[tw]
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459) - provide iptc interface again, but unsupported (rhbz#216733) - compile all extension, which are supported by the kernel-headers package - review fixes (rhbz#225906)
This commit is contained in:
parent
7b2367e316
commit
32bdef74b2
@ -7,6 +7,16 @@
|
||||
#
|
||||
# config: /etc/sysconfig/iptables
|
||||
# config: /etc/sysconfig/iptables-config
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: iptables
|
||||
# Required-Start: $local_fs
|
||||
# Required-Stop: $local_fs
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop iptables firewall
|
||||
# Description: Start, stop and save iptables firewall
|
||||
### END INIT INFO
|
||||
|
||||
# Source function library.
|
||||
. /etc/init.d/functions
|
||||
@ -15,24 +25,15 @@ IPTABLES=iptables
|
||||
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
|
||||
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
|
||||
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
|
||||
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
|
||||
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
|
||||
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
|
||||
|
||||
if [ ! -x /sbin/$IPTABLES ]; then
|
||||
echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
|
||||
exit 0
|
||||
exit 5
|
||||
fi
|
||||
|
||||
if lsmod 2>/dev/null | grep -q ipchains ; then
|
||||
echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# no protocol support, don't try to run
|
||||
if [ ! -d /proc/sys/net/ipv4 ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Old or new modutils
|
||||
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
|
||||
&& NEW_MODUTILS=1 \
|
||||
@ -59,8 +60,8 @@ rmmod_r() {
|
||||
# Get referring modules.
|
||||
# New modutils have another output format.
|
||||
[ $NEW_MODUTILS = 1 ] \
|
||||
&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
|
||||
|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
|
||||
&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|
||||
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
|
||||
|
||||
# recursive call for all referring modules
|
||||
for i in $ref; do
|
||||
@ -84,7 +85,7 @@ flush_n_delete() {
|
||||
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"Flushing firewall rules: "
|
||||
@ -117,7 +118,7 @@ set_policy() {
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"Setting chains to policy $policy: "
|
||||
@ -206,8 +207,12 @@ stop() {
|
||||
ret=0
|
||||
rmmod_r ${IPV}_tables
|
||||
let ret+=$?;
|
||||
rmmod_r ${IPV}_conntrack
|
||||
rmmod_r nf_conntrack_${_IPV}
|
||||
let ret+=$?;
|
||||
# try to unload remaining netfilter modules used by ipv4 and ipv6
|
||||
# netfilter
|
||||
rmmod_r x_tables
|
||||
rmmod_r nf_conntrack
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
@ -221,7 +226,7 @@ save() {
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"Saving firewall rules to $IPTABLES_DATA: "
|
||||
@ -230,10 +235,10 @@ save() {
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
|
||||
ret=0
|
||||
TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
|
||||
TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
|
||||
&& chmod 600 "$TMP_FILE" \
|
||||
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
|
||||
&& size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
|
||||
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|
||||
|| ret=1
|
||||
if [ $ret -eq 0 ]; then
|
||||
if [ -e $IPTABLES_DATA ]; then
|
||||
@ -254,24 +259,20 @@ save() {
|
||||
}
|
||||
|
||||
status() {
|
||||
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
|
||||
# Do not print status if lockfile is missing and iptables modules are not
|
||||
# loaded.
|
||||
# Check if iptable module is loaded
|
||||
# Check if iptable modules are loaded
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
|
||||
echo $"Firewall is stopped."
|
||||
return 1
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
|
||||
echo $"Firewall is not configured. "
|
||||
return 1
|
||||
fi
|
||||
if [ -z "$tables" ]; then
|
||||
echo $"Firewall is not configured. "
|
||||
return 1
|
||||
return 3
|
||||
fi
|
||||
|
||||
NUM=
|
||||
@ -295,23 +296,29 @@ restart() {
|
||||
start
|
||||
}
|
||||
|
||||
status >/dev/null 2>&1
|
||||
running=$?
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
stop
|
||||
[ $running -eq 0 ] && exit 0
|
||||
start
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
[ $running -eq 0 ] || exit 0
|
||||
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||
stop
|
||||
RETVAL=$?
|
||||
;;
|
||||
restart)
|
||||
restart|force-reload)
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart)
|
||||
[ -e "$VAR_SUBSYS_IPTABLES" ] && restart
|
||||
condrestart|try-restart)
|
||||
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 7
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
status)
|
||||
status
|
||||
@ -328,7 +335,7 @@ case "$1" in
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
|
||||
exit 1
|
||||
RETVAL=3
|
||||
;;
|
||||
esac
|
||||
|
||||
|
@ -1,39 +1,35 @@
|
||||
%define build_devel 1
|
||||
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities.
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
Version: 1.3.8
|
||||
Release: 1
|
||||
Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
|
||||
Release: 2%{?dist}
|
||||
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
Patch0: iptables-1.3.8-iptc.patch
|
||||
Patch1: iptables-1.3.8-headers.patch
|
||||
Group: System Environment/Base
|
||||
URL: http://www.netfilter.org/
|
||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||
License: GPL
|
||||
BuildRequires: /usr/bin/perl
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
License: GPLv2
|
||||
BuildRequires: libselinux-devel
|
||||
Conflicts: kernel < 2.4.20
|
||||
Requires(post,postun): chkconfig
|
||||
Prefix: %{_prefix}
|
||||
|
||||
%package ipv6
|
||||
Summary: IPv6 support for iptables.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}
|
||||
|
||||
%if %{build_devel}
|
||||
%package devel
|
||||
Summary: Development package for iptables.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}
|
||||
%endif
|
||||
Requires(post): chkconfig
|
||||
Requires(preun): chkconfig
|
||||
|
||||
%description
|
||||
The iptables utility controls the network packet filtering code in the
|
||||
Linux kernel. If you need to set up firewalls and/or IP masquerading,
|
||||
you should install this package.
|
||||
|
||||
%package ipv6
|
||||
Summary: IPv6 support for iptables
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires(post): chkconfig
|
||||
Requires(preun): chkconfig
|
||||
|
||||
%description ipv6
|
||||
The iptables package contains IPv6 (the next version of the IP
|
||||
protocol) support for iptables. Iptables controls the Linux kernel
|
||||
@ -44,19 +40,25 @@ Install iptables-ipv6 if you need to set up firewalling for your
|
||||
network and you are using ipv6.
|
||||
|
||||
%if %{build_devel}
|
||||
%package devel
|
||||
Summary: Development package for iptables
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
The iptables utility controls the network packet filtering code in the
|
||||
Linux kernel. If you need to set up firewalls and/or IP masquerading,
|
||||
you should install this package.
|
||||
iptables development headers and libraries.
|
||||
|
||||
The iptc interface is upstream marked as not public. The interface is not
|
||||
stable and may change with every new version. It is therefore unsupported.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
rm -rf %{buildroot}
|
||||
|
||||
%setup -q
|
||||
%patch0 -p1 -b .iptc
|
||||
%patch1 -p1 -b .headers
|
||||
|
||||
# Put it to a reasonable place
|
||||
find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \;
|
||||
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
|
||||
|
||||
# do not use ld -shared and _init
|
||||
perl -pi -e "s/\(LD\) -shared/\(CC\) -shared/g" Rules.make
|
||||
@ -67,11 +69,12 @@ perl -pi -e "s/^_init\(/__attribute\(\(constructor\)\) my_init\(/g" extensions/*
|
||||
TOPDIR=`pwd`
|
||||
OPT="$RPM_OPT_FLAGS -I$TOPDIR/include -fPIC"
|
||||
export DO_SELINUX=1
|
||||
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib}
|
||||
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} %{?_smp_mflags}
|
||||
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore
|
||||
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
|
||||
|
||||
%install
|
||||
rm -rf %{buildroot}
|
||||
export DO_SELINUX=1
|
||||
make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
|
||||
%if %{build_devel}
|
||||
@ -81,16 +84,18 @@ cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
|
||||
cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
|
||||
install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
|
||||
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' -e 's;/proc/sys/net/ipv4;/proc/sys/net/ipv6;g' < %{SOURCE1} > ip6tables.init
|
||||
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
|
||||
install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
|
||||
install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
|
||||
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
|
||||
install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
|
||||
# install devel header files
|
||||
mkdir -p $RPM_BUILD_ROOT/usr/include
|
||||
install -c include/ip*.h $RPM_BUILD_ROOT/usr/include/
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT%{_includedir}
|
||||
install -c -m644 include/ip*.h $RPM_BUILD_ROOT%{_includedir}
|
||||
# install libiptc header files (unsupported)
|
||||
mkdir -p $RPM_BUILD_ROOT%{_includedir}/libiptc
|
||||
install -c -m644 include/libiptc/*.h $RPM_BUILD_ROOT%{_includedir}/libiptc
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -112,9 +117,9 @@ if [ "$1" = 0 ]; then
|
||||
fi
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,0755)
|
||||
%defattr(-,root,root)
|
||||
%doc COPYING INSTALL INCOMPATIBILITIES
|
||||
%config %attr(0755,root,root) /etc/rc.d/init.d/iptables
|
||||
%attr(0755,root,root) /etc/rc.d/init.d/iptables
|
||||
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
|
||||
/sbin/iptables*
|
||||
%{_mandir}/man8/iptables*
|
||||
@ -122,8 +127,8 @@ fi
|
||||
/%{_lib}/iptables/libipt*
|
||||
|
||||
%files ipv6
|
||||
%defattr(-,root,root,0755)
|
||||
%config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) /etc/rc.d/init.d/ip6tables
|
||||
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
|
||||
/sbin/ip6tables*
|
||||
%{_mandir}/man8/ip6tables*
|
||||
@ -131,14 +136,26 @@ fi
|
||||
|
||||
%if %{build_devel}
|
||||
%files devel
|
||||
%defattr(-,root,root,0755)
|
||||
%defattr(-,root,root)
|
||||
%{_includedir}/ip*.h
|
||||
%{_includedir}/libipq.h
|
||||
%dir %{_includedir}/libiptc
|
||||
%{_includedir}/libiptc/*.h
|
||||
%{_libdir}/libipq.a
|
||||
%{_libdir}/libiptc.a
|
||||
%{_mandir}/man3/*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Aug 23 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-2
|
||||
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
|
||||
- provide iptc interface again, but unsupported (rhbz#216733)
|
||||
- compile all extension, which are supported by the kernel-headers package
|
||||
- review fixes (rhbz#225906)
|
||||
|
||||
* Tue Jul 31 2007 Thomas Woerner <twoerner@redhat.com>
|
||||
- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888)
|
||||
|
||||
* Fri Jul 13 2007 Steve Conklin <sconklin@redhat.com> - 1.3.8-1
|
||||
- New version 1.3.8
|
||||
|
||||
@ -340,7 +357,7 @@ fi
|
||||
- Merge ip6tables improvements from Ian Prowell <iprowell@prowell.org>
|
||||
#59402
|
||||
- Update URL (#59354)
|
||||
- Use /sbin/chkconfig rather than chkconfig in %postun script
|
||||
- Use /sbin/chkconfig rather than chkconfig in %%postun script
|
||||
|
||||
* Fri Jan 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-1
|
||||
- 1.2.5
|
||||
@ -349,7 +366,7 @@ fi
|
||||
- automated rebuild
|
||||
|
||||
* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-2
|
||||
- Fix %preun script
|
||||
- Fix %%preun script
|
||||
|
||||
* Tue Oct 30 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-1
|
||||
- Update to 1.2.4 (various fixes, including security fixes; among others:
|
||||
@ -395,7 +412,7 @@ fi
|
||||
- fix bugzilla #25962 (iptables-restore)
|
||||
- mv chkconfig --del from postun to preun
|
||||
|
||||
* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
|
||||
* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
|
||||
- Fix check for ipchains
|
||||
|
||||
* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
|
||||
@ -442,5 +459,5 @@ fi
|
||||
* Mon Jun 4 2000 Bill Nottingham <notting@redhat.com>
|
||||
- remove explicit kernel requirement
|
||||
|
||||
* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
|
||||
* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
|
||||
- initial package
|
||||
|
Loading…
Reference in New Issue
Block a user