diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..18ac54b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/iptables-1.4.21.tar.bz2 diff --git a/.iptables.metadata b/.iptables.metadata new file mode 100644 index 0000000..8205ca4 --- /dev/null +++ b/.iptables.metadata @@ -0,0 +1 @@ +85d4160537546a23a7e42bc26dd7ee62a0ede4c8 SOURCES/iptables-1.4.21.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch b/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch new file mode 100644 index 0000000..4132f96 --- /dev/null +++ b/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch @@ -0,0 +1,97 @@ +Adapted version of + +commit b91af533f4da15854893ba5cc082e1df6bcf9a97 +Author: Lorenzo Colitti +Date: Tue Mar 14 17:55:50 2017 +0900 + + iptables: set the path of the lock file via a configure option. + + Currently the iptables lock is hardcoded as "/run/xtables.lock". + Allow users to change this path using the --with-xt-lock-name + option to ./configure option. This is useful on systems like + Android which do not have /run. + + Tested on Ubuntu, as follows: + + 1. By default, the lock is placed in /run/xtables.lock: + + $ make distclean-recursive && ./autogen.sh && + ./configure --disable-nftables --prefix /tmp/iptables && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + iptables: No chain/target/match by that name. + + 2. Specifying the lock results in the expected location being + used: + + $ make distclean-recursive && ./autogen.sh && \ + ./configure --disable-nftables --prefix /tmp/iptables \ + --with-xt-lock-name=/tmp/iptables/run/xtables.lock && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + iptables: No chain/target/match by that name. + + Signed-off-by: Lorenzo Colitti + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/configure.ac.configure_set_lock_file_path iptables-1.4.21/configure.ac +--- iptables-1.4.21/configure.ac.configure_set_lock_file_path 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/configure.ac 2017-04-05 14:47:17.308782472 +0200 +@@ -60,6 +60,10 @@ AC_ARG_ENABLE([nfsynproxy], + AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH], + [Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]), + [pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig']) ++AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], ++ [Path to the xtables lock [[/run/xtables.lock]]]), ++ [xt_lock_name="$withval"], ++ [xt_lock_name="/run/xtables.lock"]) + + libiptc_LDFLAGS2=""; + AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed], +@@ -118,7 +122,7 @@ AM_CONDITIONAL([HAVE_LIBNFNETLINK], [tes + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ + -Winline -pipe"; +-regular_CPPFLAGS="${largefile_cppflags} -D_REENTRANT \ ++regular_CPPFLAGS="${largefile_cppflags} -DXT_LOCK_NAME=\\\"\${xt_lock_name}\\\" -D_REENTRANT \ + -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL"; + kinclude_CPPFLAGS=""; + if [[ -n "$kbuilddir" ]]; then +@@ -156,6 +160,7 @@ AC_SUBST([libxtables_vcurrent]) + AC_SUBST([libxtables_vage]) + libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); + AC_SUBST([libxtables_vmajor]) ++AC_SUBST([xt_lock_name]) + + AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + iptables/Makefile iptables/xtables.pc +@@ -188,7 +193,8 @@ Build parameters: + Support plugins via dlopen (shared): ${enable_shared} + Installation prefix (--prefix): ${prefix} + Xtables extension directory: ${e_xtlibdir} +- Pkg-config directory: ${e_pkgconfigdir}" ++ Pkg-config directory: ${e_pkgconfigdir} ++ Xtables lock file: ${xt_lock_name}" + + if [[ -n "$ksourcedir" ]]; then + echo " Kernel source directory: ${ksourcedir}" +diff -up iptables-1.4.21/iptables/xshared.c.configure_set_lock_file_path iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.configure_set_lock_file_path 2017-04-05 14:46:47.861540910 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:46:47.863540927 +0200 +@@ -17,8 +17,6 @@ + #include + #include "xshared.h" + +-#define XT_LOCK_NAME "/run/xtables.lock" +- + /* + * Print out any special helps. A user might like to be able to add a --help + * to the commandline, and see expected results. So we call help for all diff --git a/SOURCES/iptables-1.4.21-flock_wait.patch b/SOURCES/iptables-1.4.21-flock_wait.patch new file mode 100644 index 0000000..82448ce --- /dev/null +++ b/SOURCES/iptables-1.4.21-flock_wait.patch @@ -0,0 +1,88 @@ +From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 16 Jan 2015 14:21:57 +0100 +Subject: iptables: use flock() instead of abstract unix sockets + +Abstract unix sockets cannot be used to synchronize several concurrent +instances of iptables since an unpriviledged process can create them and +prevent the legitimate iptables instance from running. + +Use flock() and /run instead as suggested by Lennart Poettering. + +Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances") +Reported-by: Lennart Poettering +Cc: Phil Oester +Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index b18022e..7beb86b 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -9,11 +9,11 @@ + #include + #include + #include ++#include + #include + #include "xshared.h" + +-#define XT_SOCKET_NAME "xtables" +-#define XT_SOCKET_LEN 8 ++#define XT_LOCK_NAME "/run/xtables.lock" + + /* + * Print out any special helps. A user might like to be able to add a --help +@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match) + + bool xtables_lock(int wait) + { +- int i = 0, ret, xt_socket; +- struct sockaddr_un xt_addr; +- int waited = 0; +- +- memset(&xt_addr, 0, sizeof(xt_addr)); +- xt_addr.sun_family = AF_UNIX; +- strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME); +- xt_socket = socket(AF_UNIX, SOCK_STREAM, 0); +- /* If we can't even create a socket, fall back to prior (lockless) behavior */ +- if (xt_socket < 0) ++ int fd, waited = 0, i = 0; ++ ++ fd = open(XT_LOCK_NAME, O_CREAT, 0600); ++ if (fd < 0) + return true; + + while (1) { +- ret = bind(xt_socket, (struct sockaddr*)&xt_addr, +- offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); +- if (ret == 0) ++ if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; + else if (wait >= 0 && waited >= wait) + return false; +-- +cgit v0.10.2 + +commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28 +Author: Pablo Neira Ayuso +Date: Mon Feb 16 16:57:39 2015 +0100 + + xshared: calm down compilation warning + + xshared.c: In function ‘xtables_lock’: + xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration] + + Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 7beb86b..81c2581 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/SOURCES/iptables-1.4.21-libxt_cgroup.patch b/SOURCES/iptables-1.4.21-libxt_cgroup.patch new file mode 100644 index 0000000..b0cf8ad --- /dev/null +++ b/SOURCES/iptables-1.4.21-libxt_cgroup.patch @@ -0,0 +1,126 @@ +From 6465867eb48506687872b838b1ddfee61d1a0aeb Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 23 Dec 2013 18:46:29 +0100 +Subject: iptables: add libxt_cgroup frontend + +This patch adds the user space extension/frontend for process matching +based on cgroups from the kernel patch entitled "netfilter: xtables: +lightweight process control group matching". + +Signed-off-by: Daniel Borkmann +Signed-off-by: Pablo Neira Ayuso + +diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c +new file mode 100644 +index 0000000..e304e33 +--- /dev/null ++++ b/extensions/libxt_cgroup.c +@@ -0,0 +1,67 @@ ++#include ++#include ++#include ++ ++enum { ++ O_CGROUP = 0, ++}; ++ ++static void cgroup_help(void) ++{ ++ printf( ++"cgroup match options:\n" ++"[!] --cgroup fwid Match cgroup fwid\n"); ++} ++ ++static const struct xt_option_entry cgroup_opts[] = { ++ { ++ .name = "cgroup", ++ .id = O_CGROUP, ++ .type = XTTYPE_UINT32, ++ .flags = XTOPT_INVERT | XTOPT_MAND | XTOPT_PUT, ++ XTOPT_POINTER(struct xt_cgroup_info, id) ++ }, ++ XTOPT_TABLEEND, ++}; ++ ++static void cgroup_parse(struct xt_option_call *cb) ++{ ++ struct xt_cgroup_info *cgroupinfo = cb->data; ++ ++ xtables_option_parse(cb); ++ if (cb->invert) ++ cgroupinfo->invert = true; ++} ++ ++static void ++cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf(" cgroup %s%u", info->invert ? "! ":"", info->id); ++} ++ ++static void cgroup_save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf("%s --cgroup %u", info->invert ? " !" : "", info->id); ++} ++ ++static struct xtables_match cgroup_match = { ++ .family = NFPROTO_UNSPEC, ++ .name = "cgroup", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .help = cgroup_help, ++ .print = cgroup_print, ++ .save = cgroup_save, ++ .x6_parse = cgroup_parse, ++ .x6_options = cgroup_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&cgroup_match); ++} +diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man +new file mode 100644 +index 0000000..456a031 +--- /dev/null ++++ b/extensions/libxt_cgroup.man +@@ -0,0 +1,15 @@ ++.TP ++[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP ++Match corresponding cgroup for this packet. ++ ++Can be used to assign particular firewall policies for aggregated ++task/jobs on the system. This allows for more fine-grained firewall ++policies that only match for a subset of the system's processes. ++fwid is the maker set through the net_cls cgroup's id. ++.PP ++Example: ++.PP ++iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 ++\-j DROP ++.PP ++Available since Linux 3.14. +diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h +new file mode 100644 +index 0000000..943d3a0 +--- /dev/null ++++ b/include/linux/netfilter/xt_cgroup.h +@@ -0,0 +1,11 @@ ++#ifndef _XT_CGROUP_H ++#define _XT_CGROUP_H ++ ++#include ++ ++struct xt_cgroup_info { ++ __u32 id; ++ __u32 invert; ++}; ++ ++#endif /* _XT_CGROUP_H */ +-- +cgit v0.10.2 + diff --git a/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch b/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch new file mode 100644 index 0000000..07836ca --- /dev/null +++ b/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch @@ -0,0 +1,67 @@ +Adapted version of + +commit 836846f0d747e1be8e37d2d43b215a68b30ea1a9 +Author: Lorenzo Colitti +Date: Thu Mar 16 12:54:20 2017 +0900 + + iptables: move XT_LOCK_NAME from CFLAGS to config.h. + + This slightly simplifies configure.ac and results in more + correct dependencies. + + Tested by running ./configure with --with-xt-lock-name and + without, and using strace to verify that the right lock is used. + + $ make distclean-recursive && ./autogen.sh && + ./configure --disable-nftables --prefix /tmp/iptables && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + + $ make distclean-recursive && ./autogen.sh && \ + ./configure --disable-nftables --prefix /tmp/iptables \ + --with-xt-lock-name=/tmp/iptables/run/xtables.lock && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + + Signed-off-by: Lorenzo Colitti + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/configure.ac.move_XT_LOCK_NAME_to_config.h iptables-1.4.21/configure.ac +--- iptables-1.4.21/configure.ac.move_XT_LOCK_NAME_to_config.h 2017-04-05 14:48:11.855229929 +0200 ++++ iptables-1.4.21/configure.ac 2017-04-05 14:48:11.856229937 +0200 +@@ -122,7 +122,7 @@ AM_CONDITIONAL([HAVE_LIBNFNETLINK], [tes + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ + -Winline -pipe"; +-regular_CPPFLAGS="${largefile_cppflags} -DXT_LOCK_NAME=\\\"\${xt_lock_name}\\\" -D_REENTRANT \ ++regular_CPPFLAGS="${largefile_cppflags} -D_REENTRANT \ + -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL"; + kinclude_CPPFLAGS=""; + if [[ -n "$kbuilddir" ]]; then +@@ -160,7 +160,9 @@ AC_SUBST([libxtables_vcurrent]) + AC_SUBST([libxtables_vage]) + libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); + AC_SUBST([libxtables_vmajor]) +-AC_SUBST([xt_lock_name]) ++ ++AC_DEFINE_UNQUOTED([XT_LOCK_NAME], "${xt_lock_name}", ++ [Location of the iptables lock file]) + + AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + iptables/Makefile iptables/xtables.pc +diff -up iptables-1.4.21/iptables/xshared.c.move_XT_LOCK_NAME_to_config.h iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.move_XT_LOCK_NAME_to_config.h 2017-04-05 14:48:11.855229929 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:48:11.856229937 +0200 +@@ -1,3 +1,4 @@ ++#include + #include + #include + #include diff --git a/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch b/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch new file mode 100644 index 0000000..a0fe335 --- /dev/null +++ b/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch @@ -0,0 +1,401 @@ +Adapted version of + +commit 6e2e169eb66b63d2991e1c7ada931e3cdb0ced32 +Author: Lorenzo Colitti +Date: Thu Mar 16 16:55:01 2017 +0900 + + iptables: remove duplicated argument parsing code + + 1. Factor out repeated code to a new xs_has_arg function. + 2. Add a new parse_wait_time option to parse the value of -w. + 3. Make parse_wait_interval take argc and argv so its callers + can be simpler. + + Signed-off-by: Lorenzo Colitti + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/ip6tables.c +--- iptables-1.4.21/iptables/ip6tables.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.033970476 +0200 ++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:51:44.044970566 +0200 +@@ -1388,8 +1388,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_DELETE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_DELETE_NUM; + } +@@ -1399,8 +1398,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_REPLACE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else + xtables_error(PARAMETER_PROBLEM, +@@ -1412,8 +1410,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_INSERT, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else rulenum = 1; + break; +@@ -1422,11 +1419,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1434,11 +1429,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_LIST_RULES, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1446,8 +1439,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_FLUSH, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1455,11 +1447,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_ZERO_NUM; + } +@@ -1476,8 +1466,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1485,8 +1474,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + newname = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1499,8 +1487,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_SET_POLICY, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + policy = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1610,16 +1597,7 @@ int do_command6(int argc, char *argv[], + "You cannot use `-w' from " + "ip6tables-restore"); + } +- wait = -1; +- if (optarg) { +- if (sscanf(optarg, "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); +- } else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') +- if (sscanf(argv[optind++], "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); ++ wait = parse_wait_time(argc, argv); + break; + + case 'W': +@@ -1628,14 +1606,7 @@ int do_command6(int argc, char *argv[], + "You cannot use `-W' from " + "ip6tables-restore"); + } +- if (optarg) +- parse_wait_interval(optarg, &wait_interval); +- else if (optind < argc && +- argv[optind][0] != '-' && +- argv[optind][0] != '!') +- parse_wait_interval(argv[optind++], +- &wait_interval); +- ++ parse_wait_interval(argc, argv, &wait_interval); + wait_interval_set = true; + break; + +@@ -1685,8 +1656,7 @@ int do_command6(int argc, char *argv[], + bcnt = strchr(pcnt + 1, ','); + if (bcnt) + bcnt++; +- if (!bcnt && optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (!bcnt && xs_has_arg(argc, argv)) + bcnt = argv[optind++]; + if (!bcnt) + xtables_error(PARAMETER_PROBLEM, +diff -up iptables-1.4.21/iptables/iptables.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/iptables.c +--- iptables-1.4.21/iptables/iptables.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.034970484 +0200 ++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:51:44.044970566 +0200 +@@ -1381,8 +1381,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_DELETE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_DELETE_NUM; + } +@@ -1392,8 +1391,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_REPLACE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else + xtables_error(PARAMETER_PROBLEM, +@@ -1405,8 +1403,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_INSERT, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else rulenum = 1; + break; +@@ -1415,11 +1412,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1427,11 +1422,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_LIST_RULES, + CMD_ZERO|CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1439,8 +1432,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_FLUSH, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1448,11 +1440,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_ZERO_NUM; + } +@@ -1469,8 +1459,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1478,8 +1467,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + newname = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1492,8 +1480,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_SET_POLICY, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + policy = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1601,16 +1588,7 @@ int do_command4(int argc, char *argv[], + "You cannot use `-w' from " + "iptables-restore"); + } +- wait = -1; +- if (optarg) { +- if (sscanf(optarg, "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); +- } else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') +- if (sscanf(argv[optind++], "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); ++ wait = parse_wait_time(argc, argv); + break; + + case 'W': +@@ -1619,14 +1597,7 @@ int do_command4(int argc, char *argv[], + "You cannot use `-W' from " + "iptables-restore"); + } +- if (optarg) +- parse_wait_interval(optarg, &wait_interval); +- else if (optind < argc && +- argv[optind][0] != '-' && +- argv[optind][0] != '!') +- parse_wait_interval(argv[optind++], +- &wait_interval); +- ++ parse_wait_interval(argc, argv, &wait_interval); + wait_interval_set = true; + break; + +@@ -1676,8 +1647,7 @@ int do_command4(int argc, char *argv[], + bcnt = strchr(pcnt + 1, ','); + if (bcnt) + bcnt++; +- if (!bcnt && optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (!bcnt && xs_has_arg(argc, argv)) + bcnt = argv[optind++]; + if (!bcnt) + xtables_error(PARAMETER_PROBLEM, +diff -up iptables-1.4.21/iptables/xshared.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.042970550 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:51:44.045970574 +0200 +@@ -285,12 +285,36 @@ bool xtables_lock(int wait, struct timev + } + } + +-void parse_wait_interval(const char *str, struct timeval *wait_interval) ++int parse_wait_time(int argc, char *argv[]) + { ++ int wait = -1; ++ ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (xs_has_arg(argc, argv)) ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ ++ return wait; ++} ++ ++void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) ++{ ++ const char *arg; + unsigned int usec; + int ret; + +- ret = sscanf(str, "%u", &usec); ++ if (optarg) ++ arg = optarg; ++ else if (xs_has_arg(argc, argv)) ++ arg = argv[optind++]; ++ else ++ return; ++ ++ ret = sscanf(arg, "%u", &usec); + if (ret == 1) { + if (usec > 999999) + xtables_error(PARAMETER_PROBLEM, +@@ -303,3 +327,10 @@ void parse_wait_interval(const char *str + } + xtables_error(PARAMETER_PROBLEM, "wait interval not numeric"); + } ++ ++inline bool xs_has_arg(int argc, char *argv[]) ++{ ++ return optind < argc && ++ argv[optind][0] != '-' && ++ argv[optind][0] != '!'; ++} +diff -up iptables-1.4.21/iptables/xshared.h.remove_duplicated_argument_parsing iptables-1.4.21/iptables/xshared.h +--- iptables-1.4.21/iptables/xshared.h.remove_duplicated_argument_parsing 2017-04-05 14:51:44.034970484 +0200 ++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:51:44.045970574 +0200 +@@ -86,7 +86,9 @@ extern void xs_init_target(struct xtable + extern void xs_init_match(struct xtables_match *); + bool xtables_lock(int wait, struct timeval *wait_interval); + +-void parse_wait_interval(const char *str, struct timeval *wait_interval); ++int parse_wait_time(int argc, char *argv[]); ++void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); ++bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + diff --git a/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch b/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch new file mode 100644 index 0000000..77e1aff --- /dev/null +++ b/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch @@ -0,0 +1,414 @@ +Adapted version of + +commit 999eaa241212d3952ddff39a99d0d55a74e3639e +Author: Lorenzo Colitti +Date: Thu Mar 16 16:55:02 2017 +0900 + + iptables-restore: support acquiring the lock. + + Currently, ip[6]tables-restore does not perform any locking, so it + is not safe to use concurrently with ip[6]tables. + + This patch makes ip[6]tables-restore wait for the lock if -w + was specified. Arguments to -w and -W are supported in the same + was as they are in ip[6]tables. + + The lock is not acquired on startup. Instead, it is acquired when + a new table handle is created (on encountering '*') and released + when the table is committed (COMMIT). This makes it possible to + keep long-running iptables-restore processes in the background + (for example, reading commands from a pipe opened by a system + management daemon) and simultaneously run iptables commands. + + If -w is not specified, then the command proceeds without taking + the lock. + + Tested as follows: + + 1. Run iptables-restore -w, and check that iptables commands work + with or without -w. + 2. Type "*filter" into the iptables-restore input. Verify that + a) ip[6]tables commands without -w fail with "another app is + currently holding the xtables lock...". + b) ip[6]tables commands with "-w 2" fail after 2 seconds. + c) ip[6]tables commands with "-w" hang until "COMMIT" is + typed into the iptables-restore window. + 3. With the lock held by an ip6tables-restore process: + strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000 + shows 11 calls to flock and fails. + 4. Run an iptables-restore with -w and one without -w, and check: + a) Type "*filter" in the first and then the second, and the + second exits with an error. + b) Type "*filter" in the second and "*filter" "-S" "COMMIT" + into the first. The rules are listed only when the first + copy sees "COMMIT". + + Signed-off-by: Narayan Kamath + Signed-off-by: Lorenzo Colitti + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/ip6tables.c +--- iptables-1.4.21/iptables/ip6tables.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.561008864 +0200 ++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:55:52.564008888 +0200 +@@ -1767,7 +1767,7 @@ int do_command6(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait, &wait_interval)) { ++ if (!restore && xtables_lock(wait, &wait_interval) == XT_LOCK_BUSY) { + fprintf(stderr, "Another app is currently holding the xtables lock. "); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/ip6tables-restore.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/ip6tables-restore.c +--- iptables-1.4.21/iptables/ip6tables-restore.c.restore_support_acquiring_the_lock 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/ip6tables-restore.c 2017-04-05 14:58:41.513393942 +0200 +@@ -15,6 +15,7 @@ + #include + #include + #include "ip6tables.h" ++#include "xshared.h" + #include "xtables.h" + #include "libiptc/libip6tc.h" + #include "ip6tables-multi.h" +@@ -25,18 +26,24 @@ + #define DEBUGP(x, args...) + #endif + +-static int binary = 0, counters = 0, verbose = 0, noflush = 0; ++static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; ++ ++static struct timeval wait_interval = { ++ .tv_sec = 1, ++}; + + /* Keeping track of external matches and targets. */ + static const struct option options[] = { +- {.name = "binary", .has_arg = false, .val = 'b'}, +- {.name = "counters", .has_arg = false, .val = 'c'}, +- {.name = "verbose", .has_arg = false, .val = 'v'}, +- {.name = "test", .has_arg = false, .val = 't'}, +- {.name = "help", .has_arg = false, .val = 'h'}, +- {.name = "noflush", .has_arg = false, .val = 'n'}, +- {.name = "modprobe", .has_arg = true, .val = 'M'}, +- {.name = "table", .has_arg = true, .val = 'T'}, ++ {.name = "binary", .has_arg = 0, .val = 'b'}, ++ {.name = "counters", .has_arg = 0, .val = 'c'}, ++ {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "test", .has_arg = 0, .val = 't'}, ++ {.name = "help", .has_arg = 0, .val = 'h'}, ++ {.name = "noflush", .has_arg = 0, .val = 'n'}, ++ {.name = "modprobe", .has_arg = 1, .val = 'M'}, ++ {.name = "table", .has_arg = 1, .val = 'T'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {NULL}, + }; + +@@ -44,14 +51,16 @@ static void print_usage(const char *name + + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-w secs] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" + " [ --test ]\n" + " [ --help ]\n" ++ " [ --wait=\n" ++ " [ --wait-interval=\n" + " [ --noflush ]\n" +- " [ --modprobe=]\n", name); ++ " [ --modprobe=]\n", name); + + exit(1); + } +@@ -182,7 +191,7 @@ int ip6tables_restore_main(int argc, cha + { + struct xtc_handle *handle = NULL; + char buffer[10240]; +- int c; ++ int c, lock; + char curtable[XT_TABLE_MAXNAMELEN + 1]; + FILE *in; + int in_table = 0, testing = 0; +@@ -190,6 +199,7 @@ int ip6tables_restore_main(int argc, cha + const struct xtc_ops *ops = &ip6tc_ops; + + line = 0; ++ lock = XT_LOCK_NOT_ACQUIRED; + + ip6tables_globals.program_name = "ip6tables-restore"; + c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); +@@ -204,7 +214,7 @@ int ip6tables_restore_main(int argc, cha + init_extensions6(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +235,12 @@ int ip6tables_restore_main(int argc, cha + case 'n': + noflush = 1; + break; ++ case 'w': ++ wait = parse_wait_time(argc, argv); ++ break; ++ case 'W': ++ parse_wait_interval(argc, argv, &wait_interval); ++ break; + case 'M': + xtables_modprobe_program = optarg; + break; +@@ -269,8 +285,23 @@ int ip6tables_restore_main(int argc, cha + DEBUGP("Not calling commit, testing\n"); + ret = 1; + } ++ ++ /* Done with the current table, release the lock. */ ++ if (lock >= 0) { ++ xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } ++ + in_table = 0; + } else if ((buffer[0] == '*') && (!in_table)) { ++ /* Acquire a lock before we create a new table handle */ ++ lock = xtables_lock(wait, &wait_interval); ++ if (lock == XT_LOCK_BUSY) { ++ fprintf(stderr, "Another app is currently holding the xtables lock. " ++ "Perhaps you want to use the -w option?\n"); ++ exit(RESOURCE_PROBLEM); ++ } ++ + /* New table */ + char *table; + +diff -up iptables-1.4.21/iptables/iptables.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/iptables.c +--- iptables-1.4.21/iptables/iptables.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:55:52.564008888 +0200 +@@ -1754,7 +1754,7 @@ int do_command4(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait, &wait_interval)) { ++ if (!restore && xtables_lock(wait, &wait_interval) == XT_LOCK_BUSY) { + fprintf(stderr, "Another app is currently holding the xtables lock. "); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/iptables-restore.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/iptables-restore.c +--- iptables-1.4.21/iptables/iptables-restore.c.restore_support_acquiring_the_lock 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-restore.c 2017-04-05 15:00:17.389179935 +0200 +@@ -12,6 +12,7 @@ + #include + #include + #include "iptables.h" ++#include "xshared.h" + #include "xtables.h" + #include "libiptc/libiptc.h" + #include "iptables-multi.h" +@@ -22,18 +23,24 @@ + #define DEBUGP(x, args...) + #endif + +-static int binary = 0, counters = 0, verbose = 0, noflush = 0; ++static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; ++ ++static struct timeval wait_interval = { ++ .tv_sec = 1, ++}; + + /* Keeping track of external matches and targets. */ + static const struct option options[] = { +- {.name = "binary", .has_arg = false, .val = 'b'}, +- {.name = "counters", .has_arg = false, .val = 'c'}, +- {.name = "verbose", .has_arg = false, .val = 'v'}, +- {.name = "test", .has_arg = false, .val = 't'}, +- {.name = "help", .has_arg = false, .val = 'h'}, +- {.name = "noflush", .has_arg = false, .val = 'n'}, +- {.name = "modprobe", .has_arg = true, .val = 'M'}, +- {.name = "table", .has_arg = true, .val = 'T'}, ++ {.name = "binary", .has_arg = 0, .val = 'b'}, ++ {.name = "counters", .has_arg = 0, .val = 'c'}, ++ {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "test", .has_arg = 0, .val = 't'}, ++ {.name = "help", .has_arg = 0, .val = 'h'}, ++ {.name = "noflush", .has_arg = 0, .val = 'n'}, ++ {.name = "modprobe", .has_arg = 1, .val = 'M'}, ++ {.name = "table", .has_arg = 1, .val = 'T'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {NULL}, + }; + +@@ -43,15 +50,17 @@ static void print_usage(const char *name + + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --noflush ]\n" ++ " [ --wait=\n" ++ " [ --wait-interval=\n" + " [ --table= ]\n" +- " [ --modprobe=]\n", name); ++ " [ --modprobe=]\n", name); + + exit(1); + } +@@ -182,7 +191,7 @@ iptables_restore_main(int argc, char *ar + { + struct xtc_handle *handle = NULL; + char buffer[10240]; +- int c; ++ int c, lock; + char curtable[XT_TABLE_MAXNAMELEN + 1]; + FILE *in; + int in_table = 0, testing = 0; +@@ -190,6 +199,7 @@ iptables_restore_main(int argc, char *ar + const struct xtc_ops *ops = &iptc_ops; + + line = 0; ++ lock = XT_LOCK_NOT_ACQUIRED; + + iptables_globals.program_name = "iptables-restore"; + c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); +@@ -204,7 +214,7 @@ iptables_restore_main(int argc, char *ar + init_extensions4(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +235,12 @@ iptables_restore_main(int argc, char *ar + case 'n': + noflush = 1; + break; ++ case 'w': ++ wait = parse_wait_time(argc, argv); ++ break; ++ case 'W': ++ parse_wait_interval(argc, argv, &wait_interval); ++ break; + case 'M': + xtables_modprobe_program = optarg; + break; +@@ -269,8 +285,23 @@ iptables_restore_main(int argc, char *ar + DEBUGP("Not calling commit, testing\n"); + ret = 1; + } ++ ++ /* Done with the current table, release the lock. */ ++ if (lock >= 0) { ++ xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } ++ + in_table = 0; + } else if ((buffer[0] == '*') && (!in_table)) { ++ /* Acquire a lock before we create a new table handle */ ++ lock = xtables_lock(wait, &wait_interval); ++ if (lock == XT_LOCK_BUSY) { ++ fprintf(stderr, "Another app is currently holding the xtables lock. " ++ "Perhaps you want to use the -w option?\n"); ++ exit(RESOURCE_PROBLEM); ++ } ++ + /* New table */ + char *table; + +diff -up iptables-1.4.21/iptables/xshared.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:55:52.565008896 +0200 +@@ -246,7 +246,7 @@ void xs_init_match(struct xtables_match + match->init(match->m); + } + +-bool xtables_lock(int wait, struct timeval *wait_interval) ++int xtables_lock(int wait, struct timeval *wait_interval) + { + struct timeval time_left, wait_time; + int fd, i = 0; +@@ -256,22 +256,22 @@ bool xtables_lock(int wait, struct timev + + fd = open(XT_LOCK_NAME, O_CREAT, 0600); + if (fd < 0) +- return true; ++ return XT_LOCK_UNSUPPORTED; + + if (wait == -1) { + if (flock(fd, LOCK_EX) == 0) +- return true; ++ return fd; + + fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME, + strerror(errno)); +- return false; ++ return XT_LOCK_BUSY; + } + + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) +- return true; ++ return fd; + else if (timercmp(&time_left, wait_interval, <)) +- return false; ++ return XT_LOCK_BUSY; + + if (++i % 10 == 0) { + fprintf(stderr, "Another app is currently holding the xtables lock; " +@@ -285,6 +285,12 @@ bool xtables_lock(int wait, struct timev + } + } + ++void xtables_unlock(int lock) ++{ ++ if (lock >= 0) ++ close(lock); ++} ++ + int parse_wait_time(int argc, char *argv[]) + { + int wait = -1; +diff -up iptables-1.4.21/iptables/xshared.h.restore_support_acquiring_the_lock iptables-1.4.21/iptables/xshared.h +--- iptables-1.4.21/iptables/xshared.h.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:55:52.565008896 +0200 +@@ -84,7 +84,28 @@ extern struct xtables_match *load_proto( + extern int subcmd_main(int, char **, const struct subcommand *); + extern void xs_init_target(struct xtables_target *); + extern void xs_init_match(struct xtables_match *); +-bool xtables_lock(int wait, struct timeval *wait_interval); ++ ++/** ++ * Values for the iptables lock. ++ * ++ * A value >= 0 indicates the lock filedescriptor. Other values are: ++ * ++ * XT_LOCK_UNSUPPORTED : The system does not support locking, execution will ++ * proceed lockless. ++ * ++ * XT_LOCK_BUSY : The lock was held by another process. xtables_lock only ++ * returns this value when |wait| == false. If |wait| == true, xtables_lock ++ * will not return unless the lock has been acquired. ++ * ++ * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock. ++ */ ++enum { ++ XT_LOCK_BUSY = -1, ++ XT_LOCK_UNSUPPORTED = -2, ++ XT_LOCK_NOT_ACQUIRED = -3, ++}; ++extern int xtables_lock(int wait, struct timeval *tv); ++extern void xtables_unlock(int lock); + + int parse_wait_time(int argc, char *argv[]); + void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); diff --git a/SOURCES/iptables-1.4.21-restore_version.patch b/SOURCES/iptables-1.4.21-restore_version.patch new file mode 100644 index 0000000..bee5903 --- /dev/null +++ b/SOURCES/iptables-1.4.21-restore_version.patch @@ -0,0 +1,143 @@ +Adapted version of + +commit 9cd3adbed2fd8cdb6366293f3799573b811be89b +Author: Dan Williams +Date: Mon Apr 10 12:31:56 2017 -0500 + + iptables-restore/ip6tables-restore: add --version/-V argument + + Prints program version just like iptables/ip6tables. + + Signed-off-by: Dan Williams + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables-restore.c.restore_version iptables-1.4.21/iptables/ip6tables-restore.c +--- iptables-1.4.21/iptables/ip6tables-restore.c.restore_version 2017-04-20 16:49:34.253130005 +0200 ++++ iptables-1.4.21/iptables/ip6tables-restore.c 2017-04-20 16:51:43.931089903 +0200 +@@ -37,6 +37,7 @@ static const struct option options[] = { + {.name = "binary", .has_arg = 0, .val = 'b'}, + {.name = "counters", .has_arg = 0, .val = 'c'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "test", .has_arg = 0, .val = 't'}, + {.name = "help", .has_arg = 0, .val = 'h'}, + {.name = "noflush", .has_arg = 0, .val = 'n'}, +@@ -49,12 +50,16 @@ static const struct option options[] = { + + static void print_usage(const char *name, const char *version) __attribute__((noreturn)); + ++#define prog_name ip6tables_globals.program_name ++#define prog_vers ip6tables_globals.program_version ++ + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-w secs] [-W usecs]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-V] [-t] [-h] [-w secs] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" ++ " [ --version]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --wait=\n" +@@ -79,8 +84,7 @@ static struct xtc_handle *create_handle( + + if (!handle) { + xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " +- "table '%s'\n", ip6tables_globals.program_name, +- tablename); ++ "table '%s'\n", prog_name, tablename); + exit(1); + } + return handle; +@@ -214,7 +218,7 @@ int ip6tables_restore_main(int argc, cha + init_extensions6(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +229,9 @@ int ip6tables_restore_main(int argc, cha + case 'v': + verbose = 1; + break; ++ case 'V': ++ printf("%s v%s\n", prog_name, prog_vers); ++ exit(0); + case 't': + testing = 1; + break; +diff -up iptables-1.4.21/iptables/iptables-restore.8.in.restore_version iptables-1.4.21/iptables/iptables-restore.8.in +--- iptables-1.4.21/iptables/iptables-restore.8.in.restore_version 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-restore.8.in 2017-04-20 16:52:20.883299806 +0200 +@@ -23,9 +23,9 @@ iptables-restore \(em Restore IP Tables + .P + ip6tables-restore \(em Restore IPv6 Tables + .SH SYNOPSIS +-\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] + .P +-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] + [\fB\-T\fP \fIname\fP] + .SH DESCRIPTION + .PP +@@ -51,6 +51,9 @@ Only parse and construct the ruleset, bu + \fB\-v\fP, \fB\-\-verbose\fP + Print additional debug info during ruleset processing. + .TP ++\fB\-V\fP, \fB\-\-version\fP ++Print the program version number. ++.TP + \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP + Specify the path to the modprobe program. By default, iptables-restore will + inspect /proc/sys/kernel/modprobe to determine the executable's path. +diff -up iptables-1.4.21/iptables/iptables-restore.c.restore_version iptables-1.4.21/iptables/iptables-restore.c +--- iptables-1.4.21/iptables/iptables-restore.c.restore_version 2017-04-20 16:49:34.253130005 +0200 ++++ iptables-1.4.21/iptables/iptables-restore.c 2017-04-20 17:29:32.495390523 +0200 +@@ -34,6 +34,7 @@ static const struct option options[] = { + {.name = "binary", .has_arg = 0, .val = 'b'}, + {.name = "counters", .has_arg = 0, .val = 'c'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "test", .has_arg = 0, .val = 't'}, + {.name = "help", .has_arg = 0, .val = 'h'}, + {.name = "noflush", .has_arg = 0, .val = 'n'}, +@@ -47,13 +48,15 @@ static const struct option options[] = { + static void print_usage(const char *name, const char *version) __attribute__((noreturn)); + + #define prog_name iptables_globals.program_name ++#define prog_vers iptables_globals.program_version + + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-W usecs]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-V] [-t] [-h] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" ++ " [ --version]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --noflush ]\n" +@@ -214,7 +217,7 @@ iptables_restore_main(int argc, char *ar + init_extensions4(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +228,9 @@ iptables_restore_main(int argc, char *ar + case 'v': + verbose = 1; + break; ++ case 'V': ++ printf("%s v%s\n", prog_name, prog_vers); ++ exit(0); + case 't': + testing = 1; + break; diff --git a/SOURCES/iptables-1.4.21-restore_wait_man.patch b/SOURCES/iptables-1.4.21-restore_wait_man.patch new file mode 100644 index 0000000..4d3b3df --- /dev/null +++ b/SOURCES/iptables-1.4.21-restore_wait_man.patch @@ -0,0 +1,51 @@ +Adapted version of + +commit 65801d02a482befd2745c792d6596ec75d434934 +Author: Dan Williams +Date: Mon Apr 10 12:35:18 2017 -0500 + + iptables-restore.8: document -w/-W options + + Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.") + Signed-off-by: Dan Williams + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/iptables-restore.8.in.restore_wait_man iptables-1.4.21/iptables/iptables-restore.8.in +--- iptables-1.4.21/iptables/iptables-restore.8.in.restore_wait_man 2017-04-20 17:33:23.386401192 +0200 ++++ iptables-1.4.21/iptables/iptables-restore.8.in 2017-04-20 17:35:13.562713997 +0200 +@@ -23,9 +23,11 @@ iptables-restore \(em Restore IP Tables + .P + ip6tables-restore \(em Restore IPv6 Tables + .SH SYNOPSIS +-\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] +++[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] + .P +-\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] +++[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] + [\fB\-T\fP \fIname\fP] + .SH DESCRIPTION + .PP +@@ -54,6 +56,21 @@ Print additional debug info during rules + \fB\-V\fP, \fB\-\-version\fP + Print the program version number. + .TP ++\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP] ++Wait for the xtables lock. ++To prevent multiple instances of the program from running concurrently, ++an attempt will be made to obtain an exclusive lock at launch. By default, ++the program will exit if the lock cannot be obtained. This option will ++make the program wait (indefinitely or for optional \fIseconds\fP) until ++the exclusive lock can be obtained. ++.TP ++\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP ++Interval to wait per each iteration. ++When running latency sensitive applications, waiting for the xtables lock ++for extended durations may not be acceptable. This option will make each ++iteration take the amount of time specified. The default interval is ++1 second. This option only works with \fB\-w\fP. ++.TP + \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP + Specify the path to the modprobe program. By default, iptables-restore will + inspect /proc/sys/kernel/modprobe to determine the executable's path. diff --git a/SOURCES/iptables-1.4.21-rhbz_1054871.patch b/SOURCES/iptables-1.4.21-rhbz_1054871.patch new file mode 100644 index 0000000..f2dfe6f --- /dev/null +++ b/SOURCES/iptables-1.4.21-rhbz_1054871.patch @@ -0,0 +1,51 @@ +diff -up iptables-1.4.21/iptables/ip6tables-save.c.rhbz_1054871 iptables-1.4.21/iptables/ip6tables-save.c +--- iptables-1.4.21/iptables/ip6tables-save.c.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/ip6tables-save.c 2014-03-11 16:19:11.855799695 +0100 +@@ -141,7 +141,7 @@ int ip6tables_save_main(int argc, char * + init_extensions6(); + #endif + +- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "M:cdt:", options, NULL)) != -1) { + switch (c) { + case 'c': + show_counters = 1; +diff -up iptables-1.4.21/iptables/iptables-save.8.in.rhbz_1054871 iptables-1.4.21/iptables/iptables-save.8.in +--- iptables-1.4.21/iptables/iptables-save.8.in.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-save.8.in 2014-03-11 16:15:54.491729364 +0100 +@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules t + .P + ip6tables-save \(em dump iptables rules to stdout + .SH SYNOPSIS +-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] ++\fBiptables\-save\fP [\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe\fP] [\fB\-c\fP] + [\fB\-t\fP \fItable\fP] + .P +-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] +-[\fB\-t\fP \fItable\fP ++\fBip6tables\-save\fP [\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe\fP] [\fB\-c\fP] ++[\fB\-t\fP \fItable\fP] + .SH DESCRIPTION + .PP + .B iptables-save +@@ -36,7 +36,7 @@ and + are used to dump the contents of IP or IPv6 Table in easily parseable format + to STDOUT. Use I/O-redirection provided by your shell to write to a file. + .TP +-\fB\-M\fP \fImodprobe_program\fP ++\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe_program\fP + Specify the path to the modprobe program. By default, iptables-save will + inspect /proc/sys/kernel/modprobe to determine the executable's path. + .TP +diff -up iptables-1.4.21/iptables/iptables-save.c.rhbz_1054871 iptables-1.4.21/iptables/iptables-save.c +--- iptables-1.4.21/iptables/iptables-save.c.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-save.c 2014-03-11 16:19:38.354409495 +0100 +@@ -140,7 +140,7 @@ iptables_save_main(int argc, char *argv[ + init_extensions4(); + #endif + +- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "M:cdt:", options, NULL)) != -1) { + switch (c) { + case 'c': + show_counters = 1; diff --git a/SOURCES/iptables-1.4.21-rhbz_1261238.patch b/SOURCES/iptables-1.4.21-rhbz_1261238.patch new file mode 100644 index 0000000..2584c74 --- /dev/null +++ b/SOURCES/iptables-1.4.21-rhbz_1261238.patch @@ -0,0 +1,14 @@ +diff -up iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 iptables-1.4.21/extensions/libxt_TRACE.man +--- iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/extensions/libxt_TRACE.man 2016-07-01 11:43:59.775632018 +0200 +@@ -1,8 +1,8 @@ + This target marks packets so that the kernel will log every rule which match + the packets as those traverse the tables, chains, rules. + .PP +-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this +-to be visible. ++A logging backend, such as nf_log_ipv4(6) or nfnetlink_log, must be loaded for ++this to be visible. + The packets are logged with the string prefix: + "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for + plain rule, "return" for implicit rule at the end of a user defined chain diff --git a/SOURCES/iptables-1.4.21-wait-interval.patch b/SOURCES/iptables-1.4.21-wait-interval.patch new file mode 100644 index 0000000..ac116d8 --- /dev/null +++ b/SOURCES/iptables-1.4.21-wait-interval.patch @@ -0,0 +1,330 @@ +Adapted version of + +commit e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 +Author: Subash Abhinov Kasiviswanathan +Date: Thu Jun 23 18:44:06 2016 -0600 + + xtables: Add an interval option for xtables lock wait + + ip[6]tables currently waits for 1 second for the xtables lock to be + freed if the -w option is used. We have seen that the lock is held + much less than that resulting in unnecessary delay when trying to + acquire the lock. This problem is even severe in case of latency + sensitive applications. + + Introduce a new option 'W' to specify the wait interval in microseconds. + If this option is not specified, the command sleeps for 1 second by + default. + + v1->v2: Change behavior to take millisecond sleep as an argument to + -w as suggested by Pablo. Also maintain current behavior for -w to + sleep for 1 second as mentioned by Liping. + + v2->v3: Move the millisecond behavior to a new option as suggested + by Pablo. + + v3->v4: Use select instead of usleep. Sleep every iteration for + the time specified in the "-W" argument. Update man page. + + v4->v5: Fix compilation error when enabling nftables + + v5->v6: Simplify -W so it only takes the interval wait in microseconds. + Bail out if -W is specific but -w is not. + + Joint work with Pablo Neira. + + Signed-off-by: Subash Abhinov Kasiviswanathan + Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables.c.wait-interval iptables-1.4.21/iptables/ip6tables.c +--- iptables-1.4.21/iptables/ip6tables.c.wait-interval 2017-04-05 14:04:04.560346651 +0200 ++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:04:04.562346670 +0200 +@@ -103,6 +103,7 @@ static struct option original_opts[] = { + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, + {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "help", .has_arg = 2, .val = 'h'}, +@@ -258,7 +259,10 @@ exit_printhelp(const struct xtables_rule + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w [seconds] wait for the xtables lock\n" ++" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n" ++" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n" ++" interval to wait for xtables lock\n" ++" default is 1 second\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + /*"[!] --fragment -f match second or further fragments only\n"*/ +@@ -1323,6 +1327,10 @@ int do_command6(int argc, char *argv[], + + int verbose = 0; + int wait = 0; ++ struct timeval wait_interval = { ++ .tv_sec = 1, ++ }; ++ bool wait_interval_set = false; + const char *chain = NULL; + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; + const char *policy = NULL, *newname = NULL; +@@ -1358,7 +1366,7 @@ int do_command6(int argc, char *argv[], + + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::nt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::W::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1614,6 +1622,23 @@ int do_command6(int argc, char *argv[], + "wait seconds not numeric"); + break; + ++ case 'W': ++ if (restore) { ++ xtables_error(PARAMETER_PROBLEM, ++ "You cannot use `-W' from " ++ "ip6tables-restore"); ++ } ++ if (optarg) ++ parse_wait_interval(optarg, &wait_interval); ++ else if (optind < argc && ++ argv[optind][0] != '-' && ++ argv[optind][0] != '!') ++ parse_wait_interval(argv[optind++], ++ &wait_interval); ++ ++ wait_interval_set = true; ++ break; ++ + case 'm': + command_match(&cs); + break; +@@ -1718,6 +1743,10 @@ int do_command6(int argc, char *argv[], + cs.invert = FALSE; + } + ++ if (!wait && wait_interval_set) ++ xtables_error(PARAMETER_PROBLEM, ++ "--wait-interval only makes sense with --wait\n"); ++ + if (strcmp(*table, "nat") == 0 && + ((policy != NULL && strcmp(policy, "DROP") == 0) || + (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0))) +@@ -1768,7 +1797,7 @@ int do_command6(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait)) { ++ if (!restore && !xtables_lock(wait, &wait_interval)) { + fprintf(stderr, "Another app is currently holding the xtables lock. "); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/iptables.8.in.wait-interval iptables-1.4.21/iptables/iptables.8.in +--- iptables-1.4.21/iptables/iptables.8.in.wait-interval 2017-04-05 14:04:04.555346605 +0200 ++++ iptables-1.4.21/iptables/iptables.8.in 2017-04-05 14:04:04.562346670 +0200 +@@ -369,6 +369,13 @@ the program will exit if the lock cannot + make the program wait (indefinitely or for optional \fIseconds\fP) until + the exclusive lock can be obtained. + .TP ++\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP ++Interval to wait per each iteration. ++When running latency sensitive applications, waiting for the xtables lock ++for extended durations may not be acceptable. This option will make each ++iteration take the amount of time specified. The default interval is ++1 second. This option only works with \fB\-w\fP. ++.TP + \fB\-n\fP, \fB\-\-numeric\fP + Numeric output. + IP addresses and port numbers will be printed in numeric format. +diff -up iptables-1.4.21/iptables/iptables.c.wait-interval iptables-1.4.21/iptables/iptables.c +--- iptables-1.4.21/iptables/iptables.c.wait-interval 2017-04-05 14:04:04.555346605 +0200 ++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:04:04.563346679 +0200 +@@ -100,6 +100,7 @@ static struct option original_opts[] = { + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, + {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "fragments", .has_arg = 0, .val = 'f'}, + {.name = "version", .has_arg = 0, .val = 'V'}, +@@ -252,7 +253,9 @@ exit_printhelp(const struct xtables_rule + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w [seconds] wait for the xtables lock\n" ++" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n" ++" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n" ++" default is 1 second\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + "[!] --fragment -f match second or further fragments only\n" +@@ -1316,7 +1319,10 @@ int do_command4(int argc, char *argv[], + unsigned int nsaddrs = 0, ndaddrs = 0; + struct in_addr *saddrs = NULL, *smasks = NULL; + struct in_addr *daddrs = NULL, *dmasks = NULL; +- ++ struct timeval wait_interval = { ++ .tv_sec = 1, ++ }; ++ bool wait_interval_set = false; + int verbose = 0; + int wait = 0; + const char *chain = NULL; +@@ -1353,7 +1359,7 @@ int do_command4(int argc, char *argv[], + opterr = 0; + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1607,6 +1613,23 @@ int do_command4(int argc, char *argv[], + "wait seconds not numeric"); + break; + ++ case 'W': ++ if (restore) { ++ xtables_error(PARAMETER_PROBLEM, ++ "You cannot use `-W' from " ++ "iptables-restore"); ++ } ++ if (optarg) ++ parse_wait_interval(optarg, &wait_interval); ++ else if (optind < argc && ++ argv[optind][0] != '-' && ++ argv[optind][0] != '!') ++ parse_wait_interval(argv[optind++], ++ &wait_interval); ++ ++ wait_interval_set = true; ++ break; ++ + case 'm': + command_match(&cs); + break; +@@ -1707,6 +1730,10 @@ int do_command4(int argc, char *argv[], + cs.invert = FALSE; + } + ++ if (!wait && wait_interval_set) ++ xtables_error(PARAMETER_PROBLEM, ++ "--wait-interval only makes sense with --wait\n"); ++ + if (strcmp(*table, "nat") == 0 && + ((policy != NULL && strcmp(policy, "DROP") == 0) || + (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0))) +@@ -1757,7 +1784,7 @@ int do_command4(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait)) { ++ if (!restore && !xtables_lock(wait, &wait_interval)) { + fprintf(stderr, "Another app is currently holding the xtables lock. "); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/xshared.c.wait-interval iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.wait-interval 2017-04-05 14:04:04.557346624 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:04:04.563346679 +0200 +@@ -9,12 +9,15 @@ + #include + #include + #include ++#include + #include + #include + #include ++#include + #include "xshared.h" + + #define XT_LOCK_NAME "/run/xtables.lock" ++#define BASE_MICROSECONDS 100000 + + /* + * Print out any special helps. A user might like to be able to add a --help +@@ -244,9 +247,15 @@ void xs_init_match(struct xtables_match + match->init(match->m); + } + +-bool xtables_lock(int wait) ++bool xtables_lock(int wait, struct timeval *wait_interval) + { +- int fd, waited = 0, i = 0; ++ struct timeval time_left, wait_time, waited_time; ++ int fd, i = 0; ++ ++ time_left.tv_sec = wait; ++ time_left.tv_usec = 0; ++ waited_time.tv_sec = 0; ++ waited_time.tv_usec = 0; + + fd = open(XT_LOCK_NAME, O_CREAT, 0600); + if (fd < 0) +@@ -255,12 +264,43 @@ bool xtables_lock(int wait) + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; +- else if (wait >= 0 && waited >= wait) ++ if (++i % 10 == 0) { ++ if (wait != -1) ++ fprintf(stderr, "Another app is currently holding the xtables lock; " ++ "still %lds %ldus time ahead to have a chance to grab the lock...\n", ++ time_left.tv_sec, time_left.tv_usec); ++ else ++ fprintf(stderr, "Another app is currently holding the xtables lock; " ++ "waiting for it to exit...\n"); ++ } ++ ++ wait_time = *wait_interval; ++ select(0, NULL, NULL, NULL, &wait_time); ++ if (wait == -1) ++ continue; ++ ++ timeradd(&waited_time, wait_interval, &waited_time); ++ timersub(&time_left, wait_interval, &time_left); ++ if (!timerisset(&time_left)) + return false; +- if (++i % 2 == 0) +- fprintf(stderr, "Another app is currently holding the xtables lock; " +- "waiting (%ds) for it to exit...\n", waited); +- waited++; +- sleep(1); + } + } ++ ++void parse_wait_interval(const char *str, struct timeval *wait_interval) ++{ ++ unsigned int usec; ++ int ret; ++ ++ ret = sscanf(str, "%u", &usec); ++ if (ret == 1) { ++ if (usec > 999999) ++ xtables_error(PARAMETER_PROBLEM, ++ "too long usec wait %u > 999999 usec", ++ usec); ++ ++ wait_interval->tv_sec = 0; ++ wait_interval->tv_usec = usec; ++ return; ++ } ++ xtables_error(PARAMETER_PROBLEM, "wait interval not numeric"); ++} +diff -up iptables-1.4.21/iptables/xshared.h.wait-interval iptables-1.4.21/iptables/xshared.h +--- iptables-1.4.21/iptables/xshared.h.wait-interval 2017-04-05 14:04:04.555346605 +0200 ++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:04:04.563346679 +0200 +@@ -84,7 +84,9 @@ extern struct xtables_match *load_proto( + extern int subcmd_main(int, char **, const struct subcommand *); + extern void xs_init_target(struct xtables_target *); + extern void xs_init_match(struct xtables_match *); +-extern bool xtables_lock(int wait); ++bool xtables_lock(int wait, struct timeval *wait_interval); ++ ++void parse_wait_interval(const char *str, struct timeval *wait_interval); + + extern const struct xtables_afinfo *afinfo; + diff --git a/SOURCES/iptables-1.4.21-wait_seconds.patch b/SOURCES/iptables-1.4.21-wait_seconds.patch new file mode 100644 index 0000000..4fb5cbc --- /dev/null +++ b/SOURCES/iptables-1.4.21-wait_seconds.patch @@ -0,0 +1,288 @@ +twoerner: Adapted version of the upstream patch for 1.4.21 + + +From aaa4ace72ba1d195bbf436134a336816c33f7bd0 Mon Sep 17 00:00:00 2001 +From: Jiri Popelka +Date: Fri, 4 Jul 2014 15:50:41 +0200 +Subject: iptables: add optional [seconds] argument to -w + +This patch adds an optional numeric argument +to -w option (added with 93587a0) so one can +specify how long to wait for an exclusive lock. + +If the value isn't specified it works as before, +i.e. program waits indefinitely. + +If user specifies it, program exits after +the given time interval passes. + +This patch also adds the -w/--wait to nftables +compat code, so the parser doesn't complain. + +[ In the original patch, iptables-compat -w X was not working, + I have fixed by adding the dummy code not to break scripts + using the new optional argument --pablo ] + +Signed-off-by: Jiri Popelka +Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 2ebfd6c..8db13b4 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -102,7 +102,7 @@ static struct option original_opts[] = { + {.name = "numeric", .has_arg = 0, .val = 'n'}, + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, +- {.name = "wait", .has_arg = 0, .val = 'w'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "help", .has_arg = 2, .val = 'h'}, +@@ -258,7 +258,7 @@ exit_printhelp(const struct xtables_rule_match *matches) + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w wait for the xtables lock\n" ++" --wait -w [seconds] wait for the xtables lock\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + /*"[!] --fragment -f match second or further fragments only\n"*/ +@@ -1322,7 +1322,7 @@ int do_command6(int argc, char *argv[], char **table, + struct in6_addr *smasks = NULL, *dmasks = NULL; + + int verbose = 0; +- bool wait = false; ++ int wait = 0; + const char *chain = NULL; + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; + const char *policy = NULL, *newname = NULL; +@@ -1358,7 +1358,7 @@ int do_command6(int argc, char *argv[], char **table, + + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1602,7 +1602,16 @@ int do_command6(int argc, char *argv[], char **table, + "You cannot use `-w' from " + "ip6tables-restore"); + } +- wait = true; ++ wait = -1; ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (optind < argc && argv[optind][0] != '-' ++ && argv[optind][0] != '!') ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); + break; + + case 'm': +@@ -1753,8 +1762,11 @@ int do_command6(int argc, char *argv[], char **table, + + /* Attempt to acquire the xtables lock */ + if (!restore && !xtables_lock(wait)) { +- fprintf(stderr, "Another app is currently holding the xtables lock. " +- "Perhaps you want to use the -w option?\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock. "); ++ if (wait == 0) ++ fprintf(stderr, "Perhaps you want to use the -w option?\n"); ++ else ++ fprintf(stderr, "Stopped waiting after %ds.\n", wait); + xtables_free_opts(1); + exit(RESOURCE_PROBLEM); + } +diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in +index 8ef222e..ceba5dc 100644 +--- a/iptables/iptables.8.in ++++ b/iptables/iptables.8.in +@@ -361,12 +361,13 @@ For appending, insertion, deletion and replacement, this causes + detailed information on the rule or rules to be printed. \fB\-v\fP may be + specified multiple times to possibly emit more detailed debug statements. + .TP +-\fB\-w\fP, \fB\-\-wait\fP ++\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP] + Wait for the xtables lock. + To prevent multiple instances of the program from running concurrently, + an attempt will be made to obtain an exclusive lock at launch. By default, + the program will exit if the lock cannot be obtained. This option will +-make the program wait until the exclusive lock can be obtained. ++make the program wait (indefinitely or for optional \fIseconds\fP) until ++the exclusive lock can be obtained. + .TP + \fB\-n\fP, \fB\-\-numeric\fP + Numeric output. +diff --git a/iptables/iptables.c b/iptables/iptables.c +index 471bff0..88953c4 100644 +--- a/iptables/iptables.c ++++ b/iptables/iptables.c +@@ -99,7 +99,7 @@ static struct option original_opts[] = { + {.name = "numeric", .has_arg = 0, .val = 'n'}, + {.name = "out-interface", .has_arg = 1, .val = 'o'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, +- {.name = "wait", .has_arg = 0, .val = 'w'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, + {.name = "exact", .has_arg = 0, .val = 'x'}, + {.name = "fragments", .has_arg = 0, .val = 'f'}, + {.name = "version", .has_arg = 0, .val = 'V'}, +@@ -252,7 +252,7 @@ exit_printhelp(const struct xtables_rule_match *matches) + " network interface name ([+] for wildcard)\n" + " --table -t table table to manipulate (default: `filter')\n" + " --verbose -v verbose mode\n" +-" --wait -w wait for the xtables lock\n" ++" --wait -w [seconds] wait for the xtables lock\n" + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + "[!] --fragment -f match second or further fragments only\n" +@@ -1318,7 +1318,7 @@ int do_command4(int argc, char *argv[], char **table, + struct in_addr *daddrs = NULL, *dmasks = NULL; + + int verbose = 0; +- bool wait = false; ++ int wait = 0; + const char *chain = NULL; + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; + const char *policy = NULL, *newname = NULL; +@@ -1351,10 +1351,9 @@ int do_command4(int argc, char *argv[], char **table, + /* Suppress error messages: we may add new options if we + demand-load a protocol. */ + opterr = 0; +- + opts = xt_params->orig_opts; + while ((cs.c = getopt_long(argc, argv, +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46", ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", + opts, NULL)) != -1) { + switch (cs.c) { + /* +@@ -1596,7 +1595,16 @@ int do_command4(int argc, char *argv[], char **table, + "You cannot use `-w' from " + "iptables-restore"); + } +- wait = true; ++ wait = -1; ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (optind < argc && argv[optind][0] != '-' ++ && argv[optind][0] != '!') ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); + break; + + case 'm': +@@ -1750,8 +1758,11 @@ int do_command4(int argc, char *argv[], char **table, + + /* Attempt to acquire the xtables lock */ + if (!restore && !xtables_lock(wait)) { +- fprintf(stderr, "Another app is currently holding the xtables lock. " +- "Perhaps you want to use the -w option?\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock. "); ++ if (wait == 0) ++ fprintf(stderr, "Perhaps you want to use the -w option?\n"); ++ else ++ fprintf(stderr, "Stopped waiting after %ds.\n", wait); + xtables_free_opts(1); + exit(RESOURCE_PROBLEM); + } +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 6c9992e..b18022e 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -243,10 +243,11 @@ void xs_init_match(struct xtables_match *match) + match->init(match->m); + } + +-bool xtables_lock(bool wait) ++bool xtables_lock(int wait) + { + int i = 0, ret, xt_socket; + struct sockaddr_un xt_addr; ++ int waited = 0; + + memset(&xt_addr, 0, sizeof(xt_addr)); + xt_addr.sun_family = AF_UNIX; +@@ -261,11 +262,12 @@ bool xtables_lock(bool wait) + offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); + if (ret == 0) + return true; +- else if (wait == false) ++ else if (wait >= 0 && waited >= wait) + return false; + if (++i % 2 == 0) + fprintf(stderr, "Another app is currently holding the xtables lock; " +- "waiting for it to exit...\n"); ++ "waiting (%ds) for it to exit...\n", waited); ++ waited++; + sleep(1); + } + } +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 27c5b78..40dd915 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -84,7 +84,7 @@ extern struct xtables_match *load_proto(struct iptables_command_state *); + extern int subcmd_main(int, char **, const struct subcommand *); + extern void xs_init_target(struct xtables_target *); + extern void xs_init_match(struct xtables_match *); +-extern bool xtables_lock(bool wait); ++extern bool xtables_lock(int wait); + + extern const struct xtables_afinfo *afinfo; + +#diff --git a/iptables/xtables.c b/iptables/xtables.c +#index 45a5ac6..d661dd1 100644 +#--- a/iptables/xtables.c +#+++ b/iptables/xtables.c +#@@ -85,6 +85,7 @@ static struct option original_opts[] = { +# {.name = "numeric", .has_arg = 0, .val = 'n'}, +# {.name = "out-interface", .has_arg = 1, .val = 'o'}, +# {.name = "verbose", .has_arg = 0, .val = 'v'}, +#+ {.name = "wait", .has_arg = 2, .val = 'w'}, +# {.name = "exact", .has_arg = 0, .val = 'x'}, +# {.name = "fragments", .has_arg = 0, .val = 'f'}, +# {.name = "version", .has_arg = 0, .val = 'V'}, +#@@ -683,6 +684,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# { +# struct iptables_command_state cs; +# int verbose = 0; +#+ int wait = 0; +# const char *chain = NULL; +# const char *policy = NULL, *newname = NULL; +# unsigned int rulenum = 0, command = 0; +#@@ -722,7 +724,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# +# opts = xt_params->orig_opts; +# while ((cs.c = getopt_long(argc, argv, +#- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46", +#+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", +# opts, NULL)) != -1) { +# switch (cs.c) { +# /* +#@@ -1007,6 +1009,15 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, +# "You cannot use `-w' from " +# "iptables-restore"); +# } +#+ if (optarg) { +#+ if (sscanf(optarg, "%i", &wait) != 1) +#+ xtables_error(PARAMETER_PROBLEM, +#+ "wait seconds not numeric"); +#+ } else if (optind < argc && argv[optind][0] != '-' +#+ && argv[optind][0] != '!') +#+ if (sscanf(argv[optind++], "%i", &wait) != 1) +#+ xtables_error(PARAMETER_PROBLEM, +#+ "wait seconds not numeric"); +# break; +# +# case '0': +-- +cgit v0.10.2 + diff --git a/SOURCES/iptables-c513cc3-rhbz_1298879.patch b/SOURCES/iptables-c513cc3-rhbz_1298879.patch new file mode 100644 index 0000000..136b648 --- /dev/null +++ b/SOURCES/iptables-c513cc3-rhbz_1298879.patch @@ -0,0 +1,34 @@ +From c513cc3dd10231f267548d644dcb7632516a2348 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Fri, 10 Jun 2016 14:57:58 +0200 +Subject: ip6tables: Warn about use of DROP in nat table + +Clone of 1eada72b with 9bb76094 and e0390bee on top. + +Signed-off-by: Thomas Woerner +Signed-off-by: Pablo Neira Ayuso +--- + iptables/ip6tables.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 2731209..c48ddf9 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -1720,6 +1720,13 @@ int do_command6(int argc, char *argv[], char **table, + cs.invert = FALSE; + } + ++ if (strcmp(*table, "nat") == 0 && ++ ((policy != NULL && strcmp(policy, "DROP") == 0) || ++ (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0))) ++ xtables_error(PARAMETER_PROBLEM, ++ "\nThe \"nat\" table is not intended for filtering, " ++ "the use of DROP is therefore inhibited.\n\n"); ++ + for (matchp = cs.matches; matchp; matchp = matchp->next) + xtables_option_mfcall(matchp->match); + if (cs.target != NULL) +-- +cgit v0.12 + diff --git a/SOURCES/iptables-config b/SOURCES/iptables-config new file mode 100644 index 0000000..0237281 --- /dev/null +++ b/SOURCES/iptables-config @@ -0,0 +1,66 @@ +# Load additional iptables modules (nat helpers) +# Default: -none- +# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which +# are loaded after the firewall rules are applied. Options for the helpers are +# stored in /etc/modprobe.conf. +IPTABLES_MODULES="" + +# Unload modules on restart and stop +# Value: yes|no, default: yes +# This option has to be 'yes' to get to a sane state for a firewall +# restart or stop. Only set to 'no' if there are problems unloading netfilter +# modules. +IPTABLES_MODULES_UNLOAD="yes" + +# Save current firewall rules on stop. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped +# (e.g. on system shutdown). +IPTABLES_SAVE_ON_STOP="no" + +# Save current firewall rules on restart. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets +# restarted. +IPTABLES_SAVE_ON_RESTART="no" + +# Save (and restore) rule and chain counter. +# Value: yes|no, default: no +# Save counters for rules and chains to /etc/sysconfig/iptables if +# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or +# SAVE_ON_RESTART is enabled. +IPTABLES_SAVE_COUNTER="no" + +# Numeric status output +# Value: yes|no, default: yes +# Print IP addresses and port numbers in numeric format in the status output. +IPTABLES_STATUS_NUMERIC="yes" + +# Verbose status output +# Value: yes|no, default: yes +# Print info about the number of packets and bytes plus the "input-" and +# "outputdevice" in the status output. +IPTABLES_STATUS_VERBOSE="no" + +# Status output with numbered lines +# Value: yes|no, default: yes +# Print a counter/number for every rule in the status output. +IPTABLES_STATUS_LINENUMBERS="yes" + +# Reload sysctl settings on start and restart +# Default: -none- +# Space separated list of sysctl items which are to be reloaded on start. +# List items will be matched by fgrep. +#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf" + +# Set wait option for iptables-restore calls in seconds +# Default: 600 +# Set to 0 to deactivate the wait. +#IPTABLES_RESTORE_WAIT=600 + +# Set wait interval option for iptables-restore calls in microseconds +# Default: 1000000 +# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a +# second. +# Only usable with IPTABLES_RESTORE_WAIT > 0 +#IPTABLES_RESTORE_WAIT_INTERVAL=1000000 diff --git a/SOURCES/iptables-do_not_lock_again_and_again.patch b/SOURCES/iptables-do_not_lock_again_and_again.patch new file mode 100644 index 0000000..6d4913d --- /dev/null +++ b/SOURCES/iptables-do_not_lock_again_and_again.patch @@ -0,0 +1,78 @@ +commit 24f8174646123c2833bc87967b366796231b04e0 +Author: Liping Zhang +Date: Sun Feb 5 21:57:34 2017 +0800 + + xshared: do not lock again and again if "-w" option is not specified + + After running the following commands, some confusing messages was printed + out: + # while : ; do + iptables -A INPUT & + iptables -D INPUT & + done + [...] + Another app is currently holding the xtables lock; still -9s 0us time + ahead to have a chance to grab the lock... + Another app is currently holding the xtables lock; still -29s 0us time + ahead to have a chance to grab the lock... + + If "-w" option is not specified, the "wait" will be zero, so we should + check whether the timer_left is less than wait_interval before we call + select to sleep. + + Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time" + introduced by commit e8f857a5a151 ("xtables: Add an interval option for + xtables lock wait"). + + Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait") + Signed-off-by: Liping Zhang + Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index cccb8ae..055acf2 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -17,7 +17,6 @@ + #include "xshared.h" + + #define XT_LOCK_NAME "/run/xtables.lock" +-#define BASE_MICROSECONDS 100000 + + /* + * Print out any special helps. A user might like to be able to add a --help +@@ -249,13 +248,11 @@ void xs_init_match(struct xtables_match *match) + + bool xtables_lock(int wait, struct timeval *wait_interval) + { +- struct timeval time_left, wait_time, waited_time; ++ struct timeval time_left, wait_time; + int fd, i = 0; + + time_left.tv_sec = wait; + time_left.tv_usec = 0; +- waited_time.tv_sec = 0; +- waited_time.tv_usec = 0; + + fd = open(XT_LOCK_NAME, O_CREAT, 0600); + if (fd < 0) +@@ -264,6 +261,9 @@ bool xtables_lock(int wait, struct timeval *wait_interval) + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; ++ else if (wait >= 0 && timercmp(&time_left, wait_interval, <)) ++ return false; ++ + if (++i % 10 == 0) { + if (wait != -1) + fprintf(stderr, "Another app is currently holding the xtables lock; " +@@ -279,10 +279,7 @@ bool xtables_lock(int wait, struct timeval *wait_interval) + if (wait == -1) + continue; + +- timeradd(&waited_time, wait_interval, &waited_time); + timersub(&time_left, wait_interval, &time_left); +- if (!timerisset(&time_left)) +- return false; + } + } + diff --git a/SOURCES/iptables-do_not_set_changed_for_check_options.patch b/SOURCES/iptables-do_not_set_changed_for_check_options.patch new file mode 100644 index 0000000..f36e064 --- /dev/null +++ b/SOURCES/iptables-do_not_set_changed_for_check_options.patch @@ -0,0 +1,79 @@ +commit 9b8cb7564a53865bf0e239bbc3e057de70edf65d +Author: Dan Williams +Date: Sat Feb 25 22:02:03 2017 -0600 + + libiptc: don't set_changed() when checking rules with module jumps + + Checking a rule that includes a jump to a module-based target currently + sets the "changed" flag on the handle, which then causes TC_COMMIT() to + run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This + seems wrong for simply checking rules, an operation which is documented + as "...does not alter the existing iptables configuration..." but yet + it clearly could do so. + + Fix that by ensuring that rule check operations for module targets + don't set the changed flag, and thus exit early from TC_COMMIT(). + + Signed-off-by: Dan Williams + Signed-off-by: Pablo Neira Ayuso + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index 2c66d04..a6e7057 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict) + + static int + iptcc_map_target(struct xtc_handle *const handle, +- struct rule_head *r) ++ struct rule_head *r, ++ bool dry_run) + { + STRUCT_ENTRY *e = r->entry; + STRUCT_ENTRY_TARGET *t = GET_TARGET(e); +@@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle, + 0, + FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); + r->type = IPTCC_R_MODULE; +- set_changed(handle); ++ if (!dry_run) ++ set_changed(handle); + return 1; + } + +@@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + free(r); + return 0; + } +@@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + free(r); + return 0; + } +@@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + DEBUGP("unable to map target of rule for chain `%s'\n", chain); + free(r); + return 0; +@@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw, + + memcpy(r->entry, origfw, origfw->next_offset); + r->counter_map.maptype = COUNTER_MAP_NOMAP; +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, dry_run)) { + DEBUGP("unable to map target of rule for chain `%s'\n", chain); + free(r); + return 0; diff --git a/SOURCES/iptables-use_the_blocking_file_lock_request.patch b/SOURCES/iptables-use_the_blocking_file_lock_request.patch new file mode 100644 index 0000000..1cddc36 --- /dev/null +++ b/SOURCES/iptables-use_the_blocking_file_lock_request.patch @@ -0,0 +1,91 @@ +commit 72bb3dbf0ecdf3ec96aee80e5d152c8be4394da1 +Author: Liping Zhang +Date: Mon Feb 6 19:47:47 2017 +0800 + + xshared: using the blocking file lock request when we wait indefinitely + + When using "-w" to avoid concurrent instances, we try to do flock() every + one second until it success. But one second maybe too long in some + situations, and it's hard to select a suitable interval time. So when + using "iptables -w" to wait indefinitely, it's better to block until + it become success. + + Now do some performance tests. First, flush all the iptables rules in + filter table, and run "iptables -w -S" endlessly: + # iptables -F + # iptables -X + # while : ; do + iptables -w -S >&- & + done + + Second, after adding and deleting the iptables rules 100 times, measure + the time cost: + # time for i in $(seq 100); do + iptables -w -A INPUT + iptables -w -D INPUT + done + + Before this patch: + real 1m15.962s + user 0m0.224s + sys 0m1.475s + + Apply this patch: + real 0m1.830s + user 0m0.168s + sys 0m1.130s + + Signed-off-by: Liping Zhang + Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 055acf2..f0a5ddd 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include +@@ -258,27 +259,29 @@ bool xtables_lock(int wait, struct timeval *wait_interval) + if (fd < 0) + return true; + ++ if (wait == -1) { ++ if (flock(fd, LOCK_EX) == 0) ++ return true; ++ ++ fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME, ++ strerror(errno)); ++ return false; ++ } ++ + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; +- else if (wait >= 0 && timercmp(&time_left, wait_interval, <)) ++ else if (timercmp(&time_left, wait_interval, <)) + return false; + + if (++i % 10 == 0) { +- if (wait != -1) +- fprintf(stderr, "Another app is currently holding the xtables lock; " +- "still %lds %ldus time ahead to have a chance to grab the lock...\n", +- time_left.tv_sec, time_left.tv_usec); +- else +- fprintf(stderr, "Another app is currently holding the xtables lock; " +- "waiting for it to exit...\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock; " ++ "still %lds %ldus time ahead to have a chance to grab the lock...\n", ++ time_left.tv_sec, time_left.tv_usec); + } + + wait_time = *wait_interval; + select(0, NULL, NULL, NULL, &wait_time); +- if (wait == -1) +- continue; +- + timersub(&time_left, wait_interval, &time_left); + } + } diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init new file mode 100755 index 0000000..80f6ccd --- /dev/null +++ b/SOURCES/iptables.init @@ -0,0 +1,476 @@ +#!/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# Source function library. +. /etc/init.d/functions + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES +RESTORECON=/bin/restorecon +[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Old or new modutils +/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ + && NEW_MODUTILS=1 \ + || NEW_MODUTILS=0 + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_MODULES_UNLOAD="yes" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" + +# Netfilter modules +NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables) +NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 + +# Get active tables +NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + + +rmmod_r() { + # Unload module with all referring modules. + # At first all referring modules will be unloaded, then the module itself. + local mod=$1 + local ret=0 + local ref= + + # Get referring modules. + # New modutils have another output format. + [ $NEW_MODUTILS = 1 ] \ + && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ + || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) + + # recursive call for all referring modules + for i in $ref; do + rmmod_r $i + let ret+=$?; + done + + # Unload module. + # The extra test is for 2.6: The module might have autocleaned, + # after all referring modules are unloaded. + if grep -q "^${mod}" /proc/modules ; then + modprobe -r $mod > /dev/null 2>&1 + res=$? + [ $res -eq 0 ] || echo -n " $mod" + let ret+=$res; + fi + + return $ret +} + +flush_n_delete() { + # Flush firewall rules and delete chains. + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IPTABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + [ -z "$tables" ] && return 1 + + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + # Do not stop if iptables module is not loaded. + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then + echo -n $"${IPTABLES}: Unloading modules: " + ret=0 + for mod in ${NF_MODULES[*]}; do + rmmod_r $mod + let ret+=$?; + done + # try to unload remaining netfilter modules used by ipv4 and ipv6 + # netfilter + for mod in ${NF_MODULES_COMMON[*]}; do + rmmod_r $mod >/dev/null + done + [ $ret -eq 0 ] && success || failure + echo + fi + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + # Check if iptable module is loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && $RESTORECON $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && $RESTORECON $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable modules are loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. " + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? + ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/SOURCES/iptables.panic-legacy b/SOURCES/iptables.panic-legacy new file mode 100644 index 0000000..7eedfce --- /dev/null +++ b/SOURCES/iptables.panic-legacy @@ -0,0 +1,2 @@ +#!/bin/bash +exec /usr/libexec/iptables/iptables.init panic diff --git a/SOURCES/iptables.save-legacy b/SOURCES/iptables.save-legacy new file mode 100644 index 0000000..accca0e --- /dev/null +++ b/SOURCES/iptables.save-legacy @@ -0,0 +1,2 @@ +#!/bin/bash +exec /usr/libexec/iptables/iptables.init save diff --git a/SOURCES/iptables.service b/SOURCES/iptables.service new file mode 100644 index 0000000..6722c7a --- /dev/null +++ b/SOURCES/iptables.service @@ -0,0 +1,18 @@ +[Unit] +Description=IPv4 firewall with iptables +After=syslog.target +AssertPathExists=/etc/sysconfig/iptables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=basic.target diff --git a/SOURCES/sysconfig_ip6tables b/SOURCES/sysconfig_ip6tables new file mode 100644 index 0000000..34b8b87 --- /dev/null +++ b/SOURCES/sysconfig_ip6tables @@ -0,0 +1,15 @@ +# sample configuration for ip6tables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p ipv6-icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited +COMMIT diff --git a/SOURCES/sysconfig_iptables b/SOURCES/sysconfig_iptables new file mode 100644 index 0000000..5183250 --- /dev/null +++ b/SOURCES/sysconfig_iptables @@ -0,0 +1,14 @@ +# sample configuration for iptables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec new file mode 100644 index 0000000..b3adc32 --- /dev/null +++ b/SPECS/iptables.spec @@ -0,0 +1,1298 @@ +# install init scripts to /usr/libexec with systemd +%define script_path %{_libexecdir}/iptables + +# service legacy actions (RHBZ#748134) +%define legacy_actions %{_libexecdir}/initscripts/legacy-actions + +Name: iptables +Summary: Tools for managing Linux kernel packet filtering capabilities +Version: 1.4.21 +Release: 18.3%{?dist} +Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 +Source1: iptables.init +Source2: iptables-config +Source3: iptables.service +Source4: iptables.save-legacy +Source5: sysconfig_iptables +Source6: sysconfig_ip6tables +Source7: iptables.panic-legacy +Patch1: iptables-1.4.21-rhbz_1054871.patch +Patch2: iptables-1.4.21-libxt_cgroup.patch +Patch3: iptables-1.4.21-wait_seconds.patch +Patch4: iptables-1.4.21-flock_wait.patch +Patch5: iptables-1.4.21-rhbz_1261238.patch +Patch6: iptables-c513cc3-rhbz_1298879.patch +Patch7: iptables-1.4.21-wait-interval.patch +Patch8: iptables-do_not_lock_again_and_again.patch +Patch9: iptables-use_the_blocking_file_lock_request.patch +Patch10: iptables-1.4.21-configure_set_lock_file_path.patch +Patch11: iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch +Patch12: iptables-1.4.21-remove_duplicated_argument_parsing.patch +Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch +# One patch invalid: 1cf4ba6fbe85b3cbe9828a7947000290e1989986 +Patch14: iptables-do_not_set_changed_for_check_options.patch +Patch15: iptables-1.4.21-restore_version.patch +Patch16: iptables-1.4.21-restore_wait_man.patch + +Group: System Environment/Base +URL: http://www.netfilter.org/ +License: GPLv2 +# libnetfilter_conntrack is needed for xt_connlabel +BuildRequires: libnetfilter_conntrack-devel >= 1.0.4 +# libnfnetlink-devel is requires for nfnl_osf +BuildRequires: libnfnetlink-devel +BuildRequires: libselinux-devel +BuildRequires: kernel-headers +BuildRequires: systemd +BuildRequires: automake +BuildRequires: autoconf +BuildRequires: libtool + +%description +The iptables utility controls the network packet filtering code in the +Linux kernel. If you need to set up firewalls and/or IP masquerading, +you should install this package. + +%package devel +Summary: Development package for iptables +Group: System Environment/Base +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig + +%description devel +iptables development headers and libraries. + +The iptc interface is upstream marked as not public. The interface is not +stable and may change with every new version. It is therefore unsupported. + +%package services +Summary: iptables and ip6tables services for iptables +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} +Requires: /bin/bash +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# provide and obsolete old main package +Provides: %{name} = 1.4.16.1 +Obsoletes: %{name} < 1.4.16.1 +# provide and obsolete ipv6 sub package +Provides: %{name}-ipv6 = 1.4.11.1 +Obsoletes: %{name}-ipv6 < 1.4.11.1 + +%description services +iptables services for IPv4 and IPv6 + +This package provides the services iptables and ip6tables that have been split +out of the base package since they are not active by default anymore. + +%package utils +Summary: iptables and ip6tables services for iptables +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description utils +Utils for iptables. + +Currently only provides nfnl_osf with the pf.os database. + + +%prep +%setup -q +%patch1 -p1 -b .rhbz_1054871 +%patch2 -p1 -b .libxt_cgroup +%patch3 -p1 -b .wait_seconds +%patch4 -p1 -b .flock_wait +%patch5 -p1 -b .rhbz_1261238 +%patch6 -p1 -b .rhbz_1298879 +%patch7 -p1 -b .wait-interval +%patch8 -p1 -b .do_not_lock_again_and_again +%patch9 -p1 -b .use_the_blocking_file_lock_request +%patch10 -p1 -b .configure_set_lock_file_path +%patch11 -p1 -b .move_XT_LOCK_NAME_to_config.h +%patch12 -p1 -b .remove_duplicated_argument_parsing +%patch13 -p1 -b .restore_support_acquiring_the_lock +%patch14 -p1 -b .do_not_set_changed_for_check_options +%patch15 -p1 -b .restore_version +%patch16 -p1 -b .restore_wait_man + +%build +# Since patches above touch configure.ac we must regen configure +./autogen.sh + +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ +%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr + +# do not use rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +rm -f include/linux/types.h + +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +# remove la file(s) +rm -f %{buildroot}/%{_libdir}/*.la + +# install ip*tables.h header files +install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/ +install -d -m 755 %{buildroot}%{_includedir}/iptables +install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/ + +# install ipulog header file +install -d -m 755 %{buildroot}%{_includedir}/libipulog/ +install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/ + +# install init scripts and configuration files +install -d -m 755 %{buildroot}%{script_path} +install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init +install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config +install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config +install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables +install -c -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables + +# install systemd service files +install -d -m 755 %{buildroot}/%{_unitdir} +sed -e 's;iptables;ip6tables;g' \ + -e 's;IPv4;IPv6;g' \ + -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \ + -e 's;^\(After=.*\)$;\1 iptables.service;' \ + < %{SOURCE3} > ip6tables.service +sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3} +install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir} +install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir} + +# install legacy actions for service command +install -d %{buildroot}/%{legacy_actions}/iptables +install -d %{buildroot}/%{legacy_actions}/ip6tables +install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/iptables/save +install -c -m 755 %{SOURCE7} %{buildroot}/%{legacy_actions}/iptables/panic +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy +install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save +install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic + +%if 0%{?rhel} +%pre +for p in %{_sysconfdir}/alternatives/iptables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + echo "Removing alternatives for ${p##*/} with path $ipt" + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" + fi +done +for p in %{_sysconfdir}/alternatives/ip6tables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + echo "Removing alternatives for ${p##*/} with path $ipt" + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" + # create dummy alternatives entry to fix iptables-ipv6 package removal + %{_sbindir}/alternatives --install /sbin/ip6tables.dummy "${p##*/}" "$ipt" 90 + fi +done + +%posttrans +# cleanup dummy alternatives to fix iptables-ipv6 package removal if still there +for p in %{_sysconfdir}/alternatives/ip6tables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" || : + fi +done +%endif + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post services +%systemd_post iptables.service ip6tables.service + +%preun services +%systemd_preun iptables.service ip6tables.service + +%postun services +/sbin/ldconfig +%systemd_postun iptables.service ip6tables.service + +%files +%doc COPYING INCOMPATIBILITIES +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables-config +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables-config +%{_sbindir}/iptables* +%{_sbindir}/ip6tables* +%{_sbindir}/xtables-multi +%{_bindir}/iptables-xml +%{_mandir}/man1/iptables-xml* +%{_mandir}/man8/iptables* +%{_mandir}/man8/ip6tables* +%dir %{_libdir}/xtables +%{_libdir}/xtables/libipt* +%{_libdir}/xtables/libip6t* +%{_libdir}/xtables/libxt* +%{_libdir}/libip*tc.so.* +%{_libdir}/libxtables.so.* + +%files devel +%dir %{_includedir}/iptables +%{_includedir}/iptables/*.h +%{_includedir}/*.h +%dir %{_includedir}/libiptc +%{_includedir}/libiptc/*.h +%dir %{_includedir}/libipulog +%{_includedir}/libipulog/*.h +%{_libdir}/libip*tc.so +%{_libdir}/libxtables.so +%{_libdir}/pkgconfig/libiptc.pc +%{_libdir}/pkgconfig/libip4tc.pc +%{_libdir}/pkgconfig/libip6tc.pc +%{_libdir}/pkgconfig/xtables.pc + +%files services +%dir %{script_path} +%attr(0755,root,root) %{script_path}/iptables.init +%attr(0755,root,root) %{script_path}/ip6tables.init +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables +%{_unitdir}/iptables.service +%{_unitdir}/ip6tables.service +%dir %{legacy_actions}/iptables +%{legacy_actions}/iptables/save +%{legacy_actions}/iptables/panic +%dir %{legacy_actions}/ip6tables +%{legacy_actions}/ip6tables/save +%{legacy_actions}/ip6tables/panic + +%files utils +%{_sbindir}/nfnl_osf +%dir %{_datadir}/xtables +%{_datadir}/xtables/pf.os + + +%changelog +* Tue Feb 13 2018 Phil Sutter - 1.4.21-18.3 +- Fix incorrect ip6tables.service unit syntax (RHBZ#1538549) + +* Mon Sep 18 2017 Phil Sutter - 1.4.21-18.2 +- Prevent iptables.service and ip6tables.service from running in parallel + (RHBZ#1491963) +- Don't restart services upon upgrade (RHBZ#1491961) + +* Mon Aug 14 2017 Thomas Woerner 1.4.21-18.1 +- Use wait option for restore calls to fix failing service starts + (RHBZ#1481207) + +* Mon Apr 24 2017 Thomas Woerner 1.4.21-18 +- Add support for --wait options to restore commands (RHBZ#1438597) +- Do not set changed flag for rule check operations with module targets + (RHBZ#1438597) +- Add version option to restore commands (RHBZ#1438597) + +* Fri Jul 1 2016 Thomas Woerner 1.4.21-17 +- Fixed init script not to fail on missing restorecon (RHBZ#1246380) +- Adapted man page snipplet for TRACE to use proper logging backend names + (RHBZ#1261238) +- Warn about use of DROP in nat table (RHBZ#1298879) +- Fixed modules unload in init script (RHBZ#1324102) + +* Fri Sep 18 2015 Thomas Woerner 1.4.21-16 +- Fix important coverity findings: missing include for flock and use bash for + init script (RHBZ#1264399) + +* Fri Sep 18 2015 Thomas Woerner 1.4.21-15 +- Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415) + +* Tue Jun 30 2015 Thomas Woerner 1.4.21-14 +- Add cgroup support (RHBZ#1058660) +- Add wait seonds support for commands (RHBZ#1156411) +- Add dhcpv6-client in default IPv6 firewall rules (RHBZ#1169036) +- Add message for init script error returns (RHBZ#1200415) +- Use flock for wait option (RHBZ#1202435) + +* Thu Mar 27 2014 Thomas Woerner 1.4.21-13 +- fixed further update issues from RHEL-6 to RHEL-7 (RHBZ#1043901) + +* Tue Mar 11 2014 Jiri Popelka - 1.4.21-12 +- Fixed iptables-save man page completely wrong (RHBZ#1054871) + +* Mon Mar 10 2014 Jiri Popelka - 1.4.21-11 +- Added missing "panic" action (RHBZ#1067670) + +* Mon Feb 24 2014 Jiri Popelka - 1.4.21-10 +- Fixed missing reload action for iptables service (RHBZ#1066007) + +* Fri Feb 21 2014 Thomas Woerner 1.4.21-9 +- fixed missing system hang at shutdown if root device is network based + (RHBZ#1007934) +- Fixed iptables-save man page completely wrong (RHBZ#1054871) +- Fixed missing reload action for iptables service (RHBZ#1066007) +- Fixed regressions from RHEL-6 iptables services (RHBZ#1067670) + +* Fri Jan 24 2014 Daniel Mach - 1.4.21-8 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-7 +- libnetfilter_conntrack is needed in version 1.0.4 for connlabel + See: RHBZ#1053702 + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- Enable connlabel support again, needs libnetfilter_conntrack + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901) + +* Tue Jan 14 2014 Jiri Popelka - 1.4.21-5 +- chmod /etc/sysconfig/ip[6]tables 755 -> 600 + +* Fri Jan 10 2014 Jiri Popelka - 1.4.21-4 +- drop virtual provide for xtables.so.9 +- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494) + +* Thu Jan 09 2014 Jiri Popelka - 1.4.21-3 +- no need to support the pre-systemd things +- use systemd macros (#850166) +- remove scriptlets for migrating to a systemd unit from a SysV initscripts +- ./configure -> %%configure +- spec clean up +- fix self-obsoletion + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-2 +- fixed system hang at shutdown if root device is network based (RHBZ#1007934) + Thanks to Rodrigo A B Freire for the patch + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-1 +- no connlabel.conf upstream anymore +- new version 1.4.21 + - doc: clarify DEBUG usage macro + - iptables: use autoconf to process .in man pages + - extensions: libipt_ULOG: man page should mention NFLOG as replacement + - extensions: libxt_connlabel: use libnetfilter_conntrack + - Introduce a new revision for the set match with the counters support + - libxt_CT: Add the "NOTRACK" alias + - libip6t_mh: Correct command to list named mh types in manpage + - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support + - extensions: libxt_LED: fix parsing of delay + - ip{6}tables-restore: fix breakage due to new locking approach + - libxt_recent: restore minimum value for --seconds + - iptables-xml: fix parameter parsing (similar to 2165f38) + - extensions: add copyright statements + - xtables: improve get_modprobe handling + - ip[6]tables: Add locking to prevent concurrent instances + - iptables: Fix connlabel.conf install location + - ip6tables: don't print out /128 + - libip6t_LOG: target output is different to libipt_LOG + - build: additional include path required after UAPI changes + - iptables: iptables-xml: Fix various parsing bugs + - libxt_recent: restore reap functionality to recent module + - build: fail in configure on missing dependency with --enable-bpf-compiler + - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter + - extensions: libxt_set, libxt_SET: check the set family too + - ip6tables: Use consistent exit code for EAGAIN + - iptables: libxt_hashlimit.man: correct address + - iptables: libxt_conntrack.man extraneous commas + - iptables: libip(6)t_REJECT.man default icmp types + - iptables: iptables-xm1.1 correct man section + - iptables: libxt_recent.{c,man} dead URL + - iptables: libxt_string.man add examples + - extensions: libxt_LOG: use generic syslog reference in manpage + - iptables: extensions/GNUMakefile.in use CPPFLAGS + - iptables: correctly reference generated file + - ip[6]tables: fix incorrect alignment in commands_v_options + - build: add software version to manpage first line at configure stage + - extensions: libxt_cluster: add note on arptables-jf + - utils: nfsynproxy: fix error while compiling the BPF filter + - extensions: add SYNPROXY extension + - utils: add nfsynproxy tool + - iptables: state match incompatibilty across versions + - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks + - iptables: improve chain name validation + - iptables: spurious error in load_extension + - xtables: trivial spelling fix + +* Fri Dec 27 2013 Daniel Mach - 1.4.19.1-2 +- Mass rebuild 2013-12-27 + +* Sun Dec 22 2013 Ville Skyttä - 1.4.19.1-2 +- Drop INSTALL from docs, escape macros in %%changelog. + +* Wed Jul 31 2013 Thomas Woerner 1.4.19.1-1 +- new version 1.4.19.1 + - libxt_NFQUEUE: fix bypass option documentation + - extensions: add connlabel match + - extensions: add connlabel match + - ip[6]tables: show --protocol instead of --proto in usage + - libxt_recent: Fix missing space in manpage for --mask option + - extensions: libxt_multiport: Update manpage to list valid protocols + - utils: nfnl_osf: use the right nfnetlink lib + - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency + - Revert "build: resolve link failure for ip6t_NETMAP" + - libxt_osf: fix missing --ttl and --log in save output + - libxt_osf: fix bad location for location in --genre + - libip6t_SNPT: add manpage + - libip6t_DNPT: add manpage + - utils: updates .gitignore to include nfbpf_compile + - extensions: libxt_bpf: clarify --bytecode argument + - libxtables: fix parsing of dotted network mask format + - build: bump version to 1.4.19 + - libxt_conntrack: fix state match alias state parsing + - extensions: add libxt_bpf extension + - utils: nfbpf_compile + - doc: mention SNAT in INPUT chain since kernel 2.6.36 +- fixed changelog date weekdays where needed + +* Mon Mar 4 2013 Thomas Woerner 1.4.18-1 +- new version 1.4.18 + - lots of documentation changes + - Introduce match/target aliases + - Add the "state" alias to the "conntrack" match + - iptables: remove unused leftover definitions + - libxtables: add xtables_rule_matches_free + - libxtables: add xtables_print_num + - extensions: libip6t_DNPT: fix wording in DNPT target + - extension: libip6t_DNAT: allow port DNAT without address + - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination + - extensions: S/DNPT: add missing save function +- changes of 1.4.17: + - libxt_time: add support to ignore day transition + - Convert the NAT targets to use the kernel supplied nf_nat.h header + - extensions: add IPv6 MASQUERADE extension + - extensions: add IPv6 SNAT extension + - extensions: add IPv6 DNAT target + - extensions: add IPv6 REDIRECT extension + - extensions: add IPv6 NETMAP extension + - extensions: add NPT extension + - extensions: libxt_statistic: Fix save output + +* Thu Feb 14 2013 Fedora Release Engineering - 1.4.16.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 16 2013 Ville Skyttä - 1.4.16.2-6 +- Own unowned -services libexec dirs (#894464, Michael Scherer). +- Fix -services unit file permissions (#732936, Michal Schmidt). + +* Thu Nov 8 2012 Thomas Woerner 1.4.16.2-5 +- fixed path of ip6tables.init in ip6tables.service + +* Fri Nov 2 2012 Thomas Woerner 1.4.16.2-4 +- fixed missing services for update of pre F-18 installations (rhbz#867960) + - provide and obsolete old main package in services sub package + - provide and obsolete old ipv6 sub package (pre F-17) in services sub package + +* Sun Oct 14 2012 Dan Horák 1.4.16.2-3 +- fix the compat provides for all 64-bit arches + +* Fri Oct 12 2012 Thomas Woerner 1.4.16.2-2 +- new sub package services providing the systemd services (RHBZ#862922) +- new sub package utils: provides nfnl_osf and the pf.os database +- using %%{_libexecdir}/iptables as script path for the original init scripts +- added service iptables save funcitonality using the new way provided by + initscripts 9.37.1 (RHBZ#748134) +- added virtual provide for libxtables.so.7 + +* Mon Oct 8 2012 Thomas Woerner 1.4.16.2-1 +- new version 1.4.16.2 + - build: support for automake-1.12 + - build: separate AC variable replacements from xtables.h + - build: have `make clean` remove dep files too + - doc: grammatical updates to libxt_SET + - doc: clean up interpunction in state list for xt_conntrack + - doc: deduplicate extension descriptions into a new manpage + - doc: trim "state" manpage and reference conntrack instead + - doc: have NOTRACK manpage point to CT instead + - doc: mention iptables-apply in the SEE ALSO sections + - extensions: libxt_addrtype: fix type in help message + - include: add missing linux/netfilter_ipv4/ip_queue.h + - iptables: fix wrong error messages + - iptables: support for match aliases + - iptables: support for target aliases + - iptables-restore: warn about -t in rule lines + - ip[6]tables-restore: cleanup to reduce one level of indentation + - libip6t_frag: match any frag id by default + - libxtables: consolidate preference logic + - libxt_devgroup: consolidate devgroup specification parsing + - libxt_devgroup: guard against negative numbers + - libxt_LED: guard against negative numbers + - libxt_NOTRACK: replace as an alias to CT --notrack + - libxt_state: replace as an alias to xt_conntrack + - libxt_tcp: print space before, not after "flags:" + - libxt_u32: do bounds checking for @'s operands + - libxt_*limit: avoid division by zero + - Merge branch 'master' of git://git.inai.de/iptables + - Merge remote-tracking branch 'nf/stable' + - New set match revision with --return-nomatch flag support +- dropped fixrestore patch, upstream + +* Wed Aug 1 2012 Thomas Woerner 1.4.15-1 +- new version 1.4.15 + - extensions: add HMARK target + - iptables-restore: fix parameter parsing (shows up with gcc-4.7) + - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7) + - libxtables: add xtables_ip[6]mask_to_cidr + - libxt_devgroup: add man page snippet + - libxt_hashlimit: add support for byte-based operation + - libxt_recent: add --mask netmask + - libxt_recent: remove unused variable + - libxt_HMARK: correct a number of errors introduced by Pablo's rework + - libxt_HMARK: fix ct case example + - libxt_HMARK: fix output of iptables -L + - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)" + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-3 +- added fixrestore patch submitted to upstream by fryasu (nfbz#774) + (RHBZ#825796) + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-2 +- disabled libipq, removed upstream, not provided by kernel anymore + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-1 +- new version 1.4.14 + - extensions: add IPv6 capable ECN match extension + - extensions: add nfacct match + - extensions: add rpfilter module + - extensions: libxt_rateest: output all options in save hook + - iptables: missing free() in function cache_add_entry() + - iptables: missing free() in function delete_entry() + - libiptc: fix retry path in TC_INIT + - libiptc: Returns the position the entry was inserted + - libipt_ULOG: fix --ulog-cprange + - libxt_CT: add --timeout option + - ip(6)tables-restore: make sure argv is NULL terminated + - Revert "libiptc: Returns the position the entry was inserted" + - src: mark newly opened fds as FD_CLOEXEC (close on exec) + - tests: add rateest match rules +- dropped patch5 (cloexec), merged upstream + +* Mon Apr 23 2012 Thomas Woerner 1.4.12.2-5 +- reenable iptables default services + +* Wed Feb 29 2012 Harald Hoyer 1.4.12.2-4 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Thu Feb 16 2012 Thomas Woerner 1.4.12.2-3 +- fixed auto enable check for Fedora > 16 and added rhel > 6 check + +* Wed Feb 15 2012 Thomas Woerner 1.4.12.2-2 +- disabled autostart and auto enable for iptables.service and ip6tables.service + for Fedora > 16 + +* Mon Jan 16 2012 Thomas Woerner 1.4.12.2-1 +- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc + - build: make check stage not fail when building statically + - build: restore build order of modules + - build: scan for unreferenced symbols + - build: sort file list before build + - doc: clarification on the meaning of -p 0 + - doc: document iptables-restore's -T option + - doc: fix undesired newline in ip6tables-restore(8) + - ip6tables-restore: implement missing -T option + - iptables: move kernel version find routing into libxtables + - libiptc: provide separate pkgconfig files + - libipt_SAME: set PROTO_RANDOM on all ranges + - libxtables: Fix file descriptor leak in xtables_lmap_init on error + - libxt_connbytes: fix handling of --connbytes FROM + - libxt_CONNSECMARK: fix spacing in output + - libxt_conntrack: improve error message on parsing violation + - libxt_NFQUEUE: fix --queue-bypass ipt-save output + - libxt_RATEEST: link with -lm + - libxt_statistic: link with -lm + - Merge branch 'stable' + - Merge branch 'stable' of git://dev.medozas.de/iptables + - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process + - xtoptions: fill in fallback value for nvals + - xtoptions: simplify xtables_parse_interface + +* Fri Jan 13 2012 Fedora Release Engineering - 1.4.12.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 12 2011 Thomas Woerner 1.4.12.1-1 +- new version 1.4.12.1 with new pkgconfig/libipq.pc + - build: abort autogen on subcommand failure + - build: strengthen check for overlong lladdr components + - build: workaround broken linux-headers on RHEL-5 + - doc: clarify libxt_connlimit defaults + - doc: fix typo in libxt_TRACE + - extensions: use multi-target registration + - libip6t_dst: restore setting IP6T_OPTS_LEN flag + - libip6t_frag: restore inversion support + - libip6t_hbh: restore setting IP6T_OPTS_LEN flag + - libipq: add pkgconfig file + - libipt_ttl: document that negation is available + - libxt_conntrack: fix --ctproto 0 output + - libxt_conntrack: remove one misleading comment + - libxt_dccp: fix deprecated intrapositional ordering of ! + - libxt_dccp: fix random output of ! on --dccp-option + - libxt_dccp: provide man pages options in short help too + - libxt_dccp: restore missing XTOPT_INVERT tags for options + - libxt_dccp: spell out option name on save + - libxt_dscp: restore inversion support + - libxt_hashlimit: default htable-expire must be in milliseconds + - libxt_hashlimit: observe new default gc-expire time when saving + - libxt_hashlimit: remove inversion from hashlimit rev 0 + - libxt_owner: restore inversion support + - libxt_physdev: restore inversion support + - libxt_policy: remove superfluous inversion + - libxt_set: put differing variable names in directly + - libxt_set: update man page about kernel support on the feature + - libxt_string: define _GNU_SOURCE for strnlen + - libxt_string: escape the escaping char too + - libxt_string: fix space around arguments + - libxt_string: replace hex codes by char equivalents + - libxt_string: simplify hex output routine + - libxt_tcp: always print the mask parts + - libxt_TCPMSS: restore build with IPv6-less libcs + - libxt_TOS: update linux kernel version list for backported fix + - libxt_u32: fix missing allowance for inversion + - src: remove unused IPTABLES_MULTI define + - tests: add negation tests for libxt_statistic + - xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT +- removed include/linux/types.h before build to be able to compile + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-2 +- dropped temporary provide again + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-1.1 +- added temporary provides for libxtables.so.6 to be able to rebuild iproute, + which is part of the standard build environment + +* Mon Jul 25 2011 Thomas Woerner 1.4.12-1 +- new version 1.4.12 with support of all new features of kernel 3.0 + - build: attempt to fix building under Linux 2.4 + - build: bump soversion for recent data structure change + - build: install modules in arch-dependent location + - doc: fix group range in libxt_NFLOG's man + - doc: fix version string in ip6tables.8 + - doc: include matches/targets in manpage again + - doc: mention multiple verbosity flags + - doc: the -m option cannot be inverted + - extensions: support for per-extension instance global variable space + - iptables-apply: select default rule file depending on call name + - iptables: consolidate target/match init call + - iptables: Coverity: DEADCODE + - iptables: Coverity: NEGATIVE_RETURNS + - iptables: Coverity: RESOURCE_LEAK + - iptables: Coverity: REVERSE_INULL + - iptables: Coverity: VARARGS + - iptables: restore negation for -f + - libip6t_HL: fix option names from ttl -> hl + - libipt_LOG: fix ignoring all but last flags + - libxtables: ignore whitespace in the multiaddress argument parser + - libxtables: properly reject empty hostnames + - libxtables: set clone's initial data to NULL + - libxt_conntrack: move more data into the xt_option_entry + - libxt_conntrack: restore network-byte order for v1,v2 + - libxt_hashlimit: use a more obvious expiry value by default + - libxt_rateest: abolish global variables + - libxt_RATEEST: abolish global variables + - libxt_RATEEST: fix userspacesize field + - libxt_RATEEST: use guided option parser + - libxt_state: fix regression about inversion of main option + - option: remove last traces of intrapositional negation +- complete changelog: + http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt + +* Thu Jul 21 2011 Thomas Woerner 1.4.11.1-4 +- merged ipv6 sub package into main package +- renamed init scripts to /usr/libexec/ip*tables.init + +* Fri Jul 15 2011 Thomas Woerner 1.4.11.1-3 +- added support for native systemd file (rhbz#694738) + - new iptables.service file + - additional requires + - moved sysv init scripts to /usr/libexec + - added new post, preun and postun scripts and triggers + +* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-2 +- dropped temporary provide again +- enabled smp build + +* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-1.1 +- added temporary provides for libxtables.so.5 to be able to rebuild iproute, + which is part of the standard build environment + +* Mon Jul 11 2011 Thomas Woerner 1.4.11.1-1 +- new version 1.4.11.1, bug and doc fix release for 1.4.11 + +* Tue Jun 7 2011 Thomas Woerner 1.4.11-1 +- new version 1.4.11 with all new features of 2.6.37-39 (not usable) + - lots of changes and bugfixes for base and extensions + - complete changelog: + http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.txt + +* Wed Feb 09 2011 Fedora Release Engineering - 1.4.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 10 2011 Thomas Woerner 1.4.10-1 +- new version 1.4.10 with all new features of 2.6.36 + - all: consistent syntax use in struct option + - build: fix static linking + - doc: let man(1) autoalign the text in xt_cpu + - doc: remove extra empty line from xt_cpu + - doc: minimal spelling updates to xt_cpu + - doc: consistent use of markup + - extensions: libxt_quota: don't ignore the quota value on deletion + - extensions: REDIRECT: add random help + - extensions: add xt_cpu match + - extensions: add idletimer xt target extension + - extensions: libxt_IDLETIMER: use xtables_param_act when checking options + - extensions: libxt_CHECKSUM extension + - extensions: libipt_LOG/libip6t_LOG: support macdecode option + - extensions: fix compilation of the new CHECKSUM target + - extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs + - iptables-xml: resolve compiler warnings + - iptables: limit chain name length to be consistent with targets + - libiptc: add Libs.private to pkgconfig files + - libiptc: build with -Wl,--no-as-needed + - xtables: remove unnecessary cast +- dropped xt_CHECKSUM, added upstream + +* Tue Oct 12 2010 Thomas Woerner 1.4.9-2 +- added xt_CHECKSUM patch from Michael S. Tsirkin (rhbz#612587) + +* Wed Aug 4 2010 Thomas Woerner 1.4.9-1 +- new version 1.4.9 with all new features of 2.6.35 + - doc: xt_hashlimit: fix a typo + - doc: xt_LED: nroff formatting requirements + - doc: xt_string: correct copy-and-pasting in manpage + - extensions: add the LED target + - extensions: libxt_quota.c: Support option negation + - extensions: libxt_rateest: fix bps options for iptables-save + - extensions: libxt_rateest: fix typo in the man page + - extensions: REDIRECT: add random help + - includes: sync header files from Linux 2.6.35-rc1 + - libxt_conntrack: do print netmask + - libxt_hashlimit: always print burst value + - libxt_set: new revision added + - utils: add missing include flags to Makefile + - xtables: another try at chain name length checking + - xtables: remove xtables_set_revision function + - xt_quota: also document negation + - xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension + - xt_sctp: support FORWARD_TSN chunk type + +* Fri Jul 2 2010 Thomas Woerner 1.4.8-1 +- new version 1.4.8 all new features of 2.6.34 (rhbz#) + - extensions: REDIRECT: fix --to-ports parser + - iptables: add noreturn attribute to exit_tryhelp() + - extensions: MASQUERADE: fix --to-ports parser + - libxt_comment: avoid use of IPv4-specific examples + - libxt_CT: add a manpage + - iptables: correctly check for too-long chain/target/match names + - doc: libxt_MARK: no longer restricted to mangle table + - doc: remove claim that TCPMSS is limited to mangle + - libxt_recent: add a missing space in output + - doc: add manpage for libxt_osf + - libxt_osf: import nfnl_osf program + - extensions: add support for xt_TEE + - CT: fix --ctevents parsing + - extensions: add CT extension + - libxt_CT: print conntrack zone in ->print/->save + - xtables: fix compilation when debugging is enabled + - libxt_conntrack: document --ctstate UNTRACKED + - iprange: fix xt_iprange v0 parsing + +* Wed Mar 24 2010 Thomas Woerner 1.4.7-2 +- added default values for IPTABLES_STATUS_VERBOSE and + IPTABLES_STATUS_LINENUMBERS in init script +- added missing lsb keywords Required-Start and Required-Stop to init script + +* Fri Mar 5 2010 Thomas Woerner 1.4.7-1 +- new version 1.4.7 with support for all new features of 2.6.33 (rhbz#570767) + - libip4tc: Add static qualifier to dump_entry() + - libipq: build as shared library + - recent: reorder cases in code (cosmetic cleanup) + - several man page and documentation fixes + - policy: fix error message showing wrong option + - includes: header updates + - Lift restrictions on interface names +- fixed license and moved iptables-xml into base package according to review + +* Wed Jan 27 2010 Thomas Woerner 1.4.6-2 +- moved libip*tc and libxtables libs to /lib[64], added symlinks for .so libs + to /usr/lib[64] for compatibility (rhbz#558796) + +* Wed Jan 13 2010 Thomas Woerner 1.4.6-1 +- new version 1.4.6 with support for all new features of 2.6.32 + - several man page fixes + - Support for nommu arches + - realm: remove static initializations + - libiptc: remove unused functions + - libiptc: avoid strict-aliasing warnings + - iprange: do accept non-ranges for xt_iprange v1 + - iprange: warn on reverse range + - iprange: roll address parsing into a loop + - iprange: do accept non-ranges for xt_iprange v1 (log) + - iprange: warn on reverse range (log) + - libiptc: fix wrong maptype of base chain counters on restore + - iptables: fix undersized deletion mask creation + - style: reduce indent in xtables_check_inverse + - libxtables: hand argv to xtables_check_inverse + - iptables/extensions: make bundled options work again + - CONNMARK: print mark rules with mask 0xffffffff as set instead of xset + - iptables: take masks into consideration for replace command + - doc: explain experienced --hitcount limit + - doc: name resolution clarification + - iptables: expose option to zero packet/byte counters for a specific rule + - build: restore --disable-ipv6 functionality on system w/o v6 headers + - MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark + - DNAT: fix incorrect check during parsing + - extensions: add osf extension + - conntrack: fix --expires parsing + +* Thu Dec 17 2009 Thomas Woerner 1.4.5-2 +- dropped nf_ext_init remains from cloexec patch + +* Thu Sep 17 2009 Thomas Woerner 1.4.5-1 +- new version 1.4.5 with support for all new features of 2.6.31 + - libxt_NFQUEUE: add new v1 version with queue-balance option + - xt_conntrack: revision 2 for enlarged state_mask member + - libxt_helper: fix invalid passed option to check_inverse + - libiptc: split v4 and v6 + - extensions: collapse registration structures + - iptables: allow for parse-less extensions + - iptables: allow for help-less extensions + - extensions: remove empty help and parse functions + - xtables: add multi-registration functions + - extensions: collapse data variables to use multi-reg calls + - xtables: warn of missing version identifier in extensions + - multi binary: allow subcommand via argv[1] + - iptables: accept multiple IP address specifications for -s, -d + - several build fixes + - several man page fixes +- fixed two leaked file descriptors on sockets (rhbz#521397) + +* Mon Aug 24 2009 Thomas Woerner 1.4.4-1 +- new version 1.4.4 with support for all new features of 2.6.30 + - several man page fixes + - iptables: replace open-coded sizeof by ARRAY_SIZE + - libip6t_policy: remove redundant functions + - policy: use direct xt_policy_info instead of ipt/ip6t + - policy: merge ipv6 and ipv4 variant + - extensions: add `cluster' match support + - extensions: add const qualifiers in print/save functions + - extensions: use NFPROTO_UNSPEC for .family field + - extensions: remove redundant casts + - iptables: close open file descriptors + - fix segfault if incorrect protocol name is used + - replace open-coded sizeof by ARRAY_SIZE + - do not include v4-only modules in ip6tables manpage + - use direct xt_policy_info instead of ipt/ip6t + - xtables: fix segfault if incorrect protocol name is used + - libxt_connlimit: initialize v6_mask + - SNAT/DNAT: add support for persistent multi-range NAT mappings + +* Fri Jul 24 2009 Fedora Release Engineering - 1.4.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Apr 15 2009 Thomas Woerner 1.4.3.2-1 +- new version 1.4.3.2 +- also install iptables/internal.h, needed for iptables.h and ip6tables.h + +* Mon Mar 30 2009 Thomas Woerner 1.4.3.1-1 +- new version 1.4.3.1 + - libiptc is now shared + - supports all new features of the 2.6.29 kernel +- dropped typo_latter patch + +* Thu Mar 5 2009 Thomas Woerner 1.4.2-3 +- still more review fixes (rhbz#225906) + - consistent macro usage + - use sed instead of perl for rpath removal + - use standard RPM CFLAGS, but also -fno-strict-aliasing (needed for libiptc*) + +* Wed Feb 25 2009 Fedora Release Engineering - 1.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Feb 20 2009 Thomas Woerner 1.4.2-1 +- new version 1.4.2 +- removed TOS value mask patch (upstream) +- more review fixes (rhbz#225906) +- install all header files (rhbz#462207) +- dropped nf_ext_init (rhbz#472548) + +* Tue Jul 22 2008 Thomas Woerner 1.4.1.1-2 +- fixed TOS value mask problem (rhbz#456244) (upstream patch) +- two more cloexec fixes + +* Tue Jul 1 2008 Thomas Woerner 1.4.1.1-1 +- upstream bug fix release 1.4.1.1 +- dropped extra patch for 1.4.1 - not needed anymore + +* Tue Jun 10 2008 Thomas Woerner 1.4.1-1 +- new version 1.4.1 with new build environment +- additional ipv6 network mask patch from Jan Engelhardt +- spec file cleanup +- removed old patches + +* Fri Jun 6 2008 Tom "spot" Callaway 1.4.0-5 +- use normal kernel headers, not linux/compiler.h +- change BuildRequires: kernel-devel to kernel-headers +- We need to do this to be able to build for both sparcv9 and sparc64 + (there is no kernel-devel.sparcv9) + +* Thu Mar 20 2008 Thomas Woerner 1.4.0-4 +- use O_CLOEXEC for all opened files in all applications (rhbz#438189) + +* Mon Mar 3 2008 Thomas Woerner 1.4.0-3 +- use the kernel headers from the build tree for iptables for now to be able to + compile this package, but this makes the package more kernel dependant +- use s6_addr32 instead of in6_u.u6_addr32 + +* Wed Feb 20 2008 Fedora Release Engineering - 1.4.0-2 +- Autorebuild for GCC 4.3 + +* Mon Feb 11 2008 Thomas Woerner 1.4.0-1 +- new version 1.4.0 +- fixed condrestart (rhbz#428148) +- report the module in rmmod_r if there is an error +- use nf_ext_init instead of my_init for extension constructors + +* Mon Nov 5 2007 Thomas Woerner 1.3.8-6 +- fixed leaked file descriptor before fork/exec (rhbz#312191) +- blacklisting is not working, use "install X /bin/(true|false)" test instead +- return private exit code 150 for disabled ipv6 support +- use script name for output messages + +* Tue Oct 16 2007 Thomas Woerner 1.3.8-5 +- fixed error code for stopping a already stopped firewall (rhbz#321751) +- moved blacklist test into start + +* Wed Sep 26 2007 Thomas Woerner 1.3.8-4.1 +- do not start ip6tables if ipv6 is blacklisted (rhbz#236888) +- use simpler fix for (rhbz#295611) + Thanks to Linus Torvalds for the patch. + +* Mon Sep 24 2007 Thomas Woerner 1.3.8-4 +- fixed IPv6 reject type (rhbz#295181) +- fixed init script: start, stop and status +- support netfilter compiled into kernel in init script (rhbz#295611) +- dropped inversion for limit modules from man pages (rhbz#220780) +- fixed typo in ip6tables man page (rhbz#236185) + +* Wed Sep 19 2007 Thomas Woerner 1.3.8-3 +- do not depend on local_fs in lsb header - this delayes start after network +- fixed exit code for initscript usage + +* Mon Sep 17 2007 Thomas Woerner 1.3.8-2.1 +- do not use lock file for condrestart test + +* Thu Aug 23 2007 Thomas Woerner 1.3.8-2 +- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459) +- provide iptc interface again, but unsupported (rhbz#216733) +- compile all extension, which are supported by the kernel-headers package +- review fixes (rhbz#225906) + +* Tue Jul 31 2007 Thomas Woerner +- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888) + +* Fri Jul 13 2007 Steve Conklin - 1.3.8-1 +- New version 1.3.8 + +* Mon Apr 23 2007 Jeremy Katz - 1.3.7-2 +- fix error when ipv6 support isn't loaded in the kernel (#236888) + +* Wed Jan 10 2007 Thomas Woerner 1.3.7-1.1 +- fixed installation of secmark modules + +* Tue Jan 9 2007 Thomas Woerner 1.3.7-1 +- new verison 1.3.7 +- iptc is not a public interface and therefore not installed anymore +- dropped upstream secmark patch + +* Tue Sep 19 2006 Thomas Woerner 1.3.5-2 +- added secmark iptables patches (#201573) + +* Wed Jul 12 2006 Jesse Keating - 1.3.5-1.2.1 +- rebuild + +* Fri Feb 10 2006 Jesse Keating - 1.3.5-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.3.5-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Feb 2 2006 Thomas Woerner 1.3.5-1 +- new version 1.3.5 +- fixed init script to set policy for raw tables, too (#179094) + +* Tue Jan 24 2006 Thomas Woerner 1.3.4-3 +- added important iptables header files to devel package + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Nov 25 2005 Thomas Woerner 1.3.4-2 +- fix for plugin problem: link with "gcc -shared" instead of "ld -shared" and + replace "_init" with "__attribute((constructor)) my_init" + +* Fri Nov 25 2005 Thomas Woerner 1.3.4-1.1 +- rebuild due to unresolved symbols in shared libraries + +* Fri Nov 18 2005 Thomas Woerner 1.3.4-1 +- new version 1.3.4 +- dropped free_opts patch (upstream fixed) +- made libipq PIC (#158623) +- additional configuration options for iptables startup script (#172929) + Thanks to Jan Gruenwald for the patch +- spec file cleanup (dropped linux_header define and usage) + +* Mon Jul 18 2005 Thomas Woerner 1.3.2-1 +- new version 1.3.2 with additional patch for the misplaced free_opts call + from Marcus Sundberg + +* Wed May 11 2005 Thomas Woerner 1.3.1-1 +- new version 1.3.1 + +* Fri Mar 18 2005 Thomas Woerner 1.3.0-2 +- Remove unnecessary explicit kernel dep (#146142) +- Fixed out of bounds accesses (#131848): Thanks to Steve Grubb + for the patch +- Adapted iptables-config to reference to modprobe.conf (#150143) +- Remove misleading message (#140154): Thanks to Ulrich Drepper + for the patch + +* Mon Feb 21 2005 Thomas Woerner 1.3.0-1 +- new version 1.3.0 + +* Thu Nov 11 2004 Thomas Woerner 1.2.11-3.2 +- fixed autoload problem in iptables and ip6tables (CAN-2004-0986) + +* Fri Sep 17 2004 Thomas Woerner 1.2.11-3.1 +- changed default behaviour for IPTABLES_STATUS_NUMERIC to "yes" (#129731) +- modified config file to match this change and un-commented variables with + default values + +* Thu Sep 16 2004 Thomas Woerner 1.2.11-3 +- applied second part of cleanup patch from (#131848): thanks to Steve Grubb + for the patch + +* Wed Aug 25 2004 Thomas Woerner 1.2.11-2 +- fixed free bug in iptables (#128322) + +* Tue Jun 22 2004 Thomas Woerner 1.2.11-1 +- new version 1.2.11 + +* Thu Jun 17 2004 Thomas Woerner 1.2.10-1 +- new version 1.2.10 + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Thu Feb 26 2004 Thomas Woerner 1.2.9-2.3 +- fixed iptables-restore -c fault if there are no counters (#116421) + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Sun Jan 25 2004 Dan Walsh 1.2.9-1.2 +- Close File descriptors to prevent SELinux error message + +* Wed Jan 7 2004 Thomas Woerner 1.2.9-1.1 +- rebuild + +* Wed Dec 17 2003 Thomas Woerner 1.2.9-1 +- vew version 1.2.9 +- new config options in ipXtables-config: + IPTABLES_MODULES_UNLOAD +- more documentation in ipXtables-config +- fix for netlink security issue in libipq (devel package) +- print fix for libipt_icmp (#109546) + +* Thu Oct 23 2003 Thomas Woerner 1.2.8-13 +- marked all messages in iptables init script for translation (#107462) +- enabled devel package (#105884, #106101) +- bumped build for fedora for libipt_recent.so (#106002) + +* Tue Sep 23 2003 Thomas Woerner 1.2.8-12.1 +- fixed lost udp port range in ip6tables-save (#104484) +- fixed non numeric multiport port output in ipXtables-savs + +* Mon Sep 22 2003 Florian La Roche 1.2.8-11 +- do not link against -lnsl + +* Wed Sep 17 2003 Thomas Woerner 1.2.8-10 +- made variables in rmmod_r local + +* Tue Jul 22 2003 Thomas Woerner 1.2.8-9 +- fixed permission for init script + +* Sat Jul 19 2003 Thomas Woerner 1.2.8-8 +- fixed save when iptables file is missing and iptables-config permissions + +* Tue Jul 8 2003 Thomas Woerner 1.2.8-7 +- fixes for ip6tables: module unloading, setting policy only for existing + tables + +* Thu Jul 3 2003 Thomas Woerner 1.2.8-6 +- IPTABLES_SAVE_COUNTER defaults to no, now +- install config file in /etc/sysconfig +- exchange unload of ip_tables and ip_conntrack +- fixed start function + +* Wed Jul 2 2003 Thomas Woerner 1.2.8-5 +- new config option IPTABLES_SAVE_ON_RESTART +- init script: new status, save and restart +- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374 + +* Mon Jun 30 2003 Thomas Woerner 1.2.8-4 +- new config option IPTABLES_STATUS_NUMERIC +- cleared IPTABLES_MODULES in iptables-config + +* Mon Jun 30 2003 Thomas Woerner 1.2.8-3 +- new init scripts + +* Sat Jun 28 2003 Florian La Roche +- remove check for very old kernel versions in init scripts +- sync up both init scripts and remove some further ugly things +- add some docu into rpm + +* Thu Jun 26 2003 Thomas Woerner 1.2.8-2 +- rebuild + +* Mon Jun 16 2003 Thomas Woerner 1.2.8-1 +- update to 1.2.8 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Mon Jan 13 2003 Bill Nottingham 1.2.7a-1 +- update to 1.2.7a +- add a plethora of bugfixes courtesy Michael Schwendt + +* Fri Dec 13 2002 Elliot Lee 1.2.6a-3 +- Fix multilib + +* Wed Aug 07 2002 Karsten Hopp +- fixed iptables and ip6tables initscript output, based on #70511 +- check return status of all iptables calls, not just the last one + in a 'for' loop. + +* Mon Jul 29 2002 Bernhard Rosenkraenzer 1.2.6a-1 +- 1.2.6a (bugfix release, #69747) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Mon Mar 4 2002 Bernhard Rosenkraenzer 1.2.5-3 +- Add some fixes from CVS, fixing bug #60465 + +* Tue Feb 12 2002 Bernhard Rosenkraenzer 1.2.5-2 +- Merge ip6tables improvements from Ian Prowell + #59402 +- Update URL (#59354) +- Use /sbin/chkconfig rather than chkconfig in %%postun script + +* Fri Jan 11 2002 Bernhard Rosenkraenzer 1.2.5-1 +- 1.2.5 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Mon Nov 5 2001 Bernhard Rosenkraenzer 1.2.4-2 +- Fix %%preun script + +* Tue Oct 30 2001 Bernhard Rosenkraenzer 1.2.4-1 +- Update to 1.2.4 (various fixes, including security fixes; among others: + #42990, #50500, #53325, #54280) +- Fix init script (#31133) + +* Mon Sep 3 2001 Bernhard Rosenkraenzer 1.2.3-1 +- 1.2.3 (5 security fixes, some other fixes) +- Fix updating (#53032) + +* Mon Aug 27 2001 Bernhard Rosenkraenzer 1.2.2-4 +- Fix #50990 +- Add some fixes from current CVS; should fix #52620 + +* Mon Jul 16 2001 Bernhard Rosenkraenzer 1.2.2-3 +- Add some fixes from the current CVS tree; fixes #49154 and some IPv6 + issues + +* Tue Jun 26 2001 Bernhard Rosenkraenzer 1.2.2-2 +- Fix iptables-save reject-with (#45632), Patch from Michael Schwendt + + +* Tue May 8 2001 Bernhard Rosenkraenzer 1.2.2-1 +- 1.2.2 + +* Wed Mar 21 2001 Bernhard Rosenkraenzer +- 1.2.1a, fixes #28412, #31136, #31460, #31133 + +* Thu Mar 1 2001 Bernhard Rosenkraenzer +- Yet another initscript fix (#30173) +- Fix the fixes; they fixed some issues but broke more important + stuff :/ (#30176) + +* Tue Feb 27 2001 Bernhard Rosenkraenzer +- Fix up initscript (#27962) +- Add fixes from CVS to iptables-{restore,save}, fixing #28412 + +* Fri Feb 09 2001 Karsten Hopp +- create /etc/sysconfig/iptables mode 600 (same problem as #24245) + +* Mon Feb 05 2001 Karsten Hopp +- fix bugzilla #25986 (initscript not marked as config file) +- fix bugzilla #25962 (iptables-restore) +- mv chkconfig --del from postun to preun + +* Thu Feb 1 2001 Trond Eivind Glomsrød +- Fix check for ipchains + +* Mon Jan 29 2001 Bernhard Rosenkraenzer +- Some fixes to init scripts + +* Wed Jan 24 2001 Bernhard Rosenkraenzer +- Add some fixes from CVS, fixes among other things Bug #24732 + +* Wed Jan 17 2001 Bernhard Rosenkraenzer +- Add missing man pages, fix up init script (Bug #17676) + +* Mon Jan 15 2001 Bill Nottingham +- add init script + +* Mon Jan 15 2001 Bernhard Rosenkraenzer +- 1.2 +- fix up ipv6 split +- add init script +- Move the plugins from /usr/lib/iptables to /lib/iptables. + This needs to work before /usr is mounted... +- Use -O1 on alpha (compiler bug) + +* Sat Jan 6 2001 Bernhard Rosenkraenzer +- 1.1.2 +- Add IPv6 support (in separate package) + +* Thu Aug 17 2000 Bill Nottingham +- build everywhere + +* Tue Jul 25 2000 Bernhard Rosenkraenzer +- 1.1.1 + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Tue Jun 27 2000 Preston Brown +- move iptables to /sbin. +- excludearch alpha for now, not building there because of compiler bug(?) + +* Fri Jun 9 2000 Bill Nottingham +- don't obsolete ipchains either +- update to 1.1.0 + +* Sun Jun 4 2000 Bill Nottingham +- remove explicit kernel requirement + +* Tue May 2 2000 Bernhard Rosenkränzer +- initial package