add FIREWALL variable in replacement of IPTABLES and IP6TABLES

Makefile

@@ -73,8 +73,7 @@ $(DESTDIR)$(service_directory)/%: service/%
 		-e "s,@ZFS@,$(ZFS)," \
 		-e "s,@ZFS_IMPORT@,$(ZFS_IMPORT)," \
 		-e "s,@CRYPTTAB@,$(CRYPTTAB)," \
-		-e "s,@IPTABLES@,$(IPTABLES)," \
-		-e "s,@IP6TABLES@,$(IP6TABLES)," \
+		-e "s,@FIREWALL@,$(FIREWALL)," \
 		-e "s,@CGROUPS@,$(CGROUPS)," \
 		-e "s,@MNT_PROC@,$(MNT_PROC)," \
 		-e "s,@MNT_SYS@,$(MNT_SYS)," \

configure

@@ -51,8 +51,7 @@ Fine tunning of boot configuration:
   --ZFS=BOOLEAN                    mount zfs devices [!no]
   --ZFS_IMPORT=VALUE               use scan or zpoolcache method for zfs pools importation [!scan]
   --CRYPTTAB=BOOLEAN               use crypttab by default [!no]
-  --IPTABLES=BOOLEAN               use iptables by default [!no]
-  --IP6TABLES=BOOLEAN              use ip6tables by default [!no]
+  --FIREWALL=VALUE                 use iptables|ip6tables|nftables|ebtables|arptables []
   --CGROUPS=BOOLEAN                mount cgroups [!yes]
   --MNT_PROC=BOOLEAN               mount /proc [!yes]
   --MNT_SYS=BOOLEAN                mount /sys [!yes]
@@ -166,8 +165,7 @@ BTRFS='!no'
 ZFS='!no'
 ZFS_IMPORT='!scan'
 CRYPTTAB='!no'
-IPTABLES='!no'
-IP6TABLES='!no'
+FIREWALL=
 CGROUPS='!yes'
 MNT_PROC='!yes'
 MNT_SYS='!yes'
@@ -223,8 +221,7 @@ for arg ; do
     --ZFS=*) ZFS=${arg#*=} ;;
     --ZFS_IMPORT=*) ZFS_IMPORT=${arg#*=} ;;
     --CRYPTTAB=*) CRYPTTAB=${arg#*=} ;;
-    --IPTABLES=*) IPTABLES=${arg#*=} ;;
-    --IP6TABLES=*) IP6TABLES=${arg#*=} ;;
+    --FIREWALL=*) FIREWALL=${arg#*=} ;;
     --CGROUPS=*) CGROUPS=${arg#*=} ;;
     --MNT_PROC=*) MNT_PROC=${arg#*=} ;;
     --MNT_SYS=*) MNT_SYS=${arg#*=} ;;
@@ -293,7 +290,7 @@ for i in HOSTNAME HARDWARECLOCK TZ SETUPCONSOLE TTY \
 		KEYMAP FONT FONT_MAP FONT_UNIMAP UDEV SYSCTL FORCECHCK LOCAL CONTAINER \
 		TMPFILE MODULE_KERNEL MODULE_SYSTEM RANDOMSEED \
 		FSTAB SWAP LVM DMRAID BTRFS ZFS ZFS_IMPORT \
-		CRYPTTAB IPTABLES IP6TABLES  \
+		CRYPTTAB FIREWALL \
 		CGROUPS MNT_PROC MNT_SYS MNT_DEV MNT_RUN MNT_TMP \
 		MNT_PTS MNT_SHM MNT_NETFS POPULATE_SYS POPULATE_DEV POPULATE_RUN POPULATE_TMP ; do
   eval tmp=\${$i}
@@ -367,8 +364,7 @@ $BTRFS
 $ZFS
 $ZFS_IMPORT
 $CRYPTTAB
-$IPTABLES
-$IP6TABLES
+$FIREWALL
 $CGROUPS
 $MNT_PROC
 $MNT_SYS

module/boot@/configure/configure

@@ -7,13 +7,10 @@ export CLOCK_ENABLED=0
 export COLOR_ENABLED="${MOD_COLOR}"
 
 ## script variable
-module_name="${MOD_NAME}"
-target_symlink_path="${MOD_SERVICE_ADMCONFDIR}"
-skeleton_path="${MOD_SKEL_DIR}"
 service_dir="${MOD_MODULE_DIR}/service"
 SV_REAL=
 
-sv_boolean_list="CRYPTTAB SETUPCONSOLE IPTABLES	IP6TABLES FSTAB	SWAP LVM \
+sv_boolean_list="CRYPTTAB SETUPCONSOLE FSTAB SWAP LVM \
 DMRAID BTRFS ZFS UDEV SYSCTL LOCAL CONTAINER TMPFILE MODULE_KERNEL \
 MODULE_SYSTEM RANDOMSEED MNT_PROC MNT_SYS MNT_DEV MNT_RUN MNT_TMP CGROUPS \
 MNT_PTS MNT_SHM MNT_NETFS POPULATE_SYS POPULATE_DEV POPULATE_RUN POPULATE_TMP"
@@ -26,14 +23,19 @@ die(){
   exit 111
 }	
 
+check_empty_var(){
+	name="${1}" var_value="${2}"
+	if [ -z "${var_value}" ]; then
+		die invalid value for variable: "${name}"
+	fi
+}
+
 retrieve_sv_name(){
 	sv=${1}
 	case ${sv} in
 		HARDWARECLOCK) SV_REAL="system-hwclock" ;;
 		CRYPTTAB) SV_REAL="devices-crypttab" ;;
 		SETUPCONSOLE) SV_REAL="system-fontnkey" ;;
-		IPTABLES) SV_REAL="local-iptables" ;;
-		IP6TABLES) SV_REAL="local-ip6tables" ;;
 		FSTAB) SV_REAL="mount-fstab" ;;
 		SWAP) SV_REAL="mount-swap" ;;
 		LVM) SV_REAL="devices-lvm" ;;
@@ -99,6 +101,16 @@ sv_comment_list() {
 	unset list
 }
 
+sv_uncomment_real() {
+	name=${1} list="$(find "${service_dir}" -mindepth 1 -type f)"
+	66-yeller %benable%n service: "${name}"
+	for sv in ${list}; do
+		sed -i "s:#*${name}:${name}:g" "${sv}" || die "unable to sed ${sv}"
+	done
+
+	unset list
+}
+
 sv_comment_real() {
 	name=${1} list="$(find "${service_dir}" -mindepth 1 -type f)"
 	66-yeller %rdisable%n service: "${name}"
@@ -178,4 +190,21 @@ if [ "${TTY}" -gt 0 ]; then
 	done
 fi
 
+if execl-toc -X -V FIREWALL; then
+
+	check_empty_var "FIREWALL" "${FIREWALL}"
+	
+	for sv in "iptables" "ip6tables" "nftables" "ebtables" "arptables"; do
+		if [ "${FIREWALL}" = "${sv}" ]; then
+			sv_uncomment_real "local-${sv}"
+		else
+			sv_comment_real "local-${sv}"
+		fi
+	done
+else
+	for sv in "local-iptables" "local-ip6tables" "local-nftables" "local-ebtables" "local-arptables"; do
+		sv_comment_real "${sv}"
+	done
+fi
+
 66-yeller "%bsuccessfully%n configured"

module/boot@/service/all-Local

@@ -10,6 +10,9 @@ mount-swap
 mount-netfs
 local-iptables
 local-ip6tables
+local-nttables
+local-ebtables
+local-arptables
 local-loop
 local-sethostname
 local-time

module/boot@/service/local/firewall/local-arptables

@@ -0,0 +1,36 @@
+[main]
+@type = oneshot
+@version = @vers@
+@description = "Restore arptables rules"
+@depends = ( mount-rw )
+@user = ( root )
+@options = ( env )
+
+[start]
+@execute = 
+(
+	if { 66-yeller -cdp local-arptables -1 /dev/console starts... }
+	if -nt {
+	
+		execl-toc -e ${script_conf}
+		arptables-restore ${script_conf}
+	
+	}
+	66-yeller -fcdp local-arptables -1 /dev/console crashed!
+)
+
+[stop]
+@execute = 
+(
+	if { 66-yeller -cdp local-arptables -1 /dev/console stops... }
+	if -nt {
+	
+		arptables-restore
+	
+	}
+	66-yeller -fcdp local-arptables -1 /dev/console crashed!
+)
+
+[environment]
+script_conf=!/etc/arptables.conf
+

module/boot@/service/local/firewall/local-ebtables

@@ -0,0 +1,36 @@
+[main]
+@type = oneshot
+@version = @vers@
+@description = "Restore ebtables rules"
+@depends = ( mount-rw )
+@user = ( root )
+@options = ( env )
+
+[start]
+@execute = 
+(
+	if { 66-yeller -cdp local-ebtables -1 /dev/console starts... }
+	if -nt {
+	
+		execl-toc -e ${script_conf}
+		ebtables-restore ${script_conf}
+	
+	}
+	66-yeller -fcdp local-ebtables -1 /dev/console crashed!
+)
+
+[stop]
+@execute = 
+(
+	if { 66-yeller -cdp local-ebtables -1 /dev/console stops... }
+	if -nt {
+	
+		ebtables-restore
+	
+	}
+	66-yeller -fcdp local-ebtables -1 /dev/console crashed!
+)
+
+[environment]
+script_conf=!/etc/ebtables.conf
+

module/boot@/service/local/firewall/local-ip6tables

@@ -12,7 +12,6 @@
 	if { 66-yeller -cdp local-ip6tables -1 /dev/console starts... }
 	if -nt {
 	
-		if { 66-which -q ip6tables-restore }
 		execl-toc -e ${script_conf}		
 		ip6tables-restore ${script_conf}
 	

module/boot@/service/local/firewall/local-iptables

@@ -12,7 +12,6 @@
 	if { 66-yeller -cdp local-iptables -1 /dev/console starts... }
 	if -nt {
 	
-		if { 66-which -q iptables-restore }
 		execl-toc -e ${script_conf}
 		iptables-restore ${script_conf}
 	

module/boot@/service/local/firewall/local-nftables

@@ -0,0 +1,36 @@
+[main]
+@type = oneshot
+@version = @vers@
+@description = "Restore nftables rules"
+@depends = ( mount-rw )
+@user = ( root )
+@options = ( env )
+
+[start]
+@execute = 
+(
+	if { 66-yeller -cdp local-nftables -1 /dev/console starts... }
+	if -nt {
+	
+		execl-toc -e ${script_conf}
+		nftables -f ${script_conf}
+	
+	}
+	66-yeller -fcdp local-nftables -1 /dev/console crashed!
+)
+
+[stop]
+@execute = 
+(
+	if { 66-yeller -cdp local-nftables -1 /dev/console stops... }
+	if -nt {
+	
+		nft flush ruleset
+	
+	}
+	66-yeller -fcdp local-nftables -1 /dev/console crashed!
+)
+
+[environment]
+script_conf=!/etc/nftables.conf
+

module/boot@/service/local/local-dmesg

@@ -7,6 +7,9 @@
 mount-rw 
 local-iptables
 local-ip6tables
+local-nftables
+local-ebtables
+local-arptables
 local-loop
 local-sethostname
 local-time

module/boot@/service/local/local-loop

@@ -2,7 +2,13 @@
 @type = oneshot
 @version = @vers@
 @description = "Active loop devices"
-@depends = ( mount-rw local-iptables local-ip6tables )
+@depends = ( 
+mount-rw
+local-iptables
+local-ip6tables
+local-nftables
+local-ebtables
+local-arptables )
 @user = ( root )
 
 [start]

module/boot@/service/local/local-rc

@@ -8,6 +8,9 @@
 	mount-rw
 	local-iptables
 	local-ip6tables
+	local-nftables
+	local-ebtables
+	local-arptables
 	local-loop
 	local-time
 	local-authfiles

service/boot@

@@ -171,13 +171,10 @@
 
 @CRYPTTAB@
 
-## Use iptables [yes|no].
+## Firewall program to use [iptables|ip6tables|nftables|ebtables|arptables]
+## Comment to not use any firewall at all.
 
-@IPTABLES@
-
-## Use ip6tables [yes|no].
-
-@IP6TABLES@
+@FIREWALL@
 
 #========================== Pseudo filesystem ==========================