iptables-1.8.7-8
- iptables.init: Fix functionality for iptables-nft - iptables.init: Ignore sysctl files not suffixed '.conf' - iptables.init: Drop unused NEW_MODUTILS check - iptables.init: Drop some trailing whitespace
This commit is contained in:
Phil Sutter
parent
2eea62dd86
commit
1f40634151
@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then
|
||||
exit 5
|
||||
fi
|
||||
|
||||
# Old or new modutils
|
||||
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
|
||||
&& NEW_MODUTILS=1 \
|
||||
|| NEW_MODUTILS=0
|
||||
|
||||
# Default firewall configuration:
|
||||
IPTABLES_MODULES=""
|
||||
IPTABLES_SAVE_ON_STOP="no"
|
||||
@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
|
||||
# Load firewall configuration.
|
||||
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
||||
|
||||
is_iptables_nft() {
|
||||
iptables --version | grep -q '(nf_tables)'
|
||||
}
|
||||
|
||||
netfilter_active() {
|
||||
is_iptables_nft && return 0
|
||||
[ -e "$PROC_IPTABLES_NAMES" ]
|
||||
}
|
||||
|
||||
netfilter_tables() {
|
||||
netfilter_active || return 1
|
||||
is_iptables_nft && {
|
||||
# explicitly omit security table from this list as
|
||||
# it should be reserved for SELinux use
|
||||
echo "raw mangle filter nat"
|
||||
return 0
|
||||
}
|
||||
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
|
||||
}
|
||||
|
||||
# Get active tables
|
||||
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
NF_TABLES=$(netfilter_tables)
|
||||
|
||||
|
||||
flush_n_delete() {
|
||||
# Flush firewall rules and delete chains.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
@ -113,10 +128,10 @@ set_policy() {
|
||||
policy=$1
|
||||
|
||||
# Check if iptable module is loaded
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
tables=$(netfilter_tables)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||
@ -166,7 +181,7 @@ load_sysctl() {
|
||||
echo -n $"Loading sysctl settings: "
|
||||
ret=0
|
||||
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
||||
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
|
||||
fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
|
||||
let ret+=$?;
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
@ -217,7 +232,7 @@ start() {
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
@ -230,7 +245,7 @@ start() {
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
|
||||
|
||||
# Load sysctl settings
|
||||
load_sysctl
|
||||
|
||||
@ -240,7 +255,7 @@ start() {
|
||||
|
||||
stop() {
|
||||
# Do not stop if iptables module is not loaded.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Set default chain policy to ACCEPT, in order to not break shutdown
|
||||
# on systems where the default policy is DROP and root device is
|
||||
@ -248,14 +263,14 @@ stop() {
|
||||
set_policy ACCEPT
|
||||
# And then, flush the rules and delete chains
|
||||
flush_n_delete
|
||||
|
||||
|
||||
rm -f $VAR_SUBSYS_IPTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
save() {
|
||||
# Check if iptable module is loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
if ! netfilter_active; then
|
||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||
return 0
|
||||
fi
|
||||
@ -298,7 +313,7 @@ save() {
|
||||
}
|
||||
|
||||
status() {
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
|
||||
echo $"${IPTABLES}: Firewall is not running."
|
||||
return 3
|
||||
fi
|
||||
@ -306,7 +321,7 @@ status() {
|
||||
# Do not print status if lockfile is missing and iptables modules are not
|
||||
# loaded.
|
||||
# Check if iptable modules are loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
if ! netfilter_active; then
|
||||
echo $"${IPTABLES}: Firewall modules are not loaded."
|
||||
return 3
|
||||
fi
|
||||
@ -319,7 +334,7 @@ status() {
|
||||
|
||||
NUM=
|
||||
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
|
||||
VERBOSE=
|
||||
VERBOSE=
|
||||
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
|
||||
COUNT=
|
||||
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
||||
|
||||
@ -11,7 +11,7 @@ Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -418,6 +418,12 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri May 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
|
||||
- iptables.init: Fix functionality for iptables-nft
|
||||
- iptables.init: Ignore sysctl files not suffixed '.conf'
|
||||
- iptables.init: Drop unused NEW_MODUTILS check
|
||||
- iptables.init: Drop some trailing whitespace
|
||||
|
||||
* Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7
|
||||
- Add missing readlink required for iptables-nft(post)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user