
/etc/init.d/iptables-is.sh: added IPv6 support



	This new revision of my script (below) introduces the following
	changes:

	* IPv6;

	* minor fixes to the messages; more verbosity added.

* Features

	The script has the following features.

	* To put it short: the script runs just once, loading the
	  firewall state before any of the interfaces are brought up.
	  Since then, it does nothing.  If it finds no configuration, it
	  does nothing, either.  Skip the rest of this list if you've
	  got the point.

	* It's simple, and does not attempt to do anything unless
	  explicitly asked for.  In particular:

	  + it doesn't try to load the configuration if the respective
	    files do not exist; it merely issues a message saying that
	    it has no iptables configuration to load;

	  + it doesn't try to load the configuration other than when
	    explicitly requested, or early during the boot process; in
	    particular, it won't be spawned at all when the interfaces are
	    brought up and down (unlike the scripts residing in
	    /etc/network/if-pre-up.d/ and .../if-post-up.d/), say, when
	    the hotplug hardware is used;

	  + it doesn't try to save the configuration at any time (making
	    it immune to the Debian Bug#241162, or any other similar
	    issue);

	  + it doesn't try to verify that the configuration it loads is
	    reasonable at all; one had better supply it with a known
	    working configuration, as with:

    # ip6tables-save > /etc/network/ip6tables.conf 

	  + in fact, the script is so simple that its size is less than
	    100 bytes bigger than that of this list of its features!
	    (this item was specifically added to make the difference
	    even smaller; or one could expand the TABs...)

	* Its goal is to pre-load the static part of the netfilter
	  configuration early during the boot process.  Thus, it's
	  designed to be run from within the rcS.d/ sequence prior to
	  /etc/init.d/ifupdown.  On the contrary, loading static
	  netfilter rules from /etc/network/interfaces pre-up (post-up)
	  or /etc/network/if-pre-up.d/ (.../if-post-up.d/) may incur
	  (albeit most likely very small) timespans when a particular
	  interface is up, but no netfilter configuration is loaded.

* Installation

	The script could be installed as follows (assuming the symbolic
	link to the /etc/init.d/ifupdown is at /etc/rcS.d/S39ifupdown;
	adjust the sequence number if not):

    # install -m 755 iptables-is.sh /etc/init.d/ 
    # update-rc.d -n iptables-is.sh start 38 S . 
    # 

	The configuration files are expected to be the output of
	ip6tables-save(8) and iptables-save(8), respectively.  The
	current state could be saved like:

    # ip6tables-save > /etc/network/ip6tables.conf 
    # iptables-save > /etc/network/iptables.conf 
    # 
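	The script deliberately does no checking of the file it restores
	(see the feature list above), so any checking belongs at the
	moment the configuration is saved.  ip6tables-restore(8) and
	iptables-restore(8) have a --test option that parses a ruleset
	without committing it, and that is the authoritative check.  What
	follows is an added example, not part of the original post or of
	the script, of a lighter structural check in POSIX sh and awk
	that needs neither root nor netfilter: it verifies that every
	*table block is closed by COMMIT, that no chain or rule line sits
	outside a table, and that the table names are ones netfilter
	knows, and a second helper reports the default policy of a
	built-in chain in the filter table, so a saved file with an open
	INPUT chain is noticed before it is loaded at every boot.  The two
	sample rulesets embedded in it are constructed for illustration;
	the function names are the example's own.

```shell
#!/bin/sh
# Added example: structural sanity check for iptables-save(8) /
# ip6tables-save(8) output before it is installed as the file the
# init script restores at boot.  Not part of the original script.

# check_ipt_save FILE
#   Exit status 0 if every "*table" block is closed by COMMIT, every
#   chain (":") or rule ("-") line sits inside a table, and each table
#   name is one netfilter knows; non-zero with a message on stderr
#   otherwise.  Comments and blank lines are ignored.
check_ipt_save() {
    awk '
        function fail(msg) {
            printf("%s:%d: %s\n", FILENAME, NR, msg) > "/dev/stderr"
            bad = 1
        }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ {
            if (table != "") fail("table \"" table "\" not closed by COMMIT")
            table = substr($1, 2)
            if (table !~ /^(filter|nat|mangle|raw|security)$/)
                fail("unknown table \"" table "\"")
            next
        }
        /^COMMIT$/ {
            if (table == "") fail("COMMIT outside any table")
            table = ""
            next
        }
        /^[:-]/ {
            if (table == "") fail("chain or rule outside any table: " $0)
            next
        }
        { fail("unrecognised line: " $0) }
        END {
            if (table != "") fail("table \"" table "\" not closed by COMMIT")
            exit bad
        }
    ' "$1"
}

# filter_policy FILE CHAIN
#   Print the default policy (e.g. DROP) of a built-in chain in the
#   filter table, or nothing if the file does not set one.
filter_policy() {
    awk -v chain="$2" '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }
    ' "$1"
}

# Constructed sample rulesets (not real iptables-save output).
GOOD=$(mktemp) || exit 1
BAD=$(mktemp) || exit 1
trap 'rm -f "$GOOD" "$BAD"' EXIT

cat > "$GOOD" <<'EOF'
# constructed sample: default-deny input, closed tables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

cat > "$BAD" <<'EOF'
# constructed sample: the filter table is never COMMITted
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF

for f in "$GOOD" "$BAD"; do
    if check_ipt_save "$f"; then
        echo "$f: structure ok; filter INPUT policy: $(filter_policy "$f" INPUT)"
    else
        echo "$f: rejected"
    fi
done
```

	Run it on a file produced by iptables-save before copying that
	file to /etc/network/iptables.conf (or the path set in
	/etc/default/iptables-is); a non-zero exit status means the
	init script would fail to restore it at the next boot, and an
	ACCEPT policy on INPUT means it would load a firewall that
	admits everything not explicitly rejected.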

	The location of the configuration files could be set via the
	default/ file:

    $ cat /etc/default/iptables-is 
    IP6TABLES_CONF=/etc/network/ip6tables-my.conf
    IPTABLES_CONF=/etc/network/iptables-my.conf
    $ 

	If there is no default/ file, or if it doesn't define one or
	both of the variables above, the defaults are substituted as
	appropriate.  Tired of the script loading the configuration?
	Just put the following in /etc/default/iptables-is:

    IP6TABLES_CONF=/dev/null
    IPTABLES_CONF=/dev/null

* And finally...

#!/bin/sh
### BEGIN INIT INFO
# Provides:           iptables-is
# Required-Start:     mountkernfs
# Required-Stop:
# Default-Start:      S
# Default-Stop:
# Short-Description:  Load the iptables configuration from the conf. file.
# X-Start-Before:     ifupdown
### END INIT INFO

## NB: This script should be `start'ed before `ifupdown'.  It makes no
##     sense to stop it at any time.

set -e

IP6TABLES_RESTORE=/sbin/ip6tables-restore
IPTABLES_RESTORE=/sbin/iptables-restore
test -x "$IP6TABLES_RESTORE" \
    || test -x "$IPTABLES_RESTORE" \
    || exit 0

. /lib/lsb/init-functions

MYNAME="${0##*/}"
PATH=/sbin:/bin
test -r /etc/default/iptables-is && . /etc/default/iptables-is
: ${IP6TABLES_CONF:=/etc/network/ip6tables.conf}
: ${IPTABLES_CONF:=/etc/network/iptables.conf}

## NB: should probably support `status' as well.

case "$1" in
    (start | restart | force-reload)
        error_p=
        log_begin_msg "Restoring IP tables..."
        if ! [ -x "$IP6TABLES_RESTORE" ] ; then
            log_action_cont_msg " (IPv6 not supported)"
        elif ! [ -e "$IP6TABLES_CONF" ] ; then
            log_action_cont_msg " (IPv6 not configured)"
        elif ! "$IP6TABLES_RESTORE" < "$IP6TABLES_CONF" ; then
            log_action_cont_msg " (IPv6 failed)"
            error_p=yes
        else
            log_action_cont_msg " (IPv6)"
        fi
        if ! [ -x "$IPTABLES_RESTORE" ] ; then
            log_action_cont_msg " (IPv4 not supported)"
        elif ! [ -e "$IPTABLES_CONF" ] ; then
            log_action_cont_msg " (IPv4 not configured)"
        elif ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
            log_action_cont_msg " (IPv4 failed)"
            error_p=yes
        else
            log_action_cont_msg " (IPv4)"
        fi
        if [ -n "$error_p" ] ; then
            log_failure_msg
            exit 2
        fi
        log_success_msg
        ;;

    (stop)
        ;;

    (*)
        echo "Usage: $0 {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

### iptables-is.sh ends here

-- 
FSF associate member #7257

