#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Id$
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
extra_commands="check save panic"
extra_started_commands="reload"
#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Id$
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
extra_commands="check save panic"
extra_started_commands="reload"
--- /dev/null
+[Unit]
+Description=Save iptables firewall
+DefaultDependencies=no
+After=iptables.service
+# fail immediately if iptables.service has not been started
+Requisite=iptables.service
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/usr/local/lib/iptables-helper save
+
+[Install]
+WantedBy=shutdown.target
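Review bot: The save only captures the live ruleset if iptables.service is still active when this unit starts at shutdown, and nothing in the `[Unit]` section records that assumption. As far as I can tell it holds only because iptables.service sets `DefaultDependencies=false` and so is not stopped by shutdown.target. If it were stopped in the same transaction, systemd would run its stop job before this start job despite `After=iptables.service`, and the helper would save whatever `stop` leaves behind. I would add a comment above `After=`: `# relies on iptables.service staying active at shutdown; do not add Conflicts=shutdown.target to it`. The helper is not part of this hunk, so what `save` actually writes cannot be checked here.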
--- /dev/null
+/etc/systemd/system/iptables.service.d
\ No newline at end of file
--- /dev/null
+[Unit]
+Description=iptables firewall
+DefaultDependencies=false
+After=local-fs.target
+Before=basic.target
+# Note: shutdown is handled by iptables-save (if enabled)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/lib/iptables-helper start
+ExecReload=/usr/local/lib/iptables-helper reload
+ExecStop=/usr/local/lib/iptables-helper stop
+# Note: ExecRestart hasn't been implemented by systemd (yet)
+
+[Install]
+WantedBy=sysinit.target multi-user.target
+Also=iptables-save.service
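Review bot: `Before=basic.target` does not guarantee that the rules are loaded before interfaces come up, because network managers that disable default dependencies are not ordered after basic.target. systemd provides network-pre.target for firewall units, so in `[Unit]` I would add `Wants=network-pre.target` and `Before=network-pre.target`. Separately, a failing `ExecStart` lets the boot continue with the kernel's built-in chain policy, which is ACCEPT unless something else has set it. A comment should say whether that fail-open behaviour is intended. `DefaultDependencies=false` here versus `DefaultDependencies=no` in iptables-save.service is only a spelling inconsistency, but one form should be used throughout.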
--- /dev/null
+[Service]
+
+# Files from which to initialize the ip*tables rules.
+# Personally, I like to keep all rules in one directory
+#Environment="IPTABLES_INIT=/var/lib/iptables/init-IPv4.rules"
+#Environment="IP6TABLES_INIT=/var/lib/iptables/init-IPv6.rules"
+# But these are the OpenRC defaults:
+Environment="IPTABLES_INIT=/var/lib/iptables/rules-save"
+Environment="IP6TABLES_INIT=/var/lib/ip6tables/rules-save"
+
+# At system shutdown (or systemctl start iptables-save), current rules are
+# saved to the above files per default.
+# This "Save as" functionality is very usefull for development or hardened
+# production servers; it allows to inspect the saved rules before applying
+# them for the next start/reload.
+# If you prefer never to save the rules at all, simply specify /dev/null here.
+#Environment="IPTABLES_SAVE_AS=/var/lib/iptables/inspect-IPv4.rules"
+#Environment="IP6TABLES_SAVE_AS=/var/lib/iptables/inspect-IPv6.rules"
+
+# Save & restore the counters [yes|no]?
+Environment="COUNTERS=yes"
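Review bot: With the defaults active here, the shutdown save writes to the same files that `IPTABLES_INIT` and `IP6TABLES_INIT` load at the next boot, so any rule changed at runtime, intended or not, becomes persistent without review. The comment block presents `IPTABLES_SAVE_AS` as the option for hardened servers but leaves it commented out. I would state the consequence next to the defaults, for example `# NOTE: unless *_SAVE_AS is set, the running ruleset overwrites the init files at shutdown`. These files determine the host's firewall policy, so the comments could also say that they and their directories must be writable by root only. The helper that reads these variables is not in this diff, so whether it checks ownership or mode is unknown.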