commit 0fc2966087282671394788aebf1c3e3a45e311b6
Author: overweight <5324761+overweight@user.noreply.gitee.com>
Date: Mon Sep 30 10:53:23 2019 -0400
    Package init
diff --git a/Allocate-rule-cache-just-once.patch b/Allocate-rule-cache-just-once.patch
new file mode 100644
index 0000000..b42a147
--- /dev/null
+++ b/Allocate-rule-cache-just-once.patch
@@ -0,0 +1,38 @@
+From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 2 Aug 2018 17:05:08 +0200
+Subject: xtables: Allocate rule cache just once
+
+For each parsed table, xtables-restore calls nft_table_flush() which
+each time allocates a new rule cache, possibly overwriting the pointer
+to the previously allocated one. Fix this by checking the pointer value
+and only allocate if it's NULL.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index a9cb92ed..d5c4c766 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1867,9 +1867,11 @@ next:
+ t = nftnl_table_list_iter_next(iter);
+ }
+ 
+- h->rule_cache = nftnl_rule_list_alloc();
+- if (h->rule_cache == NULL)
+- return -1;
++ if (!h->rule_cache) {
++ h->rule_cache = nftnl_rule_list_alloc();
++ if (h->rule_cache == NULL)
++ return -1;
++ }
+ 
+ err_table_iter:
+ nftnl_table_list_iter_destroy(iter);
+-- 
+cgit v1.2.1
+
diff --git a/Fix-for-nft_rule_flush-returning-garbage.patch b/Fix-for-nft_rule_flush-returning-garbage.patch
new file mode 100644
index 0000000..b89baf9
--- /dev/null
+++ b/Fix-for-nft_rule_flush-returning-garbage.patch
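Review bot: The new `return -1;` inside the `if (!h->rule_cache)` block still leaves the function before the `err_table_iter:` label, so on allocation failure the table iterator is never passed to `nftnl_table_list_iter_destroy(iter)` — the same leak the replaced three lines had, and this rewrite was the place to close it. If the function carries a return variable (its declaration is above the hunk) the exit should be `ret = -1; goto err_table_iter;`; otherwise destroy the iterator explicitly before returning. The enclosing function begins and ends outside the hunk.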
@@ -0,0 +1,54 @@
+From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 2 Aug 2018 17:05:09 +0200
+Subject: xtables: Fix for nft_rule_flush() returning garbage
+
+Due to variable 'ret' not being initialized in all situations, return
+code of the function depends on garbage in stack. Fix this by
+initializing 'ret' to zero upon declaration.
+
+While being at it, make nftnl_chain_list_get() failure as well as
+nftnl_chain_list_iter_create() failure an error condition since both
+functions should succeed even if the current ruleset does not contain
+any chains at all.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index d5c4c766..f2d6ea13 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
+ 
+ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+ {
+- int ret;
++ int ret = 0;
+ struct nftnl_chain_list *list;
+ struct nftnl_chain_list_iter *iter;
+ struct nftnl_chain *c;
+@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+ 
+ list = nftnl_chain_list_get(h);
+ if (list == NULL) {
+- ret = 0;
++ ret = 1;
+ goto err;
+ }
+ 
+ iter = nftnl_chain_list_iter_create(list);
+- if (iter == NULL)
++ if (iter == NULL) {
++ ret = 1;
+ goto err;
++ }
+ 
+ c = nftnl_chain_list_iter_next(iter);
+ while (c != NULL) {
+-- 
+cgit v1.2.1
+
diff --git a/Fix-for-potential-array-boundary-overstep.patch b/Fix-for-potential-array-boundary-overstep.patch
new file mode 100644
index 0000000..66f45ce
--- /dev/null
+++ b/Fix-for-potential-array-boundary-overstep.patch
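Review bot: The two added `ret = 1;` assignments mark failure with a value that reads like success under iptables' own 1-on-success convention, and nothing in the hunk shows how `ret` is translated at the `err:` label, which lies below it. A one-line comment at the first assignment would stop the next reader from "fixing" it back, e.g. `/* non-zero ret: translated to a failure return at err: */`, worded to match what the tail actually does. Also, when `nftnl_chain_list_iter_create()` fails the hunk jumps to `err:` without releasing `list`; that is only correct if `nftnl_chain_list_get()` hands back a list owned by `h` rather than a fresh allocation — worth confirming. `nft_rule_flush` ends outside the hunk.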
@@ -0,0 +1,30 @@
+From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 10 Sep 2018 23:35:15 +0200
+Subject: ebtables: Fix for potential array boundary overstep
+
+Fix the parameter check in nft_ebt_standard_target() to avoid an array
+out of bounds access in ebt_standard_targets.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft-bridge.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
+index 1fe26bab..9d49ccbe 100644
+--- a/iptables/nft-bridge.h
++++ b/iptables/nft-bridge.h
+@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
+ 
+ static inline const char *nft_ebt_standard_target(unsigned int num)
+ {
+- if (num > NUM_STANDARD_TARGETS)
++ if (num >= NUM_STANDARD_TARGETS)
+ return NULL;
+ 
+ return ebt_standard_targets[num];
+-- 
+cgit v1.2.1
+
diff --git a/Fix-for-segfault-in-iptables-nft.patch b/Fix-for-segfault-in-iptables-nft.patch
new file mode 100644
index 0000000..2944c5e
--- /dev/null
+++ b/Fix-for-segfault-in-iptables-nft.patch
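Review bot: The corrected `num >= NUM_STANDARD_TARGETS` test is right for an array declared with that size, but the header still gives callers no hint that the function can return NULL, and because `num` is unsigned a caller that computes it from a signed verdict (that conversion is outside this hunk) turns a negative value into a huge index — exactly the input this guard now rejects, so every caller must handle the NULL. Add a short contract above the function: `/* Name of standard target `num`; returns NULL when num is out of range — callers must check. */`.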
@@ -0,0 +1,93 @@ + +m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 17 Aug 2018 15:35:47 +0200 +Subject: xtables: Fix for segfault in iptables-nft + +Trying to set a chain's policy in an invalid table resulted in a +segfault. Reproducer was: + +| # iptables -t broute -P BROUTING ACCEPT + +Fix this by aborting in nft_chain_new() if nft_table_builtin_find() +returned NULL for the given table name. + +For an illustrative error message, set errno to ENXIO in the above case +and add an appropriate Mesage to nft_strerror(). + +While being at it, improve the error message if an invalid policy was +given. Before: + +| # iptables-nft -t filter -P INPUT ACCEPTdf +| iptables: Incompatible with this kernel. + +After: + +| # iptables-nft -t filter -P INPUT ACCEPTdf +| iptables: Bad policy name. Run `dmesg' for more information. + +Third unrelated change in this patch: Drop error checking of +nft_chain_set() in do_commandx(): The function never returns negative, +so that check never yielded true. 
+ +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +--- + iptables/nft.c | 11 +++++++++-- + iptables/xtables.c | 3 --- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 0b29caeb..dd8469a9 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, + struct builtin_chain *_c; + + _t = nft_table_builtin_find(h, table); ++ if (!_t) { ++ errno = ENXIO; ++ return NULL; ++ } ++ + /* if this built-in table does not exists, create it */ +- if (_t != NULL) +- nft_table_builtin_add(h, _t); ++ nft_table_builtin_add(h, _t); + + _c = nft_chain_builtin_find(_t, chain); + if (_c != NULL) { +@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table, + c = nft_chain_new(h, table, chain, NF_DROP, counters); + else if (strcmp(policy, "ACCEPT") == 0) + c = nft_chain_new(h, table, chain, NF_ACCEPT, counters); ++ else ++ errno = EINVAL; + + if (c == NULL) + return 0; +@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err) + "Bad rule (does a matching rule exist in that chain?)" }, + { nft_chain_set, ENOENT, "Bad built-in chain name" }, + { nft_chain_set, EINVAL, "Bad policy name" }, ++ { nft_chain_set, ENXIO, "Bad table name" }, + { NULL, ELOOP, "Loop found in table" }, + { NULL, EPERM, "Permission denied (you must be root)" }, + { NULL, 0, "Incompatible with this kernel" }, +diff --git a/iptables/xtables.c b/iptables/xtables.c +index d9050b45..72f65962 100644 +--- a/iptables/xtables.c ++++ b/iptables/xtables.c +@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, + break; + case CMD_SET_POLICY: + ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL); +- if (ret < 0) +- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", +- p.policy); + break; + default: + /* We should never reach this... */ +-- +cgit v1.2.1 + 
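Review bot: In `nft_chain_set` the new `else errno = EINVAL;` branch leaves `c` untouched and then relies on the following `if (c == NULL) return 0;`, so an unknown policy name only fails cleanly if `c` is initialised to NULL at its declaration, which is above the hunk; if it is not, this path reads an indeterminate pointer. Confirm the declaration reads `struct nftnl_chain *c = NULL;`. Separately, `nft_chain_new` sets `errno = ENXIO` right before returning NULL, but on the success path the later `nft_table_builtin_add()` and chain lookup may overwrite `errno`, so the new `nft_strerror()` entry only helps when the caller reads `errno` immediately after a NULL return. The first hunk line of this file appears as `+m 92f7b04…` rather than `+From 92f7b04…`; if that is in the stored file and not just this listing, `git am`/`patch` will reject it.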
diff --git a/Fix-for-segfault-when-registering-hashlimit-extension.patch b/Fix-for-segfault-when-registering-hashlimit-extension.patch
new file mode 100644
index 0000000..5e898c2
--- /dev/null
+++ b/Fix-for-segfault-when-registering-hashlimit-extension.patch
@@ -0,0 +1,33 @@
+From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001
+From: Heena Sirwani
+Date: Tue, 21 Aug 2018 17:25:56 +0530
+Subject: xtables: Fix for segfault when registering hashlimit extension
+
+This patch fixes the crash when registering the hashlimit extension
+with xtables during init_extensions(when built with static libs) .
+The option validation function xtables_option_metavalidate has a
+loop termination condition of the entry name being NULL. The loop
+does not terminate when validating hashlimit_mt_opts_v2 which causes
+a crash on derefencing an invalid entry.
+
+Signed-off-by: Heena Sirwani
+Signed-off-by: Florian Westphal
+---
+ extensions/libxt_hashlimit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
+index 70bc615b..7d78d852 100644
+--- a/extensions/libxt_hashlimit.c
++++ b/extensions/libxt_hashlimit.c
+@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
+ {.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
+ {.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
++ XTOPT_TABLEEND,
+ };
+ #undef s
+ 
+-- 
+cgit v1.2.1
+
diff --git a/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch b/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
new file mode 100644
index 0000000..7ef53db
--- /dev/null
+++ b/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
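Review bot: The added `XTOPT_TABLEEND` fixes only `hashlimit_mt_opts_v2`; the other hashlimit option tables in this file are outside the hunk, and since `xtables_option_metavalidate` walks until `.name == NULL` (as the description says) any of them missing the sentinel crashes the same way, so they should be checked in the same change. Because the array is declared without an explicit size and nothing else bounds the walk, a comment on the sentinel would guard against the same regression, e.g. `/* mandatory: metavalidate walks the table until .name == NULL */`.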
@@ -0,0 +1,31 @@
+From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 19 Sep 2018 15:17:07 +0200
+Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find()
+
+Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
+strcmp() may be passed a NULL pointer. Therefore check if the pointer is
+valid before doing so.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft-arp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index b8e89826..a2109c60 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+ if (!compare_targets(cs->target, this.target))
+ return false;
+ 
+- if (strcmp(cs->jumpto, this.jumpto) != 0)
++ if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
+ return false;
+ 
+ return true;
+-- 
+cgit v1.2.1
+
diff --git a/Fix-opcode-printing-in-numeric-output.patch b/Fix-opcode-printing-in-numeric-output.patch
new file mode 100644
index 0000000..991861f
--- /dev/null
+++ b/Fix-opcode-printing-in-numeric-output.patch
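Review bot: The guard tests `this.jumpto` while the description says it is `cs->jumpto` that `nft_arp_rule_to_cs()` may leave unset, so the new line still hands a NULL `cs->jumpto` to `strcmp()` when `this.jumpto` is set, and in the opposite case (`this.jumpto` NULL, `cs->jumpto` set) it reports a match although the jump targets differ — which matters because this function decides which rule `-D`/`-C` operate on. Compare presence first, then contents: `if (!cs->jumpto != !this.jumpto) return false;` followed by `if (cs->jumpto && strcmp(cs->jumpto, this.jumpto) != 0) return false;`. The start of `nft_arp_rule_find` is outside the hunk.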
@@ -0,0 +1,29 @@
+From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 2 Aug 2018 17:05:22 +0200
+Subject: arptables: Fix opcode printing in numeric output
+
+This line of code was dropped by accident, add it back.
+
+Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall")
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft-arp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 5cabb93e..570a2589 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -543,6 +543,7 @@ after_devdst:
+ if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
+ printf("--opcode %s", opcodes[tmp-1]);
+ else
++ printf("--opcode %d", tmp);
+ 
+ if (fw->arp.arpop_mask != 65535)
+ printf("/%d", ntohs(fw->arp.arpop_mask));
+-- 
+cgit v1.2.1
+
diff --git a/Fix-potential-array-overrun-in-xtables_option_parse.patch b/Fix-potential-array-overrun-in-xtables_option_parse.patch
new file mode 100644
index 0000000..22372df
--- /dev/null
+++ b/Fix-potential-array-overrun-in-xtables_option_parse.patch
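Review bot: The restored `printf("--opcode %d", tmp);` completes the dangling `else`, but the context line `if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))` bounds `tmp` only from above while the symbolic branch indexes `opcodes[tmp-1]`, so a `tmp` of 0 reads one element before the array; where `tmp` is computed is outside the hunk, so if it can be zero the condition should be `tmp >= 1 && tmp <= NUMOPCODES`. Before this line was restored the `else` silently bound to the following `if (fw->arp.arpop_mask != 65535)`, so a `/* symbolic name when known and not -n, raw opcode otherwise */` comment on the `if` would make the intended pairing obvious.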
@@ -0,0 +1,30 @@
+From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 10 Sep 2018 23:35:13 +0200
+Subject: libxtables: Fix potential array overrun in xtables_option_parse()
+
+If entry->type is to be used as array index, it needs to be at max one
+less than that array's size.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ libxtables/xtoptions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index ba3128bd..326febd5 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb)
+ * a *RC option type.
+ */
+ cb->nvals = 1;
+- if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
++ if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
+ xtopt_subparse[entry->type] != NULL)
+ xtopt_subparse[entry->type](cb);
+ /* Exclusion with other flags tested later in finalize. */
+-- 
+cgit v1.2.1
+
diff --git a/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch b/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
new file mode 100644
index 0000000..e487e32
--- /dev/null
+++ b/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
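Review bot: With the corrected `entry->type < ARRAY_SIZE(xtopt_subparse)` test an out-of-range `type` is skipped silently instead of overrunning the table, which is the right fix, but it also means a malformed extension option table is never reported at parse time. The type should already be rejected when the table is registered (that validation is outside the hunk); if it is not, an `else xtables_error(PARAMETER_PROBLEM, ...)` here would surface the bad table instead of leaving the option unparsed. `xtables_option_parse` begins and ends outside the hunk.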
@@ -0,0 +1,72 @@ +From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 2 Aug 2018 17:05:11 +0200 +Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs + +Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are +not added to the cache. + +There is one exception though, namely when zeroing counters: +nft_chain_zero_counters() adds a chain object it took from chain cache. +To distinguish this situation from the others, introduce +NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like +NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain. + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +--- + iptables/nft.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 26df1287..327c19ad 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -246,6 +246,7 @@ enum obj_update_type { + NFT_COMPAT_CHAIN_USER_FLUSH, + NFT_COMPAT_CHAIN_UPDATE, + NFT_COMPAT_CHAIN_RENAME, ++ NFT_COMPAT_CHAIN_ZERO, + NFT_COMPAT_RULE_APPEND, + NFT_COMPAT_RULE_INSERT, + NFT_COMPAT_RULE_REPLACE, +@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h, + nftnl_table_get_str(o->table, NFTNL_TABLE_NAME)); + break; + case NFT_COMPAT_CHAIN_ADD: ++ case NFT_COMPAT_CHAIN_ZERO: + case NFT_COMPAT_CHAIN_USER_ADD: + case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_USER_FLUSH: +@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o) + case NFT_COMPAT_TABLE_FLUSH: + nftnl_table_free(o->table); + break; +- case NFT_COMPAT_CHAIN_ADD: ++ case NFT_COMPAT_CHAIN_ZERO: + case NFT_COMPAT_CHAIN_USER_ADD: + break; ++ case NFT_COMPAT_CHAIN_ADD: + case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_USER_FLUSH: + case NFT_COMPAT_CHAIN_UPDATE: +@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action) + n->seq, n->table); + break; + case NFT_COMPAT_CHAIN_ADD: ++ case 
NFT_COMPAT_CHAIN_ZERO: + nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN, + NLM_F_CREATE, n->seq, + n->chain); +@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, + + nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); + +- ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); ++ ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c); + + if (chain != NULL) + break; +-- +cgit v1.2.1 + diff --git a/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch b/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch new file mode 100644 index 0000000..057a3a4 --- /dev/null +++ b/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch @@ -0,0 +1,31 @@ +From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 2 Aug 2018 17:05:10 +0200 +Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs + +These always have to be freed because nft_chain_user_del() removes them +from the cache so they are not freed when the chain cache is flushed. + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +--- + iptables/nft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index f2d6ea13..26df1287 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o) + break; + case NFT_COMPAT_CHAIN_ADD: + case NFT_COMPAT_CHAIN_USER_ADD: +- case NFT_COMPAT_CHAIN_USER_DEL: + break; ++ case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_USER_FLUSH: + case NFT_COMPAT_CHAIN_UPDATE: + case NFT_COMPAT_CHAIN_RENAME: +-- +cgit v1.2.1 + diff --git a/fix-crash-if-nft_rule_list_get-fails.patch b/fix-crash-if-nft_rule_list_get-fails.patch new file mode 100644 index 0000000..1081d70 --- /dev/null +++ b/fix-crash-if-nft_rule_list_get-fails.patch 
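Review bot: The new `NFT_COMPAT_CHAIN_ZERO` enumerator is handled in the three `switch` statements this hunk touches (`mnl_append_error`, `batch_obj_del`, `nft_action`), but any other `switch` over `enum obj_update_type` in nft.c is outside the hunk and, if it has no `default`, will silently drop the zero-counters job — grep the remaining users of the enum before merging. The `index 26df1287..327c19ad` line shows this patch is built on the result of the USER_DEL patch (`f2d6ea13..26df1287`) added in the same commit, so the spec must apply them in that order; that ordering is not visible here. A comment on the enumerator would record the ownership rule the description explains: `/* like CHAIN_ADD, but the chain belongs to the cache and must not be freed */`.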
@@ -0,0 +1,31 @@
+From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 19 Jul 2018 18:31:53 +0200
+Subject: xtables: fix crash if nft_rule_list_get() fails
+
+Without this, trying to add a rule using ebtables without proper
+permissions crashes the program.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+---
+ iptables/nft.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3cacf5fe..e1788dba 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
+ if (batch_rule_add(h, type, r) < 0)
+ nftnl_rule_free(r);
+ 
+- nft_rule_list_get(h);
++ if (!nft_rule_list_get(h))
++ return 0;
+ 
+ nftnl_rule_list_add_tail(r, h->rule_cache);
+ 
+-- 
+cgit v1.2.1
+
diff --git a/free-the-table-lock-when-skipping-a-table.patch b/free-the-table-lock-when-skipping-a-table.patch
new file mode 100644
index 0000000..6291353
--- /dev/null
+++ b/free-the-table-lock-when-skipping-a-table.patch
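Review bot: The context line `if (batch_rule_add(h, type, r) < 0) nftnl_rule_free(r);` does not return, so a failed batch add falls through to the new `nft_rule_list_get()` call and on to `nftnl_rule_list_add_tail(r, h->rule_cache)` with the freed `r` — a use-after-free the hunk rewrites around but leaves in place. Make the free path terminal: `if (batch_rule_add(h, type, r) < 0) { nftnl_rule_free(r); return 0; }`. Note also that when `nft_rule_list_get()` fails the rule is already queued in the batch yet the caller is told the append failed, so batch and cache disagree; whether the caller abandons the batch on 0 is outside the hunk. `nft_rule_append` begins and ends outside the hunk.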
@@ -0,0 +1,192 @@ +From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001 +From: Joel Goguen +Date: Wed, 11 Jul 2018 16:32:20 -0700 +Subject: iptables-restore: free the table lock when skipping a table + +Currently, when running `iptables-restore --table=X`, where `X` is not the first +table in the rules dump, the restore will fail when parsing the second table: + +- a lock is acquird when parsing the first table name +- the table name does not match the parameter to `--table` so processing + continues until the next table +- when processing the next table a lock is acquired, which fails because a lock + is already held + +Another app is currently holding the xtables lock. Perhaps you want to use the -w option? + +This will release the lock as soon as it's decided the current table won't be +used. + +Signed-off-by: Joel Goguen +Signed-off-by: Florian Westphal +--- + iptables/ip6tables-restore.c | 7 +++- + iptables/iptables-restore.c | 7 +++- + .../ipt-restore/0001load-specific-table_0 | 41 ++++++++++++++++++++++ + .../testcases/ipt-restore/dumps/ip6tables.dump | 30 ++++++++++++++++ + .../testcases/ipt-restore/dumps/iptables.dump | 30 ++++++++++++++++ + 5 files changed, 113 insertions(+), 2 deletions(-) + create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 + create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump + create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index cc50bb4f..d36f92da 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[]) + strncpy(curtable, table, XT_TABLE_MAXNAMELEN); + curtable[XT_TABLE_MAXNAMELEN] = '\0'; + +- if (tablename != NULL && strcmp(tablename, table) != 0) ++ if (tablename != NULL && strcmp(tablename, table) != 0) { ++ if (lock >= 0) { ++ 
xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } + continue; ++ } + if (handle) + ops->free(handle); + +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index d5603fce..142ddb82 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[]) + strncpy(curtable, table, XT_TABLE_MAXNAMELEN); + curtable[XT_TABLE_MAXNAMELEN] = '\0'; + +- if (tablename && (strcmp(tablename, table) != 0)) ++ if (tablename && (strcmp(tablename, table) != 0)) { ++ if (lock >= 0) { ++ xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } + continue; ++ } + if (handle) + ops->free(handle); + +diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 +new file mode 100755 +index 00000000..ce3bef3a +--- /dev/null ++++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 +@@ -0,0 +1,41 @@ ++#!/bin/bash ++ ++RET=0 ++tmpfile="" ++ ++set -x ++ ++clean_tempfile() ++{ ++ if [ -n "${tmpfile}" ]; then ++ rm -f "${tmpfile}" ++ fi ++} ++ ++trap clean_tempfile EXIT ++ ++tmpfile=$(mktemp) || exit 1 ++ ++do_simple() ++{ ++ iptables="${1}" ++ table="${2}" ++ dumpfile="$(dirname "${0}")/dumps/${iptables}.dump" ++ ++ "$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$? 
++ ++ if [ "${rv}" -ne 0 ]; then ++ RET=1 ++ fi ++} ++ ++do_simple "iptables" "filter" ++do_simple "iptables" "mangle" ++do_simple "iptables" "raw" ++do_simple "iptables" "nat" ++do_simple "ip6tables" "filter" ++do_simple "ip6tables" "mangle" ++do_simple "ip6tables" "raw" ++do_simple "ip6tables" "nat" ++ ++exit "${RET}" +diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump +new file mode 100644 +index 00000000..4ac4f882 +--- /dev/null ++++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump +@@ -0,0 +1,30 @@ ++*nat ++:PREROUTING ACCEPT [0:0] ++:INPUT ACCEPT [0:0] ++:OUTPUT ACCEPT [8:656] ++:POSTROUTING ACCEPT [8:656] ++COMMIT ++ ++*mangle ++:PREROUTING ACCEPT [794:190738] ++:INPUT ACCEPT [794:190738] ++:FORWARD ACCEPT [0:0] ++:OUTPUT ACCEPT [991:170303] ++:POSTROUTING ACCEPT [991:170303] ++COMMIT ++ ++*raw ++:PREROUTING ACCEPT [794:190738] ++:OUTPUT ACCEPT [991:170303] ++COMMIT ++ ++*filter ++:INPUT DROP [0:0] ++:FORWARD DROP [0:0] ++:OUTPUT ACCEPT [991:170303] ++-A INPUT -i lo -j ACCEPT ++-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A INPUT -p ipv6-icmp -j ACCEPT ++-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable ++-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable ++COMMIT +diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump +new file mode 100644 +index 00000000..6e4e42d3 +--- /dev/null ++++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump +@@ -0,0 +1,30 @@ ++*nat ++:PREROUTING ACCEPT [1:89] ++:INPUT ACCEPT [0:0] ++:OUTPUT ACCEPT [351:24945] ++:POSTROUTING ACCEPT [351:24945] ++COMMIT ++ ++*mangle ++:PREROUTING ACCEPT [3270:1513114] ++:INPUT ACCEPT [3270:1513114] ++:FORWARD ACCEPT [0:0] ++:OUTPUT ACCEPT [3528:1087907] ++:POSTROUTING ACCEPT [3546:1090751] ++COMMIT ++ ++*raw 
++:PREROUTING ACCEPT [3270:1513114] ++:OUTPUT ACCEPT [3528:1087907] ++COMMIT ++ ++*filter ++:INPUT DROP [37:4057] ++:FORWARD DROP [0:0] ++:OUTPUT ACCEPT [3528:1087907] ++-A INPUT -i lo -j ACCEPT ++-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A INPUT -p icmp -j ACCEPT ++-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable ++-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable ++COMMIT +-- +cgit v1.2.1 + diff --git a/iptables-1.6.0-iptables-apply_mktemp.patch b/iptables-1.6.0-iptables-apply_mktemp.patch new file mode 100644 index 0000000..607a611 --- /dev/null +++ b/iptables-1.6.0-iptables-apply_mktemp.patch @@ -0,0 +1,21 @@ +diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply +--- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp 2015-12-09 13:55:06.000000000 +0100 ++++ iptables-1.6.0/iptables/iptables-apply 2016-04-13 17:44:07.130453958 +0200 +@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then + exit 2 + fi + +-COMMANDS=(tempfile "$SAVE" "$RESTORE") ++COMMANDS=(mktemp "$SAVE" "$RESTORE") + + for cmd in "${COMMANDS[@]}"; do + if ! command -v $cmd >/dev/null; then +@@ -122,7 +122,7 @@ done + + umask 0700 + +-TMPFILE=$(tempfile -p iptap) ++TMPFILE=$(mktemp) + trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 + + if ! "$SAVE" >"$TMPFILE"; then diff --git a/iptables-1.8.0-xtables-nft-multi.patch b/iptables-1.8.0-xtables-nft-multi.patch new file mode 100644 index 0000000..f1f5ab8 --- /dev/null +++ b/iptables-1.8.0-xtables-nft-multi.patch 
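Review bot: The unlock-and-skip block is pasted verbatim into both `ip6tables_restore_main` and `iptables_restore_main`, and it keys the release on `lock >= 0`, which assumes `XT_LOCK_NOT_ACQUIRED` (and any other sentinel the lock helper may return) is negative — the definition is outside the hunk, so confirm it, and consider a tiny shared helper so the two copies cannot drift. In the new test script `tmpfile=$(mktemp)` is created and trapped for removal but never used by `do_simple`, so the temp file and `clean_tempfile` are dead setup that can be dropped. Both restore main functions begin and end outside the hunk.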
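Review bot: `TMPFILE=$(mktemp)` is not checked, so if mktemp fails `TMPFILE` is empty, the `trap` degrades to a bare `rm -f` and `"$SAVE" >"$TMPFILE"` dies with an unhelpful redirection error; use `TMPFILE=$(mktemp) || exit 1`, or `mktemp -t iptap.XXXXXX` if the old `iptap` prefix is worth keeping for operators grepping /tmp. The context line `umask 0700` clears the owner bits rather than group/other; the value that keeps the saved ruleset private is `umask 077`, and with 0700 the file mktemp creates carries no owner permissions at all (mktemp applies the umask), which only goes unnoticed because the script is meant to run as root.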
@@ -0,0 +1,15 @@
+diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
+index 187da81e9f59b..03690a56edb72 100644
+--- a/iptables/xtables-nft-multi.c
++++ b/iptables/xtables-nft-multi.c
+@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
+ {"iptables-restore-translate", xtables_ip4_xlate_restore_main},
+ {"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
+ {"arptables", xtables_arp_main},
++ {"arptables-nft", xtables_arp_main},
+ {"ebtables-translate", xtables_eb_xlate_main},
+ {"ebtables", xtables_eb_main},
++ {"ebtables-nft", xtables_eb_main},
+ {"xtables-monitor", xtables_monitor_main},
+ {NULL},
+ };
diff --git a/iptables-1.8.0.tar.bz2 b/iptables-1.8.0.tar.bz2
new file mode 100644
index 0000000..f6d028e
Binary files /dev/null and b/iptables-1.8.0.tar.bz2 differ
diff --git a/iptables-config b/iptables-config
new file mode 100644
index 0000000..3d7e176
--- /dev/null
+++ b/iptables-config
@@ -0,0 +1,59 @@ +# Load additional iptables modules (nat helpers) +# Default: -none- +# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which +# are loaded after the firewall rules are applied. Options for the helpers are +# stored in /etc/modprobe.conf. +IPTABLES_MODULES="" + +# Save current firewall rules on stop. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped +# (e.g. on system shutdown). +IPTABLES_SAVE_ON_STOP="no" + +# Save current firewall rules on restart. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets +# restarted. +IPTABLES_SAVE_ON_RESTART="no" + +# Save (and restore) rule and chain counter. +# Value: yes|no, default: no +# Save counters for rules and chains to /etc/sysconfig/iptables if +# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or +# SAVE_ON_RESTART is enabled. +IPTABLES_SAVE_COUNTER="no" + +# Numeric status output +# Value: yes|no, default: yes +# Print IP addresses and port numbers in numeric format in the status output. +IPTABLES_STATUS_NUMERIC="yes" + +# Verbose status output +# Value: yes|no, default: yes +# Print info about the number of packets and bytes plus the "input-" and +# "outputdevice" in the status output. +IPTABLES_STATUS_VERBOSE="no" + +# Status output with numbered lines +# Value: yes|no, default: yes +# Print a counter/number for every rule in the status output. +IPTABLES_STATUS_LINENUMBERS="yes" + +# Reload sysctl settings on start and restart +# Default: -none- +# Space separated list of sysctl items which are to be reloaded on start. +# List items will be matched by fgrep. +#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf" + +# Set wait option for iptables-restore calls in seconds +# Default: 600 +# Set to 0 to deactivate the wait. 
+#IPTABLES_RESTORE_WAIT=600 + +# Set wait interval option for iptables-restore calls in microseconds +# Default: 1000000 +# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a +# second. +# Only usable with IPTABLES_RESTORE_WAIT > 0 +#IPTABLES_RESTORE_WAIT_INTERVAL=1000000 diff --git a/iptables.init b/iptables.init new file mode 100755 index 0000000..8f74bb3 --- /dev/null +++ b/iptables.init 
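Review bot: The comment above `IPTABLES_STATUS_VERBOSE` says `default: yes` while the shipped value is `"no"`, and the init script added in this same commit also defaults it to `"no"`, so the documented default is wrong and should read `# Value: yes|no, default: no`. Two smaller documentation points: the `IPTABLES_SYSCTL_LOAD_LIST` entry should say the items are matched as fixed substrings against lines of `/etc/sysctl.d/*` (that is what the init script's `fgrep -hs $item /etc/sysctl.d/*` does), so users do not expect exact sysctl key names; and the `IPTABLES_MODULES` text still sends users to `/etc/modprobe.conf` for helper options, where current modprobe reads `/etc/modprobe.d/` instead — worth hedging or updating.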
@@ -0,0 +1,421 @@ +#!/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# Source function library. +. /etc/init.d/functions + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Old or new modutils +/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ + && NEW_MODUTILS=1 \ + || NEW_MODUTILS=0 + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" + +# Get active tables +NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + + +flush_n_delete() { + # Flush firewall rules and delete chains. + [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IPTABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + [ -z "$tables" ] && return 1 + + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && 
success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + # Do not stop if iptables module is not loaded. + [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + # Check if iptable module is loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && restorecon $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && restorecon $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable modules are loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. 
" + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? 
+ ;;
+ reload)
+ [ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+ RETVAL=$?
+ ;;
+ condrestart|try-restart)
+ [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+ restart
+ RETVAL=$?
+ ;;
+ status)
+ status
+ RETVAL=$?
+ ;;
+ panic)
+ set_policy DROP
+ RETVAL=$?
+ ;;
+ save)
+ save
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
diff --git a/iptables.service b/iptables.service
new file mode 100644
index 0000000..6722c7a
--- /dev/null
+++ b/iptables.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target
diff --git a/iptables.spec b/iptables.spec
new file mode 100644
index 0000000..430eee6
--- /dev/null
+++ b/iptables.spec
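Review bot: `stop()` and `load_sysctl()` end with `return $ret` without ever assigning `ret` themselves: `load_sysctl` leaves it unset when IPTABLES_SYSCTL_LOAD_LIST is empty, and `stop()` returns whatever global `ret` the last of `set_policy`/`flush_n_delete` happened to leave behind, which is stale when those helpers take their early `return 1` paths. `start()` and `reload()` share the pattern when IPTABLES_MODULES is empty, so the exit status that `exit $RETVAL` hands to systemd and to the condrestart path is not deterministic. Initialising `ret=0` at the top of each of these functions and capturing the helper status explicitly in `stop()` (`flush_n_delete; ret=$?`) fixes this without changing the success path. As a smaller consistency point, `flush_n_delete`, `save` and `status` iterate the `NF_TABLES` snapshot taken at script start while `set_policy` re-reads `$PROC_IPTABLES_NAMES`; picking one of the two would make the table set the script acts on predictable across a `restart`.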
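Review bot: The unit has no ordering relative to network setup: with only `After=syslog.target` and `WantedBy=basic.target`, interfaces may be configured before the ruleset is applied, leaving a boot-time window in which the host runs with the kernel's default ACCEPT policies. Adding `Before=network-pre.target` and `Wants=network-pre.target` to `[Unit]` is the documented way for a firewall unit to be applied first; the same lines are then inherited by the ip6tables.service that the spec derives from this file with sed.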
@@ -0,0 +1,249 @@ +%global script_path %{_libexecdir}/iptables +%global legacy_actions %{_libexecdir}/initscripts/legacy-actions +Name: iptables +Version: 1.8.0 +Release: 5 +Summary: IP packet filter administration utilities +License: GPLv2 and Artistic Licence 2.0 and ISC +URL: https://www.netfilter.org/ +Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2 +Source1: iptables.init +Source2: iptables-config +Source3: iptables.service +Source4: sysconfig_iptables +Source5: sysconfig_ip6tables + +Patch1: iptables-1.6.0-iptables-apply_mktemp.patch +Patch2: iptables-1.8.0-xtables-nft-multi.patch +Patch6000: fix-crash-if-nft_rule_list_get-fails.patch +Patch6001: free-the-table-lock-when-skipping-a-table.patch +Patch6002: Allocate-rule-cache-just-once.patch +Patch6003: Fix-for-nft_rule_flush-returning-garbage.patch +Patch6004: Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch +Patch6005: Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch +Patch6006: Fix-opcode-printing-in-numeric-output.patch +Patch6007: Fix-for-segfault-in-iptables-nft.patch +Patch6008: Fix-for-segfault-when-registering-hashlimit-extension.patch +Patch6009: Fix-potential-array-overrun-in-xtables_option_parse.patch +Patch6010: Fix-for-potential-array-boundary-overstep.patch +Patch6011: Fix-incorrect-strcmp-in-nft_arp_rule_find.patch + +BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git +BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel + +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +%systemd_requires + +Provides: iptables-libs iptables-utils iptables-services +Obsoletes: iptables-libs iptables-utils iptables-services + +%description +Netfilter is a set of hooks inside the Linux kernel that allows kernel +modules to register callback functions with the network stack. 
A +registered callback function is then called back for every packet that +traverses the respective hook within the network stack. + +Iptables is a generic table structure for the definition of rulesets. +Each rule within an IP table consists of a number of classifiers +(iptables matches) and one connected action (iptables target). + +Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) +and the NAT subsystem together build the major parts of the framework. + +%package devel +Summary: header files for iproute +Requires: %{name} = %{version}-%{release} pkgconfig + +%description devel +Header files for iproute. + +%package nft +Summary: nft package for iproute +Requires: %{name} = %{version}-%{release} +Obsoletes: iptables-compat < 1.6.2-4 + +%description nft +Nft package for iproute. + +%package_help + +%prep +%autosetup -n %{name}-%{version} -p1 -S git + +%build +%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr + +%disable_rpath + +rm -f include/linux/types.h + +%make_build + +%install +%make_install + +%delete_la + +install -m 0755 -d %{buildroot}%{_includedir}/iptables +install -m 0644 include/ip*tables.h %{buildroot}%{_includedir} +install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables + +install -m 0755 -d %{buildroot}%{_includedir}/libipulog/ +install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog + +install -m 0755 -d %{buildroot}/%{script_path} +install -m 0644 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init +install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init +install -m 0755 -d %{buildroot}%{_sysconfdir}/sysconfig +install -m 0600 -c %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config +install -m 0600 -c 
ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config +install -m 0600 -c %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables +install -m 0600 -c %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables + +install -m 0755 -d %{buildroot}%{_unitdir} +install -m 0644 -c %{SOURCE3} %{buildroot}%{_unitdir} +sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service +install -m 0644 -c ip6tables.service %{buildroot}%{_unitdir} + +install -m 0755 -d %{buildroot}/%{legacy_actions}/iptables +install -m 0755 -d %{buildroot}/%{legacy_actions}/ip6tables + +pushd %{buildroot}/%{legacy_actions}/iptables +cat << EOF > save +#!/bin/bash +exec %{script_path}/iptables.init save +EOF +chmod 0755 save +popd +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy +install -m 0755 -c ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save + +pushd %{buildroot}/%{legacy_actions}/iptables +cat << EOF > panic +#!/bin/bash +exec %{script_path}/iptables.init panic +EOF +chmod 0755 panic +popd +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy +install -m 0755 -c ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic + +install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir} +install -m 0755 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8 + +pushd %{buildroot}%{_sbindir} +mv ebtables ebtables-nft +mv arptables arptables-nft + +touch ebtables \ + arptables \ + iptables \ + ip6tables +popd + +%ldconfig_scriptlets + +%post +pfx=%{_sbindir}/iptables +pfx6=%{_sbindir}/ip6tables +%{_sbindir}/update-alternatives --install \ + $pfx iptables $pfx-legacy 10 \ + --slave $pfx6 ip6tables $pfx6-legacy \ + --slave $pfx-restore iptables-restore $pfx-legacy-restore \ + --slave $pfx-save 
iptables-save $pfx-legacy-save \ + --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \ + --slave $pfx6-save ip6tables-save $pfx6-legacy-save + +%systemd_post iptables.service ip6tables.service + +%preun +%systemd_preun iptables.service ip6tables.service + +%postun +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove \ + iptables %{_sbindir}/iptables-legacy +fi +%?ldconfig +%systemd_postun iptables.service ip6tables.service + +%post nft +pfx=%{_sbindir}/iptables +pfx6=%{_sbindir}/ip6tables +%{_sbindir}/update-alternatives --install \ + $pfx iptables $pfx-nft 5 \ + --slave $pfx6 ip6tables $pfx6-nft \ + --slave $pfx-restore iptables-restore $pfx-nft-restore \ + --slave $pfx-save iptables-save $pfx-nft-save \ + --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \ + --slave $pfx6-save ip6tables-save $pfx6-nft-save + +for cmd in ebtables arptables; do + if [ "$(readlink -e %{_sbindir}/$cmd)" == %{_sbindir}/$cmd ]; then + rm -f %{_sbindir}/$cmd + fi + %{_sbindir}/update-alternatives --install \ + %{_sbindir}/$cmd $cmd %{_sbindir}/$cmd-nft 5 +done + +%postun nft +if [ $1 -eq 0 ]; then + for cmd in iptables ebtables arptables; do + %{_sbindir}/update-alternatives --remove \ + $cmd %{_sbindir}/$cmd-nft + done +fi + +%files +%defattr(-,root,root) +%license COPYING +%{script_path}/ip*tables.init +%{_sysconfdir}/ethertypes +%config(noreplace) %{_sysconfdir}/sysconfig/* +%{_sbindir}/nfnl_osf +%{_sbindir}/nfbpf_* +%{_sbindir}/iptables-apply +%{_sbindir}/ip*tables-legacy* +%{_sbindir}/xtables-legacy-multi +%exclude %{_sbindir}/*-nft* +%exclude %{_sbindir}/*-translate +%exclude %{_sbindir}/xtables-monitor +%{_bindir}/iptables-xml +%{_libdir}/xtables/* +%{_libdir}/*.so.* +%{_unitdir}/*.service +%dir %{legacy_actions} +%{legacy_actions}/ip* +%{_datadir}/xtables/pf.os +%ghost %{_sbindir}/ip*tables +%ghost %{_sbindir}/ip*tables-restore +%ghost %{_sbindir}/ip*tables-save + +%files devel +%defattr(-,root,root) +%{_includedir}/* +%{_libdir}/*.so 
+%{_libdir}/pkgconfig/*.pc
+
+%files nft
+%defattr(-,root,root)
+%{_sbindir}/*-nft*
+%{_sbindir}/*-translate
+%{_sbindir}/xtables-monitor
+%ghost %{_sbindir}/ip*tables
+%ghost %{_sbindir}/ip*tables-restore
+%ghost %{_sbindir}/ip*tables-save
+%ghost %{_sbindir}/ebtables
+%ghost %{_sbindir}/arptables
+
+%files help
+%defattr(-,root,root)
+%doc INCOMPATIBILITIES
+%{_mandir}/*
+
+%changelog
+* Fri Sep 20 2019 openEuler Buildteam - 1.8.0-5
+- Package init
diff --git a/sysconfig_ip6tables b/sysconfig_ip6tables
new file mode 100644
index 0000000..34b8b87
--- /dev/null
+++ b/sysconfig_ip6tables
@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
diff --git a/sysconfig_iptables b/sysconfig_iptables
new file mode 100644
index 0000000..5183250
--- /dev/null
+++ b/sysconfig_iptables
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
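Review bot: `install -m 0644 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init` in %install drops the execute bit on the IPv4 init script, while the sed-generated ip6tables.init two lines later is installed 0755 and %files adds no %attr for `%{script_path}/ip*tables.init`; iptables.service's `ExecStart=/usr/libexec/iptables/iptables.init start` will presumably fail with a permission error on the packaged file. The line should read `install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init`. Separately, the devel and nft subpackage metadata names the wrong project (`Summary: header files for iproute`, `Summary: nft package for iproute`, and the matching %description lines) and should say iptables. The scratch file names `ip6tabes.save-legacy` and `ip6tabes.panic-legacy` are misspelled; harmless, but worth fixing in the same pass.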