rpms/iptables/F-7 iptables-1.3.8-cloexec.patch, NONE, 1.1 iptables-1.3.8-limit_man.patch, NONE, 1.1 iptables-1.3.8-reject_type.patch, NONE, 1.1 iptables-1.3.8-typo_latter.patch, NONE, 1.1 iptables.init, 1.14, 1.15 iptables.spec, 1.49, 1.50
Thomas Woerner (twoerner)
fedora-extras-commits at redhat.com
Wed Nov 28 14:27:27 UTC 2007
Author: twoerner
Update of /cvs/pkgs/rpms/iptables/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29055
Modified Files:
iptables.init iptables.spec
Added Files:
iptables-1.3.8-cloexec.patch iptables-1.3.8-limit_man.patch
iptables-1.3.8-reject_type.patch
iptables-1.3.8-typo_latter.patch
Log Message:
- F-7 version without lsb header in init script
iptables-1.3.8-cloexec.patch:
--- NEW FILE iptables-1.3.8-cloexec.patch ---
diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
--- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200
+++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200
@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
strcpy(rev.name, name);
rev.revision = revision;
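Review bot: fcntl(F_SETFD, FD_CLOEXEC) right after the socket is opened is the correct fix for the descriptor leak, but it is not atomic with the socket() call: a fork from another thread between the two calls would still inherit the fd. ip6tables is single-threaded, so that is acceptable here; on kernels that support it, passing SOCK_CLOEXEC to socket() closes the window entirely. Minor: F_SETFD with a bare FD_CLOEXEC overwrites whatever fd flags were set; `fcntl(sockfd, F_SETFD, fcntl(sockfd, F_GETFD) | FD_CLOEXEC)` is the defensive idiom, harmless to skip here since FD_CLOEXEC is the only fd flag.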
diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
--- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200
+++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200
@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
load_iptables_ko(modprobe, 1);
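Review bot: the placement directly before `load_iptables_ko(modprobe, 1);` is what makes this work: that call is the fork/exec the changelog entry for rhbz#312191 refers to, so the modprobe child no longer inherits the socket. The block is copied verbatim from the ip6tables.c hunk; any other socket() opened by the two tools or by libiptc needs the same flag, otherwise the leak persists on that path. A small shared helper would keep the two copies from drifting.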
iptables-1.3.8-limit_man.patch:
--- NEW FILE iptables-1.3.8-limit_man.patch ---
diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_limit.man 2007-09-24 17:28:29.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP
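Review bot: the new line `+ It can be used in combination with the` begins with a space; in man/troff source a leading space on an input line forces a line break, so the rendered paragraph will break after "reached." instead of flowing. Join the sentence onto the previous line or drop the leading space. Also, the `diff -up iptables-1.3.8/iptables.8.in.limit ...` header at the top of this patch has no hunk under it and should be removed.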
diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
--- iptables-1.3.8/extensions/libipt_limit.man.limit_man 2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libipt_limit.man 2007-09-24 17:28:19.000000000 +0200
@@ -1,6 +1,6 @@
This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+ It can be used in combination with the
.B LOG
target to give limited logging, for example.
.TP
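Review bot: same leading-space problem as in the libip6t_limit.man hunk on the `+ It can be used` line; fix both copies the same way so the IPv4 and IPv6 man pages stay identical.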
iptables-1.3.8-reject_type.patch:
--- NEW FILE iptables-1.3.8-reject_type.patch ---
diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type 2007-09-24 16:48:21.000000000 +0200
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h 2007-09-24 17:20:45.000000000 +0200
@@ -4,13 +4,15 @@
enum ip6t_reject_with {
IP6T_ICMP6_NO_ROUTE,
IP6T_ICMP6_ADM_PROHIBITED,
+ IP6T_ICMP6_NOT_NEIGHBOUR,
IP6T_ICMP6_ADDR_UNREACH,
IP6T_ICMP6_PORT_UNREACH,
+ IP6T_ICMP6_ECHOREPLY,
IP6T_TCP_RESET
};
struct ip6t_reject_info {
- enum ip6t_reject_with with; /* reject type */
+ u_int32_t with; /* reject type */
};
#endif /*_IP6T_REJECT_H*/
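Review bot: inserting IP6T_ICMP6_NOT_NEIGHBOUR and IP6T_ICMP6_ECHOREPLY in the middle of the enum renumbers IP6T_ICMP6_ADDR_UNREACH, IP6T_ICMP6_PORT_UNREACH and IP6T_TCP_RESET, so this is only correct if the new order matches the kernel's ip6t_REJECT.h exactly; the mismatch is presumably the rhbz#295181 bug, where the value handed to the kernel selected a different reject type than the one named on the command line. Changing the member from `enum ip6t_reject_with` to `u_int32_t` is right for the same reason: the struct is passed to the kernel as a raw blob and an enum's size is compiler-defined, so a fixed-width type is what guarantees the same layout on both sides.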
iptables-1.3.8-typo_latter.patch:
--- NEW FILE iptables-1.3.8-typo_latter.patch ---
diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter 2007-09-24 17:30:47.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_REJECT.man 2007-09-24 17:34:48.000000000 +0200
@@ -32,5 +32,5 @@ TCP RST packet to be sent back. This is
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.B tcp-reset
-can only be used with kernel versions 2.6.14 or latter.
+can only be used with kernel versions 2.6.14 or later.
Index: iptables.init
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/F-7/iptables.init,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- iptables.init 19 Sep 2007 10:38:26 -0000 1.14
+++ iptables.init 28 Nov 2007 14:26:51 -0000 1.15
@@ -21,7 +21,7 @@
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
if [ ! -x /sbin/$IPTABLES ]; then
- echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
@@ -41,6 +41,14 @@
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+# Netfilter modules
+NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
+NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
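Review bot: NF_TABLES is evaluated once, when the script is sourced, so every function in one invocation sees the same snapshot; after `stop` has flushed the tables and unloaded modules, any later step in the same process (the `restart` path, for example) still sees the old table list. Reading the proc file inside each function, as set_policy still does, avoids the stale value. Make sure $PROC_IPTABLES_NAMES is assigned before this point, since the command substitution runs at source time. The double blank line before rmmod_r() is a nit.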
@@ -73,16 +81,15 @@
flush_n_delete() {
# Flush firewall rules and delete chains.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 1
- echo -n $"Flushing firewall rules: "
+ echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables
- for i in $tables; do
+ for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
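Review bot: the two early returns disagree: a missing proc file now returns 0 (nothing to flush), but an empty table list on the very next check still returns 1, although both mean nothing is loaded. `stop` ignores the return value, so this is harmless today, but pick one code and use it in set_policy and save as well.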
@@ -106,13 +113,13 @@
policy=$1
# Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+ tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1
- echo -n $"Setting chains to policy $policy: "
+ echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
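Review bot: set_policy still reads its own `tables=$(cat "$PROC_IPTABLES_NAMES" ...)` while flush_n_delete and save were switched to $NF_TABLES, so the script now has two sources of truth for the same list; the quoting fix is good either way. The return-0 versus return-1 split for "proc file missing" versus "no tables" is repeated here.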
@@ -155,9 +162,16 @@
start() {
# Do not start if there is no config file.
- [ -f "$IPTABLES_DATA" ] || return 1
+ [ ! -f "$IPTABLES_DATA" ] && return 6
+
+ # check if ipv6 module load is deactivated
+ if [ "${_IPV}" = "ipv6" ] \
+ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+ echo $"${IPTABLES}: ${_IPV} is disabled."
+ return 150
+ fi
- echo -n $"Applying $IPTABLES firewall rules: "
+ echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
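Review bot: the grep only recognises the `install ipv6 /bin/true|false` form of disabling IPv6; the older `alias net-pf-10 off` convention is not matched, so ip6tables would still try to load the module on a host configured that way. `return 6` for a missing $IPTABLES_DATA is the LSB "program is not configured" code and fits the comment; 150 sits in the LSB application-reserved range (150-199), so init tooling will not misread it as a standard status, but document the private code in the script header.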
@@ -171,7 +185,7 @@
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"Loading additional $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
@@ -188,22 +202,23 @@
stop() {
# Do not stop if iptables module is not loaded.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
flush_n_delete
set_policy ACCEPT
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"Unloading $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Unloading modules: "
ret=0
- rmmod_r ${IPV}_tables
- let ret+=$?;
- rmmod_r nf_conntrack_${_IPV}
- let ret+=$?;
+ for mod in ${NF_MODULES[*]}; do
+ rmmod_r $mod
+ let ret+=$?;
+ done
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
- rmmod_r x_tables
- rmmod_r nf_conntrack
+ for mod in ${NF_MODULES_COMMON[*]}; do
+ rmmod_r $mod >/dev/null
+ done
[ $ret -eq 0 ] && success || failure
echo
fi
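Review bot: `for mod in ${NF_MODULES[*]}` should be `"${NF_MODULES[@]}"`; it works here only because the module names contain no whitespace or glob characters. Ignoring rmmod_r's status for the shared modules (x_tables, nf_conntrack) is correct, since the other address family may still hold them, but a one-line comment saying so would spare the next reader the question. Note that `stop` now returns 0 when the modules are not loaded, so callers can no longer distinguish "was not running" from "stopped".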
@@ -214,13 +229,12 @@
save() {
# Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 6
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+ echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
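Review bot: `return 6` for "no tables" is LSB "not configured", which fits, but flush_n_delete and set_policy return 1 for the same condition; align the codes. Using the cached $NF_TABLES here is safe because, in the `stop)` branch, save runs before stop, so the snapshot is still current.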
@@ -250,19 +264,22 @@
}
status() {
- tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+ echo $"${IPTABLES}: Firewall is not running."
+ return 3
+ fi
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
- if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
- echo $"Firewall is stopped."
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
- if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
- echo $"Firewall is not configured. "
+ if [ -z "$NF_TABLES" ]; then
+ echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
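Review bot: all three failure branches return 3 ("program is not running"), but the second one, lock file present while the proc file is absent, is the case LSB describes with code 2 ("program is dead and lock file exists"); returning 2 there lets monitoring tell a clean stop from modules disappearing under a firewall that the init system believes is up. The reordering itself is sound: the combined lock-file/table test runs first, so the message and status are settled before any per-table listing.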
@@ -273,7 +290,7 @@
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
- for table in $tables; do
+ for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
@@ -287,17 +304,14 @@
start
}
-status >/dev/null 2>&1
-running=$?
case "$1" in
start)
- [ $running -eq 0 ] && exit 0
+ [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
- [ $running -eq 0 ] || exit 0
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
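Review bot: replacing the `status`-based running test with a lock-file test means a stale /var/lock/subsys file (left behind by a crash or an out-of-band module unload) makes `start` exit 0 without applying any rules, so the host runs with no firewall while the init system reports success. Combine the lock-file test with the table check (`-z "$NF_TABLES"`) as status does, or make sure the lock file is removed whenever the tables are gone. Dropping the short-circuit in `stop` is safe because flush_n_delete, set_policy and save now all return 0 when nothing is loaded.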
@@ -307,7 +321,7 @@
RETVAL=$?
;;
condrestart|try-restart)
- [ $running -eq 0 ] || exit 0
+ [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
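Review bot: the condrestart test is inverted. The removed line `[ $running -eq 0 ] || exit 0` exited when the firewall was not running; the replacement `[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0` exits when the lock file exists, i.e. when it is running, and restarts only a stopped firewall, the opposite of try-restart semantics and the opposite of what the `start)` branch above takes the lock file to mean. It should read `[ -f "$VAR_SUBSYS_IPTABLES" ] || exit 0`. The Sep 17 changelog entry "do not use lock file for condrestart test" also contradicts this hunk; reconcile one with the other.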
@@ -325,7 +339,7 @@
RETVAL=$?
;;
*)
- echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
+ echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
Index: iptables.spec
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/F-7/iptables.spec,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- iptables.spec 19 Sep 2007 10:38:26 -0000 1.49
+++ iptables.spec 28 Nov 2007 14:26:51 -0000 1.50
@@ -3,12 +3,16 @@
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8
-Release: 2.1%{?dist}
+Release: 6%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
Patch0: iptables-1.3.8-iptc.patch
Patch1: iptables-1.3.8-headers.patch
+Patch2: iptables-1.3.8-reject_type.patch
+Patch3: iptables-1.3.8-limit_man.patch
+Patch4: iptables-1.3.8-typo_latter.patch
+Patch5: iptables-1.3.8-cloexec.patch
Group: System Environment/Base
URL: http://www.netfilter.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -56,6 +60,10 @@
%setup -q
%patch0 -p1 -b .iptc
%patch1 -p1 -b .headers
+%patch2 -p1 -b .reject_type
+%patch3 -p1 -b .limit_man
+%patch4 -p1 -b .typo_latter
+%patch5 -p1 -b .cloexec
# Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@@ -147,9 +155,37 @@
%endif
%changelog
-* Wed Sep 19 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-2.1
-- dropped lsb header from init script, delayes start after network
-- fixed return values in init script
+* Wed Nov 28 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-6
+- F-7 verison without lsb header in init script
+
+* Mon Nov 5 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-6
+- fixed leaked file descriptor before fork/exec (rhbz#312191)
+- blacklisting is not working, use "install X /bin/(true|false)" test instead
+- return private exit code 150 for disabled ipv6 support
+- use script name for output messages
+
+* Tue Oct 16 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-5
+- fixed error code for stopping a already stopped firewall (rhbz#321751)
+- moved blacklist test into start
+
+* Wed Sep 26 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-4.1
+- do not start ip6tables if ipv6 is blacklisted (rhbz#236888)
+- use simpler fix for (rhbz#295611)
+ Thanks to Linus Torvalds for the patch.
+
+* Mon Sep 24 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-4
+- fixed IPv6 reject type (rhbz#295181)
+- fixed init script: start, stop and status
+- support netfilter compiled into kernel in init script (rhbz#295611)
+- dropped inversion for limit modules from man pages (rhbz#220780)
+- fixed typo in ip6tables man page (rhbz#236185)
+
+* Wed Sep 19 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-3
+- do not depend on local_fs in lsb header - this delayes start after network
+- fixed exit code for initscript usage
+
+* Mon Sep 17 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-2.1
+- do not use lock file for condrestart test
* Thu Aug 23 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-2
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
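Review bot: two changelog entries (Wed Nov 28 and Mon Nov 5) carry the same release 1.3.8-6, and Release: is 6, so the F-7 build cannot be told apart by EVR from the build the Nov 5 entry describes; give this branch its own release number. "verison" in the Nov 28 entry is a typo. The removed 1.3.8-2.1 entry ("dropped lsb header from init script", "fixed return values in init script") is replaced by a 1.3.8-2.1 entry with different text ("do not use lock file for condrestart test"), so this branch's record of its own previous build is lost; keep the original wording or note the divergence.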