From 31b7fdb7c5dd0d48ae32532a6f7e352831fe2e46 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Sat, 17 Dec 2016 18:01:20 +0100
Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run
---
 init.d/ip6tables | 2 +-
 init.d/iptables | 2 +-
 systemd/system/iptables-save.service | 15 +++++++++++++
 systemd/system/iptables-save.service.d | 1 +
 systemd/system/iptables.service | 18 ++++++++++++++++
 .../system/iptables.service.d/10iptables.conf | 21 +++++++++++++++++++
 6 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 systemd/system/iptables-save.service
 create mode 120000 systemd/system/iptables-save.service.d
 create mode 100644 systemd/system/iptables.service
 create mode 100644 systemd/system/iptables.service.d/10iptables.conf
diff --git a/init.d/ip6tables b/init.d/ip6tables
index 440e840c..a63d0768 100755
--- a/init.d/ip6tables
+++ b/init.d/ip6tables
@@ -1,7 +1,7 @@
 #!/sbin/runscript
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
 
 extra_commands="check save panic"
 extra_started_commands="reload"
diff --git a/init.d/iptables b/init.d/iptables
index 440e840c..a63d0768 100755
--- a/init.d/iptables
+++ b/init.d/iptables
@@ -1,7 +1,7 @@
 #!/sbin/runscript
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
 
 extra_commands="check save panic"
 extra_started_commands="reload"
diff --git a/systemd/system/iptables-save.service b/systemd/system/iptables-save.service
new file mode 100644
index 00000000..02588fa6
--- /dev/null
+++ b/systemd/system/iptables-save.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Save iptables firewall
+DefaultDependencies=no
+After=iptables.service
+# fail immediately if iptables.service has not been started
+Requisite=iptables.service
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/usr/local/lib/iptables-helper save
+
+[Install]
+WantedBy=shutdown.target
diff --git a/systemd/system/iptables-save.service.d b/systemd/system/iptables-save.service.d
new file mode 120000
index 00000000..6eb14290
--- /dev/null
+++ b/systemd/system/iptables-save.service.d
@@ -0,0 +1 @@
+/etc/systemd/system/iptables.service.d
\ No newline at end of file
diff --git a/systemd/system/iptables.service b/systemd/system/iptables.service
new file mode 100644
index 00000000..46f04a4b
--- /dev/null
+++ b/systemd/system/iptables.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=iptables firewall
+DefaultDependencies=false
+After=local-fs.target
+Before=basic.target
+# Note: shutdown is handled by iptables-save (if enabled)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/lib/iptables-helper start
+ExecReload=/usr/local/lib/iptables-helper reload
+ExecStop=/usr/local/lib/iptables-helper stop
+# Note: ExecRestart hasn't been implemented by systemd (yet)
+
+[Install]
+WantedBy=sysinit.target multi-user.target
+Also=iptables-save.service
diff --git a/systemd/system/iptables.service.d/10iptables.conf b/systemd/system/iptables.service.d/10iptables.conf
new file mode 100644
index 00000000..1133bdf2
--- /dev/null
+++ b/systemd/system/iptables.service.d/10iptables.conf
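Review bot: `ExecStart=/usr/local/lib/iptables-helper save` delegates the whole save step to a helper that lives outside the /etc tree this patch tracks and is not part of the commit, so the unit cannot be reviewed on its own: whether `save` writes the rule files atomically and with restrictive permissions decides whether the file iptables.service restores from at boot can be altered between shutdown and the next start. A comment above ExecStart recording that contract would help the next maintainer, e.g. `# save writes the IPTABLES_INIT/IP6TABLES_INIT files (see iptables.service.d) that iptables.service restores at boot; the helper itself is not tracked here`. The same untracked helper is used by iptables.service in the next hunk. `DefaultDependencies=no` here versus `DefaultDependencies=false` in iptables.service are both accepted by systemd, but one spelling across the pair reads better.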
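Review bot: `Before=basic.target` does not by itself guarantee that the rules are loaded before the network is configured: services that bring up interfaces with DefaultDependencies=no of their own (systemd-networkd, for example) are ordered against network-pre.target rather than basic.target, and systemd.special(7) names `network-pre.target` as the hook firewall units should order themselves before. Adding `Wants=network-pre.target` and `Before=network-pre.target` to [Unit] closes that window; keeping `Before=basic.target` alongside is harmless. `WantedBy=sysinit.target multi-user.target` is redundant, since sysinit.target already pulls the unit into every boot, though it does no harm. The missing Conflicts=shutdown.target (implied by `DefaultDependencies=false`) is what keeps the rules in place until the kernel halts, which the in-unit note about iptables-save relies on; a short comment next to `DefaultDependencies=false` saying so would make that deliberate choice visible.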
@@ -0,0 +1,21 @@
+[Service]
+
+# Files from which to initialize the ip*tables rules.
+# Personally, I like to keep all rules in one directory
+#Environment="IPTABLES_INIT=/var/lib/iptables/init-IPv4.rules"
+#Environment="IP6TABLES_INIT=/var/lib/iptables/init-IPv6.rules"
+# But these are the OpenRC defaults:
+Environment="IPTABLES_INIT=/var/lib/iptables/rules-save"
+Environment="IP6TABLES_INIT=/var/lib/ip6tables/rules-save"
+
+# At system shutdown (or systemctl start iptables-save), current rules are
+# saved to the above files per default.
+# This "Save as" functionality is very usefull for development or hardened
+# production servers; it allows to inspect the saved rules before applying
+# them for the next start/reload.
+# If you prefer never to save the rules at all, simply specify /dev/null here.
+#Environment="IPTABLES_SAVE_AS=/var/lib/iptables/inspect-IPv4.rules"
+#Environment="IP6TABLES_SAVE_AS=/var/lib/iptables/inspect-IPv6.rules"
+
+# Save & restore the counters [yes|no]?
+Environment="COUNTERS=yes"
-- 
2.39.5
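Review bot: With `IPTABLES_SAVE_AS`/`IP6TABLES_SAVE_AS` left commented out, the comment block states that the shutdown save goes to the `*_INIT` files, so restore source and save target are the same path: any change made to the live rule set while the system runs, deliberate or not, becomes the boot rule set at the next shutdown. For the "hardened production servers" case the comments themselves describe, that consequence deserves to be stated beside the two active Environment lines, e.g. `# With *_SAVE_AS unset, iptables-save overwrites these files at shutdown: runtime rule changes become the boot rule set. Set *_SAVE_AS to keep the boot rules fixed.` The helper that implements this behaviour is not in the commit, so confirm the default against it. In the prose, `usefull` should read `useful` and `it allows to inspect` reads better as `it allows inspecting`.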