- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extensions that are supported by the kernel-headers package
- review fixes (rhbz#225906)
Thomas Woerner 2007-08-23 14:54:50 +00:00
parent 7b2367e316
commit 32bdef74b2
2 changed files with 97 additions and 73 deletions


@ -7,6 +7,16 @@
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library.
. /etc/init.d/functions
@ -15,24 +25,15 @@ IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
exit 0
exit 5
fi
if lsmod 2>/dev/null | grep -q ipchains ; then
echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
exit 0
fi
# no protocol support, don't try to run
if [ ! -d /proc/sys/net/ipv4 ]; then
exit 0
fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
&& NEW_MODUTILS=1 \
@ -59,8 +60,8 @@ rmmod_r() {
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] \
&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
# recursive call for all referring modules
for i in $ref; do
@ -84,7 +85,7 @@ flush_n_delete() {
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"Flushing firewall rules: "
@ -117,7 +118,7 @@ set_policy() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"Setting chains to policy $policy: "
@ -206,8 +207,12 @@ stop() {
ret=0
rmmod_r ${IPV}_tables
let ret+=$?;
rmmod_r ${IPV}_conntrack
rmmod_r nf_conntrack_${_IPV}
let ret+=$?;
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
rmmod_r x_tables
rmmod_r nf_conntrack
[ $ret -eq 0 ] && success || failure
echo
fi
@ -221,7 +226,7 @@ save() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"Saving firewall rules to $IPTABLES_DATA: "
@ -230,10 +235,10 @@ save() {
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
&& chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
@ -254,24 +259,20 @@ save() {
}
status() {
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable module is loaded
# Check if iptable modules are loaded
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
echo $"Firewall is stopped."
return 1
return 3
fi
# Check if firewall is configured (has tables)
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
echo $"Firewall is not configured. "
return 1
fi
if [ -z "$tables" ]; then
echo $"Firewall is not configured. "
return 1
return 3
fi
NUM=
@ -295,23 +296,29 @@ restart() {
start
}
status >/dev/null 2>&1
running=$?
case "$1" in
start)
stop
[ $running -eq 0 ] && exit 0
start
RETVAL=$?
;;
stop)
[ $running -eq 0 ] || exit 0
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart)
restart|force-reload)
restart
RETVAL=$?
;;
condrestart)
[ -e "$VAR_SUBSYS_IPTABLES" ] && restart
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 7
restart
RETVAL=$?
;;
status)
status
@ -328,7 +335,7 @@ case "$1" in
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
RETVAL=3
;;
esac
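Review bot: The new `condrestart|try-restart` arm exits 7 when the lock file is absent, but on the usual reading of LSB (and the Fedora SysV init-script template's `rh_status_q || exit 0`) a try-restart of a service that is not running is a successful no-op that exits 0; 7 is the "program is not running" error code for actions that genuinely need a running service. I would change `[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 7` to `[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0`, which also matches the `stop` arm in the same hunk, which exits 0 when `running` is non-zero. In the usage arm, `RETVAL=3` maps to "unimplemented feature", whereas an unknown verb is closer to LSB's 2 ("invalid or excess arguments"), so `RETVAL=2` may be the intended value; that one is a judgement call. The `running=$?` captured before the `case` comes from `status`, whose body is only partly in this diff, so which states it reports as 0 is inferred rather than visible here.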


@ -1,39 +1,35 @@
%define build_devel 1
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities.
Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8
Release: 1
Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
Release: 2%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
Patch0: iptables-1.3.8-iptc.patch
Patch1: iptables-1.3.8-headers.patch
Group: System Environment/Base
URL: http://www.netfilter.org/
BuildRoot: %{_tmppath}/%{name}-buildroot
License: GPL
BuildRequires: /usr/bin/perl
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
License: GPLv2
BuildRequires: libselinux-devel
Conflicts: kernel < 2.4.20
Requires(post,postun): chkconfig
Prefix: %{_prefix}
%package ipv6
Summary: IPv6 support for iptables.
Group: System Environment/Base
Requires: %{name} = %{version}
%if %{build_devel}
%package devel
Summary: Development package for iptables.
Group: System Environment/Base
Requires: %{name} = %{version}
%endif
Requires(post): chkconfig
Requires(preun): chkconfig
%description
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
%package ipv6
Summary: IPv6 support for iptables
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
Requires(post): chkconfig
Requires(preun): chkconfig
%description ipv6
The iptables package contains IPv6 (the next version of the IP
protocol) support for iptables. Iptables controls the Linux kernel
@ -44,19 +40,25 @@ Install iptables-ipv6 if you need to set up firewalling for your
network and you are using ipv6.
%if %{build_devel}
%package devel
Summary: Development package for iptables
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description devel
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
iptables development headers and libraries.
The iptc interface is upstream marked as not public. The interface is not
stable and may change with every new version. It is therefore unsupported.
%endif
%prep
rm -rf %{buildroot}
%setup -q
%patch0 -p1 -b .iptc
%patch1 -p1 -b .headers
# Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \;
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
# do not use ld -shared and _init
perl -pi -e "s/\(LD\) -shared/\(CC\) -shared/g" Rules.make
@ -67,11 +69,12 @@ perl -pi -e "s/^_init\(/__attribute\(\(constructor\)\) my_init\(/g" extensions/*
TOPDIR=`pwd`
OPT="$RPM_OPT_FLAGS -I$TOPDIR/include -fPIC"
export DO_SELINUX=1
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib}
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} %{?_smp_mflags}
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
%install
rm -rf %{buildroot}
export DO_SELINUX=1
make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
%if %{build_devel}
@ -81,16 +84,18 @@ cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' -e 's;/proc/sys/net/ipv4;/proc/sys/net/ipv6;g' < %{SOURCE1} > ip6tables.init
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
# install devel header files
mkdir -p $RPM_BUILD_ROOT/usr/include
install -c include/ip*.h $RPM_BUILD_ROOT/usr/include/
mkdir -p $RPM_BUILD_ROOT%{_includedir}
install -c -m644 include/ip*.h $RPM_BUILD_ROOT%{_includedir}
# install libiptc header files (unsupported)
mkdir -p $RPM_BUILD_ROOT%{_includedir}/libiptc
install -c -m644 include/libiptc/*.h $RPM_BUILD_ROOT%{_includedir}/libiptc
%clean
rm -rf $RPM_BUILD_ROOT
@ -112,9 +117,9 @@ if [ "$1" = 0 ]; then
fi
%files
%defattr(-,root,root,0755)
%defattr(-,root,root)
%doc COPYING INSTALL INCOMPATIBILITIES
%config %attr(0755,root,root) /etc/rc.d/init.d/iptables
%attr(0755,root,root) /etc/rc.d/init.d/iptables
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
/sbin/iptables*
%{_mandir}/man8/iptables*
@ -122,8 +127,8 @@ fi
/%{_lib}/iptables/libipt*
%files ipv6
%defattr(-,root,root,0755)
%config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/ip6tables
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
/sbin/ip6tables*
%{_mandir}/man8/ip6tables*
@ -131,14 +136,26 @@ fi
%if %{build_devel}
%files devel
%defattr(-,root,root,0755)
%defattr(-,root,root)
%{_includedir}/ip*.h
%{_includedir}/libipq.h
%dir %{_includedir}/libiptc
%{_includedir}/libiptc/*.h
%{_libdir}/libipq.a
%{_libdir}/libiptc.a
%{_mandir}/man3/*
%endif
%changelog
* Thu Aug 23 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-2
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extension, which are supported by the kernel-headers package
- review fixes (rhbz#225906)
* Tue Jul 31 2007 Thomas Woerner <twoerner@redhat.com>
- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888)
* Fri Jul 13 2007 Steve Conklin <sconklin@redhat.com> - 1.3.8-1
- New version 1.3.8
@ -340,7 +357,7 @@ fi
- Merge ip6tables improvements from Ian Prowell <iprowell@prowell.org>
#59402
- Update URL (#59354)
- Use /sbin/chkconfig rather than chkconfig in %postun script
- Use /sbin/chkconfig rather than chkconfig in %%postun script
* Fri Jan 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-1
- 1.2.5
@ -349,7 +366,7 @@ fi
- automated rebuild
* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-2
- Fix %preun script
- Fix %%preun script
* Tue Oct 30 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-1
- Update to 1.2.4 (various fixes, including security fixes; among others:
@ -395,7 +412,7 @@ fi
- fix bugzilla #25962 (iptables-restore)
- mv chkconfig --del from postun to preun
* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
- Fix check for ipchains
* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
@ -442,5 +459,5 @@ fi
* Mon Jun 4 2000 Bill Nottingham <notting@redhat.com>
- remove explicit kernel requirement
* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
- initial package
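Review bot: In the %install hunk the two header installs gain an explicit `-m644`, but the sysconfig files a few lines above in the same hunk are still copied with `install -c -m755`, so `iptables-config` and `ip6tables-config` sit world-readable and executable in the buildroot even though `%files` applies `%attr(0600,root,root)` to them. The packaged mode is therefore correct and this is a consistency point only, but since this commit is the review-fixes pass I would align them: `install -c -m600 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config` and `install -c -m600 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config`. The `/proc/sys/net/ipv4` substitution dropped from the ip6tables sed stays correct only while the init script has no remaining reference to that path; the init-script section above appears to remove that check, but the full script is not in this diff.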