From 1f406341515f590a695a7c1bb7fb8253c6a7f37d Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 7 May 2021 18:33:08 +0200
Subject: [PATCH] iptables-1.8.7-8
- iptables.init: Fix functionality for iptables-nft
- iptables.init: Ignore sysctl files not suffixed '.conf'
- iptables.init: Drop unused NEW_MODUTILS check
- iptables.init: Drop some trailing whitespace
---
iptables.init | 51 +++++++++++++++++++++++++++++++++------------------
iptables.spec | 8 +++++++-
2 files changed, 40 insertions(+), 19 deletions(-)
diff --git a/iptables.init b/iptables.init
index 51155b0..ffbd742 100755
--- a/iptables.init
+++ b/iptables.init
@@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then exit 5 fi -# Old or new modutils -/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ - && NEW_MODUTILS=1 \ - || NEW_MODUTILS=0 - # Default firewall configuration: IPTABLES_MODULES="" IPTABLES_SAVE_ON_STOP="no"
@@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000 # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" +is_iptables_nft() { + iptables --version | grep -q '(nf_tables)' +} + +netfilter_active() { + is_iptables_nft && return 0 + [ -e "$PROC_IPTABLES_NAMES" ] +} + +netfilter_tables() { + netfilter_active || return 1 + is_iptables_nft && { + # explicitly omit security table from this list as + # it should be reserved for SELinux use + echo "raw mangle filter nat" + return 0 + } + cat "$PROC_IPTABLES_NAMES" 2>/dev/null +} + # Get active tables -NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) +NF_TABLES=$(netfilter_tables) flush_n_delete() { # Flush firewall rules and delete chains. - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 
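Review bot: `is_iptables_nft` runs a bare `iptables --version`, whereas the rest of the script resolves the tool through `/sbin/$IPTABLES` (see the `[ ! -x /sbin/$IPTABLES ]` check in the first hunk), so the nft detection depends on the init process's PATH and, if this file is also installed as the ip6tables script as the `$IPTABLES` indirection suggests, it tests the wrong binary; use the same path, `/sbin/$IPTABLES --version | grep -q '(nf_tables)'`. Because `netfilter_active` and `netfilter_tables` call it on every invocation and are reached from `flush_n_delete`, `set_policy`, `stop`, `save` and `status`, it is probably worth evaluating once next to `NF_TABLES=` and reusing the result. Note also that under iptables-nft `netfilter_tables` always prints the fixed list `raw mangle filter nat` whether or not those tables exist, so `NF_TABLES` is never empty there, the `[ -z "$NF_TABLES" ] && return 1` guard that follows (and `tables=$(netfilter_tables)` in `set_policy`, next hunk) no longer detects an unconfigured firewall, and later per-table commands may be issued against tables that do not exist yet. A comment on `netfilter_tables` making that explicit would help, e.g. `# with iptables-nft there is no kernel table list to read; report the tables this script manages`.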
@@ -113,10 +128,10 @@ set_policy() { policy=$1 # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Check if firewall is configured (has tables) - tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + tables=$(netfilter_tables) [ -z "$tables" ] && return 1 echo -n $"${IPTABLES}: Setting chains to policy $policy: "
@@ -166,7 +181,7 @@ load_sysctl() { echo -n $"Loading sysctl settings: " ret=0 for item in $IPTABLES_SYSCTL_LOAD_LIST; do - fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null + fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null let ret+=$?; done [ $ret -eq 0 ] && success || failure
@@ -217,7 +232,7 @@ start() { return 1 fi fi - + # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: "
@@ -230,7 +245,7 @@ start() { [ $ret -eq 0 ] && success || failure echo fi - + # Load sysctl settings load_sysctl
@@ -240,7 +255,7 @@ start() { stop() { # Do not stop if iptables module is not loaded. - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Set default chain policy to ACCEPT, in order to not break shutdown # on systems where the default policy is DROP and root device is
@@ -248,14 +263,14 @@ stop() { set_policy ACCEPT # And then, flush the rules and delete chains flush_n_delete - + rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded - if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + if ! netfilter_active; then echo -n $"${IPTABLES}: Nothing to save."; warning; echo return 0 fi
@@ -298,7 +313,7 @@ save() { } status() { - if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi 
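Review bot: `$item` is still passed unquoted in `fgrep -hs $item /etc/sysctl.d/*.conf`, and because fgrep matches fixed substrings anywhere on a line, a key that is a prefix of another key feeds the longer key's line into `sysctl -p -` as well. Quoting the variable and anchoring the match to the key position restricts it to the intended setting, e.g. `grep -hs -- "^[[:space:]]*$item[[:space:]]*=" /etc/sysctl.d/*.conf | sysctl -p - >/dev/null` (the dots in `$item` remain regex wildcards, which only loosens the match slightly). Limiting the search to `*.conf` is consistent with what `sysctl --system` honours, which deserves a comment on the line, e.g. `# only *.conf files are read, matching sysctl --system`. The body of `load_sysctl` continues outside the hunk.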
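Review bot: The new condition `if [ ! -f "$VAR_SUBSYS_IPTABLES" ]` makes `status` report "Firewall is not running" (exit 3) whenever the subsys lockfile is absent, even when tables and rules are loaded, where the old test also required `NF_TABLES` to be empty; presumably this is because `NF_TABLES` is never empty under iptables-nft, but it is a behaviour change for legacy hosts whose rules were loaded by other means, and monitoring keyed on the exit status will now see 3 there. The comment in the following hunk, `# Do not print status if lockfile is missing and iptables modules are not loaded.`, still describes the old logic and should be reworded, e.g. `# Without the subsys lockfile report "not running" even if rules are loaded; NF_TABLES is never empty with iptables-nft, so it cannot serve as a fallback.` In the same hunk the `Firewall modules are not loaded.` branch behind `if ! netfilter_active` can no longer be reached under iptables-nft, since `netfilter_active` always succeeds there, which is worth a word in its `# Check if iptable modules are loaded` comment. `status` continues past this hunk.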
@@ -306,7 +321,7 @@ status() { # Do not print status if lockfile is missing and iptables modules are not # loaded. # Check if iptable modules are loaded - if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + if ! netfilter_active; then echo $"${IPTABLES}: Firewall modules are not loaded." return 3 fi
@@ -319,7 +334,7 @@ status() { NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" - VERBOSE= + VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
diff --git a/iptables.spec b/iptables.spec
index 64f594f..498fc7f 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 7%{?dist} +Release: 8%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config
@@ -418,6 +418,12 @@ fi %changelog +* Fri May 07 2021 Phil Sutter - 1.8.7-8 +- iptables.init: Fix functionality for iptables-nft +- iptables.init: Ignore sysctl files not suffixed '.conf' +- iptables.init: Drop unused NEW_MODUTILS check +- iptables.init: Drop some trailing whitespace + * Mon Mar 29 2021 Damian Wrobel - 1.8.7-7 - Add missing readlink required for iptables-nft(post)