From 311316e4334f955982ca0f5d2f05047cdbfc6147 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=A0abata?= Date: Thu, 15 Oct 2020 13:44:19 +0200 Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/iptables#fb677ca83cc1a1ad64e67ae869318c8909650c47 --- .gitignore | 6 + ...iptables-apply-not-getting-installed.patch | 42 + ...mat-security-fixes-in-libip-6-t_icmp.patch | 60 + ...ate-don-t-fail-if-help-was-requested.patch | 58 + ...eck-consistency-with-NFT_CL_FAKE-too.patch | 40 + ...mand-name-in-ip6tables-error-message.patch | 45 + arptables-nft-helper | 76 + iptables-config | 59 + iptables.init | 435 +++++ iptables.service | 18 + iptables.spec | 1574 +++++++++++++++++ sources | 1 + sysconfig_ip6tables | 15 + sysconfig_iptables | 14 + tests/NFQUEUE-queue-bypass/Makefile | 63 + tests/NFQUEUE-queue-bypass/PURPOSE | 4 + tests/NFQUEUE-queue-bypass/runtest.sh | 54 + .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 65 + .../Makefile | 63 + .../PURPOSE | 4 + .../rules.in | 50 + .../runtest.sh | 73 + .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 136 ++ .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 111 ++ tests/initscript-sanity/Makefile | 63 + tests/initscript-sanity/PURPOSE | 4 + tests/initscript-sanity/runtest.sh | 56 + tests/inventory | 3 + .../Makefile | 62 + .../PURPOSE | 4 + .../runtest.sh | 85 + .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 53 + .../Makefile | 63 + .../PURPOSE | 4 + .../env.sh | 20 + .../runtest.sh | 83 + .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 78 + .../Makefile | 63 + .../iptables-save-cuts-space-before-j/PURPOSE | 4 + .../runtest.sh | 61 + tests/iptables-save-modprobe-option/Makefile | 63 + tests/iptables-save-modprobe-option/PURPOSE | 4 + .../iptables-save-modprobe-option/runtest.sh | 42 + tests/tests.yml | 91 + .../Makefile | 63 + .../PURPOSE | 4 + .../runtest.sh | 54 + 57 files changed, 4428 insertions(+) create mode 100644 
0001-build-resolve-iptables-apply-not-getting-installed.patch create mode 100644 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch create mode 100644 0002-xtables-translate-don-t-fail-if-help-was-requested.patch create mode 100644 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch create mode 100644 0004-nft-Fix-command-name-in-ip6tables-error-message.patch create mode 100644 arptables-nft-helper create mode 100644 iptables-config create mode 100755 iptables.init create mode 100644 iptables.service create mode 100644 iptables.spec create mode 100644 sources create mode 100644 sysconfig_ip6tables create mode 100644 sysconfig_iptables create mode 100644 tests/NFQUEUE-queue-bypass/Makefile create mode 100644 tests/NFQUEUE-queue-bypass/PURPOSE create mode 100755 tests/NFQUEUE-queue-bypass/runtest.sh create mode 100644 tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile create mode 100644 tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE create mode 100755 tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh create mode 100644 tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile create mode 100644 tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE create mode 100644 tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in create mode 100755 tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh create mode 100644 tests/TRACE-target-of-iptables-can-t-work-in/Makefile create mode 100644 tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE create mode 100755 tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh create mode 100644 tests/backport-iptables-add-libxt-cgroup-frontend/Makefile create mode 100644 tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE create mode 100755 tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh create mode 100644 tests/initscript-sanity/Makefile create mode 100644 tests/initscript-sanity/PURPOSE create mode 100755 tests/initscript-sanity/runtest.sh create mode 
100755 tests/inventory create mode 100644 tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile create mode 100644 tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE create mode 100755 tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh create mode 100644 tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile create mode 100644 tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE create mode 100755 tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh create mode 100644 tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile create mode 100644 tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE create mode 100644 tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh create mode 100755 tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh create mode 100644 tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile create mode 100644 tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE create mode 100755 tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh create mode 100644 tests/iptables-save-cuts-space-before-j/Makefile create mode 100644 tests/iptables-save-cuts-space-before-j/PURPOSE create mode 100755 tests/iptables-save-cuts-space-before-j/runtest.sh create mode 100644 tests/iptables-save-modprobe-option/Makefile create mode 100644 tests/iptables-save-modprobe-option/PURPOSE create mode 100755 tests/iptables-save-modprobe-option/runtest.sh create mode 100644 tests/tests.yml create mode 100644 tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile create mode 100644 tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE create mode 100755 tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh diff --git a/.gitignore b/.gitignore index e69de29..ae4c970 100644 --- a/.gitignore +++ b/.gitignore 
@@ -0,0 +1,6 @@ +/iptables-1.6.2.tar.bz2 +/iptables-1.8.0.tar.bz2 +/iptables-1.8.2.tar.bz2 +/iptables-1.8.3.tar.bz2 +/iptables-1.8.4.tar.bz2 +/iptables-1.8.5.tar.bz2 diff --git a/0001-build-resolve-iptables-apply-not-getting-installed.patch b/0001-build-resolve-iptables-apply-not-getting-installed.patch new file mode 100644 index 0000000..26e08db --- /dev/null +++ b/0001-build-resolve-iptables-apply-not-getting-installed.patch @@ -0,0 +1,42 @@ +From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Wed, 3 Jun 2020 15:38:48 +0200 +Subject: [PATCH] build: resolve iptables-apply not getting installed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ip6tables-apply gets installed but iptables-apply does not. +That is wrong. + +» make install DESTDIR=$PWD/r +» find r -name "*app*" +r/usr/local/sbin/ip6tables-apply +r/usr/local/share/man/man8/iptables-apply.8 +r/usr/local/share/man/man8/ip6tables-apply.8 + +Fixes: v1.8.5~87 +Signed-off-by: Jan Engelhardt +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b) +Signed-off-by: Phil Sutter +--- + iptables/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/Makefile.am b/iptables/Makefile.am +index dc66b3cc09c08..2024dbf5cb88c 100644 +--- a/iptables/Makefile.am ++++ b/iptables/Makefile.am +@@ -56,7 +56,7 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ + ip6tables-save.8 iptables-extensions.8 \ + iptables-apply.8 ip6tables-apply.8 + +-sbin_SCRIPT = iptables-apply ++sbin_SCRIPTS = iptables-apply + + if ENABLE_NFTABLES + man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ +-- +2.27.0 + diff --git a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch new file mode 100644 index 0000000..1bdbbd1 --- /dev/null 
+++ b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch 
@@ -0,0 +1,60 @@ +From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= +Date: Wed, 14 Nov 2018 07:35:28 +0100 +Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") +introduced support for gcc feature to check format string against passed +argument. This commit adds missing bits to extenstions's libipt_icmp.c +and libip6t_icmp6.c that were causing build to fail. + +Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") +Signed-off-by: Adam Gołębiowski +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Phil Sutter +--- + extensions/libip6t_icmp6.c | 4 ++-- + extensions/libipt_icmp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c +index 45a71875722c4..cc7bfaeb72fd7 100644 +--- a/extensions/libip6t_icmp6.c ++++ b/extensions/libip6t_icmp6.c +@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + type_name = icmp6_type_xlate(icmptype); + + if (type_name) { +- xt_xlate_add(xl, type_name); ++ xt_xlate_add(xl, "%s", type_name); + } else { + for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) + if (icmpv6_codes[i].type == icmptype && +@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + break; + + if (i != ARRAY_SIZE(icmpv6_codes)) +- xt_xlate_add(xl, icmpv6_codes[i].name); ++ xt_xlate_add(xl, "%s", icmpv6_codes[i].name); + else + return 0; + } +diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c +index 5418997668d4c..e76257c54708c 100644 +--- a/extensions/libipt_icmp.c ++++ b/extensions/libipt_icmp.c +@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + if (icmp_codes[i].type == 
icmptype && + icmp_codes[i].code_min == code_min && + icmp_codes[i].code_max == code_max) { +- xt_xlate_add(xl, icmp_codes[i].name); ++ xt_xlate_add(xl, "%s", icmp_codes[i].name); + return 1; + } + } +-- +2.21.0 + diff --git a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch new file mode 100644 index 0000000..4fcb549 --- /dev/null +++ b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch 
@@ -0,0 +1,58 @@ +From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez +Date: Tue, 16 Jun 2020 11:20:42 +0200 +Subject: [PATCH] xtables-translate: don't fail if help was requested + +If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle +this case in do_command_xlate(). + +Before this patch, you would see: + + user@debian:~$ sudo iptables-translate -h + [..] + nft Unsupported command? + user@debian:~$ echo $? + 1 + +After this patch: + + user@debian:~$ sudo iptables-translate -h + [..] + user@debian:~$ echo $? + 0 + +Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts") +Acked-by: Phil Sutter +Signed-off-by: Arturo Borrero Gonzalez +(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069) +Signed-off-by: Phil Sutter +--- + iptables/xtables-translate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c +index 5aa42496b5a48..363c8be15b3fa 100644 +--- a/iptables/xtables-translate.c ++++ b/iptables/xtables-translate.c +@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], + + cs.restore = restore; + +- if (!restore) ++ if (!restore && p.command != CMD_NONE) + printf("nft "); + + switch (p.command) { +@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], + break; + case CMD_SET_POLICY: + break; ++ case CMD_NONE: ++ ret = 1; ++ break; + default: + /* We should never reach this... */ + printf("Unsupported command?\n"); +-- +2.27.0 + diff --git a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch new file mode 100644 index 0000000..abe95fe --- /dev/null +++ b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch 
@@ -0,0 +1,40 @@ +From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 29 Jul 2020 15:39:31 +0200 +Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too + +Athough this cache level fetches table names only, it shouldn't skip the +consistency check. + +Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check") +Signed-off-by: Phil Sutter +(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd) +Signed-off-by: Phil Sutter +--- + iptables/nft-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c +index 638b18bc7e382..434cc10b82ce7 100644 +--- a/iptables/nft-cache.c ++++ b/iptables/nft-cache.c +@@ -511,14 +511,14 @@ retry: + if (req->level >= NFT_CL_TABLES) + fetch_table_cache(h); + if (req->level == NFT_CL_FAKE) +- return; ++ goto genid_check; + if (req->level >= NFT_CL_CHAINS) + fetch_chain_cache(h, t, chains); + if (req->level >= NFT_CL_SETS) + fetch_set_cache(h, t, NULL); + if (req->level >= NFT_CL_RULES) + fetch_rule_cache(h, t); +- ++genid_check: + mnl_genid_get(h, &genid_check); + if (h->nft_genid != genid_check) { + flush_cache(h, h->cache, NULL); +-- +2.27.0 + diff --git a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch new file mode 100644 index 0000000..b9a83f6 --- /dev/null +++ b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch 
@@ -0,0 +1,45 @@ +From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 7 Aug 2020 13:48:28 +0200 +Subject: [PATCH] nft: Fix command name in ip6tables error message + +Upon errors, ip6tables-nft would prefix its error messages with +'iptables:' instead of 'ip6tables:'. Turns out the command name was +hard-coded, use 'progname' variable instead. +While being at it, merge the two mostly identical fprintf() calls into +one. + +Signed-off-by: Phil Sutter +Acked-by: Pablo Neira Ayuso +(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13) +Signed-off-by: Phil Sutter +--- + iptables/xtables-standalone.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c +index dd6fb7919d2e1..7b71db62f1ea6 100644 +--- a/iptables/xtables-standalone.c ++++ b/iptables/xtables-standalone.c +@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[]) + xtables_fini(); + + if (!ret) { +- if (errno == EINVAL) { +- fprintf(stderr, "iptables: %s. " +- "Run `dmesg' for more information.\n", +- nft_strerror(errno)); +- } else { +- fprintf(stderr, "iptables: %s.\n", +- nft_strerror(errno)); +- } ++ fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno), ++ (errno == EINVAL ? ++ " Run `dmesg' for more information." : "")); ++ + if (errno == EAGAIN) + exit(RESOURCE_PROBLEM); + } +-- +2.27.0 + diff --git a/arptables-nft-helper b/arptables-nft-helper new file mode 100644 index 0000000..7380abf --- /dev/null +++ b/arptables-nft-helper 
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+# compat for removed initscripts dependency
+
+success() {
+ echo -n "[ OK ]"
+ return 0
+}
+
+failure() {
+ echo -n "[FAILED]"
+ return 1
+}
+
+start() {
+ if [ ! -x /usr/sbin/arptables ]; then
+ exit 4
+ fi
+
+ # don't do squat if we don't have the config file
+ if [ -f $ARPTABLES_CONFIG ]; then
+ echo -n $"Applying arptables firewall rules: "
+ /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+ success || \
+ failure
+ echo
+ touch /var/lock/subsys/arptables
+ else
+ failure
+ echo
+ echo $"Configuration file /etc/sysconfig/arptables missing"
+ exit 6
+ fi
+}
+
+stop() {
+ echo -n $"Removing user defined chains:"
+ arptables -X && success || failure
+ echo -n $"Flushing all chains:"
+ arptables -F && success || failure
+ echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+ arptables -P INPUT ACCEPT && \
+ arptables -P OUTPUT ACCEPT && \
+ success || \
+ failure
+ echo
+ rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+ start
+ ;;
+
+stop)
+ stop
+ ;;
+
+restart|reload)
+ # "restart" is really just "start" as this isn't a daemon,
+ # and "start" clears any pre-defined rules anyway.
+ # This is really only here to make those who expect it happy
+ start
+ ;;
+
+condrestart|try-restart|force-reload)
+ [ -e /var/lock/subsys/arptables ] && start
+ ;;
+
+*)
+ exit 2
+esac
+
+exit 0
diff --git a/iptables-config b/iptables-config
new file mode 100644
index 0000000..3d7e176
--- /dev/null
+++ b/iptables-config
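Review bot: `stop()` runs a bare `arptables` for its -X, -F and -P calls while `start()` checks for and executes `/usr/sbin/arptables` by absolute path, so the teardown path depends on whatever PATH the caller supplies; the three `stop()` lines should use the same absolute path, e.g. `/usr/sbin/arptables -X && success || failure`. The script is declared `#!/bin/sh` but relies on the bash-only `$"..."` locale strings and on `echo -n`, which a strictly POSIX sh is not guaranteed to interpret the same way; switching the shebang to `#!/bin/bash`, as iptables.init in this same commit does, or using plain double-quoted strings removes that dependency. `[ -f $ARPTABLES_CONFIG ]` is unquoted, harmless for the fixed value but inconsistent with the quoted tests used elsewhere in the commit; `[ -f "$ARPTABLES_CONFIG" ]` is the conventional form.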
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
diff --git a/iptables.init b/iptables.init
new file mode 100755
index 0000000..51155b0
--- /dev/null
+++ b/iptables.init
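Review bot: The `IPTABLES_STATUS_VERBOSE` block documents `default: yes` while the shipped value is `"no"` and iptables.init in this commit also initialises `IPTABLES_STATUS_VERBOSE="no"`, so the comment should read `# Value: yes|no, default: no`. The `IPTABLES_SYSCTL_LOAD_LIST` comment says items are matched by fgrep; since iptables.init does `fgrep -hs $item /etc/sysctl.d/*`, that is an unanchored substring match, and a short hint that a list item like `.nf_conntrack` will reload every sysctl line containing that text would help an administrator keep the selection tight.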
@@ -0,0 +1,435 @@ +#!/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# compat for removed initscripts dependency + +success() { + echo -n "[ OK ]" + return 0 +} + +warning() { + echo -n "[WARNING]" + return 1 +} + +failure() { + echo -n "[FAILED]" + return 1 +} + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Old or new modutils +/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ + && NEW_MODUTILS=1 \ + || NEW_MODUTILS=0 + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" + +# Get active tables +NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + + +flush_n_delete() { + # Flush firewall rules and delete chains. 
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IPTABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + [ -z "$tables" ] && return 1 + + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 
0 ] && success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + # Do not stop if iptables module is not loaded. + [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + # Check if iptable module is loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && restorecon $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && restorecon $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable modules are loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. 
" + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? 
+ ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/iptables.service b/iptables.service new file mode 100644 index 0000000..6722c7a --- /dev/null +++ b/iptables.service @@ -0,0 +1,18 @@ +[Unit] +Description=IPv4 firewall with iptables +After=syslog.target +AssertPathExists=/etc/sysconfig/iptables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=basic.target diff --git a/iptables.spec b/iptables.spec new file mode 100644 index 0000000..42ce8c2 --- /dev/null +++ b/iptables.spec 
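Review bot: `start()` ends with `return $ret`, but `ret` is only assigned inside the optional `IPTABLES_MODULES` block (and by `load_sysctl`, which also leaves it untouched when `IPTABLES_SYSCTL_LOAD_LIST` is empty), so the exit status after a successful restore is whatever value an earlier call left in the global; in `restart()` that is the `ret` from `flush_n_delete`/`set_policy`, which can make a good restore report failure to systemd. Initialise it once the restore has succeeded, e.g. `ret=0` immediately before `# Load additional modules (helpers)`; `reload()` has the same shape and needs the same line. `load_sysctl` should likewise set `ret=0` before its `if` rather than inside it, so its `return $ret` never degrades to a bare `return`. Separately, `status()` uses the deprecated `[ ... -a ... ]` form; `[ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]` is the unambiguous spelling.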
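Review bot: The unit orders itself only `After=syslog.target` and is pulled in via `WantedBy=basic.target`, so nothing guarantees the ruleset is applied before network interfaces come up and start accepting traffic; a firewall oneshot normally declares `Wants=network-pre.target` and `Before=network-pre.target` in `[Unit]`, which is the ordering point systemd provides for exactly this purpose. `After=syslog.target` is a legacy target that current systemd no longer needs for journal logging and can be dropped once the network-pre ordering is in place; the `StandardOutput=syslog`/`StandardError=syslog` lines are, as far as I recall, likewise accepted only as aliases for the journal on recent releases, so keeping them is harmless but they add nothing.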
@@ -0,0 +1,1574 @@ +# install init scripts to /usr/libexec with systemd +%global script_path %{_libexecdir}/iptables + +# service legacy actions (RHBZ#748134) +%global legacy_actions %{_libexecdir}/initscripts/legacy-actions + +# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel +%global bootstrap 0 + +%if 0%{?bootstrap} +%global version_old 1.8.2 +%global iptc_so_ver_old 0 +%global ipXtc_so_ver_old 0 +%endif +%global iptc_so_ver 0 +%global ipXtc_so_ver 2 + +Name: iptables +Summary: Tools for managing Linux kernel packet filtering capabilities +URL: http://www.netfilter.org/projects/iptables +Version: 1.8.5 +Release: 3%{?dist} +Source: %{url}/files/%{name}-%{version}.tar.bz2 +Source1: iptables.init +Source2: iptables-config +Source3: iptables.service +Source4: sysconfig_iptables +Source5: sysconfig_ip6tables +Source6: arptables-nft-helper +%if 0%{?bootstrap} +Source7: %{url}/files/%{name}-%{version_old}.tar.bz2 +Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch +%endif + +Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch +Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch +Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch +Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch + +# pf.os: ISC license +# iptables-apply: Artistic Licence 2.0 +License: GPLv2 and Artistic Licence 2.0 and ISC + +# libnetfilter_conntrack is needed for xt_connlabel +BuildRequires: pkgconfig(libnetfilter_conntrack) +# libnfnetlink-devel is requires for nfnl_osf +BuildRequires: pkgconfig(libnfnetlink) +BuildRequires: libselinux-devel +BuildRequires: kernel-headers +BuildRequires: systemd +# libmnl, libnftnl, bison, flex for nftables +BuildRequires: bison +BuildRequires: flex +BuildRequires: gcc +BuildRequires: pkgconfig(libmnl) >= 1.0 +BuildRequires: pkgconfig(libnftnl) >= 1.1.5 +# libpcap-devel for nfbpf_compile +BuildRequires: libpcap-devel +BuildRequires: autogen 
+BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 24 +Conflicts: setup < 2.10.4-1 +%endif +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description +The iptables utility controls the network packet filtering code in the +Linux kernel. If you need to set up firewalls and/or IP masquerading, +you should install this package. + +%package libs +Summary: iptables libraries + +%description libs +iptables libraries. + +Please remember that libip*tc libraries do neither have a stable API nor a real so version. + +For more information about this, please have a look at + + http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5 + + +%package devel +Summary: Development package for iptables +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig + +%description devel +iptables development headers and libraries. + +The iptc libraries are marked as not public by upstream. The interface is not +stable and may change with every new version. It is therefore unsupported. + +%package services +Summary: iptables and ip6tables services for iptables +Requires: %{name} = %{version}-%{release} +%{?systemd_ordering} +# obsolete old main package +Obsoletes: %{name} < 1.4.16.1 +# obsolete ipv6 sub package +Obsoletes: %{name}-ipv6 < 1.4.11.1 + +%description services +iptables services for IPv4 and IPv6 + +This package provides the services iptables and ip6tables that have been split +out of the base package since they are not active by default anymore. + +%package utils +Summary: iptables and ip6tables services for iptables +Requires: %{name} = %{version}-%{release} + +%description utils +Utils for iptables + +This package provides nfnl_osf with the pf.os database and nfbpf_compile, +a bytecode generator for use with xt_bpf. 
+ +%package nft +Summary: nftables compatibility for iptables, arptables and ebtables +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Obsoletes: iptables-compat < 1.6.2-4 +Provides: arptables-helper +Provides: iptables +Provides: arptables +Provides: ebtables + +%description nft +nftables compatibility for iptables, arptables and ebtables. + +%prep +%autosetup -p1 + +%if 0%{?bootstrap} +%{__mkdir} -p bootstrap_ver +pushd bootstrap_ver +%{__tar} --strip-components=1 -xf %{SOURCE7} +%{__patch} -p1 <%{SOURCE8} +popd +%endif + +%build +./autogen.sh +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ +%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr + +# do not use rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +rm -f include/linux/types.h + +make %{?_smp_mflags} + +%if 0%{?bootstrap} +pushd bootstrap_ver +./autogen.sh +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ +%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr + +# do not use rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +rm -f include/linux/types.h + +make %{?_smp_mflags} +popd +%endif + +%install +%if 0%{?bootstrap} +%make_install -C bootstrap_ver +%{_bindir}/find %{buildroot} -xtype f -not \ + -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print +%{_bindir}/find %{buildroot} -type l -not \ + -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print +%endif + +make install DESTDIR=%{buildroot} +# remove la file(s) +rm -f %{buildroot}/%{_libdir}/*.la + +# install ip*tables.h header files +install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/ +install -d -m 755 %{buildroot}%{_includedir}/iptables +install -m 644 include/iptables/internal.h 
%{buildroot}%{_includedir}/iptables/ + +# install ipulog header file +install -d -m 755 %{buildroot}%{_includedir}/libipulog/ +install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/ + +# install init scripts and configuration files +install -d -m 755 %{buildroot}%{script_path} +install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init +install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config +install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config +install -c -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables +install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables + +# install systemd service files +install -d -m 755 %{buildroot}/%{_unitdir} +install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir} +sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service +install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir} + +# install legacy actions for service command +install -d %{buildroot}/%{legacy_actions}/iptables +install -d %{buildroot}/%{legacy_actions}/ip6tables + +cat << EOF > %{buildroot}/%{legacy_actions}/iptables/save +#!/bin/bash +exec %{script_path}/iptables.init save +EOF +chmod 755 %{buildroot}/%{legacy_actions}/iptables/save +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy +install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save + +cat << EOF > %{buildroot}/%{legacy_actions}/iptables/panic +#!/bin/bash +exec 
%{script_path}/iptables.init panic +EOF +chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy +install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic + +%if 0%{?fedora} > 24 +# Remove /etc/ethertypes (now part of setup) +rm -f %{buildroot}%{_sysconfdir}/ethertypes +%endif + +install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ +touch %{buildroot}%{_libexecdir}/arptables-helper + +# prepare for alternatives +touch %{buildroot}%{_mandir}/man8/arptables.8 +touch %{buildroot}%{_mandir}/man8/arptables-save.8 +touch %{buildroot}%{_mandir}/man8/arptables-restore.8 +touch %{buildroot}%{_mandir}/man8/ebtables.8 + +%ldconfig_scriptlets + +%post +pfx=%{_sbindir}/iptables +pfx6=%{_sbindir}/ip6tables +%{_sbindir}/update-alternatives --install \ + $pfx iptables $pfx-legacy 10 \ + --slave $pfx6 ip6tables $pfx6-legacy \ + --slave $pfx-restore iptables-restore $pfx-legacy-restore \ + --slave $pfx-save iptables-save $pfx-legacy-save \ + --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \ + --slave $pfx6-save ip6tables-save $pfx6-legacy-save + +%postun +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove \ + iptables %{_sbindir}/iptables-legacy +fi + +%post services +%systemd_post iptables.service ip6tables.service + +%preun services +%systemd_preun iptables.service ip6tables.service + +%postun services +%?ldconfig +%systemd_postun iptables.service ip6tables.service + +%post nft +pfx=%{_sbindir}/iptables +pfx6=%{_sbindir}/ip6tables +%{_sbindir}/update-alternatives --install \ + $pfx iptables $pfx-nft 10 \ + --slave $pfx6 ip6tables $pfx6-nft \ + --slave $pfx-restore iptables-restore $pfx-nft-restore \ + --slave $pfx-save iptables-save $pfx-nft-save \ + --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \ + --slave $pfx6-save ip6tables-save $pfx6-nft-save + 
+pfx=%{_sbindir}/ebtables +manpfx=%{_mandir}/man8/ebtables +for sfx in "" "-restore" "-save"; do + if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then + rm -f $pfx$sfx + fi +done +if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then + rm -f $manpfx.8.gz +fi +%{_sbindir}/update-alternatives --install \ + $pfx ebtables $pfx-nft 10 \ + --slave $pfx-save ebtables-save $pfx-nft-save \ + --slave $pfx-restore ebtables-restore $pfx-nft-restore \ + --slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz + +pfx=%{_sbindir}/arptables +manpfx=%{_mandir}/man8/arptables +lepfx=%{_libexecdir}/arptables +for sfx in "" "-restore" "-save"; do + if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then + rm -f $pfx$sfx + fi + if [ "$(readlink -e $manpfx$sfx.8.gz)" == $manpfx$sfx.8.gz ]; then + rm -f $manpfx$sfx.8.gz + fi +done +if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then + rm -f $lepfx-helper +fi +%{_sbindir}/update-alternatives --install \ + $pfx arptables $pfx-nft 10 \ + --slave $pfx-save arptables-save $pfx-nft-save \ + --slave $pfx-restore arptables-restore $pfx-nft-restore \ + --slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \ + --slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \ + --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \ + --slave $lepfx-helper arptables-helper $lepfx-nft-helper + +%postun nft +if [ $1 -eq 0 ]; then + for cmd in iptables ebtables arptables; do + %{_sbindir}/update-alternatives --remove \ + $cmd %{_sbindir}/$cmd-nft + done +fi + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc INCOMPATIBILITIES +%if 0%{?fedora} <= 24 +%{_sysconfdir}/ethertypes +%endif +%{_sbindir}/iptables-apply +%{_sbindir}/ip6tables-apply +%{_sbindir}/iptables-legacy* +%{_sbindir}/ip6tables-legacy* +%{_sbindir}/xtables-legacy-multi +%{_bindir}/iptables-xml +%{_mandir}/man1/iptables-xml* +%{_mandir}/man8/iptables* +%{_mandir}/man8/ip6tables* +%{_mandir}/man8/xtables-legacy* +%ghost %{_sbindir}/iptables 
+%ghost %{_sbindir}/iptables-restore +%ghost %{_sbindir}/iptables-save +%ghost %{_sbindir}/ip6tables +%ghost %{_sbindir}/ip6tables-restore +%ghost %{_sbindir}/ip6tables-save + +%files libs +%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}* +%if 0%{?bootstrap} +%{_libdir}/libiptc.so.%{iptc_so_ver_old}* +%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver_old}* +%endif +%{_libdir}/libxtables.so.12* +%dir %{_libdir}/xtables +%{_libdir}/xtables/libipt* +%{_libdir}/xtables/libip6t* +%{_libdir}/xtables/libxt* + +%files devel +%dir %{_includedir}/iptables +%{_includedir}/iptables/*.h +%{_includedir}/*.h +%dir %{_includedir}/libiptc +%{_includedir}/libiptc/*.h +%dir %{_includedir}/libipulog +%{_includedir}/libipulog/*.h +%{_libdir}/libip*tc.so +%{_libdir}/libxtables.so +%{_libdir}/pkgconfig/libiptc.pc +%{_libdir}/pkgconfig/libip4tc.pc +%{_libdir}/pkgconfig/libip6tc.pc +%{_libdir}/pkgconfig/xtables.pc + +%files services +%dir %{script_path} +%{script_path}/iptables.init +%{script_path}/ip6tables.init +%config(noreplace) %{_sysconfdir}/sysconfig/iptables +%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables +%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config +%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config +%{_unitdir}/iptables.service +%{_unitdir}/ip6tables.service +%dir %{legacy_actions}/iptables +%{legacy_actions}/iptables/save +%{legacy_actions}/iptables/panic +%dir %{legacy_actions}/ip6tables +%{legacy_actions}/ip6tables/save +%{legacy_actions}/ip6tables/panic + +%files utils +%{_sbindir}/nfnl_osf +%{_sbindir}/nfbpf_compile +%dir %{_datadir}/xtables +%{_datadir}/xtables/pf.os +%{_mandir}/man8/nfnl_osf* +%{_mandir}/man8/nfbpf_compile* + +%files nft +%{_sbindir}/iptables-nft* +%{_sbindir}/iptables-restore-translate +%{_sbindir}/iptables-translate +%{_sbindir}/ip6tables-nft* +%{_sbindir}/ip6tables-restore-translate +%{_sbindir}/ip6tables-translate +%{_sbindir}/ebtables-nft* +%{_sbindir}/arptables-nft* +%{_sbindir}/xtables-nft-multi +%{_sbindir}/xtables-monitor +%dir 
%{_libdir}/xtables +%{_libdir}/xtables/libarpt* +%{_libdir}/xtables/libebt* +%{_libexecdir}/arptables-nft-helper +%{_mandir}/man8/xtables-monitor* +%{_mandir}/man8/xtables-translate* +%{_mandir}/man8/*-nft* +%ghost %{_sbindir}/iptables +%ghost %{_sbindir}/iptables-restore +%ghost %{_sbindir}/iptables-save +%ghost %{_sbindir}/ip6tables +%ghost %{_sbindir}/ip6tables-restore +%ghost %{_sbindir}/ip6tables-save +%ghost %{_sbindir}/ebtables +%ghost %{_sbindir}/ebtables-save +%ghost %{_sbindir}/ebtables-restore +%ghost %{_sbindir}/arptables +%ghost %{_sbindir}/arptables-save +%ghost %{_sbindir}/arptables-restore +%ghost %{_libexecdir}/arptables-helper +%ghost %{_mandir}/man8/arptables.8.gz +%ghost %{_mandir}/man8/arptables-save.8.gz +%ghost %{_mandir}/man8/arptables-restore.8.gz +%ghost %{_mandir}/man8/ebtables.8.gz + + +%changelog +* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter - 1.8.5-3 +- nft: cache: Check consistency with NFT_CL_FAKE, too +- nft: Fix command name in ip6tables error message + +* Tue Jul 28 2020 Fedora Release Engineering - 1.8.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 23 2020 Phil Sutter - 1.8.5-1 +- Rebase onto upstream version 1.8.5 plus two late fixes +- Drop explicit iptables-apply installation, upstream fixed that +- Ship ip6tables-apply along with iptables package + +* Wed Feb 12 2020 Phil Sutter - 1.8.4-7 +- Move nft-specific extensions into iptables-nft package +- Move remaining extensions into iptables-libs package +- Make iptables-nft depend on iptables-libs instead of iptables +- Add upstream-suggested fixes + +* Wed Jan 29 2020 Fedora Release Engineering - 1.8.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jan 15 2020 Phil Sutter - 1.8.4-5 +- Raise Alternatives priority of nft variants to match legacy ones +- Add Provides lines to allow for iptables-nft as full legacy alternative + +* Thu Dec 19 2019 Phil Sutter - 1.8.4-4 +- Drop leftover include in 
arptables-nft-helper + +* Fri Dec 13 2019 Phil Sutter - 1.8.4-3 +- Remove dependencies on initscripts package + +* Tue Dec 10 2019 Phil Sutter - 1.8.4-2 +- iptables-services requires /etc/init.d/functions + +* Wed Dec 04 2019 Phil Sutter - 1.8.4-1 +- New upstream version 1.8.4 + +* Thu Jul 25 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 25 2019 Björn Esser - 1.8.3-4 +- Disable bootstrapping + +* Tue Jun 25 2019 Phil Sutter - 1.8.3-3 +- Change URL to point at iptables project, not netfilter overview page +- Reuse URL value in tarball source +- Reduce globbing of library file names to expose future SONAME changes +- Add bootstrapping for libip*tc SONAME bump + +* Tue Jun 25 2019 Phil Sutter - 1.8.3-2 +- Install new man page for nfbpf_compile utility +- Move nfnl_osf man page to utils subpackage + +* Wed May 29 2019 Phil Sutter - 1.8.3-1 +- New upstream version 1.8.3 + +* Mon Apr 15 2019 Phil Sutter - 1.8.2-1 +- New upstream version 1.8.2 +- Integrate ebtables and arptables save/restore scripts with alternatives +- Add nft-specific ebtables and arptables man pages +- Move /etc/sysconfig/ip*tables-config files into services sub-package + +* Fri Feb 01 2019 Fedora Release Engineering - 1.8.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 23 2019 Bogdan Dobrelya - 1.8.0-4 +- Use systemd_ordering macro + +* Fri Jul 13 2018 Fedora Release Engineering - 1.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 10 2018 Phil Sutter - 1.8.0-2 +- Fix calling ebtables-nft and arptables-nft via their new names. + +* Mon Jul 09 2018 Phil Sutter - 1.8.0-1 +- New upstream version 1.8.0. +- Replace ldconfig calls with newly introduced macros. +- Rename compat subpackage to iptables-nft to clarify its purpose. +- Make use of Alternatives system. 
+ +* Fri May 04 2018 Phil Sutter - 1.6.2-3 +- Fix License: tag in spec-file +- Fix separation into compat subpackage + +* Thu Mar 01 2018 Phil Sutter - 1.6.2-2 +- Kill module unloading support +- Support /etc/sysctl.d +- Don't restart services after package update +- Add support for --wait options to restore commands + +* Wed Feb 21 2018 Michael Cronenworth - 1.6.2-1 +- New upstream version 1.6.2 + http://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.2.txt + +* Wed Feb 07 2018 Fedora Release Engineering - 1.6.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Oct 22 2017 Kevin Fenzi - 1.6.1-5 +- Rebuild for new libnftnl + +* Wed Aug 02 2017 Fedora Release Engineering - 1.6.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.6.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 1.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 02 2017 Thomas Woerner - 1.6.1-1 +- New upstream version 1.6.1 with enhanced translation to nft support and + several fixes (RHBZ#1417323) + http://netfilter.org/projects/iptables/files/changes-iptables-1.6.1.txt +- Enable parallel build again + +* Thu Feb 02 2017 Petr Šabata - 1.6.0-4 +- Disabling parallel build to avoid build issues with xtables +- See http://patchwork.alpinelinux.org/patch/1787/ for reference +- This should be fixed in 1.6.1; parallel build can be restored after the + update + +* Mon Dec 19 2016 Thomas Woerner - 1.6.0-3 +- Dropped bad provides for iptables in services sub package (RHBZ#1327786) + +* Fri Jul 22 2016 Thomas Woerner - 1.6.0-2 +- /etc/ethertypes has been moved into the setup package for F-25+. 
+ (RHBZ#1329256) + +* Wed Apr 13 2016 Thomas Woerner - 1.6.0-1 +- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990) + Upstream changelog: + http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt +- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161) +- Using scripts form RHEL-7 (RHBZ#1240366) +- New compat sub package for nftables compatibility +- Install iptables-apply (RHBZ#912047) +- Fixed module uninstall (RHBZ#1324101) +- Incorporated changes by Petr Pisar +- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch + +* Thu Feb 04 2016 Fedora Release Engineering - 1.4.21-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 1.4.21-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Dec 01 2014 Jiri Popelka - 1.4.21-14 +- add dhcpv6-client to /etc/sysconfig/ip6tables (RHBZ#1169036) + +* Mon Nov 03 2014 Jiri Popelka - 1.4.21-13 +- iptables.init: use /run/lock/subsys/ instead of /var/lock/subsys/ (RHBZ#1159573) + +* Mon Sep 29 2014 Jiri Popelka - 1.4.21-12 +- ip[6]tables.init: change shebang from /bin/sh to /bin/bash (RHBZ#1147272) + +* Sat Aug 16 2014 Fedora Release Engineering - 1.4.21-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jul 12 2014 Tom Callaway - 1.4.21-10 +- fix license handling + +* Sat Jun 07 2014 Fedora Release Engineering - 1.4.21-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 12 2014 Jiri Popelka - 1.4.21-8 +- add missing reload and panic actions +- BuildRequires: pkgconfig(x) instead of x-devel +- no need to specify file mode bits twice (in %%install and %%files) + +* Sun Jan 19 2014 Ville Skyttä - 1.4.21-7 +- Don't order services after syslog.target. 
+ +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- Enable connlabel support again, needs libnetfilter_conntrack + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901) + +* Tue Jan 14 2014 Jiri Popelka - 1.4.21-5 +- chmod /etc/sysconfig/ip[6]tables 755 -> 600 + +* Fri Jan 10 2014 Jiri Popelka - 1.4.21-4 +- drop virtual provide for xtables.so.9 +- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494) + +* Thu Jan 09 2014 Jiri Popelka - 1.4.21-3 +- no need to support the pre-systemd things +- use systemd macros (#850166) +- remove scriptlets for migrating to a systemd unit from a SysV initscripts +- ./configure -> %%configure +- spec clean up +- fix self-obsoletion + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-2 +- fixed system hang at shutdown if root device is network based (RHBZ#1007934) + Thanks to Rodrigo A B Freire for the patch + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-1 +- no connlabel.conf upstream anymore +- new version 1.4.21 + - doc: clarify DEBUG usage macro + - iptables: use autoconf to process .in man pages + - extensions: libipt_ULOG: man page should mention NFLOG as replacement + - extensions: libxt_connlabel: use libnetfilter_conntrack + - Introduce a new revision for the set match with the counters support + - libxt_CT: Add the "NOTRACK" alias + - libip6t_mh: Correct command to list named mh types in manpage + - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support + - extensions: libxt_LED: fix parsing of delay + - ip{6}tables-restore: fix breakage due to new locking approach + - libxt_recent: restore minimum value for --seconds + - iptables-xml: fix parameter parsing (similar to 2165f38) + - extensions: add copyright statements + - xtables: improve get_modprobe handling + - ip[6]tables: Add locking to prevent concurrent instances + - iptables: Fix connlabel.conf install location + - ip6tables: don't print out /128 + - 
libip6t_LOG: target output is different to libipt_LOG + - build: additional include path required after UAPI changes + - iptables: iptables-xml: Fix various parsing bugs + - libxt_recent: restore reap functionality to recent module + - build: fail in configure on missing dependency with --enable-bpf-compiler + - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter + - extensions: libxt_set, libxt_SET: check the set family too + - ip6tables: Use consistent exit code for EAGAIN + - iptables: libxt_hashlimit.man: correct address + - iptables: libxt_conntrack.man extraneous commas + - iptables: libip(6)t_REJECT.man default icmp types + - iptables: iptables-xm1.1 correct man section + - iptables: libxt_recent.{c,man} dead URL + - iptables: libxt_string.man add examples + - extensions: libxt_LOG: use generic syslog reference in manpage + - iptables: extensions/GNUMakefile.in use CPPFLAGS + - iptables: correctly reference generated file + - ip[6]tables: fix incorrect alignment in commands_v_options + - build: add software version to manpage first line at configure stage + - extensions: libxt_cluster: add note on arptables-jf + - utils: nfsynproxy: fix error while compiling the BPF filter + - extensions: add SYNPROXY extension + - utils: add nfsynproxy tool + - iptables: state match incompatibilty across versions + - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks + - iptables: improve chain name validation + - iptables: spurious error in load_extension + - xtables: trivial spelling fix + +* Sun Dec 22 2013 Ville Skyttä - 1.4.19.1-2 +- Drop INSTALL from docs, escape macros in %%changelog. 
+ +* Wed Jul 31 2013 Thomas Woerner 1.4.19.1-1 +- new version 1.4.19.1 + - libxt_NFQUEUE: fix bypass option documentation + - extensions: add connlabel match + - extensions: add connlabel match + - ip[6]tables: show --protocol instead of --proto in usage + - libxt_recent: Fix missing space in manpage for --mask option + - extensions: libxt_multiport: Update manpage to list valid protocols + - utils: nfnl_osf: use the right nfnetlink lib + - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency + - Revert "build: resolve link failure for ip6t_NETMAP" + - libxt_osf: fix missing --ttl and --log in save output + - libxt_osf: fix bad location for location in --genre + - libip6t_SNPT: add manpage + - libip6t_DNPT: add manpage + - utils: updates .gitignore to include nfbpf_compile + - extensions: libxt_bpf: clarify --bytecode argument + - libxtables: fix parsing of dotted network mask format + - build: bump version to 1.4.19 + - libxt_conntrack: fix state match alias state parsing + - extensions: add libxt_bpf extension + - utils: nfbpf_compile + - doc: mention SNAT in INPUT chain since kernel 2.6.36 +- fixed changelog date weekdays where needed + +* Mon Mar 4 2013 Thomas Woerner 1.4.18-1 +- new version 1.4.18 + - lots of documentation changes + - Introduce match/target aliases + - Add the "state" alias to the "conntrack" match + - iptables: remove unused leftover definitions + - libxtables: add xtables_rule_matches_free + - libxtables: add xtables_print_num + - extensions: libip6t_DNPT: fix wording in DNPT target + - extension: libip6t_DNAT: allow port DNAT without address + - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination + - extensions: S/DNPT: add missing save function +- changes of 1.4.17: + - libxt_time: add support to ignore day transition + - Convert the NAT targets to use the kernel supplied nf_nat.h header + - extensions: add IPv6 MASQUERADE extension + - extensions: add IPv6 SNAT extension + - extensions: add IPv6 DNAT target 
+ - extensions: add IPv6 REDIRECT extension + - extensions: add IPv6 NETMAP extension + - extensions: add NPT extension + - extensions: libxt_statistic: Fix save output + +* Thu Feb 14 2013 Fedora Release Engineering - 1.4.16.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 16 2013 Ville Skyttä - 1.4.16.2-6 +- Own unowned -services libexec dirs (#894464, Michael Scherer). +- Fix -services unit file permissions (#732936, Michal Schmidt). + +* Thu Nov 8 2012 Thomas Woerner 1.4.16.2-5 +- fixed path of ip6tables.init in ip6tables.service + +* Fri Nov 2 2012 Thomas Woerner 1.4.16.2-4 +- fixed missing services for update of pre F-18 installations (rhbz#867960) + - provide and obsolete old main package in services sub package + - provide and obsolete old ipv6 sub package (pre F-17) in services sub package + +* Sun Oct 14 2012 Dan Horák 1.4.16.2-3 +- fix the compat provides for all 64-bit arches + +* Fri Oct 12 2012 Thomas Woerner 1.4.16.2-2 +- new sub package services providing the systemd services (RHBZ#862922) +- new sub package utils: provides nfnl_osf and the pf.os database +- using %%{_libexecdir}/iptables as script path for the original init scripts +- added service iptables save funcitonality using the new way provided by + initscripts 9.37.1 (RHBZ#748134) +- added virtual provide for libxtables.so.7 + +* Mon Oct 8 2012 Thomas Woerner 1.4.16.2-1 +- new version 1.4.16.2 + - build: support for automake-1.12 + - build: separate AC variable replacements from xtables.h + - build: have `make clean` remove dep files too + - doc: grammatical updates to libxt_SET + - doc: clean up interpunction in state list for xt_conntrack + - doc: deduplicate extension descriptions into a new manpage + - doc: trim "state" manpage and reference conntrack instead + - doc: have NOTRACK manpage point to CT instead + - doc: mention iptables-apply in the SEE ALSO sections + - extensions: libxt_addrtype: fix type in help message + - include: add missing 
linux/netfilter_ipv4/ip_queue.h + - iptables: fix wrong error messages + - iptables: support for match aliases + - iptables: support for target aliases + - iptables-restore: warn about -t in rule lines + - ip[6]tables-restore: cleanup to reduce one level of indentation + - libip6t_frag: match any frag id by default + - libxtables: consolidate preference logic + - libxt_devgroup: consolidate devgroup specification parsing + - libxt_devgroup: guard against negative numbers + - libxt_LED: guard against negative numbers + - libxt_NOTRACK: replace as an alias to CT --notrack + - libxt_state: replace as an alias to xt_conntrack + - libxt_tcp: print space before, not after "flags:" + - libxt_u32: do bounds checking for @'s operands + - libxt_*limit: avoid division by zero + - Merge branch 'master' of git://git.inai.de/iptables + - Merge remote-tracking branch 'nf/stable' + - New set match revision with --return-nomatch flag support +- dropped fixrestore patch, upstream + +* Wed Aug 1 2012 Thomas Woerner 1.4.15-1 +- new version 1.4.15 + - extensions: add HMARK target + - iptables-restore: fix parameter parsing (shows up with gcc-4.7) + - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7) + - libxtables: add xtables_ip[6]mask_to_cidr + - libxt_devgroup: add man page snippet + - libxt_hashlimit: add support for byte-based operation + - libxt_recent: add --mask netmask + - libxt_recent: remove unused variable + - libxt_HMARK: correct a number of errors introduced by Pablo's rework + - libxt_HMARK: fix ct case example + - libxt_HMARK: fix output of iptables -L + - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)" + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-3 +- added fixrestore patch submitted to upstream by fryasu (nfbz#774) + (RHBZ#825796) + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-2 +- disabled libipq, removed upstream, not provided by kernel anymore + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-1 +- new version 1.4.14 + - 
extensions: add IPv6 capable ECN match extension + - extensions: add nfacct match + - extensions: add rpfilter module + - extensions: libxt_rateest: output all options in save hook + - iptables: missing free() in function cache_add_entry() + - iptables: missing free() in function delete_entry() + - libiptc: fix retry path in TC_INIT + - libiptc: Returns the position the entry was inserted + - libipt_ULOG: fix --ulog-cprange + - libxt_CT: add --timeout option + - ip(6)tables-restore: make sure argv is NULL terminated + - Revert "libiptc: Returns the position the entry was inserted" + - src: mark newly opened fds as FD_CLOEXEC (close on exec) + - tests: add rateest match rules +- dropped patch5 (cloexec), merged upstream + +* Mon Apr 23 2012 Thomas Woerner 1.4.12.2-5 +- reenable iptables default services + +* Wed Feb 29 2012 Harald Hoyer 1.4.12.2-4 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Thu Feb 16 2012 Thomas Woerner 1.4.12.2-3 +- fixed auto enable check for Fedora > 16 and added rhel > 6 check + +* Wed Feb 15 2012 Thomas Woerner 1.4.12.2-2 +- disabled autostart and auto enable for iptables.service and ip6tables.service + for Fedora > 16 + +* Mon Jan 16 2012 Thomas Woerner 1.4.12.2-1 +- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc + - build: make check stage not fail when building statically + - build: restore build order of modules + - build: scan for unreferenced symbols + - build: sort file list before build + - doc: clarification on the meaning of -p 0 + - doc: document iptables-restore's -T option + - doc: fix undesired newline in ip6tables-restore(8) + - ip6tables-restore: implement missing -T option + - iptables: move kernel version find routing into libxtables + - libiptc: provide separate pkgconfig files + - libipt_SAME: set PROTO_RANDOM on all ranges + - libxtables: Fix file descriptor leak in xtables_lmap_init on error + - libxt_connbytes: fix handling of --connbytes FROM + - 
libxt_CONNSECMARK: fix spacing in output + - libxt_conntrack: improve error message on parsing violation + - libxt_NFQUEUE: fix --queue-bypass ipt-save output + - libxt_RATEEST: link with -lm + - libxt_statistic: link with -lm + - Merge branch 'stable' + - Merge branch 'stable' of git://dev.medozas.de/iptables + - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process + - xtoptions: fill in fallback value for nvals + - xtoptions: simplify xtables_parse_interface + +* Fri Jan 13 2012 Fedora Release Engineering - 1.4.12.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 12 2011 Thomas Woerner 1.4.12.1-1 +- new version 1.4.12.1 with new pkgconfig/libipq.pc + - build: abort autogen on subcommand failure + - build: strengthen check for overlong lladdr components + - build: workaround broken linux-headers on RHEL-5 + - doc: clarify libxt_connlimit defaults + - doc: fix typo in libxt_TRACE + - extensions: use multi-target registration + - libip6t_dst: restore setting IP6T_OPTS_LEN flag + - libip6t_frag: restore inversion support + - libip6t_hbh: restore setting IP6T_OPTS_LEN flag + - libipq: add pkgconfig file + - libipt_ttl: document that negation is available + - libxt_conntrack: fix --ctproto 0 output + - libxt_conntrack: remove one misleading comment + - libxt_dccp: fix deprecated intrapositional ordering of ! + - libxt_dccp: fix random output of ! 
on --dccp-option + - libxt_dccp: provide man pages options in short help too + - libxt_dccp: restore missing XTOPT_INVERT tags for options + - libxt_dccp: spell out option name on save + - libxt_dscp: restore inversion support + - libxt_hashlimit: default htable-expire must be in milliseconds + - libxt_hashlimit: observe new default gc-expire time when saving + - libxt_hashlimit: remove inversion from hashlimit rev 0 + - libxt_owner: restore inversion support + - libxt_physdev: restore inversion support + - libxt_policy: remove superfluous inversion + - libxt_set: put differing variable names in directly + - libxt_set: update man page about kernel support on the feature + - libxt_string: define _GNU_SOURCE for strnlen + - libxt_string: escape the escaping char too + - libxt_string: fix space around arguments + - libxt_string: replace hex codes by char equivalents + - libxt_string: simplify hex output routine + - libxt_tcp: always print the mask parts + - libxt_TCPMSS: restore build with IPv6-less libcs + - libxt_TOS: update linux kernel version list for backported fix + - libxt_u32: fix missing allowance for inversion + - src: remove unused IPTABLES_MULTI define + - tests: add negation tests for libxt_statistic + - xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT +- removed include/linux/types.h before build to be able to compile + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-2 +- dropped temporary provide again + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-1.1 +- added temporary provides for libxtables.so.6 to be able to rebuild iproute, + which is part of the standard build environment + +* Mon Jul 25 2011 Thomas Woerner 1.4.12-1 +- new version 1.4.12 with support of all new features of kernel 3.0 + - build: attempt to fix building under Linux 2.4 + - build: bump soversion for recent data structure change + - build: install modules in arch-dependent location + - doc: fix group range in libxt_NFLOG's man + - doc: fix version string in ip6tables.8 + - doc: include 
matches/targets in manpage again + - doc: mention multiple verbosity flags + - doc: the -m option cannot be inverted + - extensions: support for per-extension instance global variable space + - iptables-apply: select default rule file depending on call name + - iptables: consolidate target/match init call + - iptables: Coverity: DEADCODE + - iptables: Coverity: NEGATIVE_RETURNS + - iptables: Coverity: RESOURCE_LEAK + - iptables: Coverity: REVERSE_INULL + - iptables: Coverity: VARARGS + - iptables: restore negation for -f + - libip6t_HL: fix option names from ttl -> hl + - libipt_LOG: fix ignoring all but last flags + - libxtables: ignore whitespace in the multiaddress argument parser + - libxtables: properly reject empty hostnames + - libxtables: set clone's initial data to NULL + - libxt_conntrack: move more data into the xt_option_entry + - libxt_conntrack: restore network-byte order for v1,v2 + - libxt_hashlimit: use a more obvious expiry value by default + - libxt_rateest: abolish global variables + - libxt_RATEEST: abolish global variables + - libxt_RATEEST: fix userspacesize field + - libxt_RATEEST: use guided option parser + - libxt_state: fix regression about inversion of main option + - option: remove last traces of intrapositional negation +- complete changelog: + http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt + +* Thu Jul 21 2011 Thomas Woerner 1.4.11.1-4 +- merged ipv6 sub package into main package +- renamed init scripts to /usr/libexec/ip*tables.init + +* Fri Jul 15 2011 Thomas Woerner 1.4.11.1-3 +- added support for native systemd file (rhbz#694738) + - new iptables.service file + - additional requires + - moved sysv init scripts to /usr/libexec + - added new post, preun and postun scripts and triggers + +* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-2 +- dropped temporary provide again +- enabled smp build + +* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-1.1 +- added temporary provides for libxtables.so.5 to be able to rebuild 
iproute, + which is part of the standard build environment + +* Mon Jul 11 2011 Thomas Woerner 1.4.11.1-1 +- new version 1.4.11.1, bug and doc fix release for 1.4.11 + +* Tue Jun 7 2011 Thomas Woerner 1.4.11-1 +- new version 1.4.11 with all new features of 2.6.37-39 (not usable) + - lots of changes and bugfixes for base and extensions + - complete changelog: + http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.txt + +* Wed Feb 09 2011 Fedora Release Engineering - 1.4.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 10 2011 Thomas Woerner 1.4.10-1 +- new version 1.4.10 with all new features of 2.6.36 + - all: consistent syntax use in struct option + - build: fix static linking + - doc: let man(1) autoalign the text in xt_cpu + - doc: remove extra empty line from xt_cpu + - doc: minimal spelling updates to xt_cpu + - doc: consistent use of markup + - extensions: libxt_quota: don't ignore the quota value on deletion + - extensions: REDIRECT: add random help + - extensions: add xt_cpu match + - extensions: add idletimer xt target extension + - extensions: libxt_IDLETIMER: use xtables_param_act when checking options + - extensions: libxt_CHECKSUM extension + - extensions: libipt_LOG/libip6t_LOG: support macdecode option + - extensions: fix compilation of the new CHECKSUM target + - extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs + - iptables-xml: resolve compiler warnings + - iptables: limit chain name length to be consistent with targets + - libiptc: add Libs.private to pkgconfig files + - libiptc: build with -Wl,--no-as-needed + - xtables: remove unnecessary cast +- dropped xt_CHECKSUM, added upstream + +* Tue Oct 12 2010 Thomas Woerner 1.4.9-2 +- added xt_CHECKSUM patch from Michael S. 
Tsirkin (rhbz#612587) + +* Wed Aug 4 2010 Thomas Woerner 1.4.9-1 +- new version 1.4.9 with all new features of 2.6.35 + - doc: xt_hashlimit: fix a typo + - doc: xt_LED: nroff formatting requirements + - doc: xt_string: correct copy-and-pasting in manpage + - extensions: add the LED target + - extensions: libxt_quota.c: Support option negation + - extensions: libxt_rateest: fix bps options for iptables-save + - extensions: libxt_rateest: fix typo in the man page + - extensions: REDIRECT: add random help + - includes: sync header files from Linux 2.6.35-rc1 + - libxt_conntrack: do print netmask + - libxt_hashlimit: always print burst value + - libxt_set: new revision added + - utils: add missing include flags to Makefile + - xtables: another try at chain name length checking + - xtables: remove xtables_set_revision function + - xt_quota: also document negation + - xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension + - xt_sctp: support FORWARD_TSN chunk type + +* Fri Jul 2 2010 Thomas Woerner 1.4.8-1 +- new version 1.4.8 all new features of 2.6.34 (rhbz#) + - extensions: REDIRECT: fix --to-ports parser + - iptables: add noreturn attribute to exit_tryhelp() + - extensions: MASQUERADE: fix --to-ports parser + - libxt_comment: avoid use of IPv4-specific examples + - libxt_CT: add a manpage + - iptables: correctly check for too-long chain/target/match names + - doc: libxt_MARK: no longer restricted to mangle table + - doc: remove claim that TCPMSS is limited to mangle + - libxt_recent: add a missing space in output + - doc: add manpage for libxt_osf + - libxt_osf: import nfnl_osf program + - extensions: add support for xt_TEE + - CT: fix --ctevents parsing + - extensions: add CT extension + - libxt_CT: print conntrack zone in ->print/->save + - xtables: fix compilation when debugging is enabled + - libxt_conntrack: document --ctstate UNTRACKED + - iprange: fix xt_iprange v0 parsing + +* Wed Mar 24 2010 Thomas Woerner 1.4.7-2 +- added default values for 
IPTABLES_STATUS_VERBOSE and + IPTABLES_STATUS_LINENUMBERS in init script +- added missing lsb keywords Required-Start and Required-Stop to init script + +* Fri Mar 5 2010 Thomas Woerner 1.4.7-1 +- new version 1.4.7 with support for all new features of 2.6.33 (rhbz#570767) + - libip4tc: Add static qualifier to dump_entry() + - libipq: build as shared library + - recent: reorder cases in code (cosmetic cleanup) + - several man page and documentation fixes + - policy: fix error message showing wrong option + - includes: header updates + - Lift restrictions on interface names +- fixed license and moved iptables-xml into base package according to review + +* Wed Jan 27 2010 Thomas Woerner 1.4.6-2 +- moved libip*tc and libxtables libs to /lib[64], added symlinks for .so libs + to /usr/lib[64] for compatibility (rhbz#558796) + +* Wed Jan 13 2010 Thomas Woerner 1.4.6-1 +- new version 1.4.6 with support for all new features of 2.6.32 + - several man page fixes + - Support for nommu arches + - realm: remove static initializations + - libiptc: remove unused functions + - libiptc: avoid strict-aliasing warnings + - iprange: do accept non-ranges for xt_iprange v1 + - iprange: warn on reverse range + - iprange: roll address parsing into a loop + - iprange: do accept non-ranges for xt_iprange v1 (log) + - iprange: warn on reverse range (log) + - libiptc: fix wrong maptype of base chain counters on restore + - iptables: fix undersized deletion mask creation + - style: reduce indent in xtables_check_inverse + - libxtables: hand argv to xtables_check_inverse + - iptables/extensions: make bundled options work again + - CONNMARK: print mark rules with mask 0xffffffff as set instead of xset + - iptables: take masks into consideration for replace command + - doc: explain experienced --hitcount limit + - doc: name resolution clarification + - iptables: expose option to zero packet/byte counters for a specific rule + - build: restore --disable-ipv6 functionality on system w/o v6 headers + 
- MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark + - DNAT: fix incorrect check during parsing + - extensions: add osf extension + - conntrack: fix --expires parsing + +* Thu Dec 17 2009 Thomas Woerner 1.4.5-2 +- dropped nf_ext_init remains from cloexec patch + +* Thu Sep 17 2009 Thomas Woerner 1.4.5-1 +- new version 1.4.5 with support for all new features of 2.6.31 + - libxt_NFQUEUE: add new v1 version with queue-balance option + - xt_conntrack: revision 2 for enlarged state_mask member + - libxt_helper: fix invalid passed option to check_inverse + - libiptc: split v4 and v6 + - extensions: collapse registration structures + - iptables: allow for parse-less extensions + - iptables: allow for help-less extensions + - extensions: remove empty help and parse functions + - xtables: add multi-registration functions + - extensions: collapse data variables to use multi-reg calls + - xtables: warn of missing version identifier in extensions + - multi binary: allow subcommand via argv[1] + - iptables: accept multiple IP address specifications for -s, -d + - several build fixes + - several man page fixes +- fixed two leaked file descriptors on sockets (rhbz#521397) + +* Mon Aug 24 2009 Thomas Woerner 1.4.4-1 +- new version 1.4.4 with support for all new features of 2.6.30 + - several man page fixes + - iptables: replace open-coded sizeof by ARRAY_SIZE + - libip6t_policy: remove redundant functions + - policy: use direct xt_policy_info instead of ipt/ip6t + - policy: merge ipv6 and ipv4 variant + - extensions: add `cluster' match support + - extensions: add const qualifiers in print/save functions + - extensions: use NFPROTO_UNSPEC for .family field + - extensions: remove redundant casts + - iptables: close open file descriptors + - fix segfault if incorrect protocol name is used + - replace open-coded sizeof by ARRAY_SIZE + - do not include v4-only modules in ip6tables manpage + - use direct xt_policy_info instead of ipt/ip6t + - xtables: 
fix segfault if incorrect protocol name is used + - libxt_connlimit: initialize v6_mask + - SNAT/DNAT: add support for persistent multi-range NAT mappings + +* Fri Jul 24 2009 Fedora Release Engineering - 1.4.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Apr 15 2009 Thomas Woerner 1.4.3.2-1 +- new version 1.4.3.2 +- also install iptables/internal.h, needed for iptables.h and ip6tables.h + +* Mon Mar 30 2009 Thomas Woerner 1.4.3.1-1 +- new version 1.4.3.1 + - libiptc is now shared + - supports all new features of the 2.6.29 kernel +- dropped typo_latter patch + +* Thu Mar 5 2009 Thomas Woerner 1.4.2-3 +- still more review fixes (rhbz#225906) + - consistent macro usage + - use sed instead of perl for rpath removal + - use standard RPM CFLAGS, but also -fno-strict-aliasing (needed for libiptc*) + +* Wed Feb 25 2009 Fedora Release Engineering - 1.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Feb 20 2009 Thomas Woerner 1.4.2-1 +- new version 1.4.2 +- removed TOS value mask patch (upstream) +- more review fixes (rhbz#225906) +- install all header files (rhbz#462207) +- dropped nf_ext_init (rhbz#472548) + +* Tue Jul 22 2008 Thomas Woerner 1.4.1.1-2 +- fixed TOS value mask problem (rhbz#456244) (upstream patch) +- two more cloexec fixes + +* Tue Jul 1 2008 Thomas Woerner 1.4.1.1-1 +- upstream bug fix release 1.4.1.1 +- dropped extra patch for 1.4.1 - not needed anymore + +* Tue Jun 10 2008 Thomas Woerner 1.4.1-1 +- new version 1.4.1 with new build environment +- additional ipv6 network mask patch from Jan Engelhardt +- spec file cleanup +- removed old patches + +* Fri Jun 6 2008 Tom "spot" Callaway 1.4.0-5 +- use normal kernel headers, not linux/compiler.h +- change BuildRequires: kernel-devel to kernel-headers +- We need to do this to be able to build for both sparcv9 and sparc64 + (there is no kernel-devel.sparcv9) + +* Thu Mar 20 2008 Thomas Woerner 1.4.0-4 +- use O_CLOEXEC for all opened files 
in all applications (rhbz#438189) + +* Mon Mar 3 2008 Thomas Woerner 1.4.0-3 +- use the kernel headers from the build tree for iptables for now to be able to + compile this package, but this makes the package more kernel dependant +- use s6_addr32 instead of in6_u.u6_addr32 + +* Wed Feb 20 2008 Fedora Release Engineering - 1.4.0-2 +- Autorebuild for GCC 4.3 + +* Mon Feb 11 2008 Thomas Woerner 1.4.0-1 +- new version 1.4.0 +- fixed condrestart (rhbz#428148) +- report the module in rmmod_r if there is an error +- use nf_ext_init instead of my_init for extension constructors + +* Mon Nov 5 2007 Thomas Woerner 1.3.8-6 +- fixed leaked file descriptor before fork/exec (rhbz#312191) +- blacklisting is not working, use "install X /bin/(true|false)" test instead +- return private exit code 150 for disabled ipv6 support +- use script name for output messages + +* Tue Oct 16 2007 Thomas Woerner 1.3.8-5 +- fixed error code for stopping a already stopped firewall (rhbz#321751) +- moved blacklist test into start + +* Wed Sep 26 2007 Thomas Woerner 1.3.8-4.1 +- do not start ip6tables if ipv6 is blacklisted (rhbz#236888) +- use simpler fix for (rhbz#295611) + Thanks to Linus Torvalds for the patch. 
+ +* Mon Sep 24 2007 Thomas Woerner 1.3.8-4 +- fixed IPv6 reject type (rhbz#295181) +- fixed init script: start, stop and status +- support netfilter compiled into kernel in init script (rhbz#295611) +- dropped inversion for limit modules from man pages (rhbz#220780) +- fixed typo in ip6tables man page (rhbz#236185) + +* Wed Sep 19 2007 Thomas Woerner 1.3.8-3 +- do not depend on local_fs in lsb header - this delayes start after network +- fixed exit code for initscript usage + +* Mon Sep 17 2007 Thomas Woerner 1.3.8-2.1 +- do not use lock file for condrestart test + +* Thu Aug 23 2007 Thomas Woerner 1.3.8-2 +- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459) +- provide iptc interface again, but unsupported (rhbz#216733) +- compile all extension, which are supported by the kernel-headers package +- review fixes (rhbz#225906) + +* Tue Jul 31 2007 Thomas Woerner +- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888) + +* Fri Jul 13 2007 Steve Conklin - 1.3.8-1 +- New version 1.3.8 + +* Mon Apr 23 2007 Jeremy Katz - 1.3.7-2 +- fix error when ipv6 support isn't loaded in the kernel (#236888) + +* Wed Jan 10 2007 Thomas Woerner 1.3.7-1.1 +- fixed installation of secmark modules + +* Tue Jan 9 2007 Thomas Woerner 1.3.7-1 +- new verison 1.3.7 +- iptc is not a public interface and therefore not installed anymore +- dropped upstream secmark patch + +* Tue Sep 19 2006 Thomas Woerner 1.3.5-2 +- added secmark iptables patches (#201573) + +* Wed Jul 12 2006 Jesse Keating - 1.3.5-1.2.1 +- rebuild + +* Fri Feb 10 2006 Jesse Keating - 1.3.5-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.3.5-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Feb 2 2006 Thomas Woerner 1.3.5-1 +- new version 1.3.5 +- fixed init script to set policy for raw tables, too (#179094) + +* Tue Jan 24 2006 Thomas Woerner 1.3.4-3 +- added important iptables header files to devel package + +* Fri Dec 09 2005 Jesse Keating +- 
rebuilt + +* Fri Nov 25 2005 Thomas Woerner 1.3.4-2 +- fix for plugin problem: link with "gcc -shared" instead of "ld -shared" and + replace "_init" with "__attribute((constructor)) my_init" + +* Fri Nov 25 2005 Thomas Woerner 1.3.4-1.1 +- rebuild due to unresolved symbols in shared libraries + +* Fri Nov 18 2005 Thomas Woerner 1.3.4-1 +- new version 1.3.4 +- dropped free_opts patch (upstream fixed) +- made libipq PIC (#158623) +- additional configuration options for iptables startup script (#172929) + Thanks to Jan Gruenwald for the patch +- spec file cleanup (dropped linux_header define and usage) + +* Mon Jul 18 2005 Thomas Woerner 1.3.2-1 +- new version 1.3.2 with additional patch for the misplaced free_opts call + from Marcus Sundberg + +* Wed May 11 2005 Thomas Woerner 1.3.1-1 +- new version 1.3.1 + +* Fri Mar 18 2005 Thomas Woerner 1.3.0-2 +- Remove unnecessary explicit kernel dep (#146142) +- Fixed out of bounds accesses (#131848): Thanks to Steve Grubb + for the patch +- Adapted iptables-config to reference to modprobe.conf (#150143) +- Remove misleading message (#140154): Thanks to Ulrich Drepper + for the patch + +* Mon Feb 21 2005 Thomas Woerner 1.3.0-1 +- new version 1.3.0 + +* Thu Nov 11 2004 Thomas Woerner 1.2.11-3.2 +- fixed autoload problem in iptables and ip6tables (CAN-2004-0986) + +* Fri Sep 17 2004 Thomas Woerner 1.2.11-3.1 +- changed default behaviour for IPTABLES_STATUS_NUMERIC to "yes" (#129731) +- modified config file to match this change and un-commented variables with + default values + +* Thu Sep 16 2004 Thomas Woerner 1.2.11-3 +- applied second part of cleanup patch from (#131848): thanks to Steve Grubb + for the patch + +* Wed Aug 25 2004 Thomas Woerner 1.2.11-2 +- fixed free bug in iptables (#128322) + +* Tue Jun 22 2004 Thomas Woerner 1.2.11-1 +- new version 1.2.11 + +* Thu Jun 17 2004 Thomas Woerner 1.2.10-1 +- new version 1.2.10 + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Thu Feb 26 
2004 Thomas Woerner 1.2.9-2.3 +- fixed iptables-restore -c fault if there are no counters (#116421) + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Sun Jan 25 2004 Dan Walsh 1.2.9-1.2 +- Close File descriptors to prevent SELinux error message + +* Wed Jan 7 2004 Thomas Woerner 1.2.9-1.1 +- rebuild + +* Wed Dec 17 2003 Thomas Woerner 1.2.9-1 +- vew version 1.2.9 +- new config options in ipXtables-config: + IPTABLES_MODULES_UNLOAD +- more documentation in ipXtables-config +- fix for netlink security issue in libipq (devel package) +- print fix for libipt_icmp (#109546) + +* Thu Oct 23 2003 Thomas Woerner 1.2.8-13 +- marked all messages in iptables init script for translation (#107462) +- enabled devel package (#105884, #106101) +- bumped build for fedora for libipt_recent.so (#106002) + +* Tue Sep 23 2003 Thomas Woerner 1.2.8-12.1 +- fixed lost udp port range in ip6tables-save (#104484) +- fixed non numeric multiport port output in ipXtables-savs + +* Mon Sep 22 2003 Florian La Roche 1.2.8-11 +- do not link against -lnsl + +* Wed Sep 17 2003 Thomas Woerner 1.2.8-10 +- made variables in rmmod_r local + +* Tue Jul 22 2003 Thomas Woerner 1.2.8-9 +- fixed permission for init script + +* Sat Jul 19 2003 Thomas Woerner 1.2.8-8 +- fixed save when iptables file is missing and iptables-config permissions + +* Tue Jul 8 2003 Thomas Woerner 1.2.8-7 +- fixes for ip6tables: module unloading, setting policy only for existing + tables + +* Thu Jul 3 2003 Thomas Woerner 1.2.8-6 +- IPTABLES_SAVE_COUNTER defaults to no, now +- install config file in /etc/sysconfig +- exchange unload of ip_tables and ip_conntrack +- fixed start function + +* Wed Jul 2 2003 Thomas Woerner 1.2.8-5 +- new config option IPTABLES_SAVE_ON_RESTART +- init script: new status, save and restart +- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374 + +* Mon Jun 30 2003 Thomas Woerner 1.2.8-4 +- new config option IPTABLES_STATUS_NUMERIC +- cleared IPTABLES_MODULES in iptables-config + +* Mon Jun 30 
2003 Thomas Woerner 1.2.8-3 +- new init scripts + +* Sat Jun 28 2003 Florian La Roche +- remove check for very old kernel versions in init scripts +- sync up both init scripts and remove some further ugly things +- add some docu into rpm + +* Thu Jun 26 2003 Thomas Woerner 1.2.8-2 +- rebuild + +* Mon Jun 16 2003 Thomas Woerner 1.2.8-1 +- update to 1.2.8 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Mon Jan 13 2003 Bill Nottingham 1.2.7a-1 +- update to 1.2.7a +- add a plethora of bugfixes courtesy Michael Schwendt + +* Fri Dec 13 2002 Elliot Lee 1.2.6a-3 +- Fix multilib + +* Wed Aug 07 2002 Karsten Hopp +- fixed iptables and ip6tables initscript output, based on #70511 +- check return status of all iptables calls, not just the last one + in a 'for' loop. + +* Mon Jul 29 2002 Bernhard Rosenkraenzer 1.2.6a-1 +- 1.2.6a (bugfix release, #69747) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Mon Mar 4 2002 Bernhard Rosenkraenzer 1.2.5-3 +- Add some fixes from CVS, fixing bug #60465 + +* Tue Feb 12 2002 Bernhard Rosenkraenzer 1.2.5-2 +- Merge ip6tables improvements from Ian Prowell + #59402 +- Update URL (#59354) +- Use /sbin/chkconfig rather than chkconfig in %%postun script + +* Fri Jan 11 2002 Bernhard Rosenkraenzer 1.2.5-1 +- 1.2.5 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Mon Nov 5 2001 Bernhard Rosenkraenzer 1.2.4-2 +- Fix %%preun script + +* Tue Oct 30 2001 Bernhard Rosenkraenzer 1.2.4-1 +- Update to 1.2.4 (various fixes, including security fixes; among others: + #42990, #50500, #53325, #54280) +- Fix init script (#31133) + +* Mon Sep 3 2001 Bernhard Rosenkraenzer 1.2.3-1 +- 1.2.3 (5 security fixes, some other fixes) +- Fix updating (#53032) + +* Mon Aug 27 2001 Bernhard Rosenkraenzer 1.2.2-4 +- Fix #50990 +- Add some fixes from current CVS; should fix #52620 + +* Mon Jul 16 2001 Bernhard Rosenkraenzer 1.2.2-3 +- Add some fixes from the current CVS tree; fixes #49154 and some IPv6 + 
issues + +* Tue Jun 26 2001 Bernhard Rosenkraenzer 1.2.2-2 +- Fix iptables-save reject-with (#45632), Patch from Michael Schwendt + + +* Tue May 8 2001 Bernhard Rosenkraenzer 1.2.2-1 +- 1.2.2 + +* Wed Mar 21 2001 Bernhard Rosenkraenzer +- 1.2.1a, fixes #28412, #31136, #31460, #31133 + +* Thu Mar 1 2001 Bernhard Rosenkraenzer +- Yet another initscript fix (#30173) +- Fix the fixes; they fixed some issues but broke more important + stuff :/ (#30176) + +* Tue Feb 27 2001 Bernhard Rosenkraenzer +- Fix up initscript (#27962) +- Add fixes from CVS to iptables-{restore,save}, fixing #28412 + +* Fri Feb 09 2001 Karsten Hopp +- create /etc/sysconfig/iptables mode 600 (same problem as #24245) + +* Mon Feb 05 2001 Karsten Hopp +- fix bugzilla #25986 (initscript not marked as config file) +- fix bugzilla #25962 (iptables-restore) +- mv chkconfig --del from postun to preun + +* Thu Feb 1 2001 Trond Eivind Glomsrød +- Fix check for ipchains + +* Mon Jan 29 2001 Bernhard Rosenkraenzer +- Some fixes to init scripts + +* Wed Jan 24 2001 Bernhard Rosenkraenzer +- Add some fixes from CVS, fixes among other things Bug #24732 + +* Wed Jan 17 2001 Bernhard Rosenkraenzer +- Add missing man pages, fix up init script (Bug #17676) + +* Mon Jan 15 2001 Bill Nottingham +- add init script + +* Mon Jan 15 2001 Bernhard Rosenkraenzer +- 1.2 +- fix up ipv6 split +- add init script +- Move the plugins from /usr/lib/iptables to /lib/iptables. + This needs to work before /usr is mounted... +- Use -O1 on alpha (compiler bug) + +* Sat Jan 6 2001 Bernhard Rosenkraenzer +- 1.1.2 +- Add IPv6 support (in separate package) + +* Thu Aug 17 2000 Bill Nottingham +- build everywhere + +* Tue Jul 25 2000 Bernhard Rosenkraenzer +- 1.1.1 + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Tue Jun 27 2000 Preston Brown +- move iptables to /sbin. +- excludearch alpha for now, not building there because of compiler bug(?) 
+
+* Fri Jun 9 2000 Bill Nottingham
+- don't obsolete ipchains either
+- update to 1.1.0
+
+* Sun Jun 4 2000 Bill Nottingham
+- remove explicit kernel requirement
+
+* Tue May 2 2000 Bernhard Rosenkränzer
+- initial package
diff --git a/sources b/sources
new file mode 100644
index 0000000..a7e9f94
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
diff --git a/sysconfig_ip6tables b/sysconfig_ip6tables
new file mode 100644
index 0000000..34b8b87
--- /dev/null
+++ b/sysconfig_ip6tables
@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
diff --git a/sysconfig_iptables b/sysconfig_iptables
new file mode 100644
index 0000000..5183250
--- /dev/null
+++ b/sysconfig_iptables
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/tests/NFQUEUE-queue-bypass/Makefile b/tests/NFQUEUE-queue-bypass/Makefile
new file mode 100644
index 0000000..a4553d4
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+# Description: Test for "--queue-bypass" backport
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ales Zelinka " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for \"--queue-bypass\" backport" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/NFQUEUE-queue-bypass/PURPOSE b/tests/NFQUEUE-queue-bypass/PURPOSE
new file mode 100644
index 0000000..4f2548e
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+Description: Test for "--queue-bypass" backport
+Author: Ales Zelinka
+Bug summary: "--queue-bypass" backport
diff --git a/tests/NFQUEUE-queue-bypass/runtest.sh b/tests/NFQUEUE-queue-bypass/runtest.sh
new file mode 100755
index 0000000..05213b7
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/runtest.sh
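Review bot: The DHCPv6 client rule `-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT` restricts only the destination, so NEW UDP/546 is accepted from any source address as long as it is aimed at a link-local address; in the normal on-link case the server or relay answers from its own link-local address, so adding `-s fe80::/64` would tighten it without breaking the exchange (worth confirming against the relay setups this default is meant to cover). The header comment `# you can edit this manually or use system-config-firewall` refers to a tool that, as far as I know, is no longer shipped on RHEL 9 and is likely stale for this import — either point at firewalld/firewall-cmd or drop the tool reference. `-m state` is the legacy alias for `-m conntrack --ctstate` (the changelog in this same patch notes `libxt_state` became an alias to `xt_conntrack`); it still works, so this is a style point for a file that will be copied as a template.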
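Review bot: This default ruleset is fail-open: the chain policies `:INPUT ACCEPT [0:0]` and `:FORWARD ACCEPT [0:0]` are ACCEPT and the deny is only the trailing `-A INPUT -j REJECT --reject-with icmp-host-prohibited` rule, so anything that flushes the chain without restoring it (a partially failed `iptables-restore`, a manual `-F`, or the service's stop path if it flushes before resetting policies — not visible in this hunk) leaves the host with no filtering at all. If the intent is a default-deny host firewall, `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` with the REJECT rules kept for the friendlier error is the fail-closed form; if the ACCEPT policy is deliberate so that stopping the service opens the box, a one-line comment saying so would help, since the file only tells the reader not to ask for more ports. The `system-config-firewall` reference in the second comment line is probably stale for RHEL 9 as well.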
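Review bot: The `.PHONY: all install download clean` line declares three targets (`all`, `install`, `download`) that this Makefile never defines, while the targets that really are phony — `run` and `build`, which produce no file of that name — are not listed, so a stray file named `build` or `run` in the test directory would silently satisfy them; suggest `.PHONY: run build clean`. The `@echo "Owner: Ales Zelinka " > $(METADATA)` line has only a trailing space where the maintainer e-mail would normally sit; that may be an artifact of how this patch was rendered rather than of the import, but it is worth confirming since rhts-lint checks the Owner field.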
@@ -0,0 +1,54 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+# Description: Test for "--queue-bypass" backport
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+
+ rlPhaseStartTest control-ping
+ rlRun "ping -w 2 -c 2 127.0.0.1"
+ rlPhaseEnd
+
+ rlPhaseStartTest NFQUEUE-no-listener
+ rlRun "iptables -I INPUT -p icmp -j NFQUEUE" 0 "queue all icmp for userspace processing"
+ rlRun "ping -w 2 -c 2 127.0.0.1" 1-255 "ping 127.0.0.1 - none is listening on queue so packets will be dropped"
+ rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0 "removing the queue rule"
+ rlPhaseEnd
+
+ rlPhaseStartTest NFQUEUE-no-listener-bypass
+ rlRun "iptables -I INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "queue all icmp for userspace processing, bypass if no one is listening"
+ rlRun "ping -w 2 -c 2 127.0.0.1" 0 "ping 127.0.0.1 - none is listening on queue - bypass will make packets go through"
+ rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "removing the queue rule"
+ rlPhaseEnd
+
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile b/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
new file mode 100644
index 0000000..5a56668
--- /dev/null
+++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
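Review bot: `PACKAGE="iptables"` is assigned but never checked with `rlAssertRpm $PACKAGE`, and the script has no setup or cleanup phase, so the NFQUEUE rule inserted at the head of the live INPUT chain is removed only if the test phase runs to its end; a run that aborts between the `-I` and the `-D` leaves every ICMP packet to the host queued to a listener that does not exist, i.e. dropped. Move the two `-D` calls into an `rlPhaseStartCleanup` block with expected codes `0,1` so they run on every exit path, and add a setup phase with `rlAssertRpm $PACKAGE` as the other tests in this series do.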
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target +# Description: Test for [RFE] Enable the missing IPv6 "SET" target +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for [RFE] Enable the missing IPv6 \"SET\" target" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables ipset" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE b/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE new file mode 100644 index 0000000..baa182c --- /dev/null +++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target +Description: Test for [RFE] Enable the missing IPv6 "SET" target +Author: Tomas Dolezal +Bug summary: [RFE] Enable the missing IPv6 "SET" target userland ip6tables support to enable ipset to be usable with IPv6 diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh b/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh new file mode 100755 index 0000000..32eab99 --- /dev/null 
+++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
+# Description: Test for [RFE] Enable the missing IPv6 "SET" target
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+IPSET=testset6
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "ipset create $IPSET hash:ip family inet6"
+ rlRun "ipset add testset6 1234::3456"
+ rlRun "ip6tables-save -t filter > ipt6.save"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ RULE1="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j LOG --log-prefix 'LOG:IPSET added to $IPSET'"
+ RULE2="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j SET --add-set $IPSET src"
+ for op in -A -C -D; do #add, check, delete
+ rlRun "ip6tables $op $RULE1" 0 "do $op logrule"
+ rlRun "ip6tables $op $RULE2" 0 "do $op -j SET rule"
+ done
+ rlRun "ip6tables-save -t filter > ipt6.save2"
+ rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt6*" 0 "magically unify savefiles"
+ rlAssertNotDiffer ipt6.save ipt6.save2
+ diff -u ipt6.save ipt6.save2
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ipset destroy $IPSET"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile
new file mode 100644
index 0000000..33fb03c
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile
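Review bot: `rlRun "ipset add testset6 1234::3456"` hard-codes the set name that `IPSET=testset6` was introduced to carry, while every other reference (create, the two rules, destroy) uses the variable; renaming the set later makes this one line fail against a set that no longer exists. Use `rlRun "ipset add $IPSET 1234::3456"`. The `sed ... -i ipt6*` normalisation depends on the glob matching only the two save files, which holds because the phase runs inside the freshly created TmpDir; a comment saying so would make the dependency explicit.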
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6 +# Description: Test for RFE iptables add -C option to iptables in RHEL6 to +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6 +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE rules.in + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for RFE iptables add -C option to iptables in RHEL6 to" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE new file mode 100644 index 0000000..2f3ed01 --- /dev/null +++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6 +Description: Test for RFE iptables add -C option to iptables in RHEL6 to +Author: Tomas Dolezal +Bug summary: RFE: iptables: add -C option to iptables in RHEL6 to check for existing rules diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in new file mode 100644 index 0000000..454f78f --- /dev/null 
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in 
@@ -0,0 +1,50 @@
+# vim: ft=sh
+rules4=(
+"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
+"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
+"-A INPUT -p icmp -j ACCEPT"
+"-A INPUT -i lo -j ACCEPT"
+"-A INPUT -i ippp+ -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"
+"-A INPUT -p ah -j ACCEPT"
+"-A INPUT -p esp -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
+"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A FORWARD -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
+"-A FORWARD -p icmp -j ACCEPT"
+"-A FORWARD -i lo -j ACCEPT"
+"-A FORWARD -i ippp+ -j ACCEPT"
+"-A FORWARD -o tun+ -j ACCEPT"
+"-A INPUT -j REJECT --reject-with icmp-host-prohibited"
+"-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
+)
+
+rules6=(
+"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A INPUT -p ipv6-icmp -j ACCEPT"
+"-A INPUT -i lo -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT"
+"-A INPUT -i ippp+ -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT"
+"-A INPUT -m ipv6header --header ah -j ACCEPT"
+"-A INPUT -m ipv6header --header esp -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
+"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A FORWARD -p ipv6-icmp -j ACCEPT"
+"-A FORWARD -i lo -j ACCEPT"
+"-A FORWARD -i ippp+ -j ACCEPT"
+"-A INPUT -j REJECT --reject-with icmp6-adm-prohibited"
+"-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"
+)
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
new file mode 100755
index 0000000..438468d
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
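Review bot: `"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"` is listed twice in rules4 and twice again in rules6; the second copy only appends an identical rule, so the `-C` check in runtest.sh exercises nothing new and the total rule count becomes harder to reason about. Drop the duplicate in each array, or add a comment above it (`# intentional duplicate: -C must still match`) if it is meant to stay. The file is sourced into the test shell, so a stray character inside either array would be executed there rather than passed to iptables; keep every entry a single double-quoted string as they are now.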
@@ -0,0 +1,73 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
+# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+TESTD=$PWD
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "source $TESTD/rules.in" 0 "read ruleset"
+ rlRun "iptables -F"
+ rlRun "ip6tables -F"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ declare -i sane=0
+ for i in ${!rules4[*]}; do
+ let sane++
+ rlRun "iptables ${rules4[$i]}"
+ testrule="${rules4[$i]/-A/-C}"
+ rlRun "iptables $testrule"
+ done
+ for i in ${!rules6[*]}; do
+ let sane++
+ rlRun "ip6tables ${rules6[$i]}"
+ testrule="${rules6[$i]/-A/-C}"
+ rlRun "ip6tables $testrule"
+ done
+ #check itercount
+ if [[ $sane -lt 40 ]]; then
+ rlFail "test insane, do inspect" # rules were not properly loaded!
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "iptables -F"
+ rlRun "iptables -t nat -F"
+ rlRun "ip6tables -F"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/Makefile b/tests/TRACE-target-of-iptables-can-t-work-in/Makefile
new file mode 100644
index 0000000..7df75a1
--- /dev/null
+++ b/tests/TRACE-target-of-iptables-can-t-work-in/Makefile
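Review bot: the setup phase runs `iptables -F` and `ip6tables -F` on the host's live filter tables without saving them first, and cleanup flushes again (plus `iptables -t nat -F`) instead of restoring, so whatever ruleset the machine had before the test is gone afterwards. Save with `rlRun "iptables-save > ipt.save"` and `rlRun "ip6tables-save > ip6t.save"` in setup and restore with `iptables-restore < ipt.save` / `ip6tables-restore < ip6t.save` in cleanup, or stop and restore the firewall services with rlServiceStop/rlServiceRestore as the cgroup test in this series does. The sanity threshold `[[ $sane -lt 40 ]]` is a magic number that silently drifts from rules.in; `if (( sane != ${#rules4[@]} + ${#rules6[@]} )); then` ties it to the sourced arrays. `let sane++` also yields a non-zero status on the first iteration because the post-increment expression evaluates to 0; `sane=$((sane + 1))` avoids that trap.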
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in +# Description: Test for TRACE target of iptables can't work in +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for TRACE target of iptables can't work in" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables iptables-services" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE b/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE new file mode 100644 index 0000000..7b690d2 --- /dev/null +++ b/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in +Description: Test for TRACE target of iptables can't work in +Author: Tomas Dolezal +Bug summary: TRACE target of iptables can't work in RHEL7.1/RHEL7.2 diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh b/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh new file mode 100755 index 0000000..889c1b6 --- /dev/null +++ b/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh 
@@ -0,0 +1,136 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
+# Description: Test for TRACE target of iptables can't work in
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+SERVICES="iptables ip6tables firewalld"
+
+prepare_page() {
+ section=$1
+ name=$2
+ dest=${name}.manpage
+ zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest}
+ rlAssertExists ${dest}
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel
+ rlLogInfo $(uname -r)
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ prepare_page 8 iptables-extensions
+ for svc in $SERVICES; do
+ rlServiceStop $svc
+ done
+ rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface"
+ IFACE="$(< default-iface)"
+ rlAssertExists "/sys/class/net/$IFACE"
+ rlRun "ip route save > ip-route.save" 0 "save routing info"
+ rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info"
+ rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route"
+ rlRun "rmmod nf_log_ipv4" 0,1
+ rlRun "rmmod nf_log_ipv6" 0,1
+ rlPhaseEnd
+
+ rlPhaseStartTest "manpage check"
+ rlAssertGrep "nfnetlink_log" iptables-extensions.manpage
+ if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then
+ # RHEL version-specific libxt_TRACE man page patchs
+ rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage
+ rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei
+ fi
+ rlPhaseEnd
+
+ ipv4_ping() {
+ rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)"
+ }
+ ipv6_ping() {
+ rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)"
+ }
+ get_messages() {
+ if rlIsFedora; then
+ journalctl -qkb
+ else
+ cat /var/log/messages
+ fi
+ }
+
+ rlPhaseStartTest "iptables_TRACE"
+ rlRun "get_messages > messages.log-orig"
+ rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0
+ rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0
+ if rlTestVersion "$(uname -r)" "<" "4.6"; then
+ ipv4_ping; ipv6_ping
+ rlRun "get_messages > messages.current"
+
+ rlRun "diff messages.log-orig messages.current > diff.1" 0,1
+ echo --debug_START--
+ cat diff.1
+ echo --debug_END--
+ rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module"
+ rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module"
+ rlAssertNotGrep "TRACE" diff.1
+ else
+ rlLogInfo "new kernel detected: skipping loading modules and associated checks"
+ fi
+ ipv4_ping; ipv6_ping
+ rlRun "get_messages > messages.current"
+
+ rlRun "diff messages.log-orig messages.current > diff.2" 0,1
+ rlAssertGrep "TRACE" diff.2
+ rlAssertGrep "TRACE.*PROTO=ICMP " diff.2
+ rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2
+ echo --debug_START--
+ cat diff.2
+ echo --debug_END--
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ip route flush default" 0 "flush ip route data"
+ rlRun "ip -6 route flush default" 0 "flush ipv6 route data"
+ rlRun "ip route restore < ip-route.save" 0 "restore routing info"
+ rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6"
+ rlRun "iptables -t raw -F"
+ rlRun "ip6tables -t raw -F"
+ rlRun "rmmod nf_log_ipv4"
+ rlRun "rmmod nf_log_ipv6"
+ rlRun "rmmod nf_log_common"
+ rlRun "rmmod nfnetlink_log" 0,1
+ rlLogInfo "restoring services"
+ for svc in $SERVICES; do
+ rlServiceRestore $svc
+ done
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile b/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
new file mode 100644
index 0000000..7ebab54
--- /dev/null
+++ b/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
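Review bot: when the host has no IPv4 default route, `default-iface` is empty and `rlAssertExists "/sys/class/net/$IFACE"` passes on the directory itself, so setup carries on with an empty IFACE until the later `ip -6 r add default dev` fails for an unrelated reason. Assert the value before using it, e.g. `rlAssertNotEquals "default interface found" "$IFACE" ""`. In `prepare_page` the variables `section`, `name` and `dest` are not declared `local` and `${dest}` is unquoted, so they leak into the script's global scope. Cleanup expects `rmmod nf_log_ipv4`, `nf_log_ipv6` and `nf_log_common` to succeed (default expected code 0) while setup tolerates `0,1` for the same modules; if one is not loaded at that point the cleanup phase fails for a reason that has nothing to do with TRACE, so `0,1` there would match the setup side.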
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend +# Description: Test for backport iptables add libxt_cgroup frontend +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for backport iptables add libxt_cgroup frontend" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables libcgroup-tools" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE b/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE new file mode 100644 index 0000000..ec49073 --- /dev/null +++ b/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend +Description: Test for backport iptables add libxt_cgroup frontend +Author: Tomas Dolezal +Bug summary: Backport: iptables: add libxt_cgroup frontend diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh b/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh new file mode 100755 index 0000000..888dfbd --- /dev/null +++ b/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh 
@@ -0,0 +1,111 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
+# Description: Test for backport iptables add libxt_cgroup frontend
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+CGNUM="15"
+CGNAME="15"
+CGDIR="/sys/fs/cgroup/net_cls/$CGNAME"
+DEST_IP4="192.0.2.99" # TEST-NET-1
+DEST_IP42="192.0.2.199" # TEST-NET-1
+DEST_IP6="2001:0db8:0000:0000:0000:0000:0000:abc0" #has to be expanded due to matching !
+DEST_IP62="2001:0db8:0000:0000:0000:0000:0000:abc1"
+SKIP6=false
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel-$(uname -r)
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ if rlIsRHEL '>=7'; then
+ rlServiceStop firewalld
+ sleep 1
+ fi
+ rlLogInfo "check if net_cls cgroup is present"
+ rlAssertGrep "cgroup.*net_cls" /proc/mounts
+ rlRun "cgcreate -g net_cls:$CGNAME" 0 "create cgroup '15'"
+ rlRun "echo $CGNUM > $CGDIR/net_cls.classid" 0 "assign numerical id to cgroup"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ ping -W 1 -c 30 $DEST_IP4 &
+ PING4_P1=$! EC4=$?
+ ping -W 1 -c 30 $DEST_IP42 &
+ PING4_P2=$! EC42=$?
+ rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"
+
+ ping6 -W 1 -c 30 $DEST_IP6 &
+ PING6_P1=$! EC6=$?
+ sleep 1
+ if [[ $EC6 -eq 2 ]] || ! kill -0 $PING6_P1 2>/dev/null; then
+ rlLogInfo "skipping ipv6 test, network stack unavailable"
+ SKIP6=true
+ else
+ ping6 -W 1 -c 30 $DEST_IP62 &
+ PING6_P2=$!
+ rlRun "kill -0 $PING6_P1 && kill -0 $PING6_P2" 0 "ping ipv6 running to $DEST_IP6, $DEST_IP62"
+ fi
+ journalctl -fkb > dmesg.out &
+ DMESG_P=$!
+ echo > dmesg.out # clear dmesg out
+
+ rlRun "iptables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
+ rlRun "ip6tables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
+
+ rlRun "echo $PING4_P2 >> $CGDIR/tasks" 0 "Add second ping to cgroup '15'"
+ $SKIP6 || rlRun "echo $PING6_P2 >> $CGDIR/tasks" 0 "Add second ping6 to cgroup '15'"
+ cat $CGDIR/tasks
+ sleep 10
+ cat dmesg.out
+ rlAssertGrep "$DEST_IP42" dmesg.out
+ $SKIP6 || rlAssertGrep "$DEST_IP62" dmesg.out
+ rlAssertNotGrep "$DEST_IP4" dmesg.out
+ rlAssertNotGrep "$DEST_IP6" dmesg.out
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ kill $DMESG_P
+ # pings die after 30s of execution either way
+ kill $PING4_P1
+ kill $PING4_P2
+ $SKIP6 || kill $PING6_P1
+ $SKIP6 || kill $PING6_P2
+ sleep 1
+
+ rlRun "iptables -F" 0 "cleanup iptables"
+ rlRun "ip6tables -F" 0 "cleanup ip6tables"
+ rlServiceRestore firewalld
+ rlRun "cgdelete -g net_cls:$CGNAME" 0 "delete cgroup"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/initscript-sanity/Makefile b/tests/initscript-sanity/Makefile
new file mode 100644
index 0000000..cae5ac3
--- /dev/null
+++ b/tests/initscript-sanity/Makefile
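Review bot: `PING4_P1=$! EC4=$?` (and likewise `EC42`, `EC6`) reads `$?` right after a command was backgrounded with `&`, which is the status of launching the job, always 0, not ping's exit code; the `[[ $EC4 -eq 0 && $EC42 -eq 0 ]]` assertion therefore always passes and `[[ $EC6 -eq 2 ]]` can never be true, so only the `kill -0` probe actually detects a ping6 that died. Drop the EC variables and probe the IPv4 pings the same way after a short sleep: `rlRun "kill -0 $PING4_P1 && kill -0 $PING4_P2" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"`. `journalctl -fkb > dmesg.out &` followed by `echo > dmesg.out` can race with journalctl replaying the whole boot log, so kernel LOG lines from earlier in this boot that mention `$DEST_IP4` may survive into the file and trip `rlAssertNotGrep`; `journalctl -fk -n 0 > dmesg.out &` starts at the current tail and makes the truncation unnecessary.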
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Sanity/initscript-sanity +# Description: initscript-sanity +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Sanity/initscript-sanity +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: initscript-sanity" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables iptables-services" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo 
"Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/initscript-sanity/PURPOSE b/tests/initscript-sanity/PURPOSE new file mode 100644 index 0000000..a533943 --- /dev/null +++ b/tests/initscript-sanity/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Sanity/initscript-sanity +Description: initscript-sanity +Author: Tomas Dolezal +Bug summary: Can not "service iptables save": restorecon not found diff --git a/tests/initscript-sanity/runtest.sh b/tests/initscript-sanity/runtest.sh new file mode 100755 index 0000000..e270b78 --- /dev/null +++ b/tests/initscript-sanity/runtest.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/initscript-sanity
+# Description: initscript-sanity
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlLogInfo 'Can not "service iptables save": restorecon not found'
+ if rlIsRHEL 6 7 ; then
+ rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init
+ rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/ip6tables.init
+ else
+ rlLogInfo 'skipping: test not applicable to this OS release'
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
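Review bot: The two `rlAssertGrep` calls in the test phase hand their pattern to grep as a regular expression, so `[ ! -x "$RESTORECON" ]` is read as a bracket expression (with ` -x` forming a character range) rather than as the literal init-script text, and the assertion can pass on lines that are not the fallback being checked. Pass the pattern as a fixed string, e.g. `rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init -F` (beakerlib forwards trailing options to grep, as other runtests in this commit already do with `-E`). Note also that the `rlIsRHEL 6 7` guard turns the whole test phase into a no-op on the RHEL 9 / ELN target this branch is for, so the test reports PASS there without checking anything; a comment such as `# the restorecon fallback only exists in the RHEL 6/7 init scripts; elsewhere this test is a no-op` would make that intentional rather than surprising.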
diff --git a/tests/inventory b/tests/inventory
new file mode 100755
index 0000000..b118a5a
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,3 @@
+#!/bin/bash
+export TEST_DOCKER_EXTRA_ARGS="--privileged"
+exec merge-standard-inventory "$@"
diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile
new file mode 100644
index 0000000..5b7f979
--- /dev/null
+++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile
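Review bot: `TEST_DOCKER_EXTRA_ARGS="--privileged"` is exported with no comment saying why the test container needs full privilege; from the runtests in this commit it is presumably because they modify netfilter tables, cgroups and network namespaces and stop/start services. A one-line comment such as `# tests change netfilter tables, cgroups and netns and restart services: the container must run privileged` would record the requirement, and lets whoever maintains the inventory judge later whether a narrower `--cap-add` set is enough instead of `--privileged`.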
@@ -0,0 +1,62 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets +# Description: Test for while adding iptables rules with ipv6 sets in +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2014 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for while adding iptables rules with ipv6 sets in" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables bridge-utils ipset" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE new file mode 100644 index 0000000..a3cf0eb --- /dev/null +++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets +Description: Test for while adding iptables rules with ipv6 sets in +Author: Tomas Dolezal +Bug summary: while adding iptables rules with ipv6 sets in destination direction, either individually or combined with source we see error messages. 
diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
new file mode 100755
index 0000000..75f7413
--- /dev/null
+++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
@@ -0,0 +1,85 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets +# Description: Test for while adding iptables rules with ipv6 sets in +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2014 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="iptables" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm $PACKAGE + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "ip6tables-save > ip6tables.backup" + rlRun "iptables-save > iptables.backup" + rlRun "brctl addbr testbr" 0 "create bridge iface" + rlPhaseEnd + + rlPhaseStartTest + rlRun "ipset create ipsetv6 hash:net timeout 60 family inet6" 0 "Create hash:net ipset for ipv6" + rlRun "ipset create ipsetv4 hash:net timeout 60 family inet" 0 "Create hash:net ipset for ipv4" + rlRun "ipset list ipsetv6" 0 "verify ipsetv6 presence" + rlRun "ipset list ipsetv4" 0 "verify ipsetv4 presence" +# echo waiting; read; echo cont + checkRule() { + binary="$1" + comment="$2" + rlRun "$binary -t mangle $RULE" 0 "$comment" + rlRun "$binary-save | grep -qe '$RULE'" 0 "verify rule" + } + for i in dst src dst,src src,dst; do + # 6,4 (+) + RULE="-A PREROUTING -i testbr -m set --match-set ipsetv6 $i -j ACCEPT" + checkRule ip6tables "[ipv6] direction: $i. adding ip6tables rule to match set" + RULE="-A PREROUTING -i testbr -m set --match-set ipsetv4 $i -j ACCEPT" + checkRule iptables "[ipv4] direction: $i. adding iptables rule to match set" + + # 6,4 (-) + RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv6 $i -j ACCEPT" + checkRule ip6tables "[ipv6] direction: $i. adding negated ip6tables rule to match set" + RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv4 $i -j ACCEPT" + checkRule iptables "[ipv4] direction: $i. 
adding negated iptables rule to match set" + done + ip6tables-save + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "ip6tables -t mangle -F" + rlRun "iptables -t mangle -F" + rlRun "ip6tables-restore < ip6tables.backup" + rlRun "iptables-restore < iptables.backup" + rlRun "ip link set down dev testbr" + rlRun "brctl delbr testbr" 0 "remove bridge iface" + rlRun "ipset destroy ipsetv6" 0 "remove ipv6 ipset" + rlRun "ipset destroy ipsetv4" 0 "remove ipv4 ipset" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile new file mode 100644 index 0000000..e489837 --- /dev/null +++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile 
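Review bot: `checkRule` assigns `binary` and `comment` as globals; they should be `local binary="$1"` and `local comment="$2"` so the helper does not leak variables into the phase that calls it. Its verification step `$binary-save | grep -qe '$RULE'` treats the rule as a regular expression; `grep -qF -- "$RULE"` checks the literal text the test is about. Separately, setup depends on `brctl addbr testbr` (the Makefile requires `bridge-utils`), which as far as I know is not shipped on recent RHEL/ELN releases; `ip link add testbr type bridge` in setup and `ip link del testbr` in cleanup would remove that dependency.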
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by +# Description: Test for ip6tables service does not allow dhcpv6-client by +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for ip6tables service does not allow dhcpv6-client by" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables iptables-services" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE new file mode 100644 index 0000000..453fc1e --- /dev/null +++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by +Description: Test for ip6tables service does not allow dhcpv6-client by +Author: Tomas Dolezal +Bug summary: ip6tables service does not allow dhcpv6-client by default diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh new file mode 100755 index 0000000..f59a908 --- /dev/null 
+++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
+# Description: Test for ip6tables service does not allow dhcpv6-client by
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "cp /etc/sysconfig/ip6tables ."
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "sed -ie '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"
+ echo --debug--; cat ip6tables
+ rlAssertGrep "-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT" ip6tables
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
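Review bot: `sed -ie '/REJECT/,// d' ip6tables` is parsed by GNU sed as `-i` with the backup suffix `e`, not as `-i -e`; it works, but leaves a stray `ip6tablese` file behind, so write `sed -i -e '/REJECT/,// d' ip6tables`. The intent of that deletion is not stated: the empty `//` address reuses the REJECT regex, so the command removes everything from the first REJECT rule onward, and the `rlAssertGrep` that follows therefore verifies that the dhcpv6-client ACCEPT rule is placed before the REJECT rules rather than merely present; a comment such as `# drop everything from the first REJECT on: the DHCPv6 client rule must precede it` would record that. Setup also copies `/etc/sysconfig/ip6tables`, which presumably comes from iptables-services (the Makefile requires it) rather than from the asserted `iptables` package, so `rlAssertRpm iptables-services` or `rlAssertExists /etc/sysconfig/ip6tables` would make a missing file fail setup with a clear message.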
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile
new file mode 100644
index 0000000..13ff3c8
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP +# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE new file mode 100644 index 0000000..a4b72da --- /dev/null +++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP +Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP +Author: Tomas Dolezal +Bug summary: ip6tables -t nat -A POSTROUTING/OUTPUT with DROP target can't filter packets diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh new file mode 100644 index 0000000..1d3e2ab --- /dev/null 
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+ip netns del cs_client >/dev/null 2>&1
+ip link del veth0 >/dev/null 2>&1
+
+ip netns add cs_client
+ip link add type veth
+ip link set veth1 name eth1 netns cs_client
+
+export cs_client_if1=eth1
+export cs_server_if1=veth0
+export cs_client_ip1=2001:db8:ffff::1
+export cs_server_ip1=2001:db8:ffff::2
+
+ip netns exec cs_client ip link set $cs_client_if1 up
+ip link set $cs_server_if1 up
+ip netns exec cs_client ip -6 addr add $cs_client_ip1/64 dev $cs_client_if1
+ip -6 addr add $cs_server_ip1/64 dev $cs_server_if1
+ip netns exec cs_client ifconfig lo up
+ifconfig lo up
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
new file mode 100755
index 0000000..79b2696
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
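Review bot: `env.sh` is not sourced by the sibling `runtest.sh` added in this commit and is not in the Makefile's `FILES` list, so it is neither installed nor executed; either wire it in (`. ./env.sh` in the setup phase plus an entry in `FILES`) or drop it. If it stays, it has no error handling: without `set -e`, a failed `ip netns add cs_client` lets every following `ip netns exec cs_client …` command fail in turn with nothing reported to the caller, so add `set -e` after the shebang (the two teardown lines already tolerate failure through their redirects). The two `ifconfig lo up` calls also pull in net-tools, which the test does not require; `ip link set lo up` and `ip netns exec cs_client ip link set lo up` use the tool the script already relies on.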
@@ -0,0 +1,83 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP +# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="iptables" +SERVICES="iptables ip6tables firewalld" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm $PACKAGE + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + for svc in $SERVICES; do + rlServiceStop $svc + done + rlRun "iptables -t nat -F" + rlRun "ip6tables -t nat -F" + rlPhaseEnd + + rlPhaseStartTest + table="nat" + assert_string="nat.*intended.*inhibited" + for chain in PREROUTING INPUT OUTPUT POSTROUTING; do + rlLogInfo "checking chain $chain" + rlRun "iptables -t $table -A $chain -p icmp -j DROP 2>iptables.stderr" 2 \ + "iptables: Failure to accept DROP to '$table/$chain' chain" + rlRun "ip6tables -t $table -A $chain -p icmpv6 -j DROP 2>ip6tables.stderr" 2 \ + "ip6tables: Failure to accept DROP to '$table/$chain' chain" + rlAssertGrep "$assert_string" iptables.stderr -E + rlAssertGrep "$assert_string" ip6tables.stderr -E + rm -f iptables.stderr ip6tables.stderr + echo --debug_START-- + set -x + iptables-save | grep -E '\*|icmp' + ip6tables-save | grep -E '\*|icmp' + set +x + echo --debug_END-- + done + rlRun "iptables-save > ipt4.out" + rlRun "ip6tables-save > ipt6.out" + rlAssertNotGrep "icmp" ipt4.out + rlAssertNotGrep "icmp" ipt6.out + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "iptables -t nat -F" + rlRun "ip6tables -t nat -F" + rlLogInfo "restoring services" + for svc in $SERVICES; do + rlServiceRestore $svc + done + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile b/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile new file mode 100644 index 0000000..99883bc --- /dev/null +++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile 
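Review bot: The test phase ties the expected refusal to both exit status `2` and the message regex `nat.*intended.*inhibited`; if the iptables-nft backend on the ELN target words that refusal differently (I cannot tell from the diff), the run fails on the message even though DROP was correctly rejected, while the check that actually proves the behaviour is the later `rlAssertNotGrep "icmp"` on the saved tables. Log the captured stderr before asserting on it, e.g. `rlLog "$(cat iptables.stderr ip6tables.stderr)"`, and add a comment naming the message being matched, so a wording-only mismatch is easy to diagnose. The `set -x` block inside the loop dumps both tables on every iteration; it reads as leftover debugging and is better removed or guarded by a `DEBUG` variable.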
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use +# Description: Test for iptables rule deletion fails for rules that use +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for iptables rule deletion fails for rules that use" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables ipset" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE b/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE new file mode 100644 index 0000000..af508e8 --- /dev/null +++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use +Description: Test for iptables rule deletion fails for rules that use +Author: Tomas Dolezal +Bug summary: iptables rule deletion fails for rules that use ipset match "--match-set" diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh b/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh new file mode 100755 index 0000000..d17e693 --- /dev/null 
+++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh 
@@ -0,0 +1,78 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use +# Description: Test for iptables rule deletion fails for rules that use +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="iptables" +IPSET4="ipsetv4" +IPSET6="ipsetv6" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm $PACKAGE + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "ipset create $IPSET4 hash:ip" + rlRun "ipset create $IPSET6 hash:ip family inet6" + rlRun "iptables-save -t mangle > ipt4.save" + rlRun "ip6tables-save -t mangle > ipt6.save" + rlPhaseEnd + + rlPhaseStartTest + RULE40="-A PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT" + RULE40d="-D PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT" + RULE41="-A PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src" + RULE41d="-D PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src" + RULE60="-A PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT" + RULE60d="-D PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT" + RULE61="-A PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src" + RULE61d="-D PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src" + for RULE in "$RULE40" "$RULE40d" "$RULE41" "$RULE41d"; do + rlRun "iptables -t mangle $RULE" + done + for RULE in "$RULE60" "$RULE60d" "$RULE61" "$RULE61d"; do + rlRun "ip6tables -t mangle $RULE" + done + rlRun "iptables-save -t mangle > ipt4.save2" + rlRun "ip6tables-save -t mangle > ipt6.save2" + rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt4* ipt6*" 0 "magically unify savefiles" + rlAssertNotDiffer ipt4.save ipt4.save2 + rlAssertNotDiffer ipt6.save ipt6.save2 + diff -u ipt4.save ipt4.save2 + diff -u ipt6.save ipt6.save2 + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "ipset destroy $IPSET4" + rlRun "ipset destroy $IPSET6" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/iptables-save-cuts-space-before-j/Makefile b/tests/iptables-save-cuts-space-before-j/Makefile new file mode 100644 index 0000000..66b2599 --- /dev/null 
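Review bot: The cleanup phase destroys the ipsets but never removes mangle rules that may still reference them; if one of the `-D` runs fails (which is the regression under test), `ipset destroy` fails because the set is in use and the test rules leak past the run. The `ipt4.save`/`ipt6.save` dumps cannot serve as the restore source because the `sed -i ipt4* ipt6*` in the test phase rewrites them (comments and counters stripped), so take pristine copies under names the glob does not match, e.g. `rlRun "iptables-save -t mangle > mangle4.orig"` and `rlRun "ip6tables-save -t mangle > mangle6.orig"` in setup, and restore them with `rlRun "iptables-restore < mangle4.orig"` and `rlRun "ip6tables-restore < mangle6.orig"` ahead of the `ipset destroy` lines. `rlAssertRpm ipset` in setup would also mirror the Makefile's `Requires: iptables ipset`.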
+++ b/tests/iptables-save-cuts-space-before-j/Makefile 
@@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j +# Description: Test for iptables-save cuts space before -j +# Author: Tomas Dolezal +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2015 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/iptables/Regression/iptables-save-cuts-space-before-j +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Tomas Dolezal " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test for iptables-save cuts space before -j" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: iptables" >> $(METADATA) + @echo "Requires: iptables" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/iptables-save-cuts-space-before-j/PURPOSE b/tests/iptables-save-cuts-space-before-j/PURPOSE new file mode 100644 index 0000000..cb0a83a --- /dev/null +++ b/tests/iptables-save-cuts-space-before-j/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j +Description: Test for iptables-save cuts space before -j +Author: Tomas Dolezal +Bug summary: iptables-save cuts space before -j diff --git a/tests/iptables-save-cuts-space-before-j/runtest.sh b/tests/iptables-save-cuts-space-before-j/runtest.sh new file mode 100755 index 0000000..a6a5099 --- /dev/null +++ b/tests/iptables-save-cuts-space-before-j/runtest.sh 
@@ -0,0 +1,61 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
+# Description: Test for iptables-save cuts space before -j
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlServiceStart iptables
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ RULE="-A INPUT -p dccp -m dccp --dccp-type RESET,INVALID -j LOG"
+ if rlIsRHEL '>6' || rlIsFedora; then
+ RULE="${RULE/type/types}" # it is exported under other name
+ fi
+ rlLogInfo "using rule '$RULE'"
+ rlRun "iptables $RULE" 0 "add rule for ipv4"
+ rlRun "ip6tables $RULE" 0 "add rule for ipv6"
+ rlRun "iptables-save | grep -- '$RULE'" 0 "check rule for ipv4"
+ rlRun "ip6tables-save | grep -- '$RULE'" 0 "check rule for ipv6"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlServiceStop iptables
+ rlServiceRestore iptables
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/iptables-save-modprobe-option/Makefile b/tests/iptables-save-modprobe-option/Makefile
new file mode 100644
index 0000000..7364207
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/Makefile
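Review bot: The two `-j LOG` rules appended to INPUT in the Test phase are never deleted: the Cleanup phase only stops and restores the `iptables` service, so the `ip6tables` rule is left behind unconditionally (no ip6tables service is touched), and the IPv4 rule survives too wherever that service unit is absent, leaving a logging rule on a shared test host. Delete both explicitly before the service handling, e.g. `rlRun "iptables ${RULE/-A/-D}" 0 "remove ipv4 rule"` and `rlRun "ip6tables ${RULE/-A/-D}" 0 "remove ipv6 rule"`. The `grep -- '$RULE'` checks are meant as literal matches, so `grep -F --` would make that intent explicit and keep the test correct if the rule text ever gains a regex metacharacter. That stopping the iptables service flushes the IPv4 table is inferred from the initscript, not from these lines, and should be confirmed.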
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+# Description: Test for iptables-save man page completely wrong - which
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/iptables-save-modprobe-option
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ales Zelinka " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for iptables-save man page completely wrong - which" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/iptables-save-modprobe-option/PURPOSE b/tests/iptables-save-modprobe-option/PURPOSE
new file mode 100644
index 0000000..934d1b1
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+Description: Test for iptables-save man page completely wrong - which
+Author: Ales Zelinka
+Bug summary: iptables-save man page completely wrong - which conflicting arguments should work?
diff --git a/tests/iptables-save-modprobe-option/runtest.sh b/tests/iptables-save-modprobe-option/runtest.sh
new file mode 100755
index 0000000..22951c4
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/runtest.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+# Description: Test for iptables-save man page completely wrong - which
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartTest
+ rlAssertRpm $PACKAGE
+ rlRun "iptables-save -M /dev/null" 0 "iptables-save -M ... supported"
+ rlRun "iptables-save --modprobe /dev/null" 0 "iptables-save --modprobe ... supported"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..dead758
--- /dev/null
+++ b/tests/tests.yml
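Review bot: Both `rlRun` assertions only check that `iptables-save` exits 0 when given `-M` or `--modprobe`, so the test still passes if the option is accepted but the dump comes out empty or truncated; since the regression is about which spellings of the option must work, at least one assertion should also pin the output, e.g. `rlRun "iptables-save -M /dev/null | grep -q '^\*filter'" 0 "-M does not break the dump"`. Passing `/dev/null` as the modprobe path presumably works only because the dump needs no module loading at this point; a one-line comment such as `# /dev/null: the option must be parsed, modprobe itself must never be invoked` would spare the next reader that question. For consistency with the sibling tests, `rlAssertRpm` belongs in an `rlPhaseStartSetup` phase rather than inside the Test phase.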
@@ -0,0 +1,91 @@
+---
+- hosts: localhost
+ tags: [ always ]
+ tasks:
+ - set_fact:
+ our_required_packages:
+ - iproute # multiple tests need ip command
+ - iputils # multiple tests need ping/ping6 commands
+ - iptables # multiple tests need iptables/ip6tables commands
+ - iptables-services # multiple tests need iptables/ip6tables config files
+ - initscripts # multiple tests need system command
+ - libcgroup-tools # backport-iptables-add-libxt-cgroup-frontend needs cg* commands
+ - bridge-utils # ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets needs brctl command
+ - ipset # multiple tests need ipset command
+ - strace # xtables-tools-locking-vulnerable-to-local-DoS needs strace command
+ - policycoreutils # initscript-sanity needs restorecon command
+
+- hosts: localhost
+ tags:
+ - rhts-all
+ roles:
+ - role: standard-test-rhts
+ tests:
+ - backport-iptables-add-libxt-cgroup-frontend
+ - initscript-sanity
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - TRACE-target-of-iptables-can-t-work-in
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - classic
+ - beakerlib-all
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ - backport-iptables-add-libxt-cgroup-frontend
+ - initscript-sanity
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - TRACE-target-of-iptables-can-t-work-in
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - container
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ #- backport-iptables-add-libxt-cgroup-frontend # journaling/logging issues?
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - atomic
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - xtables-tools-locking-vulnerable-to-local-DoS
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile b/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
new file mode 100644
index 0000000..0e56bcd
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
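Review bot: The final `atomic` play schedules `xtables-tools-locking-vulnerable-to-local-DoS`, whose runtest.sh depends on `strace`, yet unlike the `rhts-all`, `classic` and `container` plays it carries no `required_packages: "{{ our_required_packages }}"`, so nothing ensures strace (or iptables itself) is installed before that tag runs. If package installation is deliberately skipped on Atomic hosts because they are image-based, say so on the play, `# atomic: packages come from the image, nothing is installed here`, so nobody "fixes" it later; otherwise add the `required_packages` line to match the other plays. The `container` play also keeps `ip6tables-service-does-not-allow-dhcpv6-client-by`, which by its name exercises a service unit; it is worth confirming it runs without an init system, as was evidently done for the cgroup test that was commented out there.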
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+# Description: Test for xtables tools locking vulnerable to local DoS
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for xtables tools locking vulnerable to local DoS" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables strace" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE b/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE
new file mode 100644
index 0000000..3a8ebe8
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+Description: Test for xtables tools locking vulnerable to local DoS
+Author: Tomas Dolezal
+Bug summary: xtables tools locking vulnerable to local DoS
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh b/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
new file mode 100755
index 0000000..c3223b5
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+# Description: Test for xtables tools locking vulnerable to local DoS
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "strace -fe flock,bind,open,openat -o strace.out iptables -w -L" 0 "execute iptables in strace"
+ echo --debug--; cat strace.out
+ rlAssertNotGrep "bind.*xtables" strace.out -E
+ rlAssertGrep " flock(" strace.out
+ rlAssertGrep "/run/xtables.lock" strace.out
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
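Review bot: The three assertions establish that `iptables -w -L` serialises through `flock()` on `/run/xtables.lock` instead of binding an abstract `xtables` socket, but they never check that an unprivileged user is unable to take that same lock, which is the actual local-DoS condition: `flock(LOCK_EX)` succeeds on a read-only descriptor, so the fix only holds if the lock file is not openable by other users. Add a check after the strace run, e.g. `rlRun "stat -c '%U:%a' /run/xtables.lock | grep -qx 'root:600'" 0 "lock file not openable by unprivileged users"`, or, stronger, run `flock -n /run/xtables.lock true` as a non-root user and assert it fails while root holds the lock. The `rlAssertGrep "/run/xtables.lock"` line also presumes the legacy xtables backend; if the installed `iptables` alternative is the nft-based variant the lock file may never be touched, so pin or log the backend (`iptables -V`) in Setup before relying on that grep. The expected mode and the backend behaviour are inferred from how the tools are built, not from the visible lines, and should be confirmed against the shipped binaries.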