iptables-1.8.7-9
- Add nft-services subpackage Resolves: RHBZ#1951074
This commit is contained in:
Phil Sutter
parent
3c640d04d2
commit
5d9bdbf66a
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Automates a packet filtering firewall with arptables
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/libexec/arptables-helper start
|
||||
ExecStop=/usr/libexec/arptables-helper stop
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Save current firewall rules on stop.
|
||||
# Value: yes|no, default: no
|
||||
# Saves all firewall rules if firewall gets stopped
|
||||
# (e.g. on system shutdown).
|
||||
EBTABLES_SAVE_ON_STOP="no"
|
||||
|
||||
# Save (and restore) rule counters.
|
||||
# Value: yes|no, default: no
|
||||
# Save rule counters when saving a kernel table to a file. If the
|
||||
# rule counters were saved, they will be restored when restoring the table.
|
||||
EBTABLES_SAVE_COUNTER="no"
|
||||
|
|
@ -0,0 +1,105 @@
|
|||
#!/bin/bash
|
||||
|
||||
# compat for removed initscripts dependency
|
||||
|
||||
success() {
|
||||
echo "[ OK ]"
|
||||
return 0
|
||||
}
|
||||
|
||||
failure() {
|
||||
echo "[FAILED]"
|
||||
return 1
|
||||
}
|
||||
|
||||
# internal variables
|
||||
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
|
||||
EBTABLES_DATA=/etc/sysconfig/ebtables
|
||||
EBTABLES_TABLES="filter nat"
|
||||
if ebtables --version | grep -q '(legacy)'; then
|
||||
EBTABLES_TABLES+=" broute"
|
||||
fi
|
||||
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
|
||||
|
||||
# ebtables-config defaults
|
||||
EBTABLES_SAVE_ON_STOP="no"
|
||||
EBTABLES_SAVE_ON_RESTART="no"
|
||||
EBTABLES_SAVE_COUNTER="no"
|
||||
|
||||
# load config if existing
|
||||
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
|
||||
|
||||
initialize() {
|
||||
local ret=0
|
||||
for table in $EBTABLES_TABLES; do
|
||||
ebtables -t $table --init-table || ret=1
|
||||
done
|
||||
return $ret
|
||||
}
|
||||
|
||||
sanitize_dump() {
|
||||
local drop=false
|
||||
|
||||
export EBTABLES_TABLES
|
||||
|
||||
cat $1 | while read line; do
|
||||
case $line in
|
||||
\**)
|
||||
drop=false
|
||||
local table="${line#\*}"
|
||||
local found=false
|
||||
for t in $EBTABLES_TABLES; do
|
||||
if [[ $t == $table ]]; then
|
||||
found=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
$found || drop=true
|
||||
;;
|
||||
esac
|
||||
$drop || echo "$line"
|
||||
done
|
||||
}
|
||||
|
||||
start() {
|
||||
if [ -f $EBTABLES_DATA ]; then
|
||||
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
|
||||
sanitize_dump $EBTABLES_DATA | ebtables-restore
|
||||
else
|
||||
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
|
||||
initialize
|
||||
fi
|
||||
local ret=$?
|
||||
touch $VAR_SUBSYS_EBTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
save() {
|
||||
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
|
||||
export EBTABLES_SAVE_COUNTER
|
||||
ebtables-save >$EBTABLES_DATA && success || failure
|
||||
}
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
|
||||
start && success || failure
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||
echo -n $"ebtables: stopping firewall: "
|
||||
initialize && success || failure
|
||||
RETVAL=$?
|
||||
rm -f $VAR_SUBSYS_EBTABLES
|
||||
;;
|
||||
save)
|
||||
save
|
||||
;;
|
||||
*)
|
||||
echo "usage: ${0##*/} {start|stop|save}" >&2
|
||||
RETVAL=2
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
[Unit]
|
||||
Description=Ethernet Bridge Filtering tables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/libexec/ebtables-helper start
|
||||
ExecStop=/usr/libexec/ebtables-helper stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -11,7 +11,7 @@ Name: iptables
|
|||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
|
|
@ -19,6 +19,10 @@ Source3: iptables.service
|
|||
Source4: sysconfig_iptables
|
||||
Source5: sysconfig_ip6tables
|
||||
Source6: arptables-nft-helper
|
||||
Source7: arptables.service
|
||||
Source8: ebtables-helper
|
||||
Source9: ebtables.service
|
||||
Source10: ebtables-config
|
||||
|
||||
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
|
||||
|
||||
|
|
@ -120,6 +124,18 @@ iptables services for IPv4 and IPv6
|
|||
This package provides the services iptables and ip6tables that have been split
|
||||
out of the base package since they are not active by default anymore.
|
||||
|
||||
%package nft-services
|
||||
Summary: arptables and ebtables services for iptables-nft
|
||||
Requires: %{name}-nft%{?_isa} = %{version}-%{release}
|
||||
Conflicts: arptables-services
|
||||
Conflicts: ebtables-services
|
||||
|
||||
%description nft-services
|
||||
arptables and ebtables services for iptables-nft
|
||||
|
||||
This package provides the services arptables and ebtables for use
|
||||
with iptables-nft which provides nft-variants of these tools.
|
||||
|
||||
%package utils
|
||||
Summary: iptables and ip6tables misc utilities
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
|
@ -206,10 +222,19 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
|
|||
# Remove /etc/ethertypes (now part of setup)
|
||||
rm -f %{buildroot}%{_sysconfdir}/ethertypes
|
||||
|
||||
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
|
||||
touch %{buildroot}%{_libexecdir}/arptables-helper
|
||||
# extra sources for arptables
|
||||
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper
|
||||
install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
|
||||
touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
|
||||
|
||||
# extra sources for ebtables
|
||||
install -p %{SOURCE9} %{buildroot}%{_unitdir}/
|
||||
install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
|
||||
install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
|
||||
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables
|
||||
|
||||
# prepare for alternatives
|
||||
touch %{buildroot}%{_libexecdir}/arptables-helper
|
||||
touch %{buildroot}%{_mandir}/man8/arptables.8
|
||||
touch %{buildroot}%{_mandir}/man8/arptables-save.8
|
||||
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
|
||||
|
|
@ -244,6 +269,16 @@ fi
|
|||
%?ldconfig
|
||||
%systemd_postun iptables.service ip6tables.service
|
||||
|
||||
%post nft-services
|
||||
%systemd_post arptables.service ebtables.service
|
||||
|
||||
%preun nft-services
|
||||
%systemd_preun arptables.service ebtables.service
|
||||
|
||||
%postun nft-services
|
||||
%?ldconfig
|
||||
%systemd_postun arptables.service ebtables.service
|
||||
|
||||
%post nft
|
||||
pfx=%{_sbindir}/iptables
|
||||
pfx6=%{_sbindir}/ip6tables
|
||||
|
|
@ -342,6 +377,13 @@ fi
|
|||
%dir %{legacy_actions}/ip{,6}tables
|
||||
%{legacy_actions}/ip{,6}tables/{save,panic}
|
||||
|
||||
%files nft-services
|
||||
%{_unitdir}/{arp,eb}tables.service
|
||||
%{_libexecdir}/ebtables-helper
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
|
||||
%ghost %{_sysconfdir}/sysconfig/arptables
|
||||
%ghost %{_sysconfdir}/sysconfig/ebtables
|
||||
|
||||
%files utils
|
||||
%license COPYING
|
||||
%{_sbindir}/nfnl_osf
|
||||
|
|
@ -374,6 +416,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Apr 21 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9
|
||||
- Add nft-services subpackage
|
||||
|
||||
* Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
|
||||
- Drop hacks to maintain upgrade path
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue