iptables: add systemd helper unit to load/restore rules

There is currently no way to automatically load iptables rules in OE. Add a systemd unit file to automatically load rules on network connection. This is cribbed from the way ArchLinux handles iptables with some minor modifications for OE. New rules can be generated directly on the target using: # iptables-save -f /etc/iptables/iptables.rules Good documentation for writing rules offline is lacking, but the basics are explained here: https://unix.stackexchange.com/q/400163/49405 (From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4) Signed-off-by: Jack Mitchell <jack@embed.me.uk> Signed-off-by: Diego Rondini <diego.rondini@kynetics.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-02 17:02:21 +02:00 · 2019-09-05 09:35:37 +00:00
parent 1edc497a80
commit bc66b2f45a
3 changed files with 29 additions and 1 deletions
--- a/meta/recipes-extended/iptables/iptables/iptables.rules
+++ b/meta/recipes-extended/iptables/iptables/iptables.rules
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+           file://iptables.service \
+           file://iptables.rules \
 "

 SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
 SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"

-inherit autotools pkgconfig
+inherit autotools pkgconfig systemd

 EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"

@@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so"

 ALLOW_EMPTY_${PN}-modules = "1"

+do_install_append() {
+
+        install -d ${D}${sysconfdir}/iptables
+        install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service
+}
+
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
 RDEPENDS_${PN} = "${PN}-module-xt-standard"
 RRECOMMENDS_${PN} = " \
    ${PN}-modules \