From 32bdef74b28d4ad6d8d38360131ce9448b7683e1 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Thu, 23 Aug 2007 14:54:50 +0000
Subject: [PATCH] [tw] - fixed initscript for LSB conformance (rhbz#246953, rhbz#242459) - provide iptc interface again, but unsupported (rhbz#216733) - compile all extension, which are supported by the kernel-headers package - review fixes (rhbz#225906)
---
 iptables.init | 73 ++++++++++++++++++++------------------
 iptables.spec | 97 ++++++++++++++++++++++++++++++--------------------
 2 files changed, 97 insertions(+), 73 deletions(-)
diff --git a/iptables.init b/iptables.init
index d808f03..93fb093 100755
--- a/iptables.init
+++ b/iptables.init
@@ -7,6 +7,16 @@
 #
 # config: /etc/sysconfig/iptables
 # config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
 # Source function library.
 . /etc/init.d/functions
@@ -15,24 +25,15 @@
 IPTABLES=iptables
 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 if [ ! -x /sbin/$IPTABLES ]; then
 echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
- exit 0
+ exit 5
 fi
-if lsmod 2>/dev/null | grep -q ipchains ; then
- echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
- exit 0
-fi
-
-# no protocol support, don't try to run
-if [ ! -d /proc/sys/net/ipv4 ]; then
- exit 0
-fi
-
 # Old or new modutils
 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
 && NEW_MODUTILS=1 \
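Review bot: The LSB header's `Default-Start: 2 3 4 5` and `Default-Stop: 0 1 6` have to agree with the `# chkconfig:` line that Red Hat init scripts carry near the top of the file (outside this hunk); if the two disagree, chkconfig and LSB-aware tooling will enable the firewall in different runlevels. Requiring only `$local_fs` keeps the script starting before the network is brought up, which is what a packet filter needs, but nothing says so; a comment placed above the `### BEGIN INIT INFO` block, such as `# Required-Start deliberately omits $network: rules must be loaded before interfaces come up`, would keep a later "fix" from adding that dependency. Separately, `[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"` only works because an assignment cannot fail; `if [ "$IPV" = "ip" ]; then _IPV=ipv4; else _IPV=ipv6; fi` states the intent without leaning on that.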
@@ -59,8 +60,8 @@ rmmod_r() {
 # Get referring modules.
 # New modutils have another output format.
 [ $NEW_MODUTILS = 1 ] \
- && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
- || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+ && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
+ || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
 # recursive call for all referring modules
 for i in $ref; do
@@ -84,7 +85,7 @@ flush_n_delete() {
 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
 [ -z "$tables" ] && return 1
 echo -n $"Flushing firewall rules: "
@@ -117,7 +118,7 @@ set_policy() {
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
 [ -z "$tables" ] && return 1
 echo -n $"Setting chains to policy $policy: "
@@ -206,8 +207,12 @@ stop() {
 ret=0
 rmmod_r ${IPV}_tables
 let ret+=$?;
- rmmod_r ${IPV}_conntrack
+ rmmod_r nf_conntrack_${_IPV}
 let ret+=$?;
+ # try to unload remaining netfilter modules used by ipv4 and ipv6
+ # netfilter
+ rmmod_r x_tables
+ rmmod_r nf_conntrack
 [ $ret -eq 0 ] && success || failure
 echo
 fi
@@ -221,7 +226,7 @@ save() {
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
 [ -z "$tables" ] && return 1
 echo -n $"Saving firewall rules to $IPTABLES_DATA: "
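Review bot: Both rewritten `ref=` lines still select lsmod rows by name prefix — the awk pattern `/^${mod}/` and `grep ^${mod}` — so once stop() calls `rmmod_r nf_conntrack` (the stop() hunk further down), the "Used by" columns of every `nf_conntrack_*` row are merged into `ref`, and the `for i in $ref` recursion unloads referrers of modules that were never asked for. Matching the whole first field fixes that and keeps `$mod` out of the awk program text: `&& ref=$(lsmod | awk -v mod="$mod" '$1 == mod { print $4 }' | tr ',' ' ') \` and `|| ref=$(lsmod | grep "^${mod} " | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)`. rmmod_r begins before this hunk and its loop body continues after it.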
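Review bot: `rmmod_r x_tables` and `rmmod_r nf_conntrack` run from the per-family stop path, and rmmod_r recursively unloads every module that refers to its argument (the `for i in $ref` loop in the rmmod_r hunk above); because both modules are shared by ip_tables and ip6_tables, `service iptables stop` appears to unload the ip6_tables table modules as well — and the sed-generated ip6tables script the IPv4 ones — dropping the other family's ruleset while that service is still marked running under /var/lock/subsys. Unless rmmod_r carries a guard that is outside this hunk, the two calls should be attempted only when neither family has tables left, e.g. `other=$(cat /proc/net/ip_tables_names /proc/net/ip6_tables_names 2>/dev/null)` followed by `if [ -z "$other" ]; then rmmod_r x_tables; rmmod_r nf_conntrack; fi`. Their exit status is deliberately not folded into `$ret`, which the comment should say, e.g. `# best effort, status ignored: shared modules may still be in use by the other family`. Note also that `${IPV}_conntrack` is no longer tried at all, so on a kernel that still names the module ip_conntrack the tracker stays loaded after stop; `rmmod_r ${IPV}_conntrack` could be kept alongside the new name if such kernels are still a target. The enclosing `if` block of stop() starts outside the hunk.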
@@ -230,10 +235,10 @@ save() {
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
 ret=0
- TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
+ TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
 && chmod 600 "$TMP_FILE" \
 && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
- && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
+ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
 || ret=1
 if [ $ret -eq 0 ]; then
 if [ -e $IPTABLES_DATA ]; then
@@ -254,24 +259,20 @@ save() {
 }
 status() {
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
 # Do not print status if lockfile is missing and iptables modules are not
 # loaded.
- # Check if iptable module is loaded
+ # Check if iptable modules are loaded
 if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
 echo $"Firewall is stopped."
- return 1
+ return 3
 fi
 # Check if firewall is configured (has tables)
- if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
 echo $"Firewall is not configured. "
- return 1
- fi
- if [ -z "$tables" ]; then
- echo $"Firewall is not configured. "
- return 1
+ return 3
 fi
 NUM=
@@ -295,23 +296,29 @@ restart() {
 start
 }
+status >/dev/null 2>&1
+running=$?
+
 case "$1" in
 start)
- stop
+ [ $running -eq 0 ] && exit 0
 start
 RETVAL=$?
 ;;
 stop)
+ [ $running -eq 0 ] || exit 0
 [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 stop
 RETVAL=$?
 ;;
- restart)
+ restart|force-reload)
 restart
 RETVAL=$?
 ;;
- condrestart)
- [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
+ condrestart|try-restart)
+ [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 7
+ restart
+ RETVAL=$?
 ;;
 status)
 status
@@ -328,7 +335,7 @@ case "$1" in
 ;;
 *)
 echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
- exit 1
+ RETVAL=3
 ;;
 esac
diff --git a/iptables.spec b/iptables.spec
index 3003782..f72c46c 100644
--- a/iptables.spec
+++ b/iptables.spec
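Review bot: The new condition `[ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]` in status() is redundant: `tables` was just filled from that very file with errors discarded, so it is empty whenever the file is missing, and the test collapses to `if [ -z "$tables" ]; then`. That also removes the `-o` operator, which POSIX marks obsolescent and which becomes ambiguous once an operand can look like an operator; the same applies to the `-a` kept in the "Firewall is stopped." test a few lines above, which reads better as `[ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$tables" ]`. status() continues past the end of the hunk.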
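Review bot: `running` is taken from status(), and from the two checks visible in the status() hunk that function falls through — presumably to exit 0 — whenever /proc/net/${IPV}_tables_names lists a table, regardless of the lock file; so once the filter table is registered in the kernel (e.g. after a manual `iptables -L`, which autoloads it), `start` hits `[ $running -eq 0 ] && exit 0`, never restores /etc/sysconfig/iptables and never creates $VAR_SUBSYS_IPTABLES, while reporting success. The mirror case sits in the `stop)` arm: with the lock file present but no tables left (modules unloaded behind the script's back) stop is skipped, so the stale lock file survives and the optional save never runs. Tying the short-circuits to the service's own state as well as to kernel state fixes both: `[ $running -eq 0 ] && [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0` in `start)` and `[ $running -eq 0 ] || [ -f "$VAR_SUBSYS_IPTABLES" ] || exit 0` in `stop)`. The `case` statement runs on past this hunk.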
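Review bot: The usage line still reads `{start|stop|restart|condrestart|status|panic|save}` although this commit adds the `force-reload` and `try-restart` aliases in the case arms above; it should become `echo $"Usage: $0 {start|stop|restart|force-reload|condrestart|try-restart|status|panic|save}"`. Exit status 3 for an unknown action also looks off: in the LSB init-script conventions this commit targets, 2 is "invalid or excess arguments" and 3 is "unimplemented feature", so `RETVAL=2` fits here. The case statement starts outside the hunk.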
@@ -1,39 +1,35 @@
 %define build_devel 1
 Name: iptables
-Summary: Tools for managing Linux kernel packet filtering capabilities.
+Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 1
-Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
+Release: 2%{?dist}
+Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
+Patch0: iptables-1.3.8-iptc.patch
+Patch1: iptables-1.3.8-headers.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
-BuildRoot: %{_tmppath}/%{name}-buildroot
-License: GPL
-BuildRequires: /usr/bin/perl
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+License: GPLv2
 BuildRequires: libselinux-devel
 Conflicts: kernel < 2.4.20
-Requires(post,postun): chkconfig
-Prefix: %{_prefix}
-
-%package ipv6
-Summary: IPv6 support for iptables.
-Group: System Environment/Base
-Requires: %{name} = %{version}
-
-%if %{build_devel}
-%package devel
-Summary: Development package for iptables.
-Group: System Environment/Base
-Requires: %{name} = %{version}
-%endif
+Requires(post): chkconfig
+Requires(preun): chkconfig
 %description
 The iptables utility controls the network packet filtering code in the
 Linux kernel. If you need to set up firewalls and/or IP masquerading,
 you should install this package.
+%package ipv6
+Summary: IPv6 support for iptables
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+Requires(post): chkconfig
+Requires(preun): chkconfig
+
 %description ipv6
 The iptables package contains IPv6 (the next version of the IP protocol)
 support for iptables. Iptables controls the Linux kernel
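Review bot: `Patch0: iptables-1.3.8-iptc.patch` and `Patch1: iptables-1.3.8-headers.patch` are added without a word on what they change, while the changelog entry in this same commit does say; a one-line comment above each would keep that knowledge with the spec, e.g. `# rhbz#216733: re-enable the libiptc interface (shipped unsupported, see %description devel)` and `# build every extension the kernel-headers package supports`. The relocated `Source:` URL is plain http and the spec records no digest for the tarball, so a swapped download would not be noticed at build time; if the build system keeps a separate sources checksum file that is where it belongs, otherwise a comment with the expected digest (placeholder: `# sha256: <TARBALL-DIGEST>`) is better than nothing.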
@@ -44,19 +40,25 @@ Install iptables-ipv6 if you need to set up
 firewalling for your network and you are using ipv6.
 %if %{build_devel}
+%package devel
+Summary: Development package for iptables
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
 %description devel
-The iptables utility controls the network packet filtering code in the
-Linux kernel. If you need to set up firewalls and/or IP masquerading,
-you should install this package.
+iptables development headers and libraries.
+
+The iptc interface is upstream marked as not public. The interface is not
+stable and may change with every new version. It is therefore unsupported.
 %endif
 %prep
-rm -rf %{buildroot}
-
 %setup -q
+%patch0 -p1 -b .iptc
+%patch1 -p1 -b .headers
 # Put it to a reasonable place
-find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \;
+find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
 # do not use ld -shared and _init
 perl -pi -e "s/\(LD\) -shared/\(CC\) -shared/g" Rules.make
@@ -67,11 +69,12 @@ perl -pi -e "s/^_init\(/__attribute\(\(constructor\)\) my_init\(/g" extensions/*
 TOPDIR=`pwd`
 OPT="$RPM_OPT_FLAGS -I$TOPDIR/include -fPIC"
 export DO_SELINUX=1
-make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib}
+make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} %{?_smp_mflags}
 make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore
 make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
 %install
+rm -rf %{buildroot}
 export DO_SELINUX=1
 make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
 %if %{build_devel}
@@ -81,16 +84,18 @@ cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
 cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
-sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' -e 's;/proc/sys/net/ipv4;/proc/sys/net/ipv6;g' < %{SOURCE1} > ip6tables.init
+sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
 install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
 install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
 sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
 install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
 # install devel header files
-mkdir -p $RPM_BUILD_ROOT/usr/include
-install -c include/ip*.h $RPM_BUILD_ROOT/usr/include/
-
+mkdir -p $RPM_BUILD_ROOT%{_includedir}
+install -c -m644 include/ip*.h $RPM_BUILD_ROOT%{_includedir}
+# install libiptc header files (unsupported)
+mkdir -p $RPM_BUILD_ROOT%{_includedir}/libiptc
+install -c -m644 include/libiptc/*.h $RPM_BUILD_ROOT%{_includedir}/libiptc
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -112,9 +117,9 @@ if [ "$1" = 0 ]; then
 fi
 %files
-%defattr(-,root,root,0755)
+%defattr(-,root,root)
 %doc COPYING INSTALL INCOMPATIBILITIES
-%config %attr(0755,root,root) /etc/rc.d/init.d/iptables
+%attr(0755,root,root) /etc/rc.d/init.d/iptables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
 /sbin/iptables*
 %{_mandir}/man8/iptables*
@@ -122,8 +127,8 @@ fi
 /%{_lib}/iptables/libipt*
 %files ipv6
-%defattr(-,root,root,0755)
-%config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
+%defattr(-,root,root)
+%attr(0755,root,root) /etc/rc.d/init.d/ip6tables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
 /sbin/ip6tables*
 %{_mandir}/man8/ip6tables*
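Review bot: The new `install -c -m644 … %{_includedir}` lines for `include/ip*.h` and `include/libiptc/*.h` run unconditionally in %install, but the only %files section that packages them is `%files devel`, which sits under `%if %{build_devel}` (the `%if` visible at the end of the previous hunk; whether it also encloses these lines cannot be seen here). If it does not, a build with `build_devel` set to 0 installs headers that no package claims and fails rpmbuild's unpackaged-files check. Either wrap the header installs in the same `%if %{build_devel}` … `%endif`, or drop the conditional around the devel package since the spec always sets it; in either case the `# install libiptc header files (unsupported)` comment should point at the `%package devel` description that explains why the interface ships as unsupported.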
@@ -131,14 +136,26 @@ fi
 %if %{build_devel}
 %files devel
-%defattr(-,root,root,0755)
+%defattr(-,root,root)
 %{_includedir}/ip*.h
 %{_includedir}/libipq.h
+%dir %{_includedir}/libiptc
+%{_includedir}/libiptc/*.h
 %{_libdir}/libipq.a
+%{_libdir}/libiptc.a
 %{_mandir}/man3/*
 %endif
 %changelog
+* Thu Aug 23 2007 Thomas Woerner 1.3.8-2
+- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
+- provide iptc interface again, but unsupported (rhbz#216733)
+- compile all extension, which are supported by the kernel-headers package
+- review fixes (rhbz#225906)
+
+* Tue Jul 31 2007 Thomas Woerner
+- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888)
+
 * Fri Jul 13 2007 Steve Conklin - 1.3.8-1
 - New version 1.3.8
@@ -340,7 +357,7 @@ fi
 - Merge ip6tables improvements from Ian Prowell #59402
 - Update URL (#59354)
-- Use /sbin/chkconfig rather than chkconfig in %postun script
+- Use /sbin/chkconfig rather than chkconfig in %%postun script
 * Fri Jan 11 2002 Bernhard Rosenkraenzer 1.2.5-1
 - 1.2.5
@@ -349,7 +366,7 @@ fi
 - automated rebuild
 * Mon Nov 5 2001 Bernhard Rosenkraenzer 1.2.4-2
-- Fix %preun script
+- Fix %%preun script
 * Tue Oct 30 2001 Bernhard Rosenkraenzer 1.2.4-1
 - Update to 1.2.4 (various fixes, including security fixes; among others:
@@ -395,7 +412,7 @@ fi
 - fix bugzilla #25962 (iptables-restore)
 - mv chkconfig --del from postun to preun
-* Thu Feb 1 2001 Trond Eivind Glomsrød
+* Thu Feb 1 2001 Trond Eivind Glomsrød
 - Fix check for ipchains
 * Mon Jan 29 2001 Bernhard Rosenkraenzer
@@ -442,5 +459,5 @@ fi
 * Mon Jun 4 2000 Bill Nottingham
 - remove explicit kernel requirement
-* Tue May 2 2000 Bernhard Rosenkränzer
+* Tue May 2 2000 Bernhard Rosenkränzer
 - initial package