- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extension, which are supported by the kernel-headers package
- review fixes (rhbz#225906)
This commit is contained in:
Thomas Woerner 2007-08-23 14:54:50 +00:00
parent 7b2367e316
commit 32bdef74b2
2 changed files with 97 additions and 73 deletions


@ -7,6 +7,16 @@
# #
# config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config # config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library. # Source function library.
. /etc/init.d/functions . /etc/init.d/functions
@ -15,22 +25,13 @@ IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
if [ ! -x /sbin/$IPTABLES ]; then if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"/sbin/$IPTABLES does not exist."; warning; echo echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
exit 0 exit 5
fi
if lsmod 2>/dev/null | grep -q ipchains ; then
echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
exit 0
fi
# no protocol support, don't try to run
if [ ! -d /proc/sys/net/ipv4 ]; then
exit 0
fi fi
# Old or new modutils # Old or new modutils
@ -59,8 +60,8 @@ rmmod_r() {
# Get referring modules. # Get referring modules.
# New modutils have another output format. # New modutils have another output format.
[ $NEW_MODUTILS = 1 ] \ [ $NEW_MODUTILS = 1 ] \
&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \ && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1` || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
# recursive call for all referring modules # recursive call for all referring modules
for i in $ref; do for i in $ref; do
@ -84,7 +85,7 @@ flush_n_delete() {
[ -e "$PROC_IPTABLES_NAMES" ] || return 1 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1
echo -n $"Flushing firewall rules: " echo -n $"Flushing firewall rules: "
@ -117,7 +118,7 @@ set_policy() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1
echo -n $"Setting chains to policy $policy: " echo -n $"Setting chains to policy $policy: "
@ -206,8 +207,12 @@ stop() {
ret=0 ret=0
rmmod_r ${IPV}_tables rmmod_r ${IPV}_tables
let ret+=$?; let ret+=$?;
rmmod_r ${IPV}_conntrack rmmod_r nf_conntrack_${_IPV}
let ret+=$?; let ret+=$?;
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
rmmod_r x_tables
rmmod_r nf_conntrack
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
echo echo
fi fi
@ -221,7 +226,7 @@ save() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1
echo -n $"Saving firewall rules to $IPTABLES_DATA: " echo -n $"Saving firewall rules to $IPTABLES_DATA: "
@ -230,10 +235,10 @@ save() {
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0 ret=0
TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \ TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
&& chmod 600 "$TMP_FILE" \ && chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1 || ret=1
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then if [ -e $IPTABLES_DATA ]; then
@ -254,24 +259,20 @@ save() {
} }
status() { status() {
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
# Do not print status if lockfile is missing and iptables modules are not # Do not print status if lockfile is missing and iptables modules are not
# loaded. # loaded.
# Check if iptable module is loaded # Check if iptable modules are loaded
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
echo $"Firewall is stopped." echo $"Firewall is stopped."
return 1 return 3
fi fi
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
echo $"Firewall is not configured. " echo $"Firewall is not configured. "
return 1 return 3
fi
if [ -z "$tables" ]; then
echo $"Firewall is not configured. "
return 1
fi fi
NUM= NUM=
@ -295,23 +296,29 @@ restart() {
start start
} }
status >/dev/null 2>&1
running=$?
case "$1" in case "$1" in
start) start)
stop [ $running -eq 0 ] && exit 0
start start
RETVAL=$? RETVAL=$?
;; ;;
stop) stop)
[ $running -eq 0 ] || exit 0
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop stop
RETVAL=$? RETVAL=$?
;; ;;
restart) restart|force-reload)
restart restart
RETVAL=$? RETVAL=$?
;; ;;
condrestart) condrestart|try-restart)
[ -e "$VAR_SUBSYS_IPTABLES" ] && restart [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 7
restart
RETVAL=$?
;; ;;
status) status)
status status
@ -328,7 +335,7 @@ case "$1" in
;; ;;
*) *)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}" echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1 RETVAL=3
;; ;;
esac esac
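Review bot: The usage message in the `*)` arm still lists only `{start|stop|restart|condrestart|status|panic|save}` although the `case` now also accepts `force-reload` and `try-restart`; the line should read `echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|force-reload|status|panic|save}"`. The `condrestart|try-restart` arm exits 7 when the lock file is absent, but if the reference is the Fedora SysV initscript template, try-restart on a stopped service is expected to exit 0 rather than 7, so this is worth confirming against the LSB reading behind rhbz#246953. The new `status` test uses the deprecated `-o` form inside `[ ]`; `[ ! -e "$PROC_IPTABLES_NAMES" ] || [ -z "$tables" ]` expresses the same condition without the ambiguity. The `status` function and the `case` statement both start outside the hunks shown here.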


@ -1,39 +1,35 @@
%define build_devel 1 %define build_devel 1
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities. Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8 Version: 1.3.8
Release: 1 Release: 2%{?dist}
Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
Patch0: iptables-1.3.8-iptc.patch
Patch1: iptables-1.3.8-headers.patch
Group: System Environment/Base Group: System Environment/Base
URL: http://www.netfilter.org/ URL: http://www.netfilter.org/
BuildRoot: %{_tmppath}/%{name}-buildroot BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
License: GPL License: GPLv2
BuildRequires: /usr/bin/perl
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
Conflicts: kernel < 2.4.20 Conflicts: kernel < 2.4.20
Requires(post,postun): chkconfig Requires(post): chkconfig
Prefix: %{_prefix} Requires(preun): chkconfig
%package ipv6
Summary: IPv6 support for iptables.
Group: System Environment/Base
Requires: %{name} = %{version}
%if %{build_devel}
%package devel
Summary: Development package for iptables.
Group: System Environment/Base
Requires: %{name} = %{version}
%endif
%description %description
The iptables utility controls the network packet filtering code in the The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading, Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package. you should install this package.
%package ipv6
Summary: IPv6 support for iptables
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
Requires(post): chkconfig
Requires(preun): chkconfig
%description ipv6 %description ipv6
The iptables package contains IPv6 (the next version of the IP The iptables package contains IPv6 (the next version of the IP
protocol) support for iptables. Iptables controls the Linux kernel protocol) support for iptables. Iptables controls the Linux kernel
@ -44,19 +40,25 @@ Install iptables-ipv6 if you need to set up firewalling for your
network and you are using ipv6. network and you are using ipv6.
%if %{build_devel} %if %{build_devel}
%package devel
Summary: Development package for iptables
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description devel %description devel
The iptables utility controls the network packet filtering code in the iptables development headers and libraries.
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package. The iptc interface is upstream marked as not public. The interface is not
stable and may change with every new version. It is therefore unsupported.
%endif %endif
%prep %prep
rm -rf %{buildroot}
%setup -q %setup -q
%patch0 -p1 -b .iptc
%patch1 -p1 -b .headers
# Put it to a reasonable place # Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \; find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
# do not use ld -shared and _init # do not use ld -shared and _init
perl -pi -e "s/\(LD\) -shared/\(CC\) -shared/g" Rules.make perl -pi -e "s/\(LD\) -shared/\(CC\) -shared/g" Rules.make
@ -67,11 +69,12 @@ perl -pi -e "s/^_init\(/__attribute\(\(constructor\)\) my_init\(/g" extensions/*
TOPDIR=`pwd` TOPDIR=`pwd`
OPT="$RPM_OPT_FLAGS -I$TOPDIR/include -fPIC" OPT="$RPM_OPT_FLAGS -I$TOPDIR/include -fPIC"
export DO_SELINUX=1 export DO_SELINUX=1
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} %{?_smp_mflags}
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore
make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
%install %install
rm -rf %{buildroot}
export DO_SELINUX=1 export DO_SELINUX=1
make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir} make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
%if %{build_devel} %if %{build_devel}
@ -81,16 +84,18 @@ cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8 cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' -e 's;/proc/sys/net/ipv4;/proc/sys/net/ipv6;g' < %{SOURCE1} > ip6tables.init sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
# install devel header files # install devel header files
mkdir -p $RPM_BUILD_ROOT/usr/include mkdir -p $RPM_BUILD_ROOT%{_includedir}
install -c include/ip*.h $RPM_BUILD_ROOT/usr/include/ install -c -m644 include/ip*.h $RPM_BUILD_ROOT%{_includedir}
# install libiptc header files (unsupported)
mkdir -p $RPM_BUILD_ROOT%{_includedir}/libiptc
install -c -m644 include/libiptc/*.h $RPM_BUILD_ROOT%{_includedir}/libiptc
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -112,9 +117,9 @@ if [ "$1" = 0 ]; then
fi fi
%files %files
%defattr(-,root,root,0755) %defattr(-,root,root)
%doc COPYING INSTALL INCOMPATIBILITIES %doc COPYING INSTALL INCOMPATIBILITIES
%config %attr(0755,root,root) /etc/rc.d/init.d/iptables %attr(0755,root,root) /etc/rc.d/init.d/iptables
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
/sbin/iptables* /sbin/iptables*
%{_mandir}/man8/iptables* %{_mandir}/man8/iptables*
@ -122,8 +127,8 @@ fi
/%{_lib}/iptables/libipt* /%{_lib}/iptables/libipt*
%files ipv6 %files ipv6
%defattr(-,root,root,0755) %defattr(-,root,root)
%config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config %config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
/sbin/ip6tables* /sbin/ip6tables*
%{_mandir}/man8/ip6tables* %{_mandir}/man8/ip6tables*
@ -131,14 +136,26 @@ fi
%if %{build_devel} %if %{build_devel}
%files devel %files devel
%defattr(-,root,root,0755) %defattr(-,root,root)
%{_includedir}/ip*.h %{_includedir}/ip*.h
%{_includedir}/libipq.h %{_includedir}/libipq.h
%dir %{_includedir}/libiptc
%{_includedir}/libiptc/*.h
%{_libdir}/libipq.a %{_libdir}/libipq.a
%{_libdir}/libiptc.a
%{_mandir}/man3/* %{_mandir}/man3/*
%endif %endif
%changelog %changelog
* Thu Aug 23 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-2
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extension, which are supported by the kernel-headers package
- review fixes (rhbz#225906)
* Tue Jul 31 2007 Thomas Woerner <twoerner@redhat.com>
- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888)
* Fri Jul 13 2007 Steve Conklin <sconklin@redhat.com> - 1.3.8-1 * Fri Jul 13 2007 Steve Conklin <sconklin@redhat.com> - 1.3.8-1
- New version 1.3.8 - New version 1.3.8
@ -340,7 +357,7 @@ fi
- Merge ip6tables improvements from Ian Prowell <iprowell@prowell.org> - Merge ip6tables improvements from Ian Prowell <iprowell@prowell.org>
#59402 #59402
- Update URL (#59354) - Update URL (#59354)
- Use /sbin/chkconfig rather than chkconfig in %postun script - Use /sbin/chkconfig rather than chkconfig in %%postun script
* Fri Jan 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-1 * Fri Jan 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-1
- 1.2.5 - 1.2.5
@ -349,7 +366,7 @@ fi
- automated rebuild - automated rebuild
* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-2 * Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-2
- Fix %preun script - Fix %%preun script
* Tue Oct 30 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-1 * Tue Oct 30 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-1
- Update to 1.2.4 (various fixes, including security fixes; among others: - Update to 1.2.4 (various fixes, including security fixes; among others:
@ -395,7 +412,7 @@ fi
- fix bugzilla #25962 (iptables-restore) - fix bugzilla #25962 (iptables-restore)
- mv chkconfig --del from postun to preun - mv chkconfig --del from postun to preun
* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com> * Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
- Fix check for ipchains - Fix check for ipchains
* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com> * Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
@ -442,5 +459,5 @@ fi
* Mon Jun 4 2000 Bill Nottingham <notting@redhat.com> * Mon Jun 4 2000 Bill Nottingham <notting@redhat.com>
- remove explicit kernel requirement - remove explicit kernel requirement
* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com> * Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
- initial package - initial package
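Review bot: The `%files devel` section now ships `%{_libdir}/libiptc.a` next to the existing `%{_libdir}/libipq.a`, and the new -devel description itself says the iptc interface is unstable and unsupported; if the static-library packaging rule applies to this package, the `.a` files belong in a separate -static subpackage rather than -devel, which is worth confirming during the rhbz#225906 review. The changelog entry `* Tue Jul 31 2007 Thomas Woerner <twoerner@redhat.com>` carries no version-release tag while every neighbouring entry does; if it is new in this commit, appending the release it describes keeps the changelog consistent. The `%prep` and `%install` sections both continue outside the visible hunks.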