diff --git a/.cvsignore b/.cvsignore index 9801098..33b16ea 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ iptables-1.3.8.tar.bz2 +iptables-1.4.0.tar.bz2 diff --git a/iptables-1.3.8-cloexec.patch b/iptables-1.3.8-cloexec.patch deleted file mode 100644 index 26a937e..0000000 --- a/iptables-1.3.8-cloexec.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c ---- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200 -+++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200 -@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha - strerror(errno)); - exit(1); - } -+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) { -+ fprintf(stderr, "Could not set close on exec: %s\n", -+ strerror(errno)); -+ exit(1); -+ } - - strcpy(rev.name, name); - rev.revision = revision; -diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c ---- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200 -+++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200 -@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha - strerror(errno)); - exit(1); - } -+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) { -+ fprintf(stderr, "Could not set close on exec: %s\n", -+ strerror(errno)); -+ exit(1); -+ } - - load_iptables_ko(modprobe, 1); - diff --git a/iptables-1.3.8-headers.patch b/iptables-1.3.8-headers.patch deleted file mode 100644 index 6f77ca0..0000000 --- a/iptables-1.3.8-headers.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -diff -up iptables-1.3.8/extensions/.frag-test6.headers iptables-1.3.8/extensions/.frag-test6 ---- iptables-1.3.8/extensions/.frag-test6.headers 2007-08-23 14:05:44.000000000 +0200 -+++ iptables-1.3.8/extensions/.frag-test6 2007-08-23 15:51:17.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_frag.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag -diff -up iptables-1.3.8/extensions/.CLUSTERIP-test.headers iptables-1.3.8/extensions/.CLUSTERIP-test ---- iptables-1.3.8/extensions/.CLUSTERIP-test.headers 2007-08-23 15:43:36.000000000 +0200 -+++ iptables-1.3.8/extensions/.CLUSTERIP-test 2007-08-23 15:45:32.000000000 +0200 -@@ -1,2 +1,2 @@ - #! /bin/sh --[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CLUSTERIP.c ] && echo CLUSTERIP -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h ] && echo CLUSTERIP -diff -up iptables-1.3.8/extensions/.statistic-test.headers iptables-1.3.8/extensions/.statistic-test ---- iptables-1.3.8/extensions/.statistic-test.headers 2007-08-23 15:46:20.000000000 +0200 -+++ iptables-1.3.8/extensions/.statistic-test 2007-08-23 15:46:22.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/netfilter/xt_statistic.c -a -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic -+[ -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic -diff -up iptables-1.3.8/extensions/.ah-test6.headers iptables-1.3.8/extensions/.ah-test6 ---- iptables-1.3.8/extensions/.ah-test6.headers 2007-08-23 15:52:48.000000000 +0200 -+++ iptables-1.3.8/extensions/.ah-test6 2007-08-23 15:52:49.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ah.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah -diff -up 
iptables-1.3.8/extensions/.opts-test6.headers iptables-1.3.8/extensions/.opts-test6 ---- iptables-1.3.8/extensions/.opts-test6.headers 2007-08-23 15:49:16.000000000 +0200 -+++ iptables-1.3.8/extensions/.opts-test6 2007-08-23 15:49:19.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_hbh.c -a -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_dst.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst -diff -up iptables-1.3.8/extensions/.ipv6header-test6.headers iptables-1.3.8/extensions/.ipv6header-test6 ---- iptables-1.3.8/extensions/.ipv6header-test6.headers 2007-08-23 14:05:45.000000000 +0200 -+++ iptables-1.3.8/extensions/.ipv6header-test6 2007-08-23 15:50:26.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ipv6header.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header -diff -up iptables-1.3.8/extensions/.rt-test6.headers iptables-1.3.8/extensions/.rt-test6 ---- iptables-1.3.8/extensions/.rt-test6.headers 2007-08-23 15:47:21.000000000 +0200 -+++ iptables-1.3.8/extensions/.rt-test6 2007-08-23 15:47:23.000000000 +0200 -@@ -1,2 +1,2 @@ - #!/bin/sh --[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_rt.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt diff --git a/iptables-1.3.8-limit_man.patch b/iptables-1.3.8-limit_man.patch deleted file mode 100644 index 563f32b..0000000 --- a/iptables-1.3.8-limit_man.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in -diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man ---- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200 -+++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200 -@@ -1,6 +1,6 @@ - This module matches at a limited rate using a token bucket filter. --A rule using this extension will match until this limit is reached --(unless the `!' flag is used). It can be used in combination with the -+A rule using this extension will match until this limit is reached. -+ It can be used in combination with the - .B LOG - target to give limited logging, for example. - .TP -diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man ---- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200 -+++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200 -@@ -1,6 +1,6 @@ - This module matches at a limited rate using a token bucket filter. --A rule using this extension will match until this limit is reached --(unless the `!' flag is used). It can be used in combination with the -+A rule using this extension will match until this limit is reached. -+ It can be used in combination with the - .B LOG - target to give limited logging, for example. - .TP diff --git a/iptables-1.3.8-reject_type.patch b/iptables-1.3.8-reject_type.patch deleted file mode 100644 index eb55c3f..0000000 --- a/iptables-1.3.8-reject_type.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h ---- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200 -+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200 -@@ -4,13 +4,15 @@ - enum ip6t_reject_with { - IP6T_ICMP6_NO_ROUTE, - IP6T_ICMP6_ADM_PROHIBITED, -+ IP6T_ICMP6_NOT_NEIGHBOUR, - IP6T_ICMP6_ADDR_UNREACH, - IP6T_ICMP6_PORT_UNREACH, -+ IP6T_ICMP6_ECHOREPLY, - IP6T_TCP_RESET - }; - - struct ip6t_reject_info { -- enum ip6t_reject_with with; /* reject type */ -+ u_int32_t with; /* reject type */ - }; - - #endif /*_IP6T_REJECT_H*/ diff --git a/iptables-1.4.0-cloexec.patch b/iptables-1.4.0-cloexec.patch new file mode 100644 index 0000000..90d42ec --- /dev/null +++ b/iptables-1.4.0-cloexec.patch @@ -0,0 +1,16 @@ +diff -up iptables-1.4.0/xtables.c.cloexec iptables-1.4.0/xtables.c +--- iptables-1.4.0/xtables.c.cloexec 2008-02-11 13:50:20.000000000 +0100 ++++ iptables-1.4.0/xtables.c 2008-02-11 13:51:03.000000000 +0100 +@@ -428,6 +428,12 @@ static int compatible_revision(const cha + exit(1); + } + ++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) { ++ fprintf(stderr, "Could not set close on exec: %s\n", ++ strerror(errno)); ++ exit(1); ++ } ++ + load_xtables_ko(modprobe, 1); + + strcpy(rev.name, name); diff --git a/iptables.init b/iptables.init index 684ca79..81742d7 100755 --- a/iptables.init +++ b/iptables.init @@ -49,8 +49,8 @@ IPTABLES_STATUS_NUMERIC="yes" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" # Netfilter modules -NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV}) -NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6 +NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables) +NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) 
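Review bot: The added fcntl() block in compatible_revision() carries no comment saying why it has to sit before `load_xtables_ko(modprobe, 1);`, and the reason (the raw socket would otherwise be inherited by the modprobe child it forks, which the spec changelog tracks as rhbz#312191) is not obvious from the five lines themselves. I would add above the `if`: `/* Do not leak the raw socket into the modprobe child spawned by load_xtables_ko() (rhbz#312191). */`. The 1.3.8 version of this patch touched both iptables.c and ip6tables.c, whereas this one only patches xtables.c; if 1.4.0 still has a second copy of compatible_revision() outside xtables.c, that copy keeps the leak, so it is worth confirming the function is now shared. Setting the flag in a separate call also leaves a window between socket() and fcntl(), which matters only if another thread could fork in between, and nothing in the hunk suggests iptables is multithreaded. compatible_revision() starts and ends outside the hunk.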
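Review bot: The `# Netfilter modules` comment above `NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)` no longer describes what the line does now that the list is discovered at run time, so a reader cannot tell that stop will unload every loaded module whose name starts with `${IPV}table_` rather than a fixed set. I would replace the comment with `# Netfilter modules: every loaded ${IPV}table_* module (from lsmod) followed by the core ${IPV}_tables module`. The anchored `^${IPV}table_` pattern keeps `iptable_*` and `ip6table_*` apart, which is the behaviour to preserve if the pattern is ever edited. Adding nf_nat to NF_MODULES_COMMON means it is treated as shared by v4 and v6; whether unloading it when only one family is stopped is acceptable depends on how NF_MODULES_COMMON is consumed, which is outside the hunk.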
@@ -80,7 +80,9 @@ rmmod_r() { # after all referring modules are unloaded. if grep -q "^${mod}" /proc/modules ; then modprobe -r $mod > /dev/null 2>&1 - let ret+=$?; + res=$? + [ $res -eq 0 ] || echo -n " $mod" + let ret+=$res; fi return $ret @@ -328,7 +330,7 @@ case "$1" in RETVAL=$? ;; condrestart|try-restart) - [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 restart RETVAL=$? ;; diff --git a/iptables.spec b/iptables.spec index 72b8d2b..0a125da 100644 --- a/iptables.spec +++ b/iptables.spec @@ -2,17 +2,14 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities -Version: 1.3.8 -Release: 6%{?dist} +Version: 1.4.0 +Release: 1%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config Patch0: iptables-1.3.8-iptc.patch -Patch1: iptables-1.3.8-headers.patch -Patch2: iptables-1.3.8-reject_type.patch -Patch3: iptables-1.3.8-limit_man.patch Patch4: iptables-1.3.8-typo_latter.patch -Patch5: iptables-1.3.8-cloexec.patch +Patch5: iptables-1.4.0-cloexec.patch Group: System Environment/Base URL: http://www.netfilter.org/ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -59,9 +56,6 @@ stable and may change with every new version. It is therefore unsupported. %prep %setup -q %patch0 -p1 -b .iptc -%patch1 -p1 -b .headers -%patch2 -p1 -b .reject_type -%patch3 -p1 -b .limit_man %patch4 -p1 -b .typo_latter %patch5 -p1 -b .cloexec @@ -133,6 +127,7 @@ fi %{_mandir}/man8/iptables* %dir /%{_lib}/iptables /%{_lib}/iptables/libipt* +/%{_lib}/iptables/libxt* %files ipv6 %defattr(-,root,root) 
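Review bot: `res=$?` in rmmod_r() introduces a variable that is not declared `local`, so it lands in the global scope; the surrounding context ("after all referring modules are unloaded") and the `_r` suffix suggest the function calls itself, where an unscoped variable is the usual source of subtle clobbering. It is harmless today because `res` is read on the next line, but `local res=$?` (or a `local res` declaration at the top of the function, which is outside the hunk) keeps the fix from relying on that. Note also that `[ $res -eq 0 ] || echo -n " $mod"` writes to stdout from a function whose modprobe output is silenced, so any caller that captures rmmod_r's output now receives module names; a comment such as `# name the module on stdout so the caller can list what failed to unload` would make that contract explicit. rmmod_r() starts outside the hunk.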
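Review bot: Patch0 and Patch4 keep their 1.3.8 names (`Patch0: iptables-1.3.8-iptc.patch`, `Patch4: iptables-1.3.8-typo_latter.patch`) while Version moves to 1.4.0 and the cloexec patch is renamed, so a reader cannot tell whether those two were re-checked against the new tarball or merely left in place; renaming them after verifying they apply cleanly would make that visible, as was done for Patch5. In the %files hunk, `/%{_lib}/iptables/libxt*` is added to the base package only; if ip6tables in 1.4.0 also loads the shared libxt_* extensions (plausible given the xtables.c consolidation in Patch5, but not visible here), the ipv6 subpackage needs a dependency on the base package or its own copy of that glob.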
@@ -155,6 +150,11 @@ fi %endif %changelog +* Mon Feb 11 2008 Thomas Woerner 1.4.0-1 +- new version 1.4.0 +- fixed condrestart (rhbz#428148) +- report the module in rmmod_r if there is an error + * Mon Nov 5 2007 Thomas Woerner 1.3.8-6 - fixed leaked file descriptor before fork/exec (rhbz#312191) - blacklisting is not working, use "install X /bin/(true|false)" test instead diff --git a/sources b/sources index 5c3c67d..eb770b6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0a9209f928002e5eee9cdff8fef4d4b3 iptables-1.3.8.tar.bz2 +90cfa8a554a29b0b859a625e701af2a7 iptables-1.4.0.tar.bz2