
[v5,3/6] package/iptables: check for rules in init script

Message ID 20241204182913.4085670-4-fiona.klute@gmx.de

Commit Message

Fiona Klute Dec. 4, 2024, 6:29 p.m. UTC
From: "Fiona Klute (WIWA)" <fiona.klute@gmx.de>

Instead of installing an empty rules file, the init script now checks
if the rules file exists and does nothing if it doesn't. The "save"
action is exempt from that check because it may be used to create the
rules file.

Also fix the shellcheck warning about the unused IPTABLES_ARGS
variable, and use long form options for iptables commands.

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
---
Changes v4 -> v5:
* iptables init script: run any target only if rules file exists,
  except for "save" (which may be used to create it)

Changes v2 -> v3:
* replace "iptables -F" with "iptables --flush"

 .checkpackageignore          |  1 -
 package/iptables/S35iptables | 16 +++++++++++-----
 package/iptables/iptables.mk |  1 -
 3 files changed, 11 insertions(+), 7 deletions(-)


diff --git a/.checkpackageignore b/.checkpackageignore
index b793026881..767e3bb21d 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -612,7 +612,6 @@  package/ipmitool/0002-Fix-enterprise-numbers-URL.patch lib_patch.Upstream
 package/ipmitool/0003-Do-not-require-the-IANA-PEN-registry-file.patch lib_patch.Upstream
 package/ipmitool/0004-configure.ac-allow-disabling-registry-downloads.patch lib_patch.Upstream
 package/iprutils/0001-configure.ac-add-AC_USE_SYSTEM_EXTENSIONS.patch lib_patch.Upstream
-package/iptables/S35iptables Shellcheck
 package/irda-utils/0001-daemon.patch lib_patch.Sob lib_patch.Upstream
 package/irda-utils/0002-nommu.patch lib_patch.Sob lib_patch.Upstream
 package/irda-utils/0003-subdir.patch lib_patch.Sob lib_patch.Upstream
diff --git a/package/iptables/S35iptables b/package/iptables/S35iptables
index a2de29d222..fc42fc9a8c 100644
--- a/package/iptables/S35iptables
+++ b/package/iptables/S35iptables
@@ -2,11 +2,18 @@ 
 
 DAEMON="iptables"
 
-IPTABLES_ARGS=""
+IPTABLES_CONF="/etc/iptables.conf"
+
+# Run only if IPTABLES_CONF exists, except when the action is "save"
+# (which creates it).
+if [ ! -f "${IPTABLES_CONF}" ] && [ "$1" != "save" ]; then
+	echo "${IPTABLES_CONF} does not exist, nothing to do."
+	exit 0
+fi
 
 start() {
 	printf 'Starting %s: ' "$DAEMON"
-	iptables-restore /etc/iptables.conf
+	iptables-restore "$IPTABLES_CONF"
 	status=$?
 	if [ "$status" -eq 0 ]; then
 		echo "OK"
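Review bot: The early exit added at the top of the script (`if [ ! -f "${IPTABLES_CONF}" ] && [ "$1" != "save" ]`) returns 0 for `start` when the rules file is missing, so a host whose /etc/iptables.conf was never created or was deleted boots with no firewall rules loaded while the init sequence reports nothing abnormal; the message also goes to stdout, where it reads like ordinary progress output. Sending it to stderr and naming the consequence, e.g. `echo "${IPTABLES_CONF} does not exist, no firewall rules loaded." >&2`, would make the condition visible in boot logs without changing the exit status. Because the check runs before the action dispatch that presumably follows the function definitions, calling the script with no argument or an unknown action now also exits 0 with this message instead of printing usage; restricting the guard to the known actions, or moving it into start() and stop(), would keep that path intact. start()'s body continues outside the hunk.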
@@ -18,7 +25,7 @@  start() {
 
 stop() {
 	printf 'Stopping %s: ' "$DAEMON"
-	iptables -F
+	iptables --flush
 	status=$?
 	if [ "$status" -eq 0 ]; then
 		echo "OK"
@@ -30,13 +37,12 @@  stop() {
 
 restart() {
 	stop
-	sleep 1
 	start
 }
 
 save() {
 	printf 'Saving %s: ' "$DAEMON"
-	iptables-save -f /etc/iptables.conf
+	iptables-save --file "$IPTABLES_CONF"
 	status=$?
 	if [ "$status" -eq 0 ]; then
 		echo "OK"
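Review bot: The removal of `sleep 1` from restart() is not mentioned in the commit message or the per-version changelog, so a reader cannot tell whether it was dropped deliberately; a sentence such as "Drop the sleep in restart(): flush and restore are synchronous, so no delay is needed" in the description would settle that. It may also be worth confirming what mode iptables-save creates `$IPTABLES_CONF` with when the file does not yet exist, now that the build no longer pre-creates it; if it simply follows the process umask, the saved rule set (which can contain allow-listed addresses) ends up world-readable, and a `umask 077` before the `iptables-save --file "$IPTABLES_CONF"` call would keep it root-only. save()'s body continues outside the hunk.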
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index dbf7fbf5e1..e7495c1085 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -59,7 +59,6 @@  endef
 define IPTABLES_INSTALL_INIT_SYSV
 	$(INSTALL) -m 0755 -D package/iptables/S35iptables \
 		$(TARGET_DIR)/etc/init.d/S35iptables
-	touch $(TARGET_DIR)/etc/iptables.conf
 endef
 
 ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT),y)