From c20feb7b192779112e702b8081d63b3d9a610867 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Mon, 8 Mar 2021 12:31:30 -0800
Subject: meta-google: nftables-systemd: Parse rules in a useful order
We want to make sure rules get parsed in a sensible order, following a sorting order similar to systemd units.
Change-Id: Ica06c953dba793d89d50c6b4cfc8e8a2eb1f58de
Signed-off-by: William A. Kennington III
---
 .../recipes-google/nftables/files/nft-configure.sh | 16 ++++++++++++++++
 .../recipes-google/nftables/files/nftables.service | 2 +-
 meta-google/recipes-google/nftables/nftables-systemd.bb | 13 ++++++++++---
 3 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 meta-google/recipes-google/nftables/files/nft-configure.sh
(limited to 'meta-google/recipes-google')
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh
new file mode 100644
index 000000000..a82c2826f
--- /dev/null
+++ b/meta-google/recipes-google/nftables/files/nft-configure.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+shopt -s nullglob
+declare -A basemap=()
+i=0
+for dir in /run/nftables /etc/nftables /usr/share/nftables; do
+ for file in "$dir"/*.rules; do
+ basemap["${file##*/}$i"]="$file"
+ done
+ let i+=1
+done
+rc=0
+for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
+ echo "Executing ${basemap[$key]}" >&2
+ nft -f "${basemap[$key]}" || rc=$?
+done
+exit $rc
diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service
index 3830988eb..79f0bb5b0 100644
--- a/meta-google/recipes-google/nftables/files/nftables.service
+++ b/meta-google/recipes-google/nftables/files/nftables.service
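Review bot: The key loop `for key in $(printf "%s\n" "${!basemap[@]}" | sort -r)` word-splits and glob-expands every sorted key, so a `*.rules` file whose name contains whitespace or glob characters produces a key that is not in `basemap` and the script then runs `nft -f ""` (with `nullglob` set, a glob-looking key can even expand to nothing and be skipped silently). Reading the sorted keys with `while IFS= read -r key; do … done < <(printf '%s\n' "${!basemap[@]}" | LC_ALL=C sort -r)` keeps each key intact and makes the ordering independent of the locale the service runs under. Because of the `$i` suffix, `sort -r` runs the /usr/share copy of a same-named file before the /etc and /run copies, and `20-x.rules` before `10-x.rules`; since ordering is the whole point of this commit, a comment such as `# reverse lexical order: higher-sorting files and lower-priority dirs run first` would stop the next reader from taking this for a bug, or the sort should be flipped if that is not the intent. `let i+=1` can be `i=$((i + 1))`, which needs no `let`.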
@@ -4,7 +4,7 @@ Before=network-pre.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/bin/bash -c 'shopt -s nullglob; echo /etc/nftables/*.rules | xargs -r -n 1 nft -f' +ExecStart=/usr/libexec/nft-configure.sh ExecStop=/bin/bash -c 'nft flush ruleset' [Install] diff --git a/meta-google/recipes-google/nftables/nftables-systemd.bb b/meta-google/recipes-google/nftables/nftables-systemd.bb index 03694c8c5..f4109ddc7 100644 --- a/meta-google/recipes-google/nftables/nftables-systemd.bb +++ b/meta-google/recipes-google/nftables/nftables-systemd.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5 inherit systemd -SRC_URI += "file://nftables.service" +SRC_URI += " \ + file://nft-configure.sh \ + file://nftables.service \ + " + SYSTEMD_SERVICE_${PN} += "nftables.service" RDEPENDS_${PN} += " \ @@ -17,6 +21,9 @@ RDEPENDS_${PN} += " \ " do_install() { - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/nftables.service ${D}${systemd_system_unitdir} + install -d ${D}${libexecdir} + install -m0755 ${WORKDIR}/nft-configure.sh ${D}${libexecdir}/ + + install -d ${D}${systemd_system_unitdir} + install -m0644 ${WORKDIR}/nftables.service ${D}${systemd_system_unitdir}/ } -- cgit v1.2.3
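Review bot: `ExecStart=/usr/libexec/nft-configure.sh` hard-codes the install location while the do_install hunk in nftables-systemd.bb installs the script under `${D}${libexecdir}`, so the unit points at a missing file on any configuration where `libexecdir` is not `/usr/libexec`, and the failure only shows up at boot as a failed oneshot. Either substitute the path at install time (e.g. `ExecStart=@LIBEXECDIR@/nft-configure.sh` in the unit and `sed -i 's,@LIBEXECDIR@,${libexecdir},g' ${D}${systemd_system_unitdir}/nftables.service` in do_install, the token being a constructed example) or add a comment in both files stating that the two paths must agree. The previous ExecStart already ran under `/bin/bash -c` and the new script keeps `#!/bin/bash`, so the bash runtime dependency is unchanged; the `RDEPENDS_${PN}` item list that should carry it lies outside the hunk, so I could not confirm it is present.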