iptables package update
Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>master
parent
2e8b038b6e
commit
697205a21f
SOURCES
SPECS
|
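--- /dev/null
+++ b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch
@@ -0,0 +1,61 @@
+From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:28:07 +0200
+Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510
+Upstream Status: iptables commit dbbab0aa328f1
+
+commit dbbab0aa328f136502373a1031e64eb53fa113e5
+Author: Phil Sutter <phil@nwl.cc>
+Date: Mon Oct 9 15:47:39 2017 +0200
+
+extensions: libxt_tcpmss: Detect invalid ranges
+
+Previously, an MSS range of e.g. 65535:1000 was silently accepted but
+would then never match a packet since the kernel checks whether the MSS
+value is greater than or equal to the first *and* less than or equal to
+the second value.
+
+Detect this as a parameter problem and update the man page accordingly.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+extensions/libxt_tcpmss.c | 6 +++++-
+extensions/libxt_tcpmss.man | 2 +-
+2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
+index c7c5971716294..bcd357aa3d8e2 100644
+--- a/extensions/libxt_tcpmss.c
++++ b/extensions/libxt_tcpmss.c
+@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
+xtables_option_parse(cb);
+mssinfo->mss_min = cb->val.u16_range[0];
+mssinfo->mss_max = mssinfo->mss_min;
+- if (cb->nvals == 2)
++ if (cb->nvals == 2) {
+mssinfo->mss_max = cb->val.u16_range[1];
++ if (mssinfo->mss_max < mssinfo->mss_min)
++ xtables_error(PARAMETER_PROBLEM,
++ "tcpmss: invalid range given");
++ }
+if (cb->invert)
+mssinfo->invert = 1;
+}
+diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
+index 8ee715cdbfb07..8253c363418f8 100644
+--- a/extensions/libxt_tcpmss.man
++++ b/extensions/libxt_tcpmss.man
+@@ -1,4 +1,4 @@
+This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+.TP
+[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
+-Match a given TCP MSS value or range.
++Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
+--
+2.17.0
+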
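Review bot: The rejection at `+ "tcpmss: invalid range given"` does not say which values were rejected, and that matters now because a bad `--mss` aborts a whole iptables-restore run instead of silently never matching. xtables_error is printf-style in libxtables, so `xtables_error(PARAMETER_PROBLEM, "tcpmss: invalid range %u:%u given", mssinfo->mss_min, mssinfo->mss_max);` would make the failing rule self-explaining in restore output. The check itself is sound: it only runs when two values were parsed, so a single value still maps to min == max as before. tcpmss_parse() begins before the first context line of this hunk.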
|
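--- /dev/null
+++ b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
@@ -0,0 +1,61 @@
+From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 21ba5b3874fb3
+
+commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2
+Author: Phil Sutter <phil@nwl.cc>
+Date: Wed Sep 20 19:34:36 2017 +0200
+
+ip{,6}tables-restore: Don't accept wait-interval without wait
+
+If -W <val> was given, error out if -w wasn't since that doesn't make
+sense.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/ip6tables-restore.c | 5 +++++
+iptables/iptables-restore.c | 5 +++++
+2 files changed, 10 insertions(+)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0f85fee3593d5..e2a82c57bd426 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[])
+}
+else in = stdin;
+
++ if (!wait_interval.tv_sec && !wait) {
++ fprintf(stderr, "Option --wait-interval requires option --wait\n");
++ exit(1);
++ }
++
+/* Grab standard input. */
+while (fgets(buffer, sizeof(buffer), in)) {
+int ret = 0;
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 6d0df8d1c0f36..af0c79408631d 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[])
+}
+else in = stdin;
+
++ if (!wait_interval.tv_sec && !wait) {
++ fprintf(stderr, "Option --wait-interval requires option --wait\n");
++ exit(1);
++ }
++
+/* Grab standard input. */
+while (fgets(buffer, sizeof(buffer), in)) {
+int ret = 0;
+--
+2.17.0
+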
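Review bot: The guard `if (!wait_interval.tv_sec && !wait)` reads as "no interval and no wait", the opposite of the message it prints; it is only correct if parse_wait_interval() (not in this hunk) clears tv_sec when -W is parsed and the default wait_interval carries a non-zero tv_sec, so tv_sec == 0 is being used as the "-W was given" sentinel. That coupling should be stated on the line, e.g. `/* parse_wait_interval() clears tv_sec, so tv_sec == 0 means -W was given */`, otherwise a later change to the default or to the parser silently disables the check. The check also runs after the rules file has already been opened (`else in = stdin;` is the preceding context line); validating options before touching the input would be cleaner, though it is not a correctness problem. ip6tables_restore_main() and iptables_restore_main() begin and end outside these hunks.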
|
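--- /dev/null
+++ b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
@@ -0,0 +1,42 @@
+From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval
+value
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 60e0ffd365a2d
+
+commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92
+Author: Phil Sutter <phil@nwl.cc>
+Date: Wed Sep 20 19:34:35 2017 +0200
+
+ip{,6}tables-restore: Don't ignore missing wait-interval value
+
+Passing -W without a value doesn't make sense so bail out if none was
+given.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/xshared.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 3fbe3b1a99b77..b8a81fd968361 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
+else if (xs_has_arg(argc, argv))
+arg = argv[optind++];
+else
+- return;
++ xtables_error(PARAMETER_PROBLEM, "wait interval value required");
+
+ret = sscanf(arg, "%u", &usec);
+if (ret == 1) {
+--
+2.17.0
+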
|
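--- /dev/null
+++ b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch
@@ -0,0 +1,152 @@
+From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:29:24 +0200
+Subject: [PATCH] iptables-restore/save: exit when given an unknown option
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit d89dc47ab3875
+Conflicts:
+* Context changes in ip{6,}tables-restore.c
+* xtables-{save,restore}.c not present here.
+
+commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e
+Author: Vincent Bernat <vincent@bernat.im>
+Date: Sat Apr 15 12:16:47 2017 +0200
+
+iptables-restore/save: exit when given an unknown option
+
+When an unknown option is given, iptables-restore should exit instead of
+continue its operation. For example, if `--table` was misspelled, this
+could lead to an unwanted change. Moreover, exit with a status code of
+1. Make the same change for iptables-save.
+
+OTOH, exit with a status code of 0 when requesting help.
+
+Signed-off-by: Vincent Bernat <vincent@bernat.im>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/ip6tables-restore.c | 10 +++++-----
+iptables/ip6tables-save.c | 4 ++++
+iptables/iptables-restore.c | 10 +++++-----
+iptables/iptables-save.c | 4 ++++
+4 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0b8b95607febf..0f85fee3593d5 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -48,8 +48,6 @@ static const struct option options[] = {
+{NULL},
+};
+
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+#define prog_name ip6tables_globals.program_name
+#define prog_vers ip6tables_globals.program_version
+
+@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version)
+" [ --wait-interval=<usecs>\n"
+" [ --noflush ]\n"
+" [ --modprobe=<command>]\n", name);
+-
+- exit(1);
+}
+
+static struct xtc_handle *create_handle(const char *tablename)
+@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[])
+case 'h':
+print_usage("ip6tables-restore",
+IPTABLES_VERSION);
+- break;
++ exit(0);
+case 'n':
+noflush = 1;
+break;
+@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[])
+case 'T':
+tablename = optarg;
+break;
++ default:
++ fprintf(stderr,
++ "Try `ip6tables-restore -h' for more information.\n");
++ exit(1);
+}
+}
+
+diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
+index 3a1ded162fad1..a64d169fc1211 100644
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[])
+case 'd':
+do_output(tablename);
+exit(0);
++ default:
++ fprintf(stderr,
++ "Look at manual page `ip6tables-save.8' for more information.\n");
++ exit(1);
+}
+}
+
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 7aab1e78d7e0e..6d0df8d1c0f36 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -45,8 +45,6 @@ static const struct option options[] = {
+{NULL},
+};
+
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+#define prog_name iptables_globals.program_name
+#define prog_vers iptables_globals.program_version
+
+@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version)
+" [ --wait-interval=<usecs>\n"
+" [ --table=<TABLE> ]\n"
+" [ --modprobe=<command>]\n", name);
+-
+- exit(1);
+}
+
+static struct xtc_handle *create_handle(const char *tablename)
+@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[])
+case 'h':
+print_usage("iptables-restore",
+IPTABLES_VERSION);
+- break;
++ exit(0);
+case 'n':
+noflush = 1;
+break;
+@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[])
+case 'T':
+tablename = optarg;
+break;
++ default:
++ fprintf(stderr,
++ "Try `iptables-restore -h' for more information.\n");
++ exit(1);
+}
+}
+
+diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
+index 21f8839e8cd82..87bc885735dc3 100644
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[])
+case 'd':
+do_output(tablename);
+exit(0);
++ default:
++ fprintf(stderr,
++ "Look at manual page `iptables-save.8' for more information.\n");
++ exit(1);
+}
+}
+
+--
+2.17.0
+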
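Review bot: print_usage() in both restore programs loses its `__attribute__((noreturn))` and its `exit(1)`, so it now returns to its caller; the hunks show only the `case 'h':` call site, which gets the new `exit(0)`, and any other caller of print_usage() outside these hunks would now fall through instead of terminating, which is worth a grep before merging. A one-line comment at each `exit(0)` such as `/* print_usage() no longer exits; -h is a successful request */` would record why the usage function returns. The new `default:` branches fire inside the option loop before any table is opened, so a mistyped option can no longer reach the restore or save path, which is the point of the change. The getopt loops and the main functions begin and end outside the hunks.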
|
@ -71,6 +71,17 @@ NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
|
|||
# Get active tables
|
||||
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
|
||||
# Prepare commands for wait options
|
||||
IPTABLES_CMD="$IPTABLES"
|
||||
IPTABLES_RESTORE_CMD="$IPTABLES-restore"
|
||||
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
|
||||
OPT="--wait ${IPTABLES_RESTORE_WAIT}"
|
||||
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
|
||||
OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
|
||||
fi
|
||||
IPTABLES_CMD+=" $OPT"
|
||||
IPTABLES_RESTORE_CMD+=" $OPT"
|
||||
fi
|
||||
|
||||
rmmod_r() {
|
||||
# Unload module with all referring modules.
|
||||
|
@ -105,6 +116,8 @@ rmmod_r() {
|
|||
}
|
||||
|
||||
flush_n_delete() {
|
||||
local ret=0
|
||||
|
||||
# Flush firewall rules and delete chains.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
|
||||
|
@ -112,19 +125,18 @@ flush_n_delete() {
|
|||
[ -z "$NF_TABLES" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Flushing firewall rules: "
|
||||
ret=0
|
||||
# For all tables
|
||||
for i in $NF_TABLES; do
|
||||
# Flush firewall rules.
|
||||
$IPTABLES -t $i -F;
|
||||
$IPTABLES_CMD -t $i -F;
|
||||
let ret+=$?;
|
||||
|
||||
# Delete firewall chains.
|
||||
$IPTABLES -t $i -X;
|
||||
$IPTABLES_CMD -t $i -X;
|
||||
let ret+=$?;
|
||||
|
||||
# Set counter to zero.
|
||||
$IPTABLES -t $i -Z;
|
||||
$IPTABLES_CMD -t $i -Z;
|
||||
let ret+=$?;
|
||||
done
|
||||
|
||||
|
@ -134,6 +146,8 @@ flush_n_delete() {
|
|||
}
|
||||
|
||||
set_policy() {
|
||||
local ret=0
|
||||
|
||||
# Set policy for configured tables.
|
||||
policy=$1
|
||||
|
||||
|
@ -145,35 +159,37 @@ set_policy() {
|
|||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||
ret=0
|
||||
for i in $tables; do
|
||||
echo -n "$i "
|
||||
case "$i" in
|
||||
raw)
|
||||
$IPTABLES -t raw -P PREROUTING $policy \
|
||||
&& $IPTABLES -t raw -P OUTPUT $policy \
|
||||
$IPTABLES_CMD -t raw -P PREROUTING $policy \
|
||||
&& $IPTABLES_CMD -t raw -P OUTPUT $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
filter)
|
||||
$IPTABLES -t filter -P INPUT $policy \
|
||||
&& $IPTABLES -t filter -P OUTPUT $policy \
|
||||
&& $IPTABLES -t filter -P FORWARD $policy \
|
||||
$IPTABLES_CMD -t filter -P INPUT $policy \
|
||||
&& $IPTABLES_CMD -t filter -P OUTPUT $policy \
|
||||
&& $IPTABLES_CMD -t filter -P FORWARD $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
nat)
|
||||
$IPTABLES -t nat -P PREROUTING $policy \
|
||||
&& $IPTABLES -t nat -P POSTROUTING $policy \
|
||||
&& $IPTABLES -t nat -P OUTPUT $policy \
|
||||
$IPTABLES_CMD -t nat -P PREROUTING $policy \
|
||||
&& $IPTABLES_CMD -t nat -P POSTROUTING $policy \
|
||||
&& $IPTABLES_CMD -t nat -P OUTPUT $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
mangle)
|
||||
$IPTABLES -t mangle -P PREROUTING $policy \
|
||||
&& $IPTABLES -t mangle -P POSTROUTING $policy \
|
||||
&& $IPTABLES -t mangle -P INPUT $policy \
|
||||
&& $IPTABLES -t mangle -P OUTPUT $policy \
|
||||
&& $IPTABLES -t mangle -P FORWARD $policy \
|
||||
$IPTABLES_CMD -t mangle -P PREROUTING $policy \
|
||||
&& $IPTABLES_CMD -t mangle -P POSTROUTING $policy \
|
||||
&& $IPTABLES_CMD -t mangle -P INPUT $policy \
|
||||
&& $IPTABLES_CMD -t mangle -P OUTPUT $policy \
|
||||
&& $IPTABLES_CMD -t mangle -P FORWARD $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
security)
|
||||
# Ignore the security table
|
||||
;;
|
||||
*)
|
||||
let ret+=1
|
||||
;;
|
||||
|
@ -186,10 +202,11 @@ set_policy() {
|
|||
}
|
||||
|
||||
load_sysctl() {
|
||||
local ret=0
|
||||
|
||||
# load matched sysctl values
|
||||
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
|
||||
echo -n $"Loading sysctl settings: "
|
||||
ret=0
|
||||
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
||||
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
|
||||
let ret+=$?;
|
||||
|
@ -201,6 +218,8 @@ load_sysctl() {
|
|||
}
|
||||
|
||||
start() {
|
||||
local ret=0
|
||||
|
||||
# Do not start if there is no config file.
|
||||
if [ ! -f "$IPTABLES_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: No config file."; warning; echo
|
||||
|
@ -218,21 +237,15 @@ start() {
|
|||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
|
||||
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
|
||||
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
|
||||
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
|
||||
fi
|
||||
fi
|
||||
|
||||
$IPTABLES-restore $OPT $IPTABLES_DATA
|
||||
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
failure; echo;
|
||||
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
|
||||
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
|
||||
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
|
@ -246,7 +259,6 @@ start() {
|
|||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
ret=0
|
||||
for mod in $IPTABLES_MODULES; do
|
||||
echo -n "$mod "
|
||||
modprobe $mod > /dev/null 2>&1
|
||||
|
@ -264,6 +276,8 @@ start() {
|
|||
}
|
||||
|
||||
stop() {
|
||||
local ret=0
|
||||
|
||||
# Do not stop if iptables module is not loaded.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
|
||||
|
@ -271,23 +285,26 @@ stop() {
|
|||
# on systems where the default policy is DROP and root device is
|
||||
# network-based (i.e.: iSCSI, NFS)
|
||||
set_policy ACCEPT
|
||||
let ret+=$?
|
||||
# And then, flush the rules and delete chains
|
||||
flush_n_delete
|
||||
let ret+=$?
|
||||
|
||||
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
|
||||
echo -n $"${IPTABLES}: Unloading modules: "
|
||||
ret=0
|
||||
ret2=0
|
||||
for mod in ${NF_MODULES[*]}; do
|
||||
rmmod_r $mod
|
||||
let ret+=$?;
|
||||
let ret2+=$?;
|
||||
done
|
||||
# try to unload remaining netfilter modules used by ipv4 and ipv6
|
||||
# netfilter
|
||||
for mod in ${NF_MODULES_COMMON[*]}; do
|
||||
rmmod_r $mod >/dev/null
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
[ $ret2 -eq 0 ] && success || failure
|
||||
echo
|
||||
let ret+=$ret2
|
||||
fi
|
||||
|
||||
rm -f $VAR_SUBSYS_IPTABLES
|
||||
|
@ -295,6 +312,8 @@ stop() {
|
|||
}
|
||||
|
||||
save() {
|
||||
local ret=0
|
||||
|
||||
# Check if iptable module is loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||
|
@ -312,7 +331,6 @@ save() {
|
|||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
|
||||
ret=0
|
||||
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
|
||||
&& chmod 600 "$TMP_FILE" \
|
||||
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
|
||||
|
@ -374,6 +392,8 @@ status() {
|
|||
}
|
||||
|
||||
reload() {
|
||||
local ret=0
|
||||
|
||||
# Do not reload if there is no config file.
|
||||
if [ ! -f "$IPTABLES_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: No config file."; warning; echo
|
||||
|
@ -391,14 +411,8 @@ reload() {
|
|||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
|
||||
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
|
||||
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
|
||||
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
|
||||
fi
|
||||
fi
|
||||
|
||||
$IPTABLES-restore $OPT $IPTABLES_DATA
|
||||
$IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
|
@ -408,7 +422,6 @@ reload() {
|
|||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
ret=0
|
||||
for mod in $IPTABLES_MODULES; do
|
||||
echo -n "$mod "
|
||||
modprobe $mod > /dev/null 2>&1
|
||||
|
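Review bot: The new top-level wait-option block tests `[ $IPTABLES_RESTORE_WAIT -ne 0 ]` and `[ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]` unquoted, so an empty or non-numeric value from the sysconfig file makes `[` print `unary operator expected` and evaluate false, and every action (now including `stop` and the policy/flush helpers) silently runs iptables without `--wait`, which is the lock-contention failure the option exists to prevent. Presumably the defaults section above this hunk initializes both variables, but an explicit `IPTABLES_RESTORE_WAIT=` in iptables-config still empties them; quoting with a fallback, `if [ "${IPTABLES_RESTORE_WAIT:-0}" -ne 0 ]; then` and `if [ "${IPTABLES_RESTORE_WAIT_INTERVAL:-1000000}" -lt 1000000 ]; then`, keeps the block well-defined on bad input. Since the script already relies on bash (`+=`), building IPTABLES_CMD and IPTABLES_RESTORE_CMD as arrays and expanding them as `"${IPTABLES_CMD[@]}"` would also stop depending on word splitting of an unquoted string at every call site. flush_n_delete, set_policy, start, stop and reload are each only partially visible in these hunks.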
|
|
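--- /dev/null
+++ b/SOURCES/iptables.service.in
@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target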
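Review bot: The unit orders itself only with `After=syslog.target`, so nothing guarantees the saved ruleset is loaded before network interfaces come up; if the ruleset is deny-by-default that leaves a boot-time window in which the host is reachable unfiltered. Adding `Before=network-pre.target` and `Wants=network-pre.target` to [Unit] is the systemd-documented way to run a firewall loader ahead of network setup, and it composes with the `Before=ip6tables.service` line the spec splices in. `syslog.target` is a legacy ordering target on current systemd and `StandardOutput=syslog`/`StandardError=syslog` are deprecated in favour of `journal`, so those could be modernized in the same edit, though that part is cosmetic.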
|
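--- /dev/null
+++ b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch
@@ -0,0 +1,145 @@
+From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit af468b6e7f35d
+
+commit af468b6e7f35db09af10ae4ec65cc7803180a4b4
+Author: Phil Sutter <phil@nwl.cc>
+Date: Wed Sep 20 18:54:09 2017 +0200
+
+utils: Add a man page for nfnl_osf
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+configure.ac | 3 +-
+utils/.gitignore | 1 +
+utils/Makefile.am | 4 +++
+utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++
+4 files changed, 74 insertions(+), 1 deletion(-)
+create mode 100644 utils/nfnl_osf.8.in
+
+diff --git a/configure.ac b/configure.ac
+index af710cf5481c0..9046633ce5a4d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
+libiptc/Makefile libiptc/libiptc.pc
+libiptc/libip4tc.pc libiptc/libip6tc.pc
+libxtables/Makefile utils/Makefile
+- include/xtables-version.h include/iptables/internal.h])
++ include/xtables-version.h include/iptables/internal.h
++ utils/nfnl_osf.8])
+AC_OUTPUT
+
+
+diff --git a/utils/.gitignore b/utils/.gitignore
+index 216d1e4a621ed..7c6afbf4e6a52 100644
+--- a/utils/.gitignore
++++ b/utils/.gitignore
+@@ -1,2 +1,3 @@
+/nfnl_osf
++/nfnl_osf.8
+/nfbpf_compile
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index c4192a9e73688..80029e303ff3b 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
+
+sbin_PROGRAMS =
+pkgdata_DATA =
++man_MANS =
+
+if HAVE_LIBNFNETLINK
++man_MANS += nfnl_osf.8
+sbin_PROGRAMS += nfnl_osf
+pkgdata_DATA += pf.os
+
+@@ -23,3 +25,5 @@ if ENABLE_SYNCONF
+sbin_PROGRAMS += nfsynproxy
+nfsynproxy_LDADD = -lpcap
+endif
++
++CLEANFILES = nfnl_osf.8
+diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in
+new file mode 100644
+index 0000000000000..140b5c3f99a42
+--- /dev/null
++++ b/utils/nfnl_osf.8.in
+@@ -0,0 +1,67 @@
++.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
++
++.SH NAME
++nfnl_osf \- OS fingerprint loader utility
++.SH SYNOPSIS
++
++.ad l
++.in +8
++.ti -8
++.B nfnl_osf
++.BI -f " fingerprints"
++[
++.B -d
++]
++
++.SH DESCRIPTION
++The
++.B nfnl_osf
++utility allows to load a set of operating system signatures into the kernel for
++later matching against using iptables'
++.B osf
++match.
++
++.SH OPTIONS
++
++.TP
++.BI -f " fingerprints"
++Read signatures from file
++.IR fingerprints .
++
++.TP
++.B -d
++Instead of adding the signatures from
++.I fingerprints
++into the kernel, remove them.
++
++.SH EXIT STATUS
++Exit status is 0 if command succeeded, otherwise a negative return code
++indicates the type of error which happened:
++
++.TP
++.B -1
++Illegal arguments passed, fingerprints file not readable or failure in netlink
++communication.
++
++.TP
++.B -ENOENT
++Fingerprints file not specified.
++
++.TP
++.B -EINVAL
++Netlink handle initialization failed or fingerprints file format invalid.
++
++.SH FILES
++
++An up to date set of operating system signatures can be downloaded from
++http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
++
++.SH SEE ALSO
++
++The description of
++.B osf
++match in
++.BR iptables-extensions (8)
++contains further information about the topic as well as example
++.B nfnl_osf
++invocations.
+--
+2.17.0
+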
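Review bot: The EXIT STATUS section documents negative exit codes (`-1`, `-ENOENT`, `-EINVAL`), but a process exit status is truncated to 8 bits, so a caller actually observes 255, 254 and 234 on Linux and cannot tell `-ENOENT` from `-EINVAL` by name from a shell; the man page should describe what a script can test, for example `Exit status is 0 on success and non-zero on failure; the value is the negated errno as truncated to 8 bits by the kernel (e.g. 254 when no fingerprints file was specified).`, or the utility should be changed to return small positive codes. The FILES section points at the pf.os signature source over plain http; since these signatures are loaded into the kernel and drive match decisions, referencing the https URL or the packaged pf.os shipped in %{_datadir}/xtables is the safer pointer. The DESCRIPTION phrase `utility allows to load` reads better as `utility loads`.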
|
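--- /dev/null
+++ b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch
@@ -0,0 +1,43 @@
+From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit 1773dcaabb738
+
+commit 1773dcaabb73884666d30b926677f8232e5c04b3
+Author: Phil Sutter <phil@nwl.cc>
+Date: Wed Sep 20 18:54:08 2017 +0200
+
+utils: nfnl_osf: Fix synopsis in help text
+
+* -d is optional
+* -h is not really a flag, just anything not recognized triggers the
+help output.
+* That '<del rules>' bit is rather confusing than helpful.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+utils/nfnl_osf.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index bb5f92dc6d0aa..972128f47ba04 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -438,7 +438,7 @@ int main(int argc, char *argv[])
+break;
+default:
+fprintf(stderr,
+- "Usage: %s -f fingerprints -d <del rules> -h\n",
++ "Usage: %s -f fingerprints [-d]\n",
+argv[0]);
+return -1;
+}
+--
+2.17.0
+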
|
@ -7,11 +7,11 @@
|
|||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
Version: 1.4.21
|
||||
Release: 24%{?dist}
|
||||
Release: 28%{?dist}
|
||||
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
Source3: iptables.service
|
||||
Source3: iptables.service.in
|
||||
Source4: iptables.save-legacy
|
||||
Source5: sysconfig_iptables
|
||||
Source6: sysconfig_ip6tables
|
||||
|
@ -33,6 +33,12 @@ Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch
|
|||
Patch14: iptables-do_not_set_changed_for_check_options.patch
|
||||
Patch15: iptables-1.4.21-restore_version.patch
|
||||
Patch16: iptables-1.4.21-restore_wait_man.patch
|
||||
Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch
|
||||
Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch
|
||||
Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
|
||||
Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
|
||||
Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch
|
||||
Patch22: utils-Add-a-man-page-for-nfnl_osf.patch
|
||||
|
||||
Group: System Environment/Base
|
||||
URL: http://www.netfilter.org/
|
||||
|
@ -115,6 +121,12 @@ Currently only provides nfnl_osf with the pf.os database.
|
|||
%patch14 -p1 -b .do_not_set_changed_for_check_options
|
||||
%patch15 -p1 -b .restore_version
|
||||
%patch16 -p1 -b .restore_wait_man
|
||||
%patch17 -p1 -b .tcpmss_detect_invalid_ranges
|
||||
%patch18 -p1 -b .exit_unknown_option
|
||||
%patch19 -p1 -b .require_wait_value
|
||||
%patch20 -p1 -b .wait_interval_needs_wait
|
||||
%patch21 -p1 -b .nfnl_osf_synopsis
|
||||
%patch22 -p1 -b .nfnl_osf_man_page
|
||||
|
||||
%build
|
||||
# Since patches above touch configure.ac we must regen configure
|
||||
|
@ -164,8 +176,9 @@ sed -e 's;iptables;ip6tables;g' \
|
|||
-e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \
|
||||
-e 's;^\(After=.*\)$;\1 iptables.service;' \
|
||||
< %{SOURCE3} > ip6tables.service
|
||||
sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3}
|
||||
install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}
|
||||
sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \
|
||||
< %{SOURCE3} > iptables.service
|
||||
install -c -m 644 iptables.service %{buildroot}/%{_unitdir}
|
||||
install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}
|
||||
|
||||
# install legacy actions for service command
|
||||
|
@ -273,9 +286,28 @@ done
|
|||
%{_sbindir}/nfnl_osf
|
||||
%dir %{_datadir}/xtables
|
||||
%{_datadir}/xtables/pf.os
|
||||
%{_mandir}/man8/nfnl_osf*
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 05 2018 Phil Sutter - 1.4.21-28
|
||||
- Add nfnl_osf.8 man page (RHBZ#1487331)
|
||||
|
||||
* Fri May 11 2018 Phil Sutter - 1.4.21-27
|
||||
- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510)
|
||||
- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078)
|
||||
- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078)
|
||||
- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078)
|
||||
- Ignore security table when setting policies (RHBZ#1494012)
|
||||
- Fix spec file changing SRPM content (RHBZ#1531290)
|
||||
|
||||
* Thu Mar 29 2018 Phil Sutter - 1.4.21-26
|
||||
- Avoid overwriting parent's return code (RHBZ#1560012)
|
||||
|
||||
* Thu Mar 29 2018 Phil Sutter - 1.4.21-25
|
||||
- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012)
|
||||
- Propagate errors on service stop (RHBZ#1560012)
|
||||
|
||||
* Fri Nov 17 2017 Phil Sutter - 1.4.21-24
|
||||
- Fix fgrep call over multiple files in iptables.init
|
||||
|
||||
|
|