
Add a FIREWALL variable replacing IPTABLES and IP6TABLES

2.3.1
obarun 2 years ago
parent
commit
6ee5c970ba
  1. 3
      Makefile
  2. 14
      configure
  3. 41
      module/boot@/configure/configure
  4. 3
      module/boot@/service/all-Local
  5. 36
      module/boot@/service/local/firewall/local-arptables
  6. 36
      module/boot@/service/local/firewall/local-ebtables
  7. 1
      module/boot@/service/local/firewall/local-ip6tables
  8. 1
      module/boot@/service/local/firewall/local-iptables
  9. 36
      module/boot@/service/local/firewall/local-nftables
  10. 3
      module/boot@/service/local/local-dmesg
  11. 8
      module/boot@/service/local/local-loop
  12. 3
      module/boot@/service/local/local-rc
  13. 9
      service/boot@

3
Makefile

@ -73,8 +73,7 @@ $(DESTDIR)$(service_directory)/%: service/%
-e "s,@ZFS@,$(ZFS)," \
-e "s,@ZFS_IMPORT@,$(ZFS_IMPORT)," \
-e "s,@CRYPTTAB@,$(CRYPTTAB)," \
-e "s,@IPTABLES@,$(IPTABLES)," \
-e "s,@IP6TABLES@,$(IP6TABLES)," \
-e "s,@FIREWALL@,$(FIREWALL)," \
-e "s,@CGROUPS@,$(CGROUPS)," \
-e "s,@MNT_PROC@,$(MNT_PROC)," \
-e "s,@MNT_SYS@,$(MNT_SYS)," \

14
configure vendored

@ -51,8 +51,7 @@ Fine tunning of boot configuration:
--ZFS=BOOLEAN mount zfs devices [!no]
--ZFS_IMPORT=VALUE use scan or zpoolcache method for zfs pools importation [!scan]
--CRYPTTAB=BOOLEAN use crypttab by default [!no]
--IPTABLES=BOOLEAN use iptables by default [!no]
--IP6TABLES=BOOLEAN use ip6tables by default [!no]
--FIREWALL=VALUE use iptables|ip6tables|nftables|ebtables|arptables []
--CGROUPS=BOOLEAN mount cgroups [!yes]
--MNT_PROC=BOOLEAN mount /proc [!yes]
--MNT_SYS=BOOLEAN mount /sys [!yes]
@ -166,8 +165,7 @@ BTRFS='!no'
ZFS='!no'
ZFS_IMPORT='!scan'
CRYPTTAB='!no'
IPTABLES='!no'
IP6TABLES='!no'
FIREWALL=
CGROUPS='!yes'
MNT_PROC='!yes'
MNT_SYS='!yes'
@ -223,8 +221,7 @@ for arg ; do
--ZFS=*) ZFS=${arg#*=} ;;
--ZFS_IMPORT=*) ZFS_IMPORT=${arg#*=} ;;
--CRYPTTAB=*) CRYPTTAB=${arg#*=} ;;
--IPTABLES=*) IPTABLES=${arg#*=} ;;
--IP6TABLES=*) IP6TABLES=${arg#*=} ;;
--FIREWALL=*) FIREWALL=${arg#*=} ;;
--CGROUPS=*) CGROUPS=${arg#*=} ;;
--MNT_PROC=*) MNT_PROC=${arg#*=} ;;
--MNT_SYS=*) MNT_SYS=${arg#*=} ;;
@ -293,7 +290,7 @@ for i in HOSTNAME HARDWARECLOCK TZ SETUPCONSOLE TTY \
KEYMAP FONT FONT_MAP FONT_UNIMAP UDEV SYSCTL FORCECHCK LOCAL CONTAINER \
TMPFILE MODULE_KERNEL MODULE_SYSTEM RANDOMSEED \
FSTAB SWAP LVM DMRAID BTRFS ZFS ZFS_IMPORT \
CRYPTTAB IPTABLES IP6TABLES \
CRYPTTAB FIREWALL \
CGROUPS MNT_PROC MNT_SYS MNT_DEV MNT_RUN MNT_TMP \
MNT_PTS MNT_SHM MNT_NETFS POPULATE_SYS POPULATE_DEV POPULATE_RUN POPULATE_TMP ; do
eval tmp=\${$i}
@ -367,8 +364,7 @@ $BTRFS
$ZFS
$ZFS_IMPORT
$CRYPTTAB
$IPTABLES
$IP6TABLES
$FIREWALL
$CGROUPS
$MNT_PROC
$MNT_SYS
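Review bot: Making FIREWALL a single value with no list form turns iptables and ip6tables into mutually exclusive choices: a dual-stack host that selects iptables now boots with its IPv4 rules restored and no IPv6 ruleset at all, something the previous independent IPTABLES/IP6TABLES booleans allowed. Either accept a space-separated list (`--FIREWALL=VALUE use one or more of iptables|ip6tables|nftables|ebtables|arptables []`) or state the limitation in the help text so an operator does not assume ip6tables comes along with iptables. The value is also not compared against the listed choices anywhere in this section; the `for i in ... eval tmp=\${$i}` loop at the end runs past the visible lines, so it may or may not do that.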

41
module/boot@/configure/configure vendored

@ -7,13 +7,10 @@ export CLOCK_ENABLED=0
export COLOR_ENABLED="${MOD_COLOR}"
## script variable
module_name="${MOD_NAME}"
target_symlink_path="${MOD_SERVICE_ADMCONFDIR}"
skeleton_path="${MOD_SKEL_DIR}"
service_dir="${MOD_MODULE_DIR}/service"
SV_REAL=
sv_boolean_list="CRYPTTAB SETUPCONSOLE IPTABLES IP6TABLES FSTAB SWAP LVM \
sv_boolean_list="CRYPTTAB SETUPCONSOLE FSTAB SWAP LVM \
DMRAID BTRFS ZFS UDEV SYSCTL LOCAL CONTAINER TMPFILE MODULE_KERNEL \
MODULE_SYSTEM RANDOMSEED MNT_PROC MNT_SYS MNT_DEV MNT_RUN MNT_TMP CGROUPS \
MNT_PTS MNT_SHM MNT_NETFS POPULATE_SYS POPULATE_DEV POPULATE_RUN POPULATE_TMP"
@ -26,14 +23,19 @@ die(){
exit 111
}
check_empty_var(){
name="${1}" var_value="${2}"
if [ -z "${var_value}" ]; then
die invalid value for variable: "${name}"
fi
}
retrieve_sv_name(){
sv=${1}
case ${sv} in
HARDWARECLOCK) SV_REAL="system-hwclock" ;;
CRYPTTAB) SV_REAL="devices-crypttab" ;;
SETUPCONSOLE) SV_REAL="system-fontnkey" ;;
IPTABLES) SV_REAL="local-iptables" ;;
IP6TABLES) SV_REAL="local-ip6tables" ;;
FSTAB) SV_REAL="mount-fstab" ;;
SWAP) SV_REAL="mount-swap" ;;
LVM) SV_REAL="devices-lvm" ;;
@ -99,6 +101,16 @@ sv_comment_list() {
unset list
}
sv_uncomment_real() {
name=${1} list="$(find "${service_dir}" -mindepth 1 -type f)"
66-yeller %benable%n service: "${name}"
for sv in ${list}; do
sed -i "s:#*${name}:${name}:g" "${sv}" || die "unable to sed ${sv}"
done
unset list
}
sv_comment_real() {
name=${1} list="$(find "${service_dir}" -mindepth 1 -type f)"
66-yeller %rdisable%n service: "${name}"
@ -178,4 +190,21 @@ if [ "${TTY}" -gt 0 ]; then
done
fi
if execl-toc -X -V FIREWALL; then
check_empty_var "FIREWALL" "${FIREWALL}"
for sv in "iptables" "ip6tables" "nftables" "ebtables" "arptables"; do
if [ "${FIREWALL}" = "${sv}" ]; then
sv_uncomment_real "local-${sv}"
else
sv_comment_real "local-${sv}"
fi
done
else
for sv in "local-iptables" "local-ip6tables" "local-nftables" "local-ebtables" "local-arptables"; do
sv_comment_real "${sv}"
done
fi
66-yeller "%bsuccessfully%n configured"
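Review bot: An unrecognised FIREWALL value is accepted silently by the new block at the end of the script: the loop compares it against the five known backends and, when none matches, comments every local-* firewall service out, so a typo such as `FIREWALL=ip6table` yields a host with no ruleset restored and no error at configure time. The existing `die` helper makes the fail-closed check a three-liner right after check_empty_var: `case "${FIREWALL}" in iptables|ip6tables|nftables|ebtables|arptables) ;; *) die invalid value for variable: FIREWALL ;; esac`. Whether `execl-toc -X -V FIREWALL` is true for a set-but-empty variable is not visible here, so I cannot tell if check_empty_var is ever reached; the case statement covers that path either way, since `*` also matches the empty string.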

3
module/boot@/service/all-Local

@ -10,6 +10,9 @@ mount-swap
mount-netfs
local-iptables
local-ip6tables
local-nttables
local-ebtables
local-arptables
local-loop
local-sethostname
local-time
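Review bot: The added entry `local-nttables` does not match the service this commit creates, `local-nftables` — that is the file name under local/firewall and the spelling used in local-dmesg, local-loop and local-rc. Because the module's configure script enables and disables backends by sed-matching the literal service name, `FIREWALL=nftables` will neither uncomment nor comment this line, so the bundle keeps a member that does not exist while the real service is never listed. How 66 treats a missing bundle member (enable error or silent skip) is not visible here, but either way nftables is not wired into all-Local. Fix the spelling: `local-nftables`.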

36
module/boot@/service/local/firewall/local-arptables

@ -0,0 +1,36 @@
[main]
@type = oneshot
@version = @vers@
@description = "Restore arptables rules"
@depends = ( mount-rw )
@user = ( root )
@options = ( env )
[start]
@execute =
(
if { 66-yeller -cdp local-arptables -1 /dev/console starts... }
if -nt {
execl-toc -e ${script_conf}
arptables-restore ${script_conf}
}
66-yeller -fcdp local-arptables -1 /dev/console crashed!
)
[stop]
@execute =
(
if { 66-yeller -cdp local-arptables -1 /dev/console stops... }
if -nt {
arptables-restore
}
66-yeller -fcdp local-arptables -1 /dev/console crashed!
)
[environment]
script_conf=!/etc/arptables.conf
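Review bot: The stop action runs `arptables-restore` with neither a file argument nor a ruleset on stdin, which restores nothing rather than clearing the rules — compare the nftables unit in this commit, whose stop action runs `nft flush ruleset`. If stop is meant to drop the rules, the explicit form is `arptables -F` (plus `arptables -X` if /etc/arptables.conf creates user-defined chains); if it is meant to keep them, the line is dead and should go. Separately, the start action passes the file as a positional argument, which the iptables-nft variant of arptables-restore accepts but, as far as I recall, the legacy arptables-restore reads the ruleset from stdin only; `redirfd -r 0 ${script_conf} arptables-restore` works with both, worth confirming against the implementation the target distribution packages.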

36
module/boot@/service/local/firewall/local-ebtables

@ -0,0 +1,36 @@
[main]
@type = oneshot
@version = @vers@
@description = "Restore ebtables rules"
@depends = ( mount-rw )
@user = ( root )
@options = ( env )
[start]
@execute =
(
if { 66-yeller -cdp local-ebtables -1 /dev/console starts... }
if -nt {
execl-toc -e ${script_conf}
ebtables-restore ${script_conf}
}
66-yeller -fcdp local-ebtables -1 /dev/console crashed!
)
[stop]
@execute =
(
if { 66-yeller -cdp local-ebtables -1 /dev/console stops... }
if -nt {
ebtables-restore
}
66-yeller -fcdp local-ebtables -1 /dev/console crashed!
)
[environment]
script_conf=!/etc/ebtables.conf
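Review bot: Same stop-action problem as local-arptables: `ebtables-restore` with no input restores an empty ruleset and leaves the existing rules in place, so the stop branch does not do what a reader expects next to the nftables unit's `nft flush ruleset`; `ebtables -t <table> -F` for each table the rules file populates is the explicit flush. The start action's positional file argument is fine with the iptables-nft ebtables-restore, but I believe legacy ebtables-restore reads only stdin, so `redirfd -r 0 ${script_conf} ebtables-restore` is the form that works with either; please check which implementation is shipped.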

1
module/boot@/service/local/local-ip6tables → module/boot@/service/local/firewall/local-ip6tables

@ -12,7 +12,6 @@
if { 66-yeller -cdp local-ip6tables -1 /dev/console starts... }
if -nt {
if { 66-which -q ip6tables-restore }
execl-toc -e ${script_conf}
ip6tables-restore ${script_conf}

1
module/boot@/service/local/local-iptables → module/boot@/service/local/firewall/local-iptables

@ -12,7 +12,6 @@
if { 66-yeller -cdp local-iptables -1 /dev/console starts... }
if -nt {
if { 66-which -q iptables-restore }
execl-toc -e ${script_conf}
iptables-restore ${script_conf}

36
module/boot@/service/local/firewall/local-nftables

@ -0,0 +1,36 @@
[main]
@type = oneshot
@version = @vers@
@description = "Restore nftables rules"
@depends = ( mount-rw )
@user = ( root )
@options = ( env )
[start]
@execute =
(
if { 66-yeller -cdp local-nftables -1 /dev/console starts... }
if -nt {
execl-toc -e ${script_conf}
nftables -f ${script_conf}
}
66-yeller -fcdp local-nftables -1 /dev/console crashed!
)
[stop]
@execute =
(
if { 66-yeller -cdp local-nftables -1 /dev/console stops... }
if -nt {
nft flush ruleset
}
66-yeller -fcdp local-nftables -1 /dev/console crashed!
)
[environment]
script_conf=!/etc/nftables.conf
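Review bot: The start action calls `nftables -f ${script_conf}`, but the nftables command-line tool is `nft` — the stop action in the same file uses it correctly as `nft flush ruleset`. As written the start branch fails with command not found, 66-yeller reports crashed!, and no ruleset is loaded at boot; the fix is `nft -f ${script_conf}`. Note also that `nft -f` is additive: unless /etc/nftables.conf begins with `flush ruleset`, restarting the service on a running system appends to the rules already loaded rather than replacing them, which deserves either a comment in the unit or a `flush ruleset` at the top of the shipped config.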

3
module/boot@/service/local/local-dmesg

@ -7,6 +7,9 @@
mount-rw
local-iptables
local-ip6tables
local-nftables
local-ebtables
local-arptables
local-loop
local-sethostname
local-time

8
module/boot@/service/local/local-loop

@ -2,7 +2,13 @@
@type = oneshot
@version = @vers@
@description = "Active loop devices"
@depends = ( mount-rw local-iptables local-ip6tables )
@depends = (
mount-rw
local-iptables
local-ip6tables
local-nftables
local-ebtables
local-arptables )
@user = ( root )
[start]

3
module/boot@/service/local/local-rc

@ -8,6 +8,9 @@
mount-rw
local-iptables
local-ip6tables
local-nftables
local-ebtables
local-arptables
local-loop
local-time
local-authfiles

9
service/boot@

@ -171,13 +171,10 @@
@CRYPTTAB@
## Use iptables [yes|no].
## Firewall program to use [iptables|ip6tables|nftables|ebtables|arptables]
## Comment to not use any firewall at all.
@IPTABLES@
## Use ip6tables [yes|no].
@IP6TABLES@
@FIREWALL@
#========================== Pseudo filesystem ==========================
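Review bot: The new comment above `@FIREWALL@` lists the selectable programs but not what selecting one does: the units in this commit restore the chosen program's rules from a fixed file (`/etc/arptables.conf`, `/etc/ebtables.conf`, `/etc/nftables.conf` in the visible units; the iptables paths are not in view), and only that single program runs, so an operator picking iptables gets no ip6tables rules. I would extend it to `## Firewall program to use [iptables|ip6tables|nftables|ebtables|arptables].` / `## Only the selected program's rules are restored at boot, read from /etc/<program>.conf.` / `## Comment to not use any firewall at all.`.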
