powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2018-11-27 16:30:28 +01:00
parent 2e8b038b6e
commit 697205a21f
9 changed files with 611 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch Normal file
View File

@ -0,0 +1,61 @@
From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 11 May 2018 15:28:07 +0200
Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510
Upstream Status: iptables commit dbbab0aa328f1

commit dbbab0aa328f136502373a1031e64eb53fa113e5
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Oct 9 15:47:39 2017 +0200

extensions: libxt_tcpmss: Detect invalid ranges

Previously, an MSS range of e.g. 65535:1000 was silently accepted but
would then never match a packet since the kernel checks whether the MSS
value is greater than or equal to the first *and* less than or equal to
the second value.

Detect this as a parameter problem and update the man page accordingly.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_tcpmss.c | 6 +++++-
extensions/libxt_tcpmss.man | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index c7c5971716294..bcd357aa3d8e2 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
mssinfo->mss_min = cb->val.u16_range[0];
mssinfo->mss_max = mssinfo->mss_min;
- if (cb->nvals == 2)
+ if (cb->nvals == 2) {
mssinfo->mss_max = cb->val.u16_range[1];
+ if (mssinfo->mss_max < mssinfo->mss_min)
+ xtables_error(PARAMETER_PROBLEM,
+ "tcpmss: invalid range given");
+ }
if (cb->invert)
mssinfo->invert = 1;
}
diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
index 8ee715cdbfb07..8253c363418f8 100644
--- a/extensions/libxt_tcpmss.man
+++ b/extensions/libxt_tcpmss.man
@@ -1,4 +1,4 @@
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
.TP
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
-Match a given TCP MSS value or range.
+Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
--
2.17.0

61
SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch Normal file
View File

@ -0,0 +1,61 @@
From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 11 May 2018 16:34:48 +0200
Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
Upstream Status: iptables commit 21ba5b3874fb3

commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 20 19:34:36 2017 +0200

ip{,6}tables-restore: Don't accept wait-interval without wait

If -W <val> was given, error out if -w wasn't since that doesn't make
sense.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables-restore.c | 5 +++++
iptables/iptables-restore.c | 5 +++++
2 files changed, 10 insertions(+)

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 0f85fee3593d5..e2a82c57bd426 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[])
}
else in = stdin;
+ if (!wait_interval.tv_sec && !wait) {
+ fprintf(stderr, "Option --wait-interval requires option --wait\n");
+ exit(1);
+ }
+
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 6d0df8d1c0f36..af0c79408631d 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[])
}
else in = stdin;
+ if (!wait_interval.tv_sec && !wait) {
+ fprintf(stderr, "Option --wait-interval requires option --wait\n");
+ exit(1);
+ }
+
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
--
2.17.0

42
SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch Normal file
View File

@ -0,0 +1,42 @@
From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 11 May 2018 16:34:48 +0200
Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval
value

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
Upstream Status: iptables commit 60e0ffd365a2d

commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 20 19:34:35 2017 +0200

ip{,6}tables-restore: Don't ignore missing wait-interval value

Passing -W without a value doesn't make sense so bail out if none was
given.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xshared.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/xshared.c b/iptables/xshared.c
index 3fbe3b1a99b77..b8a81fd968361 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
else if (xs_has_arg(argc, argv))
arg = argv[optind++];
else
- return;
+ xtables_error(PARAMETER_PROBLEM, "wait interval value required");
ret = sscanf(arg, "%u", &usec);
if (ret == 1) {
--
2.17.0

152
SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch Normal file
View File

@ -0,0 +1,152 @@
From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 11 May 2018 15:29:24 +0200
Subject: [PATCH] iptables-restore/save: exit when given an unknown option

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
Upstream Status: iptables commit d89dc47ab3875
Conflicts:
* Context changes in ip{6,}tables-restore.c
* xtables-{save,restore}.c not present here.

commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e
Author: Vincent Bernat <vincent@bernat.im>
Date: Sat Apr 15 12:16:47 2017 +0200

iptables-restore/save: exit when given an unknown option

When an unknown option is given, iptables-restore should exit instead of
continue its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.

OTOH, exit with a status code of 0 when requesting help.

Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables-restore.c | 10 +++++-----
iptables/ip6tables-save.c | 4 ++++
iptables/iptables-restore.c | 10 +++++-----
iptables/iptables-save.c | 4 ++++
4 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 0b8b95607febf..0f85fee3593d5 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -48,8 +48,6 @@ static const struct option options[] = {
{NULL},
};
-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
-
#define prog_name ip6tables_globals.program_name
#define prog_vers ip6tables_globals.program_version
@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version)
" [ --wait-interval=<usecs>\n"
" [ --noflush ]\n"
" [ --modprobe=<command>]\n", name);
-
- exit(1);
}
static struct xtc_handle *create_handle(const char *tablename)
@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[])
case 'h':
print_usage("ip6tables-restore",
IPTABLES_VERSION);
- break;
+ exit(0);
case 'n':
noflush = 1;
break;
@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[])
case 'T':
tablename = optarg;
break;
+ default:
+ fprintf(stderr,
+ "Try `ip6tables-restore -h' for more information.\n");
+ exit(1);
}
}
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 3a1ded162fad1..a64d169fc1211 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[])
case 'd':
do_output(tablename);
exit(0);
+ default:
+ fprintf(stderr,
+ "Look at manual page `ip6tables-save.8' for more information.\n");
+ exit(1);
}
}
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 7aab1e78d7e0e..6d0df8d1c0f36 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -45,8 +45,6 @@ static const struct option options[] = {
{NULL},
};
-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
-
#define prog_name iptables_globals.program_name
#define prog_vers iptables_globals.program_version
@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version)
" [ --wait-interval=<usecs>\n"
" [ --table=<TABLE> ]\n"
" [ --modprobe=<command>]\n", name);
-
- exit(1);
}
static struct xtc_handle *create_handle(const char *tablename)
@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[])
case 'h':
print_usage("iptables-restore",
IPTABLES_VERSION);
- break;
+ exit(0);
case 'n':
noflush = 1;
break;
@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[])
case 'T':
tablename = optarg;
break;
+ default:
+ fprintf(stderr,
+ "Try `iptables-restore -h' for more information.\n");
+ exit(1);
}
}
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 21f8839e8cd82..87bc885735dc3 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[])
case 'd':
do_output(tablename);
exit(0);
+ default:
+ fprintf(stderr,
+ "Look at manual page `iptables-save.8' for more information.\n");
+ exit(1);
}
}
--
2.17.0

93
SOURCES/iptables.init
View File

@ -71,6 +71,17 @@ NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
# Get active tables # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)


# Prepare commands for wait options
IPTABLES_CMD="$IPTABLES"
IPTABLES_RESTORE_CMD="$IPTABLES-restore"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="--wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
IPTABLES_CMD+=" $OPT"
IPTABLES_RESTORE_CMD+=" $OPT"
fi


rmmod_r() { rmmod_r() {
# Unload module with all referring modules. # Unload module with all referring modules.
@ -105,6 +116,8 @@ rmmod_r() {
} }


flush_n_delete() { flush_n_delete() {
local ret=0

# Flush firewall rules and delete chains. # Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0


@ -112,19 +125,18 @@ flush_n_delete() {
[ -z "$NF_TABLES" ] && return 1 [ -z "$NF_TABLES" ] && return 1


echo -n $"${IPTABLES}: Flushing firewall rules: " echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables # For all tables
for i in $NF_TABLES; do for i in $NF_TABLES; do
# Flush firewall rules. # Flush firewall rules.
$IPTABLES -t $i -F; $IPTABLES_CMD -t $i -F;
let ret+=$?; let ret+=$?;


# Delete firewall chains. # Delete firewall chains.
$IPTABLES -t $i -X; $IPTABLES_CMD -t $i -X;
let ret+=$?; let ret+=$?;


# Set counter to zero. # Set counter to zero.
$IPTABLES -t $i -Z; $IPTABLES_CMD -t $i -Z;
let ret+=$?; let ret+=$?;
done done


@ -134,6 +146,8 @@ flush_n_delete() {
} }


set_policy() { set_policy() {
local ret=0

# Set policy for configured tables. # Set policy for configured tables.
policy=$1 policy=$1


@ -145,35 +159,37 @@ set_policy() {
[ -z "$tables" ] && return 1 [ -z "$tables" ] && return 1


echo -n $"${IPTABLES}: Setting chains to policy $policy: " echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do for i in $tables; do
echo -n "$i " echo -n "$i "
case "$i" in case "$i" in
raw) raw)
$IPTABLES -t raw -P PREROUTING $policy \ $IPTABLES_CMD -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \ && $IPTABLES_CMD -t raw -P OUTPUT $policy \
|| let ret+=1 || let ret+=1
;; ;;
filter) filter)
$IPTABLES -t filter -P INPUT $policy \ $IPTABLES_CMD -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \ && $IPTABLES_CMD -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \ && $IPTABLES_CMD -t filter -P FORWARD $policy \
|| let ret+=1 || let ret+=1
;; ;;
nat) nat)
$IPTABLES -t nat -P PREROUTING $policy \ $IPTABLES_CMD -t nat -P PREROUTING $policy \
&& $IPTABLES -t nat -P POSTROUTING $policy \ && $IPTABLES_CMD -t nat -P POSTROUTING $policy \
&& $IPTABLES -t nat -P OUTPUT $policy \ && $IPTABLES_CMD -t nat -P OUTPUT $policy \
|| let ret+=1 || let ret+=1
;; ;;
mangle) mangle)
$IPTABLES -t mangle -P PREROUTING $policy \ $IPTABLES_CMD -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \ && $IPTABLES_CMD -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \ && $IPTABLES_CMD -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \ && $IPTABLES_CMD -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \ && $IPTABLES_CMD -t mangle -P FORWARD $policy \
|| let ret+=1 || let ret+=1
;; ;;
security)
# Ignore the security table
;;
*) *)
let ret+=1 let ret+=1
;; ;;
@ -186,10 +202,11 @@ set_policy() {
} }


load_sysctl() { load_sysctl() {
local ret=0

# load matched sysctl values # load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: " echo -n $"Loading sysctl settings: "
ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
let ret+=$?; let ret+=$?;
@ -201,6 +218,8 @@ load_sysctl() {
} }


start() { start() {
local ret=0

# Do not start if there is no config file. # Do not start if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo echo -n $"${IPTABLES}: No config file."; warning; echo
@ -218,21 +237,15 @@ start() {


OPT= OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi


$IPTABLES-restore $OPT $IPTABLES_DATA $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
success; echo success; echo
else else
failure; echo; failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: " echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA $IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
success; echo success; echo
else else
@ -246,7 +259,6 @@ start() {
# Load additional modules (helpers) # Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: " echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do for mod in $IPTABLES_MODULES; do
echo -n "$mod " echo -n "$mod "
modprobe $mod > /dev/null 2>&1 modprobe $mod > /dev/null 2>&1
@ -264,6 +276,8 @@ start() {
} }


stop() { stop() {
local ret=0

# Do not stop if iptables module is not loaded. # Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0


@ -271,23 +285,26 @@ stop() {
# on systems where the default policy is DROP and root device is # on systems where the default policy is DROP and root device is
# network-based (i.e.: iSCSI, NFS) # network-based (i.e.: iSCSI, NFS)
set_policy ACCEPT set_policy ACCEPT
let ret+=$?
# And then, flush the rules and delete chains # And then, flush the rules and delete chains
flush_n_delete flush_n_delete
let ret+=$?
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: " echo -n $"${IPTABLES}: Unloading modules: "
ret=0 ret2=0
for mod in ${NF_MODULES[*]}; do for mod in ${NF_MODULES[*]}; do
rmmod_r $mod rmmod_r $mod
let ret+=$?; let ret2+=$?;
done done
# try to unload remaining netfilter modules used by ipv4 and ipv6 # try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter # netfilter
for mod in ${NF_MODULES_COMMON[*]}; do for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null rmmod_r $mod >/dev/null
done done
[ $ret -eq 0 ] && success || failure [ $ret2 -eq 0 ] && success || failure
echo echo
let ret+=$ret2
fi fi
rm -f $VAR_SUBSYS_IPTABLES rm -f $VAR_SUBSYS_IPTABLES
@ -295,6 +312,8 @@ stop() {
} }


save() { save() {
local ret=0

# Check if iptable module is loaded # Check if iptable module is loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo echo -n $"${IPTABLES}: Nothing to save."; warning; echo
@ -312,7 +331,6 @@ save() {
OPT= OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"


ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \ && chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
@ -374,6 +392,8 @@ status() {
} }


reload() { reload() {
local ret=0

# Do not reload if there is no config file. # Do not reload if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo echo -n $"${IPTABLES}: No config file."; warning; echo
@ -391,14 +411,8 @@ reload() {


OPT= OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi


$IPTABLES-restore $OPT $IPTABLES_DATA $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
success; echo success; echo
else else
@ -408,7 +422,6 @@ reload() {
# Load additional modules (helpers) # Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: " echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do for mod in $IPTABLES_MODULES; do
echo -n "$mod " echo -n "$mod "
modprobe $mod > /dev/null 2>&1 modprobe $mod > /dev/null 2>&1

18
SOURCES/iptables.service.in Normal file
View File

@ -0,0 +1,18 @@
[Unit]
Description=IPv4 firewall with iptables
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target

145
SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch Normal file
View File

@ -0,0 +1,145 @@
From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 5 Jun 2018 14:49:54 +0200
Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
Upstream Status: iptables commit af468b6e7f35d

commit af468b6e7f35db09af10ae4ec65cc7803180a4b4
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 20 18:54:09 2017 +0200

utils: Add a man page for nfnl_osf

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
configure.ac | 3 +-
utils/.gitignore | 1 +
utils/Makefile.am | 4 +++
utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 74 insertions(+), 1 deletion(-)
create mode 100644 utils/nfnl_osf.8.in

diff --git a/configure.ac b/configure.ac
index af710cf5481c0..9046633ce5a4d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
libiptc/Makefile libiptc/libiptc.pc
libiptc/libip4tc.pc libiptc/libip6tc.pc
libxtables/Makefile utils/Makefile
- include/xtables-version.h include/iptables/internal.h])
+ include/xtables-version.h include/iptables/internal.h
+ utils/nfnl_osf.8])
AC_OUTPUT
diff --git a/utils/.gitignore b/utils/.gitignore
index 216d1e4a621ed..7c6afbf4e6a52 100644
--- a/utils/.gitignore
+++ b/utils/.gitignore
@@ -1,2 +1,3 @@
/nfnl_osf
+/nfnl_osf.8
/nfbpf_compile
diff --git a/utils/Makefile.am b/utils/Makefile.am
index c4192a9e73688..80029e303ff3b 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
sbin_PROGRAMS =
pkgdata_DATA =
+man_MANS =
if HAVE_LIBNFNETLINK
+man_MANS += nfnl_osf.8
sbin_PROGRAMS += nfnl_osf
pkgdata_DATA += pf.os
@@ -23,3 +25,5 @@ if ENABLE_SYNCONF
sbin_PROGRAMS += nfsynproxy
nfsynproxy_LDADD = -lpcap
endif
+
+CLEANFILES = nfnl_osf.8
diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in
new file mode 100644
index 0000000000000..140b5c3f99a42
--- /dev/null
+++ b/utils/nfnl_osf.8.in
@@ -0,0 +1,67 @@
+.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
+
+.SH NAME
+nfnl_osf \- OS fingerprint loader utility
+.SH SYNOPSIS
+
+.ad l
+.in +8
+.ti -8
+.B nfnl_osf
+.BI -f " fingerprints"
+[
+.B -d
+]
+
+.SH DESCRIPTION
+The
+.B nfnl_osf
+utility allows to load a set of operating system signatures into the kernel for
+later matching against using iptables'
+.B osf
+match.
+
+.SH OPTIONS
+
+.TP
+.BI -f " fingerprints"
+Read signatures from file
+.IR fingerprints .
+
+.TP
+.B -d
+Instead of adding the signatures from
+.I fingerprints
+into the kernel, remove them.
+
+.SH EXIT STATUS
+Exit status is 0 if command succeeded, otherwise a negative return code
+indicates the type of error which happened:
+
+.TP
+.B -1
+Illegal arguments passed, fingerprints file not readable or failure in netlink
+communication.
+
+.TP
+.B -ENOENT
+Fingerprints file not specified.
+
+.TP
+.B -EINVAL
+Netlink handle initialization failed or fingerprints file format invalid.
+
+.SH FILES
+
+An up to date set of operating system signatures can be downloaded from
+http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
+
+.SH SEE ALSO
+
+The description of
+.B osf
+match in
+.BR iptables-extensions (8)
+contains further information about the topic as well as example
+.B nfnl_osf
+invocations.
--
2.17.0

43
SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch Normal file
View File

@ -0,0 +1,43 @@
From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 5 Jun 2018 14:49:54 +0200
Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
Upstream Status: iptables commit 1773dcaabb738

commit 1773dcaabb73884666d30b926677f8232e5c04b3
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 20 18:54:08 2017 +0200

utils: nfnl_osf: Fix synopsis in help text

* -d is optional
* -h is not really a flag, just anything not recognized triggers the
help output.
* That '<del rules>' bit is rather confusing than helpful.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
utils/nfnl_osf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index bb5f92dc6d0aa..972128f47ba04 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -438,7 +438,7 @@ int main(int argc, char *argv[])
break;
default:
fprintf(stderr,
- "Usage: %s -f fingerprints -d <del rules> -h\n",
+ "Usage: %s -f fingerprints [-d]\n",
argv[0]);
return -1;
}
--
2.17.0

40
SPECS/iptables.spec
View File

@ -7,11 +7,11 @@
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.4.21 Version: 1.4.21
Release: 24%{?dist} Release: 28%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
Source3: iptables.service Source3: iptables.service.in
Source4: iptables.save-legacy Source4: iptables.save-legacy
Source5: sysconfig_iptables Source5: sysconfig_iptables
Source6: sysconfig_ip6tables Source6: sysconfig_ip6tables
@ -33,6 +33,12 @@ Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch
Patch14: iptables-do_not_set_changed_for_check_options.patch Patch14: iptables-do_not_set_changed_for_check_options.patch
Patch15: iptables-1.4.21-restore_version.patch Patch15: iptables-1.4.21-restore_version.patch
Patch16: iptables-1.4.21-restore_wait_man.patch Patch16: iptables-1.4.21-restore_wait_man.patch
Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch
Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch
Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch
Patch22: utils-Add-a-man-page-for-nfnl_osf.patch


Group: System Environment/Base Group: System Environment/Base
URL: http://www.netfilter.org/ URL: http://www.netfilter.org/
@ -115,6 +121,12 @@ Currently only provides nfnl_osf with the pf.os database.
%patch14 -p1 -b .do_not_set_changed_for_check_options %patch14 -p1 -b .do_not_set_changed_for_check_options
%patch15 -p1 -b .restore_version %patch15 -p1 -b .restore_version
%patch16 -p1 -b .restore_wait_man %patch16 -p1 -b .restore_wait_man
%patch17 -p1 -b .tcpmss_detect_invalid_ranges
%patch18 -p1 -b .exit_unknown_option
%patch19 -p1 -b .require_wait_value
%patch20 -p1 -b .wait_interval_needs_wait
%patch21 -p1 -b .nfnl_osf_synopsis
%patch22 -p1 -b .nfnl_osf_man_page


%build %build
# Since patches above touch configure.ac we must regen configure # Since patches above touch configure.ac we must regen configure
@ -164,8 +176,9 @@ sed -e 's;iptables;ip6tables;g' \
-e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \ -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \
-e 's;^\(After=.*\)$;\1 iptables.service;' \ -e 's;^\(After=.*\)$;\1 iptables.service;' \
< %{SOURCE3} > ip6tables.service < %{SOURCE3} > ip6tables.service
sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3} sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \
install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir} < %{SOURCE3} > iptables.service
install -c -m 644 iptables.service %{buildroot}/%{_unitdir}
install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir} install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}


# install legacy actions for service command # install legacy actions for service command
@ -273,9 +286,28 @@ done
%{_sbindir}/nfnl_osf %{_sbindir}/nfnl_osf
%dir %{_datadir}/xtables %dir %{_datadir}/xtables
%{_datadir}/xtables/pf.os %{_datadir}/xtables/pf.os
%{_mandir}/man8/nfnl_osf*




%changelog %changelog
* Tue Jun 05 2018 Phil Sutter - 1.4.21-28
- Add nfnl_osf.8 man page (RHBZ#1487331)

* Fri May 11 2018 Phil Sutter - 1.4.21-27
- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510)
- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078)
- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078)
- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078)
- Ignore security table when setting policies (RHBZ#1494012)
- Fix spec file changing SRPM content (RHBZ#1531290)

* Thu Mar 29 2018 Phil Sutter - 1.4.21-26
- Avoid overwriting parent's return code (RHBZ#1560012)

* Thu Mar 29 2018 Phil Sutter - 1.4.21-25
- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012)
- Propagate errors on service stop (RHBZ#1560012)

* Fri Nov 17 2017 Phil Sutter - 1.4.21-24 * Fri Nov 17 2017 Phil Sutter - 1.4.21-24
- Fix fgrep call over multiple files in iptables.init - Fix fgrep call over multiple files in iptables.init