rpms/iptables
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- do not start ip6tables if ipv6 is blacklisted (rhbz#236888)

Browse Source 
- use simpler fix for (rhbz#295611) Thanks to Linus Torvalds for the patch.
This commit is contained in:
Thomas Woerner 2007-09-26 15:59:58 +00:00
parent b467a216c0
commit 0396e7e145
2 changed files with 13 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
iptables.init
View File

@ -32,6 +32,12 @@ if [ ! -x /sbin/$IPTABLES ]; then
exit 5 exit 5
fi fi
if [ "${IPV}" = "ip6" ] \
&& grep -qIs "^blacklist\W${_IPV}" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"$0: ${_IPV} is blacklisted."
exit 0
fi
# Old or new modutils # Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \ /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
&& NEW_MODUTILS=1 \ && NEW_MODUTILS=1 \
@ -52,26 +58,9 @@ IPTABLES_STATUS_NUMERIC="yes"
NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV}) NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6 NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
# Are netfilter modules loaded?
MODULES_LOADED=0
for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
$(lsmod | grep -q ^${mod} | awk '{print $1}')
if [ $? -eq 0 ]; then
MODULES_LOADED=1
break
fi
done
# Get active tables # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
# Is netfilter compiled into the kernel?
[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
# Get status (quicker than status function and honour lock file)
[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
-o -z "$NF_TABLES" ] && running=0 || running=1
rmmod_r() { rmmod_r() {
# Unload module with all referring modules. # Unload module with all referring modules.
@ -324,13 +313,11 @@ restart() {
case "$1" in case "$1" in
start) start)
[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0 [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start start
RETVAL=$? RETVAL=$?
;; ;;
stop) stop)
# stop firewall, even if manually configured
[ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop stop
RETVAL=$? RETVAL=$?
@ -340,7 +327,7 @@ case "$1" in
RETVAL=$? RETVAL=$?
;; ;;
condrestart|try-restart) condrestart|try-restart)
[ $running -eq 1 ] || exit 0 [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart restart
RETVAL=$? RETVAL=$?
;; ;;

5
iptables.spec
View File

@ -153,6 +153,11 @@ fi
%endif %endif
%changelog %changelog
* Wed Sep 26 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4.1
- do not start ip6tables if ipv6 is blacklisted (rhbz#236888)
- use simpler fix for (rhbz#295611)
Thanks to Linus Torvalds for the patch.
* Mon Sep 24 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4 * Mon Sep 24 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4
- fixed IPv6 reject type (rhbz#295181) - fixed IPv6 reject type (rhbz#295181)
- fixed init script: start, stop and status - fixed init script: start, stop and status