Hi,
Joel Roth via Dng <dng@???> writes:
> Hi,
>
> I made a script to load rules for an nft firewall.
>
> It's executable, runs from the command line
> with start/stop/status options.
>
> But it doesn't start during system boot.
I did the same and it has been working fine for me since 2022-08-07
according to my logs. That includes starting during system boot.
I've attached my script for reference. The salient part in it is in the
INIT INFO section where I have
### BEGIN INIT INFO
# Provides: nftables
# X-Start-Before: $network
# Required-Start: $local_fs $syslog
# Required-Stop: $local_fs $syslog
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: nftables firewall service
# Description: nftables firewall system service
### END INIT INFO
> I created symlinks with update-rc.d
> and links appear in the rc*.d directories
> where * is 2,3,4,5.
I don't remember what I used to create the symlinks, I think I used
insserv, but I have
/etc/rc0.d/K01nftables
/etc/rc6.d/K01nftables
/etc/rcS.d/S12nftables
The numbers in the [KS]*nftables filenames may differ depending on what
other links you already have.
The script expects the configuration in
CONF=/etc/nftables.conf
I've based mine off
/usr/share/doc/nftables/examples/workstation.nft
> Also, I couldn't find evidence in any log files.
> There was no /var/log/firewall, nothing in /var/boot.
nftables does not start a daemon, it sets up the rules for use by the
kernel's NetFilter Tables. Unless you add rules that log anything,
nothing will get logged. Any logging rules you add will log in
/var/log/kern.log, IIRC.
For reference, the etckeeper commit message when I added this has
network: Integrate nftables firewall service in init process
The init script and configuration files have been adapted from the
examples included in the nftables package. LSB headers have been
changed so the script runs before networking is started. Logging
has been updated so this can be verified in the logs.
so if you decide to use it, you'll be able to find the init script's log
messages in your logs provided you have
VERBOSE=yes
in /etc/default/rcS.
BTW, I'm using runit-init but believe that sysvinit will behave the
same.
> TIA for any suggestions.
Hope this helps,
--
Olaf Meeuwissen
#!/bin/sh
### BEGIN INIT INFO
# Provides: nftables
# X-Start-Before: $network
# Required-Start: $local_fs $syslog
# Required-Stop: $local_fs $syslog
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: nftables firewall service
# Description: nftables firewall system service
### END INIT INFO

# Author: Arturo Borrero Gonzalez <arturo@???>

# Do NOT "set -e"

CONF=/etc/nftables.conf

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="firewall service"
NAME=nftables
BIN=/usr/sbin/nft
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$BIN" ] || exit 0

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

do_start()
{
    # Return
    #   0 if start OK
    #   2 if start NOK
    # nft v0.4 return 0 if ENOENT $CONF
    if [ ! -r "$CONF" ] ; then
        echo "E: No such $NAME $DESC config file $CONF" >&2
        return 2
    fi
    $BIN -f "$CONF" || return 2
}

do_stop()
{
    # Return
    #   0 if stopped
    #   1 if already stopped
    #   2 if could not be stopped
    if ! do_status ; then
        $BIN flush ruleset || return 2
    fi
}

do_status()
{
    # Return
    #   0 if no rules
    #   1 if rules
    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
        return 0
    fi
    return 1
}

case "$1" in
    start)
        log_action_begin_msg "Starting $DESC" "$NAME"
        do_start
        ret="$?"
        case "$ret" in
            0|1) log_action_end_msg 0 ;;
            *)   log_action_end_msg 1 ;;
        esac
        exit $ret
        ;;
    restart|force-reload)
        log_action_begin_msg "Restarting $DESC" "$NAME"
        do_start
        ret="$?"
        case "$ret" in
            0|1) log_action_end_msg 0 ;;
            *)   log_action_end_msg 1 ;;
        esac
        exit $ret
        ;;
    stop)
        log_action_begin_msg "Stopping $DESC" "$NAME"
        do_stop
        ret="$?"
        case "$ret" in
            0|1) log_action_end_msg 0 ;;
            *)   log_action_end_msg 1 ;;
        esac
        exit $ret
        ;;
    status)
        if ! do_status ; then
            log_action_begin_msg "Status of ${DESC}: rules loaded" "$NAME"
            log_action_end_msg 0
            exit 0
        else
            log_action_begin_msg "Status of ${DESC}: no rules loaded" "$NAME"
            log_action_end_msg 1
            exit 1
        fi
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac

:
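A small check to go with the symlink discussion above, added here as an example and not part of Olaf's mail or of the nftables package: it reads the Default-Start/Default-Stop runlevels from an init script's LSB header and reports which rc*.d links are missing, so a header saying "Default-Start: S" paired with links only in rc2-5.d (the original poster's layout) is flagged. The function names, the constructed temporary tree and the S20 sequence number in the "bad" layout are assumptions for the demonstration.

```shell
#!/bin/sh
# Added check (not from the mail or the nftables package): compare an init
# script's LSB header with the rc*.d links present under an /etc-style root.

# Print the value of LSB header field $2 from init script $1.
lsb_field() {
  sed -n "/^### BEGIN INIT INFO/,/^### END INIT INFO/{s/^# $2:[[:space:]]*//p;}" "$1"
}

# Report S?? links missing for Default-Start runlevels and K?? links missing
# for Default-Stop runlevels under root $2; returns 1 if any are missing.
check_links() {
  script=$1; etc=$2; missing=0
  name=$(lsb_field "$script" Provides | awk '{print $1}')
  for rl in $(lsb_field "$script" Default-Start); do
    set -- "$etc/rc$rl.d"/S[0-9][0-9]"$name"
    [ -e "$1" ] || { echo "missing start link: rc$rl.d/S??$name"; missing=1; }
  done
  for rl in $(lsb_field "$script" Default-Stop); do
    set -- "$etc/rc$rl.d"/K[0-9][0-9]"$name"
    [ -e "$1" ] || { echo "missing stop link: rc$rl.d/K??$name"; missing=1; }
  done
  return $missing
}

# Constructed tree: the header from the mail plus links given as
# runlevel/prefix pairs (e.g. S/S12 0/K01 6/K01). Prints the tree's root.
make_tree() {
  root=$(mktemp -d); mkdir -p "$root/init.d"
  cat > "$root/init.d/nftables" <<'EOF'
### BEGIN INIT INFO
# Provides: nftables
# X-Start-Before: $network
# Default-Start: S
# Default-Stop: 0 6
### END INIT INFO
EOF
  for spec in "$@"; do
    rl=${spec%/*}; pfx=${spec#*/}
    mkdir -p "$root/rc$rl.d"
    ln -s ../init.d/nftables "$root/rc$rl.d/${pfx}nftables"
  done
  echo "$root"
}

good=$(make_tree S/S12 0/K01 6/K01)       # links as in the mail
bad=$(make_tree 2/S20 3/S20 4/S20 5/S20)   # links only in rc2-5.d
check_links "$good/init.d/nftables" "$good" && echo "links match header"
check_links "$bad/init.d/nftables" "$bad" || echo "firewall would not start in rcS"
```

Run it against the real tree with `check_links /etc/init.d/nftables /etc` to confirm the firewall is wired into rcS before networking comes up.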