Package init

This commit is contained in:
overweight 2019-09-30 10:53:23 -04:00
commit 0fc2966087
21 changed files with 1476 additions and 0 deletions


@ -0,0 +1,38 @@
From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:08 +0200
Subject: xtables: Allocate rule cache just once
For each parsed table, xtables-restore calls nft_table_flush() which
each time allocates a new rule cache, possibly overwriting the pointer
to the previously allocated one. Fix this by checking the pointer value
and only allocate if it's NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index a9cb92ed..d5c4c766 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1867,9 +1867,11 @@ next:
t = nftnl_table_list_iter_next(iter);
}
- h->rule_cache = nftnl_rule_list_alloc();
- if (h->rule_cache == NULL)
- return -1;
+ if (!h->rule_cache) {
+ h->rule_cache = nftnl_rule_list_alloc();
+ if (h->rule_cache == NULL)
+ return -1;
+ }
err_table_iter:
nftnl_table_list_iter_destroy(iter);
--
cgit v1.2.1
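Review bot: The `return -1` kept inside the new `if (!h->rule_cache)` block jumps over the `err_table_iter:` label two lines below it, so the table-list iterator that the surrounding loop was walking is never destroyed on the allocation-failure path; the commit fixes the repeated allocation but carries that leak along. The failure branch should release the iterator before leaving, `if (h->rule_cache == NULL) { nftnl_table_list_iter_destroy(iter); return -1; }`, or record the error and `goto err_table_iter` if the function already has a return-code variable (its declaration is not in the hunk). The enclosing function starts and ends outside this hunk.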


@ -0,0 +1,54 @@
From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:09 +0200
Subject: xtables: Fix for nft_rule_flush() returning garbage
Due to variable 'ret' not being initialized in all situations, return
code of the function depends on garbage in stack. Fix this by
initializing 'ret' to zero upon declaration.
While being at it, make nftnl_chain_list_get() failure as well as
nftnl_chain_list_iter_create() failure an error condition since both
functions should succeed even if the current ruleset does not contain
any chains at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index d5c4c766..f2d6ea13 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
{
- int ret;
+ int ret = 0;
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
struct nftnl_chain *c;
@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
list = nftnl_chain_list_get(h);
if (list == NULL) {
- ret = 0;
+ ret = 1;
goto err;
}
iter = nftnl_chain_list_iter_create(list);
- if (iter == NULL)
+ if (iter == NULL) {
+ ret = 1;
goto err;
+ }
c = nftnl_chain_list_iter_next(iter);
while (c != NULL) {
--
cgit v1.2.1
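Review bot: The meaning of `ret = 1` on the two new failure paths is not visible here: the `err:` label and the function's return statement lie outside the hunk, and nothing in the visible body says whether a non-zero `ret` is an internal error flag that the epilogue translates or the value handed straight back to the caller. Since the fix depends on that convention, a comment at the declaration, `int ret = 0; /* 0 = success; non-zero is turned into a failure return at err: */`, would document it, assuming that is indeed what the epilogue does. It is also worth confirming that the list returned by `nftnl_chain_list_get()` needs no release on the new `iter == NULL` path.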


@ -0,0 +1,30 @@
From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 10 Sep 2018 23:35:15 +0200
Subject: ebtables: Fix for potential array boundary overstep
Fix the parameter check in nft_ebt_standard_target() to avoid an array
out of bounds access in ebt_standard_targets.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-bridge.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index 1fe26bab..9d49ccbe 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
static inline const char *nft_ebt_standard_target(unsigned int num)
{
- if (num > NUM_STANDARD_TARGETS)
+ if (num >= NUM_STANDARD_TARGETS)
return NULL;
return ebt_standard_targets[num];
--
cgit v1.2.1
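Review bot: Style: the corrected bound repeats the macro the array is declared with (`ebt_standard_targets[NUM_STANDARD_TARGETS]`, visible in the hunk header), so the check and the array can drift apart if the table is ever resized without the macro; deriving the bound from the object it guards, `if (num >= ARRAY_SIZE(ebt_standard_targets))`, avoids that, provided an ARRAY_SIZE macro is reachable from this header (its includes are not visible). Callers of `nft_ebt_standard_target()` must already cope with the NULL return, which now also covers `num == NUM_STANDARD_TARGETS`.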


@ -0,0 +1,93 @@
m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 17 Aug 2018 15:35:47 +0200
Subject: xtables: Fix for segfault in iptables-nft
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO in the above case
and add an appropriate Mesage to nft_strerror().
While being at it, improve the error message if an invalid policy was
given. Before:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Incompatible with this kernel.
After:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Bad policy name. Run `dmesg' for more information.
Third unrelated change in this patch: Drop error checking of
nft_chain_set() in do_commandx(): The function never returns negative,
so that check never yielded true.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 11 +++++++++--
iptables/xtables.c | 3 ---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 0b29caeb..dd8469a9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
struct builtin_chain *_c;
_t = nft_table_builtin_find(h, table);
+ if (!_t) {
+ errno = ENXIO;
+ return NULL;
+ }
+
/* if this built-in table does not exists, create it */
- if (_t != NULL)
- nft_table_builtin_add(h, _t);
+ nft_table_builtin_add(h, _t);
_c = nft_chain_builtin_find(_t, chain);
if (_c != NULL) {
@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
c = nft_chain_new(h, table, chain, NF_DROP, counters);
else if (strcmp(policy, "ACCEPT") == 0)
c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+ else
+ errno = EINVAL;
if (c == NULL)
return 0;
@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
"Bad rule (does a matching rule exist in that chain?)" },
{ nft_chain_set, ENOENT, "Bad built-in chain name" },
{ nft_chain_set, EINVAL, "Bad policy name" },
+ { nft_chain_set, ENXIO, "Bad table name" },
{ NULL, ELOOP, "Loop found in table" },
{ NULL, EPERM, "Permission denied (you must be root)" },
{ NULL, 0, "Incompatible with this kernel" },
diff --git a/iptables/xtables.c b/iptables/xtables.c
index d9050b45..72f65962 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
break;
case CMD_SET_POLICY:
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
- if (ret < 0)
- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
- p.policy);
break;
default:
/* We should never reach this... */
--
cgit v1.2.1
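Review bot: The new `else errno = EINVAL;` branch in `nft_chain_set()` leaves `c` unassigned and relies on `c` being initialised to NULL at its declaration, which is outside the hunk; if it is not, the following `if (c == NULL) return 0;` reads an indeterminate pointer, so that initialisation should be confirmed. The ENXIO set in `nft_chain_new()` is only mapped to "Bad table name" through the `nft_chain_set` entry of `nft_strerror()`, so any other caller of `nft_chain_new()` (none is visible here) would still report the generic "Incompatible with this kernel" text for the same condition; `{ NULL, ENXIO, "Bad table name" }` would cover them if that wording fits every caller. With the `ret < 0` check dropped from `do_commandx()`, the 0 that `nft_chain_set()` returns on failure has to be reported by whoever consumes `ret` after the switch, which lies outside the hunk.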


@ -0,0 +1,33 @@
From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001
From: Heena Sirwani <heenasirwani@gmail.com>
Date: Tue, 21 Aug 2018 17:25:56 +0530
Subject: xtables: Fix for segfault when registering hashlimit extension
This patch fixes the crash when registering the hashlimit extension
with xtables during init_extensions(when built with static libs) .
The option validation function xtables_option_metavalidate has a
loop termination condition of the entry name being NULL. The loop
does not terminate when validating hashlimit_mt_opts_v2 which causes
a crash on derefencing an invalid entry.
Signed-off-by: Heena Sirwani <heenasirwani@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libxt_hashlimit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 70bc615b..7d78d852 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
+ XTOPT_TABLEEND,
};
#undef s
--
cgit v1.2.1
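Review bot: The sentinel the fix adds is easy to lose again on the next edit of this table because nothing in the code says why it is there; a trailing comment, `XTOPT_TABLEEND, /* required: xtables_option_metavalidate() stops at .name == NULL */`, would carry the reason from the commit message into the source. The other option tables in this file (the non-versioned and v1 tables, not visible here) should be checked for the same omission since the crash only shows up at registration time.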


@ -0,0 +1,31 @@
From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 19 Sep 2018 15:17:07 +0200
Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find()
Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
strcmp() may be passed a NULL pointer. Therefore check if the pointer is
valid before doing so.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-arp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index b8e89826..a2109c60 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
if (!compare_targets(cs->target, this.target))
return false;
- if (strcmp(cs->jumpto, this.jumpto) != 0)
+ if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
return false;
return true;
--
cgit v1.2.1
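Review bot: The added guard makes a rule whose `this.jumpto` is NULL compare equal to `cs` whatever `cs->jumpto` holds, so once the other fields match, a rule with no standard target is reported as matching a command that names one, which would let `-D` or `-C` hit the wrong rule; and if `cs->jumpto` can itself be NULL, the `strcmp()` still receives a NULL argument when `this.jumpto` is set. Treating presence as part of the comparison is safer: `if (!this.jumpto != !cs->jumpto) return false;` before the existing line, unless the caller guarantees `cs->jumpto` is always set and an absent target in `this` is meant to match anything, which cannot be seen here. `nft_arp_rule_find()` starts outside the hunk.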


@ -0,0 +1,29 @@
From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:22 +0200
Subject: arptables: Fix opcode printing in numeric output
This line of code was dropped by accident, add it back.
Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-arp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 5cabb93e..570a2589 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -543,6 +543,7 @@ after_devdst:
if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
printf("--opcode %s", opcodes[tmp-1]);
else
+ printf("--opcode %d", tmp);
if (fw->arp.arpop_mask != 65535)
printf("/%d", ntohs(fw->arp.arpop_mask));
--
cgit v1.2.1
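Review bot: The condition two lines above the restored `printf`, `tmp <= NUMOPCODES`, has no lower bound, so a rule carrying opcode 0 still indexes `opcodes[tmp-1]` at -1; the commit brings back the numeric fallback but leaves that out-of-bounds read in place. Guarding both ends, `if (tmp >= 1 && tmp <= NUMOPCODES && !(format & FMT_NUMERIC))`, routes opcode 0 into the numeric branch instead, assuming `tmp` holds the raw opcode from the rule (its assignment is outside the hunk). The enclosing function starts and ends outside this hunk.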


@ -0,0 +1,30 @@
From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 10 Sep 2018 23:35:13 +0200
Subject: libxtables: Fix potential array overrun in xtables_option_parse()
If entry->type is to be used as array index, it needs to be at max one
less than that array's size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
libxtables/xtoptions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index ba3128bd..326febd5 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb)
* a *RC option type.
*/
cb->nvals = 1;
- if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
+ if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
xtopt_subparse[entry->type] != NULL)
xtopt_subparse[entry->type](cb);
/* Exclusion with other flags tested later in finalize. */
--
cgit v1.2.1


@ -0,0 +1,72 @@
From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:11 +0200
Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
not added to the cache.
There is one exception though, namely when zeroing counters:
nft_chain_zero_counters() adds a chain object it took from chain cache.
To distinguish this situation from the others, introduce
NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 26df1287..327c19ad 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -246,6 +246,7 @@ enum obj_update_type {
NFT_COMPAT_CHAIN_USER_FLUSH,
NFT_COMPAT_CHAIN_UPDATE,
NFT_COMPAT_CHAIN_RENAME,
+ NFT_COMPAT_CHAIN_ZERO,
NFT_COMPAT_RULE_APPEND,
NFT_COMPAT_RULE_INSERT,
NFT_COMPAT_RULE_REPLACE,
@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
break;
case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
case NFT_COMPAT_CHAIN_USER_ADD:
case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
case NFT_COMPAT_TABLE_FLUSH:
nftnl_table_free(o->table);
break;
- case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
case NFT_COMPAT_CHAIN_USER_ADD:
break;
+ case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE:
@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
n->seq, n->table);
break;
case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
NLM_F_CREATE, n->seq,
n->chain);
@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
- ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
+ ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
if (chain != NULL)
break;
--
cgit v1.2.1
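Review bot: The new enumerator is undocumented, and its only difference from `NFT_COMPAT_CHAIN_ADD`, who owns the chain object, is spread across three switch statements; a comment at the definition, `NFT_COMPAT_CHAIN_ZERO, /* same netlink op as CHAIN_ADD, but the chain belongs to the chain cache and must not be freed by batch_obj_del() */`, would make the distinction explicit where readers look first. Any other switch over `enum obj_update_type` in this file without a `default` case (none is visible here) will now lack the value; a build with `-Wswitch` would point them out.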


@ -0,0 +1,31 @@
From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:10 +0200
Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
These always have to be freed because nft_chain_user_del() removes them
from the cache so they are not freed when the chain cache is flushed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index f2d6ea13..26df1287 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
break;
case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_USER_ADD:
- case NFT_COMPAT_CHAIN_USER_DEL:
break;
+ case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE:
case NFT_COMPAT_CHAIN_RENAME:
--
cgit v1.2.1
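Review bot: After the case move, `batch_obj_del()` frees the chains of `NFT_COMPAT_CHAIN_USER_DEL` jobs, but the switch gives no hint which job types own their chain and which only reference the cache; a comment on the moved case, `case NFT_COMPAT_CHAIN_USER_DEL: /* unlinked from the chain cache by nft_chain_user_del(), owned by the job */`, would keep the rationale from the commit message next to the code. Whether a batch error path elsewhere also releases or re-inserts that chain (not visible here) should be confirmed so the new free does not become a double free.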


@ -0,0 +1,31 @@
From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 19 Jul 2018 18:31:53 +0200
Subject: xtables: fix crash if nft_rule_list_get() fails
Without this, trying to add a rule using ebtables without proper
permissions crashes the program.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3cacf5fe..e1788dba 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (batch_rule_add(h, type, r) < 0)
nftnl_rule_free(r);
- nft_rule_list_get(h);
+ if (!nft_rule_list_get(h))
+ return 0;
nftnl_rule_list_add_tail(r, h->rule_cache);
--
cgit v1.2.1
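Review bot: The use-after-free two lines above the change is still present: when `batch_rule_add()` fails, `r` is freed, yet the function carries on and, once the new cache check passes, appends the freed `r` to `h->rule_cache`. The failure branch needs to leave the function as well, `if (batch_rule_add(h, type, r) < 0) { nftnl_rule_free(r); return 0; }`, matching the `return 0` the fix uses for the cache-fetch failure. `nft_rule_append()` starts and ends outside this hunk.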


@ -0,0 +1,192 @@
From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001
From: Joel Goguen <contact+netfilter@jgoguen.ca>
Date: Wed, 11 Jul 2018 16:32:20 -0700
Subject: iptables-restore: free the table lock when skipping a table
Currently, when running `iptables-restore --table=X`, where `X` is not the first
table in the rules dump, the restore will fail when parsing the second table:
- a lock is acquird when parsing the first table name
- the table name does not match the parameter to `--table` so processing
continues until the next table
- when processing the next table a lock is acquired, which fails because a lock
is already held
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
This will release the lock as soon as it's decided the current table won't be
used.
Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/ip6tables-restore.c | 7 +++-
iptables/iptables-restore.c | 7 +++-
.../ipt-restore/0001load-specific-table_0 | 41 ++++++++++++++++++++++
.../testcases/ipt-restore/dumps/ip6tables.dump | 30 ++++++++++++++++
.../testcases/ipt-restore/dumps/iptables.dump | 30 ++++++++++++++++
5 files changed, 113 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index cc50bb4f..d36f92da 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
- if (tablename != NULL && strcmp(tablename, table) != 0)
+ if (tablename != NULL && strcmp(tablename, table) != 0) {
+ if (lock >= 0) {
+ xtables_unlock(lock);
+ lock = XT_LOCK_NOT_ACQUIRED;
+ }
continue;
+ }
if (handle)
ops->free(handle);
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index d5603fce..142ddb82 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
- if (tablename && (strcmp(tablename, table) != 0))
+ if (tablename && (strcmp(tablename, table) != 0)) {
+ if (lock >= 0) {
+ xtables_unlock(lock);
+ lock = XT_LOCK_NOT_ACQUIRED;
+ }
continue;
+ }
if (handle)
ops->free(handle);
diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
new file mode 100755
index 00000000..ce3bef3a
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+
+set -x
+
+clean_tempfile()
+{
+ if [ -n "${tmpfile}" ]; then
+ rm -f "${tmpfile}"
+ fi
+}
+
+trap clean_tempfile EXIT
+
+tmpfile=$(mktemp) || exit 1
+
+do_simple()
+{
+ iptables="${1}"
+ table="${2}"
+ dumpfile="$(dirname "${0}")/dumps/${iptables}.dump"
+
+ "$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$?
+
+ if [ "${rv}" -ne 0 ]; then
+ RET=1
+ fi
+}
+
+do_simple "iptables" "filter"
+do_simple "iptables" "mangle"
+do_simple "iptables" "raw"
+do_simple "iptables" "nat"
+do_simple "ip6tables" "filter"
+do_simple "ip6tables" "mangle"
+do_simple "ip6tables" "raw"
+do_simple "ip6tables" "nat"
+
+exit "${RET}"
diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
new file mode 100644
index 00000000..4ac4f882
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
@@ -0,0 +1,30 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [8:656]
+:POSTROUTING ACCEPT [8:656]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [794:190738]
+:INPUT ACCEPT [794:190738]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [991:170303]
+:POSTROUTING ACCEPT [991:170303]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [794:190738]
+:OUTPUT ACCEPT [991:170303]
+COMMIT
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [991:170303]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
new file mode 100644
index 00000000..6e4e42d3
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
@@ -0,0 +1,30 @@
+*nat
+:PREROUTING ACCEPT [1:89]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [351:24945]
+:POSTROUTING ACCEPT [351:24945]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [3270:1513114]
+:INPUT ACCEPT [3270:1513114]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+:POSTROUTING ACCEPT [3546:1090751]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [3270:1513114]
+:OUTPUT ACCEPT [3528:1087907]
+COMMIT
+
+*filter
+:INPUT DROP [37:4057]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
--
cgit v1.2.1
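Review bot: The new shell test only checks the exit status of `iptables-restore --table=X`, so a regression that silently applied every table would still pass; dumping the ruleset after each `do_simple` call and asserting that only the selected table changed would test the behaviour the fix is about. `tmpfile` is created at `tmpfile=$(mktemp) || exit 1` and removed by the trap but never used, so either that dump belongs in it or the three `tmpfile` lines should go. The unlock-and-reset added to both restore programs looks right; the `lock >= 0` test assumes `XT_LOCK_NOT_ACQUIRED` is negative, which its definition (outside the hunk) should confirm.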


@ -0,0 +1,21 @@
diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
--- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp 2015-12-09 13:55:06.000000000 +0100
+++ iptables-1.6.0/iptables/iptables-apply 2016-04-13 17:44:07.130453958 +0200
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
exit 2
fi
-COMMANDS=(tempfile "$SAVE" "$RESTORE")
+COMMANDS=(mktemp "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
umask 0700
-TMPFILE=$(tempfile -p iptap)
+TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
if ! "$SAVE" >"$TMPFILE"; then
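Review bot: The `umask 0700` on the line above the new `mktemp` call is inverted: it clears the owner bits and leaves group and other untouched, so mktemp's 0600 is masked down to 0000 and any file created afterwards would be group- and world-accessible; the script only keeps working because it runs as root, which bypasses the mode bits when `"$SAVE" >"$TMPFILE"` reopens the file by path. The temp file holds the complete ruleset and should be private to the owner: `umask 077`. Replacing `tempfile -p iptap` with a bare `mktemp` also drops the recognisable prefix; `mktemp -t iptap.XXXXXXXX` keeps it and still honours TMPDIR.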


@ -0,0 +1,15 @@
diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
index 187da81e9f59b..03690a56edb72 100644
--- a/iptables/xtables-nft-multi.c
+++ b/iptables/xtables-nft-multi.c
@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
{"iptables-restore-translate", xtables_ip4_xlate_restore_main},
{"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
{"arptables", xtables_arp_main},
+ {"arptables-nft", xtables_arp_main},
{"ebtables-translate", xtables_eb_xlate_main},
{"ebtables", xtables_eb_main},
+ {"ebtables-nft", xtables_eb_main},
{"xtables-monitor", xtables_monitor_main},
{NULL},
};

iptables-1.8.0.tar.bz2 Normal file


iptables-config Normal file

@ -0,0 +1,59 @@
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
# Reload sysctl settings on start and restart
# Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
# Set wait option for iptables-restore calls in seconds
# Default: 600
# Set to 0 to deactivate the wait.
#IPTABLES_RESTORE_WAIT=600
# Set wait interval option for iptables-restore calls in microseconds
# Default: 1000000
# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
# second.
# Only usable with IPTABLES_RESTORE_WAIT > 0
#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
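Review bot: The comment block for `IPTABLES_STATUS_VERBOSE` says `default: yes` while the value set three lines below is `"no"`, and the accompanying iptables.init also initialises it to `"no"`; the comment should read `# Value: yes|no, default: no` so administrators are not told the wrong default. The `IPTABLES_SYSCTL_LOAD_LIST` text says items are matched by fgrep; a sentence noting that each item is a fixed substring rather than a sysctl name, so `.nf_conntrack` also pulls in every line containing it, would help readers of this file.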

iptables.init Executable file

@ -0,0 +1,421 @@
#!/bin/bash
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library.
. /etc/init.d/functions
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
# only usable for root
if [ $EUID != 0 ]; then
echo -n $"${IPTABLES}: Only usable by root."; warning; echo
exit 4
fi
if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
&& NEW_MODUTILS=1 \
|| NEW_MODUTILS=0
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""
IPTABLES_RESTORE_WAIT=600
IPTABLES_RESTORE_WAIT_INTERVAL=1000000
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
flush_n_delete() {
# Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
filter)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \
|| let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy \
&& $IPTABLES -t nat -P POSTROUTING $policy \
&& $IPTABLES -t nat -P OUTPUT $policy \
|| let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
load_sysctl() {
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
return $ret
}
start() {
# Do not start if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
stop() {
# Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Set default chain policy to ACCEPT, in order to not break shutdown
# on systems where the default policy is DROP and root device is
# network-based (i.e.: iSCSI, NFS)
set_policy ACCEPT
# And then, flush the rules and delete chains
flush_n_delete
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
# Check if iptable module is loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 0
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 6
fi
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
&& chmod 600 $IPTABLES_DATA.save \
&& restorecon $IPTABLES_DATA.save \
|| ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA \
&& chmod 600 $IPTABLES_DATA \
&& restorecon $IPTABLES_DATA \
|| ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
return 0
}
reload() {
# Do not reload if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Trying to reload firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; echo "Firewall rules are not changed."; return 1
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
return $ret
}
restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
}
case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
RETVAL=$?
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
exit $RETVAL

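--- a/iptables.service
+++ b/iptables.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+[Install]
+WantedBy=basic.target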
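Review bot: The unit carries no ordering against network bring-up — the only dependency is `After=syslog.target` — so nothing guarantees the ruleset is loaded before interfaces come up, leaving a boot-time window in which the host is reachable with an empty filter table. Adding `Before=network-pre.target` and `Wants=network-pre.target` to the [Unit] section orders the rule load ahead of network configuration; a `Conflicts=nftables.service` line is also worth considering since both manage the same netfilter hooks, though whether that unit ships on this distribution I can't tell from here. Note too that `syslog.target`, `StandardOutput=syslog` and `StandardError=syslog` are legacy names in current systemd; `journal` is the documented replacement for the latter two.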

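--- a/iptables.spec
+++ b/iptables.spec
@@ -0,0 +1,249 @@
+%global script_path %{_libexecdir}/iptables
+%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
+Name: iptables
+Version: 1.8.0
+Release: 5
+Summary: IP packet filter administration utilities
+License: GPLv2 and Artistic Licence 2.0 and ISC
+URL: https://www.netfilter.org/
+Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
+Source1: iptables.init
+Source2: iptables-config
+Source3: iptables.service
+Source4: sysconfig_iptables
+Source5: sysconfig_ip6tables
+Patch1: iptables-1.6.0-iptables-apply_mktemp.patch
+Patch2: iptables-1.8.0-xtables-nft-multi.patch
+Patch6000: fix-crash-if-nft_rule_list_get-fails.patch
+Patch6001: free-the-table-lock-when-skipping-a-table.patch
+Patch6002: Allocate-rule-cache-just-once.patch
+Patch6003: Fix-for-nft_rule_flush-returning-garbage.patch
+Patch6004: Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
+Patch6005: Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
+Patch6006: Fix-opcode-printing-in-numeric-output.patch
+Patch6007: Fix-for-segfault-in-iptables-nft.patch
+Patch6008: Fix-for-segfault-when-registering-hashlimit-extension.patch
+Patch6009: Fix-potential-array-overrun-in-xtables_option_parse.patch
+Patch6010: Fix-for-potential-array-boundary-overstep.patch
+Patch6011: Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
+BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
+BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+%systemd_requires
+Provides: iptables-libs iptables-utils iptables-services
+Obsoletes: iptables-libs iptables-utils iptables-services
+%description
+Netfilter is a set of hooks inside the Linux kernel that allows kernel
+modules to register callback functions with the network stack. A
+registered callback function is then called back for every packet that
+traverses the respective hook within the network stack.
+Iptables is a generic table structure for the definition of rulesets.
+Each rule within an IP table consists of a number of classifiers
+(iptables matches) and one connected action (iptables target).
+Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack)
+and the NAT subsystem together build the major parts of the framework.
+%package devel
+Summary: header files for iproute
+Requires: %{name} = %{version}-%{release} pkgconfig
+%description devel
+Header files for iproute.
+%package nft
+Summary: nft package for iproute
+Requires: %{name} = %{version}-%{release}
+Obsoletes: iptables-compat < 1.6.2-4
+%description nft
+Nft package for iproute.
+%package_help
+%prep
+%autosetup -n %{name}-%{version} -p1 -S git
+%build
+%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
+%disable_rpath
+rm -f include/linux/types.h
+%make_build
+%install
+%make_install
+%delete_la
+install -m 0755 -d %{buildroot}%{_includedir}/iptables
+install -m 0644 include/ip*tables.h %{buildroot}%{_includedir}
+install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables
+install -m 0755 -d %{buildroot}%{_includedir}/libipulog/
+install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog
+install -m 0755 -d %{buildroot}/%{script_path}
+install -m 0644 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init
+sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
+install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init
+install -m 0755 -d %{buildroot}%{_sysconfdir}/sysconfig
+install -m 0600 -c %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
+sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
+install -m 0600 -c ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
+install -m 0600 -c %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables
+install -m 0600 -c %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables
+install -m 0755 -d %{buildroot}%{_unitdir}
+install -m 0644 -c %{SOURCE3} %{buildroot}%{_unitdir}
+sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
+install -m 0644 -c ip6tables.service %{buildroot}%{_unitdir}
+install -m 0755 -d %{buildroot}/%{legacy_actions}/iptables
+install -m 0755 -d %{buildroot}/%{legacy_actions}/ip6tables
+pushd %{buildroot}/%{legacy_actions}/iptables
+cat << EOF > save
+#!/bin/bash
+exec %{script_path}/iptables.init save
+EOF
+chmod 0755 save
+popd
+sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy
+install -m 0755 -c ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save
+pushd %{buildroot}/%{legacy_actions}/iptables
+cat << EOF > panic
+#!/bin/bash
+exec %{script_path}/iptables.init panic
+EOF
+chmod 0755 panic
+popd
+sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
+install -m 0755 -c ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
+install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir}
+install -m 0755 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8
+pushd %{buildroot}%{_sbindir}
+mv ebtables ebtables-nft
+mv arptables arptables-nft
+touch ebtables \
+arptables \
+iptables \
+ip6tables
+popd
+%ldconfig_scriptlets
+%post
+pfx=%{_sbindir}/iptables
+pfx6=%{_sbindir}/ip6tables
+%{_sbindir}/update-alternatives --install \
+$pfx iptables $pfx-legacy 10 \
+--slave $pfx6 ip6tables $pfx6-legacy \
+--slave $pfx-restore iptables-restore $pfx-legacy-restore \
+--slave $pfx-save iptables-save $pfx-legacy-save \
+--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
+--slave $pfx6-save ip6tables-save $pfx6-legacy-save
+%systemd_post iptables.service ip6tables.service
+%preun
+%systemd_preun iptables.service ip6tables.service
+%postun
+if [ $1 -eq 0 ]; then
+%{_sbindir}/update-alternatives --remove \
+iptables %{_sbindir}/iptables-legacy
+fi
+%?ldconfig
+%systemd_postun iptables.service ip6tables.service
+%post nft
+pfx=%{_sbindir}/iptables
+pfx6=%{_sbindir}/ip6tables
+%{_sbindir}/update-alternatives --install \
+$pfx iptables $pfx-nft 5 \
+--slave $pfx6 ip6tables $pfx6-nft \
+--slave $pfx-restore iptables-restore $pfx-nft-restore \
+--slave $pfx-save iptables-save $pfx-nft-save \
+--slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
+--slave $pfx6-save ip6tables-save $pfx6-nft-save
+for cmd in ebtables arptables; do
+if [ "$(readlink -e %{_sbindir}/$cmd)" == %{_sbindir}/$cmd ]; then
+rm -f %{_sbindir}/$cmd
+fi
+%{_sbindir}/update-alternatives --install \
+%{_sbindir}/$cmd $cmd %{_sbindir}/$cmd-nft 5
+done
+%postun nft
+if [ $1 -eq 0 ]; then
+for cmd in iptables ebtables arptables; do
+%{_sbindir}/update-alternatives --remove \
+$cmd %{_sbindir}/$cmd-nft
+done
+fi
+%files
+%defattr(-,root,root)
+%license COPYING
+%{script_path}/ip*tables.init
+%{_sysconfdir}/ethertypes
+%config(noreplace) %{_sysconfdir}/sysconfig/*
+%{_sbindir}/nfnl_osf
+%{_sbindir}/nfbpf_*
+%{_sbindir}/iptables-apply
+%{_sbindir}/ip*tables-legacy*
+%{_sbindir}/xtables-legacy-multi
+%exclude %{_sbindir}/*-nft*
+%exclude %{_sbindir}/*-translate
+%exclude %{_sbindir}/xtables-monitor
+%{_bindir}/iptables-xml
+%{_libdir}/xtables/*
+%{_libdir}/*.so.*
+%{_unitdir}/*.service
+%dir %{legacy_actions}
+%{legacy_actions}/ip*
+%{_datadir}/xtables/pf.os
+%ghost %{_sbindir}/ip*tables
+%ghost %{_sbindir}/ip*tables-restore
+%ghost %{_sbindir}/ip*tables-save
+%files devel
+%defattr(-,root,root)
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%files nft
+%defattr(-,root,root)
+%{_sbindir}/*-nft*
+%{_sbindir}/*-translate
+%{_sbindir}/xtables-monitor
+%ghost %{_sbindir}/ip*tables
+%ghost %{_sbindir}/ip*tables-restore
+%ghost %{_sbindir}/ip*tables-save
+%ghost %{_sbindir}/ebtables
+%ghost %{_sbindir}/arptables
+%files help
+%defattr(-,root,root)
+%doc INCOMPATIBILITIES
+%{_mandir}/*
+%changelog
+* Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-5
+- Package init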
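Review bot: In %install, `install -m 0644 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init` installs the IPv4 init script without the execute bit, while the generated ip6tables.init two lines later gets 0755 and the %files entry `%{script_path}/ip*tables.init` carries no %attr override; since iptables.service runs `/usr/libexec/iptables/iptables.init start` directly via ExecStart, the IPv4 unit will fail with a permission error on every start. The line should read `install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init`. Conversely, `install -m 0755 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8` marks a man page executable, where `-m 0644` is the expected mode. The build-time temporaries `ip6tabes.save-legacy` and `ip6tabes.panic-legacy` are mis-spelled but used consistently, so harmless; worth tidying while the mode fix is made.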

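--- a/sysconfig_ip6tables
+++ b/sysconfig_ip6tables
@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT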
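Review bot: `-A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type from any source, which is broader than NDP needs; as a defence-in-depth step the router-advertisement and redirect types can be constrained to link-local senders, e.g. `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement ! -s fe80::/10 -j DROP` (and likewise `redirect`) placed before the generic accept, rather than relying only on the kernel's own source checks and whatever `accept_ra`/`accept_redirects` sysctls the init script's load_sysctl path applies — that part of iptables.init is outside this view. The DHCPv6 client rule is correctly scoped to `fe80::/64` and port 546. As in the IPv4 sample, `-m state --state` is the legacy spelling of `-m conntrack --ctstate`, which current iptables documents and which behaves identically here.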

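--- a/sysconfig_iptables
+++ b/sysconfig_iptables
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT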
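Review bot: The INPUT and FORWARD chains are declared with policy ACCEPT and all filtering rests on the trailing `-A INPUT -j REJECT` / `-A FORWARD -j REJECT` rules, so a flush of the filter table, or a restore that aborts before those rules, leaves the host fully open rather than failing closed. For a ruleset shipped as the default, `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` with the same explicit ACCEPT rules would fail safe; the trade-off is that an operator flush then cuts all traffic including the SSH session, so this only makes sense if the init script's stop path resets the policies itself — that part of iptables.init is outside this view. Separately, `-m state --state RELATED,ESTABLISHED` and `-m state --state NEW` are the legacy spelling; `-m conntrack --ctstate RELATED,ESTABLISHED` and `-m conntrack --ctstate NEW` are the form current iptables documents, and the two are equivalent here.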