From e851e213d0ee0d4b022e6df27d0a8d7033cc9a64 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Tue, 24 Feb 2009 16:37:31 +0000
Subject: [PATCH] reworked iptables specfile, init and config from f10
---
 iptables-config | 23 ++++++--
 iptables.init | 149 ++++++++++++++++++++++++++++++------------------
 iptables.spec | 67 +++++++++++++++-------
 3 files changed, 155 insertions(+), 84 deletions(-)
diff --git a/iptables-config b/iptables-config
index c7d81cf..4859da7 100644
--- a/iptables-config
+++ b/iptables-config
@@ -10,28 +10,39 @@ IPTABLES_MODULES="ip_conntrack vnet_tun"
 # This option has to be 'yes' to get to a sane state for a firewall
 # restart or stop. Only set to 'no' if there are problems unloading netfilter
 # modules.
-#IPTABLES_MODULES_UNLOAD="yes"
+IPTABLES_MODULES_UNLOAD="yes"
 # Save current firewall rules on stop.
 # Value: yes|no, default: no
 # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
 # (e.g. on system shutdown).
-#IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_STOP="no"
 # Save current firewall rules on restart.
 # Value: yes|no, default: no
 # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
 # restarted.
-#IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_ON_RESTART="no"
 # Save (and restore) rule and chain counter.
 # Value: yes|no, default: no
 # Save counters for rules and chains to /etc/sysconfig/iptables if
 # 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
 # SAVE_ON_RESTART is enabled.
-#IPTABLES_SAVE_COUNTER="no"
+IPTABLES_SAVE_COUNTER="no"
 # Numeric status output
-# Value: yes|no, default: no
+# Value: yes|no, default: yes
 # Print IP addresses and port numbers in numeric format in the status output.
-#IPTABLES_STATUS_NUMERIC="no"
+IPTABLES_STATUS_NUMERIC="no"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="yes"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
diff --git a/iptables.init b/iptables.init
index ec50ee0..48633fe 100755
--- a/iptables.init
+++ b/iptables.init
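Review bot: `IPTABLES_STATUS_NUMERIC="no"` is left active directly under a comment this hunk rewrites to `default: yes`, and the iptables.init hunk that follows raises the script's built-in default to "yes" as well, so the shipped config file silently forces numeric status output back off. Either make the value agree with its own comment, `IPTABLES_STATUS_NUMERIC="yes"`, or keep the line commented out as it was so the init's default wins. Since every other option is uncommented here too, the file now overrides the init defaults for all of them; the values happen to agree today, but any later change to a default in iptables.init has to be mirrored in this file or it has no effect.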
@@ -7,6 +7,16 @@ # # config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# from http://fr2.rpmfind.net/linux/fedora/releases/10/Everything/source/SRPMS/iptables-1.4.1.1-2.fc10.src.rpm # Source function library. . /etc/init.d/functions @@ -15,17 +25,13 @@ IPTABLES=iptables IPTABLES_DATA=/etc/sysconfig/$IPTABLES IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES if [ ! -x /sbin/$IPTABLES ]; then - echo -n $"/sbin/$IPTABLES does not exist."; warning; echo - exit 0 -fi - -if lsmod 2>/dev/null | grep -q ipchains ; then - echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo - exit 0 + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 fi # Old or new modutils @@ -39,11 +45,19 @@ IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" -IPTABLES_STATUS_NUMERIC="no" +IPTABLES_STATUS_NUMERIC="yes" # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" +# Netfilter modules +NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables) +NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 + +# Get active tables +NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + + rmmod_r() { # Unload module with all referring modules. # At first all referring modules will be unloaded, then the module itself. 
@@ -54,8 +68,8 @@ rmmod_r() { # Get referring modules. # New modutils have another output format. [ $NEW_MODUTILS = 1 ] \ - && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \ - || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1` + && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ + || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) # recursive call for all referring modules for i in $ref; do @@ -68,7 +82,9 @@ rmmod_r() { # after all referring modules are unloaded. if grep -q "^${mod}" /proc/modules ; then modprobe -r $mod > /dev/null 2>&1 - let ret+=$?; + res=$? + [ $res -eq 0 ] || echo -n " $mod" + let ret+=$res; fi return $ret @@ -76,16 +92,15 @@ rmmod_r() { flush_n_delete() { # Flush firewall rules and delete chains. - [ -e "$PROC_IPTABLES_NAMES" ] || return 1 + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) - tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` - [ -z "$tables" ] && return 1 + [ -z "$NF_TABLES" ] && return 1 - echo -n $"Flushing firewall rules: " + echo -n $"${IPTABLES}: Flushing firewall rules: " ret=0 # For all tables - for i in $tables; do + for i in $NF_TABLES; do # Flush firewall rules. $IPTABLES -t $i -F; let ret+=$?; @@ -109,17 +124,22 @@ set_policy() { policy=$1 # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) - tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` + tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) [ -z "$tables" ] && return 1 - echo -n $"Setting chains to policy $policy: " + echo -n $"${IPTABLES}: Setting chains to policy $policy: " ret=0 for i in $tables; do echo -n "$i " case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; filter) $IPTABLES -t filter -P INPUT $policy \ && $IPTABLES -t filter -P OUTPUT $policy \ 
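Review bot: set_policy still re-reads the table list with `tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)` while flush_n_delete in this same hunk (and save further down) are switched to the `$NF_TABLES` snapshot taken at script start, so the two callers that stop() runs back to back can work from different lists. For consistency use `[ -z "$NF_TABLES" ] && return 1` and `for i in $NF_TABLES; do` here as well, or drop the snapshot everywhere; mixing the two styles is what will confuse the next reader. The new `raw)` arm covers the two built-in chains of that table, which looks right. set_policy continues past the end of the hunk.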
@@ -153,9 +173,16 @@ set_policy() { start() { # Do not start if there is no config file. - [ -f "$IPTABLES_DATA" ] || return 1 + [ ! -f "$IPTABLES_DATA" ] && return 6 - echo -n $"Applying $IPTABLES firewall rules: " + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" @@ -187,7 +214,7 @@ start() { # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then - echo -n $"Loading additional $IPTABLES modules: " + echo -n $"${IPTABLES}: Loading additional modules: " ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " @@ -231,20 +258,24 @@ start() { } stop() { - - # Do not stop if iptables module is not loaded. - [ -e "$PROC_IPTABLES_NAMES" ] || return 1 + # Do not stop if iptables module is not loaded. + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 flush_n_delete set_policy ACCEPT if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then - echo -n $"Unloading $IPTABLES modules: " + echo -n $"${IPTABLES}: Unloading modules: " ret=0 - rmmod_r ${IPV}_tables - let ret+=$?; - rmmod_r ${IPV}_conntrack - let ret+=$?; + for mod in ${NF_MODULES[*]}; do + rmmod_r $mod + let ret+=$?; + done + # try to unload remaining netfilter modules used by ipv4 and ipv6 + # netfilter + for mod in ${NF_MODULES_COMMON[*]}; do + rmmod_r $mod >/dev/null + done [ $ret -eq 0 ] && success || failure echo fi 
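Review bot: The new `for mod in ${NF_MODULES_COMMON[*]}` loop in stop() hands x_tables, nf_nat and nf_conntrack to rmmod_r, whose header comment just above these hunks says it first unloads every module referring to the one it is given; since the comment on NF_MODULES_COMMON marks those three as shared by the IPv4 and IPv6 stacks, stopping one family with IPTABLES_MODULES_UNLOAD=yes would, as far as I can follow that recursion, also take down the other family's table modules and the rules held in them. The `>/dev/null` only hides the failures, it does not prevent the unloads. Guarding the loop on the other family having no active tables avoids that; the guard has to be derived from `$IPV` rather than spelled with the literal program name, because iptables.spec generates ip6tables.init with `sed 's;iptables;ip6tables;g'`. stop() continues past the end of the hunk.
```shell
	# … unchanged: per-family NF_MODULES loop …
	# leave the modules shared by both address families alone while the
	# other family still has tables: rmmod_r unloads every referring
	# module, which would take that family's rules down with it
	[ "$IPV" = "ip" ] && other_ipv=ip6 || other_ipv=ip
	if [ -z "$(cat /proc/net/${other_ipv}_tables_names 2>/dev/null)" ]; then
	    for mod in ${NF_MODULES_COMMON[*]}; do
		rmmod_r $mod >/dev/null
	    done
	fi
```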
@@ -261,22 +292,21 @@ stop() { save() { # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1 + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) - tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` - [ -z "$tables" ] && return 1 + [ -z "$NF_TABLES" ] && return 6 - echo -n $"Saving firewall rules to $IPTABLES_DATA: " + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0 - TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \ + TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \ && chmod 600 "$TMP_FILE" \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ - && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ || ret=1 if [ $ret -eq 0 ]; then if [ -e $IPTABLES_DATA ]; then 
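Review bot: With `[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0`, an explicit `service iptables save` on a host whose netfilter modules are not loaded now exits 0 without writing anything, where it used to return 1, so an operator checking the exit status will believe the rules were persisted. Printing why nothing happened, as status() does, keeps the LSB-style exit code without hiding the no-op: `echo $"${IPTABLES}: Firewall modules are not loaded, nothing to save."` before the `return 0`. The `return 6` on an empty `$NF_TABLES` two lines further down is silent in the same way and deserves the same message. save() continues past the end of the hunk.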
@@ -297,31 +327,35 @@ save() { } status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + # Do not print status if lockfile is missing and iptables modules are not # loaded. - # Check if iptable module is loaded - if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then - echo $"Firewall is stopped." - return 1 + # Check if iptable modules are loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 fi # Check if firewall is configured (has tables) - if [ ! -e "$PROC_IPTABLES_NAMES" ]; then - echo $"Firewall is not configured. " - return 1 - fi - tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null` - if [ -z "$tables" ]; then - echo $"Firewall is not configured. " - return 1 + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. " + return 3 fi NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" - for table in $tables; do + for table in $NF_TABLES; do echo $"Table: $table" - $IPTABLES -t $table --list $NUM && echo + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo done return 0 @@ -333,9 +367,10 @@ restart() { start } + case "$1" in start) - stop + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 start RETVAL=$? ;; @@ -344,12 +379,14 @@ case "$1" in stop RETVAL=$? ;; - restart) + restart|force-reload) restart RETVAL=$? ;; - condrestart) - [ -e "$VAR_SUBSYS_IPTABLES" ] && restart + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? ;; status) status @@ -365,8 +402,8 @@ case "$1" in RETVAL=$? ;; *) - echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}" - exit 1 + echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}" + RETVAL=2 ;; esac 
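Review bot: `[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0` in the `start)` arm turns start into a silent success whenever the lock file exists, even when no tables are loaded behind it, while status() in the hunk above reports exit 3 ("not configured") for exactly that state, so the two actions disagree about whether the firewall is running. The replaced code re-ran stop before start, which at least re-applied the rules. If an idempotent start is the intent, tie the short-cut to the tables as well, `[ -f "$VAR_SUBSYS_IPTABLES" -a -n "$NF_TABLES" ] && exit 0`, so a stale lock file cannot leave the host without rules.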
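Review bot: The usage string still lists only `{start|stop|restart|condrestart|status|panic|save}` although the case statement now also accepts `force-reload` and `try-restart` in the hunk above; the user-visible help should name them: `echo $"Usage: ${IPTABLES} {start|stop|restart|force-reload|condrestart|try-restart|status|panic|save}"`. Replacing `exit 1` with `RETVAL=2` is correct for an unknown action only if the script still ends with `exit $RETVAL`, which lies outside the hunk.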
diff --git a/iptables.spec b/iptables.spec
index 23d8d83..db4190d 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -30,7 +30,7 @@ Group: System Environment/Base
 BuildRoot: %{_tmppath}/%{name}-buildroot
 License: GPL
 BuildPrereq: /usr/bin/perl
-Requires: kernel >= 2.4.20
+Requires: kernel >= 2.6.27
 Requires(post,postun): chkconfig
 Prefix: %{_prefix}
 BuildRequires: kernel-devel
@@ -89,27 +89,36 @@ fi
 %define KERNEL_DIR "/usr/src/kernels/%{KERNEL}"
-./configure --disable-devel --prefix=%{buildroot}/usr/local
+%if %{build_devel}
+%define configure_option --enable-devel
+%else
+%define configure_option
+%endif
+
+./configure --prefix=/usr %{configure_option} --enable-libipq --bindir=/bin --sbindir=/sbin --sysconfdir=/etc --libdir=/%{_libdir} --libexecdir=/%{_lib} --mandir=%{_mandir} --includedir=%{_includedir}
 make COPT_FLAGS="$OPT" KERNEL_DIR=%{KERNEL_DIR} LIBDIR=/%{_lib}
-make COPT_FLAGS="$OPT" KERNEL_DIR=%{KERNEL_DIR} LIBDIR=/%{_lib} iptables-save iptables-restore
-make COPT_FLAGS="$OPT" KERNEL_DIR=%{KERNEL_DIR} LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
 %install
-mkdir -p %{buildroot}/sbin
-make install DESTDIR=%{buildroot} KERNEL_DIR=%{KERNEL_DIR} BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
-cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
-cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
-mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
-install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
+# Thierry : for 1.4.1.1
+# from http://fr2.rpmfind.net/linux/fedora/releases/10/Everything/source/SRPMS/iptables-1.4.1.1-2.fc10.src.rpm
+make install DESTDIR=%{buildroot}
+
+# install iptc devel library
+%if %{build_devel}
+install -m 644 libiptc/libiptc.a %{buildroot}/%{_libdir}
+%endif
+
+# install init scripts and configuration files
+install -d -m 755 $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -c -m 755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
 sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
-install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
-mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
-install -c -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -c -m 755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
+install -d -m 755 $RPM_BUILD_ROOT/etc/sysconfig
+install -c -m 755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
 sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
-install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
+install -c -m 755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
+install -c -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/sysconfig/iptables
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -142,26 +151,40 @@ fi
 %config %attr(0755,root,root) /etc/rc.d/init.d/iptables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables
-/usr/local/sbin/iptables*
 /sbin/iptables*
-/usr/local/bin/iptables*
-/usr/local/libexec/xtables/*
 %{_mandir}/man8/iptables*
+# Thierry - WARNING : location changed
+%dir /%{_lib}/xtables
+# WARNING : location changed
+/%{_lib}/xtables/libipt*
+# WARNING : new stuff
+/%{_lib}/xtables/libxt*
+# WARNING : not found at all
+#/sbin/ipset*
+#%{_mandir}/man8/ipset*
+#%dir /%{_lib}/ipset
+#/%{_lib}/ipset/libipset*
+
 %files ipv6
 %defattr(-,root,root,0755)
 %config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
 %config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
 /sbin/ip6tables*
+# Thierry - WARNING : new stuff
+/bin/iptables-xml
 %{_mandir}/man8/ip6tables*
-/%{_lib}/iptables/libip6t*
+# WARNING : location changed
+/%{_lib}/xtables/libip6t*
 %if %{build_devel}
 %files devel
 %defattr(-,root,root,0755)
-%{_includedir}/libipq.h
+%{_includedir}/*.h
+%dir %{_includedir}/libiptc
+%{_includedir}/libiptc/*.h
 %{_libdir}/libipq.a
-#%{_libdir}/libiptc.a
+%{_libdir}/libiptc.a
 %{_mandir}/man3/*
 %endif
-- 
2.43.0
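Review bot: `%define configure_option` with no body in the `%else` branch is, as far as I recall rpm's macro parser, rejected with a "has empty body" error and the macro is left undefined, so a build with build_devel off would pass the literal text `%{configure_option}` to ./configure. The usual idiom for an intentionally empty macro is `%define configure_option %{nil}`. Separately, the last `install -c -m755 %{SOURCE3} …` line drops the `-m 755` spacing used by every neighbouring install line; harmless, but worth aligning while the block is being rewritten.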
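Review bot: `/bin/iptables-xml` is placed under `%files ipv6`, but nothing on the page suggests the tool is IPv6-specific; listing it there means a host that installs only the main package does not get it, and a later move into the main package becomes a file conflict between the two sub-package versions. Unless there is a reason for the placement, it belongs next to `/sbin/iptables*` in the main `%files` list. The `# WARNING : not found at all` block of commented ipset entries would also read better as one comment that states why the files are absent (e.g. `# ipset is not built from this source tree, so nothing is packaged for it` if that is the reason) instead of four commented paths.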