Sync from SUSE:ALP:Source:Standard:1.0 iptables revision b044e261279e6ea204f39471f63b379d
This commit is contained in:
commit
82d8bbdefc
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
## Default LFS
|
||||||
|
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.png filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
baselibs.conf
Normal file
1
baselibs.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
libip4tc2
|
24
iptables-1.8.2-dont_read_garbage.patch
Normal file
24
iptables-1.8.2-dont_read_garbage.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
From: Fabian Vogt <fvogt@suse.com>
|
||||||
|
Date: 2019-04-04 13:41:59 +0200
|
||||||
|
Subject: 'iptables -L' reads garbage
|
||||||
|
References: [bsc#1106751]
|
||||||
|
Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
|
||||||
|
|
||||||
|
This patch fixes a situation where 'iptables -L' reads garbage
|
||||||
|
from the struct as the kernel never filled it in the bugged case.
|
||||||
|
This can lead to issues like mapping a few TiB of memory
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
Index: iptables-1.8.2/libiptc/libiptc.c
|
||||||
|
===================================================================
|
||||||
|
--- iptables-1.8.2.orig/libiptc/libiptc.c
|
||||||
|
+++ iptables-1.8.2/libiptc/libiptc.c
|
||||||
|
@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
|
||||||
|
{
|
||||||
|
struct xtc_handle *h;
|
||||||
|
STRUCT_GETINFO info;
|
||||||
|
+ memset(&info, 0, sizeof(info));
|
||||||
|
unsigned int tmp;
|
||||||
|
socklen_t s;
|
||||||
|
int sockfd;
|
BIN
iptables-1.8.9.tar.xz
(Stored with Git LFS)
Normal file
BIN
iptables-1.8.9.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
iptables-1.8.9.tar.xz.sig
Normal file
BIN
iptables-1.8.9.tar.xz.sig
Normal file
Binary file not shown.
75
iptables-batch-lock.patch
Normal file
75
iptables-batch-lock.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
From: Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
Date: 2017-06-26T10:53:24+0000
|
||||||
|
|
||||||
|
- fix a locking issue of iptables-batch which can cause it to spuriously fail
|
||||||
|
when other programs modify the iptables rules in parallel (bnc#1045130).
|
||||||
|
This can especially affect SuSEfirewall2 during startup.
|
||||||
|
|
||||||
|
---
|
||||||
|
iptables/iptables-batch.c | 21 +++++++++++++++++++++
|
||||||
|
iptables/xshared.c | 8 +++++++-
|
||||||
|
2 files changed, 28 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: iptables-1.8.8/iptables/iptables-batch.c
|
||||||
|
===================================================================
|
||||||
|
--- iptables-1.8.8.orig/iptables/iptables-batch.c
|
||||||
|
+++ iptables-1.8.8/iptables/iptables-batch.c
|
||||||
|
@@ -403,6 +403,27 @@ main(int argc, char *argv[])
|
||||||
|
tables[3].name = "raw";
|
||||||
|
tables[3].handle = NULL;
|
||||||
|
current_table = &tables[0];
|
||||||
|
+ /*
|
||||||
|
+ * We need to lock the complete batch processing against parallel
|
||||||
|
+ * modification by other processes. Otherwise, we can end up with
|
||||||
|
+ * EAGAIN errors.
|
||||||
|
+ *
|
||||||
|
+ * The do_command{4,6} function already locks itself, but the complete
|
||||||
|
+ * call sequence needs to be locked until the commit is performed.
|
||||||
|
+ *
|
||||||
|
+ * Sadly, the xtables_lock() implementation is not very cooperative.
|
||||||
|
+ * There is no unlock() equivalent. The lock file descriptor is simply
|
||||||
|
+ * left open until the process exits. Thus, we would have deadlocks
|
||||||
|
+ * when calling do_command{4,6} the second time.
|
||||||
|
+ *
|
||||||
|
+ * To prevent this, part of this patch adds logic to avoid taking the
|
||||||
|
+ * lock a second time in the same process in xtables_lock()
|
||||||
|
+ */
|
||||||
|
+ const struct timeval wait_interval = {.tv_sec = 1};
|
||||||
|
+ if (!xtables_lock_or_exit(-1, &wait_interval)) {
|
||||||
|
+ fprintf(stderr, "failed to acquire the xtables lock\n");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
while((r = getline(&iline, &llen, fp)) != -1)
|
||||||
|
{
|
||||||
|
Index: iptables-1.8.8/iptables/xshared.c
|
||||||
|
===================================================================
|
||||||
|
--- iptables-1.8.8.orig/iptables/xshared.c
|
||||||
|
+++ iptables-1.8.8/iptables/xshared.c
|
||||||
|
@@ -262,10 +262,14 @@ static void alarm_ignore(int i) {
|
||||||
|
|
||||||
|
static int xtables_lock(int wait)
|
||||||
|
{
|
||||||
|
+ static bool already_locked = false;
|
||||||
|
struct sigaction sigact_alarm;
|
||||||
|
const char *lock_file;
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
+ if (already_locked)
|
||||||
|
+ /* Avoid deadlocks, see iptables-batch.c */
|
||||||
|
+ return true;
|
||||||
|
lock_file = getenv("XTABLES_LOCKFILE");
|
||||||
|
if (lock_file == NULL || lock_file[0] == '\0')
|
||||||
|
lock_file = XT_LOCK_NAME;
|
||||||
|
@@ -285,8 +289,10 @@ static int xtables_lock(int wait)
|
||||||
|
alarm(wait);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (flock(fd, LOCK_EX) == 0)
|
||||||
|
+ if (flock(fd, LOCK_EX) == 0) {
|
||||||
|
+ already_locked = true;
|
||||||
|
return fd;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (errno == EINTR) {
|
||||||
|
errno = EWOULDBLOCK;
|
495
iptables-batch.patch
Normal file
495
iptables-batch.patch
Normal file
@ -0,0 +1,495 @@
|
|||||||
|
---
|
||||||
|
iptables/Makefile.am | 9
|
||||||
|
iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 477 insertions(+)
|
||||||
|
|
||||||
|
Index: iptables-1.8.9/iptables/Makefile.am
|
||||||
|
===================================================================
|
||||||
|
--- iptables-1.8.9.orig/iptables/Makefile.am
|
||||||
|
+++ iptables-1.8.9/iptables/Makefile.am
|
||||||
|
@@ -147,3 +147,12 @@ uninstall-hook:
|
||||||
|
}
|
||||||
|
|
||||||
|
EXTRA_DIST = tests
|
||||||
|
+
|
||||||
|
+iptables_legacy_batch_SOURCES = iptables-batch.c iptables.c xshared.c
|
||||||
|
+iptables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
|
||||||
|
+iptables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
|
||||||
|
+ip6tables_legacy_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
|
||||||
|
+ip6tables_legacy_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
|
||||||
|
+ip6tables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
|
||||||
|
+ip6tables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
|
||||||
|
+sbin_PROGRAMS += iptables-legacy-batch ip6tables-legacy-batch
|
||||||
|
Index: iptables-1.8.9/iptables/iptables-batch.c
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ iptables-1.8.9/iptables/iptables-batch.c
|
||||||
|
@@ -0,0 +1,468 @@
|
||||||
|
+/*
|
||||||
|
+ * Author: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||||
|
+ * Update for iptables 1.4.3.x: Petr Uzel <petr.uzel@suse.cz>
|
||||||
|
+ *
|
||||||
|
+ * Based on the ipchains code by Paul Russell and Michael Neuling
|
||||||
|
+ *
|
||||||
|
+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
|
||||||
|
+ * Paul 'Rusty' Russell <rusty@rustcorp.com.au>
|
||||||
|
+ * Marc Boucher <marc+nf@mbsi.ca>
|
||||||
|
+ * James Morris <jmorris@intercode.com.au>
|
||||||
|
+ * Harald Welte <laforge@gnumonks.org>
|
||||||
|
+ * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
||||||
|
+ *
|
||||||
|
+ * iptables-batch -- iptables batch processor
|
||||||
|
+ *
|
||||||
|
+ * See the accompanying manual page iptables(8) for information
|
||||||
|
+ * about proper usage of this program.
|
||||||
|
+ *
|
||||||
|
+ * This program is free software; you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation; either version 2 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * This program is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with this program; if not, write to the Free Software
|
||||||
|
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <ctype.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+#include <ip6tables.h>
|
||||||
|
+#else
|
||||||
|
+#include <iptables.h>
|
||||||
|
+#endif
|
||||||
|
+#include <xtables.h>
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+#define prog_name ip6tables_globals.program_name
|
||||||
|
+#define prog_ver ip6tables_globals.program_version
|
||||||
|
+#else
|
||||||
|
+#define prog_name iptables_globals.program_name
|
||||||
|
+#define prog_ver iptables_globals.program_version
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+static char* errstr = NULL;
|
||||||
|
+
|
||||||
|
+static unsigned current_line = 0;
|
||||||
|
+
|
||||||
|
+static char*
|
||||||
|
+skipspace(char* ptr)
|
||||||
|
+{
|
||||||
|
+ while(*ptr && isspace(*ptr))
|
||||||
|
+ ++ptr;
|
||||||
|
+ return ptr;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static char*
|
||||||
|
+getliteral(char** ptr)
|
||||||
|
+{
|
||||||
|
+ char* start = *ptr;
|
||||||
|
+ char* p = start;
|
||||||
|
+
|
||||||
|
+ while(*p && !isspace(*p))
|
||||||
|
+ ++p;
|
||||||
|
+
|
||||||
|
+ if(*p)
|
||||||
|
+ {
|
||||||
|
+ *p = '\0';
|
||||||
|
+ ++p;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *ptr = p;
|
||||||
|
+ return start;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static char*
|
||||||
|
+getstring(char** ptr)
|
||||||
|
+{
|
||||||
|
+ char* start = *ptr+1; // skip leading "
|
||||||
|
+ char* p = start;
|
||||||
|
+ char* o = start;
|
||||||
|
+ int backslash = 0;
|
||||||
|
+ int done = 0;
|
||||||
|
+
|
||||||
|
+ while(*p && !done)
|
||||||
|
+ {
|
||||||
|
+ if(backslash)
|
||||||
|
+ {
|
||||||
|
+ backslash = 0;
|
||||||
|
+ // no escapes supported, just eat the backslash
|
||||||
|
+ *o++ = *p++;
|
||||||
|
+ }
|
||||||
|
+ else if(*p == '\\')
|
||||||
|
+ {
|
||||||
|
+ backslash = 1;
|
||||||
|
+ p++;
|
||||||
|
+ }
|
||||||
|
+ else if(*p == '"')
|
||||||
|
+ {
|
||||||
|
+ done = 1;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ *o++ = *p++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(done)
|
||||||
|
+ {
|
||||||
|
+ *o = '\0';
|
||||||
|
+ *p = '\0';
|
||||||
|
+ ++p;
|
||||||
|
+ *ptr = p;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ errstr = "missing \" at end of string";
|
||||||
|
+ start = NULL;
|
||||||
|
+ }
|
||||||
|
+ return start;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// this is just a very basic method, not 100% shell compatible
|
||||||
|
+static char*
|
||||||
|
+getword(char** ptr)
|
||||||
|
+{
|
||||||
|
+ *ptr = skipspace(*ptr);
|
||||||
|
+ if(**ptr == '"')
|
||||||
|
+ return getstring(ptr);
|
||||||
|
+ return getliteral(ptr);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// destructive
|
||||||
|
+static int
|
||||||
|
+tokenize(int* argc, char* argv[], size_t nargvsize, char* iline)
|
||||||
|
+{
|
||||||
|
+ char* ptr = skipspace(iline);
|
||||||
|
+ int ret = 0;
|
||||||
|
+ char* word;
|
||||||
|
+
|
||||||
|
+ while(ptr && *ptr)
|
||||||
|
+ {
|
||||||
|
+ if(*ptr == '#')
|
||||||
|
+ break;
|
||||||
|
+ if(*argc >= nargvsize)
|
||||||
|
+ {
|
||||||
|
+ errstr = "too many arguments";
|
||||||
|
+ ret = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ word = getword(&ptr);
|
||||||
|
+ if(!word)
|
||||||
|
+ {
|
||||||
|
+ ret = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ argv[(*argc)++] = word;
|
||||||
|
+ ++ret;
|
||||||
|
+ }
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+static void
|
||||||
|
+dumpargv(int argc, char* argv[])
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ for(i=0; i < argc; ++i)
|
||||||
|
+ {
|
||||||
|
+ printf("%s\"%s\"",i?" ":"", argv[i]);
|
||||||
|
+ }
|
||||||
|
+ puts("");
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+struct table_handle
|
||||||
|
+{
|
||||||
|
+ char* name;
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ struct ip6tc_handle *handle;
|
||||||
|
+#else
|
||||||
|
+ struct iptc_handle *handle;
|
||||||
|
+#endif
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static struct table_handle* tables = NULL;
|
||||||
|
+static unsigned num_tables;
|
||||||
|
+struct table_handle* current_table;
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+alloc_tables(void)
|
||||||
|
+{
|
||||||
|
+ tables = realloc(tables, sizeof(struct table_handle) * num_tables);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+set_current_table(const char* name)
|
||||||
|
+{
|
||||||
|
+ unsigned i;
|
||||||
|
+
|
||||||
|
+ if(!strcmp(name, current_table->name)) // same as last time?
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ for(i = 0; i < num_tables; ++i) // find already known table
|
||||||
|
+ {
|
||||||
|
+ if(!strcmp(name, tables[i].name))
|
||||||
|
+ {
|
||||||
|
+ current_table = &tables[i];
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // table name not known, create new
|
||||||
|
+ i = num_tables++;
|
||||||
|
+ alloc_tables();
|
||||||
|
+ current_table = &tables[i];
|
||||||
|
+ current_table->name = strdup(name);
|
||||||
|
+ current_table->handle = NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+find_table(int argc, char* argv[])
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ for(i = 0; i < argc; ++i)
|
||||||
|
+ {
|
||||||
|
+ if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table"))
|
||||||
|
+ {
|
||||||
|
+ ++i;
|
||||||
|
+ if(i >= argc)
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: missing table name after %s\n",
|
||||||
|
+ current_line, argv[i]);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ set_current_table(argv[i]);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // no -t specified
|
||||||
|
+ set_current_table("filter");
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+do_iptables(int argc, char* argv[])
|
||||||
|
+{
|
||||||
|
+ char *table = "filter";
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ if(!find_table(argc, argv))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ ret = do_command6(argc, argv, &table, ¤t_table->handle, true);
|
||||||
|
+
|
||||||
|
+ if (!ret)
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ if(!table || strcmp(table, current_table->name))
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: expected table %s, got %s\n",
|
||||||
|
+ current_line, current_table->name, table);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
+ ret = do_command4(argc, argv, &table, ¤t_table->handle, true);
|
||||||
|
+
|
||||||
|
+ if (!ret)
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ if(!table || strcmp(table, current_table->name))
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: expected table %s, got %s\n",
|
||||||
|
+ current_line, current_table->name, table);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+do_commit(void)
|
||||||
|
+{
|
||||||
|
+ unsigned i;
|
||||||
|
+ int ret = 1;
|
||||||
|
+
|
||||||
|
+ for(i = 0; i < num_tables; ++i)
|
||||||
|
+ {
|
||||||
|
+ if(tables[i].handle)
|
||||||
|
+ {
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ ret = ip6tc_commit(tables[i].handle);
|
||||||
|
+ if (!ret)
|
||||||
|
+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, ip6tc_strerror(errno));
|
||||||
|
+ ip6tc_free(tables[i].handle);
|
||||||
|
+ tables[i].handle = NULL;
|
||||||
|
+#else
|
||||||
|
+ ret = iptc_commit(tables[i].handle);
|
||||||
|
+ if (!ret)
|
||||||
|
+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno));
|
||||||
|
+ iptc_free(tables[i].handle);
|
||||||
|
+ tables[i].handle = NULL;
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+help(void)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name);
|
||||||
|
+ puts("Read iptables commands from FILE, commit them at EOF\n");
|
||||||
|
+ puts("In addition to normal iptables calls the commands");
|
||||||
|
+ puts("'commit' and 'exit' are understood.");
|
||||||
|
+ exit(0);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+main(int argc, char *argv[])
|
||||||
|
+{
|
||||||
|
+ int ret = 1;
|
||||||
|
+ int c;
|
||||||
|
+ int numtok;
|
||||||
|
+ size_t llen = 0;
|
||||||
|
+ char* iline = NULL;
|
||||||
|
+ ssize_t r = -1;
|
||||||
|
+ int nargc = 0;
|
||||||
|
+ char* nargv[256];
|
||||||
|
+ FILE* fp = stdin;
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ prog_name = "ip6tables-batch";
|
||||||
|
+#else
|
||||||
|
+ prog_name = "iptables-batch";
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
|
||||||
|
+#else
|
||||||
|
+ c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if(c < 0) {
|
||||||
|
+ fprintf(stderr, "%s/%s Failed to initialize xtables\n",
|
||||||
|
+ prog_name,
|
||||||
|
+ prog_ver);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef NO_SHARED_LIBS
|
||||||
|
+ init_extensions();
|
||||||
|
+#endif
|
||||||
|
+ if(argc > 1)
|
||||||
|
+ {
|
||||||
|
+ if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h"))
|
||||||
|
+ {
|
||||||
|
+ help();
|
||||||
|
+ }
|
||||||
|
+ else if(strcmp(argv[1], "-"))
|
||||||
|
+ {
|
||||||
|
+ fp = fopen(argv[1], "r");
|
||||||
|
+ if(!fp)
|
||||||
|
+ {
|
||||||
|
+ perror("fopen");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ num_tables = 4;
|
||||||
|
+ alloc_tables();
|
||||||
|
+ tables[0].name = "filter";
|
||||||
|
+ tables[0].handle = NULL;
|
||||||
|
+ tables[1].name = "mangle";
|
||||||
|
+ tables[1].handle = NULL;
|
||||||
|
+ tables[2].name = "nat";
|
||||||
|
+ tables[2].handle = NULL;
|
||||||
|
+ tables[3].name = "raw";
|
||||||
|
+ tables[3].handle = NULL;
|
||||||
|
+ current_table = &tables[0];
|
||||||
|
+
|
||||||
|
+ while((r = getline(&iline, &llen, fp)) != -1)
|
||||||
|
+ {
|
||||||
|
+ if(llen < 1 || !*iline)
|
||||||
|
+ continue;
|
||||||
|
+ if(iline[strlen(iline)-1] == '\n')
|
||||||
|
+ iline[strlen(iline) -1 ] = '\0';
|
||||||
|
+
|
||||||
|
+ ++current_line;
|
||||||
|
+ nargc = 0;
|
||||||
|
+ errstr = NULL;
|
||||||
|
+ numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline);
|
||||||
|
+ if(numtok == -1)
|
||||||
|
+ {
|
||||||
|
+ }
|
||||||
|
+ else if (numtok == 0)
|
||||||
|
+ {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ else if(nargc < 1)
|
||||||
|
+ {
|
||||||
|
+ errstr = "insufficient number of arguments";
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(errstr)
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr);
|
||||||
|
+ ret = 0;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+ dumpargv(nargc, nargv);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifdef IP6T
|
||||||
|
+ if(!strcmp(nargv[0], "ip6tables"))
|
||||||
|
+#else
|
||||||
|
+ if(!strcmp(nargv[0], "iptables"))
|
||||||
|
+#endif
|
||||||
|
+ {
|
||||||
|
+ ret = do_iptables(nargc, nargv);
|
||||||
|
+ if(!ret) break;
|
||||||
|
+ }
|
||||||
|
+ else if(!strcmp(nargv[0], "exit"))
|
||||||
|
+ {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ else if(!strcmp(nargv[0], "commit"))
|
||||||
|
+ {
|
||||||
|
+ /* do nothing - see bnc#500990, comment #16 */
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(ret)
|
||||||
|
+ ret = do_commit();
|
||||||
|
+
|
||||||
|
+ exit(!ret);
|
||||||
|
+}
|
1008
iptables.changes
Normal file
1008
iptables.changes
Normal file
File diff suppressed because it is too large
Load Diff
64
iptables.keyring
Normal file
64
iptables.keyring
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
|
||||||
|
660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
|
||||||
|
V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
|
||||||
|
zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
|
||||||
|
Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
|
||||||
|
KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
|
||||||
|
dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
|
||||||
|
WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
|
||||||
|
9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
|
||||||
|
+IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
|
||||||
|
U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
|
||||||
|
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
|
||||||
|
VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
|
||||||
|
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
|
||||||
|
+ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
|
||||||
|
RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
|
||||||
|
4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
|
||||||
|
IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
|
||||||
|
bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
|
||||||
|
Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
|
||||||
|
QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
|
||||||
|
wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
|
||||||
|
4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
|
||||||
|
tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
|
||||||
|
n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
|
||||||
|
oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
|
||||||
|
o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
|
||||||
|
ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
|
||||||
|
tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
|
||||||
|
HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
|
||||||
|
FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
|
||||||
|
diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
|
||||||
|
R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
|
||||||
|
uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
|
||||||
|
Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
|
||||||
|
UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
|
||||||
|
KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
|
||||||
|
RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
|
||||||
|
wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
|
||||||
|
0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
|
||||||
|
q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
|
||||||
|
k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
|
||||||
|
pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
|
||||||
|
plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
|
||||||
|
qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
|
||||||
|
iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
|
||||||
|
jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
|
||||||
|
ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
|
||||||
|
CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
|
||||||
|
8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
|
||||||
|
bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
|
||||||
|
jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
|
||||||
|
rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
|
||||||
|
3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
|
||||||
|
7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
|
||||||
|
7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
|
||||||
|
yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
|
||||||
|
leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
|
||||||
|
U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
|
||||||
|
rlbu70nh2kSJrg==
|
||||||
|
=wukb
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
458
iptables.spec
Normal file
458
iptables.spec
Normal file
@ -0,0 +1,458 @@
|
|||||||
|
#
|
||||||
|
# spec file for package iptables
|
||||||
|
#
|
||||||
|
# Copyright (c) 2023 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
%if 0%{?suse_version} > 1500
|
||||||
|
%bcond_without libalternatives
|
||||||
|
%else
|
||||||
|
%bcond_with libalternatives
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Name: iptables
|
||||||
|
Version: 1.8.9
|
||||||
|
Release: 0
|
||||||
|
Summary: IP packet filter administration utilities
|
||||||
|
License: Artistic-2.0 AND GPL-2.0-only
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
|
URL: https://netfilter.org/projects/iptables/
|
||||||
|
#Git-Clone: git://git.netfilter.org/iptables
|
||||||
|
Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.xz
|
||||||
|
Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.xz.sig
|
||||||
|
Source3: %name.keyring
|
||||||
|
Source4: baselibs.conf
|
||||||
|
Patch1: iptables-batch.patch
|
||||||
|
Patch2: iptables-batch-lock.patch
|
||||||
|
Patch3: iptables-1.8.2-dont_read_garbage.patch
|
||||||
|
|
||||||
|
BuildRequires: bison
|
||||||
|
BuildRequires: fdupes
|
||||||
|
BuildRequires: flex >= 2.5.33
|
||||||
|
BuildRequires: libtool
|
||||||
|
BuildRequires: pkg-config >= 0.21
|
||||||
|
BuildRequires: xz
|
||||||
|
BuildRequires: pkgconfig(libmnl) >= 1.0
|
||||||
|
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
|
||||||
|
BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
|
||||||
|
BuildRequires: pkgconfig(libnftnl) >= 1.1.6
|
||||||
|
Requires: netcfg >= 11.6
|
||||||
|
Requires: xtables-plugins = %version-%release
|
||||||
|
%if %{with libalternatives}
|
||||||
|
Requires: alts
|
||||||
|
BuildRequires: alts
|
||||||
|
%else
|
||||||
|
Requires(post): update-alternatives
|
||||||
|
Requires(postun):update-alternatives
|
||||||
|
%endif
|
||||||
|
# During the update to iptables 1.8, ip6tables-restore-translate, ip6tables-translate,
|
||||||
|
# iptables-restore-translate and iptables-translate were moved from iptables-nft subpackage
|
||||||
|
# (now iptables-backend-nft) to the main package so we need to add a conflict here otherwise
|
||||||
|
# we hit file conflicts error during the update
|
||||||
|
Conflicts: iptables-nft = 1.6.2
|
||||||
|
|
||||||
|
%description
|
||||||
|
iptables is used to set up, maintain, and inspect the rule tables of
|
||||||
|
the various Netfilter packet filter engines inside the Linux kernel.
|
||||||
|
|
||||||
|
%package backend-nft
|
||||||
|
Summary: Metapackage to make nft the default backend for iptables/arptables/ebtables
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
|
Requires: iptables >= 1.8.0
|
||||||
|
%if %{with libalternatives}
|
||||||
|
Requires: alts
|
||||||
|
BuildRequires: alts
|
||||||
|
%else
|
||||||
|
Requires(post): update-alternatives
|
||||||
|
Requires(postun):update-alternatives
|
||||||
|
%endif
|
||||||
|
Provides: iptables-nft = %version-%release
|
||||||
|
Obsoletes: iptables-nft < %version-%release
|
||||||
|
|
||||||
|
%description backend-nft
|
||||||
|
Installation of this package adds higher priority alternatives (cf.
|
||||||
|
update-alternatives) that makes the iptables, ip6tables, arptables
|
||||||
|
and ebtables commands point to a program variant that uses the
|
||||||
|
nftables kernel interface.
|
||||||
|
|
||||||
|
%package -n xtables-plugins
|
||||||
|
Summary: Match and target extension plugins for iptables
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
|
Conflicts: iptables < 1.4.18
|
||||||
|
|
||||||
|
%description -n xtables-plugins
|
||||||
|
Match and Target Extension plugins for iptables.
|
||||||
|
|
||||||
|
%package -n libipq0
|
||||||
|
Summary: Library to interface with the (old) ip_queue kernel mechanism
|
||||||
|
Group: System/Libraries
|
||||||
|
|
||||||
|
%description -n libipq0
|
||||||
|
The Netfilter project provides a mechanism (ip_queue) for passing
|
||||||
|
packets out of the stack for queueing to userspace, then receiving
|
||||||
|
these packets back into the kernel with a verdict specifying what to
|
||||||
|
do with the packets (such as ACCEPT or DROP). These packets may also
|
||||||
|
be modified in userspace prior to reinjection back into the kernel.
|
||||||
|
|
||||||
|
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
|
||||||
|
|
||||||
|
%package -n libipq-devel
|
||||||
|
Summary: Development files for the ip_queue kernel mechanism
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libipq0 = %version
|
||||||
|
|
||||||
|
%description -n libipq-devel
|
||||||
|
The Netfilter project provides a mechanism (ip_queue) for passing
|
||||||
|
packets out of the stack for queueing to userspace, then receiving
|
||||||
|
these packets back into the kernel with a verdict specifying what to
|
||||||
|
do with the packets (such as ACCEPT or DROP). These packets may also
|
||||||
|
be modified in userspace prior to reinjection back into the kernel.
|
||||||
|
|
||||||
|
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
|
||||||
|
|
||||||
|
%package -n libip4tc2
|
||||||
|
Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv4)
|
||||||
|
Group: System/Libraries
|
||||||
|
|
||||||
|
%description -n libip4tc2
|
||||||
|
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
|
||||||
|
construct, and load rulesets into the kernel.
|
||||||
|
This package contains the iptc IPv4 API.
|
||||||
|
|
||||||
|
%package -n libip6tc2
|
||||||
|
Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv6)
|
||||||
|
Group: System/Libraries
|
||||||
|
|
||||||
|
%description -n libip6tc2
|
||||||
|
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
|
||||||
|
construct, and load rulesets into the kernel.
|
||||||
|
This package contains the iptc IPv6 API.
|
||||||
|
|
||||||
|
%package -n libiptc-devel
|
||||||
|
Summary: Development files for libiptc, a packet filter ruleset library
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libip4tc2 = %version
|
||||||
|
Requires: libip6tc2 = %version
|
||||||
|
|
||||||
|
%description -n libiptc-devel
|
||||||
|
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
|
||||||
|
construct, and load rulesets into the kernel.
|
||||||
|
|
||||||
|
%package -n libxtables12
|
||||||
|
Summary: The iptables plugin interface
|
||||||
|
Group: System/Libraries
|
||||||
|
|
||||||
|
%description -n libxtables12
|
||||||
|
This library contains all the iptables code shared between iptables,
|
||||||
|
ip6tables, their extensions, and for external integration for e.g.
|
||||||
|
iproute2's m_xt.
|
||||||
|
|
||||||
|
%package -n libxtables-devel
|
||||||
|
Summary: Headers and manpages for iptables
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libxtables12 = %version
|
||||||
|
|
||||||
|
%description -n libxtables-devel
|
||||||
|
This library contains all the iptables code shared between iptables,
|
||||||
|
ip6tables, their extensions, and for external integration for e.g.
|
||||||
|
|
||||||
|
Link your extension (iptables plugins) with $(pkg-config xtables
|
||||||
|
--libs) and place the plugin in the directory given by $(pkg-config
|
||||||
|
xtables --variable=xtlibdir).
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
%build
|
||||||
|
# We have the iptables-batch patch, so always regenerate.
|
||||||
|
./autogen.sh
|
||||||
|
# bnc#561793 - do not include unclean module in iptables manpage
|
||||||
|
rm -f extensions/libipt_unclean.man
|
||||||
|
# includedir is overriden on purpose to detect projects that
|
||||||
|
# fail to include libxtables_CFLAGS
|
||||||
|
%configure --includedir="%_includedir/%name" --enable-libipq
|
||||||
|
%make_build V=1
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install
|
||||||
|
b="%buildroot"
|
||||||
|
# no contents and is unused; proposed for removal upstream
|
||||||
|
rm -f "$b/%_libdir/"libiptc.so*
|
||||||
|
# iptables-apply is not installed by upstream Makefile
|
||||||
|
install -m0755 iptables/iptables-apply "$b/%_sbindir/"
|
||||||
|
rm -f "$b/%_libdir"/*.la
|
||||||
|
rm -f "$b/%_sysconfdir/ethertypes" # provided by netcfg
|
||||||
|
rm -f "$b/%_sysconfdir/xtables.conf" # packaging bug
|
||||||
|
|
||||||
|
for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
|
||||||
|
ip6tables-save arptables arptables-restore arptables-save ebtables \
|
||||||
|
ebtables-restore ebtables-save; do
|
||||||
|
%if ! %{with libalternatives}
|
||||||
|
ln -fsv "%_sysconfdir/alternatives/$i" "$b/%_sbindir/$i"
|
||||||
|
%else
|
||||||
|
ln -fsv %_bindir/alts "$b/%_sbindir/$i"
|
||||||
|
%endif
|
||||||
|
done
|
||||||
|
|
||||||
|
%if 0%{?suse_version}
|
||||||
|
%fdupes %buildroot/%_prefix
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with libalternatives}
|
||||||
|
mkdir -pv "$b/%_datadir/libalternatives/iptables"
|
||||||
|
cat >"$b/%_datadir/libalternatives/iptables/1.conf" <<-EOF
|
||||||
|
binary=%_sbindir/xtables-legacy-multi
|
||||||
|
group=iptables, ip6tables, ip6tables-restore, ip6tables-save, iptables-restore, iptables-save
|
||||||
|
options=KeepArgv0
|
||||||
|
EOF
|
||||||
|
cat >"$b/%_datadir/libalternatives/iptables/2.conf" <<-EOF
|
||||||
|
binary=%_sbindir/xtables-nft-multi
|
||||||
|
group=iptables, ip6tables, ip6tables-restore, ip6tables-save, iptables-restore, iptables-save
|
||||||
|
options=KeepArgv0
|
||||||
|
EOF
|
||||||
|
for i in ip6tables ip6tables-restore ip6tables-save iptables-restore iptables-save; do
|
||||||
|
mkdir -pv "$b/%_datadir/libalternatives/$i"
|
||||||
|
cp -av "$b/%_datadir/libalternatives/iptables/"*.conf "$b/%_datadir/libalternatives/$i/"
|
||||||
|
done
|
||||||
|
|
||||||
|
mkdir -pv $b/%_datadir/libalternatives/arptables
|
||||||
|
cat >"$b/%_datadir/libalternatives/arptables/2.conf" <<-EOF
|
||||||
|
binary=%_sbindir/xtables-nft-multi
|
||||||
|
group=arptables, arptables-restore, arptables-save
|
||||||
|
options=KeepArgv0
|
||||||
|
EOF
|
||||||
|
for i in arptables-restore arptables-save; do
|
||||||
|
mkdir -pv "$b/%_datadir/libalternatives/$i"
|
||||||
|
cp -av "$b/%_datadir/libalternatives/arptables/2.conf" "$b/%_datadir/libalternatives/$i/"
|
||||||
|
done
|
||||||
|
|
||||||
|
mkdir -p "$b/%_datadir/libalternatives/ebtables"
|
||||||
|
cat >"$b/%_datadir/libalternatives/ebtables/2.conf" <<-EOF
|
||||||
|
binary=%_sbindir/xtables-nft-multi
|
||||||
|
group=ebtables, ebtables-restore, ebtables-save
|
||||||
|
options=KeepArgv0
|
||||||
|
EOF
|
||||||
|
for i in ebtables-restore ebtables-save; do
|
||||||
|
mkdir -pv "$b/%_datadir/libalternatives/$i"
|
||||||
|
cp -av "$b/%_datadir/libalternatives/ebtables/2.conf" "$b/%_datadir/libalternatives/$i/"
|
||||||
|
done
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with libalternatives}
|
||||||
|
%pre
|
||||||
|
# removing old update-alternatives entries
|
||||||
|
if [ "$1" -gt 0 ] && [ -f "%_sbindir/update-alternatives" ]; then
|
||||||
|
update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
|
||||||
|
fi
|
||||||
|
%else
|
||||||
|
|
||||||
|
%post
|
||||||
|
update-alternatives \
|
||||||
|
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
|
||||||
|
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
|
||||||
|
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
|
||||||
|
|
||||||
|
%postun
|
||||||
|
if test "$1" = 0; then
|
||||||
|
update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
|
||||||
|
fi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with libalternatives}
|
||||||
|
%pre backend-nft
|
||||||
|
# removing old update-alternatives entries
|
||||||
|
if [ "$1" -gt 0 ] && [ -f "%_sbindir/update-alternatives" ]; then
|
||||||
|
update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
|
||||||
|
fi
|
||||||
|
%else
|
||||||
|
|
||||||
|
%post backend-nft
|
||||||
|
update-alternatives \
|
||||||
|
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
|
||||||
|
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
|
||||||
|
--slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
|
||||||
|
--slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
|
||||||
|
--slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
|
||||||
|
|
||||||
|
%postun backend-nft
|
||||||
|
if test "$1" = 0; then
|
||||||
|
update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
|
||||||
|
update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
|
||||||
|
fi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%post -n libipq0 -p /sbin/ldconfig
|
||||||
|
%postun -n libipq0 -p /sbin/ldconfig
|
||||||
|
%post -n libip4tc2 -p /sbin/ldconfig
|
||||||
|
%postun -n libip4tc2 -p /sbin/ldconfig
|
||||||
|
%post -n libip6tc2 -p /sbin/ldconfig
|
||||||
|
%postun -n libip6tc2 -p /sbin/ldconfig
|
||||||
|
%post -n libxtables12 -p /sbin/ldconfig
|
||||||
|
%postun -n libxtables12 -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING
|
||||||
|
%_bindir/iptables-xml
|
||||||
|
%_sbindir/iptables-apply
|
||||||
|
%_sbindir/iptables-legacy*
|
||||||
|
%_sbindir/iptables-nft*
|
||||||
|
%_sbindir/iptables-*translate*
|
||||||
|
%_sbindir/ip6tables-apply
|
||||||
|
%_sbindir/ip6tables-legacy*
|
||||||
|
%_sbindir/ip6tables-nft*
|
||||||
|
%_sbindir/ip6tables-*translate*
|
||||||
|
%_sbindir/arptables-nft*
|
||||||
|
%_sbindir/ebtables-nft*
|
||||||
|
%_sbindir/ebtables-*translate*
|
||||||
|
%_sbindir/xtables*
|
||||||
|
%_mandir/man1/*tables*
|
||||||
|
%_mandir/man8/*tables*
|
||||||
|
# backend-legacy (implicit)
|
||||||
|
%if ! %{with libalternatives}
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables-save
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables-save
|
||||||
|
%else
|
||||||
|
%_datadir/libalternatives/ip6tables/1.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables
|
||||||
|
%_datadir/libalternatives/ip6tables-restore/1.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables-restore
|
||||||
|
%_datadir/libalternatives/ip6tables-save/1.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables-save
|
||||||
|
%_datadir/libalternatives/iptables/1.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables
|
||||||
|
%_datadir/libalternatives/iptables-restore/1.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables-restore
|
||||||
|
%_datadir/libalternatives/iptables-save/1.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables-save
|
||||||
|
%endif
|
||||||
|
%_sbindir/iptables
|
||||||
|
%_sbindir/iptables-restore
|
||||||
|
%_sbindir/iptables-save
|
||||||
|
%_sbindir/ip6tables
|
||||||
|
%_sbindir/ip6tables-restore
|
||||||
|
%_sbindir/ip6tables-save
|
||||||
|
|
||||||
|
%files backend-nft
|
||||||
|
%if ! %{with libalternatives}
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/iptables-save
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/ip6tables-save
|
||||||
|
%ghost %_sysconfdir/alternatives/arptables
|
||||||
|
%ghost %_sysconfdir/alternatives/arptables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/arptables-save
|
||||||
|
%ghost %_sysconfdir/alternatives/ebtables
|
||||||
|
%ghost %_sysconfdir/alternatives/ebtables-restore
|
||||||
|
%ghost %_sysconfdir/alternatives/ebtables-save
|
||||||
|
%_sbindir/iptables
|
||||||
|
%_sbindir/iptables-restore
|
||||||
|
%_sbindir/iptables-save
|
||||||
|
%_sbindir/ip6tables
|
||||||
|
%_sbindir/ip6tables-restore
|
||||||
|
%_sbindir/ip6tables-save
|
||||||
|
%else
|
||||||
|
%_datadir/libalternatives/arptables/2.conf
|
||||||
|
%dir %_datadir/libalternatives/arptables
|
||||||
|
%_datadir/libalternatives/arptables-restore/2.conf
|
||||||
|
%dir %_datadir/libalternatives/arptables-restore
|
||||||
|
%_datadir/libalternatives/arptables-save/2.conf
|
||||||
|
%dir %_datadir/libalternatives/arptables-save
|
||||||
|
%_datadir/libalternatives/ebtables/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ebtables
|
||||||
|
%_datadir/libalternatives/ebtables-restore/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ebtables-restore
|
||||||
|
%_datadir/libalternatives/ebtables-save/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ebtables-save
|
||||||
|
%_datadir/libalternatives/ip6tables/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables
|
||||||
|
%_datadir/libalternatives/ip6tables-restore/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables-restore
|
||||||
|
%_datadir/libalternatives/ip6tables-save/2.conf
|
||||||
|
%dir %_datadir/libalternatives/ip6tables-save
|
||||||
|
%_datadir/libalternatives/iptables/2.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables
|
||||||
|
%_datadir/libalternatives/iptables-restore/2.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables-restore
|
||||||
|
%_datadir/libalternatives/iptables-save/2.conf
|
||||||
|
%dir %_datadir/libalternatives/iptables-save
|
||||||
|
%_datadir/libalternatives/iptables-save/2.conf
|
||||||
|
%endif
|
||||||
|
%_sbindir/arptables
|
||||||
|
%_sbindir/arptables-restore
|
||||||
|
%_sbindir/arptables-save
|
||||||
|
%_sbindir/ebtables
|
||||||
|
%_sbindir/ebtables-restore
|
||||||
|
%_sbindir/ebtables-save
|
||||||
|
|
||||||
|
%files -n xtables-plugins
|
||||||
|
%_libdir/xtables/
|
||||||
|
%_sbindir/nfnl_osf
|
||||||
|
%_mandir/man8/nfnl_osf.8*
|
||||||
|
%_datadir/xtables/
|
||||||
|
|
||||||
|
%files -n libipq0
|
||||||
|
%_libdir/libipq.so.0*
|
||||||
|
|
||||||
|
%files -n libipq-devel
|
||||||
|
%doc %_mandir/man3/libipq*
|
||||||
|
%doc %_mandir/man3/ipq*
|
||||||
|
%dir %_includedir/%name/
|
||||||
|
%_includedir/%name/libipq*
|
||||||
|
%_libdir/libipq.so
|
||||||
|
%_libdir/pkgconfig/libipq.pc
|
||||||
|
|
||||||
|
%files -n libip4tc2
|
||||||
|
%_libdir/libip4tc.so.2*
|
||||||
|
|
||||||
|
%files -n libip6tc2
|
||||||
|
%_libdir/libip6tc.so.2*
|
||||||
|
|
||||||
|
%files -n libiptc-devel
|
||||||
|
%dir %_includedir/%name/
|
||||||
|
%_includedir/%name/libiptc*
|
||||||
|
%_libdir/libip*tc.so
|
||||||
|
%_libdir/pkgconfig/libip*tc.pc
|
||||||
|
|
||||||
|
%files -n libxtables12
|
||||||
|
%_libdir/libxtables.so.12*
|
||||||
|
|
||||||
|
%files -n libxtables-devel
|
||||||
|
%dir %_includedir/%name/
|
||||||
|
%_includedir/%name/xtables.h
|
||||||
|
%_includedir/%name/xtables-version.h
|
||||||
|
%_libdir/libxtables.so
|
||||||
|
%_libdir/pkgconfig/xtables.pc
|
||||||
|
|
||||||
|
%changelog
|
Loading…
Reference in New Issue
Block a user