iptables-1.8.7-9

- Add nft-services subpackage Resolves: RHBZ#1951074
2021-04-21 18:23:36 +02:00 · 2021-04-21 18:23:36 +02:00 · 5d9bdbf66a
commit 5d9bdbf66a
parent 3c640d04d2
5 changed files with 187 additions and 3 deletions
--- a/arptables.service
+++ b/arptables.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+#   Value: yes|no,  default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
--- a/105
+++ b/105
@ -0,0 +1,105 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+       echo "[  OK  ]"
+       return 0
+}
+
+failure() {
+       echo "[FAILED]"
+       return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+	EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+	local ret=0
+	for table in $EBTABLES_TABLES; do
+		ebtables -t $table --init-table || ret=1
+	done
+	return $ret
+}
+
+sanitize_dump() {
+	local drop=false
+
+	export EBTABLES_TABLES
+
+	cat $1 | while read line; do
+		case $line in
+		\**)
+			drop=false
+			local table="${line#\*}"
+			local found=false
+			for t in $EBTABLES_TABLES; do
+				if [[ $t == $table ]]; then
+					found=true
+					break
+				fi
+			done
+			$found || drop=true
+			;;
+		esac
+		$drop || echo "$line"
+	done
+}
+
+start() {
+	if [ -f $EBTABLES_DATA ]; then
+		echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+		sanitize_dump $EBTABLES_DATA | ebtables-restore
+	else
+		echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+		initialize
+	fi
+	local ret=$?
+	touch $VAR_SUBSYS_EBTABLES
+	return $ret
+}
+
+save() {
+	echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+	export EBTABLES_SAVE_COUNTER
+	ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+	start)
+		[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+		start && success || failure
+		RETVAL=$?
+		;;
+	stop)
+		[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+		echo -n $"ebtables: stopping firewall: "
+		initialize && success || failure
+		RETVAL=$?
+		rm -f $VAR_SUBSYS_EBTABLES
+		;;
+	save)
+		save
+		;;
+	*)
+		echo "usage: ${0##*/} {start|stop|save}" >&2
+		RETVAL=2
+		;;
+esac
+
+exit $RETVAL
--- a/ebtables.service
+++ b/ebtables.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
--- a/iptables.spec
+++ b/iptables.spec
@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 8%{?dist}
+Release: 9%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -19,6 +19,10 @@ Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
+Source7: arptables.service
+Source8: ebtables-helper
+Source9: ebtables.service
+Source10: ebtables-config

 Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch

@ -120,6 +124,18 @@ iptables services for IPv4 and IPv6
 This package provides the services iptables and ip6tables that have been split
 out of the base package since they are not active by default anymore.

+%package nft-services
+Summary: arptables and ebtables services for iptables-nft
+Requires: %{name}-nft%{?_isa} = %{version}-%{release}
+Conflicts: arptables-services
+Conflicts: ebtables-services
+
+%description nft-services
+arptables and ebtables services for iptables-nft
+
+This package provides the services arptables and ebtables for use
+with iptables-nft which provides nft-variants of these tools.
+
 %package utils
 Summary: iptables and ip6tables misc utilities
 Requires: %{name} = %{version}-%{release}
@ -206,10 +222,19 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
 # Remove /etc/ethertypes (now part of setup)
 rm -f %{buildroot}%{_sysconfdir}/ethertypes

-install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
-touch %{buildroot}%{_libexecdir}/arptables-helper
+# extra sources for arptables
+install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper
+install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
+touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
+
+# extra sources for ebtables
+install -p %{SOURCE9} %{buildroot}%{_unitdir}/
+install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
+install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
+touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables

 # prepare for alternatives
+touch %{buildroot}%{_libexecdir}/arptables-helper
 touch %{buildroot}%{_mandir}/man8/arptables.8
 touch %{buildroot}%{_mandir}/man8/arptables-save.8
 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
@ -244,6 +269,16 @@ fi
 %?ldconfig
 %systemd_postun iptables.service ip6tables.service

+%post nft-services
+%systemd_post arptables.service ebtables.service
+
+%preun nft-services
+%systemd_preun arptables.service ebtables.service
+
+%postun nft-services
+%?ldconfig
+%systemd_postun arptables.service ebtables.service
+
 %post nft
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
@ -342,6 +377,13 @@ fi
 %dir %{legacy_actions}/ip{,6}tables
 %{legacy_actions}/ip{,6}tables/{save,panic}

+%files nft-services
+%{_unitdir}/{arp,eb}tables.service
+%{_libexecdir}/ebtables-helper
+%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
+%ghost %{_sysconfdir}/sysconfig/arptables
+%ghost %{_sysconfdir}/sysconfig/ebtables
+
 %files utils
 %license COPYING
 %{_sbindir}/nfnl_osf
@ -374,6 +416,9 @@ fi


 %changelog
+* Wed Apr 21 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9
+- Add nft-services subpackage
+
 * Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
 - Drop hacks to maintain upgrade path