I’ve pretty much tried all three of your options - with varying success rates.
Option 1 works reasonably well if you only do installs in your factory. I ended up having to do this as I couldn’t build a complete sdef image for the FX30 and needed to install multiple apps at the same time. But if you need to change the rules for some reason, then you have to physically go to each device and re-run the installer. Can get ugly.
Option 2 has got a couple of issues - the first is that even if you can successfully build a sdef image for the FX30 (which I haven’t yet been able to do for a number of reasons), that’s only the Legato bundle - not the Linux operating system (where the startup scripts are). Tweaking the Yocto build is somewhat more complex than building a sdef image - and I haven’t even tried rebuilding Yocto for the FX30. And then you have to reinstall both the yocto image and the legato sdef image - again, either a road trip to the device or a multi-megabyte FOTA download.
I settled on Option 3 - for each app that requires holes opened in the firewall, I add an additional `processes:` stanza to the adef file, and use that to execute a shell script that adds the iptables rules every time the app is started.
Something like this, added to app.adef:

```
processes: { run: { ( set-iptables.sh ) } }
bundles:
{
    file:
    {
        /* this is our script to config firewall */
        [x] root/bin/set-iptables.sh /bin/
    }
}
```
and then in the application build directory, create the directory `root/bin`, and in it create a shell script called `set-iptables.sh` containing:

```
/usr/sbin/iptables <blah blah blah>
```

where `<blah blah blah>` is the rule you want to apply.
Make sure that you INSERT (-I) the rules at the beginning of the chain, not APPEND (-A) them at the end, or they may be matched by the DROP rule that already exists at the end of the chain.
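As an added example (not the poster's own script), here is one way set-iptables.sh could be written so that the -I rule goes in at the head of the chain and, because the script runs on every app start, is checked with -C first so restarts do not pile up duplicate rules. The TCP port 8080, the INPUT chain, the /usr/sbin/iptables path and an iptables new enough to support -C are assumptions, not details from the post.

```shell
#!/bin/sh
# set-iptables.sh: constructed example of the script the adef run: line starts.
# Assumptions (not from the post): the app listens on TCP port 8080 and the
# iptables binary lives at /usr/sbin/iptables; both can be overridden via env.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
CHAIN="${CHAIN:-INPUT}"
PORT="${PORT:-8080}"

# Rule match/target for one port, i.e. everything after the chain name.
rule_spec() {
    printf '%s' "-p tcp --dport $1 -j ACCEPT"
}

# Insert (-I, at position 1) rather than append (-A): the chain already ends
# in a DROP rule, so an appended ACCEPT would never be reached. Check first
# (-C) so that re-running on every app start does not add duplicate rules.
ensure_rule() {
    port="$1"
    # Word-splitting of the spec into separate arguments is intended.
    if "$IPTABLES" -C "$CHAIN" $(rule_spec "$port") 2>/dev/null; then
        return 0                      # rule already present, nothing to do
    fi
    "$IPTABLES" -I "$CHAIN" 1 $(rule_spec "$port")
}

main() {
    ensure_rule "$PORT"
}

# Apply only when invoked as set-iptables.sh (as from the adef run: line);
# a sourced or renamed copy just defines the functions above.
case "$(basename "$0")" in
    set-iptables.sh) main ;;
esac
```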
I did it this way as then I was SURE that the rules would always be implemented every time the app started … no more head scratching about why the app stopped working after a reboot.
Hope this helps.