From 73bda1dbfa244a81aac32d620f030a130ff8bcda Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 2 Apr 2025 19:02:24 +0200
Subject: [PATCH] overlay coreos/config: Add Flatcar modifications for
 net-firewall/iptables

---
 .../coreos/config/env/net-firewall/iptables   | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-firewall/iptables

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-firewall/iptables b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-firewall/iptables
new file mode 100644
index 0000000000..61dd535c58
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-firewall/iptables
@@ -0,0 +1,56 @@
+# A hack to avoid removing ebtables binaries
+if [[ -z ${flatcar_hacked_rm:-} ]]; then
+    flatcar_hacked_rm=$(command -v rm)
+fi
+rm() {
+    local -a new_f=()
+    local f
+    for f; do
+        if [[ ${f} != */sbin/ebtables* ]]; then
+            new_f+=( "${f}" )
+        fi
+    done
+    "${flatcar_hacked_rm}" "${new_f[@]}"
+}
+
+# A hack to set iptables to xtables-nft-multi instead of
+# xtables-legacy-multi, and to avoid tinkering with arptables.
+if [[ -z ${flatcar_hacked_eselect:-} ]]; then
+    flatcar_hacked_eselect=$(command -v eselect)
+fi
+eselect() {
+    if [[ ${#} -gt 2 && ${1} = 'iptables' && ${2} = 'set' && ${3} = 'xtables-legacy-multi' ]]; then
+        elog "Ackchyually, we are setting it to xtables-nft-multi"
+        "${flatcar_hacked_eselect}" iptables set xtables-nft-multi
+    elif [[ ${#} -gt 1 && ${1} = 'arptables' && ${2} = 'show' ]]; then
+        # Nothing to do, we will just return success, so ebuild will
+        # not be doing anything with arptables
+        :
+    else
+        "${flatcar_hacked_eselect}" "${@}"
+    fi
+}
+
+cros_post_src_install_iptables_flatcar_modifications() {
+    # Drop the rest of the arptables binaries.
+    rm "${ED}"/sbin/arptables-{translate,nft{,-{save,restore}}} || die
+
+    # Gentoo upstream dropped the iptables & ip6tables services but we
+    # continue to ship them.
+    systemd_newunit - ip6tables.service <<EOF
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
+EOF
+    systemd_newunit - iptables.service <<EOF
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
+EOF
+}