From: "Schenk, Gavin" <G.Schenk@eckelmann.de>
To: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>,
"ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] [PATCH] Add persistant iptable-rules via systemd
Date: Thu, 7 Apr 2016 09:14:01 +0000 [thread overview]
Message-ID: <D415CD2EC4182C4EAB90A76B7D9F16DC018D3AD5F2@EX-DAG02.eckelmann.group> (raw)
In-Reply-To: <20160407081135.GU10108@pengutronix.de>
Hi,
> > If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from file
> > /etc/iptables/rules.v4.
> > If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
> > multiuser.target that set the iptable rules from the file
> > /etc/iptables/rules.v6.
>
> would it make sense to add a call to install_alternative for the rule files?
Yes, but in this case I have to provide an empty default file.
I have tested ConditionFileNotEmpty with an empty file and it works!
Loaded: loaded (/lib/systemd/system/iptables.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Thu 2016-04-07 11:26:45 CEST; 3min 20s ago
ConditionFileNotEmpty=/etc/iptables/rules.v4 was not met
I will add empty files rules.v4 and rules.v6 to the package.
> > +---
> > + scripts/ip6tables-flush | 13 +++++++++++++
> > + scripts/iptables-flush | 13 +++++++++++++
> > + systemd/system/ip6tables.service | 14 ++++++++++++++
> > +systemd/system/iptables.service | 14 ++++++++++++++
> > + 4 files changed, 54 insertions(+)
> > + create mode 100755 scripts/ip6tables-flush create mode 100755
> > +scripts/iptables-flush create mode 100755
> > +systemd/system/ip6tables.service create mode 100755
> > +systemd/system/iptables.service
> > +
> > +diff --git a/scripts/ip6tables-flush b/scripts/ip6tables-flush new
> > +file mode 100755 index 000000000000..95086b0470d3
> > +--- /dev/null
> > ++++ b/scripts/ip6tables-flush
> > +@@ -0,0 +1,13 @@
> > ++#!/bin/sh
> > ++ip6tables -F
> > ++ip6tables -X
> > ++ip6tables -Z
> > ++for table in $(</proc/net/ip6_tables_names)
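Review bot: the last line of this hunk, for table in $(</proc/net/ip6_tables_names), relies on a bash-only substitution while the shebang two lines up is #!/bin/sh; with a non-bash /bin/sh such as dash the substitution runs only the redirection, expands to nothing, and the loop silently does zero iterations. Use $(cat /proc/net/ip6_tables_names) or a while read table loop, and guard it with a [ -r /proc/net/ip6_tables_names ] check so a kernel without ip6_tables support gives one clear message instead of a failing command per call. The three bare ip6tables -F / -X / -Z calls before the loop also only touch the filter table and leave its chain policies as they are: if INPUT carried a DROP policy, flushing the rules cuts off remote access, so a flush script normally follows with ip6tables -P INPUT ACCEPT (and the same for FORWARD and OUTPUT).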
>
> What happens if there is no ipv6 iptables support in the kernel? Maybe catch
> that with an error message?
>
This is what happens on both ipv4 and ipv6:
iptables-flush
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/usr/sbin/iptables-flush: line 5: /proc/net/ip_tables_names: No such file or directory
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: module ip_tables not found in modules.dep
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
What is a good way to detect if the kernel supports iptables?
Instead of digging into /proc my idea is to add something like:
iptables --list >/dev/null 2>&1   # POSIX redirection; "&>" is bash-only and breaks under /bin/sh
IPTABLES_SUPPORT=$?
if [ "$IPTABLES_SUPPORT" -gt 0 ]; then
    echo "iptables is not supported by your kernel" >&2
    exit "$IPTABLES_SUPPORT"       # pass on the status iptables itself returned
fi
What do you think about this?
Regards
Gavin Schenk
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
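The detection asked about above, written out as an added example that is not part of this thread or of the ptxdist package: a POSIX sh script that probes the kernel with the tool itself before reading the proc table list, then flushes every table the kernel reports. It assumes the iptables/ip6tables binaries and the /proc/net/ip_tables_names and /proc/net/ip6_tables_names files referred to in the patch; the function names are my own. Two practitioner points it builds in: iptables -L without -n tries to resolve addresses and ports in rules via DNS, which can stall a boot-time unit on a target without network, so the probe uses -L -n; and a flush that leaves a DROP policy on INPUT locks a remote user out, so the filter policies are reset to ACCEPT after the rules are gone.

```sh
#!/bin/sh
# Added example, not ptxdist code: probe for netfilter support with the
# tool itself, then flush every table the kernel lists.
# Arguments used throughout:
#   $1  tool:  iptables or ip6tables
#   $2  names: /proc/net/ip_tables_names or /proc/net/ip6_tables_names

# nf_supported TOOL NAMES
# Exit 0 when TOOL can open the filter table and the kernel exposes the
# table list. The tool call comes first because it autoloads a modular
# ip_tables/ip6_tables, which is what creates the proc file.
# "-n" stops iptables from resolving addresses in rules via DNS.
nf_supported() {
    tool="$1"
    names="$2"
    "$tool" -t filter -L -n >/dev/null 2>&1 || return 1
    [ -r "$names" ] || return 1
    return 0
}

# nf_tables NAMES
# Print the table names, one per line. cat(1) rather than the bash-only
# $(<file) form: /bin/sh on embedded targets is often dash or ash.
nf_tables() {
    [ -r "$1" ] && cat "$1"
}

# nf_flush TOOL NAMES
# Flush rules, delete user chains and zero counters in every listed table,
# then reset the filter policies to ACCEPT so a DROP policy left behind
# cannot lock out remote access once the rules are gone.
nf_flush() {
    tool="$1"
    names="$2"
    if ! nf_supported "$tool" "$names"; then
        echo "$tool: no netfilter support in the running kernel" >&2
        return 1
    fi
    for table in $(nf_tables "$names"); do
        "$tool" -t "$table" -F || return 1
        "$tool" -t "$table" -X || return 1
        "$tool" -t "$table" -Z || return 1
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$tool" -P "$chain" ACCEPT || return 1
    done
}

# Stand-alone use on a target (needs root), e.g. from the systemd unit:
#   sh this-script iptables  /proc/net/ip_tables_names
#   sh this-script ip6tables /proc/net/ip6_tables_names
if [ $# -eq 2 ]; then
    nf_flush "$1" "$2"
fi
```

Calling the tool before reading /proc matters on a kernel that builds ip_tables as a module: the proc file does not exist until the first iptables call has loaded the module, so testing the file first would report "unsupported" on a perfectly capable system. A kernel without the feature fails the tool call with a nonzero status, which is the signal the unit should log once and exit on.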
Thread overview: 16+ messages
2016-04-07 7:24 Gavin Schenk
2016-04-07 8:11 ` Uwe Kleine-König
2016-04-07 9:14 ` Schenk, Gavin [this message]
2016-04-07 9:20 ` Uwe Kleine-König
2016-04-07 9:25 ` Schenk, Gavin
2016-04-07 10:10 Gavin Schenk
2016-04-07 11:59 ` Uwe Kleine-König
2016-04-07 12:24 ` Michael Olbrich
2016-04-07 12:21 Gavin Schenk
2016-04-08 13:04 Gavin Schenk
2016-04-11 10:00 ` Michael Olbrich
2016-04-11 12:08 ` Schenk, Gavin
2016-04-11 12:44 ` Michael Olbrich
2016-04-11 12:19 Gavin Schenk
2016-04-11 17:46 ` Uwe Kleine-König
2016-04-12 8:35 ` Michael Olbrich