rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables-1.8.7-9

Browse Source 
- Add nft-services subpackage

Resolves: RHBZ#1951074
This commit is contained in:
Phil Sutter 2021-04-21 18:23:36 +02:00
parent 3c640d04d2
commit 5d9bdbf66a
5 changed files with 187 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
arptables.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Automates a packet filtering firewall with arptables
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/libexec/arptables-helper start
ExecStop=/usr/libexec/arptables-helper stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

11
ebtables-config Normal file
View File

@ -0,0 +1,11 @@
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules if firewall gets stopped
# (e.g. on system shutdown).
EBTABLES_SAVE_ON_STOP="no"
# Save (and restore) rule counters.
# Value: yes|no, default: no
# Save rule counters when saving a kernel table to a file. If the
# rule counters were saved, they will be restored when restoring the table.
EBTABLES_SAVE_COUNTER="no"

105
ebtables-helper Normal file
View File

@ -0,0 +1,105 @@
#!/bin/bash
# compat for removed initscripts dependency
success() {
echo "[ OK ]"
return 0
}
failure() {
echo "[FAILED]"
return 1
}
# internal variables
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
EBTABLES_DATA=/etc/sysconfig/ebtables
EBTABLES_TABLES="filter nat"
if ebtables --version | grep -q '(legacy)'; then
EBTABLES_TABLES+=" broute"
fi
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
# ebtables-config defaults
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_ON_RESTART="no"
EBTABLES_SAVE_COUNTER="no"
# load config if existing
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
initialize() {
local ret=0
for table in $EBTABLES_TABLES; do
ebtables -t $table --init-table || ret=1
done
return $ret
}
sanitize_dump() {
local drop=false
export EBTABLES_TABLES
cat $1 | while read line; do
case $line in
\**)
drop=false
local table="${line#\*}"
local found=false
for t in $EBTABLES_TABLES; do
if [[ $t == $table ]]; then
found=true
break
fi
done
$found || drop=true
;;
esac
$drop || echo "$line"
done
}
start() {
if [ -f $EBTABLES_DATA ]; then
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
sanitize_dump $EBTABLES_DATA | ebtables-restore
else
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
initialize
fi
local ret=$?
touch $VAR_SUBSYS_EBTABLES
return $ret
}
save() {
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
export EBTABLES_SAVE_COUNTER
ebtables-save >$EBTABLES_DATA && success || failure
}
case $1 in
start)
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
start && success || failure
RETVAL=$?
;;
stop)
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
echo -n $"ebtables: stopping firewall: "
initialize && success || failure
RETVAL=$?
rm -f $VAR_SUBSYS_EBTABLES
;;
save)
save
;;
*)
echo "usage: ${0##*/} {start|stop|save}" >&2
RETVAL=2
;;
esac
exit $RETVAL

11
ebtables.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Ethernet Bridge Filtering tables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ebtables-helper start
ExecStop=/usr/libexec/ebtables-helper stop
[Install]
WantedBy=multi-user.target

51
iptables.spec
View File

@ -11,7 +11,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.7 Version: 1.8.7
Release: 8%{?dist} Release: 9%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2 Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -19,6 +19,10 @@ Source3: iptables.service
Source4: sysconfig_iptables Source4: sysconfig_iptables
Source5: sysconfig_ip6tables Source5: sysconfig_ip6tables
Source6: arptables-nft-helper Source6: arptables-nft-helper
Source7: arptables.service
Source8: ebtables-helper
Source9: ebtables.service
Source10: ebtables-config
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
@ -120,6 +124,18 @@ iptables services for IPv4 and IPv6
This package provides the services iptables and ip6tables that have been split This package provides the services iptables and ip6tables that have been split
out of the base package since they are not active by default anymore. out of the base package since they are not active by default anymore.
%package nft-services
Summary: arptables and ebtables services for iptables-nft
Requires: %{name}-nft%{?_isa} = %{version}-%{release}
Conflicts: arptables-services
Conflicts: ebtables-services
%description nft-services
arptables and ebtables services for iptables-nft
This package provides the services arptables and ebtables for use
with iptables-nft which provides nft-variants of these tools.
%package utils %package utils
Summary: iptables and ip6tables misc utilities Summary: iptables and ip6tables misc utilities
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
@ -206,10 +222,19 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
# Remove /etc/ethertypes (now part of setup) # Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes rm -f %{buildroot}%{_sysconfdir}/ethertypes
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ # extra sources for arptables
touch %{buildroot}%{_libexecdir}/arptables-helper install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper
install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
# extra sources for ebtables
install -p %{SOURCE9} %{buildroot}%{_unitdir}/
install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables
# prepare for alternatives # prepare for alternatives
touch %{buildroot}%{_libexecdir}/arptables-helper
touch %{buildroot}%{_mandir}/man8/arptables.8 touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
@ -244,6 +269,16 @@ fi
%?ldconfig %?ldconfig
%systemd_postun iptables.service ip6tables.service %systemd_postun iptables.service ip6tables.service
%post nft-services
%systemd_post arptables.service ebtables.service
%preun nft-services
%systemd_preun arptables.service ebtables.service
%postun nft-services
%?ldconfig
%systemd_postun arptables.service ebtables.service
%post nft %post nft
pfx=%{_sbindir}/iptables pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables pfx6=%{_sbindir}/ip6tables
@ -342,6 +377,13 @@ fi
%dir %{legacy_actions}/ip{,6}tables %dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic} %{legacy_actions}/ip{,6}tables/{save,panic}
%files nft-services
%{_unitdir}/{arp,eb}tables.service
%{_libexecdir}/ebtables-helper
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
%ghost %{_sysconfdir}/sysconfig/arptables
%ghost %{_sysconfdir}/sysconfig/ebtables
%files utils %files utils
%license COPYING %license COPYING
%{_sbindir}/nfnl_osf %{_sbindir}/nfnl_osf
@ -374,6 +416,9 @@ fi
%changelog %changelog
* Wed Apr 21 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9
- Add nft-services subpackage
* Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8 * Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
- Drop hacks to maintain upgrade path - Drop hacks to maintain upgrade path