From 2b7d2b33c09bcdf5800c542d192d7ea8e743ad8e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 19 2015 16:04:51 +0000 Subject: import iptables-1.4.21-16.el7 --- diff --git a/SOURCES/iptables-1.4.21-flock_wait.patch b/SOURCES/iptables-1.4.21-flock_wait.patch new file mode 100644 index 0000000..82448ce --- /dev/null +++ b/SOURCES/iptables-1.4.21-flock_wait.patch @@ -0,0 +1,88 @@ +From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 16 Jan 2015 14:21:57 +0100 +Subject: iptables: use flock() instead of abstract unix sockets + +Abstract unix sockets cannot be used to synchronize several concurrent +instances of iptables since an unpriviledged process can create them and +prevent the legitimate iptables instance from running. + +Use flock() and /run instead as suggested by Lennart Poettering. + +Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances") +Reported-by: Lennart Poettering +Cc: Phil Oester +Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index b18022e..7beb86b 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -9,11 +9,11 @@ + #include + #include + #include ++#include + #include + #include "xshared.h" + +-#define XT_SOCKET_NAME "xtables" +-#define XT_SOCKET_LEN 8 ++#define XT_LOCK_NAME "/run/xtables.lock" + + /* + * Print out any special helps. A user might like to be able to add a --help +@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match) + + bool xtables_lock(int wait) + { +- int i = 0, ret, xt_socket; +- struct sockaddr_un xt_addr; +- int waited = 0; +- +- memset(&xt_addr, 0, sizeof(xt_addr)); +- xt_addr.sun_family = AF_UNIX; +- strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME); +- xt_socket = socket(AF_UNIX, SOCK_STREAM, 0); +- /* If we can't even create a socket, fall back to prior (lockless) behavior */ +- if (xt_socket < 0) ++ int fd, waited = 0, i = 0; ++ ++ fd = open(XT_LOCK_NAME, O_CREAT, 0600); ++ if (fd < 0) + return true; + + while (1) { +- ret = bind(xt_socket, (struct sockaddr*)&xt_addr, +- offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); +- if (ret == 0) ++ if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; + else if (wait >= 0 && waited >= wait) + return false; +-- +cgit v0.10.2 + +commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28 +Author: Pablo Neira Ayuso +Date: Mon Feb 16 16:57:39 2015 +0100 + + xshared: calm down compilation warning + + xshared.c: In function ‘xtables_lock’: + xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration] + + Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 7beb86b..81c2581 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/SOURCES/iptables-1.4.21-libxt_cgroup.patch b/SOURCES/iptables-1.4.21-libxt_cgroup.patch new file mode 100644 index 0000000..b0cf8ad --- /dev/null +++ b/SOURCES/iptables-1.4.21-libxt_cgroup.patch @@ -0,0 +1,126 @@ +From 6465867eb48506687872b838b1ddfee61d1a0aeb Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 23 Dec 2013 18:46:29 +0100 +Subject: iptables: add libxt_cgroup frontend + +This patch adds the user space extension/frontend for process matching +based on cgroups from the kernel patch entitled "netfilter: xtables: +lightweight process control group matching". + +Signed-off-by: Daniel Borkmann +Signed-off-by: Pablo Neira Ayuso + +diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c +new file mode 100644 +index 0000000..e304e33 +--- /dev/null ++++ b/extensions/libxt_cgroup.c +@@ -0,0 +1,67 @@ ++#include ++#include ++#include ++ ++enum { ++ O_CGROUP = 0, ++}; ++ ++static void cgroup_help(void) ++{ ++ printf( ++"cgroup match options:\n" ++"[!] --cgroup fwid Match cgroup fwid\n"); ++} ++ ++static const struct xt_option_entry cgroup_opts[] = { ++ { ++ .name = "cgroup", ++ .id = O_CGROUP, ++ .type = XTTYPE_UINT32, ++ .flags = XTOPT_INVERT | XTOPT_MAND | XTOPT_PUT, ++ XTOPT_POINTER(struct xt_cgroup_info, id) ++ }, ++ XTOPT_TABLEEND, ++}; ++ ++static void cgroup_parse(struct xt_option_call *cb) ++{ ++ struct xt_cgroup_info *cgroupinfo = cb->data; ++ ++ xtables_option_parse(cb); ++ if (cb->invert) ++ cgroupinfo->invert = true; ++} ++ ++static void ++cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf(" cgroup %s%u", info->invert ? "! ":"", info->id); ++} ++ ++static void cgroup_save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf("%s --cgroup %u", info->invert ? " !" : "", info->id); ++} ++ ++static struct xtables_match cgroup_match = { ++ .family = NFPROTO_UNSPEC, ++ .name = "cgroup", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .help = cgroup_help, ++ .print = cgroup_print, ++ .save = cgroup_save, ++ .x6_parse = cgroup_parse, ++ .x6_options = cgroup_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&cgroup_match); ++} +diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man +new file mode 100644 +index 0000000..456a031 +--- /dev/null ++++ b/extensions/libxt_cgroup.man +@@ -0,0 +1,15 @@ ++.TP ++[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP ++Match corresponding cgroup for this packet. ++ ++Can be used to assign particular firewall policies for aggregated ++task/jobs on the system. This allows for more fine-grained firewall ++policies that only match for a subset of the system's processes. ++fwid is the maker set through the net_cls cgroup's id. ++.PP ++Example: ++.PP ++iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 ++\-j DROP ++.PP ++Available since Linux 3.14. +diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h +new file mode 100644 +index 0000000..943d3a0 +--- /dev/null ++++ b/include/linux/netfilter/xt_cgroup.h +@@ -0,0 +1,11 @@ ++#ifndef _XT_CGROUP_H ++#define _XT_CGROUP_H ++ ++#include ++ ++struct xt_cgroup_info { ++ __u32 id; ++ __u32 invert; ++}; ++ ++#endif /* _XT_CGROUP_H */ +-- +cgit v0.10.2 + diff --git a/SOURCES/iptables-1.4.21-wait_seconds.patch b/SOURCES/iptables-1.4.21-wait_seconds.patch new file mode 100644 index 0000000..4fb5cbc --- /dev/null +++ b/SOURCES/iptables-1.4.21-wait_seconds.patch @@ -0,0 +1,288 @@ +twoerner: Adapted version of the upstream patch for 1.4.21 + + +From aaa4ace72ba1d195bbf436134a336816c33f7bd0 Mon Sep 17 00:00:00 2001 +From: Jiri Popelka +Date: Fri, 4 Jul 2014 15:50:41 +0200 +Subject: iptables: add optional [seconds] argument to -w + +This patch adds an optional numeric argument +to -w option (added with 93587a0) so one can +specify how long to wait for an exclusive lock. + +If the value isn't specified it works as before, +i.e. program waits indefinitely. + +If user specifies it, program exits after +the given time interval passes. + +This patch also adds the -w/--wait to nftables +compat code, so the parser doesn't complain. + +[ In the original patch, iptables-compat -w X was not working, + I have fixed by adding the dummy code not to break scripts + using the new optional argument --pablo ] + +Signed-off-by: Jiri Popelka +Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 2ebfd6c..8db13b4 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -102,7 +102,7 @@ static struct option original_opts[] = { + {.name = "numeric", .has_arg = 0, .val = 'n'}, + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, +- {.name = "wait", .has_arg = 0, .val = 'w'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "help", .has_arg = 2, .val = 'h'}, +@@ -258,7 +258,7 @@ exit_printhelp(const struct xtables_rule_match *matches) + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w wait for the xtables lock\n" ++" --wait -w [seconds] wait for the xtables lock\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + /*"[!] --fragment -f match second or further fragments only\n"*/ +@@ -1322,7 +1322,7 @@ int do_command6(int argc, char *argv[], char **table, + struct in6_addr *smasks = NULL, *dmasks = NULL; + + int verbose = 0; +- bool wait = false; ++ int wait = 0; + const char *chain = NULL; + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; + const char *policy = NULL, *newname = NULL; +@@ -1358,7 +1358,7 @@ int do_command6(int argc, char *argv[], char **table, + + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1602,7 +1602,16 @@ int do_command6(int argc, char *argv[], char **table, + "You cannot use `-w' from " + "ip6tables-restore"); + } +- wait = true; ++ wait = -1; ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (optind < argc && argv[optind][0] != '-' ++ && argv[optind][0] != '!') ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); + break; + + case 'm': +@@ -1753,8 +1762,11 @@ int do_command6(int argc, char *argv[], char **table, + + /* Attempt to acquire the xtables lock */ + if (!restore && !xtables_lock(wait)) { +- fprintf(stderr, "Another app is currently holding the xtables lock. " +- "Perhaps you want to use the -w option?\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock. "); ++ if (wait == 0) ++ fprintf(stderr, "Perhaps you want to use the -w option?\n"); ++ else ++ fprintf(stderr, "Stopped waiting after %ds.\n", wait); + xtables_free_opts(1); + exit(RESOURCE_PROBLEM); + } +diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in +index 8ef222e..ceba5dc 100644 +--- a/iptables/iptables.8.in ++++ b/iptables/iptables.8.in +@@ -361,12 +361,13 @@ For appending, insertion, deletion and replacement, this causes + detailed information on the rule or rules to be printed. \fB\-v\fP may be + specified multiple times to possibly emit more detailed debug statements. + .TP +-\fB\-w\fP, \fB\-\-wait\fP ++\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP] + Wait for the xtables lock. + To prevent multiple instances of the program from running concurrently, + an attempt will be made to obtain an exclusive lock at launch. By default, + the program will exit if the lock cannot be obtained. This option will +-make the program wait until the exclusive lock can be obtained. ++make the program wait (indefinitely or for optional \fIseconds\fP) until ++the exclusive lock can be obtained. + .TP + \fB\-n\fP, \fB\-\-numeric\fP + Numeric output. +diff --git a/iptables/iptables.c b/iptables/iptables.c +index 471bff0..88953c4 100644 +--- a/iptables/iptables.c ++++ b/iptables/iptables.c +@@ -99,7 +99,7 @@ static struct option original_opts[] = { + {.name = "numeric", .has_arg = 0, .val = 'n'}, + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, +- {.name = "wait", .has_arg = 0, .val = 'w'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "fragments", .has_arg = 0, .val = 'f'}, + {.name = "version", .has_arg = 0, .val = 'V'}, +@@ -252,7 +252,7 @@ exit_printhelp(const struct xtables_rule_match *matches) + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w wait for the xtables lock\n" ++" --wait -w [seconds] wait for the xtables lock\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + "[!] --fragment -f match second or further fragments only\n" +@@ -1318,7 +1318,7 @@ int do_command4(int argc, char *argv[], char **table, + struct in_addr *daddrs = NULL, *dmasks = NULL; + + int verbose = 0; +- bool wait = false; ++ int wait = 0; + const char *chain = NULL; + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; + const char *policy = NULL, *newname = NULL; +@@ -1351,10 +1351,9 @@ int do_command4(int argc, char *argv[], char **table, + /* Suppress error messages: we may add new options if we + demand-load a protocol. */ + opterr = 0; +- + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1596,7 +1595,16 @@ int do_command4(int argc, char *argv[], char **table, + "You cannot use `-w' from " + "iptables-restore"); + } +- wait = true; ++ wait = -1; ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (optind < argc && argv[optind][0] != '-' ++ && argv[optind][0] != '!') ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); + break; + + case 'm': +@@ -1750,8 +1758,11 @@ int do_command4(int argc, char *argv[], char **table, + + /* Attempt to acquire the xtables lock */ + if (!restore && !xtables_lock(wait)) { +- fprintf(stderr, "Another app is currently holding the xtables lock. " +- "Perhaps you want to use the -w option?\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock. "); ++ if (wait == 0) ++ fprintf(stderr, "Perhaps you want to use the -w option?\n"); ++ else ++ fprintf(stderr, "Stopped waiting after %ds.\n", wait); + xtables_free_opts(1); + exit(RESOURCE_PROBLEM); + } +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 6c9992e..b18022e 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -243,10 +243,11 @@ void xs_init_match(struct xtables_match *match) + match->init(match->m); + } + +-bool xtables_lock(bool wait) ++bool xtables_lock(int wait) + { + int i = 0, ret, xt_socket; + struct sockaddr_un xt_addr; ++ int waited = 0; + + memset(&xt_addr, 0, sizeof(xt_addr)); + xt_addr.sun_family = AF_UNIX; +@@ -261,11 +262,12 @@ bool xtables_lock(bool wait) + offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); + if (ret == 0) + return true; +- else if (wait == false) ++ else if (wait >= 0 && waited >= wait) + return false; + if (++i % 2 == 0) + fprintf(stderr, "Another app is currently holding the xtables lock; " +- "waiting for it to exit...\n"); ++ "waiting (%ds) for it to exit...\n", waited); ++ waited++; + sleep(1); + } + } +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 27c5b78..40dd915 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -84,7 +84,7 @@ extern struct xtables_match *load_proto(struct iptables_command_state *); + extern int subcmd_main(int, char **, const struct subcommand *); + extern void xs_init_target(struct xtables_target *); + extern void xs_init_match(struct xtables_match *); +-extern bool xtables_lock(bool wait); ++extern bool xtables_lock(int wait); + + extern const struct xtables_afinfo *afinfo; + +#diff --git a/iptables/xtables.c b/iptables/xtables.c +#index 45a5ac6..d661dd1 100644 +#--- a/iptables/xtables.c +#+++ b/iptables/xtables.c +#@@ -85,6 +85,7 @@ static struct option original_opts[] = { +# {.name = "numeric", .has_arg = 0, .val = 'n'}, +# {.name = "out-interface", .has_arg = 1, .val = 'o'}, +# {.name = "verbose", .has_arg = 0, .val = 'v'}, +#+ {.name = "wait", .has_arg = 2, .val = 'w'}, +# {.name = "exact", .has_arg = 0, .val = 'x'}, +# {.name = "fragments", .has_arg = 0, .val = 'f'}, +# {.name = "version", .has_arg = 0, .val = 'V'}, +#@@ -683,6 +684,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# { +# struct iptables_command_state cs; +# int verbose = 0; +#+ int wait = 0; +# const char *chain = NULL; +# const char *policy = NULL, *newname = NULL; +# unsigned int rulenum = 0, command = 0; +#@@ -722,7 +724,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# +# opts = xt_params->orig_opts; +# while ((cs.c = getopt_long(argc, argv, +#- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46", +#+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", +# opts, NULL)) != -1) { +# switch (cs.c) { +# /* +#@@ -1007,6 +1009,15 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# "You cannot use `-w' from " +# "iptables-restore"); +# } +#+ if (optarg) { +#+ if (sscanf(optarg, "%i", &wait) != 1) +#+ xtables_error(PARAMETER_PROBLEM, +#+ "wait seconds not numeric"); +#+ } else if (optind < argc && argv[optind][0] != '-' +#+ && argv[optind][0] != '!') +#+ if (sscanf(argv[optind++], "%i", &wait) != 1) +#+ xtables_error(PARAMETER_PROBLEM, +#+ "wait seconds not numeric"); +# break; +# +# case '0': +-- +cgit v0.10.2 + diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init index 95ea1e4..611f9da 100755 --- a/SOURCES/iptables.init +++ b/SOURCES/iptables.init @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # iptables Start iptables firewall # @@ -31,7 +31,10 @@ PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES # only usable for root -[ $EUID = 0 ] || exit 4 +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi if [ ! -x /sbin/$IPTABLES ]; then echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo @@ -195,7 +198,10 @@ load_sysctl() { start() { # Do not start if there is no config file. - [ ! -f "$IPTABLES_DATA" ] && return 6 + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ @@ -280,10 +286,16 @@ stop() { save() { # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi # Check if firewall is configured (has tables) - [ -z "$NF_TABLES" ] && return 6 + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " @@ -353,7 +365,10 @@ status() { reload() { # Do not reload if there is no config file. - [ ! -f "$IPTABLES_DATA" ] && return 6 + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ diff --git a/SOURCES/iptables.service b/SOURCES/iptables.service index 34e41b5..6722c7a 100644 --- a/SOURCES/iptables.service +++ b/SOURCES/iptables.service @@ -1,7 +1,7 @@ [Unit] Description=IPv4 firewall with iptables After=syslog.target -ConditionPathExists=/etc/sysconfig/iptables +AssertPathExists=/etc/sysconfig/iptables [Service] Type=oneshot diff --git a/SOURCES/sysconfig_ip6tables b/SOURCES/sysconfig_ip6tables index 1c1a825..34b8b87 100644 --- a/SOURCES/sysconfig_ip6tables +++ b/SOURCES/sysconfig_ip6tables @@ -9,6 +9,7 @@ -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index a65f367..4e40d76 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -7,7 +7,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 13%{?dist} +Release: 16%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -17,6 +17,9 @@ Source5: sysconfig_iptables Source6: sysconfig_ip6tables Source7: iptables.panic-legacy Patch1: iptables-1.4.21-rhbz_1054871.patch +Patch2: iptables-1.4.21-libxt_cgroup.patch +Patch3: iptables-1.4.21-wait_seconds.patch +Patch4: iptables-1.4.21-flock_wait.patch Group: System Environment/Base URL: http://www.netfilter.org/ License: GPLv2 @@ -49,6 +52,7 @@ stable and may change with every new version. It is therefore unsupported. Summary: iptables and ip6tables services for iptables Group: System Environment/Base Requires: %{name} = %{version}-%{release} +Requires: /bin/bash Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -79,6 +83,9 @@ Currently only provides nfnl_osf with the pf.os database. %prep %setup -q %patch1 -p1 -b .rhbz_1054871 +%patch2 -p1 -b .libxt_cgroup +%patch3 -p1 -b .wait_seconds +%patch4 -p1 -b .flock_wait %build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ @@ -232,6 +239,19 @@ done %changelog +* Fri Sep 18 2015 Thomas Woerner 1.4.21-16 +- Fix important coverity findings: missing include for flock and use bash for init script + +* Fri Sep 18 2015 Thomas Woerner 1.4.21-15 +- Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415) + +* Tue Jun 30 2015 Thomas Woerner 1.4.21-14 +- Add cgroup support (RHBZ#1058660) +- Add wait seonds support for commands (RHBZ#1156411) +- Add dhcpv6-client in default IPv6 firewall rules (RHBZ#1169036) +- Add message for init script error returns (RHBZ#1200415) +- Use flock for wait option (RHBZ#1202435) + * Thu Mar 27 2014 Thomas Woerner 1.4.21-13 - fixed further update issues from RHEL-6 to RHEL-7 (RHBZ#1043901)