On Fri, Apr 06, 2018 at 11:07:30AM +0200, Alexander Dahl wrote:
> For loading your packet filter rules on system startup.
> 
> Signed-off-by: Alexander Dahl <a...@thorsis.com>

This patch does not apply. I'm not sure why:
[...]
error: sha1 information is lacking or useless (rules/nftables.in).
error: could not build fake ancestor
[...]

Please resend. Maybe as an attachment.

Michael

> ---
>  projectroot/etc/init.d/nftables | 103 
> ++++++++++++++++++++++++++++++++++++++++
>  rules/nftables-bbinit.in        |   9 ++++
>  rules/nftables.in               |   4 ++
>  rules/nftables.make             |  11 +++++
>  4 files changed, 127 insertions(+)
>  create mode 100644 projectroot/etc/init.d/nftables
>  create mode 100644 rules/nftables-bbinit.in
> 
> diff --git a/projectroot/etc/init.d/nftables b/projectroot/etc/init.d/nftables
> new file mode 100644
> index 0000000000..c10db5d901
> --- /dev/null
> +++ b/projectroot/etc/init.d/nftables
> @@ -0,0 +1,103 @@
> +#!/bin/sh
> +
> +# Author: Arturo Borrero Gonzalez <art...@debian.org>
> +# Adapted by: Alexander Dahl <a...@thorsis.com>
> +
> +# Do NOT "set -e"
> +
> +CONF=/etc/nftables.conf
> +
> +PATH=/sbin:/usr/sbin:/bin:/usr/bin
> +DESC="firewall service"
> +NAME=nftables
> +BIN=/usr/sbin/nft
> +SCRIPTNAME=/etc/init.d/$NAME
> +
> +# Exit if the package is not installed
> +[ -x "$BIN" ] || exit 0
> +
> +do_start()
> +{
> +    # Return
> +    #  0 if start OK
> +    #  2 if start NOK
> +
> +    # nft v0.4 return 0 if ENOENT $CONF
> +    if [ ! -r "$CONF" ] ; then
> +        echo "E: No such $NAME $DESC config file $CONF" >&2
> +        return 2
> +    fi
> +
> +    $BIN -f $CONF || return 2
> +}
> +
> +do_stop()
> +{
> +    # Return
> +    #   0 if stopped
> +    #   1 if already stopped
> +    #   2 if could not be stopped
> +    if ! do_status ; then
> +        $BIN flush ruleset || return 2
> +    fi
> +}
> +
> +do_status()
> +{
> +    # Return
> +    #   0 if no rules
> +    #   1 if rules
> +    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
> +        return 0
> +    fi
> +
> +    return 1
> +}
> +
> +case "$1" in
> +    start)
> +        echo -n "Starting $DESC ..."
> +        do_start
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    restart|force-reload)
> +        echo -n "Restarting $DESC ..."
> +        do_start
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    stop)
> +        echo -n "Stopping $DESC ..."
> +        do_stop
> +        ret="$?"
> +        case "$ret" in
> +            0|1)    echo " Done." ;;
> +            2)      echo " Failed." ;;
> +        esac
> +        exit $ret
> +        ;;
> +    status)
> +        if ! do_status ; then
> +            echo "Status of ${DESC}: rules loaded"
> +            exit 0
> +        else
> +            echo "Status of ${DESC}: no rules loaded"
> +            exit 1
> +        fi
> +        ;;
> +    *)
> +        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" 
> >&2
> +        exit 3
> +        ;;
> +esac
> +
> +:
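Review bot: The `restart|force-reload` branch only calls `do_start`, so whether the running ruleset is actually replaced depends on `/etc/nftables.conf` beginning with `flush ruleset`; without it, a rule removed from the file stays loaded after a restart and the remaining rules are added a second time. Because `nft -f` loads the file as a single transaction, keeping the flush inside the file avoids the unfiltered window that a `do_stop` followed by `do_start` would open, but the script should state the requirement, e.g. `# restart relies on "flush ruleset" at the top of $CONF to replace the running ruleset atomically`. Separately, `do_start` should quote its arguments (`"$BIN" -f "$CONF" || return 2`), and the `do_stop` header documents a return value of 1 that no path in the function produces.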
> diff --git a/rules/nftables-bbinit.in b/rules/nftables-bbinit.in
> new file mode 100644
> index 0000000000..84234c9761
> --- /dev/null
> +++ b/rules/nftables-bbinit.in
> @@ -0,0 +1,9 @@
> +## SECTION=initmethod_bbinit
> +
> +config NFTABLES_BBINIT_LINK
> +     depends on NFTABLES_STARTSCRIPT
> +     string
> +     prompt "nftables"
> +     default "S24nftables"
> +
> +# vim: ft=kconfig noet tw=72
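Review bot: The default link name `S24nftables` fixes where in the rc.d sequence the ruleset is loaded, and nothing in this hunk shows how that position relates to the script that brings up the network interfaces. If interfaces are configured earlier, the target is reachable without packet filtering until this script runs. Confirm the ordering against the networking link name used in the BSP and record it next to the default, e.g. `# must sort before the networking start link so interfaces never come up unfiltered`.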
> diff --git a/rules/nftables.in b/rules/nftables.in
> index be7fca1fa0..2b35741b7d 100644
> --- a/rules/nftables.in
> +++ b/rules/nftables.in
> @@ -31,6 +31,10 @@ config NFTABLES_MGMP
>         use the nftables build-in mini-GMP instead of linking to the shared
>         libgmp. (may reduce debugging verbosity on some files)
>  
> +config NFTABLES_STARTSCRIPT
> +     bool
> +     prompt "install /etc/init.d/nftables"
> +
>  endif
>  
>  # vim: ft=kconfig noet tw=72
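Review bot: `NFTABLES_STARTSCRIPT` has neither a `help` entry nor a default, so it is off unless explicitly selected, and an image that ships `nft` and `/etc/nftables.conf` then boots without any ruleset loaded. Consider `default y`, plus a help text saying that the script loads `/etc/nftables.conf` at startup and is only installed for the bbinit init method (the `rules/nftables.make` hunk guards the install with `PTXCONF_INITMETHOD_BBINIT`).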
> diff --git a/rules/nftables.make b/rules/nftables.make
> index 6c978aa21c..c7d704612e 100644
> --- a/rules/nftables.make
> +++ b/rules/nftables.make
> @@ -58,6 +58,17 @@ $(STATEDIR)/nftables.targetinstall:
>       @$(call install_copy, nftables, 0, 0, 0755, -, /usr/sbin/nft)
>       @$(call install_alternative, nftables, 0, 0, 0755, /etc/nftables.conf)
>  
> +ifdef PTXCONF_INITMETHOD_BBINIT
> +ifdef PTXCONF_NFTABLES_STARTSCRIPT
> +     @$(call install_alternative, nftables, 0, 0, 0755, /etc/init.d/nftables)
> +
> +ifneq ($(call remove_quotes,$(PTXCONF_NFTABLES_BBINIT_LINK)),)
> +     @$(call install_link, nftables, ../init.d/nftables, \
> +             /etc/rc.d/$(PTXCONF_NFTABLES_BBINIT_LINK))
> +endif
> +endif
> +endif
> +
>       @$(call install_finish, nftables)
>  
>       @$(call touch)
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
