From bdab2ae3d451b295663473477b0f2d8064c75fc6 Mon Sep 17 00:00:00 2001
From: Seonah Moon
Date: Mon, 28 Dec 2015 14:35:30 +0900
Subject: [PATCH] Sycn code from tizen 2.4

Change-Id: I974f50e1bb3493190ac63a79adae234ffac011b3
Signed-off-by: Seonah Moon
---
 extensions/libxt_cgroup.c | 74 +++++
 extensions/libxt_cgroup.man | 15 +
 extensions/libxt_hashlimit.c | 2 +-
 extensions/libxt_limit.c | 2 +-
 extensions/libxt_pkttype.c | 1 +
 include/linux/netfilter/xt_cgroup.h | 11 +
 iptables.manifest | 5 +
 iptables/Makefile.am | 10 +-
 iptables/Makefile.in | 2 +
 iptables/iptables-apply | 4 +-
 m4/.gitignore | 2 -
 packaging/iptables-apply-mktemp-fix.patch | 22 --
 packaging/iptables-batch.patch | 499 ------------------------------
 packaging/iptables.changes | 6 -
 packaging/iptables.manifest | 5 -
 packaging/iptables.spec | 231 +++++--------
 16 files changed, 182 insertions(+), 709 deletions(-)
 create mode 100644 extensions/libxt_cgroup.c
 create mode 100644 extensions/libxt_cgroup.man
 create mode 100644 include/linux/netfilter/xt_cgroup.h
 create mode 100644 iptables.manifest
 delete mode 100644 m4/.gitignore
 delete mode 100644 packaging/iptables-apply-mktemp-fix.patch
 delete mode 100644 packaging/iptables-batch.patch
 delete mode 100644 packaging/iptables.changes
 delete mode 100644 packaging/iptables.manifest
 mode change 100644 => 100755 packaging/iptables.spec

diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c
new file mode 100644
index 0000000..cdc4ec9
--- /dev/null
+++ b/extensions/libxt_cgroup.c
@@ -0,0 +1,74 @@
+#include
+#include
+#include
+#include
+
+static void cgroup_help(void)
+{
+ printf(
+"cgroup match options:\n"
+"[!] --cgroup fwid Match cgroup fwid\n");
+}
+
+static const struct option cgroup_opts[] = {
+ { "cgroup", 1, NULL, 'c' },
+ { .name = NULL }
+};
+
+static int
+cgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_match **target)
+{
+ struct xt_cgroup_info *cgroupinfo
+ = (struct xt_cgroup_info *)(*target)->data;
+
+ switch (c) {
+ case 'c': /* TODO 1 or 0 */
+ /* use optarg, due libopt is used */
+ if (sscanf(optarg, "%u", &cgroupinfo->id) != 1)
+ return 1;
+
+ cgroupinfo->invert = invert;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_cgroup_info *info = (void *) match->data;
+
+ printf(" cgroup %s%u", info->invert ? "! ":"", info->id);
+}
+
+static void cgroup_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_cgroup_info *info = (void *) match->data;
+
+ printf("%s --cgroup %u", info->invert ? " !" : "", info->id);
+}
+
+static struct xtables_match cgroup_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "cgroup",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_cgroup_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_cgroup_info)),
+ .help = cgroup_help,
+ .print = cgroup_print,
+ .save = cgroup_save,
+ .parse = cgroup_parse,
+ .extra_opts = cgroup_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&cgroup_match);
+}
diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man
new file mode 100644
index 0000000..456a031
--- /dev/null
+++ b/extensions/libxt_cgroup.man
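Review bot: `cgroup_parse` accepts a malformed `--cgroup` argument silently: when `sscanf(optarg, "%u", ...)` fails it returns 1, so the option counts as consumed with `id` left at zero and `*flags` unset, and because `cgroup_match` registers no `.final_check`, `-m cgroup` with no `--cgroup` at all is accepted the same way. `%u` also accepts `-1` (wrapping to the maximum) and stops at trailing garbage, so a typo yields a rule matching fwid 0 rather than an error. Validate with `xtables_strtoui` and reject through `xtables_error(PARAMETER_PROBLEM, ...)`, and add a final check that requires the flag, as below; the hunk's include lines are not legible on this page, so confirm `<stdint.h>` is among them for `UINT32_MAX`.
```c
	case 'c':
		/* reject negative, non-numeric, trailing-garbage and out-of-range fwid */
		if (!xtables_strtoui(optarg, NULL, &cgroupinfo->id, 0, UINT32_MAX))
			xtables_error(PARAMETER_PROBLEM,
				      "cgroup: invalid fwid \"%s\"", optarg);
		cgroupinfo->invert = invert;
		*flags = 1;
		break;
	/* … unchanged: default branch, return … */

/* … unchanged: cgroup_print, cgroup_save … */

/* Called after option parsing; flags is the value cgroup_parse left in *flags. */
static void cgroup_check(unsigned int flags)
{
	if (!flags)
		xtables_error(PARAMETER_PROBLEM,
			      "cgroup: option --cgroup is required");
}

static struct xtables_match cgroup_match = {
	/* … unchanged: .family through .extra_opts … */
	.final_check = cgroup_check,
};
```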
@@ -0,0 +1,15 @@
+.TP
+[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
+Match corresponding cgroup for this packet.
+
+Can be used to assign particular firewall policies for aggregated
+task/jobs on the system. This allows for more fine-grained firewall
+policies that only match for a subset of the system's processes.
+fwid is the maker set through the net_cls cgroup's id.
+.PP
+Example:
+.PP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
+\-j DROP
+.PP
+Available since Linux 3.14.
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index c5b8d77..8fb9bb4 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -10,7 +10,7 @@
 *
 * Error corections by nmalykh@bilim.com (22.01.2005)
 */
-#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
 #define _ISOC99_SOURCE 1
 #include
 #include
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f..0a49b08 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -3,7 +3,7 @@
 * Jérôme de Vivie
 * Hervé Eychenne
 */
-#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
 #define _ISOC99_SOURCE 1
 #include
 #include
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 1ed3b44..b72c013 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -7,6 +7,7 @@ #include #include #include +#define __aligned_u64 __u64 __attribute__((aligned(8))) #include #include
diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h
new file mode 100644
index 0000000..943d3a0
--- /dev/null
+++ b/include/linux/netfilter/xt_cgroup.h
@@ -0,0 +1,11 @@
+#ifndef _XT_CGROUP_H
+#define _XT_CGROUP_H
+
+#include
+
+struct xt_cgroup_info {
+ __u32 id;
+ __u32 invert;
+};
+
+#endif /* _XT_CGROUP_H */
diff --git a/iptables.manifest b/iptables.manifest
new file mode 100644
index 0000000..97e8c31
--- /dev/null
+++ b/iptables.manifest
@@ -0,0 +1,5 @@
+
+
+
+
+
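Review bot: Replacing `_BSD_SOURCE` with `_DEFAULT_SOURCE` in libxt_hashlimit.c (and identically in libxt_limit.c) loses the BSD-derived declarations on glibc older than 2.19, where `_DEFAULT_SOURCE` is not recognised and the explicit `_ISOC99_SOURCE 1` on the next line suppresses the implicit default feature set; on glibc 2.20 and later `_BSD_SOURCE` on its own only emits a deprecation warning, which the `-Werror` in the spec's `%build` would turn into an error, presumably the motivation here. Defining both keeps the files building on either side, since glibc suppresses the warning when `_DEFAULT_SOURCE` is also defined: `#define _BSD_SOURCE 1` / `#define _DEFAULT_SOURCE 1`.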
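Review bot: The added `#define __aligned_u64 __u64 __attribute__((aligned(8)))` in libxt_pkttype.c is unconditional, so with kernel headers whose linux/types.h already defines the macro with a different token sequence it is a redefinition warning, which the `-Werror` in the spec's `%build` CFLAGS turns into a build break (an identical expansion compiles silently, so this depends on the headers installed). Guard it instead: `#ifndef __aligned_u64` / `#define __aligned_u64 __u64 __attribute__((aligned(8)))` / `#endif`. The include targets of this hunk are not legible on this page, so whether linux/types.h precedes the define cannot be confirmed.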
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 4bf9b13..a4246eb 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -24,15 +24,7 @@ endif
 xtables_multi_SOURCES += xshared.c
 xtables_multi_LDADD += ../libxtables/libxtables.la -lm
-iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c
-iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-iptables_batch_LDADD = ${xtables_multi_LDADD}
-ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
-ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
-ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-ip6tables_batch_LDADD = ${xtables_multi_LDADD}
-
-sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch
+sbin_PROGRAMS = xtables-multi
 man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
 iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
 ip6tables-save.8 iptables-extensions.8
diff --git a/iptables/Makefile.in b/iptables/Makefile.in
index 94f5bef..46c007c 100644
--- a/iptables/Makefile.in
+++ b/iptables/Makefile.in
@@ -177,6 +177,7 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CFLAGS += -fPIE
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -199,6 +200,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
+LDFLAGS += -pie
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 112072c..86b8d5a 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
 exit 2
 fi
-COMMANDS=(mktemp "$SAVE" "$RESTORE")
+COMMANDS=(tempfile "$SAVE" "$RESTORE")
 for cmd in "${COMMANDS[@]}"; do
 if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
 umask 0700
-TMPFILE=$(mktemp)
+TMPFILE=$(tempfile -p iptap)
 trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
 if ! "$SAVE" >"$TMPFILE"; then
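Review bot: The PIE hardening this commit adds lands in the generated iptables/Makefile.in (`CFLAGS += -fPIE`, `LDFLAGS += -pie`) rather than here in Makefile.am, so any autoreconf or maintainer-mode regeneration silently drops both flags and xtables-multi ships non-PIE again with nothing failing. Keep them with the other xtables_multi_* variables in this hunk, e.g. `xtables_multi_CFLAGS = ${AM_CFLAGS} -fPIE` and `xtables_multi_LDFLAGS += -pie` (appending instead if xtables_multi_CFLAGS is already set above the hunk, which is outside this view), or pass them from the spec's CFLAGS/LDFLAGS. Scoping them to the program target also documents that they are meant for the executable only.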
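Review bot: `tempfile`, used both in the `COMMANDS` check and in `TMPFILE=$(tempfile -p iptap)`, is Debian's debianutils command rather than a coreutils/POSIX tool, so on an image without it the `command -v` loop aborts iptables-apply before it saves anything; the `mktemp` it replaces is exactly what the deleted packaging/iptables-apply-mktemp-fix.patch carried, presumably for that reason. Unless tizen 2.4 images are known to ship tempfile, keep `COMMANDS=(mktemp "$SAVE" "$RESTORE")` and `TMPFILE=$(mktemp)`.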
diff --git a/m4/.gitignore b/m4/.gitignore deleted file mode 100644 index 64d9bbc..0000000 --- a/m4/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/libtool.m4 -/lt*.m4 diff --git a/packaging/iptables-apply-mktemp-fix.patch b/packaging/iptables-apply-mktemp-fix.patch deleted file mode 100644 index 6d10ef0..0000000 --- a/packaging/iptables-apply-mktemp-fix.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: iptables-1.4.12.1+16/iptables/iptables-apply -=================================================================== ---- iptables-1.4.12.1+16.orig/iptables/iptables-apply -+++ iptables-1.4.12.1+16/iptables/iptables-apply -@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then - exit 2 - fi - --COMMANDS=(tempfile "$SAVE" "$RESTORE") -+COMMANDS=(mktemp "$SAVE" "$RESTORE") - - for cmd in "${COMMANDS[@]}"; do - if ! command -v $cmd >/dev/null; then -@@ -122,7 +122,7 @@ done - - umask 0700 - --TMPFILE=$(tempfile -p iptap) -+TMPFILE=$(mktemp) - trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 - - if ! "$SAVE" >"$TMPFILE"; then diff --git a/packaging/iptables-batch.patch b/packaging/iptables-batch.patch deleted file mode 100644 index 52299ff..0000000 --- a/packaging/iptables-batch.patch +++ /dev/null 
@@ -1,499 +0,0 @@ ---- - iptables/Makefile.am | 10 - iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 477 insertions(+), 1 deletion(-) - -Index: iptables-1.4.12.1+16/iptables/Makefile.am -=================================================================== ---- iptables-1.4.12.1+16.orig/iptables/Makefile.am -+++ iptables-1.4.12.1+16/iptables/Makefile.am -@@ -24,7 +24,15 @@ endif - xtables_multi_SOURCES += xshared.c - xtables_multi_LDADD += ../libxtables/libxtables.la -lm - --sbin_PROGRAMS = xtables-multi -+iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c -+iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} -+iptables_batch_LDADD = ${xtables_multi_LDADD} -+ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c -+ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T -+ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} -+ip6tables_batch_LDADD = ${xtables_multi_LDADD} -+ -+sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch - man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ - iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 -Index: iptables-1.4.12.1+16/iptables/iptables-batch.c -=================================================================== ---- /dev/null -+++ iptables-1.4.12.1+16/iptables/iptables-batch.c -@@ -0,0 +1,468 @@ -+/* -+ * Author: Ludwig Nussel -+ * Update for iptables 1.4.3.x: Petr Uzel -+ * -+ * Based on the ipchains code by Paul Russell and Michael Neuling -+ * -+ * (C) 2000-2002 by the netfilter coreteam : -+ * Paul 'Rusty' Russell -+ * Marc Boucher -+ * James Morris -+ * Harald Welte -+ * Jozsef Kadlecsik -+ * -+ * iptables-batch -- iptables batch processor -+ * -+ * See the accompanying manual page iptables(8) for information -+ * about proper usage of this program. 
-+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ */ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef IP6T -+#include -+#else -+#include -+#endif -+#include -+ -+#ifdef IP6T -+#define prog_name ip6tables_globals.program_name -+#define prog_ver ip6tables_globals.program_version -+#else -+#define prog_name iptables_globals.program_name -+#define prog_ver iptables_globals.program_version -+#endif -+ -+static char* errstr = NULL; -+ -+static unsigned current_line = 0; -+ -+static char* -+skipspace(char* ptr) -+{ -+ while(*ptr && isspace(*ptr)) -+ ++ptr; -+ return ptr; -+} -+ -+static char* -+getliteral(char** ptr) -+{ -+ char* start = *ptr; -+ char* p = start; -+ -+ while(*p && !isspace(*p)) -+ ++p; -+ -+ if(*p) -+ { -+ *p = '\0'; -+ ++p; -+ } -+ -+ *ptr = p; -+ return start; -+} -+ -+static char* -+getstring(char** ptr) -+{ -+ char* start = *ptr+1; // skip leading " -+ char* p = start; -+ char* o = start; -+ int backslash = 0; -+ int done = 0; -+ -+ while(*p && !done) -+ { -+ if(backslash) -+ { -+ backslash = 0; -+ // no escapes supported, just eat the backslash -+ *o++ = *p++; -+ } -+ else if(*p == '\\') -+ { -+ backslash = 1; -+ p++; -+ } -+ else if(*p == '"') -+ { -+ done = 1; -+ } -+ else -+ { -+ *o++ = *p++; -+ } -+ } -+ -+ if(done) -+ { -+ *o = '\0'; -+ 
*p = '\0'; -+ ++p; -+ *ptr = p; -+ } -+ else -+ { -+ errstr = "missing \" at end of string"; -+ start = NULL; -+ } -+ return start; -+} -+ -+// this is just a very basic method, not 100% shell compatible -+static char* -+getword(char** ptr) -+{ -+ *ptr = skipspace(*ptr); -+ if(**ptr == '"') -+ return getstring(ptr); -+ return getliteral(ptr); -+} -+ -+// destructive -+static int -+tokenize(int* argc, char* argv[], size_t nargvsize, char* iline) -+{ -+ char* ptr = skipspace(iline); -+ int ret = 0; -+ char* word; -+ -+ while(ptr && *ptr) -+ { -+ if(*ptr == '#') -+ break; -+ if(*argc >= nargvsize) -+ { -+ errstr = "too many arguments"; -+ ret = -1; -+ break; -+ } -+ word = getword(&ptr); -+ if(!word) -+ { -+ ret = -1; -+ break; -+ } -+ argv[(*argc)++] = word; -+ ++ret; -+ } -+ return ret; -+} -+ -+#ifdef DEBUG -+static void -+dumpargv(int argc, char* argv[]) -+{ -+ int i; -+ for(i=0; i < argc; ++i) -+ { -+ printf("%s\"%s\"",i?" ":"", argv[i]); -+ } -+ puts(""); -+} -+#endif -+ -+struct table_handle -+{ -+ char* name; -+#ifdef IP6T -+ struct ip6tc_handle *handle; -+#else -+ struct iptc_handle *handle; -+#endif -+}; -+ -+static struct table_handle* tables = NULL; -+static unsigned num_tables; -+struct table_handle* current_table; -+ -+static void -+alloc_tables(void) -+{ -+ tables = realloc(tables, sizeof(struct table_handle) * num_tables); -+} -+ -+static void -+set_current_table(const char* name) -+{ -+ unsigned i; -+ -+ if(!strcmp(name, current_table->name)) // same as last time? 
-+ return; -+ -+ for(i = 0; i < num_tables; ++i) // find already known table -+ { -+ if(!strcmp(name, tables[i].name)) -+ { -+ current_table = &tables[i]; -+ return; -+ } -+ } -+ -+ // table name not known, create new -+ i = num_tables++; -+ alloc_tables(); -+ current_table = &tables[i]; -+ current_table->name = strdup(name); -+ current_table->handle = NULL; -+} -+ -+static int -+find_table(int argc, char* argv[]) -+{ -+ int i; -+ for(i = 0; i < argc; ++i) -+ { -+ if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table")) -+ { -+ ++i; -+ if(i >= argc) -+ { -+ fprintf(stderr, "line %d: missing table name after %s\n", -+ current_line, argv[i]); -+ return 0; -+ } -+ set_current_table(argv[i]); -+ return 1; -+ } -+ } -+ -+ // no -t specified -+ set_current_table("filter"); -+ -+ return 1; -+} -+ -+static int -+do_iptables(int argc, char* argv[]) -+{ -+ char *table = "filter"; -+ int ret = 0; -+ -+ if(!find_table(argc, argv)) -+ return 0; -+ -+#ifdef IP6T -+ ret = do_command6(argc, argv, &table, ¤t_table->handle); -+ -+ if (!ret) -+ { -+ fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno)); -+ } -+ else -+ { -+ if(!table || strcmp(table, current_table->name)) -+ { -+ fprintf(stderr, "line %d: expected table %s, got %s\n", -+ current_line, current_table->name, table); -+ exit(1); -+ } -+ } -+#else -+ ret = do_command4(argc, argv, &table, ¤t_table->handle); -+ -+ if (!ret) -+ { -+ fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno)); -+ } -+ else -+ { -+ if(!table || strcmp(table, current_table->name)) -+ { -+ fprintf(stderr, "line %d: expected table %s, got %s\n", -+ current_line, current_table->name, table); -+ exit(1); -+ } -+ } -+#endif -+ -+ return ret; -+} -+ -+static int -+do_commit(void) -+{ -+ unsigned i; -+ int ret = 1; -+ -+ for(i = 0; i < num_tables; ++i) -+ { -+ if(tables[i].handle) -+ { -+#ifdef IP6T -+ ret = ip6tc_commit(tables[i].handle); -+ if (!ret) -+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, 
ip6tc_strerror(errno)); -+ ip6tc_free(tables[i].handle); -+ tables[i].handle = NULL; -+#else -+ ret = iptc_commit(tables[i].handle); -+ if (!ret) -+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno)); -+ iptc_free(tables[i].handle); -+ tables[i].handle = NULL; -+#endif -+ } -+ } -+ -+ return ret; -+} -+ -+static void -+help(void) -+{ -+ fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name); -+ puts("Read iptables commands from FILE, commit them at EOF\n"); -+ puts("In addition to normal iptables calls the commands"); -+ puts("'commit' and 'exit' are understood."); -+ exit(0); -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ int ret = 1; -+ int c; -+ int numtok; -+ size_t llen = 0; -+ char* iline = NULL; -+ ssize_t r = -1; -+ int nargc = 0; -+ char* nargv[256]; -+ FILE* fp = stdin; -+ -+#ifdef IP6T -+ prog_name = "ip6tables-batch"; -+#else -+ prog_name = "iptables-batch"; -+#endif -+ -+#ifdef IP6T -+ c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); -+#else -+ c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); -+#endif -+ -+ if(c < 0) { -+ fprintf(stderr, "%s/%s Failed to initialize xtables\n", -+ prog_name, -+ prog_ver); -+ exit(1); -+ } -+ -+#ifdef NO_SHARED_LIBS -+ init_extensions(); -+#endif -+ if(argc > 1) -+ { -+ if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")) -+ { -+ help(); -+ } -+ else if(strcmp(argv[1], "-")) -+ { -+ fp = fopen(argv[1], "r"); -+ if(!fp) -+ { -+ perror("fopen"); -+ exit(1); -+ } -+ } -+ } -+ -+ num_tables = 4; -+ alloc_tables(); -+ tables[0].name = "filter"; -+ tables[0].handle = NULL; -+ tables[1].name = "mangle"; -+ tables[1].handle = NULL; -+ tables[2].name = "nat"; -+ tables[2].handle = NULL; -+ tables[3].name = "raw"; -+ tables[3].handle = NULL; -+ current_table = &tables[0]; -+ -+ while((r = getline(&iline, &llen, fp)) != -1) -+ { -+ if(llen < 1 || !*iline) -+ continue; -+ if(iline[strlen(iline)-1] == '\n') -+ iline[strlen(iline) -1 ] = '\0'; -+ -+ ++current_line; -+ nargc = 0; 
-+ errstr = NULL; -+ numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline); -+ if(numtok == -1) -+ { -+ } -+ else if (numtok == 0) -+ { -+ continue; -+ } -+ else if(nargc < 1) -+ { -+ errstr = "insufficient number of arguments"; -+ } -+ -+ if(errstr) -+ { -+ fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr); -+ ret = 0; -+ break; -+ } -+ -+#ifdef DEBUG -+ dumpargv(nargc, nargv); -+#endif -+ -+#ifdef IP6T -+ if(!strcmp(nargv[0], "ip6tables")) -+#else -+ if(!strcmp(nargv[0], "iptables")) -+#endif -+ { -+ ret = do_iptables(nargc, nargv); -+ if(!ret) break; -+ } -+ else if(!strcmp(nargv[0], "exit")) -+ { -+ break; -+ } -+ else if(!strcmp(nargv[0], "commit")) -+ { -+ /* do nothing - see bnc#500990, comment #16 */ -+ } -+ else -+ { -+ fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]); -+ } -+ } -+ -+ if(ret) -+ ret = do_commit(); -+ -+ exit(!ret); -+} diff --git a/packaging/iptables.changes b/packaging/iptables.changes deleted file mode 100644 index 0ada051..0000000 --- a/packaging/iptables.changes +++ /dev/null @@ -1,6 +0,0 @@ -* Fri Aug 16 2013 Anas Nashif upstream/1.4.19.1@ed7885d -- Update to 1.4.19.1 - -* Mon Mar 18 2013 Anas Nashif upstream/1.4.14@95689b2 -- Update package groups - diff --git a/packaging/iptables.manifest b/packaging/iptables.manifest deleted file mode 100644 index 017d22d..0000000 --- a/packaging/iptables.manifest +++ /dev/null @@ -1,5 +0,0 @@ - - - - - diff --git a/packaging/iptables.spec b/packaging/iptables.spec old mode 100644 new mode 100755 index e6f718e..f4d61ee --- a/packaging/iptables.spec +++ b/packaging/iptables.spec 
@@ -1,195 +1,102 @@ -Name: iptables -%define lname_ipq libipq -%define lname_iptc libiptc -%define lname_xt libxtables -Version: 1.4.21 -Release: 0 -License: GPL-2.0+ -Summary: IP Packet Filter Administration utilities -Group: Security/Network - -Url: http://netfilter.org/ -Source: ftp://ftp.netfilter.org/pub/iptables/%{name}-%{version}.tar.bz2 -Source1001: iptables.manifest -BuildRequires: fdupes -BuildRequires: libtool -BuildRequires: pkgconfig >= 0.21 -BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0 +Name: iptables +Summary: Tools for managing Linux kernel packet filtering capabilities +Version: 1.4.21 +Release: 1 +Group: System/Network +Source: %{name}-%{version}.tar.gz +URL: http://www.netfilter.org +License: GPL-2.0+ +BuildRequires: kernel-headers +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig %description -iptables is used to set up, maintain, and inspect the tables of IP -packet filter rules in the Linux kernel. This version requires kernel -2.4.0 or newer. - -%package -n %lname_ipq -Summary: Library to interface with the (old) ip_queue kernel mechanism - -%description -n %lname_ipq -The Netfilter project provides a mechanism (ip_queue) for passing -packets out of the stack for queueing to userspace, then receiving -these packets back into the kernel with a verdict specifying what to -do with the packets (such as ACCEPT or DROP). These packets may also -be modified in userspace prior to reinjection back into the kernel. - -ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue! - -%package -n libipq-devel -Summary: Development files for the ip_queue kernel mechanism -Requires: %lname_ipq = %{version} - -%description -n libipq-devel -The Netfilter project provides a mechanism (ip_queue) for passing -packets out of the stack for queueing to userspace, then receiving -these packets back into the kernel with a verdict specifying what to -do with the packets (such as ACCEPT or DROP). 
These packets may also -be modified in userspace prior to reinjection back into the kernel. - -ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue! +The iptables utility controls the network packet filtering code in the +Linux kernel. If you need to set up firewalls and/or IP masquerading, +you should install this package. +%package devel +Summary: Development package for iptables +Group: System/Network +License: GPL-2.0+ +Requires: %{name} = %{version} +Requires: pkgconfig -%package -n xtables-plugins -Summary: Match and Target Extension plugins for iptables -Conflicts: iptables < 1.4.18 +%description devel +iptables development headers and libraries. -%description -n xtables-plugins -Match and Target Extension plugins for iptables. +The iptc interface is upstream marked as not public. The interface is not +stable and may change with every new version. It is therefore unsupported. -%package -n %lname_iptc -Summary: Library for low-level ruleset generation and parsing +%prep +%setup -q -%description -n %lname_iptc -libiptc ("iptables cache") is used to retrieve from the kernel, parse, -construct, and load new rulesets into the kernel. -%package -n libiptc-devel -Summary: Development files for libiptc, a packet filter ruleset library -Requires: %lname_iptc = %{version} -# NOT adding Obsoletes/Provides: iptables-devel, because that one has -# been split into _two_ new pkgs (libxtables-devel, libiptc-devel). -# NOTE: Please use pkgconfig(...) symbols for BuildRequires. +%build +export CFLAGS+=" $RPM_OPT_FLAGS -Wall -Werror -O2 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wno-unused-value" +export LDFLAGS+=" -Wl,--as-needed" -%description -n libiptc-devel -libiptc ("iptables cache") is used to retrieve from the kernel, parse, -construct, and load new rulesets into the kernel. 
+%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr -%package -n %lname_xt -Summary: iptables extension interface +# do not use rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool -%description -n %lname_xt -This library contains all the iptables code shared between iptables, -ip6tables, their extensions, and for external integration for e.g. -iproute2's m_xt. +make %{?_smp_mflags} -%package -n libxtables-devel -Summary: Libraries, Headers and Development Man Pages for iptables -Requires: %lname_xt = %{version} -%description -n libxtables-devel -This library contains all the iptables code shared between iptables, -ip6tables, their extensions, and for external integration for e.g. +%install +make install DESTDIR=%{buildroot} -Link your extension (iptables plugins) with $(pkg-config xtables ---libs) and place the plugin in the directory given by $(pkg-config -xtables --variable=xtlibdir). +# remove la file(s) +rm -f %{buildroot}/%{_libdir}/*.la -%prep -%setup -q -cp %{SOURCE1001} . 
+# install ip*tables.h header files +install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/ +install -d -m 755 %{buildroot}%{_includedir}/iptables +install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/ -%build -# bnc#561793 - do not include unclean module in iptables manpage -rm -f extensions/libipt_unclean.man -# includedir is overriden on purpose to detect projects that -# fail to include libxtables_CFLAGS -%configure --includedir=%{_includedir}/%{name}-%{version} --enable-libipq -make %{?_smp_mflags} +# install ipulog header file +install -d -m 755 %{buildroot}%{_includedir}/libipulog/ +install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/ -%install -%make_install -# iptables-apply is not installed by upstream Makefile -install -m0755 iptables/iptables-apply %{buildroot}%{_sbindir}/ -install -m0644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/ -rm -f "%{buildroot}/%{_libdir}"/*.la; -%fdupes %{buildroot} +# remove man pages +rm -rf %{buildroot}%{_mandir} # License mkdir -p %{buildroot}%{_datadir}/license cp COPYING %{buildroot}%{_datadir}/license/iptables -%post -n %lname_ipq -p /sbin/ldconfig - -%postun -n %lname_ipq -p /sbin/ldconfig - -%post -n %lname_iptc -p /sbin/ldconfig - -%postun -n %lname_iptc -p /sbin/ldconfig - -%post -n %lname_xt -p /sbin/ldconfig - -%postun -n %lname_xt -p /sbin/ldconfig - +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig %docs_package %files -%manifest %{name}.manifest -%defattr(-,root,root) -%{_bindir}/iptables* +%manifest iptables.manifest %{_sbindir}/iptables* %{_sbindir}/ip6tables* -%{_sbindir}/xtables* -%{_sbindir}/nfnl_osf -%{_libdir}/xtables -%{_datadir}/xtables +%{_sbindir}/xtables-multi +%{_bindir}/iptables-xml +%dir %{_libdir}/xtables +%{_libdir}/xtables/libipt* +%{_libdir}/xtables/libip6t* +%{_libdir}/xtables/libxt* +%{_libdir}/libip*tc.so.* +%{_libdir}/libxtables.so.* %{_datadir}/license/iptables -%files -n %lname_ipq -%manifest %{name}.manifest 
-%defattr(-,root,root) -%{_libdir}/libipq.so.0* - -%files -n libipq-devel -%manifest %{name}.manifest -%defattr(-,root,root) -%dir %{_includedir}/%{name}-%{version} -%{_includedir}/%{name}-%{version}/libipq* -%{_libdir}/libipq.so -%{_libdir}/pkgconfig/libipq.pc - -%files -n %lname_iptc -%manifest %{name}.manifest -%defattr(-,root,root) -%{_libdir}/libiptc.so.0* -%{_libdir}/libip4tc.so.0* -%{_libdir}/libip6tc.so.0* - -%files -n libiptc-devel -%manifest %{name}.manifest -%defattr(-,root,root) -%dir %{_includedir}/%{name}-%{version} -%{_includedir}/%{name}-%{version}/libiptc* +%files devel +%dir %{_includedir}/iptables +%{_includedir}/iptables/*.h +%{_includedir}/*.h +%dir %{_includedir}/libiptc +%{_includedir}/libiptc/*.h +%dir %{_includedir}/libipulog +%{_includedir}/libipulog/*.h %{_libdir}/libip*tc.so -%{_libdir}/pkgconfig/libip*tc.pc - -%files -n %lname_xt -%manifest %{name}.manifest -%defattr(-,root,root) -%{_libdir}/libxtables.so.* - - -%files -n xtables-plugins -%defattr(-,root,root) -%_libdir/xtables/ -%_sbindir/nfnl_osf -%_datadir/xtables/ - -%files -n libxtables-devel -%manifest %{name}.manifest -%defattr(-,root,root) -%dir %{_includedir}/%{name}-%{version} -%{_includedir}/%{name}-%{version}/xtables.h -%{_includedir}/%{name}-%{version}/xtables-version.h %{_libdir}/libxtables.so +%{_libdir}/pkgconfig/libiptc.pc +%{_libdir}/pkgconfig/libip4tc.pc +%{_libdir}/pkgconfig/libip6tc.pc %{_libdir}/pkgconfig/xtables.pc - -%changelog -- 2.7.4
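Review bot: `%files devel` carries no `%manifest` line while the main `%files` keeps `%manifest iptables.manifest`, and the old spec had `%manifest %{name}.manifest` in every subpackage's file list; in Tizen packaging the manifest is what assigns the package's SMACK labels, so the devel files would presumably be installed unlabelled. Add `%manifest iptables.manifest` as the first line of `%files devel`. Separately, the old `install -m0755 iptables/iptables-apply %{buildroot}%{_sbindir}/` and its comment that upstream's Makefile does not install it are dropped, so the iptables-apply change elsewhere in this commit is no longer packaged; re-add that install line (and the man page one) if that is not intended.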