iptables: switch to systemd, drop openrc support.

srcpkgs/iptables/files/ip6tables.confd

@@ -1,11 +0,0 @@
-# /etc/conf.d/ip6tables
-
-# Location in which iptables initscript will save set rules on 
-# service shutdown
-IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore 
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"

srcpkgs/iptables/files/ip6tables.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/lib/systemd/scripts/iptables-flush -6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

srcpkgs/iptables/files/iptables-flush.scripts

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Usage: iptables-flush [-6]
+
+iptables=/usr/sbin/iptables
+tables=(filter mangle raw)
+
+if [[ "$1" == "-6" ]]; then
+  iptables=/usr/sbin/ip6tables
+else
+  # Only ipv4 has a nat table
+  tables+=(nat)
+fi
+
+for table in "${tables[@]}"; do
+  $iptables -t "$table" -F
+  $iptables -t "$table" -X
+done
+
+for chain in INPUT FORWARD OUTPUT; do
+  $iptables -P "$chain" ACCEPT
+done

srcpkgs/iptables/files/iptables.confd

@@ -1,11 +0,0 @@
-# /etc/conf.d/iptables
-
-# Location in which iptables initscript will save set rules on 
-# service shutdown
-IPTABLES_SAVE="/var/lib/iptables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore 
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"

srcpkgs/iptables/files/iptables.rc

@@ -1,114 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/www/viewcvs.gentoo.org/raw_cvs/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.6 2007/03/12 21:49:04 vapier Exp $
-
-opts="save reload panic"
-
-iptables_name=${SVCNAME}
-if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
-	iptables_name="iptables"
-fi
-
-iptables_bin="/sbin/${iptables_name}"
-case ${iptables_name} in
-	iptables)  iptables_proc="/proc/net/ip_tables_names"
-	           iptables_save=${IPTABLES_SAVE};;
-	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
-	           iptables_save=${IP6TABLES_SAVE};;
-esac
-
-depend() {
-	before net
-	use logger
-}
-
-set_table_policy() {
-	local chains table=$1 policy=$2
-	case ${table} in
-		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
-		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
-		filter) chains="INPUT FORWARD OUTPUT";;
-		*)      chains="";;
-	esac
-	local chain
-	for chain in ${chains} ; do
-		${iptables_bin} -t ${table} -P ${chain} ${policy}
-	done
-}
-
-checkkernel() {
-	if [ ! -e ${iptables_proc} ] ; then
-		eerror "Your kernel lacks ${iptables_name} support, please load"
-		eerror "appropriate modules and try again."
-		return 1
-	fi
-	return 0
-}
-checkconfig() {
-	if [ ! -f ${iptables_save} ] ; then
-		eerror "Not starting ${iptables_name}.  First create some rules then run:"
-		eerror "/etc/init.d/${iptables_name} save"
-		return 1
-	fi
-	return 0
-}
-
-start() {
-	checkconfig || return 1
-	ebegin "Loading ${iptables_name} state and starting firewall"
-	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
-	eend $?
-}
-
-stop() {
-	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
-		save || return 1
-	fi
-	checkkernel || return 1
-	ebegin "Stopping firewall"
-	local a
-	for a in $(cat ${iptables_proc}) ; do
-		set_table_policy $a ACCEPT
-
-		${iptables_bin} -F -t $a
-		${iptables_bin} -X -t $a
-	done
-	eend $?
-}
-
-reload() {
-	checkkernel || return 1
-	ebegin "Flushing firewall"
-	local a
-	for a in $(cat ${iptables_proc}) ; do
-		${iptables_bin} -F -t $a
-		${iptables_bin} -X -t $a
-	done
-	eend $?
-
-	start
-}
-
-save() {
-	ebegin "Saving ${iptables_name} state"
-	touch "${iptables_save}"
-	chmod 0600 "${iptables_save}"
-	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
-	eend $?
-}
-
-panic() {
-	checkkernel || return 1
-	service_started ${iptables_name} && svc_stop
-
-	local a
-	ebegin "Dropping all packets"
-	for a in $(cat ${iptables_proc}) ; do
-		${iptables_bin} -F -t $a
-		${iptables_bin} -X -t $a
-
-		set_table_policy $a DROP
-	done
-	eend $?
-}

srcpkgs/iptables/files/iptables.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

srcpkgs/iptables/template

@@ -1,6 +1,7 @@
 # Template file for 'iptables'
 pkgname=iptables
 version=1.4.12
+revision=1
 distfiles="http://www.iptables.org/projects/iptables/files/$pkgname-$version.tar.bz2"
 build_style=custom-install
 short_desc="Linux IPv[46] packet filtering ruleset"
@@ -18,11 +19,6 @@ long_desc="
  The iptables package also includes ip6tables. ip6tables is used for
  configuring the IPv6 packet filter."
 
-openrc_services="iptables default false"
-conf_files="
-/etc/conf.d/iptables
-/etc/conf.d/ip6tables"
-
 subpackages="$pkgname-devel"
 
 Add_dependency run glibc
@@ -47,9 +43,11 @@ do_install()
 {
 	make DESTDIR=${DESTDIR} install
 
-	vinstall ${FILESDIR}/iptables.confd 644 etc/conf.d iptables
+	vinstall ${FILESDIR}/iptables.service 644 lib/systemd/system
-	vinstall ${FILESDIR}/ip6tables.confd 644 etc/conf.d ip6tables
+	vinstall ${FILESDIR}/ip6tables.service 644 lib/systemd/system
-	vinstall ${FILESDIR}/iptables.rc 755 etc/init.d iptables
+	vinstall ${FILESDIR}/iptables-flush.scripts 755 \
+		lib/systemd/scripts iptables-flush
+
 	for f in empty.rules simple_firewall.rules; do
 		vinstall ${FILESDIR}/${f} 644 etc/iptables
 	done