
Sunday, August 16, 2009

/etc/init.d/iptables-is.sh: added IPv6 support

This new revision of my script (below) introduces the following
changes:

* IPv6;

* minor fixes to the messages; more verbosity added.

* Features

The script has the following features.

* To put it short: the script runs just once, loading the
firewall state before any of the interfaces are brought up.
Since then, it does nothing. If it finds no configuration, it
does nothing, either. Skip the rest of this list if you've
got the point.

* It's simple, and does not attempt to do anything unless
explicitly asked for. In particular:

+ it doesn't try to load the configuration if the respective
files do not exist; it merely issues a message saying that
it has no iptables configuration to load;

+ it doesn't try to load the configuration other than when
explicitly requested, or early during the boot process; in
particular, it won't be spawned at all when the interfaces are
brought up and down (unlike the scripts residing in
/etc/network/if-pre-up.d/ and .../if-post-up.d/), say, when
hotplug hardware is used;

+ it doesn't try to save the configuration at any time (making
it immune to the Debian Bug#241162, or any other similar
issue);

+ it doesn't try to verify that the configuration it loads is
reasonable at all; one had better supply it with a working
configuration, as with:

# ip6tables-save > /etc/network/ip6tables.conf

+ in fact, the script is so simple that it is less than 100
bytes bigger than this list of its features! (this item was
specifically added to make the difference even smaller; or one
could expand the TABs...)

* Its goal is to pre-load the static part of the netfilter
configuration early during the boot process. Thus, it's
designed to be run from within the rcS.d/ sequence prior to
/etc/init.d/ifupdown. By contrast, loading static netfilter
rules from /etc/network/interfaces pre-up (post-up) or from
/etc/network/if-pre-up.d/ (.../if-post-up.d/) may leave
(albeit most likely very small) windows during which a
particular interface is up but no netfilter configuration has
been loaded yet.

* Installation

The script can be installed as follows (assuming the symbolic
link to /etc/init.d/ifupdown is at /etc/rcS.d/S39ifupdown;
adjust the sequence number if not):

# install -m 755 iptables-is.sh /etc/init.d/
# update-rc.d -n iptables-is.sh start 38 S .
#

The configuration files are expected to be the output of
ip6tables-save(8) and iptables-save(8), respectively. The
current state could be saved like:

# ip6tables-save > /etc/network/ip6tables.conf
# iptables-save > /etc/network/iptables.conf
#
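Since the script loads whatever the conf. file contains without checking it, here is an added example (not part of the original script or post) that sanity-checks an iptables-save(8) / ip6tables-save(8) dump before it is installed: every *table block must be closed by COMMIT (a truncated dump makes iptables-restore fail, and the host boots unfiltered), and the filter table's INPUT and FORWARD policies must be DROP. The sample dumps are constructed for the example.

```shell
#!/bin/sh
# check_dump FILE: returns 0 when FILE looks like a sane, complete
# iptables-save dump, 1 otherwise (added example, assumed policy).
check_dump() {
    awk '
        /^\*/      { if (open) bad++; open = 1; table = substr($1, 2)
                     if (table == "filter") filt = 1; next }
        /^COMMIT$/ { if (!open) bad++; open = 0; next }
        # Policy lines look like ":INPUT DROP [0:0]".
        /^:/       { if (table == "filter" &&
                         ($1 == ":INPUT" || $1 == ":FORWARD") &&
                         $2 != "DROP") bad++
                     next }
        END        { if (open) bad++       # last table never COMMITted
                     if (!filt) bad++      # no filter table at all
                     exit (bad > 0) }
    ' "$1"
}

# Constructed sample dumps (not from the original post).
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
# Truncated dump: INPUT defaults to ACCEPT and the filter block never COMMITs.
cat > "$BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
EOF

check_dump "$GOOD" && echo "accepted: $GOOD"
check_dump "$BAD"  || echo "rejected: $BAD"
```

Run it against the real file before copying it into place, e.g. `check_dump /tmp/iptables.conf && cp /tmp/iptables.conf /etc/network/iptables.conf`.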

The location of the configuration files could be set via the
default/ file:

$ cat /etc/default/iptables-is
IP6TABLES_CONF=/etc/network/ip6tables-my.conf
IPTABLES_CONF=/etc/network/iptables-my.conf
$

If there is no default/ file, or if it doesn't define one or
both of the variables above, the defaults are substituted as
appropriate. Tired of the script loading the configuration?
Just put the following into /etc/default/iptables-is:

IP6TABLES_CONF=/dev/null
IPTABLES_CONF=/dev/null

* And finally...

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables-is
# Required-Start: mountkernfs
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Load the iptables configuration from the conf. file.
# X-Start-Before: ifupdown
### END INIT INFO

## NB: This script should be `start'ed before `ifupdown'. It makes no
## sense to stop it at any time.

set -e

IP6TABLES_RESTORE=/sbin/ip6tables-restore
IPTABLES_RESTORE=/sbin/iptables-restore
## Nothing to do unless at least one of the restore tools is installed.
test -x "$IP6TABLES_RESTORE" \
    || test -x "$IPTABLES_RESTORE" \
    || exit 0

. /lib/lsb/init-functions

MYNAME="${0##*/}"
PATH=/sbin:/bin
## The default/ file may override the conf. file locations.
test -r /etc/default/iptables-is && . /etc/default/iptables-is
: ${IP6TABLES_CONF:=/etc/network/ip6tables.conf}
: ${IPTABLES_CONF:=/etc/network/iptables.conf}

## NB: should probably support `status' as well.

case "$1" in
    (start | restart | force-reload)
        error_p=
        log_begin_msg "Restoring IP tables..."
        if ! [ -x "$IP6TABLES_RESTORE" ] ; then
            log_action_cont_msg " (IPv6 not supported)"
        elif ! [ -e "$IP6TABLES_CONF" ] ; then
            log_action_cont_msg " (IPv6 not configured)"
        elif ! "$IP6TABLES_RESTORE" < "$IP6TABLES_CONF" ; then
            log_action_cont_msg " (IPv6 failed)"
            error_p=yes
        else
            log_action_cont_msg " (IPv6)"
        fi
        ## NB: test the IPv4 tool here, not the IPv6 one.
        if ! [ -x "$IPTABLES_RESTORE" ] ; then
            log_action_cont_msg " (IPv4 not supported)"
        elif ! [ -e "$IPTABLES_CONF" ] ; then
            log_action_cont_msg " (IPv4 not configured)"
        elif ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
            log_action_cont_msg " (IPv4 failed)"
            error_p=yes
        else
            log_action_cont_msg " (IPv4)"
        fi
        if [ -n "$error_p" ] ; then
            log_failure_msg
            exit 2
        fi
        log_success_msg
        ;;

    (stop)
        ;;

    (*)
        echo "Usage: $0 {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

### iptables-is.sh ends here

--
FSF associate member #7257

