From 89b5ac26508c6681dca7c4a40dfa745725af9e1a Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Tue, 11 Oct 2011 05:58:03 +0200
Subject: [PATCH] iptables: switch to systemd, drop openrc support.
---
 srcpkgs/iptables/files/ip6tables.confd | 11 --
 srcpkgs/iptables/files/ip6tables.service | 11 ++
 srcpkgs/iptables/files/iptables-flush.scripts | 21 ++++
 srcpkgs/iptables/files/iptables.confd | 11 --
 srcpkgs/iptables/files/iptables.rc | 114 ------------------
 srcpkgs/iptables/files/iptables.service | 11 ++
 srcpkgs/iptables/template | 14 +--
 7 files changed, 49 insertions(+), 144 deletions(-)
 delete mode 100644 srcpkgs/iptables/files/ip6tables.confd
 create mode 100644 srcpkgs/iptables/files/ip6tables.service
 create mode 100644 srcpkgs/iptables/files/iptables-flush.scripts
 delete mode 100644 srcpkgs/iptables/files/iptables.confd
 delete mode 100644 srcpkgs/iptables/files/iptables.rc
 create mode 100644 srcpkgs/iptables/files/iptables.service
diff --git a/srcpkgs/iptables/files/ip6tables.confd b/srcpkgs/iptables/files/ip6tables.confd
deleted file mode 100644
index 93c0bc89b38..00000000000
--- a/srcpkgs/iptables/files/ip6tables.confd
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/conf.d/ip6tables
-
-# Location in which iptables initscript will save set rules on
-# service shutdown
-IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"
diff --git a/srcpkgs/iptables/files/ip6tables.service b/srcpkgs/iptables/files/ip6tables.service
new file mode 100644
index 00000000000..1e068156556
--- /dev/null
+++ b/srcpkgs/iptables/files/ip6tables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/lib/systemd/scripts/iptables-flush -6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
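Review bot: The new unit has no ordering directive, so systemd may start it alongside or after the units that configure interfaces, and the ruleset in /etc/iptables/ip6tables.rules is then restored onto a host that is already reachable; the deleted iptables.rc declared `before net` in depend() for exactly this reason. The same gap exists in iptables.service further down in this patch. The closest equivalent is a `Before=network.target` line under [Unit] in both units, though which target the network-setup units of this distribution order against should be confirmed before relying on it.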
diff --git a/srcpkgs/iptables/files/iptables-flush.scripts b/srcpkgs/iptables/files/iptables-flush.scripts
new file mode 100644
index 00000000000..8cb3d561c8e
--- /dev/null
+++ b/srcpkgs/iptables/files/iptables-flush.scripts
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Usage: iptables-flush [-6]
+
+iptables=/usr/sbin/iptables
+tables=(filter mangle raw)
+
+if [[ "$1" == "-6" ]]; then
+ iptables=/usr/sbin/ip6tables
+else
+ # Only ipv4 has a nat table
+ tables+=(nat)
+fi
+
+for table in "${tables[@]}"; do
+ $iptables -t "$table" -F
+ $iptables -t "$table" -X
+done
+
+for chain in INPUT FORWARD OUTPUT; do
+ $iptables -P "$chain" ACCEPT
+done
diff --git a/srcpkgs/iptables/files/iptables.confd b/srcpkgs/iptables/files/iptables.confd
deleted file mode 100644
index 91287debdbc..00000000000
--- a/srcpkgs/iptables/files/iptables.confd
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/conf.d/iptables
-
-# Location in which iptables initscript will save set rules on
-# service shutdown
-IPTABLES_SAVE="/var/lib/iptables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"
diff --git a/srcpkgs/iptables/files/iptables.rc b/srcpkgs/iptables/files/iptables.rc
deleted file mode 100644
index c50f955981d..00000000000
--- a/srcpkgs/iptables/files/iptables.rc
+++ /dev/null
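Review bot: The final loop calls `$iptables -P "$chain" ACCEPT` without `-t`, so only the filter table's policies are reset, while a non-ACCEPT policy an administrator set on a built-in chain of mangle or nat survives the flush; the deleted iptables.rc handled this per table in set_table_policy, so this looks like a regression rather than a deliberate narrowing. The script also runs without `set -e` and exits with the status of the last `-P` call, so a failed `-F`/`-X` on a table whose kernel module is not loaded never reaches the unit's ExecStop result — acceptable for a best-effort flush, but it should be stated. A header comment such as `# Flushes and deletes all chains in every table and leaves the filter policies at ACCEPT: after this runs no packet filtering is in effect.` would make the post-stop state explicit for anyone stopping the unit on a live host.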
@@ -1,114 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/www/viewcvs.gentoo.org/raw_cvs/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.6 2007/03/12 21:49:04 vapier Exp $
-
-opts="save reload panic"
-
-iptables_name=${SVCNAME}
-if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
- iptables_name="iptables"
-fi
-
-iptables_bin="/sbin/${iptables_name}"
-case ${iptables_name} in
- iptables) iptables_proc="/proc/net/ip_tables_names"
- iptables_save=${IPTABLES_SAVE};;
- ip6tables) iptables_proc="/proc/net/ip6_tables_names"
- iptables_save=${IP6TABLES_SAVE};;
-esac
-
-depend() {
- before net
- use logger
-}
-
-set_table_policy() {
- local chains table=$1 policy=$2
- case ${table} in
- nat) chains="PREROUTING POSTROUTING OUTPUT";;
- mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
- filter) chains="INPUT FORWARD OUTPUT";;
- *) chains="";;
- esac
- local chain
- for chain in ${chains} ; do
- ${iptables_bin} -t ${table} -P ${chain} ${policy}
- done
-}
-
-checkkernel() {
- if [ ! -e ${iptables_proc} ] ; then
- eerror "Your kernel lacks ${iptables_name} support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
-}
-checkconfig() {
- if [ ! -f ${iptables_save} ] ; then
- eerror "Not starting ${iptables_name}. First create some rules then run:"
- eerror "/etc/init.d/${iptables_name} save"
- return 1
- fi
- return 0
-}
-
-start() {
- checkconfig || return 1
- ebegin "Loading ${iptables_name} state and starting firewall"
- ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
- eend $?
-}
-
-stop() {
- if [ "${SAVE_ON_STOP}" = "yes" ] ; then
- save || return 1
- fi
- checkkernel || return 1
- ebegin "Stopping firewall"
- local a
- for a in $(cat ${iptables_proc}) ; do
- set_table_policy $a ACCEPT
-
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
- done
- eend $?
-}
-
-reload() {
- checkkernel || return 1
- ebegin "Flushing firewall"
- local a
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
- done
- eend $?
-
- start
-}
-
-save() {
- ebegin "Saving ${iptables_name} state"
- touch "${iptables_save}"
- chmod 0600 "${iptables_save}"
- ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
- eend $?
-}
-
-panic() {
- checkkernel || return 1
- service_started ${iptables_name} && svc_stop
-
- local a
- ebegin "Dropping all packets"
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
-
- set_table_policy $a DROP
- done
- eend $?
-}
diff --git a/srcpkgs/iptables/files/iptables.service b/srcpkgs/iptables/files/iptables.service
new file mode 100644
index 00000000000..90b2507fb63
--- /dev/null
+++ b/srcpkgs/iptables/files/iptables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
index 48ad910809f..4eb84598b64 100644
--- a/srcpkgs/iptables/template
+++ b/srcpkgs/iptables/template
@@ -1,6 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.4.12
+revision=1
 distfiles="http://www.iptables.org/projects/iptables/files/$pkgname-$version.tar.bz2"
 build_style=custom-install
 short_desc="Linux IPv[46] packet filtering ruleset"
@@ -18,11 +19,6 @@ long_desc=" The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter." -openrc_services="iptables default false" -conf_files=" -/etc/conf.d/iptables -/etc/conf.d/ip6tables" - subpackages="$pkgname-devel" Add_dependency run glibc @@ -47,9 +43,11 @@ do_install() { make DESTDIR=${DESTDIR} install - vinstall ${FILESDIR}/iptables.confd 644 etc/conf.d iptables - vinstall ${FILESDIR}/ip6tables.confd 644 etc/conf.d ip6tables - vinstall ${FILESDIR}/iptables.rc 755 etc/init.d iptables + vinstall ${FILESDIR}/iptables.service 644 lib/systemd/system + vinstall ${FILESDIR}/ip6tables.service 644 lib/systemd/system + vinstall ${FILESDIR}/iptables-flush.scripts 755 \ + lib/systemd/scripts iptables-flush + for f in empty.rules simple_firewall.rules; do vinstall ${FILESDIR}/${f} 644 etc/iptables done
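Review bot: The do_install hunk installs the two units and the flush script but never creates /etc/iptables/iptables.rules or /etc/iptables/ip6tables.rules, the files the units' ExecStart lines read, and the earlier hunk drops the conf_files list without replacing it, so the ruleset that is actually enforced is unmanaged by the package. The removed iptables.rc refused to start with an explicit "First create some rules" message, whereas on a fresh install the new units will fail with whatever iptables-restore prints for a missing file, which is harder to diagnose from the journal. If a default ruleset is intended, install it under the name the units expect and list it in conf_files so upgrades do not overwrite it; otherwise a comment in the template next to the `vinstall ${FILESDIR}/${f} 644 etc/iptables` loop, such as `# iptables.rules/ip6tables.rules are not shipped; the admin copies one of these templates into place before enabling the unit`, would record the expected step.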