diff --git a/SOURCES/iptables-1.4.21-rhbz_1261238.patch b/SOURCES/iptables-1.4.21-rhbz_1261238.patch
new file mode 100644
index 0000000..2584c74
--- /dev/null
+++ b/SOURCES/iptables-1.4.21-rhbz_1261238.patch
@@ -0,0 +1,14 @@
+diff -up iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 iptables-1.4.21/extensions/libxt_TRACE.man
+--- iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/extensions/libxt_TRACE.man 2016-07-01 11:43:59.775632018 +0200
+@@ -1,8 +1,8 @@
+ This target marks packets so that the kernel will log every rule which match
+ the packets as those traverse the tables, chains, rules.
+ .PP
+-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
+-to be visible.
++A logging backend, such as nf_log_ipv4(6) or nfnetlink_log, must be loaded for
++this to be visible.
+ The packets are logged with the string prefix:
+ "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
+ plain rule, "return" for implicit rule at the end of a user defined chain
diff --git a/SOURCES/iptables-c513cc3-rhbz_1298879.patch b/SOURCES/iptables-c513cc3-rhbz_1298879.patch
new file mode 100644
index 0000000..136b648
--- /dev/null
+++ b/SOURCES/iptables-c513cc3-rhbz_1298879.patch
@@ -0,0 +1,34 @@
+From c513cc3dd10231f267548d644dcb7632516a2348 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Fri, 10 Jun 2016 14:57:58 +0200
+Subject: ip6tables: Warn about use of DROP in nat table
+
+Clone of 1eada72b with 9bb76094 and e0390bee on top.
+
+Signed-off-by: Thomas Woerner
+Signed-off-by: Pablo Neira Ayuso
+---
+ iptables/ip6tables.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 2731209..c48ddf9 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1720,6 +1720,13 @@ int do_command6(int argc, char *argv[], char **table,
+ cs.invert = FALSE;
+ }
+
++ if (strcmp(*table, "nat") == 0 &&
++ ((policy != NULL && strcmp(policy, "DROP") == 0) ||
++ (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
++ xtables_error(PARAMETER_PROBLEM,
++ "\nThe \"nat\" table is not intended for filtering, "
++ "the use of DROP is therefore inhibited.\n\n");
++
+ for (matchp = cs.matches; matchp; matchp = matchp->next)
+ xtables_option_mfcall(matchp->match);
+ if (cs.target != NULL)
+--
+cgit v0.12
+
diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init
index 611f9da..8f3060e 100755
--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@@ -29,6 +29,8 @@ IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+RESTORECON=/bin/restorecon
+[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true
 # only usable for root
 if [ $EUID != 0 ]; then
@@ -42,7 +44,7 @@ if [ ! -x /sbin/$IPTABLES ]; then
 fi
 # Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
 && NEW_MODUTILS=1 \
 || NEW_MODUTILS=0
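Review bot: The new check in do_command6 is a hard failure (xtables_error with PARAMETER_PROBLEM exits), not the warning the subject line promises, and it fires regardless of which command is being run: `ip6tables -t nat -D PREROUTING ... -j DROP` against a rule created by an earlier release is now rejected by the same test that rejects `-A`, and if ip6tables-restore feeds its lines through this function (not visible in the hunk, so to be confirmed), a saved ruleset containing such a rule aborts mid-restore and the host can come up with its nat/filter state only partially loaded. If the enclosing function tracks the command kind as upstream does with the `command` bitmask and `CMD_*` flags, I would gate the check on the rule-adding commands only, e.g. `if (strcmp(*table, "nat") == 0 && (command & (CMD_APPEND | CMD_INSERT | CMD_REPLACE | CMD_SET_POLICY)) &&`, and let delete/check/list through so legacy rules remain removable; alternatively emit the message with `fprintf(stderr, ...)` and continue, matching the "Warn" wording. Either way the message text `"the use of DROP is therefore inhibited"` should be reworded to say what is actually happening. do_command6 begins and ends outside this hunk.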
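Review bot: The added `RESTORECON=/bin/restorecon` hard-codes a path that the previous code never depended on (the old `restorecon` call resolved via PATH, and policycoreutils commonly installs the binary under /sbin or /usr/sbin); on a system where /bin/restorecon does not exist the very next line silently substitutes /bin/true, so the rules files written later in save() are never relabeled and nothing is logged to show that SELinux labeling was skipped. Resolving the binary by name keeps the intended fallback for systems without SELinux while not disabling it where it is present: `RESTORECON=$(command -v restorecon 2>/dev/null || echo /bin/true)`. If the fallback is taken on purpose, a one-line `echo -n "restorecon not found, skipping relabel of $IPTABLES_DATA"` before it would make the degraded state visible in the boot log. This hunk is top-level variable setup, so the guard is evaluated once at script start.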
@@ -312,13 +314,13 @@ save() { if [ -e $IPTABLES_DATA ]; then cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ && chmod 600 $IPTABLES_DATA.save \ - && restorecon $IPTABLES_DATA.save \ + && $RESTORECON $IPTABLES_DATA.save \ || ret=1 fi if [ $ret -eq 0 ]; then mv -f $TMP_FILE $IPTABLES_DATA \ && chmod 600 $IPTABLES_DATA \ - && restorecon $IPTABLES_DATA \ + && $RESTORECON $IPTABLES_DATA \ || ret=1 fi fi diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index 4e40d76..9e237dd 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -7,7 +7,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 16%{?dist} +Release: 17%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -20,6 +20,8 @@ Patch1: iptables-1.4.21-rhbz_1054871.patch Patch2: iptables-1.4.21-libxt_cgroup.patch Patch3: iptables-1.4.21-wait_seconds.patch Patch4: iptables-1.4.21-flock_wait.patch +Patch5: iptables-1.4.21-rhbz_1261238.patch +Patch6: iptables-c513cc3-rhbz_1298879.patch Group: System Environment/Base URL: http://www.netfilter.org/ License: GPLv2 @@ -86,6 +88,8 @@ Currently only provides nfnl_osf with the pf.os database. %patch2 -p1 -b .libxt_cgroup %patch3 -p1 -b .wait_seconds %patch4 -p1 -b .flock_wait +%patch5 -p1 -b .rhbz_1261238 +%patch6 -p1 -b .rhbz_1298879 %build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ 
@@ -239,8 +243,16 @@ done %changelog +* Fri Jul 1 2016 Thomas Woerner 1.4.21-17 +- Fixed init script not to fail on missing restorecon (RHBZ#1246380) +- Adapted man page snipplet for TRACE to use proper logging backend names + (RHBZ#1261238) +- Warn about use of DROP in nat table (RHBZ#1298879) +- Fixed modules unload in init script (RHBZ#1324102) + * Fri Sep 18 2015 Thomas Woerner 1.4.21-16 -- Fix important coverity findings: missing include for flock and use bash for init script +- Fix important coverity findings: missing include for flock and use bash for + init script (RHBZ#1264399) * Fri Sep 18 2015 Thomas Woerner 1.4.21-15 - Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415)