Iptables (ipv4) Configuration and Startup

The XS needs to be able to handle network devices that come and go, and the firewall needs to be able to self configure after a new USB network dongle is attached.  (This note is to remind myself of the changes I needed to make for it to work during the migration from XS-0.7 to the XS-community edition).

I like the version convention recently used by OLPC, and also used by Ubuntu, of using the year.release number.  So perhaps this version is XS-CE.12.1.1.

XS-0.7 used a scheme which substituted for “@@wan@@”, “@@lan@@”, and “@@squid@@” tokens in /etc/sysconfig/olpc-scripts/iptables-xs. The format of this file is generated by the command “iptables-save”. But the substitutions seemed to cause the loading of the intermediate file via “iptables-restore” to fail.  (The iptables startup script in /usr/libexec requires this intermediate iptables format — the one generated by “iptables-save”). So I decided to start from a regular iptables bash script, and then generate the intermediate file format at each startup. This seems to work reliably.

Systemd responds to a unit service file link in /etc/systemd/system/multiuser-wants, which starts /usr/libexec/iptables.init, which in turn sources /etc/sysconfig/iptables-config. I modified this last file: it had called /usr/bin/xs-gen-iptables to do the token substitution and modify /etc/sysconfig/olpc-scripts/iptables-xs; I changed it to call /etc/sysconfig/olpc-scripts/firewall instead, which generates the same file.
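The approach above, as an added example (not the XS project's own firewall script): a shell script that fills the interface names in at generation time and emits the iptables-save format that iptables.init then loads with iptables-restore, so no @@wan@@/@@lan@@ tokens are left for a later substitution to break. The interface names, the rule set itself and the default-route heuristic in detect_wan are assumptions for illustration; only the output path comes from the page.

```shell
#!/bin/sh
# Added example, not the XS-CE firewall script. Builds the iptables-restore
# input that /usr/libexec/iptables.init loads at boot.
# Assumed: interfaces are passed as arguments; the rule set is a minimal
# "masquerade LAN behind WAN, drop unsolicited WAN input" policy.

# gen_rules WAN_IF LAN_IF : print iptables-save formatted rules for the two interfaces
gen_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# detect_wan : interface carrying the IPv4 default route, empty if none
# (assumed heuristic; a newly plugged USB dongle shows up here once it has a route)
detect_wan() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# write_rules WAN_IF LAN_IF OUTFILE : write the file iptables.init will restore,
# e.g. /etc/sysconfig/olpc-scripts/iptables-xs (the path named on the page)
write_rules() {
    gen_rules "$1" "$2" > "$3"
}
```

Called from /etc/sysconfig/iptables-config as `write_rules "$(detect_wan)" eth1 /etc/sysconfig/olpc-scripts/iptables-xs`, the file is regenerated on every startup, so a WAN interface that changed name since the last boot is picked up automatically.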
