iptables-1.8.7-8

- iptables.init: Fix functionality for iptables-nft
- iptables.init: Ignore sysctl files not suffixed '.conf'
- iptables.init: Drop unused NEW_MODUTILS check
- iptables.init: Drop some trailing whitespace
This commit is contained in:
Phil Sutter 2021-05-07 18:33:08 +02:00
parent 2eea62dd86
commit 1f40634151
2 changed files with 40 additions and 19 deletions


@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then
exit 5 exit 5
fi fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
&& NEW_MODUTILS=1 \
|| NEW_MODUTILS=0
# Default firewall configuration: # Default firewall configuration:
IPTABLES_MODULES="" IPTABLES_MODULES=""
IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_STOP="no"
@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
# Load firewall configuration. # Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
is_iptables_nft() {
iptables --version | grep -q '(nf_tables)'
}
netfilter_active() {
is_iptables_nft && return 0
[ -e "$PROC_IPTABLES_NAMES" ]
}
netfilter_tables() {
netfilter_active || return 1
is_iptables_nft && {
# explicitly omit security table from this list as
# it should be reserved for SELinux use
echo "raw mangle filter nat"
return 0
}
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
}
# Get active tables # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) NF_TABLES=$(netfilter_tables)
flush_n_delete() { flush_n_delete() {
# Flush firewall rules and delete chains. # Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 netfilter_active || return 0
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1 [ -z "$NF_TABLES" ] && return 1
@ -113,10 +128,10 @@ set_policy() {
policy=$1 policy=$1
# Check if iptable module is loaded # Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 netfilter_active || return 0
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) tables=$(netfilter_tables)
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1
echo -n $"${IPTABLES}: Setting chains to policy $policy: " echo -n $"${IPTABLES}: Setting chains to policy $policy: "
@ -166,7 +181,7 @@ load_sysctl() {
echo -n $"Loading sysctl settings: " echo -n $"Loading sysctl settings: "
ret=0 ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
let ret+=$?; let ret+=$?;
done done
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
@ -217,7 +232,7 @@ start() {
return 1 return 1
fi fi
fi fi
# Load additional modules (helpers) # Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: " echo -n $"${IPTABLES}: Loading additional modules: "
@ -230,7 +245,7 @@ start() {
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
echo echo
fi fi
# Load sysctl settings # Load sysctl settings
load_sysctl load_sysctl
@ -240,7 +255,7 @@ start() {
stop() { stop() {
# Do not stop if iptables module is not loaded. # Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 netfilter_active || return 0
# Set default chain policy to ACCEPT, in order to not break shutdown # Set default chain policy to ACCEPT, in order to not break shutdown
# on systems where the default policy is DROP and root device is # on systems where the default policy is DROP and root device is
@ -248,14 +263,14 @@ stop() {
set_policy ACCEPT set_policy ACCEPT
# And then, flush the rules and delete chains # And then, flush the rules and delete chains
flush_n_delete flush_n_delete
rm -f $VAR_SUBSYS_IPTABLES rm -f $VAR_SUBSYS_IPTABLES
return $ret return $ret
} }
save() { save() {
# Check if iptable module is loaded # Check if iptable module is loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then if ! netfilter_active; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 0 return 0
fi fi
@ -298,7 +313,7 @@ save() {
} }
status() { status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
echo $"${IPTABLES}: Firewall is not running." echo $"${IPTABLES}: Firewall is not running."
return 3 return 3
fi fi
@ -306,7 +321,7 @@ status() {
# Do not print status if lockfile is missing and iptables modules are not # Do not print status if lockfile is missing and iptables modules are not
# loaded. # loaded.
# Check if iptable modules are loaded # Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then if ! netfilter_active; then
echo $"${IPTABLES}: Firewall modules are not loaded." echo $"${IPTABLES}: Firewall modules are not loaded."
return 3 return 3
fi fi
@ -319,7 +334,7 @@ status() {
NUM= NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE= VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT= COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
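Review bot: `is_iptables_nft` in the second hunk of iptables.init resolves a bare `iptables` through PATH, whereas the rest of the script addresses the managed binary as `$IPTABLES` and the first hunk's context shows it is only ever checked as `/sbin/$IPTABLES`; if this script is also run with IPTABLES=ip6tables, as the indirection suggests, the backend probe is then made against a different binary than the one being flushed and restored, and it is the one place where an unexpected PATH entry rather than the verified /sbin path decides what the script does. Changing the body to `/sbin/$IPTABLES --version 2>/dev/null | grep -q '(nf_tables)'` keeps the probe on the same binary the script already validated and hides the stderr noise if the call fails, in which case grep's non-zero status still falls through to the legacy `$PROC_IPTABLES_NAMES` check. The probe is also re-executed on every call — `netfilter_active` is reached from the `NF_TABLES` assignment at load time and again from `flush_n_delete`, `set_policy`, `stop`, `save` and `status` — so evaluating it once into a variable next to `NF_TABLES` would avoid spawning iptables several times per invocation, though that is a minor cost.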


@ -11,7 +11,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.7 Version: 1.8.7
Release: 7%{?dist} Release: 8%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2 Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -418,6 +418,12 @@ fi
%changelog %changelog
* Fri May 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
- iptables.init: Fix functionality for iptables-nft
- iptables.init: Ignore sysctl files not suffixed '.conf'
- iptables.init: Drop unused NEW_MODUTILS check
- iptables.init: Drop some trailing whitespace
* Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7 * Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7
- Add missing readlink required for iptables-nft(post) - Add missing readlink required for iptables-nft(post)