From 697205a21f102dbb4acfcb2faffb3033a98ba47c Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Tue, 27 Nov 2018 16:30:28 +0100 Subject: [PATCH] iptables package update Signed-off-by: basebuilder_pel7x64builder0 --- ...s-libxt_tcpmss-Detect-invalid-ranges.patch | 61 +++++++ ...ore-Don-t-accept-wait-interval-witho.patch | 61 +++++++ ...ore-Don-t-ignore-missing-wait-interv.patch | 42 +++++ ...-save-exit-when-given-an-unknown-opt.patch | 152 ++++++++++++++++++ SOURCES/iptables.init | 93 ++++++----- SOURCES/iptables.service.in | 18 +++ .../utils-Add-a-man-page-for-nfnl_osf.patch | 145 +++++++++++++++++ ...s-nfnl_osf-Fix-synopsis-in-help-text.patch | 43 +++++ SPECS/iptables.spec | 40 ++++- 9 files changed, 611 insertions(+), 44 deletions(-) create mode 100644 SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch create mode 100644 SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch create mode 100644 SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch create mode 100644 SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch create mode 100644 SOURCES/iptables.service.in create mode 100644 SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch create mode 100644 SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch diff --git a/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch new file mode 100644 index 00000000..e7658b09 --- /dev/null +++ b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch 
@@ -0,0 +1,61 @@ +From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 15:28:07 +0200 +Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510 +Upstream Status: iptables commit dbbab0aa328f1 + +commit dbbab0aa328f136502373a1031e64eb53fa113e5 +Author: Phil Sutter +Date: Mon Oct 9 15:47:39 2017 +0200 + + extensions: libxt_tcpmss: Detect invalid ranges + + Previously, an MSS range of e.g. 65535:1000 was silently accepted but + would then never match a packet since the kernel checks whether the MSS + value is greater than or equal to the first *and* less than or equal to + the second value. + + Detect this as a parameter problem and update the man page accordingly. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_tcpmss.c | 6 +++++- + extensions/libxt_tcpmss.man | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c +index c7c5971716294..bcd357aa3d8e2 100644 +--- a/extensions/libxt_tcpmss.c ++++ b/extensions/libxt_tcpmss.c +@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb) + xtables_option_parse(cb); + mssinfo->mss_min = cb->val.u16_range[0]; + mssinfo->mss_max = mssinfo->mss_min; +- if (cb->nvals == 2) ++ if (cb->nvals == 2) { + mssinfo->mss_max = cb->val.u16_range[1]; ++ if (mssinfo->mss_max < mssinfo->mss_min) ++ xtables_error(PARAMETER_PROBLEM, ++ "tcpmss: invalid range given"); ++ } + if (cb->invert) + mssinfo->invert = 1; + } +diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man +index 8ee715cdbfb07..8253c363418f8 100644 +--- a/extensions/libxt_tcpmss.man ++++ b/extensions/libxt_tcpmss.man +@@ -1,4 +1,4 @@ + This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. + .TP + [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] +-Match a given TCP MSS value or range. ++Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP. +-- +2.17.0 + diff --git a/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch new file mode 100644 index 00000000..60f605ff --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch 
@@ -0,0 +1,61 @@ +From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 16:34:48 +0200 +Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit 21ba5b3874fb3 + +commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2 +Author: Phil Sutter +Date: Wed Sep 20 19:34:36 2017 +0200 + + ip{,6}tables-restore: Don't accept wait-interval without wait + + If -W was given, error out if -w wasn't since that doesn't make + sense. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 5 +++++ + iptables/iptables-restore.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 0f85fee3593d5..e2a82c57bd426 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[]) + } + else in = stdin; + ++ if (!wait_interval.tv_sec && !wait) { ++ fprintf(stderr, "Option --wait-interval requires option --wait\n"); ++ exit(1); ++ } ++ + /* Grab standard input. */ + while (fgets(buffer, sizeof(buffer), in)) { + int ret = 0; +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 6d0df8d1c0f36..af0c79408631d 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[]) + } + else in = stdin; + ++ if (!wait_interval.tv_sec && !wait) { ++ fprintf(stderr, "Option --wait-interval requires option --wait\n"); ++ exit(1); ++ } ++ + /* Grab standard input. */ + while (fgets(buffer, sizeof(buffer), in)) { + int ret = 0; +-- +2.17.0 + 
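Review bot: The new guard `if (!wait_interval.tv_sec && !wait)` in ip6tables_restore_main, and the identical one in iptables_restore_main, infers that -W was given from tv_sec being zero, which only holds if wait_interval is initialised with a non-zero tv_sec and parse_wait_interval always clears it; neither is visible in this hunk, so the encoding should be spelled out, e.g. `/* -W always yields a sub-second interval (tv_sec == 0); -W without -w is a usage error */`. A dedicated flag set where -W is parsed would make the check independent of that encoding and survive a later change of the default interval. Both enclosing functions begin and end outside the hunk.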
diff --git a/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch new file mode 100644 index 00000000..d69e43a8 --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch @@ -0,0 +1,42 @@ +From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 16:34:48 +0200 +Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval + value + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit 60e0ffd365a2d + +commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92 +Author: Phil Sutter +Date: Wed Sep 20 19:34:35 2017 +0200 + + ip{,6}tables-restore: Don't ignore missing wait-interval value + + Passing -W without a value doesn't make sense so bail out if none was + given. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/xshared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 3fbe3b1a99b77..b8a81fd968361 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) + else if (xs_has_arg(argc, argv)) + arg = argv[optind++]; + else +- return; ++ xtables_error(PARAMETER_PROBLEM, "wait interval value required"); + + ret = sscanf(arg, "%u", &usec); + if (ret == 1) { +-- +2.17.0 + diff --git a/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch new file mode 100644 index 00000000..750fa48b --- /dev/null +++ b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch 
@@ -0,0 +1,152 @@ +From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 15:29:24 +0200 +Subject: [PATCH] iptables-restore/save: exit when given an unknown option + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit d89dc47ab3875 +Conflicts: + * Context changes in ip{6,}tables-restore.c + * xtables-{save,restore}.c not present here. + +commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e +Author: Vincent Bernat +Date: Sat Apr 15 12:16:47 2017 +0200 + + iptables-restore/save: exit when given an unknown option + + When an unknown option is given, iptables-restore should exit instead of + continue its operation. For example, if `--table` was misspelled, this + could lead to an unwanted change. Moreover, exit with a status code of + 1. Make the same change for iptables-save. + + OTOH, exit with a status code of 0 when requesting help. + + Signed-off-by: Vincent Bernat + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 10 +++++----- + iptables/ip6tables-save.c | 4 ++++ + iptables/iptables-restore.c | 10 +++++----- + iptables/iptables-save.c | 4 ++++ + 4 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 0b8b95607febf..0f85fee3593d5 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -48,8 +48,6 @@ static const struct option options[] = { + {NULL}, + }; + +-static void print_usage(const char *name, const char *version) __attribute__((noreturn)); +- + #define prog_name ip6tables_globals.program_name + #define prog_vers ip6tables_globals.program_version + +@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version) + " [ --wait-interval=\n" + " [ --noflush ]\n" + " [ --modprobe=]\n", name); +- +- exit(1); + } + + static struct xtc_handle *create_handle(const char *tablename) +@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[]) + case 'h': + print_usage("ip6tables-restore", + IPTABLES_VERSION); +- break; ++ exit(0); + case 'n': + noflush = 1; + break; +@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[]) + case 'T': + tablename = optarg; + break; ++ default: ++ fprintf(stderr, ++ "Try `ip6tables-restore -h' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c +index 3a1ded162fad1..a64d169fc1211 100644 +--- a/iptables/ip6tables-save.c ++++ b/iptables/ip6tables-save.c +@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[]) + case 'd': + do_output(tablename); + exit(0); ++ default: ++ fprintf(stderr, ++ "Look at manual page `ip6tables-save.8' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 7aab1e78d7e0e..6d0df8d1c0f36 100644 +--- a/iptables/iptables-restore.c ++++ 
b/iptables/iptables-restore.c +@@ -45,8 +45,6 @@ static const struct option options[] = { + {NULL}, + }; + +-static void print_usage(const char *name, const char *version) __attribute__((noreturn)); +- + #define prog_name iptables_globals.program_name + #define prog_vers iptables_globals.program_version + +@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version) + " [ --wait-interval=\n" + " [ --table= ]\n" + " [ --modprobe=]\n", name); +- +- exit(1); + } + + static struct xtc_handle *create_handle(const char *tablename) +@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[]) + case 'h': + print_usage("iptables-restore", + IPTABLES_VERSION); +- break; ++ exit(0); + case 'n': + noflush = 1; + break; +@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[]) + case 'T': + tablename = optarg; + break; ++ default: ++ fprintf(stderr, ++ "Try `iptables-restore -h' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c +index 21f8839e8cd82..87bc885735dc3 100644 +--- a/iptables/iptables-save.c ++++ b/iptables/iptables-save.c +@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[]) + case 'd': + do_output(tablename); + exit(0); ++ default: ++ fprintf(stderr, ++ "Look at manual page `iptables-save.8' for more information.\n"); ++ exit(1); + } + } + +-- +2.17.0 + diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init index b1c991be..73656d34 100755 --- a/SOURCES/iptables.init +++ b/SOURCES/iptables.init 
@@ -71,6 +71,17 @@ NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) +# Prepare commands for wait options +IPTABLES_CMD="$IPTABLES" +IPTABLES_RESTORE_CMD="$IPTABLES-restore" +if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="--wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + IPTABLES_CMD+=" $OPT" + IPTABLES_RESTORE_CMD+=" $OPT" +fi rmmod_r() { # Unload module with all referring modules. @@ -105,6 +116,8 @@ rmmod_r() { } flush_n_delete() { + local ret=0 + # Flush firewall rules and delete chains. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 @@ -112,19 +125,18 @@ flush_n_delete() { [ -z "$NF_TABLES" ] && return 1 echo -n $"${IPTABLES}: Flushing firewall rules: " - ret=0 # For all tables for i in $NF_TABLES; do # Flush firewall rules. - $IPTABLES -t $i -F; + $IPTABLES_CMD -t $i -F; let ret+=$?; # Delete firewall chains. - $IPTABLES -t $i -X; + $IPTABLES_CMD -t $i -X; let ret+=$?; # Set counter to zero. - $IPTABLES -t $i -Z; + $IPTABLES_CMD -t $i -Z; let ret+=$?; done @@ -134,6 +146,8 @@ flush_n_delete() { } set_policy() { + local ret=0 + # Set policy for configured tables. policy=$1 
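Review bot: The first hunk of iptables.init now appends `--wait`/`--wait-interval` to `IPTABLES_CMD` as well, so flush_n_delete (and set_policy) invoke the plain `iptables` binary with these options where previously only `iptables-restore` received them; nothing in the diff shows that this build's iptables accepts a seconds argument to `--wait` or knows `--wait-interval`, and if it does not, every flush and policy change fails and, with the new `let ret+=$?` propagation in stop(), the stop action reports failure. Please confirm against the patched binary or keep the options on `IPTABLES_RESTORE_CMD` only. The test `[ $IPTABLES_RESTORE_WAIT -ne 0 ]` also moved from start()/reload() to top level, where it now runs for every action including status and save; with an empty or unset value from iptables-config it fails with a test error and silently skips the block, so `if [ "${IPTABLES_RESTORE_WAIT:-0}" -ne 0 ]; then` (and the same for `IPTABLES_RESTORE_WAIT_INTERVAL`) would be more robust.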
@@ -145,35 +159,37 @@ set_policy() { [ -z "$tables" ] && return 1 echo -n $"${IPTABLES}: Setting chains to policy $policy: " - ret=0 for i in $tables; do echo -n "$i " case "$i" in raw) - $IPTABLES -t raw -P PREROUTING $policy \ - && $IPTABLES -t raw -P OUTPUT $policy \ + $IPTABLES_CMD -t raw -P PREROUTING $policy \ + && $IPTABLES_CMD -t raw -P OUTPUT $policy \ || let ret+=1 ;; filter) - $IPTABLES -t filter -P INPUT $policy \ - && $IPTABLES -t filter -P OUTPUT $policy \ - && $IPTABLES -t filter -P FORWARD $policy \ + $IPTABLES_CMD -t filter -P INPUT $policy \ + && $IPTABLES_CMD -t filter -P OUTPUT $policy \ + && $IPTABLES_CMD -t filter -P FORWARD $policy \ || let ret+=1 ;; nat) - $IPTABLES -t nat -P PREROUTING $policy \ - && $IPTABLES -t nat -P POSTROUTING $policy \ - && $IPTABLES -t nat -P OUTPUT $policy \ + $IPTABLES_CMD -t nat -P PREROUTING $policy \ + && $IPTABLES_CMD -t nat -P POSTROUTING $policy \ + && $IPTABLES_CMD -t nat -P OUTPUT $policy \ || let ret+=1 ;; mangle) - $IPTABLES -t mangle -P PREROUTING $policy \ - && $IPTABLES -t mangle -P POSTROUTING $policy \ - && $IPTABLES -t mangle -P INPUT $policy \ - && $IPTABLES -t mangle -P OUTPUT $policy \ - && $IPTABLES -t mangle -P FORWARD $policy \ + $IPTABLES_CMD -t mangle -P PREROUTING $policy \ + && $IPTABLES_CMD -t mangle -P POSTROUTING $policy \ + && $IPTABLES_CMD -t mangle -P INPUT $policy \ + && $IPTABLES_CMD -t mangle -P OUTPUT $policy \ + && $IPTABLES_CMD -t mangle -P FORWARD $policy \ || let ret+=1 ;; + security) + # Ignore the security table + ;; *) let ret+=1 ;; @@ -186,10 +202,11 @@ set_policy() { } load_sysctl() { + local ret=0 + # load matched sysctl values if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then echo -n $"Loading sysctl settings: " - ret=0 for item in $IPTABLES_SYSCTL_LOAD_LIST; do fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null let ret+=$?; 
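Review bot: The new `security)` case in set_policy says what it does but not why the table is skipped, so a reader will assume a policy was forgotten; the changelog attributes the change to RHBZ#1494012, so `# security table: leave its chain policies untouched (RHBZ#1494012)` would carry the reason. If the table is skipped because policies there are owned by another component, naming that component in the comment would be even better. set_policy begins outside this hunk.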
@@ -201,6 +218,8 @@ load_sysctl() { } start() { + local ret=0 + # Do not start if there is no config file. if [ ! -f "$IPTABLES_DATA" ]; then echo -n $"${IPTABLES}: No config file."; warning; echo @@ -218,21 +237,15 @@ start() { OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" - if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then - OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" - if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then - OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" - fi - fi - $IPTABLES-restore $OPT $IPTABLES_DATA + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; if [ -f "$IPTABLES_FALLBACK_DATA" ]; then echo -n $"${IPTABLES}: Applying firewall fallback rules: " - $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA if [ $? -eq 0 ]; then success; echo else @@ -246,7 +259,6 @@ start() { # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " - ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 @@ -264,6 +276,8 @@ start() { } stop() { + local ret=0 + # Do not stop if iptables module is not loaded. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 @@ -271,23 +285,26 @@ stop() { # on systems where the default policy is DROP and root device is # network-based (i.e.: iSCSI, NFS) set_policy ACCEPT + let ret+=$? # And then, flush the rules and delete chains flush_n_delete + let ret+=$? if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then echo -n $"${IPTABLES}: Unloading modules: " - ret=0 + ret2=0 for mod in ${NF_MODULES[*]}; do rmmod_r $mod - let ret+=$?; + let ret2+=$?; done # try to unload remaining netfilter modules used by ipv4 and ipv6 # netfilter for mod in ${NF_MODULES_COMMON[*]}; do rmmod_r $mod >/dev/null done - [ $ret -eq 0 ] && success || failure + [ $ret2 -eq 0 ] && success || failure echo + let ret+=$ret2 fi rm -f $VAR_SUBSYS_IPTABLES 
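Review bot: In the stop() hunk `ret2=0` is introduced without `local`, unlike the `local ret=0` this commit adds to every other function, so the module-unload counter leaks into the script's global scope; make it `local ret2=0`. The new `let ret+=$?` lines after `set_policy ACCEPT` and `flush_n_delete` also propagate those functions' `return 1` for an empty table list (visible as `[ -z "$tables" ] && return 1` and `[ -z "$NF_TABLES" ] && return 1` in the earlier hunks), so a host with the module loaded but no active tables would now report a failed stop; confirm that this is intended or treat that case as success. stop() continues outside the hunk.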
@@ -295,6 +312,8 @@ stop() { } save() { + local ret=0 + # Check if iptable module is loaded if [ ! -e "$PROC_IPTABLES_NAMES" ]; then echo -n $"${IPTABLES}: Nothing to save."; warning; echo @@ -312,7 +331,6 @@ save() { OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" - ret=0 TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ && chmod 600 "$TMP_FILE" \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ @@ -374,6 +392,8 @@ status() { } reload() { + local ret=0 + # Do not reload if there is no config file. if [ ! -f "$IPTABLES_DATA" ]; then echo -n $"${IPTABLES}: No config file."; warning; echo @@ -391,14 +411,8 @@ reload() { OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" - if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then - OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" - if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then - OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" - fi - fi - $IPTABLES-restore $OPT $IPTABLES_DATA + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA if [ $? -eq 0 ]; then success; echo else @@ -408,7 +422,6 @@ reload() { # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " - ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 diff --git a/SOURCES/iptables.service.in b/SOURCES/iptables.service.in new file mode 100644 index 00000000..6722c7ad --- /dev/null +++ b/SOURCES/iptables.service.in @@ -0,0 +1,18 @@ +[Unit] +Description=IPv4 firewall with iptables +After=syslog.target +AssertPathExists=/etc/sysconfig/iptables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=basic.target 
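Review bot: The new iptables.service.in orders the unit only with `After=syslog.target` and installs it into basic.target, so nothing guarantees the ruleset is loaded before network interfaces are configured; if the intent is a firewall that is in place before the network comes up, add `Wants=network-pre.target` and `Before=network-pre.target` to `[Unit]`. `AssertPathExists=/etc/sysconfig/iptables` makes the unit fail loudly when the config is missing, which is the right choice for a firewall, but it is stricter than the init script, which only prints a warning when `$IPTABLES_DATA` is absent (presumably the same file); a one-line comment above the assertion stating that this is deliberate would help the next maintainer.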
diff --git a/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch new file mode 100644 index 00000000..53e1a4d0 --- /dev/null +++ b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch @@ -0,0 +1,145 @@ +From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 5 Jun 2018 14:49:54 +0200 +Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331 +Upstream Status: iptables commit af468b6e7f35d + +commit af468b6e7f35db09af10ae4ec65cc7803180a4b4 +Author: Phil Sutter +Date: Wed Sep 20 18:54:09 2017 +0200 + + utils: Add a man page for nfnl_osf + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + configure.ac | 3 +- + utils/.gitignore | 1 + + utils/Makefile.am | 4 +++ + utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 74 insertions(+), 1 deletion(-) + create mode 100644 utils/nfnl_osf.8.in + +diff --git a/configure.ac b/configure.ac +index af710cf5481c0..9046633ce5a4d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + libiptc/Makefile libiptc/libiptc.pc + libiptc/libip4tc.pc libiptc/libip6tc.pc + libxtables/Makefile utils/Makefile +- include/xtables-version.h include/iptables/internal.h]) ++ include/xtables-version.h include/iptables/internal.h ++ utils/nfnl_osf.8]) + AC_OUTPUT + + +diff --git a/utils/.gitignore b/utils/.gitignore +index 216d1e4a621ed..7c6afbf4e6a52 100644 +--- a/utils/.gitignore ++++ b/utils/.gitignore +@@ -1,2 +1,3 @@ + /nfnl_osf ++/nfnl_osf.8 + /nfbpf_compile +diff --git a/utils/Makefile.am b/utils/Makefile.am +index c4192a9e73688..80029e303ff3b 100644 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ + + sbin_PROGRAMS = + pkgdata_DATA = ++man_MANS = + + if HAVE_LIBNFNETLINK ++man_MANS += nfnl_osf.8 + sbin_PROGRAMS += nfnl_osf + pkgdata_DATA += pf.os + +@@ -23,3 +25,5 @@ if ENABLE_SYNCONF + sbin_PROGRAMS += nfsynproxy + nfsynproxy_LDADD = -lpcap + endif ++ ++CLEANFILES = nfnl_osf.8 +diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in +new file mode 100644 +index 0000000000000..140b5c3f99a42 +--- /dev/null ++++ b/utils/nfnl_osf.8.in +@@ -0,0 +1,67 @@ ++.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" ++ ++.SH NAME ++nfnl_osf \- OS fingerprint loader utility ++.SH SYNOPSIS ++ ++.ad l ++.in +8 ++.ti -8 ++.B nfnl_osf ++.BI -f " fingerprints" ++[ ++.B -d ++] ++ ++.SH DESCRIPTION ++The ++.B nfnl_osf ++utility allows to load a set of operating system signatures 
into the kernel for ++later matching against using iptables' ++.B osf ++match. ++ ++.SH OPTIONS ++ ++.TP ++.BI -f " fingerprints" ++Read signatures from file ++.IR fingerprints . ++ ++.TP ++.B -d ++Instead of adding the signatures from ++.I fingerprints ++into the kernel, remove them. ++ ++.SH EXIT STATUS ++Exit status is 0 if command succeeded, otherwise a negative return code ++indicates the type of error which happened: ++ ++.TP ++.B -1 ++Illegal arguments passed, fingerprints file not readable or failure in netlink ++communication. ++ ++.TP ++.B -ENOENT ++Fingerprints file not specified. ++ ++.TP ++.B -EINVAL ++Netlink handle initialization failed or fingerprints file format invalid. ++ ++.SH FILES ++ ++An up to date set of operating system signatures can be downloaded from ++http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . ++ ++.SH SEE ALSO ++ ++The description of ++.B osf ++match in ++.BR iptables-extensions (8) ++contains further information about the topic as well as example ++.B nfnl_osf ++invocations. +-- +2.17.0 + diff --git a/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch new file mode 100644 index 00000000..4c77002f --- /dev/null +++ b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch @@ -0,0 +1,43 @@ +From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 5 Jun 2018 14:49:54 +0200 +Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331 +Upstream Status: iptables commit 1773dcaabb738 + +commit 1773dcaabb73884666d30b926677f8232e5c04b3 +Author: Phil Sutter +Date: Wed Sep 20 18:54:08 2017 +0200 + + utils: nfnl_osf: Fix synopsis in help text + + * -d is optional + * -h is not really a flag, just anything not recognized triggers the + help output. + * That '' bit is rather confusing than helpful. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index bb5f92dc6d0aa..972128f47ba04 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -438,7 +438,7 @@ int main(int argc, char *argv[]) + break; + default: + fprintf(stderr, +- "Usage: %s -f fingerprints -d -h\n", ++ "Usage: %s -f fingerprints [-d]\n", + argv[0]); + return -1; + } +-- +2.17.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index f30613cb..22d331f8 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -7,11 +7,11 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 24%{?dist} +Release: 28%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config -Source3: iptables.service +Source3: iptables.service.in Source4: iptables.save-legacy Source5: sysconfig_iptables Source6: sysconfig_ip6tables @@ -33,6 +33,12 @@ Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch Patch14: iptables-do_not_set_changed_for_check_options.patch Patch15: iptables-1.4.21-restore_version.patch Patch16: iptables-1.4.21-restore_wait_man.patch +Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch +Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch +Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch +Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch +Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch +Patch22: utils-Add-a-man-page-for-nfnl_osf.patch Group: System Environment/Base URL: http://www.netfilter.org/ 
@@ -115,6 +121,12 @@ Currently only provides nfnl_osf with the pf.os database. %patch14 -p1 -b .do_not_set_changed_for_check_options %patch15 -p1 -b .restore_version %patch16 -p1 -b .restore_wait_man +%patch17 -p1 -b .tcpmss_detect_invalid_ranges +%patch18 -p1 -b .exit_unknown_option +%patch19 -p1 -b .require_wait_value +%patch20 -p1 -b .wait_interval_needs_wait +%patch21 -p1 -b .nfnl_osf_synopsis +%patch22 -p1 -b .nfnl_osf_man_page %build # Since patches above touch configure.ac we must regen configure @@ -164,8 +176,9 @@ sed -e 's;iptables;ip6tables;g' \ -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \ -e 's;^\(After=.*\)$;\1 iptables.service;' \ < %{SOURCE3} > ip6tables.service -sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3} -install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir} +sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \ + < %{SOURCE3} > iptables.service +install -c -m 644 iptables.service %{buildroot}/%{_unitdir} install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir} # install legacy actions for service command 
@@ -273,9 +286,28 @@ done %{_sbindir}/nfnl_osf %dir %{_datadir}/xtables %{_datadir}/xtables/pf.os +%{_mandir}/man8/nfnl_osf* %changelog +* Tue Jun 05 2018 Phil Sutter - 1.4.21-28 +- Add nfnl_osf.8 man page (RHBZ#1487331) + +* Fri May 11 2018 Phil Sutter - 1.4.21-27 +- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510) +- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078) +- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078) +- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078) +- Ignore security table when setting policies (RHBZ#1494012) +- Fix spec file changing SRPM content (RHBZ#1531290) + +* Thu Mar 29 2018 Phil Sutter - 1.4.21-26 +- Avoid overwriting parent's return code (RHBZ#1560012) + +* Thu Mar 29 2018 Phil Sutter - 1.4.21-25 +- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012) +- Propagate errors on service stop (RHBZ#1560012) + * Fri Nov 17 2017 Phil Sutter - 1.4.21-24 - Fix fgrep call over multiple files in iptables.init