[baseimage]: setup ebtables.service in buster image

ebtables is not enabled by default in buster Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-02-04 01:46:52 +00:00 · 2020-02-04 01:46:52 +00:00 · e479a56db3
commit e479a56db3
parent fb12b0a621
4 changed files with 234 additions and 1 deletions
--- a/build_debian.sh
+++ b/build_debian.sh
@ -487,8 +487,12 @@ if [ "${enable_organization_extensions}" = "y" ]; then
 fi
 ## Setup ebtable rules (rule file is in binary format)
-sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables
+sudo cp -f files/image_config/ebtables/ebtables.default $FILESYSTEM_ROOT/etc/default/ebtables
 sudo cp -f files/image_config/ebtables/ebtables.init $FILESYSTEM_ROOT/etc/init.d/ebtables
 sudo cp -f files/image_config/ebtables/ebtables.service $FILESYSTEM_ROOT/lib/systemd/system/ebtables.service
 sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc
 sudo LANG=C chroot $FILESYSTEM_ROOT update-alternatives --set ebtables /usr/sbin/ebtables-legacy
 sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable ebtables.service
 ## Debug Image specific changes
 ## Update motd for debug image
--- a/files/image_config/ebtables/ebtables.default
+++ b/files/image_config/ebtables/ebtables.default
@ -0,0 +1,35 @@
 # Unload modules on restart and stop
 #   Value: yes|no,  default: yes
 # This option has to be 'yes' to get to a sane state for a firewall
 # restart or stop. Only set to 'no' if there are problems unloading netfilter
 # modules.
 EBTABLES_MODULES_UNLOAD="yes"
 # Load firewall rules on system startup.
 #   Value: yes|no,  default: no
 # Restores the ebtables rulesets from the last saved state when the
 # system boots up.
 EBTABLES_LOAD_ON_START="yes"
 # Save current firewall rules on stop.
 #   Value: yes|no,  default: no
 # Saves all firewall rules if firewall gets stopped
 # (e.g. on system shutdown).
 EBTABLES_SAVE_ON_STOP="no"
 # Save current firewall rules on restart.
 #   Value: yes|no,  default: no
 # Saves all firewall rules if firewall gets restarted.
 EBTABLES_SAVE_ON_RESTART="no"
 # Save (and restore) rule counters.
 #   Value: yes|no,  default: no
 # Save rule counters when saving a kernel table to a file. If the
 # rule counters were saved, they will be restored when restoring the table.
 EBTABLES_SAVE_COUNTER="no"
 # Backup suffix for ruleset save files.
 #   Value: <string>,  default: "~"
 # Keep one backup level of saved rules.
 # Set this variable to the empty string to disable backups.
 EBTABLES_BACKUP_SUFFIX="~"
--- a/files/image_config/ebtables/ebtables.init
+++ b/files/image_config/ebtables/ebtables.init
@ -0,0 +1,175 @@
 #!/bin/bash
 #
 # init script for the Ethernet Bridge filter tables
 #
 # Written by Dag Wieers <dag@wieers.com>
 # Modified by Rok Papez <rok.papez@arnes.si>
 #	     Bart De Schuymer <bdschuym@pandora.be>
 # Adapted to Debian by Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
 #
 # chkconfig: - 15 85
 # description: Ethernet Bridge filtering tables
 #
 ### BEGIN INIT INFO
 # Provides:		ebtables
 # Required-Start:
 # Required-Stop:
 # Should-Start:		$local_fs
 # Should-Stop:		$local_fs
 # Default-Start:	S
 # Default-Stop:		0 1 6
 # Short-Description:	ebtables ruleset management
 # Description:		Saves and restores the state of the ebtables rulesets.
 ### END INIT INFO
 . /lib/lsb/init-functions
 test -f /sbin/ebtables || exit 0
 EBTABLES_DUMPFILE_STEM=/etc/ebtables
 RETVAL=0
 prog="ebtables"
 desc="Ethernet bridge filtering"
 umask 0077
 #default configuration
 EBTABLES_MODULES_UNLOAD="yes"
 EBTABLES_LOAD_ON_START="no"
 EBTABLES_SAVE_ON_STOP="no"
 EBTABLES_SAVE_ON_RESTART="no"
 EBTABLES_SAVE_COUNTER="no"
 EBTABLES_BACKUP_SUFFIX="~"
 config=/etc/default/$prog
 [ -f "$config" ] && . "$config"
 function get_supported_tables() {
 	EBTABLES_SUPPORTED_TABLES=
 	/sbin/ebtables -t filter -L 2>&1 1>/dev/null | grep -q permission
 	if [ $? -eq 0 ]; then
 		log_failure_msg "Error: insufficient privileges to access the ebtables rulesets."
 		exit 1
 	fi
 	for table in filter nat broute; do
 		/sbin/ebtables -t $table -L &> /dev/null
 		if [ $? -eq 0 ]; then
 			EBTABLES_SUPPORTED_TABLES="${EBTABLES_SUPPORTED_TABLES} $table"
 		fi
 	done
 }
 function load() {
 	RETVAL=0
 	get_supported_tables
 	log_daemon_msg "Restoring ebtables rulesets"
 	for table in $EBTABLES_SUPPORTED_TABLES; do
 		log_progress_msg "$table"
 		if [ -s ${EBTABLES_DUMPFILE_STEM}.$table ]; then
 			/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-commit
 			RET=$?
 			if [ $RET -ne 0 ]; then
 				log_progress_msg "(failed)"
 				RETVAL=$RET
 			fi
 		else
 			log_progress_msg "(no saved state)"
 		fi
 	done
 	if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
 		log_progress_msg "no kernel support"
 	else
 		log_progress_msg "done"
 	fi
 	log_end_msg $RETVAL
 }
 function clear() {
 	RETVAL=0
 	get_supported_tables
 	log_daemon_msg "Clearing ebtables rulesets"
 	for table in $EBTABLES_SUPPORTED_TABLES; do
 		log_progress_msg "$table"
 		/sbin/ebtables -t $table --init-table
 	done
 	if [ "$EBTABLES_MODULES_UNLOAD" = "yes" ]; then
 		for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -d' ' -f1) ebtables; do
 			rmmod $mod 2> /dev/null
 		done
 	fi
 	if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
 		log_progress_msg "no kernel support"
 	else
 		log_progress_msg "done"
 	fi
 	log_end_msg $RETVAL
 }
 function save() {
 	RETVAL=0
 	get_supported_tables
 	log_daemon_msg "Saving ebtables rulesets"
 	for table in $EBTABLES_SUPPORTED_TABLES; do
 		log_progress_msg "$table"
 		[ -n "$EBTABLES_BACKUP_SUFFIX" ] && [ -s ${EBTABLES_DUMPFILE_STEM}.$table ] && \
 		  mv ${EBTABLES_DUMPFILE_STEM}.$table ${EBTABLES_DUMPFILE_STEM}.$table$EBTABLES_BACKUP_SUFFIX
 		/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-save
 		RET=$?
 		if [ $RET -ne 0 ]; then
 			log_progress_msg "(failed)"
 			RETVAL=$RET
 		else
 			if [ "$EBTABLES_SAVE_COUNTER" = "no" ]; then
 				/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table -Z
 			fi
 		fi
 	done
 	if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
 		log_progress_msg "no kernel support"
 	else
 		log_progress_msg "done"
 	fi
 	log_end_msg $RETVAL
 }
 case "$1" in
  start)
 	[ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
 	;;
  stop)
 	[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
 	clear
 	;;
  restart|reload|force-reload)
 	[ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
 	clear
 	[ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
 	;;
  load)
 	load
 	;;
  save)
 	save
 	;;
  status)
 	get_supported_tables
 	if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
 		log_failure_msg "No kernel support for ebtables."
 		RETVAL=1
 	else
 		log_daemon_msg "Ebtables support available, number of installed rules"
 		for table in $EBTABLES_SUPPORTED_TABLES; do
 			COUNT=$(( $(/sbin/ebtables -t $table -L | sed -e "/^Bridge chain/! d" -e "s/^.*entries: //" -e "s/,.*$/ +/") 0 ))
 			log_progress_msg "$table($COUNT)"
 		done
 		log_end_msg 0
 		RETVAL=0
 	fi
 	;;
  *)
 	echo "Usage: $0 {start|stop|restart|reload|force-reload|load|save|status}" >&2
 	RETVAL=1
 esac
 exit $RETVAL
--- a/files/image_config/ebtables/ebtables.service
+++ b/files/image_config/ebtables/ebtables.service
@ -0,0 +1,19 @@
 [Unit]
 Description=ebtables ruleset management
 DefaultDependencies=no
 Before=network-pre.target
 Wants=network-pre.target
 After=local-fs.target
 # n.b. use below if we want to tear down rules before shutting down.
 #Before=shutdown.target
 #Conflicts=shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/etc/init.d/ebtables start
 ExecStop=/etc/init.d/ebtables stop
 ExecReload=/etc/init.d/ebtables reload
 [Install]
 WantedBy=multi-user.target