rpms/iptables/devel iptables-1.3.8-limit_man.patch, NONE, 1.1 iptables-1.3.8-reject_type.patch, NONE, 1.1 iptables-1.3.8-typo_latter.patch, NONE, 1.1 iptables.init, 1.15, 1.16 iptables.spec, 1.52, 1.53

Thomas Woerner (twoerner) fedora-extras-commits at redhat.com
Mon Sep 24 16:03:56 UTC 2007


Author: twoerner

Update of /cvs/pkgs/rpms/iptables/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21413

Modified Files:
	iptables.init iptables.spec 
Added Files:
	iptables-1.3.8-limit_man.patch 
	iptables-1.3.8-reject_type.patch 
	iptables-1.3.8-typo_latter.patch 
Log Message:
- fixed IPv6 reject type (rhbz#295181)
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)



iptables-1.3.8-limit_man.patch:

--- NEW FILE iptables-1.3.8-limit_man.patch ---
diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
--- iptables-1.3.8/extensions/libip6t_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_limit.man	2007-09-24 17:28:29.000000000 +0200
@@ -1,6 +1,6 @@
 This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used).  It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+  It can be used in combination with the
 .B LOG
 target to give limited logging, for example.
 .TP
diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
--- iptables-1.3.8/extensions/libipt_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
+++ iptables-1.3.8/extensions/libipt_limit.man	2007-09-24 17:28:19.000000000 +0200
@@ -1,6 +1,6 @@
 This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used).  It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+  It can be used in combination with the
 .B LOG
 target to give limited logging, for example.
 .TP

iptables-1.3.8-reject_type.patch:

--- NEW FILE iptables-1.3.8-reject_type.patch ---
diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type	2007-09-24 16:48:21.000000000 +0200
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h	2007-09-24 17:20:45.000000000 +0200
@@ -4,13 +4,15 @@
 enum ip6t_reject_with {
 	IP6T_ICMP6_NO_ROUTE,
 	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
 	IP6T_ICMP6_ADDR_UNREACH,
 	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
 	IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
-	enum ip6t_reject_with with;      /* reject type */
+	u_int32_t with;      /* reject type */
 };
 
 #endif /*_IP6T_REJECT_H*/
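Review bot: Inserting IP6T_ICMP6_NOT_NEIGHBOUR and IP6T_ICMP6_ECHOREPLY in the middle of the enum renumbers IP6T_ICMP6_ADDR_UNREACH, IP6T_ICMP6_PORT_UNREACH and IP6T_TCP_RESET, and because `with` is now a plain u_int32_t the value reaches the kernel as a raw integer with no type check at all. Presumably the new order mirrors the kernel's own ip6t_REJECT.h, but nothing in the header records that dependency, so a later contributor could append or reorder a value and silently send the wrong reject type. A comment on the enum such as `/* order must match the kernel's enum ip6t_reject_with: the value is passed as a raw u_int32_t */` would make the constraint explicit. The rest of the header is outside the hunk.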

iptables-1.3.8-typo_latter.patch:

--- NEW FILE iptables-1.3.8-typo_latter.patch ---
diff -up iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter iptables-1.3.8/extensions/libip6t_REJECT.man
--- iptables-1.3.8/extensions/libip6t_REJECT.man.typo_latter	2007-09-24 17:30:47.000000000 +0200
+++ iptables-1.3.8/extensions/libip6t_REJECT.man	2007-09-24 17:34:48.000000000 +0200
@@ -32,5 +32,5 @@ TCP RST packet to be sent back.  This is
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
 .B tcp-reset
-can only be used with kernel versions 2.6.14 or latter.
+can only be used with kernel versions 2.6.14 or later.
 


Index: iptables.init
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.init,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- iptables.init	19 Sep 2007 16:30:16 -0000	1.15
+++ iptables.init	24 Sep 2007 16:03:24 -0000	1.16
@@ -48,6 +48,31 @@
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
 
+# Netfilter modules
+NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
+NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
+
+# Are netfilter modules loaded?
+MODULES_LOADED=0
+for mod in ${NF_MODULES[*]} ${NF_MODULES_COMMON[*]}; do
+    $(lsmod | grep -q ^${mod} | awk '{print $1}')
+    if [ $? -eq 0 ]; then
+	MODULES_LOADED=1
+	break
+    fi
+done
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+# Is netfilter compiled into the kernel?
+[ $MODULES_LOADED -eq 0 -a -n "$NF_TABLES" ] && COMPILED_IN=1 || COMPILED_IN=0
+
+# Get status (quicker than status function and honour lock file)
+[ ! -f "$VAR_SUBSYS_IPTABLES" -o ! -e "$PROC_IPTABLES_NAMES" \
+    -o -z "$NF_TABLES" ] && running=0 || running=1
+
+
 rmmod_r() {
     # Unload module with all referring modules.
     # At first all referring modules will be unloaded, then the module itself.
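Review bot: The module-loaded test `$(lsmod | grep -q ^${mod} | awk '{print $1}')` can never report "not loaded": `grep -q` prints nothing, so awk always exits 0, the empty substitution result is run as a null command, and `$?` on the following line is that 0 (without pipefail the pipeline status is awk's, not grep's). Consequently MODULES_LOADED becomes 1 on the first iteration whenever lsmod runs, COMPILED_IN can never become 1, and the later guards `[ $running -eq 1 -a $COMPILED_IN -eq 0 ]` for start and `[ $running -eq 1 -o $MODULES_LOADED -eq 1 ]` for stop lose the meaning the rhbz#295611 fix intends. Replace the two lines with `if lsmod | grep -q "^${mod} "; then`, which tests grep's own status and avoids executing substitution output as a command; the trailing space also keeps `nf_conntrack` from being satisfied by a longer module name, which is safe here because the per-family conntrack module is listed separately. rmmod_r, whose header opens at the end of this hunk, continues outside it.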
@@ -83,13 +108,12 @@
     [ -e "$PROC_IPTABLES_NAMES" ] || return 1
 
     # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
-    [ -z "$tables" ] && return 1
+    [ -z "$NF_TABLES" ] && return 1
 
     echo -n $"Flushing firewall rules: "
     ret=0
     # For all tables
-    for i in $tables; do
+    for i in $NF_TABLES; do
         # Flush firewall rules.
 	$IPTABLES -t $i -F;
 	let ret+=$?;
@@ -116,7 +140,7 @@
     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 
     # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
     [ -z "$tables" ] && return 1
 
     echo -n $"Setting chains to policy $policy: "
@@ -203,14 +227,15 @@
     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 	echo -n $"Unloading $IPTABLES modules: "
 	ret=0
-	rmmod_r ${IPV}_tables
-	let ret+=$?;
-	rmmod_r nf_conntrack_${_IPV}
-	let ret+=$?;
+	for mod in ${NF_MODULES[*]}; do
+	    rmmod_r $mod
+	    let ret+=$?;
+	done
 	# try to unload remaining netfilter modules used by ipv4 and ipv6 
 	# netfilter
-	rmmod_r x_tables
-	rmmod_r nf_conntrack
+	for mod in ${NF_MODULES_COMMON[*]}; do
+	    rmmod_r $mod
+	done
 	[ $ret -eq 0 ] && success || failure
 	echo
     fi
@@ -224,8 +249,7 @@
     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
 
     # Check if firewall is configured (has tables)
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
-    [ -z "$tables" ] && return 1
+    [ -z "$NF_TABLES" ] && return 1
 
     echo -n $"Saving firewall rules to $IPTABLES_DATA: "
 
@@ -257,18 +281,21 @@
 }
 
 status() {
-    tables=$(cat $PROC_IPTABLES_NAMES 2>/dev/null)
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+	echo $"Firewall is not running."
+	return 3
+    fi
 
     # Do not print status if lockfile is missing and iptables modules are not 
     # loaded.
     # Check if iptable modules are loaded
-    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$tables" ]; then
-	echo $"Firewall is stopped."
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo $"Firewall modules not loaded."
 	return 3
     fi
 
     # Check if firewall is configured (has tables)
-    if [ ! -e "$PROC_IPTABLES_NAMES" -o -z "$tables" ]; then
+    if [ -z "$NF_TABLES" ]; then
 	echo $"Firewall is not configured. "
 	return 3
     fi
@@ -280,7 +307,7 @@
     COUNT=
     [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
 
-    for table in $tables; do
+    for table in $NF_TABLES; do
 	echo $"Table: $table"
 	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
     done
@@ -294,17 +321,16 @@
     start
 }
 
-status >/dev/null 2>&1
-running=$?
 
 case "$1" in
     start)
-	[ $running -eq 0 ] && exit 0
+	[ $running -eq 1 -a $COMPILED_IN -eq 0 ] && exit 0
 	start
 	RETVAL=$?
 	;;
     stop)
-	[ $running -eq 0 ] || exit 0
+	# stop firewall, even if manually configured
+	[ $running -eq 1 -o $MODULES_LOADED -eq 1 ] || exit 0
 	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
 	stop
 	RETVAL=$?
@@ -314,7 +340,7 @@
 	RETVAL=$?
 	;;
     condrestart|try-restart)
-	[ $running -eq 0 ] || exit 0
+	[ $running -eq 1 ] || exit 0
 	restart
 	RETVAL=$?
 	;;


Index: iptables.spec
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.spec,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- iptables.spec	19 Sep 2007 16:30:16 -0000	1.52
+++ iptables.spec	24 Sep 2007 16:03:24 -0000	1.53
@@ -3,12 +3,15 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch0: iptables-1.3.8-iptc.patch
 Patch1: iptables-1.3.8-headers.patch
+Patch2: iptables-1.3.8-reject_type.patch
+Patch3: iptables-1.3.8-limit_man.patch
+Patch4: iptables-1.3.8-typo_latter.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -56,6 +59,9 @@
 %setup -q
 %patch0 -p1 -b .iptc
 %patch1 -p1 -b .headers
+%patch2 -p1 -b .reject_type
+%patch3 -p1 -b .limit_man
+%patch4 -p1 -b .typo_latter
 
 # Put it to a reasonable place
 find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@@ -147,6 +153,13 @@
 %endif
 
 %changelog
+* Mon Sep 24 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-4
+- fixed IPv6 reject type (rhbz#295181)
+- fixed init script: start, stop and status
+- support netfilter compiled into kernel in init script (rhbz#295611)
+- dropped inversion for limit modules from man pages (rhbz#220780)
+- fixed typo in ip6tables man page (rhbz#236185)
+
 * Wed Sep 19 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-3
 - do not depend on local_fs in lsb header - this delayes start after network
 - fixed exit code for initscript usage



