diff --git a/iptables-1.3.8-limit_man.patch b/iptables-1.3.8-limit_man.patch
new file mode 100644
index 0000000..563f32b
--- /dev/null
+++ b/iptables-1.3.8-limit_man.patch
@@ -0,0 +1,25 @@
+diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
+diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
+--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
++++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200
+@@ -1,6 +1,6 @@
+ This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used). It can be used in combination with the
++A rule using this extension will match until this limit is reached.
++ It can be used in combination with the
+ .B LOG
+ target to give limited logging, for example.
+ .TP
+diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
+--- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
++++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200
+@@ -1,6 +1,6 @@
+ This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used). It can be used in combination with the
++A rule using this extension will match until this limit is reached.
++ It can be used in combination with the
+ .B LOG
+ target to give limited logging, for example.
+ .TP
diff --git a/iptables-1.3.8-reject_type.patch b/iptables-1.3.8-reject_type.patch
new file mode 100644
index 0000000..eb55c3f
--- /dev/null
+++ b/iptables-1.3.8-reject_type.patch
@@ -0,0 +1,20 @@
+diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
+--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200
++++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200
+@@ -4,13 +4,15 @@
+ enum ip6t_reject_with {
+ IP6T_ICMP6_NO_ROUTE,
+ IP6T_ICMP6_ADM_PROHIBITED,
++ IP6T_ICMP6_NOT_NEIGHBOUR,
+ IP6T_ICMP6_ADDR_UNREACH,
+ IP6T_ICMP6_PORT_UNREACH,
++ IP6T_ICMP6_ECHOREPLY,
+ IP6T_TCP_RESET
+ };
+ 
+ struct ip6t_reject_info {
+- enum ip6t_reject_with with; /* reject type */
++ u_int32_t with; /* reject type */
+ };
+ 
+ #endif /*_IP6T_REJECT_H*/
diff --git a/iptables-1.3.8-typo_latter.patch b/iptables-1.3.8-typo_latter.patch
new file mode 100644
index 0000000..6430cfc
--- /dev/null
+++ b/iptables-1.3.8-typo_latter.patch
@@ -0,0 +1,10 @@
+diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
+--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter 2007-09-24 17:30:47.000000000 +0200
++++ iptables-1.3.8/extensions/libip6t_REJECT.man 2007-09-24 17:34:48.000000000 +0200
+@@ -32,5 +32,5 @@ TCP RST packet to be sent back. This is
+ (113/tcp) probes which frequently occur when sending mail to broken mail
+ hosts (which won't accept your mail otherwise).
+ .B tcp-reset
+-can only be used with kernel versions 2.6.14 or latter.
++can only be used with kernel versions 2.6.14 or later.
+ 
diff --git a/iptables.init b/iptables.init
index 55eadc3..dfefcac 100755
--- a/iptables.init
+++ b/iptables.init
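Review bot: Inserting IP6T_ICMP6_NOT_NEIGHBOUR and IP6T_ICMP6_ECHOREPLY in the middle of `enum ip6t_reject_with` renumbers IP6T_ICMP6_ADDR_UNREACH, IP6T_ICMP6_PORT_UNREACH and IP6T_TCP_RESET, so the numeric value userspace stores in `with` changes for every existing `--reject-with` choice; that is only correct if the order now matches the kernel's copy of the enum exactly, and nothing in the header says so. A comment on the enum, `/* Order must match the kernel's ip6t_REJECT.h: the value is passed to the kernel as a plain u_int32_t */`, would make the ABI dependency explicit for the next person who adds a reject type. Widening `with` from the enum to `u_int32_t` presumably pins the field size so the struct layout no longer depends on the compiler's choice of enum width, which is the right direction for data copied to the kernel. The userspace extension that fills in this field (libip6t_REJECT.c) is not part of this diff, so it is worth confirming separately that it selects by name rather than by numeric position.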
@@ -48,6 +48,31 @@ IPTABLES_STATUS_NUMERIC="yes"
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+# Netfilter modules
+NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
+NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
+
+# Are netfilter modules loaded?
+MODULES_LOADED=0
+for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
+ $(lsmod | grep -q ^${mod} | awk '{print $1}')
+ if [ $? -eq 0 ]; then
+ MODULES_LOADED=1
+ break
+ fi
+done
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+# Is netfilter compiled into the kernel?
+[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
+
+# Get status (quicker than status function and honour lock file)
+[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
+ -o -z "$NF_TABLES" ] && running=0 || running=1
+
+
 rmmod_r() {
 # Unload module with all referring modules.
 # At first all referring modules will be unloaded, then the module itself.
@@ -83,13 +108,12 @@ flush_n_delete() {
 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
 # Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 1
 echo -n $"Flushing firewall rules: "
 ret=0
 # For all tables
- for i in $tables; do
+ for i in $NF_TABLES; do
 # Flush firewall rules.
 $IPTABLES -t $i -F; let ret+=$?;
@@ -116,7 +140,7 @@ set_policy() {
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 # Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+ tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
 [ -z "$tables" ] && return 1
 echo -n $"Setting chains to policy $policy: "
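Review bot: The module-detection loop at `$(lsmod | grep -q ^${mod} | awk '{print $1}')` always reports success: `grep -q` prints nothing, awk therefore sees empty input and exits 0, and because the substitution expands to no words bash takes `$?` from that pipeline's last command rather than from grep (unless pipefail is set, which is not visible here). MODULES_LOADED thus becomes 1 on the first iteration whether or not any module is loaded, which in turn pins COMPILED_IN to 0 and makes the `stop` guard that tests MODULES_LOADED later in this file a no-op. Test grep directly and anchor on the module-name column so a prefix such as `nf_conntrack` cannot stand in for `nf_conntrack_ipv4`: `if lsmod | grep -q "^${mod}[[:space:]]"; then`, and drop the `$(...)` and `if [ $? -eq 0 ]` lines. The guards that consume MODULES_LOADED and COMPILED_IN are in a later hunk of this file, so the effect is not visible here.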
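Review bot: flush_n_delete now takes its table list from NF_TABLES, which is read once when the script starts, while set_policy in the next hunk keeps re-reading $PROC_IPTABLES_NAMES on every call; save and status in later hunks also switch to the snapshot. Mixing the two styles is fragile: any action that changes kernel state and then calls one of the snapshot users in the same invocation would operate on a stale or empty list, and as far as these hunks show nothing guards against that. If the snapshot is deliberate for speed, a comment beside the assignment, `# read once at script start; functions that run after start must re-read $PROC_IPTABLES_NAMES`, and a consistent choice (snapshot or re-read) across flush_n_delete, set_policy, save and status would remove the ambiguity.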
@@ -203,14 +227,15 @@ stop() {
 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 echo -n $"Unloading $IPTABLES modules: "
 ret=0
- rmmod_r ${IPV}_tables
- let ret+=$?;
- rmmod_r nf_conntrack_${_IPV}
- let ret+=$?;
+ for mod in ${NF_MODULES[*]}; do
+ rmmod_r $mod
+ let ret+=$?;
+ done
 # try to unload remaining netfilter modules used by ipv4 and ipv6 # netfilter
- rmmod_r x_tables
- rmmod_r nf_conntrack
+ for mod in ${NF_MODULES_COMMON[*]}; do
+ rmmod_r $mod
+ done
 [ $ret -eq 0 ] && success || failure
 echo
 fi
@@ -224,8 +249,7 @@ save() {
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 # Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 1
 echo -n $"Saving firewall rules to $IPTABLES_DATA: "
@@ -257,18 +281,21 @@ save() {
 }
 status() {
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+ echo $"Firewall is not running."
+ return 3
+ fi
 # Do not print status if lockfile is missing and iptables modules are not # loaded.
 # Check if iptable modules are loaded
- if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
- echo $"Firewall is stopped."
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"Firewall modules not loaded."
 return 3
 fi
 # Check if firewall is configured (has tables)
- if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
+ if [ -z "$NF_TABLES" ]; then
 echo $"Firewall is not configured. "
 return 3
 fi
@@ -280,7 +307,7 @@ status() {
 COUNT=
 [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
- for table in $tables; do
+ for table in $NF_TABLES; do
 echo $"Table: $table"
 $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
 done
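Review bot: Both new unload loops expand the arrays unquoted as `${NF_MODULES[*]}` and `${NF_MODULES_COMMON[*]}`, which only works because the module names contain no whitespace or glob characters; the idiomatic form is `for mod in "${NF_MODULES[@]}"; do`, and the same applies to the detection loop near the top of the file. The second loop still leaves the common-module unload out of `ret`, as the old code did, so `success` is printed even when x_tables or nf_conntrack remain loaded; if that is intended (for instance because other modules may still hold them), a comment such as `# not counted in ret: other users of these modules may legitimately keep them loaded` would stop a later reader from treating it as an omission.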
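Review bot: The new `Firewall modules not loaded.` branch in status() returns 3 even when $VAR_SUBSYS_IPTABLES exists, i.e. the lock file says the service was started but the kernel side is gone; under the LSB status convention that state is exit code 2 (dead, but lock file exists), with 3 reserved for "not running". If the script follows LSB (the 1.3.8-3 changelog entry refers to its LSB header), that branch should be `return 2` while the first and third checks keep 3, and a short comment on each branch naming the LSB meaning would make the mapping reviewable. The first check's message also changes from "Firewall is stopped." to "Firewall is not running.", which the changelog does not mention.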
@@ -294,17 +321,16 @@ restart() {
 start
 }
-status >/dev/null 2>&1
-running=$?
 case "$1" in
 start)
- [ $running -eq 0 ] && exit 0
+ [ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0
 start
 RETVAL=$?
 ;;
 stop)
- [ $running -eq 0 ] || exit 0
+ # stop firewall, even if manually configured
+ [ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
 [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 stop
 RETVAL=$?
@@ -314,7 +340,7 @@ case "$1" in
 RETVAL=$?
 ;;
 condrestart|try-restart)
- [ $running -eq 0 ] || exit 0
+ [ $running -eq 1 ] || exit 0
 restart
 RETVAL=$?
 ;;
diff --git a/iptables.spec b/iptables.spec
index c443614..0947896 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -3,12 +3,15 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch0: iptables-1.3.8-iptc.patch
 Patch1: iptables-1.3.8-headers.patch
+Patch2: iptables-1.3.8-reject_type.patch
+Patch3: iptables-1.3.8-limit_man.patch
+Patch4: iptables-1.3.8-typo_latter.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -56,6 +59,9 @@ stable and may change with every new version. It is therefore unsupported.
 %setup -q
 %patch0 -p1 -b .iptc
 %patch1 -p1 -b .headers
+%patch2 -p1 -b .reject_type
+%patch3 -p1 -b .limit_man
+%patch4 -p1 -b .typo_latter
 # Put it to a reasonable place
 find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
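Review bot: The new `start)` guard `[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0` never short-circuits on a kernel with netfilter built in: as the variables are defined in the earlier hunk, COMPILED_IN is 1 whenever tables exist without a loaded module, so a second `start` re-applies the ruleset even though $VAR_SUBSYS_IPTABLES already exists and `running` is 1. Because `running` already folds in the lock-file test, `[ $running -eq 1 ] && exit 0` would skip the duplicate start in both the module and built-in cases; if re-running start on built-in kernels is intentional, say so next to the guard, e.g. `# built-in netfilter: the lock file is the only start marker, so always (re)load`. The `stop)` guard's new reliance on MODULES_LOADED inherits whatever value the detection loop at the top of the script produces, so its behaviour should be re-checked together with that loop.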
@@ -147,6 +153,13 @@ fi
 %endif
 %changelog
+* Mon Sep 24 2007 Thomas Woerner 1.3.8-4
+- fixed IPv6 reject type (rhbz#295181)
+- fixed init script: start, stop and status
+- support netfilter compiled into kernel in init script (rhbz#295611)
+- dropped inversion for limit modules from man pages (rhbz#220780)
+- fixed typo in ip6tables man page (rhbz#236185)
+
 * Wed Sep 19 2007 Thomas Woerner 1.3.8-3
 - do not depend on local_fs in lsb header - this delayes start after network
 - fixed exit code for initscript usage