iptables-1.8.7-8
- iptables.init: Fix functionality for iptables-nft - iptables.init: Ignore sysctl files not suffixed '.conf' - iptables.init: Drop unused NEW_MODUTILS check - iptables.init: Drop some trailing whitespace
This commit is contained in:
parent
2eea62dd86
commit
1f40634151
@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then
|
|||||||
exit 5
|
exit 5
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Old or new modutils
|
|
||||||
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
|
|
||||||
&& NEW_MODUTILS=1 \
|
|
||||||
|| NEW_MODUTILS=0
|
|
||||||
|
|
||||||
# Default firewall configuration:
|
# Default firewall configuration:
|
||||||
IPTABLES_MODULES=""
|
IPTABLES_MODULES=""
|
||||||
IPTABLES_SAVE_ON_STOP="no"
|
IPTABLES_SAVE_ON_STOP="no"
|
||||||
@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
|
|||||||
# Load firewall configuration.
|
# Load firewall configuration.
|
||||||
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
||||||
|
|
||||||
|
is_iptables_nft() {
|
||||||
|
iptables --version | grep -q '(nf_tables)'
|
||||||
|
}
|
||||||
|
|
||||||
|
netfilter_active() {
|
||||||
|
is_iptables_nft && return 0
|
||||||
|
[ -e "$PROC_IPTABLES_NAMES" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
netfilter_tables() {
|
||||||
|
netfilter_active || return 1
|
||||||
|
is_iptables_nft && {
|
||||||
|
# explicitly omit security table from this list as
|
||||||
|
# it should be reserved for SELinux use
|
||||||
|
echo "raw mangle filter nat"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
# Get active tables
|
# Get active tables
|
||||||
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
NF_TABLES=$(netfilter_tables)
|
||||||
|
|
||||||
|
|
||||||
flush_n_delete() {
|
flush_n_delete() {
|
||||||
# Flush firewall rules and delete chains.
|
# Flush firewall rules and delete chains.
|
||||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
netfilter_active || return 0
|
||||||
|
|
||||||
# Check if firewall is configured (has tables)
|
# Check if firewall is configured (has tables)
|
||||||
[ -z "$NF_TABLES" ] && return 1
|
[ -z "$NF_TABLES" ] && return 1
|
||||||
@ -113,10 +128,10 @@ set_policy() {
|
|||||||
policy=$1
|
policy=$1
|
||||||
|
|
||||||
# Check if iptable module is loaded
|
# Check if iptable module is loaded
|
||||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
netfilter_active || return 0
|
||||||
|
|
||||||
# Check if firewall is configured (has tables)
|
# Check if firewall is configured (has tables)
|
||||||
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
tables=$(netfilter_tables)
|
||||||
[ -z "$tables" ] && return 1
|
[ -z "$tables" ] && return 1
|
||||||
|
|
||||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||||
@ -166,7 +181,7 @@ load_sysctl() {
|
|||||||
echo -n $"Loading sysctl settings: "
|
echo -n $"Loading sysctl settings: "
|
||||||
ret=0
|
ret=0
|
||||||
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
||||||
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
|
fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
|
||||||
let ret+=$?;
|
let ret+=$?;
|
||||||
done
|
done
|
||||||
[ $ret -eq 0 ] && success || failure
|
[ $ret -eq 0 ] && success || failure
|
||||||
@ -217,7 +232,7 @@ start() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Load additional modules (helpers)
|
# Load additional modules (helpers)
|
||||||
if [ -n "$IPTABLES_MODULES" ]; then
|
if [ -n "$IPTABLES_MODULES" ]; then
|
||||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||||
@ -230,7 +245,7 @@ start() {
|
|||||||
[ $ret -eq 0 ] && success || failure
|
[ $ret -eq 0 ] && success || failure
|
||||||
echo
|
echo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Load sysctl settings
|
# Load sysctl settings
|
||||||
load_sysctl
|
load_sysctl
|
||||||
|
|
||||||
@ -240,7 +255,7 @@ start() {
|
|||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
# Do not stop if iptables module is not loaded.
|
# Do not stop if iptables module is not loaded.
|
||||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
netfilter_active || return 0
|
||||||
|
|
||||||
# Set default chain policy to ACCEPT, in order to not break shutdown
|
# Set default chain policy to ACCEPT, in order to not break shutdown
|
||||||
# on systems where the default policy is DROP and root device is
|
# on systems where the default policy is DROP and root device is
|
||||||
@ -248,14 +263,14 @@ stop() {
|
|||||||
set_policy ACCEPT
|
set_policy ACCEPT
|
||||||
# And then, flush the rules and delete chains
|
# And then, flush the rules and delete chains
|
||||||
flush_n_delete
|
flush_n_delete
|
||||||
|
|
||||||
rm -f $VAR_SUBSYS_IPTABLES
|
rm -f $VAR_SUBSYS_IPTABLES
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
save() {
|
save() {
|
||||||
# Check if iptable module is loaded
|
# Check if iptable module is loaded
|
||||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
if ! netfilter_active; then
|
||||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -298,7 +313,7 @@ save() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
status() {
|
status() {
|
||||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
|
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
|
||||||
echo $"${IPTABLES}: Firewall is not running."
|
echo $"${IPTABLES}: Firewall is not running."
|
||||||
return 3
|
return 3
|
||||||
fi
|
fi
|
||||||
@ -306,7 +321,7 @@ status() {
|
|||||||
# Do not print status if lockfile is missing and iptables modules are not
|
# Do not print status if lockfile is missing and iptables modules are not
|
||||||
# loaded.
|
# loaded.
|
||||||
# Check if iptable modules are loaded
|
# Check if iptable modules are loaded
|
||||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
if ! netfilter_active; then
|
||||||
echo $"${IPTABLES}: Firewall modules are not loaded."
|
echo $"${IPTABLES}: Firewall modules are not loaded."
|
||||||
return 3
|
return 3
|
||||||
fi
|
fi
|
||||||
@ -319,7 +334,7 @@ status() {
|
|||||||
|
|
||||||
NUM=
|
NUM=
|
||||||
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
|
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
|
||||||
VERBOSE=
|
VERBOSE=
|
||||||
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
|
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
|
||||||
COUNT=
|
COUNT=
|
||||||
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
||||||
|
@ -11,7 +11,7 @@ Name: iptables
|
|||||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||||
URL: https://www.netfilter.org/projects/iptables
|
URL: https://www.netfilter.org/projects/iptables
|
||||||
Version: 1.8.7
|
Version: 1.8.7
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||||
Source1: iptables.init
|
Source1: iptables.init
|
||||||
Source2: iptables-config
|
Source2: iptables-config
|
||||||
@ -418,6 +418,12 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
|
||||||
|
- iptables.init: Fix functionality for iptables-nft
|
||||||
|
- iptables.init: Ignore sysctl files not suffixed '.conf'
|
||||||
|
- iptables.init: Drop unused NEW_MODUTILS check
|
||||||
|
- iptables.init: Drop some trailing whitespace
|
||||||
|
|
||||||
* Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7
|
* Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7
|
||||||
- Add missing readlink required for iptables-nft(post)
|
- Add missing readlink required for iptables-nft(post)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user