auto-import changelog data from iptables-1.2.9-1.0.src.rpm

Wed Dec 17 2003 Thomas Woerner <twoerner@redhat.com> 1.2.9-1.0
- vew version 1.2.9
- new config options in ipXtables-config: IPTABLES_MODULES_UNLOAD
- more documentation in ipXtables-config
- fix for netlink security issue in libipq (devel package)
- print fix for libipt_icmp (#109546)

.cvsignore

@@ -1 +1 @@
-iptables-1.2.8.tar.bz2
+iptables-1.2.9.tar.bz2

iptables-1.2.9-netlink.patch

@@ -0,0 +1,13 @@
+--- iptables-1.2.9/libipq/libipq.c.netlink	2003-12-05 17:00:07.000000000 +0100
++++ iptables-1.2.9/libipq/libipq.c	2003-12-05 17:00:39.000000000 +0100
+@@ -171,6 +171,10 @@
+ 		ipq_errno = IPQ_ERR_RECV;
+ 		return -1;
+ 	}
++	if (h->peer.nl_pid != 0) {
++		ipq_errno = IPQ_ERR_RECV;
++		return -1;
++	}
+ 	if (status == 0) {
+ 		ipq_errno = IPQ_ERR_NLEOF;
+ 		return -1;

iptables-config

@@ -1,19 +1,37 @@
-# Additional iptables modules (nat helper)
+# Load additional iptables modules (nat helpers)
-# Default: -empty-
+#   Default: -none-
-#IPTABLES_MODULES="ip_nat_ftp"
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modules.conf.
+#IPTABLES_MODULES=""
+
+# Unload modules on restart and stop
+#   Value: yes|no,  default: yes
+# This option has to be 'yes' to get to a sane state for a firewall
+# restart or stop. Only set to 'no' if there are problems unloading netfilter
+# modules.
+#IPTABLES_MODULES_UNLOAD="yes"
 
 # Save current firewall rules on stop.
 #   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
 #IPTABLES_SAVE_ON_STOP="no"
 
 # Save current firewall rules on restart.
 #   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
 #IPTABLES_SAVE_ON_RESTART="no"
 
-# Save (and restore) rule counter.
+# Save (and restore) rule and chain counter.
 #   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
 #IPTABLES_SAVE_COUNTER="no"
 
 # Numeric status output
 #   Value: yes|no,  default: no
+# Print IP addresses and port numbers in numeric format in the status output.
 #IPTABLES_STATUS_NUMERIC="no"

iptables.init

@@ -28,8 +28,14 @@ if lsmod 2>/dev/null | grep -q ipchains ; then
     exit 0
 fi
 
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+    && NEW_MODUTILS=1 \
+    || NEW_MODUTILS=0
+
 # Default firewall configuration:
 IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
 IPTABLES_SAVE_ON_STOP="no"
 IPTABLES_SAVE_ON_RESTART="no"
 IPTABLES_SAVE_COUNTER="no"
@@ -43,19 +49,27 @@ rmmod_r() {
     # At first all referring modules will be unloaded, then the module itself.
     local mod=$1
     local ret=0
+    local ref=
 
     # Get referring modules.
-    local ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+    # New modutils have another output format.
+    [ $NEW_MODUTILS = 1 ] \
+	&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
+	|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
 
-    # recursive call for all referring module
+    # recursive call for all referring modules
     for i in $ref; do
 	rmmod_r $i
 	let ret+=$?;
     done
 
     # Unload module.
+    # The extra test is for 2.6: The module might have autocleaned,
+    # after all referring modules are unloaded.
+    if grep -q "^${mod}" /proc/modules ; then
 	modprobe -r $mod > /dev/null 2>&1
 	let ret+=$?;
+    fi
 
     return $ret
 }
@@ -87,6 +101,7 @@ flush_n_delete() {
 
     [ $ret -eq 0 ] && success || failure
     echo
+    return $ret
 }
 
 set_policy() {
@@ -133,6 +148,7 @@ set_policy() {
 
     [ $ret -eq 0 ] && success || failure
     echo
+    return $ret
 }
 
 start() {
@@ -151,6 +167,7 @@ start() {
 	failure; echo; return 1
     fi
     
+    # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
 	echo -n $"Loading additional $IPTABLES modules: "
 	ret=0
@@ -164,6 +181,7 @@ start() {
     fi
     
     touch $VAR_SUBSYS_IPTABLES
+    return $ret
 }
 
 stop() {
@@ -173,17 +191,19 @@ stop() {
     flush_n_delete
     set_policy ACCEPT
     
+    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 	echo -n $"Unloading $IPTABLES modules: "
 	ret=0
 	rmmod_r ${IPV}_tables
 	let ret+=$?;
 	rmmod_r ${IPV}_conntrack
 	let ret+=$?;
-
 	[ $ret -eq 0 ] && success || failure
 	echo
+    fi
     
     rm -f $VAR_SUBSYS_IPTABLES
+    return $ret
 }
 
 save() {
@@ -220,18 +240,23 @@ save() {
     [ $ret -eq 0 ] && success || failure
     echo
     rm -f $TMP_FILE
+    return $ret
 }
 
 status() {
     # Do not print status if lockfile is missing and iptables modules are not 
     # loaded.
     # Check if iptable module is loaded
-    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
 	echo $"Firewall is stopped."
 	return 1
     fi
 
     # Check if firewall is configured (has tables)
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo $"Firewall is not configured. "
+	return 1
+    fi
     tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
     if [ -z "$tables" ]; then
 	echo $"Firewall is not configured. "
@@ -245,6 +270,8 @@ status() {
 	echo $"Table: $table"
 	$IPTABLES -t $table --list $NUM && echo
     done
+
+    return 0
 }
 
 restart() {
@@ -257,26 +284,32 @@ case "$1" in
     start)
 	stop
 	start
+	RETVAL=$?
 	;;
     stop)
 	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 	stop
+	RETVAL=$?
 	;;
     restart)
 	restart
+	RETVAL=$?
 	;;
     condrestart)
 	[ -e "$VAR_SUBSYS_IPTABLES" ] && restart
 	;;
     status)
 	status
+	RETVAL=$?
 	;;
     panic)
 	flush_n_delete
 	set_policy DROP
+	RETVAL=$?
         ;;
     save)
 	save
+	RETVAL=$?
 	;;
     *)
 	echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
@@ -284,4 +317,4 @@ case "$1" in
 	;;
 esac
 
-exit 0
+exit $RETVAL

iptables.spec

@@ -3,19 +3,17 @@
 
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities.
-Version: 1.2.8
+Version: 1.2.9
-Release: 14
+Release: 1.0
 Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 %if %{linux_header}
 Source3: netfilter-2.4.20.tar.gz
 %endif
-Patch0: iptables-1.2.8-numeric.patch
-Patch1: iptables-1.2.8-save_ports.patch
 Patch2: iptables-1.2.8-nolibnsl.patch
 Patch3: iptables-1.2.8-print_type.patch
-Patch4: iptables-1.2.8-netlink.patch
+Patch4: iptables-1.2.9-netlink.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %{_tmppath}/%{name}-buildroot
@@ -67,8 +65,6 @@ cd include
 tar -zxf %{SOURCE3}
 cd ..
 %endif
-%patch0 -p1 -b .numeric
-%patch1 -p1 -b .save_ports
 %patch2 -p1 -b .nolibnsl
 %patch3 -p1 -b .print_type
 %patch4 -p1 -b .netlink
@@ -120,7 +116,7 @@ fi
 
 %files
 %defattr(-,root,root,0755)
-%doc COPYING KNOWN_BUGS
+%doc COPYING INSTALL INCOMPATIBILITIES
 %config %attr(0755,root,root) /etc/rc.d/init.d/iptables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
 /sbin/iptables*
@@ -146,9 +142,13 @@ fi
 %endif
 
 %changelog
-* Fri Dec  5 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-14
+* Wed Dec 17 2003 Thomas Woerner <twoerner@redhat.com> 1.2.9-1.0
-- fixed netlink security issue in libipq (devel package)
+- vew version 1.2.9
-- fixed save in libipt_icmp (#109546)
+- new config options in ipXtables-config:
+  IPTABLES_MODULES_UNLOAD
+- more documentation in ipXtables-config
+- fix for netlink security issue in libipq (devel package)
+- print fix for libipt_icmp (#109546)
 
 * Thu Oct 23 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-13
 - marked all messages in iptables init script for translation (#107462)

sources

@@ -1 +1 @@
-cf62ebdabf05ccc5479334cc04fa993c  iptables-1.2.8.tar.bz2
+8299db6ffbe98496d7f57dbb00f17e7d  iptables-1.2.9.tar.bz2