Use iptables for openSUSE
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor of firewalld[1]. This commit updates the openSUSE nodeset to use plain iptables rather than injecting iptables rules into the SuSEfirewall2 service. This will work on both Tumbleweed and Leap nodesets. openSUSE provides no iptables-service package the way the RHEL family does, so we can't fall back to that. Rather than try to convert iptables rules to firewalld syntax, this change leverages init.d to ensure iptables rules are loaded at boot. The 89-unbound script has been coopted for this purpose since it already creates /etc/init.d/boot.local. Switched from `dd` to `cat` which makes conditionally composing the file more natural. [1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
parent
7a6101a60c
commit
587b85ba36
|
@ -49,7 +49,7 @@
|
|||
"python-dev": "python-devel",
|
||||
"python3-dev": "python3-devel",
|
||||
"python3": "python3",
|
||||
"iptables": "iptables SuSEfirewall2",
|
||||
"iptables": "iptables",
|
||||
"uuid-runtime": "uuidd"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -124,7 +124,7 @@ else
|
|||
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
|
||||
if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
|
||||
if [[ ! -d /etc/rc.d ]]; then
|
||||
echo "No rc.local and no rc.d directory! See comments in 89-unbound"
|
||||
echo "No rc.local and no rc.d directory! See comments in 89-boot-settings"
|
||||
exit 1
|
||||
fi
|
||||
touch /etc/rc.d/rc.local
|
||||
|
@ -137,7 +137,7 @@ fi
|
|||
|
||||
# Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
|
||||
# rc.local...)
|
||||
dd of=$rclocal <<EOF
|
||||
cat >$rclocal <<EOF
|
||||
#!/bin/bash
|
||||
set -o xtrace
|
||||
|
||||
|
@ -150,6 +150,16 @@ set -e
|
|||
|
||||
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
|
||||
|
||||
EOF
|
||||
# openSUSE doesn't have an iptables service, so apply the iptables rules at boot
|
||||
if [[ "${DISTRO_NAME}" =~ (opensuse) ]] ; then
|
||||
cat >>$rclocal <<EOF
|
||||
iptables-restore /etc/sysconfig/iptables
|
||||
ip6tables-restore /etc/sysconfig/ip6tables
|
||||
|
||||
EOF
|
||||
fi
|
||||
cat >>$rclocal <<EOF
|
||||
exit 0
|
||||
EOF
|
||||
|
|
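Review bot: In the openSUSE block appended to rc.local (the `-150` hunk), a failing `iptables-restore /etc/sysconfig/iptables` aborts the generated script before `ip6tables-restore` runs, because the hunk context shows rc.local is generated with `set -e`; the node would then boot with no IPv6 filter rules and only the xtrace output to show why. Consider attempting both restores and reporting each failure, e.g. `iptables-restore /etc/sysconfig/iptables || echo 'iptables-restore failed' >&2` and the same for `ip6tables-restore`, so one bad rules file does not silently skip the other. The paths are hard-coded here while the rules-writing script refers to them as `$ipv4_rules`/`$ipv6_rules`, so these presumably match — worth confirming. Note also that rc.local runs late in boot, so services started earlier are briefly reachable before the rules load, and the `cat >$rclocal` / `cat >>$rclocal` redirections should quote `"$rclocal"`.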
@ -90,14 +90,3 @@ cat > $ipv6_rules << EOF
|
|||
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||
COMMIT
|
||||
EOF
|
||||
|
||||
if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
|
||||
sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
|
||||
|
||||
cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
|
||||
fw_custom_after_finished() {
|
||||
/usr/sbin/iptables-restore $ipv4_rules
|
||||
/usr/sbin/ip6tables-restore $ipv6_rules
|
||||
}
|
||||
EOF
|
||||
fi
|
||||
|
|
|
@ -29,7 +29,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
|
|||
elif [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
|
||||
service_name=iptables
|
||||
elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
|
||||
service_name=SuSEfirewall2
|
||||
# handle iptables through init.d instead of a service
|
||||
exit 0
|
||||
elif [[ "$DISTRO_NAME" == 'gentoo' ]] ; then
|
||||
# for use in loops in both openrc and systemd
|
||||
service_name='iptables ip6tables'
|
||||
|
|
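Review bot: The comment at the new `exit 0` in the opensuse branch does not say where the rules are loaded instead, so a maintainer reading this service script alone cannot tell the branch is intentional rather than a stub; the enclosing if/elif chain ends outside the hunk. I would expand it to `# openSUSE has no iptables service; the rules are restored from rc.local at boot by the boot-settings script`. Note that this branch matches `"$DISTRO_NAME" == 'opensuse'` exactly while the boot-settings script uses `=~ (opensuse)`; if DISTRO_NAME ever carries a suffix, rc.local would load the rules but this script would still fall through to the service handling, so the two tests should probably agree.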