From f211ba89004aaba746abcd9bdeac80d34fbf2ce8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 14 2018 13:01:19 +0000
Subject: import iptables-1.4.21-24.1.el7_5
---
diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init
index b1c991b..0ca8453 100755
--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@@ -71,6 +71,17 @@ NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
 # Get active tables
 NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) 
+# Prepare commands for wait options 
+IPTABLES_CMD="$IPTABLES" 
+IPTABLES_RESTORE_CMD="$IPTABLES-restore" 
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then 
+ OPT="--wait ${IPTABLES_RESTORE_WAIT}" 
+ if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then 
+ OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" 
+ fi 
+ IPTABLES_CMD+=" $OPT" 
+ IPTABLES_RESTORE_CMD+=" $OPT" 
+fi
 rmmod_r() {
 # Unload module with all referring modules.
@@ -105,6 +116,8 @@ rmmod_r() {
 }
 flush_n_delete() { 
+ local ret=0 
+
 # Flush firewall rules and delete chains.
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
@@ -112,19 +125,18 @@ flush_n_delete() {
 [ -z "$NF_TABLES" ] && return 1
 echo -n $"${IPTABLES}: Flushing firewall rules: " 
- ret=0
 # For all tables
 for i in $NF_TABLES; do
 # Flush firewall rules. 
- $IPTABLES -t $i -F; 
+ $IPTABLES_CMD -t $i -F;
 let ret+=$?;
 # Delete firewall chains. 
- $IPTABLES -t $i -X; 
+ $IPTABLES_CMD -t $i -X;
 let ret+=$?;
 # Set counter to zero. 
- $IPTABLES -t $i -Z; 
+ $IPTABLES_CMD -t $i -Z;
 let ret+=$?;
 done
@@ -134,6 +146,8 @@ flush_n_delete() {
 }
 set_policy() { 
+ local ret=0 
+
 # Set policy for configured tables.
 policy=$1 
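Review bot: The wait checks now run at top level on every invocation, but `$IPTABLES_RESTORE_WAIT` and `$IPTABLES_RESTORE_WAIT_INTERVAL` are still expanded unquoted inside `[ … -ne 0 ]` and `[ … -lt 1000000 ]`, so if the sysconfig file leaves either one unset, `[` reports a unary-operator error and the wait options are silently dropped — previously only in start()/reload(), now for every action. Defaulting at the point of use keeps today's behaviour for a populated config: `if [ "${IPTABLES_RESTORE_WAIT:-0}" -ne 0 ]; then` and `if [ "${IPTABLES_RESTORE_WAIT_INTERVAL:-1000000}" -lt 1000000 ]; then`. Both commands are built as whitespace-separated strings that every call site expands unquoted, which only works while `$IPTABLES` and the two values contain no whitespace; a one-line comment stating that assumption on the `IPTABLES_CMD=` line would spare the next reader a surprise.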
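Review bot: In the `@@ -134,6 +146,8 @@` hunk `ret` becomes `local`, but `policy=$1` two lines below stays a script-wide global, so set_policy still writes outside its own scope; `local policy=$1` would make the function fully self-contained and consistent with the fix. set_policy's body continues outside the hunk.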
@@ -145,33 +159,32 @@ set_policy() {
 [ -z "$tables" ] && return 1
 echo -n $"${IPTABLES}: Setting chains to policy $policy: " 
- ret=0
 for i in $tables; do
 echo -n "$i "
 case "$i" in
 raw) 
- $IPTABLES -t raw -P PREROUTING $policy \ 
- && $IPTABLES -t raw -P OUTPUT $policy \ 
+ $IPTABLES_CMD -t raw -P PREROUTING $policy \ 
+ && $IPTABLES_CMD -t raw -P OUTPUT $policy \
 || let ret+=1
 ;;
 filter) 
- $IPTABLES -t filter -P INPUT $policy \ 
- && $IPTABLES -t filter -P OUTPUT $policy \ 
- && $IPTABLES -t filter -P FORWARD $policy \ 
+ $IPTABLES_CMD -t filter -P INPUT $policy \ 
+ && $IPTABLES_CMD -t filter -P OUTPUT $policy \ 
+ && $IPTABLES_CMD -t filter -P FORWARD $policy \
 || let ret+=1
 ;;
 nat) 
- $IPTABLES -t nat -P PREROUTING $policy \ 
- && $IPTABLES -t nat -P POSTROUTING $policy \ 
- && $IPTABLES -t nat -P OUTPUT $policy \ 
+ $IPTABLES_CMD -t nat -P PREROUTING $policy \ 
+ && $IPTABLES_CMD -t nat -P POSTROUTING $policy \ 
+ && $IPTABLES_CMD -t nat -P OUTPUT $policy \
 || let ret+=1
 ;;
 mangle) 
- $IPTABLES -t mangle -P PREROUTING $policy \ 
- && $IPTABLES -t mangle -P POSTROUTING $policy \ 
- && $IPTABLES -t mangle -P INPUT $policy \ 
- && $IPTABLES -t mangle -P OUTPUT $policy \ 
- && $IPTABLES -t mangle -P FORWARD $policy \ 
+ $IPTABLES_CMD -t mangle -P PREROUTING $policy \ 
+ && $IPTABLES_CMD -t mangle -P POSTROUTING $policy \ 
+ && $IPTABLES_CMD -t mangle -P INPUT $policy \ 
+ && $IPTABLES_CMD -t mangle -P OUTPUT $policy \ 
+ && $IPTABLES_CMD -t mangle -P FORWARD $policy \
 || let ret+=1
 ;;
 *)
@@ -186,10 +199,11 @@ set_policy() {
 }
 load_sysctl() { 
+ local ret=0 
+
 # load matched sysctl values
 if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
 echo -n $"Loading sysctl settings: " 
- ret=0
 for item in $IPTABLES_SYSCTL_LOAD_LIST; do
 fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
 let ret+=$?;
@@ -201,6 +215,8 @@ load_sysctl() {
 }
 start() { 
+ local ret=0 
+
 # Do not start if there is no config file.
 if [ ! -f "$IPTABLES_DATA" ]; then
 echo -n $"${IPTABLES}: No config file."; warning; echo 
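Review bot: Each arm still chains the per-chain `-P` calls with `&&`, so the first chain that fails (for example on a `--wait` timeout now that `IPTABLES_CMD` carries the lock wait) skips the remaining chains of that table, which keep their previous policy while `ret` records a single failure. For `set_policy ACCEPT` in stop() that matters: on the DROP-by-default, network-root hosts the stop() comment describes, a half-applied policy followed by the flush can leave the host unreachable. Running each chain independently counts every failure and applies as much as possible, e.g. for the raw arm `$IPTABLES_CMD -t raw -P PREROUTING $policy || let ret+=1` and `$IPTABLES_CMD -t raw -P OUTPUT $policy || let ret+=1`, and likewise for the filter, nat and mangle arms. The `*)` arm and the end of the loop are outside the hunk.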
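Review bot: In the load_sysctl hunk `ret` is now local, but the only value folded into it is `$?` of `fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null`, i.e. sysctl's status alone; with `-s` a key that matches no file is silent and counts as success, and `$item` is word-split and glob-expanded before fgrep sees it. If skipping unmatched keys is intended, a comment on the `let` line saying so would help (`# fgrep misses are deliberately ignored; only sysctl failures count`); otherwise `let ret+=${PIPESTATUS[0]}+${PIPESTATUS[1]}` would record both stages. load_sysctl's loop ends outside the hunk.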
@@ -218,21 +234,15 @@ start() {
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" 
- if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then 
- OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" 
- if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then 
- OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" 
- fi 
- fi 
- $IPTABLES-restore $OPT $IPTABLES_DATA 
+ $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
 if [ $? -eq 0 ]; then
 success; echo
 else
 failure; echo;
 if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
 echo -n $"${IPTABLES}: Applying firewall fallback rules: " 
- $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA 
+ $IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA
 if [ $? -eq 0 ]; then
 success; echo
 else
@@ -246,7 +256,6 @@ start() {
 # Load additional modules (helpers)
 if [ -n "$IPTABLES_MODULES" ]; then
 echo -n $"${IPTABLES}: Loading additional modules: " 
- ret=0
 for mod in $IPTABLES_MODULES; do
 echo -n "$mod "
 modprobe $mod > /dev/null 2>&1
@@ -264,6 +273,8 @@ start() {
 }
 stop() { 
+ local ret=0 
+
 # Do not stop if iptables module is not loaded.
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
@@ -271,23 +282,26 @@ stop() {
 # on systems where the default policy is DROP and root device is
 # network-based (i.e.: iSCSI, NFS)
 set_policy ACCEPT 
+ let ret+=$?
 # And then, flush the rules and delete chains
 flush_n_delete 
+ let ret+=$?
 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 echo -n $"${IPTABLES}: Unloading modules: " 
- ret=0 
+ ret2=0
 for mod in ${NF_MODULES[*]}; do
 rmmod_r $mod 
- let ret+=$?; 
+ let ret2+=$?;
 done
 # try to unload remaining netfilter modules used by ipv4 and ipv6
 # netfilter
 for mod in ${NF_MODULES_COMMON[*]}; do
 rmmod_r $mod >/dev/null
 done 
- [ $ret -eq 0 ] && success || failure 
+ [ $ret2 -eq 0 ] && success || failure
 echo 
+ let ret+=$ret2
 fi
 rm -f $VAR_SUBSYS_IPTABLES
@@ -295,6 +309,8 @@ stop() {
 }
 save() { 
+ local ret=0 
+
 # Check if iptable module is loaded
 if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
 echo -n $"${IPTABLES}: Nothing to save."; warning; echo 
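Review bot: `$IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA` is followed by `if [ $? -eq 0 ]; then`, which tests the status indirectly and leaves `$IPTABLES_DATA` unquoted; testing the command itself is clearer: `if $IPTABLES_RESTORE_CMD $OPT "$IPTABLES_DATA"; then`. The same shape recurs on the fallback line in this hunk and in the reload() hunk at `@@ -391,14 +408,8 @@`. Since the wait block that used to live here is gone, a short comment on the new line would tell a reader where the options went: `# --wait/--wait-interval are carried by IPTABLES_RESTORE_CMD (set at top of file); OPT only holds -c`. start()'s body continues outside the hunk.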
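Review bot: In the stop() hunk `ret2=0` is introduced as a plain assignment while `ret` in the same function was just made `local`, so the unload counter leaks into script scope; `local ret2=0` keeps the fix consistent (or declare it alongside `local ret=0` at the top of stop()). Separately, stop() now adds the return codes of `set_policy` and `flush_n_delete`, and both return 1 when their table list is empty (`[ -z "$tables" ] && return 1` and `[ -z "$NF_TABLES" ] && return 1` in the earlier hunks), so a host where `$PROC_IPTABLES_NAMES` exists but lists no tables would now report a failed stop — confirm that is the intended outcome of propagating errors. stop()'s body continues outside the hunk.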
@@ -312,7 +328,6 @@ save() {
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" 
- ret=0
 TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
 && chmod 600 "$TMP_FILE" \
 && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
@@ -374,6 +389,8 @@ status() {
 }
 reload() { 
+ local ret=0 
+
 # Do not reload if there is no config file.
 if [ ! -f "$IPTABLES_DATA" ]; then
 echo -n $"${IPTABLES}: No config file."; warning; echo
@@ -391,14 +408,8 @@ reload() {
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" 
- if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then 
- OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" 
- if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then 
- OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" 
- fi 
- fi 
- $IPTABLES-restore $OPT $IPTABLES_DATA 
+ $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
 if [ $? -eq 0 ]; then
 success; echo
 else
@@ -408,7 +419,6 @@ reload() {
 # Load additional modules (helpers)
 if [ -n "$IPTABLES_MODULES" ]; then
 echo -n $"${IPTABLES}: Loading additional modules: " 
- ret=0
 for mod in $IPTABLES_MODULES; do
 echo -n "$mod "
 modprobe $mod > /dev/null 2>&1
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index f30613c..b3c208d 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -7,7 +7,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.21 
-Release: 24%{?dist} 
+Release: 24.1%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -276,6 +276,11 @@ done
 %changelog 
+* Tue Apr 03 2018 Phil Sutter - 1.4.21-24.1 
+- Fix for stopping iptables and ip6tables at the same time (RHBZ#1563168) 
+- Propagate errors on service stop (RHBZ#1563168) 
+- Avoid overwriting parent's return code (RHBZ#1563168) 
+
 * Fri Nov 17 2017 Phil Sutter - 1.4.21-24
 - Fix fgrep call over multiple files in iptables.init