From 6f17c38c088bcc3310f3170436ac5bc28b00df2d Mon Sep 17 00:00:00 2001
From: Andre Fernando Zanella Kantek
Date: Wed, 13 Apr 2022 15:21:42 -0300
Subject: [PATCH] Add iptables config customization package support for Debian

This package adds the configuration files needed to start the iptables and ip6tables services. On Debian bullseye the filtering is implemented with nftables, with iptables and ip6tables being aliases the former.
Test plan:
PASS: build starlingx-debian ISO
PASS: install starlingx-debian ISO on virtualbox
Story: 2009965
Task: 45082
Signed-off-by: Andre Fernando Zanella Kantek
Change-Id: Idd4e86ba671c34e872a00288ca126aee6deaa5b5
---
 debian_pkg_dirs | 1 +
 iptables-config/debian/deb_folder/changelog | 5 ++++
 iptables-config/debian/deb_folder/control | 13 +++++++++
 iptables-config/debian/deb_folder/copyright | 27 +++++++++++++++++++
 .../debian/deb_folder/iptables-config.install | 2 ++
 iptables-config/debian/deb_folder/postinst | 16 +++++++++++
 iptables-config/debian/deb_folder/rules | 5 ++++
 .../debian/deb_folder/source/format | 1 +
 iptables-config/debian/meta_data.yaml | 7 +++++
 iptables-config/source-debian/ip6tables.rules | 8 ++++++
 iptables-config/source-debian/iptables.rules | 8 ++++++
 11 files changed, 93 insertions(+)
 create mode 100644 iptables-config/debian/deb_folder/changelog
 create mode 100644 iptables-config/debian/deb_folder/control
 create mode 100644 iptables-config/debian/deb_folder/copyright
 create mode 100644 iptables-config/debian/deb_folder/iptables-config.install
 create mode 100644 iptables-config/debian/deb_folder/postinst
 create mode 100644 iptables-config/debian/deb_folder/rules
 create mode 100644 iptables-config/debian/deb_folder/source/format
 create mode 100644 iptables-config/debian/meta_data.yaml
 create mode 100644 iptables-config/source-debian/ip6tables.rules
 create mode 100644 iptables-config/source-debian/iptables.rules
diff --git a/debian_pkg_dirs b/debian_pkg_dirs
index 1558bf9..27b4d4b 100644
--- a/debian_pkg_dirs
+++ b/debian_pkg_dirs
@@ -4,6 +4,7 @@ dhcp-config
 dnsmasq-config
 docker-config
 initscripts-config
+iptables-config
 lighttpd-config
 lvm2-config
 memcached-custom
diff --git a/iptables-config/debian/deb_folder/changelog b/iptables-config/debian/deb_folder/changelog
new file mode 100644
index 0000000..2876332
--- /dev/null
+++ b/iptables-config/debian/deb_folder/changelog
@@ -0,0 +1,5 @@
+iptables-config (1.0-1) unstable; urgency=medium
+
+ * Initial release
+
+ -- Andre Kantek Wed, 13 Apr 2022 08:50:58 -0300
diff --git a/iptables-config/debian/deb_folder/control b/iptables-config/debian/deb_folder/control
new file mode 100644
index 0000000..155d774
--- /dev/null
+++ b/iptables-config/debian/deb_folder/control
@@ -0,0 +1,13 @@
+Source: iptables-config
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: iptables-config
+Architecture: any
+Depends: ${misc:Depends}, iptables, iptables-persistent, nftables
+Description: StarlingX configuration files - iptables-config
+ Package of iptables-config to system folder.
diff --git a/iptables-config/debian/deb_folder/copyright b/iptables-config/debian/deb_folder/copyright
new file mode 100644
index 0000000..715746f
--- /dev/null
+++ b/iptables-config/debian/deb_folder/copyright
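Review bot: In iptables-config/debian/deb_folder/control the `Depends:` line pulls in both `iptables-persistent` and `nftables`, and the postinst added by this patch enables `nftables.service` alongside the iptables units, so two loaders end up managing the same nftables-backed ruleset at boot. On a stock Debian install the packaged /etc/nftables.conf begins with `flush ruleset`, so whichever service runs last decides what is actually loaded, and nothing in this patch pins that ordering. Either keep `nftables.service` out of the boot path or add a comment above `Depends:` stating which loader is authoritative. Separately, the package ships only rule files and a maintainer script, so `Architecture: all` looks more accurate than `Architecture: any`.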
@@ -0,0 +1,27 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: iptables-config
+Source: https://opendev.org/starlingx/config-files
+
+Files: *
+Copyright: (c) 2013-2021 Wind River Systems, Inc
+License: Apache-2
+
+Files: debian/*
+Copyright: 2021 Wind River Systems, Inc
+License: Apache-2
+
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
\ No newline at end of file
diff --git a/iptables-config/debian/deb_folder/iptables-config.install b/iptables-config/debian/deb_folder/iptables-config.install
new file mode 100644
index 0000000..2a3484d
--- /dev/null
+++ b/iptables-config/debian/deb_folder/iptables-config.install
@@ -0,0 +1,2 @@
+iptables.rules usr/share/starlingx
+ip6tables.rules usr/share/starlingx
\ No newline at end of file
diff --git a/iptables-config/debian/deb_folder/postinst b/iptables-config/debian/deb_folder/postinst
new file mode 100644
index 0000000..a92cf34
--- /dev/null
+++ b/iptables-config/debian/deb_folder/postinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+cp -f /usr/share/starlingx/iptables.rules /etc/iptables/rules.v4
+chmod 600 /etc/iptables/rules.v4
+cp -f /usr/share/starlingx/ip6tables.rules /etc/iptables/rules.v6
+chmod 600 /etc/iptables/rules.v6
+
+systemctl unmask nftables.service
+systemctl enable nftables.service >/dev/null 2>&1 || :
+
+systemctl unmask iptables.service ip6tables.service
+systemctl enable iptables.service ip6tables.service >/dev/null 2>&1 || :
+
+#DEBHELPER#
diff --git a/iptables-config/debian/deb_folder/rules b/iptables-config/debian/deb_folder/rules
new file mode 100644
index 0000000..ed58acc
--- /dev/null
+++ b/iptables-config/debian/deb_folder/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+%:
+ dh $@
diff --git a/iptables-config/debian/deb_folder/source/format b/iptables-config/debian/deb_folder/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/iptables-config/debian/deb_folder/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/iptables-config/debian/meta_data.yaml b/iptables-config/debian/meta_data.yaml
new file mode 100644
index 0000000..0e49e4e
--- /dev/null
+++ b/iptables-config/debian/meta_data.yaml
@@ -0,0 +1,7 @@
+---
+debname: iptables-config
+debver: 1.0-1
+src_path: source-debian
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/iptables-config/source-debian/ip6tables.rules b/iptables-config/source-debian/ip6tables.rules
new file mode 100644
index 0000000..9ba9a26
--- /dev/null
+++ b/iptables-config/source-debian/ip6tables.rules
@@ -0,0 +1,8 @@
+# system default rules
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:INPUT-custom-pre - [0:0]
+:INPUT-custom-post - [0:0]
+COMMIT
diff --git a/iptables-config/source-debian/iptables.rules b/iptables-config/source-debian/iptables.rules
new file mode 100644
index 0000000..9ba9a26
--- /dev/null
+++ b/iptables-config/source-debian/iptables.rules
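Review bot: The postinst in iptables-config/debian/deb_folder/postinst copies the packaged rule files over /etc/iptables/rules.v4 and rules.v6 on every invocation because it never looks at `$1` or `$2`, so an upgrade or an `abort-upgrade` call replaces whatever ruleset the host had saved with the packaged one, whose policies are all ACCEPT. Gating the copy on `configure` with an empty `$2` (first install) avoids that, and `install -m 600` creates each file with its final mode instead of narrowing it after `cp`. If overwriting on upgrade is intended because another component owns the live rules, a comment saying so would settle it. The `systemctl enable` calls also discard both output and exit status, so a missing `iptables.service` or `ip6tables.service` unit would go unnoticed; a comment on why that failure is acceptable would help.

```shell
case "$1" in
    configure)
        # Seed the persistent rule files on first install only ($2 is empty),
        # so an upgrade does not replace rules saved on the host.
        if [ -z "$2" ]; then
            install -m 600 /usr/share/starlingx/iptables.rules /etc/iptables/rules.v4
            install -m 600 /usr/share/starlingx/ip6tables.rules /etc/iptables/rules.v6
        fi
        # … unchanged: systemctl unmask/enable for nftables, iptables, ip6tables …
        ;;
esac
```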
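Review bot: iptables-config/source-debian/ip6tables.rules (and the identical iptables.rules that follows in this patch) sets INPUT, FORWARD and OUTPUT to policy ACCEPT and loads no rules, so once postinst installs these as /etc/iptables/rules.v6 and rules.v4 the host filters nothing until some other component adds rules. The chains `INPUT-custom-pre` and `INPUT-custom-post` are declared but nothing in INPUT jumps to them, so rules placed there would not be evaluated as the file stands. The header `# system default rules` should say this, for example `# Placeholder ruleset: default ACCEPT, no filtering; real rules are expected to be applied later (confirm by which component)`. If nothing else applies rules, a stateful default-drop baseline for INPUT would be the safer shipped default.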
@@ -0,0 +1,8 @@
+# system default rules
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:INPUT-custom-pre - [0:0]
+:INPUT-custom-post - [0:0]
+COMMIT