- fixed IPv6 reject type (rhbz#295181)

- fixed init script: start, stop and status - support netfilter compiled into kernel in init script (rhbz#295611) - dropped inversion for limit modules from man pages (rhbz#220780) - fixed typo in ip6tables man page (rhbz#236185)
2007-09-24 16:03:24 +00:00 · 2007-09-24 16:03:24 +00:00 · b467a216c0
commit b467a216c0
parent 324c1a2ec7
5 changed files with 117 additions and 23 deletions
--- a/iptables-1.3.8-limit_man.patch
+++ b/iptables-1.3.8-limit_man.patch
@ -0,0 +1,25 @@
+diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
+diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
+--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_limit.man	2007-09-24 17:28:29.000000000 +0200
+@@ -1,6 +1,6 @@
+ This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used).  It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+  It can be used in combination with the
+ .B LOG
+ target to give limited logging, for example.
+ .TP
+diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
+--- iptables-1.3.8/extensions/libipt_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libipt_limit.man	2007-09-24 17:28:19.000000000 +0200
+@@ -1,6 +1,6 @@
+ This module matches at a limited rate using a token bucket filter.
+-A rule using this extension will match until this limit is reached
+-(unless the `!' flag is used).  It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+  It can be used in combination with the
+ .B LOG
+ target to give limited logging, for example.
+ .TP
--- a/iptables-1.3.8-reject_type.patch
+++ b/iptables-1.3.8-reject_type.patch
@ -0,0 +1,20 @@
+diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
+--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type	2007-09-24 16:48:21.000000000 +0200
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h	2007-09-24 17:20:45.000000000 +0200
+@@ -4,13 +4,15 @@
+ enum ip6t_reject_with {
+ 	IP6T_ICMP6_NO_ROUTE,
+ 	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+ 	IP6T_ICMP6_ADDR_UNREACH,
+ 	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+ 	IP6T_TCP_RESET
+ };
+ 
+ struct ip6t_reject_info {
+-	enum ip6t_reject_with with;      /* reject type */
+	u_int32_t with;      /* reject type */
+ };
+ 
+ #endif /*_IP6T_REJECT_H*/
--- a/iptables-1.3.8-typo_latter.patch
+++ b/iptables-1.3.8-typo_latter.patch
@ -0,0 +1,10 @@
+diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
+--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter	2007-09-24 17:30:47.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_REJECT.man	2007-09-24 17:34:48.000000000 +0200
+@@ -32,5 +32,5 @@ TCP RST packet to be sent back.  This is
+ (113/tcp) probes which frequently occur when sending mail to broken mail
+ hosts (which won't accept your mail otherwise).
+ .B tcp-reset
+-can only be used with kernel versions 2.6.14 or latter.
+can only be used with kernel versions 2.6.14 or later.
+ 
--- a/iptables.init
+++ b/iptables.init
@ -48,6 +48,31 @@ IPTABLES_STATUS_NUMERIC="yes"
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

+# Netfilter modules
+NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
+NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
+
+# Are netfilter modules loaded?
+MODULES_LOADED=0
+for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
+    $(lsmod | grep -q ^${mod} | awk '{print $1}')
+    if [ $? -eq 0 ]; then
+	MODULES_LOADED=1
+	break
+    fi
+done
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+# Is netfilter compiled into the kernel?
+[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
+
+# Get status (quicker than status function and honour lock file)
+[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
+    -o -z "$NF_TABLES" ] && running=0 || running=1
+
+
 rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
@ -83,13 +108,12 @@ flush_n_delete() {
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
-    [ -z "$tables" ] && return 1
+    [ -z "$NF_TABLES" ] && return 1

    echo -n $"Flushing firewall rules: "
    ret=0
    # For all tables
-    for i in $tables; do
+    for i in $NF_TABLES; do
        # Flush firewall rules.
 	$IPTABLES -t $i -F;
 	let ret+=$?;
@ -116,7 +140,7 @@ set_policy() {
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"Setting chains to policy $policy: "
@ -203,14 +227,15 @@ stop() {
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 	echo -n $"Unloading $IPTABLES modules: "
 	ret=0
-	rmmod_r ${IPV}_tables
-	let ret+=$?;
-	rmmod_r nf_conntrack_${_IPV}
-	let ret+=$?;
+	for mod in ${NF_MODULES[*]}; do
+	    rmmod_r $mod
+	    let ret+=$?;
+	done
 	# try to unload remaining netfilter modules used by ipv4 and ipv6 
 	# netfilter
-	rmmod_r x_tables
-	rmmod_r nf_conntrack
+	for mod in ${NF_MODULES_COMMON[*]}; do
+	    rmmod_r $mod
+	done
 	[ $ret -eq 0 ] && success || failure
 	echo
    fi
@ -224,8 +249,7 @@ save() {
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
-    [ -z "$tables" ] && return 1
+    [ -z "$NF_TABLES" ] && return 1

    echo -n $"Saving firewall rules to $IPTABLES_DATA: "

@ -257,18 +281,21 @@ save() {
 }

 status() {
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+	echo $"Firewall is not running."
+	return 3
+    fi

    # Do not print status if lockfile is missing and iptables modules are not 
    # loaded.
    # Check if iptable modules are loaded
-    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
-	echo $"Firewall is stopped."
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo $"Firewall modules not loaded."
 	return 3
    fi

    # Check if firewall is configured (has tables)
-    if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
+    if [ -z "$NF_TABLES" ]; then
 	echo $"Firewall is not configured. "
 	return 3
    fi
@ -280,7 +307,7 @@ status() {
    COUNT=
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

-    for table in $tables; do
+    for table in $NF_TABLES; do
 	echo $"Table: $table"
 	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
    done
@ -294,17 +321,16 @@ restart() {
    start
 }

-status >/dev/null 2>&1
-running=$?

 case "$1" in
    start)
-	[ $running -eq 0 ] && exit 0
+	[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0
 	start
 	RETVAL=$?
 	;;
    stop)
-	[ $running -eq 0 ] || exit 0
+	# stop firewall, even if manually configured
+	[ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
 	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 	stop
 	RETVAL=$?
@ -314,7 +340,7 @@ case "$1" in
 	RETVAL=$?
 	;;
    condrestart|try-restart)
-	[ $running -eq 0 ] || exit 0
+	[ $running -eq 1 ] || exit 0
 	restart
 	RETVAL=$?
 	;;
--- a/iptables.spec
+++ b/iptables.spec
@ -3,12 +3,15 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch0: iptables-1.3.8-iptc.patch
 Patch1: iptables-1.3.8-headers.patch
+Patch2: iptables-1.3.8-reject_type.patch
+Patch3: iptables-1.3.8-limit_man.patch
+Patch4: iptables-1.3.8-typo_latter.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@ -56,6 +59,9 @@ stable and may change with every new version. It is therefore unsupported.
 %setup -q
 %patch0 -p1 -b .iptc
 %patch1 -p1 -b .headers
+%patch2 -p1 -b .reject_type
+%patch3 -p1 -b .limit_man
+%patch4 -p1 -b .typo_latter

 # Put it to a reasonable place
 find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@ -147,6 +153,13 @@ fi
 %endif

 %changelog
+* Mon Sep 24 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-4
+- fixed IPv6 reject type (rhbz#295181)
+- fixed init script: start, stop and status
+- support netfilter compiled into kernel in init script (rhbz#295611)
+- dropped inversion for limit modules from man pages (rhbz#220780)
+- fixed typo in ip6tables man page (rhbz#236185)
+
 * Wed Sep 19 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-3
 - do not depend on local_fs in lsb header - this delayes start after network
 - fixed exit code for initscript usage