diff --git a/arptables.service b/arptables.service
new file mode 100644
index 0000000..df6c7d6
--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables-config b/ebtables-config
new file mode 100644
index 0000000..69d9289
--- /dev/null
+++ b/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
diff --git a/ebtables-helper b/ebtables-helper
new file mode 100644
index 0000000..f1dee08
--- /dev/null
+++ b/ebtables-helper
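Review bot: arptables.service orders itself `After=network.target`, so the ARP filter is only applied once the network is already up and the interval between interface configuration and ExecStart runs without the ruleset. The ordering systemd documents for firewall units (systemd.special(7), network-pre.target) is the opposite direction: replace the After= line with `Before=network-pre.target` and `Wants=network-pre.target`. The ebtables.service unit added later in this same commit has no ordering directive at all, so the same two lines apply there too; both units would then come up before any interface is configured, consistently with each other.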
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+ echo "[ OK ]"
+ return 0
+}
+
+failure() {
+ echo "[FAILED]"
+ return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+ EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+ local ret=0
+ for table in $EBTABLES_TABLES; do
+ ebtables -t $table --init-table || ret=1
+ done
+ return $ret
+}
+
+sanitize_dump() {
+ local drop=false
+
+ export EBTABLES_TABLES
+
+ cat $1 | while read line; do
+ case $line in
+ \**)
+ drop=false
+ local table="${line#\*}"
+ local found=false
+ for t in $EBTABLES_TABLES; do
+ if [[ $t == $table ]]; then
+ found=true
+ break
+ fi
+ done
+ $found || drop=true
+ ;;
+ esac
+ $drop || echo "$line"
+ done
+}
+
+start() {
+ if [ -f $EBTABLES_DATA ]; then
+ echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+ sanitize_dump $EBTABLES_DATA | ebtables-restore
+ else
+ echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+ initialize
+ fi
+ local ret=$?
+ touch $VAR_SUBSYS_EBTABLES
+ return $ret
+}
+
+save() {
+ echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+ export EBTABLES_SAVE_COUNTER
+ ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+ start)
+ [ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+ start && success || failure
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ echo -n $"ebtables: stopping firewall: "
+ initialize && success || failure
+ RETVAL=$?
+ rm -f $VAR_SUBSYS_EBTABLES
+ ;;
+ save)
+ save
+ ;;
+ *)
+ echo "usage: ${0##*/} {start|stop|save}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
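Review bot: start() touches $VAR_SUBSYS_EBTABLES regardless of ret, so after a failed ebtables-restore the lock file exists and the `start)` arm's `[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0` guard reports success on every later start without ever retrying the load; make the touch conditional, `[ "$ret" -eq 0 ] && touch "$VAR_SUBSYS_EBTABLES"`. In sanitize_dump the loop should read `while IFS= read -r line; do … done < "$1"` and emit with `printf '%s\n' "$line"`, because `read` without -r interprets backslashes in rule lines and the `cat $1 |` pipeline is redundant; likewise `[[ $t == $table ]]` should quote the right side, `[[ $t == "$table" ]]`, so a table name taken from the dump is compared literally rather than as a glob pattern. save() writes /etc/sysconfig/ebtables through a plain redirect, so its mode follows the caller's umask while the sibling ebtables-config is installed 0600 by the spec; a `umask 077` before the redirect (or writing via `install -m 600`) keeps the stored ruleset's mode consistent with the config file. The `save)` arm never sets RETVAL, so the final `exit $RETVAL` there degenerates to a bare `exit` and only works by inheriting the last status; add `RETVAL=$?` after `save` as the other arms do.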
diff --git a/ebtables.service b/ebtables.service new file mode 100644 index 0000000..b096f1d --- /dev/null +++ b/ebtables.service @@ -0,0 +1,11 @@ +[Unit] +Description=Ethernet Bridge Filtering tables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/ebtables-helper start +ExecStop=/usr/libexec/ebtables-helper stop + +[Install] +WantedBy=multi-user.target diff --git a/iptables.spec b/iptables.spec index ba2e68e..f4aceda 100644 --- a/iptables.spec +++ b/iptables.spec @@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 8%{?dist} +Release: 9%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -19,6 +19,10 @@ Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables Source6: arptables-nft-helper +Source7: arptables.service +Source8: ebtables-helper +Source9: ebtables.service +Source10: ebtables-config Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch @@ -120,6 +124,18 @@ iptables services for IPv4 and IPv6 This package provides the services iptables and ip6tables that have been split out of the base package since they are not active by default anymore. +%package nft-services +Summary: arptables and ebtables services for iptables-nft +Requires: %{name}-nft%{?_isa} = %{version}-%{release} +Conflicts: arptables-services +Conflicts: ebtables-services + +%description nft-services +arptables and ebtables services for iptables-nft + +This package provides the services arptables and ebtables for use +with iptables-nft which provides nft-variants of these tools. + %package utils Summary: iptables and ip6tables misc utilities Requires: %{name} = %{version}-%{release} 
@@ -206,10 +222,19 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables # Remove /etc/ethertypes (now part of setup) rm -f %{buildroot}%{_sysconfdir}/ethertypes -install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ -touch %{buildroot}%{_libexecdir}/arptables-helper +# extra sources for arptables +install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper +install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service +touch %{buildroot}%{_sysconfdir}/sysconfig/arptables + +# extra sources for ebtables +install -p %{SOURCE9} %{buildroot}%{_unitdir}/ +install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper +install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config +touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables # prepare for alternatives +touch %{buildroot}%{_libexecdir}/arptables-helper touch %{buildroot}%{_mandir}/man8/arptables.8 touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8 @@ -244,6 +269,16 @@ fi %?ldconfig %systemd_postun iptables.service ip6tables.service +%post nft-services +%systemd_post arptables.service ebtables.service + +%preun nft-services +%systemd_preun arptables.service ebtables.service + +%postun nft-services +%?ldconfig +%systemd_postun arptables.service ebtables.service + %post nft pfx=%{_sbindir}/iptables pfx6=%{_sbindir}/ip6tables @@ -342,6 +377,13 @@ fi %dir %{legacy_actions}/ip{,6}tables %{legacy_actions}/ip{,6}tables/{save,panic} +%files nft-services +%{_unitdir}/{arp,eb}tables.service +%{_libexecdir}/ebtables-helper +%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config +%ghost %{_sysconfdir}/sysconfig/arptables +%ghost %{_sysconfdir}/sysconfig/ebtables + %files utils %license COPYING %{_sbindir}/nfnl_osf 
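Review bot: The three new install lines for the ebtables sources use different option sets from each other and from the arptables lines directly above: `install -p %{SOURCE9}` takes the unit file's mode from the source checkout, while `install -m0755 %{SOURCE8}` and `install -m0600 %{SOURCE10}` drop `-p`. Making them uniform with the arptables lines pins the mode explicitly, e.g. `install -p -D -m 644 %{SOURCE9} %{buildroot}%{_unitdir}/ebtables.service`, `install -p -D -m 755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper` and `install -p -D -m 600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config`. The two `touch` lines create the ghosted sysconfig files with whatever the build umask yields; a `chmod 600` after each touch records the intended mode in the package. The %install section continues outside the hunk on both sides.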
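Review bot: `%?ldconfig` in the new `%postun nft-services` scriptlet has nothing to act on, because the subpackage's file list added in this commit (two unit files, the helper script and a sysconfig file) contains no shared libraries; it appears to be carried over from the `services` scriptlet just above and can be dropped, leaving `%systemd_postun arptables.service ebtables.service` on its own. The %post/%preun/%postun triple is otherwise the standard systemd scriptlet set.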
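Review bot: The two `%ghost` entries for %{_sysconfdir}/sysconfig/arptables and %{_sysconfdir}/sysconfig/ebtables carry no `%attr`, so the mode rpm records for them is whatever the buildroot `touch` in %install produced, and the actual file is later created at runtime by the helper's `ebtables-save >$EBTABLES_DATA` redirect. Given that the neighbouring ebtables-config is installed 0600, declaring the same intent here — `%ghost %attr(0600,root,root) %{_sysconfdir}/sysconfig/ebtables` and likewise for arptables — documents that the stored firewall policy is not meant to be world-readable and lets `rpm --setperms` apply it; the helper's umask still decides the mode at first save, so this pairs with a `umask 077` there rather than replacing it.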
@@ -374,6 +416,9 @@ fi %changelog +* Wed Apr 21 2021 Phil Sutter - 1.8.7-9 +- Add nft-services subpackage + * Mon Apr 19 2021 Phil Sutter - 1.8.7-8 - Drop hacks to maintain upgrade path