diff --git a/.cvsignore b/.cvsignore
index d57f476..c9a1ba4 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-iptables-1.2.7a.tar.bz2
+iptables-1.2.8.tar.bz2
diff --git a/iptables-config b/iptables-config
new file mode 100644
index 0000000..d1a47e0
--- /dev/null
+++ b/iptables-config
@@ -0,0 +1,19 @@
+# Additional iptables modules (nat helper)
+# Default: -empty-
+#IPTABLES_MODULES="ip_nat_ftp"
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+#IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+#IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule counter.
+# Value: yes|no, default: no
+#IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: no
+#IPTABLES_STATUS_NUMERIC="no"
diff --git a/iptables.init b/iptables.init
index 792f9d6..3d66f5e 100755
--- a/iptables.init
+++ b/iptables.init
@@ -1,208 +1,287 @@ #!/bin/sh # -# Startup script to implement /etc/sysconfig/iptables pre-defined rules. +# iptables Start iptables firewall # # chkconfig: 2345 08 92 -# -# description: Automates a packet filtering firewall with iptables. -# -# by bero@redhat.com, based on the ipchains script: -# Script Author: Joshua Jensen -# -- hacked up by gafton with help from notting -# modified by Anton Altaparmakov : -# modified by Nils Philippsen +# description: Starts, stops and saves iptables firewall # # config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config -# Source 'em up +# Source function library. . /etc/init.d/functions -IPTABLES_CONFIG=/etc/sysconfig/iptables +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES -if [ ! -x /sbin/iptables ]; then - exit 0 +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"/sbin/$IPTABLES does not exist."; warning; echo + exit 0 fi -KERNELMAJ=`uname -r | sed -e 's,\..*,,'` -KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` - -if [ "$KERNELMAJ" -lt 2 ] ; then - exit 0 -fi -if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then - exit 0 +if lsmod 2>/dev/null | grep -q ipchains ; then + echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo + exit 0 fi +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="no" +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" -if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then - # Don't do both - exit 0 -fi +rmmod_r() { + # Unload module with all referring modules. + # At first all referring modules will be unloaded, then the module itself. 
+ mod=$1 + ret=0 -iftable() { - if fgrep -qsx $1 /proc/net/ip_tables_names; then - iptables -t "$@" - fi + # Get referring modules. + ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1` + + # recursive call for all referring module + for i in $ref; do + rmmod_r $i + let ret+=$?; + done + + # Unload module. + modprobe -r $mod > /dev/null 2>&1 + let ret+=$?; + + return $ret +} + +flush_n_delete() { + # Flush firewall rules and delete chains. + [ -e "$PROC_IPTABLES_NAMES" ] || return 1 + + # Check if firewall is configured (has tables) + tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` + [ -z "$tables" ] && return 1 + + echo -n $"Flushing firewall rules: " + ret=0 + # For all tables + for i in $tables; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 1 + + # Check if firewall is configured (has tables) + tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` + [ -z "$tables" ] && return 1 + + echo -n $"Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo } start() { - # don't do squat if we don't have the config file - if [ -f $IPTABLES_CONFIG ]; then - # If we don't clear these first, we might be adding to - # pre-existing rules. - chains=`cat /proc/net/ip_tables_names 2>/dev/null` - echo -n $"Flushing all current rules and user defined chains:" - let ret=0 - for i in $chains; do iptables -t $i -F; let ret+=$?; done - iptables -F - let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - echo -n $"Clearing all current rules and user defined chains:" - let ret=0 - for i in $chains; do iptables -t $i -X; let ret+=$?; done - iptables -X - let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo + # Do not start if there is no config file. 
+ [ -f "$IPTABLES_DATA" ] || return 1 - for i in $chains; do iptables -t $i -Z; done + echo -n $"Applying $IPTABLES firewall rules: " - echo -n $"Applying iptables firewall rules: " - grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \ - success || \ - failure - echo - touch /var/lock/subsys/iptables - fi + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"Loading additional $IPTABLES modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + touch $VAR_SUBSYS_IPTABLES } stop() { - chains=`cat /proc/net/ip_tables_names 2>/dev/null` - echo -n $"Flushing all chains:" - let ret=0 - for i in $chains; do iptables -t $i -F; let ret+=$?; done - iptables -F; let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo + # Do not stop if iptables module is not loaded. + [ -e "$PROC_IPTABLES_NAMES" ] || return 1 - echo -n $"Removing user defined chains:" - let ret=0 - for i in $chains; do iptables -t $i -X; let ret+=$?; done - iptables -X; let ret+=$? 
- if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - echo -n $"Resetting built-in chains to the default ACCEPT policy:" - iftable filter -P INPUT ACCEPT && \ - iftable filter -P OUTPUT ACCEPT && \ - iftable filter -P FORWARD ACCEPT && \ - iftable nat -P PREROUTING ACCEPT && \ - iftable nat -P POSTROUTING ACCEPT && \ - iftable nat -P OUTPUT ACCEPT && \ - iftable mangle -P PREROUTING ACCEPT && \ - iftable mangle -P POSTROUTING ACCEPT && \ - iftable mangle -P INPUT ACCEPT && \ - iftable mangle -P OUTPUT ACCEPT && \ - iftable mangle -P FORWARD ACCEPT && \ - success || \ - failure - echo - rm -f /var/lock/subsys/iptables + flush_n_delete + set_policy ACCEPT + + echo -n $"Unloading $IPTABLES modules: " + ret=0 + rmmod_r ${IPV}_tables + let ret+=$?; + rmmod_r ${IPV}_conntrack + let ret+=$?; + + [ $ret -eq 0 ] && success || failure + echo + + rm -f $VAR_SUBSYS_IPTABLES +} + +save() { + # Check if iptable module is loaded + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 + + # Check if firewall is configured (has tables) + tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` + [ -z "$tables" ] && return 1 + + echo -n $"Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + cp -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + || ret=1 + fi + fi + [ $ret -eq 0 ] && success || failure + echo + rm -f $TMP_FILE +} + +status() { + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable module is loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo "Firewall is stopped." 
+ return 1 + fi + + # Check if firewall is configured (has tables) + tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` + if [ -z "$tables" ]; then + echo "Firewall is not configured. " + return 1 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + + for table in $tables; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM && echo + done +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start } case "$1" in - start) + start) + stop start ;; - - stop) + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save stop ;; - - restart) - # "restart" is really just "start" as this isn't a daemon, - # and "start" clears any pre-defined rules anyway. - # This is really only here to make those who expect it happy - start + restart) + restart ;; - - condrestart) - [ -e /var/lock/subsys/iptables ] && start + condrestart) + [ -e "$VAR_SUBSYS_IPTABLES" ] && restart ;; - - status) - tables=`cat /proc/net/ip_tables_names 2>/dev/null` - for table in $tables; do - echo $"Table: $table" - iptables -t $table --list - done + status) + status ;; - - panic) - echo -n $"Changing target policies to DROP: " - iftable filter -P INPUT DROP && \ - iftable filter -P FORWARD DROP && \ - iftable filter -P OUTPUT DROP && \ - iftable nat -P PREROUTING DROP && \ - iftable nat -P POSTROUTING DROP && \ - iftable nat -P OUTPUT DROP && \ - iftable mangle -P PREROUTING DROP && \ - iftable mangle -P OUTPUT DROP && \ - iftable mangle -P POSTROUTING DROP && \ - iftable mangle -P INPUT DROP && \ - iftable mangle -P FORWARD DROP && \ - success || failure - echo - echo -n "Flushing all chains:" - iftable filter -F INPUT && \ - iftable filter -F FORWARD && \ - iftable filter -F OUTPUT && \ - iftable nat -F PREROUTING && \ - iftable nat -F POSTROUTING && \ - iftable nat -F OUTPUT && \ - iftable mangle -F PREROUTING && \ - iftable mangle -F OUTPUT && \ - success || failure - echo - echo -n "Removing user defined chains:" - iftable iftable filter -X && \ - iftable 
nat -X && \ - iftable mangle -X && \ - success || failure - echo + panic) + flush_n_delete + set_policy DROP ;; - - save) - echo -n $"Saving current rules to $IPTABLES_CONFIG: " - touch $IPTABLES_CONFIG - chmod 600 $IPTABLES_CONFIG - /sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \ - success $"Saving current rules to $IPTABLES_CONFIG" || \ - failure $"Saving current rules to $IPTABLES_CONFIG" - echo + save) + save ;; - - *) + *) echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}" exit 1 + ;; esac exit 0 - diff --git a/iptables.spec b/iptables.spec index fd534cb..aacf545 100644 --- a/iptables.spec +++ b/iptables.spec @@ -1,22 +1,23 @@ +%define build_devel 0 +%define linux_header 0 + Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities. -Version: 1.2.7a -Release: 2 +Version: 1.2.8 +Release: 7.90.1 Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2 Source1: iptables.init -Source2: ip6tables.init -Patch1: iptables-1.2.2-bug50990.patch -Patch2: iptables-1.2.7a-matchmac.patch -Patch3: iptables-1.2.7a-tcpmss.patch -Patch4: iptables-1.2.7a-length.patch +Source2: iptables-config +%if %{linux_header} +Source3: netfilter-2.4.20.tar.gz +%endif Group: System Environment/Base URL: http://www.netfilter.org/ BuildRoot: %{_tmppath}/%{name}-buildroot License: GPL BuildPrereq: /usr/bin/perl -Requires: kernel >= 2.4.0 +Requires: kernel >= 2.4.20 Requires(post,postun): chkconfig -# Obsoletes: ipchains Prefix: %{_prefix} %package ipv6 @@ -24,6 +25,13 @@ Summary: IPv6 support for iptables. Group: System Environment/Base Requires: %{name} = %{version} +%if %{build_devel} +%package devel +Summary: Development package for iptables. +Group: System Environment/Base +Requires: %{name} = %{version} +%endif + %description The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, 
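Review bot: In the `panic)` arm the new code calls `flush_n_delete` before `set_policy DROP`, so between the flush and the policy change the built-in chains stand at whatever policy was previously in effect with no rules loaded, whereas the removed code set DROP first and flushed afterwards; swap the two calls to `set_policy DROP` then `flush_n_delete` so panic stays fail-closed. The script still ends with the unchanged `exit 0`, so a failed `$IPTABLES-restore` in start() — which the `start)` arm now reaches only after stop() has flushed everything and set ACCEPT — is reported to the caller as success; capturing the status of each arm in a variable and ending with `exit $RETVAL` would surface it. In save(), `cp -f $TMP_FILE $IPTABLES_DATA` creates a missing target with umask-derived permissions before the following `chmod 600`; a `umask 077` at the top of save() closes that window. The `grep ^${mod}` in rmmod_r also matches any module whose name merely starts with the requested one (ip_conntrack_ftp for ip_conntrack); `grep "^${mod} "` limits it to the module itself.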
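Review bot: The four `Patch1`–`Patch4` lines (bug50990, matchmac, tcpmss, length) are dropped here, and their `%patch` applications in the `%prep` hunk below, without a changelog entry stating that they were merged upstream in 1.2.8; if any of them was not, its fix silently regresses with this update. A one-line changelog note such as `- dropped patches merged upstream in 1.2.8` (or re-adding the ones still needed) would make that auditable.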
@@ -38,34 +46,51 @@ masquerading. Install iptables-ipv6 if you need to set up firewalling for your network and you are using ipv6. +%if %{build_devel} +%description devel +The iptables utility controls the network packet filtering code in the +Linux kernel. If you need to set up firewalls and/or IP masquerading, +you should install this package. +%endif + %prep rm -rf %{buildroot} %setup -q -%patch1 -p1 -b .50990 -%patch2 -p1 -b .mac -%patch3 -p1 -b .typo -%patch4 -p1 -b .length +%if %{linux_header} +cd include +tar -zxf %{SOURCE3} +cd .. +%endif # Put it to a reasonable place -perl -pi -e "s,/usr/local,%{prefix},g" * */* +find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \; %build -OPT="$RPM_OPT_FLAGS" +TOPDIR=`pwd` +OPT="$RPM_OPT_FLAGS -I$TOPDIR/include" make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} iptables-save iptables-restore -make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/{_lib} ip6tables-save ip6tables-restore +make COPT_FLAGS="$OPT" KERNEL_DIR=/usr LIBDIR=/%{_lib} ip6tables-save ip6tables-restore %install make install DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir} +%if %{build_devel} +make install-devel DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=%{_libdir} MANDIR=%{_mandir} +%endif cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables -install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init +install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig +install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config 
+install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config %clean -rm -rf $RPM_BUILD_ROOT $RPM_BUILD_DIR/%{name}-%{version} +rm -rf $RPM_BUILD_ROOT %post /sbin/chkconfig --add iptables 
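Review bot: The two sysconfig files are copied into the build root with `install -c -m755`, i.e. executable, while the `%files` hunk below forces `%attr(0600,root,root)` on them; the packaged mode wins, but the install lines should state the intended mode so the build root matches the package: `install -c -m600 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config` and `install -c -m600 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config`. The ip6tables.init generated by the `sed` pass will run `rmmod_r ip6_conntrack` on stop (from `${IPV}_conntrack` in the init script); I am not aware of such a module for the 2.4.20 kernel this spec requires, so stop on the IPv6 script would presumably report failure — worth confirming on a target kernel.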
@@ -85,20 +110,68 @@ fi %files %defattr(-,root,root,0755) -%config /etc/rc.d/init.d/iptables +%doc COPYING KNOWN_BUGS +%config %attr(0600,root,root) /etc/rc.d/init.d/iptables +%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config /sbin/iptables* -%{_mandir}/*/iptables* +%{_mandir}/man8/iptables* %dir /%{_lib}/iptables /%{_lib}/iptables/libipt* %files ipv6 %defattr(-,root,root,0755) -%config /etc/rc.d/init.d/ip6tables +%config %attr(0600,root,root) /etc/rc.d/init.d/ip6tables +%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config /sbin/ip6tables* +%{_mandir}/man8/ip6tables* /%{_lib}/iptables/libip6t* -%{_mandir}/*/ip6tables* + +%if %{build_devel} +%files devel +%defattr(-,root,root,0755) +%{_includedir}/libipq.h +%{_libdir}/libipq.a +%{_libdir}/libiptc.a +%{_mandir}/man3/* +%endif %changelog +* Sat Jul 19 2003 Thomas Woerner 1.2.8-7.90.1 +- fixed save when iptables file is missing and iptables-config permissions + +* Tue Jul 8 2003 Thomas Woerner 1.2.8-7 +- fixes for ip6tables: module unloading, setting policy only for existing + tables + +* Thu Jul 3 2003 Thomas Woerner 1.2.8-6 +- IPTABLES_SAVE_COUNTER defaults to no, now +- install config file in /etc/sysconfig +- exchange unload of ip_tables and ip_conntrack +- fixed start function + +* Wed Jul 2 2003 Thomas Woerner 1.2.8-5 +- new config option IPTABLES_SAVE_ON_RESTART +- init script: new status, save and restart +- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374 + +* Mon Jun 30 2003 Thomas Woerner 1.2.8-4 +- new config option IPTABLES_STATUS_NUMERIC +- cleared IPTABLES_MODULES in iptables-config + +* Mon Jun 30 2003 Thomas Woerner 1.2.8-3 +- new init scripts + +* Sat Jun 28 2003 Florian La Roche +- remove check for very old kernel versions in init scripts +- sync up both init scripts and remove some further ugly things +- add some docu into rpm + +* Thu Jun 26 2003 Thomas Woerner 1.2.8-2 +- rebuild + +* Mon Jun 16 2003 Thomas Woerner 1.2.8-1 +- update to 1.2.8 
+
 * Wed Jan 22 2003 Tim Powers
 - rebuilt
diff --git a/sources b/sources
index 152453d..4532c21 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e9de1c98c86a93934c8ada812fc8b286 iptables-1.2.7a.tar.bz2
+cf62ebdabf05ccc5479334cc04fa993c iptables-1.2.8.tar.bz2
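Review bot: `%config %attr(0600,root,root) /etc/rc.d/init.d/iptables` (and the matching ip6tables line) packages the init script without the execute bit, so unless something outside this spec resets the mode, `chkconfig --add` in `%post` will register a script that the rc links and `service` cannot execute; the `%install` hunk installs it with 0755 and only the sysconfig files need 0600. Use `%config %attr(0755,root,root) /etc/rc.d/init.d/iptables` and the same for `/etc/rc.d/init.d/ip6tables`. The 7.90.1 changelog entry mentions fixing the iptables-config permissions, so the attr on the init scripts looks like collateral from that change.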