Browse Source

ebtables package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64bebuilder0 6 years ago
parent
commit
99c519c407
  1. 157
      SOURCES/ebtables-2.0.0-audit.patch
  2. 126
      SOURCES/ebtables-2.0.10-flock.patch
  3. 16
      SOURCES/ebtables-2.0.10-linkfix.patch
  4. 50
      SOURCES/ebtables-2.0.10-lockdirfix.patch
  5. 69
      SOURCES/ebtables-2.0.10-noflush.patch
  6. 66
      SOURCES/ebtables-2.0.10-norootinst.patch
  7. 106
      SOURCES/ebtables-2.0.9-lsb.patch
  8. 43
      SOURCES/ebtables-save
  9. 11
      SOURCES/ebtables.service
  10. 74
      SOURCES/ebtables.systemd
  11. 268
      SPECS/ebtables.spec

157
SOURCES/ebtables-2.0.0-audit.patch

@ -0,0 +1,157 @@
--- ebtables2.orig/extensions/ebt_AUDIT.c 1970-01-01 01:00:00.000000000 +0100
+++ ebtables2.orig/extensions/ebt_AUDIT.c 2011-01-07 10:53:46.680329228 +0100
@@ -0,0 +1,110 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter/xt_AUDIT.h>
+
+#define AUDIT_TYPE '1'
+static struct option opts[] =
+{
+ { "audit-type" , required_argument, 0, AUDIT_TYPE },
+ { 0 }
+};
+
+static void print_help()
+{
+ printf(
+ "AUDIT target options:\n"
+ " --audit-type TYPE : Set action type to record.\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
+
+ info->type = 0;
+}
+
+static int parse(int c, char **argv, int argc,
+ const struct ebt_u_entry *entry, unsigned int *flags,
+ struct ebt_entry_target **target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
+
+ switch (c) {
+ case AUDIT_TYPE:
+ ebt_check_option2(flags, AUDIT_TYPE);
+
+ if (!strcasecmp(optarg, "accept"))
+ info->type = XT_AUDIT_TYPE_ACCEPT;
+ else if (!strcasecmp(optarg, "drop"))
+ info->type = XT_AUDIT_TYPE_DROP;
+ else if (!strcasecmp(optarg, "reject"))
+ info->type = XT_AUDIT_TYPE_REJECT;
+ else
+ ebt_print_error2("Bad action type value `%s'", optarg);
+
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hookmask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_target *target)
+{
+ const struct xt_AUDIT_info *info =
+ (const struct xt_AUDIT_info *) target->data;
+
+ printf("--audit-type ");
+
+ switch(info->type) {
+ case XT_AUDIT_TYPE_ACCEPT:
+ printf("accept");
+ break;
+ case XT_AUDIT_TYPE_DROP:
+ printf("drop");
+ break;
+ case XT_AUDIT_TYPE_REJECT:
+ printf("reject");
+ break;
+ }
+}
+
+static int compare(const struct ebt_entry_target *t1,
+ const struct ebt_entry_target *t2)
+{
+ const struct xt_AUDIT_info *info1 =
+ (const struct xt_AUDIT_info *) t1->data;
+ const struct xt_AUDIT_info *info2 =
+ (const struct xt_AUDIT_info *) t2->data;
+
+ return info1->type == info2->type;
+}
+
+static struct ebt_u_target AUDIT_target =
+{
+ .name = "AUDIT",
+ .size = sizeof(struct xt_AUDIT_info),
+ .help = print_help,
+ .init = init,
+ .parse = parse,
+ .final_check = final_check,
+ .print = print,
+ .compare = compare,
+ .extra_ops = opts,
+};
+
+void _init(void)
+{
+ ebt_register_target(&AUDIT_target);
+}
--- ebtables2.orig/extensions/Makefile 2011-01-07 10:55:28.077246240 +0100
+++ ebtables2.orig/extensions/Makefile 2011-01-07 10:53:46.686329230 +0100
@@ -1,7 +1,7 @@
#! /usr/bin/make
EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
- pkttype stp among limit ulog nflog
+ pkttype stp among limit ulog nflog AUDIT
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
--- a/include/linux/netfilter/xt_AUDIT.h
+++ a/include/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+ XT_AUDIT_TYPE_ACCEPT = 0,
+ XT_AUDIT_TYPE_DROP,
+ XT_AUDIT_TYPE_REJECT,
+ __XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_AUDIT_info {
+ __u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */

126
SOURCES/ebtables-2.0.10-flock.patch

@ -0,0 +1,126 @@
From 03df255180677b86eb058866be668063fcc6f598 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 6 Oct 2017 12:48:50 +0200
Subject: [PATCH] Use flock() for --concurrent option

The previous locking mechanism was not atomic, hence it was possible
that a killed ebtables process would leave the lock file in place which
in turn made future ebtables processes wait indefinitely for the lock to
become free.

Fix this by using flock(). This also simplifies code quite a bit because
there is no need for a custom signal handler or an __exit routine
anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
ebtables.c | 8 --------
libebtc.c | 49 +++++--------------------------------------------
2 files changed, 5 insertions(+), 52 deletions(-)

diff --git a/ebtables.c b/ebtables.c
index 62f1ba80063d8..f7dfccf4b2f31 100644
--- a/ebtables.c
+++ b/ebtables.c
@@ -528,12 +528,6 @@ void ebt_early_init_once()
ebt_iterate_targets(merge_target);
}
-/* signal handler, installed when the option --concurrent is specified. */
-static void sighandler(int signum)
-{
- exit(-1);
-}
-
/* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
int do_command(int argc, char *argv[], int exec_style,
struct ebt_u_replace *replace_)
@@ -1047,8 +1041,6 @@ big_iface_length:
strcpy(replace->filename, optarg);
break;
case 13 : /* concurrent */
- signal(SIGINT, sighandler);
- signal(SIGTERM, sighandler);
use_lockfd = 1;
break;
case 1 :
diff --git a/libebtc.c b/libebtc.c
index b0814213b6b06..ab3429577a1f1 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -31,6 +31,7 @@
#include "include/ethernetdb.h"
#include <unistd.h>
#include <fcntl.h>
+#include <sys/file.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -137,58 +138,18 @@ void ebt_list_extensions()
#define LOCKDIR "/run"
#define LOCKFILE LOCKDIR"/ebtables.lock"
#endif
-static int lockfd = -1, locked;
int use_lockfd;
/* Returns 0 on success, -1 when the file is locked by another process
* or -2 on any other error. */
static int lock_file()
{
- int try = 0;
- int ret = 0;
- sigset_t sigset;
-
-tryagain:
- /* the SIGINT handler will call unlock_file. To make sure the state
- * of the variable locked is correct, we need to temporarily mask the
- * SIGINT interrupt. */
- sigemptyset(&sigset);
- sigaddset(&sigset, SIGINT);
- sigprocmask(SIG_BLOCK, &sigset, NULL);
- lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
- if (lockfd < 0) {
- if (errno == EEXIST)
- ret = -1;
- else if (try == 1)
- ret = -2;
- else {
- if (mkdir(LOCKDIR, 00700))
- ret = -2;
- else {
- try = 1;
- goto tryagain;
- }
- }
- } else {
- close(lockfd);
- locked = 1;
- }
- sigprocmask(SIG_UNBLOCK, &sigset, NULL);
- return ret;
-}
+ int fd = open(LOCKFILE, O_CREAT, 00600);
-void unlock_file()
-{
- if (locked) {
- remove(LOCKFILE);
- locked = 0;
- }
+ if (fd < 0)
+ return -2;
+ return flock(fd, LOCK_EX);
}
-void __attribute__ ((destructor)) onexit()
-{
- if (use_lockfd)
- unlock_file();
-}
/* Get the table from the kernel or from a binary file
* init: 1 = ask the kernel for the initial contents of a table, i.e. the
* way it looks when the table is insmod'ed
--
2.13.1

16
SOURCES/ebtables-2.0.10-linkfix.patch

@ -0,0 +1,16 @@
diff -up ebtables-v2.0.10-4/extensions/Makefile.linkfix ebtables-v2.0.10-4/extensions/Makefile
--- ebtables-v2.0.10-4/extensions/Makefile.linkfix 2011-12-15 15:02:47.000000000 -0500
+++ ebtables-v2.0.10-4/extensions/Makefile 2012-04-05 15:52:09.563511746 -0400
@@ -9,9 +9,10 @@ EXT_LIBS+=$(foreach T,$(EXT_FUNC), exten
EXT_LIBS+=$(foreach T,$(EXT_TABLES), extensions/libebtable_$(T).so)
EXT_LIBSI+=$(foreach T,$(EXT_FUNC), -lebt_$(T))
EXT_LIBSI+=$(foreach T,$(EXT_TABLES), -lebtable_$(T))
+EXT_LDFLAGS+=-L. -lebtc
-extensions/ebt_%.so: extensions/ebt_%.o
- $(CC) $(LDFLAGS) -shared -o $@ -lc $< -nostartfiles
+extensions/ebt_%.so: extensions/ebt_%.o libebtc.so
+ $(CC) $(LDFLAGS) $(EXT_LDFLAGS) -shared -o $@ -lc $< -nostartfiles
extensions/libebt_%.so: extensions/ebt_%.so
mv $< $@

50
SOURCES/ebtables-2.0.10-lockdirfix.patch

@ -0,0 +1,50 @@
diff -up ebtables-v2.0.10-4/ebtables.8.lockdirfix ebtables-v2.0.10-4/ebtables.8
--- ebtables-v2.0.10-4/ebtables.8.lockdirfix 2016-01-18 11:13:21.707069702 -0500
+++ ebtables-v2.0.10-4/ebtables.8 2016-01-18 11:13:40.554953365 -0500
@@ -1103,7 +1103,7 @@ arp message and the hardware address len
.br
.SH FILES
.I /etc/ethertypes
-.I /var/lib/ebtables/lock
+.I /run/ebtables.lock
.SH ENVIRONMENT VARIABLES
.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
diff -up ebtables-v2.0.10-4/INSTALL.lockdirfix ebtables-v2.0.10-4/INSTALL
--- ebtables-v2.0.10-4/INSTALL.lockdirfix 2016-01-18 11:15:31.458268826 -0500
+++ ebtables-v2.0.10-4/INSTALL 2016-01-18 11:15:53.890130367 -0500
@@ -31,7 +31,7 @@ WHAT GETS INSTALLED AND WHAT OPTIONS ARE
copied to /etc/rc.d/init.d (change with option INITDIR)
- The ebtables configuration file (ebtables-config) is copied to /etc/sysconfig
- ebtables can use a lock file to enable concurrent execution of the ebtables
- tool. The standard location of the lock file is /var/lib/ebtables/lock.
+ tool. The standard location of the lock file is /run/ebtables.lock.
Include LOCKFILE=<<path-to-file>> if you want to use another file.
That's all
diff -up ebtables-v2.0.10-4/libebtc.c.lockdirfix ebtables-v2.0.10-4/libebtc.c
--- ebtables-v2.0.10-4/libebtc.c.lockdirfix 2016-01-18 11:12:14.347485472 -0500
+++ ebtables-v2.0.10-4/libebtc.c 2016-01-18 11:13:06.515163472 -0500
@@ -134,8 +134,8 @@ void ebt_list_extensions()
}
#ifndef LOCKFILE
-#define LOCKDIR "/var/lib/ebtables"
-#define LOCKFILE LOCKDIR"/lock"
+#define LOCKDIR "/run"
+#define LOCKFILE LOCKDIR"/ebtables.lock"
#endif
static int lockfd = -1, locked;
int use_lockfd;
diff -up ebtables-v2.0.10-4/Makefile.lockdirfix ebtables-v2.0.10-4/Makefile
--- ebtables-v2.0.10-4/Makefile.lockdirfix 2016-01-18 11:14:10.715767201 -0500
+++ ebtables-v2.0.10-4/Makefile 2016-01-18 11:15:20.506336425 -0500
@@ -5,7 +5,7 @@ PROGRELEASE:=4
PROGVERSION_:=2.0.10
PROGVERSION:=$(PROGVERSION_)-$(PROGRELEASE)
PROGDATE:=December\ 2011
-LOCKFILE?=/var/lib/ebtables/lock
+LOCKFILE?=/run/ebtables.lock
LOCKDIR:=$(shell echo $(LOCKFILE) | sed 's/\(.*\)\/.*/\1/')/
# default paths

69
SOURCES/ebtables-2.0.10-noflush.patch

@ -0,0 +1,69 @@
commit 3a25ae2361da048f24524d8e63d70f4cd40444f3
Author: Sanket Shah <sanket.shah@cyberoam.com>
Date: Wed Jul 31 21:40:08 2013 +0200

Add --noflush command line support for ebtables-restore

diff --git a/ebtables-restore.c b/ebtables-restore.c
index ea02960..bb4d0cf 100644
--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -22,13 +22,25 @@
#include <string.h>
#include <errno.h>
#include <unistd.h>
+#include <getopt.h>
#include "include/ebtables_u.h"
+static const struct option options[] = {
+ {.name = "noflush", .has_arg = 0, .val = 'n'},
+ { 0 }
+};
+
static struct ebt_u_replace replace[3];
void ebt_early_init_once();
#define OPT_KERNELDATA 0x800 /* Also defined in ebtables.c */
+static void print_usage()
+{
+ fprintf(stderr, "Usage: ebtables-restore [ --noflush ]\n");
+ exit(1);
+}
+
static void copy_table_names()
{
strcpy(replace[0].name, "filter");
@@ -41,11 +53,20 @@ static void copy_table_names()
int main(int argc_, char *argv_[])
{
char *argv[EBTD_ARGC_MAX], cmdline[EBTD_CMDLINE_MAXLN];
- int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace;
+ int i, offset, quotemode = 0, argc, table_nr = -1, line = 0, whitespace, c, flush = 1;
char ebtables_str[] = "ebtables";
- if (argc_ != 1)
- ebtrest_print_error("options are not supported");
+ while ((c = getopt_long(argc_, argv_, "n", options, NULL)) != -1) {
+ switch(c) {
+ case 'n':
+ flush = 0;
+ break;
+ default:
+ print_usage();
+ break;
+ }
+ }
+
ebt_silent = 0;
copy_table_names();
ebt_early_init_once();
@@ -68,7 +89,7 @@ int main(int argc_, char *argv_[])
ebtrest_print_error("table '%s' was not recognized", cmdline+1);
table_nr = i;
replace[table_nr].command = 11;
- ebt_get_kernel_table(&replace[table_nr], 1);
+ ebt_get_kernel_table(&replace[table_nr], flush);
replace[table_nr].command = 0;
replace[table_nr].flags = OPT_KERNELDATA; /* Prevent do_command from initialising replace */
continue;

66
SOURCES/ebtables-2.0.10-norootinst.patch

@ -0,0 +1,66 @@
diff -up ebtables-v2.0.10-1/Makefile.orig ebtables-v2.0.10-1/Makefile
--- ebtables-v2.0.10-1/Makefile.orig 2011-07-10 05:28:52.000000000 -0400
+++ ebtables-v2.0.10-1/Makefile 2011-07-11 10:45:00.323426448 -0400
@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
scripts: ebtables-save ebtables.sysv ebtables-config
cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
+ if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
- if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
+ if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
$(MANDIR)/man8/ebtables.8: ebtables.8
mkdir -p $(DESTDIR)$(@D)
sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
+ install -m 0644 ebtables.8_ $(DESTDIR)$@
rm -f ebtables.8_
$(DESTDIR)$(ETHERTYPESFILE): ethertypes
mkdir -p $(@D)
- install -m 0644 -o root -g root $< $@
+ install -m 0644 $< $@
.PHONY: exec
exec: ebtables ebtables-restore
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
.PHONY: install
install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
@@ -205,18 +205,18 @@ release:
rm -f extensions/ebt_inat.c
rm -rf $(CVSDIRS)
mkdir -p include/linux/netfilter_bridge
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
# To keep possible compile error complaints about undefined ETH_P_8021Q
# off my back
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/types.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
include/linux/netfilter_bridge/
- install -m 0644 -o root -g root \
+ install -m 0644 \
include/ebtables.h include/linux/netfilter_bridge/
make clean
touch *

106
SOURCES/ebtables-2.0.9-lsb.patch

@ -0,0 +1,106 @@
diff -up ebtables-v2.0.9-1/ebtables.sysv.lsb ebtables-v2.0.9-1/ebtables.sysv
--- ebtables-v2.0.9-1/ebtables.sysv.lsb 2010-01-15 11:39:31.000000000 +0100
+++ ebtables-v2.0.9-1/ebtables.sysv 2010-01-15 12:52:24.000000000 +0100
@@ -18,9 +18,9 @@ source /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
-[ -x __EXEC_PATH__/ebtables ] || exit 1
-[ -x __EXEC_PATH__/ebtables-save ] || exit 1
-[ -x __EXEC_PATH__/ebtables-restore ] || exit 1
+[ -x __EXEC_PATH__/ebtables ] || exit 5
+[ -x __EXEC_PATH__/ebtables-save ] || exit 5
+[ -x __EXEC_PATH__/ebtables-restore ] || exit 5
RETVAL=0
prog="ebtables"
@@ -39,6 +39,7 @@ config=__SYSCONFIG__/$prog-config
[ -f "$config" ] && . "$config"
start() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Starting $desc ($prog): "
if [ "$EBTABLES_BINARY_FORMAT" = "yes" ]; then
for table in $(ls __SYSCONFIG__/ebtables.* 2>/dev/null | sed -e 's/.*ebtables\.//' -e '/save/d' ); do
@@ -50,7 +51,7 @@ start() {
if [ $RETVAL -eq 0 ]; then
success "$prog startup"
- rm -f /var/lock/subsys/$prog
+ touch "/var/lock/subsys/$prog"
else
failure "$prog startup"
fi
@@ -58,6 +59,7 @@ start() {
}
stop() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Stopping $desc ($prog): "
for table in $(grep '^ebtable_' /proc/modules | sed -e 's/ebtable_\([^ ]*\).*/\1/'); do
__EXEC_PATH__/ebtables -t $table --init-table || RETVAL=1
@@ -71,7 +73,7 @@ stop() {
if [ $RETVAL -eq 0 ]; then
success "$prog shutdown"
- rm -f /var/lock/subsys/$prog
+ rm -f "/var/lock/subsys/$prog"
else
failure "$prog shutdown"
fi
@@ -79,11 +81,13 @@ stop() {
}
restart() {
+ [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
stop
start
}
save() {
+ [ "$EUID" != "0" ] && exit 4
echo -n $"Saving $desc ($prog): "
if [ "$EBTABLES_TEXT_FORMAT" = "yes" ]; then
if [ -e __SYSCONFIG__/ebtables ]; then
@@ -116,30 +120,34 @@ save() {
case "$1" in
start)
+ [ -f "/var/lock/subsys/$prog" ] && exit 0
start
;;
stop)
[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
stop
;;
- restart|reload)
- [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
+ restart|force-reload)
restart
;;
- condrestart)
- [ -e /var/lock/subsys/$prog ] && restart
- RETVAL=$?
+ reload)
+ [ ! -f "/var/lock/subsys/$prog" ] && exit 7
+ restart
+ ;;
+ condrestart|try-restart)
+ [ ! -e "/var/lock/subsys/$prog" ] && exit 0
+ restart
;;
save)
save
;;
status)
+ [ -f "/var/lock/subsys/$prog" ] && RETVAL=0 || RETVAL=3
__EXEC_PATH__/ebtables-save
- RETVAL=$?
;;
*)
echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
- RETVAL=1
+ RETVAL=2
esac
exit $RETVAL

43
SOURCES/ebtables-save

@ -0,0 +1,43 @@
#!/bin/bash

EBTABLES="/sbin/ebtables"

[ -x "$EBTABLES" ] || exit 1

echo "# Generated by ebtables-save v1.0 on $(date)"

cnt=""
[ "x$EBTABLES_SAVE_COUNTER" = "xyes" ] && cnt="--Lc"

for table_name in $(grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//); do
table=$($EBTABLES -t $table_name -L $cnt)
[ $? -eq 0 ] || { echo "$table"; exit -1; }

chain=""
rules=""
while read line; do
[ -z "$line" ] && continue

case "$line" in
Bridge\ table:\ *)
echo "*${line:14}"
;;
Bridge\ chain:\ *)
chain="${line:14}"
chain="${chain%%,*}"
policy="${line##*policy: }"
echo ":$chain $policy"
;;
*)
if [ "$cnt" = "--Lc" ]; then
line=${line/, pcnt \=/ -c}
line=${line/-- bcnt \=/}
fi
rules="$rules-A $chain $line\n"
;;
esac
done <<EOF
$table
EOF
echo -e $rules
done

11
SOURCES/ebtables.service

@ -0,0 +1,11 @@
[Unit]
Description=Ethernet Bridge Filtering tables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ebtables start
ExecStop=/usr/libexec/ebtables stop

[Install]
WantedBy=multi-user.target

74
SOURCES/ebtables.systemd

@ -0,0 +1,74 @@
#!/bin/bash

RETVAL=0

initialize() {
# Initialize $TYPE tables
echo -n $" $TYPE tables: "
if [ -r /etc/sysconfig/ebtables.$TYPE ]; then
/sbin/ebtables -t $TYPE --atomic-file /etc/sysconfig/ebtables.$TYPE --atomic-commit > /dev/null || RETVAL=1
else
echo -n "not configured"
fi
if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
}

case $1 in
start)
# Initialize filter tables
TYPE=filter
initialize
# Initialize NAT tables
echo
TYPE=nat
initialize

# Initialize broute tables
echo
TYPE=broute
initialize
;;
stop)
/sbin/ebtables -t filter --init-table || RETVAL=1
/sbin/ebtables -t nat --init-table || RETVAL=1
/sbin/ebtables -t broute --init-table || RETVAL=1

for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -f1 -d' ') ebtables; do
/sbin/rmmod $mod || RETVAL=1
done

if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
;;
save)
echo -n $"Saving Ethernet bridge filtering (ebtables): "
/sbin/ebtables -t filter --atomic-file /etc/sysconfig/ebtables.filter --atomic-save || RETVAL=1
/sbin/ebtables -t nat --atomic-file /etc/sysconfig/ebtables.nat --atomic-save || RETVAL=1
/sbin/ebtables -t broute --atomic-file /etc/sysconfig/ebtables.broute --atomic-save || RETVAL=1
if [ $RETVAL -eq 0 ]; then
echo -n $"[ OK ]"
echo -ne "\r"
else
echo -n $"[FAILED]"
echo -ne "\r"
fi
;;
*)
echo "usage: ${0##*/} {start|stop|save}" >&2
exit 1
;;
esac

# vim:set ts=2 sw=2 ft=sh et:

268
SPECS/ebtables.spec

@ -0,0 +1,268 @@
%global ebminor 4

Name: ebtables
Version: 2.0.10
Release: 16%{?dist}
Summary: Ethernet Bridge frame table administration tool
License: GPLv2+
Group: System Environment/Base
URL: http://ebtables.sourceforge.net/
Source0: http://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz
Source1: ebtables-save
Source2: ebtables.systemd
Source3: ebtables.service
Patch0: ebtables-2.0.10-norootinst.patch
Patch3: ebtables-2.0.9-lsb.patch
Patch4: ebtables-2.0.10-linkfix.patch
Patch5: ebtables-2.0.0-audit.patch
Patch6: ebtables-2.0.10-noflush.patch
Patch7: ebtables-2.0.10-lockdirfix.patch
Patch8: ebtables-2.0.10-flock.patch
BuildRequires: systemd-units
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
Ethernet bridge tables is a firewalling tool to transparently filter network
traffic passing a bridge. The filtering possibilities are limited to link
layer filtering and some basic filtering on higher network layers.

This tool is the userspace control for the bridge and ebtables kernel
components.

The ebtables tool can be used together with the other Linux filtering tools,
like iptables. There are no known incompatibility issues.

%prep
%setup -q -n ebtables-v%{version}-%{ebminor}
%patch0 -p1 -b .norootinst
%patch3 -p1 -b .lsb
# extension modules need to link to libebtc.so for ebt_errormsg
%patch4 -p1 -b .linkfix
%patch5 -p1 -b .AUDIT
%patch6 -p1 -b .noflush
%patch7 -p1 -b .lockdir
%patch8 -p1 -b .flock

# Convert to UTF-8
f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f

%build
make %{?_smp_mflags} CFLAGS="${RPM_OPT_FLAGS}" LIBDIR="/%{_lib}/ebtables" BINDIR="/sbin" MANDIR="%{_mandir}" LDFLAGS="${RPM_LD_FLAGS} -Wl,-z,now"

%install
mkdir -p %{buildroot}%{_initrddir}
mkdir -p %{buildroot}%{_unitdir}
install -m 644 -p %{SOURCE3} %{buildroot}%{_unitdir}/
mkdir -p %{buildroot}%{_libexecdir}
install -m0755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
make DESTDIR="%{buildroot}" LIBDIR="/%{_lib}/ebtables" BINDIR="/sbin" MANDIR="%{_mandir}" install
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables.filter
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables.nat
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables.broute

# Do not need the sysvinit
rm -rf %{buildroot}%{_initrddir}

# install ebtables-save bash script
rm -f %{buildroot}/sbin/ebtables-save
install %{SOURCE1} %{buildroot}/sbin/ebtables-save

# move libebtc.so into the ldpath
mv %{buildroot}/%{_lib}/ebtables/libebtc.so %{buildroot}/%{_lib}/

%post
%systemd_post ebtables.service
/sbin/ldconfig

%preun
%systemd_preun ebtables.service

%postun
%systemd_postun_with_restart ebtables.service
/sbin/ldconfig

%files
%defattr(-, root, root, 0755)
%doc ChangeLog COPYING THANKS
%doc %{_mandir}/man8/ebtables.8*
%config(noreplace) %{_sysconfdir}/ethertypes
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
%{_unitdir}/ebtables.service
%{_libexecdir}/ebtables
/%{_lib}/libebtc.so
/%{_lib}/ebtables/
/sbin/ebtables*
%ghost %{_sysconfdir}/sysconfig/ebtables.filter
%ghost %{_sysconfdir}/sysconfig/ebtables.nat
%ghost %{_sysconfdir}/sysconfig/ebtables.broute

%changelog
* Wed Oct 25 2017 Phil Sutter <psutter@redhat.com> - 2.0.10-16
- Fix for potentially stale lock files (RHBZ#1495893)

* Thu Jun 30 2016 Thomas Woerner <twoerner@redhat.com> - 2.0.10-15
- Backported lockdirfix to use (/var)/run from Fedora (RHBZ#1346376)

* Tue May 17 2016 Thomas Woerner <twoerner@redhat.com> - 2.0.10-14
- Fixed persmissions of ebtables.service (RHBZ#1288586)
- Added upstream patch to add noflush option to ebtables-restore (RHBZ#1334271)

* Tue Mar 04 2014 Jiri Popelka <jpopelka@redhat.com> - 2.0.10-13
- do not eviscerate -fstack-protector(-strong) from CFLAGS (#1070801)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.10-12
- Mass rebuild 2014-01-24

* Tue Jan 7 2014 Thomas Woerner <twoerner@redhat.com> - 2.0.10-11
- fixed rebuild problem, using MY_CFLAGS from latest fedora package
(RHBZ#1048855)

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.0.10-10
- Mass rebuild 2013-12-27

* Tue Nov 5 2013 Thomas Woerner <twoerner@redhat.com> - 2.0.10-9
- fixed missing systemd unit file (RHBZ#818953)
merged fedora patches from Tom Callaway
- fixed NETWORK test in the init script (RHBZ#1026784)
- fixed needed rpmdiff failures (RHBZ#883988)

* Thu Mar 21 2013 Tom Callaway <spot@fedoraproject.org> - 2.0.10-8
- add audit module

* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Apr 5 2012 Tom Callaway <spot@fedoraproject.org> - 2.0.10-5
- update to 2.0.10-4 (upstream numbering is goofy)
- fix missing symbol issue with extension modules (bz810006)

* Thu Feb 16 2012 Thomas Woerner <twoerner@redhat.com> - 2.0.10-4
- replaced ebtables-save perl script by bash script to get rid of the perl
requirement

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Aug 11 2011 Tom Callaway <spot@fedoraproject.org> - 2.0.10-2
- update to 2.0.10-2

* Mon Jul 11 2011 Tom Callaway <spot@fedoraproject.org> - 2.0.10-1
- update to 2.0.10-1

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Feb 15 2010 Tom "spot" Callaway <tcallawa@redhat.com> - 2.0.9-5
- update to 2.0.9-2

* Fri Jan 29 2010 Thomas Woerner <twoerner@redhat.com> - 2.0.9-4
- moved ebtables modules to /lib[64]/ebtables (rhbz#558886)

* Fri Jan 15 2010 Thomas Woerner <twoerner@redhat.com> - 2.0.9-3
- fixed init script to be lsb conform (rhbz#536828)
- fixed download link according to package review

* Wed Aug 19 2009 Tom "spot" Callaway <tcallawa@redhat.com> - 2.0.9-2
- fix source0 url

* Mon Jul 27 2009 Tom "spot" Callaway <tcallawa@redhat.com> - 2.0.9-1
- update to 2.0.9

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.8-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.8-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.0.8-5
- Autorebuild for GCC 4.3

* Sun Oct 28 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-4
- bump to 2.0.8-2 from upstream
- keep _libdir/ebtables, even though upstream just moved away from it.

* Thu Aug 23 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-3
- use _libdir/ebtables to match upstream RPATH (bugzilla 248865)
- correct license tag
- use upstream init script
- enable build-id
- use cflags for all compiles
- be sane with DESTDIR

* Mon Jul 9 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-2
- remove "Fedora Core" reference in spec

* Mon Jul 2 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-1
- final 2.0.8 release

* Wed Jan 17 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.8.rc3
- fix release order

* Wed Jan 17 2007 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.1.rc3
- bump to rc3

* Thu Oct 05 2006 Christian Iseli <Christian.Iseli@licr.org> 2.0.8-0.7.rc2
- rebuilt for unwind info generation, broken in gcc-4.1.1-21

* Mon Sep 18 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.6.rc2
- fix versioning

* Thu Sep 14 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.3.rc2
- fix bugzilla 206257

* Tue Sep 12 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.2.rc2
- fix for FC-6

* Mon Apr 24 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.1.rc2
- bump to rc2

* Sun Apr 2 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.5.rc1
- learn to use "install" correctly. :/

* Sun Apr 2 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.4.rc1
- package up the shared libs too

* Wed Mar 29 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.3.rc1
- use -fPIC

* Wed Mar 29 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.2.rc1
- broken tagging

* Tue Jan 10 2006 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.8-0.1.rc1
- bump to 2.0.8-rc1

* Mon Jul 4 2005 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.6-7
- buildsystem error requires artificial release bump

* Mon Jul 4 2005 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.6-6
- actually touch ghosted files

* Fri Jul 1 2005 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.6-5
- fix sysv file

* Fri Jul 1 2005 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.6-4
- remove INSTALL file
- add some text to description, correct typos
- fix %%postun
- add PreReqs
- add %%ghost config files

* Tue May 31 2005 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.6-3
- reworked for Fedora Extras
- add gcc4 fix
- move init file into SOURCE1

* Thu Dec 02 2004 Dag Wieers <dag@wieers.com> - 2.0.6-2
- Added patch for gcc 3.4. (Nigel Smith)

* Tue Apr 27 2004 Dag Wieers <dag@wieers.com> - 2.0.6-2
- Cosmetic changes.

* Tue Apr 27 2004 Dag Wieers <dag@wieers.com> - 2.0.6-1
- Initial package. (using DAR)
Loading…
Cancel
Save