- new version 1.4.0

- fixed condrestart (rhbz#428148)
- report the module in rmmod_r if there is an error
Thomas Woerner 2008-02-11 13:56:53 +00:00
parent 6a95dca65a
commit bfc8fd6a19
9 changed files with 33 additions and 138 deletions


@ -1 +1,2 @@
iptables-1.3.8.tar.bz2 iptables-1.3.8.tar.bz2
iptables-1.4.0.tar.bz2


@ -1,30 +0,0 @@
diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
--- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200
+++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200
@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
strcpy(rev.name, name);
rev.revision = revision;
diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
--- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200
+++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200
@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
load_iptables_ko(modprobe, 1);


@ -1,49 +0,0 @@
diff -up iptables-1.3.8/extensions/.frag-test6.headers iptables-1.3.8/extensions/.frag-test6
--- iptables-1.3.8/extensions/.frag-test6.headers 2007-08-23 14:05:44.000000000 +0200
+++ iptables-1.3.8/extensions/.frag-test6 2007-08-23 15:51:17.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_frag.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
diff -up iptables-1.3.8/extensions/.CLUSTERIP-test.headers iptables-1.3.8/extensions/.CLUSTERIP-test
--- iptables-1.3.8/extensions/.CLUSTERIP-test.headers 2007-08-23 15:43:36.000000000 +0200
+++ iptables-1.3.8/extensions/.CLUSTERIP-test 2007-08-23 15:45:32.000000000 +0200
@@ -1,2 +1,2 @@
#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CLUSTERIP.c ] && echo CLUSTERIP
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h ] && echo CLUSTERIP
diff -up iptables-1.3.8/extensions/.statistic-test.headers iptables-1.3.8/extensions/.statistic-test
--- iptables-1.3.8/extensions/.statistic-test.headers 2007-08-23 15:46:20.000000000 +0200
+++ iptables-1.3.8/extensions/.statistic-test 2007-08-23 15:46:22.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/netfilter/xt_statistic.c -a -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
diff -up iptables-1.3.8/extensions/.ah-test6.headers iptables-1.3.8/extensions/.ah-test6
--- iptables-1.3.8/extensions/.ah-test6.headers 2007-08-23 15:52:48.000000000 +0200
+++ iptables-1.3.8/extensions/.ah-test6 2007-08-23 15:52:49.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ah.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah
diff -up iptables-1.3.8/extensions/.opts-test6.headers iptables-1.3.8/extensions/.opts-test6
--- iptables-1.3.8/extensions/.opts-test6.headers 2007-08-23 15:49:16.000000000 +0200
+++ iptables-1.3.8/extensions/.opts-test6 2007-08-23 15:49:19.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_hbh.c -a -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_dst.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst
diff -up iptables-1.3.8/extensions/.ipv6header-test6.headers iptables-1.3.8/extensions/.ipv6header-test6
--- iptables-1.3.8/extensions/.ipv6header-test6.headers 2007-08-23 14:05:45.000000000 +0200
+++ iptables-1.3.8/extensions/.ipv6header-test6 2007-08-23 15:50:26.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ipv6header.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header
diff -up iptables-1.3.8/extensions/.rt-test6.headers iptables-1.3.8/extensions/.rt-test6
--- iptables-1.3.8/extensions/.rt-test6.headers 2007-08-23 15:47:21.000000000 +0200
+++ iptables-1.3.8/extensions/.rt-test6 2007-08-23 15:47:23.000000000 +0200
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_rt.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt


@ -1,25 +0,0 @@
diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP
diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
--- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP


@ -1,20 +0,0 @@
diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200
@@ -4,13 +4,15 @@
enum ip6t_reject_with {
IP6T_ICMP6_NO_ROUTE,
IP6T_ICMP6_ADM_PROHIBITED,
+ IP6T_ICMP6_NOT_NEIGHBOUR,
IP6T_ICMP6_ADDR_UNREACH,
IP6T_ICMP6_PORT_UNREACH,
+ IP6T_ICMP6_ECHOREPLY,
IP6T_TCP_RESET
};
struct ip6t_reject_info {
- enum ip6t_reject_with with; /* reject type */
+ u_int32_t with; /* reject type */
};
#endif /*_IP6T_REJECT_H*/


@ -0,0 +1,16 @@
diff -up iptables-1.4.0/xtables.c.cloexec iptables-1.4.0/xtables.c
--- iptables-1.4.0/xtables.c.cloexec 2008-02-11 13:50:20.000000000 +0100
+++ iptables-1.4.0/xtables.c 2008-02-11 13:51:03.000000000 +0100
@@ -428,6 +428,12 @@ static int compatible_revision(const cha
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
+
load_xtables_ko(modprobe, 1);
strcpy(rev.name, name);
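Review bot: The added `fcntl(sockfd, F_SETFD, FD_CLOEXEC)` check in compatible_revision() has no comment saying why the descriptor must be close-on-exec, and its position just before `load_xtables_ko(modprobe, 1)` is what makes it effective. I would add `/* keep sockfd out of the modprobe child that load_xtables_ko() may fork/exec */` above the check, so a later reorder does not reintroduce the descriptor leak the spec changelog records (rhbz#312191). The 1.3.8 patch removed by this commit covered iptables.c and ip6tables.c separately, while this one touches only xtables.c, so it is worth confirming that the 1.4.0 per-family sources open no other descriptor before an exec. compatible_revision() starts and ends outside the hunk.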


@ -49,8 +49,8 @@ IPTABLES_STATUS_NUMERIC="yes"
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Netfilter modules # Netfilter modules
NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV}) NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6 NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
# Get active tables # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
@ -80,7 +80,9 @@ rmmod_r() {
# after all referring modules are unloaded. # after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1 modprobe -r $mod > /dev/null 2>&1
let ret+=$?; res=$?
[ $res -eq 0 ] || echo -n " $mod"
let ret+=$res;
fi fi
return $ret return $ret
@ -328,7 +330,7 @@ case "$1" in
RETVAL=$? RETVAL=$?
;; ;;
condrestart|try-restart) condrestart|try-restart)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart restart
RETVAL=$? RETVAL=$?
;; ;;
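Review bot: The guard `grep -q "^${mod}" /proc/modules` in rmmod_r is a prefix match, so the new `nf_nat` entry in NF_MODULES_COMMON also matches any loaded module whose name merely begins with nf_nat, just as `nf_conntrack` matches longer names that share its prefix. With the new `echo -n " $mod"` report, that can name a module as failed when it was never loaded on its own, depending on how `modprobe -r` treats an absent module. Anchoring the name with a trailing space, `if grep -q "^${mod} " /proc/modules ; then`, keeps the report accurate, and quoting `"$mod"` in the modprobe call would be safer as well. rmmod_r starts outside the hunk.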


@ -2,17 +2,14 @@
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8 Version: 1.4.0
Release: 6%{?dist} Release: 1%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
Patch0: iptables-1.3.8-iptc.patch Patch0: iptables-1.3.8-iptc.patch
Patch1: iptables-1.3.8-headers.patch
Patch2: iptables-1.3.8-reject_type.patch
Patch3: iptables-1.3.8-limit_man.patch
Patch4: iptables-1.3.8-typo_latter.patch Patch4: iptables-1.3.8-typo_latter.patch
Patch5: iptables-1.3.8-cloexec.patch Patch5: iptables-1.4.0-cloexec.patch
Group: System Environment/Base Group: System Environment/Base
URL: http://www.netfilter.org/ URL: http://www.netfilter.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@ -59,9 +56,6 @@ stable and may change with every new version. It is therefore unsupported.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b .iptc %patch0 -p1 -b .iptc
%patch1 -p1 -b .headers
%patch2 -p1 -b .reject_type
%patch3 -p1 -b .limit_man
%patch4 -p1 -b .typo_latter %patch4 -p1 -b .typo_latter
%patch5 -p1 -b .cloexec %patch5 -p1 -b .cloexec
@ -133,6 +127,7 @@ fi
%{_mandir}/man8/iptables* %{_mandir}/man8/iptables*
%dir /%{_lib}/iptables %dir /%{_lib}/iptables
/%{_lib}/iptables/libipt* /%{_lib}/iptables/libipt*
/%{_lib}/iptables/libxt*
%files ipv6 %files ipv6
%defattr(-,root,root) %defattr(-,root,root)
@ -155,6 +150,11 @@ fi
%endif %endif
%changelog %changelog
* Mon Feb 11 2008 Thomas Woerner <twoerner@redhat.com> 1.4.0-1
- new version 1.4.0
- fixed condrestart (rhbz#428148)
- report the module in rmmod_r if there is an error
* Mon Nov 5 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-6 * Mon Nov 5 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-6
- fixed leaked file descriptor before fork/exec (rhbz#312191) - fixed leaked file descriptor before fork/exec (rhbz#312191)
- blacklisting is not working, use "install X /bin/(true|false)" test instead - blacklisting is not working, use "install X /bin/(true|false)" test instead


@ -1 +1 @@
0a9209f928002e5eee9cdff8fef4d4b3 iptables-1.3.8.tar.bz2 90cfa8a554a29b0b859a625e701af2a7 iptables-1.4.0.tar.bz2