rpms/iptables
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- fixed IPv6 reject type (rhbz#295181)

Browse Source 
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)
This commit is contained in:
Thomas Woerner 2007-09-24 16:03:24 +00:00
parent 324c1a2ec7
commit b467a216c0
5 changed files with 117 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
iptables-1.3.8-limit_man.patch Normal file
View File

@ -0,0 +1,25 @@
diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP
diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
--- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP

20
iptables-1.3.8-reject_type.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200
@@ -4,13 +4,15 @@
enum ip6t_reject_with {
IP6T_ICMP6_NO_ROUTE,
IP6T_ICMP6_ADM_PROHIBITED,
+ IP6T_ICMP6_NOT_NEIGHBOUR,
IP6T_ICMP6_ADDR_UNREACH,
IP6T_ICMP6_PORT_UNREACH,
+ IP6T_ICMP6_ECHOREPLY,
IP6T_TCP_RESET
};
struct ip6t_reject_info {
- enum ip6t_reject_with with; /* reject type */
+ u_int32_t with; /* reject type */
};
#endif /*_IP6T_REJECT_H*/

10
iptables-1.3.8-typo_latter.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter 2007-09-24 17:30:47.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_REJECT.man 2007-09-24 17:34:48.000000000 +0200
@@ -32,5 +32,5 @@ TCP RST packet to be sent back. This is
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.B tcp-reset
-can only be used with kernel versions 2.6.14 or latter.
+can only be used with kernel versions 2.6.14 or later.

70
iptables.init
View File

@ -48,6 +48,31 @@ IPTABLES_STATUS_NUMERIC="yes"
# Load firewall configuration. # Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Netfilter modules
NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
# Are netfilter modules loaded?
MODULES_LOADED=0
for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
$(lsmod | grep -q ^${mod} | awk '{print $1}')
if [ $? -eq 0 ]; then
MODULES_LOADED=1
break
fi
done
# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
# Is netfilter compiled into the kernel?
[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
# Get status (quicker than status function and honour lock file)
[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
-o -z "$NF_TABLES" ] && running=0 || running=1
rmmod_r() { rmmod_r() {
# Unload module with all referring modules. # Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself. # At first all referring modules will be unloaded, then the module itself.
@ -83,13 +108,12 @@ flush_n_delete() {
[ -e "$PROC_IPTABLES_NAMES" ] || return 1 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null) [ -z "$NF_TABLES" ] && return 1
[ -z "$tables" ] && return 1
echo -n $"Flushing firewall rules: " echo -n $"Flushing firewall rules: "
ret=0 ret=0
# For all tables # For all tables
for i in $tables; do for i in $NF_TABLES; do
# Flush firewall rules. # Flush firewall rules.
$IPTABLES -t $i -F; $IPTABLES -t $i -F;
let ret+=$?; let ret+=$?;
@ -116,7 +140,7 @@ set_policy() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null) tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1
echo -n $"Setting chains to policy $policy: " echo -n $"Setting chains to policy $policy: "
@ -203,14 +227,15 @@ stop() {
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"Unloading $IPTABLES modules: " echo -n $"Unloading $IPTABLES modules: "
ret=0 ret=0
rmmod_r ${IPV}_tables for mod in ${NF_MODULES[*]}; do
let ret+=$?; rmmod_r $mod
rmmod_r nf_conntrack_${_IPV} let ret+=$?;
let ret+=$?; done
# try to unload remaining netfilter modules used by ipv4 and ipv6 # try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter # netfilter
rmmod_r x_tables for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r nf_conntrack rmmod_r $mod
done
[ $ret -eq 0 ] && success || failure [ $ret -eq 0 ] && success || failure
echo echo
fi fi
@ -224,8 +249,7 @@ save() {
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null) [ -z "$NF_TABLES" ] && return 1
[ -z "$tables" ] && return 1
echo -n $"Saving firewall rules to $IPTABLES_DATA: " echo -n $"Saving firewall rules to $IPTABLES_DATA: "
@ -257,18 +281,21 @@ save() {
} }
status() { status() {
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null) if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"Firewall is not running."
return 3
fi
# Do not print status if lockfile is missing and iptables modules are not # Do not print status if lockfile is missing and iptables modules are not
# loaded. # loaded.
# Check if iptable modules are loaded # Check if iptable modules are loaded
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"Firewall is stopped." echo $"Firewall modules not loaded."
return 3 return 3
fi fi
# Check if firewall is configured (has tables) # Check if firewall is configured (has tables)
if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then if [ -z "$NF_TABLES" ]; then
echo $"Firewall is not configured. " echo $"Firewall is not configured. "
return 3 return 3
fi fi
@ -280,7 +307,7 @@ status() {
COUNT= COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $tables; do for table in $NF_TABLES; do
echo $"Table: $table" echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done done
@ -294,17 +321,16 @@ restart() {
start start
} }
status >/dev/null 2>&1
running=$?
case "$1" in case "$1" in
start) start)
[ $running -eq 0 ] && exit 0 [ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0
start start
RETVAL=$? RETVAL=$?
;; ;;
stop) stop)
[ $running -eq 0 ] || exit 0 # stop firewall, even if manually configured
[ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop stop
RETVAL=$? RETVAL=$?
@ -314,7 +340,7 @@ case "$1" in
RETVAL=$? RETVAL=$?
;; ;;
condrestart|try-restart) condrestart|try-restart)
[ $running -eq 0 ] || exit 0 [ $running -eq 1 ] || exit 0
restart restart
RETVAL=$? RETVAL=$?
;; ;;

15
iptables.spec
View File

@ -3,12 +3,15 @@
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8 Version: 1.3.8
Release: 3%{?dist} Release: 4%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
Patch0: iptables-1.3.8-iptc.patch Patch0: iptables-1.3.8-iptc.patch
Patch1: iptables-1.3.8-headers.patch Patch1: iptables-1.3.8-headers.patch
Patch2: iptables-1.3.8-reject_type.patch
Patch3: iptables-1.3.8-limit_man.patch
Patch4: iptables-1.3.8-typo_latter.patch
Group: System Environment/Base Group: System Environment/Base
URL: http://www.netfilter.org/ URL: http://www.netfilter.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@ -56,6 +59,9 @@ stable and may change with every new version. It is therefore unsupported.
%setup -q %setup -q
%patch0 -p1 -b .iptc %patch0 -p1 -b .iptc
%patch1 -p1 -b .headers %patch1 -p1 -b .headers
%patch2 -p1 -b .reject_type
%patch3 -p1 -b .limit_man
%patch4 -p1 -b .typo_latter
# Put it to a reasonable place # Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \; find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@ -147,6 +153,13 @@ fi
%endif %endif
%changelog %changelog
* Mon Sep 24 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4
- fixed IPv6 reject type (rhbz#295181)
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)
* Wed Sep 19 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-3 * Wed Sep 19 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-3
- do not depend on local_fs in lsb header - this delayes start after network - do not depend on local_fs in lsb header - this delayes start after network
- fixed exit code for initscript usage - fixed exit code for initscript usage