[systemd-devel] transforming Iptables bash script to systemd service file -help
Dave Reisner
d at falconindy.com
Thu Oct 23 05:18:46 PDT 2014
On Wed, Oct 22, 2014 at 12:37:36PM +0100, Simon McVittie wrote:
> On 21/10/14 20:30, Lennart Poettering wrote:
> > But in cases like the iptables tool (which
> > is written in a style that kinda requires the usage of shell scripts
> > to invoke it, since it is more a programming language and is seldom
> > called just once at boot)
>
> If your ruleset is static (e.g. does not depend on the local IP
> address), it's very close to not needing a shell: all it would need is
> for systemd to support StandardInput=/a/file/path, or for
> iptables-restore to support "--file /a/file/path", or something similar.
>
> iptables-save | sudo tee /etc/my-firewall
> ip6tables-save | sudo tee /etc/my-firewall6
>
> ExecStart=/bin/sh -c 'iptables-restore < /etc/my-firewall'
>
> ExecStart=/bin/sh -c 'ip6tables-restore < /etc/my-firewall6'
While it isn't documented in the manpage, the iptables-restore code
documents that if a single non-option argument is passed, it will try to
use that as the rule source to restore:
    if (optind == argc - 1) {
        in = fopen(argv[optind], "re");
        if (!in) {
            fprintf(stderr, "Can't open %s: %s\n", argv[optind],
                    strerror(errno));
            exit(1);
        }
    }
    else if (optind < argc) {
        fprintf(stderr, "Unknown arguments found on commandline\n");
        exit(1);
    }
    else in = stdin;
So, no need for any redirects here. Arch ships this for an iptables
service:
[Unit]
Description=Packet Filtering Framework

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Cheers,
Dr
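An added example, not code from this thread or from Arch's iptables package: a small POSIX shell/awk lint for a saved ruleset in iptables-save format, plus a unit along the lines of the Arch one that dry-runs iptables-restore before applying. The structural check is useful where iptables itself is not installed (a CI job, a config repo), while the unit orders itself before network-pre.target and uses ExecStartPre=iptables-restore --test so a malformed file fails the unit instead of leaving the host booting with no rules. Assumptions: iptables-restore lives in /usr/bin as in the Arch unit and accepts --test (parse only, do not commit); sample rulesets below are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the systemd-devel thread or from Arch.
# Assumptions: /usr/bin/iptables-restore exists and supports --test.

# check_ruleset FILE
# Succeeds (exit 0) if FILE has the shape of iptables-save output: every *table
# header is closed by COMMIT and every chain (:NAME ...) or rule (-A ...) line
# sits inside a table block. Prints the first problem found and fails otherwise.
check_ruleset() {
    awk '
        function fail(msg) { printf "line %d: %s\n", NR, msg; bad = 1; exit 1 }
        /^#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^\*[a-z]+$/ {                              # *filter, *nat, *mangle, ...
            if (table != "") fail("table " table " not closed by COMMIT")
            table = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (table == "") fail("COMMIT outside a table block")
            table = ""; next
        }
        /^:[A-Za-z0-9_-]+ / || /^-[AINDRFZXP] / {   # chain declarations and rules
            if (table == "") fail("rule outside a table block")
            next
        }
        { fail("unrecognised line: " $0) }
        END {
            if (!bad && table != "") {
                printf "end of file: table %s not closed by COMMIT\n", table; exit 1
            }
        }
    ' "$1"
}

# unit_file RULES_PATH
# Prints a oneshot unit for RULES_PATH. Firewall units should run before
# network-pre.target (see systemd.special(7)) so rules are in place before any
# interface is configured; the --test dry run rejects a broken file up front.
unit_file() {
    cat <<EOF
[Unit]
Description=Packet Filtering Framework
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/bin/iptables-restore --test $1
ExecStart=/usr/bin/iptables-restore $1
ExecReload=/usr/bin/iptables-restore $1

[Install]
WantedBy=multi-user.target
EOF
}

# Constructed sample: a well-formed two-table ruleset with a default-deny INPUT.
sample_good_ruleset() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample, not from a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample: the filter table's COMMIT was lost in a hand edit, so
# iptables-restore would never commit the filter rules at boot.
sample_bad_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Usage: sh firewall-check.sh /etc/iptables/iptables.rules
if [ $# -eq 1 ]; then
    check_ruleset "$1" && echo "ruleset OK"
fi
```

The awk lint is only a shape check; iptables-restore --test remains the authoritative parse, which is why the unit runs it as ExecStartPre on the real host.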