DESC ..."
> +        do_stop
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    status)
> +        if ! do_status ; then
> +            echo "Status of ${DESC}: rules loaded"
> +            exit 0
> +        else
> +            echo "Status of ${DESC}: no rules loaded"
> +            exit 1
> +        fi
> +        ;;
> +    *)
> +        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
> +        exit 3
> +        ;;
> +esac
> +
> +:
> diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
> new file mode 100644
> index 0000000000..84234c9761
> --- /dev/null
> +++ b/rules/nftables-bbinit.in
> @@ -0,0 +1,9 @@
> +## SECTION=initmethod_bbinit
> +
> +config NFTABLES_BBINIT_LINK
> +	depends on NFTABLES_STARTSCRIPT
> +	string
> +	prompt "nftables"
> +	default "S24nftables"
> +
> +# vim: ft=kconfig noet tw=72
> diff --git a/rules/nftables.in b/rules/nftables.in
> index be7fca1fa0..2b35741b7d 100644
> --- a/rules/nftables.in
> +++ b/rules/nftables.in
> @@ -31,6 +31,10 @@ config NFTABLES_MGMP
>  	  use the nftables build-in mini-GMP instead of linking to the shared
>  	  libgmp. (may reduce debugging verbosity on some files)
>  
> +config NFTABLES_STARTSCRIPT
> +	bool
> +	prompt "install /etc/init.d/nftables"
> +
>  endif
>  
>  # vim: ft=kconfig noet tw=72
> diff --git a/rules/nftables.make b/rules/nftables.make
> index 6c978aa21c..c7d704612e 100644
> --- a/rules/nftables.make
> +++ b/rules/nftables.make
> @@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
>  	@$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
>  	@$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
>  
> +ifdef PTXCONF_INITMETHOD_BBINIT
> +ifdef PTXCONF_NFTABLES_STARTSCRIPT
> +	@$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
> +
> +ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
> +	@$(call install_link, nftables, ../init.d/nftables, \
> +		/etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
> +endif
> +endif
> +endif
> +
>  	@$(call install_finish, nftables)
>  
>  	@$(call touch)
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript

[Alexander Dahl]

[-- Attachment #1.1: Type: text/plain, Size: 1002 bytes --]

Hei hei,

On Mon, Apr 09, 2018 at 10:30:56AM +0200, Michael Olbrich wrote:
> On Fri, Apr 06, 2018 at 11:07:30AM +0200, Alexander Dahl wrote:
> > For loading your packet filter rules on system startup.
> > 
> > Signed-off-by: Alexander Dahl <ada@thorsis.com>
> 
> This patch does not apply. I'm not sure why:
> [...]
> error: sha1 information is lacking or useless (rules/nftables.in).
> error: could not build fake ancestor
> [...]
> 
> Please resent. Maybe as an attachment.

If you don't mind, you can pull it from the branch 'netfilter' on my
personal GitHub repository:

https://github.com/LeSpocky/ptxdist/tree/netfilter

If that's not an option, I will resend later today.

Greets
Alex

-- 
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably.«
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #2: Type: text/plain, Size: 91 bytes --]

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript

[Alexander Dahl]

[-- Attachment #1: Type: text/plain, Size: 490 bytes --]

Hello Michael,

Am Montag, 9. April 2018, 10:30:56 CEST schrieb Michael Olbrich:
> This patch does not apply. I'm not sure why:
> [...]
> error: sha1 information is lacking or useless (rules/nftables.in).
> error: could not build fake ancestor
> [...]

I tried to apply the series from the mails by myself on two systems and got no 
error. Strange.

> Please resent. Maybe as an attachment.

I attach it to this mail. You may need to apply other patches of this series 
first?

Greets
Alex

[-- Attachment #2: v2-0005-nftables-Add-bbinit-startscript.patch --]
[-- Type: text/x-patch, Size: 4479 bytes --]

From 29a2513f241e3be9428d20756ac2929c764b4115 Mon Sep 17 00:00:00 2001
From: Alexander Dahl <ada@thorsis.com>
Date: Fri, 6 Apr 2018 11:00:46 +0200
Subject: [PATCH v2 5/5] nftables: Add bbinit startscript

For loading your packet filter rules on system startup.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 projectroot/etc/init.d/nftables | 103 ++++++++++++++++++++++++++++++++++++++++
 rules/nftables-bbinit.in        |   9 ++++
 rules/nftables.in               |   4 ++
 rules/nftables.make             |  11 +++++
 4 files changed, 127 insertions(+)
 create mode 100644 projectroot/etc/init.d/nftables
 create mode 100644 rules/nftables-bbinit.in

diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
new file mode 100644
index 0000000000..c10db5d901
--- /dev/null
+++ b/projectroot/etc/init.d/nftables
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Author: Arturo Borrero Gonzalez <arturo@debian.org>
+# Adapted by: Alexander Dahl <ada@thorsis.com>
+
+# Do NOT "set -e"
+
+CONF=/etc/nftables.conf
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="firewall service"
+NAME=nftables
+BIN=/usr/sbin/nft
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$BIN" ] || exit 0
+
+do_start()
+{
+    # Return
+    #  0 if start OK
+    #  2 if start NOK
+
+    # nft v0.4 return 0 if ENOENT $CONF
+    if [ ! -r "$CONF" ] ; then
+        echo "E: No such $NAME $DESC config file $CONF" >&2
+        return 2
+    fi
+
+    $BIN -f $CONF || return 2
+}
+
+do_stop()
+{
+    # Return
+    #   0 if stopped
+    #   1 if already stopped
+    #   2 if could not be stopped
+    if ! do_status ; then
+        $BIN flush ruleset || return 2
+    fi
+}
+
+do_status()
+{
+    # Return
+    #   0 if no rules
+    #   1 if rules
+    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
+        return 0
+    fi
+
+    return 1
+}
+
+case "$1" in
+    start)
+        echo -n "Starting $DESC ..."
+        do_start
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    restart|force-reload)
+        echo -n "Restarting $DESC ..."
+        do_start
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    stop)
+        echo -n "Stopping $DESC ..."
+        do_stop
+        ret="$?"
+        case "$ret" in
+            0|1)    echo " Done." ;;
+            2)      echo " Failed." ;;
+        esac
+        exit $ret
+        ;;
+    status)
+        if ! do_status ; then
+            echo "Status of ${DESC}: rules loaded"
+            exit 0
+        else
+            echo "Status of ${DESC}: no rules loaded"
+            exit 1
+        fi
+        ;;
+    *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+        exit 3
+        ;;
+esac
+
+:
diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
new file mode 100644
index 0000000000..84234c9761
--- /dev/null
+++ b/rules/nftables-bbinit.in
@@ -0,0 +1,9 @@
+## SECTION=initmethod_bbinit
+
+config NFTABLES_BBINIT_LINK
+	depends on NFTABLES_STARTSCRIPT
+	string
+	prompt "nftables"
+	default "S24nftables"
+
+# vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.in b/rules/nftables.in
index be7fca1fa0..2b35741b7d 100644
--- a/rules/nftables.in
+++ b/rules/nftables.in
@@ -31,6 +31,10 @@ config NFTABLES_MGMP
 	  use the nftables build-in mini-GMP instead of linking to the shared
 	  libgmp. (may reduce debugging verbosity on some files)
 
+config NFTABLES_STARTSCRIPT
+	bool
+	prompt "install /etc/init.d/nftables"
+
 endif
 
 # vim: ft=kconfig noet tw=72
diff --git a/rules/nftables.make b/rules/nftables.make
index 6c978aa21c..c7d704612e 100644
--- a/rules/nftables.make
+++ b/rules/nftables.make
@@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
 	@$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
 	@$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
 
+ifdef PTXCONF_INITMETHOD_BBINIT
+ifdef PTXCONF_NFTABLES_STARTSCRIPT
+	@$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
+
+ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
+	@$(call install_link, nftables, ../init.d/nftables, \
+		/etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
+endif
+endif
+endif
+
 	@$(call install_finish, nftables)
 
 	@$(call touch)
-- 
2.11.0


[-- Attachment #3: Type: text/plain, Size: 91 bytes --]

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 5/5] nftables: Add bbinit startscript

[Michael Olbrich]

On Tue, Apr 10, 2018 at 08:57:01AM +0200, Alexander Dahl wrote:
> Hello Michael,
> 
> Am Montag, 9. April 2018, 10:30:56 CEST schrieb Michael Olbrich:
> > This patch does not apply. I'm not sure why:
> > [...]
> > error: sha1 information is lacking or useless (rules/nftables.in).
> > error: could not build fake ancestor
> > [...]
> 
> I tried to apply the series from the mails by myself on two systems and got no 
> error. Strange.

It's a line break problem. The patch had the same problem until I used
'dos2unix'.

> > Please resent. Maybe as an attachment.
> 
> I attach it to this mail. You may need to apply other patches of this series 
> first?

It's in my internal test queue now.

Michael


-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 3/5] nftables: Fix Vim modelines

[Michael Olbrich]

On Fri, Apr 06, 2018 at 11:07:28AM +0200, Alexander Dahl wrote:
> * Add line in kconfig rule
> * Fix line in make rule

No. If we change the modelines, then we do this for all files. I don't
really care about this. Feel free to start a discussion to figure out the
'correct' modelines. I see several different ones right now. Then we can
script this to change all files including templates.

Michael

> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
>  rules/nftables.in   | 3 ++-
>  rules/nftables.make | 2 +-
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/nftables.in b/rules/nftables.in
> index 0377e731c1..be7fca1fa0 100644
> --- a/rules/nftables.in
> +++ b/rules/nftables.in
> @@ -24,7 +24,6 @@ config NFTABLES_DEBUG
>  	default y
>  	prompt "enable debug"
>  
> -
>  config NFTABLES_MGMP
>  	bool
>  	prompt "use mini-GMP"
> @@ -33,3 +32,5 @@ config NFTABLES_MGMP
>  	  libgmp. (may reduce debugging verbosity on some files)
>  
>  endif
> +
> +# vim: ft=kconfig noet tw=72
> diff --git a/rules/nftables.make b/rules/nftables.make
> index 74828a2e92..774a1fd935 100644
> --- a/rules/nftables.make
> +++ b/rules/nftables.make
> @@ -61,4 +61,4 @@ $(STATEDIR)/nftables.targetinstall:
>  
>  	@$(call touch)
>  
> -# vim: syntax=make
> +# vim: ft=make noet ts=8 sw=8
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 3/5] nftables: Fix Vim modelines

[Alexander Dahl]

Hei hei,

Am Dienstag, 10. April 2018, 10:47:32 CEST schrieb Michael Olbrich:
> No. If we change the modelines, then we do this for all files. I don't
> really care about this. Feel free to start a discussion to figure out the
> 'correct' modelines. I see several different ones right now. Then we can
> script this to change all files including templates.

Well, it annoys me a litte, let's say I care. ;-)

I tried starting a discussion back in 2017 [1], maybe we just start over again 
and I throw in my needs for that?

Greets
Alex

[1] https://www.mail-archive.com/ptxdist@pengutronix.de/msg11771.html


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v2 3/5] nftables: Fix Vim modelines

[Michael Olbrich]

On Tue, Apr 10, 2018 at 11:02:53AM +0200, Alexander Dahl wrote:
> Am Dienstag, 10. April 2018, 10:47:32 CEST schrieb Michael Olbrich:
> > No. If we change the modelines, then we do this for all files. I don't
> > really care about this. Feel free to start a discussion to figure out the
> > 'correct' modelines. I see several different ones right now. Then we can
> > script this to change all files including templates.
> 
> Well, it annoys me a litte, let's say I care. ;-)
> 
> I tried starting a discussion back in 2017 [1], maybe we just start over again 
> and I throw in my needs for that?

Then by all means, start a new thread to discuss this and propose some
modelines for .make and .in files. And maybe for .sh as well?

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de