- fixed IPv6 reject type (rhbz#295181)
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)
This commit is contained in:
parent
324c1a2ec7
commit
b467a216c0
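--- /dev/null
+++ b/iptables-1.3.8-limit_man.patch
@@ -0,0 +1,25 @@
+diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
+diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
+--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
++++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200
+@@ -1,6 +1,6 @@
+This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used). It can be used in combination with the
++A rule using this extension will match until this limit is reached.
++ It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
+--- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
++++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200
+@@ -1,6 +1,6 @@
+This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used). It can be used in combination with the
++A rule using this extension will match until this limit is reached.
++ It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP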
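--- /dev/null
+++ b/iptables-1.3.8-reject_type.patch
@@ -0,0 +1,20 @@
+diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
+--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200
++++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200
+@@ -4,13 +4,15 @@
+enum ip6t_reject_with {
+IP6T_ICMP6_NO_ROUTE,
+IP6T_ICMP6_ADM_PROHIBITED,
++ IP6T_ICMP6_NOT_NEIGHBOUR,
+IP6T_ICMP6_ADDR_UNREACH,
+IP6T_ICMP6_PORT_UNREACH,
++ IP6T_ICMP6_ECHOREPLY,
+IP6T_TCP_RESET
+};
+
+struct ip6t_reject_info {
+- enum ip6t_reject_with with; /* reject type */
++ u_int32_t with; /* reject type */
+};
+
+#endif /*_IP6T_REJECT_H*/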
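Review bot: The two enumerators inserted in the middle of `enum ip6t_reject_with` renumber `IP6T_ICMP6_ADDR_UNREACH`, `IP6T_ICMP6_PORT_UNREACH` and `IP6T_TCP_RESET`, and the field that carries the choice to the kernel is now a bare `u_int32_t with`, so nothing in the type system ties this userspace copy to the kernel's enumeration any more; the numeric order has to match the kernel's `ip6t_REJECT.h` exactly, or a rule written as one reject type is installed as another. A comment above the enum should state that constraint, e.g. `/* Order must match the kernel's ip6t_REJECT.h: the with field is passed to the kernel as a raw u_int32_t. */`. If `libip6t_REJECT.c` resolves `--reject-with` names through a table indexed by this enum, confirm that table was brought into the same order; that file is not part of this commit. The enum and the struct are complete within the hunk.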
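--- /dev/null
+++ b/iptables-1.3.8-typo_latter.patch
@@ -0,0 +1,10 @@
+diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
+--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter 2007-09-24 17:30:47.000000000 +0200
++++ iptables-1.3.8/extensions/libip6t_REJECT.man 2007-09-24 17:34:48.000000000 +0200
+@@ -32,5 +32,5 @@ TCP RST packet to be sent back. This is
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+.B tcp-reset
+-can only be used with kernel versions 2.6.14 or latter.
++can only be used with kernel versions 2.6.14 or later.
+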
@ -48,6 +48,31 @@ IPTABLES_STATUS_NUMERIC="yes"
|
||||
# Load firewall configuration.
|
||||
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
||||
|
||||
# Netfilter modules
|
||||
NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
|
||||
NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
|
||||
|
||||
# Are netfilter modules loaded?
|
||||
MODULES_LOADED=0
|
||||
for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
|
||||
$(lsmod | grep -q ^${mod} | awk '{print $1}')
|
||||
if [ $? -eq 0 ]; then
|
||||
MODULES_LOADED=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# Get active tables
|
||||
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
|
||||
# Is netfilter compiled into the kernel?
|
||||
[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
|
||||
|
||||
# Get status (quicker than status function and honour lock file)
|
||||
[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
|
||||
-o -z "$NF_TABLES" ] && running=0 || running=1
|
||||
|
||||
|
||||
rmmod_r() {
|
||||
# Unload module with all referring modules.
|
||||
# At first all referring modules will be unloaded, then the module itself.
|
||||
@ -83,13 +108,12 @@ flush_n_delete() {
|
||||
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
|
||||
echo -n $"Flushing firewall rules: "
|
||||
ret=0
|
||||
# For all tables
|
||||
for i in $tables; do
|
||||
for i in $NF_TABLES; do
|
||||
# Flush firewall rules.
|
||||
$IPTABLES -t $i -F;
|
||||
let ret+=$?;
|
||||
@ -116,7 +140,7 @@ set_policy() {
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"Setting chains to policy $policy: "
|
||||
@ -203,14 +227,15 @@ stop() {
|
||||
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
|
||||
echo -n $"Unloading $IPTABLES modules: "
|
||||
ret=0
|
||||
rmmod_r ${IPV}_tables
|
||||
let ret+=$?;
|
||||
rmmod_r nf_conntrack_${_IPV}
|
||||
for mod in ${NF_MODULES[*]}; do
|
||||
rmmod_r $mod
|
||||
let ret+=$?;
|
||||
done
|
||||
# try to unload remaining netfilter modules used by ipv4 and ipv6
|
||||
# netfilter
|
||||
rmmod_r x_tables
|
||||
rmmod_r nf_conntrack
|
||||
for mod in ${NF_MODULES_COMMON[*]}; do
|
||||
rmmod_r $mod
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
@ -224,8 +249,7 @@ save() {
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
|
||||
echo -n $"Saving firewall rules to $IPTABLES_DATA: "
|
||||
|
||||
@ -257,18 +281,21 @@ save() {
|
||||
}
|
||||
|
||||
status() {
|
||||
tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
|
||||
echo $"Firewall is not running."
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Do not print status if lockfile is missing and iptables modules are not
|
||||
# loaded.
|
||||
# Check if iptable modules are loaded
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
|
||||
echo $"Firewall is stopped."
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
echo $"Firewall modules not loaded."
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
|
||||
if [ -z "$NF_TABLES" ]; then
|
||||
echo $"Firewall is not configured. "
|
||||
return 3
|
||||
fi
|
||||
@ -280,7 +307,7 @@ status() {
|
||||
COUNT=
|
||||
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
||||
|
||||
for table in $tables; do
|
||||
for table in $NF_TABLES; do
|
||||
echo $"Table: $table"
|
||||
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
|
||||
done
|
||||
@ -294,17 +321,16 @@ restart() {
|
||||
start
|
||||
}
|
||||
|
||||
status >/dev/null 2>&1
|
||||
running=$?
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ $running -eq 0 ] && exit 0
|
||||
[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0
|
||||
start
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
[ $running -eq 0 ] || exit 0
|
||||
# stop firewall, even if manually configured
|
||||
[ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
|
||||
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||
stop
|
||||
RETVAL=$?
|
||||
@ -314,7 +340,7 @@ case "$1" in
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
[ $running -eq 0 ] || exit 0
|
||||
[ $running -eq 1 ] || exit 0
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
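Review bot: The module check in hunk `@ -48,6 +48,31 @@` cannot report a missing module: `grep -q` exits at the first match and prints nothing, the `awk` stage after it always exits 0, so the `$?` tested on the next line is 0 on every iteration, and `$(...)` then runs the empty output as a command. `MODULES_LOADED` is therefore set to 1 on the first pass regardless of what `lsmod` shows, `COMPILED_IN` can never become 1, and the new `start` guard in hunk `@ -294,17 +321,16 @@` (`[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0`) behaves exactly like the old `[ $running -eq 0 ] && exit 0` — the built-in-netfilter case this commit targets (rhbz#295611) is presumably still not handled, and `start` on such a kernel exits 0 without applying the saved rules. Replace the substitution and the `[ $? -eq 0 ]` test with the single line `if lsmod | grep -q "^${mod}[[:space:]]"; then`; anchoring on the trailing whitespace also keeps `nf_conntrack` from matching `nf_conntrack_ipv4`. The hunk ends inside the header comment of `rmmod_r()`, whose body continues outside the hunk.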
@ -3,12 +3,15 @@
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
Version: 1.3.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
Patch0: iptables-1.3.8-iptc.patch
|
||||
Patch1: iptables-1.3.8-headers.patch
|
||||
Patch2: iptables-1.3.8-reject_type.patch
|
||||
Patch3: iptables-1.3.8-limit_man.patch
|
||||
Patch4: iptables-1.3.8-typo_latter.patch
|
||||
Group: System Environment/Base
|
||||
URL: http://www.netfilter.org/
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
@ -56,6 +59,9 @@ stable and may change with every new version. It is therefore unsupported.
|
||||
%setup -q
|
||||
%patch0 -p1 -b .iptc
|
||||
%patch1 -p1 -b .headers
|
||||
%patch2 -p1 -b .reject_type
|
||||
%patch3 -p1 -b .limit_man
|
||||
%patch4 -p1 -b .typo_latter
|
||||
|
||||
# Put it to a reasonable place
|
||||
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
|
||||
@ -147,6 +153,13 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 24 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4
|
||||
- fixed IPv6 reject type (rhbz#295181)
|
||||
- fixed init script: start, stop and status
|
||||
- support netfilter compiled into kernel in init script (rhbz#295611)
|
||||
- dropped inversion for limit modules from man pages (rhbz#220780)
|
||||
- fixed typo in ip6tables man page (rhbz#236185)
|
||||
|
||||
* Wed Sep 19 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-3
|
||||
- do not depend on local_fs in lsb header - this delayes start after network
|
||||
- fixed exit code for initscript usage
|
||||
|