diff --git a/.cvsignore b/.cvsignore
index c9a1ba4..d7b1ae7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-iptables-1.2.8.tar.bz2
+iptables-1.2.9.tar.bz2
diff --git a/iptables-1.2.9-netlink.patch b/iptables-1.2.9-netlink.patch
new file mode 100644
index 0000000..b25fe3d
--- /dev/null
+++ b/iptables-1.2.9-netlink.patch
@@ -0,0 +1,13 @@
+--- iptables-1.2.9/libipq/libipq.c.netlink 2003-12-05 17:00:07.000000000 +0100
++++ iptables-1.2.9/libipq/libipq.c 2003-12-05 17:00:39.000000000 +0100
+@@ -171,6 +171,10 @@
+ ipq_errno = IPQ_ERR_RECV;
+ return -1;
+ }
++ if (h->peer.nl_pid != 0) {
++ ipq_errno = IPQ_ERR_RECV;
++ return -1;
++ }
+ if (status == 0) {
+ ipq_errno = IPQ_ERR_NLEOF;
+ return -1;
diff --git a/iptables-config b/iptables-config
index d1a47e0..80e37fb 100644
--- a/iptables-config
+++ b/iptables-config
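Review bot: The added `nl_pid != 0` check in the new patch file reuses IPQ_ERR_RECV, the same ipq_errno value the error branch immediately above it sets, so a caller cannot tell a message from a non-kernel netlink sender apart from a failed receive; a distinct error code, or at least a comment such as `/* only the kernel (nl_pid 0) may talk to this socket */`, would make the reason for the rejection visible where it matters. The check also presumes that the receive call above the hunk filled h->peer for this very message; if that call does not pass an address length that is verified against sizeof(struct sockaddr_nl), nl_pid could be left over from an earlier receive — that call is outside the hunk, so this is an inference to confirm in libipq.c. Returning -1 without treating the message as valid is the right outcome either way.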
@@ -1,19 +1,37 @@
-# Additional iptables modules (nat helper)
-# Default: -empty-
-#IPTABLES_MODULES="ip_nat_ftp"
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modules.conf.
+#IPTABLES_MODULES=""
+
+# Unload modules on restart and stop
+# Value: yes|no, default: yes
+# This option has to be 'yes' to get to a sane state for a firewall
+# restart or stop. Only set to 'no' if there are problems unloading netfilter
+# modules.
+#IPTABLES_MODULES_UNLOAD="yes"
 
 # Save current firewall rules on stop.
-# Value: yes|no, default: no
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
 #IPTABLES_SAVE_ON_STOP="no"
 
 # Save current firewall rules on restart.
-# Value: yes|no, default: no
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
 #IPTABLES_SAVE_ON_RESTART="no"
 
-# Save (and restore) rule counter.
-# Value: yes|no, default: no
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
 #IPTABLES_SAVE_COUNTER="no"
 
 # Numeric status output
-# Value: yes|no, default: no
+# Value: yes|no, default: no
+# Print IP addresses and port numbers in numeric format in the status output.
 #IPTABLES_STATUS_NUMERIC="no"
diff --git a/iptables.init b/iptables.init
index c3b88eb..5c99246 100755
--- a/iptables.init
+++ b/iptables.init
@@ -28,8 +28,14 @@ if lsmod 2>/dev/null | grep -q ipchains ; then
 exit 0
 fi
 
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+ && NEW_MODUTILS=1 \
+ || NEW_MODUTILS=0
+
 # Default firewall configuration:
 IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
 IPTABLES_SAVE_ON_STOP="no"
 IPTABLES_SAVE_ON_RESTART="no"
 IPTABLES_SAVE_COUNTER="no"
@@ -43,19 +49,27 @@ rmmod_r() {
 # At first all referring modules will be unloaded, then the module itself.
 local mod=$1
 local ret=0
+ local ref=
 
 # Get referring modules.
- local ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+ # New modutils have another output format.
+ [ $NEW_MODUTILS = 1 ] \
+ && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
+ || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
 
- # recursive call for all referring module
+ # recursive call for all referring modules
 for i in $ref; do
 rmmod_r $i
 let ret+=$?;
 done
 
 # Unload module.
- modprobe -r $mod > /dev/null 2>&1
- let ret+=$?;
+ # The extra test is for 2.6: The module might have autocleaned,
+ # after all referring modules are unloaded.
+ if grep -q "^${mod}" /proc/modules ; then
+ modprobe -r $mod > /dev/null 2>&1
+ let ret+=$?;
+ fi
 
 return $ret
 }
@@ -87,6 +101,7 @@ flush_n_delete() {
 
 [ $ret -eq 0 ] && success || failure
 echo
+ return $ret
 }
 
 set_policy() {
@@ -133,6 +148,7 @@ set_policy() {
 
 [ $ret -eq 0 ] && success || failure
 echo
+ return $ret
 }
 
 start() {
@@ -151,6 +167,7 @@ start() {
 failure; echo; return 1
 fi
 
+ # Load additional modules (helpers)
 if [ -n "$IPTABLES_MODULES" ]; then
 echo -n $"Loading additional $IPTABLES modules: "
 ret=0
@@ -164,6 +181,7 @@ start() {
 fi
 
 touch $VAR_SUBSYS_IPTABLES
+ return $ret
 }
 
 stop() {
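Review bot: In the rmmod_r hunk the new awk filter `/^${mod}/` — like the old `grep ^${mod}` fallback and the new `grep -q "^${mod}" /proc/modules` test — matches every module whose name merely starts with $mod, so for `ip_conntrack` the "used by" column of lines such as `ip_conntrack_ftp` is also collected into $ref and the recursion unloads modules that never referenced $mod. Comparing the whole first field fixes that and removes the `\\\$4` escaping through double quotes: `awk -v m="$mod" '$1 == m { print $4 }'` in place of `awk "/^${mod}/ { print \\\$4; }"`, and `grep -q "^${mod} " /proc/modules` for the 2.6 test. The `[ … ] && ref=… || ref=…` chain also silently falls through to the old-format branch whenever the first command substitution exits non-zero; an if/else keeps the two formats apart.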
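Review bot: The `return $ret` appended at the end of start() reports a variable that, within these hunks, is only assigned inside the `if [ -n "$IPTABLES_MODULES" ]` branch (`ret=0` after the echo in the previous hunk), so with no helper modules configured the function returns whatever $ret held from an earlier call or an empty value; flush_n_delete and set_policy in this file test the same name without a visible `local`, while rmmod_r declares `local ret=0`, so a stale value from the stop that precedes start looks possible. Placing `ret=0` just before the new `# Load additional modules (helpers)` comment pins the success path. The beginning of start() is outside the hunk, so an initialisation there cannot be ruled out from here.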
@@ -173,17 +191,19 @@ stop() {
 flush_n_delete
 set_policy ACCEPT
 
- echo -n $"Unloading $IPTABLES modules: "
- ret=0
- rmmod_r ${IPV}_tables
- let ret+=$?;
- rmmod_r ${IPV}_conntrack
- let ret+=$?;
-
- [ $ret -eq 0 ] && success || failure
- echo
+ if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
+ echo -n $"Unloading $IPTABLES modules: "
+ ret=0
+ rmmod_r ${IPV}_tables
+ let ret+=$?;
+ rmmod_r ${IPV}_conntrack
+ let ret+=$?;
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
 
 rm -f $VAR_SUBSYS_IPTABLES
+ return $ret
 }
 
 save() {
@@ -220,18 +240,23 @@ save() {
 [ $ret -eq 0 ] && success || failure
 echo
 rm -f $TMP_FILE
+ return $ret
 }
 
 status() {
 # Do not print status if lockfile is missing and iptables modules are not
 # loaded.
 # Check if iptable module is loaded
- if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
 echo $"Firewall is stopped."
 return 1
 fi
 
 # Check if firewall is configured (has tables)
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
 if [ -z "$tables" ]; then
 echo $"Firewall is not configured. "
@@ -245,6 +270,8 @@ status() {
 echo $"Table: $table"
 $IPTABLES -t $table --list $NUM && echo
 done
+
+ return 0
 }
 
 restart() {
@@ -257,26 +284,32 @@ case "$1" in
 start)
 stop
 start
+ RETVAL=$?
 ;;
 stop)
 [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 stop
+ RETVAL=$?
 ;;
 restart)
 restart
+ RETVAL=$?
 ;;
 condrestart)
 [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
 ;;
 status)
 status
+ RETVAL=$?
 ;;
 panic)
 flush_n_delete
 set_policy DROP
+ RETVAL=$?
 ;;
 save)
 save
+ RETVAL=$?
 ;;
 *)
 echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
@@ -284,4 +317,4 @@ case "$1" in
 ;;
 esac
 
-exit 0
+exit $RETVAL
diff --git a/iptables.spec b/iptables.spec
index e0e9bf1..6ea0e2d 100644
--- a/iptables.spec
+++ b/iptables.spec
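Review bot: The new first test in status() prints `Firewall is stopped.` whenever the subsys lock file is absent, although the comment two lines above it says status is only to be skipped when the lock file is missing *and* the modules are not loaded; rules that are in effect without the lock file (for instance after the lock file was cleaned up or rules were loaded by hand) are then reported as a stopped firewall, which is the wrong answer for an operator checking the host's filtering state. Making the code follow its own comment keeps the check honest: `if [ ! -f "$VAR_SUBSYS_IPTABLES" -a ! -e "$PROC_IPTABLES_NAMES" ]; then`. The following `! -e "$PROC_IPTABLES_NAMES"` branch then still reports the unconfigured case.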
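Review bot: In the case hunk the `condrestart)` arm is the only service arm that does not assign RETVAL after the new per-arm assignments, so with the `exit $RETVAL` introduced in the last hunk its exit status is whatever RETVAL held beforehand — presumably an initial value set earlier in the script, which is outside these hunks and cannot be confirmed here. `[ -e "$VAR_SUBSYS_IPTABLES" ] && restart` leaves `$?` at 1 when the lock file is absent, so a plain `RETVAL=$?` would report a no-op condrestart as a failure; something like `if [ -e "$VAR_SUBSYS_IPTABLES" ]; then restart; RETVAL=$?; fi` keeps the no-op path at the initial value. In the `panic)` arm `RETVAL=$?` captures only set_policy, so a failing flush_n_delete, which now returns its own $ret, goes unreported.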
@@ -3,19 +3,17 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities.
-Version: 1.2.8
-Release: 14
+Version: 1.2.9
+Release: 1.0
 Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 %if %{linux_header}
 Source3: netfilter-2.4.20.tar.gz
 %endif
-Patch0: iptables-1.2.8-numeric.patch
-Patch1: iptables-1.2.8-save_ports.patch
 Patch2: iptables-1.2.8-nolibnsl.patch
 Patch3: iptables-1.2.8-print_type.patch
-Patch4: iptables-1.2.8-netlink.patch
+Patch4: iptables-1.2.9-netlink.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %{_tmppath}/%{name}-buildroot
@@ -67,8 +65,6 @@ cd include
 tar -zxf %{SOURCE3}
 cd ..
 %endif
-%patch0 -p1 -b .numeric
-%patch1 -p1 -b .save_ports
 %patch2 -p1 -b .nolibnsl
 %patch3 -p1 -b .print_type
 %patch4 -p1 -b .netlink
@@ -120,7 +116,7 @@ fi
 
 %files
 %defattr(-,root,root,0755)
-%doc COPYING KNOWN_BUGS
+%doc COPYING INSTALL INCOMPATIBILITIES
 %config %attr(0755,root,root) /etc/rc.d/init.d/iptables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
 /sbin/iptables*
@@ -146,9 +142,13 @@ fi
 %endif
 
 %changelog
-* Fri Dec 5 2003 Thomas Woerner 1.2.8-14
-- fixed netlink security issue in libipq (devel package)
-- fixed save in libipt_icmp (#109546)
+* Wed Dec 17 2003 Thomas Woerner 1.2.9-1.0
+- vew version 1.2.9
+- new config options in ipXtables-config:
+ IPTABLES_MODULES_UNLOAD
+- more documentation in ipXtables-config
+- fix for netlink security issue in libipq (devel package)
+- print fix for libipt_icmp (#109546)
 
 * Thu Oct 23 2003 Thomas Woerner 1.2.8-13
 - marked all messages in iptables init script for translation (#107462)
diff --git a/sources b/sources
index 4532c21..2e42af4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-cf62ebdabf05ccc5479334cc04fa993c iptables-1.2.8.tar.bz2
+8299db6ffbe98496d7f57dbb00f17e7d iptables-1.2.9.tar.bz2