[arptables_jf] Migrate to systemd.

Jon Ciesla limb at fedoraproject.org
Mon May 14 15:51:38 UTC 2012 

commit bb6feb1ef9a348114dc8c1f905b007f8753d1006
Author: Jon Ciesla <limburgher at gmail.com>
Date:   Mon May 14 10:51:28 2012 -0500

    Migrate to systemd.

 arptables-helper  |  133 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 arptables.service |   12 +++++
 arptables_jf.spec |   56 ++++++++++++++++++----
 3 files changed, 191 insertions(+), 10 deletions(-)
---
diff --git a/arptables-helper b/arptables-helper
new file mode 100755
index 0000000..5afc5cc
--- /dev/null
+++ b/arptables-helper
@@ -0,0 +1,133 @@
+#!/bin/sh
+# config: /etc/sysconfig/arptables
+
+# Source 'em up
+. /etc/init.d/functions
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+arp_table() {
+	if fgrep -qsx $1 /proc/net/arp_tables_names; then
+		arptables -t "$@"
+	fi
+}
+
+start() {
+	if [ ! -x /sbin/arptables ]; then
+		exit 4
+	fi
+
+	KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
+	KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
+
+	if [ "$KERNELMAJ" -lt 2 ] ; then
+		echo "Not supported for kernel $KERNELMAJ.$KERNELMIN"
+		exit 1
+	fi
+	if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
+		echo "Not supported for kernel $KERNELMAJ.$KERNELMIN"
+		exit 1
+	fi
+
+	# don't do squat if we don't have the config file
+	echo -n $"Starting arptables_jf"
+	if [ -f $ARPTABLES_CONFIG ]; then
+		success
+		# If we don't clear these first, we might be adding to
+		# pre-existing rules.
+		chains=`cat /proc/net/arp_tables_names 2>/dev/null`
+		echo -n $"Flushing all current rules and user defined chains:"
+		let ret=0
+		for i in $chains; do arptables -t $i -F; let ret+=$?; done
+		arptables -F
+		let ret+=$?
+		if [ $ret -eq 0 ]; then
+			success
+		else
+			failure
+		fi
+		echo
+		echo -n $"Clearing all current rules and user defined chains:"
+		let ret=0
+		for i in $chains; do arptables -t $i -X; let ret+=$?; done
+		arptables -X
+		let ret+=$?
+		if [ $ret -eq 0 ]; then
+			success
+		else
+			failure
+		fi
+		echo
+
+		for i in $chains; do arptables -t $i -Z; done
+
+		echo -n $"Applying arptables firewall rules: "
+		grep -v "^[[:space:]]*#" $ARPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/arptables-restore -c && \
+			success || \
+			failure
+		echo
+		touch /var/lock/subsys/arptables
+	else
+		failure
+		echo
+		echo $"Configuration file /etc/sysconfig/arptables missing"
+		exit 6
+	fi
+}
+
+stop() {
+	chains=`cat /proc/net/arp_tables_names 2>/dev/null`
+	echo -n $"Flushing all chains:"
+	let ret=0
+	for i in $chains; do arptables -t $i -F; let ret+=$?; done
+	arptables -F; let ret+=$?
+	if [ $ret -eq 0 ]; then
+		success
+	else
+		failure
+	fi
+	echo
+
+	echo -n $"Removing user defined chains:"
+	let ret=0
+	for i in $chains; do arptables -t $i -X; let ret+=$?; done
+	arptables -X; let ret+=$?
+	if [ $ret -eq 0 ]; then
+		success
+	else
+		failure
+	fi
+	echo
+	echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+	arp_table filter -P IN ACCEPT && \
+		arp_table filter -P OUT ACCEPT && \
+		success || \
+		failure
+	echo
+	rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+	start
+	;;
+
+stop)
+	stop
+	;;
+
+restart|reload)
+	# "restart" is really just "start" as this isn't a daemon,
+	# and "start" clears any pre-defined rules anyway.
+	# This is really only here to make those who expect it happy
+	start
+	;;
+
+condrestart|try-restart|force-reload)
+	[ -e /var/lock/subsys/arptables ] && start
+	;;
+
+	exit 2
+esac
+
+exit 0
diff --git a/arptables.service b/arptables.service
new file mode 100644
index 0000000..7bdb839
--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/arptables-helper start
+ExecStop=/sbin/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/arptables_jf.spec b/arptables_jf.spec
index d182fb5..55a2574 100644
--- a/arptables_jf.spec
+++ b/arptables_jf.spec
@@ -3,7 +3,7 @@ Summary: Userspace control program for the arptables network filter
 Name: arptables_jf
 
 Version: 0.0.8
-Release: 24%{?dist}
+Release: 25%{?dist}
 Source: %{name}-%{version}.tbz
 #Source1: Makefile
 #Source2: arptables.h
@@ -11,11 +11,13 @@ Source: %{name}-%{version}.tbz
 #Source4: libarptc.c
 #Source5: libarptc.h
 #Source6: arptables.init
+Source7: arptables.service
+Source8: arptables-helper
 Patch1: arptables_jf-0.0.8-2.6-kernel.patch
 Patch2: arptables_jf-0.0.8-man.patch
 Patch3: arptables_jf-0.0.8-warnings.patch
 Patch4: arptables_jf-0.0.8-header.patch
-Patch5: arptables_jf-0.0.8-initscript.patch
+#Patch5: arptables_jf-0.0.8-initscript.patch
 Patch6: arptables_jf-0.0.8-mangle.patch
 Patch7: arptables_jf-0.0.8-byteorder.patch
 Patch8: arptables_jf-0.0.8-dbl-opt.patch
@@ -30,8 +32,10 @@ BuildRequires: perl
 
 Requires: kernel >= 2.4.0
 
-Requires(post): chkconfig
-Requires(postun): chkconfig
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+Requires(post): systemd-sysv
 
 %description
 
@@ -47,7 +51,7 @@ install this package.
 %patch2 -p1 -b .man
 %patch3 -p1 -b .warnings
 %patch4 -p1 -b .header
-%patch5 -p1 -b .initscript
+#%patch5 -p1 -b .initscript
 %patch6 -p1 -b .mangle
 %patch7 -p1 -b .byteorder
 %patch8 -p1 -b .dbl-opt
@@ -58,26 +62,58 @@ make all LIBDIR=/%{_lib} 'COPT_FLAGS=%{optflags}' %{_smp_mflags}
 %install
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=%{buildroot} LIBDIR=/%{_lib}
+install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
+install -D -m 755 %{SOURCE8} %{buildroot}/sbin/
+rm -rf %{buildroot}%{_initrddir}
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+echo '#Configure prior to use' > %{buildroot}%{_sysconfdir}/sysconfig/arptables
+
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
 %post
-/sbin/chkconfig --add arptables_jf
+if [ $1 -eq 1 ] ; then 
+    # Initial installation 
+    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
 
 %preun
-if [ "$1" = 0 ]; then
-        /sbin/chkconfig --del arptables_jf
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable arptables.service > /dev/null 2>&1 || :
+    /bin/systemctl stop arptables.service > /dev/null 2>&1 || :
 fi
 
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart arptables.service >/dev/null 2>&1 || :
+fi
+
+%triggerun -- arptables_jf < 0.0.8-25
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply arptables
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save arptables >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del arptables >/dev/null 2>&1 || :
+/bin/systemctl try-restart arptables.service >/dev/null 2>&1 || :
+
+
 %files
 %defattr(-,root,root,0755)
-%attr(0755,root,root) /etc/rc.d/init.d/arptables_jf
 /sbin/arptables*
 %{_mandir}/*/arptables*
-
+%{_unitdir}/arptables.service
+%config(noreplace) %{_sysconfdir}/sysconfig/arptables
 
 %changelog
+* Fri May 11 2012 Jon Ciesla <limburgher at gmail.com> - 0.0.8-25
+- Migrate to systemd, BZ 754423.
+
 * Thu Jan 12 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.0.8-24
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

More information about the scm-commits mailing list