diff options
| author | William A. Kennington III <wak@google.com> | 2021-03-08 23:31:30 +0300 |
|---|---|---|
| committer | William A. Kennington III <wak@google.com> | 2021-03-09 06:53:28 +0300 |
| commit | c20feb7b192779112e702b8081d63b3d9a610867 (patch) | |
| tree | ef16e3c28f8e1ab19eaf5afa6bf5f8b16b769ac0 /meta-google/recipes-google/nftables | |
| parent | 0ce248846f907f3716625c268b61a9325b8762f4 (diff) | |
| download | openbmc-c20feb7b192779112e702b8081d63b3d9a610867.tar.xz | |
meta-google: nftables-systemd: Parse rules in a useful order
We want to make sure rules get parsed in a sensible order, following a
sorting order similar to systemd units.
Change-Id: Ica06c953dba793d89d50c6b4cfc8e8a2eb1f58de
Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google/recipes-google/nftables')
3 files changed, 27 insertions, 4 deletions
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh new file mode 100644 index 000000000..a82c2826f --- /dev/null +++ b/meta-google/recipes-google/nftables/files/nft-configure.sh @@ -0,0 +1,16 @@ +#!/bin/bash +shopt -s nullglob +declare -A basemap=() +i=0 +for dir in /run/nftables /etc/nftables /usr/share/nftables; do + for file in "$dir"/*.rules; do + basemap["${file##*/}$i"]="$file" + done + let i+=1 +done +rc=0 +for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do + echo "Executing ${basemap[$key]}" >&2 + nft -f "${basemap[$key]}" || rc=$? +done +exit $rc diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service index 3830988eb..79f0bb5b0 100644 --- a/meta-google/recipes-google/nftables/files/nftables.service +++ b/meta-google/recipes-google/nftables/files/nftables.service @@ -4,7 +4,7 @@ Before=network-pre.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/bin/bash -c 'shopt -s nullglob; echo /etc/nftables/*.rules | xargs -r -n 1 nft -f' +ExecStart=/usr/libexec/nft-configure.sh ExecStop=/bin/bash -c 'nft flush ruleset' [Install] diff --git a/meta-google/recipes-google/nftables/nftables-systemd.bb b/meta-google/recipes-google/nftables/nftables-systemd.bb index 03694c8c5..f4109ddc7 100644 --- a/meta-google/recipes-google/nftables/nftables-systemd.bb +++ b/meta-google/recipes-google/nftables/nftables-systemd.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5 inherit systemd -SRC_URI += "file://nftables.service" +SRC_URI += " \ + file://nft-configure.sh \ + file://nftables.service \ + " + SYSTEMD_SERVICE_${PN} += "nftables.service" RDEPENDS_${PN} += " \ @@ -17,6 +21,9 @@ RDEPENDS_${PN} += " \ " do_install() { - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/nftables.service ${D}${systemd_system_unitdir} + install -d ${D}${libexecdir} + install -m0755 ${WORKDIR}/nft-configure.sh ${D}${libexecdir}/ + + install -d ${D}${systemd_system_unitdir} + install -m0644 ${WORKDIR}/nftables.service ${D}${systemd_system_unitdir}/ } |