Package init

Allocate-rule-cache-just-once.patch

@@ -0,0 +1,38 @@
+From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Aug 2018 17:05:08 +0200
+Subject: xtables: Allocate rule cache just once
+
+For each parsed table, xtables-restore calls nft_table_flush() which
+each time allocates a new rule cache, possibly overwriting the pointer
+to the previously allocated one. Fix this by checking the pointer value
+and only allocate if it's NULL.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index a9cb92ed..d5c4c766 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1867,9 +1867,11 @@ next:
+ 		t = nftnl_table_list_iter_next(iter);
+ 	}
+ 
+-	h->rule_cache = nftnl_rule_list_alloc();
+-	if (h->rule_cache == NULL)
+-		return -1;
++	if (!h->rule_cache) {
++		h->rule_cache = nftnl_rule_list_alloc();
++		if (h->rule_cache == NULL)
++			return -1;
++	}
+ 
+ err_table_iter:
+ 	nftnl_table_list_iter_destroy(iter);
+-- 
+cgit v1.2.1
+

Fix-for-nft_rule_flush-returning-garbage.patch

@@ -0,0 +1,54 @@
+From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Aug 2018 17:05:09 +0200
+Subject: xtables: Fix for nft_rule_flush() returning garbage
+
+Due to variable 'ret' not being initialized in all situations, return
+code of the function depends on garbage in stack. Fix this by
+initializing 'ret' to zero upon declaration.
+
+While being at it, make nftnl_chain_list_get() failure as well as
+nftnl_chain_list_iter_create() failure an error condition since both
+functions should succeed even if the current ruleset does not contain
+any chains at all.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index d5c4c766..f2d6ea13 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
+ 
+ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+ {
+-	int ret;
++	int ret = 0;
+ 	struct nftnl_chain_list *list;
+ 	struct nftnl_chain_list_iter *iter;
+ 	struct nftnl_chain *c;
+@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+ 
+ 	list = nftnl_chain_list_get(h);
+ 	if (list == NULL) {
+-		ret = 0;
++		ret = 1;
+ 		goto err;
+ 	}
+ 
+ 	iter = nftnl_chain_list_iter_create(list);
+-	if (iter == NULL)
++	if (iter == NULL) {
++		ret = 1;
+ 		goto err;
++	}
+ 
+ 	c = nftnl_chain_list_iter_next(iter);
+ 	while (c != NULL) {
+-- 
+cgit v1.2.1
+

Fix-for-potential-array-boundary-overstep.patch

@@ -0,0 +1,30 @@
+From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 10 Sep 2018 23:35:15 +0200
+Subject: ebtables: Fix for potential array boundary overstep
+
+Fix the parameter check in nft_ebt_standard_target() to avoid an array
+out of bounds access in ebt_standard_targets.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft-bridge.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
+index 1fe26bab..9d49ccbe 100644
+--- a/iptables/nft-bridge.h
++++ b/iptables/nft-bridge.h
+@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
+ 
+ static inline const char *nft_ebt_standard_target(unsigned int num)
+ {
+-	if (num > NUM_STANDARD_TARGETS)
++	if (num >= NUM_STANDARD_TARGETS)
+ 		return NULL;
+ 
+ 	return ebt_standard_targets[num];
+-- 
+cgit v1.2.1
+

Fix-for-segfault-in-iptables-nft.patch

@@ -0,0 +1,93 @@
+
+m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 17 Aug 2018 15:35:47 +0200
+Subject: xtables: Fix for segfault in iptables-nft
+
+Trying to set a chain's policy in an invalid table resulted in a
+segfault. Reproducer was:
+
+| # iptables -t broute -P BROUTING ACCEPT
+
+Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
+returned NULL for the given table name.
+
+For an illustrative error message, set errno to ENXIO in the above case
+and add an appropriate Mesage to nft_strerror().
+
+While being at it, improve the error message if an invalid policy was
+given. Before:
+
+| # iptables-nft -t filter -P INPUT ACCEPTdf
+| iptables: Incompatible with this kernel.
+
+After:
+
+| # iptables-nft -t filter -P INPUT ACCEPTdf
+| iptables: Bad policy name. Run `dmesg' for more information.
+
+Third unrelated change in this patch: Drop error checking of
+nft_chain_set() in do_commandx(): The function never returns negative,
+so that check never yielded true.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c     | 11 +++++++++--
+ iptables/xtables.c |  3 ---
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 0b29caeb..dd8469a9 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
+ 	struct builtin_chain *_c;
+ 
+ 	_t = nft_table_builtin_find(h, table);
++	if (!_t) {
++		errno = ENXIO;
++		return NULL;
++	}
++
+ 	/* if this built-in table does not exists, create it */
+-	if (_t != NULL)
+-		nft_table_builtin_add(h, _t);
++	nft_table_builtin_add(h, _t);
+ 
+ 	_c = nft_chain_builtin_find(_t, chain);
+ 	if (_c != NULL) {
+@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
+ 		c = nft_chain_new(h, table, chain, NF_DROP, counters);
+ 	else if (strcmp(policy, "ACCEPT") == 0)
+ 		c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
++	else
++		errno = EINVAL;
+ 
+ 	if (c == NULL)
+ 		return 0;
+@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
+ 	      "Bad rule (does a matching rule exist in that chain?)" },
+ 	    { nft_chain_set, ENOENT, "Bad built-in chain name" },
+ 	    { nft_chain_set, EINVAL, "Bad policy name" },
++	    { nft_chain_set, ENXIO, "Bad table name" },
+ 	    { NULL, ELOOP, "Loop found in table" },
+ 	    { NULL, EPERM, "Permission denied (you must be root)" },
+ 	    { NULL, 0, "Incompatible with this kernel" },
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index d9050b45..72f65962 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
+ 		break;
+ 	case CMD_SET_POLICY:
+ 		ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
+-		if (ret < 0)
+-			xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
+-				      p.policy);
+ 		break;
+ 	default:
+ 		/* We should never reach this... */
+-- 
+cgit v1.2.1
+

Fix-for-segfault-when-registering-hashlimit-extension.patch

@@ -0,0 +1,33 @@
+From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001
+From: Heena Sirwani <heenasirwani@gmail.com>
+Date: Tue, 21 Aug 2018 17:25:56 +0530
+Subject: xtables: Fix for segfault when registering hashlimit extension
+
+This patch fixes the crash when registering the hashlimit extension
+with xtables during init_extensions(when built with static libs) .
+The option validation function xtables_option_metavalidate has a
+loop termination condition of the entry name being NULL. The loop
+does not terminate when validating hashlimit_mt_opts_v2 which causes
+a crash on derefencing an invalid entry.
+
+Signed-off-by: Heena Sirwani <heenasirwani@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libxt_hashlimit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
+index 70bc615b..7d78d852 100644
+--- a/extensions/libxt_hashlimit.c
++++ b/extensions/libxt_hashlimit.c
+@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
+ 	{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
+ 	{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
+ 	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
++	XTOPT_TABLEEND,
+ };
+ #undef s
+ 
+-- 
+cgit v1.2.1
+

Fix-incorrect-strcmp-in-nft_arp_rule_find.patch

@@ -0,0 +1,31 @@
+From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 19 Sep 2018 15:17:07 +0200
+Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find()
+
+Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
+strcmp() may be passed a NULL pointer. Therefore check if the pointer is
+valid before doing so.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft-arp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index b8e89826..a2109c60 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+ 	if (!compare_targets(cs->target, this.target))
+ 		return false;
+ 
+-	if (strcmp(cs->jumpto, this.jumpto) != 0)
++	if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
+ 		return false;
+ 
+ 	return true;
+-- 
+cgit v1.2.1
+

Fix-opcode-printing-in-numeric-output.patch

@@ -0,0 +1,29 @@
+From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Aug 2018 17:05:22 +0200
+Subject: arptables: Fix opcode printing in numeric output
+
+This line of code was dropped by accident, add it back.
+
+Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft-arp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 5cabb93e..570a2589 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -543,6 +543,7 @@ after_devdst:
+ 		if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
+ 			printf("--opcode %s", opcodes[tmp-1]);
+ 		else
++			printf("--opcode %d", tmp);
+ 
+ 		if (fw->arp.arpop_mask != 65535)
+ 			printf("/%d", ntohs(fw->arp.arpop_mask));
+-- 
+cgit v1.2.1
+

Fix-potential-array-overrun-in-xtables_option_parse.patch

@@ -0,0 +1,30 @@
+From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 10 Sep 2018 23:35:13 +0200
+Subject: libxtables: Fix potential array overrun in xtables_option_parse()
+
+If entry->type is to be used as array index, it needs to be at max one
+less than that array's size.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ libxtables/xtoptions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index ba3128bd..326febd5 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb)
+ 	 * a *RC option type.
+ 	 */
+ 	cb->nvals = 1;
+-	if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
++	if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
+ 	    xtopt_subparse[entry->type] != NULL)
+ 		xtopt_subparse[entry->type](cb);
+ 	/* Exclusion with other flags tested later in finalize. */
+-- 
+cgit v1.2.1
+

Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch

@@ -0,0 +1,72 @@
+From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Aug 2018 17:05:11 +0200
+Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
+
+Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
+not added to the cache.
+
+There is one exception though, namely when zeroing counters:
+nft_chain_zero_counters() adds a chain object it took from chain cache.
+To distinguish this situation from the others, introduce
+NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
+NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 26df1287..327c19ad 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -246,6 +246,7 @@ enum obj_update_type {
+ 	NFT_COMPAT_CHAIN_USER_FLUSH,
+ 	NFT_COMPAT_CHAIN_UPDATE,
+ 	NFT_COMPAT_CHAIN_RENAME,
++	NFT_COMPAT_CHAIN_ZERO,
+ 	NFT_COMPAT_RULE_APPEND,
+ 	NFT_COMPAT_RULE_INSERT,
+ 	NFT_COMPAT_RULE_REPLACE,
+@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
+ 			 nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
+ 		break;
+ 	case NFT_COMPAT_CHAIN_ADD:
++	case NFT_COMPAT_CHAIN_ZERO:
+ 	case NFT_COMPAT_CHAIN_USER_ADD:
+ 	case NFT_COMPAT_CHAIN_USER_DEL:
+ 	case NFT_COMPAT_CHAIN_USER_FLUSH:
+@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
+ 	case NFT_COMPAT_TABLE_FLUSH:
+ 		nftnl_table_free(o->table);
+ 		break;
+-	case NFT_COMPAT_CHAIN_ADD:
++	case NFT_COMPAT_CHAIN_ZERO:
+ 	case NFT_COMPAT_CHAIN_USER_ADD:
+ 		break;
++	case NFT_COMPAT_CHAIN_ADD:
+ 	case NFT_COMPAT_CHAIN_USER_DEL:
+ 	case NFT_COMPAT_CHAIN_USER_FLUSH:
+ 	case NFT_COMPAT_CHAIN_UPDATE:
+@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
+ 						   n->seq, n->table);
+ 			break;
+ 		case NFT_COMPAT_CHAIN_ADD:
++		case NFT_COMPAT_CHAIN_ZERO:
+ 			nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
+ 						   NLM_F_CREATE, n->seq,
+ 						   n->chain);
+@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+ 
+ 		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
+ 
+-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
++		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
+ 
+ 		if (chain != NULL)
+ 			break;
+-- 
+cgit v1.2.1
+

Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch

@@ -0,0 +1,31 @@
+From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Aug 2018 17:05:10 +0200
+Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
+
+These always have to be freed because nft_chain_user_del() removes them
+from the cache so they are not freed when the chain cache is flushed.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index f2d6ea13..26df1287 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
+ 		break;
+ 	case NFT_COMPAT_CHAIN_ADD:
+ 	case NFT_COMPAT_CHAIN_USER_ADD:
+-	case NFT_COMPAT_CHAIN_USER_DEL:
+ 		break;
++	case NFT_COMPAT_CHAIN_USER_DEL:
+ 	case NFT_COMPAT_CHAIN_USER_FLUSH:
+ 	case NFT_COMPAT_CHAIN_UPDATE:
+ 	case NFT_COMPAT_CHAIN_RENAME:
+-- 
+cgit v1.2.1
+

fix-crash-if-nft_rule_list_get-fails.patch

@@ -0,0 +1,31 @@
+From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 19 Jul 2018 18:31:53 +0200
+Subject: xtables: fix crash if nft_rule_list_get() fails
+
+Without this, trying to add a rule using ebtables without proper
+permissions crashes the program.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3cacf5fe..e1788dba 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
+ 	if (batch_rule_add(h, type, r) < 0)
+ 		nftnl_rule_free(r);
+ 
+-	nft_rule_list_get(h);
++	if (!nft_rule_list_get(h))
++		return 0;
+ 
+ 	nftnl_rule_list_add_tail(r, h->rule_cache);
+ 
+-- 
+cgit v1.2.1
+

free-the-table-lock-when-skipping-a-table.patch

@@ -0,0 +1,192 @@
+From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001
+From: Joel Goguen <contact+netfilter@jgoguen.ca>
+Date: Wed, 11 Jul 2018 16:32:20 -0700
+Subject: iptables-restore: free the table lock when skipping a table
+
+Currently, when running `iptables-restore --table=X`, where `X` is not the first
+table in the rules dump, the restore will fail when parsing the second table:
+
+- a lock is acquird when parsing the first table name
+- the table name does not match the parameter to `--table` so processing
+  continues until the next table
+- when processing the next table a lock is acquired, which fails because a lock
+  is already held
+
+Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
+
+This will release the lock as soon as it's decided the current table won't be
+used.
+
+Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/ip6tables-restore.c                       |  7 +++-
+ iptables/iptables-restore.c                        |  7 +++-
+ .../ipt-restore/0001load-specific-table_0          | 41 ++++++++++++++++++++++
+ .../testcases/ipt-restore/dumps/ip6tables.dump     | 30 ++++++++++++++++
+ .../testcases/ipt-restore/dumps/iptables.dump      | 30 ++++++++++++++++
+ 5 files changed, 113 insertions(+), 2 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
+ create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
+ create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index cc50bb4f..d36f92da 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
+ 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
+ 
+-			if (tablename != NULL && strcmp(tablename, table) != 0)
++			if (tablename != NULL && strcmp(tablename, table) != 0) {
++				if (lock >= 0) {
++					xtables_unlock(lock);
++					lock = XT_LOCK_NOT_ACQUIRED;
++				}
+ 				continue;
++			}
+ 			if (handle)
+ 				ops->free(handle);
+ 
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index d5603fce..142ddb82 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[])
+ 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
+ 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
+ 
+-			if (tablename && (strcmp(tablename, table) != 0))
++			if (tablename && (strcmp(tablename, table) != 0)) {
++				if (lock >= 0) {
++					xtables_unlock(lock);
++					lock = XT_LOCK_NOT_ACQUIRED;
++				}
+ 				continue;
++			}
+ 			if (handle)
+ 				ops->free(handle);
+ 
+diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
+new file mode 100755
+index 00000000..ce3bef3a
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
+@@ -0,0 +1,41 @@
++#!/bin/bash
++
++RET=0
++tmpfile=""
++
++set -x
++
++clean_tempfile()
++{
++	if [ -n "${tmpfile}" ]; then
++		rm -f "${tmpfile}"
++	fi
++}
++
++trap clean_tempfile EXIT
++
++tmpfile=$(mktemp) || exit 1
++
++do_simple()
++{
++	iptables="${1}"
++	table="${2}"
++	dumpfile="$(dirname "${0}")/dumps/${iptables}.dump"
++
++	"$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$?
++
++	if [ "${rv}" -ne 0 ]; then
++		RET=1
++	fi
++}
++
++do_simple "iptables" "filter"
++do_simple "iptables" "mangle"
++do_simple "iptables" "raw"
++do_simple "iptables" "nat"
++do_simple "ip6tables" "filter"
++do_simple "ip6tables" "mangle"
++do_simple "ip6tables" "raw"
++do_simple "ip6tables" "nat"
++
++exit "${RET}"
+diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
+new file mode 100644
+index 00000000..4ac4f882
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
+@@ -0,0 +1,30 @@
++*nat
++:PREROUTING ACCEPT [0:0]
++:INPUT ACCEPT [0:0]
++:OUTPUT ACCEPT [8:656]
++:POSTROUTING ACCEPT [8:656]
++COMMIT
++
++*mangle
++:PREROUTING ACCEPT [794:190738]
++:INPUT ACCEPT [794:190738]
++:FORWARD ACCEPT [0:0]
++:OUTPUT ACCEPT [991:170303]
++:POSTROUTING ACCEPT [991:170303]
++COMMIT
++
++*raw
++:PREROUTING ACCEPT [794:190738]
++:OUTPUT ACCEPT [991:170303]
++COMMIT
++
++*filter
++:INPUT DROP [0:0]
++:FORWARD DROP [0:0]
++:OUTPUT ACCEPT [991:170303]
++-A INPUT -i lo -j ACCEPT
++-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
++-A INPUT -p ipv6-icmp -j ACCEPT
++-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
++-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
++COMMIT
+diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
+new file mode 100644
+index 00000000..6e4e42d3
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
+@@ -0,0 +1,30 @@
++*nat
++:PREROUTING ACCEPT [1:89]
++:INPUT ACCEPT [0:0]
++:OUTPUT ACCEPT [351:24945]
++:POSTROUTING ACCEPT [351:24945]
++COMMIT
++
++*mangle
++:PREROUTING ACCEPT [3270:1513114]
++:INPUT ACCEPT [3270:1513114]
++:FORWARD ACCEPT [0:0]
++:OUTPUT ACCEPT [3528:1087907]
++:POSTROUTING ACCEPT [3546:1090751]
++COMMIT
++
++*raw
++:PREROUTING ACCEPT [3270:1513114]
++:OUTPUT ACCEPT [3528:1087907]
++COMMIT
++
++*filter
++:INPUT DROP [37:4057]
++:FORWARD DROP [0:0]
++:OUTPUT ACCEPT [3528:1087907]
++-A INPUT -i lo -j ACCEPT
++-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
++-A INPUT -p icmp -j ACCEPT
++-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
++-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
++COMMIT
+-- 
+cgit v1.2.1
+

iptables-1.6.0-iptables-apply_mktemp.patch

@@ -0,0 +1,21 @@
+diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
+--- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp	2015-12-09 13:55:06.000000000 +0100
++++ iptables-1.6.0/iptables/iptables-apply	2016-04-13 17:44:07.130453958 +0200
+@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
+ 	exit 2
+ fi
+ 
+-COMMANDS=(tempfile "$SAVE" "$RESTORE")
++COMMANDS=(mktemp "$SAVE" "$RESTORE")
+ 
+ for cmd in "${COMMANDS[@]}"; do
+ 	if ! command -v $cmd >/dev/null; then
+@@ -122,7 +122,7 @@ done
+ 
+ umask 0700
+ 
+-TMPFILE=$(tempfile -p iptap)
++TMPFILE=$(mktemp)
+ trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
+ 
+ if ! "$SAVE" >"$TMPFILE"; then

iptables-1.8.0-xtables-nft-multi.patch

@@ -0,0 +1,15 @@
+diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
+index 187da81e9f59b..03690a56edb72 100644
+--- a/iptables/xtables-nft-multi.c
++++ b/iptables/xtables-nft-multi.c
+@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
+ 	{"iptables-restore-translate",	xtables_ip4_xlate_restore_main},
+ 	{"ip6tables-restore-translate",	xtables_ip6_xlate_restore_main},
+ 	{"arptables",			xtables_arp_main},
++	{"arptables-nft",		xtables_arp_main},
+ 	{"ebtables-translate",		xtables_eb_xlate_main},
+ 	{"ebtables",			xtables_eb_main},
++	{"ebtables-nft",		xtables_eb_main},
+ 	{"xtables-monitor",		xtables_monitor_main},
+ 	{NULL},
+ };

iptables-config

@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+#   Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+#   Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000

iptables.init

@@ -0,0 +1,421 @@
+#!/bin/bash
+#
+# iptables	Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description:	Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+    echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+    exit 4
+fi
+
+if [ ! -x /sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+    exit 5
+fi
+
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
+    && NEW_MODUTILS=1 \
+    || NEW_MODUTILS=0
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+
+flush_n_delete() {
+    # Flush firewall rules and delete chains.
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Check if firewall is configured (has tables)
+    [ -z "$NF_TABLES" ] && return 1
+
+    echo -n $"${IPTABLES}: Flushing firewall rules: "
+    ret=0
+    # For all tables
+    for i in $NF_TABLES; do
+        # Flush firewall rules.
+	$IPTABLES -t $i -F;
+	let ret+=$?;
+
+        # Delete firewall chains.
+	$IPTABLES -t $i -X;
+	let ret+=$?;
+
+	# Set counter to zero.
+	$IPTABLES -t $i -Z;
+	let ret+=$?;
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+set_policy() {
+    # Set policy for configured tables.
+    policy=$1
+
+    # Check if iptable module is loaded
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Check if firewall is configured (has tables)
+    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+    [ -z "$tables" ] && return 1
+
+    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+    ret=0
+    for i in $tables; do
+	echo -n "$i "
+	case "$i" in
+	    raw)
+		$IPTABLES -t raw -P PREROUTING $policy \
+		    && $IPTABLES -t raw -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    filter)
+                $IPTABLES -t filter -P INPUT $policy \
+		    && $IPTABLES -t filter -P OUTPUT $policy \
+		    && $IPTABLES -t filter -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    nat)
+		$IPTABLES -t nat -P PREROUTING $policy \
+		    && $IPTABLES -t nat -P POSTROUTING $policy \
+		    && $IPTABLES -t nat -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    mangle)
+	        $IPTABLES -t mangle -P PREROUTING $policy \
+		    && $IPTABLES -t mangle -P POSTROUTING $policy \
+		    && $IPTABLES -t mangle -P INPUT $policy \
+		    && $IPTABLES -t mangle -P OUTPUT $policy \
+		    && $IPTABLES -t mangle -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    *)
+	        let ret+=1
+		;;
+        esac
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+load_sysctl() {
+    # load matched sysctl values
+    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+        echo -n $"Loading sysctl settings: "
+        ret=0
+        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+            fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
+            let ret+=$?;
+        done
+        [ $ret -eq 0 ] && success || failure
+        echo
+    fi
+    return $ret
+}
+
+start() {
+    # Do not start if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Applying firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo;
+	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    if [ $? -eq 0 ]; then
+		success; echo
+	    else
+		failure; echo; return 1
+	    fi
+	else
+	    return 1
+	fi
+    fi
+    
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+    
+    # Load sysctl settings
+    load_sysctl
+
+    touch $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+stop() {
+    # Do not stop if iptables module is not loaded.
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Set default chain policy to ACCEPT, in order to not break shutdown
+    # on systems where the default policy is DROP and root device is
+    # network-based (i.e.: iSCSI, NFS)
+    set_policy ACCEPT
+    # And then, flush the rules and delete chains
+    flush_n_delete
+    
+    rm -f $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+save() {
+    # Check if iptable module is loaded
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 0
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 6
+    fi
+
+    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    ret=0
+    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+	&& chmod 600 "$TMP_FILE" \
+	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+	&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+	|| ret=1
+    if [ $ret -eq 0 ]; then
+	if [ -e $IPTABLES_DATA ]; then
+	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+		&& chmod 600 $IPTABLES_DATA.save \
+		&& restorecon $IPTABLES_DATA.save \
+		|| ret=1
+	fi
+	if [ $ret -eq 0 ]; then
+	    mv -f $TMP_FILE $IPTABLES_DATA \
+		&& chmod 600 $IPTABLES_DATA \
+		&& restorecon $IPTABLES_DATA \
+	        || ret=1
+	fi
+    fi
+    rm -f $TMP_FILE
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+status() {
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not running."
+	return 3
+    fi
+
+    # Do not print status if lockfile is missing and iptables modules are not 
+    # loaded.
+    # Check if iptable modules are loaded
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo $"${IPTABLES}: Firewall modules are not loaded."
+	return 3
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not configured. "
+	return 3
+    fi
+
+    NUM=
+    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+    VERBOSE= 
+    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+    COUNT=
+    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+    for table in $NF_TABLES; do
+	echo $"Table: $table"
+	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+    done
+
+    return 0
+}
+
+reload() {
+    # Do not reload if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo; echo "Firewall rules are not changed."; return 1
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    return $ret
+}
+
+restart() {
+    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+    stop
+    start
+}
+
+
+case "$1" in
+    start)
+	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	start
+	RETVAL=$?
+	;;
+    stop)
+	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+	stop
+	RETVAL=$?
+	;;
+    restart|force-reload)
+	restart
+	RETVAL=$?
+	;;
+    reload)
+	[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+	RETVAL=$?
+	;;      
+    condrestart|try-restart)
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	restart
+	RETVAL=$?
+	;;
+    status)
+	status
+	RETVAL=$?
+	;;
+    panic)
+	set_policy DROP
+	RETVAL=$?
+        ;;
+    save)
+	save
+	RETVAL=$?
+	;;
+    *)
+	echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL

iptables.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target

iptables.spec

@@ -0,0 +1,249 @@
+%global script_path %{_libexecdir}/iptables
+%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
+Name:		  iptables
+Version:	  1.8.0
+Release:	  5
+Summary:	  IP packet filter administration utilities
+License:	  GPLv2 and Artistic Licence 2.0 and ISC
+URL:		  https://www.netfilter.org/
+Source0:  	  https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
+Source1:          iptables.init
+Source2:          iptables-config
+Source3:          iptables.service
+Source4:          sysconfig_iptables
+Source5:          sysconfig_ip6tables
+
+Patch1:           iptables-1.6.0-iptables-apply_mktemp.patch
+Patch2:           iptables-1.8.0-xtables-nft-multi.patch
+Patch6000:        fix-crash-if-nft_rule_list_get-fails.patch
+Patch6001:        free-the-table-lock-when-skipping-a-table.patch
+Patch6002:        Allocate-rule-cache-just-once.patch
+Patch6003:        Fix-for-nft_rule_flush-returning-garbage.patch
+Patch6004:        Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
+Patch6005:        Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
+Patch6006:        Fix-opcode-printing-in-numeric-output.patch
+Patch6007:        Fix-for-segfault-in-iptables-nft.patch
+Patch6008:        Fix-for-segfault-when-registering-hashlimit-extension.patch
+Patch6009:        Fix-potential-array-overrun-in-xtables_option_parse.patch
+Patch6010:        Fix-for-potential-array-boundary-overstep.patch
+Patch6011:        Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
+
+BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
+BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
+
+Requires(post):   %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+%systemd_requires
+
+Provides:         iptables-libs iptables-utils iptables-services
+Obsoletes:        iptables-libs iptables-utils iptables-services 
+
+%description
+Netfilter is a set of hooks inside the Linux kernel that allows kernel 
+modules to register callback functions with the network stack. A 
+registered callback function is then called back for every packet that 
+traverses the respective hook within the network stack.
+
+Iptables is a generic table structure for the definition of rulesets. 
+Each rule within an IP table consists of a number of classifiers 
+(iptables matches) and one connected action (iptables target).
+
+Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) 
+and the NAT subsystem together build the major parts of the framework.
+
+%package          devel
+Summary:          header files for iproute
+Requires:         %{name} = %{version}-%{release} pkgconfig
+
+%description      devel
+Header files for iproute.
+
+%package          nft
+Summary:          nft package for iproute
+Requires:         %{name} = %{version}-%{release}
+Obsoletes:        iptables-compat < 1.6.2-4
+
+%description      nft
+Nft package for iproute.
+
+%package_help
+
+%prep
+%autosetup -n %{name}-%{version} -p1 -S git
+
+%build
+%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
+
+%disable_rpath
+
+rm -f include/linux/types.h
+
+%make_build
+
+%install
+%make_install 
+
+%delete_la
+
+install -m 0755 -d %{buildroot}%{_includedir}/iptables
+install -m 0644 include/ip*tables.h %{buildroot}%{_includedir}
+install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables
+
+install -m 0755 -d %{buildroot}%{_includedir}/libipulog/
+install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog
+
+install -m 0755 -d %{buildroot}/%{script_path}
+install -m 0644 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init
+sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
+install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init
+install -m 0755 -d %{buildroot}%{_sysconfdir}/sysconfig
+install -m 0600 -c %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
+sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
+install -m 0600 -c ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
+install -m 0600 -c %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables
+install -m 0600 -c %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables
+
+install -m 0755 -d %{buildroot}%{_unitdir}
+install -m 0644 -c %{SOURCE3} %{buildroot}%{_unitdir}
+sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
+install -m 0644 -c ip6tables.service %{buildroot}%{_unitdir}
+
+install -m 0755 -d %{buildroot}/%{legacy_actions}/iptables
+install -m 0755 -d %{buildroot}/%{legacy_actions}/ip6tables
+
+pushd  %{buildroot}/%{legacy_actions}/iptables
+cat << EOF > save
+#!/bin/bash
+exec %{script_path}/iptables.init save
+EOF
+chmod 0755 save
+popd
+sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy
+install -m 0755 -c ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save
+
+pushd %{buildroot}/%{legacy_actions}/iptables
+cat << EOF > panic
+#!/bin/bash
+exec %{script_path}/iptables.init panic
+EOF
+chmod 0755 panic
+popd
+sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
+install -m 0755 -c ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
+
+install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir}
+install -m 0755 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8
+
+pushd %{buildroot}%{_sbindir}
+mv ebtables ebtables-nft
+mv arptables arptables-nft
+
+touch ebtables  \
+      arptables \
+      iptables  \
+      ip6tables
+popd
+
+%ldconfig_scriptlets
+
+%post
+pfx=%{_sbindir}/iptables
+pfx6=%{_sbindir}/ip6tables
+%{_sbindir}/update-alternatives --install \
+	$pfx iptables $pfx-legacy 10 \
+	--slave $pfx6 ip6tables $pfx6-legacy \
+        --slave $pfx-restore iptables-restore $pfx-legacy-restore \
+        --slave $pfx-save iptables-save $pfx-legacy-save \
+        --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
+        --slave $pfx6-save ip6tables-save $pfx6-legacy-save
+
+%systemd_post iptables.service ip6tables.service
+
+%preun
+%systemd_preun iptables.service ip6tables.service
+
+%postun
+if [ $1 -eq 0 ]; then
+	%{_sbindir}/update-alternatives --remove \
+		iptables %{_sbindir}/iptables-legacy
+fi
+%?ldconfig
+%systemd_postun iptables.service ip6tables.service
+
+%post             nft
+pfx=%{_sbindir}/iptables
+pfx6=%{_sbindir}/ip6tables
+%{_sbindir}/update-alternatives --install \
+	$pfx iptables $pfx-nft 5 \
+	--slave $pfx6 ip6tables $pfx6-nft \
+	--slave $pfx-restore iptables-restore $pfx-nft-restore \
+	--slave $pfx-save iptables-save $pfx-nft-save \
+	--slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
+	--slave $pfx6-save ip6tables-save $pfx6-nft-save
+
+for cmd in ebtables arptables; do
+	if [ "$(readlink -e %{_sbindir}/$cmd)" == %{_sbindir}/$cmd ]; then
+		rm -f %{_sbindir}/$cmd
+	fi
+	%{_sbindir}/update-alternatives --install \
+	%{_sbindir}/$cmd $cmd %{_sbindir}/$cmd-nft 5
+done
+
+%postun           nft
+if [ $1 -eq 0 ]; then
+	for cmd in iptables ebtables arptables; do
+		%{_sbindir}/update-alternatives --remove \
+			$cmd %{_sbindir}/$cmd-nft
+	done
+fi
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%{script_path}/ip*tables.init
+%{_sysconfdir}/ethertypes
+%config(noreplace) %{_sysconfdir}/sysconfig/*
+%{_sbindir}/nfnl_osf
+%{_sbindir}/nfbpf_*
+%{_sbindir}/iptables-apply
+%{_sbindir}/ip*tables-legacy*
+%{_sbindir}/xtables-legacy-multi
+%exclude %{_sbindir}/*-nft*
+%exclude %{_sbindir}/*-translate
+%exclude %{_sbindir}/xtables-monitor
+%{_bindir}/iptables-xml
+%{_libdir}/xtables/*
+%{_libdir}/*.so.*
+%{_unitdir}/*.service
+%dir %{legacy_actions}
+%{legacy_actions}/ip*
+%{_datadir}/xtables/pf.os
+%ghost %{_sbindir}/ip*tables
+%ghost %{_sbindir}/ip*tables-restore
+%ghost %{_sbindir}/ip*tables-save
+
+%files            devel
+%defattr(-,root,root)
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files            nft
+%defattr(-,root,root)
+%{_sbindir}/*-nft*
+%{_sbindir}/*-translate
+%{_sbindir}/xtables-monitor
+%ghost %{_sbindir}/ip*tables
+%ghost %{_sbindir}/ip*tables-restore
+%ghost %{_sbindir}/ip*tables-save
+%ghost %{_sbindir}/ebtables
+%ghost %{_sbindir}/arptables
+
+%files            help
+%defattr(-,root,root)
+%doc INCOMPATIBILITIES
+%{_mandir}/*
+
+%changelog
+* Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-5
+- Package init

sysconfig_ip6tables

@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

sysconfig_iptables

@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT