- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990)

Upstream changelog:
  http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
- Using scripts from RHEL-7 (RHBZ#1240366)
- New compat sub package for nftables compatibility
- Install iptables-apply (RHBZ#912047)
- Fixed module uninstall (RHBZ#1324101)
- Incorporated changes by Petr Pisar
- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
This commit is contained in:
Thomas Woerner 2016-04-13 19:00:02 +02:00
parent cea668f0bf
commit 6791134663
6 changed files with 198 additions and 29 deletions

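--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ iptables-1.4.9.tar.bz2
 /iptables-1.4.18.tar.bz2
 /iptables-1.4.19.1.tar.bz2
 /iptables-1.4.21.tar.bz2
+/iptables-1.6.0.tar.bz2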

@ -46,3 +46,9 @@ IPTABLES_STATUS_VERBOSE="no"
# Value: yes|no, default: yes # Value: yes|no, default: yes
# Print a counter/number for every rule in the status output. # Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes" IPTABLES_STATUS_LINENUMBERS="yes"
# Reload sysctl settings on start and restart
# Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
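Review bot: The added comment `# List items will be matched by fgrep.` does not say which file the match runs against; the init script's `load_sysctl` greps `/etc/sysctl.conf` only, so settings that live under /etc/sysctl.d are never reloaded by this list, and a fixed-string match such as `.nf_conntrack` also hits every key that merely contains that substring. I would extend the comment to `# Each item is matched as a fixed substring (fgrep) against /etc/sysctl.conf only; settings kept in /etc/sysctl.d/*.conf are not reloaded.` so an administrator editing this file knows where the entries must live.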


@ -23,12 +23,18 @@
IPTABLES=iptables IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
RUN_SUBSYS=/run/lock/subsys VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
RUN_SUBSYS_IPTABLES=${RUN_SUBSYS}/${IPTABLES}
# only usable for root
if [ $EUID != 0 ]; then
echo -n $"${IPTABLES}: Only usable by root."; warning; echo
exit 4
fi
if [ ! -x /sbin/$IPTABLES ]; then if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
@ -36,7 +42,7 @@ if [ ! -x /sbin/$IPTABLES ]; then
fi fi
# Old or new modutils # Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \ /sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
&& NEW_MODUTILS=1 \ && NEW_MODUTILS=1 \
|| NEW_MODUTILS=0 || NEW_MODUTILS=0
@ -49,6 +55,7 @@ IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes" IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""
# Load firewall configuration. # Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
@ -174,9 +181,27 @@ set_policy() {
return $ret return $ret
} }
load_sysctl() {
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
return $ret
}
start() { start() {
# Do not start if there is no config file. # Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6 if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated # check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \ if [ "${_IPV}" = "ipv6" ] \
@ -194,7 +219,18 @@ start() {
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
success; echo success; echo
else else
failure; echo; return 1 failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi fi
# Load additional modules (helpers) # Load additional modules (helpers)
@ -209,9 +245,11 @@ start() {
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
echo echo
fi fi
# Load sysctl settings
load_sysctl
mkdir -p $RUN_SUBSYS touch $VAR_SUBSYS_IPTABLES
touch $RUN_SUBSYS_IPTABLES
return $ret return $ret
} }
@ -223,10 +261,9 @@ stop() {
# on systems where the default policy is DROP and root device is # on systems where the default policy is DROP and root device is
# network-based (i.e.: iSCSI, NFS) # network-based (i.e.: iSCSI, NFS)
set_policy ACCEPT set_policy ACCEPT
# And then, flush the rules and delete chains # And then, flush the rules and delete chains
flush_n_delete flush_n_delete
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: " echo -n $"${IPTABLES}: Unloading modules: "
ret=0 ret=0
@ -243,16 +280,22 @@ stop() {
echo echo
fi fi
rm -f $RUN_SUBSYS_IPTABLES rm -f $VAR_SUBSYS_IPTABLES
return $ret return $ret
} }
save() { save() {
# Check if iptable module is loaded # Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 0
fi
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 6 if [ -z "$NF_TABLES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 6
fi
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
@ -260,7 +303,7 @@ save() {
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0 ret=0
TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \ TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \ && chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
@ -269,22 +312,24 @@ save() {
if [ -e $IPTABLES_DATA ]; then if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
&& chmod 600 $IPTABLES_DATA.save \ && chmod 600 $IPTABLES_DATA.save \
&& restorecon $IPTABLES_DATA.save \
|| ret=1 || ret=1
fi fi
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
cp -f $TMP_FILE $IPTABLES_DATA \ mv -f $TMP_FILE $IPTABLES_DATA \
&& chmod 600 $IPTABLES_DATA \ && chmod 600 $IPTABLES_DATA \
&& restorecon $IPTABLES_DATA \
|| ret=1 || ret=1
fi fi
fi fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
echo echo
rm -f $TMP_FILE
return $ret return $ret
} }
status() { status() {
if [ ! -f "$RUN_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running." echo $"${IPTABLES}: Firewall is not running."
return 3 return 3
fi fi
@ -318,6 +363,51 @@ status() {
return 0 return 0
} }
reload() {
# Do not reload if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Trying to reload firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; echo "Firewall rules are not changed."; return 1
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
return $ret
}
restart() { restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop stop
@ -327,7 +417,7 @@ restart() {
case "$1" in case "$1" in
start) start)
[ -f "$RUN_SUBSYS_IPTABLES" ] && exit 0 [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start start
RETVAL=$? RETVAL=$?
;; ;;
@ -340,8 +430,12 @@ case "$1" in
restart restart
RETVAL=$? RETVAL=$?
;; ;;
reload)
[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
RETVAL=$?
;;
condrestart|try-restart) condrestart|try-restart)
[ ! -e "$RUN_SUBSYS_IPTABLES" ] && exit 0 [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart restart
RETVAL=$? RETVAL=$?
;; ;;
@ -350,7 +444,6 @@ case "$1" in
RETVAL=$? RETVAL=$?
;; ;;
panic) panic)
flush_n_delete
set_policy DROP set_policy DROP
RETVAL=$? RETVAL=$?
;; ;;
@ -359,7 +452,7 @@ case "$1" in
RETVAL=$? RETVAL=$?
;; ;;
*) *)
echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}" echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
RETVAL=2 RETVAL=2
;; ;;
esac esac
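Review bot: In the new `load_sysctl` (hunk `@ -174,9 +181,27`) `ret` is only assigned inside the `if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]` branch, so with the default empty list the closing `return $ret` expands to a bare `return` and hands back the status of the last command, which is the failed `[ -n … ]` test, i.e. 1. That matters for the new `reload()` (hunk `@ -318,6 +363,51`), which ends with `load_sysctl` followed by its own `return $ret`: with no `IPTABLES_MODULES` and no sysctl list a successful reload appears to exit 1, unless `ret` is initialised somewhere outside these hunks. Initialise it unconditionally and quote the item so it is not glob-expanded: `ret=0` before the `if`, and `fgrep -- "$item" /etc/sysctl.conf | sysctl -p - >/dev/null` in the loop. Separately, the fallback branch added to `start()` (hunk `@ -194,7 +219,18`) continues to the normal completion path after the fallback rules load, so the failure of the primary ruleset is only visible in the console output and not in the exit status; a distinct return code or a logged warning for "running on fallback rules" would let operators and monitoring tell the two states apart.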


@ -1,6 +1,7 @@
[Unit] [Unit]
Description=IPv4 firewall with iptables Description=IPv4 firewall with iptables
ConditionPathExists=/etc/sysconfig/iptables After=syslog.target
AssertPathExists=/etc/sysconfig/iptables
[Service] [Service]
Type=oneshot Type=oneshot
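Review bot: `After=syslog.target` in the new unit orders against a legacy target that, as far as I can tell, current systemd no longer treats as a real synchronisation point, so the line buys nothing here and can be dropped; the init script's output reaches the journal without any ordering. The switch from `ConditionPathExists=` to `AssertPathExists=` is a behaviour change worth a line in the changelog: a missing /etc/sysconfig/iptables now fails the unit instead of skipping it silently, which is the better choice for a firewall because the absence of rules then shows up in `systemctl status` rather than as a quiet "inactive".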


@ -6,16 +6,19 @@
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.4.21 Version: 1.6.0
Release: 16%{?dist} Release: 1%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
Source3: iptables.service Source3: iptables.service
Source4: sysconfig_iptables Source4: sysconfig_iptables
Source5: sysconfig_ip6tables Source5: sysconfig_ip6tables
Patch1: iptables-1.6.0-iptables-apply_mktemp.patch
URL: http://www.netfilter.org/ URL: http://www.netfilter.org/
License: GPLv2 # pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPLv2/Artistic Licence 2.0/ISC
# libnetfilter_conntrack is needed for xt_connlabel # libnetfilter_conntrack is needed for xt_connlabel
BuildRequires: pkgconfig(libnetfilter_conntrack) BuildRequires: pkgconfig(libnetfilter_conntrack)
# libnfnetlink-devel is requires for nfnl_osf # libnfnetlink-devel is requires for nfnl_osf
@ -23,12 +26,36 @@ BuildRequires: pkgconfig(libnfnetlink)
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: kernel-headers BuildRequires: kernel-headers
BuildRequires: systemd BuildRequires: systemd
BuildRequires: pkgconfig(libnftnl)
BuildRequires: pkgconfig(libmnl) >= 1.0
# libmnl, libnftnl, bison, flex for nftables
BuildRequires: bison
BuildRequires: flex
BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnftnl) >= 1.0.5
# libpcap-devel for nfbpf_compile
BuildRequires: libpcap-devel
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description %description
The iptables utility controls the network packet filtering code in the The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading, Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package. you should install this package.
%package libs
Summary: iptables libraries
Group: System Environment/Base
%description libs
iptables libraries.
Please remember that libip*tc libraries do neither have a stable API nor a real so version.
For more information about this, please have a look at
http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
%package devel %package devel
Summary: Development package for iptables Summary: Development package for iptables
Group: System Environment/Base Group: System Environment/Base
@ -38,7 +65,7 @@ Requires: pkgconfig
%description devel %description devel
iptables development headers and libraries. iptables development headers and libraries.
The iptc interface is upstream marked as not public. The interface is not The iptc libraries are marked as not public by upstream. The interface is not
stable and may change with every new version. It is therefore unsupported. stable and may change with every new version. It is therefore unsupported.
%package services %package services
@ -71,13 +98,21 @@ Utils for iptables.
Currently only provides nfnl_osf with the pf.os database. Currently only provides nfnl_osf with the pf.os database.
%package compat
Summary: nftables compatibility for iptables, arptables and ebtables
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description compat
nftables compatibility for iptables, arptables and ebtables.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .iptables-apply_mktemp
%build %build
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr %configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
# do not use rpath # do not use rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
@ -139,6 +174,10 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic
sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
# install iptables-apply with man page
install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/
install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
%if 0%{?rhel} %if 0%{?rhel}
%pre %pre
for p in %{_sysconfdir}/alternatives/{iptables,ip6tables}.*; do for p in %{_sysconfdir}/alternatives/{iptables,ip6tables}.*; do
@ -170,17 +209,28 @@ done
%doc INCOMPATIBILITIES %doc INCOMPATIBILITIES
%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config %config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
%{_sbindir}/iptables* %{_sysconfdir}/ethertypes
%{_sbindir}/ip6tables* %{_sbindir}/iptables
%{_sbindir}/iptables-apply
%{_sbindir}/iptables-restore
%{_sbindir}/iptables-save
%{_sbindir}/ip6tables
%{_sbindir}/ip6tables-restore
%{_sbindir}/ip6tables-save
%{_sbindir}/xtables-multi %{_sbindir}/xtables-multi
%{_sbindir}/nfbpf_compile
%{_bindir}/iptables-xml %{_bindir}/iptables-xml
%{_mandir}/man1/iptables-xml* %{_mandir}/man1/iptables-xml*
%{_mandir}/man8/iptables* %{_mandir}/man8/iptables*
%{_mandir}/man8/ip6tables* %{_mandir}/man8/ip6tables*
%dir %{_libdir}/xtables %dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt*
%{_libdir}/xtables/libebt*
%{_libdir}/xtables/libipt* %{_libdir}/xtables/libipt*
%{_libdir}/xtables/libip6t* %{_libdir}/xtables/libip6t*
%{_libdir}/xtables/libxt* %{_libdir}/xtables/libxt*
%files libs
%{_libdir}/libip*tc.so.* %{_libdir}/libip*tc.so.*
%{_libdir}/libxtables.so.* %{_libdir}/libxtables.so.*
@ -219,8 +269,26 @@ done
%dir %{_datadir}/xtables %dir %{_datadir}/xtables
%{_datadir}/xtables/pf.os %{_datadir}/xtables/pf.os
%files compat
%{_sbindir}/iptables-compat*
%{_sbindir}/ip6tables-compat*
%{_sbindir}/ebtables-compat*
%{_sbindir}/arptables-compat
%{_sbindir}/xtables-compat-multi
%changelog %changelog
* Wed Apr 13 2016 Thomas Woerner <twoerner@redhat.com> - 1.6.0-1
- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990)
Upstream changelog:
http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
- Using scripts form RHEL-7 (RHBZ#1240366)
- New compat sub package for nftables compatibility
- Install iptables-apply (RHBZ#912047)
- Fixed module uninstall (RHBZ#1324101)
- Incorporated changes by Petr Pisar
- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.21-16 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.21-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
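Review bot: `BuildRequires: pkgconfig(libnftnl)` and `BuildRequires: pkgconfig(libmnl) >= 1.0` appear to be added twice in hunk `@ -23,12 +26,36`, once unversioned right after `BuildRequires: systemd` and again under the `# libmnl, libnftnl, bison, flex for nftables` comment with `>= 1.0.5`; keep only the commented, versioned pair. The new `License: GPLv2/Artistic Licence 2.0/ISC` joins identifiers with slashes, whereas the Fedora License tag combines them with `and`/`or` and uses the short name `Artistic 2.0`, so `License: GPLv2 and Artistic 2.0 and ISC` is the conforming form. With libxtables and libip*tc moved into the new `libs` subpackage, any `%post`/`%postun -p /sbin/ldconfig` scriptlets that still hang off the main package (not visible in these hunks) need to move to `%post libs`/`%postun libs`, otherwise the linker cache is not refreshed when only `iptables-libs` is updated.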


@ -1 +1 @@
536d048c8e8eeebcd9757d0863ebb0c0 iptables-1.4.21.tar.bz2 27ba3451cb622467fc9267a176f19a31 iptables-1.6.0.tar.bz2