iptables: Add systemd helper unit for IPv6 too

Commit bc66b2f45a added systemd helper unit for automatic IPv4 rule loading. Complement the effort by adding systemd helper unit also for automatic IPv6 rule loading. (From OE-Core rev: 3b8df6b6aba3632de7c3c01c8468fbcedb032493) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-18 03:32:13 +02:00 · 2019-11-26 22:14:07 +02:00
parent 05b20e95e1
commit 7a2c2df853
4 changed files with 36 additions and 4 deletions
--- a/meta/recipes-extended/iptables/iptables/ip6tables.rules
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.rules
--- a/meta/recipes-extended/iptables/iptables/ip6tables.service
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+ExecReload=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -1,12 +1,12 @@
 [Unit]
-Description=Packet Filtering Framework
+Description=IPv4 Packet Filtering Framework
 Before=network-pre.target
 Wants=network-pre.target

 [Service]
 Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
 RemainAfterExit=yes

 [Install]
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -13,11 +13,16 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
           file://iptables.service \
           file://iptables.rules \
+           file://ip6tables.service \
+           file://ip6tables.rules \
 "
 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"

-SYSTEMD_SERVICE_${PN} = "iptables.service"
+SYSTEMD_SERVICE_${PN} = "\
+    iptables.service \
+    ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'ip6tables.service', '', d)} \
+"

 inherit autotools pkgconfig systemd

@@ -51,6 +56,16 @@ do_install_append() {
        -e 's,@SBINDIR@,${sbindir},g' \
        -e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
        ${D}${systemd_system_unitdir}/iptables.service
+
+    if ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'true', 'false', d)} ; then
+        install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
+        install -m 0644 ${WORKDIR}/ip6tables.service ${D}${systemd_system_unitdir}
+
+        sed -i \
+            -e 's,@SBINDIR@,${sbindir},g' \
+            -e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+            ${D}${systemd_system_unitdir}/ip6tables.service
+    fi
 }

 PACKAGES += "${PN}-modules"
@@ -75,6 +90,10 @@ RRECOMMENDS_${PN} = " \
    kernel-module-nf-conntrack-ipv4 \
    kernel-module-nf-nat \
    kernel-module-ipt-masquerade \
+    ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', '\
+        kernel-module-ip6table-filter \
+        kernel-module-ip6-tables \
+    ', '', d)} \
 "

 FILES_${PN} += "${datadir}/xtables"